--- /dev/null
+From 02fa8b9f0dfbd33984047c7ef8f8c722fdc55a81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Jan 2021 23:21:43 +0800
+Subject: ALSA: hda: Balance runtime/system PM if direct-complete is disabled
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+[ Upstream commit 2b73649cee65b8e33c75c66348cb1bfe0ff9d766 ]
+
+After hibernation, HDA controller can't be runtime-suspended after
+commit 215a22ed31a1 ("ALSA: hda: Refactor codjc PM to use
+direct-complete optimization"), which enables direct-complete for HDA
+codec.
+
+The HDA codec driver didn't expect direct-complete will be disabled
+after it returns a positive value from prepare() callback. However,
+there are some places that PM core can disable direct-complete. For
+instance, system hibernation or when codec has subordinates like LEDs.
+
+So if the codec is prepared for direct-complete but PM core still calls
+codec's suspend or freeze callback, partially revert the commit and take
+the original approach, which uses pm_runtime_force_*() helpers to
+ensure PM refcount are balanced. Meanwhile, still keep prepare() and
+complete() callbacks to enable direct-complete and request a resume for
+jack detection, respectively.
+
+Reported-by: Kenneth R. Crudup <kenny@panix.com>
+Fixes: 215a22ed31a1 ("ALSA: hda: Refactor codec PM to use direct-complete optimization")
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Link: https://lore.kernel.org/r/20210119152145.346558-1-kai.heng.feng@canonical.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/hda_codec.c | 24 +++++++-----------------
+ 1 file changed, 7 insertions(+), 17 deletions(-)
+
+diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c
+index 687216e745267..eec1775dfffe9 100644
+--- a/sound/pci/hda/hda_codec.c
++++ b/sound/pci/hda/hda_codec.c
+@@ -2934,7 +2934,7 @@ static void hda_call_codec_resume(struct hda_codec *codec)
+ snd_hdac_leave_pm(&codec->core);
+ }
+
+-static int hda_codec_suspend(struct device *dev)
++static int hda_codec_runtime_suspend(struct device *dev)
+ {
+ struct hda_codec *codec = dev_to_hda_codec(dev);
+ unsigned int state;
+@@ -2953,7 +2953,7 @@ static int hda_codec_suspend(struct device *dev)
+ return 0;
+ }
+
+-static int hda_codec_resume(struct device *dev)
++static int hda_codec_runtime_resume(struct device *dev)
+ {
+ struct hda_codec *codec = dev_to_hda_codec(dev);
+
+@@ -2968,16 +2968,6 @@ static int hda_codec_resume(struct device *dev)
+ return 0;
+ }
+
+-static int hda_codec_runtime_suspend(struct device *dev)
+-{
+- return hda_codec_suspend(dev);
+-}
+-
+-static int hda_codec_runtime_resume(struct device *dev)
+-{
+- return hda_codec_resume(dev);
+-}
+-
+ #endif /* CONFIG_PM */
+
+ #ifdef CONFIG_PM_SLEEP
+@@ -2998,31 +2988,31 @@ static void hda_codec_pm_complete(struct device *dev)
+ static int hda_codec_pm_suspend(struct device *dev)
+ {
+ dev->power.power_state = PMSG_SUSPEND;
+- return hda_codec_suspend(dev);
++ return pm_runtime_force_suspend(dev);
+ }
+
+ static int hda_codec_pm_resume(struct device *dev)
+ {
+ dev->power.power_state = PMSG_RESUME;
+- return hda_codec_resume(dev);
++ return pm_runtime_force_resume(dev);
+ }
+
+ static int hda_codec_pm_freeze(struct device *dev)
+ {
+ dev->power.power_state = PMSG_FREEZE;
+- return hda_codec_suspend(dev);
++ return pm_runtime_force_suspend(dev);
+ }
+
+ static int hda_codec_pm_thaw(struct device *dev)
+ {
+ dev->power.power_state = PMSG_THAW;
+- return hda_codec_resume(dev);
++ return pm_runtime_force_resume(dev);
+ }
+
+ static int hda_codec_pm_restore(struct device *dev)
+ {
+ dev->power.power_state = PMSG_RESTORE;
+- return hda_codec_resume(dev);
++ return pm_runtime_force_resume(dev);
+ }
+ #endif /* CONFIG_PM_SLEEP */
+
+--
+2.27.0
+
--- /dev/null
+From 74025921d947a6f3eaf807f2734797719d762014 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Jan 2021 14:53:10 +0000
+Subject: arm64: entry: remove redundant IRQ flag tracing
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+[ Upstream commit df06824767cc9a32fbdb0e3d3b7e169292a5b5fe ]
+
+All EL0 returns go via ret_to_user(), which masks IRQs and notifies
+lockdep and tracing before calling into do_notify_resume(). Therefore,
+there's no need for do_notify_resume() to call trace_hardirqs_off(), and
+the comment is stale. The call is simply redundant.
+
+In ret_to_user() we call exit_to_user_mode(), which notifies lockdep and
+tracing the IRQs will be enabled in userspace, so there's no need for
+el0_svc_common() to call trace_hardirqs_on() before returning. Further,
+at the start of ret_to_user() we call trace_hardirqs_off(), so not only
+is this redundant, but it is immediately undone.
+
+In addition to being redundant, the trace_hardirqs_on() in
+el0_svc_common() leaves lockdep inconsistent with the hardware state,
+and is liable to cause issues for any C code or instrumentation
+between this and the call to trace_hardirqs_off() which undoes it in
+ret_to_user().
+
+This patch removes the redundant tracing calls and associated stale
+comments.
+
+Fixes: 23529049c684 ("arm64: entry: fix non-NMI user<->kernel transitions")
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Acked-by: Will Deacon <will@kernel.org>
+Cc: James Morse <james.morse@arm.com>
+Cc: Will Deacon <will@kernel.org>
+Link: https://lore.kernel.org/r/20210107145310.44616-1-mark.rutland@arm.com
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/signal.c | 7 -------
+ arch/arm64/kernel/syscall.c | 9 +--------
+ 2 files changed, 1 insertion(+), 15 deletions(-)
+
+diff --git a/arch/arm64/kernel/signal.c b/arch/arm64/kernel/signal.c
+index a8184cad88907..50852992752b0 100644
+--- a/arch/arm64/kernel/signal.c
++++ b/arch/arm64/kernel/signal.c
+@@ -914,13 +914,6 @@ static void do_signal(struct pt_regs *regs)
+ asmlinkage void do_notify_resume(struct pt_regs *regs,
+ unsigned long thread_flags)
+ {
+- /*
+- * The assembly code enters us with IRQs off, but it hasn't
+- * informed the tracing code of that for efficiency reasons.
+- * Update the trace code with the current status.
+- */
+- trace_hardirqs_off();
+-
+ do {
+ /* Check valid user FS if needed */
+ addr_limit_user_check();
+diff --git a/arch/arm64/kernel/syscall.c b/arch/arm64/kernel/syscall.c
+index f8f758e4a3064..6fa8cfb8232aa 100644
+--- a/arch/arm64/kernel/syscall.c
++++ b/arch/arm64/kernel/syscall.c
+@@ -165,15 +165,8 @@ static void el0_svc_common(struct pt_regs *regs, int scno, int sc_nr,
+ if (!has_syscall_work(flags) && !IS_ENABLED(CONFIG_DEBUG_RSEQ)) {
+ local_daif_mask();
+ flags = current_thread_info()->flags;
+- if (!has_syscall_work(flags) && !(flags & _TIF_SINGLESTEP)) {
+- /*
+- * We're off to userspace, where interrupts are
+- * always enabled after we restore the flags from
+- * the SPSR.
+- */
+- trace_hardirqs_on();
++ if (!has_syscall_work(flags) && !(flags & _TIF_SINGLESTEP))
+ return;
+- }
+ local_daif_restore(DAIF_PROCCTX);
+ }
+
+--
+2.27.0
+
--- /dev/null
+From c775a36d81b9c097f91bc398eb78f54fd73e4c32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Jan 2021 20:16:50 +0100
+Subject: bpf: Prevent double bpf_prog_put call from bpf_tracing_prog_attach
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jiri Olsa <jolsa@kernel.org>
+
+[ Upstream commit 5541075a348b6ca6ac668653f7d2c423ae8e00b6 ]
+
+The bpf_tracing_prog_attach error path calls bpf_prog_put
+on prog, which causes refcount underflow when it's called
+from link_create function.
+
+ link_create
+ prog = bpf_prog_get <-- get
+ ...
+ tracing_bpf_link_attach(prog..
+ bpf_tracing_prog_attach(prog..
+ out_put_prog:
+ bpf_prog_put(prog); <-- put
+
+ if (ret < 0)
+ bpf_prog_put(prog); <-- put
+
+Removing bpf_prog_put call from bpf_tracing_prog_attach
+and making sure its callers call it instead.
+
+Fixes: 4a1e7c0c63e0 ("bpf: Support attaching freplace programs to multiple attach points")
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Acked-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20210111191650.1241578-1-jolsa@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/syscall.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
+index 8f50c9c19f1b0..9433ab9995cd7 100644
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -2717,7 +2717,6 @@ out_unlock:
+ out_put_prog:
+ if (tgt_prog_fd && tgt_prog)
+ bpf_prog_put(tgt_prog);
+- bpf_prog_put(prog);
+ return err;
+ }
+
+@@ -2830,7 +2829,10 @@ static int bpf_raw_tracepoint_open(const union bpf_attr *attr)
+ tp_name = prog->aux->attach_func_name;
+ break;
+ }
+- return bpf_tracing_prog_attach(prog, 0, 0);
++ err = bpf_tracing_prog_attach(prog, 0, 0);
++ if (err >= 0)
++ return err;
++ goto out_put_prog;
+ case BPF_PROG_TYPE_RAW_TRACEPOINT:
+ case BPF_PROG_TYPE_RAW_TRACEPOINT_WRITABLE:
+ if (strncpy_from_user(buf,
+--
+2.27.0
+
--- /dev/null
+From 4ea3f7c81b79548b4309083e610a20cec96148ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Jan 2021 15:42:54 -0800
+Subject: bpf: Reject too big ctx_size_in for raw_tp test run
+
+From: Song Liu <songliubraving@fb.com>
+
+[ Upstream commit 7ac6ad051150592557520b45773201b987ecfce3 ]
+
+syzbot reported a WARNING for allocating too big memory:
+
+WARNING: CPU: 1 PID: 8484 at mm/page_alloc.c:4976 __alloc_pages_nodemask+0x5f8/0x730 mm/page_alloc.c:5011
+Modules linked in:
+CPU: 1 PID: 8484 Comm: syz-executor862 Not tainted 5.11.0-rc2-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:__alloc_pages_nodemask+0x5f8/0x730 mm/page_alloc.c:4976
+Code: 00 00 0c 00 0f 85 a7 00 00 00 8b 3c 24 4c 89 f2 44 89 e6 c6 44 24 70 00 48 89 6c 24 58 e8 d0 d7 ff ff 49 89 c5 e9 ea fc ff ff <0f> 0b e9 b5 fd ff ff 89 74 24 14 4c 89 4c 24 08 4c 89 74 24 18 e8
+RSP: 0018:ffffc900012efb10 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: 1ffff9200025df66 RCX: 0000000000000000
+RDX: 0000000000000000 RSI: dffffc0000000000 RDI: 0000000000140dc0
+RBP: 0000000000140dc0 R08: 0000000000000000 R09: 0000000000000000
+R10: ffffffff81b1f7e1 R11: 0000000000000000 R12: 0000000000000014
+R13: 0000000000000014 R14: 0000000000000000 R15: 0000000000000000
+FS: 000000000190c880(0000) GS:ffff8880b9e00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f08b7f316c0 CR3: 0000000012073000 CR4: 00000000001506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+alloc_pages_current+0x18c/0x2a0 mm/mempolicy.c:2267
+alloc_pages include/linux/gfp.h:547 [inline]
+kmalloc_order+0x2e/0xb0 mm/slab_common.c:837
+kmalloc_order_trace+0x14/0x120 mm/slab_common.c:853
+kmalloc include/linux/slab.h:557 [inline]
+kzalloc include/linux/slab.h:682 [inline]
+bpf_prog_test_run_raw_tp+0x4b5/0x670 net/bpf/test_run.c:282
+bpf_prog_test_run kernel/bpf/syscall.c:3120 [inline]
+__do_sys_bpf+0x1ea9/0x4f10 kernel/bpf/syscall.c:4398
+do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x440499
+Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007ffe1f3bfb18 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
+RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440499
+RDX: 0000000000000048 RSI: 0000000020000600 RDI: 000000000000000a
+RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401ca0
+R13: 0000000000401d30 R14: 0000000000000000 R15: 0000000000000000
+
+This is because we didn't filter out too big ctx_size_in. Fix it by
+rejecting ctx_size_in that are bigger than MAX_BPF_FUNC_ARGS (12) u64
+numbers.
