--- /dev/null
+From 2d63664de23974de8977117690f70d7bbf7e392c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Jun 2021 17:39:22 +0900
+Subject: ALSA: bebob: add support for ToneWeal FW66
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+[ Upstream commit 50ebe56222bfa0911a932930f9229ee5995508d9 ]
+
+A user of FFADO project reported the issue of ToneWeal FW66. As a result,
+the device is identified as one of applications of BeBoB solution.
+
+I note that in the report the device returns contradictory result in plug
+discovery process for audio subunit. Fortunately ALSA BeBoB driver doesn't
+perform it thus it's likely to handle the device without issues.
+
+I receive no reaction to test request for this patch yet, however it would
+be worth to add support for it.
+
+daniel@gibbonmoon:/sys/bus/firewire/devices/fw1$ grep -r . *
+Binary file config_rom matches
+dev:244:1
+guid:0x0023270002000000
+hardware_version:0x000002
+is_local:0
+model:0x020002
+model_name:FW66
+power/runtime_active_time:0
+power/runtime_active_kids:0
+power/runtime_usage:0
+power/runtime_status:unsupported
+power/async:disabled
+power/runtime_suspended_time:0
+power/runtime_enabled:disabled
+power/control:auto
+subsystem/drivers_autoprobe:1
+uevent:MAJOR=244
+uevent:MINOR=1
+uevent:DEVNAME=fw1
+units:0x00a02d:0x010001
+vendor:0x002327
+vendor_name:ToneWeal
+fw1.0/uevent:MODALIAS=ieee1394:ven00002327mo00020002sp0000A02Dver00010001
+fw1.0/power/runtime_active_time:0
+fw1.0/power/runtime_active_kids:0
+fw1.0/power/runtime_usage:0
+fw1.0/power/runtime_status:unsupported
+fw1.0/power/async:disabled
+fw1.0/power/runtime_suspended_time:0
+fw1.0/power/runtime_enabled:disabled
+fw1.0/power/control:auto
+fw1.0/model:0x020002
+fw1.0/rom_index:15
+fw1.0/specifier_id:0x00a02d
+fw1.0/model_name:FW66
+fw1.0/version:0x010001
+fw1.0/modalias:ieee1394:ven00002327mo00020002sp0000A02Dver00010001
+
+Cc: Daniel Jozsef <daniel.jozsef@gmail.com>
+Reference: https://lore.kernel.org/alsa-devel/20200119164335.GA11974@workstation/
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Link: https://lore.kernel.org/r/20210619083922.16060-1-o-takashi@sakamocchi.jp
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/firewire/Kconfig | 1 +
+ sound/firewire/bebob/bebob.c | 3 +++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/sound/firewire/Kconfig b/sound/firewire/Kconfig
+index 4199cfc4a96a..850315d1abca 100644
+--- a/sound/firewire/Kconfig
++++ b/sound/firewire/Kconfig
+@@ -117,6 +117,7 @@ config SND_BEBOB
+ * M-Audio Ozonic/NRV10/ProfireLightBridge
+ * M-Audio FireWire 1814/ProjectMix IO
+ * Digidesign Mbox 2 Pro
++ * ToneWeal FW66
+
+ To compile this driver as a module, choose M here: the module
+ will be called snd-bebob.
+diff --git a/sound/firewire/bebob/bebob.c b/sound/firewire/bebob/bebob.c
+index 64dca7931272..c3c14e383e73 100644
+--- a/sound/firewire/bebob/bebob.c
++++ b/sound/firewire/bebob/bebob.c
+@@ -60,6 +60,7 @@ static DECLARE_BITMAP(devices_used, SNDRV_CARDS);
+ #define VEN_MAUDIO1 0x00000d6c
+ #define VEN_MAUDIO2 0x000007f5
+ #define VEN_DIGIDESIGN 0x00a07e
++#define OUI_SHOUYO 0x002327
+
+ #define MODEL_FOCUSRITE_SAFFIRE_BOTH 0x00000000
+ #define MODEL_MAUDIO_AUDIOPHILE_BOTH 0x00010060
+@@ -461,6 +462,8 @@ static const struct ieee1394_device_id bebob_id_table[] = {
+ &maudio_special_spec),
+ /* Digidesign Mbox 2 Pro */
+ SND_BEBOB_DEV_ENTRY(VEN_DIGIDESIGN, 0x0000a9, &spec_normal),
++ // Toneweal FW66.
++ SND_BEBOB_DEV_ENTRY(OUI_SHOUYO, 0x020002, &spec_normal),
+ /* IDs are unknown but able to be supported */
+ /* Apogee, Mini-ME Firewire */
+ /* Apogee, Mini-DAC Firewire */
+--
+2.30.2
+
--- /dev/null
+From e8e4eee5ea0451a417c1395ab85d03f0009aa173 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Jun 2021 21:19:42 +0800
+Subject: ALSA: hda: Add IRQ check for platform_get_irq()
+
+From: Jiajun Cao <jjcao20@fudan.edu.cn>
+
+[ Upstream commit 8c13212443230d03ff25014514ec0d53498c0912 ]
+
+The function hda_tegra_first_init() neglects to check the return
+value after executing platform_get_irq().
+
+hda_tegra_first_init() should check the return value (if negative
+error number) for errors so as to not pass a negative value to
+the devm_request_irq().
+
+Fix it by adding a check for the return value irq_id.
+
+Signed-off-by: Jiajun Cao <jjcao20@fudan.edu.cn>
+Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
+Reviewed-by: Thierry Reding <treding@nvidia.com>
+Link: https://lore.kernel.org/r/20210622131947.94346-1-jjcao20@fudan.edu.cn
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/hda_tegra.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/pci/hda/hda_tegra.c b/sound/pci/hda/hda_tegra.c
+index 039fbbb1e53c..89359a962e47 100644
+--- a/sound/pci/hda/hda_tegra.c
++++ b/sound/pci/hda/hda_tegra.c
+@@ -363,6 +363,9 @@ static int hda_tegra_first_init(struct azx *chip, struct platform_device *pdev)
+ unsigned short gcap;
+ int irq_id = platform_get_irq(pdev, 0);
+
++ if (irq_id < 0)
++ return irq_id;
++
+ err = hda_tegra_init_chip(chip, pdev);
+ if (err)
+ return err;
+--
+2.30.2
+
--- /dev/null
+From fff3486e31e0d1ea0755c1584fbb665ffec5156a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Jul 2021 15:40:51 +0800
+Subject: ALSA: isa: Fix error return code in snd_cmi8330_probe()
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit 31028cbed26a8afa25533a10425ffa2ab794c76c ]
+
+When 'SB_HW_16' check fails, the error code -ENODEV instead of 0 should be
+returned, which is the same as that returned when 'WSS_HW_CMI8330' check
+fails.
+
+Fixes: 43bcd973d6d0 ("[ALSA] Add snd_card_set_generic_dev() call to ISA drivers")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Link: https://lore.kernel.org/r/20210707074051.2663-1-thunder.leizhen@huawei.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/isa/cmi8330.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/isa/cmi8330.c b/sound/isa/cmi8330.c
+index dfedfd85f205..463906882b95 100644
+--- a/sound/isa/cmi8330.c
++++ b/sound/isa/cmi8330.c
+@@ -564,7 +564,7 @@ static int snd_cmi8330_probe(struct snd_card *card, int dev)
+ }
+ if (acard->sb->hardware != SB_HW_16) {
+ snd_printk(KERN_ERR PFX "SB16 not found during probe\n");
+- return err;
++ return -ENODEV;
+ }
+
+ snd_wss_out(acard->wss, CS4231_MISC_INFO, 0x40); /* switch on MODE2 */
+--
+2.30.2
+
--- /dev/null
+From 58c0e7ef4c9cc3ee2e6e374d62273edd96c4ff45 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 10:11:21 +0800
+Subject: ALSA: ppc: fix error return code in snd_pmac_probe()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 80b9c1be567c3c6bbe0d4b290af578e630485b5d ]
+
+If snd_pmac_tumbler_init() or snd_pmac_tumbler_post_init() fails,
+snd_pmac_probe() need return error code.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20210616021121.1991502-1-yangyingliang@huawei.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/ppc/powermac.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/sound/ppc/powermac.c b/sound/ppc/powermac.c
+index 33c6be9fb388..7c70ba5e2540 100644
+--- a/sound/ppc/powermac.c
++++ b/sound/ppc/powermac.c
+@@ -90,7 +90,11 @@ static int snd_pmac_probe(struct platform_device *devptr)
+ sprintf(card->shortname, "PowerMac %s", name_ext);
+ sprintf(card->longname, "%s (Dev %d) Sub-frame %d",
+ card->shortname, chip->device_id, chip->subframe);
+- if ( snd_pmac_tumbler_init(chip) < 0 || snd_pmac_tumbler_post_init() < 0)
++ err = snd_pmac_tumbler_init(chip);
++ if (err < 0)
++ goto __error;
++ err = snd_pmac_tumbler_post_init();
++ if (err < 0)
+ goto __error;
+ break;
+ case PMAC_AWACS:
+--
+2.30.2
+
--- /dev/null
+From 776eeffab8824b8f46954b72116deebfd658669f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jun 2021 16:04:37 +0200
+Subject: ALSA: sb: Fix potential double-free of CSP mixer elements
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit c305366a37441c2ac90b08711cb6f032b43672f2 ]
+
+snd_sb_qsound_destroy() contains the calls of removing the previously
+created mixer controls, but it doesn't clear the pointers. As
+snd_sb_qsound_destroy() itself may be repeatedly called via ioctl,
+this could lead to double-free potentially.
+
+Fix it by clearing the struct fields properly afterwards.
+
+Link: https://lore.kernel.org/r/20210608140540.17885-4-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/isa/sb/sb16_csp.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/sound/isa/sb/sb16_csp.c b/sound/isa/sb/sb16_csp.c
+index 2cc068be7d3b..90fa57ad14c0 100644
+--- a/sound/isa/sb/sb16_csp.c
++++ b/sound/isa/sb/sb16_csp.c
+@@ -1086,10 +1086,14 @@ static void snd_sb_qsound_destroy(struct snd_sb_csp * p)
+ card = p->chip->card;
+
+ down_write(&card->controls_rwsem);
+- if (p->qsound_switch)
++ if (p->qsound_switch) {
+ snd_ctl_remove(card, p->qsound_switch);
+- if (p->qsound_space)
++ p->qsound_switch = NULL;
++ }
++ if (p->qsound_space) {
+ snd_ctl_remove(card, p->qsound_space);
++ p->qsound_space = NULL;
++ }
+ up_write(&card->controls_rwsem);
+
+ /* cancel pending transfer of QSound parameters */
+--
+2.30.2
+
--- /dev/null
+From 781a2c624bdf5e1c0bc94ff9cb0033787fb35a49 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jun 2021 20:29:26 +0100
+Subject: ARM: 9087/1: kprobes: test-thumb: fix for LLVM_IAS=1
+
+From: Nick Desaulniers <ndesaulniers@google.com>
+
+[ Upstream commit 8b95a7d90ce8160ac5cffd5bace6e2eba01a871e ]
+
+There's a few instructions that GAS infers operands but Clang doesn't;
+from what I can tell the Arm ARM doesn't say these are optional.
