--- /dev/null
+From 55f8c088e6fff16915dd198794eea467dd0d0059 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Aug 2021 18:14:41 +0200
+Subject: ALSA: hda - fix the 'Capture Switch' value change notifications
+
+From: Jaroslav Kysela <perex@perex.cz>
+
+[ Upstream commit a2befe9380dd04ee76c871568deca00eedf89134 ]
+
+The original code in the cap_put_caller() function does not
+handle correctly the positive values returned from the passed
+function for multiple iterations. It means that the change
+notifications may be lost.
+
+Fixes: 352f7f914ebb ("ALSA: hda - Merge Realtek parser code to generic parser")
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=213851
+Cc: <stable@kernel.org>
+Signed-off-by: Jaroslav Kysela <perex@perex.cz>
+Link: https://lore.kernel.org/r/20210811161441.1325250-1-perex@perex.cz
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/hda_generic.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/sound/pci/hda/hda_generic.c b/sound/pci/hda/hda_generic.c
+index 1f8018f9ce57..534c0df75172 100644
+--- a/sound/pci/hda/hda_generic.c
++++ b/sound/pci/hda/hda_generic.c
+@@ -3460,7 +3460,7 @@ static int cap_put_caller(struct snd_kcontrol *kcontrol,
+ struct hda_gen_spec *spec = codec->spec;
+ const struct hda_input_mux *imux;
+ struct nid_path *path;
+- int i, adc_idx, err = 0;
++ int i, adc_idx, ret, err = 0;
+
+ imux = &spec->input_mux;
+ adc_idx = kcontrol->id.index;
+@@ -3470,9 +3470,13 @@ static int cap_put_caller(struct snd_kcontrol *kcontrol,
+ if (!path || !path->ctls[type])
+ continue;
+ kcontrol->private_value = path->ctls[type];
+- err = func(kcontrol, ucontrol);
+- if (err < 0)
++ ret = func(kcontrol, ucontrol);
++ if (ret < 0) {
++ err = ret;
+ break;
++ }
++ if (ret > 0)
++ err = 1;
+ }
+ mutex_unlock(&codec->control_mutex);
+ if (err >= 0 && spec->cap_sync_hook)
+--
+2.30.2
+
--- /dev/null
+From 1be3a2226fa0dff139dd99ac6b231ae9d6e0900e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 14 Aug 2021 15:46:05 -0700
+Subject: ALSA: hda/realtek: Enable 4-speaker output for Dell XPS 15 9510
+ laptop
+
+From: Kristin Paget <kristin@tombom.co.uk>
+
+[ Upstream commit da94692001ea45ffa1f5e9f17ecdef7aecd90c27 ]
+
+The 2021-model XPS 15 appears to use the same 4-speakers-on-ALC289 audio
+setup as the Precision models, so requires the same quirk to enable woofer
+output. Tested on my own 9510.
+
+Signed-off-by: Kristin Paget <kristin@tombom.co.uk>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/e1fc95c5-c10a-1f98-a5c2-dd6e336157e1@tombom.co.uk
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 6d8c4dedfe0f..6ab53352fc9b 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -8272,6 +8272,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x1028, 0x0a2e, "Dell", ALC236_FIXUP_DELL_AIO_HEADSET_MIC),
+ SND_PCI_QUIRK(0x1028, 0x0a30, "Dell", ALC236_FIXUP_DELL_AIO_HEADSET_MIC),
+ SND_PCI_QUIRK(0x1028, 0x0a58, "Dell", ALC255_FIXUP_DELL_HEADSET_MIC),
++ SND_PCI_QUIRK(0x1028, 0x0a61, "Dell XPS 15 9510", ALC289_FIXUP_DUAL_SPK),
+ SND_PCI_QUIRK(0x1028, 0x164a, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1028, 0x164b, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x103c, 0x1586, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC2),
+--
+2.30.2
+
--- /dev/null
+From b58d20d7e0c29c220a42842bb08aac964a42457f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Aug 2021 22:41:18 +0800
+Subject: ALSA: hda/realtek: Limit mic boost on HP ProBook 445 G8
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+[ Upstream commit 8903376dc69949199301b290cc22dc64ae5d8a6d ]
+
+The mic has lots of noises if mic boost is enabled. So disable mic boost
+to get crystal clear audio capture.
+
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210818144119.121738-1-kai.heng.feng@canonical.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 6ab53352fc9b..0c6be8509855 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6598,6 +6598,7 @@ enum {
+ ALC287_FIXUP_IDEAPAD_BASS_SPK_AMP,
+ ALC623_FIXUP_LENOVO_THINKSTATION_P340,
+ ALC255_FIXUP_ACER_HEADPHONE_AND_MIC,
++ ALC236_FIXUP_HP_LIMIT_INT_MIC_BOOST,
+ };
+
+ static const struct hda_fixup alc269_fixups[] = {
+@@ -8182,6 +8183,12 @@ static const struct hda_fixup alc269_fixups[] = {
+ .chained = true,
+ .chain_id = ALC255_FIXUP_XIAOMI_HEADSET_MIC
+ },
++ [ALC236_FIXUP_HP_LIMIT_INT_MIC_BOOST] = {
++ .type = HDA_FIXUP_FUNC,
++ .v.func = alc269_fixup_limit_int_mic_boost,
++ .chained = true,
++ .chain_id = ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF,
++ },
+ };
+
+ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+@@ -8378,8 +8385,8 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x103c, 0x8847, "HP EliteBook x360 830 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x884b, "HP EliteBook 840 Aero G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x884c, "HP EliteBook 840 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
+- SND_PCI_QUIRK(0x103c, 0x8862, "HP ProBook 445 G8 Notebook PC", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
+- SND_PCI_QUIRK(0x103c, 0x8863, "HP ProBook 445 G8 Notebook PC", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
++ SND_PCI_QUIRK(0x103c, 0x8862, "HP ProBook 445 G8 Notebook PC", ALC236_FIXUP_HP_LIMIT_INT_MIC_BOOST),
++ SND_PCI_QUIRK(0x103c, 0x8863, "HP ProBook 445 G8 Notebook PC", ALC236_FIXUP_HP_LIMIT_INT_MIC_BOOST),
+ SND_PCI_QUIRK(0x103c, 0x886d, "HP ZBook Fury 17.3 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),
+ SND_PCI_QUIRK(0x103c, 0x8870, "HP ZBook Fury 15.6 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),
+ SND_PCI_QUIRK(0x103c, 0x8873, "HP ZBook Studio 15.6 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),
+--
+2.30.2
+
--- /dev/null
+From 06e6be4112ba4d86bc8dd37bbd13db80a7f52aed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Aug 2021 07:24:32 +0200
+Subject: ALSA: hda/via: Apply runtime PM workaround for ASUS B23E
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 4bf61ad5f0204b67ba570da6e5c052c2095e29df ]
+
+ASUS B23E requires the same workaround like other machines with
+VT1802, otherwise it looses the codec power on a few nodes and the
+sound kept silence.
+
+Fixes: a0645daf1610 ("ALSA: HDA: Early Forbid of runtime PM")
+Link: https://lore.kernel.org/r/ac2232f142efcd67fe6ac38897f704f7176bd200.camel@gmail.com
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210817052432.14751-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_via.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/pci/hda/patch_via.c b/sound/pci/hda/patch_via.c
+index a5c1a2c4eae4..773a136161f1 100644
+--- a/sound/pci/hda/patch_via.c
++++ b/sound/pci/hda/patch_via.c
+@@ -1041,6 +1041,7 @@ static const struct hda_fixup via_fixups[] = {
+ };
+
+ static const struct snd_pci_quirk vt2002p_fixups[] = {
++ SND_PCI_QUIRK(0x1043, 0x13f7, "Asus B23E", VIA_FIXUP_POWER_SAVE),
+ SND_PCI_QUIRK(0x1043, 0x1487, "Asus G75", VIA_FIXUP_ASUS_G75),
+ SND_PCI_QUIRK(0x1043, 0x8532, "Asus X202E", VIA_FIXUP_INTMIC_BOOST),
+ SND_PCI_QUIRK_VENDOR(0x1558, "Clevo", VIA_FIXUP_POWER_SAVE),
+--
+2.30.2
+
--- /dev/null
+From 21352d2a7981b1513ed0c9fd41735488bcfdd889 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 23:17:55 +0000
+Subject: arm64: clean vdso & vdso32 files
+
+From: Andrew Delgadillo <adelg@google.com>
+
+[ Upstream commit 017f5fb9ce793e3558db94ee72068622bc0b79db ]
+
+commit a5b8ca97fbf8 ("arm64: do not descend to vdso directories twice")
+changes the cleaning behavior of arm64's vdso files, in that vdso.lds,
+vdso.so, and vdso.so.dbg are not removed upon a 'make clean/mrproper':
+
+$ make defconfig ARCH=arm64
+$ make ARCH=arm64
+$ make mrproper ARCH=arm64
+$ git clean -nxdf
+Would remove arch/arm64/kernel/vdso/vdso.lds
+Would remove arch/arm64/kernel/vdso/vdso.so
+Would remove arch/arm64/kernel/vdso/vdso.so.dbg
+
+To remedy this, manually descend into arch/arm64/kernel/vdso upon
+cleaning.
+
+After this commit:
+$ make defconfig ARCH=arm64
+$ make ARCH=arm64
+$ make mrproper ARCH=arm64
+$ git clean -nxdf
+<empty>
+
+Similar results are obtained for the vdso32 equivalent.
+
+Signed-off-by: Andrew Delgadillo <adelg@google.com>
+Cc: stable@vger.kernel.org
+Fixes: a5b8ca97fbf8 ("arm64: do not descend to vdso directories twice")
+Link: https://lore.kernel.org/r/20210810231755.1743524-1-adelg@google.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/Makefile | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile
+index b52481f0605d..02997b253dee 100644
+--- a/arch/arm64/Makefile
++++ b/arch/arm64/Makefile
+@@ -181,6 +181,8 @@ archprepare:
+ # We use MRPROPER_FILES and CLEAN_FILES now
+ archclean:
+ $(Q)$(MAKE) $(clean)=$(boot)
++ $(Q)$(MAKE) $(clean)=arch/arm64/kernel/vdso
++ $(Q)$(MAKE) $(clean)=arch/arm64/kernel/vdso32
+
+ ifeq ($(KBUILD_EXTMOD),)
+ # We need to generate vdso-offsets.h before compiling certain files in kernel/.
+--
+2.30.2
+
--- /dev/null
+From 3d248768ae4ed63d0ad491c5b285bcc1b18cfaac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Aug 2021 17:29:45 +0200
+Subject: ASoC: intel: atom: Fix breakage for PCM buffer address setup
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 65ca89c2b12cca0d473f3dd54267568ad3af55cc ]
+
+The commit 2e6b836312a4 ("ASoC: intel: atom: Fix reference to PCM
+buffer address") changed the reference of PCM buffer address to
+substream->runtime->dma_addr as the buffer address may change
+dynamically. However, I forgot that the dma_addr field is still not
+set up for the CONTINUOUS buffer type (that this driver uses) yet in
+5.14 and earlier kernels, and it resulted in garbage I/O. The problem
+will be fixed in 5.15, but we need to address it quickly for now.
+
+The fix is to deduce the address again from the DMA pointer with
+virt_to_phys(), but from the right one, substream->runtime->dma_area.
+
+Fixes: 2e6b836312a4 ("ASoC: intel: atom: Fix reference to PCM buffer address")
+Reported-and-tested-by: Hans de Goede <hdegoede@redhat.com>
+Cc: <stable@vger.kernel.org>
+Acked-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/2048c6aa-2187-46bd-6772-36a4fb3c5aeb@redhat.com
+Link: https://lore.kernel.org/r/20210819152945.8510-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/atom/sst-mfld-platform-pcm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/intel/atom/sst-mfld-platform-pcm.c b/sound/soc/intel/atom/sst-mfld-platform-pcm.c
+index 5db2f4865bbb..905c7965f653 100644
+--- a/sound/soc/intel/atom/sst-mfld-platform-pcm.c
++++ b/sound/soc/intel/atom/sst-mfld-platform-pcm.c
+@@ -127,7 +127,7 @@ static void sst_fill_alloc_params(struct snd_pcm_substream *substream,
+ snd_pcm_uframes_t period_size;
+ ssize_t periodbytes;
+ ssize_t buffer_bytes = snd_pcm_lib_buffer_bytes(substream);
+- u32 buffer_addr = substream->runtime->dma_addr;
++ u32 buffer_addr = virt_to_phys(substream->runtime->dma_area);
+
+ channels = substream->runtime->channels;
+ period_size = substream->runtime->period_size;
+--
+2.30.2
+
--- /dev/null
+From 7c427c85a8d273299a237870e00495a52afd33a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Aug 2021 14:26:24 +1000
+Subject: btrfs: prevent rename2 from exchanging a subvol with a directory from
+ different parents
+
+From: NeilBrown <neilb@suse.de>
+
+[ Upstream commit 3f79f6f6247c83f448c8026c3ee16d4636ef8d4f ]
+
+Cross-rename lacks a check when that would prevent exchanging a
+directory and subvolume from different parent subvolume. This causes
+data inconsistencies and is caught before commit by tree-checker,
+turning the filesystem to read-only.
+
+Calling the renameat2 with RENAME_EXCHANGE flags like
+
+ renameat2(AT_FDCWD, namesrc, AT_FDCWD, namedest, (1 << 1))
+
+on two paths:
+
+ namesrc = dir1/subvol1/dir2
+ namedest = subvol2/subvol3
+
+will cause key order problem with following write time tree-checker
+report:
+
+ [1194842.307890] BTRFS critical (device loop1): corrupt leaf: root=5 block=27574272 slot=10 ino=258, invalid previous key objectid, have 257 expect 258
+ [1194842.322221] BTRFS info (device loop1): leaf 27574272 gen 8 total ptrs 11 free space 15444 owner 5
+ [1194842.331562] BTRFS info (device loop1): refs 2 lock_owner 0 current 26561
+ [1194842.338772] item 0 key (256 1 0) itemoff 16123 itemsize 160
+ [1194842.338793] inode generation 3 size 16 mode 40755
+ [1194842.338801] item 1 key (256 12 256) itemoff 16111 itemsize 12
+ [1194842.338809] item 2 key (256 84 2248503653) itemoff 16077 itemsize 34
+ [1194842.338817] dir oid 258 type 2
+ [1194842.338823] item 3 key (256 84 2363071922) itemoff 16043 itemsize 34
+ [1194842.338830] dir oid 257 type 2
+ [1194842.338836] item 4 key (256 96 2) itemoff 16009 itemsize 34
+ [1194842.338843] item 5 key (256 96 3) itemoff 15975 itemsize 34
+ [1194842.338852] item 6 key (257 1 0) itemoff 15815 itemsize 160
+ [1194842.338863] inode generation 6 size 8 mode 40755
+ [1194842.338869] item 7 key (257 12 256) itemoff 15801 itemsize 14
+ [1194842.338876] item 8 key (257 84 2505409169) itemoff 15767 itemsize 34
+ [1194842.338883] dir oid 256 type 2
+ [1194842.338888] item 9 key (257 96 2) itemoff 15733 itemsize 34
+ [1194842.338895] item 10 key (258 12 256) itemoff 15719 itemsize 14
+ [1194842.339163] BTRFS error (device loop1): block=27574272 write time tree block corruption detected
+ [1194842.339245] ------------[ cut here ]------------
+ [1194842.443422] WARNING: CPU: 6 PID: 26561 at fs/btrfs/disk-io.c:449 csum_one_extent_buffer+0xed/0x100 [btrfs]
+ [1194842.511863] CPU: 6 PID: 26561 Comm: kworker/u17:2 Not tainted 5.14.0-rc3-git+ #793
+ [1194842.511870] Hardware name: empty empty/S3993, BIOS PAQEX0-3 02/24/2008
+ [1194842.511876] Workqueue: btrfs-worker-high btrfs_work_helper [btrfs]
+ [1194842.511976] RIP: 0010:csum_one_extent_buffer+0xed/0x100 [btrfs]
+ [1194842.512068] RSP: 0018:ffffa2c284d77da0 EFLAGS: 00010282
+ [1194842.512074] RAX: 0000000000000000 RBX: 0000000000001000 RCX: ffff928867bd9978
+ [1194842.512078] RDX: 0000000000000000 RSI: 0000000000000027 RDI: ffff928867bd9970
+ [1194842.512081] RBP: ffff92876b958000 R08: 0000000000000001 R09: 00000000000c0003
+ [1194842.512085] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
+ [1194842.512088] R13: ffff92875f989f98 R14: 0000000000000000 R15: 0000000000000000
+ [1194842.512092] FS: 0000000000000000(0000) GS:ffff928867a00000(0000) knlGS:0000000000000000
+ [1194842.512095] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [1194842.512099] CR2: 000055f5384da1f0 CR3: 0000000102fe4000 CR4: 00000000000006e0
+ [1194842.512103] Call Trace:
+ [1194842.512128] ? run_one_async_free+0x10/0x10 [btrfs]
+ [1194842.631729] btree_csum_one_bio+0x1ac/0x1d0 [btrfs]
+ [1194842.631837] run_one_async_start+0x18/0x30 [btrfs]
+ [1194842.631938] btrfs_work_helper+0xd5/0x1d0 [btrfs]
+ [1194842.647482] process_one_work+0x262/0x5e0
+ [1194842.647520] worker_thread+0x4c/0x320
+ [1194842.655935] ? process_one_work+0x5e0/0x5e0
+ [1194842.655946] kthread+0x135/0x160
+ [1194842.655953] ? set_kthread_struct+0x40/0x40
+ [1194842.655965] ret_from_fork+0x1f/0x30
+ [1194842.672465] irq event stamp: 1729
+ [1194842.672469] hardirqs last enabled at (1735): [<ffffffffbd1104f5>] console_trylock_spinning+0x185/0x1a0
+ [1194842.672477] hardirqs last disabled at (1740): [<ffffffffbd1104cc>] console_trylock_spinning+0x15c/0x1a0
+ [1194842.672482] softirqs last enabled at (1666): [<ffffffffbdc002e1>] __do_softirq+0x2e1/0x50a
+ [1194842.672491] softirqs last disabled at (1651): [<ffffffffbd08aab7>] __irq_exit_rcu+0xa7/0xd0
+
+The corrupted data will not be written, and filesystem can be unmounted
+and mounted again (all changes since the last commit will be lost).
+
+Add the missing check for new_ino so that all non-subvolumes must reside
+under the same parent subvolume. There's an exception allowing to
+exchange two subvolumes from any parents as the directory representing a
+subvolume is only a logical link and does not have any other structures
+related to the parent subvolume, unlike files, directories etc, that
+are always in the inode namespace of the parent subvolume.
+
+Fixes: cdd1fedf8261 ("btrfs: add support for RENAME_EXCHANGE and RENAME_WHITEOUT")
+CC: stable@vger.kernel.org # 4.7+
+Reviewed-by: Nikolay Borisov <nborisov@suse.com>
+Signed-off-by: NeilBrown <neilb@suse.de>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/inode.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
+index 272eff4441bc..5d188d5af6fa 100644
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -9191,8 +9191,14 @@ static int btrfs_rename_exchange(struct inode *old_dir,
+ bool dest_log_pinned = false;
+ bool need_abort = false;
+
+- /* we only allow rename subvolume link between subvolumes */
+- if (old_ino != BTRFS_FIRST_FREE_OBJECTID && root != dest)
++ /*
++ * For non-subvolumes allow exchange only within one subvolume, in the
++ * same inode namespace. Two subvolumes (represented as directory) can
++ * be exchanged as they're a logical link and have a fixed inode number.
