--- /dev/null
+From c8a6d42c9ad510eade894b2a1f1553a3b62b2ac1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Sep 2021 22:00:33 -0700
+Subject: alpha: Declare virt_to_phys and virt_to_bus parameter as pointer to
+ volatile
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit 35a3f4ef0ab543daa1725b0c963eb8c05e3376f8 ]
+
+Some drivers pass a pointer to volatile data to virt_to_bus() and
+virt_to_phys(), and that works fine. One exception is alpha. This
+results in a number of compile errors such as
+
+ drivers/net/wan/lmc/lmc_main.c: In function 'lmc_softreset':
+ drivers/net/wan/lmc/lmc_main.c:1782:50: error:
+ passing argument 1 of 'virt_to_bus' discards 'volatile'
+ qualifier from pointer target type
+
+ drivers/atm/ambassador.c: In function 'do_loader_command':
+ drivers/atm/ambassador.c:1747:58: error:
+ passing argument 1 of 'virt_to_bus' discards 'volatile'
+ qualifier from pointer target type
+
+Declare the parameter of virt_to_phys and virt_to_bus as pointer to
+volatile to fix the problem.
+
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/alpha/include/asm/io.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/alpha/include/asm/io.h b/arch/alpha/include/asm/io.h
+index 0fab5ac90775..c9cb554fbe54 100644
+--- a/arch/alpha/include/asm/io.h
++++ b/arch/alpha/include/asm/io.h
+@@ -60,7 +60,7 @@ extern inline void set_hae(unsigned long new_hae)
+ * Change virtual addresses to physical addresses and vv.
+ */
+ #ifdef USE_48_BIT_KSEG
+-static inline unsigned long virt_to_phys(void *address)
++static inline unsigned long virt_to_phys(volatile void *address)
+ {
+ return (unsigned long)address - IDENT_ADDR;
+ }
+@@ -70,7 +70,7 @@ static inline void * phys_to_virt(unsigned long address)
+ return (void *) (address + IDENT_ADDR);
+ }
+ #else
+-static inline unsigned long virt_to_phys(void *address)
++static inline unsigned long virt_to_phys(volatile void *address)
+ {
+ unsigned long phys = (unsigned long)address;
+
+@@ -106,7 +106,7 @@ static inline void * phys_to_virt(unsigned long address)
+ extern unsigned long __direct_map_base;
+ extern unsigned long __direct_map_size;
+
+-static inline unsigned long __deprecated virt_to_bus(void *address)
++static inline unsigned long __deprecated virt_to_bus(volatile void *address)
+ {
+ unsigned long phys = virt_to_phys(address);
+ unsigned long bus = phys + __direct_map_base;
+--
+2.33.0
+
--- /dev/null
+From 6899d0ef732225e71fc6425758a0d5fa148287bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Sep 2021 14:19:34 +0000
+Subject: amd/display: downgrade validation failure log level
+
+From: Simon Ser <contact@emersion.fr>
+
+[ Upstream commit 7bbee36d71502ab9a341505da89a017c7ae2e6b2 ]
+
+In amdgpu_dm_atomic_check, dc_validate_global_state is called. On
+failure this logs a warning to the kernel journal. However warnings
+shouldn't be used for atomic test-only commit failures: user-space
+might be perfoming a lot of atomic test-only commits to find the
+best hardware configuration.
+
+Downgrade the log to a regular DRM atomic message. While at it, use
+the new device-aware logging infrastructure.
+
+This fixes error messages in the kernel when running gamescope [1].
+
+[1]: https://github.com/Plagman/gamescope/issues/245
+
+Reviewed-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
+Signed-off-by: Simon Ser <contact@emersion.fr>
+Cc: Alex Deucher <alexander.deucher@amd.com>
+Cc: Harry Wentland <hwentlan@amd.com>
+Cc: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+index 6a4c6c47dcfa..a4a4bb43c108 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -10469,7 +10469,8 @@ static int amdgpu_dm_atomic_check(struct drm_device *dev,
+ goto fail;
+ status = dc_validate_global_state(dc, dm_state->context, false);
+ if (status != DC_OK) {
+- DC_LOG_WARNING("DC global validation failure: %s (%d)",
++ drm_dbg_atomic(dev,
++ "DC global validation failure: %s (%d)",
+ dc_status_to_str(status), status);
+ ret = -EINVAL;
+ goto fail;
+--
+2.33.0
+
--- /dev/null
+From 4ea66392d4ac100d0235a048d0b636a0dba7c000 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Sep 2021 15:37:41 +0000
+Subject: amd/display: enable panel orientation quirks
+
+From: Simon Ser <contact@emersion.fr>
+
+[ Upstream commit cd51a57eb59fd56f3fe7ce9cadef444451bcf804 ]
+
+This patch allows panel orientation quirks from DRM core to be
+used. They attach a DRM connector property "panel orientation"
+which indicates in which direction the panel has been mounted.
+Some machines have the internal screen mounted with a rotation.
+
+Since the panel orientation quirks need the native mode from the
+EDID, check for it in amdgpu_dm_connector_ddc_get_modes.
+
+Signed-off-by: Simon Ser <contact@emersion.fr>
+Cc: Alex Deucher <alexander.deucher@amd.com>
+Cc: Harry Wentland <hwentlan@amd.com>
+Cc: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
+Reviewed-by: Harry Wentland <harry.wentland@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 28 +++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+index e7cf79b386da..3bb567ea2cef 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -7514,6 +7514,32 @@ static void amdgpu_dm_connector_add_common_modes(struct drm_encoder *encoder,
+ }
+ }
+
++static void amdgpu_set_panel_orientation(struct drm_connector *connector)
++{
++ struct drm_encoder *encoder;
++ struct amdgpu_encoder *amdgpu_encoder;
++ const struct drm_display_mode *native_mode;
++
++ if (connector->connector_type != DRM_MODE_CONNECTOR_eDP &&
++ connector->connector_type != DRM_MODE_CONNECTOR_LVDS)
++ return;
++
++ encoder = amdgpu_dm_connector_to_encoder(connector);
++ if (!encoder)
++ return;
++
++ amdgpu_encoder = to_amdgpu_encoder(encoder);
++
++ native_mode = &amdgpu_encoder->native_mode;
++ if (native_mode->hdisplay == 0 || native_mode->vdisplay == 0)
++ return;
++
++ drm_connector_set_panel_orientation_with_quirk(connector,
++ DRM_MODE_PANEL_ORIENTATION_UNKNOWN,
++ native_mode->hdisplay,
++ native_mode->vdisplay);
++}
++
+ static void amdgpu_dm_connector_ddc_get_modes(struct drm_connector *connector,
+ struct edid *edid)
+ {
+@@ -7542,6 +7568,8 @@ static void amdgpu_dm_connector_ddc_get_modes(struct drm_connector *connector,
+ * restored here.
+ */
+ amdgpu_dm_update_freesync_caps(connector, edid);
++
++ amdgpu_set_panel_orientation(connector);
+ } else {
+ amdgpu_dm_connector->num_modes = 0;
+ }
+--
+2.33.0
+
--- /dev/null
+From 4ddab171c612f1d432a0bfb867d74e8f58524534 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Sep 2021 17:44:02 +0800
+Subject: arm64: Mark __stack_chk_guard as __ro_after_init
+
+From: Dan Li <ashimida@linux.alibaba.com>
+
+[ Upstream commit 9fcb2e93f41c07a400885325e7dbdfceba6efaec ]
+
+__stack_chk_guard is setup once while init stage and never changed
+after that.
+
+Although the modification of this variable at runtime will usually
+cause the kernel to crash (so does the attacker), it should be marked
+as __ro_after_init, and it should not affect performance if it is
+placed in the ro_after_init section.
+
+Signed-off-by: Dan Li <ashimida@linux.alibaba.com>
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Link: https://lore.kernel.org/r/1631612642-102881-1-git-send-email-ashimida@linux.alibaba.com
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/process.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c
+index c8989b999250..c858b857c1ec 100644
+--- a/arch/arm64/kernel/process.c
++++ b/arch/arm64/kernel/process.c
+@@ -60,7 +60,7 @@
+
+ #if defined(CONFIG_STACKPROTECTOR) && !defined(CONFIG_STACKPROTECTOR_PER_TASK)
+ #include <linux/stackprotector.h>
+-unsigned long __stack_chk_guard __read_mostly;
++unsigned long __stack_chk_guard __ro_after_init;
+ EXPORT_SYMBOL(__stack_chk_guard);
+ #endif
+
+--
+2.33.0
+
--- /dev/null
+From e5471cdd131c99d491451f5fa2d316523230956f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Sep 2021 12:26:05 +0800
+Subject: blk-cgroup: fix UAF by grabbing blkcg lock before destroying blkg pd
+
+From: Li Jinlin <lijinlin3@huawei.com>
+
+[ Upstream commit 858560b27645e7e97aca37ee8f232cccd658fbd2 ]
+
+KASAN reports a use-after-free report when doing fuzz test:
+
+[693354.104835] ==================================================================
+[693354.105094] BUG: KASAN: use-after-free in bfq_io_set_weight_legacy+0xd3/0x160
+[693354.105336] Read of size 4 at addr ffff888be0a35664 by task sh/1453338
+
+[693354.105607] CPU: 41 PID: 1453338 Comm: sh Kdump: loaded Not tainted 4.18.0-147
+[693354.105610] Hardware name: Huawei 2288H V5/BC11SPSCB0, BIOS 0.81 07/02/2018
+[693354.105612] Call Trace:
+[693354.105621] dump_stack+0xf1/0x19b
+[693354.105626] ? show_regs_print_info+0x5/0x5
+[693354.105634] ? printk+0x9c/0xc3
+[693354.105638] ? cpumask_weight+0x1f/0x1f
+[693354.105648] print_address_description+0x70/0x360
+[693354.105654] kasan_report+0x1b2/0x330
+[693354.105659] ? bfq_io_set_weight_legacy+0xd3/0x160
+[693354.105665] ? bfq_io_set_weight_legacy+0xd3/0x160
+[693354.105670] bfq_io_set_weight_legacy+0xd3/0x160
+[693354.105675] ? bfq_cpd_init+0x20/0x20
+[693354.105683] cgroup_file_write+0x3aa/0x510
+[693354.105693] ? ___slab_alloc+0x507/0x540
+[693354.105698] ? cgroup_file_poll+0x60/0x60
+[693354.105702] ? 0xffffffff89600000
+[693354.105708] ? usercopy_abort+0x90/0x90
+[693354.105716] ? mutex_lock+0xef/0x180
+[693354.105726] kernfs_fop_write+0x1ab/0x280
+[693354.105732] ? cgroup_file_poll+0x60/0x60
+[693354.105738] vfs_write+0xe7/0x230
+[693354.105744] ksys_write+0xb0/0x140
+[693354.105749] ? __ia32_sys_read+0x50/0x50
+[693354.105760] do_syscall_64+0x112/0x370
+[693354.105766] ? syscall_return_slowpath+0x260/0x260
+[693354.105772] ? do_page_fault+0x9b/0x270
+[693354.105779] ? prepare_exit_to_usermode+0xf9/0x1a0
+[693354.105784] ? enter_from_user_mode+0x30/0x30
+[693354.105793] entry_SYSCALL_64_after_hwframe+0x65/0xca
+
+[693354.105875] Allocated by task 1453337:
+[693354.106001] kasan_kmalloc+0xa0/0xd0
+[693354.106006] kmem_cache_alloc_node_trace+0x108/0x220
+[693354.106010] bfq_pd_alloc+0x96/0x120
+[693354.106015] blkcg_activate_policy+0x1b7/0x2b0
+[693354.106020] bfq_create_group_hierarchy+0x1e/0x80
+[693354.106026] bfq_init_queue+0x678/0x8c0
+[693354.106031] blk_mq_init_sched+0x1f8/0x460
+[693354.106037] elevator_switch_mq+0xe1/0x240
+[693354.106041] elevator_switch+0x25/0x40
+[693354.106045] elv_iosched_store+0x1a1/0x230
+[693354.106049] queue_attr_store+0x78/0xb0
+[693354.106053] kernfs_fop_write+0x1ab/0x280
+[693354.106056] vfs_write+0xe7/0x230
+[693354.106060] ksys_write+0xb0/0x140
+[693354.106064] do_syscall_64+0x112/0x370
+[693354.106069] entry_SYSCALL_64_after_hwframe+0x65/0xca
+
+[693354.106114] Freed by task 1453336:
+[693354.106225] __kasan_slab_free+0x130/0x180
+[693354.106229] kfree+0x90/0x1b0
+[693354.106233] blkcg_deactivate_policy+0x12c/0x220
+[693354.106238] bfq_exit_queue+0xf5/0x110
+[693354.106241] blk_mq_exit_sched+0x104/0x130
+[693354.106245] __elevator_exit+0x45/0x60
+[693354.106249] elevator_switch_mq+0xd6/0x240
+[693354.106253] elevator_switch+0x25/0x40
+[693354.106257] elv_iosched_store+0x1a1/0x230
+[693354.106261] queue_attr_store+0x78/0xb0
+[693354.106264] kernfs_fop_write+0x1ab/0x280
+[693354.106268] vfs_write+0xe7/0x230
+[693354.106271] ksys_write+0xb0/0x140
+[693354.106275] do_syscall_64+0x112/0x370
+[693354.106280] entry_SYSCALL_64_after_hwframe+0x65/0xca
+
+[693354.106329] The buggy address belongs to the object at ffff888be0a35580
+ which belongs to the cache kmalloc-1k of size 1024
+[693354.106736] The buggy address is located 228 bytes inside of
+ 1024-byte region [ffff888be0a35580, ffff888be0a35980)
+[693354.107114] The buggy address belongs to the page:
+[693354.107273] page:ffffea002f828c00 count:1 mapcount:0 mapping:ffff888107c17080 index:0x0 compound_mapcount: 0
+[693354.107606] flags: 0x17ffffc0008100(slab|head)
+[693354.107760] raw: 0017ffffc0008100 ffffea002fcbc808 ffffea0030bd3a08 ffff888107c17080
+[693354.108020] raw: 0000000000000000 00000000001c001c 00000001ffffffff 0000000000000000
+[693354.108278] page dumped because: kasan: bad access detected
+
+[693354.108511] Memory state around the buggy address:
+[693354.108671] ffff888be0a35500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[693354.116396] ffff888be0a35580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[693354.124473] >ffff888be0a35600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[693354.132421] ^
+[693354.140284] ffff888be0a35680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[693354.147912] ffff888be0a35700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[693354.155281] ==================================================================
+
+blkgs are protected by both queue and blkcg locks and holding
+either should stabilize them. However, the path of destroying
+blkg policy data is only protected by queue lock in
+blkcg_activate_policy()/blkcg_deactivate_policy(). Other tasks
+can get the blkg policy data before the blkg policy data is
+destroyed, and use it after destroyed, which will result in a
+use-after-free.
+
+CPU0 CPU1
+blkcg_deactivate_policy
+ spin_lock_irq(&q->queue_lock)
+ bfq_io_set_weight_legacy
+ spin_lock_irq(&blkcg->lock)
+ blkg_to_bfqg(blkg)
+ pd_to_bfqg(blkg->pd[pol->plid])
+ ^^^^^^blkg->pd[pol->plid] != NULL
+ bfqg != NULL
+ pol->pd_free_fn(blkg->pd[pol->plid])
+ pd_to_bfqg(blkg->pd[pol->plid])
+ bfqg_put(bfqg)
+ kfree(bfqg)
+ blkg->pd[pol->plid] = NULL
+ spin_unlock_irq(q->queue_lock);
+ bfq_group_set_weight(bfqg, val, 0)
+ bfqg->entity.new_weight
+ ^^^^^^trigger uaf here
+ spin_unlock_irq(&blkcg->lock);
+
+Fix by grabbing the matching blkcg lock before trying to
+destroy blkg policy data.
+
+Suggested-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Li Jinlin <lijinlin3@huawei.com>
+Acked-by: Tejun Heo <tj@kernel.org>
+Link: https://lore.kernel.org/r/20210914042605.3260596-1-lijinlin3@huawei.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-cgroup.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c
+index 26446f97deee..28e11decbac5 100644
+--- a/block/blk-cgroup.c
++++ b/block/blk-cgroup.c
+@@ -1385,10 +1385,14 @@ enomem:
+ /* alloc failed, nothing's initialized yet, free everything */
+ spin_lock_irq(&q->queue_lock);
+ list_for_each_entry(blkg, &q->blkg_list, q_node) {
++ struct blkcg *blkcg = blkg->blkcg;
++
++ spin_lock(&blkcg->lock);
+ if (blkg->pd[pol->plid]) {
+ pol->pd_free_fn(blkg->pd[pol->plid]);
+ blkg->pd[pol->plid] = NULL;
+ }
++ spin_unlock(&blkcg->lock);
+ }
+ spin_unlock_irq(&q->queue_lock);
+ ret = -ENOMEM;
+@@ -1420,12 +1424,16 @@ void blkcg_deactivate_policy(struct request_queue *q,
+ __clear_bit(pol->plid, q->blkcg_pols);
+
+ list_for_each_entry(blkg, &q->blkg_list, q_node) {
++ struct blkcg *blkcg = blkg->blkcg;
++
++ spin_lock(&blkcg->lock);
+ if (blkg->pd[pol->plid]) {
+ if (pol->pd_offline_fn)
+ pol->pd_offline_fn(blkg->pd[pol->plid]);
+ pol->pd_free_fn(blkg->pd[pol->plid]);
+ blkg->pd[pol->plid] = NULL;
+ }
++ spin_unlock(&blkcg->lock);
+ }
+
+ spin_unlock_irq(&q->queue_lock);
+--
+2.33.0
+
--- /dev/null
+From 30e3a58bc095a519dedb0292655b5eb7b815d27d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Sep 2021 14:50:03 +0800
+Subject: blk-mq: avoid to iterate over stale request
+
+From: Ming Lei <ming.lei@redhat.com>
+
+[ Upstream commit 67f3b2f822b7e71cfc9b42dbd9f3144fa2933e0b ]
+
+blk-mq can't run allocating driver tag and updating ->rqs[tag]
+atomically, meantime blk-mq doesn't clear ->rqs[tag] after the driver
+tag is released.
+
+So there is chance to iterating over one stale request just after the
+tag is allocated and before updating ->rqs[tag].
+
+scsi_host_busy_iter() calls scsi_host_check_in_flight() to count scsi
+in-flight requests after scsi host is blocked, so no new scsi command can
+be marked as SCMD_STATE_INFLIGHT. However, driver tag allocation still can
+be run by blk-mq core. One request is marked as SCMD_STATE_INFLIGHT,
+but this request may have been kept in another slot of ->rqs[], meantime
+the slot can be allocated out but ->rqs[] isn't updated yet. Then this
+in-flight request is counted twice as SCMD_STATE_INFLIGHT. This way causes
+trouble in handling scsi error.
+
+Fixes the issue by not iterating over stale request.
+
+Cc: linux-scsi@vger.kernel.org
+Cc: "Martin K. Petersen" <martin.petersen@oracle.com>
+Reported-by: luojiaxing <luojiaxing@huawei.com>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Link: https://lore.kernel.org/r/20210906065003.439019-1-ming.lei@redhat.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-mq-tag.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/blk-mq-tag.c b/block/blk-mq-tag.c
+index 86f87346232a..ff5caeb82542 100644
+--- a/block/blk-mq-tag.c
++++ b/block/blk-mq-tag.c
+@@ -208,7 +208,7 @@ static struct request *blk_mq_find_and_get_req(struct blk_mq_tags *tags,
+
+ spin_lock_irqsave(&tags->lock, flags);
+ rq = tags->rqs[bitnr];
+- if (!rq || !refcount_inc_not_zero(&rq->ref))
++ if (!rq || rq->tag != bitnr || !refcount_inc_not_zero(&rq->ref))
+ rq = NULL;
+ spin_unlock_irqrestore(&tags->lock, flags);
+ return rq;
+--
+2.33.0
+
--- /dev/null
+From 3e201a536efc3b9c761b5a02b16988dc5809c41f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Sep 2021 21:49:21 +0800
+Subject: blktrace: Fix uaf in blk_trace access after removing by sysfs
+
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+
+[ Upstream commit 5afedf670caf30a2b5a52da96eb7eac7dee6a9c9 ]
+
+There is an use-after-free problem triggered by following process:
+
+ P1(sda) P2(sdb)
+ echo 0 > /sys/block/sdb/trace/enable
+ blk_trace_remove_queue
+ synchronize_rcu
+ blk_trace_free
+ relay_close
+rcu_read_lock
+__blk_add_trace
+ trace_note_tsk
+ (Iterate running_trace_list)
+ relay_close_buf
+ relay_destroy_buf
+ kfree(buf)
+ trace_note(sdb's bt)
+ relay_reserve
+ buf->offset <- nullptr deference (use-after-free) !!!
+rcu_read_unlock
+
+[ 502.714379] BUG: kernel NULL pointer dereference, address:
+0000000000000010
+[ 502.715260] #PF: supervisor read access in kernel mode
+[ 502.715903] #PF: error_code(0x0000) - not-present page
+[ 502.716546] PGD 103984067 P4D 103984067 PUD 17592b067 PMD 0
+[ 502.717252] Oops: 0000 [#1] SMP
+[ 502.720308] RIP: 0010:trace_note.isra.0+0x86/0x360
+[ 502.732872] Call Trace:
+[ 502.733193] __blk_add_trace.cold+0x137/0x1a3
+[ 502.733734] blk_add_trace_rq+0x7b/0xd0
+[ 502.734207] blk_add_trace_rq_issue+0x54/0xa0
+[ 502.734755] blk_mq_start_request+0xde/0x1b0
+[ 502.735287] scsi_queue_rq+0x528/0x1140
+...
+[ 502.742704] sg_new_write.isra.0+0x16e/0x3e0
+[ 502.747501] sg_ioctl+0x466/0x1100
+
+Reproduce method:
+ ioctl(/dev/sda, BLKTRACESETUP, blk_user_trace_setup[buf_size=127])
+ ioctl(/dev/sda, BLKTRACESTART)
+ ioctl(/dev/sdb, BLKTRACESETUP, blk_user_trace_setup[buf_size=127])
+ ioctl(/dev/sdb, BLKTRACESTART)
+
+ echo 0 > /sys/block/sdb/trace/enable &
+ // Add delay(mdelay/msleep) before kernel enters blk_trace_free()
+
+ ioctl$SG_IO(/dev/sda, SG_IO, ...)
+ // Enters trace_note_tsk() after blk_trace_free() returned
+ // Use mdelay in rcu region rather than msleep(which may schedule out)
+
+Remove blk_trace from running_list before calling blk_trace_free() by
+sysfs if blk_trace is at Blktrace_running state.
