--- /dev/null
+From 1ea1dbf1f54c3345072c963b3acf8830e2468c1b Mon Sep 17 00:00:00 2001
+From: Sachi King <nakato@nakato.io>
+Date: Sat, 2 Oct 2021 14:18:40 +1000
+Subject: ACPI: PM: Include alternate AMDI0005 id in special behaviour
+
+From: Sachi King <nakato@nakato.io>
+
+commit 1ea1dbf1f54c3345072c963b3acf8830e2468c1b upstream.
+
+The Surface Laptop 4 AMD has used the AMD0005 to identify this
+controller instead of using the appropriate ACPI ID AMDI0005. The
+AMD0005 needs the same special casing as AMDI0005.
+
+Link: https://github.com/linux-surface/acpidumps/tree/master/surface_laptop_4_amd
+Link: https://gist.github.com/nakato/2a1a7df1a45fe680d7a08c583e1bf863
+Signed-off-by: Sachi King <nakato@nakato.io>
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Cc: 5.14+ <stable@vger.kernel.org> # 5.14+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/x86/s2idle.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/acpi/x86/s2idle.c
++++ b/drivers/acpi/x86/s2idle.c
+@@ -371,7 +371,7 @@ static int lps0_device_attach(struct acp
+ return 0;
+
+ if (acpi_s2idle_vendor_amd()) {
+- /* AMD0004, AMDI0005:
++ /* AMD0004, AMD0005, AMDI0005:
+ * - Should use rev_id 0x0
+ * - function mask > 0x3: Should use AMD method, but has off by one bug
+ * - function mask = 0x3: Should use Microsoft method
+@@ -390,6 +390,7 @@ static int lps0_device_attach(struct acp
+ ACPI_LPS0_DSM_UUID_MICROSOFT, 0,
+ &lps0_dsm_guid_microsoft);
+ if (lps0_dsm_func_mask > 0x3 && (!strcmp(hid, "AMD0004") ||
++ !strcmp(hid, "AMD0005") ||
+ !strcmp(hid, "AMDI0005"))) {
+ lps0_dsm_func_mask = (lps0_dsm_func_mask << 1) | 0x1;
+ acpi_handle_debug(adev->handle, "_DSM UUID %s: Adjusted function mask: 0x%x\n",
--- /dev/null
+From 2e5809a4ddb15969503e43b06662a9a725f613ea Mon Sep 17 00:00:00 2001
+From: Mike Kravetz <mike.kravetz@oracle.com>
+Date: Tue, 5 Oct 2021 13:25:29 -0700
+Subject: arm64/hugetlb: fix CMA gigantic page order for non-4K PAGE_SIZE
+
+From: Mike Kravetz <mike.kravetz@oracle.com>
+
+commit 2e5809a4ddb15969503e43b06662a9a725f613ea upstream.
+
+For non-4K PAGE_SIZE configs, the largest gigantic huge page size is
+CONT_PMD_SHIFT order. On arm64 with 64K PAGE_SIZE, the gigantic page is
+16G. Therefore, one should be able to specify 'hugetlb_cma=16G' on the
+kernel command line so that one gigantic page can be allocated from CMA.
+However, when adding such an option the following message is produced:
+
+hugetlb_cma: cma area should be at least 8796093022208 MiB
+
+This is because the calculation for non-4K gigantic page order is
+incorrect in the arm64 specific routine arm64_hugetlb_cma_reserve().
+
+Fixes: abb7962adc80 ("arm64/hugetlb: Reserve CMA areas for gigantic pages on 16K and 64K configs")
+Cc: <stable@vger.kernel.org> # 5.9.x
+Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
+Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
+Link: https://lore.kernel.org/r/20211005202529.213812-1-mike.kravetz@oracle.com
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/mm/hugetlbpage.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/mm/hugetlbpage.c
++++ b/arch/arm64/mm/hugetlbpage.c
+@@ -43,7 +43,7 @@ void __init arm64_hugetlb_cma_reserve(vo
+ #ifdef CONFIG_ARM64_4K_PAGES
+ order = PUD_SHIFT - PAGE_SHIFT;
+ #else
+- order = CONT_PMD_SHIFT + PMD_SHIFT - PAGE_SHIFT;
++ order = CONT_PMD_SHIFT - PAGE_SHIFT;
+ #endif
+ /*
+ * HugeTLB CMA reservation is required for gigantic
--- /dev/null
+From cfd312695b71df04c3a2597859ff12c470d1e2e4 Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Fri, 1 Oct 2021 13:48:18 +0100
+Subject: btrfs: check for error when looking up inode during dir entry replay
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit cfd312695b71df04c3a2597859ff12c470d1e2e4 upstream.
+
+At replay_one_name(), we are treating any error from btrfs_lookup_inode()
+as if the inode does not exists. Fix this by checking for an error and
+returning it to the caller.
+
+CC: stable@vger.kernel.org # 4.14+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/tree-log.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -1941,8 +1941,8 @@ static noinline int replay_one_name(stru
+ struct btrfs_key log_key;
+ struct inode *dir;
+ u8 log_type;
+- int exists;
+- int ret = 0;
++ bool exists;
++ int ret;
+ bool update_size = (key->type == BTRFS_DIR_INDEX_KEY);
+ bool name_added = false;
+
+@@ -1962,12 +1962,12 @@ static noinline int replay_one_name(stru
+ name_len);
+
+ btrfs_dir_item_key_to_cpu(eb, di, &log_key);
+- exists = btrfs_lookup_inode(trans, root, path, &log_key, 0);
+- if (exists == 0)
+- exists = 1;
+- else
+- exists = 0;
++ ret = btrfs_lookup_inode(trans, root, path, &log_key, 0);
+ btrfs_release_path(path);
++ if (ret < 0)
++ goto out;
++ exists = (ret == 0);
++ ret = 0;
+
+ if (key->type == BTRFS_DIR_ITEM_KEY) {
+ dst_di = btrfs_lookup_dir_item(trans, root, path, key->objectid,
--- /dev/null
+From 52db77791fe24538c8aa2a183248399715f6b380 Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Fri, 1 Oct 2021 13:52:32 +0100
+Subject: btrfs: deal with errors when adding inode reference during log replay
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit 52db77791fe24538c8aa2a183248399715f6b380 upstream.
+
+At __inode_add_ref(), we treating any error returned from
+btrfs_lookup_dir_item() or from btrfs_lookup_dir_index_item() as meaning
+that there is no existing directory entry in the fs/subvolume tree.
+This is not correct since we can get errors such as, for example, -EIO
+when reading extent buffers while searching the fs/subvolume's btree.
+
+So fix that and return the error to the caller when it is not -ENOENT.
