--- /dev/null
+From fd09347bb15f12a1db944a8411e939b7cb7d3674 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Jan 2021 22:49:56 +0100
+Subject: ASoC: Intel: Add DMI quirk table to soc_intel_is_byt_cr()
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 8ade6d8b02b1ead741bd4f6c42921035caab6560 ]
+
+Some Bay Trail systems:
+1. Use a non CR version of the Bay Trail SoC
+2. Contain at least 6 interrupt resources so that the
+ platform_get_resource(pdev, IORESOURCE_IRQ, 5) check to workaround
+ non CR systems which list their IPC IRQ at index 0 despite being
+ non CR does not work
+3. Despite 1. and 2. still have their IPC IRQ at index 0 rather then 5
+
+Add a DMI quirk table to check for the few known models with this issue,
+so that the right IPC IRQ index is used on these systems.
+
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Acked-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20210120214957.140232-5-hdegoede@redhat.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/common/soc-intel-quirks.h | 25 +++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+diff --git a/sound/soc/intel/common/soc-intel-quirks.h b/sound/soc/intel/common/soc-intel-quirks.h
+index 863a477d3405..645baf0ed3dd 100644
+--- a/sound/soc/intel/common/soc-intel-quirks.h
++++ b/sound/soc/intel/common/soc-intel-quirks.h
+@@ -11,6 +11,7 @@
+
+ #if IS_ENABLED(CONFIG_X86)
+
++#include <linux/dmi.h>
+ #include <asm/cpu_device_id.h>
+ #include <asm/intel-family.h>
+ #include <asm/iosf_mbi.h>
+@@ -40,12 +41,36 @@ SOC_INTEL_IS_CPU(cml, INTEL_FAM6_KABYLAKE_L);
+
+ static inline bool soc_intel_is_byt_cr(struct platform_device *pdev)
+ {
++ /*
++ * List of systems which:
++ * 1. Use a non CR version of the Bay Trail SoC
++ * 2. Contain at least 6 interrupt resources so that the
++ * platform_get_resource(pdev, IORESOURCE_IRQ, 5) check below
++ * succeeds
++ * 3. Despite 1. and 2. still have their IPC IRQ at index 0 rather then 5
++ *
++ * This needs to be here so that it can be shared between the SST and
++ * SOF drivers. We rely on the compiler to optimize this out in files
++ * where soc_intel_is_byt_cr is not used.
++ */
++ static const struct dmi_system_id force_bytcr_table[] = {
++ { /* Lenovo Yoga Tablet 2 series */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_FAMILY, "YOGATablet2"),
++ },
++ },
++ {}
++ };
+ struct device *dev = &pdev->dev;
+ int status = 0;
+
+ if (!soc_intel_is_byt())
+ return false;
+
++ if (dmi_check_system(force_bytcr_table))
++ return true;
++
+ if (iosf_mbi_available()) {
+ u32 bios_status;
+
+--
+2.30.1
+
--- /dev/null
+From 92b22bf3dfd1c729a495d2c4a2f3480286f38ce3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Feb 2021 22:35:55 +0100
+Subject: ASoC: Intel: bytcr_rt5640: Add quirk for the Acer One S1002 tablet
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit c58947af08aedbdee0fce5ea6e6bf3e488ae0e2c ]
+
+The Acer One S1002 tablet is using an analog mic on IN1 and has
+its jack-detect connected to JD2_IN4N, instead of using the default
+IN3 for its internal mic and JD1_IN4P for jack-detect.
+
+Note it is also using AIF2 instead of AIF1 which is somewhat unusual,
+this is correctly advertised in the ACPI CHAN package, so the speakers
+do work without the quirk.
+
+Add a quirk for the mic and jack-detect settings.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://lore.kernel.org/r/20210216213555.36555-5-hdegoede@redhat.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/boards/bytcr_rt5640.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/sound/soc/intel/boards/bytcr_rt5640.c b/sound/soc/intel/boards/bytcr_rt5640.c
+index 00e8d589a724..9ee610504bac 100644
+--- a/sound/soc/intel/boards/bytcr_rt5640.c
++++ b/sound/soc/intel/boards/bytcr_rt5640.c
+@@ -400,6 +400,19 @@ static const struct dmi_system_id byt_rt5640_quirk_table[] = {
+ BYT_RT5640_SSP0_AIF1 |
+ BYT_RT5640_MCLK_EN),
+ },
++ { /* Acer One 10 S1002 */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Acer"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "One S1002"),
++ },
++ .driver_data = (void *)(BYT_RT5640_IN1_MAP |
++ BYT_RT5640_JD_SRC_JD2_IN4N |
++ BYT_RT5640_OVCD_TH_2000UA |
++ BYT_RT5640_OVCD_SF_0P75 |
++ BYT_RT5640_DIFF_MIC |
++ BYT_RT5640_SSP0_AIF2 |
++ BYT_RT5640_MCLK_EN),
++ },
+ {
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Acer"),
+--
+2.30.1
+
--- /dev/null
+From a3b09a746fec78b36764ac4074ab3a48fd2b134d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Feb 2021 22:35:52 +0100
+Subject: ASoC: Intel: bytcr_rt5640: Add quirk for the Estar Beauty HD MID
+ 7316R tablet
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit bdea43fc0436c9e98fdfe151c2ed8a3fc7277404 ]
+
+The Estar Beauty HD MID 7316R tablet almost fully works with out default
+settings. The only problem is that it has only 1 speaker so any sounds
+only playing on the right channel get lost.
+
+Add a quirk for this model using the default settings + MONO_SPEAKER.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://lore.kernel.org/r/20210216213555.36555-2-hdegoede@redhat.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/boards/bytcr_rt5640.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/sound/soc/intel/boards/bytcr_rt5640.c b/sound/soc/intel/boards/bytcr_rt5640.c
+index 6012367f6fe4..cdbc00c77338 100644
+--- a/sound/soc/intel/boards/bytcr_rt5640.c
++++ b/sound/soc/intel/boards/bytcr_rt5640.c
+@@ -513,6 +513,16 @@ static const struct dmi_system_id byt_rt5640_quirk_table[] = {
+ BYT_RT5640_MONO_SPEAKER |
+ BYT_RT5640_MCLK_EN),
+ },
++ { /* Estar Beauty HD MID 7316R */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Estar"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "eSTAR BEAUTY HD Intel Quad core"),
++ },
++ .driver_data = (void *)(BYTCR_INPUT_DEFAULTS |
++ BYT_RT5640_MONO_SPEAKER |
++ BYT_RT5640_SSP0_AIF1 |
++ BYT_RT5640_MCLK_EN),
++ },
+ {
+ .matches = {
+ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "Hewlett-Packard"),
+--
+2.30.1
+
--- /dev/null
+From 45a9372d0682f6dc4108e5c8fb95ffed541c6f8c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Feb 2021 22:35:53 +0100
+Subject: ASoC: Intel: bytcr_rt5640: Add quirk for the Voyo Winpad A15 tablet
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit e1317cc9ca4ac20262895fddb065ffda4fc29cfb ]
+
+The Voyo Winpad A15 tablet uses a Bay Trail (non CR) SoC, so it is using
+SSP2 (AIF1) and it mostly works with the defaults. But instead of using
+DMIC1 it is using an analog mic on IN1, add a quirk for this.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://lore.kernel.org/r/20210216213555.36555-3-hdegoede@redhat.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/boards/bytcr_rt5640.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/sound/soc/intel/boards/bytcr_rt5640.c b/sound/soc/intel/boards/bytcr_rt5640.c
+index cdbc00c77338..00e8d589a724 100644
+--- a/sound/soc/intel/boards/bytcr_rt5640.c
++++ b/sound/soc/intel/boards/bytcr_rt5640.c
+@@ -786,6 +786,20 @@ static const struct dmi_system_id byt_rt5640_quirk_table[] = {
+ BYT_RT5640_SSP0_AIF2 |
+ BYT_RT5640_MCLK_EN),
+ },
++ { /* Voyo Winpad A15 */
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "AMI Corporation"),
++ DMI_MATCH(DMI_BOARD_NAME, "Aptio CRB"),
++ /* Above strings are too generic, also match on BIOS date */
++ DMI_MATCH(DMI_BIOS_DATE, "11/20/2014"),
++ },
++ .driver_data = (void *)(BYT_RT5640_IN1_MAP |
++ BYT_RT5640_JD_SRC_JD2_IN4N |
++ BYT_RT5640_OVCD_TH_2000UA |
++ BYT_RT5640_OVCD_SF_0P75 |
++ BYT_RT5640_DIFF_MIC |
++ BYT_RT5640_MCLK_EN),
++ },
+ { /* Catch-all for generic Insyde tablets, must be last */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Insyde"),
+--
+2.30.1
+
--- /dev/null
+From afddb093b80692104c143e84920cb04a28be6546 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Feb 2021 22:35:54 +0100
+Subject: ASoC: Intel: bytcr_rt5651: Add quirk for the Jumper EZpad 7 tablet
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit df8359c512fa770ffa6b0b0309807d9b9825a47f ]
+
+Add a DMI quirk for the Jumper EZpad 7 tablet, this tablet has
+a jack-detect switch which reads 1/high when a jack is inserted,
+rather then using the standard active-low setup which most
+jack-detect switches use. All other settings are using the defaults.
+
+Add a DMI-quirk setting the defaults + the BYT_RT5651_JD_NOT_INV
+flags for this.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://lore.kernel.org/r/20210216213555.36555-4-hdegoede@redhat.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/boards/bytcr_rt5651.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/sound/soc/intel/boards/bytcr_rt5651.c b/sound/soc/intel/boards/bytcr_rt5651.c
+index 4606f6f582d6..921c09cdb480 100644
+--- a/sound/soc/intel/boards/bytcr_rt5651.c
++++ b/sound/soc/intel/boards/bytcr_rt5651.c
+@@ -435,6 +435,19 @@ static const struct dmi_system_id byt_rt5651_quirk_table[] = {
+ BYT_RT5651_SSP0_AIF1 |
+ BYT_RT5651_MONO_SPEAKER),
+ },
++ {
++ /* Jumper EZpad 7 */
++ .callback = byt_rt5651_quirk_cb,
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Jumper"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "EZpad"),
++ /* Jumper12x.WJ2012.bsBKRCP05 with the version dropped */
++ DMI_MATCH(DMI_BIOS_VERSION, "Jumper12x.WJ2012.bsBKRCP"),
++ },
++ .driver_data = (void *)(BYT_RT5651_DEFAULT_QUIRKS |
++ BYT_RT5651_IN2_MAP |
++ BYT_RT5651_JD_NOT_INV),
++ },
+ {
+ /* KIANO SlimNote 14.2 */
+ .callback = byt_rt5651_quirk_cb,
+--
+2.30.1
+
--- /dev/null
+From 084e8d7c49192c94f02a37595729d266b805f67d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Dec 2020 14:34:47 +0800
+Subject: ath10k: fix wmi mgmt tx queue full due to race condition
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Miaoqing Pan <miaoqing@codeaurora.org>
+
+[ Upstream commit b55379e343a3472c35f4a1245906db5158cab453 ]
+
+Failed to transmit wmi management frames:
+
+[84977.840894] ath10k_snoc a000000.wifi: wmi mgmt tx queue is full
+[84977.840913] ath10k_snoc a000000.wifi: failed to transmit packet, dropping: -28
+[84977.840924] ath10k_snoc a000000.wifi: failed to submit frame: -28
+[84977.840932] ath10k_snoc a000000.wifi: failed to transmit frame: -28
+
+This issue is caused by race condition between skb_dequeue and
+__skb_queue_tail. The queue of ‘wmi_mgmt_tx_queue’ is protected by a
+different lock: ar->data_lock vs list->lock, the result is no protection.
+So when ath10k_mgmt_over_wmi_tx_work() and ath10k_mac_tx_wmi_mgmt()
+running concurrently on different CPUs, there appear to be a rare corner
+cases when the queue length is 1,
+
+ CPUx (skb_deuque) CPUy (__skb_queue_tail)
+ next=list
+ prev=list
+ struct sk_buff *skb = skb_peek(list); WRITE_ONCE(newsk->next, next);
+ WRITE_ONCE(list->qlen, list->qlen - 1);WRITE_ONCE(newsk->prev, prev);
+ next = skb->next; WRITE_ONCE(next->prev, newsk);
+ prev = skb->prev; WRITE_ONCE(prev->next, newsk);
+ skb->next = skb->prev = NULL; list->qlen++;
+ WRITE_ONCE(next->prev, prev);
+ WRITE_ONCE(prev->next, next);
+
+If the instruction ‘next = skb->next’ is executed before
+‘WRITE_ONCE(prev->next, newsk)’, newsk will be lost, as CPUx get the
+old ‘next’ pointer, but the length is still added by one. The final
+result is the length of the queue will reach the maximum value but
+the queue is empty.