+
+F5.1.257 TBB, TBH T1 Halfword variant
+F5.1.238 STREXD T1 variant
+F5.1.84 LDREXD T1 variant
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/1309
+
+Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
+Reviewed-by: Jian Cai <jiancai@google.com>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/probes/kprobes/test-thumb.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arm/probes/kprobes/test-thumb.c b/arch/arm/probes/kprobes/test-thumb.c
+index b683b4517458..4254391f3906 100644
+--- a/arch/arm/probes/kprobes/test-thumb.c
++++ b/arch/arm/probes/kprobes/test-thumb.c
+@@ -444,21 +444,21 @@ void kprobe_thumb32_test_cases(void)
+ "3: mvn r0, r0 \n\t"
+ "2: nop \n\t")
+
+- TEST_RX("tbh [pc, r",7, (9f-(1f+4))>>1,"]",
++ TEST_RX("tbh [pc, r",7, (9f-(1f+4))>>1,", lsl #1]",
+ "9: \n\t"
+ ".short (2f-1b-4)>>1 \n\t"
+ ".short (3f-1b-4)>>1 \n\t"
+ "3: mvn r0, r0 \n\t"
+ "2: nop \n\t")
+
+- TEST_RX("tbh [pc, r",12, ((9f-(1f+4))>>1)+1,"]",
++ TEST_RX("tbh [pc, r",12, ((9f-(1f+4))>>1)+1,", lsl #1]",
+ "9: \n\t"
+ ".short (2f-1b-4)>>1 \n\t"
+ ".short (3f-1b-4)>>1 \n\t"
+ "3: mvn r0, r0 \n\t"
+ "2: nop \n\t")
+
+- TEST_RRX("tbh [r",1,9f, ", r",14,1,"]",
++ TEST_RRX("tbh [r",1,9f, ", r",14,1,", lsl #1]",
+ "9: \n\t"
+ ".short (2f-1b-4)>>1 \n\t"
+ ".short (3f-1b-4)>>1 \n\t"
+@@ -471,10 +471,10 @@ void kprobe_thumb32_test_cases(void)
+
+ TEST_UNSUPPORTED("strexb r0, r1, [r2]")
+ TEST_UNSUPPORTED("strexh r0, r1, [r2]")
+- TEST_UNSUPPORTED("strexd r0, r1, [r2]")
++ TEST_UNSUPPORTED("strexd r0, r1, r2, [r2]")
+ TEST_UNSUPPORTED("ldrexb r0, [r1]")
+ TEST_UNSUPPORTED("ldrexh r0, [r1]")
+- TEST_UNSUPPORTED("ldrexd r0, [r1]")
++ TEST_UNSUPPORTED("ldrexd r0, r1, [r1]")
+
+ TEST_GROUP("Data-processing (shifted register) and (modified immediate)")
+
+--
+2.30.2
+
--- /dev/null
+From ea825ad90d2d3b19e5b62b79016b1e02546df291 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 May 2021 09:59:41 -0400
+Subject: ARM: dts: exynos: fix PWM LED max brightness on Odroid XU4
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+
+[ Upstream commit fd2f1717966535b7d0b6fe45cf0d79e94330da5f ]
+
+There is no "max_brightness" property as pointed out by dtschema:
+
+ arch/arm/boot/dts/exynos5422-odroidxu4.dt.yaml: led-controller: led-1: 'max-brightness' is a required property
+
+Fixes: 6658356014cb ("ARM: dts: Add support Odroid XU4 board for exynos5422-odroidxu4")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Link: https://lore.kernel.org/r/20210505135941.59898-5-krzysztof.kozlowski@canonical.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/exynos5422-odroidxu4.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/exynos5422-odroidxu4.dts b/arch/arm/boot/dts/exynos5422-odroidxu4.dts
+index 2faf88627a48..b45e2a0c3908 100644
+--- a/arch/arm/boot/dts/exynos5422-odroidxu4.dts
++++ b/arch/arm/boot/dts/exynos5422-odroidxu4.dts
+@@ -26,7 +26,7 @@
+ label = "blue:heartbeat";
+ pwms = <&pwm 2 2000000 0>;
+ pwm-names = "pwm2";
+- max_brightness = <255>;
++ max-brightness = <255>;
+ linux,default-trigger = "heartbeat";
+ };
+ };
+--
+2.30.2
+
--- /dev/null
+From c8915d74dec1e0d614f54b8087e2f77dc4d2a6a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jun 2021 18:37:29 +0800
+Subject: ASoC: soc-core: Fix the error return code in
+ snd_soc_of_parse_audio_routing()
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit 7d3865a10b9ff2669c531d5ddd60bf46b3d48f1e ]
+
+When devm_kcalloc() fails, the error code -ENOMEM should be returned
+instead of -EINVAL.
+
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Link: https://lore.kernel.org/r/20210617103729.1918-1-thunder.leizhen@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
+index b927f9c81d92..e69a7f8b6163 100644
+--- a/sound/soc/soc-core.c
++++ b/sound/soc/soc-core.c
+@@ -3394,7 +3394,7 @@ int snd_soc_of_parse_audio_routing(struct snd_soc_card *card,
+ if (!routes) {
+ dev_err(card->dev,
+ "ASoC: Could not allocate DAPM route table\n");
+- return -EINVAL;
++ return -ENOMEM;
+ }
+
+ for (i = 0; i < num_routes; i++) {
+--
+2.30.2
+
--- /dev/null
+From 5e28df511d43ad2f6fd840b853d2daa708b8ff06 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jun 2021 14:21:47 +0200
+Subject: backlight: lm3630a: Fix return code of .update_status() callback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit b9481a667a90ec739995e85f91f3672ca44d6ffa ]
+
+According to <linux/backlight.h> .update_status() is supposed to
+return 0 on success and a negative error code otherwise. Adapt
+lm3630a_bank_a_update_status() and lm3630a_bank_b_update_status() to
+actually do it.
+
+While touching that also add the error code to the failure message.
+
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Reviewed-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/backlight/lm3630a_bl.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/video/backlight/lm3630a_bl.c b/drivers/video/backlight/lm3630a_bl.c
+index 5ef6f9d420a2..ab882c04f975 100644
+--- a/drivers/video/backlight/lm3630a_bl.c
++++ b/drivers/video/backlight/lm3630a_bl.c
+@@ -183,7 +183,7 @@ static int lm3630a_bank_a_update_status(struct backlight_device *bl)
+ if ((pwm_ctrl & LM3630A_PWM_BANK_A) != 0) {
+ lm3630a_pwm_ctrl(pchip, bl->props.brightness,
+ bl->props.max_brightness);
+- return bl->props.brightness;
++ return 0;
+ }
+
+ /* disable sleep */
+@@ -203,8 +203,8 @@ static int lm3630a_bank_a_update_status(struct backlight_device *bl)
+ return 0;
+
+ out_i2c_err:
+- dev_err(pchip->dev, "i2c failed to access\n");
+- return bl->props.brightness;
++ dev_err(pchip->dev, "i2c failed to access (%pe)\n", ERR_PTR(ret));
++ return ret;
+ }
+
+ static int lm3630a_bank_a_get_brightness(struct backlight_device *bl)
+@@ -260,7 +260,7 @@ static int lm3630a_bank_b_update_status(struct backlight_device *bl)
+ if ((pwm_ctrl & LM3630A_PWM_BANK_B) != 0) {
+ lm3630a_pwm_ctrl(pchip, bl->props.brightness,
+ bl->props.max_brightness);
+- return bl->props.brightness;
++ return 0;
+ }
+
+ /* disable sleep */
+@@ -280,8 +280,8 @@ static int lm3630a_bank_b_update_status(struct backlight_device *bl)
+ return 0;
+
+ out_i2c_err:
+- dev_err(pchip->dev, "i2c failed to access REG_CTRL\n");
+- return bl->props.brightness;
++ dev_err(pchip->dev, "i2c failed to access (%pe)\n", ERR_PTR(ret));
++ return ret;
+ }
+
+ static int lm3630a_bank_b_get_brightness(struct backlight_device *bl)
+--
+2.30.2
+
--- /dev/null
+From d7ec02a934edb85792c546ca52dac8cb6ad8148d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 May 2021 10:08:30 -0400
+Subject: ceph: remove bogus checks and WARN_ONs from ceph_set_page_dirty
+
+From: Jeff Layton <jlayton@kernel.org>
+
+[ Upstream commit 22d41cdcd3cfd467a4af074165357fcbea1c37f5 ]
+
+The checks for page->mapping are odd, as set_page_dirty is an
+address_space operation, and I don't see where it would be called on a
+non-pagecache page.
+
+The warning about the page lock also seems bogus. The comment over
+set_page_dirty() says that it can be called without the page lock in
+some rare cases. I don't think we want to warn if that's the case.
+
+Reported-by: Matthew Wilcox <willy@infradead.org>
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ceph/addr.c | 10 +---------
+ 1 file changed, 1 insertion(+), 9 deletions(-)
+
+diff --git a/fs/ceph/addr.c b/fs/ceph/addr.c
+index fbf383048409..26de74684c17 100644
+--- a/fs/ceph/addr.c
++++ b/fs/ceph/addr.c
+@@ -72,10 +72,6 @@ static int ceph_set_page_dirty(struct page *page)
+ struct inode *inode;
+ struct ceph_inode_info *ci;
+ struct ceph_snap_context *snapc;
+- int ret;
+-
+- if (unlikely(!mapping))
+- return !TestSetPageDirty(page);
+
+ if (PageDirty(page)) {
+ dout("%p set_page_dirty %p idx %lu -- already dirty\n",
+@@ -121,11 +117,7 @@ static int ceph_set_page_dirty(struct page *page)
+ page->private = (unsigned long)snapc;
+ SetPagePrivate(page);
+
+- ret = __set_page_dirty_nobuffers(page);
+- WARN_ON(!PageLocked(page));
+- WARN_ON(!page->mapping);
+-
+- return ret;
++ return __set_page_dirty_nobuffers(page);
+ }
+
+ /*
+--
+2.30.2
+
--- /dev/null
+From 50ff3b7aa303096c0c8a9b0b053db7d8fcd26686 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jun 2021 19:07:10 +0800
+Subject: fs/jfs: Fix missing error code in lmLogInit()
+
+From: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
+
+[ Upstream commit 492109333c29e1bb16d8732e1d597b02e8e0bf2e ]
+
+The error code is missing in this code scenario, add the error code
+'-EINVAL' to the return value 'rc.
+
+Eliminate the follow smatch warning:
+
+fs/jfs/jfs_logmgr.c:1327 lmLogInit() warn: missing error code 'rc'.
+
+Reported-by: Abaci Robot <abaci@linux.alibaba.com>
+Signed-off-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jfs/jfs_logmgr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c
+index a69bdf2a1085..d19542a88c2c 100644
+--- a/fs/jfs/jfs_logmgr.c
++++ b/fs/jfs/jfs_logmgr.c
+@@ -1339,6 +1339,7 @@ int lmLogInit(struct jfs_log * log)
+ } else {
+ if (memcmp(logsuper->uuid, log->uuid, 16)) {
+ jfs_warn("wrong uuid on JFS log device");
++ rc = -EINVAL;
+ goto errout20;
+ }
+ log->size = le32_to_cpu(logsuper->size);
+--
+2.30.2
+
--- /dev/null
+From 4f1bf90854094062471735036e85d09d0fb9fd65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Apr 2021 19:38:05 +0530
+Subject: gpio: zynq: Check return value of pm_runtime_get_sync
+
+From: Srinivas Neeli <srinivas.neeli@xilinx.com>
+
+[ Upstream commit a51b2fb94b04ab71e53a71b9fad03fa826941254 ]
+
+Return value of "pm_runtime_get_sync" API was neither captured nor checked.
+Fixed it by capturing the return value and then checking for any warning.
+
+Addresses-Coverity: "check_return"
+Signed-off-by: Srinivas Neeli <srinivas.neeli@xilinx.com>
+Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-zynq.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpio/gpio-zynq.c b/drivers/gpio/gpio-zynq.c
+index 8abeacac5885..ccfdf5a45998 100644
+--- a/drivers/gpio/gpio-zynq.c
++++ b/drivers/gpio/gpio-zynq.c
+@@ -764,8 +764,11 @@ err_disable_clk:
+ static int zynq_gpio_remove(struct platform_device *pdev)
+ {
+ struct zynq_gpio *gpio = platform_get_drvdata(pdev);
++ int ret;
+
+- pm_runtime_get_sync(&pdev->dev);
++ ret = pm_runtime_get_sync(&pdev->dev);
++ if (ret < 0)
++ dev_warn(&pdev->dev, "pm_runtime_get_sync() Failed\n");
+ gpiochip_remove(&gpio->chip);
+ clk_disable_unprepare(gpio->clk);
+ device_set_wakeup_capable(&pdev->dev, 0);
+--
+2.30.2
+
--- /dev/null
+From f4443218f6061c6e44b131c032e8ab16892fbe25 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Jul 2021 18:07:41 -0700
+Subject: hexagon: use common DISCARDS macro
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+[ Upstream commit 681ba73c72302214686401e707e2087ed11a6556 ]
+
+ld.lld warns that the '.modinfo' section is not currently handled:
+
+ld.lld: warning: kernel/built-in.a(workqueue.o):(.modinfo) is being placed in '.modinfo'
+ld.lld: warning: kernel/built-in.a(printk/printk.o):(.modinfo) is being placed in '.modinfo'
+ld.lld: warning: kernel/built-in.a(irq/spurious.o):(.modinfo) is being placed in '.modinfo'
+ld.lld: warning: kernel/built-in.a(rcu/update.o):(.modinfo) is being placed in '.modinfo'
+
+The '.modinfo' section was added in commit 898490c010b5 ("moduleparam:
+Save information about built-in modules in separate file") to the DISCARDS
+macro but Hexagon has never used that macro. The unification of DISCARDS
+happened in commit 023bf6f1b8bf ("linker script: unify usage of discard
+definition") in 2009, prior to Hexagon being added in 2011.
+
+Switch Hexagon over to the DISCARDS macro so that anything that is
+expected to be discarded gets discarded.
+
+Link: https://lkml.kernel.org/r/20210521011239.1332345-3-nathan@kernel.org
+Fixes: e95bf452a9e2 ("Hexagon: Add configuration and makefiles for the Hexagon architecture.")
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Acked-by: Brian Cain <bcain@codeaurora.org>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Oliver Glitta <glittao@gmail.com>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/hexagon/kernel/vmlinux.lds.S | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+diff --git a/arch/hexagon/kernel/vmlinux.lds.S b/arch/hexagon/kernel/vmlinux.lds.S
+index 5f268c1071b3..b5c050fe23a5 100644
+--- a/arch/hexagon/kernel/vmlinux.lds.S
++++ b/arch/hexagon/kernel/vmlinux.lds.S
+@@ -70,13 +70,8 @@ SECTIONS
+
+ _end = .;
+
+- /DISCARD/ : {
+- EXIT_TEXT
+- EXIT_DATA
+- EXIT_CALL
+- }
+-
+ STABS_DEBUG
+ DWARF_DEBUG
+
++ DISCARDS
+ }
+--
+2.30.2
+
--- /dev/null
+From c15525ae0019668de8973056df813c78f1608851 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Jun 2021 18:56:16 -0700
+Subject: lib/decompress_unlz4.c: correctly handle zero-padding around initrds.