++ */
++ if (root != dest &&
++ (old_ino != BTRFS_FIRST_FREE_OBJECTID ||
++ new_ino != BTRFS_FIRST_FREE_OBJECTID))
+ return -EXDEV;
+
+ /* close the race window with snapshot create/destroy ioctl */
+--
+2.30.2
+
--- /dev/null
+From b0989d5b35ba3861cda068affc91e13bee27c473 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Aug 2021 08:59:14 -0700
+Subject: cfi: Use rcu_read_{un}lock_sched_notrace
+
+From: Elliot Berman <quic_eberman@quicinc.com>
+
+[ Upstream commit 14c4c8e41511aa8fba7fb239b20b6539b5bce201 ]
+
+If rcu_read_lock_sched tracing is enabled, the tracing subsystem can
+perform a jump which needs to be checked by CFI. For example, stm_ftrace
+source is enabled as a module and hooks into enabled ftrace events. This
+can cause an recursive loop where find_shadow_check_fn ->
+rcu_read_lock_sched -> (call to stm_ftrace generates cfi slowpath) ->
+find_shadow_check_fn -> rcu_read_lock_sched -> ...
+
+To avoid the recursion, either the ftrace codes needs to be marked with
+__no_cfi or CFI should not trace. Use the "_notrace" in CFI to avoid
+tracing so that CFI can guard ftrace.
+
+Signed-off-by: Elliot Berman <quic_eberman@quicinc.com>
+Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
+Cc: stable@vger.kernel.org
+Fixes: cf68fffb66d6 ("add support for Clang CFI")
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/20210811155914.19550-1-quic_eberman@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/cfi.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/cfi.c b/kernel/cfi.c
+index e17a56639766..9594cfd1cf2c 100644
+--- a/kernel/cfi.c
++++ b/kernel/cfi.c
+@@ -248,9 +248,9 @@ static inline cfi_check_fn find_shadow_check_fn(unsigned long ptr)
+ {
+ cfi_check_fn fn;
+
+- rcu_read_lock_sched();
++ rcu_read_lock_sched_notrace();
+ fn = ptr_to_check_fn(rcu_dereference_sched(cfi_shadow), ptr);
+- rcu_read_unlock_sched();
++ rcu_read_unlock_sched_notrace();
+
+ return fn;
+ }
+@@ -269,11 +269,11 @@ static inline cfi_check_fn find_module_check_fn(unsigned long ptr)
+ cfi_check_fn fn = NULL;
+ struct module *mod;
+
+- rcu_read_lock_sched();
++ rcu_read_lock_sched_notrace();
+ mod = __module_address(ptr);
+ if (mod)
+ fn = mod->cfi_check;
+- rcu_read_unlock_sched();
++ rcu_read_unlock_sched_notrace();
+
+ return fn;
+ }
+--
+2.30.2
+
--- /dev/null
+From 7cbeb6063b2f1f4ce804ff54516171b6f2920fb9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Jul 2021 16:54:38 +0800
+Subject: clk: imx6q: fix uart earlycon unwork
+
+From: Dong Aisheng <aisheng.dong@nxp.com>
+
+[ Upstream commit 283f1b9a0401859c53fdd6483ab66f1c4fadaea5 ]
+
+The earlycon depends on the bootloader setup UART clocks being retained.
+There're actually two uart clocks (ipg, per) on MX6QDL,
+but the 'Fixes' commit change to register only one which means
+another clock may be disabled during booting phase
+and result in the earlycon unwork.
+
+Cc: stable@vger.kernel.org # v5.10+
+Fixes: 379c9a24cc23 ("clk: imx: Fix reparenting of UARTs not associated with stdout")
+Signed-off-by: Dong Aisheng <aisheng.dong@nxp.com>
+Link: https://lore.kernel.org/r/20210702085438.1988087-1-aisheng.dong@nxp.com
+Reviewed-by: Abel Vesa <abel.vesa@nxp.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/imx/clk-imx6q.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/imx/clk-imx6q.c b/drivers/clk/imx/clk-imx6q.c
+index 496900de0b0b..de36f58d551c 100644
+--- a/drivers/clk/imx/clk-imx6q.c
++++ b/drivers/clk/imx/clk-imx6q.c
+@@ -974,6 +974,6 @@ static void __init imx6q_clocks_init(struct device_node *ccm_node)
+ hws[IMX6QDL_CLK_PLL3_USB_OTG]->clk);
+ }
+
+- imx_register_uart_clocks(1);
++ imx_register_uart_clocks(2);
+ }
+ CLK_OF_DECLARE(imx6q, "fsl,imx6q-ccm", imx6q_clocks_init);
+--
+2.30.2
+
--- /dev/null
+From 63fe4d3ad9ad9a48aa2bc1491dda8d3c68733e27 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jul 2021 15:40:56 -0700
+Subject: clk: qcom: gdsc: Ensure regulator init state matches GDSC state
+
+From: Bjorn Andersson <bjorn.andersson@linaro.org>
+
+[ Upstream commit 9711759a87a041705148161b937ec847048d882e ]
+
+As GDSCs are registered and found to be already enabled gdsc_init()
+ensures that 1) the kernel state matches the hardware state, and 2)
+votable GDSCs are properly enabled from this master as well.
+
+But as the (optional) supply regulator is enabled deep into
+gdsc_toggle_logic(), which is only executed for votable GDSCs, the
+kernel's state of the regulator might not match the hardware. The
+regulator might be automatically turned off if no other users are
+present or the next call to gdsc_disable() would cause an unbalanced
+regulator_disable().
+
+Given that the votable case deals with an already enabled GDSC, most of
+gdsc_enable() and gdsc_toggle_logic() can be skipped. Reduce it to just
+clearing the SW_COLLAPSE_MASK and enabling hardware control to simply
+call regulator_enable() in both cases.
+
+The enablement of hardware control seems to be an independent property
+from the GDSC being enabled, so this is moved outside that conditional
+segment.
+
+Lastly, as the propagation of ALWAYS_ON to GENPD_FLAG_ALWAYS_ON needs to
+happen regardless of the initial state this is grouped together with the
+other sc->pd updates at the end of the function.
+
+Cc: stable@vger.kernel.org
+Fixes: 37416e554961 ("clk: qcom: gdsc: Handle GDSC regulator supplies")
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Link: https://lore.kernel.org/r/20210721224056.3035016-1-bjorn.andersson@linaro.org
+[sboyd@kernel.org: Rephrase commit text]
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/gdsc.c | 54 +++++++++++++++++++++++++++--------------
+ 1 file changed, 36 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/clk/qcom/gdsc.c b/drivers/clk/qcom/gdsc.c
+index 51ed640e527b..4ece326ea233 100644
+--- a/drivers/clk/qcom/gdsc.c
++++ b/drivers/clk/qcom/gdsc.c
+@@ -357,27 +357,43 @@ static int gdsc_init(struct gdsc *sc)
+ if (on < 0)
+ return on;
+
+- /*
+- * Votable GDSCs can be ON due to Vote from other masters.
+- * If a Votable GDSC is ON, make sure we have a Vote.
+- */
+- if ((sc->flags & VOTABLE) && on)
+- gdsc_enable(&sc->pd);
++ if (on) {
++ /* The regulator must be on, sync the kernel state */
++ if (sc->rsupply) {
++ ret = regulator_enable(sc->rsupply);
++ if (ret < 0)
++ return ret;
++ }
+
+- /*
+- * Make sure the retain bit is set if the GDSC is already on, otherwise
+- * we end up turning off the GDSC and destroying all the register
+- * contents that we thought we were saving.
+- */
+- if ((sc->flags & RETAIN_FF_ENABLE) && on)
+- gdsc_retain_ff_on(sc);
++ /*
++ * Votable GDSCs can be ON due to Vote from other masters.
++ * If a Votable GDSC is ON, make sure we have a Vote.
++ */
++ if (sc->flags & VOTABLE) {
++ ret = regmap_update_bits(sc->regmap, sc->gdscr,
++ SW_COLLAPSE_MASK, val);
++ if (ret)
++ return ret;
++ }
++
++ /* Turn on HW trigger mode if supported */
++ if (sc->flags & HW_CTRL) {
++ ret = gdsc_hwctrl(sc, true);
++ if (ret < 0)
++ return ret;
++ }
+
+- /* If ALWAYS_ON GDSCs are not ON, turn them ON */
+- if (sc->flags & ALWAYS_ON) {
+- if (!on)
+- gdsc_enable(&sc->pd);
++ /*
++ * Make sure the retain bit is set if the GDSC is already on,
++ * otherwise we end up turning off the GDSC and destroying all
++ * the register contents that we thought we were saving.
++ */
++ if (sc->flags & RETAIN_FF_ENABLE)
++ gdsc_retain_ff_on(sc);
++ } else if (sc->flags & ALWAYS_ON) {
++ /* If ALWAYS_ON GDSCs are not ON, turn them ON */
++ gdsc_enable(&sc->pd);
+ on = true;
+- sc->pd.flags |= GENPD_FLAG_ALWAYS_ON;
+ }
+
+ if (on || (sc->pwrsts & PWRSTS_RET))
+@@ -385,6 +401,8 @@ static int gdsc_init(struct gdsc *sc)
+ else
+ gdsc_clear_mem_on(sc);
+
++ if (sc->flags & ALWAYS_ON)
++ sc->pd.flags |= GENPD_FLAG_ALWAYS_ON;
+ if (!sc->pd.power_off)
+ sc->pd.power_off = gdsc_disable;
+ if (!sc->pd.power_on)
+--
+2.30.2
+
--- /dev/null
+From 9d244f3e38afd9f46a5b9b44582fa8a8c3d6aa7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Aug 2021 09:29:50 -0400
+Subject: fs: warn about impending deprecation of mandatory locks
+
+From: Jeff Layton <jlayton@kernel.org>
+
+[ Upstream commit fdd92b64d15bc4aec973caa25899afd782402e68 ]
+
+We've had CONFIG_MANDATORY_FILE_LOCKING since 2015 and a lot of distros
+have disabled it. Warn the stragglers that still use "-o mand" that
+we'll be dropping support for that mount option.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/namespace.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/fs/namespace.c b/fs/namespace.c
+index caad091fb204..03770bae9dd5 100644
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -1716,8 +1716,12 @@ static inline bool may_mount(void)
+ }
+
+ #ifdef CONFIG_MANDATORY_FILE_LOCKING
+-static inline bool may_mandlock(void)
++static bool may_mandlock(void)
+ {
++ pr_warn_once("======================================================\n"
++ "WARNING: the mand mount option is being deprecated and\n"
++ " will be removed in v5.15!\n"
++ "======================================================\n");
+ return capable(CAP_SYS_ADMIN);
+ }
+ #else
+--
+2.30.2
+
--- /dev/null
+From 4bdbec65684aeda1a9a19844006daaf717cb35de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Aug 2021 19:04:33 -0700
+Subject: hugetlb: don't pass page cache pages to restore_reserve_on_error
+
+From: Mike Kravetz <mike.kravetz@oracle.com>
+
+[ Upstream commit c7b1850dfb41d0b4154aca8dbc04777fbd75616f ]
+
+syzbot hit kernel BUG at fs/hugetlbfs/inode.c:532 as described in [1].
+This BUG triggers if the HPageRestoreReserve flag is set on a page in
+the page cache. It should never be set, as the routine
+huge_add_to_page_cache explicitly clears the flag after adding a page to
+the cache.
+
+The only code other than huge page allocation which sets the flag is
+restore_reserve_on_error. It will potentially set the flag in rare out
+of memory conditions. syzbot was injecting errors to cause memory
+allocation errors which exercised this specific path.
+
+The code in restore_reserve_on_error is doing the right thing. However,
+there are instances where pages in the page cache were being passed to
+restore_reserve_on_error. This is incorrect, as once a page goes into
+the cache reservation information will not be modified for the page
+until it is removed from the cache. Error paths do not remove pages
+from the cache, so even in the case of error, the page will remain in
+the cache and no reservation adjustment is needed.
+
+Modify routines that potentially call restore_reserve_on_error with a
+page cache page to no longer do so.
+
+Note on fixes tag: Prior to commit 846be08578ed ("mm/hugetlb: expand
+restore_reserve_on_error functionality") the routine would not process
+page cache pages because the HPageRestoreReserve flag is not set on such
+pages. Therefore, this issue could not be trigggered. The code added
+by commit 846be08578ed ("mm/hugetlb: expand restore_reserve_on_error
+functionality") is needed and correct. It exposed incorrect calls to
+restore_reserve_on_error which is the root cause addressed by this
+commit.
+
+[1] https://lore.kernel.org/linux-mm/00000000000050776d05c9b7c7f0@google.com/
+
+Link: https://lkml.kernel.org/r/20210818213304.37038-1-mike.kravetz@oracle.com
+Fixes: 846be08578ed ("mm/hugetlb: expand restore_reserve_on_error functionality")
+Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
+Reported-by: <syzbot+67654e51e54455f1c585@syzkaller.appspotmail.com>
+Cc: Mina Almasry <almasrymina@google.com>
+Cc: Axel Rasmussen <axelrasmussen@google.com>
+Cc: Peter Xu <peterx@redhat.com>
+Cc: Muchun Song <songmuchun@bytedance.com>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: Naoya Horiguchi <naoya.horiguchi@linux.dev>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/hugetlb.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/mm/hugetlb.c b/mm/hugetlb.c
+index 6e35481a0a6b..6ad419e7e0a4 100644
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -2286,7 +2286,7 @@ void restore_reserve_on_error(struct hstate *h, struct vm_area_struct *vma,
+ if (!rc) {
+ /*
+ * This indicates there is an entry in the reserve map
+- * added by alloc_huge_page. We know it was added
++ * not added by alloc_huge_page. We know it was added
+ * before the alloc_huge_page call, otherwise
+ * HPageRestoreReserve would be set on the page.
+ * Remove the entry so that a subsequent allocation
+@@ -4465,7 +4465,9 @@ static vm_fault_t hugetlb_cow(struct mm_struct *mm, struct vm_area_struct *vma,
+ spin_unlock(ptl);
+ mmu_notifier_invalidate_range_end(&range);
+ out_release_all:
+- restore_reserve_on_error(h, vma, haddr, new_page);
++ /* No restore in case of successful pagetable update (Break COW) */
++ if (new_page != old_page)
++ restore_reserve_on_error(h, vma, haddr, new_page);
+ put_page(new_page);
+ out_release_old:
+ put_page(old_page);
+@@ -4581,7 +4583,7 @@ static vm_fault_t hugetlb_no_page(struct mm_struct *mm,
+ pte_t new_pte;
+ spinlock_t *ptl;
+ unsigned long haddr = address & huge_page_mask(h);
+- bool new_page = false;
++ bool new_page, new_pagecache_page = false;
+
+ /*
+ * Currently, we are forced to kill the process in the event the
+@@ -4604,6 +4606,7 @@ static vm_fault_t hugetlb_no_page(struct mm_struct *mm,
+ goto out;
+
+ retry:
++ new_page = false;
+ page = find_lock_page(mapping, idx);
+ if (!page) {
+ /* Check for page in userfault range */
+@@ -4647,6 +4650,7 @@ static vm_fault_t hugetlb_no_page(struct mm_struct *mm,
+ goto retry;
+ goto out;
+ }
++ new_pagecache_page = true;
+ } else {
+ lock_page(page);
+ if (unlikely(anon_vma_prepare(vma))) {
+@@ -4731,7 +4735,9 @@ static vm_fault_t hugetlb_no_page(struct mm_struct *mm,
+ spin_unlock(ptl);
+ backout_unlocked:
+ unlock_page(page);
+- restore_reserve_on_error(h, vma, haddr, page);
++ /* restore reserve for newly allocated pages not in page cache */
++ if (new_page && !new_pagecache_page)
++ restore_reserve_on_error(h, vma, haddr, page);
+ put_page(page);
+ goto out;
+ }
+@@ -4940,6 +4946,7 @@ int hugetlb_mcopy_atomic_pte(struct mm_struct *dst_mm,
+ int ret;
+ struct page *page;
+ int writable;
++ bool new_pagecache_page = false;
+
+ mapping = dst_vma->vm_file->f_mapping;
+ idx = vma_hugecache_offset(h, dst_vma, dst_addr);
+@@ -5004,6 +5011,7 @@ int hugetlb_mcopy_atomic_pte(struct mm_struct *dst_mm,
+ ret = huge_add_to_page_cache(page, mapping, idx);
+ if (ret)
+ goto out_release_nounlock;
++ new_pagecache_page = true;
+ }
+
+ ptl = huge_pte_lockptr(h, dst_mm, dst_pte);
+@@ -5067,7 +5075,8 @@ int hugetlb_mcopy_atomic_pte(struct mm_struct *dst_mm,
+ if (vm_shared || is_continue)
+ unlock_page(page);
+ out_release_nounlock:
+- restore_reserve_on_error(h, dst_vma, dst_addr, page);
++ if (!new_pagecache_page)
++ restore_reserve_on_error(h, dst_vma, dst_addr, page);
+ put_page(page);
+ goto out;
+ }
+--
+2.30.2
+
--- /dev/null
+From 7a8ba1dc61486cb06d24d9a36cee316ed06b1daa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Jun 2021 15:09:57 +0100
+Subject: io_uring: fix code style problems
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+[ Upstream commit fe7e325750299126b9cc86d3071af594b46c4518 ]
+
+Fix a bunch of problems mostly found by checkpatch.pl
+
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Link: https://lore.kernel.org/r/cfaf9a2f27b43934144fe9422a916bd327099f44.1624543113.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/io_uring.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/fs/io_uring.c b/fs/io_uring.c
+index 0a5f105c657c..00746109e0c8 100644
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -165,7 +165,7 @@ struct io_rings {
+ * Written by the application, shouldn't be modified by the
+ * kernel.