+
+So remove ar->data_lock, and use 'skb_queue_tail' instead of
+'__skb_queue_tail' to prevent the potential race condition. Also switch
+to use skb_queue_len_lockless, in case we queue a few SKBs simultaneously.
+
+Tested-on: WCN3990 hw1.0 SNOC WLAN.HL.3.1.c2-00033-QCAHLSWMTPLZ-1
+
+Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org>
+Reviewed-by: Brian Norris <briannorris@chromium.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/1608618887-8857-1-git-send-email-miaoqing@codeaurora.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/mac.c | 15 ++++-----------
+ 1 file changed, 4 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
+index 915ba2a7f744..47b733fdf4fc 100644
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -3624,23 +3624,16 @@ bool ath10k_mac_tx_frm_has_freq(struct ath10k *ar)
+ static int ath10k_mac_tx_wmi_mgmt(struct ath10k *ar, struct sk_buff *skb)
+ {
+ struct sk_buff_head *q = &ar->wmi_mgmt_tx_queue;
+- int ret = 0;
+-
+- spin_lock_bh(&ar->data_lock);
+
+- if (skb_queue_len(q) == ATH10K_MAX_NUM_MGMT_PENDING) {
++ if (skb_queue_len_lockless(q) >= ATH10K_MAX_NUM_MGMT_PENDING) {
+ ath10k_warn(ar, "wmi mgmt tx queue is full\n");
+- ret = -ENOSPC;
+- goto unlock;
++ return -ENOSPC;
+ }
+
+- __skb_queue_tail(q, skb);
++ skb_queue_tail(q, skb);
+ ieee80211_queue_work(ar->hw, &ar->wmi_mgmt_tx_work);
+
+-unlock:
+- spin_unlock_bh(&ar->data_lock);
+-
+- return ret;
++ return 0;
+ }
+
+ static enum ath10k_mac_tx_path
+--
+2.30.1
+
--- /dev/null
+From 3f020f06c80253e54a25a66154f44532cb5ba1fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Feb 2021 15:12:30 +0530
+Subject: Bluetooth: Fix null pointer dereference in
+ amp_read_loc_assoc_final_data
+
+From: Gopal Tiwari <gtiwari@redhat.com>
+
+[ Upstream commit e8bd76ede155fd54d8c41d045dda43cd3174d506 ]
+
+kernel panic trace looks like:
+
+ #5 [ffffb9e08698fc80] do_page_fault at ffffffffb666e0d7
+ #6 [ffffb9e08698fcb0] page_fault at ffffffffb70010fe
+ [exception RIP: amp_read_loc_assoc_final_data+63]
+ RIP: ffffffffc06ab54f RSP: ffffb9e08698fd68 RFLAGS: 00010246
+ RAX: 0000000000000000 RBX: ffff8c8845a5a000 RCX: 0000000000000004
+ RDX: 0000000000000000 RSI: ffff8c8b9153d000 RDI: ffff8c8845a5a000
+ RBP: ffffb9e08698fe40 R8: 00000000000330e0 R9: ffffffffc0675c94
+ R10: ffffb9e08698fe58 R11: 0000000000000001 R12: ffff8c8b9cbf6200
+ R13: 0000000000000000 R14: 0000000000000000 R15: ffff8c8b2026da0b
+ ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
+ #7 [ffffb9e08698fda8] hci_event_packet at ffffffffc0676904 [bluetooth]
+ #8 [ffffb9e08698fe50] hci_rx_work at ffffffffc06629ac [bluetooth]
+ #9 [ffffb9e08698fe98] process_one_work at ffffffffb66f95e7
+
+hcon->amp_mgr seems NULL triggered kernel panic in following line inside
+function amp_read_loc_assoc_final_data
+
+ set_bit(READ_LOC_AMP_ASSOC_FINAL, &mgr->state);
+
+Fixed by checking NULL for mgr.
+
+Signed-off-by: Gopal Tiwari <gtiwari@redhat.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/amp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/bluetooth/amp.c b/net/bluetooth/amp.c
+index 9c711f0dfae3..be2d469d6369 100644
+--- a/net/bluetooth/amp.c
++++ b/net/bluetooth/amp.c
+@@ -297,6 +297,9 @@ void amp_read_loc_assoc_final_data(struct hci_dev *hdev,
+ struct hci_request req;
+ int err;
+
++ if (!mgr)
++ return;
++
+ cp.phy_handle = hcon->handle;
+ cp.len_so_far = cpu_to_le16(0);
+ cp.max_len = cpu_to_le16(hdev->amp_assoc_size);
+--
+2.30.1
+
--- /dev/null
+From ca77bda294ff8a3db1e426761d2bdcf2475631a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Jan 2021 19:47:00 +0800
+Subject: Bluetooth: hci_h5: Set HCI_QUIRK_SIMULTANEOUS_DISCOVERY for btrtl
+
+From: Claire Chang <tientzu@chromium.org>
+
+[ Upstream commit 7f9f2c3f7d99b8ae773459c74ac5e99a0dd46db9 ]
+
+Realtek Bluetooth controllers can do both LE scan and BR/EDR inquiry
+at once, need to set HCI_QUIRK_SIMULTANEOUS_DISCOVERY quirk.
+
+Signed-off-by: Claire Chang <tientzu@chromium.org>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/hci_h5.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/bluetooth/hci_h5.c b/drivers/bluetooth/hci_h5.c
+index e11af747395d..bf3e23104194 100644
+--- a/drivers/bluetooth/hci_h5.c
++++ b/drivers/bluetooth/hci_h5.c
+@@ -894,6 +894,11 @@ static int h5_btrtl_setup(struct h5 *h5)
+ /* Give the device some time before the hci-core sends it a reset */
+ usleep_range(10000, 20000);
+
++ /* Enable controller to do both LE scan and BR/EDR inquiry
++ * simultaneously.
++ */
++ set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &h5->hu->hdev->quirks);
++
+ out_free:
+ btrtl_free(btrtl_dev);
+
+--
+2.30.1
+
--- /dev/null
+From 0145ce870eee881d019d0ae72e1d6accdd4104b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Jan 2021 18:14:12 +0100
+Subject: brcmfmac: Add DMI nvram filename quirk for Predia Basic tablet
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit af4b3a6f36d6c2fc5fca026bccf45e0fdcabddd9 ]
+
+The Predia Basic tablet contains quite generic names in the sys_vendor and
+product_name DMI strings, without this patch brcmfmac will try to load:
+brcmfmac43340-sdio.Insyde-CherryTrail.txt as nvram file which is a bit
+too generic.
+
+Add a DMI quirk so that a unique and clearly identifiable nvram file name
+is used on the Predia Basic tablet.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210129171413.139880-1-hdegoede@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/broadcom/brcm80211/brcmfmac/dmi.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c
+index 4aa2561934d7..824a79f24383 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c
+@@ -40,6 +40,10 @@ static const struct brcmf_dmi_data pov_tab_p1006w_data = {
+ BRCM_CC_43340_CHIP_ID, 2, "pov-tab-p1006w-data"
+ };
+
++static const struct brcmf_dmi_data predia_basic_data = {
++ BRCM_CC_43341_CHIP_ID, 2, "predia-basic"
++};
++
+ static const struct dmi_system_id dmi_platform_data[] = {
+ {
+ /* ACEPC T8 Cherry Trail Z8350 mini PC */
+@@ -111,6 +115,16 @@ static const struct dmi_system_id dmi_platform_data[] = {
+ },
+ .driver_data = (void *)&pov_tab_p1006w_data,
+ },
++ {
++ /* Predia Basic tablet (+ with keyboard dock) */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Insyde"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "CherryTrail"),
++ /* Mx.WT107.KUBNGEA02 with the version-nr dropped */
++ DMI_MATCH(DMI_BIOS_VERSION, "Mx.WT107.KUBNGEA"),
++ },
++ .driver_data = (void *)&predia_basic_data,
++ },
+ {}
+ };
+
+--
+2.30.1
+
--- /dev/null
+From ae0a13e080bf9dac4a3f66edbb9093c92a4b6983 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Jan 2021 18:14:13 +0100
+Subject: brcmfmac: Add DMI nvram filename quirk for Voyo winpad A15 tablet
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit a338c874d3d9d2463f031e89ae14942929b93db6 ]
+
+The Voyo winpad A15 tablet contains quite generic names in the sys_vendor
+and product_name DMI strings, without this patch brcmfmac will try to load:
+rcmfmac4330-sdio.To be filled by O.E.M.-To be filled by O.E.M..txt
+as nvram file which is a bit too generic.
+
+Add a DMI quirk so that a unique and clearly identifiable nvram file name
+is used on the Voyo winpad A15 tablet.
+
+While preparing a matching linux-firmware update I noticed that the nvram
+is identical to the nvram used on the Prowise-PT301 tablet, so the new DMI
+quirk entry simply points to the already existing Prowise-PT301 nvram file.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210129171413.139880-2-hdegoede@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../wireless/broadcom/brcm80211/brcmfmac/dmi.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c
+index 824a79f24383..6d5188b78f2d 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c
+@@ -44,6 +44,14 @@ static const struct brcmf_dmi_data predia_basic_data = {
+ BRCM_CC_43341_CHIP_ID, 2, "predia-basic"
+ };
+
++/* Note the Voyo winpad A15 tablet uses the same Ampak AP6330 module, with the
++ * exact same nvram file as the Prowise-PT301 tablet. Since the nvram for the
++ * Prowise-PT301 is already in linux-firmware we just point to that here.
++ */
++static const struct brcmf_dmi_data voyo_winpad_a15_data = {
++ BRCM_CC_4330_CHIP_ID, 4, "Prowise-PT301"
++};
++
+ static const struct dmi_system_id dmi_platform_data[] = {
+ {
+ /* ACEPC T8 Cherry Trail Z8350 mini PC */
+@@ -125,6 +133,16 @@ static const struct dmi_system_id dmi_platform_data[] = {
+ },
+ .driver_data = (void *)&predia_basic_data,
+ },
++ {
++ /* Voyo winpad A15 tablet */
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "AMI Corporation"),
++ DMI_MATCH(DMI_BOARD_NAME, "Aptio CRB"),
++ /* Above strings are too generic, also match on BIOS date */
++ DMI_MATCH(DMI_BIOS_DATE, "11/20/2014"),
++ },
++ .driver_data = (void *)&voyo_winpad_a15_data,
++ },
+ {}
+ };
+
+--
+2.30.1
+
--- /dev/null
+From c3a752ecf467a792c67ef5d441d3d9437be840fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Dec 2020 09:53:23 -0500
+Subject: btrfs: fix error handling in commit_fs_roots
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+[ Upstream commit 4f4317c13a40194940acf4a71670179c4faca2b5 ]
+
+While doing error injection I would sometimes get a corrupt file system.
+This is because I was injecting errors at btrfs_search_slot, but would
+only do it one time per stack. This uncovered a problem in
+commit_fs_roots, where if we get an error we would just break. However
+we're in a nested loop, the first loop being a loop to find all the
+dirty fs roots, and then subsequent root updates would succeed clearing
+the error value.
+
+This isn't likely to happen in real scenarios, however we could
+potentially get a random ENOMEM once and then not again, and we'd end up
+with a corrupted file system. Fix this by moving the error checking
+around a bit to the main loop, as this is the only place where something
+will fail, and return the error as soon as it occurs.
+
+With this patch my reproducer no longer corrupts the file system.
+
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/transaction.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c
+index c346ee7ec18d..aca6c467d776 100644
+--- a/fs/btrfs/transaction.c
++++ b/fs/btrfs/transaction.c
+@@ -1212,7 +1212,6 @@ static noinline int commit_fs_roots(struct btrfs_trans_handle *trans)
+ struct btrfs_root *gang[8];
+ int i;
+ int ret;
+- int err = 0;
+
+ spin_lock(&fs_info->fs_roots_radix_lock);
+ while (1) {
+@@ -1224,6 +1223,8 @@ static noinline int commit_fs_roots(struct btrfs_trans_handle *trans)
+ break;
+ for (i = 0; i < ret; i++) {
+ struct btrfs_root *root = gang[i];
++ int ret2;
++
+ radix_tree_tag_clear(&fs_info->fs_roots_radix,
+ (unsigned long)root->root_key.objectid,
+ BTRFS_ROOT_TRANS_TAG);
+@@ -1245,17 +1246,17 @@ static noinline int commit_fs_roots(struct btrfs_trans_handle *trans)
+ root->node);
+ }
+
+- err = btrfs_update_root(trans, fs_info->tree_root,
++ ret2 = btrfs_update_root(trans, fs_info->tree_root,
+ &root->root_key,
+ &root->root_item);
++ if (ret2)
++ return ret2;
+ spin_lock(&fs_info->fs_roots_radix_lock);
+- if (err)
+- break;
+ btrfs_qgroup_free_meta_all_pertrans(root);
+ }
+ }
+ spin_unlock(&fs_info->fs_roots_radix_lock);
+- return err;
++ return 0;
+ }
+
+ /*
+--
+2.30.1
+
--- /dev/null
+From 2a2a35e4eceb56e9faffb74e95b6ca43f407df6d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Dec 2020 15:34:41 +0100
+Subject: crypto: tcrypt - avoid signed overflow in byte count
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+[ Upstream commit 303fd3e1c771077e32e96e5788817f025f0067e2 ]
+
+The signed long type used for printing the number of bytes processed in
+tcrypt benchmarks limits the range to -/+ 2 GiB, which is not sufficient
+to cover the performance of common accelerated ciphers such as AES-NI
+when benchmarked with sec=1. So switch to u64 instead.