+
+Fixes: c71a896154119f ("blktrace: add ftrace plugin")
+Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Link: https://lore.kernel.org/r/20210923134921.109194-1-chengzhihao1@huawei.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/blktrace.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
+index c221e4c3f625..fa91f398f28b 100644
+--- a/kernel/trace/blktrace.c
++++ b/kernel/trace/blktrace.c
+@@ -1605,6 +1605,14 @@ static int blk_trace_remove_queue(struct request_queue *q)
+ if (bt == NULL)
+ return -EINVAL;
+
++ if (bt->trace_state == Blktrace_running) {
++ bt->trace_state = Blktrace_stopped;
++ spin_lock_irq(&running_trace_lock);
++ list_del_init(&bt->running_list);
++ spin_unlock_irq(&running_trace_lock);
++ relay_flush(bt->rchan);
++ }
++
+ put_probe_ref();
+ synchronize_rcu();
+ blk_trace_free(bt);
+--
+2.33.0
+
--- /dev/null
+From 78df999d0d1dd8c159139c3ad11a3a6a91ad59c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Sep 2021 09:06:55 +0200
+Subject: block: check if a profile is actually registered in
+ blk_integrity_unregister
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 783a40a1b3ac7f3714d2776fa8ac8cce3535e4f6 ]
+
+While clearing the profile itself is harmless, we really should not clear
+the stable writes flag if it wasn't set due to a registered integrity
+profile.
+
+Reported-by: Lihong Kou <koulihong@huawei.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Link: https://lore.kernel.org/r/20210914070657.87677-2-hch@lst.de
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-integrity.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/block/blk-integrity.c b/block/blk-integrity.c
+index 410da060d1f5..e9f943de377a 100644
+--- a/block/blk-integrity.c
++++ b/block/blk-integrity.c
+@@ -426,8 +426,12 @@ EXPORT_SYMBOL(blk_integrity_register);
+ */
+ void blk_integrity_unregister(struct gendisk *disk)
+ {
++ struct blk_integrity *bi = &disk->queue->integrity;
++
++ if (!bi->profile)
++ return;
+ blk_queue_flag_clear(QUEUE_FLAG_STABLE_WRITES, disk->queue);
+- memset(&disk->queue->integrity, 0, sizeof(struct blk_integrity));
++ memset(bi, 0, sizeof(*bi));
+ }
+ EXPORT_SYMBOL(blk_integrity_unregister);
+
+--
+2.33.0
+
--- /dev/null
+From 725400c5318c24b36514d6df734924cd8db86056 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Sep 2021 09:06:56 +0200
+Subject: block: flush the integrity workqueue in blk_integrity_unregister
+
+From: Lihong Kou <koulihong@huawei.com>
+
+[ Upstream commit 3df49967f6f1d2121b0c27c381ca1c8386b1dab9 ]
+
+When the integrity profile is unregistered there can still be integrity
+reads queued up which could see a NULL verify_fn as shown by the race
+window below:
+
+CPU0 CPU1
+ process_one_work nvme_validate_ns
+ bio_integrity_verify_fn nvme_update_ns_info
+ nvme_update_disk_info
+ blk_integrity_unregister
+ ---set queue->integrity as 0
+ bio_integrity_process
+ --access bi->profile->verify_fn(bi is a pointer of queue->integity)
+
+Before calling blk_integrity_unregister in nvme_update_disk_info, we must
+make sure that there is no work item in the kintegrityd_wq. Just call
+blk_flush_integrity to flush the work queue so the bug can be resolved.
+
+Signed-off-by: Lihong Kou <koulihong@huawei.com>
+[hch: split up and shortened the changelog]
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Link: https://lore.kernel.org/r/20210914070657.87677-3-hch@lst.de
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-integrity.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/block/blk-integrity.c b/block/blk-integrity.c
+index e9f943de377a..9e83159f5a52 100644
+--- a/block/blk-integrity.c
++++ b/block/blk-integrity.c
+@@ -430,6 +430,9 @@ void blk_integrity_unregister(struct gendisk *disk)
+
+ if (!bi->profile)
+ return;
++
++ /* ensure all bios are off the integrity workqueue */
++ blk_flush_integrity();
+ blk_queue_flag_clear(QUEUE_FLAG_STABLE_WRITES, disk->queue);
+ memset(bi, 0, sizeof(*bi));
+ }
+--
+2.33.0
+
--- /dev/null
+From b94f4ecef0d8475fcce000a98070952dd8e4f361 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 11 Sep 2021 08:55:57 +0800
+Subject: bpf: Add oversize check before call kvcalloc()
+
+From: Bixuan Cui <cuibixuan@huawei.com>
+
+[ Upstream commit 0e6491b559704da720f6da09dd0a52c4df44c514 ]
+
+Commit 7661809d493b ("mm: don't allow oversized kvmalloc() calls") add the
+oversize check. When the allocation is larger than what kmalloc() supports,
+the following warning triggered:
+
+WARNING: CPU: 0 PID: 8408 at mm/util.c:597 kvmalloc_node+0x108/0x110 mm/util.c:597
+Modules linked in:
+CPU: 0 PID: 8408 Comm: syz-executor221 Not tainted 5.14.0-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:kvmalloc_node+0x108/0x110 mm/util.c:597
+Call Trace:
+ kvmalloc include/linux/mm.h:806 [inline]
+ kvmalloc_array include/linux/mm.h:824 [inline]
+ kvcalloc include/linux/mm.h:829 [inline]
+ check_btf_line kernel/bpf/verifier.c:9925 [inline]
+ check_btf_info kernel/bpf/verifier.c:10049 [inline]
+ bpf_check+0xd634/0x150d0 kernel/bpf/verifier.c:13759
+ bpf_prog_load kernel/bpf/syscall.c:2301 [inline]
+ __sys_bpf+0x11181/0x126e0 kernel/bpf/syscall.c:4587
+ __do_sys_bpf kernel/bpf/syscall.c:4691 [inline]
+ __se_sys_bpf kernel/bpf/syscall.c:4689 [inline]
+ __x64_sys_bpf+0x78/0x90 kernel/bpf/syscall.c:4689
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Reported-by: syzbot+f3e749d4c662818ae439@syzkaller.appspotmail.com
+Signed-off-by: Bixuan Cui <cuibixuan@huawei.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Yonghong Song <yhs@fb.com>
+Link: https://lore.kernel.org/bpf/20210911005557.45518-1-cuibixuan@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 9d94ac6ff50c..592b9b68cbd9 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -9641,6 +9641,8 @@ static int check_btf_line(struct bpf_verifier_env *env,
+ nr_linfo = attr->line_info_cnt;
+ if (!nr_linfo)
+ return 0;
++ if (nr_linfo > INT_MAX / sizeof(struct bpf_line_info))
++ return -EINVAL;
+
+ rec_size = attr->line_info_rec_size;
+ if (rec_size < MIN_BPF_LINEINFO_SIZE ||
+--
+2.33.0
+
--- /dev/null
+From 65b91cc68871b6f8166f0fb0b66b7f9353d2e91d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Sep 2021 23:33:35 +0300
+Subject: cifs: fix a sign extension bug
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit e946d3c887a9dc33aa82a349c6284f4a084163f4 ]
+
+The problem is the mismatched types between "ctx->total_len" which is
+an unsigned int, "rc" which is an int, and "ctx->rc" which is a
+ssize_t. The code does:
+
+ ctx->rc = (rc == 0) ? ctx->total_len : rc;
+
+We want "ctx->rc" to store the negative "rc" error code. But what
+happens is that "rc" is type promoted to a high unsigned int and
+'ctx->rc" will store the high positive value instead of a negative
+value.
+
+The fix is to change "rc" from an int to a ssize_t.
+
+Fixes: c610c4b619e5 ("CIFS: Add asynchronous write support through kernel AIO")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/cifs/file.c b/fs/cifs/file.c
+index 9d3bc6784771..ab2734159c19 100644
+--- a/fs/cifs/file.c
++++ b/fs/cifs/file.c
+@@ -3110,7 +3110,7 @@ static void collect_uncached_write_data(struct cifs_aio_ctx *ctx)
+ struct cifs_tcon *tcon;
+ struct cifs_sb_info *cifs_sb;
+ struct dentry *dentry = ctx->cfile->dentry;
+- int rc;
++ ssize_t rc;
+
+ tcon = tlink_tcon(ctx->cfile->tlink);
+ cifs_sb = CIFS_SB(dentry->d_sb);
+--
+2.33.0
+
--- /dev/null
+From 6627ba51336b3bda64ec2a9b6c5df3c4d0234028 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Sep 2021 20:52:24 -0700
+Subject: compiler.h: Introduce absolute_pointer macro
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit f6b5f1a56987de837f8e25cd560847106b8632a8 ]
+
+absolute_pointer() disassociates a pointer from its originating symbol
+type and context. Use it to prevent compiler warnings/errors such as
+
+ drivers/net/ethernet/i825xx/82596.c: In function 'i82596_probe':
+ arch/m68k/include/asm/string.h:72:25: error:
+ '__builtin_memcpy' reading 6 bytes from a region of size 0 [-Werror=stringop-overread]
+
+Such warnings may be reported by gcc 11.x for string and memory
+operations on fixed addresses.
+
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/compiler.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/linux/compiler.h b/include/linux/compiler.h
+index b67261a1e3e9..3d5af56337bd 100644
+--- a/include/linux/compiler.h
++++ b/include/linux/compiler.h
+@@ -188,6 +188,8 @@ void ftrace_likely_update(struct ftrace_likely_data *f, int val,
+ (typeof(ptr)) (__ptr + (off)); })
+ #endif
+
++#define absolute_pointer(val) RELOC_HIDE((void *)(val), 0)
++
+ #ifndef OPTIMIZER_HIDE_VAR
+ /* Make the optimizer believe the variable can be manipulated arbitrarily. */
+ #define OPTIMIZER_HIDE_VAR(var) \
+--
+2.33.0
+
--- /dev/null
+From cc1d4a403d7801f58263d10be969be077083f4eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Sep 2021 11:50:29 -0700
+Subject: cpufreq: intel_pstate: Override parameters if HWP forced by BIOS
+
+From: Doug Smythies <doug.smythies@gmail.com>
+
+[ Upstream commit d9a7e9df731670acdc69e81748941ad338f47fab ]
+
+If HWP has been already been enabled by BIOS, it may be
+necessary to override some kernel command line parameters.
+Once it has been enabled it requires a reset to be disabled.
+
+Suggested-by: Rafael J. Wysocki <rafael@kernel.org>
+Signed-off-by: Doug Smythies <dsmythies@telus.net>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/intel_pstate.c | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c
+index bb4549959b11..e7cd3882bda4 100644
+--- a/drivers/cpufreq/intel_pstate.c
++++ b/drivers/cpufreq/intel_pstate.c
+@@ -3251,11 +3251,15 @@ static int __init intel_pstate_init(void)
+ if (boot_cpu_data.x86_vendor != X86_VENDOR_INTEL)
+ return -ENODEV;
+
+- if (no_load)
+- return -ENODEV;
+-
+ id = x86_match_cpu(hwp_support_ids);
+ if (id) {
++ bool hwp_forced = intel_pstate_hwp_is_enabled();
++
++ if (hwp_forced)
++ pr_info("HWP enabled by BIOS\n");
++ else if (no_load)
++ return -ENODEV;
++
+ copy_cpu_funcs(&core_funcs);
+ /*
+ * Avoid enabling HWP for processors without EPP support,
+@@ -3265,8 +3269,7 @@ static int __init intel_pstate_init(void)
+ * If HWP is enabled already, though, there is no choice but to
+ * deal with it.
+ */
+- if ((!no_hwp && boot_cpu_has(X86_FEATURE_HWP_EPP)) ||
+- intel_pstate_hwp_is_enabled()) {
++ if ((!no_hwp && boot_cpu_has(X86_FEATURE_HWP_EPP)) || hwp_forced) {
+ hwp_active++;
+ hwp_mode_bdw = id->driver_data;
+ intel_pstate.attr = hwp_cpufreq_attrs;
+@@ -3278,7 +3281,11 @@ static int __init intel_pstate_init(void)
+
+ goto hwp_cpu_matched;
+ }
++ pr_info("HWP not enabled\n");
+ } else {
++ if (no_load)
++ return -ENODEV;
++
+ id = x86_match_cpu(intel_pstate_cpu_ids);
+ if (!id) {
+ pr_info("CPU model not supported\n");
+@@ -3357,10 +3364,9 @@ static int __init intel_pstate_setup(char *str)
+ else if (!strcmp(str, "passive"))
+ default_driver = &intel_cpufreq;
+
+- if (!strcmp(str, "no_hwp")) {
+- pr_info("HWP disabled\n");
++ if (!strcmp(str, "no_hwp"))
+ no_hwp = 1;
+- }
++
+ if (!strcmp(str, "force"))
+ force_load = 1;
+ if (!strcmp(str, "hwp_only"))
+--
+2.33.0
+
--- /dev/null
+From 9e2ca5e8d80cfd7a80d3d9dbcf0597c8745bce04 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Sep 2021 19:53:37 -0400
+Subject: dma-debug: prevent an error message from causing runtime problems
+
+From: Hamza Mahfooz <someguy@effective-light.com>
+
+[ Upstream commit 510e1a724ab1bf38150be2c1acabb303f98d0047 ]
+
+For some drivers, that use the DMA API. This error message can be reached
+several millions of times per second, causing spam to the kernel's printk
+buffer and bringing the CPU usage up to 100% (so, it should be rate
+limited). However, since there is at least one driver that is in the
+mainline and suffers from the error condition, it is more useful to
+err_printk() here instead of just rate limiting the error message (in hopes
+that it will make it easier for other drivers that suffer from this issue
+to be spotted).
+
+Link: https://lkml.kernel.org/r/fd67fbac-64bf-f0ea-01e1-5938ccfab9d0@arm.com
+Reported-by: Jeremy Linton <jeremy.linton@arm.com>
+Signed-off-by: Hamza Mahfooz <someguy@effective-light.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/dma/debug.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/dma/debug.c b/kernel/dma/debug.c
+index f2faa13534e5..70519f67556f 100644
+--- a/kernel/dma/debug.c
++++ b/kernel/dma/debug.c
+@@ -567,7 +567,8 @@ static void add_dma_entry(struct dma_debug_entry *entry)
+ pr_err("cacheline tracking ENOMEM, dma-debug disabled\n");
+ global_disable = true;
+ } else if (rc == -EEXIST) {
+- pr_err("cacheline tracking EEXIST, overlapping mappings aren't supported\n");
++ err_printk(entry->dev, entry,
++ "cacheline tracking EEXIST, overlapping mappings aren't supported\n");
+ }
+ }
+
+--
+2.33.0
+
--- /dev/null
+From fc2904418b0e7ad8b98ef818b8d459948a30273d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Aug 2021 06:58:38 -0400
+Subject: drm/amd/display: Fix unstable HPCP compliance on Chrome Barcelo
+
+From: Qingqing Zhuo <qingqing.zhuo@amd.com>
+
+[ Upstream commit 4e00a434a08e0654a4dd9347485d9ec85deee1ef ]
+
+[Why]
+Intermittently, there presents two occurrences of 0 stream
+commits in a single HPD event. Current HDCP sequence does
+not consider such scenerio, and will thus disable HDCP.
+
+[How]
+Add condition check to include stream remove and re-enable
+case for HDCP enable.
+
+Reviewed-by: Bhawanpreet Lakha <bhawanpreet.lakha@amd.com>
+Acked-by: Mikita Lipski <mikita.lipski@amd.com>
+Signed-off-by: Qingqing Zhuo <qingqing.zhuo@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 22 +++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+index a4a4bb43c108..e7cf79b386da 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -8051,8 +8051,26 @@ static bool is_content_protection_different(struct drm_connector_state *state,
+ state->content_protection == DRM_MODE_CONTENT_PROTECTION_ENABLED)
+ state->content_protection = DRM_MODE_CONTENT_PROTECTION_DESIRED;
+
+- /* Check if something is connected/enabled, otherwise we start hdcp but nothing is connected/enabled
+- * hot-plug, headless s3, dpms
++ /* Stream removed and re-enabled
++ *
++ * Can sometimes overlap with the HPD case,
++ * thus set update_hdcp to false to avoid
++ * setting HDCP multiple times.
++ *
++ * Handles: DESIRED -> DESIRED (Special case)
++ */
++ if (!(old_state->crtc && old_state->crtc->enabled) &&
++ state->crtc && state->crtc->enabled &&
++ connector->state->content_protection == DRM_MODE_CONTENT_PROTECTION_DESIRED) {
++ dm_con_state->update_hdcp = false;
++ return true;
++ }
++
++ /* Hot-plug, headless s3, dpms
++ *
++ * Only start HDCP if the display is connected/enabled.
++ * update_hdcp flag will be set to false until the next
++ * HPD comes in.
+ *
+ * Handles: DESIRED -> DESIRED (Special case)
+ */
+--
+2.33.0
+
--- /dev/null
+From 6ab81c0ca7d6d1363fe5c48aa95720c166114eee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Aug 2021 14:01:10 -0400
+Subject: drm/amd/display: Link training retry fix for abort case
+
+From: Meenakshikumar Somasundaram <meenakshikumar.somasundaram@amd.com>
+
+[ Upstream commit 71ae30997a8f1791835167d3ceb8d1fab32407db ]
+
+[Why]
+If link training is aborted, it shall be retried if sink is present.
+
+[How]
+Check hpd status to find out whether sink is present or not. If sink is
+present, then link training shall be tried again with same settings.
+Otherwise, link training shall be aborted.
+
+Reviewed-by: Jimmy Kizito <Jimmy.Kizito@amd.com>
+Acked-by: Mikita Lipski <mikita.lipski@amd.com>
+Signed-off-by: Meenakshikumar Somasundaram <meenakshikumar.somasundaram@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c b/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c
+index a6d0fd24fd02..83ef72a3ebf4 100644
+--- a/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c
++++ b/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c
+@@ -1849,9 +1849,13 @@ bool perform_link_training_with_retries(
+ dp_disable_link_phy(link, signal);
+
+ /* Abort link training if failure due to sink being unplugged. */
+- if (status == LINK_TRAINING_ABORT)
+- break;
+- else if (do_fallback) {
++ if (status == LINK_TRAINING_ABORT) {
++ enum dc_connection_type type = dc_connection_none;
++
++ dc_link_detect_sink(link, &type);
++ if (type == dc_connection_none)
++ break;
++ } else if (do_fallback) {
+ decide_fallback_link_setting(*link_setting, ¤t_setting, status);
+ /* Fail link training if reduced link bandwidth no longer meets
+ * stream requirements.
+--
+2.33.0
+
--- /dev/null
+From 66800cbc4aa6d16778af7c798f838e838cb4d32f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 31 Aug 2021 17:42:15 -0400
+Subject: drm/amdkfd: make needs_pcie_atomics FW-version dependent
+
+From: Felix Kuehling <Felix.Kuehling@amd.com>
+
+[ Upstream commit fb932dfeb87411a8a01c995576198bfc302df339 ]
+
+On some GPUs the PCIe atomic requirement for KFD depends on the MEC
+firmware version. Add a firmware version check for this. The minimum
+firmware version that works without atomics can be updated in the
+device_info structure for each GPU type.
+
+Move PCIe atomic detection from kgd2kfd_probe into kgd2kfd_device_init
+because the MEC firmware is not loaded yet at the probe stage.
+
+Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Reviewed-by: Guchun Chen <guchun.chen@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_device.c | 44 ++++++++++++++++---------
+ drivers/gpu/drm/amd/amdkfd/kfd_priv.h | 1 +
+ 2 files changed, 29 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device.c b/drivers/gpu/drm/amd/amdkfd/kfd_device.c
+index 9e52948d4992..5a872adcfdb9 100644
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_device.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device.c
+@@ -447,6 +447,7 @@ static const struct kfd_device_info navi10_device_info = {
+ .needs_iommu_device = false,
+ .supports_cwsr = true,
+ .needs_pci_atomics = true,
++ .no_atomic_fw_version = 145,
+ .num_sdma_engines = 2,
+ .num_xgmi_sdma_engines = 0,
+ .num_sdma_queues_per_engine = 8,
+@@ -465,6 +466,7 @@ static const struct kfd_device_info navi12_device_info = {
+ .needs_iommu_device = false,
+ .supports_cwsr = true,
+ .needs_pci_atomics = true,
++ .no_atomic_fw_version = 145,
+ .num_sdma_engines = 2,
+ .num_xgmi_sdma_engines = 0,
+ .num_sdma_queues_per_engine = 8,
+@@ -483,6 +485,7 @@ static const struct kfd_device_info navi14_device_info = {
+ .needs_iommu_device = false,
+ .supports_cwsr = true,
+ .needs_pci_atomics = true,
++ .no_atomic_fw_version = 145,
+ .num_sdma_engines = 2,
+ .num_xgmi_sdma_engines = 0,
+ .num_sdma_queues_per_engine = 8,
+@@ -501,6 +504,7 @@ static const struct kfd_device_info sienna_cichlid_device_info = {
+ .needs_iommu_device = false,
+ .supports_cwsr = true,
+ .needs_pci_atomics = true,
++ .no_atomic_fw_version = 92,
+ .num_sdma_engines = 4,
+ .num_xgmi_sdma_engines = 0,
+ .num_sdma_queues_per_engine = 8,
+@@ -519,6 +523,7 @@ static const struct kfd_device_info navy_flounder_device_info = {
+ .needs_iommu_device = false,
+ .supports_cwsr = true,
+ .needs_pci_atomics = true,
++ .no_atomic_fw_version = 92,
+ .num_sdma_engines = 2,
+ .num_xgmi_sdma_engines = 0,
+ .num_sdma_queues_per_engine = 8,
+@@ -536,7 +541,8 @@ static const struct kfd_device_info vangogh_device_info = {
+ .mqd_size_aligned = MQD_SIZE_ALIGNED,
+ .needs_iommu_device = false,
+ .supports_cwsr = true,
+- .needs_pci_atomics = false,
++ .needs_pci_atomics = true,
++ .no_atomic_fw_version = 92,
+ .num_sdma_engines = 1,
+ .num_xgmi_sdma_engines = 0,
+ .num_sdma_queues_per_engine = 2,
+@@ -555,6 +561,7 @@ static const struct kfd_device_info dimgrey_cavefish_device_info = {
+ .needs_iommu_device = false,
+ .supports_cwsr = true,
+ .needs_pci_atomics = true,
++ .no_atomic_fw_version = 92,
+ .num_sdma_engines = 2,
+ .num_xgmi_sdma_engines = 0,
+ .num_sdma_queues_per_engine = 8,
+@@ -573,6 +580,7 @@ static const struct kfd_device_info beige_goby_device_info = {
+ .needs_iommu_device = false,
+ .supports_cwsr = true,
+ .needs_pci_atomics = true,
++ .no_atomic_fw_version = 92,
+ .num_sdma_engines = 1,
+ .num_xgmi_sdma_engines = 0,
+ .num_sdma_queues_per_engine = 8,
+@@ -590,7 +598,8 @@ static const struct kfd_device_info yellow_carp_device_info = {
+ .mqd_size_aligned = MQD_SIZE_ALIGNED,
+ .needs_iommu_device = false,
+ .supports_cwsr = true,
+- .needs_pci_atomics = false,
++ .needs_pci_atomics = true,
++ .no_atomic_fw_version = 92,
+ .num_sdma_engines = 1,
+ .num_xgmi_sdma_engines = 0,
+ .num_sdma_queues_per_engine = 2,
+@@ -659,20 +668,6 @@ struct kfd_dev *kgd2kfd_probe(struct kgd_dev *kgd,
+ if (!kfd)
+ return NULL;
+
+- /* Allow BIF to recode atomics to PCIe 3.0 AtomicOps.
+- * 32 and 64-bit requests are possible and must be
+- * supported.