+
+CC: stable@vger.kernel.org # 4.14+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/tree-log.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -1182,7 +1182,10 @@ next:
+ /* look for a conflicting sequence number */
+ di = btrfs_lookup_dir_index_item(trans, root, path, btrfs_ino(dir),
+ ref_index, name, namelen, 0);
+- if (di && !IS_ERR(di)) {
++ if (IS_ERR(di)) {
++ if (PTR_ERR(di) != -ENOENT)
++ return PTR_ERR(di);
++ } else if (di) {
+ ret = drop_one_dir_item(trans, root, path, dir, di);
+ if (ret)
+ return ret;
+@@ -1192,7 +1195,9 @@ next:
+ /* look for a conflicting name */
+ di = btrfs_lookup_dir_item(trans, root, path, btrfs_ino(dir),
+ name, namelen, 0);
+- if (di && !IS_ERR(di)) {
++ if (IS_ERR(di)) {
++ return PTR_ERR(di);
++ } else if (di) {
+ ret = drop_one_dir_item(trans, root, path, dir, di);
+ if (ret)
+ return ret;
--- /dev/null
+From e15ac6413745e3def00e663de00aea5a717311c1 Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Fri, 1 Oct 2021 13:52:31 +0100
+Subject: btrfs: deal with errors when replaying dir entry during log replay
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit e15ac6413745e3def00e663de00aea5a717311c1 upstream.
+
+At replay_one_one(), we are treating any error returned from
+btrfs_lookup_dir_item() or from btrfs_lookup_dir_index_item() as meaning
+that there is no existing directory entry in the fs/subvolume tree.
+This is not correct since we can get errors such as, for example, -EIO
+when reading extent buffers while searching the fs/subvolume's btree.
+
+So fix that and return the error to the caller when it is not -ENOENT.
+
+CC: stable@vger.kernel.org # 4.14+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/tree-log.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -1977,7 +1977,14 @@ static noinline int replay_one_name(stru
+ ret = -EINVAL;
+ goto out;
+ }
+- if (IS_ERR_OR_NULL(dst_di)) {
++
++ if (dst_di == ERR_PTR(-ENOENT))
++ dst_di = NULL;
++
++ if (IS_ERR(dst_di)) {
++ ret = PTR_ERR(dst_di);
++ goto out;
++ } else if (!dst_di) {
+ /* we need a sequence number to insert, so we only
+ * do inserts for the BTRFS_DIR_INDEX_KEY types
+ */
--- /dev/null
+From 4afb912f439c4bc4e6a4f3e7547f2e69e354108f Mon Sep 17 00:00:00 2001
+From: Josef Bacik <josef@toxicpanda.com>
+Date: Tue, 5 Oct 2021 16:35:27 -0400
+Subject: btrfs: fix abort logic in btrfs_replace_file_extents
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+commit 4afb912f439c4bc4e6a4f3e7547f2e69e354108f upstream.
+
+Error injection testing uncovered a case where we'd end up with a
+corrupt file system with a missing extent in the middle of a file. This
+occurs because the if statement to decide if we should abort is wrong.
+
+The only way we would abort in this case is if we got a ret !=
+-EOPNOTSUPP and we called from the file clone code. However the
+prealloc code uses this path too. Instead we need to abort if there is
+an error, and the only error we _don't_ abort on is -EOPNOTSUPP and only
+if we came from the clone file code.
+
+CC: stable@vger.kernel.org # 5.10+
+Reviewed-by: Nikolay Borisov <nborisov@suse.com>
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/file.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/fs/btrfs/file.c
++++ b/fs/btrfs/file.c
+@@ -2691,14 +2691,16 @@ int btrfs_replace_file_extents(struct bt
+ drop_args.bytes_found);
+ if (ret != -ENOSPC) {
+ /*
+- * When cloning we want to avoid transaction aborts when
+- * nothing was done and we are attempting to clone parts
+- * of inline extents, in such cases -EOPNOTSUPP is
+- * returned by __btrfs_drop_extents() without having
+- * changed anything in the file.
++ * The only time we don't want to abort is if we are
++ * attempting to clone a partial inline extent, in which
++ * case we'll get EOPNOTSUPP. However if we aren't
++ * clone we need to abort no matter what, because if we
++ * got EOPNOTSUPP via prealloc then we messed up and
++ * need to abort.
+ */
+- if (extent_info && !extent_info->is_new_extent &&
+- ret && ret != -EOPNOTSUPP)
++ if (ret &&
++ (ret != -EOPNOTSUPP ||
++ (extent_info && extent_info->is_new_extent)))
+ btrfs_abort_transaction(trans, ret);
+ break;
+ }
--- /dev/null
+From 19ea40dddf1833db868533958ca066f368862211 Mon Sep 17 00:00:00 2001
+From: Qu Wenruo <wqu@suse.com>
+Date: Tue, 14 Sep 2021 14:57:59 +0800
+Subject: btrfs: unlock newly allocated extent buffer after error
+
+From: Qu Wenruo <wqu@suse.com>
+
+commit 19ea40dddf1833db868533958ca066f368862211 upstream.
+
+[BUG]
+There is a bug report that injected ENOMEM error could leave a tree
+block locked while we return to user-space:
+
+ BTRFS info (device loop0): enabling ssd optimizations
+ FAULT_INJECTION: forcing a failure.
+ name failslab, interval 1, probability 0, space 0, times 0
+ CPU: 0 PID: 7579 Comm: syz-executor Not tainted 5.15.0-rc1 #16
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+ rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
+ Call Trace:
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x8d/0xcf lib/dump_stack.c:106
+ fail_dump lib/fault-inject.c:52 [inline]
+ should_fail+0x13c/0x160 lib/fault-inject.c:146
+ should_failslab+0x5/0x10 mm/slab_common.c:1328
+ slab_pre_alloc_hook.constprop.99+0x4e/0xc0 mm/slab.h:494
+ slab_alloc_node mm/slub.c:3120 [inline]
+ slab_alloc mm/slub.c:3214 [inline]
+ kmem_cache_alloc+0x44/0x280 mm/slub.c:3219
+ btrfs_alloc_delayed_extent_op fs/btrfs/delayed-ref.h:299 [inline]
+ btrfs_alloc_tree_block+0x38c/0x670 fs/btrfs/extent-tree.c:4833
+ __btrfs_cow_block+0x16f/0x7d0 fs/btrfs/ctree.c:415
+ btrfs_cow_block+0x12a/0x300 fs/btrfs/ctree.c:570
+ btrfs_search_slot+0x6b0/0xee0 fs/btrfs/ctree.c:1768
+ btrfs_insert_empty_items+0x80/0xf0 fs/btrfs/ctree.c:3905
+ btrfs_new_inode+0x311/0xa60 fs/btrfs/inode.c:6530
+ btrfs_create+0x12b/0x270 fs/btrfs/inode.c:6783
+ lookup_open+0x660/0x780 fs/namei.c:3282
+ open_last_lookups fs/namei.c:3352 [inline]
+ path_openat+0x465/0xe20 fs/namei.c:3557
+ do_filp_open+0xe3/0x170 fs/namei.c:3588
+ do_sys_openat2+0x357/0x4a0 fs/open.c:1200
+ do_sys_open+0x87/0xd0 fs/open.c:1216
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x34/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+ RIP: 0033:0x46ae99
+ Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48
+ 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
+ 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+ RSP: 002b:00007f46711b9c48 EFLAGS: 00000246 ORIG_RAX: 0000000000000055
+ RAX: ffffffffffffffda RBX: 000000000078c0a0 RCX: 000000000046ae99
+ RDX: 0000000000000000 RSI: 00000000000000a1 RDI: 0000000020005800
+ RBP: 00007f46711b9c80 R08: 0000000000000000 R09: 0000000000000000
+ R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000017
+ R13: 0000000000000000 R14: 000000000078c0a0 R15: 00007ffc129da6e0
+
+ ================================================
+ WARNING: lock held when returning to user space!