+
+From: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
+
+[ Upstream commit 2c484419efc09e7234c667aa72698cb79ba8d8ed ]
+
+lz4 compatible decompressor is simple. The format is underspecified and
+relies on EOF notification to determine when to stop. Initramfs buffer
+format[1] explicitly states that it can have arbitrary number of zero
+padding. Thus when operating without a fill function, be extra careful to
+ensure that sizes less than 4, or apperantly empty chunksizes are treated
+as EOF.
+
+To test this I have created two cpio initrds, first a normal one,
+main.cpio. And second one with just a single /test-file with content
+"second" second.cpio. Then i compressed both of them with gzip, and with
+lz4 -l. Then I created a padding of 4 bytes (dd if=/dev/zero of=pad4 bs=1
+count=4). To create four testcase initrds:
+
+ 1) main.cpio.gzip + extra.cpio.gzip = pad0.gzip
+ 2) main.cpio.lz4 + extra.cpio.lz4 = pad0.lz4
+ 3) main.cpio.gzip + pad4 + extra.cpio.gzip = pad4.gzip
+ 4) main.cpio.lz4 + pad4 + extra.cpio.lz4 = pad4.lz4
+
+The pad4 test-cases replicate the initrd load by grub, as it pads and
+aligns every initrd it loads.
+
+All of the above boot, however /test-file was not accessible in the initrd
+for the testcase #4, as decoding in lz4 decompressor failed. Also an
+error message printed which usually is harmless.
+
+Whith a patched kernel, all of the above testcases now pass, and
+/test-file is accessible.
+
+This fixes lz4 initrd decompress warning on every boot with grub. And
+more importantly this fixes inability to load multiple lz4 compressed
+initrds with grub. This patch has been shipping in Ubuntu kernels since
+January 2021.
+
+[1] ./Documentation/driver-api/early-userspace/buffer-format.rst
+
+BugLink: https://bugs.launchpad.net/bugs/1835660
+Link: https://lore.kernel.org/lkml/20210114200256.196589-1-xnox@ubuntu.com/ # v0
+Link: https://lkml.kernel.org/r/20210513104831.432975-1-dimitri.ledkov@canonical.com
+Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
+Cc: Kyungsik Lee <kyungsik.lee@lge.com>
+Cc: Yinghai Lu <yinghai@kernel.org>
+Cc: Bongkyu Kim <bongkyu.kim@lge.com>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Sven Schmidt <4sschmid@informatik.uni-hamburg.de>
+Cc: Rajat Asthana <thisisrast7@gmail.com>
+Cc: Nick Terrell <terrelln@fb.com>
+Cc: Gao Xiang <hsiangkao@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/decompress_unlz4.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/lib/decompress_unlz4.c b/lib/decompress_unlz4.c
+index 036fc882cd72..f1449244fdd4 100644
+--- a/lib/decompress_unlz4.c
++++ b/lib/decompress_unlz4.c
+@@ -115,6 +115,9 @@ STATIC inline int INIT unlz4(u8 *input, long in_len,
+ error("data corrupted");
+ goto exit_2;
+ }
++ } else if (size < 4) {
++ /* empty or end-of-file */
++ goto exit_3;
+ }
+
+ chunksize = get_unaligned_le32(inp);
+@@ -128,6 +131,10 @@ STATIC inline int INIT unlz4(u8 *input, long in_len,
+ continue;
+ }
+
++ if (!fill && chunksize == 0) {
++ /* empty or end-of-file */
++ goto exit_3;
++ }
+
+ if (posp)
+ *posp += 4;
+@@ -184,6 +191,7 @@ STATIC inline int INIT unlz4(u8 *input, long in_len,
+ }
+ }
+
++exit_3:
+ ret = 0;
+ exit_2:
+ if (!input)
+--
+2.30.2
+
--- /dev/null
+From 4bea78116645623d070dabb916d26fedea31ffc9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 May 2021 11:43:21 -0400
+Subject: memory: fsl_ifc: fix leak of IO mapping on probe failure
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+
+[ Upstream commit 3b132ab67fc7a358fff35e808fa65d4bea452521 ]
+
+On probe error the driver should unmap the IO memory. Smatch reports:
+
+ drivers/memory/fsl_ifc.c:298 fsl_ifc_ctrl_probe() warn: 'fsl_ifc_ctrl_dev->gregs' not released on lines: 298.
+
+Fixes: a20cbdeffce2 ("powerpc/fsl: Add support for Integrated Flash Controller")
+Reported-by: kernel test robot <lkp@intel.com>
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Link: https://lore.kernel.org/r/20210527154322.81253-1-krzysztof.kozlowski@canonical.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/memory/fsl_ifc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/memory/fsl_ifc.c b/drivers/memory/fsl_ifc.c
+index acd1460cf787..040be4638140 100644
+--- a/drivers/memory/fsl_ifc.c
++++ b/drivers/memory/fsl_ifc.c
+@@ -228,8 +228,7 @@ static int fsl_ifc_ctrl_probe(struct platform_device *dev)
+ fsl_ifc_ctrl_dev->regs = of_iomap(dev->dev.of_node, 0);
+ if (!fsl_ifc_ctrl_dev->regs) {
+ dev_err(&dev->dev, "failed to get memory region\n");
+- ret = -ENODEV;
+- goto err;
++ return -ENODEV;
+ }
+
+ version = ifc_in32(&fsl_ifc_ctrl_dev->regs->ifc_rev) &
+@@ -306,6 +305,7 @@ err_irq:
+ free_irq(fsl_ifc_ctrl_dev->irq, fsl_ifc_ctrl_dev);
+ irq_dispose_mapping(fsl_ifc_ctrl_dev->irq);
+ err:
++ iounmap(fsl_ifc_ctrl_dev->gregs);
+ return ret;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From e33a25ce7259a31a6ce87ec461347ae60ed0e4a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 May 2021 11:43:22 -0400
+Subject: memory: fsl_ifc: fix leak of private memory on probe failure
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+
+[ Upstream commit 8e0d09b1232d0538066c40ed4c13086faccbdff6 ]
+
+On probe error the driver should free the memory allocated for private
+structure. Fix this by using resource-managed allocation.
+
+Fixes: a20cbdeffce2 ("powerpc/fsl: Add support for Integrated Flash Controller")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Link: https://lore.kernel.org/r/20210527154322.81253-2-krzysztof.kozlowski@canonical.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/memory/fsl_ifc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/memory/fsl_ifc.c b/drivers/memory/fsl_ifc.c
+index 040be4638140..65b984d64350 100644
+--- a/drivers/memory/fsl_ifc.c
++++ b/drivers/memory/fsl_ifc.c
+@@ -107,7 +107,6 @@ static int fsl_ifc_ctrl_remove(struct platform_device *dev)
+ iounmap(ctrl->regs);
+
+ dev_set_drvdata(&dev->dev, NULL);
+- kfree(ctrl);
+
+ return 0;
+ }
+@@ -218,7 +217,8 @@ static int fsl_ifc_ctrl_probe(struct platform_device *dev)
+
+ dev_info(&dev->dev, "Freescale Integrated Flash Controller\n");
+
+- fsl_ifc_ctrl_dev = kzalloc(sizeof(*fsl_ifc_ctrl_dev), GFP_KERNEL);
++ fsl_ifc_ctrl_dev = devm_kzalloc(&dev->dev, sizeof(*fsl_ifc_ctrl_dev),
++ GFP_KERNEL);
+ if (!fsl_ifc_ctrl_dev)
+ return -ENOMEM;
+
+--
+2.30.2
+
--- /dev/null
+From e5e2caa0d55b31b7d81b1064a0b3569ed2591c39 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 May 2021 14:33:46 +0800
+Subject: mfd: da9052/stmpe: Add and modify MODULE_DEVICE_TABLE
+
+From: Zou Wei <zou_wei@huawei.com>
+
+[ Upstream commit 4700ef326556ed74aba188f12396740a8c1c21dd ]
+
+This patch adds/modifies MODULE_DEVICE_TABLE definition which generates
+correct modalias for automatic loading of this driver when it is built
+as an external module.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zou Wei <zou_wei@huawei.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/da9052-i2c.c | 1 +
+ drivers/mfd/stmpe-i2c.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mfd/da9052-i2c.c b/drivers/mfd/da9052-i2c.c
+index 2697ffb08009..2992fd94bc0c 100644
+--- a/drivers/mfd/da9052-i2c.c
++++ b/drivers/mfd/da9052-i2c.c
+@@ -118,6 +118,7 @@ static const struct i2c_device_id da9052_i2c_id[] = {
+ {"da9053-bc", DA9053_BC},
+ {}
+ };
++MODULE_DEVICE_TABLE(i2c, da9052_i2c_id);
+
+ #ifdef CONFIG_OF
+ static const struct of_device_id dialog_dt_ids[] = {
+diff --git a/drivers/mfd/stmpe-i2c.c b/drivers/mfd/stmpe-i2c.c
+index c3f4aab53b07..663a6c1c3d0d 100644
+--- a/drivers/mfd/stmpe-i2c.c
++++ b/drivers/mfd/stmpe-i2c.c
+@@ -107,7 +107,7 @@ static const struct i2c_device_id stmpe_i2c_id[] = {
+ { "stmpe2403", STMPE2403 },
+ { }
+ };
+-MODULE_DEVICE_TABLE(i2c, stmpe_id);
++MODULE_DEVICE_TABLE(i2c, stmpe_i2c_id);
+
+ static struct i2c_driver stmpe_i2c_driver = {
+ .driver = {
+--
+2.30.2
+
--- /dev/null
+From d8b28fbc6918a744455c2dfcd0deb290601dd189 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Jul 2021 16:02:11 -0700
+Subject: mips: disable branch profiling in boot/decompress.o
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 97e488073cfca0eea84450169ca4cbfcc64e33e3 ]
+
+Use DISABLE_BRANCH_PROFILING for arch/mips/boot/compressed/decompress.o
+to prevent linkage errors.
+
+mips64-linux-ld: arch/mips/boot/compressed/decompress.o: in function `LZ4_decompress_fast_extDict':
+decompress.c:(.text+0x8c): undefined reference to `ftrace_likely_update'
+mips64-linux-ld: decompress.c:(.text+0xf4): undefined reference to `ftrace_likely_update'
+mips64-linux-ld: decompress.c:(.text+0x200): undefined reference to `ftrace_likely_update'
+mips64-linux-ld: decompress.c:(.text+0x230): undefined reference to `ftrace_likely_update'
+mips64-linux-ld: decompress.c:(.text+0x320): undefined reference to `ftrace_likely_update'
+mips64-linux-ld: arch/mips/boot/compressed/decompress.o:decompress.c:(.text+0x3f4): more undefined references to `ftrace_likely_update' follow
+
+Fixes: e76e1fdfa8f8 ("lib: add support for LZ4-compressed kernel")
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Cc: linux-mips@vger.kernel.org
+Cc: Kyungsik Lee <kyungsik.lee@lge.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/boot/compressed/decompress.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/mips/boot/compressed/decompress.c b/arch/mips/boot/compressed/decompress.c
+index 080cd53bac36..a1a54a3af03b 100644
+--- a/arch/mips/boot/compressed/decompress.c
++++ b/arch/mips/boot/compressed/decompress.c
+@@ -11,6 +11,8 @@
+ * option) any later version.
+ */
+
++#define DISABLE_BRANCH_PROFILING
++
+ #include <linux/types.h>
+ #include <linux/kernel.h>
+ #include <linux/string.h>
+--
+2.30.2
+
--- /dev/null
+From f684892186086766db956fc5aec62fe68c099937 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Jul 2021 02:03:54 +0200
+Subject: MIPS: vdso: Invalid GIC access through VDSO
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Martin Fäcknitz <faecknitz@hotsplots.de>
+
+[ Upstream commit 47ce8527fbba145a7723685bc9a27d9855e06491 ]
+
+Accessing raw timers (currently only CLOCK_MONOTONIC_RAW) through VDSO
+doesn't return the correct time when using the GIC as clock source.
+The address of the GIC mapped page is in this case not calculated
+correctly. The GIC mapped page is calculated from the VDSO data by
+subtracting PAGE_SIZE:
+
+ void *get_gic(const struct vdso_data *data) {
+ return (void __iomem *)data - PAGE_SIZE;
+ }
+
+However, the data pointer is not page aligned for raw clock sources.
+This is because the VDSO data for raw clock sources (CS_RAW = 1) is
+stored after the VDSO data for coarse clock sources (CS_HRES_COARSE = 0).
+Therefore, only the VDSO data for CS_HRES_COARSE is page aligned:
+
+ +--------------------+
+ | |
+ | vd[CS_RAW] | ---+
+ | vd[CS_HRES_COARSE] | |
+ +--------------------+ | -PAGE_SIZE
+ | | |
+ | GIC mapped page | <--+
+ | |
+ +--------------------+
+
+When __arch_get_hw_counter() is called with &vd[CS_RAW], get_gic returns
+the wrong address (somewhere inside the GIC mapped page). The GIC counter
+values are not returned which results in an invalid time.