+- */
+- kfd->pci_atomic_requested = amdgpu_amdkfd_have_atomics_support(kgd);
+- if (device_info->needs_pci_atomics &&
+- !kfd->pci_atomic_requested) {
+- dev_info(kfd_device,
+- "skipped device %x:%x, PCI rejects atomics\n",
+- pdev->vendor, pdev->device);
+- kfree(kfd);
+- return NULL;
+- }
+-
+ kfd->kgd = kgd;
+ kfd->device_info = device_info;
+ kfd->pdev = pdev;
+@@ -772,6 +767,23 @@ bool kgd2kfd_device_init(struct kfd_dev *kfd,
+ kfd->vm_info.vmid_num_kfd = kfd->vm_info.last_vmid_kfd
+ - kfd->vm_info.first_vmid_kfd + 1;
+
++ /* Allow BIF to recode atomics to PCIe 3.0 AtomicOps.
++ * 32 and 64-bit requests are possible and must be
++ * supported.
++ */
++ kfd->pci_atomic_requested = amdgpu_amdkfd_have_atomics_support(kfd->kgd);
++ if (!kfd->pci_atomic_requested &&
++ kfd->device_info->needs_pci_atomics &&
++ (!kfd->device_info->no_atomic_fw_version ||
++ kfd->mec_fw_version < kfd->device_info->no_atomic_fw_version)) {
++ dev_info(kfd_device,
++ "skipped device %x:%x, PCI rejects atomics %d<%d\n",
++ kfd->pdev->vendor, kfd->pdev->device,
++ kfd->mec_fw_version,
++ kfd->device_info->no_atomic_fw_version);
++ return false;
++ }
++
+ /* Verify module parameters regarding mapped process number*/
+ if ((hws_max_conc_proc < 0)
+ || (hws_max_conc_proc > kfd->vm_info.vmid_num_kfd)) {
+diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_priv.h b/drivers/gpu/drm/amd/amdkfd/kfd_priv.h
+index 3426743ed228..b38a84a27438 100644
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_priv.h
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_priv.h
+@@ -206,6 +206,7 @@ struct kfd_device_info {
+ bool supports_cwsr;
+ bool needs_iommu_device;
+ bool needs_pci_atomics;
++ uint32_t no_atomic_fw_version;
+ unsigned int num_sdma_engines;
+ unsigned int num_xgmi_sdma_engines;
+ unsigned int num_sdma_queues_per_engine;
+--
+2.33.0
+
--- /dev/null
+From 1b89308b8160aac95a50647a59f165db46cc3d05 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Sep 2021 18:03:02 +0800
+Subject: drm/ttm: fix type mismatch error on sparc64
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Huang Rui <ray.huang@amd.com>
+
+[ Upstream commit 3ca706c189db861b2ca2019a0901b94050ca49d8 ]
+
+On sparc64, __fls() returns an "int", but the drm TTM code expected it
+to be "unsigned long" as on x86. As a result, on sparc (and arc, and
+m68k) you get build errors because 'min()' checks that the types match.
+
+As suggested by Linus, it can use min_t instead of min to force the type
+to be "unsigned int".
+
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Huang Rui <ray.huang@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Cc: Alex Deucher <alexdeucher@gmail.com>
+Cc: David Airlie <airlied@linux.ie>
+Cc: Daniel Vetter <daniel@ffwll.ch>
+Cc: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/ttm/ttm_pool.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/ttm/ttm_pool.c b/drivers/gpu/drm/ttm/ttm_pool.c
+index cb38b1a17b09..82cbb29a05aa 100644
+--- a/drivers/gpu/drm/ttm/ttm_pool.c
++++ b/drivers/gpu/drm/ttm/ttm_pool.c
+@@ -383,7 +383,8 @@ int ttm_pool_alloc(struct ttm_pool *pool, struct ttm_tt *tt,
+ else
+ gfp_flags |= GFP_HIGHUSER;
+
+- for (order = min(MAX_ORDER - 1UL, __fls(num_pages)); num_pages;
++ for (order = min_t(unsigned int, MAX_ORDER - 1, __fls(num_pages));
++ num_pages;
+ order = min_t(unsigned int, order, __fls(num_pages))) {
+ bool apply_caching = false;
+ struct ttm_pool_type *pt;
+--
+2.33.0
+
--- /dev/null
+From 57364df7a17c3314747038ceaf149433feef0b6d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Aug 2021 14:40:42 +0800
+Subject: fpga: machxo2-spi: Fix missing error code in machxo2_write_complete()
+
+From: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
+
+[ Upstream commit a1e4470823d99e75b596748086e120dea169ed3c ]
+
+The error code is missing in this code scenario, add the error code
+'-EINVAL' to the return value 'ret'.
+
+Eliminate the follow smatch warning:
+
+drivers/fpga/machxo2-spi.c:341 machxo2_write_complete()
+ warn: missing error code 'ret'.
+
+[mdf@kernel.org: Reworded commit message]
+Fixes: 88fb3a002330 ("fpga: lattice machxo2: Add Lattice MachXO2 support")
+Reported-by: Abaci Robot <abaci@linux.alibaba.com>
+Signed-off-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
+Signed-off-by: Moritz Fischer <mdf@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/fpga/machxo2-spi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/fpga/machxo2-spi.c b/drivers/fpga/machxo2-spi.c
+index b4a530a31302..ea2ec3c6815c 100644
+--- a/drivers/fpga/machxo2-spi.c
++++ b/drivers/fpga/machxo2-spi.c
+@@ -338,6 +338,7 @@ static int machxo2_write_complete(struct fpga_manager *mgr,
+ break;
+ if (++refreshloop == MACHXO2_MAX_REFRESH_LOOP) {
+ machxo2_cleanup(mgr);
++ ret = -EINVAL;
+ goto fail;
+ }
+ } while (1);
+--
+2.33.0
+
--- /dev/null
+From 2bf388c1795eff953e758088cf5053db484718c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 09:40:36 -0700
+Subject: fpga: machxo2-spi: Return an error on failure
+
+From: Tom Rix <trix@redhat.com>
+
+[ Upstream commit 34331739e19fd6a293d488add28832ad49c9fc54 ]
+
+Earlier successes leave 'ret' in a non error state, so these errors are
+not reported. Set ret to -EINVAL before going to the error handler.
+
+This addresses two issues reported by smatch:
+drivers/fpga/machxo2-spi.c:229 machxo2_write_init()
+ warn: missing error code 'ret'
+
+drivers/fpga/machxo2-spi.c:316 machxo2_write_complete()
+ warn: missing error code 'ret'
+
+[mdf@kernel.org: Reworded commit message]
+Fixes: 88fb3a002330 ("fpga: lattice machxo2: Add Lattice MachXO2 support")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Tom Rix <trix@redhat.com>
+Signed-off-by: Moritz Fischer <mdf@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/fpga/machxo2-spi.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/fpga/machxo2-spi.c b/drivers/fpga/machxo2-spi.c
+index 1afb41aa20d7..b4a530a31302 100644
+--- a/drivers/fpga/machxo2-spi.c
++++ b/drivers/fpga/machxo2-spi.c
+@@ -225,8 +225,10 @@ static int machxo2_write_init(struct fpga_manager *mgr,
+ goto fail;
+
+ get_status(spi, &status);
+- if (test_bit(FAIL, &status))
++ if (test_bit(FAIL, &status)) {
++ ret = -EINVAL;
+ goto fail;
++ }
+ dump_status_reg(&status);
+
+ spi_message_init(&msg);
+@@ -313,6 +315,7 @@ static int machxo2_write_complete(struct fpga_manager *mgr,
+ dump_status_reg(&status);
+ if (!test_bit(DONE, &status)) {
+ machxo2_cleanup(mgr);
++ ret = -EINVAL;
+ goto fail;
+ }
+
+--
+2.33.0
+
--- /dev/null
+From 2eb9b752ea6bb77e7e416de3300ea09fe7066a6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Sep 2021 08:43:54 -0600
+Subject: io_uring: don't punt files update to io-wq unconditionally
+
+From: Jens Axboe <axboe@kernel.dk>
+
+[ Upstream commit cdb31c29d397a8076d81fd1458d091c647ef94ba ]
+
+There's no reason to punt it unconditionally, we just need to ensure that
+the submit lock grabbing is conditional.
+
+Fixes: 05f3fb3c5397 ("io_uring: avoid ring quiesce for fixed file set unregister and update")
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/io_uring.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/fs/io_uring.c b/fs/io_uring.c
+index 187eb1907bde..699a08d724c2 100644
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -5919,19 +5919,16 @@ static int io_files_update(struct io_kiocb *req, unsigned int issue_flags)
+ struct io_uring_rsrc_update2 up;
+ int ret;
+
+- if (issue_flags & IO_URING_F_NONBLOCK)
+- return -EAGAIN;
+-
+ up.offset = req->rsrc_update.offset;
+ up.data = req->rsrc_update.arg;
+ up.nr = 0;
+ up.tags = 0;
+ up.resv = 0;
+
+- mutex_lock(&ctx->uring_lock);
++ io_ring_submit_lock(ctx, !(issue_flags & IO_URING_F_NONBLOCK));
+ ret = __io_register_rsrc_update(ctx, IORING_RSRC_FILE,
+ &up, req->rsrc_update.nr_args);
+- mutex_unlock(&ctx->uring_lock);
++ io_ring_submit_unlock(ctx, !(issue_flags & IO_URING_F_NONBLOCK));
+
+ if (ret < 0)
+ req_set_fail(req);
+--
+2.33.0
+
--- /dev/null
+From 094285a50f040bc69e8c074f30cf7459026bde1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Sep 2021 18:12:37 +0800
+Subject: io_uring: fix missing set of EPOLLONESHOT for CQ ring overflow
+
+From: Hao Xu <haoxu@linux.alibaba.com>
+
+[ Upstream commit a62682f92eedb41c1cd8290fa875a4b85624fb9a ]
+
+We should set EPOLLONESHOT if cqring_fill_event() returns false since
+io_poll_add() decides to put req or not by it.
+
+Fixes: 5082620fb2ca ("io_uring: terminate multishot poll for CQ ring overflow")
+Signed-off-by: Hao Xu <haoxu@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20210922101238.7177-3-haoxu@linux.alibaba.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/io_uring.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/io_uring.c b/fs/io_uring.c
+index 27a1c813f1e1..739e58ccc982 100644
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -4968,8 +4968,10 @@ static bool io_poll_complete(struct io_kiocb *req, __poll_t mask)
+ }
+ if (req->poll.events & EPOLLONESHOT)
+ flags = 0;
+- if (!io_cqring_fill_event(ctx, req->user_data, error, flags))
++ if (!io_cqring_fill_event(ctx, req->user_data, error, flags)) {
++ req->poll.events |= EPOLLONESHOT;
+ flags = 0;
++ }
+ if (flags & IORING_CQE_F_MORE)
+ ctx->cq_extra++;
+
+--
+2.33.0
+
--- /dev/null
+From 2463ccfa8ddbfb67c569038aae873daa937c4319 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Sep 2021 18:12:36 +0800
+Subject: io_uring: fix race between poll completion and cancel_hash insertion
+
+From: Hao Xu <haoxu@linux.alibaba.com>
+
+[ Upstream commit bd99c71bd14072ce2920f6d0c2fe43df072c653c ]
+
+If poll arming and poll completion runs in parallel, there maybe races.
+For instance, run io_poll_add in iowq and io_poll_task_func in original
+context, then:
+
+ iowq original context
+ io_poll_add
+ vfs_poll
+ (interruption happens
+ tw queued to original
+ context) io_poll_task_func
+ generate cqe
+ del from cancel_hash[]
+ if !poll.done
+ insert to cancel_hash[]
+
+The entry left in cancel_hash[], similar case for fast poll.
+Fix it by set poll.done = true when del from cancel_hash[].
+
+Fixes: 5082620fb2ca ("io_uring: terminate multishot poll for CQ ring overflow")
+Signed-off-by: Hao Xu <haoxu@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20210922101238.7177-2-haoxu@linux.alibaba.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/io_uring.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fs/io_uring.c b/fs/io_uring.c
+index 754d59f734d8..27a1c813f1e1 100644
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -4968,10 +4968,8 @@ static bool io_poll_complete(struct io_kiocb *req, __poll_t mask)
+ }
+ if (req->poll.events & EPOLLONESHOT)
+ flags = 0;
+- if (!io_cqring_fill_event(ctx, req->user_data, error, flags)) {
+- req->poll.done = true;
++ if (!io_cqring_fill_event(ctx, req->user_data, error, flags))
+ flags = 0;
+- }
+ if (flags & IORING_CQE_F_MORE)
+ ctx->cq_extra++;
+
+@@ -4993,6 +4991,7 @@ static void io_poll_task_func(struct io_kiocb *req)
+ if (done) {
+ io_poll_remove_double(req);
+ hash_del(&req->hash_node);
++ req->poll.done = true;
+ } else {
+ req->result = 0;
+ add_wait_queue(req->poll.head, &req->poll.wait);
+@@ -5126,6 +5125,7 @@ static void io_async_task_func(struct io_kiocb *req)
+
+ hash_del(&req->hash_node);
+ io_poll_remove_double(req);
++ apoll->poll.done = true;
+ spin_unlock_irq(&ctx->completion_lock);
+
+ if (!READ_ONCE(apoll->poll.canceled))
+--
+2.33.0
+
--- /dev/null
+From 3d2a0d0b3a1597944ff9a53105cdef8c4b2ede1c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Sep 2021 07:39:08 -0600
+Subject: io_uring: put provided buffer meta data under memcg accounting
+
+From: Jens Axboe <axboe@kernel.dk>
+
+[ Upstream commit 9990da93d2bf9892c2c14c958bef050d4e461a1a ]
+
+For each provided buffer, we allocate a struct io_buffer to hold the
+data associated with it. As a large number of buffers can be provided,
+account that data with memcg.
+
+Fixes: ddf0322db79c ("io_uring: add IORING_OP_PROVIDE_BUFFERS")
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/io_uring.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/io_uring.c b/fs/io_uring.c
+index 739e58ccc982..187eb1907bde 100644
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -4043,7 +4043,7 @@ static int io_add_buffers(struct io_provide_buf *pbuf, struct io_buffer **head)
+ int i, bid = pbuf->bid;
+
+ for (i = 0; i < pbuf->nbufs; i++) {
+- buf = kmalloc(sizeof(*buf), GFP_KERNEL);
++ buf = kmalloc(sizeof(*buf), GFP_KERNEL_ACCOUNT);
+ if (!buf)
+ break;
+
+--
+2.33.0
+
--- /dev/null
+From 1e6f7a9658b549594fb759728797fb22f8c658ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Sep 2021 16:39:18 +0800
+Subject: ipv6: delay fib6_sernum increase in fib6_add
+
+From: zhang kai <zhangkaiheb@126.com>
+
+[ Upstream commit e87b5052271e39d62337ade531992b7e5d8c2cfa ]
+
+only increase fib6_sernum in net namespace after add fib6_info
+successfully.
+
+Signed-off-by: zhang kai <zhangkaiheb@126.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ip6_fib.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
+index ef75c9b05f17..68e94e9f5089 100644
+--- a/net/ipv6/ip6_fib.c
++++ b/net/ipv6/ip6_fib.c
+@@ -1378,7 +1378,6 @@ int fib6_add(struct fib6_node *root, struct fib6_info *rt,
+ int err = -ENOMEM;
+ int allow_create = 1;
+ int replace_required = 0;
+- int sernum = fib6_new_sernum(info->nl_net);
+
+ if (info->nlh) {
+ if (!(info->nlh->nlmsg_flags & NLM_F_CREATE))
+@@ -1478,7 +1477,7 @@ int fib6_add(struct fib6_node *root, struct fib6_info *rt,
+ if (!err) {
+ if (rt->nh)
+ list_add(&rt->nh_list, &rt->nh->f6i_list);
+- __fib6_update_sernum_upto_root(rt, sernum);
++ __fib6_update_sernum_upto_root(rt, fib6_new_sernum(info->nl_net));
+ fib6_start_gc(info->nl_net, rt);
+ }
+
+--
+2.33.0
+
--- /dev/null
+From 5fc9f315bcbfb0e5fb31ae3e20148073c4d4ed0b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Sep 2021 10:20:55 +0800
+Subject: irqchip/gic-v3-its: Fix potential VPE leak on error
+
+From: Kaige Fu <kaige.fu@linux.alibaba.com>
+
+[ Upstream commit 280bef512933b2dda01d681d8cbe499b98fc5bdd ]
+
+In its_vpe_irq_domain_alloc, when its_vpe_init() returns an error,
+there is an off-by-one in the number of VPEs to be freed.
+
+Fix it by simply passing the number of VPEs allocated, which is the
+index of the loop iterating over the VPEs.
+
+Fixes: 7d75bbb4bc1a ("irqchip/gic-v3-its: Add VPE irq domain allocation/teardown")
+Signed-off-by: Kaige Fu <kaige.fu@linux.alibaba.com>
+[maz: fixed commit message]
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/d9e36dee512e63670287ed9eff884a5d8d6d27f2.1631672311.git.kaige.fu@linux.alibaba.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-gic-v3-its.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c
+index ba39668c3e08..51584f4cccf4 100644
+--- a/drivers/irqchip/irq-gic-v3-its.c
++++ b/drivers/irqchip/irq-gic-v3-its.c
+@@ -4501,7 +4501,7 @@ static int its_vpe_irq_domain_alloc(struct irq_domain *domain, unsigned int virq
+
+ if (err) {
+ if (i > 0)
+- its_vpe_irq_domain_free(domain, virq, i - 1);
++ its_vpe_irq_domain_free(domain, virq, i);
+
+ its_lpi_free(bitmap, base, nr_ids);
+ its_free_prop_table(vprop_page);
+--
+2.33.0
+
--- /dev/null
+From 29a683b7166c0108bb4ffb9eb9ecc419503f54e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 5 Sep 2021 09:25:19 -0700
+Subject: irqchip/goldfish-pic: Select GENERIC_IRQ_CHIP to fix build
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 969ac78db78c723a24e9410666b457cc1b0cb3c3 ]
+
+irq-goldfish-pic uses GENERIC_IRQ_CHIP interfaces so select that symbol
+to fix build errors.
+
+Fixes these build errors:
+
+mips-linux-ld: drivers/irqchip/irq-goldfish-pic.o: in function `goldfish_pic_of_init':
+irq-goldfish-pic.c:(.init.text+0xc0): undefined reference to `irq_alloc_generic_chip'
+mips-linux-ld: irq-goldfish-pic.c:(.init.text+0xf4): undefined reference to `irq_gc_unmask_enable_reg'
+mips-linux-ld: irq-goldfish-pic.c:(.init.text+0xf8): undefined reference to `irq_gc_unmask_enable_reg'
+mips-linux-ld: irq-goldfish-pic.c:(.init.text+0x100): undefined reference to `irq_gc_mask_disable_reg'
+mips-linux-ld: irq-goldfish-pic.c:(.init.text+0x104): undefined reference to `irq_gc_mask_disable_reg'
+mips-linux-ld: irq-goldfish-pic.c:(.init.text+0x11c): undefined reference to `irq_setup_generic_chip'
+mips-linux-ld: irq-goldfish-pic.c:(.init.text+0x168): undefined reference to `irq_remove_generic_chip'
+
+Fixes: 4235ff50cf98 ("irqchip/irq-goldfish-pic: Add Goldfish PIC driver")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reported-by: kernel test robot <lkp@intel.com>
+Cc: Miodrag Dinic <miodrag.dinic@mips.com>
+Cc: Geert Uytterhoeven <geert+renesas@glider.be>
+Cc: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Marc Zyngier <maz@kernel.org>
+Cc: Goran Ferenc <goran.ferenc@mips.com>
+Cc: Aleksandar Markovic <aleksandar.markovic@mips.com>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20210905162519.21507-1-rdunlap@infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/irqchip/Kconfig b/drivers/irqchip/Kconfig
+index 4d5924e9f766..aca7b595c4c7 100644
+--- a/drivers/irqchip/Kconfig
++++ b/drivers/irqchip/Kconfig
+@@ -409,6 +409,7 @@ config MESON_IRQ_GPIO
+ config GOLDFISH_PIC
+ bool "Goldfish programmable interrupt controller"
+ depends on MIPS && (GOLDFISH || COMPILE_TEST)
++ select GENERIC_IRQ_CHIP
+ select IRQ_DOMAIN
+ help
+ Say yes here to enable Goldfish interrupt controller driver used
+--
+2.33.0
+
--- /dev/null
+From 808321ea84ed85e1642be56c7ea17f564c155f88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Sep 2021 22:44:40 -0700
+Subject: libperf evsel: Make use of FD robust.
+
+From: Ian Rogers <irogers@google.com>
+
+[ Upstream commit aba5daeb645181ee5a046bc00c231fd045882aaa ]
+
+FD uses xyarray__entry that may return NULL if an index is out of
+bounds. If NULL is returned then a segv happens as FD unconditionally
+dereferences the pointer. This was happening in a case of with perf
+iostat as shown below. The fix is to make FD an "int*" rather than an
+int and handle the NULL case as either invalid input or a closed fd.
+
+ $ sudo gdb --args perf stat --iostat list
+ ...
+ Breakpoint 1, perf_evsel__alloc_fd (evsel=0x5555560951a0, ncpus=1, nthreads=1) at evsel.c:50
+ 50 {
+ (gdb) bt
+ #0 perf_evsel__alloc_fd (evsel=0x5555560951a0, ncpus=1, nthreads=1) at evsel.c:50
+ #1 0x000055555585c188 in evsel__open_cpu (evsel=0x5555560951a0, cpus=0x555556093410,
+ threads=0x555556086fb0, start_cpu=0, end_cpu=1) at util/evsel.c:1792
+ #2 0x000055555585cfb2 in evsel__open (evsel=0x5555560951a0, cpus=0x0, threads=0x555556086fb0)
+ at util/evsel.c:2045
+ #3 0x000055555585d0db in evsel__open_per_thread (evsel=0x5555560951a0, threads=0x555556086fb0)
+ at util/evsel.c:2065
+ #4 0x00005555558ece64 in create_perf_stat_counter (evsel=0x5555560951a0,
+ config=0x555555c34700 <stat_config>, target=0x555555c2f1c0 <target>, cpu=0) at util/stat.c:590
+ #5 0x000055555578e927 in __run_perf_stat (argc=1, argv=0x7fffffffe4a0, run_idx=0)
+ at builtin-stat.c:833
+ #6 0x000055555578f3c6 in run_perf_stat (argc=1, argv=0x7fffffffe4a0, run_idx=0)
+ at builtin-stat.c:1048
+ #7 0x0000555555792ee5 in cmd_stat (argc=1, argv=0x7fffffffe4a0) at builtin-stat.c:2534
+ #8 0x0000555555835ed3 in run_builtin (p=0x555555c3f540 <commands+288>, argc=3,
+ argv=0x7fffffffe4a0) at perf.c:313
+ #9 0x0000555555836154 in handle_internal_command (argc=3, argv=0x7fffffffe4a0) at perf.c:365
+ #10 0x000055555583629f in run_argv (argcp=0x7fffffffe2ec, argv=0x7fffffffe2e0) at perf.c:409
+ #11 0x0000555555836692 in main (argc=3, argv=0x7fffffffe4a0) at perf.c:539
+ ...
