--- /dev/null
+From b3b5d91c9ac60e549318eecb6919a3630c810757 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jun 2021 17:36:50 +0800
+Subject: ACPI: bus: Call kobject_put() in acpi_init() error path
+
+From: Hanjun Guo <guohanjun@huawei.com>
+
+[ Upstream commit 4ac7a817f1992103d4e68e9837304f860b5e7300 ]
+
+Although the system will not be in a good condition or it will not
+boot if acpi_bus_init() fails, it is still necessary to put the
+kobject in the error path before returning to avoid leaking memory.
+
+Signed-off-by: Hanjun Guo <guohanjun@huawei.com>
+[ rjw: Subject and changelog edits ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/bus.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/acpi/bus.c b/drivers/acpi/bus.c
+index 1cb7c6a52f61..7ea02bb50c73 100644
+--- a/drivers/acpi/bus.c
++++ b/drivers/acpi/bus.c
+@@ -1249,6 +1249,7 @@ static int __init acpi_init(void)
+ init_acpi_device_notify();
+ result = acpi_bus_init();
+ if (result) {
++ kobject_put(acpi_kobj);
+ disable_acpi();
+ return result;
+ }
+--
+2.30.2
+
--- /dev/null
+From 5493bde190679bc29e75ff2cac5463408f9c1835 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 May 2021 11:09:50 +0800
+Subject: ACPI: EC: Make more Asus laptops use ECDT _GPE
+
+From: Chris Chiu <chris.chiu@canonical.com>
+
+[ Upstream commit 6306f0431914beaf220634ad36c08234006571d5 ]
+
+More ASUS laptops have the _GPE define in the DSDT table with a
+different value than the _GPE number in the ECDT.
+
+This is causing media keys not working on ASUS X505BA/BP, X542BA/BP
+
+Add model info to the quirks list.
+
+Signed-off-by: Chris Chiu <chris.chiu@canonical.com>
+Signed-off-by: Jian-Hong Pan <jhp@endlessos.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/ec.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c
+index 37aacb39e692..f8fc30be6871 100644
+--- a/drivers/acpi/ec.c
++++ b/drivers/acpi/ec.c
+@@ -1886,6 +1886,22 @@ static const struct dmi_system_id ec_dmi_table[] __initconst = {
+ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
+ DMI_MATCH(DMI_PRODUCT_NAME, "GL702VMK"),}, NULL},
+ {
++ ec_honor_ecdt_gpe, "ASUSTeK COMPUTER INC. X505BA", {
++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "X505BA"),}, NULL},
++ {
++ ec_honor_ecdt_gpe, "ASUSTeK COMPUTER INC. X505BP", {
++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "X505BP"),}, NULL},
++ {
++ ec_honor_ecdt_gpe, "ASUSTeK COMPUTER INC. X542BA", {
++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "X542BA"),}, NULL},
++ {
++ ec_honor_ecdt_gpe, "ASUSTeK COMPUTER INC. X542BP", {
++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "X542BP"),}, NULL},
++ {
+ ec_honor_ecdt_gpe, "ASUS X550VXK", {
+ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
+ DMI_MATCH(DMI_PRODUCT_NAME, "X550VXK"),}, NULL},
+--
+2.30.2
+
--- /dev/null
+From 7524bac8d152a2f385af24bff57441710a8085d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 May 2021 17:15:14 -0500
+Subject: ACPI: processor idle: Fix up C-state latency if not ordered
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+[ Upstream commit 65ea8f2c6e230bdf71fed0137cf9e9d1b307db32 ]
+
+Generally, the C-state latency is provided by the _CST method or
+FADT, but some OEM platforms using AMD Picasso, Renoir, Van Gogh,
+and Cezanne set the C2 latency greater than C3's which causes the
+C2 state to be skipped.
+
+That will block the core entering PC6, which prevents S0ix working
+properly on Linux systems.
+
+In other operating systems, the latency values are not validated and
+this does not cause problems by skipping states.
+
+To avoid this issue on Linux, detect when latencies are not an
+arithmetic progression and sort them.
+
+Link: https://gitlab.freedesktop.org/agd5f/linux/-/commit/026d186e4592c1ee9c1cb44295912d0294508725
+Link: https://gitlab.freedesktop.org/drm/amd/-/issues/1230#note_712174
+Suggested-by: Prike Liang <Prike.Liang@amd.com>
+Suggested-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+[ rjw: Subject and changelog edits ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/processor_idle.c | 40 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 40 insertions(+)
+
+diff --git a/drivers/acpi/processor_idle.c b/drivers/acpi/processor_idle.c
+index d50a7b6ccddd..590eeca2419f 100644
+--- a/drivers/acpi/processor_idle.c
++++ b/drivers/acpi/processor_idle.c
+@@ -29,6 +29,7 @@
+ #include <linux/acpi.h>
+ #include <linux/dmi.h>
+ #include <linux/sched.h> /* need_resched() */
++#include <linux/sort.h>
+ #include <linux/tick.h>
+ #include <linux/cpuidle.h>
+ #include <linux/cpu.h>
+@@ -540,10 +541,37 @@ static void acpi_processor_power_verify_c3(struct acpi_processor *pr,
+ return;
+ }
+
++static int acpi_cst_latency_cmp(const void *a, const void *b)
++{
++ const struct acpi_processor_cx *x = a, *y = b;
++
++ if (!(x->valid && y->valid))
++ return 0;
++ if (x->latency > y->latency)
++ return 1;
++ if (x->latency < y->latency)
++ return -1;
++ return 0;
++}
++static void acpi_cst_latency_swap(void *a, void *b, int n)
++{
++ struct acpi_processor_cx *x = a, *y = b;
++ u32 tmp;
++
++ if (!(x->valid && y->valid))
++ return;
++ tmp = x->latency;
++ x->latency = y->latency;
++ y->latency = tmp;
++}
++
+ static int acpi_processor_power_verify(struct acpi_processor *pr)
+ {
+ unsigned int i;
+ unsigned int working = 0;
++ unsigned int last_latency = 0;
++ unsigned int last_type = 0;
++ bool buggy_latency = false;
+
+ pr->power.timer_broadcast_on_state = INT_MAX;
+
+@@ -567,12 +595,24 @@ static int acpi_processor_power_verify(struct acpi_processor *pr)
+ }
+ if (!cx->valid)
+ continue;
++ if (cx->type >= last_type && cx->latency < last_latency)
++ buggy_latency = true;
++ last_latency = cx->latency;
++ last_type = cx->type;
+
+ lapic_timer_check_state(i, pr, cx);
+ tsc_check_state(cx->type);
+ working++;
+ }
+
++ if (buggy_latency) {
++ pr_notice("FW issue: working around C-state latencies out of order\n");
++ sort(&pr->power.states[1], max_cstate,
++ sizeof(struct acpi_processor_cx),
++ acpi_cst_latency_cmp,
++ acpi_cst_latency_swap);
++ }
++
+ lapic_timer_propagate_broadcast(pr);
+
+ return (working);
+--
+2.30.2
+
--- /dev/null
+From 363a7e08e8a77edac498549d4a888ba6271c2445 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jun 2021 17:12:01 +0000
+Subject: ACPI: sysfs: Fix a buffer overrun problem with description_show()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Krzysztof Wilczyński <kw@linux.com>
+
+[ Upstream commit 888be6067b97132c3992866bbcf647572253ab3f ]
+
+Currently, a device description can be obtained using ACPI, if the _STR
+method exists for a particular device, and then exposed to the userspace
+via a sysfs object as a string value.
+
+If the _STR method is available for a given device then the data
+(usually a Unicode string) is read and stored in a buffer (of the
+ACPI_TYPE_BUFFER type) with a pointer to said buffer cached in the
+struct acpi_device_pnp for later access.
+
+The description_show() function is responsible for exposing the device
+description to the userspace via a corresponding sysfs object and
+internally calls the utf16s_to_utf8s() function with a pointer to the
+buffer that contains the Unicode string so that it can be converted from
+UTF16 encoding to UTF8 and thus allowing for the value to be safely
+stored and later displayed.
+
+When invoking the utf16s_to_utf8s() function, the description_show()
+function also sets a limit of the data that can be saved into a provided
+buffer as a result of the character conversion to be a total of
+PAGE_SIZE, and upon completion, the utf16s_to_utf8s() function returns
+an integer value denoting the number of bytes that have been written
+into the provided buffer.
+
+Following the execution of the utf16s_to_utf8s() a newline character
+will be added at the end of the resulting buffer so that when the value
+is read in the userspace through the sysfs object then it would include
+newline making it more accessible when working with the sysfs file
+system in the shell, etc. Normally, this wouldn't be a problem, but if
+the function utf16s_to_utf8s() happens to return the number of bytes
+written to be precisely PAGE_SIZE, then we would overrun the buffer and
+write the newline character outside the allotted space which can have
+undefined consequences or result in a failure.
+
+To fix this buffer overrun, ensure that there always is enough space
+left for the newline character to be safely appended.
+
+Fixes: d1efe3c324ea ("ACPI: Add new sysfs interface to export device description")
+Signed-off-by: Krzysztof Wilczyński <kw@linux.com>
+Reviewed-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/device_sysfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/device_sysfs.c b/drivers/acpi/device_sysfs.c
+index 6d7ff5ef702c..9f4743d9804b 100644
+--- a/drivers/acpi/device_sysfs.c
++++ b/drivers/acpi/device_sysfs.c
+@@ -452,7 +452,7 @@ static ssize_t description_show(struct device *dev,
+ (wchar_t *)acpi_dev->pnp.str_obj->buffer.pointer,
+ acpi_dev->pnp.str_obj->buffer.length,
+ UTF16_LITTLE_ENDIAN, buf,
+- PAGE_SIZE);
++ PAGE_SIZE - 1);
+
+ buf[result++] = '\n';
+
+--
+2.30.2
+
--- /dev/null
+From 2fb3fc4775d5033b547467061f46df2340f146a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jun 2021 16:24:33 +0100
+Subject: ACPI: tables: Add custom DSDT file as makefile prerequisite
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit d1059c1b1146870c52f3dac12cb7b6cbf39ed27f ]
+
+A custom DSDT file is mostly used during development or debugging,
+and in that case it is quite likely to want to rebuild the kernel
+after changing ONLY the content of the DSDT.
+
+This patch adds the custom DSDT as a prerequisite to tables.o
+to ensure a rebuild if the DSDT file is updated. Make will merge
+the prerequisites from multiple rules for the same target.
+
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/Makefile | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/acpi/Makefile b/drivers/acpi/Makefile
+index cd1abc9bc325..f9df9541f2ce 100644
+--- a/drivers/acpi/Makefile
++++ b/drivers/acpi/Makefile
+@@ -8,6 +8,11 @@ ccflags-$(CONFIG_ACPI_DEBUG) += -DACPI_DEBUG_OUTPUT
+ #
+ # ACPI Boot-Time Table Parsing
+ #
++ifeq ($(CONFIG_ACPI_CUSTOM_DSDT),y)
++tables.o: $(src)/../../include/$(subst $\",,$(CONFIG_ACPI_CUSTOM_DSDT_FILE)) ;
++
++endif
++
+ obj-$(CONFIG_ACPI) += tables.o
+ obj-$(CONFIG_X86) += blacklist.o
+
+--
+2.30.2
+
--- /dev/null
+From ab9a0aea582937412cce91baefc49fcc73efa8c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jun 2021 14:25:57 -0700
+Subject: ACPICA: Fix memory leak caused by _CID repair function
+
+From: Erik Kaneda <erik.kaneda@intel.com>
+
+[ Upstream commit c27bac0314131b11bccd735f7e8415ac6444b667 ]
+
+ACPICA commit 180cb53963aa876c782a6f52cc155d951b26051a
+
+According to the ACPI spec, _CID returns a package containing
+hardware ID's. Each element of an ASL package contains a reference
+count from the parent package as well as the element itself.
+
+Name (TEST, Package() {
+ "String object" // this package element has a reference count of 2
+})
+
+A memory leak was caused in the _CID repair function because it did
+not decrement the reference count created by the package. Fix the
+memory leak by calling acpi_ut_remove_reference on _CID package elements
+that represent a hardware ID (_HID).
+
+Link: https://github.com/acpica/acpica/commit/180cb539
+Tested-by: Shawn Guo <shawn.guo@linaro.org>
+Signed-off-by: Erik Kaneda <erik.kaneda@intel.com>
+Signed-off-by: Bob Moore <robert.moore@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpica/nsrepair2.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/acpi/acpica/nsrepair2.c b/drivers/acpi/acpica/nsrepair2.c
+index 06037e044694..78b802b5f7d3 100644
+--- a/drivers/acpi/acpica/nsrepair2.c
++++ b/drivers/acpi/acpica/nsrepair2.c
+@@ -409,6 +409,13 @@ acpi_ns_repair_CID(struct acpi_evaluate_info *info,
+
+ (*element_ptr)->common.reference_count =
+ original_ref_count;
++
++ /*
++ * The original_element holds a reference from the package object
++ * that represents _HID. Since a new element was created by _HID,
++ * remove the reference from the _CID package.
++ */
++ acpi_ut_remove_reference(original_element);
+ }
+
+ element_ptr++;
+--
+2.30.2
+
--- /dev/null
+From bf3d4445ad785d836fde7106a39277b8b7a08fb4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 14:56:04 +0100
+Subject: ASoC: cs42l42: Correct definition of CS42L42_ADC_PDN_MASK
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit fac165f22ac947b55407cd3a60a2a9824f905235 ]
+
+The definition of CS42L42_ADC_PDN_MASK was incorrectly defined
+as the HP_PDN bit.
+
+Fixes: 2c394ca79604 ("ASoC: Add support for CS42L42 codec")
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Link: https://lore.kernel.org/r/20210616135604.19363-1-rf@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/cs42l42.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/cs42l42.h b/sound/soc/codecs/cs42l42.h
+index 3d5fa343db96..72d3778e10ad 100644
+--- a/sound/soc/codecs/cs42l42.h
++++ b/sound/soc/codecs/cs42l42.h
+@@ -81,7 +81,7 @@
+ #define CS42L42_HP_PDN_SHIFT 3
+ #define CS42L42_HP_PDN_MASK (1 << CS42L42_HP_PDN_SHIFT)
+ #define CS42L42_ADC_PDN_SHIFT 2
+-#define CS42L42_ADC_PDN_MASK (1 << CS42L42_HP_PDN_SHIFT)
++#define CS42L42_ADC_PDN_MASK (1 << CS42L42_ADC_PDN_SHIFT)
+ #define CS42L42_PDN_ALL_SHIFT 0
+ #define CS42L42_PDN_ALL_MASK (1 << CS42L42_PDN_ALL_SHIFT)
+
+--
+2.30.2
+
--- /dev/null
+From db93a10d76e2e68c1fea58b9a435015e87b9751a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 May 2021 12:45:14 +0800
+Subject: ASoC: hisilicon: fix missing clk_disable_unprepare() on error in
+ hi6210_i2s_startup()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 375904e3931955fcf0a847f029b2492a117efc43 ]
+
+After calling clk_prepare_enable(), clk_disable_unprepare() need
+be called when calling clk_set_rate() failed.
+
+Fixes: 0bf750f4cbe1 ("ASoC: hisilicon: Add hi6210 i2s audio driver")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20210518044514.607010-1-yangyingliang@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/hisilicon/hi6210-i2s.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/sound/soc/hisilicon/hi6210-i2s.c b/sound/soc/hisilicon/hi6210-i2s.c
+index 0c8f86d4020e..d8d14cdee786 100644
+--- a/sound/soc/hisilicon/hi6210-i2s.c
++++ b/sound/soc/hisilicon/hi6210-i2s.c
+@@ -111,18 +111,15 @@ static int hi6210_i2s_startup(struct snd_pcm_substream *substream,
+
+ for (n = 0; n < i2s->clocks; n++) {
+ ret = clk_prepare_enable(i2s->clk[n]);
+- if (ret) {
+- while (n--)
+- clk_disable_unprepare(i2s->clk[n]);
+- return ret;
+- }
++ if (ret)
++ goto err_unprepare_clk;
+ }
+
+ ret = clk_set_rate(i2s->clk[CLK_I2S_BASE], 49152000);
+ if (ret) {
+ dev_err(i2s->dev, "%s: setting 49.152MHz base rate failed %d\n",
+ __func__, ret);
+- return ret;
++ goto err_unprepare_clk;
+ }
+
+ /* enable clock before frequency division */
+@@ -174,6 +171,11 @@ static int hi6210_i2s_startup(struct snd_pcm_substream *substream,
+ hi6210_write_reg(i2s, HII2S_SW_RST_N, val);
+
+ return 0;
++
++err_unprepare_clk:
++ while (n--)
++ clk_disable_unprepare(i2s->clk[n]);
++ return ret;
+ }
+
+ static void hi6210_i2s_shutdown(struct snd_pcm_substream *substream,
+--
+2.30.2
+
--- /dev/null
+From 6ea176dd5d45db2c4a12e09b8cf74bb794ebd264 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 May 2021 18:46:17 +0800
+Subject: ath10k: Fix an error code in ath10k_add_interface()
+
+From: Yang Li <yang.lee@linux.alibaba.com>
+
+[ Upstream commit e9ca70c735ce66fc6a0e02c8b6958434f74ef8de ]
+
+When the code execute this if statement, the value of ret is 0.
+However, we can see from the ath10k_warn() log that the value of
+ret should be -EINVAL.
+
+Clean up smatch warning:
+
+drivers/net/wireless/ath/ath10k/mac.c:5596 ath10k_add_interface() warn:
+missing error code 'ret'
+
+Reported-by: Abaci Robot <abaci@linux.alibaba.com>
+Fixes: ccec9038c721 ("ath10k: enable raw encap mode and software crypto engine")
+Signed-off-by: Yang Li <yang.lee@linux.alibaba.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/1621939577-62218-1-git-send-email-yang.lee@linux.alibaba.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/mac.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
+index aa5bec5a3676..e42546bc99ef 100644
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -5061,6 +5061,7 @@ static int ath10k_add_interface(struct ieee80211_hw *hw,
+
+ if (arvif->nohwcrypt &&
+ !test_bit(ATH10K_FLAG_RAW_MODE, &ar->dev_flags)) {
++ ret = -EINVAL;
+ ath10k_warn(ar, "cryptmode module param needed for sw crypto\n");
+ goto err;
+ }
+--
+2.30.2
+
--- /dev/null
+From c056a5998b9fffe31380762201b305d466917f42 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 13 Mar 2021 11:01:44 +0800
+Subject: block_dump: remove block_dump feature in mark_inode_dirty()
+
+From: zhangyi (F) <yi.zhang@huawei.com>
+
+[ Upstream commit 12e0613715e1cf305fffafaf0e89d810d9a85cc0 ]
+
+block_dump is an old debugging interface, one of it's functions is used
+to print the information about who write which file on disk. If we
+enable block_dump through /proc/sys/vm/block_dump and turn on debug log
+level, we can gather information about write process name, target file
+name and disk from kernel message. This feature is realized in
+block_dump___mark_inode_dirty(), it print above information into kernel
+message directly when marking inode dirty, so it is noisy and can easily
+trigger log storm. At the same time, get the dentry refcount is also not
+safe, we found it will lead to deadlock on ext4 file system with
+data=journal mode.
+
+After tracepoints has been introduced into the kernel, we got a
+tracepoint in __mark_inode_dirty(), which is a better replacement of
+block_dump___mark_inode_dirty(). The only downside is that it only trace
+the inode number and not a file name, but it probably doesn't matter
+because the original printed file name in block_dump is not accurate in
+some cases, and we can still find it through the inode number and device
+id. So this patch delete the dirting inode part of block_dump feature.
+
+Signed-off-by: zhangyi (F) <yi.zhang@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20210313030146.2882027-2-yi.zhang@huawei.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/fs-writeback.c | 25 -------------------------
+ 1 file changed, 25 deletions(-)
+
+diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c
+index fde277be2642..08fef9c2296b 100644
+--- a/fs/fs-writeback.c
++++ b/fs/fs-writeback.c
+@@ -2082,28 +2082,6 @@ int dirtytime_interval_handler(struct ctl_table *table, int write,
+ return ret;
+ }
+
+-static noinline void block_dump___mark_inode_dirty(struct inode *inode)
+-{
+- if (inode->i_ino || strcmp(inode->i_sb->s_id, "bdev")) {
+- struct dentry *dentry;
+- const char *name = "?";
+-
+- dentry = d_find_alias(inode);
+- if (dentry) {
+- spin_lock(&dentry->d_lock);
+- name = (const char *) dentry->d_name.name;
+- }
+- printk(KERN_DEBUG
+- "%s(%d): dirtied inode %lu (%s) on %s\n",
+- current->comm, task_pid_nr(current), inode->i_ino,
+- name, inode->i_sb->s_id);
+- if (dentry) {
+- spin_unlock(&dentry->d_lock);
+- dput(dentry);
+- }
+- }
+-}
+-
+ /**
+ * __mark_inode_dirty - internal function
+ *
+@@ -2163,9 +2141,6 @@ void __mark_inode_dirty(struct inode *inode, int flags)
+ (dirtytime && (inode->i_state & I_DIRTY_INODE)))
+ return;
+
+- if (unlikely(block_dump))
+- block_dump___mark_inode_dirty(inode);
+-
+ spin_lock(&inode->i_lock);
+ if (dirtytime && (inode->i_state & I_DIRTY_INODE))
+ goto out_unlock_inode;
+--
+2.30.2
+
--- /dev/null
+From 6ab173c5063e776a58699068d6299f039049d831 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 May 2021 11:45:02 -0700
+Subject: Bluetooth: mgmt: Fix slab-out-of-bounds in tlv_data_is_valid
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 799acb9347915bfe4eac0ff2345b468f0a1ca207 ]
+
+This fixes parsing of LTV entries when the length is 0.
+
+Found with:
+
+tools/mgmt-tester -s "Add Advertising - Success (ScRsp only)"
+
+Add Advertising - Success (ScRsp only) - run
+ Sending Add Advertising (0x003e)
+ Test condition added, total 1
+[ 11.004577] ==================================================================
+[ 11.005292] BUG: KASAN: slab-out-of-bounds in tlv_data_is_valid+0x87/0xe0
+[ 11.005984] Read of size 1 at addr ffff888002c695b0 by task mgmt-tester/87
+[ 11.006711]
+[ 11.007176]
+[ 11.007429] Allocated by task 87:
+[ 11.008151]
+[ 11.008438] The buggy address belongs to the object at ffff888002c69580
+[ 11.008438] which belongs to the cache kmalloc-64 of size 64
+[ 11.010526] The buggy address is located 48 bytes inside of
+[ 11.010526] 64-byte region [ffff888002c69580, ffff888002c695c0)
+[ 11.012423] The buggy address belongs to the page:
+[ 11.013291]
+[ 11.013544] Memory state around the buggy address:
+[ 11.014359] ffff888002c69480: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+[ 11.015453] ffff888002c69500: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+[ 11.016232] >ffff888002c69580: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
+[ 11.017010] ^
+[ 11.017547] ffff888002c69600: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
+[ 11.018296] ffff888002c69680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+[ 11.019116] ==================================================================
+
+Fixes: 2bb36870e8cb2 ("Bluetooth: Unify advertising instance flags check")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/mgmt.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
+index bca1408f815f..fa9526712b0a 100644
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -6087,6 +6087,9 @@ static bool tlv_data_is_valid(struct hci_dev *hdev, u32 adv_flags, u8 *data,
+ for (i = 0, cur_len = 0; i < len; i += (cur_len + 1)) {
+ cur_len = data[i];
+
++ if (!cur_len)
++ continue;
++
+ if (data[i + 1] == EIR_FLAGS &&
+ (!is_adv_data || flags_managed(adv_flags)))
+ return false;
+--
+2.30.2
+
--- /dev/null
+From 0b2b35d3e8d5971a2882409aacec64b6efc90398 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 May 2021 22:58:30 +0200
+Subject: brcmsmac: mac80211_if: Fix a resource leak in an error handling path
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 9a25344d5177c2b9285532236dc3d10a091f39a8 ]
+
+If 'brcms_attach()' fails, we must undo the previous 'ieee80211_alloc_hw()'
+as already done in the remove function.
+
+Fixes: 5b435de0d786 ("net: wireless: add brcm80211 drivers")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/8fbc171a1a493b38db5a6f0873c6021fca026a6c.1620852921.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c
+index 66f1f41b1380..c82e53145c2c 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c
+@@ -1223,6 +1223,7 @@ static int brcms_bcma_probe(struct bcma_device *pdev)
+ {
+ struct brcms_info *wl;
+ struct ieee80211_hw *hw;
++ int ret;
+
+ dev_info(&pdev->dev, "mfg %x core %x rev %d class %d irq %d\n",
+ pdev->id.manuf, pdev->id.id, pdev->id.rev, pdev->id.class,
+@@ -1247,11 +1248,16 @@ static int brcms_bcma_probe(struct bcma_device *pdev)
+ wl = brcms_attach(pdev);
+ if (!wl) {
+ pr_err("%s: brcms_attach failed!\n", __func__);
+- return -ENODEV;
++ ret = -ENODEV;
++ goto err_free_ieee80211;
+ }
+ brcms_led_register(wl);
+
+ return 0;
++
++err_free_ieee80211:
++ ieee80211_free_hw(hw);
++ return ret;
+ }
+
+ static int brcms_suspend(struct bcma_device *pdev)
+--
+2.30.2
+
--- /dev/null
+From a0bc44d93c2a810d70437464394f3615934d243d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 May 2021 16:44:09 -0400
+Subject: btrfs: abort transaction if we fail to update the delayed inode
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+[ Upstream commit 04587ad9bef6ce9d510325b4ba9852b6129eebdb ]
+
+If we fail to update the delayed inode we need to abort the transaction,
+because we could leave an inode with the improper counts or some other
+such corruption behind.
+
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/delayed-inode.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/fs/btrfs/delayed-inode.c b/fs/btrfs/delayed-inode.c
+index 3631154d8245..9f276d1dd29c 100644
+--- a/fs/btrfs/delayed-inode.c
++++ b/fs/btrfs/delayed-inode.c
+@@ -1105,6 +1105,14 @@ err_out:
+ btrfs_delayed_inode_release_metadata(fs_info, node);
+ btrfs_release_delayed_inode(node);
+
++ /*
++ * If we fail to update the delayed inode we need to abort the
++ * transaction, because we could leave the inode with the improper
++ * counts behind.
++ */
++ if (ret && ret != -ENOENT)
++ btrfs_abort_transaction(trans, ret);
++
+ return ret;
+
+ search:
+--
+2.30.2
+
--- /dev/null
+From 099c774bb24920eba031d4d3749fb8e816938ace Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Jul 2020 18:38:05 +0200
+Subject: btrfs: clear log tree recovering status if starting transaction fails
+
+From: David Sterba <dsterba@suse.com>
+
+[ Upstream commit 1aeb6b563aea18cd55c73cf666d1d3245a00f08c ]
+
+When a log recovery is in progress, lots of operations have to take that
+into account, so we keep this status per tree during the operation. Long
+time ago error handling revamp patch 79787eaab461 ("btrfs: replace many
+BUG_ONs with proper error handling") removed clearing of the status in
+an error branch. Add it back as was intended in e02119d5a7b4 ("Btrfs:
+Add a write ahead tree log to optimize synchronous operations").
+
+There are probably no visible effects, log replay is done only during
+mount and if it fails all structures are cleared so the stale status
+won't be kept.
+
+Fixes: 79787eaab461 ("btrfs: replace many BUG_ONs with proper error handling")
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/tree-log.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
+index f890fdb59915..fbcfee38583b 100644
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -5957,6 +5957,7 @@ next:
+ error:
+ if (wc.trans)
+ btrfs_end_transaction(wc.trans);
++ clear_bit(BTRFS_FS_LOG_RECOVERING, &fs_info->flags);
+ btrfs_free_path(path);
+ return ret;
+ }
+--
+2.30.2
+
--- /dev/null
+From b34a10661a2d6afda6aba485f1d155b4572b38fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jun 2021 05:23:02 +0000
+Subject: btrfs: disable build on platforms having page size 256K
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit b05fbcc36be1f8597a1febef4892053a0b2f3f60 ]
+
+With a config having PAGE_SIZE set to 256K, BTRFS build fails
+with the following message
+
+ include/linux/compiler_types.h:326:38: error: call to
+ '__compiletime_assert_791' declared with attribute error:
+ BUILD_BUG_ON failed: (BTRFS_MAX_COMPRESSED % PAGE_SIZE) != 0
+
+BTRFS_MAX_COMPRESSED being 128K, BTRFS cannot support platforms with
+256K pages at the time being.
+
+There are two platforms that can select 256K pages:
+ - hexagon
+ - powerpc
+
+Disable BTRFS when 256K page size is selected. Supporting this would
+require changes to the subpage mode that's currently being developed.
+Given that 256K is many times larger than page sizes commonly used and
+for what the algorithms and structures have been tuned, it's out of
+scope and disabling build is a reasonable option.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+[ update changelog ]
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/Kconfig | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/btrfs/Kconfig b/fs/btrfs/Kconfig
+index a26c63b4ad68..9dd07eb88455 100644
+--- a/fs/btrfs/Kconfig
++++ b/fs/btrfs/Kconfig
+@@ -11,6 +11,8 @@ config BTRFS_FS
+ select RAID6_PQ
+ select XOR_BLOCKS
+ select SRCU
++ depends on !PPC_256K_PAGES # powerpc
++ depends on !PAGE_SIZE_256KB # hexagon
+
+ help
+ Btrfs is a general purpose copy-on-write filesystem with extents,
+--
+2.30.2
+
--- /dev/null
+From 8f27f83d02c8db8a93036f35bc4a5182e3765b26 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 May 2021 16:44:08 -0400
+Subject: btrfs: fix error handling in __btrfs_update_delayed_inode
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+[ Upstream commit bb385bedded3ccbd794559600de4a09448810f4a ]
+
+If we get an error while looking up the inode item we'll simply bail
+without cleaning up the delayed node. This results in this style of
+warning happening on commit:
+
+ WARNING: CPU: 0 PID: 76403 at fs/btrfs/delayed-inode.c:1365 btrfs_assert_delayed_root_empty+0x5b/0x90
+ CPU: 0 PID: 76403 Comm: fsstress Tainted: G W 5.13.0-rc1+ #373
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014
+ RIP: 0010:btrfs_assert_delayed_root_empty+0x5b/0x90
+ RSP: 0018:ffffb8bb815a7e50 EFLAGS: 00010286
+ RAX: 0000000000000000 RBX: ffff95d6d07e1888 RCX: ffff95d6c0fa3000
+ RDX: 0000000000000002 RSI: 000000000029e91c RDI: ffff95d6c0fc8060
+ RBP: ffff95d6c0fc8060 R08: 00008d6d701a2c1d R09: 0000000000000000
+ R10: ffff95d6d1760ea0 R11: 0000000000000001 R12: ffff95d6c15a4d00
+ R13: ffff95d6c0fa3000 R14: 0000000000000000 R15: ffffb8bb815a7e90
+ FS: 00007f490e8dbb80(0000) GS:ffff95d73bc00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007f6e75555cb0 CR3: 00000001101ce001 CR4: 0000000000370ef0
+ Call Trace:
+ btrfs_commit_transaction+0x43c/0xb00
+ ? finish_wait+0x80/0x80
+ ? vfs_fsync_range+0x90/0x90
+ iterate_supers+0x8c/0x100
+ ksys_sync+0x50/0x90
+ __do_sys_sync+0xa/0x10
+ do_syscall_64+0x3d/0x80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Because the iref isn't dropped and this leaves an elevated node->count,
+so any release just re-queues it onto the delayed inodes list. Fix this
+by going to the out label to handle the proper cleanup of the delayed
+node.
+
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/delayed-inode.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/fs/btrfs/delayed-inode.c b/fs/btrfs/delayed-inode.c
+index 416fb50a5378..3631154d8245 100644
+--- a/fs/btrfs/delayed-inode.c
++++ b/fs/btrfs/delayed-inode.c
+@@ -1064,12 +1064,10 @@ static int __btrfs_update_delayed_inode(struct btrfs_trans_handle *trans,
+ nofs_flag = memalloc_nofs_save();
+ ret = btrfs_lookup_inode(trans, root, path, &key, mod);
+ memalloc_nofs_restore(nofs_flag);
+- if (ret > 0) {
+- btrfs_release_path(path);
+- return -ENOENT;
+- } else if (ret < 0) {
+- return ret;
+- }
++ if (ret > 0)
++ ret = -ENOENT;
++ if (ret < 0)
++ goto out;
+
+ leaf = path->nodes[0];
+ inode_item = btrfs_item_ptr(leaf, path->slots[0],
+--
+2.30.2
+
--- /dev/null
+From 3e3e4a3639c1c8520a32f2eb01338e8331a502e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 May 2021 20:06:17 +0800
+Subject: char: pcmcia: error out if 'num_bytes_read' is greater than 4 in
+ set_protocol()
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit 37188559c610f1b7eec83c8e448936c361c578de ]
+
+Theoretically, it will cause index out of bounds error if
+'num_bytes_read' is greater than 4. As we expect it(and was tested)
+never to be greater than 4, error out if it happens.
+
+Fixes: c1986ee9bea3 ("[PATCH] New Omnikey Cardman 4000 driver")
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Link: https://lore.kernel.org/r/20210521120617.138396-1-yukuai3@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/pcmcia/cm4000_cs.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/char/pcmcia/cm4000_cs.c b/drivers/char/pcmcia/cm4000_cs.c
+index cd53771b9ae7..432e161efe5d 100644
+--- a/drivers/char/pcmcia/cm4000_cs.c
++++ b/drivers/char/pcmcia/cm4000_cs.c
+@@ -544,6 +544,10 @@ static int set_protocol(struct cm4000_dev *dev, struct ptsreq *ptsreq)
+ io_read_num_rec_bytes(iobase, &num_bytes_read);
+ if (num_bytes_read >= 4) {
+ DEBUGP(2, dev, "NumRecBytes = %i\n", num_bytes_read);
++ if (num_bytes_read > 4) {
++ rc = -EIO;
++ goto exit_setprotocol;
++ }
+ break;
+ }
+ mdelay(10);
+--
+2.30.2
+
--- /dev/null
+From 64841f5b2d3c462a5a2b4a9f2a1f62c6fe8f1cae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jun 2021 15:59:25 +0800
+Subject: configfs: fix memleak in configfs_release_bin_file
+
+From: Chung-Chiang Cheng <shepjeng@gmail.com>
+
+[ Upstream commit 3c252b087de08d3cb32468b54a158bd7ad0ae2f7 ]
+
+When reading binary attributes in progress, buffer->bin_buffer is setup in
+configfs_read_bin_file() but never freed.
+
+Fixes: 03607ace807b4 ("configfs: implement binary attributes")
+Signed-off-by: Chung-Chiang Cheng <cccheng@synology.com>
+[hch: move the vfree rather than duplicating it]
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/configfs/file.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/fs/configfs/file.c b/fs/configfs/file.c
+index 50b7c4c4310e..38eb80e29715 100644
+--- a/fs/configfs/file.c
++++ b/fs/configfs/file.c
+@@ -496,13 +496,13 @@ static int configfs_release_bin_file(struct inode *inode, struct file *file)
+ buffer->bin_buffer_size);
+ }
+ up_read(&frag->frag_sem);
+- /* vfree on NULL is safe */
+- vfree(buffer->bin_buffer);
+- buffer->bin_buffer = NULL;
+- buffer->bin_buffer_size = 0;
+- buffer->needs_read_fill = 1;
+ }
+
++ vfree(buffer->bin_buffer);
++ buffer->bin_buffer = NULL;
++ buffer->bin_buffer_size = 0;
++ buffer->needs_read_fill = 1;
++
+ configfs_release(inode, file);
+ return 0;
+ }
+--
+2.30.2
+
--- /dev/null
+From 8490ce1ac1a73236e805ec556a0af59f0fc650da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 16 May 2021 08:58:04 +0200
+Subject: crypto: ccp - Fix a resource leak in an error handling path
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit a6f8e68e238a15bb15f1726b35c695136c64eaba ]
+
+If an error occurs after calling 'sp_get_irqs()', 'sp_free_irqs()' must be
+called as already done in the error handling path.