+
+Fixes: a7f4df4e21dd ("MIPS: VDSO: Add implementations of gettimeofday() and clock_gettime()")
+Signed-off-by: Martin Fäcknitz <faecknitz@hotsplots.de>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/vdso/vdso.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/mips/vdso/vdso.h b/arch/mips/vdso/vdso.h
+index cfb1be441dec..921589b45bc2 100644
+--- a/arch/mips/vdso/vdso.h
++++ b/arch/mips/vdso/vdso.h
+@@ -81,7 +81,7 @@ static inline const union mips_vdso_data *get_vdso_data(void)
+
+ static inline void __iomem *get_gic(const union mips_vdso_data *data)
+ {
+- return (void __iomem *)data - PAGE_SIZE;
++ return (void __iomem *)((unsigned long)data & PAGE_MASK) - PAGE_SIZE;
+ }
+
+ #endif /* CONFIG_CLKSRC_MIPS_GIC */
+--
+2.30.2
+
--- /dev/null
+From 1e610d354615c13632e15554bbfcc037431b3ec4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Apr 2021 10:06:20 -0700
+Subject: misc/libmasm/module: Fix two use after free in ibmasm_init_one
+
+From: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+
+[ Upstream commit 7272b591c4cb9327c43443f67b8fbae7657dd9ae ]
+
+In ibmasm_init_one, it calls ibmasm_init_remote_input_dev().
+Inside ibmasm_init_remote_input_dev, mouse_dev and keybd_dev are
+allocated by input_allocate_device(), and assigned to
+sp->remote.mouse_dev and sp->remote.keybd_dev respectively.
+
+In the err_free_devices error branch of ibmasm_init_one,
+mouse_dev and keybd_dev are freed by input_free_device(), and return
+error. Then the execution runs into error_send_message error branch
+of ibmasm_init_one, where ibmasm_free_remote_input_dev(sp) is called
+to unregister the freed sp->remote.mouse_dev and sp->remote.keybd_dev.
+
+My patch add a "error_init_remote" label to handle the error of
+ibmasm_init_remote_input_dev(), to avoid the uaf bugs.
+
+Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+Link: https://lore.kernel.org/r/20210426170620.10546-1-lyl2019@mail.ustc.edu.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/ibmasm/module.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/misc/ibmasm/module.c b/drivers/misc/ibmasm/module.c
+index 6b3bf9ab051d..706decef68a0 100644
+--- a/drivers/misc/ibmasm/module.c
++++ b/drivers/misc/ibmasm/module.c
+@@ -123,7 +123,7 @@ static int ibmasm_init_one(struct pci_dev *pdev, const struct pci_device_id *id)
+ result = ibmasm_init_remote_input_dev(sp);
+ if (result) {
+ dev_err(sp->dev, "Failed to initialize remote queue\n");
+- goto error_send_message;
++ goto error_init_remote;
+ }
+
+ result = ibmasm_send_driver_vpd(sp);
+@@ -143,8 +143,9 @@ static int ibmasm_init_one(struct pci_dev *pdev, const struct pci_device_id *id)
+ return 0;
+
+ error_send_message:
+- disable_sp_interrupts(sp->base_address);
+ ibmasm_free_remote_input_dev(sp);
++error_init_remote:
++ disable_sp_interrupts(sp->base_address);
+ free_irq(sp->irq, (void *)sp);
+ error_request_irq:
+ iounmap(sp->base_address);
+--
+2.30.2
+
--- /dev/null
+From 800880c3bcdb1f55b9acf1e79ece0d48bda2d01b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jun 2021 12:20:55 +0800
+Subject: nfs: fix acl memory leak of posix_acl_create()
+
+From: Gao Xiang <hsiangkao@linux.alibaba.com>
+
+[ Upstream commit 1fcb6fcd74a222d9ead54d405842fc763bb86262 ]
+
+When looking into another nfs xfstests report, I found acl and
+default_acl in nfs3_proc_create() and nfs3_proc_mknod() error
+paths are possibly leaked. Fix them in advance.
+
+Fixes: 013cdf1088d7 ("nfs: use generic posix ACL infrastructure for v3 Posix ACLs")
+Cc: Trond Myklebust <trond.myklebust@hammerspace.com>
+Cc: Anna Schumaker <anna.schumaker@netapp.com>
+Cc: Christoph Hellwig <hch@infradead.org>
+Cc: Joseph Qi <joseph.qi@linux.alibaba.com>
+Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs3proc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/nfs/nfs3proc.c b/fs/nfs/nfs3proc.c
+index cb28cceefebe..9f365b004453 100644
+--- a/fs/nfs/nfs3proc.c
++++ b/fs/nfs/nfs3proc.c
+@@ -363,7 +363,7 @@ nfs3_proc_create(struct inode *dir, struct dentry *dentry, struct iattr *sattr,
+ break;
+
+ case NFS3_CREATE_UNCHECKED:
+- goto out;
++ goto out_release_acls;
+ }
+ nfs_fattr_init(data->res.dir_attr);
+ nfs_fattr_init(data->res.fattr);
+@@ -708,7 +708,7 @@ nfs3_proc_mknod(struct inode *dir, struct dentry *dentry, struct iattr *sattr,
+ break;
+ default:
+ status = -EINVAL;
+- goto out;
++ goto out_release_acls;
+ }
+
+ status = nfs3_do_create(dir, dentry, data);
+--
+2.30.2
+
--- /dev/null
+From 94e4a8a8e555ff26e8408404bae02c3db236ece7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jun 2021 00:01:12 +0000
+Subject: PCI/sysfs: Fix dsm_label_utf16s_to_utf8s() buffer overrun
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Krzysztof Wilczyński <kw@linux.com>
+
+[ Upstream commit bdcdaa13ad96f1a530711c29e6d4b8311eff767c ]
+
+"utf16s_to_utf8s(..., buf, PAGE_SIZE)" puts up to PAGE_SIZE bytes into
+"buf" and returns the number of bytes it actually put there. If it wrote
+PAGE_SIZE bytes, the newline added by dsm_label_utf16s_to_utf8s() would
+overrun "buf".
+
+Reduce the size available for utf16s_to_utf8s() to use so there is always
+space for the newline.
+
+[bhelgaas: reorder patch in series, commit log]
+Fixes: 6058989bad05 ("PCI: Export ACPI _DSM provided firmware instance number and string name to sysfs")
+Link: https://lore.kernel.org/r/20210603000112.703037-7-kw@linux.com
+Reported-by: Joe Perches <joe@perches.com>
+Signed-off-by: Krzysztof Wilczyński <kw@linux.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pci-label.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pci/pci-label.c b/drivers/pci/pci-label.c
+index 024b5c179348..7d200a88cd74 100644
+--- a/drivers/pci/pci-label.c
++++ b/drivers/pci/pci-label.c
+@@ -157,7 +157,7 @@ static void dsm_label_utf16s_to_utf8s(union acpi_object *obj, char *buf)
+ len = utf16s_to_utf8s((const wchar_t *)obj->buffer.pointer,
+ obj->buffer.length,
+ UTF16_LITTLE_ENDIAN,
+- buf, PAGE_SIZE);
++ buf, PAGE_SIZE - 1);
+ buf[len] = '\n';
+ }
+
+--
+2.30.2
+
--- /dev/null
+From b181057a6650631f5eee4f7cb743e1cda7e92186 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 8 May 2021 11:14:59 +0800
+Subject: power: reset: gpio-poweroff: add missing MODULE_DEVICE_TABLE
+
+From: Bixuan Cui <cuibixuan@huawei.com>
+
+[ Upstream commit ed3443fb4df4e140a22f65144546c8a8e1e27f4e ]
+
+This patch adds missing MODULE_DEVICE_TABLE definition which generates
+correct modalias for automatic loading of this driver when it is built
+as an external module.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Bixuan Cui <cuibixuan@huawei.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/reset/gpio-poweroff.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/power/reset/gpio-poweroff.c b/drivers/power/reset/gpio-poweroff.c
+index be3d81ff51cc..a44e3427fdeb 100644
+--- a/drivers/power/reset/gpio-poweroff.c
++++ b/drivers/power/reset/gpio-poweroff.c
+@@ -84,6 +84,7 @@ static const struct of_device_id of_gpio_poweroff_match[] = {
+ { .compatible = "gpio-poweroff", },
+ {},
+ };
++MODULE_DEVICE_TABLE(of, of_gpio_poweroff_match);
+
+ static struct platform_driver gpio_poweroff_driver = {
+ .probe = gpio_poweroff_probe,
+--
+2.30.2
+
--- /dev/null
+From 039bca84c49c08f2f92f5d805c9ac25d3748a7f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Jun 2021 09:21:41 +0800
+Subject: power: supply: ab8500: add missing MODULE_DEVICE_TABLE
+
+From: Zou Wei <zou_wei@huawei.com>
+
+[ Upstream commit dfe52db13ab8d24857a9840ec7ca75eef800c26c ]
+
+This patch adds missing MODULE_DEVICE_TABLE definition which generates
+correct modalias for automatic loading of this driver when it is built
+as an external module.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zou Wei <zou_wei@huawei.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/ab8500_btemp.c | 1 +
+ drivers/power/ab8500_charger.c | 1 +
+ drivers/power/ab8500_fg.c | 1 +
+ 3 files changed, 3 insertions(+)
+
+diff --git a/drivers/power/ab8500_btemp.c b/drivers/power/ab8500_btemp.c
+index 8f8044e1acf3..24732df01cf9 100644
+--- a/drivers/power/ab8500_btemp.c
++++ b/drivers/power/ab8500_btemp.c
+@@ -1186,6 +1186,7 @@ static const struct of_device_id ab8500_btemp_match[] = {
+ { .compatible = "stericsson,ab8500-btemp", },
+ { },
+ };
++MODULE_DEVICE_TABLE(of, ab8500_btemp_match);
+
+ static struct platform_driver ab8500_btemp_driver = {
+ .probe = ab8500_btemp_probe,
+diff --git a/drivers/power/ab8500_charger.c b/drivers/power/ab8500_charger.c
+index 98724c3a28e5..1a7013ec0caf 100644
+--- a/drivers/power/ab8500_charger.c
++++ b/drivers/power/ab8500_charger.c
+@@ -3756,6 +3756,7 @@ static const struct of_device_id ab8500_charger_match[] = {
+ { .compatible = "stericsson,ab8500-charger", },
+ { },
+ };
++MODULE_DEVICE_TABLE(of, ab8500_charger_match);
+
+ static struct platform_driver ab8500_charger_driver = {
+ .probe = ab8500_charger_probe,
+diff --git a/drivers/power/ab8500_fg.c b/drivers/power/ab8500_fg.c
+index d91111200dde..c58b496ca05a 100644
+--- a/drivers/power/ab8500_fg.c
++++ b/drivers/power/ab8500_fg.c
+@@ -3239,6 +3239,7 @@ static const struct of_device_id ab8500_fg_match[] = {
+ { .compatible = "stericsson,ab8500-fg", },
+ { },
+ };
++MODULE_DEVICE_TABLE(of, ab8500_fg_match);
+
+ static struct platform_driver ab8500_fg_driver = {
+ .probe = ab8500_fg_probe,
+--
+2.30.2
+
--- /dev/null
+From 25dc9abfc4fdcb9a5f8bc575059b51c01b1f3cca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 23 May 2021 00:50:41 +0200
+Subject: power: supply: ab8500: Avoid NULL pointers
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+[ Upstream commit 5bcb5087c9dd3dca1ff0ebd8002c5313c9332b56 ]
+
+Sometimes the code will crash because we haven't enabled
+AC or USB charging and thus not created the corresponding
+psy device. Fix it by checking that it is there before
+notifying.
+
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/ab8500_charger.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/power/ab8500_charger.c b/drivers/power/ab8500_charger.c
+index e388171f4e58..98724c3a28e5 100644
+--- a/drivers/power/ab8500_charger.c
++++ b/drivers/power/ab8500_charger.c
+@@ -409,6 +409,14 @@ disable_otp:
+ static void ab8500_power_supply_changed(struct ab8500_charger *di,
+ struct power_supply *psy)
+ {
++ /*
++ * This happens if we get notifications or interrupts and
++ * the platform has been configured not to support one or
++ * other type of charging.
++ */
++ if (!psy)
++ return;
++
+ if (di->autopower_cfg) {
+ if (!di->usb.charger_connected &&
+ !di->ac.charger_connected &&
+@@ -435,7 +443,15 @@ static void ab8500_charger_set_usb_connected(struct ab8500_charger *di,
+ if (!connected)
+ di->flags.vbus_drop_end = false;
+
+- sysfs_notify(&di->usb_chg.psy->dev.kobj, NULL, "present");
++ /*
++ * Sometimes the platform is configured not to support
++ * USB charging and no psy has been created, but we still
++ * will get these notifications.
