--- /dev/null
+From 1cfd8956437f842836e8a066b40d1ec2fc01f13e Mon Sep 17 00:00:00 2001
+From: Mark Langsdorf <mlangsdo@redhat.com>
+Date: Tue, 27 Apr 2021 13:54:33 -0500
+Subject: ACPI: custom_method: fix a possible memory leak
+
+From: Mark Langsdorf <mlangsdo@redhat.com>
+
+commit 1cfd8956437f842836e8a066b40d1ec2fc01f13e upstream.
+
+In cm_write(), if the 'buf' is allocated memory but not fully consumed,
+it is possible to reallocate the buffer without freeing it by passing
+'*ppos' as 0 on a subsequent call.
+
+Add an explicit kfree() before kzalloc() to prevent the possible memory
+leak.
+
+Fixes: 526b4af47f44 ("ACPI: Split out custom_method functionality into an own driver")
+Signed-off-by: Mark Langsdorf <mlangsdo@redhat.com>
+Cc: 5.4+ <stable@vger.kernel.org> # 5.4+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/custom_method.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/acpi/custom_method.c
++++ b/drivers/acpi/custom_method.c
+@@ -42,6 +42,8 @@ static ssize_t cm_write(struct file *fil
+ sizeof(struct acpi_table_header)))
+ return -EFAULT;
+ uncopied_bytes = max_size = table.length;
++ /* make sure the buf is not allocated */
++ kfree(buf);
+ buf = kzalloc(max_size, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
--- /dev/null
+From e483bb9a991bdae29a0caa4b3a6d002c968f94aa Mon Sep 17 00:00:00 2001
+From: Mark Langsdorf <mlangsdo@redhat.com>
+Date: Fri, 23 Apr 2021 10:28:17 -0500
+Subject: ACPI: custom_method: fix potential use-after-free issue
+
+From: Mark Langsdorf <mlangsdo@redhat.com>
+
+commit e483bb9a991bdae29a0caa4b3a6d002c968f94aa upstream.
+
+In cm_write(), buf is always freed when reaching the end of the
+function. If the requested count is less than table.length, the
+allocated buffer will be freed but subsequent calls to cm_write() will
+still try to access it.
+
+Remove the unconditional kfree(buf) at the end of the function and
+set the buf to NULL in the -EINVAL error path to match the rest of
+function.
+
+Fixes: 03d1571d9513 ("ACPI: custom_method: fix memory leaks")
+Signed-off-by: Mark Langsdorf <mlangsdo@redhat.com>
+Cc: 5.4+ <stable@vger.kernel.org> # 5.4+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/custom_method.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/acpi/custom_method.c
++++ b/drivers/acpi/custom_method.c
+@@ -55,6 +55,7 @@ static ssize_t cm_write(struct file *fil
+ (*ppos + count < count) ||
+ (count > uncopied_bytes)) {
+ kfree(buf);
++ buf = NULL;
+ return -EINVAL;
+ }
+
+@@ -76,7 +77,6 @@ static ssize_t cm_write(struct file *fil
+ add_taint(TAINT_OVERRIDDEN_ACPI_TABLE, LOCKDEP_NOW_UNRELIABLE);
+ }
+
+- kfree(buf);
+ return count;
+ }
+
--- /dev/null
+From c4e792d1acce31c2eb7b9193ab06ab94de05bf42 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ardb@kernel.org>
+Date: Fri, 5 Feb 2021 19:23:00 +0100
+Subject: ARM: 9056/1: decompressor: fix BSS size calculation for LLVM ld.lld
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+commit c4e792d1acce31c2eb7b9193ab06ab94de05bf42 upstream.
+
+The LLVM ld.lld linker uses a different symbol type for __bss_start,
+resulting in the calculation of KBSS_SZ to be thrown off. Up until now,
+this has gone unnoticed as it only affects the appended DTB case, but
+pending changes for ARM in the way the decompressed kernel is cleaned
+from the caches has uncovered this problem.
+
+On a ld.lld build:
+
+ $ nm vmlinux |grep bss_
+ c1c22034 D __bss_start
+ c1c86e98 B __bss_stop
+
+resulting in
+
+ $ readelf -s arch/arm/boot/compressed/vmlinux | grep bss_size
+ 433: c1c86e98 0 NOTYPE GLOBAL DEFAULT ABS _kernel_bss_size
+
+which is obviously incorrect, and may cause the cache clean to access
+unmapped memory, or cause the size calculation to wrap, resulting in no
+cache clean to be performed at all.
+
+Fix this by updating the sed regex to take D type symbols into account.
+
+Link: https://lore.kernel.org/linux-arm-kernel/6c65bcef-d4e7-25fa-43cf-2c435bb61bb9@collabora.com/
+Link: https://lore.kernel.org/linux-arm-kernel/20210205085220.31232-1-ardb@kernel.org/
+
+Cc: <stable@vger.kernel.org> # v4.19+
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Tested-by: Nick Desaulniers <ndesaulniers@google.com>
+Reported-by: Guillaume Tucker <guillaume.tucker@collabora.com>
+Reported-by: "kernelci.org bot" <bot@kernelci.org>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/compressed/Makefile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/boot/compressed/Makefile
++++ b/arch/arm/boot/compressed/Makefile
+@@ -118,8 +118,8 @@ asflags-y := -DZIMAGE
+
+ # Supply kernel BSS size to the decompressor via a linker symbol.
+ KBSS_SZ = $(shell echo $$(($$($(NM) $(obj)/../../../../vmlinux | \
+- sed -n -e 's/^\([^ ]*\) [AB] __bss_start$$/-0x\1/p' \
+- -e 's/^\([^ ]*\) [AB] __bss_stop$$/+0x\1/p') )) )
++ sed -n -e 's/^\([^ ]*\) [ABD] __bss_start$$/-0x\1/p' \
++ -e 's/^\([^ ]*\) [ABD] __bss_stop$$/+0x\1/p') )) )
+ LDFLAGS_vmlinux = --defsym _kernel_bss_size=$(KBSS_SZ)
+ # Supply ZRELADDR to the decompressor via a linker symbol.
+ ifneq ($(CONFIG_AUTO_ZRELADDR),y)
--- /dev/null
+From 1d88358a89dbac9c7d4559548b9a44840456e6fb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marek=20Beh=C3=BAn?= <kabel@kernel.org>
+Date: Thu, 14 Jan 2021 13:40:23 +0100
+Subject: arm64: dts: marvell: armada-37xx: add syscon compatible to NB clk node
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marek Behún <kabel@kernel.org>
+
+commit 1d88358a89dbac9c7d4559548b9a44840456e6fb upstream.
+
+Add "syscon" compatible to the North Bridge clocks node to allow the
+cpufreq driver to access these registers via syscon API.
+
+This is needed for a fix of cpufreq driver.
+
+Signed-off-by: Marek Behún <kabel@kernel.org>
+Fixes: e8d66e7927b2 ("arm64: dts: marvell: armada-37xx: add nodes...")
+Cc: stable@vger.kernel.org
+Cc: Gregory CLEMENT <gregory.clement@free-electrons.com>
+Cc: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/marvell/armada-37xx.dtsi | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/boot/dts/marvell/armada-37xx.dtsi
++++ b/arch/arm64/boot/dts/marvell/armada-37xx.dtsi
+@@ -156,7 +156,8 @@
+ };
+
+ nb_periph_clk: nb-periph-clk@13000 {
+- compatible = "marvell,armada-3700-periph-clock-nb";
++ compatible = "marvell,armada-3700-periph-clock-nb",
++ "syscon";
+ reg = <0x13000 0x100>;
+ clocks = <&tbg 0>, <&tbg 1>, <&tbg 2>,
+ <&tbg 3>, <&xtalclk>;
--- /dev/null
+From e4e5d030bd779fb8321d3b8bd65406fbe0827037 Mon Sep 17 00:00:00 2001
+From: Chunfeng Yun <chunfeng.yun@mediatek.com>
+Date: Tue, 16 Mar 2021 17:22:24 +0800
+Subject: arm64: dts: mt8173: fix property typo of 'phys' in dsi node
+
+From: Chunfeng Yun <chunfeng.yun@mediatek.com>
+
+commit e4e5d030bd779fb8321d3b8bd65406fbe0827037 upstream.
+
+Use 'phys' instead of 'phy'.
+
+Fixes: 81ad4dbaf7af ("arm64: dts: mt8173: Add display subsystem related nodes")
+Signed-off-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
+Reviewed-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210316092232.9806-5-chunfeng.yun@mediatek.com
+Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/mediatek/mt8173.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/boot/dts/mediatek/mt8173.dtsi
++++ b/arch/arm64/boot/dts/mediatek/mt8173.dtsi
+@@ -1235,7 +1235,7 @@
+ <&mmsys CLK_MM_DSI1_DIGITAL>,
+ <&mipi_tx1>;
+ clock-names = "engine", "digital", "hs";
+- phy = <&mipi_tx1>;
++ phys = <&mipi_tx1>;
+ phy-names = "dphy";
+ status = "disabled";
+ };
--- /dev/null
+From 7b1ae248279bea33af9e797a93c35f49601cb8a0 Mon Sep 17 00:00:00 2001
+From: Shuo Chen <shuochen@google.com>
+Date: Wed, 14 Apr 2021 14:24:00 -0700
+Subject: dyndbg: fix parsing file query without a line-range suffix
+
+From: Shuo Chen <shuochen@google.com>
+
+commit 7b1ae248279bea33af9e797a93c35f49601cb8a0 upstream.
+
+Query like 'file tcp_input.c line 1234 +p' was broken by
+commit aaebe329bff0 ("dyndbg: accept 'file foo.c:func1' and 'file
+foo.c:10-100'") because a file name without a ':' now makes the loop in
+ddebug_parse_query() exits early before parsing the 'line 1234' part.
+As a result, all pr_debug() in tcp_input.c will be enabled, instead of only
+the one on line 1234. Changing 'break' to 'continue' fixes this.
+
+Fixes: aaebe329bff0 ("dyndbg: accept 'file foo.c:func1' and 'file foo.c:10-100'")
+Cc: stable <stable@vger.kernel.org>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Shuo Chen <shuochen@google.com>
+Acked-by: Jason Baron <jbaron@akamai.com>
+Link: https://lore.kernel.org/r/20210414212400.2927281-1-giantchen@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/dynamic_debug.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/dynamic_debug.c
++++ b/lib/dynamic_debug.c
+@@ -396,7 +396,7 @@ static int ddebug_parse_query(char *word
+ /* tail :$info is function or line-range */
+ fline = strchr(query->filename, ':');
+ if (!fline)
+- break;
++ continue;
+ *fline++ = '\0';
+ if (isalpha(*fline) || *fline == '*' || *fline == '?') {
+ /* take as function name */
--- /dev/null
+From 9046625511ad8dfbc8c6c2de16b3532c43d68d48 Mon Sep 17 00:00:00 2001
+From: Jeffrey Mitchell <jeffrey.mitchell@starlab.io>
+Date: Fri, 26 Feb 2021 15:00:23 -0600
+Subject: ecryptfs: fix kernel panic with null dev_name
+
+From: Jeffrey Mitchell <jeffrey.mitchell@starlab.io>
+
+commit 9046625511ad8dfbc8c6c2de16b3532c43d68d48 upstream.
+
+When mounting eCryptfs, a null "dev_name" argument to ecryptfs_mount()
+causes a kernel panic if the parsed options are valid. The easiest way to
+reproduce this is to call mount() from userspace with an existing
+eCryptfs mount's options and a "source" argument of 0.
+
+Error out if "dev_name" is null in ecryptfs_mount()
+
+Fixes: 237fead61998 ("[PATCH] ecryptfs: fs/Makefile and fs/Kconfig")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jeffrey Mitchell <jeffrey.mitchell@starlab.io>
+Signed-off-by: Tyler Hicks <code@tyhicks.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ecryptfs/main.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/ecryptfs/main.c
++++ b/fs/ecryptfs/main.c
+@@ -492,6 +492,12 @@ static struct dentry *ecryptfs_mount(str
+ goto out;
+ }
+
++ if (!dev_name) {
++ rc = -EINVAL;
++ err = "Device name cannot be null";
++ goto out;
++ }
++
+ rc = ecryptfs_parse_options(sbi, raw_data, &check_ruid);
+ if (rc) {
+ err = "Error parsing options";
--- /dev/null
+From 24a806d849c0b0c1d0cd6a6b93ba4ae4c0ec9f08 Mon Sep 17 00:00:00 2001
+From: Gao Xiang <hsiangkao@redhat.com>
+Date: Mon, 29 Mar 2021 08:36:14 +0800
+Subject: erofs: add unsupported inode i_format check
+
+From: Gao Xiang <hsiangkao@redhat.com>
+
+commit 24a806d849c0b0c1d0cd6a6b93ba4ae4c0ec9f08 upstream.
+
+If any unknown i_format fields are set (may be of some new incompat
+inode features), mark such inode as unsupported.
+
+Just in case of any new incompat i_format fields added in the future.
+
+Link: https://lore.kernel.org/r/20210329003614.6583-1-hsiangkao@aol.com
+Fixes: 431339ba9042 ("staging: erofs: add inode operations")
+Cc: <stable@vger.kernel.org> # 4.19+
+Signed-off-by: Gao Xiang <hsiangkao@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/erofs/erofs_fs.h | 3 +++
+ fs/erofs/inode.c | 7 +++++++
+ 2 files changed, 10 insertions(+)
+
+--- a/fs/erofs/erofs_fs.h
++++ b/fs/erofs/erofs_fs.h
+@@ -75,6 +75,9 @@ static inline bool erofs_inode_is_data_c
+ #define EROFS_I_VERSION_BIT 0
+ #define EROFS_I_DATALAYOUT_BIT 1
+
++#define EROFS_I_ALL \
++ ((1 << (EROFS_I_DATALAYOUT_BIT + EROFS_I_DATALAYOUT_BITS)) - 1)
++
+ /* 32-byte reduced form of an ondisk inode */
+ struct erofs_inode_compact {
+ __le16 i_format; /* inode format hints */
+--- a/fs/erofs/inode.c
++++ b/fs/erofs/inode.c
+@@ -44,6 +44,13 @@ static struct page *erofs_read_inode(str
+ dic = page_address(page) + *ofs;
+ ifmt = le16_to_cpu(dic->i_format);
+
++ if (ifmt & ~EROFS_I_ALL) {
++ erofs_err(inode->i_sb, "unsupported i_format %u of nid %llu",
++ ifmt, vi->nid);
++ err = -EOPNOTSUPP;
++ goto err_out;
++ }
++
+ vi->datalayout = erofs_inode_datalayout(ifmt);
+ if (vi->datalayout >= EROFS_INODE_DATALAYOUT_MAX) {
+ erofs_err(inode->i_sb, "unsupported datalayout %u of nid %llu",
--- /dev/null
+From 7fab29e356309ff93a4b30ecc466129682ec190b Mon Sep 17 00:00:00 2001
+From: Davidlohr Bueso <dave@stgolabs.net>
+Date: Thu, 6 May 2021 18:04:07 -0700
+Subject: fs/epoll: restore waking from ep_done_scan()
+
+From: Davidlohr Bueso <dave@stgolabs.net>
+
+commit 7fab29e356309ff93a4b30ecc466129682ec190b upstream.
+
+Commit 339ddb53d373 ("fs/epoll: remove unnecessary wakeups of nested
+epoll") changed the userspace visible behavior of exclusive waiters
+blocked on a common epoll descriptor upon a single event becoming ready.
+
+Previously, all tasks doing epoll_wait would awake, and now only one is
+awoken, potentially causing missed wakeups on applications that rely on
+this behavior, such as Apache Qpid.
+
+While the aforementioned commit aims at having only a wakeup single path
+in ep_poll_callback (with the exceptions of epoll_ctl cases), we need to
+restore the wakeup in what was the old ep_scan_ready_list() such that
+the next thread can be awoken, in a cascading style, after the waker's
+corresponding ep_send_events().
+
+Link: https://lkml.kernel.org/r/20210405231025.33829-3-dave@stgolabs.net
+Fixes: 339ddb53d373 ("fs/epoll: remove unnecessary wakeups of nested epoll")
+Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Jason Baron <jbaron@akamai.com>
+Cc: Roman Penyaev <rpenyaev@suse.de>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/eventpoll.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/eventpoll.c
++++ b/fs/eventpoll.c
+@@ -657,6 +657,12 @@ static void ep_done_scan(struct eventpol
+ */
+ list_splice(txlist, &ep->rdllist);
+ __pm_relax(ep->ws);
++
++ if (!list_empty(&ep->rdllist)) {
++ if (waitqueue_active(&ep->wq))
++ wake_up(&ep->wq);
++ }
++
+ write_unlock_irq(&ep->lock);
+ }
+
--- /dev/null
+From 8c9af478c06bb1ab1422f90d8ecbc53defd44bc3 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
+Date: Wed, 5 May 2021 10:38:24 -0400
+Subject: ftrace: Handle commands when closing set_ftrace_filter file
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+commit 8c9af478c06bb1ab1422f90d8ecbc53defd44bc3 upstream.
+
+ # echo switch_mm:traceoff > /sys/kernel/tracing/set_ftrace_filter
+
+will cause switch_mm to stop tracing by the traceoff command.
+
+ # echo -n switch_mm:traceoff > /sys/kernel/tracing/set_ftrace_filter
+
+does nothing.
+
+The reason is that the parsing in the write function only processes
+commands if it finished parsing (there is white space written after the
+command). That's to handle:
+
+ write(fd, "switch_mm:", 10);
+ write(fd, "traceoff", 8);
+
+cases, where the command is broken over multiple writes.
+
+The problem is if the file descriptor is closed, then the write call is
+not processed, and the command needs to be processed in the release code.
+The release code can handle matching of functions, but does not handle
+commands.