+
+Fixes: f4d18d656f88 ("crypto: ccp - Abstract interrupt registeration")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Acked-by: John Allen <john.allen@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/ccp/sp-pci.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/ccp/sp-pci.c b/drivers/crypto/ccp/sp-pci.c
+index 9859aa683a28..e820d99c555f 100644
+--- a/drivers/crypto/ccp/sp-pci.c
++++ b/drivers/crypto/ccp/sp-pci.c
+@@ -173,7 +173,7 @@ static int sp_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+ if (ret) {
+ dev_err(dev, "dma_set_mask_and_coherent failed (%d)\n",
+ ret);
+- goto e_err;
++ goto free_irqs;
+ }
+ }
+
+@@ -181,12 +181,14 @@ static int sp_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+
+ ret = sp_init(sp);
+ if (ret)
+- goto e_err;
++ goto free_irqs;
+
+ dev_notice(dev, "enabled\n");
+
+ return 0;
+
++free_irqs:
++ sp_free_irqs(sp);
+ e_err:
+ dev_notice(dev, "initialization failed\n");
+ return ret;
+--
+2.30.2
+
--- /dev/null
+From a6268eb078ec37d9ee9f1ccbe870fa2ad497d805 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 May 2021 20:26:08 +0000
+Subject: crypto: ixp4xx - dma_unmap the correct address
+
+From: Corentin Labbe <clabbe@baylibre.com>
+
+[ Upstream commit 9395c58fdddd79cdd3882132cdd04e8ac7ad525f ]
+
+Testing ixp4xx_crypto with CONFIG_DMA_API_DEBUG lead to the following error:
+DMA-API: platform ixp4xx_crypto.0: device driver tries to free DMA memory it has not allocated [device address=0x0000000000000000] [size=24 bytes]
+
+This is due to dma_unmap using the wrong address.
+
+Fixes: 0d44dc59b2b4 ("crypto: ixp4xx - Fix handling of chained sg buffers")
+Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/ixp4xx_crypto.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/ixp4xx_crypto.c b/drivers/crypto/ixp4xx_crypto.c
+index 4b6773c345ab..a2266334297b 100644
+--- a/drivers/crypto/ixp4xx_crypto.c
++++ b/drivers/crypto/ixp4xx_crypto.c
+@@ -333,7 +333,7 @@ static void free_buf_chain(struct device *dev, struct buffer_desc *buf,u32 phys)
+
+ buf1 = buf->next;
+ phys1 = buf->phys_next;
+- dma_unmap_single(dev, buf->phys_next, buf->buf_len, buf->dir);
++ dma_unmap_single(dev, buf->phys_addr, buf->buf_len, buf->dir);
+ dma_pool_free(buffer_pool, buf, phys);
+ buf = buf1;
+ phys = phys1;
+--
+2.30.2
+
--- /dev/null
+From 51948fb62855b8fef1cf397609b94bf0055c83f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 8 May 2021 11:14:55 +0800
+Subject: crypto: nx - add missing MODULE_DEVICE_TABLE
+
+From: Bixuan Cui <cuibixuan@huawei.com>
+
+[ Upstream commit 06676aa1f455c74e3ad1624cea3acb9ed2ef71ae ]
+
+This patch adds missing MODULE_DEVICE_TABLE definition which generates
+correct modalias for automatic loading of this driver when it is built
+as an external module.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Bixuan Cui <cuibixuan@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/nx/nx-842-pseries.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/crypto/nx/nx-842-pseries.c b/drivers/crypto/nx/nx-842-pseries.c
+index cddc6d8b55d9..2e5b4004f0ee 100644
+--- a/drivers/crypto/nx/nx-842-pseries.c
++++ b/drivers/crypto/nx/nx-842-pseries.c
+@@ -1086,6 +1086,7 @@ static struct vio_device_id nx842_vio_driver_ids[] = {
+ {"ibm,compression-v1", "ibm,compression"},
+ {"", ""},
+ };
++MODULE_DEVICE_TABLE(vio, nx842_vio_driver_ids);
+
+ static struct vio_driver nx842_vio_driver = {
+ .name = KBUILD_MODNAME,
+--
+2.30.2
+
--- /dev/null
+From b4ce4f8b2a70d137c9dde7104f3a7a60d9ac32a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jun 2021 15:57:12 +0800
+Subject: crypto: nx - Fix RCU warning in nx842_OF_upd_status
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 2a96726bd0ccde4f12b9b9a9f61f7b1ac5af7e10 ]
+
+The function nx842_OF_upd_status triggers a sparse RCU warning when
+it directly dereferences the RCU-protected devdata. This appears
+to be an accident as there was another variable of the same name
+that was passed in from the caller.
+
+After it was removed (because the main purpose of using it, to
+update the status member was itself removed) the global variable
+unintenionally stood in as its replacement.
+
+This patch restores the devdata parameter.
+
+Fixes: 90fd73f912f0 ("crypto: nx - remove pSeries NX 'status' field")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/nx/nx-842-pseries.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/crypto/nx/nx-842-pseries.c b/drivers/crypto/nx/nx-842-pseries.c
+index 2e5b4004f0ee..1b8c87770645 100644
+--- a/drivers/crypto/nx/nx-842-pseries.c
++++ b/drivers/crypto/nx/nx-842-pseries.c
+@@ -553,13 +553,15 @@ static int nx842_OF_set_defaults(struct nx842_devdata *devdata)
+ * The status field indicates if the device is enabled when the status
+ * is 'okay'. Otherwise the device driver will be disabled.
+ *
+- * @prop - struct property point containing the maxsyncop for the update
++ * @devdata: struct nx842_devdata to use for dev_info
++ * @prop: struct property point containing the maxsyncop for the update
+ *
+ * Returns:
+ * 0 - Device is available
+ * -ENODEV - Device is not available
+ */
+-static int nx842_OF_upd_status(struct property *prop)
++static int nx842_OF_upd_status(struct nx842_devdata *devdata,
++ struct property *prop)
+ {
+ const char *status = (const char *)prop->value;
+
+@@ -773,7 +775,7 @@ static int nx842_OF_upd(struct property *new_prop)
+ goto out;
+
+ /* Perform property updates */
+- ret = nx842_OF_upd_status(status);
++ ret = nx842_OF_upd_status(new_devdata, status);
+ if (ret)
+ goto error_out;
+
+--
+2.30.2
+
--- /dev/null
+From cdae9883a332f88ae397e5e01bf480994bdf5b71 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 May 2021 05:13:15 -0400
+Subject: crypto: qat - check return code of qat_hal_rd_rel_reg()
+
+From: Jack Xu <jack.xu@intel.com>
+
+[ Upstream commit 96b57229209490c8bca4335b01a426a96173dc56 ]
+
+Check the return code of the function qat_hal_rd_rel_reg() and return it
+to the caller.
+
+This is to fix the following warning when compiling the driver with
+clang scan-build:
+
+ drivers/crypto/qat/qat_common/qat_hal.c:1436:2: warning: 6th function call argument is an uninitialized value
+
+Signed-off-by: Jack Xu <jack.xu@intel.com>
+Co-developed-by: Zhehui Xiang <zhehui.xiang@intel.com>
+Signed-off-by: Zhehui Xiang <zhehui.xiang@intel.com>
+Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/qat/qat_common/qat_hal.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/qat/qat_common/qat_hal.c b/drivers/crypto/qat/qat_common/qat_hal.c
+index 8c4fd255a601..cdf80c16a033 100644
+--- a/drivers/crypto/qat/qat_common/qat_hal.c
++++ b/drivers/crypto/qat/qat_common/qat_hal.c
+@@ -1255,7 +1255,11 @@ static int qat_hal_put_rel_wr_xfer(struct icp_qat_fw_loader_handle *handle,
+ pr_err("QAT: bad xfrAddr=0x%x\n", xfr_addr);
+ return -EINVAL;
+ }
+- qat_hal_rd_rel_reg(handle, ae, ctx, ICP_GPB_REL, gprnum, &gprval);
++ status = qat_hal_rd_rel_reg(handle, ae, ctx, ICP_GPB_REL, gprnum, &gprval);
++ if (status) {
++ pr_err("QAT: failed to read register");
++ return status;
++ }
+ gpr_addr = qat_hal_get_reg_addr(ICP_GPB_REL, gprnum);
+ data16low = 0xffff & data;
+ data16hi = 0xffff & (data >> 0x10);
+--
+2.30.2
+
--- /dev/null
+From 7c4bc59ea09240e9214fee6b325076b6f8e2728e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 May 2021 05:13:16 -0400
+Subject: crypto: qat - remove unused macro in FW loader
+
+From: Jack Xu <jack.xu@intel.com>
+
+[ Upstream commit 9afe77cf25d9670e61b489fd52cc6f75fd7f6803 ]
+
+Remove the unused macro ICP_DH895XCC_PESRAM_BAR_SIZE in the firmware
+loader.
+
+This is to fix the following warning when compiling the driver using the
+clang compiler with CC=clang W=2:
+
+ drivers/crypto/qat/qat_common/qat_uclo.c:345:9: warning: macro is not used [-Wunused-macros]
+
+Signed-off-by: Jack Xu <jack.xu@intel.com>
+Co-developed-by: Zhehui Xiang <zhehui.xiang@intel.com>
+Signed-off-by: Zhehui Xiang <zhehui.xiang@intel.com>
+Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/qat/qat_common/qat_uclo.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/crypto/qat/qat_common/qat_uclo.c b/drivers/crypto/qat/qat_common/qat_uclo.c
+index 4f1cd83bf56f..a8e3191e5185 100644
+--- a/drivers/crypto/qat/qat_common/qat_uclo.c
++++ b/drivers/crypto/qat/qat_common/qat_uclo.c
+@@ -385,7 +385,6 @@ static int qat_uclo_init_umem_seg(struct icp_qat_fw_loader_handle *handle,
+ return 0;
+ }
+
+-#define ICP_DH895XCC_PESRAM_BAR_SIZE 0x80000
+ static int qat_uclo_init_ae_memory(struct icp_qat_fw_loader_handle *handle,
+ struct icp_qat_uof_initmem *init_mem)
+ {
+--
+2.30.2
+
--- /dev/null
+From 6be198690aa1158fc00b1e5520d8f87420fa5de5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jun 2021 08:21:50 +0200
+Subject: crypto: shash - avoid comparing pointers to exported functions under
+ CFI
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+[ Upstream commit 22ca9f4aaf431a9413dcc115dd590123307f274f ]
+
+crypto_shash_alg_has_setkey() is implemented by testing whether the
+.setkey() member of a struct shash_alg points to the default version,
+called shash_no_setkey(). As crypto_shash_alg_has_setkey() is a static
+inline, this requires shash_no_setkey() to be exported to modules.
+
+Unfortunately, when building with CFI, function pointers are routed
+via CFI stubs which are private to each module (or to the kernel proper)
+and so this function pointer comparison may fail spuriously.
+
+Let's fix this by turning crypto_shash_alg_has_setkey() into an out of
+line function.
+
+Cc: Sami Tolvanen <samitolvanen@google.com>
+Cc: Eric Biggers <ebiggers@kernel.org>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/shash.c | 18 +++++++++++++++---
+ include/crypto/internal/hash.h | 8 +-------
+ 2 files changed, 16 insertions(+), 10 deletions(-)
+
+diff --git a/crypto/shash.c b/crypto/shash.c
+index a04145e5306a..55e7a2f63b34 100644
+--- a/crypto/shash.c
++++ b/crypto/shash.c
+@@ -25,12 +25,24 @@
+
+ static const struct crypto_type crypto_shash_type;
+
+-int shash_no_setkey(struct crypto_shash *tfm, const u8 *key,
+- unsigned int keylen)
++static int shash_no_setkey(struct crypto_shash *tfm, const u8 *key,
++ unsigned int keylen)
+ {
+ return -ENOSYS;
+ }
+-EXPORT_SYMBOL_GPL(shash_no_setkey);
++
++/*
++ * Check whether an shash algorithm has a setkey function.
++ *
++ * For CFI compatibility, this must not be an inline function. This is because
++ * when CFI is enabled, modules won't get the same address for shash_no_setkey
++ * (if it were exported, which inlining would require) as the core kernel will.
++ */
++bool crypto_shash_alg_has_setkey(struct shash_alg *alg)
++{
++ return alg->setkey != shash_no_setkey;
++}
++EXPORT_SYMBOL_GPL(crypto_shash_alg_has_setkey);
+
+ static int shash_setkey_unaligned(struct crypto_shash *tfm, const u8 *key,
+ unsigned int keylen)
+diff --git a/include/crypto/internal/hash.h b/include/crypto/internal/hash.h
+index 27040a46d50a..556b40fee2d1 100644
+--- a/include/crypto/internal/hash.h
++++ b/include/crypto/internal/hash.h
+@@ -82,13 +82,7 @@ int ahash_register_instance(struct crypto_template *tmpl,
+ struct ahash_instance *inst);
+ void ahash_free_instance(struct crypto_instance *inst);
+
+-int shash_no_setkey(struct crypto_shash *tfm, const u8 *key,
+- unsigned int keylen);
+-
+-static inline bool crypto_shash_alg_has_setkey(struct shash_alg *alg)
+-{
+- return alg->setkey != shash_no_setkey;
+-}
++bool crypto_shash_alg_has_setkey(struct shash_alg *alg);
+
+ bool crypto_hash_alg_has_setkey(struct hash_alg_common *halg);
+
+--
+2.30.2
+
--- /dev/null
+From be3818d596719c20d6dfdc85f473b115bf3eca55 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 8 May 2021 15:00:49 +0800
+Subject: crypto: ux500 - Fix error return code in hash_hw_final()
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit b01360384009ab066940b45f34880991ea7ccbfb ]
+
+Fix to return a negative error code from the error handling
+case instead of 0, as done elsewhere in this function.
+
+Fixes: 8a63b1994c50 ("crypto: ux500 - Add driver for HASH hardware")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/ux500/hash/hash_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/crypto/ux500/hash/hash_core.c b/drivers/crypto/ux500/hash/hash_core.c
+index 17c8e2b28c42..7500ec9efa6a 100644
+--- a/drivers/crypto/ux500/hash/hash_core.c
++++ b/drivers/crypto/ux500/hash/hash_core.c
+@@ -1006,6 +1006,7 @@ static int hash_hw_final(struct ahash_request *req)
+ goto out;
+ }
+ } else if (req->nbytes == 0 && ctx->keylen > 0) {
++ ret = -EPERM;
+ dev_err(device_data->dev, "%s: Empty message with keylength > 0, NOT supported\n",
+ __func__);
+ goto out;
+--
+2.30.2
+
--- /dev/null
+From daa6f5e987d95977092793a6c553208b10a328b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jun 2021 17:13:13 +0100
+Subject: drm: qxl: ensure surf.data is ininitialized
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit fbbf23ddb2a1cc0c12c9f78237d1561c24006f50 ]
+
+The object surf is not fully initialized and the uninitialized
+field surf.data is being copied by the call to qxl_bo_create
+via the call to qxl_gem_object_create. Set surf.data to zero
+to ensure garbage data from the stack is not being copied.
+
+Addresses-Coverity: ("Uninitialized scalar variable")
+Fixes: f64122c1f6ad ("drm: add new QXL driver. (v1.4)")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/20210608161313.161922-1-colin.king@canonical.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/qxl/qxl_dumb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/qxl/qxl_dumb.c b/drivers/gpu/drm/qxl/qxl_dumb.c
+index 11085ab01374..9a0c92d8a1eb 100644
+--- a/drivers/gpu/drm/qxl/qxl_dumb.c
++++ b/drivers/gpu/drm/qxl/qxl_dumb.c
+@@ -57,6 +57,8 @@ int qxl_mode_dumb_create(struct drm_file *file_priv,
+ surf.height = args->height;
+ surf.stride = pitch;
+ surf.format = format;
++ surf.data = 0;
++
+ r = qxl_gem_object_create_with_handle(qdev, file_priv,
+ QXL_GEM_DOMAIN_VRAM,
+ args->size, &surf, &qobj,
+--
+2.30.2
+
--- /dev/null
+From a86a199836cc37235d2eae324cbf3e9e8509b0a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 May 2021 21:49:28 +0800
+Subject: drm/rockchip: cdn-dp-core: add missing clk_disable_unprepare() on
+ error in cdn_dp_grf_write()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit ae41d925c75b53798f289c69ee8d9f7d36432f6d ]
+
+After calling clk_prepare_enable(), clk_disable_unprepare() need
+be called when calling regmap_write() failed.
+
+Fixes: 1a0f7ed3abe2 ("drm/rockchip: cdn-dp: add cdn DP support for rk3399")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210519134928.2696617-1-yangyingliang@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/rockchip/cdn-dp-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/rockchip/cdn-dp-core.c b/drivers/gpu/drm/rockchip/cdn-dp-core.c
+index a57da051f516..97ce3c5c3fce 100644
+--- a/drivers/gpu/drm/rockchip/cdn-dp-core.c
++++ b/drivers/gpu/drm/rockchip/cdn-dp-core.c
+@@ -83,6 +83,7 @@ static int cdn_dp_grf_write(struct cdn_dp_device *dp,
+ ret = regmap_write(dp->grf, reg, val);
+ if (ret) {
+ DRM_DEV_ERROR(dp->dev, "Could not write to GRF: %d\n", ret);
++ clk_disable_unprepare(dp->grf_clk);
+ return ret;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 5be6aa3ff9382a0b718ae7e507b20c87c2b21f2c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jun 2021 01:17:55 +0300
+Subject: eeprom: idt_89hpesx: Put fwnode in matching case during ->probe()
+
+From: Andy Shevchenko <andy.shevchenko@gmail.com>
+
+[ Upstream commit 3f6ee1c095156a74ab2df605af13020f1ce3e600 ]
+
+device_get_next_child_node() bumps a reference counting of a returned variable.
+We have to balance it whenever we return to the caller.
+
+Fixes: db15d73e5f0e ("eeprom: idt_89hpesx: Support both ACPI and OF probing")
+Cc: Huy Duong <qhuyduong@hotmail.com>
+Signed-off-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20210607221757.81465-1-andy.shevchenko@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/eeprom/idt_89hpesx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/misc/eeprom/idt_89hpesx.c b/drivers/misc/eeprom/idt_89hpesx.c
+index 34a5a41578d7..b972b5425654 100644
+--- a/drivers/misc/eeprom/idt_89hpesx.c
++++ b/drivers/misc/eeprom/idt_89hpesx.c
+@@ -1165,6 +1165,7 @@ static void idt_get_fw_data(struct idt_89hpesx_dev *pdev)
+ else /* if (!fwnode_property_read_bool(node, "read-only")) */
+ pdev->eero = false;
+
++ fwnode_handle_put(fwnode);
+ dev_info(dev, "EEPROM of %d bytes found by 0x%x",
+ pdev->eesize, pdev->eeaddr);
+ }
+--
+2.30.2
+
--- /dev/null
+From 8c6f69bb32b07c8673f8e3628c88043ead15ab42 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 May 2021 16:55:55 +0800
+Subject: ehea: fix error return code in ehea_restart_qps()
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit 015dbf5662fd689d581c0bc980711b073ca09a1a ]
+
+Fix to return -EFAULT from the error handling case instead of 0, as done
+elsewhere in this function.
+
+By the way, when get_zeroed_page() fails, directly return -ENOMEM to
+simplify code.
+
+Fixes: 2c69448bbced ("ehea: DLPAR memory add fix")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Link: https://lore.kernel.org/r/20210528085555.9390-1-thunder.leizhen@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ibm/ehea/ehea_main.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/ibm/ehea/ehea_main.c b/drivers/net/ethernet/ibm/ehea/ehea_main.c
+index 373deb247ac0..a754e2ce7730 100644
+--- a/drivers/net/ethernet/ibm/ehea/ehea_main.c
++++ b/drivers/net/ethernet/ibm/ehea/ehea_main.c
+@@ -2647,10 +2647,8 @@ static int ehea_restart_qps(struct net_device *dev)
+ u16 dummy16 = 0;
+
+ cb0 = (void *)get_zeroed_page(GFP_KERNEL);
+- if (!cb0) {
+- ret = -ENOMEM;
+- goto out;
+- }
++ if (!cb0)
++ return -ENOMEM;
+
+ for (i = 0; i < (port->num_def_qps); i++) {
+ struct ehea_port_res *pr = &port->port_res[i];
+@@ -2670,6 +2668,7 @@ static int ehea_restart_qps(struct net_device *dev)
+ cb0);
+ if (hret != H_SUCCESS) {
+ netdev_err(dev, "query_ehea_qp failed (1)\n");
++ ret = -EFAULT;
+ goto out;
+ }
+
+@@ -2682,6 +2681,7 @@ static int ehea_restart_qps(struct net_device *dev)
+ &dummy64, &dummy16, &dummy16);
+ if (hret != H_SUCCESS) {
+ netdev_err(dev, "modify_ehea_qp failed (1)\n");
++ ret = -EFAULT;
+ goto out;
+ }
+
+@@ -2690,6 +2690,7 @@ static int ehea_restart_qps(struct net_device *dev)
+ cb0);
+ if (hret != H_SUCCESS) {
+ netdev_err(dev, "query_ehea_qp failed (2)\n");
++ ret = -EFAULT;
+ goto out;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 92e5cfda1603fa9734f2c35c0f0ce04591113ae2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Apr 2021 22:46:24 +0200
+Subject: extcon: max8997: Add missing modalias string
+
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+
+[ Upstream commit dc11fc2991e9efbceef93912b83e333d2835fb19 ]
+
+The platform device driver name is "max8997-muic", so advertise it
+properly in the modalias string. This fixes automated module loading when
+this driver is compiled as a module.
+
+Fixes: b76668ba8a77 ("Extcon: add MAX8997 extcon driver")
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/extcon/extcon-max8997.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/extcon/extcon-max8997.c b/drivers/extcon/extcon-max8997.c
+index b9b48d45a6dc..17d426829f5d 100644
+--- a/drivers/extcon/extcon-max8997.c
++++ b/drivers/extcon/extcon-max8997.c
+@@ -783,3 +783,4 @@ module_platform_driver(max8997_muic_driver);
+ MODULE_DESCRIPTION("Maxim MAX8997 Extcon driver");
+ MODULE_AUTHOR("Donggeun Kim <dg77.kim@samsung.com>");
+ MODULE_LICENSE("GPL");
++MODULE_ALIAS("platform:max8997-muic");
+--
+2.30.2
+
--- /dev/null
+From bbee3e68d68a3172abb0d0475ceb875b105ecfd6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 May 2021 15:34:35 +0200
+Subject: extcon: sm5502: Drop invalid register write in sm5502_reg_data
+
+From: Stephan Gerhold <stephan@gerhold.net>
+
+[ Upstream commit d25b224f8e5507879b36a769a6d1324cf163466c ]
+
+When sm5502_init_dev_type() iterates over sm5502_reg_data to
+initialize the registers it is limited by ARRAY_SIZE(sm5502_reg_data).
+There is no need to add another empty element to sm5502_reg_data.
+
+Having the additional empty element in sm5502_reg_data will just
+result in writing 0xff to register 0x00, which does not really
+make sense.
+
+Fixes: 914b881f9452 ("extcon: sm5502: Add support new SM5502 extcon device driver")
+Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
+Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/extcon/extcon-sm5502.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/extcon/extcon-sm5502.c b/drivers/extcon/extcon-sm5502.c
+index 1a1ee3db3455..431538a14ec8 100644
+--- a/drivers/extcon/extcon-sm5502.c
++++ b/drivers/extcon/extcon-sm5502.c
+@@ -92,7 +92,6 @@ static struct reg_data sm5502_reg_data[] = {
+ | SM5502_REG_INTM2_MHL_MASK,
+ .invert = true,
+ },
+- { }
+ };
+
+ /* List of detectable cables */
+--
+2.30.2
+
--- /dev/null
+From 25ac912c986369a8640128f060f83a07e4563550 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 May 2021 15:08:38 -0400
+Subject: fs: dlm: cancel work sync othercon
+
+From: Alexander Aring <aahringo@redhat.com>
+
+[ Upstream commit c6aa00e3d20c2767ba3f57b64eb862572b9744b3 ]
+
+These rx tx flags arguments are for signaling close_connection() from
+which worker they are called. Obviously the receive worker cannot cancel
+itself and vice versa for swork. For the othercon the receive worker
+should only be used, however to avoid deadlocks we should pass the same
+flags as the original close_connection() was called.
+
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/dlm/lowcomms.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/dlm/lowcomms.c b/fs/dlm/lowcomms.c
+index 4813d0e0cd9b..af17fcd798c8 100644
+--- a/fs/dlm/lowcomms.c
++++ b/fs/dlm/lowcomms.c
+@@ -595,7 +595,7 @@ static void close_connection(struct connection *con, bool and_other,
+ }
+ if (con->othercon && and_other) {
+ /* Will only re-enter once. */
+- close_connection(con->othercon, false, true, true);
++ close_connection(con->othercon, false, tx, rx);
+ }
+ if (con->rx_page) {
+ __free_page(con->rx_page);
+--
+2.30.2
+
--- /dev/null
+From 55c94878e4b7d54b9d2b76873cd178d80f58a882 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jun 2021 09:45:16 -0400
+Subject: fs: dlm: fix memory leak when fenced
+
+From: Alexander Aring <aahringo@redhat.com>
+
+[ Upstream commit 700ab1c363c7b54c9ea3222379b33fc00ab02f7b ]
+
+I got some kmemleak report when a node was fenced. The user space tool
+dlm_controld will therefore run some rmdir() in dlm configfs which was
+triggering some memleaks. This patch stores the sps and cms attributes
+which stores some handling for subdirectories of the configfs cluster
+entry and free them if they get released as the parent directory gets
+freed.
+
+unreferenced object 0xffff88810d9e3e00 (size 192):
+ comm "dlm_controld", pid 342, jiffies 4294698126 (age 55438.801s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 73 70 61 63 65 73 00 00 ........spaces..
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<00000000db8b640b>] make_cluster+0x5d/0x360
+ [<000000006a571db4>] configfs_mkdir+0x274/0x730
+ [<00000000b094501c>] vfs_mkdir+0x27e/0x340
+ [<0000000058b0adaf>] do_mkdirat+0xff/0x1b0
+ [<00000000d1ffd156>] do_syscall_64+0x40/0x80
+ [<00000000ab1408c8>] entry_SYSCALL_64_after_hwframe+0x44/0xae
+unreferenced object 0xffff88810d9e3a00 (size 192):
+ comm "dlm_controld", pid 342, jiffies 4294698126 (age 55438.801s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 63 6f 6d 6d 73 00 00 00 ........comms...
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<00000000a7ef6ad2>] make_cluster+0x82/0x360
+ [<000000006a571db4>] configfs_mkdir+0x274/0x730
+ [<00000000b094501c>] vfs_mkdir+0x27e/0x340
+ [<0000000058b0adaf>] do_mkdirat+0xff/0x1b0
+ [<00000000d1ffd156>] do_syscall_64+0x40/0x80
+ [<00000000ab1408c8>] entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/dlm/config.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/fs/dlm/config.c b/fs/dlm/config.c
+index 472f4f835d3e..4fb070b7f00f 100644
+--- a/fs/dlm/config.c
++++ b/fs/dlm/config.c
+@@ -80,6 +80,9 @@ struct dlm_cluster {
+ unsigned int cl_new_rsb_count;
+ unsigned int cl_recover_callbacks;
+ char cl_cluster_name[DLM_LOCKSPACE_LEN];
++
++ struct dlm_spaces *sps;
++ struct dlm_comms *cms;
+ };
+
+ static struct dlm_cluster *config_item_to_cluster(struct config_item *i)
+@@ -356,6 +359,9 @@ static struct config_group *make_cluster(struct config_group *g,
+ if (!cl || !sps || !cms)
+ goto fail;
+
++ cl->sps = sps;
++ cl->cms = cms;
++
+ config_group_init_type_name(&cl->group, name, &cluster_type);
+ config_group_init_type_name(&sps->ss_group, "spaces", &spaces_type);
+ config_group_init_type_name(&cms->cs_group, "comms", &comms_type);
+@@ -405,6 +411,9 @@ static void drop_cluster(struct config_group *g, struct config_item *i)
+ static void release_cluster(struct config_item *i)
+ {
+ struct dlm_cluster *cl = config_item_to_cluster(i);
++
++ kfree(cl->sps);
++ kfree(cl->cms);
+ kfree(cl);
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 1a9cff4b2b6a756176ebdaeb857f526a9184c376 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Mar 2021 17:27:16 -0700
+Subject: HID: do not use down_interruptible() when unbinding devices
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+[ Upstream commit f2145f8dc566c4f3b5a8deb58dcd12bed4e20194 ]
+
+Action of unbinding driver from a device is not cancellable and should not
+fail, and driver core does not pay attention to the result of "remove"
+method, therefore using down_interruptible() in hid_device_remove() does
+not make sense.
+
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-core.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
+index 381ab96c1e38..a3656a158ba3 100644
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -2613,12 +2613,8 @@ static int hid_device_remove(struct device *dev)
+ {
+ struct hid_device *hdev = to_hid_device(dev);
+ struct hid_driver *hdrv;
+- int ret = 0;
+
+- if (down_interruptible(&hdev->driver_input_lock)) {
+- ret = -EINTR;
+- goto end;
+- }
++ down(&hdev->driver_input_lock);
+ hdev->io_started = false;
+
+ hdrv = hdev->driver;
+@@ -2633,8 +2629,8 @@ static int hid_device_remove(struct device *dev)
+
+ if (!hdev->io_started)
+ up(&hdev->driver_input_lock);
+-end:
+- return ret;
++
++ return 0;
+ }
+
+ static ssize_t modalias_show(struct device *dev, struct device_attribute *a,
+--
+2.30.2
+
--- /dev/null
+From d829000564041a6a4688aa67eb57e017687af29b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jun 2021 09:58:09 -0700
+Subject: HID: wacom: Correct base usage for capacitive ExpressKey status bits
+
+From: Jason Gerecke <killertofu@gmail.com>
+
+[ Upstream commit 424d8237945c6c448c8b3f23885d464fb5685c97 ]
+
+The capacitive status of ExpressKeys is reported with usages beginning
+at 0x940, not 0x950. Bring our driver into alignment with reality.
+
+Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/wacom_wac.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hid/wacom_wac.h b/drivers/hid/wacom_wac.h
+index d2fe7af2c152..55b542a6a66b 100644
+--- a/drivers/hid/wacom_wac.h
++++ b/drivers/hid/wacom_wac.h
+@@ -121,7 +121,7 @@
+ #define WACOM_HID_WD_TOUCHONOFF (WACOM_HID_UP_WACOMDIGITIZER | 0x0454)
+ #define WACOM_HID_WD_BATTERY_LEVEL (WACOM_HID_UP_WACOMDIGITIZER | 0x043b)
+ #define WACOM_HID_WD_EXPRESSKEY00 (WACOM_HID_UP_WACOMDIGITIZER | 0x0910)
+-#define WACOM_HID_WD_EXPRESSKEYCAP00 (WACOM_HID_UP_WACOMDIGITIZER | 0x0950)
++#define WACOM_HID_WD_EXPRESSKEYCAP00 (WACOM_HID_UP_WACOMDIGITIZER | 0x0940)
+ #define WACOM_HID_WD_MODE_CHANGE (WACOM_HID_UP_WACOMDIGITIZER | 0x0980)
+ #define WACOM_HID_WD_MUTE_DEVICE (WACOM_HID_UP_WACOMDIGITIZER | 0x0981)
+ #define WACOM_HID_WD_CONTROLPANEL (WACOM_HID_UP_WACOMDIGITIZER | 0x0982)
+--
+2.30.2
+
--- /dev/null
+From a23c09ff39ffb878f3cd1146c9de979c41ac7533 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 May 2021 15:01:16 +0800
+Subject: hv_utils: Fix passing zero to 'PTR_ERR' warning
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit c6a8625fa4c6b0a97860d053271660ccedc3d1b3 ]
+
+Sparse warn this:
+
+drivers/hv/hv_util.c:753 hv_timesync_init() warn:
+ passing zero to 'PTR_ERR'
+
+Use PTR_ERR_OR_ZERO instead of PTR_ERR to fix this.
+
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Link: https://lore.kernel.org/r/20210514070116.16800-1-yuehaibing@huawei.com
+[ wei: change %ld to %d ]
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hv/hv_util.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hv/hv_util.c b/drivers/hv/hv_util.c
+index 14dce25c104f..8b2ebcab1518 100644
+--- a/drivers/hv/hv_util.c
++++ b/drivers/hv/hv_util.c
+@@ -545,8 +545,8 @@ static int hv_timesync_init(struct hv_util_service *srv)
+ */
+ hv_ptp_clock = ptp_clock_register(&ptp_hyperv_info, NULL);
+ if (IS_ERR_OR_NULL(hv_ptp_clock)) {
+- pr_err("cannot register PTP clock: %ld\n",
+- PTR_ERR(hv_ptp_clock));
++ pr_err("cannot register PTP clock: %d\n",
++ PTR_ERR_OR_ZERO(hv_ptp_clock));
+ hv_ptp_clock = NULL;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 118ce9d153f939175dbb0b554a8162662888ab66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 8 May 2021 09:50:25 -0700
+Subject: hwmon: (max31722) Remove non-standard ACPI device IDs
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit 97387c2f06bcfd79d04a848d35517b32ee6dca7c ]
+
+Valid Maxim Integrated ACPI device IDs would start with MXIM,
+not with MAX1. On top of that, ACPI device IDs reflecting chip names
+are almost always invalid.
+
+Remove the invalid ACPI IDs.
+
+Fixes: 04e1e70afec6 ("hwmon: (max31722) Add support for MAX31722/MAX31723 temperature sensors")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/max31722.c | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+diff --git a/drivers/hwmon/max31722.c b/drivers/hwmon/max31722.c
+index 30a100e70a0d..877c3d7dca01 100644
+--- a/drivers/hwmon/max31722.c
++++ b/drivers/hwmon/max31722.c
+@@ -9,7 +9,6 @@
+ * directory of this archive for more details.
+ */
+
+-#include <linux/acpi.h>
+ #include <linux/hwmon.h>
+ #include <linux/hwmon-sysfs.h>
+ #include <linux/kernel.h>
+@@ -138,20 +137,12 @@ static const struct spi_device_id max31722_spi_id[] = {
+ {"max31723", 0},
+ {}
+ };
+-
+-static const struct acpi_device_id __maybe_unused max31722_acpi_id[] = {
+- {"MAX31722", 0},
+- {"MAX31723", 0},
+- {}
+-};
+-
+ MODULE_DEVICE_TABLE(spi, max31722_spi_id);
+
+ static struct spi_driver max31722_driver = {
+ .driver = {
+ .name = "max31722",
+ .pm = &max31722_pm_ops,
+- .acpi_match_table = ACPI_PTR(max31722_acpi_id),
+ },
+ .probe = max31722_probe,
+ .remove = max31722_remove,
+--
+2.30.2
+
--- /dev/null
+From 64412e50b1a45a553b8057a394236dc62e6ddfe9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 May 2021 08:40:16 -0700
+Subject: hwmon: (max31790) Fix fan speed reporting for fan7..12
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit cbbf244f0515af3472084f22b6213121b4a63835 ]
+
+Fans 7..12 do not have their own set of configuration registers.
+So far the code ignored that and read beyond the end of the configuration
+register range to get the tachometer period. This resulted in more or less
+random fan speed values for those fans.
+
+The datasheet is quite vague when it comes to defining the tachometer
+period for fans 7..12. Experiments confirm that the period is the same
+for both fans associated with a given set of configuration registers.
+
+Fixes: 54187ff9d766 ("hwmon: (max31790) Convert to use new hwmon registration API")
+Fixes: 195a4b4298a7 ("hwmon: Driver for Maxim MAX31790")
+Cc: Jan Kundrát <jan.kundrat@cesnet.cz>
+Reviewed-by: Jan Kundrát <jan.kundrat@cesnet.cz>
+Cc: Václav Kubernát <kubernat@cesnet.cz>
+Reviewed-by: Jan Kundrát <jan.kundrat@cesnet.cz>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20210526154022.3223012-2-linux@roeck-us.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/max31790.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hwmon/max31790.c b/drivers/hwmon/max31790.c
+index 281491cca510..66cf772de7d2 100644
+--- a/drivers/hwmon/max31790.c
++++ b/drivers/hwmon/max31790.c
+@@ -179,7 +179,7 @@ static int max31790_read_fan(struct device *dev, u32 attr, int channel,
+
+ switch (attr) {
+ case hwmon_fan_input:
+- sr = get_tach_period(data->fan_dynamics[channel]);
++ sr = get_tach_period(data->fan_dynamics[channel % NR_CHANNEL]);
+ rpm = RPM_FROM_REG(data->tach[channel], sr);
+ *val = rpm;
+ return 0;
+--
+2.30.2
+
--- /dev/null
+From 27170e7c861b1e26371b6fd4ee1efeb0d335b3c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 Feb 2021 19:50:58 +0800
+Subject: i40e: Fix error handling in i40e_vsi_open
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit 9c04cfcd4aad232e36306cdc5c74cd9fc9148a7e ]
+
+When vsi->type == I40E_VSI_FDIR, we have caught the return value of
+i40e_vsi_request_irq() but without further handling. Check and execute
+memory clean on failure just like the other i40e_vsi_request_irq().
