--- /dev/null
+From 8b3a9ad86239f80ed569e23c3954a311f66481d6 Mon Sep 17 00:00:00 2001
+From: Aidan MacDonald <aidanmacdonald.0x0@gmail.com>
+Date: Sun, 23 Oct 2022 15:33:20 +0100
+Subject: ASoC: jz4740-i2s: Handle independent FIFO flush bits
+
+From: Aidan MacDonald <aidanmacdonald.0x0@gmail.com>
+
+commit 8b3a9ad86239f80ed569e23c3954a311f66481d6 upstream.
+
+On the JZ4740, there is a single bit that flushes (empties) both
+the transmit and receive FIFO. Later SoCs have independent flush
+bits for each FIFO.
+
+Independent FIFOs can be flushed before the snd_soc_dai_active()
+check because it won't disturb other active streams. This ensures
+that the FIFO we're about to use is always flushed before starting
+up. With shared FIFOs we can't do that because if another substream
+is active, flushing its FIFO would cause underrun errors.
+
+This also fixes a bug: since we were only setting the JZ4740's
+flush bit, which corresponds to the TX FIFO flush bit on other
+SoCs, other SoCs were not having their RX FIFO flushed at all.
+
+Fixes: 967beb2e8777 ("ASoC: jz4740: Add jz4780 support")
+Reviewed-by: Paul Cercueil <paul@crapouillou.net>
+Cc: stable@vger.kernel.org
+Signed-off-by: Aidan MacDonald <aidanmacdonald.0x0@gmail.com>
+Link: https://lore.kernel.org/r/20221023143328.160866-2-aidanmacdonald.0x0@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/jz4740/jz4740-i2s.c | 39 ++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 34 insertions(+), 5 deletions(-)
+
+--- a/sound/soc/jz4740/jz4740-i2s.c
++++ b/sound/soc/jz4740/jz4740-i2s.c
+@@ -56,7 +56,8 @@
+ #define JZ_AIC_CTRL_MONO_TO_STEREO BIT(11)
+ #define JZ_AIC_CTRL_SWITCH_ENDIANNESS BIT(10)
+ #define JZ_AIC_CTRL_SIGNED_TO_UNSIGNED BIT(9)
+-#define JZ_AIC_CTRL_FLUSH BIT(8)
++#define JZ_AIC_CTRL_TFLUSH BIT(8)
++#define JZ_AIC_CTRL_RFLUSH BIT(7)
+ #define JZ_AIC_CTRL_ENABLE_ROR_INT BIT(6)
+ #define JZ_AIC_CTRL_ENABLE_TUR_INT BIT(5)
+ #define JZ_AIC_CTRL_ENABLE_RFS_INT BIT(4)
+@@ -91,6 +92,8 @@ enum jz47xx_i2s_version {
+ struct i2s_soc_info {
+ enum jz47xx_i2s_version version;
+ struct snd_soc_dai_driver *dai;
++
++ bool shared_fifo_flush;
+ };
+
+ struct jz4740_i2s {
+@@ -119,19 +122,44 @@ static inline void jz4740_i2s_write(cons
+ writel(value, i2s->base + reg);
+ }
+
++static inline void jz4740_i2s_set_bits(const struct jz4740_i2s *i2s,
++ unsigned int reg, uint32_t bits)
++{
++ uint32_t value = jz4740_i2s_read(i2s, reg);
++ value |= bits;
++ jz4740_i2s_write(i2s, reg, value);
++}
++
+ static int jz4740_i2s_startup(struct snd_pcm_substream *substream,
+ struct snd_soc_dai *dai)
+ {
+ struct jz4740_i2s *i2s = snd_soc_dai_get_drvdata(dai);
+- uint32_t conf, ctrl;
++ uint32_t conf;
+ int ret;
+
++ /*
++ * When we can flush FIFOs independently, only flush the FIFO
++ * that is starting up. We can do this when the DAI is active
++ * because it does not disturb other active substreams.
++ */
++ if (!i2s->soc_info->shared_fifo_flush) {
++ if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK)
++ jz4740_i2s_set_bits(i2s, JZ_REG_AIC_CTRL, JZ_AIC_CTRL_TFLUSH);
++ else
++ jz4740_i2s_set_bits(i2s, JZ_REG_AIC_CTRL, JZ_AIC_CTRL_RFLUSH);
++ }
++
+ if (snd_soc_dai_active(dai))
+ return 0;
+
+- ctrl = jz4740_i2s_read(i2s, JZ_REG_AIC_CTRL);
+- ctrl |= JZ_AIC_CTRL_FLUSH;
+- jz4740_i2s_write(i2s, JZ_REG_AIC_CTRL, ctrl);
++ /*
++ * When there is a shared flush bit for both FIFOs, the TFLUSH
++ * bit flushes both FIFOs. Flushing while the DAI is active would
++ * cause FIFO underruns in other active substreams so we have to
++ * guard this behind the snd_soc_dai_active() check.
++ */
++ if (i2s->soc_info->shared_fifo_flush)
++ jz4740_i2s_set_bits(i2s, JZ_REG_AIC_CTRL, JZ_AIC_CTRL_TFLUSH);
+
+ ret = clk_prepare_enable(i2s->clk_i2s);
+ if (ret)
+@@ -462,6 +490,7 @@ static struct snd_soc_dai_driver jz4740_
+ static const struct i2s_soc_info jz4740_i2s_soc_info = {
+ .version = JZ_I2S_JZ4740,
+ .dai = &jz4740_i2s_dai,
++ .shared_fifo_flush = true,
+ };
+
+ static const struct i2s_soc_info jz4760_i2s_soc_info = {
--- /dev/null
+From 10da230a4df1dfe32a58eb09246f5ffe82346f27 Mon Sep 17 00:00:00 2001
+From: Mario Limonciello <mario.limonciello@amd.com>
+Date: Wed, 28 Sep 2022 13:45:05 -0500
+Subject: crypto: ccp - Add support for TEE for PCI ID 0x14CA
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+commit 10da230a4df1dfe32a58eb09246f5ffe82346f27 upstream.
+
+SoCs containing 0x14CA are present both in datacenter parts that
+support SEV as well as client parts that support TEE.
+
+Cc: stable@vger.kernel.org # 5.15+
+Tested-by: Rijo-john Thomas <Rijo-john.Thomas@amd.com>
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Acked-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/ccp/sp-pci.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/crypto/ccp/sp-pci.c
++++ b/drivers/crypto/ccp/sp-pci.c
+@@ -320,6 +320,15 @@ static const struct psp_vdata pspv3 = {
+ .inten_reg = 0x10690,
+ .intsts_reg = 0x10694,
+ };
++
++static const struct psp_vdata pspv4 = {
++ .sev = &sevv2,
++ .tee = &teev1,
++ .feature_reg = 0x109fc,
++ .inten_reg = 0x10690,
++ .intsts_reg = 0x10694,
++};
++
+ #endif
+
+ static const struct sp_dev_vdata dev_vdata[] = {
+@@ -365,7 +374,7 @@ static const struct sp_dev_vdata dev_vda
+ { /* 5 */
+ .bar = 2,
+ #ifdef CONFIG_CRYPTO_DEV_SP_PSP
+- .psp_vdata = &pspv2,
++ .psp_vdata = &pspv4,
+ #endif
+ },
+ };
--- /dev/null
+From 76a4e874593543a2dff91d249c95bac728df2774 Mon Sep 17 00:00:00 2001
+From: Corentin Labbe <clabbe@baylibre.com>
+Date: Thu, 6 Oct 2022 04:34:19 +0000
+Subject: crypto: n2 - add missing hash statesize
+
+From: Corentin Labbe <clabbe@baylibre.com>
+
+commit 76a4e874593543a2dff91d249c95bac728df2774 upstream.
+
+Add missing statesize to hash templates.
+This is mandatory otherwise no algorithms can be registered as the core
+requires statesize to be set.