+
+Cc: stable@vger.kernel.org
+Fixes: eda1e32855656 ("tracing: handle broken names in ftrace filter")
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/ftrace.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -5631,7 +5631,10 @@ int ftrace_regex_release(struct inode *i
+
+ parser = &iter->parser;
+ if (trace_parser_loaded(parser)) {
+- ftrace_match_records(iter->hash, parser->buffer, parser->idx);
++ int enable = !(iter->flags & FTRACE_ITER_NOTRACE);
++
++ ftrace_process_regex(iter, parser->buffer,
++ parser->idx, enable);
+ }
+
+ trace_parser_put(parser);
--- /dev/null
+From 3f1c6f2122fc780560f09735b6d1dbf39b44eb0f Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Mon, 3 May 2021 17:09:01 +0200
+Subject: libceph: allow addrvecs with a single NONE/blank address
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+commit 3f1c6f2122fc780560f09735b6d1dbf39b44eb0f upstream.
+
+Normally, an unused OSD id/slot is represented by an empty addrvec.
+However, it also appears to be possible to generate an osdmap where
+an unused OSD id/slot has an addrvec with a single blank address of
+type NONE. Allow such addrvecs and make the end result be exactly
+the same as for the empty addrvec case -- leave addr intact.
+
+Cc: stable@vger.kernel.org # 5.11+
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ceph/decode.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+--- a/net/ceph/decode.c
++++ b/net/ceph/decode.c
+@@ -4,6 +4,7 @@
+ #include <linux/inet.h>
+
+ #include <linux/ceph/decode.h>
++#include <linux/ceph/messenger.h> /* for ceph_pr_addr() */
+
+ static int
+ ceph_decode_entity_addr_versioned(void **p, void *end,
+@@ -110,6 +111,7 @@ int ceph_decode_entity_addrvec(void **p,
+ }
+
+ ceph_decode_32_safe(p, end, addr_cnt, e_inval);
++ dout("%s addr_cnt %d\n", __func__, addr_cnt);
+
+ found = false;
+ for (i = 0; i < addr_cnt; i++) {
+@@ -117,6 +119,7 @@ int ceph_decode_entity_addrvec(void **p,
+ if (ret)
+ return ret;
+
++ dout("%s i %d addr %s\n", __func__, i, ceph_pr_addr(&tmp_addr));
+ if (tmp_addr.type == my_type) {
+ if (found) {
+ pr_err("another match of type %d in addrvec\n",
+@@ -128,13 +131,18 @@ int ceph_decode_entity_addrvec(void **p,
+ found = true;
+ }
+ }
+- if (!found && addr_cnt != 0) {
+- pr_err("no match of type %d in addrvec\n",
+- le32_to_cpu(my_type));
+- return -ENOENT;
+- }
+
+- return 0;
++ if (found)
++ return 0;
++
++ if (!addr_cnt)
++ return 0; /* normal -- e.g. unused OSD id/slot */
++
++ if (addr_cnt == 1 && !memchr_inv(&tmp_addr, 0, sizeof(tmp_addr)))
++ return 0; /* weird but effectively the same as !addr_cnt */
++
++ pr_err("no match of type %d in addrvec\n", le32_to_cpu(my_type));
++ return -ENOENT;
+
+ e_inval:
+ return -EINVAL;
--- /dev/null
+From 7807dafda21a549403d922da98dde0ddfeb70d08 Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Wed, 14 Apr 2021 10:38:40 +0200
+Subject: libceph: bump CephXAuthenticate encoding version
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+commit 7807dafda21a549403d922da98dde0ddfeb70d08 upstream.
+
+A dummy v3 encoding (exactly the same as v2) was introduced so that
+the monitors can distinguish broken clients that may not include their
+auth ticket in CEPHX_GET_AUTH_SESSION_KEY request on reconnects, thus
+failing to prove previous possession of their global_id (one part of
+CVE-2021-20288).
+
+The kernel client has always included its auth ticket, so it is
+compatible with enforcing mode as is. However we want to bump the
+encoding version to avoid having to authenticate twice on the initial
+connect -- all legacy (CephXAuthenticate < v3) are now forced do so in
+order to expose insecure global_id reclaim.
+
+Marking for stable since at least for 5.11 and 5.12 it is trivial
+(v2 -> v3).
+
+Cc: stable@vger.kernel.org # 5.11+
+URL: https://tracker.ceph.com/issues/50452
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Reviewed-by: Sage Weil <sage@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ceph/auth_x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ceph/auth_x.c
++++ b/net/ceph/auth_x.c
+@@ -526,7 +526,7 @@ static int ceph_x_build_request(struct c
+ if (ret < 0)
+ return ret;
+
+- auth->struct_v = 2; /* nautilus+ */
++ auth->struct_v = 3; /* nautilus+ */
+ auth->key = 0;
+ for (u = (u64 *)enc_buf; u + 1 <= (u64 *)(enc_buf + ret); u++)
+ auth->key ^= *(__le64 *)u;
--- /dev/null
+From 61ca49a9105faefa003b37542cebad8722f8ae22 Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Mon, 26 Apr 2021 19:11:37 +0200
+Subject: libceph: don't set global_id until we get an auth ticket
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+commit 61ca49a9105faefa003b37542cebad8722f8ae22 upstream.
+
+With the introduction of enforcing mode, setting global_id as soon
+as we get it in the first MAuth reply will result in EACCES if the
+connection is reset before we get the second MAuth reply containing
+an auth ticket -- because on retry we would attempt to reclaim that
+global_id with no auth ticket at hand.
+
+Neither ceph_auth_client nor ceph_mon_client depend on global_id
+being set ealy, so just delay the setting until we get and process
+the second MAuth reply. While at it, complain if the monitor sends
+a zero global_id or changes our global_id as the session is likely
+to fail after that.
+
+Cc: stable@vger.kernel.org # needs backporting for < 5.11
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Reviewed-by: Sage Weil <sage@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ceph/auth.c | 36 +++++++++++++++++++++++-------------
+ 1 file changed, 23 insertions(+), 13 deletions(-)
+
+--- a/net/ceph/auth.c
++++ b/net/ceph/auth.c
+@@ -36,6 +36,20 @@ static int init_protocol(struct ceph_aut
+ }
+ }
+
++static void set_global_id(struct ceph_auth_client *ac, u64 global_id)
++{
++ dout("%s global_id %llu\n", __func__, global_id);
++
++ if (!global_id)
++ pr_err("got zero global_id\n");
++
++ if (ac->global_id && global_id != ac->global_id)
++ pr_err("global_id changed from %llu to %llu\n", ac->global_id,
++ global_id);
++
++ ac->global_id = global_id;
++}
++
+ /*
+ * setup, teardown.
+ */
+@@ -222,11 +236,6 @@ int ceph_handle_auth_reply(struct ceph_a
+
+ payload_end = payload + payload_len;
+
+- if (global_id && ac->global_id != global_id) {
+- dout(" set global_id %lld -> %lld\n", ac->global_id, global_id);
+- ac->global_id = global_id;
+- }
+-
+ if (ac->negotiating) {
+ /* server does not support our protocols? */
+ if (!protocol && result < 0) {
+@@ -253,11 +262,16 @@ int ceph_handle_auth_reply(struct ceph_a
+
+ ret = ac->ops->handle_reply(ac, result, payload, payload_end,
+ NULL, NULL, NULL, NULL);
+- if (ret == -EAGAIN)
++ if (ret == -EAGAIN) {
+ ret = build_request(ac, true, reply_buf, reply_len);
+- else if (ret)
++ goto out;
++ } else if (ret) {
+ pr_err("auth protocol '%s' mauth authentication failed: %d\n",
+ ceph_auth_proto_name(ac->protocol), result);
++ goto out;
++ }
++
++ set_global_id(ac, global_id);
+
+ out:
+ mutex_unlock(&ac->mutex);
+@@ -484,15 +498,11 @@ int ceph_auth_handle_reply_done(struct c
+ int ret;
+
+ mutex_lock(&ac->mutex);
+- if (global_id && ac->global_id != global_id) {
+- dout("%s global_id %llu -> %llu\n", __func__, ac->global_id,
+- global_id);
+- ac->global_id = global_id;
+- }
+-
+ ret = ac->ops->handle_reply(ac, 0, reply, reply + reply_len,
+ session_key, session_key_len,
+ con_secret, con_secret_len);
++ if (!ret)
++ set_global_id(ac, global_id);
+ mutex_unlock(&ac->mutex);
+ return ret;
+ }
--- /dev/null
+From 97fce126e279690105ee15be652b465fd96f9997 Mon Sep 17 00:00:00 2001
+From: Avri Altman <avri.altman@wdc.com>
+Date: Sun, 25 Apr 2021 09:02:06 +0300
+Subject: mmc: block: Issue a cache flush only when it's enabled
+
+From: Avri Altman <avri.altman@wdc.com>
+
+commit 97fce126e279690105ee15be652b465fd96f9997 upstream.
+
+In command queueing mode, the cache isn't flushed via the mmc_flush_cache()
+function, but instead by issuing a CMDQ_TASK_MGMT (CMD48) with a
+FLUSH_CACHE opcode. In this path, we need to check if cache has been
+enabled, before deciding to flush the cache, along the lines of what's
+being done in mmc_flush_cache().
+
+To fix this problem, let's add a new bus ops callback ->cache_enabled() and
+implement it for the mmc bus type. In this way, the mmc block device driver
+can call it to know whether cache flushing should be done.
+
+Fixes: 1e8e55b67030 (mmc: block: Add CQE support)
+Cc: stable@vger.kernel.org
+Reported-by: Brendan Peter <bpeter@lytx.com>
+Signed-off-by: Avri Altman <avri.altman@wdc.com>
+Tested-by: Brendan Peter <bpeter@lytx.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Link: https://lore.kernel.org/r/20210425060207.2591-2-avri.altman@wdc.com
+Link: https://lore.kernel.org/r/20210425060207.2591-3-avri.altman@wdc.com
+[Ulf: Squashed the two patches and made some minor updates]
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/block.c | 4 ++++
+ drivers/mmc/core/core.h | 9 +++++++++
+ drivers/mmc/core/mmc.c | 7 +++++++
+ drivers/mmc/core/mmc_ops.c | 4 +---
+ 4 files changed, 21 insertions(+), 3 deletions(-)
+
+--- a/drivers/mmc/core/block.c
++++ b/drivers/mmc/core/block.c
+@@ -2236,6 +2236,10 @@ enum mmc_issued mmc_blk_mq_issue_rq(stru
+ case MMC_ISSUE_ASYNC:
+ switch (req_op(req)) {
+ case REQ_OP_FLUSH:
++ if (!mmc_cache_enabled(host)) {
++ blk_mq_end_request(req, BLK_STS_OK);
++ return MMC_REQ_FINISHED;
++ }
+ ret = mmc_blk_cqe_issue_flush(mq, req);
+ break;
+ case REQ_OP_READ:
+--- a/drivers/mmc/core/core.h
++++ b/drivers/mmc/core/core.h
+@@ -29,6 +29,7 @@ struct mmc_bus_ops {
+ int (*shutdown)(struct mmc_host *);
+ int (*hw_reset)(struct mmc_host *);
+ int (*sw_reset)(struct mmc_host *);
++ bool (*cache_enabled)(struct mmc_host *);
+ };
+
+ void mmc_attach_bus(struct mmc_host *host, const struct mmc_bus_ops *ops);
+@@ -171,4 +172,12 @@ static inline void mmc_post_req(struct m
+ host->ops->post_req(host, mrq, err);
+ }
+
++static inline bool mmc_cache_enabled(struct mmc_host *host)
++{
++ if (host->bus_ops->cache_enabled)
++ return host->bus_ops->cache_enabled(host);
++
++ return false;
++}
++
+ #endif
+--- a/drivers/mmc/core/mmc.c
++++ b/drivers/mmc/core/mmc.c
+@@ -2029,6 +2029,12 @@ static void mmc_detect(struct mmc_host *
+ }
+ }
+
++static bool _mmc_cache_enabled(struct mmc_host *host)
++{
++ return host->card->ext_csd.cache_size > 0 &&
++ host->card->ext_csd.cache_ctrl & 1;
++}
++
+ static int _mmc_suspend(struct mmc_host *host, bool is_suspend)
+ {
+ int err = 0;
+@@ -2208,6 +2214,7 @@ static const struct mmc_bus_ops mmc_ops
+ .alive = mmc_alive,
+ .shutdown = mmc_shutdown,
+ .hw_reset = _mmc_hw_reset,
++ .cache_enabled = _mmc_cache_enabled,
+ };
+
+ /*
+--- a/drivers/mmc/core/mmc_ops.c
++++ b/drivers/mmc/core/mmc_ops.c
+@@ -988,9 +988,7 @@ int mmc_flush_cache(struct mmc_card *car
+ {
+ int err = 0;
+
+- if (mmc_card_mmc(card) &&
+- (card->ext_csd.cache_size > 0) &&
+- (card->ext_csd.cache_ctrl & 1)) {
++ if (mmc_cache_enabled(card->host)) {
+ err = mmc_switch(card, EXT_CSD_CMD_SET_NORMAL,
+ EXT_CSD_FLUSH_CACHE, 1,
+ MMC_CACHE_FLUSH_TIMEOUT_MS);
--- /dev/null
+From aea0440ad023ab0662299326f941214b0d7480bd Mon Sep 17 00:00:00 2001
+From: Avri Altman <avri.altman@wdc.com>
+Date: Tue, 20 Apr 2021 16:46:41 +0300
+Subject: mmc: block: Update ext_csd.cache_ctrl if it was written
+
+From: Avri Altman <avri.altman@wdc.com>
+
+commit aea0440ad023ab0662299326f941214b0d7480bd upstream.
+
+The cache function can be turned ON and OFF by writing to the CACHE_CTRL
+byte (EXT_CSD byte [33]). However, card->ext_csd.cache_ctrl is only
+set on init if cache size > 0.
+
+Fix that by explicitly setting ext_csd.cache_ctrl on ext-csd write.
+
+Signed-off-by: Avri Altman <avri.altman@wdc.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20210420134641.57343-3-avri.altman@wdc.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/block.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/mmc/core/block.c
++++ b/drivers/mmc/core/block.c
+@@ -573,6 +573,18 @@ static int __mmc_blk_ioctl_cmd(struct mm
+ }
+
+ /*
++ * Make sure to update CACHE_CTRL in case it was changed. The cache
++ * will get turned back on if the card is re-initialized, e.g.
++ * suspend/resume or hw reset in recovery.
++ */
++ if ((MMC_EXTRACT_INDEX_FROM_ARG(cmd.arg) == EXT_CSD_CACHE_CTRL) &&
++ (cmd.opcode == MMC_SWITCH)) {
++ u8 value = MMC_EXTRACT_VALUE_FROM_ARG(cmd.arg) & 1;
++
++ card->ext_csd.cache_ctrl = value;
++ }
++
++ /*
+ * According to the SD specs, some commands require a delay after
+ * issuing the command.
+ */
--- /dev/null
+From 147186f531ae49c18b7a9091a2c40e83b3d95649 Mon Sep 17 00:00:00 2001
+From: DooHyun Hwang <dh0421.hwang@samsung.com>
+Date: Wed, 10 Feb 2021 13:59:36 +0900
+Subject: mmc: core: Do a power cycle when the CMD11 fails
+
+From: DooHyun Hwang <dh0421.hwang@samsung.com>
+
+commit 147186f531ae49c18b7a9091a2c40e83b3d95649 upstream.
+
+A CMD11 is sent to the SD/SDIO card to start the voltage switch procedure
+into 1.8V I/O. According to the SD spec a power cycle is needed of the
+card, if it turns out that the CMD11 fails. Let's fix this, to allow a
+retry of the initialization without the voltage switch, to succeed.
+
+Note that, whether it makes sense to also retry with the voltage switch
+after the power cycle is a bit more difficult to know. At this point, we
+treat it like the CMD11 isn't supported and therefore we skip it when
+retrying.
+
+Signed-off-by: DooHyun Hwang <dh0421.hwang@samsung.com>
+Link: https://lore.kernel.org/r/20210210045936.7809-1-dh0421.hwang@samsung.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/core/core.c
++++ b/drivers/mmc/core/core.c
+@@ -1207,7 +1207,7 @@ int mmc_set_uhs_voltage(struct mmc_host
+
+ err = mmc_wait_for_cmd(host, &cmd, 0);
+ if (err)
+- return err;
++ goto power_cycle;
+
+ if (!mmc_host_is_spi(host) && (cmd.resp[0] & R1_ERROR))
+ return -EIO;
--- /dev/null
+From 17a17bf50612e6048a9975450cf1bd30f93815b5 Mon Sep 17 00:00:00 2001
+From: Ulf Hansson <ulf.hansson@linaro.org>
+Date: Wed, 10 Mar 2021 16:29:00 +0100
+Subject: mmc: core: Fix hanging on I/O during system suspend for removable cards
+
+From: Ulf Hansson <ulf.hansson@linaro.org>
+
+commit 17a17bf50612e6048a9975450cf1bd30f93815b5 upstream.
+
+The mmc core uses a PM notifier to temporarily during system suspend, turn
+off the card detection mechanism for removal/insertion of (e)MMC/SD/SDIO
+cards. Additionally, the notifier may be used to remove an SDIO card
+entirely, if a corresponding SDIO functional driver don't have the system
+suspend/resume callbacks assigned. This behaviour has been around for a
+very long time.
+
+However, a recent bug report tells us there are problems with this
+approach. More precisely, when receiving the PM_SUSPEND_PREPARE
+notification, we may end up hanging on I/O to be completed, thus also
+preventing the system from getting suspended.
+
+In the end what happens, is that the cancel_delayed_work_sync() in
+mmc_pm_notify() ends up waiting for mmc_rescan() to complete - and since
+mmc_rescan() wants to claim the host, it needs to wait for the I/O to be
+completed first.