+
+Fixes: 8a9eb7d3cbcab ("i40e: rework fdir setup and teardown")
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Tested-by: Tony Brelinski <tonyx.brelinski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index e25bb667fb59..65c17e39c405 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -5755,6 +5755,8 @@ int i40e_vsi_open(struct i40e_vsi *vsi)
+ dev_driver_string(&pf->pdev->dev),
+ dev_name(&pf->pdev->dev));
+ err = i40e_vsi_request_irq(vsi, int_name);
++ if (err)
++ goto err_setup_rx;
+
+ } else {
+ err = -EINVAL;
+--
+2.30.2
+
--- /dev/null
+From 78eee3143980f9e813b0532c6676e795c3ea103e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Jun 2021 19:33:41 -0700
+Subject: ia64: mca_drv: fix incorrect array size calculation
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit c5f320ff8a79501bb59338278336ec43acb9d7e2 ]
+
+gcc points out a mistake in the mca driver that goes back to before the
+git history:
+
+arch/ia64/kernel/mca_drv.c: In function 'init_record_index_pools':
+arch/ia64/kernel/mca_drv.c:346:54: error: expression does not compute the number of elements in this array; element typ
+e is 'int', not 'size_t' {aka 'long unsigned int'} [-Werror=sizeof-array-div]
+ 346 | for (i = 1; i < sizeof sal_log_sect_min_sizes/sizeof(size_t); i++)
+ | ^
+
+This is the same as sizeof(size_t), which is two shorter than the actual
+array. Use the ARRAY_SIZE() macro to get the correct calculation instead.
+
+Link: https://lkml.kernel.org/r/20210514214123.875971-1-arnd@kernel.org
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Cc: Masahiro Yamada <masahiroy@kernel.org>
+Cc: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/ia64/kernel/mca_drv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/ia64/kernel/mca_drv.c b/arch/ia64/kernel/mca_drv.c
+index 94f8bf777afa..3503d488e9b3 100644
+--- a/arch/ia64/kernel/mca_drv.c
++++ b/arch/ia64/kernel/mca_drv.c
+@@ -343,7 +343,7 @@ init_record_index_pools(void)
+
+ /* - 2 - */
+ sect_min_size = sal_log_sect_min_sizes[0];
+- for (i = 1; i < sizeof sal_log_sect_min_sizes/sizeof(size_t); i++)
++ for (i = 1; i < ARRAY_SIZE(sal_log_sect_min_sizes); i++)
+ if (sect_min_size > sal_log_sect_min_sizes[i])
+ sect_min_size = sal_log_sect_min_sizes[i];
+
+--
+2.30.2
+
--- /dev/null
+From fca2669c76b18ab886813e8462ef622a7cf4dc00 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 May 2021 18:01:03 +0100
+Subject: iio: accel: bma180: Fix buffer alignment in
+ iio_push_to_buffers_with_timestamp()
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit fc36da3131a747a9367a05caf06de19be1bcc972 ]
+
+To make code more readable, use a structure to express the channel
+layout and ensure the timestamp is 8 byte aligned.
+
+Found during an audit of all calls of this function.
+
+Fixes: b9a6a237ffc9 ("iio:bma180: Drop _update_scan_mode()")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Cc: Peter Meerwald <pmeerw@pmeerw.net>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20210501170121.512209-2-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/accel/bma180.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/iio/accel/bma180.c b/drivers/iio/accel/bma180.c
+index 3dec972ca672..dabe4717961f 100644
+--- a/drivers/iio/accel/bma180.c
++++ b/drivers/iio/accel/bma180.c
+@@ -121,7 +121,11 @@ struct bma180_data {
+ int scale;
+ int bw;
+ bool pmode;
+- u8 buff[16]; /* 3x 16-bit + 8-bit + padding + timestamp */
++ /* Ensure timestamp is naturally aligned */
++ struct {
++ s16 chan[4];
++ s64 timestamp __aligned(8);
++ } scan;
+ };
+
+ enum bma180_chan {
+@@ -668,12 +672,12 @@ static irqreturn_t bma180_trigger_handler(int irq, void *p)
+ mutex_unlock(&data->mutex);
+ goto err;
+ }
+- ((s16 *)data->buff)[i++] = ret;
++ data->scan.chan[i++] = ret;
+ }
+
+ mutex_unlock(&data->mutex);
+
+- iio_push_to_buffers_with_timestamp(indio_dev, data->buff, time_ns);
++ iio_push_to_buffers_with_timestamp(indio_dev, &data->scan, time_ns);
+ err:
+ iio_trigger_notify_done(indio_dev->trig);
+
+--
+2.30.2
+
--- /dev/null
+From eb31aa19920b82c25dfe621e06259c8e7ab73e5b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 May 2021 18:01:04 +0100
+Subject: iio: accel: bma220: Fix buffer alignment in
+ iio_push_to_buffers_with_timestamp()
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit 151dbf0078da98206817ee0b87d499035479ef11 ]
+
+To make code more readable, use a structure to express the channel
+layout and ensure the timestamp is 8 byte aligned.
+
+Found during an audit of all calls of this function.
+
+Fixes: 194dc4c71413 ("iio: accel: Add triggered buffer support for BMA220")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20210501170121.512209-3-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/accel/bma220_spi.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/iio/accel/bma220_spi.c b/drivers/iio/accel/bma220_spi.c
+index 5099f295dd37..a96f2d530ae3 100644
+--- a/drivers/iio/accel/bma220_spi.c
++++ b/drivers/iio/accel/bma220_spi.c
+@@ -76,7 +76,11 @@ static const int bma220_scale_table[][4] = {
+ struct bma220_data {
+ struct spi_device *spi_device;
+ struct mutex lock;
+- s8 buffer[16]; /* 3x8-bit channels + 5x8 padding + 8x8 timestamp */
++ struct {
++ s8 chans[3];
++ /* Ensure timestamp is naturally aligned. */
++ s64 timestamp __aligned(8);
++ } scan;
+ u8 tx_buf[2] ____cacheline_aligned;
+ };
+
+@@ -107,12 +111,12 @@ static irqreturn_t bma220_trigger_handler(int irq, void *p)
+
+ mutex_lock(&data->lock);
+ data->tx_buf[0] = BMA220_REG_ACCEL_X | BMA220_READ_MASK;
+- ret = spi_write_then_read(spi, data->tx_buf, 1, data->buffer,
++ ret = spi_write_then_read(spi, data->tx_buf, 1, &data->scan.chans,
+ ARRAY_SIZE(bma220_channels) - 1);
+ if (ret < 0)
+ goto err;
+
+- iio_push_to_buffers_with_timestamp(indio_dev, data->buffer,
++ iio_push_to_buffers_with_timestamp(indio_dev, &data->scan,
+ pf->timestamp);
+ err:
+ mutex_unlock(&data->lock);
+--
+2.30.2
+
--- /dev/null
+From 2ae9dc38e77946a668cfacd01faee64021a30b85 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 May 2021 18:01:05 +0100
+Subject: iio: accel: hid: Fix buffer alignment in
+ iio_push_to_buffers_with_timestamp()
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit c6559bf796ccdb3a0c79db846af96c8f7046880b ]
+
+To make code more readable, use a structure to express the channel
+layout and ensure the timestamp is 8 byte aligned.
+Note this matches what was done in all the other hid sensor drivers.
+This one was missed previously due to an extra level of indirection.
+
+Found during an audit of all calls of this function.
+
+Fixes: a96cd0f901ee ("iio: accel: hid-sensor-accel-3d: Add timestamp")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Cc: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20210501170121.512209-4-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/accel/hid-sensor-accel-3d.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/iio/accel/hid-sensor-accel-3d.c b/drivers/iio/accel/hid-sensor-accel-3d.c
+index f573d9c61fc3..fc210d88bba9 100644
+--- a/drivers/iio/accel/hid-sensor-accel-3d.c
++++ b/drivers/iio/accel/hid-sensor-accel-3d.c
+@@ -42,8 +42,11 @@ struct accel_3d_state {
+ struct hid_sensor_hub_callbacks callbacks;
+ struct hid_sensor_common common_attributes;
+ struct hid_sensor_hub_attribute_info accel[ACCEL_3D_CHANNEL_MAX];
+- /* Reserve for 3 channels + padding + timestamp */
+- u32 accel_val[ACCEL_3D_CHANNEL_MAX + 3];
++ /* Ensure timestamp is naturally aligned */
++ struct {
++ u32 accel_val[3];
++ s64 timestamp __aligned(8);
++ } scan;
+ int scale_pre_decml;
+ int scale_post_decml;
+ int scale_precision;
+@@ -255,8 +258,8 @@ static int accel_3d_proc_event(struct hid_sensor_hub_device *hsdev,
+ accel_state->timestamp = iio_get_time_ns(indio_dev);
+
+ hid_sensor_push_data(indio_dev,
+- accel_state->accel_val,
+- sizeof(accel_state->accel_val),
++ &accel_state->scan,
++ sizeof(accel_state->scan),
+ accel_state->timestamp);
+
+ accel_state->timestamp = 0;
+@@ -281,7 +284,7 @@ static int accel_3d_capture_sample(struct hid_sensor_hub_device *hsdev,
+ case HID_USAGE_SENSOR_ACCEL_Y_AXIS:
+ case HID_USAGE_SENSOR_ACCEL_Z_AXIS:
+ offset = usage_id - HID_USAGE_SENSOR_ACCEL_X_AXIS;
+- accel_state->accel_val[CHANNEL_SCAN_INDEX_X + offset] =
++ accel_state->scan.accel_val[CHANNEL_SCAN_INDEX_X + offset] =
+ *(u32 *)raw_data;
+ ret = 0;
+ break;
+--
+2.30.2
+
--- /dev/null
+From 21fb4aa2a2f65d8cef7191e48d360eb1f93b4c7d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 May 2021 18:01:06 +0100
+Subject: iio: accel: kxcjk-1013: Fix buffer alignment in
+ iio_push_to_buffers_with_timestamp()
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit 3ab3aa2e7bd57497f9a7c6275c00dce237d2c9ba ]
+
+To make code more readable, use a structure to express the channel
+layout and ensure the timestamp is 8 byte aligned.
+
+Found during an audit of all calls of this function.
+
+Fixes: 1a4fbf6a9286 ("iio: accel: kxcjk1013 3-axis accelerometer driver")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Cc: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20210501170121.512209-5-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/accel/kxcjk-1013.c | 24 ++++++++++++++----------
+ 1 file changed, 14 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/iio/accel/kxcjk-1013.c b/drivers/iio/accel/kxcjk-1013.c
+index 92a73ada8e4a..296fd00f0e97 100644
+--- a/drivers/iio/accel/kxcjk-1013.c
++++ b/drivers/iio/accel/kxcjk-1013.c
+@@ -97,12 +97,23 @@ enum kx_acpi_type {
+ ACPI_KIOX010A,
+ };
+
++enum kxcjk1013_axis {
++ AXIS_X,
++ AXIS_Y,
++ AXIS_Z,
++ AXIS_MAX
++};
++
+ struct kxcjk1013_data {
+ struct i2c_client *client;
+ struct iio_trigger *dready_trig;
+ struct iio_trigger *motion_trig;
+ struct mutex mutex;
+- s16 buffer[8];
++ /* Ensure timestamp naturally aligned */
++ struct {
++ s16 chans[AXIS_MAX];
++ s64 timestamp __aligned(8);
++ } scan;
+ u8 odr_bits;
+ u8 range;
+ int wake_thres;
+@@ -116,13 +127,6 @@ struct kxcjk1013_data {
+ enum kx_acpi_type acpi_type;
+ };
+
+-enum kxcjk1013_axis {
+- AXIS_X,
+- AXIS_Y,
+- AXIS_Z,
+- AXIS_MAX,
+-};
+-
+ enum kxcjk1013_mode {
+ STANDBY,
+ OPERATION,
+@@ -1005,12 +1009,12 @@ static irqreturn_t kxcjk1013_trigger_handler(int irq, void *p)
+ ret = i2c_smbus_read_i2c_block_data_or_emulated(data->client,
+ KXCJK1013_REG_XOUT_L,
+ AXIS_MAX * 2,
+- (u8 *)data->buffer);
++ (u8 *)data->scan.chans);
+ mutex_unlock(&data->mutex);
+ if (ret < 0)
+ goto err;
+
+- iio_push_to_buffers_with_timestamp(indio_dev, data->buffer,
++ iio_push_to_buffers_with_timestamp(indio_dev, &data->scan,
+ data->timestamp);
+ err:
+ iio_trigger_notify_done(indio_dev->trig);
+--
+2.30.2
+
--- /dev/null
+From cbab3cfa9cad62c6b6bdb89b475427121d49c093 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 May 2021 18:01:08 +0100
+Subject: iio: accel: stk8312: Fix buffer alignment in
+ iio_push_to_buffers_with_timestamp()
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit f40a71ffec808e7e51848f63f0c0d3c32d65081b ]
+
+To make code more readable, use a structure to express the channel
+layout and ensure the timestamp is 8 byte aligned.
+
+Found during an audit of all calls of this function.
+
+Fixes: 95c12bba51c3 ("iio: accel: Add buffer mode for Sensortek STK8312")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20210501170121.512209-7-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/accel/stk8312.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/iio/accel/stk8312.c b/drivers/iio/accel/stk8312.c
+index e31023dc5f1b..24a7499049f1 100644
+--- a/drivers/iio/accel/stk8312.c
++++ b/drivers/iio/accel/stk8312.c
+@@ -106,7 +106,11 @@ struct stk8312_data {
+ u8 mode;
+ struct iio_trigger *dready_trig;
+ bool dready_trigger_on;
+- s8 buffer[16]; /* 3x8-bit channels + 5x8 padding + 64-bit timestamp */
++ /* Ensure timestamp is naturally aligned */
++ struct {
++ s8 chans[3];
++ s64 timestamp __aligned(8);
++ } scan;
+ };
+
+ static IIO_CONST_ATTR(in_accel_scale_available, STK8312_SCALE_AVAIL);
+@@ -443,7 +447,7 @@ static irqreturn_t stk8312_trigger_handler(int irq, void *p)
+ ret = i2c_smbus_read_i2c_block_data(data->client,
+ STK8312_REG_XOUT,
+ STK8312_ALL_CHANNEL_SIZE,
+- data->buffer);
++ data->scan.chans);
+ if (ret < STK8312_ALL_CHANNEL_SIZE) {
+ dev_err(&data->client->dev, "register read failed\n");
+ mutex_unlock(&data->lock);
+@@ -457,12 +461,12 @@ static irqreturn_t stk8312_trigger_handler(int irq, void *p)
+ mutex_unlock(&data->lock);
+ goto err;
+ }
+- data->buffer[i++] = ret;
++ data->scan.chans[i++] = ret;
+ }
+ }
+ mutex_unlock(&data->lock);
+
+- iio_push_to_buffers_with_timestamp(indio_dev, data->buffer,
++ iio_push_to_buffers_with_timestamp(indio_dev, &data->scan,
+ pf->timestamp);
+ err:
+ iio_trigger_notify_done(indio_dev->trig);
+--
+2.30.2
+
--- /dev/null
+From 3ea054aa8f29926443ee8a54feef9bd806415724 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 May 2021 18:01:09 +0100
+Subject: iio: accel: stk8ba50: Fix buffer alignment in
+ iio_push_to_buffers_with_timestamp()
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit 334883894bc1e145a1e0f5de1b0d1b6a1133f0e6 ]
+
+To make code more readable, use a structure to express the channel
+layout and ensure the timestamp is 8 byte aligned.
+
+Found during an audit of all calls of this function.
+
+Fixes: db6a19b8251f ("iio: accel: Add trigger support for STK8BA50")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20210501170121.512209-8-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/accel/stk8ba50.c | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/iio/accel/stk8ba50.c b/drivers/iio/accel/stk8ba50.c
+index 300d955bad00..5ca179cea2fb 100644
+--- a/drivers/iio/accel/stk8ba50.c
++++ b/drivers/iio/accel/stk8ba50.c
+@@ -94,12 +94,11 @@ struct stk8ba50_data {
+ u8 sample_rate_idx;
+ struct iio_trigger *dready_trig;
+ bool dready_trigger_on;
+- /*
+- * 3 x 16-bit channels (10-bit data, 6-bit padding) +
+- * 1 x 16 padding +
+- * 4 x 16 64-bit timestamp
+- */
+- s16 buffer[8];
++ /* Ensure timestamp is naturally aligned */
++ struct {
++ s16 chans[3];
++ s64 timetamp __aligned(8);
++ } scan;
+ };
+
+ #define STK8BA50_ACCEL_CHANNEL(index, reg, axis) { \
+@@ -329,7 +328,7 @@ static irqreturn_t stk8ba50_trigger_handler(int irq, void *p)
+ ret = i2c_smbus_read_i2c_block_data(data->client,
+ STK8BA50_REG_XOUT,
+ STK8BA50_ALL_CHANNEL_SIZE,
+- (u8 *)data->buffer);
++ (u8 *)data->scan.chans);
+ if (ret < STK8BA50_ALL_CHANNEL_SIZE) {
+ dev_err(&data->client->dev, "register read failed\n");
+ goto err;
+@@ -342,10 +341,10 @@ static irqreturn_t stk8ba50_trigger_handler(int irq, void *p)
+ if (ret < 0)
+ goto err;
+
+- data->buffer[i++] = ret;
++ data->scan.chans[i++] = ret;
+ }
+ }
+- iio_push_to_buffers_with_timestamp(indio_dev, data->buffer,
++ iio_push_to_buffers_with_timestamp(indio_dev, &data->scan,
+ pf->timestamp);
+ err:
+ mutex_unlock(&data->lock);
+--
+2.30.2
+
--- /dev/null
+From 72ffff881073a892f3e14a6cb85118ecac275fad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Jun 2021 16:22:56 +0100
+Subject: iio: adc: mxs-lradc: Fix buffer alignment in
+ iio_push_to_buffers_with_timestamp()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit 6a6be221b8bd561b053f0701ec752a5ed9007f69 ]
+
+To make code more readable, use a structure to express the channel
+layout and ensure the timestamp is 8 byte aligned.
+Add a comment on why the buffer is the size it is as not immediately
+obvious.
+
+Found during an audit of all calls of this function.
+
+Fixes: 6dd112b9f85e ("iio: adc: mxs-lradc: Add support for ADC driver")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Cc: Andreas Klinger <ak@it-klinger.de>
+Reviewed-by: Nuno Sá <nuno.sa@analog.com>
+Link: https://lore.kernel.org/r/20210613152301.571002-4-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/mxs-lradc-adc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iio/adc/mxs-lradc-adc.c b/drivers/iio/adc/mxs-lradc-adc.c
+index d32b34638c2f..8c193d006967 100644
+--- a/drivers/iio/adc/mxs-lradc-adc.c
++++ b/drivers/iio/adc/mxs-lradc-adc.c
+@@ -124,7 +124,8 @@ struct mxs_lradc_adc {
+ struct device *dev;
+
+ void __iomem *base;
+- u32 buffer[10];
++ /* Maximum of 8 channels + 8 byte ts */
++ u32 buffer[10] __aligned(8);
+ struct iio_trigger *trig;
+ struct completion completion;
+ spinlock_t lock;
+--
+2.30.2
+
--- /dev/null
+From 2f97ec8b66b95e1f6778431b2277663a829e84e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 May 2021 18:01:10 +0100
+Subject: iio: adc: ti-ads1015: Fix buffer alignment in
+ iio_push_to_buffers_with_timestamp()
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit d85d71dd1ab67eaa7351f69fec512d8f09d164e1 ]
+
+To make code more readable, use a structure to express the channel
+layout and ensure the timestamp is 8 byte aligned.
+
+Found during an audit of all calls of this function.
+
+Fixes: ecc24e72f437 ("iio: adc: Add TI ADS1015 ADC driver support")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Cc: Daniel Baluta <daniel.baluta@nxp.com>
+Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20210501170121.512209-9-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/ti-ads1015.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/iio/adc/ti-ads1015.c b/drivers/iio/adc/ti-ads1015.c
+index df71c6105353..007898d3b3a9 100644
+--- a/drivers/iio/adc/ti-ads1015.c
++++ b/drivers/iio/adc/ti-ads1015.c
+@@ -392,10 +392,14 @@ static irqreturn_t ads1015_trigger_handler(int irq, void *p)
+ struct iio_poll_func *pf = p;
+ struct iio_dev *indio_dev = pf->indio_dev;
+ struct ads1015_data *data = iio_priv(indio_dev);
+- s16 buf[8]; /* 1x s16 ADC val + 3x s16 padding + 4x s16 timestamp */
++ /* Ensure natural alignment of timestamp */
++ struct {
++ s16 chan;
++ s64 timestamp __aligned(8);
++ } scan;
+ int chan, ret, res;
+
+- memset(buf, 0, sizeof(buf));
++ memset(&scan, 0, sizeof(scan));
+
+ mutex_lock(&data->lock);
+ chan = find_first_bit(indio_dev->active_scan_mask,
+@@ -406,10 +410,10 @@ static irqreturn_t ads1015_trigger_handler(int irq, void *p)
+ goto err;
+ }
+
+- buf[0] = res;
++ scan.chan = res;
+ mutex_unlock(&data->lock);
+
+- iio_push_to_buffers_with_timestamp(indio_dev, buf,
++ iio_push_to_buffers_with_timestamp(indio_dev, &scan,
+ iio_get_time_ns(indio_dev));
+
+ err:
+--
+2.30.2
+
--- /dev/null
+From 89da7587a2f9c92522a2cca6745f17db8343e891 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 May 2021 18:01:11 +0100
+Subject: iio: adc: vf610: Fix buffer alignment in
+ iio_push_to_buffers_with_timestamp()
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit 7765dfaa22ea08abf0c175e7553826ba2a939632 ]
+
+To make code more readable, use a structure to express the channel
+layout and ensure the timestamp is 8 byte aligned.
+
+Found during an audit of all calls of uses of
+iio_push_to_buffers_with_timestamp()
+
+Fixes: 0010d6b44406 ("iio: adc: vf610: Add IIO buffer support for Vybrid ADC")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Cc: Stefan-Gabriel Mirea <stefan-gabriel.mirea@nxp.com>
+Cc: Sanchayan Maity <maitysanchayan@gmail.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20210501170121.512209-10-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/vf610_adc.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/iio/adc/vf610_adc.c b/drivers/iio/adc/vf610_adc.c
+index c168e0db329a..d4409366e3c6 100644
+--- a/drivers/iio/adc/vf610_adc.c
++++ b/drivers/iio/adc/vf610_adc.c
+@@ -180,7 +180,11 @@ struct vf610_adc {
+ u32 sample_freq_avail[5];
+
+ struct completion completion;
+- u16 buffer[8];
++ /* Ensure the timestamp is naturally aligned */
++ struct {
++ u16 chan;
++ s64 timestamp __aligned(8);
++ } scan;
+ };
+
+ static const u32 vf610_hw_avgs[] = { 1, 4, 8, 16, 32 };
+@@ -592,9 +596,9 @@ static irqreturn_t vf610_adc_isr(int irq, void *dev_id)
+ if (coco & VF610_ADC_HS_COCO0) {
+ info->value = vf610_adc_read_data(info);
+ if (iio_buffer_enabled(indio_dev)) {
+- info->buffer[0] = info->value;
++ info->scan.chan = info->value;
+ iio_push_to_buffers_with_timestamp(indio_dev,
+- info->buffer,
++ &info->scan,
+ iio_get_time_ns(indio_dev));
+ iio_trigger_notify_done(indio_dev->trig);
+ } else
+--
+2.30.2
+
--- /dev/null
+From 370682132451e694400b5a796c6be94ac6aee51c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Apr 2021 12:19:03 +0200
+Subject: iio: adis_buffer: do not return ints in irq handlers
+
+From: Nuno Sa <nuno.sa@analog.com>
+
+[ Upstream commit d877539ad8e8fdde9af69887055fec6402be1a13 ]
+
+On an IRQ handler we should not return normal error codes as 'irqreturn_t'
+is expected.
+
+Not necessarily stable material as the old check cannot fail, so it's a bug
+we can not hit.
+
+Fixes: ccd2b52f4ac69 ("staging:iio: Add common ADIS library")
+Reviewed-by: Alexandru Ardelean <ardeleanalex@gmail.com>
+Signed-off-by: Nuno Sa <nuno.sa@analog.com>
+Link: https://lore.kernel.org/r/20210422101911.135630-2-nuno.sa@analog.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/imu/adis_buffer.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/iio/imu/adis_buffer.c b/drivers/iio/imu/adis_buffer.c
+index 9de553e8c214..625f54d9e382 100644
+--- a/drivers/iio/imu/adis_buffer.c
++++ b/drivers/iio/imu/adis_buffer.c
+@@ -83,9 +83,6 @@ static irqreturn_t adis_trigger_handler(int irq, void *p)
+ struct adis *adis = iio_device_get_drvdata(indio_dev);
+ int ret;
+
+- if (!adis->buffer)
+- return -ENOMEM;
+-
+ if (adis->data->has_paging) {
+ mutex_lock(&adis->txrx_lock);
+ if (adis->current_page != 0) {
+--
+2.30.2
+
--- /dev/null
+From 0ab83001b94500666da1124a466bb9efebc1766e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 May 2021 18:01:12 +0100
+Subject: iio: gyro: bmg160: Fix buffer alignment in
+ iio_push_to_buffers_with_timestamp()
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit 06778d881f3798ce93ffbbbf801234292250b598 ]
+
+To make code more readable, use a structure to express the channel
+layout and ensure the timestamp is 8 byte aligned.
+
+Found during an audit of all calls of uses of
+iio_push_to_buffers_with_timestamp()
+
+Fixes: 13426454b649 ("iio: bmg160: Separate i2c and core driver")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Cc: Stephan Gerhold <stephan@gerhold.net>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20210501170121.512209-11-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/gyro/bmg160_core.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/iio/gyro/bmg160_core.c b/drivers/iio/gyro/bmg160_core.c
+index b5a5517e3ce1..ec2830c16433 100644
+--- a/drivers/iio/gyro/bmg160_core.c
++++ b/drivers/iio/gyro/bmg160_core.c
+@@ -104,7 +104,11 @@ struct bmg160_data {
+ struct iio_trigger *dready_trig;
+ struct iio_trigger *motion_trig;
+ struct mutex mutex;
+- s16 buffer[8];
++ /* Ensure naturally aligned timestamp */
++ struct {
++ s16 chans[3];
++ s64 timestamp __aligned(8);
++ } scan;
+ u32 dps_range;
+ int ev_enable_state;
+ int slope_thres;
+@@ -874,12 +878,12 @@ static irqreturn_t bmg160_trigger_handler(int irq, void *p)
+
+ mutex_lock(&data->mutex);
+ ret = regmap_bulk_read(data->regmap, BMG160_REG_XOUT_L,
+- data->buffer, AXIS_MAX * 2);
++ data->scan.chans, AXIS_MAX * 2);
+ mutex_unlock(&data->mutex);
+ if (ret < 0)
+ goto err;
+
+- iio_push_to_buffers_with_timestamp(indio_dev, data->buffer,
++ iio_push_to_buffers_with_timestamp(indio_dev, &data->scan,
+ pf->timestamp);
+ err:
+ iio_trigger_notify_done(indio_dev->trig);
+--
+2.30.2
+
--- /dev/null
+From 1ef34a0204854a1addc4df88b12b2fadd2f285c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 May 2021 18:01:13 +0100
+Subject: iio: humidity: am2315: Fix buffer alignment in
+ iio_push_to_buffers_with_timestamp()
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit f4ca2e2595d9fee65d5ce0d218b22ce00e5b2915 ]
+
+To make code more readable, use a structure to express the channel
+layout and ensure the timestamp is 8 byte aligned.
+
+Found during an audit of all calls of uses of
+iio_push_to_buffers_with_timestamp()
+
+Fixes: 0d96d5ead3f7 ("iio: humidity: Add triggered buffer support for AM2315")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20210501170121.512209-12-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/humidity/am2315.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/iio/humidity/am2315.c b/drivers/iio/humidity/am2315.c
+index ff96b6d0fdae..77513fd84b99 100644
+--- a/drivers/iio/humidity/am2315.c
++++ b/drivers/iio/humidity/am2315.c
+@@ -36,7 +36,11 @@
+ struct am2315_data {
+ struct i2c_client *client;
+ struct mutex lock;
+- s16 buffer[8]; /* 2x16-bit channels + 2x16 padding + 4x16 timestamp */
++ /* Ensure timestamp is naturally aligned */
++ struct {
++ s16 chans[2];
++ s64 timestamp __aligned(8);
++ } scan;
+ };
+
+ struct am2315_sensor_data {
+@@ -170,20 +174,20 @@ static irqreturn_t am2315_trigger_handler(int irq, void *p)
+
+ mutex_lock(&data->lock);
+ if (*(indio_dev->active_scan_mask) == AM2315_ALL_CHANNEL_MASK) {
+- data->buffer[0] = sensor_data.hum_data;
+- data->buffer[1] = sensor_data.temp_data;
++ data->scan.chans[0] = sensor_data.hum_data;
++ data->scan.chans[1] = sensor_data.temp_data;
+ } else {
+ i = 0;
+ for_each_set_bit(bit, indio_dev->active_scan_mask,
+ indio_dev->masklength) {
+- data->buffer[i] = (bit ? sensor_data.temp_data :
+- sensor_data.hum_data);
++ data->scan.chans[i] = (bit ? sensor_data.temp_data :
++ sensor_data.hum_data);
+ i++;
+ }
+ }
+ mutex_unlock(&data->lock);
+
+- iio_push_to_buffers_with_timestamp(indio_dev, data->buffer,
++ iio_push_to_buffers_with_timestamp(indio_dev, &data->scan,
+ pf->timestamp);
+ err:
+ iio_trigger_notify_done(indio_dev->trig);
+--
+2.30.2
+
--- /dev/null
+From a3d11f1ddb6eb7e444695cae5ef0a67906920551 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 May 2021 18:01:19 +0100
+Subject: iio: light: isl29125: Fix buffer alignment in
+ iio_push_to_buffers_with_timestamp()
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit 3d4725194de6935dba2ad7c9cc075c885008f747 ]
+
+To make code more readable, use a structure to express the channel
+layout and ensure the timestamp is 8 byte aligned.
+
+Found during an audit of all calls of uses of
+iio_push_to_buffers_with_timestamp()
+
+Fixes: 6c25539cbc46 ("iio: Add Intersil isl29125 digital color light sensor driver")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20210501170121.512209-18-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/light/isl29125.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/iio/light/isl29125.c b/drivers/iio/light/isl29125.c
+index 1d2c0c8a1d4f..207b856cef8c 100644
+--- a/drivers/iio/light/isl29125.c
++++ b/drivers/iio/light/isl29125.c
+@@ -54,7 +54,11 @@
+ struct isl29125_data {
+ struct i2c_client *client;
+ u8 conf1;
+- u16 buffer[8]; /* 3x 16-bit, padding, 8 bytes timestamp */
++ /* Ensure timestamp is naturally aligned */
++ struct {
++ u16 chans[3];
++ s64 timestamp __aligned(8);
++ } scan;
+ };
+
+ #define ISL29125_CHANNEL(_color, _si) { \
+@@ -187,10 +191,10 @@ static irqreturn_t isl29125_trigger_handler(int irq, void *p)
+ if (ret < 0)
+ goto done;
+
+- data->buffer[j++] = ret;
++ data->scan.chans[j++] = ret;
+ }
+
+- iio_push_to_buffers_with_timestamp(indio_dev, data->buffer,
++ iio_push_to_buffers_with_timestamp(indio_dev, &data->scan,
+ iio_get_time_ns(indio_dev));
+
+ done:
+--
+2.30.2
+
--- /dev/null
+From f40f820bd72efae3c4ab9957b88089ed43ca9c6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 May 2021 18:01:20 +0100
+Subject: iio: light: tcs3414: Fix buffer alignment in
+ iio_push_to_buffers_with_timestamp()
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit ff08fbc22ab32ccc6690c21b0e5e1d402dcc076f ]
+
+To make code more readable, use a structure to express the channel
+layout and ensure the timestamp is 8 byte aligned.
+
+Found during an audit of all calls of uses of
+iio_push_to_buffers_with_timestamp()
+
+Fixes: a244e7b57f0f ("iio: Add driver for AMS/TAOS tcs3414 digital color sensor")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20210501170121.512209-19-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/light/tcs3414.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/iio/light/tcs3414.c b/drivers/iio/light/tcs3414.c
+index a795afb7667b..b51cd43ef824 100644
+--- a/drivers/iio/light/tcs3414.c
++++ b/drivers/iio/light/tcs3414.c
+@@ -56,7 +56,11 @@ struct tcs3414_data {
+ u8 control;
+ u8 gain;
+ u8 timing;
+- u16 buffer[8]; /* 4x 16-bit + 8 bytes timestamp */
++ /* Ensure timestamp is naturally aligned */
++ struct {
++ u16 chans[4];
++ s64 timestamp __aligned(8);
++ } scan;
+ };
+
+ #define TCS3414_CHANNEL(_color, _si, _addr) { \
+@@ -212,10 +216,10 @@ static irqreturn_t tcs3414_trigger_handler(int irq, void *p)
+ if (ret < 0)
+ goto done;
+
+- data->buffer[j++] = ret;
++ data->scan.chans[j++] = ret;
+ }
+
+- iio_push_to_buffers_with_timestamp(indio_dev, data->buffer,
++ iio_push_to_buffers_with_timestamp(indio_dev, &data->scan,
+ iio_get_time_ns(indio_dev));
+
+ done:
+--
+2.30.2
+
--- /dev/null
+From 98d65df704684cfdcf182083eaef40ed7e4a2279 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 May 2021 18:13:48 +0100
+Subject: iio: potentiostat: lmp91000: Fix alignment of buffer in
+ iio_push_to_buffers_with_timestamp()
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit 8979b67ec61abc232636400ee8c758a16a73c95f ]
+
+Add __aligned(8) to ensure the buffer passed to
+iio_push_to_buffers_with_timestamp() is suitable for the naturally
+aligned timestamp that will be inserted.
+
+Here structure is not used, because this buffer is also used
+elsewhere in the driver.
+
+Fixes: 67e17300dc1d ("iio: potentiostat: add LMP91000 support")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Cc: Matt Ranostay <matt.ranostay@konsulko.com>
+Acked-by: Matt Ranostay <matt.ranostay@konsulko.com>
+Link: https://lore.kernel.org/r/20210501171352.512953-8-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/potentiostat/lmp91000.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/iio/potentiostat/lmp91000.c b/drivers/iio/potentiostat/lmp91000.c
+index afa8de3418d0..cb67edf53ab4 100644
+--- a/drivers/iio/potentiostat/lmp91000.c
++++ b/drivers/iio/potentiostat/lmp91000.c
+@@ -79,8 +79,8 @@ struct lmp91000_data {
+
+ struct completion completion;
+ u8 chan_select;
+-
+- u32 buffer[4]; /* 64-bit data + 64-bit timestamp */
++ /* 64-bit data + 64-bit naturally aligned timestamp */
++ u32 buffer[4] __aligned(8);
+ };
+
+ static const struct iio_chan_spec lmp91000_channels[] = {
+--
+2.30.2
+
--- /dev/null
+From 3715273dd1e9209bcabb57a1d26fe31ed25c3a40 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 May 2021 18:01:16 +0100
+Subject: iio: prox: as3935: Fix buffer alignment in
+ iio_push_to_buffers_with_timestamp()
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit 37eb8d8c64f2ecb3a5521ba1cc1fad973adfae41 ]
+
+To make code more readable, use a structure to express the channel
+layout and ensure the timestamp is 8 byte aligned.
+
+Found during an audit of all calls of uses of
+iio_push_to_buffers_with_timestamp()
+
+Fixes: 37b1ba2c68cf ("iio: proximity: as3935: fix buffer stack trashing")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Cc: Matt Ranostay <matt.ranostay@konsulko.com>
+Acked-by: Matt Ranostay <matt.ranostay@konsulko.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20210501170121.512209-15-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/proximity/as3935.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/iio/proximity/as3935.c b/drivers/iio/proximity/as3935.c
+index 4a48b7ba3a1c..105fe680e8ca 100644
+--- a/drivers/iio/proximity/as3935.c
++++ b/drivers/iio/proximity/as3935.c
+@@ -70,7 +70,11 @@ struct as3935_state {
+ unsigned long noise_tripped;
+ u32 tune_cap;
+ u32 nflwdth_reg;
+- u8 buffer[16]; /* 8-bit data + 56-bit padding + 64-bit timestamp */
++ /* Ensure timestamp is naturally aligned */
++ struct {
++ u8 chan;
++ s64 timestamp __aligned(8);
++ } scan;
+ u8 buf[2] ____cacheline_aligned;
+ };
+
+@@ -237,8 +241,8 @@ static irqreturn_t as3935_trigger_handler(int irq, void *private)
+ if (ret)
+ goto err_read;
+
+- st->buffer[0] = val & AS3935_DATA_MASK;
+- iio_push_to_buffers_with_timestamp(indio_dev, &st->buffer,
++ st->scan.chan = val & AS3935_DATA_MASK;
++ iio_push_to_buffers_with_timestamp(indio_dev, &st->scan,
+ iio_get_time_ns(indio_dev));
+ err_read:
+ iio_trigger_notify_done(indio_dev->trig);
+--
+2.30.2
+
--- /dev/null
+From 906dc16d1b542595220521d86eb01ab0099985fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 May 2021 18:01:15 +0100
+Subject: iio: prox: pulsed-light: Fix buffer alignment in
+ iio_push_to_buffers_with_timestamp()
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit 679cc377a03ff1944491eafc7355c1eb1fad4109 ]
+
+To make code more readable, use a structure to express the channel
+layout and ensure the timestamp is 8 byte aligned.