++ */
++ if (di->usb_chg.psy) {
++ sysfs_notify(&di->usb_chg.psy->dev.kobj, NULL,
++ "present");
++ }
+
+ if (connected) {
+ mutex_lock(&di->charger_attached_mutex);
+--
+2.30.2
+
--- /dev/null
+From 51b8878c2f15b44815ffa1168e5a97aaaf36b6d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Jun 2021 09:21:54 +0800
+Subject: power: supply: charger-manager: add missing MODULE_DEVICE_TABLE
+
+From: Zou Wei <zou_wei@huawei.com>
+
+[ Upstream commit 073b5d5b1f9cc94a3eea25279fbafee3f4f5f097 ]
+
+This patch adds missing MODULE_DEVICE_TABLE definition which generates
+correct modalias for automatic loading of this driver when it is built
+as an external module.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zou Wei <zou_wei@huawei.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/charger-manager.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/power/charger-manager.c b/drivers/power/charger-manager.c
+index 1ea5d1aa268b..6656f847ed93 100644
+--- a/drivers/power/charger-manager.c
++++ b/drivers/power/charger-manager.c
+@@ -1490,6 +1490,7 @@ static const struct of_device_id charger_manager_match[] = {
+ },
+ {},
+ };
++MODULE_DEVICE_TABLE(of, charger_manager_match);
+
+ static struct charger_desc *of_cm_parse_desc(struct device *dev)
+ {
+--
+2.30.2
+
--- /dev/null
+From 51c3ec9cbed0252b80b9c51605b6e5abc96916dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jun 2021 13:49:00 +1000
+Subject: powerpc/boot: Fixup device-tree on little endian
+
+From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+
+[ Upstream commit c93f80849bdd9b45d834053ae1336e28f0026c84 ]
+
+This fixes the core devtree.c functions and the ns16550 UART backend.
+
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+Reviewed-by: Segher Boessenkool <segher@kernel.crashing.org>
+Acked-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/YMwXrPT8nc4YUdJ9@thinks.paulus.ozlabs.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/boot/devtree.c | 59 +++++++++++++++++++++----------------
+ arch/powerpc/boot/ns16550.c | 9 ++++--
+ 2 files changed, 41 insertions(+), 27 deletions(-)
+
+diff --git a/arch/powerpc/boot/devtree.c b/arch/powerpc/boot/devtree.c
+index a7e21a35c03a..27c84b82b588 100644
+--- a/arch/powerpc/boot/devtree.c
++++ b/arch/powerpc/boot/devtree.c
+@@ -17,6 +17,7 @@
+ #include "string.h"
+ #include "stdio.h"
+ #include "ops.h"
++#include "of.h"
+
+ void dt_fixup_memory(u64 start, u64 size)
+ {
+@@ -27,21 +28,25 @@ void dt_fixup_memory(u64 start, u64 size)
+ root = finddevice("/");
+ if (getprop(root, "#address-cells", &naddr, sizeof(naddr)) < 0)
+ naddr = 2;
++ else
++ naddr = be32_to_cpu(naddr);
+ if (naddr < 1 || naddr > 2)
+ fatal("Can't cope with #address-cells == %d in /\n\r", naddr);
+
+ if (getprop(root, "#size-cells", &nsize, sizeof(nsize)) < 0)
+ nsize = 1;
++ else
++ nsize = be32_to_cpu(nsize);
+ if (nsize < 1 || nsize > 2)
+ fatal("Can't cope with #size-cells == %d in /\n\r", nsize);
+
+ i = 0;
+ if (naddr == 2)
+- memreg[i++] = start >> 32;
+- memreg[i++] = start & 0xffffffff;
++ memreg[i++] = cpu_to_be32(start >> 32);
++ memreg[i++] = cpu_to_be32(start & 0xffffffff);
+ if (nsize == 2)
+- memreg[i++] = size >> 32;
+- memreg[i++] = size & 0xffffffff;
++ memreg[i++] = cpu_to_be32(size >> 32);
++ memreg[i++] = cpu_to_be32(size & 0xffffffff);
+
+ memory = finddevice("/memory");
+ if (! memory) {
+@@ -49,9 +54,9 @@ void dt_fixup_memory(u64 start, u64 size)
+ setprop_str(memory, "device_type", "memory");
+ }
+
+- printf("Memory <- <0x%x", memreg[0]);
++ printf("Memory <- <0x%x", be32_to_cpu(memreg[0]));
+ for (i = 1; i < (naddr + nsize); i++)
+- printf(" 0x%x", memreg[i]);
++ printf(" 0x%x", be32_to_cpu(memreg[i]));
+ printf("> (%ldMB)\n\r", (unsigned long)(size >> 20));
+
+ setprop(memory, "reg", memreg, (naddr + nsize)*sizeof(u32));
+@@ -69,10 +74,10 @@ void dt_fixup_cpu_clocks(u32 cpu, u32 tb, u32 bus)
+ printf("CPU bus-frequency <- 0x%x (%dMHz)\n\r", bus, MHZ(bus));
+
+ while ((devp = find_node_by_devtype(devp, "cpu"))) {
+- setprop_val(devp, "clock-frequency", cpu);
+- setprop_val(devp, "timebase-frequency", tb);
++ setprop_val(devp, "clock-frequency", cpu_to_be32(cpu));
++ setprop_val(devp, "timebase-frequency", cpu_to_be32(tb));
+ if (bus > 0)
+- setprop_val(devp, "bus-frequency", bus);
++ setprop_val(devp, "bus-frequency", cpu_to_be32(bus));
+ }
+
+ timebase_period_ns = 1000000000 / tb;
+@@ -84,7 +89,7 @@ void dt_fixup_clock(const char *path, u32 freq)
+
+ if (devp) {
+ printf("%s: clock-frequency <- %x (%dMHz)\n\r", path, freq, MHZ(freq));
+- setprop_val(devp, "clock-frequency", freq);
++ setprop_val(devp, "clock-frequency", cpu_to_be32(freq));
+ }
+ }
+
+@@ -137,8 +142,12 @@ void dt_get_reg_format(void *node, u32 *naddr, u32 *nsize)
+ {
+ if (getprop(node, "#address-cells", naddr, 4) != 4)
+ *naddr = 2;
++ else
++ *naddr = be32_to_cpu(*naddr);
+ if (getprop(node, "#size-cells", nsize, 4) != 4)
+ *nsize = 1;
++ else
++ *nsize = be32_to_cpu(*nsize);
+ }
+
+ static void copy_val(u32 *dest, u32 *src, int naddr)
+@@ -167,9 +176,9 @@ static int add_reg(u32 *reg, u32 *add, int naddr)
+ int i, carry = 0;
+
+ for (i = MAX_ADDR_CELLS - 1; i >= MAX_ADDR_CELLS - naddr; i--) {
+- u64 tmp = (u64)reg[i] + add[i] + carry;
++ u64 tmp = (u64)be32_to_cpu(reg[i]) + be32_to_cpu(add[i]) + carry;
+ carry = tmp >> 32;
+- reg[i] = (u32)tmp;
++ reg[i] = cpu_to_be32((u32)tmp);
+ }
+
+ return !carry;
+@@ -184,18 +193,18 @@ static int compare_reg(u32 *reg, u32 *range, u32 *rangesize)
+ u32 end;
+
+ for (i = 0; i < MAX_ADDR_CELLS; i++) {
+- if (reg[i] < range[i])
++ if (be32_to_cpu(reg[i]) < be32_to_cpu(range[i]))
+ return 0;
+- if (reg[i] > range[i])
++ if (be32_to_cpu(reg[i]) > be32_to_cpu(range[i]))
+ break;
+ }
+
+ for (i = 0; i < MAX_ADDR_CELLS; i++) {
+- end = range[i] + rangesize[i];
++ end = be32_to_cpu(range[i]) + be32_to_cpu(rangesize[i]);
+
+- if (reg[i] < end)
++ if (be32_to_cpu(reg[i]) < end)
+ break;
+- if (reg[i] > end)
++ if (be32_to_cpu(reg[i]) > end)
+ return 0;
+ }
+
+@@ -244,7 +253,6 @@ static int dt_xlate(void *node, int res, int reglen, unsigned long *addr,
+ return 0;
+
+ dt_get_reg_format(parent, &naddr, &nsize);
+-
+ if (nsize > 2)
+ return 0;
+
+@@ -256,10 +264,10 @@ static int dt_xlate(void *node, int res, int reglen, unsigned long *addr,
+
+ copy_val(last_addr, prop_buf + offset, naddr);
+
+- ret_size = prop_buf[offset + naddr];
++ ret_size = be32_to_cpu(prop_buf[offset + naddr]);
+ if (nsize == 2) {
+ ret_size <<= 32;
+- ret_size |= prop_buf[offset + naddr + 1];
++ ret_size |= be32_to_cpu(prop_buf[offset + naddr + 1]);
+ }
+
+ for (;;) {
+@@ -282,7 +290,6 @@ static int dt_xlate(void *node, int res, int reglen, unsigned long *addr,
+
+ offset = find_range(last_addr, prop_buf, prev_naddr,
+ naddr, prev_nsize, buflen / 4);
+-
+ if (offset < 0)
+ return 0;
+
+@@ -300,8 +307,7 @@ static int dt_xlate(void *node, int res, int reglen, unsigned long *addr,
+ if (naddr > 2)
+ return 0;
+
+- ret_addr = ((u64)last_addr[2] << 32) | last_addr[3];
+-
++ ret_addr = ((u64)be32_to_cpu(last_addr[2]) << 32) | be32_to_cpu(last_addr[3]);
+ if (sizeof(void *) == 4 &&
+ (ret_addr >= 0x100000000ULL || ret_size > 0x100000000ULL ||
+ ret_addr + ret_size > 0x100000000ULL))
+@@ -354,11 +360,14 @@ int dt_is_compatible(void *node, const char *compat)
+ int dt_get_virtual_reg(void *node, void **addr, int nres)
+ {
+ unsigned long xaddr;
+- int n;
++ int n, i;
+
+ n = getprop(node, "virtual-reg", addr, nres * 4);
+- if (n > 0)
++ if (n > 0) {
++ for (i = 0; i < n/4; i ++)
++ ((u32 *)addr)[i] = be32_to_cpu(((u32 *)addr)[i]);
+ return n / 4;
++ }
+
+ for (n = 0; n < nres; n++) {
+ if (!dt_xlate_reg(node, n, &xaddr, NULL))
+diff --git a/arch/powerpc/boot/ns16550.c b/arch/powerpc/boot/ns16550.c
+index 8c9ead94be06..cea34a20085c 100644
+--- a/arch/powerpc/boot/ns16550.c
++++ b/arch/powerpc/boot/ns16550.c
+@@ -14,6 +14,7 @@
+ #include "stdio.h"
+ #include "io.h"
+ #include "ops.h"
++#include "of.h"
+
+ #define UART_DLL 0 /* Out: Divisor Latch Low */
+ #define UART_DLM 1 /* Out: Divisor Latch High */
+@@ -57,16 +58,20 @@ int ns16550_console_init(void *devp, struct serial_console_data *scdp)
+ int n;
+ u32 reg_offset;
+
+- if (dt_get_virtual_reg(devp, (void **)®_base, 1) < 1)
++ if (dt_get_virtual_reg(devp, (void **)®_base, 1) < 1) {
++ printf("virt reg parse fail...\r\n");
+ return -1;
++ }
+
+ n = getprop(devp, "reg-offset", ®_offset, sizeof(reg_offset));
+ if (n == sizeof(reg_offset))
+- reg_base += reg_offset;
++ reg_base += be32_to_cpu(reg_offset);
+
+ n = getprop(devp, "reg-shift", ®_shift, sizeof(reg_shift));
+ if (n != sizeof(reg_shift))
+ reg_shift = 0;
++ else
++ reg_shift = be32_to_cpu(reg_shift);
+
+ scdp->open = ns16550_open;
+ scdp->putc = ns16550_putc;
+--
+2.30.2
+
--- /dev/null
+From 7e8f1b6bc3cd9b1aaa5eb1d7dba20da2a4b3459a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jun 2021 19:17:02 +0000
+Subject: powerpc/ps3: Add dma_mask to ps3_dma_region
+
+From: Geoff Levand <geoff@infradead.org>
+
+[ Upstream commit 9733862e50fdba55e7f1554e4286fcc5302ff28e ]
+
+Commit f959dcd6ddfd29235030e8026471ac1b022ad2b0 (dma-direct: Fix
+potential NULL pointer dereference) added a null check on the
+dma_mask pointer of the kernel's device structure.
+
+Add a dma_mask variable to the ps3_dma_region structure and set
+the device structure's dma_mask pointer to point to this new variable.
+
+Fixes runtime errors like these:
+# WARNING: Fixes tag on line 10 doesn't match correct format
+# WARNING: Fixes tag on line 10 doesn't match correct format
+
+ ps3_system_bus_match:349: dev=8.0(sb_01), drv=8.0(ps3flash): match
+ WARNING: CPU: 0 PID: 1 at kernel/dma/mapping.c:151 .dma_map_page_attrs+0x34/0x1e0
+ ps3flash sb_01: ps3stor_setup:193: map DMA region failed
+
+Signed-off-by: Geoff Levand <geoff@infradead.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/562d0c9ea0100a30c3b186bcc7adb34b0bbd2cd7.1622746428.git.geoff@infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/ps3.h | 2 ++
+ arch/powerpc/platforms/ps3/mm.c | 12 ++++++++++++
+ 2 files changed, 14 insertions(+)
+
+diff --git a/arch/powerpc/include/asm/ps3.h b/arch/powerpc/include/asm/ps3.h
+index a1bc7e758422..2d729b53a556 100644
+--- a/arch/powerpc/include/asm/ps3.h
++++ b/arch/powerpc/include/asm/ps3.h
+@@ -83,6 +83,7 @@ struct ps3_dma_region_ops;
+ * @bus_addr: The 'translated' bus address of the region.
