commit 15a1c6b6f5162f7b70cf9a77cd8ed9771c1f0b53
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Wed Apr 20 09:08:33 2022 +0200

    Linux 4.14.276
    
    Link: https://lore.kernel.org/r/20220418121210.689577360@linuxfoundation.org
    Tested-by: Guenter Roeck <linux@roeck-us.net>
    Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
    Tested-by: Jon Hunter <jonathanh@nvidia.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bdbbb9ceb986a846cd59454128e1d1f2b73358d4
Author: Martin Povišer <povik+lin@cutebit.org>
Date:   Tue Mar 29 20:38:17 2022 +0200

    i2c: pasemi: Wait for write xfers to finish
    
    commit bd8963e602c77adc76dbbbfc3417c3cf14fed76b upstream.
    
    Wait for completion of write transfers before returning from the driver.
    At first sight it may seem advantageous to leave write transfers queued
    for the controller to carry out on its own time, but there's a couple of
    issues with it:
    
     * Driver doesn't check for FIFO space.
    
     * The queued writes can complete while the driver is in its I2C read
       transfer path which means it will get confused by the raising of
       XEN (the 'transaction ended' signal). This can cause a spurious
       ENODATA error due to premature reading of the MRXFIFO register.
    
    Adding the wait fixes some unreliability issues with the driver. There's
    some efficiency cost to it (especially with pasemi_smb_waitready doing
    its polling), but that will be alleviated once the driver receives
    interrupt support.
    
    Fixes: beb58aa39e6e ("i2c: PA Semi SMBus driver")
    Signed-off-by: Martin Povišer <povik+lin@cutebit.org>
    Reviewed-by: Sven Peter <sven@svenpeter.dev>
    Signed-off-by: Wolfram Sang <wsa@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0f088623b6db0d533fe7fa787d0283b58a275b18
Author: Nadav Amit <namit@vmware.com>
Date:   Sat Mar 19 00:20:15 2022 -0700

    smp: Fix offline cpu check in flush_smp_call_function_queue()
    
    commit 9e949a3886356fe9112c6f6f34a6e23d1d35407f upstream.
    
    The check in flush_smp_call_function_queue() for callbacks that are sent
    to offline CPUs currently checks whether the queue is empty.
    
    However, flush_smp_call_function_queue() has just deleted all the
    callbacks from the queue and moved all the entries into a local list.
    This checks would only be positive if some callbacks were added in the
    short time after llist_del_all() was called. This does not seem to be
    the intention of this check.
    
    Change the check to look at the local list to which the entries were
    moved instead of the queue from which all the callbacks were just
    removed.
    
    Fixes: 8d056c48e4862 ("CPU hotplug, smp: flush any pending IPI callbacks before CPU offline")
    Signed-off-by: Nadav Amit <namit@vmware.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Link: https://lore.kernel.org/r/20220319072015.1495036-1-namit@vmware.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a12b356d45cbb6e8a1b718d1436b3d6239a862f3
Author: Nathan Chancellor <nathan@kernel.org>
Date:   Thu Dec 23 15:21:41 2021 -0700

    ARM: davinci: da850-evm: Avoid NULL pointer dereference
    
    commit 83a1cde5c74bfb44b49cb2a940d044bb2380f4ea upstream.
    
    With newer versions of GCC, there is a panic in da850_evm_config_emac()
    when booting multi_v5_defconfig in QEMU under the palmetto-bmc machine:
    
    Unable to handle kernel NULL pointer dereference at virtual address 00000020
    pgd = (ptrval)
    [00000020] *pgd=00000000
    Internal error: Oops: 5 [#1] PREEMPT ARM
    Modules linked in:
    CPU: 0 PID: 1 Comm: swapper Not tainted 5.15.0 #1
    Hardware name: Generic DT based system
    PC is at da850_evm_config_emac+0x1c/0x120
    LR is at do_one_initcall+0x50/0x1e0
    
    The emac_pdata pointer in soc_info is NULL because davinci_soc_info only
    gets populated on davinci machines but da850_evm_config_emac() is called
    on all machines via device_initcall().
    
    Move the rmii_en assignment below the machine check so that it is only
    dereferenced when running on a supported SoC.
    
    Fixes: bae105879f2f ("davinci: DA850/OMAP-L138 EVM: implement autodetect of RMII PHY")
    Signed-off-by: Nathan Chancellor <nathan@kernel.org>
    Reviewed-by: Arnd Bergmann <arnd@arndb.de>
    Reviewed-by: Bartosz Golaszewski <brgl@bgdev.pl>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/YcS4xVWs6bQlQSPC@archlinux-ax161/
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c3b2f23bfe5452b00eb1c842bc71098449e4ad9f
Author: Fabio M. De Francesco <fmdefrancesco@gmail.com>
Date:   Sat Apr 9 03:26:55 2022 +0200

    ALSA: pcm: Test for "silence" field in struct "pcm_format_data"
    
    commit 2f7a26abb8241a0208c68d22815aa247c5ddacab upstream.
    
    Syzbot reports "KASAN: null-ptr-deref Write in
    snd_pcm_format_set_silence".[1]
    
    It is due to missing validation of the "silence" field of struct
    "pcm_format_data" in "pcm_formats" array.
    
    Add a test for valid "pat" and, if it is not so, return -EINVAL.
    
    [1] https://lore.kernel.org/lkml/000000000000d188ef05dc2c7279@google.com/
    
    Reported-and-tested-by: syzbot+205eb15961852c2c5974@syzkaller.appspotmail.com
    Signed-off-by: Fabio M. De Francesco <fmdefrancesco@gmail.com>
    Cc: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20220409012655.9399-1-fmdefrancesco@gmail.com
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 846737e63cfe7ee81788c4ca9babe0d3bf687677
Author: Jason A. Donenfeld <Jason@zx2c4.com>
Date:   Wed Apr 6 00:28:15 2022 +0200

    gcc-plugins: latent_entropy: use /dev/urandom
    
    commit c40160f2998c897231f8454bf797558d30a20375 upstream.
    
    While the latent entropy plugin mostly doesn't derive entropy from
    get_random_const() for measuring the call graph, when __latent_entropy is
    applied to a constant, then it's initialized statically to output from
    get_random_const(). In that case, this data is derived from a 64-bit
    seed, which means a buffer of 512 bits doesn't really have that amount
    of compile-time entropy.
    
    This patch fixes that shortcoming by just buffering chunks of
    /dev/urandom output and doling it out as requested.
    
    At the same time, it's important that we don't break the use of
    -frandom-seed, for people who want the runtime benefits of the latent
    entropy plugin, while still having compile-time determinism. In that
    case, we detect whether gcc's set_random_seed() has been called by
    making a call to get_random_seed(noinit=true) in the plugin init
    function, which is called after set_random_seed() is called but before
    anything that calls get_random_seed(noinit=false), and seeing if it's
    zero or not. If it's not zero, we're in deterministic mode, and so we
    just generate numbers with a basic xorshift prng.
    
    Note that we don't detect if -frandom-seed is being used using the
    documented local_tick variable, because it's assigned via:
       local_tick = (unsigned) tv.tv_sec * 1000 + tv.tv_usec / 1000;
    which may well overflow and become -1 on its own, and so isn't
    reliable: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105171
    
    [kees: The 256 byte rnd_buf size was chosen based on average (250),
     median (64), and std deviation (575) bytes of used entropy for a
     defconfig x86_64 build]
    
    Fixes: 38addce8b600 ("gcc-plugins: Add latent_entropy plugin")
    Cc: stable@vger.kernel.org
    Cc: PaX Team <pageexec@freemail.hu>
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Link: https://lore.kernel.org/r/20220405222815.21155-1-Jason@zx2c4.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 07f108f15fd75a9bff704eed718cc12f91b080dc
Author: Patrick Wang <patrick.wang.shcn@gmail.com>
Date:   Thu Apr 14 19:14:04 2022 -0700

    mm: kmemleak: take a full lowmem check in kmemleak_*_phys()
    
    commit 23c2d497de21f25898fbea70aeb292ab8acc8c94 upstream.
    
    The kmemleak_*_phys() apis do not check the address for lowmem's min
    boundary, while the caller may pass an address below lowmem, which will
    trigger an oops:
    
      # echo scan > /sys/kernel/debug/kmemleak
      Unable to handle kernel paging request at virtual address ff5fffffffe00000
      Oops [#1]
      Modules linked in:
      CPU: 2 PID: 134 Comm: bash Not tainted 5.18.0-rc1-next-20220407 #33
      Hardware name: riscv-virtio,qemu (DT)
      epc : scan_block+0x74/0x15c
       ra : scan_block+0x72/0x15c
      epc : ffffffff801e5806 ra : ffffffff801e5804 sp : ff200000104abc30
       gp : ffffffff815cd4e8 tp : ff60000004cfa340 t0 : 0000000000000200
       t1 : 00aaaaaac23954cc t2 : 00000000000003ff s0 : ff200000104abc90
       s1 : ffffffff81b0ff28 a0 : 0000000000000000 a1 : ff5fffffffe01000
       a2 : ffffffff81b0ff28 a3 : 0000000000000002 a4 : 0000000000000001
       a5 : 0000000000000000 a6 : ff200000104abd7c a7 : 0000000000000005
       s2 : ff5fffffffe00ff9 s3 : ffffffff815cd998 s4 : ffffffff815d0e90
       s5 : ffffffff81b0ff28 s6 : 0000000000000020 s7 : ffffffff815d0eb0
       s8 : ffffffffffffffff s9 : ff5fffffffe00000 s10: ff5fffffffe01000
       s11: 0000000000000022 t3 : 00ffffffaa17db4c t4 : 000000000000000f
       t5 : 0000000000000001 t6 : 0000000000000000
      status: 0000000000000100 badaddr: ff5fffffffe00000 cause: 000000000000000d
        scan_gray_list+0x12e/0x1a6
        kmemleak_scan+0x2aa/0x57e
        kmemleak_write+0x32a/0x40c
        full_proxy_write+0x56/0x82
        vfs_write+0xa6/0x2a6
        ksys_write+0x6c/0xe2
        sys_write+0x22/0x2a
        ret_from_syscall+0x0/0x2
    
    The callers may not quite know the actual address they pass(e.g. from
    devicetree).  So the kmemleak_*_phys() apis should guarantee the address
    they finally use is in lowmem range, so check the address for lowmem's
    min boundary.
    
    Link: https://lkml.kernel.org/r/20220413122925.33856-1-patrick.wang.shcn@gmail.com
    Signed-off-by: Patrick Wang <patrick.wang.shcn@gmail.com>
    Acked-by: Catalin Marinas <catalin.marinas@arm.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bd945e1e0b3aea3db5548afc5d316df0d336d4ec
Author: Juergen Gross <jgross@suse.com>
Date:   Thu Apr 14 19:13:43 2022 -0700

    mm, page_alloc: fix build_zonerefs_node()
    
    commit e553f62f10d93551eb883eca227ac54d1a4fad84 upstream.
    
    Since commit 6aa303defb74 ("mm, vmscan: only allocate and reclaim from
    zones with pages managed by the buddy allocator") only zones with free
    memory are included in a built zonelist.  This is problematic when e.g.
    all memory of a zone has been ballooned out when zonelists are being
    rebuilt.
    
    The decision whether to rebuild the zonelists when onlining new memory
    is done based on populated_zone() returning 0 for the zone the memory
    will be added to.  The new zone is added to the zonelists only, if it
    has free memory pages (managed_zone() returns a non-zero value) after
    the memory has been onlined.  This implies, that onlining memory will
    always free the added pages to the allocator immediately, but this is
    not true in all cases: when e.g. running as a Xen guest the onlined new
    memory will be added only to the ballooned memory list, it will be freed
    only when the guest is being ballooned up afterwards.
    
    Another problem with using managed_zone() for the decision whether a
    zone is being added to the zonelists is, that a zone with all memory
    used will in fact be removed from all zonelists in case the zonelists
    happen to be rebuilt.
    
    Use populated_zone() when building a zonelist as it has been done before
    that commit.
    
    There was a report that QubesOS (based on Xen) is hitting this problem.
    Xen has switched to use the zone device functionality in kernel 5.9 and
    QubesOS wants to use memory hotplugging for guests in order to be able
    to start a guest with minimal memory and expand it as needed.  This was
    the report leading to the patch.
    
    Link: https://lkml.kernel.org/r/20220407120637.9035-1-jgross@suse.com
    Fixes: 6aa303defb74 ("mm, vmscan: only allocate and reclaim from zones with pages managed by the buddy allocator")
    Signed-off-by: Juergen Gross <jgross@suse.com>
    Reported-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
    Acked-by: Michal Hocko <mhocko@suse.com>
    Acked-by: David Hildenbrand <david@redhat.com>
    Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
    Reviewed-by: Wei Yang <richard.weiyang@gmail.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3fdb033f8f8c978489c7702a4a44494b7ae63424
Author: Duoming Zhou <duoming@zju.edu.cn>
Date:   Tue Apr 5 21:22:06 2022 +0800

    drivers: net: slip: fix NPD bug in sl_tx_timeout()
    
    [ Upstream commit ec4eb8a86ade4d22633e1da2a7d85a846b7d1798 ]
    
    When a slip driver is detaching, the slip_close() will act to
    cleanup necessary resources and sl->tty is set to NULL in
    slip_close(). Meanwhile, the packet we transmit is blocked,
    sl_tx_timeout() will be called. Although slip_close() and
    sl_tx_timeout() use sl->lock to synchronize, we don`t judge
    whether sl->tty equals to NULL in sl_tx_timeout() and the
    null pointer dereference bug will happen.
    
       (Thread 1)                 |      (Thread 2)
                                  | slip_close()
                                  |   spin_lock_bh(&sl->lock)
                                  |   ...
    ...                           |   sl->tty = NULL //(1)
    sl_tx_timeout()               |   spin_unlock_bh(&sl->lock)
      spin_lock(&sl->lock);       |
      ...                         |   ...
      tty_chars_in_buffer(sl->tty)|
        if (tty->ops->..) //(2)   |
        ...                       |   synchronize_rcu()
    
    We set NULL to sl->tty in position (1) and dereference sl->tty
    in position (2).
    
    This patch adds check in sl_tx_timeout(). If sl->tty equals to
    NULL, sl_tx_timeout() will goto out.
    
    Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
    Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
    Link: https://lore.kernel.org/r/20220405132206.55291-1-duoming@zju.edu.cn
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f2c1d05dac45830a23a39ce50fc80ea021478a95
Author: Alexey Galakhov <agalakhov@gmail.com>
Date:   Wed Mar 9 22:25:35 2022 +0100

    scsi: mvsas: Add PCI ID of RocketRaid 2640
    
    [ Upstream commit 5f2bce1e222028dc1c15f130109a17aa654ae6e8 ]
    
    The HighPoint RocketRaid 2640 is a low-cost SAS controller based on Marvell
    chip. The chip in question was already supported by the kernel, just the
    PCI ID of this particular board was missing.
    
    Link: https://lore.kernel.org/r/20220309212535.402987-1-agalakhov@gmail.com
    Signed-off-by: Alexey Galakhov <agalakhov@gmail.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 726236c5df5c1d096e0dafdba6750c3b4b9d1c8c
Author: Leo Ruan <tingquan.ruan@cn.bosch.com>
Date:   Mon Feb 7 16:14:11 2022 +0100

    gpu: ipu-v3: Fix dev_dbg frequency output
    
    [ Upstream commit 070a88fd4a03f921b73a2059e97d55faaa447dab ]
    
    This commit corrects the printing of the IPU clock error percentage if
    it is between -0.1% to -0.9%. For example, if the pixel clock requested
    is 27.2 MHz but only 27.0 MHz can be achieved the deviation is -0.8%.
    But the fixed point math had a flaw and calculated error of 0.2%.
    
    Before:
      Clocks: IPU 270000000Hz DI 24716667Hz Needed 27200000Hz
      IPU clock can give 27000000 with divider 10, error 0.2%
      Want 27200000Hz IPU 270000000Hz DI 24716667Hz using IPU, 27000000Hz
    
    After:
      Clocks: IPU 270000000Hz DI 24716667Hz Needed 27200000Hz
      IPU clock can give 27000000 with divider 10, error -0.8%
      Want 27200000Hz IPU 270000000Hz DI 24716667Hz using IPU, 27000000Hz
    
    Signed-off-by: Leo Ruan <tingquan.ruan@cn.bosch.com>
    Signed-off-by: Mark Jonas <mark.jonas@de.bosch.com>
    Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de>
    Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
    Link: https://lore.kernel.org/r/20220207151411.5009-1-mark.jonas@de.bosch.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 9599f3668d2e479388daf5b9a57ab31abcb7e2fe
Author: Christian Lamparter <chunkeey@gmail.com>
Date:   Sat Mar 19 21:11:03 2022 +0100

    ata: libata-core: Disable READ LOG DMA EXT for Samsung 840 EVOs
    
    [ Upstream commit 5399752299396a3c9df6617f4b3c907d7aa4ded8 ]
    
    Samsung' 840 EVO with the latest firmware (EXT0DB6Q) locks up with
    the a message: "READ LOG DMA EXT failed, trying PIO" during boot.
    
    Initially this was discovered because it caused a crash
    with the sata_dwc_460ex controller on a WD MyBook Live DUO.
    
    The reporter "Tice Rex" which has the unique opportunity that he
    has two Samsung 840 EVO SSD! One with the older firmware "EXT0BB0Q"
    which booted fine and didn't expose "READ LOG DMA EXT". But the
    newer/latest firmware "EXT0DB6Q" caused the headaches.
    
    BugLink: https://github.com/openwrt/openwrt/issues/9505
    Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
    Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 84ddee4ea320411fa038d4f1fd9a0161f989b482
Author: Randy Dunlap <rdunlap@infradead.org>
Date:   Thu Mar 31 22:42:44 2022 -0700

    net: micrel: fix KS8851_MLL Kconfig
    
    [ Upstream commit c3efcedd272aa6dd5929e20cf902a52ddaa1197a ]
    
    KS8851_MLL selects MICREL_PHY, which depends on PTP_1588_CLOCK_OPTIONAL,
    so make KS8851_MLL also depend on PTP_1588_CLOCK_OPTIONAL since
    'select' does not follow any dependency chains.
    
    Fixes kconfig warning and build errors:
    
    WARNING: unmet direct dependencies detected for MICREL_PHY
      Depends on [m]: NETDEVICES [=y] && PHYLIB [=y] && PTP_1588_CLOCK_OPTIONAL [=m]
      Selected by [y]:
      - KS8851_MLL [=y] && NETDEVICES [=y] && ETHERNET [=y] && NET_VENDOR_MICREL [=y] && HAS_IOMEM [=y]
    
    ld: drivers/net/phy/micrel.o: in function `lan8814_ts_info':
    micrel.c:(.text+0xb35): undefined reference to `ptp_clock_index'
    ld: drivers/net/phy/micrel.o: in function `lan8814_probe':
    micrel.c:(.text+0x2586): undefined reference to `ptp_clock_register'
    
    Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
    Cc: "David S. Miller" <davem@davemloft.net>
    Cc: Jakub Kicinski <kuba@kernel.org>
    Cc: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 43427547a3e42c499adbe32f4edb234dff9d49d9
Author: Tyrel Datwyler <tyreld@linux.ibm.com>
Date:   Tue Mar 22 12:44:43 2022 -0700

    scsi: ibmvscsis: Increase INITIAL_SRP_LIMIT to 1024
    
    [ Upstream commit 0bade8e53279157c7cc9dd95d573b7e82223d78a ]
    
    The adapter request_limit is hardcoded to be INITIAL_SRP_LIMIT which is
    currently an arbitrary value of 800. Increase this value to 1024 which
    better matches the characteristics of the typical IBMi Initiator that
    supports 32 LUNs and a queue depth of 32.
    
    This change also has the secondary benefit of being a power of two as
    required by the kfifo API. Since, Commit ab9bb6318b09 ("Partially revert
    "kfifo: fix kfifo_alloc() and kfifo_init()"") the size of IU pool for each
    target has been rounded down to 512 when attempting to kfifo_init() those
    pools with the current request_limit size of 800.
    
    Link: https://lore.kernel.org/r/20220322194443.678433-1-tyreld@linux.ibm.com
    Signed-off-by: Tyrel Datwyler <tyreld@linux.ibm.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit d7c5d79e50be6e06b669141e3db1f977a0dd4e8e
Author: Xiaoguang Wang <xiaoguang.wang@linux.alibaba.com>
Date:   Fri Mar 11 21:22:05 2022 +0800

    scsi: target: tcmu: Fix possible page UAF
    
    [ Upstream commit a6968f7a367f128d120447360734344d5a3d5336 ]
    
    tcmu_try_get_data_page() looks up pages under cmdr_lock, but it does not
    take refcount properly and just returns page pointer. When
    tcmu_try_get_data_page() returns, the returned page may have been freed by
    tcmu_blocks_release().
    
    We need to get_page() under cmdr_lock to avoid concurrent
    tcmu_blocks_release().
    
    Link: https://lore.kernel.org/r/20220311132206.24515-1-xiaoguang.wang@linux.alibaba.com
    Reviewed-by: Bodo Stroesser <bostroesser@gmail.com>
    Signed-off-by: Xiaoguang Wang <xiaoguang.wang@linux.alibaba.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3e876ea92c97dc819891a79dd97882dffac62f8f
Author: Michael Kelley <mikelley@microsoft.com>
Date:   Sun Mar 27 08:25:10 2022 -0700

    Drivers: hv: vmbus: Prevent load re-ordering when reading ring buffer
    
    [ Upstream commit b6cae15b5710c8097aad26a2e5e752c323ee5348 ]
    
    When reading a packet from a host-to-guest ring buffer, there is no
    memory barrier between reading the write index (to see if there is
    a packet to read) and reading the contents of the packet. The Hyper-V
    host uses store-release when updating the write index to ensure that
    writes of the packet data are completed first. On the guest side,
    the processor can reorder and read the packet data before the write
    index, and sometimes get stale packet data. Getting such stale packet
    data has been observed in a reproducible case in a VM on ARM64.
    
    Fix this by using virt_load_acquire() to read the write index,
    ensuring that reads of the packet data cannot be reordered
    before it. Preventing such reordering is logically correct, and
    with this change, getting stale data can no longer be reproduced.
    
    Signed-off-by: Michael Kelley <mikelley@microsoft.com>
    Reviewed-by: Andrea Parri (Microsoft) <parri.andrea@gmail.com>
    Link: https://lore.kernel.org/r/1648394710-33480-1-git-send-email-mikelley@microsoft.com
    Signed-off-by: Wei Liu <wei.liu@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 40bf32dbfef866c83a3e74800b81d79e52b6d20b
Author: QintaoShen <unSimple1993@163.com>
Date:   Thu Mar 24 16:26:23 2022 +0800

    drm/amdkfd: Check for potential null return of kmalloc_array()
    
    [ Upstream commit ebbb7bb9e80305820dc2328a371c1b35679f2667 ]
    
    As the kmalloc_array() may return null, the 'event_waiters[i].wait' would lead to null-pointer dereference.
    Therefore, it is better to check the return value of kmalloc_array() to avoid this confusion.
    
    Signed-off-by: QintaoShen <unSimple1993@163.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 47416843bb571ea37ee7eb5d5f6a2e4af956343a
Author: Aurabindo Pillai <aurabindo.pillai@amd.com>
Date:   Tue Mar 15 14:53:24 2022 -0400

    drm/amd: Add USBC connector ID
    
    [ Upstream commit c5c948aa894a831f96fccd025e47186b1ee41615 ]
    
    [Why&How] Add a dedicated AMDGPU specific ID for use with
    newer ASICs that support USB-C output
    
    Signed-off-by: Aurabindo Pillai <aurabindo.pillai@amd.com>
    Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 1316c28569a80ab3596eeab05bf5e01991e7e739
Author: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Date:   Wed Apr 13 04:42:51 2022 -0700

    cifs: potential buffer overflow in handling symlinks
    
    [ Upstream commit 64c4a37ac04eeb43c42d272f6e6c8c12bfcf4304 ]
    
    Smatch printed a warning:
            arch/x86/crypto/poly1305_glue.c:198 poly1305_update_arch() error:
            __memcpy() 'dctx->buf' too small (16 vs u32max)
    
    It's caused because Smatch marks 'link_len' as untrusted since it comes
    from sscanf(). Add a check to ensure that 'link_len' is not larger than
    the size of the 'link_str' buffer.
    
    Fixes: c69c1b6eaea1 ("cifs: implement CIFSParseMFSymlink()")
    Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
    Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
    Signed-off-by: Steve French <stfrench@microsoft.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 9d243aff5f7e6b04e907c617426bbdf26e996ac8
Author: Lin Ma <linma@zju.edu.cn>
Date:   Wed Apr 13 00:04:30 2022 +0800

    nfc: nci: add flush_workqueue to prevent uaf
    
    [ Upstream commit ef27324e2cb7bb24542d6cb2571740eefe6b00dc ]
    
    Our detector found a concurrent use-after-free bug when detaching an
    NCI device. The main reason for this bug is the unexpected scheduling
    between the used delayed mechanism (timer and workqueue).
    
    The race can be demonstrated below:
    
    Thread-1                           Thread-2
                                     | nci_dev_up()
                                     |   nci_open_device()
                                     |     __nci_request(nci_reset_req)
                                     |       nci_send_cmd
                                     |         queue_work(cmd_work)
    nci_unregister_device()          |
      nci_close_device()             | ...
        del_timer_sync(cmd_timer)[1] |
    ...                              | Worker
    nci_free_device()                | nci_cmd_work()
      kfree(ndev)[3]                 |   mod_timer(cmd_timer)[2]
    
    In short, the cleanup routine thought that the cmd_timer has already
    been detached by [1] but the mod_timer can re-attach the timer [2], even
    it is already released [3], resulting in UAF.
    
    This UAF is easy to trigger, crash trace by POC is like below
    
    [   66.703713] ==================================================================
    [   66.703974] BUG: KASAN: use-after-free in enqueue_timer+0x448/0x490
    [   66.703974] Write of size 8 at addr ffff888009fb7058 by task kworker/u4:1/33
    [   66.703974]
    [   66.703974] CPU: 1 PID: 33 Comm: kworker/u4:1 Not tainted 5.18.0-rc2 #5
    [   66.703974] Workqueue: nfc2_nci_cmd_wq nci_cmd_work
    [   66.703974] Call Trace:
    [   66.703974]  <TASK>
    [   66.703974]  dump_stack_lvl+0x57/0x7d
    [   66.703974]  print_report.cold+0x5e/0x5db
    [   66.703974]  ? enqueue_timer+0x448/0x490
    [   66.703974]  kasan_report+0xbe/0x1c0
    [   66.703974]  ? enqueue_timer+0x448/0x490
    [   66.703974]  enqueue_timer+0x448/0x490
    [   66.703974]  __mod_timer+0x5e6/0xb80
    [   66.703974]  ? mark_held_locks+0x9e/0xe0
    [   66.703974]  ? try_to_del_timer_sync+0xf0/0xf0
    [   66.703974]  ? lockdep_hardirqs_on_prepare+0x17b/0x410
    [   66.703974]  ? queue_work_on+0x61/0x80
    [   66.703974]  ? lockdep_hardirqs_on+0xbf/0x130
    [   66.703974]  process_one_work+0x8bb/0x1510
    [   66.703974]  ? lockdep_hardirqs_on_prepare+0x410/0x410
    [   66.703974]  ? pwq_dec_nr_in_flight+0x230/0x230
    [   66.703974]  ? rwlock_bug.part.0+0x90/0x90
    [   66.703974]  ? _raw_spin_lock_irq+0x41/0x50
    [   66.703974]  worker_thread+0x575/0x1190
    [   66.703974]  ? process_one_work+0x1510/0x1510
    [   66.703974]  kthread+0x2a0/0x340
    [   66.703974]  ? kthread_complete_and_exit+0x20/0x20
    [   66.703974]  ret_from_fork+0x22/0x30
    [   66.703974]  </TASK>
    [   66.703974]
    [   66.703974] Allocated by task 267:
    [   66.703974]  kasan_save_stack+0x1e/0x40
    [   66.703974]  __kasan_kmalloc+0x81/0xa0
    [   66.703974]  nci_allocate_device+0xd3/0x390
    [   66.703974]  nfcmrvl_nci_register_dev+0x183/0x2c0
    [   66.703974]  nfcmrvl_nci_uart_open+0xf2/0x1dd
    [   66.703974]  nci_uart_tty_ioctl+0x2c3/0x4a0
    [   66.703974]  tty_ioctl+0x764/0x1310
    [   66.703974]  __x64_sys_ioctl+0x122/0x190
    [   66.703974]  do_syscall_64+0x3b/0x90
    [   66.703974]  entry_SYSCALL_64_after_hwframe+0x44/0xae
    [   66.703974]
    [   66.703974] Freed by task 406:
    [   66.703974]  kasan_save_stack+0x1e/0x40
    [   66.703974]  kasan_set_track+0x21/0x30
    [   66.703974]  kasan_set_free_info+0x20/0x30
    [   66.703974]  __kasan_slab_free+0x108/0x170
    [   66.703974]  kfree+0xb0/0x330
    [   66.703974]  nfcmrvl_nci_unregister_dev+0x90/0xd0
    [   66.703974]  nci_uart_tty_close+0xdf/0x180
    [   66.703974]  tty_ldisc_kill+0x73/0x110
    [   66.703974]  tty_ldisc_hangup+0x281/0x5b0
    [   66.703974]  __tty_hangup.part.0+0x431/0x890
    [   66.703974]  tty_release+0x3a8/0xc80
    [   66.703974]  __fput+0x1f0/0x8c0
    [   66.703974]  task_work_run+0xc9/0x170
    [   66.703974]  exit_to_user_mode_prepare+0x194/0x1a0
    [   66.703974]  syscall_exit_to_user_mode+0x19/0x50
    [   66.703974]  do_syscall_64+0x48/0x90
    [   66.703974]  entry_SYSCALL_64_after_hwframe+0x44/0xae
    
    To fix the UAF, this patch adds flush_workqueue() to ensure the
    nci_cmd_work is finished before the following del_timer_sync.
    This combination will promise the timer is actually detached.
    
    Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation")
    Signed-off-by: Lin Ma <linma@zju.edu.cn>
    Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 75e105d068cb98e43a6bb6b196fc006da52f9ee5
Author: Dinh Nguyen <dinguyen@kernel.org>
Date:   Thu Apr 7 08:25:21 2022 -0500

    net: ethernet: stmmac: fix altr_tse_pcs function when using a fixed-link
    
    [ Upstream commit a6aaa00324240967272b451bfa772547bd576ee6 ]
    
    When using a fixed-link, the altr_tse_pcs driver crashes
    due to null-pointer dereference as no phy_device is provided to
    tse_pcs_fix_mac_speed function. Fix this by adding a check for
    phy_dev before calling the tse_pcs_fix_mac_speed() function.
    
    Also clean up the tse_pcs_fix_mac_speed function a bit. There is
    no need to check for splitter_base and sgmii_adapter_base
    because the driver will fail if these 2 variables are not
    derived from the device tree.
    
    Fixes: fb3bbdb85989 ("net: ethernet: Add TSE PCS support to dwmac-socfpga")
    Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 5867c4e88fe1e1b23d57f749900ec5511bac6aa7
Author: Vadim Pasternak <vadimp@nvidia.com>
Date:   Thu Apr 7 10:07:03 2022 +0300

    mlxsw: i2c: Fix initialization error flow
    
    [ Upstream commit d452088cdfd5a4ad9d96d847d2273fe958d6339b ]
    
    Add mutex_destroy() call in driver initialization error flow.
    
    Fixes: 6882b0aee180f ("mlxsw: Introduce support for I2C bus")
    Signed-off-by: Vadim Pasternak <vadimp@nvidia.com>
    Signed-off-by: Ido Schimmel <idosch@nvidia.com>
    Link: https://lore.kernel.org/r/20220407070703.2421076-1-idosch@nvidia.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 64f42625d8b6a6ac8651cc1520bafebb0ab9552d
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Sat Mar 19 16:21:09 2022 -0700

    gpiolib: acpi: use correct format characters
    
    [ Upstream commit 213d266ebfb1621aab79cfe63388facc520a1381 ]
    
    When compiling with -Wformat, clang emits the following warning:
    
      gpiolib-acpi.c:393:4: warning: format specifies type 'unsigned char' but the argument has type 'int' [-Wformat]
                            pin);
                            ^~~
    
    So warning that '%hhX' is paired with an 'int' is all just completely
    mindless and wrong. Sadly, I can see a different bogus warning reason
    why people would want to use '%02hhX'.
    
    Again, the *sane* thing from a human perspective is to use '%02X. But
    if the compiler doesn't do any range analysis at all, it could decide
    that "Oh, that print format could need up to 8 bytes of space in the
    result". Using '%02hhX' would cut that down to two.
    
    And since we use
    
            char ev_name[5];
    
    and currently use "_%c%02hhX" as the format string, even a compiler
    that doesn't notice that "pin <= 255" test that guards this all will
    go "OK, that's at most 4 bytes and the final NUL termination, so it's
    fine".
    
    While a compiler - like gcc - that only sees that the original source
    of the 'pin' value is a 'unsigned short' array, and then doesn't take
    the "pin <= 255" into account, will warn like this:
    
      gpiolib-acpi.c: In function 'acpi_gpiochip_request_interrupt':
      gpiolib-acpi.c:206:24: warning: '%02X' directive writing between 2 and 4 bytes into a region of size 3 [-Wformat-overflow=]
           sprintf(ev_name, "_%c%02X",
                                ^~~~
      gpiolib-acpi.c:206:20: note: directive argument in the range [0, 65535]
    
    because gcc isn't being very good at that argument range analysis either.
    
    In other words, the original use of 'hhx' was bogus to begin with, and
    due to *another* compiler warning being bad, and we had that bad code
    being written back in 2016 to work around _that_ compiler warning
    (commit e40a3ae1f794: "gpio: acpi: work around false-positive
    -Wstring-overflow warning").
    
    Sadly, two different bad compiler warnings together does not make for
    one good one.
    
    It just makes for even more pain.
    
    End result: I think the simplest and cleanest option is simply the
    proposed change which undoes that '%hhX' change for gcc, and replaces
    it with just using a slightly bigger stack allocation. It's not like
    a 5-byte allocation is in any way likely to have saved any actual stack,
    since all the other variables in that function are 'int' or bigger.
    
    False-positive compiler warnings really do make people write worse
    code, and that's a problem. But on a scale of bad code, I feel that
    extending the buffer trivially is better than adding a pointless cast
    that literally makes no sense.
    
    At least in this case the end result isn't unreadable or buggy. We've
    had several cases of bad compiler warnings that caused changes that
    were actually horrendously wrong.
    
    Fixes: e40a3ae1f794 ("gpio: acpi: work around false-positive -Wstring-overflow warning")
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit d417a859221f127e8edf09c14b76ab50f825e171
Author: Guillaume Nault <gnault@redhat.com>
Date:   Wed Apr 6 16:18:54 2022 +0200

    veth: Ensure eth header is in skb's linear part
    
    [ Upstream commit 726e2c5929de841fdcef4e2bf995680688ae1b87 ]
    
    After feeding a decapsulated packet to a veth device with act_mirred,
    skb_headlen() may be 0. But veth_xmit() calls __dev_forward_skb(),
    which expects at least ETH_HLEN byte of linear data (as
    __dev_forward_skb2() calls eth_type_trans(), which pulls ETH_HLEN bytes
    unconditionally).
    