+
+Found during an audit of all calls of uses of
+iio_push_to_buffers_with_timestamp()
+
+Fixes: cb119d535083 ("iio: proximity: add support for PulsedLight LIDAR")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Cc: Matt Ranostay <matt.ranostay@konsulko.com>
+Acked-by: Matt Ranostay <matt.ranostay@konsulko.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20210501170121.512209-14-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/proximity/pulsedlight-lidar-lite-v2.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/iio/proximity/pulsedlight-lidar-lite-v2.c b/drivers/iio/proximity/pulsedlight-lidar-lite-v2.c
+index c033db701bb5..07f69b47f739 100644
+--- a/drivers/iio/proximity/pulsedlight-lidar-lite-v2.c
++++ b/drivers/iio/proximity/pulsedlight-lidar-lite-v2.c
+@@ -51,7 +51,11 @@ struct lidar_data {
+ int (*xfer)(struct lidar_data *data, u8 reg, u8 *val, int len);
+ int i2c_enabled;
+
+- u16 buffer[8]; /* 2 byte distance + 8 byte timestamp */
++ /* Ensure timestamp is naturally aligned */
++ struct {
++ u16 chan;
++ s64 timestamp __aligned(8);
++ } scan;
+ };
+
+ static const struct iio_chan_spec lidar_channels[] = {
+@@ -236,9 +240,9 @@ static irqreturn_t lidar_trigger_handler(int irq, void *private)
+ struct lidar_data *data = iio_priv(indio_dev);
+ int ret;
+
+- ret = lidar_get_measurement(data, data->buffer);
++ ret = lidar_get_measurement(data, &data->scan.chan);
+ if (!ret) {
+- iio_push_to_buffers_with_timestamp(indio_dev, data->buffer,
++ iio_push_to_buffers_with_timestamp(indio_dev, &data->scan,
+ iio_get_time_ns(indio_dev));
+ } else if (ret != -EINVAL) {
+ dev_err(&data->client->dev, "cannot read LIDAR measurement");
+--
+2.30.2
+
--- /dev/null
+From aa0a5aa49eea01ae5b1c34a885ecb77c4e55a802 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 May 2021 18:01:14 +0100
+Subject: iio: prox: srf08: Fix buffer alignment in
+ iio_push_to_buffers_with_timestamp()
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit 19f1a254fe4949fff1e67db386409f48cf438bd7 ]
+
+To make code more readable, use a structure to express the channel
+layout and ensure the timestamp is 8 byte aligned.
+
+Found during an audit of all calls of uses of
+iio_push_to_buffers_with_timestamp()
+
+Fixes: 78f839029e1d ("iio: distance: srf08: add IIO driver for us ranger")
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Cc: Andreas Klinger <ak@it-klinger.de>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20210501170121.512209-13-jic23@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/proximity/srf08.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/iio/proximity/srf08.c b/drivers/iio/proximity/srf08.c
+index 9380d545aab1..d36f634a22d6 100644
+--- a/drivers/iio/proximity/srf08.c
++++ b/drivers/iio/proximity/srf08.c
+@@ -66,11 +66,11 @@ struct srf08_data {
+ int range_mm;
+ struct mutex lock;
+
+- /*
+- * triggered buffer
+- * 1x16-bit channel + 3x16 padding + 4x16 timestamp
+- */
+- s16 buffer[8];
++ /* Ensure timestamp is naturally aligned */
++ struct {
++ s16 chan;
++ s64 timestamp __aligned(8);
++ } scan;
+
+ /* Sensor-Type */
+ enum srf08_sensor_type sensor_type;
+@@ -193,9 +193,9 @@ static irqreturn_t srf08_trigger_handler(int irq, void *p)
+
+ mutex_lock(&data->lock);
+
+- data->buffer[0] = sensor_data;
++ data->scan.chan = sensor_data;
+ iio_push_to_buffers_with_timestamp(indio_dev,
+- data->buffer, pf->timestamp);
++ &data->scan, pf->timestamp);
+
+ mutex_unlock(&data->lock);
+ err:
+--
+2.30.2
+
--- /dev/null
+From 75329f44872fdb718d5e88429bced434d1f2e348 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 May 2021 11:52:42 -0700
+Subject: Input: hil_kbd - fix error return code in hil_dev_connect()
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit d9b576917a1d0efa293801a264150a1b37691617 ]
+
+Return error code -EINVAL rather than '0' when the combo devices are not
+supported.
+
+Fixes: fa71c605c2bb ("Input: combine hil_kbd and hil_ptr drivers")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Link: https://lore.kernel.org/r/20210515030053.6824-1-thunder.leizhen@huawei.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/keyboard/hil_kbd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/input/keyboard/hil_kbd.c b/drivers/input/keyboard/hil_kbd.c
+index bb29a7c9a1c0..54afb38601b9 100644
+--- a/drivers/input/keyboard/hil_kbd.c
++++ b/drivers/input/keyboard/hil_kbd.c
+@@ -512,6 +512,7 @@ static int hil_dev_connect(struct serio *serio, struct serio_driver *drv)
+ HIL_IDD_NUM_AXES_PER_SET(*idd)) {
+ printk(KERN_INFO PREFIX
+ "combo devices are not supported.\n");
++ error = -EINVAL;
+ goto bail1;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 4950e3c3e9fedc46e69b9b3619ce6c61c371f846 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 15 May 2021 11:06:46 +0800
+Subject: leds: as3645a: Fix error return code in as3645a_parse_node()
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit 96a30960a2c5246c8ffebe8a3c9031f9df094d97 ]
+
+Return error code -ENODEV rather than '0' when the indicator node can not
+be found.
+
+Fixes: a56ba8fbcb55 ("media: leds: as3645a: Add LED flash class driver")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Signed-off-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/leds/leds-as3645a.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/leds/leds-as3645a.c b/drivers/leds/leds-as3645a.c
+index 9a257f969300..8109972998b7 100644
+--- a/drivers/leds/leds-as3645a.c
++++ b/drivers/leds/leds-as3645a.c
+@@ -564,6 +564,7 @@ static int as3645a_parse_node(struct as3645a *flash,
+ if (!flash->indicator_node) {
+ dev_warn(&flash->client->dev,
+ "can't find indicator node\n");
++ rval = -ENODEV;
+ goto out_err;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From e605da9321c58d1a4fafccce28414bd0a41c1a8f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 May 2021 13:21:01 +0200
+Subject: leds: ktd2692: Fix an error handling path
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit ee78b9360e14c276f5ceaa4a0d06f790f04ccdad ]
+
+In 'ktd2692_parse_dt()', if an error occurs after a successful
+'regulator_enable()' call, we should call 'regulator_enable()'.
+
+This is the same in 'ktd2692_probe()', if an error occurs after a
+successful 'ktd2692_parse_dt()' call.
+
+Instead of adding 'regulator_enable()' in several places, implement a
+resource managed solution and simplify the remove function accordingly.
+
+Fixes: b7da8c5c725c ("leds: Add ktd2692 flash LED driver")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/leds/leds-ktd2692.c | 27 ++++++++++++++++++---------
+ 1 file changed, 18 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/leds/leds-ktd2692.c b/drivers/leds/leds-ktd2692.c
+index 45296aaca9da..02738b5b1dbf 100644
+--- a/drivers/leds/leds-ktd2692.c
++++ b/drivers/leds/leds-ktd2692.c
+@@ -259,6 +259,17 @@ static void ktd2692_setup(struct ktd2692_context *led)
+ | KTD2692_REG_FLASH_CURRENT_BASE);
+ }
+
++static void regulator_disable_action(void *_data)
++{
++ struct device *dev = _data;
++ struct ktd2692_context *led = dev_get_drvdata(dev);
++ int ret;
++
++ ret = regulator_disable(led->regulator);
++ if (ret)
++ dev_err(dev, "Failed to disable supply: %d\n", ret);
++}
++
+ static int ktd2692_parse_dt(struct ktd2692_context *led, struct device *dev,
+ struct ktd2692_led_config_data *cfg)
+ {
+@@ -289,8 +300,14 @@ static int ktd2692_parse_dt(struct ktd2692_context *led, struct device *dev,
+
+ if (led->regulator) {
+ ret = regulator_enable(led->regulator);
+- if (ret)
++ if (ret) {
+ dev_err(dev, "Failed to enable supply: %d\n", ret);
++ } else {
++ ret = devm_add_action_or_reset(dev,
++ regulator_disable_action, dev);
++ if (ret)
++ return ret;
++ }
+ }
+
+ child_node = of_get_next_available_child(np, NULL);
+@@ -380,17 +397,9 @@ static int ktd2692_probe(struct platform_device *pdev)
+ static int ktd2692_remove(struct platform_device *pdev)
+ {
+ struct ktd2692_context *led = platform_get_drvdata(pdev);
+- int ret;
+
+ led_classdev_flash_unregister(&led->fled_cdev);
+
+- if (led->regulator) {
+- ret = regulator_disable(led->regulator);
+- if (ret)
+- dev_err(&pdev->dev,
+- "Failed to disable supply: %d\n", ret);
+- }
+-
+ mutex_destroy(&led->lock);
+
+ return 0;
+--
+2.30.2
+
--- /dev/null
+From 4071ee7ce89628924f284801e62458b24c2b9d0a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 May 2021 17:12:04 +0100
+Subject: lib: vsprintf: Fix handling of number field widths in vsscanf
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit 900fdc4573766dd43b847b4f54bd4a1ee2bc7360 ]
+
+The existing code attempted to handle numbers by doing a strto[u]l(),
+ignoring the field width, and then repeatedly dividing to extract the
+field out of the full converted value. If the string contains a run of
+valid digits longer than will fit in a long or long long, this would
+overflow and no amount of dividing can recover the correct value.
+
+This patch fixes vsscanf() to obey number field widths when parsing
+the number.
+
+A new _parse_integer_limit() is added that takes a limit for the number
+of characters to parse. The number field conversion in vsscanf is changed
+to use this new function.
+
+If a number starts with a radix prefix, the field width must be long
+enough for at last one digit after the prefix. If not, it will be handled
+like this:
+
+ sscanf("0x4", "%1i", &i): i=0, scanning continues with the 'x'
+ sscanf("0x4", "%2i", &i): i=0, scanning continues with the '4'
+
+This is consistent with the observed behaviour of userland sscanf.
+
+Note that this patch does NOT fix the problem of a single field value
+overflowing the target type. So for example:
+
+ sscanf("123456789abcdef", "%x", &i);
+
+Will not produce the correct result because the value obviously overflows
+INT_MAX. But sscanf will report a successful conversion.
+
+Note that where a very large number is used to mean "unlimited", the value
+INT_MAX is used for consistency with the behaviour of vsnprintf().
+
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Reviewed-by: Petr Mladek <pmladek@suse.com>
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Link: https://lore.kernel.org/r/20210514161206.30821-2-rf@opensource.cirrus.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/kstrtox.c | 13 ++++++--
+ lib/kstrtox.h | 2 ++
+ lib/vsprintf.c | 82 +++++++++++++++++++++++++++++---------------------
+ 3 files changed, 60 insertions(+), 37 deletions(-)
+
+diff --git a/lib/kstrtox.c b/lib/kstrtox.c
+index 661a1e807bd1..1a02b87b19c7 100644
+--- a/lib/kstrtox.c
++++ b/lib/kstrtox.c
+@@ -39,20 +39,22 @@ const char *_parse_integer_fixup_radix(const char *s, unsigned int *base)
+
+ /*
+ * Convert non-negative integer string representation in explicitly given radix
+- * to an integer.
++ * to an integer. A maximum of max_chars characters will be converted.
++ *
+ * Return number of characters consumed maybe or-ed with overflow bit.
+ * If overflow occurs, result integer (incorrect) is still returned.
+ *
+ * Don't you dare use this function.
+ */
+-unsigned int _parse_integer(const char *s, unsigned int base, unsigned long long *p)
++unsigned int _parse_integer_limit(const char *s, unsigned int base, unsigned long long *p,
++ size_t max_chars)
+ {
+ unsigned long long res;
+ unsigned int rv;
+
+ res = 0;
+ rv = 0;
+- while (1) {
++ while (max_chars--) {
+ unsigned int c = *s;
+ unsigned int lc = c | 0x20; /* don't tolower() this line */
+ unsigned int val;
+@@ -82,6 +84,11 @@ unsigned int _parse_integer(const char *s, unsigned int base, unsigned long long
+ return rv;
+ }
+
++unsigned int _parse_integer(const char *s, unsigned int base, unsigned long long *p)
++{
++ return _parse_integer_limit(s, base, p, INT_MAX);
++}
++
+ static int _kstrtoull(const char *s, unsigned int base, unsigned long long *res)
+ {
+ unsigned long long _res;
+diff --git a/lib/kstrtox.h b/lib/kstrtox.h
+index 3b4637bcd254..158c400ca865 100644
+--- a/lib/kstrtox.h
++++ b/lib/kstrtox.h
+@@ -4,6 +4,8 @@
+
+ #define KSTRTOX_OVERFLOW (1U << 31)
+ const char *_parse_integer_fixup_radix(const char *s, unsigned int *base);
++unsigned int _parse_integer_limit(const char *s, unsigned int base, unsigned long long *res,
++ size_t max_chars);
+ unsigned int _parse_integer(const char *s, unsigned int base, unsigned long long *res);
+
+ #endif
+diff --git a/lib/vsprintf.c b/lib/vsprintf.c
+index 4a990f3fd345..83b164707e5c 100644
+--- a/lib/vsprintf.c
++++ b/lib/vsprintf.c
+@@ -46,6 +46,31 @@
+ #include <linux/string_helpers.h>
+ #include "kstrtox.h"
+
++static unsigned long long simple_strntoull(const char *startp, size_t max_chars,
++ char **endp, unsigned int base)
++{
++ const char *cp;
++ unsigned long long result = 0ULL;
++ size_t prefix_chars;
++ unsigned int rv;
++
++ cp = _parse_integer_fixup_radix(startp, &base);
++ prefix_chars = cp - startp;
++ if (prefix_chars < max_chars) {
++ rv = _parse_integer_limit(cp, base, &result, max_chars - prefix_chars);
++ /* FIXME */
++ cp += (rv & ~KSTRTOX_OVERFLOW);
++ } else {
++ /* Field too short for prefix + digit, skip over without converting */
++ cp = startp + max_chars;
++ }
++
++ if (endp)
++ *endp = (char *)cp;
++
++ return result;
++}
++
+ /**
+ * simple_strtoull - convert a string to an unsigned long long
+ * @cp: The start of the string
+@@ -56,18 +81,7 @@
+ */
+ unsigned long long simple_strtoull(const char *cp, char **endp, unsigned int base)
+ {
+- unsigned long long result;
+- unsigned int rv;
+-
+- cp = _parse_integer_fixup_radix(cp, &base);
+- rv = _parse_integer(cp, base, &result);
+- /* FIXME */
+- cp += (rv & ~KSTRTOX_OVERFLOW);
+-
+- if (endp)
+- *endp = (char *)cp;
+-
+- return result;
++ return simple_strntoull(cp, INT_MAX, endp, base);
+ }
+ EXPORT_SYMBOL(simple_strtoull);
+
+@@ -102,6 +116,21 @@ long simple_strtol(const char *cp, char **endp, unsigned int base)
+ }
+ EXPORT_SYMBOL(simple_strtol);
+
++static long long simple_strntoll(const char *cp, size_t max_chars, char **endp,
++ unsigned int base)
++{
++ /*
++ * simple_strntoull() safely handles receiving max_chars==0 in the
++ * case cp[0] == '-' && max_chars == 1.
++ * If max_chars == 0 we can drop through and pass it to simple_strntoull()
++ * and the content of *cp is irrelevant.
++ */
++ if (*cp == '-' && max_chars > 0)
++ return -simple_strntoull(cp + 1, max_chars - 1, endp, base);
++
++ return simple_strntoull(cp, max_chars, endp, base);
++}
++
+ /**
+ * simple_strtoll - convert a string to a signed long long
+ * @cp: The start of the string
+@@ -112,10 +141,7 @@ EXPORT_SYMBOL(simple_strtol);
+ */
+ long long simple_strtoll(const char *cp, char **endp, unsigned int base)
+ {
+- if (*cp == '-')
+- return -simple_strtoull(cp + 1, endp, base);
+-
+- return simple_strtoull(cp, endp, base);
++ return simple_strntoll(cp, INT_MAX, endp, base);
+ }
+ EXPORT_SYMBOL(simple_strtoll);
+
+@@ -2943,25 +2969,13 @@ int vsscanf(const char *buf, const char *fmt, va_list args)
+ break;
+
+ if (is_sign)
+- val.s = qualifier != 'L' ?
+- simple_strtol(str, &next, base) :
+- simple_strtoll(str, &next, base);
++ val.s = simple_strntoll(str,
++ field_width >= 0 ? field_width : INT_MAX,
++ &next, base);
+ else
+- val.u = qualifier != 'L' ?
+- simple_strtoul(str, &next, base) :
+- simple_strtoull(str, &next, base);
+-
+- if (field_width > 0 && next - str > field_width) {
+- if (base == 0)
+- _parse_integer_fixup_radix(str, &base);
+- while (next - str > field_width) {
+- if (is_sign)
+- val.s = div_s64(val.s, base);
+- else
+- val.u = div_u64(val.u, base);
+- --next;
+- }
+- }
++ val.u = simple_strntoull(str,
++ field_width >= 0 ? field_width : INT_MAX,
++ &next, base);
+
+ switch (qualifier) {
+ case 'H': /* that's 'hh' in format */
+--
+2.30.2
+
--- /dev/null
+From be1084a4a9a432fde299cd88757027f2fba922b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 May 2021 17:18:36 +0200
+Subject: media: bt8xx: Fix a missing check bug in bt878_probe
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+[ Upstream commit 1a4520090681853e6b850cbe54b27247a013e0e5 ]
+
+In 'bt878_irq', the driver calls 'tasklet_schedule', but this tasklet is
+set in 'dvb_bt8xx_load_card' of another driver 'dvb-bt8xx'.
+However, this two drivers are separate. The user may not load the
+'dvb-bt8xx' driver when loading the 'bt8xx' driver, that is, the tasklet
+has not been initialized when 'tasklet_schedule' is called, so it is
+necessary to check whether the tasklet is initialized in 'bt878_probe'.
+
+Fix this by adding a check at the end of bt878_probe.
+
+The KASAN's report reveals it:
+
+BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
+PGD 800000006aab2067 P4D 800000006aab2067 PUD 6b2ea067 PMD 0
+Oops: 0010 [#1] PREEMPT SMP KASAN PTI
+CPU: 2 PID: 8724 Comm: syz-executor.0 Not tainted 4.19.177-
+gdba4159c14ef-dirty #40
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-
+gc9ba5276e321-prebuilt.qemu.org 04/01/2014
+RIP: 0010: (null)
+Code: Bad RIP value.
+RSP: 0018:ffff88806c287ea0 EFLAGS: 00010246
+RAX: fffffbfff1b01774 RBX: dffffc0000000000 RCX: 0000000000000000
+RDX: 0000000000000000 RSI: 1ffffffff1b01775 RDI: 0000000000000000
+RBP: ffff88806c287f00 R08: fffffbfff1b01774 R09: fffffbfff1b01774
+R10: 0000000000000001 R11: fffffbfff1b01773 R12: 0000000000000000
+R13: ffff88806c29f530 R14: ffffffff8d80bb88 R15: ffffffff8d80bb90
+FS: 00007f6b550e6700(0000) GS:ffff88806c280000(0000) knlGS:
+0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffffffffffffd6 CR3: 000000005ec98000 CR4: 00000000000006e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <IRQ>
+ tasklet_action_common.isra.17+0x141/0x420 kernel/softirq.c:522
+ tasklet_action+0x50/0x70 kernel/softirq.c:540
+ __do_softirq+0x224/0x92c kernel/softirq.c:292
+ invoke_softirq kernel/softirq.c:372 [inline]
+ irq_exit+0x15a/0x180 kernel/softirq.c:412
+ exiting_irq arch/x86/include/asm/apic.h:535 [inline]
+ do_IRQ+0x123/0x1e0 arch/x86/kernel/irq.c:260
+ common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:670
+ </IRQ>
+RIP: 0010:__do_sys_interrupt kernel/sys.c:2593 [inline]
+RIP: 0010:__se_sys_interrupt kernel/sys.c:2584 [inline]
+RIP: 0010:__x64_sys_interrupt+0x5b/0x80 kernel/sys.c:2584
+Code: ba 00 04 00 00 48 c7 c7 c0 99 31 8c e8 ae 76 5e 01 48 85 c0 75 21 e8
+14 ae 24 00 48 c7 c3 c0 99 31 8c b8 0c 00 00 00 0f 01 c1 <31> db e8 fe ad
+24 00 48 89 d8 5b 5d c3 48 c7 c3 ea ff ff ff eb ec
+RSP: 0018:ffff888054167f10 EFLAGS: 00000212 ORIG_RAX: ffffffffffffffde
+RAX: 000000000000000c RBX: ffffffff8c3199c0 RCX: ffffc90001ca6000
+RDX: 000000000000001a RSI: ffffffff813478fc RDI: ffffffff8c319dc0
+RBP: ffff888054167f18 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000080 R11: fffffbfff18633b7 R12: ffff888054167f58
+R13: ffff88805f638000 R14: 0000000000000000 R15: 0000000000000000
+ do_syscall_64+0xb0/0x4e0 arch/x86/entry/common.c:293
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x4692a9
+Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7
+48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
+ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f6b550e5c48 EFLAGS: 00000246 ORIG_RAX: 000000000000014f
+RAX: ffffffffffffffda RBX: 000000000077bf60 RCX: 00000000004692a9
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000140
+RBP: 00000000004cf7eb R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 000000000077bf60
+R13: 0000000000000000 R14: 000000000077bf60 R15: 00007fff55a1dca0
+Modules linked in:
+Dumping ftrace buffer:
+ (ftrace buffer empty)
+CR2: 0000000000000000
+---[ end trace 68e5849c3f77cbb6 ]---
+RIP: 0010: (null)
+Code: Bad RIP value.
+RSP: 0018:ffff88806c287ea0 EFLAGS: 00010246
+RAX: fffffbfff1b01774 RBX: dffffc0000000000 RCX: 0000000000000000
+RDX: 0000000000000000 RSI: 1ffffffff1b01775 RDI: 0000000000000000
+RBP: ffff88806c287f00 R08: fffffbfff1b01774 R09: fffffbfff1b01774
+R10: 0000000000000001 R11: fffffbfff1b01773 R12: 0000000000000000
+R13: ffff88806c29f530 R14: ffffffff8d80bb88 R15: ffffffff8d80bb90
+FS: 00007f6b550e6700(0000) GS:ffff88806c280000(0000) knlGS:
+0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffffffffffffd6 CR3: 000000005ec98000 CR4: 00000000000006e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+
+Reported-by: Zheyu Ma <zheyuma97@gmail.com>
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/bt8xx/bt878.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/media/pci/bt8xx/bt878.c b/drivers/media/pci/bt8xx/bt878.c
+index d4bc78b4fcb5..cbf855d78785 100644
+--- a/drivers/media/pci/bt8xx/bt878.c
++++ b/drivers/media/pci/bt8xx/bt878.c
+@@ -494,6 +494,9 @@ static int bt878_probe(struct pci_dev *dev, const struct pci_device_id *pci_id)
+ btwrite(0, BT878_AINT_MASK);
+ bt878_num++;
+
++ if (!bt->tasklet.func)
++ tasklet_disable(&bt->tasklet);
++
+ return 0;
+
+ fail2:
+--
+2.30.2
+
--- /dev/null
+From 6010e4474faa751a1f090d878ba01940cc745a25 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Apr 2021 10:00:49 +0200
+Subject: media: cobalt: fix race condition in setting HPD
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit 3d37ef41bed0854805ab9af22c422267510e1344 ]
+
+The cobalt_s_bit_sysctrl reads the old register value over PCI,
+then changes a bit and sets writes the new value to the register.
+
+This is used among other things for setting the HPD output pin.
+
+But if the HPD is changed for multiple inputs at the same time,
+then this causes a race condition where a stale value is read.
+
+Serialize this function with a mutex.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/cobalt/cobalt-driver.c | 1 +
+ drivers/media/pci/cobalt/cobalt-driver.h | 7 ++++++-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/pci/cobalt/cobalt-driver.c b/drivers/media/pci/cobalt/cobalt-driver.c
+index 98b6cb9505d1..0c827f488317 100644
+--- a/drivers/media/pci/cobalt/cobalt-driver.c
++++ b/drivers/media/pci/cobalt/cobalt-driver.c
+@@ -687,6 +687,7 @@ static int cobalt_probe(struct pci_dev *pci_dev,
+ return -ENOMEM;
+ cobalt->pci_dev = pci_dev;
+ cobalt->instance = i;
++ mutex_init(&cobalt->pci_lock);
+
+ retval = v4l2_device_register(&pci_dev->dev, &cobalt->v4l2_dev);
+ if (retval) {
+diff --git a/drivers/media/pci/cobalt/cobalt-driver.h b/drivers/media/pci/cobalt/cobalt-driver.h
+index 00f773ec359a..9f8db7eaa43c 100644
+--- a/drivers/media/pci/cobalt/cobalt-driver.h
++++ b/drivers/media/pci/cobalt/cobalt-driver.h
+@@ -262,6 +262,8 @@ struct cobalt {
+ int instance;
+ struct pci_dev *pci_dev;
+ struct v4l2_device v4l2_dev;
++ /* serialize PCI access in cobalt_s_bit_sysctrl() */
++ struct mutex pci_lock;
+
+ void __iomem *bar0, *bar1;
+
+@@ -331,10 +333,13 @@ static inline u32 cobalt_g_sysctrl(struct cobalt *cobalt)
+ static inline void cobalt_s_bit_sysctrl(struct cobalt *cobalt,
+ int bit, int val)
+ {
+- u32 ctrl = cobalt_read_bar1(cobalt, COBALT_SYS_CTRL_BASE);
++ u32 ctrl;
+
++ mutex_lock(&cobalt->pci_lock);
++ ctrl = cobalt_read_bar1(cobalt, COBALT_SYS_CTRL_BASE);
+ cobalt_write_bar1(cobalt, COBALT_SYS_CTRL_BASE,
+ (ctrl & ~(1UL << bit)) | (val << bit));
++ mutex_unlock(&cobalt->pci_lock);
+ }
+
+ static inline u32 cobalt_g_sysstat(struct cobalt *cobalt)
+--
+2.30.2
+
--- /dev/null
+From 104a0088afc2bd32aec968e2cb9a1b8f25f568f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Apr 2021 21:43:45 +0200
+Subject: media: cpia2: fix memory leak in cpia2_usb_probe
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit be8656e62e9e791837b606a027802b504a945c97 ]
+
+syzbot reported leak in cpia2 usb driver. The problem was
+in invalid error handling.
+
+v4l2_device_register() is called in cpia2_init_camera_struct(), but
+all error cases after cpia2_init_camera_struct() did not call the
+v4l2_device_unregister()
+
+Reported-by: syzbot+d1e69c888f0d3866ead4@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/cpia2/cpia2.h | 1 +
+ drivers/media/usb/cpia2/cpia2_core.c | 12 ++++++++++++
+ drivers/media/usb/cpia2/cpia2_usb.c | 13 +++++++------
+ 3 files changed, 20 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/media/usb/cpia2/cpia2.h b/drivers/media/usb/cpia2/cpia2.h
+index 81f72c0b561f..7259d0f75ddf 100644
+--- a/drivers/media/usb/cpia2/cpia2.h
++++ b/drivers/media/usb/cpia2/cpia2.h
+@@ -438,6 +438,7 @@ int cpia2_send_command(struct camera_data *cam, struct cpia2_command *cmd);
+ int cpia2_do_command(struct camera_data *cam,
+ unsigned int command,
+ unsigned char direction, unsigned char param);
++void cpia2_deinit_camera_struct(struct camera_data *cam, struct usb_interface *intf);
+ struct camera_data *cpia2_init_camera_struct(struct usb_interface *intf);
+ int cpia2_init_camera(struct camera_data *cam);
+ int cpia2_allocate_buffers(struct camera_data *cam);
+diff --git a/drivers/media/usb/cpia2/cpia2_core.c b/drivers/media/usb/cpia2/cpia2_core.c
+index 0efba0da0a45..d82d6c1d7654 100644
+--- a/drivers/media/usb/cpia2/cpia2_core.c
++++ b/drivers/media/usb/cpia2/cpia2_core.c
+@@ -2172,6 +2172,18 @@ static void reset_camera_struct(struct camera_data *cam)
+ cam->height = cam->params.roi.height;
+ }
+
++/******************************************************************************
++ *
++ * cpia2_init_camera_struct
++ *
++ * Deinitialize camera struct
++ *****************************************************************************/
++void cpia2_deinit_camera_struct(struct camera_data *cam, struct usb_interface *intf)
++{
++ v4l2_device_unregister(&cam->v4l2_dev);
++ kfree(cam);
++}
++
+ /******************************************************************************
+ *
+ * cpia2_init_camera_struct
+diff --git a/drivers/media/usb/cpia2/cpia2_usb.c b/drivers/media/usb/cpia2/cpia2_usb.c
+index 91b9eaa9b2ad..6475f992c2b2 100644
+--- a/drivers/media/usb/cpia2/cpia2_usb.c
++++ b/drivers/media/usb/cpia2/cpia2_usb.c
+@@ -852,15 +852,13 @@ static int cpia2_usb_probe(struct usb_interface *intf,
+ ret = set_alternate(cam, USBIF_CMDONLY);
+ if (ret < 0) {
+ ERR("%s: usb_set_interface error (ret = %d)\n", __func__, ret);
+- kfree(cam);
+- return ret;
++ goto alt_err;
+ }
+
+
+ if((ret = cpia2_init_camera(cam)) < 0) {
+ ERR("%s: failed to initialize cpia2 camera (ret = %d)\n", __func__, ret);
+- kfree(cam);
+- return ret;
++ goto alt_err;
+ }
+ LOG(" CPiA Version: %d.%02d (%d.%d)\n",
+ cam->params.version.firmware_revision_hi,
+@@ -880,11 +878,14 @@ static int cpia2_usb_probe(struct usb_interface *intf,
+ ret = cpia2_register_camera(cam);
+ if (ret < 0) {
+ ERR("%s: Failed to register cpia2 camera (ret = %d)\n", __func__, ret);
+- kfree(cam);
+- return ret;
++ goto alt_err;
+ }
+
+ return 0;
++
++alt_err:
++ cpia2_deinit_camera_struct(cam, intf);
++ return ret;
+ }
+
+ /******************************************************************************
+--
+2.30.2
+
--- /dev/null
+From e43e75f04d264d171814368a4072c2d610c320eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 13:13:54 +0200
+Subject: media: dvb_net: avoid speculation from net slot
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit abc0226df64dc137b48b911c1fe4319aec5891bb ]
+
+The risk of especulation is actually almost-non-existing here,
+as there are very few users of TCP/IP using the DVB stack,
+as, this is mainly used with DVB-S/S2 cards, and only by people
+that receives TCP/IP from satellite connections, which limits
+a lot the number of users of such feature(*).
+
+(*) In thesis, DVB-C cards could also benefit from it, but I'm
+yet to see a hardware that supports it.
+
+Yet, fixing it is trivial.
+
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-core/dvb_net.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/media/dvb-core/dvb_net.c b/drivers/media/dvb-core/dvb_net.c
+index 06b0dcc13695..280f941ca97d 100644
+--- a/drivers/media/dvb-core/dvb_net.c
++++ b/drivers/media/dvb-core/dvb_net.c
+@@ -56,6 +56,7 @@
+ #include <linux/module.h>
+ #include <linux/kernel.h>
+ #include <linux/netdevice.h>
++#include <linux/nospec.h>
+ #include <linux/etherdevice.h>
+ #include <linux/dvb/net.h>
+ #include <linux/uio.h>
+@@ -1481,14 +1482,20 @@ static int dvb_net_do_ioctl(struct file *file,
+ struct net_device *netdev;
+ struct dvb_net_priv *priv_data;
+ struct dvb_net_if *dvbnetif = parg;
++ int if_num = dvbnetif->if_num;
+
+- if (dvbnetif->if_num >= DVB_NET_DEVICES_MAX ||
+- !dvbnet->state[dvbnetif->if_num]) {
++ if (if_num >= DVB_NET_DEVICES_MAX) {
+ ret = -EINVAL;
+ goto ioctl_error;
+ }
++ if_num = array_index_nospec(if_num, DVB_NET_DEVICES_MAX);
+
+- netdev = dvbnet->device[dvbnetif->if_num];
++ if (!dvbnet->state[if_num]) {
++ ret = -EINVAL;
++ goto ioctl_error;
++ }
++
++ netdev = dvbnet->device[if_num];
+
+ priv_data = netdev_priv(netdev);
+ dvbnetif->pid=priv_data->pid;
+@@ -1541,14 +1548,20 @@ static int dvb_net_do_ioctl(struct file *file,
+ struct net_device *netdev;
+ struct dvb_net_priv *priv_data;
+ struct __dvb_net_if_old *dvbnetif = parg;
++ int if_num = dvbnetif->if_num;
++
++ if (if_num >= DVB_NET_DEVICES_MAX) {
++ ret = -EINVAL;
++ goto ioctl_error;
++ }
++ if_num = array_index_nospec(if_num, DVB_NET_DEVICES_MAX);
+
+- if (dvbnetif->if_num >= DVB_NET_DEVICES_MAX ||
+- !dvbnet->state[dvbnetif->if_num]) {
++ if (!dvbnet->state[if_num]) {
+ ret = -EINVAL;
+ goto ioctl_error;
+ }
+
+- netdev = dvbnet->device[dvbnetif->if_num];
++ netdev = dvbnet->device[if_num];
+
+ priv_data = netdev_priv(netdev);
+ dvbnetif->pid=priv_data->pid;
+--
+2.30.2
+
--- /dev/null
+From 5ae1fd74d21b869ffc998b775b9f3acbf43e93db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 May 2021 15:06:52 +0200
+Subject: media: dvd_usb: memory leak in cinergyt2_fe_attach
+
+From: Dongliang Mu <mudongliangabcd@gmail.com>
+
+[ Upstream commit 9ad1efee086e0e913914fa2b2173efb830bad68c ]
+
+When the driver fails to talk with the hardware with dvb_usb_generic_rw,
+it will return an error to dvb_usb_adapter_frontend_init. However, the
+driver forgets to free the resource (e.g., struct cinergyt2_fe_state),
+which leads to a memory leak.
+
+Fix this by freeing struct cinergyt2_fe_state when dvb_usb_generic_rw
+fails in cinergyt2_frontend_attach.
+
+backtrace:
+ [<0000000056e17b1a>] kmalloc include/linux/slab.h:552 [inline]
+ [<0000000056e17b1a>] kzalloc include/linux/slab.h:682 [inline]
+ [<0000000056e17b1a>] cinergyt2_fe_attach+0x21/0x80 drivers/media/usb/dvb-usb/cinergyT2-fe.c:271
+ [<00000000ae0b1711>] cinergyt2_frontend_attach+0x21/0x70 drivers/media/usb/dvb-usb/cinergyT2-core.c:74
+ [<00000000d0254861>] dvb_usb_adapter_frontend_init+0x11b/0x1b0 drivers/media/usb/dvb-usb/dvb-usb-dvb.c:290
+ [<0000000002e08ac6>] dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:84 [inline]
+ [<0000000002e08ac6>] dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:173 [inline]
+ [<0000000002e08ac6>] dvb_usb_device_init.cold+0x4d0/0x6ae drivers/media/usb/dvb-usb/dvb-usb-init.c:287
+
+Reported-by: syzbot+e1de8986786b3722050e@syzkaller.appspotmail.com
+Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb/cinergyT2-core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/media/usb/dvb-usb/cinergyT2-core.c b/drivers/media/usb/dvb-usb/cinergyT2-core.c
+index 6131aa7914a9..fb59dda7547a 100644
+--- a/drivers/media/usb/dvb-usb/cinergyT2-core.c
++++ b/drivers/media/usb/dvb-usb/cinergyT2-core.c
+@@ -88,6 +88,8 @@ static int cinergyt2_frontend_attach(struct dvb_usb_adapter *adap)
+
+ ret = dvb_usb_generic_rw(d, st->data, 1, st->data, 3, 0);
+ if (ret < 0) {
++ if (adap->fe_adap[0].fe)
++ adap->fe_adap[0].fe->ops.release(adap->fe_adap[0].fe);
+ deb_rc("cinergyt2_power_ctrl() Failed to retrieve sleep state info\n");
+ }
+ mutex_unlock(&d->data_mutex);
+--
+2.30.2
+
--- /dev/null
+From cd3e99654d9fc3b0cebf20de3bc0fdec8aadba8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 May 2021 20:32:49 +0200
+Subject: media: em28xx: Fix possible memory leak of em28xx struct
+
+From: Igor Matheus Andrade Torrente <igormtorrente@gmail.com>
+
+[ Upstream commit ac5688637144644f06ed1f3c6d4dd8bb7db96020 ]
+
+The em28xx struct kref isn't being decreased after an error in the
+em28xx_ir_init, leading to a possible memory leak.
