--- /dev/null
+From 21c3aadb457603298bf0d54238301b40a4fb988a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Mar 2021 13:19:23 +0200
+Subject: ALSA: core: remove redundant spin_lock pair in snd_card_disconnect
+
+From: Jia Zhou <zhou.jia2@zte.com.cn>
+
+[ Upstream commit abc21649b3e5c34b143bf86f0c78e33d5815e250 ]
+
+modification in commit 2a3f7221acdd ("ALSA: core: Fix card races between
+register and disconnect") resulting in this problem.
+
+Fixes: 2a3f7221acdd ("ALSA: core: Fix card races between register and disconnect")
+Signed-off-by: Jia Zhou <zhou.jia2@zte.com.cn>
+Signed-off-by: Yi Wang <wang.yi59@zte.com.cn>
+Link: https://lore.kernel.org/r/1616989007-34429-1-git-send-email-wang.yi59@zte.com.cn
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/init.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/sound/core/init.c b/sound/core/init.c
+index 02e96c580cb7..59377e579adb 100644
+--- a/sound/core/init.c
++++ b/sound/core/init.c
+@@ -406,10 +406,8 @@ int snd_card_disconnect(struct snd_card *card)
+ return 0;
+ }
+ card->shutdown = 1;
+- spin_unlock(&card->files_lock);
+
+ /* replace file->f_op with special dummy operations */
+- spin_lock(&card->files_lock);
+ list_for_each_entry(mfile, &card->files_list, list) {
+ /* it's critical part, use endless loop */
+ /* we have no room to fail */
+--
+2.30.2
+
--- /dev/null
+From 8601af781103c8dabf03b1da18ebb064dd0d0356 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Apr 2021 13:35:34 +0200
+Subject: ALSA: usb-audio: Add error checks for usb_driver_claim_interface()
+ calls
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 5fb45414ae03421255593fd5556aa2d1d82303aa ]
+
+There are a few calls of usb_driver_claim_interface() but all of those
+miss the proper error checks, as reported by Coverity. This patch
+adds those missing checks.
+
+Along with it, replace the magic pointer with -1 with a constant
+USB_AUDIO_IFACE_UNUSED for better readability.
+
+Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
+Addresses-Coverity-ID: 1475943 ("Error handling issues")
+Addresses-Coverity-ID: 1475944 ("Error handling issues")
+Addresses-Coverity-ID: 1475945 ("Error handling issues")
+Fixes: b1ce7ba619d9 ("ALSA: usb-audio: claim autodetected PCM interfaces all at once")
+Fixes: e5779998bf8b ("ALSA: usb-audio: refactor code")
+Link: https://lore.kernel.org/r/202104051059.FB7F3016@keescook
+Link: https://lore.kernel.org/r/20210406113534.30455-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/card.c | 14 +++++++-------
+ sound/usb/quirks.c | 16 ++++++++++++----
+ sound/usb/usbaudio.h | 2 ++
+ 3 files changed, 21 insertions(+), 11 deletions(-)
+
+diff --git a/sound/usb/card.c b/sound/usb/card.c
+index 023a36a4922b..6c5be4e3cb9d 100644
+--- a/sound/usb/card.c
++++ b/sound/usb/card.c
+@@ -183,9 +183,8 @@ static int snd_usb_create_stream(struct snd_usb_audio *chip, int ctrlif, int int
+ ctrlif, interface);
+ return -EINVAL;
+ }
+- usb_driver_claim_interface(&usb_audio_driver, iface, (void *)-1L);
+-
+- return 0;
++ return usb_driver_claim_interface(&usb_audio_driver, iface,
++ USB_AUDIO_IFACE_UNUSED);
+ }
+
+ if ((altsd->bInterfaceClass != USB_CLASS_AUDIO &&
+@@ -205,7 +204,8 @@ static int snd_usb_create_stream(struct snd_usb_audio *chip, int ctrlif, int int
+
+ if (! snd_usb_parse_audio_interface(chip, interface)) {
+ usb_set_interface(dev, interface, 0); /* reset the current interface */
+- usb_driver_claim_interface(&usb_audio_driver, iface, (void *)-1L);
++ return usb_driver_claim_interface(&usb_audio_driver, iface,
++ USB_AUDIO_IFACE_UNUSED);
+ }
+
+ return 0;
+@@ -665,7 +665,7 @@ static void usb_audio_disconnect(struct usb_interface *intf)
+ struct snd_card *card;
+ struct list_head *p;
+
+- if (chip == (void *)-1L)
++ if (chip == USB_AUDIO_IFACE_UNUSED)
+ return;
+
+ card = chip->card;
+@@ -765,7 +765,7 @@ static int usb_audio_suspend(struct usb_interface *intf, pm_message_t message)
+ struct usb_mixer_interface *mixer;
+ struct list_head *p;
+
+- if (chip == (void *)-1L)
++ if (chip == USB_AUDIO_IFACE_UNUSED)
+ return 0;
+
+ if (!chip->num_suspended_intf++) {
+@@ -795,7 +795,7 @@ static int __usb_audio_resume(struct usb_interface *intf, bool reset_resume)
+ struct list_head *p;
+ int err = 0;
+
+- if (chip == (void *)-1L)
++ if (chip == USB_AUDIO_IFACE_UNUSED)
+ return 0;
+
+ atomic_inc(&chip->active); /* avoid autopm */
+diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
+index 6b9e6b57d58d..02b4d0638e00 100644
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -66,8 +66,12 @@ static int create_composite_quirk(struct snd_usb_audio *chip,
+ if (!iface)
+ continue;
+ if (quirk->ifnum != probed_ifnum &&
+- !usb_interface_claimed(iface))
+- usb_driver_claim_interface(driver, iface, (void *)-1L);
++ !usb_interface_claimed(iface)) {
++ err = usb_driver_claim_interface(driver, iface,
++ USB_AUDIO_IFACE_UNUSED);
++ if (err < 0)
++ return err;
++ }
+ }
+
+ return 0;
+@@ -399,8 +403,12 @@ static int create_autodetect_quirks(struct snd_usb_audio *chip,
+ continue;
+
+ err = create_autodetect_quirk(chip, iface, driver);
+- if (err >= 0)
+- usb_driver_claim_interface(driver, iface, (void *)-1L);
++ if (err >= 0) {
++ err = usb_driver_claim_interface(driver, iface,
++ USB_AUDIO_IFACE_UNUSED);
++ if (err < 0)
++ return err;
++ }
+ }
+
+ return 0;
+diff --git a/sound/usb/usbaudio.h b/sound/usb/usbaudio.h
+index f4ee83c8e0b2..62456a806bb4 100644
+--- a/sound/usb/usbaudio.h
++++ b/sound/usb/usbaudio.h
+@@ -63,6 +63,8 @@ struct snd_usb_audio {
+ struct usb_host_interface *ctrl_intf; /* the audio control interface */
+ };
+
++#define USB_AUDIO_IFACE_UNUSED ((void *)-1L)
++
+ #define usb_audio_err(chip, fmt, args...) \
+ dev_err(&(chip)->dev->dev, fmt, ##args)
+ #define usb_audio_warn(chip, fmt, args...) \
+--
+2.30.2
+
--- /dev/null
+From 90c40f2e8c05faa27d116cda17e1513484a59d90 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Dec 2020 22:25:24 +0100
+Subject: ARM: dts: exynos: correct PMIC interrupt trigger level on SMDK5250
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+[ Upstream commit f6368c60561370e4a92fac22982a3bd656172170 ]
+
+The Maxim PMIC datasheets describe the interrupt line as active low
+with a requirement of acknowledge from the CPU. Without specifying the
+interrupt type in Devicetree, kernel might apply some fixed
+configuration, not necessarily working for this hardware.
+
+Additionally, the interrupt line is shared so using level sensitive
+interrupt is here especially important to avoid races.
+
+Fixes: 47580e8d94c2 ("ARM: dts: Specify MAX77686 pmic interrupt for exynos5250-smdk5250")
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Link: https://lore.kernel.org/r/20201210212534.216197-8-krzk@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/exynos5250-smdk5250.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/exynos5250-smdk5250.dts b/arch/arm/boot/dts/exynos5250-smdk5250.dts
+index a97a785ccc6b..f0906d67a107 100644
+--- a/arch/arm/boot/dts/exynos5250-smdk5250.dts
++++ b/arch/arm/boot/dts/exynos5250-smdk5250.dts
+@@ -134,7 +134,7 @@
+ compatible = "maxim,max77686";
+ reg = <0x09>;
+ interrupt-parent = <&gpx3>;
+- interrupts = <2 IRQ_TYPE_NONE>;
++ interrupts = <2 IRQ_TYPE_LEVEL_LOW>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&max77686_irq>;
+ wakeup-source;
+--
+2.30.2
+
--- /dev/null
+From 2860e5ab7fa1e3874d9ecd9ec65fda8faf1746db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Dec 2020 22:25:25 +0100
+Subject: ARM: dts: exynos: correct PMIC interrupt trigger level on Snow
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+[ Upstream commit 8987efbb17c2522be8615085df9a14da2ab53d34 ]
+
+The Maxim PMIC datasheets describe the interrupt line as active low
+with a requirement of acknowledge from the CPU. Without specifying the
+interrupt type in Devicetree, kernel might apply some fixed
+configuration, not necessarily working for this hardware.
+
+Additionally, the interrupt line is shared so using level sensitive
+interrupt is here especially important to avoid races.
+
+Fixes: c61248afa819 ("ARM: dts: Add max77686 RTC interrupt to cros5250-common")
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Link: https://lore.kernel.org/r/20201210212534.216197-9-krzk@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/exynos5250-snow-common.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/exynos5250-snow-common.dtsi b/arch/arm/boot/dts/exynos5250-snow-common.dtsi
+index d5d51916bb74..b24a77781e75 100644
+--- a/arch/arm/boot/dts/exynos5250-snow-common.dtsi
++++ b/arch/arm/boot/dts/exynos5250-snow-common.dtsi
+@@ -280,7 +280,7 @@
+ max77686: max77686@09 {
+ compatible = "maxim,max77686";
+ interrupt-parent = <&gpx3>;
+- interrupts = <2 IRQ_TYPE_NONE>;
++ interrupts = <2 IRQ_TYPE_LEVEL_LOW>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&max77686_irq>;
+ wakeup-source;
+--
+2.30.2
+
--- /dev/null
+From 23292dcfaa3e47476660f2335f794cd482d6dc1d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Mar 2021 23:15:06 +0300
+Subject: ata: libahci_platform: fix IRQ check
+
+From: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+
+[ Upstream commit b30d0040f06159de97ad9c0b1536f47250719d7d ]
+
+Iff platform_get_irq() returns 0, ahci_platform_init_host() would return 0
+early (as if the call was successful). Override IRQ0 with -EINVAL instead
+as the 'libata' regards 0 as "no IRQ" (thus polling) anyway...
+
+Fixes: c034640a32f8 ("ata: libahci: properly propagate return value of platform_get_irq()")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+Link: https://lore.kernel.org/r/4448c8cc-331f-2915-0e17-38ea34e251c8@omprussia.ru
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libahci_platform.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/ata/libahci_platform.c b/drivers/ata/libahci_platform.c
+index 0b80502bc1c5..bfa2e5eec263 100644
+--- a/drivers/ata/libahci_platform.c
++++ b/drivers/ata/libahci_platform.c
+@@ -518,11 +518,13 @@ int ahci_platform_init_host(struct platform_device *pdev,
+ int i, irq, n_ports, rc;
+
+ irq = platform_get_irq(pdev, 0);
+- if (irq <= 0) {
++ if (irq < 0) {
+ if (irq != -EPROBE_DEFER)
+ dev_err(dev, "no irq\n");
+ return irq;
+ }
++ if (!irq)
++ return -EINVAL;
+
+ hpriv->irq = irq;
+
+--
+2.30.2
+
--- /dev/null
+From 5e428bd448691daa6e2f23cd850285d0745a633c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Mar 2021 19:08:19 +0100
+Subject: ath9k: Fix error check in ath9k_hw_read_revisions() for PCI devices
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Toke Høiland-Jørgensen <toke@redhat.com>
+
+[ Upstream commit 7dd9a40fd6e0d0f1fd8e1931c007e080801dfdce ]
+
+When the error check in ath9k_hw_read_revisions() was added, it checked for
+-EIO which is what ath9k_regread() in the ath9k_htc driver uses. However,
+for plain ath9k, the register read function uses ioread32(), which just
+returns -1 on error. So if such a read fails, it still gets passed through
+and ends up as a weird mac revision in the log output.
+
+Fix this by changing ath9k_regread() to return -1 on error like ioread32()
+does, and fix the error check to look for that instead of -EIO.
+
+Fixes: 2f90c7e5d094 ("ath9k: Check for errors when reading SREV register")
+Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Reviewed-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210326180819.142480-1-toke@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/htc_drv_init.c | 2 +-
+ drivers/net/wireless/ath/ath9k/hw.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_init.c b/drivers/net/wireless/ath/ath9k/htc_drv_init.c
+index 15a0036dcc6e..09d737f3461b 100644
+--- a/drivers/net/wireless/ath/ath9k/htc_drv_init.c
++++ b/drivers/net/wireless/ath/ath9k/htc_drv_init.c
+@@ -246,7 +246,7 @@ static unsigned int ath9k_regread(void *hw_priv, u32 reg_offset)
+ if (unlikely(r)) {
+ ath_dbg(common, WMI, "REGISTER READ FAILED: (0x%04x, %d)\n",
+ reg_offset, r);
+- return -EIO;
++ return -1;
+ }
+
+ return be32_to_cpu(val);
+diff --git a/drivers/net/wireless/ath/ath9k/hw.c b/drivers/net/wireless/ath/ath9k/hw.c
+index e7fca78cdd96..9d664398a41b 100644
+--- a/drivers/net/wireless/ath/ath9k/hw.c
++++ b/drivers/net/wireless/ath/ath9k/hw.c
+@@ -285,7 +285,7 @@ static bool ath9k_hw_read_revisions(struct ath_hw *ah)
+
+ srev = REG_READ(ah, AR_SREV);
+
+- if (srev == -EIO) {
++ if (srev == -1) {
+ ath_err(ath9k_hw_common(ah),
+ "Failed to read SREV register");
+ return false;
+--
+2.30.2
+
--- /dev/null
+From 5d2078e1cfa439ef2b9c5bda5b91d1b9ca38aa44 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Jan 2021 03:49:07 -0800
+Subject: bus: qcom: Put child node before return
+
+From: Pan Bian <bianpan2016@163.com>
+
+[ Upstream commit ac6ad7c2a862d682bb584a4bc904d89fa7721af8 ]
+
+Put child node before return to fix potential reference count leak.
+Generally, the reference count of child is incremented and decremented
+automatically in the macro for_each_available_child_of_node() and should
+be decremented manually if the loop is broken in loop body.
+
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Fixes: 335a12754808 ("bus: qcom: add EBI2 driver")
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Link: https://lore.kernel.org/r/20210121114907.109267-1-bianpan2016@163.com
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bus/qcom-ebi2.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/bus/qcom-ebi2.c b/drivers/bus/qcom-ebi2.c
+index a6444244c411..bfb67aa00bec 100644
+--- a/drivers/bus/qcom-ebi2.c
++++ b/drivers/bus/qcom-ebi2.c
+@@ -357,8 +357,10 @@ static int qcom_ebi2_probe(struct platform_device *pdev)
+
+ /* Figure out the chipselect */
+ ret = of_property_read_u32(child, "reg", &csindex);
+- if (ret)
++ if (ret) {
++ of_node_put(child);
+ return ret;
++ }
+
+ if (csindex > 5) {
+ dev_err(dev,
+--
+2.30.2
+
--- /dev/null
+From 5ebc27fd7654a7e9f4095e95186cfcf54954fee0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Apr 2021 10:01:03 +0100
+Subject: clk: uniphier: Fix potential infinite loop
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit f6b1340dc751a6caa2a0567b667d0f4f4172cd58 ]
+
+The for-loop iterates with a u8 loop counter i and compares this
+with the loop upper limit of num_parents that is an int type.
+There is a potential infinite loop if num_parents is larger than
+the u8 loop counter. Fix this by making the loop counter the same
+type as num_parents. Also make num_parents an unsigned int to
+match the return type of the call to clk_hw_get_num_parents.
+
+Addresses-Coverity: ("Infinite loop")
+Fixes: 734d82f4a678 ("clk: uniphier: add core support code for UniPhier clock driver")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Reviewed-by: Masahiro Yamada <masahiroy@kernel.org>
+Link: https://lore.kernel.org/r/20210409090104.629722-1-colin.king@canonical.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/uniphier/clk-uniphier-mux.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/uniphier/clk-uniphier-mux.c b/drivers/clk/uniphier/clk-uniphier-mux.c
+index 2c243a894f3b..3a52ab968ac2 100644
+--- a/drivers/clk/uniphier/clk-uniphier-mux.c
++++ b/drivers/clk/uniphier/clk-uniphier-mux.c
+@@ -40,10 +40,10 @@ static int uniphier_clk_mux_set_parent(struct clk_hw *hw, u8 index)
+ static u8 uniphier_clk_mux_get_parent(struct clk_hw *hw)
+ {
+ struct uniphier_clk_mux *mux = to_uniphier_clk_mux(hw);
+- int num_parents = clk_hw_get_num_parents(hw);
++ unsigned int num_parents = clk_hw_get_num_parents(hw);
+ int ret;
+ unsigned int val;
+- u8 i;
++ unsigned int i;
+
+ ret = regmap_read(mux->regmap, mux->reg, &val);
+ if (ret)
+--
+2.30.2
+
--- /dev/null
+From 1c3369d00d8e3d38584c5dfbbee250e2e1e0a870 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Mar 2021 23:40:00 -0400
+Subject: crypto: qat - ADF_STATUS_PF_RUNNING should be set after adf_dev_init
+
+From: Tong Zhang <ztong0001@gmail.com>
+
+[ Upstream commit 8609f5cfdc872fc3a462efa6a3eca5cb1e2f6446 ]
+
+ADF_STATUS_PF_RUNNING is (only) used and checked by adf_vf2pf_shutdown()
+before calling adf_iov_putmsg()->mutex_lock(vf2pf_lock), however the
+vf2pf_lock is initialized in adf_dev_init(), which can fail and when it
+fail, the vf2pf_lock is either not initialized or destroyed, a subsequent
+use of vf2pf_lock will cause issue.
+To fix this issue, only set this flag if adf_dev_init() returns 0.
+
+[ 7.178404] BUG: KASAN: user-memory-access in __mutex_lock.isra.0+0x1ac/0x7c0
+[ 7.180345] Call Trace:
+[ 7.182576] mutex_lock+0xc9/0xd0
+[ 7.183257] adf_iov_putmsg+0x118/0x1a0 [intel_qat]
+[ 7.183541] adf_vf2pf_shutdown+0x4d/0x7b [intel_qat]
+[ 7.183834] adf_dev_shutdown+0x172/0x2b0 [intel_qat]
+[ 7.184127] adf_probe+0x5e9/0x600 [qat_dh895xccvf]
+
+Signed-off-by: Tong Zhang <ztong0001@gmail.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Fixes: 25c6ffb249f6 ("crypto: qat - check if PF is running")
+Acked-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/qat/qat_c3xxxvf/adf_drv.c | 4 ++--
+ drivers/crypto/qat/qat_c62xvf/adf_drv.c | 4 ++--
+ drivers/crypto/qat/qat_dh895xccvf/adf_drv.c | 4 ++--
+ 3 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/crypto/qat/qat_c3xxxvf/adf_drv.c b/drivers/crypto/qat/qat_c3xxxvf/adf_drv.c
+index 0dd8d2dc2ec1..26931325dfa2 100644
+--- a/drivers/crypto/qat/qat_c3xxxvf/adf_drv.c
++++ b/drivers/crypto/qat/qat_c3xxxvf/adf_drv.c
+@@ -238,12 +238,12 @@ static int adf_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ if (ret)
+ goto out_err_free_reg;
+
+- set_bit(ADF_STATUS_PF_RUNNING, &accel_dev->status);
+-
+ ret = adf_dev_init(accel_dev);
+ if (ret)
+ goto out_err_dev_shutdown;
+
++ set_bit(ADF_STATUS_PF_RUNNING, &accel_dev->status);
++
+ ret = adf_dev_start(accel_dev);
+ if (ret)
+ goto out_err_dev_stop;
+diff --git a/drivers/crypto/qat/qat_c62xvf/adf_drv.c b/drivers/crypto/qat/qat_c62xvf/adf_drv.c
+index cd9e63468b18..722a06aac9fa 100644
+--- a/drivers/crypto/qat/qat_c62xvf/adf_drv.c
++++ b/drivers/crypto/qat/qat_c62xvf/adf_drv.c
+@@ -238,12 +238,12 @@ static int adf_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ if (ret)
+ goto out_err_free_reg;
+
+- set_bit(ADF_STATUS_PF_RUNNING, &accel_dev->status);
+-
+ ret = adf_dev_init(accel_dev);
+ if (ret)
+ goto out_err_dev_shutdown;
+
++ set_bit(ADF_STATUS_PF_RUNNING, &accel_dev->status);
++
+ ret = adf_dev_start(accel_dev);
+ if (ret)
+ goto out_err_dev_stop;
+diff --git a/drivers/crypto/qat/qat_dh895xccvf/adf_drv.c b/drivers/crypto/qat/qat_dh895xccvf/adf_drv.c
+index 15de9cbed3bf..cc3f5171a523 100644
+--- a/drivers/crypto/qat/qat_dh895xccvf/adf_drv.c
++++ b/drivers/crypto/qat/qat_dh895xccvf/adf_drv.c
+@@ -238,12 +238,12 @@ static int adf_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ if (ret)
+ goto out_err_free_reg;
+
+- set_bit(ADF_STATUS_PF_RUNNING, &accel_dev->status);
+-
+ ret = adf_dev_init(accel_dev);
+ if (ret)
+ goto out_err_dev_shutdown;
+
++ set_bit(ADF_STATUS_PF_RUNNING, &accel_dev->status);
++
+ ret = adf_dev_start(accel_dev);
+ if (ret)
+ goto out_err_dev_stop;
+--
+2.30.2
+
--- /dev/null
+From 216206fc01e7a65de262ed2e663bb41c450054d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Mar 2021 23:39:59 -0400
+Subject: crypto: qat - don't release uninitialized resources
+
+From: Tong Zhang <ztong0001@gmail.com>
+
+[ Upstream commit b66accaab3791e15ac99c92f236d0d3a6d5bd64e ]
+
+adf_vf_isr_resource_alloc() is not unwinding correctly when error
+happens and it want to release uninitialized resources.