    Use pskb_may_pull() to ensure veth_xmit() respects this constraint.
    
    kernel BUG at include/linux/skbuff.h:2328!
    RIP: 0010:eth_type_trans+0xcf/0x140
    Call Trace:
     <IRQ>
     __dev_forward_skb2+0xe3/0x160
     veth_xmit+0x6e/0x250 [veth]
     dev_hard_start_xmit+0xc7/0x200
     __dev_queue_xmit+0x47f/0x520
     ? skb_ensure_writable+0x85/0xa0
     ? skb_mpls_pop+0x98/0x1c0
     tcf_mirred_act+0x442/0x47e [act_mirred]
     tcf_action_exec+0x86/0x140
     fl_classify+0x1d8/0x1e0 [cls_flower]
     ? dma_pte_clear_level+0x129/0x1a0
     ? dma_pte_clear_level+0x129/0x1a0
     ? prb_fill_curr_block+0x2f/0xc0
     ? skb_copy_bits+0x11a/0x220
     __tcf_classify+0x58/0x110
     tcf_classify_ingress+0x6b/0x140
     __netif_receive_skb_core.constprop.0+0x47d/0xfd0
     ? __iommu_dma_unmap_swiotlb+0x44/0x90
     __netif_receive_skb_one_core+0x3d/0xa0
     netif_receive_skb+0x116/0x170
     be_process_rx+0x22f/0x330 [be2net]
     be_poll+0x13c/0x370 [be2net]
     __napi_poll+0x2a/0x170
     net_rx_action+0x22f/0x2f0
     __do_softirq+0xca/0x2a8
     __irq_exit_rcu+0xc1/0xe0
     common_interrupt+0x83/0xa0
    
    Fixes: e314dbdc1c0d ("[NET]: Virtual ethernet device driver.")
    Signed-off-by: Guillaume Nault <gnault@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 0b9cafcabd340f566ac53368e24e62c9a84f6d4a
Author: Miaoqian Lin <linmq006@gmail.com>
Date:   Wed Mar 9 11:01:43 2022 +0000

    memory: atmel-ebi: Fix missing of_node_put in atmel_ebi_probe
    
    [ Upstream commit 6f296a9665ba5ac68937bf11f96214eb9de81baa ]
    
    The device_node pointer is returned by of_parse_phandle() with refcount
    incremented. We should use of_node_put() on it when done.
    
    Fixes: 87108dc78eb8 ("memory: atmel-ebi: Enable the SMC clock if specified")
    Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
    Reviewed-by: Claudiu Beznea <claudiu.beznea@microchip.com>
    Link: https://lore.kernel.org/r/20220309110144.22412-1-linmq006@gmail.com
    Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 94c291577f5071c7189c6e5a9f9bf91a0daf9e1c
Author: Xin Long <lucien.xin@gmail.com>
Date:   Mon Jun 22 16:40:29 2020 +0800

    xfrm: policy: match with both mark and mask on user interfaces
    
    commit 4f47e8ab6ab796b5380f74866fa5287aca4dcc58 upstream.
    
    In commit ed17b8d377ea ("xfrm: fix a warning in xfrm_policy_insert_list"),
    it would take 'priority' to make a policy unique, and allow duplicated
    policies with different 'priority' to be added, which is not expected
    by userland, as Tobias reported in strongswan.
    
    To fix this duplicated policies issue, and also fix the issue in
    commit ed17b8d377ea ("xfrm: fix a warning in xfrm_policy_insert_list"),
    when doing add/del/get/update on user interfaces, this patch is to change
    to look up a policy with both mark and mask by doing:
    
      mark.v == pol->mark.v && mark.m == pol->mark.m
    
    and leave the check:
    
      (mark & pol->mark.m) == pol->mark.v
    
    for tx/rx path only.
    
    As the userland expects an exact mark and mask match to manage policies.
    
    v1->v2:
      - make xfrm_policy_mark_match inline and fix the changelog as
        Tobias suggested.
    
    Fixes: 295fae568885 ("xfrm: Allow user space manipulation of SPD mark")
    Fixes: ed17b8d377ea ("xfrm: fix a warning in xfrm_policy_insert_list")
    Reported-by: Tobias Brunner <tobias@strongswan.org>
    Tested-by: Tobias Brunner <tobias@strongswan.org>
    Signed-off-by: Xin Long <lucien.xin@gmail.com>
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2337c8257cd2a4f01bef92288458483955605bd1
Author: Tejun Heo <tj@kernel.org>
Date:   Thu Apr 14 12:24:21 2022 +0300

    cgroup: Use open-time cgroup namespace for process migration perm checks
    
    commit e57457641613fef0d147ede8bd6a3047df588b95 upstream.
    
    cgroup process migration permission checks are performed at write time as
    whether a given operation is allowed or not is dependent on the content of
    the write - the PID. This currently uses current's cgroup namespace which is
    a potential security weakness as it may allow scenarios where a less
    privileged process tricks a more privileged one into writing into a fd that
    it created.
    
    This patch makes cgroup remember the cgroup namespace at the time of open
    and uses it for migration permission checks instad of current's. Note that
    this only applies to cgroup2 as cgroup1 doesn't have namespace support.
    
    This also fixes a use-after-free bug on cgroupns reported in
    
     https://lore.kernel.org/r/00000000000048c15c05d0083397@google.com
    
    Note that backporting this fix also requires the preceding patch.
    
    Reported-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Suggested-by: Linus Torvalds <torvalds@linuxfoundation.org>
    Cc: Michal Koutný <mkoutny@suse.com>
    Cc: Oleg Nesterov <oleg@redhat.com>
    Reviewed-by: Michal Koutný <mkoutny@suse.com>
    Reported-by: syzbot+50f5cf33a284ce738b62@syzkaller.appspotmail.com
    Link: https://lore.kernel.org/r/00000000000048c15c05d0083397@google.com
    Fixes: 5136f6365ce3 ("cgroup: implement "nsdelegate" mount option")
    Signed-off-by: Tejun Heo <tj@kernel.org>
    [mkoutny: v5.10: duplicate ns check in procs/threads write handler, adjust context]
    Signed-off-by: Michal Koutný <mkoutny@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    [OP: backport to v4.14: drop changes to cgroup_attach_permissions() and
    cgroup_css_set_fork(), adjust cgroup_procs_write_permission() calls]
    Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f1ce7855afe6310f8cd9a472f6d52c872feb578b
Author: Tejun Heo <tj@kernel.org>
Date:   Thu Apr 14 12:24:20 2022 +0300

    cgroup: Allocate cgroup_file_ctx for kernfs_open_file->priv
    
    commit 0d2b5955b36250a9428c832664f2079cbf723bec upstream.
    
    of->priv is currently used by each interface file implementation to store
    private information. This patch collects the current two private data usages
    into struct cgroup_file_ctx which is allocated and freed by the common path.
    This allows generic private data which applies to multiple files, which will
    be used to in the following patch.
    
    Note that cgroup_procs iterator is now embedded as procs.iter in the new
    cgroup_file_ctx so that it doesn't need to be allocated and freed
    separately.
    
    v2: union dropped from cgroup_file_ctx and the procs iterator is embedded in
        cgroup_file_ctx as suggested by Linus.
    
    v3: Michal pointed out that cgroup1's procs pidlist uses of->priv too.
        Converted. Didn't change to embedded allocation as cgroup1 pidlists get
        stored for caching.
    
    Signed-off-by: Tejun Heo <tj@kernel.org>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Reviewed-by: Michal Koutný <mkoutny@suse.com>
    [mkoutny: v5.10: modify cgroup.pressure handlers, adjust context]
    Signed-off-by: Michal Koutný <mkoutny@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    [OP: backport to v4.14: drop changes to cgroup_pressure_*() functions]
    Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a70bcf9ed08f3628a9324f054b0e041697b26853
Author: Tejun Heo <tj@kernel.org>
Date:   Thu Apr 14 12:24:19 2022 +0300

    cgroup: Use open-time credentials for process migraton perm checks
    
    commit 1756d7994ad85c2479af6ae5a9750b92324685af upstream.
    
    cgroup process migration permission checks are performed at write time as
    whether a given operation is allowed or not is dependent on the content of
    the write - the PID. This currently uses current's credentials which is a
    potential security weakness as it may allow scenarios where a less
    privileged process tricks a more privileged one into writing into a fd that
    it created.
    
    This patch makes both cgroup2 and cgroup1 process migration interfaces to
    use the credentials saved at the time of open (file->f_cred) instead of
    current's.
    
    Reported-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Suggested-by: Linus Torvalds <torvalds@linuxfoundation.org>
    Fixes: 187fe84067bd ("cgroup: require write perm on common ancestor when moving processes on the default hierarchy")
    Reviewed-by: Michal Koutný <mkoutny@suse.com>
    Signed-off-by: Tejun Heo <tj@kernel.org>
    [OP: backport to v4.14: apply original __cgroup_procs_write() changes to
    cgroup_threads_write() and cgroup_procs_write()]
    Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 45ac758ee0eec41bed41434dc800d698ac912fbf
Author: Waiman Long <longman@redhat.com>
Date:   Fri Apr 8 13:09:01 2022 -0700

    mm/sparsemem: fix 'mem_section' will never be NULL gcc 12 warning
    
    commit a431dbbc540532b7465eae4fc8b56a85a9fc7d17 upstream.
    
    The gcc 12 compiler reports a "'mem_section' will never be NULL" warning
    on the following code:
    
        static inline struct mem_section *__nr_to_section(unsigned long nr)
        {
        #ifdef CONFIG_SPARSEMEM_EXTREME
            if (!mem_section)
                    return NULL;
        #endif
            if (!mem_section[SECTION_NR_TO_ROOT(nr)])
                    return NULL;
           :
    
    It happens with CONFIG_SPARSEMEM_EXTREME off.  The mem_section definition
    is
    
        #ifdef CONFIG_SPARSEMEM_EXTREME
        extern struct mem_section **mem_section;
        #else
        extern struct mem_section mem_section[NR_SECTION_ROOTS][SECTIONS_PER_ROOT];
        #endif
    
    In the !CONFIG_SPARSEMEM_EXTREME case, mem_section is a static
    2-dimensional array and so the check "!mem_section[SECTION_NR_TO_ROOT(nr)]"
    doesn't make sense.
    
    Fix this warning by moving the "!mem_section[SECTION_NR_TO_ROOT(nr)]"
    check up inside the CONFIG_SPARSEMEM_EXTREME block and adding an
    explicit NR_SECTION_ROOTS check to make sure that there is no
    out-of-bound array access.
    
    Link: https://lkml.kernel.org/r/20220331180246.2746210-1-longman@redhat.com
    Fixes: 3e347261a80b ("sparsemem extreme implementation")
    Signed-off-by: Waiman Long <longman@redhat.com>
    Reported-by: Justin Forbes <jforbes@redhat.com>
    Cc: "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>
    Cc: Ingo Molnar <mingo@kernel.org>
    Cc: Rafael Aquini <aquini@redhat.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 324d3d6663310b0aed69b8531b7e45f8741622c4
Author: Fangrui Song <maskray@google.com>
Date:   Fri Feb 18 00:12:09 2022 -0800

    arm64: module: remove (NOLOAD) from linker script
    
    commit 4013e26670c590944abdab56c4fa797527b74325 upstream.
    
    On ELF, (NOLOAD) sets the section type to SHT_NOBITS[1]. It is conceptually
    inappropriate for .plt and .text.* sections which are always
    SHT_PROGBITS.
    
    In GNU ld, if PLT entries are needed, .plt will be SHT_PROGBITS anyway
    and (NOLOAD) will be essentially ignored. In ld.lld, since
    https://reviews.llvm.org/D118840 ("[ELF] Support (TYPE=<value>) to
    customize the output section type"), ld.lld will report a `section type
    mismatch` error. Just remove (NOLOAD) to fix the error.
    
    [1] https://lld.llvm.org/ELF/linker_script.html As of today, "The
    section should be marked as not loadable" on
    https://sourceware.org/binutils/docs/ld/Output-Section-Type.html is
    outdated for ELF.
    
    Tested-by: Nathan Chancellor <nathan@kernel.org>
    Reported-by: Nathan Chancellor <nathan@kernel.org>
    Signed-off-by: Fangrui Song <maskray@google.com>
    Acked-by: Ard Biesheuvel <ardb@kernel.org>
    Link: https://lore.kernel.org/r/20220218081209.354383-1-maskray@google.com
    Signed-off-by: Will Deacon <will@kernel.org>
    [nathan: Fix conflicts due to lack of 596b0474d3d9]
    Signed-off-by: Nathan Chancellor <nathan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d3cb86e633f1eeb38e043be777886f93610e7f20
Author: Peter Xu <peterx@redhat.com>
Date:   Tue Mar 22 14:42:15 2022 -0700

    mm: don't skip swap entry even if zap_details specified
    
    commit 5abfd71d936a8aefd9f9ccd299dea7a164a5d455 upstream.
    
    Patch series "mm: Rework zap ptes on swap entries", v5.
    
    Patch 1 should fix a long standing bug for zap_pte_range() on
    zap_details usage.  The risk is we could have some swap entries skipped
    while we should have zapped them.
    
    Migration entries are not the major concern because file backed memory
    always zap in the pattern that "first time without page lock, then
    re-zap with page lock" hence the 2nd zap will always make sure all
    migration entries are already recovered.
    
    However there can be issues with real swap entries got skipped
    errornoously.  There's a reproducer provided in commit message of patch
    1 for that.
    
    Patch 2-4 are cleanups that are based on patch 1.  After the whole
    patchset applied, we should have a very clean view of zap_pte_range().
    
    Only patch 1 needs to be backported to stable if necessary.
    
    This patch (of 4):
    
    The "details" pointer shouldn't be the token to decide whether we should
    skip swap entries.
    
    For example, when the callers specified details->zap_mapping==NULL, it
    means the user wants to zap all the pages (including COWed pages), then
    we need to look into swap entries because there can be private COWed
    pages that was swapped out.
    
    Skipping some swap entries when details is non-NULL may lead to wrongly
    leaving some of the swap entries while we should have zapped them.
    
    A reproducer of the problem:
    
    ===8<===
            #define _GNU_SOURCE         /* See feature_test_macros(7) */
            #include <stdio.h>
            #include <assert.h>
            #include <unistd.h>
            #include <sys/mman.h>
            #include <sys/types.h>
    
            int page_size;
            int shmem_fd;
            char *buffer;
    
            void main(void)
            {
                    int ret;
                    char val;
    
                    page_size = getpagesize();
                    shmem_fd = memfd_create("test", 0);
                    assert(shmem_fd >= 0);
    
                    ret = ftruncate(shmem_fd, page_size * 2);
                    assert(ret == 0);
    
                    buffer = mmap(NULL, page_size * 2, PROT_READ | PROT_WRITE,
                                    MAP_PRIVATE, shmem_fd, 0);
                    assert(buffer != MAP_FAILED);
    
                    /* Write private page, swap it out */
                    buffer[page_size] = 1;
                    madvise(buffer, page_size * 2, MADV_PAGEOUT);
    
                    /* This should drop private buffer[page_size] already */
                    ret = ftruncate(shmem_fd, page_size);
                    assert(ret == 0);
                    /* Recover the size */
                    ret = ftruncate(shmem_fd, page_size * 2);
                    assert(ret == 0);
    
                    /* Re-read the data, it should be all zero */
                    val = buffer[page_size];
                    if (val == 0)
                            printf("Good\n");
                    else
                            printf("BUG\n");
            }
    ===8<===
    
    We don't need to touch up the pmd path, because pmd never had a issue with
    swap entries.  For example, shmem pmd migration will always be split into
    pte level, and same to swapping on anonymous.
    
    Add another helper should_zap_cows() so that we can also check whether we
    should zap private mappings when there's no page pointer specified.
    
    This patch drops that trick, so we handle swap ptes coherently.  Meanwhile
    we should do the same check upon migration entry, hwpoison entry and
    genuine swap entries too.
    
    To be explicit, we should still remember to keep the private entries if
    even_cows==false, and always zap them when even_cows==true.
    
    The issue seems to exist starting from the initial commit of git.
    
    [peterx@redhat.com: comment tweaks]
      Link: https://lkml.kernel.org/r/20220217060746.71256-2-peterx@redhat.com
    
    Link: https://lkml.kernel.org/r/20220217060746.71256-1-peterx@redhat.com
    Link: https://lkml.kernel.org/r/20220216094810.60572-1-peterx@redhat.com
    Link: https://lkml.kernel.org/r/20220216094810.60572-2-peterx@redhat.com
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Peter Xu <peterx@redhat.com>
    Reviewed-by: John Hubbard <jhubbard@nvidia.com>
    Cc: David Hildenbrand <david@redhat.com>
    Cc: Hugh Dickins <hughd@google.com>
    Cc: Alistair Popple <apopple@nvidia.com>
    Cc: Andrea Arcangeli <aarcange@redhat.com>
    Cc: "Kirill A . Shutemov" <kirill@shutemov.name>
    Cc: Matthew Wilcox <willy@infradead.org>
    Cc: Vlastimil Babka <vbabka@suse.cz>
    Cc: Yang Shi <shy828301@gmail.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e05a6ae66d99ec297d8f90f58801bee4d1bae960
Author: Vinod Koul <vkoul@kernel.org>
Date:   Thu Mar 10 10:13:20 2022 +0530

    dmaengine: Revert "dmaengine: shdma: Fix runtime PM imbalance on error"
    
    commit d143f939a95696d38ff800ada14402fa50ebbd6c upstream.
    
    This reverts commit 455896c53d5b ("dmaengine: shdma: Fix runtime PM
    imbalance on error") as the patch wrongly reduced the count on error and
    did not bail out. So drop the count by reverting the patch .
    
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f31fb76d175cd0aed650f81782b9ce77b5867ae8
Author: Arnaldo Carvalho de Melo <acme@redhat.com>
Date:   Mon Apr 4 17:28:48 2022 -0300

    tools build: Use $(shell ) instead of `` to get embedded libperl's ccopts
    
    commit 541f695cbcb6932c22638b06e0cbe1d56177e2e9 upstream.
    
    Just like its done for ldopts and for both in tools/perf/Makefile.config.
    
    Using `` to initialize PERL_EMBED_CCOPTS somehow precludes using:
    
      $(filter-out SOMETHING_TO_FILTER,$(PERL_EMBED_CCOPTS))
    
    And we need to do it to allow for building with versions of clang where
    some gcc options selected by distros are not available.
    
    Tested-by: Sedat Dilek <sedat.dilek@gmail.com> # Debian/Selfmade LLVM-14 (x86-64)
    Cc: Adrian Hunter <adrian.hunter@intel.com>
    Cc: Fangrui Song <maskray@google.com>
    Cc: Florian Fainelli <f.fainelli@gmail.com>
    Cc: Ian Rogers <irogers@google.com>
    Cc: Jiri Olsa <jolsa@kernel.org>
    Cc: John Keeping <john@metanate.com>
    Cc: Leo Yan <leo.yan@linaro.org>
    Cc: Michael Petlan <mpetlan@redhat.com>
    Cc: Namhyung Kim <namhyung@kernel.org>
    Cc: Nathan Chancellor <nathan@kernel.org>
    Cc: Nick Desaulniers <ndesaulniers@google.com>
    Link: http://lore.kernel.org/lkml/YktYX2OnLtyobRYD@kernel.org
    Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9cb434100cf007961811f962332ed81c2357cd82
Author: Xiaomeng Tong <xiam0nd.tong@gmail.com>
Date:   Sun Mar 27 13:57:33 2022 +0800

    perf: qcom_l2_pmu: fix an incorrect NULL check on list iterator
    
    commit 2012a9e279013933885983cbe0a5fe828052563b upstream.
    
    The bug is here:
            return cluster;
    
    The list iterator value 'cluster' will *always* be set and non-NULL
    by list_for_each_entry(), so it is incorrect to assume that the
    iterator value will be NULL if the list is empty or no element
    is found.
    
    To fix the bug, return 'cluster' when found, otherwise return NULL.
    
    Cc: stable@vger.kernel.org
    Fixes: 21bdbb7102ed ("perf: add qcom l2 cache perf events driver")
    Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
    Link: https://lore.kernel.org/r/20220327055733.4070-1-xiam0nd.tong@gmail.com
    Signed-off-by: Will Deacon <will@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1af9f31983fc808492df004d1ceebaf7fe6541e9
Author: Guo Ren <guoren@kernel.org>
Date:   Thu Apr 7 15:33:20 2022 +0800

    arm64: patch_text: Fixup last cpu should be master
    
    commit 31a099dbd91e69fcab55eef4be15ed7a8c984918 upstream.
    
    These patch_text implementations are using stop_machine_cpuslocked
    infrastructure with atomic cpu_count. The original idea: When the
    master CPU patch_text, the others should wait for it. But current
    implementation is using the first CPU as master, which couldn't
    guarantee the remaining CPUs are waiting. This patch changes the
    last CPU as the master to solve the potential risk.
    
    Fixes: ae16480785de ("arm64: introduce interfaces to hotpatch kernel and module code")
    Signed-off-by: Guo Ren <guoren@linux.alibaba.com>
    Signed-off-by: Guo Ren <guoren@kernel.org>
    Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
    Reviewed-by: Masami Hiramatsu <mhiramat@kernel.org>
    Cc: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20220407073323.743224-2-guoren@kernel.org
    Signed-off-by: Will Deacon <will@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0355387ea5b02d353c9415613fab908fac5c52a6
Author: Ethan Lien <ethanlien@synology.com>
Date:   Mon Mar 7 18:00:04 2022 +0800

    btrfs: fix qgroup reserve overflow the qgroup limit
    
    commit b642b52d0b50f4d398cb4293f64992d0eed2e2ce upstream.
    
    We use extent_changeset->bytes_changed in qgroup_reserve_data() to record
    how many bytes we set for EXTENT_QGROUP_RESERVED state. Currently the
    bytes_changed is set as "unsigned int", and it will overflow if we try to
    fallocate a range larger than 4GiB. The result is we reserve less bytes
    and eventually break the qgroup limit.
    
    Unlike regular buffered/direct write, which we use one changeset for
    each ordered extent, which can never be larger than 256M.  For
    fallocate, we use one changeset for the whole range, thus it no longer
    respects the 256M per extent limit, and caused the problem.
    
    The following example test script reproduces the problem:
    
      $ cat qgroup-overflow.sh
      #!/bin/bash
    
      DEV=/dev/sdj
      MNT=/mnt/sdj
    
      mkfs.btrfs -f $DEV
      mount $DEV $MNT
    
      # Set qgroup limit to 2GiB.
      btrfs quota enable $MNT
      btrfs qgroup limit 2G $MNT
    
      # Try to fallocate a 3GiB file. This should fail.
      echo
      echo "Try to fallocate a 3GiB file..."
      fallocate -l 3G $MNT/3G.file
    
      # Try to fallocate a 5GiB file.
      echo
      echo "Try to fallocate a 5GiB file..."
      fallocate -l 5G $MNT/5G.file
    
      # See we break the qgroup limit.
      echo
      sync
      btrfs qgroup show -r $MNT
    
      umount $MNT
    
    When running the test:
    
      $ ./qgroup-overflow.sh
      (...)
    
      Try to fallocate a 3GiB file...
      fallocate: fallocate failed: Disk quota exceeded
    
      Try to fallocate a 5GiB file...
    
      qgroupid         rfer         excl     max_rfer
      --------         ----         ----     --------
      0/5           5.00GiB      5.00GiB      2.00GiB
    
    Since we have no control of how bytes_changed is used, it's better to
    set it to u64.
    
    CC: stable@vger.kernel.org # 4.14+
    Reviewed-by: Qu Wenruo <wqu@suse.com>
    Signed-off-by: Ethan Lien <ethanlien@synology.com>
    Reviewed-by: David Sterba <dsterba@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7b5f17024f115b6aa42d2a079326dd0ca8e3449b
Author: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Date:   Mon Apr 4 17:35:45 2022 -0700

    x86/speculation: Restore speculation related MSRs during S3 resume
    
    commit e2a1256b17b16f9b9adf1b6fea56819e7b68e463 upstream.
    
    After resuming from suspend-to-RAM, the MSRs that control CPU's
    speculative execution behavior are not being restored on the boot CPU.
    
    These MSRs are used to mitigate speculative execution vulnerabilities.
    Not restoring them correctly may leave the CPU vulnerable.  Secondary
    CPU's MSRs are correctly being restored at S3 resume by
    identify_secondary_cpu().
    
    During S3 resume, restore these MSRs for boot CPU when restoring its
    processor state.
    
    Fixes: 772439717dbf ("x86/bugs/intel: Set proper CPU features and setup RDS")
    Reported-by: Neelima Krishnan <neelima.krishnan@intel.com>
    Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
    Tested-by: Neelima Krishnan <neelima.krishnan@intel.com>
    Acked-by: Borislav Petkov <bp@suse.de>
    Reviewed-by: Dave Hansen <dave.hansen@linux.intel.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ef4600563174396ee38b413dbae6de61eb543c65
Author: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Date:   Mon Apr 4 17:34:19 2022 -0700

    x86/pm: Save the MSR validity status at context setup
    
    commit 73924ec4d560257004d5b5116b22a3647661e364 upstream.
    
    The mechanism to save/restore MSRs during S3 suspend/resume checks for
    the MSR validity during suspend, and only restores the MSR if its a
    valid MSR.  This is not optimal, as an invalid MSR will unnecessarily
    throw an exception for every suspend cycle.  The more invalid MSRs,
    higher the impact will be.
    
    Check and save the MSR validity at setup.  This ensures that only valid
    MSRs that are guaranteed to not throw an exception will be attempted
    during suspend.
    
    Fixes: 7a9c2dd08ead ("x86/pm: Introduce quirk framework to save/restore extra MSR registers around suspend/resume")
    Suggested-by: Dave Hansen <dave.hansen@linux.intel.com>
    Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
    Reviewed-by: Dave Hansen <dave.hansen@linux.intel.com>
    Acked-by: Borislav Petkov <bp@suse.de>
    Cc: stable@vger.kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5e16dc5378abd749a836daa9ee4ab2c8d2668999
Author: Miaohe Lin <linmiaohe@huawei.com>
Date:   Fri Apr 8 13:09:07 2022 -0700

    mm/mempolicy: fix mpol_new leak in shared_policy_replace
    
    commit 4ad099559b00ac01c3726e5c95dc3108ef47d03e upstream.
    
    If mpol_new is allocated but not used in restart loop, mpol_new will be
    freed via mpol_put before returning to the caller.  But refcnt is not
    initialized yet, so mpol_put could not do the right things and might
    leak the unused mpol_new.  This would happen if mempolicy was updated on
    the shared shmem file while the sp->lock has been dropped during the
    memory allocation.
    
    This issue could be triggered easily with the below code snippet if
    there are many processes doing the below work at the same time:
    
      shmid = shmget((key_t)5566, 1024 * PAGE_SIZE, 0666|IPC_CREAT);
      shm = shmat(shmid, 0, 0);
      loop many times {
        mbind(shm, 1024 * PAGE_SIZE, MPOL_LOCAL, mask, maxnode, 0);
        mbind(shm + 128 * PAGE_SIZE, 128 * PAGE_SIZE, MPOL_DEFAULT, mask,
              maxnode, 0);
      }
    
    Link: https://lkml.kernel.org/r/20220329111416.27954-1-linmiaohe@huawei.com
    Fixes: 42288fe366c4 ("mm: mempolicy: Convert shared_policy mutex to spinlock")
    Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
    Acked-by: Michal Hocko <mhocko@suse.com>
    Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Cc: Mel Gorman <mgorman@suse.de>
    Cc: <stable@vger.kernel.org>    [3.8]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit eeaf28e2a0128147d687237e59d5407ee1b14693
Author: Paolo Bonzini <pbonzini@redhat.com>
Date:   Fri Apr 8 13:09:04 2022 -0700

    mmmremap.c: avoid pointless invalidate_range_start/end on mremap(old_size=0)
    
    commit 01e67e04c28170c47700c2c226d732bbfedb1ad0 upstream.
    
    If an mremap() syscall with old_size=0 ends up in move_page_tables(), it
    will call invalidate_range_start()/invalidate_range_end() unnecessarily,
    i.e.  with an empty range.
    
    This causes a WARN in KVM's mmu_notifier.  In the past, empty ranges
    have been diagnosed to be off-by-one bugs, hence the WARNing.  Given the
    low (so far) number of unique reports, the benefits of detecting more
    buggy callers seem to outweigh the cost of having to fix cases such as
    this one, where userspace is doing something silly.  In this particular
    case, an early return from move_page_tables() is enough to fix the
    issue.
    
    Link: https://lkml.kernel.org/r/20220329173155.172439-1-pbonzini@redhat.com
    Reported-by: syzbot+6bde52d89cfdf9f61425@syzkaller.appspotmail.com
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Cc: Sean Christopherson <seanjc@google.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 053435146f9eca9d12eab9cecdb7ddb7e8a261d1
Author: Pali Rohár <pali@kernel.org>
Date:   Fri Mar 18 15:14:41 2022 +0100

    Revert "mmc: sdhci-xenon: fix annoying 1.8V regulator warning"
    
    commit 7e2646ed47542123168d43916b84b954532e5386 upstream.
    
    This reverts commit bb32e1987bc55ce1db400faf47d85891da3c9b9f.
    
    Commit 1a3ed0dc3594 ("mmc: sdhci-xenon: fix 1.8v regulator stabilization")
    contains proper fix for the issue described in commit bb32e1987bc5 ("mmc:
    sdhci-xenon: fix annoying 1.8V regulator warning").
    
    Fixes: 8d876bf472db ("mmc: sdhci-xenon: wait 5ms after set 1.8V signal enable")
    Cc: stable@vger.kernel.org # 1a3ed0dc3594 ("mmc: sdhci-xenon: fix 1.8v regulator stabilization")
    Signed-off-by: Pali Rohár <pali@kernel.org>
    Reviewed-by: Marek Behún <kabel@kernel.org>
    Reviewed-by: Marcin Wojtas <mw@semihalf.com>
    Link: https://lore.kernel.org/r/20220318141441.32329-1-pali@kernel.org
    Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit dcf6be17b5c53b741898d2223b23e66d682de300
Author: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
Date:   Wed Apr 6 21:04:43 2022 +0200

    drbd: Fix five use after free bugs in get_initial_state
    
    [ Upstream commit aadb22ba2f656581b2f733deb3a467c48cc618f6 ]
    
    In get_initial_state, it calls notify_initial_state_done(skb,..) if
    cb->args[5]==1. If genlmsg_put() failed in notify_initial_state_done(),
    the skb will be freed by nlmsg_free(skb).
    Then get_initial_state will goto out and the freed skb will be used by
    return value skb->len, which is a uaf bug.
    
    What's worse, the same problem goes even further: skb can also be
    freed in the notify_*_state_change -> notify_*_state calls below.
    Thus 4 additional uaf bugs happened.
    
    My patch lets the problem callee functions: notify_initial_state_done
    and notify_*_state_change return an error code if errors happen.
    So that the error codes could be propagated and the uaf bugs can be avoid.
    
    v2 reports a compilation warning. This v3 fixed this warning and built
    successfully in my local environment with no additional warnings.
    v2: https://lore.kernel.org/patchwork/patch/1435218/
    
    Fixes: a29728463b254 ("drbd: Backport the "events2" command")
    Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
    Reviewed-by: Christoph Böhmwalder <christoph.boehmwalder@linbit.com>
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 38bf605bd8c83d942c8dcffaef3633b7d8b37549
Author: José Expósito <jose.exposito89@gmail.com>
Date:   Sat Jan 8 17:52:30 2022 +0100

    drm/imx: Fix memory leak in imx_pd_connector_get_modes
    
    [ Upstream commit bce81feb03a20fca7bbdd1c4af16b4e9d5c0e1d3 ]
    
    Avoid leaking the display mode variable if of_get_drm_display_mode
    fails.
    
    Fixes: 76ecd9c9fb24 ("drm/imx: parallel-display: check return code from of_get_drm_display_mode()")
    Addresses-Coverity-ID: 1443943 ("Resource leak")
    Signed-off-by: José Expósito <jose.exposito89@gmail.com>
    Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
    Link: https://lore.kernel.org/r/20220108165230.44610-1-jose.exposito89@gmail.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 5c6c1014094e3522fbeafc2c04424e55475111b7
Author: Chen-Yu Tsai <wens@csie.org>
Date:   Fri Apr 1 02:48:32 2022 +0800

    net: stmmac: Fix unset max_speed difference between DT and non-DT platforms
    
    [ Upstream commit c21cabb0fd0b54b8b54235fc1ecfe1195a23bcb2 ]
    
    In commit 9cbadf094d9d ("net: stmmac: support max-speed device tree
    property"), when DT platforms don't set "max-speed", max_speed is set to
    -1; for non-DT platforms, it stays the default 0.
    
    Prior to commit eeef2f6b9f6e ("net: stmmac: Start adding phylink support"),
    the check for a valid max_speed setting was to check if it was greater
    than zero. This commit got it right, but subsequent patches just checked
    for non-zero, which is incorrect for DT platforms.
    
    In commit 92c3807b9ac3 ("net: stmmac: convert to phylink_get_linkmodes()")
    the conversion switched completely to checking for non-zero value as a
    valid value, which caused 1000base-T to stop getting advertised by
    default.
    
    Instead of trying to fix all the checks, simply leave max_speed alone if
    DT property parsing fails.
    
    Fixes: 9cbadf094d9d ("net: stmmac: support max-speed device tree property")
    Fixes: 92c3807b9ac3 ("net: stmmac: convert to phylink_get_linkmodes()")
    Signed-off-by: Chen-Yu Tsai <wens@csie.org>
    Acked-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
    Reviewed-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
    Link: https://lore.kernel.org/r/20220331184832.16316-1-wens@kernel.org
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 1e0c01319dedf1e63ec5df37ead048e17afd92ba
Author: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Date:   Sat Mar 19 08:01:24 2022 +0100

    scsi: zorro7xx: Fix a resource leak in zorro7xx_remove_one()
    
    [ Upstream commit 16ed828b872d12ccba8f07bcc446ae89ba662f9c ]
    
    The error handling path of the probe releases a resource that is not freed
    in the remove function. In some cases, a ioremap() must be undone.
    
    Add the missing iounmap() call in the remove function.
    
    Link: https://lore.kernel.org/r/247066a3104d25f9a05de8b3270fc3c848763bcc.1647673264.git.christophe.jaillet@wanadoo.fr
    Fixes: 45804fbb00ee ("[SCSI] 53c700: Amiga Zorro NCR53c710 SCSI")
    Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
    Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit dd3a74d9e1b7ce143f0aec04da8691a764392f67
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Wed Mar 16 11:41:48 2022 +0300

    drm/amdgpu: fix off by one in amdgpu_gfx_kiq_acquire()
    
    [ Upstream commit 1647b54ed55d4d48c7199d439f8834626576cbe9 ]
    
    This post-op should be a pre-op so that we do not pass -1 as the bit
    number to test_bit().  The current code will loop downwards from 63 to
    -1.  After changing to a pre-op, it loops from 63 to 0.
    
    Fixes: 71c37505e7ea ("drm/amdgpu/gfx: move more common KIQ code to amdgpu_gfx.c")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 106392f5a39cb86969b06f34e707487b07abf28d
Author: Mauricio Faria de Oliveira <mfo@canonical.com>
Date:   Thu Apr 7 16:14:31 2022 -0300

    mm: fix race between MADV_FREE reclaim and blkdev direct IO read
    
    commit 6c8e2a256915a223f6289f651d6b926cd7135c9e upstream.
    
    Problem:
    =======
    
    Userspace might read the zero-page instead of actual data from a direct IO
    read on a block device if the buffers have been called madvise(MADV_FREE)
    on earlier (this is discussed below) due to a race between page reclaim on
    MADV_FREE and blkdev direct IO read.
    
    - Race condition:
      ==============
    
    During page reclaim, the MADV_FREE page check in try_to_unmap_one() checks
    if the page is not dirty, then discards its rmap PTE(s) (vs.  remap back
    if the page is dirty).
    
    However, after try_to_unmap_one() returns to shrink_page_list(), it might
    keep the page _anyway_ if page_ref_freeze() fails (it expects exactly
    _one_ page reference, from the isolation for page reclaim).
    
    Well, blkdev_direct_IO() gets references for all pages, and on READ
    operations it only sets them dirty _later_.
    
    So, if MADV_FREE'd pages (i.e., not dirty) are used as buffers for direct
    IO read from block devices, and page reclaim happens during
    __blkdev_direct_IO[_simple]() exactly AFTER bio_iov_iter_get_pages()
    returns, but BEFORE the pages are set dirty, the situation happens.
    
    The direct IO read eventually completes.  Now, when userspace reads the
    buffers, the PTE is no longer there and the page fault handler
    do_anonymous_page() services that with the zero-page, NOT the data!
    
    A synthetic reproducer is provided.
    
    - Page faults:
      ===========
    
    If page reclaim happens BEFORE bio_iov_iter_get_pages() the issue doesn't
    happen, because that faults-in all pages as writeable, so
    do_anonymous_page() sets up a new page/rmap/PTE, and that is used by
    direct IO.  The userspace reads don't fault as the PTE is there (thus
    zero-page is not used/setup).
    