+ 5.15.0-rc1 #16 Not tainted
+ ------------------------------------------------
+ syz-executor/7579 is leaving the kernel with locks still held!
+ 1 lock held by syz-executor/7579:
+ #0: ffff888104b73da8 (btrfs-tree-01/1){+.+.}-{3:3}, at:
+ __btrfs_tree_lock+0x2e/0x1a0 fs/btrfs/locking.c:112
+
+[CAUSE]
+In btrfs_alloc_tree_block(), after btrfs_init_new_buffer(), the new
+extent buffer @buf is locked, but if later operations like adding
+delayed tree ref fail, we just free @buf without unlocking it,
+resulting above warning.
+
+[FIX]
+Unlock @buf in out_free_buf: label.
+
+Reported-by: Hao Sun <sunhao.th@gmail.com>
+Link: https://lore.kernel.org/linux-btrfs/CACkBjsZ9O6Zr0KK1yGn=1rQi6Crh1yeCRdTSBxx9R99L4xdn-Q@mail.gmail.com/
+CC: stable@vger.kernel.org # 5.4+
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/extent-tree.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -4859,6 +4859,7 @@ struct extent_buffer *btrfs_alloc_tree_b
+ out_free_delayed:
+ btrfs_free_delayed_extent_op(extent_op);
+ out_free_buf:
++ btrfs_tree_unlock(buf);
+ free_extent_buffer(buf);
+ out_free_reserved:
+ btrfs_free_reserved_extent(fs_info, ins.objectid, ins.offset, 0);
--- /dev/null
+From d175209be04d7d263fa1a54cde7608c706c9d0d7 Mon Sep 17 00:00:00 2001
+From: Josef Bacik <josef@toxicpanda.com>
+Date: Fri, 1 Oct 2021 13:57:18 -0400
+Subject: btrfs: update refs for any root except tree log roots
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+commit d175209be04d7d263fa1a54cde7608c706c9d0d7 upstream.
+
+I hit a stuck relocation on btrfs/061 during my overnight testing. This
+turned out to be because we had left over extent entries in our extent
+root for a data reloc inode that no longer existed. This happened
+because in btrfs_drop_extents() we only update refs if we have SHAREABLE
+set or we are the tree_root. This regression was introduced by
+aeb935a45581 ("btrfs: don't set SHAREABLE flag for data reloc tree")
+where we stopped setting SHAREABLE for the data reloc tree.
+
+The problem here is we actually do want to update extent references for
+data extents in the data reloc tree, in fact we only don't want to
+update extent references if the file extents are in the log tree.
+Update this check to only skip updating references in the case of the
+log tree.
+
+This is relatively rare, because you have to be running scrub at the
+same time, which is what btrfs/061 does. The data reloc inode has its
+extents pre-allocated, and then we copy the extent into the
+pre-allocated chunks. We theoretically should never be calling
+btrfs_drop_extents() on a data reloc inode. The exception of course is
+with scrub, if our pre-allocated extent falls inside of the block group
+we are scrubbing, then the block group will be marked read only and we
+will be forced to cow that extent. This means we will call
+btrfs_drop_extents() on that range when we COW that file extent.
+
+This isn't really problematic if we do this, the data reloc inode
+requires that our extent lengths match exactly with the extent we are
+copying, thankfully we validate the extent is correct with
+get_new_location(), so if we happen to COW only part of the extent we
+won't link it in when we do the relocation, so we are safe from any
+other shenanigans that arise because of this interaction with scrub.
+
+Fixes: aeb935a45581 ("btrfs: don't set SHAREABLE flag for data reloc tree")
+CC: stable@vger.kernel.org # 5.8+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/file.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/fs/btrfs/file.c
++++ b/fs/btrfs/file.c
+@@ -733,8 +733,7 @@ int btrfs_drop_extents(struct btrfs_tran
+ if (args->start >= inode->disk_i_size && !args->replace_extent)
+ modify_tree = 0;
+
+- update_refs = (test_bit(BTRFS_ROOT_SHAREABLE, &root->state) ||
+- root == fs_info->tree_root);
++ update_refs = (root->root_key.objectid != BTRFS_TREE_LOG_OBJECTID);
+ while (1) {
+ recow = 0;
+ ret = btrfs_lookup_file_extent(trans, root, path, ino,
--- /dev/null
+From 09540fa337196be20e9f0241652364f09275d374 Mon Sep 17 00:00:00 2001
+From: Dinh Nguyen <dinguyen@kernel.org>
+Date: Thu, 16 Sep 2021 17:51:26 -0500
+Subject: clk: socfpga: agilex: fix duplicate s2f_user0_clk
+
+From: Dinh Nguyen <dinguyen@kernel.org>
+
+commit 09540fa337196be20e9f0241652364f09275d374 upstream.
+
+Remove the duplicate s2f_user0_clk and the unused s2f_usr0_mux define.
+
+Fixes: f817c132db67 ("clk: socfpga: agilex: fix up s2f_user0_clk representation")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
+Link: https://lore.kernel.org/r/20210916225126.1427700-1-dinguyen@kernel.org
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/socfpga/clk-agilex.c | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+--- a/drivers/clk/socfpga/clk-agilex.c
++++ b/drivers/clk/socfpga/clk-agilex.c
+@@ -165,13 +165,6 @@ static const struct clk_parent_data mpu_
+ .name = "boot_clk", },
+ };
+
+-static const struct clk_parent_data s2f_usr0_mux[] = {
+- { .fw_name = "f2s-free-clk",
+- .name = "f2s-free-clk", },
+- { .fw_name = "boot_clk",
+- .name = "boot_clk", },
+-};
+-
+ static const struct clk_parent_data emac_mux[] = {
+ { .fw_name = "emaca_free_clk",
+ .name = "emaca_free_clk", },
+@@ -312,8 +305,6 @@ static const struct stratix10_gate_clock
+ 4, 0x44, 28, 1, 0, 0, 0},
+ { AGILEX_CS_TIMER_CLK, "cs_timer_clk", NULL, noc_mux, ARRAY_SIZE(noc_mux), 0, 0x24,
+ 5, 0, 0, 0, 0x30, 1, 0},
+- { AGILEX_S2F_USER0_CLK, "s2f_user0_clk", NULL, s2f_usr0_mux, ARRAY_SIZE(s2f_usr0_mux), 0, 0x24,
+- 6, 0, 0, 0, 0, 0, 0},
+ { AGILEX_EMAC0_CLK, "emac0_clk", NULL, emac_mux, ARRAY_SIZE(emac_mux), 0, 0x7C,
+ 0, 0, 0, 0, 0x94, 26, 0},
+ { AGILEX_EMAC1_CLK, "emac1_clk", NULL, emac_mux, ARRAY_SIZE(emac_mux), 0, 0x7C,
--- /dev/null
+From fbd63c08cdcca5fb1315aca3172b3c9c272cfb4f Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Fri, 24 Sep 2021 00:35:42 +0000
+Subject: csky: don't let sigreturn play with priveleged bits of status register
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit fbd63c08cdcca5fb1315aca3172b3c9c272cfb4f upstream.