+
+Fixes: 1b4d60ec162f ("bpf: Enable BPF_PROG_TEST_RUN for raw_tracepoint")
+Reported-by: syzbot+4f98876664c7337a4ae6@syzkaller.appspotmail.com
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Yonghong Song <yhs@fb.com>
+Link: https://lore.kernel.org/bpf/20210112234254.1906829-1-songliubraving@fb.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bpf/test_run.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
+index c1c30a9f76f34..8b796c499cbb2 100644
+--- a/net/bpf/test_run.c
++++ b/net/bpf/test_run.c
+@@ -272,7 +272,8 @@ int bpf_prog_test_run_raw_tp(struct bpf_prog *prog,
+ kattr->test.repeat)
+ return -EINVAL;
+
+- if (ctx_size_in < prog->aux->max_ctx_offset)
++ if (ctx_size_in < prog->aux->max_ctx_offset ||
++ ctx_size_in > MAX_BPF_FUNC_ARGS * sizeof(u64))
+ return -EINVAL;
+
+ if ((kattr->test.flags & BPF_F_TEST_RUN_ON_CPU) == 0 && cpu != 0)
+--
+2.27.0
+
--- /dev/null
+From 4ffe3b6d58eb232e2cbe2903e2a68a6a5281db0e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Dec 2020 11:18:44 -0500
+Subject: btrfs: print the actual offset in btrfs_root_name
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+[ Upstream commit 71008734d27f2276fcef23a5e546d358430f2d52 ]
+
+We're supposed to print the root_key.offset in btrfs_root_name in the
+case of a reloc root, not the objectid. Fix this helper to take the key
+so we have access to the offset when we need it.
+
+Fixes: 457f1864b569 ("btrfs: pretty print leaked root name")
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: Nikolay Borisov <nborisov@suse.com>
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/disk-io.c | 2 +-
+ fs/btrfs/print-tree.c | 10 +++++-----
+ fs/btrfs/print-tree.h | 2 +-
+ 3 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
+index af97ddcc6b3e8..56f3b9acd2154 100644
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -1482,7 +1482,7 @@ void btrfs_check_leaked_roots(struct btrfs_fs_info *fs_info)
+ root = list_first_entry(&fs_info->allocated_roots,
+ struct btrfs_root, leak_list);
+ btrfs_err(fs_info, "leaked root %s refcount %d",
+- btrfs_root_name(root->root_key.objectid, buf),
++ btrfs_root_name(&root->root_key, buf),
+ refcount_read(&root->refs));
+ while (refcount_read(&root->refs) > 1)
+ btrfs_put_root(root);
+diff --git a/fs/btrfs/print-tree.c b/fs/btrfs/print-tree.c
+index 7695c4783d33b..c62771f3af8c6 100644
+--- a/fs/btrfs/print-tree.c
++++ b/fs/btrfs/print-tree.c
+@@ -26,22 +26,22 @@ static const struct root_name_map root_map[] = {
+ { BTRFS_DATA_RELOC_TREE_OBJECTID, "DATA_RELOC_TREE" },
+ };
+
+-const char *btrfs_root_name(u64 objectid, char *buf)
++const char *btrfs_root_name(const struct btrfs_key *key, char *buf)
+ {
+ int i;
+
+- if (objectid == BTRFS_TREE_RELOC_OBJECTID) {
++ if (key->objectid == BTRFS_TREE_RELOC_OBJECTID) {
+ snprintf(buf, BTRFS_ROOT_NAME_BUF_LEN,
+- "TREE_RELOC offset=%llu", objectid);
++ "TREE_RELOC offset=%llu", key->offset);
+ return buf;
+ }
+
+ for (i = 0; i < ARRAY_SIZE(root_map); i++) {
+- if (root_map[i].id == objectid)
++ if (root_map[i].id == key->objectid)
+ return root_map[i].name;
+ }
+
+- snprintf(buf, BTRFS_ROOT_NAME_BUF_LEN, "%llu", objectid);
++ snprintf(buf, BTRFS_ROOT_NAME_BUF_LEN, "%llu", key->objectid);
+ return buf;
+ }
+
+diff --git a/fs/btrfs/print-tree.h b/fs/btrfs/print-tree.h
+index 78b99385a503f..8c3e9319ec4ef 100644
+--- a/fs/btrfs/print-tree.h
++++ b/fs/btrfs/print-tree.h
+@@ -11,6 +11,6 @@
+
+ void btrfs_print_leaf(struct extent_buffer *l);
+ void btrfs_print_tree(struct extent_buffer *c, bool follow);
+-const char *btrfs_root_name(u64 objectid, char *buf);
++const char *btrfs_root_name(const struct btrfs_key *key, char *buf);
+
+ #endif
+--
+2.27.0
+
--- /dev/null
+From a68f0ad8e788e736d7dc23e75500a6d067777ca1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Jan 2021 20:41:35 +0900
+Subject: can: dev: can_restart: fix use after free bug
+
+From: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+
+[ Upstream commit 03f16c5075b22c8902d2af739969e878b0879c94 ]
+
+After calling netif_rx_ni(skb), dereferencing skb is unsafe.
+Especially, the can_frame cf which aliases skb memory is accessed
+after the netif_rx_ni() in:
+ stats->rx_bytes += cf->len;
+
+Reordering the lines solves the issue.
+
+Fixes: 39549eef3587 ("can: CAN Network device driver and Netlink interface")
+Link: https://lore.kernel.org/r/20210120114137.200019-2-mailhol.vincent@wanadoo.fr
+Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/dev.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c
+index 81e39d7507d8f..09879aea9f7cc 100644
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -592,11 +592,11 @@ static void can_restart(struct net_device *dev)
+
+ cf->can_id |= CAN_ERR_RESTARTED;
+
+- netif_rx_ni(skb);
+-
+ stats->rx_packets++;
+ stats->rx_bytes += cf->can_dlc;
+
++ netif_rx_ni(skb);
++
+ restart:
+ netdev_dbg(dev, "restarted\n");
+ priv->can_stats.restarts++;
+--
+2.27.0
+
--- /dev/null
+From 862c7dca860234f94f345a323bf373e1870fc492 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Jan 2021 20:41:37 +0900
+Subject: can: peak_usb: fix use after free bugs
+
+From: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+
+[ Upstream commit 50aca891d7a554db0901b245167cd653d73aaa71 ]
+
+After calling peak_usb_netif_rx_ni(skb), dereferencing skb is unsafe.
+Especially, the can_frame cf which aliases skb memory is accessed
+after the peak_usb_netif_rx_ni().
+
+Reordering the lines solves the issue.
+
+Fixes: 0a25e1f4f185 ("can: peak_usb: add support for PEAK new CANFD USB adapters")
+Link: https://lore.kernel.org/r/20210120114137.200019-4-mailhol.vincent@wanadoo.fr
+Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/usb/peak_usb/pcan_usb_fd.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
+index d29d20525588c..d565922838186 100644
+--- a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
+@@ -512,11 +512,11 @@ static int pcan_usb_fd_decode_canmsg(struct pcan_usb_fd_if *usb_if,
+ else
+ memcpy(cfd->data, rm->d, cfd->len);
+
+- peak_usb_netif_rx(skb, &usb_if->time_ref, le32_to_cpu(rm->ts_low));
+-
+ netdev->stats.rx_packets++;
+ netdev->stats.rx_bytes += cfd->len;
+
++ peak_usb_netif_rx(skb, &usb_if->time_ref, le32_to_cpu(rm->ts_low));
++
+ return 0;
+ }
+
+@@ -578,11 +578,11 @@ static int pcan_usb_fd_decode_status(struct pcan_usb_fd_if *usb_if,
+ if (!skb)
+ return -ENOMEM;
+
+- peak_usb_netif_rx(skb, &usb_if->time_ref, le32_to_cpu(sm->ts_low));
+-
+ netdev->stats.rx_packets++;
+ netdev->stats.rx_bytes += cf->can_dlc;
+
++ peak_usb_netif_rx(skb, &usb_if->time_ref, le32_to_cpu(sm->ts_low));
++
+ return 0;
+ }
+
+--
+2.27.0
+
--- /dev/null
+From fd0aa8dfe4ca8bc0c34e71c0abd6b2571b94a1f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Jan 2021 20:41:36 +0900
+Subject: can: vxcan: vxcan_xmit: fix use after free bug
+
+From: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+
+[ Upstream commit 75854cad5d80976f6ea0f0431f8cedd3bcc475cb ]
+
+After calling netif_rx_ni(skb), dereferencing skb is unsafe.
+Especially, the canfd_frame cfd which aliases skb memory is accessed
+after the netif_rx_ni().
+
+Fixes: a8f820a380a2 ("can: add Virtual CAN Tunnel driver (vxcan)")
+Link: https://lore.kernel.org/r/20210120114137.200019-3-mailhol.vincent@wanadoo.fr
+Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/vxcan.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/can/vxcan.c b/drivers/net/can/vxcan.c
+index d6ba9426be4de..b1baa4ac1d537 100644
+--- a/drivers/net/can/vxcan.c
++++ b/drivers/net/can/vxcan.c
+@@ -39,6 +39,7 @@ static netdev_tx_t vxcan_xmit(struct sk_buff *skb, struct net_device *dev)
+ struct net_device *peer;
+ struct canfd_frame *cfd = (struct canfd_frame *)skb->data;
+ struct net_device_stats *peerstats, *srcstats = &dev->stats;
++ u8 len;
+
+ if (can_dropped_invalid_skb(dev, skb))
+ return NETDEV_TX_OK;
+@@ -61,12 +62,13 @@ static netdev_tx_t vxcan_xmit(struct sk_buff *skb, struct net_device *dev)
+ skb->dev = peer;
+ skb->ip_summed = CHECKSUM_UNNECESSARY;
+
++ len = cfd->len;
+ if (netif_rx_ni(skb) == NET_RX_SUCCESS) {
+ srcstats->tx_packets++;
+- srcstats->tx_bytes += cfd->len;
++ srcstats->tx_bytes += len;
+ peerstats = &peer->stats;
+ peerstats->rx_packets++;
+- peerstats->rx_bytes += cfd->len;
++ peerstats->rx_bytes += len;
+ }
+
+ out_unlock:
+--
+2.27.0
+
--- /dev/null
+From 793ff612e5fd50546f9cc0552fb06c8dcae7997c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 3 Jan 2021 15:03:04 +0100
+Subject: crypto: omap-sham - Fix link error without crypto-engine
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 382811940303f7cd01d0f3dcdf432dfd89c5a98e ]
+
+The driver was converted to use the crypto engine helper
+but is missing the corresponding Kconfig statement to ensure
+it is available:
+
+arm-linux-gnueabi-ld: drivers/crypto/omap-sham.o: in function `omap_sham_probe':
+omap-sham.c:(.text+0x374): undefined reference to `crypto_engine_alloc_init'
+arm-linux-gnueabi-ld: omap-sham.c:(.text+0x384): undefined reference to `crypto_engine_start'
+arm-linux-gnueabi-ld: omap-sham.c:(.text+0x510): undefined reference to `crypto_engine_exit'
+arm-linux-gnueabi-ld: drivers/crypto/omap-sham.o: in function `omap_sham_finish_req':
+omap-sham.c:(.text+0x98c): undefined reference to `crypto_finalize_hash_request'
+arm-linux-gnueabi-ld: omap-sham.c:(.text+0x9a0): undefined reference to `crypto_transfer_hash_request_to_engine'
+arm-linux-gnueabi-ld: drivers/crypto/omap-sham.o: in function `omap_sham_update':
+omap-sham.c:(.text+0xf24): undefined reference to `crypto_transfer_hash_request_to_engine'
+arm-linux-gnueabi-ld: drivers/crypto/omap-sham.o: in function `omap_sham_final':
+omap-sham.c:(.text+0x1020): undefined reference to `crypto_transfer_hash_request_to_engine'
+
+Fixes: 133c3d434d91 ("crypto: omap-sham - convert to use crypto engine")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/crypto/Kconfig b/drivers/crypto/Kconfig
+index 9d6645b1f0abe..ff5e85eefbf69 100644
+--- a/drivers/crypto/Kconfig
++++ b/drivers/crypto/Kconfig
+@@ -366,6 +366,7 @@ if CRYPTO_DEV_OMAP
+ config CRYPTO_DEV_OMAP_SHAM
+ tristate "Support for OMAP MD5/SHA1/SHA2 hw accelerator"
+ depends on ARCH_OMAP2PLUS
++ select CRYPTO_ENGINE
+ select CRYPTO_SHA1
+ select CRYPTO_MD5
+ select CRYPTO_SHA256
+--
+2.27.0
+
--- /dev/null
+From 02c9e80788198a10f0b3685f99c65cf26b49071e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Jan 2021 16:05:28 -0500
+Subject: drm/amdkfd: Fix out-of-bounds read in kdf_create_vcrat_image_cpu()
+
+From: Jeremy Cline <jcline@redhat.com>
+
+[ Upstream commit 8b335bff643f3b39935c7377dbcd361c5b605d98 ]
+
+KASAN reported a slab-out-of-bounds read of size 1 in
+kdf_create_vcrat_image_cpu().