    But if page reclaim happens AFTER it / BEFORE setting pages dirty, the PTE
    is no longer there; the subsequent page faults can't help:
    
    The data-read from the block device probably won't generate faults due to
    DMA (no MMU) but even in the case it wouldn't use DMA, that happens on
    different virtual addresses (not user-mapped addresses) because `struct
    bio_vec` stores `struct page` to figure addresses out (which are different
    from user-mapped addresses) for the read.
    
    Thus userspace reads (to user-mapped addresses) still fault, then
    do_anonymous_page() gets another `struct page` that would address/ map to
    other memory than the `struct page` used by `struct bio_vec` for the read.
    (The original `struct page` is not available, since it wasn't freed, as
    page_ref_freeze() failed due to more page refs.  And even if it were
    available, its data cannot be trusted anymore.)
    
    Solution:
    ========
    
    One solution is to check for the expected page reference count in
    try_to_unmap_one().
    
    There should be one reference from the isolation (that is also checked in
    shrink_page_list() with page_ref_freeze()) plus one or more references
    from page mapping(s) (put in discard: label).  Further references mean
    that rmap/PTE cannot be unmapped/nuked.
    
    (Note: there might be more than one reference from mapping due to
    fork()/clone() without CLONE_VM, which use the same `struct page` for
    references, until the copy-on-write page gets copied.)
    
    So, additional page references (e.g., from direct IO read) now prevent the
    rmap/PTE from being unmapped/dropped; similarly to the page is not freed
    per shrink_page_list()/page_ref_freeze()).
    
    - Races and Barriers:
      ==================
    
    The new check in try_to_unmap_one() should be safe in races with
    bio_iov_iter_get_pages() in get_user_pages() fast and slow paths, as it's
    done under the PTE lock.
    
    The fast path doesn't take the lock, but it checks if the PTE has changed
    and if so, it drops the reference and leaves the page for the slow path
    (which does take that lock).
    
    The fast path requires synchronization w/ full memory barrier: it writes
    the page reference count first then it reads the PTE later, while
    try_to_unmap() writes PTE first then it reads page refcount.
    
    And a second barrier is needed, as the page dirty flag should not be read
    before the page reference count (as in __remove_mapping()).  (This can be
    a load memory barrier only; no writes are involved.)
    
    Call stack/comments:
    
    - try_to_unmap_one()
      - page_vma_mapped_walk()
        - map_pte()                 # see pte_offset_map_lock():
            pte_offset_map()
            spin_lock()
    
      - ptep_get_and_clear()        # write PTE
      - smp_mb()                    # (new barrier) GUP fast path
      - page_ref_count()            # (new check) read refcount
    
      - page_vma_mapped_walk_done() # see pte_unmap_unlock():
          pte_unmap()
          spin_unlock()
    
    - bio_iov_iter_get_pages()
      - __bio_iov_iter_get_pages()
        - iov_iter_get_pages()
          - get_user_pages_fast()
            - internal_get_user_pages_fast()
    
              # fast path
              - lockless_pages_from_mm()
                - gup_{pgd,p4d,pud,pmd,pte}_range()
                    ptep = pte_offset_map()         # not _lock()
                    pte = ptep_get_lockless(ptep)
    
                    page = pte_page(pte)
                    try_grab_compound_head(page)    # inc refcount
                                                    # (RMW/barrier
                                                    #  on success)
    
                    if (pte_val(pte) != pte_val(*ptep)) # read PTE
                            put_compound_head(page) # dec refcount
                                                    # go slow path
    
              # slow path
              - __gup_longterm_unlocked()
                - get_user_pages_unlocked()
                  - __get_user_pages_locked()
                    - __get_user_pages()
                      - follow_{page,p4d,pud,pmd}_mask()
                        - follow_page_pte()
                            ptep = pte_offset_map_lock()
                            pte = *ptep
                            page = vm_normal_page(pte)
                            try_grab_page(page)     # inc refcount
                            pte_unmap_unlock()
    
    - Huge Pages:
      ==========
    
    Regarding transparent hugepages, that logic shouldn't change, as MADV_FREE
    (aka lazyfree) pages are PageAnon() && !PageSwapBacked()
    (madvise_free_pte_range() -> mark_page_lazyfree() -> lru_lazyfree_fn())
    thus should reach shrink_page_list() -> split_huge_page_to_list() before
    try_to_unmap[_one](), so it deals with normal pages only.
    
    (And in case unlikely/TTU_SPLIT_HUGE_PMD/split_huge_pmd_address() happens,
    which should not or be rare, the page refcount should be greater than
    mapcount: the head page is referenced by tail pages.  That also prevents
    checking the head `page` then incorrectly call page_remove_rmap(subpage)
    for a tail page, that isn't even in the shrink_page_list()'s page_list (an
    effect of split huge pmd/pmvw), as it might happen today in this unlikely
    scenario.)
    
    MADV_FREE'd buffers:
    ===================
    
    So, back to the "if MADV_FREE pages are used as buffers" note.  The case
    is arguable, and subject to multiple interpretations.
    
    The madvise(2) manual page on the MADV_FREE advice value says:
    
    1) 'After a successful MADV_FREE ... data will be lost when
       the kernel frees the pages.'
    2) 'the free operation will be canceled if the caller writes
       into the page' / 'subsequent writes ... will succeed and
       then [the] kernel cannot free those dirtied pages'
    3) 'If there is no subsequent write, the kernel can free the
       pages at any time.'
    
    Thoughts, questions, considerations... respectively:
    
    1) Since the kernel didn't actually free the page (page_ref_freeze()
       failed), should the data not have been lost? (on userspace read.)
    2) Should writes performed by the direct IO read be able to cancel
       the free operation?
       - Should the direct IO read be considered as 'the caller' too,
         as it's been requested by 'the caller'?
       - Should the bio technique to dirty pages on return to userspace
         (bio_check_pages_dirty() is called/used by __blkdev_direct_IO())
         be considered in another/special way here?
    3) Should an upcoming write from a previously requested direct IO
       read be considered as a subsequent write, so the kernel should
       not free the pages? (as it's known at the time of page reclaim.)
    
    And lastly:
    
    Technically, the last point would seem a reasonable consideration and
    balance, as the madvise(2) manual page apparently (and fairly) seem to
    assume that 'writes' are memory access from the userspace process (not
    explicitly considering writes from the kernel or its corner cases; again,
    fairly)..  plus the kernel fix implementation for the corner case of the
    largely 'non-atomic write' encompassed by a direct IO read operation, is
    relatively simple; and it helps.
    
    Reproducer:
    ==========
    
    @ test.c (simplified, but works)
    
            #define _GNU_SOURCE
            #include <fcntl.h>
            #include <stdio.h>
            #include <unistd.h>
            #include <sys/mman.h>
    
            int main() {
                    int fd, i;
                    char *buf;
    
                    fd = open(DEV, O_RDONLY | O_DIRECT);
    
                    buf = mmap(NULL, BUF_SIZE, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    
                    for (i = 0; i < BUF_SIZE; i += PAGE_SIZE)
                            buf[i] = 1; // init to non-zero
    
                    madvise(buf, BUF_SIZE, MADV_FREE);
    
                    read(fd, buf, BUF_SIZE);
    
                    for (i = 0; i < BUF_SIZE; i += PAGE_SIZE)
                            printf("%p: 0x%x\n", &buf[i], buf[i]);
    
                    return 0;
            }
    
    @ block/fops.c (formerly fs/block_dev.c)
    
            +#include <linux/swap.h>
            ...
            ... __blkdev_direct_IO[_simple](...)
            {
            ...
            +       if (!strcmp(current->comm, "good"))
            +               shrink_all_memory(ULONG_MAX);
            +
                    ret = bio_iov_iter_get_pages(...);
            +
            +       if (!strcmp(current->comm, "bad"))
            +               shrink_all_memory(ULONG_MAX);
            ...
            }
    
    @ shell
    
            # NUM_PAGES=4
            # PAGE_SIZE=$(getconf PAGE_SIZE)
    
            # yes | dd of=test.img bs=${PAGE_SIZE} count=${NUM_PAGES}
            # DEV=$(losetup -f --show test.img)
    
            # gcc -DDEV=\"$DEV\" \
                  -DBUF_SIZE=$((PAGE_SIZE * NUM_PAGES)) \
                  -DPAGE_SIZE=${PAGE_SIZE} \
                   test.c -o test
    
            # od -tx1 $DEV
            0000000 79 0a 79 0a 79 0a 79 0a 79 0a 79 0a 79 0a 79 0a
            *
            0040000
    
            # mv test good
            # ./good
            0x7f7c10418000: 0x79
            0x7f7c10419000: 0x79
            0x7f7c1041a000: 0x79
            0x7f7c1041b000: 0x79
    
            # mv good bad
            # ./bad
            0x7fa1b8050000: 0x0
            0x7fa1b8051000: 0x0
            0x7fa1b8052000: 0x0
            0x7fa1b8053000: 0x0
    
    Note: the issue is consistent on v5.17-rc3, but it's intermittent with the
    support of MADV_FREE on v4.5 (60%-70% error; needs swap).  [wrap
    do_direct_IO() in do_blockdev_direct_IO() @ fs/direct-io.c].
    
    - v5.17-rc3:
    
            # for i in {1..1000}; do ./good; done \
                | cut -d: -f2 | sort | uniq -c
               4000  0x79
    
            # mv good bad
            # for i in {1..1000}; do ./bad; done \
                | cut -d: -f2 | sort | uniq -c
               4000  0x0
    
            # free | grep Swap
            Swap:             0           0           0
    
    - v4.5:
    
            # for i in {1..1000}; do ./good; done \
                | cut -d: -f2 | sort | uniq -c
               4000  0x79
    
            # mv good bad
            # for i in {1..1000}; do ./bad; done \
                | cut -d: -f2 | sort | uniq -c
               2702  0x0
               1298  0x79
    
            # swapoff -av
            swapoff /swap
    
            # for i in {1..1000}; do ./bad; done \
                | cut -d: -f2 | sort | uniq -c
               4000  0x79
    
    Ceph/TCMalloc:
    =============
    
    For documentation purposes, the use case driving the analysis/fix is Ceph
    on Ubuntu 18.04, as the TCMalloc library there still uses MADV_FREE to
    release unused memory to the system from the mmap'ed page heap (might be
    committed back/used again; it's not munmap'ed.) - PageHeap::DecommitSpan()
    -> TCMalloc_SystemRelease() -> madvise() - PageHeap::CommitSpan() ->
    TCMalloc_SystemCommit() -> do nothing.
    
    Note: TCMalloc switched back to MADV_DONTNEED a few commits after the
    release in Ubuntu 18.04 (google-perftools/gperftools 2.5), so the issue
    just 'disappeared' on Ceph on later Ubuntu releases but is still present
    in the kernel, and can be hit by other use cases.
    
    The observed issue seems to be the old Ceph bug #22464 [1], where checksum
    mismatches are observed (and instrumentation with buffer dumps shows
    zero-pages read from mmap'ed/MADV_FREE'd page ranges).
    
    The issue in Ceph was reasonably deemed a kernel bug (comment #50) and
    mostly worked around with a retry mechanism, but other parts of Ceph could
    still hit that (rocksdb).  Anyway, it's less likely to be hit again as
    TCMalloc switched out of MADV_FREE by default.
    
    (Some kernel versions/reports from the Ceph bug, and relation with
    the MADV_FREE introduction/changes; TCMalloc versions not checked.)
    - 4.4 good
    - 4.5 (madv_free: introduction)
    - 4.9 bad
    - 4.10 good? maybe a swapless system
    - 4.12 (madv_free: no longer free instantly on swapless systems)
    - 4.13 bad
    
    [1] https://tracker.ceph.com/issues/22464
    
    Thanks:
    ======
    
    Several people contributed to analysis/discussions/tests/reproducers in
    the first stages when drilling down on ceph/tcmalloc/linux kernel:
    
    - Dan Hill
    - Dan Streetman
    - Dongdong Tao
    - Gavin Guo
    - Gerald Yang
    - Heitor Alves de Siqueira
    - Ioanna Alifieraki
    - Jay Vosburgh
    - Matthew Ruffell
    - Ponnuvel Palaniyappan
    
    Reviews, suggestions, corrections, comments:
    
    - Minchan Kim
    - Yu Zhao
    - Huang, Ying
    - John Hubbard
    - Christoph Hellwig
    
    [mfo@canonical.com: v4]
      Link: https://lkml.kernel.org/r/20220209202659.183418-1-mfo@canonical.comLink: https://lkml.kernel.org/r/20220131230255.789059-1-mfo@canonical.com
    
    Fixes: 802a3a92ad7a ("mm: reclaim MADV_FREE pages")
    Signed-off-by: Mauricio Faria de Oliveira <mfo@canonical.com>
    Reviewed-by: "Huang, Ying" <ying.huang@intel.com>
    Cc: Minchan Kim <minchan@kernel.org>
    Cc: Yu Zhao <yuzhao@google.com>
    Cc: Yang Shi <shy828301@gmail.com>
    Cc: Miaohe Lin <linmiaohe@huawei.com>
    Cc: Dan Hill <daniel.hill@canonical.com>
    Cc: Dan Streetman <dan.streetman@canonical.com>
    Cc: Dongdong Tao <dongdong.tao@canonical.com>
    Cc: Gavin Guo <gavin.guo@canonical.com>
    Cc: Gerald Yang <gerald.yang@canonical.com>
    Cc: Heitor Alves de Siqueira <halves@canonical.com>
    Cc: Ioanna Alifieraki <ioanna-maria.alifieraki@canonical.com>
    Cc: Jay Vosburgh <jay.vosburgh@canonical.com>
    Cc: Matthew Ruffell <matthew.ruffell@canonical.com>
    Cc: Ponnuvel Palaniyappan <ponnuvel.palaniyappan@canonical.com>
    Cc: <stable@vger.kernel.org>
    Cc: Christoph Hellwig <hch@infradead.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    [mfo: backport: replace folio/test_flag with page/flag equivalents;
     mmu_notifier_invalidate_range() is called in the 'discard:' label;
     real Fixes: 854e9ed09ded ("mm: support madvise(MADV_FREE)") in v4.]
    Signed-off-by: Mauricio Faria de Oliveira <mfo@canonical.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit add668be8f5e53f4471a075edaa70a7cb85fd036
Author: Willem de Bruijn <willemb@google.com>
Date:   Wed Apr 6 22:29:55 2022 +0300

    net: add missing SOF_TIMESTAMPING_OPT_ID support
    
    [ Upstream commit 8f932f762e7928d250e21006b00ff9b7718b0a64 ]
    
    SOF_TIMESTAMPING_OPT_ID is supported on TCP, UDP and RAW sockets.
    But it was missing on RAW with IPPROTO_IP, PF_PACKET and CAN.
    
    Add skb_setup_tx_timestamp that configures both tx_flags and tskey
    for these paths that do not need corking or use bytestream keys.
    
    Fixes: 09c2d251b707 ("net-timestamp: add key to disambiguate concurrent datagrams")
    Signed-off-by: Willem de Bruijn <willemb@google.com>
    Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a96c57a72f477b42ab238fad3c2c1f8e8c091256
Author: Willem de Bruijn <willemb@google.com>
Date:   Wed Apr 6 22:29:54 2022 +0300

    ipv6: add missing tx timestamping on IPPROTO_RAW
    
    [ Upstream commit fbfb2321e950918b430e7225546296b2dcadf725 ]
    
    Raw sockets support tx timestamping, but one case is missing.
    
    IPPROTO_RAW takes a separate packet construction path. raw_send_hdrinc
    has an explicit call to sock_tx_timestamp, but rawv6_send_hdrinc does
    not. Add it.
    
    Fixes: 11878b40ed5c ("net-timestamp: SOCK_RAW and PING timestamping")
    Signed-off-by: Willem de Bruijn <willemb@google.com>
    Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 52b66c46bb9f5fb270673327c41dec50171939c1
Author: Helge Deller <deller@gmx.de>
Date:   Sun Mar 27 15:46:26 2022 +0200

    parisc: Fix CPU affinity for Lasi, WAX and Dino chips
    
    [ Upstream commit 939fc856676c266c3bc347c1c1661872a3725c0f ]
    
    Add the missing logic to allow Lasi, WAX and Dino to set the
    CPU affinity. This fixes IRQ migration to other CPUs when a
    CPU is shutdown which currently holds the IRQs for one of those
    chips.
    
    Signed-off-by: Helge Deller <deller@gmx.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 33bd243566a9b1ca94261dcc2e16c7b9e3a71c15
Author: Haimin Zhang <tcs_kernel@tencent.com>
Date:   Tue Mar 22 21:59:17 2022 +0800

    jfs: prevent NULL deref in diFree
    
    [ Upstream commit a53046291020ec41e09181396c1e829287b48d47 ]
    
    Add validation check for JFS_IP(ipimap)->i_imap to prevent a NULL deref
    in diFree since diFree uses it without do any validations.
    When function jfs_mount calls diMount to initialize fileset inode
    allocation map, it can fail and JFS_IP(ipimap)->i_imap won't be
    initialized. Then it calls diFreeSpecial to close fileset inode allocation
    map inode and it will flow into jfs_evict_inode. Function jfs_evict_inode
    just validates JFS_SBI(inode->i_sb)->ipimap, then calls diFree. diFree use
    JFS_IP(ipimap)->i_imap directly, then it will cause a NULL deref.
    
    Reported-by: TCS Robot <tcs_robot@tencent.com>
    Signed-off-by: Haimin Zhang <tcs_kernel@tencent.com>
    Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 7deaddb704713608e0ae559e27185581b9af71a0
Author: Randy Dunlap <rdunlap@infradead.org>
Date:   Wed Mar 16 12:20:03 2022 -0700

    virtio_console: eliminate anonymous module_init & module_exit
    
    [ Upstream commit fefb8a2a941338d871e2d83fbd65fbfa068857bd ]
    
    Eliminate anonymous module_init() and module_exit(), which can lead to
    confusion or ambiguity when reading System.map, crashes/oops/bugs,
    or an initcall_debug log.
    
    Give each of these init and exit functions unique driver-specific
    names to eliminate the anonymous names.
    
    Example 1: (System.map)
     ffffffff832fc78c t init
     ffffffff832fc79e t init
     ffffffff832fc8f8 t init
    
    Example 2: (initcall_debug log)
     calling  init+0x0/0x12 @ 1
     initcall init+0x0/0x12 returned 0 after 15 usecs
     calling  init+0x0/0x60 @ 1
     initcall init+0x0/0x60 returned 0 after 2 usecs
     calling  init+0x0/0x9a @ 1
     initcall init+0x0/0x9a returned 0 after 74 usecs
    
    Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
    Reviewed-by: Amit Shah <amit@kernel.org>
    Cc: virtualization@lists.linux-foundation.org
    Cc: Arnd Bergmann <arnd@arndb.de>
    Link: https://lore.kernel.org/r/20220316192010.19001-3-rdunlap@infradead.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 18f72552e452fbd379e13703a447583eeb333c09
Author: Jiri Slaby <jirislaby@kernel.org>
Date:   Tue Mar 8 12:51:53 2022 +0100

    serial: samsung_tty: do not unlock port->lock for uart_write_wakeup()
    
    [ Upstream commit 988c7c00691008ea1daaa1235680a0da49dab4e8 ]
    
    The commit c15c3747ee32 (serial: samsung: fix potential soft lockup
    during uart write) added an unlock of port->lock before
    uart_write_wakeup() and a lock after it. It was always problematic to
    write data from tty_ldisc_ops::write_wakeup and it was even documented
    that way. We fixed the line disciplines to conform to this recently.
    So if there is still a missed one, we should fix them instead of this
    workaround.
    
    On the top of that, s3c24xx_serial_tx_dma_complete() in this driver
    still holds the port->lock while calling uart_write_wakeup().
    
    So revert the wrap added by the commit above.
    
    Cc: Thomas Abraham <thomas.abraham@linaro.org>
    Cc: Kyungmin Park <kyungmin.park@samsung.com>
    Cc: Hyeonkook Kim <hk619.kim@samsung.com>
    Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    Link: https://lore.kernel.org/r/20220308115153.4225-1-jslaby@suse.cz
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 7e907c022e8fdb619d34f25a4b65cc93be8602de
Author: NeilBrown <neilb@suse.de>
Date:   Mon Mar 7 10:41:44 2022 +1100

    NFS: swap-out must always use STABLE writes.
    
    [ Upstream commit c265de257f558a05c1859ee9e3fed04883b9ec0e ]
    
    The commit handling code is not safe against memory-pressure deadlocks
    when writing to swap.  In particular, nfs_commitdata_alloc() blocks
    indefinitely waiting for memory, and this can consume all available
    workqueue threads.
    
    swap-out most likely uses STABLE writes anyway as COND_STABLE indicates
    that a stable write should be used if the write fits in a single
    request, and it normally does.  However if we ever swap with a small
    wsize, or gather unusually large numbers of pages for a single write,
    this might change.
    
    For safety, make it explicit in the code that direct writes used for swap
    must always use FLUSH_STABLE.
    
    Signed-off-by: NeilBrown <neilb@suse.de>
    Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 4e70b56438166c327301152776b0311374c936ee
Author: NeilBrown <neilb@suse.de>
Date:   Mon Mar 7 10:41:44 2022 +1100

    NFS: swap IO handling is slightly different for O_DIRECT IO
    
    [ Upstream commit 64158668ac8b31626a8ce48db4cad08496eb8340 ]
    
    1/ Taking the i_rwsem for swap IO triggers lockdep warnings regarding
       possible deadlocks with "fs_reclaim".  These deadlocks could, I believe,
       eventuate if a buffered read on the swapfile was attempted.
    
       We don't need coherence with the page cache for a swap file, and
       buffered writes are forbidden anyway.  There is no other need for
       i_rwsem during direct IO.  So never take it for swap_rw()
    
    2/ generic_write_checks() explicitly forbids writes to swap, and
       performs checks that are not needed for swap.  So bypass it
       for swap_rw().
    
    Signed-off-by: NeilBrown <neilb@suse.de>
    Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 5364fe29920dc39b0ecafdaa8c2c0e975a6985b3
Author: NeilBrown <neilb@suse.de>
Date:   Mon Mar 7 10:41:44 2022 +1100

    SUNRPC/call_alloc: async tasks mustn't block waiting for memory
    
    [ Upstream commit c487216bec83b0c5a8803e5c61433d33ad7b104d ]
    
    When memory is short, new worker threads cannot be created and we depend
    on the minimum one rpciod thread to be able to handle everything.
    So it must not block waiting for memory.
    
    mempools are particularly a problem as memory can only be released back
    to the mempool by an async rpc task running.  If all available
    workqueue threads are waiting on the mempool, no thread is available to
    return anything.
    
    rpc_malloc() can block, and this might cause deadlocks.
    So check RPC_IS_ASYNC(), rather than RPC_IS_SWAPPER() to determine if
    blocking is acceptable.
    
    Signed-off-by: NeilBrown <neilb@suse.de>
    Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit aba111deed002b98c1034053c5ade17c982155d0
Author: Lucas Denefle <lucas.denefle@converge.io>
Date:   Wed Feb 23 11:35:55 2022 +0000

    w1: w1_therm: fixes w1_seq for ds28ea00 sensors
    
    [ Upstream commit 41a92a89eee819298f805c40187ad8b02bb53426 ]
    
    w1_seq was failing due to several devices responding to the
    CHAIN_DONE at the same time. Now properly selects the current
    device in the chain with MATCH_ROM. Also acknowledgment was
    read twice.
    
    Signed-off-by: Lucas Denefle <lucas.denefle@converge.io>
    Link: https://lore.kernel.org/r/20220223113558.232750-1-lucas.denefle@converge.io
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a861234d5741c104009d06d3ca3bef84a772e5df
Author: Randy Dunlap <rdunlap@infradead.org>
Date:   Wed Mar 23 16:06:14 2022 -0700

    init/main.c: return 1 from handled __setup() functions
    
    [ Upstream commit f9a40b0890658330c83c95511f9d6b396610defc ]
    
    initcall_blacklist() should return 1 to indicate that it handled its
    cmdline arguments.
    
    set_debug_rodata() should return 1 to indicate that it handled its
    cmdline arguments.  Print a warning if the option string is invalid.
    
    This prevents these strings from being added to the 'init' program's
    environment as they are not init arguments/parameters.
    
    Link: https://lkml.kernel.org/r/20220221050901.23985-1-rdunlap@infradead.org
    Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
    Reported-by: Igor Zhbanov <i.zhbanov@omprussia.ru>
    Cc: Ingo Molnar <mingo@kernel.org>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 643a6c26bd32e339d00ad97b8822b6db009e803c
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date:   Fri Mar 11 13:19:33 2022 -0800

    Bluetooth: Fix use after free in hci_send_acl
    
    [ Upstream commit f63d24baff787e13b723d86fe036f84bdbc35045 ]
    
    This fixes the following trace caused by receiving
    HCI_EV_DISCONN_PHY_LINK_COMPLETE which does call hci_conn_del without
    first checking if conn->type is in fact AMP_LINK and in case it is
    do properly cleanup upper layers with hci_disconn_cfm:
    
     ==================================================================
        BUG: KASAN: use-after-free in hci_send_acl+0xaba/0xc50
        Read of size 8 at addr ffff88800e404818 by task bluetoothd/142
    
        CPU: 0 PID: 142 Comm: bluetoothd Not tainted
        5.17.0-rc5-00006-gda4022eeac1a #7
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
        rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
        Call Trace:
         <TASK>
         dump_stack_lvl+0x45/0x59
         print_address_description.constprop.0+0x1f/0x150
         kasan_report.cold+0x7f/0x11b
         hci_send_acl+0xaba/0xc50
         l2cap_do_send+0x23f/0x3d0
         l2cap_chan_send+0xc06/0x2cc0
         l2cap_sock_sendmsg+0x201/0x2b0
         sock_sendmsg+0xdc/0x110
         sock_write_iter+0x20f/0x370
         do_iter_readv_writev+0x343/0x690
         do_iter_write+0x132/0x640
         vfs_writev+0x198/0x570
         do_writev+0x202/0x280
         do_syscall_64+0x38/0x90
         entry_SYSCALL_64_after_hwframe+0x44/0xae
        RSP: 002b:00007ffce8a099b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
        Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3
        0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 14 00 00 00 0f 05
        <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
        RDX: 0000000000000001 RSI: 00007ffce8a099e0 RDI: 0000000000000015
        RAX: ffffffffffffffda RBX: 00007ffce8a099e0 RCX: 00007f788fc3cf77
        R10: 00007ffce8af7080 R11: 0000000000000246 R12: 000055e4ccf75580
        RBP: 0000000000000015 R08: 0000000000000002 R09: 0000000000000001
        </TASK>
        R13: 000055e4ccf754a0 R14: 000055e4ccf75cd0 R15: 000055e4ccf4a6b0
    
        Allocated by task 45:
            kasan_save_stack+0x1e/0x40
            __kasan_kmalloc+0x81/0xa0
            hci_chan_create+0x9a/0x2f0
            l2cap_conn_add.part.0+0x1a/0xdc0
            l2cap_connect_cfm+0x236/0x1000
            le_conn_complete_evt+0x15a7/0x1db0
            hci_le_conn_complete_evt+0x226/0x2c0
            hci_le_meta_evt+0x247/0x450
            hci_event_packet+0x61b/0xe90
            hci_rx_work+0x4d5/0xc50
            process_one_work+0x8fb/0x15a0
            worker_thread+0x576/0x1240
            kthread+0x29d/0x340
            ret_from_fork+0x1f/0x30
    
        Freed by task 45:
            kasan_save_stack+0x1e/0x40
            kasan_set_track+0x21/0x30
            kasan_set_free_info+0x20/0x30
            __kasan_slab_free+0xfb/0x130
            kfree+0xac/0x350
            hci_conn_cleanup+0x101/0x6a0
            hci_conn_del+0x27e/0x6c0
            hci_disconn_phylink_complete_evt+0xe0/0x120
            hci_event_packet+0x812/0xe90
            hci_rx_work+0x4d5/0xc50
            process_one_work+0x8fb/0x15a0
            worker_thread+0x576/0x1240
            kthread+0x29d/0x340
            ret_from_fork+0x1f/0x30
    
        The buggy address belongs to the object at ffff88800c0f0500
        The buggy address is located 24 bytes inside of
        which belongs to the cache kmalloc-128 of size 128
        The buggy address belongs to the page:
        128-byte region [ffff88800c0f0500, ffff88800c0f0580)
        flags: 0x100000000000200(slab|node=0|zone=1)
        page:00000000fe45cd86 refcount:1 mapcount:0
        mapping:0000000000000000 index:0x0 pfn:0xc0f0
        raw: 0000000000000000 0000000080100010 00000001ffffffff
        0000000000000000
        raw: 0100000000000200 ffffea00003a2c80 dead000000000004
        ffff8880078418c0
        page dumped because: kasan: bad access detected
        ffff88800c0f0400: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
        Memory state around the buggy address:
        >ffff88800c0f0500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
        ffff88800c0f0480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
        ffff88800c0f0580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                    ^
        ==================================================================
        ffff88800c0f0600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    
    Reported-by: Sönke Huster <soenke.huster@eknoes.de>
    Tested-by: Sönke Huster <soenke.huster@eknoes.de>
    Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit cac5d2a9c6a49879444c9845d7cecc6f722b6902
Author: Max Filippov <jcmvbkbc@gmail.com>
Date:   Thu Mar 17 02:49:41 2022 -0700

    xtensa: fix DTC warning unit_address_format
    
    [ Upstream commit e85d29ba4b24f68e7a78cb85c55e754362eeb2de ]
    
    DTC issues the following warnings when building xtfpga device trees:
    
     /soc/flash@00000000/partition@0x0: unit name should not have leading "0x"
     /soc/flash@00000000/partition@0x6000000: unit name should not have leading "0x"
     /soc/flash@00000000/partition@0x6800000: unit name should not have leading "0x"
     /soc/flash@00000000/partition@0x7fe0000: unit name should not have leading "0x"
    
    Drop leading 0x from flash partition unit names.
    
    Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 2e50be51601f8d80d1587e885c9fbc63e5ec10c1
Author: H. Nikolaus Schaller <hns@goldelico.com>
Date:   Tue Mar 8 14:03:37 2022 +0100

    usb: dwc3: omap: fix "unbalanced disables for smps10_out1" on omap5evm
    
    [ Upstream commit ac01df343e5a6c6bcead2ed421af1fde30f73e7e ]
    
    Usually, the vbus_regulator (smps10 on omap5evm) boots up disabled.
    
    Hence calling regulator_disable() indirectly through dwc3_omap_set_mailbox()
    during probe leads to:
    
    [   10.332764] WARNING: CPU: 0 PID: 1628 at drivers/regulator/core.c:2853 _regulator_disable+0x40/0x164
    [   10.351919] unbalanced disables for smps10_out1
    [   10.361298] Modules linked in: dwc3_omap(+) clk_twl6040 at24 gpio_twl6040 palmas_gpadc palmas_pwrbutton
    industrialio snd_soc_omap_mcbsp(+) snd_soc_ti_sdma display_connector ti_tpd12s015 drm leds_gpio
    drm_panel_orientation_quirks ip_tables x_tables ipv6 autofs4
    [   10.387818] CPU: 0 PID: 1628 Comm: systemd-udevd Not tainted 5.17.0-rc1-letux-lpae+ #8139
    [   10.405129] Hardware name: Generic OMAP5 (Flattened Device Tree)
    [   10.411455]  unwind_backtrace from show_stack+0x10/0x14
    [   10.416970]  show_stack from dump_stack_lvl+0x40/0x4c
    [   10.422313]  dump_stack_lvl from __warn+0xb8/0x170
    [   10.427377]  __warn from warn_slowpath_fmt+0x70/0x9c
    [   10.432595]  warn_slowpath_fmt from _regulator_disable+0x40/0x164
    [   10.439037]  _regulator_disable from regulator_disable+0x30/0x64
    [   10.445382]  regulator_disable from dwc3_omap_set_mailbox+0x8c/0xf0 [dwc3_omap]
    [   10.453116]  dwc3_omap_set_mailbox [dwc3_omap] from dwc3_omap_probe+0x2b8/0x394 [dwc3_omap]
    [   10.467021]  dwc3_omap_probe [dwc3_omap] from platform_probe+0x58/0xa8
    [   10.481762]  platform_probe from really_probe+0x168/0x2fc
    [   10.481782]  really_probe from __driver_probe_device+0xc4/0xd8
    [   10.481782]  __driver_probe_device from driver_probe_device+0x24/0xa4
    [   10.503762]  driver_probe_device from __driver_attach+0xc4/0xd8
    [   10.510018]  __driver_attach from bus_for_each_dev+0x64/0xa0
    [   10.516001]  bus_for_each_dev from bus_add_driver+0x148/0x1a4
    [   10.524880]  bus_add_driver from driver_register+0xb4/0xf8
    [   10.530678]  driver_register from do_one_initcall+0x90/0x1c4
    [   10.536661]  do_one_initcall from do_init_module+0x4c/0x200
    [   10.536683]  do_init_module from load_module+0x13dc/0x1910
    [   10.551159]  load_module from sys_finit_module+0xc8/0xd8
    [   10.561319]  sys_finit_module from __sys_trace_return+0x0/0x18
    [   10.561336] Exception stack(0xc344bfa8 to 0xc344bff0)
    [   10.561341] bfa0:                   b6fb5778 b6fab8d8 00000007 b6ecfbb8 00000000 b6ed0398
    [   10.561341] bfc0: b6fb5778 b6fab8d8 855c0500 0000017b 00020000 b6f9a3cc 00000000 b6fb5778
    [   10.595500] bfe0: bede18f8 bede18e8 b6ec9aeb b6dda1c2
    [   10.601345] ---[ end trace 0000000000000000 ]---
    
    Fix this unnecessary warning by checking if the regulator is enabled.
    
    Signed-off-by: H. Nikolaus Schaller <hns@goldelico.com>
    Link: https://lore.kernel.org/r/af3b750dc2265d875deaabcf5f80098c9645da45.1646744616.git.hns@goldelico.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 499d198494e77b6533251b9b909baf5c101129cb
Author: Jianglei Nie <niejianglei2021@163.com>
Date:   Thu Mar 3 09:51:15 2022 +0800

    scsi: libfc: Fix use after free in fc_exch_abts_resp()
    
    [ Upstream commit 271add11994ba1a334859069367e04d2be2ebdd4 ]
    
    fc_exch_release(ep) will decrease the ep's reference count. When the
    reference count reaches zero, it is freed. But ep is still used in the
    following code, which will lead to a use after free.
    
    Return after the fc_exch_release() call to avoid use after free.
    
    Link: https://lore.kernel.org/r/20220303015115.459778-1-niejianglei2021@163.com
    Reviewed-by: Hannes Reinecke <hare@suse.de>
    Signed-off-by: Jianglei Nie <niejianglei2021@163.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit e7036df78359213bbf104b342a28ba67aba8c9b8
Author: Alexander Lobakin <alobakin@pm.me>
Date:   Wed Feb 23 01:30:23 2022 +0000

    MIPS: fix fortify panic when copying asm exception handlers
    
    [ Upstream commit d17b66417308996e7e64b270a3c7f3c1fbd4cfc8 ]
    
    With KCFLAGS="-O3", I was able to trigger a fortify-source
    memcpy() overflow panic on set_vi_srs_handler().
    Although O3 level is not supported in the mainline, under some
    conditions that may've happened with any optimization settings,
    it's just a matter of inlining luck. The panic itself is correct,
    more precisely, 50/50 false-positive and not at the same time.
    From the one side, no real overflow happens. Exception handler
    defined in asm just gets copied to some reserved places in the
    memory.
    But the reason behind is that C code refers to that exception
    handler declares it as `char`, i.e. something of 1 byte length.
    It's obvious that the asm function itself is way more than 1 byte,
    so fortify logics thought we are going to past the symbol declared.
    The standard way to refer to asm symbols from C code which is not
    supposed to be called from C is to declare them as
    `extern const u8[]`. This is fully correct from any point of view,
    as any code itself is just a bunch of bytes (including 0 as it is
    for syms like _stext/_etext/etc.), and the exact size is not known
    at the moment of compilation.
    Adjust the type of the except_vec_vi_*() and related variables.
    Make set_handler() take `const` as a second argument to avoid
    cast-away warnings and give a little more room for optimization.
    
