--- /dev/null
+From 596143e3aec35c93508d6b7a05ddc999ee209b61 Mon Sep 17 00:00:00 2001
+From: Jackie Liu <liuyun01@kylinos.cn>
+Date: Mon, 23 Aug 2021 17:25:26 +0800
+Subject: acpi/arm64: fix next_platform_timer() section mismatch error
+
+From: Jackie Liu <liuyun01@kylinos.cn>
+
+commit 596143e3aec35c93508d6b7a05ddc999ee209b61 upstream.
+
+Fix modpost Section mismatch error in next_platform_timer().
+
+ [...]
+ WARNING: modpost: vmlinux.o(.text.unlikely+0x26e60): Section mismatch in reference from the function next_platform_timer() to the variable .init.data:acpi_gtdt_desc
+ The function next_platform_timer() references
+ the variable __initdata acpi_gtdt_desc.
+ This is often because next_platform_timer lacks a __initdata
+ annotation or the annotation of acpi_gtdt_desc is wrong.
+
+ WARNING: modpost: vmlinux.o(.text.unlikely+0x26e64): Section mismatch in reference from the function next_platform_timer() to the variable .init.data:acpi_gtdt_desc
+ The function next_platform_timer() references
+ the variable __initdata acpi_gtdt_desc.
+ This is often because next_platform_timer lacks a __initdata
+ annotation or the annotation of acpi_gtdt_desc is wrong.
+
+ ERROR: modpost: Section mismatches detected.
+ Set CONFIG_SECTION_MISMATCH_WARN_ONLY=y to allow them.
+ make[1]: *** [scripts/Makefile.modpost:59: vmlinux.symvers] Error 1
+ make[1]: *** Deleting file 'vmlinux.symvers'
+ make: *** [Makefile:1176: vmlinux] Error 2
+ [...]
+
+Fixes: a712c3ed9b8a ("acpi/arm64: Add memory-mapped timer support in GTDT driver")
+Signed-off-by: Jackie Liu <liuyun01@kylinos.cn>
+Acked-by: Hanjun Guo <guohanjun@huawei.com>
+Link: https://lore.kernel.org/r/20210823092526.2407526-1-liu.yun@linux.dev
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/arm64/gtdt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/acpi/arm64/gtdt.c
++++ b/drivers/acpi/arm64/gtdt.c
+@@ -36,7 +36,7 @@ struct acpi_gtdt_descriptor {
+
+ static struct acpi_gtdt_descriptor acpi_gtdt_desc __initdata;
+
+-static inline void *next_platform_timer(void *platform_timer)
++static inline __init void *next_platform_timer(void *platform_timer)
+ {
+ struct acpi_gtdt_header *gh = platform_timer;
+
--- /dev/null
+From 776c75010803849c1cc4f11031a2b3960ab05202 Mon Sep 17 00:00:00 2001
+From: Wang Hai <wanghai38@huawei.com>
+Date: Wed, 13 Oct 2021 14:16:31 +0800
+Subject: ata: ahci_platform: fix null-ptr-deref in ahci_platform_enable_regulators()
+
+From: Wang Hai <wanghai38@huawei.com>
+
+commit 776c75010803849c1cc4f11031a2b3960ab05202 upstream.
+
+I got a null-ptr-deref report:
+
+KASAN: null-ptr-deref in range [0x0000000000000090-0x0000000000000097]
+...
+RIP: 0010:regulator_enable+0x84/0x260
+...
+Call Trace:
+ ahci_platform_enable_regulators+0xae/0x320
+ ahci_platform_enable_resources+0x1a/0x120
+ ahci_probe+0x4f/0x1b9
+ platform_probe+0x10b/0x280
+...
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+If devm_regulator_get() in ahci_platform_get_resources() fails,
+hpriv->phy_regulator will point to NULL, when enabling or disabling it,
+null-ptr-deref will occur.
+
+ahci_probe()
+ ahci_platform_get_resources()
+ devm_regulator_get(, "phy") // failed, let phy_regulator = NULL
+ ahci_platform_enable_resources()
+ ahci_platform_enable_regulators()
+ regulator_enable(hpriv->phy_regulator) // null-ptr-deref
+
+commit 962399bb7fbf ("ata: libahci_platform: Fix regulator_get_optional()
+misuse") replaces devm_regulator_get_optional() with devm_regulator_get(),
+but PHY regulator omits to delete "hpriv->phy_regulator = NULL;" like AHCI.
+Delete it like AHCI regulator to fix this bug.
+
+Fixes: commit 962399bb7fbf ("ata: libahci_platform: Fix regulator_get_optional() misuse")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Damien Le Moal <damien.lemoal@wdc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/libahci_platform.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/drivers/ata/libahci_platform.c
++++ b/drivers/ata/libahci_platform.c
+@@ -440,10 +440,7 @@ struct ahci_host_priv *ahci_platform_get
+ hpriv->phy_regulator = devm_regulator_get(dev, "phy");
+ if (IS_ERR(hpriv->phy_regulator)) {
+ rc = PTR_ERR(hpriv->phy_regulator);
+- if (rc == -EPROBE_DEFER)
+- goto err_out;
+- rc = 0;
+- hpriv->phy_regulator = NULL;
++ goto err_out;
+ }
+
+ if (flags & AHCI_PLATFORM_GET_RESETS) {
--- /dev/null
+From 7904022decc260a19dd65b56ac896387f5da6f8c Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 12 Oct 2021 11:44:43 +0300
+Subject: block/rnbd-clt-sysfs: fix a couple uninitialized variable bugs
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 7904022decc260a19dd65b56ac896387f5da6f8c upstream.
+
+These variables are printed on the error path if match_int() fails so
+they have to be initialized.
+
+Fixes: 2958a995edc9 ("block/rnbd-clt: Support polling mode for IO latency optimization")
+Fixes: 1eb54f8f5dd8 ("block/rnbd: client: sysfs interface functions")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Gioh Kim <gi-oh.kim@ionos.com>
+Link: https://lore.kernel.org/r/20211012084443.GA31472@kili
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/rnbd/rnbd-clt-sysfs.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/block/rnbd/rnbd-clt-sysfs.c
++++ b/drivers/block/rnbd/rnbd-clt-sysfs.c
+@@ -71,8 +71,10 @@ static int rnbd_clt_parse_map_options(co
+ int opt_mask = 0;
+ int token;
+ int ret = -EINVAL;
+- int i, dest_port, nr_poll_queues;
++ int nr_poll_queues = 0;
++ int dest_port = 0;
+ int p_cnt = 0;
++ int i;
+
+ options = kstrdup(buf, GFP_KERNEL);
+ if (!options)
--- /dev/null
+From 97794170b696856483f74b47bfb6049780d2d3a0 Mon Sep 17 00:00:00 2001
+From: Douglas Anderson <dianders@chromium.org>
+Date: Tue, 5 Oct 2021 19:29:08 -0700
+Subject: drm/edid: In connector_bad_edid() cap num_of_ext by num_blocks read
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Douglas Anderson <dianders@chromium.org>
+
+commit 97794170b696856483f74b47bfb6049780d2d3a0 upstream.
+
+In commit e11f5bd8228f ("drm: Add support for DP 1.4 Compliance edid
+corruption test") the function connector_bad_edid() started assuming
+that the memory for the EDID passed to it was big enough to hold
+`edid[0x7e] + 1` blocks of data (1 extra for the base block). It
+completely ignored the fact that the function was passed `num_blocks`
+which indicated how much memory had been allocated for the EDID.
+
+Let's fix this by adding a bounds check.
+
+This is important for handling the case where there's an error in the
+first block of the EDID. In that case we will call
+connector_bad_edid() without having re-allocated memory based on
+`edid[0x7e]`.
+
+Fixes: e11f5bd8228f ("drm: Add support for DP 1.4 Compliance edid corruption test")
+Reported-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20211005192905.v2.1.Ib059f9c23c2611cb5a9d760e7d0a700c1295928d@changeid
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_edid.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/drm_edid.c
++++ b/drivers/gpu/drm/drm_edid.c
+@@ -1834,11 +1834,20 @@ static void connector_bad_edid(struct dr
+ u8 *edid, int num_blocks)
+ {
+ int i;
+- u8 num_of_ext = edid[0x7e];
++ u8 last_block;
++
++ /*
++ * 0x7e in the EDID is the number of extension blocks. The EDID
++ * is 1 (base block) + num_ext_blocks big. That means we can think
++ * of 0x7e in the EDID of the _index_ of the last block in the
++ * combined chunk of memory.
++ */
++ last_block = edid[0x7e];
+
+ /* Calculate real checksum for the last edid extension block data */
+- connector->real_edid_checksum =
+- drm_edid_block_checksum(edid + num_of_ext * EDID_LENGTH);
++ if (last_block < num_blocks)
++ connector->real_edid_checksum =
++ drm_edid_block_checksum(edid + last_block * EDID_LENGTH);
+
+ if (connector->bad_edid_counter++ && !drm_debug_enabled(DRM_UT_KMS))
+ return;
--- /dev/null
+From 3eda901995371d390ef82d0b6462f4ea8efbcfdf Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 1 Oct 2021 15:59:04 +0300
+Subject: drm/msm/a3xx: fix error handling in a3xx_gpu_init()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 3eda901995371d390ef82d0b6462f4ea8efbcfdf upstream.
+
+These error paths returned 1 on failure, instead of a negative error
+code. This would lead to an Oops in the caller. A second problem is
+that the check for "if (ret != -ENODATA)" did not work because "ret" was
+set to 1.
+
+Fixes: 5785dd7a8ef0 ("drm/msm: Fix duplicate gpu node in icc summary")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/20211001125904.GK2283@kili
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/adreno/a3xx_gpu.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/msm/adreno/a3xx_gpu.c
++++ b/drivers/gpu/drm/msm/adreno/a3xx_gpu.c
+@@ -571,13 +571,14 @@ struct msm_gpu *a3xx_gpu_init(struct drm
+ }
+
+ icc_path = devm_of_icc_get(&pdev->dev, "gfx-mem");
+- ret = IS_ERR(icc_path);
+- if (ret)
++ if (IS_ERR(icc_path)) {
++ ret = PTR_ERR(icc_path);
+ goto fail;
++ }
+
+ ocmem_icc_path = devm_of_icc_get(&pdev->dev, "ocmem");
+- ret = IS_ERR(ocmem_icc_path);
+- if (ret) {
++ if (IS_ERR(ocmem_icc_path)) {
++ ret = PTR_ERR(ocmem_icc_path);
+ /* allow -ENODATA, ocmem icc is optional */
+ if (ret != -ENODATA)
+ goto fail;
--- /dev/null
+From 980d74e7d03ccf2eaa11d133416946bd880c7c08 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 1 Oct 2021 15:57:59 +0300
+Subject: drm/msm/a4xx: fix error handling in a4xx_gpu_init()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 980d74e7d03ccf2eaa11d133416946bd880c7c08 upstream.
+
+This code returns 1 on error instead of a negative error. It leads to
+an Oops in the caller. A second problem is that the check for
+"if (ret != -ENODATA)" cannot be true because "ret" is set to 1.
+
+Fixes: 5785dd7a8ef0 ("drm/msm: Fix duplicate gpu node in icc summary")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/20211001125759.GJ2283@kili
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/adreno/a4xx_gpu.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/msm/adreno/a4xx_gpu.c
++++ b/drivers/gpu/drm/msm/adreno/a4xx_gpu.c
+@@ -699,13 +699,14 @@ struct msm_gpu *a4xx_gpu_init(struct drm
+ }
+
+ icc_path = devm_of_icc_get(&pdev->dev, "gfx-mem");
+- ret = IS_ERR(icc_path);
+- if (ret)
++ if (IS_ERR(icc_path)) {
++ ret = PTR_ERR(icc_path);
+ goto fail;
++ }
+
+ ocmem_icc_path = devm_of_icc_get(&pdev->dev, "ocmem");
+- ret = IS_ERR(ocmem_icc_path);
+- if (ret) {
++ if (IS_ERR(ocmem_icc_path)) {
++ ret = PTR_ERR(ocmem_icc_path);
+ /* allow -ENODATA, ocmem icc is optional */
+ if (ret != -ENODATA)
+ goto fail;
--- /dev/null
+From 14eb0cb4e9a7323c8735cf6c681ed8423ce6ae06 Mon Sep 17 00:00:00 2001
+From: Rob Clark <robdclark@chromium.org>
+Date: Thu, 30 Sep 2021 10:43:20 -0700
+Subject: drm/msm/a6xx: Track current ctx by seqno
+
+From: Rob Clark <robdclark@chromium.org>
+
+commit 14eb0cb4e9a7323c8735cf6c681ed8423ce6ae06 upstream.
+
+In theory a context can be destroyed and a new one allocated at the same
+address, making the pointer comparision to detect when we don't need to
+update the current pagetables invalid. Instead assign a sequence number
+to each context on creation, and use this for the check.
+
+Fixes: 84c31ee16f90 ("drm/msm/a6xx: Add support for per-instance pagetables")
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/adreno/a6xx_gpu.c | 6 +++---
+ drivers/gpu/drm/msm/adreno/a6xx_gpu.h | 11 ++++++++++-
+ drivers/gpu/drm/msm/msm_drv.c | 3 +++
+ drivers/gpu/drm/msm/msm_drv.h | 1 +
+ 4 files changed, 17 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/msm/adreno/a6xx_gpu.c
++++ b/drivers/gpu/drm/msm/adreno/a6xx_gpu.c
+@@ -102,7 +102,7 @@ static void a6xx_set_pagetable(struct a6
+ u32 asid;
+ u64 memptr = rbmemptr(ring, ttbr0);
+
+- if (ctx == a6xx_gpu->cur_ctx)
++ if (ctx->seqno == a6xx_gpu->cur_ctx_seqno)
+ return;
+
+ if (msm_iommu_pagetable_params(ctx->aspace->mmu, &ttbr, &asid))
+@@ -135,7 +135,7 @@ static void a6xx_set_pagetable(struct a6
+ OUT_PKT7(ring, CP_EVENT_WRITE, 1);
+ OUT_RING(ring, 0x31);
+
+- a6xx_gpu->cur_ctx = ctx;
++ a6xx_gpu->cur_ctx_seqno = ctx->seqno;
+ }
+
+ static void a6xx_submit(struct msm_gpu *gpu, struct msm_gem_submit *submit)
+@@ -1053,7 +1053,7 @@ static int a6xx_hw_init(struct msm_gpu *
+ /* Always come up on rb 0 */
+ a6xx_gpu->cur_ring = gpu->rb[0];
+
+- a6xx_gpu->cur_ctx = NULL;
++ a6xx_gpu->cur_ctx_seqno = 0;
+
+ /* Enable the SQE_to start the CP engine */
+ gpu_write(gpu, REG_A6XX_CP_SQE_CNTL, 1);
+--- a/drivers/gpu/drm/msm/adreno/a6xx_gpu.h
++++ b/drivers/gpu/drm/msm/adreno/a6xx_gpu.h
+@@ -19,7 +19,16 @@ struct a6xx_gpu {
+ uint64_t sqe_iova;
+
+ struct msm_ringbuffer *cur_ring;
+- struct msm_file_private *cur_ctx;
++
++ /**
++ * cur_ctx_seqno:
++ *
++ * The ctx->seqno value of the context with current pgtables
++ * installed. Tracked by seqno rather than pointer value to
++ * avoid dangling pointers, and cases where a ctx can be freed
++ * and a new one created with the same address.
