--- /dev/null
+From 2cc3041ebfcf354f2c0934d9e0ee551de979aa9f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Nov 2021 14:15:38 -0600
+Subject: ata: ahci: Add Green Sardine vendor ID as board_ahci_mobile
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+[ Upstream commit 1527f69204fe35f341cb599f1cb01bd02daf4374 ]
+
+AMD requires that the SATA controller be configured for devsleep in order
+for S0i3 entry to work properly.
+
+commit b1a9585cc396 ("ata: ahci: Enable DEVSLP by default on x86 with
+SLP_S0") sets up a kernel policy to enable devsleep on Intel mobile
+platforms that are using s0ix. Add the PCI ID for the SATA controller in
+Green Sardine platforms to extend this policy by default for AMD based
+systems using s0i3 as well.
+
+Cc: Nehal-bakulchandra Shah <Nehal-bakulchandra.Shah@amd.com>
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=214091
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/ahci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c
+index 8beb418ce167b..6f572967b5552 100644
+--- a/drivers/ata/ahci.c
++++ b/drivers/ata/ahci.c
+@@ -420,6 +420,7 @@ static const struct pci_device_id ahci_pci_tbl[] = {
+ /* AMD */
+ { PCI_VDEVICE(AMD, 0x7800), board_ahci }, /* AMD Hudson-2 */
+ { PCI_VDEVICE(AMD, 0x7900), board_ahci }, /* AMD CZ */
++ { PCI_VDEVICE(AMD, 0x7901), board_ahci_mobile }, /* AMD Green Sardine */
+ /* AMD is using RAID class only for ahci controllers */
+ { PCI_VENDOR_ID_AMD, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
+ PCI_CLASS_STORAGE_RAID << 8, 0xffffff, board_ahci },
+--
+2.33.0
+
--- /dev/null
+From db888225e1ed1cd86a763e2f33923a4face3a86e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 13 Nov 2021 22:24:40 -0500
+Subject: atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_wait
+
+From: Zekun Shen <bruceshenzk@gmail.com>
+
+[ Upstream commit b922f622592af76b57cbc566eaeccda0b31a3496 ]
+
+This bug report shows up when running our research tools. The
+reports is SOOB read, but it seems SOOB write is also possible
+a few lines below.
+
+In details, fw.len and sw.len are inputs coming from io. A len
+over the size of self->rpc triggers SOOB. The patch fixes the
+bugs by adding sanity checks.
+
+The bugs are triggerable with compromised/malfunctioning devices.
+They are potentially exploitable given they first leak up to
+0xffff bytes and able to overwrite the region later.
+
+The patch is tested with QEMU emulater.
+This is NOT tested with a real device.
+
+Attached is the log we found by fuzzing.
+
+BUG: KASAN: slab-out-of-bounds in
+ hw_atl_utils_fw_upload_dwords+0x393/0x3c0 [atlantic]
+Read of size 4 at addr ffff888016260b08 by task modprobe/213
+CPU: 0 PID: 213 Comm: modprobe Not tainted 5.6.0 #1
+Call Trace:
+ dump_stack+0x76/0xa0
+ print_address_description.constprop.0+0x16/0x200
+ ? hw_atl_utils_fw_upload_dwords+0x393/0x3c0 [atlantic]
+ ? hw_atl_utils_fw_upload_dwords+0x393/0x3c0 [atlantic]
+ __kasan_report.cold+0x37/0x7c
+ ? aq_hw_read_reg_bit+0x60/0x70 [atlantic]
+ ? hw_atl_utils_fw_upload_dwords+0x393/0x3c0 [atlantic]
+ kasan_report+0xe/0x20
+ hw_atl_utils_fw_upload_dwords+0x393/0x3c0 [atlantic]
+ hw_atl_utils_fw_rpc_call+0x95/0x130 [atlantic]
+ hw_atl_utils_fw_rpc_wait+0x176/0x210 [atlantic]
+ hw_atl_utils_mpi_create+0x229/0x2e0 [atlantic]
+ ? hw_atl_utils_fw_rpc_wait+0x210/0x210 [atlantic]
+ ? hw_atl_utils_initfw+0x9f/0x1c8 [atlantic]
+ hw_atl_utils_initfw+0x12a/0x1c8 [atlantic]
+ aq_nic_ndev_register+0x88/0x650 [atlantic]
+ ? aq_nic_ndev_init+0x235/0x3c0 [atlantic]
+ aq_pci_probe+0x731/0x9b0 [atlantic]
+ ? aq_pci_func_init+0xc0/0xc0 [atlantic]
+ local_pci_probe+0xd3/0x160
+ pci_device_probe+0x23f/0x3e0
+
+Reported-by: Brendan Dolan-Gavitt <brendandg@nyu.edu>
+Signed-off-by: Zekun Shen <bruceshenzk@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c
+index 873f9865f0d15..b7d70c33459fd 100644
+--- a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c
++++ b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c
+@@ -481,6 +481,11 @@ int hw_atl_utils_fw_rpc_wait(struct aq_hw_s *self,
+ goto err_exit;
+
+ if (fw.len == 0xFFFFU) {
++ if (sw.len > sizeof(self->rpc)) {
++ printk(KERN_INFO "Invalid sw len: %x\n", sw.len);
++ err = -EINVAL;
++ goto err_exit;
++ }
+ err = hw_atl_utils_fw_rpc_call(self, sw.len);
+ if (err < 0)
+ goto err_exit;
+@@ -489,6 +494,11 @@ int hw_atl_utils_fw_rpc_wait(struct aq_hw_s *self,
+
+ if (rpc) {
+ if (fw.len) {
++ if (fw.len > sizeof(self->rpc)) {
++ printk(KERN_INFO "Invalid fw len: %x\n", fw.len);
++ err = -EINVAL;
++ goto err_exit;
++ }
+ err =
+ hw_atl_utils_fw_downld_dwords(self,
+ self->rpc_addr,
+--
+2.33.0
+
--- /dev/null
+From 416ca35ae6fa23ddb1e91045cbed32f0bf2d7d70 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Oct 2021 06:32:54 +0800
+Subject: btrfs: check-integrity: fix a warning on write caching disabled disk
+
+From: Wang Yugui <wangyugui@e16-tech.com>
+
+[ Upstream commit a91cf0ffbc244792e0b3ecf7d0fddb2f344b461f ]
+
+When a disk has write caching disabled, we skip submission of a bio with
+flush and sync requests before writing the superblock, since it's not
+needed. However when the integrity checker is enabled, this results in
+reports that there are metadata blocks referred by a superblock that
+were not properly flushed. So don't skip the bio submission only when
+the integrity checker is enabled for the sake of simplicity, since this
+is a debug tool and not meant for use in non-debug builds.