+ * @len: The length in bytes of the region.
+ * @offset: The offset from the start of memory of the region.
++ * @dma_mask: Device dma_mask.
+ * @ioid: The IOID of the device who owns this region
+ * @chunk_list: Opaque variable used by the ioc page manager.
+ * @region_ops: struct ps3_dma_region_ops - dma region operations
+@@ -97,6 +98,7 @@ struct ps3_dma_region {
+ enum ps3_dma_region_type region_type;
+ unsigned long len;
+ unsigned long offset;
++ u64 dma_mask;
+
+ /* driver variables (set by ps3_dma_region_create) */
+ unsigned long bus_addr;
+diff --git a/arch/powerpc/platforms/ps3/mm.c b/arch/powerpc/platforms/ps3/mm.c
+index 19bae78b1f25..76cbf1be9962 100644
+--- a/arch/powerpc/platforms/ps3/mm.c
++++ b/arch/powerpc/platforms/ps3/mm.c
+@@ -18,6 +18,7 @@
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
++#include <linux/dma-mapping.h>
+ #include <linux/kernel.h>
+ #include <linux/export.h>
+ #include <linux/memblock.h>
+@@ -1132,6 +1133,7 @@ int ps3_dma_region_init(struct ps3_system_bus_device *dev,
+ enum ps3_dma_region_type region_type, void *addr, unsigned long len)
+ {
+ unsigned long lpar_addr;
++ int result;
+
+ lpar_addr = addr ? ps3_mm_phys_to_lpar(__pa(addr)) : 0;
+
+@@ -1143,6 +1145,16 @@ int ps3_dma_region_init(struct ps3_system_bus_device *dev,
+ r->offset -= map.r1.offset;
+ r->len = len ? len : _ALIGN_UP(map.total, 1 << r->page_size);
+
++ dev->core.dma_mask = &r->dma_mask;
++
++ result = dma_set_mask_and_coherent(&dev->core, DMA_BIT_MASK(32));
++
++ if (result < 0) {
++ dev_err(&dev->core, "%s:%d: dma_set_mask_and_coherent failed: %d\n",
++ __func__, __LINE__, result);
++ return result;
++ }
++
+ switch (dev->dev_type) {
+ case PS3_DEVICE_TYPE_SB:
+ r->region_ops = (USE_DYNAMIC_DMA)
+--
+2.30.2
+
--- /dev/null
+From db09ca7140404450c92ef945f4ef496ba4c075f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Apr 2021 11:05:24 +0200
+Subject: pwm: spear: Don't modify HW state in .remove callback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit b601a18f12383001e7a8da238de7ca1559ebc450 ]
+
+A consumer is expected to disable a PWM before calling pwm_put(). And if
+they didn't there is hopefully a good reason (or the consumer needs
+fixing). Also if disabling an enabled PWM was the right thing to do,
+this should better be done in the framework instead of in each low level
+driver.
+
+So drop the hardware modification from the .remove() callback.
+
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pwm/pwm-spear.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/pwm/pwm-spear.c b/drivers/pwm/pwm-spear.c
+index 6c6b44fd3f43..2d11ac277de8 100644
+--- a/drivers/pwm/pwm-spear.c
++++ b/drivers/pwm/pwm-spear.c
+@@ -231,10 +231,6 @@ static int spear_pwm_probe(struct platform_device *pdev)
+ static int spear_pwm_remove(struct platform_device *pdev)
+ {
+ struct spear_pwm_chip *pc = platform_get_drvdata(pdev);
+- int i;
+-
+- for (i = 0; i < NUM_PWM; i++)
+- pwm_disable(&pc->chip.pwms[i]);
+
+ /* clk was prepared in probe, hence unprepare it here */
+ clk_unprepare(pc->clk);
+--
+2.30.2
+
--- /dev/null
+From 916489b5285bbed93336bd0fd4cc602a9f771829 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 May 2021 17:45:47 +0900
+Subject: Revert "ALSA: bebob/oxfw: fix Kconfig entry for Mackie d.2 Pro"
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+[ Upstream commit 5d6fb80a142b5994355ce675c517baba6089d199 ]
+
+This reverts commit 0edabdfe89581669609eaac5f6a8d0ae6fe95e7f.
+
+I've explained that optional FireWire card for d.2 is also built-in to
+d.2 Pro, however it's wrong. The optional card uses DM1000 ASIC and has
+'Mackie DJ Mixer' in its model name of configuration ROM. On the other
+hand, built-in FireWire card for d.2 Pro and d.4 Pro uses OXFW971 ASIC
+and has 'd.Pro' in its model name according to manuals and user
+experiences. The former card is not the card for d.2 Pro. They are similar
+in appearance but different internally.
+
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Link: https://lore.kernel.org/r/20210518084557.102681-2-o-takashi@sakamocchi.jp
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/firewire/Kconfig | 4 ++--
+ sound/firewire/bebob/bebob.c | 2 +-
+ sound/firewire/oxfw/oxfw.c | 2 +-
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/sound/firewire/Kconfig b/sound/firewire/Kconfig
+index fdc01466d143..4199cfc4a96a 100644
+--- a/sound/firewire/Kconfig
++++ b/sound/firewire/Kconfig
+@@ -36,7 +36,7 @@ config SND_OXFW
+ * Mackie(Loud) Onyx-i series (former models)
+ * Mackie(Loud) Onyx Satellite
+ * Mackie(Loud) Tapco Link.Firewire
+- * Mackie(Loud) d.4 pro
++ * Mackie(Loud) d.2 pro/d.4 pro (built-in FireWire card with OXFW971 ASIC)
+ * Mackie(Loud) U.420/U.420d
+ * TASCAM FireOne
+
+@@ -91,7 +91,7 @@ config SND_BEBOB
+ * PreSonus FIREBOX/FIREPOD/FP10/Inspire1394
+ * BridgeCo RDAudio1/Audio5
+ * Mackie Onyx 1220/1620/1640 (FireWire I/O Card)
+- * Mackie d.2 (FireWire Option) and d.2 Pro
++ * Mackie d.2 (optional FireWire card with DM1000 ASIC)
+ * Stanton FinalScratch 2 (ScratchAmp)
+ * Tascam IF-FW/DM
+ * Behringer XENIX UFX 1204/1604
+diff --git a/sound/firewire/bebob/bebob.c b/sound/firewire/bebob/bebob.c
+index 088250ff2429..64dca7931272 100644
+--- a/sound/firewire/bebob/bebob.c
++++ b/sound/firewire/bebob/bebob.c
+@@ -362,7 +362,7 @@ static const struct ieee1394_device_id bebob_id_table[] = {
+ SND_BEBOB_DEV_ENTRY(VEN_BRIDGECO, 0x00010049, &spec_normal),
+ /* Mackie, Onyx 1220/1620/1640 (Firewire I/O Card) */
+ SND_BEBOB_DEV_ENTRY(VEN_MACKIE2, 0x00010065, &spec_normal),
+- // Mackie, d.2 (Firewire option card) and d.2 Pro (the card is built-in).
++ // Mackie, d.2 (optional Firewire card with DM1000).
+ SND_BEBOB_DEV_ENTRY(VEN_MACKIE1, 0x00010067, &spec_normal),
+ /* Stanton, ScratchAmp */
+ SND_BEBOB_DEV_ENTRY(VEN_STANTON, 0x00000001, &spec_normal),
+diff --git a/sound/firewire/oxfw/oxfw.c b/sound/firewire/oxfw/oxfw.c
+index 2d310bf2f2b2..c700e11ab327 100644
+--- a/sound/firewire/oxfw/oxfw.c
++++ b/sound/firewire/oxfw/oxfw.c
+@@ -320,7 +320,7 @@ static const struct ieee1394_device_id oxfw_id_table[] = {
+ * Onyx-i series (former models): 0x081216
+ * Mackie Onyx Satellite: 0x00200f
+ * Tapco LINK.firewire 4x6: 0x000460
+- * d.4 pro: Unknown
++ * d.2 pro/d.4 pro (built-in card): Unknown
+ * U.420: Unknown
+ * U.420d: Unknown
+ */
+--
+2.30.2
+
--- /dev/null
+From cf45095adafe4bacab576d8125b192eb831e236e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 May 2021 10:19:26 +0300
+Subject: rtc: fix snprintf() checking in is_rtc_hctosys()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 54b909436ede47e0ee07f1765da27ec2efa41e84 ]
+
+The scnprintf() function silently truncates the printf() and returns
+the number bytes that it was able to copy (not counting the NUL
+terminator). Thus, the highest value it can return here is
+"NAME_SIZE - 1" and the overflow check is dead code. Fix this by
+using the snprintf() function which returns the number of bytes that
+would have been copied if there was enough space and changing the
+condition from "> NAME_SIZE" to ">= NAME_SIZE".
+
+Fixes: 92589c986b33 ("rtc-proc: permit the /proc/driver/rtc device to use other devices")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Link: https://lore.kernel.org/r/YJov/pcGmhLi2pEl@mwanda
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-proc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/rtc/rtc-proc.c b/drivers/rtc/rtc-proc.c
+index ffa69e1c9245..4f10cb1561cc 100644
+--- a/drivers/rtc/rtc-proc.c
++++ b/drivers/rtc/rtc-proc.c
+@@ -26,8 +26,8 @@ static bool is_rtc_hctosys(struct rtc_device *rtc)
+ int size;
+ char name[NAME_SIZE];
+
+- size = scnprintf(name, NAME_SIZE, "rtc%d", rtc->id);
+- if (size > NAME_SIZE)
++ size = snprintf(name, NAME_SIZE, "rtc%d", rtc->id);
++ if (size >= NAME_SIZE)
+ return false;
+
+ return !strncmp(name, CONFIG_RTC_HCTOSYS_DEVICE, NAME_SIZE);
+--
+2.30.2
+
--- /dev/null
+From 9a9e9e1d31b9b462c7768f18f1e3f21eabbcd34b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Jun 2021 09:18:34 +0200
+Subject: scsi: be2iscsi: Fix an error handling path in beiscsi_dev_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 030e4138d11fced3b831c2761e4cecf347bae99c ]
+
+If an error occurs after a pci_enable_pcie_error_reporting() call, it must
+be undone by a corresponding pci_disable_pcie_error_reporting() call, as
+already done in the remove function.
+
+Link: https://lore.kernel.org/r/77adb02cfea7f1364e5603ecf3930d8597ae356e.1623482155.git.christophe.jaillet@wanadoo.fr
+Fixes: 3567f36a09d1 ("[SCSI] be2iscsi: Fix AER handling in driver")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/be2iscsi/be_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/be2iscsi/be_main.c b/drivers/scsi/be2iscsi/be_main.c
+index 758f76e88704..c89aab5e0ef8 100644
+--- a/drivers/scsi/be2iscsi/be_main.c
++++ b/drivers/scsi/be2iscsi/be_main.c
+@@ -5812,6 +5812,7 @@ hba_free:
+ pci_disable_msix(phba->pcidev);
+ pci_dev_put(phba->pcidev);
+ iscsi_host_free(phba->shost);
++ pci_disable_pcie_error_reporting(pcidev);
+ pci_set_drvdata(pcidev, NULL);
+ disable_pci:
+ pci_release_regions(pcidev);
+--
+2.30.2
+
--- /dev/null
+From dced1efc39afd7b80c011880afef75d94614c138 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 May 2021 13:18:03 -0500
+Subject: scsi: iscsi: Add iscsi_cls_conn refcount helpers
+
+From: Mike Christie <michael.christie@oracle.com>
+
+[ Upstream commit b1d19e8c92cfb0ded180ef3376c20e130414e067 ]
+
+There are a couple places where we could free the iscsi_cls_conn while it's
+still in use. This adds some helpers to get/put a refcount on the struct
+and converts an exiting user. Subsequent commits will then use the helpers
+to fix 2 bugs in the eh code.