++ */
++ int cur_ctx_seqno;
+
+ struct a6xx_gmu gmu;
+
+--- a/drivers/gpu/drm/msm/msm_drv.c
++++ b/drivers/gpu/drm/msm/msm_drv.c
+@@ -619,6 +619,7 @@ static void load_gpu(struct drm_device *
+
+ static int context_init(struct drm_device *dev, struct drm_file *file)
+ {
++ static atomic_t ident = ATOMIC_INIT(0);
+ struct msm_drm_private *priv = dev->dev_private;
+ struct msm_file_private *ctx;
+
+@@ -632,6 +633,8 @@ static int context_init(struct drm_devic
+ ctx->aspace = msm_gpu_create_private_address_space(priv->gpu, current);
+ file->driver_priv = ctx;
+
++ ctx->seqno = atomic_inc_return(&ident);
++
+ return 0;
+ }
+
+--- a/drivers/gpu/drm/msm/msm_drv.h
++++ b/drivers/gpu/drm/msm/msm_drv.h
+@@ -59,6 +59,7 @@ struct msm_file_private {
+ int queueid;
+ struct msm_gem_address_space *aspace;
+ struct kref ref;
++ int seqno;
+ };
+
+ enum msm_mdp_plane_property {
--- /dev/null
+From 90b7c1c66132c20e8a550006011a3cbfb73dbfc1 Mon Sep 17 00:00:00 2001
+From: Marijn Suijten <marijn.suijten@somainline.org>
+Date: Mon, 6 Sep 2021 22:25:51 +0200
+Subject: drm/msm/dsi: dsi_phy_14nm: Take ready-bit into account in poll_for_ready
+
+From: Marijn Suijten <marijn.suijten@somainline.org>
+
+commit 90b7c1c66132c20e8a550006011a3cbfb73dbfc1 upstream.
+
+The downstream driver models this PLL lock check as an if-elseif-else.
+The only way to reach the else case where pll_locked=true [1] is by
+succeeding both readl_poll_timeout_atomic calls (which return zero on
+success) in the if _and_ elseif condition. Hence both the "lock" and
+"ready" bit need to be tested in the SM_READY_STATUS register before
+considering the PLL locked and ready to go.
+
+Tested on the Sony Xperia XA2 Ultra (nile-discovery, sdm630).
+
+[1]: https://source.codeaurora.org/quic/la/kernel/msm-4.19/tree/drivers/clk/qcom/mdss/mdss-dsi-pll-14nm-util.c?h=LA.UM.9.2.1.r1-08000-sdm660.0#n302
+
+Fixes: f079f6d999cb ("drm/msm/dsi: Add PHY/PLL for 8x96")
+Signed-off-by: Marijn Suijten <marijn.suijten@somainline.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20210906202552.824598-1-marijn.suijten@somainline.org
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/dsi/phy/dsi_phy_14nm.c | 30 ++++++++++++++---------------
+ 1 file changed, 15 insertions(+), 15 deletions(-)
+
+--- a/drivers/gpu/drm/msm/dsi/phy/dsi_phy_14nm.c
++++ b/drivers/gpu/drm/msm/dsi/phy/dsi_phy_14nm.c
+@@ -110,14 +110,13 @@ static struct dsi_pll_14nm *pll_14nm_lis
+ static bool pll_14nm_poll_for_ready(struct dsi_pll_14nm *pll_14nm,
+ u32 nb_tries, u32 timeout_us)
+ {
+- bool pll_locked = false;
++ bool pll_locked = false, pll_ready = false;
+ void __iomem *base = pll_14nm->phy->pll_base;
+ u32 tries, val;
+
+ tries = nb_tries;
+ while (tries--) {
+- val = dsi_phy_read(base +
+- REG_DSI_14nm_PHY_PLL_RESET_SM_READY_STATUS);
++ val = dsi_phy_read(base + REG_DSI_14nm_PHY_PLL_RESET_SM_READY_STATUS);
+ pll_locked = !!(val & BIT(5));
+
+ if (pll_locked)
+@@ -126,23 +125,24 @@ static bool pll_14nm_poll_for_ready(stru
+ udelay(timeout_us);
+ }
+
+- if (!pll_locked) {
+- tries = nb_tries;
+- while (tries--) {
+- val = dsi_phy_read(base +
+- REG_DSI_14nm_PHY_PLL_RESET_SM_READY_STATUS);
+- pll_locked = !!(val & BIT(0));
++ if (!pll_locked)
++ goto out;
+
+- if (pll_locked)
+- break;
++ tries = nb_tries;
++ while (tries--) {
++ val = dsi_phy_read(base + REG_DSI_14nm_PHY_PLL_RESET_SM_READY_STATUS);
++ pll_ready = !!(val & BIT(0));
+
+- udelay(timeout_us);
+- }
++ if (pll_ready)
++ break;
++
++ udelay(timeout_us);
+ }
+
+- DBG("DSI PLL is %slocked", pll_locked ? "" : "*not* ");
++out:
++ DBG("DSI PLL is %slocked, %sready", pll_locked ? "" : "*not* ", pll_ready ? "" : "*not* ");
+
+- return pll_locked;
++ return pll_locked && pll_ready;
+ }
+
+ static void dsi_pll_14nm_config_init(struct dsi_pll_config *pconf)
--- /dev/null
+From 739b4e7756d3301dd673ca517afca46a5f635562 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 1 Oct 2021 15:33:08 +0300
+Subject: drm/msm/dsi: Fix an error code in msm_dsi_modeset_init()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 739b4e7756d3301dd673ca517afca46a5f635562 upstream.
+
+Return an error code if msm_dsi_manager_validate_current_config().
+Don't return success.
+
+Fixes: 8b03ad30e314 ("drm/msm/dsi: Use one connector for dual DSI mode")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20211001123308.GF2283@kili
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/dsi/dsi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/msm/dsi/dsi.c
++++ b/drivers/gpu/drm/msm/dsi/dsi.c
+@@ -208,8 +208,10 @@ int msm_dsi_modeset_init(struct msm_dsi
+ goto fail;
+ }
+
+- if (!msm_dsi_manager_validate_current_config(msm_dsi->id))
++ if (!msm_dsi_manager_validate_current_config(msm_dsi->id)) {
++ ret = -EINVAL;
+ goto fail;
++ }
+
+ msm_dsi->encoder = encoder;
+
--- /dev/null
+From c8f01ffc83923a91e8087aaa077de13354a7aa59 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 1 Oct 2021 15:34:09 +0300
+Subject: drm/msm/dsi: fix off by one in dsi_bus_clk_enable error handling
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit c8f01ffc83923a91e8087aaa077de13354a7aa59 upstream.
+
+This disables a lock which wasn't enabled and it does not disable
+the first lock in the array.
+
+Fixes: 6e0eb52eba9e ("drm/msm/dsi: Parse bus clocks from a list")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20211001123409.GG2283@kili
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/dsi/dsi_host.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/msm/dsi/dsi_host.c
++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c
+@@ -463,7 +463,7 @@ static int dsi_bus_clk_enable(struct msm
+
+ return 0;
+ err:
+- for (; i > 0; i--)
++ while (--i >= 0)
+ clk_disable_unprepare(msm_host->bus_clks[i]);
+
+ return ret;
--- /dev/null
+From 2133c4fc8e1348dcb752f267a143fe2254613b34 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Wed, 29 Sep 2021 13:18:57 +0100
+Subject: drm/msm: Fix null pointer dereference on pointer edp
+
+From: Colin Ian King <colin.king@canonical.com>
+
+commit 2133c4fc8e1348dcb752f267a143fe2254613b34 upstream.
+
+The initialization of pointer dev dereferences pointer edp before
+edp is null checked, so there is a potential null pointer deference
+issue. Fix this by only dereferencing edp after edp has been null
+checked.
+
+Addresses-Coverity: ("Dereference before null check")
+Fixes: ab5b0107ccf3 ("drm/msm: Initial add eDP support in msm drm driver (v5)")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20210929121857.213922-1-colin.king@canonical.com
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/edp/edp_ctrl.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/msm/edp/edp_ctrl.c
++++ b/drivers/gpu/drm/msm/edp/edp_ctrl.c
+@@ -1116,7 +1116,7 @@ void msm_edp_ctrl_power(struct edp_ctrl
+ int msm_edp_ctrl_init(struct msm_edp *edp)
+ {
+ struct edp_ctrl *ctrl = NULL;
+- struct device *dev = &edp->pdev->dev;
++ struct device *dev;
+ int ret;
+
+ if (!edp) {
+@@ -1124,6 +1124,7 @@ int msm_edp_ctrl_init(struct msm_edp *ed
+ return -EINVAL;
+ }
+
++ dev = &edp->pdev->dev;
+ ctrl = devm_kzalloc(dev, sizeof(*ctrl), GFP_KERNEL);
+ if (!ctrl)
+ return -ENOMEM;
--- /dev/null
+From c491a0c7bbf3a64732cb8414021429d15ec08eec Mon Sep 17 00:00:00 2001
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Date: Sat, 25 Sep 2021 22:28:24 +0300
+Subject: drm/msm/mdp5: fix cursor-related warnings
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+commit c491a0c7bbf3a64732cb8414021429d15ec08eec upstream.
+
+Since f35a2a99100f ("drm/encoder: make encoder control functions
+optional") drm_mode_config_validate would print warnings if both cursor
+plane and cursor functions are provided. Restore separate set of
+drm_crtc_funcs to be used if separate cursor plane is provided.
+
+[ 6.556046] ------------[ cut here ]------------
+[ 6.556071] [CRTC:93:crtc-0] must not have both a cursor plane and a cursor_set func
+[ 6.556091] WARNING: CPU: 1 PID: 76 at drivers/gpu/drm/drm_mode_config.c:648 drm_mode_config_validate+0x238/0x4d0
+[ 6.567453] Modules linked in:
+[ 6.577604] CPU: 1 PID: 76 Comm: kworker/u8:2 Not tainted 5.15.0-rc1-dirty #43
+[ 6.580557] Hardware name: Qualcomm Technologies, Inc. DB820c (DT)
+[ 6.587763] Workqueue: events_unbound deferred_probe_work_func
+[ 6.593926] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+[ 6.599740] pc : drm_mode_config_validate+0x238/0x4d0
+[ 6.606596] lr : drm_mode_config_validate+0x238/0x4d0
+[ 6.611804] sp : ffff8000121b3980
+[ 6.616838] x29: ffff8000121b3990 x28: 0000000000000000 x27: 0000000000000001
+[ 6.620140] x26: ffff8000114cde50 x25: ffff8000114cdd40 x24: ffff0000987282d8
+[ 6.627258] x23: 0000000000000000 x22: 0000000000000000 x21: 0000000000000001
+[ 6.634376] x20: ffff000098728000 x19: ffff000080a39000 x18: ffffffffffffffff
+[ 6.641494] x17: 3136564e3631564e x16: 0000000000000324 x15: ffff800011c78709
+[ 6.648613] x14: 0000000000000000 x13: ffff800011a22850 x12: 00000000000009ab
+[ 6.655730] x11: 0000000000000339 x10: ffff800011a22850 x9 : ffff800011a22850
+[ 6.662848] x8 : 00000000ffffefff x7 : ffff800011a7a850 x6 : ffff800011a7a850
+[ 6.669966] x5 : 000000000000bff4 x4 : 40000000fffff339 x3 : 0000000000000000
+[ 6.677084] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff00008093b800
+[ 6.684205] Call trace:
+[ 6.691319] drm_mode_config_validate+0x238/0x4d0
+[ 6.693577] drm_dev_register+0x17c/0x210
+[ 6.698435] msm_drm_bind+0x4b4/0x694
+[ 6.702429] try_to_bring_up_master+0x164/0x1d0
+[ 6.706075] __component_add+0xa0/0x170
+[ 6.710415] component_add+0x14/0x20
+[ 6.714234] msm_hdmi_dev_probe+0x1c/0x2c
+[ 6.718053] platform_probe+0x68/0xe0
+[ 6.721959] really_probe.part.0+0x9c/0x30c
+[ 6.725606] __driver_probe_device+0x98/0x144
+[ 6.729600] driver_probe_device+0xc8/0x15c
+[ 6.734114] __device_attach_driver+0xb4/0x120
+[ 6.738106] bus_for_each_drv+0x78/0xd0
+[ 6.742619] __device_attach+0xdc/0x184
+[ 6.746351] device_initial_probe+0x14/0x20
+[ 6.750172] bus_probe_device+0x9c/0xa4
+[ 6.754337] deferred_probe_work_func+0x88/0xc0
+[ 6.758158] process_one_work+0x1d0/0x370
+[ 6.762671] worker_thread+0x2c8/0x470
+[ 6.766839] kthread+0x15c/0x170
+[ 6.770483] ret_from_fork+0x10/0x20
+[ 6.773870] ---[ end trace 5884eb76cd26d274 ]---
+[ 6.777500] ------------[ cut here ]------------
+[ 6.782043] [CRTC:93:crtc-0] must not have both a cursor plane and a cursor_move func
+[ 6.782063] WARNING: CPU: 1 PID: 76 at drivers/gpu/drm/drm_mode_config.c:654 drm_mode_config_validate+0x290/0x4d0
+[ 6.794362] Modules linked in:
+[ 6.804600] CPU: 1 PID: 76 Comm: kworker/u8:2 Tainted: G W 5.15.0-rc1-dirty #43
+[ 6.807555] Hardware name: Qualcomm Technologies, Inc. DB820c (DT)
+[ 6.816148] Workqueue: events_unbound deferred_probe_work_func
+[ 6.822311] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+[ 6.828126] pc : drm_mode_config_validate+0x290/0x4d0
+[ 6.834981] lr : drm_mode_config_validate+0x290/0x4d0
+[ 6.840189] sp : ffff8000121b3980
+[ 6.845223] x29: ffff8000121b3990 x28: 0000000000000000 x27: 0000000000000001
+[ 6.848525] x26: ffff8000114cde50 x25: ffff8000114cdd40 x24: ffff0000987282d8
+[ 6.855643] x23: 0000000000000000 x22: 0000000000000000 x21: 0000000000000001
+[ 6.862763] x20: ffff000098728000 x19: ffff000080a39000 x18: ffffffffffffffff
+[ 6.869879] x17: 3136564e3631564e x16: 0000000000000324 x15: ffff800011c790c2
+[ 6.876998] x14: 0000000000000000 x13: ffff800011a22850 x12: 0000000000000a2f
+[ 6.884116] x11: 0000000000000365 x10: ffff800011a22850 x9 : ffff800011a22850
+[ 6.891234] x8 : 00000000ffffefff x7 : ffff800011a7a850 x6 : ffff800011a7a850
+[ 6.898351] x5 : 000000000000bff4 x4 : 40000000fffff365 x3 : 0000000000000000
+[ 6.905470] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff00008093b800
+[ 6.912590] Call trace:
+[ 6.919702] drm_mode_config_validate+0x290/0x4d0
+[ 6.921960] drm_dev_register+0x17c/0x210
+[ 6.926821] msm_drm_bind+0x4b4/0x694
+[ 6.930813] try_to_bring_up_master+0x164/0x1d0
+[ 6.934459] __component_add+0xa0/0x170
+[ 6.938799] component_add+0x14/0x20
+[ 6.942619] msm_hdmi_dev_probe+0x1c/0x2c
+[ 6.946438] platform_probe+0x68/0xe0
+[ 6.950345] really_probe.part.0+0x9c/0x30c
+[ 6.953991] __driver_probe_device+0x98/0x144
+[ 6.957984] driver_probe_device+0xc8/0x15c
+[ 6.962498] __device_attach_driver+0xb4/0x120
+[ 6.966492] bus_for_each_drv+0x78/0xd0
+[ 6.971004] __device_attach+0xdc/0x184
+[ 6.974737] device_initial_probe+0x14/0x20
+[ 6.978556] bus_probe_device+0x9c/0xa4
+[ 6.982722] deferred_probe_work_func+0x88/0xc0
+[ 6.986543] process_one_work+0x1d0/0x370
+[ 6.991057] worker_thread+0x2c8/0x470
+[ 6.995223] kthread+0x15c/0x170
+[ 6.998869] ret_from_fork+0x10/0x20
+[ 7.002255] ---[ end trace 5884eb76cd26d275 ]---
+
+Fixes: aa649e875daf ("drm/msm/mdp5: mdp5_crtc: Restore cursor state only if LM cursors are enabled")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20210925192824.3416259-1-dmitry.baryshkov@linaro.org
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c
++++ b/drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c
+@@ -1125,6 +1125,20 @@ static void mdp5_crtc_reset(struct drm_c
+ __drm_atomic_helper_crtc_reset(crtc, &mdp5_cstate->base);
+ }
+
++static const struct drm_crtc_funcs mdp5_crtc_no_lm_cursor_funcs = {
++ .set_config = drm_atomic_helper_set_config,
++ .destroy = mdp5_crtc_destroy,
++ .page_flip = drm_atomic_helper_page_flip,
++ .reset = mdp5_crtc_reset,
++ .atomic_duplicate_state = mdp5_crtc_duplicate_state,
++ .atomic_destroy_state = mdp5_crtc_destroy_state,
++ .atomic_print_state = mdp5_crtc_atomic_print_state,
++ .get_vblank_counter = mdp5_crtc_get_vblank_counter,
++ .enable_vblank = msm_crtc_enable_vblank,
++ .disable_vblank = msm_crtc_disable_vblank,
++ .get_vblank_timestamp = drm_crtc_vblank_helper_get_vblank_timestamp,
++};
++
+ static const struct drm_crtc_funcs mdp5_crtc_funcs = {
+ .set_config = drm_atomic_helper_set_config,
+ .destroy = mdp5_crtc_destroy,
+@@ -1313,6 +1327,8 @@ struct drm_crtc *mdp5_crtc_init(struct d
+ mdp5_crtc->lm_cursor_enabled = cursor_plane ? false : true;
+
+ drm_crtc_init_with_planes(dev, crtc, plane, cursor_plane,
++ cursor_plane ?