+
+This occurs when, for example, when on an x86_64 with a single NUMA node
+because kfd_fill_iolink_info_for_cpu() is a no-op, but afterwards the
+sub_type_hdr->length, which is out-of-bounds, is read and multiplied by
+entries. Fortunately, entries is 0 in this case so the overall
+crat_table->length is still correct.
+
+Check if there were any entries before de-referencing sub_type_hdr which
+may be pointing to out-of-bounds memory.
+
+Fixes: b7b6c38529c9 ("drm/amdkfd: Calculate CPU VCRAT size dynamically (v2)")
+Suggested-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Signed-off-by: Jeremy Cline <jcline@redhat.com>
+Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_crat.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_crat.c b/drivers/gpu/drm/amd/amdkfd/kfd_crat.c
+index d7f67620f57ba..31d793ee0836e 100644
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_crat.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_crat.c
+@@ -1034,11 +1034,14 @@ static int kfd_create_vcrat_image_cpu(void *pcrat_image, size_t *size)
+ (struct crat_subtype_iolink *)sub_type_hdr);
+ if (ret < 0)
+ return ret;
+- crat_table->length += (sub_type_hdr->length * entries);
+- crat_table->total_entries += entries;
+
+- sub_type_hdr = (typeof(sub_type_hdr))((char *)sub_type_hdr +
+- sub_type_hdr->length * entries);
++ if (entries) {
++ crat_table->length += (sub_type_hdr->length * entries);
++ crat_table->total_entries += entries;
++
++ sub_type_hdr = (typeof(sub_type_hdr))((char *)sub_type_hdr +
++ sub_type_hdr->length * entries);
++ }
+ #else
+ pr_info("IO link not available for non x86 platforms\n");
+ #endif
+--
+2.27.0
+
--- /dev/null
+From 4ed7797d8c0a164d87287c86f724591d1ed1eccc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Jan 2021 20:12:09 +0100
+Subject: drm/vc4: Unify PCM card's driver_name
+
+From: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
+
+[ Upstream commit 33c74535b03ecf11359de14bc88302595b1de44f ]
+
+User-space ALSA matches a card's driver name against an internal list of
+aliases in order to select the correct configuration for the system.
+When the driver name isn't defined, the match is performed against the
+card's name.
+
+With the introduction of RPi4 we now have two HDMI ports with two
+distinct audio cards. This is reflected in their names, making them
+different from previous RPi versions. With this, ALSA ultimately misses
+the board's configuration on RPi4.
+
+In order to avoid this, set "card->driver_name" to "vc4-hdmi"
+unanimously.
+
+Signed-off-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
+Fixes: f437bc1ec731 ("drm/vc4: drv: Support BCM2711")
+Reviewed-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210115191209.12852-1-nsaenzjulienne@suse.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_hdmi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c
+index afc178b0d89f4..eaba98e15de46 100644
+--- a/drivers/gpu/drm/vc4/vc4_hdmi.c
++++ b/drivers/gpu/drm/vc4/vc4_hdmi.c
+@@ -1268,6 +1268,7 @@ static int vc4_hdmi_audio_init(struct vc4_hdmi *vc4_hdmi)
+ card->dai_link = dai_link;
+ card->num_links = 1;
+ card->name = vc4_hdmi->variant->card_name;
++ card->driver_name = "vc4-hdmi";
+ card->dev = dev;
+ card->owner = THIS_MODULE;
+
+--
+2.27.0
+
--- /dev/null
+From 792b8d76a2a701435c1d97c183c92a80f606ddc2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Jan 2021 19:18:13 -0800
+Subject: gpio: sifive: select IRQ_DOMAIN_HIERARCHY rather than depend on it
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 18eedf2b5ec7c8ce2bb23d9148cfd63949207414 ]
+
+This is the only driver in the kernel source tree that depends on
+IRQ_DOMAIN_HIERARCHY instead of selecting it. Since it is not a
+visible Kconfig symbol, depending on it (expecting a user to
+set/enable it) doesn't make much sense, so change it to select
+instead of "depends on".
+
+Fixes: 96868dce644d ("gpio/sifive: Add GPIO driver for SiFive SoCs")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Linus Walleij <linus.walleij@linaro.org>
+Cc: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Cc: linux-gpio@vger.kernel.org
+Cc: Thierry Reding <treding@nvidia.com>
+Cc: Greentime Hu <greentime.hu@sifive.com>
+Cc: Yash Shah <yash.shah@sifive.com>
+Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/Kconfig | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpio/Kconfig b/drivers/gpio/Kconfig
+index 5d4de5cd67595..f20ac3d694246 100644
+--- a/drivers/gpio/Kconfig
++++ b/drivers/gpio/Kconfig
+@@ -508,7 +508,8 @@ config GPIO_SAMA5D2_PIOBU
+
+ config GPIO_SIFIVE
+ bool "SiFive GPIO support"
+- depends on OF_GPIO && IRQ_DOMAIN_HIERARCHY
++ depends on OF_GPIO
++ select IRQ_DOMAIN_HIERARCHY
+ select GPIO_GENERIC
+ select GPIOLIB_IRQCHIP
+ select REGMAP_MMIO
+--
+2.27.0
+
--- /dev/null
+From 9ef7f0053a0c6e35ffab584ca1e72af792ede08e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Dec 2020 00:10:40 +0800
+Subject: gpiolib: cdev: fix frame size warning in gpio_ioctl()
+
+From: Kent Gibson <warthog618@gmail.com>
+
+[ Upstream commit 2e202ad873365513c6ad72e29a531071dffa498a ]
+
+The kernel test robot reports the following warning in [1]:
+
+ drivers/gpio/gpiolib-cdev.c: In function 'gpio_ioctl':
+ >>drivers/gpio/gpiolib-cdev.c:1437:1: warning: the frame size of 1040 bytes is larger than 1024 bytes [-Wframe-larger-than=]
+
+Refactor gpio_ioctl() to handle each ioctl in its own helper function
+and so reduce the variables stored on the stack to those explicitly
+required to service the ioctl at hand.
+
+The lineinfo_get_v1() helper handles both the GPIO_GET_LINEINFO_IOCTL
+and GPIO_GET_LINEINFO_WATCH_IOCTL, as per the corresponding v2
+implementation - lineinfo_get().
+
+[1] https://lore.kernel.org/lkml/202012270910.VW3qc1ER-lkp@intel.com/
+
+Fixes: aad955842d1c ("gpiolib: cdev: support GPIO_V2_GET_LINEINFO_IOCTL and GPIO_V2_GET_LINEINFO_WATCH_IOCTL")
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Kent Gibson <warthog618@gmail.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpiolib-cdev.c | 145 ++++++++++++++++++------------------
+ 1 file changed, 73 insertions(+), 72 deletions(-)
+
+diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c
+index e9faeaf65d14f..689c06cbbb457 100644
+--- a/drivers/gpio/gpiolib-cdev.c
++++ b/drivers/gpio/gpiolib-cdev.c
+@@ -1960,6 +1960,21 @@ struct gpio_chardev_data {
+ #endif
+ };
+
++static int chipinfo_get(struct gpio_chardev_data *cdev, void __user *ip)
++{
++ struct gpio_device *gdev = cdev->gdev;
++ struct gpiochip_info chipinfo;
++
++ memset(&chipinfo, 0, sizeof(chipinfo));
++
++ strscpy(chipinfo.name, dev_name(&gdev->dev), sizeof(chipinfo.name));
++ strscpy(chipinfo.label, gdev->label, sizeof(chipinfo.label));
++ chipinfo.lines = gdev->ngpio;
++ if (copy_to_user(ip, &chipinfo, sizeof(chipinfo)))
++ return -EFAULT;
++ return 0;
++}
++
+ #ifdef CONFIG_GPIO_CDEV_V1
+ /*
+ * returns 0 if the versions match, else the previously selected ABI version
+@@ -1974,6 +1989,41 @@ static int lineinfo_ensure_abi_version(struct gpio_chardev_data *cdata,
+
+ return abiv;
+ }
++
++static int lineinfo_get_v1(struct gpio_chardev_data *cdev, void __user *ip,
++ bool watch)
++{
++ struct gpio_desc *desc;
++ struct gpioline_info lineinfo;
++ struct gpio_v2_line_info lineinfo_v2;
++
++ if (copy_from_user(&lineinfo, ip, sizeof(lineinfo)))
++ return -EFAULT;
++
++ /* this doubles as a range check on line_offset */
++ desc = gpiochip_get_desc(cdev->gdev->chip, lineinfo.line_offset);
++ if (IS_ERR(desc))
++ return PTR_ERR(desc);
++
++ if (watch) {
++ if (lineinfo_ensure_abi_version(cdev, 1))
++ return -EPERM;
++
++ if (test_and_set_bit(lineinfo.line_offset, cdev->watched_lines))
++ return -EBUSY;
++ }
++
++ gpio_desc_to_lineinfo(desc, &lineinfo_v2);
++ gpio_v2_line_info_to_v1(&lineinfo_v2, &lineinfo);
++
++ if (copy_to_user(ip, &lineinfo, sizeof(lineinfo))) {
++ if (watch)
++ clear_bit(lineinfo.line_offset, cdev->watched_lines);
++ return -EFAULT;
++ }
++
++ return 0;
++}
+ #endif
+
+ static int lineinfo_get(struct gpio_chardev_data *cdev, void __user *ip,
+@@ -2011,6 +2061,22 @@ static int lineinfo_get(struct gpio_chardev_data *cdev, void __user *ip,
+ return 0;
+ }
+
++static int lineinfo_unwatch(struct gpio_chardev_data *cdev, void __user *ip)
++{
++ __u32 offset;
++
++ if (copy_from_user(&offset, ip, sizeof(offset)))
++ return -EFAULT;
++
++ if (offset >= cdev->gdev->ngpio)
++ return -EINVAL;
++
++ if (!test_and_clear_bit(offset, cdev->watched_lines))
++ return -EBUSY;
++
++ return 0;
++}
++
+ /*
+ * gpio_ioctl() - ioctl handler for the GPIO chardev
+ */
+@@ -2018,80 +2084,24 @@ static long gpio_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+ {
+ struct gpio_chardev_data *cdev = file->private_data;
+ struct gpio_device *gdev = cdev->gdev;
+- struct gpio_chip *gc = gdev->chip;
+ void __user *ip = (void __user *)arg;
+- __u32 offset;
+
+ /* We fail any subsequent ioctl():s when the chip is gone */
+- if (!gc)
++ if (!gdev->chip)
+ return -ENODEV;
+
+ /* Fill in the struct and pass to userspace */
+ if (cmd == GPIO_GET_CHIPINFO_IOCTL) {
+- struct gpiochip_info chipinfo;
+-
+- memset(&chipinfo, 0, sizeof(chipinfo));
+-
+- strscpy(chipinfo.name, dev_name(&gdev->dev),
+- sizeof(chipinfo.name));
+- strscpy(chipinfo.label, gdev->label,
+- sizeof(chipinfo.label));
+- chipinfo.lines = gdev->ngpio;
+- if (copy_to_user(ip, &chipinfo, sizeof(chipinfo)))
+- return -EFAULT;
+- return 0;
++ return chipinfo_get(cdev, ip);
+ #ifdef CONFIG_GPIO_CDEV_V1
+- } else if (cmd == GPIO_GET_LINEINFO_IOCTL) {
+- struct gpio_desc *desc;
+- struct gpioline_info lineinfo;
+- struct gpio_v2_line_info lineinfo_v2;
+-
+- if (copy_from_user(&lineinfo, ip, sizeof(lineinfo)))
+- return -EFAULT;
+-
+- /* this doubles as a range check on line_offset */
+- desc = gpiochip_get_desc(gc, lineinfo.line_offset);
+- if (IS_ERR(desc))
+- return PTR_ERR(desc);
+-
+- gpio_desc_to_lineinfo(desc, &lineinfo_v2);
+- gpio_v2_line_info_to_v1(&lineinfo_v2, &lineinfo);
+-
+- if (copy_to_user(ip, &lineinfo, sizeof(lineinfo)))
+- return -EFAULT;
+- return 0;
+ } else if (cmd == GPIO_GET_LINEHANDLE_IOCTL) {
+ return linehandle_create(gdev, ip);
+ } else if (cmd == GPIO_GET_LINEEVENT_IOCTL) {
+ return lineevent_create(gdev, ip);
+- } else if (cmd == GPIO_GET_LINEINFO_WATCH_IOCTL) {
+- struct gpio_desc *desc;
+- struct gpioline_info lineinfo;
+- struct gpio_v2_line_info lineinfo_v2;
+-
+- if (copy_from_user(&lineinfo, ip, sizeof(lineinfo)))
+- return -EFAULT;
+-
+- /* this doubles as a range check on line_offset */
+- desc = gpiochip_get_desc(gc, lineinfo.line_offset);
+- if (IS_ERR(desc))
+- return PTR_ERR(desc);
+-
+- if (lineinfo_ensure_abi_version(cdev, 1))
+- return -EPERM;
+-
+- if (test_and_set_bit(lineinfo.line_offset, cdev->watched_lines))
+- return -EBUSY;
+-
+- gpio_desc_to_lineinfo(desc, &lineinfo_v2);
+- gpio_v2_line_info_to_v1(&lineinfo_v2, &lineinfo);
+-
+- if (copy_to_user(ip, &lineinfo, sizeof(lineinfo))) {
+- clear_bit(lineinfo.line_offset, cdev->watched_lines);
+- return -EFAULT;
+- }
+-
+- return 0;
++ } else if (cmd == GPIO_GET_LINEINFO_IOCTL ||
++ cmd == GPIO_GET_LINEINFO_WATCH_IOCTL) {
++ return lineinfo_get_v1(cdev, ip,
++ cmd == GPIO_GET_LINEINFO_WATCH_IOCTL);
+ #endif /* CONFIG_GPIO_CDEV_V1 */
+ } else if (cmd == GPIO_V2_GET_LINEINFO_IOCTL ||
+ cmd == GPIO_V2_GET_LINEINFO_WATCH_IOCTL) {
+@@ -2100,16 +2110,7 @@ static long gpio_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+ } else if (cmd == GPIO_V2_GET_LINE_IOCTL) {
+ return linereq_create(gdev, ip);
+ } else if (cmd == GPIO_GET_LINEINFO_UNWATCH_IOCTL) {
+- if (copy_from_user(&offset, ip, sizeof(offset)))
+- return -EFAULT;
+-
+- if (offset >= cdev->gdev->ngpio)
+- return -EINVAL;
+-
+- if (!test_and_clear_bit(offset, cdev->watched_lines))
+- return -EBUSY;
+-
+- return 0;
++ return lineinfo_unwatch(cdev, ip);
+ }
+ return -EINVAL;
+ }
+--
+2.27.0
+
--- /dev/null
+From 2890e66a41aeaee7db7bef2b8d0619b103444234 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 9 Jan 2021 13:43:08 +0100
+Subject: i2c: octeon: check correct size of maximum RECV_LEN packet
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit 1b2cfa2d1dbdcc3b6dba1ecb7026a537a1d7277f ]
+
+I2C_SMBUS_BLOCK_MAX defines already the maximum number as defined in the
+SMBus 2.0 specs. No reason to add one to it.