+ */
+- u32 cq_flags;
++ u32 cq_flags;
+ /*
+ * Number of completion events lost because the queue was full;
+ * this should be avoided by the application by making sure
+@@ -850,7 +850,7 @@ struct io_kiocb {
+ struct hlist_node hash_node;
+ struct async_poll *apoll;
+ struct io_wq_work work;
+- const struct cred *creds;
++ const struct cred *creds;
+
+ /* store used ubuf, so we can prevent reloading */
+ struct io_mapped_ubuf *imu;
+@@ -1721,7 +1721,7 @@ static struct io_kiocb *io_alloc_req(struct io_ring_ctx *ctx)
+ {
+ struct io_submit_state *state = &ctx->submit_state;
+
+- BUILD_BUG_ON(IO_REQ_ALLOC_BATCH > ARRAY_SIZE(state->reqs));
++ BUILD_BUG_ON(ARRAY_SIZE(state->reqs) < IO_REQ_ALLOC_BATCH);
+
+ if (!state->free_reqs) {
+ gfp_t gfp = GFP_KERNEL | __GFP_NOWARN;
+@@ -2778,7 +2778,7 @@ static void kiocb_done(struct kiocb *kiocb, ssize_t ret,
+ else
+ io_rw_done(kiocb, ret);
+
+- if (check_reissue && req->flags & REQ_F_REISSUE) {
++ if (check_reissue && (req->flags & REQ_F_REISSUE)) {
+ req->flags &= ~REQ_F_REISSUE;
+ if (io_resubmit_prep(req)) {
+ req_ref_get(req);
+@@ -3608,7 +3608,7 @@ static int io_shutdown(struct io_kiocb *req, unsigned int issue_flags)
+ static int __io_splice_prep(struct io_kiocb *req,
+ const struct io_uring_sqe *sqe)
+ {
+- struct io_splice* sp = &req->splice;
++ struct io_splice *sp = &req->splice;
+ unsigned int valid_flags = SPLICE_F_FD_IN_FIXED | SPLICE_F_ALL;
+
+ if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
+@@ -3662,7 +3662,7 @@ static int io_tee(struct io_kiocb *req, unsigned int issue_flags)
+
+ static int io_splice_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
+ {
+- struct io_splice* sp = &req->splice;
++ struct io_splice *sp = &req->splice;
+
+ sp->off_in = READ_ONCE(sqe->splice_off_in);
+ sp->off_out = READ_ONCE(sqe->off);
+@@ -8563,6 +8563,7 @@ static int io_eventfd_register(struct io_ring_ctx *ctx, void __user *arg)
+ ctx->cq_ev_fd = eventfd_ctx_fdget(fd);
+ if (IS_ERR(ctx->cq_ev_fd)) {
+ int ret = PTR_ERR(ctx->cq_ev_fd);
++
+ ctx->cq_ev_fd = NULL;
+ return ret;
+ }
+@@ -9362,9 +9363,8 @@ SYSCALL_DEFINE6(io_uring_enter, unsigned int, fd, u32, to_submit,
+ io_cqring_overflow_flush(ctx, false);
+
+ ret = -EOWNERDEAD;
+- if (unlikely(ctx->sq_data->thread == NULL)) {
++ if (unlikely(ctx->sq_data->thread == NULL))
+ goto out;
+- }
+ if (flags & IORING_ENTER_SQ_WAKEUP)
+ wake_up(&ctx->sq_data->wait);
+ if (flags & IORING_ENTER_SQ_WAIT) {
+--
+2.30.2
+
--- /dev/null
+From 8fff17ee89ab3c60f9214a71426a37e2797ef7e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Aug 2021 14:53:59 -0600
+Subject: io_uring: fix xa_alloc_cycle() error return value check
+
+From: Jens Axboe <axboe@kernel.dk>
+
+[ Upstream commit a30f895ad3239f45012e860d4f94c1a388b36d14 ]
+
+We currently check for ret != 0 to indicate error, but '1' is a valid
+return and just indicates that the allocation succeeded with a wrap.
+Correct the check to be for < 0, like it was before the xarray
+conversion.
+
+Cc: stable@vger.kernel.org
+Fixes: 61cf93700fe6 ("io_uring: Convert personality_idr to XArray")
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/io_uring.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/fs/io_uring.c b/fs/io_uring.c
+index 221b80ae831f..9df82eee440a 100644
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -9835,10 +9835,11 @@ static int io_register_personality(struct io_ring_ctx *ctx)
+
+ ret = xa_alloc_cyclic(&ctx->personalities, &id, (void *)creds,
+ XA_LIMIT(0, USHRT_MAX), &ctx->pers_next, GFP_KERNEL);
+- if (!ret)
+- return id;
+- put_cred(creds);
+- return ret;
++ if (ret < 0) {
++ put_cred(creds);
++ return ret;
++ }
++ return id;
+ }
+
+ static int io_register_restrictions(struct io_ring_ctx *ctx, void __user *arg,
+--
+2.30.2
+
--- /dev/null
+From ecbbeca9362ae9b584d56d7ec907e65381c3f181 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 14 Aug 2021 09:04:40 -0600
+Subject: io_uring: only assign io_uring_enter() SQPOLL error in actual error
+ case
+
+From: Jens Axboe <axboe@kernel.dk>
+
+[ Upstream commit 21f965221e7c42609521342403e8fb91b8b3e76e ]
+
+If an SQPOLL based ring is newly created and an application issues an
+io_uring_enter(2) system call on it, then we can return a spurious
+-EOWNERDEAD error. This happens because there's nothing to submit, and
+if the caller doesn't specify any other action, the initial error
+assignment of -EOWNERDEAD never gets overwritten. This causes us to
+return it directly, even if it isn't valid.
+
+Move the error assignment into the actual failure case instead.
+
+Cc: stable@vger.kernel.org
+Fixes: d9d05217cb69 ("io_uring: stop SQPOLL submit on creator's death")
+Reported-by: Sherlock Holo sherlockya@gmail.com
+Link: https://github.com/axboe/liburing/issues/413
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/io_uring.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/fs/io_uring.c b/fs/io_uring.c
+index 00746109e0c8..221b80ae831f 100644
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -9362,9 +9362,10 @@ SYSCALL_DEFINE6(io_uring_enter, unsigned int, fd, u32, to_submit,
+ if (ctx->flags & IORING_SETUP_SQPOLL) {
+ io_cqring_overflow_flush(ctx, false);
+
+- ret = -EOWNERDEAD;
+- if (unlikely(ctx->sq_data->thread == NULL))
++ if (unlikely(ctx->sq_data->thread == NULL)) {
++ ret = -EOWNERDEAD;
+ goto out;
++ }
+ if (flags & IORING_ENTER_SQ_WAKEUP)
+ wake_up(&ctx->sq_data->wait);
+ if (flags & IORING_ENTER_SQ_WAIT) {
+--
+2.30.2
+
--- /dev/null
+From 6182250028c2c601bca089f06964074d54618290 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Jul 2021 22:05:52 -0300
+Subject: iommu/dma: Fix leak in non-contiguous API
+
+From: Ezequiel Garcia <ezequiel@collabora.com>
+
+[ Upstream commit 0fbea680540108b09db7b26d9f4d24236d58a6ad ]
+
+Currently, iommu_dma_alloc_noncontiguous() allocates a
+struct dma_sgt_handle object to hold some state needed for
+iommu_dma_free_noncontiguous().
+
+However, the handle is neither freed nor returned explicitly by
+the ->alloc_noncontiguous method, and therefore seems leaked.
+This was found by code inspection, so please review carefully and test.
+
+As a side note, it appears the struct dma_sgt_handle type is exposed
+to users of the DMA-API by linux/dma-map-ops.h, but is has no users
+or functions returning the type explicitly.
+
+This may indicate it's a good idea to move the struct dma_sgt_handle type
+to drivers/iommu/dma-iommu.c. The decision is left to maintainers :-)
+
+Cc: stable@vger.kernel.org
+Fixes: e817ee5f2f95c ("dma-iommu: implement ->alloc_noncontiguous")
+Signed-off-by: Ezequiel Garcia <ezequiel@collabora.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20210723010552.50969-1-ezequiel@collabora.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/dma-iommu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/iommu/dma-iommu.c b/drivers/iommu/dma-iommu.c
+index 5d96fcc45fec..698707699327 100644
+--- a/drivers/iommu/dma-iommu.c
++++ b/drivers/iommu/dma-iommu.c
+@@ -768,6 +768,7 @@ static void iommu_dma_free_noncontiguous(struct device *dev, size_t size,
+ __iommu_dma_unmap(dev, sgt->sgl->dma_address, size);
+ __iommu_dma_free_pages(sh->pages, PAGE_ALIGN(size) >> PAGE_SHIFT);
+ sg_free_table(&sh->sgt);
++ kfree(sh);
+ }
+ #endif /* CONFIG_DMA_REMAP */
+
+--
+2.30.2
+
--- /dev/null
+From aba13e1c50afecc829e661fbbfb2fcd92db127d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 18:03:18 +0800
+Subject: ipack: tpci200: fix many double free issues in tpci200_pci_probe
+
+From: Dongliang Mu <mudongliangabcd@gmail.com>
+
+[ Upstream commit 57a1681095f912239c7fb4d66683ab0425973838 ]
+
+The function tpci200_register called by tpci200_install and
+tpci200_unregister called by tpci200_uninstall are in pair. However,
+tpci200_unregister has some cleanup operations not in the
+tpci200_register. So the error handling code of tpci200_pci_probe has
+many different double free issues.
+
+Fix this problem by moving those cleanup operations out of
+tpci200_unregister, into tpci200_pci_remove and reverting
+the previous commit 9272e5d0028d ("ipack/carriers/tpci200:
+Fix a double free in tpci200_pci_probe").
+
+Fixes: 9272e5d0028d ("ipack/carriers/tpci200: Fix a double free in tpci200_pci_probe")
+Cc: stable@vger.kernel.org
+Reported-by: Dongliang Mu <mudongliangabcd@gmail.com>
+Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
+Link: https://lore.kernel.org/r/20210810100323.3938492-1-mudongliangabcd@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ipack/carriers/tpci200.c | 36 ++++++++++++++++----------------
+ 1 file changed, 18 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/ipack/carriers/tpci200.c b/drivers/ipack/carriers/tpci200.c
+index e1822e87ec3d..33a1b17a2628 100644
+--- a/drivers/ipack/carriers/tpci200.c
++++ b/drivers/ipack/carriers/tpci200.c
+@@ -91,16 +91,13 @@ static void tpci200_unregister(struct tpci200_board *tpci200)
+ free_irq(tpci200->info->pdev->irq, (void *) tpci200);
+
+ pci_iounmap(tpci200->info->pdev, tpci200->info->interface_regs);
+- pci_iounmap(tpci200->info->pdev, tpci200->info->cfg_regs);
+
+ pci_release_region(tpci200->info->pdev, TPCI200_IP_INTERFACE_BAR);
+ pci_release_region(tpci200->info->pdev, TPCI200_IO_ID_INT_SPACES_BAR);
+ pci_release_region(tpci200->info->pdev, TPCI200_MEM16_SPACE_BAR);
+ pci_release_region(tpci200->info->pdev, TPCI200_MEM8_SPACE_BAR);
+- pci_release_region(tpci200->info->pdev, TPCI200_CFG_MEM_BAR);
+
+ pci_disable_device(tpci200->info->pdev);
+- pci_dev_put(tpci200->info->pdev);
+ }
+
+ static void tpci200_enable_irq(struct tpci200_board *tpci200,
+@@ -529,7 +526,7 @@ static int tpci200_pci_probe(struct pci_dev *pdev,
+ tpci200->info = kzalloc(sizeof(struct tpci200_infos), GFP_KERNEL);
+ if (!tpci200->info) {
+ ret = -ENOMEM;
+- goto out_err_info;
++ goto err_tpci200;
+ }
+
+ pci_dev_get(pdev);
+@@ -540,7 +537,7 @@ static int tpci200_pci_probe(struct pci_dev *pdev,
+ if (ret) {
+ dev_err(&pdev->dev, "Failed to allocate PCI Configuration Memory");
+ ret = -EBUSY;
+- goto out_err_pci_request;
++ goto err_tpci200_info;
+ }
+ tpci200->info->cfg_regs = ioremap(
+ pci_resource_start(pdev, TPCI200_CFG_MEM_BAR),
+@@ -548,7 +545,7 @@ static int tpci200_pci_probe(struct pci_dev *pdev,
+ if (!tpci200->info->cfg_regs) {
+ dev_err(&pdev->dev, "Failed to map PCI Configuration Memory");
+ ret = -EFAULT;
+- goto out_err_ioremap;
++ goto err_request_region;
+ }
+
+ /* Disable byte swapping for 16 bit IP module access. This will ensure
+@@ -571,7 +568,7 @@ static int tpci200_pci_probe(struct pci_dev *pdev,
+ if (ret) {
+ dev_err(&pdev->dev, "error during tpci200 install\n");
+ ret = -ENODEV;
+- goto out_err_install;
++ goto err_cfg_regs;
+ }
+
+ /* Register the carrier in the industry pack bus driver */
+@@ -583,7 +580,7 @@ static int tpci200_pci_probe(struct pci_dev *pdev,
+ dev_err(&pdev->dev,
+ "error registering the carrier on ipack driver\n");
+ ret = -EFAULT;
+- goto out_err_bus_register;
++ goto err_tpci200_install;
+ }
+
+ /* save the bus number given by ipack to logging purpose */
+@@ -594,19 +591,16 @@ static int tpci200_pci_probe(struct pci_dev *pdev,
+ tpci200_create_device(tpci200, i);
+ return 0;
+
+-out_err_bus_register:
++err_tpci200_install:
+ tpci200_uninstall(tpci200);
+- /* tpci200->info->cfg_regs is unmapped in tpci200_uninstall */
+- tpci200->info->cfg_regs = NULL;
+-out_err_install:
+- if (tpci200->info->cfg_regs)
+- iounmap(tpci200->info->cfg_regs);
+-out_err_ioremap:
++err_cfg_regs:
++ pci_iounmap(tpci200->info->pdev, tpci200->info->cfg_regs);
++err_request_region:
+ pci_release_region(pdev, TPCI200_CFG_MEM_BAR);
+-out_err_pci_request:
+- pci_dev_put(pdev);
++err_tpci200_info:
+ kfree(tpci200->info);
+-out_err_info:
++ pci_dev_put(pdev);
++err_tpci200:
+ kfree(tpci200);
+ return ret;
+ }
+@@ -616,6 +610,12 @@ static void __tpci200_pci_remove(struct tpci200_board *tpci200)
+ ipack_bus_unregister(tpci200->info->ipack_bus);
+ tpci200_uninstall(tpci200);
+
++ pci_iounmap(tpci200->info->pdev, tpci200->info->cfg_regs);
++
++ pci_release_region(tpci200->info->pdev, TPCI200_CFG_MEM_BAR);
++
++ pci_dev_put(tpci200->info->pdev);
++
+ kfree(tpci200->info);
+ kfree(tpci200);
+ }
+--
+2.30.2
+
--- /dev/null
+From 273085b7dbd9b6a58422034ac15a06509c13e535 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 18:03:19 +0800
+Subject: ipack: tpci200: fix memory leak in the tpci200_register
+
+From: Dongliang Mu <mudongliangabcd@gmail.com>
+
+[ Upstream commit 50f05bd114a46a74726e432bf81079d3f13a55b7 ]
+
+The error handling code in tpci200_register does not free interface_regs
+allocated by ioremap and the current version of error handling code is
+problematic.
+
+Fix this by refactoring the error handling code and free interface_regs
+when necessary.
+
+Fixes: 43986798fd50 ("ipack: add error handling for ioremap_nocache")
+Cc: stable@vger.kernel.org
+Reported-by: Dongliang Mu <mudongliangabcd@gmail.com>
+Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
+Link: https://lore.kernel.org/r/20210810100323.3938492-2-mudongliangabcd@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ipack/carriers/tpci200.c | 24 ++++++++++++++----------
+ 1 file changed, 14 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/ipack/carriers/tpci200.c b/drivers/ipack/carriers/tpci200.c
+index 33a1b17a2628..c1098f40e03f 100644
+--- a/drivers/ipack/carriers/tpci200.c
++++ b/drivers/ipack/carriers/tpci200.c
+@@ -256,7 +256,7 @@ static int tpci200_register(struct tpci200_board *tpci200)
+ "(bn 0x%X, sn 0x%X) failed to allocate PCI resource for BAR 2 !",
+ tpci200->info->pdev->bus->number,
+ tpci200->info->pdev->devfn);
+- goto out_disable_pci;
++ goto err_disable_device;
+ }
+
+ /* Request IO ID INT space (Bar 3) */
+@@ -268,7 +268,7 @@ static int tpci200_register(struct tpci200_board *tpci200)
+ "(bn 0x%X, sn 0x%X) failed to allocate PCI resource for BAR 3 !",
+ tpci200->info->pdev->bus->number,
+ tpci200->info->pdev->devfn);
+- goto out_release_ip_space;
++ goto err_ip_interface_bar;
+ }
+
+ /* Request MEM8 space (Bar 5) */
+@@ -279,7 +279,7 @@ static int tpci200_register(struct tpci200_board *tpci200)
+ "(bn 0x%X, sn 0x%X) failed to allocate PCI resource for BAR 5!",
+ tpci200->info->pdev->bus->number,
+ tpci200->info->pdev->devfn);
+- goto out_release_ioid_int_space;
++ goto err_io_id_int_spaces_bar;
+ }
+
+ /* Request MEM16 space (Bar 4) */
+@@ -290,7 +290,7 @@ static int tpci200_register(struct tpci200_board *tpci200)
+ "(bn 0x%X, sn 0x%X) failed to allocate PCI resource for BAR 4!",
+ tpci200->info->pdev->bus->number,
+ tpci200->info->pdev->devfn);
+- goto out_release_mem8_space;
++ goto err_mem8_space_bar;
+ }
+
+ /* Map internal tpci200 driver user space */
+@@ -304,7 +304,7 @@ static int tpci200_register(struct tpci200_board *tpci200)
+ tpci200->info->pdev->bus->number,
+ tpci200->info->pdev->devfn);
+ res = -ENOMEM;
+- goto out_release_mem8_space;
++ goto err_mem16_space_bar;
+ }
+
+ /* Initialize lock that protects interface_regs */
+@@ -343,18 +343,22 @@ static int tpci200_register(struct tpci200_board *tpci200)
+ "(bn 0x%X, sn 0x%X) unable to register IRQ !",
+ tpci200->info->pdev->bus->number,
+ tpci200->info->pdev->devfn);
+- goto out_release_ioid_int_space;
++ goto err_interface_regs;
+ }
+
+ return 0;
+
+-out_release_mem8_space:
++err_interface_regs:
++ pci_iounmap(tpci200->info->pdev, tpci200->info->interface_regs);
++err_mem16_space_bar:
++ pci_release_region(tpci200->info->pdev, TPCI200_MEM16_SPACE_BAR);
++err_mem8_space_bar:
+ pci_release_region(tpci200->info->pdev, TPCI200_MEM8_SPACE_BAR);
+-out_release_ioid_int_space:
++err_io_id_int_spaces_bar:
+ pci_release_region(tpci200->info->pdev, TPCI200_IO_ID_INT_SPACES_BAR);
+-out_release_ip_space:
++err_ip_interface_bar:
+ pci_release_region(tpci200->info->pdev, TPCI200_IP_INTERFACE_BAR);
+-out_disable_pci:
++err_disable_device:
+ pci_disable_device(tpci200->info->pdev);
+ return res;
+ }
+--
+2.30.2
+
--- /dev/null
+From 08a26464dc770d6e5ac68e668160a30c62aa268a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Aug 2021 19:04:30 -0700
+Subject: kfence: fix is_kfence_address() for addresses below KFENCE_POOL_SIZE
+
+From: Marco Elver <elver@google.com>
+
+[ Upstream commit a7cb5d23eaea148f8582229846f8dfff192f05c3 ]
+
+Originally the addr != NULL check was meant to take care of the case
+where __kfence_pool == NULL (KFENCE is disabled). However, this does
+not work for addresses where addr > 0 && addr < KFENCE_POOL_SIZE.
+
+This can be the case on NULL-deref where addr > 0 && addr < PAGE_SIZE or
+any other faulting access with addr < KFENCE_POOL_SIZE. While the
+kernel would likely crash, the stack traces and report might be
+confusing due to double faults upon KFENCE's attempt to unprotect such
+an address.
+
+Fix it by just checking that __kfence_pool != NULL instead.