+
+CC: stable@kernel.org # 4.3+
+Reported-by: Rolf Eike Beer <eike-kernel@sf-tec.de>
+Tested-by: Rolf Eike Beer <eike-kernel@sf-tec.de>
+Fixes: 0a625fd2abaa ("crypto: n2 - Add Niagara2 crypto driver")
+Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/n2_core.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/crypto/n2_core.c
++++ b/drivers/crypto/n2_core.c
+@@ -1229,6 +1229,7 @@ struct n2_hash_tmpl {
+ const u8 *hash_init;
+ u8 hw_op_hashsz;
+ u8 digest_size;
++ u8 statesize;
+ u8 block_size;
+ u8 auth_type;
+ u8 hmac_type;
+@@ -1260,6 +1261,7 @@ static const struct n2_hash_tmpl hash_tm
+ .hmac_type = AUTH_TYPE_HMAC_MD5,
+ .hw_op_hashsz = MD5_DIGEST_SIZE,
+ .digest_size = MD5_DIGEST_SIZE,
++ .statesize = sizeof(struct md5_state),
+ .block_size = MD5_HMAC_BLOCK_SIZE },
+ { .name = "sha1",
+ .hash_zero = sha1_zero_message_hash,
+@@ -1268,6 +1270,7 @@ static const struct n2_hash_tmpl hash_tm
+ .hmac_type = AUTH_TYPE_HMAC_SHA1,
+ .hw_op_hashsz = SHA1_DIGEST_SIZE,
+ .digest_size = SHA1_DIGEST_SIZE,
++ .statesize = sizeof(struct sha1_state),
+ .block_size = SHA1_BLOCK_SIZE },
+ { .name = "sha256",
+ .hash_zero = sha256_zero_message_hash,
+@@ -1276,6 +1279,7 @@ static const struct n2_hash_tmpl hash_tm
+ .hmac_type = AUTH_TYPE_HMAC_SHA256,
+ .hw_op_hashsz = SHA256_DIGEST_SIZE,
+ .digest_size = SHA256_DIGEST_SIZE,
++ .statesize = sizeof(struct sha256_state),
+ .block_size = SHA256_BLOCK_SIZE },
+ { .name = "sha224",
+ .hash_zero = sha224_zero_message_hash,
+@@ -1284,6 +1288,7 @@ static const struct n2_hash_tmpl hash_tm
+ .hmac_type = AUTH_TYPE_RESERVED,
+ .hw_op_hashsz = SHA256_DIGEST_SIZE,
+ .digest_size = SHA224_DIGEST_SIZE,
++ .statesize = sizeof(struct sha256_state),
+ .block_size = SHA224_BLOCK_SIZE },
+ };
+ #define NUM_HASH_TMPLS ARRAY_SIZE(hash_tmpls)
+@@ -1424,6 +1429,7 @@ static int __n2_register_one_ahash(const
+
+ halg = &ahash->halg;
+ halg->digestsize = tmpl->digest_size;
++ halg->statesize = tmpl->statesize;
+
+ base = &halg->base;
+ snprintf(base->cra_name, CRYPTO_MAX_ALG_NAME, "%s", tmpl->name);
--- /dev/null
+From e68bfbd3b3c3a0ec3cf8c230996ad8cabe90322f Mon Sep 17 00:00:00 2001
+From: Wang Weiyang <wangweiyang2@huawei.com>
+Date: Tue, 25 Oct 2022 19:31:01 +0800
+Subject: device_cgroup: Roll back to original exceptions after copy failure
+
+From: Wang Weiyang <wangweiyang2@huawei.com>
+
+commit e68bfbd3b3c3a0ec3cf8c230996ad8cabe90322f upstream.
+
+When add the 'a *:* rwm' entry to devcgroup A's whitelist, at first A's
+exceptions will be cleaned and A's behavior is changed to
+DEVCG_DEFAULT_ALLOW. Then parent's exceptions will be copyed to A's
+whitelist. If copy failure occurs, just return leaving A to grant
+permissions to all devices. And A may grant more permissions than
+parent.
+
+Backup A's whitelist and recover original exceptions after copy
+failure.
+
+Cc: stable@vger.kernel.org
+Fixes: 4cef7299b478 ("device_cgroup: add proper checking when changing default behavior")
+Signed-off-by: Wang Weiyang <wangweiyang2@huawei.com>
+Reviewed-by: Aristeu Rozanski <aris@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/device_cgroup.c | 33 +++++++++++++++++++++++++++++----
+ 1 file changed, 29 insertions(+), 4 deletions(-)
+
+--- a/security/device_cgroup.c
++++ b/security/device_cgroup.c
+@@ -81,6 +81,17 @@ free_and_exit:
+ return -ENOMEM;
+ }
+
++static void dev_exceptions_move(struct list_head *dest, struct list_head *orig)
++{
++ struct dev_exception_item *ex, *tmp;
++
++ lockdep_assert_held(&devcgroup_mutex);
++
++ list_for_each_entry_safe(ex, tmp, orig, list) {
++ list_move_tail(&ex->list, dest);
++ }
++}
++
+ /*
+ * called under devcgroup_mutex
+ */
+@@ -603,11 +614,13 @@ static int devcgroup_update_access(struc
+ int count, rc = 0;
+ struct dev_exception_item ex;
+ struct dev_cgroup *parent = css_to_devcgroup(devcgroup->css.parent);
++ struct dev_cgroup tmp_devcgrp;
+
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
+
+ memset(&ex, 0, sizeof(ex));
++ memset(&tmp_devcgrp, 0, sizeof(tmp_devcgrp));
+ b = buffer;
+
+ switch (*b) {
+@@ -619,15 +632,27 @@ static int devcgroup_update_access(struc
+
+ if (!may_allow_all(parent))
+ return -EPERM;
+- dev_exception_clean(devcgroup);
+- devcgroup->behavior = DEVCG_DEFAULT_ALLOW;
+- if (!parent)
++ if (!parent) {
++ devcgroup->behavior = DEVCG_DEFAULT_ALLOW;
++ dev_exception_clean(devcgroup);
+ break;
++ }
+
++ INIT_LIST_HEAD(&tmp_devcgrp.exceptions);
++ rc = dev_exceptions_copy(&tmp_devcgrp.exceptions,
++ &devcgroup->exceptions);
++ if (rc)
++ return rc;
++ dev_exception_clean(devcgroup);
+ rc = dev_exceptions_copy(&devcgroup->exceptions,
+ &parent->exceptions);
+- if (rc)
++ if (rc) {
++ dev_exceptions_move(&devcgroup->exceptions,
++ &tmp_devcgrp.exceptions);
+ return rc;
++ }
++ devcgroup->behavior = DEVCG_DEFAULT_ALLOW;
++ dev_exception_clean(&tmp_devcgrp);
+ break;
+ case DEVCG_DENY:
+ if (css_has_online_children(&devcgroup->css))
--- /dev/null
+From 27c0d217340e47ec995557f61423ef415afba987 Mon Sep 17 00:00:00 2001
+From: "Isaac J. Manjarres" <isaacmanjarres@google.com>
+Date: Tue, 20 Sep 2022 17:14:13 -0700
+Subject: driver core: Fix bus_type.match() error handling in __driver_attach()
+
+From: Isaac J. Manjarres <isaacmanjarres@google.com>
+
+commit 27c0d217340e47ec995557f61423ef415afba987 upstream.
+
+When a driver registers with a bus, it will attempt to match with every
+device on the bus through the __driver_attach() function. Currently, if
+the bus_type.match() function encounters an error that is not
+-EPROBE_DEFER, __driver_attach() will return a negative error code, which
+causes the driver registration logic to stop trying to match with the
+remaining devices on the bus.
+
+This behavior is not correct; a failure while matching a driver to a
+device does not mean that the driver won't be able to match and bind
+with other devices on the bus. Update the logic in __driver_attach()
+to reflect this.
+
+Fixes: 656b8035b0ee ("ARM: 8524/1: driver cohandle -EPROBE_DEFER from bus_type.match()")
+Cc: stable@vger.kernel.org
+Cc: Saravana Kannan <saravanak@google.com>
+Signed-off-by: Isaac J. Manjarres <isaacmanjarres@google.com>
+Link: https://lore.kernel.org/r/20220921001414.4046492-1-isaacmanjarres@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/dd.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/base/dd.c
++++ b/drivers/base/dd.c
+@@ -1127,7 +1127,11 @@ static int __driver_attach(struct device
+ return 0;
+ } else if (ret < 0) {
+ dev_dbg(dev, "Bus failed to match device: %d\n", ret);
+- return ret;
++ /*
++ * Driver could not match with device, but may match with
++ * another device on the bus.
++ */
++ return 0;
+ } /* ret > 0 means positive match */
+
+ if (driver_allows_async_probing(drv)) {
--- /dev/null
+From 6fdc2d490ea1369d17afd7e6eb66fecc5b7209bc Mon Sep 17 00:00:00 2001
+From: Simon Ser <contact@emersion.fr>
+Date: Mon, 17 Oct 2022 15:32:01 +0000
+Subject: drm/connector: send hotplug uevent on connector cleanup
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Simon Ser <contact@emersion.fr>
+
+commit 6fdc2d490ea1369d17afd7e6eb66fecc5b7209bc upstream.
+
+A typical DP-MST unplug removes a KMS connector. However care must
+be taken to properly synchronize with user-space. The expected
+sequence of events is the following:
+
+1. The kernel notices that the DP-MST port is gone.
+2. The kernel marks the connector as disconnected, then sends a
+ uevent to make user-space re-scan the connector list.
+3. User-space notices the connector goes from connected to disconnected,
+ disables it.
+4. Kernel handles the IOCTL disabling the connector. On success,
+ the very last reference to the struct drm_connector is dropped and
+ drm_connector_cleanup() is called.
+5. The connector is removed from the list, and a uevent is sent to tell
+ user-space that the connector disappeared.