+
+Typically, this problem is triggered in Android, if there is ongoing I/O
+while the user decides to suspend, resume and then suspend the system
+again. This due to that after the resume, an mmc_rescan() work gets punted
+to the workqueue, which job is to verify that the card remains inserted
+after the system has resumed.
+
+To fix this problem, userspace needs to become frozen to suspend the I/O,
+prior to turning off the card detection mechanism. Therefore, let's drop
+the PM notifiers for mmc subsystem altogether and rely on the card
+detection to be turned off/on as a part of the system_freezable_wq, that we
+are already using.
+
+Moreover, to allow and SDIO card to be removed during system suspend, let's
+manage this from a ->prepare() callback, assigned at the mmc_host_class
+level. In this way, we can use the parent device (the mmc_host_class
+device), to remove the card device that is the child, in the
+device_prepare() phase.
+
+Reported-by: Kiwoong Kim <kwmad.kim@samsung.com>
+Cc: stable@vger.kernel.org # v4.5+
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://lore.kernel.org/r/20210310152900.149380-1-ulf.hansson@linaro.org
+Reviewed-by: Kiwoong Kim <kwmad.kim@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/core.c | 74 -----------------------------------------------
+ drivers/mmc/core/core.h | 8 -----
+ drivers/mmc/core/host.c | 40 +++++++++++++++++++++++--
+ drivers/mmc/core/sdio.c | 28 +++++++++++++----
+ include/linux/mmc/host.h | 3 -
+ 5 files changed, 59 insertions(+), 94 deletions(-)
+
+--- a/drivers/mmc/core/core.c
++++ b/drivers/mmc/core/core.c
+@@ -2369,80 +2369,6 @@ void mmc_stop_host(struct mmc_host *host
+ mmc_release_host(host);
+ }
+
+-#ifdef CONFIG_PM_SLEEP
+-/* Do the card removal on suspend if card is assumed removeable
+- * Do that in pm notifier while userspace isn't yet frozen, so we will be able
+- to sync the card.
+-*/
+-static int mmc_pm_notify(struct notifier_block *notify_block,
+- unsigned long mode, void *unused)
+-{
+- struct mmc_host *host = container_of(
+- notify_block, struct mmc_host, pm_notify);
+- unsigned long flags;
+- int err = 0;
+-
+- switch (mode) {
+- case PM_HIBERNATION_PREPARE:
+- case PM_SUSPEND_PREPARE:
+- case PM_RESTORE_PREPARE:
+- spin_lock_irqsave(&host->lock, flags);
+- host->rescan_disable = 1;
+- spin_unlock_irqrestore(&host->lock, flags);
+- cancel_delayed_work_sync(&host->detect);
+-
+- if (!host->bus_ops)
+- break;
+-
+- /* Validate prerequisites for suspend */
+- if (host->bus_ops->pre_suspend)
+- err = host->bus_ops->pre_suspend(host);
+- if (!err)
+- break;
+-
+- if (!mmc_card_is_removable(host)) {
+- dev_warn(mmc_dev(host),
+- "pre_suspend failed for non-removable host: "
+- "%d\n", err);
+- /* Avoid removing non-removable hosts */
+- break;
+- }
+-
+- /* Calling bus_ops->remove() with a claimed host can deadlock */
+- host->bus_ops->remove(host);
+- mmc_claim_host(host);
+- mmc_detach_bus(host);
+- mmc_power_off(host);
+- mmc_release_host(host);
+- host->pm_flags = 0;
+- break;
+-
+- case PM_POST_SUSPEND:
+- case PM_POST_HIBERNATION:
+- case PM_POST_RESTORE:
+-
+- spin_lock_irqsave(&host->lock, flags);
+- host->rescan_disable = 0;
+- spin_unlock_irqrestore(&host->lock, flags);
+- _mmc_detect_change(host, 0, false);
+-
+- }
+-
+- return 0;
+-}
+-
+-void mmc_register_pm_notifier(struct mmc_host *host)
+-{
+- host->pm_notify.notifier_call = mmc_pm_notify;
+- register_pm_notifier(&host->pm_notify);
+-}
+-
+-void mmc_unregister_pm_notifier(struct mmc_host *host)
+-{
+- unregister_pm_notifier(&host->pm_notify);
+-}
+-#endif
+-
+ static int __init mmc_init(void)
+ {
+ int ret;
+--- a/drivers/mmc/core/core.h
++++ b/drivers/mmc/core/core.h
+@@ -94,14 +94,6 @@ int mmc_execute_tuning(struct mmc_card *
+ int mmc_hs200_to_hs400(struct mmc_card *card);
+ int mmc_hs400_to_hs200(struct mmc_card *card);
+
+-#ifdef CONFIG_PM_SLEEP
+-void mmc_register_pm_notifier(struct mmc_host *host);
+-void mmc_unregister_pm_notifier(struct mmc_host *host);
+-#else
+-static inline void mmc_register_pm_notifier(struct mmc_host *host) { }
+-static inline void mmc_unregister_pm_notifier(struct mmc_host *host) { }
+-#endif
+-
+ void mmc_wait_for_req_done(struct mmc_host *host, struct mmc_request *mrq);
+ bool mmc_is_req_done(struct mmc_host *host, struct mmc_request *mrq);
+
+--- a/drivers/mmc/core/host.c
++++ b/drivers/mmc/core/host.c
+@@ -35,6 +35,42 @@
+
+ static DEFINE_IDA(mmc_host_ida);
+
++#ifdef CONFIG_PM_SLEEP
++static int mmc_host_class_prepare(struct device *dev)
++{
++ struct mmc_host *host = cls_dev_to_mmc_host(dev);
++
++ /*
++ * It's safe to access the bus_ops pointer, as both userspace and the
++ * workqueue for detecting cards are frozen at this point.
++ */
++ if (!host->bus_ops)
++ return 0;
++
++ /* Validate conditions for system suspend. */
++ if (host->bus_ops->pre_suspend)
++ return host->bus_ops->pre_suspend(host);
++
++ return 0;
++}
++
++static void mmc_host_class_complete(struct device *dev)
++{
++ struct mmc_host *host = cls_dev_to_mmc_host(dev);
++
++ _mmc_detect_change(host, 0, false);
++}
++
++static const struct dev_pm_ops mmc_host_class_dev_pm_ops = {
++ .prepare = mmc_host_class_prepare,
++ .complete = mmc_host_class_complete,
++};
++
++#define MMC_HOST_CLASS_DEV_PM_OPS (&mmc_host_class_dev_pm_ops)
++#else
++#define MMC_HOST_CLASS_DEV_PM_OPS NULL
++#endif
++
+ static void mmc_host_classdev_release(struct device *dev)
+ {
+ struct mmc_host *host = cls_dev_to_mmc_host(dev);
+@@ -46,6 +82,7 @@ static void mmc_host_classdev_release(st
+ static struct class mmc_host_class = {
+ .name = "mmc_host",
+ .dev_release = mmc_host_classdev_release,
++ .pm = MMC_HOST_CLASS_DEV_PM_OPS,
+ };
+
+ int mmc_register_host_class(void)
+@@ -538,8 +575,6 @@ int mmc_add_host(struct mmc_host *host)
+ #endif
+
+ mmc_start_host(host);
+- mmc_register_pm_notifier(host);
+-
+ return 0;
+ }
+
+@@ -555,7 +590,6 @@ EXPORT_SYMBOL(mmc_add_host);
+ */
+ void mmc_remove_host(struct mmc_host *host)
+ {
+- mmc_unregister_pm_notifier(host);
+ mmc_stop_host(host);
+
+ #ifdef CONFIG_DEBUG_FS
+--- a/drivers/mmc/core/sdio.c
++++ b/drivers/mmc/core/sdio.c
+@@ -985,21 +985,37 @@ out:
+ */
+ static int mmc_sdio_pre_suspend(struct mmc_host *host)
+ {
+- int i, err = 0;
++ int i;
+
+ for (i = 0; i < host->card->sdio_funcs; i++) {
+ struct sdio_func *func = host->card->sdio_func[i];
+ if (func && sdio_func_present(func) && func->dev.driver) {
+ const struct dev_pm_ops *pmops = func->dev.driver->pm;
+- if (!pmops || !pmops->suspend || !pmops->resume) {
++ if (!pmops || !pmops->suspend || !pmops->resume)
+ /* force removal of entire card in that case */
+- err = -ENOSYS;
+- break;
+- }
++ goto remove;
+ }
+ }
+
+- return err;
++ return 0;
++
++remove:
++ if (!mmc_card_is_removable(host)) {
++ dev_warn(mmc_dev(host),
++ "missing suspend/resume ops for non-removable SDIO card\n");
++ /* Don't remove a non-removable card - we can't re-detect it. */
++ return 0;
++ }
++
++ /* Remove the SDIO card and let it be re-detected later on. */
++ mmc_sdio_remove(host);
++ mmc_claim_host(host);
++ mmc_detach_bus(host);
++ mmc_power_off(host);
++ mmc_release_host(host);
++ host->pm_flags = 0;
++
++ return 0;
+ }
+
+ /*
+--- a/include/linux/mmc/host.h
++++ b/include/linux/mmc/host.h
+@@ -302,9 +302,6 @@ struct mmc_host {
+ u32 ocr_avail_sdio; /* SDIO-specific OCR */
+ u32 ocr_avail_sd; /* SD-specific OCR */
+ u32 ocr_avail_mmc; /* MMC-specific OCR */
+-#ifdef CONFIG_PM_SLEEP
+- struct notifier_block pm_notify;
+-#endif
+ struct wakeup_source *ws; /* Enable consume of uevents */
+ u32 max_current_330;
+ u32 max_current_300;
--- /dev/null
+From 917a5336f2c27928be270226ab374ed0cbf3805d Mon Sep 17 00:00:00 2001
+From: Seunghui Lee <sh043.lee@samsung.com>
+Date: Mon, 22 Feb 2021 17:31:56 +0900
+Subject: mmc: core: Set read only for SD cards with permanent write protect bit
+
+From: Seunghui Lee <sh043.lee@samsung.com>
+
+commit 917a5336f2c27928be270226ab374ed0cbf3805d upstream.
+
+Some of SD cards sets permanent write protection bit in their CSD register,
+due to lifespan or internal problem. To avoid unnecessary I/O write
+operations, let's parse the bits in the CSD during initialization and mark
+the card as read only for this case.
+
+Signed-off-by: Seunghui Lee <sh043.lee@samsung.com>
+Link: https://lore.kernel.org/r/20210222083156.19158-1-sh043.lee@samsung.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/sd.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/mmc/core/sd.c
++++ b/drivers/mmc/core/sd.c
+@@ -135,6 +135,9 @@ static int mmc_decode_csd(struct mmc_car
+ csd->erase_size = UNSTUFF_BITS(resp, 39, 7) + 1;
+ csd->erase_size <<= csd->write_blkbits - 9;
+ }
++
++ if (UNSTUFF_BITS(resp, 13, 1))
++ mmc_card_set_readonly(card);
+ break;
+ case 1:
+ /*
+@@ -169,6 +172,9 @@ static int mmc_decode_csd(struct mmc_car
+ csd->write_blkbits = 9;
+ csd->write_partial = 0;
+ csd->erase_size = 1;
++
++ if (UNSTUFF_BITS(resp, 13, 1))
++ mmc_card_set_readonly(card);
+ break;
+ default:
+ pr_err("%s: unrecognised CSD structure version %d\n",
--- /dev/null
+From 21e35e898aa9ef7781632959db8613a5380f2eae Mon Sep 17 00:00:00 2001
+From: Pradeep P V K <pragalla@codeaurora.org>
+Date: Wed, 3 Mar 2021 14:02:11 +0530
+Subject: mmc: sdhci: Check for reset prior to DMA address unmap
+
+From: Pradeep P V K <pragalla@codeaurora.org>
+
+commit 21e35e898aa9ef7781632959db8613a5380f2eae upstream.
+
+For data read commands, SDHC may initiate data transfers even before it
+completely process the command response. In case command itself fails,
+driver un-maps the memory associated with data transfer but this memory
+can still be accessed by SDHC for the already initiated data transfer.
+This scenario can lead to un-mapped memory access error.
+
+To avoid this scenario, reset SDHC (when command fails) prior to
+un-mapping memory. Resetting SDHC ensures that all in-flight data
+transfers are either aborted or completed. So we don't run into this
+scenario.
+
+Swap the reset, un-map steps sequence in sdhci_request_done().
+
+Suggested-by: Veerabhadrarao Badiganti <vbadigan@codeaurora.org>
+Signed-off-by: Pradeep P V K <pragalla@codeaurora.org>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Link: https://lore.kernel.org/r/1614760331-43499-1-git-send-email-pragalla@qti.qualcomm.com
+Cc: stable@vger.kernel.org # v4.9+
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci.c | 60 ++++++++++++++++++++++++-----------------------
+ 1 file changed, 31 insertions(+), 29 deletions(-)
+
+--- a/drivers/mmc/host/sdhci.c
++++ b/drivers/mmc/host/sdhci.c
+@@ -2997,6 +2997,37 @@ static bool sdhci_request_done(struct sd
+ }
+
+ /*
++ * The controller needs a reset of internal state machines
++ * upon error conditions.
++ */
++ if (sdhci_needs_reset(host, mrq)) {
++ /*
++ * Do not finish until command and data lines are available for
++ * reset. Note there can only be one other mrq, so it cannot
++ * also be in mrqs_done, otherwise host->cmd and host->data_cmd
++ * would both be null.
++ */
++ if (host->cmd || host->data_cmd) {
++ spin_unlock_irqrestore(&host->lock, flags);
++ return true;
++ }
++
++ /* Some controllers need this kick or reset won't work here */
++ if (host->quirks & SDHCI_QUIRK_CLOCK_BEFORE_RESET)
++ /* This is to force an update */
++ host->ops->set_clock(host, host->clock);
++
++ /*
++ * Spec says we should do both at the same time, but Ricoh
++ * controllers do not like that.
++ */
++ sdhci_do_reset(host, SDHCI_RESET_CMD);
++ sdhci_do_reset(host, SDHCI_RESET_DATA);
++
++ host->pending_reset = false;
++ }
++
++ /*
+ * Always unmap the data buffers if they were mapped by
+ * sdhci_prepare_data() whenever we finish with a request.
+ * This avoids leaking DMA mappings on error.
+@@ -3059,35 +3090,6 @@ static bool sdhci_request_done(struct sd
+ }
+ }
+
+- /*
+- * The controller needs a reset of internal state machines
+- * upon error conditions.
+- */
+- if (sdhci_needs_reset(host, mrq)) {
+- /*
+- * Do not finish until command and data lines are available for
+- * reset. Note there can only be one other mrq, so it cannot
+- * also be in mrqs_done, otherwise host->cmd and host->data_cmd
+- * would both be null.
+- */
+- if (host->cmd || host->data_cmd) {
+- spin_unlock_irqrestore(&host->lock, flags);
+- return true;
+- }
+-
+- /* Some controllers need this kick or reset won't work here */
+- if (host->quirks & SDHCI_QUIRK_CLOCK_BEFORE_RESET)
+- /* This is to force an update */
+- host->ops->set_clock(host, host->clock);
+-
+- /* Spec says we should do both at the same time, but Ricoh
+- controllers do not like that. */
+- sdhci_do_reset(host, SDHCI_RESET_CMD);
+- sdhci_do_reset(host, SDHCI_RESET_DATA);
+-
+- host->pending_reset = false;
+- }
+-
+ host->mrqs_done[i] = NULL;
+
+ spin_unlock_irqrestore(&host->lock, flags);
--- /dev/null
+From 2970134b927834e9249659a70aac48e62dff804a Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Wed, 31 Mar 2021 11:17:52 +0300
+Subject: mmc: sdhci-pci: Fix initialization of some SD cards for Intel BYT-based controllers
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit 2970134b927834e9249659a70aac48e62dff804a upstream.
+
+Bus power may control card power, but the full reset done by SDHCI at
+initialization still may not reset the power, whereas a direct write to
+SDHCI_POWER_CONTROL can. That might be needed to initialize correctly, if
+the card was left powered on previously.
+
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20210331081752.23621-1-adrian.hunter@intel.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-pci-core.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+--- a/drivers/mmc/host/sdhci-pci-core.c
++++ b/drivers/mmc/host/sdhci-pci-core.c
+@@ -516,6 +516,7 @@ struct intel_host {
+ int drv_strength;
+ bool d3_retune;
+ bool rpm_retune_ok;
++ bool needs_pwr_off;
+ u32 glk_rx_ctrl1;
+ u32 glk_tun_val;
+ u32 active_ltr;
+@@ -643,9 +644,25 @@ out:
+ static void sdhci_intel_set_power(struct sdhci_host *host, unsigned char mode,
+ unsigned short vdd)
+ {
++ struct sdhci_pci_slot *slot = sdhci_priv(host);
++ struct intel_host *intel_host = sdhci_pci_priv(slot);
+ int cntr;
+ u8 reg;
+
++ /*
++ * Bus power may control card power, but a full reset still may not
++ * reset the power, whereas a direct write to SDHCI_POWER_CONTROL can.
++ * That might be needed to initialize correctly, if the card was left
++ * powered on previously.