+
+Link: https://lkml.kernel.org/r/20210818130300.2482437-1-elver@google.com
+Fixes: 0ce20dd84089 ("mm: add Kernel Electric-Fence infrastructure")
+Signed-off-by: Marco Elver <elver@google.com>
+Reported-by: Kuan-Ying Lee <Kuan-Ying.Lee@mediatek.com>
+Acked-by: Alexander Potapenko <glider@google.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: <stable@vger.kernel.org> [5.12+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/kfence.h | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/kfence.h b/include/linux/kfence.h
+index a70d1ea03532..3fe6dd8a18c1 100644
+--- a/include/linux/kfence.h
++++ b/include/linux/kfence.h
+@@ -51,10 +51,11 @@ extern atomic_t kfence_allocation_gate;
+ static __always_inline bool is_kfence_address(const void *addr)
+ {
+ /*
+- * The non-NULL check is required in case the __kfence_pool pointer was
+- * never initialized; keep it in the slow-path after the range-check.
++ * The __kfence_pool != NULL check is required to deal with the case
++ * where __kfence_pool == NULL && addr < KFENCE_POOL_SIZE. Keep it in
++ * the slow-path after the range-check!
+ */
+- return unlikely((unsigned long)((char *)addr - __kfence_pool) < KFENCE_POOL_SIZE && addr);
++ return unlikely((unsigned long)((char *)addr - __kfence_pool) < KFENCE_POOL_SIZE && __kfence_pool);
+ }
+
+ /**
+--
+2.30.2
+
--- /dev/null
+From 266084e6da40fe6941a4cfa65d4b812cb5d16a26 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Jun 2021 19:43:17 -0700
+Subject: mm,hwpoison: make get_hwpoison_page() call get_any_page()
+
+From: Naoya Horiguchi <naoya.horiguchi@nec.com>
+
+[ Upstream commit 0ed950d1f28142ccd9a9453c60df87853530d778 ]
+
+__get_hwpoison_page() could fail to grab refcount by some race condition,
+so it's helpful if we can handle it by retrying. We already have retry
+logic, so make get_hwpoison_page() call get_any_page() when called from
+memory_failure().
+
+As a result, get_hwpoison_page() can return negative values (i.e. error
+code), so some callers are also changed to handle error cases.
+soft_offline_page() does nothing for -EBUSY because that's enough and
+users in userspace can easily handle it. unpoison_memory() is also
+unchanged because it's broken and need thorough fixes (will be done
+later).
+
+Link: https://lkml.kernel.org/r/20210603233632.2964832-3-nao.horiguchi@gmail.com
+Signed-off-by: Naoya Horiguchi <naoya.horiguchi@nec.com>
+Cc: Oscar Salvador <osalvador@suse.de>
+Cc: Muchun Song <songmuchun@bytedance.com>
+Cc: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: Tony Luck <tony.luck@intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/hugetlb.c | 2 +
+ mm/memory-failure.c | 194 +++++++++++++++++++++++++-------------------
+ 2 files changed, 111 insertions(+), 85 deletions(-)
+
+diff --git a/mm/hugetlb.c b/mm/hugetlb.c
+index 8363f737d5ad..6e35481a0a6b 100644
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -5930,6 +5930,8 @@ int get_hwpoison_huge_page(struct page *page, bool *hugetlb)
+ *hugetlb = true;
+ if (HPageFreed(page) || HPageMigratable(page))
+ ret = get_page_unless_zero(page);
++ else
++ ret = -EBUSY;
+ }
+ spin_unlock_irq(&hugetlb_lock);
+ return ret;
+diff --git a/mm/memory-failure.c b/mm/memory-failure.c
+index 6f5f78885ab4..18e83150194a 100644
+--- a/mm/memory-failure.c
++++ b/mm/memory-failure.c
+@@ -974,13 +974,6 @@ static inline bool HWPoisonHandlable(struct page *page)
+ return PageLRU(page) || __PageMovable(page);
+ }
+
+-/**
+- * __get_hwpoison_page() - Get refcount for memory error handling:
+- * @page: raw error page (hit by memory error)
+- *
+- * Return: return 0 if failed to grab the refcount, otherwise true (some
+- * non-zero value.)
+- */
+ static int __get_hwpoison_page(struct page *page)
+ {
+ struct page *head = compound_head(page);
+@@ -1025,15 +1018,6 @@ static int __get_hwpoison_page(struct page *page)
+ return 0;
+ }
+
+-/*
+- * Safely get reference count of an arbitrary page.
+- *
+- * Returns 0 for a free page, 1 for an in-use page,
+- * -EIO for a page-type we cannot handle and -EBUSY if we raced with an
+- * allocation.
+- * We only incremented refcount in case the page was already in-use and it
+- * is a known type we can handle.
+- */
+ static int get_any_page(struct page *p, unsigned long flags)
+ {
+ int ret = 0, pass = 0;
+@@ -1043,50 +1027,77 @@ static int get_any_page(struct page *p, unsigned long flags)
+ count_increased = true;
+
+ try_again:
+- if (!count_increased && !__get_hwpoison_page(p)) {
+- if (page_count(p)) {
+- /* We raced with an allocation, retry. */
+- if (pass++ < 3)
+- goto try_again;
+- ret = -EBUSY;
+- } else if (!PageHuge(p) && !is_free_buddy_page(p)) {
+- /* We raced with put_page, retry. */
++ if (!count_increased) {
++ ret = __get_hwpoison_page(p);
++ if (!ret) {
++ if (page_count(p)) {
++ /* We raced with an allocation, retry. */
++ if (pass++ < 3)
++ goto try_again;
++ ret = -EBUSY;
++ } else if (!PageHuge(p) && !is_free_buddy_page(p)) {
++ /* We raced with put_page, retry. */
++ if (pass++ < 3)
++ goto try_again;
++ ret = -EIO;
++ }
++ goto out;
++ } else if (ret == -EBUSY) {
++ /* We raced with freeing huge page to buddy, retry. */
+ if (pass++ < 3)
+ goto try_again;
+- ret = -EIO;
++ goto out;
+ }
++ }
++
++ if (PageHuge(p) || HWPoisonHandlable(p)) {
++ ret = 1;
+ } else {
+- if (PageHuge(p) || HWPoisonHandlable(p)) {
+- ret = 1;
+- } else {
+- /*
+- * A page we cannot handle. Check whether we can turn
+- * it into something we can handle.
+- */
+- if (pass++ < 3) {
+- put_page(p);
+- shake_page(p, 1);
+- count_increased = false;
+- goto try_again;
+- }
++ /*
++ * A page we cannot handle. Check whether we can turn
++ * it into something we can handle.
++ */
++ if (pass++ < 3) {
+ put_page(p);
+- ret = -EIO;
++ shake_page(p, 1);
++ count_increased = false;
++ goto try_again;
+ }
++ put_page(p);
++ ret = -EIO;
+ }
+-
++out:
+ return ret;
+ }
+
+-static int get_hwpoison_page(struct page *p, unsigned long flags,
+- enum mf_flags ctxt)
++/**
++ * get_hwpoison_page() - Get refcount for memory error handling
++ * @p: Raw error page (hit by memory error)
++ * @flags: Flags controlling behavior of error handling
++ *
++ * get_hwpoison_page() takes a page refcount of an error page to handle memory
++ * error on it, after checking that the error page is in a well-defined state
++ * (defined as a page-type we can successfully handle the memor error on it,
++ * such as LRU page and hugetlb page).
++ *
++ * Memory error handling could be triggered at any time on any type of page,
++ * so it's prone to race with typical memory management lifecycle (like
++ * allocation and free). So to avoid such races, get_hwpoison_page() takes
++ * extra care for the error page's state (as done in __get_hwpoison_page()),
++ * and has some retry logic in get_any_page().
++ *
++ * Return: 0 on failure,
++ * 1 on success for in-use pages in a well-defined state,
++ * -EIO for pages on which we can not handle memory errors,
++ * -EBUSY when get_hwpoison_page() has raced with page lifecycle
++ * operations like allocation and free.
++ */
++static int get_hwpoison_page(struct page *p, unsigned long flags)
+ {
+ int ret;
+
+ zone_pcp_disable(page_zone(p));
+- if (ctxt == MF_SOFT_OFFLINE)
+- ret = get_any_page(p, flags);
+- else
+- ret = __get_hwpoison_page(p);
++ ret = get_any_page(p, flags);
+ zone_pcp_enable(page_zone(p));
+
+ return ret;
+@@ -1272,27 +1283,33 @@ static int memory_failure_hugetlb(unsigned long pfn, int flags)
+
+ num_poisoned_pages_inc();
+
+- if (!(flags & MF_COUNT_INCREASED) && !get_hwpoison_page(p, flags, 0)) {
+- /*
+- * Check "filter hit" and "race with other subpage."
+- */
+- lock_page(head);
+- if (PageHWPoison(head)) {
+- if ((hwpoison_filter(p) && TestClearPageHWPoison(p))
+- || (p != head && TestSetPageHWPoison(head))) {
+- num_poisoned_pages_dec();
+- unlock_page(head);
+- return 0;
++ if (!(flags & MF_COUNT_INCREASED)) {
++ res = get_hwpoison_page(p, flags);
++ if (!res) {
++ /*
++ * Check "filter hit" and "race with other subpage."
++ */
++ lock_page(head);
++ if (PageHWPoison(head)) {
++ if ((hwpoison_filter(p) && TestClearPageHWPoison(p))
++ || (p != head && TestSetPageHWPoison(head))) {
++ num_poisoned_pages_dec();
++ unlock_page(head);
++ return 0;
++ }
+ }
++ unlock_page(head);
++ res = MF_FAILED;
++ if (!dissolve_free_huge_page(p) && take_page_off_buddy(p)) {
++ page_ref_inc(p);
++ res = MF_RECOVERED;
++ }
++ action_result(pfn, MF_MSG_FREE_HUGE, res);
++ return res == MF_RECOVERED ? 0 : -EBUSY;
++ } else if (res < 0) {
++ action_result(pfn, MF_MSG_UNKNOWN, MF_IGNORED);
++ return -EBUSY;
+ }
+- unlock_page(head);
+- res = MF_FAILED;
+- if (!dissolve_free_huge_page(p) && take_page_off_buddy(p)) {
+- page_ref_inc(p);
+- res = MF_RECOVERED;
+- }
+- action_result(pfn, MF_MSG_FREE_HUGE, res);
+- return res == MF_RECOVERED ? 0 : -EBUSY;
+ }
+
+ lock_page(head);
+@@ -1493,28 +1510,35 @@ int memory_failure(unsigned long pfn, int flags)
+ * In fact it's dangerous to directly bump up page count from 0,
+ * that may make page_ref_freeze()/page_ref_unfreeze() mismatch.
+ */
+- if (!(flags & MF_COUNT_INCREASED) && !get_hwpoison_page(p, flags, 0)) {
+- if (is_free_buddy_page(p)) {
+- if (take_page_off_buddy(p)) {
+- page_ref_inc(p);
+- res = MF_RECOVERED;
+- } else {
+- /* We lost the race, try again */
+- if (retry) {
+- ClearPageHWPoison(p);
+- num_poisoned_pages_dec();
+- retry = false;
+- goto try_again;
++ if (!(flags & MF_COUNT_INCREASED)) {
++ res = get_hwpoison_page(p, flags);
++ if (!res) {
++ if (is_free_buddy_page(p)) {
++ if (take_page_off_buddy(p)) {
++ page_ref_inc(p);
++ res = MF_RECOVERED;
++ } else {
++ /* We lost the race, try again */
++ if (retry) {
++ ClearPageHWPoison(p);
++ num_poisoned_pages_dec();
++ retry = false;
++ goto try_again;
++ }
++ res = MF_FAILED;
+ }
+- res = MF_FAILED;
++ action_result(pfn, MF_MSG_BUDDY, res);
++ res = res == MF_RECOVERED ? 0 : -EBUSY;
++ } else {
++ action_result(pfn, MF_MSG_KERNEL_HIGH_ORDER, MF_IGNORED);
++ res = -EBUSY;
+ }
+- action_result(pfn, MF_MSG_BUDDY, res);
+- res = res == MF_RECOVERED ? 0 : -EBUSY;
+- } else {
+- action_result(pfn, MF_MSG_KERNEL_HIGH_ORDER, MF_IGNORED);
++ goto unlock_mutex;
++ } else if (res < 0) {
++ action_result(pfn, MF_MSG_UNKNOWN, MF_IGNORED);
+ res = -EBUSY;
++ goto unlock_mutex;
+ }
+- goto unlock_mutex;
+ }
+
+ if (PageTransHuge(hpage)) {
+@@ -1792,7 +1816,7 @@ int unpoison_memory(unsigned long pfn)
+ return 0;
+ }
+
+- if (!get_hwpoison_page(p, flags, 0)) {
++ if (!get_hwpoison_page(p, flags)) {
+ if (TestClearPageHWPoison(p))
+ num_poisoned_pages_dec();
+ unpoison_pr_info("Unpoison: Software-unpoisoned free page %#lx\n",
+@@ -2008,7 +2032,7 @@ int soft_offline_page(unsigned long pfn, int flags)
+
+ retry:
+ get_online_mems();
+- ret = get_hwpoison_page(page, flags, MF_SOFT_OFFLINE);
++ ret = get_hwpoison_page(page, flags);
+ put_online_mems();
+
+ if (ret > 0) {
+--
+2.30.2
+
--- /dev/null
+From 73c15dd5e5fa65e102f864b2934636d456afe237 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Aug 2021 19:04:24 -0700
+Subject: mm/hwpoison: retry with shake_page() for unhandlable pages
+
+From: Naoya Horiguchi <naoya.horiguchi@nec.com>
+
+[ Upstream commit fcc00621d88b274b5dffd8daeea71d0e4c28b84e ]
+
+HWPoisonHandlable() sometimes returns false for typical user pages due
+to races with average memory events like transfers over LRU lists. This
+causes failures in hwpoison handling.
+
+There's retry code for such a case but does not work because the retry
+loop reaches the retry limit too quickly before the page settles down to
+handlable state. Let get_any_page() call shake_page() to fix it.
+
+[naoya.horiguchi@nec.com: get_any_page(): return -EIO when retry limit reached]
+ Link: https://lkml.kernel.org/r/20210819001958.2365157-1-naoya.horiguchi@linux.dev
+
+Link: https://lkml.kernel.org/r/20210817053703.2267588-1-naoya.horiguchi@linux.dev
+Fixes: 25182f05ffed ("mm,hwpoison: fix race with hugetlb page allocation")
+Signed-off-by: Naoya Horiguchi <naoya.horiguchi@nec.com>
+Reported-by: Tony Luck <tony.luck@intel.com>
+Reviewed-by: Yang Shi <shy828301@gmail.com>
+Cc: Oscar Salvador <osalvador@suse.de>
+Cc: Muchun Song <songmuchun@bytedance.com>
+Cc: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: <stable@vger.kernel.org> [5.13+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/memory-failure.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/mm/memory-failure.c b/mm/memory-failure.c
+index 18e83150194a..624763fdecc5 100644
+--- a/mm/memory-failure.c
++++ b/mm/memory-failure.c
+@@ -990,7 +990,7 @@ static int __get_hwpoison_page(struct page *page)
+ * unexpected races caused by taking a page refcount.
+ */
+ if (!HWPoisonHandlable(head))
+- return 0;
++ return -EBUSY;
+
+ if (PageTransHuge(head)) {
+ /*
+@@ -1043,9 +1043,15 @@ static int get_any_page(struct page *p, unsigned long flags)
+ }
+ goto out;
+ } else if (ret == -EBUSY) {
+- /* We raced with freeing huge page to buddy, retry. */
+- if (pass++ < 3)
++ /*
++ * We raced with (possibly temporary) unhandlable
++ * page, retry.
++ */
++ if (pass++ < 3) {
++ shake_page(p, 1);
+ goto try_again;
++ }
++ ret = -EIO;
+ goto out;
+ }
+ }
+--
+2.30.2
+
--- /dev/null
+From 469a2cce9e8880ef4c199737001dbd18c88548c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Aug 2021 19:04:21 -0700
+Subject: mm: memcontrol: fix occasional OOMs due to proportional memory.low
+ reclaim
+
+From: Johannes Weiner <hannes@cmpxchg.org>
+
+[ Upstream commit f56ce412a59d7d938b81de8878faef128812482c ]
+
+We've noticed occasional OOM killing when memory.low settings are in
+effect for cgroups. This is unexpected and undesirable as memory.low is
+supposed to express non-OOMing memory priorities between cgroups.
+
+The reason for this is proportional memory.low reclaim. When cgroups
+are below their memory.low threshold, reclaim passes them over in the
+first round, and then retries if it couldn't find pages anywhere else.
+But when cgroups are slightly above their memory.low setting, page scan
+force is scaled down and diminished in proportion to the overage, to the
+point where it can cause reclaim to fail as well - only in that case we
+currently don't retry, and instead trigger OOM.
+
+To fix this, hook proportional reclaim into the same retry logic we have
+in place for when cgroups are skipped entirely. This way if reclaim
+fails and some cgroups were scanned with diminished pressure, we'll try
+another full-force cycle before giving up and OOMing.
+
+[akpm@linux-foundation.org: coding-style fixes]
+
+Link: https://lkml.kernel.org/r/20210817180506.220056-1-hannes@cmpxchg.org
+Fixes: 9783aa9917f8 ("mm, memcg: proportional memory.{low,min} reclaim")
+Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
+Reported-by: Leon Yang <lnyng@fb.com>
+Reviewed-by: Rik van Riel <riel@surriel.com>
+Reviewed-by: Shakeel Butt <shakeelb@google.com>
+Acked-by: Roman Gushchin <guro@fb.com>
+Acked-by: Chris Down <chris@chrisdown.name>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Cc: <stable@vger.kernel.org> [5.4+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/memcontrol.h | 29 +++++++++++++++--------------
+ mm/vmscan.c | 27 +++++++++++++++++++--------
+ 2 files changed, 34 insertions(+), 22 deletions(-)
+
+diff --git a/include/linux/memcontrol.h b/include/linux/memcontrol.h
+index c193be760709..63f751faa5c1 100644
+--- a/include/linux/memcontrol.h
++++ b/include/linux/memcontrol.h
+@@ -613,12 +613,15 @@ static inline bool mem_cgroup_disabled(void)
+ return !cgroup_subsys_enabled(memory_cgrp_subsys);
+ }
+
+-static inline unsigned long mem_cgroup_protection(struct mem_cgroup *root,
+- struct mem_cgroup *memcg,
+- bool in_low_reclaim)
++static inline void mem_cgroup_protection(struct mem_cgroup *root,
++ struct mem_cgroup *memcg,
++ unsigned long *min,
++ unsigned long *low)
+ {
++ *min = *low = 0;
++
+ if (mem_cgroup_disabled())
+- return 0;
++ return;
+
+ /*
+ * There is no reclaim protection applied to a targeted reclaim.
+@@ -654,13 +657,10 @@ static inline unsigned long mem_cgroup_protection(struct mem_cgroup *root,
+ *
+ */
+ if (root == memcg)
+- return 0;
+-
+- if (in_low_reclaim)
+- return READ_ONCE(memcg->memory.emin);
++ return;
+
+- return max(READ_ONCE(memcg->memory.emin),
+- READ_ONCE(memcg->memory.elow));
++ *min = READ_ONCE(memcg->memory.emin);
++ *low = READ_ONCE(memcg->memory.elow);
+ }
+
+ void mem_cgroup_calculate_protection(struct mem_cgroup *root,
+@@ -1165,11 +1165,12 @@ static inline void memcg_memory_event_mm(struct mm_struct *mm,
+ {
+ }
+
+-static inline unsigned long mem_cgroup_protection(struct mem_cgroup *root,
+- struct mem_cgroup *memcg,
+- bool in_low_reclaim)
++static inline void mem_cgroup_protection(struct mem_cgroup *root,
++ struct mem_cgroup *memcg,
++ unsigned long *min,
++ unsigned long *low)
+ {
+- return 0;
++ *min = *low = 0;
+ }
+
+ static inline void mem_cgroup_calculate_protection(struct mem_cgroup *root,
+diff --git a/mm/vmscan.c b/mm/vmscan.c
+index 5199b9696bab..f62d81f61b56 100644
+--- a/mm/vmscan.c
++++ b/mm/vmscan.c
+@@ -100,9 +100,12 @@ struct scan_control {
+ unsigned int may_swap:1;
+
+ /*
+- * Cgroups are not reclaimed below their configured memory.low,
+- * unless we threaten to OOM. If any cgroups are skipped due to
+- * memory.low and nothing was reclaimed, go back for memory.low.