+
+fstests/btrfs/220 trigger a check-integrity warning like the following
+when CONFIG_BTRFS_FS_CHECK_INTEGRITY=y and the disk with WCE=0.
+
+ btrfs: attempt to write superblock which references block M @5242880 (sdb2/5242880/0) which is not flushed out of disk's write cache (block flush_gen=1, dev->flush_gen=0)!
+ ------------[ cut here ]------------
+ WARNING: CPU: 28 PID: 843680 at fs/btrfs/check-integrity.c:2196 btrfsic_process_written_superblock+0x22a/0x2a0 [btrfs]
+ CPU: 28 PID: 843680 Comm: umount Not tainted 5.15.0-0.rc5.39.el8.x86_64 #1
+ Hardware name: Dell Inc. Precision T7610/0NK70N, BIOS A18 09/11/2019
+ RIP: 0010:btrfsic_process_written_superblock+0x22a/0x2a0 [btrfs]
+ RSP: 0018:ffffb642afb47940 EFLAGS: 00010246
+ RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
+ RDX: 00000000ffffffff RSI: ffff8b722fc97d00 RDI: ffff8b722fc97d00
+ RBP: ffff8b5601c00000 R08: 0000000000000000 R09: c0000000ffff7fff
+ R10: 0000000000000001 R11: ffffb642afb476f8 R12: ffffffffffffffff
+ R13: ffffb642afb47974 R14: ffff8b5499254c00 R15: 0000000000000003
+ FS: 00007f00a06d4080(0000) GS:ffff8b722fc80000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007fff5cff5ff0 CR3: 00000001c0c2a006 CR4: 00000000001706e0
+ Call Trace:
+ btrfsic_process_written_block+0x2f7/0x850 [btrfs]
+ __btrfsic_submit_bio.part.19+0x310/0x330 [btrfs]
+ ? bio_associate_blkg_from_css+0xa4/0x2c0
+ btrfsic_submit_bio+0x18/0x30 [btrfs]
+ write_dev_supers+0x81/0x2a0 [btrfs]
+ ? find_get_pages_range_tag+0x219/0x280
+ ? pagevec_lookup_range_tag+0x24/0x30
+ ? __filemap_fdatawait_range+0x6d/0xf0
+ ? __raw_callee_save___native_queued_spin_unlock+0x11/0x1e
+ ? find_first_extent_bit+0x9b/0x160 [btrfs]
+ ? __raw_callee_save___native_queued_spin_unlock+0x11/0x1e
+ write_all_supers+0x1b3/0xa70 [btrfs]
+ ? __raw_callee_save___native_queued_spin_unlock+0x11/0x1e
+ btrfs_commit_transaction+0x59d/0xac0 [btrfs]
+ close_ctree+0x11d/0x339 [btrfs]
+ generic_shutdown_super+0x71/0x110
+ kill_anon_super+0x14/0x30
+ btrfs_kill_super+0x12/0x20 [btrfs]
+ deactivate_locked_super+0x31/0x70
+ cleanup_mnt+0xb8/0x140
+ task_work_run+0x6d/0xb0
+ exit_to_user_mode_prepare+0x1f0/0x200
+ syscall_exit_to_user_mode+0x12/0x30
+ do_syscall_64+0x46/0x80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+ RIP: 0033:0x7f009f711dfb
+ RSP: 002b:00007fff5cff7928 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
+ RAX: 0000000000000000 RBX: 000055b68c6c9970 RCX: 00007f009f711dfb
+ RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000055b68c6c9b50
+ RBP: 0000000000000000 R08: 000055b68c6ca900 R09: 00007f009f795580
+ R10: 0000000000000000 R11: 0000000000000246 R12: 000055b68c6c9b50
+ R13: 00007f00a04bf184 R14: 0000000000000000 R15: 00000000ffffffff
+ ---[ end trace 2c4b82abcef9eec4 ]---
+ S-65536(sdb2/65536/1)
+ -->
+ M-1064960(sdb2/1064960/1)
+
+Reviewed-by: Filipe Manana <fdmanana@gmail.com>
+Signed-off-by: Wang Yugui <wangyugui@e16-tech.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/disk-io.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
+index 1499531bc1511..f18c6d97932ed 100644
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -3636,11 +3636,23 @@ static void btrfs_end_empty_barrier(struct bio *bio)
+ */
+ static void write_dev_flush(struct btrfs_device *device)
+ {
+- struct request_queue *q = bdev_get_queue(device->bdev);
+ struct bio *bio = device->flush_bio;
+
++#ifndef CONFIG_BTRFS_FS_CHECK_INTEGRITY
++ /*
++ * When a disk has write caching disabled, we skip submission of a bio
++ * with flush and sync requests before writing the superblock, since
++ * it's not needed. However when the integrity checker is enabled, this
++ * results in reports that there are metadata blocks referred by a
++ * superblock that were not properly flushed. So don't skip the bio
++ * submission only when the integrity checker is enabled for the sake
++ * of simplicity, since this is a debug tool and not meant for use in
++ * non-debug builds.
++ */
++ struct request_queue *q = bdev_get_queue(device->bdev);
+ if (!test_bit(QUEUE_FLAG_WC, &q->queue_flags))
+ return;
++#endif
+
+ bio_reset(bio);
+ bio->bi_end_io = btrfs_end_empty_barrier;
+--
+2.33.0
+
--- /dev/null
+From f3da08b19ac05f553ea5200e53f6604235f606e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Nov 2021 22:23:51 -0500
+Subject: drm/sun4i: fix unmet dependency on RESET_CONTROLLER for
+ PHY_SUN6I_MIPI_DPHY
+
+From: Julian Braha <julianbraha@gmail.com>
+
+[ Upstream commit bb162bb2b4394108c8f055d1b115735331205e28 ]
+
+When PHY_SUN6I_MIPI_DPHY is selected, and RESET_CONTROLLER
+is not selected, Kbuild gives the following warning:
+
+WARNING: unmet direct dependencies detected for PHY_SUN6I_MIPI_DPHY
+ Depends on [n]: (ARCH_SUNXI [=n] || COMPILE_TEST [=y]) && HAS_IOMEM [=y] && COMMON_CLK [=y] && RESET_CONTROLLER [=n]
+ Selected by [y]:
+ - DRM_SUN6I_DSI [=y] && HAS_IOMEM [=y] && DRM_SUN4I [=y]
+
+This is because DRM_SUN6I_DSI selects PHY_SUN6I_MIPI_DPHY
+without selecting or depending on RESET_CONTROLLER, despite
+PHY_SUN6I_MIPI_DPHY depending on RESET_CONTROLLER.