++ */
++ if (intel_host->needs_pwr_off) {
++ intel_host->needs_pwr_off = false;
++ if (mode != MMC_POWER_OFF) {
++ sdhci_writeb(host, 0, SDHCI_POWER_CONTROL);
++ usleep_range(10000, 12500);
++ }
++ }
++
+ sdhci_set_power(host, mode, vdd);
+
+ if (mode == MMC_POWER_OFF)
+@@ -1135,6 +1152,14 @@ static int byt_sdio_probe_slot(struct sd
+ return 0;
+ }
+
++static void byt_needs_pwr_off(struct sdhci_pci_slot *slot)
++{
++ struct intel_host *intel_host = sdhci_pci_priv(slot);
++ u8 reg = sdhci_readb(slot->host, SDHCI_POWER_CONTROL);
++
++ intel_host->needs_pwr_off = reg & SDHCI_POWER_ON;
++}
++
+ static int byt_sd_probe_slot(struct sdhci_pci_slot *slot)
+ {
+ byt_probe_slot(slot);
+@@ -1152,6 +1177,8 @@ static int byt_sd_probe_slot(struct sdhc
+ slot->chip->pdev->subsystem_device == PCI_SUBDEVICE_ID_NI_78E3)
+ slot->host->mmc->caps2 |= MMC_CAP2_AVOID_3_3V;
+
++ byt_needs_pwr_off(slot);
++
+ return 0;
+ }
+
--- /dev/null
+From 5ec6fa5a6dc5e42a4aa782f3a81d5f08b0fac1e6 Mon Sep 17 00:00:00 2001
+From: Aniruddha Tvs Rao <anrao@nvidia.com>
+Date: Wed, 7 Apr 2021 10:46:17 +0100
+Subject: mmc: sdhci-tegra: Add required callbacks to set/clear CQE_EN bit
+
+From: Aniruddha Tvs Rao <anrao@nvidia.com>
+
+commit 5ec6fa5a6dc5e42a4aa782f3a81d5f08b0fac1e6 upstream.
+
+CMD8 is not supported with Command Queue Enabled. Add required callback
+to clear CQE_EN and CQE_INTR fields in the host controller register
+before sending CMD8. Add corresponding callback in the CQHCI resume path
+to re-enable CQE_EN and CQE_INTR fields.
+
+Reported-by: Kamal Mostafa <kamal@canonical.com>
+Tested-by: Kamal Mostafa <kamal@canonical.com>
+Signed-off-by: Aniruddha Tvs Rao <anrao@nvidia.com>
+Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Acked-by: Thierry Reding <treding@nvidia.com>
+Link: https://lore.kernel.org/r/20210407094617.770495-1-jonathanh@nvidia.com
+Cc: stable@vger.kernel.org # v5.10+
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-tegra.c | 32 ++++++++++++++++++++++++++++++++
+ 1 file changed, 32 insertions(+)
+
+--- a/drivers/mmc/host/sdhci-tegra.c
++++ b/drivers/mmc/host/sdhci-tegra.c
+@@ -119,6 +119,10 @@
+ /* SDMMC CQE Base Address for Tegra Host Ver 4.1 and Higher */
+ #define SDHCI_TEGRA_CQE_BASE_ADDR 0xF000
+
++#define SDHCI_TEGRA_CQE_TRNS_MODE (SDHCI_TRNS_MULTI | \
++ SDHCI_TRNS_BLK_CNT_EN | \
++ SDHCI_TRNS_DMA)
++
+ struct sdhci_tegra_soc_data {
+ const struct sdhci_pltfm_data *pdata;
+ u64 dma_mask;
+@@ -1156,6 +1160,7 @@ static void tegra_sdhci_voltage_switch(s
+ static void tegra_cqhci_writel(struct cqhci_host *cq_host, u32 val, int reg)
+ {
+ struct mmc_host *mmc = cq_host->mmc;
++ struct sdhci_host *host = mmc_priv(mmc);
+ u8 ctrl;
+ ktime_t timeout;
+ bool timed_out;
+@@ -1170,6 +1175,7 @@ static void tegra_cqhci_writel(struct cq
+ */
+ if (reg == CQHCI_CTL && !(val & CQHCI_HALT) &&
+ cqhci_readl(cq_host, CQHCI_CTL) & CQHCI_HALT) {
++ sdhci_writew(host, SDHCI_TEGRA_CQE_TRNS_MODE, SDHCI_TRANSFER_MODE);
+ sdhci_cqe_enable(mmc);
+ writel(val, cq_host->mmio + reg);
+ timeout = ktime_add_us(ktime_get(), 50);
+@@ -1205,6 +1211,7 @@ static void sdhci_tegra_update_dcmd_desc
+ static void sdhci_tegra_cqe_enable(struct mmc_host *mmc)
+ {
+ struct cqhci_host *cq_host = mmc->cqe_private;
++ struct sdhci_host *host = mmc_priv(mmc);
+ u32 val;
+
+ /*
+@@ -1218,6 +1225,7 @@ static void sdhci_tegra_cqe_enable(struc
+ if (val & CQHCI_ENABLE)
+ cqhci_writel(cq_host, (val & ~CQHCI_ENABLE),
+ CQHCI_CFG);
++ sdhci_writew(host, SDHCI_TEGRA_CQE_TRNS_MODE, SDHCI_TRANSFER_MODE);
+ sdhci_cqe_enable(mmc);
+ if (val & CQHCI_ENABLE)
+ cqhci_writel(cq_host, val, CQHCI_CFG);
+@@ -1281,12 +1289,36 @@ static void tegra_sdhci_set_timeout(stru
+ __sdhci_set_timeout(host, cmd);
+ }
+
++static void sdhci_tegra_cqe_pre_enable(struct mmc_host *mmc)
++{
++ struct cqhci_host *cq_host = mmc->cqe_private;
++ u32 reg;
++
++ reg = cqhci_readl(cq_host, CQHCI_CFG);
++ reg |= CQHCI_ENABLE;
++ cqhci_writel(cq_host, reg, CQHCI_CFG);
++}
++
++static void sdhci_tegra_cqe_post_disable(struct mmc_host *mmc)
++{
++ struct cqhci_host *cq_host = mmc->cqe_private;
++ struct sdhci_host *host = mmc_priv(mmc);
++ u32 reg;
++
++ reg = cqhci_readl(cq_host, CQHCI_CFG);
++ reg &= ~CQHCI_ENABLE;
++ cqhci_writel(cq_host, reg, CQHCI_CFG);
++ sdhci_writew(host, 0x0, SDHCI_TRANSFER_MODE);
++}
++
+ static const struct cqhci_host_ops sdhci_tegra_cqhci_ops = {
+ .write_l = tegra_cqhci_writel,
+ .enable = sdhci_tegra_cqe_enable,
+ .disable = sdhci_cqe_disable,
+ .dumpregs = sdhci_tegra_dumpregs,
+ .update_dcmd_desc = sdhci_tegra_update_dcmd_desc,
++ .pre_enable = sdhci_tegra_cqe_pre_enable,
++ .post_disable = sdhci_tegra_cqe_post_disable,
+ };
+
+ static int tegra_sdhci_set_dma_mask(struct sdhci_host *host)
--- /dev/null
+From e29c84857e2d51aa017ce04284b962742fb97d9e Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Sat, 20 Feb 2021 15:29:53 +0100
+Subject: mmc: uniphier-sd: Fix a resource leak in the remove function
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+commit e29c84857e2d51aa017ce04284b962742fb97d9e upstream.
+
+A 'tmio_mmc_host_free()' call is missing in the remove function, in order
+to balance a 'tmio_mmc_host_alloc()' call in the probe.
+This is done in the error handling path of the probe, but not in the remove
+function.
+
+Add the missing call.
+
+Fixes: 3fd784f745dd ("mmc: uniphier-sd: add UniPhier SD/eMMC controller driver")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Masahiro Yamada <masahiroy@kernel.org>
+Link: https://lore.kernel.org/r/20210220142953.918608-1-christophe.jaillet@wanadoo.fr
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/uniphier-sd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mmc/host/uniphier-sd.c
++++ b/drivers/mmc/host/uniphier-sd.c
+@@ -660,6 +660,7 @@ static int uniphier_sd_remove(struct pla
+
+ tmio_mmc_host_remove(host);
+ uniphier_sd_clk_disable(host);
++ tmio_mmc_host_free(host);
+
+ return 0;
+ }
--- /dev/null
+From b03aec1c1f337dfdae44cdb0645ecac34208ae0a Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Sat, 20 Feb 2021 15:29:35 +0100
+Subject: mmc: uniphier-sd: Fix an error handling path in uniphier_sd_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+commit b03aec1c1f337dfdae44cdb0645ecac34208ae0a upstream.
+
+A 'uniphier_sd_clk_enable()' call should be balanced by a corresponding
+'uniphier_sd_clk_disable()' call.
+This is done in the remove function, but not in the error handling path of
+the probe.
+
+Add the missing call.
+
+Fixes: 3fd784f745dd ("mmc: uniphier-sd: add UniPhier SD/eMMC controller driver")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Masahiro Yamada <masahiroy@kernel.org>
+Link: https://lore.kernel.org/r/20210220142935.918554-1-christophe.jaillet@wanadoo.fr
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/uniphier-sd.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/uniphier-sd.c
++++ b/drivers/mmc/host/uniphier-sd.c
+@@ -635,7 +635,7 @@ static int uniphier_sd_probe(struct plat
+
+ ret = tmio_mmc_host_probe(host);
+ if (ret)
+- goto free_host;
++ goto disable_clk;
+
+ ret = devm_request_irq(dev, irq, tmio_mmc_irq, IRQF_SHARED,
+ dev_name(dev), host);
+@@ -646,6 +646,8 @@ static int uniphier_sd_probe(struct plat
+
+ remove_host:
+ tmio_mmc_host_remove(host);
++disable_clk:
++ uniphier_sd_clk_disable(host);
+ free_host:
+ tmio_mmc_host_free(host);
+
--- /dev/null
+From 683313993dbe1651c7aa00bb42a041d70e914925 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavoars@kernel.org>
+Date: Fri, 12 Feb 2021 04:40:22 -0600
+Subject: mtd: physmap: physmap-bt1-rom: Fix unintentional stack access
+
+From: Gustavo A. R. Silva <gustavoars@kernel.org>
+
+commit 683313993dbe1651c7aa00bb42a041d70e914925 upstream.
+
+Cast &data to (char *) in order to avoid unintentionally accessing
+the stack.
+
+Notice that data is of type u32, so any increment to &data
+will be in the order of 4-byte chunks, and this piece of code
+is actually intended to be a byte offset.
+
+Fixes: b3e79e7682e0 ("mtd: physmap: Add Baikal-T1 physically mapped ROM support")
+Addresses-Coverity-ID: 1497765 ("Out-of-bounds access")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Acked-by: Serge Semin <fancer.lancer@gmail.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20210212104022.GA242669@embeddedor
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/maps/physmap-bt1-rom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/maps/physmap-bt1-rom.c
++++ b/drivers/mtd/maps/physmap-bt1-rom.c
+@@ -79,7 +79,7 @@ static void __xipram bt1_rom_map_copy_fr
+ if (shift) {
+ chunk = min_t(ssize_t, 4 - shift, len);
+ data = readl_relaxed(src - shift);
+- memcpy(to, &data + shift, chunk);
++ memcpy(to, (char *)&data + shift, chunk);
+ src += chunk;
+ to += chunk;
+ len -= chunk;
--- /dev/null
+From 33cebf701e98dd12b01d39d1c644387b27c1a627 Mon Sep 17 00:00:00 2001
+From: "Kai Stuhlemmer (ebee Engineering)" <kai.stuhlemmer@ebee.de>
+Date: Mon, 22 Mar 2021 17:07:14 +0200
+Subject: mtd: rawnand: atmel: Update ecc_stats.corrected counter
+
+From: Kai Stuhlemmer (ebee Engineering) <kai.stuhlemmer@ebee.de>
+
+commit 33cebf701e98dd12b01d39d1c644387b27c1a627 upstream.
+
+Update MTD ECC statistics with the number of corrected bits.
+
+Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kai Stuhlemmer (ebee Engineering) <kai.stuhlemmer@ebee.de>
+Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20210322150714.101585-1-tudor.ambarus@microchip.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/nand/raw/atmel/nand-controller.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/mtd/nand/raw/atmel/nand-controller.c
++++ b/drivers/mtd/nand/raw/atmel/nand-controller.c
+@@ -883,10 +883,12 @@ static int atmel_nand_pmecc_correct_data
+ NULL, 0,
+ chip->ecc.strength);
+
+- if (ret >= 0)
++ if (ret >= 0) {
++ mtd->ecc_stats.corrected += ret;
+ max_bitflips = max(ret, max_bitflips);
+- else
++ } else {
+ mtd->ecc_stats.failed++;
++ }
+
+ databuf += chip->ecc.size;
+ eccbuf += chip->ecc.bytes;
--- /dev/null
+From be94215be1ab19e5d38f50962f611c88d4bfc83a Mon Sep 17 00:00:00 2001
+From: Xiang Chen <chenxiang66@hisilicon.com>
+Date: Thu, 1 Apr 2021 15:34:46 +0800
+Subject: mtd: spi-nor: core: Fix an issue of releasing resources during read/write
+
+From: Xiang Chen <chenxiang66@hisilicon.com>
+
+commit be94215be1ab19e5d38f50962f611c88d4bfc83a upstream.
+
+If rmmod the driver during read or write, the driver will release the
+resources which are used during read or write, so it is possible to
+refer to NULL pointer.
+
+Use the testcase "mtd_debug read /dev/mtd0 0xc00000 0x400000 dest_file &
+sleep 0.5;rmmod spi_hisi_sfc_v3xx.ko", the issue can be reproduced in
+hisi_sfc_v3xx driver.
+
+To avoid the issue, fill the interface _get_device and _put_device of
+mtd_info to grab the reference to the spi controller driver module, so
+the request of rmmod the driver is rejected before read/write is finished.
+
+Fixes: b199489d37b2 ("mtd: spi-nor: add the framework for SPI NOR")
+Signed-off-by: Xiang Chen <chenxiang66@hisilicon.com>
+Signed-off-by: Yicong Yang <yangyicong@hisilicon.com>
+Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
+Tested-by: Michael Walle <michael@walle.cc>
+Tested-by: Tudor Ambarus <tudor.ambarus@microchip.com>
+Reviewed-by: Michael Walle <michael@walle.cc>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/1617262486-4223-1-git-send-email-yangyicong@hisilicon.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/spi-nor/core.c | 33 +++++++++++++++++++++++++++++++++
+ 1 file changed, 33 insertions(+)
+
+--- a/drivers/mtd/spi-nor/core.c
++++ b/drivers/mtd/spi-nor/core.c
+@@ -3301,6 +3301,37 @@ static void spi_nor_resume(struct mtd_in
+ dev_err(dev, "resume() failed\n");
+ }
+
++static int spi_nor_get_device(struct mtd_info *mtd)
++{
++ struct mtd_info *master = mtd_get_master(mtd);
++ struct spi_nor *nor = mtd_to_spi_nor(master);
++ struct device *dev;
++
++ if (nor->spimem)
++ dev = nor->spimem->spi->controller->dev.parent;
++ else
++ dev = nor->dev;
++
++ if (!try_module_get(dev->driver->owner))
++ return -ENODEV;
++
++ return 0;
++}
++
++static void spi_nor_put_device(struct mtd_info *mtd)
++{
++ struct mtd_info *master = mtd_get_master(mtd);
++ struct spi_nor *nor = mtd_to_spi_nor(master);
++ struct device *dev;
++
++ if (nor->spimem)
++ dev = nor->spimem->spi->controller->dev.parent;
++ else
++ dev = nor->dev;
++
++ module_put(dev->driver->owner);
++}
++
+ void spi_nor_restore(struct spi_nor *nor)
+ {
+ /* restore the addressing mode */
+@@ -3495,6 +3526,8 @@ int spi_nor_scan(struct spi_nor *nor, co
+ mtd->_read = spi_nor_read;
+ mtd->_suspend = spi_nor_suspend;
+ mtd->_resume = spi_nor_resume;
++ mtd->_get_device = spi_nor_get_device;
++ mtd->_put_device = spi_nor_put_device;
+
+ if (nor->params->locking_ops) {
+ mtd->_lock = spi_nor_lock;
--- /dev/null
+From 25fefc88c71f47db0466570335e3f75f10952e7a Mon Sep 17 00:00:00 2001
+From: Alexander Lobakin <alobakin@pm.me>
+Date: Tue, 23 Mar 2021 17:37:19 +0000
+Subject: mtd: spinand: core: add missing MODULE_DEVICE_TABLE()
+
+From: Alexander Lobakin <alobakin@pm.me>
+
+commit 25fefc88c71f47db0466570335e3f75f10952e7a upstream.
+
+The module misses MODULE_DEVICE_TABLE() for both SPI and OF ID tables
+and thus never autoloads on ID matches.
+Add the missing declarations.
+Present since day-0 of spinand framework introduction.
+
+Fixes: 7529df465248 ("mtd: nand: Add core infrastructure to support SPI NANDs")
+Cc: stable@vger.kernel.org # 4.19+
+Signed-off-by: Alexander Lobakin <alobakin@pm.me>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20210323173714.317884-1-alobakin@pm.me
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/nand/spi/core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/mtd/nand/spi/core.c
++++ b/drivers/mtd/nand/spi/core.c
+@@ -1263,12 +1263,14 @@ static const struct spi_device_id spinan
+ { .name = "spi-nand" },
+ { /* sentinel */ },
+ };
++MODULE_DEVICE_TABLE(spi, spinand_ids);
+
+ #ifdef CONFIG_OF
+ static const struct of_device_id spinand_of_ids[] = {
+ { .compatible = "spi-nand" },
+ { /* sentinel */ },
+ };
++MODULE_DEVICE_TABLE(of, spinand_of_ids);
+ #endif
+
+ static struct spi_mem_driver spinand_drv = {
--- /dev/null
+From f1ce3986baa62cffc3c5be156994de87524bab99 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@grsecurity.net>
+Date: Thu, 29 Apr 2021 19:59:41 +0300
+Subject: nitro_enclaves: Fix stale file descriptors on failed usercopy
+
+From: Mathias Krause <minipli@grsecurity.net>
+
+commit f1ce3986baa62cffc3c5be156994de87524bab99 upstream.
+
+A failing usercopy of the slot uid will lead to a stale entry in the
+file descriptor table as put_unused_fd() won't release it. This enables
+userland to refer to a dangling 'file' object through that still valid
+file descriptor, leading to all kinds of use-after-free exploitation
+scenarios.