+ (gdb) c
+ Continuing.
+ Error:
+ The sys_perf_event_open() syscall returned with 22 (Invalid argument) for event (uncore_iio_0/event=0x83,umask=0x04,ch_mask=0xF,fc_mask=0x07/).
+ /bin/dmesg | grep -i perf may provide additional information.
+
+ Program received signal SIGSEGV, Segmentation fault.
+ 0x00005555559b03ea in perf_evsel__close_fd_cpu (evsel=0x5555560951a0, cpu=1) at evsel.c:166
+ 166 if (FD(evsel, cpu, thread) >= 0)
+
+v3. fixes a bug in perf_evsel__run_ioctl where the sense of a branch was
+ backward.
+
+Signed-off-by: Ian Rogers <irogers@google.com>
+Acked-by: Jiri Olsa <jolsa@redhat.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Link: http://lore.kernel.org/lkml/20210918054440.2350466-1-irogers@google.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/perf/evsel.c | 64 +++++++++++++++++++++++++++---------------
+ 1 file changed, 41 insertions(+), 23 deletions(-)
+
+diff --git a/tools/lib/perf/evsel.c b/tools/lib/perf/evsel.c
+index d8886720e83d..8441e3e1aaac 100644
+--- a/tools/lib/perf/evsel.c
++++ b/tools/lib/perf/evsel.c
+@@ -43,7 +43,7 @@ void perf_evsel__delete(struct perf_evsel *evsel)
+ free(evsel);
+ }
+
+-#define FD(e, x, y) (*(int *) xyarray__entry(e->fd, x, y))
++#define FD(e, x, y) ((int *) xyarray__entry(e->fd, x, y))
+ #define MMAP(e, x, y) (e->mmap ? ((struct perf_mmap *) xyarray__entry(e->mmap, x, y)) : NULL)
+
+ int perf_evsel__alloc_fd(struct perf_evsel *evsel, int ncpus, int nthreads)
+@@ -54,7 +54,10 @@ int perf_evsel__alloc_fd(struct perf_evsel *evsel, int ncpus, int nthreads)
+ int cpu, thread;
+ for (cpu = 0; cpu < ncpus; cpu++) {
+ for (thread = 0; thread < nthreads; thread++) {
+- FD(evsel, cpu, thread) = -1;
++ int *fd = FD(evsel, cpu, thread);
++
++ if (fd)
++ *fd = -1;
+ }
+ }
+ }
+@@ -80,7 +83,7 @@ sys_perf_event_open(struct perf_event_attr *attr,
+ static int get_group_fd(struct perf_evsel *evsel, int cpu, int thread, int *group_fd)
+ {
+ struct perf_evsel *leader = evsel->leader;
+- int fd;
++ int *fd;
+
+ if (evsel == leader) {
+ *group_fd = -1;
+@@ -95,10 +98,10 @@ static int get_group_fd(struct perf_evsel *evsel, int cpu, int thread, int *grou
+ return -ENOTCONN;
+
+ fd = FD(leader, cpu, thread);
+- if (fd == -1)
++ if (fd == NULL || *fd == -1)
+ return -EBADF;
+
+- *group_fd = fd;
++ *group_fd = *fd;
+
+ return 0;
+ }
+@@ -138,7 +141,11 @@ int perf_evsel__open(struct perf_evsel *evsel, struct perf_cpu_map *cpus,
+
+ for (cpu = 0; cpu < cpus->nr; cpu++) {
+ for (thread = 0; thread < threads->nr; thread++) {
+- int fd, group_fd;
++ int fd, group_fd, *evsel_fd;
++
++ evsel_fd = FD(evsel, cpu, thread);
++ if (evsel_fd == NULL)
++ return -EINVAL;
+
+ err = get_group_fd(evsel, cpu, thread, &group_fd);
+ if (err < 0)
+@@ -151,7 +158,7 @@ int perf_evsel__open(struct perf_evsel *evsel, struct perf_cpu_map *cpus,
+ if (fd < 0)
+ return -errno;
+
+- FD(evsel, cpu, thread) = fd;
++ *evsel_fd = fd;
+ }
+ }
+
+@@ -163,9 +170,12 @@ static void perf_evsel__close_fd_cpu(struct perf_evsel *evsel, int cpu)
+ int thread;
+
+ for (thread = 0; thread < xyarray__max_y(evsel->fd); ++thread) {
+- if (FD(evsel, cpu, thread) >= 0)
+- close(FD(evsel, cpu, thread));
+- FD(evsel, cpu, thread) = -1;
++ int *fd = FD(evsel, cpu, thread);
++
++ if (fd && *fd >= 0) {
++ close(*fd);
++ *fd = -1;
++ }
+ }
+ }
+
+@@ -209,13 +219,12 @@ void perf_evsel__munmap(struct perf_evsel *evsel)
+
+ for (cpu = 0; cpu < xyarray__max_x(evsel->fd); cpu++) {
+ for (thread = 0; thread < xyarray__max_y(evsel->fd); thread++) {
+- int fd = FD(evsel, cpu, thread);
+- struct perf_mmap *map = MMAP(evsel, cpu, thread);
++ int *fd = FD(evsel, cpu, thread);
+
+- if (fd < 0)
++ if (fd == NULL || *fd < 0)
+ continue;
+
+- perf_mmap__munmap(map);
++ perf_mmap__munmap(MMAP(evsel, cpu, thread));
+ }
+ }
+
+@@ -239,15 +248,16 @@ int perf_evsel__mmap(struct perf_evsel *evsel, int pages)
+
+ for (cpu = 0; cpu < xyarray__max_x(evsel->fd); cpu++) {
+ for (thread = 0; thread < xyarray__max_y(evsel->fd); thread++) {
+- int fd = FD(evsel, cpu, thread);
+- struct perf_mmap *map = MMAP(evsel, cpu, thread);
++ int *fd = FD(evsel, cpu, thread);
++ struct perf_mmap *map;
+
+- if (fd < 0)
++ if (fd == NULL || *fd < 0)
+ continue;
+
++ map = MMAP(evsel, cpu, thread);
+ perf_mmap__init(map, NULL, false, NULL);
+
+- ret = perf_mmap__mmap(map, &mp, fd, cpu);
++ ret = perf_mmap__mmap(map, &mp, *fd, cpu);
+ if (ret) {
+ perf_evsel__munmap(evsel);
+ return ret;
+@@ -260,7 +270,9 @@ int perf_evsel__mmap(struct perf_evsel *evsel, int pages)
+
+ void *perf_evsel__mmap_base(struct perf_evsel *evsel, int cpu, int thread)
+ {
+- if (FD(evsel, cpu, thread) < 0 || MMAP(evsel, cpu, thread) == NULL)
++ int *fd = FD(evsel, cpu, thread);
++
++ if (fd == NULL || *fd < 0 || MMAP(evsel, cpu, thread) == NULL)
+ return NULL;
+
+ return MMAP(evsel, cpu, thread)->base;
+@@ -295,17 +307,18 @@ int perf_evsel__read(struct perf_evsel *evsel, int cpu, int thread,
+ struct perf_counts_values *count)
+ {
+ size_t size = perf_evsel__read_size(evsel);
++ int *fd = FD(evsel, cpu, thread);
+
+ memset(count, 0, sizeof(*count));
+
+- if (FD(evsel, cpu, thread) < 0)
++ if (fd == NULL || *fd < 0)
+ return -EINVAL;
+
+ if (MMAP(evsel, cpu, thread) &&
+ !perf_mmap__read_self(MMAP(evsel, cpu, thread), count))
+ return 0;
+
+- if (readn(FD(evsel, cpu, thread), count->values, size) <= 0)
++ if (readn(*fd, count->values, size) <= 0)
+ return -errno;
+
+ return 0;
+@@ -318,8 +331,13 @@ static int perf_evsel__run_ioctl(struct perf_evsel *evsel,
+ int thread;
+
+ for (thread = 0; thread < xyarray__max_y(evsel->fd); thread++) {
+- int fd = FD(evsel, cpu, thread),
+- err = ioctl(fd, ioc, arg);
++ int err;
++ int *fd = FD(evsel, cpu, thread);
++
++ if (fd == NULL || *fd < 0)
++ return -1;
++
++ err = ioctl(*fd, ioc, arg);
+
+ if (err)
+ return err;
+--
+2.33.0
+
--- /dev/null
+From 9c2aa1c5206532b189a56da3c55fd63aba0baa2a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Sep 2021 23:07:29 -0700
+Subject: m68k: Double cast io functions to unsigned long
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit b1a89856fbf63fffde6a4771d8f1ac21df549e50 ]
+
+m68k builds fail widely with errors such as
+
+arch/m68k/include/asm/raw_io.h:20:19: error:
+ cast to pointer from integer of different size
+arch/m68k/include/asm/raw_io.h:30:32: error:
+ cast to pointer from integer of different size [-Werror=int-to-p
+
+On m68k, io functions are defined as macros. The problem is seen if the
+macro parameter variable size differs from the size of a pointer. Cast
+the parameter of all io macros to unsigned long before casting it to
+a pointer to fix the problem.
+
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20210907060729.2391992-1-linux@roeck-us.net
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/include/asm/raw_io.h | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/arch/m68k/include/asm/raw_io.h b/arch/m68k/include/asm/raw_io.h
+index 911826ea83ce..80eb2396d01e 100644
+--- a/arch/m68k/include/asm/raw_io.h
++++ b/arch/m68k/include/asm/raw_io.h
+@@ -17,21 +17,21 @@
+ * two accesses to memory, which may be undesirable for some devices.
+ */
+ #define in_8(addr) \
+- ({ u8 __v = (*(__force volatile u8 *) (addr)); __v; })
++ ({ u8 __v = (*(__force volatile u8 *) (unsigned long)(addr)); __v; })
+ #define in_be16(addr) \
+- ({ u16 __v = (*(__force volatile u16 *) (addr)); __v; })
++ ({ u16 __v = (*(__force volatile u16 *) (unsigned long)(addr)); __v; })
+ #define in_be32(addr) \
+- ({ u32 __v = (*(__force volatile u32 *) (addr)); __v; })
++ ({ u32 __v = (*(__force volatile u32 *) (unsigned long)(addr)); __v; })
+ #define in_le16(addr) \
+- ({ u16 __v = le16_to_cpu(*(__force volatile __le16 *) (addr)); __v; })
++ ({ u16 __v = le16_to_cpu(*(__force volatile __le16 *) (unsigned long)(addr)); __v; })
+ #define in_le32(addr) \
+- ({ u32 __v = le32_to_cpu(*(__force volatile __le32 *) (addr)); __v; })
++ ({ u32 __v = le32_to_cpu(*(__force volatile __le32 *) (unsigned long)(addr)); __v; })
+
+-#define out_8(addr,b) (void)((*(__force volatile u8 *) (addr)) = (b))
+-#define out_be16(addr,w) (void)((*(__force volatile u16 *) (addr)) = (w))
+-#define out_be32(addr,l) (void)((*(__force volatile u32 *) (addr)) = (l))
+-#define out_le16(addr,w) (void)((*(__force volatile __le16 *) (addr)) = cpu_to_le16(w))
+-#define out_le32(addr,l) (void)((*(__force volatile __le32 *) (addr)) = cpu_to_le32(l))
++#define out_8(addr,b) (void)((*(__force volatile u8 *) (unsigned long)(addr)) = (b))
++#define out_be16(addr,w) (void)((*(__force volatile u16 *) (unsigned long)(addr)) = (w))
++#define out_be32(addr,l) (void)((*(__force volatile u32 *) (unsigned long)(addr)) = (l))
++#define out_le16(addr,w) (void)((*(__force volatile __le16 *) (unsigned long)(addr)) = cpu_to_le16(w))
++#define out_le32(addr,l) (void)((*(__force volatile __le32 *) (unsigned long)(addr)) = cpu_to_le32(l))
+
+ #define raw_inb in_8
+ #define raw_inw in_be16
+--
+2.33.0
+
--- /dev/null
+From 6ebc679d202f662fb44df84c7af5a42d1105788b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Sep 2021 13:38:29 +0200
+Subject: md: fix a lock order reversal in md_alloc
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 7df835a32a8bedf7ce88efcfa7c9b245b52ff139 ]
+
+Commit b0140891a8cea3 ("md: Fix race when creating a new md device.")
+not only moved assigning mddev->gendisk before calling add_disk, which
+fixes the races described in the commit log, but also added a
+mddev->open_mutex critical section over add_disk and creation of the
+md kobj. Adding a kobject after add_disk is racy vs deleting the gendisk
+right after adding it, but md already prevents against that by holding
+a mddev->active reference.
+
+On the other hand taking this lock added a lock order reversal with what
+is not disk->open_mutex (used to be bdev->bd_mutex when the commit was
+added) for partition devices, which need that lock for the internal open
+for the partition scan, and a recent commit also takes it for
+non-partitioned devices, leading to further lockdep splatter.
+
+Fixes: b0140891a8ce ("md: Fix race when creating a new md device.")
+Fixes: d62633873590 ("block: support delayed holder registration")
+Reported-by: syzbot+fadc0aaf497e6a493b9f@syzkaller.appspotmail.com
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Tested-by: syzbot+fadc0aaf497e6a493b9f@syzkaller.appspotmail.com
+Reviewed-by: NeilBrown <neilb@suse.de>
+Signed-off-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index ae8fe54ea358..6c0c3d0d905a 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -5700,10 +5700,6 @@ static int md_alloc(dev_t dev, char *name)
+ disk->flags |= GENHD_FL_EXT_DEVT;
+ disk->events |= DISK_EVENT_MEDIA_CHANGE;
+ mddev->gendisk = disk;
+- /* As soon as we call add_disk(), another thread could get
+- * through to md_open, so make sure it doesn't get too far
+- */
+- mutex_lock(&mddev->open_mutex);
+ add_disk(disk);
+
+ error = kobject_add(&mddev->kobj, &disk_to_dev(disk)->kobj, "%s", "md");
+@@ -5718,7 +5714,6 @@ static int md_alloc(dev_t dev, char *name)
+ if (mddev->kobj.sd &&
+ sysfs_create_group(&mddev->kobj, &md_bitmap_group))
+ pr_debug("pointless warning\n");
+- mutex_unlock(&mddev->open_mutex);
+ abort:
+ mutex_unlock(&disks_mutex);
+ if (!error && mddev->kobj.sd) {
+--
+2.33.0
+
--- /dev/null
+From f09f33bd8e209fe89c45d057d10cb472e806e895 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Sep 2021 20:57:43 -0700
+Subject: net: 6pack: Fix tx timeout and slot time
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit 3c0d2a46c0141913dc6fd126c57d0615677d946e ]
+
+tx timeout and slot time are currently specified in units of HZ. On
+Alpha, HZ is defined as 1024. When building alpha:allmodconfig, this
+results in the following error message.
+
+ drivers/net/hamradio/6pack.c: In function 'sixpack_open':
+ drivers/net/hamradio/6pack.c:71:41: error:
+ unsigned conversion from 'int' to 'unsigned char'
+ changes value from '256' to '0'
+
+In the 6PACK protocol, tx timeout is specified in units of 10 ms and
+transmitted over the wire:
+
+ https://www.linux-ax25.org/wiki/6PACK
+
+Defining a value dependent on HZ doesn't really make sense, and
+presumably comes from the (very historical) situation where HZ was
+originally 100.
+
+Note that the SIXP_SLOTTIME use explicitly is about 10ms granularity:
+
+ mod_timer(&sp->tx_t, jiffies + ((when + 1) * HZ) / 100);
+
+and the SIXP_TXDELAY walue is sent as a byte over the wire.
+
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/hamradio/6pack.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/hamradio/6pack.c b/drivers/net/hamradio/6pack.c
+index 8fe8887d506a..6192244b304a 100644
+--- a/drivers/net/hamradio/6pack.c
++++ b/drivers/net/hamradio/6pack.c
+@@ -68,9 +68,9 @@
+ #define SIXP_DAMA_OFF 0
+
+ /* default level 2 parameters */
+-#define SIXP_TXDELAY (HZ/4) /* in 1 s */
++#define SIXP_TXDELAY 25 /* 250 ms */
+ #define SIXP_PERSIST 50 /* in 256ths */
+-#define SIXP_SLOTTIME (HZ/10) /* in 1 s */
++#define SIXP_SLOTTIME 10 /* 100 ms */
+ #define SIXP_INIT_RESYNC_TIMEOUT (3*HZ/2) /* in 1 s */
+ #define SIXP_RESYNC_TIMEOUT 5*HZ /* in 1 s */
+
+--
+2.33.0
+
--- /dev/null
+From b8896c3b42a87817e1c53f1538693a65568f2ef6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Sep 2021 20:52:25 -0700
+Subject: net: i825xx: Use absolute_pointer for memcpy from fixed memory
+ location
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit dff2d13114f0beec448da9b3716204eb34b0cf41 ]
+
+gcc 11.x reports the following compiler warning/error.
+
+ drivers/net/ethernet/i825xx/82596.c: In function 'i82596_probe':
+ arch/m68k/include/asm/string.h:72:25: error:
+ '__builtin_memcpy' reading 6 bytes from a region of size 0 [-Werror=stringop-overread]
+
+Use absolute_pointer() to work around the problem.
+
+Cc: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/i825xx/82596.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/i825xx/82596.c b/drivers/net/ethernet/i825xx/82596.c
+index fc8c7cd67471..8b12a5ab3818 100644
+--- a/drivers/net/ethernet/i825xx/82596.c
++++ b/drivers/net/ethernet/i825xx/82596.c
+@@ -1155,7 +1155,7 @@ struct net_device * __init i82596_probe(int unit)
+ err = -ENODEV;
+ goto out;
+ }
+- memcpy(eth_addr, (void *) 0xfffc1f2c, ETH_ALEN); /* YUCK! Get addr from NOVRAM */
++ memcpy(eth_addr, absolute_pointer(0xfffc1f2c), ETH_ALEN); /* YUCK! Get addr from NOVRAM */
+ dev->base_addr = MVME_I596_BASE;
+ dev->irq = (unsigned) MVME16x_IRQ_I596;
+ goto found;
+--
+2.33.0
+
--- /dev/null
+From 66bd5d5dd93ab54340a9ecd87677746cd7275108 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Sep 2021 12:02:32 -0700
+Subject: net: macb: fix use after free on rmmod
+
+From: Tong Zhang <ztong0001@gmail.com>
+
+[ Upstream commit d82d5303c4c539db86588ffb5dc5b26c3f1513e8 ]
+
+plat_dev->dev->platform_data is released by platform_device_unregister(),
+use of pclk and hclk is a use-after-free. Since device unregister won't
+need a clk device we adjust the function call sequence to fix this issue.
+
+[ 31.261225] BUG: KASAN: use-after-free in macb_remove+0x77/0xc6 [macb_pci]
+[ 31.275563] Freed by task 306:
+[ 30.276782] platform_device_release+0x25/0x80
+
+Suggested-by: Nicolas Ferre <Nicolas.Ferre@microchip.com>
+Signed-off-by: Tong Zhang <ztong0001@gmail.com>
+Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cadence/macb_pci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/cadence/macb_pci.c b/drivers/net/ethernet/cadence/macb_pci.c
+index 8b7b59908a1a..f66d22de5168 100644
+--- a/drivers/net/ethernet/cadence/macb_pci.c
++++ b/drivers/net/ethernet/cadence/macb_pci.c
+@@ -111,9 +111,9 @@ static void macb_remove(struct pci_dev *pdev)
+ struct platform_device *plat_dev = pci_get_drvdata(pdev);
+ struct macb_platform_data *plat_data = dev_get_platdata(&plat_dev->dev);
+
+- platform_device_unregister(plat_dev);
+ clk_unregister(plat_data->pclk);
+ clk_unregister(plat_data->hclk);
++ platform_device_unregister(plat_dev);
+ }
+
+ static const struct pci_device_id dev_id_table[] = {
+--
+2.33.0
+
--- /dev/null
+From 163a52593772e305436711522d5fa513bfaaf7f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Sep 2021 05:14:49 +0000
+Subject: net: phylink: Update SFP selected interface on advertising changes
+
+From: Nathan Rossi <nathan.rossi@digi.com>
+
+[ Upstream commit ea269a6f720782ed94171fb962b14ce07c372138 ]
+
+Currently changes to the advertising state via ethtool do not cause any
+reselection of the configured interface mode after the SFP is already
+inserted and initially configured.
+
+While it is not typical to change the advertised link modes for an
+interface using an SFP in certain use cases it is desirable. In the case
+of a SFP port that is capable of handling both SFP and SFP+ modules it
+will automatically select between 1G and 10G modes depending on the
+supported mode of the SFP. However if the SFP module is capable of
+working in multiple modes (e.g. a SFP+ DAC that can operate at 1G or
+10G), one end of the cable may be attached to a SFP 1000base-x port thus
+the SFP+ end must be manually configured to the 1000base-x mode in order
+for the link to be established.
+
+This change causes the ethtool setting of advertised mode changes to
+reselect the interface mode so that the link can be established.
+Additionally when a module is inserted the advertising mode is reset to
+match the supported modes of the module.
+
+Signed-off-by: Nathan Rossi <nathan.rossi@digi.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/phylink.c | 30 +++++++++++++++++++++++++++++-
+ 1 file changed, 29 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/phy/phylink.c b/drivers/net/phy/phylink.c
+index 42e5a681183f..0d3d9c3ee83c 100644
+--- a/drivers/net/phy/phylink.c
++++ b/drivers/net/phy/phylink.c
+@@ -1604,6 +1604,32 @@ int phylink_ethtool_ksettings_set(struct phylink *pl,
+ if (config.an_enabled && phylink_is_empty_linkmode(config.advertising))
+ return -EINVAL;
+
++ /* If this link is with an SFP, ensure that changes to advertised modes
++ * also cause the associated interface to be selected such that the
++ * link can be configured correctly.
++ */
++ if (pl->sfp_port && pl->sfp_bus) {
++ config.interface = sfp_select_interface(pl->sfp_bus,
++ config.advertising);
++ if (config.interface == PHY_INTERFACE_MODE_NA) {
++ phylink_err(pl,
++ "selection of interface failed, advertisement %*pb\n",
++ __ETHTOOL_LINK_MODE_MASK_NBITS,
++ config.advertising);
++ return -EINVAL;
++ }
++
++ /* Revalidate with the selected interface */
++ linkmode_copy(support, pl->supported);
++ if (phylink_validate(pl, support, &config)) {
++ phylink_err(pl, "validation of %s/%s with support %*pb failed\n",
++ phylink_an_mode_str(pl->cur_link_an_mode),
++ phy_modes(config.interface),
++ __ETHTOOL_LINK_MODE_MASK_NBITS, support);
++ return -EINVAL;
++ }
++ }
++
+ mutex_lock(&pl->state_mutex);
+ pl->link_config.speed = config.speed;
+ pl->link_config.duplex = config.duplex;
+@@ -2183,7 +2209,9 @@ static int phylink_sfp_config(struct phylink *pl, u8 mode,
+ if (phy_interface_mode_is_8023z(iface) && pl->phydev)
+ return -EINVAL;
+
+- changed = !linkmode_equal(pl->supported, support);
++ changed = !linkmode_equal(pl->supported, support) ||
++ !linkmode_equal(pl->link_config.advertising,
++ config.advertising);
+ if (changed) {
+ linkmode_copy(pl->supported, support);
+ linkmode_copy(pl->link_config.advertising, config.advertising);
+--
+2.33.0
+
--- /dev/null
+From 0ba7aa5ca9a827e17a28acb0526f8333a8cf73c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Sep 2021 21:55:34 +0200
+Subject: net: stmmac: allow CSR clock of 300MHz
+
+From: Jesper Nilsson <jesper.nilsson@axis.com>
+
+[ Upstream commit 08dad2f4d541fcfe5e7bfda72cc6314bbfd2802f ]
+
+The Synopsys Ethernet IP uses the CSR clock as a base clock for MDC.