+
+Fixes: 886f6f8337dd ("i2c: octeon: Support I2C_M_RECV_LEN")
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Reviewed-by: Robert Richter <rric@kernel.org>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-octeon-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/i2c/busses/i2c-octeon-core.c b/drivers/i2c/busses/i2c-octeon-core.c
+index d9607905dc2f1..845eda70b8cab 100644
+--- a/drivers/i2c/busses/i2c-octeon-core.c
++++ b/drivers/i2c/busses/i2c-octeon-core.c
+@@ -347,7 +347,7 @@ static int octeon_i2c_read(struct octeon_i2c *i2c, int target,
+ if (result)
+ return result;
+ if (recv_len && i == 0) {
+- if (data[i] > I2C_SMBUS_BLOCK_MAX + 1)
++ if (data[i] > I2C_SMBUS_BLOCK_MAX)
+ return -EPROTO;
+ length += data[i];
+ }
+--
+2.27.0
+
--- /dev/null
+From 63d4e60351a2f0c53a1267224ac33c4022083bbf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 17 Jan 2021 12:43:13 +0100
+Subject: i2c: sprd: depend on COMMON_CLK to fix compile tests
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+[ Upstream commit 9ecd1d2b302b600351fac50779f43fcb680c1a16 ]
+
+The I2C_SPRD uses Common Clock Framework thus it cannot be built on
+platforms without it (e.g. compile test on MIPS with LANTIQ):
+
+ /usr/bin/mips-linux-gnu-ld: drivers/i2c/busses/i2c-sprd.o: in function `sprd_i2c_probe':
+ i2c-sprd.c:(.text.sprd_i2c_probe+0x254): undefined reference to `clk_set_parent'
+
+Fixes: 4a2d5f663dab ("i2c: Enable compile testing for more drivers")
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Reviewed-by: Baolin Wang <baolin.wang7@gmail.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/i2c/busses/Kconfig b/drivers/i2c/busses/Kconfig
+index a49e0ed4a599d..7e693dcbdd196 100644
+--- a/drivers/i2c/busses/Kconfig
++++ b/drivers/i2c/busses/Kconfig
+@@ -1012,6 +1012,7 @@ config I2C_SIRF
+ config I2C_SPRD
+ tristate "Spreadtrum I2C interface"
+ depends on I2C=y && (ARCH_SPRD || COMPILE_TEST)
++ depends on COMMON_CLK
+ help
+ If you say yes to this option, support will be included for the
+ Spreadtrum I2C interface.
+--
+2.27.0
+
--- /dev/null
+From 6ddccbde0638133ea0c71dcd1c96bdb5843f83b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Jan 2021 18:19:26 +0100
+Subject: iov_iter: fix the uaccess area in copy_compat_iovec_from_user
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit a959a9782fa87669feeed095ced5d78181a7c02d ]
+
+sizeof needs to be called on the compat pointer, not the native one.
+
+Fixes: 89cd35c58bc2 ("iov_iter: transparently handle compat iovecs in import_iovec")
+Reported-by: David Laight <David.Laight@ACULAB.COM>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/iov_iter.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/iov_iter.c b/lib/iov_iter.c
+index 1635111c5bd2a..a21e6a5792c5a 100644
+--- a/lib/iov_iter.c
++++ b/lib/iov_iter.c
+@@ -1658,7 +1658,7 @@ static int copy_compat_iovec_from_user(struct iovec *iov,
+ (const struct compat_iovec __user *)uvec;
+ int ret = -EFAULT, i;
+
+- if (!user_access_begin(uvec, nr_segs * sizeof(*uvec)))
++ if (!user_access_begin(uiov, nr_segs * sizeof(*uiov)))
+ return -EFAULT;
+
+ for (i = 0; i < nr_segs; i++) {
+--
+2.27.0
+
--- /dev/null
+From 0f28a0037dcee82c74210fac593a409428105194 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Dec 2020 12:26:15 -0500
+Subject: nfsd: Don't set eof on a truncated READ_PLUS
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit b68f0cbd3f95f2df81e525c310a41fc73c2ed0d3 ]
+
+If the READ_PLUS operation was truncated due to an error, then ensure we
+clear the 'eof' flag.
+
+Fixes: 9f0b5792f07d ("NFSD: Encode a full READ_PLUS reply")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfs4xdr.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
+index 26f6e277101de..5f5169b9c2e90 100644
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -4736,14 +4736,15 @@ out:
+ if (nfserr && segments == 0)
+ xdr_truncate_encode(xdr, starting_len);
+ else {
+- tmp = htonl(eof);
+- write_bytes_to_xdr_buf(xdr->buf, starting_len, &tmp, 4);
+- tmp = htonl(segments);
+- write_bytes_to_xdr_buf(xdr->buf, starting_len + 4, &tmp, 4);
+ if (nfserr) {
+ xdr_truncate_encode(xdr, last_segment);
+ nfserr = nfs_ok;
++ eof = 0;
+ }
++ tmp = htonl(eof);
++ write_bytes_to_xdr_buf(xdr->buf, starting_len, &tmp, 4);
++ tmp = htonl(segments);
++ write_bytes_to_xdr_buf(xdr->buf, starting_len + 4, &tmp, 4);
+ }
+
+ return nfserr;
+--
+2.27.0
+
--- /dev/null
+From b72ac41b4de4c66e5599342b1fbe559a62aeb2ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Dec 2020 12:26:14 -0500
+Subject: nfsd: Fixes for nfsd4_encode_read_plus_data()
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit 72d78717c6d06adf65d2e3dccc96d9e9dc978593 ]
+
+Ensure that we encode the data payload + padding, and that we truncate
+the preallocated buffer to the actual read size.
+
+Fixes: 528b84934eb9 ("NFSD: Add READ_PLUS data support")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfs4xdr.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
+index 833a2c64dfe80..26f6e277101de 100644
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -4632,6 +4632,7 @@ nfsd4_encode_read_plus_data(struct nfsd4_compoundres *resp,
+ resp->rqstp->rq_vec, read->rd_vlen, maxcount, eof);
+ if (nfserr)
+ return nfserr;
++ xdr_truncate_encode(xdr, starting_len + 16 + xdr_align_size(*maxcount));
+
+ tmp = htonl(NFS4_CONTENT_DATA);
+ write_bytes_to_xdr_buf(xdr->buf, starting_len, &tmp, 4);
+@@ -4639,6 +4640,10 @@ nfsd4_encode_read_plus_data(struct nfsd4_compoundres *resp,
+ write_bytes_to_xdr_buf(xdr->buf, starting_len + 4, &tmp64, 8);
+ tmp = htonl(*maxcount);
+ write_bytes_to_xdr_buf(xdr->buf, starting_len + 12, &tmp, 4);
++
++ tmp = xdr_zero;
++ write_bytes_to_xdr_buf(xdr->buf, starting_len + 16 + *maxcount, &tmp,
++ xdr_pad_size(*maxcount));
+ return nfs_ok;
+ }
+
+--
+2.27.0
+
--- /dev/null
+From 26f130dcb91e4673f47fe19d51657c1ef53d8f8f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Jan 2021 14:54:46 +0200
+Subject: perf evlist: Fix id index for heterogeneous systems
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+[ Upstream commit fc705fecf3a0c9128933cc6db59159c050aaca33 ]
+
+perf_evlist__set_sid_idx() updates perf_sample_id with the evlist map
+index, CPU number and TID. It is passed indexes to the evsel's cpu and
+thread maps, but references the evlist's maps instead. That results in
+using incorrect CPU numbers on heterogeneous systems. Fix it by using
+evsel maps.
+
+The id index (PERF_RECORD_ID_INDEX) is used by AUX area tracing when in
+sampling mode. Having an incorrect CPU number causes the trace data to
+be attributed to the wrong CPU, and can result in decoder errors because
+the trace data is then associated with the wrong process.
+
+Committer notes:
+
+Keep the class prefix convention in the function name, switching from
+perf_evlist__set_sid_idx() to perf_evsel__set_sid_idx().