+
+Exchanging put_unused_fd() for close_fd(), ksys_close() or alike won't
+solve the underlying issue, as the file descriptor might have been
+replaced in the meantime, e.g. via userland calling close() on it
+(leading to a NULL pointer dereference in the error handling code as
+'fget(enclave_fd)' will return a NULL pointer) or by dup2()'ing a
+completely different file object to that very file descriptor, leading
+to the same situation: a dangling file descriptor pointing to a freed
+object -- just in this case to a file object of user's choosing.
+
+Generally speaking, after the call to fd_install() the file descriptor
+is live and userland is free to do whatever with it. We cannot rely on
+it to still refer to our enclave object afterwards. In fact, by abusing
+userfaultfd() userland can hit the condition without any racing and
+abuse the error handling in the nitro code as it pleases.
+
+To fix the above issues, defer the call to fd_install() until all
+possible errors are handled. In this case it's just the usercopy, so do
+it directly in ne_create_vm_ioctl() itself.
+
+Signed-off-by: Mathias Krause <minipli@grsecurity.net>
+Signed-off-by: Andra Paraschiv <andraprs@amazon.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210429165941.27020-2-andraprs@amazon.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/virt/nitro_enclaves/ne_misc_dev.c | 43 +++++++++++-------------------
+ 1 file changed, 17 insertions(+), 26 deletions(-)
+
+--- a/drivers/virt/nitro_enclaves/ne_misc_dev.c
++++ b/drivers/virt/nitro_enclaves/ne_misc_dev.c
+@@ -1524,7 +1524,8 @@ static const struct file_operations ne_e
+ * enclave file descriptor to be further used for enclave
+ * resources handling e.g. memory regions and CPUs.
+ * @ne_pci_dev : Private data associated with the PCI device.
+- * @slot_uid: Generated unique slot id associated with an enclave.
++ * @slot_uid: User pointer to store the generated unique slot id
++ * associated with an enclave to.
+ *
+ * Context: Process context. This function is called with the ne_pci_dev enclave
+ * mutex held.
+@@ -1532,7 +1533,7 @@ static const struct file_operations ne_e
+ * * Enclave fd on success.
+ * * Negative return value on failure.
+ */
+-static int ne_create_vm_ioctl(struct ne_pci_dev *ne_pci_dev, u64 *slot_uid)
++static int ne_create_vm_ioctl(struct ne_pci_dev *ne_pci_dev, u64 __user *slot_uid)
+ {
+ struct ne_pci_dev_cmd_reply cmd_reply = {};
+ int enclave_fd = -1;
+@@ -1634,7 +1635,18 @@ static int ne_create_vm_ioctl(struct ne_
+
+ list_add(&ne_enclave->enclave_list_entry, &ne_pci_dev->enclaves_list);
+
+- *slot_uid = ne_enclave->slot_uid;
++ if (copy_to_user(slot_uid, &ne_enclave->slot_uid, sizeof(ne_enclave->slot_uid))) {
++ /*
++ * As we're holding the only reference to 'enclave_file', fput()
++ * will call ne_enclave_release() which will do a proper cleanup
++ * of all so far allocated resources, leaving only the unused fd
++ * for us to free.
++ */
++ fput(enclave_file);
++ put_unused_fd(enclave_fd);
++
++ return -EFAULT;
++ }
+
+ fd_install(enclave_fd, enclave_file);
+
+@@ -1671,34 +1683,13 @@ static long ne_ioctl(struct file *file,
+ switch (cmd) {
+ case NE_CREATE_VM: {
+ int enclave_fd = -1;
+- struct file *enclave_file = NULL;
+ struct ne_pci_dev *ne_pci_dev = ne_devs.ne_pci_dev;
+- int rc = -EINVAL;
+- u64 slot_uid = 0;
++ u64 __user *slot_uid = (void __user *)arg;
+
+ mutex_lock(&ne_pci_dev->enclaves_list_mutex);
+-
+- enclave_fd = ne_create_vm_ioctl(ne_pci_dev, &slot_uid);
+- if (enclave_fd < 0) {
+- rc = enclave_fd;
+-
+- mutex_unlock(&ne_pci_dev->enclaves_list_mutex);
+-
+- return rc;
+- }
+-
++ enclave_fd = ne_create_vm_ioctl(ne_pci_dev, slot_uid);
+ mutex_unlock(&ne_pci_dev->enclaves_list_mutex);
+
+- if (copy_to_user((void __user *)arg, &slot_uid, sizeof(slot_uid))) {
+- enclave_file = fget(enclave_fd);
+- /* Decrement file refs to have release() called. */
+- fput(enclave_file);
+- fput(enclave_file);
+- put_unused_fd(enclave_fd);
+-
+- return -EFAULT;
+- }
+-
+ return enclave_fd;
+ }
+
--- /dev/null
+From 48582b2e3b87b794a9845d488af2c76ce055502b Mon Sep 17 00:00:00 2001
+From: Jim Quinlan <jim2101024@gmail.com>
+Date: Fri, 30 Apr 2021 11:21:54 -0400
+Subject: reset: add missing empty function reset_control_rearm()
+
+From: Jim Quinlan <jim2101024@gmail.com>
+
+commit 48582b2e3b87b794a9845d488af2c76ce055502b upstream.
+
+All other functions are defined for when CONFIG_RESET_CONTROLLER
+is not set.
+
+Fixes: 557acb3d2cd9 ("reset: make shared pulsed reset controls re-triggerable")
+Link: https://lore.kernel.org/r/20210430152156.21162-2-jim2101024@gmail.com
+Signed-off-by: Jim Quinlan <jim2101024@gmail.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org # v5.11+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/reset.h | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/include/linux/reset.h
++++ b/include/linux/reset.h
+@@ -47,6 +47,11 @@ static inline int reset_control_reset(st
+ return 0;
+ }
+
++static inline int reset_control_rearm(struct reset_control *rstc)
++{
++ return 0;
++}
++
+ static inline int reset_control_assert(struct reset_control *rstc)
+ {
+ return 0;
--- /dev/null
+From 46094049a49be777f12a9589798f7c70b90cd03f Mon Sep 17 00:00:00 2001
+From: Tudor Ambarus <tudor.ambarus@microchip.com>
+Date: Fri, 2 Apr 2021 11:20:30 +0300
+Subject: Revert "mtd: spi-nor: macronix: Add support for mx25l51245g"
+
+From: Tudor Ambarus <tudor.ambarus@microchip.com>
+
+commit 46094049a49be777f12a9589798f7c70b90cd03f upstream.
+
+This reverts commit 04b8edad262eec0d153005973dfbdd83423c0dcb.
+
+mx25l51245g and mx66l51235l have the same flash ID. The flash
+detection returns the first entry in the flash_info array that
+matches the flash ID that was read, thus for the 0xc2201a ID,
+mx25l51245g was always hit, introducing a regression for
+mx66l51235l.
+
+If one wants to differentiate the flash names, a better fix would be
+to differentiate between the two at run-time, depending on SFDP,
+and choose the correct name from a list of flash names, depending on
+the SFDP differentiator.
+
+Fixes: 04b8edad262e ("mtd: spi-nor: macronix: Add support for mx25l51245g")
+Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
+Acked-by: Pratyush Yadav <p.yadav@ti.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20210402082031.19055-2-tudor.ambarus@microchip.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/spi-nor/macronix.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/mtd/spi-nor/macronix.c
++++ b/drivers/mtd/spi-nor/macronix.c
+@@ -73,9 +73,6 @@ static const struct flash_info macronix_
+ SECT_4K | SPI_NOR_DUAL_READ |
+ SPI_NOR_QUAD_READ) },
+ { "mx25l25655e", INFO(0xc22619, 0, 64 * 1024, 512, 0) },
+- { "mx25l51245g", INFO(0xc2201a, 0, 64 * 1024, 1024,
+- SECT_4K | SPI_NOR_DUAL_READ | SPI_NOR_QUAD_READ |
+- SPI_NOR_4B_OPCODES) },
+ { "mx66l51235l", INFO(0xc2201a, 0, 64 * 1024, 1024,
+ SPI_NOR_DUAL_READ | SPI_NOR_QUAD_READ |
+ SPI_NOR_4B_OPCODES) },
--- /dev/null
+From 2f7484fd73729f89085fe08d683f5a8d9e17fe99 Mon Sep 17 00:00:00 2001
+From: Vineeth Vijayan <vneethv@linux.ibm.com>
+Date: Fri, 23 Apr 2021 12:08:43 +0200
+Subject: s390/cio: remove invalid condition on IO_SCH_UNREG
+
+From: Vineeth Vijayan <vneethv@linux.ibm.com>
+
+commit 2f7484fd73729f89085fe08d683f5a8d9e17fe99 upstream.
+
+The condition to check the cdev pointer validity on
+css_sch_device_unregister() is a leftover from the 'commit 8cc0dcfdc1c0
+("s390/cio: remove pm support from ccw bus driver")'. This could lead to a
+situation, where detaching the device is not happening completely. Remove
+this invalid condition in the IO_SCH_UNREG case.
+
+Link: https://lore.kernel.org/r/20210423100843.2230969-1-vneethv@linux.ibm.com
+Fixes: 8cc0dcfdc1c0 ("s390/cio: remove pm support from ccw bus driver")
+Reported-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
+Suggested-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Vineeth Vijayan <vneethv@linux.ibm.com>
+Tested-by: Julian Wiedmann <jwi@linux.ibm.com>
+Reviewed-by: Peter Oberparleiter <oberpar@linux.ibm.com>
+Tested-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/cio/device.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/s390/cio/device.c
++++ b/drivers/s390/cio/device.c
+@@ -1532,8 +1532,7 @@ static int io_subchannel_sch_event(struc
+ switch (action) {
+ case IO_SCH_ORPH_UNREG:
+ case IO_SCH_UNREG:
+- if (!cdev)
+- css_sch_device_unregister(sch);
++ css_sch_device_unregister(sch);
+ break;
+ case IO_SCH_ORPH_ATTACH:
+ case IO_SCH_UNREG_ATTACH:
--- /dev/null
+From 6f3353c2d2b3eb4de52e9704cb962712033db181 Mon Sep 17 00:00:00 2001
+From: Vasily Gorbik <gor@linux.ibm.com>
+Date: Tue, 20 Apr 2021 11:04:10 +0200
+Subject: s390/disassembler: increase ebpf disasm buffer size
+
+From: Vasily Gorbik <gor@linux.ibm.com>
+
+commit 6f3353c2d2b3eb4de52e9704cb962712033db181 upstream.
+
+Current ebpf disassembly buffer size of 64 is too small. E.g. this line
+takes 65 bytes:
+01fffff8005822e: ec8100ed8065\tclgrj\t%r8,%r1,8,001fffff80058408\n\0
+
+Double the buffer size like it is done for the kernel disassembly buffer.
+
+Fixes the following KASAN finding:
+
+UG: KASAN: stack-out-of-bounds in print_fn_code+0x34c/0x380
+Write of size 1 at addr 001fff800ad5f970 by task test_progs/853
+
+CPU: 53 PID: 853 Comm: test_progs Not tainted
+5.12.0-rc7-23786-g23457d86b1f0-dirty #19
+Hardware name: IBM 3906 M04 704 (LPAR)
+Call Trace:
+ [<0000000cd8e0538a>] show_stack+0x17a/0x1668
+ [<0000000cd8e2a5d8>] dump_stack+0x140/0x1b8
+ [<0000000cd8e16e74>] print_address_description.constprop.0+0x54/0x260
+ [<0000000cd75a8698>] kasan_report+0xc8/0x130
+ [<0000000cd6e26da4>] print_fn_code+0x34c/0x380
+ [<0000000cd6ea0f4e>] bpf_int_jit_compile+0xe3e/0xe58
+ [<0000000cd72c4c88>] bpf_prog_select_runtime+0x5b8/0x9c0
+ [<0000000cd72d1bf8>] bpf_prog_load+0xa78/0x19c0
+ [<0000000cd72d7ad6>] __do_sys_bpf.part.0+0x18e/0x768
+ [<0000000cd6e0f392>] do_syscall+0x12a/0x220
+ [<0000000cd8e333f8>] __do_syscall+0x98/0xc8
+ [<0000000cd8e54834>] system_call+0x6c/0x94
+1 lock held by test_progs/853:
+ #0: 0000000cd9bf7460 (report_lock){....}-{2:2}, at:
+ kasan_report+0x96/0x130
+
+addr 001fff800ad5f970 is located in stack of task test_progs/853 at
+offset 96 in frame:
+ print_fn_code+0x0/0x380
+this frame has 1 object:
+ [32, 96) 'buffer'
+
+Memory state around the buggy address:
+ 001fff800ad5f800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 001fff800ad5f880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+>001fff800ad5f900: 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 f3 f3
+ ^
+ 001fff800ad5f980: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 001fff800ad5fa00: 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00
+
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/kernel/dis.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/s390/kernel/dis.c
++++ b/arch/s390/kernel/dis.c
+@@ -563,7 +563,7 @@ void show_code(struct pt_regs *regs)
+
+ void print_fn_code(unsigned char *code, unsigned long len)
+ {
+- char buffer[64], *ptr;
++ char buffer[128], *ptr;
+ int opsize, i;
+
+ while (len) {
--- /dev/null
+From 0cc00c8d40500c4c8fe058dc014bdaf44a82f4f7 Mon Sep 17 00:00:00 2001
+From: Tony Krowiak <akrowiak@linux.ibm.com>
+Date: Thu, 25 Mar 2021 08:46:40 -0400
+Subject: s390/vfio-ap: fix circular lockdep when setting/clearing crypto masks
+
+From: Tony Krowiak <akrowiak@linux.ibm.com>
+
+commit 0cc00c8d40500c4c8fe058dc014bdaf44a82f4f7 upstream.
+
+This patch fixes a lockdep splat introduced by commit f21916ec4826
+("s390/vfio-ap: clean up vfio_ap resources when KVM pointer invalidated").
+The lockdep splat only occurs when starting a Secure Execution guest.
+Crypto virtualization (vfio_ap) is not yet supported for SE guests;
+however, in order to avoid this problem when support becomes available,
+this fix is being provided.
+
+The circular locking dependency was introduced when the setting of the
+masks in the guest's APCB was executed while holding the matrix_dev->lock.
+While the lock is definitely needed to protect the setting/unsetting of the
+matrix_mdev->kvm pointer, it is not necessarily critical for setting the
+masks; so, the matrix_dev->lock will be released while the masks are being
+set or cleared.
+
+Keep in mind, however, that another process that takes the matrix_dev->lock
+can get control while the masks in the guest's APCB are being set or
+cleared as a result of the driver being notified that the KVM pointer
+has been set or unset. This could result in invalid access to the
+matrix_mdev->kvm pointer by the intervening process. To avoid this
+scenario, two new fields are being added to the ap_matrix_mdev struct:
+
+struct ap_matrix_mdev {
+ ...
+ bool kvm_busy;
+ wait_queue_head_t wait_for_kvm;
+ ...
+};
+
+The functions that handle notification that the KVM pointer value has
+been set or cleared will set the kvm_busy flag to true until they are done
+processing at which time they will set it to false and wake up the tasks on
+the matrix_mdev->wait_for_kvm wait queue. Functions that require
+access to matrix_mdev->kvm will sleep on the wait queue until they are
+awakened at which time they can safely access the matrix_mdev->kvm
+field.
+
+Fixes: f21916ec4826 ("s390/vfio-ap: clean up vfio_ap resources when KVM pointer invalidated")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tony Krowiak <akrowiak@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/crypto/vfio_ap_ops.c | 308 +++++++++++++++++++++++-----------
+ drivers/s390/crypto/vfio_ap_private.h | 2
+ 2 files changed, 215 insertions(+), 95 deletions(-)
+
+--- a/drivers/s390/crypto/vfio_ap_ops.c
++++ b/drivers/s390/crypto/vfio_ap_ops.c
+@@ -294,6 +294,19 @@ static int handle_pqap(struct kvm_vcpu *
+ matrix_mdev = container_of(vcpu->kvm->arch.crypto.pqap_hook,
+ struct ap_matrix_mdev, pqap_hook);
+
++ /*
++ * If the KVM pointer is in the process of being set, wait until the
++ * process has completed.
++ */
++ wait_event_cmd(matrix_mdev->wait_for_kvm,
++ !matrix_mdev->kvm_busy,
++ mutex_unlock(&matrix_dev->lock),
++ mutex_lock(&matrix_dev->lock));
++
++ /* If the there is no guest using the mdev, there is nothing to do */
++ if (!matrix_mdev->kvm)
++ goto out_unlock;
++
+ q = vfio_ap_get_queue(matrix_mdev, apqn);
+ if (!q)
+ goto out_unlock;
+@@ -337,6 +350,7 @@ static int vfio_ap_mdev_create(struct ko
+
+ matrix_mdev->mdev = mdev;
+ vfio_ap_matrix_init(&matrix_dev->info, &matrix_mdev->matrix);
++ init_waitqueue_head(&matrix_mdev->wait_for_kvm);
+ mdev_set_drvdata(mdev, matrix_mdev);
+ matrix_mdev->pqap_hook.hook = handle_pqap;
+ matrix_mdev->pqap_hook.owner = THIS_MODULE;
+@@ -351,17 +365,23 @@ static int vfio_ap_mdev_remove(struct md
+ {
+ struct ap_matrix_mdev *matrix_mdev = mdev_get_drvdata(mdev);
+
+- if (matrix_mdev->kvm)
++ mutex_lock(&matrix_dev->lock);
++
++ /*
++ * If the KVM pointer is in flux or the guest is running, disallow
++ * un-assignment of control domain.