+The divisor used is set in the MAC_MDIO_Address register field CR
+(Clock Rate)
+
+The divisor is there to change the CSR clock into a clock that falls
+below the IEEE 802.3 specified max frequency of 2.5MHz.
+
+If the CSR clock is 300MHz, the code falls back to using the reset
+value in the MAC_MDIO_Address register, as described in the comment
+above this code.
+
+However, 300MHz is actually an allowed value and the proper divider
+can be estimated quite easily (it's just 1Hz difference!)
+
+A CSR frequency of 300MHz with the maximum clock rate value of 0x5
+(STMMAC_CSR_250_300M, a divisor of 124) gives somewhere around
+~2.42MHz which is below the IEEE 802.3 specified maximum.
+
+For the ARTPEC-8 SoC, the CSR clock is this problematic 300MHz,
+and unfortunately, the reset-value of the MAC_MDIO_Address CR field
+is 0x0.
+
+This leads to a clock rate of zero and a divisor of 42, and gives an
+MDC frequency of ~7.14MHz.
+
+Allow CSR clock of 300MHz by making the comparison inclusive.
+
+Signed-off-by: Jesper Nilsson <jesper.nilsson@axis.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index 0dbd189c2721..2218bc3a624b 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -309,7 +309,7 @@ static void stmmac_clk_csr_set(struct stmmac_priv *priv)
+ priv->clk_csr = STMMAC_CSR_100_150M;
+ else if ((clk_rate >= CSR_F_150M) && (clk_rate < CSR_F_250M))
+ priv->clk_csr = STMMAC_CSR_150_250M;
+- else if ((clk_rate >= CSR_F_250M) && (clk_rate < CSR_F_300M))
++ else if ((clk_rate >= CSR_F_250M) && (clk_rate <= CSR_F_300M))
+ priv->clk_csr = STMMAC_CSR_250_300M;
+ }
+
+--
+2.33.0
+
--- /dev/null
+From 86a5c1280973b82df74951e5bd6ac97678615dd4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Sep 2021 08:38:20 +0200
+Subject: nvme: keep ctrl->namespaces ordered
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 298ba0e3d4af539cc37f982d4c011a0f07fca48c ]
+
+Various places in the nvme code that rely on ctrl->namespace to be
+ordered. Ensure that the namespae is inserted into the list at the
+right position from the start instead of sorting it after the fact.
+
+Fixes: 540c801c65eb ("NVMe: Implement namespace list scanning")
+Reported-by: Anton Eidelman <anton.eidelman@gmail.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Keith Busch <kbusch@kernel.org>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
+Reviewed-by: Damien Le Moal <damien.lemoal@wdc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 33 +++++++++++++++++----------------
+ 1 file changed, 17 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index 84e7cb9f1968..e2374319df61 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -13,7 +13,6 @@
+ #include <linux/kernel.h>
+ #include <linux/module.h>
+ #include <linux/backing-dev.h>
+-#include <linux/list_sort.h>
+ #include <linux/slab.h>
+ #include <linux/types.h>
+ #include <linux/pr.h>
+@@ -3688,15 +3687,6 @@ out_unlock:
+ return ret;
+ }
+
+-static int ns_cmp(void *priv, const struct list_head *a,
+- const struct list_head *b)
+-{
+- struct nvme_ns *nsa = container_of(a, struct nvme_ns, list);
+- struct nvme_ns *nsb = container_of(b, struct nvme_ns, list);
+-
+- return nsa->head->ns_id - nsb->head->ns_id;
+-}
+-
+ struct nvme_ns *nvme_find_get_ns(struct nvme_ctrl *ctrl, unsigned nsid)
+ {
+ struct nvme_ns *ns, *ret = NULL;
+@@ -3717,6 +3707,22 @@ struct nvme_ns *nvme_find_get_ns(struct nvme_ctrl *ctrl, unsigned nsid)
+ }
+ EXPORT_SYMBOL_NS_GPL(nvme_find_get_ns, NVME_TARGET_PASSTHRU);
+
++/*
++ * Add the namespace to the controller list while keeping the list ordered.
++ */
++static void nvme_ns_add_to_ctrl_list(struct nvme_ns *ns)
++{
++ struct nvme_ns *tmp;
++
++ list_for_each_entry_reverse(tmp, &ns->ctrl->namespaces, list) {
++ if (tmp->head->ns_id < ns->head->ns_id) {
++ list_add(&ns->list, &tmp->list);
++ return;
++ }
++ }
++ list_add(&ns->list, &ns->ctrl->namespaces);
++}
++
+ static void nvme_alloc_ns(struct nvme_ctrl *ctrl, unsigned nsid,
+ struct nvme_ns_ids *ids)
+ {
+@@ -3778,9 +3784,8 @@ static void nvme_alloc_ns(struct nvme_ctrl *ctrl, unsigned nsid,
+ }
+
+ down_write(&ctrl->namespaces_rwsem);
+- list_add_tail(&ns->list, &ctrl->namespaces);
++ nvme_ns_add_to_ctrl_list(ns);
+ up_write(&ctrl->namespaces_rwsem);
+-
+ nvme_get_ctrl(ctrl);
+
+ device_add_disk(ctrl->device, ns->disk, nvme_ns_id_attr_groups);
+@@ -4059,10 +4064,6 @@ static void nvme_scan_work(struct work_struct *work)
+ if (nvme_scan_ns_list(ctrl) != 0)
+ nvme_scan_ns_sequential(ctrl);
+ mutex_unlock(&ctrl->scan_lock);
+-
+- down_write(&ctrl->namespaces_rwsem);
+- list_sort(NULL, &ctrl->namespaces, ns_cmp);
+- up_write(&ctrl->namespaces_rwsem);
+ }
+
+ /*
+--
+2.33.0
+
--- /dev/null
+From 3d12c23cfea90bfa71eaf7a2d034f753b6a700df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Sep 2021 12:54:57 -0600
+Subject: nvme-multipath: fix ANA state updates when a namespace is not present
+
+From: Anton Eidelman <anton.eidelman@gmail.com>
+
+[ Upstream commit 79f528afa93918519574773ea49a444c104bc1bd ]
+
+nvme_update_ana_state() has a deficiency that results in a failure to
+properly update the ana state for a namespace in the following case:
+
+ NSIDs in ctrl->namespaces: 1, 3, 4
+ NSIDs in desc->nsids: 1, 2, 3, 4
+
+Loop iteration 0:
+ ns index = 0, n = 0, ns->head->ns_id = 1, nsid = 1, MATCH.
+Loop iteration 1:
+ ns index = 1, n = 1, ns->head->ns_id = 3, nsid = 2, NO MATCH.
+Loop iteration 2:
+ ns index = 2, n = 2, ns->head->ns_id = 4, nsid = 4, MATCH.
+
+Where the update to the ANA state of NSID 3 is missed. To fix this
+increment n and retry the update with the same ns when ns->head->ns_id is
+higher than nsid,
+
+Signed-off-by: Anton Eidelman <anton@lightbitslabs.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/multipath.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c
+index 3f32c5e86bfc..abc9bdfd48bd 100644
+--- a/drivers/nvme/host/multipath.c
++++ b/drivers/nvme/host/multipath.c
+@@ -583,14 +583,17 @@ static int nvme_update_ana_state(struct nvme_ctrl *ctrl,
+
+ down_read(&ctrl->namespaces_rwsem);
+ list_for_each_entry(ns, &ctrl->namespaces, list) {
+- unsigned nsid = le32_to_cpu(desc->nsids[n]);
+-
++ unsigned nsid;
++again:
++ nsid = le32_to_cpu(desc->nsids[n]);
+ if (ns->head->ns_id < nsid)
+ continue;
+ if (ns->head->ns_id == nsid)
+ nvme_update_ns_ana_state(desc, ns);
+ if (++n == nr_nsids)
+ break;
++ if (ns->head->ns_id > nsid)
++ goto again;
+ }
+ up_read(&ctrl->namespaces_rwsem);
+ return 0;
+--
+2.33.0
+
--- /dev/null
+From ef36966ce2f2ac2d2bb2b4f98a5637a050f1b3c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Sep 2021 11:51:34 +0800
+Subject: nvme-rdma: destroy cm id before destroy qp to avoid use after free
+
+From: Ruozhu Li <liruozhu@huawei.com>
+
+[ Upstream commit 9817d763dbe15327b9b3ff4404fa6f27f927e744 ]
+
+We should always destroy cm_id before destroy qp to avoid to get cma
+event after qp was destroyed, which may lead to use after free.
+In RDMA connection establishment error flow, don't destroy qp in cm
+event handler.Just report cm_error to upper level, qp will be destroy
+in nvme_rdma_alloc_queue() after destroy cm id.
+
+Signed-off-by: Ruozhu Li <liruozhu@huawei.com>
+Reviewed-by: Max Gurtovoy <mgurtovoy@nvidia.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/rdma.c | 16 +++-------------
+ 1 file changed, 3 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c
+index a68704e39084..042c594bc57e 100644
+--- a/drivers/nvme/host/rdma.c
++++ b/drivers/nvme/host/rdma.c
+@@ -656,8 +656,8 @@ static void nvme_rdma_free_queue(struct nvme_rdma_queue *queue)
+ if (!test_and_clear_bit(NVME_RDMA_Q_ALLOCATED, &queue->flags))
+ return;
+
+- nvme_rdma_destroy_queue_ib(queue);
+ rdma_destroy_id(queue->cm_id);
++ nvme_rdma_destroy_queue_ib(queue);
+ mutex_destroy(&queue->queue_lock);
+ }
+
+@@ -1815,14 +1815,10 @@ static int nvme_rdma_conn_established(struct nvme_rdma_queue *queue)
+ for (i = 0; i < queue->queue_size; i++) {
+ ret = nvme_rdma_post_recv(queue, &queue->rsp_ring[i]);
+ if (ret)
+- goto out_destroy_queue_ib;
++ return ret;
+ }
+
+ return 0;
+-
+-out_destroy_queue_ib:
+- nvme_rdma_destroy_queue_ib(queue);
+- return ret;
+ }
+
+ static int nvme_rdma_conn_rejected(struct nvme_rdma_queue *queue,
+@@ -1916,14 +1912,10 @@ static int nvme_rdma_route_resolved(struct nvme_rdma_queue *queue)
+ if (ret) {
+ dev_err(ctrl->ctrl.device,
+ "rdma_connect_locked failed (%d).\n", ret);
+- goto out_destroy_queue_ib;
++ return ret;
+ }
+
+ return 0;
+-
+-out_destroy_queue_ib:
+- nvme_rdma_destroy_queue_ib(queue);
+- return ret;
+ }
+
+ static int nvme_rdma_cm_handler(struct rdma_cm_id *cm_id,
+@@ -1954,8 +1946,6 @@ static int nvme_rdma_cm_handler(struct rdma_cm_id *cm_id,
+ case RDMA_CM_EVENT_ROUTE_ERROR:
+ case RDMA_CM_EVENT_CONNECT_ERROR:
+ case RDMA_CM_EVENT_UNREACHABLE:
+- nvme_rdma_destroy_queue_ib(queue);
+- fallthrough;
+ case RDMA_CM_EVENT_ADDR_ERROR:
+ dev_dbg(queue->ctrl->ctrl.device,
+ "CM error event %d\n", ev->event);
+--
+2.33.0
+
--- /dev/null
+From b7ad2165bfa3b8566104df5c94321da58702ca16 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Sep 2021 18:38:55 +0300
+Subject: nvme-tcp: fix incorrect h2cdata pdu offset accounting
+
+From: Sagi Grimberg <sagi@grimberg.me>
+
+[ Upstream commit e371af033c560b9dd1e861f8f0b503142bf0a06c ]
+
+When the controller sends us multiple r2t PDUs in a single
+request we need to account for it correctly as our send/recv
+context run concurrently (i.e. we get a new r2t with r2t_offset
+before we updated our iterator and req->data_sent marker). This
+can cause wrong offsets to be sent to the controller.
+
+To fix that, we will first know that this may happen only in
+the send sequence of the last page, hence we will take
+the r2t_offset to the h2c PDU data_offset, and in
+nvme_tcp_try_send_data loop, we make sure to increment
+the request markers also when we completed a PDU but
+we are expecting more r2t PDUs as we still did not send
+the entire data of the request.
+
+Fixes: 825619b09ad3 ("nvme-tcp: fix possible use-after-completion")
+Reported-by: Nowak, Lukasz <Lukasz.Nowak@Dell.com>
+Tested-by: Nowak, Lukasz <Lukasz.Nowak@Dell.com>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/tcp.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c
+index 19a711395cdc..fd28a23d45ed 100644
+--- a/drivers/nvme/host/tcp.c
++++ b/drivers/nvme/host/tcp.c
+@@ -614,7 +614,7 @@ static int nvme_tcp_setup_h2c_data_pdu(struct nvme_tcp_request *req,
+ cpu_to_le32(data->hdr.hlen + hdgst + req->pdu_len + ddgst);
+ data->ttag = pdu->ttag;
+ data->command_id = nvme_cid(rq);
+- data->data_offset = cpu_to_le32(req->data_sent);
++ data->data_offset = pdu->r2t_offset;
+ data->data_length = cpu_to_le32(req->pdu_len);
+ return 0;
+ }
+@@ -940,7 +940,15 @@ static int nvme_tcp_try_send_data(struct nvme_tcp_request *req)
+ nvme_tcp_ddgst_update(queue->snd_hash, page,
+ offset, ret);
+
+- /* fully successful last write*/
++ /*
++ * update the request iterator except for the last payload send
++ * in the request where we don't want to modify it as we may
++ * compete with the RX path completing the request.
++ */
++ if (req->data_sent + ret < req->data_len)
++ nvme_tcp_advance_req(req, ret);
++
++ /* fully successful last send in current PDU */
+ if (last && ret == len) {
+ if (queue->data_digest) {
+ nvme_tcp_ddgst_final(queue->snd_hash,
+@@ -952,7 +960,6 @@ static int nvme_tcp_try_send_data(struct nvme_tcp_request *req)
+ }
+ return 1;
+ }
+- nvme_tcp_advance_req(req, ret);
+ }
+ return -EAGAIN;
+ }
+--
+2.33.0
+
--- /dev/null
+From ddbacedc6432fb0c0a744de9f082c9af13101fda Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Sep 2021 08:35:42 +0200
+Subject: parisc: Use absolute_pointer() to define PAGE0
+
+From: Helge Deller <deller@gmx.de>
+
+[ Upstream commit 90cc7bed1ed19f869ae7221a6b41887fe762a6a3 ]
+
+Use absolute_pointer() wrapper for PAGE0 to avoid this compiler warning:
+
+ arch/parisc/kernel/setup.c: In function 'start_parisc':
+ error: '__builtin_memcmp_eq' specified bound 8 exceeds source size 0
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Co-Developed-by: Guenter Roeck <linux@roeck-us.net>
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/parisc/include/asm/page.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/parisc/include/asm/page.h b/arch/parisc/include/asm/page.h
+index d00313d1274e..0561568f7b48 100644
+--- a/arch/parisc/include/asm/page.h
++++ b/arch/parisc/include/asm/page.h
+@@ -184,7 +184,7 @@ extern int npmem_ranges;
+ #include <asm-generic/getorder.h>
+ #include <asm/pdc.h>
+
+-#define PAGE0 ((struct zeropage *)__PAGE_OFFSET)
++#define PAGE0 ((struct zeropage *)absolute_pointer(__PAGE_OFFSET))
+
+ /* DEFINITION OF THE ZERO-PAGE (PAG0) */
+ /* based on work by Jason Eckhardt (jason@equator.com) */
+--
+2.33.0
+
--- /dev/null
+From 42b05b95d7bdbcb08841db9b3bcba8532de38589 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Sep 2021 13:56:37 -0700
+Subject: qnx4: avoid stringop-overread errors
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+[ Upstream commit b7213ffa0e585feb1aee3e7173e965e66ee0abaa ]
+
+The qnx4 directory entries are 64-byte blocks that have different
+contents depending on the a status byte that is in the last byte of the
+block.
+
+In particular, a directory entry can be either a "link info" entry with
+a 48-byte name and pointers to the real inode information, or an "inode
+entry" with a smaller 16-byte name and the full inode information.
+
+But the code was written to always just treat the directory name as if
+it was part of that "inode entry", and just extend the name to the
+longer case if the status byte said it was a link entry.
+
+That work just fine and gives the right results, but now that gcc is
+tracking data structure accesses much more, the code can trigger a
+compiler error about using up to 48 bytes (the long name) in a structure
+that only has that shorter name in it:
+
+ fs/qnx4/dir.c: In function ‘qnx4_readdir’:
+ fs/qnx4/dir.c:51:32: error: ‘strnlen’ specified bound 48 exceeds source size 16 [-Werror=stringop-overread]
+ 51 | size = strnlen(de->di_fname, size);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~
+ In file included from fs/qnx4/qnx4.h:3,
+ from fs/qnx4/dir.c:16:
+ include/uapi/linux/qnx4_fs.h:45:25: note: source object declared here
+ 45 | char di_fname[QNX4_SHORT_NAME_MAX];
+ | ^~~~~~~~
+
+which is because the source code doesn't really make this whole "one of
+two different types" explicit.
+
+Fix this by introducing a very explicit union of the two types, and
+basically explaining to the compiler what is really going on.
+
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/qnx4/dir.c | 51 ++++++++++++++++++++++++++++++++++-----------------
+ 1 file changed, 34 insertions(+), 17 deletions(-)
+
+diff --git a/fs/qnx4/dir.c b/fs/qnx4/dir.c
+index a6ee23aadd28..2a66844b7ff8 100644
+--- a/fs/qnx4/dir.c
++++ b/fs/qnx4/dir.c
+@@ -15,13 +15,27 @@
+ #include <linux/buffer_head.h>
+ #include "qnx4.h"
+
++/*
++ * A qnx4 directory entry is an inode entry or link info
++ * depending on the status field in the last byte. The
++ * first byte is where the name start either way, and a
++ * zero means it's empty.
++ */
++union qnx4_directory_entry {
++ struct {
++ char de_name;
++ char de_pad[62];
++ char de_status;
++ };
++ struct qnx4_inode_entry inode;
++ struct qnx4_link_info link;
++};
++
+ static int qnx4_readdir(struct file *file, struct dir_context *ctx)
+ {
+ struct inode *inode = file_inode(file);
+ unsigned int offset;
+ struct buffer_head *bh;
+- struct qnx4_inode_entry *de;
+- struct qnx4_link_info *le;
+ unsigned long blknum;
+ int ix, ino;
+ int size;
+@@ -38,27 +52,30 @@ static int qnx4_readdir(struct file *file, struct dir_context *ctx)
+ }
+ ix = (ctx->pos >> QNX4_DIR_ENTRY_SIZE_BITS) % QNX4_INODES_PER_BLOCK;
+ for (; ix < QNX4_INODES_PER_BLOCK; ix++, ctx->pos += QNX4_DIR_ENTRY_SIZE) {
++ union qnx4_directory_entry *de;
++ const char *name;
++
+ offset = ix * QNX4_DIR_ENTRY_SIZE;
+- de = (struct qnx4_inode_entry *) (bh->b_data + offset);
+- if (!de->di_fname[0])
++ de = (union qnx4_directory_entry *) (bh->b_data + offset);
++
++ if (!de->de_name)
+ continue;
+- if (!(de->di_status & (QNX4_FILE_USED|QNX4_FILE_LINK)))
++ if (!(de->de_status & (QNX4_FILE_USED|QNX4_FILE_LINK)))
+ continue;
+- if (!(de->di_status & QNX4_FILE_LINK))
+- size = QNX4_SHORT_NAME_MAX;
+- else
+- size = QNX4_NAME_MAX;
+- size = strnlen(de->di_fname, size);
+- QNX4DEBUG((KERN_INFO "qnx4_readdir:%.*s\n", size, de->di_fname));
+- if (!(de->di_status & QNX4_FILE_LINK))
++ if (!(de->de_status & QNX4_FILE_LINK)) {
++ size = sizeof(de->inode.di_fname);
++ name = de->inode.di_fname;
+ ino = blknum * QNX4_INODES_PER_BLOCK + ix - 1;
+- else {
+- le = (struct qnx4_link_info*)de;
+- ino = ( le32_to_cpu(le->dl_inode_blk) - 1 ) *
++ } else {
++ size = sizeof(de->link.dl_fname);
++ name = de->link.dl_fname;
++ ino = ( le32_to_cpu(de->link.dl_inode_blk) - 1 ) *
+ QNX4_INODES_PER_BLOCK +
+- le->dl_inode_ndx;
++ de->link.dl_inode_ndx;
+ }
+- if (!dir_emit(ctx, de->di_fname, size, ino, DT_UNKNOWN)) {
++ size = strnlen(name, size);
++ QNX4DEBUG((KERN_INFO "qnx4_readdir:%.*s\n", size, name));
++ if (!dir_emit(ctx, name, size, ino, DT_UNKNOWN)) {
+ brelse(bh);
+ return 0;
+ }
+--
+2.33.0
+
--- /dev/null
+From 1fac40f15c2365a70d234e57d2ccec5fa97ccbd6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 19 Sep 2021 10:06:46 -0700
+Subject: Revert drm/vc4 hdmi runtime PM changes
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+[ Upstream commit b1044a9b8100a0cc5c9d2e1e2f9ca4bb8e32b23a ]
+
+This reverts commits
+
+ 9984d6664ce9 ("drm/vc4: hdmi: Make sure the controller is powered in detect")
+ 411efa18e4b0 ("drm/vc4: hdmi: Move the HSM clock enable to runtime_pm")
+
+as Michael Stapelberg reports that the new runtime PM changes cause his
+Raspberry Pi 3 to hang on boot, probably due to interactions with other
+changes in the DRM tree (because a bisect points to the merge in commit
+e058a84bfddc: "Merge tag 'drm-next-2021-07-01' of git://.../drm").
+
+Revert these two commits until it's been resolved.