+
+While at it, fix up a missing printk->pr_cont conversion in the AEAD
+benchmark.
+
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/tcrypt.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/crypto/tcrypt.c b/crypto/tcrypt.c
+index 83ad0b1fab30..0cece1f883eb 100644
+--- a/crypto/tcrypt.c
++++ b/crypto/tcrypt.c
+@@ -198,8 +198,8 @@ static int test_mb_aead_jiffies(struct test_mb_aead_data *data, int enc,
+ goto out;
+ }
+
+- pr_cont("%d operations in %d seconds (%ld bytes)\n",
+- bcount * num_mb, secs, (long)bcount * blen * num_mb);
++ pr_cont("%d operations in %d seconds (%llu bytes)\n",
++ bcount * num_mb, secs, (u64)bcount * blen * num_mb);
+
+ out:
+ kfree(rc);
+@@ -468,8 +468,8 @@ static int test_aead_jiffies(struct aead_request *req, int enc,
+ return ret;
+ }
+
+- printk("%d operations in %d seconds (%ld bytes)\n",
+- bcount, secs, (long)bcount * blen);
++ pr_cont("%d operations in %d seconds (%llu bytes)\n",
++ bcount, secs, (u64)bcount * blen);
+ return 0;
+ }
+
+@@ -759,8 +759,8 @@ static int test_mb_ahash_jiffies(struct test_mb_ahash_data *data, int blen,
+ goto out;
+ }
+
+- pr_cont("%d operations in %d seconds (%ld bytes)\n",
+- bcount * num_mb, secs, (long)bcount * blen * num_mb);
++ pr_cont("%d operations in %d seconds (%llu bytes)\n",
++ bcount * num_mb, secs, (u64)bcount * blen * num_mb);
+
+ out:
+ kfree(rc);
+@@ -1196,8 +1196,8 @@ static int test_mb_acipher_jiffies(struct test_mb_skcipher_data *data, int enc,
+ goto out;
+ }
+
+- pr_cont("%d operations in %d seconds (%ld bytes)\n",
+- bcount * num_mb, secs, (long)bcount * blen * num_mb);
++ pr_cont("%d operations in %d seconds (%llu bytes)\n",
++ bcount * num_mb, secs, (u64)bcount * blen * num_mb);
+
+ out:
+ kfree(rc);
+@@ -1434,8 +1434,8 @@ static int test_acipher_jiffies(struct skcipher_request *req, int enc,
+ return ret;
+ }
+
+- pr_cont("%d operations in %d seconds (%ld bytes)\n",
+- bcount, secs, (long)bcount * blen);
++ pr_cont("%d operations in %d seconds (%llu bytes)\n",
++ bcount, secs, (u64)bcount * blen);
+ return 0;
+ }
+
+--
+2.30.1
+
--- /dev/null
+From 5139ed7e0c5b79b5c46a651d4465eb11019f8865 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Dec 2020 12:14:00 -0500
+Subject: drm/amd/display: Guard against NULL pointer deref when get_i2c_info
+ fails
+
+From: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
+
+[ Upstream commit 44a09e3d95bd2b7b0c224100f78f335859c4e193 ]
+
+[Why]
+If the BIOS table is invalid or corrupt then get_i2c_info can fail
+and we dereference a NULL pointer.
+
+[How]
+Check that ddc_pin is not NULL before using it and log an error if it
+is because this is unexpected.
+
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
+Reviewed-by: Eric Yang <eric.yang2@amd.com>
+Acked-by: Anson Jacob <anson.jacob@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/core/dc_link.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_link.c b/drivers/gpu/drm/amd/display/dc/core/dc_link.c
+index fa92b88bc5a1..40041c61a100 100644
+--- a/drivers/gpu/drm/amd/display/dc/core/dc_link.c
++++ b/drivers/gpu/drm/amd/display/dc/core/dc_link.c
+@@ -1303,6 +1303,11 @@ static bool construct(
+ goto ddc_create_fail;
+ }
+
++ if (!link->ddc->ddc_pin) {
++ DC_ERROR("Failed to get I2C info for connector!\n");
++ goto ddc_create_fail;
++ }
++
+ link->ddc_hw_inst =
+ dal_ddc_get_line(
+ dal_ddc_service_get_ddc_pin(link->ddc));
+--
+2.30.1
+
--- /dev/null
+From 414ca1b0ee51843f1dba27430b3408f1817b4916 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Jan 2021 00:06:39 +0800
+Subject: drm/amdgpu: Add check to prevent IH overflow
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Defang Bo <bodefang@126.com>
+
+[ Upstream commit e4180c4253f3f2da09047f5139959227f5cf1173 ]
+
+Similar to commit <b82175750131>("drm/amdgpu: fix IH overflow on Vega10 v2").
+When an ring buffer overflow happens the appropriate bit is set in the WPTR
+register which is also written back to memory. But clearing the bit in the
+WPTR doesn't trigger another memory writeback.
+
+So what can happen is that we end up processing the buffer overflow over and
+over again because the bit is never cleared. Resulting in a random system
+lockup because of an infinite loop in an interrupt handler.
+
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Defang Bo <bodefang@126.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/cz_ih.c | 37 ++++++++++++++++---------
+ drivers/gpu/drm/amd/amdgpu/iceland_ih.c | 36 +++++++++++++++---------
+ drivers/gpu/drm/amd/amdgpu/tonga_ih.c | 37 ++++++++++++++++---------
+ 3 files changed, 71 insertions(+), 39 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/cz_ih.c b/drivers/gpu/drm/amd/amdgpu/cz_ih.c
+index 1dca0cabc326..13520d173296 100644
+--- a/drivers/gpu/drm/amd/amdgpu/cz_ih.c
++++ b/drivers/gpu/drm/amd/amdgpu/cz_ih.c
+@@ -193,19 +193,30 @@ static u32 cz_ih_get_wptr(struct amdgpu_device *adev,
+
+ wptr = le32_to_cpu(*ih->wptr_cpu);
+
+- if (REG_GET_FIELD(wptr, IH_RB_WPTR, RB_OVERFLOW)) {
+- wptr = REG_SET_FIELD(wptr, IH_RB_WPTR, RB_OVERFLOW, 0);
+- /* When a ring buffer overflow happen start parsing interrupt
+- * from the last not overwritten vector (wptr + 16). Hopefully
+- * this should allow us to catchup.
+- */
+- dev_warn(adev->dev, "IH ring buffer overflow (0x%08X, 0x%08X, 0x%08X)\n",
+- wptr, ih->rptr, (wptr + 16) & ih->ptr_mask);
+- ih->rptr = (wptr + 16) & ih->ptr_mask;
+- tmp = RREG32(mmIH_RB_CNTL);
+- tmp = REG_SET_FIELD(tmp, IH_RB_CNTL, WPTR_OVERFLOW_CLEAR, 1);
+- WREG32(mmIH_RB_CNTL, tmp);
+- }
++ if (!REG_GET_FIELD(wptr, IH_RB_WPTR, RB_OVERFLOW))
++ goto out;
++
++ /* Double check that the overflow wasn't already cleared. */
++ wptr = RREG32(mmIH_RB_WPTR);
++
++ if (!REG_GET_FIELD(wptr, IH_RB_WPTR, RB_OVERFLOW))
++ goto out;
++
++ wptr = REG_SET_FIELD(wptr, IH_RB_WPTR, RB_OVERFLOW, 0);
++
++ /* When a ring buffer overflow happen start parsing interrupt
++ * from the last not overwritten vector (wptr + 16). Hopefully
++ * this should allow us to catchup.
++ */
++ dev_warn(adev->dev, "IH ring buffer overflow (0x%08X, 0x%08X, 0x%08X)\n",
++ wptr, ih->rptr, (wptr + 16) & ih->ptr_mask);
++ ih->rptr = (wptr + 16) & ih->ptr_mask;
++ tmp = RREG32(mmIH_RB_CNTL);
++ tmp = REG_SET_FIELD(tmp, IH_RB_CNTL, WPTR_OVERFLOW_CLEAR, 1);
++ WREG32(mmIH_RB_CNTL, tmp);
++
++
++out:
+ return (wptr & ih->ptr_mask);
+ }
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/iceland_ih.c b/drivers/gpu/drm/amd/amdgpu/iceland_ih.c
+index a13dd9a51149..7d165f024f07 100644
+--- a/drivers/gpu/drm/amd/amdgpu/iceland_ih.c
++++ b/drivers/gpu/drm/amd/amdgpu/iceland_ih.c
+@@ -193,19 +193,29 @@ static u32 iceland_ih_get_wptr(struct amdgpu_device *adev,
+
+ wptr = le32_to_cpu(*ih->wptr_cpu);
+
+- if (REG_GET_FIELD(wptr, IH_RB_WPTR, RB_OVERFLOW)) {
+- wptr = REG_SET_FIELD(wptr, IH_RB_WPTR, RB_OVERFLOW, 0);
+- /* When a ring buffer overflow happen start parsing interrupt
+- * from the last not overwritten vector (wptr + 16). Hopefully
+- * this should allow us to catchup.
+- */
+- dev_warn(adev->dev, "IH ring buffer overflow (0x%08X, 0x%08X, 0x%08X)\n",
+- wptr, ih->rptr, (wptr + 16) & ih->ptr_mask);
+- ih->rptr = (wptr + 16) & ih->ptr_mask;
+- tmp = RREG32(mmIH_RB_CNTL);
+- tmp = REG_SET_FIELD(tmp, IH_RB_CNTL, WPTR_OVERFLOW_CLEAR, 1);
+- WREG32(mmIH_RB_CNTL, tmp);
+- }
++ if (!REG_GET_FIELD(wptr, IH_RB_WPTR, RB_OVERFLOW))
++ goto out;
++
++ /* Double check that the overflow wasn't already cleared. */
++ wptr = RREG32(mmIH_RB_WPTR);
++
++ if (!REG_GET_FIELD(wptr, IH_RB_WPTR, RB_OVERFLOW))
++ goto out;
++
++ wptr = REG_SET_FIELD(wptr, IH_RB_WPTR, RB_OVERFLOW, 0);
++ /* When a ring buffer overflow happen start parsing interrupt
++ * from the last not overwritten vector (wptr + 16). Hopefully
++ * this should allow us to catchup.
++ */
++ dev_warn(adev->dev, "IH ring buffer overflow (0x%08X, 0x%08X, 0x%08X)\n",
++ wptr, ih->rptr, (wptr + 16) & ih->ptr_mask);
++ ih->rptr = (wptr + 16) & ih->ptr_mask;
++ tmp = RREG32(mmIH_RB_CNTL);
++ tmp = REG_SET_FIELD(tmp, IH_RB_CNTL, WPTR_OVERFLOW_CLEAR, 1);
++ WREG32(mmIH_RB_CNTL, tmp);
++
++
++out:
+ return (wptr & ih->ptr_mask);
+ }
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/tonga_ih.c b/drivers/gpu/drm/amd/amdgpu/tonga_ih.c
+index e40140bf6699..db0a3bda13fb 100644
+--- a/drivers/gpu/drm/amd/amdgpu/tonga_ih.c
++++ b/drivers/gpu/drm/amd/amdgpu/tonga_ih.c
+@@ -195,19 +195,30 @@ static u32 tonga_ih_get_wptr(struct amdgpu_device *adev,
+
+ wptr = le32_to_cpu(*ih->wptr_cpu);
+
+- if (REG_GET_FIELD(wptr, IH_RB_WPTR, RB_OVERFLOW)) {
+- wptr = REG_SET_FIELD(wptr, IH_RB_WPTR, RB_OVERFLOW, 0);
+- /* When a ring buffer overflow happen start parsing interrupt
+- * from the last not overwritten vector (wptr + 16). Hopefully
+- * this should allow us to catchup.