+
+Fixes: 3c659eedada2fbf9 ("perf tools: Add id index")
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jin Yao <yao.jin@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Link: http://lore.kernel.org/lkml/20210121125446.11287-1-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/perf/evlist.c | 17 ++++-------------
+ 1 file changed, 4 insertions(+), 13 deletions(-)
+
+diff --git a/tools/lib/perf/evlist.c b/tools/lib/perf/evlist.c
+index cfcdbd7be066e..17465d454a0e3 100644
+--- a/tools/lib/perf/evlist.c
++++ b/tools/lib/perf/evlist.c
+@@ -367,21 +367,13 @@ static struct perf_mmap* perf_evlist__alloc_mmap(struct perf_evlist *evlist, boo
+ return map;
+ }
+
+-static void perf_evlist__set_sid_idx(struct perf_evlist *evlist,
+- struct perf_evsel *evsel, int idx, int cpu,
+- int thread)
++static void perf_evsel__set_sid_idx(struct perf_evsel *evsel, int idx, int cpu, int thread)
+ {
+ struct perf_sample_id *sid = SID(evsel, cpu, thread);
+
+ sid->idx = idx;
+- if (evlist->cpus && cpu >= 0)
+- sid->cpu = evlist->cpus->map[cpu];
+- else
+- sid->cpu = -1;
+- if (!evsel->system_wide && evlist->threads && thread >= 0)
+- sid->tid = perf_thread_map__pid(evlist->threads, thread);
+- else
+- sid->tid = -1;
++ sid->cpu = perf_cpu_map__cpu(evsel->cpus, cpu);
++ sid->tid = perf_thread_map__pid(evsel->threads, thread);
+ }
+
+ static struct perf_mmap*
+@@ -500,8 +492,7 @@ mmap_per_evsel(struct perf_evlist *evlist, struct perf_evlist_mmap_ops *ops,
+ if (perf_evlist__id_add_fd(evlist, evsel, cpu, thread,
+ fd) < 0)
+ return -1;
+- perf_evlist__set_sid_idx(evlist, evsel, idx, cpu,
+- thread);
++ perf_evsel__set_sid_idx(evsel, idx, cpu, thread);
+ }
+ }
+
+--
+2.27.0
+
--- /dev/null
+From 40a3062829d7cf94a4dd88d53e5d5f59c699248a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Dec 2020 10:49:12 +0800
+Subject: pinctrl: aspeed: g6: Fix PWMG0 pinctrl setting
+
+From: Billy Tsai <billy_tsai@aspeedtech.com>
+
+[ Upstream commit 92ff62a7bcc17d47c0ce8dddfb7a6e1a2e55ebf4 ]
+
+The SCU offset for signal PWM8 in group PWM8G0 is wrong, fix it from
+SCU414 to SCU4B4.
+
+Signed-off-by: Billy Tsai <billy_tsai@aspeedtech.com>
+Fixes: 2eda1cdec49f ("pinctrl: aspeed: Add AST2600 pinmux support")
+Reviewed-by: Joel Stanley <joel@jms.id.au>
+Reviewed-by: Andrew Jeffery <andrew@aj.id.au>
+Link: https://lore.kernel.org/r/20201217024912.3198-1-billy_tsai@aspeedtech.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/aspeed/pinctrl-aspeed-g6.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/aspeed/pinctrl-aspeed-g6.c b/drivers/pinctrl/aspeed/pinctrl-aspeed-g6.c
+index 34803a6c76643..5c1a109842a76 100644
+--- a/drivers/pinctrl/aspeed/pinctrl-aspeed-g6.c
++++ b/drivers/pinctrl/aspeed/pinctrl-aspeed-g6.c
+@@ -347,7 +347,7 @@ FUNC_GROUP_DECL(RMII4, F24, E23, E24, E25, C25, C24, B26, B25, B24);
+
+ #define D22 40
+ SIG_EXPR_LIST_DECL_SESG(D22, SD1CLK, SD1, SIG_DESC_SET(SCU414, 8));
+-SIG_EXPR_LIST_DECL_SEMG(D22, PWM8, PWM8G0, PWM8, SIG_DESC_SET(SCU414, 8));
++SIG_EXPR_LIST_DECL_SEMG(D22, PWM8, PWM8G0, PWM8, SIG_DESC_SET(SCU4B4, 8));
+ PIN_DECL_2(D22, GPIOF0, SD1CLK, PWM8);
+ GROUP_DECL(PWM8G0, D22);
+
+--
+2.27.0
+
--- /dev/null
+From cc967fd763c359635835c06b604bf9be2c21a52a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Dec 2020 17:04:25 +0800
+Subject: pinctrl: mediatek: Fix fallback call path
+
+From: Hsin-Yi Wang <hsinyi@chromium.org>
+
+[ Upstream commit 81bd1579b43e0e285cba667399f1b063f1ce7672 ]
+
+Some SoCs, eg. mt8183, are using a pinconfig operation bias_set_combo.
+The fallback path in mtk_pinconf_adv_pull_set() should also try this
+operation.
+
+Fixes: cafe19db7751 ("pinctrl: mediatek: Backward compatible to previous Mediatek's bias-pull usage")
+Signed-off-by: Hsin-Yi Wang <hsinyi@chromium.org>
+Acked-by: Sean Wang <sean.wang@kernel.org>
+Link: https://lore.kernel.org/r/20201228090425.2130569-1-hsinyi@chromium.org
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c b/drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c
+index 7e950f5d62d0f..7815426e7aeaa 100644
+--- a/drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c
++++ b/drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c
+@@ -926,6 +926,10 @@ int mtk_pinconf_adv_pull_set(struct mtk_pinctrl *hw,
+ err = hw->soc->bias_set(hw, desc, pullup);
+ if (err)
+ return err;
++ } else if (hw->soc->bias_set_combo) {
++ err = hw->soc->bias_set_combo(hw, desc, pullup, arg);
++ if (err)
++ return err;
+ } else {
+ return -ENOTSUPP;
+ }
+--
+2.27.0
+
--- /dev/null
+From 763c1dc0b3d252a97d53a4d01fd46fb325d954cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Jan 2021 00:27:44 +0100
+Subject: platform/x86: hp-wmi: Don't log a warning on
+ HPWMI_RET_UNKNOWN_COMMAND errors
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit d35c9a029a73e84d84337403d20b060494890570 ]
+
+The recently added thermal policy support makes a
+hp_wmi_perform_query(0x4c, ...) call on older devices which do not
+support thermal policies this causes the following warning to be
+logged (seen on a HP Stream x360 Convertible PC 11):
+
+[ 26.805305] hp_wmi: query 0x4c returned error 0x3
+
+Error 0x3 is HPWMI_RET_UNKNOWN_COMMAND error. This commit silences
+the warning for unknown-command errors, silencing the new warning.
+
+Cc: Elia Devito <eliadevito@gmail.com>
+Fixes: 81c93798ef3e ("platform/x86: hp-wmi: add support for thermal policy")
+Link: https://lore.kernel.org/r/20210114232744.154886-1-hdegoede@redhat.com
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/hp-wmi.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/platform/x86/hp-wmi.c b/drivers/platform/x86/hp-wmi.c
+index ecd477964d117..18bf8aeb5f870 100644
+--- a/drivers/platform/x86/hp-wmi.c
++++ b/drivers/platform/x86/hp-wmi.c
+@@ -247,7 +247,8 @@ static int hp_wmi_perform_query(int query, enum hp_wmi_command command,
+ ret = bios_return->return_code;
+
+ if (ret) {
+- if (ret != HPWMI_RET_UNKNOWN_CMDTYPE)
++ if (ret != HPWMI_RET_UNKNOWN_COMMAND &&
++ ret != HPWMI_RET_UNKNOWN_CMDTYPE)
+ pr_warn("query 0x%x returned error 0x%x\n", query, ret);
+ goto out_free;
+ }
+--
+2.27.0
+
--- /dev/null
+From 706ad85ddf52f38dca369038c04cbd80a832c1c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Jan 2021 15:34:32 +0100
+Subject: platform/x86: intel-vbtn: Drop HP Stream x360 Convertible PC 11 from
+ allow-list
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 070222731be52d741e55d8967b1764482b81e54c ]
+
+THe HP Stream x360 Convertible PC 11 DSDT has the following VGBS function:
+
+ Method (VGBS, 0, Serialized)
+ {
+ If ((^^PCI0.LPCB.EC0.ROLS == Zero))
+ {
+ VBDS = Zero
+ }
+ Else
+ {
+ VBDS = Zero
+ }
+
+ Return (VBDS) /* \_SB_.VGBI.VBDS */
+ }
+
+Which is obviously wrong, because it always returns 0 independent of the
+2-in-1 being in laptop or tablet mode. This causes the intel-vbtn driver
+to initially report SW_TABLET_MODE = 1 to userspace, which is known to
+cause problems when the 2-in-1 is actually in laptop mode.
+
+During earlier testing this turned out to not be a problem because the
+2-in-1 would do a Notify(..., 0xCC) or Notify(..., 0xCD) soon after
+the intel-vbtn driver loaded, correcting the SW_TABLET_MODE state.
+
+Further testing however has shown that this Notify() soon after the
+intel-vbtn driver loads, does not always happen. When the Notify
+does not happen, then intel-vbtn reports SW_TABLET_MODE = 1 resulting in
+a non-working touchpad.
+
+IOW the tablet-mode reporting is not reliable on this device, so it
+should be dropped from the allow-list, fixing the touchpad sometimes
+not working.
+
+Fixes: 8169bd3e6e19 ("platform/x86: intel-vbtn: Switch to an allow-list for SW_TABLET_MODE reporting")
+Link: https://lore.kernel.org/r/20210114143432.31750-1-hdegoede@redhat.com
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/intel-vbtn.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/drivers/platform/x86/intel-vbtn.c b/drivers/platform/x86/intel-vbtn.c
+index 3b49a1f4061bc..65fb3a3031470 100644
+--- a/drivers/platform/x86/intel-vbtn.c
++++ b/drivers/platform/x86/intel-vbtn.c
+@@ -204,12 +204,6 @@ static const struct dmi_system_id dmi_switches_allow_list[] = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "Venue 11 Pro 7130"),
+ },
+ },
+- {
+- .matches = {
+- DMI_MATCH(DMI_SYS_VENDOR, "Hewlett-Packard"),
+- DMI_MATCH(DMI_PRODUCT_NAME, "HP Stream x360 Convertible PC 11"),
+- },
+- },
+ {
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Hewlett-Packard"),
+--
+2.27.0
+
--- /dev/null
+From 52770a53a8bd3e98c3051d8d1b2545d7df2d9a9d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 2 Jan 2021 22:11:56 +0200
+Subject: powerpc: Fix alignment bug within the init sections
+
+From: Ariel Marcovitch <arielmarcovitch@gmail.com>
+
+[ Upstream commit 2225a8dda263edc35a0e8b858fe2945cf6240fde ]
+
+This is a bug that causes early crashes in builds with an .exit.text
+section smaller than a page and an .init.text section that ends in the
+beginning of a physical page (this is kinda random, which might
+explain why this wasn't really encountered before).
+
+The init sections are ordered like this:
+ .init.text
+ .exit.text
+ .init.data
+
+Currently, these sections aren't page aligned.
+
+Because the init code might become read-only at runtime and because
+the .init.text section can potentially reside on the same physical
+page as .init.data, the beginning of .init.data might be mapped
+read-only along with .init.text.
+
+Then when the kernel tries to modify a variable in .init.data (like
+kthreadd_done, used in kernel_init()) the kernel panics.
+
+To avoid this, make _einittext page aligned and also align .exit.text
+to make sure .init.data is always seperated from the text segments.
+
+Fixes: 060ef9d89d18 ("powerpc32: PAGE_EXEC required for inittext")
+Signed-off-by: Ariel Marcovitch <ariel.marcovitch@gmail.com>
+Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20210102201156.10805-1-ariel.marcovitch@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/vmlinux.lds.S | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/arch/powerpc/kernel/vmlinux.lds.S b/arch/powerpc/kernel/vmlinux.lds.S
+index 50507dac118ae..83281aee14d2f 100644
+--- a/arch/powerpc/kernel/vmlinux.lds.S
++++ b/arch/powerpc/kernel/vmlinux.lds.S
+@@ -187,6 +187,12 @@ SECTIONS
+ .init.text : AT(ADDR(.init.text) - LOAD_OFFSET) {
+ _sinittext = .;
+ INIT_TEXT
++
++ /*
++ *.init.text might be RO so we must ensure this section ends on
++ * a page boundary.
++ */
++ . = ALIGN(PAGE_SIZE);
+ _einittext = .;
+ #ifdef CONFIG_PPC64
+ *(.tramp.ftrace.init);
+@@ -200,6 +206,8 @@ SECTIONS
+ EXIT_TEXT
+ }
+
++ . = ALIGN(PAGE_SIZE);
++
+ INIT_DATA_SECTION(16)
+
+ . = ALIGN(8);
+--
+2.27.0
+
--- /dev/null
+From 60db73aaab5eeaac474c57d920bfd4ee42c8d3cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Nov 2020 18:59:10 +0800
+Subject: powerpc: Use the common INIT_DATA_SECTION macro in vmlinux.lds.S
+
+From: Youling Tang <tangyouling@loongson.cn>
+
+[ Upstream commit fdcfeaba38e5b183045f5b079af94f97658eabe6 ]
+
+Use the common INIT_DATA_SECTION rule for the linker script in an effort
+to regularize the linker script.