++ &mdp5_crtc_no_lm_cursor_funcs :
+ &mdp5_crtc_funcs, NULL);
+
+ drm_flip_work_init(&mdp5_crtc->unref_cursor_work,
--- /dev/null
+From 95c58291ee709424557996891926a05a32c5b13a Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 27 Sep 2021 13:36:23 +0200
+Subject: drm/msm/submit: fix overflow check on 64-bit architectures
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 95c58291ee709424557996891926a05a32c5b13a upstream.
+
+The overflow check does causes a warning from clang-14 when 'sz' is a type
+that is smaller than size_t:
+
+drivers/gpu/drm/msm/msm_gem_submit.c:217:10: error: result of comparison of constant 18446744073709551615 with expression of type 'unsigned int' is always false [-Werror,-Wtautological-constant-out-of-range-compare]
+ if (sz == SIZE_MAX) {
+
+Change the type accordingly.
+
+Fixes: 20224d715a88 ("drm/msm/submit: Move copy_from_user ahead of locking bos")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Stephen Boyd <swboyd@chromium.org>
+Link: https://lore.kernel.org/r/20210927113632.3849987-1-arnd@kernel.org
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/msm_gem_submit.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/msm/msm_gem_submit.c
++++ b/drivers/gpu/drm/msm/msm_gem_submit.c
+@@ -161,7 +161,8 @@ out:
+ static int submit_lookup_cmds(struct msm_gem_submit *submit,
+ struct drm_msm_gem_submit *args, struct drm_file *file)
+ {
+- unsigned i, sz;
++ unsigned i;
++ size_t sz;
+ int ret = 0;
+
+ for (i = 0; i < args->nr_cmds; i++) {
--- /dev/null
+From a14bc107edd0c108bda2245e50daa22f91c95d20 Mon Sep 17 00:00:00 2001
+From: Vegard Nossum <vegard.nossum@oracle.com>
+Date: Tue, 12 Oct 2021 13:52:42 +0200
+Subject: drm/panel: olimex-lcd-olinuxino: select CRC32
+
+From: Vegard Nossum <vegard.nossum@oracle.com>
+
+commit a14bc107edd0c108bda2245e50daa22f91c95d20 upstream.
+
+Fix the following build/link error by adding a dependency on the CRC32
+routines:
+
+ ld: drivers/gpu/drm/panel/panel-olimex-lcd-olinuxino.o: in function `lcd_olinuxino_probe':
+ panel-olimex-lcd-olinuxino.c:(.text+0x303): undefined reference to `crc32_le'
+
+Fixes: 17fd7a9d324fd ("drm/panel: Add support for Olimex LCD-OLinuXino panel")
+Cc: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
+Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20211012115242.10325-1-vegard.nossum@oracle.com
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/panel/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/panel/Kconfig
++++ b/drivers/gpu/drm/panel/Kconfig
+@@ -273,6 +273,7 @@ config DRM_PANEL_OLIMEX_LCD_OLINUXINO
+ depends on OF
+ depends on I2C
+ depends on BACKLIGHT_CLASS_DEVICE
++ select CRC32
+ help
+ The panel is used with different sizes LCDs, from 480x272 to
+ 1280x800, and 24 bit per pixel.
--- /dev/null
+From 4d4a223a86afe658cd878800f09458e8bb54415d Mon Sep 17 00:00:00 2001
+From: Jacob Keller <jacob.e.keller@intel.com>
+Date: Mon, 11 Oct 2021 13:48:06 -0700
+Subject: ice: fix locking for Tx timestamp tracking flush
+
+From: Jacob Keller <jacob.e.keller@intel.com>
+
+commit 4d4a223a86afe658cd878800f09458e8bb54415d upstream.
+
+Commit 4dd0d5c33c3e ("ice: add lock around Tx timestamp tracker flush")
+added a lock around the Tx timestamp tracker flow which is used to
+cleanup any left over SKBs and prepare for device removal.
+
+This lock is problematic because it is being held around a call to
+ice_clear_phy_tstamp. The clear function takes a mutex to send a PHY
+write command to firmware. This could lead to a deadlock if the mutex
+actually sleeps, and causes the following warning on a kernel with
+preemption debugging enabled:
+
+[ 715.419426] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:573
+[ 715.427900] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 3100, name: rmmod
+[ 715.435652] INFO: lockdep is turned off.
+[ 715.439591] Preemption disabled at:
+[ 715.439594] [<0000000000000000>] 0x0
+[ 715.446678] CPU: 52 PID: 3100 Comm: rmmod Tainted: G W OE 5.15.0-rc4+ #42 bdd7ec3018e725f159ca0d372ce8c2c0e784891c
+[ 715.458058] Hardware name: Intel Corporation S2600STQ/S2600STQ, BIOS SE5C620.86B.02.01.0010.010620200716 01/06/2020
+[ 715.468483] Call Trace:
+[ 715.470940] dump_stack_lvl+0x6a/0x9a
+[ 715.474613] ___might_sleep.cold+0x224/0x26a
+[ 715.478895] __mutex_lock+0xb3/0x1440
+[ 715.482569] ? stack_depot_save+0x378/0x500
+[ 715.486763] ? ice_sq_send_cmd+0x78/0x14c0 [ice 9a7e1ec00971c89ecd3fe0d4dc7da2b3786a421d]
+[ 715.494979] ? kfree+0xc1/0x520
+[ 715.498128] ? mutex_lock_io_nested+0x12a0/0x12a0
+[ 715.502837] ? kasan_set_free_info+0x20/0x30
+[ 715.507110] ? __kasan_slab_free+0x10b/0x140
+[ 715.511385] ? slab_free_freelist_hook+0xc7/0x220
+[ 715.516092] ? kfree+0xc1/0x520
+[ 715.519235] ? ice_deinit_lag+0x16c/0x220 [ice 9a7e1ec00971c89ecd3fe0d4dc7da2b3786a421d]
+[ 715.527359] ? ice_remove+0x1cf/0x6a0 [ice 9a7e1ec00971c89ecd3fe0d4dc7da2b3786a421d]
+[ 715.535133] ? pci_device_remove+0xab/0x1d0
+[ 715.539318] ? __device_release_driver+0x35b/0x690
+[ 715.544110] ? driver_detach+0x214/0x2f0
+[ 715.548035] ? bus_remove_driver+0x11d/0x2f0
+[ 715.552309] ? pci_unregister_driver+0x26/0x250
+[ 715.556840] ? ice_module_exit+0xc/0x2f [ice 9a7e1ec00971c89ecd3fe0d4dc7da2b3786a421d]
+[ 715.564799] ? __do_sys_delete_module.constprop.0+0x2d8/0x4e0
+[ 715.570554] ? do_syscall_64+0x3b/0x90
+[ 715.574303] ? entry_SYSCALL_64_after_hwframe+0x44/0xae
+[ 715.579529] ? start_flush_work+0x542/0x8f0
+[ 715.583719] ? ice_sq_send_cmd+0x78/0x14c0 [ice 9a7e1ec00971c89ecd3fe0d4dc7da2b3786a421d]
+[ 715.591923] ice_sq_send_cmd+0x78/0x14c0 [ice 9a7e1ec00971c89ecd3fe0d4dc7da2b3786a421d]
+[ 715.599960] ? wait_for_completion_io+0x250/0x250
+[ 715.604662] ? lock_acquire+0x196/0x200
+[ 715.608504] ? do_raw_spin_trylock+0xa5/0x160
+[ 715.612864] ice_sbq_rw_reg+0x1e6/0x2f0 [ice 9a7e1ec00971c89ecd3fe0d4dc7da2b3786a421d]
+[ 715.620813] ? ice_reset+0x130/0x130 [ice 9a7e1ec00971c89ecd3fe0d4dc7da2b3786a421d]
+[ 715.628497] ? __debug_check_no_obj_freed+0x1e8/0x3c0
+[ 715.633550] ? trace_hardirqs_on+0x1c/0x130
+[ 715.637748] ice_write_phy_reg_e810+0x70/0xf0 [ice 9a7e1ec00971c89ecd3fe0d4dc7da2b3786a421d]
+[ 715.646220] ? do_raw_spin_trylock+0xa5/0x160
+[ 715.650581] ? ice_ptp_release+0x910/0x910 [ice 9a7e1ec00971c89ecd3fe0d4dc7da2b3786a421d]
+[ 715.658797] ? ice_ptp_release+0x255/0x910 [ice 9a7e1ec00971c89ecd3fe0d4dc7da2b3786a421d]
+[ 715.667013] ice_clear_phy_tstamp+0x2c/0x110 [ice 9a7e1ec00971c89ecd3fe0d4dc7da2b3786a421d]
+[ 715.675403] ice_ptp_release+0x408/0x910 [ice 9a7e1ec00971c89ecd3fe0d4dc7da2b3786a421d]
+[ 715.683440] ice_remove+0x560/0x6a0 [ice 9a7e1ec00971c89ecd3fe0d4dc7da2b3786a421d]
+[ 715.691037] ? _raw_spin_unlock_irqrestore+0x46/0x73
+[ 715.696005] pci_device_remove+0xab/0x1d0
+[ 715.700018] __device_release_driver+0x35b/0x690
+[ 715.704637] driver_detach+0x214/0x2f0
+[ 715.708389] bus_remove_driver+0x11d/0x2f0
+[ 715.712489] pci_unregister_driver+0x26/0x250
+[ 715.716857] ice_module_exit+0xc/0x2f [ice 9a7e1ec00971c89ecd3fe0d4dc7da2b3786a421d]
+[ 715.724637] __do_sys_delete_module.constprop.0+0x2d8/0x4e0
+[ 715.730210] ? free_module+0x6d0/0x6d0
+[ 715.733963] ? task_work_run+0xe1/0x170
+[ 715.737803] ? exit_to_user_mode_loop+0x17f/0x1d0
+[ 715.742509] ? rcu_read_lock_sched_held+0x12/0x80
+[ 715.747215] ? trace_hardirqs_on+0x1c/0x130
+[ 715.751401] do_syscall_64+0x3b/0x90
+[ 715.754981] entry_SYSCALL_64_after_hwframe+0x44/0xae
+[ 715.760033] RIP: 0033:0x7f4dfe59000b
+[ 715.763612] Code: 73 01 c3 48 8b 0d 6d 1e 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 3d 1e 0c 00 f7 d8 64 89 01 48
+[ 715.782357] RSP: 002b:00007ffe8c891708 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
+[ 715.789923] RAX: ffffffffffffffda RBX: 00005558a20468b0 RCX: 00007f4dfe59000b
+[ 715.797054] RDX: 000000000000000a RSI: 0000000000000800 RDI: 00005558a2046918
+[ 715.804189] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+[ 715.811319] R10: 00007f4dfe603ac0 R11: 0000000000000206 R12: 00007ffe8c891940
+[ 715.818455] R13: 00007ffe8c8920a3 R14: 00005558a20462a0 R15: 00005558a20468b0
+
+Notice that this is the only case where we use the lock in this way. In
+the cleanup kthread and work kthread the lock is only taken around the
+bit accesses. This was done intentionally to avoid this kind of issue.
+The way the lock is used, we only protect ordering of bit sets vs bit
+clears. The Tx writers in the hot path don't need to be protected
+against the entire kthread loop. The Tx queues threads only need to
+ensure that they do not re-use an index that is currently in use. The
+cleanup loop does not need to block all new set bits, since it will
+re-queue itself if new timestamps are present.
+
+Fix the tracker flow so that it uses the same flow as the standard
+cleanup thread. In addition, ensure the in_use bitmap actually gets
+cleared properly.
+
+This fixes the warning and also avoids the potential deadlock that might
+have occurred otherwise.
+
+Fixes: 4dd0d5c33c3e ("ice: add lock around Tx timestamp tracker flush")
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/ice/ice_ptp.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/ethernet/intel/ice/ice_ptp.c
++++ b/drivers/net/ethernet/intel/ice/ice_ptp.c
+@@ -1324,22 +1324,21 @@ ice_ptp_flush_tx_tracker(struct ice_pf *
+ {
+ u8 idx;
+
+- spin_lock(&tx->lock);
+-
+ for (idx = 0; idx < tx->len; idx++) {
+ u8 phy_idx = idx + tx->quad_offset;
+
+- /* Clear any potential residual timestamp in the PHY block */
+- if (!pf->hw.reset_ongoing)
+- ice_clear_phy_tstamp(&pf->hw, tx->quad, phy_idx);
+-
++ spin_lock(&tx->lock);
+ if (tx->tstamps[idx].skb) {
+ dev_kfree_skb_any(tx->tstamps[idx].skb);
+ tx->tstamps[idx].skb = NULL;
+ }
+- }
++ clear_bit(idx, tx->in_use);
++ spin_unlock(&tx->lock);
+
+- spin_unlock(&tx->lock);
++ /* Clear any potential residual timestamp in the PHY block */
++ if (!pf->hw.reset_ongoing)
++ ice_clear_phy_tstamp(&pf->hw, tx->quad, phy_idx);
++ }
+ }
+
+ /**
--- /dev/null
+From 5c976a56570f29aaf4a2f9a1bf99789c252183c9 Mon Sep 17 00:00:00 2001
+From: Shannon Nelson <snelson@pensando.io>
+Date: Fri, 8 Oct 2021 12:38:01 -0700
+Subject: ionic: don't remove netdev->dev_addr when syncing uc list
+
+From: Shannon Nelson <snelson@pensando.io>
+
+commit 5c976a56570f29aaf4a2f9a1bf99789c252183c9 upstream.
+
+Bridging, and possibly other upper stack gizmos, adds the
+lower device's netdev->dev_addr to its own uc list, and
+then requests it be deleted when the upper bridge device is
+removed. This delete request also happens with the bridging
+vlan_filtering is enabled and then disabled.
+
+Bonding has a similar behavior with the uc list, but since it
+also uses set_mac to manage netdev->dev_addr, it doesn't have
+the same the failure case.
+
+Because we store our netdev->dev_addr in our uc list, we need
+to ignore the delete request from dev_uc_sync so as to not
+lose the address and all hope of communicating. Note that
+ndo_set_mac_address is expressly changing netdev->dev_addr,
+so no limitation is set there.
+
+Fixes: 2a654540be10 ("ionic: Add Rx filter and rx_mode ndo support")
+Signed-off-by: Shannon Nelson <snelson@pensando.io>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/pensando/ionic/ionic_lif.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c
++++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c
+@@ -1357,6 +1357,10 @@ static int ionic_addr_add(struct net_dev
+
+ static int ionic_addr_del(struct net_device *netdev, const u8 *addr)
+ {
++ /* Don't delete our own address from the uc list */
++ if (ether_addr_equal(addr, netdev->dev_addr))
++ return 0;
++
+ return ionic_lif_addr(netdev_priv(netdev), addr, DEL_ADDR);
+ }
+
--- /dev/null
+From 332fdf951df8b870e3da86b122ae304e2aabe88c Mon Sep 17 00:00:00 2001
+From: Ido Schimmel <idosch@nvidia.com>
+Date: Tue, 12 Oct 2021 20:49:55 +0300
+Subject: mlxsw: thermal: Fix out-of-bounds memory accesses
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+commit 332fdf951df8b870e3da86b122ae304e2aabe88c upstream.
+
+Currently, mlxsw allows cooling states to be set above the maximum
+cooling state supported by the driver:
+
+ # cat /sys/class/thermal/thermal_zone2/cdev0/type
+ mlxsw_fan
+ # cat /sys/class/thermal/thermal_zone2/cdev0/max_state
+ 10
+ # echo 18 > /sys/class/thermal/thermal_zone2/cdev0/cur_state
+ # echo $?