+- */
+- dev_warn(adev->dev, "IH ring buffer overflow (0x%08X, 0x%08X, 0x%08X)\n",
+- wptr, ih->rptr, (wptr + 16) & ih->ptr_mask);
+- ih->rptr = (wptr + 16) & ih->ptr_mask;
+- tmp = RREG32(mmIH_RB_CNTL);
+- tmp = REG_SET_FIELD(tmp, IH_RB_CNTL, WPTR_OVERFLOW_CLEAR, 1);
+- WREG32(mmIH_RB_CNTL, tmp);
+- }
++ if (!REG_GET_FIELD(wptr, IH_RB_WPTR, RB_OVERFLOW))
++ goto out;
++
++ /* Double check that the overflow wasn't already cleared. */
++ wptr = RREG32(mmIH_RB_WPTR);
++
++ if (!REG_GET_FIELD(wptr, IH_RB_WPTR, RB_OVERFLOW))
++ goto out;
++
++ wptr = REG_SET_FIELD(wptr, IH_RB_WPTR, RB_OVERFLOW, 0);
++
++ /* When a ring buffer overflow happen start parsing interrupt
++ * from the last not overwritten vector (wptr + 16). Hopefully
++ * this should allow us to catchup.
++ */
++
++ dev_warn(adev->dev, "IH ring buffer overflow (0x%08X, 0x%08X, 0x%08X)\n",
++ wptr, ih->rptr, (wptr + 16) & ih->ptr_mask);
++ ih->rptr = (wptr + 16) & ih->ptr_mask;
++ tmp = RREG32(mmIH_RB_CNTL);
++ tmp = REG_SET_FIELD(tmp, IH_RB_CNTL, WPTR_OVERFLOW_CLEAR, 1);
++ WREG32(mmIH_RB_CNTL, tmp);
++
++out:
+ return (wptr & ih->ptr_mask);
+ }
+
+--
+2.30.1
+
--- /dev/null
+From 2c59dff4b4b02f28bfd9a7474fb3ddce49da4ffd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Dec 2020 18:32:53 +0800
+Subject: drm/hisilicon: Fix use-after-free
+
+From: Tian Tao <tiantao6@hisilicon.com>
+
+[ Upstream commit c855af2f9c5c60760fd1bed7889a81bc37d2591d ]
+
+Fix the problem of dev being released twice.
+------------[ cut here ]------------
+refcount_t: underflow; use-after-free.
+WARNING: CPU: 75 PID: 15700 at lib/refcount.c:28 refcount_warn_saturate+0xd4/0x150
+CPU: 75 PID: 15700 Comm: rmmod Tainted: G E 5.10.0-rc3+ #3
+Hardware name: Huawei TaiShan 200 (Model 2280)/BC82AMDDA, BIOS 0.88 07/24/2019
+pstate: 40400009 (nZcv daif +PAN -UAO -TCO BTYPE=--)
+pc : refcount_warn_saturate+0xd4/0x150
+lr : refcount_warn_saturate+0xd4/0x150
+sp : ffff2028150cbc00
+x29: ffff2028150cbc00 x28: ffff2028150121c0
+x27: 0000000000000000 x26: 0000000000000000
+x25: 0000000000000000 x24: 0000000000000003
+x23: 0000000000000000 x22: ffff2028150cbc90
+x21: ffff2020038a30a8 x20: ffff2028150cbc90
+x19: ffff0020cd938020 x18: 0000000000000010
+x17: 0000000000000000 x16: 0000000000000000
+x15: ffffffffffffffff x14: ffff2028950cb88f
+x13: ffff2028150cb89d x12: 0000000000000000
+x11: 0000000005f5e0ff x10: ffff2028150cb800
+x9 : 00000000ffffffd0 x8 : 75203b776f6c6672
+x7 : ffff800011a6f7c8 x6 : 0000000000000001
+x5 : 0000000000000000 x4 : 0000000000000000
+x3 : 0000000000000000 x2 : ffff202ffe2f9dc0
+x1 : ffffa02fecf40000 x0 : 0000000000000026
+Call trace:
+ refcount_warn_saturate+0xd4/0x150
+ devm_drm_dev_init_release+0x50/0x70
+ devm_action_release+0x20/0x30
+ release_nodes+0x13c/0x218
+ devres_release_all+0x80/0x170
+ device_release_driver_internal+0x128/0x1f0
+ driver_detach+0x6c/0xe0
+ bus_remove_driver+0x74/0x100
+ driver_unregister+0x34/0x60
+ pci_unregister_driver+0x24/0xd8
+ hibmc_pci_driver_exit+0x14/0xe858 [hibmc_drm]
+ __arm64_sys_delete_module+0x1fc/0x2d0
+ el0_svc_common.constprop.3+0xa8/0x188
+ do_el0_svc+0x80/0xa0
+ el0_sync_handler+0x8c/0xb0
+ el0_sync+0x15c/0x180
+CPU: 75 PID: 15700 Comm: rmmod Tainted: G E 5.10.0-rc3+ #3
+Hardware name: Huawei TaiShan 200 (Model 2280)/BC82AMDDA, BIOS 0.88 07/24/2019
+Call trace:
+ dump_backtrace+0x0/0x208
+ show_stack+0x2c/0x40
+ dump_stack+0xd8/0x10c
+ __warn+0xac/0x128
+ report_bug+0xcc/0x180
+ bug_handler+0x24/0x78
+ call_break_hook+0x80/0xa0
+ brk_handler+0x28/0x68
+ do_debug_exception+0x9c/0x148
+ el1_sync_handler+0x7c/0x128
+ el1_sync+0x80/0x100
+ refcount_warn_saturate+0xd4/0x150
+ devm_drm_dev_init_release+0x50/0x70
+ devm_action_release+0x20/0x30
+ release_nodes+0x13c/0x218
+ devres_release_all+0x80/0x170
+ device_release_driver_internal+0x128/0x1f0
+ driver_detach+0x6c/0xe0
+ bus_remove_driver+0x74/0x100
+ driver_unregister+0x34/0x60
+ pci_unregister_driver+0x24/0xd8
+ hibmc_pci_driver_exit+0x14/0xe858 [hibmc_drm]
+ __arm64_sys_delete_module+0x1fc/0x2d0
+ el0_svc_common.constprop.3+0xa8/0x188
+ do_el0_svc+0x80/0xa0
+ el0_sync_handler+0x8c/0xb0
+ el0_sync+0x15c/0x180
+---[ end trace 00718630d6e5ff18 ]---
+
+Signed-off-by: Tian Tao <tiantao6@hisilicon.com>
+Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/1607941973-32287-1-git-send-email-tiantao6@hisilicon.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_drv.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_drv.c b/drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_drv.c
+index c103005b0a33..a34ef5ec7d42 100644
+--- a/drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_drv.c
++++ b/drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_drv.c
+@@ -376,7 +376,6 @@ static void hibmc_pci_remove(struct pci_dev *pdev)
+
+ drm_dev_unregister(dev);
+ hibmc_unload(dev);
+- drm_dev_put(dev);
+ }
+
+ static struct pci_device_id hibmc_pci_table[] = {
+--
+2.30.1
+
--- /dev/null
+From 2aa50353291cd0570e5ce7d492e17251718ea79e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Jan 2021 09:55:09 +0800
+Subject: f2fs: fix to set/clear I_LINKABLE under i_lock
+
+From: Chao Yu <yuchao0@huawei.com>
+
+[ Upstream commit 46085f37fc9e12d5c3539fb768b5ad7951e72acf ]
+
+fsstress + fault injection test case reports a warning message as
+below:
+
+WARNING: CPU: 13 PID: 6226 at fs/inode.c:361 inc_nlink+0x32/0x40
+Call Trace:
+ f2fs_init_inode_metadata+0x25c/0x4a0 [f2fs]
+ f2fs_add_inline_entry+0x153/0x3b0 [f2fs]
+ f2fs_add_dentry+0x75/0x80 [f2fs]
+ f2fs_do_add_link+0x108/0x160 [f2fs]
+ f2fs_rename2+0x6ab/0x14f0 [f2fs]
+ vfs_rename+0x70c/0x940
+ do_renameat2+0x4d8/0x4f0
+ __x64_sys_renameat2+0x4b/0x60
+ do_syscall_64+0x33/0x80
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Following race case can cause this:
+Thread A Kworker
+- f2fs_rename
+ - f2fs_create_whiteout
+ - __f2fs_tmpfile
+ - f2fs_i_links_write
+ - f2fs_mark_inode_dirty_sync
+ - mark_inode_dirty_sync
+ - writeback_single_inode
+ - __writeback_single_inode
+ - spin_lock(&inode->i_lock)
+ - inode->i_state |= I_LINKABLE
+ - inode->i_state &= ~dirty
+ - spin_unlock(&inode->i_lock)
+ - f2fs_add_link
+ - f2fs_do_add_link
+ - f2fs_add_dentry
+ - f2fs_add_inline_entry
+ - f2fs_init_inode_metadata
+ - f2fs_i_links_write
+ - inc_nlink
+ - WARN_ON(!(inode->i_state & I_LINKABLE))
+
+Fix to add i_lock to avoid i_state update race condition.
+
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/namei.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c
+index 5d9584281935..3a97ac56821b 100644
+--- a/fs/f2fs/namei.c
++++ b/fs/f2fs/namei.c
+@@ -797,7 +797,11 @@ static int __f2fs_tmpfile(struct inode *dir, struct dentry *dentry,
+
+ if (whiteout) {
+ f2fs_i_links_write(inode, false);
++
++ spin_lock(&inode->i_lock);
+ inode->i_state |= I_LINKABLE;
++ spin_unlock(&inode->i_lock);
++
+ *whiteout = inode;
+ } else {
+ d_tmpfile(dentry, inode);
+@@ -996,7 +1000,11 @@ static int f2fs_rename(struct inode *old_dir, struct dentry *old_dentry,
+ err = f2fs_add_link(old_dentry, whiteout);
+ if (err)
+ goto put_out_dir;
++
++ spin_lock(&whiteout->i_lock);
+ whiteout->i_state &= ~I_LINKABLE;
++ spin_unlock(&whiteout->i_lock);
++
+ iput(whiteout);
+ }
+
+--
+2.30.1
+
--- /dev/null
+From 4796bc4b1f1c52305e7f44ad867313a89f8b2f2a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Dec 2020 11:44:25 -0800
+Subject: f2fs: handle unallocated section and zone on pinned/atgc
+
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+
+[ Upstream commit 632faca72938f9f63049e48a8c438913828ac7a9 ]
+
+If we have large section/zone, unallocated segment makes them corrupted.
+
+E.g.,
+
+ - Pinned file: -1 119304647 119304647
+ - ATGC data: -1 119304647 119304647
+
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/segment.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/f2fs/segment.h b/fs/f2fs/segment.h
+index 325781a1ae4d..2034b9a07d63 100644
+--- a/fs/f2fs/segment.h
++++ b/fs/f2fs/segment.h
+@@ -88,11 +88,11 @@
+ #define BLKS_PER_SEC(sbi) \
+ ((sbi)->segs_per_sec * (sbi)->blocks_per_seg)
+ #define GET_SEC_FROM_SEG(sbi, segno) \
+- ((segno) / (sbi)->segs_per_sec)
++ (((segno) == -1) ? -1: (segno) / (sbi)->segs_per_sec)
+ #define GET_SEG_FROM_SEC(sbi, secno) \
+ ((secno) * (sbi)->segs_per_sec)
+ #define GET_ZONE_FROM_SEC(sbi, secno) \
+- ((secno) / (sbi)->secs_per_zone)
++ (((secno) == -1) ? -1: (secno) / (sbi)->secs_per_zone)
+ #define GET_ZONE_FROM_SEG(sbi, segno) \
+ GET_ZONE_FROM_SEC(sbi, GET_SEC_FROM_SEG(sbi, segno))
+
+--
+2.30.1
+
--- /dev/null
+From 5b3f91c3b5e868fcc2b7b5d7eb81afb455079318 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Dec 2020 14:35:19 +0100
+Subject: media: uvcvideo: Allow entities with no pads
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+[ Upstream commit 7532dad6634031d083df7af606fac655b8d08b5c ]
+
+Avoid an underflow while calculating the number of inputs for entities
+with zero pads.