++ * Cgroup memory below memory.low is protected as long as we
++ * don't threaten to OOM. If any cgroup is reclaimed at
++ * reduced force or passed over entirely due to its memory.low
++ * setting (memcg_low_skipped), and nothing is reclaimed as a
++ * result, then go back for one more cycle that reclaims the protected
++ * memory (memcg_low_reclaim) to avert OOM.
+ */
+ unsigned int memcg_low_reclaim:1;
+ unsigned int memcg_low_skipped:1;
+@@ -2521,15 +2524,14 @@ static void get_scan_count(struct lruvec *lruvec, struct scan_control *sc,
+ for_each_evictable_lru(lru) {
+ int file = is_file_lru(lru);
+ unsigned long lruvec_size;
++ unsigned long low, min;
+ unsigned long scan;
+- unsigned long protection;
+
+ lruvec_size = lruvec_lru_size(lruvec, lru, sc->reclaim_idx);
+- protection = mem_cgroup_protection(sc->target_mem_cgroup,
+- memcg,
+- sc->memcg_low_reclaim);
++ mem_cgroup_protection(sc->target_mem_cgroup, memcg,
++ &min, &low);
+
+- if (protection) {
++ if (min || low) {
+ /*
+ * Scale a cgroup's reclaim pressure by proportioning
+ * its current usage to its memory.low or memory.min
+@@ -2560,6 +2562,15 @@ static void get_scan_count(struct lruvec *lruvec, struct scan_control *sc,
+ * hard protection.
+ */
+ unsigned long cgroup_size = mem_cgroup_size(memcg);
++ unsigned long protection;
++
++ /* memory.low scaling, make sure we retry before OOM */
++ if (!sc->memcg_low_reclaim && low > min) {
++ protection = low;
++ sc->memcg_low_skipped = 1;
++ } else {
++ protection = min;
++ }
+
+ /* Avoid TOCTOU with earlier protection check */
+ cgroup_size = max(cgroup_size, protection);
+--
+2.30.2
+
--- /dev/null
+From 377652179653f5e80ae5bf842df2597647eb1287 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Jun 2021 12:22:32 +0200
+Subject: mmc: dw_mmc: Fix hang on data CRC error
+
+From: Vincent Whitchurch <vincent.whitchurch@axis.com>
+
+[ Upstream commit 25f8203b4be1937c4939bb98623e67dcfd7da4d1 ]
+
+When a Data CRC interrupt is received, the driver disables the DMA, then
+sends the stop/abort command and then waits for Data Transfer Over.
+
+However, sometimes, when a data CRC error is received in the middle of a
+multi-block write transfer, the Data Transfer Over interrupt is never
+received, and the driver hangs and never completes the request.
+
+The driver sets the BMOD.SWR bit (SDMMC_IDMAC_SWRESET) when stopping the
+DMA, but according to the manual CMD.STOP_ABORT_CMD should be programmed
+"before assertion of SWR". Do these operations in the recommended
+order. With this change the Data Transfer Over is always received
+correctly in my tests.
+
+Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
+Reviewed-by: Jaehoon Chung <jh80.chung@samsung.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20210630102232.16011-1-vincent.whitchurch@axis.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/dw_mmc.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/mmc/host/dw_mmc.c b/drivers/mmc/host/dw_mmc.c
+index d333130d1531..c3229d8c7041 100644
+--- a/drivers/mmc/host/dw_mmc.c
++++ b/drivers/mmc/host/dw_mmc.c
+@@ -2018,8 +2018,8 @@ static void dw_mci_tasklet_func(struct tasklet_struct *t)
+ continue;
+ }
+
+- dw_mci_stop_dma(host);
+ send_stop_abort(host, data);
++ dw_mci_stop_dma(host);
+ state = STATE_SENDING_STOP;
+ break;
+ }
+@@ -2043,10 +2043,10 @@ static void dw_mci_tasklet_func(struct tasklet_struct *t)
+ */
+ if (test_and_clear_bit(EVENT_DATA_ERROR,
+ &host->pending_events)) {
+- dw_mci_stop_dma(host);
+ if (!(host->data_status & (SDMMC_INT_DRTO |
+ SDMMC_INT_EBE)))
+ send_stop_abort(host, data);
++ dw_mci_stop_dma(host);
+ state = STATE_DATA_ERROR;
+ break;
+ }
+@@ -2079,10 +2079,10 @@ static void dw_mci_tasklet_func(struct tasklet_struct *t)
+ */
+ if (test_and_clear_bit(EVENT_DATA_ERROR,
+ &host->pending_events)) {
+- dw_mci_stop_dma(host);
+ if (!(host->data_status & (SDMMC_INT_DRTO |
+ SDMMC_INT_EBE)))
+ send_stop_abort(host, data);
++ dw_mci_stop_dma(host);
+ state = STATE_DATA_ERROR;
+ break;
+ }
+--
+2.30.2
+
--- /dev/null
+From 321279533ec24e0cdd9bfa686a0a0170974d2304 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Jul 2021 16:33:53 +0200
+Subject: mmc: mmci: stm32: Check when the voltage switch procedure should be
+ done
+
+From: Christophe Kerello <christophe.kerello@foss.st.com>
+
+[ Upstream commit d8e193f13b07e6c0ffaa1a999386f1989f2b4c5e ]
+
+If the card has not been power cycled, it may still be using 1.8V
+signaling. This situation is detected in mmc_sd_init_card function and
+should be handled in mmci stm32 variant. The host->pwr_reg variable is
+also correctly protected with spin locks.
+
+Fixes: 94b94a93e355 ("mmc: mmci_sdmmc: Implement signal voltage callbacks")
+Signed-off-by: Christophe Kerello <christophe.kerello@foss.st.com>
+Signed-off-by: Yann Gautier <yann.gautier@foss.st.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20210701143353.13188-1-yann.gautier@foss.st.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/mmci_stm32_sdmmc.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mmc/host/mmci_stm32_sdmmc.c b/drivers/mmc/host/mmci_stm32_sdmmc.c
+index 51db30acf4dc..fdaa11f92fe6 100644
+--- a/drivers/mmc/host/mmci_stm32_sdmmc.c
++++ b/drivers/mmc/host/mmci_stm32_sdmmc.c
+@@ -479,8 +479,9 @@ static int sdmmc_post_sig_volt_switch(struct mmci_host *host,
+ u32 status;
+ int ret = 0;
+
+- if (ios->signal_voltage == MMC_SIGNAL_VOLTAGE_180) {
+- spin_lock_irqsave(&host->lock, flags);
++ spin_lock_irqsave(&host->lock, flags);
++ if (ios->signal_voltage == MMC_SIGNAL_VOLTAGE_180 &&
++ host->pwr_reg & MCI_STM32_VSWITCHEN) {
+ mmci_write_pwrreg(host, host->pwr_reg | MCI_STM32_VSWITCH);
+ spin_unlock_irqrestore(&host->lock, flags);
+
+@@ -492,9 +493,11 @@ static int sdmmc_post_sig_volt_switch(struct mmci_host *host,
+
+ writel_relaxed(MCI_STM32_VSWENDC | MCI_STM32_CKSTOPC,
+ host->base + MMCICLEAR);
++ spin_lock_irqsave(&host->lock, flags);
+ mmci_write_pwrreg(host, host->pwr_reg &
+ ~(MCI_STM32_VSWITCHEN | MCI_STM32_VSWITCH));
+ }
++ spin_unlock_irqrestore(&host->lock, flags);
+
+ return ret;
+ }
+--
+2.30.2
+
--- /dev/null
+From 9898db62a1c2effc073e516510cf14bbd9724112 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Aug 2021 13:06:35 +0200
+Subject: mmc: sdhci-iproc: Cap min clock frequency on BCM2711
+
+From: Nicolas Saenz Julienne <nsaenz@kernel.org>
+
+[ Upstream commit c9107dd0b851777d7e134420baf13a5c5343bc16 ]
+
+There is a known bug on BCM2711's SDHCI core integration where the
+controller will hang when the difference between the core clock and the
+bus clock is too great. Specifically this can be reproduced under the
+following conditions:
+
+- No SD card plugged in, polling thread is running, probing cards at
+ 100 kHz.
+- BCM2711's core clock configured at 500MHz or more.
+
+So set 200 kHz as the minimum clock frequency available for that board.
+
+For more information on the issue see this:
+https://lore.kernel.org/linux-mmc/20210322185816.27582-1-nsaenz@kernel.org/T/#m11f2783a09b581da6b8a15f302625b43a6ecdeca
+
+Fixes: f84e411c85be ("mmc: sdhci-iproc: Add support for emmc2 of the BCM2711")
+Signed-off-by: Nicolas Saenz Julienne <nsaenz@kernel.org>
+Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/1628334401-6577-5-git-send-email-stefan.wahren@i2se.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/sdhci-iproc.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/drivers/mmc/host/sdhci-iproc.c b/drivers/mmc/host/sdhci-iproc.c
+index ddeaf8e1f72f..b9eb2ec61a83 100644
+--- a/drivers/mmc/host/sdhci-iproc.c
++++ b/drivers/mmc/host/sdhci-iproc.c
+@@ -173,6 +173,23 @@ static unsigned int sdhci_iproc_get_max_clock(struct sdhci_host *host)
+ return pltfm_host->clock;
+ }
+
++/*
++ * There is a known bug on BCM2711's SDHCI core integration where the
++ * controller will hang when the difference between the core clock and the bus
++ * clock is too great. Specifically this can be reproduced under the following
++ * conditions:
++ *
++ * - No SD card plugged in, polling thread is running, probing cards at
++ * 100 kHz.
++ * - BCM2711's core clock configured at 500MHz or more
++ *
++ * So we set 200kHz as the minimum clock frequency available for that SoC.
++ */
++static unsigned int sdhci_iproc_bcm2711_get_min_clock(struct sdhci_host *host)
++{
++ return 200000;
++}
++
+ static const struct sdhci_ops sdhci_iproc_ops = {
+ .set_clock = sdhci_set_clock,
+ .get_max_clock = sdhci_iproc_get_max_clock,
+@@ -271,6 +288,7 @@ static const struct sdhci_ops sdhci_iproc_bcm2711_ops = {
+ .set_clock = sdhci_set_clock,
+ .set_power = sdhci_set_power_and_bus_voltage,
+ .get_max_clock = sdhci_iproc_get_max_clock,
++ .get_min_clock = sdhci_iproc_bcm2711_get_min_clock,
+ .set_bus_width = sdhci_set_bus_width,
+ .reset = sdhci_reset,
+ .set_uhs_signaling = sdhci_set_uhs_signaling,
+--
+2.30.2
+
--- /dev/null
+From 60f6318bf1778e5d2dcade10d1eebc6f1c4a76f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Aug 2021 13:06:36 +0200
+Subject: mmc: sdhci-iproc: Set SDHCI_QUIRK_CAP_CLOCK_BASE_BROKEN on BCM2711
+
+From: Nicolas Saenz Julienne <nsaenz@kernel.org>
+
+[ Upstream commit 419dd626e357e89fc9c4e3863592c8b38cfe1571 ]
+
+The controller doesn't seem to pick-up on clock changes, so set the
+SDHCI_QUIRK_CAP_CLOCK_BASE_BROKEN flag to query the clock frequency
+directly from the clock.
+
+Fixes: f84e411c85be ("mmc: sdhci-iproc: Add support for emmc2 of the BCM2711")
+Signed-off-by: Nicolas Saenz Julienne <nsaenz@kernel.org>
+Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/1628334401-6577-6-git-send-email-stefan.wahren@i2se.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/sdhci-iproc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/host/sdhci-iproc.c b/drivers/mmc/host/sdhci-iproc.c
+index b9eb2ec61a83..9f0eef97ebdd 100644
+--- a/drivers/mmc/host/sdhci-iproc.c
++++ b/drivers/mmc/host/sdhci-iproc.c
+@@ -295,7 +295,8 @@ static const struct sdhci_ops sdhci_iproc_bcm2711_ops = {
+ };
+
+ static const struct sdhci_pltfm_data sdhci_bcm2711_pltfm_data = {
+- .quirks = SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12,
++ .quirks = SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12 |
++ SDHCI_QUIRK_CAP_CLOCK_BASE_BROKEN,
+ .ops = &sdhci_iproc_bcm2711_ops,
+ };
+
+--
+2.30.2
+
--- /dev/null
+From d668fd7043c9b873f18ee8c817f65f231312f601 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jul 2021 17:16:14 +0530
+Subject: mmc: sdhci-msm: Update the software timeout value for sdhc
+
+From: Shaik Sajida Bhanu <sbhanu@codeaurora.org>
+
+[ Upstream commit 67b13f3e221ed81b46a657e2b499bf8b20162476 ]
+
+Whenever SDHC run at clock rate 50MHZ or below, the hardware data
+timeout value will be 21.47secs, which is approx. 22secs and we have
+a current software timeout value as 10secs. We have to set software
+timeout value more than the hardware data timeout value to avioid seeing
+the below register dumps.
+
+[ 332.953670] mmc2: Timeout waiting for hardware interrupt.
+[ 332.959608] mmc2: sdhci: ============ SDHCI REGISTER DUMP ===========
+[ 332.966450] mmc2: sdhci: Sys addr: 0x00000000 | Version: 0x00007202
+[ 332.973256] mmc2: sdhci: Blk size: 0x00000200 | Blk cnt: 0x00000001
+[ 332.980054] mmc2: sdhci: Argument: 0x00000000 | Trn mode: 0x00000027
+[ 332.986864] mmc2: sdhci: Present: 0x01f801f6 | Host ctl: 0x0000001f
+[ 332.993671] mmc2: sdhci: Power: 0x00000001 | Blk gap: 0x00000000
+[ 333.000583] mmc2: sdhci: Wake-up: 0x00000000 | Clock: 0x00000007
+[ 333.007386] mmc2: sdhci: Timeout: 0x0000000e | Int stat: 0x00000000
+[ 333.014182] mmc2: sdhci: Int enab: 0x03ff100b | Sig enab: 0x03ff100b
+[ 333.020976] mmc2: sdhci: ACmd stat: 0x00000000 | Slot int: 0x00000000
+[ 333.027771] mmc2: sdhci: Caps: 0x322dc8b2 | Caps_1: 0x0000808f
+[ 333.034561] mmc2: sdhci: Cmd: 0x0000183a | Max curr: 0x00000000
+[ 333.041359] mmc2: sdhci: Resp[0]: 0x00000900 | Resp[1]: 0x00000000
+[ 333.048157] mmc2: sdhci: Resp[2]: 0x00000000 | Resp[3]: 0x00000000
+[ 333.054945] mmc2: sdhci: Host ctl2: 0x00000000
+[ 333.059657] mmc2: sdhci: ADMA Err: 0x00000000 | ADMA Ptr:
+0x0000000ffffff218
+[ 333.067178] mmc2: sdhci_msm: ----------- VENDOR REGISTER DUMP
+-----------
+[ 333.074343] mmc2: sdhci_msm: DLL sts: 0x00000000 | DLL cfg:
+0x6000642c | DLL cfg2: 0x0020a000
+[ 333.083417] mmc2: sdhci_msm: DLL cfg3: 0x00000000 | DLL usr ctl:
+0x00000000 | DDR cfg: 0x80040873
+[ 333.092850] mmc2: sdhci_msm: Vndr func: 0x00008a9c | Vndr func2 :
+0xf88218a8 Vndr func3: 0x02626040
+[ 333.102371] mmc2: sdhci: ============================================
+
+So, set software timeout value more than hardware timeout value.
+
+Signed-off-by: Shaik Sajida Bhanu <sbhanu@codeaurora.org>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/1626435974-14462-1-git-send-email-sbhanu@codeaurora.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/sdhci-msm.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/drivers/mmc/host/sdhci-msm.c b/drivers/mmc/host/sdhci-msm.c
+index e44b7a66b73c..290a14cdc1cf 100644
+--- a/drivers/mmc/host/sdhci-msm.c
++++ b/drivers/mmc/host/sdhci-msm.c
+@@ -2089,6 +2089,23 @@ static void sdhci_msm_cqe_disable(struct mmc_host *mmc, bool recovery)
+ sdhci_cqe_disable(mmc, recovery);
+ }
+
++static void sdhci_msm_set_timeout(struct sdhci_host *host, struct mmc_command *cmd)
++{
++ u32 count, start = 15;
++
++ __sdhci_set_timeout(host, cmd);
++ count = sdhci_readb(host, SDHCI_TIMEOUT_CONTROL);
++ /*
++ * Update software timeout value if its value is less than hardware data
++ * timeout value. Qcom SoC hardware data timeout value was calculated
++ * using 4 * MCLK * 2^(count + 13). where MCLK = 1 / host->clock.
++ */
++ if (cmd && cmd->data && host->clock > 400000 &&
++ host->clock <= 50000000 &&
++ ((1 << (count + start)) > (10 * host->clock)))
++ host->data_timeout = 22LL * NSEC_PER_SEC;
++}
++
+ static const struct cqhci_host_ops sdhci_msm_cqhci_ops = {
+ .enable = sdhci_msm_cqe_enable,
+ .disable = sdhci_msm_cqe_disable,
+@@ -2438,6 +2455,7 @@ static const struct sdhci_ops sdhci_msm_ops = {
+ .irq = sdhci_msm_cqe_irq,
+ .dump_vendor_regs = sdhci_msm_dump_vendor_regs,
+ .set_power = sdhci_set_power_noreg,
++ .set_timeout = sdhci_msm_set_timeout,
+ };
+
+ static const struct sdhci_pltfm_data sdhci_msm_pdata = {
+--
+2.30.2
+
--- /dev/null
+From e4e6b423d56c5d791b01468af753ae56f43f4ca0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Aug 2021 19:43:44 +0300
+Subject: opp: Drop empty-table checks from _put functions
+
+From: Dmitry Osipenko <digetx@gmail.com>
+
+[ Upstream commit c3ddfe66d2bb511f7fbcdc8e64952c7859e7e69d ]
+
+The current_opp is released only when whole OPP table is released,
+otherwise it's only marked as removed by dev_pm_opp_remove_table().
+Functions like dev_pm_opp_put_clkname() and dev_pm_opp_put_supported_hw()
+are checking whether OPP table is empty and it's not if current_opp is
+set since it holds the refcount of OPP, this produces a noisy warning
+from these functions about busy OPP table. Remove the checks to fix it.