+
+A kref_put and em28xx_shutdown_buttons is added to the error handler code.
+
+Signed-off-by: Igor Matheus Andrade Torrente <igormtorrente@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/em28xx/em28xx-input.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/usb/em28xx/em28xx-input.c b/drivers/media/usb/em28xx/em28xx-input.c
+index 046223de1e91..b8c94b4ad232 100644
+--- a/drivers/media/usb/em28xx/em28xx-input.c
++++ b/drivers/media/usb/em28xx/em28xx-input.c
+@@ -710,7 +710,8 @@ static int em28xx_ir_init(struct em28xx *dev)
+ dev->board.has_ir_i2c = 0;
+ dev_warn(&dev->intf->dev,
+ "No i2c IR remote control device found.\n");
+- return -ENODEV;
++ err = -ENODEV;
++ goto ref_put;
+ }
+ }
+
+@@ -725,7 +726,7 @@ static int em28xx_ir_init(struct em28xx *dev)
+
+ ir = kzalloc(sizeof(*ir), GFP_KERNEL);
+ if (!ir)
+- return -ENOMEM;
++ goto ref_put;
+ rc = rc_allocate_device(RC_DRIVER_SCANCODE);
+ if (!rc)
+ goto error;
+@@ -836,6 +837,9 @@ error:
+ dev->ir = NULL;
+ rc_free_device(rc);
+ kfree(ir);
++ref_put:
++ em28xx_shutdown_buttons(dev);
++ kref_put(&dev->ref, em28xx_free_device);
+ return err;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From a789a43c44195f48c063574eaf4c6147093a72d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 9 May 2021 10:12:31 +0200
+Subject: media: exynos4-is: Fix a use after free in isp_video_release
+
+From: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+
+[ Upstream commit 01fe904c9afd26e79c1f73aa0ca2e3d785e5e319 ]
+
+In isp_video_release, file->private_data is freed via
+_vb2_fop_release()->v4l2_fh_release(). But the freed
+file->private_data is still used in v4l2_fh_is_singular_file()
+->v4l2_fh_is_singular(file->private_data), which is a use
+after free bug.
+
+My patch uses a variable 'is_singular_file' to avoid the uaf.
+v3: https://lore.kernel.org/patchwork/patch/1419058/
+
+Fixes: 34947b8aebe3f ("[media] exynos4-is: Add the FIMC-IS ISP capture DMA driver")
+Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/exynos4-is/fimc-isp-video.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/exynos4-is/fimc-isp-video.c b/drivers/media/platform/exynos4-is/fimc-isp-video.c
+index 39340abefd14..c9ef74ee476a 100644
+--- a/drivers/media/platform/exynos4-is/fimc-isp-video.c
++++ b/drivers/media/platform/exynos4-is/fimc-isp-video.c
+@@ -308,17 +308,20 @@ static int isp_video_release(struct file *file)
+ struct fimc_is_video *ivc = &isp->video_capture;
+ struct media_entity *entity = &ivc->ve.vdev.entity;
+ struct media_device *mdev = entity->graph_obj.mdev;
++ bool is_singular_file;
+
+ mutex_lock(&isp->video_lock);
+
+- if (v4l2_fh_is_singular_file(file) && ivc->streaming) {
++ is_singular_file = v4l2_fh_is_singular_file(file);
++
++ if (is_singular_file && ivc->streaming) {
+ media_pipeline_stop(entity);
+ ivc->streaming = 0;
+ }
+
+ _vb2_fop_release(file, NULL);
+
+- if (v4l2_fh_is_singular_file(file)) {
++ if (is_singular_file) {
+ fimc_pipeline_call(&ivc->ve, close);
+
+ mutex_lock(&mdev->graph_mutex);
+--
+2.30.2
+
--- /dev/null
+From 76da9802424bef1eea64942186386b91d3fb9515 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Apr 2021 22:19:55 +0200
+Subject: media: I2C: change 'RST' to "RSET" to fix multiple build errors
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 8edcb5049ac29aa3c8acc5ef15dd4036543d747e ]
+
+The use of an enum named 'RST' conflicts with a #define macro
+named 'RST' in arch/mips/include/asm/mach-rc32434/rb.h.
+
+The MIPS use of RST was there first (AFAICT), so change the
+media/i2c/ uses of RST to be named 'RSET'.
+'git grep -w RSET' does not report any naming conflicts with the
+new name.
+
+This fixes multiple build errors:
+
+arch/mips/include/asm/mach-rc32434/rb.h:15:14: error: expected identifier before '(' token
+ 15 | #define RST (1 << 15)
+ | ^
+drivers/media/i2c/s5c73m3/s5c73m3.h:356:2: note: in expansion of macro 'RST'
+ 356 | RST,
+ | ^~~
+
+../arch/mips/include/asm/mach-rc32434/rb.h:15:14: error: expected identifier before '(' token
+ 15 | #define RST (1 << 15)
+ | ^
+../drivers/media/i2c/s5k6aa.c:180:2: note: in expansion of macro 'RST'
+ 180 | RST,
+ | ^~~
+
+../arch/mips/include/asm/mach-rc32434/rb.h:15:14: error: expected identifier before '(' token
+ 15 | #define RST (1 << 15)
+ | ^
+../drivers/media/i2c/s5k5baf.c:238:2: note: in expansion of macro 'RST'
+ 238 | RST,
+ | ^~~
+
+and some others that I have trimmed.
+
+Fixes: cac47f1822fc ("[media] V4L: Add S5C73M3 camera driver")
+Fixes: 8b99312b7214 ("[media] Add v4l2 subdev driver for S5K4ECGX sensor")
+Fixes: 7d459937dc09 ("[media] Add driver for Samsung S5K5BAF camera sensor")
+Fixes: bfa8dd3a0524 ("[media] v4l: Add v4l2 subdev driver for S5K6AAFX sensor")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reported-by: kernel test robot <lkp@intel.com>
+Cc: Shawn Guo <shawnguo@kernel.org>
+Cc: Sascha Hauer <s.hauer@pengutronix.de>
+Cc: Pengutronix Kernel Team <kernel@pengutronix.de>
+Cc: Fabio Estevam <festevam@gmail.com>
+Cc: NXP Linux Team <linux-imx@nxp.com>
+Cc: linux-arm-kernel@lists.infradead.org (moderated for non-subscribers)
+Cc: Andrzej Hajda <a.hajda@samsung.com>
+Cc: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Cc: Sangwook Lee <sangwook.lee@linaro.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/s5c73m3/s5c73m3-core.c | 6 +++---
+ drivers/media/i2c/s5c73m3/s5c73m3.h | 2 +-
+ drivers/media/i2c/s5k4ecgx.c | 10 +++++-----
+ drivers/media/i2c/s5k5baf.c | 6 +++---
+ drivers/media/i2c/s5k6aa.c | 10 +++++-----
+ 5 files changed, 17 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/media/i2c/s5c73m3/s5c73m3-core.c b/drivers/media/i2c/s5c73m3/s5c73m3-core.c
+index cdc4f2392ef9..e7a107ecd219 100644
+--- a/drivers/media/i2c/s5c73m3/s5c73m3-core.c
++++ b/drivers/media/i2c/s5c73m3/s5c73m3-core.c
+@@ -1394,7 +1394,7 @@ static int __s5c73m3_power_on(struct s5c73m3 *state)
+ s5c73m3_gpio_deassert(state, STBY);
+ usleep_range(100, 200);
+
+- s5c73m3_gpio_deassert(state, RST);
++ s5c73m3_gpio_deassert(state, RSET);
+ usleep_range(50, 100);
+
+ return 0;
+@@ -1409,7 +1409,7 @@ static int __s5c73m3_power_off(struct s5c73m3 *state)
+ {
+ int i, ret;
+
+- if (s5c73m3_gpio_assert(state, RST))
++ if (s5c73m3_gpio_assert(state, RSET))
+ usleep_range(10, 50);
+
+ if (s5c73m3_gpio_assert(state, STBY))
+@@ -1614,7 +1614,7 @@ static int s5c73m3_get_platform_data(struct s5c73m3 *state)
+
+ state->mclk_frequency = pdata->mclk_frequency;
+ state->gpio[STBY] = pdata->gpio_stby;
+- state->gpio[RST] = pdata->gpio_reset;
++ state->gpio[RSET] = pdata->gpio_reset;
+ return 0;
+ }
+
+diff --git a/drivers/media/i2c/s5c73m3/s5c73m3.h b/drivers/media/i2c/s5c73m3/s5c73m3.h
+index 653f68e7ea07..e267b2522149 100644
+--- a/drivers/media/i2c/s5c73m3/s5c73m3.h
++++ b/drivers/media/i2c/s5c73m3/s5c73m3.h
+@@ -361,7 +361,7 @@ struct s5c73m3_ctrls {
+
+ enum s5c73m3_gpio_id {
+ STBY,
+- RST,
++ RSET,
+ GPIO_NUM,
+ };
+
+diff --git a/drivers/media/i2c/s5k4ecgx.c b/drivers/media/i2c/s5k4ecgx.c
+index 6ebcf254989a..75fb13a33eab 100644
+--- a/drivers/media/i2c/s5k4ecgx.c
++++ b/drivers/media/i2c/s5k4ecgx.c
+@@ -177,7 +177,7 @@ static const char * const s5k4ecgx_supply_names[] = {
+
+ enum s5k4ecgx_gpio_id {
+ STBY,
+- RST,
++ RSET,
+ GPIO_NUM,
+ };
+
+@@ -482,7 +482,7 @@ static int __s5k4ecgx_power_on(struct s5k4ecgx *priv)
+ if (s5k4ecgx_gpio_set_value(priv, STBY, priv->gpio[STBY].level))
+ usleep_range(30, 50);
+
+- if (s5k4ecgx_gpio_set_value(priv, RST, priv->gpio[RST].level))
++ if (s5k4ecgx_gpio_set_value(priv, RSET, priv->gpio[RSET].level))
+ usleep_range(30, 50);
+
+ return 0;
+@@ -490,7 +490,7 @@ static int __s5k4ecgx_power_on(struct s5k4ecgx *priv)
+
+ static int __s5k4ecgx_power_off(struct s5k4ecgx *priv)
+ {
+- if (s5k4ecgx_gpio_set_value(priv, RST, !priv->gpio[RST].level))
++ if (s5k4ecgx_gpio_set_value(priv, RSET, !priv->gpio[RSET].level))
+ usleep_range(30, 50);
+
+ if (s5k4ecgx_gpio_set_value(priv, STBY, !priv->gpio[STBY].level))
+@@ -878,7 +878,7 @@ static int s5k4ecgx_config_gpios(struct s5k4ecgx *priv,
+ int ret;
+
+ priv->gpio[STBY].gpio = -EINVAL;
+- priv->gpio[RST].gpio = -EINVAL;
++ priv->gpio[RSET].gpio = -EINVAL;
+
+ ret = s5k4ecgx_config_gpio(gpio->gpio, gpio->level, "S5K4ECGX_STBY");
+
+@@ -897,7 +897,7 @@ static int s5k4ecgx_config_gpios(struct s5k4ecgx *priv,
+ s5k4ecgx_free_gpios(priv);
+ return ret;
+ }
+- priv->gpio[RST] = *gpio;
++ priv->gpio[RSET] = *gpio;
+ if (gpio_is_valid(gpio->gpio))
+ gpio_set_value(gpio->gpio, 0);
+
+diff --git a/drivers/media/i2c/s5k5baf.c b/drivers/media/i2c/s5k5baf.c
+index ff46d2c96cea..18a88eb50ad8 100644
+--- a/drivers/media/i2c/s5k5baf.c
++++ b/drivers/media/i2c/s5k5baf.c
+@@ -238,7 +238,7 @@ struct s5k5baf_gpio {
+
+ enum s5k5baf_gpio_id {
+ STBY,
+- RST,
++ RSET,
+ NUM_GPIOS,
+ };
+
+@@ -973,7 +973,7 @@ static int s5k5baf_power_on(struct s5k5baf *state)
+
+ s5k5baf_gpio_deassert(state, STBY);
+ usleep_range(50, 100);
+- s5k5baf_gpio_deassert(state, RST);
++ s5k5baf_gpio_deassert(state, RSET);
+ return 0;
+
+ err_reg_dis:
+@@ -991,7 +991,7 @@ static int s5k5baf_power_off(struct s5k5baf *state)
+ state->apply_cfg = 0;
+ state->apply_crop = 0;
+
+- s5k5baf_gpio_assert(state, RST);
++ s5k5baf_gpio_assert(state, RSET);
+ s5k5baf_gpio_assert(state, STBY);
+
+ if (!IS_ERR(state->clock))
+diff --git a/drivers/media/i2c/s5k6aa.c b/drivers/media/i2c/s5k6aa.c
+index 13c10b5e2b45..e9c6e41cd44d 100644
+--- a/drivers/media/i2c/s5k6aa.c
++++ b/drivers/media/i2c/s5k6aa.c
+@@ -181,7 +181,7 @@ static const char * const s5k6aa_supply_names[] = {
+
+ enum s5k6aa_gpio_id {
+ STBY,
+- RST,
++ RSET,
+ GPIO_NUM,
+ };
+
+@@ -845,7 +845,7 @@ static int __s5k6aa_power_on(struct s5k6aa *s5k6aa)
+ ret = s5k6aa->s_power(1);
+ usleep_range(4000, 5000);
+
+- if (s5k6aa_gpio_deassert(s5k6aa, RST))
++ if (s5k6aa_gpio_deassert(s5k6aa, RSET))
+ msleep(20);
+
+ return ret;
+@@ -855,7 +855,7 @@ static int __s5k6aa_power_off(struct s5k6aa *s5k6aa)
+ {
+ int ret;
+
+- if (s5k6aa_gpio_assert(s5k6aa, RST))
++ if (s5k6aa_gpio_assert(s5k6aa, RSET))
+ usleep_range(100, 150);
+
+ if (s5k6aa->s_power) {
+@@ -1514,7 +1514,7 @@ static int s5k6aa_configure_gpios(struct s5k6aa *s5k6aa,
+ int ret;
+
+ s5k6aa->gpio[STBY].gpio = -EINVAL;
+- s5k6aa->gpio[RST].gpio = -EINVAL;
++ s5k6aa->gpio[RSET].gpio = -EINVAL;
+
+ gpio = &pdata->gpio_stby;
+ if (gpio_is_valid(gpio->gpio)) {
+@@ -1537,7 +1537,7 @@ static int s5k6aa_configure_gpios(struct s5k6aa *s5k6aa,
+ if (ret < 0)
+ return ret;
+
+- s5k6aa->gpio[RST] = *gpio;
++ s5k6aa->gpio[RSET] = *gpio;
+ }
+
+ return 0;
+--
+2.30.2
+
--- /dev/null
+From 5245487a43cf396564f529836e19093dea9b908a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 May 2021 19:08:58 +0200
+Subject: media: pvrusb2: fix warning in pvr2_i2c_core_done
+
+From: Anirudh Rayabharam <mail@anirudhrb.com>
+
+[ Upstream commit f8194e5e63fdcb349e8da9eef9e574d5b1d687cb ]
+
+syzbot has reported the following warning in pvr2_i2c_done:
+
+ sysfs group 'power' not found for kobject '1-0043'
+
+When the device is disconnected (pvr_hdw_disconnect), the i2c adapter is
+not unregistered along with the USB and v4l2 teardown. As part of the USB
+device disconnect, the sysfs files of the subdevices are also deleted.
+So, by the time pvr_i2c_core_done is called by pvr_context_destroy, the
+sysfs files have been deleted.
+
+To fix this, unregister the i2c adapter too in pvr_hdw_disconnect. Make
+the device deregistration code shared by calling pvr_hdw_disconnect from
+pvr2_hdw_destroy.
+
+Reported-by: syzbot+e74a998ca8f1df9cc332@syzkaller.appspotmail.com
+Tested-by: syzbot+e74a998ca8f1df9cc332@syzkaller.appspotmail.com
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
+index 18db7aaafcd6..fd1bd94cd78f 100644
+--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
++++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
+@@ -2670,9 +2670,8 @@ void pvr2_hdw_destroy(struct pvr2_hdw *hdw)
+ pvr2_stream_destroy(hdw->vid_stream);
+ hdw->vid_stream = NULL;
+ }
+- pvr2_i2c_core_done(hdw);
+ v4l2_device_unregister(&hdw->v4l2_dev);
+- pvr2_hdw_remove_usb_stuff(hdw);
++ pvr2_hdw_disconnect(hdw);
+ mutex_lock(&pvr2_unit_mtx);
+ do {
+ if ((hdw->unit_number >= 0) &&
+@@ -2699,6 +2698,7 @@ void pvr2_hdw_disconnect(struct pvr2_hdw *hdw)
+ {
+ pvr2_trace(PVR2_TRACE_INIT,"pvr2_hdw_disconnect(hdw=%p)",hdw);
+ LOCK_TAKE(hdw->big_lock);
++ pvr2_i2c_core_done(hdw);
+ LOCK_TAKE(hdw->ctl_lock);
+ pvr2_hdw_remove_usb_stuff(hdw);
+ LOCK_GIVE(hdw->ctl_lock);
+--
+2.30.2
+
--- /dev/null
+From 677b1f31baebe51add418374cbec8967e88421ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 May 2021 17:18:32 +0200
+Subject: media: s5p-g2d: Fix a memory leak on ctx->fh.m2m_ctx
+
+From: Dillon Min <dillon.minfei@gmail.com>
+
+[ Upstream commit 5d11e6aad1811ea293ee2996cec9124f7fccb661 ]
+
+The m2m_ctx resources was allocated by v4l2_m2m_ctx_init() in g2d_open()
+should be freed from g2d_release() when it's not used.
+
+Fix it
+
+Fixes: 918847341af0 ("[media] v4l: add G2D driver for s5p device family")
+Signed-off-by: Dillon Min <dillon.minfei@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/s5p-g2d/g2d.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/media/platform/s5p-g2d/g2d.c b/drivers/media/platform/s5p-g2d/g2d.c
+index 770100d40372..4b745138b363 100644
+--- a/drivers/media/platform/s5p-g2d/g2d.c
++++ b/drivers/media/platform/s5p-g2d/g2d.c
+@@ -283,6 +283,9 @@ static int g2d_release(struct file *file)
+ struct g2d_dev *dev = video_drvdata(file);
+ struct g2d_ctx *ctx = fh2ctx(file->private_data);
+
++ mutex_lock(&dev->mutex);
++ v4l2_m2m_ctx_release(ctx->fh.m2m_ctx);
++ mutex_unlock(&dev->mutex);
+ v4l2_ctrl_handler_free(&ctx->ctrl_handler);
+ v4l2_fh_del(&ctx->fh);
+ v4l2_fh_exit(&ctx->fh);
+--
+2.30.2
+
--- /dev/null
+From e22c0d3a9bf9f50cf360402bd5cf30764c2645c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Apr 2021 09:38:56 +0200
+Subject: media: s5p_cec: decrement usage count if disabled
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit 747bad54a677d8633ec14b39dfbeb859c821d7f2 ]
+
+There's a bug at s5p_cec_adap_enable(): if called to
+disable the device, it should call pm_runtime_put()
+instead of pm_runtime_disable(), as the goal here is to
+decrement the usage_count and not to disable PM runtime.
+
+Reported-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Fixes: 1bcbf6f4b6b0 ("[media] cec: s5p-cec: Add s5p-cec driver")
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/s5p-cec/s5p_cec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/s5p-cec/s5p_cec.c b/drivers/media/platform/s5p-cec/s5p_cec.c
+index 8837e2678bde..3032247c63a5 100644
+--- a/drivers/media/platform/s5p-cec/s5p_cec.c
++++ b/drivers/media/platform/s5p-cec/s5p_cec.c
+@@ -55,7 +55,7 @@ static int s5p_cec_adap_enable(struct cec_adapter *adap, bool enable)
+ } else {
+ s5p_cec_mask_tx_interrupts(cec);
+ s5p_cec_mask_rx_interrupts(cec);
+- pm_runtime_disable(cec->dev);
++ pm_runtime_put(cec->dev);
+ }
+
+ return 0;
+--
+2.30.2
+
--- /dev/null
+From a404cd0ba4f61ada73fe5996a7f7f2bb87c03826 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jun 2021 08:57:02 +0200
+Subject: media: siano: fix device register error path
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit 5368b1ee2939961a16e74972b69088433fc52195 ]
+
+As reported by smatch:
+ drivers/media/common/siano/smsdvb-main.c:1231 smsdvb_hotplug() warn: '&client->entry' not removed from list
+
+If an error occur at the end of the registration logic, it won't
+drop the device from the list.
+
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/common/siano/smsdvb-main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/media/common/siano/smsdvb-main.c b/drivers/media/common/siano/smsdvb-main.c
+index 15e895c9f2e0..cbe5f08ae9ad 100644
+--- a/drivers/media/common/siano/smsdvb-main.c
++++ b/drivers/media/common/siano/smsdvb-main.c
+@@ -1187,6 +1187,10 @@ static int smsdvb_hotplug(struct smscore_device_t *coredev,
+ return 0;
+
+ media_graph_error:
++ mutex_lock(&g_smsdvb_clientslock);
++ list_del(&client->entry);
++ mutex_unlock(&g_smsdvb_clientslock);
++
+ smsdvb_debugfs_release(client);
+
+ client_error:
+--
+2.30.2
+
--- /dev/null
+From 3bf85d8b1f55ac1ab03c7b4409817aaeeffd6a82 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Mar 2021 19:40:43 -0600
+Subject: media: siano: Fix out-of-bounds warnings in
+ smscore_load_firmware_family2()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Gustavo A. R. Silva <gustavoars@kernel.org>
+
+[ Upstream commit 13dfead49db07225335d4f587a560a2210391a1a ]
+
+Rename struct sms_msg_data4 to sms_msg_data5 and increase the size of
+its msg_data array from 4 to 5 elements. Notice that at some point
+the 5th element of msg_data is being accessed in function
+smscore_load_firmware_family2():
+
+1006 trigger_msg->msg_data[4] = 4; /* Task ID */
+
+Also, there is no need for the object _trigger_msg_ of type struct
+sms_msg_data *, when _msg_ can be used, directly. Notice that msg_data
+in struct sms_msg_data is a one-element array, which causes multiple
+out-of-bounds warnings when accessing beyond its first element
+in function smscore_load_firmware_family2():
+
+ 992 struct sms_msg_data *trigger_msg =
+ 993 (struct sms_msg_data *) msg;
+ 994
+ 995 pr_debug("sending MSG_SMS_SWDOWNLOAD_TRIGGER_REQ\n");
+ 996 SMS_INIT_MSG(&msg->x_msg_header,
+ 997 MSG_SMS_SWDOWNLOAD_TRIGGER_REQ,
+ 998 sizeof(struct sms_msg_hdr) +
+ 999 sizeof(u32) * 5);
+1000
+1001 trigger_msg->msg_data[0] = firmware->start_address;
+1002 /* Entry point */
+1003 trigger_msg->msg_data[1] = 6; /* Priority */
+1004 trigger_msg->msg_data[2] = 0x200; /* Stack size */
+1005 trigger_msg->msg_data[3] = 0; /* Parameter */
+1006 trigger_msg->msg_data[4] = 4; /* Task ID */
+
+even when enough dynamic memory is allocated for _msg_:
+
+ 929 /* PAGE_SIZE buffer shall be enough and dma aligned */
+ 930 msg = kmalloc(PAGE_SIZE, GFP_KERNEL | coredev->gfp_buf_flags);
+
+but as _msg_ is casted to (struct sms_msg_data *):
+
+ 992 struct sms_msg_data *trigger_msg =
+ 993 (struct sms_msg_data *) msg;
+
+the out-of-bounds warnings are actually valid and should be addressed.
+
+Fix this by declaring object _msg_ of type struct sms_msg_data5 *,
+which contains a 5-elements array, instead of just 4. And use
+_msg_ directly, instead of creating object trigger_msg.
+
+This helps with the ongoing efforts to enable -Warray-bounds by fixing
+the following warnings:
+
+ CC [M] drivers/media/common/siano/smscoreapi.o
+drivers/media/common/siano/smscoreapi.c: In function ‘smscore_load_firmware_family2’:
+drivers/media/common/siano/smscoreapi.c:1003:24: warning: array subscript 1 is above array bounds of ‘u32[1]’ {aka ‘unsigned int[1]’} [-Warray-bounds]
+ 1003 | trigger_msg->msg_data[1] = 6; /* Priority */
+ | ~~~~~~~~~~~~~~~~~~~~~^~~
+In file included from drivers/media/common/siano/smscoreapi.c:12:
+drivers/media/common/siano/smscoreapi.h:619:6: note: while referencing ‘msg_data’
+ 619 | u32 msg_data[1];
+ | ^~~~~~~~
+drivers/media/common/siano/smscoreapi.c:1004:24: warning: array subscript 2 is above array bounds of ‘u32[1]’ {aka ‘unsigned int[1]’} [-Warray-bounds]
+ 1004 | trigger_msg->msg_data[2] = 0x200; /* Stack size */
+ | ~~~~~~~~~~~~~~~~~~~~~^~~
+In file included from drivers/media/common/siano/smscoreapi.c:12:
+drivers/media/common/siano/smscoreapi.h:619:6: note: while referencing ‘msg_data’
+ 619 | u32 msg_data[1];
+ | ^~~~~~~~
+drivers/media/common/siano/smscoreapi.c:1005:24: warning: array subscript 3 is above array bounds of ‘u32[1]’ {aka ‘unsigned int[1]’} [-Warray-bounds]
+ 1005 | trigger_msg->msg_data[3] = 0; /* Parameter */
+ | ~~~~~~~~~~~~~~~~~~~~~^~~
+In file included from drivers/media/common/siano/smscoreapi.c:12:
+drivers/media/common/siano/smscoreapi.h:619:6: note: while referencing ‘msg_data’
+ 619 | u32 msg_data[1];
+ | ^~~~~~~~
+drivers/media/common/siano/smscoreapi.c:1006:24: warning: array subscript 4 is above array bounds of ‘u32[1]’ {aka ‘unsigned int[1]’} [-Warray-bounds]
+ 1006 | trigger_msg->msg_data[4] = 4; /* Task ID */
+ | ~~~~~~~~~~~~~~~~~~~~~^~~
+In file included from drivers/media/common/siano/smscoreapi.c:12:
+drivers/media/common/siano/smscoreapi.h:619:6: note: while referencing ‘msg_data’
+ 619 | u32 msg_data[1];
+ | ^~~~~~~~
+
+Fixes: 018b0c6f8acb ("[media] siano: make load firmware logic to work with newer firmwares")
+Co-developed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/common/siano/smscoreapi.c | 22 +++++++++-------------
+ drivers/media/common/siano/smscoreapi.h | 4 ++--
+ 2 files changed, 11 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/media/common/siano/smscoreapi.c b/drivers/media/common/siano/smscoreapi.c
+index e7a0d7798d5b..963289e21598 100644
+--- a/drivers/media/common/siano/smscoreapi.c
++++ b/drivers/media/common/siano/smscoreapi.c
+@@ -910,7 +910,7 @@ static int smscore_load_firmware_family2(struct smscore_device_t *coredev,
+ void *buffer, size_t size)
+ {
+ struct sms_firmware *firmware = (struct sms_firmware *) buffer;
+- struct sms_msg_data4 *msg;
++ struct sms_msg_data5 *msg;
+ u32 mem_address, calc_checksum = 0;
+ u32 i, *ptr;
+ u8 *payload = firmware->payload;
+@@ -991,24 +991,20 @@ static int smscore_load_firmware_family2(struct smscore_device_t *coredev,
+ goto exit_fw_download;
+
+ if (coredev->mode == DEVICE_MODE_NONE) {
+- struct sms_msg_data *trigger_msg =
+- (struct sms_msg_data *) msg;
+-
+ pr_debug("sending MSG_SMS_SWDOWNLOAD_TRIGGER_REQ\n");
+ SMS_INIT_MSG(&msg->x_msg_header,
+ MSG_SMS_SWDOWNLOAD_TRIGGER_REQ,
+- sizeof(struct sms_msg_hdr) +
+- sizeof(u32) * 5);
++ sizeof(*msg));
+
+- trigger_msg->msg_data[0] = firmware->start_address;
++ msg->msg_data[0] = firmware->start_address;
+ /* Entry point */
+- trigger_msg->msg_data[1] = 6; /* Priority */
+- trigger_msg->msg_data[2] = 0x200; /* Stack size */
+- trigger_msg->msg_data[3] = 0; /* Parameter */
+- trigger_msg->msg_data[4] = 4; /* Task ID */
++ msg->msg_data[1] = 6; /* Priority */
++ msg->msg_data[2] = 0x200; /* Stack size */
++ msg->msg_data[3] = 0; /* Parameter */
++ msg->msg_data[4] = 4; /* Task ID */
+
+- rc = smscore_sendrequest_and_wait(coredev, trigger_msg,
+- trigger_msg->x_msg_header.msg_length,
++ rc = smscore_sendrequest_and_wait(coredev, msg,
++ msg->x_msg_header.msg_length,
+ &coredev->trigger_done);
+ } else {
+ SMS_INIT_MSG(&msg->x_msg_header, MSG_SW_RELOAD_EXEC_REQ,
+diff --git a/drivers/media/common/siano/smscoreapi.h b/drivers/media/common/siano/smscoreapi.h
+index 4cc39e4a8318..55d02c27f124 100644
+--- a/drivers/media/common/siano/smscoreapi.h
++++ b/drivers/media/common/siano/smscoreapi.h
+@@ -636,9 +636,9 @@ struct sms_msg_data2 {
+ u32 msg_data[2];
+ };
+
+-struct sms_msg_data4 {
++struct sms_msg_data5 {
+ struct sms_msg_hdr x_msg_header;
+- u32 msg_data[4];
++ u32 msg_data[5];
+ };
+
+ struct sms_data_download {
+--
+2.30.2
+
--- /dev/null
+From 501c8c6b799b4821a44c32de2f88541baff0eb57 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 May 2021 14:04:49 +0200
+Subject: media: st-hva: Fix potential NULL pointer dereferences
+
+From: Evgeny Novikov <novikov@ispras.ru>
+
+[ Upstream commit b7fdd208687ba59ebfb09b2199596471c63b69e3 ]
+
+When ctx_id >= HVA_MAX_INSTANCES in hva_hw_its_irq_thread() it tries to
+access fields of ctx that is NULL at that point. The patch gets rid of
+these accesses.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Evgeny Novikov <novikov@ispras.ru>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/sti/hva/hva-hw.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/sti/hva/hva-hw.c b/drivers/media/platform/sti/hva/hva-hw.c
+index 1185f6b6721e..3bb4d55c2058 100644
+--- a/drivers/media/platform/sti/hva/hva-hw.c
++++ b/drivers/media/platform/sti/hva/hva-hw.c
+@@ -130,8 +130,7 @@ static irqreturn_t hva_hw_its_irq_thread(int irq, void *arg)
+ ctx_id = (hva->sts_reg & 0xFF00) >> 8;
+ if (ctx_id >= HVA_MAX_INSTANCES) {
+ dev_err(dev, "%s %s: bad context identifier: %d\n",
+- ctx->name, __func__, ctx_id);
+- ctx->hw_err = true;
++ HVA_PREFIX, __func__, ctx_id);
+ goto out;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From b3ab117c659b573a3b4a848eaeb6a0a720264ee4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 15 May 2021 08:58:30 +0200
+Subject: media: tc358743: Fix error return code in tc358743_probe_of()
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit a6b1e7093f0a099571fc8836ab4a589633f956a8 ]
+
+When the CSI bps per lane is not in the valid range, an appropriate error
+code -EINVAL should be returned. However, we currently do not explicitly
+assign this error code to 'ret'. As a result, 0 was incorrectly returned.
+
+Fixes: 256148246852 ("[media] tc358743: support probe from device tree")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/tc358743.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c
+index f74c4f6814eb..b294433c8345 100644
+--- a/drivers/media/i2c/tc358743.c
++++ b/drivers/media/i2c/tc358743.c
+@@ -1806,6 +1806,7 @@ static int tc358743_probe_of(struct tc358743_state *state)
+ bps_pr_lane = 2 * endpoint->link_frequencies[0];
+ if (bps_pr_lane < 62500000U || bps_pr_lane > 1000000000U) {
+ dev_err(dev, "unsupported bps per lane: %u bps\n", bps_pr_lane);
++ ret = -EINVAL;
+ goto disable_clk;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 955ceda03bfe16c567ed966f3d71ff8b96a0c16b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 9 May 2021 10:24:02 +0200
+Subject: media: v4l2-core: Avoid the dangling pointer in v4l2_fh_release
+
+From: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+
+[ Upstream commit 7dd0c9e547b6924e18712b6b51aa3cba1896ee2c ]
+
+A use after free bug caused by the dangling pointer
+filp->privitate_data in v4l2_fh_release.
+See https://lore.kernel.org/patchwork/patch/1419058/.
+
+My patch sets the dangling pointer to NULL to provide
+robust.
+
+Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/v4l2-core/v4l2-fh.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/v4l2-core/v4l2-fh.c b/drivers/media/v4l2-core/v4l2-fh.c
+index c91a7bd3ecfc..ac8282d059fc 100644
+--- a/drivers/media/v4l2-core/v4l2-fh.c
++++ b/drivers/media/v4l2-core/v4l2-fh.c
+@@ -104,6 +104,7 @@ int v4l2_fh_release(struct file *filp)
+ v4l2_fh_del(fh);
+ v4l2_fh_exit(fh);
+ kfree(fh);
++ filp->private_data = NULL;
+ }
+ return 0;
+ }
+--
+2.30.2
+
--- /dev/null
+From 7092d46972c55adde522e97327e536acfa2b965d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Jun 2021 18:47:57 -0700
+Subject: mm/huge_memory.c: don't discard hugepage if other processes are
+ mapping it
+
+From: Miaohe Lin <linmiaohe@huawei.com>
+
+[ Upstream commit babbbdd08af98a59089334eb3effbed5a7a0cf7f ]
+
+If other processes are mapping any other subpages of the hugepage, i.e.
+in pte-mapped thp case, page_mapcount() will return 1 incorrectly. Then
+we would discard the page while other processes are still mapping it. Fix
+it by using total_mapcount() which can tell whether other processes are
+still mapping it.
+
+Link: https://lkml.kernel.org/r/20210511134857.1581273-6-linmiaohe@huawei.com
+Fixes: b8d3c4c3009d ("mm/huge_memory.c: don't split THP page when MADV_FREE syscall is called")
+Reviewed-by: Yang Shi <shy828301@gmail.com>
+Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: "Aneesh Kumar K . V" <aneesh.kumar@linux.ibm.com>
+Cc: Anshuman Khandual <anshuman.khandual@arm.com>
+Cc: David Hildenbrand <david@redhat.com>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: Minchan Kim <minchan@kernel.org>
+Cc: Ralph Campbell <rcampbell@nvidia.com>
+Cc: Rik van Riel <riel@surriel.com>
+Cc: Song Liu <songliubraving@fb.com>
+Cc: William Kucharski <william.kucharski@oracle.com>
+Cc: Zi Yan <ziy@nvidia.com>
+Cc: Mike Kravetz <mike.kravetz@oracle.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/huge_memory.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mm/huge_memory.c b/mm/huge_memory.c
+index 972893908bcd..928ae18b1c13 100644
+--- a/mm/huge_memory.c
++++ b/mm/huge_memory.c
+@@ -1624,7 +1624,7 @@ bool madvise_free_huge_pmd(struct mmu_gather *tlb, struct vm_area_struct *vma,
+ * If other processes are mapping this page, we couldn't discard
+ * the page unless they all do MADV_FREE so let's skip the page.
+ */
+- if (page_mapcount(page) != 1)
++ if (total_mapcount(page) != 1)
+ goto out;
+
+ if (!trylock_page(page))
+--
+2.30.2
+
--- /dev/null
+From e0ed1b1a73a8450a38000af22ef6563103316324 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 8 May 2021 10:03:21 +0800
+Subject: mmc: usdhi6rol0: fix error return code in usdhi6_probe()
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit 2f9ae69e5267f53e89e296fccee291975a85f0eb ]
+
+Fix to return a negative error code from the error handling case instead
+of 0, as done elsewhere in this function.