+ 0
+
+This results in out-of-bounds memory accesses when thermal state
+transition statistics are enabled (CONFIG_THERMAL_STATISTICS=y), as the
+transition table is accessed with a too large index (state) [1].
+
+According to the thermal maintainer, it is the responsibility of the
+driver to reject such operations [2].
+
+Therefore, return an error when the state to be set exceeds the maximum
+cooling state supported by the driver.
+
+To avoid dead code, as suggested by the thermal maintainer [3],
+partially revert commit a421ce088ac8 ("mlxsw: core: Extend cooling
+device with cooling levels") that tried to interpret these invalid
+cooling states (above the maximum) in a special way. The cooling levels
+array is not removed in order to prevent the fans going below 20% PWM,
+which would cause them to get stuck at 0% PWM.
+
+[1]
+BUG: KASAN: slab-out-of-bounds in thermal_cooling_device_stats_update+0x271/0x290
+Read of size 4 at addr ffff8881052f7bf8 by task kworker/0:0/5
+
+CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.15.0-rc3-custom-45935-gce1adf704b14 #122
+Hardware name: Mellanox Technologies Ltd. "MSN2410-CB2FO"/"SA000874", BIOS 4.6.5 03/08/2016
+Workqueue: events_freezable_power_ thermal_zone_device_check
+Call Trace:
+ dump_stack_lvl+0x8b/0xb3
+ print_address_description.constprop.0+0x1f/0x140
+ kasan_report.cold+0x7f/0x11b
+ thermal_cooling_device_stats_update+0x271/0x290
+ __thermal_cdev_update+0x15e/0x4e0
+ thermal_cdev_update+0x9f/0xe0
+ step_wise_throttle+0x770/0xee0
+ thermal_zone_device_update+0x3f6/0xdf0
+ process_one_work+0xa42/0x1770
+ worker_thread+0x62f/0x13e0
+ kthread+0x3ee/0x4e0
+ ret_from_fork+0x1f/0x30
+
+Allocated by task 1:
+ kasan_save_stack+0x1b/0x40
+ __kasan_kmalloc+0x7c/0x90
+ thermal_cooling_device_setup_sysfs+0x153/0x2c0
+ __thermal_cooling_device_register.part.0+0x25b/0x9c0
+ thermal_cooling_device_register+0xb3/0x100
+ mlxsw_thermal_init+0x5c5/0x7e0
+ __mlxsw_core_bus_device_register+0xcb3/0x19c0
+ mlxsw_core_bus_device_register+0x56/0xb0
+ mlxsw_pci_probe+0x54f/0x710
+ local_pci_probe+0xc6/0x170
+ pci_device_probe+0x2b2/0x4d0
+ really_probe+0x293/0xd10
+ __driver_probe_device+0x2af/0x440
+ driver_probe_device+0x51/0x1e0
+ __driver_attach+0x21b/0x530
+ bus_for_each_dev+0x14c/0x1d0
+ bus_add_driver+0x3ac/0x650
+ driver_register+0x241/0x3d0
+ mlxsw_sp_module_init+0xa2/0x174
+ do_one_initcall+0xee/0x5f0
+ kernel_init_freeable+0x45a/0x4de
+ kernel_init+0x1f/0x210
+ ret_from_fork+0x1f/0x30
+
+The buggy address belongs to the object at ffff8881052f7800
+ which belongs to the cache kmalloc-1k of size 1024
+The buggy address is located 1016 bytes inside of
+ 1024-byte region [ffff8881052f7800, ffff8881052f7c00)
+The buggy address belongs to the page:
+page:0000000052355272 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1052f0
+head:0000000052355272 order:3 compound_mapcount:0 compound_pincount:0
+flags: 0x200000000010200(slab|head|node=0|zone=2)
+raw: 0200000000010200 ffffea0005034800 0000000300000003 ffff888100041dc0
+raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8881052f7a80: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc
+ ffff8881052f7b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+>ffff8881052f7b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ^
+ ffff8881052f7c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff8881052f7c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+
+[2] https://lore.kernel.org/linux-pm/9aca37cb-1629-5c67-1895-1fdc45c0244e@linaro.org/
+[3] https://lore.kernel.org/linux-pm/af9857f2-578e-de3a-e62b-6baff7e69fd4@linaro.org/
+
+CC: Daniel Lezcano <daniel.lezcano@linaro.org>
+Fixes: a50c1e35650b ("mlxsw: core: Implement thermal zone")
+Fixes: a421ce088ac8 ("mlxsw: core: Extend cooling device with cooling levels")
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Tested-by: Vadim Pasternak <vadimp@nvidia.com>
+Link: https://lore.kernel.org/r/20211012174955.472928-1-idosch@idosch.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/core_thermal.c | 52 ++-------------------
+ 1 file changed, 5 insertions(+), 47 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/core_thermal.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/core_thermal.c
+@@ -24,16 +24,8 @@
+ #define MLXSW_THERMAL_ZONE_MAX_NAME 16
+ #define MLXSW_THERMAL_TEMP_SCORE_MAX GENMASK(31, 0)
+ #define MLXSW_THERMAL_MAX_STATE 10
++#define MLXSW_THERMAL_MIN_STATE 2
+ #define MLXSW_THERMAL_MAX_DUTY 255
+-/* Minimum and maximum fan allowed speed in percent: from 20% to 100%. Values
+- * MLXSW_THERMAL_MAX_STATE + x, where x is between 2 and 10 are used for
+- * setting fan speed dynamic minimum. For example, if value is set to 14 (40%)
+- * cooling levels vector will be set to 4, 4, 4, 4, 4, 5, 6, 7, 8, 9, 10 to
+- * introduce PWM speed in percent: 40, 40, 40, 40, 40, 50, 60. 70, 80, 90, 100.
+- */
+-#define MLXSW_THERMAL_SPEED_MIN (MLXSW_THERMAL_MAX_STATE + 2)
+-#define MLXSW_THERMAL_SPEED_MAX (MLXSW_THERMAL_MAX_STATE * 2)
+-#define MLXSW_THERMAL_SPEED_MIN_LEVEL 2 /* 20% */
+
+ /* External cooling devices, allowed for binding to mlxsw thermal zones. */
+ static char * const mlxsw_thermal_external_allowed_cdev[] = {
+@@ -646,49 +638,16 @@ static int mlxsw_thermal_set_cur_state(s
+ struct mlxsw_thermal *thermal = cdev->devdata;
+ struct device *dev = thermal->bus_info->dev;
+ char mfsc_pl[MLXSW_REG_MFSC_LEN];
+- unsigned long cur_state, i;
+ int idx;
+- u8 duty;
+ int err;
+
++ if (state > MLXSW_THERMAL_MAX_STATE)
++ return -EINVAL;
++
+ idx = mlxsw_get_cooling_device_idx(thermal, cdev);
+ if (idx < 0)
+ return idx;
+
+- /* Verify if this request is for changing allowed fan dynamical
+- * minimum. If it is - update cooling levels accordingly and update
+- * state, if current state is below the newly requested minimum state.
+- * For example, if current state is 5, and minimal state is to be
+- * changed from 4 to 6, thermal->cooling_levels[0 to 5] will be changed
+- * all from 4 to 6. And state 5 (thermal->cooling_levels[4]) should be
+- * overwritten.
+- */
+- if (state >= MLXSW_THERMAL_SPEED_MIN &&
+- state <= MLXSW_THERMAL_SPEED_MAX) {
+- state -= MLXSW_THERMAL_MAX_STATE;
+- for (i = 0; i <= MLXSW_THERMAL_MAX_STATE; i++)
+- thermal->cooling_levels[i] = max(state, i);
+-
+- mlxsw_reg_mfsc_pack(mfsc_pl, idx, 0);
+- err = mlxsw_reg_query(thermal->core, MLXSW_REG(mfsc), mfsc_pl);
+- if (err)
+- return err;
+-
+- duty = mlxsw_reg_mfsc_pwm_duty_cycle_get(mfsc_pl);
+- cur_state = mlxsw_duty_to_state(duty);
+-
+- /* If current fan state is lower than requested dynamical
+- * minimum, increase fan speed up to dynamical minimum.
+- */
+- if (state < cur_state)
+- return 0;
+-
+- state = cur_state;
+- }
+-
+- if (state > MLXSW_THERMAL_MAX_STATE)
+- return -EINVAL;
+-
+ /* Normalize the state to the valid speed range. */
+ state = thermal->cooling_levels[state];
+ mlxsw_reg_mfsc_pack(mfsc_pl, idx, mlxsw_state_to_duty(state));
+@@ -998,8 +957,7 @@ int mlxsw_thermal_init(struct mlxsw_core
+
+ /* Initialize cooling levels per PWM state. */
+ for (i = 0; i < MLXSW_THERMAL_MAX_STATE; i++)
+- thermal->cooling_levels[i] = max(MLXSW_THERMAL_SPEED_MIN_LEVEL,
+- i);
++ thermal->cooling_levels[i] = max(MLXSW_THERMAL_MIN_STATE, i);
+
+ thermal->polling_delay = bus_info->low_frequency ?
+ MLXSW_THERMAL_SLOW_POLL_INT :
--- /dev/null
+From 612f71d7328c14369924384ad2170aae2a6abd92 Mon Sep 17 00:00:00 2001
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Thu, 7 Oct 2021 15:05:00 -0700
+Subject: mptcp: fix possible stall on recvmsg()
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+commit 612f71d7328c14369924384ad2170aae2a6abd92 upstream.
+
+recvmsg() can enter an infinite loop if the caller provides the
+MSG_WAITALL, the data present in the receive queue is not sufficient to
+fulfill the request, and no more data is received by the peer.
+
+When the above happens, mptcp_wait_data() will always return with
+no wait, as the MPTCP_DATA_READY flag checked by such function is
+set and never cleared in such code path.
+
+Leveraging the above syzbot was able to trigger an RCU stall:
+
+rcu: INFO: rcu_preempt self-detected stall on CPU
+rcu: 0-...!: (10499 ticks this GP) idle=0af/1/0x4000000000000000 softirq=10678/10678 fqs=1
+ (t=10500 jiffies g=13089 q=109)
+rcu: rcu_preempt kthread starved for 10497 jiffies! g13089 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x0 ->cpu=1
+rcu: Unless rcu_preempt kthread gets sufficient CPU time, OOM is now expected behavior.
+rcu: RCU grace-period kthread stack dump:
+task:rcu_preempt state:R running task stack:28696 pid: 14 ppid: 2 flags:0x00004000
+Call Trace:
+ context_switch kernel/sched/core.c:4955 [inline]
+ __schedule+0x940/0x26f0 kernel/sched/core.c:6236
+ schedule+0xd3/0x270 kernel/sched/core.c:6315
+ schedule_timeout+0x14a/0x2a0 kernel/time/timer.c:1881
+ rcu_gp_fqs_loop+0x186/0x810 kernel/rcu/tree.c:1955
+ rcu_gp_kthread+0x1de/0x320 kernel/rcu/tree.c:2128
+ kthread+0x405/0x4f0 kernel/kthread.c:327
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
+rcu: Stack dump where RCU GP kthread last ran:
+Sending NMI from CPU 0 to CPUs 1:
+NMI backtrace for cpu 1
+CPU: 1 PID: 8510 Comm: syz-executor827 Not tainted 5.15.0-rc2-next-20210920-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:84 [inline]
+RIP: 0010:memory_is_nonzero mm/kasan/generic.c:102 [inline]
+RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:128 [inline]
+RIP: 0010:memory_is_poisoned mm/kasan/generic.c:159 [inline]
+RIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline]
+RIP: 0010:kasan_check_range+0xc8/0x180 mm/kasan/generic.c:189
+Code: 38 00 74 ed 48 8d 50 08 eb 09 48 83 c0 01 48 39 d0 74 7a 80 38 00 74 f2 48 89 c2 b8 01 00 00 00 48 85 d2 75 56 5b 5d 41 5c c3 <48> 85 d2 74 5e 48 01 ea eb 09 48 83 c0 01 48 39 d0 74 50 80 38 00
+RSP: 0018:ffffc9000cd676c8 EFLAGS: 00000283
+RAX: ffffed100e9a110e RBX: ffffed100e9a110f RCX: ffffffff88ea062a
+RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff888074d08870
+RBP: ffffed100e9a110e R08: 0000000000000001 R09: ffff888074d08877
+R10: ffffed100e9a110e R11: 0000000000000000 R12: ffff888074d08000
+R13: ffff888074d08000 R14: ffff888074d08088 R15: ffff888074d08000
+FS: 0000555556d8e300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
+S: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000020000180 CR3: 0000000068909000 CR4: 00000000001506e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
+ test_and_clear_bit include/asm-generic/bitops/instrumented-atomic.h:83 [inline]
+ mptcp_release_cb+0x14a/0x210 net/mptcp/protocol.c:3016
+ release_sock+0xb4/0x1b0 net/core/sock.c:3204
+ mptcp_wait_data net/mptcp/protocol.c:1770 [inline]
+ mptcp_recvmsg+0xfd1/0x27b0 net/mptcp/protocol.c:2080
+ inet6_recvmsg+0x11b/0x5e0 net/ipv6/af_inet6.c:659
+ sock_recvmsg_nosec net/socket.c:944 [inline]
+ ____sys_recvmsg+0x527/0x600 net/socket.c:2626
+ ___sys_recvmsg+0x127/0x200 net/socket.c:2670
+ do_recvmmsg+0x24d/0x6d0 net/socket.c:2764
+ __sys_recvmmsg net/socket.c:2843 [inline]
+ __do_sys_recvmmsg net/socket.c:2866 [inline]
+ __se_sys_recvmmsg net/socket.c:2859 [inline]
+ __x64_sys_recvmmsg+0x20b/0x260 net/socket.c:2859
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+RIP: 0033:0x7fc200d2dc39
+Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007ffc5758e5a8 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fc200d2dc39
+RDX: 0000000000000002 RSI: 00000000200017c0 RDI: 0000000000000003
+RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000f0b5ff
+R10: 0000000000000100 R11: 0000000000000246 R12: 0000000000000003
+R13: 00007ffc5758e5d0 R14: 00007ffc5758e5c0 R15: 0000000000000003
+
+Fix the issue by replacing the MPTCP_DATA_READY bit with direct
+inspection of the msk receive queue.
+
+Reported-and-tested-by: syzbot+3360da629681aa0d22fe@syzkaller.appspotmail.com
+Fixes: 7a6a6cbc3e59 ("mptcp: recvmsg() can drain data from multiple subflow")
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/protocol.c | 55 +++++++++++++--------------------------------------
+ 1 file changed, 15 insertions(+), 40 deletions(-)
+
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -515,7 +515,6 @@ static bool mptcp_check_data_fin(struct
+
+ sk->sk_shutdown |= RCV_SHUTDOWN;
+ smp_mb__before_atomic(); /* SHUTDOWN must be visible first */
+- set_bit(MPTCP_DATA_READY, &msk->flags);
+
+ switch (sk->sk_state) {
+ case TCP_ESTABLISHED:
+@@ -730,10 +729,9 @@ void mptcp_data_ready(struct sock *sk, s
+
+ /* Wake-up the reader only for in-sequence data */
+ mptcp_data_lock(sk);
+- if (move_skbs_to_msk(msk, ssk)) {
+- set_bit(MPTCP_DATA_READY, &msk->flags);
++ if (move_skbs_to_msk(msk, ssk))
+ sk->sk_data_ready(sk);
+- }
++
+ mptcp_data_unlock(sk);
+ }
+
+@@ -838,7 +836,6 @@ static void mptcp_check_for_eof(struct m
+ sk->sk_shutdown |= RCV_SHUTDOWN;
+
+ smp_mb__before_atomic(); /* SHUTDOWN must be visible first */
+- set_bit(MPTCP_DATA_READY, &msk->flags);
+ sk->sk_data_ready(sk);
+ }
+
+@@ -1701,21 +1698,6 @@ out:
+ return copied ? : ret;
+ }
+
+-static void mptcp_wait_data(struct sock *sk, long *timeo)
+-{
+- DEFINE_WAIT_FUNC(wait, woken_wake_function);
+- struct mptcp_sock *msk = mptcp_sk(sk);
+-
+- add_wait_queue(sk_sleep(sk), &wait);
+- sk_set_bit(SOCKWQ_ASYNC_WAITDATA, sk);
+-
+- sk_wait_event(sk, timeo,
+- test_bit(MPTCP_DATA_READY, &msk->flags), &wait);
+-
+- sk_clear_bit(SOCKWQ_ASYNC_WAITDATA, sk);
+- remove_wait_queue(sk_sleep(sk), &wait);
+-}
+-
+ static int __mptcp_recvmsg_mskq(struct mptcp_sock *msk,
+ struct msghdr *msg,
+ size_t len, int flags,
+@@ -2019,19 +2001,7 @@ static int mptcp_recvmsg(struct sock *sk
+ }
+
+ pr_debug("block timeout %ld", timeo);
+- mptcp_wait_data(sk, &timeo);
+- }
+-
+- if (skb_queue_empty_lockless(&sk->sk_receive_queue) &&
+- skb_queue_empty(&msk->receive_queue)) {
+- /* entire backlog drained, clear DATA_READY. */
+- clear_bit(MPTCP_DATA_READY, &msk->flags);
+-
+- /* .. race-breaker: ssk might have gotten new data
+- * after last __mptcp_move_skbs() returned false.