+
+csky restore_sigcontext() blindly overwrites regs->sr with the value
+it finds in sigcontext. Attacker can store whatever they want in there,
+which includes things like S-bit. Userland shouldn't be able to set
+that, or anything other than C flag (bit 0).
+
+Do the same thing other architectures with protected bits in flags
+register do - preserve everything that shouldn't be settable in
+user mode, picking the rest from the value saved is sigcontext.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Guo Ren <guoren@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/csky/kernel/signal.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/csky/kernel/signal.c
++++ b/arch/csky/kernel/signal.c
+@@ -52,10 +52,14 @@ static long restore_sigcontext(struct pt
+ struct sigcontext __user *sc)
+ {
+ int err = 0;
++ unsigned long sr = regs->sr;
+
+ /* sc_pt_regs is structured the same as the start of pt_regs */
+ err |= __copy_from_user(regs, &sc->sc_pt_regs, sizeof(struct pt_regs));
+
++ /* BIT(0) of regs->sr is Condition Code/Carry bit */
++ regs->sr = (sr & ~1) | (regs->sr & 1);
++
+ /* Restore the floating-point state. */
+ err |= restore_fpu_state(sc);
+
--- /dev/null
+From af89ebaa64de726ca0a39bbb0bf0c81a1f43ad50 Mon Sep 17 00:00:00 2001
+From: Guo Ren <guoren@linux.alibaba.com>
+Date: Fri, 24 Sep 2021 15:33:38 +0800
+Subject: csky: Fixup regs.sr broken in ptrace
+
+From: Guo Ren <guoren@linux.alibaba.com>
+
+commit af89ebaa64de726ca0a39bbb0bf0c81a1f43ad50 upstream.
+
+gpr_get() return the entire pt_regs (include sr) to userspace, if we
+don't restore the C bit in gpr_set, it may break the ALU result in
+that context. So the C flag bit is part of gpr context, that's why
+riscv totally remove the C bit in the ISA. That makes sr reg clear
+from userspace to supervisor privilege.
+
+Signed-off-by: Guo Ren <guoren@linux.alibaba.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/csky/kernel/ptrace.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/csky/kernel/ptrace.c
++++ b/arch/csky/kernel/ptrace.c
+@@ -99,7 +99,8 @@ static int gpr_set(struct task_struct *t
+ if (ret)
+ return ret;
+
+- regs.sr = task_pt_regs(target)->sr;
++ /* BIT(0) of regs.sr is Condition Code/Carry bit */
++ regs.sr = (regs.sr & BIT(0)) | (task_pt_regs(target)->sr & ~BIT(0));
+ #ifdef CONFIG_CPU_HAS_HILO
+ regs.dcsr = task_pt_regs(target)->dcsr;
+ #endif
--- /dev/null
+From d208b89401e073de986dc891037c5a668f5d5d95 Mon Sep 17 00:00:00 2001
+From: Jiazi Li <jqqlijiazi@gmail.com>
+Date: Wed, 29 Sep 2021 19:59:28 +0800
+Subject: dm: fix mempool NULL pointer race when completing IO
+
+From: Jiazi Li <jqqlijiazi@gmail.com>
+
+commit d208b89401e073de986dc891037c5a668f5d5d95 upstream.
+
+dm_io_dec_pending() calls end_io_acct() first and will then dec md
+in-flight pending count. But if a task is swapping DM table at same
+time this can result in a crash due to mempool->elements being NULL:
+
+task1 task2
+do_resume
+ ->do_suspend
+ ->dm_wait_for_completion
+ bio_endio
+ ->clone_endio
+ ->dm_io_dec_pending
+ ->end_io_acct
+ ->wakeup task1
+ ->dm_swap_table
+ ->__bind
+ ->__bind_mempools
+ ->bioset_exit
+ ->mempool_exit
+ ->free_io
+
+[ 67.330330] Unable to handle kernel NULL pointer dereference at
+virtual address 0000000000000000
+......
+[ 67.330494] pstate: 80400085 (Nzcv daIf +PAN -UAO)
+[ 67.330510] pc : mempool_free+0x70/0xa0
+[ 67.330515] lr : mempool_free+0x4c/0xa0
+[ 67.330520] sp : ffffff8008013b20
+[ 67.330524] x29: ffffff8008013b20 x28: 0000000000000004
+[ 67.330530] x27: ffffffa8c2ff40a0 x26: 00000000ffff1cc8
+[ 67.330535] x25: 0000000000000000 x24: ffffffdada34c800
+[ 67.330541] x23: 0000000000000000 x22: ffffffdada34c800
+[ 67.330547] x21: 00000000ffff1cc8 x20: ffffffd9a1304d80
+[ 67.330552] x19: ffffffdada34c970 x18: 000000b312625d9c
+[ 67.330558] x17: 00000000002dcfbf x16: 00000000000006dd
+[ 67.330563] x15: 000000000093b41e x14: 0000000000000010
+[ 67.330569] x13: 0000000000007f7a x12: 0000000034155555
+[ 67.330574] x11: 0000000000000001 x10: 0000000000000001
+[ 67.330579] x9 : 0000000000000000 x8 : 0000000000000000
+[ 67.330585] x7 : 0000000000000000 x6 : ffffff80148b5c1a
+[ 67.330590] x5 : ffffff8008013ae0 x4 : 0000000000000001
+[ 67.330596] x3 : ffffff80080139c8 x2 : ffffff801083bab8
+[ 67.330601] x1 : 0000000000000000 x0 : ffffffdada34c970
+[ 67.330609] Call trace:
+[ 67.330616] mempool_free+0x70/0xa0
+[ 67.330627] bio_put+0xf8/0x110
+[ 67.330638] dec_pending+0x13c/0x230
+[ 67.330644] clone_endio+0x90/0x180
+[ 67.330649] bio_endio+0x198/0x1b8
+[ 67.330655] dec_pending+0x190/0x230
+[ 67.330660] clone_endio+0x90/0x180
+[ 67.330665] bio_endio+0x198/0x1b8
+[ 67.330673] blk_update_request+0x214/0x428
+[ 67.330683] scsi_end_request+0x2c/0x300
+[ 67.330688] scsi_io_completion+0xa0/0x710
+[ 67.330695] scsi_finish_command+0xd8/0x110
+[ 67.330700] scsi_softirq_done+0x114/0x148
+[ 67.330708] blk_done_softirq+0x74/0xd0
+[ 67.330716] __do_softirq+0x18c/0x374
+[ 67.330724] irq_exit+0xb4/0xb8
+[ 67.330732] __handle_domain_irq+0x84/0xc0
+[ 67.330737] gic_handle_irq+0x148/0x1b0
+[ 67.330744] el1_irq+0xe8/0x190
+[ 67.330753] lpm_cpuidle_enter+0x4f8/0x538
+[ 67.330759] cpuidle_enter_state+0x1fc/0x398
+[ 67.330764] cpuidle_enter+0x18/0x20
+[ 67.330772] do_idle+0x1b4/0x290
+[ 67.330778] cpu_startup_entry+0x20/0x28
+[ 67.330786] secondary_start_kernel+0x160/0x170
+
+Fix this by:
+1) Establishing pointers to 'struct dm_io' members in
+dm_io_dec_pending() so that they may be passed into end_io_acct()
+_after_ free_io() is called.