+
+Link: https://lore.kernel.org/all/871r5mp7h2.fsf@midna.i-did-not-set--mail-host-address--so-tickle-me/
+Reported-and-tested-by: Michael Stapelberg <michael@stapelberg.ch>
+Cc: Maxime Ripard <maxime@cerno.tech>
+Cc: Dave Stevenson <dave.stevenson@raspberrypi.com>
+Cc: Dave Airlie <airlied@gmail.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_hdmi.c | 44 ++++++++--------------------------
+ 1 file changed, 10 insertions(+), 34 deletions(-)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c
+index f91d37beb113..3b391dee3044 100644
+--- a/drivers/gpu/drm/vc4/vc4_hdmi.c
++++ b/drivers/gpu/drm/vc4/vc4_hdmi.c
+@@ -166,8 +166,6 @@ vc4_hdmi_connector_detect(struct drm_connector *connector, bool force)
+ struct vc4_hdmi *vc4_hdmi = connector_to_vc4_hdmi(connector);
+ bool connected = false;
+
+- WARN_ON(pm_runtime_resume_and_get(&vc4_hdmi->pdev->dev));
+-
+ if (vc4_hdmi->hpd_gpio &&
+ gpiod_get_value_cansleep(vc4_hdmi->hpd_gpio)) {
+ connected = true;
+@@ -188,12 +186,10 @@ vc4_hdmi_connector_detect(struct drm_connector *connector, bool force)
+ }
+ }
+
+- pm_runtime_put(&vc4_hdmi->pdev->dev);
+ return connector_status_connected;
+ }
+
+ cec_phys_addr_invalidate(vc4_hdmi->cec_adap);
+- pm_runtime_put(&vc4_hdmi->pdev->dev);
+ return connector_status_disconnected;
+ }
+
+@@ -635,6 +631,7 @@ static void vc4_hdmi_encoder_post_crtc_powerdown(struct drm_encoder *encoder,
+ vc4_hdmi->variant->phy_disable(vc4_hdmi);
+
+ clk_disable_unprepare(vc4_hdmi->pixel_bvb_clock);
++ clk_disable_unprepare(vc4_hdmi->hsm_clock);
+ clk_disable_unprepare(vc4_hdmi->pixel_clock);
+
+ ret = pm_runtime_put(&vc4_hdmi->pdev->dev);
+@@ -945,6 +942,13 @@ static void vc4_hdmi_encoder_pre_crtc_configure(struct drm_encoder *encoder,
+ return;
+ }
+
++ ret = clk_prepare_enable(vc4_hdmi->hsm_clock);
++ if (ret) {
++ DRM_ERROR("Failed to turn on HSM clock: %d\n", ret);
++ clk_disable_unprepare(vc4_hdmi->pixel_clock);
++ return;
++ }
++
+ vc4_hdmi_cec_update_clk_div(vc4_hdmi);
+
+ if (pixel_rate > 297000000)
+@@ -957,6 +961,7 @@ static void vc4_hdmi_encoder_pre_crtc_configure(struct drm_encoder *encoder,
+ ret = clk_set_min_rate(vc4_hdmi->pixel_bvb_clock, bvb_rate);
+ if (ret) {
+ DRM_ERROR("Failed to set pixel bvb clock rate: %d\n", ret);
++ clk_disable_unprepare(vc4_hdmi->hsm_clock);
+ clk_disable_unprepare(vc4_hdmi->pixel_clock);
+ return;
+ }
+@@ -964,6 +969,7 @@ static void vc4_hdmi_encoder_pre_crtc_configure(struct drm_encoder *encoder,
+ ret = clk_prepare_enable(vc4_hdmi->pixel_bvb_clock);
+ if (ret) {
+ DRM_ERROR("Failed to turn on pixel bvb clock: %d\n", ret);
++ clk_disable_unprepare(vc4_hdmi->hsm_clock);
+ clk_disable_unprepare(vc4_hdmi->pixel_clock);
+ return;
+ }
+@@ -2110,29 +2116,6 @@ static int vc5_hdmi_init_resources(struct vc4_hdmi *vc4_hdmi)
+ return 0;
+ }
+
+-#ifdef CONFIG_PM
+-static int vc4_hdmi_runtime_suspend(struct device *dev)
+-{
+- struct vc4_hdmi *vc4_hdmi = dev_get_drvdata(dev);
+-
+- clk_disable_unprepare(vc4_hdmi->hsm_clock);
+-
+- return 0;
+-}
+-
+-static int vc4_hdmi_runtime_resume(struct device *dev)
+-{
+- struct vc4_hdmi *vc4_hdmi = dev_get_drvdata(dev);
+- int ret;
+-
+- ret = clk_prepare_enable(vc4_hdmi->hsm_clock);
+- if (ret)
+- return ret;
+-
+- return 0;
+-}
+-#endif
+-
+ static int vc4_hdmi_bind(struct device *dev, struct device *master, void *data)
+ {
+ const struct vc4_hdmi_variant *variant = of_device_get_match_data(dev);
+@@ -2380,18 +2363,11 @@ static const struct of_device_id vc4_hdmi_dt_match[] = {
+ {}
+ };
+
+-static const struct dev_pm_ops vc4_hdmi_pm_ops = {
+- SET_RUNTIME_PM_OPS(vc4_hdmi_runtime_suspend,
+- vc4_hdmi_runtime_resume,
+- NULL)
+-};
+-
+ struct platform_driver vc4_hdmi_driver = {
+ .probe = vc4_hdmi_dev_probe,
+ .remove = vc4_hdmi_dev_remove,
+ .driver = {
+ .name = "vc4_hdmi",
+ .of_match_table = vc4_hdmi_dt_match,
+- .pm = &vc4_hdmi_pm_ops,
+ },
+ };
+--
+2.33.0
+
--- /dev/null
+From 91079c33aa4653b56e1183156998a5e66b80e739 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Sep 2021 16:53:36 +0800
+Subject: scsi: iscsi: Adjust iface sysfs attr detection
+
+From: Baokun Li <libaokun1@huawei.com>
+
+[ Upstream commit 4e28550829258f7dab97383acaa477bd724c0ff4 ]
+
+ISCSI_NET_PARAM_IFACE_ENABLE belongs to enum iscsi_net_param instead of
+iscsi_iface_param so move it to ISCSI_NET_PARAM. Otherwise, when we call
+into the driver, we might not match and return that we don't want attr
+visible in sysfs. Found in code review.
+
+Link: https://lore.kernel.org/r/20210901085336.2264295-1-libaokun1@huawei.com
+Fixes: e746f3451ec7 ("scsi: iscsi: Fix iface sysfs attr detection")
+Reviewed-by: Lee Duncan <lduncan@suse.com>
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi_transport_iscsi.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
+index d8b05d8b5470..922e4c7bd88e 100644
+--- a/drivers/scsi/scsi_transport_iscsi.c
++++ b/drivers/scsi/scsi_transport_iscsi.c
+@@ -441,9 +441,7 @@ static umode_t iscsi_iface_attr_is_visible(struct kobject *kobj,
+ struct iscsi_transport *t = iface->transport;
+ int param = -1;
+
+- if (attr == &dev_attr_iface_enabled.attr)
+- param = ISCSI_NET_PARAM_IFACE_ENABLE;
+- else if (attr == &dev_attr_iface_def_taskmgmt_tmo.attr)
++ if (attr == &dev_attr_iface_def_taskmgmt_tmo.attr)
+ param = ISCSI_IFACE_PARAM_DEF_TASKMGMT_TMO;
+ else if (attr == &dev_attr_iface_header_digest.attr)
+ param = ISCSI_IFACE_PARAM_HDRDGST_EN;
+@@ -483,7 +481,9 @@ static umode_t iscsi_iface_attr_is_visible(struct kobject *kobj,
+ if (param != -1)
+ return t->attr_is_visible(ISCSI_IFACE_PARAM, param);
+
+- if (attr == &dev_attr_iface_vlan_id.attr)
++ if (attr == &dev_attr_iface_enabled.attr)
++ param = ISCSI_NET_PARAM_IFACE_ENABLE;
++ else if (attr == &dev_attr_iface_vlan_id.attr)
+ param = ISCSI_NET_PARAM_VLAN_ID;
+ else if (attr == &dev_attr_iface_vlan_priority.attr)
+ param = ISCSI_NET_PARAM_VLAN_PRIORITY;
+--
+2.33.0
+
--- /dev/null
+From 0e394032d5d4197d25cce568720cbda2a9b44312 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Sep 2021 16:23:31 +0300
+Subject: scsi: lpfc: Use correct scnprintf() limit
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 6dacc371b77f473770ec646e220303a84fe96c11 ]
+
+The limit should be "PAGE_SIZE - len" instead of "PAGE_SIZE". We're not
+going to hit the limit so this fix will not affect runtime.
+
+Link: https://lore.kernel.org/r/20210916132331.GE25094@kili
+Fixes: 5b9e70b22cc5 ("scsi: lpfc: raise sg count for nvme to use available sg resources")
+Reviewed-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_attr.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_attr.c b/drivers/scsi/lpfc/lpfc_attr.c
+index eb88aaaf36eb..c34a7f744601 100644
+--- a/drivers/scsi/lpfc/lpfc_attr.c
++++ b/drivers/scsi/lpfc/lpfc_attr.c
+@@ -6022,7 +6022,8 @@ lpfc_sg_seg_cnt_show(struct device *dev, struct device_attribute *attr,
+ len = scnprintf(buf, PAGE_SIZE, "SGL sz: %d total SGEs: %d\n",
+ phba->cfg_sg_dma_buf_size, phba->cfg_total_seg_cnt);
+
+- len += scnprintf(buf + len, PAGE_SIZE, "Cfg: %d SCSI: %d NVME: %d\n",
++ len += scnprintf(buf + len, PAGE_SIZE - len,
++ "Cfg: %d SCSI: %d NVME: %d\n",
+ phba->cfg_sg_seg_cnt, phba->cfg_scsi_seg_cnt,
+ phba->cfg_nvme_seg_cnt);
+ return len;
+--
+2.33.0
+
--- /dev/null
+From 63f1b03bcf91003125ea89d1f6c19bad9aece025 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Sep 2021 18:32:39 +0300
+Subject: scsi: qla2xxx: Restore initiator in dual mode
+
+From: Dmitry Bogdanov <d.bogdanov@yadro.com>
+
+[ Upstream commit 5f8579038842d77e6ce05e1df6bf9dd493b0e3ef ]
+
+In dual mode in case of disabling the target, the whole port goes offline
+and initiator is turned off too.
+
+Fix restoring initiator mode after disabling target in dual mode.
+
+Link: https://lore.kernel.org/r/20210915153239.8035-1-d.bogdanov@yadro.com
+Fixes: 0645cb8350cd ("scsi: qla2xxx: Add mode control for each physical port")
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Dmitry Bogdanov <d.bogdanov@yadro.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_init.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
+index f8f471157109..70b507d177f1 100644
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -7014,7 +7014,8 @@ qla2x00_abort_isp(scsi_qla_host_t *vha)
+ return 0;
+ break;
+ case QLA2XXX_INI_MODE_DUAL:
+- if (!qla_dual_mode_enabled(vha))
++ if (!qla_dual_mode_enabled(vha) &&
++ !qla_ini_mode_enabled(vha))
+ return 0;
+ break;
+ case QLA2XXX_INI_MODE_ENABLED:
+--
+2.33.0
+
--- /dev/null
+From 2253faad6ab29a6bc2453dce6ec48d61ccd0aa4d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Sep 2021 14:23:14 -0700
+Subject: scsi: sd_zbc: Support disks with more than 2**32 logical blocks
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit 1d479e6c9cb2b40abfb455863a4e9335db882e33 ]
+
+This patch addresses the following Coverity report about the zno *
+sdkp->zone_blocks expression:
+
+CID 1475514 (#1 of 1): Unintentional integer overflow (OVERFLOW_BEFORE_WIDEN)
+overflow_before_widen: Potentially overflowing expression zno *
+sdkp->zone_blocks with type unsigned int (32 bits, unsigned) is evaluated
+using 32-bit arithmetic, and then used in a context that expects an
+expression of type sector_t (64 bits, unsigned).
+
+Link: https://lore.kernel.org/r/20210917212314.2362324-1-bvanassche@acm.org
+Fixes: 5795eb443060 ("scsi: sd_zbc: emulate ZONE_APPEND commands")
+Cc: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Cc: Damien Le Moal <Damien.LeMoal@wdc.com>
+Cc: Hannes Reinecke <hare@suse.de>
+Reviewed-by: Damien Le Moal <damien.lemoal@wdc.com>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/sd_zbc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/sd_zbc.c b/drivers/scsi/sd_zbc.c
+index ea8b3f6ee5cd..06ee1f045e97 100644
+--- a/drivers/scsi/sd_zbc.c
++++ b/drivers/scsi/sd_zbc.c
+@@ -280,7 +280,7 @@ static void sd_zbc_update_wp_offset_workfn(struct work_struct *work)
+ {
+ struct scsi_disk *sdkp;
+ unsigned long flags;
+- unsigned int zno;
++ sector_t zno;
+ int ret;
+
+ sdkp = container_of(work, struct scsi_disk, zone_wp_offset_work);
+--
+2.33.0
+
--- /dev/null
+From 28fa28cc38d098421aa076e47d4b56ce6b00ecaa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Sep 2021 17:18:09 +0200
+Subject: scsi: target: Fix the pgr/alua_support_store functions
+
+From: Maurizio Lombardi <mlombard@redhat.com>
+
+[ Upstream commit ef7ae7f746e95c6fa4ec2bcfacb949c36263da78 ]
+
+Commit 356ba2a8bc8d ("scsi: target: tcmu: Make pgr_support and alua_support
+attributes writable") introduced support for changeable alua_support and
+pgr_support target attributes. These can only be changed if the backstore
+is user-backed, otherwise the kernel returns -EINVAL.
+
+This triggers a warning in the targetcli/rtslib code when performing a
+target restore that includes non-userbacked backstores:
+
+ # targetctl restore
+ Storage Object block/storage1: Cannot set attribute alua_support:
+ [Errno 22] Invalid argument, skipped
+ Storage Object block/storage1: Cannot set attribute pgr_support:
+ [Errno 22] Invalid argument, skipped
+
+Fix this warning by returning an error code only if we are really going to
+flip the PGR/ALUA bit in the transport_flags field, otherwise we will do
+nothing and return success.
+
+Return ENOSYS instead of EINVAL if the pgr/alua attributes can not be
+changed, this way it will be possible for userspace to understand if the
+operation failed because an invalid value has been passed to strtobool() or
+because the attributes are fixed.
+
+Fixes: 356ba2a8bc8d ("scsi: target: tcmu: Make pgr_support and alua_support attributes writable")
+Link: https://lore.kernel.org/r/20210906151809.52811-1-mlombard@redhat.com
+Reviewed-by: Bodo Stroesser <bostroesser@gmail.com>
+Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/target_core_configfs.c | 32 +++++++++++++++++----------
+ 1 file changed, 20 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/target/target_core_configfs.c b/drivers/target/target_core_configfs.c
+index 102ec644bc8a..023bd4516a68 100644
+--- a/drivers/target/target_core_configfs.c
++++ b/drivers/target/target_core_configfs.c
+@@ -1110,20 +1110,24 @@ static ssize_t alua_support_store(struct config_item *item,
+ {
+ struct se_dev_attrib *da = to_attrib(item);
+ struct se_device *dev = da->da_dev;
+- bool flag;
++ bool flag, oldflag;
+ int ret;
+
++ ret = strtobool(page, &flag);
++ if (ret < 0)
++ return ret;
++
++ oldflag = !(dev->transport_flags & TRANSPORT_FLAG_PASSTHROUGH_ALUA);
++ if (flag == oldflag)
++ return count;
++
+ if (!(dev->transport->transport_flags_changeable &
+ TRANSPORT_FLAG_PASSTHROUGH_ALUA)) {
+ pr_err("dev[%p]: Unable to change SE Device alua_support:"
+ " alua_support has fixed value\n", dev);
+- return -EINVAL;
++ return -ENOSYS;
+ }
+
+- ret = strtobool(page, &flag);
+- if (ret < 0)
+- return ret;
+-
+ if (flag)
+ dev->transport_flags &= ~TRANSPORT_FLAG_PASSTHROUGH_ALUA;
+ else
+@@ -1145,20 +1149,24 @@ static ssize_t pgr_support_store(struct config_item *item,
+ {
+ struct se_dev_attrib *da = to_attrib(item);
+ struct se_device *dev = da->da_dev;
+- bool flag;
++ bool flag, oldflag;
+ int ret;
+
++ ret = strtobool(page, &flag);
++ if (ret < 0)
++ return ret;
++
++ oldflag = !(dev->transport_flags & TRANSPORT_FLAG_PASSTHROUGH_PGR);
++ if (flag == oldflag)
++ return count;
++
+ if (!(dev->transport->transport_flags_changeable &
+ TRANSPORT_FLAG_PASSTHROUGH_PGR)) {
+ pr_err("dev[%p]: Unable to change SE Device pgr_support:"
+ " pgr_support has fixed value\n", dev);
+- return -EINVAL;
++ return -ENOSYS;
+ }
+
+- ret = strtobool(page, &flag);
+- if (ret < 0)
+- return ret;
+-
+ if (flag)
+ dev->transport_flags &= ~TRANSPORT_FLAG_PASSTHROUGH_PGR;
+ else
+--
+2.33.0
+
--- /dev/null
+From 75e34d00f49764c124fd21a46352c204de956370 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Sep 2021 10:54:04 -0700
+Subject: scsi: ufs: core: Unbreak the reset handler
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit d04a968c33684b15d1206e23fc1119ce0f0587fb ]
+
+A command tag is passed as the second argument of the
+__ufshcd_transfer_req_compl() call in ufshcd_eh_device_reset_handler()
+instead of a bitmask. Fix this by passing a bitmask as argument instead of
+a command tag.
+
+Link: https://lore.kernel.org/r/20210916175408.2260084-1-bvanassche@acm.org
+Fixes: a45f937110fa ("scsi: ufs: Optimize host lock on transfer requests send/compl paths")
+Cc: Can Guo <cang@codeaurora.org>
+Reviewed-by: Avri Altman <avri.altman@wdc.com>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ufs/ufshcd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
+index a858e7d998a6..3a204324151a 100644
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -6858,7 +6858,7 @@ static int ufshcd_eh_device_reset_handler(struct scsi_cmnd *cmd)
+ err = ufshcd_clear_cmd(hba, pos);
+ if (err)
+ break;
+- __ufshcd_transfer_req_compl(hba, pos, /*retry_requests=*/true);
++ __ufshcd_transfer_req_compl(hba, 1U << pos, false);
+ }
+ }
+
+--
+2.33.0
+
--- /dev/null
+From 68d6abafede93a988ae2936a0cc3c204071e5e5a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jul 2021 20:34:38 -0700
+Subject: scsi: ufs: Retry aborted SCSI commands instead of completing these
+ successfully
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit 73dc3c4ac703c6fea4b40e8ed1ddd80564da3dea ]
+
+Neither SAM nor the UFS standard require that the UFS controller fills in
+the completion status of commands that have been aborted (LUN RESET aborts
+pending commands). Hence do not rely on the completion status provided by
+the UFS controller for aborted commands but instead ask the SCSI core to
+retry SCSI commands that have been aborted.
+
+Link: https://lore.kernel.org/r/20210722033439.26550-18-bvanassche@acm.org
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Stanley Chu <stanley.chu@mediatek.com>
+Cc: Can Guo <cang@codeaurora.org>
+Cc: Asutosh Das <asutoshd@codeaurora.org>
+Cc: Avri Altman <avri.altman@wdc.com>
+Reviewed-by: Bean Huo <beanhuo@micron.com>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ufs/ufshcd.c | 35 +++++++++++++++++++++++------------
+ 1 file changed, 23 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
+index b43abba84a6f..a858e7d998a6 100644
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -5229,10 +5229,12 @@ static irqreturn_t ufshcd_uic_cmd_compl(struct ufs_hba *hba, u32 intr_status)
+ /**
+ * __ufshcd_transfer_req_compl - handle SCSI and query command completion
+ * @hba: per adapter instance
+- * @completed_reqs: requests to complete
++ * @completed_reqs: bitmask that indicates which requests to complete
++ * @retry_requests: whether to ask the SCSI core to retry completed requests
+ */
+ static void __ufshcd_transfer_req_compl(struct ufs_hba *hba,
+- unsigned long completed_reqs)
++ unsigned long completed_reqs,
++ bool retry_requests)
+ {
+ struct ufshcd_lrb *lrbp;
+ struct scsi_cmnd *cmd;
+@@ -5250,7 +5252,8 @@ static void __ufshcd_transfer_req_compl(struct ufs_hba *hba,
+ if (unlikely(ufshcd_should_inform_monitor(hba, lrbp)))
+ ufshcd_update_monitor(hba, lrbp);
+ ufshcd_add_command_trace(hba, index, UFS_CMD_COMP);
+- result = ufshcd_transfer_rsp_status(hba, lrbp);
++ result = retry_requests ? DID_BUS_BUSY << 16 :
++ ufshcd_transfer_rsp_status(hba, lrbp);
+ scsi_dma_unmap(cmd);
+ cmd->result = result;
+ /* Mark completed command as NULL in LRB */
+@@ -5276,12 +5279,14 @@ static void __ufshcd_transfer_req_compl(struct ufs_hba *hba,
+ /**
+ * ufshcd_transfer_req_compl - handle SCSI and query command completion
+ * @hba: per adapter instance
++ * @retry_requests: whether or not to ask to retry requests
+ *
+ * Returns
+ * IRQ_HANDLED - If interrupt is valid
+ * IRQ_NONE - If invalid interrupt
+ */
+-static irqreturn_t ufshcd_transfer_req_compl(struct ufs_hba *hba)
++static irqreturn_t ufshcd_transfer_req_compl(struct ufs_hba *hba,
++ bool retry_requests)
+ {
+ unsigned long completed_reqs, flags;
+ u32 tr_doorbell;
+@@ -5303,7 +5308,8 @@ static irqreturn_t ufshcd_transfer_req_compl(struct ufs_hba *hba)
+ spin_unlock_irqrestore(hba->host->host_lock, flags);
+
+ if (completed_reqs) {
+- __ufshcd_transfer_req_compl(hba, completed_reqs);
++ __ufshcd_transfer_req_compl(hba, completed_reqs,
++ retry_requests);
+ return IRQ_HANDLED;
+ } else {
+ return IRQ_NONE;
+@@ -5782,7 +5788,13 @@ out:
+ /* Complete requests that have door-bell cleared */
+ static void ufshcd_complete_requests(struct ufs_hba *hba)
+ {
+- ufshcd_transfer_req_compl(hba);
++ ufshcd_transfer_req_compl(hba, /*retry_requests=*/false);
++ ufshcd_tmc_handler(hba);
++}
++
++static void ufshcd_retry_aborted_requests(struct ufs_hba *hba)
++{
++ ufshcd_transfer_req_compl(hba, /*retry_requests=*/true);
+ ufshcd_tmc_handler(hba);
+ }
+
+@@ -6124,8 +6136,7 @@ static void ufshcd_err_handler(struct work_struct *work)
+ }
+
+ lock_skip_pending_xfer_clear:
+- /* Complete the requests that are cleared by s/w */
+- ufshcd_complete_requests(hba);
++ ufshcd_retry_aborted_requests(hba);
+
+ spin_lock_irqsave(hba->host->host_lock, flags);
+ hba->silence_err_logs = false;
+@@ -6423,7 +6434,7 @@ static irqreturn_t ufshcd_sl_intr(struct ufs_hba *hba, u32 intr_status)
+ retval |= ufshcd_tmc_handler(hba);
+
+ if (intr_status & UTP_TRANSFER_REQ_COMPL)
+- retval |= ufshcd_transfer_req_compl(hba);
++ retval |= ufshcd_transfer_req_compl(hba, /*retry_requests=*/false);
+
+ return retval;
+ }
+@@ -6847,7 +6858,7 @@ static int ufshcd_eh_device_reset_handler(struct scsi_cmnd *cmd)
+ err = ufshcd_clear_cmd(hba, pos);
+ if (err)
+ break;
+- __ufshcd_transfer_req_compl(hba, pos);
++ __ufshcd_transfer_req_compl(hba, pos, /*retry_requests=*/true);
+ }
+ }
+
+@@ -7018,7 +7029,7 @@ static int ufshcd_abort(struct scsi_cmnd *cmd)
+ dev_err(hba->dev,
+ "%s: cmd was completed, but without a notifying intr, tag = %d",
+ __func__, tag);
+- __ufshcd_transfer_req_compl(hba, 1UL << tag);
++ __ufshcd_transfer_req_compl(hba, 1UL << tag, /*retry_requests=*/false);
+ goto release;
+ }
+
+@@ -7083,7 +7094,7 @@ static int ufshcd_host_reset_and_restore(struct ufs_hba *hba)
+ */
+ ufshcd_hba_stop(hba);
+ hba->silence_err_logs = true;
+- ufshcd_complete_requests(hba);
++ ufshcd_retry_aborted_requests(hba);
+ hba->silence_err_logs = false;
+
+ /* scale up clocks to max frequency before full reinitialization */
+--
+2.33.0
+
--- /dev/null
+From 0189a929fc6a6a867378e3077a0c128415bf43e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jul 2021 20:34:32 -0700
+Subject: scsi: ufs: Revert "Utilize Transfer Request List Completion
+ Notification Register"
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit 1f522c5049016cfea4f9d131ae9089e6fdba3980 ]
+
+Using the UTRLCNR register involves two MMIO accesses in the hot path while
+using the doorbell register only involves a single MMIO access. Since MMIO
+accesses take time, do not use the UTRLCNR register. The spinlock
+contention on the SCSI host lock that is reintroduced by this commit will
+be addressed later.