+
+Signed-off-by: Youling Tang <tangyouling@loongson.cn>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/1604487550-20040-1-git-send-email-tangyouling@loongson.cn
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/vmlinux.lds.S | 19 +------------------
+ 1 file changed, 1 insertion(+), 18 deletions(-)
+
+diff --git a/arch/powerpc/kernel/vmlinux.lds.S b/arch/powerpc/kernel/vmlinux.lds.S
+index f887f9d5b9e84..50507dac118ae 100644
+--- a/arch/powerpc/kernel/vmlinux.lds.S
++++ b/arch/powerpc/kernel/vmlinux.lds.S
+@@ -200,21 +200,7 @@ SECTIONS
+ EXIT_TEXT
+ }
+
+- .init.data : AT(ADDR(.init.data) - LOAD_OFFSET) {
+- INIT_DATA
+- }
+-
+- .init.setup : AT(ADDR(.init.setup) - LOAD_OFFSET) {
+- INIT_SETUP(16)
+- }
+-
+- .initcall.init : AT(ADDR(.initcall.init) - LOAD_OFFSET) {
+- INIT_CALLS
+- }
+-
+- .con_initcall.init : AT(ADDR(.con_initcall.init) - LOAD_OFFSET) {
+- CON_INITCALL
+- }
++ INIT_DATA_SECTION(16)
+
+ . = ALIGN(8);
+ __ftr_fixup : AT(ADDR(__ftr_fixup) - LOAD_OFFSET) {
+@@ -242,9 +228,6 @@ SECTIONS
+ __stop___fw_ftr_fixup = .;
+ }
+ #endif
+- .init.ramfs : AT(ADDR(.init.ramfs) - LOAD_OFFSET) {
+- INIT_RAM_FS
+- }
+
+ PERCPU_SECTION(L1_CACHE_BYTES)
+
+--
+2.27.0
+
--- /dev/null
+From e3346945bca0232750950ebd7e1e158383ec686a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Jan 2021 17:50:13 +0106
+Subject: printk: fix kmsg_dump_get_buffer length calulations
+
+From: John Ogness <john.ogness@linutronix.de>
+
+[ Upstream commit 89ccf18f032f26946e2ea6258120472eec6aa745 ]
+
+kmsg_dump_get_buffer() uses @syslog to determine if the syslog
+prefix should be written to the buffer. However, when calculating
+the maximum number of records that can fit into the buffer, it
+always counts the bytes from the syslog prefix.
+
+Use @syslog when calculating the maximum number of records that can
+fit into the buffer.
+
+Fixes: e2ae715d66bf ("kmsg - kmsg_dump() use iterator to receive log buffer content")
+Signed-off-by: John Ogness <john.ogness@linutronix.de>
+Reviewed-by: Petr Mladek <pmladek@suse.com>
+Acked-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Link: https://lore.kernel.org/r/20210113164413.1599-1-john.ogness@linutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/printk/printk.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
+index 1246b3b330fd1..807810216492a 100644
+--- a/kernel/printk/printk.c
++++ b/kernel/printk/printk.c
+@@ -3394,7 +3394,7 @@ bool kmsg_dump_get_buffer(struct kmsg_dumper *dumper, bool syslog,
+ while (prb_read_valid_info(prb, seq, &info, &line_count)) {
+ if (r.info->seq >= dumper->next_seq)
+ break;
+- l += get_record_print_text_size(&info, line_count, true, time);
++ l += get_record_print_text_size(&info, line_count, syslog, time);
+ seq = r.info->seq + 1;
+ }
+
+@@ -3404,7 +3404,7 @@ bool kmsg_dump_get_buffer(struct kmsg_dumper *dumper, bool syslog,
+ &info, &line_count)) {
+ if (r.info->seq >= dumper->next_seq)
+ break;
+- l -= get_record_print_text_size(&info, line_count, true, time);
++ l -= get_record_print_text_size(&info, line_count, syslog, time);
+ seq = r.info->seq + 1;
+ }
+
+--
+2.27.0
+
--- /dev/null
+From ace6b21908a2114cc2f5c78dc758eef09d06f38e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Jan 2021 15:48:34 +0106
+Subject: printk: ringbuffer: fix line counting
+
+From: John Ogness <john.ogness@linutronix.de>
+
+[ Upstream commit 668af87f995b6d6d09595c088ad1fb5dd9ff25d2 ]
+
+Counting text lines in a record simply involves counting the number
+of newline characters (+1). However, it is searching the full data
+block for newline characters, even though the text data can be (and
+often is) a subset of that area. Since the extra area in the data
+block was never initialized, the result is that extra newlines may
+be seen and counted.
+
+Restrict newline searching to the text data length.
+
+Fixes: b6cf8b3f3312 ("printk: add lockless ringbuffer")
+Signed-off-by: John Ogness <john.ogness@linutronix.de>
+Reviewed-by: Petr Mladek <pmladek@suse.com>
+Acked-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Link: https://lore.kernel.org/r/20210113144234.6545-1-john.ogness@linutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/printk/printk_ringbuffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/printk/printk_ringbuffer.c b/kernel/printk/printk_ringbuffer.c
+index 74e25a1704f2b..617dd63589650 100644
+--- a/kernel/printk/printk_ringbuffer.c
++++ b/kernel/printk/printk_ringbuffer.c
+@@ -1720,7 +1720,7 @@ static bool copy_data(struct prb_data_ring *data_ring,
+
+ /* Caller interested in the line count? */
+ if (line_count)
+- *line_count = count_lines(data, data_size);
++ *line_count = count_lines(data, len);
+
+ /* Caller interested in the data content? */
+ if (!buf || !buf_size)
+--
+2.27.0
+
--- /dev/null
+From 9fbbacaaae915937f5b9cfa41b8eeef4beedd4ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Jan 2021 15:02:14 +0200
+Subject: RDMA/cma: Fix error flow in default_roce_mode_store
+
+From: Neta Ostrovsky <netao@nvidia.com>
+
+[ Upstream commit 7c7b3e5d9aeed31d35c5dab0bf9c0fd4c8923206 ]
+
+In default_roce_mode_store(), we took a reference to cma_dev, but didn't
+return it with cma_dev_put in the error flow.
+
+Fixes: 1c15b4f2a42f ("RDMA/core: Modify enum ib_gid_type and enum rdma_network_type")
+Link: https://lore.kernel.org/r/20210113130214.562108-1-leon@kernel.org
+Signed-off-by: Neta Ostrovsky <netao@nvidia.com>
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/cma_configfs.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/core/cma_configfs.c b/drivers/infiniband/core/cma_configfs.c
+index 7ec4af2ed87ab..35d1ec1095f9c 100644
+--- a/drivers/infiniband/core/cma_configfs.c
++++ b/drivers/infiniband/core/cma_configfs.c
+@@ -131,8 +131,10 @@ static ssize_t default_roce_mode_store(struct config_item *item,
+ return ret;
+
+ gid_type = ib_cache_gid_parse_type_str(buf);
+- if (gid_type < 0)
++ if (gid_type < 0) {
++ cma_configfs_params_put(cma_dev);
+ return -EINVAL;
++ }
+
+ ret = cma_set_default_gid_type(cma_dev, group->port_num, gid_type);
+
+--
+2.27.0
+
--- /dev/null
+From fbefcc22db92689f447db5b2ee2404f9f2aaa133 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Jan 2021 13:13:27 +0200
+Subject: RDMA/ucma: Do not miss ctx destruction steps in some cases
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+[ Upstream commit 8ae291cc95e49011b736b641b0cfad502b7a1526 ]
+
+The destruction flow is very complicated here because the cm_id can be
+destroyed from the event handler at any time if the device is
+hot-removed. This leaves behind a partial ctx with no cm_id in the
+xarray, and will let user space leak memory.
+
+Make everything consistent in this flow in all places:
+
+ - Return the xarray back to XA_ZERO_ENTRY before beginning any
+ destruction. The thread that reaches this first is responsible to
+ kfree, everyone else does nothing.
+
+ - Test the xarray during the special hot-removal case to block the
+ queue_work, this has much simpler locking and doesn't require a
+ 'destroying'
+
+ - Fix the ref initialization so that it is only positive if cm_id !=
+ NULL, then rely on that to guide the destruction process in all cases.
+
+Now the new ucma_destroy_private_ctx() can be called in all places that
+want to free the ctx, including all the error unwinds, and none of the
+details are missed.
+
+Fixes: a1d33b70dbbc ("RDMA/ucma: Rework how new connections are passed through event delivery")
+Link: https://lore.kernel.org/r/20210105111327.230270-1-leon@kernel.org
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/ucma.c | 135 ++++++++++++++++++---------------
+ 1 file changed, 72 insertions(+), 63 deletions(-)
+
+diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
+index ffe2563ad3456..2cc785c1970b4 100644
+--- a/drivers/infiniband/core/ucma.c
++++ b/drivers/infiniband/core/ucma.c
+@@ -95,8 +95,6 @@ struct ucma_context {
+ u64 uid;
+
+ struct list_head list;
+- /* sync between removal event and id destroy, protected by file mut */
+- int destroying;
+ struct work_struct close_work;
+ };
+
+@@ -122,7 +120,7 @@ static DEFINE_XARRAY_ALLOC(ctx_table);
+ static DEFINE_XARRAY_ALLOC(multicast_table);
+
+ static const struct file_operations ucma_fops;
+-static int __destroy_id(struct ucma_context *ctx);
++static int ucma_destroy_private_ctx(struct ucma_context *ctx);
+
+ static inline struct ucma_context *_ucma_find_context(int id,
+ struct ucma_file *file)
+@@ -179,19 +177,14 @@ static void ucma_close_id(struct work_struct *work)
+
+ /* once all inflight tasks are finished, we close all underlying
+ * resources. The context is still alive till its explicit destryoing
+- * by its creator.
++ * by its creator. This puts back the xarray's reference.
+ */
+ ucma_put_ctx(ctx);
+ wait_for_completion(&ctx->comp);
+ /* No new events will be generated after destroying the id. */
+ rdma_destroy_id(ctx->cm_id);
+
+- /*
+- * At this point ctx->ref is zero so the only place the ctx can be is in
+- * a uevent or in __destroy_id(). Since the former doesn't touch
+- * ctx->cm_id and the latter sync cancels this, there is no races with
+- * this store.
+- */
++ /* Reading the cm_id without holding a positive ref is not allowed */
+ ctx->cm_id = NULL;
+ }
+
+@@ -204,7 +197,6 @@ static struct ucma_context *ucma_alloc_ctx(struct ucma_file *file)
+ return NULL;
+
+ INIT_WORK(&ctx->close_work, ucma_close_id);
+- refcount_set(&ctx->ref, 1);
+ init_completion(&ctx->comp);
+ /* So list_del() will work if we don't do ucma_finish_ctx() */
+ INIT_LIST_HEAD(&ctx->list);
+@@ -218,6 +210,13 @@ static struct ucma_context *ucma_alloc_ctx(struct ucma_file *file)
+ return ctx;
+ }
+
++static void ucma_set_ctx_cm_id(struct ucma_context *ctx,
++ struct rdma_cm_id *cm_id)
++{
++ refcount_set(&ctx->ref, 1);
++ ctx->cm_id = cm_id;
++}
++
+ static void ucma_finish_ctx(struct ucma_context *ctx)
+ {
+ lockdep_assert_held(&ctx->file->mut);
+@@ -303,7 +302,7 @@ static int ucma_connect_event_handler(struct rdma_cm_id *cm_id,
+ ctx = ucma_alloc_ctx(listen_ctx->file);
+ if (!ctx)
+ goto err_backlog;
+- ctx->cm_id = cm_id;
++ ucma_set_ctx_cm_id(ctx, cm_id);
+
+ uevent = ucma_create_uevent(listen_ctx, event);
+ if (!uevent)
+@@ -321,8 +320,7 @@ static int ucma_connect_event_handler(struct rdma_cm_id *cm_id,
+ return 0;
+
+ err_alloc:
+- xa_erase(&ctx_table, ctx->id);
+- kfree(ctx);
++ ucma_destroy_private_ctx(ctx);
+ err_backlog:
+ atomic_inc(&listen_ctx->backlog);
+ /* Returning error causes the new ID to be destroyed */
+@@ -356,8 +354,12 @@ static int ucma_event_handler(struct rdma_cm_id *cm_id,
+ wake_up_interruptible(&ctx->file->poll_wait);
+ }
+
+- if (event->event == RDMA_CM_EVENT_DEVICE_REMOVAL && !ctx->destroying)
+- queue_work(system_unbound_wq, &ctx->close_work);
++ if (event->event == RDMA_CM_EVENT_DEVICE_REMOVAL) {
++ xa_lock(&ctx_table);
++ if (xa_load(&ctx_table, ctx->id) == ctx)
++ queue_work(system_unbound_wq, &ctx->close_work);
++ xa_unlock(&ctx_table);
++ }
+ return 0;
+ }
+
+@@ -461,13 +463,12 @@ static ssize_t ucma_create_id(struct ucma_file *file, const char __user *inbuf,
+ ret = PTR_ERR(cm_id);
+ goto err1;
+ }
+- ctx->cm_id = cm_id;
++ ucma_set_ctx_cm_id(ctx, cm_id);
+
+ resp.id = ctx->id;
+ if (copy_to_user(u64_to_user_ptr(cmd.response),
+ &resp, sizeof(resp))) {
+- xa_erase(&ctx_table, ctx->id);
+- __destroy_id(ctx);
++ ucma_destroy_private_ctx(ctx);
+ return -EFAULT;
+ }
+
+@@ -477,8 +478,7 @@ static ssize_t ucma_create_id(struct ucma_file *file, const char __user *inbuf,
+ return 0;
+
+ err1:
+- xa_erase(&ctx_table, ctx->id);
+- kfree(ctx);
++ ucma_destroy_private_ctx(ctx);
+ return ret;
+ }
+
+@@ -516,68 +516,73 @@ static void ucma_cleanup_mc_events(struct ucma_multicast *mc)
+ rdma_unlock_handler(mc->ctx->cm_id);
+ }
+
+-/*
+- * ucma_free_ctx is called after the underlying rdma CM-ID is destroyed. At
+- * this point, no new events will be reported from the hardware. However, we
+- * still need to cleanup the UCMA context for this ID. Specifically, there
+- * might be events that have not yet been consumed by the user space software.