+- */
+- if (unlikely(__mptcp_move_skbs(msk)))
+- set_bit(MPTCP_DATA_READY, &msk->flags);
++ sk_wait_data(sk, &timeo, NULL);
+ }
+
+ out_err:
+@@ -2040,9 +2010,9 @@ out_err:
+ tcp_recv_timestamp(msg, sk, &tss);
+ }
+
+- pr_debug("msk=%p data_ready=%d rx queue empty=%d copied=%d",
+- msk, test_bit(MPTCP_DATA_READY, &msk->flags),
+- skb_queue_empty_lockless(&sk->sk_receive_queue), copied);
++ pr_debug("msk=%p rx queue empty=%d:%d copied=%d",
++ msk, skb_queue_empty_lockless(&sk->sk_receive_queue),
++ skb_queue_empty(&msk->receive_queue), copied);
+ if (!(flags & MSG_PEEK))
+ mptcp_rcv_space_adjust(msk, copied);
+
+@@ -2255,7 +2225,6 @@ static void mptcp_check_fastclose(struct
+ inet_sk_state_store(sk, TCP_CLOSE);
+ sk->sk_shutdown = SHUTDOWN_MASK;
+ smp_mb__before_atomic(); /* SHUTDOWN must be visible first */
+- set_bit(MPTCP_DATA_READY, &msk->flags);
+ set_bit(MPTCP_WORK_CLOSE_SUBFLOW, &msk->flags);
+
+ mptcp_close_wake_up(sk);
+@@ -3272,8 +3241,14 @@ unlock_fail:
+
+ static __poll_t mptcp_check_readable(struct mptcp_sock *msk)
+ {
+- return test_bit(MPTCP_DATA_READY, &msk->flags) ? EPOLLIN | EPOLLRDNORM :
+- 0;
++ /* Concurrent splices from sk_receive_queue into receive_queue will
++ * always show at least one non-empty queue when checked in this order.
++ */
++ if (skb_queue_empty_lockless(&((struct sock *)msk)->sk_receive_queue) &&
++ skb_queue_empty_lockless(&msk->receive_queue))
++ return 0;
++
++ return EPOLLIN | EPOLLRDNORM;
+ }
+
+ static __poll_t mptcp_check_writeable(struct mptcp_sock *msk)
+@@ -3308,7 +3283,7 @@ static __poll_t mptcp_poll(struct file *
+ state = inet_sk_state_load(sk);
+ pr_debug("msk=%p state=%d flags=%lx", msk, state, msk->flags);
+ if (state == TCP_LISTEN)
+- return mptcp_check_readable(msk);
++ return test_bit(MPTCP_DATA_READY, &msk->flags) ? EPOLLIN | EPOLLRDNORM : 0;
+
+ if (state != TCP_SYN_SENT && state != TCP_SYN_RECV) {
+ mask |= mptcp_check_readable(msk);
--- /dev/null
+From 14132690860e4d06aa3e1c4d7d8e9866ba7756dd Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Date: Thu, 7 Oct 2021 19:49:57 +0200
+Subject: mqprio: Correct stats in mqprio_dump_class_stats().
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+commit 14132690860e4d06aa3e1c4d7d8e9866ba7756dd upstream.
+
+Introduction of lockless subqueues broke the class statistics.
+Before the change stats were accumulated in `bstats' and `qstats'
+on the stack which was then copied to struct gnet_dump.
+
+After the change the `bstats' and `qstats' are initialized to 0
+and never updated, yet still fed to gnet_dump. The code updates
+the global qdisc->cpu_bstats and qdisc->cpu_qstats instead,
+clobbering them. Most likely a copy-paste error from the code in
+mqprio_dump().
+
+__gnet_stats_copy_basic() and __gnet_stats_copy_queue() accumulate
+the values for per-CPU case but for global stats they overwrite
+the value, so only stats from the last loop iteration / tc end up
+in sch->[bq]stats.
+
+Use the on-stack [bq]stats variables again and add the stats manually
+in the global case.
+
+Fixes: ce679e8df7ed2 ("net: sched: add support for TCQ_F_NOLOCK subqueues to sch_mqprio")
+Cc: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+https://lore.kernel.org/all/20211007175000.2334713-2-bigeasy@linutronix.de/
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_mqprio.c | 30 ++++++++++++++++++------------
+ 1 file changed, 18 insertions(+), 12 deletions(-)
+
+--- a/net/sched/sch_mqprio.c
++++ b/net/sched/sch_mqprio.c
+@@ -529,22 +529,28 @@ static int mqprio_dump_class_stats(struc
+ for (i = tc.offset; i < tc.offset + tc.count; i++) {
+ struct netdev_queue *q = netdev_get_tx_queue(dev, i);
+ struct Qdisc *qdisc = rtnl_dereference(q->qdisc);
+- struct gnet_stats_basic_cpu __percpu *cpu_bstats = NULL;
+- struct gnet_stats_queue __percpu *cpu_qstats = NULL;
+
+ spin_lock_bh(qdisc_lock(qdisc));
++
+ if (qdisc_is_percpu_stats(qdisc)) {
+- cpu_bstats = qdisc->cpu_bstats;
+- cpu_qstats = qdisc->cpu_qstats;
+- }
++ qlen = qdisc_qlen_sum(qdisc);
+
+- qlen = qdisc_qlen_sum(qdisc);
+- __gnet_stats_copy_basic(NULL, &sch->bstats,
+- cpu_bstats, &qdisc->bstats);
+- __gnet_stats_copy_queue(&sch->qstats,
+- cpu_qstats,
+- &qdisc->qstats,
+- qlen);
++ __gnet_stats_copy_basic(NULL, &bstats,
++ qdisc->cpu_bstats,
++ &qdisc->bstats);
++ __gnet_stats_copy_queue(&qstats,
++ qdisc->cpu_qstats,
++ &qdisc->qstats,
++ qlen);
++ } else {
++ qlen += qdisc->q.qlen;
++ bstats.bytes += qdisc->bstats.bytes;
++ bstats.packets += qdisc->bstats.packets;
++ qstats.backlog += qdisc->qstats.backlog;
++ qstats.drops += qdisc->qstats.drops;
++ qstats.requeues += qdisc->qstats.requeues;
++ qstats.overlimits += qdisc->qstats.overlimits;
++ }
+ spin_unlock_bh(qdisc_lock(qdisc));
+ }
+
--- /dev/null
+From 8d5f7954b7c8de54902a8beda141064a7e2e6ee0 Mon Sep 17 00:00:00 2001
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+Date: Tue, 12 Oct 2021 14:40:44 +0300
+Subject: net: dsa: felix: break at first CPU port during init and teardown
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+commit 8d5f7954b7c8de54902a8beda141064a7e2e6ee0 upstream.
+
+The NXP LS1028A switch has two Ethernet ports towards the CPU, but only
+one of them is capable of acting as an NPI port at a time (inject and
+extract packets using DSA tags).
+
+However, using the alternative ocelot-8021q tagging protocol, it should
+be possible to use both CPU ports symmetrically, but for that we need to
+mark both ports in the device tree as DSA masters.
+
+In the process of doing that, it can be seen that traffic to/from the
+network stack gets broken, and this is because the Felix driver iterates
+through all DSA CPU ports and configures them as NPI ports. But since
+there can only be a single NPI port, we effectively end up in a
+situation where DSA thinks the default CPU port is the first one, but
+the hardware port configured to be an NPI is the last one.
+
+I would like to treat this as a bug, because if the updated device trees
+are going to start circulating, it would be really good for existing
+kernels to support them, too.
+
+Fixes: adb3dccf090b ("net: dsa: felix: convert to the new .change_tag_protocol DSA API")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/ocelot/felix.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/dsa/ocelot/felix.c
++++ b/drivers/net/dsa/ocelot/felix.c
+@@ -271,12 +271,12 @@ static void felix_8021q_cpu_port_deinit(
+ */
+ static int felix_setup_mmio_filtering(struct felix *felix)
+ {
+- unsigned long user_ports = 0, cpu_ports = 0;
++ unsigned long user_ports = dsa_user_ports(felix->ds);
+ struct ocelot_vcap_filter *redirect_rule;
+ struct ocelot_vcap_filter *tagging_rule;
+ struct ocelot *ocelot = &felix->ocelot;
+ struct dsa_switch *ds = felix->ds;
+- int port, ret;
++ int cpu = -1, port, ret;
+
+ tagging_rule = kzalloc(sizeof(struct ocelot_vcap_filter), GFP_KERNEL);
+ if (!tagging_rule)
+@@ -289,12 +289,15 @@ static int felix_setup_mmio_filtering(st
+ }
+
+ for (port = 0; port < ocelot->num_phys_ports; port++) {
+- if (dsa_is_user_port(ds, port))
+- user_ports |= BIT(port);
+- if (dsa_is_cpu_port(ds, port))
+- cpu_ports |= BIT(port);
++ if (dsa_is_cpu_port(ds, port)) {
++ cpu = port;
++ break;
++ }
+ }
+
++ if (cpu < 0)
++ return -EINVAL;
++
+ tagging_rule->key_type = OCELOT_VCAP_KEY_ETYPE;
+ *(__be16 *)tagging_rule->key.etype.etype.value = htons(ETH_P_1588);
+ *(__be16 *)tagging_rule->key.etype.etype.mask = htons(0xffff);
+@@ -330,7 +333,7 @@ static int felix_setup_mmio_filtering(st
+ * the CPU port module
+ */
+ redirect_rule->action.mask_mode = OCELOT_MASK_MODE_REDIRECT;
+- redirect_rule->action.port_mask = cpu_ports;
++ redirect_rule->action.port_mask = BIT(cpu);
+ } else {
+ /* Trap PTP packets only to the CPU port module (which is
+ * redirected to the NPI port)
+@@ -1241,6 +1244,7 @@ static int felix_setup(struct dsa_switch
+ * there's no real point in checking for errors.
+ */
+ felix_set_tag_protocol(ds, port, felix->tag_proto);
++ break;
+ }
+
+ ds->mtu_enforcement_ingress = true;
+@@ -1277,6 +1281,7 @@ static void felix_teardown(struct dsa_sw
+ continue;
+
+ felix_del_tag_protocol(ds, port, felix->tag_proto);
++ break;
+ }
+
+ ocelot_devlink_sb_unregister(ocelot);
--- /dev/null
+From 52849bcf0029ccc553be304e4f804938a39112e2 Mon Sep 17 00:00:00 2001
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+Date: Tue, 12 Oct 2021 14:40:36 +0300
+Subject: net: mscc: ocelot: avoid overflowing the PTP timestamp FIFO
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+commit 52849bcf0029ccc553be304e4f804938a39112e2 upstream.
+
+PTP packets with 2-step TX timestamp requests are matched to packets
+based on the egress port number and a 6-bit timestamp identifier.
+All PTP timestamps are held in a common FIFO that is 128 entry deep.
+
+This patch ensures that back-to-back timestamping requests cannot exceed
+the hardware FIFO capacity. If that happens, simply send the packets
+without requesting a TX timestamp to be taken (in the case of felix,
+since the DSA API has a void return code in ds->ops->port_txtstamp) or
+drop them (in the case of ocelot).
+
+I've moved the ts_id_lock from a per-port basis to a per-switch basis,
+because we need separate accounting for both numbers of PTP frames in
+flight. And since we need locking to inc/dec the per-switch counter,
+that also offers protection for the per-port counter and hence there is
+no reason to have a per-port counter anymore.