+
+Fixes: 75fa9ea6e3c0 ("mmc: add a driver for the Renesas usdhi6rol0 SD/SDIO host controller")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Link: https://lore.kernel.org/r/20210508020321.1677-1-thunder.leizhen@huawei.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/usdhi6rol0.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/mmc/host/usdhi6rol0.c b/drivers/mmc/host/usdhi6rol0.c
+index 76e31a30b0cf..d27ee9eb2eac 100644
+--- a/drivers/mmc/host/usdhi6rol0.c
++++ b/drivers/mmc/host/usdhi6rol0.c
+@@ -1809,6 +1809,7 @@ static int usdhi6_probe(struct platform_device *pdev)
+
+ version = usdhi6_read(host, USDHI6_VERSION);
+ if ((version & 0xfff) != 0xa0d) {
++ ret = -EPERM;
+ dev_err(dev, "Version not recognized %x\n", version);
+ goto e_clk_off;
+ }
+--
+2.30.2
+
--- /dev/null
+From 488b5b23924f712e041078f9b380742b4d2fb51e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jun 2021 13:33:20 +0000
+Subject: mmc: via-sdmmc: add a check against NULL pointer dereference
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+[ Upstream commit 45c8ddd06c4b729c56a6083ab311bfbd9643f4a6 ]
+
+Before referencing 'host->data', the driver needs to check whether it is
+null pointer, otherwise it will cause a null pointer reference.
+
+This log reveals it:
+
+[ 29.355199] BUG: kernel NULL pointer dereference, address:
+0000000000000014
+[ 29.357323] #PF: supervisor write access in kernel mode
+[ 29.357706] #PF: error_code(0x0002) - not-present page
+[ 29.358088] PGD 0 P4D 0
+[ 29.358280] Oops: 0002 [#1] PREEMPT SMP PTI
+[ 29.358595] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 5.12.4-
+g70e7f0549188-dirty #102
+[ 29.359164] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009),
+BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
+[ 29.359978] RIP: 0010:via_sdc_isr+0x21f/0x410
+[ 29.360314] Code: ff ff e8 84 aa d0 fd 66 45 89 7e 28 66 41 f7 c4 00
+10 75 56 e8 72 aa d0 fd 66 41 f7 c4 00 c0 74 10 e8 65 aa d0 fd 48 8b 43
+18 <c7> 40 14 ac ff ff ff e8 55 aa d0 fd 48 89 df e8 ad fb ff ff e9 77
+[ 29.361661] RSP: 0018:ffffc90000118e98 EFLAGS: 00010046
+[ 29.362042] RAX: 0000000000000000 RBX: ffff888107d77880
+RCX: 0000000000000000
+[ 29.362564] RDX: 0000000000000000 RSI: ffffffff835d20bb
+RDI: 00000000ffffffff
+[ 29.363085] RBP: ffffc90000118ed8 R08: 0000000000000001
+R09: 0000000000000001
+[ 29.363604] R10: 0000000000000000 R11: 0000000000000001
+R12: 0000000000008600
+[ 29.364128] R13: ffff888107d779c8 R14: ffffc90009c00200
+R15: 0000000000008000
+[ 29.364651] FS: 0000000000000000(0000) GS:ffff88817bc80000(0000)
+knlGS:0000000000000000
+[ 29.365235] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 29.365655] CR2: 0000000000000014 CR3: 0000000005a2e000
+CR4: 00000000000006e0
+[ 29.366170] DR0: 0000000000000000 DR1: 0000000000000000
+DR2: 0000000000000000
+[ 29.366683] DR3: 0000000000000000 DR6: 00000000fffe0ff0
+DR7: 0000000000000400
+[ 29.367197] Call Trace:
+[ 29.367381] <IRQ>
+[ 29.367537] __handle_irq_event_percpu+0x53/0x3e0
+[ 29.367916] handle_irq_event_percpu+0x35/0x90
+[ 29.368247] handle_irq_event+0x39/0x60
+[ 29.368632] handle_fasteoi_irq+0xc2/0x1d0
+[ 29.368950] __common_interrupt+0x7f/0x150
+[ 29.369254] common_interrupt+0xb4/0xd0
+[ 29.369547] </IRQ>
+[ 29.369708] asm_common_interrupt+0x1e/0x40
+[ 29.370016] RIP: 0010:native_safe_halt+0x17/0x20
+[ 29.370360] Code: 07 0f 00 2d db 80 43 00 f4 5d c3 0f 1f 84 00 00 00
+00 00 8b 05 c2 37 e5 01 55 48 89 e5 85 c0 7e 07 0f 00 2d bb 80 43 00 fb
+f4 <5d> c3 cc cc cc cc cc cc cc 55 48 89 e5 e8 67 53 ff ff 8b 0d f9 91
+[ 29.371696] RSP: 0018:ffffc9000008fe90 EFLAGS: 00000246
+[ 29.372079] RAX: 0000000000000000 RBX: 0000000000000002
+RCX: 0000000000000000
+[ 29.372595] RDX: 0000000000000000 RSI: ffffffff854f67a4
+RDI: ffffffff85403406
+[ 29.373122] RBP: ffffc9000008fe90 R08: 0000000000000001
+R09: 0000000000000001
+[ 29.373646] R10: 0000000000000000 R11: 0000000000000001
+R12: ffffffff86009188
+[ 29.374160] R13: 0000000000000000 R14: 0000000000000000
+R15: ffff888100258000
+[ 29.374690] default_idle+0x9/0x10
+[ 29.374944] arch_cpu_idle+0xa/0x10
+[ 29.375198] default_idle_call+0x6e/0x250
+[ 29.375491] do_idle+0x1f0/0x2d0
+[ 29.375740] cpu_startup_entry+0x18/0x20
+[ 29.376034] start_secondary+0x11f/0x160
+[ 29.376328] secondary_startup_64_no_verify+0xb0/0xbb
+[ 29.376705] Modules linked in:
+[ 29.376939] Dumping ftrace buffer:
+[ 29.377187] (ftrace buffer empty)
+[ 29.377460] CR2: 0000000000000014
+[ 29.377712] ---[ end trace 51a473dffb618c47 ]---
+[ 29.378056] RIP: 0010:via_sdc_isr+0x21f/0x410
+[ 29.378380] Code: ff ff e8 84 aa d0 fd 66 45 89 7e 28 66 41 f7 c4 00
+10 75 56 e8 72 aa d0 fd 66 41 f7 c4 00 c0 74 10 e8 65 aa d0 fd 48 8b 43
+18 <c7> 40 14 ac ff ff ff e8 55 aa d0 fd 48 89 df e8 ad fb ff ff e9 77
+[ 29.379714] RSP: 0018:ffffc90000118e98 EFLAGS: 00010046
+[ 29.380098] RAX: 0000000000000000 RBX: ffff888107d77880
+RCX: 0000000000000000
+[ 29.380614] RDX: 0000000000000000 RSI: ffffffff835d20bb
+RDI: 00000000ffffffff
+[ 29.381134] RBP: ffffc90000118ed8 R08: 0000000000000001
+R09: 0000000000000001
+[ 29.381653] R10: 0000000000000000 R11: 0000000000000001
+R12: 0000000000008600
+[ 29.382176] R13: ffff888107d779c8 R14: ffffc90009c00200
+R15: 0000000000008000
+[ 29.382697] FS: 0000000000000000(0000) GS:ffff88817bc80000(0000)
+knlGS:0000000000000000
+[ 29.383277] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 29.383697] CR2: 0000000000000014 CR3: 0000000005a2e000
+CR4: 00000000000006e0
+[ 29.384223] DR0: 0000000000000000 DR1: 0000000000000000
+DR2: 0000000000000000
+[ 29.384736] DR3: 0000000000000000 DR6: 00000000fffe0ff0
+DR7: 0000000000000400
+[ 29.385260] Kernel panic - not syncing: Fatal exception in interrupt
+[ 29.385882] Dumping ftrace buffer:
+[ 29.386135] (ftrace buffer empty)
+[ 29.386401] Kernel Offset: disabled
+[ 29.386656] Rebooting in 1 seconds..
+
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+Link: https://lore.kernel.org/r/1622727200-15808-1-git-send-email-zheyuma97@gmail.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/via-sdmmc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/mmc/host/via-sdmmc.c b/drivers/mmc/host/via-sdmmc.c
+index 8c0e348c6053..4e5043657ee2 100644
+--- a/drivers/mmc/host/via-sdmmc.c
++++ b/drivers/mmc/host/via-sdmmc.c
+@@ -865,6 +865,9 @@ static void via_sdc_data_isr(struct via_crdr_mmc_host *host, u16 intmask)
+ {
+ BUG_ON(intmask == 0);
+
++ if (!host->data)
++ return;
++
+ if (intmask & VIA_CRDR_SDSTS_DT)
+ host->data->error = -ETIMEDOUT;
+ else if (intmask & (VIA_CRDR_SDSTS_RC | VIA_CRDR_SDSTS_WC))
+--
+2.30.2
+
--- /dev/null
+From 2b198d4176e0616999d5b33d846044099e7ef365 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 8 May 2021 00:07:55 +0200
+Subject: mwifiex: re-fix for unaligned accesses
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 8f4e3d48bb50765ab27ae5bebed2595b20de80a1 ]
+
+A patch from 2017 changed some accesses to DMA memory to use
+get_unaligned_le32() and similar interfaces, to avoid problems
+with doing unaligned accesson uncached memory.
+
+However, the change in the mwifiex_pcie_alloc_sleep_cookie_buf()
+function ended up changing the size of the access instead,
+as it operates on a pointer to u8.
+
+Change this function back to actually access the entire 32 bits.
+Note that the pointer is aligned by definition because it came
+from dma_alloc_coherent().
+
+Fixes: 92c70a958b0b ("mwifiex: fix for unaligned reads")
+Acked-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwifiex/pcie.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/pcie.c b/drivers/net/wireless/marvell/mwifiex/pcie.c
+index 7f615ad98aca..5b12d5191acc 100644
+--- a/drivers/net/wireless/marvell/mwifiex/pcie.c
++++ b/drivers/net/wireless/marvell/mwifiex/pcie.c
+@@ -1070,7 +1070,7 @@ static int mwifiex_pcie_delete_cmdrsp_buf(struct mwifiex_adapter *adapter)
+ static int mwifiex_pcie_alloc_sleep_cookie_buf(struct mwifiex_adapter *adapter)
+ {
+ struct pcie_service_card *card = adapter->card;
+- u32 tmp;
++ u32 *cookie;
+
+ card->sleep_cookie_vbase = pci_alloc_consistent(card->dev, sizeof(u32),
+ &card->sleep_cookie_pbase);
+@@ -1079,13 +1079,11 @@ static int mwifiex_pcie_alloc_sleep_cookie_buf(struct mwifiex_adapter *adapter)
+ "pci_alloc_consistent failed!\n");
+ return -ENOMEM;
+ }
++ cookie = (u32 *)card->sleep_cookie_vbase;
+ /* Init val of Sleep Cookie */
+- tmp = FW_AWAKE_COOKIE;
+- put_unaligned(tmp, card->sleep_cookie_vbase);
++ *cookie = FW_AWAKE_COOKIE;
+
+- mwifiex_dbg(adapter, INFO,
+- "alloc_scook: sleep cookie=0x%x\n",
+- get_unaligned(card->sleep_cookie_vbase));
++ mwifiex_dbg(adapter, INFO, "alloc_scook: sleep cookie=0x%x\n", *cookie);
+
+ return 0;
+ }
+--
+2.30.2
+
--- /dev/null
+From 277df8ea1fbddc6f471ef6fa86e5c66a1d3732de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jun 2021 11:28:03 +0800
+Subject: net: bcmgenet: Fix attaching to PYH failed on RPi 4B
+
+From: Jian-Hong Pan <jhp@endlessos.org>
+
+[ Upstream commit b2ac9800cfe0f8da16abc4e74e003440361c112e ]
+
+The Broadcom UniMAC MDIO bus from mdio-bcm-unimac module comes too late.
+So, GENET cannot find the ethernet PHY on UniMAC MDIO bus. This leads
+GENET fail to attach the PHY as following log:
+
+bcmgenet fd580000.ethernet: GENET 5.0 EPHY: 0x0000
+...
+could not attach to PHY
+bcmgenet fd580000.ethernet eth0: failed to connect to PHY
+uart-pl011 fe201000.serial: no DMA platform data
+libphy: bcmgenet MII bus: probed
+...
+unimac-mdio unimac-mdio.-19: Broadcom UniMAC MDIO bus
+
+This patch adds the soft dependency to load mdio-bcm-unimac module
+before genet module to avoid the issue.
+
+Fixes: 9a4e79697009 ("net: bcmgenet: utilize generic Broadcom UniMAC MDIO controller driver")
+Buglink: https://bugzilla.kernel.org/show_bug.cgi?id=213485
+Signed-off-by: Jian-Hong Pan <jhp@endlessos.org>
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+index 5855ffec4952..ce89c43ced8a 100644
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -3765,3 +3765,4 @@ MODULE_AUTHOR("Broadcom Corporation");
+ MODULE_DESCRIPTION("Broadcom GENET Ethernet controller driver");
+ MODULE_ALIAS("platform:bcmgenet");
+ MODULE_LICENSE("GPL");
++MODULE_SOFTDEP("pre: mdio-bcm-unimac");
+--
+2.30.2
+
--- /dev/null
+From 2f80eb75719af544d57457b1fb3f730e1e39f495 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jun 2021 17:57:31 +0300
+Subject: net: ethernet: aeroflex: fix UAF in greth_of_remove
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit e3a5de6d81d8b2199935c7eb3f7d17a50a7075b7 ]
+
+static int greth_of_remove(struct platform_device *of_dev)
+{
+...
+ struct greth_private *greth = netdev_priv(ndev);
+...
+ unregister_netdev(ndev);
+ free_netdev(ndev);
+
+ of_iounmap(&of_dev->resource[0], greth->regs, resource_size(&of_dev->resource[0]));
+...
+}
+
+greth is netdev private data, but it is used
+after free_netdev(). It can cause use-after-free when accessing greth
+pointer. So, fix it by moving free_netdev() after of_iounmap()
+call.
+
+Fixes: d4c41139df6e ("net: Add Aeroflex Gaisler 10/100/1G Ethernet MAC driver")
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/aeroflex/greth.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/aeroflex/greth.c b/drivers/net/ethernet/aeroflex/greth.c
+index 4309be3724ad..a20e95b39cf7 100644
+--- a/drivers/net/ethernet/aeroflex/greth.c
++++ b/drivers/net/ethernet/aeroflex/greth.c
+@@ -1546,10 +1546,11 @@ static int greth_of_remove(struct platform_device *of_dev)
+ mdiobus_unregister(greth->mdio);
+
+ unregister_netdev(ndev);
+- free_netdev(ndev);
+
+ of_iounmap(&of_dev->resource[0], greth->regs, resource_size(&of_dev->resource[0]));
+
++ free_netdev(ndev);
++
+ return 0;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 2eead90ff1ca5f08e31fcb64469cf6dce0e17ca4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jun 2021 19:14:47 +0300
+Subject: net: ethernet: ezchip: fix error handling
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit 0de449d599594f5472e00267d651615c7f2c6c1d ]
+
+As documented at drivers/base/platform.c for platform_get_irq:
+
+ * Gets an IRQ for a platform device and prints an error message if finding the
+ * IRQ fails. Device drivers should check the return value for errors so as to
+ * not pass a negative integer value to the request_irq() APIs.
+
+So, the driver should check that platform_get_irq() return value
+is _negative_, not that it's equal to zero, because -ENXIO (return
+value from request_irq() if irq was not found) will
+pass this check and it leads to passing negative irq to request_irq()
+
+Fixes: 0dd077093636 ("NET: Add ezchip ethernet driver")
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ezchip/nps_enet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/ezchip/nps_enet.c b/drivers/net/ethernet/ezchip/nps_enet.c
+index fbadf08b7c5d..70ccbd11b9e7 100644
+--- a/drivers/net/ethernet/ezchip/nps_enet.c
++++ b/drivers/net/ethernet/ezchip/nps_enet.c
+@@ -623,7 +623,7 @@ static s32 nps_enet_probe(struct platform_device *pdev)
+
+ /* Get IRQ number */
+ priv->irq = platform_get_irq(pdev, 0);
+- if (!priv->irq) {
++ if (priv->irq < 0) {
+ dev_err(dev, "failed to retrieve <irq Rx-Tx> value from device tree\n");
+ err = -ENODEV;
+ goto out_netdev;
+--
+2.30.2
+
--- /dev/null
+From 392670dbd7ff349508803cf7a878b4d170143ecb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jun 2021 19:14:31 +0300
+Subject: net: ethernet: ezchip: fix UAF in nps_enet_remove
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit e4b8700e07a86e8eab6916aa5c5ba99042c34089 ]
+
+priv is netdev private data, but it is used
+after free_netdev(). It can cause use-after-free when accessing priv
+pointer. So, fix it by moving free_netdev() after netif_napi_del()
+call.
+
+Fixes: 0dd077093636 ("NET: Add ezchip ethernet driver")
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ezchip/nps_enet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/ezchip/nps_enet.c b/drivers/net/ethernet/ezchip/nps_enet.c
+index 659f1ad37e96..fbadf08b7c5d 100644
+--- a/drivers/net/ethernet/ezchip/nps_enet.c
++++ b/drivers/net/ethernet/ezchip/nps_enet.c
+@@ -658,8 +658,8 @@ static s32 nps_enet_remove(struct platform_device *pdev)
+ struct nps_enet_priv *priv = netdev_priv(ndev);
+
+ unregister_netdev(ndev);
+- free_netdev(ndev);
+ netif_napi_del(&priv->napi);
++ free_netdev(ndev);
+
+ return 0;
+ }
+--
+2.30.2
+
--- /dev/null
+From 8833fab082ba3f0435ddced32dcc0e8f5a6244c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 May 2021 19:39:27 +0300
+Subject: net: pch_gbe: Propagate error from devm_gpio_request_one()
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 9e3617a7b84512bf96c04f9cf82d1a7257d33794 ]
+
+If GPIO controller is not available yet we need to defer
+the probe of GBE until provider will become available.
+
+While here, drop GPIOF_EXPORT because it's deprecated and
+may not be available.
+
+Fixes: f1a26fdf5944 ("pch_gbe: Add MinnowBoard support")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Tested-by: Flavio Suligoi <f.suligoi@asem.it>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c
+index 5ae9681a2da7..cb16f86ab90a 100644
+--- a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c
++++ b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c
+@@ -2599,9 +2599,13 @@ static int pch_gbe_probe(struct pci_dev *pdev,
+ adapter->pdev = pdev;
+ adapter->hw.back = adapter;
+ adapter->hw.reg = pcim_iomap_table(pdev)[PCH_GBE_PCI_BAR];
++
+ adapter->pdata = (struct pch_gbe_privdata *)pci_id->driver_data;
+- if (adapter->pdata && adapter->pdata->platform_init)
+- adapter->pdata->platform_init(pdev);
++ if (adapter->pdata && adapter->pdata->platform_init) {
++ ret = adapter->pdata->platform_init(pdev);
++ if (ret)
++ goto err_free_netdev;
++ }
+
+ adapter->ptp_pdev = pci_get_bus_and_slot(adapter->pdev->bus->number,
+ PCI_DEVFN(12, 4));
+@@ -2696,7 +2700,7 @@ err_free_netdev:
+ */
+ static int pch_gbe_minnow_platform_init(struct pci_dev *pdev)
+ {
+- unsigned long flags = GPIOF_DIR_OUT | GPIOF_INIT_HIGH | GPIOF_EXPORT;
++ unsigned long flags = GPIOF_OUT_INIT_HIGH;
+ unsigned gpio = MINNOW_PHY_RESET_GPIO;
+ int ret;
+
+--
+2.30.2
+
--- /dev/null
+From 0eed33415bdc46d57dc9e7ecbd03addad4e4cf1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Jun 2021 23:23:48 +0300
+Subject: net: sched: fix warning in tcindex_alloc_perfect_hash
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit 3f2db250099f46988088800052cdf2332c7aba61 ]
+
+Syzbot reported warning in tcindex_alloc_perfect_hash. The problem
+was in too big cp->hash, which triggers warning in kmalloc. Since
+cp->hash comes from userspace, there is no need to warn if value
+is not correct
+
+Fixes: b9a24bb76bf6 ("net_sched: properly handle failure case of tcf_exts_init()")
+Reported-and-tested-by: syzbot+1071ad60cd7df39fdadb@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Acked-by: Cong Wang <cong.wang@bytedance.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/cls_tcindex.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sched/cls_tcindex.c b/net/sched/cls_tcindex.c
+index 5b119efb20ee..9314a739c170 100644
+--- a/net/sched/cls_tcindex.c
++++ b/net/sched/cls_tcindex.c
+@@ -297,7 +297,7 @@ static int tcindex_alloc_perfect_hash(struct tcindex_data *cp)
+ int i, err = 0;
+
+ cp->perfect = kcalloc(cp->hash, sizeof(struct tcindex_filter_result),
+- GFP_KERNEL);
++ GFP_KERNEL | __GFP_NOWARN);
+ if (!cp->perfect)
+ return -ENOMEM;
+
+--
+2.30.2
+
--- /dev/null
+From 556d8d17768fb72be2ee869bbc456b08239b2aca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jun 2021 20:20:30 +0200
+Subject: netfilter: nft_exthdr: check for IPv6 packet before further
+ processing
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit cdd73cc545c0fb9b1a1f7b209f4f536e7990cff4 ]
+
+ipv6_find_hdr() does not validate that this is an IPv6 packet. Add a
+sanity check for calling ipv6_find_hdr() to make sure an IPv6 packet
+is passed for parsing.
+
+Fixes: 96518518cc41 ("netfilter: add nftables")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_exthdr.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c
+index a0a93d987a3b..a301d3bbd3fa 100644
+--- a/net/netfilter/nft_exthdr.c
++++ b/net/netfilter/nft_exthdr.c
+@@ -46,6 +46,9 @@ static void nft_exthdr_ipv6_eval(const struct nft_expr *expr,
+ unsigned int offset = 0;
+ int err;
+
++ if (pkt->skb->protocol != htons(ETH_P_IPV6))
++ goto err;
++
+ err = ipv6_find_hdr(pkt->skb, &offset, priv->type, NULL, NULL);
+ if (priv->flags & NFT_EXTHDR_F_PRESENT) {
+ *dest = (err >= 0);
+--
+2.30.2
+
--- /dev/null
+From 516d4776680e0ac9b788f74d9b863e2f3249e0b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jun 2021 10:14:44 +0800
+Subject: netlabel: Fix memory leak in netlbl_mgmt_add_common
+
+From: Liu Shixin <liushixin2@huawei.com>
+
+[ Upstream commit b8f6b0522c298ae9267bd6584e19b942a0636910 ]
+
+Hulk Robot reported memory leak in netlbl_mgmt_add_common.
+The problem is non-freed map in case of netlbl_domhsh_add() failed.
+
+BUG: memory leak
+unreferenced object 0xffff888100ab7080 (size 96):
+ comm "syz-executor537", pid 360, jiffies 4294862456 (age 22.678s)
+ hex dump (first 32 bytes):
+ 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ fe 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ................
+ backtrace:
+ [<0000000008b40026>] netlbl_mgmt_add_common.isra.0+0xb2a/0x1b40
+ [<000000003be10950>] netlbl_mgmt_add+0x271/0x3c0
+ [<00000000c70487ed>] genl_family_rcv_msg_doit.isra.0+0x20e/0x320
+ [<000000001f2ff614>] genl_rcv_msg+0x2bf/0x4f0
+ [<0000000089045792>] netlink_rcv_skb+0x134/0x3d0
+ [<0000000020e96fdd>] genl_rcv+0x24/0x40
+ [<0000000042810c66>] netlink_unicast+0x4a0/0x6a0
+ [<000000002e1659f0>] netlink_sendmsg+0x789/0xc70
+ [<000000006e43415f>] sock_sendmsg+0x139/0x170
+ [<00000000680a73d7>] ____sys_sendmsg+0x658/0x7d0
+ [<0000000065cbb8af>] ___sys_sendmsg+0xf8/0x170
+ [<0000000019932b6c>] __sys_sendmsg+0xd3/0x190
+ [<00000000643ac172>] do_syscall_64+0x37/0x90
+ [<000000009b79d6dc>] entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Fixes: 63c416887437 ("netlabel: Add network address selectors to the NetLabel/LSM domain mapping")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Liu Shixin <liushixin2@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netlabel/netlabel_mgmt.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/net/netlabel/netlabel_mgmt.c b/net/netlabel/netlabel_mgmt.c
+index 21e0095b1d14..71ba69cb50c9 100644
+--- a/net/netlabel/netlabel_mgmt.c
++++ b/net/netlabel/netlabel_mgmt.c
+@@ -90,6 +90,7 @@ static const struct nla_policy netlbl_mgmt_genl_policy[NLBL_MGMT_A_MAX + 1] = {
+ static int netlbl_mgmt_add_common(struct genl_info *info,
+ struct netlbl_audit *audit_info)
+ {
++ void *pmap = NULL;
+ int ret_val = -EINVAL;
+ struct netlbl_domaddr_map *addrmap = NULL;
+ struct cipso_v4_doi *cipsov4 = NULL;
+@@ -189,6 +190,7 @@ static int netlbl_mgmt_add_common(struct genl_info *info,
+ ret_val = -ENOMEM;
+ goto add_free_addrmap;
+ }
++ pmap = map;
+ map->list.addr = addr->s_addr & mask->s_addr;
+ map->list.mask = mask->s_addr;
+ map->list.valid = 1;
+@@ -197,10 +199,8 @@ static int netlbl_mgmt_add_common(struct genl_info *info,
+ map->def.cipso = cipsov4;
+
+ ret_val = netlbl_af4list_add(&map->list, &addrmap->list4);
+- if (ret_val != 0) {
+- kfree(map);
+- goto add_free_addrmap;
+- }
++ if (ret_val != 0)
++ goto add_free_map;
+
+ entry->family = AF_INET;
+ entry->def.type = NETLBL_NLTYPE_ADDRSELECT;
+@@ -237,6 +237,7 @@ static int netlbl_mgmt_add_common(struct genl_info *info,
+ ret_val = -ENOMEM;
+ goto add_free_addrmap;
+ }
++ pmap = map;
+ map->list.addr = *addr;
+ map->list.addr.s6_addr32[0] &= mask->s6_addr32[0];
+ map->list.addr.s6_addr32[1] &= mask->s6_addr32[1];
+@@ -249,10 +250,8 @@ static int netlbl_mgmt_add_common(struct genl_info *info,
+ map->def.calipso = calipso;
+
+ ret_val = netlbl_af6list_add(&map->list, &addrmap->list6);
+- if (ret_val != 0) {
+- kfree(map);
+- goto add_free_addrmap;
+- }
++ if (ret_val != 0)
++ goto add_free_map;
+
+ entry->family = AF_INET6;
+ entry->def.type = NETLBL_NLTYPE_ADDRSELECT;
+@@ -262,10 +261,12 @@ static int netlbl_mgmt_add_common(struct genl_info *info,
+
+ ret_val = netlbl_domhsh_add(entry, audit_info);
+ if (ret_val != 0)
+- goto add_free_addrmap;
++ goto add_free_map;
+
+ return 0;
+
++add_free_map:
++ kfree(pmap);
+ add_free_addrmap:
+ kfree(addrmap);
+ add_doi_put_def:
+--
+2.30.2
+
--- /dev/null
+From 5c1bc632c56b53053fa15d011a600f7137c87625 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Jun 2021 19:34:01 -0700
+Subject: ocfs2: fix snprintf() checking
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 54e948c60cc843b6e84dc44496edc91f51d2a28e ]
+
+The snprintf() function returns the number of bytes which would have been
+printed if the buffer was large enough. In other words it can return ">=
+remain" but this code assumes it returns "== remain".
+
+The run time impact of this bug is not very severe. The next iteration
+through the loop would trigger a WARN() when we pass a negative limit to
+snprintf(). We would then return success instead of -E2BIG.
+
+The kernel implementation of snprintf() will never return negatives so
+there is no need to check and I have deleted that dead code.
+
+Link: https://lkml.kernel.org/r/20210511135350.GV1955@kadam
+Fixes: a860f6eb4c6a ("ocfs2: sysfile interfaces for online file check")
+Fixes: 74ae4e104dfc ("ocfs2: Create stack glue sysfs files.")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Gang He <ghe@suse.com>
+Cc: Jun Piao <piaojun@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/filecheck.c | 6 +-----
+ fs/ocfs2/stackglue.c | 8 ++------
+ 2 files changed, 3 insertions(+), 11 deletions(-)
+
+diff --git a/fs/ocfs2/filecheck.c b/fs/ocfs2/filecheck.c
+index 2cabbcf2f28e..5571268b681c 100644
+--- a/fs/ocfs2/filecheck.c
++++ b/fs/ocfs2/filecheck.c
+@@ -431,11 +431,7 @@ static ssize_t ocfs2_filecheck_show(struct kobject *kobj,
+ ret = snprintf(buf + total, remain, "%lu\t\t%u\t%s\n",
+ p->fe_ino, p->fe_done,
+ ocfs2_filecheck_error(p->fe_status));
+- if (ret < 0) {
+- total = ret;
+- break;
+- }
+- if (ret == remain) {
++ if (ret >= remain) {
+ /* snprintf() didn't fit */
+ total = -E2BIG;
+ break;
+diff --git a/fs/ocfs2/stackglue.c b/fs/ocfs2/stackglue.c
+index c4b029c43464..e7eb08ac4215 100644
+--- a/fs/ocfs2/stackglue.c
++++ b/fs/ocfs2/stackglue.c
+@@ -510,11 +510,7 @@ static ssize_t ocfs2_loaded_cluster_plugins_show(struct kobject *kobj,
+ list_for_each_entry(p, &ocfs2_stack_list, sp_list) {
+ ret = snprintf(buf, remain, "%s\n",
+ p->sp_name);
+- if (ret < 0) {
+- total = ret;
+- break;
+- }
+- if (ret == remain) {
++ if (ret >= remain) {
+ /* snprintf() didn't fit */
+ total = -E2BIG;
+ break;
+@@ -541,7 +537,7 @@ static ssize_t ocfs2_active_cluster_plugin_show(struct kobject *kobj,
+ if (active_stack) {
+ ret = snprintf(buf, PAGE_SIZE, "%s\n",
+ active_stack->sp_name);
+- if (ret == PAGE_SIZE)
++ if (ret >= PAGE_SIZE)
+ ret = -E2BIG;
+ }
+ spin_unlock(&ocfs2_stack_lock);
+--
+2.30.2
+
--- /dev/null
+From 1e7635b6d3af55dd9cbf83d9c39db747728853f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 11:27:44 +0200
+Subject: of: Fix truncation of memory sizes on 32-bit platforms
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 2892d8a00d23d511a0591ac4b2ff3f050ae1f004 ]
+
+Variable "size" has type "phys_addr_t", which can be either 32-bit or
+64-bit on 32-bit systems, while "unsigned long" is always 32-bit on
+32-bit systems. Hence the cast in
+
+ (unsigned long)size / SZ_1M
+
+may truncate a 64-bit size to 32-bit, as casts have a higher operator
+precedence than divisions.
+
+Fix this by inverting the order of the cast and division, which should
+be safe for memory blocks smaller than 4 PiB. Note that the division is
+actually a shift, as SZ_1M is a power-of-two constant, hence there is no
+need to use div_u64().
+
+While at it, use "%lu" to format "unsigned long".
+
+Fixes: e8d9d1f5485b52ec ("drivers: of: add initialization code for static reserved memory")
+Fixes: 3f0c8206644836e4 ("drivers: of: add initialization code for dynamic reserved memory")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Acked-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Link: https://lore.kernel.org/r/4a1117e72d13d26126f57be034c20dac02f1e915.1623835273.git.geert+renesas@glider.be
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/of/fdt.c | 8 ++++----
+ drivers/of/of_reserved_mem.c | 8 ++++----
+ 2 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
+index 6337c394bfe3..b0bf2cb4f548 100644
+--- a/drivers/of/fdt.c
++++ b/drivers/of/fdt.c
+@@ -607,11 +607,11 @@ static int __init __reserved_mem_reserve_reg(unsigned long node,
+
+ if (size &&
+ early_init_dt_reserve_memory_arch(base, size, nomap) == 0)
+- pr_debug("Reserved memory: reserved region for node '%s': base %pa, size %ld MiB\n",
+- uname, &base, (unsigned long)size / SZ_1M);
++ pr_debug("Reserved memory: reserved region for node '%s': base %pa, size %lu MiB\n",
++ uname, &base, (unsigned long)(size / SZ_1M));
+ else
+- pr_info("Reserved memory: failed to reserve memory for node '%s': base %pa, size %ld MiB\n",
+- uname, &base, (unsigned long)size / SZ_1M);
++ pr_info("Reserved memory: failed to reserve memory for node '%s': base %pa, size %lu MiB\n",
++ uname, &base, (unsigned long)(size / SZ_1M));
+
+ len -= t_len;
+ if (first) {
+diff --git a/drivers/of/of_reserved_mem.c b/drivers/of/of_reserved_mem.c
+index 55cbafdb93ae..41589eb1bd8b 100644
+--- a/drivers/of/of_reserved_mem.c
++++ b/drivers/of/of_reserved_mem.c
+@@ -158,9 +158,9 @@ static int __init __reserved_mem_alloc_size(unsigned long node,
+ ret = early_init_dt_alloc_reserved_memory_arch(size,
+ align, start, end, nomap, &base);
+ if (ret == 0) {
+- pr_debug("allocated memory for '%s' node: base %pa, size %ld MiB\n",
++ pr_debug("allocated memory for '%s' node: base %pa, size %lu MiB\n",
+ uname, &base,
+- (unsigned long)size / SZ_1M);
++ (unsigned long)(size / SZ_1M));
+ break;
+ }
+ len -= t_len;
+@@ -170,8 +170,8 @@ static int __init __reserved_mem_alloc_size(unsigned long node,
+ ret = early_init_dt_alloc_reserved_memory_arch(size, align,
+ 0, 0, nomap, &base);
+ if (ret == 0)
+- pr_debug("allocated memory for '%s' node: base %pa, size %ld MiB\n",
+- uname, &base, (unsigned long)size / SZ_1M);
++ pr_debug("allocated memory for '%s' node: base %pa, size %lu MiB\n",
++ uname, &base, (unsigned long)(size / SZ_1M));
+ }
+
+ if (base == 0) {
+--
+2.30.2
+
--- /dev/null
+From b6193c711dec6791e8d435182813f87c14a83129 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 20 Mar 2021 23:32:38 +0300
+Subject: pata_ep93xx: fix deferred probing
+
+From: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+
+[ Upstream commit 5c8121262484d99bffb598f39a0df445cecd8efb ]
+
+The driver overrides the error codes returned by platform_get_irq() to
+-ENXIO, so if it returns -EPROBE_DEFER, the driver would fail the probe
+permanently instead of the deferred probing. Propagate the error code
+upstream, as it should have been done from the start...
+
+Fixes: 2fff27512600 ("PATA host controller driver for ep93xx")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+Link: https://lore.kernel.org/r/509fda88-2e0d-2cc7-f411-695d7e94b136@omprussia.ru
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/pata_ep93xx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/ata/pata_ep93xx.c b/drivers/ata/pata_ep93xx.c
+index cc6d06c1b2c7..7ce62cdb63a5 100644
+--- a/drivers/ata/pata_ep93xx.c
++++ b/drivers/ata/pata_ep93xx.c
+@@ -927,7 +927,7 @@ static int ep93xx_pata_probe(struct platform_device *pdev)
+ /* INT[3] (IRQ_EP93XX_EXT3) line connected as pull down */
+ irq = platform_get_irq(pdev, 0);
+ if (irq < 0) {
+- err = -ENXIO;
++ err = irq;
+ goto err_rel_gpio;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From ac880e3c5bde0bc3d0c910cff678f9b7c65162a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 May 2021 23:38:54 +0300
+Subject: pata_octeon_cf: avoid WARN_ON() in ata_host_activate()
+
+From: Sergey Shtylyov <s.shtylyov@omp.ru>
+
+[ Upstream commit bfc1f378c8953e68ccdbfe0a8c20748427488b80 ]
+
+Iff platform_get_irq() fails (or returns IRQ0) and thus the polling mode
+has to be used, ata_host_activate() hits the WARN_ON() due to 'irq_handler'
+parameter being non-NULL if the polling mode is selected. Let's only set
+the pointer to the driver's IRQ handler if platform_get_irq() returns a
+valid IRQ # -- this should avoid the unnecessary WARN_ON()...
