Fixes for 5.4
authorSasha Levin <sashal@kernel.org>
Sat, 8 May 2021 03:21:17 +0000 (23:21 -0400)
committerSasha Levin <sashal@kernel.org>
Sat, 8 May 2021 03:21:17 +0000 (23:21 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
88 files changed:
queue-5.4/amdgpu-avoid-incorrect-hu-format-string.patch [new file with mode: 0644]
queue-5.4/ata-ahci-disable-sxs-for-hisilicon-kunpeng920.patch [new file with mode: 0644]
queue-5.4/btrfs-convert-logic-bug_on-s-in-replace_path-to-asse.patch [new file with mode: 0644]
queue-5.4/bus-ti-sysc-probe-for-l4_wkup-and-l4_cfg-interconnec.patch [new file with mode: 0644]
queue-5.4/clk-socfpga-arria10-fix-memory-leak-of-socfpga_clk-o.patch [new file with mode: 0644]
queue-5.4/crypto-api-check-for-err-pointers-in-crypto_destroy_.patch [new file with mode: 0644]
queue-5.4/crypto-omap-aes-fix-pm-reference-leak-on-omap-aes.c.patch [new file with mode: 0644]
queue-5.4/crypto-qat-fix-unmap-invalid-dma-address.patch [new file with mode: 0644]
queue-5.4/crypto-stm32-cryp-fix-pm-reference-leak-on-stm32-cry.patch [new file with mode: 0644]
queue-5.4/crypto-stm32-hash-fix-pm-reference-leak-on-stm32-has.patch [new file with mode: 0644]
queue-5.4/drm-added-orientation-quirk-for-onegx1-pro.patch [new file with mode: 0644]
queue-5.4/drm-amd-display-check-for-dsc-support-instead-of-asi.patch [new file with mode: 0644]
queue-5.4/drm-amd-display-don-t-optimize-bandwidth-before-disa.patch [new file with mode: 0644]
queue-5.4/drm-amd-display-fix-dml-prefetch-validation.patch [new file with mode: 0644]
queue-5.4/drm-amd-display-fix-ubsan-warning-for-not-a-valid-va.patch [new file with mode: 0644]
queue-5.4/drm-amdgpu-fix-asic-reset-regression-issue-introduce.patch [new file with mode: 0644]
queue-5.4/drm-amdgpu-fix-null-pointer-dereference.patch [new file with mode: 0644]
queue-5.4/drm-amdgpu-mask-the-xgmi-number-of-hops-reported-fro.patch [new file with mode: 0644]
queue-5.4/drm-amdkfd-fix-cat-debugfs-hang_hws-file-causes-syst.patch [new file with mode: 0644]
queue-5.4/drm-amdkfd-fix-ubsan-shift-out-of-bounds-warning.patch [new file with mode: 0644]
queue-5.4/drm-msm-mdp5-configure-pp_sync_height-to-double-the-.patch [new file with mode: 0644]
queue-5.4/drm-msm-mdp5-do-not-multiply-vclk-line-count-by-100.patch [new file with mode: 0644]
queue-5.4/drm-qxl-release-shadow-on-shutdown.patch [new file with mode: 0644]
queue-5.4/drm-vkms-fix-misuse-of-warn_on.patch [new file with mode: 0644]
queue-5.4/extcon-arizona-fix-some-issues-when-hpdet-irq-fires-.patch [new file with mode: 0644]
queue-5.4/extcon-arizona-fix-various-races-on-driver-unbind.patch [new file with mode: 0644]
queue-5.4/genirq-matrix-prevent-allocation-counter-corruption.patch [new file with mode: 0644]
queue-5.4/intel_th-consistency-and-off-by-one-fix.patch [new file with mode: 0644]
queue-5.4/media-adv7604-fix-possible-use-after-free-in-adv76xx.patch [new file with mode: 0644]
queue-5.4/media-drivers-media-pci-sta2x11-fix-kconfig-dependen.patch [new file with mode: 0644]
queue-5.4/media-dvb-usb-fix-memory-leak-in-dvb_usb_adapter_ini.patch [new file with mode: 0644]
queue-5.4/media-em28xx-fix-memory-leak.patch [new file with mode: 0644]
queue-5.4/media-gscpa-stv06xx-fix-memory-leak.patch [new file with mode: 0644]
queue-5.4/media-gspca-sq905.c-fix-uninitialized-variable.patch [new file with mode: 0644]
queue-5.4/media-i2c-adv7511-v4l2-fix-possible-use-after-free-i.patch [new file with mode: 0644]
queue-5.4/media-i2c-adv7842-fix-possible-use-after-free-in-adv.patch [new file with mode: 0644]
queue-5.4/media-i2c-tda1997-fix-possible-use-after-free-in-tda.patch [new file with mode: 0644]
queue-5.4/media-imx-capture-return-epipe-from-__capture_legacy.patch [new file with mode: 0644]
queue-5.4/media-ite-cir-check-for-receive-overflow.patch [new file with mode: 0644]
queue-5.4/media-media-saa7164-fix-saa7164_encoder_register-mem.patch [new file with mode: 0644]
queue-5.4/media-platform-sti-fix-runtime-pm-imbalance-in-regs_.patch [new file with mode: 0644]
queue-5.4/media-tc358743-fix-possible-use-after-free-in-tc3587.patch [new file with mode: 0644]
queue-5.4/media-vivid-update-edid.patch [new file with mode: 0644]
queue-5.4/mfd-arizona-fix-rumtime-pm-imbalance-on-error.patch [new file with mode: 0644]
queue-5.4/mmc-sdhci-pci-add-pci-ids-for-intel-lkf.patch [new file with mode: 0644]
queue-5.4/pci-pm-do-not-read-power-state-in-pci_enable_device_.patch [new file with mode: 0644]
queue-5.4/perf-arm_pmu_platform-fix-error-handling.patch [new file with mode: 0644]
queue-5.4/phy-phy-twl4030-usb-fix-possible-use-after-free-in-t.patch [new file with mode: 0644]
queue-5.4/platform-x86-intel_pmc_core-don-t-use-global-pmcdev-.patch [new file with mode: 0644]
queue-5.4/power-supply-bq27xxx-fix-power_avg-for-newer-ics.patch [new file with mode: 0644]
queue-5.4/power-supply-generic-adc-battery-fix-possible-use-af.patch [new file with mode: 0644]
queue-5.4/power-supply-s3c_adc_battery-fix-possible-use-after-.patch [new file with mode: 0644]
queue-5.4/power-supply-use-irqf_oneshot.patch [new file with mode: 0644]
queue-5.4/s390-archrandom-add-parameter-check-for-s390_arch_ra.patch [new file with mode: 0644]
queue-5.4/sched-fair-ignore-percpu-threads-for-imbalance-pulls.patch [new file with mode: 0644]
queue-5.4/scsi-libfc-fix-a-format-specifier.patch [new file with mode: 0644]
queue-5.4/scsi-lpfc-fix-crash-when-a-reg_rpi-mailbox-fails-tri.patch [new file with mode: 0644]
queue-5.4/scsi-lpfc-fix-error-handling-for-mailboxes-completed.patch [new file with mode: 0644]
queue-5.4/scsi-lpfc-fix-incorrect-dbde-assignment-when-buildin.patch [new file with mode: 0644]
queue-5.4/scsi-lpfc-fix-pt2pt-connection-does-not-recover-afte.patch [new file with mode: 0644]
queue-5.4/scsi-lpfc-remove-unsupported-mbox-port_capabilities-.patch [new file with mode: 0644]
queue-5.4/scsi-qla2xxx-always-check-the-return-value-of-qla24x.patch [new file with mode: 0644]
queue-5.4/scsi-qla2xxx-fix-use-after-free-in-bsg.patch [new file with mode: 0644]
queue-5.4/scsi-scsi_dh_alua-remove-check-for-asc-24h-in-alua_r.patch [new file with mode: 0644]
queue-5.4/scsi-smartpqi-add-new-pci-ids.patch [new file with mode: 0644]
queue-5.4/scsi-smartpqi-correct-request-leakage-during-reset-o.patch [new file with mode: 0644]
queue-5.4/scsi-target-pscsi-fix-warning-in-pscsi_complete_cmd.patch [new file with mode: 0644]
queue-5.4/series
queue-5.4/spi-ath79-always-call-chipselect-function.patch [new file with mode: 0644]
queue-5.4/spi-ath79-remove-spi-master-setup-and-cleanup-assign.patch [new file with mode: 0644]
queue-5.4/spi-dln2-fix-reference-leak-to-master.patch [new file with mode: 0644]
queue-5.4/spi-omap-100k-fix-reference-leak-to-master.patch [new file with mode: 0644]
queue-5.4/spi-qup-fix-pm-reference-leak-in-spi_qup_remove.patch [new file with mode: 0644]
queue-5.4/staging-wimax-i2400m-fix-byte-order-issue.patch [new file with mode: 0644]
queue-5.4/tee-optee-do-not-check-memref-size-on-return-from-se.patch [new file with mode: 0644]
queue-5.4/tty-n_gsm-check-error-while-registering-tty-devices.patch [new file with mode: 0644]
queue-5.4/usb-core-hub-fix-pm-reference-leak-in-usb_port_resum.patch [new file with mode: 0644]
queue-5.4/usb-dwc3-gadget-ignore-ep-queue-requests-during-bus-.patch [new file with mode: 0644]
queue-5.4/usb-gadget-f_uac1-validate-input-parameters.patch [new file with mode: 0644]
queue-5.4/usb-gadget-f_uac2-validate-input-parameters.patch [new file with mode: 0644]
queue-5.4/usb-gadget-uvc-add-binterval-checking-for-hs-mode.patch [new file with mode: 0644]
queue-5.4/usb-musb-fix-pm-reference-leak-in-musb_irq_work.patch [new file with mode: 0644]
queue-5.4/usb-webcam-invalid-size-of-processing-unit-descripto.patch [new file with mode: 0644]
queue-5.4/usb-xhci-fix-port-minor-revision.patch [new file with mode: 0644]
queue-5.4/usb-xhci-mtk-support-quirk-to-disable-usb2-lpm.patch [new file with mode: 0644]
queue-5.4/x86-build-propagate-clang_flags-to-realmode_flags.patch [new file with mode: 0644]
queue-5.4/xhci-check-control-context-is-valid-before-dereferen.patch [new file with mode: 0644]
queue-5.4/xhci-fix-potential-array-out-of-bounds-with-several-.patch [new file with mode: 0644]

diff --git a/queue-5.4/amdgpu-avoid-incorrect-hu-format-string.patch b/queue-5.4/amdgpu-avoid-incorrect-hu-format-string.patch
new file mode 100644 (file)
index 0000000..b934229
--- /dev/null
@@ -0,0 +1,50 @@
+From efdc4e721a6f6777544d59cc7a3846e1bfedf921 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Mar 2021 12:54:42 +0100
+Subject: amdgpu: avoid incorrect %hu format string
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 7d98d416c2cc1c1f7d9508e887de4630e521d797 ]
+
+clang points out that the %hu format string does not match the type
+of the variables here:
+
+drivers/gpu/drm/amd/amdgpu/amdgpu_uvd.c:263:7: warning: format specifies type 'unsigned short' but the argument has type 'unsigned int' [-Wformat]
+                                  version_major, version_minor);
+                                  ^~~~~~~~~~~~~
+include/drm/drm_print.h:498:19: note: expanded from macro 'DRM_ERROR'
+        __drm_err(fmt, ##__VA_ARGS__)
+                  ~~~    ^~~~~~~~~~~
+
+Change it to a regular %u, the same way a previous patch did for
+another instance of the same warning.
+
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Tom Rix <trix@redhat.com>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_uvd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_uvd.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_uvd.c
+index b2c364b8695f..cfa8324b9f51 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_uvd.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_uvd.c
+@@ -231,7 +231,7 @@ int amdgpu_uvd_sw_init(struct amdgpu_device *adev)
+               if ((adev->asic_type == CHIP_POLARIS10 ||
+                    adev->asic_type == CHIP_POLARIS11) &&
+                   (adev->uvd.fw_version < FW_1_66_16))
+-                      DRM_ERROR("POLARIS10/11 UVD firmware version %hu.%hu is too old.\n",
++                      DRM_ERROR("POLARIS10/11 UVD firmware version %u.%u is too old.\n",
+                                 version_major, version_minor);
+       } else {
+               unsigned int enc_major, enc_minor, dec_minor;
+-- 
+2.30.2
+
diff --git a/queue-5.4/ata-ahci-disable-sxs-for-hisilicon-kunpeng920.patch b/queue-5.4/ata-ahci-disable-sxs-for-hisilicon-kunpeng920.patch
new file mode 100644 (file)
index 0000000..0440c93
--- /dev/null
@@ -0,0 +1,75 @@
+From ffb356331ab9ece0f7e02c26306c5615ec6be24b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Mar 2021 18:24:36 +0800
+Subject: ata: ahci: Disable SXS for Hisilicon Kunpeng920
+
+From: Xingui Yang <yangxingui@huawei.com>
+
+[ Upstream commit 234e6d2c18f5b080cde874483c4c361f3ae7cffe ]
+
+On Hisilicon Kunpeng920, ESP is set to 1 by default for all ports of
+SATA controller. In some scenarios, some ports are not external SATA ports,
+and it cause disks connected to these ports to be identified as removable
+disks. So disable the SXS capability on the software side to prevent users
+from mistakenly considering non-removable disks as removable disks and
+performing related operations.
+
+Signed-off-by: Xingui Yang <yangxingui@huawei.com>
+Signed-off-by: Luo Jiaxing <luojiaxing@huawei.com>
+Reviewed-by: John Garry <john.garry@huawei.com>
+Link: https://lore.kernel.org/r/1615544676-61926-1-git-send-email-luojiaxing@huawei.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/ahci.c    | 5 +++++
+ drivers/ata/ahci.h    | 1 +
+ drivers/ata/libahci.c | 5 +++++
+ 3 files changed, 11 insertions(+)
+
+diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c
+index d33528033042..8beb418ce167 100644
+--- a/drivers/ata/ahci.c
++++ b/drivers/ata/ahci.c
+@@ -1728,6 +1728,11 @@ static int ahci_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
+               hpriv->flags |= AHCI_HFLAG_NO_DEVSLP;
+ #ifdef CONFIG_ARM64
++      if (pdev->vendor == PCI_VENDOR_ID_HUAWEI &&
++          pdev->device == 0xa235 &&
++          pdev->revision < 0x30)
++              hpriv->flags |= AHCI_HFLAG_NO_SXS;
++
+       if (pdev->vendor == 0x177d && pdev->device == 0xa01c)
+               hpriv->irq_handler = ahci_thunderx_irq_handler;
+ #endif
+diff --git a/drivers/ata/ahci.h b/drivers/ata/ahci.h
+index 9ef62e647cd2..732912cd4e08 100644
+--- a/drivers/ata/ahci.h
++++ b/drivers/ata/ahci.h
+@@ -242,6 +242,7 @@ enum {
+                                                       suspend/resume */
+       AHCI_HFLAG_IGN_NOTSUPP_POWER_ON = (1 << 27), /* ignore -EOPNOTSUPP
+                                                       from phy_power_on() */
++      AHCI_HFLAG_NO_SXS               = (1 << 28), /* SXS not supported */
+       /* ap->flags bits */
+diff --git a/drivers/ata/libahci.c b/drivers/ata/libahci.c
+index ea5bf5f4cbed..fec2e9754aed 100644
+--- a/drivers/ata/libahci.c
++++ b/drivers/ata/libahci.c
+@@ -493,6 +493,11 @@ void ahci_save_initial_config(struct device *dev, struct ahci_host_priv *hpriv)
+               cap |= HOST_CAP_ALPM;
+       }
++      if ((cap & HOST_CAP_SXS) && (hpriv->flags & AHCI_HFLAG_NO_SXS)) {
++              dev_info(dev, "controller does not support SXS, disabling CAP_SXS\n");
++              cap &= ~HOST_CAP_SXS;
++      }
++
+       if (hpriv->force_port_map && port_map != hpriv->force_port_map) {
+               dev_info(dev, "forcing port_map 0x%x -> 0x%x\n",
+                        port_map, hpriv->force_port_map);
+-- 
+2.30.2
+
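Review bot: The quirk added to ahci_init_one() matches on the bare values `0xa235` and `pdev->revision < 0x30`, with no comment naming the controller or saying why later revisions are exempt, so the scope of the workaround cannot be checked from the code. A short comment above the test would help, for example `/* HiSilicon Kunpeng920 SATA: ESP reported on all ports, see AHCI_HFLAG_NO_SXS */`, with the revision cut-off explained by someone who knows the hardware. In ahci_save_initial_config() the log text says the controller "does not support SXS", while the commit message describes internal ports that wrongly advertise themselves as external; wording closer to the latter would be less misleading in dmesg. Both functions continue outside their hunks.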
diff --git a/queue-5.4/btrfs-convert-logic-bug_on-s-in-replace_path-to-asse.patch b/queue-5.4/btrfs-convert-logic-bug_on-s-in-replace_path-to-asse.patch
new file mode 100644 (file)
index 0000000..57abd44
--- /dev/null
@@ -0,0 +1,48 @@
+From ade4b90cfd7f385a8d0687bc5be1a173370a1bbc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Mar 2021 15:25:21 -0500
+Subject: btrfs: convert logic BUG_ON()'s in replace_path to ASSERT()'s
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+[ Upstream commit 7a9213a93546e7eaef90e6e153af6b8fc7553f10 ]
+
+A few BUG_ON()'s in replace_path are purely to keep us from making
+logical mistakes, so replace them with ASSERT()'s.
+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/relocation.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
+index 68b5d7c4aa49..ba68b0b41dff 100644
+--- a/fs/btrfs/relocation.c
++++ b/fs/btrfs/relocation.c
+@@ -1836,8 +1836,8 @@ int replace_path(struct btrfs_trans_handle *trans, struct reloc_control *rc,
+       int ret;
+       int slot;
+-      BUG_ON(src->root_key.objectid != BTRFS_TREE_RELOC_OBJECTID);
+-      BUG_ON(dest->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID);
++      ASSERT(src->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID);
++      ASSERT(dest->root_key.objectid != BTRFS_TREE_RELOC_OBJECTID);
+       last_snapshot = btrfs_root_last_snapshot(&src->root_item);
+ again:
+@@ -1871,7 +1871,7 @@ again:
+               struct btrfs_key first_key;
+               level = btrfs_header_level(parent);
+-              BUG_ON(level < lowest_level);
++              ASSERT(level >= lowest_level);
+               ret = btrfs_bin_search(parent, &key, level, &slot);
+               if (ret < 0)
+-- 
+2.30.2
+
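Review bot: After this conversion the three invariants in replace_path() are only checked when btrfs assertions are compiled in; on other builds the code now continues past a violated condition instead of stopping. The two `root_key.objectid` checks read as pure caller contracts, but `level` comes from `btrfs_header_level(parent)` and so may depend on on-disk contents. If a damaged tree can produce `level < lowest_level`, an explicit error path is safer than a compiled-out assertion, along the lines of `if (unlikely(level < lowest_level)) { ret = -EUCLEAN; break; }`. The loop's exit and cleanup are outside the hunk, so the exact form of that exit needs confirming against the rest of the function.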
diff --git a/queue-5.4/bus-ti-sysc-probe-for-l4_wkup-and-l4_cfg-interconnec.patch b/queue-5.4/bus-ti-sysc-probe-for-l4_wkup-and-l4_cfg-interconnec.patch
new file mode 100644 (file)
index 0000000..b6b560f
--- /dev/null
@@ -0,0 +1,90 @@
+From 12f6e8d9335cb2f5408e42ed3d3838eb427784f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Mar 2021 11:35:07 +0200
+Subject: bus: ti-sysc: Probe for l4_wkup and l4_cfg interconnect devices first
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit 4700a00755fb5a4bb5109128297d6fd2d1272ee6 ]
+
+We want to probe l4_wkup and l4_cfg interconnect devices first to avoid
+issues with missing resources. Otherwise we attempt to probe l4_per
+devices first causing pointless deferred probe and also annoyingh
+renumbering of the MMC devices for example.
+
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bus/ti-sysc.c | 49 +++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 49 insertions(+)
+
+diff --git a/drivers/bus/ti-sysc.c b/drivers/bus/ti-sysc.c
+index f9ff6d433dfe..d59e1ca9990b 100644
+--- a/drivers/bus/ti-sysc.c
++++ b/drivers/bus/ti-sysc.c
+@@ -602,6 +602,51 @@ static int sysc_parse_and_check_child_range(struct sysc *ddata)
+       return 0;
+ }
++/* Interconnect instances to probe before l4_per instances */
++static struct resource early_bus_ranges[] = {
++      /* am3/4 l4_wkup */
++      { .start = 0x44c00000, .end = 0x44c00000 + 0x300000, },
++      /* omap4/5 and dra7 l4_cfg */
++      { .start = 0x4a000000, .end = 0x4a000000 + 0x300000, },
++      /* omap4 l4_wkup */
++      { .start = 0x4a300000, .end = 0x4a300000 + 0x30000,  },
++      /* omap5 and dra7 l4_wkup without dra7 dcan segment */
++      { .start = 0x4ae00000, .end = 0x4ae00000 + 0x30000,  },
++};
++
++static atomic_t sysc_defer = ATOMIC_INIT(10);
++
++/**
++ * sysc_defer_non_critical - defer non_critical interconnect probing
++ * @ddata: device driver data
++ *
++ * We want to probe l4_cfg and l4_wkup interconnect instances before any
++ * l4_per instances as l4_per instances depend on resources on l4_cfg and
++ * l4_wkup interconnects.
++ */
++static int sysc_defer_non_critical(struct sysc *ddata)
++{
++      struct resource *res;
++      int i;
++
++      if (!atomic_read(&sysc_defer))
++              return 0;
++
++      for (i = 0; i < ARRAY_SIZE(early_bus_ranges); i++) {
++              res = &early_bus_ranges[i];
++              if (ddata->module_pa >= res->start &&
++                  ddata->module_pa <= res->end) {
++                      atomic_set(&sysc_defer, 0);
++
++                      return 0;
++              }
++      }
++
++      atomic_dec_if_positive(&sysc_defer);
++
++      return -EPROBE_DEFER;
++}
++
+ static struct device_node *stdout_path;
+ static void sysc_init_stdout_path(struct sysc *ddata)
+@@ -826,6 +871,10 @@ static int sysc_map_and_check_registers(struct sysc *ddata)
+       if (error)
+               return error;
++      error = sysc_defer_non_critical(ddata);
++      if (error)
++              return error;
++
+       sysc_check_children(ddata);
+       error = sysc_parse_registers(ddata);
+-- 
+2.30.2
+
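Review bot: The `.end` values in `early_bus_ranges[]` are written as start plus size, but sysc_defer_non_critical() tests `ddata->module_pa <= res->end`, so each range also matches the first address past its region (the l4_cfg entry ends exactly where the omap4 l4_wkup entry starts). Writing `.end = 0x44c00000 + 0x300000 - 1,` and likewise for the other three entries makes the inclusive bound exact. The table is never written in the visible code, so it could be `static const struct resource` with `res` declared `const`. The `10` in `ATOMIC_INIT(10)` would also benefit from a one-line comment saying why ten deferrals is the cut-off.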
diff --git a/queue-5.4/clk-socfpga-arria10-fix-memory-leak-of-socfpga_clk-o.patch b/queue-5.4/clk-socfpga-arria10-fix-memory-leak-of-socfpga_clk-o.patch
new file mode 100644 (file)
index 0000000..b64bc0a
--- /dev/null
@@ -0,0 +1,38 @@
+From 549607e8111e01217e69ffd818bd84b5e35e3e77 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Apr 2021 18:01:15 +0100
+Subject: clk: socfpga: arria10: Fix memory leak of socfpga_clk on error return
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 657d4d1934f75a2d978c3cf2086495eaa542e7a9 ]
+
+There is an error return path that is not kfree'ing socfpga_clk leading
+to a memory leak. Fix this by adding in the missing kfree call.
+
+Addresses-Coverity: ("Resource leak")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Link: https://lore.kernel.org/r/20210406170115.430990-1-colin.king@canonical.com
+Acked-by: Dinh Nguyen <dinguyen@kernel.org>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/socfpga/clk-gate-a10.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/clk/socfpga/clk-gate-a10.c b/drivers/clk/socfpga/clk-gate-a10.c
+index cd5df9103614..d62778884208 100644
+--- a/drivers/clk/socfpga/clk-gate-a10.c
++++ b/drivers/clk/socfpga/clk-gate-a10.c
+@@ -146,6 +146,7 @@ static void __init __socfpga_gate_init(struct device_node *node,
+               if (IS_ERR(socfpga_clk->sys_mgr_base_addr)) {
+                       pr_err("%s: failed to find altr,sys-mgr regmap!\n",
+                                       __func__);
++                      kfree(socfpga_clk);
+                       return;
+               }
+       }
+-- 
+2.30.2
+
diff --git a/queue-5.4/crypto-api-check-for-err-pointers-in-crypto_destroy_.patch b/queue-5.4/crypto-api-check-for-err-pointers-in-crypto_destroy_.patch
new file mode 100644 (file)
index 0000000..38d3025
--- /dev/null
@@ -0,0 +1,149 @@
+From 3fd6c33be401ca634ed69da2426b694e503434c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Mar 2021 21:33:03 +0100
+Subject: crypto: api - check for ERR pointers in crypto_destroy_tfm()
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+[ Upstream commit 83681f2bebb34dbb3f03fecd8f570308ab8b7c2c ]
+
+Given that crypto_alloc_tfm() may return ERR pointers, and to avoid
+crashes on obscure error paths where such pointers are presented to
+crypto_destroy_tfm() (such as [0]), add an ERR_PTR check there
+before dereferencing the second argument as a struct crypto_tfm
+pointer.
+
+[0] https://lore.kernel.org/linux-crypto/000000000000de949705bc59e0f6@google.com/
+
+Reported-by: syzbot+12cf5fbfdeba210a89dd@syzkaller.appspotmail.com
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/api.c               | 2 +-
+ include/crypto/acompress.h | 2 ++
+ include/crypto/aead.h      | 2 ++
+ include/crypto/akcipher.h  | 2 ++
+ include/crypto/hash.h      | 4 ++++
+ include/crypto/kpp.h       | 2 ++
+ include/crypto/rng.h       | 2 ++
+ include/crypto/skcipher.h  | 2 ++
+ 8 files changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/api.c b/crypto/api.c
+index eda0c56b8615..c71d1485541c 100644
+--- a/crypto/api.c
++++ b/crypto/api.c
+@@ -568,7 +568,7 @@ void crypto_destroy_tfm(void *mem, struct crypto_tfm *tfm)
+ {
+       struct crypto_alg *alg;
+-      if (unlikely(!mem))
++      if (IS_ERR_OR_NULL(mem))
+               return;
+       alg = tfm->__crt_alg;
+diff --git a/include/crypto/acompress.h b/include/crypto/acompress.h
+index d873f999b334..3a801a7d3a0e 100644
+--- a/include/crypto/acompress.h
++++ b/include/crypto/acompress.h
+@@ -147,6 +147,8 @@ static inline struct crypto_acomp *crypto_acomp_reqtfm(struct acomp_req *req)
+  * crypto_free_acomp() -- free ACOMPRESS tfm handle
+  *
+  * @tfm:      ACOMPRESS tfm handle allocated with crypto_alloc_acomp()
++ *
++ * If @tfm is a NULL or error pointer, this function does nothing.
+  */
+ static inline void crypto_free_acomp(struct crypto_acomp *tfm)
+ {
+diff --git a/include/crypto/aead.h b/include/crypto/aead.h
+index 3c245b1859e7..3b870b4e8275 100644
+--- a/include/crypto/aead.h
++++ b/include/crypto/aead.h
+@@ -179,6 +179,8 @@ static inline struct crypto_tfm *crypto_aead_tfm(struct crypto_aead *tfm)
+ /**
+  * crypto_free_aead() - zeroize and free aead handle
+  * @tfm: cipher handle to be freed
++ *
++ * If @tfm is a NULL or error pointer, this function does nothing.
+  */
+ static inline void crypto_free_aead(struct crypto_aead *tfm)
+ {
+diff --git a/include/crypto/akcipher.h b/include/crypto/akcipher.h
+index 6924b091adec..8913b42fcb34 100644
+--- a/include/crypto/akcipher.h
++++ b/include/crypto/akcipher.h
+@@ -174,6 +174,8 @@ static inline struct crypto_akcipher *crypto_akcipher_reqtfm(
+  * crypto_free_akcipher() - free AKCIPHER tfm handle
+  *
+  * @tfm: AKCIPHER tfm handle allocated with crypto_alloc_akcipher()
++ *
++ * If @tfm is a NULL or error pointer, this function does nothing.
+  */
+ static inline void crypto_free_akcipher(struct crypto_akcipher *tfm)
+ {
+diff --git a/include/crypto/hash.h b/include/crypto/hash.h
+index 84e9f2380edf..e993c6beec07 100644
+--- a/include/crypto/hash.h
++++ b/include/crypto/hash.h
+@@ -260,6 +260,8 @@ static inline struct crypto_tfm *crypto_ahash_tfm(struct crypto_ahash *tfm)
+ /**
+  * crypto_free_ahash() - zeroize and free the ahash handle
+  * @tfm: cipher handle to be freed
++ *
++ * If @tfm is a NULL or error pointer, this function does nothing.
+  */
+ static inline void crypto_free_ahash(struct crypto_ahash *tfm)
+ {
+@@ -703,6 +705,8 @@ static inline struct crypto_tfm *crypto_shash_tfm(struct crypto_shash *tfm)
+ /**
+  * crypto_free_shash() - zeroize and free the message digest handle
+  * @tfm: cipher handle to be freed
++ *
++ * If @tfm is a NULL or error pointer, this function does nothing.
+  */
+ static inline void crypto_free_shash(struct crypto_shash *tfm)
+ {
+diff --git a/include/crypto/kpp.h b/include/crypto/kpp.h
+index cd9a9b500624..19a2eadbef61 100644
+--- a/include/crypto/kpp.h
++++ b/include/crypto/kpp.h
+@@ -154,6 +154,8 @@ static inline void crypto_kpp_set_flags(struct crypto_kpp *tfm, u32 flags)
+  * crypto_free_kpp() - free KPP tfm handle
+  *
+  * @tfm: KPP tfm handle allocated with crypto_alloc_kpp()
++ *
++ * If @tfm is a NULL or error pointer, this function does nothing.
+  */
+ static inline void crypto_free_kpp(struct crypto_kpp *tfm)
+ {
+diff --git a/include/crypto/rng.h b/include/crypto/rng.h
+index 8b4b844b4eef..17bb3673d3c1 100644
+--- a/include/crypto/rng.h
++++ b/include/crypto/rng.h
+@@ -111,6 +111,8 @@ static inline struct rng_alg *crypto_rng_alg(struct crypto_rng *tfm)
+ /**
+  * crypto_free_rng() - zeroize and free RNG handle
+  * @tfm: cipher handle to be freed
++ *
++ * If @tfm is a NULL or error pointer, this function does nothing.
+  */
+ static inline void crypto_free_rng(struct crypto_rng *tfm)
+ {
+diff --git a/include/crypto/skcipher.h b/include/crypto/skcipher.h
+index aada87916918..0bce6005d325 100644
+--- a/include/crypto/skcipher.h
++++ b/include/crypto/skcipher.h
+@@ -203,6 +203,8 @@ static inline struct crypto_tfm *crypto_skcipher_tfm(
+ /**
+  * crypto_free_skcipher() - zeroize and free cipher handle
+  * @tfm: cipher handle to be freed
++ *
++ * If @tfm is a NULL or error pointer, this function does nothing.
+  */
+ static inline void crypto_free_skcipher(struct crypto_skcipher *tfm)
+ {
+-- 
+2.30.2
+
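Review bot: In crypto_destroy_tfm() the new guard tests `mem`, while the first dereference after it is `tfm->__crt_alg`, so the function is only safe if every caller derives both arguments from the same handle. That assumption deserves a comment at the check, for example `/* mem and tfm are derived from the same handle, so checking mem also covers tfm */`. The function's own header comment is outside the hunk; if one exists, it should gain the same "NULL or error pointer does nothing" sentence that the `crypto_free_*()` helpers receive in this patch.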
diff --git a/queue-5.4/crypto-omap-aes-fix-pm-reference-leak-on-omap-aes.c.patch b/queue-5.4/crypto-omap-aes-fix-pm-reference-leak-on-omap-aes.c.patch
new file mode 100644 (file)
index 0000000..880264e
--- /dev/null
@@ -0,0 +1,55 @@
+From 94f02ea7939ba92dc3fcf9f246a66ed9e0689c19 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Apr 2021 15:18:39 +0800
+Subject: crypto: omap-aes - Fix PM reference leak on omap-aes.c
+
+From: Shixin Liu <liushixin2@huawei.com>
+
+[ Upstream commit 1f34cc4a8da34fbb250efb928f9b8c6fe7ee0642 ]
+
+pm_runtime_get_sync will increment pm usage counter even it failed.
+Forgetting to putting operation will result in reference leak here.
+Fix it by replacing it with pm_runtime_resume_and_get to keep usage
+counter balanced.
+
+Signed-off-by: Shixin Liu <liushixin2@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/omap-aes.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/crypto/omap-aes.c b/drivers/crypto/omap-aes.c
+index 103e704c1469..72edb10181b8 100644
+--- a/drivers/crypto/omap-aes.c
++++ b/drivers/crypto/omap-aes.c
+@@ -103,7 +103,7 @@ static int omap_aes_hw_init(struct omap_aes_dev *dd)
+               dd->err = 0;
+       }
+-      err = pm_runtime_get_sync(dd->dev);
++      err = pm_runtime_resume_and_get(dd->dev);
+       if (err < 0) {
+               dev_err(dd->dev, "failed to get sync: %d\n", err);
+               return err;
+@@ -1153,7 +1153,7 @@ static int omap_aes_probe(struct platform_device *pdev)
+       pm_runtime_set_autosuspend_delay(dev, DEFAULT_AUTOSUSPEND_DELAY);
+       pm_runtime_enable(dev);
+-      err = pm_runtime_get_sync(dev);
++      err = pm_runtime_resume_and_get(dev);
+       if (err < 0) {
+               dev_err(dev, "%s: failed to get_sync(%d)\n",
+                       __func__, err);
+@@ -1318,7 +1318,7 @@ static int omap_aes_suspend(struct device *dev)
+ static int omap_aes_resume(struct device *dev)
+ {
+-      pm_runtime_get_sync(dev);
++      pm_runtime_resume_and_get(dev);
+       return 0;
+ }
+ #endif
+-- 
+2.30.2
+
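Review bot: omap_aes_resume() discards the result of `pm_runtime_resume_and_get(dev)` and returns 0, which is not equivalent to the call it replaces. On failure the new helper has already dropped the usage count, so any later put that assumes the reference is held (the suspend path is outside the hunk) would be unbalanced, and the device is reported as resumed when it is not. Either propagate the result with `return pm_runtime_resume_and_get(dev);` or keep `pm_runtime_get_sync(dev)` at call sites that take the reference unconditionally. The same pattern appears in stm32_cryp_hw_init() in the stm32-cryp patch of this series, where the result is ignored and `stm32_cryp_write(cryp, CRYP_IMSCR, 0)` follows immediately.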
diff --git a/queue-5.4/crypto-qat-fix-unmap-invalid-dma-address.patch b/queue-5.4/crypto-qat-fix-unmap-invalid-dma-address.patch
new file mode 100644 (file)
index 0000000..d8ddce2
--- /dev/null
@@ -0,0 +1,61 @@
+From e4365c111fc9b6bef547518d5652c3d7867289fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Mar 2021 14:35:01 +0800
+Subject: crypto: qat - fix unmap invalid dma address
+
+From: Hui Tang <tanghui20@huawei.com>
+
+[ Upstream commit 792b32fad548281e1b7fe14df9063a96c54b32a2 ]
+
+'dma_mapping_error' return a negative value if 'dma_addr' is equal to
+'DMA_MAPPING_ERROR' not zero, so fix initialization of 'dma_addr'.
+
+Signed-off-by: Hui Tang <tanghui20@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/qat/qat_common/qat_algs.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/qat/qat_common/qat_algs.c b/drivers/crypto/qat/qat_common/qat_algs.c
+index 0d67cf5ede51..6b8ad3d67481 100644
+--- a/drivers/crypto/qat/qat_common/qat_algs.c
++++ b/drivers/crypto/qat/qat_common/qat_algs.c
+@@ -715,7 +715,7 @@ static int qat_alg_sgl_to_bufl(struct qat_crypto_instance *inst,
+       struct qat_alg_buf_list *bufl;
+       struct qat_alg_buf_list *buflout = NULL;
+       dma_addr_t blp;
+-      dma_addr_t bloutp = 0;
++      dma_addr_t bloutp;
+       struct scatterlist *sg;
+       size_t sz_out, sz = struct_size(bufl, bufers, n + 1);
+@@ -727,6 +727,9 @@ static int qat_alg_sgl_to_bufl(struct qat_crypto_instance *inst,
+       if (unlikely(!bufl))
+               return -ENOMEM;
++      for_each_sg(sgl, sg, n, i)
++              bufl->bufers[i].addr = DMA_MAPPING_ERROR;
++
+       blp = dma_map_single(dev, bufl, sz, DMA_TO_DEVICE);
+       if (unlikely(dma_mapping_error(dev, blp)))
+               goto err_in;
+@@ -760,10 +763,14 @@ static int qat_alg_sgl_to_bufl(struct qat_crypto_instance *inst,
+                                      dev_to_node(&GET_DEV(inst->accel_dev)));
+               if (unlikely(!buflout))
+                       goto err_in;
++
++              bufers = buflout->bufers;
++              for_each_sg(sglout, sg, n, i)
++                      bufers[i].addr = DMA_MAPPING_ERROR;
++
+               bloutp = dma_map_single(dev, buflout, sz_out, DMA_TO_DEVICE);
+               if (unlikely(dma_mapping_error(dev, bloutp)))
+                       goto err_out;
+-              bufers = buflout->bufers;
+               for_each_sg(sglout, sg, n, i) {
+                       int y = sg_nctr;
+-- 
+2.30.2
+
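Review bot: `bloutp` in qat_alg_sgl_to_bufl() is now declared with no initializer, although the commit message speaks of fixing its initialization. The `err_in` and `err_out` labels are outside the hunk; if either tests `bloutp` on a path taken before the `dma_map_single()` assignment, such as the `goto err_in` after the failed `buflout` allocation, it would read an indeterminate value. Declaring it as `dma_addr_t bloutp = DMA_MAPPING_ERROR;` removes the question and matches the sentinel this patch writes into the `bufers[i].addr` entries.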
diff --git a/queue-5.4/crypto-stm32-cryp-fix-pm-reference-leak-on-stm32-cry.patch b/queue-5.4/crypto-stm32-cryp-fix-pm-reference-leak-on-stm32-cry.patch
new file mode 100644 (file)
index 0000000..7f136d6
--- /dev/null
@@ -0,0 +1,46 @@
+From 0150c8092e380f34e65f89dd41491240278248c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Apr 2021 15:18:36 +0800
+Subject: crypto: stm32/cryp - Fix PM reference leak on stm32-cryp.c
+
+From: Shixin Liu <liushixin2@huawei.com>
+
+[ Upstream commit 747bf30fd944f02f341b5f3bc7d97a13f2ae2fbe ]
+
+pm_runtime_get_sync will increment pm usage counter even it failed.
+Forgetting to putting operation will result in reference leak here.
+Fix it by replacing it with pm_runtime_resume_and_get to keep usage
+counter balanced.
+
+Signed-off-by: Shixin Liu <liushixin2@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/stm32/stm32-cryp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/stm32/stm32-cryp.c b/drivers/crypto/stm32/stm32-cryp.c
+index ba5ea6434f9c..9b3511236ba2 100644
+--- a/drivers/crypto/stm32/stm32-cryp.c
++++ b/drivers/crypto/stm32/stm32-cryp.c
+@@ -537,7 +537,7 @@ static int stm32_cryp_hw_init(struct stm32_cryp *cryp)
+       int ret;
+       u32 cfg, hw_mode;
+-      pm_runtime_get_sync(cryp->dev);
++      pm_runtime_resume_and_get(cryp->dev);
+       /* Disable interrupt */
+       stm32_cryp_write(cryp, CRYP_IMSCR, 0);
+@@ -2054,7 +2054,7 @@ static int stm32_cryp_remove(struct platform_device *pdev)
+       if (!cryp)
+               return -ENODEV;
+-      ret = pm_runtime_get_sync(cryp->dev);
++      ret = pm_runtime_resume_and_get(cryp->dev);
+       if (ret < 0)
+               return ret;
+-- 
+2.30.2
+
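Review bot: In `stm32_cryp_hw_init` the result of `pm_runtime_resume_and_get(cryp->dev)` is discarded, so when the resume fails the usage count has already been dropped again, yet the register writes that follow still run on a device that may not be powered. Any put issued later for this get would then take the count below what was actually acquired. Either check it, `ret = pm_runtime_resume_and_get(cryp->dev); if (ret < 0) return ret;`, or keep the unconditional `pm_runtime_get_sync()` on paths that always put. The same unchecked call is added in `stm32_hash_hw_init`, `stm32_hash_export` and `stm32_hash_import` in the stm32-hash patch that follows; only the two `remove` paths test the result. The function bodies continue outside the hunks, so the matching put calls are not visible here.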
diff --git a/queue-5.4/crypto-stm32-hash-fix-pm-reference-leak-on-stm32-has.patch b/queue-5.4/crypto-stm32-hash-fix-pm-reference-leak-on-stm32-has.patch
new file mode 100644 (file)
index 0000000..932c0dc
--- /dev/null
@@ -0,0 +1,64 @@
+From 0a6316071650babde8a02678f8c48baa27e9863e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Apr 2021 15:18:35 +0800
+Subject: crypto: stm32/hash - Fix PM reference leak on stm32-hash.c
+
+From: Shixin Liu <liushixin2@huawei.com>
+
+[ Upstream commit 1cb3ad701970e68f18a9e5d090baf2b1b703d729 ]
+
+pm_runtime_get_sync will increment pm usage counter even it failed.
+Forgetting to putting operation will result in reference leak here.
+Fix it by replacing it with pm_runtime_resume_and_get to keep usage
+counter balanced.
+
+Signed-off-by: Shixin Liu <liushixin2@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/stm32/stm32-hash.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/crypto/stm32/stm32-hash.c b/drivers/crypto/stm32/stm32-hash.c
+index cfc8e0e37bee..dcce15b55809 100644
+--- a/drivers/crypto/stm32/stm32-hash.c
++++ b/drivers/crypto/stm32/stm32-hash.c
+@@ -810,7 +810,7 @@ static void stm32_hash_finish_req(struct ahash_request *req, int err)
+ static int stm32_hash_hw_init(struct stm32_hash_dev *hdev,
+                             struct stm32_hash_request_ctx *rctx)
+ {
+-      pm_runtime_get_sync(hdev->dev);
++      pm_runtime_resume_and_get(hdev->dev);
+       if (!(HASH_FLAGS_INIT & hdev->flags)) {
+               stm32_hash_write(hdev, HASH_CR, HASH_CR_INIT);
+@@ -959,7 +959,7 @@ static int stm32_hash_export(struct ahash_request *req, void *out)
+       u32 *preg;
+       unsigned int i;
+-      pm_runtime_get_sync(hdev->dev);
++      pm_runtime_resume_and_get(hdev->dev);
+       while ((stm32_hash_read(hdev, HASH_SR) & HASH_SR_BUSY))
+               cpu_relax();
+@@ -997,7 +997,7 @@ static int stm32_hash_import(struct ahash_request *req, const void *in)
+       preg = rctx->hw_context;
+-      pm_runtime_get_sync(hdev->dev);
++      pm_runtime_resume_and_get(hdev->dev);
+       stm32_hash_write(hdev, HASH_IMR, *preg++);
+       stm32_hash_write(hdev, HASH_STR, *preg++);
+@@ -1553,7 +1553,7 @@ static int stm32_hash_remove(struct platform_device *pdev)
+       if (!hdev)
+               return -ENODEV;
+-      ret = pm_runtime_get_sync(hdev->dev);
++      ret = pm_runtime_resume_and_get(hdev->dev);
+       if (ret < 0)
+               return ret;
+-- 
+2.30.2
+
diff --git a/queue-5.4/drm-added-orientation-quirk-for-onegx1-pro.patch b/queue-5.4/drm-added-orientation-quirk-for-onegx1-pro.patch
new file mode 100644 (file)
index 0000000..1d151bc
--- /dev/null
@@ -0,0 +1,56 @@
+From f88ca7199ef284660fef03f3b6f8a8f9f182a3c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Jan 2021 12:56:26 -0800
+Subject: drm: Added orientation quirk for OneGX1 Pro
+
+From: Jared Baldridge <jrb@expunge.us>
+
+[ Upstream commit 81ad7f9f78e4ff80e95be8282423f511b84f1166 ]
+
+The OneGX1 Pro has a fairly unique combination of generic strings,
+but we additionally match on the BIOS date just to be safe.
+
+Signed-off-by: Jared Baldridge <jrb@expunge.us>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/41288ccb-1012-486b-81c1-a24c31850c91@www.fastmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_panel_orientation_quirks.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c
+index 58f5dc2f6dd5..f6bdec7fa925 100644
+--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c
++++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c
+@@ -84,6 +84,13 @@ static const struct drm_dmi_panel_orientation_data itworks_tw891 = {
+       .orientation = DRM_MODE_PANEL_ORIENTATION_RIGHT_UP,
+ };
++static const struct drm_dmi_panel_orientation_data onegx1_pro = {
++      .width = 1200,
++      .height = 1920,
++      .bios_dates = (const char * const []){ "12/17/2020", NULL },
++      .orientation = DRM_MODE_PANEL_ORIENTATION_RIGHT_UP,
++};
++
+ static const struct drm_dmi_panel_orientation_data lcd720x1280_rightside_up = {
+       .width = 720,
+       .height = 1280,
+@@ -211,6 +218,13 @@ static const struct dmi_system_id orientation_data[] = {
+                 DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad D330-10IGM"),
+               },
+               .driver_data = (void *)&lcd1200x1920_rightside_up,
++      }, {    /* OneGX1 Pro */
++              .matches = {
++                DMI_EXACT_MATCH(DMI_SYS_VENDOR, "SYSTEM_MANUFACTURER"),
++                DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "SYSTEM_PRODUCT_NAME"),
++                DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "Default string"),
++              },
++              .driver_data = (void *)&onegx1_pro,
+       }, {    /* VIOS LTH17 */
+               .matches = {
+                 DMI_EXACT_MATCH(DMI_SYS_VENDOR, "VIOS"),
+-- 
+2.30.2
+
diff --git a/queue-5.4/drm-amd-display-check-for-dsc-support-instead-of-asi.patch b/queue-5.4/drm-amd-display-check-for-dsc-support-instead-of-asi.patch
new file mode 100644 (file)
index 0000000..5741eaa
--- /dev/null
@@ -0,0 +1,44 @@
+From f5c34fe221fc019305bcb21621fa8e024283410f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Feb 2021 17:09:52 -0500
+Subject: drm/amd/display: Check for DSC support instead of ASIC revision
+
+From: Eryk Brol <eryk.brol@amd.com>
+
+[ Upstream commit 349a19b2f1b01e713268c7de9944ad669ccdf369 ]
+
+[why]
+This check for ASIC revision is no longer useful and causes
+lightup issues after a topology change in MST DSC scenario.
+In this case, DSC configs should be recalculated for the new
+topology. This check prevented that from happening on certain
+ASICs that do, in fact, support DSC.
+
+[how]
+Change the ASIC revision to instead check if DSC is supported.
+
+Signed-off-by: Eryk Brol <eryk.brol@amd.com>
+Acked-by: Bindu Ramamurthy <bindu.r@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+index fbbe611d4873..2626aacf492f 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -7330,7 +7330,7 @@ static int amdgpu_dm_atomic_check(struct drm_device *dev,
+       }
+ #if defined(CONFIG_DRM_AMD_DC_DCN)
+-      if (adev->asic_type >= CHIP_NAVI10) {
++      if (dc_resource_is_dsc_encoding_supported(dc)) {
+               for_each_oldnew_crtc_in_state(state, crtc, old_crtc_state, new_crtc_state, i) {
+                       if (drm_atomic_crtc_needs_modeset(new_crtc_state)) {
+                               ret = add_affected_mst_dsc_crtcs(state, crtc);
+-- 
+2.30.2
+
diff --git a/queue-5.4/drm-amd-display-don-t-optimize-bandwidth-before-disa.patch b/queue-5.4/drm-amd-display-don-t-optimize-bandwidth-before-disa.patch
new file mode 100644 (file)
index 0000000..5f90e84
--- /dev/null
@@ -0,0 +1,44 @@
+From 8d9cbf686c58c2469a60d1ae50286a840b4e281e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Feb 2021 18:13:59 -0500
+Subject: drm/amd/display: Don't optimize bandwidth before disabling planes
+
+From: Aric Cyr <aric.cyr@amd.com>
+
+[ Upstream commit 6ad98e8aeb0106f453bb154933e8355849244990 ]
+
+[Why]
+There is a window of time where we optimize bandwidth due to no streams
+enabled will enable PSTATE changing but HUBPs are not disabled yet.
+This results in underflow counter increasing in some hotplug scenarios.
+
+[How]
+Set the optimize-bandwidth flag for later processing once all the HUBPs
+are properly disabled.
+
+Signed-off-by: Aric Cyr <aric.cyr@amd.com>
+Acked-by: Bindu Ramamurthy <bindu.r@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/core/dc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c
+index 68d56a91d44b..092db590087c 100644
+--- a/drivers/gpu/drm/amd/display/dc/core/dc.c
++++ b/drivers/gpu/drm/amd/display/dc/core/dc.c
+@@ -1961,7 +1961,8 @@ static void commit_planes_do_stream_update(struct dc *dc,
+                                       if (pipe_ctx->stream_res.audio && !dc->debug.az_endpoint_mute_only)
+                                               pipe_ctx->stream_res.audio->funcs->az_disable(pipe_ctx->stream_res.audio);
+-                                      dc->hwss.optimize_bandwidth(dc, dc->current_state);
++                                      dc->optimized_required = true;
++
+                               } else {
+                                       if (!dc->optimize_seamless_boot)
+                                               dc->hwss.prepare_bandwidth(dc, dc->current_state);
+-- 
+2.30.2
+
diff --git a/queue-5.4/drm-amd-display-fix-dml-prefetch-validation.patch b/queue-5.4/drm-amd-display-fix-dml-prefetch-validation.patch
new file mode 100644 (file)
index 0000000..d679f05
--- /dev/null
@@ -0,0 +1,49 @@
+From 11afb75ab9162c8c563c7e6dee20f0aeaecf31eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Mar 2021 11:04:26 -0500
+Subject: drm/amd/display: fix dml prefetch validation
+
+From: Dmytro Laktyushkin <Dmytro.Laktyushkin@amd.com>
+
+[ Upstream commit 8ee0fea4baf90e43efe2275de208a7809f9985bc ]
+
+Incorrect variable used, missing initialization during validation.
+
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Dmytro Laktyushkin <Dmytro.Laktyushkin@amd.com>
+Reviewed-by: Eric Bernstein <Eric.Bernstein@amd.com>
+Acked-by: Solomon Chiu <solomon.chiu@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/dml/dcn20/display_mode_vba_20.c   | 1 +
+ drivers/gpu/drm/amd/display/dc/dml/dcn20/display_mode_vba_20v2.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_mode_vba_20.c b/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_mode_vba_20.c
+index 6c6c486b774a..945d23ca3677 100644
+--- a/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_mode_vba_20.c
++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_mode_vba_20.c
+@@ -3435,6 +3435,7 @@ void dml20_ModeSupportAndSystemConfigurationFull(struct display_mode_lib *mode_l
+                       mode_lib->vba.DCCEnabledInAnyPlane = true;
+               }
+       }
++      mode_lib->vba.UrgentLatency = mode_lib->vba.UrgentLatencyPixelDataOnly;
+       for (i = 0; i <= mode_lib->vba.soc.num_states; i++) {
+               locals->FabricAndDRAMBandwidthPerState[i] = dml_min(
+                               mode_lib->vba.DRAMSpeedPerState[i] * mode_lib->vba.NumberOfChannels
+diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_mode_vba_20v2.c b/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_mode_vba_20v2.c
+index 0fafd693ffb4..5b5ed1be19ba 100644
+--- a/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_mode_vba_20v2.c
++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_mode_vba_20v2.c
+@@ -3467,6 +3467,7 @@ void dml20v2_ModeSupportAndSystemConfigurationFull(struct display_mode_lib *mode
+                       mode_lib->vba.DCCEnabledInAnyPlane = true;
+               }
+       }
++      mode_lib->vba.UrgentLatency = mode_lib->vba.UrgentLatencyPixelDataOnly;
+       for (i = 0; i <= mode_lib->vba.soc.num_states; i++) {
+               locals->FabricAndDRAMBandwidthPerState[i] = dml_min(
+                               mode_lib->vba.DRAMSpeedPerState[i] * mode_lib->vba.NumberOfChannels
+-- 
+2.30.2
+
diff --git a/queue-5.4/drm-amd-display-fix-ubsan-warning-for-not-a-valid-va.patch b/queue-5.4/drm-amd-display-fix-ubsan-warning-for-not-a-valid-va.patch
new file mode 100644 (file)
index 0000000..ea04753
--- /dev/null
@@ -0,0 +1,58 @@
+From adf31c0f6bedf43891f2574ff8939bab495b6173 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Mar 2021 16:16:36 -0500
+Subject: drm/amd/display: Fix UBSAN warning for not a valid value for type
+ '_Bool'
+
+From: Anson Jacob <Anson.Jacob@amd.com>
+
+[ Upstream commit 6a30a92997eee49554f72b462dce90abe54a496f ]
+
+[Why]
+dc_cursor_position do not initialise position.translate_by_source when
+crtc or plane->state->fb is NULL. UBSAN caught this error in
+dce110_set_cursor_position, as the value was garbage.
+
+[How]
+Initialise dc_cursor_position structure elements to 0 in handle_cursor_update
+before calling get_cursor_position.
+
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1471
+Reported-by: Lyude Paul <lyude@redhat.com>
+Signed-off-by: Anson Jacob <Anson.Jacob@amd.com>
+Reviewed-by: Aurabindo Jayamohanan Pillai <Aurabindo.Pillai@amd.com>
+Acked-by: Solomon Chiu <solomon.chiu@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+index 2626aacf492f..1aec841fda35 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -5372,10 +5372,6 @@ static int get_cursor_position(struct drm_plane *plane, struct drm_crtc *crtc,
+       int x, y;
+       int xorigin = 0, yorigin = 0;
+-      position->enable = false;
+-      position->x = 0;
+-      position->y = 0;
+-
+       if (!crtc || !plane->state->fb)
+               return 0;
+@@ -5427,7 +5423,7 @@ static void handle_cursor_update(struct drm_plane *plane,
+       struct dm_crtc_state *crtc_state = crtc ? to_dm_crtc_state(crtc->state) : NULL;
+       struct amdgpu_crtc *amdgpu_crtc = to_amdgpu_crtc(crtc);
+       uint64_t address = afb ? afb->address : 0;
+-      struct dc_cursor_position position;
++      struct dc_cursor_position position = {0};
+       struct dc_cursor_attributes attributes;
+       int ret;
+-- 
+2.30.2
+
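Review bot: `get_cursor_position` no longer writes `position->enable`, `x` and `y` before its early `return 0` for a missing crtc or framebuffer, so its output is only defined when the caller has zeroed the struct first. `handle_cursor_update` does that with `= {0}`, but the dependency is implicit, and any other caller passing a stack-allocated `struct dc_cursor_position` would again hand uninitialised fields to the consumer. I would state the precondition above the function, `/* Caller must zero-initialise *position: the early return leaves it untouched. */`, or keep a `memset(position, 0, sizeof(*position));` at the top of the callee. Both function bodies extend beyond the hunks, and other callers are not visible from here.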
diff --git a/queue-5.4/drm-amdgpu-fix-asic-reset-regression-issue-introduce.patch b/queue-5.4/drm-amdgpu-fix-asic-reset-regression-issue-introduce.patch
new file mode 100644 (file)
index 0000000..42bc25b
--- /dev/null
@@ -0,0 +1,37 @@
+From 22fa469981e334bf1be1cab60f457388b9d269b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Mar 2021 10:30:15 -0500
+Subject: drm/amdgpu : Fix asic reset regression issue introduce by
+ 8f211fe8ac7c4f
+
+From: shaoyunl <shaoyun.liu@amd.com>
+
+[ Upstream commit c8941550aa66b2a90f4b32c45d59e8571e33336e ]
+
+This recent change introduce SDMA interrupt info printing with irq->process function.
+These functions do not require a set function to enable/disable the irq
+
+Signed-off-by: shaoyunl <shaoyun.liu@amd.com>
+Reviewed-by: Hawking Zhang <Hawking.Zhang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c
+index 2a3f5ec298db..76429932035e 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c
+@@ -469,7 +469,7 @@ void amdgpu_irq_gpu_reset_resume_helper(struct amdgpu_device *adev)
+               for (j = 0; j < AMDGPU_MAX_IRQ_SRC_ID; ++j) {
+                       struct amdgpu_irq_src *src = adev->irq.client[i].sources[j];
+-                      if (!src)
++                      if (!src || !src->funcs || !src->funcs->set)
+                               continue;
+                       for (k = 0; k < src->num_types; k++)
+                               amdgpu_irq_update(adev, src, k);
+-- 
+2.30.2
+
diff --git a/queue-5.4/drm-amdgpu-fix-null-pointer-dereference.patch b/queue-5.4/drm-amdgpu-fix-null-pointer-dereference.patch
new file mode 100644 (file)
index 0000000..aa225f3
--- /dev/null
@@ -0,0 +1,60 @@
+From 32a1ce4539839742b42225613ac3f49a3b40ca1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Mar 2021 17:52:18 +0800
+Subject: drm/amdgpu: fix NULL pointer dereference
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Guchun Chen <guchun.chen@amd.com>
+
+[ Upstream commit 3c3dc654333f6389803cdcaf03912e94173ae510 ]
+
+ttm->sg needs to be checked before accessing its child member.
+
+Call Trace:
+ amdgpu_ttm_backend_destroy+0x12/0x70 [amdgpu]
+ ttm_bo_cleanup_memtype_use+0x3a/0x60 [ttm]
+ ttm_bo_release+0x17d/0x300 [ttm]
+ amdgpu_bo_unref+0x1a/0x30 [amdgpu]
+ amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x78b/0x8b0 [amdgpu]
+ kfd_ioctl_alloc_memory_of_gpu+0x118/0x220 [amdgpu]
+ kfd_ioctl+0x222/0x400 [amdgpu]
+ ? kfd_dev_is_large_bar+0x90/0x90 [amdgpu]
+ __x64_sys_ioctl+0x8e/0xd0
+ ? __context_tracking_exit+0x52/0x90
+ do_syscall_64+0x33/0x80
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x7f97f264d317
+Code: b3 66 90 48 8b 05 71 4b 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 41 4b 2d 00 f7 d8 64 89 01 48
+RSP: 002b:00007ffdb402c338 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 00007f97f3cc63a0 RCX: 00007f97f264d317
+RDX: 00007ffdb402c380 RSI: 00000000c0284b16 RDI: 0000000000000003
+RBP: 00007ffdb402c380 R08: 00007ffdb402c428 R09: 00000000c4000004
+R10: 00000000c4000004 R11: 0000000000000246 R12: 00000000c0284b16
+R13: 0000000000000003 R14: 00007f97f3cc63a0 R15: 00007f8836200000
+
+Signed-off-by: Guchun Chen <guchun.chen@amd.com>
+Acked-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
+index c6a1dfe79e80..91e3a87b1de8 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
+@@ -984,7 +984,7 @@ static void amdgpu_ttm_tt_unpin_userptr(struct ttm_tt *ttm)
+               DMA_BIDIRECTIONAL : DMA_TO_DEVICE;
+       /* double check that we don't free the table twice */
+-      if (!ttm->sg->sgl)
++      if (!ttm->sg || !ttm->sg->sgl)
+               return;
+       /* unmap the pages mapped to the device */
+-- 
+2.30.2
+
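Review bot: The comment above the guard, `/* double check that we don't free the table twice */`, now describes only half of the condition. The added `!ttm->sg` test covers a table that was never allocated, which by the call trace in the description appears reachable from the `kfd_ioctl_alloc_memory_of_gpu` cleanup path. I would reword it to `/* nothing to unmap if the sg table was never set up or was already freed */`. The body of `amdgpu_ttm_tt_unpin_userptr` starts and ends outside the hunk.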
diff --git a/queue-5.4/drm-amdgpu-mask-the-xgmi-number-of-hops-reported-fro.patch b/queue-5.4/drm-amdgpu-mask-the-xgmi-number-of-hops-reported-fro.patch
new file mode 100644 (file)
index 0000000..af215ac
--- /dev/null
@@ -0,0 +1,55 @@
+From 164c442056a6ba9f07997c2874450984c27697ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Jan 2021 15:24:59 -0500
+Subject: drm/amdgpu: mask the xgmi number of hops reported from psp to kfd
+
+From: Jonathan Kim <jonathan.kim@amd.com>
+
+[ Upstream commit 4ac5617c4b7d0f0a8f879997f8ceaa14636d7554 ]
+
+The psp supplies the link type in the upper 2 bits of the psp xgmi node
+information num_hops field.  With a new link type, Aldebaran has these
+bits set to a non-zero value (1 = xGMI3) so the KFD topology will report
+the incorrect IO link weights without proper masking.
+The actual number of hops is located in the 3 least significant bits of
+this field so mask if off accordingly before passing it to the KFD.
+
+Signed-off-by: Jonathan Kim <jonathan.kim@amd.com>
+Reviewed-by: Amber Lin <amber.lin@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_xgmi.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_xgmi.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_xgmi.c
+index 65aae75f80fd..ce1048bad158 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_xgmi.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_xgmi.c
+@@ -311,15 +311,22 @@ int amdgpu_xgmi_update_topology(struct amdgpu_hive_info *hive, struct amdgpu_dev
+ }
++/*
++ * NOTE psp_xgmi_node_info.num_hops layout is as follows:
++ * num_hops[7:6] = link type (0 = xGMI2, 1 = xGMI3, 2/3 = reserved)
++ * num_hops[5:3] = reserved
++ * num_hops[2:0] = number of hops
++ */
+ int amdgpu_xgmi_get_hops_count(struct amdgpu_device *adev,
+               struct amdgpu_device *peer_adev)
+ {
+       struct psp_xgmi_topology_info *top = &adev->psp.xgmi_context.top_info;
++      uint8_t num_hops_mask = 0x7;
+       int i;
+       for (i = 0 ; i < top->num_nodes; ++i)
+               if (top->nodes[i].node_id == peer_adev->gmc.xgmi.node_id)
+-                      return top->nodes[i].num_hops;
++                      return top->nodes[i].num_hops & num_hops_mask;
+       return  -EINVAL;
+ }
+-- 
+2.30.2
+
diff --git a/queue-5.4/drm-amdkfd-fix-cat-debugfs-hang_hws-file-causes-syst.patch b/queue-5.4/drm-amdkfd-fix-cat-debugfs-hang_hws-file-causes-syst.patch
new file mode 100644 (file)
index 0000000..94e68d3
--- /dev/null
@@ -0,0 +1,81 @@
+From ec984f19f578651e5480b58bf485624d91cdf6c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 21 Mar 2021 16:28:18 +0800
+Subject: drm/amdkfd: Fix cat debugfs hang_hws file causes system crash bug
+
+From: Qu Huang <jinsdb@126.com>
+
+[ Upstream commit d73610211eec8aa027850982b1a48980aa1bc96e ]
+
+Here is the system crash log:
+[ 1272.884438] BUG: unable to handle kernel NULL pointer dereference at
+(null)
+[ 1272.884444] IP: [<          (null)>]           (null)
+[ 1272.884447] PGD 825b09067 PUD 8267c8067 PMD 0
+[ 1272.884452] Oops: 0010 [#1] SMP
+[ 1272.884509] CPU: 13 PID: 3485 Comm: cat Kdump: loaded Tainted: G
+[ 1272.884515] task: ffff9a38dbd4d140 ti: ffff9a37cd3b8000 task.ti:
+ffff9a37cd3b8000
+[ 1272.884517] RIP: 0010:[<0000000000000000>]  [<          (null)>]
+(null)
+[ 1272.884520] RSP: 0018:ffff9a37cd3bbe68  EFLAGS: 00010203
+[ 1272.884522] RAX: 0000000000000000 RBX: 0000000000000000 RCX:
+0000000000014d5f
+[ 1272.884524] RDX: fffffffffffffff4 RSI: 0000000000000001 RDI:
+ffff9a38aca4d200
+[ 1272.884526] RBP: ffff9a37cd3bbed0 R08: ffff9a38dcd5f1a0 R09:
+ffff9a31ffc07300
+[ 1272.884527] R10: ffff9a31ffc07300 R11: ffffffffaddd5e9d R12:
+ffff9a38b4e0fb00
+[ 1272.884529] R13: 0000000000000001 R14: ffff9a37cd3bbf18 R15:
+ffff9a38aca4d200
+[ 1272.884532] FS:  00007feccaa67740(0000) GS:ffff9a38dcd40000(0000)
+knlGS:0000000000000000
+[ 1272.884534] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 1272.884536] CR2: 0000000000000000 CR3: 00000008267c0000 CR4:
+00000000003407e0
+[ 1272.884537] Call Trace:
+[ 1272.884544]  [<ffffffffade68940>] ? seq_read+0x130/0x440
+[ 1272.884548]  [<ffffffffade40f8f>] vfs_read+0x9f/0x170
+[ 1272.884552]  [<ffffffffade41e4f>] SyS_read+0x7f/0xf0
+[ 1272.884557]  [<ffffffffae374ddb>] system_call_fastpath+0x22/0x27
+[ 1272.884558] Code:  Bad RIP value.
+[ 1272.884562] RIP  [<          (null)>]           (null)
+[ 1272.884564]  RSP <ffff9a37cd3bbe68>
+[ 1272.884566] CR2: 0000000000000000
+
+Signed-off-by: Qu Huang <jinsdb@126.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_debugfs.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_debugfs.c b/drivers/gpu/drm/amd/amdkfd/kfd_debugfs.c
+index 511712c2e382..673d5e34f213 100644
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_debugfs.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_debugfs.c
+@@ -33,6 +33,11 @@ static int kfd_debugfs_open(struct inode *inode, struct file *file)
+       return single_open(file, show, NULL);
+ }
++static int kfd_debugfs_hang_hws_read(struct seq_file *m, void *data)
++{
++      seq_printf(m, "echo gpu_id > hang_hws\n");
++      return 0;
++}
+ static ssize_t kfd_debugfs_hang_hws_write(struct file *file,
+       const char __user *user_buf, size_t size, loff_t *ppos)
+@@ -94,7 +99,7 @@ void kfd_debugfs_init(void)
+       debugfs_create_file("rls", S_IFREG | 0444, debugfs_root,
+                           kfd_debugfs_rls_by_device, &kfd_debugfs_fops);
+       debugfs_create_file("hang_hws", S_IFREG | 0200, debugfs_root,
+-                          NULL, &kfd_debugfs_hang_hws_fops);
++                          kfd_debugfs_hang_hws_read, &kfd_debugfs_hang_hws_fops);
+ }
+ void kfd_debugfs_fini(void)
+-- 
+2.30.2
+
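Review bot: `kfd_debugfs_hang_hws_read` passes a constant string with no format arguments to `seq_printf`; `seq_puts(m, "echo gpu_id > hang_hws\n");` is the usual form and skips format parsing. The handler also deserves a comment saying why it exists, since the file is created `0200` and the read is presumably only reachable by a caller that bypasses the mode bits. Something like `/* hang_hws is write-only; print a usage hint so single_open() is never handed a NULL show callback */` would record that.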
diff --git a/queue-5.4/drm-amdkfd-fix-ubsan-shift-out-of-bounds-warning.patch b/queue-5.4/drm-amdkfd-fix-ubsan-shift-out-of-bounds-warning.patch
new file mode 100644 (file)
index 0000000..ce18c81
--- /dev/null
@@ -0,0 +1,67 @@
+From 46bea7d5eb16c82068b3e8cca18df8bae89c72de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Mar 2021 12:33:15 -0500
+Subject: drm/amdkfd: Fix UBSAN shift-out-of-bounds warning
+
+From: Anson Jacob <Anson.Jacob@amd.com>
+
+[ Upstream commit 50e2fc36e72d4ad672032ebf646cecb48656efe0 ]
+
+If get_num_sdma_queues or get_num_xgmi_sdma_queues is 0, we end up
+doing a shift operation where the number of bits shifted equals
+number of bits in the operand. This behaviour is undefined.
+
+Set num_sdma_queues or num_xgmi_sdma_queues to ULLONG_MAX, if the
+count is >= number of bits in the operand.
+
+Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1472
+
+Reported-by: Lyude Paul <lyude@redhat.com>
+Signed-off-by: Anson Jacob <Anson.Jacob@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Tested-by: Lyude Paul <lyude@redhat.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../drm/amd/amdkfd/kfd_device_queue_manager.c   | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
+index e9a278440079..ab69898c9cb7 100644
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
+@@ -1011,6 +1011,9 @@ static int set_sched_resources(struct device_queue_manager *dqm)
+ static int initialize_cpsch(struct device_queue_manager *dqm)
+ {
++      uint64_t num_sdma_queues;
++      uint64_t num_xgmi_sdma_queues;
++
+       pr_debug("num of pipes: %d\n", get_pipes_per_mec(dqm));
+       mutex_init(&dqm->lock_hidden);
+@@ -1019,8 +1022,18 @@ static int initialize_cpsch(struct device_queue_manager *dqm)
+       dqm->sdma_queue_count = 0;
+       dqm->xgmi_sdma_queue_count = 0;
+       dqm->active_runlist = false;
+-      dqm->sdma_bitmap = ~0ULL >> (64 - get_num_sdma_queues(dqm));
+-      dqm->xgmi_sdma_bitmap = ~0ULL >> (64 - get_num_xgmi_sdma_queues(dqm));
++
++      num_sdma_queues = get_num_sdma_queues(dqm);
++      if (num_sdma_queues >= BITS_PER_TYPE(dqm->sdma_bitmap))
++              dqm->sdma_bitmap = ULLONG_MAX;
++      else
++              dqm->sdma_bitmap = (BIT_ULL(num_sdma_queues) - 1);
++
++      num_xgmi_sdma_queues = get_num_xgmi_sdma_queues(dqm);
++      if (num_xgmi_sdma_queues >= BITS_PER_TYPE(dqm->xgmi_sdma_bitmap))
++              dqm->xgmi_sdma_bitmap = ULLONG_MAX;
++      else
++              dqm->xgmi_sdma_bitmap = (BIT_ULL(num_xgmi_sdma_queues) - 1);
+       INIT_WORK(&dqm->hw_exception_work, kfd_process_hw_exception);
+-- 
+2.30.2
+
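Review bot: The two bitmap computations added to `initialize_cpsch` are the same four lines with different operands; a small static helper would keep the width check in one place so the two cannot drift apart. A count above 64 is also silently clamped to a full bitmap, and if hardware is never expected to report that, a `WARN_ON_ONCE` inside the helper would make it visible. The helper name below is only a suggestion, and `initialize_cpsch` continues outside the hunk.

```c
static uint64_t sdma_queue_bitmap(uint64_t num_queues)
{
	if (num_queues >= BITS_PER_TYPE(uint64_t))
		return ULLONG_MAX;
	return BIT_ULL(num_queues) - 1;
}

/* … unchanged: initialize_cpsch setup up to active_runlist … */
	dqm->sdma_bitmap = sdma_queue_bitmap(get_num_sdma_queues(dqm));
	dqm->xgmi_sdma_bitmap = sdma_queue_bitmap(get_num_xgmi_sdma_queues(dqm));
```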
diff --git a/queue-5.4/drm-msm-mdp5-configure-pp_sync_height-to-double-the-.patch b/queue-5.4/drm-msm-mdp5-configure-pp_sync_height-to-double-the-.patch
new file mode 100644 (file)
index 0000000..117c4ee
--- /dev/null
@@ -0,0 +1,57 @@
+From 2821d1bcfa6505de280ff19749dd30a09cc56c5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Apr 2021 23:47:24 +0200
+Subject: drm/msm/mdp5: Configure PP_SYNC_HEIGHT to double the vtotal
+
+From: Marijn Suijten <marijn.suijten@somainline.org>
+
+[ Upstream commit 2ad52bdb220de5ab348098e3482b01235d15a842 ]
+
+Leaving this at a close-to-maximum register value 0xFFF0 means it takes
+very long for the MDSS to generate a software vsync interrupt when the
+hardware TE interrupt doesn't arrive.  Configuring this to double the
+vtotal (like some downstream kernels) leads to a frame to take at most
+twice before the vsync signal, until hardware TE comes up.
+
+In this case the hardware interrupt responsible for providing this
+signal - "disp-te" gpio - is not hooked up to the mdp5 vsync/pp logic at
+all.  This solves severe panel update issues observed on at least the
+Xperia Loire and Tone series, until said gpio is properly hooked up to
+an irq.
+
+Suggested-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@somainline.org>
+Signed-off-by: Marijn Suijten <marijn.suijten@somainline.org>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@somainline.org>
+Link: https://lore.kernel.org/r/20210406214726.131534-2-marijn.suijten@somainline.org
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/mdp5/mdp5_cmd_encoder.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/disp/mdp5/mdp5_cmd_encoder.c b/drivers/gpu/drm/msm/disp/mdp5/mdp5_cmd_encoder.c
+index eeef41fcd4e1..288f18cbf62d 100644
+--- a/drivers/gpu/drm/msm/disp/mdp5/mdp5_cmd_encoder.c
++++ b/drivers/gpu/drm/msm/disp/mdp5/mdp5_cmd_encoder.c
+@@ -70,9 +70,17 @@ static int pingpong_tearcheck_setup(struct drm_encoder *encoder,
+               | MDP5_PP_SYNC_CONFIG_VSYNC_IN_EN;
+       cfg |= MDP5_PP_SYNC_CONFIG_VSYNC_COUNT(vclks_line);
++      /*
++       * Tearcheck emits a blanking signal every vclks_line * vtotal * 2 ticks on
++       * the vsync_clk equating to roughly half the desired panel refresh rate.
++       * This is only necessary as stability fallback if interrupts from the
++       * panel arrive too late or not at all, but is currently used by default
++       * because these panel interrupts are not wired up yet.
++       */
+       mdp5_write(mdp5_kms, REG_MDP5_PP_SYNC_CONFIG_VSYNC(pp_id), cfg);
+       mdp5_write(mdp5_kms,
+-              REG_MDP5_PP_SYNC_CONFIG_HEIGHT(pp_id), 0xfff0);
++              REG_MDP5_PP_SYNC_CONFIG_HEIGHT(pp_id), (2 * mode->vtotal));
++
+       mdp5_write(mdp5_kms,
+               REG_MDP5_PP_VSYNC_INIT_VAL(pp_id), mode->vdisplay);
+       mdp5_write(mdp5_kms, REG_MDP5_PP_RD_PTR_IRQ(pp_id), mode->vdisplay + 1);
+-- 
+2.30.2
+
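Review bot: The new block comment sits above the `REG_MDP5_PP_SYNC_CONFIG_VSYNC` write, but it explains the value written to `REG_MDP5_PP_SYNC_CONFIG_HEIGHT` in the next statement; moving it directly above the HEIGHT write would keep the explanation with the code it describes. Separately, `2 * mode->vtotal` is written unbounded where the old code used `0xfff0`, which the description calls close to the register maximum. If the field is 16 bits wide, as that suggests, `min(2 * mode->vtotal, 0xfff0)` would keep an unusual mode from wrapping. `pingpong_tearcheck_setup` starts and ends outside the hunk.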
diff --git a/queue-5.4/drm-msm-mdp5-do-not-multiply-vclk-line-count-by-100.patch b/queue-5.4/drm-msm-mdp5-do-not-multiply-vclk-line-count-by-100.patch
new file mode 100644 (file)
index 0000000..7f451a0
--- /dev/null
@@ -0,0 +1,71 @@
+From 122704217c2bca7bd359f230588460ca0d42d7cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Apr 2021 23:47:25 +0200
+Subject: drm/msm/mdp5: Do not multiply vclk line count by 100
+
+From: Marijn Suijten <marijn.suijten@somainline.org>
+
+[ Upstream commit 377569f82ea8228c421cef4da33e056a900b58ca ]
+
+Neither vtotal nor drm_mode_vrefresh contain a value that is
+premultiplied by 100 making the x100 variable name incorrect and
+resulting in vclks_line to become 100 times larger than it is supposed
+to be.  The hardware counts 100 clockticks too many before tearcheck,
+leading to severe panel issues on at least the Sony Xperia lineup.
+
+This is likely an artifact from the original MDSS DSI panel driver where
+the calculation [1] corrected for a premultiplied reference framerate by
+100 [2].  It does not appear that the above values were ever
+premultiplied in the history of the DRM MDP5 driver.
+
+With this change applied the value written to the SYNC_CONFIG_VSYNC
+register is now identical to downstream kernels.
+
+[1]: https://source.codeaurora.org/quic/la/kernel/msm-3.18/tree/drivers/video/msm/mdss/mdss_mdp_intf_cmd.c?h=LA.UM.8.6.c26-02400-89xx.0#n288
+[2]: https://source.codeaurora.org/quic/la/kernel/msm-3.18/tree/drivers/video/msm/mdss/mdss_dsi_panel.c?h=LA.UM.8.6.c26-02400-89xx.0#n1648
+
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@somainline.org>
+Signed-off-by: Marijn Suijten <marijn.suijten@somainline.org>
+Link: https://lore.kernel.org/r/20210406214726.131534-3-marijn.suijten@somainline.org
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/mdp5/mdp5_cmd_encoder.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/disp/mdp5/mdp5_cmd_encoder.c b/drivers/gpu/drm/msm/disp/mdp5/mdp5_cmd_encoder.c
+index 288f18cbf62d..0425400f44db 100644
+--- a/drivers/gpu/drm/msm/disp/mdp5/mdp5_cmd_encoder.c
++++ b/drivers/gpu/drm/msm/disp/mdp5/mdp5_cmd_encoder.c
+@@ -41,7 +41,7 @@ static int pingpong_tearcheck_setup(struct drm_encoder *encoder,
+ {
+       struct mdp5_kms *mdp5_kms = get_kms(encoder);
+       struct device *dev = encoder->dev->dev;
+-      u32 total_lines_x100, vclks_line, cfg;
++      u32 total_lines, vclks_line, cfg;
+       long vsync_clk_speed;
+       struct mdp5_hw_mixer *mixer = mdp5_crtc_get_mixer(encoder->crtc);
+       int pp_id = mixer->pp;
+@@ -51,8 +51,8 @@ static int pingpong_tearcheck_setup(struct drm_encoder *encoder,
+               return -EINVAL;
+       }
+-      total_lines_x100 = mode->vtotal * drm_mode_vrefresh(mode);
+-      if (!total_lines_x100) {
++      total_lines = mode->vtotal * drm_mode_vrefresh(mode);
++      if (!total_lines) {
+               DRM_DEV_ERROR(dev, "%s: vtotal(%d) or vrefresh(%d) is 0\n",
+                             __func__, mode->vtotal, drm_mode_vrefresh(mode));
+               return -EINVAL;
+@@ -64,7 +64,7 @@ static int pingpong_tearcheck_setup(struct drm_encoder *encoder,
+                                                       vsync_clk_speed);
+               return -EINVAL;
+       }
+-      vclks_line = vsync_clk_speed * 100 / total_lines_x100;
++      vclks_line = vsync_clk_speed / total_lines;
+       cfg = MDP5_PP_SYNC_CONFIG_VSYNC_COUNTER_EN
+               | MDP5_PP_SYNC_CONFIG_VSYNC_IN_EN;
+-- 
+2.30.2
+
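Review bot: `vclks_line = vsync_clk_speed / total_lines;` in pingpong_tearcheck_setup() is integer division and nothing visible in these hunks rejects a zero quotient before it is packed into `MDP5_PP_SYNC_CONFIG_VSYNC_COUNT(vclks_line)`. With the x100 scaling gone, the result truncates to 0 whenever the vsync clock rate is below vtotal * vrefresh, and the tearcheck counter would then be programmed with a zero line period. A guard right after the division, `if (!vclks_line) return -EINVAL;` with a DRM_DEV_ERROR like the neighbouring checks, would keep a misconfigured clock from reaching the hardware. The function body starts and ends outside the hunks, so an existing range check elsewhere cannot be ruled out.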
diff --git a/queue-5.4/drm-qxl-release-shadow-on-shutdown.patch b/queue-5.4/drm-qxl-release-shadow-on-shutdown.patch
new file mode 100644 (file)
index 0000000..a4b9976
--- /dev/null
@@ -0,0 +1,38 @@
+From b1b1a2af135e0ed16d501b8ed3862f043da1ed6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Feb 2021 15:57:06 +0100
+Subject: drm/qxl: release shadow on shutdown
+
+From: Gerd Hoffmann <kraxel@redhat.com>
+
+[ Upstream commit 4ca77c513537700d3fae69030879f781dde1904c ]
+
+In case we have a shadow surface on shutdown release
+it so it doesn't leak.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
+Link: http://patchwork.freedesktop.org/patch/msgid/20210204145712.1531203-6-kraxel@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/qxl/qxl_display.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/gpu/drm/qxl/qxl_display.c b/drivers/gpu/drm/qxl/qxl_display.c
+index 9abf3dc5ef99..a6ee10cbcfdd 100644
+--- a/drivers/gpu/drm/qxl/qxl_display.c
++++ b/drivers/gpu/drm/qxl/qxl_display.c
+@@ -1237,6 +1237,10 @@ int qxl_modeset_init(struct qxl_device *qdev)
+ void qxl_modeset_fini(struct qxl_device *qdev)
+ {
++      if (qdev->dumb_shadow_bo) {
++              drm_gem_object_put(&qdev->dumb_shadow_bo->tbo.base);
++              qdev->dumb_shadow_bo = NULL;
++      }
+       qxl_destroy_monitors_object(qdev);
+       drm_mode_config_cleanup(&qdev->ddev);
+ }
+-- 
+2.30.2
+
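Review bot: The added `drm_gem_object_put(&qdev->dumb_shadow_bo->tbo.base);` in qxl_modeset_fini() may be the wrong variant for a 5.4 backport. As far as I recall, in 5.4 drm_gem_object_put() is the helper that expects struct_mutex to be held and warns otherwise, while the lock-free helper is drm_gem_object_put_unlocked(); the rename that gave drm_gem_object_put() its upstream meaning came in a later release. If that holds for this tree, the line should read `drm_gem_object_put_unlocked(&qdev->dumb_shadow_bo->tbo.base);`. Please confirm against include/drm/drm_gem.h in the 5.4 branch before queuing.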
diff --git a/queue-5.4/drm-vkms-fix-misuse-of-warn_on.patch b/queue-5.4/drm-vkms-fix-misuse-of-warn_on.patch
new file mode 100644 (file)
index 0000000..fae120f
--- /dev/null
@@ -0,0 +1,47 @@
+From 8f9d6bbd3a43b40b67c1d6d0e07dc4ccd0999a3a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 20 Mar 2021 14:28:40 +0100
+Subject: drm/vkms: fix misuse of WARN_ON
+
+From: Dmitry Vyukov <dvyukov@google.com>
+
+[ Upstream commit b4142fc4d52d051d4d8df1fb6c569e5b445d369e ]
+
+vkms_vblank_simulate() uses WARN_ON for timing-dependent condition
+(timer overrun). This is a mis-use of WARN_ON, WARN_ON must be used
+to denote kernel bugs. Use pr_warn() instead.
+
+Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
+Reported-by: syzbot+4fc21a003c8332eb0bdd@syzkaller.appspotmail.com
+Cc: Rodrigo Siqueira <rodrigosiqueiramelo@gmail.com>
+Cc: Melissa Wen <melissa.srw@gmail.com>
+Cc: Haneen Mohammed <hamohammed.sa@gmail.com>
+Cc: Daniel Vetter <daniel@ffwll.ch>
+Cc: David Airlie <airlied@linux.ie>
+Cc: dri-devel@lists.freedesktop.org
+Cc: linux-kernel@vger.kernel.org
+Acked-by: Melissa Wen <melissa.srw@gmail.com>
+Signed-off-by: Melissa Wen <melissa.srw@gmail.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210320132840.1315853-1-dvyukov@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vkms/vkms_crtc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/vkms/vkms_crtc.c b/drivers/gpu/drm/vkms/vkms_crtc.c
+index 927dafaebc76..8b01fae65f43 100644
+--- a/drivers/gpu/drm/vkms/vkms_crtc.c
++++ b/drivers/gpu/drm/vkms/vkms_crtc.c
+@@ -20,7 +20,8 @@ static enum hrtimer_restart vkms_vblank_simulate(struct hrtimer *timer)
+       ret_overrun = hrtimer_forward_now(&output->vblank_hrtimer,
+                                         output->period_ns);
+-      WARN_ON(ret_overrun != 1);
++      if (ret_overrun != 1)
++              pr_warn("%s: vblank timer overrun\n", __func__);
+       ret = drm_crtc_handle_vblank(crtc);
+       if (!ret)
+-- 
+2.30.2
+
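Review bot: The new `pr_warn("%s: vblank timer overrun\n", __func__);` in vkms_vblank_simulate() is unbounded, so a condition the commit message itself calls timing-dependent can print once per timer period from the hrtimer callback. On a loaded or fuzzed system that floods the kernel log and can push out other messages. `pr_warn_ratelimited("%s: vblank timer overrun\n", __func__);` keeps the diagnostic while capping the rate. The rest of the callback is outside the hunk.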
diff --git a/queue-5.4/extcon-arizona-fix-some-issues-when-hpdet-irq-fires-.patch b/queue-5.4/extcon-arizona-fix-some-issues-when-hpdet-irq-fires-.patch
new file mode 100644 (file)
index 0000000..d8d62ad
--- /dev/null
@@ -0,0 +1,96 @@
+From 72ae0d8ade767effebd0a95ed5ed64cb0b4ceac9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 7 Mar 2021 16:17:56 +0100
+Subject: extcon: arizona: Fix some issues when HPDET IRQ fires after the jack
+ has been unplugged
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit c309a3e8793f7e01c4a4ec7960658380572cb576 ]
+
+When the jack is partially inserted and then removed again it may be
+removed while the hpdet code is running. In this case the following
+may happen:
+
+1. The "JACKDET rise" or ""JACKDET fall" IRQ triggers
+2. arizona_jackdet runs and takes info->lock
+3. The "HPDET" IRQ triggers
+4. arizona_hpdet_irq runs, blocks on info->lock
+5. arizona_jackdet calls arizona_stop_mic() and clears info->hpdet_done
+6. arizona_jackdet releases info->lock
+7. arizona_hpdet_irq now can continue running and:
+7.1 Calls arizona_start_mic() (if a mic was detected)
+7.2 sets info->hpdet_done
+
+Step 7 is undesirable / a bug:
+7.1 causes the device to stay in a high power-state (with MICVDD enabled)
+7.2 causes hpdet to not run on the next jack insertion, which in turn
+    causes the EXTCON_JACK_HEADPHONE state to never get set
+
+This fixes both issues by skipping these 2 steps when arizona_hpdet_irq
+runs after the jack has been unplugged.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Tested-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Acked-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/extcon/extcon-arizona.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/extcon/extcon-arizona.c b/drivers/extcon/extcon-arizona.c
+index e970134c95fa..7f1cd61443ff 100644
+--- a/drivers/extcon/extcon-arizona.c
++++ b/drivers/extcon/extcon-arizona.c
+@@ -597,7 +597,7 @@ static irqreturn_t arizona_hpdet_irq(int irq, void *data)
+       struct arizona *arizona = info->arizona;
+       int id_gpio = arizona->pdata.hpdet_id_gpio;
+       unsigned int report = EXTCON_JACK_HEADPHONE;
+-      int ret, reading;
++      int ret, reading, state;
+       bool mic = false;
+       mutex_lock(&info->lock);
+@@ -610,12 +610,11 @@ static irqreturn_t arizona_hpdet_irq(int irq, void *data)
+       }
+       /* If the cable was removed while measuring ignore the result */
+-      ret = extcon_get_state(info->edev, EXTCON_MECHANICAL);
+-      if (ret < 0) {
+-              dev_err(arizona->dev, "Failed to check cable state: %d\n",
+-                      ret);
++      state = extcon_get_state(info->edev, EXTCON_MECHANICAL);
++      if (state < 0) {
++              dev_err(arizona->dev, "Failed to check cable state: %d\n", state);
+               goto out;
+-      } else if (!ret) {
++      } else if (!state) {
+               dev_dbg(arizona->dev, "Ignoring HPDET for removed cable\n");
+               goto done;
+       }
+@@ -668,7 +667,7 @@ done:
+                          ARIZONA_ACCDET_MODE_MASK, ARIZONA_ACCDET_MODE_MIC);
+       /* If we have a mic then reenable MICDET */
+-      if (mic || info->mic)
++      if (state && (mic || info->mic))
+               arizona_start_mic(info);
+       if (info->hpdet_active) {
+@@ -676,7 +675,9 @@ done:
+               info->hpdet_active = false;
+       }
+-      info->hpdet_done = true;
++      /* Do not set hp_det done when the cable has been unplugged */
++      if (state)
++              info->hpdet_done = true;
+ out:
+       mutex_unlock(&info->lock);
+-- 
+2.30.2
+
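Review bot: The code under `done:` in arizona_hpdet_irq() now reads `state`, which is declared without an initialiser and only assigned at the extcon_get_state() call in the second hunk. Any `goto done` taken before that assignment would test an indeterminate value; the hunks do not show every jump to `done:`, so this needs checking against the full function. A comment at the declaration, e.g. `/* state: set before any goto done; 0 means the cable was unplugged */`, would record the invariant for the next change. The added comment also says "hp_det done" while the field is `hpdet_done`; matching the field name makes it greppable.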
diff --git a/queue-5.4/extcon-arizona-fix-various-races-on-driver-unbind.patch b/queue-5.4/extcon-arizona-fix-various-races-on-driver-unbind.patch
new file mode 100644 (file)
index 0000000..85de5ba
--- /dev/null
@@ -0,0 +1,132 @@
+From 9b1b6d2215b6dbbb07cb56fdbd46a7ac84cc557c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 7 Mar 2021 16:17:57 +0100
+Subject: extcon: arizona: Fix various races on driver unbind
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit e5b499f6fb17bc95a813e85d0796522280203806 ]
+
+We must free/disable all interrupts and cancel all pending works
+before doing further cleanup.
+
+Before this commit arizona_extcon_remove() was doing several
+register writes to shut things down before disabling the IRQs
+and it was cancelling only 1 of the 3 different works used.
+
+Move all the register-writes shutting things down to after
+the disabling of the IRQs and add the 2 missing
+cancel_delayed_work_sync() calls.
+
+This fixes various possible races on driver unbind. One of which
+would always trigger on devices using the mic-clamp feature for
+jack detection. The ARIZONA_MICD_CLAMP_MODE_MASK update was
+done before disabling the IRQs, causing:
+1. arizona_jackdet() to run
+2. detect a jack being inserted (clamp disabled means jack inserted)
+3. call arizona_start_mic() which:
+3.1 Enables the MICVDD regulator
+3.2 takes a pm_runtime_reference
+
+And this was all happening after the ARIZONA_MICD_ENA bit clearing,
+which would undo 3.1 and 3.2 because the ARIZONA_MICD_CLAMP_MODE_MASK
+update was being done after the ARIZONA_MICD_ENA bit clearing.
+
+So this means that arizona_extcon_remove() would exit with
+1. MICVDD enabled and 2. The pm_runtime_reference being unbalanced.
+
+MICVDD still being enabled caused the following oops when the
+regulator is released by the devm framework:
+
+[ 2850.745757] ------------[ cut here ]------------
+[ 2850.745827] WARNING: CPU: 2 PID: 2098 at drivers/regulator/core.c:2123 _regulator_put.part.0+0x19f/0x1b0
+[ 2850.745835] Modules linked in: extcon_arizona ...
+...
+[ 2850.746909] Call Trace:
+[ 2850.746932]  regulator_put+0x2d/0x40
+[ 2850.746946]  release_nodes+0x22a/0x260
+[ 2850.746984]  __device_release_driver+0x190/0x240
+[ 2850.747002]  driver_detach+0xd4/0x120
+...
+[ 2850.747337] ---[ end trace f455dfd7abd9781f ]---
+
+Note this oops is just one of various theoretically possible races caused
+by the wrong ordering inside arizona_extcon_remove(), this fixes the
+ordering fixing all possible races, including the reported oops.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Tested-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Acked-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/extcon/extcon-arizona.c | 40 +++++++++++++++++----------------
+ 1 file changed, 21 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/extcon/extcon-arizona.c b/drivers/extcon/extcon-arizona.c
+index 7f1cd61443ff..9a6103ac7118 100644
+--- a/drivers/extcon/extcon-arizona.c
++++ b/drivers/extcon/extcon-arizona.c
+@@ -1725,25 +1725,6 @@ static int arizona_extcon_remove(struct platform_device *pdev)
+       bool change;
+       int ret;
+-      ret = regmap_update_bits_check(arizona->regmap, ARIZONA_MIC_DETECT_1,
+-                                     ARIZONA_MICD_ENA, 0,
+-                                     &change);
+-      if (ret < 0) {
+-              dev_err(&pdev->dev, "Failed to disable micd on remove: %d\n",
+-                      ret);
+-      } else if (change) {
+-              regulator_disable(info->micvdd);
+-              pm_runtime_put(info->dev);
+-      }
+-
+-      gpiod_put(info->micd_pol_gpio);
+-
+-      pm_runtime_disable(&pdev->dev);
+-
+-      regmap_update_bits(arizona->regmap,
+-                         ARIZONA_MICD_CLAMP_CONTROL,
+-                         ARIZONA_MICD_CLAMP_MODE_MASK, 0);
+-
+       if (info->micd_clamp) {
+               jack_irq_rise = ARIZONA_IRQ_MICD_CLAMP_RISE;
+               jack_irq_fall = ARIZONA_IRQ_MICD_CLAMP_FALL;
+@@ -1759,10 +1740,31 @@ static int arizona_extcon_remove(struct platform_device *pdev)
+       arizona_free_irq(arizona, jack_irq_rise, info);
+       arizona_free_irq(arizona, jack_irq_fall, info);
+       cancel_delayed_work_sync(&info->hpdet_work);
++      cancel_delayed_work_sync(&info->micd_detect_work);
++      cancel_delayed_work_sync(&info->micd_timeout_work);
++
++      ret = regmap_update_bits_check(arizona->regmap, ARIZONA_MIC_DETECT_1,
++                                     ARIZONA_MICD_ENA, 0,
++                                     &change);
++      if (ret < 0) {
++              dev_err(&pdev->dev, "Failed to disable micd on remove: %d\n",
++                      ret);
++      } else if (change) {
++              regulator_disable(info->micvdd);
++              pm_runtime_put(info->dev);
++      }
++
++      regmap_update_bits(arizona->regmap,
++                         ARIZONA_MICD_CLAMP_CONTROL,
++                         ARIZONA_MICD_CLAMP_MODE_MASK, 0);
+       regmap_update_bits(arizona->regmap, ARIZONA_JACK_DETECT_ANALOGUE,
+                          ARIZONA_JD1_ENA, 0);
+       arizona_clk32k_disable(arizona);
++      gpiod_put(info->micd_pol_gpio);
++
++      pm_runtime_disable(&pdev->dev);
++
+       return 0;
+ }
+-- 
+2.30.2
+
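Review bot: The ordering this fix depends on is not recorded in arizona_extcon_remove() itself: nothing at the moved block says the register writes must stay after the arizona_free_irq() calls and the three cancel_delayed_work_sync() calls. The constraint is only in the commit message, so a later cleanup could reintroduce the race. A comment above the moved `regmap_update_bits_check()` call would document it, e.g. `/* IRQs are freed and all works cancelled above; only now is it safe to power things down */`. The return values of `regulator_disable()` and of the two `regmap_update_bits()` calls are still ignored on this path, so a failed shutdown write goes unreported. The function starts outside the hunks, so the earlier IRQ teardown is only partly visible.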
diff --git a/queue-5.4/genirq-matrix-prevent-allocation-counter-corruption.patch b/queue-5.4/genirq-matrix-prevent-allocation-counter-corruption.patch
new file mode 100644 (file)
index 0000000..6a31098
--- /dev/null
@@ -0,0 +1,51 @@
+From 2851398385c9a65a5680207947b9ca4494ae0473 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Mar 2021 12:18:23 +0100
+Subject: genirq/matrix: Prevent allocation counter corruption
+
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+[ Upstream commit c93a5e20c3c2dabef8ea360a3d3f18c6f68233ab ]
+
+When irq_matrix_free() is called for an unallocated vector the
+managed_allocated and total_allocated counters get out of sync with the
+real state of the matrix. Later, when the last interrupt is freed, these
+counters will underflow resulting in UINTMAX because the counters are
+unsigned.
+
+While this is certainly a problem of the calling code, this can be catched
+in the allocator by checking the allocation bit for the to be freed vector
+which simplifies debugging.
+
+An example of the problem described above:
+https://lore.kernel.org/lkml/20210318192819.636943062@linutronix.de/
+
+Add the missing sanity check and emit a warning when it triggers.
+
+Suggested-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lore.kernel.org/r/20210319111823.1105248-1-vkuznets@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/irq/matrix.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/irq/matrix.c b/kernel/irq/matrix.c
+index 651a4ad6d711..8e586858bcf4 100644
+--- a/kernel/irq/matrix.c
++++ b/kernel/irq/matrix.c
+@@ -423,7 +423,9 @@ void irq_matrix_free(struct irq_matrix *m, unsigned int cpu,
+       if (WARN_ON_ONCE(bit < m->alloc_start || bit >= m->alloc_end))
+               return;
+-      clear_bit(bit, cm->alloc_map);
++      if (WARN_ON_ONCE(!test_and_clear_bit(bit, cm->alloc_map)))
++              return;
++
+       cm->allocated--;
+       if(managed)
+               cm->managed_allocated--;
+-- 
+2.30.2
+
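Review bot: In irq_matrix_free() the state change now sits inside the assertion, `if (WARN_ON_ONCE(!test_and_clear_bit(bit, cm->alloc_map)))`, which is easy to misread as a pure check. It works because WARN_ON_ONCE() always evaluates its condition, but a one-line comment would make the intent explicit, e.g. `/* Clears the bit; bail out if it was not set so the counters cannot underflow */`. The unchanged context line `if(managed)` just below lacks the space after `if` if this area is touched again. The function continues outside the hunk.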
diff --git a/queue-5.4/intel_th-consistency-and-off-by-one-fix.patch b/queue-5.4/intel_th-consistency-and-off-by-one-fix.patch
new file mode 100644 (file)
index 0000000..2e5b708
--- /dev/null
@@ -0,0 +1,49 @@
+From a243b894db231d84f033f1ed70e92901c2751ed1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Apr 2021 20:12:49 +0300
+Subject: intel_th: Consistency and off-by-one fix
+
+From: Pavel Machek <pavel@ucw.cz>
+
+[ Upstream commit 18ffbc47d45a1489b664dd68fb3a7610a6e1dea3 ]
+
+Consistently use "< ... +1" in for loops.
+
+Fix of-by-one in for_each_set_bit().
+
+Signed-off-by: Pavel Machek <pavel@denx.de>
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Link: https://lore.kernel.org/lkml/20190724095841.GA6952@amd/
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20210414171251.14672-6-alexander.shishkin@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwtracing/intel_th/gth.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hwtracing/intel_th/gth.c b/drivers/hwtracing/intel_th/gth.c
+index f72803a02391..28509b02a0b5 100644
+--- a/drivers/hwtracing/intel_th/gth.c
++++ b/drivers/hwtracing/intel_th/gth.c
+@@ -543,7 +543,7 @@ static void intel_th_gth_disable(struct intel_th_device *thdev,
+       output->active = false;
+       for_each_set_bit(master, gth->output[output->port].master,
+-                       TH_CONFIGURABLE_MASTERS) {
++                       TH_CONFIGURABLE_MASTERS + 1) {
+               gth_master_set(gth, master, -1);
+       }
+       spin_unlock(&gth->gth_lock);
+@@ -697,7 +697,7 @@ static void intel_th_gth_unassign(struct intel_th_device *thdev,
+       othdev->output.port = -1;
+       othdev->output.active = false;
+       gth->output[port].output = NULL;
+-      for (master = 0; master <= TH_CONFIGURABLE_MASTERS; master++)
++      for (master = 0; master < TH_CONFIGURABLE_MASTERS + 1; master++)
+               if (gth->master[master] == port)
+                       gth->master[master] = -1;
+       spin_unlock(&gth->gth_lock);
+-- 
+2.30.2
+
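Review bot: The bound `TH_CONFIGURABLE_MASTERS + 1` is now spelled out separately in both hunks, in the for_each_set_bit() in intel_th_gth_disable() and in the loop in intel_th_gth_unassign(). It has to match the declared size of the `master` bitmap and of `gth->master[]`, neither of which is visible here. If either is declared with fewer entries, the widened for_each_set_bit() scan reads one bit past the bitmap, so please confirm the declarations use the same expression. A single named constant for the entry count, used by the declarations and both loops, would keep them from drifting apart; the name is for the maintainers to choose.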
diff --git a/queue-5.4/media-adv7604-fix-possible-use-after-free-in-adv76xx.patch b/queue-5.4/media-adv7604-fix-possible-use-after-free-in-adv76xx.patch
new file mode 100644 (file)
index 0000000..d7b5d7f
--- /dev/null
@@ -0,0 +1,43 @@
+From 760f8f60b048aca9451d908947ee02c920f21e06 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Apr 2021 15:42:46 +0200
+Subject: media: adv7604: fix possible use-after-free in adv76xx_remove()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit fa56f5f1fe31c2050675fa63b84963ebd504a5b3 ]
+
+This driver's remove path calls cancel_delayed_work(). However, that
+function does not wait until the work function finishes. This means
+that the callback function may still be running after the driver's
+remove function has finished, which would result in a use-after-free.
+
+Fix by calling cancel_delayed_work_sync(), which ensures that
+the work is properly cancelled, no longer running, and unable
+to re-schedule itself.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/adv7604.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/i2c/adv7604.c b/drivers/media/i2c/adv7604.c
+index 2dedd6ebb236..b887299ac195 100644
+--- a/drivers/media/i2c/adv7604.c
++++ b/drivers/media/i2c/adv7604.c
+@@ -3606,7 +3606,7 @@ static int adv76xx_remove(struct i2c_client *client)
+       io_write(sd, 0x6e, 0);
+       io_write(sd, 0x73, 0);
+-      cancel_delayed_work(&state->delayed_work_enable_hotplug);
++      cancel_delayed_work_sync(&state->delayed_work_enable_hotplug);
+       v4l2_async_unregister_subdev(sd);
+       media_entity_cleanup(&sd->entity);
+       adv76xx_unregister_clients(to_state(sd));
+-- 
+2.30.2
+
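Review bot: `cancel_delayed_work_sync(&state->delayed_work_enable_hotplug);` in adv76xx_remove() runs before `v4l2_async_unregister_subdev(sd);`, so the sub-device is still registered when the cancel returns. If any operation reachable through the registered sub-device can queue this work (the queueing site is outside the hunk, so this is an assumption to verify), it could be re-armed after the cancel and run after teardown, which is the use-after-free this patch targets. Moving the cancel to after the unregister call, or documenting why no caller can queue the work at this point, would close that window.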
diff --git a/queue-5.4/media-drivers-media-pci-sta2x11-fix-kconfig-dependen.patch b/queue-5.4/media-drivers-media-pci-sta2x11-fix-kconfig-dependen.patch
new file mode 100644 (file)
index 0000000..2ed8f30
--- /dev/null
@@ -0,0 +1,45 @@
+From 361d7ce95316773ac40da13bd116fa6694a9a3d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Feb 2021 09:06:58 +0100
+Subject: media: drivers: media: pci: sta2x11: fix Kconfig dependency on
+ GPIOLIB
+
+From: Julian Braha <julianbraha@gmail.com>
+
+[ Upstream commit 24df8b74c8b2fb42c49ffe8585562da0c96446ff ]
+
+When STA2X11_VIP is enabled, and GPIOLIB is disabled,
+Kbuild gives the following warning:
+
+WARNING: unmet direct dependencies detected for VIDEO_ADV7180
+  Depends on [n]: MEDIA_SUPPORT [=y] && GPIOLIB [=n] && VIDEO_V4L2 [=y] && I2C [=y]
+  Selected by [y]:
+  - STA2X11_VIP [=y] && MEDIA_SUPPORT [=y] && MEDIA_PCI_SUPPORT [=y] && MEDIA_CAMERA_SUPPORT [=y] && PCI [=y] && VIDEO_V4L2 [=y] && VIRT_TO_BUS [=y] && I2C [=y] && (STA2X11 [=n] || COMPILE_TEST [=y]) && MEDIA_SUBDRV_AUTOSELECT [=y]
+
+This is because STA2X11_VIP selects VIDEO_ADV7180
+without selecting or depending on GPIOLIB,
+despite VIDEO_ADV7180 depending on GPIOLIB.
+
+Signed-off-by: Julian Braha <julianbraha@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/sta2x11/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/pci/sta2x11/Kconfig b/drivers/media/pci/sta2x11/Kconfig
+index 011b766f0bff..d613feee8176 100644
+--- a/drivers/media/pci/sta2x11/Kconfig
++++ b/drivers/media/pci/sta2x11/Kconfig
+@@ -2,6 +2,7 @@
+ config STA2X11_VIP
+       tristate "STA2X11 VIP Video For Linux"
+       depends on STA2X11 || COMPILE_TEST
++      select GPIOLIB if MEDIA_SUBDRV_AUTOSELECT
+       select VIDEO_ADV7180 if MEDIA_SUBDRV_AUTOSELECT
+       select VIDEOBUF2_DMA_CONTIG
+       depends on PCI && VIDEO_V4L2 && VIRT_TO_BUS
+-- 
+2.30.2
+
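Review bot: `select GPIOLIB if MEDIA_SUBDRV_AUTOSELECT` forces on a user-visible symbol, which the Kconfig guidance discourages because select ignores the selected symbol's own dependencies. The warning in the commit message would equally be silenced by making the existing select conditional, `select VIDEO_ADV7180 if MEDIA_SUBDRV_AUTOSELECT && GPIOLIB`, hedged on how other drivers in this tree express the same dependency. If the forced select is intentional, a `# VIDEO_ADV7180 depends on GPIOLIB` comment on the line above would explain why it is there.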
diff --git a/queue-5.4/media-dvb-usb-fix-memory-leak-in-dvb_usb_adapter_ini.patch b/queue-5.4/media-dvb-usb-fix-memory-leak-in-dvb_usb_adapter_ini.patch
new file mode 100644 (file)
index 0000000..24326ec
--- /dev/null
@@ -0,0 +1,83 @@
+From 3bf163cc7de6fe64b350402fdaf60313638c93d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 Mar 2021 21:32:19 +0200
+Subject: media: dvb-usb: fix memory leak in dvb_usb_adapter_init
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit b7cd0da982e3043f2eec7235ac5530cb18d6af1d ]
+
+syzbot reported memory leak in dvb-usb. The problem was
+in invalid error handling in dvb_usb_adapter_init().
+
+for (n = 0; n < d->props.num_adapters; n++) {
+....
+       if ((ret = dvb_usb_adapter_stream_init(adap)) ||
+               (ret = dvb_usb_adapter_dvb_init(adap, adapter_nrs)) ||
+               (ret = dvb_usb_adapter_frontend_init(adap))) {
+               return ret;
+       }
+...
+       d->num_adapters_initialized++;
+...
+}
+
+In case of error in dvb_usb_adapter_dvb_init() or
+dvb_usb_adapter_dvb_init() d->num_adapters_initialized won't be
+incremented, but dvb_usb_adapter_exit() relies on it:
+
+       for (n = 0; n < d->num_adapters_initialized; n++)
+
+So, allocated objects won't be freed.
+
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Reported-by: syzbot+3c2be7424cea3b932b0e@syzkaller.appspotmail.com
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb/dvb-usb-init.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/usb/dvb-usb/dvb-usb-init.c b/drivers/media/usb/dvb-usb/dvb-usb-init.c
+index 16a0b4a359ea..7c32c7b96520 100644
+--- a/drivers/media/usb/dvb-usb/dvb-usb-init.c
++++ b/drivers/media/usb/dvb-usb/dvb-usb-init.c
+@@ -79,11 +79,17 @@ static int dvb_usb_adapter_init(struct dvb_usb_device *d, short *adapter_nrs)
+                       }
+               }
+-              if ((ret = dvb_usb_adapter_stream_init(adap)) ||
+-                      (ret = dvb_usb_adapter_dvb_init(adap, adapter_nrs)) ||
+-                      (ret = dvb_usb_adapter_frontend_init(adap))) {
++              ret = dvb_usb_adapter_stream_init(adap);
++              if (ret)
+                       return ret;
+-              }
++
++              ret = dvb_usb_adapter_dvb_init(adap, adapter_nrs);
++              if (ret)
++                      goto dvb_init_err;
++
++              ret = dvb_usb_adapter_frontend_init(adap);
++              if (ret)
++                      goto frontend_init_err;
+               /* use exclusive FE lock if there is multiple shared FEs */
+               if (adap->fe_adap[1].fe)
+@@ -103,6 +109,12 @@ static int dvb_usb_adapter_init(struct dvb_usb_device *d, short *adapter_nrs)
+       }
+       return 0;
++
++frontend_init_err:
++      dvb_usb_adapter_dvb_exit(adap);
++dvb_init_err:
++      dvb_usb_adapter_stream_exit(adap);
++      return ret;
+ }
+ static int dvb_usb_adapter_exit(struct dvb_usb_device *d)
+-- 
+2.30.2
+
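Review bot: The first failure in dvb_usb_adapter_init() still leaves through a bare `return ret;` after `dvb_usb_adapter_stream_init(adap)`, while only the two later failures get the new unwind labels. Since `d->num_adapters_initialized` is not incremented on any of these paths, whatever the loop allocated for this adapter before the stream init (that code is above the hunk, so this is inferred from the closing braces in the context) would not be released by dvb_usb_adapter_exit() either. Please confirm that dvb_usb_adapter_stream_init() cleans up after itself on error and that nothing allocated earlier in the iteration is left behind. A comment at the labels, e.g. `/* unwind the current adapter only; earlier ones are covered by num_adapters_initialized */`, would make the split of responsibility clear.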
diff --git a/queue-5.4/media-em28xx-fix-memory-leak.patch b/queue-5.4/media-em28xx-fix-memory-leak.patch
new file mode 100644 (file)
index 0000000..c9b0acf
--- /dev/null
@@ -0,0 +1,41 @@
+From 2f01eb2bd7a923b58b6b5fdd034c499ba1ae2a3e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Mar 2021 19:07:53 +0100
+Subject: media: em28xx: fix memory leak
+
+From: Muhammad Usama Anjum <musamaanjum@gmail.com>
+
+[ Upstream commit 0ae10a7dc8992ee682ff0b1752ff7c83d472eef1 ]
+
+If some error occurs, URB buffers should also be freed. If they aren't
+freed with the dvb here, the em28xx_dvb_fini call doesn't frees the URB
+buffers as dvb is set to NULL. The function in which error occurs should
+do all the cleanup for the allocations it had done.
+
+Tested the patch with the reproducer provided by syzbot. This patch
+fixes the memleak.
+
+Reported-by: syzbot+889397c820fa56adf25d@syzkaller.appspotmail.com
+Signed-off-by: Muhammad Usama Anjum <musamaanjum@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/em28xx/em28xx-dvb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/usb/em28xx/em28xx-dvb.c b/drivers/media/usb/em28xx/em28xx-dvb.c
+index a73faf12f7e4..e1946237ac8c 100644
+--- a/drivers/media/usb/em28xx/em28xx-dvb.c
++++ b/drivers/media/usb/em28xx/em28xx-dvb.c
+@@ -1924,6 +1924,7 @@ ret:
+       return result;
+ out_free:
++      em28xx_uninit_usb_xfer(dev, EM28XX_DIGITAL_MODE);
+       kfree(dvb);
+       dev->dvb = NULL;
+       goto ret;
+-- 
+2.30.2
+
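Review bot: The added `em28xx_uninit_usb_xfer(dev, EM28XX_DIGITAL_MODE);` sits under `out_free:`, so it runs on every path that jumps there, including any taken before the URB buffers were allocated or after their allocation failed. The jumps to `out_free:` are outside the hunk, so please confirm that em28xx_uninit_usb_xfer() is safe to call when nothing was allocated for digital mode. If it is, a short comment such as `/* safe even if the URBs were never allocated */` would save the next reader from re-deriving that.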
diff --git a/queue-5.4/media-gscpa-stv06xx-fix-memory-leak.patch b/queue-5.4/media-gscpa-stv06xx-fix-memory-leak.patch
new file mode 100644 (file)
index 0000000..73646b3
--- /dev/null
@@ -0,0 +1,84 @@
+From 830fa12cdc134d4c3e89f57870f389246eb8e73c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Apr 2021 12:31:20 +0200
+Subject: media: gscpa/stv06xx: fix memory leak
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit 4f4e6644cd876c844cdb3bea2dd7051787d5ae25 ]
+
+For two of the supported sensors the stv06xx driver allocates memory which
+is stored in sd->sensor_priv. This memory is freed on a disconnect, but if
+the probe() fails, then it isn't freed and so this leaks memory.
+
+Add a new probe_error() op that drivers can use to free any allocated
+memory in case there was a probe failure.
+
+Thanks to Pavel Skripkin <paskripkin@gmail.com> for discovering the cause
+of the memory leak.
+
+Reported-and-tested-by: syzbot+e7f4c64a4248a0340c37@syzkaller.appspotmail.com
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/gspca/gspca.c           | 2 ++
+ drivers/media/usb/gspca/gspca.h           | 1 +
+ drivers/media/usb/gspca/stv06xx/stv06xx.c | 9 +++++++++
+ 3 files changed, 12 insertions(+)
+
+diff --git a/drivers/media/usb/gspca/gspca.c b/drivers/media/usb/gspca/gspca.c
+index 4210826cc910..e4d78e676e74 100644
+--- a/drivers/media/usb/gspca/gspca.c
++++ b/drivers/media/usb/gspca/gspca.c
+@@ -1576,6 +1576,8 @@ out:
+ #endif
+       v4l2_ctrl_handler_free(gspca_dev->vdev.ctrl_handler);
+       v4l2_device_unregister(&gspca_dev->v4l2_dev);
++      if (sd_desc->probe_error)
++              sd_desc->probe_error(gspca_dev);
+       kfree(gspca_dev->usb_buf);
+       kfree(gspca_dev);
+       return ret;
+diff --git a/drivers/media/usb/gspca/gspca.h b/drivers/media/usb/gspca/gspca.h
+index b0ced2e14006..a6554d5e9e1a 100644
+--- a/drivers/media/usb/gspca/gspca.h
++++ b/drivers/media/usb/gspca/gspca.h
+@@ -105,6 +105,7 @@ struct sd_desc {
+       cam_cf_op config;       /* called on probe */
+       cam_op init;            /* called on probe and resume */
+       cam_op init_controls;   /* called on probe */
++      cam_v_op probe_error;   /* called if probe failed, do cleanup here */
+       cam_op start;           /* called on stream on after URBs creation */
+       cam_pkt_op pkt_scan;
+ /* optional operations */
+diff --git a/drivers/media/usb/gspca/stv06xx/stv06xx.c b/drivers/media/usb/gspca/stv06xx/stv06xx.c
+index 95673fc0a99c..d9bc2aacc885 100644
+--- a/drivers/media/usb/gspca/stv06xx/stv06xx.c
++++ b/drivers/media/usb/gspca/stv06xx/stv06xx.c
+@@ -529,12 +529,21 @@ static int sd_int_pkt_scan(struct gspca_dev *gspca_dev,
+ static int stv06xx_config(struct gspca_dev *gspca_dev,
+                         const struct usb_device_id *id);
++static void stv06xx_probe_error(struct gspca_dev *gspca_dev)
++{
++      struct sd *sd = (struct sd *)gspca_dev;
++
++      kfree(sd->sensor_priv);
++      sd->sensor_priv = NULL;
++}
++
+ /* sub-driver description */
+ static const struct sd_desc sd_desc = {
+       .name = MODULE_NAME,
+       .config = stv06xx_config,
+       .init = stv06xx_init,
+       .init_controls = stv06xx_init_controls,
++      .probe_error = stv06xx_probe_error,
+       .start = stv06xx_start,
+       .stopN = stv06xx_stopN,
+       .pkt_scan = stv06xx_pkt_scan,
+-- 
+2.30.2
+
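Review bot: In gspca.h the new `cam_v_op probe_error;` member is added among the mandatory callbacks, above the `/* optional operations */` comment. The call site in gspca.c treats it as optional with `if (sd_desc->probe_error)`, and only stv06xx sets it in this patch. Moving the member below the `/* optional operations */` line, or wording its comment as `/* optional: called if probe failed, free sub-driver allocations here */`, would keep the struct layout consistent with how it is used. In stv06xx_probe_error() the cast `(struct sd *)gspca_dev` assumes gspca_dev is the first member of struct sd; that definition is not visible here, so a one-line comment stating the assumption would help.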
diff --git a/queue-5.4/media-gspca-sq905.c-fix-uninitialized-variable.patch b/queue-5.4/media-gspca-sq905.c-fix-uninitialized-variable.patch
new file mode 100644 (file)
index 0000000..10a85ac
--- /dev/null
@@ -0,0 +1,36 @@
+From 1339552288d078d8c420229635dd6b79c5efe5ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Mar 2021 15:46:40 +0100
+Subject: media: gspca/sq905.c: fix uninitialized variable
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit eaaea4681984c79d2b2b160387b297477f0c1aab ]
+
+act_len can be uninitialized if usb_bulk_msg() returns an error.
+Set it to 0 to avoid a KMSAN error.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Reported-by: syzbot+a4e309017a5f3a24c7b3@syzkaller.appspotmail.com
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/gspca/sq905.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/gspca/sq905.c b/drivers/media/usb/gspca/sq905.c
+index 863c485f4275..65a74060986a 100644
+--- a/drivers/media/usb/gspca/sq905.c
++++ b/drivers/media/usb/gspca/sq905.c
+@@ -158,7 +158,7 @@ static int
+ sq905_read_data(struct gspca_dev *gspca_dev, u8 *data, int size, int need_lock)
+ {
+       int ret;
+-      int act_len;
++      int act_len = 0;
+       gspca_dev->usb_buf[0] = '\0';
+       if (need_lock)
+-- 
+2.30.2
+
diff --git a/queue-5.4/media-i2c-adv7511-v4l2-fix-possible-use-after-free-i.patch b/queue-5.4/media-i2c-adv7511-v4l2-fix-possible-use-after-free-i.patch
new file mode 100644 (file)
index 0000000..19d0b7d
--- /dev/null
@@ -0,0 +1,44 @@
+From 9eeb5474cc1684db6b7701af4c7d6b082508ba0c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Apr 2021 15:48:12 +0200
+Subject: media: i2c: adv7511-v4l2: fix possible use-after-free in
+ adv7511_remove()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 2c9541720c66899adf6f3600984cf3ef151295ad ]
+
+This driver's remove path calls cancel_delayed_work(). However, that
+function does not wait until the work function finishes. This means
+that the callback function may still be running after the driver's
+remove function has finished, which would result in a use-after-free.
+
+Fix by calling cancel_delayed_work_sync(), which ensures that
+the work is properly cancelled, no longer running, and unable
+to re-schedule itself.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/adv7511-v4l2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/i2c/adv7511-v4l2.c b/drivers/media/i2c/adv7511-v4l2.c
+index 62763ec4cd07..809fa44ed988 100644
+--- a/drivers/media/i2c/adv7511-v4l2.c
++++ b/drivers/media/i2c/adv7511-v4l2.c
+@@ -1964,7 +1964,7 @@ static int adv7511_remove(struct i2c_client *client)
+       adv7511_set_isr(sd, false);
+       adv7511_init_setup(sd);
+-      cancel_delayed_work(&state->edid_handler);
++      cancel_delayed_work_sync(&state->edid_handler);
+       i2c_unregister_device(state->i2c_edid);
+       i2c_unregister_device(state->i2c_cec);
+       i2c_unregister_device(state->i2c_pktmem);
+-- 
+2.30.2
+
diff --git a/queue-5.4/media-i2c-adv7842-fix-possible-use-after-free-in-adv.patch b/queue-5.4/media-i2c-adv7842-fix-possible-use-after-free-in-adv.patch
new file mode 100644 (file)
index 0000000..860e6b1
--- /dev/null
@@ -0,0 +1,43 @@
+From 09a61498fd3756e05fce4d37b0019d3aa529d19b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Apr 2021 15:50:53 +0200
+Subject: media: i2c: adv7842: fix possible use-after-free in adv7842_remove()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 4a15275b6a18597079f18241c87511406575179a ]
+
+This driver's remove path calls cancel_delayed_work(). However, that
+function does not wait until the work function finishes. This means
+that the callback function may still be running after the driver's
+remove function has finished, which would result in a use-after-free.
+
+Fix by calling cancel_delayed_work_sync(), which ensures that
+the work is properly cancelled, no longer running, and unable
+to re-schedule itself.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/adv7842.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/i2c/adv7842.c b/drivers/media/i2c/adv7842.c
+index 885619841719..02cbab826d0b 100644
+--- a/drivers/media/i2c/adv7842.c
++++ b/drivers/media/i2c/adv7842.c
+@@ -3586,7 +3586,7 @@ static int adv7842_remove(struct i2c_client *client)
+       struct adv7842_state *state = to_state(sd);
+       adv7842_irq_enable(sd, false);
+-      cancel_delayed_work(&state->delayed_work_enable_hotplug);
++      cancel_delayed_work_sync(&state->delayed_work_enable_hotplug);
+       v4l2_device_unregister_subdev(sd);
+       media_entity_cleanup(&sd->entity);
+       adv7842_unregister_clients(sd);
+-- 
+2.30.2
+
diff --git a/queue-5.4/media-i2c-tda1997-fix-possible-use-after-free-in-tda.patch b/queue-5.4/media-i2c-tda1997-fix-possible-use-after-free-in-tda.patch
new file mode 100644 (file)
index 0000000..b346c0f
--- /dev/null
@@ -0,0 +1,43 @@
+From ff4fbd66df6e918fdc8b24a86cdc6ba8b2c53b2b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Apr 2021 15:49:45 +0200
+Subject: media: i2c: tda1997: Fix possible use-after-free in tda1997x_remove()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 7f820ab5d4eebfe2d970d32a76ae496a6c286f0f ]
+
+This driver's remove path calls cancel_delayed_work(). However, that
+function does not wait until the work function finishes. This means
+that the callback function may still be running after the driver's
+remove function has finished, which would result in a use-after-free.
+
+Fix by calling cancel_delayed_work_sync(), which ensures that
+the work is properly cancelled, no longer running, and unable
+to re-schedule itself.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/tda1997x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/i2c/tda1997x.c b/drivers/media/i2c/tda1997x.c
+index 5e68182001ec..e43d8327b810 100644
+--- a/drivers/media/i2c/tda1997x.c
++++ b/drivers/media/i2c/tda1997x.c
+@@ -2804,7 +2804,7 @@ static int tda1997x_remove(struct i2c_client *client)
+       media_entity_cleanup(&sd->entity);
+       v4l2_ctrl_handler_free(&state->hdl);
+       regulator_bulk_disable(TDA1997X_NUM_SUPPLIES, state->supplies);
+-      cancel_delayed_work(&state->delayed_work_enable_hpd);
++      cancel_delayed_work_sync(&state->delayed_work_enable_hpd);
+       mutex_destroy(&state->page_lock);
+       mutex_destroy(&state->lock);
+-- 
+2.30.2
+
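Review bot: In tda1997x_remove() the delayed work is still cancelled only after `v4l2_ctrl_handler_free(&state->hdl)` and `regulator_bulk_disable()`, so until that line the enable-HPD handler can run while the control handler is already freed and the supplies are off. The _sync variant closes the window after remove returns, but not this earlier one. If the handler touches the chip or the controls (its body is not in the hunk), move `cancel_delayed_work_sync(&state->delayed_work_enable_hpd);` ahead of `media_entity_cleanup(&sd->entity);`. The start of the function is outside the hunk, so it is also worth confirming that whatever queues this work is already quiesced by then.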
diff --git a/queue-5.4/media-imx-capture-return-epipe-from-__capture_legacy.patch b/queue-5.4/media-imx-capture-return-epipe-from-__capture_legacy.patch
new file mode 100644 (file)
index 0000000..278e405
--- /dev/null
@@ -0,0 +1,39 @@
+From 3d439fafe684148ee6633bd9de2957ec1b06a11b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Feb 2021 05:26:47 +0100
+Subject: media: imx: capture: Return -EPIPE from __capture_legacy_try_fmt()
+
+From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+
+[ Upstream commit cc271b6754691af74d710b761eaf027e3743e243 ]
+
+The correct return code to report an invalid pipeline configuration is
+-EPIPE. Return it instead of -EINVAL from __capture_legacy_try_fmt()
+when the capture format doesn't match the media bus format of the
+connected subdev.
+
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Reviewed-by: Rui Miguel Silva <rmfrfs@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/imx/imx-media-capture.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/staging/media/imx/imx-media-capture.c b/drivers/staging/media/imx/imx-media-capture.c
+index d151cd6d3188..fabbfceaa107 100644
+--- a/drivers/staging/media/imx/imx-media-capture.c
++++ b/drivers/staging/media/imx/imx-media-capture.c
+@@ -553,7 +553,7 @@ static int capture_validate_fmt(struct capture_priv *priv)
+               priv->vdev.fmt.fmt.pix.height != f.fmt.pix.height ||
+               priv->vdev.cc->cs != cc->cs ||
+               priv->vdev.compose.width != compose.width ||
+-              priv->vdev.compose.height != compose.height) ? -EINVAL : 0;
++              priv->vdev.compose.height != compose.height) ? -EPIPE : 0;
+ }
+ static int capture_start_streaming(struct vb2_queue *vq, unsigned int count)
+-- 
+2.30.2
+
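Review bot: The subject and description name `__capture_legacy_try_fmt()`, but the hunk header places the changed return in `capture_validate_fmt()`, so anyone searching the 5.4 tree for the named function will not find this change. The new value also changes the errno reported for a format mismatch, presumably visible to user space at stream start (the caller is not in the hunk). A short comment above the return would record the intent next to the code, e.g. `/* -EPIPE: capture format does not match the connected subdev (invalid pipeline) */`.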
diff --git a/queue-5.4/media-ite-cir-check-for-receive-overflow.patch b/queue-5.4/media-ite-cir-check-for-receive-overflow.patch
new file mode 100644 (file)
index 0000000..3a0c1fa
--- /dev/null
@@ -0,0 +1,41 @@
+From ffe18919fbc86dda42e3dc6bad23a89031e692b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Feb 2021 09:08:35 +0100
+Subject: media: ite-cir: check for receive overflow
+
+From: Sean Young <sean@mess.org>
+
+[ Upstream commit 28c7afb07ccfc0a939bb06ac1e7afe669901c65a ]
+
+It's best if this condition is reported.
+
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/rc/ite-cir.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/rc/ite-cir.c b/drivers/media/rc/ite-cir.c
+index 3ab6cec0dc3b..4b8aee390518 100644
+--- a/drivers/media/rc/ite-cir.c
++++ b/drivers/media/rc/ite-cir.c
+@@ -276,8 +276,14 @@ static irqreturn_t ite_cir_isr(int irq, void *data)
+       /* read the interrupt flags */
+       iflags = dev->params.get_irq_causes(dev);
++      /* Check for RX overflow */
++      if (iflags & ITE_IRQ_RX_FIFO_OVERRUN) {
++              dev_warn(&dev->rdev->dev, "receive overflow\n");
++              ir_raw_event_reset(dev->rdev);
++      }
++
+       /* check for the receive interrupt */
+-      if (iflags & (ITE_IRQ_RX_FIFO | ITE_IRQ_RX_FIFO_OVERRUN)) {
++      if (iflags & ITE_IRQ_RX_FIFO) {
+               /* read the FIFO bytes */
+               rx_bytes =
+                       dev->params.get_rx_bytes(dev, rx_buf,
+-- 
+2.30.2
+
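Review bot: The new `dev_warn()` in ite_cir_isr() is not rate-limited, so a receiver that keeps overrunning emits one log line per interrupt from the interrupt handler; `dev_warn_ratelimited(&dev->rdev->dev, "receive overflow\n");` keeps the report without letting a noisy device flood the log. Separately, the FIFO is now read only when `ITE_IRQ_RX_FIFO` is set, where before an overrun alone also drained it. If the hardware can raise `ITE_IRQ_RX_FIFO_OVERRUN` without `ITE_IRQ_RX_FIFO` (not determinable from the hunk), stale bytes stay in the FIFO after the reset. The rest of the ISR is outside the hunk.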
diff --git a/queue-5.4/media-media-saa7164-fix-saa7164_encoder_register-mem.patch b/queue-5.4/media-media-saa7164-fix-saa7164_encoder_register-mem.patch
new file mode 100644 (file)
index 0000000..0d414bd
--- /dev/null
@@ -0,0 +1,87 @@
+From d05f0fb116a4b9bb9e0e933c91023ca84dd6ddcf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Mar 2021 03:53:00 +0100
+Subject: media: media/saa7164: fix saa7164_encoder_register() memory leak bugs
+
+From: Daniel Niv <danielniv3@gmail.com>
+
+[ Upstream commit c759b2970c561e3b56aa030deb13db104262adfe ]
+
+Add a fix for the memory leak bugs that can occur when the
+saa7164_encoder_register() function fails.
+The function allocates memory without explicitly freeing
+it when errors occur.
+Add a better error handling that deallocate the unused buffers before the
+function exits during a fail.
+
+Signed-off-by: Daniel Niv <danielniv3@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/saa7164/saa7164-encoder.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/media/pci/saa7164/saa7164-encoder.c b/drivers/media/pci/saa7164/saa7164-encoder.c
+index 3fca7257a720..df494644b5b6 100644
+--- a/drivers/media/pci/saa7164/saa7164-encoder.c
++++ b/drivers/media/pci/saa7164/saa7164-encoder.c
+@@ -1008,7 +1008,7 @@ int saa7164_encoder_register(struct saa7164_port *port)
+               printk(KERN_ERR "%s() failed (errno = %d), NO PCI configuration\n",
+                       __func__, result);
+               result = -ENOMEM;
+-              goto failed;
++              goto fail_pci;
+       }
+       /* Establish encoder defaults here */
+@@ -1062,7 +1062,7 @@ int saa7164_encoder_register(struct saa7164_port *port)
+                         100000, ENCODER_DEF_BITRATE);
+       if (hdl->error) {
+               result = hdl->error;
+-              goto failed;
++              goto fail_hdl;
+       }
+       port->std = V4L2_STD_NTSC_M;
+@@ -1080,7 +1080,7 @@ int saa7164_encoder_register(struct saa7164_port *port)
+               printk(KERN_INFO "%s: can't allocate mpeg device\n",
+                       dev->name);
+               result = -ENOMEM;
+-              goto failed;
++              goto fail_hdl;
+       }
+       port->v4l_device->ctrl_handler = hdl;
+@@ -1091,10 +1091,7 @@ int saa7164_encoder_register(struct saa7164_port *port)
+       if (result < 0) {
+               printk(KERN_INFO "%s: can't register mpeg device\n",
+                       dev->name);
+-              /* TODO: We're going to leak here if we don't dealloc
+-               The buffers above. The unreg function can't deal wit it.
+-              */
+-              goto failed;
++              goto fail_reg;
+       }
+       printk(KERN_INFO "%s: registered device video%d [mpeg]\n",
+@@ -1116,9 +1113,14 @@ int saa7164_encoder_register(struct saa7164_port *port)
+       saa7164_api_set_encoder(port);
+       saa7164_api_get_encoder(port);
++      return 0;
+-      result = 0;
+-failed:
++fail_reg:
++      video_device_release(port->v4l_device);
++      port->v4l_device = NULL;
++fail_hdl:
++      v4l2_ctrl_handler_free(hdl);
++fail_pci:
+       return result;
+ }
+-- 
+2.30.2
+
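Review bot: The removed TODO warned about leaking "the buffers above", yet the new unwind labels release only `port->v4l_device` and the control handler `hdl`. If saa7164_encoder_register() allocates anything else before the failing steps (those lines are outside the hunks), it is still leaked on `fail_reg` and `fail_hdl`, and the warning has been deleted along with the TODO. Either confirm that no other allocation exists in the function, or add the matching free under its own label ahead of `fail_hdl`.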
diff --git a/queue-5.4/media-platform-sti-fix-runtime-pm-imbalance-in-regs_.patch b/queue-5.4/media-platform-sti-fix-runtime-pm-imbalance-in-regs_.patch
new file mode 100644 (file)
index 0000000..d647efe
--- /dev/null
@@ -0,0 +1,39 @@
+From 2ca489f7bf4b06bea92a360e42b1350d45f41ad9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Apr 2021 07:43:13 +0200
+Subject: media: platform: sti: Fix runtime PM imbalance in regs_show
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit 69306a947b3ae21e0d1cbfc9508f00fec86c7297 ]
+
+pm_runtime_get_sync() will increase the runtime PM counter
+even it returns an error. Thus a pairing decrement is needed
+to prevent refcount leak. Fix this by replacing this API with
+pm_runtime_resume_and_get(), which will not change the runtime
+PM counter on error.
+
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/sti/bdisp/bdisp-debug.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/sti/bdisp/bdisp-debug.c b/drivers/media/platform/sti/bdisp/bdisp-debug.c
+index 77ca7517fa3e..bae62af82643 100644
+--- a/drivers/media/platform/sti/bdisp/bdisp-debug.c
++++ b/drivers/media/platform/sti/bdisp/bdisp-debug.c
+@@ -480,7 +480,7 @@ static int regs_show(struct seq_file *s, void *data)
+       int ret;
+       unsigned int i;
+-      ret = pm_runtime_get_sync(bdisp->dev);
++      ret = pm_runtime_resume_and_get(bdisp->dev);
+       if (ret < 0) {
+               seq_puts(s, "Cannot wake up IP\n");
+               return 0;
+-- 
+2.30.2
+
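Review bot: `pm_runtime_resume_and_get()` is a newer helper than the 5.4 base release, so this backport only builds if the patch that adds it to the runtime-PM header is already in the 5.4 tree; nothing visible in this part of the queue shows that. The same dependency applies to the arizona_irq_thread() change in mfd-arizona-fix-rumtime-pm-imbalance-on-error.patch. With the helper present, the early `return 0` after "Cannot wake up IP" in regs_show() is balanced and needs no extra put.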
diff --git a/queue-5.4/media-tc358743-fix-possible-use-after-free-in-tc3587.patch b/queue-5.4/media-tc358743-fix-possible-use-after-free-in-tc3587.patch
new file mode 100644 (file)
index 0000000..914e1bc
--- /dev/null
@@ -0,0 +1,43 @@
+From cc3529625a122aaed4f5506511282750cc097053 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Apr 2021 15:39:29 +0200
+Subject: media: tc358743: fix possible use-after-free in tc358743_remove()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 6107a4fdf8554a7aa9488bdc835bb010062fa8a9 ]
+
+This driver's remove path calls cancel_delayed_work(). However, that
+function does not wait until the work function finishes. This means
+that the callback function may still be running after the driver's
+remove function has finished, which would result in a use-after-free.
+
+Fix by calling cancel_delayed_work_sync(), which ensures that
+the work is properly cancelled, no longer running, and unable
+to re-schedule itself.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/tc358743.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c
+index cff99cf61ed4..114c084c4aec 100644
+--- a/drivers/media/i2c/tc358743.c
++++ b/drivers/media/i2c/tc358743.c
+@@ -2192,7 +2192,7 @@ static int tc358743_remove(struct i2c_client *client)
+               del_timer_sync(&state->timer);
+               flush_work(&state->work_i2c_poll);
+       }
+-      cancel_delayed_work(&state->delayed_work_enable_hotplug);
++      cancel_delayed_work_sync(&state->delayed_work_enable_hotplug);
+       cec_unregister_adapter(state->cec_adap);
+       v4l2_async_unregister_subdev(sd);
+       v4l2_device_unregister_subdev(sd);
+-- 
+2.30.2
+
diff --git a/queue-5.4/media-vivid-update-edid.patch b/queue-5.4/media-vivid-update-edid.patch
new file mode 100644 (file)
index 0000000..e8f7c8e
--- /dev/null
@@ -0,0 +1,56 @@
+From 0d089083cbcaa352c25300d0f0e96f17c98ddb99 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Mar 2021 08:48:21 +0100
+Subject: media: vivid: update EDID
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit 443ec4bbc6116f6f492a7a1282bfd8422c862158 ]
+
+The EDID had a few mistakes as reported by edid-decode:
+
+Block 1, CTA-861 Extension Block:
+  Video Data Block: For improved preferred timing interoperability, set 'Native detailed modes' to 1.
+  Video Capability Data Block: S_PT is equal to S_IT and S_CE, so should be set to 0 instead.
+
+Fixed those.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/vivid/vivid-core.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/platform/vivid/vivid-core.c b/drivers/media/platform/vivid/vivid-core.c
+index f6a5cdbd74e7..cc71aa425597 100644
+--- a/drivers/media/platform/vivid/vivid-core.c
++++ b/drivers/media/platform/vivid/vivid-core.c
+@@ -174,13 +174,13 @@ static const u8 vivid_hdmi_edid[256] = {
+       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x7b,
+-      0x02, 0x03, 0x3f, 0xf0, 0x51, 0x61, 0x60, 0x5f,
++      0x02, 0x03, 0x3f, 0xf1, 0x51, 0x61, 0x60, 0x5f,
+       0x5e, 0x5d, 0x10, 0x1f, 0x04, 0x13, 0x22, 0x21,
+       0x20, 0x05, 0x14, 0x02, 0x11, 0x01, 0x23, 0x09,
+       0x07, 0x07, 0x83, 0x01, 0x00, 0x00, 0x6d, 0x03,
+       0x0c, 0x00, 0x10, 0x00, 0x00, 0x3c, 0x21, 0x00,
+       0x60, 0x01, 0x02, 0x03, 0x67, 0xd8, 0x5d, 0xc4,
+-      0x01, 0x78, 0x00, 0x00, 0xe2, 0x00, 0xea, 0xe3,
++      0x01, 0x78, 0x00, 0x00, 0xe2, 0x00, 0xca, 0xe3,
+       0x05, 0x00, 0x00, 0xe3, 0x06, 0x01, 0x00, 0x4d,
+       0xd0, 0x00, 0xa0, 0xf0, 0x70, 0x3e, 0x80, 0x30,
+       0x20, 0x35, 0x00, 0xc0, 0x1c, 0x32, 0x00, 0x00,
+@@ -189,7 +189,7 @@ static const u8 vivid_hdmi_edid[256] = {
+       0x00, 0x00, 0x1a, 0x1a, 0x1d, 0x00, 0x80, 0x51,
+       0xd0, 0x1c, 0x20, 0x40, 0x80, 0x35, 0x00, 0xc0,
+       0x1c, 0x32, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x00,
+-      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x63,
++      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x82,
+ };
+ static int vidioc_querycap(struct file *file, void  *priv,
+-- 
+2.30.2
+
diff --git a/queue-5.4/mfd-arizona-fix-rumtime-pm-imbalance-on-error.patch b/queue-5.4/mfd-arizona-fix-rumtime-pm-imbalance-on-error.patch
new file mode 100644 (file)
index 0000000..6514b64
--- /dev/null
@@ -0,0 +1,39 @@
+From 259e616ba57d16e224e7d86769ed4d9afef14b57 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Apr 2021 13:11:49 +0800
+Subject: mfd: arizona: Fix rumtime PM imbalance on error
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit fe6df2b48043bbe1e852b2320501d3b169363c35 ]
+
+pm_runtime_get_sync() will increase the rumtime PM counter
+even it returns an error. Thus a pairing decrement is needed
+to prevent refcount leak. Fix this by replacing this API with
+pm_runtime_resume_and_get(), which will not change the runtime
+PM counter on error.
+
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/arizona-irq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mfd/arizona-irq.c b/drivers/mfd/arizona-irq.c
+index 077d9ab112b7..d919ae9691e2 100644
+--- a/drivers/mfd/arizona-irq.c
++++ b/drivers/mfd/arizona-irq.c
+@@ -100,7 +100,7 @@ static irqreturn_t arizona_irq_thread(int irq, void *data)
+       unsigned int val;
+       int ret;
+-      ret = pm_runtime_get_sync(arizona->dev);
++      ret = pm_runtime_resume_and_get(arizona->dev);
+       if (ret < 0) {
+               dev_err(arizona->dev, "Failed to resume device: %d\n", ret);
+               return IRQ_NONE;
+-- 
+2.30.2
+
diff --git a/queue-5.4/mmc-sdhci-pci-add-pci-ids-for-intel-lkf.patch b/queue-5.4/mmc-sdhci-pci-add-pci-ids-for-intel-lkf.patch
new file mode 100644 (file)
index 0000000..cb8696a
--- /dev/null
@@ -0,0 +1,49 @@
+From 1094800cd90a490bc22f0d4f06e27e00b7cd518a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Mar 2021 07:53:56 +0200
+Subject: mmc: sdhci-pci: Add PCI IDs for Intel LKF
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+[ Upstream commit ee629112be8b4eff71d4d3d108a28bc7dc877e13 ]
+
+Add PCI IDs for Intel LKF eMMC and SD card host controllers.
+
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Link: https://lore.kernel.org/r/20210322055356.24923-1-adrian.hunter@intel.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/sdhci-pci-core.c | 2 ++
+ drivers/mmc/host/sdhci-pci.h      | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/drivers/mmc/host/sdhci-pci-core.c b/drivers/mmc/host/sdhci-pci-core.c
+index 4ca7ab92c815..a9151bd27211 100644
+--- a/drivers/mmc/host/sdhci-pci-core.c
++++ b/drivers/mmc/host/sdhci-pci-core.c
+@@ -1934,6 +1934,8 @@ static const struct pci_device_id pci_ids[] = {
+       SDHCI_PCI_DEVICE(INTEL, CMLH_SD,   intel_byt_sd),
+       SDHCI_PCI_DEVICE(INTEL, JSL_EMMC,  intel_glk_emmc),
+       SDHCI_PCI_DEVICE(INTEL, JSL_SD,    intel_byt_sd),
++      SDHCI_PCI_DEVICE(INTEL, LKF_EMMC,  intel_glk_emmc),
++      SDHCI_PCI_DEVICE(INTEL, LKF_SD,    intel_byt_sd),
+       SDHCI_PCI_DEVICE(O2, 8120,     o2),
+       SDHCI_PCI_DEVICE(O2, 8220,     o2),
+       SDHCI_PCI_DEVICE(O2, 8221,     o2),
+diff --git a/drivers/mmc/host/sdhci-pci.h b/drivers/mmc/host/sdhci-pci.h
+index 981bbbe63aff..779156ce1ee1 100644
+--- a/drivers/mmc/host/sdhci-pci.h
++++ b/drivers/mmc/host/sdhci-pci.h
+@@ -57,6 +57,8 @@
+ #define PCI_DEVICE_ID_INTEL_CMLH_SD   0x06f5
+ #define PCI_DEVICE_ID_INTEL_JSL_EMMC  0x4dc4
+ #define PCI_DEVICE_ID_INTEL_JSL_SD    0x4df8
++#define PCI_DEVICE_ID_INTEL_LKF_EMMC  0x98c4
++#define PCI_DEVICE_ID_INTEL_LKF_SD    0x98f8
+ #define PCI_DEVICE_ID_SYSKONNECT_8000 0x8000
+ #define PCI_DEVICE_ID_VIA_95D0                0x95d0
+-- 
+2.30.2
+
diff --git a/queue-5.4/pci-pm-do-not-read-power-state-in-pci_enable_device_.patch b/queue-5.4/pci-pm-do-not-read-power-state-in-pci_enable_device_.patch
new file mode 100644 (file)
index 0000000..961e63f
--- /dev/null
@@ -0,0 +1,72 @@
+From 07320e1da32fd8138440c87e66f302126ed6c6e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Mar 2021 16:51:40 +0100
+Subject: PCI: PM: Do not read power state in pci_enable_device_flags()
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit 4514d991d99211f225d83b7e640285f29f0755d0 ]
+
+It should not be necessary to update the current_state field of
+struct pci_dev in pci_enable_device_flags() before calling
+do_pci_enable_device() for the device, because none of the
+code between that point and the pci_set_power_state() call in
+do_pci_enable_device() invoked later depends on it.
+
+Moreover, doing that is actively harmful in some cases.  For example,
+if the given PCI device depends on an ACPI power resource whose _STA
+method initially returns 0 ("off"), but the config space of the PCI
+device is accessible and the power state retrieved from the
+PCI_PM_CTRL register is D0, the current_state field in the struct
+pci_dev representing that device will get out of sync with the
+power.state of its ACPI companion object and that will lead to
+power management issues going forward.
+
+To avoid such issues it is better to leave the current_state value
+as is until it is changed to PCI_D0 by do_pci_enable_device() as
+appropriate.  However, the power state of the device is not changed
+to PCI_D0 if it is already enabled when pci_enable_device_flags()
+gets called for it, so update its current_state in that case, but
+use pci_update_current_state() covering platform PM too for that.
+
+Link: https://lore.kernel.org/lkml/20210314000439.3138941-1-luzmaximilian@gmail.com/
+Reported-by: Maximilian Luz <luzmaximilian@gmail.com>
+Tested-by: Maximilian Luz <luzmaximilian@gmail.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pci.c | 16 +++-------------
+ 1 file changed, 3 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
+index 3c3bc9f58498..34a06e89e176 100644
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -1666,20 +1666,10 @@ static int pci_enable_device_flags(struct pci_dev *dev, unsigned long flags)
+       int err;
+       int i, bars = 0;
+-      /*
+-       * Power state could be unknown at this point, either due to a fresh
+-       * boot or a device removal call.  So get the current power state
+-       * so that things like MSI message writing will behave as expected
+-       * (e.g. if the device really is in D0 at enable time).
+-       */
+-      if (dev->pm_cap) {
+-              u16 pmcsr;
+-              pci_read_config_word(dev, dev->pm_cap + PCI_PM_CTRL, &pmcsr);
+-              dev->current_state = (pmcsr & PCI_PM_CTRL_STATE_MASK);
+-      }
+-
+-      if (atomic_inc_return(&dev->enable_cnt) > 1)
++      if (atomic_inc_return(&dev->enable_cnt) > 1) {
++              pci_update_current_state(dev, dev->current_state);
+               return 0;               /* already enabled */
++      }
+       bridge = pci_upstream_bridge(dev);
+       if (bridge)
+-- 
+2.30.2
+
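Review bot: The already-enabled branch of pci_enable_device_flags() now refreshes the power state without any comment, while the block it replaces had one explaining its purpose; the reasoning now lives only in the commit message. A comment above the `pci_update_current_state()` call would keep it next to the code, e.g. `/* Already enabled: do_pci_enable_device() will not run, so refresh current_state here, platform PM included */`. The function continues outside the hunk.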
diff --git a/queue-5.4/perf-arm_pmu_platform-fix-error-handling.patch b/queue-5.4/perf-arm_pmu_platform-fix-error-handling.patch
new file mode 100644 (file)
index 0000000..21393f4
--- /dev/null
@@ -0,0 +1,36 @@
+From aee9c0f2d94f98a110c0b1c097db5f9c3dd5c834 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Mar 2021 16:02:41 +0000
+Subject: perf/arm_pmu_platform: Fix error handling
+
+From: Robin Murphy <robin.murphy@arm.com>
+
+[ Upstream commit e338cb6bef254821a8c095018fd27254d74bfd6a ]
+
+If we're aborting after failing to register the PMU device,
+we probably don't want to leak the IRQs that we've claimed.
+
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Link: https://lore.kernel.org/r/53031a607fc8412a60024bfb3bb8cd7141f998f5.1616774562.git.robin.murphy@arm.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/perf/arm_pmu_platform.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/perf/arm_pmu_platform.c b/drivers/perf/arm_pmu_platform.c
+index 933bd8410fc2..e35cb76c8d10 100644
+--- a/drivers/perf/arm_pmu_platform.c
++++ b/drivers/perf/arm_pmu_platform.c
+@@ -236,7 +236,7 @@ int arm_pmu_device_probe(struct platform_device *pdev,
+       ret = armpmu_register(pmu);
+       if (ret)
+-              goto out_free;
++              goto out_free_irqs;
+       return 0;
+-- 
+2.30.2
+
diff --git a/queue-5.4/phy-phy-twl4030-usb-fix-possible-use-after-free-in-t.patch b/queue-5.4/phy-phy-twl4030-usb-fix-possible-use-after-free-in-t.patch
new file mode 100644 (file)
index 0000000..f23b64a
--- /dev/null
@@ -0,0 +1,45 @@
+From 510de2a7c8cdfdfc23b228592c5dd8c656b19b65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Apr 2021 17:27:16 +0800
+Subject: phy: phy-twl4030-usb: Fix possible use-after-free in
+ twl4030_usb_remove()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit e1723d8b87b73ab363256e7ca3af3ddb75855680 ]
+
+This driver's remove path calls cancel_delayed_work(). However, that
+function does not wait until the work function finishes. This means
+that the callback function may still be running after the driver's
+remove function has finished, which would result in a use-after-free.
+
+Fix by calling cancel_delayed_work_sync(), which ensures that
+the work is properly cancelled, no longer running, and unable
+to re-schedule itself.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20210407092716.3270248-1-yangyingliang@huawei.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/ti/phy-twl4030-usb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/phy/ti/phy-twl4030-usb.c b/drivers/phy/ti/phy-twl4030-usb.c
+index 9887f908f540..812e5409d359 100644
+--- a/drivers/phy/ti/phy-twl4030-usb.c
++++ b/drivers/phy/ti/phy-twl4030-usb.c
+@@ -779,7 +779,7 @@ static int twl4030_usb_remove(struct platform_device *pdev)
+       usb_remove_phy(&twl->phy);
+       pm_runtime_get_sync(twl->dev);
+-      cancel_delayed_work(&twl->id_workaround_work);
++      cancel_delayed_work_sync(&twl->id_workaround_work);
+       device_remove_file(twl->dev, &dev_attr_vbus);
+       /* set transceiver mode to power on defaults */
+-- 
+2.30.2
+
diff --git a/queue-5.4/platform-x86-intel_pmc_core-don-t-use-global-pmcdev-.patch b/queue-5.4/platform-x86-intel_pmc_core-don-t-use-global-pmcdev-.patch
new file mode 100644 (file)
index 0000000..651c143
--- /dev/null
@@ -0,0 +1,81 @@
+From 9a3fcbea27cb68765bcfceb6a31f7b8a7376c35a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Apr 2021 20:12:44 -0700
+Subject: platform/x86: intel_pmc_core: Don't use global pmcdev in quirks
+
+From: David E. Box <david.e.box@linux.intel.com>
+
+[ Upstream commit c9f86d6ca6b5e23d30d16ade4b9fff5b922a610a ]
+
+The DMI callbacks, used for quirks, currently access the PMC by getting
+the address a global pmc_dev struct. Instead, have the callbacks set a
+global quirk specific variable. In probe, after calling dmi_check_system(),
+pass pmc_dev to a function that will handle each quirk if its variable
+condition is met. This allows removing the global pmc_dev later.
+
+Signed-off-by: David E. Box <david.e.box@linux.intel.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Rajneesh Bhardwaj <irenic.rajneesh@gmail.com>
+Link: https://lore.kernel.org/r/20210417031252.3020837-2-david.e.box@linux.intel.com
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/intel_pmc_core.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/platform/x86/intel_pmc_core.c b/drivers/platform/x86/intel_pmc_core.c
+index 571b4754477c..4c1312f1616c 100644
+--- a/drivers/platform/x86/intel_pmc_core.c
++++ b/drivers/platform/x86/intel_pmc_core.c
+@@ -831,9 +831,15 @@ static const struct pci_device_id pmc_pci_ids[] = {
+  * the platform BIOS enforces 24Mhx Crystal to shutdown
+  * before PMC can assert SLP_S0#.
+  */
++static bool xtal_ignore;
+ static int quirk_xtal_ignore(const struct dmi_system_id *id)
+ {
+-      struct pmc_dev *pmcdev = &pmc;
++      xtal_ignore = true;
++      return 0;
++}
++
++static void pmc_core_xtal_ignore(struct pmc_dev *pmcdev)
++{
+       u32 value;
+       value = pmc_core_reg_read(pmcdev, pmcdev->map->pm_vric1_offset);
+@@ -842,7 +848,6 @@ static int quirk_xtal_ignore(const struct dmi_system_id *id)
+       /* Low Voltage Mode Enable */
+       value &= ~SPT_PMC_VRIC1_SLPS0LVEN;
+       pmc_core_reg_write(pmcdev, pmcdev->map->pm_vric1_offset, value);
+-      return 0;
+ }
+ static const struct dmi_system_id pmc_core_dmi_table[]  = {
+@@ -857,6 +862,14 @@ static const struct dmi_system_id pmc_core_dmi_table[]  = {
+       {}
+ };
++static void pmc_core_do_dmi_quirks(struct pmc_dev *pmcdev)
++{
++      dmi_check_system(pmc_core_dmi_table);
++
++      if (xtal_ignore)
++              pmc_core_xtal_ignore(pmcdev);
++}
++
+ static int pmc_core_probe(struct platform_device *pdev)
+ {
+       static bool device_initialized;
+@@ -898,7 +911,7 @@ static int pmc_core_probe(struct platform_device *pdev)
+       mutex_init(&pmcdev->lock);
+       platform_set_drvdata(pdev, pmcdev);
+       pmcdev->pmc_xram_read_bit = pmc_core_check_read_lock_bit();
+-      dmi_check_system(pmc_core_dmi_table);
++      pmc_core_do_dmi_quirks(pmcdev);
+       pmc_core_dbgfs_register(pmcdev);
+-- 
+2.30.2
+
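Review bot: In the first intel_pmc_core.c hunk, the block comment about the 24MHz crystal now sits above `static bool xtal_ignore;` and the DMI callback, while the register write it explains has moved into `pmc_core_xtal_ignore()`, which has no comment. I would add `/* Apply the xtal quirk to this PMC's VRIC1 register; called from probe after DMI matching. */` above `pmc_core_xtal_ignore()`. In the visible lines `xtal_ignore` is set by `quirk_xtal_ignore()` and never cleared, so a one-line comment on the flag, `/* set only by the DMI callback, read in pmc_core_do_dmi_quirks() */`, would record that. The bodies of `pmc_core_xtal_ignore()` and `pmc_core_probe()` continue outside the hunks.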
diff --git a/queue-5.4/power-supply-bq27xxx-fix-power_avg-for-newer-ics.patch b/queue-5.4/power-supply-bq27xxx-fix-power_avg-for-newer-ics.patch
new file mode 100644 (file)
index 0000000..1f5b5e6
--- /dev/null
@@ -0,0 +1,134 @@
+From e66012ca54bff2bcb5816bc101c8371b642bc4c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Mar 2021 10:54:19 +0100
+Subject: power: supply: bq27xxx: fix power_avg for newer ICs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
+
+[ Upstream commit c4d57c22ac65bd503716062a06fad55a01569cac ]
+
+On all newer bq27xxx ICs, the AveragePower register contains a signed
+value; in addition to handling the raw value as unsigned, the driver
+code also didn't convert it to µW as expected.
+
+At least for the BQ28Z610, the reference manual incorrectly states that
+the value is in units of 1mW and not 10mW. I have no way of knowing
+whether the manuals of other supported ICs contain the same error, or if
+there are models that actually use 1mW. At least, the new code shouldn't
+be *less* correct than the old version for any device.
+
+power_avg is removed from the cache structure, se we don't have to
+extend it to store both a signed value and an error code. Always getting
+an up-to-date value may be desirable anyways, as it avoids inconsistent
+current and power readings when switching between charging and
+discharging.
+
+Signed-off-by: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/bq27xxx_battery.c | 51 ++++++++++++++------------
+ include/linux/power/bq27xxx_battery.h  |  1 -
+ 2 files changed, 27 insertions(+), 25 deletions(-)
+
+diff --git a/drivers/power/supply/bq27xxx_battery.c b/drivers/power/supply/bq27xxx_battery.c
+index aff0a0a5e7f8..b1a37aa38880 100644
+--- a/drivers/power/supply/bq27xxx_battery.c
++++ b/drivers/power/supply/bq27xxx_battery.c
+@@ -1499,27 +1499,6 @@ static int bq27xxx_battery_read_time(struct bq27xxx_device_info *di, u8 reg)
+       return tval * 60;
+ }
+-/*
+- * Read an average power register.
+- * Return < 0 if something fails.
+- */
+-static int bq27xxx_battery_read_pwr_avg(struct bq27xxx_device_info *di)
+-{
+-      int tval;
+-
+-      tval = bq27xxx_read(di, BQ27XXX_REG_AP, false);
+-      if (tval < 0) {
+-              dev_err(di->dev, "error reading average power register  %02x: %d\n",
+-                      BQ27XXX_REG_AP, tval);
+-              return tval;
+-      }
+-
+-      if (di->opts & BQ27XXX_O_ZERO)
+-              return (tval * BQ27XXX_POWER_CONSTANT) / BQ27XXX_RS;
+-      else
+-              return tval;
+-}
+-
+ /*
+  * Returns true if a battery over temperature condition is detected
+  */
+@@ -1604,8 +1583,6 @@ void bq27xxx_battery_update(struct bq27xxx_device_info *di)
+               }
+               if (di->regs[BQ27XXX_REG_CYCT] != INVALID_REG_ADDR)
+                       cache.cycle_count = bq27xxx_battery_read_cyct(di);
+-              if (di->regs[BQ27XXX_REG_AP] != INVALID_REG_ADDR)
+-                      cache.power_avg = bq27xxx_battery_read_pwr_avg(di);
+               /* We only have to read charge design full once */
+               if (di->charge_design_full <= 0)
+@@ -1668,6 +1645,32 @@ static int bq27xxx_battery_current(struct bq27xxx_device_info *di,
+       return 0;
+ }
++/*
++ * Get the average power in µW
++ * Return < 0 if something fails.
++ */
++static int bq27xxx_battery_pwr_avg(struct bq27xxx_device_info *di,
++                                 union power_supply_propval *val)
++{
++      int power;
++
++      power = bq27xxx_read(di, BQ27XXX_REG_AP, false);
++      if (power < 0) {
++              dev_err(di->dev,
++                      "error reading average power register %02x: %d\n",
++                      BQ27XXX_REG_AP, power);
++              return power;
++      }
++
++      if (di->opts & BQ27XXX_O_ZERO)
++              val->intval = (power * BQ27XXX_POWER_CONSTANT) / BQ27XXX_RS;
++      else
++              /* Other gauges return a signed value in units of 10mW */
++              val->intval = (int)((s16)power) * 10000;
++
++      return 0;
++}
++
+ static int bq27xxx_battery_status(struct bq27xxx_device_info *di,
+                                 union power_supply_propval *val)
+ {
+@@ -1835,7 +1838,7 @@ static int bq27xxx_battery_get_property(struct power_supply *psy,
+               ret = bq27xxx_simple_value(di->cache.energy, val);
+               break;
+       case POWER_SUPPLY_PROP_POWER_AVG:
+-              ret = bq27xxx_simple_value(di->cache.power_avg, val);
++              ret = bq27xxx_battery_pwr_avg(di, val);
+               break;
+       case POWER_SUPPLY_PROP_HEALTH:
+               ret = bq27xxx_simple_value(di->cache.health, val);
+diff --git a/include/linux/power/bq27xxx_battery.h b/include/linux/power/bq27xxx_battery.h
+index 507c5e214c42..7413779484d5 100644
+--- a/include/linux/power/bq27xxx_battery.h
++++ b/include/linux/power/bq27xxx_battery.h
+@@ -50,7 +50,6 @@ struct bq27xxx_reg_cache {
+       int capacity;
+       int energy;
+       int flags;
+-      int power_avg;
+       int health;
+ };
+-- 
+2.30.2
+
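Review bot: `bq27xxx_battery_pwr_avg()` reads `BQ27XXX_REG_AP` without the `di->regs[BQ27XXX_REG_AP] != INVALID_REG_ADDR` guard that the removed cache path in `bq27xxx_battery_update()` applied before reading. Whether `bq27xxx_read()` rejects an invalid register address itself is not visible here. If it does not, the helper should begin with `if (di->regs[BQ27XXX_REG_AP] == INVALID_REG_ADDR) return -EINVAL;`. The read now runs on every `POWER_SUPPLY_PROP_POWER_AVG` query rather than on the cache refresh, so on a failing bus the `dev_err()` repeats at whatever rate the property is polled; a rate-limited variant may be preferable there.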
diff --git a/queue-5.4/power-supply-generic-adc-battery-fix-possible-use-af.patch b/queue-5.4/power-supply-generic-adc-battery-fix-possible-use-af.patch
new file mode 100644 (file)
index 0000000..474cc64
--- /dev/null
@@ -0,0 +1,43 @@
+From 9f129251f09f159b344fe1cf93a62f7d0810c9e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Apr 2021 17:17:06 +0800
+Subject: power: supply: generic-adc-battery: fix possible use-after-free in
+ gab_remove()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit b6cfa007b3b229771d9588970adb4ab3e0487f49 ]
+
+This driver's remove path calls cancel_delayed_work(). However, that
+function does not wait until the work function finishes. This means
+that the callback function may still be running after the driver's
+remove function has finished, which would result in a use-after-free.
+
+Fix by calling cancel_delayed_work_sync(), which ensures that
+the work is properly cancelled, no longer running, and unable
+to re-schedule itself.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/generic-adc-battery.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/power/supply/generic-adc-battery.c b/drivers/power/supply/generic-adc-battery.c
+index bc462d1ec963..97b0e873e87d 100644
+--- a/drivers/power/supply/generic-adc-battery.c
++++ b/drivers/power/supply/generic-adc-battery.c
+@@ -382,7 +382,7 @@ static int gab_remove(struct platform_device *pdev)
+       }
+       kfree(adc_bat->psy_desc.properties);
+-      cancel_delayed_work(&adc_bat->bat_work);
++      cancel_delayed_work_sync(&adc_bat->bat_work);
+       return 0;
+ }
+-- 
+2.30.2
+
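Review bot: In `gab_remove()` the new `cancel_delayed_work_sync(&adc_bat->bat_work)` still runs after `kfree(adc_bat->psy_desc.properties)`, so the work can execute, or be queued again, while the teardown above it is in progress. The s3c_adc_battery patch has the same ordering: `cancel_delayed_work_sync(&bat_work)` follows `gpio_free(pdata->gpio_charge_finished)` in `s3c_adc_bat_remove()`. If the work functions touch anything released earlier in remove (their bodies are outside these hunks), the use-after-free window is narrowed but not closed. I would move the sync cancel in each remove function to the point where nothing can queue the work again and before the first resource the work uses is released. Both remove functions start outside the hunks.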
diff --git a/queue-5.4/power-supply-s3c_adc_battery-fix-possible-use-after-.patch b/queue-5.4/power-supply-s3c_adc_battery-fix-possible-use-after-.patch
new file mode 100644 (file)
index 0000000..da1e4c4
--- /dev/null
@@ -0,0 +1,44 @@
+From b6c414d7d6237071964ad84c4a9ea958b655ce8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Apr 2021 17:19:03 +0800
+Subject: power: supply: s3c_adc_battery: fix possible use-after-free in
+ s3c_adc_bat_remove()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 68ae256945d2abe9036a7b68af4cc65aff79d5b7 ]
+
+This driver's remove path calls cancel_delayed_work(). However, that
+function does not wait until the work function finishes. This means
+that the callback function may still be running after the driver's
+remove function has finished, which would result in a use-after-free.
+
+Fix by calling cancel_delayed_work_sync(), which ensures that
+the work is properly cancelled, no longer running, and unable
+to re-schedule itself.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/s3c_adc_battery.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/power/supply/s3c_adc_battery.c b/drivers/power/supply/s3c_adc_battery.c
+index 3d00b35cafc9..8be31f80035c 100644
+--- a/drivers/power/supply/s3c_adc_battery.c
++++ b/drivers/power/supply/s3c_adc_battery.c
+@@ -394,7 +394,7 @@ static int s3c_adc_bat_remove(struct platform_device *pdev)
+               gpio_free(pdata->gpio_charge_finished);
+       }
+-      cancel_delayed_work(&bat_work);
++      cancel_delayed_work_sync(&bat_work);
+       if (pdata->exit)
+               pdata->exit();
+-- 
+2.30.2
+
diff --git a/queue-5.4/power-supply-use-irqf_oneshot.patch b/queue-5.4/power-supply-use-irqf_oneshot.patch
new file mode 100644 (file)
index 0000000..efe7a3b
--- /dev/null
@@ -0,0 +1,83 @@
+From 7f59debe31f6208e64618ecc3ecbd04cf9b0c9d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Mar 2021 19:21:33 +0800
+Subject: power: supply: Use IRQF_ONESHOT
+
+From: dongjian <dongjian@yulong.com>
+
+[ Upstream commit 2469b836fa835c67648acad17d62bc805236a6ea ]
+
+Fixes coccicheck error:
+
+drivers/power/supply/pm2301_charger.c:1089:7-27: ERROR:
+drivers/power/supply/lp8788-charger.c:502:8-28: ERROR:
+drivers/power/supply/tps65217_charger.c:239:8-33: ERROR:
+drivers/power/supply/tps65090-charger.c:303:8-33: ERROR:
+
+Threaded IRQ with no primary handler requested without IRQF_ONESHOT
+
+Signed-off-by: dongjian <dongjian@yulong.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/lp8788-charger.c   | 2 +-
+ drivers/power/supply/pm2301_charger.c   | 2 +-
+ drivers/power/supply/tps65090-charger.c | 2 +-
+ drivers/power/supply/tps65217_charger.c | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/power/supply/lp8788-charger.c b/drivers/power/supply/lp8788-charger.c
+index e7931ffb7151..397e5a03b7d9 100644
+--- a/drivers/power/supply/lp8788-charger.c
++++ b/drivers/power/supply/lp8788-charger.c
+@@ -501,7 +501,7 @@ static int lp8788_set_irqs(struct platform_device *pdev,
+               ret = request_threaded_irq(virq, NULL,
+                                       lp8788_charger_irq_thread,
+-                                      0, name, pchg);
++                                      IRQF_ONESHOT, name, pchg);
+               if (ret)
+                       break;
+       }
+diff --git a/drivers/power/supply/pm2301_charger.c b/drivers/power/supply/pm2301_charger.c
+index 17749fc90e16..d2aff1cf4f79 100644
+--- a/drivers/power/supply/pm2301_charger.c
++++ b/drivers/power/supply/pm2301_charger.c
+@@ -1095,7 +1095,7 @@ static int pm2xxx_wall_charger_probe(struct i2c_client *i2c_client,
+       ret = request_threaded_irq(gpio_to_irq(pm2->pdata->gpio_irq_number),
+                               NULL,
+                               pm2xxx_charger_irq[0].isr,
+-                              pm2->pdata->irq_type,
++                              pm2->pdata->irq_type | IRQF_ONESHOT,
+                               pm2xxx_charger_irq[0].name, pm2);
+       if (ret != 0) {
+diff --git a/drivers/power/supply/tps65090-charger.c b/drivers/power/supply/tps65090-charger.c
+index 6b0098e5a88b..0990b2fa6cd8 100644
+--- a/drivers/power/supply/tps65090-charger.c
++++ b/drivers/power/supply/tps65090-charger.c
+@@ -301,7 +301,7 @@ static int tps65090_charger_probe(struct platform_device *pdev)
+       if (irq != -ENXIO) {
+               ret = devm_request_threaded_irq(&pdev->dev, irq, NULL,
+-                      tps65090_charger_isr, 0, "tps65090-charger", cdata);
++                      tps65090_charger_isr, IRQF_ONESHOT, "tps65090-charger", cdata);
+               if (ret) {
+                       dev_err(cdata->dev,
+                               "Unable to register irq %d err %d\n", irq,
+diff --git a/drivers/power/supply/tps65217_charger.c b/drivers/power/supply/tps65217_charger.c
+index 814c2b81fdfe..ba33d1617e0b 100644
+--- a/drivers/power/supply/tps65217_charger.c
++++ b/drivers/power/supply/tps65217_charger.c
+@@ -238,7 +238,7 @@ static int tps65217_charger_probe(struct platform_device *pdev)
+       for (i = 0; i < NUM_CHARGER_IRQS; i++) {
+               ret = devm_request_threaded_irq(&pdev->dev, irq[i], NULL,
+                                               tps65217_charger_irq,
+-                                              0, "tps65217-charger",
++                                              IRQF_ONESHOT, "tps65217-charger",
+                                               charger);
+               if (ret) {
+                       dev_err(charger->dev,
+-- 
+2.30.2
+
diff --git a/queue-5.4/s390-archrandom-add-parameter-check-for-s390_arch_ra.patch b/queue-5.4/s390-archrandom-add-parameter-check-for-s390_arch_ra.patch
new file mode 100644 (file)
index 0000000..e687c37
--- /dev/null
@@ -0,0 +1,45 @@
+From 41b1aeeab33b4eacca39a53da028659b251e5931 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Apr 2021 08:23:12 +0200
+Subject: s390/archrandom: add parameter check for s390_arch_random_generate
+
+From: Harald Freudenberger <freude@linux.ibm.com>
+
+[ Upstream commit 28096067686c5a5cbd4c35b079749bd805df5010 ]
+
+A review of the code showed, that this function which is exposed
+within the whole kernel should do a parameter check for the
+amount of bytes requested. If this requested bytes is too high
+an unsigned int overflow could happen causing this function to
+try to memcpy a really big memory chunk.
+
+This is not a security issue as there are only two invocations
+of this function from arch/s390/include/asm/archrandom.h and both
+are not exposed to userland.
+
+Reported-by: Sven Schnelle <svens@linux.ibm.com>
+Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/crypto/arch_random.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/arch/s390/crypto/arch_random.c b/arch/s390/crypto/arch_random.c
+index dd95cdbd22ce..4cbb4b6d85a8 100644
+--- a/arch/s390/crypto/arch_random.c
++++ b/arch/s390/crypto/arch_random.c
+@@ -53,6 +53,10 @@ static DECLARE_DELAYED_WORK(arch_rng_work, arch_rng_refill_buffer);
+ bool s390_arch_random_generate(u8 *buf, unsigned int nbytes)
+ {
++      /* max hunk is ARCH_RNG_BUF_SIZE */
++      if (nbytes > ARCH_RNG_BUF_SIZE)
++              return false;
++
+       /* lock rng buffer */
+       if (!spin_trylock(&arch_rng_lock))
+               return false;
+-- 
+2.30.2
+
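Review bot: The comment on the new guard in `s390_arch_random_generate()`, `/* max hunk is ARCH_RNG_BUF_SIZE */`, states the limit but not why an oversized request must be refused. The commit description gives the reason (an unsigned int overflow ending in a very large memcpy), and the code should carry it, e.g. `/* refuse nbytes > ARCH_RNG_BUF_SIZE: a larger request would overflow the unsigned size arithmetic and memcpy far too much */`. The description's reliance on there being only two in-kernel callers becomes unnecessary with this check in place. The function's header comment, if it has one, should also say that it returns false for requests above the buffer size. The function body continues outside the hunk, so the arithmetic itself is taken from the description.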
diff --git a/queue-5.4/sched-fair-ignore-percpu-threads-for-imbalance-pulls.patch b/queue-5.4/sched-fair-ignore-percpu-threads-for-imbalance-pulls.patch
new file mode 100644 (file)
index 0000000..75ca0eb
--- /dev/null
@@ -0,0 +1,76 @@
+From caf6aebf184feb370eb93032cb1aa0523fa9e3e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Apr 2021 23:06:26 +0100
+Subject: sched/fair: Ignore percpu threads for imbalance pulls
+
+From: Lingutla Chandrasekhar <clingutla@codeaurora.org>
+
+[ Upstream commit 9bcb959d05eeb564dfc9cac13a59843a4fb2edf2 ]
+
+During load balance, LBF_SOME_PINNED will be set if any candidate task
+cannot be detached due to CPU affinity constraints. This can result in
+setting env->sd->parent->sgc->group_imbalance, which can lead to a group
+being classified as group_imbalanced (rather than any of the other, lower
+group_type) when balancing at a higher level.
+
+In workloads involving a single task per CPU, LBF_SOME_PINNED can often be
+set due to per-CPU kthreads being the only other runnable tasks on any
+given rq. This results in changing the group classification during
+load-balance at higher levels when in reality there is nothing that can be
+done for this affinity constraint: per-CPU kthreads, as the name implies,
+don't get to move around (modulo hotplug shenanigans).
+
+It's not as clear for userspace tasks - a task could be in an N-CPU cpuset
+with N-1 offline CPUs, making it an "accidental" per-CPU task rather than
+an intended one. KTHREAD_IS_PER_CPU gives us an indisputable signal which
+we can leverage here to not set LBF_SOME_PINNED.
+
+Note that the aforementioned classification to group_imbalance (when
+nothing can be done) is especially problematic on big.LITTLE systems, which
+have a topology the likes of:
+
+  DIE [          ]
+  MC  [    ][    ]
+       0  1  2  3
+       L  L  B  B
+
+  arch_scale_cpu_capacity(L) < arch_scale_cpu_capacity(B)
+
+Here, setting LBF_SOME_PINNED due to a per-CPU kthread when balancing at MC
+level on CPUs [0-1] will subsequently prevent CPUs [2-3] from classifying
+the [0-1] group as group_misfit_task when balancing at DIE level. Thus, if
+CPUs [0-1] are running CPU-bound (misfit) tasks, ill-timed per-CPU kthreads
+can significantly delay the upgmigration of said misfit tasks. Systems
+relying on ASYM_PACKING are likely to face similar issues.
+
+Signed-off-by: Lingutla Chandrasekhar <clingutla@codeaurora.org>
+[Use kthread_is_per_cpu() rather than p->nr_cpus_allowed]
+[Reword changelog]
+Signed-off-by: Valentin Schneider <valentin.schneider@arm.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
+Reviewed-by: Vincent Guittot <vincent.guittot@linaro.org>
+Link: https://lkml.kernel.org/r/20210407220628.3798191-2-valentin.schneider@arm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/fair.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
+index 611adca1e6d0..93ab546b6e16 100644
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -7300,6 +7300,10 @@ int can_migrate_task(struct task_struct *p, struct lb_env *env)
+       if (throttled_lb_pair(task_group(p), env->src_cpu, env->dst_cpu))
+               return 0;
++      /* Disregard pcpu kthreads; they are where they need to be. */
++      if ((p->flags & PF_KTHREAD) && kthread_is_per_cpu(p))
++              return 0;
++
+       if (!cpumask_test_cpu(env->dst_cpu, p->cpus_ptr)) {
+               int cpu;
+-- 
+2.30.2
+
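Review bot: The added check in `can_migrate_task()` has its intended effect only because it returns before the `cpumask_test_cpu()` branch that follows, and the comment does not say that. According to the commit description, the aim is to keep per-CPU kthreads from setting LBF_SOME_PINNED. I would extend the comment to `/* Disregard pcpu kthreads; they are where they need to be. Must precede the affinity test so they never set LBF_SOME_PINNED. */` so a later reordering does not silently undo the fix. The affinity branch's body is outside the hunk, so where the flag is set is inferred from the description.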
diff --git a/queue-5.4/scsi-libfc-fix-a-format-specifier.patch b/queue-5.4/scsi-libfc-fix-a-format-specifier.patch
new file mode 100644 (file)
index 0000000..ad9ce30
--- /dev/null
@@ -0,0 +1,45 @@
+From 65a197f61f5ddaa97e0830d70fdc65562e2f3981 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Apr 2021 15:08:13 -0700
+Subject: scsi: libfc: Fix a format specifier
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit 90d6697810f06aceea9de71ad836a8c7669789cd ]
+
+Since the 'mfs' member has been declared as 'u32' in include/scsi/libfc.h,
+use the %u format specifier instead of %hu. This patch fixes the following
+clang compiler warning:
+
+warning: format specifies type
+      'unsigned short' but the argument has type 'u32' (aka 'unsigned int')
+      [-Wformat]
+                             "lport->mfs:%hu\n", mfs, lport->mfs);
+                                         ~~~          ^~~~~~~~~~
+                                         %u
+
+Link: https://lore.kernel.org/r/20210415220826.29438-8-bvanassche@acm.org
+Cc: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/libfc/fc_lport.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/libfc/fc_lport.c b/drivers/scsi/libfc/fc_lport.c
+index 684c5e361a28..9399e1455d59 100644
+--- a/drivers/scsi/libfc/fc_lport.c
++++ b/drivers/scsi/libfc/fc_lport.c
+@@ -1729,7 +1729,7 @@ void fc_lport_flogi_resp(struct fc_seq *sp, struct fc_frame *fp,
+       if (mfs < FC_SP_MIN_MAX_PAYLOAD || mfs > FC_SP_MAX_MAX_PAYLOAD) {
+               FC_LPORT_DBG(lport, "FLOGI bad mfs:%hu response, "
+-                           "lport->mfs:%hu\n", mfs, lport->mfs);
++                           "lport->mfs:%u\n", mfs, lport->mfs);
+               fc_lport_error(lport, fp);
+               goto out;
+       }
+-- 
+2.30.2
+
diff --git a/queue-5.4/scsi-lpfc-fix-crash-when-a-reg_rpi-mailbox-fails-tri.patch b/queue-5.4/scsi-lpfc-fix-crash-when-a-reg_rpi-mailbox-fails-tri.patch
new file mode 100644 (file)
index 0000000..792f238
--- /dev/null
@@ -0,0 +1,60 @@
+From d3a2c70aca8eeb19ba81ef37f7a5a97ddf7696e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 11 Apr 2021 18:31:13 -0700
+Subject: scsi: lpfc: Fix crash when a REG_RPI mailbox fails triggering a LOGO
+ response
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit fffd18ec6579c2d9c72b212169259062fe747888 ]
+
+Fix a crash caused by a double put on the node when the driver completed an
+ACC for an unsolicted abort on the same node.  The second put was executed
+by lpfc_nlp_not_used() and is wrong because the completion routine executes
+the nlp_put when the iocbq was released.  Additionally, the driver is
+issuing a LOGO then immediately calls lpfc_nlp_set_state to put the node
+into NPR.  This call does nothing.
+
+Remove the lpfc_nlp_not_used call and additional set_state in the
+completion routine.  Remove the lpfc_nlp_set_state post issue_logo.  Isn't
+necessary.
+
+Link: https://lore.kernel.org/r/20210412013127.2387-3-jsmart2021@gmail.com
+Co-developed-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_nportdisc.c | 2 --
+ drivers/scsi/lpfc/lpfc_sli.c       | 1 -
+ 2 files changed, 3 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_nportdisc.c b/drivers/scsi/lpfc/lpfc_nportdisc.c
+index ea31711b1aeb..fdd87508c804 100644
+--- a/drivers/scsi/lpfc/lpfc_nportdisc.c
++++ b/drivers/scsi/lpfc/lpfc_nportdisc.c
+@@ -1961,8 +1961,6 @@ lpfc_cmpl_reglogin_reglogin_issue(struct lpfc_vport *vport,
+               ndlp->nlp_last_elscmd = ELS_CMD_PLOGI;
+               lpfc_issue_els_logo(vport, ndlp, 0);
+-              ndlp->nlp_prev_state = NLP_STE_REG_LOGIN_ISSUE;
+-              lpfc_nlp_set_state(vport, ndlp, NLP_STE_NPR_NODE);
+               return ndlp->nlp_state;
+       }
+diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
+index b9857d7b224f..79ae01bc7abf 100644
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -17472,7 +17472,6 @@ lpfc_sli4_seq_abort_rsp_cmpl(struct lpfc_hba *phba,
+       if (cmd_iocbq) {
+               ndlp = (struct lpfc_nodelist *)cmd_iocbq->context1;
+               lpfc_nlp_put(ndlp);
+-              lpfc_nlp_not_used(ndlp);
+               lpfc_sli_release_iocbq(phba, cmd_iocbq);
+       }
+-- 
+2.30.2
+
diff --git a/queue-5.4/scsi-lpfc-fix-error-handling-for-mailboxes-completed.patch b/queue-5.4/scsi-lpfc-fix-error-handling-for-mailboxes-completed.patch
new file mode 100644 (file)
index 0000000..35466e1
--- /dev/null
@@ -0,0 +1,299 @@
+From 1b298abe48e42e022a4a5b5814f4c88ef160ac64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 11 Apr 2021 18:31:17 -0700
+Subject: scsi: lpfc: Fix error handling for mailboxes completed in MBX_POLL
+ mode
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit 304ee43238fed517faa123e034b593905b8679f8 ]
+
+In SLI-4, when performing a mailbox command with MBX_POLL, the driver uses
+the BMBX register to send the command rather than the MQ. A flag is set
+indicating the BMBX register is active and saves the mailbox job struct
+(mboxq) in the mbox_active element of the adapter. The routine then waits
+for completion or timeout. The mailbox job struct is not freed by the
+routine. In cases of timeout, the adapter will be reset. The
+lpfc_sli_mbox_sys_flush() routine will clean up the mbox in preparation for
+the reset. It clears the BMBX active flag and marks the job structure as
+MBX_NOT_FINISHED. But, it never frees the mboxq job structure. Expectation
+in both normal completion and timeout cases is that the issuer of the mbx
+command will free the structure.  Unfortunately, not all calling paths are
+freeing the memory in cases of error.
+
+All calling paths were looked at and updated, if missing, to free the mboxq
+memory regardless of completion status.
+
+Link: https://lore.kernel.org/r/20210412013127.2387-7-jsmart2021@gmail.com
+Co-developed-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_attr.c | 75 +++++++++++++++++++++--------------
+ drivers/scsi/lpfc/lpfc_init.c |  9 ++---
+ drivers/scsi/lpfc/lpfc_sli.c  | 42 ++++++++++----------
+ 3 files changed, 70 insertions(+), 56 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_attr.c b/drivers/scsi/lpfc/lpfc_attr.c
+index bb973901b672..45db19e31b34 100644
+--- a/drivers/scsi/lpfc/lpfc_attr.c
++++ b/drivers/scsi/lpfc/lpfc_attr.c
+@@ -1691,8 +1691,7 @@ lpfc_set_trunking(struct lpfc_hba *phba, char *buff_out)
+               lpfc_printf_log(phba, KERN_ERR, LOG_MBOX,
+                               "0071 Set trunk mode failed with status: %d",
+                               rc);
+-      if (rc != MBX_TIMEOUT)
+-              mempool_free(mbox, phba->mbox_mem_pool);
++      mempool_free(mbox, phba->mbox_mem_pool);
+       return 0;
+ }
+@@ -6608,15 +6607,19 @@ lpfc_get_stats(struct Scsi_Host *shost)
+       pmboxq->ctx_buf = NULL;
+       pmboxq->vport = vport;
+-      if (vport->fc_flag & FC_OFFLINE_MODE)
++      if (vport->fc_flag & FC_OFFLINE_MODE) {
+               rc = lpfc_sli_issue_mbox(phba, pmboxq, MBX_POLL);
+-      else
+-              rc = lpfc_sli_issue_mbox_wait(phba, pmboxq, phba->fc_ratov * 2);
+-
+-      if (rc != MBX_SUCCESS) {
+-              if (rc != MBX_TIMEOUT)
++              if (rc != MBX_SUCCESS) {
+                       mempool_free(pmboxq, phba->mbox_mem_pool);
+-              return NULL;
++                      return NULL;
++              }
++      } else {
++              rc = lpfc_sli_issue_mbox_wait(phba, pmboxq, phba->fc_ratov * 2);
++              if (rc != MBX_SUCCESS) {
++                      if (rc != MBX_TIMEOUT)
++                              mempool_free(pmboxq, phba->mbox_mem_pool);
++                      return NULL;
++              }
+       }
+       memset(hs, 0, sizeof (struct fc_host_statistics));
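Review bot: In lpfc_get_stats the MBX_POLL branch now frees pmboxq on every failure, while the lpfc_sli_issue_mbox_wait branch still skips the free on MBX_TIMEOUT, and nothing in the code says why the two differ. A comment above the else branch, for example `/* on MBX_TIMEOUT the job is still outstanding and is released by the wait path's completion handling; freeing it here would double free */`, would stop a later cleanup from removing the guard; the wording needs confirming against lpfc_sli_issue_mbox_wait, which is not in this hunk. The same block is pasted into the second lpfc_get_stats hunk and both lpfc_reset_stats hunks, so a small static helper that issues the mailbox and applies the ownership rule would keep it in one place. The function body starts and ends outside the hunk.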
+@@ -6640,15 +6643,19 @@ lpfc_get_stats(struct Scsi_Host *shost)
+       pmboxq->ctx_buf = NULL;
+       pmboxq->vport = vport;
+-      if (vport->fc_flag & FC_OFFLINE_MODE)
++      if (vport->fc_flag & FC_OFFLINE_MODE) {
+               rc = lpfc_sli_issue_mbox(phba, pmboxq, MBX_POLL);
+-      else
+-              rc = lpfc_sli_issue_mbox_wait(phba, pmboxq, phba->fc_ratov * 2);
+-
+-      if (rc != MBX_SUCCESS) {
+-              if (rc != MBX_TIMEOUT)
++              if (rc != MBX_SUCCESS) {
+                       mempool_free(pmboxq, phba->mbox_mem_pool);
+-              return NULL;
++                      return NULL;
++              }
++      } else {
++              rc = lpfc_sli_issue_mbox_wait(phba, pmboxq, phba->fc_ratov * 2);
++              if (rc != MBX_SUCCESS) {
++                      if (rc != MBX_TIMEOUT)
++                              mempool_free(pmboxq, phba->mbox_mem_pool);
++                      return NULL;
++              }
+       }
+       hs->link_failure_count = pmb->un.varRdLnk.linkFailureCnt;
+@@ -6721,15 +6728,19 @@ lpfc_reset_stats(struct Scsi_Host *shost)
+       pmboxq->vport = vport;
+       if ((vport->fc_flag & FC_OFFLINE_MODE) ||
+-              (!(psli->sli_flag & LPFC_SLI_ACTIVE)))
++              (!(psli->sli_flag & LPFC_SLI_ACTIVE))) {
+               rc = lpfc_sli_issue_mbox(phba, pmboxq, MBX_POLL);
+-      else
+-              rc = lpfc_sli_issue_mbox_wait(phba, pmboxq, phba->fc_ratov * 2);
+-
+-      if (rc != MBX_SUCCESS) {
+-              if (rc != MBX_TIMEOUT)
++              if (rc != MBX_SUCCESS) {
+                       mempool_free(pmboxq, phba->mbox_mem_pool);
+-              return;
++                      return;
++              }
++      } else {
++              rc = lpfc_sli_issue_mbox_wait(phba, pmboxq, phba->fc_ratov * 2);
++              if (rc != MBX_SUCCESS) {
++                      if (rc != MBX_TIMEOUT)
++                              mempool_free(pmboxq, phba->mbox_mem_pool);
++                      return;
++              }
+       }
+       memset(pmboxq, 0, sizeof(LPFC_MBOXQ_t));
+@@ -6739,15 +6750,19 @@ lpfc_reset_stats(struct Scsi_Host *shost)
+       pmboxq->vport = vport;
+       if ((vport->fc_flag & FC_OFFLINE_MODE) ||
+-          (!(psli->sli_flag & LPFC_SLI_ACTIVE)))
++          (!(psli->sli_flag & LPFC_SLI_ACTIVE))) {
+               rc = lpfc_sli_issue_mbox(phba, pmboxq, MBX_POLL);
+-      else
++              if (rc != MBX_SUCCESS) {
++                      mempool_free(pmboxq, phba->mbox_mem_pool);
++                      return;
++              }
++      } else {
+               rc = lpfc_sli_issue_mbox_wait(phba, pmboxq, phba->fc_ratov * 2);
+-
+-      if (rc != MBX_SUCCESS) {
+-              if (rc != MBX_TIMEOUT)
+-                      mempool_free( pmboxq, phba->mbox_mem_pool);
+-              return;
++              if (rc != MBX_SUCCESS) {
++                      if (rc != MBX_TIMEOUT)
++                              mempool_free(pmboxq, phba->mbox_mem_pool);
++                      return;
++              }
+       }
+       lso->link_failure_count = pmb->un.varRdLnk.linkFailureCnt;
+diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c
+index d4c83eca0ad2..9ff463b597d2 100644
+--- a/drivers/scsi/lpfc/lpfc_init.c
++++ b/drivers/scsi/lpfc/lpfc_init.c
+@@ -9387,8 +9387,7 @@ lpfc_sli4_queue_setup(struct lpfc_hba *phba)
+                               "3250 QUERY_FW_CFG mailbox failed with status "
+                               "x%x add_status x%x, mbx status x%x\n",
+                               shdr_status, shdr_add_status, rc);
+-              if (rc != MBX_TIMEOUT)
+-                      mempool_free(mboxq, phba->mbox_mem_pool);
++              mempool_free(mboxq, phba->mbox_mem_pool);
+               rc = -ENXIO;
+               goto out_error;
+       }
+@@ -9404,8 +9403,7 @@ lpfc_sli4_queue_setup(struct lpfc_hba *phba)
+                       "ulp1_mode:x%x\n", phba->sli4_hba.fw_func_mode,
+                       phba->sli4_hba.ulp0_mode, phba->sli4_hba.ulp1_mode);
+-      if (rc != MBX_TIMEOUT)
+-              mempool_free(mboxq, phba->mbox_mem_pool);
++      mempool_free(mboxq, phba->mbox_mem_pool);
+       /*
+        * Set up HBA Event Queues (EQs)
+@@ -10001,8 +9999,7 @@ lpfc_pci_function_reset(struct lpfc_hba *phba)
+               shdr_status = bf_get(lpfc_mbox_hdr_status, &shdr->response);
+               shdr_add_status = bf_get(lpfc_mbox_hdr_add_status,
+                                        &shdr->response);
+-              if (rc != MBX_TIMEOUT)
+-                      mempool_free(mboxq, phba->mbox_mem_pool);
++              mempool_free(mboxq, phba->mbox_mem_pool);
+               if (shdr_status || shdr_add_status || rc) {
+                       lpfc_printf_log(phba, KERN_ERR, LOG_INIT,
+                                       "0495 SLI_FUNCTION_RESET mailbox "
+diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
+index 79ae01bc7abf..ef7cef316d21 100644
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -5423,12 +5423,10 @@ lpfc_sli4_get_ctl_attr(struct lpfc_hba *phba)
+                       phba->sli4_hba.lnk_info.lnk_no,
+                       phba->BIOSVersion);
+ out_free_mboxq:
+-      if (rc != MBX_TIMEOUT) {
+-              if (bf_get(lpfc_mqe_command, &mboxq->u.mqe) == MBX_SLI4_CONFIG)
+-                      lpfc_sli4_mbox_cmd_free(phba, mboxq);
+-              else
+-                      mempool_free(mboxq, phba->mbox_mem_pool);
+-      }
++      if (bf_get(lpfc_mqe_command, &mboxq->u.mqe) == MBX_SLI4_CONFIG)
++              lpfc_sli4_mbox_cmd_free(phba, mboxq);
++      else
++              mempool_free(mboxq, phba->mbox_mem_pool);
+       return rc;
+ }
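Review bot: At `out_free_mboxq` the `rc != MBX_TIMEOUT` guard is dropped entirely, whereas lpfc_sli4_post_sgl, lpfc_sli4_post_sgl_list, lpfc_sli4_post_io_sgl_block and lpfc_wr_object in this same patch keep it whenever `phba->sli4_hba.intr_enable` is set. The code that issues mboxq is outside the hunk. If it can take the lpfc_sli_issue_mbox_wait path when interrupts are enabled, a timeout would now free a job that the completion path may still reference, which would be a use-after-free rather than the leak being fixed. In that case the label should wrap the two free calls in the same condition as the other sites, `if (!phba->sli4_hba.intr_enable || rc != MBX_TIMEOUT) {`. The identical change at `out_free_mboxq` in the next hunk (after `retrieve_ppname`) needs the same check.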
+@@ -5529,12 +5527,10 @@ retrieve_ppname:
+       }
+ out_free_mboxq:
+-      if (rc != MBX_TIMEOUT) {
+-              if (bf_get(lpfc_mqe_command, &mboxq->u.mqe) == MBX_SLI4_CONFIG)
+-                      lpfc_sli4_mbox_cmd_free(phba, mboxq);
+-              else
+-                      mempool_free(mboxq, phba->mbox_mem_pool);
+-      }
++      if (bf_get(lpfc_mqe_command, &mboxq->u.mqe) == MBX_SLI4_CONFIG)
++              lpfc_sli4_mbox_cmd_free(phba, mboxq);
++      else
++              mempool_free(mboxq, phba->mbox_mem_pool);
+       return rc;
+ }
+@@ -16485,8 +16481,7 @@ lpfc_rq_destroy(struct lpfc_hba *phba, struct lpfc_queue *hrq,
+                               "2509 RQ_DESTROY mailbox failed with "
+                               "status x%x add_status x%x, mbx status x%x\n",
+                               shdr_status, shdr_add_status, rc);
+-              if (rc != MBX_TIMEOUT)
+-                      mempool_free(mbox, hrq->phba->mbox_mem_pool);
++              mempool_free(mbox, hrq->phba->mbox_mem_pool);
+               return -ENXIO;
+       }
+       bf_set(lpfc_mbx_rq_destroy_q_id, &mbox->u.mqe.un.rq_destroy.u.request,
+@@ -16583,7 +16578,9 @@ lpfc_sli4_post_sgl(struct lpfc_hba *phba,
+       shdr = (union lpfc_sli4_cfg_shdr *) &post_sgl_pages->header.cfg_shdr;
+       shdr_status = bf_get(lpfc_mbox_hdr_status, &shdr->response);
+       shdr_add_status = bf_get(lpfc_mbox_hdr_add_status, &shdr->response);
+-      if (rc != MBX_TIMEOUT)
++      if (!phba->sli4_hba.intr_enable)
++              mempool_free(mbox, phba->mbox_mem_pool);
++      else if (rc != MBX_TIMEOUT)
+               mempool_free(mbox, phba->mbox_mem_pool);
+       if (shdr_status || shdr_add_status || rc) {
+               lpfc_printf_log(phba, KERN_ERR, LOG_INIT,
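Review bot: The added `if (!phba->sli4_hba.intr_enable)` arm and the existing `else if (rc != MBX_TIMEOUT)` arm execute the same statement, which reads as if one of them was meant to differ. Folding them into `if (!phba->sli4_hba.intr_enable || rc != MBX_TIMEOUT)` followed by the single `mempool_free(mbox, phba->mbox_mem_pool);` states the rule once: free unless an interrupt-mode wait timed out. The same duplicated pair appears in the lpfc_sli4_post_sgl_list, lpfc_sli4_post_io_sgl_block and lpfc_wr_object hunks. The function body starts and ends outside the hunk.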
+@@ -16778,7 +16775,9 @@ lpfc_sli4_post_sgl_list(struct lpfc_hba *phba,
+       shdr = (union lpfc_sli4_cfg_shdr *) &sgl->cfg_shdr;
+       shdr_status = bf_get(lpfc_mbox_hdr_status, &shdr->response);
+       shdr_add_status = bf_get(lpfc_mbox_hdr_add_status, &shdr->response);
+-      if (rc != MBX_TIMEOUT)
++      if (!phba->sli4_hba.intr_enable)
++              lpfc_sli4_mbox_cmd_free(phba, mbox);
++      else if (rc != MBX_TIMEOUT)
+               lpfc_sli4_mbox_cmd_free(phba, mbox);
+       if (shdr_status || shdr_add_status || rc) {
+               lpfc_printf_log(phba, KERN_ERR, LOG_SLI,
+@@ -16891,7 +16890,9 @@ lpfc_sli4_post_io_sgl_block(struct lpfc_hba *phba, struct list_head *nblist,
+       shdr = (union lpfc_sli4_cfg_shdr *)&sgl->cfg_shdr;
+       shdr_status = bf_get(lpfc_mbox_hdr_status, &shdr->response);
+       shdr_add_status = bf_get(lpfc_mbox_hdr_add_status, &shdr->response);
+-      if (rc != MBX_TIMEOUT)
++      if (!phba->sli4_hba.intr_enable)
++              lpfc_sli4_mbox_cmd_free(phba, mbox);
++      else if (rc != MBX_TIMEOUT)
+               lpfc_sli4_mbox_cmd_free(phba, mbox);
+       if (shdr_status || shdr_add_status || rc) {
+               lpfc_printf_log(phba, KERN_ERR, LOG_SLI,
+@@ -18238,8 +18239,7 @@ lpfc_sli4_post_rpi_hdr(struct lpfc_hba *phba, struct lpfc_rpi_hdr *rpi_page)
+       shdr = (union lpfc_sli4_cfg_shdr *) &hdr_tmpl->header.cfg_shdr;
+       shdr_status = bf_get(lpfc_mbox_hdr_status, &shdr->response);
+       shdr_add_status = bf_get(lpfc_mbox_hdr_add_status, &shdr->response);
+-      if (rc != MBX_TIMEOUT)
+-              mempool_free(mboxq, phba->mbox_mem_pool);
++      mempool_free(mboxq, phba->mbox_mem_pool);
+       if (shdr_status || shdr_add_status || rc) {
+               lpfc_printf_log(phba, KERN_ERR, LOG_INIT,
+                               "2514 POST_RPI_HDR mailbox failed with "
+@@ -19464,7 +19464,9 @@ lpfc_wr_object(struct lpfc_hba *phba, struct list_head *dmabuf_list,
+                       break;
+               }
+       }
+-      if (rc != MBX_TIMEOUT)
++      if (!phba->sli4_hba.intr_enable)
++              mempool_free(mbox, phba->mbox_mem_pool);
++      else if (rc != MBX_TIMEOUT)
+               mempool_free(mbox, phba->mbox_mem_pool);
+       if (shdr_status || shdr_add_status || rc) {
+               lpfc_printf_log(phba, KERN_ERR, LOG_INIT,
+-- 
+2.30.2
+
diff --git a/queue-5.4/scsi-lpfc-fix-incorrect-dbde-assignment-when-buildin.patch b/queue-5.4/scsi-lpfc-fix-incorrect-dbde-assignment-when-buildin.patch
new file mode 100644 (file)
index 0000000..22ccc1c
--- /dev/null
@@ -0,0 +1,41 @@
+From 6c9546a77fd470901634f0fbcd403397eabf6242 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Mar 2021 09:18:00 -0800
+Subject: scsi: lpfc: Fix incorrect dbde assignment when building target abts
+ wqe
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit 9302154c07bff4e7f7f43c506a1ac84540303d06 ]
+
+The wqe_dbde field indicates whether a Data BDE is present in Words 0:2 and
+should therefore should be clear in the abts request wqe. By setting the
+bit we can be misleading fw into error cases.
+
+Clear the wqe_dbde field.
+
+Link: https://lore.kernel.org/r/20210301171821.3427-2-jsmart2021@gmail.com
+Co-developed-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_nvmet.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_nvmet.c b/drivers/scsi/lpfc/lpfc_nvmet.c
+index f14394ab0e03..ce2e2b58fa7e 100644
+--- a/drivers/scsi/lpfc/lpfc_nvmet.c
++++ b/drivers/scsi/lpfc/lpfc_nvmet.c
+@@ -3204,7 +3204,6 @@ lpfc_nvmet_unsol_issue_abort(struct lpfc_hba *phba,
+       bf_set(wqe_rcvoxid, &wqe_abts->xmit_sequence.wqe_com, xri);
+       /* Word 10 */
+-      bf_set(wqe_dbde, &wqe_abts->xmit_sequence.wqe_com, 1);
+       bf_set(wqe_iod, &wqe_abts->xmit_sequence.wqe_com, LPFC_WQE_IOD_WRITE);
+       bf_set(wqe_lenloc, &wqe_abts->xmit_sequence.wqe_com,
+              LPFC_WQE_LENLOC_WORD12);
+-- 
+2.30.2
+
diff --git a/queue-5.4/scsi-lpfc-fix-pt2pt-connection-does-not-recover-afte.patch b/queue-5.4/scsi-lpfc-fix-pt2pt-connection-does-not-recover-afte.patch
new file mode 100644 (file)
index 0000000..44ccd60
--- /dev/null
@@ -0,0 +1,50 @@
+From 9ca9a81b2ee5482c003ee7d37d59de43e7a1eaaf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Mar 2021 09:18:06 -0800
+Subject: scsi: lpfc: Fix pt2pt connection does not recover after LOGO
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit bd4f5100424d17d4e560d6653902ef8e49b2fc1f ]
+
+On a pt2pt setup, between 2 initiators, if one side issues a a LOGO, there
+is no relogin attempt. The FC specs are grey in this area on which port
+(higher wwn or not) is to re-login.
+
+As there is no spec guidance, unconditionally re-PLOGI after the logout to
+ensure a login is re-established.
+
+Link: https://lore.kernel.org/r/20210301171821.3427-8-jsmart2021@gmail.com
+Co-developed-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_nportdisc.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_nportdisc.c b/drivers/scsi/lpfc/lpfc_nportdisc.c
+index 418d62e94554..ea31711b1aeb 100644
+--- a/drivers/scsi/lpfc/lpfc_nportdisc.c
++++ b/drivers/scsi/lpfc/lpfc_nportdisc.c
+@@ -888,9 +888,14 @@ lpfc_rcv_logo(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp,
+               }
+       } else if ((!(ndlp->nlp_type & NLP_FABRIC) &&
+               ((ndlp->nlp_type & NLP_FCP_TARGET) ||
+-              !(ndlp->nlp_type & NLP_FCP_INITIATOR))) ||
++              (ndlp->nlp_type & NLP_NVME_TARGET) ||
++              (vport->fc_flag & FC_PT2PT))) ||
+               (ndlp->nlp_state == NLP_STE_ADISC_ISSUE)) {
+-              /* Only try to re-login if this is NOT a Fabric Node */
++              /* Only try to re-login if this is NOT a Fabric Node
++               * AND the remote NPORT is a FCP/NVME Target or we
++               * are in pt2pt mode. NLP_STE_ADISC_ISSUE is a special
++               * case for LOGO as a response to ADISC behavior.
++               */
+               mod_timer(&ndlp->nlp_delayfunc,
+                         jiffies + msecs_to_jiffies(1000 * 1));
+               spin_lock_irq(shost->host_lock);
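Review bot: The rewritten condition in lpfc_rcv_logo drops the `!(ndlp->nlp_type & NLP_FCP_INITIATOR)` clause, so a non-fabric node with neither NLP_FCP_TARGET nor NLP_NVME_TARGET set, and not flagged as an FCP initiator, no longer gets the delayed re-login unless the vport is in pt2pt mode. The commit message describes only the added pt2pt case, so it is worth confirming that this narrowing is intended for nodes whose type bits are not yet known when the LOGO arrives. If it is, the new comment should say so, for example by adding `* Nodes of unknown type are intentionally not retried.` The if/else chain starts outside the hunk and this branch continues past it.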
+-- 
+2.30.2
+
diff --git a/queue-5.4/scsi-lpfc-remove-unsupported-mbox-port_capabilities-.patch b/queue-5.4/scsi-lpfc-remove-unsupported-mbox-port_capabilities-.patch
new file mode 100644 (file)
index 0000000..ef0f3f3
--- /dev/null
@@ -0,0 +1,431 @@
+From 8ce78fa510b58ca6cd6f24dec9fee35052d92fa3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 11 Apr 2021 18:31:22 -0700
+Subject: scsi: lpfc: Remove unsupported mbox PORT_CAPABILITIES logic
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit b62232ba8caccaf1954e197058104a6478fac1af ]
+
+SLI-4 does not contain a PORT_CAPABILITIES mailbox command (only SLI-3
+does, and SLI-3 doesn't use it), yet there are SLI-4 code paths that have
+code to issue the command.  The command will always fail.
+
+Remove the code for the mailbox command and leave only the resulting
+"failure path" logic.
+
+Link: https://lore.kernel.org/r/20210412013127.2387-12-jsmart2021@gmail.com
+Co-developed-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_crtn.h |   3 -
+ drivers/scsi/lpfc/lpfc_hw4.h  | 174 +---------------------------------
+ drivers/scsi/lpfc/lpfc_init.c | 103 +-------------------
+ drivers/scsi/lpfc/lpfc_mbox.c |  36 -------
+ 4 files changed, 3 insertions(+), 313 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_crtn.h b/drivers/scsi/lpfc/lpfc_crtn.h
+index 0f019e889ba6..bdb1f380e7d8 100644
+--- a/drivers/scsi/lpfc/lpfc_crtn.h
++++ b/drivers/scsi/lpfc/lpfc_crtn.h
+@@ -56,9 +56,6 @@ void lpfc_register_new_vport(struct lpfc_hba *, struct lpfc_vport *,
+ void lpfc_unreg_vpi(struct lpfc_hba *, uint16_t, LPFC_MBOXQ_t *);
+ void lpfc_init_link(struct lpfc_hba *, LPFC_MBOXQ_t *, uint32_t, uint32_t);
+ void lpfc_request_features(struct lpfc_hba *, struct lpfcMboxq *);
+-void lpfc_supported_pages(struct lpfcMboxq *);
+-void lpfc_pc_sli4_params(struct lpfcMboxq *);
+-int lpfc_pc_sli4_params_get(struct lpfc_hba *, LPFC_MBOXQ_t *);
+ int lpfc_sli4_mbox_rsrc_extent(struct lpfc_hba *, struct lpfcMboxq *,
+                          uint16_t, uint16_t, bool);
+ int lpfc_get_sli4_parameters(struct lpfc_hba *, LPFC_MBOXQ_t *);
+diff --git a/drivers/scsi/lpfc/lpfc_hw4.h b/drivers/scsi/lpfc/lpfc_hw4.h
+index bd533475c86a..b8a772f80d6c 100644
+--- a/drivers/scsi/lpfc/lpfc_hw4.h
++++ b/drivers/scsi/lpfc/lpfc_hw4.h
+@@ -122,6 +122,7 @@ struct lpfc_sli_intf {
+ /* Define SLI4 Alignment requirements. */
+ #define LPFC_ALIGN_16_BYTE    16
+ #define LPFC_ALIGN_64_BYTE    64
++#define SLI4_PAGE_SIZE                4096
+ /* Define SLI4 specific definitions. */
+ #define LPFC_MQ_CQE_BYTE_OFFSET       256
+@@ -2962,62 +2963,6 @@ struct lpfc_mbx_request_features {
+ #define lpfc_mbx_rq_ftr_rsp_mrqp_WORD         word3
+ };
+-struct lpfc_mbx_supp_pages {
+-      uint32_t word1;
+-#define qs_SHIFT                              0
+-#define qs_MASK                                       0x00000001
+-#define qs_WORD                                       word1
+-#define wr_SHIFT                              1
+-#define wr_MASK                               0x00000001
+-#define wr_WORD                                       word1
+-#define pf_SHIFT                              8
+-#define pf_MASK                                       0x000000ff
+-#define pf_WORD                                       word1
+-#define cpn_SHIFT                             16
+-#define cpn_MASK                              0x000000ff
+-#define cpn_WORD                              word1
+-      uint32_t word2;
+-#define list_offset_SHIFT                     0
+-#define list_offset_MASK                      0x000000ff
+-#define list_offset_WORD                      word2
+-#define next_offset_SHIFT                     8
+-#define next_offset_MASK                      0x000000ff
+-#define next_offset_WORD                      word2
+-#define elem_cnt_SHIFT                                16
+-#define elem_cnt_MASK                         0x000000ff
+-#define elem_cnt_WORD                         word2
+-      uint32_t word3;
+-#define pn_0_SHIFT                            24
+-#define pn_0_MASK                             0x000000ff
+-#define pn_0_WORD                             word3
+-#define pn_1_SHIFT                            16
+-#define pn_1_MASK                             0x000000ff
+-#define pn_1_WORD                             word3
+-#define pn_2_SHIFT                            8
+-#define pn_2_MASK                             0x000000ff
+-#define pn_2_WORD                             word3
+-#define pn_3_SHIFT                            0
+-#define pn_3_MASK                             0x000000ff
+-#define pn_3_WORD                             word3
+-      uint32_t word4;
+-#define pn_4_SHIFT                            24
+-#define pn_4_MASK                             0x000000ff
+-#define pn_4_WORD                             word4
+-#define pn_5_SHIFT                            16
+-#define pn_5_MASK                             0x000000ff
+-#define pn_5_WORD                             word4
+-#define pn_6_SHIFT                            8
+-#define pn_6_MASK                             0x000000ff
+-#define pn_6_WORD                             word4
+-#define pn_7_SHIFT                            0
+-#define pn_7_MASK                             0x000000ff
+-#define pn_7_WORD                             word4
+-      uint32_t rsvd[27];
+-#define LPFC_SUPP_PAGES                       0
+-#define LPFC_BLOCK_GUARD_PROFILES     1
+-#define LPFC_SLI4_PARAMETERS          2
+-};
+-
+ struct lpfc_mbx_memory_dump_type3 {
+       uint32_t word1;
+ #define lpfc_mbx_memory_dump_type3_type_SHIFT    0
+@@ -3234,121 +3179,6 @@ struct user_eeprom {
+       uint8_t reserved191[57];
+ };
+-struct lpfc_mbx_pc_sli4_params {
+-      uint32_t word1;
+-#define qs_SHIFT                              0
+-#define qs_MASK                                       0x00000001
+-#define qs_WORD                                       word1
+-#define wr_SHIFT                              1
+-#define wr_MASK                                       0x00000001
+-#define wr_WORD                                       word1
+-#define pf_SHIFT                              8
+-#define pf_MASK                                       0x000000ff
+-#define pf_WORD                                       word1
+-#define cpn_SHIFT                             16
+-#define cpn_MASK                              0x000000ff
+-#define cpn_WORD                              word1
+-      uint32_t word2;
+-#define if_type_SHIFT                         0
+-#define if_type_MASK                          0x00000007
+-#define if_type_WORD                          word2
+-#define sli_rev_SHIFT                         4
+-#define sli_rev_MASK                          0x0000000f
+-#define sli_rev_WORD                          word2
+-#define sli_family_SHIFT                      8
+-#define sli_family_MASK                               0x000000ff
+-#define sli_family_WORD                               word2
+-#define featurelevel_1_SHIFT                  16
+-#define featurelevel_1_MASK                   0x000000ff
+-#define featurelevel_1_WORD                   word2
+-#define featurelevel_2_SHIFT                  24
+-#define featurelevel_2_MASK                   0x0000001f
+-#define featurelevel_2_WORD                   word2
+-      uint32_t word3;
+-#define fcoe_SHIFT                            0
+-#define fcoe_MASK                             0x00000001
+-#define fcoe_WORD                             word3
+-#define fc_SHIFT                              1
+-#define fc_MASK                                       0x00000001
+-#define fc_WORD                                       word3
+-#define nic_SHIFT                             2
+-#define nic_MASK                              0x00000001
+-#define nic_WORD                              word3
+-#define iscsi_SHIFT                           3
+-#define iscsi_MASK                            0x00000001
+-#define iscsi_WORD                            word3
+-#define rdma_SHIFT                            4
+-#define rdma_MASK                             0x00000001
+-#define rdma_WORD                             word3
+-      uint32_t sge_supp_len;
+-#define SLI4_PAGE_SIZE 4096
+-      uint32_t word5;
+-#define if_page_sz_SHIFT                      0
+-#define if_page_sz_MASK                               0x0000ffff
+-#define if_page_sz_WORD                               word5
+-#define loopbk_scope_SHIFT                    24
+-#define loopbk_scope_MASK                     0x0000000f
+-#define loopbk_scope_WORD                     word5
+-#define rq_db_window_SHIFT                    28
+-#define rq_db_window_MASK                     0x0000000f
+-#define rq_db_window_WORD                     word5
+-      uint32_t word6;
+-#define eq_pages_SHIFT                                0
+-#define eq_pages_MASK                         0x0000000f
+-#define eq_pages_WORD                         word6
+-#define eqe_size_SHIFT                                8
+-#define eqe_size_MASK                         0x000000ff
+-#define eqe_size_WORD                         word6
+-      uint32_t word7;
+-#define cq_pages_SHIFT                                0
+-#define cq_pages_MASK                         0x0000000f
+-#define cq_pages_WORD                         word7
+-#define cqe_size_SHIFT                                8
+-#define cqe_size_MASK                         0x000000ff
+-#define cqe_size_WORD                         word7
+-      uint32_t word8;
+-#define mq_pages_SHIFT                                0
+-#define mq_pages_MASK                         0x0000000f
+-#define mq_pages_WORD                         word8
+-#define mqe_size_SHIFT                                8
+-#define mqe_size_MASK                         0x000000ff
+-#define mqe_size_WORD                         word8
+-#define mq_elem_cnt_SHIFT                     16
+-#define mq_elem_cnt_MASK                      0x000000ff
+-#define mq_elem_cnt_WORD                      word8
+-      uint32_t word9;
+-#define wq_pages_SHIFT                                0
+-#define wq_pages_MASK                         0x0000ffff
+-#define wq_pages_WORD                         word9
+-#define wqe_size_SHIFT                                8
+-#define wqe_size_MASK                         0x000000ff
+-#define wqe_size_WORD                         word9
+-      uint32_t word10;
+-#define rq_pages_SHIFT                                0
+-#define rq_pages_MASK                         0x0000ffff
+-#define rq_pages_WORD                         word10
+-#define rqe_size_SHIFT                                8
+-#define rqe_size_MASK                         0x000000ff
+-#define rqe_size_WORD                         word10
+-      uint32_t word11;
+-#define hdr_pages_SHIFT                               0
+-#define hdr_pages_MASK                                0x0000000f
+-#define hdr_pages_WORD                                word11
+-#define hdr_size_SHIFT                                8
+-#define hdr_size_MASK                         0x0000000f
+-#define hdr_size_WORD                         word11
+-#define hdr_pp_align_SHIFT                    16
+-#define hdr_pp_align_MASK                     0x0000ffff
+-#define hdr_pp_align_WORD                     word11
+-      uint32_t word12;
+-#define sgl_pages_SHIFT                               0
+-#define sgl_pages_MASK                                0x0000000f
+-#define sgl_pages_WORD                                word12
+-#define sgl_pp_align_SHIFT                    16
+-#define sgl_pp_align_MASK                     0x0000ffff
+-#define sgl_pp_align_WORD                     word12
+-      uint32_t rsvd_13_63[51];
+-};
+ #define SLI4_PAGE_ALIGN(addr) (((addr)+((SLI4_PAGE_SIZE)-1)) \
+                              &(~((SLI4_PAGE_SIZE)-1)))
+@@ -3958,8 +3788,6 @@ struct lpfc_mqe {
+               struct lpfc_mbx_post_hdr_tmpl hdr_tmpl;
+               struct lpfc_mbx_query_fw_config query_fw_cfg;
+               struct lpfc_mbx_set_beacon_config beacon_config;
+-              struct lpfc_mbx_supp_pages supp_pages;
+-              struct lpfc_mbx_pc_sli4_params sli4_params;
+               struct lpfc_mbx_get_sli4_parameters get_sli4_parameters;
+               struct lpfc_mbx_set_link_diag_state link_diag_state;
+               struct lpfc_mbx_set_link_diag_loopback link_diag_loopback;
+diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c
+index 9ff463b597d2..b5cee2a2ac66 100644
+--- a/drivers/scsi/lpfc/lpfc_init.c
++++ b/drivers/scsi/lpfc/lpfc_init.c
+@@ -6415,8 +6415,6 @@ lpfc_sli4_driver_resource_setup(struct lpfc_hba *phba)
+       LPFC_MBOXQ_t *mboxq;
+       MAILBOX_t *mb;
+       int rc, i, max_buf_size;
+-      uint8_t pn_page[LPFC_MAX_SUPPORTED_PAGES] = {0};
+-      struct lpfc_mqe *mqe;
+       int longs;
+       int extra;
+       uint64_t wwn;
+@@ -6640,32 +6638,6 @@ lpfc_sli4_driver_resource_setup(struct lpfc_hba *phba)
+       lpfc_nvme_mod_param_dep(phba);
+-      /* Get the Supported Pages if PORT_CAPABILITIES is supported by port. */
+-      lpfc_supported_pages(mboxq);
+-      rc = lpfc_sli_issue_mbox(phba, mboxq, MBX_POLL);
+-      if (!rc) {
+-              mqe = &mboxq->u.mqe;
+-              memcpy(&pn_page[0], ((uint8_t *)&mqe->un.supp_pages.word3),
+-                     LPFC_MAX_SUPPORTED_PAGES);
+-              for (i = 0; i < LPFC_MAX_SUPPORTED_PAGES; i++) {
+-                      switch (pn_page[i]) {
+-                      case LPFC_SLI4_PARAMETERS:
+-                              phba->sli4_hba.pc_sli4_params.supported = 1;
+-                              break;
+-                      default:
+-                              break;
+-                      }
+-              }
+-              /* Read the port's SLI4 Parameters capabilities if supported. */
+-              if (phba->sli4_hba.pc_sli4_params.supported)
+-                      rc = lpfc_pc_sli4_params_get(phba, mboxq);
+-              if (rc) {
+-                      mempool_free(mboxq, phba->mbox_mem_pool);
+-                      rc = -EIO;
+-                      goto out_free_bsmbx;
+-              }
+-      }
+-
+       /*
+        * Get sli4 parameters that override parameters from Port capabilities.
+        * If this call fails, it isn't critical unless the SLI4 parameters come
+@@ -11574,78 +11546,6 @@ lpfc_sli4_hba_unset(struct lpfc_hba *phba)
+               phba->pport->work_port_events = 0;
+ }
+- /**
+- * lpfc_pc_sli4_params_get - Get the SLI4_PARAMS port capabilities.
+- * @phba: Pointer to HBA context object.
+- * @mboxq: Pointer to the mailboxq memory for the mailbox command response.
+- *
+- * This function is called in the SLI4 code path to read the port's
+- * sli4 capabilities.
+- *
+- * This function may be be called from any context that can block-wait
+- * for the completion.  The expectation is that this routine is called
+- * typically from probe_one or from the online routine.
+- **/
+-int
+-lpfc_pc_sli4_params_get(struct lpfc_hba *phba, LPFC_MBOXQ_t *mboxq)
+-{
+-      int rc;
+-      struct lpfc_mqe *mqe;
+-      struct lpfc_pc_sli4_params *sli4_params;
+-      uint32_t mbox_tmo;
+-
+-      rc = 0;
+-      mqe = &mboxq->u.mqe;
+-
+-      /* Read the port's SLI4 Parameters port capabilities */
+-      lpfc_pc_sli4_params(mboxq);
+-      if (!phba->sli4_hba.intr_enable)
+-              rc = lpfc_sli_issue_mbox(phba, mboxq, MBX_POLL);
+-      else {
+-              mbox_tmo = lpfc_mbox_tmo_val(phba, mboxq);
+-              rc = lpfc_sli_issue_mbox_wait(phba, mboxq, mbox_tmo);
+-      }
+-
+-      if (unlikely(rc))
+-              return 1;
+-
+-      sli4_params = &phba->sli4_hba.pc_sli4_params;
+-      sli4_params->if_type = bf_get(if_type, &mqe->un.sli4_params);
+-      sli4_params->sli_rev = bf_get(sli_rev, &mqe->un.sli4_params);
+-      sli4_params->sli_family = bf_get(sli_family, &mqe->un.sli4_params);
+-      sli4_params->featurelevel_1 = bf_get(featurelevel_1,
+-                                           &mqe->un.sli4_params);
+-      sli4_params->featurelevel_2 = bf_get(featurelevel_2,
+-                                           &mqe->un.sli4_params);
+-      sli4_params->proto_types = mqe->un.sli4_params.word3;
+-      sli4_params->sge_supp_len = mqe->un.sli4_params.sge_supp_len;
+-      sli4_params->if_page_sz = bf_get(if_page_sz, &mqe->un.sli4_params);
+-      sli4_params->rq_db_window = bf_get(rq_db_window, &mqe->un.sli4_params);
+-      sli4_params->loopbk_scope = bf_get(loopbk_scope, &mqe->un.sli4_params);
+-      sli4_params->eq_pages_max = bf_get(eq_pages, &mqe->un.sli4_params);
+-      sli4_params->eqe_size = bf_get(eqe_size, &mqe->un.sli4_params);
+-      sli4_params->cq_pages_max = bf_get(cq_pages, &mqe->un.sli4_params);
+-      sli4_params->cqe_size = bf_get(cqe_size, &mqe->un.sli4_params);
+-      sli4_params->mq_pages_max = bf_get(mq_pages, &mqe->un.sli4_params);
+-      sli4_params->mqe_size = bf_get(mqe_size, &mqe->un.sli4_params);
+-      sli4_params->mq_elem_cnt = bf_get(mq_elem_cnt, &mqe->un.sli4_params);
+-      sli4_params->wq_pages_max = bf_get(wq_pages, &mqe->un.sli4_params);
+-      sli4_params->wqe_size = bf_get(wqe_size, &mqe->un.sli4_params);
+-      sli4_params->rq_pages_max = bf_get(rq_pages, &mqe->un.sli4_params);
+-      sli4_params->rqe_size = bf_get(rqe_size, &mqe->un.sli4_params);
+-      sli4_params->hdr_pages_max = bf_get(hdr_pages, &mqe->un.sli4_params);
+-      sli4_params->hdr_size = bf_get(hdr_size, &mqe->un.sli4_params);
+-      sli4_params->hdr_pp_align = bf_get(hdr_pp_align, &mqe->un.sli4_params);
+-      sli4_params->sgl_pages_max = bf_get(sgl_pages, &mqe->un.sli4_params);
+-      sli4_params->sgl_pp_align = bf_get(sgl_pp_align, &mqe->un.sli4_params);
+-
+-      /* Make sure that sge_supp_len can be handled by the driver */
+-      if (sli4_params->sge_supp_len > LPFC_MAX_SGE_SIZE)
+-              sli4_params->sge_supp_len = LPFC_MAX_SGE_SIZE;
+-
+-      return rc;
+-}
+-
+ /**
+  * lpfc_get_sli4_parameters - Get the SLI4 Config PARAMETERS.
+  * @phba: Pointer to HBA context object.
+@@ -11704,7 +11604,8 @@ lpfc_get_sli4_parameters(struct lpfc_hba *phba, LPFC_MBOXQ_t *mboxq)
+       else
+               phba->sli3_options &= ~LPFC_SLI4_PHWQ_ENABLED;
+       sli4_params->sge_supp_len = mbx_sli4_parameters->sge_supp_len;
+-      sli4_params->loopbk_scope = bf_get(loopbk_scope, mbx_sli4_parameters);
++      sli4_params->loopbk_scope = bf_get(cfg_loopbk_scope,
++                                         mbx_sli4_parameters);
+       sli4_params->oas_supported = bf_get(cfg_oas, mbx_sli4_parameters);
+       sli4_params->cqv = bf_get(cfg_cqv, mbx_sli4_parameters);
+       sli4_params->mqv = bf_get(cfg_mqv, mbx_sli4_parameters);
+diff --git a/drivers/scsi/lpfc/lpfc_mbox.c b/drivers/scsi/lpfc/lpfc_mbox.c
+index 8abe933bad09..4a331164086e 100644
+--- a/drivers/scsi/lpfc/lpfc_mbox.c
++++ b/drivers/scsi/lpfc/lpfc_mbox.c
+@@ -2622,39 +2622,3 @@ lpfc_resume_rpi(struct lpfcMboxq *mbox, struct lpfc_nodelist *ndlp)
+       resume_rpi->event_tag = ndlp->phba->fc_eventTag;
+ }
+-/**
+- * lpfc_supported_pages - Initialize the PORT_CAPABILITIES supported pages
+- *                        mailbox command.
+- * @mbox: pointer to lpfc mbox command to initialize.
+- *
+- * The PORT_CAPABILITIES supported pages mailbox command is issued to
+- * retrieve the particular feature pages supported by the port.
+- **/
+-void
+-lpfc_supported_pages(struct lpfcMboxq *mbox)
+-{
+-      struct lpfc_mbx_supp_pages *supp_pages;
+-
+-      memset(mbox, 0, sizeof(*mbox));
+-      supp_pages = &mbox->u.mqe.un.supp_pages;
+-      bf_set(lpfc_mqe_command, &mbox->u.mqe, MBX_PORT_CAPABILITIES);
+-      bf_set(cpn, supp_pages, LPFC_SUPP_PAGES);
+-}
+-
+-/**
+- * lpfc_pc_sli4_params - Initialize the PORT_CAPABILITIES SLI4 Params mbox cmd.
+- * @mbox: pointer to lpfc mbox command to initialize.
+- *
+- * The PORT_CAPABILITIES SLI4 parameters mailbox command is issued to
+- * retrieve the particular SLI4 features supported by the port.
+- **/
+-void
+-lpfc_pc_sli4_params(struct lpfcMboxq *mbox)
+-{
+-      struct lpfc_mbx_pc_sli4_params *sli4_params;
+-
+-      memset(mbox, 0, sizeof(*mbox));
+-      sli4_params = &mbox->u.mqe.un.sli4_params;
+-      bf_set(lpfc_mqe_command, &mbox->u.mqe, MBX_PORT_CAPABILITIES);
+-      bf_set(cpn, sli4_params, LPFC_SLI4_PARAMETERS);
+-}
+-- 
+2.30.2
+
diff --git a/queue-5.4/scsi-qla2xxx-always-check-the-return-value-of-qla24x.patch b/queue-5.4/scsi-qla2xxx-always-check-the-return-value-of-qla24x.patch
new file mode 100644 (file)
index 0000000..b951e43
--- /dev/null
@@ -0,0 +1,60 @@
+From f4c4b3443d789dcf3e3bd2159f541748d51201d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 20 Mar 2021 16:23:58 -0700
+Subject: scsi: qla2xxx: Always check the return value of
+ qla24xx_get_isp_stats()
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit a2b2cc660822cae08c351c7f6b452bfd1330a4f7 ]
+
+This patch fixes the following Coverity warning:
+
+    CID 361199 (#1 of 1): Unchecked return value (CHECKED_RETURN)
+    3. check_return: Calling qla24xx_get_isp_stats without checking return
+    value (as is done elsewhere 4 out of 5 times).
+
+Link: https://lore.kernel.org/r/20210320232359.941-7-bvanassche@acm.org
+Cc: Quinn Tran <qutran@marvell.com>
+Cc: Mike Christie <michael.christie@oracle.com>
+Cc: Himanshu Madhani <himanshu.madhani@oracle.com>
+Cc: Daniel Wagner <dwagner@suse.de>
+Cc: Lee Duncan <lduncan@suse.com>
+Reviewed-by: Daniel Wagner <dwagner@suse.de>
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_attr.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c
+index bed7e8637217..580d30cd5c35 100644
+--- a/drivers/scsi/qla2xxx/qla_attr.c
++++ b/drivers/scsi/qla2xxx/qla_attr.c
+@@ -2691,6 +2691,8 @@ qla2x00_reset_host_stats(struct Scsi_Host *shost)
+       vha->qla_stats.jiffies_at_last_reset = get_jiffies_64();
+       if (IS_FWI2_CAPABLE(ha)) {
++              int rval;
++
+               stats = dma_alloc_coherent(&ha->pdev->dev,
+                   sizeof(*stats), &stats_dma, GFP_KERNEL);
+               if (!stats) {
+@@ -2700,7 +2702,11 @@ qla2x00_reset_host_stats(struct Scsi_Host *shost)
+               }
+               /* reset firmware statistics */
+-              qla24xx_get_isp_stats(base_vha, stats, stats_dma, BIT_0);
++              rval = qla24xx_get_isp_stats(base_vha, stats, stats_dma, BIT_0);
++              if (rval != QLA_SUCCESS)
++                      ql_log(ql_log_warn, vha, 0x70de,
++                             "Resetting ISP statistics failed: rval = %d\n",
++                             rval);
+               dma_free_coherent(&ha->pdev->dev, sizeof(*stats),
+                   stats, stats_dma);
+-- 
+2.30.2
+
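Review bot: In qla2x00_reset_host_stats() a failed `qla24xx_get_isp_stats()` is now logged, but the function carries on as if the firmware reset happened, and `vha->qla_stats.jiffies_at_last_reset` has already been updated in the context line above the `IS_FWI2_CAPABLE(ha)` block. If the firmware counters were not cleared, later statistics would be reported against a reset time that does not match them; this is inferred from the visible lines, since the rest of the function is outside the hunk. A short comment at the check would record that the failure is deliberately non-fatal, e.g. `/* best effort: the reset timestamp is already updated; firmware counters may be stale on failure */`. The three-line `ql_log()` body would also be safer inside braces.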
diff --git a/queue-5.4/scsi-qla2xxx-fix-use-after-free-in-bsg.patch b/queue-5.4/scsi-qla2xxx-fix-use-after-free-in-bsg.patch
new file mode 100644 (file)
index 0000000..941265a
--- /dev/null
@@ -0,0 +1,61 @@
+From 81c5e751b663363b04310668c8aa2431917aa288 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Mar 2021 01:52:22 -0700
+Subject: scsi: qla2xxx: Fix use after free in bsg
+
+From: Quinn Tran <qutran@marvell.com>
+
+[ Upstream commit 2ce35c0821afc2acd5ee1c3f60d149f8b2520ce8 ]
+
+On bsg command completion, bsg_job_done() was called while qla driver
+continued to access the bsg_job buffer. bsg_job_done() would free up
+resources that ended up being reused by other task while the driver
+continued to access the buffers. As a result, driver was reading garbage
+data.
+
+localhost kernel: BUG: KASAN: use-after-free in sg_next+0x64/0x80
+localhost kernel: Read of size 8 at addr ffff8883228a3330 by task swapper/26/0
+localhost kernel:
+localhost kernel: CPU: 26 PID: 0 Comm: swapper/26 Kdump:
+loaded Tainted: G          OE    --------- -  - 4.18.0-193.el8.x86_64+debug #1
+localhost kernel: Hardware name: HP ProLiant DL360
+Gen9/ProLiant DL360 Gen9, BIOS P89 08/12/2016
+localhost kernel: Call Trace:
+localhost kernel: <IRQ>
+localhost kernel: dump_stack+0x9a/0xf0
+localhost kernel: print_address_description.cold.3+0x9/0x23b
+localhost kernel: kasan_report.cold.4+0x65/0x95
+localhost kernel: debug_dma_unmap_sg.part.12+0x10d/0x2d0
+localhost kernel: qla2x00_bsg_sp_free+0xaf6/0x1010 [qla2xxx]
+
+Link: https://lore.kernel.org/r/20210329085229.4367-6-njavali@marvell.com
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Quinn Tran <qutran@marvell.com>
+Signed-off-by: Saurav Kashyap <skashyap@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_bsg.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_bsg.c b/drivers/scsi/qla2xxx/qla_bsg.c
+index cbaf178fc979..ce55121910e8 100644
+--- a/drivers/scsi/qla2xxx/qla_bsg.c
++++ b/drivers/scsi/qla2xxx/qla_bsg.c
+@@ -17,10 +17,11 @@ void qla2x00_bsg_job_done(srb_t *sp, int res)
+       struct bsg_job *bsg_job = sp->u.bsg_job;
+       struct fc_bsg_reply *bsg_reply = bsg_job->reply;
++      sp->free(sp);
++
+       bsg_reply->result = res;
+       bsg_job_done(bsg_job, bsg_reply->result,
+                      bsg_reply->reply_payload_rcv_len);
+-      sp->free(sp);
+ }
+ void qla2x00_bsg_sp_free(srb_t *sp)
+-- 
+2.30.2
+
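Review bot: The statement order in qla2x00_bsg_job_done() is now what prevents the use-after-free, but nothing in the code says so. `sp->free(sp)` has to run before `bsg_job_done()`, and the lines after it are safe only because they use the `bsg_job` and `bsg_reply` locals captured at the top rather than `sp`. A comment above the moved call would keep a later cleanup from reordering it, e.g. `/* Release sp first: once bsg_job_done() runs the job buffers may be reused, and sp's free routine still unmaps them. Do not touch sp below. */`. That `sp` itself is invalid after `sp->free(sp)` is presumed from the callback's name and is not shown in this hunk.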
diff --git a/queue-5.4/scsi-scsi_dh_alua-remove-check-for-asc-24h-in-alua_r.patch b/queue-5.4/scsi-scsi_dh_alua-remove-check-for-asc-24h-in-alua_r.patch
new file mode 100644 (file)
index 0000000..427b1c0
--- /dev/null
@@ -0,0 +1,42 @@
+From 2d7d5901376f70efbac07460c0b81673bc3371bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Mar 2021 16:11:54 -0400
+Subject: scsi: scsi_dh_alua: Remove check for ASC 24h in alua_rtpg()
+
+From: Ewan D. Milne <emilne@redhat.com>
+
+[ Upstream commit bc3f2b42b70eb1b8576e753e7d0e117bbb674496 ]
+
+Some arrays return ILLEGAL_REQUEST with ASC 00h if they don't support the
+RTPG extended header so remove the check for INVALID FIELD IN CDB.
+
+Link: https://lore.kernel.org/r/20210331201154.20348-1-emilne@redhat.com
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Ewan D. Milne <emilne@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/device_handler/scsi_dh_alua.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/device_handler/scsi_dh_alua.c b/drivers/scsi/device_handler/scsi_dh_alua.c
+index 308bda2e9c00..df5a3bbeba5e 100644
+--- a/drivers/scsi/device_handler/scsi_dh_alua.c
++++ b/drivers/scsi/device_handler/scsi_dh_alua.c
+@@ -565,10 +565,11 @@ static int alua_rtpg(struct scsi_device *sdev, struct alua_port_group *pg)
+                * even though it shouldn't according to T10.
+                * The retry without rtpg_ext_hdr_req set
+                * handles this.
++               * Note:  some arrays return a sense key of ILLEGAL_REQUEST
++               * with ASC 00h if they don't support the extended header.
+                */
+               if (!(pg->flags & ALUA_RTPG_EXT_HDR_UNSUPP) &&
+-                  sense_hdr.sense_key == ILLEGAL_REQUEST &&
+-                  sense_hdr.asc == 0x24 && sense_hdr.ascq == 0) {
++                  sense_hdr.sense_key == ILLEGAL_REQUEST) {
+                       pg->flags |= ALUA_RTPG_EXT_HDR_UNSUPP;
+                       goto retry;
+               }
+-- 
+2.30.2
+
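Review bot: With the ASC/ASCQ test removed in alua_rtpg(), every ILLEGAL_REQUEST sense key now sets `ALUA_RTPG_EXT_HDR_UNSUPP` and retries, so a rejection for an unrelated reason can no longer be told apart from a missing extended header. The flag test in the same condition limits this to one retry, but nothing in the hunk clears the flag on `pg` once it is set. Logging the additional sense data on this path would keep the cause diagnosable, e.g. `sdev_printk(KERN_INFO, sdev, "rtpg ext hdr rejected, asc %02x ascq %02x\n", sense_hdr.asc, sense_hdr.ascq);` before `goto retry;`. The function body extends beyond the hunk.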
diff --git a/queue-5.4/scsi-smartpqi-add-new-pci-ids.patch b/queue-5.4/scsi-smartpqi-add-new-pci-ids.patch
new file mode 100644 (file)
index 0000000..d747239
--- /dev/null
@@ -0,0 +1,221 @@
+From b44c1bad9f872a9f6833f386a78114257fd5dfa6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Mar 2021 14:17:48 -0600
+Subject: scsi: smartpqi: Add new PCI IDs
+
+From: Kevin Barnett <kevin.barnett@microchip.com>
+
+[ Upstream commit 75fbeacca3ad30835e903002dba98dd909b4dfff ]
+
+Add support for newer hardware.
+
+Link: https://lore.kernel.org/r/161549386882.25025.2594251735886014958.stgit@brunhilda
+Reviewed-by: Scott Benesh <scott.benesh@microchip.com>
+Reviewed-by: Scott Teel <scott.teel@microchip.com>
+Acked-by: Martin Wilck <mwilck@suse.com>
+Signed-off-by: Kevin Barnett <kevin.barnett@microchip.com>
+Signed-off-by: Don Brace <don.brace@microchip.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/smartpqi/smartpqi_init.c | 156 ++++++++++++++++++++++++++
+ 1 file changed, 156 insertions(+)
+
+diff --git a/drivers/scsi/smartpqi/smartpqi_init.c b/drivers/scsi/smartpqi/smartpqi_init.c
+index 3480a0a66771..9bc451004184 100644
+--- a/drivers/scsi/smartpqi/smartpqi_init.c
++++ b/drivers/scsi/smartpqi/smartpqi_init.c
+@@ -8146,6 +8146,10 @@ static const struct pci_device_id pqi_pci_id_table[] = {
+               PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
+                              0x152d, 0x8a37)
+       },
++      {
++              PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++                             0x193d, 0x8460)
++      },
+       {
+               PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
+                              0x193d, 0x1104)
+@@ -8218,6 +8222,22 @@ static const struct pci_device_id pqi_pci_id_table[] = {
+               PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
+                              0x1bd4, 0x004f)
+       },
++      {
++              PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++                             0x1bd4, 0x0051)
++      },
++      {
++              PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++                             0x1bd4, 0x0052)
++      },
++      {
++              PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++                             0x1bd4, 0x0053)
++      },
++      {
++              PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++                             0x1bd4, 0x0054)
++      },
+       {
+               PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
+                              0x19e5, 0xd227)
+@@ -8374,6 +8394,122 @@ static const struct pci_device_id pqi_pci_id_table[] = {
+               PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
+                              PCI_VENDOR_ID_ADAPTEC2, 0x1380)
+       },
++      {
++              PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++                             PCI_VENDOR_ID_ADAPTEC2, 0x1400)
++      },
++      {
++              PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++                             PCI_VENDOR_ID_ADAPTEC2, 0x1402)
++      },
++      {
++              PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++                             PCI_VENDOR_ID_ADAPTEC2, 0x1410)
++      },
++      {
++              PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++                             PCI_VENDOR_ID_ADAPTEC2, 0x1411)
++      },
++      {
++              PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++                             PCI_VENDOR_ID_ADAPTEC2, 0x1412)
++      },
++      {
++              PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++                             PCI_VENDOR_ID_ADAPTEC2, 0x1420)
++      },
++      {
++              PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++                             PCI_VENDOR_ID_ADAPTEC2, 0x1430)
++      },
++      {
++              PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++                             PCI_VENDOR_ID_ADAPTEC2, 0x1440)
++      },
++      {
++              PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++                             PCI_VENDOR_ID_ADAPTEC2, 0x1441)
++      },
++      {
++              PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++                             PCI_VENDOR_ID_ADAPTEC2, 0x1450)
++      },
++      {
++              PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++                             PCI_VENDOR_ID_ADAPTEC2, 0x1452)
++      },
++      {
++              PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++                             PCI_VENDOR_ID_ADAPTEC2, 0x1460)
++      },
++      {
++              PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++                             PCI_VENDOR_ID_ADAPTEC2, 0x1461)
++      },
++      {
++              PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++                             PCI_VENDOR_ID_ADAPTEC2, 0x1462)
++      },
++      {
++              PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++                             PCI_VENDOR_ID_ADAPTEC2, 0x1470)
++      },
++      {
++              PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++                             PCI_VENDOR_ID_ADAPTEC2, 0x1471)
++      },
++      {
++              PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++                             PCI_VENDOR_ID_ADAPTEC2, 0x1472)
++      },
++      {
++              PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++                             PCI_VENDOR_ID_ADAPTEC2, 0x1480)
++      },
++      {
++              PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++                             PCI_VENDOR_ID_ADAPTEC2, 0x1490)
++      },
++      {
++              PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++                             PCI_VENDOR_ID_ADAPTEC2, 0x1491)
++      },
++      {
++              PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++                             PCI_VENDOR_ID_ADAPTEC2, 0x14a0)
++      },
++      {
++              PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++                             PCI_VENDOR_ID_ADAPTEC2, 0x14a1)
++      },
++      {
++              PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++                             PCI_VENDOR_ID_ADAPTEC2, 0x14b0)
++      },
++      {
++              PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++                             PCI_VENDOR_ID_ADAPTEC2, 0x14b1)
++      },
++      {
++              PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++                             PCI_VENDOR_ID_ADAPTEC2, 0x14c0)
++      },
++      {
++              PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++                             PCI_VENDOR_ID_ADAPTEC2, 0x14c1)
++      },
++      {
++              PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++                             PCI_VENDOR_ID_ADAPTEC2, 0x14d0)
++      },
++      {
++              PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++                             PCI_VENDOR_ID_ADAPTEC2, 0x14e0)
++      },
++      {
++              PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++                             PCI_VENDOR_ID_ADAPTEC2, 0x14f0)
++      },
+       {
+               PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
+                              PCI_VENDOR_ID_ADVANTECH, 0x8312)
+@@ -8438,6 +8574,10 @@ static const struct pci_device_id pqi_pci_id_table[] = {
+               PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
+                              PCI_VENDOR_ID_HP, 0x1001)
+       },
++      {
++              PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++                             PCI_VENDOR_ID_HP, 0x1002)
++      },
+       {
+               PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
+                              PCI_VENDOR_ID_HP, 0x1100)
+@@ -8446,6 +8586,22 @@ static const struct pci_device_id pqi_pci_id_table[] = {
+               PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
+                              PCI_VENDOR_ID_HP, 0x1101)
+       },
++      {
++              PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++                             0x1590, 0x0294)
++      },
++      {
++              PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++                             0x1590, 0x02db)
++      },
++      {
++              PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++                             0x1590, 0x02dc)
++      },
++      {
++              PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
++                             0x1590, 0x032e)
++      },
+       {
+               PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
+                              0x1d8d, 0x0800)
+-- 
+2.30.2
+
diff --git a/queue-5.4/scsi-smartpqi-correct-request-leakage-during-reset-o.patch b/queue-5.4/scsi-smartpqi-correct-request-leakage-during-reset-o.patch
new file mode 100644 (file)
index 0000000..3a47c1e
--- /dev/null
@@ -0,0 +1,52 @@
+From 3818600b9d2e455bdf2cfe95cf11e0a60951f01c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Mar 2021 14:15:03 -0600
+Subject: scsi: smartpqi: Correct request leakage during reset operations
+
+From: Murthy Bhat <Murthy.Bhat@microchip.com>
+
+[ Upstream commit b622a601a13ae5974c5b0aeecb990c224b8db0d9 ]
+
+While failing queued I/Os in TMF path, there was a request leak and hence
+stale entries in request pool with ref count being non-zero. In shutdown
+path we have a BUG_ON to catch stuck I/O either in firmware or in the
+driver. The stale requests caused a system crash. The I/O request pool
+leakage also lead to a significant performance drop.
+
+Link: https://lore.kernel.org/r/161549370379.25025.12793264112620796062.stgit@brunhilda
+Reviewed-by: Scott Teel <scott.teel@microchip.com>
+Reviewed-by: Scott Benesh <scott.benesh@microchip.com>
+Reviewed-by: Kevin Barnett <kevin.barnett@microchip.com>
+Signed-off-by: Murthy Bhat <Murthy.Bhat@microchip.com>
+Signed-off-by: Don Brace <don.brace@microchip.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/smartpqi/smartpqi_init.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/scsi/smartpqi/smartpqi_init.c b/drivers/scsi/smartpqi/smartpqi_init.c
+index 093ed5d1eef2..3480a0a66771 100644
+--- a/drivers/scsi/smartpqi/smartpqi_init.c
++++ b/drivers/scsi/smartpqi/smartpqi_init.c
+@@ -5513,6 +5513,8 @@ static void pqi_fail_io_queued_for_device(struct pqi_ctrl_info *ctrl_info,
+                               list_del(&io_request->request_list_entry);
+                               set_host_byte(scmd, DID_RESET);
++                              pqi_free_io_request(io_request);
++                              scsi_dma_unmap(scmd);
+                               pqi_scsi_done(scmd);
+                       }
+@@ -5549,6 +5551,8 @@ static void pqi_fail_io_queued_for_all_devices(struct pqi_ctrl_info *ctrl_info)
+                               list_del(&io_request->request_list_entry);
+                               set_host_byte(scmd, DID_RESET);
++                              pqi_free_io_request(io_request);
++                              scsi_dma_unmap(scmd);
+                               pqi_scsi_done(scmd);
+                       }
+-- 
+2.30.2
+
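Review bot: In both pqi_fail_io_queued_for_device() and pqi_fail_io_queued_for_all_devices() the added `pqi_free_io_request(io_request)` releases the request while the loop body is still running, so the remaining lines must use only `scmd`. That holds in the visible lines, but it is not stated. A comment at the first added line would document it, e.g. `/* io_request goes back to the pool here; use only scmd below */`. Unmapping before releasing the request (`scsi_dma_unmap(scmd);` then `pqi_free_io_request(io_request);`) would also follow the usual teardown order, assuming the unmap does not depend on the request. Both loops start and end outside their hunks.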
diff --git a/queue-5.4/scsi-target-pscsi-fix-warning-in-pscsi_complete_cmd.patch b/queue-5.4/scsi-target-pscsi-fix-warning-in-pscsi_complete_cmd.patch
new file mode 100644 (file)
index 0000000..5551847
--- /dev/null
@@ -0,0 +1,46 @@
+From beb47ffd92c419bf117452ad9a82fe5596dbd838 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 Feb 2021 21:56:26 -0800
+Subject: scsi: target: pscsi: Fix warning in pscsi_complete_cmd()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+
+[ Upstream commit fd48c056a32ed6e7754c7c475490f3bed54ed378 ]
+
+This fixes a compilation warning in pscsi_complete_cmd():
+
+     drivers/target/target_core_pscsi.c: In function ‘pscsi_complete_cmd’:
+     drivers/target/target_core_pscsi.c:624:5: warning: suggest braces around empty body in an ‘if’ statement [-Wempty-body]
+     ; /* XXX: TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE */
+
+Link: https://lore.kernel.org/r/20210228055645.22253-5-chaitanya.kulkarni@wdc.com
+Reviewed-by: Mike Christie <michael.christie@oracle.com>
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/target_core_pscsi.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/target/target_core_pscsi.c b/drivers/target/target_core_pscsi.c
+index 5a047ce77bc0..55fe93296deb 100644
+--- a/drivers/target/target_core_pscsi.c
++++ b/drivers/target/target_core_pscsi.c
+@@ -620,8 +620,9 @@ static void pscsi_complete_cmd(struct se_cmd *cmd, u8 scsi_status,
+                       unsigned char *buf;
+                       buf = transport_kmap_data_sg(cmd);
+-                      if (!buf)
++                      if (!buf) {
+                               ; /* XXX: TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE */
++                      }
+                       if (cdb[0] == MODE_SENSE_10) {
+                               if (!(buf[3] & 0x80))
+-- 
+2.30.2
+
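Review bot: The added braces silence -Wempty-body, but when `transport_kmap_data_sg(cmd)` returns NULL the code still falls through to `buf[3] & 0x80` in the `MODE_SENSE_10` branch and dereferences the NULL pointer. The `if (!buf)` block should skip the fixup instead of holding only the XXX comment, for instance by chaining the `cdb[0]` test onto it as `} else if (cdb[0] == MODE_SENSE_10) {`. The other branch of that test and whatever unmaps `buf` are outside the hunk, so the exact shape needs checking against the full function.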
index cf46a37bff67ae890549d38ec433692928d9a8de..331daced5e74b513c9d4797e80e6179f0ff18862 100644 (file)
@@ -35,3 +35,90 @@ btrfs-fix-metadata-extent-leak-after-failure-to-create-subvolume.patch
 intel_th-pci-add-rocket-lake-cpu-support.patch
 posix-timers-preserve-return-value-in-clock_adjtime32.patch
 fbdev-zero-fill-colormap-in-fbcmap.c.patch
+bus-ti-sysc-probe-for-l4_wkup-and-l4_cfg-interconnec.patch
+staging-wimax-i2400m-fix-byte-order-issue.patch
+spi-ath79-always-call-chipselect-function.patch
+spi-ath79-remove-spi-master-setup-and-cleanup-assign.patch
+crypto-api-check-for-err-pointers-in-crypto_destroy_.patch
+crypto-qat-fix-unmap-invalid-dma-address.patch
+usb-gadget-uvc-add-binterval-checking-for-hs-mode.patch
+usb-webcam-invalid-size-of-processing-unit-descripto.patch
+genirq-matrix-prevent-allocation-counter-corruption.patch
+usb-gadget-f_uac2-validate-input-parameters.patch
+usb-gadget-f_uac1-validate-input-parameters.patch
+usb-dwc3-gadget-ignore-ep-queue-requests-during-bus-.patch
+usb-xhci-fix-port-minor-revision.patch
+pci-pm-do-not-read-power-state-in-pci_enable_device_.patch
+x86-build-propagate-clang_flags-to-realmode_flags.patch
+tee-optee-do-not-check-memref-size-on-return-from-se.patch
+perf-arm_pmu_platform-fix-error-handling.patch
+usb-xhci-mtk-support-quirk-to-disable-usb2-lpm.patch
+xhci-check-control-context-is-valid-before-dereferen.patch
+xhci-fix-potential-array-out-of-bounds-with-several-.patch
+spi-dln2-fix-reference-leak-to-master.patch
+spi-omap-100k-fix-reference-leak-to-master.patch
+spi-qup-fix-pm-reference-leak-in-spi_qup_remove.patch
+usb-musb-fix-pm-reference-leak-in-musb_irq_work.patch
+usb-core-hub-fix-pm-reference-leak-in-usb_port_resum.patch
+tty-n_gsm-check-error-while-registering-tty-devices.patch
+intel_th-consistency-and-off-by-one-fix.patch
+phy-phy-twl4030-usb-fix-possible-use-after-free-in-t.patch
+crypto-stm32-hash-fix-pm-reference-leak-on-stm32-has.patch
+crypto-stm32-cryp-fix-pm-reference-leak-on-stm32-cry.patch
+crypto-omap-aes-fix-pm-reference-leak-on-omap-aes.c.patch
+platform-x86-intel_pmc_core-don-t-use-global-pmcdev-.patch
+btrfs-convert-logic-bug_on-s-in-replace_path-to-asse.patch
+drm-added-orientation-quirk-for-onegx1-pro.patch
+drm-qxl-release-shadow-on-shutdown.patch
+drm-amd-display-check-for-dsc-support-instead-of-asi.patch
+drm-amd-display-don-t-optimize-bandwidth-before-disa.patch
+scsi-lpfc-fix-incorrect-dbde-assignment-when-buildin.patch
+scsi-lpfc-fix-pt2pt-connection-does-not-recover-afte.patch
+scsi-target-pscsi-fix-warning-in-pscsi_complete_cmd.patch
+media-ite-cir-check-for-receive-overflow.patch
+media-drivers-media-pci-sta2x11-fix-kconfig-dependen.patch
+media-imx-capture-return-epipe-from-__capture_legacy.patch
+power-supply-bq27xxx-fix-power_avg-for-newer-ics.patch
+extcon-arizona-fix-some-issues-when-hpdet-irq-fires-.patch
+extcon-arizona-fix-various-races-on-driver-unbind.patch
+media-media-saa7164-fix-saa7164_encoder_register-mem.patch
+media-gspca-sq905.c-fix-uninitialized-variable.patch
+power-supply-use-irqf_oneshot.patch
+drm-amdgpu-mask-the-xgmi-number-of-hops-reported-fro.patch
+drm-amdkfd-fix-ubsan-shift-out-of-bounds-warning.patch
+drm-amdgpu-fix-asic-reset-regression-issue-introduce.patch
+drm-amd-display-fix-ubsan-warning-for-not-a-valid-va.patch
+drm-amd-display-fix-dml-prefetch-validation.patch
+scsi-qla2xxx-always-check-the-return-value-of-qla24x.patch
+drm-vkms-fix-misuse-of-warn_on.patch
+scsi-qla2xxx-fix-use-after-free-in-bsg.patch
+mmc-sdhci-pci-add-pci-ids-for-intel-lkf.patch
+ata-ahci-disable-sxs-for-hisilicon-kunpeng920.patch
+scsi-smartpqi-correct-request-leakage-during-reset-o.patch
+scsi-smartpqi-add-new-pci-ids.patch
+scsi-scsi_dh_alua-remove-check-for-asc-24h-in-alua_r.patch
+media-em28xx-fix-memory-leak.patch
+media-vivid-update-edid.patch
+clk-socfpga-arria10-fix-memory-leak-of-socfpga_clk-o.patch
+power-supply-generic-adc-battery-fix-possible-use-af.patch
+power-supply-s3c_adc_battery-fix-possible-use-after-.patch
+media-tc358743-fix-possible-use-after-free-in-tc3587.patch
+media-adv7604-fix-possible-use-after-free-in-adv76xx.patch
+media-i2c-adv7511-v4l2-fix-possible-use-after-free-i.patch
+media-i2c-tda1997-fix-possible-use-after-free-in-tda.patch
+media-i2c-adv7842-fix-possible-use-after-free-in-adv.patch
+media-platform-sti-fix-runtime-pm-imbalance-in-regs_.patch
+media-dvb-usb-fix-memory-leak-in-dvb_usb_adapter_ini.patch
+media-gscpa-stv06xx-fix-memory-leak.patch
+sched-fair-ignore-percpu-threads-for-imbalance-pulls.patch
+drm-msm-mdp5-configure-pp_sync_height-to-double-the-.patch
+drm-msm-mdp5-do-not-multiply-vclk-line-count-by-100.patch
+drm-amdkfd-fix-cat-debugfs-hang_hws-file-causes-syst.patch
+amdgpu-avoid-incorrect-hu-format-string.patch
+drm-amdgpu-fix-null-pointer-dereference.patch
+scsi-lpfc-fix-crash-when-a-reg_rpi-mailbox-fails-tri.patch
+scsi-lpfc-fix-error-handling-for-mailboxes-completed.patch
+scsi-lpfc-remove-unsupported-mbox-port_capabilities-.patch
+mfd-arizona-fix-rumtime-pm-imbalance-on-error.patch
+scsi-libfc-fix-a-format-specifier.patch
+s390-archrandom-add-parameter-check-for-s390_arch_ra.patch
diff --git a/queue-5.4/spi-ath79-always-call-chipselect-function.patch b/queue-5.4/spi-ath79-always-call-chipselect-function.patch
new file mode 100644 (file)
index 0000000..2af9682
--- /dev/null
@@ -0,0 +1,39 @@
+From e1785d1c6f9465ca3371ed41be27e415cd71706f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Mar 2021 17:08:36 +0100
+Subject: spi: ath79: always call chipselect function
+
+From: David Bauer <mail@david-bauer.net>
+
+[ Upstream commit 19e2132174583beb90c1bd3e9c842bc6d5c944d1 ]
+
+spi-bitbang has to call the chipselect function on the ath79 SPI driver
+in order to communicate with the SPI slave device, as the ath79 SPI
+driver has three dedicated chipselect lines but can also be used with
+GPIOs for the CS lines.
+
+Fixes commit 4a07b8bcd503 ("spi: bitbang: Make chipselect callback optional")
+
+Signed-off-by: David Bauer <mail@david-bauer.net>
+Link: https://lore.kernel.org/r/20210303160837.165771-1-mail@david-bauer.net
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-ath79.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/spi/spi-ath79.c b/drivers/spi/spi-ath79.c
+index eb9a243e9526..436327fb58de 100644
+--- a/drivers/spi/spi-ath79.c
++++ b/drivers/spi/spi-ath79.c
+@@ -158,6 +158,7 @@ static int ath79_spi_probe(struct platform_device *pdev)
+       master->bits_per_word_mask = SPI_BPW_RANGE_MASK(1, 32);
+       master->setup = spi_bitbang_setup;
+       master->cleanup = spi_bitbang_cleanup;
++      master->flags = SPI_MASTER_GPIO_SS;
+       if (pdata) {
+               master->bus_num = pdata->bus_num;
+               master->num_chipselect = pdata->num_chipselect;
+-- 
+2.30.2
+
diff --git a/queue-5.4/spi-ath79-remove-spi-master-setup-and-cleanup-assign.patch b/queue-5.4/spi-ath79-remove-spi-master-setup-and-cleanup-assign.patch
new file mode 100644 (file)
index 0000000..74d6c4b
--- /dev/null
@@ -0,0 +1,41 @@
+From 35c4d593eebff43eb9eebb0a3fea7bdc4ee2802b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Mar 2021 17:08:37 +0100
+Subject: spi: ath79: remove spi-master setup and cleanup assignment
+
+From: David Bauer <mail@david-bauer.net>
+
+[ Upstream commit ffb597b2bd3cd78b9bfb68f536743cd46dbb2cc4 ]
+
+This removes the assignment of setup and cleanup functions for the ath79
+target. Assigning the setup-method will lead to 'setup_transfer' not
+being assigned in spi_bitbang_init. Because of this, performing any
+TX/RX operation will lead to a kernel oops.
+
+Also drop the redundant cleanup assignment, as it's also assigned in
+spi_bitbang_init.
+
+Signed-off-by: David Bauer <mail@david-bauer.net>
+Link: https://lore.kernel.org/r/20210303160837.165771-2-mail@david-bauer.net
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-ath79.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/spi/spi-ath79.c b/drivers/spi/spi-ath79.c
+index 436327fb58de..98ace748cd98 100644
+--- a/drivers/spi/spi-ath79.c
++++ b/drivers/spi/spi-ath79.c
+@@ -156,8 +156,6 @@ static int ath79_spi_probe(struct platform_device *pdev)
+       master->use_gpio_descriptors = true;
+       master->bits_per_word_mask = SPI_BPW_RANGE_MASK(1, 32);
+-      master->setup = spi_bitbang_setup;
+-      master->cleanup = spi_bitbang_cleanup;
+       master->flags = SPI_MASTER_GPIO_SS;
+       if (pdata) {
+               master->bus_num = pdata->bus_num;
+-- 
+2.30.2
+
diff --git a/queue-5.4/spi-dln2-fix-reference-leak-to-master.patch b/queue-5.4/spi-dln2-fix-reference-leak-to-master.patch
new file mode 100644 (file)
index 0000000..33d6242
--- /dev/null
@@ -0,0 +1,40 @@
+From d1ec6f1c99a7628d75a9ab1d8718889e40bf3ae1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Apr 2021 08:29:55 +0000
+Subject: spi: dln2: Fix reference leak to master
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit 9b844b087124c1538d05f40fda8a4fec75af55be ]
+
+Call spi_master_get() holds the reference count to master device, thus
+we need an additional spi_master_put() call to reduce the reference
+count, otherwise we will leak a reference to master.
+
+This commit fix it by removing the unnecessary spi_master_get().
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Link: https://lore.kernel.org/r/20210409082955.2907950-1-weiyongjun1@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-dln2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-dln2.c b/drivers/spi/spi-dln2.c
+index 75b33d7d14b0..9a4d942fafcf 100644
+--- a/drivers/spi/spi-dln2.c
++++ b/drivers/spi/spi-dln2.c
+@@ -780,7 +780,7 @@ exit_free_master:
+ static int dln2_spi_remove(struct platform_device *pdev)
+ {
+-      struct spi_master *master = spi_master_get(platform_get_drvdata(pdev));
++      struct spi_master *master = platform_get_drvdata(pdev);
+       struct dln2_spi *dln2 = spi_master_get_devdata(master);
+       pm_runtime_disable(&pdev->dev);
+-- 
+2.30.2
+
diff --git a/queue-5.4/spi-omap-100k-fix-reference-leak-to-master.patch b/queue-5.4/spi-omap-100k-fix-reference-leak-to-master.patch
new file mode 100644 (file)
index 0000000..f8130f6
--- /dev/null
@@ -0,0 +1,58 @@
+From 2a22b9a7f7d9f8e19427f92f56434b1fc03f7a1c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Apr 2021 08:29:54 +0000
+Subject: spi: omap-100k: Fix reference leak to master
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit a23faea76d4cf5f75decb574491e66f9ecd707e7 ]
+
+Call spi_master_get() holds the reference count to master device, thus
+we need an additional spi_master_put() call to reduce the reference
+count, otherwise we will leak a reference to master.
+
+This commit fix it by removing the unnecessary spi_master_get().
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Link: https://lore.kernel.org/r/20210409082954.2906933-1-weiyongjun1@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-omap-100k.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/spi/spi-omap-100k.c b/drivers/spi/spi-omap-100k.c
+index b955ca8796d2..b8e201c09484 100644
+--- a/drivers/spi/spi-omap-100k.c
++++ b/drivers/spi/spi-omap-100k.c
+@@ -426,7 +426,7 @@ err:
+ static int omap1_spi100k_remove(struct platform_device *pdev)
+ {
+-      struct spi_master *master = spi_master_get(platform_get_drvdata(pdev));
++      struct spi_master *master = platform_get_drvdata(pdev);
+       struct omap1_spi100k *spi100k = spi_master_get_devdata(master);
+       pm_runtime_disable(&pdev->dev);
+@@ -440,7 +440,7 @@ static int omap1_spi100k_remove(struct platform_device *pdev)
+ #ifdef CONFIG_PM
+ static int omap1_spi100k_runtime_suspend(struct device *dev)
+ {
+-      struct spi_master *master = spi_master_get(dev_get_drvdata(dev));
++      struct spi_master *master = dev_get_drvdata(dev);
+       struct omap1_spi100k *spi100k = spi_master_get_devdata(master);
+       clk_disable_unprepare(spi100k->ick);
+@@ -451,7 +451,7 @@ static int omap1_spi100k_runtime_suspend(struct device *dev)
+ static int omap1_spi100k_runtime_resume(struct device *dev)
+ {
+-      struct spi_master *master = spi_master_get(dev_get_drvdata(dev));
++      struct spi_master *master = dev_get_drvdata(dev);
+       struct omap1_spi100k *spi100k = spi_master_get_devdata(master);
+       int ret;
+-- 
+2.30.2
+
diff --git a/queue-5.4/spi-qup-fix-pm-reference-leak-in-spi_qup_remove.patch b/queue-5.4/spi-qup-fix-pm-reference-leak-in-spi_qup_remove.patch
new file mode 100644 (file)
index 0000000..6b9cdd4
--- /dev/null
@@ -0,0 +1,40 @@
+From df1027a2fbb3bf0f8de701ce0e183d0b6c559df4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Apr 2021 09:54:58 +0000
+Subject: spi: qup: fix PM reference leak in spi_qup_remove()
+
+From: Wang Li <wangli74@huawei.com>
+
+[ Upstream commit cec77e0a249892ceb10061bf17b63f9fb111d870 ]
+
+pm_runtime_get_sync will increment pm usage counter even it failed.
+Forgetting to putting operation will result in reference leak here.
+Fix it by replacing it with pm_runtime_resume_and_get to keep usage
+counter balanced.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wang Li <wangli74@huawei.com>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Link: https://lore.kernel.org/r/20210409095458.29921-1-wangli74@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-qup.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-qup.c b/drivers/spi/spi-qup.c
+index fa8079fbea77..d1dfb52008b4 100644
+--- a/drivers/spi/spi-qup.c
++++ b/drivers/spi/spi-qup.c
+@@ -1263,7 +1263,7 @@ static int spi_qup_remove(struct platform_device *pdev)
+       struct spi_qup *controller = spi_master_get_devdata(master);
+       int ret;
+-      ret = pm_runtime_get_sync(&pdev->dev);
++      ret = pm_runtime_resume_and_get(&pdev->dev);
+       if (ret < 0)
+               return ret;
+-- 
+2.30.2
+
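Review bot: In spi_qup_remove() the `if (ret < 0) return ret;` that follows the new `pm_runtime_resume_and_get()` call still leaves remove() early when the resume fails, so whatever teardown follows in the function is skipped for a device that is being unbound anyway. The swap keeps the usage counter balanced on that path, but the early return is worth revisiting; one option is to log the failure and carry on with the teardown steps that do not touch the hardware. The body of spi_qup_remove() starts and ends outside the hunk, so which steps are safe without a resumed device has to be checked against the full function.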
diff --git a/queue-5.4/staging-wimax-i2400m-fix-byte-order-issue.patch b/queue-5.4/staging-wimax-i2400m-fix-byte-order-issue.patch
new file mode 100644 (file)
index 0000000..a6e3af5
--- /dev/null
@@ -0,0 +1,36 @@
+From 47c80f3b577e224a2c4973ecf9d2a90c1ee08ca9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 21 Feb 2021 21:01:05 +0530
+Subject: staging: wimax/i2400m: fix byte-order issue
+
+From: karthik alapati <mail@karthek.com>
+
+[ Upstream commit 0c37baae130df39b19979bba88bde2ee70a33355 ]
+
+fix sparse byte-order warnings by converting host byte-order
+type to __le16 byte-order types before assigning to hdr.length
+
+Signed-off-by: karthik alapati <mail@karthek.com>
+Link: https://lore.kernel.org/r/0ae5c5c4c646506d8be871e7be5705542671a1d5.1613921277.git.mail@karthek.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wimax/i2400m/op-rfkill.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wimax/i2400m/op-rfkill.c b/drivers/net/wimax/i2400m/op-rfkill.c
+index 5c79f052cad2..34f81f16b5a0 100644
+--- a/drivers/net/wimax/i2400m/op-rfkill.c
++++ b/drivers/net/wimax/i2400m/op-rfkill.c
+@@ -86,7 +86,7 @@ int i2400m_op_rfkill_sw_toggle(struct wimax_dev *wimax_dev,
+       if (cmd == NULL)
+               goto error_alloc;
+       cmd->hdr.type = cpu_to_le16(I2400M_MT_CMD_RF_CONTROL);
+-      cmd->hdr.length = sizeof(cmd->sw_rf);
++      cmd->hdr.length = cpu_to_le16(sizeof(cmd->sw_rf));
+       cmd->hdr.version = cpu_to_le16(I2400M_L3L4_VERSION);
+       cmd->sw_rf.hdr.type = cpu_to_le16(I2400M_TLV_RF_OPERATION);
+       cmd->sw_rf.hdr.length = cpu_to_le16(sizeof(cmd->sw_rf.status));
+-- 
+2.30.2
+
diff --git a/queue-5.4/tee-optee-do-not-check-memref-size-on-return-from-se.patch b/queue-5.4/tee-optee-do-not-check-memref-size-on-return-from-se.patch
new file mode 100644 (file)
index 0000000..c4aae9c
--- /dev/null
@@ -0,0 +1,54 @@
+From d258ab1d57817b4304ed022534b58b3511b1634b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Mar 2021 11:40:37 +0100
+Subject: tee: optee: do not check memref size on return from Secure World
+
+From: Jerome Forissier <jerome@forissier.org>
+
+[ Upstream commit c650b8dc7a7910eb25af0aac1720f778b29e679d ]
+
+When Secure World returns, it may have changed the size attribute of the
+memory references passed as [in/out] parameters. The GlobalPlatform TEE
+Internal Core API specification does not restrict the values that this
+size can take. In particular, Secure World may increase the value to be
+larger than the size of the input buffer to indicate that it needs more.
+
+Therefore, the size check in optee_from_msg_param() is incorrect and
+needs to be removed. This fixes a number of failed test cases in the
+GlobalPlatform TEE Initial Configuratiom Test Suite v2_0_0_0-2017_06_09
+when OP-TEE is compiled without dynamic shared memory support
+(CFG_CORE_DYN_SHM=n).
+
+Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
+Suggested-by: Jens Wiklander <jens.wiklander@linaro.org>
+Signed-off-by: Jerome Forissier <jerome@forissier.org>
+Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tee/optee/core.c | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+diff --git a/drivers/tee/optee/core.c b/drivers/tee/optee/core.c
+index b830e0a87fba..ba6cfba589a6 100644
+--- a/drivers/tee/optee/core.c
++++ b/drivers/tee/optee/core.c
+@@ -78,16 +78,6 @@ int optee_from_msg_param(struct tee_param *params, size_t num_params,
+                               return rc;
+                       p->u.memref.shm_offs = mp->u.tmem.buf_ptr - pa;
+                       p->u.memref.shm = shm;
+-
+-                      /* Check that the memref is covered by the shm object */
+-                      if (p->u.memref.size) {
+-                              size_t o = p->u.memref.shm_offs +
+-                                         p->u.memref.size - 1;
+-
+-                              rc = tee_shm_get_pa(shm, o, NULL);
+-                              if (rc)
+-                                      return rc;
+-                      }
+                       break;
+               case OPTEE_MSG_ATTR_TYPE_RMEM_INPUT:
+               case OPTEE_MSG_ATTR_TYPE_RMEM_OUTPUT:
+-- 
+2.30.2
+
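Review bot: With the removed block gone from the TMEM branch of optee_from_msg_param(), `p->u.memref.size` is no longer checked against the shm object, so after this call it is a value chosen by Secure World and, as the commit message says, may exceed the buffer. Nothing at the removal site records that, and a later reader could take the size for a validated bound. I would add a comment above the `break;`, for example `/* size is set by Secure World and may exceed the shm; do not use it as a length without clamping */`, and check that the consumers of this field (not visible in the hunk) already behave that way. The function starts and ends outside the hunk.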
diff --git a/queue-5.4/tty-n_gsm-check-error-while-registering-tty-devices.patch b/queue-5.4/tty-n_gsm-check-error-while-registering-tty-devices.patch
new file mode 100644 (file)
index 0000000..9b21710
--- /dev/null
@@ -0,0 +1,101 @@
+From 122b264d557225c0be7c2192a8c5515eb8dc1f73 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Apr 2021 11:57:58 +0800
+Subject: tty: n_gsm: check error while registering tty devices
+
+From: Hillf Danton <hdanton@sina.com>
+
+[ Upstream commit 0a360e8b65d62fe1a994f0a8da4f8d20877b2100 ]
+
+Add the error path for registering tty devices and roll back in case of error
+in bid to avoid the UAF like the below one reported.
+
+Plus syzbot reported general protection fault in cdev_del() on Sep 24, 2020
+and both cases are down to the kobject_put() in tty_cdev_add().
+
+ ------------[ cut here ]------------
+ refcount_t: underflow; use-after-free.
+ WARNING: CPU: 1 PID: 8923 at lib/refcount.c:28
+ refcount_warn_saturate+0x1cf/0x210 -origin/lib/refcount.c:28
+ Modules linked in:
+ CPU: 1 PID: 8923 Comm: executor Not tainted 5.12.0-rc5+ #8
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+ 1.13.0-1ubuntu1.1 04/01/2014
+ RIP: 0010:refcount_warn_saturate+0x1cf/0x210 -origin/lib/refcount.c:28
+ Code: 4f ff ff ff e8 32 fa b5 fe 48 c7 c7 3d f8 f6 86 e8 d6 ab c6 fe
+ c6 05 7c 34 67 04 01 48 c7 c7 68 f8 6d 86 31 c0 e8 81 2e 9d fe <0f> 0b
+ e9 22 ff ff ff e8 05 fa b5 fe 48 c7 c7 3e f8 f6 86 e8 a9 ab
+ RSP: 0018:ffffc90001633c60 EFLAGS: 00010246
+ RAX: 15d08b2e34b77800 RBX: 0000000000000003 RCX: ffff88804c056c80
+ RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
+ RBP: 0000000000000003 R08: ffffffff813767aa R09: 0001ffffffffffff
+ R10: 0001ffffffffffff R11: ffff88804c056c80 R12: ffff888040b7d000
+ R13: ffff88804c206938 R14: ffff88804c206900 R15: ffff888041b18488
+ FS:  00000000022c9940(0000) GS:ffff88807ec00000(0000) knlGS:0000000000000000
+ CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007f9f9b122008 CR3: 0000000044b4b000 CR4: 0000000000750ee0
+ PKRU: 55555554
+ Call Trace:
+  __refcount_sub_and_test -origin/./include/linux/refcount.h:283 [inline]
+  __refcount_dec_and_test -origin/./include/linux/refcount.h:315 [inline]
+  refcount_dec_and_test -origin/./include/linux/refcount.h:333 [inline]
+  kref_put -origin/./include/linux/kref.h:64 [inline]
+  kobject_put+0x17b/0x180 -origin/lib/kobject.c:753
+  cdev_del+0x4b/0x50 -origin/fs/char_dev.c:597
+  tty_unregister_device+0x99/0xd0 -origin/drivers/tty/tty_io.c:3343
+  gsmld_detach_gsm -origin/drivers/tty/n_gsm.c:2409 [inline]
+  gsmld_close+0x6c/0x140 -origin/drivers/tty/n_gsm.c:2478
+  tty_ldisc_close -origin/drivers/tty/tty_ldisc.c:488 [inline]
+  tty_ldisc_kill -origin/drivers/tty/tty_ldisc.c:636 [inline]
+  tty_ldisc_release+0x1b6/0x400 -origin/drivers/tty/tty_ldisc.c:809
+  tty_release_struct+0x19/0xb0 -origin/drivers/tty/tty_io.c:1714
+  tty_release+0x9ad/0xa00 -origin/drivers/tty/tty_io.c:1885
+  __fput+0x260/0x4e0 -origin/fs/file_table.c:280
+  ____fput+0x11/0x20 -origin/fs/file_table.c:313
+  task_work_run+0x8e/0x110 -origin/kernel/task_work.c:140
+  tracehook_notify_resume -origin/./include/linux/tracehook.h:189 [inline]
+  exit_to_user_mode_loop -origin/kernel/entry/common.c:174 [inline]
+  exit_to_user_mode_prepare+0x16b/0x1a0 -origin/kernel/entry/common.c:208
+  __syscall_exit_to_user_mode_work -origin/kernel/entry/common.c:290 [inline]
+  syscall_exit_to_user_mode+0x20/0x40 -origin/kernel/entry/common.c:301
+  do_syscall_64+0x45/0x80 -origin/arch/x86/entry/common.c:56
+  entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Reported-by: syzbot+c49fe6089f295a05e6f8@syzkaller.appspotmail.com
+Reported-and-tested-by: Hao Sun <sunhao.th@gmail.com>
+Signed-off-by: Hillf Danton <hdanton@sina.com>
+Link: https://lore.kernel.org/r/20210412035758.1974-1-hdanton@sina.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/n_gsm.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c
+index 75408b9f232d..38eb49ba361f 100644
+--- a/drivers/tty/n_gsm.c
++++ b/drivers/tty/n_gsm.c
+@@ -2377,8 +2377,18 @@ static int gsmld_attach_gsm(struct tty_struct *tty, struct gsm_mux *gsm)
+               /* Don't register device 0 - this is the control channel and not
+                  a usable tty interface */
+               base = mux_num_to_base(gsm); /* Base for this MUX */
+-              for (i = 1; i < NUM_DLCI; i++)
+-                      tty_register_device(gsm_tty_driver, base + i, NULL);
++              for (i = 1; i < NUM_DLCI; i++) {
++                      struct device *dev;
++
++                      dev = tty_register_device(gsm_tty_driver,
++                                                      base + i, NULL);
++                      if (IS_ERR(dev)) {
++                              for (i--; i >= 1; i--)
++                                      tty_unregister_device(gsm_tty_driver,
++                                                              base + i);
++                              return PTR_ERR(dev);
++                      }
++              }
+       }
+       return ret;
+ }
+-- 
+2.30.2
+
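Review bot: The new `return PTR_ERR(dev);` in gsmld_attach_gsm() unregisters the tty devices the loop had already registered, but returns without undoing anything done earlier in the function. The loop sits inside a branch that appears to run only after an earlier step succeeded (the start of the function is outside the hunk), so any reference or activation taken there would stay in place on this path; that should be confirmed against the full function and released here if so. Separately, the rollback reuses the outer loop counter `i`, which is correct only because of the immediate return; a second index or a `goto` unwind label would be less fragile.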
diff --git a/queue-5.4/usb-core-hub-fix-pm-reference-leak-in-usb_port_resum.patch b/queue-5.4/usb-core-hub-fix-pm-reference-leak-in-usb_port_resum.patch
new file mode 100644 (file)
index 0000000..b8b6037
--- /dev/null
@@ -0,0 +1,39 @@
+From e95cf0cd9bf6db85a83e36153be0f2198258d857 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Apr 2021 21:08:31 +0800
+Subject: usb: core: hub: Fix PM reference leak in usb_port_resume()
+
+From: Bixuan Cui <cuibixuan@huawei.com>
+
+[ Upstream commit 025f97d188006eeee4417bb475a6878d1e0eed3f ]
+
+pm_runtime_get_sync will increment pm usage counter even it failed.
+thus a pairing decrement is needed.
+Fix it by replacing it with pm_runtime_resume_and_get to keep usage
+counter balanced.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Bixuan Cui <cuibixuan@huawei.com>
+Link: https://lore.kernel.org/r/20210408130831.56239-1-cuibixuan@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/core/hub.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index 4d3de33885ff..cd61860cada5 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -3537,7 +3537,7 @@ int usb_port_resume(struct usb_device *udev, pm_message_t msg)
+       u16             portchange, portstatus;
+       if (!test_and_set_bit(port1, hub->child_usage_bits)) {
+-              status = pm_runtime_get_sync(&port_dev->dev);
++              status = pm_runtime_resume_and_get(&port_dev->dev);
+               if (status < 0) {
+                       dev_dbg(&udev->dev, "can't resume usb port, status %d\n",
+                                       status);
+-- 
+2.30.2
+
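Review bot: In usb_port_resume() the bit in `hub->child_usage_bits` is set by `test_and_set_bit()` before the new `pm_runtime_resume_and_get()` call, and that helper drops the usage count itself when the resume fails. If the failure branch leaves the bit set (its body continues outside the hunk), a later path that clears the bit and puts the reference would decrement the counter a second time, so the change could trade a leak for an underflow. Either clear the bit on failure, e.g. `clear_bit(port1, hub->child_usage_bits);` inside the `if (status < 0)` block, or keep `pm_runtime_get_sync()` if the bit is meant to track a held reference.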
diff --git a/queue-5.4/usb-dwc3-gadget-ignore-ep-queue-requests-during-bus-.patch b/queue-5.4/usb-dwc3-gadget-ignore-ep-queue-requests-during-bus-.patch
new file mode 100644 (file)
index 0000000..7985875
--- /dev/null
@@ -0,0 +1,48 @@
+From b4bfe41929d063947b0bc5268e08714be4dcb54d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Mar 2021 02:31:25 -0700
+Subject: usb: dwc3: gadget: Ignore EP queue requests during bus reset
+
+From: Wesley Cheng <wcheng@codeaurora.org>
+
+[ Upstream commit 71ca43f30df9c642970f9dc9b2d6f463f4967e7b ]
+
+The current dwc3_gadget_reset_interrupt() will stop any active
+transfers, but only addresses blocking of EP queuing for while we are
+coming from a disconnected scenario, i.e. after receiving the disconnect
+event.  If the host decides to issue a bus reset on the device, the
+connected parameter will still be set to true, allowing for EP queuing
+to continue while we are disabling the functions.  To avoid this, set the
+connected flag to false until the stop active transfers is complete.
+
+Signed-off-by: Wesley Cheng <wcheng@codeaurora.org>
+Link: https://lore.kernel.org/r/1616146285-19149-3-git-send-email-wcheng@codeaurora.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc3/gadget.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
+index 904b0043011c..aa520c343367 100644
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -2986,6 +2986,15 @@ static void dwc3_gadget_reset_interrupt(struct dwc3 *dwc)
+       dwc->connected = true;
++      /*
++       * Ideally, dwc3_reset_gadget() would trigger the function
++       * drivers to stop any active transfers through ep disable.
++       * However, for functions which defer ep disable, such as mass
++       * storage, we will need to rely on the call to stop active
++       * transfers here, and avoid allowing of request queuing.
++       */
++      dwc->connected = false;
++
+       /*
+        * WORKAROUND: DWC3 revisions <1.88a have an issue which
+        * would cause a missing Disconnect Event if there's a
+-- 
+2.30.2
+
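Review bot: In this 5.4 backport the added `dwc->connected = false;` lands directly after the context line `dwc->connected = true;` in dwc3_gadget_reset_interrupt(), so the first store is dead and the flag stays false for the rest of the handler unless something later sets it again. The commit message says the flag should be false only until stopping the active transfers is complete, which implies a matching `dwc->connected = true;` after that step; no such line is part of this hunk. Please confirm that the 5.4 tree restores the flag further down (the function continues outside the hunk) and drop the now-redundant assignment at the top, otherwise endpoint queuing could stay blocked after a bus reset.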
diff --git a/queue-5.4/usb-gadget-f_uac1-validate-input-parameters.patch b/queue-5.4/usb-gadget-f_uac1-validate-input-parameters.patch
new file mode 100644 (file)
index 0000000..d6a40be
--- /dev/null
@@ -0,0 +1,113 @@
+From 702436979c787473285586588514dd67d45f987f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Mar 2021 13:49:34 +0200
+Subject: usb: gadget: f_uac1: validate input parameters
+
+From: Ruslan Bilovol <ruslan.bilovol@gmail.com>
+
+[ Upstream commit a59c68a6a3d1b18e2494f526eb19893a34fa6ec6 ]
+
+Currently user can configure UAC1 function with
+parameters that violate UAC1 spec or are not supported
+by UAC1 gadget implementation.
+
+This can lead to incorrect behavior if such gadget
+is connected to the host - like enumeration failure
+or other issues depending on host's UAC1 driver
+implementation, bringing user to a long hours
+of debugging the issue.
+
+Instead of silently accept these parameters, throw
+an error if they are not valid.
+
+Signed-off-by: Ruslan Bilovol <ruslan.bilovol@gmail.com>
+Link: https://lore.kernel.org/r/1614599375-8803-5-git-send-email-ruslan.bilovol@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_uac1.c | 43 ++++++++++++++++++++++++++++
+ 1 file changed, 43 insertions(+)
+
+diff --git a/drivers/usb/gadget/function/f_uac1.c b/drivers/usb/gadget/function/f_uac1.c
+index 560382e0a8f3..e65f474ad7b3 100644
+--- a/drivers/usb/gadget/function/f_uac1.c
++++ b/drivers/usb/gadget/function/f_uac1.c
+@@ -19,6 +19,9 @@
+ #include "u_audio.h"
+ #include "u_uac1.h"
++/* UAC1 spec: 3.7.2.3 Audio Channel Cluster Format */
++#define UAC1_CHANNEL_MASK 0x0FFF
++
+ struct f_uac1 {
+       struct g_audio g_audio;
+       u8 ac_intf, as_in_intf, as_out_intf;
+@@ -30,6 +33,11 @@ static inline struct f_uac1 *func_to_uac1(struct usb_function *f)
+       return container_of(f, struct f_uac1, g_audio.func);
+ }
++static inline struct f_uac1_opts *g_audio_to_uac1_opts(struct g_audio *audio)
++{
++      return container_of(audio->func.fi, struct f_uac1_opts, func_inst);
++}
++
+ /*
+  * DESCRIPTORS ... most are static, but strings and full
+  * configuration descriptors are built on demand.
+@@ -505,11 +513,42 @@ static void f_audio_disable(struct usb_function *f)
+ /*-------------------------------------------------------------------------*/
++static int f_audio_validate_opts(struct g_audio *audio, struct device *dev)
++{
++      struct f_uac1_opts *opts = g_audio_to_uac1_opts(audio);
++
++      if (!opts->p_chmask && !opts->c_chmask) {
++              dev_err(dev, "Error: no playback and capture channels\n");
++              return -EINVAL;
++      } else if (opts->p_chmask & ~UAC1_CHANNEL_MASK) {
++              dev_err(dev, "Error: unsupported playback channels mask\n");
++              return -EINVAL;
++      } else if (opts->c_chmask & ~UAC1_CHANNEL_MASK) {
++              dev_err(dev, "Error: unsupported capture channels mask\n");
++              return -EINVAL;
++      } else if ((opts->p_ssize < 1) || (opts->p_ssize > 4)) {
++              dev_err(dev, "Error: incorrect playback sample size\n");
++              return -EINVAL;
++      } else if ((opts->c_ssize < 1) || (opts->c_ssize > 4)) {
++              dev_err(dev, "Error: incorrect capture sample size\n");
++              return -EINVAL;
++      } else if (!opts->p_srate) {
++              dev_err(dev, "Error: incorrect playback sampling rate\n");
++              return -EINVAL;
++      } else if (!opts->c_srate) {
++              dev_err(dev, "Error: incorrect capture sampling rate\n");
++              return -EINVAL;
++      }
++
++      return 0;
++}
++
+ /* audio function driver setup/binding */
+ static int f_audio_bind(struct usb_configuration *c, struct usb_function *f)
+ {
+       struct usb_composite_dev        *cdev = c->cdev;
+       struct usb_gadget               *gadget = cdev->gadget;
++      struct device                   *dev = &gadget->dev;
+       struct f_uac1                   *uac1 = func_to_uac1(f);
+       struct g_audio                  *audio = func_to_g_audio(f);
+       struct f_uac1_opts              *audio_opts;
+@@ -519,6 +558,10 @@ static int f_audio_bind(struct usb_configuration *c, struct usb_function *f)
+       int                             rate;
+       int                             status;
++      status = f_audio_validate_opts(audio, dev);
++      if (status)
++              return status;
++
+       audio_opts = container_of(f->fi, struct f_uac1_opts, func_inst);
+       us = usb_gstrings_attach(cdev, uac1_strings, ARRAY_SIZE(strings_uac1));
+-- 
+2.30.2
+
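Review bot: f_audio_validate_opts() checks the sample size and sampling rate of both directions unconditionally, although its first test accepts a configuration where only one of `p_chmask` / `c_chmask` is non-zero. If a zero mask means the direction is unused (the code that consumes these options is outside the hunk), a playback-only setup with `c_srate` left at 0 is now rejected at bind time; guarding the per-direction checks, e.g. `} else if (opts->c_chmask && !opts->c_srate) {`, would avoid that. The same applies to afunc_validate_opts() in the f_uac2 patch that follows. The sample-size limits `1` and `4` would also read better as named constants, or with a short comment stating their unit.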
diff --git a/queue-5.4/usb-gadget-f_uac2-validate-input-parameters.patch b/queue-5.4/usb-gadget-f_uac2-validate-input-parameters.patch
new file mode 100644 (file)
index 0000000..7c8fa1e
--- /dev/null
@@ -0,0 +1,100 @@
+From 7bfa9df46acfc22c17e22bf935ad9c7d0d5f9354 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Mar 2021 13:49:33 +0200
+Subject: usb: gadget: f_uac2: validate input parameters
+
+From: Ruslan Bilovol <ruslan.bilovol@gmail.com>
+
+[ Upstream commit 3713d5ceb04d5ab6a5e2b86dfca49170053f3a5e ]
+
+Currently user can configure UAC2 function with
+parameters that violate UAC2 spec or are not supported
+by UAC2 gadget implementation.
+
+This can lead to incorrect behavior if such gadget
+is connected to the host - like enumeration failure
+or other issues depending on host's UAC2 driver
+implementation, bringing user to a long hours
+of debugging the issue.
+
+Instead of silently accept these parameters, throw
+an error if they are not valid.
+
+Signed-off-by: Ruslan Bilovol <ruslan.bilovol@gmail.com>
+Link: https://lore.kernel.org/r/1614599375-8803-4-git-send-email-ruslan.bilovol@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_uac2.c | 39 ++++++++++++++++++++++++++--
+ 1 file changed, 37 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/gadget/function/f_uac2.c b/drivers/usb/gadget/function/f_uac2.c
+index 6f03e944e0e3..dd960cea642f 100644
+--- a/drivers/usb/gadget/function/f_uac2.c
++++ b/drivers/usb/gadget/function/f_uac2.c
+@@ -14,6 +14,9 @@
+ #include "u_audio.h"
+ #include "u_uac2.h"
++/* UAC2 spec: 4.1 Audio Channel Cluster Descriptor */
++#define UAC2_CHANNEL_MASK 0x07FFFFFF
++
+ /*
+  * The driver implements a simple UAC_2 topology.
+  * USB-OUT -> IT_1 -> OT_3 -> ALSA_Capture
+@@ -604,6 +607,36 @@ static void setup_descriptor(struct f_uac2_opts *opts)
+       hs_audio_desc[i] = NULL;
+ }
++static int afunc_validate_opts(struct g_audio *agdev, struct device *dev)
++{
++      struct f_uac2_opts *opts = g_audio_to_uac2_opts(agdev);
++
++      if (!opts->p_chmask && !opts->c_chmask) {
++              dev_err(dev, "Error: no playback and capture channels\n");
++              return -EINVAL;
++      } else if (opts->p_chmask & ~UAC2_CHANNEL_MASK) {
++              dev_err(dev, "Error: unsupported playback channels mask\n");
++              return -EINVAL;
++      } else if (opts->c_chmask & ~UAC2_CHANNEL_MASK) {
++              dev_err(dev, "Error: unsupported capture channels mask\n");
++              return -EINVAL;
++      } else if ((opts->p_ssize < 1) || (opts->p_ssize > 4)) {
++              dev_err(dev, "Error: incorrect playback sample size\n");
++              return -EINVAL;
++      } else if ((opts->c_ssize < 1) || (opts->c_ssize > 4)) {
++              dev_err(dev, "Error: incorrect capture sample size\n");
++              return -EINVAL;
++      } else if (!opts->p_srate) {
++              dev_err(dev, "Error: incorrect playback sampling rate\n");
++              return -EINVAL;
++      } else if (!opts->c_srate) {
++              dev_err(dev, "Error: incorrect capture sampling rate\n");
++              return -EINVAL;
++      }
++
++      return 0;
++}
++
+ static int
+ afunc_bind(struct usb_configuration *cfg, struct usb_function *fn)
+ {
+@@ -612,11 +645,13 @@ afunc_bind(struct usb_configuration *cfg, struct usb_function *fn)
+       struct usb_composite_dev *cdev = cfg->cdev;
+       struct usb_gadget *gadget = cdev->gadget;
+       struct device *dev = &gadget->dev;
+-      struct f_uac2_opts *uac2_opts;
++      struct f_uac2_opts *uac2_opts = g_audio_to_uac2_opts(agdev);
+       struct usb_string *us;
+       int ret;
+-      uac2_opts = container_of(fn->fi, struct f_uac2_opts, func_inst);
++      ret = afunc_validate_opts(agdev, dev);
++      if (ret)
++              return ret;
+       us = usb_gstrings_attach(cdev, fn_strings, ARRAY_SIZE(strings_fn));
+       if (IS_ERR(us))
+-- 
+2.30.2
+
diff --git a/queue-5.4/usb-gadget-uvc-add-binterval-checking-for-hs-mode.patch b/queue-5.4/usb-gadget-uvc-add-binterval-checking-for-hs-mode.patch
new file mode 100644 (file)
index 0000000..c7f2f88
--- /dev/null
@@ -0,0 +1,52 @@
+From 49794ca9080606570c60222441cedbef1346028c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Mar 2021 13:53:38 +0100
+Subject: usb: gadget: uvc: add bInterval checking for HS mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pawel Laszczak <pawell@cadence.com>
+
+[ Upstream commit 26adde04acdff14a1f28d4a5dce46a8513a3038b ]
+
+Patch adds extra checking for bInterval passed by configfs.
+The 5.6.4 chapter of USB Specification (rev. 2.0) say:
+"A high-bandwidth endpoint must specify a period of 1x125 µs
+(i.e., a bInterval value of 1)."
+
+The issue was observed during testing UVC class on CV.
+I treat this change as improvement because we can control
+bInterval by configfs.
+
+Reviewed-by: Peter Chen <peter.chen@kernel.org>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Pawel Laszczak <pawell@cadence.com>
+Link: https://lore.kernel.org/r/20210308125338.4824-1-pawell@gli-login.cadence.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_uvc.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/function/f_uvc.c b/drivers/usb/gadget/function/f_uvc.c
+index fb0a892687c0..79ecdbb936c1 100644
+--- a/drivers/usb/gadget/function/f_uvc.c
++++ b/drivers/usb/gadget/function/f_uvc.c
+@@ -633,7 +633,12 @@ uvc_function_bind(struct usb_configuration *c, struct usb_function *f)
+       uvc_hs_streaming_ep.wMaxPacketSize =
+               cpu_to_le16(max_packet_size | ((max_packet_mult - 1) << 11));
+-      uvc_hs_streaming_ep.bInterval = opts->streaming_interval;
++
++      /* A high-bandwidth endpoint must specify a bInterval value of 1 */
++      if (max_packet_mult > 1)
++              uvc_hs_streaming_ep.bInterval = 1;
++      else
++              uvc_hs_streaming_ep.bInterval = opts->streaming_interval;
+       uvc_ss_streaming_ep.wMaxPacketSize = cpu_to_le16(max_packet_size);
+       uvc_ss_streaming_ep.bInterval = opts->streaming_interval;
+-- 
+2.30.2
+
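Review bot: The `max_packet_mult > 1` branch in uvc_function_bind() overrides the configfs `streaming_interval` without telling the user, so a gadget configured with another interval silently advertises bInterval 1 on the high-speed endpoint. The comment could say so, e.g. `/* High-bandwidth HS endpoints must use bInterval 1 (USB 2.0, 5.6.4); this overrides streaming_interval */`, and a one-line informational log when the two values differ would make the override visible. The super-speed endpoint two lines below still takes `opts->streaming_interval` unchanged, which looks intended but is worth confirming. uvc_function_bind() starts and ends outside the hunk.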
diff --git a/queue-5.4/usb-musb-fix-pm-reference-leak-in-musb_irq_work.patch b/queue-5.4/usb-musb-fix-pm-reference-leak-in-musb_irq_work.patch
new file mode 100644 (file)
index 0000000..6a48fe3
--- /dev/null
@@ -0,0 +1,39 @@
+From 9157c15ee6dd580c99d37d20d75e8924a6811668 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Apr 2021 17:18:36 +0800
+Subject: usb: musb: fix PM reference leak in musb_irq_work()
+
+From: Bixuan Cui <cuibixuan@huawei.com>
+
+[ Upstream commit 9535b99533904e9bc1607575aa8e9539a55435d7 ]
+
+pm_runtime_get_sync will increment pm usage counter even it failed.
+thus a pairing decrement is needed.
+Fix it by replacing it with pm_runtime_resume_and_get to keep usage
+counter balanced.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Bixuan Cui <cuibixuan@huawei.com>
+Link: https://lore.kernel.org/r/20210408091836.55227-1-cuibixuan@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/musb/musb_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/musb/musb_core.c b/drivers/usb/musb/musb_core.c
+index 166f68f639c2..70ef603f7bb9 100644
+--- a/drivers/usb/musb/musb_core.c
++++ b/drivers/usb/musb/musb_core.c
+@@ -1932,7 +1932,7 @@ static void musb_irq_work(struct work_struct *data)
+       struct musb *musb = container_of(data, struct musb, irq_work.work);
+       int error;
+-      error = pm_runtime_get_sync(musb->controller);
++      error = pm_runtime_resume_and_get(musb->controller);
+       if (error < 0) {
+               dev_err(musb->controller, "Could not enable: %i\n", error);
+-- 
+2.30.2
+
diff --git a/queue-5.4/usb-webcam-invalid-size-of-processing-unit-descripto.patch b/queue-5.4/usb-webcam-invalid-size-of-processing-unit-descripto.patch
new file mode 100644 (file)
index 0000000..6aba400
--- /dev/null
@@ -0,0 +1,75 @@
+From f8b49faab1707bdcf394aadc771c0476ab83cb2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Mar 2021 08:17:48 +0100
+Subject: usb: webcam: Invalid size of Processing Unit Descriptor
+
+From: Pawel Laszczak <pawell@cadence.com>
+
+[ Upstream commit 6a154ec9ef6762c774cd2b50215c7a8f0f08a862 ]
+
+According with USB Device Class Definition for Video Device the
+Processing Unit Descriptor bLength should be 12 (10 + bmControlSize),
+but it has 11.
+
+Invalid length caused that Processing Unit Descriptor Test Video form
+CV tool failed. To fix this issue patch adds bmVideoStandards into
+uvc_processing_unit_descriptor structure.
+
+The bmVideoStandards field was added in UVC 1.1 and it wasn't part of
+UVC 1.0a.
+
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Pawel Laszczak <pawell@cadence.com>
+Reviewed-by: Peter Chen <peter.chen@kernel.org>
+Link: https://lore.kernel.org/r/20210315071748.29706-1-pawell@gli-login.cadence.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_uvc.c | 1 +
+ drivers/usb/gadget/legacy/webcam.c  | 1 +
+ include/uapi/linux/usb/video.h      | 3 ++-
+ 3 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/function/f_uvc.c b/drivers/usb/gadget/function/f_uvc.c
+index 79ecdbb936c1..c03b67aab1a8 100644
+--- a/drivers/usb/gadget/function/f_uvc.c
++++ b/drivers/usb/gadget/function/f_uvc.c
+@@ -822,6 +822,7 @@ static struct usb_function_instance *uvc_alloc_inst(void)
+       pd->bmControls[0]               = 1;
+       pd->bmControls[1]               = 0;
+       pd->iProcessing                 = 0;
++      pd->bmVideoStandards            = 0;
+       od = &opts->uvc_output_terminal;
+       od->bLength                     = UVC_DT_OUTPUT_TERMINAL_SIZE;
+diff --git a/drivers/usb/gadget/legacy/webcam.c b/drivers/usb/gadget/legacy/webcam.c
+index a9f8eb8e1c76..2c9eab2b863d 100644
+--- a/drivers/usb/gadget/legacy/webcam.c
++++ b/drivers/usb/gadget/legacy/webcam.c
+@@ -125,6 +125,7 @@ static const struct uvc_processing_unit_descriptor uvc_processing = {
+       .bmControls[0]          = 1,
+       .bmControls[1]          = 0,
+       .iProcessing            = 0,
++      .bmVideoStandards       = 0,
+ };
+ static const struct uvc_output_terminal_descriptor uvc_output_terminal = {
+diff --git a/include/uapi/linux/usb/video.h b/include/uapi/linux/usb/video.h
+index d854cb19c42c..bfdae12cdacf 100644
+--- a/include/uapi/linux/usb/video.h
++++ b/include/uapi/linux/usb/video.h
+@@ -302,9 +302,10 @@ struct uvc_processing_unit_descriptor {
+       __u8   bControlSize;
+       __u8   bmControls[2];
+       __u8   iProcessing;
++      __u8   bmVideoStandards;
+ } __attribute__((__packed__));
+-#define UVC_DT_PROCESSING_UNIT_SIZE(n)                        (9+(n))
++#define UVC_DT_PROCESSING_UNIT_SIZE(n)                        (10+(n))
+ /* 3.7.2.6. Extension Unit Descriptor */
+ struct uvc_extension_unit_descriptor {
+-- 
+2.30.2
+
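Review bot: Adding `bmVideoStandards` to the packed `struct uvc_processing_unit_descriptor` and changing `UVC_DT_PROCESSING_UNIT_SIZE(n)` from `9+(n)` to `10+(n)` alters a UAPI header, so any code built against include/uapi/linux/usb/video.h that uses the struct size or the macro to build or length-check a descriptor now sees a different value. The commit message notes that the field exists only from UVC 1.1, but nothing in the header records that. A comment on the field, such as `__u8 bmVideoStandards; /* UVC 1.1 and later; not part of 1.0a */`, would stop parsers of 1.0a descriptors from assuming the byte is present. Whether other in-tree users rely on the old macro value cannot be told from the hunks shown.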
diff --git a/queue-5.4/usb-xhci-fix-port-minor-revision.patch b/queue-5.4/usb-xhci-fix-port-minor-revision.patch
new file mode 100644 (file)
index 0000000..221c638
--- /dev/null
@@ -0,0 +1,51 @@
+From 6b60fa57e4673103d3af81a52bc45ec458695915 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Mar 2021 19:43:21 -0800
+Subject: usb: xhci: Fix port minor revision
+
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+
+[ Upstream commit 64364bc912c01b33bba6c22e3ccb849bfca96398 ]
+
+Some hosts incorrectly use sub-minor version for minor version (i.e.
+0x02 instead of 0x20 for bcdUSB 0x320 and 0x01 for bcdUSB 0x310).
+Currently the xHCI driver works around this by just checking for minor
+revision > 0x01 for USB 3.1 everywhere. With the addition of USB 3.2,
+checking this gets a bit cumbersome. Since there is no USB release with
+bcdUSB 0x301 to 0x309, we can assume that sub-minor version 01 to 09 is
+incorrect. Let's try to fix this and use the minor revision that matches
+with the USB/xHCI spec to help with the version checking within the
+driver.
+
+Acked-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Link: https://lore.kernel.org/r/ed330e95a19dc367819c5b4d78bf7a541c35aa0a.1615432770.git.Thinh.Nguyen@synopsys.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci-mem.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
+index 9764122c9cdf..7f9f302a73cd 100644
+--- a/drivers/usb/host/xhci-mem.c
++++ b/drivers/usb/host/xhci-mem.c
+@@ -2134,6 +2134,15 @@ static void xhci_add_in_port(struct xhci_hcd *xhci, unsigned int num_ports,
+       if (major_revision == 0x03) {
+               rhub = &xhci->usb3_rhub;
++              /*
++               * Some hosts incorrectly use sub-minor version for minor
++               * version (i.e. 0x02 instead of 0x20 for bcdUSB 0x320 and 0x01
++               * for bcdUSB 0x310). Since there is no USB release with sub
++               * minor version 0x301 to 0x309, we can assume that they are
++               * incorrect and fix it here.
++               */
++              if (minor_revision > 0x00 && minor_revision < 0x10)
++                      minor_revision <<= 4;
+       } else if (major_revision <= 0x02) {
+               rhub = &xhci->usb2_rhub;
+       } else {
+-- 
+2.30.2
+
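Review bot: The comment added in xhci_add_in_port() says the values assumed wrong are sub-minor 0x301 to 0x309, but the condition `minor_revision > 0x00 && minor_revision < 0x10` also rewrites 0x0a through 0x0f. The value is reported by the host controller, so the accepted range should be stated exactly. If only 01 to 09 is meant, the test could be `minor_revision < 0x0a`; otherwise the comment should name the full 0x01 to 0x0f range. The function body continues outside the hunk.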
diff --git a/queue-5.4/usb-xhci-mtk-support-quirk-to-disable-usb2-lpm.patch b/queue-5.4/usb-xhci-mtk-support-quirk-to-disable-usb2-lpm.patch
new file mode 100644 (file)
index 0000000..5edfde9
--- /dev/null
@@ -0,0 +1,58 @@
+From a872a2d19656531aa8236d9adbbe5e46499bc9c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Mar 2021 17:05:53 +0800
+Subject: usb: xhci-mtk: support quirk to disable usb2 lpm
+
+From: Chunfeng Yun <chunfeng.yun@mediatek.com>
+
+[ Upstream commit bee1f89aad2a51cd3339571bc8eadbb0dc88a683 ]
+
+The xHCI driver support usb2 HW LPM by default, here add support
+XHCI_HW_LPM_DISABLE quirk, then we can disable usb2 lpm when
+need it.
+
+Signed-off-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
+Link: https://lore.kernel.org/r/1617181553-3503-4-git-send-email-chunfeng.yun@mediatek.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci-mtk.c | 3 +++
+ drivers/usb/host/xhci-mtk.h | 1 +
+ 2 files changed, 4 insertions(+)
+
+diff --git a/drivers/usb/host/xhci-mtk.c b/drivers/usb/host/xhci-mtk.c
+index 5fc3ea6d46c5..5c0eb35cd007 100644
+--- a/drivers/usb/host/xhci-mtk.c
++++ b/drivers/usb/host/xhci-mtk.c
+@@ -397,6 +397,8 @@ static void xhci_mtk_quirks(struct device *dev, struct xhci_hcd *xhci)
+       xhci->quirks |= XHCI_SPURIOUS_SUCCESS;
+       if (mtk->lpm_support)
+               xhci->quirks |= XHCI_LPM_SUPPORT;
++      if (mtk->u2_lpm_disable)
++              xhci->quirks |= XHCI_HW_LPM_DISABLE;
+       /*
+        * MTK xHCI 0.96: PSA is 1 by default even if doesn't support stream,
+@@ -469,6 +471,7 @@ static int xhci_mtk_probe(struct platform_device *pdev)
+               return ret;
+       mtk->lpm_support = of_property_read_bool(node, "usb3-lpm-capable");
++      mtk->u2_lpm_disable = of_property_read_bool(node, "usb2-lpm-disable");
+       /* optional property, ignore the error if it does not exist */
+       of_property_read_u32(node, "mediatek,u3p-dis-msk",
+                            &mtk->u3p_dis_msk);
+diff --git a/drivers/usb/host/xhci-mtk.h b/drivers/usb/host/xhci-mtk.h
+index 734c5513aa1b..d9f438d078da 100644
+--- a/drivers/usb/host/xhci-mtk.h
++++ b/drivers/usb/host/xhci-mtk.h
+@@ -150,6 +150,7 @@ struct xhci_hcd_mtk {
+       struct phy **phys;
+       int num_phys;
+       bool lpm_support;
++      bool u2_lpm_disable;
+       /* usb remote wakeup */
+       bool uwk_en;
+       struct regmap *uwk;
+-- 
+2.30.2
+
diff --git a/queue-5.4/x86-build-propagate-clang_flags-to-realmode_flags.patch b/queue-5.4/x86-build-propagate-clang_flags-to-realmode_flags.patch
new file mode 100644 (file)
index 0000000..21b30ca
--- /dev/null
@@ -0,0 +1,66 @@
+From 1fca5d83c5577c9890e8c81f5ee024cf96468674 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Mar 2021 17:04:33 -0700
+Subject: x86/build: Propagate $(CLANG_FLAGS) to $(REALMODE_FLAGS)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: John Millikin <john@john-millikin.com>
+
+[ Upstream commit 8abe7fc26ad8f28bfdf78adbed56acd1fa93f82d ]
+
+When cross-compiling with Clang, the `$(CLANG_FLAGS)' variable
+contains additional flags needed to build C and assembly sources
+for the target platform. Normally this variable is automatically
+included in `$(KBUILD_CFLAGS)' via the top-level Makefile.
+
+The x86 real-mode makefile builds `$(REALMODE_CFLAGS)' from a
+plain assignment and therefore drops the Clang flags. This causes
+Clang to not recognize x86-specific assembler directives:
+
+  arch/x86/realmode/rm/header.S:36:1: error: unknown directive
+  .type real_mode_header STT_OBJECT ; .size real_mode_header, .-real_mode_header
+  ^
+
+Explicit propagation of `$(CLANG_FLAGS)' to `$(REALMODE_CFLAGS)',
+which is inherited by real-mode make rules, fixes cross-compilation
+with Clang for x86 targets.
+
+Relevant flags:
+
+* `--target' sets the target architecture when cross-compiling. This
+  flag must be set for both compilation and assembly (`KBUILD_AFLAGS')
+  to support architecture-specific assembler directives.
+
+* `-no-integrated-as' tells clang to assemble with GNU Assembler
+  instead of its built-in LLVM assembler. This flag is set by default
+  unless `LLVM_IAS=1' is set, because the LLVM assembler can't yet
+  parse certain GNU extensions.
+
+Signed-off-by: John Millikin <john@john-millikin.com>
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Acked-by: Ard Biesheuvel <ardb@kernel.org>
+Tested-by: Sedat Dilek <sedat.dilek@gmail.com>
+Link: https://lkml.kernel.org/r/20210326000435.4785-2-nathan@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/Makefile b/arch/x86/Makefile
+index 59942e349e5f..69f0cb01c666 100644
+--- a/arch/x86/Makefile
++++ b/arch/x86/Makefile
+@@ -40,6 +40,7 @@ REALMODE_CFLAGS += $(call __cc-option, $(CC), $(REALMODE_CFLAGS), -ffreestanding
+ REALMODE_CFLAGS += $(call __cc-option, $(CC), $(REALMODE_CFLAGS), -fno-stack-protector)
+ REALMODE_CFLAGS += $(call __cc-option, $(CC), $(REALMODE_CFLAGS), -Wno-address-of-packed-member)
+ REALMODE_CFLAGS += $(call __cc-option, $(CC), $(REALMODE_CFLAGS), $(cc_stack_align4))
++REALMODE_CFLAGS += $(CLANG_FLAGS)
+ export REALMODE_CFLAGS
+ # BITS is used as extension for files which are available in a 32 bit
+-- 
+2.30.2
+
diff --git a/queue-5.4/xhci-check-control-context-is-valid-before-dereferen.patch b/queue-5.4/xhci-check-control-context-is-valid-before-dereferen.patch
new file mode 100644 (file)
index 0000000..f50bbac
--- /dev/null
@@ -0,0 +1,42 @@
+From d43fa5edb5a05c6f8278fc7e4c4dd6f1f4d3bf64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Apr 2021 10:02:06 +0300
+Subject: xhci: check control context is valid before dereferencing it.
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+[ Upstream commit 597899d2f7c5619c87185ee7953d004bd37fd0eb ]
+
+Don't dereference ctrl_ctx before checking it's valid.
+Issue reported by Klockwork
+
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20210406070208.3406266-3-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
+index b5080bc1689e..143e4002e561 100644
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -3227,6 +3227,14 @@ static void xhci_endpoint_reset(struct usb_hcd *hcd,
+       /* config ep command clears toggle if add and drop ep flags are set */
+       ctrl_ctx = xhci_get_input_control_ctx(cfg_cmd->in_ctx);
++      if (!ctrl_ctx) {
++              spin_unlock_irqrestore(&xhci->lock, flags);
++              xhci_free_command(xhci, cfg_cmd);
++              xhci_warn(xhci, "%s: Could not get input context, bad type.\n",
++                              __func__);
++              goto cleanup;
++      }
++
+       xhci_setup_input_ctx_for_config_ep(xhci, cfg_cmd->in_ctx, vdev->out_ctx,
+                                          ctrl_ctx, ep_flag, ep_flag);
+       xhci_endpoint_copy(xhci, cfg_cmd->in_ctx, vdev->out_ctx, ep_index);
+-- 
+2.30.2
+
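Review bot: The new `!ctrl_ctx` branch in xhci_endpoint_reset() frees `cfg_cmd` itself and then jumps to `cleanup`, a label outside this hunk, so the branch is only safe if `cleanup` does not touch `cfg_cmd` again. That cannot be confirmed from the lines shown. A short comment on the branch, e.g. `/* cfg_cmd was never queued: free it here, cleanup must not free it again */`, would record the ownership rule for the next change to the cleanup path.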
diff --git a/queue-5.4/xhci-fix-potential-array-out-of-bounds-with-several-.patch b/queue-5.4/xhci-fix-potential-array-out-of-bounds-with-several-.patch
new file mode 100644 (file)
index 0000000..ae28cea
--- /dev/null
@@ -0,0 +1,54 @@
+From d9a1e8787a5fb45d5b11981e8d77a96ccfd92cc9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Apr 2021 10:02:07 +0300
+Subject: xhci: fix potential array out of bounds with several interrupters
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+[ Upstream commit 286fd02fd54b6acab65809549cf5fb3f2a886696 ]
+
+The Max Interrupters supported by the controller is given in a 10bit
+wide bitfield, but the driver uses a fixed 128 size array to index these
+interrupters.
+
+Klockwork reports a possible array out of bounds case which in theory
+is possible. In practice this hasn't been hit as a common number of Max
+Interrupters for new controllers is 8, not even close to 128.
+
+This needs to be fixed anyway
+
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20210406070208.3406266-4-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
+index 143e4002e561..de05ac9d3ae1 100644
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -228,6 +228,7 @@ static void xhci_zero_64b_regs(struct xhci_hcd *xhci)
+       struct device *dev = xhci_to_hcd(xhci)->self.sysdev;
+       int err, i;
+       u64 val;
++      u32 intrs;
+       /*
+        * Some Renesas controllers get into a weird state if they are
+@@ -266,7 +267,10 @@ static void xhci_zero_64b_regs(struct xhci_hcd *xhci)
+       if (upper_32_bits(val))
+               xhci_write_64(xhci, 0, &xhci->op_regs->cmd_ring);
+-      for (i = 0; i < HCS_MAX_INTRS(xhci->hcs_params1); i++) {
++      intrs = min_t(u32, HCS_MAX_INTRS(xhci->hcs_params1),
++                    ARRAY_SIZE(xhci->run_regs->ir_set));
++
++      for (i = 0; i < intrs; i++) {
+               struct xhci_intr_reg __iomem *ir;
+               ir = &xhci->run_regs->ir_set[i];
+-- 
+2.30.2
+
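Review bot: The clamp added in xhci_zero_64b_regs() has no comment explaining why the register-reported count is not trusted. Something like `/* HCS_MAX_INTRS is a 10-bit hardware field, ir_set[] is fixed-size: never index past the array */` above the `min_t()` would keep it from being removed later as redundant. The loop still compares `int i` with `u32 intrs`; this is harmless while the bound is the array size, but a matching type would avoid the signed/unsigned comparison. Any other loop that indexes `ir_set[]` by `HCS_MAX_INTRS()` would need the same bound; none is visible in this hunk.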