++ */
++ if (matrix_mdev->kvm_busy || matrix_mdev->kvm) {
++ mutex_unlock(&matrix_dev->lock);
+ return -EBUSY;
++ }
+
+- mutex_lock(&matrix_dev->lock);
+ vfio_ap_mdev_reset_queues(mdev);
+ list_del(&matrix_mdev->node);
+- mutex_unlock(&matrix_dev->lock);
+-
+ kfree(matrix_mdev);
+ mdev_set_drvdata(mdev, NULL);
+ atomic_inc(&matrix_dev->available_instances);
++ mutex_unlock(&matrix_dev->lock);
+
+ return 0;
+ }
+@@ -606,24 +626,31 @@ static ssize_t assign_adapter_store(stru
+ struct mdev_device *mdev = mdev_from_dev(dev);
+ struct ap_matrix_mdev *matrix_mdev = mdev_get_drvdata(mdev);
+
+- /* If the guest is running, disallow assignment of adapter */
+- if (matrix_mdev->kvm)
+- return -EBUSY;
++ mutex_lock(&matrix_dev->lock);
++
++ /*
++ * If the KVM pointer is in flux or the guest is running, disallow
++ * un-assignment of adapter
++ */
++ if (matrix_mdev->kvm_busy || matrix_mdev->kvm) {
++ ret = -EBUSY;
++ goto done;
++ }
+
+ ret = kstrtoul(buf, 0, &apid);
+ if (ret)
+- return ret;
++ goto done;
+
+- if (apid > matrix_mdev->matrix.apm_max)
+- return -ENODEV;
++ if (apid > matrix_mdev->matrix.apm_max) {
++ ret = -ENODEV;
++ goto done;
++ }
+
+ /*
+ * Set the bit in the AP mask (APM) corresponding to the AP adapter
+ * number (APID). The bits in the mask, from most significant to least
+ * significant bit, correspond to APIDs 0-255.
+ */
+- mutex_lock(&matrix_dev->lock);
+-
+ ret = vfio_ap_mdev_verify_queues_reserved_for_apid(matrix_mdev, apid);
+ if (ret)
+ goto done;
+@@ -672,22 +699,31 @@ static ssize_t unassign_adapter_store(st
+ struct mdev_device *mdev = mdev_from_dev(dev);
+ struct ap_matrix_mdev *matrix_mdev = mdev_get_drvdata(mdev);
+
+- /* If the guest is running, disallow un-assignment of adapter */
+- if (matrix_mdev->kvm)
+- return -EBUSY;
++ mutex_lock(&matrix_dev->lock);
++
++ /*
++ * If the KVM pointer is in flux or the guest is running, disallow
++ * un-assignment of adapter
++ */
++ if (matrix_mdev->kvm_busy || matrix_mdev->kvm) {
++ ret = -EBUSY;
++ goto done;
++ }
+
+ ret = kstrtoul(buf, 0, &apid);
+ if (ret)
+- return ret;
++ goto done;
+
+- if (apid > matrix_mdev->matrix.apm_max)
+- return -ENODEV;
++ if (apid > matrix_mdev->matrix.apm_max) {
++ ret = -ENODEV;
++ goto done;
++ }
+
+- mutex_lock(&matrix_dev->lock);
+ clear_bit_inv((unsigned long)apid, matrix_mdev->matrix.apm);
++ ret = count;
++done:
+ mutex_unlock(&matrix_dev->lock);
+-
+- return count;
++ return ret;
+ }
+ static DEVICE_ATTR_WO(unassign_adapter);
+
+@@ -753,17 +789,24 @@ static ssize_t assign_domain_store(struc
+ struct ap_matrix_mdev *matrix_mdev = mdev_get_drvdata(mdev);
+ unsigned long max_apqi = matrix_mdev->matrix.aqm_max;
+
+- /* If the guest is running, disallow assignment of domain */
+- if (matrix_mdev->kvm)
+- return -EBUSY;
++ mutex_lock(&matrix_dev->lock);
++
++ /*
++ * If the KVM pointer is in flux or the guest is running, disallow
++ * assignment of domain
++ */
++ if (matrix_mdev->kvm_busy || matrix_mdev->kvm) {
++ ret = -EBUSY;
++ goto done;
++ }
+
+ ret = kstrtoul(buf, 0, &apqi);
+ if (ret)
+- return ret;
+- if (apqi > max_apqi)
+- return -ENODEV;
+-
+- mutex_lock(&matrix_dev->lock);
++ goto done;
++ if (apqi > max_apqi) {
++ ret = -ENODEV;
++ goto done;
++ }
+
+ ret = vfio_ap_mdev_verify_queues_reserved_for_apqi(matrix_mdev, apqi);
+ if (ret)
+@@ -814,22 +857,32 @@ static ssize_t unassign_domain_store(str
+ struct mdev_device *mdev = mdev_from_dev(dev);
+ struct ap_matrix_mdev *matrix_mdev = mdev_get_drvdata(mdev);
+
+- /* If the guest is running, disallow un-assignment of domain */
+- if (matrix_mdev->kvm)
+- return -EBUSY;
++ mutex_lock(&matrix_dev->lock);
++
++ /*
++ * If the KVM pointer is in flux or the guest is running, disallow
++ * un-assignment of domain
++ */
++ if (matrix_mdev->kvm_busy || matrix_mdev->kvm) {
++ ret = -EBUSY;
++ goto done;
++ }
+
+ ret = kstrtoul(buf, 0, &apqi);
+ if (ret)
+- return ret;
++ goto done;
+
+- if (apqi > matrix_mdev->matrix.aqm_max)
+- return -ENODEV;
++ if (apqi > matrix_mdev->matrix.aqm_max) {
++ ret = -ENODEV;
++ goto done;
++ }
+
+- mutex_lock(&matrix_dev->lock);
+ clear_bit_inv((unsigned long)apqi, matrix_mdev->matrix.aqm);
+- mutex_unlock(&matrix_dev->lock);
++ ret = count;
+
+- return count;
++done:
++ mutex_unlock(&matrix_dev->lock);
++ return ret;
+ }
+ static DEVICE_ATTR_WO(unassign_domain);
+
+@@ -858,27 +911,36 @@ static ssize_t assign_control_domain_sto
+ struct mdev_device *mdev = mdev_from_dev(dev);
+ struct ap_matrix_mdev *matrix_mdev = mdev_get_drvdata(mdev);
+
+- /* If the guest is running, disallow assignment of control domain */
+- if (matrix_mdev->kvm)
+- return -EBUSY;
++ mutex_lock(&matrix_dev->lock);
++
++ /*
++ * If the KVM pointer is in flux or the guest is running, disallow
++ * assignment of control domain.
++ */
++ if (matrix_mdev->kvm_busy || matrix_mdev->kvm) {
++ ret = -EBUSY;
++ goto done;
++ }
+
+ ret = kstrtoul(buf, 0, &id);
+ if (ret)
+- return ret;
++ goto done;
+
+- if (id > matrix_mdev->matrix.adm_max)
+- return -ENODEV;
++ if (id > matrix_mdev->matrix.adm_max) {
++ ret = -ENODEV;
++ goto done;
++ }
+
+ /* Set the bit in the ADM (bitmask) corresponding to the AP control
+ * domain number (id). The bits in the mask, from most significant to
+ * least significant, correspond to IDs 0 up to the one less than the
+ * number of control domains that can be assigned.
+ */
+- mutex_lock(&matrix_dev->lock);
+ set_bit_inv(id, matrix_mdev->matrix.adm);
++ ret = count;
++done:
+ mutex_unlock(&matrix_dev->lock);
+-
+- return count;
++ return ret;
+ }
+ static DEVICE_ATTR_WO(assign_control_domain);
+
+@@ -908,21 +970,30 @@ static ssize_t unassign_control_domain_s
+ struct ap_matrix_mdev *matrix_mdev = mdev_get_drvdata(mdev);
+ unsigned long max_domid = matrix_mdev->matrix.adm_max;
+
+- /* If the guest is running, disallow un-assignment of control domain */
+- if (matrix_mdev->kvm)
+- return -EBUSY;
++ mutex_lock(&matrix_dev->lock);
++
++ /*
++ * If the KVM pointer is in flux or the guest is running, disallow
++ * un-assignment of control domain.
++ */
++ if (matrix_mdev->kvm_busy || matrix_mdev->kvm) {
++ ret = -EBUSY;
++ goto done;
++ }
+
+ ret = kstrtoul(buf, 0, &domid);
+ if (ret)
+- return ret;
+- if (domid > max_domid)
+- return -ENODEV;
++ goto done;
++ if (domid > max_domid) {
++ ret = -ENODEV;
++ goto done;
++ }
+
+- mutex_lock(&matrix_dev->lock);
+ clear_bit_inv(domid, matrix_mdev->matrix.adm);
++ ret = count;
++done:
+ mutex_unlock(&matrix_dev->lock);
+-
+- return count;
++ return ret;
+ }
+ static DEVICE_ATTR_WO(unassign_control_domain);
+
+@@ -1027,8 +1098,15 @@ static const struct attribute_group *vfi
+ * @matrix_mdev: a mediated matrix device
+ * @kvm: reference to KVM instance
+ *
+- * Verifies no other mediated matrix device has @kvm and sets a reference to
+- * it in @matrix_mdev->kvm.
++ * Sets all data for @matrix_mdev that are needed to manage AP resources
++ * for the guest whose state is represented by @kvm.
++ *
++ * Note: The matrix_dev->lock must be taken prior to calling
++ * this function; however, the lock will be temporarily released while the
++ * guest's AP configuration is set to avoid a potential lockdep splat.
++ * The kvm->lock is taken to set the guest's AP configuration which, under
++ * certain circumstances, will result in a circular lock dependency if this is
++ * done under the @matrix_mdev->lock.
+ *
+ * Return 0 if no other mediated matrix device has a reference to @kvm;
+ * otherwise, returns an -EPERM.
+@@ -1038,14 +1116,25 @@ static int vfio_ap_mdev_set_kvm(struct a
+ {
+ struct ap_matrix_mdev *m;
+
+- list_for_each_entry(m, &matrix_dev->mdev_list, node) {
+- if ((m != matrix_mdev) && (m->kvm == kvm))
+- return -EPERM;
+- }
++ if (kvm->arch.crypto.crycbd) {
++ list_for_each_entry(m, &matrix_dev->mdev_list, node) {
++ if (m != matrix_mdev && m->kvm == kvm)
++ return -EPERM;
++ }
+
+- matrix_mdev->kvm = kvm;
+- kvm_get_kvm(kvm);
+- kvm->arch.crypto.pqap_hook = &matrix_mdev->pqap_hook;
++ kvm_get_kvm(kvm);
++ matrix_mdev->kvm_busy = true;
++ mutex_unlock(&matrix_dev->lock);
++ kvm_arch_crypto_set_masks(kvm,
++ matrix_mdev->matrix.apm,
++ matrix_mdev->matrix.aqm,
++ matrix_mdev->matrix.adm);
++ mutex_lock(&matrix_dev->lock);
++ kvm->arch.crypto.pqap_hook = &matrix_mdev->pqap_hook;
++ matrix_mdev->kvm = kvm;
++ matrix_mdev->kvm_busy = false;
++ wake_up_all(&matrix_mdev->wait_for_kvm);
++ }
+
+ return 0;
+ }
+@@ -1079,51 +1168,65 @@ static int vfio_ap_mdev_iommu_notifier(s
+ return NOTIFY_DONE;
+ }
+
++/**
++ * vfio_ap_mdev_unset_kvm
++ *
++ * @matrix_mdev: a matrix mediated device
++ *
++ * Performs clean-up of resources no longer needed by @matrix_mdev.
++ *
++ * Note: The matrix_dev->lock must be taken prior to calling
++ * this function; however, the lock will be temporarily released while the
++ * guest's AP configuration is cleared to avoid a potential lockdep splat.
++ * The kvm->lock is taken to clear the guest's AP configuration which, under
++ * certain circumstances, will result in a circular lock dependency if this is
++ * done under the @matrix_mdev->lock.
++ *
++ */
+ static void vfio_ap_mdev_unset_kvm(struct ap_matrix_mdev *matrix_mdev)
+ {
+- kvm_arch_crypto_clear_masks(matrix_mdev->kvm);
+- matrix_mdev->kvm->arch.crypto.pqap_hook = NULL;
+- vfio_ap_mdev_reset_queues(matrix_mdev->mdev);
+- kvm_put_kvm(matrix_mdev->kvm);
+- matrix_mdev->kvm = NULL;
++ /*
++ * If the KVM pointer is in the process of being set, wait until the
++ * process has completed.
++ */
++ wait_event_cmd(matrix_mdev->wait_for_kvm,
++ !matrix_mdev->kvm_busy,
++ mutex_unlock(&matrix_dev->lock),
++ mutex_lock(&matrix_dev->lock));
++
++ if (matrix_mdev->kvm) {
++ matrix_mdev->kvm_busy = true;
++ mutex_unlock(&matrix_dev->lock);
++ kvm_arch_crypto_clear_masks(matrix_mdev->kvm);
++ mutex_lock(&matrix_dev->lock);
++ vfio_ap_mdev_reset_queues(matrix_mdev->mdev);
++ matrix_mdev->kvm->arch.crypto.pqap_hook = NULL;
++ kvm_put_kvm(matrix_mdev->kvm);
++ matrix_mdev->kvm = NULL;
++ matrix_mdev->kvm_busy = false;
++ wake_up_all(&matrix_mdev->wait_for_kvm);
++ }
+ }
+
+ static int vfio_ap_mdev_group_notifier(struct notifier_block *nb,
+ unsigned long action, void *data)
+ {
+- int ret, notify_rc = NOTIFY_OK;
++ int notify_rc = NOTIFY_OK;
+ struct ap_matrix_mdev *matrix_mdev;
+
+ if (action != VFIO_GROUP_NOTIFY_SET_KVM)
+ return NOTIFY_OK;
+
+- matrix_mdev = container_of(nb, struct ap_matrix_mdev, group_notifier);
+ mutex_lock(&matrix_dev->lock);
++ matrix_mdev = container_of(nb, struct ap_matrix_mdev, group_notifier);
+
+- if (!data) {
+- if (matrix_mdev->kvm)
+- vfio_ap_mdev_unset_kvm(matrix_mdev);
+- goto notify_done;
+- }
+-
+- ret = vfio_ap_mdev_set_kvm(matrix_mdev, data);
+- if (ret) {
+- notify_rc = NOTIFY_DONE;
+- goto notify_done;
+- }
+-
+- /* If there is no CRYCB pointer, then we can't copy the masks */
+- if (!matrix_mdev->kvm->arch.crypto.crycbd) {
++ if (!data)
++ vfio_ap_mdev_unset_kvm(matrix_mdev);
++ else if (vfio_ap_mdev_set_kvm(matrix_mdev, data))
+ notify_rc = NOTIFY_DONE;
+- goto notify_done;
+- }
+-
+- kvm_arch_crypto_set_masks(matrix_mdev->kvm, matrix_mdev->matrix.apm,
+- matrix_mdev->matrix.aqm,
+- matrix_mdev->matrix.adm);
+
+-notify_done:
+ mutex_unlock(&matrix_dev->lock);
++
+ return notify_rc;
+ }
+
+@@ -1258,8 +1361,7 @@ static void vfio_ap_mdev_release(struct
+ struct ap_matrix_mdev *matrix_mdev = mdev_get_drvdata(mdev);
+
+ mutex_lock(&matrix_dev->lock);
+- if (matrix_mdev->kvm)
+- vfio_ap_mdev_unset_kvm(matrix_mdev);
++ vfio_ap_mdev_unset_kvm(matrix_mdev);
+ mutex_unlock(&matrix_dev->lock);
+
+ vfio_unregister_notifier(mdev_dev(mdev), VFIO_IOMMU_NOTIFY,
+@@ -1293,6 +1395,7 @@ static ssize_t vfio_ap_mdev_ioctl(struct
+ unsigned int cmd, unsigned long arg)
+ {
+ int ret;
++ struct ap_matrix_mdev *matrix_mdev;
+
+ mutex_lock(&matrix_dev->lock);
+ switch (cmd) {
+@@ -1300,6 +1403,21 @@ static ssize_t vfio_ap_mdev_ioctl(struct
+ ret = vfio_ap_mdev_get_device_info(arg);
+ break;
+ case VFIO_DEVICE_RESET:
++ matrix_mdev = mdev_get_drvdata(mdev);
++ if (WARN(!matrix_mdev, "Driver data missing from mdev!!")) {
++ ret = -EINVAL;
++ break;
++ }
++
++ /*
++ * If the KVM pointer is in the process of being set, wait until
++ * the process has completed.
++ */
++ wait_event_cmd(matrix_mdev->wait_for_kvm,
++ !matrix_mdev->kvm_busy,
++ mutex_unlock(&matrix_dev->lock),
++ mutex_lock(&matrix_dev->lock));
++
+ ret = vfio_ap_mdev_reset_queues(mdev);
+ break;
+ default:
+--- a/drivers/s390/crypto/vfio_ap_private.h
++++ b/drivers/s390/crypto/vfio_ap_private.h
+@@ -83,6 +83,8 @@ struct ap_matrix_mdev {
+ struct ap_matrix matrix;
+ struct notifier_block group_notifier;
+ struct notifier_block iommu_notifier;
++ bool kvm_busy;
++ wait_queue_head_t wait_for_kvm;
+ struct kvm *kvm;
+ struct kvm_s390_module_hook pqap_hook;
+ struct mdev_device *mdev;
--- /dev/null
+From 70fac8088cfad9f3b379c9082832b4d7532c16c2 Mon Sep 17 00:00:00 2001
+From: Harald Freudenberger <freude@linux.ibm.com>
+Date: Thu, 15 Apr 2021 11:22:03 +0200
+Subject: s390/zcrypt: fix zcard and zqueue hot-unplug memleak
+
+From: Harald Freudenberger <freude@linux.ibm.com>
+
+commit 70fac8088cfad9f3b379c9082832b4d7532c16c2 upstream.
+
+Tests with kvm and a kmemdebug kernel showed, that on hot unplug the
+zcard and zqueue structs for the unplugged card or queue are not
+properly freed because of a mismatch with get/put for the embedded
+kref counter.