+2) Moving end_io_acct() after free_io().
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Jiazi Li <lijiazi@xiaomi.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -492,18 +492,17 @@ static void start_io_acct(struct dm_io *
+ false, 0, &io->stats_aux);
+ }
+
+-static void end_io_acct(struct dm_io *io)
++static void end_io_acct(struct mapped_device *md, struct bio *bio,
++ unsigned long start_time, struct dm_stats_aux *stats_aux)
+ {
+- struct mapped_device *md = io->md;
+- struct bio *bio = io->orig_bio;
+- unsigned long duration = jiffies - io->start_time;
++ unsigned long duration = jiffies - start_time;
+
+- bio_end_io_acct(bio, io->start_time);
++ bio_end_io_acct(bio, start_time);
+
+ if (unlikely(dm_stats_used(&md->stats)))
+ dm_stats_account_io(&md->stats, bio_data_dir(bio),
+ bio->bi_iter.bi_sector, bio_sectors(bio),
+- true, duration, &io->stats_aux);
++ true, duration, stats_aux);
+
+ /* nudge anyone waiting on suspend queue */
+ if (unlikely(wq_has_sleeper(&md->wait)))
+@@ -786,6 +785,8 @@ void dm_io_dec_pending(struct dm_io *io,
+ blk_status_t io_error;
+ struct bio *bio;
+ struct mapped_device *md = io->md;
++ unsigned long start_time = 0;
++ struct dm_stats_aux stats_aux;
+
+ /* Push-back supersedes any I/O errors */
+ if (unlikely(error)) {
+@@ -817,8 +818,10 @@ void dm_io_dec_pending(struct dm_io *io,
+ }
+
+ io_error = io->status;
+- end_io_acct(io);
++ start_time = io->start_time;
++ stats_aux = io->stats_aux;
+ free_io(md, io);
++ end_io_acct(md, bio, start_time, &stats_aux);
+
+ if (io_error == BLK_STS_DM_REQUEUE)
+ return;
--- /dev/null
+From b4459b11e84092658fa195a2587aff3b9637f0e7 Mon Sep 17 00:00:00 2001
+From: Ming Lei <ming.lei@redhat.com>
+Date: Thu, 23 Sep 2021 17:11:31 +0800
+Subject: dm rq: don't queue request to blk-mq during DM suspend
+
+From: Ming Lei <ming.lei@redhat.com>
+
+commit b4459b11e84092658fa195a2587aff3b9637f0e7 upstream.
+
+DM uses blk-mq's quiesce/unquiesce to stop/start device mapper queue.
+
+But blk-mq's unquiesce may come from outside events, such as elevator
+switch, updating nr_requests or others, and request may come during
+suspend, so simply ask for blk-mq to requeue it.
+
+Fixes one kernel panic issue when running updating nr_requests and
+dm-mpath suspend/resume stress test.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-rq.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/md/dm-rq.c
++++ b/drivers/md/dm-rq.c
+@@ -490,6 +490,14 @@ static blk_status_t dm_mq_queue_rq(struc
+ struct mapped_device *md = tio->md;
+ struct dm_target *ti = md->immutable_target;
+
++ /*
++ * blk-mq's unquiesce may come from outside events, such as
++ * elevator switch, updating nr_requests or others, and request may
++ * come during suspend, so simply ask for blk-mq to requeue it.
++ */
++ if (unlikely(test_bit(DMF_BLOCK_IO_FOR_SUSPEND, &md->flags)))
++ return BLK_STS_RESOURCE;
++
+ if (unlikely(!ti)) {
+ int srcu_idx;
+ struct dm_table *map = dm_get_live_table(md, &srcu_idx);
--- /dev/null
+From b693e42921e0220c0d564c55c6cdc680b0f85390 Mon Sep 17 00:00:00 2001
+From: Thomas Zimmermann <tzimmermann@suse.de>
+Date: Tue, 5 Oct 2021 09:03:55 +0200
+Subject: drm/fbdev: Clamp fbdev surface size if too large
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Zimmermann <tzimmermann@suse.de>
+
+commit b693e42921e0220c0d564c55c6cdc680b0f85390 upstream.
+
+Clamp the fbdev surface size of the available maximumi height to avoid
+failing to init console emulation. An example error is shown below.
+
+ bad framebuffer height 2304, should be >= 768 && <= 768
+ [drm] Initialized simpledrm 1.0.0 20200625 for simple-framebuffer.0 on minor 0
+ simple-framebuffer simple-framebuffer.0: [drm] *ERROR* fbdev: Failed to setup generic emulation (ret=-22)
+
+This is especially a problem with drivers that have very small screen
+sizes and cannot over-allocate at all.
+
+v2:
+ * reduce warning level (Ville)
+
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Fixes: 11e8f5fd223b ("drm: Add simpledrm driver")
+Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Reported-by: Amanoel Dawod <kernel@amanoeldawod.com>
+Reported-by: Zoltán Kővágó <dirty.ice.hu@gmail.com>
+Reported-by: Michael Stapelberg <michael+lkml@stapelberg.ch>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: Maxime Ripard <maxime@cerno.tech>
+Cc: dri-devel@lists.freedesktop.org
+Cc: <stable@vger.kernel.org> # v5.14+
+Link: https://patchwork.freedesktop.org/patch/msgid/20211005070355.7680-1-tzimmermann@suse.de
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_fb_helper.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/gpu/drm/drm_fb_helper.c
++++ b/drivers/gpu/drm/drm_fb_helper.c
+@@ -1506,6 +1506,7 @@ static int drm_fb_helper_single_fb_probe
+ {
+ struct drm_client_dev *client = &fb_helper->client;
+ struct drm_device *dev = fb_helper->dev;
++ struct drm_mode_config *config = &dev->mode_config;
+ int ret = 0;
+ int crtc_count = 0;
+ struct drm_connector_list_iter conn_iter;
+@@ -1663,6 +1664,11 @@ static int drm_fb_helper_single_fb_probe
+ /* Handle our overallocation */
+ sizes.surface_height *= drm_fbdev_overalloc;
+ sizes.surface_height /= 100;
++ if (sizes.surface_height > config->max_height) {
++ drm_dbg_kms(dev, "Fbdev over-allocation too large; clamping height to %d\n",
++ config->max_height);
++ sizes.surface_height = config->max_height;
++ }
+
+ /* push down into drivers */
+ ret = (*fb_helper->funcs->fb_probe)(fb_helper, &sizes);
--- /dev/null
+From 171316a68d9a8e0d9e28b7cf4c15afc4c6244a4e Mon Sep 17 00:00:00 2001
+From: Marek Vasut <marex@denx.de>
+Date: Fri, 17 Sep 2021 02:59:13 +0200
+Subject: drm/msm: Avoid potential overflow in timeout_to_jiffies()
+
+From: Marek Vasut <marex@denx.de>
+
+commit 171316a68d9a8e0d9e28b7cf4c15afc4c6244a4e upstream.