+
+The very last step was missing. As a result, user-space thought the
+connector still existed and could try to disable it again. Since the
+kernel no longer knows about the connector, that would end up with
+EINVAL and confused user-space.
+
+Fix this by sending a hotplug uevent from drm_connector_cleanup().
+
+Signed-off-by: Simon Ser <contact@emersion.fr>
+Cc: stable@vger.kernel.org
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: Lyude Paul <lyude@redhat.com>
+Cc: Jonas Ã…dahl <jadahl@redhat.com>
+Tested-by: Jonas Ã…dahl <jadahl@redhat.com>
+Reviewed-by: Lyude Paul <lyude@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20221017153150.60675-2-contact@emersion.fr
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_connector.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/drm_connector.c
++++ b/drivers/gpu/drm/drm_connector.c
+@@ -487,6 +487,9 @@ void drm_connector_cleanup(struct drm_co
+ mutex_destroy(&connector->mutex);
+
+ memset(connector, 0, sizeof(*connector));
++
++ if (dev->registered)
++ drm_sysfs_hotplug_event(dev);
+ }
+ EXPORT_SYMBOL(drm_connector_cleanup);
+
--- /dev/null
+From f9cdf4130671d767071607d0a7568c9bd36a68d0 Mon Sep 17 00:00:00 2001
+From: Mikko Kovanen <mikko.kovanen@aavamobile.com>
+Date: Sat, 26 Nov 2022 13:27:13 +0000
+Subject: drm/i915/dsi: fix VBT send packet port selection for dual link DSI
+
+From: Mikko Kovanen <mikko.kovanen@aavamobile.com>
+
+commit f9cdf4130671d767071607d0a7568c9bd36a68d0 upstream.
+
+intel_dsi->ports contains bitmask of enabled ports and correspondingly
+logic for selecting port for VBT packet sending must use port specific
+bitmask when deciding appropriate port.
+
+Fixes: 08c59dde71b7 ("drm/i915/dsi: fix VBT send packet port selection for ICL+")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mikko Kovanen <mikko.kovanen@aavamobile.com>
+Reviewed-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/DBBPR09MB466592B16885D99ABBF2393A91119@DBBPR09MB4665.eurprd09.prod.outlook.com
+(cherry picked from commit 8d58bb7991c45f6b60710cc04c9498c6ea96db90)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/display/intel_dsi_vbt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/i915/display/intel_dsi_vbt.c
++++ b/drivers/gpu/drm/i915/display/intel_dsi_vbt.c
+@@ -133,9 +133,9 @@ static enum port intel_dsi_seq_port_to_p
+ return ffs(intel_dsi->ports) - 1;
+
+ if (seq_port) {
+- if (intel_dsi->ports & PORT_B)
++ if (intel_dsi->ports & BIT(PORT_B))
+ return PORT_B;
+- else if (intel_dsi->ports & PORT_C)
++ else if (intel_dsi->ports & BIT(PORT_C))
+ return PORT_C;
+ }
+
--- /dev/null
+From 47078311b8efebdefd5b3b2f87e2b02b14f49c66 Mon Sep 17 00:00:00 2001
+From: Yuan Can <yuancan@huawei.com>
+Date: Fri, 4 Nov 2022 06:45:12 +0000
+Subject: drm/ingenic: Fix missing platform_driver_unregister() call in ingenic_drm_init()
+
+From: Yuan Can <yuancan@huawei.com>
+
+commit 47078311b8efebdefd5b3b2f87e2b02b14f49c66 upstream.
+
+A problem about modprobe ingenic-drm failed is triggered with the following
+log given:
+
+ [ 303.561088] Error: Driver 'ingenic-ipu' is already registered, aborting...
+ modprobe: ERROR: could not insert 'ingenic_drm': Device or resource busy
+
+The reason is that ingenic_drm_init() returns platform_driver_register()
+directly without checking its return value, if platform_driver_register()
+failed, it returns without unregistering ingenic_ipu_driver_ptr, resulting
+the ingenic-drm can never be installed later.
+A simple call graph is shown as below:
+
+ ingenic_drm_init()
+ platform_driver_register() # ingenic_ipu_driver_ptr are registered
+ platform_driver_register()
+ driver_register()
+ bus_add_driver()
+ priv = kzalloc(...) # OOM happened
+ # return without unregister ingenic_ipu_driver_ptr
+
+Fixing this problem by checking the return value of
+platform_driver_register() and do platform_unregister_drivers() if
+error happened.
+
+Fixes: fc1acf317b01 ("drm/ingenic: Add support for the IPU")
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paul Cercueil <paul@crapouillou.net>
+Link: https://patchwork.freedesktop.org/patch/msgid/20221104064512.8569-1-yuancan@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/ingenic/ingenic-drm-drv.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/ingenic/ingenic-drm-drv.c
++++ b/drivers/gpu/drm/ingenic/ingenic-drm-drv.c
+@@ -1326,7 +1326,11 @@ static int ingenic_drm_init(void)
+ return err;
+ }
+
+- return platform_driver_register(&ingenic_drm_driver);
++ err = platform_driver_register(&ingenic_drm_driver);
++ if (IS_ENABLED(CONFIG_DRM_INGENIC_IPU) && err)
++ platform_driver_unregister(ingenic_ipu_driver_ptr);
++
++ return err;
+ }
+ module_init(ingenic_drm_init);
+
--- /dev/null
+From 4cf949c7fafe21e085a4ee386bb2dade9067316e Mon Sep 17 00:00:00 2001
+From: Zack Rusin <zackr@vmware.com>
+Date: Tue, 25 Oct 2022 23:19:35 -0400
+Subject: drm/vmwgfx: Validate the box size for the snooped cursor
+
+From: Zack Rusin <zackr@vmware.com>
+
+commit 4cf949c7fafe21e085a4ee386bb2dade9067316e upstream.
+
+Invalid userspace dma surface copies could potentially overflow
+the memcpy from the surface to the snooped image leading to crashes.
+To fix it the dimensions of the copybox have to be validated
+against the expected size of the snooped cursor.
+
+Signed-off-by: Zack Rusin <zackr@vmware.com>
+Fixes: 2ac863719e51 ("vmwgfx: Snoop DMA transfers with non-covering sizes")
+Cc: <stable@vger.kernel.org> # v3.2+
+Reviewed-by: Michael Banack <banackm@vmware.com>
+Reviewed-by: Martin Krastev <krastevm@vmware.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20221026031936.1004280-1-zack@kde.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+@@ -186,7 +186,8 @@ void vmw_kms_cursor_snoop(struct vmw_sur
+ if (cmd->dma.guest.ptr.offset % PAGE_SIZE ||
+ box->x != 0 || box->y != 0 || box->z != 0 ||
+ box->srcx != 0 || box->srcy != 0 || box->srcz != 0 ||
+- box->d != 1 || box_count != 1) {
++ box->d != 1 || box_count != 1 ||
++ box->w > 64 || box->h > 64) {
+ /* TODO handle none page aligned offsets */
+ /* TODO handle more dst & src != 0 */
+ /* TODO handle more then one copy */
--- /dev/null
+From 0be56a116220f9e5731a6609e66a11accfe8d8e2 Mon Sep 17 00:00:00 2001
+From: Aditya Garg <gargaditya08@live.com>
+Date: Thu, 27 Oct 2022 10:01:43 +0000
+Subject: efi: Add iMac Pro 2017 to uefi skip cert quirk
+
+From: Aditya Garg <gargaditya08@live.com>
+
+commit 0be56a116220f9e5731a6609e66a11accfe8d8e2 upstream.
+
+The iMac Pro 2017 is also a T2 Mac. Thus add it to the list of uefi skip
+cert.
+
+Cc: stable@vger.kernel.org
+Fixes: 155ca952c7ca ("efi: Do not import certificates from UEFI Secure Boot for T2 Macs")
+Link: https://lore.kernel.org/linux-integrity/9D46D92F-1381-4F10-989C-1A12CD2FFDD8@live.com/
+Signed-off-by: Aditya Garg <gargaditya08@live.com>
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/integrity/platform_certs/load_uefi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/security/integrity/platform_certs/load_uefi.c
++++ b/security/integrity/platform_certs/load_uefi.c
+@@ -34,6 +34,7 @@ static const struct dmi_system_id uefi_s
+ { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacPro7,1") },
+ { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "iMac20,1") },
+ { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "iMac20,2") },
++ { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "iMacPro1,1") },
+ { }
+ };
+
--- /dev/null
+From 11220db412edae8dba58853238f53258268bdb88 Mon Sep 17 00:00:00 2001
+From: Huaxin Lu <luhuaxin1@huawei.com>
+Date: Thu, 3 Nov 2022 00:09:49 +0800
+Subject: ima: Fix a potential NULL pointer access in ima_restore_measurement_list
+
+From: Huaxin Lu <luhuaxin1@huawei.com>
+
+commit 11220db412edae8dba58853238f53258268bdb88 upstream.