+
+These unmet dependency bugs were detected by Kismet,
+a static analysis tool for Kconfig. Please advise if this
+is not the appropriate solution.
+
+v2:
+Fixed indentation to match the rest of the file.
+
+Signed-off-by: Julian Braha <julianbraha@gmail.com>
+Acked-by: Jernej Skrabec <jernej.skrabec@gmail.com>
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Link: https://patchwork.freedesktop.org/patch/msgid/20211109032351.43322-1-julianbraha@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/sun4i/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/sun4i/Kconfig b/drivers/gpu/drm/sun4i/Kconfig
+index 37e90e42943f6..0e2d304f0d83f 100644
+--- a/drivers/gpu/drm/sun4i/Kconfig
++++ b/drivers/gpu/drm/sun4i/Kconfig
+@@ -46,6 +46,7 @@ config DRM_SUN6I_DSI
+ default MACH_SUN8I
+ select CRC_CCITT
+ select DRM_MIPI_DSI
++ select RESET_CONTROLLER
+ select PHY_SUN6I_MIPI_DPHY
+ help
+ Choose this option if you want have an Allwinner SoC with
+--
+2.33.0
+
--- /dev/null
+From a554daf526b571cf9034043d0a073ab6533ab5da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Nov 2021 11:44:53 +0800
+Subject: ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array
+ overflow in hns_dsaf_ge_srst_by_port()
+
+From: Teng Qi <starmiku1207184332@gmail.com>
+
+[ Upstream commit a66998e0fbf213d47d02813b9679426129d0d114 ]
+
+The if statement:
+ if (port >= DSAF_GE_NUM)
+ return;
+
+limits the value of port less than DSAF_GE_NUM (i.e., 8).
+However, if the value of port is 6 or 7, an array overflow could occur:
+ port_rst_off = dsaf_dev->mac_cb[port]->port_rst_off;
+
+because the length of dsaf_dev->mac_cb is DSAF_MAX_PORT_NUM (i.e., 6).
+
+To fix this possible array overflow, we first check port and if it is
+greater than or equal to DSAF_MAX_PORT_NUM, the function returns.
+
+Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
+Signed-off-by: Teng Qi <starmiku1207184332@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c
+index ed3829ae4ef1b..580199fdd0c22 100644
+--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c
++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c
+@@ -398,6 +398,10 @@ static void hns_dsaf_ge_srst_by_port(struct dsaf_device *dsaf_dev, u32 port,
+ return;
+
+ if (!HNS_DSAF_IS_DEBUG(dsaf_dev)) {
++ /* DSAF_MAX_PORT_NUM is 6, but DSAF_GE_NUM is 8.
++ We need check to prevent array overflow */
++ if (port >= DSAF_MAX_PORT_NUM)
++ return;
+ reg_val_1 = 0x1 << port;
+ port_rst_off = dsaf_dev->mac_cb[port]->port_rst_off;
+ /* there is difference between V1 and V2 in register.*/
+--
+2.33.0
+
--- /dev/null
+From f8d963ae1ce01a6a7da5556ff1e5a35b5bfe6804 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 6 Nov 2021 00:18:56 +0100
+Subject: gfs2: Fix length of holes reported at end-of-file
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+[ Upstream commit f3506eee81d1f700d9ee2d2f4a88fddb669ec032 ]
+
+Fix the length of holes reported at the end of a file: the length is
+relative to the beginning of the extent, not the seek position which is
+rounded down to the filesystem block size.
+
+This bug went unnoticed for some time, but is now caught by the
+following assertion in iomap_iter_done():
+
+ WARN_ON_ONCE(iter->iomap.offset + iter->iomap.length <= iter->pos)
+
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/gfs2/bmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/gfs2/bmap.c b/fs/gfs2/bmap.c
+index aaec3c5b02028..dec5285a02e9d 100644
+--- a/fs/gfs2/bmap.c
++++ b/fs/gfs2/bmap.c
+@@ -940,7 +940,7 @@ static int gfs2_iomap_get(struct inode *inode, loff_t pos, loff_t length,
+ else if (height == ip->i_height)
+ ret = gfs2_hole_size(inode, lblock, len, mp, iomap);
+ else
+- iomap->length = size - pos;
++ iomap->length = size - iomap->offset;
+ } else if (flags & IOMAP_WRITE) {
+ u64 alloc_size;
+
+--
+2.33.0
+
--- /dev/null
+From 34a869ffdcfb4b14fc90fe7d09a4efc4668b9b8f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Nov 2021 10:46:57 +0800
+Subject: mac80211: do not access the IV when it was stripped
+
+From: Xing Song <xing.song@mediatek.com>
+
+[ Upstream commit 77dfc2bc0bb4b8376ecd7a430f27a4a8fff6a5a0 ]
+
+ieee80211_get_keyid() will return false value if IV has been stripped,
+such as return 0 for IP/ARP frames due to LLC header, and return -EINVAL
+for disassociation frames due to its length... etc. Don't try to access
+it if it's not present.
+
+Signed-off-by: Xing Song <xing.song@mediatek.com>
+Link: https://lore.kernel.org/r/20211101024657.143026-1-xing.song@mediatek.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/rx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
+index c7e6bf7c22c78..282bf336b15a4 100644
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -1918,7 +1918,8 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
+ int keyid = rx->sta->ptk_idx;
+ sta_ptk = rcu_dereference(rx->sta->ptk[keyid]);
+
+- if (ieee80211_has_protected(fc)) {
++ if (ieee80211_has_protected(fc) &&
++ !(status->flag & RX_FLAG_IV_STRIPPED)) {
+ cs = rx->sta->cipher_scheme;
+ keyid = ieee80211_get_keyid(rx->skb, cs);
+
+--
+2.33.0
+
--- /dev/null
+From 1c2a13155d119aa4fc537108ba393e8ec2166206 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Nov 2021 15:01:18 +0800
+Subject: net: ethernet: dec: tulip: de4x5: fix possible array overflows in
+ type3_infoblock()
+
+From: Teng Qi <starmiku1207184332@gmail.com>
+
+[ Upstream commit 0fa68da72c3be09e06dd833258ee89c33374195f ]
+
+The definition of macro MOTO_SROM_BUG is:
+ #define MOTO_SROM_BUG (lp->active == 8 && (get_unaligned_le32(
+ dev->dev_addr) & 0x00ffffff) == 0x3e0008)
+
+and the if statement
+ if (MOTO_SROM_BUG) lp->active = 0;
+
+using this macro indicates lp->active could be 8. If lp->active is 8 and
+the second comparison of this macro is false. lp->active will remain 8 in:
+ lp->phy[lp->active].gep = (*p ? p : NULL); p += (2 * (*p) + 1);
+ lp->phy[lp->active].rst = (*p ? p : NULL); p += (2 * (*p) + 1);
+ lp->phy[lp->active].mc = get_unaligned_le16(p); p += 2;
+ lp->phy[lp->active].ana = get_unaligned_le16(p); p += 2;
+ lp->phy[lp->active].fdx = get_unaligned_le16(p); p += 2;
+ lp->phy[lp->active].ttm = get_unaligned_le16(p); p += 2;
+ lp->phy[lp->active].mci = *p;
+
+However, the length of array lp->phy is 8, so array overflows can occur.