    Signed-off-by: Alexander Lobakin <alobakin@pm.me>
    Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 44011dcc079e50bc81108bc02775901117f88e5e
Author: Michael Chan <michael.chan@broadcom.com>
Date:   Sat Mar 5 03:54:39 2022 -0500

    bnxt_en: Eliminate unintended link toggle during FW reset
    
    [ Upstream commit 7c492a2530c1f05441da541307c2534230dfd59b ]
    
    If the flow control settings have been changed, a subsequent FW reset
    may cause the ethernet link to toggle unnecessarily.  This link toggle
    will increase the down time by a few seconds.
    
    The problem is caused by bnxt_update_phy_setting() detecting a false
    mismatch in the flow control settings between the stored software
    settings and the current FW settings after the FW reset.  This mismatch
    is caused by the AUTONEG bit added to link_info->req_flow_ctrl in an
    inconsistent way in bnxt_set_pauseparam() in autoneg mode.  The AUTONEG
    bit should not be added to link_info->req_flow_ctrl.
    
    Reviewed-by: Colin Winegarden <colin.winegarden@broadcom.com>
    Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
    Signed-off-by: Michael Chan <michael.chan@broadcom.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 6abfcac74c8bc0a1eb059fb46fc097f70431f428
Author: Sven Eckelmann <sven@narfation.org>
Date:   Mon Feb 28 01:32:40 2022 +0100

    macvtap: advertise link netns via netlink
    
    [ Upstream commit a02192151b7dbf855084c38dca380d77c7658353 ]
    
    Assign rtnl_link_ops->get_link_net() callback so that IFLA_LINK_NETNSID is
    added to rtnetlink messages. This fixes iproute2 which otherwise resolved
    the link interface to an interface in the wrong namespace.
    
    Test commands:
    
      ip netns add nst
      ip link add dummy0 type dummy
      ip link add link macvtap0 link dummy0 type macvtap
      ip link set macvtap0 netns nst
      ip -netns nst link show macvtap0
    
    Before:
    
      10: macvtap0@gre0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 500
          link/ether 5e:8f:ae:1d:60:50 brd ff:ff:ff:ff:ff:ff
    
    After:
    
      10: macvtap0@if2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 500
          link/ether 5e:8f:ae:1d:60:50 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    
    Reported-by: Leonardo Mörlein <freifunk@irrelefant.net>
    Signed-off-by: Sven Eckelmann <sven@narfation.org>
    Link: https://lore.kernel.org/r/20220228003240.1337426-1-sven@narfation.org
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 841304d177c20f21cc3577fe78a4ccebde7ab04c
Author: Dust Li <dust.li@linux.alibaba.com>
Date:   Tue Mar 1 17:44:00 2022 +0800

    net/smc: correct settings of RMB window update limit
    
    [ Upstream commit 6bf536eb5c8ca011d1ff57b5c5f7c57ceac06a37 ]
    
    rmbe_update_limit is used to limit announcing receive
    window updating too frequently. RFC7609 request a minimal
    increase in the window size of 10% of the receive buffer
    space. But current implementation used:
    
      min_t(int, rmbe_size / 10, SOCK_MIN_SNDBUF / 2)
    
    and SOCK_MIN_SNDBUF / 2 == 2304 Bytes, which is almost
    always less then 10% of the receive buffer space.
    
    This causes the receiver always sending CDC message to
    update its consumer cursor when it consumes more then 2K
    of data. And as a result, we may encounter something like
    "TCP silly window syndrome" when sending 2.5~8K message.
    
    This patch fixes this using max(rmbe_size / 10, SOCK_MIN_SNDBUF / 2).
    
    With this patch and SMC autocorking enabled, qperf 2K/4K/8K
    tcp_bw test shows 45%/75%/40% increase in throughput respectively.
    
    Signed-off-by: Dust Li <dust.li@linux.alibaba.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 273a2e62e5eb68e78c1f648305bbc4916e8626ba
Author: Randy Dunlap <rdunlap@infradead.org>
Date:   Tue Feb 22 16:06:23 2022 -0800

    scsi: aha152x: Fix aha152x_setup() __setup handler return value
    
    [ Upstream commit cc8294ec4738d25e2bb2d71f7d82a9bf7f4a157b ]
    
    __setup() handlers should return 1 if the command line option is handled
    and 0 if not (or maybe never return 0; doing so just pollutes init's
    environment with strings that are not init arguments/parameters).
    
    Return 1 from aha152x_setup() to indicate that the boot option has been
    handled.
    
    Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru
    Link: https://lore.kernel.org/r/20220223000623.5920-1-rdunlap@infradead.org
    Cc: "Juergen E. Fischer" <fischer@norbit.de>
    Cc: "James E.J. Bottomley" <jejb@linux.ibm.com>
    Cc: "Martin K. Petersen" <martin.petersen@oracle.com>
    Reported-by: Igor Zhbanov <i.zhbanov@omprussia.ru>
    Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3a15300fe378595dac83204b3d4ca243c13c8c79
Author: Damien Le Moal <damien.lemoal@opensource.wdc.com>
Date:   Sun Feb 20 12:17:57 2022 +0900

    scsi: pm8001: Fix pm8001_mpi_task_abort_resp()
    
    [ Upstream commit 7e6b7e740addcea450041b5be8e42f0a4ceece0f ]
    
    The call to pm8001_ccb_task_free() at the end of
    pm8001_mpi_task_abort_resp() already frees the ccb tag. So when the device
    NCQ_ABORT_ALL_FLAG is set, the tag should not be freed again.  Also change
    the hardcoded 0xBFFFFFFF value to ~NCQ_ABORT_ALL_FLAG as it ought to be.
    
    Link: https://lore.kernel.org/r/20220220031810.738362-19-damien.lemoal@opensource.wdc.com
    Reviewed-by: Jack Wang <jinpu.wang@ionos.com>
    Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 58880025e3362024f6d8ea01cb0c7a5df6c84ba6
Author: Jordy Zomer <jordy@jordyzomer.github.io>
Date:   Sat Jan 29 15:58:39 2022 +0100

    dm ioctl: prevent potential spectre v1 gadget
    
    [ Upstream commit cd9c88da171a62c4b0f1c70e50c75845969fbc18 ]
    
    It appears like cmd could be a Spectre v1 gadget as it's supplied by a
    user and used as an array index. Prevent the contents of kernel memory
    from being leaked to userspace via speculative execution by using
    array_index_nospec.
    
    Signed-off-by: Jordy Zomer <jordy@pwning.systems>
    Signed-off-by: Mike Snitzer <snitzer@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 5e580cce4d58b35e0ceb875578a53b49cc2e98b1
Author: Zhou Guanghui <zhouguanghui1@huawei.com>
Date:   Wed Jan 19 07:07:54 2022 +0000

    iommu/arm-smmu-v3: fix event handling soft lockup
    
    [ Upstream commit 30de2b541af98179780054836b48825fcfba4408 ]
    
    During event processing, events are read from the event queue one
    by one until the queue is empty.If the master device continuously
    requests address access at the same time and the SMMU generates
    events, the cyclic processing of the event takes a long time and
    softlockup warnings may be reported.
    
    arm-smmu-v3 arm-smmu-v3.34.auto: event 0x0a received:
    arm-smmu-v3 arm-smmu-v3.34.auto:        0x00007f220000280a
    arm-smmu-v3 arm-smmu-v3.34.auto:        0x000010000000007e
    arm-smmu-v3 arm-smmu-v3.34.auto:        0x00000000034e8670
    watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [irq/268-arm-smm:247]
    Call trace:
     _dev_info+0x7c/0xa0
     arm_smmu_evtq_thread+0x1c0/0x230
     irq_thread_fn+0x30/0x80
     irq_thread+0x128/0x210
     kthread+0x134/0x138
     ret_from_fork+0x10/0x1c
    Kernel panic - not syncing: softlockup: hung tasks
    
    Fix this by calling cond_resched() after the event information is
    printed.
    
    Signed-off-by: Zhou Guanghui <zhouguanghui1@huawei.com>
    Link: https://lore.kernel.org/r/20220119070754.26528-1-zhouguanghui1@huawei.com
    Signed-off-by: Will Deacon <will@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit d7f87c7849d498c186cbde1e6e8de3e729bf2f19
Author: Pali Rohár <pali@kernel.org>
Date:   Mon Jan 10 02:49:58 2022 +0100

    PCI: aardvark: Fix support for MSI interrupts
    
    [ Upstream commit b0b0b8b897f8e12b2368e868bd7cdc5742d5c5a9 ]
    
    Aardvark hardware supports Multi-MSI and MSI_FLAG_MULTI_PCI_MSI is already
    set for the MSI chip. But when allocating MSI interrupt numbers for
    Multi-MSI, the numbers need to be properly aligned, otherwise endpoint
    devices send MSI interrupt with incorrect numbers.
    
    Fix this issue by using function bitmap_find_free_region() instead of
    bitmap_find_next_zero_area().
    
    To ensure that aligned MSI interrupt numbers are used by endpoint devices,
    we cannot use Linux virtual irq numbers (as they are random and not
    properly aligned). Instead we need to use the aligned hwirq numbers.
    
    This change fixes receiving MSI interrupts on Armada 3720 boards and
    allows using NVMe disks which use Multi-MSI feature with 3 interrupts.
    
    Without this NVMe disks freeze booting as linux nvme-core.c is waiting
    60s for an interrupt.
    
    Link: https://lore.kernel.org/r/20220110015018.26359-4-kabel@kernel.org
    Signed-off-by: Pali Rohár <pali@kernel.org>
    Signed-off-by: Marek Behún <kabel@kernel.org>
    Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3fc06760daf4afdf28cb540e90eaffc0d0cbc5c0
Author: Sourabh Jain <sourabhjain@linux.ibm.com>
Date:   Fri Feb 4 14:26:01 2022 +0530

    powerpc: Set crashkernel offset to mid of RMA region
    
    [ Upstream commit 7c5ed82b800d8615cdda00729e7b62e5899f0b13 ]
    
    On large config LPARs (having 192 and more cores), Linux fails to boot
    due to insufficient memory in the first memblock. It is due to the
    memory reservation for the crash kernel which starts at 128MB offset of
    the first memblock. This memory reservation for the crash kernel doesn't
    leave enough space in the first memblock to accommodate other essential
    system resources.
    
    The crash kernel start address was set to 128MB offset by default to
    ensure that the crash kernel get some memory below the RMA region which
    is used to be of size 256MB. But given that the RMA region size can be
    512MB or more, setting the crash kernel offset to mid of RMA size will
    leave enough space for the kernel to allocate memory for other system
    resources.
    
    Since the above crash kernel offset change is only applicable to the LPAR
    platform, the LPAR feature detection is pushed before the crash kernel
    reservation. The rest of LPAR specific initialization will still
    be done during pseries_probe_fw_features as usual.
    
    This patch is dependent on changes to paca allocation for boot CPU. It
    expect boot CPU to discover 1T segment support which is introduced by
    the patch posted here:
    https://lists.ozlabs.org/pipermail/linuxppc-dev/2022-January/239175.html
    
    Reported-by: Abdul haleem <abdhalee@linux.vnet.ibm.com>
    Signed-off-by: Sourabh Jain <sourabhjain@linux.ibm.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://lore.kernel.org/r/20220204085601.107257-1-sourabhjain@linux.ibm.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 724e76c087ac7855cf608f6c076cb99b3b1e9f07
Author: Evgeny Boger <boger@wirenboard.com>
Date:   Wed Jan 12 11:47:27 2022 +0300

    power: supply: axp20x_battery: properly report current when discharging
    
    [ Upstream commit d4f408cdcd26921c1268cb8dcbe8ffb6faf837f3 ]
    
    As stated in [1], negative current values are used for discharging
    batteries.
    
    AXP PMICs internally have two different ADC channels for shunt current
    measurement: one used during charging and one during discharging.
    The values reported by these ADCs are unsigned.
    While the driver properly selects ADC channel to get the data from,
    it doesn't apply negative sign when reporting discharging current.
    
    [1] Documentation/ABI/testing/sysfs-class-power
    
    Signed-off-by: Evgeny Boger <boger@wirenboard.com>
    Acked-by: Chen-Yu Tsai <wens@csie.org>
    Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f33720070d2755d417779b81c60058023d6d2e3a
Author: Yang Guang <yang.guang5@zte.com.cn>
Date:   Thu Jan 27 08:03:46 2022 +0800

    scsi: bfa: Replace snprintf() with sysfs_emit()
    
    [ Upstream commit 2245ea91fd3a04cafbe2f54911432a8657528c3b ]
    
    coccinelle report:
    ./drivers/scsi/bfa/bfad_attr.c:908:8-16:
    WARNING: use scnprintf or sprintf
    ./drivers/scsi/bfa/bfad_attr.c:860:8-16:
    WARNING: use scnprintf or sprintf
    ./drivers/scsi/bfa/bfad_attr.c:888:8-16:
    WARNING: use scnprintf or sprintf
    ./drivers/scsi/bfa/bfad_attr.c:853:8-16:
    WARNING: use scnprintf or sprintf
    ./drivers/scsi/bfa/bfad_attr.c:808:8-16:
    WARNING: use scnprintf or sprintf
    ./drivers/scsi/bfa/bfad_attr.c:728:8-16:
    WARNING: use scnprintf or sprintf
    ./drivers/scsi/bfa/bfad_attr.c:822:8-16:
    WARNING: use scnprintf or sprintf
    ./drivers/scsi/bfa/bfad_attr.c:927:9-17:
    WARNING: use scnprintf or sprintf
    ./drivers/scsi/bfa/bfad_attr.c:900:8-16:
    WARNING: use scnprintf or sprintf
    ./drivers/scsi/bfa/bfad_attr.c:874:8-16:
    WARNING: use scnprintf or sprintf
    ./drivers/scsi/bfa/bfad_attr.c:714:8-16:
    WARNING: use scnprintf or sprintf
    ./drivers/scsi/bfa/bfad_attr.c:839:8-16:
    WARNING: use scnprintf or sprintf
    
    Use sysfs_emit() instead of scnprintf() or sprintf().
    
    Link: https://lore.kernel.org/r/def83ff75faec64ba592b867a8499b1367bae303.1643181468.git.yang.guang5@zte.com.cn
    Reported-by: Zeal Robot <zealci@zte.com.cn>
    Signed-off-by: Yang Guang <yang.guang5@zte.com.cn>
    Signed-off-by: David Yang <davidcomponentone@gmail.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit d065ad743180ab9110b71dffe720ac5643a1dec0
Author: Yang Guang <yang.guang5@zte.com.cn>
Date:   Thu Jan 27 08:00:59 2022 +0800

    scsi: mvsas: Replace snprintf() with sysfs_emit()
    
    [ Upstream commit 0ad3867b0f13e45cfee5a1298bfd40eef096116c ]
    
    coccinelle report:
    ./drivers/scsi/mvsas/mv_init.c:699:8-16:
    WARNING: use scnprintf or sprintf
    ./drivers/scsi/mvsas/mv_init.c:747:8-16:
    WARNING: use scnprintf or sprintf
    
    Use sysfs_emit() instead of scnprintf() or sprintf().
    
    Link: https://lore.kernel.org/r/c1711f7cf251730a8ceb5bdfc313bf85662b3395.1643182948.git.yang.guang5@zte.com.cn
    Reported-by: Zeal Robot <zealci@zte.com.cn>
    Signed-off-by: Yang Guang <yang.guang5@zte.com.cn>
    Signed-off-by: David Yang <davidcomponentone@gmail.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 0dff88c6ec1da2f79ae96337ef0f238db956d29e
Author: Maxim Kiselev <bigunclemax@gmail.com>
Date:   Thu Dec 30 18:11:21 2021 +0300

    powerpc: dts: t104xrdb: fix phy type for FMAN 4/5
    
    [ Upstream commit 17846485dff91acce1ad47b508b633dffc32e838 ]
    
    T1040RDB has two RTL8211E-VB phys which requires setting
    of internal delays for correct work.
    
    Changing the phy-connection-type property to `rgmii-id`
    will fix this issue.
    
    Signed-off-by: Maxim Kiselev <bigunclemax@gmail.com>
    Reviewed-by: Maxim Kochetkov <fido_max@inbox.ru>
    Reviewed-by: Vladimir Oltean <vladimir.oltean@nxp.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://lore.kernel.org/r/20211230151123.1258321-1-bigunclemax@gmail.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 8eff95bcb3c1580568face8a2b0369c48b22f5cd
Author: Yang Guang <yang.guang5@zte.com.cn>
Date:   Thu Jan 27 08:02:36 2022 +0800

    ptp: replace snprintf with sysfs_emit
    
    [ Upstream commit e2cf07654efb0fd7bbcb475c6f74be7b5755a8fd ]
    
    coccinelle report:
    ./drivers/ptp/ptp_sysfs.c:17:8-16:
    WARNING: use scnprintf or sprintf
    ./drivers/ptp/ptp_sysfs.c:390:8-16:
    WARNING: use scnprintf or sprintf
    
    Use sysfs_emit instead of scnprintf or sprintf makes more sense.
    
    Reported-by: Zeal Robot <zealci@zte.com.cn>
    Signed-off-by: Yang Guang <yang.guang5@zte.com.cn>
    Signed-off-by: David Yang <davidcomponentone@gmail.com>
    Acked-by: Richard Cochran <richardcochran@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit ed3dfdaa8b5f0579eabfc1c5818eed30cfe1fe84
Author: Zekun Shen <bruceshenzk@gmail.com>
Date:   Sun Dec 26 22:12:13 2021 -0500

    ath5k: fix OOB in ath5k_eeprom_read_pcal_info_5111
    
    [ Upstream commit 564d4eceb97eaf381dd6ef6470b06377bb50c95a ]
    
    The bug was found during fuzzing. Stacktrace locates it in
    ath5k_eeprom_convert_pcal_info_5111.
    When none of the curve is selected in the loop, idx can go
    up to AR5K_EEPROM_N_PD_CURVES. The line makes pd out of bound.
    pd = &chinfo[pier].pd_curves[idx];
    
    There are many OOB writes using pd later in the code. So I
    added a sanity check for idx. Checks for other loops involving
    AR5K_EEPROM_N_PD_CURVES are not needed as the loop index is not
    used outside the loops.
    
    The patch is NOT tested with real device.
    
    The following is the fuzzing report
    
    BUG: KASAN: slab-out-of-bounds in ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]
    Write of size 1 at addr ffff8880174a4d60 by task modprobe/214
    
    CPU: 0 PID: 214 Comm: modprobe Not tainted 5.6.0 #1
    Call Trace:
     dump_stack+0x76/0xa0
     print_address_description.constprop.0+0x16/0x200
     ? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]
     ? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]
     __kasan_report.cold+0x37/0x7c
     ? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]
     kasan_report+0xe/0x20
     ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]
     ? apic_timer_interrupt+0xa/0x20
     ? ath5k_eeprom_init_11a_pcal_freq+0xbc0/0xbc0 [ath5k]
     ? ath5k_pci_eeprom_read+0x228/0x3c0 [ath5k]
     ath5k_eeprom_init+0x2513/0x6290 [ath5k]
     ? ath5k_eeprom_init_11a_pcal_freq+0xbc0/0xbc0 [ath5k]
     ? usleep_range+0xb8/0x100
     ? apic_timer_interrupt+0xa/0x20
     ? ath5k_eeprom_read_pcal_info_2413+0x2f20/0x2f20 [ath5k]
     ath5k_hw_init+0xb60/0x1970 [ath5k]
     ath5k_init_ah+0x6fe/0x2530 [ath5k]
     ? kasprintf+0xa6/0xe0
     ? ath5k_stop+0x140/0x140 [ath5k]
     ? _dev_notice+0xf6/0xf6
     ? apic_timer_interrupt+0xa/0x20
     ath5k_pci_probe.cold+0x29a/0x3d6 [ath5k]
     ? ath5k_pci_eeprom_read+0x3c0/0x3c0 [ath5k]
     ? mutex_lock+0x89/0xd0
     ? ath5k_pci_eeprom_read+0x3c0/0x3c0 [ath5k]
     local_pci_probe+0xd3/0x160
     pci_device_probe+0x23f/0x3e0
     ? pci_device_remove+0x280/0x280
     ? pci_device_remove+0x280/0x280
     really_probe+0x209/0x5d0
    
    Reported-by: Brendan Dolan-Gavitt <brendandg@nyu.edu>
    Signed-off-by: Zekun Shen <bruceshenzk@gmail.com>
    Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
    Link: https://lore.kernel.org/r/YckvDdj3mtCkDRIt@a-10-27-26-18.dynapool.vpn.nyu.edu
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f15c05f476437c6d55055c29463c2228e9e4251e
Author: Jim Mattson <jmattson@google.com>
Date:   Sat Feb 26 15:41:31 2022 -0800

    KVM: x86/svm: Clear reserved bits written to PerfEvtSeln MSRs
    
    [ Upstream commit 9b026073db2f1ad0e4d8b61c83316c8497981037 ]
    
    AMD EPYC CPUs never raise a #GP for a WRMSR to a PerfEvtSeln MSR. Some
    reserved bits are cleared, and some are not. Specifically, on
    Zen3/Milan, bits 19 and 42 are not cleared.
    
    When emulating such a WRMSR, KVM should not synthesize a #GP,
    regardless of which bits are set. However, undocumented bits should
    not be passed through to the hardware MSR. So, rather than checking
    for reserved bits and synthesizing a #GP, just clear the reserved
    bits.
    
    This may seem pedantic, but since KVM currently does not support the
    "Host/Guest Only" bits (41:40), it is necessary to clear these bits
    rather than synthesizing #GP, because some popular guests (e.g Linux)
    will set the "Host Only" bit even on CPUs that don't support
    EFER.SVME, and they don't expect a #GP.
    
    For example,
    
    root@Ubuntu1804:~# perf stat -e r26 -a sleep 1
    
     Performance counter stats for 'system wide':
    
                     0      r26
    
           1.001070977 seconds time elapsed
    
    Feb 23 03:59:58 Ubuntu1804 kernel: [  405.379957] unchecked MSR access error: WRMSR to 0xc0010200 (tried to write 0x0000020000130026) at rIP: 0xffffffff9b276a28 (native_write_msr+0x8/0x30)
    Feb 23 03:59:58 Ubuntu1804 kernel: [  405.379958] Call Trace:
    Feb 23 03:59:58 Ubuntu1804 kernel: [  405.379963]  amd_pmu_disable_event+0x27/0x90
    
    Fixes: ca724305a2b0 ("KVM: x86/vPMU: Implement AMD vPMU code for KVM")
    Reported-by: Lotus Fenn <lotusf@google.com>
    Signed-off-by: Jim Mattson <jmattson@google.com>
    Reviewed-by: Like Xu <likexu@tencent.com>
    Reviewed-by: David Dunn <daviddunn@google.com>
    Message-Id: <20220226234131.2167175-1-jmattson@google.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3166859b0e22609132c124349ac804b97b3ae410
Author: Randy Dunlap <rdunlap@infradead.org>
Date:   Sat Mar 12 07:36:09 2022 +0100

    ARM: 9187/1: JIVE: fix return value of __setup handler
    
    [ Upstream commit 8b2360c7157b462c4870d447d1e65d30ef31f9aa ]
    
    __setup() handlers should return 1 to obsolete_checksetup() in
    init/main.c to indicate that the boot option has been handled.
    A return of 0 causes the boot option/value to be listed as an Unknown
    kernel parameter and added to init's (limited) argument or environment
    strings. Also, error return codes don't mean anything to
    obsolete_checksetup() -- only non-zero (usually 1) or zero.
    So return 1 from jive_mtdset().
    
    Fixes: 9db829f485c5 ("[ARM] JIVE: Initial machine support for Logitech Jive")
    Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
    Cc: Ben Dooks <ben-linux@fluff.org>
    Cc: Krzysztof Kozlowski <krzk@kernel.org>
    Cc: Alim Akhtar <alim.akhtar@samsung.com>
    Cc: linux-arm-kernel@lists.infradead.org
    Cc: linux-samsung-soc@vger.kernel.org
    Cc: patches@armlinux.org.uk
    Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 0e2c26dd11d75c60de8986df0585ed74dd49cda2
Author: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Date:   Thu Mar 3 16:50:30 2022 +0800

    rtc: wm8350: Handle error for wm8350_register_irq
    
    [ Upstream commit 43f0269b6b89c1eec4ef83c48035608f4dcdd886 ]
    
    As the potential failure of the wm8350_register_irq(),
    it should be better to check it and return error if fails.
    Also, it need not free 'wm_rtc->rtc' since it will be freed
    automatically.
    
    Fixes: 077eaf5b40ec ("rtc: rtc-wm8350: add support for WM8350 RTC")
    Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
    Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
    Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
    Link: https://lore.kernel.org/r/20220303085030.291793-1-jiasheng@iscas.ac.cn
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f7e252d7e430aa37996d46d1b718d8abd31013ae
Author: Zhihao Cheng <chengzhihao1@huawei.com>
Date:   Mon Dec 27 11:22:38 2021 +0800

    ubifs: Rectify space amount budget for mkdir/tmpfile operations
    
    [ Upstream commit a6dab6607d4681d227905d5198710b575dbdb519 ]
    
    UBIFS should make sure the flash has enough space to store dirty (Data
    that is newer than disk) data (in memory), space budget is exactly
    designed to do that. If space budget calculates less data than we need,
    'make_reservation()' will do more work(return -ENOSPC if no free space
    lelf, sometimes we can see "cannot reserve xxx bytes in jhead xxx, error
    -28" in ubifs error messages) with ubifs inodes locked, which may effect
    other syscalls.
    
    A simple way to decide how much space do we need when make a budget:
    See how much space is needed by 'make_reservation()' in ubifs_jnl_xxx()
    function according to corresponding operation.
    
    It's better to report ENOSPC in ubifs_budget_space(), as early as we can.
    
    Fixes: 474b93704f32163 ("ubifs: Implement O_TMPFILE")
    Fixes: 1e51764a3c2ac05 ("UBIFS: add new flash file system")
    Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
    Signed-off-by: Richard Weinberger <richard@nod.at>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3362843aa71898fc2850a90950debcef2897dd60
Author: Vitaly Kuznetsov <vkuznets@redhat.com>
Date:   Fri Mar 25 14:21:40 2022 +0100

    KVM: x86: Forbid VMM to set SYNIC/STIMER MSRs when SynIC wasn't activated
    
    commit b1e34d325397a33d97d845e312d7cf2a8b646b44 upstream.
    
    Setting non-zero values to SYNIC/STIMER MSRs activates certain features,
    this should not happen when KVM_CAP_HYPERV_SYNIC{,2} was not activated.
    
    Note, it would've been better to forbid writing anything to SYNIC/STIMER
    MSRs, including zeroes, however, at least QEMU tries clearing
    HV_X64_MSR_STIMER0_CONFIG without SynIC. HV_X64_MSR_EOM MSR is somewhat
    'special' as writing zero there triggers an action, this also should not
    happen when SynIC wasn't activated.
    
    Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
    Message-Id: <20220325132140.25650-4-vkuznets@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1dd678930b382bff27b48d278d8f433f165af974
Author: Martin Varghese <martin.varghese@nokia.com>
Date:   Mon Mar 28 11:11:48 2022 +0530

    openvswitch: Fixed nd target mask field in the flow dump.
    
    commit f19c44452b58a84d95e209b847f5495d91c9983a upstream.
    
    IPv6 nd target mask was not getting populated in flow dump.
    
    In the function __ovs_nla_put_key the icmp code mask field was checked
    instead of icmp code key field to classify the flow as neighbour discovery.
    
    ufid:bdfbe3e5-60c2-43b0-a5ff-dfcac1c37328, recirc_id(0),dp_hash(0/0),
    skb_priority(0/0),in_port(ovs-nm1),skb_mark(0/0),ct_state(0/0),
    ct_zone(0/0),ct_mark(0/0),ct_label(0/0),
    eth(src=00:00:00:00:00:00/00:00:00:00:00:00,
    dst=00:00:00:00:00:00/00:00:00:00:00:00),
    eth_type(0x86dd),
    ipv6(src=::/::,dst=::/::,label=0/0,proto=58,tclass=0/0,hlimit=0/0,frag=no),
    icmpv6(type=135,code=0),
    nd(target=2001::2/::,
    sll=00:00:00:00:00:00/00:00:00:00:00:00,
    tll=00:00:00:00:00:00/00:00:00:00:00:00),
    packets:10, bytes:860, used:0.504s, dp:ovs, actions:ovs-nm2
    
    Fixes: e64457191a25 (openvswitch: Restructure datapath.c and flow.c)
    Signed-off-by: Martin Varghese <martin.varghese@nokia.com>
    Link: https://lore.kernel.org/r/20220328054148.3057-1-martinvarghesenokia@gmail.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5fc5e965c2b8f5f7b637fce7918797c51b587d02
Author: Kuldeep Singh <singh.kuldeep87k@gmail.com>
Date:   Sat Mar 26 09:53:09 2022 +0530

    ARM: dts: spear13xx: Update SPI dma properties
    
    commit 31d3687d6017c7ce6061695361598d9cda70807a upstream.
    
    Reorder dmas and dma-names property for spi controller node to make it
    compliant with bindings.
    
    Fixes: 6e8887f60f60 ("ARM: SPEAr13xx: Pass generic DW DMAC platform data from DT")
    Signed-off-by: Kuldeep Singh <singh.kuldeep87k@gmail.com>
    Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
    Link: https://lore.kernel.org/r/20220326042313.97862-2-singh.kuldeep87k@gmail.com'
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 89f1b6abbd79def7044cd39bf2fc5cee0b1cb3fd
Author: Kuldeep Singh <singh.kuldeep87k@gmail.com>
Date:   Sat Mar 26 09:53:10 2022 +0530

    ARM: dts: spear1340: Update serial node properties
    
    commit 583d6b0062640def86f3265aa1042ecb6672516e upstream.
    
    Reorder dma and dma-names property for serial node to make it compliant
    with bindings.
    
    Fixes: 6e8887f60f60 ("ARM: SPEAr13xx: Pass generic DW DMAC platform data from DT")
    Signed-off-by: Kuldeep Singh <singh.kuldeep87k@gmail.com>
    Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
    Link: https://lore.kernel.org/r/20220326042313.97862-3-singh.kuldeep87k@gmail.com'
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bab8585ef5804ba8bf11a9d205b6523b283f69b0
Author: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
Date:   Wed Jan 12 18:00:29 2022 +0100

    ASoC: topology: Allow TLV control to be either read or write
    
    commit feb00b736af64875560f371fe7f58b0b7f239046 upstream.
    
    There is no reason to force readwrite access on TLV controls. It can be
    either read, write or both. This is further evidenced in code where it
    performs following checks:
                    if ((k->access & SNDRV_CTL_ELEM_ACCESS_TLV_READ) && !sbe->get)
                            return -EINVAL;
                    if ((k->access & SNDRV_CTL_ELEM_ACCESS_TLV_WRITE) && !sbe->put)
                            return -EINVAL;
    
    Fixes: 1a3232d2f61d ("ASoC: topology: Add support for TLV bytes controls")
    Signed-off-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
    Reviewed-by: Cezary Rojewski <cezary.rojewski@intel.com>
    Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
    Link: https://lore.kernel.org/r/20220112170030.569712-3-amadeuszx.slawinski@linux.intel.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 801d547fdee363b4eecb06e88fc32a55bfc93c55
Author: Zhihao Cheng <chengzhihao1@huawei.com>
Date:   Mon Dec 27 11:22:42 2021 +0800

    ubi: fastmap: Return error code if memory allocation fails in add_aeb()
    
    commit c3c07fc25f37c157fde041b3a0c3dfcb1590cbce upstream.
    
    Abort fastmap scanning and return error code if memory allocation fails
    in add_aeb(). Otherwise ubi will get wrong peb statistics information
    after scanning.
    
    Fixes: dbb7d2a88d2a7b ("UBI: Add fastmap core")
    Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
    Signed-off-by: Richard Weinberger <richard@nod.at>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7ebdd69e871c9e7a0891c9d6efb2c8d21ce2c083
Author: Randy Dunlap <rdunlap@infradead.org>
Date:   Tue Mar 22 14:40:31 2022 -0700

    mm/memcontrol: return 1 from cgroup.memory __setup() handler
    
    commit 460a79e18842caca6fa0c415de4a3ac1e671ac50 upstream.
    
    __setup() handlers should return 1 if the command line option is handled
    and 0 if not (or maybe never return 0; it just pollutes init's
    environment).
    
    The only reason that this particular __setup handler does not pollute
    init's environment is that the setup string contains a '.', as in
    "cgroup.memory".  This causes init/main.c::unknown_boottoption() to
    consider it to be an "Unused module parameter" and ignore it.  (This is
    for parsing of loadable module parameters any time after kernel init.)
    Otherwise the string "cgroup.memory=whatever" would be added to init's
    environment strings.
    
    Instead of relying on this '.' quirk, just return 1 to indicate that the
    boot option has been handled.
    
    Note that there is no warning message if someone enters:
            cgroup.memory=anything_invalid
    
    Link: https://lkml.kernel.org/r/20220222005811.10672-1-rdunlap@infradead.org
    Fixes: f7e1cb6ec51b0 ("mm: memcontrol: account socket memory in unified hierarchy memory controller")
    Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
    Reported-by: Igor Zhbanov <i.zhbanov@omprussia.ru>
    Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru
    Reviewed-by: Michal Koutný <mkoutny@suse.com>
    Cc: Johannes Weiner <hannes@cmpxchg.org>
    Cc: Michal Hocko <mhocko@kernel.org>
    Cc: Vladimir Davydov <vdavydov.dev@gmail.com>
    Cc: Roman Gushchin <roman.gushchin@linux.dev>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c8acbd2997431941d2c91ca7cd0ee4234448e9b8
Author: Randy Dunlap <rdunlap@infradead.org>
Date:   Tue Mar 22 14:42:27 2022 -0700

    mm/mmap: return 1 from stack_guard_gap __setup() handler
    
    commit e6d094936988910ce6e8197570f2753898830081 upstream.
    
    __setup() handlers should return 1 if the command line option is handled
    and 0 if not (or maybe never return 0; it just pollutes init's
    environment).  This prevents:
    
      Unknown kernel command line parameters \
      "BOOT_IMAGE=/boot/bzImage-517rc5 stack_guard_gap=100", will be \
      passed to user space.
    
      Run /sbin/init as init process
       with arguments:
         /sbin/init
       with environment:
         HOME=/
         TERM=linux
         BOOT_IMAGE=/boot/bzImage-517rc5
         stack_guard_gap=100
    
    Return 1 to indicate that the boot option has been handled.
    
    Note that there is no warning message if someone enters:
            stack_guard_gap=anything_invalid
    and 'val' and stack_guard_gap are both set to 0 due to the use of
    simple_strtoul(). This could be improved by using kstrtoxxx() and
    checking for an error.
    
    It appears that having stack_guard_gap == 0 is valid (if unexpected) since
    using "stack_guard_gap=0" on the kernel command line does that.
    
    Link: https://lkml.kernel.org/r/20220222005817.11087-1-rdunlap@infradead.org
    Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru
    Fixes: 1be7107fbe18e ("mm: larger stack guard gap, between vmas")
    Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
    Reported-by: Igor Zhbanov <i.zhbanov@omprussia.ru>
    Cc: Hugh Dickins <hughd@google.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d208ea44e25b31db5a4d5e8c31df51787a3e9303
Author: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Date:   Tue Mar 22 17:02:05 2022 +0100

    ACPI: CPPC: Avoid out of bounds access when parsing _CPC data
    
    commit 40d8abf364bcab23bc715a9221a3c8623956257b upstream.
    
    If the NumEntries field in the _CPC return package is less than 2, do
    not attempt to access the "Revision" element of that package, because
    it may not be present then.
    
    Fixes: 337aadff8e45 ("ACPI: Introduce CPU performance controls using CPPC")
    BugLink: https://lore.kernel.org/lkml/20220322143534.GC32582@xsang-OptiPlex-9020/
    Reported-by: kernel test robot <oliver.sang@intel.com>
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Reviewed-by: Huang Rui <ray.huang@amd.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f149b1bd213820363731aa119e5011ca892a2aac
Author: Baokun Li <libaokun1@huawei.com>
Date:   Fri Nov 5 17:30:22 2021 +0800

    ubi: Fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl
    
    commit 3cbf0e392f173ba0ce425968c8374a6aa3e90f2e upstream.
    