+
+In restore_template_fmt, when kstrdup fails, a non-NULL value will still be
+returned, which causes a NULL pointer access in template_desc_init_fields.
+
+Fixes: c7d09367702e ("ima: support restoring multiple template formats")
+Cc: stable@kernel.org
+Co-developed-by: Jiaming Li <lijiaming30@huawei.com>
+Signed-off-by: Jiaming Li <lijiaming30@huawei.com>
+Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
+Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/integrity/ima/ima_template.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/security/integrity/ima/ima_template.c
++++ b/security/integrity/ima/ima_template.c
+@@ -336,8 +336,11 @@ static struct ima_template_desc *restore
+
+ template_desc->name = "";
+ template_desc->fmt = kstrdup(template_name, GFP_KERNEL);
+- if (!template_desc->fmt)
++ if (!template_desc->fmt) {
++ kfree(template_desc);
++ template_desc = NULL;
+ goto out;
++ }
+
+ spin_lock(&template_list);
+ list_add_tail_rcu(&template_desc->list, &defined_templates);
--- /dev/null
+From 5f18e9f8868c6d4eae71678e7ebd4977b7d8c8cf Mon Sep 17 00:00:00 2001
+From: Kim Phillips <kim.phillips@amd.com>
+Date: Mon, 19 Sep 2022 10:56:37 -0500
+Subject: iommu/amd: Fix ivrs_acpihid cmdline parsing code
+
+From: Kim Phillips <kim.phillips@amd.com>
+
+commit 5f18e9f8868c6d4eae71678e7ebd4977b7d8c8cf upstream.
+
+The second (UID) strcmp in acpi_dev_hid_uid_match considers
+"0" and "00" different, which can prevent device registration.
+
+Have the AMD IOMMU driver's ivrs_acpihid parsing code remove
+any leading zeroes to make the UID strcmp succeed. Now users
+can safely specify "AMDxxxxx:00" or "AMDxxxxx:0" and expect
+the same behaviour.
+
+Fixes: ca3bf5d47cec ("iommu/amd: Introduces ivrs_acpihid kernel parameter")
+Signed-off-by: Kim Phillips <kim.phillips@amd.com>
+Cc: stable@vger.kernel.org
+Cc: Suravee Suthikulpanit <Suravee.Suthikulpanit@amd.com>
+Cc: Joerg Roedel <jroedel@suse.de>
+Link: https://lore.kernel.org/r/20220919155638.391481-1-kim.phillips@amd.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/amd/init.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/iommu/amd/init.c
++++ b/drivers/iommu/amd/init.c
+@@ -3226,6 +3226,13 @@ static int __init parse_ivrs_acpihid(cha
+ return 1;
+ }
+
++ /*
++ * Ignore leading zeroes after ':', so e.g., AMDI0095:00
++ * will match AMDI0095:0 in the second strcmp in acpi_dev_hid_uid_match
++ */
++ while (*uid == '0' && *(uid + 1))
++ uid++;
++
+ i = early_acpihid_map_size++;
+ memcpy(early_acpihid_map[i].hid, hid, strlen(hid));
+ memcpy(early_acpihid_map[i].uid, uid, strlen(uid));
--- /dev/null
+From f6f1234d98cce69578bfac79df147a1f6660596c Mon Sep 17 00:00:00 2001
+From: Zhang Yuchen <zhangyuchen.lcr@bytedance.com>
+Date: Fri, 7 Oct 2022 17:26:16 +0800
+Subject: ipmi: fix long wait in unload when IPMI disconnect
+
+From: Zhang Yuchen <zhangyuchen.lcr@bytedance.com>
+
+commit f6f1234d98cce69578bfac79df147a1f6660596c upstream.
+
+When fixing the problem mentioned in PATCH1, we also found
+the following problem:
+
+If the IPMI is disconnected and in the sending process, the
+uninstallation driver will be stuck for a long time.
+
+The main problem is that uninstalling the driver waits for curr_msg to
+be sent or HOSED. After stopping tasklet, the only place to trigger the
+timeout mechanism is the circular poll in shutdown_smi.
+
+The poll function delays 10us and calls smi_event_handler(smi_info,10).
+Smi_event_handler deducts 10us from kcs->ibf_timeout.
+
+But the poll func is followed by schedule_timeout_uninterruptible(1).
+The time consumed here is not counted in kcs->ibf_timeout.
+
+So when 10us is deducted from kcs->ibf_timeout, at least 1 jiffies has
+actually passed. The waiting time has increased by more than a
+hundredfold.
+
+Now instead of calling poll(). call smi_event_handler() directly and
+calculate the elapsed time.
+
+For verification, you can directly use ebpf to check the kcs->
+ibf_timeout for each call to kcs_event() when IPMI is disconnected.
+Decrement at normal rate before unloading. The decrement rate becomes
+very slow after unloading.
+
+ $ bpftrace -e 'kprobe:kcs_event {printf("kcs->ibftimeout : %d\n",
+ *(arg0+584));}'
+
+Signed-off-by: Zhang Yuchen <zhangyuchen.lcr@bytedance.com>
+Message-Id: <20221007092617.87597-3-zhangyuchen.lcr@bytedance.com>
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/ipmi/ipmi_si_intf.c | 27 +++++++++++++++++++--------
+ 1 file changed, 19 insertions(+), 8 deletions(-)
+
+--- a/drivers/char/ipmi/ipmi_si_intf.c
++++ b/drivers/char/ipmi/ipmi_si_intf.c
+@@ -2152,6 +2152,20 @@ skip_fallback_noirq:
+ }
+ module_init(init_ipmi_si);
+
++static void wait_msg_processed(struct smi_info *smi_info)
++{
++ unsigned long jiffies_now;
++ long time_diff;
++
++ while (smi_info->curr_msg || (smi_info->si_state != SI_NORMAL)) {
++ jiffies_now = jiffies;
++ time_diff = (((long)jiffies_now - (long)smi_info->last_timeout_jiffies)
++ * SI_USEC_PER_JIFFY);
++ smi_event_handler(smi_info, time_diff);
++ schedule_timeout_uninterruptible(1);
++ }
++}
++
+ static void shutdown_smi(void *send_info)
+ {
+ struct smi_info *smi_info = send_info;
+@@ -2186,16 +2200,13 @@ static void shutdown_smi(void *send_info
+ * in the BMC. Note that timers and CPU interrupts are off,
+ * so no need for locks.
+ */
+- while (smi_info->curr_msg || (smi_info->si_state != SI_NORMAL)) {
+- poll(smi_info);
+- schedule_timeout_uninterruptible(1);
+- }
++ wait_msg_processed(smi_info);
++
+ if (smi_info->handlers)
+ disable_si_irq(smi_info);
+- while (smi_info->curr_msg || (smi_info->si_state != SI_NORMAL)) {
+- poll(smi_info);
+- schedule_timeout_uninterruptible(1);
+- }
++
++ wait_msg_processed(smi_info);
++
+ if (smi_info->handlers)
+ smi_info->handlers->cleanup(smi_info->si_sm);
+
--- /dev/null
+From a92ce570c81dc0feaeb12a429b4bc65686d17967 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <error27@gmail.com>
+Date: Tue, 15 Nov 2022 16:17:43 +0300
+Subject: ipmi: fix use after free in _ipmi_destroy_user()
+
+From: Dan Carpenter <error27@gmail.com>
+
+commit a92ce570c81dc0feaeb12a429b4bc65686d17967 upstream.
+
+The intf_free() function frees the "intf" pointer so we cannot
+dereference it again on the next line.
+
+Fixes: cbb79863fc31 ("ipmi: Don't allow device module unload when in use")
+Signed-off-by: Dan Carpenter <error27@gmail.com>
+Message-Id: <Y3M8xa1drZv4CToE@kili>
+Cc: <stable@vger.kernel.org> # 5.5+
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/ipmi/ipmi_msghandler.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/ipmi/ipmi_msghandler.c
++++ b/drivers/char/ipmi/ipmi_msghandler.c
+@@ -1273,6 +1273,7 @@ static void _ipmi_destroy_user(struct ip
+ unsigned long flags;
+ struct cmd_rcvr *rcvr;
+ struct cmd_rcvr *rcvrs = NULL;
++ struct module *owner;
+
+ if (!acquire_ipmi_user(user, &i)) {
+ /*
+@@ -1334,8 +1335,9 @@ static void _ipmi_destroy_user(struct ip
+ kfree(rcvr);
+ }
+
++ owner = intf->owner;
+ kref_put(&intf->refcount, intf_free);
+- module_put(intf->owner);
++ module_put(owner);
+ }
+
+ int ipmi_destroy_user(struct ipmi_user *user)
--- /dev/null
+From dc608edf7d45ba0c2ad14c06eccd66474fec7847 Mon Sep 17 00:00:00 2001
+From: Maximilian Luz <luzmaximilian@gmail.com>
+Date: Thu, 8 Sep 2022 00:44:09 +0200
+Subject: ipu3-imgu: Fix NULL pointer dereference in imgu_subdev_set_selection()
+
+From: Maximilian Luz <luzmaximilian@gmail.com>
+
+commit dc608edf7d45ba0c2ad14c06eccd66474fec7847 upstream.