+To fix these possible array overflows, we first check lp->active and then
+return -EINVAL if it is greater or equal to ARRAY_SIZE(lp->phy) (i.e. 8).
+
+Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
+Signed-off-by: Teng Qi <starmiku1207184332@gmail.com>
+Reviewed-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/dec/tulip/de4x5.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/dec/tulip/de4x5.c b/drivers/net/ethernet/dec/tulip/de4x5.c
+index a80252973171f..c97fc0e384ca6 100644
+--- a/drivers/net/ethernet/dec/tulip/de4x5.c
++++ b/drivers/net/ethernet/dec/tulip/de4x5.c
+@@ -4708,6 +4708,10 @@ type3_infoblock(struct net_device *dev, u_char count, u_char *p)
+ lp->ibn = 3;
+ lp->active = *p++;
+ if (MOTO_SROM_BUG) lp->active = 0;
++ /* if (MOTO_SROM_BUG) statement indicates lp->active could
++ * be 8 (i.e. the size of array lp->phy) */
++ if (WARN_ON(lp->active >= ARRAY_SIZE(lp->phy)))
++ return -EINVAL;
+ lp->phy[lp->active].gep = (*p ? p : NULL); p += (2 * (*p) + 1);
+ lp->phy[lp->active].rst = (*p ? p : NULL); p += (2 * (*p) + 1);
+ lp->phy[lp->active].mc = get_unaligned_le16(p); p += 2;
+--
+2.33.0
+
--- /dev/null
+From 83d6e5de7d6cc1fd41236aecd4d88d96f5c961b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Nov 2021 16:14:48 +0800
+Subject: net: return correct error code
+
+From: liuguoqiang <liuguoqiang@uniontech.com>
+
+[ Upstream commit 6def480181f15f6d9ec812bca8cbc62451ba314c ]
+
+When kmemdup called failed and register_net_sysctl return NULL, should
+return ENOMEM instead of ENOBUFS
+
+Signed-off-by: liuguoqiang <liuguoqiang@uniontech.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/devinet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
+index 603a3495afa62..4a8ad46397c0e 100644
+--- a/net/ipv4/devinet.c
++++ b/net/ipv4/devinet.c
+@@ -2585,7 +2585,7 @@ static int __devinet_sysctl_register(struct net *net, char *dev_name,
+ free:
+ kfree(t);
+ out:
+- return -ENOBUFS;
++ return -ENOMEM;
+ }
+
+ static void __devinet_sysctl_unregister(struct net *net,
+--
+2.33.0
+
--- /dev/null
+From 6ab6f92f63d1fec35fd94e22e9e5b43c12e808e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Nov 2021 20:32:53 +0800
+Subject: net/smc: Avoid warning of possible recursive locking
+
+From: Wen Gu <guwen@linux.alibaba.com>
+
+[ Upstream commit 7a61432dc81375be06b02f0061247d3efbdfce3a ]
+
+Possible recursive locking is detected by lockdep when SMC
+falls back to TCP. The corresponding warnings are as follows:
+
+ ============================================
+ WARNING: possible recursive locking detected
+ 5.16.0-rc1+ #18 Tainted: G E
+ --------------------------------------------
+ wrk/1391 is trying to acquire lock:
+ ffff975246c8e7d8 (&ei->socket.wq.wait){..-.}-{3:3}, at: smc_switch_to_fallback+0x109/0x250 [smc]
+
+ but task is already holding lock:
+ ffff975246c8f918 (&ei->socket.wq.wait){..-.}-{3:3}, at: smc_switch_to_fallback+0xfe/0x250 [smc]
+
+ other info that might help us debug this:
+ Possible unsafe locking scenario:
+
+ CPU0
+ ----
+ lock(&ei->socket.wq.wait);
+ lock(&ei->socket.wq.wait);
+
+ *** DEADLOCK ***
+
+ May be due to missing lock nesting notation
+
+ 2 locks held by wrk/1391:
+ #0: ffff975246040130 (sk_lock-AF_SMC){+.+.}-{0:0}, at: smc_connect+0x43/0x150 [smc]
+ #1: ffff975246c8f918 (&ei->socket.wq.wait){..-.}-{3:3}, at: smc_switch_to_fallback+0xfe/0x250 [smc]
+
+ stack backtrace:
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x56/0x7b
+ __lock_acquire+0x951/0x11f0
+ lock_acquire+0x27a/0x320
+ ? smc_switch_to_fallback+0x109/0x250 [smc]
+ ? smc_switch_to_fallback+0xfe/0x250 [smc]
+ _raw_spin_lock_irq+0x3b/0x80
+ ? smc_switch_to_fallback+0x109/0x250 [smc]
+ smc_switch_to_fallback+0x109/0x250 [smc]
+ smc_connect_fallback+0xe/0x30 [smc]
+ __smc_connect+0xcf/0x1090 [smc]
+ ? mark_held_locks+0x61/0x80
+ ? __local_bh_enable_ip+0x77/0xe0
+ ? lockdep_hardirqs_on+0xbf/0x130
+ ? smc_connect+0x12a/0x150 [smc]
+ smc_connect+0x12a/0x150 [smc]
+ __sys_connect+0x8a/0xc0
+ ? syscall_enter_from_user_mode+0x20/0x70
+ __x64_sys_connect+0x16/0x20
+ do_syscall_64+0x34/0x90
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+The nested locking in smc_switch_to_fallback() is considered to
+possibly cause a deadlock because smc_wait->lock and clc_wait->lock
+are the same type of lock. But actually it is safe so far since
+there is no other place trying to obtain smc_wait->lock when
+clc_wait->lock is held. So the patch replaces spin_lock() with
+spin_lock_nested() to avoid false report by lockdep.