+
+Fixes: 4e3b0468e6d7 ("net: mscc: PTP Hardware Clock (PHC) support")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/ocelot/felix.c | 6 +++++-
+ drivers/net/ethernet/mscc/ocelot.c | 37 ++++++++++++++++++++++++++++++-------
+ include/soc/mscc/ocelot.h | 5 ++++-
+ include/soc/mscc/ocelot_ptp.h | 1 +
+ 4 files changed, 40 insertions(+), 9 deletions(-)
+
+--- a/drivers/net/dsa/ocelot/felix.c
++++ b/drivers/net/dsa/ocelot/felix.c
+@@ -1406,8 +1406,12 @@ static void felix_txtstamp(struct dsa_sw
+ if (!ocelot->ptp)
+ return;
+
+- if (ocelot_port_txtstamp_request(ocelot, port, skb, &clone))
++ if (ocelot_port_txtstamp_request(ocelot, port, skb, &clone)) {
++ dev_err_ratelimited(ds->dev,
++ "port %d delivering skb without TX timestamp\n",
++ port);
+ return;
++ }
+
+ if (clone)
+ OCELOT_SKB_CB(skb)->clone = clone;
+--- a/drivers/net/ethernet/mscc/ocelot.c
++++ b/drivers/net/ethernet/mscc/ocelot.c
+@@ -536,22 +536,36 @@ void ocelot_port_disable(struct ocelot *
+ }
+ EXPORT_SYMBOL(ocelot_port_disable);
+
+-static void ocelot_port_add_txtstamp_skb(struct ocelot *ocelot, int port,
+- struct sk_buff *clone)
++static int ocelot_port_add_txtstamp_skb(struct ocelot *ocelot, int port,
++ struct sk_buff *clone)
+ {
+ struct ocelot_port *ocelot_port = ocelot->ports[port];
++ unsigned long flags;
++
++ spin_lock_irqsave(&ocelot->ts_id_lock, flags);
+
+- spin_lock(&ocelot_port->ts_id_lock);
++ if (ocelot_port->ptp_skbs_in_flight == OCELOT_MAX_PTP_ID ||
++ ocelot->ptp_skbs_in_flight == OCELOT_PTP_FIFO_SIZE) {
++ spin_unlock_irqrestore(&ocelot->ts_id_lock, flags);
++ return -EBUSY;
++ }
+
+ skb_shinfo(clone)->tx_flags |= SKBTX_IN_PROGRESS;
+ /* Store timestamp ID in OCELOT_SKB_CB(clone)->ts_id */
+ OCELOT_SKB_CB(clone)->ts_id = ocelot_port->ts_id;
++
+ ocelot_port->ts_id++;
+ if (ocelot_port->ts_id == OCELOT_MAX_PTP_ID)
+ ocelot_port->ts_id = 0;
++
++ ocelot_port->ptp_skbs_in_flight++;
++ ocelot->ptp_skbs_in_flight++;
++
+ skb_queue_tail(&ocelot_port->tx_skbs, clone);
+
+- spin_unlock(&ocelot_port->ts_id_lock);
++ spin_unlock_irqrestore(&ocelot->ts_id_lock, flags);
++
++ return 0;
+ }
+
+ u32 ocelot_ptp_rew_op(struct sk_buff *skb)
+@@ -600,6 +614,7 @@ int ocelot_port_txtstamp_request(struct
+ {
+ struct ocelot_port *ocelot_port = ocelot->ports[port];
+ u8 ptp_cmd = ocelot_port->ptp_cmd;
++ int err;
+
+ /* Store ptp_cmd in OCELOT_SKB_CB(skb)->ptp_cmd */
+ if (ptp_cmd == IFH_REW_OP_ORIGIN_PTP) {
+@@ -617,7 +632,10 @@ int ocelot_port_txtstamp_request(struct
+ if (!(*clone))
+ return -ENOMEM;
+
+- ocelot_port_add_txtstamp_skb(ocelot, port, *clone);
++ err = ocelot_port_add_txtstamp_skb(ocelot, port, *clone);
++ if (err)
++ return err;
++
+ OCELOT_SKB_CB(skb)->ptp_cmd = ptp_cmd;
+ }
+
+@@ -676,9 +694,14 @@ void ocelot_get_txtstamp(struct ocelot *
+ id = SYS_PTP_STATUS_PTP_MESS_ID_X(val);
+ txport = SYS_PTP_STATUS_PTP_MESS_TXPORT_X(val);
+
+- /* Retrieve its associated skb */
+ port = ocelot->ports[txport];
+
++ spin_lock(&ocelot->ts_id_lock);
++ port->ptp_skbs_in_flight--;
++ ocelot->ptp_skbs_in_flight--;
++ spin_unlock(&ocelot->ts_id_lock);
++
++ /* Retrieve its associated skb */
+ spin_lock_irqsave(&port->tx_skbs.lock, flags);
+
+ skb_queue_walk_safe(&port->tx_skbs, skb, skb_tmp) {
+@@ -1917,7 +1940,6 @@ void ocelot_init_port(struct ocelot *oce
+ struct ocelot_port *ocelot_port = ocelot->ports[port];
+
+ skb_queue_head_init(&ocelot_port->tx_skbs);
+- spin_lock_init(&ocelot_port->ts_id_lock);
+
+ /* Basic L2 initialization */
+
+@@ -2041,6 +2063,7 @@ int ocelot_init(struct ocelot *ocelot)
+ mutex_init(&ocelot->stats_lock);
+ mutex_init(&ocelot->ptp_lock);
+ spin_lock_init(&ocelot->ptp_clock_lock);
++ spin_lock_init(&ocelot->ts_id_lock);
+ snprintf(queue_name, sizeof(queue_name), "%s-stats",
+ dev_name(ocelot->dev));
+ ocelot->stats_queue = create_singlethread_workqueue(queue_name);
+--- a/include/soc/mscc/ocelot.h
++++ b/include/soc/mscc/ocelot.h
+@@ -600,10 +600,10 @@ struct ocelot_port {
+ /* The VLAN ID that will be transmitted as untagged, on egress */
+ struct ocelot_vlan native_vlan;
+
++ unsigned int ptp_skbs_in_flight;
+ u8 ptp_cmd;
+ struct sk_buff_head tx_skbs;
+ u8 ts_id;
+- spinlock_t ts_id_lock;
+
+ phy_interface_t phy_mode;
+
+@@ -677,6 +677,9 @@ struct ocelot {
+ struct ptp_clock *ptp_clock;
+ struct ptp_clock_info ptp_info;
+ struct hwtstamp_config hwtstamp_config;
++ unsigned int ptp_skbs_in_flight;
++ /* Protects the 2-step TX timestamp ID logic */
++ spinlock_t ts_id_lock;
+ /* Protects the PTP interface state */
+ struct mutex ptp_lock;
+ /* Protects the PTP clock */
+--- a/include/soc/mscc/ocelot_ptp.h
++++ b/include/soc/mscc/ocelot_ptp.h
+@@ -14,6 +14,7 @@
+ #include <soc/mscc/ocelot.h>
+
+ #define OCELOT_MAX_PTP_ID 63
++#define OCELOT_PTP_FIFO_SIZE 128
+
+ #define PTP_PIN_CFG_RSZ 0x20
+ #define PTP_PIN_TOD_SEC_MSB_RSZ PTP_PIN_CFG_RSZ
--- /dev/null
+From ebb4c6a990f786d7e0e4618a0d3766cd660125d8 Mon Sep 17 00:00:00 2001
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+Date: Tue, 12 Oct 2021 14:40:39 +0300
+Subject: net: mscc: ocelot: cross-check the sequence id from the timestamp FIFO with the skb PTP header
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+commit ebb4c6a990f786d7e0e4618a0d3766cd660125d8 upstream.
+
+The sad reality is that when a PTP frame with a TX timestamping request
+is transmitted, it isn't guaranteed that it will make it all the way to
+the wire (due to congestion inside the switch), and that a timestamp
+will be taken by the hardware and placed in the timestamp FIFO where an
+IRQ will be raised for it.
+
+The implication is that if enough PTP frames are silently dropped by the
+hardware such that the timestamp ID has rolled over, it is possible to
+match a timestamp to an old skb.
+
+Furthermore, nobody will match on the real skb corresponding to this
+timestamp, since we stupidly matched on a previous one that was stale in
+the queue, and stopped there.
+
+So PTP timestamping will be broken and there will be no way to recover.
+
+It looks like the hardware parses the sequenceID from the PTP header,
+and also provides that metadata for each timestamp. The driver currently
+ignores this, but it shouldn't.
+
+As an extra resiliency measure, do the following:
+
+- check whether the PTP sequenceID also matches between the skb and the
+ timestamp, treat the skb as stale otherwise and free it
+
+- if we see a stale skb, don't stop there and try to match an skb one
+ more time, chances are there's one more skb in the queue with the same
+ timestamp ID, otherwise we wouldn't have ever found the stale one (it
+ is by timestamp ID that we matched it).
+
+While this does not prevent PTP packet drops, it at least prevents
+the catastrophic consequences of incorrect timestamp matching.
+
+Since we already call ptp_classify_raw in the TX path, save the result
+in the skb->cb of the clone, and just use that result in the interrupt
+code path.
+
+Fixes: 4e3b0468e6d7 ("net: mscc: PTP Hardware Clock (PHC) support")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mscc/ocelot.c | 24 +++++++++++++++++++++++-
+ include/soc/mscc/ocelot.h | 1 +
+ 2 files changed, 24 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mscc/ocelot.c
++++ b/drivers/net/ethernet/mscc/ocelot.c
+@@ -642,6 +642,7 @@ int ocelot_port_txtstamp_request(struct
+ return err;
+
+ OCELOT_SKB_CB(skb)->ptp_cmd = ptp_cmd;
++ OCELOT_SKB_CB(*clone)->ptp_class = ptp_class;
+ }
+
+ return 0;
+@@ -675,6 +676,17 @@ static void ocelot_get_hwtimestamp(struc
+ spin_unlock_irqrestore(&ocelot->ptp_clock_lock, flags);
+ }
+
++static bool ocelot_validate_ptp_skb(struct sk_buff *clone, u16 seqid)
++{
++ struct ptp_header *hdr;
++
++ hdr = ptp_parse_header(clone, OCELOT_SKB_CB(clone)->ptp_class);
++ if (WARN_ON(!hdr))
++ return false;
++
++ return seqid == ntohs(hdr->sequence_id);
++}
++
+ void ocelot_get_txtstamp(struct ocelot *ocelot)
+ {
+ int budget = OCELOT_PTP_QUEUE_SZ;
+@@ -682,10 +694,10 @@ void ocelot_get_txtstamp(struct ocelot *
+ while (budget--) {
+ struct sk_buff *skb, *skb_tmp, *skb_match = NULL;
+ struct skb_shared_hwtstamps shhwtstamps;
++ u32 val, id, seqid, txport;
+ struct ocelot_port *port;
+ struct timespec64 ts;
+ unsigned long flags;
+- u32 val, id, txport;
+
+ val = ocelot_read(ocelot, SYS_PTP_STATUS);
+
+@@ -698,6 +710,7 @@ void ocelot_get_txtstamp(struct ocelot *
+ /* Retrieve the ts ID and Tx port */
+ id = SYS_PTP_STATUS_PTP_MESS_ID_X(val);
+ txport = SYS_PTP_STATUS_PTP_MESS_TXPORT_X(val);
++ seqid = SYS_PTP_STATUS_PTP_MESS_SEQ_ID(val);
+
+ port = ocelot->ports[txport];
+
+@@ -707,6 +720,7 @@ void ocelot_get_txtstamp(struct ocelot *
+ spin_unlock(&ocelot->ts_id_lock);
+
+ /* Retrieve its associated skb */
++try_again:
+ spin_lock_irqsave(&port->tx_skbs.lock, flags);
+
+ skb_queue_walk_safe(&port->tx_skbs, skb, skb_tmp) {
+@@ -722,6 +736,14 @@ void ocelot_get_txtstamp(struct ocelot *
+ if (WARN_ON(!skb_match))
+ continue;
+
++ if (!ocelot_validate_ptp_skb(skb_match, seqid)) {
++ dev_err_ratelimited(ocelot->dev,
++ "port %d received stale TX timestamp for seqid %d, discarding\n",
++ txport, seqid);
++ dev_kfree_skb_any(skb);
++ goto try_again;
++ }
++
+ /* Get the h/w timestamp */
+ ocelot_get_hwtimestamp(ocelot, &ts);
+
+--- a/include/soc/mscc/ocelot.h
++++ b/include/soc/mscc/ocelot.h
+@@ -694,6 +694,7 @@ struct ocelot_policer {
+
+ struct ocelot_skb_cb {
+ struct sk_buff *clone;
++ unsigned int ptp_class; /* valid only for clones */
+ u8 ptp_cmd;
+ u8 ts_id;
+ };
--- /dev/null
+From fba01283d85a09e0e2ef552c6e764b903111d90a Mon Sep 17 00:00:00 2001
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+Date: Tue, 12 Oct 2021 14:40:38 +0300
+Subject: net: mscc: ocelot: deny TX timestamping of non-PTP packets
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+commit fba01283d85a09e0e2ef552c6e764b903111d90a upstream.
+
+It appears that Ocelot switches cannot timestamp non-PTP frames,
+I tested this using the isochron program at:
+https://github.com/vladimiroltean/tsn-scripts
+
+with the result that the driver increments the ocelot_port->ts_id
+counter as expected, puts it in the REW_OP, but the hardware seems to
+not timestamp these packets at all, since no IRQ is emitted.
+
+Therefore check whether we are sending PTP frames, and refuse to
+populate REW_OP otherwise.
+
+Fixes: 4e3b0468e6d7 ("net: mscc: PTP Hardware Clock (PHC) support")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mscc/ocelot.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/ethernet/mscc/ocelot.c
++++ b/drivers/net/ethernet/mscc/ocelot.c
+@@ -585,16 +585,12 @@ u32 ocelot_ptp_rew_op(struct sk_buff *sk
+ }
+ EXPORT_SYMBOL(ocelot_ptp_rew_op);
+
+-static bool ocelot_ptp_is_onestep_sync(struct sk_buff *skb)
++static bool ocelot_ptp_is_onestep_sync(struct sk_buff *skb,
++ unsigned int ptp_class)
+ {
+ struct ptp_header *hdr;
+- unsigned int ptp_class;
+ u8 msgtype, twostep;
+
+- ptp_class = ptp_classify_raw(skb);
+- if (ptp_class == PTP_CLASS_NONE)
+- return false;
+-
+ hdr = ptp_parse_header(skb, ptp_class);
+ if (!hdr)
+ return false;
+@@ -614,11 +610,20 @@ int ocelot_port_txtstamp_request(struct
+ {
+ struct ocelot_port *ocelot_port = ocelot->ports[port];
+ u8 ptp_cmd = ocelot_port->ptp_cmd;
++ unsigned int ptp_class;
+ int err;
+
++ /* Don't do anything if PTP timestamping not enabled */
++ if (!ptp_cmd)
++ return 0;
++
++ ptp_class = ptp_classify_raw(skb);
++ if (ptp_class == PTP_CLASS_NONE)
++ return -EINVAL;
++
+ /* Store ptp_cmd in OCELOT_SKB_CB(skb)->ptp_cmd */
+ if (ptp_cmd == IFH_REW_OP_ORIGIN_PTP) {
+- if (ocelot_ptp_is_onestep_sync(skb)) {
++ if (ocelot_ptp_is_onestep_sync(skb, ptp_class)) {
+ OCELOT_SKB_CB(skb)->ptp_cmd = ptp_cmd;
+ return 0;
+ }
--- /dev/null
+From c57fe0037a4e3863d9b740f8c14df9c51ac31aa1 Mon Sep 17 00:00:00 2001
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+Date: Tue, 12 Oct 2021 14:40:35 +0300
+Subject: net: mscc: ocelot: make use of all 63 PTP timestamp identifiers
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+commit c57fe0037a4e3863d9b740f8c14df9c51ac31aa1 upstream.
+
+At present, there is a problem when user space bombards a port with PTP
+event frames which have TX timestamping requests (or when a tc-taprio
+offload is installed on a port, which delays the TX timestamps by a
+significant amount of time). The driver will happily roll over the 2-bit
+timestamp ID and this will cause incorrect matches between an skb and
+the TX timestamp collected from the FIFO.
+
+The Ocelot switches have a 6-bit PTP timestamp identifier, and the value
+63 is reserved, so that leaves identifiers 0-62 to be used.
+
+The timestamp identifiers are selected by the REW_OP packet field, and
+are actually shared between CPU-injected frames and frames which match a
+VCAP IS2 rule that modifies the REW_OP. The hardware supports
+partitioning between the two uses of the REW_OP field through the
+PTP_ID_LOW and PTP_ID_HIGH registers, and by default reserves the PTP
+IDs 0-3 for CPU-injected traffic and the rest for VCAP IS2.
+
+The driver does not use VCAP IS2 to set REW_OP for 2-step timestamping,
+and it also writes 0xffffffff to both PTP_ID_HIGH and PTP_ID_LOW in
+ocelot_init_timestamp() which makes all timestamp identifiers available
+to CPU injection.
+
+Therefore, we can make use of all 63 timestamp identifiers, which should
+allow more timestampable packets to be in flight on each port. This is
+only part of the solution, more issues will be addressed in future changes.
+
+Fixes: 4e3b0468e6d7 ("net: mscc: PTP Hardware Clock (PHC) support")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mscc/ocelot.c | 4 +++-
+ include/soc/mscc/ocelot_ptp.h | 2 ++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mscc/ocelot.c
++++ b/drivers/net/ethernet/mscc/ocelot.c
+@@ -546,7 +546,9 @@ static void ocelot_port_add_txtstamp_skb
+ skb_shinfo(clone)->tx_flags |= SKBTX_IN_PROGRESS;
+ /* Store timestamp ID in OCELOT_SKB_CB(clone)->ts_id */
+ OCELOT_SKB_CB(clone)->ts_id = ocelot_port->ts_id;
+- ocelot_port->ts_id = (ocelot_port->ts_id + 1) % 4;
++ ocelot_port->ts_id++;
++ if (ocelot_port->ts_id == OCELOT_MAX_PTP_ID)
++ ocelot_port->ts_id = 0;
+ skb_queue_tail(&ocelot_port->tx_skbs, clone);
+
+ spin_unlock(&ocelot_port->ts_id_lock);
+--- a/include/soc/mscc/ocelot_ptp.h
++++ b/include/soc/mscc/ocelot_ptp.h
+@@ -13,6 +13,8 @@
+ #include <linux/ptp_clock_kernel.h>
+ #include <soc/mscc/ocelot.h>
+
++#define OCELOT_MAX_PTP_ID 63
++
+ #define PTP_PIN_CFG_RSZ 0x20
+ #define PTP_PIN_TOD_SEC_MSB_RSZ PTP_PIN_CFG_RSZ
+ #define PTP_PIN_TOD_SEC_LSB_RSZ PTP_PIN_CFG_RSZ
--- /dev/null
+From 9fde506e0c53b8309f69b18b4b8144c544b4b3b1 Mon Sep 17 00:00:00 2001
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+Date: Tue, 12 Oct 2021 14:40:37 +0300
+Subject: net: mscc: ocelot: warn when a PTP IRQ is raised for an unknown skb
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+commit 9fde506e0c53b8309f69b18b4b8144c544b4b3b1 upstream.
+
+When skb_match is NULL, it means we received a PTP IRQ for a timestamp
+ID that the kernel has no idea about, since there is no skb in the
+timestamping queue with that timestamp ID.
+
+This is a grave error and not something to just "continue" over.
+So print a big warning in case this happens.
+
+Also, move the check above ocelot_get_hwtimestamp(), there is no point
+in reading the full 64-bit current PTP time if we're not going to do
+anything with it anyway for this skb.