+
+Calling v4l2_subdev_get_try_crop() and v4l2_subdev_get_try_compose()
+with a subdev state of NULL leads to a NULL pointer dereference. This
+can currently happen in imgu_subdev_set_selection() when the state
+passed in is NULL, as this method first gets pointers to both the "try"
+and "active" states and only then decides which to use.
+
+The same issue has been addressed for imgu_subdev_get_selection() with
+commit 30d03a0de650 ("ipu3-imgu: Fix NULL pointer dereference in active
+selection access"). However the issue still persists in
+imgu_subdev_set_selection().
+
+Therefore, apply a similar fix as done in the aforementioned commit to
+imgu_subdev_set_selection(). To keep things a bit cleaner, introduce
+helper functions for "crop" and "compose" access and use them in both
+imgu_subdev_set_selection() and imgu_subdev_get_selection().
+
+Fixes: 0d346d2a6f54 ("media: v4l2-subdev: add subdev-wide state struct")
+Cc: stable@vger.kernel.org # for v5.14 and later
+Signed-off-by: Maximilian Luz <luzmaximilian@gmail.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/media/ipu3/ipu3-v4l2.c | 57 +++++++++++++++-----------
+ 1 file changed, 34 insertions(+), 23 deletions(-)
+
+diff --git a/drivers/staging/media/ipu3/ipu3-v4l2.c b/drivers/staging/media/ipu3/ipu3-v4l2.c
+index ce13e746c15f..e530767e80a5 100644
+--- a/drivers/staging/media/ipu3/ipu3-v4l2.c
++++ b/drivers/staging/media/ipu3/ipu3-v4l2.c
+@@ -188,6 +188,28 @@ static int imgu_subdev_set_fmt(struct v4l2_subdev *sd,
+ return 0;
+ }
+
++static struct v4l2_rect *
++imgu_subdev_get_crop(struct imgu_v4l2_subdev *sd,
++ struct v4l2_subdev_state *sd_state, unsigned int pad,
++ enum v4l2_subdev_format_whence which)
++{
++ if (which == V4L2_SUBDEV_FORMAT_TRY)
++ return v4l2_subdev_get_try_crop(&sd->subdev, sd_state, pad);
++ else
++ return &sd->rect.eff;
++}
++
++static struct v4l2_rect *
++imgu_subdev_get_compose(struct imgu_v4l2_subdev *sd,
++ struct v4l2_subdev_state *sd_state, unsigned int pad,
++ enum v4l2_subdev_format_whence which)
++{
++ if (which == V4L2_SUBDEV_FORMAT_TRY)
++ return v4l2_subdev_get_try_compose(&sd->subdev, sd_state, pad);
++ else
++ return &sd->rect.bds;
++}
++
+ static int imgu_subdev_get_selection(struct v4l2_subdev *sd,
+ struct v4l2_subdev_state *sd_state,
+ struct v4l2_subdev_selection *sel)
+@@ -200,18 +222,12 @@ static int imgu_subdev_get_selection(struct v4l2_subdev *sd,
+
+ switch (sel->target) {
+ case V4L2_SEL_TGT_CROP:
+- if (sel->which == V4L2_SUBDEV_FORMAT_TRY)
+- sel->r = *v4l2_subdev_get_try_crop(sd, sd_state,
+- sel->pad);
+- else
+- sel->r = imgu_sd->rect.eff;
++ sel->r = *imgu_subdev_get_crop(imgu_sd, sd_state, sel->pad,
++ sel->which);
+ return 0;
+ case V4L2_SEL_TGT_COMPOSE:
+- if (sel->which == V4L2_SUBDEV_FORMAT_TRY)
+- sel->r = *v4l2_subdev_get_try_compose(sd, sd_state,
+- sel->pad);
+- else
+- sel->r = imgu_sd->rect.bds;
++ sel->r = *imgu_subdev_get_compose(imgu_sd, sd_state, sel->pad,
++ sel->which);
+ return 0;
+ default:
+ return -EINVAL;
+@@ -223,10 +239,9 @@ static int imgu_subdev_set_selection(struct v4l2_subdev *sd,
+ struct v4l2_subdev_selection *sel)
+ {
+ struct imgu_device *imgu = v4l2_get_subdevdata(sd);
+- struct imgu_v4l2_subdev *imgu_sd = container_of(sd,
+- struct imgu_v4l2_subdev,
+- subdev);
+- struct v4l2_rect *rect, *try_sel;
++ struct imgu_v4l2_subdev *imgu_sd =
++ container_of(sd, struct imgu_v4l2_subdev, subdev);
++ struct v4l2_rect *rect;
+
+ dev_dbg(&imgu->pci_dev->dev,
+ "set subdev %u sel which %u target 0x%4x rect [%ux%u]",
+@@ -238,22 +253,18 @@ static int imgu_subdev_set_selection(struct v4l2_subdev *sd,
+
+ switch (sel->target) {
+ case V4L2_SEL_TGT_CROP:
+- try_sel = v4l2_subdev_get_try_crop(sd, sd_state, sel->pad);
+- rect = &imgu_sd->rect.eff;
++ rect = imgu_subdev_get_crop(imgu_sd, sd_state, sel->pad,
++ sel->which);
+ break;
+ case V4L2_SEL_TGT_COMPOSE:
+- try_sel = v4l2_subdev_get_try_compose(sd, sd_state, sel->pad);
+- rect = &imgu_sd->rect.bds;
++ rect = imgu_subdev_get_compose(imgu_sd, sd_state, sel->pad,
++ sel->which);
+ break;
+ default:
+ return -EINVAL;
+ }
+
+- if (sel->which == V4L2_SUBDEV_FORMAT_TRY)
+- *try_sel = sel->r;
+- else
+- *rect = sel->r;
+-
++ *rect = sel->r;
+ return 0;
+ }
+
+--
+2.39.0
+
--- /dev/null
+From 4555211190798b6b6fa2c37667d175bf67945c78 Mon Sep 17 00:00:00 2001
+From: Florian-Ewald Mueller <florian-ewald.mueller@ionos.com>
+Date: Tue, 25 Oct 2022 09:37:05 +0200
+Subject: md/bitmap: Fix bitmap chunk size overflow issues
+
+From: Florian-Ewald Mueller <florian-ewald.mueller@ionos.com>
+
+commit 4555211190798b6b6fa2c37667d175bf67945c78 upstream.
+
+- limit bitmap chunk size internal u64 variable to values not overflowing
+ the u32 bitmap superblock structure variable stored on persistent media
+- assign bitmap chunk size internal u64 variable from unsigned values to
+ avoid possible sign extension artifacts when assigning from a s32 value
+
+The bug has been there since at least kernel 4.0.
+Steps to reproduce it:
+1: mdadm -C /dev/mdx -l 1 --bitmap=internal --bitmap-chunk=256M -e 1.2
+-n2 /dev/rnbd1 /dev/rnbd2
+2 resize member device rnbd1 and rnbd2 to 8 TB
+3 mdadm --grow /dev/mdx --size=max
+
+The bitmap_chunksize will overflow without patch.