    Hulk Robot reported a KASAN report about use-after-free:
     ==================================================================
     BUG: KASAN: use-after-free in __list_del_entry_valid+0x13d/0x160
     Read of size 8 at addr ffff888035e37d98 by task ubiattach/1385
     [...]
     Call Trace:
      klist_dec_and_del+0xa7/0x4a0
      klist_put+0xc7/0x1a0
      device_del+0x4d4/0xed0
      cdev_device_del+0x1a/0x80
      ubi_attach_mtd_dev+0x2951/0x34b0 [ubi]
      ctrl_cdev_ioctl+0x286/0x2f0 [ubi]
    
     Allocated by task 1414:
      device_add+0x60a/0x18b0
      cdev_device_add+0x103/0x170
      ubi_create_volume+0x1118/0x1a10 [ubi]
      ubi_cdev_ioctl+0xb7f/0x1ba0 [ubi]
    
     Freed by task 1385:
      cdev_device_del+0x1a/0x80
      ubi_remove_volume+0x438/0x6c0 [ubi]
      ubi_cdev_ioctl+0xbf4/0x1ba0 [ubi]
     [...]
     ==================================================================
    
    The lock held by ctrl_cdev_ioctl is ubi_devices_mutex, but the lock held
    by ubi_cdev_ioctl is ubi->device_mutex. Therefore, the two locks can be
    concurrent.
    
    ctrl_cdev_ioctl contains two operations: ubi_attach and ubi_detach.
    ubi_detach is bug-free because it uses reference counting to prevent
    concurrency. However, uif_init and uif_close in ubi_attach may race with
    ubi_cdev_ioctl.
    
    uif_init will race with ubi_cdev_ioctl as in the following stack.
               cpu1                   cpu2                  cpu3
    _______________________|________________________|______________________
    ctrl_cdev_ioctl
     ubi_attach_mtd_dev
      uif_init
                               ubi_cdev_ioctl
                                ubi_create_volume
                                 cdev_device_add
       ubi_add_volume
       // sysfs exist
       kill_volumes
                                                        ubi_cdev_ioctl
                                                         ubi_remove_volume
                                                          cdev_device_del
                                                           // first free
        ubi_free_volume
         cdev_del
         // double free
       cdev_device_del
    
    And uif_close will race with ubi_cdev_ioctl as in the following stack.
               cpu1                   cpu2                  cpu3
    _______________________|________________________|______________________
    ctrl_cdev_ioctl
     ubi_attach_mtd_dev
      uif_init
                               ubi_cdev_ioctl
                                ubi_create_volume
                                 cdev_device_add
      ubi_debugfs_init_dev
      //error goto out_uif;
      uif_close
       kill_volumes
                                                        ubi_cdev_ioctl
                                                         ubi_remove_volume
                                                          cdev_device_del
                                                           // first free
        ubi_free_volume
        // double free
    
    The cause of this problem is that commit 714fb87e8bc0 make device
    "available" before it becomes accessible via sysfs. Therefore, we
    roll back the modification. We will fix the race condition between
    ubi device creation and udev by removing ubi_get_device in
    vol_attribute_show and dev_attribute_show.This avoids accessing
    uninitialized ubi_devices[ubi_num].
    
    ubi_get_device is used to prevent devices from being deleted during
    sysfs execution. However, now kernfs ensures that devices will not
    be deleted before all reference counting are released.
    The key process is shown in the following stack.
    
    device_del
      device_remove_attrs
        device_remove_groups
          sysfs_remove_groups
            sysfs_remove_group
              remove_files
                kernfs_remove_by_name
                  kernfs_remove_by_name_ns
                    __kernfs_remove
                      kernfs_drain
    
    Fixes: 714fb87e8bc0 ("ubi: Fix race condition between ubi device creation and udev")
    Reported-by: Hulk Robot <hulkci@huawei.com>
    Signed-off-by: Baokun Li <libaokun1@huawei.com>
    Signed-off-by: Richard Weinberger <richard@nod.at>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 37850c7291dac345ddedd0248793b8a1ac053d58
Author: Chen-Yu Tsai <wenst@chromium.org>
Date:   Tue Mar 8 18:09:46 2022 +0800

    pinctrl: pinconf-generic: Print arguments for bias-pull-*
    
    commit 188e5834b930acd03ad3cf7c5e7aa24db9665a29 upstream.
    
    The bias-pull-* properties, or PIN_CONFIG_BIAS_PULL_* pin config
    parameters, accept optional arguments in ohms denoting the strength of
    the pin bias.
    
    Print these values out in debugfs as well.
    
    Fixes: eec450713e5c ("pinctrl: pinconf-generic: Add flag to print arguments")
    Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
    Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
    Tested-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
    Link: https://lore.kernel.org/r/20220308100956.2750295-2-wenst@chromium.org
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a598bd99b0643961b84e5eb2a812dd9a37260502
Author: Andrew Price <anprice@redhat.com>
Date:   Tue Mar 22 19:05:51 2022 +0000

    gfs2: Make sure FITRIM minlen is rounded up to fs block size
    
    commit 27ca8273fda398638ca994a207323a85b6d81190 upstream.
    
    Per fstrim(8) we must round up the minlen argument to the fs block size.
    The current calculation doesn't take into account devices that have a
    discard granularity and requested minlen less than 1 fs block, so the
    value can get shifted away to zero in the translation to fs blocks.
    
    The zero minlen passed to gfs2_rgrp_send_discards() then allows
    sb_issue_discard() to be called with nr_sects == 0 which returns -EINVAL
    and results in gfs2_rgrp_send_discards() returning -EIO.
    
    Make sure minlen is never < 1 fs block by taking the max of the
    requested minlen and the fs block size before comparing to the device's
    discard granularity and shifting to fs blocks.
    
    Fixes: 076f0faa764ab ("GFS2: Fix FITRIM argument handling")
    Signed-off-by: Andrew Price <anprice@redhat.com>
    Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5598442edc29e8f6f2380e4b471dc1a3fcd80508
Author: Pavel Skripkin <paskripkin@gmail.com>
Date:   Sun Mar 13 13:09:03 2022 +0300

    can: mcba_usb: properly check endpoint type
    
    commit 136bed0bfd3bc9c95c88aafff2d22ecb3a919f23 upstream.
    
    Syzbot reported warning in usb_submit_urb() which is caused by wrong
    endpoint type. We should check that in endpoint is actually present to
    prevent this warning.
    
    Found pipes are now saved to struct mcba_priv and code uses them
    directly instead of making pipes in place.
    
    Fail log:
    
    | usb 5-1: BOGUS urb xfer, pipe 3 != type 1
    | WARNING: CPU: 1 PID: 49 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502
    | Modules linked in:
    | CPU: 1 PID: 49 Comm: kworker/1:2 Not tainted 5.17.0-rc6-syzkaller-00184-g38f80f42147f #0
    | Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
    | Workqueue: usb_hub_wq hub_event
    | RIP: 0010:usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502
    | ...
    | Call Trace:
    |  <TASK>
    |  mcba_usb_start drivers/net/can/usb/mcba_usb.c:662 [inline]
    |  mcba_usb_probe+0x8a3/0xc50 drivers/net/can/usb/mcba_usb.c:858
    |  usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396
    |  call_driver_probe drivers/base/dd.c:517 [inline]
    
    Fixes: 51f3baad7de9 ("can: mcba_usb: Add support for Microchip CAN BUS Analyzer")
    Link: https://lore.kernel.org/all/20220313100903.10868-1-paskripkin@gmail.com
    Reported-and-tested-by: syzbot+3bc1dce0cc0052d60fde@syzkaller.appspotmail.com
    Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
    Reviewed-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit cdced1015a63a7f100b5867ebb9a40271f891411
Author: Hangyu Hua <hbh25y@gmail.com>
Date:   Fri Mar 11 16:02:08 2022 +0800

    can: mcba_usb: mcba_usb_start_xmit(): fix double dev_kfree_skb in error path
    
    commit 04c9b00ba83594a29813d6b1fb8fdc93a3915174 upstream.
    
    There is no need to call dev_kfree_skb() when usb_submit_urb() fails
    because can_put_echo_skb() deletes original skb and
    can_free_echo_skb() deletes the cloned skb.
    
    Fixes: 51f3baad7de9 ("can: mcba_usb: Add support for Microchip CAN BUS Analyzer")
    Link: https://lore.kernel.org/all/20220311080208.45047-1-hbh25y@gmail.com
    Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d6a8cbe9169c9fe700d64a83eee5698d3f30b8ab
Author: Baokun Li <libaokun1@huawei.com>
Date:   Tue Feb 15 12:07:36 2022 +0800

    ubifs: rename_whiteout: correct old_dir size computing
    
    commit 705757274599e2e064dd3054aabc74e8af31a095 upstream.
    
    When renaming the whiteout file, the old whiteout file is not deleted.
    Therefore, we add the old dentry size to the old dir like XFS.
    Otherwise, an error may be reported due to `fscki->calc_sz != fscki->size`
    in check_indes.
    
    Fixes: 9e0a1fff8db56ea ("ubifs: Implement RENAME_WHITEOUT")
    Reported-by: Zhihao Cheng <chengzhihao1@huawei.com>
    Signed-off-by: Baokun Li <libaokun1@huawei.com>
    Signed-off-by: Richard Weinberger <richard@nod.at>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit defaaeaae32f68183dbe6fc07609e93167b5c3e2
Author: Zhihao Cheng <chengzhihao1@huawei.com>
Date:   Mon Dec 27 11:22:39 2021 +0800

    ubifs: setflags: Make dirtied_ino_d 8 bytes aligned
    
    commit 1b83ec057db16b4d0697dc21ef7a9743b6041f72 upstream.
    
    Make 'ui->data_len' aligned with 8 bytes before it is assigned to
    dirtied_ino_d. Since 8871d84c8f8b0c6b("ubifs: convert to fileattr")
    applied, 'setflags()' only affects regular files and directories, only
    xattr inode, symlink inode and special inode(pipe/char_dev/block_dev)
    have none- zero 'ui->data_len' field, so assertion
    '!(req->dirtied_ino_d & 7)' cannot fail in ubifs_budget_space().
    To avoid assertion fails in future evolution(eg. setflags can operate
    special inodes), it's better to make dirtied_ino_d 8 bytes aligned,
    after all aligned size is still zero for regular files.
    
    Fixes: 1e51764a3c2ac05a ("UBIFS: add new flash file system")
    Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
    Signed-off-by: Richard Weinberger <richard@nod.at>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a94ab3ad70d0f4f7f6461786e924cc45be067b6f
Author: Zhihao Cheng <chengzhihao1@huawei.com>
Date:   Mon Dec 27 11:22:35 2021 +0800

    ubifs: Add missing iput if do_tmpfile() failed in rename whiteout
    
    commit 716b4573026bcbfa7b58ed19fe15554bac66b082 upstream.
    
    whiteout inode should be put when do_tmpfile() failed if inode has been
    initialized. Otherwise we will get following warning during umount:
      UBIFS error (ubi0:0 pid 1494): ubifs_assert_failed [ubifs]: UBIFS
      assert failed: c->bi.dd_growth == 0, in fs/ubifs/super.c:1930
      VFS: Busy inodes after unmount of ubifs. Self-destruct in 5 seconds.
    
    Fixes: 9e0a1fff8db56ea ("ubifs: Implement RENAME_WHITEOUT")
    Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
    Suggested-by: Sascha Hauer <s.hauer@pengutronix.de>
    Signed-off-by: Richard Weinberger <richard@nod.at>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8b3c7be16f3f4dfd6e15ac651484e59d3fa36274
Author: Zhihao Cheng <chengzhihao1@huawei.com>
Date:   Mon Dec 27 11:22:32 2021 +0800

    ubifs: rename_whiteout: Fix double free for whiteout_ui->data
    
    commit 40a8f0d5e7b3999f096570edab71c345da812e3e upstream.
    
    'whiteout_ui->data' will be freed twice if space budget fail for
    rename whiteout operation as following process:
    
    rename_whiteout
      dev = kmalloc
      whiteout_ui->data = dev
      kfree(whiteout_ui->data)  // Free first time
      iput(whiteout)
        ubifs_free_inode
          kfree(ui->data)       // Double free!
    
    KASAN reports:
    ==================================================================
    BUG: KASAN: double-free or invalid-free in ubifs_free_inode+0x4f/0x70
    Call Trace:
      kfree+0x117/0x490
      ubifs_free_inode+0x4f/0x70 [ubifs]
      i_callback+0x30/0x60
      rcu_do_batch+0x366/0xac0
      __do_softirq+0x133/0x57f
    
    Allocated by task 1506:
      kmem_cache_alloc_trace+0x3c2/0x7a0
      do_rename+0x9b7/0x1150 [ubifs]
      ubifs_rename+0x106/0x1f0 [ubifs]
      do_syscall_64+0x35/0x80
    
    Freed by task 1506:
      kfree+0x117/0x490
      do_rename.cold+0x53/0x8a [ubifs]
      ubifs_rename+0x106/0x1f0 [ubifs]
      do_syscall_64+0x35/0x80
    
    The buggy address belongs to the object at ffff88810238bed8 which
    belongs to the cache kmalloc-8 of size 8
    ==================================================================
    
    Let ubifs_free_inode() free 'whiteout_ui->data'. BTW, delete unused
    assignment 'whiteout_ui->data_len = 0', process 'ubifs_evict_inode()
    -> ubifs_jnl_delete_inode() -> ubifs_jnl_write_inode()' doesn't need it
    (because 'inc_nlink(whiteout)' won't be excuted by 'goto out_release',
     and the nlink of whiteout inode is 0).
    
    Fixes: 9e0a1fff8db56ea ("ubifs: Implement RENAME_WHITEOUT")
    Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
    Signed-off-by: Richard Weinberger <richard@nod.at>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c1dd3547c191dc9724884cbc37432af2df382702
Author: David Matlack <dmatlack@google.com>
Date:   Thu Mar 3 18:33:27 2022 +0000

    KVM: Prevent module exit until all VMs are freed
    
    commit 5f6de5cbebee925a612856fce6f9182bb3eee0db upstream.
    
    Tie the lifetime the KVM module to the lifetime of each VM via
    kvm.users_count. This way anything that grabs a reference to the VM via
    kvm_get_kvm() cannot accidentally outlive the KVM module.
    
    Prior to this commit, the lifetime of the KVM module was tied to the
    lifetime of /dev/kvm file descriptors, VM file descriptors, and vCPU
    file descriptors by their respective file_operations "owner" field.
    This approach is insufficient because references grabbed via
    kvm_get_kvm() do not prevent closing any of the aforementioned file
    descriptors.
    
    This fixes a long standing theoretical bug in KVM that at least affects
    async page faults. kvm_setup_async_pf() grabs a reference via
    kvm_get_kvm(), and drops it in an asynchronous work callback. Nothing
    prevents the VM file descriptor from being closed and the KVM module
    from being unloaded before this callback runs.
    
    Fixes: af585b921e5d ("KVM: Halt vcpu if page it tries to access is swapped out")
    Fixes: 3d3aab1b973b ("KVM: set owner of cpu and vm file operations")
    Cc: stable@vger.kernel.org
    Suggested-by: Ben Gardon <bgardon@google.com>
    [ Based on a patch from Ben implemented for Google's kernel. ]
    Signed-off-by: David Matlack <dmatlack@google.com>
    Message-Id: <20220303183328.1499189-2-dmatlack@google.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 43195a0c620761fbb88db04e2475313855b948a4
Author: Saurav Kashyap <skashyap@marvell.com>
Date:   Sun Jan 9 21:02:15 2022 -0800

    scsi: qla2xxx: Suppress a kernel complaint in qla_create_qpair()
    
    commit a60447e7d451df42c7bde43af53b34f10f34f469 upstream.
    
    [   12.323788] BUG: using smp_processor_id() in preemptible [00000000] code: systemd-udevd/1020
    [   12.332297] caller is qla2xxx_create_qpair+0x32a/0x5d0 [qla2xxx]
    [   12.338417] CPU: 7 PID: 1020 Comm: systemd-udevd Tainted: G          I      --------- ---  5.14.0-29.el9.x86_64 #1
    [   12.348827] Hardware name: Dell Inc. PowerEdge R610/0F0XJ6, BIOS 6.6.0 05/22/2018
    [   12.356356] Call Trace:
    [   12.358821]  dump_stack_lvl+0x34/0x44
    [   12.362514]  check_preemption_disabled+0xd9/0xe0
    [   12.367164]  qla2xxx_create_qpair+0x32a/0x5d0 [qla2xxx]
    [   12.372481]  qla2x00_probe_one+0xa3a/0x1b80 [qla2xxx]
    [   12.377617]  ? _raw_spin_lock_irqsave+0x19/0x40
    [   12.384284]  local_pci_probe+0x42/0x80
    [   12.390162]  ? pci_match_device+0xd7/0x110
    [   12.396366]  pci_device_probe+0xfd/0x1b0
    [   12.402372]  really_probe+0x1e7/0x3e0
    [   12.408114]  __driver_probe_device+0xfe/0x180
    [   12.414544]  driver_probe_device+0x1e/0x90
    [   12.420685]  __driver_attach+0xc0/0x1c0
    [   12.426536]  ? __device_attach_driver+0xe0/0xe0
    [   12.433061]  ? __device_attach_driver+0xe0/0xe0
    [   12.439538]  bus_for_each_dev+0x78/0xc0
    [   12.445294]  bus_add_driver+0x12b/0x1e0
    [   12.451021]  driver_register+0x8f/0xe0
    [   12.456631]  ? 0xffffffffc07bc000
    [   12.461773]  qla2x00_module_init+0x1be/0x229 [qla2xxx]
    [   12.468776]  do_one_initcall+0x44/0x200
    [   12.474401]  ? load_module+0xad3/0xba0
    [   12.479908]  ? kmem_cache_alloc_trace+0x45/0x410
    [   12.486268]  do_init_module+0x5c/0x280
    [   12.491730]  __do_sys_init_module+0x12e/0x1b0
    [   12.497785]  do_syscall_64+0x3b/0x90
    [   12.503029]  entry_SYSCALL_64_after_hwframe+0x44/0xae
    [   12.509764] RIP: 0033:0x7f554f73ab2e
    
    Link: https://lore.kernel.org/r/20220110050218.3958-15-njavali@marvell.com
    Cc: stable@vger.kernel.org
    Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
    Signed-off-by: Saurav Kashyap <skashyap@marvell.com>
    Signed-off-by: Nilesh Javali <njavali@marvell.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 70f9425812635f0c70d6bf52750e079bf7a32798
Author: Nilesh Javali <njavali@marvell.com>
Date:   Sun Jan 9 21:02:12 2022 -0800

    scsi: qla2xxx: Fix warning for missing error code
    
    commit 14cb838d245ae0d523b2f7804af5a02c22e79f5a upstream.
    
    Fix smatch-reported warning message:
    
    drivers/scsi/qla2xxx/qla_target.c:3324 qlt_xmit_response() warn: missing error
    code 'res'
    
    Link: https://lore.kernel.org/r/20220110050218.3958-12-njavali@marvell.com
    Fixes: 4a8f71014b4d ("scsi: qla2xxx: Fix unmap of already freed sgl")
    Cc: stable@vger.kernel.org
    Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
    Signed-off-by: Nilesh Javali <njavali@marvell.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 66632fdd97749cafc08b25b4a95913b8452ae668
Author: Anders Roxell <anders.roxell@linaro.org>
Date:   Thu Feb 24 17:22:15 2022 +0100

    powerpc/lib/sstep: Fix build errors with newer binutils
    
    commit 8219d31effa7be5dbc7ff915d7970672e028c701 upstream.
    
    Building tinyconfig with gcc (Debian 11.2.0-16) and assembler (Debian
    2.37.90.20220207) the following build error shows up:
    
      {standard input}: Assembler messages:
      {standard input}:10576: Error: unrecognized opcode: `stbcx.'
      {standard input}:10680: Error: unrecognized opcode: `lharx'
      {standard input}:10694: Error: unrecognized opcode: `lbarx'
    
    Rework to add assembler directives [1] around the instruction.  The
    problem with this might be that we can trick a power6 into
    single-stepping through an stbcx. for instance, and it will execute that
    in kernel mode.
    
    [1] https://sourceware.org/binutils/docs/as/PowerPC_002dPseudo.html#PowerPC_002dPseudo
    
    Fixes: 350779a29f11 ("powerpc: Handle most loads and stores in instruction emulation code")
    Cc: stable@vger.kernel.org # v4.14+
    Co-developed-by: Arnd Bergmann <arnd@arndb.de>
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Signed-off-by: Anders Roxell <anders.roxell@linaro.org>
    Reviewed-by: Segher Boessenkool <segher@kernel.crashing.org>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://lore.kernel.org/r/20220224162215.3406642-3-anders.roxell@linaro.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit aebe0422f2f0716a2ea2b5c514029196d16587db
Author: Anders Roxell <anders.roxell@linaro.org>
Date:   Thu Feb 24 17:22:13 2022 +0100

    powerpc/lib/sstep: Fix 'sthcx' instruction
    
    commit a633cb1edddaa643fadc70abc88f89a408fa834a upstream.
    
    Looks like there been a copy paste mistake when added the instruction
    'stbcx' twice and one was probably meant to be 'sthcx'. Changing to
    'sthcx' from 'stbcx'.
    
    Fixes: 350779a29f11 ("powerpc: Handle most loads and stores in instruction emulation code")
    Cc: stable@vger.kernel.org # v4.14+
    Reported-by: Arnd Bergmann <arnd@arndb.de>
    Signed-off-by: Anders Roxell <anders.roxell@linaro.org>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://lore.kernel.org/r/20220224162215.3406642-1-anders.roxell@linaro.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3fac2cb56ba5205547e296b193e52871f9dc3845
Author: Ulf Hansson <ulf.hansson@linaro.org>
Date:   Thu Mar 3 17:51:42 2022 +0100

    mmc: host: Return an error when ->enable_sdio_irq() ops is missing
    
    [ Upstream commit d6c9219ca1139b74541b2a98cee47a3426d754a9 ]
    
    Even if the current WARN() notifies the user that something is severely
    wrong, we can still end up in a PANIC() when trying to invoke the missing
    ->enable_sdio_irq() ops. Therefore, let's also return an error code and
    prevent the host from being added.
    
    While at it, move the code into a separate function to prepare for
    subsequent changes and for further host caps validations.
    
    Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
    Link: https://lore.kernel.org/r/20220303165142.129745-1-ulf.hansson@linaro.org
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit dd551d0ab0eec9a7334ea7a5ecb3e48a5d03f6c5
Author: Dongliang Mu <mudongliangabcd@gmail.com>
Date:   Fri Feb 18 10:41:30 2022 +0100

    media: hdpvr: initialize dev->worker at hdpvr_register_videodev
    
    [ Upstream commit 07922937e9a580825f9965c46fd15e23ba5754b6 ]
    
    hdpvr_register_videodev is responsible to initialize a worker in
    hdpvr_device. However, the worker is only initialized at
    hdpvr_start_streaming other than hdpvr_register_videodev.
    When hdpvr_probe does not initialize its worker, the hdpvr_disconnect
    will encounter one WARN in flush_work.The stack trace is as follows:
    
     hdpvr_disconnect+0xb8/0xf2 drivers/media/usb/hdpvr/hdpvr-core.c:425
     usb_unbind_interface+0xbf/0x3a0 drivers/usb/core/driver.c:458
     __device_release_driver drivers/base/dd.c:1206 [inline]
     device_release_driver_internal+0x22a/0x230 drivers/base/dd.c:1237
     bus_remove_device+0x108/0x160 drivers/base/bus.c:529
     device_del+0x1fe/0x510 drivers/base/core.c:3592
     usb_disable_device+0xd1/0x1d0 drivers/usb/core/message.c:1419
     usb_disconnect+0x109/0x330 drivers/usb/core/hub.c:2228
    
    Fix this by moving the initialization of dev->worker to the starting of
    hdpvr_register_videodev
    
    Reported-by: syzkaller <syzkaller@googlegroups.com>
    Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 0ec746674296c94137f074309c26d17e644c0498
Author: Zheyu Ma <zheyuma97@gmail.com>
Date:   Wed Mar 2 22:33:11 2022 +0800

    video: fbdev: sm712fb: Fix crash in smtcfb_write()
    
    [ Upstream commit 4f01d09b2bbfbcb47b3eb305560a7f4857a32260 ]
    
    When the sm712fb driver writes three bytes to the framebuffer, the
    driver will crash:
    
        BUG: unable to handle page fault for address: ffffc90001ffffff
        RIP: 0010:smtcfb_write+0x454/0x5b0
        Call Trace:
         vfs_write+0x291/0xd60
         ? do_sys_openat2+0x27d/0x350
         ? __fget_light+0x54/0x340
         ksys_write+0xce/0x190
         do_syscall_64+0x43/0x90
         entry_SYSCALL_64_after_hwframe+0x44/0xae
    
    Fix it by removing the open-coded endianness fixup-code.
    
    Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
    Signed-off-by: Helge Deller <deller@gmx.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 82d919fbdea37f2281457c97fde5a56ed6265e61
Author: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Date:   Mon Jul 26 22:01:58 2021 +0200

    ARM: mmp: Fix failure to remove sram device
    
    [ Upstream commit 4036b29a146b2749af3bb213b003eb69f3e5ecc4 ]
    
    Make sure in .probe() to set driver data before the function is left to
    make it possible in .remove() to undo the actions done.
    
    This fixes a potential memory leak and stops returning an error code in
    .remove() that is ignored by the driver core anyhow.
    
    Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3733f47f904e4dc4cdb91c7c220e8c3f6cddbc36
Author: Richard Leitner <richard.leitner@skidata.com>
Date:   Wed Dec 1 17:11:48 2021 +0100

    ARM: tegra: tamonten: Fix I2C3 pad setting
    
    [ Upstream commit 0092c25b541a5422d7e71892a13c55ee91abc34b ]
    
    This patch fixes the tristate configuration for i2c3 function assigned
    to the dtf pins on the Tamonten Tegra20 SoM.
    
    Signed-off-by: Richard Leitner <richard.leitner@skidata.com>
    Signed-off-by: Thierry Reding <treding@nvidia.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a85f8e3f89dd51d81db790b763f4efe9d6a0b048
Author: Daniel González Cabanelas <dgcbueu@gmail.com>
Date:   Sun Feb 20 19:19:50 2022 +0100

    media: cx88-mpeg: clear interrupt status register before streaming video
    
    [ Upstream commit 56cb61f70e547e1b0cdfe6ff5a1f1ce6242e6d96 ]
    
    Some cx88 video cards may have transport stream status interrupts set
    to 1 from cold start, causing errors like this:
    
      cx88xx: cx88_print_irqbits: core:irq mpeg  [0x100000] ts_err?*
      cx8802: cx8802_mpeg_irq: mpeg:general errors: 0x00100000
    
    According to CX2388x datasheet, the interrupt status register should be
    cleared before enabling IRQs to stream video.
    
    Fix it by clearing the Transport Stream Interrupt Status register.
    
    Signed-off-by: Daniel González Cabanelas <dgcbueu@gmail.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 7c58a0a840ba1e02ac3a127e3d953394b1a5839e
Author: Shengjiu Wang <shengjiu.wang@nxp.com>
Date:   Thu Feb 10 19:19:12 2022 +0800

    ASoC: soc-core: skip zero num_dai component in searching dai name
    
    [ Upstream commit f7d344a2bd5ec81fbd1ce76928fd059e57ec9bea ]
    
    In the case like dmaengine which's not a dai but as a component, the
    num_dai is zero, dmaengine component has the same component_of_node
    as cpu dai, when cpu dai component is not ready, but dmaengine component
    is ready, try to get cpu dai name, the snd_soc_get_dai_name() return
    -EINVAL, not -EPROBE_DEFER, that cause below error:
    
    asoc-simple-card <card name>: parse error -22
    asoc-simple-card: probe of <card name> failed with error -22
    
    The sound card failed to probe.
    
    So this patch fixes the issue above by skipping the zero num_dai
    component in searching dai name.
    
    Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
    Link: https://lore.kernel.org/r/1644491952-7457-1-git-send-email-shengjiu.wang@nxp.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a131063223a4bada7e19f0abb9643c8eb41e1bdb
Author: Jing Yao <yao.jing2@zte.com.cn>
Date:   Fri Nov 5 08:20:44 2021 +0000

    video: fbdev: omapfb: panel-tpo-td043mtea1: Use sysfs_emit() instead of snprintf()
    
    [ Upstream commit c07a039cbb96748f54c02995bae8131cc9a73b0a ]
    
    Use sysfs_emit instead of scnprintf, snprintf or sprintf.
    
    Reported-by: Zeal Robot <zealci@zte.com.cn>
    Signed-off-by: Jing Yao <yao.jing2@zte.com.cn>
    Signed-off-by: Helge Deller <deller@gmx.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f419488df057957cc2e965ba3686ff408788403e
Author: Jing Yao <yao.jing2@zte.com.cn>
Date:   Fri Nov 5 08:13:33 2021 +0000

    video: fbdev: omapfb: panel-dsi-cm: Use sysfs_emit() instead of snprintf()
    
    [ Upstream commit f63658a59c3d439c8ad7b290f8ec270980e0f384 ]
    
    Use sysfs_emit instead of scnprintf, snprintf or sprintf.
    
    Reported-by: Zeal Robot <zealci@zte.com.cn>
    Signed-off-by: Jing Yao <yao.jing2@zte.com.cn>
    Signed-off-by: Helge Deller <deller@gmx.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 4ee0f9aa73303a90141f1e236f20fe3aa88ba542
Author: Richard Schleich <rs@noreya.tech>
Date:   Sat Dec 18 21:00:09 2021 +0100

    ARM: dts: bcm2837: Add the missing L1/L2 cache information
    
    [ Upstream commit bdf8762da268d2a34abf517c36528413906e9cd5 ]
    
    This patch fixes the kernel warning
    "cacheinfo: Unable to detect cache hierarchy for CPU 0"
    for the bcm2837 on newer kernel versions.
    
    Signed-off-by: Richard Schleich <rs@noreya.tech>
    Tested-by: Stefan Wahren <stefan.wahren@i2se.com>
    [florian: Align and remove comments matching property values]
    Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 85cd89abbb9f4c0f9e868d4ba31b81bbc95d01fd
Author: David Heidelberg <david@ixit.cz>
Date:   Sat Jan 8 18:42:28 2022 +0100

    ARM: dts: qcom: fix gic_irq_domain_translate warnings for msm8960
    
    [ Upstream commit 6f7e221e7a5cfc3299616543fce42b36e631497b ]
    
    IRQ types blindly copied from very similar APQ8064.
    
    Fixes warnings as:
    WARNING: CPU: 0 PID: 1 at drivers/irqchip/irq-gic.c:1080 gic_irq_domain_translate+0x118/0x120
    ...
    
    Tested-by: LogicalErzor <logicalerzor@gmail.com> # boot-tested on Samsung S3
    Signed-off-by: David Heidelberg <david@ixit.cz>
    Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
    Link: https://lore.kernel.org/r/20220108174229.60384-1-david@ixit.cz
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 4f50db5f3631c91884fcec5a0d093a0b7a197abe
Author: Yang Guang <yang.guang5@zte.com.cn>
Date:   Tue Nov 30 08:06:03 2021 +0800

    video: fbdev: omapfb: acx565akm: replace snprintf with sysfs_emit
    
    [ Upstream commit 24565bc4115961db7ee64fcc7ad2a7437c0d0a49 ]
    
    coccinelle report:
    ./drivers/video/fbdev/omap2/omapfb/displays/panel-sony-acx565akm.c:
    479:9-17: WARNING: use scnprintf or sprintf
    
    Use sysfs_emit instead of scnprintf or sprintf makes more sense.
    
    Reported-by: Zeal Robot <zealci@zte.com.cn>
    Signed-off-by: Yang Guang <yang.guang5@zte.com.cn>
    Signed-off-by: Helge Deller <deller@gmx.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 1d3fb46439ad4e8f0c5739eb33d1875ac9e0f135
Author: George Kennedy <george.kennedy@oracle.com>
Date:   Wed Oct 27 15:30:13 2021 -0500

    video: fbdev: cirrusfb: check pixclock to avoid divide by zero
    
    [ Upstream commit 5c6f402bdcf9e7239c6bc7087eda71ac99b31379 ]
    
    Do a sanity check on pixclock value to avoid divide by zero.
    
    If the pixclock value is zero, the cirrusfb driver will round up
    pixclock to get the derived frequency as close to maxclock as
    possible.
    
    Syzkaller reported a divide error in cirrusfb_check_pixclock.
    
    divide error: 0000 [#1] SMP KASAN PTI
    CPU: 0 PID: 14938 Comm: cirrusfb_test Not tainted 5.15.0-rc6 #1
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2
    RIP: 0010:cirrusfb_check_var+0x6f1/0x1260
    
    Call Trace:
     fb_set_var+0x398/0xf90
     do_fb_ioctl+0x4b8/0x6f0
     fb_ioctl+0xeb/0x130
     __x64_sys_ioctl+0x19d/0x220
     do_syscall_64+0x3a/0x80
     entry_SYSCALL_64_after_hwframe+0x44/0xae
    
    Signed-off-by: George Kennedy <george.kennedy@oracle.com>
    Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
    Signed-off-by: Helge Deller <deller@gmx.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 944db00102496995904028abdd5b714635bc9492
Author: Evgeny Novikov <novikov@ispras.ru>
Date:   Wed Aug 11 19:58:26 2021 +0300

    video: fbdev: w100fb: Reset global state
    
    [ Upstream commit 8738ddcac644964ae128ccd3d80d48773c8d528e ]
    
    w100fb_probe() did not reset the global state to its initial state. This
    can result in invocation of iounmap() even when there was not the
    appropriate successful call of ioremap(). For instance, this may be the
    case if first probe fails after two successful ioremap() while second
    probe fails when first ioremap() fails. The similar issue is with
    w100fb_remove(). The patch fixes both bugs.
    
    Found by Linux Driver Verification project (linuxtesting.org).
    
    Signed-off-by: Evgeny Novikov <novikov@ispras.ru>
    Co-developed-by: Kirill Shilimanov <kirill.shilimanov@huawei.com>
    Signed-off-by: Kirill Shilimanov <kirill.shilimanov@huawei.com>
    Signed-off-by: Helge Deller <deller@gmx.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 580e5d3815474b8349250c25c16416585a72c7fe
Author: Tim Gardner <tim.gardner@canonical.com>
Date:   Mon Sep 27 09:45:02 2021 -0600

    video: fbdev: nvidiafb: Use strscpy() to prevent buffer overflow
    
    [ Upstream commit 37a1a2e6eeeb101285cd34e12e48a881524701aa ]
    
    Coverity complains of a possible buffer overflow. However,
    given the 'static' scope of nvidia_setup_i2c_bus() it looks
    like that can't happen after examiniing the call sites.
    
    CID 19036 (#1 of 1): Copy into fixed size buffer (STRING_OVERFLOW)
    1. fixed_size_dest: You might overrun the 48-character fixed-size string
      chan->adapter.name by copying name without checking the length.
    2. parameter_as_source: Note: This defect has an elevated risk because the
      source argument is a parameter of the current function.
     89        strcpy(chan->adapter.name, name);
    
    Fix this warning by using strscpy() which will silence the warning and
    prevent any future buffer overflows should the names used to identify the
    channel become much longer.
    
    Cc: Antonino Daplas <adaplas@gmail.com>
    Cc: linux-fbdev@vger.kernel.org
    Cc: dri-devel@lists.freedesktop.org
    Cc: linux-kernel@vger.kernel.org
    Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
    Signed-off-by: Helge Deller <deller@gmx.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 21d490232f323ed4053eb9924615e6fea291f154
Author: Dongliang Mu <mudongliangabcd@gmail.com>
Date:   Tue Mar 22 14:38:39 2022 -0700

    ntfs: add sanity check on allocation size
    
    [ Upstream commit 714fbf2647b1a33d914edd695d4da92029c7e7c0 ]
    
    ntfs_read_inode_mount invokes ntfs_malloc_nofs with zero allocation
    size.  It triggers one BUG in the __ntfs_malloc function.
    
    Fix this by adding sanity check on ni->attr_list_size.
    