+
+Fixes: 4e3b0468e6d7 ("net: mscc: PTP Hardware Clock (PHC) support")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mscc/ocelot.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/mscc/ocelot.c
++++ b/drivers/net/ethernet/mscc/ocelot.c
+@@ -714,12 +714,12 @@ void ocelot_get_txtstamp(struct ocelot *
+
+ spin_unlock_irqrestore(&port->tx_skbs.lock, flags);
+
++ if (WARN_ON(!skb_match))
++ continue;
++
+ /* Get the h/w timestamp */
+ ocelot_get_hwtimestamp(ocelot, &ts);
+
+- if (unlikely(!skb_match))
+- continue;
+-
+ /* Set the timestamp into the skb */
+ memset(&shhwtstamps, 0, sizeof(shhwtstamps));
+ shhwtstamps.hwtstamp = ktime_set(ts.tv_sec, ts.tv_nsec);
--- /dev/null
+From 291c932fc3692e4d211a445ba8aa35663831bac7 Mon Sep 17 00:00:00 2001
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+Date: Wed, 13 Oct 2021 15:50:32 +0800
+Subject: NFC: digital: fix possible memory leak in digital_in_send_sdd_req()
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+commit 291c932fc3692e4d211a445ba8aa35663831bac7 upstream.
+
+'skb' is allocated in digital_in_send_sdd_req(), but not free when
+digital_in_send_cmd() failed, which will cause memory leak. Fix it
+by freeing 'skb' if digital_in_send_cmd() return failed.
+
+Fixes: 2c66daecc409 ("NFC Digital: Add NFC-A technology support")
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/digital_technology.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/nfc/digital_technology.c
++++ b/net/nfc/digital_technology.c
+@@ -465,8 +465,12 @@ static int digital_in_send_sdd_req(struc
+ skb_put_u8(skb, sel_cmd);
+ skb_put_u8(skb, DIGITAL_SDD_REQ_SEL_PAR);
+
+- return digital_in_send_cmd(ddev, skb, 30, digital_in_recv_sdd_res,
+- target);
++ rc = digital_in_send_cmd(ddev, skb, 30, digital_in_recv_sdd_res,
++ target);
++ if (rc)
++ kfree_skb(skb);
++
++ return rc;
+ }
+
+ static void digital_in_recv_sens_res(struct nfc_digital_dev *ddev, void *arg,
--- /dev/null
+From 58e7dcc9ca29c14e44267a4d0ea61e3229124907 Mon Sep 17 00:00:00 2001
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+Date: Wed, 13 Oct 2021 15:50:12 +0800
+Subject: NFC: digital: fix possible memory leak in digital_tg_listen_mdaa()
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+commit 58e7dcc9ca29c14e44267a4d0ea61e3229124907 upstream.
+
+'params' is allocated in digital_tg_listen_mdaa(), but not free when
+digital_send_cmd() failed, which will cause memory leak. Fix it by
+freeing 'params' if digital_send_cmd() return failed.
+
+Fixes: 1c7a4c24fbfd ("NFC Digital: Add target NFC-DEP support")
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/digital_core.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/net/nfc/digital_core.c
++++ b/net/nfc/digital_core.c
+@@ -277,6 +277,7 @@ int digital_tg_configure_hw(struct nfc_d
+ static int digital_tg_listen_mdaa(struct nfc_digital_dev *ddev, u8 rf_tech)
+ {
+ struct digital_tg_mdaa_params *params;
++ int rc;
+
+ params = kzalloc(sizeof(*params), GFP_KERNEL);
+ if (!params)
+@@ -291,8 +292,12 @@ static int digital_tg_listen_mdaa(struct
+ get_random_bytes(params->nfcid2 + 2, NFC_NFCID2_MAXSIZE - 2);
+ params->sc = DIGITAL_SENSF_FELICA_SC;
+
+- return digital_send_cmd(ddev, DIGITAL_CMD_TG_LISTEN_MDAA, NULL, params,
+- 500, digital_tg_recv_atr_req, NULL);
++ rc = digital_send_cmd(ddev, DIGITAL_CMD_TG_LISTEN_MDAA, NULL, params,
++ 500, digital_tg_recv_atr_req, NULL);
++ if (rc)
++ kfree(params);
++
++ return rc;
+ }
+
+ static int digital_tg_listen_md(struct nfc_digital_dev *ddev, u8 rf_tech)
--- /dev/null
+From 0911ab31896f0e908540746414a77dd63912748d Mon Sep 17 00:00:00 2001
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+Date: Wed, 13 Oct 2021 11:49:32 +0800
+Subject: nfc: fix error handling of nfc_proto_register()
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+commit 0911ab31896f0e908540746414a77dd63912748d upstream.
+
+When nfc proto id is using, nfc_proto_register() return -EBUSY error
+code, but forgot to unregister proto. Fix it by adding proto_unregister()
+in the error handling case.
+
+Fixes: c7fe3b52c128 ("NFC: add NFC socket family")
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Link: https://lore.kernel.org/r/20211013034932.2833737-1-william.xuanziyang@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/af_nfc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/nfc/af_nfc.c
++++ b/net/nfc/af_nfc.c
+@@ -60,6 +60,9 @@ int nfc_proto_register(const struct nfc_
+ proto_tab[nfc_proto->id] = nfc_proto;
+ write_unlock(&proto_tab_lock);
+
++ if (rc)
++ proto_unregister(nfc_proto->proto);
++
+ return rc;
+ }
+ EXPORT_SYMBOL(nfc_proto_register);
--- /dev/null
+From 60d950f443a52d950126ad664fbd4a1eb8353dc9 Mon Sep 17 00:00:00 2001
+From: Baowen Zheng <baowen.zheng@corigine.com>
+Date: Tue, 12 Oct 2021 14:48:50 +0200
+Subject: nfp: flow_offload: move flow_indr_dev_register from app init to app start
+
+From: Baowen Zheng <baowen.zheng@corigine.com>
+
+commit 60d950f443a52d950126ad664fbd4a1eb8353dc9 upstream.
+
+In commit 74fc4f828769 ("net: Fix offloading indirect devices dependency
+on qdisc order creation"), it adds a process to trigger the callback to
+setup the bo callback when the driver regists a callback.
+
+In our current implement, we are not ready to run the callback when nfp
+call the function flow_indr_dev_register, then there will be error
+message as:
+
+kernel: Oops: 0000 [#1] SMP PTI
+kernel: CPU: 0 PID: 14119 Comm: kworker/0:0 Tainted: G
+kernel: Workqueue: events work_for_cpu_fn
+kernel: RIP: 0010:nfp_flower_indr_setup_tc_cb+0x258/0x410
+kernel: RSP: 0018:ffffbc1e02c57bf8 EFLAGS: 00010286
+kernel: RAX: 0000000000000000 RBX: ffff9c761fabc000 RCX: 0000000000000001
+kernel: RDX: 0000000000000001 RSI: fffffffffffffff0 RDI: ffffffffc0be9ef1
+kernel: RBP: ffffbc1e02c57c58 R08: ffffffffc08f33aa R09: ffff9c6db7478800
+kernel: R10: 0000009c003f6e00 R11: ffffbc1e02800000 R12: ffffbc1e000d9000
+kernel: R13: ffffbc1e000db428 R14: ffff9c6db7478800 R15: ffff9c761e884e80
+kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+kernel: CR2: fffffffffffffff0 CR3: 00000009e260a004 CR4: 00000000007706f0
+kernel: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+kernel: DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+kernel: PKRU: 55555554
+kernel: Call Trace:
+kernel: ? flow_indr_dev_register+0xab/0x210
+kernel: ? __cond_resched+0x15/0x30
+kernel: ? kmem_cache_alloc_trace+0x44/0x4b0
+kernel: ? nfp_flower_setup_tc+0x1d0/0x1d0 [nfp]
+kernel: flow_indr_dev_register+0x158/0x210
+kernel: ? tcf_block_unbind+0xe0/0xe0
+kernel: nfp_flower_init+0x40b/0x650 [nfp]
+kernel: nfp_net_pci_probe+0x25f/0x960 [nfp]
+kernel: ? nfp_rtsym_read_le+0x76/0x130 [nfp]
+kernel: nfp_pci_probe+0x6a9/0x820 [nfp]
+kernel: local_pci_probe+0x45/0x80
+
+So we need to call flow_indr_dev_register in app start process instead of
+init stage.
+
+Fixes: 74fc4f828769 ("net: Fix offloading indirect devices dependency on qdisc order creation")
+Signed-off-by: Baowen Zheng <baowen.zheng@corigine.com>
+Signed-off-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: Louis Peens <louis.peens@corigine.com>
+Link: https://lore.kernel.org/r/20211012124850.13025-1-louis.peens@corigine.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/netronome/nfp/flower/main.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/ethernet/netronome/nfp/flower/main.c
++++ b/drivers/net/ethernet/netronome/nfp/flower/main.c
+@@ -830,10 +830,6 @@ static int nfp_flower_init(struct nfp_ap
+ if (err)
+ goto err_cleanup;
+
+- err = flow_indr_dev_register(nfp_flower_indr_setup_tc_cb, app);
+- if (err)
+- goto err_cleanup;
+-
+ if (app_priv->flower_ext_feats & NFP_FL_FEATS_VF_RLIM)
+ nfp_flower_qos_init(app);
+
+@@ -942,7 +938,20 @@ static int nfp_flower_start(struct nfp_a
+ return err;
+ }
+
+- return nfp_tunnel_config_start(app);
++ err = flow_indr_dev_register(nfp_flower_indr_setup_tc_cb, app);
++ if (err)
++ return err;
++
++ err = nfp_tunnel_config_start(app);
++ if (err)
++ goto err_tunnel_config;
++
++ return 0;
++
++err_tunnel_config:
++ flow_indr_dev_unregister(nfp_flower_indr_setup_tc_cb, app,
++ nfp_flower_setup_indr_tc_release);
++ return err;
+ }
+
+ static void nfp_flower_stop(struct nfp_app *app)
--- /dev/null
+From 013923477cb311293df9079332cf8b806ed0e6f2 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 6 Oct 2021 10:34:19 +0300
+Subject: pata_legacy: fix a couple uninitialized variable bugs
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 013923477cb311293df9079332cf8b806ed0e6f2 upstream.
+
+The last byte of "pad" is used without being initialized.
+
+Fixes: 55dba3120fbc ("libata: update ->data_xfer hook for ATAPI")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Damien Le Moal <damien.lemoal@wdc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/pata_legacy.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/ata/pata_legacy.c
++++ b/drivers/ata/pata_legacy.c
+@@ -352,7 +352,8 @@ static unsigned int pdc_data_xfer_vlb(st
+ iowrite32_rep(ap->ioaddr.data_addr, buf, buflen >> 2);
+
+ if (unlikely(slop)) {
+- __le32 pad;
++ __le32 pad = 0;
++
+ if (rw == READ) {
+ pad = cpu_to_le32(ioread32(ap->ioaddr.data_addr));
+ memcpy(buf + buflen - slop, &pad, slop);
+@@ -742,7 +743,8 @@ static unsigned int vlb32_data_xfer(stru
+ ioread32_rep(ap->ioaddr.data_addr, buf, buflen >> 2);
+
+ if (unlikely(slop)) {
+- __le32 pad;
++ __le32 pad = 0;
++
+ if (rw == WRITE) {
+ memcpy(&pad, buf + buflen - slop, slop);
+ iowrite32(le32_to_cpu(pad), ap->ioaddr.data_addr);
--- /dev/null
+From 9b024201693e397441668cca0d2df7055fe572eb Mon Sep 17 00:00:00 2001
+From: Vadim Pasternak <vadimp@nvidia.com>
+Date: Mon, 27 Sep 2021 17:22:13 +0300
+Subject: platform/mellanox: mlxreg-io: Fix argument base in kstrtou32() call
+
+From: Vadim Pasternak <vadimp@nvidia.com>
+
+commit 9b024201693e397441668cca0d2df7055fe572eb upstream.
+
+Change kstrtou32() argument 'base' to be zero instead of 'len'.
+It works by chance for setting one bit value, but it is not supposed to
+work in case value passed to mlxreg_io_attr_store() is greater than 1.
+
+It works for example, for:
+echo 1 > /sys/devices/platform/mlxplat/mlxreg-io/hwmon/.../jtag_enable
+But it will fail for:
+echo n > /sys/devices/platform/mlxplat/mlxreg-io/hwmon/.../jtag_enable,
+where n > 1.
+
+The flow for input buffer conversion is as below:
+_kstrtoull(const char *s, unsigned int base, unsigned long long *res)
+calls:
+rv = _parse_integer(s, base, &_res);
+
+For the second case, where n > 1:
+- _parse_integer() converts 's' to 'val'.
+ For n=2, 'len' is set to 2 (string buffer is 0x32 0x0a), for n=3
+ 'len' is set to 3 (string buffer 0x33 0x0a), etcetera.
+- 'base' is equal or greater then '2' (length of input buffer).
+
+As a result, _parse_integer() exits with result zero (rv):
+ rv = 0;
+ while (1) {
+ ...
+ if (val >= base)-> (2 >= 2)
+ break;
+ ...
+ rv++;
+ ...
+ }
+
+And _kstrtoull() in their turn will fail:
+ if (rv == 0)
+ return -EINVAL;
+
+Fixes: 5ec4a8ace06c ("platform/mellanox: Introduce support for Mellanox register access driver")
+Signed-off-by: Vadim Pasternak <vadimp@nvidia.com>
+Link: https://lore.kernel.org/r/20210927142214.2613929-2-vadimp@nvidia.com
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/mellanox/mlxreg-io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/platform/mellanox/mlxreg-io.c
++++ b/drivers/platform/mellanox/mlxreg-io.c
+@@ -141,7 +141,7 @@ mlxreg_io_attr_store(struct device *dev,
+ return -EINVAL;
+
+ /* Convert buffer to input value. */
+- ret = kstrtou32(buf, len, &input_val);
++ ret = kstrtou32(buf, 0, &input_val);
+ if (ret)
+ return ret;
+
--- /dev/null
+From db9cc7d6f95e7d89b0ce57e785cfd9d67a7505d8 Mon Sep 17 00:00:00 2001
+From: Vadim Pasternak <vadimp@nvidia.com>
+Date: Mon, 27 Sep 2021 17:22:14 +0300
+Subject: platform/mellanox: mlxreg-io: Fix read access of n-bytes size attributes
+
+From: Vadim Pasternak <vadimp@nvidia.com>
+
+commit db9cc7d6f95e7d89b0ce57e785cfd9d67a7505d8 upstream.
+
+Fix shift argument for function rol32(). It should be provided in bits,
+while was provided in bytes.
+
+Fixes: 86148190a7db ("platform/mellanox: mlxreg-io: Add support for complex attributes")
+Signed-off-by: Vadim Pasternak <vadimp@nvidia.com>
+Link: https://lore.kernel.org/r/20210927142214.2613929-3-vadimp@nvidia.com
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/mellanox/mlxreg-io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/platform/mellanox/mlxreg-io.c
++++ b/drivers/platform/mellanox/mlxreg-io.c
+@@ -98,7 +98,7 @@ mlxreg_io_get_reg(void *regmap, struct m
+ if (ret)
+ goto access_error;
+
+- *regval |= rol32(val, regsize * i);
++ *regval |= rol32(val, regsize * i * 8);
+ }
+ }
+
--- /dev/null
+From 41512e4dc0b84525495e784295092592adb87f1b Mon Sep 17 00:00:00 2001
+From: Prashant Malani <pmalani@chromium.org>
+Date: Tue, 28 Sep 2021 03:19:30 -0700
+Subject: platform/x86: intel_scu_ipc: Fix busy loop expiry time
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Prashant Malani <pmalani@chromium.org>
+
+commit 41512e4dc0b84525495e784295092592adb87f1b upstream.
+
+The macro IPC_TIMEOUT is already in jiffies (it is also used like that
+elsewhere in the file when calling wait_for_completion_timeout()). Don’t
+convert it using helper functions for the purposes of calculating the
+busy loop expiry time.