+
+Cc: stable@vger.kernel.org
+
+Signed-off-by: Florian-Ewald Mueller <florian-ewald.mueller@ionos.com>
+Signed-off-by: Jack Wang <jinpu.wang@ionos.com>
+Signed-off-by: Song Liu <song@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/md-bitmap.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+--- a/drivers/md/md-bitmap.c
++++ b/drivers/md/md-bitmap.c
+@@ -486,7 +486,7 @@ void md_bitmap_print_sb(struct bitmap *b
+ sb = kmap_atomic(bitmap->storage.sb_page);
+ pr_debug("%s: bitmap file superblock:\n", bmname(bitmap));
+ pr_debug(" magic: %08x\n", le32_to_cpu(sb->magic));
+- pr_debug(" version: %d\n", le32_to_cpu(sb->version));
++ pr_debug(" version: %u\n", le32_to_cpu(sb->version));
+ pr_debug(" uuid: %08x.%08x.%08x.%08x\n",
+ le32_to_cpu(*(__le32 *)(sb->uuid+0)),
+ le32_to_cpu(*(__le32 *)(sb->uuid+4)),
+@@ -497,11 +497,11 @@ void md_bitmap_print_sb(struct bitmap *b
+ pr_debug("events cleared: %llu\n",
+ (unsigned long long) le64_to_cpu(sb->events_cleared));
+ pr_debug(" state: %08x\n", le32_to_cpu(sb->state));
+- pr_debug(" chunksize: %d B\n", le32_to_cpu(sb->chunksize));
+- pr_debug(" daemon sleep: %ds\n", le32_to_cpu(sb->daemon_sleep));
++ pr_debug(" chunksize: %u B\n", le32_to_cpu(sb->chunksize));
++ pr_debug(" daemon sleep: %us\n", le32_to_cpu(sb->daemon_sleep));
+ pr_debug(" sync size: %llu KB\n",
+ (unsigned long long)le64_to_cpu(sb->sync_size)/2);
+- pr_debug("max write behind: %d\n", le32_to_cpu(sb->write_behind));
++ pr_debug("max write behind: %u\n", le32_to_cpu(sb->write_behind));
+ kunmap_atomic(sb);
+ }
+
+@@ -2106,7 +2106,8 @@ int md_bitmap_resize(struct bitmap *bitm
+ bytes = DIV_ROUND_UP(chunks, 8);
+ if (!bitmap->mddev->bitmap_info.external)
+ bytes += sizeof(bitmap_super_t);
+- } while (bytes > (space << 9));
++ } while (bytes > (space << 9) && (chunkshift + BITMAP_BLOCK_SHIFT) <
++ (BITS_PER_BYTE * sizeof(((bitmap_super_t *)0)->chunksize) - 1));
+ } else
+ chunkshift = ffz(~chunksize) - BITMAP_BLOCK_SHIFT;
+
+@@ -2151,7 +2152,7 @@ int md_bitmap_resize(struct bitmap *bitm
+ bitmap->counts.missing_pages = pages;
+ bitmap->counts.chunkshift = chunkshift;
+ bitmap->counts.chunks = chunks;
+- bitmap->mddev->bitmap_info.chunksize = 1 << (chunkshift +
++ bitmap->mddev->bitmap_info.chunksize = 1UL << (chunkshift +
+ BITMAP_BLOCK_SHIFT);
+
+ blocks = min(old_counts.chunks << old_counts.chunkshift,
+@@ -2177,8 +2178,8 @@ int md_bitmap_resize(struct bitmap *bitm
+ bitmap->counts.missing_pages = old_counts.pages;
+ bitmap->counts.chunkshift = old_counts.chunkshift;
+ bitmap->counts.chunks = old_counts.chunks;
+- bitmap->mddev->bitmap_info.chunksize = 1 << (old_counts.chunkshift +
+- BITMAP_BLOCK_SHIFT);
++ bitmap->mddev->bitmap_info.chunksize =
++ 1UL << (old_counts.chunkshift + BITMAP_BLOCK_SHIFT);
+ blocks = old_counts.chunks << old_counts.chunkshift;
+ pr_warn("Could not pre-allocate in-memory bitmap for cluster raid\n");
+ break;
+@@ -2519,6 +2520,9 @@ chunksize_store(struct mddev *mddev, con
+ if (csize < 512 ||
+ !is_power_of_2(csize))
+ return -EINVAL;
++ if (BITS_PER_LONG > 32 && csize >= (1ULL << (BITS_PER_BYTE *
++ sizeof(((bitmap_super_t *)0)->chunksize))))
++ return -EOVERFLOW;
+ mddev->bitmap_info.chunksize = csize;
+ return len;
+ }
--- /dev/null
+From 2ebc336be08160debfe27f87660cf550d710f3e9 Mon Sep 17 00:00:00 2001
+From: Alexander Sverdlin <alexander.sverdlin@nokia.com>
+Date: Fri, 19 Nov 2021 09:14:12 +0100
+Subject: mtd: spi-nor: Check for zero erase size in spi_nor_find_best_erase_type()
+
+From: Alexander Sverdlin <alexander.sverdlin@nokia.com>
+
+commit 2ebc336be08160debfe27f87660cf550d710f3e9 upstream.
+
+Erase can be zeroed in spi_nor_parse_4bait() or
+spi_nor_init_non_uniform_erase_map(). In practice it happened with
+mt25qu256a, which supports 4K, 32K, 64K erases with 3b address commands,
+but only 4K and 64K erase with 4b address commands.
+
+Fixes: dc92843159a7 ("mtd: spi-nor: fix erase_type array to indicate current map conf")
+Signed-off-by: Alexander Sverdlin <alexander.sverdlin@nokia.com>
+Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20211119081412.29732-1-alexander.sverdlin@nokia.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/spi-nor/core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/mtd/spi-nor/core.c
++++ b/drivers/mtd/spi-nor/core.c
+@@ -1409,6 +1409,8 @@ spi_nor_find_best_erase_type(const struc
+ continue;
+
+ erase = &map->erase_type[i];
++ if (!erase->size)
++ continue;
+
+ /* Alignment is not mandatory for overlaid regions */
+ if (region->offset & SNOR_OVERLAID_REGION &&
--- /dev/null
+From 41f563ab3c33698bdfc3403c7c2e6c94e73681e4 Mon Sep 17 00:00:00 2001
+From: Shang XiaoJing <shangxiaojing@huawei.com>
+Date: Thu, 17 Nov 2022 10:45:14 +0800
+Subject: parisc: led: Fix potential null-ptr-deref in start_task()
+
+From: Shang XiaoJing <shangxiaojing@huawei.com>
+
+commit 41f563ab3c33698bdfc3403c7c2e6c94e73681e4 upstream.
+
+start_task() calls create_singlethread_workqueue() and not checked the
+ret value, which may return NULL. And a null-ptr-deref may happen:
+
+start_task()
+ create_singlethread_workqueue() # failed, led_wq is NULL
+ queue_delayed_work()
+ queue_delayed_work_on()
+ __queue_delayed_work() # warning here, but continue
+ __queue_work() # access wq->flags, null-ptr-deref
+
+Check the ret value and return -ENOMEM if it is NULL.
+
+Fixes: 3499495205a6 ("[PARISC] Use work queue in LED/LCD driver instead of tasklet.")
+Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/parisc/led.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/parisc/led.c
++++ b/drivers/parisc/led.c
+@@ -137,6 +137,9 @@ static int start_task(void)
+
+ /* Create the work queue and queue the LED task */
+ led_wq = create_singlethread_workqueue("led_wq");
++ if (!led_wq)
++ return -ENOMEM;
++
+ queue_delayed_work(led_wq, &led_task, 0);
+
+ return 0;
--- /dev/null
+From 98b04dd0b4577894520493d96bc4623387767445 Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Wed, 26 Oct 2022 02:11:21 -0400
+Subject: PCI: Fix pci_device_is_present() for VFs by checking PF
+
+From: Michael S. Tsirkin <mst@redhat.com>
+
+commit 98b04dd0b4577894520493d96bc4623387767445 upstream.
+
+pci_device_is_present() previously didn't work for VFs because it reads the
+Vendor and Device ID, which are 0xffff for VFs, which looks like they
+aren't present. Check the PF instead.
+
+Wei Gong reported that if virtio I/O is in progress when the driver is
+unbound or "0" is written to /sys/.../sriov_numvfs, the virtio I/O
+operation hangs, which may result in output like this:
+
+ task:bash state:D stack: 0 pid: 1773 ppid: 1241 flags:0x00004002
+ Call Trace:
+ schedule+0x4f/0xc0
+ blk_mq_freeze_queue_wait+0x69/0xa0
+ blk_mq_freeze_queue+0x1b/0x20
+ blk_cleanup_queue+0x3d/0xd0
+ virtblk_remove+0x3c/0xb0 [virtio_blk]
+ virtio_dev_remove+0x4b/0x80
+ ...
+ device_unregister+0x1b/0x60
+ unregister_virtio_device+0x18/0x30
+ virtio_pci_remove+0x41/0x80
+ pci_device_remove+0x3e/0xb0
+
+This happened because pci_device_is_present(VF) returned "false" in
+virtio_pci_remove(), so it called virtio_break_device(). The broken vq
+meant that vring_interrupt() skipped the vq.callback() that would have
+completed the virtio I/O operation via virtblk_done().
+
+[bhelgaas: commit log, simplify to always use pci_physfn(), add stable tag]
+Link: https://lore.kernel.org/r/20221026060912.173250-1-mst@redhat.com
+Reported-by: Wei Gong <gongwei833x@gmail.com>
+Tested-by: Wei Gong <gongwei833x@gmail.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/pci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -6383,6 +6383,8 @@ bool pci_device_is_present(struct pci_de
+ {
+ u32 v;
+
++ /* Check PF if pdev is a VF, since VF Vendor/Device IDs are 0xffff */
++ pdev = pci_physfn(pdev);
+ if (pci_dev_is_disconnected(pdev))
+ return false;
+ return pci_bus_read_dev_vendor_id(pdev->bus, pdev->devfn, &v, 0);
--- /dev/null
+From aa382ffa705bea9931ec92b6f3c70e1fdb372195 Mon Sep 17 00:00:00 2001
+From: Sascha Hauer <s.hauer@pengutronix.de>
+Date: Tue, 8 Nov 2022 17:05:59 -0600
+Subject: PCI/sysfs: Fix double free in error path
+
+From: Sascha Hauer <s.hauer@pengutronix.de>
+
+commit aa382ffa705bea9931ec92b6f3c70e1fdb372195 upstream.