+To fix this, only release initialized resources.
+
+[ 1.792845] Trying to free already-free IRQ 11
+[ 1.793091] WARNING: CPU: 0 PID: 182 at kernel/irq/manage.c:1821 free_irq+0x202/0x380
+[ 1.801340] Call Trace:
+[ 1.801477] adf_vf_isr_resource_free+0x32/0xb0 [intel_qat]
+[ 1.801785] adf_vf_isr_resource_alloc+0x14d/0x150 [intel_qat]
+[ 1.802105] adf_dev_init+0xba/0x140 [intel_qat]
+
+Signed-off-by: Tong Zhang <ztong0001@gmail.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Fixes: dd0f368398ea ("crypto: qat - Add qat dh895xcc VF driver")
+Acked-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/qat/qat_common/adf_vf_isr.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/crypto/qat/qat_common/adf_vf_isr.c b/drivers/crypto/qat/qat_common/adf_vf_isr.c
+index bf99e11a3403..4c1217ba83ae 100644
+--- a/drivers/crypto/qat/qat_common/adf_vf_isr.c
++++ b/drivers/crypto/qat/qat_common/adf_vf_isr.c
+@@ -304,17 +304,26 @@ int adf_vf_isr_resource_alloc(struct adf_accel_dev *accel_dev)
+ goto err_out;
+
+ if (adf_setup_pf2vf_bh(accel_dev))
+- goto err_out;
++ goto err_disable_msi;
+
+ if (adf_setup_bh(accel_dev))
+- goto err_out;
++ goto err_cleanup_pf2vf_bh;
+
+ if (adf_request_msi_irq(accel_dev))
+- goto err_out;
++ goto err_cleanup_bh;
+
+ return 0;
++
++err_cleanup_bh:
++ adf_cleanup_bh(accel_dev);
++
++err_cleanup_pf2vf_bh:
++ adf_cleanup_pf2vf_bh(accel_dev);
++
++err_disable_msi:
++ adf_disable_msi(accel_dev);
++
+ err_out:
+- adf_vf_isr_resource_free(accel_dev);
+ return -EFAULT;
+ }
+ EXPORT_SYMBOL_GPL(adf_vf_isr_resource_alloc);
+--
+2.30.2
+
--- /dev/null
+From 2c3f2a1b9ba871169ef1e8d22e4c22c4738a2cca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Apr 2021 10:13:48 -0700
+Subject: crypto: qat - Fix a double free in adf_create_ring
+
+From: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+
+[ Upstream commit f7cae626cabb3350b23722b78fe34dd7a615ca04 ]
+
+In adf_create_ring, if the callee adf_init_ring() failed, the callee will
+free the ring->base_addr by dma_free_coherent() and return -EFAULT. Then
+adf_create_ring will goto err and the ring->base_addr will be freed again
+in adf_cleanup_ring().
+
+My patch sets ring->base_addr to NULL after the first freed to avoid the
+double free.
+
+Fixes: a672a9dc872ec ("crypto: qat - Intel(R) QAT transport code")
+Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/qat/qat_common/adf_transport.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/crypto/qat/qat_common/adf_transport.c b/drivers/crypto/qat/qat_common/adf_transport.c
+index 57d2622728a5..4c0067f8c079 100644
+--- a/drivers/crypto/qat/qat_common/adf_transport.c
++++ b/drivers/crypto/qat/qat_common/adf_transport.c
+@@ -197,6 +197,7 @@ static int adf_init_ring(struct adf_etr_ring_data *ring)
+ dev_err(&GET_DEV(accel_dev), "Ring address not aligned\n");
+ dma_free_coherent(&GET_DEV(accel_dev), ring_size_bytes,
+ ring->base_addr, ring->dma_addr);
++ ring->base_addr = NULL;
+ return -EFAULT;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From e346988ed633b79889f075a62b2ee15ef24f3f04 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Mar 2021 08:34:18 +0000
+Subject: crypto: qat - fix error path in adf_isr_resource_alloc()
+
+From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+
+[ Upstream commit 83dc1173d73f80cbce2fee4d308f51f87b2f26ae ]
+
+The function adf_isr_resource_alloc() is not unwinding correctly in case
+of error.
+This patch fixes the error paths and propagate the errors to the caller.
+
+Fixes: 7afa232e76ce ("crypto: qat - Intel(R) QAT DH895xcc accelerator")
+Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Reviewed-by: Marco Chiappero <marco.chiappero@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/qat/qat_common/adf_isr.c | 29 ++++++++++++++++++-------
+ 1 file changed, 21 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/crypto/qat/qat_common/adf_isr.c b/drivers/crypto/qat/qat_common/adf_isr.c
+index 06d49017a52b..2c0be14309cf 100644
+--- a/drivers/crypto/qat/qat_common/adf_isr.c
++++ b/drivers/crypto/qat/qat_common/adf_isr.c
+@@ -330,19 +330,32 @@ int adf_isr_resource_alloc(struct adf_accel_dev *accel_dev)
+
+ ret = adf_isr_alloc_msix_entry_table(accel_dev);
+ if (ret)
+- return ret;
+- if (adf_enable_msix(accel_dev))
+ goto err_out;
+
+- if (adf_setup_bh(accel_dev))
+- goto err_out;
++ ret = adf_enable_msix(accel_dev);
++ if (ret)
++ goto err_free_msix_table;
+
+- if (adf_request_irqs(accel_dev))
+- goto err_out;
++ ret = adf_setup_bh(accel_dev);
++ if (ret)
++ goto err_disable_msix;
++
++ ret = adf_request_irqs(accel_dev);
++ if (ret)
++ goto err_cleanup_bh;
+
+ return 0;
++
++err_cleanup_bh:
++ adf_cleanup_bh(accel_dev);
++
++err_disable_msix:
++ adf_disable_msix(&accel_dev->accel_pci_dev);
++
++err_free_msix_table:
++ adf_isr_free_msix_entry_table(accel_dev);
++
+ err_out:
+- adf_isr_resource_free(accel_dev);
+- return -EFAULT;
++ return ret;
+ }
+ EXPORT_SYMBOL_GPL(adf_isr_resource_alloc);
+--
+2.30.2
+
--- /dev/null
+From 8146d820618bee3dafa668ab3ba9b633b086d9c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Apr 2021 21:48:09 -0700
+Subject: Drivers: hv: vmbus: Increase wait time for VMbus unload
+
+From: Michael Kelley <mikelley@microsoft.com>
+
+[ Upstream commit 77db0ec8b7764cb9b09b78066ebfd47b2c0c1909 ]
+
+When running in Azure, disks may be connected to a Linux VM with
+read/write caching enabled. If a VM panics and issues a VMbus
+UNLOAD request to Hyper-V, the response is delayed until all dirty
+data in the disk cache is flushed. In extreme cases, this flushing
+can take 10's of seconds, depending on the disk speed and the amount
+of dirty data. If kdump is configured for the VM, the current 10 second
+timeout in vmbus_wait_for_unload() may be exceeded, and the UNLOAD
+complete message may arrive well after the kdump kernel is already
+running, causing problems. Note that no problem occurs if kdump is
+not enabled because Hyper-V waits for the cache flush before doing
+a reboot through the BIOS/UEFI code.
+
+Fix this problem by increasing the timeout in vmbus_wait_for_unload()
+to 100 seconds. Also output periodic messages so that if anyone is
+watching the serial console, they won't think the VM is completely
+hung.
+
+Fixes: 911e1987efc8 ("Drivers: hv: vmbus: Add timeout to vmbus_wait_for_unload")
+Signed-off-by: Michael Kelley <mikelley@microsoft.com>
+Reviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Link: https://lore.kernel.org/r/1618894089-126662-1-git-send-email-mikelley@microsoft.com
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hv/channel_mgmt.c | 30 +++++++++++++++++++++++++-----
+ 1 file changed, 25 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c
+index 7bf5e2fe1751..60c122b355ea 100644
+--- a/drivers/hv/channel_mgmt.c
++++ b/drivers/hv/channel_mgmt.c
+@@ -675,6 +675,12 @@ static void init_vp_index(struct vmbus_channel *channel, u16 dev_type)
+ channel->target_vp = hv_context.vp_index[cur_cpu];
+ }
+
++#define UNLOAD_DELAY_UNIT_MS 10 /* 10 milliseconds */
++#define UNLOAD_WAIT_MS (100*1000) /* 100 seconds */
++#define UNLOAD_WAIT_LOOPS (UNLOAD_WAIT_MS/UNLOAD_DELAY_UNIT_MS)
++#define UNLOAD_MSG_MS (5*1000) /* Every 5 seconds */
++#define UNLOAD_MSG_LOOPS (UNLOAD_MSG_MS/UNLOAD_DELAY_UNIT_MS)
++
+ static void vmbus_wait_for_unload(void)
+ {
+ int cpu;
+@@ -692,12 +698,17 @@ static void vmbus_wait_for_unload(void)
+ * vmbus_connection.unload_event. If not, the last thing we can do is
+ * read message pages for all CPUs directly.
+ *
+- * Wait no more than 10 seconds so that the panic path can't get
+- * hung forever in case the response message isn't seen.
++ * Wait up to 100 seconds since an Azure host must writeback any dirty
++ * data in its disk cache before the VMbus UNLOAD request will
++ * complete. This flushing has been empirically observed to take up
++ * to 50 seconds in cases with a lot of dirty data, so allow additional
++ * leeway and for inaccuracies in mdelay(). But eventually time out so
++ * that the panic path can't get hung forever in case the response
++ * message isn't seen.
+ */
+- for (i = 0; i < 1000; i++) {
++ for (i = 1; i <= UNLOAD_WAIT_LOOPS; i++) {
+ if (completion_done(&vmbus_connection.unload_event))
+- break;
++ goto completed;
+
+ for_each_online_cpu(cpu) {
+ page_addr = hv_context.synic_message_page[cpu];
+@@ -717,9 +728,18 @@ static void vmbus_wait_for_unload(void)
+ vmbus_signal_eom(msg, message_type);
+ }
+
+- mdelay(10);
++ /*
++ * Give a notice periodically so someone watching the
++ * serial output won't think it is completely hung.
++ */
++ if (!(i % UNLOAD_MSG_LOOPS))
++ pr_notice("Waiting for VMBus UNLOAD to complete\n");
++
++ mdelay(UNLOAD_DELAY_UNIT_MS);
+ }
++ pr_err("Continuing even though VMBus UNLOAD did not complete\n");
+
++completed:
+ /*
+ * We're crashing and already got the UNLOAD_RESPONSE, cleanup all
+ * maybe-pending messages on all CPUs to be able to receive new
+--
+2.30.2
+
--- /dev/null
+From 5c652ab84c2eb45c52dbefc032ab0977e179dbeb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Apr 2021 05:42:00 -0400
+Subject: firmware: qcom-scm: Fix QCOM_SCM configuration
+
+From: He Ying <heying24@huawei.com>
+
+[ Upstream commit 2954a6f12f250890ec2433cec03ba92784d613e8 ]
+
+When CONFIG_QCOM_SCM is y and CONFIG_HAVE_ARM_SMCCC
+is not set, compiling errors are encountered as follows:
+
+drivers/firmware/qcom_scm-smc.o: In function `__scm_smc_do_quirk':
+qcom_scm-smc.c:(.text+0x36): undefined reference to `__arm_smccc_smc'
+drivers/firmware/qcom_scm-legacy.o: In function `scm_legacy_call':
+qcom_scm-legacy.c:(.text+0xe2): undefined reference to `__arm_smccc_smc'
+drivers/firmware/qcom_scm-legacy.o: In function `scm_legacy_call_atomic':
+qcom_scm-legacy.c:(.text+0x1f0): undefined reference to `__arm_smccc_smc'
+
+Note that __arm_smccc_smc is defined when HAVE_ARM_SMCCC is y.
+So add dependency on HAVE_ARM_SMCCC in QCOM_SCM configuration.
+
+Fixes: 916f743da354 ("firmware: qcom: scm: Move the scm driver to drivers/firmware")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: He Ying <heying24@huawei.com>
+Link: https://lore.kernel.org/r/20210406094200.60952-1-heying24@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/firmware/Kconfig b/drivers/firmware/Kconfig
+index 854df538ae01..1fc29fca27c8 100644
+--- a/drivers/firmware/Kconfig
++++ b/drivers/firmware/Kconfig
+@@ -194,6 +194,7 @@ config FW_CFG_SYSFS_CMDLINE
+ config QCOM_SCM
+ bool
+ depends on ARM || ARM64
++ depends on HAVE_ARM_SMCCC
+ select RESET_CONTROLLER
+
+ config QCOM_SCM_32
+--
+2.30.2
+
--- /dev/null
+From 67f288323ed5bcb6eb129d262f5544b5ee1db846 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Mar 2021 15:11:15 +0100
+Subject: fotg210-udc: Complete OUT requests on short packets
+
+From: Fabian Vogt <fabian@ritter-vogt.de>
+
+[ Upstream commit 75bb93be0027123b5db6cbcce89eb62f0f6b3c5b ]
+
+A short packet indicates the end of a transfer and marks the request as
+complete.
+
+Fixes: b84a8dee23fd ("usb: gadget: add Faraday fotg210_udc driver")
+Signed-off-by: Fabian Vogt <fabian@ritter-vogt.de>
+Link: https://lore.kernel.org/r/20210324141115.9384-8-fabian@ritter-vogt.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/fotg210-udc.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/gadget/udc/fotg210-udc.c b/drivers/usb/gadget/udc/fotg210-udc.c
+index b2910bc65e51..9e102ba9cf66 100644
+--- a/drivers/usb/gadget/udc/fotg210-udc.c
++++ b/drivers/usb/gadget/udc/fotg210-udc.c
+@@ -856,12 +856,16 @@ static void fotg210_out_fifo_handler(struct fotg210_ep *ep)
+ {
+ struct fotg210_request *req = list_entry(ep->queue.next,
+ struct fotg210_request, queue);
++ int disgr1 = ioread32(ep->fotg210->reg + FOTG210_DISGR1);
+
+ fotg210_start_dma(ep, req);
+
+- /* finish out transfer */
++ /* Complete the request when it's full or a short packet arrived.
++ * Like other drivers, short_not_ok isn't handled.
++ */
++
+ if (req->req.length == req->req.actual ||
+- req->req.actual < ep->ep.maxpacket)
++ (disgr1 & DISGR1_SPK_INT(ep->epnum - 1)))
+ fotg210_done(ep, req, 0);
+ }
+
+--
+2.30.2
+
--- /dev/null
+From c3c38392a99b68ccc318cef0346a1fa3283e3329 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Mar 2021 15:11:14 +0100
+Subject: fotg210-udc: Don't DMA more than the buffer can take
+
+From: Fabian Vogt <fabian@ritter-vogt.de>
+
+[ Upstream commit 3e7c2510bdfe89a9ec223dd7acd6bfc8bb1cbeb6 ]
+
+Before this, it wrote as much as available into the buffer, even if it
+didn't fit.
+
+Fixes: b84a8dee23fd ("usb: gadget: add Faraday fotg210_udc driver")
+Signed-off-by: Fabian Vogt <fabian@ritter-vogt.de>
+Link: https://lore.kernel.org/r/20210324141115.9384-7-fabian@ritter-vogt.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/fotg210-udc.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/gadget/udc/fotg210-udc.c b/drivers/usb/gadget/udc/fotg210-udc.c
+index 491b04dd6db7..b2910bc65e51 100644
+--- a/drivers/usb/gadget/udc/fotg210-udc.c
++++ b/drivers/usb/gadget/udc/fotg210-udc.c
+@@ -340,8 +340,9 @@ static void fotg210_start_dma(struct fotg210_ep *ep,
+ } else {
+ buffer = req->req.buf + req->req.actual;
+ length = ioread32(ep->fotg210->reg +
+- FOTG210_FIBCR(ep->epnum - 1));
+- length &= FIBCR_BCFX;
++ FOTG210_FIBCR(ep->epnum - 1)) & FIBCR_BCFX;
++ if (length > req->req.length - req->req.actual)
++ length = req->req.length - req->req.actual;
+ }
+ } else {
+ buffer = req->req.buf + req->req.actual;
+--
+2.30.2
+
--- /dev/null
+From f2f2fd48b54517db26d168f89a64a393031a3c53 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Mar 2021 15:11:09 +0100
+Subject: fotg210-udc: Fix DMA on EP0 for length > max packet size
+
+From: Fabian Vogt <fabian@ritter-vogt.de>
+
+[ Upstream commit 755915fc28edfc608fa89a163014acb2f31c1e19 ]
+
+For a 75 Byte request, it would send the first 64 separately, then detect
+that the remaining 11 Byte fit into a single DMA, but due to this bug set
+the length to the original 75 Bytes. This leads to a DMA failure (which is
+ignored...) and the request completes without the remaining bytes having
+been sent.
+
+Fixes: b84a8dee23fd ("usb: gadget: add Faraday fotg210_udc driver")
+Signed-off-by: Fabian Vogt <fabian@ritter-vogt.de>
+Link: https://lore.kernel.org/r/20210324141115.9384-2-fabian@ritter-vogt.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/fotg210-udc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/udc/fotg210-udc.c b/drivers/usb/gadget/udc/fotg210-udc.c
+index 76e991557116..7831c556a40b 100644
+--- a/drivers/usb/gadget/udc/fotg210-udc.c
++++ b/drivers/usb/gadget/udc/fotg210-udc.c
+@@ -348,7 +348,7 @@ static void fotg210_start_dma(struct fotg210_ep *ep,
+ if (req->req.length - req->req.actual > ep->ep.maxpacket)
+ length = ep->ep.maxpacket;
+ else
+- length = req->req.length;
++ length = req->req.length - req->req.actual;
+ }
+
+ d = dma_map_single(NULL, buffer, length,
+--
+2.30.2
+
--- /dev/null
+From 1808c22faa8f98d60c97909da52c16c1ab1f5814 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Mar 2021 15:11:10 +0100
+Subject: fotg210-udc: Fix EP0 IN requests bigger than two packets
+
+From: Fabian Vogt <fabian@ritter-vogt.de>
+
+[ Upstream commit 078ba935651e149c92c41161e0322e3372cc2705 ]
+
+For a 134 Byte packet, it sends the first two 64 Byte packets just fine,
+but then notice that less than a packet is remaining and call fotg210_done
+without actually sending the rest.
+
+Fixes: b84a8dee23fd ("usb: gadget: add Faraday fotg210_udc driver")
+Signed-off-by: Fabian Vogt <fabian@ritter-vogt.de>
+Link: https://lore.kernel.org/r/20210324141115.9384-3-fabian@ritter-vogt.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/fotg210-udc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/udc/fotg210-udc.c b/drivers/usb/gadget/udc/fotg210-udc.c
+index 7831c556a40b..1eda6fc750c1 100644
+--- a/drivers/usb/gadget/udc/fotg210-udc.c
++++ b/drivers/usb/gadget/udc/fotg210-udc.c
+@@ -827,7 +827,7 @@ static void fotg210_ep0in(struct fotg210_udc *fotg210)
+ if (req->req.length)
+ fotg210_start_dma(ep, req);
+
+- if ((req->req.length - req->req.actual) < ep->ep.maxpacket)
++ if (req->req.actual == req->req.length)
+ fotg210_done(ep, req, 0);
+ } else {
+ fotg210_set_cxdone(fotg210);
+--
+2.30.2
+
--- /dev/null
+From 16b6953c697132f85b22415ea785f5978a47424b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Mar 2021 15:11:12 +0100
+Subject: fotg210-udc: Mask GRP2 interrupts we don't handle
+
+From: Fabian Vogt <fabian@ritter-vogt.de>
+
+[ Upstream commit 9aee3a23d6455200702f3a57e731fa11e8408667 ]
+
+Currently it leaves unhandled interrupts unmasked, but those are never
+acked. In the case of a "device idle" interrupt, this leads to an
+effectively frozen system until plugging it in.