+
+Cc: stable@vger.kernel.org
+Fixes: 81c4d8a3c414 ("opp: Keep track of currently programmed OPP")
+Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/opp/core.c | 15 ---------------
+ 1 file changed, 15 deletions(-)
+
+diff --git a/drivers/opp/core.c b/drivers/opp/core.c
+index e366218d6736..4c23b5736c77 100644
+--- a/drivers/opp/core.c
++++ b/drivers/opp/core.c
+@@ -1846,9 +1846,6 @@ void dev_pm_opp_put_supported_hw(struct opp_table *opp_table)
+ if (unlikely(!opp_table))
+ return;
+
+- /* Make sure there are no concurrent readers while updating opp_table */
+- WARN_ON(!list_empty(&opp_table->opp_list));
+-
+ kfree(opp_table->supported_hw);
+ opp_table->supported_hw = NULL;
+ opp_table->supported_hw_count = 0;
+@@ -1934,9 +1931,6 @@ void dev_pm_opp_put_prop_name(struct opp_table *opp_table)
+ if (unlikely(!opp_table))
+ return;
+
+- /* Make sure there are no concurrent readers while updating opp_table */
+- WARN_ON(!list_empty(&opp_table->opp_list));
+-
+ kfree(opp_table->prop_name);
+ opp_table->prop_name = NULL;
+
+@@ -2046,9 +2040,6 @@ void dev_pm_opp_put_regulators(struct opp_table *opp_table)
+ if (!opp_table->regulators)
+ goto put_opp_table;
+
+- /* Make sure there are no concurrent readers while updating opp_table */
+- WARN_ON(!list_empty(&opp_table->opp_list));
+-
+ if (opp_table->enabled) {
+ for (i = opp_table->regulator_count - 1; i >= 0; i--)
+ regulator_disable(opp_table->regulators[i]);
+@@ -2168,9 +2159,6 @@ void dev_pm_opp_put_clkname(struct opp_table *opp_table)
+ if (unlikely(!opp_table))
+ return;
+
+- /* Make sure there are no concurrent readers while updating opp_table */
+- WARN_ON(!list_empty(&opp_table->opp_list));
+-
+ clk_put(opp_table->clk);
+ opp_table->clk = ERR_PTR(-EINVAL);
+
+@@ -2269,9 +2257,6 @@ void dev_pm_opp_unregister_set_opp_helper(struct opp_table *opp_table)
+ if (unlikely(!opp_table))
+ return;
+
+- /* Make sure there are no concurrent readers while updating opp_table */
+- WARN_ON(!list_empty(&opp_table->opp_list));
+-
+ opp_table->set_opp = NULL;
+
+ mutex_lock(&opp_table->lock);
+--
+2.30.2
+
--- /dev/null
+From 0c8432c16fb1e2c0ede82b92e280812a8b0d5f27 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jul 2021 22:58:58 -0400
+Subject: PCI: Increase D3 delay for AMD Renoir/Cezanne XHCI
+
+From: Marcin Bachry <hegel666@gmail.com>
+
+[ Upstream commit e0bff43220925b7e527f9d3bc9f5c624177c959e ]
+
+The Renoir XHCI controller apparently doesn't resume reliably with the
+standard D3hot-to-D0 delay. Increase it to 20ms.
+
+[Alex: I talked to the AMD USB hardware team and the AMD Windows team and
+they are not aware of any HW errata or specific issues. The HW works fine
+in Windows. I was told Windows uses a rather generous default delay of
+100ms for PCI state transitions.]
+
+Link: https://lore.kernel.org/r/20210722025858.220064-1-alexander.deucher@amd.com
+Signed-off-by: Marcin Bachry <hegel666@gmail.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org
+Cc: Mario Limonciello <mario.limonciello@amd.com>
+Cc: Prike Liang <prike.liang@amd.com>
+Cc: Shyam Sundar S K <shyam-sundar.s-k@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/quirks.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
+index 6d74386eadc2..ab3de1551b50 100644
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -1900,6 +1900,7 @@ static void quirk_ryzen_xhci_d3hot(struct pci_dev *dev)
+ }
+ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_AMD, 0x15e0, quirk_ryzen_xhci_d3hot);
+ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_AMD, 0x15e1, quirk_ryzen_xhci_d3hot);
++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_AMD, 0x1639, quirk_ryzen_xhci_d3hot);
+
+ #ifdef CONFIG_X86_IO_APIC
+ static int dmi_disable_ioapicreroute(const struct dmi_system_id *d)
+--
+2.30.2
+
--- /dev/null
+From bee8557c00b6d9d2bf72c0f50cc449e19a342a06 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Aug 2021 06:49:29 +0000
+Subject: powerpc/32s: Fix random crashes by adding isync() after
+ locking/unlocking KUEP
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit ef486bf448a057a6e2d50e40ae879f7add6585da ]
+
+Commit b5efec00b671 ("powerpc/32s: Move KUEP locking/unlocking in C")
+removed the 'isync' instruction after adding/removing NX bit in user
+segments. The reasoning behind this change was that when setting the
+NX bit we don't mind it taking effect with delay as the kernel never
+executes text from userspace, and when clearing the NX bit this is
+to return to userspace and then the 'rfi' should synchronise the
+context.
+
+However, it looks like on book3s/32 having a hash page table, at least
+on the G3 processor, we get an unexpected fault from userspace, then
+this is followed by something wrong in the verification of MSR_PR
+at end of another interrupt.
+
+This is fixed by adding back the removed isync() following update
+of NX bit in user segment registers. Only do it for cores with an
+hash table, as 603 cores don't exhibit that problem and the two isync
+increase ./null_syscall selftest by 6 cycles on an MPC 832x.
+
+First problem: unexpected WARN_ON() for mysterious PROTFAULT
+
+ WARNING: CPU: 0 PID: 1660 at arch/powerpc/mm/fault.c:354 do_page_fault+0x6c/0x5b0
+ Modules linked in:
+ CPU: 0 PID: 1660 Comm: Xorg Not tainted 5.13.0-pmac-00028-gb3c15b60339a #40
+ NIP: c001b5c8 LR: c001b6f8 CTR: 00000000
+ REGS: e2d09e40 TRAP: 0700 Not tainted (5.13.0-pmac-00028-gb3c15b60339a)
+ MSR: 00021032 <ME,IR,DR,RI> CR: 42d04f30 XER: 20000000
+ GPR00: c000424c e2d09f00 c301b680 e2d09f40 0000001e 42000000 00cba028 00000000
+ GPR08: 08000000 48000010 c301b680 e2d09f30 22d09f30 00c1fff0 00cba000 a7b7ba4c
+ GPR16: 00000031 00000000 00000000 00000000 00000000 00000000 a7b7b0d0 00c5c010
+ GPR24: a7b7b64c a7b7d2f0 00000004 00000000 c1efa6c0 00cba02c 00000300 e2d09f40
+ NIP [c001b5c8] do_page_fault+0x6c/0x5b0
+ LR [c001b6f8] do_page_fault+0x19c/0x5b0
+ Call Trace:
+ [e2d09f00] [e2d09f04] 0xe2d09f04 (unreliable)
+ [e2d09f30] [c000424c] DataAccess_virt+0xd4/0xe4
+ --- interrupt: 300 at 0xa7a261dc
+ NIP: a7a261dc LR: a7a253bc CTR: 00000000
+ REGS: e2d09f40 TRAP: 0300 Not tainted (5.13.0-pmac-00028-gb3c15b60339a)
+ MSR: 0000d032 <EE,PR,ME,IR,DR,RI> CR: 228428e2 XER: 20000000
+ DAR: 00cba02c DSISR: 42000000
+ GPR00: a7a27448 afa6b0e0 a74c35c0 a7b7b614 0000001e a7b7b614 00cba028 00000000
+ GPR08: 00020fd9 00000031 00cb9ff8 a7a273b0 220028e2 00c1fff0 00cba000 a7b7ba4c
+ GPR16: 00000031 00000000 00000000 00000000 00000000 00000000 a7b7b0d0 00c5c010
+ GPR24: a7b7b64c a7b7d2f0 00000004 00000002 0000001e a7b7b614 a7b7aff4 00000030
+ NIP [a7a261dc] 0xa7a261dc
+ LR [a7a253bc] 0xa7a253bc
+ --- interrupt: 300
+ Instruction dump:
+ 7c4a1378 810300a0 75278410 83820298 83a300a4 553b018c 551e0036 4082038c
+ 2e1b0000 40920228 75280800 41820220 <0fe00000> 3b600000 41920214 81420594
+
+Second problem: MSR PR is seen unset allthough the interrupt frame shows it set
+
+ kernel BUG at arch/powerpc/kernel/interrupt.c:458!
+ Oops: Exception in kernel mode, sig: 5 [#1]
+ BE PAGE_SIZE=4K MMU=Hash SMP NR_CPUS=2 PowerMac
+ Modules linked in:
+ CPU: 0 PID: 1660 Comm: Xorg Tainted: G W 5.13.0-pmac-00028-gb3c15b60339a #40
+ NIP: c0011434 LR: c001629c CTR: 00000000
+ REGS: e2d09e70 TRAP: 0700 Tainted: G W (5.13.0-pmac-00028-gb3c15b60339a)
+ MSR: 00029032 <EE,ME,IR,DR,RI> CR: 42d09f30 XER: 00000000
+ GPR00: 00000000 e2d09f30 c301b680 e2d09f40 83440000 c44d0e68 e2d09e8c 00000000
+ GPR08: 00000002 00dc228a 00004000 e2d09f30 22d09f30 00c1fff0 afa6ceb4 00c26144
+ GPR16: 00c25fb8 00c26140 afa6ceb8 90000000 00c944d8 0000001c 00000000 00200000
+ GPR24: 00000000 000001fb afa6d1b4 00000001 00000000 a539a2a0 a530fd80 00000089
+ NIP [c0011434] interrupt_exit_kernel_prepare+0x10/0x70
+ LR [c001629c] interrupt_return+0x9c/0x144
+ Call Trace:
+ [e2d09f30] [c000424c] DataAccess_virt+0xd4/0xe4 (unreliable)
+ --- interrupt: 300 at 0xa09be008
+ NIP: a09be008 LR: a09bdfe8 CTR: a09bdfc0
+ REGS: e2d09f40 TRAP: 0300 Tainted: G W (5.13.0-pmac-00028-gb3c15b60339a)
+ MSR: 0000d032 <EE,PR,ME,IR,DR,RI> CR: 420028e2 XER: 20000000
+ DAR: a539a308 DSISR: 0a000000
+ GPR00: a7b90d50 afa6b2d0 a74c35c0 a0a8b690 a0a8b698 a5365d70 a4fa82a8 00000004
+ GPR08: 00000000 a09bdfc0 00000000 a5360000 a09bde7c 00c1fff0 afa6ceb4 00c26144
+ GPR16: 00c25fb8 00c26140 afa6ceb8 90000000 00c944d8 0000001c 00000000 00200000
+ GPR24: 00000000 000001fb afa6d1b4 00000001 00000000 a539a2a0 a530fd80 00000089
+ NIP [a09be008] 0xa09be008
+ LR [a09bdfe8] 0xa09bdfe8
+ --- interrupt: 300
+ Instruction dump:
+ 80010024 83e1001c 7c0803a6 4bffff80 3bc00800 4bffffd0 486b42fd 4bffffcc
+ 81430084 71480002 41820038 554a0462 <0f0a0000> 80620060 74630001 40820034
+
+Fixes: b5efec00b671 ("powerpc/32s: Move KUEP locking/unlocking in C")
+Cc: stable@vger.kernel.org # v5.13+
+Reported-by: Stan Johnson <userm57@yahoo.com>
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/4856f5574906e2aec0522be17bf3848a22b2cd0b.1629269345.git.christophe.leroy@csgroup.eu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/book3s/32/kup.h | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/arch/powerpc/include/asm/book3s/32/kup.h b/arch/powerpc/include/asm/book3s/32/kup.h
+index 5353ea68b912..c6cfca9d2bd7 100644
+--- a/arch/powerpc/include/asm/book3s/32/kup.h
++++ b/arch/powerpc/include/asm/book3s/32/kup.h
+@@ -4,6 +4,8 @@
+
+ #include <asm/bug.h>
+ #include <asm/book3s/32/mmu-hash.h>
++#include <asm/mmu.h>
++#include <asm/synch.h>
+
+ #ifndef __ASSEMBLY__
+
+@@ -18,6 +20,15 @@ static inline void kuep_lock(void)
+ return;
+
+ update_user_segments(mfsr(0) | SR_NX);
++ /*
++ * This isync() shouldn't be necessary as the kernel is not excepted to
++ * run any instruction in userspace soon after the update of segments,
++ * but hash based cores (at least G3) seem to exhibit a random
++ * behaviour when the 'isync' is not there. 603 cores don't have this
++ * behaviour so don't do the 'isync' as it saves several CPU cycles.
++ */
++ if (mmu_has_feature(MMU_FTR_HPTE_TABLE))
++ isync(); /* Context sync required after mtsr() */
+ }
+
+ static inline void kuep_unlock(void)
+@@ -26,6 +37,15 @@ static inline void kuep_unlock(void)
+ return;
+
+ update_user_segments(mfsr(0) & ~SR_NX);
++ /*
++ * This isync() shouldn't be necessary as a 'rfi' will soon be executed
++ * to return to userspace, but hash based cores (at least G3) seem to
++ * exhibit a random behaviour when the 'isync' is not there. 603 cores
++ * don't have this behaviour so don't do the 'isync' as it saves several
++ * CPU cycles.
++ */
++ if (mmu_has_feature(MMU_FTR_HPTE_TABLE))
++ isync(); /* Context sync required after mtsr() */
+ }
+
+ #ifdef CONFIG_PPC_KUAP
+--
+2.30.2
+
--- /dev/null
+From 0e113bdf139f201f4f25ea0043149dd733fabd24 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jun 2021 08:41:36 +0000
+Subject: powerpc/32s: Move setup_{kuep/kuap}() into {kuep/kuap}.c
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit 91ec66719d4c5c0e7b4e32585b01881660d1bc53 ]
+
+Avoids the #ifdef in mmu.c
+
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/0b7a13d414837e58264edc336b89c2fe9f35f9bc.1622708530.git.christophe.leroy@csgroup.eu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/mm/book3s32/Makefile | 1 +
+ arch/powerpc/mm/book3s32/kuap.c | 11 +++++++++++
+ arch/powerpc/mm/book3s32/kuep.c | 8 ++++++++
+ arch/powerpc/mm/book3s32/mmu.c | 20 --------------------
+ 4 files changed, 20 insertions(+), 20 deletions(-)
+ create mode 100644 arch/powerpc/mm/book3s32/kuap.c
+
+diff --git a/arch/powerpc/mm/book3s32/Makefile b/arch/powerpc/mm/book3s32/Makefile
+index 7f0c8a78ba0c..15f4773643d2 100644
+--- a/arch/powerpc/mm/book3s32/Makefile
++++ b/arch/powerpc/mm/book3s32/Makefile
+@@ -10,3 +10,4 @@ obj-y += mmu.o mmu_context.o
+ obj-$(CONFIG_PPC_BOOK3S_603) += nohash_low.o
+ obj-$(CONFIG_PPC_BOOK3S_604) += hash_low.o tlb.o
+ obj-$(CONFIG_PPC_KUEP) += kuep.o
++obj-$(CONFIG_PPC_KUAP) += kuap.o
+diff --git a/arch/powerpc/mm/book3s32/kuap.c b/arch/powerpc/mm/book3s32/kuap.c
+new file mode 100644
+index 000000000000..1df55392878e
+--- /dev/null
++++ b/arch/powerpc/mm/book3s32/kuap.c
+@@ -0,0 +1,11 @@
++// SPDX-License-Identifier: GPL-2.0-or-later
++
++#include <asm/kup.h>
++
++void __init setup_kuap(bool disabled)
++{
++ pr_info("Activating Kernel Userspace Access Protection\n");
++
++ if (disabled)
++ pr_warn("KUAP cannot be disabled yet on 6xx when compiled in\n");
++}
+diff --git a/arch/powerpc/mm/book3s32/kuep.c b/arch/powerpc/mm/book3s32/kuep.c
+index 8ed1b8634839..6eafe7b2b031 100644
+--- a/arch/powerpc/mm/book3s32/kuep.c
++++ b/arch/powerpc/mm/book3s32/kuep.c
+@@ -38,3 +38,11 @@ void kuep_unlock(void)
+ {
+ kuep_update(mfsr(0) & ~SR_NX);
+ }
++
++void __init setup_kuep(bool disabled)
++{
++ pr_info("Activating Kernel Userspace Execution Prevention\n");
++
++ if (disabled)
++ pr_warn("KUEP cannot be disabled yet on 6xx when compiled in\n");
++}
+diff --git a/arch/powerpc/mm/book3s32/mmu.c b/arch/powerpc/mm/book3s32/mmu.c
+index 159930351d9f..27061583a010 100644
+--- a/arch/powerpc/mm/book3s32/mmu.c
++++ b/arch/powerpc/mm/book3s32/mmu.c
+@@ -445,26 +445,6 @@ void __init print_system_hash_info(void)
+ pr_info("Hash_mask = 0x%lx\n", Hash_mask);
+ }
+
+-#ifdef CONFIG_PPC_KUEP
+-void __init setup_kuep(bool disabled)
+-{
+- pr_info("Activating Kernel Userspace Execution Prevention\n");
+-
+- if (disabled)
+- pr_warn("KUEP cannot be disabled yet on 6xx when compiled in\n");
+-}
+-#endif
+-
+-#ifdef CONFIG_PPC_KUAP
+-void __init setup_kuap(bool disabled)
+-{
+- pr_info("Activating Kernel Userspace Access Protection\n");
+-
+- if (disabled)
+- pr_warn("KUAP cannot be disabled yet on 6xx when compiled in\n");
+-}
+-#endif
+-
+ void __init early_init_mmu(void)
+ {
+ }
+--
+2.30.2
+
--- /dev/null
+From 714aa92b5161a606e474fc336a963ab0e0c53f33 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jun 2021 08:41:37 +0000
+Subject: powerpc/32s: Refactor update of user segment registers
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit 91bb30822a2e1d7900f9f42e9e92647a9015f979 ]
+
+KUEP implements the update of user segment registers.
+
+Move it into mmu-hash.h in order to use it from other places.
+
+And inline kuep_lock() and kuep_unlock(). Inlining kuep_lock() is
+important for system_call_exception(), otherwise system_call_exception()
+has to save into stack the system call parameters that are used just
+after, and doing that takes more instructions than kuep_lock() itself.
