5.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 17 Oct 2021 10:49:04 +0000 (12:49 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 17 Oct 2021 10:49:04 +0000 (12:49 +0200)
added patches:
arm64-hugetlb-fix-cma-gigantic-page-order-for-non-4k-page_size.patch
btrfs-check-for-error-when-looking-up-inode-during-dir-entry-replay.patch
btrfs-deal-with-errors-when-adding-inode-reference-during-log-replay.patch
btrfs-deal-with-errors-when-replaying-dir-entry-during-log-replay.patch
btrfs-fix-abort-logic-in-btrfs_replace_file_extents.patch
btrfs-unlock-newly-allocated-extent-buffer-after-error.patch
btrfs-update-refs-for-any-root-except-tree-log-roots.patch
clk-socfpga-agilex-fix-duplicate-s2f_user0_clk.patch
csky-don-t-let-sigreturn-play-with-priveleged-bits-of-status-register.patch
csky-fixup-regs.sr-broken-in-ptrace.patch
drm-msm-avoid-potential-overflow-in-timeout_to_jiffies.patch
nds32-ftrace-fix-error-invalid-operands-und-and-und-sections-for.patch
s390-fix-strrchr-implementation.patch

14 files changed:
queue-5.10/arm64-hugetlb-fix-cma-gigantic-page-order-for-non-4k-page_size.patch [new file with mode: 0644]
queue-5.10/btrfs-check-for-error-when-looking-up-inode-during-dir-entry-replay.patch [new file with mode: 0644]
queue-5.10/btrfs-deal-with-errors-when-adding-inode-reference-during-log-replay.patch [new file with mode: 0644]
queue-5.10/btrfs-deal-with-errors-when-replaying-dir-entry-during-log-replay.patch [new file with mode: 0644]
queue-5.10/btrfs-fix-abort-logic-in-btrfs_replace_file_extents.patch [new file with mode: 0644]
queue-5.10/btrfs-unlock-newly-allocated-extent-buffer-after-error.patch [new file with mode: 0644]
queue-5.10/btrfs-update-refs-for-any-root-except-tree-log-roots.patch [new file with mode: 0644]
queue-5.10/clk-socfpga-agilex-fix-duplicate-s2f_user0_clk.patch [new file with mode: 0644]
queue-5.10/csky-don-t-let-sigreturn-play-with-priveleged-bits-of-status-register.patch [new file with mode: 0644]
queue-5.10/csky-fixup-regs.sr-broken-in-ptrace.patch [new file with mode: 0644]
queue-5.10/drm-msm-avoid-potential-overflow-in-timeout_to_jiffies.patch [new file with mode: 0644]
queue-5.10/nds32-ftrace-fix-error-invalid-operands-und-and-und-sections-for.patch [new file with mode: 0644]
queue-5.10/s390-fix-strrchr-implementation.patch [new file with mode: 0644]
queue-5.10/series

diff --git a/queue-5.10/arm64-hugetlb-fix-cma-gigantic-page-order-for-non-4k-page_size.patch b/queue-5.10/arm64-hugetlb-fix-cma-gigantic-page-order-for-non-4k-page_size.patch
new file mode 100644 (file)
index 0000000..f5225c6
--- /dev/null
@@ -0,0 +1,42 @@
+From 2e5809a4ddb15969503e43b06662a9a725f613ea Mon Sep 17 00:00:00 2001
+From: Mike Kravetz <mike.kravetz@oracle.com>
+Date: Tue, 5 Oct 2021 13:25:29 -0700
+Subject: arm64/hugetlb: fix CMA gigantic page order for non-4K PAGE_SIZE
+
+From: Mike Kravetz <mike.kravetz@oracle.com>
+
+commit 2e5809a4ddb15969503e43b06662a9a725f613ea upstream.
+
+For non-4K PAGE_SIZE configs, the largest gigantic huge page size is
+CONT_PMD_SHIFT order. On arm64 with 64K PAGE_SIZE, the gigantic page is
+16G. Therefore, one should be able to specify 'hugetlb_cma=16G' on the
+kernel command line so that one gigantic page can be allocated from CMA.
+However, when adding such an option the following message is produced:
+
+hugetlb_cma: cma area should be at least 8796093022208 MiB
+
+This is because the calculation for non-4K gigantic page order is
+incorrect in the arm64 specific routine arm64_hugetlb_cma_reserve().
+
+Fixes: abb7962adc80 ("arm64/hugetlb: Reserve CMA areas for gigantic pages on 16K and 64K configs")
+Cc: <stable@vger.kernel.org> # 5.9.x
+Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
+Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
+Link: https://lore.kernel.org/r/20211005202529.213812-1-mike.kravetz@oracle.com
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/mm/hugetlbpage.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/mm/hugetlbpage.c
++++ b/arch/arm64/mm/hugetlbpage.c
+@@ -43,7 +43,7 @@ void __init arm64_hugetlb_cma_reserve(vo
+ #ifdef CONFIG_ARM64_4K_PAGES
+       order = PUD_SHIFT - PAGE_SHIFT;
+ #else
+-      order = CONT_PMD_SHIFT + PMD_SHIFT - PAGE_SHIFT;
++      order = CONT_PMD_SHIFT - PAGE_SHIFT;
+ #endif
+       /*
+        * HugeTLB CMA reservation is required for gigantic
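Review bot: The new `order = CONT_PMD_SHIFT - PAGE_SHIFT;` is correct only if `CONT_PMD_SHIFT` in this tree is already the full shift of a contiguous-PMD mapping, not the number of extra bits on top of `PMD_SHIFT`. Its definition is not in the hunk, so that should be confirmed for the 5.10 queue before the patch is applied. The stable tag in the message says `# 5.9.x`, and in a tree where the macro is still relative this change would compute a wrong order. A one-line comment in the `#else` branch, e.g. `/* CONT_PMD_SHIFT already includes PMD_SHIFT */`, would record the assumption. arm64_hugetlb_cma_reserve() starts and ends outside the hunk.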
diff --git a/queue-5.10/btrfs-check-for-error-when-looking-up-inode-during-dir-entry-replay.patch b/queue-5.10/btrfs-check-for-error-when-looking-up-inode-during-dir-entry-replay.patch
new file mode 100644 (file)
index 0000000..63f9526
--- /dev/null
@@ -0,0 +1,53 @@
+From cfd312695b71df04c3a2597859ff12c470d1e2e4 Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Fri, 1 Oct 2021 13:48:18 +0100
+Subject: btrfs: check for error when looking up inode during dir entry replay
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit cfd312695b71df04c3a2597859ff12c470d1e2e4 upstream.
+
+At replay_one_name(), we are treating any error from btrfs_lookup_inode()
+as if the inode does not exists. Fix this by checking for an error and
+returning it to the caller.
+
+CC: stable@vger.kernel.org # 4.14+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/tree-log.c |   14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -1902,8 +1902,8 @@ static noinline int replay_one_name(stru
+       struct btrfs_key log_key;
+       struct inode *dir;
+       u8 log_type;
+-      int exists;
+-      int ret = 0;
++      bool exists;
++      int ret;
+       bool update_size = (key->type == BTRFS_DIR_INDEX_KEY);
+       bool name_added = false;
+@@ -1923,12 +1923,12 @@ static noinline int replay_one_name(stru
+                  name_len);
+       btrfs_dir_item_key_to_cpu(eb, di, &log_key);
+-      exists = btrfs_lookup_inode(trans, root, path, &log_key, 0);
+-      if (exists == 0)
+-              exists = 1;
+-      else
+-              exists = 0;
++      ret = btrfs_lookup_inode(trans, root, path, &log_key, 0);
+       btrfs_release_path(path);
++      if (ret < 0)
++              goto out;
++      exists = (ret == 0);
++      ret = 0;
+       if (key->type == BTRFS_DIR_ITEM_KEY) {
+               dst_di = btrfs_lookup_dir_item(trans, root, path, key->objectid,
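Review bot: Dropping the `= 0` initialiser from `ret` means every `goto out` that can run before the `btrfs_lookup_inode()` call has to assign `ret` itself. The code between the two inner hunks of replay_one_name() is not shown on this page, so that cannot be checked here. If any earlier exit relied on the initial zero, the function would now return an indeterminate value, so the intervening lines should be checked against the 5.10 tree. The new three-way result also deserves a comment above `exists = (ret == 0);`, for example `/* ret > 0: inode item not found; ret < 0 was handled above */`.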
diff --git a/queue-5.10/btrfs-deal-with-errors-when-adding-inode-reference-during-log-replay.patch b/queue-5.10/btrfs-deal-with-errors-when-adding-inode-reference-during-log-replay.patch
new file mode 100644 (file)
index 0000000..991aa53
--- /dev/null
@@ -0,0 +1,51 @@
+From 52db77791fe24538c8aa2a183248399715f6b380 Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Fri, 1 Oct 2021 13:52:32 +0100
+Subject: btrfs: deal with errors when adding inode reference during log replay
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit 52db77791fe24538c8aa2a183248399715f6b380 upstream.
+
+At __inode_add_ref(), we treating any error returned from
+btrfs_lookup_dir_item() or from btrfs_lookup_dir_index_item() as meaning
+that there is no existing directory entry in the fs/subvolume tree.
+This is not correct since we can get errors such as, for example, -EIO
+when reading extent buffers while searching the fs/subvolume's btree.
+
+So fix that and return the error to the caller when it is not -ENOENT.
+
+CC: stable@vger.kernel.org # 4.14+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/tree-log.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -1137,7 +1137,10 @@ next:
+       /* look for a conflicting sequence number */
+       di = btrfs_lookup_dir_index_item(trans, root, path, btrfs_ino(dir),
+                                        ref_index, name, namelen, 0);
+-      if (di && !IS_ERR(di)) {
++      if (IS_ERR(di)) {
++              if (PTR_ERR(di) != -ENOENT)
++                      return PTR_ERR(di);
++      } else if (di) {
+               ret = drop_one_dir_item(trans, root, path, dir, di);
+               if (ret)
+                       return ret;
+@@ -1147,7 +1150,9 @@ next:
+       /* look for a conflicting name */
+       di = btrfs_lookup_dir_item(trans, root, path, btrfs_ino(dir),
+                                  name, namelen, 0);
+-      if (di && !IS_ERR(di)) {
++      if (IS_ERR(di)) {
++              return PTR_ERR(di);
++      } else if (di) {
+               ret = drop_one_dir_item(trans, root, path, dir, di);
+               if (ret)
+                       return ret;
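Review bot: The two lookups are handled differently without a comment saying why. The `btrfs_lookup_dir_index_item()` result tolerates `-ENOENT`, while the `btrfs_lookup_dir_item()` result returns on any `IS_ERR(di)`, although the commit message describes both as returning the error only "when it is not -ENOENT". Presumably only the index lookup reports a missing entry as `ERR_PTR(-ENOENT)` and the name lookup reports it as NULL, but neither helper is visible here, so this should be confirmed. A short comment on the second check, e.g. `/* btrfs_lookup_dir_item() returns NULL, not -ENOENT, when the entry is missing */`, would keep a later reader from "fixing" the asymmetry. The `dst_di == ERR_PTR(-ENOENT)` normalisation in the replay_one_name() patch that follows depends on the same convention and would benefit from the same comment.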
diff --git a/queue-5.10/btrfs-deal-with-errors-when-replaying-dir-entry-during-log-replay.patch b/queue-5.10/btrfs-deal-with-errors-when-replaying-dir-entry-during-log-replay.patch
new file mode 100644 (file)
index 0000000..580de0e
--- /dev/null
@@ -0,0 +1,44 @@
+From e15ac6413745e3def00e663de00aea5a717311c1 Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Fri, 1 Oct 2021 13:52:31 +0100
+Subject: btrfs: deal with errors when replaying dir entry during log replay
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit e15ac6413745e3def00e663de00aea5a717311c1 upstream.
+
+At replay_one_one(), we are treating any error returned from
+btrfs_lookup_dir_item() or from btrfs_lookup_dir_index_item() as meaning
+that there is no existing directory entry in the fs/subvolume tree.
+This is not correct since we can get errors such as, for example, -EIO
+when reading extent buffers while searching the fs/subvolume's btree.
+
+So fix that and return the error to the caller when it is not -ENOENT.
+
+CC: stable@vger.kernel.org # 4.14+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/tree-log.c |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -1938,7 +1938,14 @@ static noinline int replay_one_name(stru
+               ret = -EINVAL;
+               goto out;
+       }
+-      if (IS_ERR_OR_NULL(dst_di)) {
++
++      if (dst_di == ERR_PTR(-ENOENT))
++              dst_di = NULL;
++
++      if (IS_ERR(dst_di)) {
++              ret = PTR_ERR(dst_di);
++              goto out;
++      } else if (!dst_di) {
+               /* we need a sequence number to insert, so we only
+                * do inserts for the BTRFS_DIR_INDEX_KEY types
+                */
diff --git a/queue-5.10/btrfs-fix-abort-logic-in-btrfs_replace_file_extents.patch b/queue-5.10/btrfs-fix-abort-logic-in-btrfs_replace_file_extents.patch
new file mode 100644 (file)
index 0000000..39c63da
--- /dev/null
@@ -0,0 +1,56 @@
+From 4afb912f439c4bc4e6a4f3e7547f2e69e354108f Mon Sep 17 00:00:00 2001
+From: Josef Bacik <josef@toxicpanda.com>
+Date: Tue, 5 Oct 2021 16:35:27 -0400
+Subject: btrfs: fix abort logic in btrfs_replace_file_extents
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+commit 4afb912f439c4bc4e6a4f3e7547f2e69e354108f upstream.
+
+Error injection testing uncovered a case where we'd end up with a
+corrupt file system with a missing extent in the middle of a file.  This
+occurs because the if statement to decide if we should abort is wrong.
+
+The only way we would abort in this case is if we got a ret !=
+-EOPNOTSUPP and we called from the file clone code.  However the
+prealloc code uses this path too.  Instead we need to abort if there is
+an error, and the only error we _don't_ abort on is -EOPNOTSUPP and only
+if we came from the clone file code.
+
+CC: stable@vger.kernel.org # 5.10+
+Reviewed-by: Nikolay Borisov <nborisov@suse.com>
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/file.c |   16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/fs/btrfs/file.c
++++ b/fs/btrfs/file.c
+@@ -2661,14 +2661,16 @@ int btrfs_replace_file_extents(struct in
+                                          1, 0, 0, NULL);
+               if (ret != -ENOSPC) {
+                       /*
+-                       * When cloning we want to avoid transaction aborts when
+-                       * nothing was done and we are attempting to clone parts
+-                       * of inline extents, in such cases -EOPNOTSUPP is
+-                       * returned by __btrfs_drop_extents() without having
+-                       * changed anything in the file.
++                       * The only time we don't want to abort is if we are
++                       * attempting to clone a partial inline extent, in which
++                       * case we'll get EOPNOTSUPP.  However if we aren't
++                       * clone we need to abort no matter what, because if we
++                       * got EOPNOTSUPP via prealloc then we messed up and
++                       * need to abort.
+                        */
+-                      if (extent_info && !extent_info->is_new_extent &&
+-                          ret && ret != -EOPNOTSUPP)
++                      if (ret &&
++                          (ret != -EOPNOTSUPP ||
++                           (extent_info && extent_info->is_new_extent)))
+                               btrfs_abort_transaction(trans, ret);
+                       break;
+               }
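Review bot: The rewritten comment says a non-clone caller must abort "no matter what", but the condition still skips the abort for `-EOPNOTSUPP` when `extent_info` is NULL, because `(extent_info && extent_info->is_new_extent)` is false in that case. Which callers pass a NULL `extent_info` is not visible in the hunk. If that is a deliberate third case, the block comment should name it, for example by adding `A NULL extent_info is treated like the clone case here.` If a NULL `extent_info` should abort as well, the inner test would instead read `(!extent_info || extent_info->is_new_extent)`. btrfs_replace_file_extents() starts and ends outside the hunk.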
diff --git a/queue-5.10/btrfs-unlock-newly-allocated-extent-buffer-after-error.patch b/queue-5.10/btrfs-unlock-newly-allocated-extent-buffer-after-error.patch
new file mode 100644 (file)
index 0000000..f8fdabb
--- /dev/null
@@ -0,0 +1,96 @@
+From 19ea40dddf1833db868533958ca066f368862211 Mon Sep 17 00:00:00 2001
+From: Qu Wenruo <wqu@suse.com>
+Date: Tue, 14 Sep 2021 14:57:59 +0800
+Subject: btrfs: unlock newly allocated extent buffer after error
+
+From: Qu Wenruo <wqu@suse.com>
+
+commit 19ea40dddf1833db868533958ca066f368862211 upstream.
+
+[BUG]
+There is a bug report that injected ENOMEM error could leave a tree
+block locked while we return to user-space:
+
+  BTRFS info (device loop0): enabling ssd optimizations
+  FAULT_INJECTION: forcing a failure.
+  name failslab, interval 1, probability 0, space 0, times 0
+  CPU: 0 PID: 7579 Comm: syz-executor Not tainted 5.15.0-rc1 #16
+  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+  rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
+  Call Trace:
+   __dump_stack lib/dump_stack.c:88 [inline]
+   dump_stack_lvl+0x8d/0xcf lib/dump_stack.c:106
+   fail_dump lib/fault-inject.c:52 [inline]
+   should_fail+0x13c/0x160 lib/fault-inject.c:146
+   should_failslab+0x5/0x10 mm/slab_common.c:1328
+   slab_pre_alloc_hook.constprop.99+0x4e/0xc0 mm/slab.h:494
+   slab_alloc_node mm/slub.c:3120 [inline]
+   slab_alloc mm/slub.c:3214 [inline]
+   kmem_cache_alloc+0x44/0x280 mm/slub.c:3219
+   btrfs_alloc_delayed_extent_op fs/btrfs/delayed-ref.h:299 [inline]
+   btrfs_alloc_tree_block+0x38c/0x670 fs/btrfs/extent-tree.c:4833
+   __btrfs_cow_block+0x16f/0x7d0 fs/btrfs/ctree.c:415
+   btrfs_cow_block+0x12a/0x300 fs/btrfs/ctree.c:570
+   btrfs_search_slot+0x6b0/0xee0 fs/btrfs/ctree.c:1768
+   btrfs_insert_empty_items+0x80/0xf0 fs/btrfs/ctree.c:3905
+   btrfs_new_inode+0x311/0xa60 fs/btrfs/inode.c:6530
+   btrfs_create+0x12b/0x270 fs/btrfs/inode.c:6783
+   lookup_open+0x660/0x780 fs/namei.c:3282
+   open_last_lookups fs/namei.c:3352 [inline]
+   path_openat+0x465/0xe20 fs/namei.c:3557
+   do_filp_open+0xe3/0x170 fs/namei.c:3588
+   do_sys_openat2+0x357/0x4a0 fs/open.c:1200
+   do_sys_open+0x87/0xd0 fs/open.c:1216
+   do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+   do_syscall_64+0x34/0xb0 arch/x86/entry/common.c:80
+   entry_SYSCALL_64_after_hwframe+0x44/0xae
+  RIP: 0033:0x46ae99
+  Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48
+  89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
+  01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+  RSP: 002b:00007f46711b9c48 EFLAGS: 00000246 ORIG_RAX: 0000000000000055
+  RAX: ffffffffffffffda RBX: 000000000078c0a0 RCX: 000000000046ae99
+  RDX: 0000000000000000 RSI: 00000000000000a1 RDI: 0000000020005800
+  RBP: 00007f46711b9c80 R08: 0000000000000000 R09: 0000000000000000
+  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000017
+  R13: 0000000000000000 R14: 000000000078c0a0 R15: 00007ffc129da6e0
+
+  ================================================
+  WARNING: lock held when returning to user space!
+  5.15.0-rc1 #16 Not tainted
+  ------------------------------------------------
+  syz-executor/7579 is leaving the kernel with locks still held!
+  1 lock held by syz-executor/7579:
+   #0: ffff888104b73da8 (btrfs-tree-01/1){+.+.}-{3:3}, at:
+  __btrfs_tree_lock+0x2e/0x1a0 fs/btrfs/locking.c:112
+
+[CAUSE]
+In btrfs_alloc_tree_block(), after btrfs_init_new_buffer(), the new
+extent buffer @buf is locked, but if later operations like adding
+delayed tree ref fail, we just free @buf without unlocking it,
+resulting above warning.
+
+[FIX]
+Unlock @buf in out_free_buf: label.
+
+Reported-by: Hao Sun <sunhao.th@gmail.com>
+Link: https://lore.kernel.org/linux-btrfs/CACkBjsZ9O6Zr0KK1yGn=1rQi6Crh1yeCRdTSBxx9R99L4xdn-Q@mail.gmail.com/
+CC: stable@vger.kernel.org # 5.4+
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/extent-tree.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -4715,6 +4715,7 @@ struct extent_buffer *btrfs_alloc_tree_b
+ out_free_delayed:
+       btrfs_free_delayed_extent_op(extent_op);
+ out_free_buf:
++      btrfs_tree_unlock(buf);
+       free_extent_buffer(buf);
+ out_free_reserved:
+       btrfs_free_reserved_extent(fs_info, ins.objectid, ins.offset, 0);
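Review bot: `btrfs_tree_unlock(buf)` at `out_free_buf:` is safe only if `buf` is a valid, locked buffer on every path that jumps to that label or falls into it from `out_free_delayed:`. The commit message says the lock is taken in btrfs_init_new_buffer(), but the jumps themselves are outside the hunk, so this should be confirmed against the 5.10 version of btrfs_alloc_tree_block(). A comment at the label, e.g. `/* buf was returned locked by btrfs_init_new_buffer() */`, would document the invariant. It would also warn anyone adding an error path before the buffer is initialised not to route it through this label.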
diff --git a/queue-5.10/btrfs-update-refs-for-any-root-except-tree-log-roots.patch b/queue-5.10/btrfs-update-refs-for-any-root-except-tree-log-roots.patch
new file mode 100644 (file)
index 0000000..27e43de
--- /dev/null
@@ -0,0 +1,62 @@
+From d175209be04d7d263fa1a54cde7608c706c9d0d7 Mon Sep 17 00:00:00 2001
+From: Josef Bacik <josef@toxicpanda.com>
+Date: Fri, 1 Oct 2021 13:57:18 -0400
+Subject: btrfs: update refs for any root except tree log roots
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+commit d175209be04d7d263fa1a54cde7608c706c9d0d7 upstream.
+
+I hit a stuck relocation on btrfs/061 during my overnight testing.  This
+turned out to be because we had left over extent entries in our extent
+root for a data reloc inode that no longer existed.  This happened
+because in btrfs_drop_extents() we only update refs if we have SHAREABLE
+set or we are the tree_root.  This regression was introduced by
+aeb935a45581 ("btrfs: don't set SHAREABLE flag for data reloc tree")
+where we stopped setting SHAREABLE for the data reloc tree.
+
+The problem here is we actually do want to update extent references for
+data extents in the data reloc tree, in fact we only don't want to
+update extent references if the file extents are in the log tree.
+Update this check to only skip updating references in the case of the
+log tree.
+
+This is relatively rare, because you have to be running scrub at the
+same time, which is what btrfs/061 does.  The data reloc inode has its
+extents pre-allocated, and then we copy the extent into the
+pre-allocated chunks.  We theoretically should never be calling
+btrfs_drop_extents() on a data reloc inode.  The exception of course is
+with scrub, if our pre-allocated extent falls inside of the block group
+we are scrubbing, then the block group will be marked read only and we
+will be forced to cow that extent.  This means we will call
+btrfs_drop_extents() on that range when we COW that file extent.
+
+This isn't really problematic if we do this, the data reloc inode
+requires that our extent lengths match exactly with the extent we are
+copying, thankfully we validate the extent is correct with
+get_new_location(), so if we happen to COW only part of the extent we
+won't link it in when we do the relocation, so we are safe from any
+other shenanigans that arise because of this interaction with scrub.
+
+Fixes: aeb935a45581 ("btrfs: don't set SHAREABLE flag for data reloc tree")
+CC: stable@vger.kernel.org # 5.8+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/file.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/fs/btrfs/file.c
++++ b/fs/btrfs/file.c
+@@ -710,8 +710,7 @@ int __btrfs_drop_extents(struct btrfs_tr
+       if (start >= inode->disk_i_size && !replace_extent)
+               modify_tree = 0;
+-      update_refs = (test_bit(BTRFS_ROOT_SHAREABLE, &root->state) ||
+-                     root == fs_info->tree_root);
++      update_refs = (root->root_key.objectid != BTRFS_TREE_LOG_OBJECTID);
+       while (1) {
+               recow = 0;
+               ret = btrfs_lookup_file_extent(trans, root, path, ino,
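Review bot: The new `update_refs` assignment carries no comment, and the reasoning in the commit message (only file extents in the log tree skip reference updates) is not obvious from `root->root_key.objectid != BTRFS_TREE_LOG_OBJECTID` alone. I would add `/* Only the log tree skips extent reference updates. */` above the assignment so the rule does not live only in the commit message. __btrfs_drop_extents() starts and ends outside the hunk.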
diff --git a/queue-5.10/clk-socfpga-agilex-fix-duplicate-s2f_user0_clk.patch b/queue-5.10/clk-socfpga-agilex-fix-duplicate-s2f_user0_clk.patch
new file mode 100644 (file)
index 0000000..a9afd76
--- /dev/null
@@ -0,0 +1,46 @@
+From 09540fa337196be20e9f0241652364f09275d374 Mon Sep 17 00:00:00 2001
+From: Dinh Nguyen <dinguyen@kernel.org>
+Date: Thu, 16 Sep 2021 17:51:26 -0500
+Subject: clk: socfpga: agilex: fix duplicate s2f_user0_clk
+
+From: Dinh Nguyen <dinguyen@kernel.org>
+
+commit 09540fa337196be20e9f0241652364f09275d374 upstream.
+
+Remove the duplicate s2f_user0_clk and the unused s2f_usr0_mux define.
+
+Fixes: f817c132db67 ("clk: socfpga: agilex: fix up s2f_user0_clk representation")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
+Link: https://lore.kernel.org/r/20210916225126.1427700-1-dinguyen@kernel.org
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/socfpga/clk-agilex.c |    9 ---------
+ 1 file changed, 9 deletions(-)
+
+--- a/drivers/clk/socfpga/clk-agilex.c
++++ b/drivers/clk/socfpga/clk-agilex.c
+@@ -165,13 +165,6 @@ static const struct clk_parent_data mpu_
+         .name = "boot_clk", },
+ };
+-static const struct clk_parent_data s2f_usr0_mux[] = {
+-      { .fw_name = "f2s-free-clk",
+-        .name = "f2s-free-clk", },
+-      { .fw_name = "boot_clk",
+-        .name = "boot_clk", },
+-};
+-
+ static const struct clk_parent_data emac_mux[] = {
+       { .fw_name = "emaca_free_clk",
+         .name = "emaca_free_clk", },
+@@ -299,8 +292,6 @@ static const struct stratix10_gate_clock
+         4, 0x44, 28, 1, 0, 0, 0},
+       { AGILEX_CS_TIMER_CLK, "cs_timer_clk", NULL, noc_mux, ARRAY_SIZE(noc_mux), 0, 0x24,
+         5, 0, 0, 0, 0x30, 1, 0},
+-      { AGILEX_S2F_USER0_CLK, "s2f_user0_clk", NULL, s2f_usr0_mux, ARRAY_SIZE(s2f_usr0_mux), 0, 0x24,
+-        6, 0, 0, 0, 0, 0, 0},
+       { AGILEX_EMAC0_CLK, "emac0_clk", NULL, emac_mux, ARRAY_SIZE(emac_mux), 0, 0x7C,
+         0, 0, 0, 0, 0x94, 26, 0},
+       { AGILEX_EMAC1_CLK, "emac1_clk", NULL, emac_mux, ARRAY_SIZE(emac_mux), 0, 0x7C,
diff --git a/queue-5.10/csky-don-t-let-sigreturn-play-with-priveleged-bits-of-status-register.patch b/queue-5.10/csky-don-t-let-sigreturn-play-with-priveleged-bits-of-status-register.patch
new file mode 100644 (file)
index 0000000..6893dbc
--- /dev/null
@@ -0,0 +1,43 @@
+From fbd63c08cdcca5fb1315aca3172b3c9c272cfb4f Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Fri, 24 Sep 2021 00:35:42 +0000
+Subject: csky: don't let sigreturn play with priveleged bits of status register
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit fbd63c08cdcca5fb1315aca3172b3c9c272cfb4f upstream.
+
+csky restore_sigcontext() blindly overwrites regs->sr with the value
+it finds in sigcontext.  Attacker can store whatever they want in there,
+which includes things like S-bit.  Userland shouldn't be able to set
+that, or anything other than C flag (bit 0).
+
+Do the same thing other architectures with protected bits in flags
+register do - preserve everything that shouldn't be settable in
+user mode, picking the rest from the value saved is sigcontext.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Guo Ren <guoren@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/csky/kernel/signal.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/csky/kernel/signal.c
++++ b/arch/csky/kernel/signal.c
+@@ -52,10 +52,14 @@ static long restore_sigcontext(struct pt
+       struct sigcontext __user *sc)
+ {
+       int err = 0;
++      unsigned long sr = regs->sr;
+       /* sc_pt_regs is structured the same as the start of pt_regs */
+       err |= __copy_from_user(regs, &sc->sc_pt_regs, sizeof(struct pt_regs));
++      /* BIT(0) of regs->sr is Condition Code/Carry bit */
++      regs->sr = (sr & ~1) | (regs->sr & 1);
++
+       /* Restore the floating-point state. */
+       err |= restore_fpu_state(sc);
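Review bot: restore_sigcontext() still copies the whole user-supplied `sc_pt_regs` over `regs` and then repairs only `sr`, so any other field of `struct pt_regs` that user mode must not control would need the same save-and-restore treatment. The gpr_set() patch later on this page keeps `dcsr` from the task's own registers under `CONFIG_CPU_HAS_HILO`. Whether the sigreturn path needs that too cannot be decided from this hunk and should be confirmed against the csky register layout. The mask is also written as a bare `1` here and as `BIT(0)` in the ptrace patch; a single shared macro for the user-writable `sr` bits (name to be chosen by the maintainers) would keep the two paths from drifting apart. The function continues outside the hunk.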
diff --git a/queue-5.10/csky-fixup-regs.sr-broken-in-ptrace.patch b/queue-5.10/csky-fixup-regs.sr-broken-in-ptrace.patch
new file mode 100644 (file)
index 0000000..47bd709
--- /dev/null
@@ -0,0 +1,35 @@
+From af89ebaa64de726ca0a39bbb0bf0c81a1f43ad50 Mon Sep 17 00:00:00 2001
+From: Guo Ren <guoren@linux.alibaba.com>
+Date: Fri, 24 Sep 2021 15:33:38 +0800
+Subject: csky: Fixup regs.sr broken in ptrace
+
+From: Guo Ren <guoren@linux.alibaba.com>
+
+commit af89ebaa64de726ca0a39bbb0bf0c81a1f43ad50 upstream.
+
+gpr_get() return the entire pt_regs (include sr) to userspace, if we
+don't restore the C bit in gpr_set, it may break the ALU result in
+that context. So the C flag bit is part of gpr context, that's why
+riscv totally remove the C bit in the ISA. That makes sr reg clear
+from userspace to supervisor privilege.
+
+Signed-off-by: Guo Ren <guoren@linux.alibaba.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/csky/kernel/ptrace.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/csky/kernel/ptrace.c
++++ b/arch/csky/kernel/ptrace.c
+@@ -98,7 +98,8 @@ static int gpr_set(struct task_struct *t
+       if (ret)
+               return ret;
+-      regs.sr = task_pt_regs(target)->sr;
++      /* BIT(0) of regs.sr is Condition Code/Carry bit */
++      regs.sr = (regs.sr & BIT(0)) | (task_pt_regs(target)->sr & ~BIT(0));
+ #ifdef CONFIG_CPU_HAS_HILO
+       regs.dcsr = task_pt_regs(target)->dcsr;
+ #endif
diff --git a/queue-5.10/drm-msm-avoid-potential-overflow-in-timeout_to_jiffies.patch b/queue-5.10/drm-msm-avoid-potential-overflow-in-timeout_to_jiffies.patch
new file mode 100644 (file)
index 0000000..a71a994
--- /dev/null
@@ -0,0 +1,64 @@
+From 171316a68d9a8e0d9e28b7cf4c15afc4c6244a4e Mon Sep 17 00:00:00 2001
+From: Marek Vasut <marex@denx.de>
+Date: Fri, 17 Sep 2021 02:59:13 +0200
+Subject: drm/msm: Avoid potential overflow in timeout_to_jiffies()
+
+From: Marek Vasut <marex@denx.de>
+
+commit 171316a68d9a8e0d9e28b7cf4c15afc4c6244a4e upstream.
+
+The return type of ktime_divns() is s64. The timeout_to_jiffies() currently
+assigns the result of this ktime_divns() to unsigned long, which on 32 bit
+systems may overflow. Furthermore, the result of this function is sometimes
+also passed to functions which expect signed long, dma_fence_wait_timeout()
+is one such example.
+
+Fix this by adjusting the type of remaining_jiffies to s64, so we do not
+suffer overflow there, and return a value limited to range of 0..INT_MAX,
+which is safe for all usecases of this timeout.
+
+The above overflow can be triggered if userspace passes in too large timeout
+value, larger than INT_MAX / HZ seconds. The kernel detects it and complains
+about "schedule_timeout: wrong timeout value %lx" and generates a warning
+backtrace.
+
+Note that this fixes commit 6cedb8b377bb ("drm/msm: avoid using 'timespec'"),
+because the previously used timespec_to_jiffies() function returned unsigned
+long instead of s64:
+static inline unsigned long timespec_to_jiffies(const struct timespec *value)
+
+Fixes: 6cedb8b377bb ("drm/msm: avoid using 'timespec'")
+Signed-off-by: Marek Vasut <marex@denx.de>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Jordan Crouse <jcrouse@codeaurora.org>
+Cc: Rob Clark <robdclark@chromium.org>
+Cc: stable@vger.kernel.org # 5.6+
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20210917005913.157379-1-marex@denx.de
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/msm_drv.h |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/msm/msm_drv.h
++++ b/drivers/gpu/drm/msm/msm_drv.h
+@@ -543,7 +543,7 @@ static inline int align_pitch(int width,
+ static inline unsigned long timeout_to_jiffies(const ktime_t *timeout)
+ {
+       ktime_t now = ktime_get();
+-      unsigned long remaining_jiffies;
++      s64 remaining_jiffies;
+       if (ktime_compare(*timeout, now) < 0) {
+               remaining_jiffies = 0;
+@@ -552,7 +552,7 @@ static inline unsigned long timeout_to_j
+               remaining_jiffies = ktime_divns(rem, NSEC_PER_SEC / HZ);
+       }
+-      return remaining_jiffies;
++      return clamp(remaining_jiffies, 0LL, (s64)INT_MAX);
+ }
+ #endif /* __MSM_DRV_H__ */
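Review bot: `clamp(remaining_jiffies, 0LL, (s64)INT_MAX)` relies on `s64` and `long long` being the same type to satisfy clamp()'s type check, and it mixes a literal suffix with a cast to get there. `clamp_t(s64, remaining_jiffies, 0, INT_MAX)` states the comparison type once. A comment on the return line explaining the bound, such as `/* some callers pass this on as signed long, so cap at INT_MAX */`, would keep the reason for `INT_MAX` next to the code instead of only in the commit message.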
diff --git a/queue-5.10/nds32-ftrace-fix-error-invalid-operands-und-and-und-sections-for.patch b/queue-5.10/nds32-ftrace-fix-error-invalid-operands-und-and-und-sections-for.patch
new file mode 100644 (file)
index 0000000..80bc447
--- /dev/null
@@ -0,0 +1,85 @@
+From be358af1191b1b2fedebd8f3421cafdc8edacc7d Mon Sep 17 00:00:00 2001
+From: Steven Rostedt <rostedt@goodmis.org>
+Date: Thu, 14 Oct 2021 14:35:07 -0400
+Subject: nds32/ftrace: Fix Error: invalid operands (*UND* and *UND* sections) for `^'
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+commit be358af1191b1b2fedebd8f3421cafdc8edacc7d upstream.
+
+I received a build failure for a new patch I'm working on the nds32
+architecture, and when I went to test it, I couldn't get to my build error,
+because it failed to build with a bunch of:
+
+  Error: invalid operands (*UND* and *UND* sections) for `^'
+
+issues with various files. Those files were temporary asm files that looked
+like:  kernel/.tmp_mc_fork.s
+
+I decided to look deeper, and found that the "mc" portion of that name
+stood for "mcount", and was created by the recordmcount.pl script. One that
+I wrote over a decade ago. Once I knew the source of the problem, I was
+able to investigate it further.
+
+The way the recordmcount.pl script works (BTW, there's a C version that
+simply modifies the ELF object) is by doing an "objdump" on the object
+file. Looks for all the calls to "mcount", and creates an offset of those
+locations from some global variable it can use (usually a global function
+name, found with <.*>:). Creates a asm file that is a table of references
+to these locations, using the found variable/function. Compiles it and
+links it back into the original object file. This asm file is called
+".tmp_mc_<object_base_name>.s".
+
+The problem here is that the objdump produced by the nds32 object file,
+contains things that look like:
+
+ 0000159a <.L3^B1>:
+    159a:       c6 00           beqz38 $r6, 159a <.L3^B1>
+                        159a: R_NDS32_9_PCREL_RELA      .text+0x159e
+    159c:       84 d2           movi55 $r6, #-14
+    159e:       80 06           mov55 $r0, $r6
+    15a0:       ec 3c           addi10.sp #0x3c
+
+Where ".L3^B1 is somehow selected as the "global" variable to index off of.
+
+Then the assembly file that holds the mcount locations looks like this:
+
+        .section __mcount_loc,"a",@progbits
+        .align 2
+        .long .L3^B1 + -5522
+        .long .L3^B1 + -5384
+        .long .L3^B1 + -5270
+        .long .L3^B1 + -5098
+        .long .L3^B1 + -4970
+        .long .L3^B1 + -4758
+        .long .L3^B1 + -4122
+        [...]
+
+And when it is compiled back to an object to link to the original object,
+the compile fails on the "^" symbol.
+
+Simple solution for now, is to have the perl script ignore using function
+symbols that have an "^" in the name.
+
+Link: https://lkml.kernel.org/r/20211014143507.4ad2c0f7@gandalf.local.home
+
+Cc: stable@vger.kernel.org
+Acked-by: Greentime Hu <green.hu@gmail.com>
+Fixes: fbf58a52ac088 ("nds32/ftrace: Add RECORD_MCOUNT support")
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ scripts/recordmcount.pl |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/scripts/recordmcount.pl
++++ b/scripts/recordmcount.pl
+@@ -222,7 +222,7 @@ if ($arch =~ /(x86(_64)?)|(i386)/) {
+ $local_regex = "^[0-9a-fA-F]+\\s+t\\s+(\\S+)";
+ $weak_regex = "^[0-9a-fA-F]+\\s+([wW])\\s+(\\S+)";
+ $section_regex = "Disassembly of section\\s+(\\S+):";
+-$function_regex = "^([0-9a-fA-F]+)\\s+<(.*?)>:";
++$function_regex = "^([0-9a-fA-F]+)\\s+<([^^]*?)>:";
+ $mcount_regex = "^\\s*([0-9a-fA-F]+):.*\\s(mcount|__fentry__)\$";
+ $section_type = '@progbits';
+ $mcount_adjust = 0;
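Review bot: The character class `[^^]` in the new `$function_regex` is easy to misread as a typo, and no comment says why symbols containing `^` are skipped. The assignment sits among what look like the script's generic defaults rather than in an nds32-specific branch, so it presumably applies to every architecture that does not override `$function_regex`; the comment should say so. I would add above the line `# Skip symbols containing '^' (e.g. nds32 ".L3^B1"): the assembler rejects them in the generated __mcount_loc table`. The surrounding block of defaults starts and ends outside the hunk, so any per-architecture overrides cannot be checked from here.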
diff --git a/queue-5.10/s390-fix-strrchr-implementation.patch b/queue-5.10/s390-fix-strrchr-implementation.patch
new file mode 100644 (file)
index 0000000..d6f4351
--- /dev/null
@@ -0,0 +1,49 @@
+From 8e0ab8e26b72a80e991c66a8abc16e6c856abe3d Mon Sep 17 00:00:00 2001
+From: Roberto Sassu <roberto.sassu@huawei.com>
+Date: Tue, 5 Oct 2021 14:08:36 +0200
+Subject: s390: fix strrchr() implementation
+
+From: Roberto Sassu <roberto.sassu@huawei.com>
+
+commit 8e0ab8e26b72a80e991c66a8abc16e6c856abe3d upstream.
+
+Fix two problems found in the strrchr() implementation for s390
+architectures: evaluate empty strings (return the string address instead of
+NULL, if '\0' is passed as second argument); evaluate the first character
+of non-empty strings (the current implementation stops at the second).
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Reported-by: Heiko Carstens <hca@linux.ibm.com> (incorrect behavior with empty strings)
+Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
+Link: https://lore.kernel.org/r/20211005120836.60630-1-roberto.sassu@huawei.com
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/lib/string.c |   13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/arch/s390/lib/string.c
++++ b/arch/s390/lib/string.c
+@@ -246,14 +246,13 @@ EXPORT_SYMBOL(strcmp);
+ #ifdef __HAVE_ARCH_STRRCHR
+ char *strrchr(const char *s, int c)
+ {
+-       size_t len = __strend(s) - s;
++      ssize_t len = __strend(s) - s;
+-       if (len)
+-             do {
+-                     if (s[len] == (char) c)
+-                             return (char *) s + len;
+-             } while (--len > 0);
+-       return NULL;
++      do {
++              if (s[len] == (char)c)
++                      return (char *)s + len;
++      } while (--len >= 0);
++      return NULL;
+ }
+ EXPORT_SYMBOL(strrchr);
+ #endif
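Review bot: The rewritten loop in strrchr() terminates only because `len` is now `ssize_t`, and nothing in the function records that. If the type were later changed back to `size_t`, `--len >= 0` would always be true and a search for an absent character would wrap and read outside the string. I would add a comment above the declaration, `/* len must stay signed: the loop ends when --len reaches -1 */`. A second comment could note that the first iteration deliberately tests the terminator at `s[len]`, which is what makes `c == '\0'` return the end of the string.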
index 495c9de25b7b8e9f9dd319e33acc699e7421d5f0..e12f02492c8e93529e5e6458de48347eebe7aeca 100644 (file)
@@ -9,3 +9,16 @@ alsa-hda-realtek-alc236-headset-mic-recording-issue.patch
 alsa-hda-realtek-add-quirk-for-tongfang-phxtxx1.patch
 alsa-hda-realtek-fix-for-quirk-to-enable-speaker-output-on-the-lenovo-13s-gen2.patch
 alsa-hda-realtek-fix-the-mic-type-detection-issue-for-asus-g551jw.patch
+nds32-ftrace-fix-error-invalid-operands-und-and-und-sections-for.patch
+s390-fix-strrchr-implementation.patch
+clk-socfpga-agilex-fix-duplicate-s2f_user0_clk.patch
+csky-don-t-let-sigreturn-play-with-priveleged-bits-of-status-register.patch
+csky-fixup-regs.sr-broken-in-ptrace.patch
+arm64-hugetlb-fix-cma-gigantic-page-order-for-non-4k-page_size.patch
+drm-msm-avoid-potential-overflow-in-timeout_to_jiffies.patch
+btrfs-unlock-newly-allocated-extent-buffer-after-error.patch
+btrfs-deal-with-errors-when-replaying-dir-entry-during-log-replay.patch
+btrfs-deal-with-errors-when-adding-inode-reference-during-log-replay.patch
+btrfs-check-for-error-when-looking-up-inode-during-dir-entry-replay.patch
+btrfs-update-refs-for-any-root-except-tree-log-roots.patch
+btrfs-fix-abort-logic-in-btrfs_replace_file_extents.patch