+
+Link: https://lore.kernel.org/r/20210525181821.7617-11-michael.christie@oracle.com
+Reviewed-by: Lee Duncan <lduncan@suse.com>
+Signed-off-by: Mike Christie <michael.christie@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/libiscsi.c | 7 ++-----
+ drivers/scsi/scsi_transport_iscsi.c | 12 ++++++++++++
+ include/scsi/scsi_transport_iscsi.h | 2 ++
+ 3 files changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c
+index 18b8d86ef74b..0713d02cf112 100644
+--- a/drivers/scsi/libiscsi.c
++++ b/drivers/scsi/libiscsi.c
+@@ -1384,7 +1384,6 @@ void iscsi_session_failure(struct iscsi_session *session,
+ enum iscsi_err err)
+ {
+ struct iscsi_conn *conn;
+- struct device *dev;
+
+ spin_lock_bh(&session->frwd_lock);
+ conn = session->leadconn;
+@@ -1393,10 +1392,8 @@ void iscsi_session_failure(struct iscsi_session *session,
+ return;
+ }
+
+- dev = get_device(&conn->cls_conn->dev);
++ iscsi_get_conn(conn->cls_conn);
+ spin_unlock_bh(&session->frwd_lock);
+- if (!dev)
+- return;
+ /*
+ * if the host is being removed bypass the connection
+ * recovery initialization because we are going to kill
+@@ -1406,7 +1403,7 @@ void iscsi_session_failure(struct iscsi_session *session,
+ iscsi_conn_error_event(conn->cls_conn, err);
+ else
+ iscsi_conn_failure(conn, err);
+- put_device(dev);
++ iscsi_put_conn(conn->cls_conn);
+ }
+ EXPORT_SYMBOL_GPL(iscsi_session_failure);
+
+diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
+index 42bc4b71b0ba..e0159e6a1065 100644
+--- a/drivers/scsi/scsi_transport_iscsi.c
++++ b/drivers/scsi/scsi_transport_iscsi.c
+@@ -2328,6 +2328,18 @@ int iscsi_destroy_conn(struct iscsi_cls_conn *conn)
+ }
+ EXPORT_SYMBOL_GPL(iscsi_destroy_conn);
+
++void iscsi_put_conn(struct iscsi_cls_conn *conn)
++{
++ put_device(&conn->dev);
++}
++EXPORT_SYMBOL_GPL(iscsi_put_conn);
++
++void iscsi_get_conn(struct iscsi_cls_conn *conn)
++{
++ get_device(&conn->dev);
++}
++EXPORT_SYMBOL_GPL(iscsi_get_conn);
++
+ /*
+ * iscsi interface functions
+ */
+diff --git a/include/scsi/scsi_transport_iscsi.h b/include/scsi/scsi_transport_iscsi.h
+index 6183d20a01fb..e673c7c9c5fb 100644
+--- a/include/scsi/scsi_transport_iscsi.h
++++ b/include/scsi/scsi_transport_iscsi.h
+@@ -437,6 +437,8 @@ extern void iscsi_free_session(struct iscsi_cls_session *session);
+ extern int iscsi_destroy_session(struct iscsi_cls_session *session);
+ extern struct iscsi_cls_conn *iscsi_create_conn(struct iscsi_cls_session *sess,
+ int dd_size, uint32_t cid);
++extern void iscsi_put_conn(struct iscsi_cls_conn *conn);
++extern void iscsi_get_conn(struct iscsi_cls_conn *conn);
+ extern int iscsi_destroy_conn(struct iscsi_cls_conn *conn);
+ extern void iscsi_unblock_session(struct iscsi_cls_session *session);
+ extern void iscsi_block_session(struct iscsi_cls_session *session);
+--
+2.30.2
+
--- /dev/null
+From 87fcd376fc59c23996ee56fe7cbd8e561431a2cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 May 2021 12:55:51 -0700
+Subject: scsi: lpfc: Fix "Unexpected timeout" error in direct attach topology
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit e30d55137edef47434c40d7570276a0846fe922c ]
+
+An 'unexpected timeout' message may be seen in a point-2-point topology.
+The message occurs when a PLOGI is received before the driver is notified
+of FLOGI completion. The FLOGI completion failure causes discovery to be
+triggered for a second time. The discovery timer is restarted but no new
+discovery activity is initiated, thus the timeout message eventually
+appears.
+
+In point-2-point, when discovery has progressed before the FLOGI completion
+is processed, it is not a failure. Add code to FLOGI completion to detect
+that discovery has progressed and exit the FLOGI handling (noop'ing it).
+
+Link: https://lore.kernel.org/r/20210514195559.119853-4-jsmart2021@gmail.com
+Co-developed-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_els.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
+index 5be938b47f48..b66b1ed6d2af 100644
+--- a/drivers/scsi/lpfc/lpfc_els.c
++++ b/drivers/scsi/lpfc/lpfc_els.c
+@@ -1142,6 +1142,15 @@ stop_rr_fcf_flogi:
+ phba->fcf.fcf_redisc_attempted = 0; /* reset */
+ goto out;
+ }
++ } else if (vport->port_state > LPFC_FLOGI &&
++ vport->fc_flag & FC_PT2PT) {
++ /*
++ * In a p2p topology, it is possible that discovery has
++ * already progressed, and this completion can be ignored.
++ * Recheck the indicated topology.
++ */
++ if (!sp->cmn.fPort)
++ goto out;
+ }
+
+ flogifail:
+--
+2.30.2
+
--- /dev/null
+From 52ea5c167b3d489d9c817b3b9a20785a4118b831 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 May 2021 09:51:42 -0400
+Subject: selftests/powerpc: Fix "no_handler" EBB selftest
+
+From: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
+
+[ Upstream commit 45677c9aebe926192e59475b35a1ff35ff2d4217 ]
+
+The "no_handler_test" in ebb selftests attempts to read the PMU
+registers twice via helper function "dump_ebb_state". First dump is
+just before closing of event and the second invocation is done after
+closing of the event. The original intention of second
+dump_ebb_state was to dump the state of registers at the end of
+the test when the counters are frozen. But this will be achieved
+with the first call itself since sample period is set to low value
+and PMU will be frozen by then. Hence patch removes the
+dump which was done before closing of the event.
+
+Reported-by: Shirisha Ganta <shirisha.ganta1@ibm.com>
+Signed-off-by: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
+Tested-by: Nageswara R Sastry <rnsastry@linux.ibm.com <mailto:rnsastry@linux.ibm.com>>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/1621950703-1532-2-git-send-email-atrajeev@linux.vnet.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/powerpc/pmu/ebb/no_handler_test.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/tools/testing/selftests/powerpc/pmu/ebb/no_handler_test.c b/tools/testing/selftests/powerpc/pmu/ebb/no_handler_test.c
+index 8341d7778d5e..87630d44fb4c 100644
+--- a/tools/testing/selftests/powerpc/pmu/ebb/no_handler_test.c
++++ b/tools/testing/selftests/powerpc/pmu/ebb/no_handler_test.c
+@@ -50,8 +50,6 @@ static int no_handler_test(void)
+
+ event_close(&event);
+
+- dump_ebb_state();
+-
+ /* The real test is that we never took an EBB at 0x0 */
+
+ return 0;
+--
+2.30.2
+
jfs-fix-gpf-in-difree.patch
kvm-x86-use-guest-maxphyaddr-from-cpuid.0x8000_0008-iff-tdp-is-enabled.patch
kvm-x86-disable-hardware-breakpoints-unconditionally-before-kvm_x86-run.patch
+tty-serial-fsl_lpuart-fix-the-potential-risk-of-divi.patch
+misc-libmasm-module-fix-two-use-after-free-in-ibmasm.patch
+revert-alsa-bebob-oxfw-fix-kconfig-entry-for-mackie-.patch
+scsi-lpfc-fix-unexpected-timeout-error-in-direct-att.patch
+tty-serial-8250-serial_cs-fix-a-memory-leak-in-error.patch
+fs-jfs-fix-missing-error-code-in-lmloginit.patch
+scsi-iscsi-add-iscsi_cls_conn-refcount-helpers.patch
+mfd-da9052-stmpe-add-and-modify-module_device_table.patch
+alsa-sb-fix-potential-double-free-of-csp-mixer-eleme.patch
+powerpc-ps3-add-dma_mask-to-ps3_dma_region.patch
+gpio-zynq-check-return-value-of-pm_runtime_get_sync.patch
+alsa-ppc-fix-error-return-code-in-snd_pmac_probe.patch
+selftests-powerpc-fix-no_handler-ebb-selftest.patch
+asoc-soc-core-fix-the-error-return-code-in-snd_soc_o.patch
+alsa-bebob-add-support-for-toneweal-fw66.patch
+usb-gadget-f_hid-fix-endianness-issue-with-descripto.patch
+usb-gadget-hid-fix-error-return-code-in-hid_bind.patch
+powerpc-boot-fixup-device-tree-on-little-endian.patch
+backlight-lm3630a-fix-return-code-of-.update_status-.patch
+alsa-hda-add-irq-check-for-platform_get_irq.patch
+lib-decompress_unlz4.c-correctly-handle-zero-padding.patch
+pwm-spear-don-t-modify-hw-state-in-.remove-callback.patch
+power-supply-ab8500-avoid-null-pointers.patch
+power-reset-gpio-poweroff-add-missing-module_device_.patch
+arm-9087-1-kprobes-test-thumb-fix-for-llvm_ias-1.patch
+watchdog-fix-possible-use-after-free-in-wdt_startup.patch
+watchdog-sc520_wdt-fix-possible-use-after-free-in-wd.patch
+watchdog-fix-possible-use-after-free-by-calling-del_.patch
+ceph-remove-bogus-checks-and-warn_ons-from-ceph_set_.patch
+power-supply-charger-manager-add-missing-module_devi.patch
+power-supply-ab8500-add-missing-module_device_table.patch
+virtio-blk-fix-memory-leak-among-suspend-resume-proc.patch
+virtio_console-assure-used-length-from-device-is-lim.patch
+pci-sysfs-fix-dsm_label_utf16s_to_utf8s-buffer-overr.patch
+um-fix-error-return-code-in-slip_open.patch
+um-fix-error-return-code-in-winch_tramp.patch
+nfs-fix-acl-memory-leak-of-posix_acl_create.patch
+alsa-isa-fix-error-return-code-in-snd_cmi8330_probe.patch
+hexagon-use-common-discards-macro.patch
+arm-dts-exynos-fix-pwm-led-max-brightness-on-odroid-.patch
+rtc-fix-snprintf-checking-in-is_rtc_hctosys.patch
+memory-fsl_ifc-fix-leak-of-io-mapping-on-probe-failu.patch
+memory-fsl_ifc-fix-leak-of-private-memory-on-probe-f.patch
+scsi-be2iscsi-fix-an-error-handling-path-in-beiscsi_.patch
+mips-disable-branch-profiling-in-boot-decompress.o.patch
+mips-vdso-invalid-gic-access-through-vdso.patch
--- /dev/null
+From 1bb6857d6db7ba312b74baa4c4e26f61e216ece7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 May 2021 21:44:04 +0200
+Subject: tty: serial: 8250: serial_cs: Fix a memory leak in error handling
+ path
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit fad92b11047a748c996ebd6cfb164a63814eeb2e ]
+
+In the probe function, if the final 'serial_config()' fails, 'info' is
+leaking.
+
+Add a resource handling path to free this memory.
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/dc25f96b7faebf42e60fe8d02963c941cf4d8124.1621971720.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/8250/serial_cs.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/8250/serial_cs.c b/drivers/tty/serial/8250/serial_cs.c
+index bf5feb2ea35a..92c64ed12295 100644
+--- a/drivers/tty/serial/8250/serial_cs.c
++++ b/drivers/tty/serial/8250/serial_cs.c
+@@ -305,6 +305,7 @@ static int serial_resume(struct pcmcia_device *link)
+ static int serial_probe(struct pcmcia_device *link)
+ {
+ struct serial_info *info;
++ int ret;
+
+ dev_dbg(&link->dev, "serial_attach()\n");
+
+@@ -319,7 +320,15 @@ static int serial_probe(struct pcmcia_device *link)
+ if (do_sound)
+ link->config_flags |= CONF_ENABLE_SPKR;
+
+- return serial_config(link);
++ ret = serial_config(link);
++ if (ret)
++ goto free_info;
++
++ return 0;
++
++free_info:
++ kfree(info);
++ return ret;
+ }
+
+ static void serial_detach(struct pcmcia_device *link)
+--
+2.30.2
+
--- /dev/null
+From fc452ff711658c42c620af5b31ed7d609c1a38e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Apr 2021 10:12:26 +0800
+Subject: tty: serial: fsl_lpuart: fix the potential risk of division or modulo
+ by zero
+
+From: Sherry Sun <sherry.sun@nxp.com>
+
+[ Upstream commit fcb10ee27fb91b25b68d7745db9817ecea9f1038 ]
+
+We should be very careful about the register values that will be used
+for division or modulo operations, althrough the possibility that the
+UARTBAUD register value is zero is very low, but we had better to deal
+with the "bad data" of hardware in advance to avoid division or modulo
+by zero leading to undefined kernel behavior.
+
+Signed-off-by: Sherry Sun <sherry.sun@nxp.com>
+Link: https://lore.kernel.org/r/20210427021226.27468-1-sherry.sun@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/fsl_lpuart.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c
+index 1544a7cc76ff..1319f3dd5b70 100644
+--- a/drivers/tty/serial/fsl_lpuart.c
++++ b/drivers/tty/serial/fsl_lpuart.c
+@@ -1681,6 +1681,9 @@ lpuart32_console_get_options(struct lpuart_port *sport, int *baud,
+
+ bd = lpuart32_read(sport->port.membase + UARTBAUD);
+ bd &= UARTBAUD_SBR_MASK;
++ if (!bd)
++ return;
++
+ sbr = bd;
+ uartclk = clk_get_rate(sport->clk);
+ /*
+--
+2.30.2
+
--- /dev/null
+From 817ddd02389cf99133ffea029f3d734a962a6741 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 8 May 2021 11:13:54 +0800
+Subject: um: fix error return code in slip_open()
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit b77e81fbe5f5fb4ad9a61ec80f6d1e30b6da093a ]
+
+Fix to return a negative error code from the error handling case instead
+of 0, as done elsewhere in this function.
