5.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 16 Nov 2020 16:02:57 +0000 (17:02 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 16 Nov 2020 16:02:57 +0000 (17:02 +0100)
added patches:
block-add-a-return-value-to-set_capacity_revalidate_and_notify.patch
btrfs-dev-replace-fail-mount-if-we-don-t-have-replace-item-with-target-device.patch
btrfs-fix-min-reserved-size-calculation-in-merge_reloc_root.patch
btrfs-fix-potential-overflow-in-cluster_pages_for_defrag-on-32bit-arch.patch
btrfs-ref-verify-fix-memory-leak-in-btrfs_ref_tree_mod.patch
erofs-derive-atime-instead-of-leaving-it-empty.patch
erofs-fix-setting-up-pcluster-for-temporary-pages.patch
ext4-correctly-report-not-supported-for-usr-grp-jquota-when-config_quota.patch
ext4-unlock-xattr_sem-properly-in-ext4_inline_data_truncate.patch
firmware-xilinx-fix-out-of-bounds-access.patch
kvm-arm64-don-t-hide-id-registers-from-userspace.patch
loop-fix-occasional-uevent-drop.patch
revert-usb-musb-convert-to-devm_platform_ioremap_resource_byname.patch
speakup-fix-clearing-selection-in-safe-context.patch
speakup-fix-var_id_t-values-and-thus-keymap.patch
speakup-ttyio-do-not-schedule-in-ttyio_in_nowait.patch
thunderbolt-add-the-missed-ida_simple_remove-in-ring_request_msix.patch
thunderbolt-fix-memory-leak-if-ida_simple_get-fails-in-enumerate_services.patch
uio-fix-use-after-free-in-uio_unregister_device.patch
usb-cdc-acm-add-disable_echo-for-renesas-usb-download-mode.patch
usb-typec-ucsi-report-power-supply-changes.patch

22 files changed:
queue-5.9/block-add-a-return-value-to-set_capacity_revalidate_and_notify.patch [new file with mode: 0644]
queue-5.9/btrfs-dev-replace-fail-mount-if-we-don-t-have-replace-item-with-target-device.patch [new file with mode: 0644]
queue-5.9/btrfs-fix-min-reserved-size-calculation-in-merge_reloc_root.patch [new file with mode: 0644]
queue-5.9/btrfs-fix-potential-overflow-in-cluster_pages_for_defrag-on-32bit-arch.patch [new file with mode: 0644]
queue-5.9/btrfs-ref-verify-fix-memory-leak-in-btrfs_ref_tree_mod.patch [new file with mode: 0644]
queue-5.9/erofs-derive-atime-instead-of-leaving-it-empty.patch [new file with mode: 0644]
queue-5.9/erofs-fix-setting-up-pcluster-for-temporary-pages.patch [new file with mode: 0644]
queue-5.9/ext4-correctly-report-not-supported-for-usr-grp-jquota-when-config_quota.patch [new file with mode: 0644]
queue-5.9/ext4-unlock-xattr_sem-properly-in-ext4_inline_data_truncate.patch [new file with mode: 0644]
queue-5.9/firmware-xilinx-fix-out-of-bounds-access.patch [new file with mode: 0644]
queue-5.9/kvm-arm64-don-t-hide-id-registers-from-userspace.patch [new file with mode: 0644]
queue-5.9/loop-fix-occasional-uevent-drop.patch [new file with mode: 0644]
queue-5.9/revert-usb-musb-convert-to-devm_platform_ioremap_resource_byname.patch [new file with mode: 0644]
queue-5.9/series
queue-5.9/speakup-fix-clearing-selection-in-safe-context.patch [new file with mode: 0644]
queue-5.9/speakup-fix-var_id_t-values-and-thus-keymap.patch [new file with mode: 0644]
queue-5.9/speakup-ttyio-do-not-schedule-in-ttyio_in_nowait.patch [new file with mode: 0644]
queue-5.9/thunderbolt-add-the-missed-ida_simple_remove-in-ring_request_msix.patch [new file with mode: 0644]
queue-5.9/thunderbolt-fix-memory-leak-if-ida_simple_get-fails-in-enumerate_services.patch [new file with mode: 0644]
queue-5.9/uio-fix-use-after-free-in-uio_unregister_device.patch [new file with mode: 0644]
queue-5.9/usb-cdc-acm-add-disable_echo-for-renesas-usb-download-mode.patch [new file with mode: 0644]
queue-5.9/usb-typec-ucsi-report-power-supply-changes.patch [new file with mode: 0644]

diff --git a/queue-5.9/block-add-a-return-value-to-set_capacity_revalidate_and_notify.patch b/queue-5.9/block-add-a-return-value-to-set_capacity_revalidate_and_notify.patch
new file mode 100644 (file)
index 0000000..ae29b7a
--- /dev/null
@@ -0,0 +1,55 @@
+From 7e890c37c25c7cbca37ff0ab292873d8146e713b Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Thu, 12 Nov 2020 17:50:04 +0100
+Subject: block: add a return value to set_capacity_revalidate_and_notify
+
+From: Christoph Hellwig <hch@lst.de>
+
+commit 7e890c37c25c7cbca37ff0ab292873d8146e713b upstream.
+
+Return if the function ended up sending an uevent or not.
+
+Cc: stable@vger.kernel.org # v5.9
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Petr Vorel <pvorel@suse.cz>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/genhd.c         |    5 ++++-
+ include/linux/genhd.h |    2 +-
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+--- a/block/genhd.c
++++ b/block/genhd.c
+@@ -49,7 +49,7 @@ static void disk_release_events(struct g
+  * Set disk capacity and notify if the size is not currently
+  * zero and will not be set to zero
+  */
+-void set_capacity_revalidate_and_notify(struct gendisk *disk, sector_t size,
++bool set_capacity_revalidate_and_notify(struct gendisk *disk, sector_t size,
+                                       bool revalidate)
+ {
+       sector_t capacity = get_capacity(disk);
+@@ -63,7 +63,10 @@ void set_capacity_revalidate_and_notify(
+               char *envp[] = { "RESIZE=1", NULL };
+               kobject_uevent_env(&disk_to_dev(disk)->kobj, KOBJ_CHANGE, envp);
++              return true;
+       }
++
++      return false;
+ }
+ EXPORT_SYMBOL_GPL(set_capacity_revalidate_and_notify);
+--- a/include/linux/genhd.h
++++ b/include/linux/genhd.h
+@@ -315,7 +315,7 @@ static inline int get_disk_ro(struct gen
+ extern void disk_block_events(struct gendisk *disk);
+ extern void disk_unblock_events(struct gendisk *disk);
+ extern void disk_flush_events(struct gendisk *disk, unsigned int mask);
+-extern void set_capacity_revalidate_and_notify(struct gendisk *disk,
++extern bool set_capacity_revalidate_and_notify(struct gendisk *disk,
+                       sector_t size, bool revalidate);
+ extern unsigned int disk_clear_events(struct gendisk *disk, unsigned int mask);
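Review bot: The block comment above set_capacity_revalidate_and_notify() in block/genhd.c still describes only the side effect and says nothing about the new bool result. A caller has to read the body to learn that `true` means a RESIZE uevent was sent and `false` means none was. I would extend that comment with a line such as `Returns true if a RESIZE uevent was sent, false otherwise.` Part of the function body lies between the two genhd.c hunks and is not visible here, so the wording should be checked against the full condition.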
diff --git a/queue-5.9/btrfs-dev-replace-fail-mount-if-we-don-t-have-replace-item-with-target-device.patch b/queue-5.9/btrfs-dev-replace-fail-mount-if-we-don-t-have-replace-item-with-target-device.patch
new file mode 100644 (file)
index 0000000..897ad38
--- /dev/null
@@ -0,0 +1,146 @@
+From cf89af146b7e62af55470cf5f3ec3c56ec144a5e Mon Sep 17 00:00:00 2001
+From: Anand Jain <anand.jain@oracle.com>
+Date: Fri, 30 Oct 2020 06:53:56 +0800
+Subject: btrfs: dev-replace: fail mount if we don't have replace item with target device
+
+From: Anand Jain <anand.jain@oracle.com>
+
+commit cf89af146b7e62af55470cf5f3ec3c56ec144a5e upstream.
+
+If there is a device BTRFS_DEV_REPLACE_DEVID without the device replace
+item, then it means the filesystem is inconsistent state. This is either
+corruption or a crafted image.  Fail the mount as this needs a closer
+look what is actually wrong.
+
+As of now if BTRFS_DEV_REPLACE_DEVID is present without the replace
+item, in __btrfs_free_extra_devids() we determine that there is an
+extra device, and free those extra devices but continue to mount the
+device.
+However, we were wrong in keeping tack of the rw_devices so the syzbot
+testcase failed:
+
+  WARNING: CPU: 1 PID: 3612 at fs/btrfs/volumes.c:1166 close_fs_devices.part.0+0x607/0x800 fs/btrfs/volumes.c:1166
+  Kernel panic - not syncing: panic_on_warn set ...
+  CPU: 1 PID: 3612 Comm: syz-executor.2 Not tainted 5.9.0-rc4-syzkaller #0
+  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+  Call Trace:
+   __dump_stack lib/dump_stack.c:77 [inline]
+   dump_stack+0x198/0x1fd lib/dump_stack.c:118
+   panic+0x347/0x7c0 kernel/panic.c:231
+   __warn.cold+0x20/0x46 kernel/panic.c:600
+   report_bug+0x1bd/0x210 lib/bug.c:198
+   handle_bug+0x38/0x90 arch/x86/kernel/traps.c:234
+   exc_invalid_op+0x14/0x40 arch/x86/kernel/traps.c:254
+   asm_exc_invalid_op+0x12/0x20 arch/x86/include/asm/idtentry.h:536
+  RIP: 0010:close_fs_devices.part.0+0x607/0x800 fs/btrfs/volumes.c:1166
+  RSP: 0018:ffffc900091777e0 EFLAGS: 00010246
+  RAX: 0000000000040000 RBX: ffffffffffffffff RCX: ffffc9000c8b7000
+  RDX: 0000000000040000 RSI: ffffffff83097f47 RDI: 0000000000000007
+  RBP: dffffc0000000000 R08: 0000000000000001 R09: ffff8880988a187f
+  R10: 0000000000000000 R11: 0000000000000001 R12: ffff88809593a130
+  R13: ffff88809593a1ec R14: ffff8880988a1908 R15: ffff88809593a050
+   close_fs_devices fs/btrfs/volumes.c:1193 [inline]
+   btrfs_close_devices+0x95/0x1f0 fs/btrfs/volumes.c:1179
+   open_ctree+0x4984/0x4a2d fs/btrfs/disk-io.c:3434
+   btrfs_fill_super fs/btrfs/super.c:1316 [inline]
+   btrfs_mount_root.cold+0x14/0x165 fs/btrfs/super.c:1672
+
+The fix here is, when we determine that there isn't a replace item
+then fail the mount if there is a replace target device (devid 0).
+
+CC: stable@vger.kernel.org # 4.19+
+Reported-by: syzbot+4cfe71a4da060be47502@syzkaller.appspotmail.com
+Signed-off-by: Anand Jain <anand.jain@oracle.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/dev-replace.c |   26 ++++++++++++++++++++++++--
+ fs/btrfs/volumes.c     |   26 +++++++-------------------
+ 2 files changed, 31 insertions(+), 21 deletions(-)
+
+--- a/fs/btrfs/dev-replace.c
++++ b/fs/btrfs/dev-replace.c
+@@ -95,6 +95,17 @@ int btrfs_init_dev_replace(struct btrfs_
+       ret = btrfs_search_slot(NULL, dev_root, &key, path, 0, 0);
+       if (ret) {
+ no_valid_dev_replace_entry_found:
++              /*
++               * We don't have a replace item or it's corrupted.  If there is
++               * a replace target, fail the mount.
++               */
++              if (btrfs_find_device(fs_info->fs_devices,
++                                    BTRFS_DEV_REPLACE_DEVID, NULL, NULL, false)) {
++                      btrfs_err(fs_info,
++                      "found replace target device without a valid replace item");
++                      ret = -EUCLEAN;
++                      goto out;
++              }
+               ret = 0;
+               dev_replace->replace_state =
+                       BTRFS_IOCTL_DEV_REPLACE_STATE_NEVER_STARTED;
+@@ -147,8 +158,19 @@ no_valid_dev_replace_entry_found:
+       case BTRFS_IOCTL_DEV_REPLACE_STATE_NEVER_STARTED:
+       case BTRFS_IOCTL_DEV_REPLACE_STATE_FINISHED:
+       case BTRFS_IOCTL_DEV_REPLACE_STATE_CANCELED:
+-              dev_replace->srcdev = NULL;
+-              dev_replace->tgtdev = NULL;
++              /*
++               * We don't have an active replace item but if there is a
++               * replace target, fail the mount.
++               */
++              if (btrfs_find_device(fs_info->fs_devices,
++                                    BTRFS_DEV_REPLACE_DEVID, NULL, NULL, false)) {
++                      btrfs_err(fs_info,
++                      "replace devid present without an active replace item");
++                      ret = -EUCLEAN;
++              } else {
++                      dev_replace->srcdev = NULL;
++                      dev_replace->tgtdev = NULL;
++              }
+               break;
+       case BTRFS_IOCTL_DEV_REPLACE_STATE_STARTED:
+       case BTRFS_IOCTL_DEV_REPLACE_STATE_SUSPENDED:
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -1064,22 +1064,13 @@ again:
+                       continue;
+               }
+-              if (device->devid == BTRFS_DEV_REPLACE_DEVID) {
+-                      /*
+-                       * In the first step, keep the device which has
+-                       * the correct fsid and the devid that is used
+-                       * for the dev_replace procedure.
+-                       * In the second step, the dev_replace state is
+-                       * read from the device tree and it is known
+-                       * whether the procedure is really active or
+-                       * not, which means whether this device is
+-                       * used or whether it should be removed.
+-                       */
+-                      if (step == 0 || test_bit(BTRFS_DEV_STATE_REPLACE_TGT,
+-                                                &device->dev_state)) {
+-                              continue;
+-                      }
+-              }
++              /*
++               * We have already validated the presence of BTRFS_DEV_REPLACE_DEVID,
++               * in btrfs_init_dev_replace() so just continue.
++               */
++              if (device->devid == BTRFS_DEV_REPLACE_DEVID)
++                      continue;
++
+               if (device->bdev) {
+                       blkdev_put(device->bdev, device->mode);
+                       device->bdev = NULL;
+@@ -1088,9 +1079,6 @@ again:
+               if (test_bit(BTRFS_DEV_STATE_WRITEABLE, &device->dev_state)) {
+                       list_del_init(&device->dev_alloc_list);
+                       clear_bit(BTRFS_DEV_STATE_WRITEABLE, &device->dev_state);
+-                      if (!test_bit(BTRFS_DEV_STATE_REPLACE_TGT,
+-                                    &device->dev_state))
+-                              fs_devices->rw_devices--;
+               }
+               list_del_init(&device->dev_list);
+               fs_devices->num_devices--;
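Review bot: The last fs/btrfs/volumes.c hunk removes `fs_devices->rw_devices--` altogether, although the branch it sat in still takes a writeable device off `dev_alloc_list` and clears BTRFS_DEV_STATE_WRITEABLE. With BTRFS_DEV_REPLACE_DEVID now skipped by the earlier `continue`, the REPLACE_TGT test is redundant, but the decrement itself still looks necessary for any other writeable device freed in this loop. Without it rw_devices would stay too high, which appears to be the same kind of accounting mismatch behind the close_fs_devices warning quoted in the description, and a corrupted or crafted image could plausibly reach it. I would keep an unconditional `fs_devices->rw_devices--;` after the `clear_bit()` call. The loop and the enclosing function start outside the hunk, so this should be confirmed against the full body.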
diff --git a/queue-5.9/btrfs-fix-min-reserved-size-calculation-in-merge_reloc_root.patch b/queue-5.9/btrfs-fix-min-reserved-size-calculation-in-merge_reloc_root.patch
new file mode 100644 (file)
index 0000000..dc72007
--- /dev/null
@@ -0,0 +1,89 @@
+From fca3a45d08782a2bb85e048fb8e3128b1388d7b7 Mon Sep 17 00:00:00 2001
+From: Josef Bacik <josef@toxicpanda.com>
+Date: Mon, 26 Oct 2020 16:57:27 -0400
+Subject: btrfs: fix min reserved size calculation in merge_reloc_root
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+commit fca3a45d08782a2bb85e048fb8e3128b1388d7b7 upstream.
+
+The minimum reserve size was adjusted to take into account the height of
+the tree we are merging, however we can have a root with a level == 0.
+What we want is root_level + 1 to get the number of nodes we may have to
+cow.  This fixes the enospc_debug warning pops with btrfs/101.
+
+Nikolay: this fixes failures on btrfs/060 btrfs/062 btrfs/063 and
+btrfs/195 That I was seeing, the call trace was:
+
+  [ 3680.515564] ------------[ cut here ]------------
+  [ 3680.515566] BTRFS: block rsv returned -28
+  [ 3680.515585] WARNING: CPU: 2 PID: 8339 at fs/btrfs/block-rsv.c:521 btrfs_use_block_rsv+0x162/0x180
+  [ 3680.515587] Modules linked in:
+  [ 3680.515591] CPU: 2 PID: 8339 Comm: btrfs Tainted: G        W         5.9.0-rc8-default #95
+  [ 3680.515593] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014
+  [ 3680.515595] RIP: 0010:btrfs_use_block_rsv+0x162/0x180
+  [ 3680.515600] RSP: 0018:ffffa01ac9753910 EFLAGS: 00010282
+  [ 3680.515602] RAX: 0000000000000000 RBX: ffff984b34200000 RCX: 0000000000000027
+  [ 3680.515604] RDX: 0000000000000027 RSI: 0000000000000000 RDI: ffff984b3bd19e28
+  [ 3680.515606] RBP: 0000000000004000 R08: ffff984b3bd19e20 R09: 0000000000000001
+  [ 3680.515608] R10: 0000000000000004 R11: 0000000000000046 R12: ffff984b264fdc00
+  [ 3680.515609] R13: ffff984b13149000 R14: 00000000ffffffe4 R15: ffff984b34200000
+  [ 3680.515613] FS:  00007f4e2912b8c0(0000) GS:ffff984b3bd00000(0000) knlGS:0000000000000000
+  [ 3680.515615] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+  [ 3680.515617] CR2: 00007fab87122150 CR3: 0000000118e42000 CR4: 00000000000006e0
+  [ 3680.515620] Call Trace:
+  [ 3680.515627]  btrfs_alloc_tree_block+0x8b/0x340
+  [ 3680.515633]  ? __lock_acquire+0x51a/0xac0
+  [ 3680.515646]  alloc_tree_block_no_bg_flush+0x4f/0x60
+  [ 3680.515651]  __btrfs_cow_block+0x14e/0x7e0
+  [ 3680.515662]  btrfs_cow_block+0x144/0x2c0
+  [ 3680.515670]  merge_reloc_root+0x4d4/0x610
+  [ 3680.515675]  ? btrfs_lookup_fs_root+0x78/0x90
+  [ 3680.515686]  merge_reloc_roots+0xee/0x280
+  [ 3680.515695]  relocate_block_group+0x2ce/0x5e0
+  [ 3680.515704]  btrfs_relocate_block_group+0x16e/0x310
+  [ 3680.515711]  btrfs_relocate_chunk+0x38/0xf0
+  [ 3680.515716]  btrfs_shrink_device+0x200/0x560
+  [ 3680.515728]  btrfs_rm_device+0x1ae/0x6a6
+  [ 3680.515744]  ? _copy_from_user+0x6e/0xb0
+  [ 3680.515750]  btrfs_ioctl+0x1afe/0x28c0
+  [ 3680.515755]  ? find_held_lock+0x2b/0x80
+  [ 3680.515760]  ? do_user_addr_fault+0x1f8/0x418
+  [ 3680.515773]  ? __x64_sys_ioctl+0x77/0xb0
+  [ 3680.515775]  __x64_sys_ioctl+0x77/0xb0
+  [ 3680.515781]  do_syscall_64+0x31/0x70
+  [ 3680.515785]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Reported-by: Nikolay Borisov <nborisov@suse.com>
+Fixes: 44d354abf33e ("btrfs: relocation: review the call sites which can be interrupted by signal")
+CC: stable@vger.kernel.org # 5.4+
+Reviewed-by: Nikolay Borisov <nborisov@suse.com>
+Tested-by: Nikolay Borisov <nborisov@suse.com>
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/relocation.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/relocation.c
++++ b/fs/btrfs/relocation.c
+@@ -1646,6 +1646,7 @@ static noinline_for_stack int merge_relo
+       struct btrfs_root_item *root_item;
+       struct btrfs_path *path;
+       struct extent_buffer *leaf;
++      int reserve_level;
+       int level;
+       int max_level;
+       int replaced = 0;
+@@ -1694,7 +1695,8 @@ static noinline_for_stack int merge_relo
+        * Thus the needed metadata size is at most root_level * nodesize,
+        * and * 2 since we have two trees to COW.
+        */
+-      min_reserved = fs_info->nodesize * btrfs_root_level(root_item) * 2;
++      reserve_level = max_t(int, 1, btrfs_root_level(root_item));
++      min_reserved = fs_info->nodesize * reserve_level * 2;
+       memset(&next_key, 0, sizeof(next_key));
+       while (1) {
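Review bot: `reserve_level = max_t(int, 1, btrfs_root_level(root_item));` does not compute what the description asks for. The message says the reservation should be root_level + 1, but this yields root_level for every level >= 1 and only lifts level 0 to 1. If root_level + 1 is the intended bound, the line would read `reserve_level = btrfs_root_level(root_item) + 1;`. If max(1, level) is intended, the comment just above (`at most root_level * nodesize`) should say so, for example `at most max(1, root_level) * nodesize`. An undersized reservation only surfaces later as the `block rsv returned -28` warning shown in the trace, so the comment and the arithmetic should agree; the function body extends beyond both hunks.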
diff --git a/queue-5.9/btrfs-fix-potential-overflow-in-cluster_pages_for_defrag-on-32bit-arch.patch b/queue-5.9/btrfs-fix-potential-overflow-in-cluster_pages_for_defrag-on-32bit-arch.patch
new file mode 100644 (file)
index 0000000..20eea3c
--- /dev/null
@@ -0,0 +1,66 @@
+From a1fbc6750e212c5675a4e48d7f51d44607eb8756 Mon Sep 17 00:00:00 2001
+From: "Matthew Wilcox (Oracle)" <willy@infradead.org>
+Date: Sun, 4 Oct 2020 19:04:26 +0100
+Subject: btrfs: fix potential overflow in cluster_pages_for_defrag on 32bit arch
+
+From: Matthew Wilcox (Oracle) <willy@infradead.org>
+
+commit a1fbc6750e212c5675a4e48d7f51d44607eb8756 upstream.
+
+On 32-bit systems, this shift will overflow for files larger than 4GB as
+start_index is unsigned long while the calls to btrfs_delalloc_*_space
+expect u64.
+
+CC: stable@vger.kernel.org # 4.4+
+Fixes: df480633b891 ("btrfs: extent-tree: Switch to new delalloc space reserve and release")
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Reviewed-by: David Sterba <dsterba@suse.com>
+[ define the variable instead of repeating the shift ]
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/ioctl.c |   10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -1261,6 +1261,7 @@ static int cluster_pages_for_defrag(stru
+       u64 page_start;
+       u64 page_end;
+       u64 page_cnt;
++      u64 start = (u64)start_index << PAGE_SHIFT;
+       int ret;
+       int i;
+       int i_done;
+@@ -1277,8 +1278,7 @@ static int cluster_pages_for_defrag(stru
+       page_cnt = min_t(u64, (u64)num_pages, (u64)file_end - start_index + 1);
+       ret = btrfs_delalloc_reserve_space(BTRFS_I(inode), &data_reserved,
+-                      start_index << PAGE_SHIFT,
+-                      page_cnt << PAGE_SHIFT);
++                      start, page_cnt << PAGE_SHIFT);
+       if (ret)
+               return ret;
+       i_done = 0;
+@@ -1367,8 +1367,7 @@ again:
+               btrfs_mod_outstanding_extents(BTRFS_I(inode), 1);
+               spin_unlock(&BTRFS_I(inode)->lock);
+               btrfs_delalloc_release_space(BTRFS_I(inode), data_reserved,
+-                              start_index << PAGE_SHIFT,
+-                              (page_cnt - i_done) << PAGE_SHIFT, true);
++                              start, (page_cnt - i_done) << PAGE_SHIFT, true);
+       }
+@@ -1395,8 +1394,7 @@ out:
+               put_page(pages[i]);
+       }
+       btrfs_delalloc_release_space(BTRFS_I(inode), data_reserved,
+-                      start_index << PAGE_SHIFT,
+-                      page_cnt << PAGE_SHIFT, true);
++                      start, page_cnt << PAGE_SHIFT, true);
+       btrfs_delalloc_release_extents(BTRFS_I(inode), page_cnt << PAGE_SHIFT);
+       extent_changeset_free(data_reserved);
+       return ret;
diff --git a/queue-5.9/btrfs-ref-verify-fix-memory-leak-in-btrfs_ref_tree_mod.patch b/queue-5.9/btrfs-ref-verify-fix-memory-leak-in-btrfs_ref_tree_mod.patch
new file mode 100644 (file)
index 0000000..d7121ab
--- /dev/null
@@ -0,0 +1,33 @@
+From 468600c6ec28613b756193c5f780aac062f1acdf Mon Sep 17 00:00:00 2001
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Date: Wed, 21 Oct 2020 13:36:55 +0800
+Subject: btrfs: ref-verify: fix memory leak in btrfs_ref_tree_mod
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+commit 468600c6ec28613b756193c5f780aac062f1acdf upstream.
+
+There is one error handling path that does not free ref, which may cause
+a minor memory leak.
+
+CC: stable@vger.kernel.org # 4.19+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/btrfs/ref-verify.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/btrfs/ref-verify.c
++++ b/fs/btrfs/ref-verify.c
+@@ -860,6 +860,7 @@ int btrfs_ref_tree_mod(struct btrfs_fs_i
+ "dropping a ref for a root that doesn't have a ref on the block");
+                       dump_block_entry(fs_info, be);
+                       dump_ref_action(fs_info, ra);
++                      kfree(ref);
+                       kfree(ra);
+                       goto out_unlock;
+               }
diff --git a/queue-5.9/erofs-derive-atime-instead-of-leaving-it-empty.patch b/queue-5.9/erofs-derive-atime-instead-of-leaving-it-empty.patch
new file mode 100644 (file)
index 0000000..3e6983e
--- /dev/null
@@ -0,0 +1,79 @@
+From d3938ee23e97bfcac2e0eb6b356875da73d700df Mon Sep 17 00:00:00 2001
+From: Gao Xiang <hsiangkao@redhat.com>
+Date: Sun, 1 Nov 2020 03:51:02 +0800
+Subject: erofs: derive atime instead of leaving it empty
+
+From: Gao Xiang <hsiangkao@redhat.com>
+
+commit d3938ee23e97bfcac2e0eb6b356875da73d700df upstream.
+
+EROFS has _only one_ ondisk timestamp (ctime is currently
+documented and recorded, we might also record mtime instead
+with a new compat feature if needed) for each extended inode
+since EROFS isn't mainly for archival purposes so no need to
+keep all timestamps on disk especially for Android scenarios
+due to security concerns. Also, romfs/cramfs don't have their
+own on-disk timestamp, and squashfs only records mtime instead.
+
+Let's also derive access time from ondisk timestamp rather than
+leaving it empty, and if mtime/atime for each file are really
+needed for specific scenarios as well, we can also use xattrs
+to record them then.
+
+Link: https://lore.kernel.org/r/20201031195102.21221-1-hsiangkao@aol.com
+[ Gao Xiang: It'd be better to backport for user-friendly concern. ]
+Fixes: 431339ba9042 ("staging: erofs: add inode operations")
+Cc: stable <stable@vger.kernel.org> # 4.19+
+Reported-by: nl6720 <nl6720@gmail.com>
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Gao Xiang <hsiangkao@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/erofs/inode.c |   21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+--- a/fs/erofs/inode.c
++++ b/fs/erofs/inode.c
+@@ -107,11 +107,9 @@ static struct page *erofs_read_inode(str
+               i_gid_write(inode, le32_to_cpu(die->i_gid));
+               set_nlink(inode, le32_to_cpu(die->i_nlink));
+-              /* ns timestamp */
+-              inode->i_mtime.tv_sec = inode->i_ctime.tv_sec =
+-                      le64_to_cpu(die->i_ctime);
+-              inode->i_mtime.tv_nsec = inode->i_ctime.tv_nsec =
+-                      le32_to_cpu(die->i_ctime_nsec);
++              /* extended inode has its own timestamp */
++              inode->i_ctime.tv_sec = le64_to_cpu(die->i_ctime);
++              inode->i_ctime.tv_nsec = le32_to_cpu(die->i_ctime_nsec);
+               inode->i_size = le64_to_cpu(die->i_size);
+@@ -149,11 +147,9 @@ static struct page *erofs_read_inode(str
+               i_gid_write(inode, le16_to_cpu(dic->i_gid));
+               set_nlink(inode, le16_to_cpu(dic->i_nlink));
+-              /* use build time to derive all file time */
+-              inode->i_mtime.tv_sec = inode->i_ctime.tv_sec =
+-                      sbi->build_time;
+-              inode->i_mtime.tv_nsec = inode->i_ctime.tv_nsec =
+-                      sbi->build_time_nsec;
++              /* use build time for compact inodes */
++              inode->i_ctime.tv_sec = sbi->build_time;
++              inode->i_ctime.tv_nsec = sbi->build_time_nsec;
+               inode->i_size = le32_to_cpu(dic->i_size);
+               if (erofs_inode_is_data_compressed(vi->datalayout))
+@@ -167,6 +163,11 @@ static struct page *erofs_read_inode(str
+               goto err_out;
+       }
++      inode->i_mtime.tv_sec = inode->i_ctime.tv_sec;
++      inode->i_atime.tv_sec = inode->i_ctime.tv_sec;
++      inode->i_mtime.tv_nsec = inode->i_ctime.tv_nsec;
++      inode->i_atime.tv_nsec = inode->i_ctime.tv_nsec;
++
+       if (!nblks)
+               /* measure inode.i_blocks as generic filesystems */
+               inode->i_blocks = roundup(inode->i_size, EROFS_BLKSIZ) >> 9;
diff --git a/queue-5.9/erofs-fix-setting-up-pcluster-for-temporary-pages.patch b/queue-5.9/erofs-fix-setting-up-pcluster-for-temporary-pages.patch
new file mode 100644 (file)
index 0000000..c92c051
--- /dev/null
@@ -0,0 +1,45 @@
+From a30573b3cdc77b8533d004ece1ea7c0146b437a0 Mon Sep 17 00:00:00 2001
+From: Gao Xiang <hsiangkao@redhat.com>
+Date: Thu, 22 Oct 2020 22:57:21 +0800
+Subject: erofs: fix setting up pcluster for temporary pages
+
+From: Gao Xiang <hsiangkao@redhat.com>
+
+commit a30573b3cdc77b8533d004ece1ea7c0146b437a0 upstream.
+
+pcluster should be only set up for all managed pages instead of
+temporary pages. Since it currently uses page->mapping to identify,
+the impact is minor for now.
+
+[ Update: Vladimir reported the kernel log becomes polluted
+  because PAGE_FLAGS_CHECK_AT_FREE flag(s) set if the page
+  allocation debug option is enabled. ]
+
+Link: https://lore.kernel.org/r/20201022145724.27284-1-hsiangkao@aol.com
+Fixes: 5ddcee1f3a1c ("erofs: get rid of __stagingpage_alloc helper")
+Cc: <stable@vger.kernel.org> # 5.5+
+Tested-by: Vladimir Zapolskiy <vladimir@tuxera.com>
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Gao Xiang <hsiangkao@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/erofs/zdata.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/erofs/zdata.c
++++ b/fs/erofs/zdata.c
+@@ -1080,8 +1080,11 @@ out_allocpage:
+               cond_resched();
+               goto repeat;
+       }
+-      set_page_private(page, (unsigned long)pcl);
+-      SetPagePrivate(page);
++
++      if (tocache) {
++              set_page_private(page, (unsigned long)pcl);
++              SetPagePrivate(page);
++      }
+ out:  /* the only exit (for tracing and debugging) */
+       return page;
+ }
diff --git a/queue-5.9/ext4-correctly-report-not-supported-for-usr-grp-jquota-when-config_quota.patch b/queue-5.9/ext4-correctly-report-not-supported-for-usr-grp-jquota-when-config_quota.patch
new file mode 100644 (file)
index 0000000..7b34e12
--- /dev/null
@@ -0,0 +1,46 @@
+From 174fe5ba2d1ea0d6c5ab2a7d4aa058d6d497ae4d Mon Sep 17 00:00:00 2001
+From: Kaixu Xia <kaixuxia@tencent.com>
+Date: Thu, 29 Oct 2020 23:46:36 +0800
+Subject: ext4: correctly report "not supported" for {usr,grp}jquota when !CONFIG_QUOTA
+
+From: Kaixu Xia <kaixuxia@tencent.com>
+
+commit 174fe5ba2d1ea0d6c5ab2a7d4aa058d6d497ae4d upstream.
+
+The macro MOPT_Q is used to indicates the mount option is related to
+quota stuff and is defined to be MOPT_NOSUPPORT when CONFIG_QUOTA is
+disabled.  Normally the quota options are handled explicitly, so it
+didn't matter that the MOPT_STRING flag was missing, even though the
+usrjquota and grpjquota mount options take a string argument.  It's
+important that's present in the !CONFIG_QUOTA case, since without
+MOPT_STRING, the mount option matcher will match usrjquota= followed
+by an integer, and will otherwise skip the table entry, and so "mount
+option not supported" error message is never reported.
+
+[ Fixed up the commit description to better explain why the fix
+  works. --TYT ]
+
+Fixes: 26092bf52478 ("ext4: use a table-driven handler for mount options")
+Signed-off-by: Kaixu Xia <kaixuxia@tencent.com>
+Link: https://lore.kernel.org/r/1603986396-28917-1-git-send-email-kaixuxia@tencent.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/super.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -1829,8 +1829,8 @@ static const struct mount_opts {
+       {Opt_noquota, (EXT4_MOUNT_QUOTA | EXT4_MOUNT_USRQUOTA |
+                      EXT4_MOUNT_GRPQUOTA | EXT4_MOUNT_PRJQUOTA),
+                                                       MOPT_CLEAR | MOPT_Q},
+-      {Opt_usrjquota, 0, MOPT_Q},
+-      {Opt_grpjquota, 0, MOPT_Q},
++      {Opt_usrjquota, 0, MOPT_Q | MOPT_STRING},
++      {Opt_grpjquota, 0, MOPT_Q | MOPT_STRING},
+       {Opt_offusrjquota, 0, MOPT_Q},
+       {Opt_offgrpjquota, 0, MOPT_Q},
+       {Opt_jqfmt_vfsold, QFMT_VFS_OLD, MOPT_QFMT},
diff --git a/queue-5.9/ext4-unlock-xattr_sem-properly-in-ext4_inline_data_truncate.patch b/queue-5.9/ext4-unlock-xattr_sem-properly-in-ext4_inline_data_truncate.patch
new file mode 100644 (file)
index 0000000..e8b4807
--- /dev/null
@@ -0,0 +1,36 @@
+From 7067b2619017d51e71686ca9756b454de0e5826a Mon Sep 17 00:00:00 2001
+From: Joseph Qi <joseph.qi@linux.alibaba.com>
+Date: Tue, 3 Nov 2020 10:29:02 +0800
+Subject: ext4: unlock xattr_sem properly in ext4_inline_data_truncate()
+
+From: Joseph Qi <joseph.qi@linux.alibaba.com>
+
+commit 7067b2619017d51e71686ca9756b454de0e5826a upstream.
+
+It takes xattr_sem to check inline data again but without unlock it
+in case not have. So unlock it before return.
+
+Fixes: aef1c8513c1f ("ext4: let ext4_truncate handle inline data correctly")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Tao Ma <boyu.mt@taobao.com>
+Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Reviewed-by: Andreas Dilger <adilger@dilger.ca>
+Link: https://lore.kernel.org/r/1604370542-124630-1-git-send-email-joseph.qi@linux.alibaba.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/inline.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/ext4/inline.c
++++ b/fs/ext4/inline.c
+@@ -1880,6 +1880,7 @@ int ext4_inline_data_truncate(struct ino
+       ext4_write_lock_xattr(inode, &no_expand);
+       if (!ext4_has_inline_data(inode)) {
++              ext4_write_unlock_xattr(inode, &no_expand);
+               *has_inline = 0;
+               ext4_journal_stop(handle);
+               return 0;
diff --git a/queue-5.9/firmware-xilinx-fix-out-of-bounds-access.patch b/queue-5.9/firmware-xilinx-fix-out-of-bounds-access.patch
new file mode 100644 (file)
index 0000000..08a64c6
--- /dev/null
@@ -0,0 +1,51 @@
+From f3217d6f2f7a76b36a3326ad58c8897f4d5fbe31 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 26 Oct 2020 16:54:36 +0100
+Subject: firmware: xilinx: fix out-of-bounds access
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit f3217d6f2f7a76b36a3326ad58c8897f4d5fbe31 upstream.
+
+The zynqmp_pm_set_suspend_mode() and zynqmp_pm_get_trustzone_version()
+functions pass values as api_id into zynqmp_pm_invoke_fn
+that are beyond PM_API_MAX, resulting in an out-of-bounds access:
+
+drivers/firmware/xilinx/zynqmp.c: In function 'zynqmp_pm_set_suspend_mode':
+drivers/firmware/xilinx/zynqmp.c:150:24: warning: array subscript 2562 is above array bounds of 'u32[64]' {aka 'unsigned int[64]'} [-Warray-bounds]
+  150 |  if (zynqmp_pm_features[api_id] != PM_FEATURE_UNCHECKED)
+      |      ~~~~~~~~~~~~~~~~~~^~~~~~~~
+drivers/firmware/xilinx/zynqmp.c:28:12: note: while referencing 'zynqmp_pm_features'
+   28 | static u32 zynqmp_pm_features[PM_API_MAX];
+      |            ^~~~~~~~~~~~~~~~~~
+
+Replace the resulting undefined behavior with an error return.
+This may break some things that happen to work at the moment
+but seems better than randomly overwriting kernel data.
+
+I assume we need additional fixes for the two functions that now
+return an error.
+
+Fixes: 76582671eb5d ("firmware: xilinx: Add Zynqmp firmware driver")
+Fixes: e178df31cf41 ("firmware: xilinx: Implement ZynqMP power management APIs")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20201026155449.3703142-1-arnd@kernel.org
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/firmware/xilinx/zynqmp.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/firmware/xilinx/zynqmp.c
++++ b/drivers/firmware/xilinx/zynqmp.c
+@@ -147,6 +147,9 @@ static int zynqmp_pm_feature(u32 api_id)
+               return 0;
+       /* Return value if feature is already checked */
++      if (api_id > ARRAY_SIZE(zynqmp_pm_features))
++              return PM_FEATURE_INVALID;
++
+       if (zynqmp_pm_features[api_id] != PM_FEATURE_UNCHECKED)
+               return zynqmp_pm_features[api_id];
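Review bot: The new bounds check in zynqmp_pm_feature() is off by one: `api_id > ARRAY_SIZE(zynqmp_pm_features)` still lets `api_id == ARRAY_SIZE(zynqmp_pm_features)` reach the `zynqmp_pm_features[api_id]` read just below. That index is one element past the end of the `u32[64]` array quoted in the commit message's compiler warning. The comparison should be `if (api_id >= ARRAY_SIZE(zynqmp_pm_features))`. The guard was also inserted between the existing `/* Return value if feature is already checked */` comment and the lookup it describes, so that comment belongs below the new check. The function body starts and ends outside the hunk.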
diff --git a/queue-5.9/kvm-arm64-don-t-hide-id-registers-from-userspace.patch b/queue-5.9/kvm-arm64-don-t-hide-id-registers-from-userspace.patch
new file mode 100644 (file)
index 0000000..c51e871
--- /dev/null
@@ -0,0 +1,83 @@
+From f81cb2c3ad41ac6d8cb2650e3d72d5f67db1aa28 Mon Sep 17 00:00:00 2001
+From: Andrew Jones <drjones@redhat.com>
+Date: Thu, 5 Nov 2020 10:10:19 +0100
+Subject: KVM: arm64: Don't hide ID registers from userspace
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andrew Jones <drjones@redhat.com>
+
+commit f81cb2c3ad41ac6d8cb2650e3d72d5f67db1aa28 upstream.
+
+ID registers are RAZ until they've been allocated a purpose, but
+that doesn't mean they should be removed from the KVM_GET_REG_LIST
+list. So far we only have one register, SYS_ID_AA64ZFR0_EL1, that
+is hidden from userspace when its function, SVE, is not present.
+
+Expose SYS_ID_AA64ZFR0_EL1 to userspace as RAZ when SVE is not
+implemented. Removing the userspace visibility checks is enough
+to reexpose it, as it will already return zero to userspace when
+SVE is not present. The register already behaves as RAZ for the
+guest when SVE is not present.
+
+Fixes: 73433762fcae ("KVM: arm64/sve: System register context switch and access support")
+Reported-by: å¼ ä¸œæ—­ <xu910121@sina.com>
+Signed-off-by: Andrew Jones <drjones@redhat.com>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Cc: stable@vger.kernel.org#v5.2+
+Link: https://lore.kernel.org/r/20201105091022.15373-2-drjones@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kvm/sys_regs.c |   18 +-----------------
+ 1 file changed, 1 insertion(+), 17 deletions(-)
+
+--- a/arch/arm64/kvm/sys_regs.c
++++ b/arch/arm64/kvm/sys_regs.c
+@@ -1193,16 +1193,6 @@ static unsigned int sve_visibility(const
+       return REG_HIDDEN_USER | REG_HIDDEN_GUEST;
+ }
+-/* Visibility overrides for SVE-specific ID registers */
+-static unsigned int sve_id_visibility(const struct kvm_vcpu *vcpu,
+-                                    const struct sys_reg_desc *rd)
+-{
+-      if (vcpu_has_sve(vcpu))
+-              return 0;
+-
+-      return REG_HIDDEN_USER;
+-}
+-
+ /* Generate the emulated ID_AA64ZFR0_EL1 value exposed to the guest */
+ static u64 guest_id_aa64zfr0_el1(const struct kvm_vcpu *vcpu)
+ {
+@@ -1229,9 +1219,6 @@ static int get_id_aa64zfr0_el1(struct kv
+ {
+       u64 val;
+-      if (WARN_ON(!vcpu_has_sve(vcpu)))
+-              return -ENOENT;
+-
+       val = guest_id_aa64zfr0_el1(vcpu);
+       return reg_to_user(uaddr, &val, reg->id);
+ }
+@@ -1244,9 +1231,6 @@ static int set_id_aa64zfr0_el1(struct kv
+       int err;
+       u64 val;
+-      if (WARN_ON(!vcpu_has_sve(vcpu)))
+-              return -ENOENT;
+-
+       err = reg_from_user(&val, uaddr, id);
+       if (err)
+               return err;
+@@ -1509,7 +1493,7 @@ static const struct sys_reg_desc sys_reg
+       ID_SANITISED(ID_AA64PFR1_EL1),
+       ID_UNALLOCATED(4,2),
+       ID_UNALLOCATED(4,3),
+-      { SYS_DESC(SYS_ID_AA64ZFR0_EL1), access_id_aa64zfr0_el1, .get_user = get_id_aa64zfr0_el1, .set_user = set_id_aa64zfr0_el1, .visibility = sve_id_visibility },
++      { SYS_DESC(SYS_ID_AA64ZFR0_EL1), access_id_aa64zfr0_el1, .get_user = get_id_aa64zfr0_el1, .set_user = set_id_aa64zfr0_el1, },
+       ID_UNALLOCATED(4,5),
+       ID_UNALLOCATED(4,6),
+       ID_UNALLOCATED(4,7),
diff --git a/queue-5.9/loop-fix-occasional-uevent-drop.patch b/queue-5.9/loop-fix-occasional-uevent-drop.patch
new file mode 100644 (file)
index 0000000..86fd96d
--- /dev/null
@@ -0,0 +1,55 @@
+From c01a21b77722db0474bbcc4eafc8c4e0d8fed6d8 Mon Sep 17 00:00:00 2001
+From: Petr Vorel <pvorel@suse.cz>
+Date: Thu, 12 Nov 2020 17:50:05 +0100
+Subject: loop: Fix occasional uevent drop
+
+From: Petr Vorel <pvorel@suse.cz>
+
+commit c01a21b77722db0474bbcc4eafc8c4e0d8fed6d8 upstream.
+
+Commit 716ad0986cbd ("loop: Switch to set_capacity_revalidate_and_notify")
+causes an occasional drop of loop device uevent, which are no longer
+triggered in loop_set_size() but in a different part of code.
+
+Bug is reproducible with LTP test uevent01 [1]:
+
+i=0; while true; do
+    i=$((i+1)); echo "== $i =="
+    lsmod |grep -q loop && rmmod -f loop
+    ./uevent01 || break
+done
+
+Put back triggering through code called in loop_set_size().
+
+Fix required to add yet another parameter to
+set_capacity_revalidate_and_notify().
+
+[1] https://github.com/linux-test-project/ltp/blob/master/testcases/kernel/uevents/uevent01.c
+
+[hch: rebased on a different change to the prototype of
+ set_capacity_revalidate_and_notify]
+
+Cc: stable@vger.kernel.org # v5.9
+Fixes: 716ad0986cbd ("loop: Switch to set_capacity_revalidate_and_notify")
+Reported-by: <ltp@lists.linux.it>
+Signed-off-by: Petr Vorel <pvorel@suse.cz>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/loop.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -255,7 +255,8 @@ static void loop_set_size(struct loop_de
+       bd_set_size(bdev, size << SECTOR_SHIFT);
+-      set_capacity_revalidate_and_notify(lo->lo_disk, size, false);
++      if (!set_capacity_revalidate_and_notify(lo->lo_disk, size, false))
++              kobject_uevent(&disk_to_dev(bdev->bd_disk)->kobj, KOBJ_CHANGE);
+ }
+ static inline int
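Review bot: The fallback uevent in loop_set_size() is raised on `bdev->bd_disk`, while the capacity update on the line above it goes through `lo->lo_disk`. The two presumably name the same gendisk, but writing `kobject_uevent(&disk_to_dev(lo->lo_disk)->kobj, KOBJ_CHANGE);` removes the question. The branch also depends on what a false return from set_capacity_revalidate_and_notify() means, which is defined in another patch of this series and is not visible here. A one-line comment such as `/* helper sent no uevent: emit KOBJ_CHANGE ourselves */` would record that, once the meaning is confirmed. loop_set_size() starts outside the hunk.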
diff --git a/queue-5.9/revert-usb-musb-convert-to-devm_platform_ioremap_resource_byname.patch b/queue-5.9/revert-usb-musb-convert-to-devm_platform_ioremap_resource_byname.patch
new file mode 100644 (file)
index 0000000..fd7ceb8
--- /dev/null
@@ -0,0 +1,50 @@
+From ffa13d2d94029882eca22a565551783787f121e5 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Thu, 12 Nov 2020 14:59:00 +0100
+Subject: Revert "usb: musb: convert to devm_platform_ioremap_resource_byname"
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+commit ffa13d2d94029882eca22a565551783787f121e5 upstream.
+
+This reverts commit 2d30e408a2a6b3443d3232593e3d472584a3e9f8.
+
+On Beaglebone Black, where each interface has 2 children:
+
+    musb-dsps 47401c00.usb: can't request region for resource [mem 0x47401800-0x474019ff]
+    musb-hdrc musb-hdrc.1: musb_init_controller failed with status -16
+    musb-hdrc: probe of musb-hdrc.1 failed with error -16
+    musb-dsps 47401400.usb: can't request region for resource [mem 0x47401000-0x474011ff]
+    musb-hdrc musb-hdrc.0: musb_init_controller failed with status -16
+    musb-hdrc: probe of musb-hdrc.0 failed with error -16
+
+Before, devm_ioremap_resource() was called on "dev" ("musb-hdrc.0" or
+"musb-hdrc.1"), after it is called on "&pdev->dev" ("47401400.usb" or
+"47401c00.usb"), leading to a duplicate region request, which fails.
+
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Fixes: 2d30e408a2a6 ("usb: musb: convert to devm_platform_ioremap_resource_byname")
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20201112135900.3822599-1-geert+renesas@glider.be
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/musb/musb_dsps.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/musb/musb_dsps.c
++++ b/drivers/usb/musb/musb_dsps.c
+@@ -429,10 +429,12 @@ static int dsps_musb_init(struct musb *m
+       struct platform_device *parent = to_platform_device(dev->parent);
+       const struct dsps_musb_wrapper *wrp = glue->wrp;
+       void __iomem *reg_base;
++      struct resource *r;
+       u32 rev, val;
+       int ret;
+-      reg_base = devm_platform_ioremap_resource_byname(parent, "control");
++      r = platform_get_resource_byname(parent, IORESOURCE_MEM, "control");
++      reg_base = devm_ioremap_resource(dev, r);
+       if (IS_ERR(reg_base))
+               return PTR_ERR(reg_base);
+       musb->ctrl_base = reg_base;
index 219915805e6de6999e4dbe76566acb9686a828b3..d5fbe708955960d897f28c93fdfac1a9a4898758 100644 (file)
@@ -179,3 +179,24 @@ nvme-freeze-the-queue-over-lba_shift-updates.patch
 nvme-fix-incorrect-behavior-when-blkroset-is-called-.patch
 perf-simplify-group_sched_in.patch
 perf-fix-event-multiplexing-for-exclusive-groups.patch
+firmware-xilinx-fix-out-of-bounds-access.patch
+erofs-fix-setting-up-pcluster-for-temporary-pages.patch
+erofs-derive-atime-instead-of-leaving-it-empty.patch
+ext4-correctly-report-not-supported-for-usr-grp-jquota-when-config_quota.patch
+ext4-unlock-xattr_sem-properly-in-ext4_inline_data_truncate.patch
+btrfs-fix-potential-overflow-in-cluster_pages_for_defrag-on-32bit-arch.patch
+btrfs-ref-verify-fix-memory-leak-in-btrfs_ref_tree_mod.patch
+btrfs-fix-min-reserved-size-calculation-in-merge_reloc_root.patch
+btrfs-dev-replace-fail-mount-if-we-don-t-have-replace-item-with-target-device.patch
+kvm-arm64-don-t-hide-id-registers-from-userspace.patch
+speakup-fix-var_id_t-values-and-thus-keymap.patch
+speakup-ttyio-do-not-schedule-in-ttyio_in_nowait.patch
+speakup-fix-clearing-selection-in-safe-context.patch
+thunderbolt-fix-memory-leak-if-ida_simple_get-fails-in-enumerate_services.patch
+thunderbolt-add-the-missed-ida_simple_remove-in-ring_request_msix.patch
+block-add-a-return-value-to-set_capacity_revalidate_and_notify.patch
+loop-fix-occasional-uevent-drop.patch
+uio-fix-use-after-free-in-uio_unregister_device.patch
+revert-usb-musb-convert-to-devm_platform_ioremap_resource_byname.patch
+usb-cdc-acm-add-disable_echo-for-renesas-usb-download-mode.patch
+usb-typec-ucsi-report-power-supply-changes.patch
diff --git a/queue-5.9/speakup-fix-clearing-selection-in-safe-context.patch b/queue-5.9/speakup-fix-clearing-selection-in-safe-context.patch
new file mode 100644 (file)
index 0000000..a58727f
--- /dev/null
@@ -0,0 +1,139 @@
+From 640969a69ca4dd2ac025fe873c6bf25eba8f11b3 Mon Sep 17 00:00:00 2001
+From: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Date: Sun, 8 Nov 2020 00:33:10 +0100
+Subject: speakup: Fix clearing selection in safe context
+
+From: Samuel Thibault <samuel.thibault@ens-lyon.org>
+
+commit 640969a69ca4dd2ac025fe873c6bf25eba8f11b3 upstream.
+
+speakup_cut() calls speakup_clear_selection() which calls console_lock.
+Problem is: speakup_cut() is called from a keyboard interrupt
+context. This would hang if speakup_cut is pressed while the console
+lock is unfortunately already held.
+
+We can however as well just defer calling clear_selection() until the
+already-deferred set_selection_kernel() call.
+
+This was spotted by the lock hardener:
+
+ Possible unsafe locking scenario:\x0a
+       CPU0
+       ----
+  lock(console_lock);
+  <Interrupt>
+    lock(console_lock);
+\x0a *** DEADLOCK ***\x0a
+[...]
+Call Trace:
+ <IRQ>
+ dump_stack+0xc2/0x11a
+ print_usage_bug.cold+0x3e0/0x4b1
+ mark_lock+0xd95/0x1390
+ ? print_irq_inversion_bug+0xa0/0xa0
+ __lock_acquire+0x21eb/0x5730
+ ? __kasan_check_read+0x11/0x20
+ ? check_chain_key+0x215/0x5e0
+ ? register_lock_class+0x1580/0x1580
+ ? lock_downgrade+0x7a0/0x7a0
+ ? __rwlock_init+0x140/0x140
+ lock_acquire+0x13f/0x370
+ ? speakup_clear_selection+0xe/0x20 [speakup]
+ console_lock+0x33/0x50
+ ? speakup_clear_selection+0xe/0x20 [speakup]
+ speakup_clear_selection+0xe/0x20 [speakup]
+ speakup_cut+0x19e/0x4b0 [speakup]
+ keyboard_notifier_call+0x1f04/0x4a40 [speakup]
+ ? read_all_doc+0x240/0x240 [speakup]
+ notifier_call_chain+0xbf/0x130
+ __atomic_notifier_call_chain+0x80/0x130
+ atomic_notifier_call_chain+0x16/0x20
+ kbd_event+0x7d7/0x3b20
+ ? k_pad+0x850/0x850
+ ? sysrq_filter+0x450/0xd40
+ input_to_handler+0x362/0x4b0
+ ? rcu_read_lock_sched_held+0xe0/0xe0
+ input_pass_values+0x408/0x5a0
+ ? __rwlock_init+0x140/0x140
+ ? lock_acquire+0x13f/0x370
+ input_handle_event+0x70e/0x1380
+ input_event+0x67/0x90
+ atkbd_interrupt+0xe62/0x1d4e [atkbd]
+ ? __kasan_check_write+0x14/0x20
+ ? atkbd_event_work+0x130/0x130 [atkbd]
+ ? _raw_spin_lock_irqsave+0x26/0x70
+ serio_interrupt+0x93/0x120 [serio]
+ i8042_interrupt+0x232/0x510 [i8042]
+ ? rcu_read_lock_bh_held+0xd0/0xd0
+ ? handle_irq_event+0xa5/0x13a
+ ? i8042_remove+0x1f0/0x1f0 [i8042]
+ __handle_irq_event_percpu+0xe6/0x6c0
+ handle_irq_event_percpu+0x71/0x150
+ ? __handle_irq_event_percpu+0x6c0/0x6c0
+ ? __kasan_check_read+0x11/0x20
+ ? do_raw_spin_unlock+0x5c/0x240
+ handle_irq_event+0xad/0x13a
+ handle_edge_irq+0x233/0xa90
+ do_IRQ+0x10b/0x310
+ common_interrupt+0xf/0xf
+ </IRQ>
+
+Cc: stable@vger.kernel.org
+Reported-by: Jookia <contact@jookia.org>
+Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Link: https://lore.kernel.org/r/20201107233310.7iisvaozpiqj3yvy@function
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/accessibility/speakup/main.c      |    1 -
+ drivers/accessibility/speakup/selection.c |   11 ++++-------
+ drivers/accessibility/speakup/speakup.h   |    1 -
+ 3 files changed, 4 insertions(+), 9 deletions(-)
+
+--- a/drivers/accessibility/speakup/main.c
++++ b/drivers/accessibility/speakup/main.c
+@@ -357,7 +357,6 @@ static void speakup_cut(struct vc_data *
+       mark_cut_flag = 0;
+       synth_printf("%s\n", spk_msg_get(MSG_CUT));
+-      speakup_clear_selection();
+       ret = speakup_set_selection(tty);
+       switch (ret) {
+--- a/drivers/accessibility/speakup/selection.c
++++ b/drivers/accessibility/speakup/selection.c
+@@ -22,13 +22,6 @@ struct speakup_selection_work {
+       struct tty_struct *tty;
+ };
+-void speakup_clear_selection(void)
+-{
+-      console_lock();
+-      clear_selection();
+-      console_unlock();
+-}
+-
+ static void __speakup_set_selection(struct work_struct *work)
+ {
+       struct speakup_selection_work *ssw =
+@@ -51,6 +44,10 @@ static void __speakup_set_selection(stru
+               goto unref;
+       }
++      console_lock();
++      clear_selection();
++      console_unlock();
++
+       set_selection_kernel(&sel, tty);
+ unref:
+--- a/drivers/accessibility/speakup/speakup.h
++++ b/drivers/accessibility/speakup/speakup.h
+@@ -70,7 +70,6 @@ void spk_do_flush(void);
+ void speakup_start_ttys(void);
+ void synth_buffer_add(u16 ch);
+ void synth_buffer_clear(void);
+-void speakup_clear_selection(void);
+ int speakup_set_selection(struct tty_struct *tty);
+ void speakup_cancel_selection(void);
+ int speakup_paste_selection(struct tty_struct *tty);
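Review bot: The `console_lock()` / `clear_selection()` / `console_unlock()` sequence added to __speakup_set_selection() has no comment saying why it lives there, and that reason is the whole fix. Per the commit message this function runs as deferred work, whereas speakup_cut() runs from the keyboard interrupt path, where taking console_lock can deadlock. I would add above the sequence `/* Deferred work, not the keyboard notifier: console_lock may be taken here */`. The lock is also dropped right before set_selection_kernel(); if that call takes console_lock itself (not visible in this hunk), the clear and the set are two separate critical sections, which is worth confirming as intended. __speakup_set_selection() starts and ends outside the hunk.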
diff --git a/queue-5.9/speakup-fix-var_id_t-values-and-thus-keymap.patch b/queue-5.9/speakup-fix-var_id_t-values-and-thus-keymap.patch
new file mode 100644 (file)
index 0000000..f0df40c
--- /dev/null
@@ -0,0 +1,56 @@
+From d7012df3c9aecdcfb50f7a2ebad766952fd1410e Mon Sep 17 00:00:00 2001
+From: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Date: Mon, 12 Oct 2020 18:06:46 +0200
+Subject: speakup: Fix var_id_t values and thus keymap
+
+From: Samuel Thibault <samuel.thibault@ens-lyon.org>
+
+commit d7012df3c9aecdcfb50f7a2ebad766952fd1410e upstream.
+
+commit d97a9d7aea04 ("staging/speakup: Add inflection synth parameter")
+introduced a new "inflection" speakup parameter next to "pitch", but
+the values of the var_id_t enum are actually used by the keymap tables
+so we must not renumber them. The effect was that notably the volume
+control shortcut (speakup-1 or 2) was actually changing the inflection.
+
+This moves the INFLECTION value at the end of the var_id_t enum to
+fix back the enum values. This also adds a warning about it.
+
+Fixes: d97a9d7aea04 ("staging/speakup: Add inflection synth parameter")
+Cc: stable@vger.kernel.org
+Reported-by: Kirk Reiser <kirk@reisers.ca>
+Reported-by: Gregory Nowak <greg@gregn.net>
+Tested-by: Gregory Nowak <greg@gregn.net>
+Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Link: https://lore.kernel.org/r/20201012160646.qmdo4eqtj24hpch4@function
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/accessibility/speakup/spk_types.h |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/accessibility/speakup/spk_types.h
++++ b/drivers/accessibility/speakup/spk_types.h
+@@ -32,6 +32,10 @@ enum {
+       E_NEW_DEFAULT,
+ };
++/*
++ * Note: add new members at the end, speakupmap.h depends on the values of the
++ * enum starting from SPELL_DELAY (see inc_dec_var)
++ */
+ enum var_id_t {
+       VERSION = 0, SYNTH, SILENT, SYNTH_DIRECT,
+       KEYMAP, CHARS,
+@@ -42,9 +46,9 @@ enum var_id_t {
+       SAY_CONTROL, SAY_WORD_CTL, NO_INTERRUPT, KEY_ECHO,
+       SPELL_DELAY, PUNC_LEVEL, READING_PUNC,
+       ATTRIB_BLEEP, BLEEPS,
+-      RATE, PITCH, INFLECTION, VOL, TONE, PUNCT, VOICE, FREQUENCY, LANG,
++      RATE, PITCH, VOL, TONE, PUNCT, VOICE, FREQUENCY, LANG,
+       DIRECT, PAUSE,
+-      CAPS_START, CAPS_STOP, CHARTAB,
++      CAPS_START, CAPS_STOP, CHARTAB, INFLECTION,
+       MAXVARS
+ };
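Review bot: The new comment on `enum var_id_t` says to add members "at the end", but the last enumerator is `MAXVARS`, which presumably has to stay last as the count; the patch itself places `INFLECTION` just before it. Wording such as `Note: add new members just before MAXVARS; speakupmap.h depends on the values of the enum starting from SPELL_DELAY (see inc_dec_var)` states the rule exactly. Because the keymap tables depend on these values, a compile-time check next to the enum would let the build enforce what the comment only asks for, for example `static_assert(VOL == <value speakupmap.h expects>);`.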
diff --git a/queue-5.9/speakup-ttyio-do-not-schedule-in-ttyio_in_nowait.patch b/queue-5.9/speakup-ttyio-do-not-schedule-in-ttyio_in_nowait.patch
new file mode 100644 (file)
index 0000000..37e87ca
--- /dev/null
@@ -0,0 +1,78 @@
+From 3ed1cfb2cee4355ddef49489897bfe474daeeaec Mon Sep 17 00:00:00 2001
+From: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Date: Sun, 8 Nov 2020 14:12:33 +0100
+Subject: speakup ttyio: Do not schedule() in ttyio_in_nowait
+
+From: Samuel Thibault <samuel.thibault@ens-lyon.org>
+
+commit 3ed1cfb2cee4355ddef49489897bfe474daeeaec upstream.
+
+With the ltlk and spkout drivers, the index read function, i.e.
+in_nowait, is getting called from the read_all_doc mechanism, from
+the timer softirq:
+
+Call Trace:
+ <IRQ>
+ dump_stack+0x71/0x98
+ dequeue_task_idle+0x1f/0x28
+ __schedule+0x167/0x5d6
+ ? trace_hardirqs_on+0x2e/0x3a
+ ? usleep_range+0x7f/0x7f
+ schedule+0x8a/0xae
+ schedule_timeout+0xb1/0xea
+ ? del_timer_sync+0x31/0x31
+ do_wait_for_common+0xba/0x12b
+ ? wake_up_q+0x45/0x45
+ wait_for_common+0x37/0x50
+ ttyio_in+0x2a/0x6b
+ spk_ttyio_in_nowait+0xc/0x13
+ spk_get_index_count+0x20/0x93
+ cursor_done+0x1c6/0x4c6
+ ? read_all_doc+0xb1/0xb1
+ call_timer_fn+0x89/0x140
+ run_timer_softirq+0x164/0x1a5
+ ? read_all_doc+0xb1/0xb1
+ ? hrtimer_forward+0x7b/0x87
+ ? timerqueue_add+0x62/0x68
+ ? enqueue_hrtimer+0x95/0x9f
+ __do_softirq+0x181/0x31f
+ irq_exit+0x6a/0x86
+smp_apic_timer_interrupt+0x15e/0x183
+ apic_timer_interrupt+0xf/0x20
+ </IRQ>
+
+We thus should not schedule() at all, even with timeout == 0, this
+crashes the kernel.  We can however use try_wait_for_completion()
+instead of wait_for_completion_timeout(0).
+
+Cc: stable@vger.kernel.org
+Reported-by: John Covici <covici@ccs.covici.com>
+Tested-by: John Covici <covici@ccs.covici.com>
+Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Link: https://lore.kernel.org/r/20201108131233.tadycr73sxlvodgo@function
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/accessibility/speakup/spk_ttyio.c |   10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/accessibility/speakup/spk_ttyio.c
++++ b/drivers/accessibility/speakup/spk_ttyio.c
+@@ -298,11 +298,13 @@ static unsigned char ttyio_in(int timeou
+       struct spk_ldisc_data *ldisc_data = speakup_tty->disc_data;
+       char rv;
+-      if (wait_for_completion_timeout(&ldisc_data->completion,
++      if (!timeout) {
++              if (!try_wait_for_completion(&ldisc_data->completion))
++                      return 0xff;
++      } else if (wait_for_completion_timeout(&ldisc_data->completion,
+                                       usecs_to_jiffies(timeout)) == 0) {
+-              if (timeout)
+-                      pr_warn("spk_ttyio: timeout (%d)  while waiting for input\n",
+-                              timeout);
++              pr_warn("spk_ttyio: timeout (%d)  while waiting for input\n",
++                      timeout);
+               return 0xff;
+       }
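Review bot: The new `if (!timeout)` branch in ttyio_in() has no comment recording why a zero timeout must not reach wait_for_completion_timeout(). That is the constraint a later cleanup is most likely to undo by merging the two branches again. The commit message gives the reason: spk_ttyio_in_nowait() is reached from the timer softirq, where sleeping is not allowed. I would add `/* timeout == 0 is the nowait path, called from softirq context: must not sleep */` above the branch. ttyio_in() starts and ends outside the hunk.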
diff --git a/queue-5.9/thunderbolt-add-the-missed-ida_simple_remove-in-ring_request_msix.patch b/queue-5.9/thunderbolt-add-the-missed-ida_simple_remove-in-ring_request_msix.patch
new file mode 100644 (file)
index 0000000..1799a63
--- /dev/null
@@ -0,0 +1,53 @@
+From 7342ca34d931a357d408aaa25fadd031e46af137 Mon Sep 17 00:00:00 2001
+From: Jing Xiangfeng <jingxiangfeng@huawei.com>
+Date: Thu, 15 Oct 2020 16:40:53 +0800
+Subject: thunderbolt: Add the missed ida_simple_remove() in ring_request_msix()
+
+From: Jing Xiangfeng <jingxiangfeng@huawei.com>
+
+commit 7342ca34d931a357d408aaa25fadd031e46af137 upstream.
+
+ring_request_msix() misses to call ida_simple_remove() in an error path.
+Add a label 'err_ida_remove' and jump to it.
+
+Fixes: 046bee1f9ab8 ("thunderbolt: Add MSI-X support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jing Xiangfeng <jingxiangfeng@huawei.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/thunderbolt/nhi.c |   19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+--- a/drivers/thunderbolt/nhi.c
++++ b/drivers/thunderbolt/nhi.c
+@@ -405,12 +405,23 @@ static int ring_request_msix(struct tb_r
+       ring->vector = ret;
+-      ring->irq = pci_irq_vector(ring->nhi->pdev, ring->vector);
+-      if (ring->irq < 0)
+-              return ring->irq;
++      ret = pci_irq_vector(ring->nhi->pdev, ring->vector);
++      if (ret < 0)
++              goto err_ida_remove;
++
++      ring->irq = ret;
+       irqflags = no_suspend ? IRQF_NO_SUSPEND : 0;
+-      return request_irq(ring->irq, ring_msix, irqflags, "thunderbolt", ring);
++      ret = request_irq(ring->irq, ring_msix, irqflags, "thunderbolt", ring);
++      if (ret)
++              goto err_ida_remove;
++
++      return 0;
++
++err_ida_remove:
++      ida_simple_remove(&nhi->msix_ida, ring->vector);
++
++      return ret;
+ }
+ static void ring_release_msix(struct tb_ring *ring)
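Review bot: On the new `err_ida_remove` path in ring_request_msix() the id is returned to `nhi->msix_ida`, but `ring->vector` still holds it, and when request_irq() fails `ring->irq` also keeps the vector's IRQ number. If any caller later runs ring_release_msix() on such a ring, the id could be removed a second time; its body and the callers are not visible here, so this needs confirming. Clearing the fields after the ida_simple_remove() call, with `ring->vector = 0;` and `ring->irq = 0;`, would make the failed state unambiguous. ring_request_msix() starts outside the hunk.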
diff --git a/queue-5.9/thunderbolt-fix-memory-leak-if-ida_simple_get-fails-in-enumerate_services.patch b/queue-5.9/thunderbolt-fix-memory-leak-if-ida_simple_get-fails-in-enumerate_services.patch
new file mode 100644 (file)
index 0000000..678573f
--- /dev/null
@@ -0,0 +1,31 @@
+From a663e0df4a374b8537562a44d1cecafb472cd65b Mon Sep 17 00:00:00 2001
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Wed, 7 Oct 2020 17:06:17 +0300
+Subject: thunderbolt: Fix memory leak if ida_simple_get() fails in enumerate_services()
+
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+
+commit a663e0df4a374b8537562a44d1cecafb472cd65b upstream.
+
+The svc->key field is not released as it should be if ida_simple_get()
+fails so fix that.
+
+Fixes: 9aabb68568b4 ("thunderbolt: Fix to check return value of ida_simple_get")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/thunderbolt/xdomain.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/thunderbolt/xdomain.c
++++ b/drivers/thunderbolt/xdomain.c
+@@ -881,6 +881,7 @@ static void enumerate_services(struct tb
+               id = ida_simple_get(&xd->service_ids, 0, 0, GFP_KERNEL);
+               if (id < 0) {
++                      kfree(svc->key);
+                       kfree(svc);
+                       break;
+               }
diff --git a/queue-5.9/uio-fix-use-after-free-in-uio_unregister_device.patch b/queue-5.9/uio-fix-use-after-free-in-uio_unregister_device.patch
new file mode 100644 (file)
index 0000000..bbf87c3
--- /dev/null
@@ -0,0 +1,172 @@
+From 092561f06702dd4fdd7fb74dd3a838f1818529b7 Mon Sep 17 00:00:00 2001
+From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Date: Mon, 2 Nov 2020 21:28:19 +0900
+Subject: uio: Fix use-after-free in uio_unregister_device()
+
+From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+
+commit 092561f06702dd4fdd7fb74dd3a838f1818529b7 upstream.
+
+Commit 8fd0e2a6df26 ("uio: free uio id after uio file node is freed")
+triggered KASAN use-after-free failure at deletion of TCM-user
+backstores [1].
+
+In uio_unregister_device(), struct uio_device *idev is passed to
+uio_free_minor() to refer idev->minor. However, before uio_free_minor()
+call, idev is already freed by uio_device_release() during call to
+device_unregister().
+
+To avoid reference to idev->minor after idev free, keep idev->minor
+value in a local variable. Also modify uio_free_minor() argument to
+receive the value.
+
+[1]
+BUG: KASAN: use-after-free in uio_unregister_device+0x166/0x190
+Read of size 4 at addr ffff888105196508 by task targetcli/49158
+
+CPU: 3 PID: 49158 Comm: targetcli Not tainted 5.10.0-rc1 #1
+Hardware name: Supermicro Super Server/X10SRL-F, BIOS 2.0 12/17/2015
+Call Trace:
+ dump_stack+0xae/0xe5
+ ? uio_unregister_device+0x166/0x190
+ print_address_description.constprop.0+0x1c/0x210
+ ? uio_unregister_device+0x166/0x190
+ ? uio_unregister_device+0x166/0x190
+ kasan_report.cold+0x37/0x7c
+ ? kobject_put+0x80/0x410
+ ? uio_unregister_device+0x166/0x190
+ uio_unregister_device+0x166/0x190
+ tcmu_destroy_device+0x1c4/0x280 [target_core_user]
+ ? tcmu_release+0x90/0x90 [target_core_user]
+ ? __mutex_unlock_slowpath+0xd6/0x5d0
+ target_free_device+0xf3/0x2e0 [target_core_mod]
+ config_item_cleanup+0xea/0x210
+ configfs_rmdir+0x651/0x860
+ ? detach_groups.isra.0+0x380/0x380
+ vfs_rmdir.part.0+0xec/0x3a0
+ ? __lookup_hash+0x20/0x150
+ do_rmdir+0x252/0x320
+ ? do_file_open_root+0x420/0x420
+ ? strncpy_from_user+0xbc/0x2f0
+ ? getname_flags.part.0+0x8e/0x450
+ do_syscall_64+0x33/0x40
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x7f9e2bfc91fb
+Code: 73 01 c3 48 8b 0d 9d ec 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 54 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 6d ec 0c 00 f7 d8 64 89 01 48
+RSP: 002b:00007ffdd2baafe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000054
+RAX: ffffffffffffffda RBX: 00007f9e2beb44a0 RCX: 00007f9e2bfc91fb
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007f9e1c20be90
+RBP: 00007ffdd2bab000 R08: 0000000000000000 R09: 00007f9e2bdf2440
+R10: 00007ffdd2baaf37 R11: 0000000000000246 R12: 00000000ffffff9c
+R13: 000055f9abb7e390 R14: 000055f9abcf9558 R15: 00007f9e2be7a780
+
+Allocated by task 34735:
+ kasan_save_stack+0x1b/0x40
+ __kasan_kmalloc.constprop.0+0xc2/0xd0
+ __uio_register_device+0xeb/0xd40
+ tcmu_configure_device+0x5a0/0xbc0 [target_core_user]
+ target_configure_device+0x12f/0x760 [target_core_mod]
+ target_dev_enable_store+0x32/0x50 [target_core_mod]
+ configfs_write_file+0x2bb/0x450
+ vfs_write+0x1ce/0x610
+ ksys_write+0xe9/0x1b0
+ do_syscall_64+0x33/0x40
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Freed by task 49158:
+ kasan_save_stack+0x1b/0x40
+ kasan_set_track+0x1c/0x30
+ kasan_set_free_info+0x1b/0x30
+ __kasan_slab_free+0x110/0x150
+ slab_free_freelist_hook+0x5a/0x170
+ kfree+0xc6/0x560
+ device_release+0x9b/0x210
+ kobject_put+0x13e/0x410
+ uio_unregister_device+0xf9/0x190
+ tcmu_destroy_device+0x1c4/0x280 [target_core_user]
+ target_free_device+0xf3/0x2e0 [target_core_mod]
+ config_item_cleanup+0xea/0x210
+ configfs_rmdir+0x651/0x860
+ vfs_rmdir.part.0+0xec/0x3a0
+ do_rmdir+0x252/0x320
+ do_syscall_64+0x33/0x40
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+The buggy address belongs to the object at ffff888105196000
+ which belongs to the cache kmalloc-2k of size 2048
+The buggy address is located 1288 bytes inside of
+ 2048-byte region [ffff888105196000, ffff888105196800)
+The buggy address belongs to the page:
+page:0000000098e6ca81 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x105190
+head:0000000098e6ca81 order:3 compound_mapcount:0 compound_pincount:0
+flags: 0x17ffffc0010200(slab|head)
+raw: 0017ffffc0010200 dead000000000100 dead000000000122 ffff888100043040
+raw: 0000000000000000 0000000000080008 00000001ffffffff ffff88810eb55c01
+page dumped because: kasan: bad access detected
+page->mem_cgroup:ffff88810eb55c01
+
+Memory state around the buggy address:
+ ffff888105196400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff888105196480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff888105196500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+                      ^
+ ffff888105196580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff888105196600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+
+Fixes: 8fd0e2a6df26 ("uio: free uio id after uio file node is freed")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Link: https://lore.kernel.org/r/20201102122819.2346270-1-shinichiro.kawasaki@wdc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/uio/uio.c |   10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/uio/uio.c
++++ b/drivers/uio/uio.c
+@@ -413,10 +413,10 @@ static int uio_get_minor(struct uio_devi
+       return retval;
+ }
+-static void uio_free_minor(struct uio_device *idev)
++static void uio_free_minor(unsigned long minor)
+ {
+       mutex_lock(&minor_lock);
+-      idr_remove(&uio_idr, idev->minor);
++      idr_remove(&uio_idr, minor);
+       mutex_unlock(&minor_lock);
+ }
+@@ -990,7 +990,7 @@ err_request_irq:
+ err_uio_dev_add_attributes:
+       device_del(&idev->dev);
+ err_device_create:
+-      uio_free_minor(idev);
++      uio_free_minor(idev->minor);
+       put_device(&idev->dev);
+       return ret;
+ }
+@@ -1042,11 +1042,13 @@ EXPORT_SYMBOL_GPL(__devm_uio_register_de
+ void uio_unregister_device(struct uio_info *info)
+ {
+       struct uio_device *idev;
++      unsigned long minor;
+       if (!info || !info->uio_dev)
+               return;
+       idev = info->uio_dev;
++      minor = idev->minor;
+       mutex_lock(&idev->info_lock);
+       uio_dev_del_attributes(idev);
+@@ -1062,7 +1064,7 @@ void uio_unregister_device(struct uio_in
+       device_unregister(&idev->dev);
+-      uio_free_minor(idev);
++      uio_free_minor(minor);
+       return;
+ }
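Review bot: The local `minor` added to uio_unregister_device() is what prevents the use-after-free, yet nothing at the assignment or at the final call says so. A later refactor could fold it back into `idev->minor`. I would add at `minor = idev->minor;` the comment `/* device_unregister() may free idev; keep the minor for uio_free_minor() */`. `minor` is declared `unsigned long` to match the new uio_free_minor() parameter, but the type of `idev->minor` is not visible in these hunks; if it is a signed int, it is worth confirming that no negative value can reach idr_remove().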
diff --git a/queue-5.9/usb-cdc-acm-add-disable_echo-for-renesas-usb-download-mode.patch b/queue-5.9/usb-cdc-acm-add-disable_echo-for-renesas-usb-download-mode.patch
new file mode 100644 (file)
index 0000000..f75d720
--- /dev/null
@@ -0,0 +1,41 @@
+From 6d853c9e4104b4fc8d55dc9cd3b99712aa347174 Mon Sep 17 00:00:00 2001
+From: Chris Brandt <chris.brandt@renesas.com>
+Date: Wed, 11 Nov 2020 08:12:09 -0500
+Subject: usb: cdc-acm: Add DISABLE_ECHO for Renesas USB Download mode
+
+From: Chris Brandt <chris.brandt@renesas.com>
+
+commit 6d853c9e4104b4fc8d55dc9cd3b99712aa347174 upstream.
+
+Renesas R-Car and RZ/G SoCs have a firmware download mode over USB.
+However, on reset a banner string is transmitted out which is not expected
+to be echoed back and will corrupt the protocol.
+
+Cc: stable <stable@vger.kernel.org>
+Acked-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Chris Brandt <chris.brandt@renesas.com>
+Link: https://lore.kernel.org/r/20201111131209.3977903-1-chris.brandt@renesas.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/class/cdc-acm.c |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -1706,6 +1706,15 @@ static const struct usb_device_id acm_id
+       { USB_DEVICE(0x0870, 0x0001), /* Metricom GS Modem */
+       .driver_info = NO_UNION_NORMAL, /* has no union descriptor */
+       },
++      { USB_DEVICE(0x045b, 0x023c),   /* Renesas USB Download mode */
++      .driver_info = DISABLE_ECHO,    /* Don't echo banner */
++      },
++      { USB_DEVICE(0x045b, 0x0248),   /* Renesas USB Download mode */
++      .driver_info = DISABLE_ECHO,    /* Don't echo banner */
++      },
++      { USB_DEVICE(0x045b, 0x024D),   /* Renesas USB Download mode */
++      .driver_info = DISABLE_ECHO,    /* Don't echo banner */
++      },
+       { USB_DEVICE(0x0e8d, 0x0003), /* FIREFLY, MediaTek Inc; andrey.arapov@gmail.com */
+       .driver_info = NO_UNION_NORMAL, /* has no union descriptor */
+       },
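Review bot: The third added entry writes its product ID as `0x024D`, while the other two added entries and the neighbouring rows (`0x0870`, `0x0e8d`) use lowercase hex; `{ USB_DEVICE(0x045b, 0x024d),   /* Renesas USB Download mode */` would match the table. All three new entries also carry the identical comment, so a reader auditing the quirk list cannot tell which SoC each product ID belongs to; a per-entry comment naming the device would make that clear. The acm_ids table starts and ends outside this hunk, so whether these rows sit next to any other 0x045b entries cannot be checked from here.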
diff --git a/queue-5.9/usb-typec-ucsi-report-power-supply-changes.patch b/queue-5.9/usb-typec-ucsi-report-power-supply-changes.patch
new file mode 100644 (file)
index 0000000..0ffc284
--- /dev/null
@@ -0,0 +1,87 @@
+From 0e6371fbfba3a4f76489e6e97c1c7f8386ad5fd2 Mon Sep 17 00:00:00 2001
+From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Date: Tue, 10 Nov 2020 15:05:47 +0300
+Subject: usb: typec: ucsi: Report power supply changes
+
+From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+
+commit 0e6371fbfba3a4f76489e6e97c1c7f8386ad5fd2 upstream.
+
+When the ucsi power supply goes online/offline, and when the
+power levels change, the power supply class needs to be
+notified so it can inform the user space.
+
+Fixes: 992a60ed0d5e ("usb: typec: ucsi: register with power_supply class")
+Cc: stable@vger.kernel.org
+Reported-and-tested-by: Vladimir Yerilov <openmindead@gmail.com>
+Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/20201110120547.67922-1-heikki.krogerus@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/typec/ucsi/psy.c  |    9 +++++++++
+ drivers/usb/typec/ucsi/ucsi.c |    7 ++++++-
+ drivers/usb/typec/ucsi/ucsi.h |    2 ++
+ 3 files changed, 17 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/typec/ucsi/psy.c
++++ b/drivers/usb/typec/ucsi/psy.c
+@@ -238,4 +238,13 @@ void ucsi_unregister_port_psy(struct ucs
+               return;
+       power_supply_unregister(con->psy);
++      con->psy = NULL;
++}
++
++void ucsi_port_psy_changed(struct ucsi_connector *con)
++{
++      if (IS_ERR_OR_NULL(con->psy))
++              return;
++
++      power_supply_changed(con->psy);
+ }
+--- a/drivers/usb/typec/ucsi/ucsi.c
++++ b/drivers/usb/typec/ucsi/ucsi.c
+@@ -643,8 +643,10 @@ static void ucsi_handle_connector_change
+       role = !!(con->status.flags & UCSI_CONSTAT_PWR_DIR);
+       if (con->status.change & UCSI_CONSTAT_POWER_OPMODE_CHANGE ||
+-          con->status.change & UCSI_CONSTAT_POWER_LEVEL_CHANGE)
++          con->status.change & UCSI_CONSTAT_POWER_LEVEL_CHANGE) {
+               ucsi_pwr_opmode_change(con);
++              ucsi_port_psy_changed(con);
++      }
+       if (con->status.change & UCSI_CONSTAT_POWER_DIR_CHANGE) {
+               typec_set_pwr_role(con->port, role);
+@@ -674,6 +676,8 @@ static void ucsi_handle_connector_change
+                       ucsi_register_partner(con);
+               else
+                       ucsi_unregister_partner(con);
++
++              ucsi_port_psy_changed(con);
+       }
+       if (con->status.change & UCSI_CONSTAT_CAM_CHANGE) {
+@@ -994,6 +998,7 @@ static int ucsi_register_port(struct ucs
+                                 !!(con->status.flags & UCSI_CONSTAT_PWR_DIR));
+               ucsi_pwr_opmode_change(con);
+               ucsi_register_partner(con);
++              ucsi_port_psy_changed(con);
+       }
+       if (con->partner) {
+--- a/drivers/usb/typec/ucsi/ucsi.h
++++ b/drivers/usb/typec/ucsi/ucsi.h
+@@ -340,9 +340,11 @@ int ucsi_resume(struct ucsi *ucsi);
+ #if IS_ENABLED(CONFIG_POWER_SUPPLY)
+ int ucsi_register_port_psy(struct ucsi_connector *con);
+ void ucsi_unregister_port_psy(struct ucsi_connector *con);
++void ucsi_port_psy_changed(struct ucsi_connector *con);
+ #else
+ static inline int ucsi_register_port_psy(struct ucsi_connector *con) { return 0; }
+ static inline void ucsi_unregister_port_psy(struct ucsi_connector *con) { }
++static inline void ucsi_port_psy_changed(struct ucsi_connector *con) { }
+ #endif /* CONFIG_POWER_SUPPLY */
+ #if IS_ENABLED(CONFIG_TYPEC_DP_ALTMODE)