+
+The return type of ktime_divns() is s64. The timeout_to_jiffies() currently
+assigns the result of this ktime_divns() to unsigned long, which on 32 bit
+systems may overflow. Furthermore, the result of this function is sometimes
+also passed to functions which expect signed long, dma_fence_wait_timeout()
+is one such example.
+
+Fix this by adjusting the type of remaining_jiffies to s64, so we do not
+suffer overflow there, and return a value limited to range of 0..INT_MAX,
+which is safe for all usecases of this timeout.
+
+The above overflow can be triggered if userspace passes in too large timeout
+value, larger than INT_MAX / HZ seconds. The kernel detects it and complains
+about "schedule_timeout: wrong timeout value %lx" and generates a warning
+backtrace.
+
+Note that this fixes commit 6cedb8b377bb ("drm/msm: avoid using 'timespec'"),
+because the previously used timespec_to_jiffies() function returned unsigned
+long instead of s64:
+static inline unsigned long timespec_to_jiffies(const struct timespec *value)
+
+Fixes: 6cedb8b377bb ("drm/msm: avoid using 'timespec'")
+Signed-off-by: Marek Vasut <marex@denx.de>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Jordan Crouse <jcrouse@codeaurora.org>
+Cc: Rob Clark <robdclark@chromium.org>
+Cc: stable@vger.kernel.org # 5.6+
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20210917005913.157379-1-marex@denx.de
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/msm_drv.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/msm/msm_drv.h
++++ b/drivers/gpu/drm/msm/msm_drv.h
+@@ -535,7 +535,7 @@ static inline int align_pitch(int width,
+ static inline unsigned long timeout_to_jiffies(const ktime_t *timeout)
+ {
+ ktime_t now = ktime_get();
+- unsigned long remaining_jiffies;
++ s64 remaining_jiffies;
+
+ if (ktime_compare(*timeout, now) < 0) {
+ remaining_jiffies = 0;
+@@ -544,7 +544,7 @@ static inline unsigned long timeout_to_j
+ remaining_jiffies = ktime_divns(rem, NSEC_PER_SEC / HZ);
+ }
+
+- return remaining_jiffies;
++ return clamp(remaining_jiffies, 0LL, (s64)INT_MAX);
+ }
+
+ #endif /* __MSM_DRV_H__ */
--- /dev/null
+From 6a7e0b0e9fb839caa7c7f25bcf91a95b1c2cbef1 Mon Sep 17 00:00:00 2001
+From: Fabio Estevam <festevam@gmail.com>
+Date: Tue, 14 Sep 2021 14:48:31 -0300
+Subject: drm/msm: Do not run snapshot on non-DPU devices
+
+From: Fabio Estevam <festevam@gmail.com>
+
+commit 6a7e0b0e9fb839caa7c7f25bcf91a95b1c2cbef1 upstream.
+
+Since commit 98659487b845 ("drm/msm: add support to take dpu snapshot")
+the following NULL pointer dereference is seen on i.MX53:
+
+[ 3.275493] msm msm: bound 30000000.gpu (ops a3xx_ops)
+[ 3.287174] [drm] Initialized msm 1.8.0 20130625 for msm on minor 0
+[ 3.293915] 8<--- cut here ---
+[ 3.297012] Unable to handle kernel NULL pointer dereference at virtual address 00000028
+[ 3.305244] pgd = (ptrval)
+[ 3.307989] [00000028] *pgd=00000000
+[ 3.311624] Internal error: Oops: 805 [#1] SMP ARM
+[ 3.316430] Modules linked in:
+[ 3.319503] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.14.0+g682d702b426b #1
+[ 3.326652] Hardware name: Freescale i.MX53 (Device Tree Support)
+[ 3.332754] PC is at __mutex_init+0x14/0x54
+[ 3.336969] LR is at msm_disp_snapshot_init+0x24/0xa0
+
+i.MX53 does not use the DPU controller.
+
+Fix the problem by only calling msm_disp_snapshot_init() on platforms that
+use the DPU controller.
+
+Cc: stable@vger.kernel.org
+Fixes: 98659487b845 ("drm/msm: add support to take dpu snapshot")
+Signed-off-by: Fabio Estevam <festevam@gmail.com>
+Link: https://lore.kernel.org/r/20210914174831.2044420-1-festevam@gmail.com
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/msm_drv.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/msm/msm_drv.c
++++ b/drivers/gpu/drm/msm/msm_drv.c
+@@ -566,10 +566,11 @@ static int msm_drm_init(struct device *d
+ if (ret)
+ goto err_msm_uninit;
+
+- ret = msm_disp_snapshot_init(ddev);
+- if (ret)
+- DRM_DEV_ERROR(dev, "msm_disp_snapshot_init failed ret = %d\n", ret);
+-
++ if (kms) {
++ ret = msm_disp_snapshot_init(ddev);
++ if (ret)
++ DRM_DEV_ERROR(dev, "msm_disp_snapshot_init failed ret = %d\n", ret);
++ }
+ drm_mode_config_reset(ddev);
+
+ #ifdef CONFIG_DRM_FBDEV_EMULATION
--- /dev/null
+From d1d94b0129dccd226784633c60b7df90e8a051b5 Mon Sep 17 00:00:00 2001
+From: Marek Vasut <marex@denx.de>
+Date: Thu, 7 Oct 2021 23:41:17 +0200
+Subject: drm/nouveau/fifo: Reinstate the correct engine bit programming
+
+From: Marek Vasut <marex@denx.de>
+
+commit d1d94b0129dccd226784633c60b7df90e8a051b5 upstream.
+
+Commit 64f7c698bea9 ("drm/nouveau/fifo: add engine_id hook") replaced
+fifo/chang84.c g84_fifo_chan_engine() call with an indirect call of
+fifo/g84.c g84_fifo_engine_id(). The G84_FIFO_ENGN_* values returned
+from the later g84_fifo_engine_id() are incremented by 1 compared to
+the previous g84_fifo_chan_engine() return values.