+
+This reverts commit 6f7151729647e58ac7c522081255fd0c07b38105.
+
+Link: https://lore.kernel.org/r/20210722033439.26550-12-bvanassche@acm.org
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Stanley Chu <stanley.chu@mediatek.com>
+Cc: Can Guo <cang@codeaurora.org>
+Cc: Asutosh Das <asutoshd@codeaurora.org>
+Cc: Avri Altman <avri.altman@wdc.com>
+Tested-by: Bean Huo <beanhuo@micron.com>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ufs/ufshcd.c | 52 +++++++++++----------------------------
+ drivers/scsi/ufs/ufshcd.h | 5 ----
+ drivers/scsi/ufs/ufshci.h | 1 -
+ 3 files changed, 15 insertions(+), 43 deletions(-)
+
+diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
+index 15ac5fa14805..b43abba84a6f 100644
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -2112,6 +2112,7 @@ static inline
+ void ufshcd_send_command(struct ufs_hba *hba, unsigned int task_tag)
+ {
+ struct ufshcd_lrb *lrbp = &hba->lrb[task_tag];
++ unsigned long flags;
+
+ lrbp->issue_time_stamp = ktime_get();
+ lrbp->compl_time_stamp = ktime_set(0, 0);
+@@ -2120,19 +2121,10 @@ void ufshcd_send_command(struct ufs_hba *hba, unsigned int task_tag)
+ ufshcd_clk_scaling_start_busy(hba);
+ if (unlikely(ufshcd_should_inform_monitor(hba, lrbp)))
+ ufshcd_start_monitor(hba, lrbp);
+- if (ufshcd_has_utrlcnr(hba)) {
+- set_bit(task_tag, &hba->outstanding_reqs);
+- ufshcd_writel(hba, 1 << task_tag,
+- REG_UTP_TRANSFER_REQ_DOOR_BELL);
+- } else {
+- unsigned long flags;
+-
+- spin_lock_irqsave(hba->host->host_lock, flags);
+- set_bit(task_tag, &hba->outstanding_reqs);
+- ufshcd_writel(hba, 1 << task_tag,
+- REG_UTP_TRANSFER_REQ_DOOR_BELL);
+- spin_unlock_irqrestore(hba->host->host_lock, flags);
+- }
++ spin_lock_irqsave(hba->host->host_lock, flags);
++ set_bit(task_tag, &hba->outstanding_reqs);
++ ufshcd_writel(hba, 1 << task_tag, REG_UTP_TRANSFER_REQ_DOOR_BELL);
++ spin_unlock_irqrestore(hba->host->host_lock, flags);
+ /* Make sure that doorbell is committed immediately */
+ wmb();
+ }
+@@ -5282,17 +5274,17 @@ static void __ufshcd_transfer_req_compl(struct ufs_hba *hba,
+ }
+
+ /**
+- * ufshcd_trc_handler - handle transfer requests completion
++ * ufshcd_transfer_req_compl - handle SCSI and query command completion
+ * @hba: per adapter instance
+- * @use_utrlcnr: get completed requests from UTRLCNR
+ *
+ * Returns
+ * IRQ_HANDLED - If interrupt is valid
+ * IRQ_NONE - If invalid interrupt
+ */
+-static irqreturn_t ufshcd_trc_handler(struct ufs_hba *hba, bool use_utrlcnr)
++static irqreturn_t ufshcd_transfer_req_compl(struct ufs_hba *hba)
+ {
+- unsigned long completed_reqs = 0;
++ unsigned long completed_reqs, flags;
++ u32 tr_doorbell;
+
+ /* Resetting interrupt aggregation counters first and reading the
+ * DOOR_BELL afterward allows us to handle all the completed requests.
+@@ -5305,24 +5297,10 @@ static irqreturn_t ufshcd_trc_handler(struct ufs_hba *hba, bool use_utrlcnr)
+ !(hba->quirks & UFSHCI_QUIRK_SKIP_RESET_INTR_AGGR))
+ ufshcd_reset_intr_aggr(hba);
+
+- if (use_utrlcnr) {
+- u32 utrlcnr;
+-
+- utrlcnr = ufshcd_readl(hba, REG_UTP_TRANSFER_REQ_LIST_COMPL);
+- if (utrlcnr) {
+- ufshcd_writel(hba, utrlcnr,
+- REG_UTP_TRANSFER_REQ_LIST_COMPL);
+- completed_reqs = utrlcnr;
+- }
+- } else {
+- unsigned long flags;
+- u32 tr_doorbell;
+-
+- spin_lock_irqsave(hba->host->host_lock, flags);
+- tr_doorbell = ufshcd_readl(hba, REG_UTP_TRANSFER_REQ_DOOR_BELL);
+- completed_reqs = tr_doorbell ^ hba->outstanding_reqs;
+- spin_unlock_irqrestore(hba->host->host_lock, flags);
+- }
++ spin_lock_irqsave(hba->host->host_lock, flags);
++ tr_doorbell = ufshcd_readl(hba, REG_UTP_TRANSFER_REQ_DOOR_BELL);
++ completed_reqs = tr_doorbell ^ hba->outstanding_reqs;
++ spin_unlock_irqrestore(hba->host->host_lock, flags);
+
+ if (completed_reqs) {
+ __ufshcd_transfer_req_compl(hba, completed_reqs);
+@@ -5804,7 +5782,7 @@ out:
+ /* Complete requests that have door-bell cleared */
+ static void ufshcd_complete_requests(struct ufs_hba *hba)
+ {
+- ufshcd_trc_handler(hba, false);
++ ufshcd_transfer_req_compl(hba);
+ ufshcd_tmc_handler(hba);
+ }
+
+@@ -6445,7 +6423,7 @@ static irqreturn_t ufshcd_sl_intr(struct ufs_hba *hba, u32 intr_status)
+ retval |= ufshcd_tmc_handler(hba);
+
+ if (intr_status & UTP_TRANSFER_REQ_COMPL)
+- retval |= ufshcd_trc_handler(hba, ufshcd_has_utrlcnr(hba));
++ retval |= ufshcd_transfer_req_compl(hba);
+
+ return retval;
+ }
+diff --git a/drivers/scsi/ufs/ufshcd.h b/drivers/scsi/ufs/ufshcd.h
+index 194755c9ddfe..86d4765a17b8 100644
+--- a/drivers/scsi/ufs/ufshcd.h
++++ b/drivers/scsi/ufs/ufshcd.h
+@@ -1160,11 +1160,6 @@ static inline u32 ufshcd_vops_get_ufs_hci_version(struct ufs_hba *hba)
+ return ufshcd_readl(hba, REG_UFS_VERSION);
+ }
+
+-static inline bool ufshcd_has_utrlcnr(struct ufs_hba *hba)
+-{
+- return (hba->ufs_version >= ufshci_version(3, 0));
+-}
+-
+ static inline int ufshcd_vops_clk_scale_notify(struct ufs_hba *hba,
+ bool up, enum ufs_notify_change_status status)
+ {
+diff --git a/drivers/scsi/ufs/ufshci.h b/drivers/scsi/ufs/ufshci.h
+index 5affb1fce5ad..de95be5d11d4 100644
+--- a/drivers/scsi/ufs/ufshci.h
++++ b/drivers/scsi/ufs/ufshci.h
+@@ -39,7 +39,6 @@ enum {
+ REG_UTP_TRANSFER_REQ_DOOR_BELL = 0x58,
+ REG_UTP_TRANSFER_REQ_LIST_CLEAR = 0x5C,
+ REG_UTP_TRANSFER_REQ_LIST_RUN_STOP = 0x60,
+- REG_UTP_TRANSFER_REQ_LIST_COMPL = 0x64,
+ REG_UTP_TASK_REQ_LIST_BASE_L = 0x70,
+ REG_UTP_TASK_REQ_LIST_BASE_H = 0x74,
+ REG_UTP_TASK_REQ_DOOR_BELL = 0x78,
+--
+2.33.0
+
atlantic-fix-issue-in-the-pm-resume-flow.patch
drm-amdkfd-map-svm-range-with-correct-access-permiss.patch
drm-amdkfd-fix-dma-mapping-leaking-warning.patch
+scsi-iscsi-adjust-iface-sysfs-attr-detection.patch
+scsi-target-fix-the-pgr-alua_support_store-functions.patch
+tty-synclink_gt-rename-a-conflicting-function-name.patch
+fpga-machxo2-spi-return-an-error-on-failure.patch
+fpga-machxo2-spi-fix-missing-error-code-in-machxo2_w.patch
+x86-fault-fix-wrong-signal-when-vsyscall-fails-with-.patch
+nvme-tcp-fix-incorrect-h2cdata-pdu-offset-accounting.patch
+nvme-keep-ctrl-namespaces-ordered.patch
+thermal-core-potential-buffer-overflow-in-thermal_bu.patch
+cifs-fix-a-sign-extension-bug.patch
+scsi-sd_zbc-support-disks-with-more-than-2-32-logica.patch
+scsi-ufs-revert-utilize-transfer-request-list-comple.patch
+scsi-ufs-retry-aborted-scsi-commands-instead-of-comp.patch
+scsi-ufs-core-unbreak-the-reset-handler.patch
+scsi-qla2xxx-restore-initiator-in-dual-mode.patch
+scsi-lpfc-use-correct-scnprintf-limit.patch
+irqchip-goldfish-pic-select-generic_irq_chip-to-fix-.patch
+irqchip-gic-v3-its-fix-potential-vpe-leak-on-error.patch
+md-fix-a-lock-order-reversal-in-md_alloc.patch
+x86-asm-fix-setz-size-enqcmds-build-failure.patch
+io_uring-fix-race-between-poll-completion-and-cancel.patch
+io_uring-fix-missing-set-of-epolloneshot-for-cq-ring.patch
+io_uring-put-provided-buffer-meta-data-under-memcg-a.patch
+io_uring-don-t-punt-files-update-to-io-wq-unconditio.patch
+blktrace-fix-uaf-in-blk_trace-access-after-removing-.patch
+net-phylink-update-sfp-selected-interface-on-adverti.patch
+net-macb-fix-use-after-free-on-rmmod.patch
+net-stmmac-allow-csr-clock-of-300mhz.patch
+blk-mq-avoid-to-iterate-over-stale-request.patch
+m68k-double-cast-io-functions-to-unsigned-long.patch
+ipv6-delay-fib6_sernum-increase-in-fib6_add.patch
+dma-debug-prevent-an-error-message-from-causing-runt.patch
+cpufreq-intel_pstate-override-parameters-if-hwp-forc.patch
+bpf-add-oversize-check-before-call-kvcalloc.patch
+xen-balloon-use-a-kernel-thread-instead-a-workqueue.patch
+nvme-multipath-fix-ana-state-updates-when-a-namespac.patch
+nvme-rdma-destroy-cm-id-before-destroy-qp-to-avoid-u.patch
+sparc32-page-align-size-in-arch_dma_alloc.patch
+amd-display-downgrade-validation-failure-log-level.patch
+drm-ttm-fix-type-mismatch-error-on-sparc64.patch
+block-check-if-a-profile-is-actually-registered-in-b.patch
+block-flush-the-integrity-workqueue-in-blk_integrity.patch
+blk-cgroup-fix-uaf-by-grabbing-blkcg-lock-before-des.patch
+compiler.h-introduce-absolute_pointer-macro.patch
+net-i825xx-use-absolute_pointer-for-memcpy-from-fixe.patch
+sparc-avoid-stringop-overread-errors.patch
+qnx4-avoid-stringop-overread-errors.patch
+parisc-use-absolute_pointer-to-define-page0.patch
+drm-amdkfd-make-needs_pcie_atomics-fw-version-depend.patch
+drm-amd-display-fix-unstable-hpcp-compliance-on-chro.patch
+drm-amd-display-link-training-retry-fix-for-abort-ca.patch
+amd-display-enable-panel-orientation-quirks.patch
+arm64-mark-__stack_chk_guard-as-__ro_after_init.patch
+alpha-declare-virt_to_phys-and-virt_to_bus-parameter.patch
+net-6pack-fix-tx-timeout-and-slot-time.patch
+spi-fix-tegra20-build-with-config_pm-n.patch
+libperf-evsel-make-use-of-fd-robust.patch
+revert-drm-vc4-hdmi-runtime-pm-changes.patch
--- /dev/null
+From bd1cca633bd4949d4f953cb8a2109461071b4e43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Sep 2021 16:06:04 -0700
+Subject: sparc: avoid stringop-overread errors
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+[ Upstream commit fc7c028dcdbfe981bca75d2a7b95f363eb691ef3 ]
+
+The sparc mdesc code does pointer games with 'struct mdesc_hdr', but
+didn't describe to the compiler how that header is then followed by the
+data that the header describes.
+
+As a result, gcc is now unhappy since it does stricter pointer range
+tracking, and doesn't understand about how these things work. This
+results in various errors like:
+
+ arch/sparc/kernel/mdesc.c: In function ‘mdesc_node_by_name’:
+ arch/sparc/kernel/mdesc.c:647:22: error: ‘strcmp’ reading 1 or more bytes from a region of size 0 [-Werror=stringop-overread]
+ 647 | if (!strcmp(names + ep[ret].name_offset, name))
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+which are easily avoided by just describing 'struct mdesc_hdr' better,
+and making the node_block() helper function look into that unsized
+data[] that follows the header.
+
+This makes the sparc64 build happy again at least for my cross-compiler
+version (gcc version 11.2.1).
+
+Link: https://lore.kernel.org/lkml/CAHk-=wi4NW3NC0xWykkw=6LnjQD6D_rtRtxY9g8gQAJXtQMi8A@mail.gmail.com/
+Cc: Guenter Roeck <linux@roeck-us.net>
+Cc: David S. Miller <davem@davemloft.net>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/sparc/kernel/mdesc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/sparc/kernel/mdesc.c b/arch/sparc/kernel/mdesc.c
+index 8e645ddac58e..30f171b7b00c 100644
+--- a/arch/sparc/kernel/mdesc.c
++++ b/arch/sparc/kernel/mdesc.c
+@@ -39,6 +39,7 @@ struct mdesc_hdr {
+ u32 node_sz; /* node block size */
+ u32 name_sz; /* name block size */
+ u32 data_sz; /* data block size */
++ char data[];
+ } __attribute__((aligned(16)));
+
+ struct mdesc_elem {
+@@ -612,7 +613,7 @@ EXPORT_SYMBOL(mdesc_get_node_info);
+
+ static struct mdesc_elem *node_block(struct mdesc_hdr *mdesc)
+ {
+- return (struct mdesc_elem *) (mdesc + 1);
++ return (struct mdesc_elem *) mdesc->data;
+ }
+
+ static void *name_block(struct mdesc_hdr *mdesc)
+--
+2.33.0
+
--- /dev/null
+From ecf21571e1a25b24e3acc7f8fa5ae0aefd3e5b83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Sep 2021 09:48:22 +0200
+Subject: sparc32: page align size in arch_dma_alloc
+
+From: Andreas Larsson <andreas@gaisler.com>
+
+[ Upstream commit 59583f747664046aaae5588d56d5954fab66cce8 ]
+
+Commit 53b7670e5735 ("sparc: factor the dma coherent mapping into
+helper") lost the page align for the calls to dma_make_coherent and
+srmmu_unmapiorange. The latter cannot handle a non page aligned len
+argument.
+
+Signed-off-by: Andreas Larsson <andreas@gaisler.com>
+Reviewed-by: Sam Ravnborg <sam@ravnborg.org>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/sparc/kernel/ioport.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/sparc/kernel/ioport.c b/arch/sparc/kernel/ioport.c
+index 8e1d72a16759..7ceae24b0ca9 100644
+--- a/arch/sparc/kernel/ioport.c
++++ b/arch/sparc/kernel/ioport.c
+@@ -356,7 +356,9 @@ err_nomem:
+ void arch_dma_free(struct device *dev, size_t size, void *cpu_addr,
+ dma_addr_t dma_addr, unsigned long attrs)
+ {
+- if (!sparc_dma_free_resource(cpu_addr, PAGE_ALIGN(size)))
++ size = PAGE_ALIGN(size);
++
++ if (!sparc_dma_free_resource(cpu_addr, size))
+ return;
+
+ dma_make_coherent(dma_addr, size);
+--
+2.33.0
+
--- /dev/null
+From 2712e1e306fd7c8b98b1faafa5b49fd395110118 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Sep 2021 10:05:06 -0700
+Subject: spi: Fix tegra20 build with CONFIG_PM=n
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+[ Upstream commit efafec27c5658ed987e720130772f8933c685e87 ]
+
+Without CONFIG_PM enabled, the SET_RUNTIME_PM_OPS() macro ends up being
+empty, and the only use of tegra_slink_runtime_{resume,suspend} goes
+away, resulting in
+
+ drivers/spi/spi-tegra20-slink.c:1200:12: error: ‘tegra_slink_runtime_resume’ defined but not used [-Werror=unused-function]
+ 1200 | static int tegra_slink_runtime_resume(struct device *dev)
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~
+ drivers/spi/spi-tegra20-slink.c:1188:12: error: ‘tegra_slink_runtime_suspend’ defined but not used [-Werror=unused-function]
+ 1188 | static int tegra_slink_runtime_suspend(struct device *dev)
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+mark the functions __maybe_unused to make the build happy.
+
+This hits the alpha allmodconfig build (and others).
+
+Reported-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-tegra20-slink.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/spi/spi-tegra20-slink.c b/drivers/spi/spi-tegra20-slink.c
+index 6a726c95ac7a..dc1a6899ba3b 100644
+--- a/drivers/spi/spi-tegra20-slink.c
++++ b/drivers/spi/spi-tegra20-slink.c
+@@ -1206,7 +1206,7 @@ static int tegra_slink_resume(struct device *dev)
+ }
+ #endif
+
+-static int tegra_slink_runtime_suspend(struct device *dev)
++static int __maybe_unused tegra_slink_runtime_suspend(struct device *dev)
+ {
+ struct spi_master *master = dev_get_drvdata(dev);
+ struct tegra_slink_data *tspi = spi_master_get_devdata(master);
+@@ -1218,7 +1218,7 @@ static int tegra_slink_runtime_suspend(struct device *dev)
+ return 0;
+ }
+
+-static int tegra_slink_runtime_resume(struct device *dev)
++static int __maybe_unused tegra_slink_runtime_resume(struct device *dev)
+ {
+ struct spi_master *master = dev_get_drvdata(dev);
+ struct tegra_slink_data *tspi = spi_master_get_devdata(master);
+--
+2.33.0
+
--- /dev/null
+From 743b225785c5fd7d49f618ec140171ca52a2d41b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Sep 2021 16:13:42 +0300
+Subject: thermal/core: Potential buffer overflow in
+ thermal_build_list_of_policies()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 1bb30b20b49773369c299d4d6c65227201328663 ]
+
+After printing the list of thermal governors, then this function prints
+a newline character. The problem is that "size" has not been updated
+after printing the last governor. This means that it can write one
+character (the NUL terminator) beyond the end of the buffer.
+
+Get rid of the "size" variable and just use "PAGE_SIZE - count" directly.
+
+Fixes: 1b4f48494eb2 ("thermal: core: group functions related to governor handling")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Link: https://lore.kernel.org/r/20210916131342.GB25094@kili
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/thermal_core.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c
+index 97ef9b040b84..51374f4e1cca 100644
+--- a/drivers/thermal/thermal_core.c
++++ b/drivers/thermal/thermal_core.c
+@@ -222,15 +222,14 @@ int thermal_build_list_of_policies(char *buf)
+ {
+ struct thermal_governor *pos;
+ ssize_t count = 0;
+- ssize_t size = PAGE_SIZE;
+
+ mutex_lock(&thermal_governor_lock);
+
+ list_for_each_entry(pos, &thermal_governor_list, governor_list) {
+- size = PAGE_SIZE - count;
+- count += scnprintf(buf + count, size, "%s ", pos->name);
++ count += scnprintf(buf + count, PAGE_SIZE - count, "%s ",
++ pos->name);
+ }
+- count += scnprintf(buf + count, size, "\n");
++ count += scnprintf(buf + count, PAGE_SIZE - count, "\n");
+
+ mutex_unlock(&thermal_governor_lock);
+
+--
+2.33.0
+
--- /dev/null
+From 82c7a9c24961e75e15fcecb0ea60b73eb48fc794 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Sep 2021 17:38:06 -0700
+Subject: tty: synclink_gt: rename a conflicting function name
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 06e49073dfba24df4b1073a068631b13a0039c34 ]
+
+'set_signals()' in synclink_gt.c conflicts with an exported symbol
+in arch/um/, so change set_signals() to set_gtsignals(). Keep
+the function names similar by also changing get_signals() to
+get_gtsignals().