    Link: https://lkml.kernel.org/r/20220120094914.47736-1-dzm91@hust.edu.cn
    Reported-by: syzbot+3c765c5248797356edaa@syzkaller.appspotmail.com
    Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
    Acked-by: Anton Altaparmakov <anton@tuxera.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit d666dfaa571465a19f014534a214c255ea33f301
Author: Theodore Ts'o <tytso@mit.edu>
Date:   Thu Mar 3 09:38:47 2022 -0500

    ext4: don't BUG if someone dirty pages without asking ext4 first
    
    [ Upstream commit cc5095747edfb054ca2068d01af20be3fcc3634f ]
    
    [un]pin_user_pages_remote is dirtying pages without properly warning
    the file system in advance.  A related race was noted by Jan Kara in
    2018[1]; however, more recently instead of it being a very hard-to-hit
    race, it could be reliably triggered by process_vm_writev(2) which was
    discovered by Syzbot[2].
    
    This is technically a bug in mm/gup.c, but arguably ext4 is fragile in
    that if some other kernel subsystem dirty pages without properly
    notifying the file system using page_mkwrite(), ext4 will BUG, while
    other file systems will not BUG (although data will still be lost).
    
    So instead of crashing with a BUG, issue a warning (since there may be
    potential data loss) and just mark the page as clean to avoid
    unprivileged denial of service attacks until the problem can be
    properly fixed.  More discussion and background can be found in the
    thread starting at [2].
    
    [1] https://lore.kernel.org/linux-mm/20180103100430.GE4911@quack2.suse.cz
    [2] https://lore.kernel.org/r/Yg0m6IjcNmfaSokM@google.com
    
    Reported-by: syzbot+d59332e2db681cf18f0318a06e994ebbb529a8db@syzkaller.appspotmail.com
    Reported-by: Lee Jones <lee.jones@linaro.org>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Link: https://lore.kernel.org/r/YiDS9wVfq4mM2jGK@mit.edu
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 29b0cbee425c70b9928f94dcf6ed75cd967c2451
Author: Minghao Chi <chi.minghao@zte.com.cn>
Date:   Tue Mar 15 02:31:38 2022 +0000

    spi: tegra20: Use of_device_get_match_data()
    
    [ Upstream commit c9839acfcbe20ce43d363c2a9d0772472d9921c0 ]
    
    Use of_device_get_match_data() to simplify the code.
    
    Reported-by: Zeal Robot <zealci@zte.com.cn>
    Signed-off-by: Minghao Chi <chi.minghao@zte.com.cn>
    Link: https://lore.kernel.org/r/20220315023138.2118293-1-chi.minghao@zte.com.cn
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 78c4d68b952f5f537788dbd454031ea9bf50f642
Author: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Date:   Sat Mar 5 14:02:14 2022 +0300

    PM: core: keep irq flags in device_pm_check_callbacks()
    
    [ Upstream commit 524bb1da785a7ae43dd413cd392b5071c6c367f8 ]
    
    The function device_pm_check_callbacks() can be called under the spin
    lock (in the reported case it happens from genpd_add_device() ->
    dev_pm_domain_set(), when the genpd uses spinlocks rather than mutexes.
    
    However this function uncoditionally uses spin_lock_irq() /
    spin_unlock_irq(), thus not preserving the CPU flags. Use the
    irqsave/irqrestore instead.
    
    The backtrace for the reference:
    [    2.752010] ------------[ cut here ]------------
    [    2.756769] raw_local_irq_restore() called with IRQs enabled
    [    2.762596] WARNING: CPU: 4 PID: 1 at kernel/locking/irqflag-debug.c:10 warn_bogus_irq_restore+0x34/0x50
    [    2.772338] Modules linked in:
    [    2.775487] CPU: 4 PID: 1 Comm: swapper/0 Tainted: G S                5.17.0-rc6-00384-ge330d0d82eff-dirty #684
    [    2.781384] Freeing initrd memory: 46024K
    [    2.785839] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
    [    2.785841] pc : warn_bogus_irq_restore+0x34/0x50
    [    2.785844] lr : warn_bogus_irq_restore+0x34/0x50
    [    2.785846] sp : ffff80000805b7d0
    [    2.785847] x29: ffff80000805b7d0 x28: 0000000000000000 x27: 0000000000000002
    [    2.785850] x26: ffffd40e80930b18 x25: ffff7ee2329192b8 x24: ffff7edfc9f60800
    [    2.785853] x23: ffffd40e80930b18 x22: ffffd40e80930d30 x21: ffff7edfc0dffa00
    [    2.785856] x20: ffff7edfc09e3768 x19: 0000000000000000 x18: ffffffffffffffff
    [    2.845775] x17: 6572206f74206465 x16: 6c696166203a3030 x15: ffff80008805b4f7
    [    2.853108] x14: 0000000000000000 x13: ffffd40e809550b0 x12: 00000000000003d8
    [    2.860441] x11: 0000000000000148 x10: ffffd40e809550b0 x9 : ffffd40e809550b0
    [    2.867774] x8 : 00000000ffffefff x7 : ffffd40e809ad0b0 x6 : ffffd40e809ad0b0
    [    2.875107] x5 : 000000000000bff4 x4 : 0000000000000000 x3 : 0000000000000000
    [    2.882440] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff7edfc03a8000
    [    2.889774] Call trace:
    [    2.892290]  warn_bogus_irq_restore+0x34/0x50
    [    2.896770]  _raw_spin_unlock_irqrestore+0x94/0xa0
    [    2.901690]  genpd_unlock_spin+0x20/0x30
    [    2.905724]  genpd_add_device+0x100/0x2d0
    [    2.909850]  __genpd_dev_pm_attach+0xa8/0x23c
    [    2.914329]  genpd_dev_pm_attach_by_id+0xc4/0x190
    [    2.919167]  genpd_dev_pm_attach_by_name+0x3c/0xd0
    [    2.924086]  dev_pm_domain_attach_by_name+0x24/0x30
    [    2.929102]  psci_dt_attach_cpu+0x24/0x90
    [    2.933230]  psci_cpuidle_probe+0x2d4/0x46c
    [    2.937534]  platform_probe+0x68/0xe0
    [    2.941304]  really_probe.part.0+0x9c/0x2fc
    [    2.945605]  __driver_probe_device+0x98/0x144
    [    2.950085]  driver_probe_device+0x44/0x15c
    [    2.954385]  __device_attach_driver+0xb8/0x120
    [    2.958950]  bus_for_each_drv+0x78/0xd0
    [    2.962896]  __device_attach+0xd8/0x180
    [    2.966843]  device_initial_probe+0x14/0x20
    [    2.971144]  bus_probe_device+0x9c/0xa4
    [    2.975092]  device_add+0x380/0x88c
    [    2.978679]  platform_device_add+0x114/0x234
    [    2.983067]  platform_device_register_full+0x100/0x190
    [    2.988344]  psci_idle_init+0x6c/0xb0
    [    2.992113]  do_one_initcall+0x74/0x3a0
    [    2.996060]  kernel_init_freeable+0x2fc/0x384
    [    3.000543]  kernel_init+0x28/0x130
    [    3.004132]  ret_from_fork+0x10/0x20
    [    3.007817] irq event stamp: 319826
    [    3.011404] hardirqs last  enabled at (319825): [<ffffd40e7eda0268>] __up_console_sem+0x78/0x84
    [    3.020332] hardirqs last disabled at (319826): [<ffffd40e7fd6d9d8>] el1_dbg+0x24/0x8c
    [    3.028458] softirqs last  enabled at (318312): [<ffffd40e7ec90410>] _stext+0x410/0x588
    [    3.036678] softirqs last disabled at (318299): [<ffffd40e7ed1bf68>] __irq_exit_rcu+0x158/0x174
    [    3.045607] ---[ end trace 0000000000000000 ]---
    
    Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 160fd763277ec1e20441f68dd36c0f4c7067f0ed
Author: Darren Hart <darren@os.amperecomputing.com>
Date:   Tue Mar 8 10:50:48 2022 -0800

    ACPI/APEI: Limit printable size of BERT table data
    
    [ Upstream commit 3f8dec116210ca649163574ed5f8df1e3b837d07 ]
    
    Platforms with large BERT table data can trigger soft lockup errors
    while attempting to print the entire BERT table data to the console at
    boot:
    
      watchdog: BUG: soft lockup - CPU#160 stuck for 23s! [swapper/0:1]
    
    Observed on Ampere Altra systems with a single BERT record of ~250KB.
    
    The original bert driver appears to have assumed relatively small table
    data. Since it is impractical to reassemble large table data from
    interwoven console messages, and the table data is available in
    
      /sys/firmware/acpi/tables/data/BERT
    
    limit the size for tables printed to the console to 1024 (for no reason
    other than it seemed like a good place to kick off the discussion, would
    appreciate feedback from existing users in terms of what size would
    maintain their current usage model).
    
    Alternatively, we could make printing a CONFIG option, use the
    bert_disable boot arg (or something similar), or use a debug log level.
    However, all those solutions require extra steps or change the existing
    behavior for small table data. Limiting the size preserves existing
    behavior on existing platforms with small table data, and eliminates the
    soft lockups for platforms with large table data, while still making it
    available.
    
    Signed-off-by: Darren Hart <darren@os.amperecomputing.com>
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 9e496fc395cf537c36054b91eaa27314e19c6bbe
Author: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Date:   Mon Mar 7 20:28:26 2022 +0100

    ACPICA: Avoid walking the ACPI Namespace if it is not there
    
    [ Upstream commit 0c9992315e738e7d6e927ef36839a466b080dba6 ]
    
    ACPICA commit b1c3656ef4950098e530be68d4b589584f06cddc
    
    Prevent acpi_ns_walk_namespace() from crashing when called with
    start_node equal to ACPI_ROOT_OBJECT if the Namespace has not been
    instantiated yet and acpi_gbl_root_node is NULL.
    
    For instance, this can happen if the kernel is run with "acpi=off"
    in the command line.
    
    Link: https://github.com/acpica/acpica/commit/b1c3656ef4950098e530be68d4b589584f06cddc
    Link: https://lore.kernel.org/linux-acpi/CAJZ5v0hJWW_vZ3wwajE7xT38aWjY7cZyvqMJpXHzUL98-SiCVQ@mail.gmail.com/
    Reported-by: Hans de Goede <hdegoede@redhat.com>
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f7790ed2e68f0b7e7941225b3765b4cec679bf87
Author: Souptick Joarder (HPE) <jrdr.linux@gmail.com>
Date:   Fri Feb 18 22:03:03 2022 +0530

    irqchip/nvic: Release nvic_base upon failure
    
    [ Upstream commit e414c25e3399b2b3d7337dc47abccab5c71b7c8f ]
    
    smatch warning was reported as below ->
    
    smatch warnings:
    drivers/irqchip/irq-nvic.c:131 nvic_of_init()
    warn: 'nvic_base' not released on lines: 97.
    
    Release nvic_base upon failure.
    
    Reported-by: kernel test robot <lkp@intel.com>
    Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Souptick Joarder (HPE) <jrdr.linux@gmail.com>
    Signed-off-by: Marc Zyngier <maz@kernel.org>
    Link: https://lore.kernel.org/r/20220218163303.33344-1-jrdr.linux@gmail.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 79dc407094308ce1ecd9abede396f3547738378c
Author: Casey Schaufler <casey@schaufler-ca.com>
Date:   Mon Feb 28 15:45:32 2022 -0800

    Fix incorrect type in assignment of ipv6 port for audit
    
    [ Upstream commit a5cd1ab7ab679d252a6d2f483eee7d45ebf2040c ]
    
    Remove inappropriate use of ntohs() and assign the
    port value directly.
    
    Reported-by: kernel test robot <lkp@intel.com>
    Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 27f5f2b834a4bf4f8522692f45c8d700d0e542c2
Author: Chaitanya Kulkarni <kch@nvidia.com>
Date:   Tue Feb 15 13:33:07 2022 -0800

    loop: use sysfs_emit() in the sysfs xxx show()
    
    [ Upstream commit b27824d31f09ea7b4a6ba2c1b18bd328df3e8bed ]
    
    sprintf does not know the PAGE_SIZE maximum of the temporary buffer
    used for outputting sysfs content and it's possible to overrun the
    PAGE_SIZE buffer length.
    
    Use a generic sysfs_emit function that knows the size of the
    temporary buffer and ensures that no overrun is done for offset
    attribute in
    loop_attr_[offset|sizelimit|autoclear|partscan|dio]_show() callbacks.
    
    Signed-off-by: Chaitanya Kulkarni <kch@nvidia.com>
    Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
    Link: https://lore.kernel.org/r/20220215213310.7264-2-kch@nvidia.com
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 87b05d87a93675f7ccc8476a42a15af428bccb3b
Author: Christian Göttsche <cgzones@googlemail.com>
Date:   Thu Feb 17 15:21:25 2022 +0100

    selinux: use correct type for context length
    
    [ Upstream commit b97df7c098c531010e445da88d02b7bf7bf59ef6 ]
    
    security_sid_to_context() expects a pointer to an u32 as the address
    where to store the length of the computed context.
    
    Reported by sparse:
    
        security/selinux/xfrm.c:359:39: warning: incorrect type in arg 4
                                        (different signedness)
        security/selinux/xfrm.c:359:39:    expected unsigned int
                                           [usertype] *scontext_len
        security/selinux/xfrm.c:359:39:    got int *
    
    Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
    [PM: wrapped commit description]
    Signed-off-by: Paul Moore <paul@paul-moore.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit fdf2c2e4ff14dab7648e7d4431e10c0c18df2ff8
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Mar 24 08:52:07 2022 +0300

    lib/test: use after free in register_test_dev_kmod()
    
    [ Upstream commit dc0ce6cc4b133f5f2beb8b47dacae13a7d283c2c ]
    
    The "test_dev" pointer is freed but then returned to the caller.
    
    Fixes: d9c6a72d6fa2 ("kmod: add test driver to stress test the module loader")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 9b54b4d062d343b1d2351d5d1205df8d339aff94
Author: Trond Myklebust <trond.myklebust@hammerspace.com>
Date:   Mon Mar 28 08:36:34 2022 -0400

    NFSv4/pNFS: Fix another issue with a list iterator pointing to the head
    
    [ Upstream commit 7c9d845f0612e5bcd23456a2ec43be8ac43458f1 ]
    
    In nfs4_callback_devicenotify(), if we don't find a matching entry for
    the deviceid, we're left with a pointer to 'struct nfs_server' that
    actually points to the list of super blocks associated with our struct
    nfs_client.
    Furthermore, even if we have a valid pointer, nothing pins the super
    block, and so the struct nfs_server could end up getting freed while
    we're using it.
    
    Since all we want is a pointer to the struct pnfs_layoutdriver_type,
    let's skip all the iteration over super blocks, and just use APIs to
    find the layout driver directly.
    
    Reported-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
    Fixes: 1be5683b03a7 ("pnfs: CB_NOTIFY_DEVICEID")
    Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 858642789ada1b48630f322e59416ca9fca3e6b7
Author: Duoming Zhou <duoming@zju.edu.cn>
Date:   Sat Mar 26 18:43:46 2022 +0800

    net/x25: Fix null-ptr-deref caused by x25_disconnect
    
    [ Upstream commit 7781607938c8371d4c2b243527430241c62e39c2 ]
    
    When the link layer is terminating, x25->neighbour will be set to NULL
    in x25_disconnect(). As a result, it could cause null-ptr-deref bugs in
    x25_sendmsg(),x25_recvmsg() and x25_connect(). One of the bugs is
    shown below.
    
        (Thread 1)                 |  (Thread 2)
    x25_link_terminated()          | x25_recvmsg()
     x25_kill_by_neigh()           |  ...
      x25_disconnect()             |  lock_sock(sk)
       ...                         |  ...
       x25->neighbour = NULL //(1) |
       ...                         |  x25->neighbour->extended //(2)
    
    The code sets NULL to x25->neighbour in position (1) and dereferences
    x25->neighbour in position (2), which could cause null-ptr-deref bug.
    
    This patch adds lock_sock() in x25_kill_by_neigh() in order to synchronize
    with x25_sendmsg(), x25_recvmsg() and x25_connect(). What`s more, the
    sock held by lock_sock() is not NULL, because it is extracted from x25_list
    and uses x25_list_lock to synchronize.
    
    Fixes: 4becb7ee5b3d ("net/x25: Fix x25_neigh refcnt leak when x25 disconnect")
    Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
    Reviewed-by: Lin Ma <linma@zju.edu.cn>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit c517359d76e60bcb3a7a722d8f1b1d5035b43bfb
Author: Tom Rix <trix@redhat.com>
Date:   Sat Mar 26 10:20:03 2022 -0700

    qlcnic: dcb: default to returning -EOPNOTSUPP
    
    [ Upstream commit 1521db37f0d42334a88e8ff28198a27d1ed5cd7b ]
    
    Clang static analysis reports this issue
    qlcnic_dcb.c:382:10: warning: Assigned value is
      garbage or undefined
      mbx_out = *val;
              ^ ~~~~
    
    val is set in the qlcnic_dcb_query_hw_capability() wrapper.
    If there is no query_hw_capability op in dcp, success is
    returned without setting the val.
    
    For this and similar wrappers, return -EOPNOTSUPP.
    
    Fixes: 14d385b99059 ("qlcnic: dcb: Query adapter DCB capabilities.")
    Signed-off-by: Tom Rix <trix@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 85b7ffb181b3c69e05f866eb88589e8e59a8362f
Author: Florian Fainelli <f.fainelli@gmail.com>
Date:   Thu Mar 24 16:24:38 2022 -0700

    net: phy: broadcom: Fix brcm_fet_config_init()
    
    [ Upstream commit bf8bfc4336f7a34e48b3bbd19b1542bf085bdc3d ]
    
    A Broadcom AC201 PHY (same entry as 5241) would be flagged by the
    Broadcom UniMAC MDIO controller as not completing the turn around
    properly since the PHY expects 65 MDC clock cycles to complete a write
    cycle, and the MDIO controller was only sending 64 MDC clock cycles as
    determined by looking at a scope shot.
    
    This would make the subsequent read fail with the UniMAC MDIO controller
    command field having MDIO_READ_FAIL set and we would abort the
    brcm_fet_config_init() function and thus not probe the PHY at all.
    
    After issuing a software reset, wait for at least 1ms which is well
    above the 1us reset delay advertised by the datasheet and issue a dummy
    read to let the PHY turn around the line properly. This read
    specifically ignores -EIO which would be returned by MDIO controllers
    checking for the line being turned around.
    
    If we have a genuine reaad failure, the next read of the interrupt
    status register would pick it up anyway.
    
    Fixes: d7a2ed9248a3 ("broadcom: Add AC131 phy support")
    Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
    Link: https://lore.kernel.org/r/20220324232438.1156812-1-f.fainelli@gmail.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit e9f72105cf4a16bb185093b60fc12dbc82fe15b5
Author: Juergen Gross <jgross@suse.com>
Date:   Fri Mar 25 15:20:02 2022 +0100

    xen: fix is_xen_pmu()
    
    [ Upstream commit de2ae403b4c0e79a3410e63bc448542fbb9f9bfc ]
    
    is_xen_pmu() is taking the cpu number as parameter, but it is not using
    it. Instead it just tests whether the Xen PMU initialization on the
    current cpu did succeed. As this test is done by checking a percpu
    pointer, preemption needs to be disabled in order to avoid switching
    the cpu while doing the test. While resuming from suspend() this seems
    not to be the case:
    
    [   88.082751] ACPI: PM: Low-level resume complete
    [   88.087933] ACPI: EC: EC started
    [   88.091464] ACPI: PM: Restoring platform NVS memory
    [   88.097166] xen_acpi_processor: Uploading Xen processor PM info
    [   88.103850] Enabling non-boot CPUs ...
    [   88.108128] installing Xen timer for CPU 1
    [   88.112763] BUG: using smp_processor_id() in preemptible [00000000] code: systemd-sleep/7138
    [   88.122256] caller is is_xen_pmu+0x12/0x30
    [   88.126937] CPU: 0 PID: 7138 Comm: systemd-sleep Tainted: G        W         5.16.13-2.fc32.qubes.x86_64 #1
    [   88.137939] Hardware name: Star Labs StarBook/StarBook, BIOS 7.97 03/21/2022
    [   88.145930] Call Trace:
    [   88.148757]  <TASK>
    [   88.151193]  dump_stack_lvl+0x48/0x5e
    [   88.155381]  check_preemption_disabled+0xde/0xe0
    [   88.160641]  is_xen_pmu+0x12/0x30
    [   88.164441]  xen_smp_intr_init_pv+0x75/0x100
    
    Fix that by replacing is_xen_pmu() by a simple boolean variable which
    reflects the Xen PMU initialization state on cpu 0.
    
    Modify xen_pmu_init() to return early in case it is being called for a
    cpu other than cpu 0 and the boolean variable not being set.
    
    Fixes: bf6dfb154d93 ("xen/PMU: PMU emulation code")
    Reported-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
    Signed-off-by: Juergen Gross <jgross@suse.com>
    Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
    Link: https://lore.kernel.org/r/20220325142002.31789-1-jgross@suse.com
    Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 6923164d2efad8ad25404d01012d63baf3c45b10
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Mon Mar 21 11:38:32 2022 +0100

    netfilter: nf_conntrack_tcp: preserve liberal flag in tcp options
    
    [ Upstream commit f2dd495a8d589371289981d5ed33e6873df94ecc ]
    
    Do not reset IP_CT_TCP_FLAG_BE_LIBERAL flag in out-of-sync scenarios
    coming before the TCP window tracking, otherwise such connections will
    fail in the window check.
    
    Update tcp_options() to leave this flag in place and add a new helper
    function to reset the tcp window state.
    
    Based on patch from Sven Auhagen.
    
    Fixes: c4832c7bbc3f ("netfilter: nf_ct_tcp: improve out-of-sync situation in TCP tracking")
    Tested-by: Sven Auhagen <sven.auhagen@voleatech.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit c73c5c5632978cd3c52169090770833bb0a7ccea
Author: Pavel Skripkin <paskripkin@gmail.com>
Date:   Sat Mar 19 22:30:00 2022 +0300

    jfs: fix divide error in dbNextAG
    
    [ Upstream commit 2cc7cc01c15f57d056318c33705647f87dcd4aab ]
    
    Syzbot reported divide error in dbNextAG(). The problem was in missing
    validation check for malicious image.
    
    Syzbot crafted an image with bmp->db_numag equal to 0. There wasn't any
    validation checks, but dbNextAG() blindly use bmp->db_numag in divide
    expression
    
    Fix it by validating bmp->db_numag in dbMount() and return an error if
    image is malicious
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Reported-and-tested-by: syzbot+46f5c25af73eb8330eb6@syzkaller.appspotmail.com
    Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
    Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit b245b17e79a82a0a2bda8473aff3eea6219c1747
Author: Randy Dunlap <rdunlap@infradead.org>
Date:   Mon Mar 7 19:32:55 2022 -0800

    kgdbts: fix return value of __setup handler
    
    [ Upstream commit 96c9e802c64014a7716865332d732cc9c7f24593 ]
    
    __setup() handlers should return 1 to indicate that the boot option
    has been handled. A return of 0 causes the boot option/value to be
    listed as an Unknown kernel parameter and added to init's (limited)
    environment strings. So return 1 from kgdbts_option_setup().
    
    Unknown kernel command line parameters "BOOT_IMAGE=/boot/bzImage-517rc7
      kgdboc=kbd kgdbts=", will be passed to user space.
    
     Run /sbin/init as init process
       with arguments:
         /sbin/init
       with environment:
         HOME=/
         TERM=linux
         BOOT_IMAGE=/boot/bzImage-517rc7
         kgdboc=kbd
         kgdbts=
    
    Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru
    Fixes: e8d31c204e36 ("kgdb: add kgdb internal test suite")
    Cc: kgdb-bugreport@lists.sourceforge.net
    Cc: Jason Wessel <jason.wessel@windriver.com>
    Cc: Daniel Thompson <daniel.thompson@linaro.org>
    Cc: Douglas Anderson <dianders@chromium.org>
    Cc: Arnd Bergmann <arnd@arndb.de>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Reported-by: Igor Zhbanov <i.zhbanov@omprussia.ru>
    Reviewed-by: Douglas Anderson <dianders@chromium.org>
    Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
    Link: https://lore.kernel.org/r/20220308033255.22118-1-rdunlap@infradead.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit c7a24a174143ef91f763b5b4f7213bf8a16896a1
Author: Randy Dunlap <rdunlap@infradead.org>
Date:   Tue Mar 8 19:30:18 2022 -0800

    kgdboc: fix return value of __setup handler
    
    [ Upstream commit ab818c7aa7544bf8d2dd4bdf68878b17a02eb332 ]
    
    __setup() handlers should return 1 to obsolete_checksetup() in
    init/main.c to indicate that the boot option has been handled.
    A return of 0 causes the boot option/value to be listed as an Unknown
    kernel parameter and added to init's (limited) environment strings.
    So return 1 from kgdboc_option_setup().
    
    Unknown kernel command line parameters "BOOT_IMAGE=/boot/bzImage-517rc7
      kgdboc=kbd kgdbts=", will be passed to user space.
    
     Run /sbin/init as init process
       with arguments:
         /sbin/init
       with environment:
         HOME=/
         TERM=linux
         BOOT_IMAGE=/boot/bzImage-517rc7
         kgdboc=kbd
         kgdbts=
    
    Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru
    Fixes: 1bd54d851f50 ("kgdboc: Passing ekgdboc to command line causes panic")
    Fixes: f2d937f3bf00 ("consoles: polling support, kgdboc")
    Cc: He Zhe <zhe.he@windriver.com>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Cc: Jiri Slaby <jirislaby@kernel.org>
    Cc: kgdb-bugreport@lists.sourceforge.net
    Cc: Jason Wessel <jason.wessel@windriver.com>
    Cc: Daniel Thompson <daniel.thompson@linaro.org>
    Cc: Douglas Anderson <dianders@chromium.org>
    Cc: linux-serial@vger.kernel.org
    Reported-by: Igor Zhbanov <i.zhbanov@omprussia.ru>
    Reviewed-by: Douglas Anderson <dianders@chromium.org>
    Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
    Link: https://lore.kernel.org/r/20220309033018.17936-1-rdunlap@infradead.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3f99d9ddc8cc3371ea8983df031ecdfc6c20084b
Author: Randy Dunlap <rdunlap@infradead.org>
Date:   Mon Mar 7 18:42:28 2022 -0800

    tty: hvc: fix return value of __setup handler
    
    [ Upstream commit 53819a0d97aace1425bb042829e3446952a9e8a9 ]
    
    __setup() handlers should return 1 to indicate that the boot option
    has been handled or 0 to indicate that it was not handled.
    Add a pr_warn() message if the option value is invalid and then
    always return 1.
    
    Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru
    Fixes: 86b40567b917 ("tty: replace strict_strtoul() with kstrtoul()")
    Cc: Jingoo Han <jg1.han@samsung.com>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Cc: Jiri Slaby <jirislaby@kernel.org>
    Cc: Michael Ellerman <mpe@ellerman.id.au>
    Cc: Julian Wiedmann <jwi@linux.ibm.com>
    Cc: Vasily Gorbik <gor@linux.ibm.com>
    Cc: linuxppc-dev@lists.ozlabs.org
    Reported-by: Igor Zhbanov <i.zhbanov@omprussia.ru>
    Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
    Link: https://lore.kernel.org/r/20220308024228.20477-1-rdunlap@infradead.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit d4d5cc4b19b10fc387c99d8ce9beebdf64952a11
Author: Miaoqian Lin <linmq006@gmail.com>
Date:   Mon Mar 7 12:02:34 2022 +0000

    pinctrl/rockchip: Add missing of_node_put() in rockchip_pinctrl_probe
    
    [ Upstream commit 89388f8730699c259f8090ec435fb43569efe4ac ]
    
    The device_node pointer is returned by of_parse_phandle()  with refcount
    incremented. We should use of_node_put() on it when done.
    
    Fixes: 1e747e59cc4d ("pinctrl: rockchip: base regmap supplied by a syscon")
    Fixes: 14dee8677e19 ("pinctrl: rockchip: let pmu registers be supplied by a syscon")
    Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
    Link: https://lore.kernel.org/r/20220307120234.28657-1-linmq006@gmail.com
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 0356d4b64a03d23daf99a2a29d7d7d91d6ec2ea8
Author: Miaoqian Lin <linmq006@gmail.com>
Date:   Mon Mar 7 11:51:16 2022 +0000

    pinctrl: nomadik: Add missing of_node_put() in nmk_pinctrl_probe
    
    [ Upstream commit c09ac191b1f97cfa06f394dbfd7a5db07986cefc ]
    
    This node pointer is returned by of_parse_phandle() with refcount
    incremented in this function. Calling of_node_put() to avoid
    the refcount leak.
    
    Fixes: 32e67eee670e ("pinctrl: nomadik: Allow prcm_base to be extracted from Device Tree")
    Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
    Link: https://lore.kernel.org/r/20220307115116.25316-1-linmq006@gmail.com
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 4f514e6ab4879e0d4b5bce7674803b0e55ce4ec2
Author: Miaoqian Lin <linmq006@gmail.com>
Date:   Tue Mar 8 07:11:54 2022 +0000

    pinctrl: mediatek: Fix missing of_node_put() in mtk_pctrl_init
    
    [ Upstream commit dab4df9ca919f59e5b9dd84385eaf34d4f20dbb0 ]
    
    The device_node pointer is returned by of_parse_phandle()  with refcount
    incremented. We should use of_node_put() on it when done.
    
    Fixes: a6df410d420a ("pinctrl: mediatek: Add Pinctrl/GPIO driver for mt8135.")
    Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
    Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
    Link: https://lore.kernel.org/r/20220308071155.21114-1-linmq006@gmail.com
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a5ddd85bad671bee4a98e1dee3c23e8aff78288f
Author: Alexey Khoroshilov <khoroshilov@ispras.ru>
Date:   Tue Feb 15 13:17:04 2022 +0300

    NFS: remove unneeded check in decode_devicenotify_args()
    
    [ Upstream commit cb8fac6d2727f79f211e745b16c9abbf4d8be652 ]
    
    [You don't often get email from khoroshilov@ispras.ru. Learn why this is important at http://aka.ms/LearnAboutSenderIdentification.]
    
    Overflow check in not needed anymore after we switch to kmalloc_array().
    
    Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
    Fixes: a4f743a6bb20 ("NFSv4.1: Convert open-coded array allocation calls to kmalloc_array()")
    Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit e5ec5b7701923f8d5a56f2101508ce944f300af4
Author: Miaoqian Lin <linmq006@gmail.com>
Date:   Wed Jan 12 10:45:01 2022 +0000

    clk: tegra: tegra124-emc: Fix missing put_device() call in emc_ensure_emc_driver
    
    [ Upstream commit 6d6ef58c2470da85a99119f74d34216c8074b9f0 ]
    
    The reference taken by 'of_find_device_by_node()' must be released when
    not needed anymore.
    Add the corresponding 'put_device()' in the error handling path.
    
    Fixes: 2db04f16b589 ("clk: tegra: Add EMC clock driver")
    Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
    Acked-by: Thierry Reding <treding@nvidia.com>
    Link: https://lore.kernel.org/r/20220112104501.30655-1-linmq006@gmail.com
    Signed-off-by: Stephen Boyd <sboyd@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 492a7a075eaaf9b73a8c022abd92d03c21ea036f
Author: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
Date:   Fri Feb 18 01:09:20 2022 +0100

    clk: clps711x: Terminate clk_div_table with sentinel element
    
    [ Upstream commit 8bed4ed5aa3431085d9d27afc35d684856460eda ]
    
    In order that the end of a clk_div_table can be detected, it must be
    terminated with a sentinel element (.div = 0).
    
    Fixes: 631c53478973d ("clk: Add CLPS711X clk driver")
    Signed-off-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
    Link: https://lore.kernel.org/r/20220218000922.134857-5-j.neuschaefer@gmx.net
    Signed-off-by: Stephen Boyd <sboyd@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit c5f00a4b329594e1c7054abe6d7457a75429e529
Author: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
Date:   Fri Feb 18 01:09:18 2022 +0100

    clk: loongson1: Terminate clk_div_table with sentinel element
    
    [ Upstream commit 3eb00f89162e80083dfcaa842468b510462cfeaa ]
    
    In order that the end of a clk_div_table can be detected, it must be
    terminated with a sentinel element (.div = 0).
    
    Fixes: b4626a7f4892 ("CLK: Add Loongson1C clock support")
    Signed-off-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
    Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
    Link: https://lore.kernel.org/r/20220218000922.134857-3-j.neuschaefer@gmx.net
    Signed-off-by: Stephen Boyd <sboyd@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 29922729f17d7d75d01ff9eb8c3e6768203e9c15
Author: Miaoqian Lin <linmq006@gmail.com>
Date:   Tue Mar 8 06:31:02 2022 +0000

    remoteproc: qcom_wcnss: Add missing of_node_put() in wcnss_alloc_memory_region
    
    [ Upstream commit 8f90161a66bc3d6b9fe8dde4d9028d20eae1b62a ]
    
    The device_node pointer is returned by of_parse_phandle()  with refcount
    incremented. We should use of_node_put() on it when done.
    
    Fixes: aed361adca9f ("remoteproc: qcom: Introduce WCNSS peripheral image loader")
    Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
    Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
    Link: https://lore.kernel.org/r/20220308063102.10049-1-linmq006@gmail.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 775be2311ae448df6eeb027412e836d75211caed
Author: Taniya Das <tdas@codeaurora.org>
Date:   Sun Feb 27 23:25:36 2022 +0530

    clk: qcom: clk-rcg2: Update the frac table for pixel clock
    
    [ Upstream commit b527358cb4cd58a8279c9062b0786f1fab628fdc ]
    
    Support the new numerator and denominator for pixel clock on SM8350 and
    support rgb101010, RGB888 use cases on SM8450.
    
    Fixes: 99cbd064b059f ("clk: qcom: Support display RCG clocks")
    Signed-off-by: Taniya Das <tdas@codeaurora.org>
    Reviewed-by: Stephen Boyd <sboyd@kernel.org>
    Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
    Link: https://lore.kernel.org/r/20220227175536.3131-2-tdas@codeaurora.org
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 35b1cf7e2f61af1b4b9a28449cb6f8b0109f4fe0
Author: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Date:   Thu Feb 24 14:28:49 2022 +0800

    iio: adc: Add check for devm_request_threaded_irq
    
    [ Upstream commit b30537a4cedcacf0ade2f33ebb7610178ed1e7d7 ]
    
    As the potential failure of the devm_request_threaded_irq(),
    it should be better to check the return value and return
    error if fails.
    
    Fixes: fa659a40b80b ("iio: adc: twl6030-gpadc: Use devm_* API family")
    Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
    Link: https://lore.kernel.org/r/20220224062849.3280966-1-jiasheng@iscas.ac.cn
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 48db011da841427638ff26a1981e266fedc666e8
Author: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Date:   Tue Feb 15 17:02:36 2022 +0100

    serial: 8250: Fix race condition in RTS-after-send handling
    
    [ Upstream commit dedab69fd650ea74710b2e626e63fd35584ef773 ]
    
    Set em485->active_timer = NULL isn't always enough to take out the stop
    timer. While there is a check that it acts in the right state (i.e.
    waiting for RTS-after-send to pass after sending some chars) but the
    following might happen:
    
     - CPU1: some chars send, shifter becomes empty, stop tx timer armed
     - CPU0: more chars send before RTS-after-send expired
     - CPU0: shifter empty irq, port lock taken
     - CPU1: tx timer triggers, waits for port lock
     - CPU0: em485->active_timer = &em485->stop_tx_timer, hrtimer_start(),
       releases lock()
     - CPU1: get lock, see em485->active_timer == &em485->stop_tx_timer,
       tear down RTS too early
    
    This fix bases on research done by Steffen Trumtrar.
    
    Fixes: b86f86e8e7c5 ("serial: 8250: fix potential deadlock in rs485-mode")
    Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    Link: https://lore.kernel.org/r/20220215160236.344236-1-u.kleine-koenig@pengutronix.de
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 1345af488af65e42594d9ed07c6196296a82a79c
Author: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Date:   Tue Feb 15 12:09:20 2022 +0200

    serial: 8250_mid: Balance reference count for PCI DMA device
    
    [ Upstream commit 67ec6dd0b257bd81b4e9fcac89b29da72f6265e5 ]
    
    The pci_get_slot() increases its reference count, the caller
    must decrement the reference count by calling pci_dev_put().
    
