4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 15 Jul 2021 14:15:09 +0000 (16:15 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 15 Jul 2021 14:15:09 +0000 (16:15 +0200)
added patches:
asoc-tegra-set-driver_name-tegra-for-all-machine-drivers.patch
coresight-tmc-etf-fix-global-out-of-bounds-in-tmc_update_etf_buffer.patch
dm-btree-remove-assign-new_root-only-when-removal-succeeds.patch
ipack-carriers-tpci200-fix-a-double-free-in-tpci200_pci_probe.patch
ipmi-watchdog-stop-watchdog-timer-when-the-current-action-is-none.patch
power-supply-ab8500-fix-an-old-bug.patch
qemu_fw_cfg-make-fw_cfg_rev_attr-a-proper-kobj_attribute.patch
seq_buf-fix-overflow-in-seq_buf_putmem_hex.patch
tracing-simplify-fix-saved_tgids-logic.patch

queue-4.14/asoc-tegra-set-driver_name-tegra-for-all-machine-drivers.patch [new file with mode: 0644]
queue-4.14/coresight-tmc-etf-fix-global-out-of-bounds-in-tmc_update_etf_buffer.patch [new file with mode: 0644]
queue-4.14/dm-btree-remove-assign-new_root-only-when-removal-succeeds.patch [new file with mode: 0644]
queue-4.14/ipack-carriers-tpci200-fix-a-double-free-in-tpci200_pci_probe.patch [new file with mode: 0644]
queue-4.14/ipmi-watchdog-stop-watchdog-timer-when-the-current-action-is-none.patch [new file with mode: 0644]
queue-4.14/power-supply-ab8500-fix-an-old-bug.patch [new file with mode: 0644]
queue-4.14/qemu_fw_cfg-make-fw_cfg_rev_attr-a-proper-kobj_attribute.patch [new file with mode: 0644]
queue-4.14/seq_buf-fix-overflow-in-seq_buf_putmem_hex.patch [new file with mode: 0644]
queue-4.14/series
queue-4.14/tracing-simplify-fix-saved_tgids-logic.patch [new file with mode: 0644]

diff --git a/queue-4.14/asoc-tegra-set-driver_name-tegra-for-all-machine-drivers.patch b/queue-4.14/asoc-tegra-set-driver_name-tegra-for-all-machine-drivers.patch
new file mode 100644 (file)
index 0000000..af7b6b9
--- /dev/null
@@ -0,0 +1,131 @@
+From f6eb84fa596abf28959fc7e0b626f925eb1196c7 Mon Sep 17 00:00:00 2001
+From: Dmitry Osipenko <digetx@gmail.com>
+Date: Sat, 29 May 2021 18:46:46 +0300
+Subject: ASoC: tegra: Set driver_name=tegra for all machine drivers
+
+From: Dmitry Osipenko <digetx@gmail.com>
+
+commit f6eb84fa596abf28959fc7e0b626f925eb1196c7 upstream.
+
+The driver_name="tegra" is now required by the newer ALSA UCMs, otherwise
+Tegra UCMs don't match by the path/name.
+
+All Tegra machine drivers are specifying the card's name, but it has no
+effect if model name is specified in the device-tree since it overrides
+the card's name. We need to set the driver_name to "tegra" in order to
+get a usable lookup path for the updated ALSA UCMs. The new UCM lookup
+path has a form of driver_name/card_name.
+
+The old lookup paths that are based on driver module name continue to
+work as before. Note that UCM matching never worked for Tegra ASoC drivers
+if they were compiled as built-in, this is fixed by supporting the new
+naming scheme.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
+Link: https://lore.kernel.org/r/20210529154649.25936-2-digetx@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/tegra/tegra_alc5632.c  |    1 +
+ sound/soc/tegra/tegra_max98090.c |    1 +
+ sound/soc/tegra/tegra_rt5640.c   |    1 +
+ sound/soc/tegra/tegra_rt5677.c   |    1 +
+ sound/soc/tegra/tegra_sgtl5000.c |    1 +
+ sound/soc/tegra/tegra_wm8753.c   |    1 +
+ sound/soc/tegra/tegra_wm8903.c   |    1 +
+ sound/soc/tegra/tegra_wm9712.c   |    1 +
+ sound/soc/tegra/trimslice.c      |    1 +
+ 9 files changed, 9 insertions(+)
+
+--- a/sound/soc/tegra/tegra_alc5632.c
++++ b/sound/soc/tegra/tegra_alc5632.c
+@@ -137,6 +137,7 @@ static struct snd_soc_dai_link tegra_alc
+ static struct snd_soc_card snd_soc_tegra_alc5632 = {
+       .name = "tegra-alc5632",
++      .driver_name = "tegra",
+       .owner = THIS_MODULE,
+       .dai_link = &tegra_alc5632_dai,
+       .num_links = 1,
+--- a/sound/soc/tegra/tegra_max98090.c
++++ b/sound/soc/tegra/tegra_max98090.c
+@@ -188,6 +188,7 @@ static struct snd_soc_dai_link tegra_max
+ static struct snd_soc_card snd_soc_tegra_max98090 = {
+       .name = "tegra-max98090",
++      .driver_name = "tegra",
+       .owner = THIS_MODULE,
+       .dai_link = &tegra_max98090_dai,
+       .num_links = 1,
+--- a/sound/soc/tegra/tegra_rt5640.c
++++ b/sound/soc/tegra/tegra_rt5640.c
+@@ -138,6 +138,7 @@ static struct snd_soc_dai_link tegra_rt5
+ static struct snd_soc_card snd_soc_tegra_rt5640 = {
+       .name = "tegra-rt5640",
++      .driver_name = "tegra",
+       .owner = THIS_MODULE,
+       .dai_link = &tegra_rt5640_dai,
+       .num_links = 1,
+--- a/sound/soc/tegra/tegra_rt5677.c
++++ b/sound/soc/tegra/tegra_rt5677.c
+@@ -181,6 +181,7 @@ static struct snd_soc_dai_link tegra_rt5
+ static struct snd_soc_card snd_soc_tegra_rt5677 = {
+       .name = "tegra-rt5677",
++      .driver_name = "tegra",
+       .owner = THIS_MODULE,
+       .dai_link = &tegra_rt5677_dai,
+       .num_links = 1,
+--- a/sound/soc/tegra/tegra_sgtl5000.c
++++ b/sound/soc/tegra/tegra_sgtl5000.c
+@@ -103,6 +103,7 @@ static struct snd_soc_dai_link tegra_sgt
+ static struct snd_soc_card snd_soc_tegra_sgtl5000 = {
+       .name = "tegra-sgtl5000",
++      .driver_name = "tegra",
+       .owner = THIS_MODULE,
+       .dai_link = &tegra_sgtl5000_dai,
+       .num_links = 1,
+--- a/sound/soc/tegra/tegra_wm8753.c
++++ b/sound/soc/tegra/tegra_wm8753.c
+@@ -110,6 +110,7 @@ static struct snd_soc_dai_link tegra_wm8
+ static struct snd_soc_card snd_soc_tegra_wm8753 = {
+       .name = "tegra-wm8753",
++      .driver_name = "tegra",
+       .owner = THIS_MODULE,
+       .dai_link = &tegra_wm8753_dai,
+       .num_links = 1,
+--- a/sound/soc/tegra/tegra_wm8903.c
++++ b/sound/soc/tegra/tegra_wm8903.c
+@@ -222,6 +222,7 @@ static struct snd_soc_dai_link tegra_wm8
+ static struct snd_soc_card snd_soc_tegra_wm8903 = {
+       .name = "tegra-wm8903",
++      .driver_name = "tegra",
+       .owner = THIS_MODULE,
+       .dai_link = &tegra_wm8903_dai,
+       .num_links = 1,
+--- a/sound/soc/tegra/tegra_wm9712.c
++++ b/sound/soc/tegra/tegra_wm9712.c
+@@ -59,6 +59,7 @@ static struct snd_soc_dai_link tegra_wm9
+ static struct snd_soc_card snd_soc_tegra_wm9712 = {
+       .name = "tegra-wm9712",
++      .driver_name = "tegra",
+       .owner = THIS_MODULE,
+       .dai_link = &tegra_wm9712_dai,
+       .num_links = 1,
+--- a/sound/soc/tegra/trimslice.c
++++ b/sound/soc/tegra/trimslice.c
+@@ -103,6 +103,7 @@ static struct snd_soc_dai_link trimslice
+ static struct snd_soc_card snd_soc_trimslice = {
+       .name = "tegra-trimslice",
++      .driver_name = "tegra",
+       .owner = THIS_MODULE,
+       .dai_link = &trimslice_tlv320aic23_dai,
+       .num_links = 1,
diff --git a/queue-4.14/coresight-tmc-etf-fix-global-out-of-bounds-in-tmc_update_etf_buffer.patch b/queue-4.14/coresight-tmc-etf-fix-global-out-of-bounds-in-tmc_update_etf_buffer.patch
new file mode 100644 (file)
index 0000000..a977cfd
--- /dev/null
@@ -0,0 +1,87 @@
+From 5fae8a946ac2df879caf3f79a193d4766d00239b Mon Sep 17 00:00:00 2001
+From: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
+Date: Mon, 14 Jun 2021 11:59:00 -0600
+Subject: coresight: tmc-etf: Fix global-out-of-bounds in tmc_update_etf_buffer()
+
+From: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
+
+commit 5fae8a946ac2df879caf3f79a193d4766d00239b upstream.
+
+commit 6f755e85c332 ("coresight: Add helper for inserting synchronization
+packets") removed trailing '\0' from barrier_pkt array and updated the
+call sites like etb_update_buffer() to have proper checks for barrier_pkt
+size before read but missed updating tmc_update_etf_buffer() which still
+reads barrier_pkt past the array size resulting in KASAN out-of-bounds
+bug. Fix this by adding a check for barrier_pkt size before accessing
+like it is done in etb_update_buffer().
+
+ BUG: KASAN: global-out-of-bounds in tmc_update_etf_buffer+0x4b8/0x698
+ Read of size 4 at addr ffffffd05b7d1030 by task perf/2629
+
+ Call trace:
+  dump_backtrace+0x0/0x27c
+  show_stack+0x20/0x2c
+  dump_stack+0x11c/0x188
+  print_address_description+0x3c/0x4a4
+  __kasan_report+0x140/0x164
+  kasan_report+0x10/0x18
+  __asan_report_load4_noabort+0x1c/0x24
+  tmc_update_etf_buffer+0x4b8/0x698
+  etm_event_stop+0x248/0x2d8
+  etm_event_del+0x20/0x2c
+  event_sched_out+0x214/0x6f0
+  group_sched_out+0xd0/0x270
+  ctx_sched_out+0x2ec/0x518
+  __perf_event_task_sched_out+0x4fc/0xe6c
+  __schedule+0x1094/0x16a0
+  preempt_schedule_irq+0x88/0x170
+  arm64_preempt_schedule_irq+0xf0/0x18c
+  el1_irq+0xe8/0x180
+  perf_event_exec+0x4d8/0x56c
+  setup_new_exec+0x204/0x400
+  load_elf_binary+0x72c/0x18c0
+  search_binary_handler+0x13c/0x420
+  load_script+0x500/0x6c4
+  search_binary_handler+0x13c/0x420
+  exec_binprm+0x118/0x654
+  __do_execve_file+0x77c/0xba4
+  __arm64_compat_sys_execve+0x98/0xac
+  el0_svc_common+0x1f8/0x5e0
+  el0_svc_compat_handler+0x84/0xb0
+  el0_svc_compat+0x10/0x50
+
+ The buggy address belongs to the variable:
+  barrier_pkt+0x10/0x40
+
+ Memory state around the buggy address:
+  ffffffd05b7d0f00: fa fa fa fa 04 fa fa fa fa fa fa fa 00 00 00 00
+  ffffffd05b7d0f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ >ffffffd05b7d1000: 00 00 00 00 00 00 fa fa fa fa fa fa 00 00 00 03
+                                      ^
+  ffffffd05b7d1080: fa fa fa fa 00 02 fa fa fa fa fa fa 03 fa fa fa
+  ffffffd05b7d1100: fa fa fa fa 00 00 00 00 05 fa fa fa fa fa fa fa
+ ==================================================================
+
+Link: https://lore.kernel.org/r/20210505093430.18445-1-saiprakash.ranjan@codeaurora.org
+Fixes: 0c3fc4d5fa26 ("coresight: Add barrier packet for synchronisation")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Link: https://lore.kernel.org/r/20210614175901.532683-6-mathieu.poirier@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwtracing/coresight/coresight-tmc-etf.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwtracing/coresight/coresight-tmc-etf.c
++++ b/drivers/hwtracing/coresight/coresight-tmc-etf.c
+@@ -474,7 +474,7 @@ static void tmc_update_etf_buffer(struct
+               buf_ptr = buf->data_pages[cur] + offset;
+               *buf_ptr = readl_relaxed(drvdata->base + TMC_RRD);
+-              if (lost && *barrier) {
++              if (lost && i < CORESIGHT_BARRIER_PKT_SIZE) {
+                       *buf_ptr = *barrier;
+                       barrier++;
+               }
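Review bot: The new bound `i < CORESIGHT_BARRIER_PKT_SIZE` in tmc_update_etf_buffer() is only safe if `i` and the macro count the same unit, and neither the loop header nor the macro definition is visible in this hunk. `barrier` advances one element per iteration, so if `i` steps in bytes the macro has to be the byte size of the readable part of barrier_pkt. The commit text attributes the array change to 6f755e85c332 while the Fixes tag names 0c3fc4d5fa26, so for this 4.14 queue it is worth confirming which array layout and macro definition the tree actually carries. Once confirmed, a comment above the test such as `/* i and CORESIGHT_BARRIER_PKT_SIZE are both byte counts; stop before barrier leaves barrier_pkt */` would keep that assumption visible. The function body starts and ends outside the hunk.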
diff --git a/queue-4.14/dm-btree-remove-assign-new_root-only-when-removal-succeeds.patch b/queue-4.14/dm-btree-remove-assign-new_root-only-when-removal-succeeds.patch
new file mode 100644 (file)
index 0000000..9450012
--- /dev/null
@@ -0,0 +1,60 @@
+From b6e58b5466b2959f83034bead2e2e1395cca8aeb Mon Sep 17 00:00:00 2001
+From: Hou Tao <houtao1@huawei.com>
+Date: Thu, 17 Jun 2021 15:45:47 +0800
+Subject: dm btree remove: assign new_root only when removal succeeds
+
+From: Hou Tao <houtao1@huawei.com>
+
+commit b6e58b5466b2959f83034bead2e2e1395cca8aeb upstream.
+
+remove_raw() in dm_btree_remove() may fail due to IO read error
+(e.g. read the content of origin block fails during shadowing),
+and the value of shadow_spine::root is uninitialized, but
+the uninitialized value is still assign to new_root in the
+end of dm_btree_remove().
+
+For dm-thin, the value of pmd->details_root or pmd->root will become
+an uninitialized value, so if trying to read details_info tree again
+out-of-bound memory may occur as showed below:
+
+  general protection fault, probably for non-canonical address 0x3fdcb14c8d7520
+  CPU: 4 PID: 515 Comm: dmsetup Not tainted 5.13.0-rc6
+  Hardware name: QEMU Standard PC
+  RIP: 0010:metadata_ll_load_ie+0x14/0x30
+  Call Trace:
+   sm_metadata_count_is_more_than_one+0xb9/0xe0
+   dm_tm_shadow_block+0x52/0x1c0
+   shadow_step+0x59/0xf0
+   remove_raw+0xb2/0x170
+   dm_btree_remove+0xf4/0x1c0
+   dm_pool_delete_thin_device+0xc3/0x140
+   pool_message+0x218/0x2b0
+   target_message+0x251/0x290
+   ctl_ioctl+0x1c4/0x4d0
+   dm_ctl_ioctl+0xe/0x20
+   __x64_sys_ioctl+0x7b/0xb0
+   do_syscall_64+0x40/0xb0
+   entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Fixing it by only assign new_root when removal succeeds
+
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/persistent-data/dm-btree-remove.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/persistent-data/dm-btree-remove.c
++++ b/drivers/md/persistent-data/dm-btree-remove.c
+@@ -549,7 +549,8 @@ int dm_btree_remove(struct dm_btree_info
+               delete_at(n, index);
+       }
+-      *new_root = shadow_root(&spine);
++      if (!r)
++              *new_root = shadow_root(&spine);
+       exit_shadow_spine(&spine);
+       return r;
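Review bot: With `if (!r)` guarding the store, `*new_root` is left untouched whenever dm_btree_remove() fails, and nothing in the hunk documents that contract for callers. The commit text says dm-thin's pmd->details_root or pmd->root received the bad value, so callers depend on the old root surviving an error. A comment above the test, such as `/* on error the spine root may be uninitialised; leave *new_root as the caller passed it */`, would record why the assignment is conditional. The start of the function is outside the hunk, so whether every earlier error path reaches this point with `r` set cannot be checked from here.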
diff --git a/queue-4.14/ipack-carriers-tpci200-fix-a-double-free-in-tpci200_pci_probe.patch b/queue-4.14/ipack-carriers-tpci200-fix-a-double-free-in-tpci200_pci_probe.patch
new file mode 100644 (file)
index 0000000..4d5e1cd
--- /dev/null
@@ -0,0 +1,45 @@
+From 9272e5d0028d45a3b45b58c9255e6e0df53f7ad9 Mon Sep 17 00:00:00 2001
+From: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+Date: Mon, 24 May 2021 02:32:05 -0700
+Subject: ipack/carriers/tpci200: Fix a double free in tpci200_pci_probe
+
+From: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+
+commit 9272e5d0028d45a3b45b58c9255e6e0df53f7ad9 upstream.
+
+In the out_err_bus_register error branch of tpci200_pci_probe,
+tpci200->info->cfg_regs is freed by tpci200_uninstall()->
+tpci200_unregister()->pci_iounmap(..,tpci200->info->cfg_regs)
+in the first time.
+
+But later, iounmap() is called to free tpci200->info->cfg_regs
+again.
+
+My patch sets tpci200->info->cfg_regs to NULL after tpci200_uninstall()
+to avoid the double free.
+
+Fixes: cea2f7cdff2af ("Staging: ipack/bridges/tpci200: Use the TPCI200 in big endian mode")
+Cc: stable <stable@vger.kernel.org>
+Acked-by: Samuel Iglesias Gonsalvez <siglesias@igalia.com>
+Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+Link: https://lore.kernel.org/r/20210524093205.8333-1-lyl2019@mail.ustc.edu.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ipack/carriers/tpci200.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/ipack/carriers/tpci200.c
++++ b/drivers/ipack/carriers/tpci200.c
+@@ -591,8 +591,11 @@ static int tpci200_pci_probe(struct pci_
+ out_err_bus_register:
+       tpci200_uninstall(tpci200);
++      /* tpci200->info->cfg_regs is unmapped in tpci200_uninstall */
++      tpci200->info->cfg_regs = NULL;
+ out_err_install:
+-      iounmap(tpci200->info->cfg_regs);
++      if (tpci200->info->cfg_regs)
++              iounmap(tpci200->info->cfg_regs);
+ out_err_ioremap:
+       pci_release_region(pdev, TPCI200_CFG_MEM_BAR);
+ out_err_pci_request:
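Review bot: Clearing `tpci200->info->cfg_regs` and testing it under out_err_install guards only the iounmap(), while the out_err_bus_register path still falls through every later label. The hunk shows `pci_release_region(pdev, TPCI200_CFG_MEM_BAR)` running next, and whether tpci200_uninstall() has already released that region or other resources freed further down is not visible here, so the remaining unwinding steps deserve the same check for repeated release. If uninstall covers only the mapping, skipping it explicitly reads more clearly than a NULL sentinel: `tpci200_uninstall(tpci200);` followed by `goto out_err_ioremap;`. The labels after out_err_pci_request and the body of the probe function lie outside the hunk.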
diff --git a/queue-4.14/ipmi-watchdog-stop-watchdog-timer-when-the-current-action-is-none.patch b/queue-4.14/ipmi-watchdog-stop-watchdog-timer-when-the-current-action-is-none.patch
new file mode 100644 (file)
index 0000000..2b96b7f
--- /dev/null
@@ -0,0 +1,72 @@
+From 2253042d86f57d90a621ac2513a7a7a13afcf809 Mon Sep 17 00:00:00 2001
+From: Petr Pavlu <petr.pavlu@suse.com>
+Date: Thu, 13 May 2021 14:26:36 +0200
+Subject: ipmi/watchdog: Stop watchdog timer when the current action is 'none'
+
+From: Petr Pavlu <petr.pavlu@suse.com>
+
+commit 2253042d86f57d90a621ac2513a7a7a13afcf809 upstream.
+
+When an IPMI watchdog timer is being stopped in ipmi_close() or
+ipmi_ioctl(WDIOS_DISABLECARD), the current watchdog action is updated to
+WDOG_TIMEOUT_NONE and _ipmi_set_timeout(IPMI_SET_TIMEOUT_NO_HB) is called
+to install this action. The latter function ends up invoking
+__ipmi_set_timeout() which makes the actual 'Set Watchdog Timer' IPMI
+request.
+
+For IPMI 1.0, this operation results in fully stopping the watchdog timer.
+For IPMI >= 1.5, function __ipmi_set_timeout() always specifies the "don't
+stop" flag in the prepared 'Set Watchdog Timer' IPMI request. This causes
+that the watchdog timer has its action correctly updated to 'none' but the
+timer continues to run. A problem is that IPMI firmware can then still log
+an expiration event when the configured timeout is reached, which is
+unexpected because the watchdog timer was requested to be stopped.
+
+The patch fixes this problem by not setting the "don't stop" flag in
+__ipmi_set_timeout() when the current action is WDOG_TIMEOUT_NONE which
+results in stopping the watchdog timer. This makes the behaviour for
+IPMI >= 1.5 consistent with IPMI 1.0. It also matches the logic in
+__ipmi_heartbeat() which does not allow to reset the watchdog if the
+current action is WDOG_TIMEOUT_NONE as that would start the timer.
+
+Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
+Message-Id: <10a41bdc-9c99-089c-8d89-fa98ce5ea080@suse.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/ipmi/ipmi_watchdog.c |   22 ++++++++++++----------
+ 1 file changed, 12 insertions(+), 10 deletions(-)
+
+--- a/drivers/char/ipmi/ipmi_watchdog.c
++++ b/drivers/char/ipmi/ipmi_watchdog.c
+@@ -394,16 +394,18 @@ static int i_ipmi_set_timeout(struct ipm
+       data[0] = 0;
+       WDOG_SET_TIMER_USE(data[0], WDOG_TIMER_USE_SMS_OS);
+-      if ((ipmi_version_major > 1)
+-          || ((ipmi_version_major == 1) && (ipmi_version_minor >= 5))) {
+-              /* This is an IPMI 1.5-only feature. */
+-              data[0] |= WDOG_DONT_STOP_ON_SET;
+-      } else if (ipmi_watchdog_state != WDOG_TIMEOUT_NONE) {
+-              /*
+-               * In ipmi 1.0, setting the timer stops the watchdog, we
+-               * need to start it back up again.
+-               */
+-              hbnow = 1;
++      if (ipmi_watchdog_state != WDOG_TIMEOUT_NONE) {
++              if ((ipmi_version_major > 1) ||
++                  ((ipmi_version_major == 1) && (ipmi_version_minor >= 5))) {
++                      /* This is an IPMI 1.5-only feature. */
++                      data[0] |= WDOG_DONT_STOP_ON_SET;
++              } else {
++                      /*
++                       * In ipmi 1.0, setting the timer stops the watchdog, we
++                       * need to start it back up again.
++                       */
++                      hbnow = 1;
++              }
+       }
+       data[1] = 0;
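Review bot: The outer `if (ipmi_watchdog_state != WDOG_TIMEOUT_NONE)` carries the whole fix but has no comment, and the retained inner comment `/* This is an IPMI 1.5-only feature. */` does not explain why the flag is now sometimes left clear. A short comment above the outer test would help, for example `/* With action 'none' leave WDOG_DONT_STOP_ON_SET clear so that the set request stops the timer. */`. i_ipmi_set_timeout() starts before and continues after the hunk.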
diff --git a/queue-4.14/power-supply-ab8500-fix-an-old-bug.patch b/queue-4.14/power-supply-ab8500-fix-an-old-bug.patch
new file mode 100644 (file)
index 0000000..192b2b2
--- /dev/null
@@ -0,0 +1,38 @@
+From f1c74a6c07e76fcb31a4bcc1f437c4361a2674ce Mon Sep 17 00:00:00 2001
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Sun, 27 Jun 2021 01:47:49 +0200
+Subject: power: supply: ab8500: Fix an old bug
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+commit f1c74a6c07e76fcb31a4bcc1f437c4361a2674ce upstream.
+
+Trying to get the AB8500 charging driver working I ran into a bit
+of bitrot: we haven't used the driver for a while so errors in
+refactorings won't be noticed.
+
+This one is pretty self evident: use argument to the macro or we
+end up with a random pointer to something else.
+
+Cc: stable@vger.kernel.org
+Cc: Krzysztof Kozlowski <krzk@kernel.org>
+Cc: Marcus Cooper <codekipper@gmail.com>
+Fixes: 297d716f6260 ("power_supply: Change ownership from driver to core")
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/mfd/abx500/ux500_chargalg.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/mfd/abx500/ux500_chargalg.h
++++ b/include/linux/mfd/abx500/ux500_chargalg.h
+@@ -15,7 +15,7 @@
+  * - POWER_SUPPLY_TYPE_USB,
+  * because only them store as drv_data pointer to struct ux500_charger.
+  */
+-#define psy_to_ux500_charger(x) power_supply_get_drvdata(psy)
++#define psy_to_ux500_charger(x) power_supply_get_drvdata(x)
+ /* Forward declaration */
+ struct ux500_charger;
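Review bot: `psy_to_ux500_charger(x)` remains an untyped macro, which is how the stray `psy` reference went unnoticed: any caller with a local named `psy` in scope compiled cleanly. A typed helper placed after the forward declaration would let the compiler check the argument, for example `static inline struct ux500_charger *psy_to_ux500_charger(struct power_supply *psy) { return power_supply_get_drvdata(psy); }`. This assumes struct power_supply is declared before this header is used, which the hunk does not show.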
diff --git a/queue-4.14/qemu_fw_cfg-make-fw_cfg_rev_attr-a-proper-kobj_attribute.patch b/queue-4.14/qemu_fw_cfg-make-fw_cfg_rev_attr-a-proper-kobj_attribute.patch
new file mode 100644 (file)
index 0000000..28a6ec3
--- /dev/null
@@ -0,0 +1,65 @@
+From fca41af18e10318e4de090db47d9fa7169e1bf2f Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Thu, 11 Feb 2021 12:42:58 -0700
+Subject: qemu_fw_cfg: Make fw_cfg_rev_attr a proper kobj_attribute
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit fca41af18e10318e4de090db47d9fa7169e1bf2f upstream.
+
+fw_cfg_showrev() is called by an indirect call in kobj_attr_show(),
+which violates clang's CFI checking because fw_cfg_showrev()'s second
+parameter is 'struct attribute', whereas the ->show() member of 'struct
+kobj_structure' expects the second parameter to be of type 'struct
+kobj_attribute'.
+
+$ cat /sys/firmware/qemu_fw_cfg/rev
+3
+
+$ dmesg | grep "CFI failure"
+[   26.016832] CFI failure (target: fw_cfg_showrev+0x0/0x8):
+
+Fix this by converting fw_cfg_rev_attr to 'struct kobj_attribute' where
+this would have been caught automatically by the incompatible pointer
+types compiler warning. Update fw_cfg_showrev() accordingly.
+
+Fixes: 75f3e8e47f38 ("firmware: introduce sysfs driver for QEMU's fw_cfg device")
+Link: https://github.com/ClangBuiltLinux/linux/issues/1299
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
+Tested-by: Sedat Dilek <sedat.dilek@gmail.com>
+Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20210211194258.4137998-1-nathan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/firmware/qemu_fw_cfg.c |    8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/firmware/qemu_fw_cfg.c
++++ b/drivers/firmware/qemu_fw_cfg.c
+@@ -192,15 +192,13 @@ static int fw_cfg_do_platform_probe(stru
+ /* fw_cfg revision attribute, in /sys/firmware/qemu_fw_cfg top-level dir. */
+ static u32 fw_cfg_rev;
+-static ssize_t fw_cfg_showrev(struct kobject *k, struct attribute *a, char *buf)
++static ssize_t fw_cfg_showrev(struct kobject *k, struct kobj_attribute *a,
++                            char *buf)
+ {
+       return sprintf(buf, "%u\n", fw_cfg_rev);
+ }
+-static const struct {
+-      struct attribute attr;
+-      ssize_t (*show)(struct kobject *k, struct attribute *a, char *buf);
+-} fw_cfg_rev_attr = {
++static const struct kobj_attribute fw_cfg_rev_attr = {
+       .attr = { .name = "rev", .mode = S_IRUSR },
+       .show = fw_cfg_showrev,
+ };
diff --git a/queue-4.14/seq_buf-fix-overflow-in-seq_buf_putmem_hex.patch b/queue-4.14/seq_buf-fix-overflow-in-seq_buf_putmem_hex.patch
new file mode 100644 (file)
index 0000000..97f0237
--- /dev/null
@@ -0,0 +1,41 @@
+From d3b16034a24a112bb83aeb669ac5b9b01f744bb7 Mon Sep 17 00:00:00 2001
+From: Yun Zhou <yun.zhou@windriver.com>
+Date: Sat, 26 Jun 2021 11:21:55 +0800
+Subject: seq_buf: Fix overflow in seq_buf_putmem_hex()
+
+From: Yun Zhou <yun.zhou@windriver.com>
+
+commit d3b16034a24a112bb83aeb669ac5b9b01f744bb7 upstream.
+
+There's two variables being increased in that loop (i and j), and i
+follows the raw data, and j follows what is being written into the buffer.
+We should compare 'i' to MAX_MEMHEX_BYTES or compare 'j' to HEX_CHARS.
+Otherwise, if 'j' goes bigger than HEX_CHARS, it will overflow the
+destination buffer.
+
+Link: https://lore.kernel.org/lkml/20210625122453.5e2fe304@oasis.local.home/
+Link: https://lkml.kernel.org/r/20210626032156.47889-1-yun.zhou@windriver.com
+
+Cc: stable@vger.kernel.org
+Fixes: 5e3ca0ec76fce ("ftrace: introduce the "hex" output method")
+Signed-off-by: Yun Zhou <yun.zhou@windriver.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/seq_buf.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/lib/seq_buf.c
++++ b/lib/seq_buf.c
+@@ -228,8 +228,10 @@ int seq_buf_putmem_hex(struct seq_buf *s
+       WARN_ON(s->size == 0);
++      BUILD_BUG_ON(MAX_MEMHEX_BYTES * 2 >= HEX_CHARS);
++
+       while (len) {
+-              start_len = min(len, HEX_CHARS - 1);
++              start_len = min(len, MAX_MEMHEX_BYTES);
+ #ifdef __BIG_ENDIAN
+               for (i = 0, j = 0; i < start_len; i++) {
+ #else
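Review bot: The `BUILD_BUG_ON(MAX_MEMHEX_BYTES * 2 >= HEX_CHARS)` check encodes the sizing rule for the destination buffer, but nothing next to it says what the rule is. A comment such as `/* the hex buffer must hold two digits per input byte with at least one slot to spare */` would tie the assertion to the loop, whose body and the buffer declaration are outside the hunk. It is also worth confirming that `len` and MAX_MEMHEX_BYTES have the same type, since the kernel's `min()` complains about mixed types at build time.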
index 200f9ea5d538bcce73f3e378b905ef895ab020ad..1199f2756ffa1a83d46b6092c252792e99c27055 100644 (file)
@@ -213,3 +213,12 @@ mmc-core-clear-flags-before-allowing-to-retune.patch
 mmc-core-allow-uhs-i-voltage-switch-for-sdsc-cards-if-supported.patch
 ata-ahci_sunxi-disable-dipm.patch
 cpu-hotplug-cure-the-cpusets-trainwreck.patch
+asoc-tegra-set-driver_name-tegra-for-all-machine-drivers.patch
+qemu_fw_cfg-make-fw_cfg_rev_attr-a-proper-kobj_attribute.patch
+ipmi-watchdog-stop-watchdog-timer-when-the-current-action-is-none.patch
+power-supply-ab8500-fix-an-old-bug.patch
+seq_buf-fix-overflow-in-seq_buf_putmem_hex.patch
+tracing-simplify-fix-saved_tgids-logic.patch
+ipack-carriers-tpci200-fix-a-double-free-in-tpci200_pci_probe.patch
+coresight-tmc-etf-fix-global-out-of-bounds-in-tmc_update_etf_buffer.patch
+dm-btree-remove-assign-new_root-only-when-removal-succeeds.patch
diff --git a/queue-4.14/tracing-simplify-fix-saved_tgids-logic.patch b/queue-4.14/tracing-simplify-fix-saved_tgids-logic.patch
new file mode 100644 (file)
index 0000000..1bba5ff
--- /dev/null
@@ -0,0 +1,111 @@
+From b81b3e959adb107cd5b36c7dc5ba1364bbd31eb2 Mon Sep 17 00:00:00 2001
+From: Paul Burton <paulburton@google.com>
+Date: Tue, 29 Jun 2021 17:34:05 -0700
+Subject: tracing: Simplify & fix saved_tgids logic
+
+From: Paul Burton <paulburton@google.com>
+
+commit b81b3e959adb107cd5b36c7dc5ba1364bbd31eb2 upstream.
+
+The tgid_map array records a mapping from pid to tgid, where the index
+of an entry within the array is the pid & the value stored at that index
+is the tgid.
+
+The saved_tgids_next() function iterates over pointers into the tgid_map
+array & dereferences the pointers which results in the tgid, but then it
+passes that dereferenced value to trace_find_tgid() which treats it as a
+pid & does a further lookup within the tgid_map array. It seems likely
+that the intent here was to skip over entries in tgid_map for which the
+recorded tgid is zero, but instead we end up skipping over entries for
+which the thread group leader hasn't yet had its own tgid recorded in
+tgid_map.
+
+A minimal fix would be to remove the call to trace_find_tgid, turning:
+
+  if (trace_find_tgid(*ptr))
+
+into:
+
+  if (*ptr)
+
+..but it seems like this logic can be much simpler if we simply let
+seq_read() iterate over the whole tgid_map array & filter out empty
+entries by returning SEQ_SKIP from saved_tgids_show(). Here we take that
+approach, removing the incorrect logic here entirely.
+
+Link: https://lkml.kernel.org/r/20210630003406.4013668-1-paulburton@google.com
+
+Fixes: d914ba37d714 ("tracing: Add support for recording tgid of tasks")
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Joel Fernandes <joelaf@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Paul Burton <paulburton@google.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace.c |   38 +++++++++++++-------------------------
+ 1 file changed, 13 insertions(+), 25 deletions(-)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -4750,37 +4750,20 @@ static const struct file_operations trac
+ static void *saved_tgids_next(struct seq_file *m, void *v, loff_t *pos)
+ {
+-      int *ptr = v;
++      int pid = ++(*pos);
+-      if (*pos || m->count)
+-              ptr++;
+-
+-      (*pos)++;
+-
+-      for (; ptr <= &tgid_map[PID_MAX_DEFAULT]; ptr++) {
+-              if (trace_find_tgid(*ptr))
+-                      return ptr;
+-      }
++      if (pid > PID_MAX_DEFAULT)
++              return NULL;
+-      return NULL;
++      return &tgid_map[pid];
+ }
+ static void *saved_tgids_start(struct seq_file *m, loff_t *pos)
+ {
+-      void *v;
+-      loff_t l = 0;
+-
+-      if (!tgid_map)
++      if (!tgid_map || *pos > PID_MAX_DEFAULT)
+               return NULL;
+-      v = &tgid_map[0];
+-      while (l <= *pos) {
+-              v = saved_tgids_next(m, v, &l);
+-              if (!v)
+-                      return NULL;
+-      }
+-
+-      return v;
++      return &tgid_map[*pos];
+ }
+ static void saved_tgids_stop(struct seq_file *m, void *v)
+@@ -4789,9 +4772,14 @@ static void saved_tgids_stop(struct seq_
+ static int saved_tgids_show(struct seq_file *m, void *v)
+ {
+-      int pid = (int *)v - tgid_map;
++      int *entry = (int *)v;
++      int pid = entry - tgid_map;
++      int tgid = *entry;
++
++      if (tgid == 0)
++              return SEQ_SKIP;
+-      seq_printf(m, "%d %d\n", pid, trace_find_tgid(pid));
++      seq_printf(m, "%d %d\n", pid, tgid);
+       return 0;
+ }
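Review bot: In saved_tgids_next() the bound is tested after `++(*pos)` has been narrowed from loff_t to `int`, so `pid > PID_MAX_DEFAULT` would see a truncated value if the position ever exceeded the int range. saved_tgids_start() compares `*pos` at full width, which probably keeps the value small in practice, but doing the same in next costs nothing: `if (++(*pos) > PID_MAX_DEFAULT) return NULL;` followed by `return &tgid_map[*pos];`. Both functions index up to and including PID_MAX_DEFAULT, so they rely on tgid_map holding PID_MAX_DEFAULT + 1 entries; the allocation is not in this hunk.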