+
+Fixes: 43f01da0f279 ("MIPS/OCTEON/ata: Convert pata_octeon_cf.c to use device tree.")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Link: https://lore.kernel.org/r/3a241167-f84d-1d25-5b9b-be910afbe666@omp.ru
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/pata_octeon_cf.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/ata/pata_octeon_cf.c b/drivers/ata/pata_octeon_cf.c
+index d3d851b014a3..ac3b1fda820f 100644
+--- a/drivers/ata/pata_octeon_cf.c
++++ b/drivers/ata/pata_octeon_cf.c
+@@ -898,10 +898,11 @@ static int octeon_cf_probe(struct platform_device *pdev)
+ return -EINVAL;
+ }
+
+- irq_handler = octeon_cf_interrupt;
+ i = platform_get_irq(dma_dev, 0);
+- if (i > 0)
++ if (i > 0) {
+ irq = i;
++ irq_handler = octeon_cf_interrupt;
++ }
+ }
+ of_node_put(dma_node);
+ }
+--
+2.30.2
+
--- /dev/null
+From aafc08e2e75deff6b7969e0e3e1110217ce3a102 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Mar 2021 14:46:53 +0300
+Subject: pata_rb532_cf: fix deferred probing
+
+From: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+
+[ Upstream commit 2d3a62fbae8e5badc2342388f65ab2191c209cc0 ]
+
+The driver overrides the error codes returned by platform_get_irq() to
+-ENOENT, so if it returns -EPROBE_DEFER, the driver would fail the probe
+permanently instead of the deferred probing. Switch to propagating the
+error code upstream, still checking/overriding IRQ0 as libata regards it
+as "no IRQ" (thus polling) anyway...
+
+Fixes: 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+Link: https://lore.kernel.org/r/771ced55-3efb-21f5-f21c-b99920aae611@omprussia.ru
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/pata_rb532_cf.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/ata/pata_rb532_cf.c b/drivers/ata/pata_rb532_cf.c
+index 653b9a0bf727..0416a390b94c 100644
+--- a/drivers/ata/pata_rb532_cf.c
++++ b/drivers/ata/pata_rb532_cf.c
+@@ -120,10 +120,12 @@ static int rb532_pata_driver_probe(struct platform_device *pdev)
+ }
+
+ irq = platform_get_irq(pdev, 0);
+- if (irq <= 0) {
++ if (irq < 0) {
+ dev_err(&pdev->dev, "no IRQ resource found\n");
+- return -ENOENT;
++ return irq;
+ }
++ if (!irq)
++ return -EINVAL;
+
+ pdata = dev_get_platdata(&pdev->dev);
+ if (!pdata) {
+--
+2.30.2
+
--- /dev/null
+From 9512a04d7d1f860c99408a78a7e2671d74f9ca48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Jun 2021 15:17:43 +0200
+Subject: phy: ti: dm816x: Fix the error handling path in
+ 'dm816x_usb_phy_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit f7eedcb8539ddcbb6fe7791f1b4ccf43f905c72f ]
+
+Add an error handling path in the probe to release some resources, as
+already done in the remove function.
+
+Fixes: 609adde838f4 ("phy: Add a driver for dm816x USB PHY")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/ac5136881f6bdec50be19b3bf73b3bc1b15ef1f1.1622898974.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/ti/phy-dm816x-usb.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/phy/ti/phy-dm816x-usb.c b/drivers/phy/ti/phy-dm816x-usb.c
+index cbcce7cf0028..2ed5fe20d779 100644
+--- a/drivers/phy/ti/phy-dm816x-usb.c
++++ b/drivers/phy/ti/phy-dm816x-usb.c
+@@ -246,19 +246,28 @@ static int dm816x_usb_phy_probe(struct platform_device *pdev)
+
+ pm_runtime_enable(phy->dev);
+ generic_phy = devm_phy_create(phy->dev, NULL, &ops);
+- if (IS_ERR(generic_phy))
+- return PTR_ERR(generic_phy);
++ if (IS_ERR(generic_phy)) {
++ error = PTR_ERR(generic_phy);
++ goto clk_unprepare;
++ }
+
+ phy_set_drvdata(generic_phy, phy);
+
+ phy_provider = devm_of_phy_provider_register(phy->dev,
+ of_phy_simple_xlate);
+- if (IS_ERR(phy_provider))
+- return PTR_ERR(phy_provider);
++ if (IS_ERR(phy_provider)) {
++ error = PTR_ERR(phy_provider);
++ goto clk_unprepare;
++ }
+
+ usb_add_phy_dev(&phy->phy);
+
+ return 0;
++
++clk_unprepare:
++ pm_runtime_disable(phy->dev);
++ clk_unprepare(phy->refclk);
++ return error;
+ }
+
+ static int dm816x_usb_phy_remove(struct platform_device *pdev)
+--
+2.30.2
+
--- /dev/null
+From 7266cb02918e0aefab714337c41f21699b8f3db1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jun 2021 10:54:49 -0700
+Subject: pkt_sched: sch_qfq: fix qfq_change_class() error path
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 0cd58e5c53babb9237b741dbef711f0a9eb6d3fd ]
+
+If qfq_change_class() is unable to allocate memory for qfq_aggregate,
+it frees the class that has been inserted in the class hash table,
+but does not unhash it.
+
+Defer the insertion after the problematic allocation.
+
+BUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:884 [inline]
+BUG: KASAN: use-after-free in qdisc_class_hash_insert+0x200/0x210 net/sched/sch_api.c:731
+Write of size 8 at addr ffff88814a534f10 by task syz-executor.4/31478
+
+CPU: 0 PID: 31478 Comm: syz-executor.4 Not tainted 5.13.0-rc6-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:79 [inline]
+ dump_stack+0x141/0x1d7 lib/dump_stack.c:120
+ print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:233
+ __kasan_report mm/kasan/report.c:419 [inline]
+ kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:436
+ hlist_add_head include/linux/list.h:884 [inline]
+ qdisc_class_hash_insert+0x200/0x210 net/sched/sch_api.c:731
+ qfq_change_class+0x96c/0x1990 net/sched/sch_qfq.c:489
+ tc_ctl_tclass+0x514/0xe50 net/sched/sch_api.c:2113
+ rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5564
+ netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2504
+ netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]
+ netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1340
+ netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1929
+ sock_sendmsg_nosec net/socket.c:654 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:674
+ ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
+ ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
+ __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
+ do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+RIP: 0033:0x4665d9
+Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007fdc7b5f0188 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9
+RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
+RBP: 00007fdc7b5f01d0 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
+R13: 00007ffcf7310b3f R14: 00007fdc7b5f0300 R15: 0000000000022000
+
+Allocated by task 31445:
+ kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
+ kasan_set_track mm/kasan/common.c:46 [inline]
+ set_alloc_info mm/kasan/common.c:428 [inline]
+ ____kasan_kmalloc mm/kasan/common.c:507 [inline]
+ ____kasan_kmalloc mm/kasan/common.c:466 [inline]
+ __kasan_kmalloc+0x9b/0xd0 mm/kasan/common.c:516
+ kmalloc include/linux/slab.h:556 [inline]
+ kzalloc include/linux/slab.h:686 [inline]
+ qfq_change_class+0x705/0x1990 net/sched/sch_qfq.c:464
+ tc_ctl_tclass+0x514/0xe50 net/sched/sch_api.c:2113
+ rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5564
+ netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2504
+ netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]
+ netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1340
+ netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1929
+ sock_sendmsg_nosec net/socket.c:654 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:674
+ ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
+ ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
+ __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
+ do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Freed by task 31445:
+ kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
+ kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
+ kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:357
+ ____kasan_slab_free mm/kasan/common.c:360 [inline]
+ ____kasan_slab_free mm/kasan/common.c:325 [inline]
+ __kasan_slab_free+0xfb/0x130 mm/kasan/common.c:368
+ kasan_slab_free include/linux/kasan.h:212 [inline]
+ slab_free_hook mm/slub.c:1583 [inline]
+ slab_free_freelist_hook+0xdf/0x240 mm/slub.c:1608
+ slab_free mm/slub.c:3168 [inline]
+ kfree+0xe5/0x7f0 mm/slub.c:4212
+ qfq_change_class+0x10fb/0x1990 net/sched/sch_qfq.c:518
+ tc_ctl_tclass+0x514/0xe50 net/sched/sch_api.c:2113
+ rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5564
+ netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2504
+ netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]
+ netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1340
+ netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1929
+ sock_sendmsg_nosec net/socket.c:654 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:674
+ ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
+ ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
+ __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
+ do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+The buggy address belongs to the object at ffff88814a534f00
+ which belongs to the cache kmalloc-128 of size 128
+The buggy address is located 16 bytes inside of
+ 128-byte region [ffff88814a534f00, ffff88814a534f80)
+The buggy address belongs to the page:
+page:ffffea0005294d00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14a534
+flags: 0x57ff00000000200(slab|node=1|zone=2|lastcpupid=0x7ff)
+raw: 057ff00000000200 ffffea00004fee00 0000000600000006 ffff8880110418c0
+raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+page_owner tracks the page as allocated
+page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 29797, ts 604817765317, free_ts 604810151744
+ prep_new_page mm/page_alloc.c:2358 [inline]
+ get_page_from_freelist+0x1033/0x2b60 mm/page_alloc.c:3994
+ __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5200
+ alloc_pages+0x18c/0x2a0 mm/mempolicy.c:2272
+ alloc_slab_page mm/slub.c:1646 [inline]
+ allocate_slab+0x2c5/0x4c0 mm/slub.c:1786
+ new_slab mm/slub.c:1849 [inline]
+ new_slab_objects mm/slub.c:2595 [inline]
+ ___slab_alloc+0x4a1/0x810 mm/slub.c:2758
+ __slab_alloc.constprop.0+0xa7/0xf0 mm/slub.c:2798
+ slab_alloc_node mm/slub.c:2880 [inline]
+ slab_alloc mm/slub.c:2922 [inline]
+ __kmalloc+0x315/0x330 mm/slub.c:4050
+ kmalloc include/linux/slab.h:561 [inline]
+ kzalloc include/linux/slab.h:686 [inline]
+ __register_sysctl_table+0x112/0x1090 fs/proc/proc_sysctl.c:1318
+ mpls_dev_sysctl_register+0x1b7/0x2d0 net/mpls/af_mpls.c:1421
+ mpls_add_dev net/mpls/af_mpls.c:1472 [inline]
+ mpls_dev_notify+0x214/0x8b0 net/mpls/af_mpls.c:1588
+ notifier_call_chain+0xb5/0x200 kernel/notifier.c:83
+ call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:2121
+ call_netdevice_notifiers_extack net/core/dev.c:2133 [inline]
+ call_netdevice_notifiers net/core/dev.c:2147 [inline]
+ register_netdevice+0x106b/0x1500 net/core/dev.c:10312
+ veth_newlink+0x585/0xac0 drivers/net/veth.c:1547
+ __rtnl_newlink+0x1062/0x1710 net/core/rtnetlink.c:3452
+ rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3500
+page last free stack trace:
+ reset_page_owner include/linux/page_owner.h:24 [inline]
+ free_pages_prepare mm/page_alloc.c:1298 [inline]
+ free_pcp_prepare+0x223/0x300 mm/page_alloc.c:1342
+ free_unref_page_prepare mm/page_alloc.c:3250 [inline]
+ free_unref_page+0x12/0x1d0 mm/page_alloc.c:3298
+ __vunmap+0x783/0xb60 mm/vmalloc.c:2566
+ free_work+0x58/0x70 mm/vmalloc.c:80
+ process_one_work+0x98d/0x1600 kernel/workqueue.c:2276
+ worker_thread+0x64c/0x1120 kernel/workqueue.c:2422
+ kthread+0x3b1/0x4a0 kernel/kthread.c:313
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
+
+Memory state around the buggy address:
+ ffff88814a534e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff88814a534e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+>ffff88814a534f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff88814a534f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff88814a535000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+Fixes: 462dbc9101acd ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_qfq.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
+index 6ddfd4991108..1e1d6146189f 100644
+--- a/net/sched/sch_qfq.c
++++ b/net/sched/sch_qfq.c
+@@ -496,11 +496,6 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
+
+ if (cl->qdisc != &noop_qdisc)
+ qdisc_hash_add(cl->qdisc, true);
+- sch_tree_lock(sch);
+- qdisc_class_hash_insert(&q->clhash, &cl->common);
+- sch_tree_unlock(sch);
+-
+- qdisc_class_hash_grow(sch, &q->clhash);
+
+ set_change_agg:
+ sch_tree_lock(sch);
+@@ -518,8 +513,11 @@ set_change_agg:
+ }
+ if (existing)
+ qfq_deact_rm_from_agg(q, cl);
++ else
++ qdisc_class_hash_insert(&q->clhash, &cl->common);
+ qfq_add_to_agg(q, new_agg, cl);
+ sch_tree_unlock(sch);
++ qdisc_class_hash_grow(sch, &q->clhash);
+
+ *arg = (unsigned long)cl;
+ return 0;
+--
+2.30.2
+
--- /dev/null
+From 512a616f4fd93a038e9ac345a477efef1e33a939 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jun 2021 18:05:48 +0800
+Subject: platform/x86: toshiba_acpi: Fix missing error code in
+ toshiba_acpi_setup_keyboard()
+
+From: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
+
+[ Upstream commit 28e367127718a9cb85d615a71e152f7acee41bfc ]
+
+The error code is missing in this code scenario, add the error code
+'-EINVAL' to the return value 'error'.
+
+Eliminate the follow smatch warning:
+
+drivers/platform/x86/toshiba_acpi.c:2834 toshiba_acpi_setup_keyboard()
+warn: missing error code 'error'.
+
+Reported-by: Abaci Robot <abaci@linux.alibaba.com>
+Signed-off-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
+Link: https://lore.kernel.org/r/1622628348-87035-1-git-send-email-jiapeng.chong@linux.alibaba.com
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/toshiba_acpi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/platform/x86/toshiba_acpi.c b/drivers/platform/x86/toshiba_acpi.c
+index 25955b4d80b0..61eccbb900e0 100644
+--- a/drivers/platform/x86/toshiba_acpi.c
++++ b/drivers/platform/x86/toshiba_acpi.c
+@@ -2861,6 +2861,7 @@ static int toshiba_acpi_setup_keyboard(struct toshiba_acpi_dev *dev)
+
+ if (!dev->info_supported && !dev->system_event_supported) {
+ pr_warn("No hotkey query interface found\n");
++ error = -EINVAL;
+ goto err_remove_filter;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 40c1d6ed46776b8fe924ac5bcdbabdd8a2f2de4f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 May 2021 13:20:12 +0100
+Subject: random32: Fix implicit truncation warning in prandom_seed_state()
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit d327ea15a305024ef0085252fa3657bbb1ce25f5 ]
+
+sparse generates the following warning:
+
+ include/linux/prandom.h:114:45: sparse: sparse: cast truncates bits from
+ constant value
+
+This is because the 64-bit seed value is manipulated and then placed in a
+u32, causing an implicit cast and truncation. A forced cast to u32 doesn't
+prevent this warning, which is reasonable because a typecast doesn't prove
+that truncation was expected.
+
+Logical-AND the value with 0xffffffff to make explicit that truncation to
+32-bit is intended.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Reviewed-by: Petr Mladek <pmladek@suse.com>
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Link: https://lore.kernel.org/r/20210525122012.6336-3-rf@opensource.cirrus.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/prandom.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/prandom.h b/include/linux/prandom.h
+index cc1e71334e53..e20339c78a84 100644
+--- a/include/linux/prandom.h
++++ b/include/linux/prandom.h
+@@ -93,7 +93,7 @@ static inline u32 __seed(u32 x, u32 m)
+ */
+ static inline void prandom_seed_state(struct rnd_state *state, u64 seed)
+ {
+- u32 i = (seed >> 32) ^ (seed << 10) ^ seed;
++ u32 i = ((seed >> 32) ^ (seed << 10) ^ seed) & 0xffffffffUL;
+
+ state->s1 = __seed(i, 2U);
+ state->s2 = __seed(i, 8U);
+--
+2.30.2
+
--- /dev/null
+From 72dec7cdde8e9662afb1e24f6cf0c7b6a4c3a69a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jun 2021 12:01:12 +0300
+Subject: RDMA/rxe: Fix failure during driver load
+
+From: Kamal Heib <kamalheib1@gmail.com>
+
+[ Upstream commit 32a25f2ea690dfaace19f7a3a916f5d7e1ddafe8 ]
+
+To avoid the following failure when trying to load the rdma_rxe module
+while IPv6 is disabled, add a check for EAFNOSUPPORT and ignore the
+failure, also delete the needless debug print from rxe_setup_udp_tunnel().
+
+$ modprobe rdma_rxe
+modprobe: ERROR: could not insert 'rdma_rxe': Operation not permitted
+
+Fixes: dfdd6158ca2c ("IB/rxe: Fix kernel panic in udp_setup_tunnel")
+Link: https://lore.kernel.org/r/20210603090112.36341-1-kamalheib1@gmail.com
+Reported-by: Yi Zhang <yi.zhang@redhat.com>
+Signed-off-by: Kamal Heib <kamalheib1@gmail.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/rxe/rxe_net.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_net.c b/drivers/infiniband/sw/rxe/rxe_net.c
+index 24a68a9da8be..4aeed31d8e04 100644
+--- a/drivers/infiniband/sw/rxe/rxe_net.c
++++ b/drivers/infiniband/sw/rxe/rxe_net.c
+@@ -269,10 +269,8 @@ static struct socket *rxe_setup_udp_tunnel(struct net *net, __be16 port,
+
+ /* Create UDP socket */
+ err = udp_sock_create(net, &udp_cfg, &sock);
+- if (err < 0) {
+- pr_err("failed to create udp socket. err = %d\n", err);
++ if (err < 0)
+ return ERR_PTR(err);
+- }
+
+ tnl_cfg.encap_type = 1;
+ tnl_cfg.encap_rcv = rxe_udp_encap_recv;
+@@ -696,6 +694,12 @@ static int rxe_net_ipv6_init(void)
+
+ recv_sockets.sk6 = rxe_setup_udp_tunnel(&init_net,
+ htons(ROCE_V2_UDP_DPORT), true);
++ if (PTR_ERR(recv_sockets.sk6) == -EAFNOSUPPORT) {
++ recv_sockets.sk6 = NULL;
++ pr_warn("IPv6 is not supported, can not create a UDPv6 socket\n");
++ return 0;
++ }
++
+ if (IS_ERR(recv_sockets.sk6)) {
+ recv_sockets.sk6 = NULL;
+ pr_err("Failed to create IPv6 UDP tunnel\n");
+--
+2.30.2
+
--- /dev/null
+From 434f2ebabbe4aebc5e842df99f92d6697c9dd89a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jun 2021 22:14:11 +0800
+Subject: regulator: da9052: Ensure enough delay time for .set_voltage_time_sel
+
+From: Axel Lin <axel.lin@ingics.com>
+
+[ Upstream commit a336dc8f683e5be794186b5643cd34cb28dd2c53 ]
+
+Use DIV_ROUND_UP to prevent truncation by integer division issue.
+This ensures we return enough delay time.
+
+Also fix returning negative value when new_sel < old_sel.
+
+Signed-off-by: Axel Lin <axel.lin@ingics.com>
+Link: https://lore.kernel.org/r/20210618141412.4014912-1-axel.lin@ingics.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/da9052-regulator.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/regulator/da9052-regulator.c b/drivers/regulator/da9052-regulator.c
+index 9ececfef42d6..bd91c95f73e0 100644
+--- a/drivers/regulator/da9052-regulator.c
++++ b/drivers/regulator/da9052-regulator.c
+@@ -258,7 +258,8 @@ static int da9052_regulator_set_voltage_time_sel(struct regulator_dev *rdev,
+ case DA9052_ID_BUCK3:
+ case DA9052_ID_LDO2:
+ case DA9052_ID_LDO3:
+- ret = (new_sel - old_sel) * info->step_uV / 6250;
++ ret = DIV_ROUND_UP(abs(new_sel - old_sel) * info->step_uV,
++ 6250);
+ break;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 2f7a654918ecca8da7d3fcf1064d6e500bd66979 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jun 2021 21:13:11 -0700
+Subject: Revert "ibmvnic: remove duplicate napi_schedule call in open
+ function"
+
+From: Dany Madden <drt@linux.ibm.com>
+
+[ Upstream commit 2ca220f92878470c6ba03f9946e412323093cc94 ]
+
+This reverts commit 7c451f3ef676c805a4b77a743a01a5c21a250a73.
+
+When a vnic interface is taken down and then up, connectivity is not
+restored. We bisected it to this commit. Reverting this commit until
+we can fully investigate the issue/benefit of the change.
+
+Fixes: 7c451f3ef676 ("ibmvnic: remove duplicate napi_schedule call in open function")
+Reported-by: Cristobal Forno <cforno12@linux.ibm.com>
+Reported-by: Abdul Haleem <abdhalee@in.ibm.com>
+Signed-off-by: Dany Madden <drt@linux.ibm.com>
+Signed-off-by: Sukadev Bhattiprolu <sukadev@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ibm/ibmvnic.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c
+index 66fddc4ba56b..76ab6c0d40cf 100644
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -898,6 +898,11 @@ static int __ibmvnic_open(struct net_device *netdev)
+
+ netif_tx_start_all_queues(netdev);
+
++ if (prev_state == VNIC_CLOSED) {
++ for (i = 0; i < adapter->req_rx_queues; i++)
++ napi_schedule(&adapter->napi[i]);
++ }
++
+ adapter->state = VNIC_OPEN;
+ return rc;
+ }
+--
+2.30.2
+
--- /dev/null
+From fdcfdca843bb19b43da53d0a6cb431c21d3b6e48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 May 2021 17:24:20 -0700
+Subject: s390: appldata depends on PROC_SYSCTL
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 5d3516b3647621d5a1180672ea9e0817fb718ada ]
+
+APPLDATA_BASE should depend on PROC_SYSCTL instead of PROC_FS.
+Building with PROC_FS but not PROC_SYSCTL causes a build error,
+since appldata_base.c uses data and APIs from fs/proc/proc_sysctl.c.
+
+arch/s390/appldata/appldata_base.o: in function `appldata_generic_handler':
+appldata_base.c:(.text+0x192): undefined reference to `sysctl_vals'
+
+Fixes: c185b783b099 ("[S390] Remove config options.")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Heiko Carstens <hca@linux.ibm.com>
+Cc: Vasily Gorbik <gor@linux.ibm.com>
+Cc: Christian Borntraeger <borntraeger@de.ibm.com>
+Cc: linux-s390@vger.kernel.org
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Link: https://lore.kernel.org/r/20210528002420.17634-1-rdunlap@infradead.org
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig
+index 49fb6614ea8c..8dbadad1117c 100644
+--- a/arch/s390/Kconfig
++++ b/arch/s390/Kconfig
+@@ -892,7 +892,7 @@ config CMM_IUCV
+ config APPLDATA_BASE
+ def_bool n
+ prompt "Linux - VM Monitor Stream, base infrastructure"
+- depends on PROC_FS
++ depends on PROC_SYSCTL
+ help
+ This provides a kernel interface for creating and updating z/VM APPLDATA
+ monitor records. The monitor records are updated at certain time
+--
+2.30.2
+
--- /dev/null
+From 958f6a006d47a48d730b4dbb3e93d33ac5d3171f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 12:25:34 +0800
+Subject: samples/bpf: Fix the error return code of xdp_redirect's main()
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit 7c6090ee2a7b3315410cfc83a94c3eb057407b25 ]
+
+Fix to return a negative error code from the error handling
+case instead of 0, as done elsewhere in this function.
+
+If bpf_map_update_elem() failed, main() should return a negative error.
+
+Fixes: 832622e6bd18 ("xdp: sample program for new bpf_redirect helper")
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20210616042534.315097-1-wanghai38@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ samples/bpf/xdp_redirect_user.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/samples/bpf/xdp_redirect_user.c b/samples/bpf/xdp_redirect_user.c
+index 4475d837bf2c..bd9fa7a55a30 100644
+--- a/samples/bpf/xdp_redirect_user.c
++++ b/samples/bpf/xdp_redirect_user.c
+@@ -139,5 +139,5 @@ int main(int argc, char **argv)
+ poll_stats(2, ifindex_out);
+
+ out:
+- return 0;
++ return ret;
+ }
+--
+2.30.2
+
--- /dev/null
+From 452136eca34f8ce89bba6cab4dc14a7c8bd9406e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Mar 2021 23:34:27 +0300
+Subject: sata_highbank: fix deferred probing
+
+From: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+
+[ Upstream commit 4a24efa16e7db02306fb5db84518bb0a7ada5a46 ]
+
+The driver overrides the error codes returned by platform_get_irq() to
+-EINVAL, so if it returns -EPROBE_DEFER, the driver would fail the probe
+permanently instead of the deferred probing. Switch to propagating the
+error code upstream, still checking/overriding IRQ0 as libata regards it
+as "no IRQ" (thus polling) anyway...
+
+Fixes: 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+Link: https://lore.kernel.org/r/105b456d-1199-f6e9-ceb7-ffc5ba551d1a@omprussia.ru
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/sata_highbank.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/ata/sata_highbank.c b/drivers/ata/sata_highbank.c
+index e67815b896fc..1dd47a05b34b 100644
+--- a/drivers/ata/sata_highbank.c
++++ b/drivers/ata/sata_highbank.c
+@@ -483,10 +483,12 @@ static int ahci_highbank_probe(struct platform_device *pdev)
+ }
+
+ irq = platform_get_irq(pdev, 0);
+- if (irq <= 0) {
++ if (irq < 0) {
+ dev_err(dev, "no irq\n");
+- return -EINVAL;
++ return irq;
+ }
++ if (!irq)
++ return -EINVAL;
+
+ hpriv = devm_kzalloc(dev, sizeof(*hpriv), GFP_KERNEL);
+ if (!hpriv) {
+--
+2.30.2
+
--- /dev/null
+From 66a8236f715c76959be7f43a5c8842153fc975c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 29 May 2021 16:48:57 -0700
+Subject: scsi: FlashPoint: Rename si_flags field
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 4d431153e751caa93f3b7e6f6313446974e92253 ]
+
+The BusLogic driver has build errors on ia64 due to a name collision (in
+the #included FlashPoint.c file). Rename the struct field in struct
+sccb_mgr_info from si_flags to si_mflags (manager flags) to mend the build.
+
+This is the first problem. There are 50+ others after this one:
+
+In file included from ../include/uapi/linux/signal.h:6,
+ from ../include/linux/signal_types.h:10,
+ from ../include/linux/sched.h:29,
+ from ../include/linux/hardirq.h:9,
+ from ../include/linux/interrupt.h:11,
+ from ../drivers/scsi/BusLogic.c:27:
+../arch/ia64/include/uapi/asm/siginfo.h:15:27: error: expected ':', ',', ';', '}' or '__attribute__' before '.' token
+ 15 | #define si_flags _sifields._sigfault._flags
+ | ^
+../drivers/scsi/FlashPoint.c:43:6: note: in expansion of macro 'si_flags'
+ 43 | u16 si_flags;
+ | ^~~~~~~~
+In file included from ../drivers/scsi/BusLogic.c:51:
+../drivers/scsi/FlashPoint.c: In function 'FlashPoint_ProbeHostAdapter':
+../drivers/scsi/FlashPoint.c:1076:11: error: 'struct sccb_mgr_info' has no member named '_sifields'
+ 1076 | pCardInfo->si_flags = 0x0000;
+ | ^~
+../drivers/scsi/FlashPoint.c:1079:12: error: 'struct sccb_mgr_info' has no member named '_sifields'
+
+Link: https://lore.kernel.org/r/20210529234857.6870-1-rdunlap@infradead.org
+Fixes: 391e2f25601e ("[SCSI] BusLogic: Port driver to 64-bit.")
+Cc: "James E.J. Bottomley" <jejb@linux.ibm.com>
+Cc: "Martin K. Petersen" <martin.petersen@oracle.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Jens Axboe <axboe@kernel.dk>
+Cc: Hannes Reinecke <hare@suse.de>
+Cc: Khalid Aziz <khalid.aziz@oracle.com>
+Cc: Khalid Aziz <khalid@gonehiking.org>
+Reported-by: kernel test robot <lkp@intel.com>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/FlashPoint.c | 32 ++++++++++++++++----------------
+ 1 file changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/scsi/FlashPoint.c b/drivers/scsi/FlashPoint.c
+index 867b864f5047..4bca37d52bad 100644
+--- a/drivers/scsi/FlashPoint.c
++++ b/drivers/scsi/FlashPoint.c
+@@ -40,7 +40,7 @@ struct sccb_mgr_info {
+ u16 si_per_targ_ultra_nego;
+ u16 si_per_targ_no_disc;
+ u16 si_per_targ_wide_nego;
+- u16 si_flags;
++ u16 si_mflags;
+ unsigned char si_card_family;
+ unsigned char si_bustype;
+ unsigned char si_card_model[3];
+@@ -1070,22 +1070,22 @@ static int FlashPoint_ProbeHostAdapter(struct sccb_mgr_info *pCardInfo)
+ ScamFlg =
+ (unsigned char)FPT_utilEERead(ioport, SCAM_CONFIG / 2);
+
+- pCardInfo->si_flags = 0x0000;
++ pCardInfo->si_mflags = 0x0000;
+
+ if (i & 0x01)
+- pCardInfo->si_flags |= SCSI_PARITY_ENA;
++ pCardInfo->si_mflags |= SCSI_PARITY_ENA;
+
+ if (!(i & 0x02))
+- pCardInfo->si_flags |= SOFT_RESET;
++ pCardInfo->si_mflags |= SOFT_RESET;
+
+ if (i & 0x10)
+- pCardInfo->si_flags |= EXTENDED_TRANSLATION;
++ pCardInfo->si_mflags |= EXTENDED_TRANSLATION;
+
+ if (ScamFlg & SCAM_ENABLED)
+- pCardInfo->si_flags |= FLAG_SCAM_ENABLED;
++ pCardInfo->si_mflags |= FLAG_SCAM_ENABLED;
+
+ if (ScamFlg & SCAM_LEVEL2)
+- pCardInfo->si_flags |= FLAG_SCAM_LEVEL2;
++ pCardInfo->si_mflags |= FLAG_SCAM_LEVEL2;
+
+ j = (RD_HARPOON(ioport + hp_bm_ctrl) & ~SCSI_TERM_ENA_L);
+ if (i & 0x04) {
+@@ -1101,7 +1101,7 @@ static int FlashPoint_ProbeHostAdapter(struct sccb_mgr_info *pCardInfo)
+
+ if (!(RD_HARPOON(ioport + hp_page_ctrl) & NARROW_SCSI_CARD))
+
+- pCardInfo->si_flags |= SUPPORT_16TAR_32LUN;
++ pCardInfo->si_mflags |= SUPPORT_16TAR_32LUN;
+
+ pCardInfo->si_card_family = HARPOON_FAMILY;
+ pCardInfo->si_bustype = BUSTYPE_PCI;
+@@ -1137,15 +1137,15 @@ static int FlashPoint_ProbeHostAdapter(struct sccb_mgr_info *pCardInfo)
+
+ if (pCardInfo->si_card_model[1] == '3') {
+ if (RD_HARPOON(ioport + hp_ee_ctrl) & BIT(7))
+- pCardInfo->si_flags |= LOW_BYTE_TERM;
++ pCardInfo->si_mflags |= LOW_BYTE_TERM;
+ } else if (pCardInfo->si_card_model[2] == '0') {
+ temp = RD_HARPOON(ioport + hp_xfer_pad);
+ WR_HARPOON(ioport + hp_xfer_pad, (temp & ~BIT(4)));
+ if (RD_HARPOON(ioport + hp_ee_ctrl) & BIT(7))
+- pCardInfo->si_flags |= LOW_BYTE_TERM;
++ pCardInfo->si_mflags |= LOW_BYTE_TERM;
+ WR_HARPOON(ioport + hp_xfer_pad, (temp | BIT(4)));
+ if (RD_HARPOON(ioport + hp_ee_ctrl) & BIT(7))
+- pCardInfo->si_flags |= HIGH_BYTE_TERM;
++ pCardInfo->si_mflags |= HIGH_BYTE_TERM;
+ WR_HARPOON(ioport + hp_xfer_pad, temp);
+ } else {
+ temp = RD_HARPOON(ioport + hp_ee_ctrl);
+@@ -1163,9 +1163,9 @@ static int FlashPoint_ProbeHostAdapter(struct sccb_mgr_info *pCardInfo)
+ WR_HARPOON(ioport + hp_ee_ctrl, temp);
+ WR_HARPOON(ioport + hp_xfer_pad, temp2);
+ if (!(temp3 & BIT(7)))
+- pCardInfo->si_flags |= LOW_BYTE_TERM;
++ pCardInfo->si_mflags |= LOW_BYTE_TERM;
+ if (!(temp3 & BIT(6)))
+- pCardInfo->si_flags |= HIGH_BYTE_TERM;
++ pCardInfo->si_mflags |= HIGH_BYTE_TERM;
+ }
+
+ ARAM_ACCESS(ioport);
+@@ -1272,7 +1272,7 @@ static void *FlashPoint_HardwareResetHostAdapter(struct sccb_mgr_info
+ WR_HARPOON(ioport + hp_arb_id, pCardInfo->si_id);
+ CurrCard->ourId = pCardInfo->si_id;
+
+- i = (unsigned char)pCardInfo->si_flags;
++ i = (unsigned char)pCardInfo->si_mflags;
+ if (i & SCSI_PARITY_ENA)
+ WR_HARPOON(ioport + hp_portctrl_1, (HOST_MODE8 | CHK_SCSI_P));
+
+@@ -1286,14 +1286,14 @@ static void *FlashPoint_HardwareResetHostAdapter(struct sccb_mgr_info
+ j |= SCSI_TERM_ENA_H;
+ WR_HARPOON(ioport + hp_ee_ctrl, j);
+
+- if (!(pCardInfo->si_flags & SOFT_RESET)) {
++ if (!(pCardInfo->si_mflags & SOFT_RESET)) {
+
+ FPT_sresb(ioport, thisCard);
+
+ FPT_scini(thisCard, pCardInfo->si_id, 0);
+ }
+
+- if (pCardInfo->si_flags & POST_ALL_UNDERRRUNS)
++ if (pCardInfo->si_mflags & POST_ALL_UNDERRRUNS)
+ CurrCard->globalFlags |= F_NO_FILTER;
+
+ if (pCurrNvRam) {
+--
+2.30.2
+
--- /dev/null
+From 0a2d8f2297fee1e1be95ad2b5780d42578ed312d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 May 2021 16:13:00 +0800
+Subject: scsi: mpt3sas: Fix error return value in _scsih_expander_add()
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit d6c2ce435ffe23ef7f395ae76ec747414589db46 ]
+
+When an expander does not contain any 'phys', an appropriate error code -1
+should be returned, as done elsewhere in this function. However, we
+currently do not explicitly assign this error code to 'rc'. As a result, 0
+was incorrectly returned.
+
+Link: https://lore.kernel.org/r/20210514081300.6650-1-thunder.leizhen@huawei.com
+Fixes: f92363d12359 ("[SCSI] mpt3sas: add new driver supporting 12GB SAS")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/mpt3sas/mpt3sas_scsih.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+index 400c055167b0..332ea3af69ec 100644
+--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+@@ -5236,8 +5236,10 @@ _scsih_expander_add(struct MPT3SAS_ADAPTER *ioc, u16 handle)
+ handle, parent_handle, (unsigned long long)
+ sas_expander->sas_address, sas_expander->num_phys);
+
+- if (!sas_expander->num_phys)
++ if (!sas_expander->num_phys) {
++ rc = -1;
+ goto out_fail;
++ }
+ sas_expander->phy = kcalloc(sas_expander->num_phys,
+ sizeof(struct _sas_phy), GFP_KERNEL);
+ if (!sas_expander->phy) {
+--
+2.30.2
+
--- /dev/null
+From 71ef8f42cbf2baff1f48f5d462cd1a410f0a9c15 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Jun 2021 18:56:53 -0700
+Subject: selftests/vm/pkeys: fix alloc_random_pkey() to make it really, really
+ random
+
+From: Dave Hansen <dave.hansen@linux.intel.com>
+
+[ Upstream commit f36ef407628835a7d7fb3d235b1f1aac7022d9a3 ]
+
+Patch series "selftests/vm/pkeys: Bug fixes and a new test".
+
+There has been a lot of activity on the x86 front around the XSAVE
+architecture which is used to context-switch processor state (among other
+things). In addition, AMD has recently joined the protection keys club by
+adding processor support for PKU.
+
+The AMD implementation helped uncover a kernel bug around the PKRU "init
+state", which actually applied to Intel's implementation but was just
+harder to hit. This series adds a test which is expected to help find
+this class of bug both on AMD and Intel. All the work around pkeys on x86
+also uncovered a few bugs in the selftest.
+
+This patch (of 4):
+
+The "random" pkey allocation code currently does the good old:
+
+ srand((unsigned int)time(NULL));
+
+*But*, it unfortunately does this on every random pkey allocation.
+
+There may be thousands of these a second. time() has a one second
+resolution. So, each time alloc_random_pkey() is called, the PRNG is
+*RESET* to time(). This is nasty. Normally, if you do:
+
+ srand(<ANYTHING>);
+ foo = rand();
+ bar = rand();
+
+You'll be quite guaranteed that 'foo' and 'bar' are different. But, if
+you do:
+
+ srand(1);
+ foo = rand();
+ srand(1);
+ bar = rand();
+
+You are quite guaranteed that 'foo' and 'bar' are the *SAME*. The recent
+"fix" effectively forced the test case to use the same "random" pkey for
+the whole test, unless the test run crossed a second boundary.