+
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/uvc/uvc_driver.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c
+index 99883550375e..40ca1d4e0348 100644
+--- a/drivers/media/usb/uvc/uvc_driver.c
++++ b/drivers/media/usb/uvc/uvc_driver.c
+@@ -967,7 +967,10 @@ static struct uvc_entity *uvc_alloc_entity(u16 type, u8 id,
+ unsigned int i;
+
+ extra_size = roundup(extra_size, sizeof(*entity->pads));
+- num_inputs = (type & UVC_TERM_OUTPUT) ? num_pads : num_pads - 1;
++ if (num_pads)
++ num_inputs = type & UVC_TERM_OUTPUT ? num_pads : num_pads - 1;
++ else
++ num_inputs = 0;
+ size = sizeof(*entity) + extra_size + sizeof(*entity->pads) * num_pads
+ + num_inputs;
+ entity = kzalloc(size, GFP_KERNEL);
+@@ -983,7 +986,7 @@ static struct uvc_entity *uvc_alloc_entity(u16 type, u8 id,
+
+ for (i = 0; i < num_inputs; ++i)
+ entity->pads[i].flags = MEDIA_PAD_FL_SINK;
+- if (!UVC_ENTITY_IS_OTERM(entity))
++ if (!UVC_ENTITY_IS_OTERM(entity) && num_pads)
+ entity->pads[num_pads-1].flags = MEDIA_PAD_FL_SOURCE;
+
+ entity->bNrInPins = num_inputs;
+--
+2.30.1
+
--- /dev/null
+From b6ab0139d961af6a30bd9a1897f32848c0feff7e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Jan 2021 11:32:36 +0800
+Subject: nvme-core: add cancel tagset helpers
+
+From: Chao Leng <lengchao@huawei.com>
+
+[ Upstream commit 2547906982e2e6a0d42f8957f55af5bb51a7e55f ]
+
+Add nvme_cancel_tagset and nvme_cancel_admin_tagset for tear down and
+reconnection error handling.
+
+Signed-off-by: Chao Leng <lengchao@huawei.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 20 ++++++++++++++++++++
+ drivers/nvme/host/nvme.h | 2 ++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index c2cabd77884b..95d77a17375e 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -317,6 +317,26 @@ bool nvme_cancel_request(struct request *req, void *data, bool reserved)
+ }
+ EXPORT_SYMBOL_GPL(nvme_cancel_request);
+
++void nvme_cancel_tagset(struct nvme_ctrl *ctrl)
++{
++ if (ctrl->tagset) {
++ blk_mq_tagset_busy_iter(ctrl->tagset,
++ nvme_cancel_request, ctrl);
++ blk_mq_tagset_wait_completed_request(ctrl->tagset);
++ }
++}
++EXPORT_SYMBOL_GPL(nvme_cancel_tagset);
++
++void nvme_cancel_admin_tagset(struct nvme_ctrl *ctrl)
++{
++ if (ctrl->admin_tagset) {
++ blk_mq_tagset_busy_iter(ctrl->admin_tagset,
++ nvme_cancel_request, ctrl);
++ blk_mq_tagset_wait_completed_request(ctrl->admin_tagset);
++ }
++}
++EXPORT_SYMBOL_GPL(nvme_cancel_admin_tagset);
++
+ bool nvme_change_ctrl_state(struct nvme_ctrl *ctrl,
+ enum nvme_ctrl_state new_state)
+ {
+diff --git a/drivers/nvme/host/nvme.h b/drivers/nvme/host/nvme.h
+index e392d6cd92ce..62e5401865fe 100644
+--- a/drivers/nvme/host/nvme.h
++++ b/drivers/nvme/host/nvme.h
+@@ -468,6 +468,8 @@ static inline void nvme_put_ctrl(struct nvme_ctrl *ctrl)
+
+ void nvme_complete_rq(struct request *req);
+ bool nvme_cancel_request(struct request *req, void *data, bool reserved);
++void nvme_cancel_tagset(struct nvme_ctrl *ctrl);
++void nvme_cancel_admin_tagset(struct nvme_ctrl *ctrl);
+ bool nvme_change_ctrl_state(struct nvme_ctrl *ctrl,
+ enum nvme_ctrl_state new_state);
+ bool nvme_wait_reset(struct nvme_ctrl *ctrl);
+--
+2.30.1
+
--- /dev/null
+From f4edaf81bd1943e0725087bd2069bcf6718141b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Jan 2021 11:32:37 +0800
+Subject: nvme-rdma: add clean action for failed reconnection
+
+From: Chao Leng <lengchao@huawei.com>
+
+[ Upstream commit 958dc1d32c80566f58d18f05ef1f05bd32d172c1 ]
+
+A crash happens when inject failed reconnection.
+If reconnect failed after start io queues, the queues will be unquiesced
+and new requests continue to be delivered. Reconnection error handling
+process directly free queues without cancel suspend requests. The
+suppend request will time out, and then crash due to use the queue
+after free.
+
+Add sync queues and cancel suppend requests for reconnection error
+handling.
+
+Signed-off-by: Chao Leng <lengchao@huawei.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/rdma.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c
+index 8a62c2fe5a5e..da6030010432 100644
+--- a/drivers/nvme/host/rdma.c
++++ b/drivers/nvme/host/rdma.c
+@@ -835,12 +835,16 @@ static int nvme_rdma_configure_admin_queue(struct nvme_rdma_ctrl *ctrl,
+
+ error = nvme_init_identify(&ctrl->ctrl);
+ if (error)
+- goto out_stop_queue;
++ goto out_quiesce_queue;
+
+ return 0;
+
++out_quiesce_queue:
++ blk_mq_quiesce_queue(ctrl->ctrl.admin_q);
++ blk_sync_queue(ctrl->ctrl.admin_q);
+ out_stop_queue:
+ nvme_rdma_stop_queue(&ctrl->queues[0]);
++ nvme_cancel_admin_tagset(&ctrl->ctrl);
+ out_cleanup_queue:
+ if (new)
+ blk_cleanup_queue(ctrl->ctrl.admin_q);
+@@ -917,8 +921,10 @@ static int nvme_rdma_configure_io_queues(struct nvme_rdma_ctrl *ctrl, bool new)
+
+ out_wait_freeze_timed_out:
+ nvme_stop_queues(&ctrl->ctrl);
++ nvme_sync_io_queues(&ctrl->ctrl);
+ nvme_rdma_stop_io_queues(ctrl);
+ out_cleanup_connect_q:
++ nvme_cancel_tagset(&ctrl->ctrl);
+ if (new)
+ blk_cleanup_queue(ctrl->ctrl.connect_q);
+ out_free_tag_set:
+@@ -1054,10 +1060,18 @@ static int nvme_rdma_setup_ctrl(struct nvme_rdma_ctrl *ctrl, bool new)
+ return 0;
+
+ destroy_io:
+- if (ctrl->ctrl.queue_count > 1)
++ if (ctrl->ctrl.queue_count > 1) {
++ nvme_stop_queues(&ctrl->ctrl);
++ nvme_sync_io_queues(&ctrl->ctrl);
++ nvme_rdma_stop_io_queues(ctrl);
++ nvme_cancel_tagset(&ctrl->ctrl);
+ nvme_rdma_destroy_io_queues(ctrl, new);
++ }
+ destroy_admin:
++ blk_mq_quiesce_queue(ctrl->ctrl.admin_q);
++ blk_sync_queue(ctrl->ctrl.admin_q);
+ nvme_rdma_stop_queue(&ctrl->queues[0]);
++ nvme_cancel_admin_tagset(&ctrl->ctrl);
+ nvme_rdma_destroy_admin_queue(ctrl, new);
+ return ret;
+ }
+--
+2.30.1
+
--- /dev/null
+From 634fad6238cd1945d0ddb311a575eb535fa08462 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Jan 2021 11:32:38 +0800
+Subject: nvme-tcp: add clean action for failed reconnection
+
+From: Chao Leng <lengchao@huawei.com>
+
+[ Upstream commit 70a99574a79f1cd4dc7ad56ea37be40844bfb97b ]
+
+If reconnect failed after start io queues, the queues will be unquiesced
+and new requests continue to be delivered. Reconnection error handling
+process directly free queues without cancel suspend requests. The
+suppend request will time out, and then crash due to use the queue
+after free.
+
+Add sync queues and cancel suppend requests for reconnection error
+handling.
+
+Signed-off-by: Chao Leng <lengchao@huawei.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/tcp.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c
+index a554021e1ab9..77a3c488ec12 100644
+--- a/drivers/nvme/host/tcp.c
++++ b/drivers/nvme/host/tcp.c
+@@ -1710,8 +1710,10 @@ static int nvme_tcp_configure_io_queues(struct nvme_ctrl *ctrl, bool new)
+
+ out_wait_freeze_timed_out:
+ nvme_stop_queues(ctrl);
++ nvme_sync_io_queues(ctrl);
+ nvme_tcp_stop_io_queues(ctrl);
+ out_cleanup_connect_q:
++ nvme_cancel_tagset(ctrl);
+ if (new)
+ blk_cleanup_queue(ctrl->connect_q);
+ out_free_tag_set:
+@@ -1773,12 +1775,16 @@ static int nvme_tcp_configure_admin_queue(struct nvme_ctrl *ctrl, bool new)
+
+ error = nvme_init_identify(ctrl);
+ if (error)
+- goto out_stop_queue;
++ goto out_quiesce_queue;
+
+ return 0;
+
++out_quiesce_queue:
++ blk_mq_quiesce_queue(ctrl->admin_q);
++ blk_sync_queue(ctrl->admin_q);
+ out_stop_queue:
+ nvme_tcp_stop_queue(ctrl, 0);
++ nvme_cancel_admin_tagset(ctrl);
+ out_cleanup_queue:
+ if (new)
+ blk_cleanup_queue(ctrl->admin_q);
+@@ -1892,10 +1898,18 @@ static int nvme_tcp_setup_ctrl(struct nvme_ctrl *ctrl, bool new)
+ return 0;
+
+ destroy_io:
+- if (ctrl->queue_count > 1)
++ if (ctrl->queue_count > 1) {
++ nvme_stop_queues(ctrl);
++ nvme_sync_io_queues(ctrl);
++ nvme_tcp_stop_io_queues(ctrl);
++ nvme_cancel_tagset(ctrl);
+ nvme_tcp_destroy_io_queues(ctrl, new);
++ }
+ destroy_admin:
++ blk_mq_quiesce_queue(ctrl->admin_q);
++ blk_sync_queue(ctrl->admin_q);
+ nvme_tcp_stop_queue(ctrl, 0);
++ nvme_cancel_admin_tagset(ctrl);
+ nvme_tcp_destroy_admin_queue(ctrl, new);
+ return ret;
+ }
+--
+2.30.1
+
--- /dev/null
+From 8a90e2a655121c75faae5e024225770bd9582117 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Jan 2021 18:12:30 -0500
+Subject: parisc: Bump 64-bit IRQ stack size to 64 KB
+
+From: John David Anglin <dave.anglin@bell.net>
+
+[ Upstream commit 31680c1d1595a59e17c14ec036b192a95f8e5f4a ]
+
+Bump 64-bit IRQ stack size to 64 KB.
+
+I had a kernel IRQ stack overflow on the mx3210 debian buildd machine. This patch increases the
+64-bit IRQ stack size to 64 KB. The 64-bit stack size needs to be larger than the 32-bit stack
+size since registers are twice as big.
+
+Signed-off-by: John David Anglin <dave.anglin@bell.net>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/parisc/kernel/irq.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/arch/parisc/kernel/irq.c b/arch/parisc/kernel/irq.c
+index e5fcfb70cc7c..4d54aa70ea5f 100644
+--- a/arch/parisc/kernel/irq.c
++++ b/arch/parisc/kernel/irq.c
+@@ -376,7 +376,11 @@ static inline int eirr_to_irq(unsigned long eirr)
+ /*
+ * IRQ STACK - used for irq handler
+ */
++#ifdef CONFIG_64BIT
++#define IRQ_STACK_SIZE (4096 << 4) /* 64k irq stack size */
++#else
+ #define IRQ_STACK_SIZE (4096 << 3) /* 32k irq stack size */
++#endif
+
+ union irq_stack_union {
+ unsigned long stack[IRQ_STACK_SIZE/sizeof(unsigned long)];
+--
+2.30.1
+
--- /dev/null
+From d8b319ae8173e4e815d24c73f4893fd08aeba4e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Jan 2021 12:26:55 +0100
+Subject: PCI: Add a REBAR size quirk for Sapphire RX 5600 XT Pulse
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nirmoy Das <nirmoy.das@amd.com>
+
+[ Upstream commit 907830b0fc9e374d00f3c83de5e426157b482c01 ]
+
+RX 5600 XT Pulse advertises support for BAR 0 being 256MB, 512MB,
+or 1GB, but it also supports 2GB, 4GB, and 8GB. Add a rebar
+size quirk so that the BAR 0 is big enough to cover complete VARM.