+- * mutex. After that we release them as needed.
+- */
+-static int ucma_free_ctx(struct ucma_context *ctx)
++static int ucma_cleanup_ctx_events(struct ucma_context *ctx)
+ {
+ int events_reported;
+ struct ucma_event *uevent, *tmp;
+ LIST_HEAD(list);
+
+- ucma_cleanup_multicast(ctx);
+-
+- /* Cleanup events not yet reported to the user. */
++ /* Cleanup events not yet reported to the user.*/
+ mutex_lock(&ctx->file->mut);
+ list_for_each_entry_safe(uevent, tmp, &ctx->file->event_list, list) {
+- if (uevent->ctx == ctx || uevent->conn_req_ctx == ctx)
++ if (uevent->ctx != ctx)
++ continue;
++
++ if (uevent->resp.event == RDMA_CM_EVENT_CONNECT_REQUEST &&
++ xa_cmpxchg(&ctx_table, uevent->conn_req_ctx->id,
++ uevent->conn_req_ctx, XA_ZERO_ENTRY,
++ GFP_KERNEL) == uevent->conn_req_ctx) {
+ list_move_tail(&uevent->list, &list);
++ continue;
++ }
++ list_del(&uevent->list);
++ kfree(uevent);
+ }
+ list_del(&ctx->list);
+ events_reported = ctx->events_reported;
+ mutex_unlock(&ctx->file->mut);
+
+ /*
+- * If this was a listening ID then any connections spawned from it
+- * that have not been delivered to userspace are cleaned up too.
+- * Must be done outside any locks.
++ * If this was a listening ID then any connections spawned from it that
++ * have not been delivered to userspace are cleaned up too. Must be done
++ * outside any locks.
+ */
+ list_for_each_entry_safe(uevent, tmp, &list, list) {
+- list_del(&uevent->list);
+- if (uevent->resp.event == RDMA_CM_EVENT_CONNECT_REQUEST &&
+- uevent->conn_req_ctx != ctx)
+- __destroy_id(uevent->conn_req_ctx);
++ ucma_destroy_private_ctx(uevent->conn_req_ctx);
+ kfree(uevent);
+ }
+-
+- mutex_destroy(&ctx->mutex);
+- kfree(ctx);
+ return events_reported;
+ }
+
+-static int __destroy_id(struct ucma_context *ctx)
++/*
++ * When this is called the xarray must have a XA_ZERO_ENTRY in the ctx->id (ie
++ * the ctx is not public to the user). This either because:
++ * - ucma_finish_ctx() hasn't been called
++ * - xa_cmpxchg() succeed to remove the entry (only one thread can succeed)
++ */
++static int ucma_destroy_private_ctx(struct ucma_context *ctx)
+ {
++ int events_reported;
++
+ /*
+- * If the refcount is already 0 then ucma_close_id() has already
+- * destroyed the cm_id, otherwise holding the refcount keeps cm_id
+- * valid. Prevent queue_work() from being called.
++ * Destroy the underlying cm_id. New work queuing is prevented now by
++ * the removal from the xarray. Once the work is cancled ref will either
++ * be 0 because the work ran to completion and consumed the ref from the
++ * xarray, or it will be positive because we still have the ref from the
++ * xarray. This can also be 0 in cases where cm_id was never set
+ */
+- if (refcount_inc_not_zero(&ctx->ref)) {
+- rdma_lock_handler(ctx->cm_id);
+- ctx->destroying = 1;
+- rdma_unlock_handler(ctx->cm_id);
+- ucma_put_ctx(ctx);
+- }
+-
+ cancel_work_sync(&ctx->close_work);
+- /* At this point it's guaranteed that there is no inflight closing task */
+- if (ctx->cm_id)
++ if (refcount_read(&ctx->ref))
+ ucma_close_id(&ctx->close_work);
+- return ucma_free_ctx(ctx);
++
++ events_reported = ucma_cleanup_ctx_events(ctx);
++ ucma_cleanup_multicast(ctx);
++
++ WARN_ON(xa_cmpxchg(&ctx_table, ctx->id, XA_ZERO_ENTRY, NULL,
++ GFP_KERNEL) != NULL);
++ mutex_destroy(&ctx->mutex);
++ kfree(ctx);
++ return events_reported;
+ }
+
+ static ssize_t ucma_destroy_id(struct ucma_file *file, const char __user *inbuf,
+@@ -596,14 +601,17 @@ static ssize_t ucma_destroy_id(struct ucma_file *file, const char __user *inbuf,
+
+ xa_lock(&ctx_table);
+ ctx = _ucma_find_context(cmd.id, file);
+- if (!IS_ERR(ctx))
+- __xa_erase(&ctx_table, ctx->id);
++ if (!IS_ERR(ctx)) {
++ if (__xa_cmpxchg(&ctx_table, ctx->id, ctx, XA_ZERO_ENTRY,
++ GFP_KERNEL) != ctx)
++ ctx = ERR_PTR(-ENOENT);
++ }
+ xa_unlock(&ctx_table);
+
+ if (IS_ERR(ctx))
+ return PTR_ERR(ctx);
+
+- resp.events_reported = __destroy_id(ctx);
++ resp.events_reported = ucma_destroy_private_ctx(ctx);
+ if (copy_to_user(u64_to_user_ptr(cmd.response),
+ &resp, sizeof(resp)))
+ ret = -EFAULT;
+@@ -1777,15 +1785,16 @@ static int ucma_close(struct inode *inode, struct file *filp)
+ * prevented by this being a FD release function. The list_add_tail() in
+ * ucma_connect_event_handler() can run concurrently, however it only
+ * adds to the list *after* a listening ID. By only reading the first of
+- * the list, and relying on __destroy_id() to block
++ * the list, and relying on ucma_destroy_private_ctx() to block
+ * ucma_connect_event_handler(), no additional locking is needed.
+ */
+ while (!list_empty(&file->ctx_list)) {
+ struct ucma_context *ctx = list_first_entry(
+ &file->ctx_list, struct ucma_context, list);
+
+- xa_erase(&ctx_table, ctx->id);
+- __destroy_id(ctx);
++ WARN_ON(xa_cmpxchg(&ctx_table, ctx->id, ctx, XA_ZERO_ENTRY,
++ GFP_KERNEL) != ctx);
++ ucma_destroy_private_ctx(ctx);
+ }
+ kfree(file);
+ return 0;
+--
+2.27.0
+
--- /dev/null
+From 7c32e223fe3817048ac46e0fc8c222626fda64a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Jan 2021 14:16:59 +0200
+Subject: RDMA/umem: Avoid undefined behavior of rounddown_pow_of_two()
+
+From: Aharon Landau <aharonl@nvidia.com>
+
+[ Upstream commit b79f2dc5ffe17b03ec8c55f0d63f65e87bcac676 ]
+
+rounddown_pow_of_two() is undefined when the input is 0. Therefore we need
+to avoid it in ib_umem_find_best_pgsz and return 0. Otherwise, it could
+result in not rejecting an invalid page size which eventually causes a
+kernel oops due to the logical inconsistency.
+
+Fixes: 3361c29e9279 ("RDMA/umem: Use simpler logic for ib_umem_find_best_pgsz()")
+Link: https://lore.kernel.org/r/20210113121703.559778-2-leon@kernel.org
+Signed-off-by: Aharon Landau <aharonl@nvidia.com>
+Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
+Reviewed-by: Maor Gottlieb <maorg@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/umem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c
+index e9fecbdf391bc..5157ae29a4460 100644
+--- a/drivers/infiniband/core/umem.c
++++ b/drivers/infiniband/core/umem.c
+@@ -126,7 +126,7 @@ unsigned long ib_umem_find_best_pgsz(struct ib_umem *umem,
+ */
+ if (mask)
+ pgsz_bitmap &= GENMASK(count_trailing_zeros(mask), 0);
+- return rounddown_pow_of_two(pgsz_bitmap);
++ return pgsz_bitmap ? rounddown_pow_of_two(pgsz_bitmap) : 0;
+ }
+ EXPORT_SYMBOL(ib_umem_find_best_pgsz);
+
+--
+2.27.0
+
--- /dev/null
+From fd5715df28037c43b9cfca54d28c952365b359e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Jan 2021 00:41:04 +0100
+Subject: scsi: megaraid_sas: Fix MEGASAS_IOC_FIRMWARE regression
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit b112036535eda34460677ea883eaecc3a45a435d ]
+
+Phil Oester reported that a fix for a possible buffer overrun that I sent
+caused a regression that manifests in this output:
+
+ Event Message: A PCI parity error was detected on a component at bus 0 device 5 function 0.
+ Severity: Critical
+ Message ID: PCI1308
+
+The original code tried to handle the sense data pointer differently when
+using 32-bit 64-bit DMA addressing, which would lead to a 32-bit dma_addr_t
+value of 0x11223344 to get stored
+
+32-bit kernel: 44 33 22 11 ?? ?? ?? ??
+64-bit LE kernel: 44 33 22 11 00 00 00 00
+64-bit BE kernel: 00 00 00 00 44 33 22 11
+
+or a 64-bit dma_addr_t value of 0x1122334455667788 to get stored as
+
+32-bit kernel: 88 77 66 55 ?? ?? ?? ??
+64-bit kernel: 88 77 66 55 44 33 22 11
+
+In my patch, I tried to ensure that the same value is used on both 32-bit
+and 64-bit kernels, and picked what seemed to be the most sensible
+combination, storing 32-bit addresses in the first four bytes (as 32-bit
+kernels already did), and 64-bit addresses in eight consecutive bytes (as
+64-bit kernels already did), but evidently this was incorrect.
+
+Always storing the dma_addr_t pointer as 64-bit little-endian,
+i.e. initializing the second four bytes to zero in case of 32-bit
+addressing, apparently solved the problem for Phil, and is consistent with
+what all 64-bit little-endian machines did before.
+
+I also checked in the history that in previous versions of the code, the
+pointer was always in the first four bytes without padding, and that
+previous attempts to fix 64-bit user space, big-endian architectures and
+64-bit DMA were clearly flawed and seem to have introduced made this worse.