+
+Fixes: a3c77c67a443 ("[PATCH] uml: slirp and slip driver cleanups and fixes")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Acked-By: anton.ivanov@cambridgegreys.com
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/um/drivers/slip_user.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/um/drivers/slip_user.c b/arch/um/drivers/slip_user.c
+index 0d6b66c64a81..76d155631c5d 100644
+--- a/arch/um/drivers/slip_user.c
++++ b/arch/um/drivers/slip_user.c
+@@ -145,7 +145,8 @@ static int slip_open(void *data)
+ }
+ sfd = err;
+
+- if (set_up_tty(sfd))
++ err = set_up_tty(sfd);
++ if (err)
+ goto out_close2;
+
+ pri->slave = sfd;
+--
+2.30.2
+
--- /dev/null
+From f59db04eb244b10ef224e7a5f4a7df15cbf3d6ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 8 May 2021 11:22:39 +0800
+Subject: um: fix error return code in winch_tramp()
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit ccf1236ecac476d9d2704866d9a476c86e387971 ]
+
+Fix to return a negative error code from the error handling case instead
+of 0, as done elsewhere in this function.
+
+Fixes: 89df6bfc0405 ("uml: DEBUG_SHIRQ fixes")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Acked-By: anton.ivanov@cambridgegreys.com
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/um/drivers/chan_user.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/um/drivers/chan_user.c b/arch/um/drivers/chan_user.c
+index 3fd7c3efdb18..feb7f5ab4084 100644
+--- a/arch/um/drivers/chan_user.c
++++ b/arch/um/drivers/chan_user.c
+@@ -256,7 +256,8 @@ static int winch_tramp(int fd, struct tty_port *port, int *fd_out,
+ goto out_close;
+ }
+
+- if (os_set_fd_block(*fd_out, 0)) {
++ err = os_set_fd_block(*fd_out, 0);
++ if (err) {
+ printk(UM_KERN_ERR "winch_tramp: failed to set thread_fd "
+ "non-blocking.\n");
+ goto out_close;
+--
+2.30.2
+
--- /dev/null
+From c67625b448832988cb257e1ffed05c97dd7f8ba3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jun 2021 19:27:55 +0300
+Subject: usb: gadget: f_hid: fix endianness issue with descriptors
+
+From: Ruslan Bilovol <ruslan.bilovol@gmail.com>
+
+[ Upstream commit 33cb46c4676d01956811b68a29157ea969a5df70 ]
+
+Running sparse checker it shows warning message about
+incorrect endianness used for descriptor initialization:
+
+| f_hid.c:91:43: warning: incorrect type in initializer (different base types)
+| f_hid.c:91:43: expected restricted __le16 [usertype] bcdHID
+| f_hid.c:91:43: got int
+
+Fixing issue with cpu_to_le16() macro, however this is not a real issue
+as the value is the same both endians.
+
+Cc: Fabien Chouteau <fabien.chouteau@barco.com>
+Cc: Segiy Stetsyuk <serg_stetsuk@ukr.net>
+Signed-off-by: Ruslan Bilovol <ruslan.bilovol@gmail.com>
+Link: https://lore.kernel.org/r/20210617162755.29676-1-ruslan.bilovol@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_hid.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/function/f_hid.c b/drivers/usb/gadget/function/f_hid.c
+index a5dae5bb62ab..590e056d3618 100644
+--- a/drivers/usb/gadget/function/f_hid.c
++++ b/drivers/usb/gadget/function/f_hid.c
+@@ -91,7 +91,7 @@ static struct usb_interface_descriptor hidg_interface_desc = {
+ static struct hid_descriptor hidg_desc = {
+ .bLength = sizeof hidg_desc,
+ .bDescriptorType = HID_DT_HID,
+- .bcdHID = 0x0101,
++ .bcdHID = cpu_to_le16(0x0101),
+ .bCountryCode = 0x00,
+ .bNumDescriptors = 0x1,
+ /*.desc[0].bDescriptorType = DYNAMIC */
+--
+2.30.2
+
--- /dev/null
+From 957343139f2e6224eb1586fdf5de81b6c13dcf99 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jun 2021 12:38:35 +0800
+Subject: usb: gadget: hid: fix error return code in hid_bind()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 88693f770bb09c196b1eb5f06a484a254ecb9924 ]
+
+Fix to return a negative error code from the error handling
+case instead of 0.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20210618043835.2641360-1-yangyingliang@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/legacy/hid.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/legacy/hid.c b/drivers/usb/gadget/legacy/hid.c
+index 7e5d2c48476e..97329ba5d382 100644
+--- a/drivers/usb/gadget/legacy/hid.c
++++ b/drivers/usb/gadget/legacy/hid.c
+@@ -175,8 +175,10 @@ static int hid_bind(struct usb_composite_dev *cdev)
+ struct usb_descriptor_header *usb_desc;
+
+ usb_desc = usb_otg_descriptor_alloc(gadget);
+- if (!usb_desc)
++ if (!usb_desc) {
++ status = -ENOMEM;
+ goto put;
++ }
+ usb_otg_descriptor_init(gadget, usb_desc);
+ otg_desc[0] = usb_desc;
+ otg_desc[1] = NULL;
+--
+2.30.2
+
--- /dev/null
+From 642029f29741c21dab8b857a314f82a5b9c5c82f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 May 2021 16:43:32 +0800
+Subject: virtio-blk: Fix memory leak among suspend/resume procedure
+
+From: Xie Yongji <xieyongji@bytedance.com>
+
+[ Upstream commit b71ba22e7c6c6b279c66f53ee7818709774efa1f ]
+
+The vblk->vqs should be freed before we call init_vqs()
+in virtblk_restore().
+
+Signed-off-by: Xie Yongji <xieyongji@bytedance.com>
+Link: https://lore.kernel.org/r/20210517084332.280-1-xieyongji@bytedance.com
+Acked-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/virtio_blk.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c
+index bdc3efacd0d2..2bcc2bc64149 100644
+--- a/drivers/block/virtio_blk.c
++++ b/drivers/block/virtio_blk.c
+@@ -808,6 +808,8 @@ static int virtblk_freeze(struct virtio_device *vdev)
+ blk_mq_stop_hw_queues(vblk->disk->queue);
+
+ vdev->config->del_vqs(vdev);
++ kfree(vblk->vqs);
++
+ return 0;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 8709034d558f280c40785a8d2887618a6ebc7e32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 May 2021 20:56:22 +0800
+Subject: virtio_console: Assure used length from device is limited
+
+From: Xie Yongji <xieyongji@bytedance.com>
+
+[ Upstream commit d00d8da5869a2608e97cfede094dfc5e11462a46 ]
+
+The buf->len might come from an untrusted device. This
+ensures the value would not exceed the size of the buffer
+to avoid data corruption or loss.
+
+Signed-off-by: Xie Yongji <xieyongji@bytedance.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Link: https://lore.kernel.org/r/20210525125622.1203-1-xieyongji@bytedance.com
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/virtio_console.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
+index 226ccb7891d4..c2f1c921cb2c 100644
+--- a/drivers/char/virtio_console.c
++++ b/drivers/char/virtio_console.c
+@@ -487,7 +487,7 @@ static struct port_buffer *get_inbuf(struct port *port)
+
+ buf = virtqueue_get_buf(port->in_vq, &len);
+ if (buf) {
+- buf->len = len;
++ buf->len = min_t(size_t, len, buf->size);
+ buf->offset = 0;
+ port->stats.bytes_received += len;
+ }
+@@ -1752,7 +1752,7 @@ static void control_work_handler(struct work_struct *work)
+ while ((buf = virtqueue_get_buf(vq, &len))) {
+ spin_unlock(&portdev->c_ivq_lock);
+
+- buf->len = len;
++ buf->len = min_t(size_t, len, buf->size);
+ buf->offset = 0;
+
+ handle_control_message(vq->vdev, portdev, buf);
+--
+2.30.2
+
--- /dev/null
+From b26ac737fa701ccdf2c403ebd55e37aae5a80902 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 May 2021 14:57:56 +0800
+Subject: watchdog: Fix possible use-after-free by calling del_timer_sync()
+
+From: Zou Wei <zou_wei@huawei.com>
+
+[ Upstream commit d0212f095ab56672f6f36aabc605bda205e1e0bf ]
+
+This driver's remove path calls del_timer(). However, that function
+does not wait until the timer handler finishes. This means that the
+timer handler may still be running after the driver's remove function
+has finished, which would result in a use-after-free.
+
+Fix by calling del_timer_sync(), which makes sure the timer handler
+has finished, and unable to re-schedule itself.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zou Wei <zou_wei@huawei.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Acked-by: Vladimir Zapolskiy <vz@mleia.com>
+Link: https://lore.kernel.org/r/1620802676-19701-1-git-send-email-zou_wei@huawei.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/watchdog/lpc18xx_wdt.c | 2 +-
+ drivers/watchdog/w83877f_wdt.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/watchdog/lpc18xx_wdt.c b/drivers/watchdog/lpc18xx_wdt.c
+index ab7b8b185d99..fbdc0f32e666 100644
+--- a/drivers/watchdog/lpc18xx_wdt.c
++++ b/drivers/watchdog/lpc18xx_wdt.c
+@@ -309,7 +309,7 @@ static int lpc18xx_wdt_remove(struct platform_device *pdev)
+ unregister_restart_handler(&lpc18xx_wdt->restart_handler);
+
+ dev_warn(&pdev->dev, "I quit now, hardware will probably reboot!\n");
+- del_timer(&lpc18xx_wdt->timer);
++ del_timer_sync(&lpc18xx_wdt->timer);
+
+ watchdog_unregister_device(&lpc18xx_wdt->wdt_dev);
+ clk_disable_unprepare(lpc18xx_wdt->wdt_clk);
+diff --git a/drivers/watchdog/w83877f_wdt.c b/drivers/watchdog/w83877f_wdt.c
+index f0483c75ed32..4b52cf321747 100644
+--- a/drivers/watchdog/w83877f_wdt.c
++++ b/drivers/watchdog/w83877f_wdt.c
+@@ -170,7 +170,7 @@ static void wdt_startup(void)
+ static void wdt_turnoff(void)
+ {
+ /* Stop the timer */
+- del_timer(&timer);
++ del_timer_sync(&timer);
+
+ wdt_change(WDT_DISABLE);
+
+--
+2.30.2
+
--- /dev/null
+From f5c0115ea21be91fa82805fca4efa0c1d4db821b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 May 2021 15:01:35 +0800
+Subject: watchdog: Fix possible use-after-free in wdt_startup()
+
+From: Zou Wei <zou_wei@huawei.com>
+
+[ Upstream commit c08a6b31e4917034f0ed0cb457c3bb209576f542 ]
+
+This module's remove path calls del_timer(). However, that function
+does not wait until the timer handler finishes. This means that the
+timer handler may still be running after the driver's remove function
+has finished, which would result in a use-after-free.
+
+Fix by calling del_timer_sync(), which makes sure the timer handler
+has finished, and unable to re-schedule itself.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zou Wei <zou_wei@huawei.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/1620716495-108352-1-git-send-email-zou_wei@huawei.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/watchdog/sbc60xxwdt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/watchdog/sbc60xxwdt.c b/drivers/watchdog/sbc60xxwdt.c
+index 2eef58a0cf05..152db059d5aa 100644
+--- a/drivers/watchdog/sbc60xxwdt.c
++++ b/drivers/watchdog/sbc60xxwdt.c
+@@ -152,7 +152,7 @@ static void wdt_startup(void)
+ static void wdt_turnoff(void)
+ {
+ /* Stop the timer */
+- del_timer(&timer);
++ del_timer_sync(&timer);
+ inb_p(wdt_stop);
+ pr_info("Watchdog timer is now disabled...\n");
+ }
+--
+2.30.2
+
--- /dev/null
+From ee8abc886dfb196bba9808d2698f4d4c8fb00455 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 May 2021 15:04:51 +0800
+Subject: watchdog: sc520_wdt: Fix possible use-after-free in wdt_turnoff()
+
+From: Zou Wei <zou_wei@huawei.com>
+
+[ Upstream commit 90b7c141132244e8e49a34a4c1e445cce33e07f4 ]
+
+This module's remove path calls del_timer(). However, that function
+does not wait until the timer handler finishes. This means that the
+timer handler may still be running after the driver's remove function
+has finished, which would result in a use-after-free.
+
+Fix by calling del_timer_sync(), which makes sure the timer handler
+has finished, and unable to re-schedule itself.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zou Wei <zou_wei@huawei.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/1620716691-108460-1-git-send-email-zou_wei@huawei.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/watchdog/sc520_wdt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/watchdog/sc520_wdt.c b/drivers/watchdog/sc520_wdt.c
+index 1cfd3f6a13d5..08500db8324f 100644
+--- a/drivers/watchdog/sc520_wdt.c
++++ b/drivers/watchdog/sc520_wdt.c
+@@ -190,7 +190,7 @@ static int wdt_startup(void)
+ static int wdt_turnoff(void)
+ {
+ /* Stop the timer */
+- del_timer(&timer);
++ del_timer_sync(&timer);
+
+ /* Stop the watchdog */
+ wdt_config(0);
+--
+2.30.2
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