+
+../drivers/tty/synclink_gt.c:442:13: error: conflicting types for ‘set_signals’
+ static void set_signals(struct slgt_info *info);
+ ^~~~~~~~~~~
+In file included from ../include/linux/irqflags.h:16:0,
+ from ../include/linux/spinlock.h:58,
+ from ../include/linux/mm_types.h:9,
+ from ../include/linux/buildid.h:5,
+ from ../include/linux/module.h:14,
+ from ../drivers/tty/synclink_gt.c:46:
+../arch/um/include/asm/irqflags.h:6:5: note: previous declaration of ‘set_signals’ was here
+ int set_signals(int enable);
+ ^~~~~~~~~~~
+
+Fixes: 705b6c7b34f2 ("[PATCH] new driver synclink_gt")
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Jiri Slaby <jirislaby@kernel.org>
+Cc: Paul Fulghum <paulkf@microgate.com>
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Link: https://lore.kernel.org/r/20210902003806.17054-1-rdunlap@infradead.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/synclink_gt.c | 44 +++++++++++++++++++--------------------
+ 1 file changed, 22 insertions(+), 22 deletions(-)
+
+diff --git a/drivers/tty/synclink_gt.c b/drivers/tty/synclink_gt.c
+index 5bb928b7873e..2f5fbd7db7ca 100644
+--- a/drivers/tty/synclink_gt.c
++++ b/drivers/tty/synclink_gt.c
+@@ -438,8 +438,8 @@ static void reset_tbufs(struct slgt_info *info);
+ static void tdma_reset(struct slgt_info *info);
+ static bool tx_load(struct slgt_info *info, const char *buf, unsigned int count);
+
+-static void get_signals(struct slgt_info *info);
+-static void set_signals(struct slgt_info *info);
++static void get_gtsignals(struct slgt_info *info);
++static void set_gtsignals(struct slgt_info *info);
+ static void set_rate(struct slgt_info *info, u32 data_rate);
+
+ static void bh_transmit(struct slgt_info *info);
+@@ -720,7 +720,7 @@ static void set_termios(struct tty_struct *tty, struct ktermios *old_termios)
+ if ((old_termios->c_cflag & CBAUD) && !C_BAUD(tty)) {
+ info->signals &= ~(SerialSignal_RTS | SerialSignal_DTR);
+ spin_lock_irqsave(&info->lock,flags);
+- set_signals(info);
++ set_gtsignals(info);
+ spin_unlock_irqrestore(&info->lock,flags);
+ }
+
+@@ -730,7 +730,7 @@ static void set_termios(struct tty_struct *tty, struct ktermios *old_termios)
+ if (!C_CRTSCTS(tty) || !tty_throttled(tty))
+ info->signals |= SerialSignal_RTS;
+ spin_lock_irqsave(&info->lock,flags);
+- set_signals(info);
++ set_gtsignals(info);
+ spin_unlock_irqrestore(&info->lock,flags);
+ }
+
+@@ -1181,7 +1181,7 @@ static inline void line_info(struct seq_file *m, struct slgt_info *info)
+
+ /* output current serial signal states */
+ spin_lock_irqsave(&info->lock,flags);
+- get_signals(info);
++ get_gtsignals(info);
+ spin_unlock_irqrestore(&info->lock,flags);
+
+ stat_buf[0] = 0;
+@@ -1281,7 +1281,7 @@ static void throttle(struct tty_struct * tty)
+ if (C_CRTSCTS(tty)) {
+ spin_lock_irqsave(&info->lock,flags);
+ info->signals &= ~SerialSignal_RTS;
+- set_signals(info);
++ set_gtsignals(info);
+ spin_unlock_irqrestore(&info->lock,flags);
+ }
+ }
+@@ -1306,7 +1306,7 @@ static void unthrottle(struct tty_struct * tty)
+ if (C_CRTSCTS(tty)) {
+ spin_lock_irqsave(&info->lock,flags);
+ info->signals |= SerialSignal_RTS;
+- set_signals(info);
++ set_gtsignals(info);
+ spin_unlock_irqrestore(&info->lock,flags);
+ }
+ }
+@@ -1477,7 +1477,7 @@ static int hdlcdev_open(struct net_device *dev)
+
+ /* inform generic HDLC layer of current DCD status */
+ spin_lock_irqsave(&info->lock, flags);
+- get_signals(info);
++ get_gtsignals(info);
+ spin_unlock_irqrestore(&info->lock, flags);
+ if (info->signals & SerialSignal_DCD)
+ netif_carrier_on(dev);
+@@ -2232,7 +2232,7 @@ static void isr_txeom(struct slgt_info *info, unsigned short status)
+ if (info->params.mode != MGSL_MODE_ASYNC && info->drop_rts_on_tx_done) {
+ info->signals &= ~SerialSignal_RTS;
+ info->drop_rts_on_tx_done = false;
+- set_signals(info);
++ set_gtsignals(info);
+ }
+
+ #if SYNCLINK_GENERIC_HDLC
+@@ -2397,7 +2397,7 @@ static void shutdown(struct slgt_info *info)
+
+ if (!info->port.tty || info->port.tty->termios.c_cflag & HUPCL) {
+ info->signals &= ~(SerialSignal_RTS | SerialSignal_DTR);
+- set_signals(info);
++ set_gtsignals(info);
+ }
+
+ flush_cond_wait(&info->gpio_wait_q);
+@@ -2425,7 +2425,7 @@ static void program_hw(struct slgt_info *info)
+ else
+ async_mode(info);
+
+- set_signals(info);
++ set_gtsignals(info);
+
+ info->dcd_chkcount = 0;
+ info->cts_chkcount = 0;
+@@ -2433,7 +2433,7 @@ static void program_hw(struct slgt_info *info)
+ info->dsr_chkcount = 0;
+
+ slgt_irq_on(info, IRQ_DCD | IRQ_CTS | IRQ_DSR | IRQ_RI);
+- get_signals(info);
++ get_gtsignals(info);
+
+ if (info->netcount ||
+ (info->port.tty && info->port.tty->termios.c_cflag & CREAD))
+@@ -2670,7 +2670,7 @@ static int wait_mgsl_event(struct slgt_info *info, int __user *mask_ptr)
+ spin_lock_irqsave(&info->lock,flags);
+
+ /* return immediately if state matches requested events */
+- get_signals(info);
++ get_gtsignals(info);
+ s = info->signals;
+
+ events = mask &
+@@ -3088,7 +3088,7 @@ static int tiocmget(struct tty_struct *tty)
+ unsigned long flags;
+
+ spin_lock_irqsave(&info->lock,flags);
+- get_signals(info);
++ get_gtsignals(info);
+ spin_unlock_irqrestore(&info->lock,flags);
+
+ result = ((info->signals & SerialSignal_RTS) ? TIOCM_RTS:0) +
+@@ -3127,7 +3127,7 @@ static int tiocmset(struct tty_struct *tty,
+ info->signals &= ~SerialSignal_DTR;
+
+ spin_lock_irqsave(&info->lock,flags);
+- set_signals(info);
++ set_gtsignals(info);
+ spin_unlock_irqrestore(&info->lock,flags);
+ return 0;
+ }
+@@ -3138,7 +3138,7 @@ static int carrier_raised(struct tty_port *port)
+ struct slgt_info *info = container_of(port, struct slgt_info, port);
+
+ spin_lock_irqsave(&info->lock,flags);
+- get_signals(info);
++ get_gtsignals(info);
+ spin_unlock_irqrestore(&info->lock,flags);
+ return (info->signals & SerialSignal_DCD) ? 1 : 0;
+ }
+@@ -3153,7 +3153,7 @@ static void dtr_rts(struct tty_port *port, int on)
+ info->signals |= SerialSignal_RTS | SerialSignal_DTR;
+ else
+ info->signals &= ~(SerialSignal_RTS | SerialSignal_DTR);
+- set_signals(info);
++ set_gtsignals(info);
+ spin_unlock_irqrestore(&info->lock,flags);
+ }
+
+@@ -3951,10 +3951,10 @@ static void tx_start(struct slgt_info *info)
+
+ if (info->params.mode != MGSL_MODE_ASYNC) {
+ if (info->params.flags & HDLC_FLAG_AUTO_RTS) {
+- get_signals(info);
++ get_gtsignals(info);
+ if (!(info->signals & SerialSignal_RTS)) {
+ info->signals |= SerialSignal_RTS;
+- set_signals(info);
++ set_gtsignals(info);
+ info->drop_rts_on_tx_done = true;
+ }
+ }
+@@ -4008,7 +4008,7 @@ static void reset_port(struct slgt_info *info)
+ rx_stop(info);
+
+ info->signals &= ~(SerialSignal_RTS | SerialSignal_DTR);
+- set_signals(info);
++ set_gtsignals(info);
+
+ slgt_irq_off(info, IRQ_ALL | IRQ_MASTER);
+ }
+@@ -4430,7 +4430,7 @@ static void tx_set_idle(struct slgt_info *info)
+ /*
+ * get state of V24 status (input) signals
+ */
+-static void get_signals(struct slgt_info *info)
++static void get_gtsignals(struct slgt_info *info)
+ {
+ unsigned short status = rd_reg16(info, SSR);
+
+@@ -4492,7 +4492,7 @@ static void msc_set_vcr(struct slgt_info *info)
+ /*
+ * set state of V24 control (output) signals
+ */
+-static void set_signals(struct slgt_info *info)
++static void set_gtsignals(struct slgt_info *info)
+ {
+ unsigned char val = rd_reg8(info, VCR);
+ if (info->signals & SerialSignal_DTR)
+--
+2.33.0
+
--- /dev/null
+From 3c7900992e1ed1197ff20ebf44b0c1a601c43f04 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Sep 2021 15:33:32 -0700
+Subject: x86/asm: Fix SETZ size enqcmds() build failure
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit d81ff5fe14a950f53e2833cfa196e7bb3fd5d4e3 ]
+
+When building under GCC 4.9 and 5.5:
+
+ arch/x86/include/asm/special_insns.h: Assembler messages:
+ arch/x86/include/asm/special_insns.h:286: Error: operand size mismatch for `setz'
+
+Change the type to "bool" for condition code arguments, as documented.
+
+Fixes: 7f5933f81bd8 ("x86/asm: Add an enqcmds() wrapper for the ENQCMDS instruction")
+Co-developed-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Link: https://lkml.kernel.org/r/20210910223332.3224851-1-keescook@chromium.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/special_insns.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/include/asm/special_insns.h b/arch/x86/include/asm/special_insns.h
+index f3fbb84ff8a7..68c257a3de0d 100644
+--- a/arch/x86/include/asm/special_insns.h
++++ b/arch/x86/include/asm/special_insns.h
+@@ -275,7 +275,7 @@ static inline int enqcmds(void __iomem *dst, const void *src)
+ {
+ const struct { char _[64]; } *__src = src;
+ struct { char _[64]; } __iomem *__dst = dst;
+- int zf;
++ bool zf;
+
+ /*
+ * ENQCMDS %(rdx), rax
+--
+2.33.0
+
--- /dev/null
+From a2ea08f2477036015aa4910bd51c1cd366876ca7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Jul 2021 11:01:52 +0800
+Subject: x86/fault: Fix wrong signal when vsyscall fails with pkey
+
+From: Jiashuo Liang <liangjs@pku.edu.cn>
+
+[ Upstream commit d4ffd5df9d18031b6a53f934388726775b4452d3 ]
+
+The function __bad_area_nosemaphore() calls kernelmode_fixup_or_oops()
+with the parameter @signal being actually @pkey, which will send a
+signal numbered with the argument in @pkey.
+
+This bug can be triggered when the kernel fails to access user-given
+memory pages that are protected by a pkey, so it can go down the
+do_user_addr_fault() path and pass the !user_mode() check in
+__bad_area_nosemaphore().
+
+Most cases will simply run the kernel fixup code to make an -EFAULT. But
+when another condition current->thread.sig_on_uaccess_err is met, which
+is only used to emulate vsyscall, the kernel will generate the wrong
+signal.
+
+Add a new parameter @pkey to kernelmode_fixup_or_oops() to fix this.
+
+ [ bp: Massage commit message, fix build error as reported by the 0day
+ bot: https://lkml.kernel.org/r/202109202245.APvuT8BX-lkp@intel.com ]
+
+Fixes: 5042d40a264c ("x86/fault: Bypass no_context() for implicit kernel faults from usermode")
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Jiashuo Liang <liangjs@pku.edu.cn>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
+Link: https://lkml.kernel.org/r/20210730030152.249106-1-liangjs@pku.edu.cn
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/pkeys.h | 2 --
+ arch/x86/mm/fault.c | 26 ++++++++++++++++++--------
+ include/linux/pkeys.h | 2 ++
+ 3 files changed, 20 insertions(+), 10 deletions(-)
+
+diff --git a/arch/x86/include/asm/pkeys.h b/arch/x86/include/asm/pkeys.h
+index 5c7bcaa79623..1d5f14aff5f6 100644
+--- a/arch/x86/include/asm/pkeys.h
++++ b/arch/x86/include/asm/pkeys.h
+@@ -2,8 +2,6 @@
+ #ifndef _ASM_X86_PKEYS_H
+ #define _ASM_X86_PKEYS_H
+
+-#define ARCH_DEFAULT_PKEY 0
+-
+ /*
+ * If more than 16 keys are ever supported, a thorough audit
+ * will be necessary to ensure that the types that store key
+diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
+index b2eefdefc108..84a2c8c4af73 100644
+--- a/arch/x86/mm/fault.c
++++ b/arch/x86/mm/fault.c
+@@ -710,7 +710,8 @@ oops:
+
+ static noinline void
+ kernelmode_fixup_or_oops(struct pt_regs *regs, unsigned long error_code,
+- unsigned long address, int signal, int si_code)
++ unsigned long address, int signal, int si_code,
++ u32 pkey)
+ {
+ WARN_ON_ONCE(user_mode(regs));
+
+@@ -735,8 +736,12 @@ kernelmode_fixup_or_oops(struct pt_regs *regs, unsigned long error_code,
+
+ set_signal_archinfo(address, error_code);
+
+- /* XXX: hwpoison faults will set the wrong code. */
+- force_sig_fault(signal, si_code, (void __user *)address);
++ if (si_code == SEGV_PKUERR) {
++ force_sig_pkuerr((void __user *)address, pkey);
++ } else {
++ /* XXX: hwpoison faults will set the wrong code. */
++ force_sig_fault(signal, si_code, (void __user *)address);
++ }
+ }
+
+ /*
+@@ -798,7 +803,8 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code,
+ struct task_struct *tsk = current;
+
+ if (!user_mode(regs)) {
+- kernelmode_fixup_or_oops(regs, error_code, address, pkey, si_code);
++ kernelmode_fixup_or_oops(regs, error_code, address,
++ SIGSEGV, si_code, pkey);
+ return;
+ }
+
+@@ -930,7 +936,8 @@ do_sigbus(struct pt_regs *regs, unsigned long error_code, unsigned long address,
+ {
+ /* Kernel mode? Handle exceptions or die: */
+ if (!user_mode(regs)) {
+- kernelmode_fixup_or_oops(regs, error_code, address, SIGBUS, BUS_ADRERR);
++ kernelmode_fixup_or_oops(regs, error_code, address,
++ SIGBUS, BUS_ADRERR, ARCH_DEFAULT_PKEY);
+ return;
+ }
+
+@@ -1396,7 +1403,8 @@ good_area:
+ */
+ if (!user_mode(regs))
+ kernelmode_fixup_or_oops(regs, error_code, address,
+- SIGBUS, BUS_ADRERR);
++ SIGBUS, BUS_ADRERR,
++ ARCH_DEFAULT_PKEY);
+ return;
+ }
+
+@@ -1416,7 +1424,8 @@ good_area:
+ return;
+
+ if (fatal_signal_pending(current) && !user_mode(regs)) {
+- kernelmode_fixup_or_oops(regs, error_code, address, 0, 0);
++ kernelmode_fixup_or_oops(regs, error_code, address,
++ 0, 0, ARCH_DEFAULT_PKEY);
+ return;
+ }
+
+@@ -1424,7 +1433,8 @@ good_area:
+ /* Kernel mode? Handle exceptions or die: */
+ if (!user_mode(regs)) {
+ kernelmode_fixup_or_oops(regs, error_code, address,
+- SIGSEGV, SEGV_MAPERR);
++ SIGSEGV, SEGV_MAPERR,
++ ARCH_DEFAULT_PKEY);
+ return;
+ }
+
+diff --git a/include/linux/pkeys.h b/include/linux/pkeys.h
+index 6beb26b7151d..86be8bf27b41 100644
+--- a/include/linux/pkeys.h
++++ b/include/linux/pkeys.h
+@@ -4,6 +4,8 @@
+
+ #include <linux/mm.h>
+
++#define ARCH_DEFAULT_PKEY 0
++
+ #ifdef CONFIG_ARCH_HAS_PKEYS
+ #include <asm/pkeys.h>
+ #else /* ! CONFIG_ARCH_HAS_PKEYS */
+--
+2.33.0
+
--- /dev/null
+From 1c19dc1a6dcd5f65af3fa67761aa15121ab1d025 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Aug 2021 14:32:06 +0200
+Subject: xen/balloon: use a kernel thread instead a workqueue
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit 8480ed9c2bbd56fc86524998e5f2e3e22f5038f6 ]
+
+Today the Xen ballooning is done via delayed work in a workqueue. This
+might result in workqueue hangups being reported in case of large
+amounts of memory are being ballooned in one go (here 16GB):
+
+BUG: workqueue lockup - pool cpus=6 node=0 flags=0x0 nice=0 stuck for 64s!
+Showing busy workqueues and worker pools:
+workqueue events: flags=0x0
+ pwq 12: cpus=6 node=0 flags=0x0 nice=0 active=2/256 refcnt=3
+ in-flight: 229:balloon_process
+ pending: cache_reap
+workqueue events_freezable_power_: flags=0x84
+ pwq 12: cpus=6 node=0 flags=0x0 nice=0 active=1/256 refcnt=2
+ pending: disk_events_workfn
+workqueue mm_percpu_wq: flags=0x8
+ pwq 12: cpus=6 node=0 flags=0x0 nice=0 active=1/256 refcnt=2
+ pending: vmstat_update
+pool 12: cpus=6 node=0 flags=0x0 nice=0 hung=64s workers=3 idle: 2222 43
+
+This can easily be avoided by using a dedicated kernel thread for doing
+the ballooning work.
+
+Reported-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Link: https://lore.kernel.org/r/20210827123206.15429-1-jgross@suse.com
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/xen/balloon.c | 62 +++++++++++++++++++++++++++++++------------
+ 1 file changed, 45 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c
+index 671c71245a7b..2d2803883306 100644
+--- a/drivers/xen/balloon.c
++++ b/drivers/xen/balloon.c
+@@ -43,6 +43,8 @@
+ #include <linux/sched.h>
+ #include <linux/cred.h>
+ #include <linux/errno.h>
++#include <linux/freezer.h>
++#include <linux/kthread.h>
+ #include <linux/mm.h>
+ #include <linux/memblock.h>
+ #include <linux/pagemap.h>
+@@ -115,7 +117,7 @@ static struct ctl_table xen_root[] = {
+ #define EXTENT_ORDER (fls(XEN_PFN_PER_PAGE) - 1)
+
+ /*
+- * balloon_process() state:
++ * balloon_thread() state:
+ *
+ * BP_DONE: done or nothing to do,
+ * BP_WAIT: wait to be rescheduled,
+@@ -130,6 +132,8 @@ enum bp_state {
+ BP_ECANCELED
+ };
+
++/* Main waiting point for xen-balloon thread. */
++static DECLARE_WAIT_QUEUE_HEAD(balloon_thread_wq);
+
+ static DEFINE_MUTEX(balloon_mutex);
+
+@@ -144,10 +148,6 @@ static xen_pfn_t frame_list[PAGE_SIZE / sizeof(xen_pfn_t)];
+ static LIST_HEAD(ballooned_pages);
+ static DECLARE_WAIT_QUEUE_HEAD(balloon_wq);
+
+-/* Main work function, always executed in process context. */
+-static void balloon_process(struct work_struct *work);
+-static DECLARE_DELAYED_WORK(balloon_worker, balloon_process);
+-
+ /* When ballooning out (allocating memory to return to Xen) we don't really
+ want the kernel to try too hard since that can trigger the oom killer. */
+ #define GFP_BALLOON \
+@@ -366,7 +366,7 @@ static void xen_online_page(struct page *page, unsigned int order)
+ static int xen_memory_notifier(struct notifier_block *nb, unsigned long val, void *v)
+ {
+ if (val == MEM_ONLINE)
+- schedule_delayed_work(&balloon_worker, 0);
++ wake_up(&balloon_thread_wq);
+
+ return NOTIFY_OK;
+ }
+@@ -491,18 +491,43 @@ static enum bp_state decrease_reservation(unsigned long nr_pages, gfp_t gfp)
+ }
+
+ /*
+- * As this is a work item it is guaranteed to run as a single instance only.
++ * Stop waiting if either state is not BP_EAGAIN and ballooning action is
++ * needed, or if the credit has changed while state is BP_EAGAIN.
++ */
++static bool balloon_thread_cond(enum bp_state state, long credit)
++{
++ if (state != BP_EAGAIN)
++ credit = 0;
++
++ return current_credit() != credit || kthread_should_stop();
++}
++
++/*
++ * As this is a kthread it is guaranteed to run as a single instance only.
+ * We may of course race updates of the target counts (which are protected
+ * by the balloon lock), or with changes to the Xen hard limit, but we will
+ * recover from these in time.
+ */
+-static void balloon_process(struct work_struct *work)
++static int balloon_thread(void *unused)
+ {
+ enum bp_state state = BP_DONE;
+ long credit;
++ unsigned long timeout;
++
++ set_freezable();
++ for (;;) {
++ if (state == BP_EAGAIN)
++ timeout = balloon_stats.schedule_delay * HZ;
++ else
++ timeout = 3600 * HZ;
++ credit = current_credit();
+
++ wait_event_interruptible_timeout(balloon_thread_wq,
++ balloon_thread_cond(state, credit), timeout);
++
++ if (kthread_should_stop())
++ return 0;
+
+- do {
+ mutex_lock(&balloon_mutex);
+
+ credit = current_credit();
+@@ -529,12 +554,7 @@ static void balloon_process(struct work_struct *work)
+ mutex_unlock(&balloon_mutex);
+
+ cond_resched();
+-
+- } while (credit && state == BP_DONE);
+-
+- /* Schedule more work if there is some still to be done. */
+- if (state == BP_EAGAIN)
+- schedule_delayed_work(&balloon_worker, balloon_stats.schedule_delay * HZ);
++ }
+ }
+
+ /* Resets the Xen limit, sets new target, and kicks off processing. */
+@@ -542,7 +562,7 @@ void balloon_set_new_target(unsigned long target)
+ {
+ /* No need for lock. Not read-modify-write updates. */
+ balloon_stats.target_pages = target;
+- schedule_delayed_work(&balloon_worker, 0);
++ wake_up(&balloon_thread_wq);
+ }
+ EXPORT_SYMBOL_GPL(balloon_set_new_target);
+
+@@ -647,7 +667,7 @@ void free_xenballooned_pages(int nr_pages, struct page **pages)
+
+ /* The balloon may be too large now. Shrink it if needed. */
+ if (current_credit())
+- schedule_delayed_work(&balloon_worker, 0);
++ wake_up(&balloon_thread_wq);
+
+ mutex_unlock(&balloon_mutex);
+ }
+@@ -679,6 +699,8 @@ static void __init balloon_add_region(unsigned long start_pfn,
+
+ static int __init balloon_init(void)
+ {
++ struct task_struct *task;
++
+ if (!xen_domain())
+ return -ENODEV;
+
+@@ -722,6 +744,12 @@ static int __init balloon_init(void)
+ }
+ #endif
+
++ task = kthread_run(balloon_thread, NULL, "xen-balloon");
++ if (IS_ERR(task)) {
++ pr_err("xen-balloon thread could not be started, ballooning will not work!\n");
++ return PTR_ERR(task);
++ }
++
+ /* Init the xen-balloon driver. */
+ xen_balloon_init();
+
+--
+2.33.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