+
+Fixes: b84a8dee23fd ("usb: gadget: add Faraday fotg210_udc driver")
+Signed-off-by: Fabian Vogt <fabian@ritter-vogt.de>
+Link: https://lore.kernel.org/r/20210324141115.9384-5-fabian@ritter-vogt.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/fotg210-udc.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/usb/gadget/udc/fotg210-udc.c b/drivers/usb/gadget/udc/fotg210-udc.c
+index d0a9ce7d0635..491b04dd6db7 100644
+--- a/drivers/usb/gadget/udc/fotg210-udc.c
++++ b/drivers/usb/gadget/udc/fotg210-udc.c
+@@ -1033,6 +1033,12 @@ static void fotg210_init(struct fotg210_udc *fotg210)
+ value &= ~DMCR_GLINT_EN;
+ iowrite32(value, fotg210->reg + FOTG210_DMCR);
+
++ /* enable only grp2 irqs we handle */
++ iowrite32(~(DISGR2_DMA_ERROR | DISGR2_RX0BYTE_INT | DISGR2_TX0BYTE_INT
++ | DISGR2_ISO_SEQ_ABORT_INT | DISGR2_ISO_SEQ_ERR_INT
++ | DISGR2_RESM_INT | DISGR2_SUSP_INT | DISGR2_USBRST_INT),
++ fotg210->reg + FOTG210_DMISGR2);
++
+ /* disable all fifo interrupt */
+ iowrite32(~(u32)0, fotg210->reg + FOTG210_DMISGR1);
+
+--
+2.30.2
+
--- /dev/null
+From 6ef595dce6385aaadcdc2a53e208db12cb9e62ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Mar 2021 15:11:11 +0100
+Subject: fotg210-udc: Remove a dubious condition leading to fotg210_done
+
+From: Fabian Vogt <fabian@ritter-vogt.de>
+
+[ Upstream commit c7f755b243494d6043aadcd9a2989cb157958b95 ]
+
+When the EP0 IN request was not completed but less than a packet sent,
+it would complete the request successfully. That doesn't make sense
+and can't really happen as fotg210_start_dma always sends
+min(length, maxpkt) bytes.
+
+Fixes: b84a8dee23fd ("usb: gadget: add Faraday fotg210_udc driver")
+Signed-off-by: Fabian Vogt <fabian@ritter-vogt.de>
+Link: https://lore.kernel.org/r/20210324141115.9384-4-fabian@ritter-vogt.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/fotg210-udc.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/usb/gadget/udc/fotg210-udc.c b/drivers/usb/gadget/udc/fotg210-udc.c
+index 1eda6fc750c1..d0a9ce7d0635 100644
+--- a/drivers/usb/gadget/udc/fotg210-udc.c
++++ b/drivers/usb/gadget/udc/fotg210-udc.c
+@@ -385,8 +385,7 @@ static void fotg210_ep0_queue(struct fotg210_ep *ep,
+ }
+ if (ep->dir_in) { /* if IN */
+ fotg210_start_dma(ep, req);
+- if ((req->req.length == req->req.actual) ||
+- (req->req.actual < ep->ep.maxpacket))
++ if (req->req.length == req->req.actual)
+ fotg210_done(ep, req, 0);
+ } else { /* OUT */
+ u32 value = ioread32(ep->fotg210->reg + FOTG210_DMISGR0);
+--
+2.30.2
+
--- /dev/null
+From d33a8399f6f8ad38cc16fd997f5c0352aa89683c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 7 Feb 2021 16:47:40 +0200
+Subject: HID: plantronics: Workaround for double volume key presses
+
+From: Maxim Mikityanskiy <maxtram95@gmail.com>
+
+[ Upstream commit f567d6ef8606fb427636e824c867229ecb5aefab ]
+
+Plantronics Blackwire 3220 Series (047f:c056) sends HID reports twice
+for each volume key press. This patch adds a quirk to hid-plantronics
+for this product ID, which will ignore the second volume key press if
+it happens within 5 ms from the last one that was handled.
+
+The patch was tested on the mentioned model only, it shouldn't affect
+other models, however, this quirk might be needed for them too.
+Auto-repeat (when a key is held pressed) is not affected, because the
+rate is about 3 times per second, which is far less frequent than once
+in 5 ms.
+
+Fixes: 81bb773faed7 ("HID: plantronics: Update to map volume up/down controls")
+Signed-off-by: Maxim Mikityanskiy <maxtram95@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-ids.h | 1 +
+ drivers/hid/hid-plantronics.c | 60 +++++++++++++++++++++++++++++++++--
+ include/linux/hid.h | 2 ++
+ 3 files changed, 61 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
+index c4a53fc648e9..1f641870d860 100644
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -816,6 +816,7 @@
+ #define USB_DEVICE_ID_ORTEK_WKB2000 0x2000
+
+ #define USB_VENDOR_ID_PLANTRONICS 0x047f
++#define USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3220_SERIES 0xc056
+
+ #define USB_VENDOR_ID_PANASONIC 0x04da
+ #define USB_DEVICE_ID_PANABOARD_UBT780 0x1044
+diff --git a/drivers/hid/hid-plantronics.c b/drivers/hid/hid-plantronics.c
+index 584b10d3fc3d..460711c1124a 100644
+--- a/drivers/hid/hid-plantronics.c
++++ b/drivers/hid/hid-plantronics.c
+@@ -16,6 +16,7 @@
+
+ #include <linux/hid.h>
+ #include <linux/module.h>
++#include <linux/jiffies.h>
+
+ #define PLT_HID_1_0_PAGE 0xffa00000
+ #define PLT_HID_2_0_PAGE 0xffa20000
+@@ -39,6 +40,16 @@
+ #define PLT_ALLOW_CONSUMER (field->application == HID_CP_CONSUMERCONTROL && \
+ (usage->hid & HID_USAGE_PAGE) == HID_UP_CONSUMER)
+
++#define PLT_QUIRK_DOUBLE_VOLUME_KEYS BIT(0)
++
++#define PLT_DOUBLE_KEY_TIMEOUT 5 /* ms */
++
++struct plt_drv_data {
++ unsigned long device_type;
++ unsigned long last_volume_key_ts;
++ u32 quirks;
++};
++
+ static int plantronics_input_mapping(struct hid_device *hdev,
+ struct hid_input *hi,
+ struct hid_field *field,
+@@ -46,7 +57,8 @@ static int plantronics_input_mapping(struct hid_device *hdev,
+ unsigned long **bit, int *max)
+ {
+ unsigned short mapped_key;
+- unsigned long plt_type = (unsigned long)hid_get_drvdata(hdev);
++ struct plt_drv_data *drv_data = hid_get_drvdata(hdev);
++ unsigned long plt_type = drv_data->device_type;
+
+ /* special case for PTT products */
+ if (field->application == HID_GD_JOYSTICK)
+@@ -108,6 +120,30 @@ mapped:
+ return 1;
+ }
+
++static int plantronics_event(struct hid_device *hdev, struct hid_field *field,
++ struct hid_usage *usage, __s32 value)
++{
++ struct plt_drv_data *drv_data = hid_get_drvdata(hdev);
++
++ if (drv_data->quirks & PLT_QUIRK_DOUBLE_VOLUME_KEYS) {
++ unsigned long prev_ts, cur_ts;
++
++ /* Usages are filtered in plantronics_usages. */
++
++ if (!value) /* Handle key presses only. */
++ return 0;
++
++ prev_ts = drv_data->last_volume_key_ts;
++ cur_ts = jiffies;
++ if (jiffies_to_msecs(cur_ts - prev_ts) <= PLT_DOUBLE_KEY_TIMEOUT)
++ return 1; /* Ignore the repeated key. */
++
++ drv_data->last_volume_key_ts = cur_ts;
++ }
++
++ return 0;
++}
++
+ static unsigned long plantronics_device_type(struct hid_device *hdev)
+ {
+ unsigned i, col_page;
+@@ -136,15 +172,24 @@ exit:
+ static int plantronics_probe(struct hid_device *hdev,
+ const struct hid_device_id *id)
+ {
++ struct plt_drv_data *drv_data;
+ int ret;
+
++ drv_data = devm_kzalloc(&hdev->dev, sizeof(*drv_data), GFP_KERNEL);
++ if (!drv_data)
++ return -ENOMEM;
++
+ ret = hid_parse(hdev);
+ if (ret) {
+ hid_err(hdev, "parse failed\n");
+ goto err;
+ }
+
+- hid_set_drvdata(hdev, (void *)plantronics_device_type(hdev));
++ drv_data->device_type = plantronics_device_type(hdev);
++ drv_data->quirks = id->driver_data;
++ drv_data->last_volume_key_ts = jiffies - msecs_to_jiffies(PLT_DOUBLE_KEY_TIMEOUT);
++
++ hid_set_drvdata(hdev, drv_data);
+
+ ret = hid_hw_start(hdev, HID_CONNECT_DEFAULT |
+ HID_CONNECT_HIDINPUT_FORCE | HID_CONNECT_HIDDEV_FORCE);
+@@ -156,15 +201,26 @@ err:
+ }
+
+ static const struct hid_device_id plantronics_devices[] = {
++ { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS,
++ USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3220_SERIES),
++ .driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS },
+ { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, HID_ANY_ID) },
+ { }
+ };
+ MODULE_DEVICE_TABLE(hid, plantronics_devices);
+
++static const struct hid_usage_id plantronics_usages[] = {
++ { HID_CP_VOLUMEUP, EV_KEY, HID_ANY_ID },
++ { HID_CP_VOLUMEDOWN, EV_KEY, HID_ANY_ID },
++ { HID_TERMINATOR, HID_TERMINATOR, HID_TERMINATOR }
++};
++
+ static struct hid_driver plantronics_driver = {
+ .name = "plantronics",
+ .id_table = plantronics_devices,
++ .usage_table = plantronics_usages,
+ .input_mapping = plantronics_input_mapping,
++ .event = plantronics_event,
+ .probe = plantronics_probe,
+ };
+ module_hid_driver(plantronics_driver);
+diff --git a/include/linux/hid.h b/include/linux/hid.h
+index 981657075f05..41c372573a28 100644
+--- a/include/linux/hid.h
++++ b/include/linux/hid.h
+@@ -248,6 +248,8 @@ struct hid_item {
+ #define HID_CP_SELECTION 0x000c0080
+ #define HID_CP_MEDIASELECTION 0x000c0087
+ #define HID_CP_SELECTDISC 0x000c00ba
++#define HID_CP_VOLUMEUP 0x000c00e9
++#define HID_CP_VOLUMEDOWN 0x000c00ea
+ #define HID_CP_PLAYBACKSPEED 0x000c00f1
+ #define HID_CP_PROXIMITY 0x000c0109
+ #define HID_CP_SPEAKERSYSTEM 0x000c0160
+--
+2.30.2
+
--- /dev/null
+From e40a3cebd997f574d6b0b651ed382f842a605dee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Apr 2021 14:08:17 +0300
+Subject: HSI: core: fix resource leaks in hsi_add_client_from_dt()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 5c08b0f75575648032f309a6f58294453423ed93 ]
+
+If some of the allocations fail between the dev_set_name() and the
+device_register() then the name will not be freed. Fix this by
+moving dev_set_name() directly in front of the call to device_register().
+
+Fixes: a2aa24734d9d ("HSI: Add common DT binding for HSI client devices")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hsi/hsi_core.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/hsi/hsi_core.c b/drivers/hsi/hsi_core.c
+index c2a2a9795b0b..e9d63b966caf 100644
+--- a/drivers/hsi/hsi_core.c
++++ b/drivers/hsi/hsi_core.c
+@@ -223,8 +223,6 @@ static void hsi_add_client_from_dt(struct hsi_port *port,
+ if (err)
+ goto err;
+
+- dev_set_name(&cl->device, "%s", name);
+-
+ err = hsi_of_property_parse_mode(client, "hsi-mode", &mode);
+ if (err) {
+ err = hsi_of_property_parse_mode(client, "hsi-rx-mode",
+@@ -307,6 +305,7 @@ static void hsi_add_client_from_dt(struct hsi_port *port,
+ cl->device.release = hsi_client_release;
+ cl->device.of_node = client;
+
++ dev_set_name(&cl->device, "%s", name);
+ if (device_register(&cl->device) < 0) {
+ pr_err("hsi: failed to register client: %s\n", name);
+ put_device(&cl->device);
+--
+2.30.2
+
--- /dev/null
+From f2fa07ac28853b2f25c86fd8ab2626939bdc3541 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 Apr 2021 23:14:35 +0300
+Subject: i2c: cadence: add IRQ check
+
+From: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+
+[ Upstream commit 5581c2c5d02bc63a0edb53e061c8e97cd490646e ]
+
+The driver neglects to check the result of platform_get_irq()'s call and
+blithely passes the negative error codes to devm_request_irq() (which
+takes *unsigned* IRQ #), causing it to fail with -EINVAL, overriding
+an original error code. Stop calling devm_request_irq() with invalid
+IRQ #s.
+
+Fixes: df8eb5691c48 ("i2c: Add driver for Cadence I2C controller")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-cadence.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/i2c/busses/i2c-cadence.c b/drivers/i2c/busses/i2c-cadence.c
+index 45d6771fac8c..23ee1a423654 100644
+--- a/drivers/i2c/busses/i2c-cadence.c
++++ b/drivers/i2c/busses/i2c-cadence.c
+@@ -908,7 +908,10 @@ static int cdns_i2c_probe(struct platform_device *pdev)
+ if (IS_ERR(id->membase))
+ return PTR_ERR(id->membase);
+
+- id->irq = platform_get_irq(pdev, 0);
++ ret = platform_get_irq(pdev, 0);
++ if (ret < 0)
++ return ret;
++ id->irq = ret;
+
+ id->adap.owner = THIS_MODULE;
+ id->adap.dev.of_node = pdev->dev.of_node;
+--
+2.30.2
+
--- /dev/null
+From a43baeb1971eb298e6891016c23857fdf4e95c72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 Apr 2021 23:16:41 +0300
+Subject: i2c: emev2: add IRQ check
+
+From: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+
+[ Upstream commit bb6129c32867baa7988f7fd2066cf18ed662d240 ]
+
+The driver neglects to check the result of platform_get_irq()'s call and
+blithely passes the negative error codes to devm_request_irq() (which
+takes *unsigned* IRQ #), causing it to fail with -EINVAL, overriding
+an original error code. Stop calling devm_request_irq() with invalid
+IRQ #s.
+
+Fixes: 5faf6e1f58b4 ("i2c: emev2: add driver")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-emev2.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/i2c/busses/i2c-emev2.c b/drivers/i2c/busses/i2c-emev2.c
+index 0218ba6eb26a..ad33c1e3a30f 100644
+--- a/drivers/i2c/busses/i2c-emev2.c
++++ b/drivers/i2c/busses/i2c-emev2.c
+@@ -398,7 +398,10 @@ static int em_i2c_probe(struct platform_device *pdev)
+
+ em_i2c_reset(&priv->adap);
+
+- priv->irq = platform_get_irq(pdev, 0);
++ ret = platform_get_irq(pdev, 0);
++ if (ret < 0)
++ goto err_clk;
++ priv->irq = ret;
+ ret = devm_request_irq(&pdev->dev, priv->irq, em_i2c_irq_handler, 0,
+ "em_i2c", priv);
+ if (ret)
+--
+2.30.2
+
--- /dev/null
+From c1eb165048322f540e78c7d8bc5a06e9dfaaa299 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 Apr 2021 23:18:31 +0300
+Subject: i2c: jz4780: add IRQ check
+
+From: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+
+[ Upstream commit c5e5f7a8d931fb4beba245bdbc94734175fda9de ]
+
+The driver neglects to check the result of platform_get_irq()'s call and
+blithely passes the negative error codes to devm_request_irq() (which
+takes *unsigned* IRQ #), causing it to fail with -EINVAL, overriding
+an original error code. Stop calling devm_request_irq() with invalid
+IRQ #s.
+
+Fixes: ba92222ed63a ("i2c: jz4780: Add i2c bus controller driver for Ingenic JZ4780")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-jz4780.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/i2c/busses/i2c-jz4780.c b/drivers/i2c/busses/i2c-jz4780.c
+index 41ca9ff7b5da..4dd800c0db14 100644
+--- a/drivers/i2c/busses/i2c-jz4780.c
++++ b/drivers/i2c/busses/i2c-jz4780.c
+@@ -760,7 +760,10 @@ static int jz4780_i2c_probe(struct platform_device *pdev)
+
+ jz4780_i2c_writew(i2c, JZ4780_I2C_INTM, 0x0);
+
+- i2c->irq = platform_get_irq(pdev, 0);
++ ret = platform_get_irq(pdev, 0);
++ if (ret < 0)
++ goto err;
++ i2c->irq = ret;
+ ret = devm_request_irq(&pdev->dev, i2c->irq, jz4780_i2c_irq, 0,
+ dev_name(&pdev->dev), i2c);
+ if (ret)
+--
+2.30.2
+
--- /dev/null
+From 62f26608426bdf9ce72b3f7c8426702692070674 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 Apr 2021 23:25:10 +0300
+Subject: i2c: sh7760: add IRQ check
+
+From: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+
+[ Upstream commit e5b2e3e742015dd2aa6bc7bcef2cb59b2de1221c ]
+
+The driver neglects to check the result of platform_get_irq()'s call and
+blithely passes the negative error codes to devm_request_irq() (which
+takes *unsigned* IRQ #), causing it to fail with -EINVAL, overriding
+an original error code. Stop calling devm_request_irq() with invalid
+IRQ #s.
+
+Fixes: a26c20b1fa6d ("i2c: Renesas SH7760 I2C master driver")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-sh7760.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/i2c/busses/i2c-sh7760.c b/drivers/i2c/busses/i2c-sh7760.c
+index c2005c789d2b..c79c9f542c5a 100644
+--- a/drivers/i2c/busses/i2c-sh7760.c
++++ b/drivers/i2c/busses/i2c-sh7760.c
+@@ -471,7 +471,10 @@ static int sh7760_i2c_probe(struct platform_device *pdev)
+ goto out2;
+ }
+
+- id->irq = platform_get_irq(pdev, 0);
++ ret = platform_get_irq(pdev, 0);
++ if (ret < 0)
++ return ret;
++ id->irq = ret;
+
+ id->adap.nr = pdev->id;
+ id->adap.algo = &sh7760_i2c_algo;
+--
+2.30.2
+
--- /dev/null
+From 0b524852b3cb89fe346fc6549db8750832e0c7e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Apr 2021 22:05:05 +0300
+Subject: i2c: sh7760: fix IRQ error path
+
+From: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+
+[ Upstream commit 92dfb27240fea2776f61c5422472cb6defca7767 ]
+
+While adding the invalid IRQ check after calling platform_get_irq(),
+I managed to overlook that the driver has a complex error path in its
+probe() method, thus a simple *return* couldn't be used. Use a proper
+*goto* instead!
+
+Fixes: e5b2e3e74201 ("i2c: sh7760: add IRQ check")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-sh7760.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/i2c/busses/i2c-sh7760.c b/drivers/i2c/busses/i2c-sh7760.c
+index c79c9f542c5a..319d1fa617c8 100644
+--- a/drivers/i2c/busses/i2c-sh7760.c
++++ b/drivers/i2c/busses/i2c-sh7760.c
+@@ -473,7 +473,7 @@ static int sh7760_i2c_probe(struct platform_device *pdev)
+
+ ret = platform_get_irq(pdev, 0);
+ if (ret < 0)
+- return ret;
++ goto out3;
+ id->irq = ret;
+
+ id->adap.nr = pdev->id;
+--
+2.30.2
+
--- /dev/null
+From 397027034d454e3ad94e49e88938860ee15d7de6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Apr 2021 22:54:15 -0700
+Subject: kfifo: fix ternary sign extension bugs
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 926ee00ea24320052b46745ef4b00d91c05bd03d ]
+
+The intent with this code was to return negative error codes but instead
+it returns positives.
+
+The problem is how type promotion works with ternary operations. These
+functions return long, "ret" is an int and "copied" is a u32. The
+negative error code is first cast to u32 so it becomes a high positive and
+then cast to long where it's still a positive.
+
+We could fix this by declaring "ret" as a ssize_t but let's just get rid
+of the ternaries instead.
