6.0-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 29 Nov 2022 17:01:20 +0000 (18:01 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 29 Nov 2022 17:01:20 +0000 (18:01 +0100)
added patches:
arm64-dts-rockchip-lower-rk3399-puma-haikou-sd-controller-clock-frequency.patch
can-gs_usb-remove-dma-allocations.patch
cifs-fix-missing-unlock-in-cifs_file_copychunk_range.patch
cifs-use-after-free-in-debug-code.patch
dma-buf-use-dma_fence_unwrap_for_each-when-importing-fences.patch
ext4-fix-use-after-free-in-ext4_ext_shift_extents.patch
kbuild-fix-wimplicit-function-declaration-in-license_is_gpl_compatible.patch
usb-cdnsp-fix-issue-with-clear-feature-halt-endpoint.patch
usb-cdnsp-fix-issue-with-zlp-added-td_size-1.patch
usb-dwc3-exynos-fix-remove-function.patch

queue-6.0/arm64-dts-rockchip-lower-rk3399-puma-haikou-sd-controller-clock-frequency.patch [new file with mode: 0644]
queue-6.0/can-gs_usb-remove-dma-allocations.patch [new file with mode: 0644]
queue-6.0/cifs-fix-missing-unlock-in-cifs_file_copychunk_range.patch [new file with mode: 0644]
queue-6.0/cifs-use-after-free-in-debug-code.patch [new file with mode: 0644]
queue-6.0/dma-buf-use-dma_fence_unwrap_for_each-when-importing-fences.patch [new file with mode: 0644]
queue-6.0/ext4-fix-use-after-free-in-ext4_ext_shift_extents.patch [new file with mode: 0644]
queue-6.0/kbuild-fix-wimplicit-function-declaration-in-license_is_gpl_compatible.patch [new file with mode: 0644]
queue-6.0/series
queue-6.0/usb-cdnsp-fix-issue-with-clear-feature-halt-endpoint.patch [new file with mode: 0644]
queue-6.0/usb-cdnsp-fix-issue-with-zlp-added-td_size-1.patch [new file with mode: 0644]
queue-6.0/usb-dwc3-exynos-fix-remove-function.patch [new file with mode: 0644]

diff --git a/queue-6.0/arm64-dts-rockchip-lower-rk3399-puma-haikou-sd-controller-clock-frequency.patch b/queue-6.0/arm64-dts-rockchip-lower-rk3399-puma-haikou-sd-controller-clock-frequency.patch
new file mode 100644 (file)
index 0000000..683d566
--- /dev/null
@@ -0,0 +1,39 @@
+From 91e8b74fe6381e083f8aa55217bb0562785ab398 Mon Sep 17 00:00:00 2001
+From: Jakob Unterwurzacher <jakob.unterwurzacher@theobroma-systems.com>
+Date: Wed, 19 Oct 2022 16:27:27 +0200
+Subject: arm64: dts: rockchip: lower rk3399-puma-haikou SD controller clock frequency
+
+From: Jakob Unterwurzacher <jakob.unterwurzacher@theobroma-systems.com>
+
+commit 91e8b74fe6381e083f8aa55217bb0562785ab398 upstream.
+
+CRC errors (code -84 EILSEQ) have been observed for some SanDisk
+Ultra A1 cards when running at 50MHz.
+
+Waveform analysis suggest that the level shifters that are used on the
+RK3399-Q7 module for voltage translation between 3.0 and 3.3V don't
+handle clock rates at or above 48MHz properly. Back off to 40MHz for
+some safety margin.
+
+Cc: stable@vger.kernel.org
+Fixes: 60fd9f72ce8a ("arm64: dts: rockchip: add Haikou baseboard with RK3399-Q7 SoM")
+Signed-off-by: Jakob Unterwurzacher <jakob.unterwurzacher@theobroma-systems.com>
+Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
+Link: https://lore.kernel.org/r/20221019-upstream-puma-sd-40mhz-v1-0-754a76421518@theobroma-systems.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts
++++ b/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts
+@@ -207,7 +207,7 @@
+       cap-sd-highspeed;
+       cd-gpios = <&gpio0 RK_PA7 GPIO_ACTIVE_LOW>;
+       disable-wp;
+-      max-frequency = <150000000>;
++      max-frequency = <40000000>;
+       pinctrl-names = "default";
+       pinctrl-0 = <&sdmmc_clk &sdmmc_cmd &sdmmc_cd &sdmmc_bus4>;
+       vmmc-supply = <&vcc3v3_baseboard>;
diff --git a/queue-6.0/can-gs_usb-remove-dma-allocations.patch b/queue-6.0/can-gs_usb-remove-dma-allocations.patch
new file mode 100644 (file)
index 0000000..8ce4296
--- /dev/null
@@ -0,0 +1,168 @@
+From 62f102c0d1563ff6a31082f5d83b886ad2ff7ca0 Mon Sep 17 00:00:00 2001
+From: Vasanth Sadhasivan <vasanth.sadhasivan@samsara.com>
+Date: Tue, 20 Sep 2022 11:47:24 -0400
+Subject: can: gs_usb: remove dma allocations
+
+From: Vasanth Sadhasivan <vasanth.sadhasivan@samsara.com>
+
+commit 62f102c0d1563ff6a31082f5d83b886ad2ff7ca0 upstream.
+
+DMA allocated buffers are a precious resource. If there is no need for
+DMA allocations, then it might be worth to use non-dma allocated
+buffers.
+
+After testing the gs_usb driver with and without DMA allocation, there
+does not seem to be a significant change in latency or CPU utilization
+either way. Therefore, DMA allocation is not necessary and removed.
+
+Internal buffers used within urbs were managed and freed manually.
+These buffers are no longer needed to be managed by the driver. The
+URB_FREE_BUFFER flag, allows for the buffers in question to be
+automatically freed.
+
+Co-developed-by: Rhett Aultman <rhett.aultman@samsara.com>
+Signed-off-by: Rhett Aultman <rhett.aultman@samsara.com>
+Signed-off-by: Vasanth Sadhasivan <vasanth.sadhasivan@samsara.com>
+Link: https://lore.kernel.org/all/20220920154724.861093-2-rhett.aultman@samsara.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/usb/gs_usb.c |   39 ++++++---------------------------------
+ 1 file changed, 6 insertions(+), 33 deletions(-)
+
+--- a/drivers/net/can/usb/gs_usb.c
++++ b/drivers/net/can/usb/gs_usb.c
+@@ -268,8 +268,6 @@ struct gs_can {
+       struct usb_anchor tx_submitted;
+       atomic_t active_tx_urbs;
+-      void *rxbuf[GS_MAX_RX_URBS];
+-      dma_addr_t rxbuf_dma[GS_MAX_RX_URBS];
+ };
+ /* usb interface struct */
+@@ -587,9 +585,6 @@ static void gs_usb_xmit_callback(struct
+       if (urb->status)
+               netdev_info(netdev, "usb xmit fail %u\n", txc->echo_id);
+-
+-      usb_free_coherent(urb->dev, urb->transfer_buffer_length,
+-                        urb->transfer_buffer, urb->transfer_dma);
+ }
+ static netdev_tx_t gs_can_start_xmit(struct sk_buff *skb,
+@@ -618,8 +613,7 @@ static netdev_tx_t gs_can_start_xmit(str
+       if (!urb)
+               goto nomem_urb;
+-      hf = usb_alloc_coherent(dev->udev, dev->hf_size_tx, GFP_ATOMIC,
+-                              &urb->transfer_dma);
++      hf = kmalloc(dev->hf_size_tx, GFP_ATOMIC);
+       if (!hf) {
+               netdev_err(netdev, "No memory left for USB buffer\n");
+               goto nomem_hf;
+@@ -663,7 +657,7 @@ static netdev_tx_t gs_can_start_xmit(str
+                         hf, dev->hf_size_tx,
+                         gs_usb_xmit_callback, txc);
+-      urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
++      urb->transfer_flags |= URB_FREE_BUFFER;
+       usb_anchor_urb(urb, &dev->tx_submitted);
+       can_put_echo_skb(skb, netdev, idx, 0);
+@@ -678,8 +672,6 @@ static netdev_tx_t gs_can_start_xmit(str
+               gs_free_tx_context(txc);
+               usb_unanchor_urb(urb);
+-              usb_free_coherent(dev->udev, urb->transfer_buffer_length,
+-                                urb->transfer_buffer, urb->transfer_dma);
+               if (rc == -ENODEV) {
+                       netif_device_detach(netdev);
+@@ -699,8 +691,7 @@ static netdev_tx_t gs_can_start_xmit(str
+       return NETDEV_TX_OK;
+  badidx:
+-      usb_free_coherent(dev->udev, urb->transfer_buffer_length,
+-                        urb->transfer_buffer, urb->transfer_dma);
++      kfree(hf);
+  nomem_hf:
+       usb_free_urb(urb);
+@@ -744,7 +735,6 @@ static int gs_can_open(struct net_device
+               for (i = 0; i < GS_MAX_RX_URBS; i++) {
+                       struct urb *urb;
+                       u8 *buf;
+-                      dma_addr_t buf_dma;
+                       /* alloc rx urb */
+                       urb = usb_alloc_urb(0, GFP_KERNEL);
+@@ -752,10 +742,8 @@ static int gs_can_open(struct net_device
+                               return -ENOMEM;
+                       /* alloc rx buffer */
+-                      buf = usb_alloc_coherent(dev->udev,
+-                                               dev->parent->hf_size_rx,
+-                                               GFP_KERNEL,
+-                                               &buf_dma);
++                      buf = kmalloc(dev->parent->hf_size_rx,
++                                    GFP_KERNEL);
+                       if (!buf) {
+                               netdev_err(netdev,
+                                          "No memory left for USB buffer\n");
+@@ -763,8 +751,6 @@ static int gs_can_open(struct net_device
+                               return -ENOMEM;
+                       }
+-                      urb->transfer_dma = buf_dma;
+-
+                       /* fill, anchor, and submit rx urb */
+                       usb_fill_bulk_urb(urb,
+                                         dev->udev,
+@@ -773,7 +759,7 @@ static int gs_can_open(struct net_device
+                                         buf,
+                                         dev->parent->hf_size_rx,
+                                         gs_usb_receive_bulk_callback, parent);
+-                      urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
++                      urb->transfer_flags |= URB_FREE_BUFFER;
+                       usb_anchor_urb(urb, &parent->rx_submitted);
+@@ -786,17 +772,10 @@ static int gs_can_open(struct net_device
+                                          "usb_submit failed (err=%d)\n", rc);
+                               usb_unanchor_urb(urb);
+-                              usb_free_coherent(dev->udev,
+-                                                sizeof(struct gs_host_frame),
+-                                                buf,
+-                                                buf_dma);
+                               usb_free_urb(urb);
+                               break;
+                       }
+-                      dev->rxbuf[i] = buf;
+-                      dev->rxbuf_dma[i] = buf_dma;
+-
+                       /* Drop reference,
+                        * USB core will take care of freeing it
+                        */
+@@ -854,7 +833,6 @@ static int gs_can_close(struct net_devic
+       int rc;
+       struct gs_can *dev = netdev_priv(netdev);
+       struct gs_usb *parent = dev->parent;
+-      unsigned int i;
+       netif_stop_queue(netdev);
+@@ -862,11 +840,6 @@ static int gs_can_close(struct net_devic
+       parent->active_channels--;
+       if (!parent->active_channels) {
+               usb_kill_anchored_urbs(&parent->rx_submitted);
+-              for (i = 0; i < GS_MAX_RX_URBS; i++)
+-                      usb_free_coherent(dev->udev,
+-                                        sizeof(struct gs_host_frame),
+-                                        dev->rxbuf[i],
+-                                        dev->rxbuf_dma[i]);
+       }
+       /* Stop sending URBs */
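Review bot: The transmit buffer in gs_can_start_xmit() now comes from `kmalloc(dev->hf_size_tx, GFP_ATOMIC)`, which returns uninitialised memory, and the URB is then filled with the full `dev->hf_size_tx` length. The code that populates `hf` lies outside the hunk, so it cannot be confirmed here that every byte is written before submission; if a field or trailing payload bytes are left untouched, stale kernel heap contents would be sent to the USB device. `hf = kzalloc(dev->hf_size_tx, GFP_ATOMIC);` would rule that out at negligible cost. gs_can_start_xmit() starts and ends outside the hunks shown.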
diff --git a/queue-6.0/cifs-fix-missing-unlock-in-cifs_file_copychunk_range.patch b/queue-6.0/cifs-fix-missing-unlock-in-cifs_file_copychunk_range.patch
new file mode 100644 (file)
index 0000000..198dd24
--- /dev/null
@@ -0,0 +1,56 @@
+From 502487847743018c93d75b401eac2ea4c4973123 Mon Sep 17 00:00:00 2001
+From: ChenXiaoSong <chenxiaosong2@huawei.com>
+Date: Sat, 19 Nov 2022 12:51:59 +0800
+Subject: cifs: fix missing unlock in cifs_file_copychunk_range()
+
+From: ChenXiaoSong <chenxiaosong2@huawei.com>
+
+commit 502487847743018c93d75b401eac2ea4c4973123 upstream.
+
+xfstests generic/013 and generic/476 reported WARNING as follows:
+
+  WARNING: lock held when returning to user space!
+  6.1.0-rc5+ #4 Not tainted
+  ------------------------------------------------
+  fsstress/504233 is leaving the kernel with locks still held!
+  2 locks held by fsstress/504233:
+   #0: ffff888054c38850 (&sb->s_type->i_mutex_key#21){+.+.}-{3:3}, at:
+                        lock_two_nondirectories+0xcf/0xf0
+   #1: ffff8880b8fec750 (&sb->s_type->i_mutex_key#21/4){+.+.}-{3:3}, at:
+                        lock_two_nondirectories+0xb7/0xf0
+
+This will lead to deadlock and hungtask.
+
+Fix this by releasing locks when failed to write out on a file range in
+cifs_file_copychunk_range().
+
+Fixes: 3e3761f1ec7d ("smb3: use filemap_write_and_wait_range instead of filemap_write_and_wait")
+Cc: stable@vger.kernel.org # 6.0
+Reviewed-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
+Signed-off-by: ChenXiaoSong <chenxiaosong2@huawei.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/cifsfs.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/cifs/cifsfs.c
++++ b/fs/cifs/cifsfs.c
+@@ -1252,7 +1252,7 @@ ssize_t cifs_file_copychunk_range(unsign
+       rc = filemap_write_and_wait_range(src_inode->i_mapping, off,
+                                         off + len - 1);
+       if (rc)
+-              goto out;
++              goto unlock;
+       /* should we flush first and last page first */
+       truncate_inode_pages(&target_inode->i_data, 0);
+@@ -1268,6 +1268,8 @@ ssize_t cifs_file_copychunk_range(unsign
+        * that target is updated on the server
+        */
+       CIFS_I(target_inode)->time = 0;
++
++unlock:
+       /* although unlocking in the reverse order from locking is not
+        * strictly necessary here it is a little cleaner to be consistent
+        */
diff --git a/queue-6.0/cifs-use-after-free-in-debug-code.patch b/queue-6.0/cifs-use-after-free-in-debug-code.patch
new file mode 100644 (file)
index 0000000..41fd87b
--- /dev/null
@@ -0,0 +1,47 @@
+From f391d6ee002ea022c62dc0b09d0578f3ccce81be Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 18 Nov 2022 14:48:00 +0300
+Subject: cifs: Use after free in debug code
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit f391d6ee002ea022c62dc0b09d0578f3ccce81be upstream.
+
+This debug code dereferences "old_iface" after it was already freed by
+the call to release_iface().  Re-order the debugging to avoid this
+issue.
+
+Fixes: b54034a73baf ("cifs: during reconnect, update interface if necessary")
+Cc: stable@vger.kernel.org # 5.19+
+Reviewed-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/sess.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
+index 92e4278ec35d..9e7d9f0baa18 100644
+--- a/fs/cifs/sess.c
++++ b/fs/cifs/sess.c
+@@ -302,14 +302,14 @@ cifs_chan_update_iface(struct cifs_ses *ses, struct TCP_Server_Info *server)
+       /* now drop the ref to the current iface */
+       if (old_iface && iface) {
+-              kref_put(&old_iface->refcount, release_iface);
+               cifs_dbg(FYI, "replacing iface: %pIS with %pIS\n",
+                        &old_iface->sockaddr,
+                        &iface->sockaddr);
+-      } else if (old_iface) {
+               kref_put(&old_iface->refcount, release_iface);
++      } else if (old_iface) {
+               cifs_dbg(FYI, "releasing ref to iface: %pIS\n",
+                        &old_iface->sockaddr);
++              kref_put(&old_iface->refcount, release_iface);
+       } else {
+               WARN_ON(!iface);
+               cifs_dbg(FYI, "adding new iface: %pIS\n", &iface->sockaddr);
+-- 
+2.38.1
+
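Review bot: Nothing in the reordered branches records why `cifs_dbg()` must run before `kref_put()`, so a later cleanup could move the calls back and reintroduce the use-after-free the description mentions. A one-line comment above each put, e.g. `/* log before the put: release_iface() may free old_iface */`, would pin the ordering. Separately, the final branch still passes `&iface->sockaddr` to `cifs_dbg()` right after `WARN_ON(!iface)`, so the warning alone does not keep a NULL `iface` out of the format call. The function continues outside the hunk, so how that case should be handled needs checking against the rest of the body.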
diff --git a/queue-6.0/dma-buf-use-dma_fence_unwrap_for_each-when-importing-fences.patch b/queue-6.0/dma-buf-use-dma_fence_unwrap_for_each-when-importing-fences.patch
new file mode 100644 (file)
index 0000000..4cd9061
--- /dev/null
@@ -0,0 +1,84 @@
+From c19083c72ea72a1c12037bb3d708014632df80e4 Mon Sep 17 00:00:00 2001
+From: Jason Ekstrand <jason@jlekstrand.net>
+Date: Tue, 2 Aug 2022 16:01:58 -0500
+Subject: dma-buf: Use dma_fence_unwrap_for_each when importing fences
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jason Ekstrand <jason@jlekstrand.net>
+
+commit c19083c72ea72a1c12037bb3d708014632df80e4 upstream.
+
+Ever since 68129f431faa ("dma-buf: warn about containers in dma_resv object"),
+dma_resv_add_shared_fence will warn if you attempt to add a container fence.
+While most drivers were fine, fences can also be added to a dma_resv via the
+recently added DMA_BUF_IOCTL_IMPORT_SYNC_FILE.  Use dma_fence_unwrap_for_each
+to add each fence one at a time.
+
+Fixes: 594740497e99 ("dma-buf: Add an API for importing sync files (v10)")
+Signed-off-by: Jason Ekstrand <jason.ekstrand@collabora.com>
+Reported-by: Sarah Walker <Sarah.Walker@imgtec.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+CC: stable@vger.kernel.org
+Link: https://patchwork.freedesktop.org/patch/msgid/20220802210158.4162525-1-jason.ekstrand@collabora.com
+Signed-off-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma-buf/dma-buf.c | 23 +++++++++++++++++------
+ 1 file changed, 17 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
+index dd0f83ee505b..e6f36c014c4c 100644
+--- a/drivers/dma-buf/dma-buf.c
++++ b/drivers/dma-buf/dma-buf.c
+@@ -15,6 +15,7 @@
+ #include <linux/slab.h>
+ #include <linux/dma-buf.h>
+ #include <linux/dma-fence.h>
++#include <linux/dma-fence-unwrap.h>
+ #include <linux/anon_inodes.h>
+ #include <linux/export.h>
+ #include <linux/debugfs.h>
+@@ -391,8 +392,10 @@ static long dma_buf_import_sync_file(struct dma_buf *dmabuf,
+                                    const void __user *user_data)
+ {
+       struct dma_buf_import_sync_file arg;
+-      struct dma_fence *fence;
++      struct dma_fence *fence, *f;
+       enum dma_resv_usage usage;
++      struct dma_fence_unwrap iter;
++      unsigned int num_fences;
+       int ret = 0;
+       if (copy_from_user(&arg, user_data, sizeof(arg)))
+@@ -411,13 +414,21 @@ static long dma_buf_import_sync_file(struct dma_buf *dmabuf,
+       usage = (arg.flags & DMA_BUF_SYNC_WRITE) ? DMA_RESV_USAGE_WRITE :
+                                                  DMA_RESV_USAGE_READ;
+-      dma_resv_lock(dmabuf->resv, NULL);
++      num_fences = 0;
++      dma_fence_unwrap_for_each(f, &iter, fence)
++              ++num_fences;
+-      ret = dma_resv_reserve_fences(dmabuf->resv, 1);
+-      if (!ret)
+-              dma_resv_add_fence(dmabuf->resv, fence, usage);
++      if (num_fences > 0) {
++              dma_resv_lock(dmabuf->resv, NULL);
+-      dma_resv_unlock(dmabuf->resv);
++              ret = dma_resv_reserve_fences(dmabuf->resv, num_fences);
++              if (!ret) {
++                      dma_fence_unwrap_for_each(f, &iter, fence)
++                              dma_resv_add_fence(dmabuf->resv, f, usage);
++              }
++
++              dma_resv_unlock(dmabuf->resv);
++      }
+       dma_fence_put(fence);
+-- 
+2.38.1
+
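Review bot: The counting pass and the adding pass walk `fence` separately, and `dma_resv_reserve_fences(dmabuf->resv, num_fences)` is only sufficient if the second `dma_fence_unwrap_for_each()` never yields more fences than the first. The macro's definition is not on this page, so that invariant is presumably guaranteed by how containers are unwrapped, but it should be stated next to the counter, e.g. `/* count first: a slot must be reserved for every fence added below */`. This path is reached from an ioctl with a user-supplied sync file (`copy_from_user()` is visible just above), so the assumption deserves to be explicit. The function continues past the end of the hunk.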
diff --git a/queue-6.0/ext4-fix-use-after-free-in-ext4_ext_shift_extents.patch b/queue-6.0/ext4-fix-use-after-free-in-ext4_ext_shift_extents.patch
new file mode 100644 (file)
index 0000000..f1b0665
--- /dev/null
@@ -0,0 +1,101 @@
+From f6b1a1cf1c3ee430d3f5e47847047ce789a690aa Mon Sep 17 00:00:00 2001
+From: Baokun Li <libaokun1@huawei.com>
+Date: Thu, 22 Sep 2022 20:04:34 +0800
+Subject: ext4: fix use-after-free in ext4_ext_shift_extents
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Baokun Li <libaokun1@huawei.com>
+
+commit f6b1a1cf1c3ee430d3f5e47847047ce789a690aa upstream.
+
+If the starting position of our insert range happens to be in the hole
+between the two ext4_extent_idx, because the lblk of the ext4_extent in
+the previous ext4_extent_idx is always less than the start, which leads
+to the "extent" variable access across the boundary, the following UAF is
+triggered:
+==================================================================
+BUG: KASAN: use-after-free in ext4_ext_shift_extents+0x257/0x790
+Read of size 4 at addr ffff88819807a008 by task fallocate/8010
+CPU: 3 PID: 8010 Comm: fallocate Tainted: G            E     5.10.0+ #492
+Call Trace:
+ dump_stack+0x7d/0xa3
+ print_address_description.constprop.0+0x1e/0x220
+ kasan_report.cold+0x67/0x7f
+ ext4_ext_shift_extents+0x257/0x790
+ ext4_insert_range+0x5b6/0x700
+ ext4_fallocate+0x39e/0x3d0
+ vfs_fallocate+0x26f/0x470
+ ksys_fallocate+0x3a/0x70
+ __x64_sys_fallocate+0x4f/0x60
+ do_syscall_64+0x33/0x40
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+==================================================================
+
+For right shifts, we can divide them into the following situations:
+
+1. When the first ee_block of ext4_extent_idx is greater than or equal to
+   start, make right shifts directly from the first ee_block.
+    1) If it is greater than start, we need to continue searching in the
+       previous ext4_extent_idx.
+    2) If it is equal to start, we can exit the loop (iterator=NULL).
+
+2. When the first ee_block of ext4_extent_idx is less than start, then
+   traverse from the last extent to find the first extent whose ee_block
+   is less than start.
+    1) If extent is still the last extent after traversal, it means that
+       the last ee_block of ext4_extent_idx is less than start, that is,
+       start is located in the hole between idx and (idx+1), so we can
+       exit the loop directly (break) without right shifts.
+    2) Otherwise, make right shifts at the corresponding position of the
+       found extent, and then exit the loop (iterator=NULL).
+
+Fixes: 331573febb6a ("ext4: Add support FALLOC_FL_INSERT_RANGE for fallocate")
+Cc: stable@vger.kernel.org # v4.2+
+Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Link: https://lore.kernel.org/r/20220922120434.1294789-1-libaokun1@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/extents.c |   18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -5183,6 +5183,7 @@ ext4_ext_shift_extents(struct inode *ino
+        * and it is decreased till we reach start.
+        */
+ again:
++      ret = 0;
+       if (SHIFT == SHIFT_LEFT)
+               iterator = &start;
+       else
+@@ -5226,14 +5227,21 @@ again:
+                                       ext4_ext_get_actual_len(extent);
+               } else {
+                       extent = EXT_FIRST_EXTENT(path[depth].p_hdr);
+-                      if (le32_to_cpu(extent->ee_block) > 0)
++                      if (le32_to_cpu(extent->ee_block) > start)
+                               *iterator = le32_to_cpu(extent->ee_block) - 1;
+-                      else
+-                              /* Beginning is reached, end of the loop */
++                      else if (le32_to_cpu(extent->ee_block) == start)
+                               iterator = NULL;
+-                      /* Update path extent in case we need to stop */
+-                      while (le32_to_cpu(extent->ee_block) < start)
++                      else {
++                              extent = EXT_LAST_EXTENT(path[depth].p_hdr);
++                              while (le32_to_cpu(extent->ee_block) >= start)
++                                      extent--;
++
++                              if (extent == EXT_LAST_EXTENT(path[depth].p_hdr))
++                                      break;
++
+                               extent++;
++                              iterator = NULL;
++                      }
+                       path[depth].p_ext = extent;
+               }
+               ret = ext4_ext_shift_path_extents(path, shift, inode,
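Review bot: The new backwards scan `while (le32_to_cpu(extent->ee_block) >= start) extent--;` has no explicit lower bound; it stops only because this `else` branch is entered when the first extent's `ee_block` is below `start`. That reasoning holds as long as `EXT_LAST_EXTENT()` does not lie before `EXT_FIRST_EXTENT()`, i.e. the leaf has at least one entry, and whether that is checked earlier is outside the hunk. A comment above the loop such as `/* bounded: the first extent has ee_block < start in this branch */` would record the invariant for a loop that walks on-disk data. ext4_ext_shift_extents() starts and ends outside the hunks shown.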
diff --git a/queue-6.0/kbuild-fix-wimplicit-function-declaration-in-license_is_gpl_compatible.patch b/queue-6.0/kbuild-fix-wimplicit-function-declaration-in-license_is_gpl_compatible.patch
new file mode 100644 (file)
index 0000000..7f88290
--- /dev/null
@@ -0,0 +1,44 @@
+From 50c697215a8cc22f0e58c88f06f2716c05a26e85 Mon Sep 17 00:00:00 2001
+From: Sam James <sam@gentoo.org>
+Date: Wed, 16 Nov 2022 18:26:34 +0000
+Subject: kbuild: fix -Wimplicit-function-declaration in license_is_gpl_compatible
+
+From: Sam James <sam@gentoo.org>
+
+commit 50c697215a8cc22f0e58c88f06f2716c05a26e85 upstream.
+
+Add missing <linux/string.h> include for strcmp.
+
+Clang 16 makes -Wimplicit-function-declaration an error by default.
+Unfortunately, out of tree modules may use this in configure scripts,
+which means failure might cause silent miscompilation or misconfiguration.
+
+For more information, see LWN.net [0] or LLVM's Discourse [1], gentoo-dev@ [2],
+or the (new) c-std-porting mailing list [3].
+
+[0] https://lwn.net/Articles/913505/
+[1] https://discourse.llvm.org/t/configure-script-breakage-with-the-new-werror-implicit-function-declaration/65213
+[2] https://archives.gentoo.org/gentoo-dev/message/dd9f2d3082b8b6f8dfbccb0639e6e240
+[3] hosted at lists.linux.dev.
+
+[akpm@linux-foundation.org: remember "linux/"]
+Link: https://lkml.kernel.org/r/20221116182634.2823136-1-sam@gentoo.org
+Signed-off-by: Sam James <sam@gentoo.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/license.h |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/include/linux/license.h
++++ b/include/linux/license.h
+@@ -2,6 +2,8 @@
+ #ifndef __LICENSE_H
+ #define __LICENSE_H
++#include <linux/string.h>
++
+ static inline int license_is_gpl_compatible(const char *license)
+ {
+       return (strcmp(license, "GPL") == 0
index bbbf3a90de98344ae65998707d332ad7d5ca9bb6..8315de0545326554204d3fb0379622a96ad83ca4 100644 (file)
@@ -158,6 +158,16 @@ s390-crashdump-fix-tod-programmable-field-size.patch
 io_uring-filetable-fix-file-reference-underflow.patch
 io_uring-poll-fix-poll_refs-race-with-cancelation.patch
 lib-vdso-use-grep-e-instead-of-egrep.patch
+can-gs_usb-remove-dma-allocations.patch
+usb-dwc3-exynos-fix-remove-function.patch
+usb-cdnsp-fix-issue-with-clear-feature-halt-endpoint.patch
+usb-cdnsp-fix-issue-with-zlp-added-td_size-1.patch
+dma-buf-use-dma_fence_unwrap_for_each-when-importing-fences.patch
+cifs-fix-missing-unlock-in-cifs_file_copychunk_range.patch
+cifs-use-after-free-in-debug-code.patch
+ext4-fix-use-after-free-in-ext4_ext_shift_extents.patch
+arm64-dts-rockchip-lower-rk3399-puma-haikou-sd-controller-clock-frequency.patch
+kbuild-fix-wimplicit-function-declaration-in-license_is_gpl_compatible.patch
 init-kconfig-fix-cc_has_asm_goto_tied_output-test-wi.patch
 nfsd-fix-reads-with-a-non-zero-offset-that-don-t-end.patch
 nios2-add-force-for-vmlinuz.gz.patch
diff --git a/queue-6.0/usb-cdnsp-fix-issue-with-clear-feature-halt-endpoint.patch b/queue-6.0/usb-cdnsp-fix-issue-with-clear-feature-halt-endpoint.patch
new file mode 100644 (file)
index 0000000..2163aa2
--- /dev/null
@@ -0,0 +1,66 @@
+From b25264f22b498dff3fa5c70c9bea840e83fff0d1 Mon Sep 17 00:00:00 2001
+From: Pawel Laszczak <pawell@cadence.com>
+Date: Thu, 10 Nov 2022 01:30:05 -0500
+Subject: usb: cdnsp: Fix issue with Clear Feature Halt Endpoint
+
+From: Pawel Laszczak <pawell@cadence.com>
+
+commit b25264f22b498dff3fa5c70c9bea840e83fff0d1 upstream.
+
+During handling Clear Halt Endpoint Feature request, driver invokes
+Reset Endpoint command. Because this command has some issue with
+transition endpoint from Running to Idle state the driver must
+stop the endpoint by using Stop Endpoint command.
+
+cc: <stable@vger.kernel.org>
+Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
+Reviewed-by: Peter Chen <peter.chen@kernel.org>
+Signed-off-by: Pawel Laszczak <pawell@cadence.com>
+Link: https://lore.kernel.org/r/20221110063005.370656-1-pawell@cadence.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/cdns3/cdnsp-gadget.c |   12 ++++--------
+ drivers/usb/cdns3/cdnsp-ring.c   |    3 ++-
+ 2 files changed, 6 insertions(+), 9 deletions(-)
+
+--- a/drivers/usb/cdns3/cdnsp-gadget.c
++++ b/drivers/usb/cdns3/cdnsp-gadget.c
+@@ -600,11 +600,11 @@ int cdnsp_halt_endpoint(struct cdnsp_dev
+       trace_cdnsp_ep_halt(value ? "Set" : "Clear");
+-      if (value) {
+-              ret = cdnsp_cmd_stop_ep(pdev, pep);
+-              if (ret)
+-                      return ret;
++      ret = cdnsp_cmd_stop_ep(pdev, pep);
++      if (ret)
++              return ret;
++      if (value) {
+               if (GET_EP_CTX_STATE(pep->out_ctx) == EP_STATE_STOPPED) {
+                       cdnsp_queue_halt_endpoint(pdev, pep->idx);
+                       cdnsp_ring_cmd_db(pdev);
+@@ -613,10 +613,6 @@ int cdnsp_halt_endpoint(struct cdnsp_dev
+               pep->ep_state |= EP_HALTED;
+       } else {
+-              /*
+-               * In device mode driver can call reset endpoint command
+-               * from any endpoint state.
+-               */
+               cdnsp_queue_reset_ep(pdev, pep->idx);
+               cdnsp_ring_cmd_db(pdev);
+               ret = cdnsp_wait_for_cmd_compl(pdev);
+--- a/drivers/usb/cdns3/cdnsp-ring.c
++++ b/drivers/usb/cdns3/cdnsp-ring.c
+@@ -2076,7 +2076,8 @@ int cdnsp_cmd_stop_ep(struct cdnsp_devic
+       u32 ep_state = GET_EP_CTX_STATE(pep->out_ctx);
+       int ret = 0;
+-      if (ep_state == EP_STATE_STOPPED || ep_state == EP_STATE_DISABLED) {
++      if (ep_state == EP_STATE_STOPPED || ep_state == EP_STATE_DISABLED ||
++          ep_state == EP_STATE_HALTED) {
+               trace_cdnsp_ep_stopped_or_disabled(pep->out_ctx);
+               goto ep_stopped;
+       }
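Review bot: The comment deleted from the `else` branch is not replaced, so nothing in `cdnsp_halt_endpoint()` explains why `cdnsp_cmd_stop_ep()` now runs before the reset as well as before the halt. A short comment above the call, e.g. `/* Reset Endpoint does not reliably take a Running endpoint to Idle; stop it first */`, would carry the rationale from the commit description into the code. In cdnsp-ring.c the early exit now also covers `EP_STATE_HALTED`, while the tracepoint is still named `trace_cdnsp_ep_stopped_or_disabled`, which may mislead when reading traces. Both functions continue outside the hunks shown.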
diff --git a/queue-6.0/usb-cdnsp-fix-issue-with-zlp-added-td_size-1.patch b/queue-6.0/usb-cdnsp-fix-issue-with-zlp-added-td_size-1.patch
new file mode 100644 (file)
index 0000000..83820c6
--- /dev/null
@@ -0,0 +1,70 @@
+From 7a21b27aafa3edead79ed97e6f22236be6b9f447 Mon Sep 17 00:00:00 2001
+From: Pawel Laszczak <pawell@cadence.com>
+Date: Tue, 15 Nov 2022 04:22:18 -0500
+Subject: usb: cdnsp: fix issue with ZLP - added TD_SIZE = 1
+
+From: Pawel Laszczak <pawell@cadence.com>
+
+commit 7a21b27aafa3edead79ed97e6f22236be6b9f447 upstream.
+
+Patch modifies the TD_SIZE in TRB before ZLP TRB.
+The TD_SIZE in TRB before ZLP TRB must be set to 1 to force
+processing ZLP TRB by controller.
+
+cc: <stable@vger.kernel.org>
+Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
+Signed-off-by: Pawel Laszczak <pawell@cadence.com>
+Reviewed-by: Peter Chen <peter.chen@kernel.org>
+Link: https://lore.kernel.org/r/20221115092218.421267-1-pawell@cadence.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/cdns3/cdnsp-ring.c |   14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/cdns3/cdnsp-ring.c
++++ b/drivers/usb/cdns3/cdnsp-ring.c
+@@ -1763,10 +1763,15 @@ static u32 cdnsp_td_remainder(struct cdn
+                             int trb_buff_len,
+                             unsigned int td_total_len,
+                             struct cdnsp_request *preq,
+-                            bool more_trbs_coming)
++                            bool more_trbs_coming,
++                            bool zlp)
+ {
+       u32 maxp, total_packet_count;
++      /* Before ZLP driver needs set TD_SIZE = 1. */
++      if (zlp)
++              return 1;
++
+       /* One TRB with a zero-length data packet. */
+       if (!more_trbs_coming || (transferred == 0 && trb_buff_len == 0) ||
+           trb_buff_len == td_total_len)
+@@ -1960,7 +1965,8 @@ int cdnsp_queue_bulk_tx(struct cdnsp_dev
+               /* Set the TRB length, TD size, and interrupter fields. */
+               remainder = cdnsp_td_remainder(pdev, enqd_len, trb_buff_len,
+                                              full_len, preq,
+-                                             more_trbs_coming);
++                                             more_trbs_coming,
++                                             zero_len_trb);
+               length_field = TRB_LEN(trb_buff_len) | TRB_TD_SIZE(remainder) |
+                       TRB_INTR_TARGET(0);
+@@ -2025,7 +2031,7 @@ int cdnsp_queue_ctrl_tx(struct cdnsp_dev
+       if (preq->request.length > 0) {
+               remainder = cdnsp_td_remainder(pdev, 0, preq->request.length,
+-                                             preq->request.length, preq, 1);
++                                             preq->request.length, preq, 1, 0);
+               length_field = TRB_LEN(preq->request.length) |
+                               TRB_TD_SIZE(remainder) | TRB_INTR_TARGET(0);
+@@ -2226,7 +2232,7 @@ static int cdnsp_queue_isoc_tx(struct cd
+               /* Set the TRB length, TD size, & interrupter fields. */
+               remainder = cdnsp_td_remainder(pdev, running_total,
+                                              trb_buff_len, td_len, preq,
+-                                             more_trbs_coming);
++                                             more_trbs_coming, 0);
+               length_field = TRB_LEN(trb_buff_len) | TRB_INTR_TARGET(0);
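Review bot: The two trailing `bool` parameters of `cdnsp_td_remainder()` are passed as bare integers in `cdnsp_queue_ctrl_tx()` (`preq, 1, 0`) and `cdnsp_queue_isoc_tx()` (`more_trbs_coming, 0`), which makes the adjacent flags easy to transpose. Writing `preq, true, false` and `more_trbs_coming, false` keeps the call sites readable now that there are two flags. The new comment could also say which TRB is meant, e.g. `/* The TRB preceding a ZLP TRB must carry TD_SIZE = 1. */`.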
diff --git a/queue-6.0/usb-dwc3-exynos-fix-remove-function.patch b/queue-6.0/usb-dwc3-exynos-fix-remove-function.patch
new file mode 100644 (file)
index 0000000..5f2c8b0
--- /dev/null
@@ -0,0 +1,51 @@
+From e0481e5b3cc12ea7ccf4552d41518c89d3509004 Mon Sep 17 00:00:00 2001
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+Date: Thu, 10 Nov 2022 16:41:31 +0100
+Subject: usb: dwc3: exynos: Fix remove() function
+
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+
+commit e0481e5b3cc12ea7ccf4552d41518c89d3509004 upstream.
+
+The core DWC3 device node was not properly removed by the custom
+dwc3_exynos_remove_child() function. Replace it with generic
+of_platform_depopulate() which does that job right.
+
+Fixes: adcf20dcd262 ("usb: dwc3: exynos: Use of_platform API to create dwc3 core pdev")
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Sam Protsenko <semen.protsenko@linaro.org>
+Link: https://lore.kernel.org/r/20221110154131.2577-1-m.szyprowski@samsung.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/dwc3-exynos.c |   11 +----------
+ 1 file changed, 1 insertion(+), 10 deletions(-)
+
+--- a/drivers/usb/dwc3/dwc3-exynos.c
++++ b/drivers/usb/dwc3/dwc3-exynos.c
+@@ -37,15 +37,6 @@ struct dwc3_exynos {
+       struct regulator        *vdd10;
+ };
+-static int dwc3_exynos_remove_child(struct device *dev, void *unused)
+-{
+-      struct platform_device *pdev = to_platform_device(dev);
+-
+-      platform_device_unregister(pdev);
+-
+-      return 0;
+-}
+-
+ static int dwc3_exynos_probe(struct platform_device *pdev)
+ {
+       struct dwc3_exynos      *exynos;
+@@ -142,7 +133,7 @@ static int dwc3_exynos_remove(struct pla
+       struct dwc3_exynos      *exynos = platform_get_drvdata(pdev);
+       int i;
+-      device_for_each_child(&pdev->dev, NULL, dwc3_exynos_remove_child);
++      of_platform_depopulate(&pdev->dev);
+       for (i = exynos->num_clks - 1; i >= 0; i--)
+               clk_disable_unprepare(exynos->clks[i]);