+
+Signed-off-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Nirmoy Das <nirmoy.das@amd.com>
+Acked-by: Bjorn Helgaas <bhelgaas@google.com>
+Link: https://patchwork.kernel.org/project/dri-devel/patch/20210107175017.15893-5-nirmoy.das@amd.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pci.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
+index 89dece8a4132..9add26438be5 100644
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -3471,7 +3471,14 @@ u32 pci_rebar_get_possible_sizes(struct pci_dev *pdev, int bar)
+ return 0;
+
+ pci_read_config_dword(pdev, pos + PCI_REBAR_CAP, &cap);
+- return (cap & PCI_REBAR_CAP_SIZES) >> 4;
++ cap &= PCI_REBAR_CAP_SIZES;
++
++ /* Sapphire RX 5600 XT Pulse has an invalid cap dword for BAR 0 */
++ if (pdev->vendor == PCI_VENDOR_ID_ATI && pdev->device == 0x731f &&
++ bar == 0 && cap == 0x7000)
++ cap = 0x3f000;
++
++ return cap >> 4;
+ }
+
+ /**
+--
+2.30.1
+
--- /dev/null
+From 222ed1f463efb6dede0790e33109735db966f032 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Feb 2021 11:13:24 -0800
+Subject: perf/x86/kvm: Add Cascade Lake Xeon steppings to isolation_ucodes[]
+
+From: Jim Mattson <jmattson@google.com>
+
+[ Upstream commit b3c3361fe325074d4144c29d46daae4fc5a268d5 ]
+
+Cascade Lake Xeon parts have the same model number as Skylake Xeon
+parts, so they are tagged with the intel_pebs_isolation
+quirk. However, as with Skylake Xeon H0 stepping parts, the PEBS
+isolation issue is fixed in all microcode versions.
+
+Add the Cascade Lake Xeon steppings (5, 6, and 7) to the
+isolation_ucodes[] table so that these parts benefit from Andi's
+optimization in commit 9b545c04abd4f ("perf/x86/kvm: Avoid unnecessary
+work in guest filtering").
+
+Signed-off-by: Jim Mattson <jmattson@google.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Andi Kleen <ak@linux.intel.com>
+Link: https://lkml.kernel.org/r/20210205191324.2889006-1-jmattson@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/intel/core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c
+index b24c38090dd9..90760393a964 100644
+--- a/arch/x86/events/intel/core.c
++++ b/arch/x86/events/intel/core.c
+@@ -4002,6 +4002,9 @@ static const struct x86_cpu_desc isolation_ucodes[] = {
+ INTEL_CPU_DESC(INTEL_FAM6_BROADWELL_X, 2, 0x0b000014),
+ INTEL_CPU_DESC(INTEL_FAM6_SKYLAKE_X, 3, 0x00000021),
+ INTEL_CPU_DESC(INTEL_FAM6_SKYLAKE_X, 4, 0x00000000),
++ INTEL_CPU_DESC(INTEL_FAM6_SKYLAKE_X, 5, 0x00000000),
++ INTEL_CPU_DESC(INTEL_FAM6_SKYLAKE_X, 6, 0x00000000),
++ INTEL_CPU_DESC(INTEL_FAM6_SKYLAKE_X, 7, 0x00000000),
+ INTEL_CPU_DESC(INTEL_FAM6_SKYLAKE_L, 3, 0x0000007c),
+ INTEL_CPU_DESC(INTEL_FAM6_SKYLAKE, 3, 0x0000007c),
+ INTEL_CPU_DESC(INTEL_FAM6_KABYLAKE, 9, 0x0000004e),
+--
+2.30.1
+
--- /dev/null
+From 83cdc8000f17fd027593698cdb137e75d94b3f51 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Jan 2021 20:42:29 +0800
+Subject: pktgen: fix misuse of BUG_ON() in pktgen_thread_worker()
+
+From: Di Zhu <zhudi21@huawei.com>
+
+[ Upstream commit 275b1e88cabb34dbcbe99756b67e9939d34a99b6 ]
+
+pktgen create threads for all online cpus and bond these threads to
+relevant cpu repecivtily. when this thread firstly be woken up, it
+will compare cpu currently running with the cpu specified at the time
+of creation and if the two cpus are not equal, BUG_ON() will take effect
+causing panic on the system.
+Notice that these threads could be migrated to other cpus before start
+running because of the cpu hotplug after these threads have created. so the
+BUG_ON() used here seems unreasonable and we can replace it with WARN_ON()
+to just printf a warning other than panic the system.
+
+Signed-off-by: Di Zhu <zhudi21@huawei.com>
+Link: https://lore.kernel.org/r/20210125124229.19334-1-zhudi21@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/pktgen.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/core/pktgen.c b/net/core/pktgen.c
+index cb3b565ff5ad..1d20dd70879b 100644
+--- a/net/core/pktgen.c
++++ b/net/core/pktgen.c
+@@ -3465,7 +3465,7 @@ static int pktgen_thread_worker(void *arg)
+ struct pktgen_dev *pkt_dev = NULL;
+ int cpu = t->cpu;
+
+- BUG_ON(smp_processor_id() != cpu);
++ WARN_ON(smp_processor_id() != cpu);
+
+ init_waitqueue_head(&t->queue);
+ complete(&t->start_done);
+--
+2.30.1
+
--- /dev/null
+From 6af62a5e6aeeb4b19daa39997d4360b83362ab6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Feb 2021 08:35:53 +0100
+Subject: sched/features: Fix hrtick reprogramming
+
+From: Juri Lelli <juri.lelli@redhat.com>
+
+[ Upstream commit 156ec6f42b8d300dbbf382738ff35c8bad8f4c3a ]
+
+Hung tasks and RCU stall cases were reported on systems which were not
+100% busy. Investigation of such unexpected cases (no sign of potential
+starvation caused by tasks hogging the system) pointed out that the
+periodic sched tick timer wasn't serviced anymore after a certain point
+and that caused all machinery that depends on it (timers, RCU, etc.) to
+stop working as well. This issues was however only reproducible if
+HRTICK was enabled.
+
+Looking at core dumps it was found that the rbtree of the hrtimer base
+used also for the hrtick was corrupted (i.e. next as seen from the base
+root and actual leftmost obtained by traversing the tree are different).
+Same base is also used for periodic tick hrtimer, which might get "lost"
+if the rbtree gets corrupted.
+
+Much alike what described in commit 1f71addd34f4c ("tick/sched: Do not
+mess with an enqueued hrtimer") there is a race window between
+hrtimer_set_expires() in hrtick_start and hrtimer_start_expires() in
+__hrtick_restart() in which the former might be operating on an already
+queued hrtick hrtimer, which might lead to corruption of the base.
+
+Use hrtick_start() (which removes the timer before enqueuing it back) to
+ensure hrtick hrtimer reprogramming is entirely guarded by the base
+lock, so that no race conditions can occur.
+
+Signed-off-by: Juri Lelli <juri.lelli@redhat.com>
+Signed-off-by: Luis Claudio R. Goncalves <lgoncalv@redhat.com>
+Signed-off-by: Daniel Bristot de Oliveira <bristot@redhat.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Link: https://lkml.kernel.org/r/20210208073554.14629-2-juri.lelli@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/core.c | 8 +++-----
+ kernel/sched/sched.h | 1 +
+ 2 files changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index 7841e738e38f..2ce61018e33b 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -254,8 +254,9 @@ static enum hrtimer_restart hrtick(struct hrtimer *timer)
+ static void __hrtick_restart(struct rq *rq)
+ {
+ struct hrtimer *timer = &rq->hrtick_timer;
++ ktime_t time = rq->hrtick_time;
+
+- hrtimer_start_expires(timer, HRTIMER_MODE_ABS_PINNED_HARD);
++ hrtimer_start(timer, time, HRTIMER_MODE_ABS_PINNED_HARD);
+ }
+
+ /*
+@@ -280,7 +281,6 @@ static void __hrtick_start(void *arg)
+ void hrtick_start(struct rq *rq, u64 delay)
+ {
+ struct hrtimer *timer = &rq->hrtick_timer;
+- ktime_t time;
+ s64 delta;
+
+ /*
+@@ -288,9 +288,7 @@ void hrtick_start(struct rq *rq, u64 delay)
+ * doesn't make sense and can cause timer DoS.
+ */
+ delta = max_t(s64, delay, 10000LL);
+- time = ktime_add_ns(timer->base->get_time(), delta);
+-
+- hrtimer_set_expires(timer, time);
++ rq->hrtick_time = ktime_add_ns(timer->base->get_time(), delta);
+
+ if (rq == this_rq()) {
+ __hrtick_restart(rq);
+diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h
+index e10fb9bf2988..4e490e3db2f8 100644
+--- a/kernel/sched/sched.h
++++ b/kernel/sched/sched.h
+@@ -973,6 +973,7 @@ struct rq {
+ call_single_data_t hrtick_csd;
+ #endif
+ struct hrtimer hrtick_timer;
++ ktime_t hrtick_time;
+ #endif
+
+ #ifdef CONFIG_SCHEDSTATS
+--
+2.30.1
+
rsi-fix-tx-eapol-packet-handling-against-iwlwifi-ap.patch
rsi-move-card-interrupt-handling-to-rx-thread.patch
rcu-nocb-trigger-self-ipi-on-late-deferred-wake-up-b.patch
+staging-fwserial-fix-error-handling-in-fwserial_crea.patch
+x86-reboot-add-zotac-zbox-ci327-nano-pci-reboot-quir.patch
+vt-consolemap-do-font-sum-unsigned.patch
+wlcore-fix-command-execute-failure-19-for-wl12xx.patch
+bluetooth-hci_h5-set-hci_quirk_simultaneous_discover.patch
+pktgen-fix-misuse-of-bug_on-in-pktgen_thread_worker.patch
+ath10k-fix-wmi-mgmt-tx-queue-full-due-to-race-condit.patch
+x86-build-treat-r_386_plt32-relocation-as-r_386_pc32.patch
+bluetooth-fix-null-pointer-dereference-in-amp_read_l.patch
+staging-most-sound-add-sanity-check-for-function-arg.patch
+staging-bcm2835-audio-replace-unsafe-strcpy-with-str.patch
+brcmfmac-add-dmi-nvram-filename-quirk-for-predia-bas.patch
+brcmfmac-add-dmi-nvram-filename-quirk-for-voyo-winpa.patch
+drm-hisilicon-fix-use-after-free.patch
+crypto-tcrypt-avoid-signed-overflow-in-byte-count.patch
+drm-amdgpu-add-check-to-prevent-ih-overflow.patch
+pci-add-a-rebar-size-quirk-for-sapphire-rx-5600-xt-p.patch
+drm-amd-display-guard-against-null-pointer-deref-whe.patch
+media-uvcvideo-allow-entities-with-no-pads.patch
+f2fs-handle-unallocated-section-and-zone-on-pinned-a.patch
+f2fs-fix-to-set-clear-i_linkable-under-i_lock.patch
+nvme-core-add-cancel-tagset-helpers.patch
+nvme-rdma-add-clean-action-for-failed-reconnection.patch
+nvme-tcp-add-clean-action-for-failed-reconnection.patch
+asoc-intel-add-dmi-quirk-table-to-soc_intel_is_byt_c.patch
+btrfs-fix-error-handling-in-commit_fs_roots.patch
+perf-x86-kvm-add-cascade-lake-xeon-steppings-to-isol.patch
+parisc-bump-64-bit-irq-stack-size-to-64-kb.patch
+sched-features-fix-hrtick-reprogramming.patch
+asoc-intel-bytcr_rt5640-add-quirk-for-the-estar-beau.patch
+asoc-intel-bytcr_rt5640-add-quirk-for-the-voyo-winpa.patch
+asoc-intel-bytcr_rt5651-add-quirk-for-the-jumper-ezp.patch
+asoc-intel-bytcr_rt5640-add-quirk-for-the-acer-one-s.patch
--- /dev/null
+From 28b9f0a6e391ba1d5e5fba93c50dcec25a2c356e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Feb 2021 08:25:02 +0100
+Subject: staging: bcm2835-audio: Replace unsafe strcpy() with strscpy()
+
+From: Juerg Haefliger <juerg.haefliger@canonical.com>
+
+[ Upstream commit 4964a4300660d27907ceb655f219ac47e5941534 ]
+
+Replace strcpy() with strscpy() in bcm2835-audio/bcm2835.c to prevent the
+following when loading snd-bcm2835:
+
+[ 58.480634] ------------[ cut here ]------------
+[ 58.485321] kernel BUG at lib/string.c:1149!