+
+Link: https://lkml.kernel.org/r/YIE+/cK1tBzSuQPU@mwanda
+Fixes: 5bf2b19320ec ("kfifo: add example files to the kernel sample directory")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Stefani Seibold <stefani@seibold.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ samples/kfifo/bytestream-example.c | 8 ++++++--
+ samples/kfifo/inttype-example.c | 8 ++++++--
+ samples/kfifo/record-example.c | 8 ++++++--
+ 3 files changed, 18 insertions(+), 6 deletions(-)
+
+diff --git a/samples/kfifo/bytestream-example.c b/samples/kfifo/bytestream-example.c
+index 2fca916d9edf..a7f5ee8b6edc 100644
+--- a/samples/kfifo/bytestream-example.c
++++ b/samples/kfifo/bytestream-example.c
+@@ -124,8 +124,10 @@ static ssize_t fifo_write(struct file *file, const char __user *buf,
+ ret = kfifo_from_user(&test, buf, count, &copied);
+
+ mutex_unlock(&write_lock);
++ if (ret)
++ return ret;
+
+- return ret ? ret : copied;
++ return copied;
+ }
+
+ static ssize_t fifo_read(struct file *file, char __user *buf,
+@@ -140,8 +142,10 @@ static ssize_t fifo_read(struct file *file, char __user *buf,
+ ret = kfifo_to_user(&test, buf, count, &copied);
+
+ mutex_unlock(&read_lock);
++ if (ret)
++ return ret;
+
+- return ret ? ret : copied;
++ return copied;
+ }
+
+ static const struct file_operations fifo_fops = {
+diff --git a/samples/kfifo/inttype-example.c b/samples/kfifo/inttype-example.c
+index 8dc3c2e7105a..a326a37e9163 100644
+--- a/samples/kfifo/inttype-example.c
++++ b/samples/kfifo/inttype-example.c
+@@ -117,8 +117,10 @@ static ssize_t fifo_write(struct file *file, const char __user *buf,
+ ret = kfifo_from_user(&test, buf, count, &copied);
+
+ mutex_unlock(&write_lock);
++ if (ret)
++ return ret;
+
+- return ret ? ret : copied;
++ return copied;
+ }
+
+ static ssize_t fifo_read(struct file *file, char __user *buf,
+@@ -133,8 +135,10 @@ static ssize_t fifo_read(struct file *file, char __user *buf,
+ ret = kfifo_to_user(&test, buf, count, &copied);
+
+ mutex_unlock(&read_lock);
++ if (ret)
++ return ret;
+
+- return ret ? ret : copied;
++ return copied;
+ }
+
+ static const struct file_operations fifo_fops = {
+diff --git a/samples/kfifo/record-example.c b/samples/kfifo/record-example.c
+index 2d7529eeb294..deb87a2e4e6b 100644
+--- a/samples/kfifo/record-example.c
++++ b/samples/kfifo/record-example.c
+@@ -131,8 +131,10 @@ static ssize_t fifo_write(struct file *file, const char __user *buf,
+ ret = kfifo_from_user(&test, buf, count, &copied);
+
+ mutex_unlock(&write_lock);
++ if (ret)
++ return ret;
+
+- return ret ? ret : copied;
++ return copied;
+ }
+
+ static ssize_t fifo_read(struct file *file, char __user *buf,
+@@ -147,8 +149,10 @@ static ssize_t fifo_read(struct file *file, char __user *buf,
+ ret = kfifo_to_user(&test, buf, count, &copied);
+
+ mutex_unlock(&read_lock);
++ if (ret)
++ return ret;
+
+- return ret ? ret : copied;
++ return copied;
+ }
+
+ static const struct file_operations fifo_fops = {
+--
+2.30.2
+
--- /dev/null
+From c3deb412fff43eeaaaaf57d23521847571f5c0fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Apr 2021 11:12:48 +0100
+Subject: liquidio: Fix unintented sign extension of a left shift of a u16
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 298b58f00c0f86868ea717426beb5c1198772f81 ]
+
+The macro CN23XX_PEM_BAR1_INDEX_REG is being used to shift oct->pcie_port
+(a u16) left 24 places. There are two subtle issues here, first the
+shift gets promoted to an signed int and then sign extended to a u64.
+If oct->pcie_port is 0x80 or more then the upper bits get sign extended
+to 1. Secondly shfiting a u16 24 bits will lead to an overflow so it
+needs to be cast to a u64 for all the bits to not overflow.
+
+It is entirely possible that the u16 port value is never large enough
+for this to fail, but it is useful to fix unintended overflows such
+as this.
+
+Fix this by casting the port parameter to the macro to a u64 before
+the shift.
+
+Addresses-Coverity: ("Unintended sign extension")
+Fixes: 5bc67f587ba7 ("liquidio: CN23XX register definitions")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cavium/liquidio/cn23xx_pf_regs.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_regs.h b/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_regs.h
+index 03d79d95ab75..d7e0d2ce15c1 100644
+--- a/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_regs.h
++++ b/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_regs.h
+@@ -526,7 +526,7 @@
+ #define CN23XX_BAR1_INDEX_OFFSET 3
+
+ #define CN23XX_PEM_BAR1_INDEX_REG(port, idx) \
+- (CN23XX_PEM_BAR1_INDEX_START + ((port) << CN23XX_PEM_OFFSET) + \
++ (CN23XX_PEM_BAR1_INDEX_START + (((u64)port) << CN23XX_PEM_OFFSET) + \
+ ((idx) << CN23XX_BAR1_INDEX_OFFSET))
+
+ /*############################ DPI #########################*/
+--
+2.30.2
+
--- /dev/null
+From acb9aea74a450c762f1993fa824dec29fb73a736 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Apr 2021 14:31:50 +0200
+Subject: mac80211: bail out if cipher schemes are invalid
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit db878e27a98106a70315d264cc92230d84009e72 ]
+
+If any of the cipher schemes specified by the driver are invalid, bail
+out and fail the registration rather than just warning. Otherwise, we
+might later crash when we try to use the invalid cipher scheme, e.g.
+if the hdr_len is (significantly) less than the pn_offs + pn_len, we'd
+have an out-of-bounds access in RX validation.
+
+Fixes: 2475b1cc0d52 ("mac80211: add generic cipher scheme support")
+Link: https://lore.kernel.org/r/20210408143149.38a3a13a1b19.I6b7f5790fa0958ed8049cf02ac2a535c61e9bc96@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/main.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/net/mac80211/main.c b/net/mac80211/main.c
+index f31fd21d59ba..5f8c6f9563b0 100644
+--- a/net/mac80211/main.c
++++ b/net/mac80211/main.c
+@@ -1036,8 +1036,11 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
+ if (local->hw.wiphy->max_scan_ie_len)
+ local->hw.wiphy->max_scan_ie_len -= local->scan_ies_len;
+
+- WARN_ON(!ieee80211_cs_list_valid(local->hw.cipher_schemes,
+- local->hw.n_cipher_schemes));
++ if (WARN_ON(!ieee80211_cs_list_valid(local->hw.cipher_schemes,
++ local->hw.n_cipher_schemes))) {
++ result = -EINVAL;
++ goto fail_workqueue;
++ }
+
+ result = ieee80211_init_cipher_suites(local);
+ if (result < 0)
+--
+2.30.2
+
--- /dev/null
+From 08f1e8f7ea3f2b5ed87045ca345ff9d1a7b6b95a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Mar 2021 17:46:00 +0100
+Subject: media: dvb-usb-remote: fix dvb_usb_nec_rc_key_to_event type mismatch
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 0fa430e96d3c3561a78701f51fd8593da68b8474 ]
+
+gcc-11 warns about the prototype not exactly matching the function
+definition:
+
+drivers/media/usb/dvb-usb/dvb-usb-remote.c:363:20: error: argument 2 of type ‘u8[5]’ {aka ‘unsigned char[5]’} with mismatched bound [-Werror=array-parameter=]
+ 363 | u8 keybuf[5], u32 *event, int *state)
+ | ~~~^~~~~~~~~
+In file included from drivers/media/usb/dvb-usb/dvb-usb-common.h:13,
+ from drivers/media/usb/dvb-usb/dvb-usb-remote.c:9:
+drivers/media/usb/dvb-usb/dvb-usb.h:490:65: note: previously declared as ‘u8[]’ {aka ‘unsigned char[]’}
+ 490 | extern int dvb_usb_nec_rc_key_to_event(struct dvb_usb_device *, u8[], u32 *, int *);
+ | ^~~~
+
+Fixes: 776338e121b9 ("[PATCH] dvb: Add generalized dvb-usb driver")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb/dvb-usb.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/dvb-usb/dvb-usb.h b/drivers/media/usb/dvb-usb/dvb-usb.h
+index 107255b08b2b..704d57e3ea1c 100644
+--- a/drivers/media/usb/dvb-usb/dvb-usb.h
++++ b/drivers/media/usb/dvb-usb/dvb-usb.h
+@@ -471,7 +471,8 @@ extern int dvb_usb_generic_rw(struct dvb_usb_device *, u8 *, u16, u8 *, u16,int)
+ extern int dvb_usb_generic_write(struct dvb_usb_device *, u8 *, u16);
+
+ /* commonly used remote control parsing */
+-extern int dvb_usb_nec_rc_key_to_event(struct dvb_usb_device *, u8[], u32 *, int *);
++int dvb_usb_nec_rc_key_to_event(struct dvb_usb_device *d, u8 keybuf[5],
++ u32 *event, int *state);
+
+ /* commonly used firmware download types and function */
+ struct hexline {
+--
+2.30.2
+
--- /dev/null
+From e9655a63173ac4a17a0eadf3839e6a21367b1009 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Oct 2020 14:16:28 +0200
+Subject: media: m88rs6000t: avoid potential out-of-bounds reads on arrays
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 9baa3d64e8e2373ddd11c346439e5dfccb2cbb0d ]
+
+There a 3 array for-loops that don't check the upper bounds of the
+index into arrays and this may lead to potential out-of-bounds
+reads. Fix this by adding array size upper bounds checks to be
+full safe.
+
+Addresses-Coverity: ("Out-of-bounds read")
+
+Link: https://lore.kernel.org/linux-media/20201007121628.20676-1-colin.king@canonical.com
+Fixes: 333829110f1d ("[media] m88rs6000t: add new dvb-s/s2 tuner for integrated chip M88RS6000")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/tuners/m88rs6000t.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/tuners/m88rs6000t.c b/drivers/media/tuners/m88rs6000t.c
+index 9f3e0fd4cad9..d4443f9c9fa3 100644
+--- a/drivers/media/tuners/m88rs6000t.c
++++ b/drivers/media/tuners/m88rs6000t.c
+@@ -534,7 +534,7 @@ static int m88rs6000t_get_rf_strength(struct dvb_frontend *fe, u16 *strength)
+ PGA2_cri = PGA2_GC >> 2;
+ PGA2_crf = PGA2_GC & 0x03;
+
+- for (i = 0; i <= RF_GC; i++)
++ for (i = 0; i <= RF_GC && i < ARRAY_SIZE(RFGS); i++)
+ RFG += RFGS[i];
+
+ if (RF_GC == 0)
+@@ -546,12 +546,12 @@ static int m88rs6000t_get_rf_strength(struct dvb_frontend *fe, u16 *strength)
+ if (RF_GC == 3)
+ RFG += 100;
+
+- for (i = 0; i <= IF_GC; i++)
++ for (i = 0; i <= IF_GC && i < ARRAY_SIZE(IFGS); i++)
+ IFG += IFGS[i];
+
+ TIAG = TIA_GC * TIA_GS;
+
+- for (i = 0; i <= BB_GC; i++)
++ for (i = 0; i <= BB_GC && i < ARRAY_SIZE(BBGS); i++)
+ BBG += BBGS[i];
+
+ PGA2G = PGA2_cri * PGA2_cri_GS + PGA2_crf * PGA2_crf_GS;
+--
+2.30.2
+
--- /dev/null
+From 12c3341d2432e98604187937e257db6788f9a314 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Nov 2020 03:50:41 +0100
+Subject: media: omap4iss: return error code when omap4iss_get() failed
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 8938c48fa25b491842ece9eb38f0bea0fcbaca44 ]
+
+If omap4iss_get() failed, it need return error code in iss_probe().
+
+Fixes: 59f0ad807681 ("[media] v4l: omap4iss: Add support for OMAP4...")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/omap4iss/iss.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/staging/media/omap4iss/iss.c b/drivers/staging/media/omap4iss/iss.c
+index c26c99fd4a24..1e10fe204d3b 100644
+--- a/drivers/staging/media/omap4iss/iss.c
++++ b/drivers/staging/media/omap4iss/iss.c
+@@ -1244,8 +1244,10 @@ static int iss_probe(struct platform_device *pdev)
+ if (ret < 0)
+ goto error;
+
+- if (!omap4iss_get(iss))
++ if (!omap4iss_get(iss)) {
++ ret = -EINVAL;
+ goto error;
++ }
+
+ ret = iss_reset(iss);
+ if (ret < 0)
+--
+2.30.2
+
--- /dev/null
+From ee1511c82131ef7417a618817b818f606132a436 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Feb 2021 16:43:27 +0100
+Subject: media: vivid: fix assignment of dev->fbuf_out_flags
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 5cde22fcc7271812a7944c47b40100df15908358 ]
+
+Currently the chroma_flags and alpha_flags are being zero'd with a bit-wise
+mask and the following statement should be bit-wise or'ing in the new flag
+bits but instead is making a direct assignment. Fix this by using the |=
+operator rather than an assignment.
+
+Addresses-Coverity: ("Unused value")
+
+Fixes: ef834f7836ec ("[media] vivid: add the video capture and output parts")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/vivid/vivid-vid-out.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/vivid/vivid-vid-out.c b/drivers/media/platform/vivid/vivid-vid-out.c
+index 8fed2fbe91a9..f78caf72cb3e 100644
+--- a/drivers/media/platform/vivid/vivid-vid-out.c
++++ b/drivers/media/platform/vivid/vivid-vid-out.c
+@@ -1003,7 +1003,7 @@ int vivid_vid_out_s_fbuf(struct file *file, void *fh,
+ return -EINVAL;
+ }
+ dev->fbuf_out_flags &= ~(chroma_flags | alpha_flags);
+- dev->fbuf_out_flags = a->flags & (chroma_flags | alpha_flags);
++ dev->fbuf_out_flags |= a->flags & (chroma_flags | alpha_flags);
+ return 0;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 52a5631ea956adef33388e7b2d8ff7bb7b1effad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Feb 2021 19:38:21 +0000
+Subject: memory: gpmc: fix out of bounds read and dereference on gpmc_cs[]
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit e004c3e67b6459c99285b18366a71af467d869f5 ]
+
+Currently the array gpmc_cs is indexed by cs before it cs is range checked
+and the pointer read from this out-of-index read is dereferenced. Fix this
+by performing the range check on cs before the read and the following
+pointer dereference.
+
+Addresses-Coverity: ("Negative array index read")
+Fixes: 9ed7a776eb50 ("ARM: OMAP2+: Fix support for multiple devices on a GPMC chip select")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Reviewed-by: Tony Lindgren <tony@atomide.com>
+Link: https://lore.kernel.org/r/20210223193821.17232-1-colin.king@canonical.com
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/memory/omap-gpmc.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/memory/omap-gpmc.c b/drivers/memory/omap-gpmc.c
+index a9d47c06f80f..4af2f5b231dd 100644
+--- a/drivers/memory/omap-gpmc.c
++++ b/drivers/memory/omap-gpmc.c
+@@ -1028,8 +1028,8 @@ EXPORT_SYMBOL(gpmc_cs_request);
+
+ void gpmc_cs_free(int cs)
+ {
+- struct gpmc_cs_data *gpmc = &gpmc_cs[cs];
+- struct resource *res = &gpmc->mem;
++ struct gpmc_cs_data *gpmc;
++ struct resource *res;
+
+ spin_lock(&gpmc_mem_lock);
+ if (cs >= gpmc_cs_num || cs < 0 || !gpmc_cs_reserved(cs)) {
+@@ -1038,6 +1038,9 @@ void gpmc_cs_free(int cs)
+ spin_unlock(&gpmc_mem_lock);
+ return;
+ }
++ gpmc = &gpmc_cs[cs];
++ res = &gpmc->mem;
++
+ gpmc_cs_disable_mem(cs);
+ if (res->flags)
+ release_resource(res);
+--
+2.30.2
+
--- /dev/null
+From 1274f5cbd06b4b9b2ac9f4a7386cb69f0ddaa602 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Apr 2021 20:12:37 -0700
+Subject: MIPS: pci-legacy: stop using of_pci_range_to_resource
+
+From: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
+
+[ Upstream commit 3ecb9dc1581eebecaee56decac70e35365260866 ]
+
+Mirror commit aeba3731b150 ("powerpc/pci: Fix IO space breakage after
+of_pci_range_to_resource() change").
+
+Most MIPS platforms do not define PCI_IOBASE, nor implement
+pci_address_to_pio(). Moreover, IO_SPACE_LIMIT is 0xffff for most MIPS
+platforms. of_pci_range_to_resource passes the _start address_ of the IO
+range into pci_address_to_pio, which then checks it against
+IO_SPACE_LIMIT and fails, because for MIPS platforms that use
+pci-legacy (pci-lantiq, pci-rt3883, pci-mt7620), IO ranges start much
+higher than 0xffff.
+
+In fact, pci-mt7621 in staging already works around this problem, see
+commit 09dd629eeabb ("staging: mt7621-pci: fix io space and properly set
+resource limits")
+
+So just stop using of_pci_range_to_resource, which does not work for
+MIPS.
+
+Fixes PCI errors like:
+ pci_bus 0000:00: root bus resource [io 0xffffffff]
+
+Fixes: 0b0b0893d49b ("of/pci: Fix the conversion of IO ranges into IO resources")
+Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
+Cc: Liviu Dudau <Liviu.Dudau@arm.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/pci/pci-legacy.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/arch/mips/pci/pci-legacy.c b/arch/mips/pci/pci-legacy.c
+index 2d6886f09ba3..009b840ee5ef 100644
+--- a/arch/mips/pci/pci-legacy.c
++++ b/arch/mips/pci/pci-legacy.c
+@@ -158,8 +158,13 @@ void pci_load_of_ranges(struct pci_controller *hose, struct device_node *node)
+ res = hose->mem_resource;
+ break;
+ }
+- if (res != NULL)
+- of_pci_range_to_resource(&range, node, res);
++ if (res != NULL) {
++ res->name = node->full_name;
++ res->flags = range.flags;
++ res->start = range.cpu_addr;
++ res->end = range.cpu_addr + range.size - 1;
++ res->parent = res->child = res->sibling = NULL;
++ }
+ }
+ }
+
+--
+2.30.2
+
--- /dev/null
+From aae17dca25f0235dbca7218f3a8242fdb530a2e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Feb 2021 18:32:41 +0000
+Subject: mt7601u: fix always true expression
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 87fce88658ba047ae62e83497d3f3c5dc22fa6f9 ]
+
+Currently the expression ~nic_conf1 is always true because nic_conf1
+is a u16 and according to 6.5.3.3 of the C standard the ~ operator
+promotes the u16 to an integer before flipping all the bits. Thus
+the top 16 bits of the integer result are all set so the expression
+is always true. If the intention was to flip all the bits of nic_conf1
+then casting the integer result back to a u16 is a suitabel fix.
+
+Interestingly static analyzers seem to thing a bitwise ! should be
+used instead of ~ for this scenario, so I think the original intent
+of the expression may need some extra consideration.
+
+Addresses-Coverity: ("Logical vs. bitwise operator")
+Fixes: c869f77d6abb ("add mt7601u driver")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Acked-by: Jakub Kicinski <kubakici@wp.pl>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210225183241.1002129-1-colin.king@canonical.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt7601u/eeprom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt7601u/eeprom.c b/drivers/net/wireless/mediatek/mt7601u/eeprom.c
+index da6faea092d6..80d0f64205f8 100644
+--- a/drivers/net/wireless/mediatek/mt7601u/eeprom.c
++++ b/drivers/net/wireless/mediatek/mt7601u/eeprom.c
+@@ -106,7 +106,7 @@ mt7601u_has_tssi(struct mt7601u_dev *dev, u8 *eeprom)
+ {
+ u16 nic_conf1 = get_unaligned_le16(eeprom + MT_EE_NIC_CONF_1);
+
+- return ~nic_conf1 && (nic_conf1 & MT_EE_NIC_CONF_1_TX_ALC_EN);
++ return (u16)~nic_conf1 && (nic_conf1 & MT_EE_NIC_CONF_1_TX_ALC_EN);
+ }
+
+ static void
+--
+2.30.2
+
--- /dev/null
+From 91ba9455ef43e80748a8913049ced579b0479bb5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Apr 2021 23:09:05 -0700
+Subject: mtd: rawnand: gpmi: Fix a double free in gpmi_nand_init
+
+From: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+
+[ Upstream commit 076de75de1e53160e9b099f75872c1f9adf41a0b ]
+
+If the callee gpmi_alloc_dma_buffer() failed to alloc memory for
+this->raw_buffer, gpmi_free_dma_buffer() will be called to free
+this->auxiliary_virt. But this->auxiliary_virt is still a non-NULL
+and valid ptr.
+
+Then gpmi_alloc_dma_buffer() returns err and gpmi_free_dma_buffer()
+is called again to free this->auxiliary_virt in err_out. This causes
+a double free.
+
+As gpmi_free_dma_buffer() has already called in gpmi_alloc_dma_buffer's
+error path, so it should return err directly instead of releasing the dma
+buffer again.