    Fixes: 90b9aacf912a ("serial: 8250_pci: add Intel Tangier support")
    Fixes: f549e94effa1 ("serial: 8250_pci: add Intel Penwell ports")
    Reported-by: Qing Wang <wangqing@vivo.com>
    Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    Depends-on: d9eda9bab237 ("serial: 8250_pci: Intel MID UART support to its own driver")
    Link: https://lore.kernel.org/r/20220215100920.41984-1-andriy.shevchenko@linux.intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 96219d36fe57af2027beb273dfb59ecfdb433105
Author: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Date:   Sun Feb 6 19:03:09 2022 +0000

    staging:iio:adc:ad7280a: Fix handing of device address bit reversing.
    
    [ Upstream commit f281e4ddbbc0b60f061bc18a2834e9363ba85f9f ]
    
    The bit reversal was wrong for bits 1 and 3 of the 5 bits.
    Result is driver failure to probe if you have more than 2 daisy-chained
    devices.  Discovered via QEMU based device emulation.
    
    Fixes tag is for when this moved from a macro to a function, but it
    was broken before that.
    
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Fixes: 065a7c0b1fec ("Staging: iio: adc: ad7280a.c: Fixed Macro argument reuse")
    Reviewed-by: Marcelo Schmitt <marcelo.schmitt1@gmail.com>
    Link: https://lore.kernel.org/r/20220206190328.333093-2-jic23@kernel.org
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit fac80bb24539c6245c9c1c71ebf1be43b5e16cb0
Author: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Date:   Wed Nov 10 09:49:48 2021 +0100

    pwm: lpc18xx-sct: Initialize driver data and hardware before pwmchip_add()
    
    [ Upstream commit 0401f24cd238ae200a23a13925f98de3d2c883b8 ]
    
    When a driver calls pwmchip_add() it has to be prepared to immediately
    get its callbacks called. So move allocation of driver data and hardware
    initialization before the call to pwmchip_add().
    
    This fixes a potential NULL pointer exception and a race condition on
    register writes.
    
    Fixes: 841e6f90bb78 ("pwm: NXP LPC18xx PWM/SCT driver")
    Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 125b7c929fc9b1e5eaa344bceb6367dfa6fd3f9d
Author: Jiri Slaby <jirislaby@kernel.org>
Date:   Mon Jan 24 08:14:24 2022 +0100

    mxser: fix xmit_buf leak in activate when LSR == 0xff
    
    [ Upstream commit cd3a4907ee334b40d7aa880c7ab310b154fd5cd4 ]
    
    When LSR is 0xff in ->activate() (rather unlike), we return an error.
    Provided ->shutdown() is not called when ->activate() fails, nothing
    actually frees the buffer in this case.
    
    Fix this by properly freeing the buffer in a designated label. We jump
    there also from the "!info->type" if now too.
    
    Fixes: 6769140d3047 ("tty: mxser: use the tty_port_open method")
    Signed-off-by: Jiri Slaby <jslaby@suse.cz>
    Link: https://lore.kernel.org/r/20220124071430.14907-6-jslaby@suse.cz
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit edaccad5e09e42ac433526eafc70b06a19598120
Author: Miaoqian Lin <linmq006@gmail.com>
Date:   Mon Mar 7 07:29:47 2022 +0000

    mfd: asic3: Add missing iounmap() on error asic3_mfd_probe
    
    [ Upstream commit e84ee1a75f944a0fe3c277aaa10c426603d2b0bc ]
    
    Add the missing iounmap() before return from asic3_mfd_probe
    in the error handling case.
    
    Fixes: 64e8867ba809 ("mfd: tmio_mmc hardware abstraction for CNF area")
    Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
    Signed-off-by: Lee Jones <lee.jones@linaro.org>
    Link: https://lore.kernel.org/r/20220307072947.5369-1-linmq006@gmail.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 5082185eb5b919ff179d3beb954821e0960e7426
Author: Jakub Kicinski <kuba@kernel.org>
Date:   Mon Mar 21 09:59:57 2022 -0700

    tcp: ensure PMTU updates are processed during fastopen
    
    [ Upstream commit ed0c99dc0f499ff8b6e75b5ae6092ab42be1ad39 ]
    
    tp->rx_opt.mss_clamp is not populated, yet, during TFO send so we
    rise it to the local MSS. tp->mss_cache is not updated, however:
    
    tcp_v6_connect():
      tp->rx_opt.mss_clamp = IPV6_MIN_MTU - headers;
      tcp_connect():
         tcp_connect_init():
           tp->mss_cache = min(mtu, tp->rx_opt.mss_clamp)
         tcp_send_syn_data():
           tp->rx_opt.mss_clamp = tp->advmss
    
    After recent fixes to ICMPv6 PTB handling we started dropping
    PMTU updates higher than tp->mss_cache. Because of the stale
    tp->mss_cache value PMTU updates during TFO are always dropped.
    
    Thanks to Wei for helping zero in on the problem and the fix!
    
    Fixes: c7bb4b89033b ("ipv6: tcp: drop silly ICMPv6 packet too big messages")
    Reported-by: Andre Nash <alnash@fb.com>
    Reported-by: Neil Spring <ntspring@fb.com>
    Reviewed-by: Wei Wang <weiwan@google.com>
    Acked-by: Yuchung Cheng <ycheng@google.com>
    Acked-by: Martin KaFai Lau <kafai@fb.com>
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Reviewed-by: Eric Dumazet <edumazet@google.com>
    Link: https://lore.kernel.org/r/20220321165957.1769954-1-kuba@kernel.org
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 97452456c1e47d0e65c47a3e2c65cace178f3cb3
Author: Peter Rosin <peda@axentia.se>
Date:   Wed Mar 2 12:22:35 2022 +0100

    i2c: mux: demux-pinctrl: do not deactivate a master that is not active
    
    [ Upstream commit 1a22aabf20adf89cb216f566913196128766f25b ]
    
    Attempting to rollback the activation of the current master when
    the current master has not been activated is bad. priv->cur_chan
    and priv->cur_adap are both still zeroed out and the rollback
    may result in attempts to revert an of changeset that has not been
    applied and do result in calls to both del and put the zeroed out
    i2c_adapter. Maybe it crashes, or whatever, but it's bad in any
    case.
    
    Fixes: e9d1a0a41d44 ("i2c: mux: demux-pinctrl: Fix an error handling path in 'i2c_demux_pinctrl_probe()'")
    Signed-off-by: Peter Rosin <peda@axentia.se>
    Signed-off-by: Wolfram Sang <wsa@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit ac5883a8890a11c00b32a19949a25d4afeaa2f5a
Author: Petr Machata <petrm@nvidia.com>
Date:   Thu Mar 17 15:53:06 2022 +0100

    af_netlink: Fix shift out of bounds in group mask calculation
    
    [ Upstream commit 0caf6d9922192dd1afa8dc2131abfb4df1443b9f ]
    
    When a netlink message is received, netlink_recvmsg() fills in the address
    of the sender. One of the fields is the 32-bit bitfield nl_groups, which
    carries the multicast group on which the message was received. The least
    significant bit corresponds to group 1, and therefore the highest group
    that the field can represent is 32. Above that, the UB sanitizer flags the
    out-of-bounds shift attempts.
    
    Which bits end up being set in such case is implementation defined, but
    it's either going to be a wrong non-zero value, or zero, which is at least
    not misleading. Make the latter choice deterministic by always setting to 0
    for higher-numbered multicast groups.
    
    To get information about membership in groups >= 32, userspace is expected
    to use nl_pktinfo control messages[0], which are enabled by NETLINK_PKTINFO
    socket option.
    [0] https://lwn.net/Articles/147608/
    
    The way to trigger this issue is e.g. through monitoring the BRVLAN group:
    
            # bridge monitor vlan &
            # ip link add name br type bridge
    
    Which produces the following citation:
    
            UBSAN: shift-out-of-bounds in net/netlink/af_netlink.c:162:19
            shift exponent 32 is too large for 32-bit type 'int'
    
    Fixes: f7fa9b10edbb ("[NETLINK]: Support dynamic number of multicast groups per netlink family")
    Signed-off-by: Petr Machata <petrm@nvidia.com>
    Reviewed-by: Ido Schimmel <idosch@nvidia.com>
    Link: https://lore.kernel.org/r/2bef6aabf201d1fc16cca139a744700cff9dcb04.1647527635.git.petrm@nvidia.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 9e2e19d079cee80ece401f6d83a72a61ded3b7b9
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Fri Mar 4 10:35:04 2022 +0300

    USB: storage: ums-realtek: fix error code in rts51x_read_mem()
    
    [ Upstream commit b07cabb8361dc692522538205552b1b9dab134be ]
    
    The rts51x_read_mem() function should return negative error codes.
    Currently if the kmalloc() fails it returns USB_STOR_TRANSPORT_ERROR (3)
    which is treated as success by the callers.
    
    Fixes: 065e60964e29 ("ums_realtek: do not use stack memory for DMA")
    Acked-by: Alan Stern <stern@rowland.harvard.edu>
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Link: https://lore.kernel.org/r/20220304073504.GA26464@kili
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 0856bf27057561f42b37df111603cf5a0d040294
Author: Xin Xiong <xiongx18@fudan.edu.cn>
Date:   Fri Mar 4 16:53:32 2022 +0800

    mtd: rawnand: atmel: fix refcount issue in atmel_nand_controller_init
    
    [ Upstream commit fecbd4a317c95d73c849648c406bcf1b6a0ec1cf ]
    
    The reference counting issue happens in several error handling paths
    on a refcounted object "nc->dmac". In these paths, the function simply
    returns the error code, forgetting to balance the reference count of
    "nc->dmac", increased earlier by dma_request_channel(), which may
    cause refcount leaks.
    
    Fix it by decrementing the refcount of specific object in those error
    paths.
    
    Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver")
    Co-developed-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
    Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
    Co-developed-by: Xin Tan <tanxin.ctf@gmail.com>
    Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
    Signed-off-by: Xin Xiong <xiongx18@fudan.edu.cn>
    Reviewed-by: Claudiu Beznea <claudiu.beznea@microchip.com>
    Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
    Link: https://lore.kernel.org/linux-mtd/20220304085330.3610-1-xiongx18@fudan.edu.cn
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit bf273a7175b3afa4bed4fde75d4c0d917d82cace
Author: Randy Dunlap <rdunlap@infradead.org>
Date:   Fri Mar 11 20:20:26 2022 -0800

    MIPS: RB532: fix return value of __setup handler
    
    [ Upstream commit 8755d57ba1ff910666572fab9e32890e8cc6ed3b ]
    
    __setup() handlers should return 1 to obsolete_checksetup() in
    init/main.c to indicate that the boot option has been handled.
    A return of 0 causes the boot option/value to be listed as an Unknown
    kernel parameter and added to init's (limited) argument or environment
    strings. Also, error return codes don't mean anything to
    obsolete_checksetup() -- only non-zero (usually 1) or zero.
    So return 1 from setup_kmac().
    
    Fixes: 9e21c7e40b7e ("MIPS: RB532: Replace parse_mac_addr() with mac_pton().")
    Fixes: 73b4390fb234 ("[MIPS] Routerboard 532: Support for base system")
    Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
    From: Igor Zhbanov <i.zhbanov@omprussia.ru>
    Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru
    Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
    Cc: linux-mips@vger.kernel.org
    Cc: "David S. Miller" <davem@davemloft.net>
    Cc: Jakub Kicinski <kuba@kernel.org>
    Cc: Phil Sutter <n0-1@freewrt.org>
    Cc: Florian Fainelli <f.fainelli@gmail.com>
    Cc: Ralf Baechle <ralf@linux-mips.org>
    Cc: Daniel Walter <dwalter@google.com>
    Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 421612370a11dd9f7d18b0139dfce3983e41f7ec
Author: Oliver Hartkopp <socketcan@hartkopp.net>
Date:   Wed Mar 9 13:04:16 2022 +0100

    vxcan: enable local echo for sent CAN frames
    
    [ Upstream commit 259bdba27e32368b4404f69d613b1c1014c07cbf ]
    
    The vxcan driver provides a pair of virtual CAN interfaces to exchange
    CAN traffic between different namespaces - analogue to veth.
    
    In opposite to the vcan driver the local sent CAN traffic on this interface
    is not echo'ed back but only sent to the remote peer. This is unusual and
    can be easily fixed by removing IFF_ECHO from the netdevice flags that
    are set for vxcan interfaces by default at startup.
    
    Without IFF_ECHO set on driver level, the local sent CAN frames are echo'ed
    in af_can.c in can_send(). This patch makes vxcan interfaces adopt the
    same local echo behavior and procedures as known from the vcan interfaces.
    
    Fixes: a8f820a380a2 ("can: add Virtual CAN Tunnel driver (vxcan)")
    Link: https://lore.kernel.org/all/20220309120416.83514-5-socketcan@hartkopp.net
    Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f9a945d8058ff84fb6408421aa5c0d2746daafce
Author: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Date:   Thu Feb 24 10:23:31 2022 +0800

    mfd: mc13xxx: Add check for mc13xxx_irq_request
    
    [ Upstream commit e477e51a41cb5d6034f3c5ea85a71ad4613996b9 ]
    
    As the potential failure of the devm_request_threaded_irq(),
    it should be better to check the return value of the
    mc13xxx_irq_request() and return error if fails.
    
    Fixes: 8e00593557c3 ("mfd: Add mc13892 support to mc13xxx")
    Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
    Signed-off-by: Lee Jones <lee.jones@linaro.org>
    Link: https://lore.kernel.org/r/20220224022331.3208275-1-jiasheng@iscas.ac.cn
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 9aeea41fa6cdb3b009585182314f1bd93e0dd1c3
Author: Jakob Koschel <jakobkoschel@gmail.com>
Date:   Mon Feb 28 15:24:33 2022 +0100

    powerpc/sysdev: fix incorrect use to determine if list is empty
    
    [ Upstream commit fa1321b11bd01752f5be2415e74a0e1a7c378262 ]
    
    'gtm' will *always* be set by list_for_each_entry().
    It is incorrect to assume that the iterator value will be NULL if the
    list is empty.
    
    Instead of checking the pointer it should be checked if
    the list is empty.
    
    Fixes: 83ff9dcf375c ("powerpc/sysdev: implement FSL GTM support")
    Signed-off-by: Jakob Koschel <jakobkoschel@gmail.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://lore.kernel.org/r/20220228142434.576226-1-jakobkoschel@gmail.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 1c63f5ab2d5bd5ac606d4f5576f732d9fa704747
Author: Mark Tomlinson <mark.tomlinson@alliedtelesis.co.nz>
Date:   Thu Aug 6 16:14:55 2020 +1200

    PCI: Reduce warnings on possible RW1C corruption
    
    [ Upstream commit 92c45b63ce22c8898aa41806e8d6692bcd577510 ]
    
    For hardware that only supports 32-bit writes to PCI there is the
    possibility of clearing RW1C (write-one-to-clear) bits. A rate-limited
    messages was introduced by fb2659230120, but rate-limiting is not the best
    choice here. Some devices may not show the warnings they should if another
    device has just produced a bunch of warnings. Also, the number of messages
    can be a nuisance on devices which are otherwise working fine.
    
    Change the ratelimit to a single warning per bus. This ensures no bus is
    'starved' of emitting a warning and also that there isn't a continuous
    stream of warnings. It would be preferable to have a warning per device,
    but the pci_dev structure is not available here, and a lookup from devfn
    would be far too slow.
    
    Suggested-by: Bjorn Helgaas <helgaas@kernel.org>
    Fixes: fb2659230120 ("PCI: Warn on possible RW1C corruption for sub-32 bit config writes")
    Link: https://lore.kernel.org/r/20200806041455.11070-1-mark.tomlinson@alliedtelesis.co.nz
    Signed-off-by: Mark Tomlinson <mark.tomlinson@alliedtelesis.co.nz>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
    Reviewed-by: Rob Herring <robh@kernel.org>
    Acked-by: Scott Branden <scott.branden@broadcom.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit ae64b838bececea902b819a69731cb80cca8f31a
Author: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Date:   Thu Mar 3 17:43:22 2022 +0800

    power: supply: wm8350-power: Add missing free in free_charger_irq
    
    [ Upstream commit 6dee930f6f6776d1e5a7edf542c6863b47d9f078 ]
    
    In free_charger_irq(), there is no free for 'WM8350_IRQ_CHG_FAST_RDY'.
    Therefore, it should be better to add it in order to avoid the memory leak.
    
    Fixes: 14431aa0c5a4 ("power_supply: Add support for WM8350 PMU")
    Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
    Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
    Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 8daeb3d5c46b41fa2baaaadbeeecb251bd7398a5
Author: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Date:   Fri Mar 4 09:57:51 2022 +0800

    power: supply: wm8350-power: Handle error for wm8350_register_irq
    
    [ Upstream commit b0b14b5ba11bec56fad344a4a0b2e16449cc8b94 ]
    
    As the potential failure of the wm8350_register_irq(),
    it should be better to check it and return error if fails.
    Also, use 'free_' in order to avoid same code.
    
    Fixes: 14431aa0c5a4 ("power_supply: Add support for WM8350 PMU")
    Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
    Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
    Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 820c1730b4723843c4881e2cbb462366d04021dc
Author: Robert Hancock <robert.hancock@calian.com>
Date:   Thu Jan 27 11:50:13 2022 -0600

    i2c: xiic: Make bus names unique
    
    [ Upstream commit 1d366c2f9df8279df2adbb60471f86fc40a1c39e ]
    
    This driver is for an FPGA logic core, so there can be arbitrarily many
    instances of the bus on a given system. Previously all of the I2C bus
    names were "xiic-i2c" which caused issues with lm_sensors when trying to
    map human-readable names to sensor inputs because it could not properly
    distinguish the busses, for example. Append the platform device name to
    the I2C bus name so it is unique between different instances.
    
    Fixes: e1d5b6598cdc ("i2c: Add support for Xilinx XPS IIC Bus Interface")
    Signed-off-by: Robert Hancock <robert.hancock@calian.com>
    Tested-by: Michal Simek <michal.simek@xilinx.com>
    Signed-off-by: Wolfram Sang <wsa@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit de7055a08408c9d8797f7bf89900ce092bfa047b
Author: Hou Wenlong <houwenlong.hwl@antgroup.com>
Date:   Tue Feb 8 17:34:03 2022 +0800

    KVM: x86/emulator: Defer not-present segment check in __load_segment_descriptor()
    
    [ Upstream commit ca85f002258fdac3762c57d12d5e6e401b6a41af ]
    
    Per Intel's SDM on the "Instruction Set Reference", when
    loading segment descriptor, not-present segment check should
    be after all type and privilege checks. But the emulator checks
    it first, then #NP is triggered instead of #GP if privilege fails
    and segment is not present. Put not-present segment check after
    type and privilege checks in __load_segment_descriptor().
    
    Fixes: 38ba30ba51a00 (KVM: x86 emulator: Emulate task switch in emulator.c)
    Reviewed-by: Sean Christopherson <seanjc@google.com>
    Signed-off-by: Hou Wenlong <houwenlong.hwl@antgroup.com>
    Message-Id: <52573c01d369f506cadcf7233812427cf7db81a7.1644292363.git.houwenlong.hwl@antgroup.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit d430035316e53c8252e88562ed128057224d38ef
Author: Zhenzhong Duan <zhenzhong.duan@intel.com>
Date:   Thu Feb 10 17:45:06 2022 +0800

    KVM: x86: Fix emulation in writing cr8
    
    [ Upstream commit f66af9f222f08d5b11ea41c1bd6c07a0f12daa07 ]
    
    In emulation of writing to cr8, one of the lowest four bits in TPR[3:0]
    is kept.
    
    According to Intel SDM 10.8.6.1(baremetal scenario):
    "APIC.TPR[bits 7:4] = CR8[bits 3:0], APIC.TPR[bits 3:0] = 0";
    
    and SDM 28.3(use TPR shadow):
    "MOV to CR8. The instruction stores bits 3:0 of its source operand into
    bits 7:4 of VTPR; the remainder of VTPR (bits 3:0 and bits 31:8) are
    cleared.";
    
    and AMD's APM 16.6.4:
    "Task Priority Sub-class (TPS)-Bits 3 : 0. The TPS field indicates the
    current sub-priority to be used when arbitrating lowest-priority messages.
    This field is written with zero when TPR is written using the architectural
    CR8 register.";
    
    so in KVM emulated scenario, clear TPR[3:0] to make a consistent behavior
    as in other scenarios.
    
    This doesn't impact evaluation and delivery of pending virtual interrupts
    because processor does not use the processor-priority sub-class to
    determine which interrupts to delivery and which to inhibit.
    
    Sub-class is used by hardware to arbitrate lowest priority interrupts,
    but KVM just does a round-robin style delivery.
    
    Fixes: b93463aa59d6 ("KVM: Accelerated apic support")
    Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
    Reviewed-by: Sean Christopherson <seanjc@google.com>
    Message-Id: <20220210094506.20181-1-zhenzhong.duan@intel.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 117d2bc54826de68a8c9d46e9cd9fc49755bb1dc
Author: Hans de Goede <hdegoede@redhat.com>
Date:   Sat Feb 12 17:48:16 2022 +0100

    power: supply: bq24190_charger: Fix bq24190_vbus_is_enabled() wrong false return
    
    [ Upstream commit f7731754fdce33dad19be746f647d6ac47c5d695 ]
    
    The datasheet says that the BQ24190_REG_POC_CHG_CONFIG bits can
    have a value of either 10(0x2) or 11(0x3) for OTG (5V boost regulator)
    mode.
    
    Sofar bq24190_vbus_is_enabled() was only checking for 10 but some BIOS-es
    uses 11 when enabling the regulator at boot.
    
    Make bq24190_vbus_is_enabled() also check for 11 so that it does not
    wrongly returns false when the bits are set to 11.
    
    Fixes: 66b6bef2c4e0 ("power: supply: bq24190_charger: Export 5V boost converter as regulator")
    Cc: Bastien Nocera <hadess@hadess.net>
    Signed-off-by: Hans de Goede <hdegoede@redhat.com>
    Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 5e8fdb6392d945d33fef959eab73f8c34bc0a63b
Author: Miaoqian Lin <linmq006@gmail.com>
Date:   Mon Jan 10 06:53:16 2022 +0000

    drm/tegra: Fix reference leak in tegra_dsi_ganged_probe
    
    [ Upstream commit 221e3638feb8bc42143833c9a704fa89b6c366bb ]
    
    The reference taken by 'of_find_device_by_node()' must be released when
    not needed anymore. Add put_device() call to fix this.
    
    Fixes: e94236cde4d5 ("drm/tegra: dsi: Add ganged mode support")
    Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
    Signed-off-by: Thierry Reding <treding@nvidia.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 94fe9ee8d6d48235b44e14820c07271be3c25cff
Author: Zhang Yi <yi.zhang@huawei.com>
Date:   Sat Feb 12 13:05:32 2022 +0800

    ext2: correct max file size computing
    
    [ Upstream commit 50b3a818991074177a56c87124c7a7bdf5fa4f67 ]
    
    We need to calculate the max file size accurately if the total blocks
    that can address by block tree exceed the upper_limit. But this check is
    not correct now, it only compute the total data blocks but missing
    metadata blocks are needed. So in the case of "data blocks < upper_limit
    && total blocks > upper_limit", we will get wrong result. Fortunately,
    this case could not happen in reality, but it's confused and better to
    correct the computing.
    
      bits   data blocks   metadatablocks   upper_limit
      10        16843020            66051    2147483647
      11       134480396           263171    1073741823
      12      1074791436          1050627     536870911 (*)
      13      8594130956          4198403     268435455 (*)
      14     68736258060         16785411     134217727 (*)
      15    549822930956         67125251      67108863 (*)
      16   4398314962956        268468227      33554431 (*)
    
      [*] Need to calculate in depth.
    
    Fixes: 1c2d14212b15 ("ext2: Fix underflow in ext2_max_size()")
    Link: https://lore.kernel.org/r/20220212050532.179055-1-yi.zhang@huawei.com
    Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f00f9327af7ff131a30b0131004e25f0c4a48095
Author: Randy Dunlap <rdunlap@infradead.org>
Date:   Tue Feb 22 13:45:33 2022 -0800

    TOMOYO: fix __setup handlers return values
    
    [ Upstream commit 39844b7e3084baecef52d1498b5fa81afa2cefa9 ]
    
    __setup() handlers should return 1 if the parameter is handled.
    Returning 0 causes the entire string to be added to init's
    environment strings (limited to 32 strings), unnecessarily polluting it.
    
    Using the documented strings "TOMOYO_loader=string1" and
    "TOMOYO_trigger=string2" causes an Unknown parameter message:
      Unknown kernel command line parameters
        "BOOT_IMAGE=/boot/bzImage-517rc5 TOMOYO_loader=string1 \
         TOMOYO_trigger=string2", will be passed to user space.
    
    and these strings are added to init's environment string space:
      Run /sbin/init as init process
        with arguments:
         /sbin/init
        with environment:
         HOME=/
         TERM=linux
         BOOT_IMAGE=/boot/bzImage-517rc5
         TOMOYO_loader=string1
         TOMOYO_trigger=string2
    
    With this change, these __setup handlers act as expected,
    and init's environment is not polluted with these strings.
    
    Fixes: 0e4ae0e0dec63 ("TOMOYO: Make several options configurable.")
    Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
    Reported-by: Igor Zhbanov <i.zhbanov@omprussia.ru>
    Link: https://lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru
    Cc: James Morris <jmorris@namei.org>
    Cc: Kentaro Takeda <takedakn@nttdata.co.jp>
    Cc: tomoyo-dev-en@lists.osdn.me
    Cc: "Serge E. Hallyn" <serge@hallyn.com>
    Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit d6ec4471550cc53e96485a7124c5891e6a38d1c3
Author: Damien Le Moal <damien.lemoal@opensource.wdc.com>
Date:   Sun Feb 20 12:17:55 2022 +0900

    scsi: pm8001: Fix abort all task initialization
    
    [ Upstream commit 7f12845c8389855dbcc67baa068b6832dc4a396e ]
    
    In pm80xx_send_abort_all(), the n_elem field of the ccb used is not
    initialized to 0. This missing initialization sometimes lead to the task
    completion path seeing the ccb with a non-zero n_elem resulting in the
    execution of invalid dma_unmap_sg() calls in pm8001_ccb_task_free(),
    causing a crash such as:
    
    [  197.676341] RIP: 0010:iommu_dma_unmap_sg+0x6d/0x280
    [  197.700204] RSP: 0018:ffff889bbcf89c88 EFLAGS: 00010012
    [  197.705485] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff83d0bda0
    [  197.712687] RDX: 0000000000000002 RSI: 0000000000000000 RDI: ffff88810dffc0d0
    [  197.719887] RBP: 0000000000000000 R08: 0000000000000000 R09: ffff8881c790098b
    [  197.727089] R10: ffffed1038f20131 R11: 0000000000000001 R12: 0000000000000000
    [  197.734296] R13: ffff88810dffc0d0 R14: 0000000000000010 R15: 0000000000000000
    [  197.741493] FS:  0000000000000000(0000) GS:ffff889bbcf80000(0000) knlGS:0000000000000000
    [  197.749659] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [  197.755459] CR2: 00007f16c1b42734 CR3: 0000000004814000 CR4: 0000000000350ee0
    [  197.762656] Call Trace:
    [  197.765127]  <IRQ>
    [  197.767162]  pm8001_ccb_task_free+0x5f1/0x820 [pm80xx]
    [  197.772364]  ? do_raw_spin_unlock+0x54/0x220
    [  197.776680]  pm8001_mpi_task_abort_resp+0x2ce/0x4f0 [pm80xx]
    [  197.782406]  process_oq+0xe85/0x7890 [pm80xx]
    [  197.786817]  ? lock_acquire+0x194/0x490
    [  197.790697]  ? handle_irq_event+0x10e/0x1b0
    [  197.794920]  ? mpi_sata_completion+0x2d70/0x2d70 [pm80xx]
    [  197.800378]  ? __wake_up_bit+0x100/0x100
    [  197.804340]  ? lock_is_held_type+0x98/0x110
    [  197.808565]  pm80xx_chip_isr+0x94/0x130 [pm80xx]
    [  197.813243]  tasklet_action_common.constprop.0+0x24b/0x2f0
    [  197.818785]  __do_softirq+0x1b5/0x82d
    [  197.822485]  ? do_raw_spin_unlock+0x54/0x220
    [  197.826799]  __irq_exit_rcu+0x17e/0x1e0
    [  197.830678]  irq_exit_rcu+0xa/0x20
    [  197.834114]  common_interrupt+0x78/0x90
    [  197.840051]  </IRQ>
    [  197.844236]  <TASK>
    [  197.848397]  asm_common_interrupt+0x1e/0x40
    
    Avoid this issue by always initializing the ccb n_elem field to 0 in
    pm8001_send_abort_all(), pm8001_send_read_log() and
    pm80xx_send_abort_all().
    
    Link: https://lore.kernel.org/r/20220220031810.738362-17-damien.lemoal@opensource.wdc.com
    Fixes: c6b9ef5779c3 ("[SCSI] pm80xx: NCQ error handling changes")
    Reviewed-by: Jack Wang <jinpu.wang@ionos.com>
    Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit cf54511c5b3061fd14da48f08d13b194cef9fdcd
Author: Damien Le Moal <damien.lemoal@opensource.wdc.com>
Date:   Sun Feb 20 12:17:46 2022 +0900

    scsi: pm8001: Fix payload initialization in pm80xx_set_thermal_config()
    
    [ Upstream commit bb225b12dbcc82d53d637d10b8d70b64494f8c16 ]
    
    The fields of the set_ctrl_cfg_req structure have the __le32 type, so use
    cpu_to_le32() to assign them. This removes the sparse warnings:
    
    warning: incorrect type in assignment (different base types)
        expected restricted __le32
        got unsigned int
    
    Link: https://lore.kernel.org/r/20220220031810.738362-8-damien.lemoal@opensource.wdc.com
    Fixes: 842784e0d15b ("pm80xx: Update For Thermal Page Code")
    Fixes: f5860992db55 ("[SCSI] pm80xx: Added SPCv/ve specific hardware functionalities and relevant changes in common files")
    Reviewed-by: John Garry <john.garry@huawei.com>
    Reviewed-by: Jack Wang <jinpu.wang@ionos.com>
    Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 913d460f8ed69dda29129e50c61812d7059ad6d5
Author: Damien Le Moal <damien.lemoal@opensource.wdc.com>
Date:   Sun Feb 20 12:17:45 2022 +0900

    scsi: pm8001: Fix command initialization in pm8001_chip_ssp_tm_req()
    
    [ Upstream commit cd2268a180117aa8ebb23e090ba204324b2d0e93 ]
    
    The ds_ads_m field of struct ssp_ini_tm_start_req has the type __le32.
    Assigning a value to it should thus use cpu_to_le32(). This fixes the
    sparse warning:
    
    warning: incorrect type in assignment (different base types)
       expected restricted __le32 [addressable] [assigned] [usertype] ds_ads_m
       got int
    
    Link: https://lore.kernel.org/r/20220220031810.738362-7-damien.lemoal@opensource.wdc.com
    Fixes: dbf9bfe61571 ("[SCSI] pm8001: add SAS/SATA HBA driver")
    Reviewed-by: Jack Wang <jinpu.wang@ionos.com>
    Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit b90cf4f2d754e50fd9434c2fa4d212cf963f7bbe
Author: Damien Le Moal <damien.lemoal@opensource.wdc.com>
Date:   Sun Feb 20 12:17:43 2022 +0900

    scsi: pm8001: Fix command initialization in pm80XX_send_read_log()
    
    [ Upstream commit 1a37b6738b58d86f6b144b3fc754ace0f2e0166d ]
    
    Since the sata_cmd struct is zeroed out before its fields are initialized,
    there is no need for using "|=" to initialize the ncqtag_atap_dir_m
    field. Using a standard assignment removes the sparse warning:
    
    warning: invalid assignment: |=
    
    Also, since the ncqtag_atap_dir_m field has type __le32, use cpu_to_le32()
    to generate the assigned value.
    
    Link: https://lore.kernel.org/r/20220220031810.738362-5-damien.lemoal@opensource.wdc.com
    Fixes: c6b9ef5779c3 ("[SCSI] pm80xx: NCQ error handling changes")
    Reviewed-by: John Garry <john.garry@huawei.com>
    Reviewed-by: Jack Wang <jinpu.wang@ionos.com>
    Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 455750e8e91cd367a6087929a62e536e03c27b18
Author: Aashish Sharma <shraash@google.com>
Date:   Fri Feb 11 12:15:38 2022 +0000

    dm crypt: fix get_key_size compiler warning if !CONFIG_KEYS
    
    [ Upstream commit 6fc51504388c1a1a53db8faafe9fff78fccc7c87 ]
    
    Explicitly convert unsigned int in the right of the conditional
    expression to int to match the left side operand and the return type,
    fixing the following compiler warning:
    
    drivers/md/dm-crypt.c:2593:43: warning: signed and unsigned
    type in conditional expression [-Wsign-compare]
    
    Fixes: c538f6ec9f56 ("dm crypt: add ability to use keys from the kernel key retention service")
    Signed-off-by: Aashish Sharma <shraash@google.com>
    Signed-off-by: Mike Snitzer <snitzer@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit c120ca2386e33acad842a41a0d89e11c029963e2
Author: Colin Ian King <colin.king@intel.com>
Date:   Tue Sep 7 11:46:58 2021 +0100

    iwlwifi: Fix -EIO error code that is never returned
    
    [ Upstream commit c305c94bdc18e45b5ad1db54da4269f8cbfdff6b ]
    
    Currently the error -EIO is being assinged to variable ret when
    the READY_BIT is not set but the function iwlagn_mac_start returns
    0 rather than ret. Fix this by returning ret instead of 0.
    
    Addresses-Coverity: ("Unused value")
    Fixes: 7335613ae27a ("iwlwifi: move all mac80211 related functions to one place")
    Signed-off-by: Colin Ian King <colin.king@canonical.com>
    Link: https://lore.kernel.org/r/20210907104658.14706-1-colin.king@canonical.com
    Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 628f57bb8e95d16182448fb7923a922d58e65491
Author: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Date:   Mon Jan 17 23:26:18 2022 -0800

    HID: i2c-hid: fix GET/SET_REPORT for unnumbered reports
    
    [ Upstream commit a5e5e03e94764148a01757b2fa4737d3445c13a6 ]
    
    Internally kernel prepends all report buffers, for both numbered and
    unnumbered reports, with report ID, therefore to properly handle unnumbered
    reports we should prepend it ourselves.
    
    For the same reason we should skip the first byte of the buffer when
    calling i2c_hid_set_or_send_report() which then will take care of properly
    formatting the transfer buffer based on its separate report ID argument
    along with report payload.
    
    [jkosina@suse.cz: finalize trimmed sentence in changelog as spotted by Benjamin]
    Fixes: 9b5a9ae88573 ("HID: i2c-hid: implement ll_driver transport-layer callbacks")
    Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Tested-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 19aa3c98ed7b2616e105946cec804f897837ab84
Author: Miaoqian Lin <linmq006@gmail.com>
Date:   Mon Jan 24 13:13:46 2022 +0000

    power: supply: ab8500: Fix memory leak in ab8500_fg_sysfs_init
    
    [ Upstream commit 6a4760463dbc6b603690938c468839985189ce0a ]
    
    kobject_init_and_add() takes reference even when it fails.
    According to the doc of kobject_init_and_add():
    
       If this function returns an error, kobject_put() must be called to
       properly clean up the memory associated with the object.
    
    Fix memory leak by calling kobject_put().
    
    Fixes: 8c0984e5a753 ("power: move power supply drivers to power/supply")
    Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
    Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a2ccf3fddb5c5ae2b50e6d607415f10c30ce9fe0
Author: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Date:   Thu Dec 30 10:29:26 2021 +0800

    ray_cs: Check ioremap return value
    
    [ Upstream commit 7e4760713391ee46dc913194b33ae234389a174e ]
    
    As the possible failure of the ioremap(), the 'local->sram' and other
    two could be NULL.
    Therefore it should be better to check it in order to avoid the later
    dev_dbg.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
    Signed-off-by: Kalle Valo <kvalo@kernel.org>
    Link: https://lore.kernel.org/r/20211230022926.1846757-1-jiasheng@iscas.ac.cn
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit ab079f402a1716d337be33242da0d496d340dee4
Author: Miaoqian Lin <linmq006@gmail.com>
Date:   Thu Jan 20 10:46:54 2022 +0000

    power: reset: gemini-poweroff: Fix IRQ check in gemini_poweroff_probe
    
    [ Upstream commit ba18dad0fb880cd29aa97b6b75560ef14d1061ba ]
    
    platform_get_irq() returns negative error number instead 0 on failure.
    And the doc of platform_get_irq() provides a usage example:
    
        int irq = platform_get_irq(pdev, 0);
        if (irq < 0)
            return irq;
    
    Fix the check of return value to catch errors correctly.
    