+
+This fix now adjusts the handling of the kref counters. With init the
+kref counter starts with 1. This initial value needs to drop to zero
+with the unregister of the card or queue to trigger the release and
+free the object.
+
+Fixes: 29c2680fd2bf ("s390/ap: fix ap devices reference counting")
+Reported-by: Marc Hartmayer <mhartmay@linux.ibm.com>
+Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Julian Wiedmann <jwi@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/crypto/zcrypt_card.c | 1 +
+ drivers/s390/crypto/zcrypt_queue.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/drivers/s390/crypto/zcrypt_card.c
++++ b/drivers/s390/crypto/zcrypt_card.c
+@@ -192,5 +192,6 @@ void zcrypt_card_unregister(struct zcryp
+ spin_unlock(&zcrypt_list_lock);
+ sysfs_remove_group(&zc->card->ap_dev.device.kobj,
+ &zcrypt_card_attr_group);
++ zcrypt_card_put(zc);
+ }
+ EXPORT_SYMBOL(zcrypt_card_unregister);
+--- a/drivers/s390/crypto/zcrypt_queue.c
++++ b/drivers/s390/crypto/zcrypt_queue.c
+@@ -223,5 +223,6 @@ void zcrypt_queue_unregister(struct zcry
+ sysfs_remove_group(&zq->queue->ap_dev.device.kobj,
+ &zcrypt_queue_attr_group);
+ zcrypt_card_put(zc);
++ zcrypt_queue_put(zq);
+ }
+ EXPORT_SYMBOL(zcrypt_queue_unregister);
--- /dev/null
+From 078c68b87a717b9fcd8e0f2109f73456fbc55490 Mon Sep 17 00:00:00 2001
+From: James Smart <jsmart2021@gmail.com>
+Date: Sun, 11 Apr 2021 18:31:12 -0700
+Subject: scsi: lpfc: Fix rmmod crash due to bad ring pointers to abort_iotag
+
+From: James Smart <jsmart2021@gmail.com>
+
+commit 078c68b87a717b9fcd8e0f2109f73456fbc55490 upstream.
+
+Rmmod on SLI-4 adapters is sometimes hitting a bad ptr dereference in
+lpfc_els_free_iocb().
+
+A prior patch refactored the lpfc_sli_abort_iocb() routine. One of the
+changes was to convert from building/sending an abort within the routine to
+using a common routine. The reworked routine passes, without modification,
+the pring ptr to the new common routine. The older routine had logic to
+check SLI-3 vs SLI-4 and adapt the pring ptr if necessary as callers were
+passing SLI-3 pointers even when not on an SLI-4 adapter. The new routine
+is missing this check and adapt, so the SLI-3 ring pointers are being used
+in SLI-4 paths.
+
+Fix by cleaning up the calling routines. In review, there is no need to
+pass the ring ptr argument to abort_iocb at all. The routine can look at
+the adapter type itself and reference the proper ring.
+
+Link: https://lore.kernel.org/r/20210412013127.2387-2-jsmart2021@gmail.com
+Fixes: db7531d2b377 ("scsi: lpfc: Convert abort handling to SLI-3 and SLI-4 handlers")
+Cc: <stable@vger.kernel.org> # v5.11+
+Co-developed-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/lpfc/lpfc_crtn.h | 4 ++--
+ drivers/scsi/lpfc/lpfc_hbadisc.c | 10 +++-------
+ drivers/scsi/lpfc/lpfc_nportdisc.c | 4 +---
+ drivers/scsi/lpfc/lpfc_sli.c | 20 +++++++++++++++-----
+ 4 files changed, 21 insertions(+), 17 deletions(-)
+
+--- a/drivers/scsi/lpfc/lpfc_crtn.h
++++ b/drivers/scsi/lpfc/lpfc_crtn.h
+@@ -351,8 +351,8 @@ int lpfc_sli_hbq_size(void);
+ int lpfc_sli_issue_abort_iotag(struct lpfc_hba *, struct lpfc_sli_ring *,
+ struct lpfc_iocbq *, void *);
+ int lpfc_sli_sum_iocb(struct lpfc_vport *, uint16_t, uint64_t, lpfc_ctx_cmd);
+-int lpfc_sli_abort_iocb(struct lpfc_vport *, struct lpfc_sli_ring *, uint16_t,
+- uint64_t, lpfc_ctx_cmd);
++int lpfc_sli_abort_iocb(struct lpfc_vport *vport, u16 tgt_id, u64 lun_id,
++ lpfc_ctx_cmd abort_cmd);
+ int
+ lpfc_sli_abort_taskmgmt(struct lpfc_vport *, struct lpfc_sli_ring *,
+ uint16_t, uint64_t, lpfc_ctx_cmd);
+--- a/drivers/scsi/lpfc/lpfc_hbadisc.c
++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
+@@ -140,11 +140,8 @@ lpfc_terminate_rport_io(struct fc_rport
+ "rport terminate: sid:x%x did:x%x flg:x%x",
+ ndlp->nlp_sid, ndlp->nlp_DID, ndlp->nlp_flag);
+
+- if (ndlp->nlp_sid != NLP_NO_SID) {
+- lpfc_sli_abort_iocb(vport,
+- &vport->phba->sli.sli3_ring[LPFC_FCP_RING],
+- ndlp->nlp_sid, 0, LPFC_CTX_TGT);
+- }
++ if (ndlp->nlp_sid != NLP_NO_SID)
++ lpfc_sli_abort_iocb(vport, ndlp->nlp_sid, 0, LPFC_CTX_TGT);
+ }
+
+ /*
+@@ -299,8 +296,7 @@ lpfc_dev_loss_tmo_handler(struct lpfc_no
+
+ if (ndlp->nlp_sid != NLP_NO_SID) {
+ warn_on = 1;
+- lpfc_sli_abort_iocb(vport, &phba->sli.sli3_ring[LPFC_FCP_RING],
+- ndlp->nlp_sid, 0, LPFC_CTX_TGT);
++ lpfc_sli_abort_iocb(vport, ndlp->nlp_sid, 0, LPFC_CTX_TGT);
+ }
+
+ if (warn_on) {
+--- a/drivers/scsi/lpfc/lpfc_nportdisc.c
++++ b/drivers/scsi/lpfc/lpfc_nportdisc.c
+@@ -2633,12 +2633,10 @@ static uint32_t
+ lpfc_rcv_prlo_mapped_node(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp,
+ void *arg, uint32_t evt)
+ {
+- struct lpfc_hba *phba = vport->phba;
+ struct lpfc_iocbq *cmdiocb = (struct lpfc_iocbq *) arg;
+
+ /* flush the target */
+- lpfc_sli_abort_iocb(vport, &phba->sli.sli3_ring[LPFC_FCP_RING],
+- ndlp->nlp_sid, 0, LPFC_CTX_TGT);
++ lpfc_sli_abort_iocb(vport, ndlp->nlp_sid, 0, LPFC_CTX_TGT);
+
+ /* Treat like rcv logo */
+ lpfc_rcv_logo(vport, ndlp, cmdiocb, ELS_CMD_PRLO);
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -11647,7 +11647,7 @@ lpfc_sli_issue_abort_iotag(struct lpfc_h
+ icmd = &cmdiocb->iocb;
+ if (icmd->ulpCommand == CMD_ABORT_XRI_CN ||
+ icmd->ulpCommand == CMD_CLOSE_XRI_CN ||
+- (cmdiocb->iocb_flag & LPFC_DRIVER_ABORTED) != 0)
++ cmdiocb->iocb_flag & LPFC_DRIVER_ABORTED)
+ return IOCB_ABORTING;
+
+ if (!pring) {
+@@ -11945,7 +11945,6 @@ lpfc_sli_abort_fcp_cmpl(struct lpfc_hba
+ /**
+ * lpfc_sli_abort_iocb - issue abort for all commands on a host/target/LUN
+ * @vport: Pointer to virtual port.
+- * @pring: Pointer to driver SLI ring object.
+ * @tgt_id: SCSI ID of the target.
+ * @lun_id: LUN ID of the scsi device.
+ * @abort_cmd: LPFC_CTX_LUN/LPFC_CTX_TGT/LPFC_CTX_HOST.
+@@ -11960,18 +11959,22 @@ lpfc_sli_abort_fcp_cmpl(struct lpfc_hba
+ * FCP iocbs associated with SCSI target specified by tgt_id parameter.
+ * When abort_cmd == LPFC_CTX_HOST, the function sends abort to all
+ * FCP iocbs associated with virtual port.
++ * The pring used for SLI3 is sli3_ring[LPFC_FCP_RING], for SLI4
++ * lpfc_sli4_calc_ring is used.
+ * This function returns number of iocbs it failed to abort.
+ * This function is called with no locks held.
+ **/
+ int
+-lpfc_sli_abort_iocb(struct lpfc_vport *vport, struct lpfc_sli_ring *pring,
+- uint16_t tgt_id, uint64_t lun_id, lpfc_ctx_cmd abort_cmd)
++lpfc_sli_abort_iocb(struct lpfc_vport *vport, u16 tgt_id, u64 lun_id,
++ lpfc_ctx_cmd abort_cmd)
+ {
+ struct lpfc_hba *phba = vport->phba;
++ struct lpfc_sli_ring *pring = NULL;
+ struct lpfc_iocbq *iocbq;
+ int errcnt = 0, ret_val = 0;
+ unsigned long iflags;
+ int i;
++ void *fcp_cmpl = NULL;
+
+ /* all I/Os are in process of being flushed */
+ if (phba->hba_flag & HBA_IOQ_FLUSH)
+@@ -11985,8 +11988,15 @@ lpfc_sli_abort_iocb(struct lpfc_vport *v
+ continue;
+
+ spin_lock_irqsave(&phba->hbalock, iflags);
++ if (phba->sli_rev == LPFC_SLI_REV3) {
++ pring = &phba->sli.sli3_ring[LPFC_FCP_RING];
++ fcp_cmpl = lpfc_sli_abort_fcp_cmpl;
++ } else if (phba->sli_rev == LPFC_SLI_REV4) {
++ pring = lpfc_sli4_calc_ring(phba, iocbq);
++ fcp_cmpl = lpfc_sli4_abort_fcp_cmpl;
++ }
+ ret_val = lpfc_sli_issue_abort_iotag(phba, pring, iocbq,
+- lpfc_sli_abort_fcp_cmpl);
++ fcp_cmpl);
+ spin_unlock_irqrestore(&phba->hbalock, iflags);
+ if (ret_val != IOCB_SUCCESS)
+ errcnt++;
--- /dev/null
+From 3c8604691d2acc7b7d4795d9695070de9eaa5828 Mon Sep 17 00:00:00 2001
+From: Sreekanth Reddy <sreekanth.reddy@broadcom.com>
+Date: Tue, 30 Mar 2021 16:21:37 +0530
+Subject: scsi: mpt3sas: Block PCI config access from userspace during reset
+
+From: Sreekanth Reddy <sreekanth.reddy@broadcom.com>
+
+commit 3c8604691d2acc7b7d4795d9695070de9eaa5828 upstream.
+
+While diag reset is in progress there is short duration where all access to
+controller's PCI config space from the host needs to be blocked. This is
+due to a hardware limitation of the IOC controllers.
+
+Block all access to controller's config space from userland applications by
+calling pci_cfg_access_lock() while diag reset is in progress and unlocking
+it again after the controller comes back to ready state.
+
+Link: https://lore.kernel.org/r/20210330105137.20728-1-sreekanth.reddy@broadcom.com
+Cc: stable@vger.kernel.org #v5.4.108+
+Signed-off-by: Sreekanth Reddy <sreekanth.reddy@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/mpt3sas/mpt3sas_base.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/scsi/mpt3sas/mpt3sas_base.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_base.c
+@@ -7252,6 +7252,8 @@ _base_diag_reset(struct MPT3SAS_ADAPTER
+
+ ioc_info(ioc, "sending diag reset !!\n");
+
++ pci_cfg_access_lock(ioc->pdev);
++
+ drsprintk(ioc, ioc_info(ioc, "clear interrupts\n"));
+
+ count = 0;
+@@ -7342,10 +7344,12 @@ _base_diag_reset(struct MPT3SAS_ADAPTER
+ goto out;
+ }
+
++ pci_cfg_access_unlock(ioc->pdev);
+ ioc_info(ioc, "diag reset: SUCCESS\n");
+ return 0;
+
+ out:
++ pci_cfg_access_unlock(ioc->pdev);
+ ioc_err(ioc, "diag reset: FAILED\n");
+ return -EFAULT;
+ }
--- /dev/null
+From 4c51f956965120b3441cdd39c358b87daba13e19 Mon Sep 17 00:00:00 2001
+From: Sreekanth Reddy <sreekanth.reddy@broadcom.com>
+Date: Tue, 30 Mar 2021 16:20:04 +0530
+Subject: scsi: mpt3sas: Only one vSES is present even when IOC has multi vSES
+
+From: Sreekanth Reddy <sreekanth.reddy@broadcom.com>
+
+commit 4c51f956965120b3441cdd39c358b87daba13e19 upstream.
+
+Whenever the driver is adding a vSES to virtual-phys list it is
+reinitializing the list head. Hence those vSES devices which were added
+previously are lost.
+
+Stop reinitializing the list every time a new vSES device is added.
+
+Link: https://lore.kernel.org/r/20210330105004.20413-1-sreekanth.reddy@broadcom.com
+Cc: stable@vger.kernel.org #v5.11.10+
+Signed-off-by: Sreekanth Reddy <sreekanth.reddy@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/mpt3sas/mpt3sas_scsih.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+@@ -6483,6 +6483,9 @@ _scsih_alloc_vphy(struct MPT3SAS_ADAPTER
+ if (!vphy)
+ return NULL;
+
++ if (!port->vphys_mask)
++ INIT_LIST_HEAD(&port->vphys_list);
++
+ /*
+ * Enable bit corresponding to HBA phy number on its
+ * parent hba_port object's vphys_mask field.
+@@ -6490,7 +6493,6 @@ _scsih_alloc_vphy(struct MPT3SAS_ADAPTER
+ port->vphys_mask |= (1 << phy_num);
+ vphy->phy_mask |= (1 << phy_num);
+
+- INIT_LIST_HEAD(&port->vphys_list);
+ list_add_tail(&vphy->list, &port->vphys_list);
+
+ ioc_info(ioc,
--- /dev/null
+From 6641df81ab799f28a5d564f860233dd26cca0d93 Mon Sep 17 00:00:00 2001
+From: Arun Easi <aeasi@marvell.com>
+Date: Mon, 29 Mar 2021 01:52:23 -0700
+Subject: scsi: qla2xxx: Fix crash in qla2xxx_mqueuecommand()
+
+From: Arun Easi <aeasi@marvell.com>
+
+commit 6641df81ab799f28a5d564f860233dd26cca0d93 upstream.
+
+ RIP: 0010:kmem_cache_free+0xfa/0x1b0
+ Call Trace:
+ qla2xxx_mqueuecommand+0x2b5/0x2c0 [qla2xxx]
+ scsi_queue_rq+0x5e2/0xa40
+ __blk_mq_try_issue_directly+0x128/0x1d0
+ blk_mq_request_issue_directly+0x4e/0xb0
+
+Fix incorrect call to free srb in qla2xxx_mqueuecommand(), as srb is now
+allocated by upper layers. This fixes smatch warning of srb unintended
+free.
+
+Link: https://lore.kernel.org/r/20210329085229.4367-7-njavali@marvell.com
+Fixes: af2a0c51b120 ("scsi: qla2xxx: Fix SRB leak on switch command timeout")
+Cc: stable@vger.kernel.org # 5.5
+Reported-by: Laurence Oberman <loberman@redhat.com>
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Arun Easi <aeasi@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_os.c | 7 -------
+ 1 file changed, 7 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -1013,8 +1013,6 @@ qla2xxx_mqueuecommand(struct Scsi_Host *
+ if (rval != QLA_SUCCESS) {
+ ql_dbg(ql_dbg_io + ql_dbg_verbose, vha, 0x3078,
+ "Start scsi failed rval=%d for cmd=%p.\n", rval, cmd);
+- if (rval == QLA_INTERFACE_ERROR)
+- goto qc24_free_sp_fail_command;
+ goto qc24_host_busy_free_sp;
+ }
+
+@@ -1026,11 +1024,6 @@ qc24_host_busy_free_sp:
+ qc24_target_busy:
+ return SCSI_MLQUEUE_TARGET_BUSY;
+
+-qc24_free_sp_fail_command:
+- sp->free(sp);
+- CMD_SP(cmd) = NULL;
+- qla2xxx_rel_qpair_sp(sp->qpair, sp);
+-
+ qc24_fail_command:
+ cmd->scsi_done(cmd);
+
--- /dev/null
+From f02d4086a8f36a0e1aaebf559b54cf24a177a486 Mon Sep 17 00:00:00 2001
+From: Roman Bolshakov <r.bolshakov@yadro.com>
+Date: Mon, 12 Apr 2021 19:57:40 +0300
+Subject: scsi: qla2xxx: Reserve extra IRQ vectors
+
+From: Roman Bolshakov <r.bolshakov@yadro.com>
+
+commit f02d4086a8f36a0e1aaebf559b54cf24a177a486 upstream.
+
+Commit a6dcfe08487e ("scsi: qla2xxx: Limit interrupt vectors to number of
+CPUs") lowers the number of allocated MSI-X vectors to the number of CPUs.
+
+That breaks vector allocation assumptions in qla83xx_iospace_config(),
+qla24xx_enable_msix() and qla2x00_iospace_config(). Either of the functions
+computes maximum number of qpairs as:
+
+ ha->max_qpairs = ha->msix_count - 1 (MB interrupt) - 1 (default
+ response queue) - 1 (ATIO, in dual or pure target mode)
+
+max_qpairs is set to zero in case of two CPUs and initiator mode. The
+number is then used to allocate ha->queue_pair_map inside
+qla2x00_alloc_queues(). No allocation happens and ha->queue_pair_map is
+left NULL but the driver thinks there are queue pairs available.