+
+Fixes: 4d02423e9afe6 ("mtd: nand: gpmi: Fix gpmi_nand_init() error path")
+Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20210403060905.5251-1-lyl2019@mail.ustc.edu.cn
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/gpmi-nand/gpmi-nand.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/nand/gpmi-nand/gpmi-nand.c b/drivers/mtd/nand/gpmi-nand/gpmi-nand.c
+index f4a99e91c250..c43bd945d93a 100644
+--- a/drivers/mtd/nand/gpmi-nand/gpmi-nand.c
++++ b/drivers/mtd/nand/gpmi-nand/gpmi-nand.c
+@@ -2020,7 +2020,7 @@ static int gpmi_nand_init(struct gpmi_nand_data *this)
+ this->bch_geometry.auxiliary_size = 128;
+ ret = gpmi_alloc_dma_buffer(this);
+ if (ret)
+- goto err_out;
++ return ret;
+
+ ret = nand_scan_ident(mtd, GPMI_IS_MX6(this) ? 2 : 1, NULL);
+ if (ret)
+--
+2.30.2
+
--- /dev/null
+From 941d0df5831a2dacb4beb8927ddeafb73f2154aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Mar 2021 16:57:35 +0100
+Subject: mtd: require write permissions for locking and badblock ioctls
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michael Walle <michael@walle.cc>
+
+[ Upstream commit 1e97743fd180981bef5f01402342bb54bf1c6366 ]
+
+MEMLOCK, MEMUNLOCK and OTPLOCK modify protection bits. Thus require
+write permission. Depending on the hardware MEMLOCK might even be
+write-once, e.g. for SPI-NOR flashes with their WP# tied to GND. OTPLOCK
+is always write-once.
+
+MEMSETBADBLOCK modifies the bad block table.
+
+Fixes: f7e6b19bc764 ("mtd: properly check all write ioctls for permissions")
+Signed-off-by: Michael Walle <michael@walle.cc>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Rafał Miłecki <rafal@milecki.pl>
+Acked-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20210303155735.25887-1-michael@walle.cc
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/mtdchar.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c
+index 331183548bc5..b43b8edc18ec 100644
+--- a/drivers/mtd/mtdchar.c
++++ b/drivers/mtd/mtdchar.c
+@@ -689,16 +689,12 @@ static int mtdchar_ioctl(struct file *file, u_int cmd, u_long arg)
+ case MEMGETINFO:
+ case MEMREADOOB:
+ case MEMREADOOB64:
+- case MEMLOCK:
+- case MEMUNLOCK:
+ case MEMISLOCKED:
+ case MEMGETOOBSEL:
+ case MEMGETBADBLOCK:
+- case MEMSETBADBLOCK:
+ case OTPSELECT:
+ case OTPGETREGIONCOUNT:
+ case OTPGETREGIONINFO:
+- case OTPLOCK:
+ case ECCGETLAYOUT:
+ case ECCGETSTATS:
+ case MTDFILEMODE:
+@@ -709,9 +705,13 @@ static int mtdchar_ioctl(struct file *file, u_int cmd, u_long arg)
+ /* "dangerous" commands */
+ case MEMERASE:
+ case MEMERASE64:
++ case MEMLOCK:
++ case MEMUNLOCK:
++ case MEMSETBADBLOCK:
+ case MEMWRITEOOB:
+ case MEMWRITEOOB64:
+ case MEMWRITE:
++ case OTPLOCK:
+ if (!(file->f_mode & FMODE_WRITE))
+ return -EPERM;
+ break;
+--
+2.30.2
+
--- /dev/null
+From 4d97c6a97cd5b4a16a6f8318033ca1ecab56e257 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Apr 2021 11:26:27 -0700
+Subject: mwl8k: Fix a double Free in mwl8k_probe_hw
+
+From: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+
+[ Upstream commit a8e083ee8e2a6c94c29733835adae8bf5b832748 ]
+
+In mwl8k_probe_hw, hw->priv->txq is freed at the first time by
+dma_free_coherent() in the call chain:
+if(!priv->ap_fw)->mwl8k_init_txqs(hw)->mwl8k_txq_init(hw, i).
+
+Then in err_free_queues of mwl8k_probe_hw, hw->priv->txq is freed
+at the second time by mwl8k_txq_deinit(hw, i)->dma_free_coherent().
+
+My patch set txq->txd to NULL after the first free to avoid the
+double free.
+
+Fixes: a66098daacee2 ("mwl8k: Marvell TOPDOG wireless driver")
+Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210402182627.4256-1-lyl2019@mail.ustc.edu.cn
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwl8k.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/marvell/mwl8k.c b/drivers/net/wireless/marvell/mwl8k.c
+index b1b400b59d86..66cd38d4f199 100644
+--- a/drivers/net/wireless/marvell/mwl8k.c
++++ b/drivers/net/wireless/marvell/mwl8k.c
+@@ -1459,6 +1459,7 @@ static int mwl8k_txq_init(struct ieee80211_hw *hw, int index)
+ txq->skb = kcalloc(MWL8K_TX_DESCS, sizeof(*txq->skb), GFP_KERNEL);
+ if (txq->skb == NULL) {
+ pci_free_consistent(priv->pdev, size, txq->txd, txq->txd_dma);
++ txq->txd = NULL;
+ return -ENOMEM;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 71ed904ff1243803ca4cfaa30ef9e2d21c1c6aa8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Apr 2021 18:16:14 +0100
+Subject: net: davinci_emac: Fix incorrect masking of tx and rx error channel
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit d83b8aa5207d81f9f6daec9888390f079cc5db3f ]
+
+The bit-masks used for the TXERRCH and RXERRCH (tx and rx error channels)
+are incorrect and always lead to a zero result. The mask values are
+currently the incorrect post-right shifted values, fix this by setting
+them to the currect values.
+
+(I double checked these against the TMS320TCI6482 data sheet, section
+5.30, page 127 to ensure I had the correct mask values for the TXERRCH
+and RXERRCH fields in the MACSTATUS register).
+
+Addresses-Coverity: ("Operands don't affect result")
+Fixes: a6286ee630f6 ("net: Add TI DaVinci EMAC driver")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ti/davinci_emac.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/ti/davinci_emac.c b/drivers/net/ethernet/ti/davinci_emac.c
+index 413cf14dbacd..8b7596fef42a 100644
+--- a/drivers/net/ethernet/ti/davinci_emac.c
++++ b/drivers/net/ethernet/ti/davinci_emac.c
+@@ -183,11 +183,11 @@ static const char emac_version_string[] = "TI DaVinci EMAC Linux v6.1";
+ /* EMAC mac_status register */
+ #define EMAC_MACSTATUS_TXERRCODE_MASK (0xF00000)
+ #define EMAC_MACSTATUS_TXERRCODE_SHIFT (20)
+-#define EMAC_MACSTATUS_TXERRCH_MASK (0x7)
++#define EMAC_MACSTATUS_TXERRCH_MASK (0x70000)
+ #define EMAC_MACSTATUS_TXERRCH_SHIFT (16)
+ #define EMAC_MACSTATUS_RXERRCODE_MASK (0xF000)
+ #define EMAC_MACSTATUS_RXERRCODE_SHIFT (12)
+-#define EMAC_MACSTATUS_RXERRCH_MASK (0x7)
++#define EMAC_MACSTATUS_RXERRCH_MASK (0x700)
+ #define EMAC_MACSTATUS_RXERRCH_SHIFT (8)
+
+ /* EMAC RX register masks */
+--
+2.30.2
+
--- /dev/null
+From 000d1f96776ba5d76c0d11709887371fe43a35f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Apr 2021 09:06:25 -0700
+Subject: net:emac/emac-mac: Fix a use after free in emac_mac_tx_buf_send
+
+From: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+
+[ Upstream commit 6d72e7c767acbbdd44ebc7d89c6690b405b32b57 ]
+
+In emac_mac_tx_buf_send, it calls emac_tx_fill_tpd(..,skb,..).
+If some error happens in emac_tx_fill_tpd(), the skb will be freed via
+dev_kfree_skb(skb) in error branch of emac_tx_fill_tpd().
+But the freed skb is still used via skb->len by netdev_sent_queue(,skb->len).
+
+As i observed that emac_tx_fill_tpd() haven't modified the value of skb->len,
+thus my patch assigns skb->len to 'len' before the possible free and
+use 'len' instead of skb->len later.
+
+Fixes: b9b17debc69d2 ("net: emac: emac gigabit ethernet controller driver")
+Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qualcomm/emac/emac-mac.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/qualcomm/emac/emac-mac.c b/drivers/net/ethernet/qualcomm/emac/emac-mac.c
+index 9d223ff65071..882f2b7ec6d1 100644
+--- a/drivers/net/ethernet/qualcomm/emac/emac-mac.c
++++ b/drivers/net/ethernet/qualcomm/emac/emac-mac.c
+@@ -1504,6 +1504,7 @@ int emac_mac_tx_buf_send(struct emac_adapter *adpt, struct emac_tx_queue *tx_q,
+ {
+ struct emac_tpd tpd;
+ u32 prod_idx;
++ int len;
+
+ memset(&tpd, 0, sizeof(tpd));
+
+@@ -1523,9 +1524,10 @@ int emac_mac_tx_buf_send(struct emac_adapter *adpt, struct emac_tx_queue *tx_q,
+ if (skb_network_offset(skb) != ETH_HLEN)
+ TPD_TYP_SET(&tpd, 1);
+
++ len = skb->len;
+ emac_tx_fill_tpd(adpt, tx_q, skb, &tpd);
+
+- netdev_sent_queue(adpt->netdev, skb->len);
++ netdev_sent_queue(adpt->netdev, len);
+
+ /* Make sure the are enough free descriptors to hold one
+ * maximum-sized SKB. We need one desc for each fragment,
+--
+2.30.2
+
--- /dev/null
+From ea1afe2ff3ff11efaea74d5fa2cfe1c7a57f9f14 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Mar 2021 23:23:09 -0800
+Subject: net: lapbether: Prevent racing when checking whether the netif is
+ running
+
+From: Xie He <xie.he.0141@gmail.com>
+
+[ Upstream commit 5acd0cfbfbb5a688da1bfb1a2152b0c855115a35 ]
+
+There are two "netif_running" checks in this driver. One is in
+"lapbeth_xmit" and the other is in "lapbeth_rcv". They serve to make
+sure that the LAPB APIs called in these functions are called before
+"lapb_unregister" is called by the "ndo_stop" function.
+
+However, these "netif_running" checks are unreliable, because it's
+possible that immediately after "netif_running" returns true, "ndo_stop"
+is called (which causes "lapb_unregister" to be called).
+
+This patch adds locking to make sure "lapbeth_xmit" and "lapbeth_rcv" can
+reliably check and ensure the netif is running while doing their work.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Xie He <xie.he.0141@gmail.com>
+Acked-by: Martin Schiller <ms@dev.tdt.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wan/lapbether.c | 32 +++++++++++++++++++++++++-------
+ 1 file changed, 25 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/wan/lapbether.c b/drivers/net/wan/lapbether.c
+index 666bbacb8cb4..24daa1d0e9c5 100644
+--- a/drivers/net/wan/lapbether.c
++++ b/drivers/net/wan/lapbether.c
+@@ -56,6 +56,8 @@ struct lapbethdev {
+ struct list_head node;
+ struct net_device *ethdev; /* link to ethernet device */
+ struct net_device *axdev; /* lapbeth device (lapb#) */
++ bool up;
++ spinlock_t up_lock; /* Protects "up" */
+ };
+
+ static LIST_HEAD(lapbeth_devices);
+@@ -103,8 +105,9 @@ static int lapbeth_rcv(struct sk_buff *skb, struct net_device *dev, struct packe
+ rcu_read_lock();
+ lapbeth = lapbeth_get_x25_dev(dev);
+ if (!lapbeth)
+- goto drop_unlock;
+- if (!netif_running(lapbeth->axdev))
++ goto drop_unlock_rcu;
++ spin_lock_bh(&lapbeth->up_lock);
++ if (!lapbeth->up)
+ goto drop_unlock;
+
+ len = skb->data[0] + skb->data[1] * 256;
+@@ -119,11 +122,14 @@ static int lapbeth_rcv(struct sk_buff *skb, struct net_device *dev, struct packe
+ goto drop_unlock;
+ }
+ out:
++ spin_unlock_bh(&lapbeth->up_lock);
+ rcu_read_unlock();
+ return 0;
+ drop_unlock:
+ kfree_skb(skb);
+ goto out;
++drop_unlock_rcu:
++ rcu_read_unlock();
+ drop:
+ kfree_skb(skb);
+ return 0;
+@@ -151,13 +157,11 @@ static int lapbeth_data_indication(struct net_device *dev, struct sk_buff *skb)
+ static netdev_tx_t lapbeth_xmit(struct sk_buff *skb,
+ struct net_device *dev)
+ {
++ struct lapbethdev *lapbeth = netdev_priv(dev);
+ int err;
+
+- /*
+- * Just to be *really* sure not to send anything if the interface
+- * is down, the ethernet device may have gone.
+- */
+- if (!netif_running(dev))
++ spin_lock_bh(&lapbeth->up_lock);
++ if (!lapbeth->up)
+ goto drop;
+
+ /* There should be a pseudo header of 1 byte added by upper layers.
+@@ -188,6 +192,7 @@ static netdev_tx_t lapbeth_xmit(struct sk_buff *skb,
+ goto drop;
+ }
+ out:
++ spin_unlock_bh(&lapbeth->up_lock);
+ return NETDEV_TX_OK;
+ drop:
+ kfree_skb(skb);
+@@ -279,6 +284,7 @@ static const struct lapb_register_struct lapbeth_callbacks = {
+ */
+ static int lapbeth_open(struct net_device *dev)
+ {
++ struct lapbethdev *lapbeth = netdev_priv(dev);
+ int err;
+
+ if ((err = lapb_register(dev, &lapbeth_callbacks)) != LAPB_OK) {
+@@ -286,13 +292,22 @@ static int lapbeth_open(struct net_device *dev)
+ return -ENODEV;
+ }
+
++ spin_lock_bh(&lapbeth->up_lock);
++ lapbeth->up = true;
++ spin_unlock_bh(&lapbeth->up_lock);
++
+ return 0;
+ }
+
+ static int lapbeth_close(struct net_device *dev)
+ {
++ struct lapbethdev *lapbeth = netdev_priv(dev);
+ int err;
+
++ spin_lock_bh(&lapbeth->up_lock);
++ lapbeth->up = false;
++ spin_unlock_bh(&lapbeth->up_lock);
++
+ if ((err = lapb_unregister(dev)) != LAPB_OK)
+ pr_err("lapb_unregister error: %d\n", err);
+
+@@ -350,6 +365,9 @@ static int lapbeth_new_device(struct net_device *dev)
+ dev_hold(dev);
+ lapbeth->ethdev = dev;
+
++ lapbeth->up = false;
++ spin_lock_init(&lapbeth->up_lock);
++
+ rc = -EIO;
+ if (register_netdevice(ndev))
+ goto fail;
+--
+2.30.2
+
--- /dev/null
+From ad135d26bae8e4606bc807c64d642708c3d66ca7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Apr 2021 09:22:58 -0700
+Subject: net:nfc:digital: Fix a double free in digital_tg_recv_dep_req
+
+From: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+
+[ Upstream commit 75258586793efc521e5dd52a5bf6c7a4cf7002be ]
+
+In digital_tg_recv_dep_req, it calls nfc_tm_data_received(..,resp).
+If nfc_tm_data_received() failed, the callee will free the resp via
+kfree_skb() and return error. But in the exit branch, the resp
+will be freed again.
+
+My patch sets resp to NULL if nfc_tm_data_received() failed, to
+avoid the double free.
+
+Fixes: 1c7a4c24fbfd9 ("NFC Digital: Add target NFC-DEP support")
+Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/nfc/digital_dep.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/nfc/digital_dep.c b/net/nfc/digital_dep.c
+index f864ce19e13d..582f97d035ef 100644
+--- a/net/nfc/digital_dep.c
++++ b/net/nfc/digital_dep.c
+@@ -1289,6 +1289,8 @@ static void digital_tg_recv_dep_req(struct nfc_digital_dev *ddev, void *arg,
+ }
+
+ rc = nfc_tm_data_received(ddev->nfc_dev, resp);
++ if (rc)
++ resp = NULL;
+
+ exit:
+ kfree_skb(ddev->chaining_skb);
+--
+2.30.2
+
--- /dev/null
+From ca949367675a733a8e1a4fa279d93c8f73e4f792 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Apr 2021 14:07:26 +0100
+Subject: net: thunderx: Fix unintentional sign extension issue
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit e701a25840360706fe4cf5de0015913ca19c274b ]
+
+The shifting of the u8 integers rq->caching by 26 bits to
+the left will be promoted to a 32 bit signed int and then
+sign-extended to a u64. In the event that rq->caching is
+greater than 0x1f then all then all the upper 32 bits of
+the u64 end up as also being set because of the int
+sign-extension. Fix this by casting the u8 values to a
+u64 before the 26 bit left shift.
+
+Addresses-Coverity: ("Unintended sign extension")
+Fixes: 4863dea3fab0 ("net: Adding support for Cavium ThunderX network controller")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cavium/thunder/nicvf_queues.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/cavium/thunder/nicvf_queues.c b/drivers/net/ethernet/cavium/thunder/nicvf_queues.c
+index 747ef0882976..8f3d544bec0c 100644
+--- a/drivers/net/ethernet/cavium/thunder/nicvf_queues.c
++++ b/drivers/net/ethernet/cavium/thunder/nicvf_queues.c
+@@ -537,7 +537,7 @@ static void nicvf_rcv_queue_config(struct nicvf *nic, struct queue_set *qs,
+ mbx.rq.msg = NIC_MBOX_MSG_RQ_CFG;
+ mbx.rq.qs_num = qs->vnic_id;
+ mbx.rq.rq_num = qidx;
+- mbx.rq.cfg = (rq->caching << 26) | (rq->cq_qs << 19) |
++ mbx.rq.cfg = ((u64)rq->caching << 26) | (rq->cq_qs << 19) |
+ (rq->cq_idx << 16) | (rq->cont_rbdr_qs << 9) |
+ (rq->cont_qs_rbdr_idx << 8) |
+ (rq->start_rbdr_qs << 1) | (rq->start_qs_rbdr_idx);
+--
+2.30.2
+
--- /dev/null
+From c943cb23789c76f11a5d7e294b0dac94ffdd7239 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Apr 2021 14:44:42 +0300
+Subject: nfc: pn533: prevent potential memory corruption
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit ca4d4c34ae9aa5c3c0da76662c5e549d2fc0cc86 ]
+
+If the "type_a->nfcid_len" is too large then it would lead to memory
+corruption in pn533_target_found_type_a() when we do:
+
+ memcpy(nfc_tgt->nfcid1, tgt_type_a->nfcid_data, nfc_tgt->nfcid1_len);
+
+Fixes: c3b1e1e8a76f ("NFC: Export NFCID1 from pn533")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nfc/pn533/pn533.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/nfc/pn533/pn533.c b/drivers/nfc/pn533/pn533.c
+index d9c55830b2b2..6c495664d2cb 100644
+--- a/drivers/nfc/pn533/pn533.c
++++ b/drivers/nfc/pn533/pn533.c
+@@ -678,6 +678,9 @@ static bool pn533_target_type_a_is_valid(struct pn533_target_type_a *type_a,
+ if (PN533_TYPE_A_SEL_CASCADE(type_a->sel_res) != 0)
+ return false;
+
++ if (type_a->nfcid_len > NFC_NFCID1_MAXSIZE)
++ return false;
++
+ return true;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 4373b31434c447b7415638d8e41bf3f8feb53cbb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Mar 2021 23:50:24 +0300
+Subject: pata_arasan_cf: fix IRQ check
+
+From: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+
+[ Upstream commit c7e8f404d56b99c80990b19a402c3f640d74be05 ]
+
+The driver's probe() method is written as if platform_get_irq() returns 0
+on error, while actually it returns a negative error code (with all the
+other values considered valid IRQs). Rewrite the driver's IRQ checking code
+to pass the positive IRQ #s to ata_host_activate(), propagate upstream
+-EPROBE_DEFER, and set up the driver to polling mode on (negative) errors
+and IRQ0 (libata treats IRQ #0 as a polling mode anyway)...
+
+Fixes: a480167b23ef ("pata_arasan_cf: Adding support for arasan compact flash host controller")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/pata_arasan_cf.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/ata/pata_arasan_cf.c b/drivers/ata/pata_arasan_cf.c
+index b4d54771c9fe..623199fab8fe 100644
+--- a/drivers/ata/pata_arasan_cf.c
++++ b/drivers/ata/pata_arasan_cf.c
+@@ -819,12 +819,19 @@ static int arasan_cf_probe(struct platform_device *pdev)
+ else
+ quirk = CF_BROKEN_UDMA; /* as it is on spear1340 */
+
+- /* if irq is 0, support only PIO */
+- acdev->irq = platform_get_irq(pdev, 0);
+- if (acdev->irq)
++ /*
++ * If there's an error getting IRQ (or we do get IRQ0),
++ * support only PIO
++ */
++ ret = platform_get_irq(pdev, 0);
++ if (ret > 0) {
++ acdev->irq = ret;
+ irq_handler = arasan_cf_interrupt;
+- else
++ } else if (ret == -EPROBE_DEFER) {
++ return ret;
++ } else {
+ quirk |= CF_BROKEN_MWDMA | CF_BROKEN_UDMA;
++ }
+
+ acdev->pbase = res->start;
+ acdev->vbase = devm_ioremap_nocache(&pdev->dev, res->start,
+--
+2.30.2
+
--- /dev/null
+From 6a39c24a74e1837392bb7830d4c5e55ba56927e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Mar 2021 23:51:10 +0300
+Subject: pata_ipx4xx_cf: fix IRQ check
+
+From: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+
+[ Upstream commit e379b40cc0f179403ce0b82b7e539f635a568da5 ]
+
+The driver's probe() method is written as if platform_get_irq() returns 0
+on error, while actually it returns a negative error code (with all the
+other values considered valid IRQs). Rewrite the driver's IRQ checking
+code to pass the positive IRQ #s to ata_host_activate(), propagate errors
+upstream, and treat IRQ0 as error, returning -EINVAL, as the libata code
+treats 0 as an indication that polling should be used anyway...