+
+Only run srand() once at program startup.
+
+This explains some very odd and persistent test failures I've been seeing.
+
+Link: https://lkml.kernel.org/r/20210611164153.91B76FB8@viggo.jf.intel.com
+Link: https://lkml.kernel.org/r/20210611164155.192D00FF@viggo.jf.intel.com
+Fixes: 6e373263ce07 ("selftests/vm/pkeys: fix alloc_random_pkey() to make it really random")
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+Cc: Ram Pai <linuxram@us.ibm.com>
+Cc: Sandipan Das <sandipan@linux.ibm.com>
+Cc: Florian Weimer <fweimer@redhat.com>
+Cc: "Desnes A. Nunes do Rosario" <desnesn@linux.vnet.ibm.com>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Thiago Jung Bauermann <bauerman@linux.ibm.com>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Michal Hocko <mhocko@kernel.org>
+Cc: Michal Suchanek <msuchanek@suse.de>
+Cc: Shuah Khan <shuah@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/x86/protection_keys.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/x86/protection_keys.c b/tools/testing/selftests/x86/protection_keys.c
+index b8778960da10..27661302a698 100644
+--- a/tools/testing/selftests/x86/protection_keys.c
++++ b/tools/testing/selftests/x86/protection_keys.c
+@@ -613,7 +613,6 @@ int alloc_random_pkey(void)
+ int nr_alloced = 0;
+ int random_index;
+ memset(alloced_pkeys, 0, sizeof(alloced_pkeys));
+- srand((unsigned int)time(NULL));
+
+ /* allocate every possible key and make a note of which ones we got */
+ max_nr_pkey_allocs = NR_PKEYS;
+@@ -1479,6 +1478,8 @@ int main(void)
+ {
+ int nr_iterations = 22;
+
++ srand((unsigned int)time(NULL));
++
+ setup_handlers();
+
+ printf("has pku: %d\n", cpu_has_pku());
+--
+2.30.2
+
rsi-assign-beacon-rate-settings-to-the-correct-rate_info-descriptor-field.patch
seq_buf-make-trace_seq_putmem_hex-support-data-longer-than-8.patch
fuse-check-connected-before-queueing-on-fpq-io.patch
+spi-make-of_register_spi_device-also-set-the-fwnode.patch
+spi-spi-loopback-test-fix-tx_buf-might-be-rx_buf.patch
+spi-spi-topcliff-pch-fix-potential-double-free-in-pc.patch
+spi-omap-100k-fix-the-length-judgment-problem.patch
+crypto-nx-add-missing-module_device_table.patch
+media-cpia2-fix-memory-leak-in-cpia2_usb_probe.patch
+media-cobalt-fix-race-condition-in-setting-hpd.patch
+media-pvrusb2-fix-warning-in-pvr2_i2c_core_done.patch
+crypto-qat-check-return-code-of-qat_hal_rd_rel_reg.patch
+crypto-qat-remove-unused-macro-in-fw-loader.patch
+media-em28xx-fix-possible-memory-leak-of-em28xx-stru.patch
+media-v4l2-core-avoid-the-dangling-pointer-in-v4l2_f.patch
+media-bt8xx-fix-a-missing-check-bug-in-bt878_probe.patch
+media-st-hva-fix-potential-null-pointer-dereferences.patch
+media-dvd_usb-memory-leak-in-cinergyt2_fe_attach.patch
+mmc-via-sdmmc-add-a-check-against-null-pointer-deref.patch
+crypto-shash-avoid-comparing-pointers-to-exported-fu.patch
+media-dvb_net-avoid-speculation-from-net-slot.patch
+media-siano-fix-device-register-error-path.patch
+btrfs-fix-error-handling-in-__btrfs_update_delayed_i.patch
+btrfs-abort-transaction-if-we-fail-to-update-the-del.patch
+btrfs-disable-build-on-platforms-having-page-size-25.patch
+regulator-da9052-ensure-enough-delay-time-for-.set_v.patch
+hid-do-not-use-down_interruptible-when-unbinding-dev.patch
+acpi-processor-idle-fix-up-c-state-latency-if-not-or.patch
+hv_utils-fix-passing-zero-to-ptr_err-warning.patch
+lib-vsprintf-fix-handling-of-number-field-widths-in-.patch
+acpi-ec-make-more-asus-laptops-use-ecdt-_gpe.patch
+block_dump-remove-block_dump-feature-in-mark_inode_d.patch
+fs-dlm-cancel-work-sync-othercon.patch
+random32-fix-implicit-truncation-warning-in-prandom_.patch
+fs-dlm-fix-memory-leak-when-fenced.patch
+acpica-fix-memory-leak-caused-by-_cid-repair-functio.patch
+acpi-bus-call-kobject_put-in-acpi_init-error-path.patch
+platform-x86-toshiba_acpi-fix-missing-error-code-in-.patch
+acpi-tables-add-custom-dsdt-file-as-makefile-prerequ.patch
+hid-wacom-correct-base-usage-for-capacitive-expressk.patch
+ia64-mca_drv-fix-incorrect-array-size-calculation.patch
+media-s5p_cec-decrement-usage-count-if-disabled.patch
+crypto-ixp4xx-dma_unmap-the-correct-address.patch
+crypto-ux500-fix-error-return-code-in-hash_hw_final.patch
+sata_highbank-fix-deferred-probing.patch
+pata_rb532_cf-fix-deferred-probing.patch
+media-i2c-change-rst-to-rset-to-fix-multiple-build-e.patch
+pata_octeon_cf-avoid-warn_on-in-ata_host_activate.patch
+crypto-ccp-fix-a-resource-leak-in-an-error-handling-.patch
+pata_ep93xx-fix-deferred-probing.patch
+media-exynos4-is-fix-a-use-after-free-in-isp_video_r.patch
+media-tc358743-fix-error-return-code-in-tc358743_pro.patch
+media-siano-fix-out-of-bounds-warnings-in-smscore_lo.patch
+mmc-usdhi6rol0-fix-error-return-code-in-usdhi6_probe.patch
+media-s5p-g2d-fix-a-memory-leak-on-ctx-fh.m2m_ctx.patch
+hwmon-max31722-remove-non-standard-acpi-device-ids.patch
+hwmon-max31790-fix-fan-speed-reporting-for-fan7.12.patch
+btrfs-clear-log-tree-recovering-status-if-starting-t.patch
+spi-spi-sun6i-fix-chipselect-clock-bug.patch
+crypto-nx-fix-rcu-warning-in-nx842_of_upd_status.patch
+acpi-sysfs-fix-a-buffer-overrun-problem-with-descrip.patch
+ocfs2-fix-snprintf-checking.patch
+net-pch_gbe-propagate-error-from-devm_gpio_request_o.patch
+drm-rockchip-cdn-dp-core-add-missing-clk_disable_unp.patch
+ehea-fix-error-return-code-in-ehea_restart_qps.patch
+rdma-rxe-fix-failure-during-driver-load.patch
+drm-qxl-ensure-surf.data-is-ininitialized.patch
+wireless-carl9170-fix-leds-build-errors-warnings.patch
+brcmsmac-mac80211_if-fix-a-resource-leak-in-an-error.patch
+ath10k-fix-an-error-code-in-ath10k_add_interface.patch
+netlabel-fix-memory-leak-in-netlbl_mgmt_add_common.patch
+netfilter-nft_exthdr-check-for-ipv6-packet-before-fu.patch
+samples-bpf-fix-the-error-return-code-of-xdp_redirec.patch
+net-ethernet-aeroflex-fix-uaf-in-greth_of_remove.patch
+net-ethernet-ezchip-fix-uaf-in-nps_enet_remove.patch
+net-ethernet-ezchip-fix-error-handling.patch
+pkt_sched-sch_qfq-fix-qfq_change_class-error-path.patch
+vxlan-add-missing-rcu_read_lock-in-neigh_reduce.patch
+net-bcmgenet-fix-attaching-to-pyh-failed-on-rpi-4b.patch
+i40e-fix-error-handling-in-i40e_vsi_open.patch
+revert-ibmvnic-remove-duplicate-napi_schedule-call-i.patch
+bluetooth-mgmt-fix-slab-out-of-bounds-in-tlv_data_is.patch
+writeback-fix-obtain-a-reference-to-a-freeing-memcg-.patch
+net-sched-fix-warning-in-tcindex_alloc_perfect_hash.patch
+tty-nozomi-fix-a-resource-leak-in-an-error-handling-.patch
+mwifiex-re-fix-for-unaligned-accesses.patch
+iio-adis_buffer-do-not-return-ints-in-irq-handlers.patch
+iio-accel-bma180-fix-buffer-alignment-in-iio_push_to.patch
+iio-accel-bma220-fix-buffer-alignment-in-iio_push_to.patch
+iio-accel-hid-fix-buffer-alignment-in-iio_push_to_bu.patch
+iio-accel-kxcjk-1013-fix-buffer-alignment-in-iio_pus.patch
+iio-accel-stk8312-fix-buffer-alignment-in-iio_push_t.patch
+iio-accel-stk8ba50-fix-buffer-alignment-in-iio_push_.patch
+iio-adc-ti-ads1015-fix-buffer-alignment-in-iio_push_.patch
+iio-adc-vf610-fix-buffer-alignment-in-iio_push_to_bu.patch
+iio-gyro-bmg160-fix-buffer-alignment-in-iio_push_to_.patch
+iio-humidity-am2315-fix-buffer-alignment-in-iio_push.patch
+iio-prox-srf08-fix-buffer-alignment-in-iio_push_to_b.patch
+iio-prox-pulsed-light-fix-buffer-alignment-in-iio_pu.patch
+iio-prox-as3935-fix-buffer-alignment-in-iio_push_to_.patch
+iio-light-isl29125-fix-buffer-alignment-in-iio_push_.patch
+iio-light-tcs3414-fix-buffer-alignment-in-iio_push_t.patch
+iio-potentiostat-lmp91000-fix-alignment-of-buffer-in.patch
+asoc-hisilicon-fix-missing-clk_disable_unprepare-on-.patch
+input-hil_kbd-fix-error-return-code-in-hil_dev_conne.patch
+char-pcmcia-error-out-if-num_bytes_read-is-greater-t.patch
+tty-nozomi-fix-the-error-handling-path-of-nozomi_car.patch
+scsi-flashpoint-rename-si_flags-field.patch
+s390-appldata-depends-on-proc_sysctl.patch
+eeprom-idt_89hpesx-put-fwnode-in-matching-case-durin.patch
+iio-adc-mxs-lradc-fix-buffer-alignment-in-iio_push_t.patch
+staging-gdm724x-check-for-buffer-overflow-in-gdm_lte.patch
+staging-gdm724x-check-for-overflow-in-gdm_lte_netif_.patch
+asoc-cs42l42-correct-definition-of-cs42l42_adc_pdn_m.patch
+of-fix-truncation-of-memory-sizes-on-32-bit-platform.patch
+scsi-mpt3sas-fix-error-return-value-in-_scsih_expand.patch
+phy-ti-dm816x-fix-the-error-handling-path-in-dm816x_.patch
+extcon-sm5502-drop-invalid-register-write-in-sm5502_.patch
+extcon-max8997-add-missing-modalias-string.patch
+configfs-fix-memleak-in-configfs_release_bin_file.patch
+leds-as3645a-fix-error-return-code-in-as3645a_parse_.patch
+leds-ktd2692-fix-an-error-handling-path.patch
+mm-huge_memory.c-don-t-discard-hugepage-if-other-pro.patch
+selftests-vm-pkeys-fix-alloc_random_pkey-to-make-it-.patch
--- /dev/null
+From 8e7320a134e9ea95591983d1a82f878f00988785 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Apr 2021 11:14:02 +0100
+Subject: spi: Make of_register_spi_device also set the fwnode
+
+From: Charles Keepax <ckeepax@opensource.cirrus.com>
+
+[ Upstream commit 0e793ba77c18382f08e440260fe72bc6fce2a3cb ]
+
+Currently, the SPI core doesn't set the struct device fwnode pointer
+when it creates a new SPI device. This means when the device is
+registered the fwnode is NULL and the check in device_add which sets
+the fwnode->dev pointer is skipped. This wasn't previously an issue,
+however these two patches:
+
+commit 4731210c09f5 ("gpiolib: Bind gpio_device to a driver to enable
+fw_devlink=on by default")
+commit ced2af419528 ("gpiolib: Don't probe gpio_device if it's not the
+primary device")
+
+Added some code to the GPIO core which relies on using that
+fwnode->dev pointer to determine if a driver is bound to the fwnode
+and if not bind a stub GPIO driver. This means the GPIO providers
+behind SPI will get both the expected driver and this stub driver
+causing the stub driver to fail if it attempts to request any pin
+configuration. For example on my system:
+
+madera-pinctrl madera-pinctrl: pin gpio5 already requested by madera-pinctrl; cannot claim for gpiochip3
+madera-pinctrl madera-pinctrl: pin-4 (gpiochip3) status -22
+madera-pinctrl madera-pinctrl: could not request pin 4 (gpio5) from group aif1 on device madera-pinctrl
+gpio_stub_drv gpiochip3: Error applying setting, reverse things back
+gpio_stub_drv: probe of gpiochip3 failed with error -22
+
+The firmware node on the device created by the GPIO framework is set
+through the of_node pointer hence things generally actually work,
+however that fwnode->dev is never set, as the check was skipped at
+device_add time. This fix appears to match how the I2C subsystem
+handles the same situation.
+
+Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Link: https://lore.kernel.org/r/20210421101402.8468-1-ckeepax@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c
+index da71a53b0df7..71f74015efb9 100644
+--- a/drivers/spi/spi.c
++++ b/drivers/spi/spi.c
+@@ -1670,6 +1670,7 @@ of_register_spi_device(struct spi_controller *ctlr, struct device_node *nc)
+ /* Store a pointer to the node in the device structure */
+ of_node_get(nc);
+ spi->dev.of_node = nc;
++ spi->dev.fwnode = of_fwnode_handle(nc);
+
+ /* Register the new device */
+ rc = spi_add_device(spi);
+--
+2.30.2
+
--- /dev/null
+From 44a641688685027f7d9b645fbe24f399cdf9dff2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Apr 2021 19:20:48 +0800
+Subject: spi: omap-100k: Fix the length judgment problem
+
+From: Tian Tao <tiantao6@hisilicon.com>
+
+[ Upstream commit e7a1a3abea373e41ba7dfe0fbc93cb79b6a3a529 ]
+
+word_len should be checked in the omap1_spi100k_setup_transfer
+function to see if it exceeds 32.
+
+Signed-off-by: Tian Tao <tiantao6@hisilicon.com>
+Link: https://lore.kernel.org/r/1619695248-39045-1-git-send-email-tiantao6@hisilicon.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-omap-100k.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-omap-100k.c b/drivers/spi/spi-omap-100k.c
+index 1eccdc4a4581..2eeb0fe2eed2 100644
+--- a/drivers/spi/spi-omap-100k.c
++++ b/drivers/spi/spi-omap-100k.c
+@@ -251,7 +251,7 @@ static int omap1_spi100k_setup_transfer(struct spi_device *spi,
+ else
+ word_len = spi->bits_per_word;
+
+- if (spi->bits_per_word > 32)
++ if (word_len > 32)
+ return -EINVAL;
+ cs->word_len = word_len;
+
+--
+2.30.2
+
--- /dev/null
+From ba6bf60d6e6c910ae009d1b99af43c029a558117 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 May 2021 14:58:23 +0800
+Subject: spi: spi-loopback-test: Fix 'tx_buf' might be 'rx_buf'
+
+From: Jay Fang <f.fangjian@huawei.com>
+
+[ Upstream commit 9e37a3ab0627011fb63875e9a93094b6fc8ddf48 ]
+
+In function 'spi_test_run_iter': Value 'tx_buf' might be 'rx_buf'.
+
+Signed-off-by: Jay Fang <f.fangjian@huawei.com>
+Link: https://lore.kernel.org/r/1620629903-15493-5-git-send-email-f.fangjian@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-loopback-test.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-loopback-test.c b/drivers/spi/spi-loopback-test.c
+index b9a7117b6dce..85d3475915dd 100644
+--- a/drivers/spi/spi-loopback-test.c
++++ b/drivers/spi/spi-loopback-test.c
+@@ -877,7 +877,7 @@ static int spi_test_run_iter(struct spi_device *spi,
+ test.transfers[i].len = len;
+ if (test.transfers[i].tx_buf)
+ test.transfers[i].tx_buf += tx_off;
+- if (test.transfers[i].tx_buf)
++ if (test.transfers[i].rx_buf)
+ test.transfers[i].rx_buf += rx_off;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From fde385d5ffa72c6b6aa84fdc1c7d93fcc4119f64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Jun 2021 16:45:07 +0200
+Subject: spi: spi-sun6i: Fix chipselect/clock bug
+
+From: Mirko Vogt <mirko-dev|linux@nanl.de>
+
+[ Upstream commit 0d7993b234c9fad8cb6bec6adfaa74694ba85ecb ]
+
+The current sun6i SPI implementation initializes the transfer too early,
+resulting in SCK going high before the transfer. When using an additional
+(gpio) chipselect with sun6i, the chipselect is asserted at a time when
+clock is high, making the SPI transfer fail.
+
+This is due to SUN6I_GBL_CTL_BUS_ENABLE being written into
+SUN6I_GBL_CTL_REG at an early stage. Moving that to the transfer
+function, hence, right before the transfer starts, mitigates that
+problem.
+
+Fixes: 3558fe900e8af (spi: sunxi: Add Allwinner A31 SPI controller driver)
+Signed-off-by: Mirko Vogt <mirko-dev|linux@nanl.de>
+Signed-off-by: Ralf Schlatterbeck <rsc@runtux.com>
+Link: https://lore.kernel.org/r/20210614144507.y3udezjfbko7eavv@runtux.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-sun6i.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-sun6i.c b/drivers/spi/spi-sun6i.c
+index 21a22d42818c..ef62366899ad 100644
+--- a/drivers/spi/spi-sun6i.c
++++ b/drivers/spi/spi-sun6i.c
+@@ -301,6 +301,10 @@ static int sun6i_spi_transfer_one(struct spi_master *master,
+ }
+
+ sun6i_spi_write(sspi, SUN6I_CLK_CTL_REG, reg);
++ /* Finally enable the bus - doing so before might raise SCK to HIGH */
++ reg = sun6i_spi_read(sspi, SUN6I_GBL_CTL_REG);
++ reg |= SUN6I_GBL_CTL_BUS_ENABLE;
++ sun6i_spi_write(sspi, SUN6I_GBL_CTL_REG, reg);
+
+ /* Setup the transfer now... */
+ if (sspi->tx_buf)
+@@ -409,7 +413,7 @@ static int sun6i_spi_runtime_resume(struct device *dev)
+ }
+
+ sun6i_spi_write(sspi, SUN6I_GBL_CTL_REG,
+- SUN6I_GBL_CTL_BUS_ENABLE | SUN6I_GBL_CTL_MASTER | SUN6I_GBL_CTL_TP);
++ SUN6I_GBL_CTL_MASTER | SUN6I_GBL_CTL_TP);
+
+ return 0;
+
+--
+2.30.2
+
--- /dev/null
+From 034f77302c32209eefdf0ea8f9775b7a91c7b631 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 May 2021 15:08:08 +0800
+Subject: spi: spi-topcliff-pch: Fix potential double free in
+ pch_spi_process_messages()
+
+From: Jay Fang <f.fangjian@huawei.com>
+
+[ Upstream commit 026a1dc1af52742c5897e64a3431445371a71871 ]
+
+pch_spi_set_tx() frees data->pkt_tx_buff on failure of kzalloc() for
+data->pkt_rx_buff, but its caller, pch_spi_process_messages(), will
+free data->pkt_tx_buff again. Set data->pkt_tx_buff to NULL after
+kfree() to avoid double free.
+
+Signed-off-by: Jay Fang <f.fangjian@huawei.com>
+Link: https://lore.kernel.org/r/1620284888-65215-1-git-send-email-f.fangjian@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-topcliff-pch.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-topcliff-pch.c b/drivers/spi/spi-topcliff-pch.c
+index fa730a871d25..f3ffcb9ce5e3 100644
+--- a/drivers/spi/spi-topcliff-pch.c
++++ b/drivers/spi/spi-topcliff-pch.c
+@@ -585,8 +585,10 @@ static void pch_spi_set_tx(struct pch_spi_data *data, int *bpw)
+ data->pkt_tx_buff = kzalloc(size, GFP_KERNEL);
+ if (data->pkt_tx_buff != NULL) {
+ data->pkt_rx_buff = kzalloc(size, GFP_KERNEL);
+- if (!data->pkt_rx_buff)
++ if (!data->pkt_rx_buff) {
+ kfree(data->pkt_tx_buff);
++ data->pkt_tx_buff = NULL;
++ }
+ }
+
+ if (!data->pkt_rx_buff) {
+--
+2.30.2
+
--- /dev/null
+From 3425aa115aa27351ee2411537d6e8c5a767d9377 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Jun 2021 12:55:35 +0300
+Subject: staging: gdm724x: check for buffer overflow in
+ gdm_lte_multi_sdu_pkt()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 4a36e160856db8a8ddd6a3d2e5db5a850ab87f82 ]
+
+There needs to be a check to verify that we don't read beyond the end
+of "buf". This function is called from do_rx(). The "buf" is the USB
+transfer_buffer and "len" is "urb->actual_length".
+
+Fixes: 61e121047645 ("staging: gdm7240: adding LTE USB driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/YMcnl4zCwGWGDVMG@mwanda
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/gdm724x/gdm_lte.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/staging/gdm724x/gdm_lte.c b/drivers/staging/gdm724x/gdm_lte.c
+index 9ab6ce231f11..8dd510137c90 100644
+--- a/drivers/staging/gdm724x/gdm_lte.c
++++ b/drivers/staging/gdm724x/gdm_lte.c
+@@ -680,6 +680,7 @@ static void gdm_lte_multi_sdu_pkt(struct phy_dev *phy_dev, char *buf, int len)
+ struct sdu *sdu = NULL;
+ struct gdm_endian *endian = phy_dev->get_endian(phy_dev->priv_dev);
+ u8 *data = (u8 *)multi_sdu->data;
++ int copied;
+ u16 i = 0;
+ u16 num_packet;
+ u16 hci_len;
+@@ -691,6 +692,12 @@ static void gdm_lte_multi_sdu_pkt(struct phy_dev *phy_dev, char *buf, int len)
+ num_packet = gdm_dev16_to_cpu(endian, multi_sdu->num_packet);
+
+ for (i = 0; i < num_packet; i++) {
++ copied = data - multi_sdu->data;
++ if (len < copied + sizeof(*sdu)) {
++ pr_err("rx prevent buffer overflow");
++ return;
++ }
++
+ sdu = (struct sdu *)data;
+
+ cmd_evt = gdm_dev16_to_cpu(endian, sdu->cmd_evt);
+@@ -701,7 +708,8 @@ static void gdm_lte_multi_sdu_pkt(struct phy_dev *phy_dev, char *buf, int len)
+ pr_err("rx sdu wrong hci %04x\n", cmd_evt);
+ return;
+ }
+- if (hci_len < 12) {
++ if (hci_len < 12 ||
++ len < copied + sizeof(*sdu) + (hci_len - 12)) {
+ pr_err("rx sdu invalid len %d\n", hci_len);
+ return;
+ }
+--
+2.30.2
+
--- /dev/null
+From 95e178f2795e872e27df3eb2ec0f6f5a937d103e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Jun 2021 12:58:36 +0300
+Subject: staging: gdm724x: check for overflow in gdm_lte_netif_rx()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 7002b526f4ff1f6da34356e67085caafa6be383a ]
+
+This code assumes that "len" is at least 62 bytes, but we need a check
+to prevent a read overflow.
+
+Fixes: 61e121047645 ("staging: gdm7240: adding LTE USB driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/YMcoTPsCYlhh2TQo@mwanda
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/gdm724x/gdm_lte.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/staging/gdm724x/gdm_lte.c b/drivers/staging/gdm724x/gdm_lte.c
+index 8dd510137c90..ed0c5fd2d640 100644
+--- a/drivers/staging/gdm724x/gdm_lte.c
++++ b/drivers/staging/gdm724x/gdm_lte.c
+@@ -614,10 +614,12 @@ static void gdm_lte_netif_rx(struct net_device *dev, char *buf,
+ * bytes (99,130,83,99 dec)
+ */
+ } __packed;
+- void *addr = buf + sizeof(struct iphdr) +
+- sizeof(struct udphdr) +
+- offsetof(struct dhcp_packet, chaddr);
+- ether_addr_copy(nic->dest_mac_addr, addr);
++ int offset = sizeof(struct iphdr) +
++ sizeof(struct udphdr) +
++ offsetof(struct dhcp_packet, chaddr);
++ if (offset + ETH_ALEN > len)
++ return;
++ ether_addr_copy(nic->dest_mac_addr, buf + offset);
+ }
+ }
+
+--
+2.30.2
+
--- /dev/null
+From b46b97f0942ce9cf9dafca6a197ebb2d218d5a83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 9 May 2021 19:22:33 +0200
+Subject: tty: nozomi: Fix a resource leak in an error handling function
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 31a9a318255960d32ae183e95d0999daf2418608 ]
+
+A 'request_irq()' call is not balanced by a corresponding 'free_irq()' in
+the error handling path, as already done in the remove function.
+
+Add it.
+
+Fixes: 9842c38e9176 ("kfifo: fix warn_unused_result")
+Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/4f0d2b3038e82f081d370ccb0cade3ad88463fe7.1620580838.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/nozomi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/tty/nozomi.c b/drivers/tty/nozomi.c
+index 39b3723a32a6..d19acddc3cf3 100644
+--- a/drivers/tty/nozomi.c
++++ b/drivers/tty/nozomi.c
+@@ -1458,6 +1458,7 @@ err_free_tty:
+ tty_unregister_device(ntty_driver, dc->index_start + i);
+ tty_port_destroy(&dc->port[i].port);
+ }
++ free_irq(pdev->irq, dc);
+ err_free_kfifo:
+ for (i = 0; i < MAX_PORT; i++)
+ kfifo_free(&dc->port[i].fifo_ul);
+--
+2.30.2
+
--- /dev/null
+From 27db46e23b223ce27eb7c105bc47445f606e0194 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 May 2021 20:51:57 +0200
+Subject: tty: nozomi: Fix the error handling path of 'nozomi_card_init()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 6ae7d0f5a92b9619f6e3c307ce56b2cefff3f0e9 ]
+
+The error handling path is broken and we may un-register things that have
+never been registered.
+
+Update the loops index accordingly.
+
+Fixes: 9842c38e9176 ("kfifo: fix warn_unused_result")
+Suggested-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/e28c2e92c7475da25b03d022ea2d6dcf1ba807a2.1621968629.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/nozomi.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/tty/nozomi.c b/drivers/tty/nozomi.c
+index d19acddc3cf3..0c424624a00c 100644
+--- a/drivers/tty/nozomi.c
++++ b/drivers/tty/nozomi.c
+@@ -1416,7 +1416,7 @@ static int nozomi_card_init(struct pci_dev *pdev,
+ NOZOMI_NAME, dc);
+ if (unlikely(ret)) {
+ dev_err(&pdev->dev, "can't request irq %d\n", pdev->irq);
+- goto err_free_kfifo;
++ goto err_free_all_kfifo;
+ }
+
+ DBG1("base_addr: %p", dc->base_addr);
+@@ -1454,13 +1454,15 @@ static int nozomi_card_init(struct pci_dev *pdev,
+ return 0;
+
+ err_free_tty:
+- for (i = 0; i < MAX_PORT; ++i) {
++ for (i--; i >= 0; i--) {
+ tty_unregister_device(ntty_driver, dc->index_start + i);
+ tty_port_destroy(&dc->port[i].port);
+ }
+ free_irq(pdev->irq, dc);
++err_free_all_kfifo:
++ i = MAX_PORT;
+ err_free_kfifo:
+- for (i = 0; i < MAX_PORT; i++)
++ for (i--; i >= PORT_MDM; i--)
+ kfifo_free(&dc->port[i].fifo_ul);
+ err_free_sbuf:
+ kfree(dc->send_buf);
+--
+2.30.2
+
--- /dev/null
+From 5a6f42e962610877766d7f365619ea7fbf894368 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jun 2021 07:44:17 -0700
+Subject: vxlan: add missing rcu_read_lock() in neigh_reduce()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 85e8b032d6ebb0f698a34dd22c2f13443d905888 ]
+
+syzbot complained in neigh_reduce(), because rcu_read_lock_bh()
+is treated differently than rcu_read_lock()
+
+WARNING: suspicious RCU usage
+5.13.0-rc6-syzkaller #0 Not tainted
+-----------------------------
+include/net/addrconf.h:313 suspicious rcu_dereference_check() usage!
+
+other info that might help us debug this:
+
+rcu_scheduler_active = 2, debug_locks = 1
+3 locks held by kworker/0:0/5:
+ #0: ffff888011064d38 ((wq_completion)events){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
+ #0: ffff888011064d38 ((wq_completion)events){+.+.}-{0:0}, at: atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline]
+ #0: ffff888011064d38 ((wq_completion)events){+.+.}-{0:0}, at: atomic_long_set include/asm-generic/atomic-long.h:41 [inline]
+ #0: ffff888011064d38 ((wq_completion)events){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:617 [inline]
+ #0: ffff888011064d38 ((wq_completion)events){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:644 [inline]
+ #0: ffff888011064d38 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x871/0x1600 kernel/workqueue.c:2247
+ #1: ffffc90000ca7da8 ((work_completion)(&port->wq)){+.+.}-{0:0}, at: process_one_work+0x8a5/0x1600 kernel/workqueue.c:2251
+ #2: ffffffff8bf795c0 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x1da/0x3130 net/core/dev.c:4180
+
+stack backtrace:
+CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.13.0-rc6-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Workqueue: events ipvlan_process_multicast
+Call Trace:
+ __dump_stack lib/dump_stack.c:79 [inline]
+ dump_stack+0x141/0x1d7 lib/dump_stack.c:120
+ __in6_dev_get include/net/addrconf.h:313 [inline]
+ __in6_dev_get include/net/addrconf.h:311 [inline]
+ neigh_reduce drivers/net/vxlan.c:2167 [inline]
+ vxlan_xmit+0x34d5/0x4c30 drivers/net/vxlan.c:2919
+ __netdev_start_xmit include/linux/netdevice.h:4944 [inline]
+ netdev_start_xmit include/linux/netdevice.h:4958 [inline]
+ xmit_one net/core/dev.c:3654 [inline]
+ dev_hard_start_xmit+0x1eb/0x920 net/core/dev.c:3670
+ __dev_queue_xmit+0x2133/0x3130 net/core/dev.c:4246
+ ipvlan_process_multicast+0xa99/0xd70 drivers/net/ipvlan/ipvlan_core.c:287
+ process_one_work+0x98d/0x1600 kernel/workqueue.c:2276
+ worker_thread+0x64c/0x1120 kernel/workqueue.c:2422
+ kthread+0x3b1/0x4a0 kernel/kthread.c:313
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
+
+Fixes: f564f45c4518 ("vxlan: add ipv6 proxy support")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/vxlan.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
+index 94a9add2fc87..066a4654e838 100644
+--- a/drivers/net/vxlan.c
++++ b/drivers/net/vxlan.c
+@@ -1681,6 +1681,7 @@ static int neigh_reduce(struct net_device *dev, struct sk_buff *skb, __be32 vni)
+ struct neighbour *n;
+ struct nd_msg *msg;
+
++ rcu_read_lock();
+ in6_dev = __in6_dev_get(dev);
+ if (!in6_dev)
+ goto out;
+@@ -1732,6 +1733,7 @@ static int neigh_reduce(struct net_device *dev, struct sk_buff *skb, __be32 vni)
+ }
+
+ out:
++ rcu_read_unlock();
+ consume_skb(skb);
+ return NETDEV_TX_OK;
+ }
+--
+2.30.2
+
--- /dev/null
+From 3e2fe7abbee31b2a9384ff9a1b538dabb1bb6410 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 May 2021 17:41:28 +0300
+Subject: wireless: carl9170: fix LEDS build errors & warnings
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 272fdc0c4542fad173b44965be02a16d6db95499 ]
+
+kernel test robot reports over 200 build errors and warnings
+that are due to this Kconfig problem when CARL9170=m,
+MAC80211=y, and LEDS_CLASS=m.
+
+WARNING: unmet direct dependencies detected for MAC80211_LEDS
+ Depends on [n]: NET [=y] && WIRELESS [=y] && MAC80211 [=y] && (LEDS_CLASS [=m]=y || LEDS_CLASS [=m]=MAC80211 [=y])
+ Selected by [m]:
+ - CARL9170_LEDS [=y] && NETDEVICES [=y] && WLAN [=y] && WLAN_VENDOR_ATH [=y] && CARL9170 [=m]
+
+CARL9170_LEDS selects MAC80211_LEDS even though its kconfig
+dependencies are not met. This happens because 'select' does not follow
+any Kconfig dependency chains.
+
+Fix this by making CARL9170_LEDS depend on MAC80211_LEDS, where
+the latter supplies any needed dependencies on LEDS_CLASS.
+
+Fixes: 1d7e1e6b1b8ed ("carl9170: Makefile, Kconfig files and MAINTAINERS")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reported-by: kernel test robot <lkp@intel.com>
+Cc: Kalle Valo <kvalo@codeaurora.org>
+Cc: Christian Lamparter <chunkeey@googlemail.com>
+Cc: linux-wireless@vger.kernel.org
+Cc: Arnd Bergmann <arnd@arndb.de>
+Suggested-by: Christian Lamparter <chunkeey@googlemail.com>
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Christian Lamparter <chunkeey@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210530031134.23274-1-rdunlap@infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/carl9170/Kconfig | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/carl9170/Kconfig b/drivers/net/wireless/ath/carl9170/Kconfig
+index 2e34baeaf764..2b782db20fde 100644
+--- a/drivers/net/wireless/ath/carl9170/Kconfig
++++ b/drivers/net/wireless/ath/carl9170/Kconfig
+@@ -15,13 +15,11 @@ config CARL9170
+
+ config CARL9170_LEDS
+ bool "SoftLED Support"
+- depends on CARL9170
+- select MAC80211_LEDS
+- select LEDS_CLASS
+- select NEW_LEDS
+ default y
++ depends on CARL9170
++ depends on MAC80211_LEDS
+ help
+- This option is necessary, if you want your device' LEDs to blink
++ This option is necessary, if you want your device's LEDs to blink.
+
+ Say Y, unless you need the LEDs for firmware debugging.
+
+--
+2.30.2
+
--- /dev/null
+From 74e3d26f3b28fe87b824a4af81f0707bca75309d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Apr 2021 17:11:45 +0800
+Subject: writeback: fix obtain a reference to a freeing memcg css
+
+From: Muchun Song <songmuchun@bytedance.com>
+
+[ Upstream commit 8b0ed8443ae6458786580d36b7d5f8125535c5d4 ]
+
+The caller of wb_get_create() should pin the memcg, because
+wb_get_create() relies on this guarantee. The rcu read lock
+only can guarantee that the memcg css returned by css_from_id()
+cannot be released, but the reference of the memcg can be zero.
+
+ rcu_read_lock()
+ memcg_css = css_from_id()
+ wb_get_create(memcg_css)
+ cgwb_create(memcg_css)
+ // css_get can change the ref counter from 0 back to 1
+ css_get(memcg_css)
+ rcu_read_unlock()
+
+Fix it by holding a reference to the css before calling
+wb_get_create(). This is not a problem I encountered in the
+real world. Just the result of a code review.
+
+Fixes: 682aa8e1a6a1 ("writeback: implement unlocked_inode_to_wb transaction and use it for stat updates")
+Link: https://lore.kernel.org/r/20210402091145.80635-1-songmuchun@bytedance.com
+Signed-off-by: Muchun Song <songmuchun@bytedance.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Acked-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/fs-writeback.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c
+index 08fef9c2296b..1e583e24dd5d 100644
+--- a/fs/fs-writeback.c
++++ b/fs/fs-writeback.c
+@@ -512,9 +512,14 @@ static void inode_switch_wbs(struct inode *inode, int new_wb_id)
+ /* find and pin the new wb */
+ rcu_read_lock();
+ memcg_css = css_from_id(new_wb_id, &memory_cgrp_subsys);
+- if (memcg_css)
+- isw->new_wb = wb_get_create(bdi, memcg_css, GFP_ATOMIC);
++ if (memcg_css && !css_tryget(memcg_css))
++ memcg_css = NULL;
+ rcu_read_unlock();
++ if (!memcg_css)
++ goto out_free;
++
++ isw->new_wb = wb_get_create(bdi, memcg_css, GFP_ATOMIC);
++ css_put(memcg_css);
+ if (!isw->new_wb)
+ goto out_free;
+
+--
+2.30.2
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