+[ 58.489650] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
+[ 58.495214] Modules linked in: snd_bcm2835(COE+) snd_pcm snd_timer snd dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua btsdio bluetooth ecdh_generic ecc bcm2835_v4l2(CE) bcm2835_codec(CE) brcmfmac bcm2835_isp(CE) bcm2835_mmal_vchiq(CE) brcmutil cfg80211 v4l2_mem2mem videobuf2_vmalloc videobuf2_dma_contig videobuf2_memops raspberrypi_hwmon videobuf2_v4l2 videobuf2_common videodev bcm2835_gpiomem mc vc_sm_cma(CE) rpivid_mem uio_pdrv_genirq uio sch_fq_codel drm ip_tables x_tables autofs4 btrfs blake2b_generic raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor xor_neon raid6_pq libcrc32c raid1 raid0 multipath linear dwc2 roles spidev udc_core crct10dif_ce xhci_pci xhci_pci_renesas phy_generic aes_neon_bs aes_neon_blk crypto_simd cryptd
+[ 58.563787] CPU: 3 PID: 1959 Comm: insmod Tainted: G C OE 5.11.0-1001-raspi #1
+[ 58.572172] Hardware name: Raspberry Pi 4 Model B Rev 1.2 (DT)
+[ 58.578086] pstate: 60400005 (nZCv daif +PAN -UAO -TCO BTYPE=--)
+[ 58.584178] pc : fortify_panic+0x20/0x24
+[ 58.588161] lr : fortify_panic+0x20/0x24
+[ 58.592136] sp : ffff800010a83990
+[ 58.595491] x29: ffff800010a83990 x28: 0000000000000002
+[ 58.600879] x27: ffffb0b07cb72928 x26: 0000000000000000
+[ 58.606268] x25: ffff39e884973838 x24: ffffb0b07cb74190
+[ 58.611655] x23: ffffb0b07cb72030 x22: 0000000000000000
+[ 58.617042] x21: ffff39e884973014 x20: ffff39e88b793010
+[ 58.622428] x19: ffffb0b07cb72670 x18: 0000000000000030
+[ 58.627814] x17: 0000000000000000 x16: ffffb0b092ce2c1c
+[ 58.633200] x15: ffff39e88b901500 x14: 0720072007200720
+[ 58.638588] x13: 0720072007200720 x12: 0720072007200720
+[ 58.643979] x11: ffffb0b0936cbdf0 x10: 00000000fffff000
+[ 58.649366] x9 : ffffb0b09220cfa8 x8 : 0000000000000000
+[ 58.654752] x7 : ffffb0b093673df0 x6 : ffffb0b09364e000
+[ 58.660140] x5 : 0000000000000000 x4 : ffff39e93b7db948
+[ 58.665526] x3 : ffff39e93b7ebcf0 x2 : 0000000000000000
+[ 58.670913] x1 : 0000000000000000 x0 : 0000000000000022
+[ 58.676299] Call trace:
+[ 58.678775] fortify_panic+0x20/0x24
+[ 58.682402] snd_bcm2835_alsa_probe+0x5b8/0x7d8 [snd_bcm2835]
+[ 58.688247] platform_probe+0x74/0xe4
+[ 58.691963] really_probe+0xf0/0x510
+[ 58.695585] driver_probe_device+0xe0/0x100
+[ 58.699826] device_driver_attach+0xcc/0xd4
+[ 58.704068] __driver_attach+0xb0/0x17c
+[ 58.707956] bus_for_each_dev+0x7c/0xd4
+[ 58.711843] driver_attach+0x30/0x40
+[ 58.715467] bus_add_driver+0x154/0x250
+[ 58.719354] driver_register+0x84/0x140
+[ 58.723242] __platform_driver_register+0x34/0x40
+[ 58.728013] bcm2835_alsa_driver_init+0x30/0x1000 [snd_bcm2835]
+[ 58.734024] do_one_initcall+0x54/0x300
+[ 58.737914] do_init_module+0x60/0x280
+[ 58.741719] load_module+0x680/0x770
+[ 58.745344] __do_sys_finit_module+0xbc/0x130
+[ 58.749761] __arm64_sys_finit_module+0x2c/0x40
+[ 58.754356] el0_svc_common.constprop.0+0x88/0x220
+[ 58.759216] do_el0_svc+0x30/0xa0
+[ 58.762575] el0_svc+0x28/0x70
+[ 58.765669] el0_sync_handler+0x1a4/0x1b0
+[ 58.769732] el0_sync+0x178/0x180
+[ 58.773095] Code: aa0003e1 91366040 910003fd 97ffee21 (d4210000)
+[ 58.779275] ---[ end trace 29be5b17497bd898 ]---
+[ 58.783955] note: insmod[1959] exited with preempt_count 1
+[ 58.791921] ------------[ cut here ]------------
+
+For the sake of it, replace all the other occurences of strcpy() under
+bcm2835-audio/ as well.
+
+Signed-off-by: Juerg Haefliger <juergh@canonical.com>
+Link: https://lore.kernel.org/r/20210205072502.10907-1-juergh@canonical.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/vc04_services/bcm2835-audio/bcm2835-ctl.c | 6 +++---
+ drivers/staging/vc04_services/bcm2835-audio/bcm2835-pcm.c | 2 +-
+ drivers/staging/vc04_services/bcm2835-audio/bcm2835.c | 6 +++---
+ 3 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/staging/vc04_services/bcm2835-audio/bcm2835-ctl.c b/drivers/staging/vc04_services/bcm2835-audio/bcm2835-ctl.c
+index 4c2cae99776b..3703409715da 100644
+--- a/drivers/staging/vc04_services/bcm2835-audio/bcm2835-ctl.c
++++ b/drivers/staging/vc04_services/bcm2835-audio/bcm2835-ctl.c
+@@ -224,7 +224,7 @@ int snd_bcm2835_new_ctl(struct bcm2835_chip *chip)
+ {
+ int err;
+
+- strcpy(chip->card->mixername, "Broadcom Mixer");
++ strscpy(chip->card->mixername, "Broadcom Mixer", sizeof(chip->card->mixername));
+ err = create_ctls(chip, ARRAY_SIZE(snd_bcm2835_ctl), snd_bcm2835_ctl);
+ if (err < 0)
+ return err;
+@@ -261,7 +261,7 @@ static const struct snd_kcontrol_new snd_bcm2835_headphones_ctl[] = {
+
+ int snd_bcm2835_new_headphones_ctl(struct bcm2835_chip *chip)
+ {
+- strcpy(chip->card->mixername, "Broadcom Mixer");
++ strscpy(chip->card->mixername, "Broadcom Mixer", sizeof(chip->card->mixername));
+ return create_ctls(chip, ARRAY_SIZE(snd_bcm2835_headphones_ctl),
+ snd_bcm2835_headphones_ctl);
+ }
+@@ -295,7 +295,7 @@ static const struct snd_kcontrol_new snd_bcm2835_hdmi[] = {
+
+ int snd_bcm2835_new_hdmi_ctl(struct bcm2835_chip *chip)
+ {
+- strcpy(chip->card->mixername, "Broadcom Mixer");
++ strscpy(chip->card->mixername, "Broadcom Mixer", sizeof(chip->card->mixername));
+ return create_ctls(chip, ARRAY_SIZE(snd_bcm2835_hdmi),
+ snd_bcm2835_hdmi);
+ }
+diff --git a/drivers/staging/vc04_services/bcm2835-audio/bcm2835-pcm.c b/drivers/staging/vc04_services/bcm2835-audio/bcm2835-pcm.c
+index 826016c3431a..8708f97b46f3 100644
+--- a/drivers/staging/vc04_services/bcm2835-audio/bcm2835-pcm.c
++++ b/drivers/staging/vc04_services/bcm2835-audio/bcm2835-pcm.c
+@@ -351,7 +351,7 @@ int snd_bcm2835_new_pcm(struct bcm2835_chip *chip, const char *name,
+
+ pcm->private_data = chip;
+ pcm->nonatomic = true;
+- strcpy(pcm->name, name);
++ strscpy(pcm->name, name, sizeof(pcm->name));
+ if (!spdif) {
+ chip->dest = route;
+ chip->volume = 0;
+diff --git a/drivers/staging/vc04_services/bcm2835-audio/bcm2835.c b/drivers/staging/vc04_services/bcm2835-audio/bcm2835.c
+index cf5f80f5ca6b..c250fbef2fa3 100644
+--- a/drivers/staging/vc04_services/bcm2835-audio/bcm2835.c
++++ b/drivers/staging/vc04_services/bcm2835-audio/bcm2835.c
+@@ -185,9 +185,9 @@ static int snd_add_child_device(struct device *dev,
+ goto error;
+ }
+
+- strcpy(card->driver, audio_driver->driver.name);
+- strcpy(card->shortname, audio_driver->shortname);
+- strcpy(card->longname, audio_driver->longname);
++ strscpy(card->driver, audio_driver->driver.name, sizeof(card->driver));
++ strscpy(card->shortname, audio_driver->shortname, sizeof(card->shortname));
++ strscpy(card->longname, audio_driver->longname, sizeof(card->longname));
+
+ err = audio_driver->newpcm(chip, audio_driver->shortname,
+ audio_driver->route,
+--
+2.30.1
+
--- /dev/null
+From 20704eb0112926e934a00db357450e54d3b1a9cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Dec 2020 20:24:35 +0800
+Subject: staging: fwserial: Fix error handling in fwserial_create
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit f31559af97a0eabd467e4719253675b7dccb8a46 ]
+
+When fw_core_add_address_handler() fails, we need to destroy
+the port by tty_port_destroy(). Also we need to unregister
+the address handler by fw_core_remove_address_handler() on
+failure.
+
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Link: https://lore.kernel.org/r/20201221122437.10274-1-dinghao.liu@zju.edu.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/fwserial/fwserial.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/staging/fwserial/fwserial.c b/drivers/staging/fwserial/fwserial.c
+index aec0f19597a9..4df6e3c1ea96 100644
+--- a/drivers/staging/fwserial/fwserial.c
++++ b/drivers/staging/fwserial/fwserial.c
+@@ -2189,6 +2189,7 @@ static int fwserial_create(struct fw_unit *unit)
+ err = fw_core_add_address_handler(&port->rx_handler,
+ &fw_high_memory_region);
+ if (err) {
++ tty_port_destroy(&port->port);
+ kfree(port);
+ goto free_ports;
+ }
+@@ -2271,6 +2272,7 @@ unregister_ttys:
+
+ free_ports:
+ for (--i; i >= 0; --i) {
++ fw_core_remove_address_handler(&serial->ports[i]->rx_handler);
+ tty_port_destroy(&serial->ports[i]->port);
+ kfree(serial->ports[i]);
+ }
+--
+2.30.1
+
--- /dev/null
+From ae1c0ed4045ea7cc6ada52b41d4d5531d8c2b658 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Feb 2021 17:21:05 +0100
+Subject: staging: most: sound: add sanity check for function argument
+
+From: Christian Gromm <christian.gromm@microchip.com>
+
+[ Upstream commit 45b754ae5b82949dca2b6e74fa680313cefdc813 ]
+
+This patch checks the function parameter 'bytes' before doing the
+subtraction to prevent memory corruption.
+
+Signed-off-by: Christian Gromm <christian.gromm@microchip.com>
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/1612282865-21846-1-git-send-email-christian.gromm@microchip.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/most/sound/sound.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/staging/most/sound/sound.c b/drivers/staging/most/sound/sound.c
+index 79817061fcfa..4225ee9fcf7b 100644
+--- a/drivers/staging/most/sound/sound.c
++++ b/drivers/staging/most/sound/sound.c
+@@ -98,6 +98,8 @@ static void swap_copy24(u8 *dest, const u8 *source, unsigned int bytes)
+ {
+ unsigned int i = 0;
+
++ if (bytes < 2)
++ return;
+ while (i < bytes - 2) {
+ dest[i] = source[i + 2];
+ dest[i + 1] = source[i + 1];
+--
+2.30.1
+
--- /dev/null
+From 38c6056e45d2749e96d28e095780ba4e4c493a45 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Jan 2021 13:02:34 +0100
+Subject: vt/consolemap: do font sum unsigned
+
+From: Jiri Slaby <jslaby@suse.cz>
+
+[ Upstream commit 9777f8e60e718f7b022a94f2524f967d8def1931 ]
+
+The constant 20 makes the font sum computation signed which can lead to
+sign extensions and signed wraps. It's not much of a problem as we build
+with -fno-strict-overflow. But if we ever decide not to, be ready, so
+switch the constant to unsigned.
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Link: https://lore.kernel.org/r/20210105120239.28031-7-jslaby@suse.cz
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/vt/consolemap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/tty/vt/consolemap.c b/drivers/tty/vt/consolemap.c
+index b28aa0d289f8..251c02af1fc3 100644
+--- a/drivers/tty/vt/consolemap.c
++++ b/drivers/tty/vt/consolemap.c
+@@ -495,7 +495,7 @@ con_insert_unipair(struct uni_pagedir *p, u_short unicode, u_short fontpos)
+
+ p2[unicode & 0x3f] = fontpos;
+
+- p->sum += (fontpos << 20) + unicode;
++ p->sum += (fontpos << 20U) + unicode;
+
+ return 0;
+ }
+--
+2.30.1
+
--- /dev/null
+From f6475649af72a9a2cfb40448e4b02af54e6d77de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Jan 2021 08:56:13 +0200
+Subject: wlcore: Fix command execute failure 19 for wl12xx
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit cb88d01b67383a095e3f7caeb4cdade5a6cf0417 ]
+
+We can currently get a "command execute failure 19" error on beacon loss
+if the signal is weak:
+
+wlcore: Beacon loss detected. roles:0xff
+wlcore: Connection loss work (role_id: 0).