+
+Fixes: 0df0d0a0ea9f ("[libata] ARM: add ixp4xx PATA driver")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/pata_ixp4xx_cf.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/ata/pata_ixp4xx_cf.c b/drivers/ata/pata_ixp4xx_cf.c
+index abda44183512..fb8d1f68f36f 100644
+--- a/drivers/ata/pata_ixp4xx_cf.c
++++ b/drivers/ata/pata_ixp4xx_cf.c
+@@ -169,8 +169,12 @@ static int ixp4xx_pata_probe(struct platform_device *pdev)
+ return -ENOMEM;
+
+ irq = platform_get_irq(pdev, 0);
+- if (irq)
++ if (irq > 0)
+ irq_set_irq_type(irq, IRQ_TYPE_EDGE_RISING);
++ else if (irq < 0)
++ return irq;
++ else
++ return -EINVAL;
+
+ /* Setup expansion bus chip selects */
+ *data->cs0_cfg = data->cs0_bits;
+--
+2.30.2
+
--- /dev/null
+From 1ea002858866d2c9c77b16e0d6a6e74e795c327b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Mar 2021 11:17:51 -0300
+Subject: perf symbols: Fix dso__fprintf_symbols_by_name() to return the number
+ of printed chars
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+[ Upstream commit 210e4c89ef61432040c6cd828fefa441f4887186 ]
+
+The 'ret' variable was initialized to zero but then it was not updated
+from the fprintf() return, fix it.
+
+Reported-by: Yang Li <yang.lee@linux.alibaba.com>
+cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+cc: Ingo Molnar <mingo@redhat.com>
+cc: Jiri Olsa <jolsa@redhat.com>
+cc: Mark Rutland <mark.rutland@arm.com>
+cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+Fixes: 90f18e63fbd00513 ("perf symbols: List symbols in a dso in ascending name order")
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/symbol_fprintf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/symbol_fprintf.c b/tools/perf/util/symbol_fprintf.c
+index a680bdaa65dc..060957aeb79a 100644
+--- a/tools/perf/util/symbol_fprintf.c
++++ b/tools/perf/util/symbol_fprintf.c
+@@ -64,7 +64,7 @@ size_t dso__fprintf_symbols_by_name(struct dso *dso,
+
+ for (nd = rb_first(&dso->symbol_names[type]); nd; nd = rb_next(nd)) {
+ pos = rb_entry(nd, struct symbol_name_rb_node, rb_node);
+- fprintf(fp, "%s\n", pos->sym.name);
++ ret += fprintf(fp, "%s\n", pos->sym.name);
+ }
+
+ return ret;
+--
+2.30.2
+
--- /dev/null
+From 933eca21b27976e18b8ecea88cf1b8093be1331f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Apr 2021 17:24:03 +0000
+Subject: powerpc/52xx: Fix an invalid ASM expression ('addi' used instead of
+ 'add')
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit 8a87a507714386efc39c3ae6fa24d4f79846b522 ]
+
+ AS arch/powerpc/platforms/52xx/lite5200_sleep.o
+arch/powerpc/platforms/52xx/lite5200_sleep.S: Assembler messages:
+arch/powerpc/platforms/52xx/lite5200_sleep.S:184: Warning: invalid register expression
+
+In the following code, 'addi' is wrong, has to be 'add'
+
+ /* local udelay in sram is needed */
+ udelay: /* r11 - tb_ticks_per_usec, r12 - usecs, overwrites r13 */
+ mullw r12, r12, r11
+ mftb r13 /* start */
+ addi r12, r13, r12 /* end */
+
+Fixes: ee983079ce04 ("[POWERPC] MPC5200 low power mode")
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/cb4cec9131c8577803367f1699209a7e104cec2a.1619025821.git.christophe.leroy@csgroup.eu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/52xx/lite5200_sleep.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/platforms/52xx/lite5200_sleep.S b/arch/powerpc/platforms/52xx/lite5200_sleep.S
+index 08ab6fefcf7a..5f44e9223413 100644
+--- a/arch/powerpc/platforms/52xx/lite5200_sleep.S
++++ b/arch/powerpc/platforms/52xx/lite5200_sleep.S
+@@ -180,7 +180,7 @@ sram_code:
+ udelay: /* r11 - tb_ticks_per_usec, r12 - usecs, overwrites r13 */
+ mullw r12, r12, r11
+ mftb r13 /* start */
+- addi r12, r13, r12 /* end */
++ add r12, r13, r12 /* end */
+ 1:
+ mftb r13 /* current */
+ cmp cr0, r13, r12
+--
+2.30.2
+
--- /dev/null
+From 23897b092ab199a5aab22859038f23fd7641e241 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Apr 2021 12:26:23 -0700
+Subject: powerpc: iommu: fix build when neither PCI or IBMVIO is set
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit b27dadecdf9102838331b9a0b41ffc1cfe288154 ]
+
+When neither CONFIG_PCI nor CONFIG_IBMVIO is set/enabled, iommu.c has a
+build error. The fault injection code is not useful in that kernel config,
+so make the FAIL_IOMMU option depend on PCI || IBMVIO.
+
+Prevents this build error (warning escalated to error):
+../arch/powerpc/kernel/iommu.c:178:30: error: 'fail_iommu_bus_notifier' defined but not used [-Werror=unused-variable]
+ 178 | static struct notifier_block fail_iommu_bus_notifier = {
+
+Fixes: d6b9a81b2a45 ("powerpc: IOMMU fault injection")
+Reported-by: kernel test robot <lkp@intel.com>
+Suggested-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Acked-by: Randy Dunlap <rdunlap@infradead.org> # build-tested
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20210404192623.10697-1-rdunlap@infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/Kconfig.debug | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/powerpc/Kconfig.debug b/arch/powerpc/Kconfig.debug
+index 63292f64b25a..f66326339bc8 100644
+--- a/arch/powerpc/Kconfig.debug
++++ b/arch/powerpc/Kconfig.debug
+@@ -348,6 +348,7 @@ config PPC_EARLY_DEBUG_CPM_ADDR
+ config FAIL_IOMMU
+ bool "Fault-injection capability for IOMMU"
+ depends on FAULT_INJECTION
++ depends on PCI || IBMVIO
+ help
+ Provide fault-injection capability for IOMMU. Each device can
+ be selectively enabled via the fail_iommu property.
+--
+2.30.2
+
--- /dev/null
+From 80e1a371c03461d1ca4ebd4bbcaf1f7fd79783e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Apr 2021 12:16:01 -0400
+Subject: powerpc/perf: Fix PMU constraint check for EBB events
+
+From: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
+
+[ Upstream commit 10f8f96179ecc7f69c927f6d231f6d02736cea83 ]
+
+The power PMU group constraints includes check for EBB events to make
+sure all events in a group must agree on EBB. This will prevent
+scheduling EBB and non-EBB events together. But in the existing check,
+settings for constraint mask and value is interchanged. Patch fixes the
+same.
+
+Before the patch, PMU selftest "cpu_event_pinned_vs_ebb_test" fails with
+below in dmesg logs. This happens because EBB event gets enabled along
+with a non-EBB cpu event.
+
+ [35600.453346] cpu_event_pinne[41326]: illegal instruction (4)
+ at 10004a18 nip 10004a18 lr 100049f8 code 1 in
+ cpu_event_pinned_vs_ebb_test[10000000+10000]
+
+Test results after the patch:
+
+ $ ./pmu/ebb/cpu_event_pinned_vs_ebb_test
+ test: cpu_event_pinned_vs_ebb
+ tags: git_version:v5.12-rc5-93-gf28c3125acd3-dirty
+ Binding to cpu 8
+ EBB Handler is at 0x100050c8
+ read error on event 0x7fffe6bd4040!
+ PM_RUN_INST_CMPL: result 9872 running/enabled 37930432
+ success: cpu_event_pinned_vs_ebb
+
+This bug was hidden by other logic until commit 1908dc911792 (perf:
+Tweak perf_event_attr::exclusive semantics).
+
+Fixes: 4df489991182 ("powerpc/perf: Add power8 EBB support")
+Reported-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Signed-off-by: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
+[mpe: Mention commit 1908dc911792]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/1617725761-1464-1-git-send-email-atrajeev@linux.vnet.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/perf/isa207-common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/perf/isa207-common.c b/arch/powerpc/perf/isa207-common.c
+index 7592a6491a9a..2d3557406424 100644
+--- a/arch/powerpc/perf/isa207-common.c
++++ b/arch/powerpc/perf/isa207-common.c
+@@ -139,8 +139,8 @@ ebb_bhrb:
+ * EBB events are pinned & exclusive, so this should never actually
+ * hit, but we leave it as a fallback in case.
+ */
+- mask |= CNST_EBB_VAL(ebb);
+- value |= CNST_EBB_MASK;
++ mask |= CNST_EBB_MASK;
++ value |= CNST_EBB_VAL(ebb);
+
+ *maskp = mask;
+ *valp = value;
+--
+2.30.2
+
--- /dev/null
+From 0779c62d4e55af9a3887ae1360262b2f97d923f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Mar 2021 13:08:29 -0700
+Subject: powerpc/prom: Mark identical_pvr_fixup as __init
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+[ Upstream commit 1ef1dd9c7ed27b080445e1576e8a05957e0e4dfc ]
+
+If identical_pvr_fixup() is not inlined, there are two modpost warnings:
+
+WARNING: modpost: vmlinux.o(.text+0x54e8): Section mismatch in reference
+from the function identical_pvr_fixup() to the function
+.init.text:of_get_flat_dt_prop()
+The function identical_pvr_fixup() references
+the function __init of_get_flat_dt_prop().
+This is often because identical_pvr_fixup lacks a __init
+annotation or the annotation of of_get_flat_dt_prop is wrong.
+
+WARNING: modpost: vmlinux.o(.text+0x551c): Section mismatch in reference
+from the function identical_pvr_fixup() to the function
+.init.text:identify_cpu()
+The function identical_pvr_fixup() references
+the function __init identify_cpu().
+This is often because identical_pvr_fixup lacks a __init
+annotation or the annotation of identify_cpu is wrong.
+
+identical_pvr_fixup() calls two functions marked as __init and is only
+called by a function marked as __init so it should be marked as __init
+as well. At the same time, remove the inline keywork as it is not
+necessary to inline this function. The compiler is still free to do so
+if it feels it is worthwhile since commit 889b3c1245de ("compiler:
+remove CONFIG_OPTIMIZE_INLINING entirely").
+
+Fixes: 14b3d926a22b ("[POWERPC] 4xx: update 440EP(x)/440GR(x) identical PVR issue workaround")
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://github.com/ClangBuiltLinux/linux/issues/1316
+Link: https://lore.kernel.org/r/20210302200829.2680663-1-nathan@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/prom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/kernel/prom.c b/arch/powerpc/kernel/prom.c
+index b868f07c4246..11b4ecec04ee 100644
+--- a/arch/powerpc/kernel/prom.c
++++ b/arch/powerpc/kernel/prom.c
+@@ -262,7 +262,7 @@ static struct feature_property {
+ };
+
+ #if defined(CONFIG_44x) && defined(CONFIG_PPC_FPU)
+-static inline void identical_pvr_fixup(unsigned long node)
++static __init void identical_pvr_fixup(unsigned long node)
+ {
+ unsigned int pvr;
+ const char *model = of_get_flat_dt_prop(node, "model", NULL);
+--
+2.30.2
+
--- /dev/null
+From 46c6a5dc24d4f1637ac12de61b399a88870ff8fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Feb 2021 12:24:35 -0600
+Subject: powerpc/pseries: extract host bridge from pci_bus prior to bus
+ removal
+
+From: Tyrel Datwyler <tyreld@linux.ibm.com>
+
+[ Upstream commit 38d0b1c9cec71e6d0f3bddef0bbce41d05a3e796 ]
+
+The pci_bus->bridge reference may no longer be valid after
+pci_bus_remove() resulting in passing a bad value to device_unregister()
+for the associated bridge device.
+
+Store the host_bridge reference in a separate variable prior to
+pci_bus_remove().
+
+Fixes: 7340056567e3 ("powerpc/pci: Reorder pci bus/bridge unregistration during PHB removal")
+Signed-off-by: Tyrel Datwyler <tyreld@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20210211182435.47968-1-tyreld@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/pseries/pci_dlpar.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/platforms/pseries/pci_dlpar.c b/arch/powerpc/platforms/pseries/pci_dlpar.c
+index 547fd13e4f8e..35d035d68dce 100644
+--- a/arch/powerpc/platforms/pseries/pci_dlpar.c
++++ b/arch/powerpc/platforms/pseries/pci_dlpar.c
+@@ -66,6 +66,7 @@ EXPORT_SYMBOL_GPL(init_phb_dynamic);
+ int remove_phb_dynamic(struct pci_controller *phb)
+ {
+ struct pci_bus *b = phb->bus;
++ struct pci_host_bridge *host_bridge = to_pci_host_bridge(b->bridge);
+ struct resource *res;
+ int rc, i;
+
+@@ -92,7 +93,8 @@ int remove_phb_dynamic(struct pci_controller *phb)
+ /* Remove the PCI bus and unregister the bridge device from sysfs */
+ phb->bus = NULL;
+ pci_remove_bus(b);
+- device_unregister(b->bridge);
++ host_bridge->bus = NULL;
++ device_unregister(&host_bridge->dev);
+
+ /* Now release the IO resource */
+ if (res->flags & IORESOURCE_IO)
+--
+2.30.2
+
--- /dev/null
+From 187c237bcf034d0003d2647b35e3a7331a8bb504 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Apr 2021 19:21:04 -0500
+Subject: RDMA/i40iw: Fix error unwinding when i40iw_hmc_sd_one fails
+
+From: Sindhu Devale <sindhu.devale@intel.com>
+
+[ Upstream commit 783a11bf2400e5d5c42a943c3083dc0330751842 ]
+
+When i40iw_hmc_sd_one fails, chunk is freed without the deletion of chunk
+entry in the PBLE info list.
+
+Fix it by adding the chunk entry to the PBLE info list only after
+successful addition of SD in i40iw_hmc_sd_one.
+
+This fixes a static checker warning reported here:
+ https://lore.kernel.org/linux-rdma/YHV4CFXzqTm23AOZ@mwanda/
+
+Fixes: 9715830157be ("i40iw: add pble resource files")
+Link: https://lore.kernel.org/r/20210416002104.323-1-shiraz.saleem@intel.com
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Sindhu Devale <sindhu.devale@intel.com>
+Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/i40iw/i40iw_pble.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/infiniband/hw/i40iw/i40iw_pble.c b/drivers/infiniband/hw/i40iw/i40iw_pble.c
+index 85993dc44f6e..3fbf7a3b00de 100644
+--- a/drivers/infiniband/hw/i40iw/i40iw_pble.c
++++ b/drivers/infiniband/hw/i40iw/i40iw_pble.c
+@@ -399,12 +399,9 @@ static enum i40iw_status_code add_pble_pool(struct i40iw_sc_dev *dev,
+ i40iw_debug(dev, I40IW_DEBUG_PBLE, "next_fpm_addr = %llx chunk_size[%u] = 0x%x\n",
+ pble_rsrc->next_fpm_addr, chunk->size, chunk->size);
+ pble_rsrc->unallocated_pble -= (chunk->size >> 3);
+- list_add(&chunk->list, &pble_rsrc->pinfo.clist);
+ sd_reg_val = (sd_entry_type == I40IW_SD_TYPE_PAGED) ?
+ sd_entry->u.pd_table.pd_page_addr.pa : sd_entry->u.bp.addr.pa;
+- if (sd_entry->valid)
+- return 0;
+- if (dev->is_pf) {
++ if (dev->is_pf && !sd_entry->valid) {
+ ret_code = i40iw_hmc_sd_one(dev, hmc_info->hmc_fn_id,
+ sd_reg_val, idx->sd_idx,
+ sd_entry->entry_type, true);
+@@ -415,6 +412,7 @@ static enum i40iw_status_code add_pble_pool(struct i40iw_sc_dev *dev,
+ }
+
+ sd_entry->valid = true;
++ list_add(&chunk->list, &pble_rsrc->pinfo.clist);
+ return 0;
+ error:
+ kfree(chunk);
+--
+2.30.2
+
--- /dev/null
+From ea5ce03421a00cbb8b5317fd86bdcba86c05da20 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 Mar 2021 00:13:49 +0300
+Subject: sata_mv: add IRQ checks
+
+From: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+
+[ Upstream commit e6471a65fdd5efbb8dd2732dd0f063f960685ceb ]
+
+The function mv_platform_probe() neglects to check the results of the
+calls to platform_get_irq() and irq_of_parse_and_map() and blithely
+passes them to ata_host_activate() -- while the latter only checks
+for IRQ0 (treating it as a polling mode indicattion) and passes the
+negative values to devm_request_irq() causing it to fail as it takes
+unsigned values for the IRQ #...
+
+Add to mv_platform_probe() the proper IRQ checks to pass the positive IRQ
+#s to ata_host_activate(), propagate upstream the negative error codes,
+and override the IRQ0 with -EINVAL (as we don't want the polling mode).
+
+Fixes: f351b2d638c3 ("sata_mv: Support SoC controllers")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+Link: https://lore.kernel.org/r/51436f00-27a1-e20b-c21b-0e817e0a7c86@omprussia.ru
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/sata_mv.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/ata/sata_mv.c b/drivers/ata/sata_mv.c
+index 513ef298dd96..ded3a66049d2 100644
+--- a/drivers/ata/sata_mv.c
++++ b/drivers/ata/sata_mv.c
+@@ -4112,6 +4112,10 @@ static int mv_platform_probe(struct platform_device *pdev)
+ n_ports = mv_platform_data->n_ports;
+ irq = platform_get_irq(pdev, 0);
+ }
++ if (irq < 0)
++ return irq;
++ if (!irq)
++ return -EINVAL;
+
+ host = ata_host_alloc_pinfo(&pdev->dev, ppi, n_ports);
+ hpriv = devm_kzalloc(&pdev->dev, sizeof(*hpriv), GFP_KERNEL);
+--
+2.30.2
+
--- /dev/null
+From d218862eb10d3134337f3a6bc3212b679bbe7569 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Mar 2021 17:46:59 +0100
+Subject: scsi: fcoe: Fix mismatched fcoe_wwn_from_mac declaration
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 5b11c9d80bde81f6896cc85b23aeaa9502a704ed ]
+
+An old cleanup changed the array size from MAX_ADDR_LEN to unspecified in
+the declaration, but now gcc-11 warns about this:
+
+drivers/scsi/fcoe/fcoe_ctlr.c:1972:37: error: argument 1 of type ‘unsigned char[32]’ with mismatched bound [-Werror=array-parameter=]
+ 1972 | u64 fcoe_wwn_from_mac(unsigned char mac[MAX_ADDR_LEN],
+ | ~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~
+In file included from /git/arm-soc/drivers/scsi/fcoe/fcoe_ctlr.c:33:
+include/scsi/libfcoe.h:252:37: note: previously declared as ‘unsigned char[]’
+ 252 | u64 fcoe_wwn_from_mac(unsigned char mac[], unsigned int, unsigned int);
+ | ~~~~~~~~~~~~~~^~~~~
+
+Change the type back to what the function definition uses.
+
+Link: https://lore.kernel.org/r/20210322164702.957810-1-arnd@kernel.org
+Fixes: fdd78027fd47 ("[SCSI] fcoe: cleans up libfcoe.h and adds fcoe.h for fcoe module")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/scsi/libfcoe.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/scsi/libfcoe.h b/include/scsi/libfcoe.h
+index 6be92eede5c0..a911f993219d 100644
+--- a/include/scsi/libfcoe.h
++++ b/include/scsi/libfcoe.h
+@@ -261,7 +261,7 @@ int fcoe_ctlr_recv_flogi(struct fcoe_ctlr *, struct fc_lport *,
+ struct fc_frame *);
+
+ /* libfcoe funcs */
+-u64 fcoe_wwn_from_mac(unsigned char mac[], unsigned int, unsigned int);
++u64 fcoe_wwn_from_mac(unsigned char mac[MAX_ADDR_LEN], unsigned int, unsigned int);
+ int fcoe_libfc_config(struct fc_lport *, struct fcoe_ctlr *,
+ const struct libfc_function_template *, int init_fcp);
+ u32 fcoe_fc_crc(struct fc_frame *fp);
+--
+2.30.2
+
--- /dev/null
+From dfef0c19b7e1a8640c040ac83acee501b07c1e7d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Mar 2021 20:43:23 +0300
+Subject: scsi: jazz_esp: Add IRQ check
+
+From: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+
+[ Upstream commit 38fca15c29db6ed06e894ac194502633e2a7d1fb ]
+
+The driver neglects to check the result of platform_get_irq()'s call and
+blithely passes the negative error codes to request_irq() (which takes
+*unsigned* IRQ #), causing it to fail with -EINVAL, overriding the real
+error code. Stop calling request_irq() with the invalid IRQ #s.