+
+Link: https://lkml.org/lkml/2021/11/19/962
+Fixes: 2153bd1e3d3d ("Transfer remaining wait queue entries during fallback")
+Reported-by: syzbot+e979d3597f48262cb4ee@syzkaller.appspotmail.com
+Signed-off-by: Wen Gu <guwen@linux.alibaba.com>
+Acked-by: Tony Lu <tonylu@linux.alibaba.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/af_smc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
+index 00d3787387172..fa3b20e5f4608 100644
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -483,7 +483,7 @@ static void smc_switch_to_fallback(struct smc_sock *smc)
+ * to clcsocket->wq during the fallback.
+ */
+ spin_lock_irqsave(&smc_wait->lock, flags);
+- spin_lock(&clc_wait->lock);
++ spin_lock_nested(&clc_wait->lock, SINGLE_DEPTH_NESTING);
+ list_splice_init(&smc_wait->head, &clc_wait->head);
+ spin_unlock(&clc_wait->lock);
+ spin_unlock_irqrestore(&smc_wait->lock, flags);
+--
+2.33.0
+
--- /dev/null
+From 9fc4d1ea9100cc4998f2cf101c101a338dd85dbb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 13 Nov 2021 15:33:35 +0800
+Subject: net/smc: Transfer remaining wait queue entries during fallback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wen Gu <guwen@linux.alibaba.com>
+
+[ Upstream commit 2153bd1e3d3dbf6a3403572084ef6ed31c53c5f0 ]
+
+The SMC fallback is incomplete currently. There may be some
+wait queue entries remaining in smc socket->wq, which should
+be removed to clcsocket->wq during the fallback.
+
+For example, in nginx/wrk benchmark, this issue causes an
+all-zeros test result:
+
+server: nginx -g 'daemon off;'
+client: smc_run wrk -c 1 -t 1 -d 5 http://11.200.15.93/index.html
+
+ Running 5s test @ http://11.200.15.93/index.html
+ 1 threads and 1 connections
+ Thread Stats Avg Stdev Max ± Stdev
+ Latency 0.00us 0.00us 0.00us -nan%
+ Req/Sec 0.00 0.00 0.00 -nan%
+ 0 requests in 5.00s, 0.00B read
+ Requests/sec: 0.00
+ Transfer/sec: 0.00B
+
+The reason for this all-zeros result is that when wrk used SMC
+to replace TCP, it added an eppoll_entry into smc socket->wq
+and expected to be notified if epoll events like EPOLL_IN/
+EPOLL_OUT occurred on the smc socket.
+
+However, once a fallback occurred, wrk switches to use clcsocket.
+Now it is clcsocket->wq instead of smc socket->wq which will
+be woken up. The eppoll_entry remaining in smc socket->wq does
+not work anymore and wrk stops the test.
+
+This patch fixes this issue by removing remaining wait queue
+entries from smc socket->wq to clcsocket->wq during the fallback.
+
+Link: https://www.spinics.net/lists/netdev/msg779769.html
+Signed-off-by: Wen Gu <guwen@linux.alibaba.com>
+Reviewed-by: Tony Lu <tonylu@linux.alibaba.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/af_smc.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
+index 5e1493f8deba7..00d3787387172 100644
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -467,12 +467,26 @@ static void smc_link_save_peer_info(struct smc_link *link,
+
+ static void smc_switch_to_fallback(struct smc_sock *smc)
+ {
++ wait_queue_head_t *smc_wait = sk_sleep(&smc->sk);
++ wait_queue_head_t *clc_wait = sk_sleep(smc->clcsock->sk);
++ unsigned long flags;
++
+ smc->use_fallback = true;
+ if (smc->sk.sk_socket && smc->sk.sk_socket->file) {
+ smc->clcsock->file = smc->sk.sk_socket->file;
+ smc->clcsock->file->private_data = smc->clcsock;
+ smc->clcsock->wq.fasync_list =
+ smc->sk.sk_socket->wq.fasync_list;
++
++ /* There may be some entries remaining in
++ * smc socket->wq, which should be removed
++ * to clcsocket->wq during the fallback.
++ */
++ spin_lock_irqsave(&smc_wait->lock, flags);
++ spin_lock(&clc_wait->lock);
++ list_splice_init(&smc_wait->head, &clc_wait->head);
++ spin_unlock(&clc_wait->lock);
++ spin_unlock_irqrestore(&smc_wait->lock, flags);
+ }
+ }
+
+--
+2.33.0
+
--- /dev/null
+From 4cc316280e949728949317d76456c5c34cf59d71 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Nov 2021 13:46:32 +0800
+Subject: net: tulip: de4x5: fix the problem that the array 'lp->phy[8]' may be
+ out of bound
+
+From: zhangyue <zhangyue1@kylinos.cn>
+
+[ Upstream commit 61217be886b5f7402843677e4be7e7e83de9cb41 ]
+
+In line 5001, if all id in the array 'lp->phy[8]' is not 0, when the
+'for' end, the 'k' is 8.
+
+At this time, the array 'lp->phy[8]' may be out of bound.
+
+Signed-off-by: zhangyue <zhangyue1@kylinos.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/dec/tulip/de4x5.c | 30 +++++++++++++++-----------
+ 1 file changed, 17 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/ethernet/dec/tulip/de4x5.c b/drivers/net/ethernet/dec/tulip/de4x5.c
+index c813e6f2b371e..a80252973171f 100644
+--- a/drivers/net/ethernet/dec/tulip/de4x5.c
++++ b/drivers/net/ethernet/dec/tulip/de4x5.c
+@@ -4999,19 +4999,23 @@ mii_get_phy(struct net_device *dev)
+ }
+ if ((j == limit) && (i < DE4X5_MAX_MII)) {
+ for (k=0; k < DE4X5_MAX_PHY && lp->phy[k].id; k++);
+- lp->phy[k].addr = i;
+- lp->phy[k].id = id;
+- lp->phy[k].spd.reg = GENERIC_REG; /* ANLPA register */
+- lp->phy[k].spd.mask = GENERIC_MASK; /* 100Mb/s technologies */
+- lp->phy[k].spd.value = GENERIC_VALUE; /* TX & T4, H/F Duplex */
+- lp->mii_cnt++;
+- lp->active++;
+- printk("%s: Using generic MII device control. If the board doesn't operate,\nplease mail the following dump to the author:\n", dev->name);
+- j = de4x5_debug;
+- de4x5_debug |= DEBUG_MII;
+- de4x5_dbg_mii(dev, k);
+- de4x5_debug = j;
+- printk("\n");
++ if (k < DE4X5_MAX_PHY) {
++ lp->phy[k].addr = i;
++ lp->phy[k].id = id;
++ lp->phy[k].spd.reg = GENERIC_REG; /* ANLPA register */
++ lp->phy[k].spd.mask = GENERIC_MASK; /* 100Mb/s technologies */
++ lp->phy[k].spd.value = GENERIC_VALUE; /* TX & T4, H/F Duplex */
++ lp->mii_cnt++;
++ lp->active++;
++ printk("%s: Using generic MII device control. If the board doesn't operate,\nplease mail the following dump to the author:\n", dev->name);
++ j = de4x5_debug;
++ de4x5_debug |= DEBUG_MII;
++ de4x5_dbg_mii(dev, k);
++ de4x5_debug = j;
++ printk("\n");
++ } else {
++ goto purgatory;
++ }
+ }
+ }
+ purgatory:
+--
+2.33.0
+
--- /dev/null
+From 5abf431f2021d4610d5bba7647f357f7dbafcb2c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Nov 2021 23:12:47 -0800
+Subject: perf hist: Fix memory leak of a perf_hpp_fmt
+
+From: Ian Rogers <irogers@google.com>
+
+[ Upstream commit 0ca1f534a776cc7d42f2c33da4732b74ec2790cd ]
+
+perf_hpp__column_unregister() removes an entry from a list but doesn't
+free the memory causing a memory leak spotted by leak sanitizer.
