4.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 15 Jul 2021 14:15:25 +0000 (16:15 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 15 Jul 2021 14:15:25 +0000 (16:15 +0200)
added patches:
asoc-tegra-set-driver_name-tegra-for-all-machine-drivers.patch
coresight-tmc-etf-fix-global-out-of-bounds-in-tmc_update_etf_buffer.patch
dm-btree-remove-assign-new_root-only-when-removal-succeeds.patch
ipack-carriers-tpci200-fix-a-double-free-in-tpci200_pci_probe.patch
ipmi-watchdog-stop-watchdog-timer-when-the-current-action-is-none.patch
media-subdev-disallow-ioctl-for-saa6588-davinci.patch
pci-aardvark-fix-checking-for-pio-non-posted-request.patch
pci-leave-apple-thunderbolt-controllers-on-for-s2idle-or-standby.patch
power-supply-ab8500-fix-an-old-bug.patch
qemu_fw_cfg-make-fw_cfg_rev_attr-a-proper-kobj_attribute.patch
seq_buf-fix-overflow-in-seq_buf_putmem_hex.patch
tracing-resize-tgid_map-to-pid_max-not-pid_max_default.patch
tracing-simplify-fix-saved_tgids-logic.patch

14 files changed:
queue-4.19/asoc-tegra-set-driver_name-tegra-for-all-machine-drivers.patch [new file with mode: 0644]
queue-4.19/coresight-tmc-etf-fix-global-out-of-bounds-in-tmc_update_etf_buffer.patch [new file with mode: 0644]
queue-4.19/dm-btree-remove-assign-new_root-only-when-removal-succeeds.patch [new file with mode: 0644]
queue-4.19/ipack-carriers-tpci200-fix-a-double-free-in-tpci200_pci_probe.patch [new file with mode: 0644]
queue-4.19/ipmi-watchdog-stop-watchdog-timer-when-the-current-action-is-none.patch [new file with mode: 0644]
queue-4.19/media-subdev-disallow-ioctl-for-saa6588-davinci.patch [new file with mode: 0644]
queue-4.19/pci-aardvark-fix-checking-for-pio-non-posted-request.patch [new file with mode: 0644]
queue-4.19/pci-leave-apple-thunderbolt-controllers-on-for-s2idle-or-standby.patch [new file with mode: 0644]
queue-4.19/power-supply-ab8500-fix-an-old-bug.patch [new file with mode: 0644]
queue-4.19/qemu_fw_cfg-make-fw_cfg_rev_attr-a-proper-kobj_attribute.patch [new file with mode: 0644]
queue-4.19/seq_buf-fix-overflow-in-seq_buf_putmem_hex.patch [new file with mode: 0644]
queue-4.19/series
queue-4.19/tracing-resize-tgid_map-to-pid_max-not-pid_max_default.patch [new file with mode: 0644]
queue-4.19/tracing-simplify-fix-saved_tgids-logic.patch [new file with mode: 0644]

diff --git a/queue-4.19/asoc-tegra-set-driver_name-tegra-for-all-machine-drivers.patch b/queue-4.19/asoc-tegra-set-driver_name-tegra-for-all-machine-drivers.patch
new file mode 100644 (file)
index 0000000..adee09c
--- /dev/null
@@ -0,0 +1,131 @@
+From f6eb84fa596abf28959fc7e0b626f925eb1196c7 Mon Sep 17 00:00:00 2001
+From: Dmitry Osipenko <digetx@gmail.com>
+Date: Sat, 29 May 2021 18:46:46 +0300
+Subject: ASoC: tegra: Set driver_name=tegra for all machine drivers
+
+From: Dmitry Osipenko <digetx@gmail.com>
+
+commit f6eb84fa596abf28959fc7e0b626f925eb1196c7 upstream.
+
+The driver_name="tegra" is now required by the newer ALSA UCMs, otherwise
+Tegra UCMs don't match by the path/name.
+
+All Tegra machine drivers are specifying the card's name, but it has no
+effect if model name is specified in the device-tree since it overrides
+the card's name. We need to set the driver_name to "tegra" in order to
+get a usable lookup path for the updated ALSA UCMs. The new UCM lookup
+path has a form of driver_name/card_name.
+
+The old lookup paths that are based on driver module name continue to
+work as before. Note that UCM matching never worked for Tegra ASoC drivers
+if they were compiled as built-in, this is fixed by supporting the new
+naming scheme.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
+Link: https://lore.kernel.org/r/20210529154649.25936-2-digetx@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/tegra/tegra_alc5632.c  |    1 +
+ sound/soc/tegra/tegra_max98090.c |    1 +
+ sound/soc/tegra/tegra_rt5640.c   |    1 +
+ sound/soc/tegra/tegra_rt5677.c   |    1 +
+ sound/soc/tegra/tegra_sgtl5000.c |    1 +
+ sound/soc/tegra/tegra_wm8753.c   |    1 +
+ sound/soc/tegra/tegra_wm8903.c   |    1 +
+ sound/soc/tegra/tegra_wm9712.c   |    1 +
+ sound/soc/tegra/trimslice.c      |    1 +
+ 9 files changed, 9 insertions(+)
+
+--- a/sound/soc/tegra/tegra_alc5632.c
++++ b/sound/soc/tegra/tegra_alc5632.c
+@@ -137,6 +137,7 @@ static struct snd_soc_dai_link tegra_alc
+ static struct snd_soc_card snd_soc_tegra_alc5632 = {
+       .name = "tegra-alc5632",
++      .driver_name = "tegra",
+       .owner = THIS_MODULE,
+       .dai_link = &tegra_alc5632_dai,
+       .num_links = 1,
+--- a/sound/soc/tegra/tegra_max98090.c
++++ b/sound/soc/tegra/tegra_max98090.c
+@@ -188,6 +188,7 @@ static struct snd_soc_dai_link tegra_max
+ static struct snd_soc_card snd_soc_tegra_max98090 = {
+       .name = "tegra-max98090",
++      .driver_name = "tegra",
+       .owner = THIS_MODULE,
+       .dai_link = &tegra_max98090_dai,
+       .num_links = 1,
+--- a/sound/soc/tegra/tegra_rt5640.c
++++ b/sound/soc/tegra/tegra_rt5640.c
+@@ -138,6 +138,7 @@ static struct snd_soc_dai_link tegra_rt5
+ static struct snd_soc_card snd_soc_tegra_rt5640 = {
+       .name = "tegra-rt5640",
++      .driver_name = "tegra",
+       .owner = THIS_MODULE,
+       .dai_link = &tegra_rt5640_dai,
+       .num_links = 1,
+--- a/sound/soc/tegra/tegra_rt5677.c
++++ b/sound/soc/tegra/tegra_rt5677.c
+@@ -181,6 +181,7 @@ static struct snd_soc_dai_link tegra_rt5
+ static struct snd_soc_card snd_soc_tegra_rt5677 = {
+       .name = "tegra-rt5677",
++      .driver_name = "tegra",
+       .owner = THIS_MODULE,
+       .dai_link = &tegra_rt5677_dai,
+       .num_links = 1,
+--- a/sound/soc/tegra/tegra_sgtl5000.c
++++ b/sound/soc/tegra/tegra_sgtl5000.c
+@@ -103,6 +103,7 @@ static struct snd_soc_dai_link tegra_sgt
+ static struct snd_soc_card snd_soc_tegra_sgtl5000 = {
+       .name = "tegra-sgtl5000",
++      .driver_name = "tegra",
+       .owner = THIS_MODULE,
+       .dai_link = &tegra_sgtl5000_dai,
+       .num_links = 1,
+--- a/sound/soc/tegra/tegra_wm8753.c
++++ b/sound/soc/tegra/tegra_wm8753.c
+@@ -110,6 +110,7 @@ static struct snd_soc_dai_link tegra_wm8
+ static struct snd_soc_card snd_soc_tegra_wm8753 = {
+       .name = "tegra-wm8753",
++      .driver_name = "tegra",
+       .owner = THIS_MODULE,
+       .dai_link = &tegra_wm8753_dai,
+       .num_links = 1,
+--- a/sound/soc/tegra/tegra_wm8903.c
++++ b/sound/soc/tegra/tegra_wm8903.c
+@@ -226,6 +226,7 @@ static struct snd_soc_dai_link tegra_wm8
+ static struct snd_soc_card snd_soc_tegra_wm8903 = {
+       .name = "tegra-wm8903",
++      .driver_name = "tegra",
+       .owner = THIS_MODULE,
+       .dai_link = &tegra_wm8903_dai,
+       .num_links = 1,
+--- a/sound/soc/tegra/tegra_wm9712.c
++++ b/sound/soc/tegra/tegra_wm9712.c
+@@ -59,6 +59,7 @@ static struct snd_soc_dai_link tegra_wm9
+ static struct snd_soc_card snd_soc_tegra_wm9712 = {
+       .name = "tegra-wm9712",
++      .driver_name = "tegra",
+       .owner = THIS_MODULE,
+       .dai_link = &tegra_wm9712_dai,
+       .num_links = 1,
+--- a/sound/soc/tegra/trimslice.c
++++ b/sound/soc/tegra/trimslice.c
+@@ -103,6 +103,7 @@ static struct snd_soc_dai_link trimslice
+ static struct snd_soc_card snd_soc_trimslice = {
+       .name = "tegra-trimslice",
++      .driver_name = "tegra",
+       .owner = THIS_MODULE,
+       .dai_link = &trimslice_tlv320aic23_dai,
+       .num_links = 1,
diff --git a/queue-4.19/coresight-tmc-etf-fix-global-out-of-bounds-in-tmc_update_etf_buffer.patch b/queue-4.19/coresight-tmc-etf-fix-global-out-of-bounds-in-tmc_update_etf_buffer.patch
new file mode 100644 (file)
index 0000000..bc85042
--- /dev/null
@@ -0,0 +1,87 @@
+From 5fae8a946ac2df879caf3f79a193d4766d00239b Mon Sep 17 00:00:00 2001
+From: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
+Date: Mon, 14 Jun 2021 11:59:00 -0600
+Subject: coresight: tmc-etf: Fix global-out-of-bounds in tmc_update_etf_buffer()
+
+From: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
+
+commit 5fae8a946ac2df879caf3f79a193d4766d00239b upstream.
+
+commit 6f755e85c332 ("coresight: Add helper for inserting synchronization
+packets") removed trailing '\0' from barrier_pkt array and updated the
+call sites like etb_update_buffer() to have proper checks for barrier_pkt
+size before read but missed updating tmc_update_etf_buffer() which still
+reads barrier_pkt past the array size resulting in KASAN out-of-bounds
+bug. Fix this by adding a check for barrier_pkt size before accessing
+like it is done in etb_update_buffer().
+
+ BUG: KASAN: global-out-of-bounds in tmc_update_etf_buffer+0x4b8/0x698
+ Read of size 4 at addr ffffffd05b7d1030 by task perf/2629
+
+ Call trace:
+  dump_backtrace+0x0/0x27c
+  show_stack+0x20/0x2c
+  dump_stack+0x11c/0x188
+  print_address_description+0x3c/0x4a4
+  __kasan_report+0x140/0x164
+  kasan_report+0x10/0x18
+  __asan_report_load4_noabort+0x1c/0x24
+  tmc_update_etf_buffer+0x4b8/0x698
+  etm_event_stop+0x248/0x2d8
+  etm_event_del+0x20/0x2c
+  event_sched_out+0x214/0x6f0
+  group_sched_out+0xd0/0x270
+  ctx_sched_out+0x2ec/0x518
+  __perf_event_task_sched_out+0x4fc/0xe6c
+  __schedule+0x1094/0x16a0
+  preempt_schedule_irq+0x88/0x170
+  arm64_preempt_schedule_irq+0xf0/0x18c
+  el1_irq+0xe8/0x180
+  perf_event_exec+0x4d8/0x56c
+  setup_new_exec+0x204/0x400
+  load_elf_binary+0x72c/0x18c0
+  search_binary_handler+0x13c/0x420
+  load_script+0x500/0x6c4
+  search_binary_handler+0x13c/0x420
+  exec_binprm+0x118/0x654
+  __do_execve_file+0x77c/0xba4
+  __arm64_compat_sys_execve+0x98/0xac
+  el0_svc_common+0x1f8/0x5e0
+  el0_svc_compat_handler+0x84/0xb0
+  el0_svc_compat+0x10/0x50
+
+ The buggy address belongs to the variable:
+  barrier_pkt+0x10/0x40
+
+ Memory state around the buggy address:
+  ffffffd05b7d0f00: fa fa fa fa 04 fa fa fa fa fa fa fa 00 00 00 00
+  ffffffd05b7d0f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ >ffffffd05b7d1000: 00 00 00 00 00 00 fa fa fa fa fa fa 00 00 00 03
+                                      ^
+  ffffffd05b7d1080: fa fa fa fa 00 02 fa fa fa fa fa fa 03 fa fa fa
+  ffffffd05b7d1100: fa fa fa fa 00 00 00 00 05 fa fa fa fa fa fa fa
+ ==================================================================
+
+Link: https://lore.kernel.org/r/20210505093430.18445-1-saiprakash.ranjan@codeaurora.org
+Fixes: 0c3fc4d5fa26 ("coresight: Add barrier packet for synchronisation")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Link: https://lore.kernel.org/r/20210614175901.532683-6-mathieu.poirier@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwtracing/coresight/coresight-tmc-etf.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwtracing/coresight/coresight-tmc-etf.c
++++ b/drivers/hwtracing/coresight/coresight-tmc-etf.c
+@@ -470,7 +470,7 @@ static void tmc_update_etf_buffer(struct
+               buf_ptr = buf->data_pages[cur] + offset;
+               *buf_ptr = readl_relaxed(drvdata->base + TMC_RRD);
+-              if (lost && *barrier) {
++              if (lost && i < CORESIGHT_BARRIER_PKT_SIZE) {
+                       *buf_ptr = *barrier;
+                       barrier++;
+               }
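Review bot: The new bound in `if (lost && i < CORESIGHT_BARRIER_PKT_SIZE)` is tied to the loop counter `i` rather than to the `barrier` pointer it protects, and neither the loop stride nor the macro's definition is visible in this hunk. If `i` and the macro are not in the same unit (bytes versus 32-bit words), the copy from `*barrier` either stops early or can still step past the end of barrier_pkt, so both should be confirmed against the 4.19 tree this backport targets. Assuming the units match, a short comment above the check such as `/* i and CORESIGHT_BARRIER_PKT_SIZE are both byte counts */` would pin the assumption for later readers. The body of tmc_update_etf_buffer() starts and ends outside the hunk.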
diff --git a/queue-4.19/dm-btree-remove-assign-new_root-only-when-removal-succeeds.patch b/queue-4.19/dm-btree-remove-assign-new_root-only-when-removal-succeeds.patch
new file mode 100644 (file)
index 0000000..9450012
--- /dev/null
@@ -0,0 +1,60 @@
+From b6e58b5466b2959f83034bead2e2e1395cca8aeb Mon Sep 17 00:00:00 2001
+From: Hou Tao <houtao1@huawei.com>
+Date: Thu, 17 Jun 2021 15:45:47 +0800
+Subject: dm btree remove: assign new_root only when removal succeeds
+
+From: Hou Tao <houtao1@huawei.com>
+
+commit b6e58b5466b2959f83034bead2e2e1395cca8aeb upstream.
+
+remove_raw() in dm_btree_remove() may fail due to IO read error
+(e.g. read the content of origin block fails during shadowing),
+and the value of shadow_spine::root is uninitialized, but
+the uninitialized value is still assign to new_root in the
+end of dm_btree_remove().
+
+For dm-thin, the value of pmd->details_root or pmd->root will become
+an uninitialized value, so if trying to read details_info tree again
+out-of-bound memory may occur as showed below:
+
+  general protection fault, probably for non-canonical address 0x3fdcb14c8d7520
+  CPU: 4 PID: 515 Comm: dmsetup Not tainted 5.13.0-rc6
+  Hardware name: QEMU Standard PC
+  RIP: 0010:metadata_ll_load_ie+0x14/0x30
+  Call Trace:
+   sm_metadata_count_is_more_than_one+0xb9/0xe0
+   dm_tm_shadow_block+0x52/0x1c0
+   shadow_step+0x59/0xf0
+   remove_raw+0xb2/0x170
+   dm_btree_remove+0xf4/0x1c0
+   dm_pool_delete_thin_device+0xc3/0x140
+   pool_message+0x218/0x2b0
+   target_message+0x251/0x290
+   ctl_ioctl+0x1c4/0x4d0
+   dm_ctl_ioctl+0xe/0x20
+   __x64_sys_ioctl+0x7b/0xb0
+   do_syscall_64+0x40/0xb0
+   entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Fixing it by only assign new_root when removal succeeds
+
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/persistent-data/dm-btree-remove.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/persistent-data/dm-btree-remove.c
++++ b/drivers/md/persistent-data/dm-btree-remove.c
+@@ -549,7 +549,8 @@ int dm_btree_remove(struct dm_btree_info
+               delete_at(n, index);
+       }
+-      *new_root = shadow_root(&spine);
++      if (!r)
++              *new_root = shadow_root(&spine);
+       exit_shadow_spine(&spine);
+       return r;
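Review bot: With `if (!r)` guarding the assignment, `*new_root` is left unwritten on failure, and nothing in the hunk documents that callers must already hold a valid root in that variable. The commit message covers dm-thin, which passes `pmd->details_root` or `pmd->root` in place, so keeping the old value is the intended result there. Other callers are not visible here, and one that passes an uninitialized local and does not check `r` would still consume an indeterminate root. I would add `/* on failure leave *new_root untouched so the caller keeps its previous root */` above the check and state the same contract in the function's header comment, which lies outside this hunk.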
diff --git a/queue-4.19/ipack-carriers-tpci200-fix-a-double-free-in-tpci200_pci_probe.patch b/queue-4.19/ipack-carriers-tpci200-fix-a-double-free-in-tpci200_pci_probe.patch
new file mode 100644 (file)
index 0000000..a06f778
--- /dev/null
@@ -0,0 +1,45 @@
+From 9272e5d0028d45a3b45b58c9255e6e0df53f7ad9 Mon Sep 17 00:00:00 2001
+From: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+Date: Mon, 24 May 2021 02:32:05 -0700
+Subject: ipack/carriers/tpci200: Fix a double free in tpci200_pci_probe
+
+From: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+
+commit 9272e5d0028d45a3b45b58c9255e6e0df53f7ad9 upstream.
+
+In the out_err_bus_register error branch of tpci200_pci_probe,
+tpci200->info->cfg_regs is freed by tpci200_uninstall()->
+tpci200_unregister()->pci_iounmap(..,tpci200->info->cfg_regs)
+in the first time.
+
+But later, iounmap() is called to free tpci200->info->cfg_regs
+again.
+
+My patch sets tpci200->info->cfg_regs to NULL after tpci200_uninstall()
+to avoid the double free.
+
+Fixes: cea2f7cdff2af ("Staging: ipack/bridges/tpci200: Use the TPCI200 in big endian mode")
+Cc: stable <stable@vger.kernel.org>
+Acked-by: Samuel Iglesias Gonsalvez <siglesias@igalia.com>
+Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+Link: https://lore.kernel.org/r/20210524093205.8333-1-lyl2019@mail.ustc.edu.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ipack/carriers/tpci200.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/ipack/carriers/tpci200.c
++++ b/drivers/ipack/carriers/tpci200.c
+@@ -599,8 +599,11 @@ static int tpci200_pci_probe(struct pci_
+ out_err_bus_register:
+       tpci200_uninstall(tpci200);
++      /* tpci200->info->cfg_regs is unmapped in tpci200_uninstall */
++      tpci200->info->cfg_regs = NULL;
+ out_err_install:
+-      iounmap(tpci200->info->cfg_regs);
++      if (tpci200->info->cfg_regs)
++              iounmap(tpci200->info->cfg_regs);
+ out_err_ioremap:
+       pci_release_region(pdev, TPCI200_CFG_MEM_BAR);
+ out_err_pci_request:
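Review bot: After `tpci200_uninstall(tpci200)` the error path still falls through `out_err_install` into `pci_release_region(pdev, TPCI200_CFG_MEM_BAR)` and the labels below it, so the patch only removes the second unmap of `cfg_regs` and not any other cleanup the uninstall path may already have done. The commit message says tpci200_uninstall() reaches tpci200_unregister(), whose body is not shown; if it also releases that BAR or frees `tpci200->info`, the same double-cleanup class remains and the new `tpci200->info->cfg_regs = NULL;` store would itself touch freed memory. It is worth checking that function and giving each resource a single owner on teardown, rather than NULL-guarding one pointer. Until then a marker such as `/* falls through to pci_release_region(); confirm tpci200_uninstall() has not already released TPCI200_CFG_MEM_BAR */` would record the open question. tpci200_pci_probe() starts and ends outside the hunk.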
diff --git a/queue-4.19/ipmi-watchdog-stop-watchdog-timer-when-the-current-action-is-none.patch b/queue-4.19/ipmi-watchdog-stop-watchdog-timer-when-the-current-action-is-none.patch
new file mode 100644 (file)
index 0000000..50fbb7b
--- /dev/null
@@ -0,0 +1,72 @@
+From 2253042d86f57d90a621ac2513a7a7a13afcf809 Mon Sep 17 00:00:00 2001
+From: Petr Pavlu <petr.pavlu@suse.com>
+Date: Thu, 13 May 2021 14:26:36 +0200
+Subject: ipmi/watchdog: Stop watchdog timer when the current action is 'none'
+
+From: Petr Pavlu <petr.pavlu@suse.com>
+
+commit 2253042d86f57d90a621ac2513a7a7a13afcf809 upstream.
+
+When an IPMI watchdog timer is being stopped in ipmi_close() or
+ipmi_ioctl(WDIOS_DISABLECARD), the current watchdog action is updated to
+WDOG_TIMEOUT_NONE and _ipmi_set_timeout(IPMI_SET_TIMEOUT_NO_HB) is called
+to install this action. The latter function ends up invoking
+__ipmi_set_timeout() which makes the actual 'Set Watchdog Timer' IPMI
+request.
+
+For IPMI 1.0, this operation results in fully stopping the watchdog timer.
+For IPMI >= 1.5, function __ipmi_set_timeout() always specifies the "don't
+stop" flag in the prepared 'Set Watchdog Timer' IPMI request. This causes
+that the watchdog timer has its action correctly updated to 'none' but the
+timer continues to run. A problem is that IPMI firmware can then still log
+an expiration event when the configured timeout is reached, which is
+unexpected because the watchdog timer was requested to be stopped.
+
+The patch fixes this problem by not setting the "don't stop" flag in
+__ipmi_set_timeout() when the current action is WDOG_TIMEOUT_NONE which
+results in stopping the watchdog timer. This makes the behaviour for
+IPMI >= 1.5 consistent with IPMI 1.0. It also matches the logic in
+__ipmi_heartbeat() which does not allow to reset the watchdog if the
+current action is WDOG_TIMEOUT_NONE as that would start the timer.
+
+Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
+Message-Id: <10a41bdc-9c99-089c-8d89-fa98ce5ea080@suse.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/ipmi/ipmi_watchdog.c |   22 ++++++++++++----------
+ 1 file changed, 12 insertions(+), 10 deletions(-)
+
+--- a/drivers/char/ipmi/ipmi_watchdog.c
++++ b/drivers/char/ipmi/ipmi_watchdog.c
+@@ -366,16 +366,18 @@ static int __ipmi_set_timeout(struct ipm
+       data[0] = 0;
+       WDOG_SET_TIMER_USE(data[0], WDOG_TIMER_USE_SMS_OS);
+-      if ((ipmi_version_major > 1)
+-          || ((ipmi_version_major == 1) && (ipmi_version_minor >= 5))) {
+-              /* This is an IPMI 1.5-only feature. */
+-              data[0] |= WDOG_DONT_STOP_ON_SET;
+-      } else if (ipmi_watchdog_state != WDOG_TIMEOUT_NONE) {
+-              /*
+-               * In ipmi 1.0, setting the timer stops the watchdog, we
+-               * need to start it back up again.
+-               */
+-              hbnow = 1;
++      if (ipmi_watchdog_state != WDOG_TIMEOUT_NONE) {
++              if ((ipmi_version_major > 1) ||
++                  ((ipmi_version_major == 1) && (ipmi_version_minor >= 5))) {
++                      /* This is an IPMI 1.5-only feature. */
++                      data[0] |= WDOG_DONT_STOP_ON_SET;
++              } else {
++                      /*
++                       * In ipmi 1.0, setting the timer stops the watchdog, we
++                       * need to start it back up again.
++                       */
++                      hbnow = 1;
++              }
+       }
+       data[1] = 0;
diff --git a/queue-4.19/media-subdev-disallow-ioctl-for-saa6588-davinci.patch b/queue-4.19/media-subdev-disallow-ioctl-for-saa6588-davinci.patch
new file mode 100644 (file)
index 0000000..c425b0a
--- /dev/null
@@ -0,0 +1,169 @@
+From 0a7790be182d32b9b332a37cb4206e24fe94b728 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 14 Jun 2021 12:34:09 +0200
+Subject: media: subdev: disallow ioctl for saa6588/davinci
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 0a7790be182d32b9b332a37cb4206e24fe94b728 upstream.
+
+The saa6588_ioctl() function expects to get called from other kernel
+functions with a 'saa6588_command' pointer, but I found nothing stops it
+from getting called from user space instead, which seems rather dangerous.
+
+The same thing happens in the davinci vpbe driver with its VENC_GET_FLD
+command.
+
+As a quick fix, add a separate .command() callback pointer for this
+driver and change the two callers over to that.  This change can easily
+get backported to stable kernels if necessary, but since there are only
+two drivers, we may want to eventually replace this with a set of more
+specialized callbacks in the long run.
+
+Fixes: c3fda7f835b0 ("V4L/DVB (10537): saa6588: convert to v4l2_subdev.")
+Cc: stable@vger.kernel.org
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/saa6588.c                   |    4 ++--
+ drivers/media/pci/bt8xx/bttv-driver.c         |    6 +++---
+ drivers/media/pci/saa7134/saa7134-video.c     |    6 +++---
+ drivers/media/platform/davinci/vpbe_display.c |    2 +-
+ drivers/media/platform/davinci/vpbe_venc.c    |    6 ++----
+ include/media/v4l2-subdev.h                   |    4 ++++
+ 6 files changed, 15 insertions(+), 13 deletions(-)
+
+--- a/drivers/media/i2c/saa6588.c
++++ b/drivers/media/i2c/saa6588.c
+@@ -392,7 +392,7 @@ static void saa6588_configure(struct saa
+ /* ---------------------------------------------------------------------- */
+-static long saa6588_ioctl(struct v4l2_subdev *sd, unsigned int cmd, void *arg)
++static long saa6588_command(struct v4l2_subdev *sd, unsigned int cmd, void *arg)
+ {
+       struct saa6588 *s = to_saa6588(sd);
+       struct saa6588_command *a = arg;
+@@ -445,7 +445,7 @@ static int saa6588_s_tuner(struct v4l2_s
+ /* ----------------------------------------------------------------------- */
+ static const struct v4l2_subdev_core_ops saa6588_core_ops = {
+-      .ioctl = saa6588_ioctl,
++      .command = saa6588_command,
+ };
+ static const struct v4l2_subdev_tuner_ops saa6588_tuner_ops = {
+--- a/drivers/media/pci/bt8xx/bttv-driver.c
++++ b/drivers/media/pci/bt8xx/bttv-driver.c
+@@ -3243,7 +3243,7 @@ static int radio_release(struct file *fi
+       btv->radio_user--;
+-      bttv_call_all(btv, core, ioctl, SAA6588_CMD_CLOSE, &cmd);
++      bttv_call_all(btv, core, command, SAA6588_CMD_CLOSE, &cmd);
+       if (btv->radio_user == 0)
+               btv->has_radio_tuner = 0;
+@@ -3324,7 +3324,7 @@ static ssize_t radio_read(struct file *f
+       cmd.result = -ENODEV;
+       radio_enable(btv);
+-      bttv_call_all(btv, core, ioctl, SAA6588_CMD_READ, &cmd);
++      bttv_call_all(btv, core, command, SAA6588_CMD_READ, &cmd);
+       return cmd.result;
+ }
+@@ -3345,7 +3345,7 @@ static __poll_t radio_poll(struct file *
+       cmd.instance = file;
+       cmd.event_list = wait;
+       cmd.poll_mask = res;
+-      bttv_call_all(btv, core, ioctl, SAA6588_CMD_POLL, &cmd);
++      bttv_call_all(btv, core, command, SAA6588_CMD_POLL, &cmd);
+       return cmd.poll_mask;
+ }
+--- a/drivers/media/pci/saa7134/saa7134-video.c
++++ b/drivers/media/pci/saa7134/saa7134-video.c
+@@ -1202,7 +1202,7 @@ static int video_release(struct file *fi
+       saa_call_all(dev, tuner, standby);
+       if (vdev->vfl_type == VFL_TYPE_RADIO)
+-              saa_call_all(dev, core, ioctl, SAA6588_CMD_CLOSE, &cmd);
++              saa_call_all(dev, core, command, SAA6588_CMD_CLOSE, &cmd);
+       mutex_unlock(&dev->lock);
+       return 0;
+@@ -1221,7 +1221,7 @@ static ssize_t radio_read(struct file *f
+       cmd.result = -ENODEV;
+       mutex_lock(&dev->lock);
+-      saa_call_all(dev, core, ioctl, SAA6588_CMD_READ, &cmd);
++      saa_call_all(dev, core, command, SAA6588_CMD_READ, &cmd);
+       mutex_unlock(&dev->lock);
+       return cmd.result;
+@@ -1237,7 +1237,7 @@ static __poll_t radio_poll(struct file *
+       cmd.event_list = wait;
+       cmd.poll_mask = 0;
+       mutex_lock(&dev->lock);
+-      saa_call_all(dev, core, ioctl, SAA6588_CMD_POLL, &cmd);
++      saa_call_all(dev, core, command, SAA6588_CMD_POLL, &cmd);
+       mutex_unlock(&dev->lock);
+       return rc | cmd.poll_mask;
+--- a/drivers/media/platform/davinci/vpbe_display.c
++++ b/drivers/media/platform/davinci/vpbe_display.c
+@@ -60,7 +60,7 @@ static int venc_is_second_field(struct v
+       ret = v4l2_subdev_call(vpbe_dev->venc,
+                              core,
+-                             ioctl,
++                             command,
+                              VENC_GET_FLD,
+                              &val);
+       if (ret < 0) {
+--- a/drivers/media/platform/davinci/vpbe_venc.c
++++ b/drivers/media/platform/davinci/vpbe_venc.c
+@@ -534,9 +534,7 @@ static int venc_s_routing(struct v4l2_su
+       return ret;
+ }
+-static long venc_ioctl(struct v4l2_subdev *sd,
+-                      unsigned int cmd,
+-                      void *arg)
++static long venc_command(struct v4l2_subdev *sd, unsigned int cmd, void *arg)
+ {
+       u32 val;
+@@ -555,7 +553,7 @@ static long venc_ioctl(struct v4l2_subde
+ }
+ static const struct v4l2_subdev_core_ops venc_core_ops = {
+-      .ioctl      = venc_ioctl,
++      .command      = venc_command,
+ };
+ static const struct v4l2_subdev_video_ops venc_video_ops = {
+--- a/include/media/v4l2-subdev.h
++++ b/include/media/v4l2-subdev.h
+@@ -171,6 +171,9 @@ struct v4l2_subdev_io_pin_config {
+  * @s_gpio: set GPIO pins. Very simple right now, might need to be extended with
+  *    a direction argument if needed.
+  *
++ * @command: called by in-kernel drivers in order to call functions internal
++ *       to subdev drivers driver that have a separate callback.
++ *
+  * @ioctl: called at the end of ioctl() syscall handler at the V4L2 core.
+  *       used to provide support for private ioctls used on the driver.
+  *
+@@ -202,6 +205,7 @@ struct v4l2_subdev_core_ops {
+       int (*load_fw)(struct v4l2_subdev *sd);
+       int (*reset)(struct v4l2_subdev *sd, u32 val);
+       int (*s_gpio)(struct v4l2_subdev *sd, u32 val);
++      long (*command)(struct v4l2_subdev *sd, unsigned int cmd, void *arg);
+       long (*ioctl)(struct v4l2_subdev *sd, unsigned int cmd, void *arg);
+ #ifdef CONFIG_COMPAT
+       long (*compat_ioctl32)(struct v4l2_subdev *sd, unsigned int cmd,
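Review bot: The kerneldoc added for `@command` in include/media/v4l2-subdev.h repeats a word ("subdev drivers driver") and omits the property this commit exists to establish. As far as the commit message describes it, the callback is meant to be invoked only by other kernel drivers and never from the ioctl() syscall path, so `arg` is a kernel pointer of a type agreed between caller and subdev. Suggested wording: `@command: called by in-kernel drivers to invoke functions internal to a subdev driver; not reachable from user space, so @arg is a kernel pointer whose type is defined by the subdev.` Stating that next to `@ioctl` makes the trust boundary between the two `void *arg` callbacks explicit for anyone adding a new user.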
diff --git a/queue-4.19/pci-aardvark-fix-checking-for-pio-non-posted-request.patch b/queue-4.19/pci-aardvark-fix-checking-for-pio-non-posted-request.patch
new file mode 100644 (file)
index 0000000..c26f9b1
--- /dev/null
@@ -0,0 +1,36 @@
+From 8ceeac307a79f68c0d0c72d6e48b82fa424204ec Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pali=20Roh=C3=A1r?= <pali@kernel.org>
+Date: Thu, 24 Jun 2021 23:33:43 +0200
+Subject: PCI: aardvark: Fix checking for PIO Non-posted Request
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+commit 8ceeac307a79f68c0d0c72d6e48b82fa424204ec upstream.
+
+PIO_NON_POSTED_REQ for PIO_STAT register is incorrectly defined. Bit 10 in
+register PIO_STAT indicates the response is to a non-posted request.
+
+Link: https://lore.kernel.org/r/20210624213345.3617-2-pali@kernel.org
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Reviewed-by: Marek Behún <kabel@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/controller/pci-aardvark.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pci/controller/pci-aardvark.c
++++ b/drivers/pci/controller/pci-aardvark.c
+@@ -54,7 +54,7 @@
+ #define   PIO_COMPLETION_STATUS_UR            1
+ #define   PIO_COMPLETION_STATUS_CRS           2
+ #define   PIO_COMPLETION_STATUS_CA            4
+-#define   PIO_NON_POSTED_REQ                  BIT(0)
++#define   PIO_NON_POSTED_REQ                  BIT(10)
+ #define PIO_ADDR_LS                           (PIO_BASE_ADDR + 0x8)
+ #define PIO_ADDR_MS                           (PIO_BASE_ADDR + 0xc)
+ #define PIO_WR_DATA                           (PIO_BASE_ADDR + 0x10)
diff --git a/queue-4.19/pci-leave-apple-thunderbolt-controllers-on-for-s2idle-or-standby.patch b/queue-4.19/pci-leave-apple-thunderbolt-controllers-on-for-s2idle-or-standby.patch
new file mode 100644 (file)
index 0000000..5081752
--- /dev/null
@@ -0,0 +1,65 @@
+From 4694ae373dc2114f9a82f6ae15737e65af0c6dea Mon Sep 17 00:00:00 2001
+From: Konstantin Kharlamov <Hi-Angel@yandex.ru>
+Date: Fri, 21 May 2021 02:55:01 +0300
+Subject: PCI: Leave Apple Thunderbolt controllers on for s2idle or standby
+
+From: Konstantin Kharlamov <Hi-Angel@yandex.ru>
+
+commit 4694ae373dc2114f9a82f6ae15737e65af0c6dea upstream.
+
+On Macbook 2013, resuming from suspend-to-idle or standby resulted in the
+external monitor no longer being detected, a stacktrace, and errors like
+this in dmesg:
+
+  pcieport 0000:06:00.0: can't change power state from D3hot to D0 (config space inaccessible)
+
+The reason is that we know how to turn power to the Thunderbolt controller
+*off* via the SXIO/SXFP/SXLF methods, but we don't know how to turn power
+back on.  We have to rely on firmware to turn the power back on.
+
+When going to the "suspend-to-idle" or "standby" system sleep states,
+firmware is not involved either on the suspend side or the resume side, so
+we can't use SXIO/SXFP/SXLF to turn the power off.
+
+Skip SXIO/SXFP/SXLF when firmware isn't involved in suspend, e.g., when
+we're going to the "suspend-to-idle" or "standby" system sleep states.
+
+Fixes: 1df5172c5c25 ("PCI: Suspend/resume quirks for Apple thunderbolt")
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=212767
+Link: https://lore.kernel.org/r/20210520235501.917397-1-Hi-Angel@yandex.ru
+Signed-off-by: Konstantin Kharlamov <Hi-Angel@yandex.ru>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Lukas Wunner <lukas@wunner.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/quirks.c |   11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -28,6 +28,7 @@
+ #include <linux/nvme.h>
+ #include <linux/platform_data/x86/apple.h>
+ #include <linux/pm_runtime.h>
++#include <linux/suspend.h>
+ #include <linux/switchtec.h>
+ #include <asm/dma.h>  /* isa_dma_bridge_buggy */
+ #include "pci.h"
+@@ -3573,6 +3574,16 @@ static void quirk_apple_poweroff_thunder
+               return;
+       if (pci_pcie_type(dev) != PCI_EXP_TYPE_UPSTREAM)
+               return;
++
++      /*
++       * SXIO/SXFP/SXLF turns off power to the Thunderbolt controller.
++       * We don't know how to turn it back on again, but firmware does,
++       * so we can only use SXIO/SXFP/SXLF if we're suspending via
++       * firmware.
++       */
++      if (!pm_suspend_via_firmware())
++              return;
++
+       bridge = ACPI_HANDLE(&dev->dev);
+       if (!bridge)
+               return;
diff --git a/queue-4.19/power-supply-ab8500-fix-an-old-bug.patch b/queue-4.19/power-supply-ab8500-fix-an-old-bug.patch
new file mode 100644 (file)
index 0000000..192b2b2
--- /dev/null
@@ -0,0 +1,38 @@
+From f1c74a6c07e76fcb31a4bcc1f437c4361a2674ce Mon Sep 17 00:00:00 2001
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Sun, 27 Jun 2021 01:47:49 +0200
+Subject: power: supply: ab8500: Fix an old bug
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+commit f1c74a6c07e76fcb31a4bcc1f437c4361a2674ce upstream.
+
+Trying to get the AB8500 charging driver working I ran into a bit
+of bitrot: we haven't used the driver for a while so errors in
+refactorings won't be noticed.
+
+This one is pretty self evident: use argument to the macro or we
+end up with a random pointer to something else.
+
+Cc: stable@vger.kernel.org
+Cc: Krzysztof Kozlowski <krzk@kernel.org>
+Cc: Marcus Cooper <codekipper@gmail.com>
+Fixes: 297d716f6260 ("power_supply: Change ownership from driver to core")
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/mfd/abx500/ux500_chargalg.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/mfd/abx500/ux500_chargalg.h
++++ b/include/linux/mfd/abx500/ux500_chargalg.h
+@@ -15,7 +15,7 @@
+  * - POWER_SUPPLY_TYPE_USB,
+  * because only them store as drv_data pointer to struct ux500_charger.
+  */
+-#define psy_to_ux500_charger(x) power_supply_get_drvdata(psy)
++#define psy_to_ux500_charger(x) power_supply_get_drvdata(x)
+ /* Forward declaration */
+ struct ux500_charger;
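Review bot: The corrected `psy_to_ux500_charger(x)` is still a function-like macro, which is how the old body could name `psy` instead of its own parameter without any diagnostic: it compiled wherever the caller happened to have a variable called `psy` in scope. A `static inline` helper placed after the `struct ux500_charger` forward declaration would let the compiler check the argument, e.g. `static inline struct ux500_charger *psy_to_ux500_charger(struct power_supply *psy) { return power_supply_get_drvdata(psy); }`. That assumes the header can see the `power_supply_get_drvdata()` prototype, which is not visible in this hunk. The one-line fix is correct as it stands for a stable backport.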
diff --git a/queue-4.19/qemu_fw_cfg-make-fw_cfg_rev_attr-a-proper-kobj_attribute.patch b/queue-4.19/qemu_fw_cfg-make-fw_cfg_rev_attr-a-proper-kobj_attribute.patch
new file mode 100644 (file)
index 0000000..8e8d735
--- /dev/null
@@ -0,0 +1,65 @@
+From fca41af18e10318e4de090db47d9fa7169e1bf2f Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Thu, 11 Feb 2021 12:42:58 -0700
+Subject: qemu_fw_cfg: Make fw_cfg_rev_attr a proper kobj_attribute
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit fca41af18e10318e4de090db47d9fa7169e1bf2f upstream.
+
+fw_cfg_showrev() is called by an indirect call in kobj_attr_show(),
+which violates clang's CFI checking because fw_cfg_showrev()'s second
+parameter is 'struct attribute', whereas the ->show() member of 'struct
+kobj_structure' expects the second parameter to be of type 'struct
+kobj_attribute'.
+
+$ cat /sys/firmware/qemu_fw_cfg/rev
+3
+
+$ dmesg | grep "CFI failure"
+[   26.016832] CFI failure (target: fw_cfg_showrev+0x0/0x8):
+
+Fix this by converting fw_cfg_rev_attr to 'struct kobj_attribute' where
+this would have been caught automatically by the incompatible pointer
+types compiler warning. Update fw_cfg_showrev() accordingly.
+
+Fixes: 75f3e8e47f38 ("firmware: introduce sysfs driver for QEMU's fw_cfg device")
+Link: https://github.com/ClangBuiltLinux/linux/issues/1299
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
+Tested-by: Sedat Dilek <sedat.dilek@gmail.com>
+Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20210211194258.4137998-1-nathan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/firmware/qemu_fw_cfg.c |    8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/firmware/qemu_fw_cfg.c
++++ b/drivers/firmware/qemu_fw_cfg.c
+@@ -296,15 +296,13 @@ static int fw_cfg_do_platform_probe(stru
+       return 0;
+ }
+-static ssize_t fw_cfg_showrev(struct kobject *k, struct attribute *a, char *buf)
++static ssize_t fw_cfg_showrev(struct kobject *k, struct kobj_attribute *a,
++                            char *buf)
+ {
+       return sprintf(buf, "%u\n", fw_cfg_rev);
+ }
+-static const struct {
+-      struct attribute attr;
+-      ssize_t (*show)(struct kobject *k, struct attribute *a, char *buf);
+-} fw_cfg_rev_attr = {
++static const struct kobj_attribute fw_cfg_rev_attr = {
+       .attr = { .name = "rev", .mode = S_IRUSR },
+       .show = fw_cfg_showrev,
+ };
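Review bot: Nothing next to the new `fw_cfg_showrev()` prototype records why its second parameter has to be `struct kobj_attribute *`. The commit message explains that the function is reached through an indirect call in `kobj_attr_show()` and that a mismatched prototype trips clang's CFI check, but that reasoning is not in the file. A one-line comment above the function would keep a later refactor from reintroducing the mismatch, for example `/* Called indirectly via kobj_attribute->show; the prototype must match exactly. */`. The body still formats into `buf` with an unbounded `sprintf()`; that line is unchanged context and harmless for a single `%u`, so it only needs attention if the attribute ever grows.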
diff --git a/queue-4.19/seq_buf-fix-overflow-in-seq_buf_putmem_hex.patch b/queue-4.19/seq_buf-fix-overflow-in-seq_buf_putmem_hex.patch
new file mode 100644 (file)
index 0000000..97f0237
--- /dev/null
@@ -0,0 +1,41 @@
+From d3b16034a24a112bb83aeb669ac5b9b01f744bb7 Mon Sep 17 00:00:00 2001
+From: Yun Zhou <yun.zhou@windriver.com>
+Date: Sat, 26 Jun 2021 11:21:55 +0800
+Subject: seq_buf: Fix overflow in seq_buf_putmem_hex()
+
+From: Yun Zhou <yun.zhou@windriver.com>
+
+commit d3b16034a24a112bb83aeb669ac5b9b01f744bb7 upstream.
+
+There's two variables being increased in that loop (i and j), and i
+follows the raw data, and j follows what is being written into the buffer.
+We should compare 'i' to MAX_MEMHEX_BYTES or compare 'j' to HEX_CHARS.
+Otherwise, if 'j' goes bigger than HEX_CHARS, it will overflow the
+destination buffer.
+
+Link: https://lore.kernel.org/lkml/20210625122453.5e2fe304@oasis.local.home/
+Link: https://lkml.kernel.org/r/20210626032156.47889-1-yun.zhou@windriver.com
+
+Cc: stable@vger.kernel.org
+Fixes: 5e3ca0ec76fce ("ftrace: introduce the "hex" output method")
+Signed-off-by: Yun Zhou <yun.zhou@windriver.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/seq_buf.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/lib/seq_buf.c
++++ b/lib/seq_buf.c
+@@ -228,8 +228,10 @@ int seq_buf_putmem_hex(struct seq_buf *s
+       WARN_ON(s->size == 0);
++      BUILD_BUG_ON(MAX_MEMHEX_BYTES * 2 >= HEX_CHARS);
++
+       while (len) {
+-              start_len = min(len, HEX_CHARS - 1);
++              start_len = min(len, MAX_MEMHEX_BYTES);
+ #ifdef __BIG_ENDIAN
+               for (i = 0, j = 0; i < start_len; i++) {
+ #else
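Review bot: The new `BUILD_BUG_ON(MAX_MEMHEX_BYTES * 2 >= HEX_CHARS);` carries the whole safety argument for this fix but has no comment saying what it protects. Something like `/* each input byte becomes two hex characters, so hex[] must hold MAX_MEMHEX_BYTES * 2 plus the separator */` above it would tie the assertion to the destination buffer. The declaration of that buffer and the loop that fills it are outside the hunk, so the exact wording should be checked against them. It is also worth confirming that every write index in the loop body is bounded by `start_len` now that the clamp is expressed in input bytes rather than output characters. `seq_buf_putmem_hex()` starts and ends outside the hunk.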
index 2ff6a5495430ce2a54374450f732d73f788fe248..ef4b4089fd155dd795ed6e01656d23b75fe2ce0b 100644 (file)
@@ -294,3 +294,16 @@ mmc-core-allow-uhs-i-voltage-switch-for-sdsc-cards-if-supported.patch
 ata-ahci_sunxi-disable-dipm.patch
 cpu-hotplug-cure-the-cpusets-trainwreck.patch
 clocksource-arm_arch_timer-improve-allwinner-a64-timer-workaround.patch
+asoc-tegra-set-driver_name-tegra-for-all-machine-drivers.patch
+qemu_fw_cfg-make-fw_cfg_rev_attr-a-proper-kobj_attribute.patch
+ipmi-watchdog-stop-watchdog-timer-when-the-current-action-is-none.patch
+power-supply-ab8500-fix-an-old-bug.patch
+seq_buf-fix-overflow-in-seq_buf_putmem_hex.patch
+tracing-simplify-fix-saved_tgids-logic.patch
+tracing-resize-tgid_map-to-pid_max-not-pid_max_default.patch
+ipack-carriers-tpci200-fix-a-double-free-in-tpci200_pci_probe.patch
+coresight-tmc-etf-fix-global-out-of-bounds-in-tmc_update_etf_buffer.patch
+dm-btree-remove-assign-new_root-only-when-removal-succeeds.patch
+pci-leave-apple-thunderbolt-controllers-on-for-s2idle-or-standby.patch
+pci-aardvark-fix-checking-for-pio-non-posted-request.patch
+media-subdev-disallow-ioctl-for-saa6588-davinci.patch
diff --git a/queue-4.19/tracing-resize-tgid_map-to-pid_max-not-pid_max_default.patch b/queue-4.19/tracing-resize-tgid_map-to-pid_max-not-pid_max_default.patch
new file mode 100644 (file)
index 0000000..7b12562
--- /dev/null
@@ -0,0 +1,176 @@
+From 4030a6e6a6a4a42ff8c18414c9e0c93e24cc70b8 Mon Sep 17 00:00:00 2001
+From: Paul Burton <paulburton@google.com>
+Date: Thu, 1 Jul 2021 10:24:07 -0700
+Subject: tracing: Resize tgid_map to pid_max, not PID_MAX_DEFAULT
+
+From: Paul Burton <paulburton@google.com>
+
+commit 4030a6e6a6a4a42ff8c18414c9e0c93e24cc70b8 upstream.
+
+Currently tgid_map is sized at PID_MAX_DEFAULT entries, which means that
+on systems where pid_max is configured higher than PID_MAX_DEFAULT the
+ftrace record-tgid option doesn't work so well. Any tasks with PIDs
+higher than PID_MAX_DEFAULT are simply not recorded in tgid_map, and
+don't show up in the saved_tgids file.
+
+In particular since systemd v243 & above configure pid_max to its
+highest possible 1<<22 value by default on 64 bit systems this renders
+the record-tgids option of little use.
+
+Increase the size of tgid_map to the configured pid_max instead,
+allowing it to cover the full range of PIDs up to the maximum value of
+PID_MAX_LIMIT if the system is configured that way.
+
+On 64 bit systems with pid_max == PID_MAX_LIMIT this will increase the
+size of tgid_map from 256KiB to 16MiB. Whilst this 64x increase in
+memory overhead sounds significant 64 bit systems are presumably best
+placed to accommodate it, and since tgid_map is only allocated when the
+record-tgid option is actually used presumably the user would rather it
+spends sufficient memory to actually record the tgids they expect.
+
+The size of tgid_map could also increase for CONFIG_BASE_SMALL=y
+configurations, but these seem unlikely to be systems upon which people
+are both configuring a large pid_max and running ftrace with record-tgid
+anyway.
+
+Of note is that we only allocate tgid_map once, the first time that the
+record-tgid option is enabled. Therefore its size is only set once, to
+the value of pid_max at the time the record-tgid option is first
+enabled. If a user increases pid_max after that point, the saved_tgids
+file will not contain entries for any tasks with pids beyond the earlier
+value of pid_max.
+
+Link: https://lkml.kernel.org/r/20210701172407.889626-2-paulburton@google.com
+
+Fixes: d914ba37d714 ("tracing: Add support for recording tgid of tasks")
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Joel Fernandes <joelaf@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Paul Burton <paulburton@google.com>
+[ Fixed comment coding style ]
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace.c |   63 ++++++++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 47 insertions(+), 16 deletions(-)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -1729,8 +1729,15 @@ void tracing_reset_all_online_cpus(void)
+       }
+ }
++/*
++ * The tgid_map array maps from pid to tgid; i.e. the value stored at index i
++ * is the tgid last observed corresponding to pid=i.
++ */
+ static int *tgid_map;
++/* The maximum valid index into tgid_map. */
++static size_t tgid_map_max;
++
+ #define SAVED_CMDLINES_DEFAULT 128
+ #define NO_CMDLINE_MAP UINT_MAX
+ static arch_spinlock_t trace_cmdline_lock = __ARCH_SPIN_LOCK_UNLOCKED;
+@@ -2003,24 +2010,41 @@ void trace_find_cmdline(int pid, char co
+       preempt_enable();
+ }
++static int *trace_find_tgid_ptr(int pid)
++{
++      /*
++       * Pairs with the smp_store_release in set_tracer_flag() to ensure that
++       * if we observe a non-NULL tgid_map then we also observe the correct
++       * tgid_map_max.
++       */
++      int *map = smp_load_acquire(&tgid_map);
++
++      if (unlikely(!map || pid > tgid_map_max))
++              return NULL;
++
++      return &map[pid];
++}
++
+ int trace_find_tgid(int pid)
+ {
+-      if (unlikely(!tgid_map || !pid || pid > PID_MAX_DEFAULT))
+-              return 0;
++      int *ptr = trace_find_tgid_ptr(pid);
+-      return tgid_map[pid];
++      return ptr ? *ptr : 0;
+ }
+ static int trace_save_tgid(struct task_struct *tsk)
+ {
++      int *ptr;
++
+       /* treat recording of idle task as a success */
+       if (!tsk->pid)
+               return 1;
+-      if (unlikely(!tgid_map || tsk->pid > PID_MAX_DEFAULT))
++      ptr = trace_find_tgid_ptr(tsk->pid);
++      if (!ptr)
+               return 0;
+-      tgid_map[tsk->pid] = tsk->tgid;
++      *ptr = tsk->tgid;
+       return 1;
+ }
+@@ -4355,6 +4379,8 @@ int trace_keep_overwrite(struct tracer *
+ int set_tracer_flag(struct trace_array *tr, unsigned int mask, int enabled)
+ {
++      int *map;
++
+       if ((mask == TRACE_ITER_RECORD_TGID) ||
+           (mask == TRACE_ITER_RECORD_CMD))
+               lockdep_assert_held(&event_mutex);
+@@ -4377,10 +4403,19 @@ int set_tracer_flag(struct trace_array *
+               trace_event_enable_cmd_record(enabled);
+       if (mask == TRACE_ITER_RECORD_TGID) {
+-              if (!tgid_map)
+-                      tgid_map = kvcalloc(PID_MAX_DEFAULT + 1,
+-                                         sizeof(*tgid_map),
+-                                         GFP_KERNEL);
++              if (!tgid_map) {
++                      tgid_map_max = pid_max;
++                      map = kvcalloc(tgid_map_max + 1, sizeof(*tgid_map),
++                                     GFP_KERNEL);
++
++                      /*
++                       * Pairs with smp_load_acquire() in
++                       * trace_find_tgid_ptr() to ensure that if it observes
++                       * the tgid_map we just allocated then it also observes
++                       * the corresponding tgid_map_max value.
++                       */
++                      smp_store_release(&tgid_map, map);
++              }
+               if (!tgid_map) {
+                       tr->trace_flags &= ~TRACE_ITER_RECORD_TGID;
+                       return -ENOMEM;
+@@ -4754,18 +4789,14 @@ static void *saved_tgids_next(struct seq
+ {
+       int pid = ++(*pos);
+-      if (pid > PID_MAX_DEFAULT)
+-              return NULL;
+-
+-      return &tgid_map[pid];
++      return trace_find_tgid_ptr(pid);
+ }
+ static void *saved_tgids_start(struct seq_file *m, loff_t *pos)
+ {
+-      if (!tgid_map || *pos > PID_MAX_DEFAULT)
+-              return NULL;
++      int pid = *pos;
+-      return &tgid_map[*pos];
++      return trace_find_tgid_ptr(pid);
+ }
+ static void saved_tgids_stop(struct seq_file *m, void *v)
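Review bot: In `trace_find_tgid_ptr()` the bound check `pid > tgid_map_max` compares an `int` with a `size_t`, so a negative `pid` is rejected only because it converts to a very large unsigned value. Writing the intent out, `if (unlikely(!map || pid < 0 || pid > tgid_map_max))`, keeps the check correct if either type changes later. Relatedly, `saved_tgids_start()` now does `int pid = *pos;` before any range check, whereas the removed line compared `*pos` (a `loff_t`) against the limit directly, so an offset above INT_MAX would be narrowed before it is checked. Whether seq_file can hand in such an offset is not visible here. Checking before narrowing, e.g. `if (*pos > tgid_map_max) return NULL;`, would preserve the previous behaviour.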
diff --git a/queue-4.19/tracing-simplify-fix-saved_tgids-logic.patch b/queue-4.19/tracing-simplify-fix-saved_tgids-logic.patch
new file mode 100644 (file)
index 0000000..635fd3f
--- /dev/null
@@ -0,0 +1,111 @@
+From b81b3e959adb107cd5b36c7dc5ba1364bbd31eb2 Mon Sep 17 00:00:00 2001
+From: Paul Burton <paulburton@google.com>
+Date: Tue, 29 Jun 2021 17:34:05 -0700
+Subject: tracing: Simplify & fix saved_tgids logic
+
+From: Paul Burton <paulburton@google.com>
+
+commit b81b3e959adb107cd5b36c7dc5ba1364bbd31eb2 upstream.
+
+The tgid_map array records a mapping from pid to tgid, where the index
+of an entry within the array is the pid & the value stored at that index
+is the tgid.
+
+The saved_tgids_next() function iterates over pointers into the tgid_map
+array & dereferences the pointers which results in the tgid, but then it
+passes that dereferenced value to trace_find_tgid() which treats it as a
+pid & does a further lookup within the tgid_map array. It seems likely
+that the intent here was to skip over entries in tgid_map for which the
+recorded tgid is zero, but instead we end up skipping over entries for
+which the thread group leader hasn't yet had its own tgid recorded in
+tgid_map.
+
+A minimal fix would be to remove the call to trace_find_tgid, turning:
+
+  if (trace_find_tgid(*ptr))
+
+into:
+
+  if (*ptr)
+
+..but it seems like this logic can be much simpler if we simply let
+seq_read() iterate over the whole tgid_map array & filter out empty
+entries by returning SEQ_SKIP from saved_tgids_show(). Here we take that
+approach, removing the incorrect logic here entirely.
+
+Link: https://lkml.kernel.org/r/20210630003406.4013668-1-paulburton@google.com
+
+Fixes: d914ba37d714 ("tracing: Add support for recording tgid of tasks")
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Joel Fernandes <joelaf@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Paul Burton <paulburton@google.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace.c |   38 +++++++++++++-------------------------
+ 1 file changed, 13 insertions(+), 25 deletions(-)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -4752,37 +4752,20 @@ static const struct file_operations trac
+ static void *saved_tgids_next(struct seq_file *m, void *v, loff_t *pos)
+ {
+-      int *ptr = v;
++      int pid = ++(*pos);
+-      if (*pos || m->count)
+-              ptr++;
+-
+-      (*pos)++;
+-
+-      for (; ptr <= &tgid_map[PID_MAX_DEFAULT]; ptr++) {
+-              if (trace_find_tgid(*ptr))
+-                      return ptr;
+-      }
++      if (pid > PID_MAX_DEFAULT)
++              return NULL;
+-      return NULL;
++      return &tgid_map[pid];
+ }
+ static void *saved_tgids_start(struct seq_file *m, loff_t *pos)
+ {
+-      void *v;
+-      loff_t l = 0;
+-
+-      if (!tgid_map)
++      if (!tgid_map || *pos > PID_MAX_DEFAULT)
+               return NULL;
+-      v = &tgid_map[0];
+-      while (l <= *pos) {
+-              v = saved_tgids_next(m, v, &l);
+-              if (!v)
+-                      return NULL;
+-      }
+-
+-      return v;
++      return &tgid_map[*pos];
+ }
+ static void saved_tgids_stop(struct seq_file *m, void *v)
+@@ -4791,9 +4774,14 @@ static void saved_tgids_stop(struct seq_
+ static int saved_tgids_show(struct seq_file *m, void *v)
+ {
+-      int pid = (int *)v - tgid_map;
++      int *entry = (int *)v;
++      int pid = entry - tgid_map;
++      int tgid = *entry;
++
++      if (tgid == 0)
++              return SEQ_SKIP;
+-      seq_printf(m, "%d %d\n", pid, trace_find_tgid(pid));
++      seq_printf(m, "%d %d\n", pid, tgid);
+       return 0;
+ }