+
+Fixes: e7b7ab3847c9 (“platform/x86: intel_scu_ipc: Sleeping is fine when polling”)
+Signed-off-by: Prashant Malani <pmalani@chromium.org>
+Cc: Benson Leung <bleung@chromium.org>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Link: https://lore.kernel.org/r/20210928101932.2543937-2-pmalani@chromium.org
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/intel_scu_ipc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/platform/x86/intel_scu_ipc.c
++++ b/drivers/platform/x86/intel_scu_ipc.c
+@@ -232,7 +232,7 @@ static inline u32 ipc_data_readl(struct
+ /* Wait till scu status is busy */
+ static inline int busy_loop(struct intel_scu_ipc_dev *scu)
+ {
+- unsigned long end = jiffies + msecs_to_jiffies(IPC_TIMEOUT);
++ unsigned long end = jiffies + IPC_TIMEOUT;
+
+ do {
+ u32 status;
--- /dev/null
+From a5a14ea7b4e55604acb0dc9d88fdb4cb6945bc77 Mon Sep 17 00:00:00 2001
+From: chongjiapeng <jiapeng.chong@linux.alibaba.com>
+Date: Sat, 9 Oct 2021 16:09:26 +0800
+Subject: qed: Fix missing error code in qed_slowpath_start()
+
+From: chongjiapeng <jiapeng.chong@linux.alibaba.com>
+
+commit a5a14ea7b4e55604acb0dc9d88fdb4cb6945bc77 upstream.
+
+The error code is missing in this code scenario, add the error code
+'-EINVAL' to the return value 'rc'.
+
+Eliminate the follow smatch warning:
+
+drivers/net/ethernet/qlogic/qed/qed_main.c:1298 qed_slowpath_start()
+warn: missing error code 'rc'.
+
+Reported-by: Abaci Robot <abaci@linux.alibaba.com>
+Fixes: d51e4af5c209 ("qed: aRFS infrastructure support")
+Signed-off-by: chongjiapeng <jiapeng.chong@linux.alibaba.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/qlogic/qed/qed_main.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_main.c
+@@ -1295,6 +1295,7 @@ static int qed_slowpath_start(struct qed
+ } else {
+ DP_NOTICE(cdev,
+ "Failed to acquire PTT for aRFS\n");
++ rc = -EINVAL;
+ goto err;
+ }
+ }
--- /dev/null
+From 9973a43012b6ad1720dbc4d5faf5302c28635b8c Mon Sep 17 00:00:00 2001
+From: Vegard Nossum <vegard.nossum@oracle.com>
+Date: Mon, 11 Oct 2021 17:22:49 +0200
+Subject: r8152: select CRC32 and CRYPTO/CRYPTO_HASH/CRYPTO_SHA256
+
+From: Vegard Nossum <vegard.nossum@oracle.com>
+
+commit 9973a43012b6ad1720dbc4d5faf5302c28635b8c upstream.
+
+Fix the following build/link errors by adding a dependency on
+CRYPTO, CRYPTO_HASH, CRYPTO_SHA256 and CRC32:
+
+ ld: drivers/net/usb/r8152.o: in function `rtl8152_fw_verify_checksum':
+ r8152.c:(.text+0x2b2a): undefined reference to `crypto_alloc_shash'
+ ld: r8152.c:(.text+0x2bed): undefined reference to `crypto_shash_digest'
+ ld: r8152.c:(.text+0x2c50): undefined reference to `crypto_destroy_tfm'
+ ld: drivers/net/usb/r8152.o: in function `_rtl8152_set_rx_mode':
+ r8152.c:(.text+0xdcb0): undefined reference to `crc32_le'
+
+Fixes: 9370f2d05a2a1 ("r8152: support request_firmware for RTL8153")
+Fixes: ac718b69301c7 ("net/usb: new driver for RTL8152")
+Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/Kconfig | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/usb/Kconfig
++++ b/drivers/net/usb/Kconfig
+@@ -99,6 +99,10 @@ config USB_RTL8150
+ config USB_RTL8152
+ tristate "Realtek RTL8152/RTL8153 Based USB Ethernet Adapters"
+ select MII
++ select CRC32
++ select CRYPTO
++ select CRYPTO_HASH
++ select CRYPTO_SHA256
+ help
+ This option adds support for Realtek RTL8152 based USB 2.0
+ 10/100 Ethernet adapters and RTL8153 based USB 3.0 10/100/1000
net-dsa-fix-spurious-error-message-when-unoffloaded-port-leaves-bridge.patch
net-encx24j600-check-error-in-devm_regmap_init_encx24j600.patch
ethernet-s2io-fix-setting-mac-address-during-resume.patch
+vhost-vdpa-fix-the-wrong-input-in-config_cb.patch
+nfc-fix-error-handling-of-nfc_proto_register.patch
+nfc-digital-fix-possible-memory-leak-in-digital_tg_listen_mdaa.patch
+nfc-digital-fix-possible-memory-leak-in-digital_in_send_sdd_req.patch
+pata_legacy-fix-a-couple-uninitialized-variable-bugs.patch
+ata-ahci_platform-fix-null-ptr-deref-in-ahci_platform_enable_regulators.patch
+mlxsw-thermal-fix-out-of-bounds-memory-accesses.patch
+platform-mellanox-mlxreg-io-fix-argument-base-in-kstrtou32-call.patch
+platform-mellanox-mlxreg-io-fix-read-access-of-n-bytes-size-attributes.patch
+spi-spidev-add-spi-id-table.patch
+spi-bcm-qspi-clear-mspi-spifie-interrupt-during-probe.patch
+drm-panel-olimex-lcd-olinuxino-select-crc32.patch
+drm-edid-in-connector_bad_edid-cap-num_of_ext-by-num_blocks-read.patch
+drm-msm-fix-null-pointer-dereference-on-pointer-edp.patch
+drm-msm-mdp5-fix-cursor-related-warnings.patch
+drm-msm-submit-fix-overflow-check-on-64-bit-architectures.patch
+drm-msm-a6xx-track-current-ctx-by-seqno.patch
+drm-msm-a4xx-fix-error-handling-in-a4xx_gpu_init.patch
+drm-msm-a3xx-fix-error-handling-in-a3xx_gpu_init.patch
+drm-msm-dsi-dsi_phy_14nm-take-ready-bit-into-account-in-poll_for_ready.patch
+drm-msm-dsi-fix-an-error-code-in-msm_dsi_modeset_init.patch
+drm-msm-dsi-fix-off-by-one-in-dsi_bus_clk_enable-error-handling.patch
+acpi-arm64-fix-next_platform_timer-section-mismatch-error.patch
+platform-x86-intel_scu_ipc-fix-busy-loop-expiry-time.patch
+mqprio-correct-stats-in-mqprio_dump_class_stats.patch
+mptcp-fix-possible-stall-on-recvmsg.patch
+qed-fix-missing-error-code-in-qed_slowpath_start.patch
+r8152-select-crc32-and-crypto-crypto_hash-crypto_sha256.patch
+ice-fix-locking-for-tx-timestamp-tracking-flush.patch
+block-rnbd-clt-sysfs-fix-a-couple-uninitialized-variable-bugs.patch
+nfp-flow_offload-move-flow_indr_dev_register-from-app-init-to-app-start.patch
+net-mscc-ocelot-make-use-of-all-63-ptp-timestamp-identifiers.patch
+net-mscc-ocelot-avoid-overflowing-the-ptp-timestamp-fifo.patch
+net-mscc-ocelot-warn-when-a-ptp-irq-is-raised-for-an-unknown-skb.patch
+net-mscc-ocelot-deny-tx-timestamping-of-non-ptp-packets.patch
+net-mscc-ocelot-cross-check-the-sequence-id-from-the-timestamp-fifo-with-the-skb-ptp-header.patch
+net-dsa-felix-break-at-first-cpu-port-during-init-and-teardown.patch
+ionic-don-t-remove-netdev-dev_addr-when-syncing-uc-list.patch
--- /dev/null
+From 75b3cb97eb1f05042745c0655a7145b0262d4c5c Mon Sep 17 00:00:00 2001
+From: Kamal Dasu <kdasu@broadcom.com>
+Date: Fri, 8 Oct 2021 16:36:02 -0400
+Subject: spi: bcm-qspi: clear MSPI spifie interrupt during probe
+
+From: Kamal Dasu <kdasu@broadcom.com>
+
+commit 75b3cb97eb1f05042745c0655a7145b0262d4c5c upstream.
+
+Intermittent Kernel crash has been observed on probe in
+bcm_qspi_mspi_l2_isr() handler when the MSPI spifie interrupt bit
+has not been cleared before registering for interrupts.
+Fix the driver to move SoC specific custom interrupt handling code
+before we register IRQ in probe. Also clear MSPI interrupt status
+resgiter prior to registering IRQ handlers.
+
+Fixes: cc20a38612db ("spi: iproc-qspi: Add Broadcom iProc SoCs support")
+Signed-off-by: Kamal Dasu <kdasu@broadcom.com>
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+Link: https://lore.kernel.org/r/20211008203603.40915-3-kdasu.kdev@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-bcm-qspi.c | 77 ++++++++++++++++++++++++++-------------------
+ 1 file changed, 45 insertions(+), 32 deletions(-)
+
+--- a/drivers/spi/spi-bcm-qspi.c
++++ b/drivers/spi/spi-bcm-qspi.c
+@@ -1250,10 +1250,14 @@ static void bcm_qspi_hw_init(struct bcm_
+
+ static void bcm_qspi_hw_uninit(struct bcm_qspi *qspi)
+ {
++ u32 status = bcm_qspi_read(qspi, MSPI, MSPI_MSPI_STATUS);
++
+ bcm_qspi_write(qspi, MSPI, MSPI_SPCR2, 0);
+ if (has_bspi(qspi))
+ bcm_qspi_write(qspi, MSPI, MSPI_WRITE_LOCK, 0);
+
++ /* clear interrupt */
++ bcm_qspi_write(qspi, MSPI, MSPI_MSPI_STATUS, status & ~1);
+ }
+
+ static const struct spi_controller_mem_ops bcm_qspi_mem_ops = {
+@@ -1397,6 +1401,47 @@ int bcm_qspi_probe(struct platform_devic
+ if (!qspi->dev_ids)
+ return -ENOMEM;
+
++ /*
++ * Some SoCs integrate spi controller (e.g., its interrupt bits)
++ * in specific ways
++ */
++ if (soc_intc) {
++ qspi->soc_intc = soc_intc;
++ soc_intc->bcm_qspi_int_set(soc_intc, MSPI_DONE, true);
++ } else {
++ qspi->soc_intc = NULL;
++ }
++
++ if (qspi->clk) {
++ ret = clk_prepare_enable(qspi->clk);
++ if (ret) {
++ dev_err(dev, "failed to prepare clock\n");
++ goto qspi_probe_err;
++ }
++ qspi->base_clk = clk_get_rate(qspi->clk);
++ } else {
++ qspi->base_clk = MSPI_BASE_FREQ;
++ }
++
++ if (data->has_mspi_rev) {
++ rev = bcm_qspi_read(qspi, MSPI, MSPI_REV);
++ /* some older revs do not have a MSPI_REV register */
++ if ((rev & 0xff) == 0xff)
++ rev = 0;
++ }
++
++ qspi->mspi_maj_rev = (rev >> 4) & 0xf;
++ qspi->mspi_min_rev = rev & 0xf;
++ qspi->mspi_spcr3_sysclk = data->has_spcr3_sysclk;
++
++ qspi->max_speed_hz = qspi->base_clk / (bcm_qspi_spbr_min(qspi) * 2);
++
++ /*
++ * On SW resets it is possible to have the mask still enabled
++ * Need to disable the mask and clear the status while we init
++ */
++ bcm_qspi_hw_uninit(qspi);
++
+ for (val = 0; val < num_irqs; val++) {
+ irq = -1;
+ name = qspi_irq_tab[val].irq_name;
+@@ -1433,38 +1478,6 @@ int bcm_qspi_probe(struct platform_devic
+ goto qspi_probe_err;
+ }
+
+- /*
+- * Some SoCs integrate spi controller (e.g., its interrupt bits)
+- * in specific ways
+- */
+- if (soc_intc) {
+- qspi->soc_intc = soc_intc;
+- soc_intc->bcm_qspi_int_set(soc_intc, MSPI_DONE, true);
+- } else {
+- qspi->soc_intc = NULL;
+- }
+-
+- ret = clk_prepare_enable(qspi->clk);
+- if (ret) {
+- dev_err(dev, "failed to prepare clock\n");
+- goto qspi_probe_err;
+- }
+-
+- qspi->base_clk = clk_get_rate(qspi->clk);
+-
+- if (data->has_mspi_rev) {
+- rev = bcm_qspi_read(qspi, MSPI, MSPI_REV);
+- /* some older revs do not have a MSPI_REV register */
+- if ((rev & 0xff) == 0xff)
+- rev = 0;
+- }
+-
+- qspi->mspi_maj_rev = (rev >> 4) & 0xf;
+- qspi->mspi_min_rev = rev & 0xf;
+- qspi->mspi_spcr3_sysclk = data->has_spcr3_sysclk;
+-
+- qspi->max_speed_hz = qspi->base_clk / (bcm_qspi_spbr_min(qspi) * 2);
+-
+ bcm_qspi_hw_init(qspi);
+ init_completion(&qspi->mspi_done);
+ init_completion(&qspi->bspi_done);
--- /dev/null
+From 6840615f85f6046039ebc4989870ddb12892b7fc Mon Sep 17 00:00:00 2001
+From: Mark Brown <broonie@kernel.org>
+Date: Thu, 23 Sep 2021 18:00:23 +0100
+Subject: spi: spidev: Add SPI ID table
+
+From: Mark Brown <broonie@kernel.org>
+
+commit 6840615f85f6046039ebc4989870ddb12892b7fc upstream.
+
+Currently autoloading for SPI devices does not use the DT ID table, it uses
+SPI modalises. Supporting OF modalises is going to be difficult if not
+impractical, an attempt was made but has been reverted, so ensure that
+module autoloading works for this driver by adding an id_table listing the
+SPI IDs for everything.
+
+Fixes: 96c8395e2166 ("spi: Revert modalias changes")
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20210923170023.1683-1-broonie@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spidev.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/drivers/spi/spidev.c
++++ b/drivers/spi/spidev.c
+@@ -673,6 +673,19 @@ static const struct file_operations spid
+
+ static struct class *spidev_class;
+
++static const struct spi_device_id spidev_spi_ids[] = {
++ { .name = "dh2228fv" },
++ { .name = "ltc2488" },
++ { .name = "sx1301" },
++ { .name = "bk4" },
++ { .name = "dhcom-board" },
++ { .name = "m53cpld" },
++ { .name = "spi-petra" },
++ { .name = "spi-authenta" },
++ {},
++};
++MODULE_DEVICE_TABLE(spi, spidev_spi_ids);
++
+ #ifdef CONFIG_OF
+ static const struct of_device_id spidev_dt_ids[] = {
+ { .compatible = "rohm,dh2228fv" },
+@@ -819,6 +832,7 @@ static struct spi_driver spidev_spi_driv
+ },
+ .probe = spidev_probe,
+ .remove = spidev_remove,
++ .id_table = spidev_spi_ids,
+
+ /* NOTE: suspend/resume methods are not necessary here.
+ * We don't do anything except pass the requests to/from
--- /dev/null
+From bcef9356fc2e1302daf373c83c826aa27954d128 Mon Sep 17 00:00:00 2001
+From: Cindy Lu <lulu@redhat.com>
+Date: Wed, 29 Sep 2021 17:09:33 +0800
+Subject: vhost-vdpa: Fix the wrong input in config_cb
+
+From: Cindy Lu <lulu@redhat.com>
+
+commit bcef9356fc2e1302daf373c83c826aa27954d128 upstream.
+
+Fix the wrong input in for config_cb. In function vhost_vdpa_config_cb,
+the input cb.private was used as struct vhost_vdpa, so the input was
+wrong here, fix this issue
+
+Fixes: 776f395004d8 ("vhost_vdpa: Support config interrupt in vdpa")
+Signed-off-by: Cindy Lu <lulu@redhat.com>
+Link: https://lore.kernel.org/r/20210929090933.20465-1-lulu@redhat.com
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vhost/vdpa.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/vhost/vdpa.c
++++ b/drivers/vhost/vdpa.c
+@@ -316,7 +316,7 @@ static long vhost_vdpa_set_config_call(s
+ struct eventfd_ctx *ctx;
+
+ cb.callback = vhost_vdpa_config_cb;
+- cb.private = v->vdpa;
++ cb.private = v;
+ if (copy_from_user(&fd, argp, sizeof(fd)))
+ return -EFAULT;
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