+
+Add the free while at the same time reducing the scope of the function
+to static.
+
+Signed-off-by: Ian Rogers <irogers@google.com>
+Reviewed-by: Kajol Jain <kjain@linux.ibm.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Link: http://lore.kernel.org/lkml/20211118071247.2140392-1-irogers@google.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/ui/hist.c | 28 ++++++++++++++--------------
+ tools/perf/util/hist.h | 1 -
+ 2 files changed, 14 insertions(+), 15 deletions(-)
+
+diff --git a/tools/perf/ui/hist.c b/tools/perf/ui/hist.c
+index f736755000616..9ae316445f04b 100644
+--- a/tools/perf/ui/hist.c
++++ b/tools/perf/ui/hist.c
+@@ -472,6 +472,18 @@ struct perf_hpp_list perf_hpp_list = {
+ #undef __HPP_SORT_ACC_FN
+ #undef __HPP_SORT_RAW_FN
+
++static void fmt_free(struct perf_hpp_fmt *fmt)
++{
++ /*
++ * At this point fmt should be completely
++ * unhooked, if not it's a bug.
++ */
++ BUG_ON(!list_empty(&fmt->list));
++ BUG_ON(!list_empty(&fmt->sort_list));
++
++ if (fmt->free)
++ fmt->free(fmt);
++}
+
+ void perf_hpp__init(void)
+ {
+@@ -535,9 +547,10 @@ void perf_hpp_list__prepend_sort_field(struct perf_hpp_list *list,
+ list_add(&format->sort_list, &list->sorts);
+ }
+
+-void perf_hpp__column_unregister(struct perf_hpp_fmt *format)
++static void perf_hpp__column_unregister(struct perf_hpp_fmt *format)
+ {
+ list_del_init(&format->list);
++ fmt_free(format);
+ }
+
+ void perf_hpp__cancel_cumulate(void)
+@@ -609,19 +622,6 @@ void perf_hpp__append_sort_keys(struct perf_hpp_list *list)
+ }
+
+
+-static void fmt_free(struct perf_hpp_fmt *fmt)
+-{
+- /*
+- * At this point fmt should be completely
+- * unhooked, if not it's a bug.
+- */
+- BUG_ON(!list_empty(&fmt->list));
+- BUG_ON(!list_empty(&fmt->sort_list));
+-
+- if (fmt->free)
+- fmt->free(fmt);
+-}
+-
+ void perf_hpp__reset_output_field(struct perf_hpp_list *list)
+ {
+ struct perf_hpp_fmt *fmt, *tmp;
+diff --git a/tools/perf/util/hist.h b/tools/perf/util/hist.h
+index 4792731307947..ecce30f086de7 100644
+--- a/tools/perf/util/hist.h
++++ b/tools/perf/util/hist.h
+@@ -361,7 +361,6 @@ enum {
+ };
+
+ void perf_hpp__init(void);
+-void perf_hpp__column_unregister(struct perf_hpp_fmt *format);
+ void perf_hpp__cancel_cumulate(void);
+ void perf_hpp__setup_output_field(struct perf_hpp_list *list);
+ void perf_hpp__reset_output_field(struct perf_hpp_list *list);
+--
+2.33.0
+
--- /dev/null
+From b98bc1cc2e0046f56d0bb7a608b67befb438f2be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Nov 2021 23:38:04 -0800
+Subject: perf report: Fix memory leaks around perf_tip()
+
+From: Ian Rogers <irogers@google.com>
+
+[ Upstream commit d9fc706108c15f8bc2d4ccccf8e50f74830fabd9 ]
+
+perf_tip() may allocate memory or use a literal, this means memory
+wasn't freed if allocated. Change the API so that literals aren't used.
+
+At the same time add missing frees for system_path. These issues were
+spotted using leak sanitizer.