+...
+wlcore: ERROR command execute failure 19
+...
+WARNING: CPU: 0 PID: 1552 at drivers/net/wireless/ti/wlcore/main.c:803
+...
+(wl12xx_queue_recovery_work.part.0 [wlcore])
+(wl12xx_cmd_role_start_sta [wlcore])
+(wl1271_op_bss_info_changed [wlcore])
+(ieee80211_prep_connection [mac80211])
+
+Error 19 is defined as CMD_STATUS_WRONG_NESTING from the wlcore firmware,
+and seems to mean that the firmware no longer wants to see the quirk
+handling for WLCORE_QUIRK_START_STA_FAILS done.
+
+This quirk got added with commit 18eab430700d ("wlcore: workaround
+start_sta problem in wl12xx fw"), and it seems that this already got fixed
+in the firmware long time ago back in 2012 as wl18xx never had this quirk
+in place to start with.
+
+As we no longer even support firmware that early, to me it seems that it's
+safe to just drop WLCORE_QUIRK_START_STA_FAILS to fix the error. Looks
+like earlier firmware got disabled back in 2013 with commit 0e284c074ef9
+("wl12xx: increase minimum singlerole firmware version required").
+
+If it turns out we still need WLCORE_QUIRK_START_STA_FAILS with any
+firmware that the driver works with, we can simply revert this patch and
+add extra checks for firmware version used.
+
+With this fix wlcore reconnects properly after a beacon loss.
+
+Cc: Raz Bouganim <r-bouganim@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210115065613.7731-1-tony@atomide.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ti/wl12xx/main.c | 3 ---
+ drivers/net/wireless/ti/wlcore/main.c | 15 +--------------
+ drivers/net/wireless/ti/wlcore/wlcore.h | 3 ---
+ 3 files changed, 1 insertion(+), 20 deletions(-)
+
+diff --git a/drivers/net/wireless/ti/wl12xx/main.c b/drivers/net/wireless/ti/wl12xx/main.c
+index 3c9c623bb428..9d7dbfe7fe0c 100644
+--- a/drivers/net/wireless/ti/wl12xx/main.c
++++ b/drivers/net/wireless/ti/wl12xx/main.c
+@@ -635,7 +635,6 @@ static int wl12xx_identify_chip(struct wl1271 *wl)
+ wl->quirks |= WLCORE_QUIRK_LEGACY_NVS |
+ WLCORE_QUIRK_DUAL_PROBE_TMPL |
+ WLCORE_QUIRK_TKIP_HEADER_SPACE |
+- WLCORE_QUIRK_START_STA_FAILS |
+ WLCORE_QUIRK_AP_ZERO_SESSION_ID;
+ wl->sr_fw_name = WL127X_FW_NAME_SINGLE;
+ wl->mr_fw_name = WL127X_FW_NAME_MULTI;
+@@ -659,7 +658,6 @@ static int wl12xx_identify_chip(struct wl1271 *wl)
+ wl->quirks |= WLCORE_QUIRK_LEGACY_NVS |
+ WLCORE_QUIRK_DUAL_PROBE_TMPL |
+ WLCORE_QUIRK_TKIP_HEADER_SPACE |
+- WLCORE_QUIRK_START_STA_FAILS |
+ WLCORE_QUIRK_AP_ZERO_SESSION_ID;
+ wl->plt_fw_name = WL127X_PLT_FW_NAME;
+ wl->sr_fw_name = WL127X_FW_NAME_SINGLE;
+@@ -688,7 +686,6 @@ static int wl12xx_identify_chip(struct wl1271 *wl)
+ wl->quirks |= WLCORE_QUIRK_TX_BLOCKSIZE_ALIGN |
+ WLCORE_QUIRK_DUAL_PROBE_TMPL |
+ WLCORE_QUIRK_TKIP_HEADER_SPACE |
+- WLCORE_QUIRK_START_STA_FAILS |
+ WLCORE_QUIRK_AP_ZERO_SESSION_ID;
+
+ wlcore_set_min_fw_ver(wl, WL128X_CHIP_VER,
+diff --git a/drivers/net/wireless/ti/wlcore/main.c b/drivers/net/wireless/ti/wlcore/main.c
+index 5f74cf821068..be0ed19f9356 100644
+--- a/drivers/net/wireless/ti/wlcore/main.c
++++ b/drivers/net/wireless/ti/wlcore/main.c
+@@ -2862,21 +2862,8 @@ static int wlcore_join(struct wl1271 *wl, struct wl12xx_vif *wlvif)
+
+ if (is_ibss)
+ ret = wl12xx_cmd_role_start_ibss(wl, wlvif);
+- else {
+- if (wl->quirks & WLCORE_QUIRK_START_STA_FAILS) {
+- /*
+- * TODO: this is an ugly workaround for wl12xx fw
+- * bug - we are not able to tx/rx after the first
+- * start_sta, so make dummy start+stop calls,
+- * and then call start_sta again.
+- * this should be fixed in the fw.
+- */
+- wl12xx_cmd_role_start_sta(wl, wlvif);
+- wl12xx_cmd_role_stop_sta(wl, wlvif);
+- }
+-
++ else
+ ret = wl12xx_cmd_role_start_sta(wl, wlvif);
+- }
+
+ return ret;
+ }
+diff --git a/drivers/net/wireless/ti/wlcore/wlcore.h b/drivers/net/wireless/ti/wlcore/wlcore.h
+index b7821311ac75..81c94d390623 100644
+--- a/drivers/net/wireless/ti/wlcore/wlcore.h
++++ b/drivers/net/wireless/ti/wlcore/wlcore.h
+@@ -547,9 +547,6 @@ wlcore_set_min_fw_ver(struct wl1271 *wl, unsigned int chip,
+ /* Each RX/TX transaction requires an end-of-transaction transfer */
+ #define WLCORE_QUIRK_END_OF_TRANSACTION BIT(0)
+
+-/* the first start_role(sta) sometimes doesn't work on wl12xx */
+-#define WLCORE_QUIRK_START_STA_FAILS BIT(1)
+-
+ /* wl127x and SPI don't support SDIO block size alignment */
+ #define WLCORE_QUIRK_TX_BLOCKSIZE_ALIGN BIT(2)
+
+--
+2.30.1
+
--- /dev/null
+From 5cf56c92f87e05ea776b5e2f079945a3996bd332 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Jan 2021 12:56:00 -0800
+Subject: x86/build: Treat R_386_PLT32 relocation as R_386_PC32
+
+From: Fangrui Song <maskray@google.com>
+
+[ Upstream commit bb73d07148c405c293e576b40af37737faf23a6a ]
+
+This is similar to commit
+
+ b21ebf2fb4cd ("x86: Treat R_X86_64_PLT32 as R_X86_64_PC32")
+
+but for i386. As far as the kernel is concerned, R_386_PLT32 can be
+treated the same as R_386_PC32.
+
+R_386_PLT32/R_X86_64_PLT32 are PC-relative relocation types which
+can only be used by branches. If the referenced symbol is defined
+externally, a PLT will be used.
+
+R_386_PC32/R_X86_64_PC32 are PC-relative relocation types which can be
+used by address taking operations and branches. If the referenced symbol
+is defined externally, a copy relocation/canonical PLT entry will be
+created in the executable.
+
+On x86-64, there is no PIC vs non-PIC PLT distinction and an
+R_X86_64_PLT32 relocation is produced for both `call/jmp foo` and
+`call/jmp foo@PLT` with newer (2018) GNU as/LLVM integrated assembler.
+This avoids canonical PLT entries (st_shndx=0, st_value!=0).
+
+On i386, there are 2 types of PLTs, PIC and non-PIC. Currently,
+the GCC/GNU as convention is to use R_386_PC32 for non-PIC PLT and
+R_386_PLT32 for PIC PLT. Copy relocations/canonical PLT entries
+are possible ABI issues but GCC/GNU as will likely keep the status
+quo because (1) the ABI is legacy (2) the change will drop a GNU
+ld diagnostic for non-default visibility ifunc in shared objects.
+
+clang-12 -fno-pic (since [1]) can emit R_386_PLT32 for compiler
+generated function declarations, because preventing canonical PLT
+entries is weighed over the rare ifunc diagnostic.
+
+Further info for the more interested:
+
+ https://github.com/ClangBuiltLinux/linux/issues/1210
+ https://sourceware.org/bugzilla/show_bug.cgi?id=27169
+ https://github.com/llvm/llvm-project/commit/a084c0388e2a59b9556f2de0083333232da3f1d6 [1]
+
+ [ bp: Massage commit message. ]
+
+Reported-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Fangrui Song <maskray@google.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
+Tested-by: Nick Desaulniers <ndesaulniers@google.com>
+Tested-by: Nathan Chancellor <natechancellor@gmail.com>
+Tested-by: Sedat Dilek <sedat.dilek@gmail.com>
+Link: https://lkml.kernel.org/r/20210127205600.1227437-1-maskray@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/module.c | 1 +
+ arch/x86/tools/relocs.c | 12 ++++++++----
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/kernel/module.c b/arch/x86/kernel/module.c
+index d5c72cb877b3..77dabedaa9d1 100644
+--- a/arch/x86/kernel/module.c
++++ b/arch/x86/kernel/module.c
+@@ -114,6 +114,7 @@ int apply_relocate(Elf32_Shdr *sechdrs,
+ *location += sym->st_value;
+ break;
+ case R_386_PC32:
++ case R_386_PLT32:
+ /* Add the value, subtract its position */
+ *location += sym->st_value - (uint32_t)location;
+ break;
+diff --git a/arch/x86/tools/relocs.c b/arch/x86/tools/relocs.c
+index ce7188cbdae5..1c3a1962cade 100644
+--- a/arch/x86/tools/relocs.c
++++ b/arch/x86/tools/relocs.c
+@@ -867,9 +867,11 @@ static int do_reloc32(struct section *sec, Elf_Rel *rel, Elf_Sym *sym,
+ case R_386_PC32:
+ case R_386_PC16:
+ case R_386_PC8:
++ case R_386_PLT32:
+ /*
+- * NONE can be ignored and PC relative relocations don't
+- * need to be adjusted.
++ * NONE can be ignored and PC relative relocations don't need
++ * to be adjusted. Because sym must be defined, R_386_PLT32 can
++ * be treated the same way as R_386_PC32.
+ */
+ break;
+
+@@ -910,9 +912,11 @@ static int do_reloc_real(struct section *sec, Elf_Rel *rel, Elf_Sym *sym,
+ case R_386_PC32:
+ case R_386_PC16:
+ case R_386_PC8:
++ case R_386_PLT32:
+ /*
+- * NONE can be ignored and PC relative relocations don't
+- * need to be adjusted.
++ * NONE can be ignored and PC relative relocations don't need
++ * to be adjusted. Because sym must be defined, R_386_PLT32 can
++ * be treated the same way as R_386_PC32.
+ */
+ break;
+
+--
+2.30.1
+
--- /dev/null
+From 74cd5d4969c5a0815a37d5482ee6dd0b17c0d384 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Dec 2020 12:39:57 +0100
+Subject: x86/reboot: Add Zotac ZBOX CI327 nano PCI reboot quirk
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+[ Upstream commit 4b2d8ca9208be636b30e924b1cbcb267b0740c93 ]
+
+On this system the M.2 PCIe WiFi card isn't detected after reboot, only
+after cold boot. reboot=pci fixes this behavior. In [0] the same issue
+is described, although on another system and with another Intel WiFi
+card. In case it's relevant, both systems have Celeron CPUs.
+
+Add a PCI reboot quirk on affected systems until a more generic fix is
+available.
+
+[0] https://bugzilla.kernel.org/show_bug.cgi?id=202399
+
+ [ bp: Massage commit message. ]
+
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Link: https://lkml.kernel.org/r/1524eafd-f89c-cfa4-ed70-0bde9e45eec9@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/reboot.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c
+index 835b6fc0c1bb..b1b96d461bc7 100644
+--- a/arch/x86/kernel/reboot.c
++++ b/arch/x86/kernel/reboot.c
+@@ -477,6 +477,15 @@ static const struct dmi_system_id reboot_dmi_table[] __initconst = {
+ },
+ },
+
++ { /* PCIe Wifi card isn't detected after reboot otherwise */
++ .callback = set_pci_reboot,
++ .ident = "Zotac ZBOX CI327 nano",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "NA"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "ZBOX-CI327NANO-GS-01"),
++ },
++ },
++
+ /* Sony */
+ { /* Handle problems with rebooting on Sony VGN-Z540N */
+ .callback = set_bios_reboot,
+--
+2.30.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