+
+Link: https://lore.kernel.org/r/20210104234137.438275-1-arnd@kernel.org
+Fixes: 381d34e376e3 ("scsi: megaraid_sas: Check user-provided offsets")
+Fixes: 107a60dd71b5 ("scsi: megaraid_sas: Add support for 64bit consistent DMA")
+Fixes: 94cd65ddf4d7 ("[SCSI] megaraid_sas: addded support for big endian architecture")
+Fixes: 7b2519afa1ab ("[SCSI] megaraid_sas: fix 64 bit sense pointer truncation")
+Reported-by: Phil Oester <kernel@linuxace.com>
+Tested-by: Phil Oester <kernel@linuxace.com>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/megaraid/megaraid_sas_base.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c
+index 9ebeb031329d9..cc45cdac13844 100644
+--- a/drivers/scsi/megaraid/megaraid_sas_base.c
++++ b/drivers/scsi/megaraid/megaraid_sas_base.c
+@@ -8232,11 +8232,9 @@ megasas_mgmt_fw_ioctl(struct megasas_instance *instance,
+ goto out;
+ }
+
++ /* always store 64 bits regardless of addressing */
+ sense_ptr = (void *)cmd->frame + ioc->sense_off;
+- if (instance->consistent_mask_64bit)
+- put_unaligned_le64(sense_handle, sense_ptr);
+- else
+- put_unaligned_le32(sense_handle, sense_ptr);
++ put_unaligned_le64(sense_handle, sense_ptr);
+ }
+
+ /*
+--
+2.27.0
+
--- /dev/null
+From 0a1e271c730138d79212b469470660d23385a6fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Jan 2021 10:53:16 -0800
+Subject: scsi: ufs: Fix tm request when non-fatal error happens
+
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+
+[ Upstream commit eeb1b55b6e25c5f7265ff45cd050f3bc2cc423a4 ]
+
+When non-fatal error like line-reset happens, ufshcd_err_handler() starts
+to abort tasks by ufshcd_try_to_abort_task(). When it tries to issue a task
+management request, we hit two warnings:
+
+WARNING: CPU: 7 PID: 7 at block/blk-core.c:630 blk_get_request+0x68/0x70
+WARNING: CPU: 4 PID: 157 at block/blk-mq-tag.c:82 blk_mq_get_tag+0x438/0x46c
+
+After fixing the above warnings we hit another tm_cmd timeout which may be
+caused by unstable controller state:
+
+__ufshcd_issue_tm_cmd: task management cmd 0x80 timed-out
+
+Then, ufshcd_err_handler() enters full reset, and kernel gets stuck. It
+turned out ufshcd_print_trs() printed too many messages on console which
+requires CPU locks. Likewise hba->silence_err_logs, we need to avoid too
+verbose messages. This is actually not an error case.
+
+Link: https://lore.kernel.org/r/20210107185316.788815-3-jaegeuk@kernel.org
+Fixes: 69a6c269c097 ("scsi: ufs: Use blk_{get,put}_request() to allocate and free TMFs")
+Reviewed-by: Can Guo <cang@codeaurora.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ufs/ufshcd.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
+index 974a4f339ede2..8132893284670 100644
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -4913,7 +4913,8 @@ ufshcd_transfer_rsp_status(struct ufs_hba *hba, struct ufshcd_lrb *lrbp)
+ break;
+ } /* end of switch */
+
+- if ((host_byte(result) != DID_OK) && !hba->silence_err_logs)
++ if ((host_byte(result) != DID_OK) &&
++ (host_byte(result) != DID_REQUEUE) && !hba->silence_err_logs)
+ ufshcd_print_trs(hba, 1 << lrbp->task_tag, true);
+ return result;
+ }
+@@ -6208,9 +6209,13 @@ static irqreturn_t ufshcd_intr(int irq, void *__hba)
+ intr_status = ufshcd_readl(hba, REG_INTERRUPT_STATUS);
+ }
+
+- if (enabled_intr_status && retval == IRQ_NONE) {
+- dev_err(hba->dev, "%s: Unhandled interrupt 0x%08x\n",
+- __func__, intr_status);
++ if (enabled_intr_status && retval == IRQ_NONE &&
++ !ufshcd_eh_in_progress(hba)) {
++ dev_err(hba->dev, "%s: Unhandled interrupt 0x%08x (0x%08x, 0x%08x)\n",
++ __func__,
++ intr_status,
++ hba->ufs_stats.last_intr_status,
++ enabled_intr_status);
+ ufshcd_dump_regs(hba, 0, UFSHCI_REG_SPACE_SIZE, "host_regs: ");
+ }
+
+@@ -6254,7 +6259,10 @@ static int __ufshcd_issue_tm_cmd(struct ufs_hba *hba,
+ * Even though we use wait_event() which sleeps indefinitely,
+ * the maximum wait time is bounded by %TM_CMD_TIMEOUT.
+ */
+- req = blk_get_request(q, REQ_OP_DRV_OUT, BLK_MQ_REQ_RESERVED);
++ req = blk_get_request(q, REQ_OP_DRV_OUT, 0);
++ if (IS_ERR(req))
++ return PTR_ERR(req);
++
+ req->end_io_data = &wait;
+ free_slot = req->tag;
+ WARN_ON_ONCE(free_slot < 0 || free_slot >= hba->nutmrs);
+--
+2.27.0
+
--- /dev/null
+From 4ca5ce8dbf665fcbe24d7b558f9a9f307515128b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Jan 2021 20:08:22 -0800
+Subject: scsi: ufs: ufshcd-pltfrm depends on HAS_IOMEM
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 5e6ddadf7637d336acaad1df1f3bcbb07f7d104d ]
+
+Building ufshcd-pltfrm.c on arch/s390/ has a linker error since S390 does
+not support IOMEM, so add a dependency on HAS_IOMEM.
+
+s390-linux-ld: drivers/scsi/ufs/ufshcd-pltfrm.o: in function `ufshcd_pltfrm_init':
+ufshcd-pltfrm.c:(.text+0x38e): undefined reference to `devm_platform_ioremap_resource'
+
+where that devm_ function is inside an #ifdef CONFIG_HAS_IOMEM/#endif
+block.
+
+Link: lore.kernel.org/r/202101031125.ZEFCUiKi-lkp@intel.com
+Link: https://lore.kernel.org/r/20210106040822.933-1-rdunlap@infradead.org
+Fixes: 03b1781aa978 ("[SCSI] ufs: Add Platform glue driver for ufshcd")
+Cc: "James E.J. Bottomley" <jejb@linux.ibm.com>
+Cc: "Martin K. Petersen" <martin.petersen@oracle.com>
+Cc: Alim Akhtar <alim.akhtar@samsung.com>
+Cc: Avri Altman <avri.altman@wdc.com>
+Cc: linux-scsi@vger.kernel.org
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ufs/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/ufs/Kconfig b/drivers/scsi/ufs/Kconfig
+index dcdb4eb1f90ba..c339517b7a094 100644
+--- a/drivers/scsi/ufs/Kconfig
++++ b/drivers/scsi/ufs/Kconfig
+@@ -72,6 +72,7 @@ config SCSI_UFS_DWC_TC_PCI
+ config SCSI_UFSHCD_PLATFORM
+ tristate "Platform bus based UFS Controller support"
+ depends on SCSI_UFSHCD
++ depends on HAS_IOMEM
+ help
+ This selects the UFS host controller support. Select this if
+ you have an UFS controller on Platform bus.
+--
+2.27.0
+
--- /dev/null
+From 84a5488a0b0b6f5363a4ea91c885691e6675ab52 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Jan 2021 10:59:30 +0800
+Subject: selftests: net: fib_tests: remove duplicate log test
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit fd23d2dc180fccfad4b27a8e52ba1bc415d18509 ]
+
+The previous test added an address with a specified metric and check if
+correspond route was created. I somehow added two logs for the same
+test. Remove the duplicated one.
+
+Reported-by: Antoine Tenart <atenart@redhat.com>
+Fixes: 0d29169a708b ("selftests/net/fib_tests: update addr_metric_test for peer route testing")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://lore.kernel.org/r/20210119025930.2810532-1-liuhangbin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/fib_tests.sh | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/fib_tests.sh b/tools/testing/selftests/net/fib_tests.sh
+index 84205c3a55ebe..2b5707738609e 100755
+--- a/tools/testing/selftests/net/fib_tests.sh
++++ b/tools/testing/selftests/net/fib_tests.sh
+@@ -1055,7 +1055,6 @@ ipv6_addr_metric_test()
+
+ check_route6 "2001:db8:104::1 dev dummy2 proto kernel metric 260"
+ log_test $? 0 "Set metric with peer route on local side"
+- log_test $? 0 "User specified metric on local address"
+ check_route6 "2001:db8:104::2 dev dummy2 proto kernel metric 260"
+ log_test $? 0 "Set metric with peer route on peer side"
+
+--
+2.27.0
+
risc-v-set-current-memblock-limit.patch
risc-v-fix-maximum-allowed-phsyical-memory-for-rv32.patch
x86-xen-fix-nopvspin-build-error.patch
+nfsd-fixes-for-nfsd4_encode_read_plus_data.patch
+nfsd-don-t-set-eof-on-a-truncated-read_plus.patch
+gpiolib-cdev-fix-frame-size-warning-in-gpio_ioctl.patch
+pinctrl-aspeed-g6-fix-pwmg0-pinctrl-setting.patch
+pinctrl-mediatek-fix-fallback-call-path.patch
+rdma-ucma-do-not-miss-ctx-destruction-steps-in-some-.patch
+btrfs-print-the-actual-offset-in-btrfs_root_name.patch
+scsi-megaraid_sas-fix-megasas_ioc_firmware-regressio.patch
+scsi-ufs-ufshcd-pltfrm-depends-on-has_iomem.patch
+scsi-ufs-fix-tm-request-when-non-fatal-error-happens.patch
+crypto-omap-sham-fix-link-error-without-crypto-engin.patch
+bpf-prevent-double-bpf_prog_put-call-from-bpf_tracin.patch
+powerpc-use-the-common-init_data_section-macro-in-vm.patch
+powerpc-fix-alignment-bug-within-the-init-sections.patch
+arm64-entry-remove-redundant-irq-flag-tracing.patch
+bpf-reject-too-big-ctx_size_in-for-raw_tp-test-run.patch
+drm-amdkfd-fix-out-of-bounds-read-in-kdf_create_vcra.patch
+rdma-umem-avoid-undefined-behavior-of-rounddown_pow_.patch
+rdma-cma-fix-error-flow-in-default_roce_mode_store.patch
+printk-ringbuffer-fix-line-counting.patch
+printk-fix-kmsg_dump_get_buffer-length-calulations.patch
+iov_iter-fix-the-uaccess-area-in-copy_compat_iovec_f.patch
+i2c-octeon-check-correct-size-of-maximum-recv_len-pa.patch
+drm-vc4-unify-pcm-card-s-driver_name.patch
+platform-x86-intel-vbtn-drop-hp-stream-x360-converti.patch
+platform-x86-hp-wmi-don-t-log-a-warning-on-hpwmi_ret.patch
+gpio-sifive-select-irq_domain_hierarchy-rather-than-.patch
+alsa-hda-balance-runtime-system-pm-if-direct-complet.patch
+xsk-clear-pool-even-for-inactive-queues.patch
+selftests-net-fib_tests-remove-duplicate-log-test.patch
+can-dev-can_restart-fix-use-after-free-bug.patch
+can-vxcan-vxcan_xmit-fix-use-after-free-bug.patch
+can-peak_usb-fix-use-after-free-bugs.patch
+perf-evlist-fix-id-index-for-heterogeneous-systems.patch
+i2c-sprd-depend-on-common_clk-to-fix-compile-tests.patch
--- /dev/null
+From 1f5f09cedbad60fabd46671578bb8eb96272480a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Jan 2021 18:03:33 +0200
+Subject: xsk: Clear pool even for inactive queues
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maxim Mikityanskiy <maximmi@mellanox.com>
+
+[ Upstream commit b425e24a934e21a502d25089c6c7443d799c5594 ]
+
+The number of queues can change by other means, rather than ethtool. For
+example, attaching an mqprio qdisc with num_tc > 1 leads to creating
+multiple sets of TX queues, which may be then destroyed when mqprio is
+deleted. If an AF_XDP socket is created while mqprio is active,
+dev->_tx[queue_id].pool will be filled, but then real_num_tx_queues may
+decrease with deletion of mqprio, which will mean that the pool won't be
+NULLed, and a further increase of the number of TX queues may expose a
+dangling pointer.
+
+To avoid any potential misbehavior, this commit clears pool for RX and
+TX queues, regardless of real_num_*_queues, still taking into
+consideration num_*_queues to avoid overflows.
+
+Fixes: 1c1efc2af158 ("xsk: Create and free buffer pool independently from umem")
+Fixes: a41b4f3c58dd ("xsk: simplify xdp_clear_umem_at_qid implementation")
+Signed-off-by: Maxim Mikityanskiy <maximmi@mellanox.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Björn Töpel <bjorn.topel@intel.com>
+Link: https://lore.kernel.org/bpf/20210118160333.333439-1-maximmi@mellanox.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xdp/xsk.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
+index d5f42c62fd79e..52fd1f96b241e 100644
+--- a/net/xdp/xsk.c
++++ b/net/xdp/xsk.c
+@@ -107,9 +107,9 @@ EXPORT_SYMBOL(xsk_get_pool_from_qid);
+
+ void xsk_clear_pool_at_qid(struct net_device *dev, u16 queue_id)
+ {
+- if (queue_id < dev->real_num_rx_queues)
++ if (queue_id < dev->num_rx_queues)
+ dev->_rx[queue_id].pool = NULL;
+- if (queue_id < dev->real_num_tx_queues)
++ if (queue_id < dev->num_tx_queues)
+ dev->_tx[queue_id].pool = NULL;
+ }
+
+--
+2.27.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