+
+When pci_create_attr() fails, pci_remove_resource_files() is called which
+will iterate over the res_attr[_wc] arrays and frees every non NULL entry.
+To avoid a double free here set the array entry only after it's clear we
+successfully initialized it.
+
+Fixes: b562ec8f74e4 ("PCI: Don't leak memory if sysfs_create_bin_file() fails")
+Link: https://lore.kernel.org/r/20221007070735.GX986@pengutronix.de/
+Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/pci-sysfs.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/drivers/pci/pci-sysfs.c
++++ b/drivers/pci/pci-sysfs.c
+@@ -1179,11 +1179,9 @@ static int pci_create_attr(struct pci_de
+
+ sysfs_bin_attr_init(res_attr);
+ if (write_combine) {
+- pdev->res_attr_wc[num] = res_attr;
+ sprintf(res_attr_name, "resource%d_wc", num);
+ res_attr->mmap = pci_mmap_resource_wc;
+ } else {
+- pdev->res_attr[num] = res_attr;
+ sprintf(res_attr_name, "resource%d", num);
+ if (pci_resource_flags(pdev, num) & IORESOURCE_IO) {
+ res_attr->read = pci_read_resource_io;
+@@ -1201,10 +1199,17 @@ static int pci_create_attr(struct pci_de
+ res_attr->size = pci_resource_len(pdev, num);
+ res_attr->private = (void *)(unsigned long)num;
+ retval = sysfs_create_bin_file(&pdev->dev.kobj, res_attr);
+- if (retval)
++ if (retval) {
+ kfree(res_attr);
++ return retval;
++ }
++
++ if (write_combine)
++ pdev->res_attr_wc[num] = res_attr;
++ else
++ pdev->res_attr[num] = res_attr;
+
+- return retval;
++ return 0;
+ }
+
+ /**
--- /dev/null
+From 910dd4883d757af5faac92590f33f0f7da963032 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Mon, 14 Nov 2022 09:13:43 +0100
+Subject: phy: qcom-qmp-combo: fix sc8180x reset
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit 910dd4883d757af5faac92590f33f0f7da963032 upstream.
+
+The SC8180X has two resets but the DP configuration erroneously
+described only one.
+
+In case the DP part of the PHY is initialised before the USB part (e.g.
+depending on probe order), then only the first reset would be asserted.
+
+Fixes: 1633802cd4ac ("phy: qcom: qmp: Add SC8180x USB/DP combo")
+Cc: stable@vger.kernel.org # 5.15
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://lore.kernel.org/r/20221114081346.5116-4-johan+linaro@kernel.org
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/phy/qualcomm/phy-qcom-qmp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/phy/qualcomm/phy-qcom-qmp.c
++++ b/drivers/phy/qualcomm/phy-qcom-qmp.c
+@@ -3417,8 +3417,8 @@ static const struct qmp_phy_cfg sc7180_d
+
+ .clk_list = qmp_v3_phy_clk_l,
+ .num_clks = ARRAY_SIZE(qmp_v3_phy_clk_l),
+- .reset_list = sc7180_usb3phy_reset_l,
+- .num_resets = ARRAY_SIZE(sc7180_usb3phy_reset_l),
++ .reset_list = msm8996_usb3phy_reset_l,
++ .num_resets = ARRAY_SIZE(msm8996_usb3phy_reset_l),
+ .vreg_list = qmp_phy_vreg_l,
+ .num_vregs = ARRAY_SIZE(qmp_phy_vreg_l),
+ .regs = qmp_v3_usb3phy_regs_layout,
--- /dev/null
+From 11c7f9e3131ad14b27a957496088fa488b153a48 Mon Sep 17 00:00:00 2001
+From: Maria Yu <quic_aiquny@quicinc.com>
+Date: Tue, 6 Dec 2022 09:59:57 +0800
+Subject: remoteproc: core: Do pm_relax when in RPROC_OFFLINE state
+
+From: Maria Yu <quic_aiquny@quicinc.com>
+
+commit 11c7f9e3131ad14b27a957496088fa488b153a48 upstream.
+
+Make sure that pm_relax() happens even when the remoteproc
+is stopped before the crash handler work is scheduled.
+
+Signed-off-by: Maria Yu <quic_aiquny@quicinc.com>
+Cc: stable <stable@vger.kernel.org>
+Fixes: a781e5aa5911 ("remoteproc: core: Prevent system suspend during remoteproc recovery")
+Link: https://lore.kernel.org/r/20221206015957.2616-2-quic_aiquny@quicinc.com
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/remoteproc/remoteproc_core.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/remoteproc/remoteproc_core.c
++++ b/drivers/remoteproc/remoteproc_core.c
+@@ -1955,12 +1955,18 @@ static void rproc_crash_handler_work(str
+
+ mutex_lock(&rproc->lock);
+
+- if (rproc->state == RPROC_CRASHED || rproc->state == RPROC_OFFLINE) {
++ if (rproc->state == RPROC_CRASHED) {
+ /* handle only the first crash detected */
+ mutex_unlock(&rproc->lock);
+ return;
+ }
+
++ if (rproc->state == RPROC_OFFLINE) {
++ /* Don't recover if the remote processor was stopped */
++ mutex_unlock(&rproc->lock);
++ goto out;
++ }
++
+ rproc->state = RPROC_CRASHED;
+ dev_err(dev, "handling crash #%u in %s\n", ++rproc->crash_cnt,
+ rproc->name);
+@@ -1970,6 +1976,7 @@ static void rproc_crash_handler_work(str
+ if (!rproc->recovery_disabled)
+ rproc_trigger_recovery(rproc);
+
++out:
+ pm_relax(rproc->dev.parent);
+ }
+
--- /dev/null
+From 4bd1d80efb5af640f99157f39b50fb11326ce641 Mon Sep 17 00:00:00 2001
+From: Sergey Matyukevich <sergey.matyukevich@syntacore.com>
+Date: Mon, 29 Aug 2022 23:52:19 +0300
+Subject: riscv: mm: notify remote harts about mmu cache updates
+
+From: Sergey Matyukevich <sergey.matyukevich@syntacore.com>
+
+commit 4bd1d80efb5af640f99157f39b50fb11326ce641 upstream.
+
+Current implementation of update_mmu_cache function performs local TLB
+flush. It does not take into account ASID information. Besides, it does
+not take into account other harts currently running the same mm context
+or possible migration of the running context to other harts. Meanwhile
+TLB flush is not performed for every context switch if ASID support
+is enabled.
+
+Patch [1] proposed to add ASID support to update_mmu_cache to avoid
+flushing local TLB entirely. This patch takes into account other
+harts currently running the same mm context as well as possible
+migration of this context to other harts.
+
+For this purpose the approach from flush_icache_mm is reused. Remote
+harts currently running the same mm context are informed via SBI calls
+that they need to flush their local TLBs. All the other harts are marked
+as needing a deferred TLB flush when this mm context runs on them.
+
+[1] https://lore.kernel.org/linux-riscv/20220821013926.8968-1-tjytimi@163.com/
+
+Signed-off-by: Sergey Matyukevich <sergey.matyukevich@syntacore.com>
+Fixes: 65d4b9c53017 ("RISC-V: Implement ASID allocator")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/linux-riscv/20220829205219.283543-1-geomatsi@gmail.com/#t
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/include/asm/mmu.h | 2 ++
+ arch/riscv/include/asm/pgtable.h | 2 +-
+ arch/riscv/include/asm/tlbflush.h | 18 ++++++++++++++++++
+ arch/riscv/mm/context.c | 10 ++++++++++
+ arch/riscv/mm/tlbflush.c | 28 +++++++++++-----------------
+ 5 files changed, 42 insertions(+), 18 deletions(-)
+
+--- a/arch/riscv/include/asm/mmu.h
++++ b/arch/riscv/include/asm/mmu.h
+@@ -19,6 +19,8 @@ typedef struct {
+ #ifdef CONFIG_SMP
+ /* A local icache flush is needed before user execution can resume. */
+ cpumask_t icache_stale_mask;
++ /* A local tlb flush is needed before user execution can resume. */
++ cpumask_t tlb_stale_mask;
+ #endif
+ } mm_context_t;
+
+--- a/arch/riscv/include/asm/pgtable.h
++++ b/arch/riscv/include/asm/pgtable.h
+@@ -386,7 +386,7 @@ static inline void update_mmu_cache(stru
+ * Relying on flush_tlb_fix_spurious_fault would suffice, but
+ * the extra traps reduce performance. So, eagerly SFENCE.VMA.