+
+This is fine either way for most of the code, except this one line
+where an engine bit programmed into the hardware is derived from the
+return value. Decrement the return value accordingly, otherwise the
+wrong engine bit is programmed into the hardware and that leads to
+the following failure:
+nouveau 0000:01:00.0: gr: 00000030 [ILLEGAL_MTHD ILLEGAL_CLASS] ch 1 [003fbce000 DRM] subc 3 class 0000 mthd 085c data 00000420
+
+On the following hardware:
+lspci -s 01:00.0
+01:00.0 VGA compatible controller: NVIDIA Corporation GT216GLM [Quadro FX 880M] (rev a2)
+lspci -ns 01:00.0
+01:00.0 0300: 10de:0a3c (rev a2)
+
+Fixes: 64f7c698bea9 ("drm/nouveau/fifo: add engine_id hook")
+Signed-off-by: Marek Vasut <marex@denx.de>
+Cc: <stable@vger.kernel.org> # 5.12+
+Cc: Ben Skeggs <bskeggs@redhat.com>
+Cc: Karol Herbst <kherbst@redhat.com>
+Cc: Lyude Paul <lyude@redhat.com>
+Reviewed-by: Karol Herbst <kherbst@redhat.com>
+Reviewed-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Karol Herbst <kherbst@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20211007214117.231472-1-marex@denx.de
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/nouveau/nvkm/engine/fifo/chang84.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/nouveau/nvkm/engine/fifo/chang84.c
++++ b/drivers/gpu/drm/nouveau/nvkm/engine/fifo/chang84.c
+@@ -82,7 +82,7 @@ g84_fifo_chan_engine_fini(struct nvkm_fi
+ if (offset < 0)
+ return 0;
+
+- engn = fifo->base.func->engine_id(&fifo->base, engine);
++ engn = fifo->base.func->engine_id(&fifo->base, engine) - 1;
+ save = nvkm_mask(device, 0x002520, 0x0000003f, 1 << engn);
+ nvkm_wr32(device, 0x0032fc, chan->base.inst->addr >> 12);
+ done = nvkm_msec(device, 2000,
--- /dev/null
+From f60f5741002b9fde748cff65fd09bd6222c5db0c Mon Sep 17 00:00:00 2001
+From: Md Sadre Alam <mdalam@codeaurora.org>
+Date: Tue, 7 Sep 2021 12:35:57 +0530
+Subject: mtd: rawnand: qcom: Update code word value for raw read
+
+From: Md Sadre Alam <mdalam@codeaurora.org>
+
+commit f60f5741002b9fde748cff65fd09bd6222c5db0c upstream.
+
+From QPIC V2 onwards there is a separate register to read
+last code word "QPIC_NAND_READ_LOCATION_LAST_CW_n".
+
+qcom_nandc_read_cw_raw() is used to read only one code word
+at a time. If we will configure number of code words to 1 in
+in QPIC_NAND_DEV0_CFG0 register then QPIC controller thinks
+its reading the last code word, since from QPIC V2 onwards
+we are having separate register to read the last code word,
+we have to configure "QPIC_NAND_READ_LOCATION_LAST_CW_n"
+register to fetch data from controller buffer to system
+memory.
+
+Fixes: 503ee5aad430 ("mtd: rawnand: qcom: update last code word register")
+Cc: stable@kernel.org
+Signed-off-by: Md Sadre Alam <mdalam@codeaurora.org>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/1630998357-1359-1-git-send-email-mdalam@codeaurora.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/nand/raw/qcom_nandc.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/mtd/nand/raw/qcom_nandc.c
++++ b/drivers/mtd/nand/raw/qcom_nandc.c
+@@ -1676,13 +1676,17 @@ qcom_nandc_read_cw_raw(struct mtd_info *
+ struct nand_ecc_ctrl *ecc = &chip->ecc;
+ int data_size1, data_size2, oob_size1, oob_size2;
+ int ret, reg_off = FLASH_BUF_ACC, read_loc = 0;
++ int raw_cw = cw;
+
+ nand_read_page_op(chip, page, 0, NULL, 0);
+ host->use_ecc = false;
+
++ if (nandc->props->qpic_v2)
++ raw_cw = ecc->steps - 1;
++
+ clear_bam_transaction(nandc);
+ set_address(host, host->cw_size * cw, page);
+- update_rw_regs(host, 1, true, cw);
++ update_rw_regs(host, 1, true, raw_cw);
+ config_nand_page_read(chip);
+
+ data_size1 = mtd->writesize - host->cw_size * (ecc->steps - 1);
+@@ -1711,7 +1715,7 @@ qcom_nandc_read_cw_raw(struct mtd_info *
+ nandc_set_read_loc(chip, cw, 3, read_loc, oob_size2, 1);
+ }
+
+- config_nand_cw_read(chip, false, cw);
++ config_nand_cw_read(chip, false, raw_cw);
+
+ read_data_dma(nandc, reg_off, data_buf, data_size1, 0);
+ reg_off += data_size1;
--- /dev/null
+From be358af1191b1b2fedebd8f3421cafdc8edacc7d Mon Sep 17 00:00:00 2001
+From: Steven Rostedt <rostedt@goodmis.org>
+Date: Thu, 14 Oct 2021 14:35:07 -0400
+Subject: nds32/ftrace: Fix Error: invalid operands (*UND* and *UND* sections) for `^'
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+commit be358af1191b1b2fedebd8f3421cafdc8edacc7d upstream.
+
+I received a build failure for a new patch I'm working on the nds32
+architecture, and when I went to test it, I couldn't get to my build error,
+because it failed to build with a bunch of:
+
+ Error: invalid operands (*UND* and *UND* sections) for `^'
+
+issues with various files. Those files were temporary asm files that looked
+like: kernel/.tmp_mc_fork.s
+
+I decided to look deeper, and found that the "mc" portion of that name
+stood for "mcount", and was created by the recordmcount.pl script. One that
+I wrote over a decade ago. Once I knew the source of the problem, I was
+able to investigate it further.
+
+The way the recordmcount.pl script works (BTW, there's a C version that
+simply modifies the ELF object) is by doing an "objdump" on the object
+file. Looks for all the calls to "mcount", and creates an offset of those
+locations from some global variable it can use (usually a global function
+name, found with <.*>:). Creates a asm file that is a table of references
+to these locations, using the found variable/function. Compiles it and
+links it back into the original object file. This asm file is called
+".tmp_mc_<object_base_name>.s".
+
+The problem here is that the objdump produced by the nds32 object file,
+contains things that look like:
+
+ 0000159a <.L3^B1>:
+ 159a: c6 00 beqz38 $r6, 159a <.L3^B1>
+ 159a: R_NDS32_9_PCREL_RELA .text+0x159e
+ 159c: 84 d2 movi55 $r6, #-14
+ 159e: 80 06 mov55 $r0, $r6
+ 15a0: ec 3c addi10.sp #0x3c
+
+Where ".L3^B1 is somehow selected as the "global" variable to index off of.
+
+Then the assembly file that holds the mcount locations looks like this:
+
+ .section __mcount_loc,"a",@progbits
+ .align 2
+ .long .L3^B1 + -5522
+ .long .L3^B1 + -5384
+ .long .L3^B1 + -5270
+ .long .L3^B1 + -5098
+ .long .L3^B1 + -4970
+ .long .L3^B1 + -4758
+ .long .L3^B1 + -4122
+ [...]