+
+qla2xxx_queuecommand() tries to find a qpair in the map and crashes:
+
+ if (ha->mqenable) {
+ uint32_t tag;
+ uint16_t hwq;
+ struct qla_qpair *qpair = NULL;
+
+ tag = blk_mq_unique_tag(cmd->request);
+ hwq = blk_mq_unique_tag_to_hwq(tag);
+ qpair = ha->queue_pair_map[hwq]; # <- HERE
+
+ if (qpair)
+ return qla2xxx_mqueuecommand(host, cmd, qpair);
+ }
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000000
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: 0000 [#1] SMP PTI
+ CPU: 0 PID: 72 Comm: kworker/u4:3 Tainted: G W 5.10.0-rc1+ #25
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
+ Workqueue: scsi_wq_7 fc_scsi_scan_rport [scsi_transport_fc]
+ RIP: 0010:qla2xxx_queuecommand+0x16b/0x3f0 [qla2xxx]
+ Call Trace:
+ scsi_queue_rq+0x58c/0xa60
+ blk_mq_dispatch_rq_list+0x2b7/0x6f0
+ ? __sbitmap_get_word+0x2a/0x80
+ __blk_mq_sched_dispatch_requests+0xb8/0x170
+ blk_mq_sched_dispatch_requests+0x2b/0x50
+ __blk_mq_run_hw_queue+0x49/0xb0
+ __blk_mq_delay_run_hw_queue+0xfb/0x150
+ blk_mq_sched_insert_request+0xbe/0x110
+ blk_execute_rq+0x45/0x70
+ __scsi_execute+0x10e/0x250
+ scsi_probe_and_add_lun+0x228/0xda0
+ __scsi_scan_target+0xf4/0x620
+ ? __pm_runtime_resume+0x4f/0x70
+ scsi_scan_target+0x100/0x110
+ fc_scsi_scan_rport+0xa1/0xb0 [scsi_transport_fc]
+ process_one_work+0x1ea/0x3b0
+ worker_thread+0x28/0x3b0
+ ? process_one_work+0x3b0/0x3b0
+ kthread+0x112/0x130
+ ? kthread_park+0x80/0x80
+ ret_from_fork+0x22/0x30
+
+The driver should allocate enough vectors to provide every CPU it's own HW
+queue and still handle reserved (MB, RSP, ATIO) interrupts.
+
+The change fixes the crash on dual core VM and prevents unbalanced QP
+allocation where nr_hw_queues is two less than the number of CPUs.
+
+Link: https://lore.kernel.org/r/20210412165740.39318-1-r.bolshakov@yadro.com
+Fixes: a6dcfe08487e ("scsi: qla2xxx: Limit interrupt vectors to number of CPUs")
+Cc: Daniel Wagner <daniel.wagner@suse.com>
+Cc: Himanshu Madhani <himanshu.madhani@oracle.com>
+Cc: Quinn Tran <qutran@marvell.com>
+Cc: Nilesh Javali <njavali@marvell.com>
+Cc: Martin K. Petersen <martin.petersen@oracle.com>
+Cc: stable@vger.kernel.org # 5.11+
+Reported-by: Aleksandr Volkov <a.y.volkov@yadro.com>
+Reported-by: Aleksandr Miloserdov <a.miloserdov@yadro.com>
+Reviewed-by: Daniel Wagner <dwagner@suse.de>
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Roman Bolshakov <r.bolshakov@yadro.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_isr.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_isr.c
++++ b/drivers/scsi/qla2xxx/qla_isr.c
+@@ -4005,11 +4005,11 @@ qla24xx_enable_msix(struct qla_hw_data *
+ if (USER_CTRL_IRQ(ha) || !ha->mqiobase) {
+ /* user wants to control IRQ setting for target mode */
+ ret = pci_alloc_irq_vectors(ha->pdev, min_vecs,
+- min((u16)ha->msix_count, (u16)num_online_cpus()),
++ min((u16)ha->msix_count, (u16)(num_online_cpus() + min_vecs)),
+ PCI_IRQ_MSIX);
+ } else
+ ret = pci_alloc_irq_vectors_affinity(ha->pdev, min_vecs,
+- min((u16)ha->msix_count, (u16)num_online_cpus()),
++ min((u16)ha->msix_count, (u16)(num_online_cpus() + min_vecs)),
+ PCI_IRQ_MSIX | PCI_IRQ_AFFINITY,
+ &desc);
+
bus-mhi-pci_generic-remove-wq_mem_reclaim-flag-from-state-workqueue.patch
bus-mhi-core-fix-mhi-runtime_pm-behavior.patch
bus-mhi-core-fix-invalid-error-returning-in-mhi_queue.patch
+nitro_enclaves-fix-stale-file-descriptors-on-failed-usercopy.patch
+dyndbg-fix-parsing-file-query-without-a-line-range-suffix.patch
+s390-disassembler-increase-ebpf-disasm-buffer-size.patch
+s390-zcrypt-fix-zcard-and-zqueue-hot-unplug-memleak.patch
+s390-vfio-ap-fix-circular-lockdep-when-setting-clearing-crypto-masks.patch
+s390-cio-remove-invalid-condition-on-io_sch_unreg.patch
+vhost-vdpa-fix-vm_flags-for-virtqueue-doorbell-mapping.patch
+tpm-acpi-check-eventlog-signature-before-using-it.patch
+acpi-custom_method-fix-potential-use-after-free-issue.patch
+acpi-custom_method-fix-a-possible-memory-leak.patch
+ftrace-handle-commands-when-closing-set_ftrace_filter-file.patch
+arm-9056-1-decompressor-fix-bss-size-calculation-for-llvm-ld.lld.patch
+arm64-dts-marvell-armada-37xx-add-syscon-compatible-to-nb-clk-node.patch
+arm64-dts-mt8173-fix-property-typo-of-phys-in-dsi-node.patch
+ecryptfs-fix-kernel-panic-with-null-dev_name.patch
+fs-epoll-restore-waking-from-ep_done_scan.patch
+reset-add-missing-empty-function-reset_control_rearm.patch
+mtd-spi-nor-core-fix-an-issue-of-releasing-resources-during-read-write.patch
+revert-mtd-spi-nor-macronix-add-support-for-mx25l51245g.patch
+mtd-spinand-core-add-missing-module_device_table.patch
+mtd-rawnand-atmel-update-ecc_stats.corrected-counter.patch
+mtd-physmap-physmap-bt1-rom-fix-unintentional-stack-access.patch
+erofs-add-unsupported-inode-i_format-check.patch
+spi-stm32-qspi-fix-pm_runtime-usage_count-counter.patch
+spi-spi-ti-qspi-free-dma-resources.patch
+libceph-bump-cephxauthenticate-encoding-version.patch
+libceph-allow-addrvecs-with-a-single-none-blank-address.patch
+libceph-don-t-set-global_id-until-we-get-an-auth-ticket.patch
+scsi-qla2xxx-reserve-extra-irq-vectors.patch
+scsi-lpfc-fix-rmmod-crash-due-to-bad-ring-pointers-to-abort_iotag.patch
+scsi-qla2xxx-fix-crash-in-qla2xxx_mqueuecommand.patch
+scsi-mpt3sas-only-one-vses-is-present-even-when-ioc-has-multi-vses.patch
+scsi-mpt3sas-block-pci-config-access-from-userspace-during-reset.patch
+mmc-uniphier-sd-fix-an-error-handling-path-in-uniphier_sd_probe.patch
+mmc-uniphier-sd-fix-a-resource-leak-in-the-remove-function.patch
+mmc-sdhci-check-for-reset-prior-to-dma-address-unmap.patch
+mmc-sdhci-pci-fix-initialization-of-some-sd-cards-for-intel-byt-based-controllers.patch
+mmc-sdhci-tegra-add-required-callbacks-to-set-clear-cqe_en-bit.patch
+mmc-block-update-ext_csd.cache_ctrl-if-it-was-written.patch
+mmc-block-issue-a-cache-flush-only-when-it-s-enabled.patch
+mmc-core-do-a-power-cycle-when-the-cmd11-fails.patch
+mmc-core-set-read-only-for-sd-cards-with-permanent-write-protect-bit.patch
+mmc-core-fix-hanging-on-i-o-during-system-suspend-for-removable-cards.patch
--- /dev/null
+From 1d309cd688a76fb733f0089d36dc630327b32d59 Mon Sep 17 00:00:00 2001
+From: Tudor Ambarus <tudor.ambarus@microchip.com>
+Date: Thu, 18 Feb 2021 15:09:50 +0200
+Subject: spi: spi-ti-qspi: Free DMA resources
+
+From: Tudor Ambarus <tudor.ambarus@microchip.com>
+
+commit 1d309cd688a76fb733f0089d36dc630327b32d59 upstream.
+
+Release the RX channel and free the dma coherent memory when
+devm_spi_register_master() fails.
+
+Fixes: 5720ec0a6d26 ("spi: spi-ti-qspi: Add DMA support for QSPI mmap read")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
+Link: https://lore.kernel.org/r/20210218130950.90155-1-tudor.ambarus@microchip.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-ti-qspi.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+--- a/drivers/spi/spi-ti-qspi.c
++++ b/drivers/spi/spi-ti-qspi.c
+@@ -733,6 +733,17 @@ static int ti_qspi_runtime_resume(struct
+ return 0;
+ }
+
++static void ti_qspi_dma_cleanup(struct ti_qspi *qspi)
++{
++ if (qspi->rx_bb_addr)
++ dma_free_coherent(qspi->dev, QSPI_DMA_BUFFER_SIZE,
++ qspi->rx_bb_addr,
++ qspi->rx_bb_dma_addr);
++
++ if (qspi->rx_chan)
++ dma_release_channel(qspi->rx_chan);
++}
++
+ static const struct of_device_id ti_qspi_match[] = {
+ {.compatible = "ti,dra7xxx-qspi" },
+ {.compatible = "ti,am4372-qspi" },
+@@ -886,6 +897,8 @@ no_dma:
+ if (!ret)
+ return 0;
+
++ ti_qspi_dma_cleanup(qspi);
++
+ pm_runtime_disable(&pdev->dev);
+ free_master:
+ spi_master_put(master);
+@@ -904,12 +917,7 @@ static int ti_qspi_remove(struct platfor
+ pm_runtime_put_sync(&pdev->dev);
+ pm_runtime_disable(&pdev->dev);
+
+- if (qspi->rx_bb_addr)
+- dma_free_coherent(qspi->dev, QSPI_DMA_BUFFER_SIZE,
+- qspi->rx_bb_addr,
+- qspi->rx_bb_dma_addr);
+- if (qspi->rx_chan)
+- dma_release_channel(qspi->rx_chan);
++ ti_qspi_dma_cleanup(qspi);
+
+ return 0;
+ }
--- /dev/null
+From 102e9d1936569d43f55dd1ea89be355ad207143c Mon Sep 17 00:00:00 2001
+From: Christophe Kerello <christophe.kerello@foss.st.com>
+Date: Mon, 19 Apr 2021 14:15:39 +0200
+Subject: spi: stm32-qspi: fix pm_runtime usage_count counter
+
+From: Christophe Kerello <christophe.kerello@foss.st.com>
+
+commit 102e9d1936569d43f55dd1ea89be355ad207143c upstream.
+
+pm_runtime usage_count counter is not well managed.
+pm_runtime_put_autosuspend callback drops the usage_counter but this
+one has never been increased. Add pm_runtime_get_sync callback to bump up
+the usage counter. It is also needed to use pm_runtime_force_suspend and
+pm_runtime_force_resume APIs to handle properly the clock.
+
+Fixes: 9d282c17b023 ("spi: stm32-qspi: Add pm_runtime support")
+Signed-off-by: Christophe Kerello <christophe.kerello@foss.st.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20210419121541.11617-2-patrice.chotard@foss.st.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-stm32-qspi.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+--- a/drivers/spi/spi-stm32-qspi.c
++++ b/drivers/spi/spi-stm32-qspi.c
+@@ -727,21 +727,31 @@ static int __maybe_unused stm32_qspi_sus
+ {
+ pinctrl_pm_select_sleep_state(dev);
+
+- return 0;
++ return pm_runtime_force_suspend(dev);
+ }
+
+ static int __maybe_unused stm32_qspi_resume(struct device *dev)
+ {
+ struct stm32_qspi *qspi = dev_get_drvdata(dev);
++ int ret;
++
++ ret = pm_runtime_force_resume(dev);
++ if (ret < 0)
++ return ret;
+
+ pinctrl_pm_select_default_state(dev);
+- clk_prepare_enable(qspi->clk);
++
++ ret = pm_runtime_get_sync(dev);
++ if (ret < 0) {
++ pm_runtime_put_noidle(dev);
++ return ret;
++ }
+
+ writel_relaxed(qspi->cr_reg, qspi->io_base + QSPI_CR);
+ writel_relaxed(qspi->dcr_reg, qspi->io_base + QSPI_DCR);
+
+- pm_runtime_mark_last_busy(qspi->dev);
+- pm_runtime_put_autosuspend(qspi->dev);
++ pm_runtime_mark_last_busy(dev);
++ pm_runtime_put_autosuspend(dev);
+
+ return 0;
+ }
--- /dev/null
+From 3dcd15665aca80197333500a4be3900948afccc1 Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.ibm.com>
+Date: Wed, 10 Mar 2021 17:19:15 -0500
+Subject: tpm: acpi: Check eventlog signature before using it
+
+From: Stefan Berger <stefanb@linux.ibm.com>
+
+commit 3dcd15665aca80197333500a4be3900948afccc1 upstream.
+
+Check the eventlog signature before using it. This avoids using an
+empty log, as may be the case when QEMU created the ACPI tables,
+rather than probing the EFI log next. This resolves an issue where
+the EFI log was empty since an empty ACPI log was used.
+
+Cc: stable@vger.kernel.org
+Fixes: 85467f63a05c ("tpm: Add support for event log pointer found in TPM2 ACPI table")
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/tpm/eventlog/acpi.c | 33 ++++++++++++++++++++++++++++++++-
+ 1 file changed, 32 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/tpm/eventlog/acpi.c
++++ b/drivers/char/tpm/eventlog/acpi.c
+@@ -41,6 +41,27 @@ struct acpi_tcpa {
+ };
+ };
+
++/* Check that the given log is indeed a TPM2 log. */
++static bool tpm_is_tpm2_log(void *bios_event_log, u64 len)
++{
++ struct tcg_efi_specid_event_head *efispecid;
++ struct tcg_pcr_event *event_header;
++ int n;
++
++ if (len < sizeof(*event_header))
++ return false;
++ len -= sizeof(*event_header);
++ event_header = bios_event_log;
++
++ if (len < sizeof(*efispecid))
++ return false;
++ efispecid = (struct tcg_efi_specid_event_head *)event_header->event;
++
++ n = memcmp(efispecid->signature, TCG_SPECID_SIG,
++ sizeof(TCG_SPECID_SIG));
++ return n == 0;
++}
++
+ /* read binary bios log */
+ int tpm_read_log_acpi(struct tpm_chip *chip)
+ {
+@@ -52,6 +73,7 @@ int tpm_read_log_acpi(struct tpm_chip *c
+ struct acpi_table_tpm2 *tbl;
+ struct acpi_tpm2_phy *tpm2_phy;
+ int format;
++ int ret;
+
+ log = &chip->log;
+
+@@ -112,6 +134,7 @@ int tpm_read_log_acpi(struct tpm_chip *c
+
+ log->bios_event_log_end = log->bios_event_log + len;
+
++ ret = -EIO;
+ virt = acpi_os_map_iomem(start, len);
+ if (!virt)
+ goto err;
+@@ -119,11 +142,19 @@ int tpm_read_log_acpi(struct tpm_chip *c
+ memcpy_fromio(log->bios_event_log, virt, len);
+
+ acpi_os_unmap_iomem(virt, len);
++
++ if (chip->flags & TPM_CHIP_FLAG_TPM2 &&
++ !tpm_is_tpm2_log(log->bios_event_log, len)) {
++ /* try EFI log next */
++ ret = -ENODEV;
++ goto err;
++ }
++
+ return format;
+
+ err:
+ kfree(log->bios_event_log);
+ log->bios_event_log = NULL;
+- return -EIO;
++ return ret;
+
+ }
--- /dev/null
+From 3a3e0fad16d40a2aa68ddf7eea4acdf48b22dd44 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Tue, 13 Apr 2021 17:15:57 +0800
+Subject: vhost-vdpa: fix vm_flags for virtqueue doorbell mapping
+
+From: Jason Wang <jasowang@redhat.com>
+
+commit 3a3e0fad16d40a2aa68ddf7eea4acdf48b22dd44 upstream.
+
+The virtqueue doorbell is usually implemented via registeres but we
+don't provide the necessary vma->flags like VM_PFNMAP. This may cause
+several issues e.g when userspace tries to map the doorbell via vhost
+IOTLB, kernel may panic due to the page is not backed by page
+structure. This patch fixes this by setting the necessary
+vm_flags. With this patch, try to map doorbell via IOTLB will fail
+with bad address.
+
+Cc: stable@vger.kernel.org
+Fixes: ddd89d0a059d ("vhost_vdpa: support doorbell mapping via mmap")
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Link: https://lore.kernel.org/r/20210413091557.29008-1-jasowang@redhat.com
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vhost/vdpa.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/vhost/vdpa.c
++++ b/drivers/vhost/vdpa.c
+@@ -993,6 +993,7 @@ static int vhost_vdpa_mmap(struct file *
+ if (vma->vm_end - vma->vm_start != notify.size)
+ return -ENOTSUPP;
+
++ vma->vm_flags |= VM_IO | VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP;
+ vma->vm_ops = &vhost_vdpa_vm_ops;
+ return 0;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