+
+Link: https://lore.kernel.org/r/594aa9ae-2215-49f6-f73c-33bd38989912@omprussia.ru
+Fixes: 352e921f0dd4 ("[SCSI] jazz_esp: converted to use esp_core")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/jazz_esp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/jazz_esp.c b/drivers/scsi/jazz_esp.c
+index 9aaa74e349cc..65f0dbfc3a45 100644
+--- a/drivers/scsi/jazz_esp.c
++++ b/drivers/scsi/jazz_esp.c
+@@ -170,7 +170,9 @@ static int esp_jazz_probe(struct platform_device *dev)
+ if (!esp->command_block)
+ goto fail_unmap_regs;
+
+- host->irq = platform_get_irq(dev, 0);
++ host->irq = err = platform_get_irq(dev, 0);
++ if (err < 0)
++ goto fail_unmap_command_block;
+ err = request_irq(host->irq, scsi_esp_intr, IRQF_SHARED, "ESP", esp);
+ if (err < 0)
+ goto fail_unmap_command_block;
+--
+2.30.2
+
--- /dev/null
+From 7a5b130d0ca4ed43364a63b0e2380d5cea6eaf46 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Mar 2021 20:45:12 +0300
+Subject: scsi: sni_53c710: Add IRQ check
+
+From: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+
+[ Upstream commit 1160d61bc51e87e509cfaf9da50a0060f67b6de4 ]
+
+The driver neglects to check the result of platform_get_irq()'s call and
+blithely passes the negative error codes to request_irq() (which takes
+*unsigned* IRQ #s), causing it to fail with -EINVAL (overridden by -ENODEV
+further below). Stop calling request_irq() with the invalid IRQ #s.
+
+Link: https://lore.kernel.org/r/8f4b8fa5-8251-b977-70a1-9099bcb4bb17@omprussia.ru
+Fixes: c27d85f3f3c5 ("[SCSI] SNI RM 53c710 driver")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/sni_53c710.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/sni_53c710.c b/drivers/scsi/sni_53c710.c
+index b0f5220ae23a..fad68cb028d6 100644
+--- a/drivers/scsi/sni_53c710.c
++++ b/drivers/scsi/sni_53c710.c
+@@ -71,6 +71,7 @@ static int snirm710_probe(struct platform_device *dev)
+ struct NCR_700_Host_Parameters *hostdata;
+ struct Scsi_Host *host;
+ struct resource *res;
++ int rc;
+
+ res = platform_get_resource(dev, IORESOURCE_MEM, 0);
+ if (!res)
+@@ -96,7 +97,9 @@ static int snirm710_probe(struct platform_device *dev)
+ goto out_kfree;
+ host->this_id = 7;
+ host->base = base;
+- host->irq = platform_get_irq(dev, 0);
++ host->irq = rc = platform_get_irq(dev, 0);
++ if (rc < 0)
++ goto out_put_host;
+ if(request_irq(host->irq, NCR_700_intr, IRQF_SHARED, "snirm710", host)) {
+ printk(KERN_ERR "snirm710: request_irq failed!\n");
+ goto out_put_host;
+--
+2.30.2
+
--- /dev/null
+From 5b9e1540d10d75a90ac7072a511e48c20db4e949 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Mar 2021 20:44:08 +0300
+Subject: scsi: sun3x_esp: Add IRQ check
+
+From: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+
+[ Upstream commit 14b321380eb333c82853d7d612d0995f05f88fdc ]
+
+The driver neglects to check the result of platform_get_irq()'s call and
+blithely passes the negative error codes to request_irq() (which takes
+*unsigned* IRQ #), causing it to fail with -EINVAL, overriding the real
+error code. Stop calling request_irq() with the invalid IRQ #s.
+
+Link: https://lore.kernel.org/r/363eb4c8-a3bf-4dc9-2a9e-90f349030a15@omprussia.ru
+Fixes: 0bb67f181834 ("[SCSI] sun3x_esp: convert to esp_scsi")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omprussia.ru>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/sun3x_esp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/sun3x_esp.c b/drivers/scsi/sun3x_esp.c
+index d50c5ed8f428..167ae2d29e47 100644
+--- a/drivers/scsi/sun3x_esp.c
++++ b/drivers/scsi/sun3x_esp.c
+@@ -233,7 +233,9 @@ static int esp_sun3x_probe(struct platform_device *dev)
+ if (!esp->command_block)
+ goto fail_unmap_regs_dma;
+
+- host->irq = platform_get_irq(dev, 0);
++ host->irq = err = platform_get_irq(dev, 0);
++ if (err < 0)
++ goto fail_unmap_command_block;
+ err = request_irq(host->irq, scsi_esp_intr, IRQF_SHARED,
+ "SUN3X ESP", esp);
+ if (err < 0)
+--
+2.30.2
+
--- /dev/null
+From d061eecec1ef3cf4543f9debb34d8023733ed9d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Mar 2021 17:22:58 +0100
+Subject: serial: stm32: fix incorrect characters on console
+
+From: Erwan Le Ray <erwan.leray@foss.st.com>
+
+[ Upstream commit f264c6f6aece81a9f8fbdf912b20bd3feb476a7a ]
+
+Incorrect characters are observed on console during boot. This issue occurs
+when init/main.c is modifying termios settings to open /dev/console on the
+rootfs.
+
+This patch adds a waiting loop in set_termios to wait for TX shift register
+empty (and TX FIFO if any) before stopping serial port.
+
+Fixes: 48a6092fb41f ("serial: stm32-usart: Add STM32 USART Driver")
+Signed-off-by: Erwan Le Ray <erwan.leray@foss.st.com>
+Link: https://lore.kernel.org/r/20210304162308.8984-4-erwan.leray@foss.st.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/stm32-usart.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/stm32-usart.c b/drivers/tty/serial/stm32-usart.c
+index ea8b591dd46f..f325019887b2 100644
+--- a/drivers/tty/serial/stm32-usart.c
++++ b/drivers/tty/serial/stm32-usart.c
+@@ -476,8 +476,9 @@ static void stm32_set_termios(struct uart_port *port, struct ktermios *termios,
+ unsigned int baud;
+ u32 usartdiv, mantissa, fraction, oversampling;
+ tcflag_t cflag = termios->c_cflag;
+- u32 cr1, cr2, cr3;
++ u32 cr1, cr2, cr3, isr;
+ unsigned long flags;
++ int ret;
+
+ if (!stm32_port->hw_flow_control)
+ cflag &= ~CRTSCTS;
+@@ -486,6 +487,15 @@ static void stm32_set_termios(struct uart_port *port, struct ktermios *termios,
+
+ spin_lock_irqsave(&port->lock, flags);
+
++ ret = readl_relaxed_poll_timeout_atomic(port->membase + ofs->isr,
++ isr,
++ (isr & USART_SR_TC),
++ 10, 100000);
++
++ /* Send the TC error message only when ISR_TC is not set. */
++ if (ret)
++ dev_err(port->dev, "Transmission is not complete\n");
++
+ /* Stop serial port and reset value */
+ writel_relaxed(0, port->membase + ofs->cr1);
+
+--
+2.30.2
+
--- /dev/null
+From 2d843653785d83e84dd658e7ca9643ae0a42aaa5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Mar 2021 17:23:07 +0100
+Subject: serial: stm32: fix tx_empty condition
+
+From: Erwan Le Ray <erwan.leray@foss.st.com>
+
+[ Upstream commit 3db1d52466dc11dca4e47ef12a6e6e97f846af62 ]
+
+In "tx_empty", we should poll TC bit in both DMA and PIO modes (instead of
+TXE) to check transmission data register has been transmitted independently
+of the FIFO mode. TC indicates that both transmit register and shift
+register are empty. When shift register is empty, tx_empty should return
+TIOCSER_TEMT instead of TC value.
+
+Cleans the USART_CR_TC TCCF register define (transmission complete clear
+flag) as it is duplicate of USART_ICR_TCCF.
+
+Fixes: 48a6092fb41f ("serial: stm32-usart: Add STM32 USART Driver")
+Signed-off-by: Erwan Le Ray <erwan.leray@foss.st.com>
+Link: https://lore.kernel.org/r/20210304162308.8984-13-erwan.leray@foss.st.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/stm32-usart.c | 5 ++++-
+ drivers/tty/serial/stm32-usart.h | 3 ---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/tty/serial/stm32-usart.c b/drivers/tty/serial/stm32-usart.c
+index f325019887b2..25a92bf4067d 100644
+--- a/drivers/tty/serial/stm32-usart.c
++++ b/drivers/tty/serial/stm32-usart.c
+@@ -355,7 +355,10 @@ static unsigned int stm32_tx_empty(struct uart_port *port)
+ struct stm32_port *stm32_port = to_stm32_port(port);
+ struct stm32_usart_offsets *ofs = &stm32_port->info->ofs;
+
+- return readl_relaxed(port->membase + ofs->isr) & USART_SR_TXE;
++ if (readl_relaxed(port->membase + ofs->isr) & USART_SR_TC)
++ return TIOCSER_TEMT;
++
++ return 0;
+ }
+
+ static void stm32_set_mctrl(struct uart_port *port, unsigned int mctrl)
+diff --git a/drivers/tty/serial/stm32-usart.h b/drivers/tty/serial/stm32-usart.h
+index cd97ceb76e4f..377d510d77bc 100644
+--- a/drivers/tty/serial/stm32-usart.h
++++ b/drivers/tty/serial/stm32-usart.h
+@@ -99,9 +99,6 @@ struct stm32_usart_info stm32f7_info = {
+ /* Dummy bits */
+ #define USART_SR_DUMMY_RX BIT(16)
+
+-/* USART_ICR (F7) */
+-#define USART_CR_TC BIT(6)
+-
+ /* USART_DR */
+ #define USART_DR_MASK GENMASK(8, 0)
+
+--
+2.30.2
+
alsa-hda-realtek-re-order-alc269-lenovo-quirk-table-entries.patch
alsa-hda-realtek-remove-redundant-entry-for-alc861-haier-uniwill-devices.patch
usb-gadget-pch_udc-revert-d3cb25a12138-completely.patch
+memory-gpmc-fix-out-of-bounds-read-and-dereference-o.patch
+arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch
+arm-dts-exynos-correct-pmic-interrupt-trigger-level-.patch-28317
+serial-stm32-fix-incorrect-characters-on-console.patch
+serial-stm32-fix-tx_empty-condition.patch
+usb-gadget-pch_udc-replace-cpu_to_le32-by-lower_32_b.patch
+usb-gadget-pch_udc-check-if-driver-is-present-before.patch
+usb-gadget-pch_udc-check-for-dma-mapping-error.patch
+crypto-qat-don-t-release-uninitialized-resources.patch
+crypto-qat-adf_status_pf_running-should-be-set-after.patch
+fotg210-udc-fix-dma-on-ep0-for-length-max-packet-siz.patch
+fotg210-udc-fix-ep0-in-requests-bigger-than-two-pack.patch
+fotg210-udc-remove-a-dubious-condition-leading-to-fo.patch
+fotg210-udc-mask-grp2-interrupts-we-don-t-handle.patch
+fotg210-udc-don-t-dma-more-than-the-buffer-can-take.patch
+fotg210-udc-complete-out-requests-on-short-packets.patch
+mtd-require-write-permissions-for-locking-and-badblo.patch
+bus-qcom-put-child-node-before-return.patch
+crypto-qat-fix-error-path-in-adf_isr_resource_alloc.patch
+mtd-rawnand-gpmi-fix-a-double-free-in-gpmi_nand_init.patch
+staging-rtl8192u-fix-potential-infinite-loop.patch
+staging-greybus-uart-fix-unprivileged-tioccserial.patch
+crypto-qat-fix-a-double-free-in-adf_create_ring.patch
+usb-gadget-r8a66597-add-missing-null-check-on-return.patch
+usb-cdc-acm-fix-unprivileged-tioccserial.patch
+tty-actually-undefine-superseded-async-flags.patch
+tty-fix-return-value-for-unsupported-ioctls.patch
+firmware-qcom-scm-fix-qcom_scm-configuration.patch
+x86-platform-uv-fix-kexec-build-failure.patch
+drivers-hv-vmbus-increase-wait-time-for-vmbus-unload.patch
+ttyprintk-add-tty-hangup-callback.patch
+media-vivid-fix-assignment-of-dev-fbuf_out_flags.patch
+media-omap4iss-return-error-code-when-omap4iss_get-f.patch
+media-m88rs6000t-avoid-potential-out-of-bounds-reads.patch
+pata_arasan_cf-fix-irq-check.patch
+pata_ipx4xx_cf-fix-irq-check.patch
+sata_mv-add-irq-checks.patch
+ata-libahci_platform-fix-irq-check.patch
+scsi-fcoe-fix-mismatched-fcoe_wwn_from_mac-declarati.patch
+media-dvb-usb-remote-fix-dvb_usb_nec_rc_key_to_event.patch
+clk-uniphier-fix-potential-infinite-loop.patch
+scsi-jazz_esp-add-irq-check.patch
+scsi-sun3x_esp-add-irq-check.patch
+scsi-sni_53c710-add-irq-check.patch
+hsi-core-fix-resource-leaks-in-hsi_add_client_from_d.patch
+x86-events-amd-iommu-fix-sysfs-type-mismatch.patch
+hid-plantronics-workaround-for-double-volume-key-pre.patch
+perf-symbols-fix-dso__fprintf_symbols_by_name-to-ret.patch
+net-lapbether-prevent-racing-when-checking-whether-t.patch
+powerpc-prom-mark-identical_pvr_fixup-as-__init.patch
+alsa-core-remove-redundant-spin_lock-pair-in-snd_car.patch
+nfc-pn533-prevent-potential-memory-corruption.patch
+alsa-usb-audio-add-error-checks-for-usb_driver_claim.patch
+liquidio-fix-unintented-sign-extension-of-a-left-shi.patch
+powerpc-perf-fix-pmu-constraint-check-for-ebb-events.patch
+powerpc-iommu-fix-build-when-neither-pci-or-ibmvio-i.patch
+mac80211-bail-out-if-cipher-schemes-are-invalid.patch
+mt7601u-fix-always-true-expression.patch
+net-thunderx-fix-unintentional-sign-extension-issue.patch
+i2c-cadence-add-irq-check.patch
+i2c-emev2-add-irq-check.patch
+i2c-jz4780-add-irq-check.patch
+i2c-sh7760-add-irq-check.patch
+mips-pci-legacy-stop-using-of_pci_range_to_resource.patch
+powerpc-pseries-extract-host-bridge-from-pci_bus-pri.patch
+i2c-sh7760-fix-irq-error-path.patch
+mwl8k-fix-a-double-free-in-mwl8k_probe_hw.patch
+vsock-vmci-log-once-the-failed-queue-pair-allocation.patch
+rdma-i40iw-fix-error-unwinding-when-i40iw_hmc_sd_one.patch
+net-davinci_emac-fix-incorrect-masking-of-tx-and-rx-.patch
+ath9k-fix-error-check-in-ath9k_hw_read_revisions-for.patch
+powerpc-52xx-fix-an-invalid-asm-expression-addi-used.patch
+net-emac-emac-mac-fix-a-use-after-free-in-emac_mac_t.patch
+net-nfc-digital-fix-a-double-free-in-digital_tg_recv.patch
+kfifo-fix-ternary-sign-extension-bugs.patch
--- /dev/null
+From f441955d3dc2cc61ca92e02146203a92edcb26e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Apr 2021 12:23:24 +0200
+Subject: staging: greybus: uart: fix unprivileged TIOCCSERIAL
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit 60c6b305c11b5fd167ce5e2ce42f3a9098c388f0 ]
+
+TIOCSSERIAL is a horrid, underspecified, legacy interface which for most
+serial devices is only useful for setting the close_delay and
+closing_wait parameters.
+
+A non-privileged user has only ever been able to set the since long
+deprecated ASYNC_SPD flags and trying to change any other *supported*
+feature should result in -EPERM being returned. Setting the current
+values for any supported features should return success.
+
+Fix the greybus implementation which instead indicated that the
+TIOCSSERIAL ioctl was not even implemented when a non-privileged user
+set the current values.
+
+Fixes: e68453ed28c5 ("greybus: uart-gb: now builds, more framework added")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20210407102334.32361-7-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/greybus/uart.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/staging/greybus/uart.c b/drivers/staging/greybus/uart.c
+index 9ef9cbfd8926..c35c9b766a00 100644
+--- a/drivers/staging/greybus/uart.c
++++ b/drivers/staging/greybus/uart.c
+@@ -661,8 +661,6 @@ static int set_serial_info(struct gb_tty *gb_tty,
+ if ((close_delay != gb_tty->port.close_delay) ||
+ (closing_wait != gb_tty->port.closing_wait))
+ retval = -EPERM;
+- else
+- retval = -EOPNOTSUPP;
+ } else {
+ gb_tty->port.close_delay = close_delay;
+ gb_tty->port.closing_wait = closing_wait;
+--
+2.30.2
+
--- /dev/null
+From 19333470af458496d8e1399aece5d15a40319934 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Apr 2021 16:03:08 +0100
+Subject: staging: rtl8192u: Fix potential infinite loop
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit f9b9263a25dc3d2eaaa829e207434db6951ca7bc ]
+
+The for-loop iterates with a u8 loop counter i and compares this
+with the loop upper limit of riv->ieee80211->LinkDetectInfo.SlotNum
+that is a u16 type. There is a potential infinite loop if SlotNum
+is larger than the u8 loop counter. Fix this by making the loop
+counter the same type as SlotNum.
+
+Addresses-Coverity: ("Infinite loop")
+Fixes: 8fc8598e61f6 ("Staging: Added Realtek rtl8192u driver to staging")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Link: https://lore.kernel.org/r/20210407150308.496623-1-colin.king@canonical.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/rtl8192u/r8192U_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/staging/rtl8192u/r8192U_core.c b/drivers/staging/rtl8192u/r8192U_core.c
+index fa4c47c7d216..53b77c8ae328 100644
+--- a/drivers/staging/rtl8192u/r8192U_core.c
++++ b/drivers/staging/rtl8192u/r8192U_core.c
+@@ -3420,7 +3420,7 @@ static void rtl819x_update_rxcounts(struct r8192_priv *priv, u32 *TotalRxBcnNum,
+ u32 *TotalRxDataNum)
+ {
+ u16 SlotIndex;
+- u8 i;
++ u16 i;
+
+ *TotalRxBcnNum = 0;
+ *TotalRxDataNum = 0;
+--
+2.30.2
+
--- /dev/null
+From b94fd736fb1fe776907fc1b46293e37b2b330c72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Apr 2021 11:52:01 +0200
+Subject: tty: actually undefine superseded ASYNC flags
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit d09845e98a05850a8094ea8fd6dd09a8e6824fff ]
+
+Some kernel-internal ASYNC flags have been superseded by tty-port flags
+and should no longer be used by kernel drivers.
+
+Fix the misspelled "__KERNEL__" compile guards which failed their sole
+purpose to break out-of-tree drivers that have not yet been updated.
+
+Fixes: 5c0517fefc92 ("tty: core: Undefine ASYNC_* flags superceded by TTY_PORT* flags")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20210407095208.31838-2-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/tty_flags.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/uapi/linux/tty_flags.h b/include/uapi/linux/tty_flags.h
+index 66e4d8bcb16f..9f9572b2a596 100644
+--- a/include/uapi/linux/tty_flags.h
++++ b/include/uapi/linux/tty_flags.h
+@@ -38,7 +38,7 @@
+ * WARNING: These flags are no longer used and have been superceded by the
+ * TTY_PORT_ flags in the iflags field (and not userspace-visible)
+ */
+-#ifndef _KERNEL_
++#ifndef __KERNEL__
+ #define ASYNCB_INITIALIZED 31 /* Serial port was initialized */
+ #define ASYNCB_SUSPENDED 30 /* Serial port is suspended */
+ #define ASYNCB_NORMAL_ACTIVE 29 /* Normal device is active */
+@@ -80,7 +80,7 @@
+ #define ASYNC_SPD_WARP (ASYNC_SPD_HI|ASYNC_SPD_SHI)
+ #define ASYNC_SPD_MASK (ASYNC_SPD_HI|ASYNC_SPD_VHI|ASYNC_SPD_SHI)
+
+-#ifndef _KERNEL_
++#ifndef __KERNEL__
+ /* These flags are no longer used (and were always masked from userspace) */
+ #define ASYNC_INITIALIZED (1U << ASYNCB_INITIALIZED)
+ #define ASYNC_NORMAL_ACTIVE (1U << ASYNCB_NORMAL_ACTIVE)
+--
+2.30.2
+
--- /dev/null
+From 2ed061da574773db487fea2671f6d709869c203c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Apr 2021 11:52:02 +0200
+Subject: tty: fix return value for unsupported ioctls
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit 1b8b20868a6d64cfe8174a21b25b74367bdf0560 ]
+
+Drivers should return -ENOTTY ("Inappropriate I/O control operation")
+when an ioctl isn't supported, while -EINVAL is used for invalid
+arguments.
