5.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 18 Oct 2021 10:02:29 +0000 (12:02 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 18 Oct 2021 10:02:29 +0000 (12:02 +0200)
added patches:
cb710-avoid-null-pointer-subtraction.patch
edac-armada-xp-fix-output-of-uncorrectable-error-counter.patch
efi-change-down_interruptible-in-virt_efi_reset_system-to-down_trylock.patch
efi-cper-use-stack-buffer-for-error-record-decoding.patch
input-xpad-add-support-for-another-usb-id-of-nacon-gc-100.patch
mei-hbm-drop-hbm-responses-on-early-shutdown.patch
mei-me-add-ice-lake-n-device-id.patch
misc-fastrpc-add-missing-lock-before-accessing-find_vma.patch
nvmem-fix-shift-out-of-bound-ubsan-with-byte-size-cells.patch
revert-virtio-blk-add-validation-for-block-size-in-config-space.patch
usb-musb-dsps-fix-the-probe-error-path.patch
usb-serial-option-add-prod.-id-for-quectel-eg91.patch
usb-serial-option-add-quectel-ec200s-cn-module-support.patch
usb-serial-option-add-telit-le910cx-composition-0x1204.patch
usb-serial-qcserial-add-em9191-qdl-support.patch
usb-xhci-dbc-fix-tty-registration-race.patch
virtio-blk-remove-unneeded-likely-statements.patch
virtio-write-back-f_version_1-before-validate.patch
xhci-add-quirk-for-host-controllers-that-don-t-update-endpoint-dcs.patch
xhci-enable-trust-tx-length-quirk-for-fresco-fl11-usb-controller.patch
xhci-fix-command-ring-pointer-corruption-while-aborting-a-command.patch
xhci-guard-accesses-to-ep_state-in-xhci_endpoint_reset.patch

23 files changed:
queue-5.14/cb710-avoid-null-pointer-subtraction.patch [new file with mode: 0644]
queue-5.14/edac-armada-xp-fix-output-of-uncorrectable-error-counter.patch [new file with mode: 0644]
queue-5.14/efi-change-down_interruptible-in-virt_efi_reset_system-to-down_trylock.patch [new file with mode: 0644]
queue-5.14/efi-cper-use-stack-buffer-for-error-record-decoding.patch [new file with mode: 0644]
queue-5.14/input-xpad-add-support-for-another-usb-id-of-nacon-gc-100.patch [new file with mode: 0644]
queue-5.14/mei-hbm-drop-hbm-responses-on-early-shutdown.patch [new file with mode: 0644]
queue-5.14/mei-me-add-ice-lake-n-device-id.patch [new file with mode: 0644]
queue-5.14/misc-fastrpc-add-missing-lock-before-accessing-find_vma.patch [new file with mode: 0644]
queue-5.14/nvmem-fix-shift-out-of-bound-ubsan-with-byte-size-cells.patch [new file with mode: 0644]
queue-5.14/revert-virtio-blk-add-validation-for-block-size-in-config-space.patch [new file with mode: 0644]
queue-5.14/series
queue-5.14/usb-musb-dsps-fix-the-probe-error-path.patch [new file with mode: 0644]
queue-5.14/usb-serial-option-add-prod.-id-for-quectel-eg91.patch [new file with mode: 0644]
queue-5.14/usb-serial-option-add-quectel-ec200s-cn-module-support.patch [new file with mode: 0644]
queue-5.14/usb-serial-option-add-telit-le910cx-composition-0x1204.patch [new file with mode: 0644]
queue-5.14/usb-serial-qcserial-add-em9191-qdl-support.patch [new file with mode: 0644]
queue-5.14/usb-xhci-dbc-fix-tty-registration-race.patch [new file with mode: 0644]
queue-5.14/virtio-blk-remove-unneeded-likely-statements.patch [new file with mode: 0644]
queue-5.14/virtio-write-back-f_version_1-before-validate.patch [new file with mode: 0644]
queue-5.14/xhci-add-quirk-for-host-controllers-that-don-t-update-endpoint-dcs.patch [new file with mode: 0644]
queue-5.14/xhci-enable-trust-tx-length-quirk-for-fresco-fl11-usb-controller.patch [new file with mode: 0644]
queue-5.14/xhci-fix-command-ring-pointer-corruption-while-aborting-a-command.patch [new file with mode: 0644]
queue-5.14/xhci-guard-accesses-to-ep_state-in-xhci_endpoint_reset.patch [new file with mode: 0644]

diff --git a/queue-5.14/cb710-avoid-null-pointer-subtraction.patch b/queue-5.14/cb710-avoid-null-pointer-subtraction.patch
new file mode 100644 (file)
index 0000000..d10fa1d
--- /dev/null
@@ -0,0 +1,37 @@
+From 42641042c10c757fe10cc09088cf3f436cec5007 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 27 Sep 2021 14:13:57 +0200
+Subject: cb710: avoid NULL pointer subtraction
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 42641042c10c757fe10cc09088cf3f436cec5007 upstream.
+
+clang-14 complains about an unusual way of converting a pointer to
+an integer:
+
+drivers/misc/cb710/sgbuf2.c:50:15: error: performing pointer subtraction with a null pointer has undefined behavior [-Werror,-Wnull-pointer-subtraction]
+        return ((ptr - NULL) & 3) != 0;
+
+Replace this with a normal cast to uintptr_t.
+
+Fixes: 5f5bac8272be ("mmc: Driver for CB710/720 memory card reader (MMC part)")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20210927121408.939246-1-arnd@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/cb710/sgbuf2.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/cb710/sgbuf2.c
++++ b/drivers/misc/cb710/sgbuf2.c
+@@ -47,7 +47,7 @@ static inline bool needs_unaligned_copy(
+ #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
+       return false;
+ #else
+-      return ((ptr - NULL) & 3) != 0;
++      return ((uintptr_t)ptr & 3) != 0;
+ #endif
+ }
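Review bot: The alignment test in `needs_unaligned_copy()` still hard-codes the mask `3`, so the intent (4-byte alignment) has to be inferred from the constant. Since the line is being rewritten anyway, `return !IS_ALIGNED((uintptr_t)ptr, 4);` would say the same thing directly. The cast is the right replacement for `ptr - NULL`, which is undefined behaviour and not merely unusual. The start of the function is outside the hunk.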
diff --git a/queue-5.14/edac-armada-xp-fix-output-of-uncorrectable-error-counter.patch b/queue-5.14/edac-armada-xp-fix-output-of-uncorrectable-error-counter.patch
new file mode 100644 (file)
index 0000000..45cb6b4
--- /dev/null
@@ -0,0 +1,39 @@
+From d9b7748ffc45250b4d7bcf22404383229bc495f5 Mon Sep 17 00:00:00 2001
+From: Hans Potsch <hans.potsch@nokia.com>
+Date: Wed, 6 Oct 2021 14:13:32 +0200
+Subject: EDAC/armada-xp: Fix output of uncorrectable error counter
+
+From: Hans Potsch <hans.potsch@nokia.com>
+
+commit d9b7748ffc45250b4d7bcf22404383229bc495f5 upstream.
+
+The number of correctable errors is displayed as uncorrectable
+errors because the "SBE" error count is passed to both calls of
+edac_mc_handle_error().
+
+Pass the correct uncorrectable error count to the second
+edac_mc_handle_error() call when logging uncorrectable errors.
+
+ [ bp: Massage commit message. ]
+
+Fixes: 7f6998a41257 ("ARM: 8888/1: EDAC: Add driver for the Marvell Armada XP SDRAM and L2 cache ECC")
+Signed-off-by: Hans Potsch <hans.potsch@nokia.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: <stable@vger.kernel.org>
+Link: https://lkml.kernel.org/r/20211006121332.58788-1-hans.potsch@nokia.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/edac/armada_xp_edac.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/edac/armada_xp_edac.c
++++ b/drivers/edac/armada_xp_edac.c
+@@ -178,7 +178,7 @@ static void axp_mc_check(struct mem_ctl_
+                                    "details unavailable (multiple errors)");
+       if (cnt_dbe)
+               edac_mc_handle_error(HW_EVENT_ERR_UNCORRECTED, mci,
+-                                   cnt_sbe, /* error count */
++                                   cnt_dbe, /* error count */
+                                    0, 0, 0, /* pfn, offset, syndrome */
+                                    -1, -1, -1, /* top, mid, low layer */
+                                    mci->ctl_name,
diff --git a/queue-5.14/efi-change-down_interruptible-in-virt_efi_reset_system-to-down_trylock.patch b/queue-5.14/efi-change-down_interruptible-in-virt_efi_reset_system-to-down_trylock.patch
new file mode 100644 (file)
index 0000000..d9ec1d8
--- /dev/null
@@ -0,0 +1,67 @@
+From 38fa3206bf441911258e5001ac8b6738693f8d82 Mon Sep 17 00:00:00 2001
+From: Zhang Jianhua <chris.zjh@huawei.com>
+Date: Thu, 23 Sep 2021 10:53:40 +0800
+Subject: efi: Change down_interruptible() in virt_efi_reset_system() to down_trylock()
+
+From: Zhang Jianhua <chris.zjh@huawei.com>
+
+commit 38fa3206bf441911258e5001ac8b6738693f8d82 upstream.
+
+While reboot the system by sysrq, the following bug will be occur.
+
+BUG: sleeping function called from invalid context at kernel/locking/semaphore.c:90
+in_atomic(): 0, irqs_disabled(): 128, non_block: 0, pid: 10052, name: rc.shutdown
+CPU: 3 PID: 10052 Comm: rc.shutdown Tainted: G        W O      5.10.0 #1
+Call trace:
+ dump_backtrace+0x0/0x1c8
+ show_stack+0x18/0x28
+ dump_stack+0xd0/0x110
+ ___might_sleep+0x14c/0x160
+ __might_sleep+0x74/0x88
+ down_interruptible+0x40/0x118
+ virt_efi_reset_system+0x3c/0xd0
+ efi_reboot+0xd4/0x11c
+ machine_restart+0x60/0x9c
+ emergency_restart+0x1c/0x2c
+ sysrq_handle_reboot+0x1c/0x2c
+ __handle_sysrq+0xd0/0x194
+ write_sysrq_trigger+0xbc/0xe4
+ proc_reg_write+0xd4/0xf0
+ vfs_write+0xa8/0x148
+ ksys_write+0x6c/0xd8
+ __arm64_sys_write+0x18/0x28
+ el0_svc_common.constprop.3+0xe4/0x16c
+ do_el0_svc+0x1c/0x2c
+ el0_svc+0x20/0x30
+ el0_sync_handler+0x80/0x17c
+ el0_sync+0x158/0x180
+
+The reason for this problem is that irq has been disabled in
+machine_restart() and then it calls down_interruptible() in
+virt_efi_reset_system(), which would occur sleep in irq context,
+it is dangerous! Commit 99409b935c9a("locking/semaphore: Add
+might_sleep() to down_*() family") add might_sleep() in
+down_interruptible(), so the bug info is here. down_trylock()
+can solve this problem, cause there is no might_sleep.
+
+--------
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Zhang Jianhua <chris.zjh@huawei.com>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/efi/runtime-wrappers.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/firmware/efi/runtime-wrappers.c
++++ b/drivers/firmware/efi/runtime-wrappers.c
+@@ -414,7 +414,7 @@ static void virt_efi_reset_system(int re
+                                 unsigned long data_size,
+                                 efi_char16_t *data)
+ {
+-      if (down_interruptible(&efi_runtime_lock)) {
++      if (down_trylock(&efi_runtime_lock)) {
+               pr_warn("failed to invoke the reset_system() runtime service:\n"
+                       "could not get exclusive access to the firmware\n");
+               return;
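Review bot: With `down_trylock()` the reset path in `virt_efi_reset_system()` gives up at once whenever `efi_runtime_lock` is held, so a reboot requested while another runtime service call is in flight only logs the warning and returns. That is a reasonable trade-off for a path reached with interrupts disabled, but the reason should be recorded at the call, for example `/* may run with IRQs disabled via machine_restart(); must not sleep, so only try the lock */`. Whether the caller falls back to another reset method after this early return is not visible here and is worth confirming. The function body continues past the end of the hunk.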
diff --git a/queue-5.14/efi-cper-use-stack-buffer-for-error-record-decoding.patch b/queue-5.14/efi-cper-use-stack-buffer-for-error-record-decoding.patch
new file mode 100644 (file)
index 0000000..27aee7e
--- /dev/null
@@ -0,0 +1,50 @@
+From b3a72ca80351917cc23f9e24c35f3c3979d3c121 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ardb@kernel.org>
+Date: Wed, 1 Sep 2021 08:33:19 +0200
+Subject: efi/cper: use stack buffer for error record decoding
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+commit b3a72ca80351917cc23f9e24c35f3c3979d3c121 upstream.
+
+Joe reports that using a statically allocated buffer for converting CPER
+error records into human readable text is probably a bad idea. Even
+though we are not aware of any actual issues, a stack buffer is clearly
+a better choice here anyway, so let's move the buffer into the stack
+frames of the two functions that refer to it.
+
+Cc: <stable@vger.kernel.org>
+Reported-by: Joe Perches <joe@perches.com>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/efi/cper.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/firmware/efi/cper.c
++++ b/drivers/firmware/efi/cper.c
+@@ -25,8 +25,6 @@
+ #include <acpi/ghes.h>
+ #include <ras/ras_event.h>
+-static char rcd_decode_str[CPER_REC_LEN];
+-
+ /*
+  * CPER record ID need to be unique even after reboot, because record
+  * ID is used as index for ERST storage, while CPER records from
+@@ -313,6 +311,7 @@ const char *cper_mem_err_unpack(struct t
+                               struct cper_mem_err_compact *cmem)
+ {
+       const char *ret = trace_seq_buffer_ptr(p);
++      char rcd_decode_str[CPER_REC_LEN];
+       if (cper_mem_err_location(cmem, rcd_decode_str))
+               trace_seq_printf(p, "%s", rcd_decode_str);
+@@ -327,6 +326,7 @@ static void cper_print_mem(const char *p
+       int len)
+ {
+       struct cper_mem_err_compact cmem;
++      char rcd_decode_str[CPER_REC_LEN];
+       /* Don't trust UEFI 2.1/2.2 structure with bad validation bits */
+       if (len == sizeof(struct cper_sec_mem_err_old) &&
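Review bot: Both `cper_mem_err_unpack()` and `cper_print_mem()` now place a `CPER_REC_LEN`-byte array on the kernel stack, and the value of `CPER_REC_LEN` is not visible in these hunks, so the size should be confirmed against the frame-size warning limit. A one-line comment on the declaration, such as `/* per-call buffer: a shared static one could be overwritten by a concurrent decode */`, would record why the buffer is no longer static. In `cper_mem_err_unpack()` the new declaration runs straight into the `if`; kernel style wants a blank line after the declarations, though it may simply have been lost in this rendering. Both function bodies extend beyond the hunks shown.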
diff --git a/queue-5.14/input-xpad-add-support-for-another-usb-id-of-nacon-gc-100.patch b/queue-5.14/input-xpad-add-support-for-another-usb-id-of-nacon-gc-100.patch
new file mode 100644 (file)
index 0000000..d720c36
--- /dev/null
@@ -0,0 +1,39 @@
+From 3378a07daa6cdd11e042797454c706d1c69f9ca6 Mon Sep 17 00:00:00 2001
+From: Michael Cullen <michael@michaelcullen.name>
+Date: Fri, 15 Oct 2021 13:17:50 -0700
+Subject: Input: xpad - add support for another USB ID of Nacon GC-100
+
+From: Michael Cullen <michael@michaelcullen.name>
+
+commit 3378a07daa6cdd11e042797454c706d1c69f9ca6 upstream.
+
+The Nacon GX100XF is already mapped, but it seems there is a Nacon
+GC-100 (identified as NC5136Wht PCGC-100WHITE though I believe other
+colours exist) with a different USB ID when in XInput mode.
+
+Signed-off-by: Michael Cullen <michael@michaelcullen.name>
+Link: https://lore.kernel.org/r/20211015192051.5196-1-michael@michaelcullen.name
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/joystick/xpad.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/input/joystick/xpad.c
++++ b/drivers/input/joystick/xpad.c
+@@ -334,6 +334,7 @@ static const struct xpad_device {
+       { 0x24c6, 0x5b03, "Thrustmaster Ferrari 458 Racing Wheel", 0, XTYPE_XBOX360 },
+       { 0x24c6, 0x5d04, "Razer Sabertooth", 0, XTYPE_XBOX360 },
+       { 0x24c6, 0xfafe, "Rock Candy Gamepad for Xbox 360", 0, XTYPE_XBOX360 },
++      { 0x3285, 0x0607, "Nacon GC-100", 0, XTYPE_XBOX360 },
+       { 0x3767, 0x0101, "Fanatec Speedster 3 Forceshock Wheel", 0, XTYPE_XBOX },
+       { 0xffff, 0xffff, "Chinese-made Xbox Controller", 0, XTYPE_XBOX },
+       { 0x0000, 0x0000, "Generic X-Box pad", 0, XTYPE_UNKNOWN }
+@@ -451,6 +452,7 @@ static const struct usb_device_id xpad_t
+       XPAD_XBOXONE_VENDOR(0x24c6),            /* PowerA Controllers */
+       XPAD_XBOXONE_VENDOR(0x2e24),            /* Hyperkin Duke X-Box One pad */
+       XPAD_XBOX360_VENDOR(0x2f24),            /* GameSir Controllers */
++      XPAD_XBOX360_VENDOR(0x3285),            /* Nacon GC-100 */
+       { }
+ };
diff --git a/queue-5.14/mei-hbm-drop-hbm-responses-on-early-shutdown.patch b/queue-5.14/mei-hbm-drop-hbm-responses-on-early-shutdown.patch
new file mode 100644 (file)
index 0000000..2e66911
--- /dev/null
@@ -0,0 +1,69 @@
+From 6d7163f2c49fda5658e43105a96b555c89a4548d Mon Sep 17 00:00:00 2001
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+Date: Wed, 13 Oct 2021 10:45:52 +0300
+Subject: mei: hbm: drop hbm responses on early shutdown
+
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+
+commit 6d7163f2c49fda5658e43105a96b555c89a4548d upstream.
+
+Drop HBM responses also in the early shutdown phase where
+the usual traffic is allowed.
+Extend the rule that drop HBM responses received during the shutdown phase
+by also in MEI_DEV_POWERING_DOWN state.
+This resolves the stall if the driver is stopping in the middle
+of the link init or link reset.
+
+Fixes: da3eb47c90d4 ("mei: hbm: drop hbm responses on shutdown")
+Fixes: 36edb1407c3c ("mei: allow clients on bus to communicate in remove callback")
+Cc: <stable@vger.kernel.org> # v5.12+
+Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
+Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
+Link: https://lore.kernel.org/r/20211013074552.2278419-1-tomas.winkler@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/mei/hbm.c |   12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/misc/mei/hbm.c
++++ b/drivers/misc/mei/hbm.c
+@@ -1298,7 +1298,8 @@ int mei_hbm_dispatch(struct mei_device *
+               if (dev->dev_state != MEI_DEV_INIT_CLIENTS ||
+                   dev->hbm_state != MEI_HBM_STARTING) {
+-                      if (dev->dev_state == MEI_DEV_POWER_DOWN) {
++                      if (dev->dev_state == MEI_DEV_POWER_DOWN ||
++                          dev->dev_state == MEI_DEV_POWERING_DOWN) {
+                               dev_dbg(dev->dev, "hbm: start: on shutdown, ignoring\n");
+                               return 0;
+                       }
+@@ -1381,7 +1382,8 @@ int mei_hbm_dispatch(struct mei_device *
+               if (dev->dev_state != MEI_DEV_INIT_CLIENTS ||
+                   dev->hbm_state != MEI_HBM_DR_SETUP) {
+-                      if (dev->dev_state == MEI_DEV_POWER_DOWN) {
++                      if (dev->dev_state == MEI_DEV_POWER_DOWN ||
++                          dev->dev_state == MEI_DEV_POWERING_DOWN) {
+                               dev_dbg(dev->dev, "hbm: dma setup response: on shutdown, ignoring\n");
+                               return 0;
+                       }
+@@ -1448,7 +1450,8 @@ int mei_hbm_dispatch(struct mei_device *
+               if (dev->dev_state != MEI_DEV_INIT_CLIENTS ||
+                   dev->hbm_state != MEI_HBM_CLIENT_PROPERTIES) {
+-                      if (dev->dev_state == MEI_DEV_POWER_DOWN) {
++                      if (dev->dev_state == MEI_DEV_POWER_DOWN ||
++                          dev->dev_state == MEI_DEV_POWERING_DOWN) {
+                               dev_dbg(dev->dev, "hbm: properties response: on shutdown, ignoring\n");
+                               return 0;
+                       }
+@@ -1490,7 +1493,8 @@ int mei_hbm_dispatch(struct mei_device *
+               if (dev->dev_state != MEI_DEV_INIT_CLIENTS ||
+                   dev->hbm_state != MEI_HBM_ENUM_CLIENTS) {
+-                      if (dev->dev_state == MEI_DEV_POWER_DOWN) {
++                      if (dev->dev_state == MEI_DEV_POWER_DOWN ||
++                          dev->dev_state == MEI_DEV_POWERING_DOWN) {
+                               dev_dbg(dev->dev, "hbm: enumeration response: on shutdown, ignoring\n");
+                               return 0;
+                       }
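Review bot: The shutdown test `dev->dev_state == MEI_DEV_POWER_DOWN || dev->dev_state == MEI_DEV_POWERING_DOWN` is now written out four times in `mei_hbm_dispatch()` (start, dma setup, properties and enumeration responses), so the next state added to the rule has to be patched in four places again. A small static helper in hbm.c that returns this expression, used as `if (mei_hbm_in_shutdown(dev)) {` at each site, would keep the rule in one place; the helper name is only a suggestion. The hunks show fragments of `mei_hbm_dispatch()`, so other response handlers outside them may carry the older single-state check and should be looked at as well.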
diff --git a/queue-5.14/mei-me-add-ice-lake-n-device-id.patch b/queue-5.14/mei-me-add-ice-lake-n-device-id.patch
new file mode 100644 (file)
index 0000000..2684d86
--- /dev/null
@@ -0,0 +1,44 @@
+From 75c10c5e7a715550afdd51ef8cfd1d975f48f9e1 Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Fri, 1 Oct 2021 20:36:44 +0300
+Subject: mei: me: add Ice Lake-N device id.
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+commit 75c10c5e7a715550afdd51ef8cfd1d975f48f9e1 upstream.
+
+Add Ice Lake-N device ID.
+
+The device can be found on MacBookPro16,2 [1].
+
+[1]: https://linux-hardware.org/?probe=f1c5cf0c43
+
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20211001173644.16068-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/mei/hw-me-regs.h |    1 +
+ drivers/misc/mei/pci-me.c     |    1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/drivers/misc/mei/hw-me-regs.h
++++ b/drivers/misc/mei/hw-me-regs.h
+@@ -92,6 +92,7 @@
+ #define MEI_DEV_ID_CDF        0x18D3  /* Cedar Fork */
+ #define MEI_DEV_ID_ICP_LP     0x34E0  /* Ice Lake Point LP */
++#define MEI_DEV_ID_ICP_N      0x38E0  /* Ice Lake Point N */
+ #define MEI_DEV_ID_JSP_N      0x4DE0  /* Jasper Lake Point N */
+--- a/drivers/misc/mei/pci-me.c
++++ b/drivers/misc/mei/pci-me.c
+@@ -96,6 +96,7 @@ static const struct pci_device_id mei_me
+       {MEI_PCI_DEVICE(MEI_DEV_ID_CMP_H_3, MEI_ME_PCH8_ITOUCH_CFG)},
+       {MEI_PCI_DEVICE(MEI_DEV_ID_ICP_LP, MEI_ME_PCH12_CFG)},
++      {MEI_PCI_DEVICE(MEI_DEV_ID_ICP_N, MEI_ME_PCH12_CFG)},
+       {MEI_PCI_DEVICE(MEI_DEV_ID_TGP_LP, MEI_ME_PCH15_CFG)},
+       {MEI_PCI_DEVICE(MEI_DEV_ID_TGP_H, MEI_ME_PCH15_SPS_CFG)},
diff --git a/queue-5.14/misc-fastrpc-add-missing-lock-before-accessing-find_vma.patch b/queue-5.14/misc-fastrpc-add-missing-lock-before-accessing-find_vma.patch
new file mode 100644 (file)
index 0000000..d1b8082
--- /dev/null
@@ -0,0 +1,61 @@
+From f9a470db2736b01538ad193c316eb3f26be37d58 Mon Sep 17 00:00:00 2001
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Date: Wed, 22 Sep 2021 16:43:26 +0100
+Subject: misc: fastrpc: Add missing lock before accessing find_vma()
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+commit f9a470db2736b01538ad193c316eb3f26be37d58 upstream.
+
+fastrpc driver is using find_vma() without any protection, as a
+result we see below warning due to recent patch 5b78ed24e8ec
+("mm/pagemap: add mmap_assert_locked() annotations to find_vma*()")
+which added mmap_assert_locked() in find_vma() function.
+
+This bug went un-noticed in previous versions. Fix this issue by adding
+required protection while calling find_vma().
+
+CPU: 0 PID: 209746 Comm: benchmark_model Not tainted 5.15.0-rc2-00445-ge14fe2bf817a-dirty #969
+Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)
+pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+pc : find_vma+0x64/0xd0
+lr : find_vma+0x60/0xd0
+sp : ffff8000158ebc40
+...
+
+Call trace:
+ find_vma+0x64/0xd0
+ fastrpc_internal_invoke+0x570/0xda8
+ fastrpc_device_ioctl+0x3e0/0x928
+ __arm64_sys_ioctl+0xac/0xf0
+ invoke_syscall+0x44/0x100
+ el0_svc_common.constprop.3+0x70/0xf8
+ do_el0_svc+0x24/0x88
+ el0_svc+0x3c/0x138
+ el0t_64_sync_handler+0x90/0xb8
+ el0t_64_sync+0x180/0x184
+
+Fixes: 80f3afd72bd4 ("misc: fastrpc: consider address offset before sending to DSP")
+Cc: stable@vger.kernel.org
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20210922154326.8927-1-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/fastrpc.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -814,10 +814,12 @@ static int fastrpc_get_args(u32 kernel,
+                       rpra[i].pv = (u64) ctx->args[i].ptr;
+                       pages[i].addr = ctx->maps[i]->phys;
++                      mmap_read_lock(current->mm);
+                       vma = find_vma(current->mm, ctx->args[i].ptr);
+                       if (vma)
+                               pages[i].addr += ctx->args[i].ptr -
+                                                vma->vm_start;
++                      mmap_read_unlock(current->mm);
+                       pg_start = (ctx->args[i].ptr & PAGE_MASK) >> PAGE_SHIFT;
+                       pg_end = ((ctx->args[i].ptr + len - 1) & PAGE_MASK) >>
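Review bot: The NULL check on `vma` in `fastrpc_get_args()` does not establish that the address lies inside the returned VMA. `find_vma()` returns the first VMA that ends above the address, and that VMA may also start above it, in which case `ctx->args[i].ptr - vma->vm_start` wraps and the result is added to `pages[i].addr`. Since `ctx->args[i].ptr` appears to originate from the ioctl caller (the trace in the commit message goes through `fastrpc_device_ioctl`), the guard should be `if (vma && ctx->args[i].ptr >= vma->vm_start)`. The locking itself looks right as far as the hunk shows: the VMA is only dereferenced between `mmap_read_lock()` and `mmap_read_unlock()`. The function starts and ends outside the hunk.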
diff --git a/queue-5.14/nvmem-fix-shift-out-of-bound-ubsan-with-byte-size-cells.patch b/queue-5.14/nvmem-fix-shift-out-of-bound-ubsan-with-byte-size-cells.patch
new file mode 100644 (file)
index 0000000..89ea5e0
--- /dev/null
@@ -0,0 +1,85 @@
+From 5d388fa01fa6eb310ac023a363a6cb216d9d8fe9 Mon Sep 17 00:00:00 2001
+From: Stephen Boyd <swboyd@chromium.org>
+Date: Wed, 13 Oct 2021 13:45:11 +0100
+Subject: nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells
+
+From: Stephen Boyd <swboyd@chromium.org>
+
+commit 5d388fa01fa6eb310ac023a363a6cb216d9d8fe9 upstream.
+
+If a cell has 'nbits' equal to a multiple of BITS_PER_BYTE the logic
+
+ *p &= GENMASK((cell->nbits%BITS_PER_BYTE) - 1, 0);
+
+will become undefined behavior because nbits modulo BITS_PER_BYTE is 0, and we
+subtract one from that making a large number that is then shifted more than the
+number of bits that fit into an unsigned long.
+
+UBSAN reports this problem:
+
+ UBSAN: shift-out-of-bounds in drivers/nvmem/core.c:1386:8
+ shift exponent 64 is too large for 64-bit type 'unsigned long'
+ CPU: 6 PID: 7 Comm: kworker/u16:0 Not tainted 5.15.0-rc3+ #9
+ Hardware name: Google Lazor (rev3+) with KB Backlight (DT)
+ Workqueue: events_unbound deferred_probe_work_func
+ Call trace:
+  dump_backtrace+0x0/0x170
+  show_stack+0x24/0x30
+  dump_stack_lvl+0x64/0x7c
+  dump_stack+0x18/0x38
+  ubsan_epilogue+0x10/0x54
+  __ubsan_handle_shift_out_of_bounds+0x180/0x194
+  __nvmem_cell_read+0x1ec/0x21c
+  nvmem_cell_read+0x58/0x94
+  nvmem_cell_read_variable_common+0x4c/0xb0
+  nvmem_cell_read_variable_le_u32+0x40/0x100
+  a6xx_gpu_init+0x170/0x2f4
+  adreno_bind+0x174/0x284
+  component_bind_all+0xf0/0x264
+  msm_drm_bind+0x1d8/0x7a0
+  try_to_bring_up_master+0x164/0x1ac
+  __component_add+0xbc/0x13c
+  component_add+0x20/0x2c
+  dp_display_probe+0x340/0x384
+  platform_probe+0xc0/0x100
+  really_probe+0x110/0x304
+  __driver_probe_device+0xb8/0x120
+  driver_probe_device+0x4c/0xfc
+  __device_attach_driver+0xb0/0x128
+  bus_for_each_drv+0x90/0xdc
+  __device_attach+0xc8/0x174
+  device_initial_probe+0x20/0x2c
+  bus_probe_device+0x40/0xa4
+  deferred_probe_work_func+0x7c/0xb8
+  process_one_work+0x128/0x21c
+  process_scheduled_works+0x40/0x54
+  worker_thread+0x1ec/0x2a8
+  kthread+0x138/0x158
+  ret_from_fork+0x10/0x20
+
+Fix it by making sure there are any bits to mask out.
+
+Fixes: 69aba7948cbe ("nvmem: Add a simple NVMEM framework for consumers")
+Cc: Douglas Anderson <dianders@chromium.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Stephen Boyd <swboyd@chromium.org>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20211013124511.18726-1-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvmem/core.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/nvmem/core.c
++++ b/drivers/nvmem/core.c
+@@ -1383,7 +1383,8 @@ static void nvmem_shift_read_buffer_in_p
+               *p-- = 0;
+       /* clear msb bits if any leftover in the last byte */
+-      *p &= GENMASK((cell->nbits%BITS_PER_BYTE) - 1, 0);
++      if (cell->nbits % BITS_PER_BYTE)
++              *p &= GENMASK((cell->nbits % BITS_PER_BYTE) - 1, 0);
+ }
+ static int __nvmem_cell_read(struct nvmem_device *nvmem,
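Review bot: The remainder `cell->nbits % BITS_PER_BYTE` is computed twice in the fixed lines of `nvmem_shift_read_buffer_in_place()`, once for the guard and once for the mask. Naming it once in a local (here called `rem`) makes it obvious that both depend on the same value: `if (rem) *p &= GENMASK(rem - 1, 0);`. The existing comment could also state why the guard is there, e.g. `/* clear msb bits if any leftover in the last byte; nothing to clear when nbits is a whole number of bytes */`. Only the tail of the function is inside the hunk.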
diff --git a/queue-5.14/revert-virtio-blk-add-validation-for-block-size-in-config-space.patch b/queue-5.14/revert-virtio-blk-add-validation-for-block-size-in-config-space.patch
new file mode 100644 (file)
index 0000000..94d795c
--- /dev/null
@@ -0,0 +1,113 @@
+From ff63198850f33eab54b2da6905380fd4d4fc0739 Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Mon, 4 Oct 2021 11:31:00 -0400
+Subject: Revert "virtio-blk: Add validation for block size in config space"
+
+From: Michael S. Tsirkin <mst@redhat.com>
+
+commit ff63198850f33eab54b2da6905380fd4d4fc0739 upstream.
+
+It turns out that access to config space before completing the feature
+negotiation is broken for big endian guests at least with QEMU hosts up
+to 6.1 inclusive.  This affects any device that accesses config space in
+the validate callback: at the moment that is virtio-net with
+VIRTIO_NET_F_MTU but since 82e89ea077b9 ("virtio-blk: Add validation for
+block size in config space") that also started affecting virtio-blk with
+VIRTIO_BLK_F_BLK_SIZE. Further, unlike VIRTIO_NET_F_MTU which is off by
+default on QEMU, VIRTIO_BLK_F_BLK_SIZE is on by default, which resulted
+in lots of people not being able to boot VMs on BE.
+
+The spec is very clear that what we are doing is legal so QEMU needs to
+be fixed, but given it's been broken for so many years and no one
+noticed, we need to give QEMU a bit more time before applying this.
+
+Further, this patch is incomplete (does not check blk size is a power
+of two) and it duplicates the logic from nbd.
+
+Revert for now, and we'll reapply a cleaner logic in the next release.
+
+Cc: stable@vger.kernel.org
+Fixes: 82e89ea077b9 ("virtio-blk: Add validation for block size in config space")
+Cc: Xie Yongji <xieyongji@bytedance.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/virtio_blk.c |   39 ++++++---------------------------------
+ 1 file changed, 6 insertions(+), 33 deletions(-)
+
+--- a/drivers/block/virtio_blk.c
++++ b/drivers/block/virtio_blk.c
+@@ -692,28 +692,6 @@ static const struct blk_mq_ops virtio_mq
+ static unsigned int virtblk_queue_depth;
+ module_param_named(queue_depth, virtblk_queue_depth, uint, 0444);
+-static int virtblk_validate(struct virtio_device *vdev)
+-{
+-      u32 blk_size;
+-
+-      if (!vdev->config->get) {
+-              dev_err(&vdev->dev, "%s failure: config access disabled\n",
+-                      __func__);
+-              return -EINVAL;
+-      }
+-
+-      if (!virtio_has_feature(vdev, VIRTIO_BLK_F_BLK_SIZE))
+-              return 0;
+-
+-      blk_size = virtio_cread32(vdev,
+-                      offsetof(struct virtio_blk_config, blk_size));
+-
+-      if (blk_size < SECTOR_SIZE || blk_size > PAGE_SIZE)
+-              __virtio_clear_bit(vdev, VIRTIO_BLK_F_BLK_SIZE);
+-
+-      return 0;
+-}
+-
+ static int virtblk_probe(struct virtio_device *vdev)
+ {
+       struct virtio_blk *vblk;
+@@ -725,6 +703,12 @@ static int virtblk_probe(struct virtio_d
+       u8 physical_block_exp, alignment_offset;
+       unsigned int queue_depth;
++      if (!vdev->config->get) {
++              dev_err(&vdev->dev, "%s failure: config access disabled\n",
++                      __func__);
++              return -EINVAL;
++      }
++
+       err = ida_simple_get(&vd_index_ida, 0, minor_to_index(1 << MINORBITS),
+                            GFP_KERNEL);
+       if (err < 0)
+@@ -839,14 +823,6 @@ static int virtblk_probe(struct virtio_d
+       else
+               blk_size = queue_logical_block_size(q);
+-      if (blk_size < SECTOR_SIZE || blk_size > PAGE_SIZE) {
+-              dev_err(&vdev->dev,
+-                      "block size is changed unexpectedly, now is %u\n",
+-                      blk_size);
+-              err = -EINVAL;
+-              goto err_cleanup_disk;
+-      }
+-
+       /* Use topology information if available */
+       err = virtio_cread_feature(vdev, VIRTIO_BLK_F_TOPOLOGY,
+                                  struct virtio_blk_config, physical_block_exp,
+@@ -905,8 +881,6 @@ static int virtblk_probe(struct virtio_d
+       device_add_disk(&vdev->dev, vblk->disk, virtblk_attr_groups);
+       return 0;
+-err_cleanup_disk:
+-      blk_cleanup_disk(vblk->disk);
+ out_free_tags:
+       blk_mq_free_tag_set(&vblk->tag_set);
+ out_free_vq:
+@@ -1009,7 +983,6 @@ static struct virtio_driver virtio_blk =
+       .driver.name                    = KBUILD_MODNAME,
+       .driver.owner                   = THIS_MODULE,
+       .id_table                       = id_table,
+-      .validate                       = virtblk_validate,
+       .probe                          = virtblk_probe,
+       .remove                         = virtblk_remove,
+       .config_changed                 = virtblk_config_changed,
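Review bot: After this revert `virtblk_probe()` uses the `blk_size` computed just above the removed check with no range validation, so a device reporting a value below `SECTOR_SIZE` or above `PAGE_SIZE` is no longer refused at probe time. The commit message explains why the validate callback cannot read config space yet, and notes the original check also missed the power-of-two requirement. A marker at the site would keep the gap from being forgotten, for example `/* TODO: validate blk_size (range, power of two) once the config-space access ordering is fixed */`. Trees that treat the virtio device as untrusted should track the follow-up validation patch. Most of `virtblk_probe()` lies outside the hunks, so any later sanity check on the value cannot be ruled out from here.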
index c52aec43eaf56d44b181ba7e8b326082ee3888c1..12f146fe9e0e1bd33170432a3bbb97354243872e 100644 (file)
@@ -35,3 +35,25 @@ btrfs-update-refs-for-any-root-except-tree-log-roots.patch
 btrfs-fix-abort-logic-in-btrfs_replace_file_extents.patch
 module-fix-clang-cfi-with-module_unload-n.patch
 x86-resctrl-free-the-ctrlval-arrays-when-domain_setup_mon_state-fails.patch
+mei-me-add-ice-lake-n-device-id.patch
+mei-hbm-drop-hbm-responses-on-early-shutdown.patch
+usb-xhci-dbc-fix-tty-registration-race.patch
+xhci-guard-accesses-to-ep_state-in-xhci_endpoint_reset.patch
+xhci-add-quirk-for-host-controllers-that-don-t-update-endpoint-dcs.patch
+xhci-fix-command-ring-pointer-corruption-while-aborting-a-command.patch
+xhci-enable-trust-tx-length-quirk-for-fresco-fl11-usb-controller.patch
+cb710-avoid-null-pointer-subtraction.patch
+efi-cper-use-stack-buffer-for-error-record-decoding.patch
+efi-change-down_interruptible-in-virt_efi_reset_system-to-down_trylock.patch
+usb-musb-dsps-fix-the-probe-error-path.patch
+input-xpad-add-support-for-another-usb-id-of-nacon-gc-100.patch
+usb-serial-qcserial-add-em9191-qdl-support.patch
+usb-serial-option-add-quectel-ec200s-cn-module-support.patch
+usb-serial-option-add-telit-le910cx-composition-0x1204.patch
+usb-serial-option-add-prod.-id-for-quectel-eg91.patch
+misc-fastrpc-add-missing-lock-before-accessing-find_vma.patch
+virtio-write-back-f_version_1-before-validate.patch
+edac-armada-xp-fix-output-of-uncorrectable-error-counter.patch
+nvmem-fix-shift-out-of-bound-ubsan-with-byte-size-cells.patch
+virtio-blk-remove-unneeded-likely-statements.patch
+revert-virtio-blk-add-validation-for-block-size-in-config-space.patch
diff --git a/queue-5.14/usb-musb-dsps-fix-the-probe-error-path.patch b/queue-5.14/usb-musb-dsps-fix-the-probe-error-path.patch
new file mode 100644 (file)
index 0000000..97330ec
--- /dev/null
@@ -0,0 +1,65 @@
+From c2115b2b16421d93d4993f3fe4c520e91d6fe801 Mon Sep 17 00:00:00 2001
+From: Miquel Raynal <miquel.raynal@bootlin.com>
+Date: Wed, 6 Oct 2021 00:16:31 +0200
+Subject: usb: musb: dsps: Fix the probe error path
+
+From: Miquel Raynal <miquel.raynal@bootlin.com>
+
+commit c2115b2b16421d93d4993f3fe4c520e91d6fe801 upstream.
+
+Commit 7c75bde329d7 ("usb: musb: musb_dsps: request_irq() after
+initializing musb") has inverted the calls to
+dsps_setup_optional_vbus_irq() and dsps_create_musb_pdev() without
+updating correctly the error path. dsps_create_musb_pdev() allocates and
+registers a new platform device which must be unregistered and freed
+with platform_device_unregister(), and this is missing upon
+dsps_setup_optional_vbus_irq() error.
+
+While on the master branch it seems not to trigger any issue, I observed
+a kernel crash because of a NULL pointer dereference with a v5.10.70
+stable kernel where the patch mentioned above was backported. With this
+kernel version, -EPROBE_DEFER is returned the first time
+dsps_setup_optional_vbus_irq() is called which triggers the probe to
+error out without unregistering the platform device. Unfortunately, on
+the Beagle Bone Black Wireless, the platform device still living in the
+system is being used by the USB Ethernet gadget driver, which during the
+boot phase triggers the crash.
+
+My limited knowledge of the musb world prevents me to revert this commit
+which was sent to silence a robot warning which, as far as I understand,
+does not make sense. The goal of this patch was to prevent an IRQ to
+fire before the platform device being registered. I think this cannot
+ever happen due to the fact that enabling the interrupts is done by the
+->enable() callback of the platform musb device, and this platform
+device must be already registered in order for the core or any other
+user to use this callback.
+
+Hence, I decided to fix the error path, which might prevent future
+errors on mainline kernels while also fixing older ones.
+
+Fixes: 7c75bde329d7 ("usb: musb: musb_dsps: request_irq() after initializing musb")
+Cc: stable@vger.kernel.org
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/r/20211005221631.1529448-1-miquel.raynal@bootlin.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/musb/musb_dsps.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/musb/musb_dsps.c
++++ b/drivers/usb/musb/musb_dsps.c
+@@ -899,11 +899,13 @@ static int dsps_probe(struct platform_de
+       if (usb_get_dr_mode(&pdev->dev) == USB_DR_MODE_PERIPHERAL) {
+               ret = dsps_setup_optional_vbus_irq(pdev, glue);
+               if (ret)
+-                      goto err;
++                      goto unregister_pdev;
+       }
+       return 0;
++unregister_pdev:
++      platform_device_unregister(glue->musb);
+ err:
+       pm_runtime_disable(&pdev->dev);
+       iounmap(glue->usbss_base);
diff --git a/queue-5.14/usb-serial-option-add-prod.-id-for-quectel-eg91.patch b/queue-5.14/usb-serial-option-add-prod.-id-for-quectel-eg91.patch
new file mode 100644 (file)
index 0000000..c35f870
--- /dev/null
@@ -0,0 +1,62 @@
+From c184accc4a42c7872dc8e8d0fc97a740dc61fe24 Mon Sep 17 00:00:00 2001
+From: Tomaz Solc <tomaz.solc@tablix.org>
+Date: Wed, 6 Oct 2021 14:57:50 +0200
+Subject: USB: serial: option: add prod. id for Quectel EG91
+
+From: Tomaz Solc <tomaz.solc@tablix.org>
+
+commit c184accc4a42c7872dc8e8d0fc97a740dc61fe24 upstream.
+
+Adding support for Quectel EG91 LTE module.
+
+The interface layout is same as for EG95.
+
+usb-devices output:
+T:  Bus=01 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#=  3 Spd=480 MxCh= 0
+D:  Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
+P:  Vendor=2c7c ProdID=0191 Rev=03.18
+S:  Manufacturer=Android
+S:  Product=Android
+C:  #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA
+I:  If#=0x0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
+I:  If#=0x1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
+I:  If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
+I:  If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
+I:  If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
+
+Interfaces:
+
+0: Diag
+1: GNSS
+2: AT-command interface/modem
+3: Modem
+4: QMI
+
+Signed-off-by: Tomaz Solc <tomaz.solc@tablix.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/option.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -246,6 +246,7 @@ static void option_instat_callback(struc
+ /* These Quectel products use Quectel's vendor ID */
+ #define QUECTEL_PRODUCT_EC21                  0x0121
+ #define QUECTEL_PRODUCT_EC25                  0x0125
++#define QUECTEL_PRODUCT_EG91                  0x0191
+ #define QUECTEL_PRODUCT_EG95                  0x0195
+ #define QUECTEL_PRODUCT_BG96                  0x0296
+ #define QUECTEL_PRODUCT_EP06                  0x0306
+@@ -1112,6 +1113,9 @@ static const struct usb_device_id option
+       { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC25, 0xff, 0xff, 0xff),
+         .driver_info = NUMEP2 },
+       { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC25, 0xff, 0, 0) },
++      { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EG91, 0xff, 0xff, 0xff),
++        .driver_info = NUMEP2 },
++      { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EG91, 0xff, 0, 0) },
+       { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EG95, 0xff, 0xff, 0xff),
+         .driver_info = NUMEP2 },
+       { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EG95, 0xff, 0, 0) },
diff --git a/queue-5.14/usb-serial-option-add-quectel-ec200s-cn-module-support.patch b/queue-5.14/usb-serial-option-add-quectel-ec200s-cn-module-support.patch
new file mode 100644 (file)
index 0000000..01643bd
--- /dev/null
@@ -0,0 +1,52 @@
+From 2263eb7370060bdb0013bc14e1a7c9bf33617a55 Mon Sep 17 00:00:00 2001
+From: Yu-Tung Chang <mtwget@gmail.com>
+Date: Thu, 30 Sep 2021 10:11:12 +0800
+Subject: USB: serial: option: add Quectel EC200S-CN module support
+
+From: Yu-Tung Chang <mtwget@gmail.com>
+
+commit 2263eb7370060bdb0013bc14e1a7c9bf33617a55 upstream.
+
+Add usb product id of the Quectel EC200S-CN module.
+
+usb-devices output for 0x6002:
+T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  3 Spd=480 MxCh= 0
+D:  Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
+P:  Vendor=2c7c ProdID=6002 Rev=03.18
+S:  Manufacturer=Android
+S:  Product=Android
+S:  SerialNumber=0000
+C:  #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
+I:  If#=0x0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether
+I:  If#=0x1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
+I:  If#=0x2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
+I:  If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
+I:  If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
+
+Signed-off-by: Yu-Tung Chang <mtwget@gmail.com>
+Link: https://lore.kernel.org/r/20210930021112.330396-1-mtwget@gmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/option.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -251,6 +251,7 @@ static void option_instat_callback(struc
+ #define QUECTEL_PRODUCT_EP06                  0x0306
+ #define QUECTEL_PRODUCT_EM12                  0x0512
+ #define QUECTEL_PRODUCT_RM500Q                        0x0800
++#define QUECTEL_PRODUCT_EC200S_CN             0x6002
+ #define QUECTEL_PRODUCT_EC200T                        0x6026
+ #define CMOTECH_VENDOR_ID                     0x16d8
+@@ -1128,6 +1129,7 @@ static const struct usb_device_id option
+       { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RM500Q, 0xff, 0, 0) },
+       { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RM500Q, 0xff, 0xff, 0x10),
+         .driver_info = ZLP },
++      { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC200S_CN, 0xff, 0, 0) },
+       { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC200T, 0xff, 0, 0) },
+       { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6001) },
diff --git a/queue-5.14/usb-serial-option-add-telit-le910cx-composition-0x1204.patch b/queue-5.14/usb-serial-option-add-telit-le910cx-composition-0x1204.patch
new file mode 100644 (file)
index 0000000..1420858
--- /dev/null
@@ -0,0 +1,33 @@
+From f5a8a07edafed8bede17a95ef8940fe3a57a77d5 Mon Sep 17 00:00:00 2001
+From: Daniele Palmas <dnlplm@gmail.com>
+Date: Mon, 4 Oct 2021 12:56:55 +0200
+Subject: USB: serial: option: add Telit LE910Cx composition 0x1204
+
+From: Daniele Palmas <dnlplm@gmail.com>
+
+commit f5a8a07edafed8bede17a95ef8940fe3a57a77d5 upstream.
+
+Add the following Telit LE910Cx composition:
+
+0x1204: tty, adb, mbim, tty, tty, tty, tty
+
+Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
+Link: https://lore.kernel.org/r/20211004105655.8515-1-dnlplm@gmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/option.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -1229,6 +1229,8 @@ static const struct usb_device_id option
+         .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) },
+       { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1203, 0xff),    /* Telit LE910Cx (RNDIS) */
+         .driver_info = NCTRL(2) | RSVD(3) },
++      { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1204, 0xff),    /* Telit LE910Cx (MBIM) */
++        .driver_info = NCTRL(0) | RSVD(1) },
+       { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910_USBCFG4),
+         .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) | RSVD(3) },
+       { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920),
diff --git a/queue-5.14/usb-serial-qcserial-add-em9191-qdl-support.patch b/queue-5.14/usb-serial-qcserial-add-em9191-qdl-support.patch
new file mode 100644 (file)
index 0000000..e6b1001
--- /dev/null
@@ -0,0 +1,40 @@
+From 11c52d250b34a0862edc29db03fbec23b30db6da Mon Sep 17 00:00:00 2001
+From: Aleksander Morgado <aleksander@aleksander.es>
+Date: Thu, 7 Oct 2021 14:25:01 +0200
+Subject: USB: serial: qcserial: add EM9191 QDL support
+
+From: Aleksander Morgado <aleksander@aleksander.es>
+
+commit 11c52d250b34a0862edc29db03fbec23b30db6da upstream.
+
+When the module boots into QDL download mode it exposes the 1199:90d2
+ids, which can be mapped to the qcserial driver, and used to run
+firmware upgrades (e.g. with the qmi-firmware-update program).
+
+  T:  Bus=01 Lev=03 Prnt=08 Port=03 Cnt=01 Dev#= 10 Spd=480 MxCh= 0
+  D:  Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
+  P:  Vendor=1199 ProdID=90d2 Rev=00.00
+  S:  Manufacturer=Sierra Wireless, Incorporated
+  S:  Product=Sierra Wireless EM9191
+  S:  SerialNumber=8W0382004102A109
+  C:  #Ifs= 1 Cfg#= 1 Atr=a0 MxPwr=2mA
+  I:  If#=0x0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=10 Driver=qcserial
+
+Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/qcserial.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/qcserial.c
++++ b/drivers/usb/serial/qcserial.c
+@@ -165,6 +165,7 @@ static const struct usb_device_id id_tab
+       {DEVICE_SWI(0x1199, 0x907b)},   /* Sierra Wireless EM74xx */
+       {DEVICE_SWI(0x1199, 0x9090)},   /* Sierra Wireless EM7565 QDL */
+       {DEVICE_SWI(0x1199, 0x9091)},   /* Sierra Wireless EM7565 */
++      {DEVICE_SWI(0x1199, 0x90d2)},   /* Sierra Wireless EM9191 QDL */
+       {DEVICE_SWI(0x413c, 0x81a2)},   /* Dell Wireless 5806 Gobi(TM) 4G LTE Mobile Broadband Card */
+       {DEVICE_SWI(0x413c, 0x81a3)},   /* Dell Wireless 5570 HSPA+ (42Mbps) Mobile Broadband Card */
+       {DEVICE_SWI(0x413c, 0x81a4)},   /* Dell Wireless 5570e HSPA+ (42Mbps) Mobile Broadband Card */
diff --git a/queue-5.14/usb-xhci-dbc-fix-tty-registration-race.patch b/queue-5.14/usb-xhci-dbc-fix-tty-registration-race.patch
new file mode 100644 (file)
index 0000000..ca20cf2
--- /dev/null
@@ -0,0 +1,80 @@
+From 880de403777376e50bdf60def359fa50a722006f Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 8 Oct 2021 12:25:45 +0300
+Subject: USB: xhci: dbc: fix tty registration race
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 880de403777376e50bdf60def359fa50a722006f upstream.
+
+Make sure to allocate resources before registering the tty device to
+avoid having a racing open() and write() fail to enable rx or
+dereference a NULL pointer when accessing the uninitialised fifo.
+
+Fixes: dfba2174dc42 ("usb: xhci: Add DbC support in xHCI driver")
+Cc: stable@vger.kernel.org      # 4.16
+Cc: Lu Baolu <baolu.lu@linux.intel.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20211008092547.3996295-4-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-dbgtty.c |   28 +++++++++++++---------------
+ 1 file changed, 13 insertions(+), 15 deletions(-)
+
+--- a/drivers/usb/host/xhci-dbgtty.c
++++ b/drivers/usb/host/xhci-dbgtty.c
+@@ -408,40 +408,38 @@ static int xhci_dbc_tty_register_device(
+               return -EBUSY;
+       xhci_dbc_tty_init_port(dbc, port);
+-      tty_dev = tty_port_register_device(&port->port,
+-                                         dbc_tty_driver, 0, NULL);
+-      if (IS_ERR(tty_dev)) {
+-              ret = PTR_ERR(tty_dev);
+-              goto register_fail;
+-      }
+       ret = kfifo_alloc(&port->write_fifo, DBC_WRITE_BUF_SIZE, GFP_KERNEL);
+       if (ret)
+-              goto buf_alloc_fail;
++              goto err_exit_port;
+       ret = xhci_dbc_alloc_requests(dbc, BULK_IN, &port->read_pool,
+                                     dbc_read_complete);
+       if (ret)
+-              goto request_fail;
++              goto err_free_fifo;
+       ret = xhci_dbc_alloc_requests(dbc, BULK_OUT, &port->write_pool,
+                                     dbc_write_complete);
+       if (ret)
+-              goto request_fail;
++              goto err_free_requests;
++
++      tty_dev = tty_port_register_device(&port->port,
++                                         dbc_tty_driver, 0, NULL);
++      if (IS_ERR(tty_dev)) {
++              ret = PTR_ERR(tty_dev);
++              goto err_free_requests;
++      }
+       port->registered = true;
+       return 0;
+-request_fail:
++err_free_requests:
+       xhci_dbc_free_requests(&port->read_pool);
+       xhci_dbc_free_requests(&port->write_pool);
++err_free_fifo:
+       kfifo_free(&port->write_fifo);
+-
+-buf_alloc_fail:
+-      tty_unregister_device(dbc_tty_driver, 0);
+-
+-register_fail:
++err_exit_port:
+       xhci_dbc_tty_exit_port(port);
+       dev_err(dbc->dev, "can't register tty port, err %d\n", ret);
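Review bot: The relocated `tty_port_register_device()` call in `xhci_dbc_tty_register_device()` has no comment saying why it must follow the fifo and request allocations, so a later cleanup could move it back and reopen the race described in the commit message. I would add `/* Register the tty last: open() and write() can run as soon as the device is visible. */` directly above the call. The beginning of the function and the end of its error path are outside the hunk, so the final return is not visible here.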
diff --git a/queue-5.14/virtio-blk-remove-unneeded-likely-statements.patch b/queue-5.14/virtio-blk-remove-unneeded-likely-statements.patch
new file mode 100644 (file)
index 0000000..f075d69
--- /dev/null
@@ -0,0 +1,45 @@
+From 6105d1fe6f4c24ce8c13e2e6568b16b76e04983d Mon Sep 17 00:00:00 2001
+From: Max Gurtovoy <mgurtovoy@nvidia.com>
+Date: Sun, 5 Sep 2021 11:57:17 +0300
+Subject: virtio-blk: remove unneeded "likely" statements
+
+From: Max Gurtovoy <mgurtovoy@nvidia.com>
+
+commit 6105d1fe6f4c24ce8c13e2e6568b16b76e04983d upstream.
+
+Usually we use "likely/unlikely" to optimize the fast path. Remove
+redundant "likely/unlikely" statements in the control path to simplify
+the code and make it easier to read.
+
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Signed-off-by: Max Gurtovoy <mgurtovoy@nvidia.com>
+Link: https://lore.kernel.org/r/20210905085717.7427-1-mgurtovoy@nvidia.com
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Chaitanya Kulkarni <ckulkarnilinux@gmail.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/virtio_blk.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/block/virtio_blk.c
++++ b/drivers/block/virtio_blk.c
+@@ -765,7 +765,7 @@ static int virtblk_probe(struct virtio_d
+               goto out_free_vblk;
+       /* Default queue sizing is to fill the ring. */
+-      if (likely(!virtblk_queue_depth)) {
++      if (!virtblk_queue_depth) {
+               queue_depth = vblk->vqs[0].vq->num_free;
+               /* ... but without indirect descs, we use 2 descs per req */
+               if (!virtio_has_feature(vdev, VIRTIO_RING_F_INDIRECT_DESC))
+@@ -839,7 +839,7 @@ static int virtblk_probe(struct virtio_d
+       else
+               blk_size = queue_logical_block_size(q);
+-      if (unlikely(blk_size < SECTOR_SIZE || blk_size > PAGE_SIZE)) {
++      if (blk_size < SECTOR_SIZE || blk_size > PAGE_SIZE) {
+               dev_err(&vdev->dev,
+                       "block size is changed unexpectedly, now is %u\n",
+                       blk_size);
diff --git a/queue-5.14/virtio-write-back-f_version_1-before-validate.patch b/queue-5.14/virtio-write-back-f_version_1-before-validate.patch
new file mode 100644 (file)
index 0000000..1cd7600
--- /dev/null
@@ -0,0 +1,80 @@
+From 2f9a174f918e29608564c7a4e8329893ab604fb4 Mon Sep 17 00:00:00 2001
+From: Halil Pasic <pasic@linux.ibm.com>
+Date: Mon, 11 Oct 2021 07:39:21 +0200
+Subject: virtio: write back F_VERSION_1 before validate
+
+From: Halil Pasic <pasic@linux.ibm.com>
+
+commit 2f9a174f918e29608564c7a4e8329893ab604fb4 upstream.
+
+The virtio specification virtio-v1.1-cs01 states: "Transitional devices
+MUST detect Legacy drivers by detecting that VIRTIO_F_VERSION_1 has not
+been acknowledged by the driver."  This is exactly what QEMU as of 6.1
+has done relying solely on VIRTIO_F_VERSION_1 for detecting that.
+
+However, the specification also says: "... the driver MAY read (but MUST
+NOT write) the device-specific configuration fields to check that it can
+support the device ..." before setting FEATURES_OK.
+
+In that case, any transitional device relying solely on
+VIRTIO_F_VERSION_1 for detecting legacy drivers will return data in
+legacy format.  In particular, this implies that it is in big endian
+format for big endian guests. This naturally confuses the driver which
+expects little endian in the modern mode.
+
+It is probably a good idea to amend the spec to clarify that
+VIRTIO_F_VERSION_1 can only be relied on after the feature negotiation
+is complete. Before validate callback existed, config space was only
+read after FEATURES_OK. However, we already have two regressions, so
+let's address this here as well.
+
+The regressions affect the VIRTIO_NET_F_MTU feature of virtio-net and
+the VIRTIO_BLK_F_BLK_SIZE feature of virtio-blk for BE guests when
+virtio 1.0 is used on both sides. The latter renders virtio-blk unusable
+with DASD backing, because things simply don't work with the default.
+See Fixes tags for relevant commits.
+
+For QEMU, we can work around the issue by writing out the feature bits
+with VIRTIO_F_VERSION_1 bit set.  We (ab)use the finalize_features
+config op for this. This isn't enough to address all vhost devices since
+these do not get the features until FEATURES_OK, however it looks like
+the affected devices actually never handled the endianness for legacy
+mode correctly, so at least that's not a regression.
+
+No devices except virtio net and virtio blk seem to be affected.
+
+Long term the right thing to do is to fix the hypervisors.
+
+Cc: <stable@vger.kernel.org> #v4.11
+Signed-off-by: Halil Pasic <pasic@linux.ibm.com>
+Fixes: 82e89ea077b9 ("virtio-blk: Add validation for block size in config space")
+Fixes: fe36cbe0671e ("virtio_net: clear MTU when out of range")
+Reported-by: markver@us.ibm.com
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Link: https://lore.kernel.org/r/20211011053921.1198936-1-pasic@linux.ibm.com
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/virtio/virtio.c |   11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/virtio/virtio.c
++++ b/drivers/virtio/virtio.c
+@@ -238,6 +238,17 @@ static int virtio_dev_probe(struct devic
+               driver_features_legacy = driver_features;
+       }
++      /*
++       * Some devices detect legacy solely via F_VERSION_1. Write
++       * F_VERSION_1 to force LE config space accesses before FEATURES_OK for
++       * these when needed.
++       */
++      if (drv->validate && !virtio_legacy_is_little_endian()
++                        && device_features & BIT_ULL(VIRTIO_F_VERSION_1)) {
++              dev->features = BIT_ULL(VIRTIO_F_VERSION_1);
++              dev->config->finalize_features(dev);
++      }
++
+       if (device_features & (1ULL << VIRTIO_F_VERSION_1))
+               dev->features = driver_features & device_features;
+       else
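Review bot: The added early `dev->config->finalize_features(dev);` in `virtio_dev_probe()` discards the call's result. If a transport fails to write the feature bits, the driver's `validate` callback would still read config space that may be in legacy byte order. Assuming the op returns an error code here, as it does in the regular feature-finalisation path (not visible in this hunk), the result should be checked: `err = dev->config->finalize_features(dev);` followed by `if (err) goto err;`, using whichever error variable and label the function already has. As a style point, the condition mixes `&&` with an unparenthesised `&`; writing `(device_features & BIT_ULL(VIRTIO_F_VERSION_1))` makes the intent explicit. The function starts and ends outside the hunk.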
diff --git a/queue-5.14/xhci-add-quirk-for-host-controllers-that-don-t-update-endpoint-dcs.patch b/queue-5.14/xhci-add-quirk-for-host-controllers-that-don-t-update-endpoint-dcs.patch
new file mode 100644 (file)
index 0000000..1590cb7
--- /dev/null
@@ -0,0 +1,102 @@
+From 5255660b208aebfdb71d574f3952cf48392f4306 Mon Sep 17 00:00:00 2001
+From: Jonathan Bell <jonathan@raspberrypi.org>
+Date: Fri, 8 Oct 2021 12:25:44 +0300
+Subject: xhci: add quirk for host controllers that don't update endpoint DCS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonathan Bell <jonathan@raspberrypi.org>
+
+commit 5255660b208aebfdb71d574f3952cf48392f4306 upstream.
+
+Seen on a VLI VL805 PCIe to USB controller. For non-stream endpoints
+at least, if the xHC halts on a particular TRB due to an error then
+the DCS field in the Out Endpoint Context maintained by the hardware
+is not updated with the current cycle state.
+
+Using the quirk XHCI_EP_CTX_BROKEN_DCS and instead fetch the DCS bit
+from the TRB that the xHC stopped on.
+
+[ bjorn: rebased to v5.14-rc2 ]
+
+Link: https://github.com/raspberrypi/linux/issues/3060
+Cc: stable@vger.kernel.org
+Signed-off-by: Jonathan Bell <jonathan@raspberrypi.org>
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20211008092547.3996295-3-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-pci.c  |    4 +++-
+ drivers/usb/host/xhci-ring.c |   25 ++++++++++++++++++++++++-
+ drivers/usb/host/xhci.h      |    1 +
+ 3 files changed, 28 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -279,8 +279,10 @@ static void xhci_pci_quirks(struct devic
+                       pdev->device == 0x3432)
+               xhci->quirks |= XHCI_BROKEN_STREAMS;
+-      if (pdev->vendor == PCI_VENDOR_ID_VIA && pdev->device == 0x3483)
++      if (pdev->vendor == PCI_VENDOR_ID_VIA && pdev->device == 0x3483) {
+               xhci->quirks |= XHCI_LPM_SUPPORT;
++              xhci->quirks |= XHCI_EP_CTX_BROKEN_DCS;
++      }
+       if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA &&
+               pdev->device == PCI_DEVICE_ID_ASMEDIA_1042_XHCI)
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -559,8 +559,11 @@ static int xhci_move_dequeue_past_td(str
+       struct xhci_ring *ep_ring;
+       struct xhci_command *cmd;
+       struct xhci_segment *new_seg;
++      struct xhci_segment *halted_seg = NULL;
+       union xhci_trb *new_deq;
+       int new_cycle;
++      union xhci_trb *halted_trb;
++      int index = 0;
+       dma_addr_t addr;
+       u64 hw_dequeue;
+       bool cycle_found = false;
+@@ -598,7 +601,27 @@ static int xhci_move_dequeue_past_td(str
+       hw_dequeue = xhci_get_hw_deq(xhci, dev, ep_index, stream_id);
+       new_seg = ep_ring->deq_seg;
+       new_deq = ep_ring->dequeue;
+-      new_cycle = hw_dequeue & 0x1;
++
++      /*
++       * Quirk: xHC write-back of the DCS field in the hardware dequeue
++       * pointer is wrong - use the cycle state of the TRB pointed to by
++       * the dequeue pointer.
++       */
++      if (xhci->quirks & XHCI_EP_CTX_BROKEN_DCS &&
++          !(ep->ep_state & EP_HAS_STREAMS))
++              halted_seg = trb_in_td(xhci, td->start_seg,
++                                     td->first_trb, td->last_trb,
++                                     hw_dequeue & ~0xf, false);
++      if (halted_seg) {
++              index = ((dma_addr_t)(hw_dequeue & ~0xf) - halted_seg->dma) /
++                       sizeof(*halted_trb);
++              halted_trb = &halted_seg->trbs[index];
++              new_cycle = halted_trb->generic.field[3] & 0x1;
++              xhci_dbg(xhci, "Endpoint DCS = %d TRB index = %d cycle = %d\n",
++                       (u8)(hw_dequeue & 0x1), index, new_cycle);
++      } else {
++              new_cycle = hw_dequeue & 0x1;
++      }
+       /*
+        * We want to find the pointer, segment and cycle state of the new trb
+--- a/drivers/usb/host/xhci.h
++++ b/drivers/usb/host/xhci.h
+@@ -1899,6 +1899,7 @@ struct xhci_hcd {
+ #define XHCI_SG_TRB_CACHE_SIZE_QUIRK  BIT_ULL(39)
+ #define XHCI_NO_SOFT_RETRY    BIT_ULL(40)
+ #define XHCI_BROKEN_D3COLD    BIT_ULL(41)
++#define XHCI_EP_CTX_BROKEN_DCS        BIT_ULL(42)
+       unsigned int            num_active_eps;
+       unsigned int            limit_active_eps;
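Review bot: In the `xhci-ring.c` hunk for `xhci_move_dequeue_past_td()`, `new_cycle = halted_trb->generic.field[3] & 0x1;` masks a TRB word without converting it from little-endian. TRB fields in this driver are declared `__le32`, so on a big-endian host the mask tests the wrong byte and the cycle state chosen for the new dequeue pointer can be wrong. `new_cycle = le32_to_cpu(halted_trb->generic.field[3]) & 0x1;` keeps the quirk correct on both byte orders. The function begins and ends outside the hunks shown.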
diff --git a/queue-5.14/xhci-enable-trust-tx-length-quirk-for-fresco-fl11-usb-controller.patch b/queue-5.14/xhci-enable-trust-tx-length-quirk-for-fresco-fl11-usb-controller.patch
new file mode 100644 (file)
index 0000000..03ff05e
--- /dev/null
@@ -0,0 +1,43 @@
+From ea0f69d8211963c4b2cc1998b86779a500adb502 Mon Sep 17 00:00:00 2001
+From: Nikolay Martynov <mar.kolya@gmail.com>
+Date: Fri, 8 Oct 2021 12:25:47 +0300
+Subject: xhci: Enable trust tx length quirk for Fresco FL11 USB controller
+
+From: Nikolay Martynov <mar.kolya@gmail.com>
+
+commit ea0f69d8211963c4b2cc1998b86779a500adb502 upstream.
+
+Tested on SD5200T TB3 dock which has Fresco Logic FL1100 USB 3.0 Host
+Controller.
+Before this patch streaming video from USB cam made mouse and keyboard
+connected to the same USB bus unusable. Also video was jerky.
+With this patch streaming video doesn't have any effect on other
+periferals and video is smooth.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Nikolay Martynov <mar.kolya@gmail.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20211008092547.3996295-6-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-pci.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -30,6 +30,7 @@
+ #define PCI_VENDOR_ID_FRESCO_LOGIC    0x1b73
+ #define PCI_DEVICE_ID_FRESCO_LOGIC_PDK        0x1000
+ #define PCI_DEVICE_ID_FRESCO_LOGIC_FL1009     0x1009
++#define PCI_DEVICE_ID_FRESCO_LOGIC_FL1100     0x1100
+ #define PCI_DEVICE_ID_FRESCO_LOGIC_FL1400     0x1400
+ #define PCI_VENDOR_ID_ETRON           0x1b6f
+@@ -113,6 +114,7 @@ static void xhci_pci_quirks(struct devic
+       /* Look for vendor-specific quirks */
+       if (pdev->vendor == PCI_VENDOR_ID_FRESCO_LOGIC &&
+                       (pdev->device == PCI_DEVICE_ID_FRESCO_LOGIC_PDK ||
++                       pdev->device == PCI_DEVICE_ID_FRESCO_LOGIC_FL1100 ||
+                        pdev->device == PCI_DEVICE_ID_FRESCO_LOGIC_FL1400)) {
+               if (pdev->device == PCI_DEVICE_ID_FRESCO_LOGIC_PDK &&
+                               pdev->revision == 0x0) {
diff --git a/queue-5.14/xhci-fix-command-ring-pointer-corruption-while-aborting-a-command.patch b/queue-5.14/xhci-fix-command-ring-pointer-corruption-while-aborting-a-command.patch
new file mode 100644 (file)
index 0000000..74c90e6
--- /dev/null
@@ -0,0 +1,60 @@
+From ff0e50d3564f33b7f4b35cadeabd951d66cfc570 Mon Sep 17 00:00:00 2001
+From: Pavankumar Kondeti <pkondeti@codeaurora.org>
+Date: Fri, 8 Oct 2021 12:25:46 +0300
+Subject: xhci: Fix command ring pointer corruption while aborting a command
+
+From: Pavankumar Kondeti <pkondeti@codeaurora.org>
+
+commit ff0e50d3564f33b7f4b35cadeabd951d66cfc570 upstream.
+
+The command ring pointer is located at [6:63] bits of the command
+ring control register (CRCR). All the control bits like command stop,
+abort are located at [0:3] bits. While aborting a command, we read the
+CRCR and set the abort bit and write to the CRCR. The read will always
+give command ring pointer as all zeros. So we essentially write only
+the control bits. Since we split the 64 bit write into two 32 bit writes,
+there is a possibility of xHC command ring stopped before the upper
+dword (all zeros) is written. If that happens, xHC updates the upper
+dword of its internal command ring pointer with all zeros. Next time,
+when the command ring is restarted, we see xHC memory access failures.
+Fix this issue by only writing to the lower dword of CRCR where all
+control bits are located.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Pavankumar Kondeti <pkondeti@codeaurora.org>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20211008092547.3996295-5-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-ring.c |   14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -366,16 +366,22 @@ static void xhci_handle_stopped_cmd_ring
+ /* Must be called with xhci->lock held, releases and aquires lock back */
+ static int xhci_abort_cmd_ring(struct xhci_hcd *xhci, unsigned long flags)
+ {
+-      u64 temp_64;
++      u32 temp_32;
+       int ret;
+       xhci_dbg(xhci, "Abort command ring\n");
+       reinit_completion(&xhci->cmd_ring_stop_completion);
+-      temp_64 = xhci_read_64(xhci, &xhci->op_regs->cmd_ring);
+-      xhci_write_64(xhci, temp_64 | CMD_RING_ABORT,
+-                      &xhci->op_regs->cmd_ring);
++      /*
++       * The control bits like command stop, abort are located in lower
++       * dword of the command ring control register. Limit the write
++       * to the lower dword to avoid corrupting the command ring pointer
++       * in case if the command ring is stopped by the time upper dword
++       * is written.
++       */
++      temp_32 = readl(&xhci->op_regs->cmd_ring);
++      writel(temp_32 | CMD_RING_ABORT, &xhci->op_regs->cmd_ring);
+       /* Section 4.6.1.2 of xHCI 1.0 spec says software should also time the
+        * completion of the Command Abort operation. If CRR is not negated in 5
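Review bot: The new comment in `xhci_abort_cmd_ring()` says the write is limited to the lower dword but not why writing the upper dword would be harmful. Per the commit message, reading CRCR returns the ring pointer as zeros, so a split 64-bit read-modify-write stores zeros in the upper half. I would add one sentence to the comment, for example `Reading CRCR returns the ring pointer as zero, so writing the upper dword back would clear it.`, and change `in case if` to `if`. The rest of the function body is outside the hunk.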
diff --git a/queue-5.14/xhci-guard-accesses-to-ep_state-in-xhci_endpoint_reset.patch b/queue-5.14/xhci-guard-accesses-to-ep_state-in-xhci_endpoint_reset.patch
new file mode 100644 (file)
index 0000000..659b26f
--- /dev/null
@@ -0,0 +1,51 @@
+From a01ba2a3378be85538e0183ae5367c1bc1d5aaf3 Mon Sep 17 00:00:00 2001
+From: Jonathan Bell <jonathan@raspberrypi.com>
+Date: Fri, 8 Oct 2021 12:25:43 +0300
+Subject: xhci: guard accesses to ep_state in xhci_endpoint_reset()
+
+From: Jonathan Bell <jonathan@raspberrypi.com>
+
+commit a01ba2a3378be85538e0183ae5367c1bc1d5aaf3 upstream.
+
+See https://github.com/raspberrypi/linux/issues/3981
+
+Two read-modify-write cycles on ep->ep_state are not guarded by
+xhci->lock. Fix these.
+
+Fixes: f5249461b504 ("xhci: Clear the host side toggle manually when endpoint is soft reset")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jonathan Bell <jonathan@raspberrypi.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20211008092547.3996295-2-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -3212,10 +3212,13 @@ static void xhci_endpoint_reset(struct u
+               return;
+       /* Bail out if toggle is already being cleared by a endpoint reset */
++      spin_lock_irqsave(&xhci->lock, flags);
+       if (ep->ep_state & EP_HARD_CLEAR_TOGGLE) {
+               ep->ep_state &= ~EP_HARD_CLEAR_TOGGLE;
++              spin_unlock_irqrestore(&xhci->lock, flags);
+               return;
+       }
++      spin_unlock_irqrestore(&xhci->lock, flags);
+       /* Only interrupt and bulk ep's use data toggle, USB2 spec 5.5.4-> */
+       if (usb_endpoint_xfer_control(&host_ep->desc) ||
+           usb_endpoint_xfer_isoc(&host_ep->desc))
+@@ -3301,8 +3304,10 @@ static void xhci_endpoint_reset(struct u
+       xhci_free_command(xhci, cfg_cmd);
+ cleanup:
+       xhci_free_command(xhci, stop_cmd);
++      spin_lock_irqsave(&xhci->lock, flags);
+       if (ep->ep_state & EP_SOFT_CLEAR_TOGGLE)
+               ep->ep_state &= ~EP_SOFT_CLEAR_TOGGLE;
++      spin_unlock_irqrestore(&xhci->lock, flags);
+ }
+ static int xhci_check_streams_endpoint(struct xhci_hcd *xhci,
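Review bot: The `spin_lock_irqsave()` added after the `cleanup:` label in the second inner hunk relies on every `goto cleanup` arriving with `xhci->lock` already released, and nothing in the hunk records that; the lock is a non-recursive spinlock, so a path that reaches the label with it held would deadlock. Those jumps sit in the part of `xhci_endpoint_reset()` outside both hunks, so this needs checking against the full function, and a comment above the new lock such as `/* reached with xhci->lock dropped; taken here only to clear the toggle flag */` would state the contract. In the same place the test is redundant once the update is serialised, so `ep->ep_state &= ~EP_SOFT_CLEAR_TOGGLE;` alone is enough. In the first inner hunk the lock is dropped right after the `EP_HARD_CLEAR_TOGGLE` check, so it covers only that read-modify-write, and the flag can presumably change again before the rest of the function runs.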