+
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/24591ca480d14a62ef910e38a5273d551262c4a2.1622708530.git.christophe.leroy@csgroup.eu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/book3s/32/kup.h | 21 +++++++++++
+ arch/powerpc/include/asm/book3s/32/mmu-hash.h | 27 ++++++++++++++
+ arch/powerpc/include/asm/kup.h | 5 +--
+ arch/powerpc/mm/book3s32/kuep.c | 37 -------------------
+ 4 files changed, 49 insertions(+), 41 deletions(-)
+
+diff --git a/arch/powerpc/include/asm/book3s/32/kup.h b/arch/powerpc/include/asm/book3s/32/kup.h
+index 1670dfe9d4f1..5353ea68b912 100644
+--- a/arch/powerpc/include/asm/book3s/32/kup.h
++++ b/arch/powerpc/include/asm/book3s/32/kup.h
+@@ -7,6 +7,27 @@
+
+ #ifndef __ASSEMBLY__
+
++static __always_inline bool kuep_is_disabled(void)
++{
++ return !IS_ENABLED(CONFIG_PPC_KUEP);
++}
++
++static inline void kuep_lock(void)
++{
++ if (kuep_is_disabled())
++ return;
++
++ update_user_segments(mfsr(0) | SR_NX);
++}
++
++static inline void kuep_unlock(void)
++{
++ if (kuep_is_disabled())
++ return;
++
++ update_user_segments(mfsr(0) & ~SR_NX);
++}
++
+ #ifdef CONFIG_PPC_KUAP
+
+ #include <linux/sched.h>
+diff --git a/arch/powerpc/include/asm/book3s/32/mmu-hash.h b/arch/powerpc/include/asm/book3s/32/mmu-hash.h
+index b85f8e114a9c..cc0284bbac86 100644
+--- a/arch/powerpc/include/asm/book3s/32/mmu-hash.h
++++ b/arch/powerpc/include/asm/book3s/32/mmu-hash.h
+@@ -102,6 +102,33 @@ extern s32 patch__hash_page_B, patch__hash_page_C;
+ extern s32 patch__flush_hash_A0, patch__flush_hash_A1, patch__flush_hash_A2;
+ extern s32 patch__flush_hash_B;
+
++#include <asm/reg.h>
++#include <asm/task_size_32.h>
++
++#define UPDATE_TWO_USER_SEGMENTS(n) do { \
++ if (TASK_SIZE > ((n) << 28)) \
++ mtsr(val1, (n) << 28); \
++ if (TASK_SIZE > (((n) + 1) << 28)) \
++ mtsr(val2, ((n) + 1) << 28); \
++ val1 = (val1 + 0x222) & 0xf0ffffff; \
++ val2 = (val2 + 0x222) & 0xf0ffffff; \
++} while (0)
++
++static __always_inline void update_user_segments(u32 val)
++{
++ int val1 = val;
++ int val2 = (val + 0x111) & 0xf0ffffff;
++
++ UPDATE_TWO_USER_SEGMENTS(0);
++ UPDATE_TWO_USER_SEGMENTS(2);
++ UPDATE_TWO_USER_SEGMENTS(4);
++ UPDATE_TWO_USER_SEGMENTS(6);
++ UPDATE_TWO_USER_SEGMENTS(8);
++ UPDATE_TWO_USER_SEGMENTS(10);
++ UPDATE_TWO_USER_SEGMENTS(12);
++ UPDATE_TWO_USER_SEGMENTS(14);
++}
++
+ #endif /* !__ASSEMBLY__ */
+
+ /* We happily ignore the smaller BATs on 601, we don't actually use
+diff --git a/arch/powerpc/include/asm/kup.h b/arch/powerpc/include/asm/kup.h
+index ec96232529ac..4b94d4293777 100644
+--- a/arch/powerpc/include/asm/kup.h
++++ b/arch/powerpc/include/asm/kup.h
+@@ -46,10 +46,7 @@ void setup_kuep(bool disabled);
+ static inline void setup_kuep(bool disabled) { }
+ #endif /* CONFIG_PPC_KUEP */
+
+-#if defined(CONFIG_PPC_KUEP) && defined(CONFIG_PPC_BOOK3S_32)
+-void kuep_lock(void);
+-void kuep_unlock(void);
+-#else
++#ifndef CONFIG_PPC_BOOK3S_32
+ static inline void kuep_lock(void) { }
+ static inline void kuep_unlock(void) { }
+ #endif
+diff --git a/arch/powerpc/mm/book3s32/kuep.c b/arch/powerpc/mm/book3s32/kuep.c
+index 6eafe7b2b031..919595f47e25 100644
+--- a/arch/powerpc/mm/book3s32/kuep.c
++++ b/arch/powerpc/mm/book3s32/kuep.c
+@@ -1,43 +1,6 @@
+ // SPDX-License-Identifier: GPL-2.0-or-later
+
+ #include <asm/kup.h>
+-#include <asm/reg.h>
+-#include <asm/task_size_32.h>
+-#include <asm/mmu.h>
+-
+-#define KUEP_UPDATE_TWO_USER_SEGMENTS(n) do { \
+- if (TASK_SIZE > ((n) << 28)) \
+- mtsr(val1, (n) << 28); \
+- if (TASK_SIZE > (((n) + 1) << 28)) \
+- mtsr(val2, ((n) + 1) << 28); \
+- val1 = (val1 + 0x222) & 0xf0ffffff; \
+- val2 = (val2 + 0x222) & 0xf0ffffff; \
+-} while (0)
+-
+-static __always_inline void kuep_update(u32 val)
+-{
+- int val1 = val;
+- int val2 = (val + 0x111) & 0xf0ffffff;
+-
+- KUEP_UPDATE_TWO_USER_SEGMENTS(0);
+- KUEP_UPDATE_TWO_USER_SEGMENTS(2);
+- KUEP_UPDATE_TWO_USER_SEGMENTS(4);
+- KUEP_UPDATE_TWO_USER_SEGMENTS(6);
+- KUEP_UPDATE_TWO_USER_SEGMENTS(8);
+- KUEP_UPDATE_TWO_USER_SEGMENTS(10);
+- KUEP_UPDATE_TWO_USER_SEGMENTS(12);
+- KUEP_UPDATE_TWO_USER_SEGMENTS(14);
+-}
+-
+-void kuep_lock(void)
+-{
+- kuep_update(mfsr(0) | SR_NX);
+-}
+-
+-void kuep_unlock(void)
+-{
+- kuep_update(mfsr(0) & ~SR_NX);
+-}
+
+ void __init setup_kuep(bool disabled)
+ {
+--
+2.30.2
+
--- /dev/null
+From f96a34c8a41e3dc1c02a3fda69b8ab4d62b8c612 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Aug 2021 19:54:50 +0200
+Subject: riscv: Fix a number of free'd resources in init_resources()
+
+From: Petr Pavlu <petr.pavlu@suse.com>
+
+[ Upstream commit aa3e1ba32e553e611a58145c2eb349802feaa6eb ]
+
+Function init_resources() allocates a boot memory block to hold an array of
+resources which it adds to iomem_resource. The array is filled in from its
+end and the function then attempts to free any unused memory at the
+beginning. The problem is that size of the unused memory is incorrectly
+calculated and this can result in releasing memory which is in use by
+active resources. Their data then gets corrupted later when the memory is
+reused by a different part of the system.
+
+Fix the size of the released memory to correctly match the number of unused
+resource entries.
+
+Fixes: ffe0e5261268 ("RISC-V: Improve init_resources()")
+Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
+Reviewed-by: Sunil V L <sunilvl@ventanamicro.com>
+Acked-by: Nick Kossifidis <mick@ics.forth.gr>
+Tested-by: Sunil V L <sunilvl@ventanamicro.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/kernel/setup.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/riscv/kernel/setup.c b/arch/riscv/kernel/setup.c
+index 9a1b7a0603b2..f2a9cd4284b0 100644
+--- a/arch/riscv/kernel/setup.c
++++ b/arch/riscv/kernel/setup.c
+@@ -230,8 +230,8 @@ static void __init init_resources(void)
+ }
+
+ /* Clean-up any unused pre-allocated resources */
+- mem_res_sz = (num_resources - res_idx + 1) * sizeof(*mem_res);
+- memblock_free(__pa(mem_res), mem_res_sz);
++ if (res_idx >= 0)
++ memblock_free(__pa(mem_res), (res_idx + 1) * sizeof(*mem_res));
+ return;
+
+ error:
+--
+2.30.2
+
--- /dev/null
+From 43950f81790e1469510e61179b4e9bad5cea7882 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Aug 2021 12:11:16 +0200
+Subject: s390/pci: fix use after free of zpci_dev
+
+From: Niklas Schnelle <schnelle@linux.ibm.com>
+
+[ Upstream commit 2a671f77ee49f3e78997b77fdee139467ff6a598 ]
+
+The struct pci_dev uses reference counting but zPCI assumed erroneously
+that the last reference would always be the local reference after
+calling pci_stop_and_remove_bus_device(). This is usually the case but
+not how reference counting works and thus inherently fragile.
+
+In fact one case where this causes a NULL pointer dereference when on an
+SRIOV device the function 0 was hot unplugged before another function of
+the same multi-function device. In this case the second function's
+pdev->sriov->dev reference keeps the struct pci_dev of function 0 alive
+even after the unplug. This bug was previously hidden by the fact that
+we were leaking the struct pci_dev which in turn means that it always
+outlived the struct zpci_dev. This was fixed in commit 0b13525c20fe
+("s390/pci: fix leak of PCI device structure") exposing the broken
+behavior.
+
+Fix this by accounting for the long living reference a struct pci_dev
+has to its underlying struct zpci_dev via the zbus->function[] array and
+only release that in pcibios_release_device() ensuring that the struct
+pci_dev is not left with a dangling reference. This is a minimal fix in
+the future it would probably better to use fine grained reference
+counting for struct zpci_dev.
+
+Fixes: 05bc1be6db4b2 ("s390/pci: create zPCI bus")
+Cc: stable@vger.kernel.org
+Reviewed-by: Matthew Rosato <mjrosato@linux.ibm.com>
+Signed-off-by: Niklas Schnelle <schnelle@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/pci/pci.c | 6 ++++++
+ arch/s390/pci/pci_bus.h | 5 +++++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/arch/s390/pci/pci.c b/arch/s390/pci/pci.c
+index b0993e05affe..8fcb7ecb7225 100644
+--- a/arch/s390/pci/pci.c
++++ b/arch/s390/pci/pci.c
+@@ -560,9 +560,12 @@ static void zpci_cleanup_bus_resources(struct zpci_dev *zdev)
+
+ int pcibios_add_device(struct pci_dev *pdev)
+ {
++ struct zpci_dev *zdev = to_zpci(pdev);
+ struct resource *res;
+ int i;
+
++ /* The pdev has a reference to the zdev via its bus */
++ zpci_zdev_get(zdev);
+ if (pdev->is_physfn)
+ pdev->no_vf_scan = 1;
+
+@@ -582,7 +585,10 @@ int pcibios_add_device(struct pci_dev *pdev)
+
+ void pcibios_release_device(struct pci_dev *pdev)
+ {
++ struct zpci_dev *zdev = to_zpci(pdev);
++
+ zpci_unmap_resources(pdev);
++ zpci_zdev_put(zdev);
+ }
+
+ int pcibios_enable_device(struct pci_dev *pdev, int mask)
+diff --git a/arch/s390/pci/pci_bus.h b/arch/s390/pci/pci_bus.h
+index b877a97e6745..e359d2686178 100644
+--- a/arch/s390/pci/pci_bus.h
++++ b/arch/s390/pci/pci_bus.h
+@@ -22,6 +22,11 @@ static inline void zpci_zdev_put(struct zpci_dev *zdev)
+ kref_put(&zdev->kref, zpci_release_device);
+ }
+
++static inline void zpci_zdev_get(struct zpci_dev *zdev)
++{
++ kref_get(&zdev->kref);
++}
++
+ int zpci_alloc_domain(int domain);
+ void zpci_free_domain(int domain);
+ int zpci_setup_bus_resources(struct zpci_dev *zdev,
+--
+2.30.2
+
iavf-fix-ping-is-lost-after-untrusted-vf-had-tried-t.patch
revert-flow_offload-action-should-not-be-null-when-i.patch
net-dpaa2-switch-disable-the-control-interface-on-er.patch
+iommu-dma-fix-leak-in-non-contiguous-api.patch
+mmc-dw_mmc-fix-hang-on-data-crc-error.patch
+mmc-mmci-stm32-check-when-the-voltage-switch-procedu.patch
+mmc-sdhci-msm-update-the-software-timeout-value-for-.patch
+clk-imx6q-fix-uart-earlycon-unwork.patch
+clk-qcom-gdsc-ensure-regulator-init-state-matches-gd.patch
+arm64-clean-vdso-vdso32-files.patch
+cfi-use-rcu_read_-un-lock_sched_notrace.patch
+alsa-hda-fix-the-capture-switch-value-change-notific.patch
+tracing-define-needed-config-dynamic_ftrace_with_arg.patch
+tracing-histogram-fix-null-pointer-dereference-on-st.patch
+slimbus-messaging-start-transaction-ids-from-1-inste.patch
+slimbus-messaging-check-for-valid-transaction-id.patch
+slimbus-ngd-set-correct-device-for-pm.patch
+slimbus-ngd-reset-dma-setup-during-runtime-pm.patch
+ipack-tpci200-fix-many-double-free-issues-in-tpci200.patch
+ipack-tpci200-fix-memory-leak-in-the-tpci200_registe.patch
+io_uring-fix-code-style-problems.patch
+io_uring-only-assign-io_uring_enter-sqpoll-error-in-.patch
+alsa-hda-realtek-enable-4-speaker-output-for-dell-xp.patch
+opp-drop-empty-table-checks-from-_put-functions.patch
+mmc-sdhci-iproc-cap-min-clock-frequency-on-bcm2711.patch
+mmc-sdhci-iproc-set-sdhci_quirk_cap_clock_base_broke.patch
+btrfs-prevent-rename2-from-exchanging-a-subvol-with-.patch
+tracing-apply-trace-filters-on-all-output-channels.patch
+alsa-hda-via-apply-runtime-pm-workaround-for-asus-b2.patch
+s390-pci-fix-use-after-free-of-zpci_dev.patch
+usb-typec-tcpm-fix-vdms-sometimes-not-being-forwarde.patch
+powerpc-32s-move-setup_-kuep-kuap-into-kuep-kuap-.c.patch
+powerpc-32s-refactor-update-of-user-segment-register.patch
+powerpc-32s-fix-random-crashes-by-adding-isync-after.patch
+pci-increase-d3-delay-for-amd-renoir-cezanne-xhci.patch
+alsa-hda-realtek-limit-mic-boost-on-hp-probook-445-g.patch
+asoc-intel-atom-fix-breakage-for-pcm-buffer-address-.patch
+riscv-fix-a-number-of-free-d-resources-in-init_resou.patch
+mm-memcontrol-fix-occasional-ooms-due-to-proportiona.patch
+mm-hwpoison-make-get_hwpoison_page-call-get_any_page.patch
+mm-hwpoison-retry-with-shake_page-for-unhandlable-pa.patch
+kfence-fix-is_kfence_address-for-addresses-below-kfe.patch
+hugetlb-don-t-pass-page-cache-pages-to-restore_reser.patch
+io_uring-fix-xa_alloc_cycle-error-return-value-check.patch
+fs-warn-about-impending-deprecation-of-mandatory-loc.patch
--- /dev/null
+From 32741f9decad4a31284f43b33240ac27b225cdf3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Aug 2021 09:24:26 +0100
+Subject: slimbus: messaging: check for valid transaction id
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+[ Upstream commit a263c1ff6abe0e66712f40d595bbddc7a35907f8 ]
+
+In some usecases transaction ids are dynamically allocated inside
+the controller driver after sending the messages which have generic
+acknowledge responses. So check for this before refcounting pm_runtime.
+
+Without this we would end up imbalancing runtime pm count by
+doing pm_runtime_put() in both slim_do_transfer() and slim_msg_response()
+for a single pm_runtime_get() in slim_do_transfer()
+
+Fixes: d3062a210930 ("slimbus: messaging: add slim_alloc/free_txn_tid()")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20210809082428.11236-3-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/slimbus/messaging.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/slimbus/messaging.c b/drivers/slimbus/messaging.c
+index 6097ddc43a35..e5ae26227bdb 100644
+--- a/drivers/slimbus/messaging.c
++++ b/drivers/slimbus/messaging.c
+@@ -131,7 +131,8 @@ int slim_do_transfer(struct slim_controller *ctrl, struct slim_msg_txn *txn)
+ goto slim_xfer_err;
+ }
+ }
+-
++ /* Initialize tid to invalid value */
++ txn->tid = 0;
+ need_tid = slim_tid_txn(txn->mt, txn->mc);
+
+ if (need_tid) {
+@@ -163,7 +164,7 @@ int slim_do_transfer(struct slim_controller *ctrl, struct slim_msg_txn *txn)
+ txn->mt, txn->mc, txn->la, ret);
+
+ slim_xfer_err:
+- if (!clk_pause_msg && (!need_tid || ret == -ETIMEDOUT)) {
++ if (!clk_pause_msg && (txn->tid == 0 || ret == -ETIMEDOUT)) {
+ /*
+ * remove runtime-pm vote if this was TX only, or
+ * if there was error during this transaction
+--
+2.30.2
+
--- /dev/null
+From 9e0bcf5a84adff21958bf721e89303931417d949 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Aug 2021 09:24:25 +0100
+Subject: slimbus: messaging: start transaction ids from 1 instead of zero
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+[ Upstream commit 9659281ce78de0f15a4aa124da8f7450b1399c09 ]
+
+As tid is unsigned its hard to figure out if the tid is valid or
+invalid. So Start the transaction ids from 1 instead of zero
+so that we could differentiate between a valid tid and invalid tids
+
+This is useful in cases where controller would add a tid for controller
+specific transfers.
+
+Fixes: d3062a210930 ("slimbus: messaging: add slim_alloc/free_txn_tid()")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20210809082428.11236-2-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/slimbus/messaging.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/slimbus/messaging.c b/drivers/slimbus/messaging.c
+index f2b5d347d227..6097ddc43a35 100644
+--- a/drivers/slimbus/messaging.c
++++ b/drivers/slimbus/messaging.c
+@@ -66,7 +66,7 @@ int slim_alloc_txn_tid(struct slim_controller *ctrl, struct slim_msg_txn *txn)
+ int ret = 0;
+
+ spin_lock_irqsave(&ctrl->txn_lock, flags);
+- ret = idr_alloc_cyclic(&ctrl->tid_idr, txn, 0,
++ ret = idr_alloc_cyclic(&ctrl->tid_idr, txn, 1,
+ SLIM_MAX_TIDS, GFP_ATOMIC);
+ if (ret < 0) {
+ spin_unlock_irqrestore(&ctrl->txn_lock, flags);
+--
+2.30.2
+
--- /dev/null
+From 391155dd5ea6463a80d0ca5a1fd64052cc78d635 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Aug 2021 09:24:28 +0100
+Subject: slimbus: ngd: reset dma setup during runtime pm
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+[ Upstream commit d77772538f00b7265deace6e77e555ee18365ad0 ]
+
+During suspend/resume NGD remote instance is power cycled along
+with remotely controlled bam dma engine.
+So Reset the dma configuration during this suspend resume path
+so that we are not dealing with any stale dma setup.
+
+Without this transactions timeout after first suspend resume path.
+
+Fixes: 917809e2280b ("slimbus: ngd: Add qcom SLIMBus NGD driver")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20210809082428.11236-5-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/slimbus/qcom-ngd-ctrl.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/slimbus/qcom-ngd-ctrl.c b/drivers/slimbus/qcom-ngd-ctrl.c
+index f3ee8e036372..7040293c2ee8 100644
+--- a/drivers/slimbus/qcom-ngd-ctrl.c
++++ b/drivers/slimbus/qcom-ngd-ctrl.c
+@@ -1080,7 +1080,8 @@ static void qcom_slim_ngd_setup(struct qcom_slim_ngd_ctrl *ctrl)
+ {
+ u32 cfg = readl_relaxed(ctrl->ngd->base);
+
+- if (ctrl->state == QCOM_SLIM_NGD_CTRL_DOWN)
++ if (ctrl->state == QCOM_SLIM_NGD_CTRL_DOWN ||
++ ctrl->state == QCOM_SLIM_NGD_CTRL_ASLEEP)
+ qcom_slim_ngd_init_dma(ctrl);
+
+ /* By default enable message queues */
+@@ -1131,6 +1132,7 @@ static int qcom_slim_ngd_power_up(struct qcom_slim_ngd_ctrl *ctrl)
+ dev_info(ctrl->dev, "Subsys restart: ADSP active framer\n");
+ return 0;
+ }
++ qcom_slim_ngd_setup(ctrl);
+ return 0;
+ }
+
+@@ -1618,6 +1620,7 @@ static int __maybe_unused qcom_slim_ngd_runtime_suspend(struct device *dev)
+ struct qcom_slim_ngd_ctrl *ctrl = dev_get_drvdata(dev);
+ int ret = 0;
+
++ qcom_slim_ngd_exit_dma(ctrl);
+ if (!ctrl->qmi.handle)
+ return 0;
+
+--
+2.30.2
+
--- /dev/null
+From 55bede8a0535e4b599cff4ed55519b11f196c029 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Aug 2021 09:24:27 +0100
+Subject: slimbus: ngd: set correct device for pm
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+[ Upstream commit c0e38eaa8d5102c138e4f16658ea762417d42a8f ]
+
+For some reason we ended up using wrong device in some places for pm_runtime calls.