+
+Fix up the TIOCMGET, TIOCMSET and TIOCGICOUNT helpers which returned
+-EINVAL when a tty driver did not implement the corresponding
+operations.
+
+Note that the TIOCMGET and TIOCMSET helpers predate git and do not get a
+corresponding Fixes tag below.
+
+Fixes: d281da7ff6f7 ("tty: Make tiocgicount a handler")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20210407095208.31838-3-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/tty_io.c | 8 ++++----
+ include/linux/tty_driver.h | 2 +-
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
+index 7b4aca20cb29..e16a74b68cd0 100644
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -2791,14 +2791,14 @@ out:
+ * @p: pointer to result
+ *
+ * Obtain the modem status bits from the tty driver if the feature
+- * is supported. Return -EINVAL if it is not available.
++ * is supported. Return -ENOTTY if it is not available.
+ *
+ * Locking: none (up to the driver)
+ */
+
+ static int tty_tiocmget(struct tty_struct *tty, int __user *p)
+ {
+- int retval = -EINVAL;
++ int retval = -ENOTTY;
+
+ if (tty->ops->tiocmget) {
+ retval = tty->ops->tiocmget(tty);
+@@ -2816,7 +2816,7 @@ static int tty_tiocmget(struct tty_struct *tty, int __user *p)
+ * @p: pointer to desired bits
+ *
+ * Set the modem status bits from the tty driver if the feature
+- * is supported. Return -EINVAL if it is not available.
++ * is supported. Return -ENOTTY if it is not available.
+ *
+ * Locking: none (up to the driver)
+ */
+@@ -2828,7 +2828,7 @@ static int tty_tiocmset(struct tty_struct *tty, unsigned int cmd,
+ unsigned int set, clear, val;
+
+ if (tty->ops->tiocmset == NULL)
+- return -EINVAL;
++ return -ENOTTY;
+
+ retval = get_user(val, p);
+ if (retval)
+diff --git a/include/linux/tty_driver.h b/include/linux/tty_driver.h
+index b742b5e47cc2..ae63c962fa22 100644
+--- a/include/linux/tty_driver.h
++++ b/include/linux/tty_driver.h
+@@ -235,7 +235,7 @@
+ *
+ * Called when the device receives a TIOCGICOUNT ioctl. Passed a kernel
+ * structure to complete. This method is optional and will only be called
+- * if provided (otherwise EINVAL will be returned).
++ * if provided (otherwise ENOTTY will be returned).
+ */
+
+ #include <linux/export.h>
+--
+2.30.2
+
--- /dev/null
+From 4d1b6d8305cf925e92bcb8fccef28190ad38706d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Apr 2021 09:22:22 +0900
+Subject: ttyprintk: Add TTY hangup callback.
+
+From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+
+[ Upstream commit c0070e1e60270f6a1e09442a9ab2335f3eaeaad2 ]
+
+syzbot is reporting hung task due to flood of
+
+ tty_warn(tty, "%s: tty->count = 1 port count = %d\n", __func__,
+ port->count);
+
+message [1], for ioctl(TIOCVHANGUP) prevents tty_port_close() from
+decrementing port->count due to tty_hung_up_p() == true.
+
+----------
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sys/ioctl.h>
+#include <unistd.h>
+
+int main(int argc, char *argv[])
+{
+ int i;
+ int fd[10];
+
+ for (i = 0; i < 10; i++)
+ fd[i] = open("/dev/ttyprintk", O_WRONLY);
+ ioctl(fd[0], TIOCVHANGUP);
+ for (i = 0; i < 10; i++)
+ close(fd[i]);
+ close(open("/dev/ttyprintk", O_WRONLY));
+ return 0;
+}
+----------
+
+When TTY hangup happens, port->count needs to be reset via
+"struct tty_operations"->hangup callback.
+
+[1] https://syzkaller.appspot.com/bug?id=39ea6caa479af471183997376dc7e90bc7d64a6a
+
+Reported-by: syzbot <syzbot+43e93968b964e369db0b@syzkaller.appspotmail.com>
+Reported-by: syzbot <syzbot+3ed715090790806d8b18@syzkaller.appspotmail.com>
+Tested-by: syzbot <syzbot+43e93968b964e369db0b@syzkaller.appspotmail.com>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Fixes: 24b4b67d17c308aa ("add ttyprintk driver")
+Link: https://lore.kernel.org/r/17e0652d-89b7-c8c0-fb53-e7566ac9add4@i-love.sakura.ne.jp
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/ttyprintk.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/drivers/char/ttyprintk.c b/drivers/char/ttyprintk.c
+index 774748497ace..e56ac5adb5fc 100644
+--- a/drivers/char/ttyprintk.c
++++ b/drivers/char/ttyprintk.c
+@@ -159,12 +159,23 @@ static int tpk_ioctl(struct tty_struct *tty,
+ return 0;
+ }
+
++/*
++ * TTY operations hangup function.
++ */
++static void tpk_hangup(struct tty_struct *tty)
++{
++ struct ttyprintk_port *tpkp = tty->driver_data;
++
++ tty_port_hangup(&tpkp->port);
++}
++
+ static const struct tty_operations ttyprintk_ops = {
+ .open = tpk_open,
+ .close = tpk_close,
+ .write = tpk_write,
+ .write_room = tpk_write_room,
+ .ioctl = tpk_ioctl,
++ .hangup = tpk_hangup,
+ };
+
+ static const struct tty_port_operations null_ops = { };
+--
+2.30.2
+
--- /dev/null
+From 732a896938e021c14c3bf094e08501c5a90a8c3c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Apr 2021 15:16:01 +0200
+Subject: USB: cdc-acm: fix unprivileged TIOCCSERIAL
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit dd5619582d60007139f0447382d2839f4f9e339b ]
+
+TIOCSSERIAL is a horrid, underspecified, legacy interface which for most
+serial devices is only useful for setting the close_delay and
+closing_wait parameters.
+
+A non-privileged user has only ever been able to set the since long
+deprecated ASYNC_SPD flags and trying to change any other *supported*
+feature should result in -EPERM being returned. Setting the current
+values for any supported features should return success.
+
+Fix the cdc-acm implementation which instead indicated that the
+TIOCSSERIAL ioctl was not even implemented when a non-privileged user
+set the current values.
+
+Fixes: ba2d8ce9db0a ("cdc-acm: implement TIOCSSERIAL to avoid blocking close(2)")
+Acked-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20210408131602.27956-3-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/class/cdc-acm.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
+index 97b5b021a220..a70d2341ada6 100644
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -870,8 +870,6 @@ static int set_serial_info(struct acm *acm,
+ if ((new_serial.close_delay != old_close_delay) ||
+ (new_serial.closing_wait != old_closing_wait))
+ retval = -EPERM;
+- else
+- retval = -EOPNOTSUPP;
+ } else {
+ acm->port.close_delay = close_delay;
+ acm->port.closing_wait = closing_wait;
+--
+2.30.2
+
--- /dev/null
+From 4cb76a3449981176b6840ec0a8d15596ef675db1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Mar 2021 17:36:22 +0200
+Subject: usb: gadget: pch_udc: Check for DMA mapping error
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 4a28d77e359009b846951b06f7c0d8eec8dce298 ]
+
+DMA mapping might fail, we have to check it with dma_mapping_error().
+Otherwise DMA-API is not happy:
+
+ DMA-API: pch_udc 0000:02:02.4: device driver failed to check map error[device address=0x00000000027ee678] [size=64 bytes] [mapped as single]
+
+Fixes: abab0c67c061 ("usb: pch_udc: Fixed issue which does not work with g_serial")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20210323153626.54908-3-andriy.shevchenko@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/pch_udc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/udc/pch_udc.c b/drivers/usb/gadget/udc/pch_udc.c
+index 2363e3f66647..18ce19162804 100644
+--- a/drivers/usb/gadget/udc/pch_udc.c
++++ b/drivers/usb/gadget/udc/pch_udc.c
+@@ -2977,7 +2977,7 @@ static int init_dma_pools(struct pch_udc_dev *dev)
+ dev->dma_addr = dma_map_single(&dev->pdev->dev, ep0out_buf,
+ UDC_EP0OUT_BUFF_SIZE * 4,
+ DMA_FROM_DEVICE);
+- return 0;
++ return dma_mapping_error(&dev->pdev->dev, dev->dma_addr);
+ }
+
+ static int pch_udc_start(struct usb_gadget *g,
+--
+2.30.2
+
--- /dev/null
+From 8827b02436259a9d0241a5ef81c4619bb7b4c61c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Mar 2021 17:36:21 +0200
+Subject: usb: gadget: pch_udc: Check if driver is present before calling
+ ->setup()
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit fbdbbe6d3ee502b3bdeb4f255196bb45003614be ]
+
+Since we have a separate routine for VBUS sense, the interrupt may occur
+before gadget driver is present. Hence, ->setup() call may oops the kernel:
+
+[ 55.245843] BUG: kernel NULL pointer dereference, address: 00000010
+...
+[ 55.245843] EIP: pch_udc_isr.cold+0x162/0x33f
+...
+[ 55.245843] <IRQ>
+[ 55.245843] ? pch_udc_svc_data_out+0x160/0x160
+
+Check if driver is present before calling ->setup().
+
+Fixes: f646cf94520e ("USB device driver of Topcliff PCH")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20210323153626.54908-2-andriy.shevchenko@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/pch_udc.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/usb/gadget/udc/pch_udc.c b/drivers/usb/gadget/udc/pch_udc.c
+index b143830285f6..2363e3f66647 100644
+--- a/drivers/usb/gadget/udc/pch_udc.c
++++ b/drivers/usb/gadget/udc/pch_udc.c
+@@ -2329,6 +2329,21 @@ static void pch_udc_svc_data_out(struct pch_udc_dev *dev, int ep_num)
+ pch_udc_set_dma(dev, DMA_DIR_RX);
+ }
+
++static int pch_udc_gadget_setup(struct pch_udc_dev *dev)
++ __must_hold(&dev->lock)
++{
++ int rc;
++
++ /* In some cases we can get an interrupt before driver gets setup */
++ if (!dev->driver)
++ return -ESHUTDOWN;
++
++ spin_unlock(&dev->lock);
++ rc = dev->driver->setup(&dev->gadget, &dev->setup_data);
++ spin_lock(&dev->lock);
++ return rc;
++}
++
+ /**
+ * pch_udc_svc_control_in() - Handle Control IN endpoint interrupts
+ * @dev: Reference to the device structure
+@@ -2400,15 +2415,12 @@ static void pch_udc_svc_control_out(struct pch_udc_dev *dev)
+ dev->gadget.ep0 = &dev->ep[UDC_EP0IN_IDX].ep;
+ else /* OUT */
+ dev->gadget.ep0 = &ep->ep;
+- spin_lock(&dev->lock);
+ /* If Mass storage Reset */
+ if ((dev->setup_data.bRequestType == 0x21) &&
+ (dev->setup_data.bRequest == 0xFF))
+ dev->prot_stall = 0;
+ /* call gadget with setup data received */
+- setup_supported = dev->driver->setup(&dev->gadget,
+- &dev->setup_data);
+- spin_unlock(&dev->lock);
++ setup_supported = pch_udc_gadget_setup(dev);
+
+ if (dev->setup_data.bRequestType & USB_DIR_IN) {
+ ep->td_data->status = (ep->td_data->status &
+@@ -2656,9 +2668,7 @@ static void pch_udc_svc_intf_interrupt(struct pch_udc_dev *dev)
+ dev->ep[i].halted = 0;
+ }
+ dev->stall = 0;
+- spin_unlock(&dev->lock);
+- dev->driver->setup(&dev->gadget, &dev->setup_data);
+- spin_lock(&dev->lock);
++ pch_udc_gadget_setup(dev);
+ }
+
+ /**
+@@ -2693,9 +2703,7 @@ static void pch_udc_svc_cfg_interrupt(struct pch_udc_dev *dev)
+ dev->stall = 0;
+
+ /* call gadget zero with setup data received */
+- spin_unlock(&dev->lock);
+- dev->driver->setup(&dev->gadget, &dev->setup_data);
+- spin_lock(&dev->lock);
++ pch_udc_gadget_setup(dev);
+ }
+
+ /**
+--
+2.30.2
+
--- /dev/null
+From e780e03a8dc11ae35e428cb4044d3c5e2a98065d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Mar 2021 17:36:20 +0200
+Subject: usb: gadget: pch_udc: Replace cpu_to_le32() by lower_32_bits()
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 91356fed6afd1c83bf0d3df1fc336d54e38f0458 ]
+
+Either way ~0 will be in the correct byte order, hence
+replace cpu_to_le32() by lower_32_bits(). Moreover,
+it makes sparse happy, otherwise it complains:
+
+.../pch_udc.c:1813:27: warning: incorrect type in assignment (different base types)
+.../pch_udc.c:1813:27: expected unsigned int [usertype] dataptr
+.../pch_udc.c:1813:27: got restricted __le32 [usertype]
+
+Fixes: f646cf94520e ("USB device driver of Topcliff PCH")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20210323153626.54908-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/pch_udc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/udc/pch_udc.c b/drivers/usb/gadget/udc/pch_udc.c
+index fe0887578117..b143830285f6 100644
+--- a/drivers/usb/gadget/udc/pch_udc.c
++++ b/drivers/usb/gadget/udc/pch_udc.c
+@@ -1786,7 +1786,7 @@ static struct usb_request *pch_udc_alloc_request(struct usb_ep *usbep,
+ }
+ /* prevent from using desc. - set HOST BUSY */
+ dma_desc->status |= PCH_UDC_BS_HST_BSY;
+- dma_desc->dataptr = cpu_to_le32(DMA_ADDR_INVALID);
++ dma_desc->dataptr = lower_32_bits(DMA_ADDR_INVALID);
+ req->td_data = dma_desc;
+ req->td_data_last = dma_desc;
+ req->chain_len = 1;
+--
+2.30.2
+
--- /dev/null
+From 5f6aa51827756d3fc649b8bd8e9fcc2b0df866ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Apr 2021 19:45:10 +0100
+Subject: usb: gadget: r8a66597: Add missing null check on return from
+ platform_get_resource
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 9c2076090c2815fe7c49676df68dde7e60a9b9fc ]
+
+The call to platform_get_resource can potentially return a NULL pointer
+on failure, so add this check and return -EINVAL if it fails.
+
+Fixes: c41442474a26 ("usb: gadget: R8A66597 peripheral controller support.")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Addresses-Coverity: ("Dereference null return")
+Link: https://lore.kernel.org/r/20210406184510.433497-1-colin.king@canonical.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/r8a66597-udc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/usb/gadget/udc/r8a66597-udc.c b/drivers/usb/gadget/udc/r8a66597-udc.c
+index 230e3248f386..80503c3604ca 100644
+--- a/drivers/usb/gadget/udc/r8a66597-udc.c
++++ b/drivers/usb/gadget/udc/r8a66597-udc.c
+@@ -1855,6 +1855,8 @@ static int r8a66597_probe(struct platform_device *pdev)
+ return PTR_ERR(reg);
+
+ ires = platform_get_resource(pdev, IORESOURCE_IRQ, 0);
++ if (!ires)
++ return -EINVAL;
+ irq = ires->start;
+ irq_trigger = ires->flags & IRQF_TRIGGER_MASK;
+
+--
+2.30.2
+
--- /dev/null
+From 956a571b475a429edc3662e3df71b3d2407f3ea4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Apr 2021 12:44:16 +0200
+Subject: vsock/vmci: log once the failed queue pair allocation
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+[ Upstream commit e16edc99d658cd41c60a44cc14d170697aa3271f ]
+
+VMCI feature is not supported in conjunction with the vSphere Fault
+Tolerance (FT) feature.
+
+VMware Tools can repeatedly try to create a vsock connection. If FT is
+enabled the kernel logs is flooded with the following messages:
+
+ qp_alloc_hypercall result = -20
+ Could not attach to queue pair with -20
+
+"qp_alloc_hypercall result = -20" was hidden by commit e8266c4c3307
+("VMCI: Stop log spew when qp allocation isn't possible"), but "Could
+not attach to queue pair with -20" is still there flooding the log.
+
+Since the error message can be useful in some cases, print it only once.
+
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Jorgen Hansen <jhansen@vmware.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/vmw_vsock/vmci_transport.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c
+index 102bf9194662..c09efcdf72d2 100644
+--- a/net/vmw_vsock/vmci_transport.c
++++ b/net/vmw_vsock/vmci_transport.c
+@@ -593,8 +593,7 @@ vmci_transport_queue_pair_alloc(struct vmci_qp **qpair,
+ peer, flags, VMCI_NO_PRIVILEGE_FLAGS);
+ out:
+ if (err < 0) {
+- pr_err("Could not attach to queue pair with %d\n",
+- err);
++ pr_err_once("Could not attach to queue pair with %d\n", err);
+ err = vmci_transport_error_to_vsock_error(err);
+ }
+
+--
+2.30.2
+
--- /dev/null
+From d028ea1aa8fa6a8feef7862572c50a34d5cc5c05 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Apr 2021 17:11:11 -0700
+Subject: x86/events/amd/iommu: Fix sysfs type mismatch
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+[ Upstream commit de5bc7b425d4c27ae5faa00ea7eb6b9780b9a355 ]
+
+dev_attr_show() calls _iommu_event_show() via an indirect call but
+_iommu_event_show()'s type does not currently match the type of the
+show() member in 'struct device_attribute', resulting in a Control Flow
+Integrity violation.
+
+$ cat /sys/devices/amd_iommu_1/events/mem_dte_hit
+csource=0x0a
+
+$ dmesg | grep "CFI failure"
+[ 3526.735140] CFI failure (target: _iommu_event_show...):
+
+Change _iommu_event_show() and 'struct amd_iommu_event_desc' to
+'struct device_attribute' so that there is no more CFI violation.
+
+Fixes: 7be6296fdd75 ("perf/x86/amd: AMD IOMMU Performance Counter PERF uncore PMU implementation")
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/20210415001112.3024673-1-nathan@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/amd/iommu.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/events/amd/iommu.c b/arch/x86/events/amd/iommu.c
+index b28200dea715..2bbf3fba8097 100644
+--- a/arch/x86/events/amd/iommu.c
++++ b/arch/x86/events/amd/iommu.c
+@@ -80,12 +80,12 @@ static struct attribute_group amd_iommu_format_group = {
+ * sysfs events attributes
+ *---------------------------------------------*/
+ struct amd_iommu_event_desc {
+- struct kobj_attribute attr;
++ struct device_attribute attr;
+ const char *event;
+ };
+
+-static ssize_t _iommu_event_show(struct kobject *kobj,
+- struct kobj_attribute *attr, char *buf)
++static ssize_t _iommu_event_show(struct device *dev,
++ struct device_attribute *attr, char *buf)
+ {
+ struct amd_iommu_event_desc *event =
+ container_of(attr, struct amd_iommu_event_desc, attr);
+--
+2.30.2
+
--- /dev/null
+From def97e8546b1ee52f422d67f78c64a75c1108d16 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Apr 2021 09:47:42 +0200
+Subject: x86/platform/uv: Fix !KEXEC build failure
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ingo Molnar <mingo@kernel.org>
+
+[ Upstream commit c2209ea55612efac75de0a58ef5f7394fae7fa0f ]
+
+When KEXEC is disabled, the UV build fails:
+
+ arch/x86/platform/uv/uv_nmi.c:875:14: error: ‘uv_nmi_kexec_failed’ undeclared (first use in this function)
+
+Since uv_nmi_kexec_failed is only defined in the KEXEC_CORE #ifdef branch,
+this code cannot ever have been build tested:
+
+ if (main)
+ pr_err("UV: NMI kdump: KEXEC not supported in this kernel\n");
+ atomic_set(&uv_nmi_kexec_failed, 1);
+
+Nor is this use possible in uv_handle_nmi():
+
+ atomic_set(&uv_nmi_kexec_failed, 0);
+
+These bugs were introduced in this commit:
+
+ d0a9964e9873: ("x86/platform/uv: Implement simple dump failover if kdump fails")
+
+Which added the uv_nmi_kexec_failed assignments to !KEXEC code, while making the
+definition KEXEC-only - apparently without testing the !KEXEC case.
+
+Instead of complicating the #ifdef maze, simplify the code by requiring X86_UV
+to depend on KEXEC_CORE. This pattern is present in other architectures as well.
+
+( We'll remove the untested, 7 years old !KEXEC complications from the file in a
+ separate commit. )
+
+Fixes: d0a9964e9873: ("x86/platform/uv: Implement simple dump failover if kdump fails")
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Mike Travis <travis@sgi.com>
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index 80636caee07c..3ce5b5bd1dc4 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -495,6 +495,7 @@ config X86_UV
+ depends on X86_EXTENDED_PLATFORM
+ depends on NUMA
+ depends on EFI
++ depends on KEXEC_CORE
+ depends on X86_X2APIC
+ depends on PCI
+ ---help---
+--
+2.30.2
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