+
+And when it is compiled back to an object to link to the original object,
+the compile fails on the "^" symbol.
+
+Simple solution for now, is to have the perl script ignore using function
+symbols that have an "^" in the name.
+
+Link: https://lkml.kernel.org/r/20211014143507.4ad2c0f7@gandalf.local.home
+
+Cc: stable@vger.kernel.org
+Acked-by: Greentime Hu <green.hu@gmail.com>
+Fixes: fbf58a52ac088 ("nds32/ftrace: Add RECORD_MCOUNT support")
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ scripts/recordmcount.pl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/scripts/recordmcount.pl
++++ b/scripts/recordmcount.pl
+@@ -189,7 +189,7 @@ if ($arch =~ /(x86(_64)?)|(i386)/) {
+ $local_regex = "^[0-9a-fA-F]+\\s+t\\s+(\\S+)";
+ $weak_regex = "^[0-9a-fA-F]+\\s+([wW])\\s+(\\S+)";
+ $section_regex = "Disassembly of section\\s+(\\S+):";
+-$function_regex = "^([0-9a-fA-F]+)\\s+<(.*?)>:";
++$function_regex = "^([0-9a-fA-F]+)\\s+<([^^]*?)>:";
+ $mcount_regex = "^\\s*([0-9a-fA-F]+):.*\\s(mcount|__fentry__)\$";
+ $section_type = '@progbits';
+ $mcount_adjust = 0;
--- /dev/null
+From 8e0ab8e26b72a80e991c66a8abc16e6c856abe3d Mon Sep 17 00:00:00 2001
+From: Roberto Sassu <roberto.sassu@huawei.com>
+Date: Tue, 5 Oct 2021 14:08:36 +0200
+Subject: s390: fix strrchr() implementation
+
+From: Roberto Sassu <roberto.sassu@huawei.com>
+
+commit 8e0ab8e26b72a80e991c66a8abc16e6c856abe3d upstream.
+
+Fix two problems found in the strrchr() implementation for s390
+architectures: evaluate empty strings (return the string address instead of
+NULL, if '\0' is passed as second argument); evaluate the first character
+of non-empty strings (the current implementation stops at the second).
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Reported-by: Heiko Carstens <hca@linux.ibm.com> (incorrect behavior with empty strings)
+Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
+Link: https://lore.kernel.org/r/20211005120836.60630-1-roberto.sassu@huawei.com
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/lib/string.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/arch/s390/lib/string.c
++++ b/arch/s390/lib/string.c
+@@ -259,14 +259,13 @@ EXPORT_SYMBOL(strcmp);
+ #ifdef __HAVE_ARCH_STRRCHR
+ char *strrchr(const char *s, int c)
+ {
+- size_t len = __strend(s) - s;
++ ssize_t len = __strend(s) - s;
+
+- if (len)
+- do {
+- if (s[len] == (char) c)
+- return (char *) s + len;
+- } while (--len > 0);
+- return NULL;
++ do {
++ if (s[len] == (char)c)
++ return (char *)s + len;
++ } while (--len >= 0);
++ return NULL;
+ }
+ EXPORT_SYMBOL(strrchr);
+ #endif
alsa-hda-realtek-fix-the-mic-type-detection-issue-for-asus-g551jw.patch
platform-x86-gigabyte-wmi-add-support-for-b550-aorus-elite-ax-v2.patch
platform-x86-amd-pmc-add-alternative-acpi-id-for-pmc-controller.patch
+spi-atmel-fix-pdc-transfer-setup-bug.patch
+mtd-rawnand-qcom-update-code-word-value-for-raw-read.patch
+nds32-ftrace-fix-error-invalid-operands-und-and-und-sections-for.patch
+dm-fix-mempool-null-pointer-race-when-completing-io.patch
+acpi-pm-include-alternate-amdi0005-id-in-special-behaviour.patch
+dm-rq-don-t-queue-request-to-blk-mq-during-dm-suspend.patch
+s390-fix-strrchr-implementation.patch
+clk-socfpga-agilex-fix-duplicate-s2f_user0_clk.patch
+csky-don-t-let-sigreturn-play-with-priveleged-bits-of-status-register.patch
+csky-fixup-regs.sr-broken-in-ptrace.patch
+drm-fbdev-clamp-fbdev-surface-size-if-too-large.patch
+arm64-hugetlb-fix-cma-gigantic-page-order-for-non-4k-page_size.patch
+drm-nouveau-fifo-reinstate-the-correct-engine-bit-programming.patch
+drm-msm-do-not-run-snapshot-on-non-dpu-devices.patch
+drm-msm-avoid-potential-overflow-in-timeout_to_jiffies.patch
+btrfs-unlock-newly-allocated-extent-buffer-after-error.patch
+btrfs-deal-with-errors-when-replaying-dir-entry-during-log-replay.patch
+btrfs-deal-with-errors-when-adding-inode-reference-during-log-replay.patch
+btrfs-check-for-error-when-looking-up-inode-during-dir-entry-replay.patch
+btrfs-update-refs-for-any-root-except-tree-log-roots.patch
+btrfs-fix-abort-logic-in-btrfs_replace_file_extents.patch
--- /dev/null
+From 75e33c55ae8fb4a177fe07c284665e1d61b02560 Mon Sep 17 00:00:00 2001
+From: Ville Baillie <villeb@bytesnap.co.uk>
+Date: Tue, 21 Sep 2021 07:21:32 +0000
+Subject: spi: atmel: Fix PDC transfer setup bug
+
+From: Ville Baillie <villeb@bytesnap.co.uk>
+
+commit 75e33c55ae8fb4a177fe07c284665e1d61b02560 upstream.
+
+atmel_spi_dma_map_xfer to never be called in PDC mode. This causes the
+driver to silently fail.
+
+This patch changes the conditional to match the behaviour of the
+previous commit before the refactor.
+
+Fixes: 5fa5e6dec762 ("spi: atmel: Switch to transfer_one transfer method")
+Signed-off-by: Ville Baillie <villeb@bytesnap.co.uk>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20210921072132.21831-1-villeb@bytesnap.co.uk
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-atmel.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/spi/spi-atmel.c
++++ b/drivers/spi/spi-atmel.c
+@@ -1301,7 +1301,7 @@ static int atmel_spi_one_transfer(struct
+ * DMA map early, for performance (empties dcache ASAP) and
+ * better fault reporting.
+ */
+- if ((!master->cur_msg_mapped)
++ if ((!master->cur_msg->is_dma_mapped)
+ && as->use_pdc) {
+ if (atmel_spi_dma_map_xfer(as, xfer) < 0)
+ return -ENOMEM;
+@@ -1381,7 +1381,7 @@ static int atmel_spi_one_transfer(struct
+ }
+ }
+
+- if (!master->cur_msg_mapped
++ if (!master->cur_msg->is_dma_mapped
+ && as->use_pdc)
+ atmel_spi_dma_unmap_xfer(master, xfer);
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