+Fix this so that NGG driver can do runtime pm correctly.
+
+Fixes: 917809e2280b ("slimbus: ngd: Add qcom SLIMBus NGD driver")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20210809082428.11236-4-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/slimbus/qcom-ngd-ctrl.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/slimbus/qcom-ngd-ctrl.c b/drivers/slimbus/qcom-ngd-ctrl.c
+index c054e83ab636..f3ee8e036372 100644
+--- a/drivers/slimbus/qcom-ngd-ctrl.c
++++ b/drivers/slimbus/qcom-ngd-ctrl.c
+@@ -618,7 +618,7 @@ static void qcom_slim_ngd_rx(struct qcom_slim_ngd_ctrl *ctrl, u8 *buf)
+ (mc == SLIM_USR_MC_GENERIC_ACK &&
+ mt == SLIM_MSG_MT_SRC_REFERRED_USER)) {
+ slim_msg_response(&ctrl->ctrl, &buf[4], buf[3], len - 4);
+- pm_runtime_mark_last_busy(ctrl->dev);
++ pm_runtime_mark_last_busy(ctrl->ctrl.dev);
+ }
+ }
+
+@@ -1257,13 +1257,14 @@ static int qcom_slim_ngd_enable(struct qcom_slim_ngd_ctrl *ctrl, bool enable)
+ }
+ /* controller state should be in sync with framework state */
+ complete(&ctrl->qmi.qmi_comp);
+- if (!pm_runtime_enabled(ctrl->dev) ||
+- !pm_runtime_suspended(ctrl->dev))
+- qcom_slim_ngd_runtime_resume(ctrl->dev);
++ if (!pm_runtime_enabled(ctrl->ctrl.dev) ||
++ !pm_runtime_suspended(ctrl->ctrl.dev))
++ qcom_slim_ngd_runtime_resume(ctrl->ctrl.dev);
+ else
+- pm_runtime_resume(ctrl->dev);
+- pm_runtime_mark_last_busy(ctrl->dev);
+- pm_runtime_put(ctrl->dev);
++ pm_runtime_resume(ctrl->ctrl.dev);
++
++ pm_runtime_mark_last_busy(ctrl->ctrl.dev);
++ pm_runtime_put(ctrl->ctrl.dev);
+
+ ret = slim_register_controller(&ctrl->ctrl);
+ if (ret) {
+@@ -1389,7 +1390,7 @@ static int qcom_slim_ngd_ssr_pdr_notify(struct qcom_slim_ngd_ctrl *ctrl,
+ /* Make sure the last dma xfer is finished */
+ mutex_lock(&ctrl->tx_lock);
+ if (ctrl->state != QCOM_SLIM_NGD_CTRL_DOWN) {
+- pm_runtime_get_noresume(ctrl->dev);
++ pm_runtime_get_noresume(ctrl->ctrl.dev);
+ ctrl->state = QCOM_SLIM_NGD_CTRL_DOWN;
+ qcom_slim_ngd_down(ctrl);
+ qcom_slim_ngd_exit_dma(ctrl);
+--
+2.30.2
+
--- /dev/null
+From e6fbc5cb78076442aa117db8e1548c7cfa8ea260 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 14 Aug 2021 11:45:38 +0800
+Subject: tracing: Apply trace filters on all output channels
+
+From: Pingfan Liu <kernelfans@gmail.com>
+
+[ Upstream commit 6c34df6f350df9579ce99d887a2b5fa14cc13b32 ]
+
+The event filters are not applied on all of the output, which results in
+the flood of printk when using tp_printk. Unfolding
+event_trigger_unlock_commit_regs() into trace_event_buffer_commit(), so
+the filters can be applied on every output.
+
+Link: https://lkml.kernel.org/r/20210814034538.8428-1-kernelfans@gmail.com
+
+Cc: stable@vger.kernel.org
+Fixes: 0daa2302968c1 ("tracing: Add tp_printk cmdline to have tracepoints go to printk()")
+Signed-off-by: Pingfan Liu <kernelfans@gmail.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace.c | 18 +++++++++++++++---
+ kernel/trace/trace.h | 32 --------------------------------
+ 2 files changed, 15 insertions(+), 35 deletions(-)
+
+diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
+index 018067e379f2..fa617a0a9eed 100644
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -2853,14 +2853,26 @@ int tracepoint_printk_sysctl(struct ctl_table *table, int write,
+
+ void trace_event_buffer_commit(struct trace_event_buffer *fbuffer)
+ {
++ enum event_trigger_type tt = ETT_NONE;
++ struct trace_event_file *file = fbuffer->trace_file;
++
++ if (__event_trigger_test_discard(file, fbuffer->buffer, fbuffer->event,
++ fbuffer->entry, &tt))
++ goto discard;
++
+ if (static_key_false(&tracepoint_printk_key.key))
+ output_printk(fbuffer);
+
+ if (static_branch_unlikely(&trace_event_exports_enabled))
+ ftrace_exports(fbuffer->event, TRACE_EXPORT_EVENT);
+- event_trigger_unlock_commit_regs(fbuffer->trace_file, fbuffer->buffer,
+- fbuffer->event, fbuffer->entry,
+- fbuffer->trace_ctx, fbuffer->regs);
++
++ trace_buffer_unlock_commit_regs(file->tr, fbuffer->buffer,
++ fbuffer->event, fbuffer->trace_ctx, fbuffer->regs);
++
++discard:
++ if (tt)
++ event_triggers_post_call(file, tt);
++
+ }
+ EXPORT_SYMBOL_GPL(trace_event_buffer_commit);
+
+diff --git a/kernel/trace/trace.h b/kernel/trace/trace.h
+index cd80d046c7a5..1b60ecf85391 100644
+--- a/kernel/trace/trace.h
++++ b/kernel/trace/trace.h
+@@ -1391,38 +1391,6 @@ event_trigger_unlock_commit(struct trace_event_file *file,
+ event_triggers_post_call(file, tt);
+ }
+
+-/**
+- * event_trigger_unlock_commit_regs - handle triggers and finish event commit
+- * @file: The file pointer associated with the event
+- * @buffer: The ring buffer that the event is being written to
+- * @event: The event meta data in the ring buffer
+- * @entry: The event itself
+- * @trace_ctx: The tracing context flags.
+- *
+- * This is a helper function to handle triggers that require data
+- * from the event itself. It also tests the event against filters and
+- * if the event is soft disabled and should be discarded.
+- *
+- * Same as event_trigger_unlock_commit() but calls
+- * trace_buffer_unlock_commit_regs() instead of trace_buffer_unlock_commit().
+- */
+-static inline void
+-event_trigger_unlock_commit_regs(struct trace_event_file *file,
+- struct trace_buffer *buffer,
+- struct ring_buffer_event *event,
+- void *entry, unsigned int trace_ctx,
+- struct pt_regs *regs)
+-{
+- enum event_trigger_type tt = ETT_NONE;
+-
+- if (!__event_trigger_test_discard(file, buffer, event, entry, &tt))
+- trace_buffer_unlock_commit_regs(file->tr, buffer, event,
+- trace_ctx, regs);
+-
+- if (tt)
+- event_triggers_post_call(file, tt);
+-}
+-
+ #define FILTER_PRED_INVALID ((unsigned short)-1)
+ #define FILTER_PRED_IS_RIGHT (1 << 15)
+ #define FILTER_PRED_FOLD (1 << 15)
+--
+2.30.2
+
--- /dev/null
+From c847c6f709ac1b14d7e92e66064623139d87275c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Aug 2021 21:50:27 +0200
+Subject: tracing: define needed config DYNAMIC_FTRACE_WITH_ARGS
+
+From: Lukas Bulwahn <lukas.bulwahn@gmail.com>
+
+[ Upstream commit 12f9951d3f311acb1d4ffe8e839bc2c07983546f ]
+
+Commit 2860cd8a2353 ("livepatch: Use the default ftrace_ops instead of
+REGS when ARGS is available") intends to enable config LIVEPATCH when
+ftrace with ARGS is available. However, the chain of configs to enable
+LIVEPATCH is incomplete, as HAVE_DYNAMIC_FTRACE_WITH_ARGS is available,
+but the definition of DYNAMIC_FTRACE_WITH_ARGS, combining DYNAMIC_FTRACE
+and HAVE_DYNAMIC_FTRACE_WITH_ARGS, needed to enable LIVEPATCH, is missing
+in the commit.
+
+Fortunately, ./scripts/checkkconfigsymbols.py detects this and warns:
+
+DYNAMIC_FTRACE_WITH_ARGS
+Referencing files: kernel/livepatch/Kconfig
+
+So, define the config DYNAMIC_FTRACE_WITH_ARGS analogously to the already
+existing similar configs, DYNAMIC_FTRACE_WITH_REGS and
+DYNAMIC_FTRACE_WITH_DIRECT_CALLS, in ./kernel/trace/Kconfig to connect the
+chain of configs.
+
+Link: https://lore.kernel.org/kernel-janitors/CAKXUXMwT2zS9fgyQHKUUiqo8ynZBdx2UEUu1WnV_q0OCmknqhw@mail.gmail.com/
+Link: https://lkml.kernel.org/r/20210806195027.16808-1-lukas.bulwahn@gmail.com
+
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Jiri Kosina <jikos@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Miroslav Benes <mbenes@suse.cz>
+Cc: stable@vger.kernel.org
+Fixes: 2860cd8a2353 ("livepatch: Use the default ftrace_ops instead of REGS when ARGS is available")
+Signed-off-by: Lukas Bulwahn <lukas.bulwahn@gmail.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/Kconfig | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/kernel/trace/Kconfig b/kernel/trace/Kconfig
+index 7fa82778c3e6..682334e018dd 100644
+--- a/kernel/trace/Kconfig
++++ b/kernel/trace/Kconfig
+@@ -219,6 +219,11 @@ config DYNAMIC_FTRACE_WITH_DIRECT_CALLS
+ depends on DYNAMIC_FTRACE_WITH_REGS
+ depends on HAVE_DYNAMIC_FTRACE_WITH_DIRECT_CALLS
+
++config DYNAMIC_FTRACE_WITH_ARGS
++ def_bool y
++ depends on DYNAMIC_FTRACE
++ depends on HAVE_DYNAMIC_FTRACE_WITH_ARGS
++
+ config FUNCTION_PROFILER
+ bool "Kernel function profiler"
+ depends on FUNCTION_TRACER
+--
+2.30.2
+
--- /dev/null
+From b9bbe0c1adbf986120693e162ceac20d3759cef1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Aug 2021 00:30:11 -0400
+Subject: tracing / histogram: Fix NULL pointer dereference on strcmp() on NULL
+ event name
+
+From: Steven Rostedt (VMware) <rostedt@goodmis.org>
+
+[ Upstream commit 5acce0bff2a0420ce87d4591daeb867f47d552c2 ]
+
+The following commands:
+
+ # echo 'read_max u64 size;' > synthetic_events
+ # echo 'hist:keys=common_pid:count=count:onmax($count).trace(read_max,count)' > events/syscalls/sys_enter_read/trigger
+
+Causes:
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000000
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: 0000 [#1] PREEMPT SMP
+ CPU: 4 PID: 1763 Comm: bash Not tainted 5.14.0-rc2-test+ #155
+ Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01
+v03.03 07/14/2016
+ RIP: 0010:strcmp+0xc/0x20
+ Code: 75 f7 31 c0 0f b6 0c 06 88 0c 02 48 83 c0 01 84 c9 75 f1 4c 89 c0
+c3 0f 1f 80 00 00 00 00 31 c0 eb 08 48 83 c0 01 84 d2 74 0f <0f> b6 14 07
+3a 14 06 74 ef 19 c0 83 c8 01 c3 31 c0 c3 66 90 48 89
+ RSP: 0018:ffffb5fdc0963ca8 EFLAGS: 00010246
+ RAX: 0000000000000000 RBX: ffffffffb3a4e040 RCX: 0000000000000000
+ RDX: 0000000000000000 RSI: ffff9714c0d0b640 RDI: 0000000000000000
+ RBP: 0000000000000000 R08: 00000022986b7cde R09: ffffffffb3a4dff8
+ R10: 0000000000000000 R11: 0000000000000000 R12: ffff9714c50603c8
+ R13: 0000000000000000 R14: ffff97143fdf9e48 R15: ffff9714c01a2210
+ FS: 00007f1fa6785740(0000) GS:ffff9714da400000(0000)
+knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000000 CR3: 000000002d863004 CR4: 00000000001706e0
+ Call Trace:
+ __find_event_file+0x4e/0x80
+ action_create+0x6b7/0xeb0
+ ? kstrdup+0x44/0x60
+ event_hist_trigger_func+0x1a07/0x2130
+ trigger_process_regex+0xbd/0x110
+ event_trigger_write+0x71/0xd0
+ vfs_write+0xe9/0x310
+ ksys_write+0x68/0xe0
+ do_syscall_64+0x3b/0x90
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+ RIP: 0033:0x7f1fa6879e87
+
+The problem was the "trace(read_max,count)" where the "count" should be
+"$count" as "onmax()" only handles variables (although it really should be
+able to figure out that "count" is a field of sys_enter_read). But there's
+a path that does not find the variable and ends up passing a NULL for the
+event, which ends up getting passed to "strcmp()".
+
+Add a check for NULL to return and error on the command with:
+
+ # cat error_log
+ hist:syscalls:sys_enter_read: error: Couldn't create or find variable
+ Command: hist:keys=common_pid:count=count:onmax($count).trace(read_max,count)
+ ^
+Link: https://lkml.kernel.org/r/20210808003011.4037f8d0@oasis.local.home
+
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: stable@vger.kernel.org
+Fixes: 50450603ec9cb tracing: Add 'onmax' hist trigger action support
+Reviewed-by: Tom Zanussi <zanussi@kernel.org>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace_events_hist.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c
+index c59793ffd59c..4a2e1d360437 100644
+--- a/kernel/trace/trace_events_hist.c
++++ b/kernel/trace/trace_events_hist.c
+@@ -3430,6 +3430,8 @@ trace_action_create_field_var(struct hist_trigger_data *hist_data,
+ event = data->match_data.event;
+ }
+
++ if (!event)
++ goto free;
+ /*
+ * At this point, we're looking at a field on another
+ * event. Because we can't modify a hist trigger on
+--
+2.30.2
+
--- /dev/null
+From 74a896db27a2920d09348ca050639613011719af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Aug 2021 17:46:32 +0200
+Subject: usb: typec: tcpm: Fix VDMs sometimes not being forwarded to alt-mode
+ drivers
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 5571ea3117ca22849072adb58074fb5a2fd12c00 ]
+
+Commit a20dcf53ea98 ("usb: typec: tcpm: Respond Not_Supported if no
+snk_vdo"), stops tcpm_pd_data_request() calling tcpm_handle_vdm_request()
+when port->nr_snk_vdo is not set. But the VDM might be intended for an
+altmode-driver, in which case nr_snk_vdo does not matter.
+
+This change breaks the forwarding of connector hotplug (HPD) events
+for displayport altmode on devices which don't set nr_snk_vdo.
+
+tcpm_pd_data_request() is the only caller of tcpm_handle_vdm_request(),
+so we can move the nr_snk_vdo check to inside it, at which point we
+have already looked up the altmode device so we can check for this too.
+
+Doing this check here also ensures that vdm_state gets set to
+VDM_STATE_DONE if it was VDM_STATE_BUSY, even if we end up with
+responding with PD_MSG_CTRL_NOT_SUPP later.
+
+Note that tcpm_handle_vdm_request() was already sending
+PD_MSG_CTRL_NOT_SUPP in some circumstances, after moving the nr_snk_vdo
+check the same error-path is now taken when that check fails. So that
+we have only one error-path for this and not two. Replace the
+tcpm_queue_message(PD_MSG_CTRL_NOT_SUPP) used by the existing error-path
+with the more robust tcpm_pd_handle_msg() from the (now removed) second
+error-path.
+
+Fixes: a20dcf53ea98 ("usb: typec: tcpm: Respond Not_Supported if no snk_vdo")
+Cc: stable <stable@vger.kernel.org>
+Cc: Kyle Tso <kyletso@google.com>
+Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Acked-by: Kyle Tso <kyletso@google.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20210816154632.381968-1-hdegoede@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/typec/tcpm/tcpm.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c
+index 426e37a1e78c..1b886d80ba1c 100644
+--- a/drivers/usb/typec/tcpm/tcpm.c
++++ b/drivers/usb/typec/tcpm/tcpm.c
+@@ -1709,6 +1709,10 @@ static int tcpm_pd_svdm(struct tcpm_port *port, struct typec_altmode *adev,
+ return rlen;
+ }
+
++static void tcpm_pd_handle_msg(struct tcpm_port *port,
++ enum pd_msg_request message,
++ enum tcpm_ams ams);
++
+ static void tcpm_handle_vdm_request(struct tcpm_port *port,
+ const __le32 *payload, int cnt)
+ {
+@@ -1736,11 +1740,11 @@ static void tcpm_handle_vdm_request(struct tcpm_port *port,
+ port->vdm_state = VDM_STATE_DONE;
+ }
+
+- if (PD_VDO_SVDM(p[0])) {
++ if (PD_VDO_SVDM(p[0]) && (adev || tcpm_vdm_ams(port) || port->nr_snk_vdo)) {
+ rlen = tcpm_pd_svdm(port, adev, p, cnt, response, &adev_action);
+ } else {
+ if (port->negotiated_rev >= PD_REV30)
+- tcpm_queue_message(port, PD_MSG_CTRL_NOT_SUPP);
++ tcpm_pd_handle_msg(port, PD_MSG_CTRL_NOT_SUPP, NONE_AMS);
+ }
+
+ /*
+@@ -2443,10 +2447,7 @@ static void tcpm_pd_data_request(struct tcpm_port *port,
+ NONE_AMS);
+ break;
+ case PD_DATA_VENDOR_DEF:
+- if (tcpm_vdm_ams(port) || port->nr_snk_vdo)
+- tcpm_handle_vdm_request(port, msg->payload, cnt);
+- else if (port->negotiated_rev > PD_REV20)
+- tcpm_pd_handle_msg(port, PD_MSG_CTRL_NOT_SUPP, NONE_AMS);
++ tcpm_handle_vdm_request(port, msg->payload, cnt);
+ break;
+ case PD_DATA_BIST:
+ port->bist_request = le32_to_cpu(msg->payload[0]);
+--
+2.30.2
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