+
+Signed-off-by: Ian Rogers <irogers@google.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Link: http://lore.kernel.org/lkml/20211118073804.2149974-1-irogers@google.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-report.c | 15 +++++++++------
+ tools/perf/util/util.c | 14 +++++++-------
+ tools/perf/util/util.h | 2 +-
+ 3 files changed, 17 insertions(+), 14 deletions(-)
+
+diff --git a/tools/perf/builtin-report.c b/tools/perf/builtin-report.c
+index d3c0b04e2e22b..dc228bdf2bbc2 100644
+--- a/tools/perf/builtin-report.c
++++ b/tools/perf/builtin-report.c
+@@ -569,14 +569,17 @@ static int report__browse_hists(struct report *rep)
+ int ret;
+ struct perf_session *session = rep->session;
+ struct evlist *evlist = session->evlist;
+- const char *help = perf_tip(system_path(TIPDIR));
++ char *help = NULL, *path = NULL;
+
+- if (help == NULL) {
++ path = system_path(TIPDIR);
++ if (perf_tip(&help, path) || help == NULL) {
+ /* fallback for people who don't install perf ;-) */
+- help = perf_tip(DOCDIR);
+- if (help == NULL)
+- help = "Cannot load tips.txt file, please install perf!";
++ free(path);
++ path = system_path(DOCDIR);
++ if (perf_tip(&help, path) || help == NULL)
++ help = strdup("Cannot load tips.txt file, please install perf!");
+ }
++ free(path);
+
+ switch (use_browser) {
+ case 1:
+@@ -598,7 +601,7 @@ static int report__browse_hists(struct report *rep)
+ ret = perf_evlist__tty_browse_hists(evlist, rep, help);
+ break;
+ }
+-
++ free(help);
+ return ret;
+ }
+
+diff --git a/tools/perf/util/util.c b/tools/perf/util/util.c
+index ae56c766eda16..b3c1ae288b478 100644
+--- a/tools/perf/util/util.c
++++ b/tools/perf/util/util.c
+@@ -343,32 +343,32 @@ fetch_kernel_version(unsigned int *puint, char *str,
+ return 0;
+ }
+
+-const char *perf_tip(const char *dirpath)
++int perf_tip(char **strp, const char *dirpath)
+ {
+ struct strlist *tips;
+ struct str_node *node;
+- char *tip = NULL;
+ struct strlist_config conf = {
+ .dirname = dirpath,
+ .file_only = true,
+ };
++ int ret = 0;
+
++ *strp = NULL;
+ tips = strlist__new("tips.txt", &conf);
+ if (tips == NULL)
+- return errno == ENOENT ? NULL :
+- "Tip: check path of tips.txt or get more memory! ;-p";
++ return -errno;
+
+ if (strlist__nr_entries(tips) == 0)
+ goto out;
+
+ node = strlist__entry(tips, random() % strlist__nr_entries(tips));
+- if (asprintf(&tip, "Tip: %s", node->s) < 0)
+- tip = (char *)"Tip: get more memory! ;-)";
++ if (asprintf(strp, "Tip: %s", node->s) < 0)
++ ret = -ENOMEM;
+
+ out:
+ strlist__delete(tips);
+
+- return tip;
++ return ret;
+ }
+
+ char *perf_exe(char *buf, int len)
+diff --git a/tools/perf/util/util.h b/tools/perf/util/util.h
+index 9969b8b46f7c3..e4a7e1cafc70a 100644
+--- a/tools/perf/util/util.h
++++ b/tools/perf/util/util.h
+@@ -37,7 +37,7 @@ int fetch_kernel_version(unsigned int *puint,
+ #define KVER_FMT "%d.%d.%d"
+ #define KVER_PARAM(x) KVER_VERSION(x), KVER_PATCHLEVEL(x), KVER_SUBLEVEL(x)
+
+-const char *perf_tip(const char *dirpath);
++int perf_tip(char **strp, const char *dirpath);
+
+ #ifndef HAVE_SCHED_GETCPU_SUPPORT
+ int sched_getcpu(void);
+--
+2.33.0
+
--- /dev/null
+From 0663ce17d461e624112aac241b64d040036c8b58 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Nov 2021 14:06:48 +0800
+Subject: platform/x86: thinkpad_acpi: Fix WWAN device disabled issue after S3
+ deep
+
+From: Slark Xiao <slark_xiao@163.com>
+
+[ Upstream commit 39f53292181081d35174a581a98441de5da22bc9 ]
+
+When WWAN device wake from S3 deep, under thinkpad platform,
+WWAN would be disabled. This disable status could be checked
+by command 'nmcli r wwan' or 'rfkill list'.
+
+Issue analysis as below:
+ When host resume from S3 deep, thinkpad_acpi driver would
+call hotkey_resume() function. Finnaly, it will use
+wan_get_status to check the current status of WWAN device.
+During this resume progress, wan_get_status would always
+return off even WWAN boot up completely.
+ In patch V2, Hans said 'sw_state should be unchanged
+after a suspend/resume. It's better to drop the
+tpacpi_rfk_update_swstate call all together from the
+resume path'.
+ And it's confimed by Lenovo that GWAN is no longer
+ available from WHL generation because the design does not
+ match with current pin control.
+
+Signed-off-by: Slark Xiao <slark_xiao@163.com>
+Link: https://lore.kernel.org/r/20211108060648.8212-1-slark_xiao@163.com
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/thinkpad_acpi.c | 12 ------------
+ 1 file changed, 12 deletions(-)
+
+diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c
+index 3028d9f1ac59c..5d114088c88fb 100644
+--- a/drivers/platform/x86/thinkpad_acpi.c
++++ b/drivers/platform/x86/thinkpad_acpi.c
+@@ -1188,15 +1188,6 @@ static int tpacpi_rfk_update_swstate(const struct tpacpi_rfk *tp_rfk)
+ return status;
+ }
+
+-/* Query FW and update rfkill sw state for all rfkill switches */
+-static void tpacpi_rfk_update_swstate_all(void)
+-{
+- unsigned int i;
+-
+- for (i = 0; i < TPACPI_RFK_SW_MAX; i++)
+- tpacpi_rfk_update_swstate(tpacpi_rfkill_switches[i]);
+-}
+-
+ /*
+ * Sync the HW-blocking state of all rfkill switches,
+ * do notice it causes the rfkill core to schedule uevents
+@@ -3135,9 +3126,6 @@ static void tpacpi_send_radiosw_update(void)
+ if (wlsw == TPACPI_RFK_RADIO_OFF)
+ tpacpi_rfk_update_hwblock_state(true);
+
+- /* Sync sw blocking state */
+- tpacpi_rfk_update_swstate_all();
+-
+ /* Sync hw blocking state last if it is hw-unblocked */
+ if (wlsw == TPACPI_RFK_RADIO_ON)
+ tpacpi_rfk_update_hwblock_state(false);
+--
+2.33.0
+
--- /dev/null
+From a3612540501968af7247a19411aea1de3056ea4a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Oct 2021 13:38:17 +0200
+Subject: s390/setup: avoid using memblock_enforce_memory_limit
+
+From: Vasily Gorbik <gor@linux.ibm.com>
+
+[ Upstream commit 5dbc4cb4667457b0c53bcd7bff11500b3c362975 ]
+
+There is a difference in how architectures treat "mem=" option. For some
+that is an amount of online memory, for s390 and x86 this is the limiting
+max address. Some memblock api like memblock_enforce_memory_limit()
+take limit argument and explicitly treat it as the size of online memory,
+and use __find_max_addr to convert it to an actual max address. Current
+s390 usage:
+
+memblock_enforce_memory_limit(memblock_end_of_DRAM());
+
+yields different results depending on presence of memory holes (offline
+memory blocks in between online memory). If there are no memory holes
+limit == max_addr in memblock_enforce_memory_limit() and it does trim
+online memory and reserved memory regions. With memory holes present it
+actually does nothing.
+
+Since we already use memblock_remove() explicitly to trim online memory
+regions to potential limit (think mem=, kdump, addressing limits, etc.)