+ */
+- local_flush_tlb_page(address);
++ flush_tlb_page(vma, address);
+ }
+
+ static inline void update_mmu_cache_pmd(struct vm_area_struct *vma,
+--- a/arch/riscv/include/asm/tlbflush.h
++++ b/arch/riscv/include/asm/tlbflush.h
+@@ -22,6 +22,24 @@ static inline void local_flush_tlb_page(
+ {
+ ALT_FLUSH_TLB_PAGE(__asm__ __volatile__ ("sfence.vma %0" : : "r" (addr) : "memory"));
+ }
++
++static inline void local_flush_tlb_all_asid(unsigned long asid)
++{
++ __asm__ __volatile__ ("sfence.vma x0, %0"
++ :
++ : "r" (asid)
++ : "memory");
++}
++
++static inline void local_flush_tlb_page_asid(unsigned long addr,
++ unsigned long asid)
++{
++ __asm__ __volatile__ ("sfence.vma %0, %1"
++ :
++ : "r" (addr), "r" (asid)
++ : "memory");
++}
++
+ #else /* CONFIG_MMU */
+ #define local_flush_tlb_all() do { } while (0)
+ #define local_flush_tlb_page(addr) do { } while (0)
+--- a/arch/riscv/mm/context.c
++++ b/arch/riscv/mm/context.c
+@@ -196,6 +196,16 @@ switch_mm_fast:
+
+ if (need_flush_tlb)
+ local_flush_tlb_all();
++#ifdef CONFIG_SMP
++ else {
++ cpumask_t *mask = &mm->context.tlb_stale_mask;
++
++ if (cpumask_test_cpu(cpu, mask)) {
++ cpumask_clear_cpu(cpu, mask);
++ local_flush_tlb_all_asid(cntx & asid_mask);
++ }
++ }
++#endif
+ }
+
+ static void set_mm_noasid(struct mm_struct *mm)
+--- a/arch/riscv/mm/tlbflush.c
++++ b/arch/riscv/mm/tlbflush.c
+@@ -5,23 +5,7 @@
+ #include <linux/sched.h>
+ #include <asm/sbi.h>
+ #include <asm/mmu_context.h>
+-
+-static inline void local_flush_tlb_all_asid(unsigned long asid)
+-{
+- __asm__ __volatile__ ("sfence.vma x0, %0"
+- :
+- : "r" (asid)
+- : "memory");
+-}
+-
+-static inline void local_flush_tlb_page_asid(unsigned long addr,
+- unsigned long asid)
+-{
+- __asm__ __volatile__ ("sfence.vma %0, %1"
+- :
+- : "r" (addr), "r" (asid)
+- : "memory");
+-}
++#include <asm/tlbflush.h>
+
+ void flush_tlb_all(void)
+ {
+@@ -31,6 +15,7 @@ void flush_tlb_all(void)
+ static void __sbi_tlb_flush_range(struct mm_struct *mm, unsigned long start,
+ unsigned long size, unsigned long stride)
+ {
++ struct cpumask *pmask = &mm->context.tlb_stale_mask;
+ struct cpumask *cmask = mm_cpumask(mm);
+ struct cpumask hmask;
+ unsigned int cpuid;
+@@ -45,6 +30,15 @@ static void __sbi_tlb_flush_range(struct
+ if (static_branch_unlikely(&use_asid_allocator)) {
+ unsigned long asid = atomic_long_read(&mm->context.id);
+
++ /*
++ * TLB will be immediately flushed on harts concurrently
++ * executing this MM context. TLB flush on other harts
++ * is deferred until this MM context migrates there.
++ */
++ cpumask_setall(pmask);
++ cpumask_clear_cpu(cpuid, pmask);
++ cpumask_andnot(pmask, pmask, cmask);
++
+ if (broadcast) {
+ riscv_cpuid_to_hartid_mask(cmask, &hmask);
+ sbi_remote_sfence_vma_asid(cpumask_bits(&hmask),
--- /dev/null
+From 5c3022e4a616d800cf5f4c3a981d7992179e44a1 Mon Sep 17 00:00:00 2001
+From: Guo Ren <guoren@linux.alibaba.com>
+Date: Wed, 9 Nov 2022 01:49:36 -0500
+Subject: riscv: stacktrace: Fixup ftrace_graph_ret_addr retp argument
+
+From: Guo Ren <guoren@linux.alibaba.com>
+
+commit 5c3022e4a616d800cf5f4c3a981d7992179e44a1 upstream.
+
+The 'retp' is a pointer to the return address on the stack, so we
+must pass the current return address pointer as the 'retp'
+argument to ftrace_push_return_trace(). Not parent function's
+return address on the stack.
+
+Fixes: b785ec129bd9 ("riscv/ftrace: Add HAVE_FUNCTION_GRAPH_RET_ADDR_PTR support")
+Signed-off-by: Guo Ren <guoren@linux.alibaba.com>
+Signed-off-by: Guo Ren <guoren@kernel.org>
+Link: https://lore.kernel.org/r/20221109064937.3643993-2-guoren@kernel.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/kernel/stacktrace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/riscv/kernel/stacktrace.c
++++ b/arch/riscv/kernel/stacktrace.c
+@@ -60,7 +60,7 @@ void notrace walk_stackframe(struct task
+ } else {
+ fp = frame->fp;
+ pc = ftrace_graph_ret_addr(current, NULL, frame->ra,
+- (unsigned long *)(fp - 8));
++ &frame->ra);
+ }
+
+ }
cifs-fix-missing-display-of-three-mount-options.patch
rtc-ds1347-fix-value-written-to-century-register.patch
block-mq-deadline-do-not-break-sequential-write-streams-to-zoned-hdds.patch
+md-bitmap-fix-bitmap-chunk-size-overflow-issues.patch
+efi-add-imac-pro-2017-to-uefi-skip-cert-quirk.patch
+wifi-wilc1000-sdio-fix-module-autoloading.patch
+asoc-jz4740-i2s-handle-independent-fifo-flush-bits.patch
+ipu3-imgu-fix-null-pointer-dereference-in-imgu_subdev_set_selection.patch
+ipmi-fix-long-wait-in-unload-when-ipmi-disconnect.patch
+mtd-spi-nor-check-for-zero-erase-size-in-spi_nor_find_best_erase_type.patch
+ima-fix-a-potential-null-pointer-access-in-ima_restore_measurement_list.patch
+ipmi-fix-use-after-free-in-_ipmi_destroy_user.patch
+pci-fix-pci_device_is_present-for-vfs-by-checking-pf.patch
+pci-sysfs-fix-double-free-in-error-path.patch
+riscv-stacktrace-fixup-ftrace_graph_ret_addr-retp-argument.patch
+riscv-mm-notify-remote-harts-about-mmu-cache-updates.patch
+crypto-n2-add-missing-hash-statesize.patch
+crypto-ccp-add-support-for-tee-for-pci-id-0x14ca.patch
+driver-core-fix-bus_type.match-error-handling-in-__driver_attach.patch
+phy-qcom-qmp-combo-fix-sc8180x-reset.patch
+iommu-amd-fix-ivrs_acpihid-cmdline-parsing-code.patch
+remoteproc-core-do-pm_relax-when-in-rproc_offline-state.patch
+parisc-led-fix-potential-null-ptr-deref-in-start_task.patch
+device_cgroup-roll-back-to-original-exceptions-after-copy-failure.patch
+drm-connector-send-hotplug-uevent-on-connector-cleanup.patch
+drm-vmwgfx-validate-the-box-size-for-the-snooped-cursor.patch
+drm-i915-dsi-fix-vbt-send-packet-port-selection-for-dual-link-dsi.patch
+drm-ingenic-fix-missing-platform_driver_unregister-call-in-ingenic_drm_init.patch
--- /dev/null
+From 57d545b5a3d6ce3a8fb6b093f02bfcbb908973f3 Mon Sep 17 00:00:00 2001
+From: Michael Walle <michael@walle.cc>
+Date: Thu, 27 Oct 2022 19:12:21 +0200
+Subject: wifi: wilc1000: sdio: fix module autoloading
+
+From: Michael Walle <michael@walle.cc>
+
+commit 57d545b5a3d6ce3a8fb6b093f02bfcbb908973f3 upstream.
+
+There are no SDIO module aliases included in the driver, therefore,
+module autoloading isn't working. Add the proper MODULE_DEVICE_TABLE().
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Michael Walle <michael@walle.cc>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20221027171221.491937-1-michael@walle.cc
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/microchip/wilc1000/sdio.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/microchip/wilc1000/sdio.c
++++ b/drivers/net/wireless/microchip/wilc1000/sdio.c
+@@ -20,6 +20,7 @@ static const struct sdio_device_id wilc_
+ { SDIO_DEVICE(SDIO_VENDOR_ID_MICROCHIP_WILC, SDIO_DEVICE_ID_MICROCHIP_WILC1000) },
+ { },
+ };
++MODULE_DEVICE_TABLE(sdio, wilc_sdio_ids);
+
+ #define WILC_SDIO_BLOCK_SIZE 512
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