+drop the usage of memblock_enforce_memory_limit() altogether. Trimming
+reserved regions should not be required, since we now use
+memblock_set_current_limit() to limit allocations and any explicit memory
+reservations above the limit is an actual problem we should not hide.
+
+Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/setup.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/arch/s390/kernel/setup.c b/arch/s390/kernel/setup.c
+index f661f176966f5..9a0316a067a11 100644
+--- a/arch/s390/kernel/setup.c
++++ b/arch/s390/kernel/setup.c
+@@ -841,9 +841,6 @@ static void __init setup_memory(void)
+ storage_key_init_range(reg->base, reg->base + reg->size);
+ }
+ psw_set_key(PAGE_DEFAULT_KEY);
+-
+- /* Only cosmetics */
+- memblock_enforce_memory_limit(memblock_end_of_DRAM());
+ }
+
+ /*
+--
+2.33.0
+
--- /dev/null
+From 42e2f614d394b7340f9d323f312520bb2a809910 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Nov 2021 17:10:47 -0500
+Subject: scsi: iscsi: Unblock session then wake up error handler
+
+From: Mike Christie <michael.christie@oracle.com>
+
+[ Upstream commit a0c2f8b6709a9a4af175497ca65f93804f57b248 ]
+
+We can race where iscsi_session_recovery_timedout() has woken up the error
+handler thread and it's now setting the devices to offline, and
+session_recovery_timedout()'s call to scsi_target_unblock() is also trying
+to set the device's state to transport-offline. We can then get a mix of
+states.
+
+For the case where we can't relogin we want the devices to be in
+transport-offline so when we have repaired the connection
+__iscsi_unblock_session() can set the state back to running.
+
+Set the device state then call into libiscsi to wake up the error handler.
+
+Link: https://lore.kernel.org/r/20211105221048.6541-2-michael.christie@oracle.com
+Reviewed-by: Lee Duncan <lduncan@suse.com>
+Signed-off-by: Mike Christie <michael.christie@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi_transport_iscsi.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
+index 6f21cb75d95fd..f6cce0befa7de 100644
+--- a/drivers/scsi/scsi_transport_iscsi.c
++++ b/drivers/scsi/scsi_transport_iscsi.c
+@@ -1894,12 +1894,12 @@ static void session_recovery_timedout(struct work_struct *work)
+ }
+ spin_unlock_irqrestore(&session->lock, flags);
+
+- if (session->transport->session_recovery_timedout)
+- session->transport->session_recovery_timedout(session);
+-
+ ISCSI_DBG_TRANS_SESSION(session, "Unblocking SCSI target\n");
+ scsi_target_unblock(&session->dev, SDEV_TRANSPORT_OFFLINE);
+ ISCSI_DBG_TRANS_SESSION(session, "Completed unblocking SCSI target\n");
++
++ if (session->transport->session_recovery_timedout)
++ session->transport->session_recovery_timedout(session);
+ }
+
+ static void __iscsi_unblock_session(struct work_struct *work)
+--
+2.33.0
+
of-clk-make-linux-of_clk.h-self-contained.patch
arm64-dts-mcbin-support-2w-sfp-modules.patch
can-j1939-j1939_tp_cmd_recv-check-the-dst-address-of-tp.cm_bam.patch
+gfs2-fix-length-of-holes-reported-at-end-of-file.patch
+drm-sun4i-fix-unmet-dependency-on-reset_controller-f.patch
+mac80211-do-not-access-the-iv-when-it-was-stripped.patch
+net-smc-transfer-remaining-wait-queue-entries-during.patch
+atlantic-fix-oob-read-and-write-in-hw_atl_utils_fw_r.patch
+net-return-correct-error-code.patch
+platform-x86-thinkpad_acpi-fix-wwan-device-disabled-.patch
+s390-setup-avoid-using-memblock_enforce_memory_limit.patch
+btrfs-check-integrity-fix-a-warning-on-write-caching.patch
+thermal-core-reset-previous-low-and-high-trip-during.patch
+scsi-iscsi-unblock-session-then-wake-up-error-handle.patch
+ata-ahci-add-green-sardine-vendor-id-as-board_ahci_m.patch
+ethernet-hisilicon-hns-hns_dsaf_misc-fix-a-possible-.patch
+net-tulip-de4x5-fix-the-problem-that-the-array-lp-ph.patch
+net-ethernet-dec-tulip-de4x5-fix-possible-array-over.patch
+perf-hist-fix-memory-leak-of-a-perf_hpp_fmt.patch
+perf-report-fix-memory-leaks-around-perf_tip.patch
+net-smc-avoid-warning-of-possible-recursive-locking.patch
--- /dev/null
+From 52fdeb4011f9a52a10f80564424154d398900118 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Nov 2021 01:30:40 +0530
+Subject: thermal: core: Reset previous low and high trip during thermal zone
+ init
+
+From: Manaf Meethalavalappu Pallikunhi <manafm@codeaurora.org>
+
+[ Upstream commit 99b63316c39988039965693f5f43d8b4ccb1c86c ]
+
+During the suspend is in process, thermal_zone_device_update bails out
+thermal zone re-evaluation for any sensor trip violation without
+setting next valid trip to that sensor. It assumes during resume
+it will re-evaluate same thermal zone and update trip. But when it is
+in suspend temperature goes down and on resume path while updating
+thermal zone if temperature is less than previously violated trip,
+thermal zone set trip function evaluates the same previous high and
+previous low trip as new high and low trip. Since there is no change
+in high/low trip, it bails out from thermal zone set trip API without
+setting any trip. It leads to a case where sensor high trip or low
+trip is disabled forever even though thermal zone has a valid high
+or low trip.
+
+During thermal zone device init, reset thermal zone previous high
+and low trip. It resolves above mentioned scenario.
+
+Signed-off-by: Manaf Meethalavalappu Pallikunhi <manafm@codeaurora.org>
+Reviewed-by: Thara Gopinath <thara.gopinath@linaro.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/thermal_core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c
+index 20eab56b02cb9..f4490b8120176 100644
+--- a/drivers/thermal/thermal_core.c
++++ b/drivers/thermal/thermal_core.c
+@@ -460,6 +460,8 @@ static void thermal_zone_device_init(struct thermal_zone_device *tz)
+ {
+ struct thermal_instance *pos;
+ tz->temperature = THERMAL_TEMP_INVALID;
++ tz->prev_low_trip = -INT_MAX;
++ tz->prev_high_trip = INT_MAX;
+ list_for_each_entry(pos, &tz->thermal_instances, tz_node)
+ pos->initialized = false;
+ }
+--
+2.33.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