    Fixes: f7a388d6cd1c ("power: reset: Add a driver for the Gemini poweroff")
    Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
    Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit e352acdd378e9263cc4c6018e588f2dac7161d07
Author: Pavel Skripkin <paskripkin@gmail.com>
Date:   Wed Jan 19 10:52:37 2022 +0200

    ath9k_htc: fix uninit value bugs
    
    [ Upstream commit d1e0df1c57bd30871dd1c855742a7c346dbca853 ]
    
    Syzbot reported 2 KMSAN bugs in ath9k. All of them are caused by missing
    field initialization.
    
    In htc_connect_service() svc_meta_len and pad are not initialized. Based
    on code it looks like in current skb there is no service data, so simply
    initialize svc_meta_len to 0.
    
    htc_issue_send() does not initialize htc_frame_hdr::control array. Based
    on firmware code, it will initialize it by itself, so simply zero whole
    array to make KMSAN happy
    
    Fail logs:
    
    BUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
     usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
     hif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline]
     hif_usb_send+0x5f0/0x16f0 drivers/net/wireless/ath/ath9k/hif_usb.c:479
     htc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline]
     htc_connect_service+0x143e/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:275
    ...
    
    Uninit was created at:
     slab_post_alloc_hook mm/slab.h:524 [inline]
     slab_alloc_node mm/slub.c:3251 [inline]
     __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974
     kmalloc_reserve net/core/skbuff.c:354 [inline]
     __alloc_skb+0x545/0xf90 net/core/skbuff.c:426
     alloc_skb include/linux/skbuff.h:1126 [inline]
     htc_connect_service+0x1029/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:258
    ...
    
    Bytes 4-7 of 18 are uninitialized
    Memory access of size 18 starts at ffff888027377e00
    
    BUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
     usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430
     hif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline]
     hif_usb_send+0x5f0/0x16f0 drivers/net/wireless/ath/ath9k/hif_usb.c:479
     htc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline]
     htc_connect_service+0x143e/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:275
    ...
    
    Uninit was created at:
     slab_post_alloc_hook mm/slab.h:524 [inline]
     slab_alloc_node mm/slub.c:3251 [inline]
     __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974
     kmalloc_reserve net/core/skbuff.c:354 [inline]
     __alloc_skb+0x545/0xf90 net/core/skbuff.c:426
     alloc_skb include/linux/skbuff.h:1126 [inline]
     htc_connect_service+0x1029/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:258
    ...
    
    Bytes 16-17 of 18 are uninitialized
    Memory access of size 18 starts at ffff888027377e00
    
    Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
    Reported-by: syzbot+f83a1df1ed4f67e8d8ad@syzkaller.appspotmail.com
    Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
    Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
    Link: https://lore.kernel.org/r/20220115122733.11160-1-paskripkin@gmail.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 97aa6361c20810f519f02f2909bb6f54d784a1ed
Author: Maxime Ripard <maxime@cerno.tech>
Date:   Thu Jan 20 16:16:11 2022 +0100

    drm/edid: Don't clear formats if using deep color
    
    [ Upstream commit 75478b3b393bcbdca4e6da76fe3a9f1a4133ec5d ]
    
    The current code, when parsing the EDID Deep Color depths, that the
    YUV422 cannot be used, referring to the HDMI 1.3 Specification.
    
    This specification, in its section 6.2.4, indeed states:
    
      For each supported Deep Color mode, RGB 4:4:4 shall be supported and
      optionally YCBCR 4:4:4 may be supported.
    
      YCBCR 4:2:2 is not permitted for any Deep Color mode.
    
    This indeed can be interpreted like the code does, but the HDMI 1.4
    specification further clarifies that statement in its section 6.2.4:
    
      For each supported Deep Color mode, RGB 4:4:4 shall be supported and
      optionally YCBCR 4:4:4 may be supported.
    
      YCBCR 4:2:2 is also 36-bit mode but does not require the further use
      of the Deep Color modes described in section 6.5.2 and 6.5.3.
    
    This means that, even though YUV422 can be used with 12 bit per color,
    it shouldn't be treated as a deep color mode.
    
    This is also broken with YUV444 if it's supported by the display, but
    DRM_EDID_HDMI_DC_Y444 isn't set. In such a case, the code will clear
    color_formats of the YUV444 support set previously in
    drm_parse_cea_ext(), but will not set it back.
    
    Since the formats supported are already setup properly in
    drm_parse_cea_ext(), let's just remove the code modifying the formats in
    drm_parse_hdmi_deep_color_info()
    
    Fixes: d0c94692e0a3 ("drm/edid: Parse and handle HDMI deep color modes.")
    Signed-off-by: Maxime Ripard <maxime@cerno.tech>
    Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20220120151625.594595-3-maxime@cerno.tech
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a94ef82db436612102475fa43edc31c20890a5af
Author: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Date:   Wed Jan 5 00:26:58 2022 +0800

    mtd: onenand: Check for error irq
    
    [ Upstream commit 3e68f331c8c759c0daa31cc92c3449b23119a215 ]
    
    For the possible failure of the platform_get_irq(), the returned irq
    could be error number and will finally cause the failure of the
    request_irq().
    Consider that platform_get_irq() can now in certain cases return
    -EPROBE_DEFER, and the consequences of letting request_irq() effectively
    convert that into -EINVAL, even at probe time rather than later on.
    So it might be better to check just now.
    
    Fixes: 2c22120fbd01 ("MTD: OneNAND: interrupt based wait support")
    Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
    Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
    Link: https://lore.kernel.org/linux-mtd/20220104162658.1988142-1-jiasheng@iscas.ac.cn
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 9674267ad671c270bf7da597133320fd4c7379b1
Author: Miaoqian Lin <linmq006@gmail.com>
Date:   Mon Mar 7 08:45:22 2022 +0000

    ASoC: msm8916-wcd-digital: Fix missing clk_disable_unprepare() in msm8916_wcd_digital_probe
    
    [ Upstream commit 375a347da4889f64d86e1ab7f4e6702b6e9bf299 ]
    
    Fix the missing clk_disable_unprepare() before return
    from msm8916_wcd_digital_probe in the error handling case.
    
    Fixes: 150db8c5afa1 ("ASoC: codecs: Add msm8916-wcd digital codec")
    Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
    Link: https://lore.kernel.org/r/20220307084523.28687-1-linmq006@gmail.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 467dc431af0bb823fd22d0f48774bcceed445cf9
Author: Wang Wensheng <wangwensheng4@huawei.com>
Date:   Thu Mar 10 09:19:02 2022 +0000

    ASoC: imx-es8328: Fix error return code in imx_es8328_probe()
    
    [ Upstream commit 3b891513f95cba3944e72c1139ea706d04f3781b ]
    
    Fix to return a negative error code from the error handling case instead
    of 0, as done elsewhere in this function.
    
    Fixes: 7e7292dba215 ("ASoC: fsl: add imx-es8328 machine driver")
    Signed-off-by: Wang Wensheng <wangwensheng4@huawei.com>
    Link: https://lore.kernel.org/r/20220310091902.129299-1-wangwensheng4@huawei.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 790d2628e3fcc819d8f5572eb5615113fb2e727a
Author: Miaoqian Lin <linmq006@gmail.com>
Date:   Tue Mar 8 02:01:44 2022 +0000

    ASoC: mxs: Fix error handling in mxs_sgtl5000_probe
    
    [ Upstream commit 6ae0a4d8fec551ec581d620f0eb1fe31f755551c ]
    
    This function only calls of_node_put() in the regular path.
    And it will cause refcount leak in error paths.
    For example, when codec_np is NULL, saif_np[0] and saif_np[1]
    are not NULL, it will cause leaks.
    
    of_node_put() will check if the node pointer is NULL, so we can
    call it directly to release the refcount of regular pointers.
    
    Fixes: e968194b45c4 ("ASoC: mxs: add device tree support for mxs-sgtl5000")
    Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
    Link: https://lore.kernel.org/r/20220308020146.26496-1-linmq006@gmail.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit e49f0cedf12135893aad216253738fdcf9125170
Author: Codrin Ciubotariu <codrin.ciubotariu@microchip.com>
Date:   Mon Mar 7 14:21:57 2022 +0200

    ASoC: dmaengine: do not use a NULL prepare_slave_config() callback
    
    [ Upstream commit 9a1e13440a4f2e7566fd4c5eae6a53e6400e08a4 ]
    
    Even if struct snd_dmaengine_pcm_config is used, prepare_slave_config()
    callback might not be set. Check if this callback is set before using it.
    
    Fixes: fa654e085300 ("ASoC: dmaengine-pcm: Provide default config")
    Signed-off-by: Codrin Ciubotariu <codrin.ciubotariu@microchip.com>
    Link: https://lore.kernel.org/r/20220307122202.2251639-2-codrin.ciubotariu@microchip.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 8fc66b552430490b82574f3c74640135bdeca714
Author: Miaoqian Lin <linmq006@gmail.com>
Date:   Mon Mar 7 12:38:12 2022 +0000

    video: fbdev: omapfb: Add missing of_node_put() in dvic_probe_of
    
    [ Upstream commit a58c22cfbbf62fefca090334bbd35fd132e92a23 ]
    
    The device_node pointer is returned by of_parse_phandle()  with refcount
    incremented. We should use of_node_put() on it when done.
    
    Fixes: f76ee892a99e ("omapfb: copy omapdss & displays for omapfb")
    Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
    Signed-off-by: Helge Deller <deller@gmx.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit dbb6095c2ab10a3e193a83a1804f3ff4bde3f9a3
Author: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Date:   Wed Mar 2 14:28:44 2022 +0800

    ASoC: fsi: Add check for clk_enable
    
    [ Upstream commit 405afed8a728f23cfaa02f75bbc8bdd6b7322123 ]
    
    As the potential failure of the clk_enable(),
    it should be better to check it and return error
    if fails.
    
    Fixes: ab6f6d85210c ("ASoC: fsi: add master clock control functions")
    Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
    Link: https://lore.kernel.org/r/20220302062844.46869-1-jiasheng@iscas.ac.cn
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit d1ab8ed66ee91f2d0361a0adddb1fe2d3dd63a91
Author: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Date:   Fri Mar 4 10:38:21 2022 +0800

    ASoC: wm8350: Handle error for wm8350_register_irq
    
    [ Upstream commit db0350da8084ad549bca16cc0486c11cc70a1f9b ]
    
    As the potential failure of the wm8350_register_irq(),
    it should be better to check it and return error if fails.
    Also, use 'free_' in order to avoid the same code.
    
    Fixes: a6ba2b2dabb5 ("ASoC: Implement WM8350 headphone jack detection")
    Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
    Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
    Link: https://lore.kernel.org/r/20220304023821.391936-1-jiasheng@iscas.ac.cn
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f8b7b9a0594715ecfbe6f18db2328d992242654a
Author: Miaoqian Lin <linmq006@gmail.com>
Date:   Mon Mar 7 12:45:39 2022 +0000

    ASoC: atmel: Add missing of_node_put() in at91sam9g20ek_audio_probe
    
    [ Upstream commit f590797fa3c1bccdd19e55441592a23b46aef449 ]
    
    This node pointer is returned by of_parse_phandle() with refcount
    incremented in this function.
    Calling of_node_put() to avoid the refcount leak.
    
    Fixes: 531f67e41dcd ("ASoC: at91sam9g20ek-wm8731: convert to dt support")
    Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
    Reviewed-by: Codrin Ciubotariu <codrin.ciubotariu@microchip.com>
    Link: https://lore.kernel.org/r/20220307124539.1743-1-linmq006@gmail.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 03054f22d5abd80ad89547512c2bfbfb2714d3ed
Author: Dafna Hirschfeld <dafna.hirschfeld@collabora.com>
Date:   Tue Jan 25 09:02:11 2022 +0100

    media: stk1160: If start stream fails, return buffers with VB2_BUF_STATE_QUEUED
    
    [ Upstream commit fbe04b49a54e31f4321d632270207f0e6304cd16 ]
    
    If the callback 'start_streaming' fails, then all
    queued buffers in the driver should be returned with
    state 'VB2_BUF_STATE_QUEUED'. Currently, they are
    returned with 'VB2_BUF_STATE_ERROR' which is wrong.
    Fix this. This also fixes the warning:
    
    [   65.583633] WARNING: CPU: 5 PID: 593 at drivers/media/common/videobuf2/videobuf2-core.c:1612 vb2_start_streaming+0xd4/0x160 [videobuf2_common]
    [   65.585027] Modules linked in: snd_usb_audio snd_hwdep snd_usbmidi_lib snd_rawmidi snd_soc_hdmi_codec dw_hdmi_i2s_audio saa7115 stk1160 videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common videodev mc crct10dif_ce panfrost snd_soc_simple_card snd_soc_audio_graph_card snd_soc_spdif_tx snd_soc_simple_card_utils gpu_sched phy_rockchip_pcie snd_soc_rockchip_i2s rockchipdrm analogix_dp dw_mipi_dsi dw_hdmi cec drm_kms_helper drm rtc_rk808 rockchip_saradc industrialio_triggered_buffer kfifo_buf rockchip_thermal pcie_rockchip_host ip_tables x_tables ipv6
    [   65.589383] CPU: 5 PID: 593 Comm: v4l2src0:src Tainted: G        W         5.16.0-rc4-62408-g32447129cb30-dirty #14
    [   65.590293] Hardware name: Radxa ROCK Pi 4B (DT)
    [   65.590696] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
    [   65.591304] pc : vb2_start_streaming+0xd4/0x160 [videobuf2_common]
    [   65.591850] lr : vb2_start_streaming+0x6c/0x160 [videobuf2_common]
    [   65.592395] sp : ffff800012bc3ad0
    [   65.592685] x29: ffff800012bc3ad0 x28: 0000000000000000 x27: ffff800012bc3cd8
    [   65.593312] x26: 0000000000000000 x25: ffff00000d8a7800 x24: 0000000040045612
    [   65.593938] x23: ffff800011323000 x22: ffff800012bc3cd8 x21: ffff00000908a8b0
    [   65.594562] x20: ffff00000908a8c8 x19: 00000000fffffff4 x18: ffffffffffffffff
    [   65.595188] x17: 000000040044ffff x16: 00400034b5503510 x15: ffff800011323f78
    [   65.595813] x14: ffff000013163886 x13: ffff000013163885 x12: 00000000000002ce
    [   65.596439] x11: 0000000000000028 x10: 0000000000000001 x9 : 0000000000000228
    [   65.597064] x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff726c5e78
    [   65.597690] x5 : ffff800012bc3990 x4 : 0000000000000000 x3 : ffff000009a34880
    [   65.598315] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000007cd99f0
    [   65.598940] Call trace:
    [   65.599155]  vb2_start_streaming+0xd4/0x160 [videobuf2_common]
    [   65.599672]  vb2_core_streamon+0x17c/0x1a8 [videobuf2_common]
    [   65.600179]  vb2_streamon+0x54/0x88 [videobuf2_v4l2]
    [   65.600619]  vb2_ioctl_streamon+0x54/0x60 [videobuf2_v4l2]
    [   65.601103]  v4l_streamon+0x3c/0x50 [videodev]
    [   65.601521]  __video_do_ioctl+0x1a4/0x428 [videodev]
    [   65.601977]  video_usercopy+0x320/0x828 [videodev]
    [   65.602419]  video_ioctl2+0x3c/0x58 [videodev]
    [   65.602830]  v4l2_ioctl+0x60/0x90 [videodev]
    [   65.603227]  __arm64_sys_ioctl+0xa8/0xe0
    [   65.603576]  invoke_syscall+0x54/0x118
    [   65.603911]  el0_svc_common.constprop.3+0x84/0x100
    [   65.604332]  do_el0_svc+0x34/0xa0
    [   65.604625]  el0_svc+0x1c/0x50
    [   65.604897]  el0t_64_sync_handler+0x88/0xb0
    [   65.605264]  el0t_64_sync+0x16c/0x170
    [   65.605587] ---[ end trace 578e0ba07742170d ]---
    
    Fixes: 8ac456495a33d ("[media] stk1160: Stop device and unqueue buffers when start_streaming() fails")
    Signed-off-by: Dafna Hirschfeld <dafna.hirschfeld@collabora.com>
    Reviewed-by: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit b2b65c9013dc28836d82e25d0f0c94d794a14aba
Author: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Date:   Fri Mar 4 21:56:47 2022 +0900

    ALSA: firewire-lib: fix uninitialized flag for AV/C deferred transaction
    
    [ Upstream commit bf0cd60b7e33cf221fbe1114e4acb2c828b0af0d ]
    
    AV/C deferred transaction was supported at a commit 00a7bb81c20f ("ALSA:
    firewire-lib: Add support for deferred transaction") while 'deferrable'
    flag can be uninitialized for non-control/notify AV/C transactions.
    UBSAN reports it:
    
    kernel: ================================================================================
    kernel: UBSAN: invalid-load in /build/linux-aa0B4d/linux-5.15.0/sound/firewire/fcp.c:363:9
    kernel: load of value 158 is not a valid value for type '_Bool'
    kernel: CPU: 3 PID: 182227 Comm: irq/35-firewire Tainted: P           OE     5.15.0-18-generic #18-Ubuntu
    kernel: Hardware name: Gigabyte Technology Co., Ltd. AX370-Gaming 5/AX370-Gaming 5, BIOS F42b 08/01/2019
    kernel: Call Trace:
    kernel:  <IRQ>
    kernel:  show_stack+0x52/0x58
    kernel:  dump_stack_lvl+0x4a/0x5f
    kernel:  dump_stack+0x10/0x12
    kernel:  ubsan_epilogue+0x9/0x45
    kernel:  __ubsan_handle_load_invalid_value.cold+0x44/0x49
    kernel:  fcp_response.part.0.cold+0x1a/0x2b [snd_firewire_lib]
    kernel:  fcp_response+0x28/0x30 [snd_firewire_lib]
    kernel:  fw_core_handle_request+0x230/0x3d0 [firewire_core]
    kernel:  handle_ar_packet+0x1d9/0x200 [firewire_ohci]
    kernel:  ? handle_ar_packet+0x1d9/0x200 [firewire_ohci]
    kernel:  ? transmit_complete_callback+0x9f/0x120 [firewire_core]
    kernel:  ar_context_tasklet+0xa8/0x2e0 [firewire_ohci]
    kernel:  tasklet_action_common.constprop.0+0xea/0xf0
    kernel:  tasklet_action+0x22/0x30
    kernel:  __do_softirq+0xd9/0x2e3
    kernel:  ? irq_finalize_oneshot.part.0+0xf0/0xf0
    kernel:  do_softirq+0x75/0xa0
    kernel:  </IRQ>
    kernel:  <TASK>
    kernel:  __local_bh_enable_ip+0x50/0x60
    kernel:  irq_forced_thread_fn+0x7e/0x90
    kernel:  irq_thread+0xba/0x190
    kernel:  ? irq_thread_fn+0x60/0x60
    kernel:  kthread+0x11e/0x140
    kernel:  ? irq_thread_check_affinity+0xf0/0xf0
    kernel:  ? set_kthread_struct+0x50/0x50
    kernel:  ret_from_fork+0x22/0x30
    kernel:  </TASK>
    kernel: ================================================================================
    
    This commit fixes the bug. The bug has no disadvantage for the non-
    control/notify AV/C transactions since the flag has an effect for AV/C
    response with INTERIM (0x0f) status which is not used for the transactions
    in AV/C general specification.
    
    Fixes: 00a7bb81c20f ("ALSA: firewire-lib: Add support for deferred transaction")
    Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
    Link: https://lore.kernel.org/r/20220304125647.78430-1-o-takashi@sakamocchi.jp
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit c4733b0a25cdadce16efdb97d4d9d4e428934f79
Author: Jia-Ju Bai <baijiaju1990@gmail.com>
Date:   Fri Feb 25 05:25:52 2022 -0800

    memory: emif: check the pointer temp in get_device_details()
    
    [ Upstream commit 5b5ab1bfa1898c6d52936a57c25c5ceba2cb2f87 ]
    
    The pointer temp is allocated by devm_kzalloc(), so it should be
    checked for error handling.
    
    Fixes: 7ec944538dde ("memory: emif: add basic infrastructure for EMIF driver")
    Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
    Link: https://lore.kernel.org/r/20220225132552.27894-1-baijiaju1990@gmail.com
    Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 54eee30e4f3977cc489aa273cf72b94f6581fe64
Author: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Date:   Thu Feb 24 10:54:44 2022 +0800

    memory: emif: Add check for setup_interrupts
    
    [ Upstream commit fd7bd80b46373887b390852f490f21b07e209498 ]
    
    As the potential failure of the devm_request_threaded_irq(),
    it should be better to check the return value of the
    setup_interrupts() and return error if fails.
    
    Fixes: 68b4aee35d1f ("memory: emif: add interrupt and temperature handling")
    Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
    Link: https://lore.kernel.org/r/20220224025444.3256530-1-jiasheng@iscas.ac.cn
    Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 6e61d024d5f67bbe2d83d36e32887d1844074655
Author: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Date:   Tue Mar 1 17:06:37 2022 +0800

    ASoC: atmel_ssc_dai: Handle errors for clk_enable
    
    [ Upstream commit f9e2ca0640e59d19af0ff285ee5591ed39069b09 ]
    
    As the potential failure of the clk_enable(),
    it should be better to check it and return error if fals.
    
    Fixes: cbaadf0f90d6 ("ASoC: atmel_ssc_dai: refactor the startup and shutdown")
    Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
    Link: https://lore.kernel.org/r/20220301090637.3776558-1-jiasheng@iscas.ac.cn
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit e4baf488ab67556fb6d2b4c9748d1d56e25c5cee
Author: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Date:   Tue Mar 1 16:17:17 2022 +0800

    ASoC: mxs-saif: Handle errors for clk_enable
    
    [ Upstream commit 2ecf362d220317debf5da376e0390e9f7a3f7b29 ]
    
    As the potential failure of the clk_enable(),
    it should be better to check it, like mxs_saif_trigger().
    
    Fixes: d0ba4c014934 ("ASoC: mxs-saif: set a base clock rate for EXTMASTER mode work")
    Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
    Link: https://lore.kernel.org/r/20220301081717.3727190-1-jiasheng@iscas.ac.cn
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 74de43caff2ce434683b95ca118bc098a1771053
Author: Randy Dunlap <rdunlap@infradead.org>
Date:   Mon Feb 28 14:05:56 2022 -0800

    printk: fix return value of printk.devkmsg __setup handler
    
    [ Upstream commit b665eae7a788c5e2bc10f9ac3c0137aa0ad1fc97 ]
    
    If an invalid option value is used with "printk.devkmsg=<value>",
    it is silently ignored.
    If a valid option value is used, it is honored but the wrong return
    value (0) is used, indicating that the command line option had an
    error and was not handled. This string is not added to init's
    environment strings due to init/main.c::unknown_bootoption()
    checking for a '.' in the boot option string and then considering
    that string to be an "Unused module parameter".
    
    Print a warning message if a bad option string is used.
    Always return 1 from the __setup handler to indicate that the command
    line option has been handled.
    
    Fixes: 750afe7babd1 ("printk: add kernel parameter to control writes to /dev/kmsg")
    Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
    Reported-by: Igor Zhbanov <i.zhbanov@omprussia.ru>
    Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru
    Cc: Borislav Petkov <bp@suse.de>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Cc: Petr Mladek <pmladek@suse.com>
    Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
    Cc: Steven Rostedt <rostedt@goodmis.org>
    Cc: John Ogness <john.ogness@linutronix.de>
    Reviewed-by: John Ogness <john.ogness@linutronix.de>
    Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
    Reviewed-by: Petr Mladek <pmladek@suse.com>
    Signed-off-by: Petr Mladek <pmladek@suse.com>
    Link: https://lore.kernel.org/r/20220228220556.23484-1-rdunlap@infradead.org
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 0458a23b4d4904840b5b4fed4a939ec68bebb8ee
Author: Frank Wunderlich <frank-w@public-files.de>
Date:   Tue Mar 1 16:24:18 2022 +0100

    arm64: dts: broadcom: Fix sata nodename
    
    [ Upstream commit 55927cb44db43a57699fa652e2437a91620385dc ]
    
    After converting ahci-platform txt binding to yaml nodename is reported
    as not matching the standard:
    
    arch/arm64/boot/dts/broadcom/northstar2/ns2-svk.dt.yaml:
    ahci@663f2000: $nodename:0: 'ahci@663f2000' does not match '^sata(@.*)?$'
    
    Fix it to match binding.
    
    Fixes: ac9aae00f0fc ("arm64: dts: Add SATA3 AHCI and SATA3 PHY DT nodes for NS2")
    Signed-off-by: Frank Wunderlich <frank-w@public-files.de>
    Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 5851281e545be087268c27514b7f46e86d38bcb4
Author: Kuldeep Singh <singh.kuldeep87k@gmail.com>
Date:   Mon Feb 28 16:39:03 2022 +0530

    arm64: dts: ns2: Fix spi-cpol and spi-cpha property
    
    [ Upstream commit c953c764e505428f59ffe6afb1c73b89b5b1ac35 ]
    
    Broadcom ns2 platform has spi-cpol and spi-cpho properties set
    incorrectly. As per spi-slave-peripheral-prop.yaml, these properties are
    of flag or boolean type and not integer type. Fix the values.
    
    Fixes: d69dbd9f41a7c (arm64: dts: Add ARM PL022 SPI DT nodes for NS2)
    Signed-off-by: Kuldeep Singh <singh.kuldeep87k@gmail.com>
    CC: Ray Jui <rjui@broadcom.com>
    CC: Scott Branden <sbranden@broadcom.com>
    CC: Florian Fainelli <f.fainelli@gmail.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f349bf081403c12820ec178c35ab1041b82caf91
Author: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Date:   Mon Feb 28 10:28:39 2022 +0800

    ALSA: spi: Add check for clk_enable()
    
    [ Upstream commit ca1697eb09208f0168d94b88b72f57505339cbe5 ]
    
    As the potential failure of the clk_enable(),
    it should be better to check it and return error
    if fails.
    
    Fixes: 3568459a5113 ("ALSA: at73c213: manage SSC clock")
    Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
    Link: https://lore.kernel.org/r/20220228022839.3547266-1-jiasheng@iscas.ac.cn
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 47e99b32f97b509b2e0618ff236f0f5a1b674682
Author: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Date:   Mon Feb 28 11:15:40 2022 +0800

    ASoC: ti: davinci-i2s: Add check for clk_enable()
    
    [ Upstream commit ed7c9fef11931fc5d32a83d68017ff390bf5c280 ]
    
    As the potential failure of the clk_enable(),
    it should be better to check it and return error
    if fails.
    
    Fixes: 5f9a50c3e55e ("ASoC: Davinci: McBSP: add device tree support for McBSP")
    Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
    Acked-by: Peter Ujfalusi <peter.ujfalusi@gmail.com>
    Link: https://lore.kernel.org/r/20220228031540.3571959-1-jiasheng@iscas.ac.cn
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a97130cd5b0c00eec169b10a16d922b9ea67324a
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Wed Feb 2 20:52:01 2022 +0300

    media: usb: go7007: s2250-board: fix leak in probe()
    
    [ Upstream commit 67e4550ecd6164bfbdff54c169e5bbf9ccfaf14d ]
    
    Call i2c_unregister_device(audio) on this error path.
    
    Fixes: d3b2ccd9e307 ("[media] s2250: convert to the control framework")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 8a8ddc414ebe9fafabd426630be01ede4fe5177a
Author: Miaoqian Lin <linmq006@gmail.com>
Date:   Fri Jan 14 06:28:40 2022 +0000

    soc: ti: wkup_m3_ipc: Fix IRQ check in wkup_m3_ipc_probe
    
    [ Upstream commit c3d66a164c726cc3b072232d3b6d87575d194084 ]
    
    platform_get_irq() returns negative error number instead 0 on failure.
    And the doc of platform_get_irq() provides a usage example:
    
        int irq = platform_get_irq(pdev, 0);
        if (irq < 0)
            return irq;
    
    Fix the check of return value to catch errors correctly.
    
    Fixes: cdd5de500b2c ("soc: ti: Add wkup_m3_ipc driver")
    Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
    Signed-off-by: Nishanth Menon <nm@ti.com>
    Acked-by: Dave Gerlach <d-gerlach@ti.com>
    Link: https://lore.kernel.org/r/20220114062840.16620-1-linmq006@gmail.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 1c445ce99f3747a9a988dcdcfb9736af38748a61
Author: Pavel Kubelun <be.dissent@gmail.com>
Date:   Mon Dec 20 18:03:52 2021 +0100

    ARM: dts: qcom: ipq4019: fix sleep clock
    
    [ Upstream commit 3d7e7980993d2c1ae42d3d314040fc2de6a9c45f ]
    
    It seems like sleep_clk was copied from ipq806x.
    Fix ipq40xx sleep_clk to the value QSDK defines.
    
    Link: https://source.codeaurora.org/quic/qsdk/oss/kernel/linux-msm/commit/?id=d92ec59973484acc86dd24b67f10f8911b4b4b7d
    Link: https://patchwork.kernel.org/comment/22721613/
    Fixes: bec6ba4cdf2a ("qcom: ipq4019: Add basic board/dts support for IPQ4019 SoC")
    Suggested-by: Bjorn Andersson <bjorn.andersson@linaro.org> (clock-output-names)
    Signed-off-by: Pavel Kubelun <be.dissent@gmail.com>
    Signed-off-by: Christian Lamparter <chunkeey@gmail.com> (removed clock rename)
    Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
    Link: https://lore.kernel.org/r/20211220170352.34591-1-chunkeey@gmail.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 817cd6ad4c2057fafaf57bf98548b3a9650fc714
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Sep 16 16:29:19 2021 +0300

    video: fbdev: fbcvt.c: fix printing in fb_cvt_print_name()
    
    [ Upstream commit 78482af095abd9f4f29f1aa3fe575d25c6ae3028 ]
    
    This code has two bugs:
    1) "cnt" is 255 but the size of the buffer is 256 so the last byte is
       not used.
    2) If we try to print more than 255 characters then "cnt" will be
       negative and that will trigger a WARN() in snprintf(). The fix for
       this is to use scnprintf() instead of snprintf().
    
    We can re-write this code to be cleaner:
    1) Rename "offset" to "off" because that's shorter.
    2) Get rid of the "cnt" variable and just use "size - off" directly.
    3) Get rid of the "read" variable and just increment "off" directly.
    
    Fixes: 96fe6a2109db ("fbdev: Add VESA Coordinated Video Timings (CVT) support")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Helge Deller <deller@gmx.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 0fd28daec73525382e5c992db8743bf76e42cd5c
Author: Wang Hai <wanghai38@huawei.com>
Date:   Thu Oct 14 21:22:31 2021 +0800

    video: fbdev: smscufx: Fix null-ptr-deref in ufx_usb_probe()
    
    [ Upstream commit 1791f487f877a9e83d81c8677bd3e7b259e7cb27 ]
    
    I got a null-ptr-deref report:
    
    BUG: kernel NULL pointer dereference, address: 0000000000000000
    ...
    RIP: 0010:fb_destroy_modelist+0x38/0x100
    ...
    Call Trace:
     ufx_usb_probe.cold+0x2b5/0xac1 [smscufx]
     usb_probe_interface+0x1aa/0x3c0 [usbcore]
     really_probe+0x167/0x460
    ...
     ret_from_fork+0x1f/0x30
    
    If fb_alloc_cmap() fails in ufx_usb_probe(), fb_destroy_modelist() will
    be called to destroy modelist in the error handling path. But modelist
    has not been initialized yet, so it will result in null-ptr-deref.
    
    Initialize modelist before calling fb_alloc_cmap() to fix this bug.
    
    Fixes: 3c8a63e22a08 ("Add support for SMSC UFX6000/7000 USB display adapters")
    Reported-by: Hulk Robot <hulkci@huawei.com>
    Signed-off-by: Wang Hai <wanghai38@huawei.com>
    Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
    Signed-off-by: Helge Deller <deller@gmx.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit c7bc9395aeb08d4bb5caccc580929e33f5d997d2
Author: Miaoqian Lin <linmq006@gmail.com>
Date:   Wed Jan 12 12:05:54 2022 +0100

    media: coda: Fix missing put_device() call in coda_get_vdoa_data
    
    [ Upstream commit ca85d271531a1e1c86f24b892f57b7d0a3ddb5a6 ]
    
    The reference taken by 'of_find_device_by_node()' must be released when
    not needed anymore.
    Add the corresponding 'put_device()' in the error handling path.
    
    Fixes: e7f3c5481035 ("[media] coda: use VDOA for un-tiling custom macroblock format")
    Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a615ea94a88a972ce75ad4e2bc6c4b7a44e40650
Author: Adrian Hunter <adrian.hunter@intel.com>
Date:   Mon Jan 31 09:24:52 2022 +0200

    perf/x86/intel/pt: Fix address filter config for 32-bit kernel
    
    [ Upstream commit e5524bf1047eb3b3f3f33b5f59897ba67b3ade87 ]
    
    Change from shifting 'unsigned long' to 'u64' to prevent the config bits
    being lost on a 32-bit kernel.
    
    Fixes: eadf48cab4b6b0 ("perf/x86/intel/pt: Add support for address range filtering in PT")
    Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Link: https://lore.kernel.org/r/20220131072453.2839535-5-adrian.hunter@intel.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 1b306bed3026d0d5cb4fd3a38029274e961577b1
Author: Adrian Hunter <adrian.hunter@intel.com>
Date:   Mon Jan 31 09:24:51 2022 +0200

    perf/core: Fix address filter parser for multiple filters
    
    [ Upstream commit d680ff24e9e14444c63945b43a37ede7cd6958f9 ]
    
    Reset appropriate variables in the parser loop between parsing separate
    filters, so that they do not interfere with parsing the next filter.
    
    Fixes: 375637bc524952 ("perf/core: Introduce address range filtering")
    Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Link: https://lore.kernel.org/r/20220131072453.2839535-4-adrian.hunter@intel.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 55dc09d4958ceee3dd97b456f38eb5e0fc35df11
Author: Bharata B Rao <bharata@amd.com>
Date:   Tue Jan 18 10:35:15 2022 +0530

    sched/debug: Remove mpol_get/put and task_lock/unlock from sched_show_numa
    
    [ Upstream commit 28c988c3ec29db74a1dda631b18785958d57df4f ]
    
    The older format of /proc/pid/sched printed home node info which
    required the mempolicy and task lock around mpol_get(). However
    the format has changed since then and there is no need for
    sched_show_numa() any more to have mempolicy argument,
    asssociated mpol_get/put and task_lock/unlock. Remove them.
    
    Fixes: 397f2378f1361 ("sched/numa: Fix numa balancing stats in /proc/pid/sched")
    Signed-off-by: Bharata B Rao <bharata@amd.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Reviewed-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
    Acked-by: Mel Gorman <mgorman@suse.de>
    Link: https://lore.kernel.org/r/20220118050515.2973-1-bharata@amd.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 54aa7c1ea23c0c785a2da7070691397b4e996d8c
Author: Randy Dunlap <rdunlap@infradead.org>
Date:   Thu Mar 17 08:39:39 2022 -0700

    clocksource: acpi_pm: fix return value of __setup handler
    
    [ Upstream commit 6a861abceecb68497dd82a324fee45a5332dcece ]
    
    __setup() handlers should return 1 to obsolete_checksetup() in
    init/main.c to indicate that the boot option has been handled.
    A return of 0 causes the boot option/value to be listed as an Unknown
    kernel parameter and added to init's (limited) environment strings.
    
    The __setup() handler interface isn't meant to handle negative return
    values -- they are non-zero, so they mean "handled" (like a return
    value of 1 does), but that's just a quirk. So return 1 from
    parse_pmtmr(). Also print a warning message if kstrtouint() returns
    an error.
    
    Fixes: 6b148507d3d0 ("pmtmr: allow command line override of ioport")
    Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
    Reported-by: Igor Zhbanov <i.zhbanov@omprussia.ru>
    Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit e6ee35c475b0d3d427b8f29b3402f5f539d80b75
Author: Brandon Wyman <bjwyman@gmail.com>
Date:   Thu Mar 17 23:21:23 2022 +0000

    hwmon: (pmbus) Add Vin unit off handling
    
    [ Upstream commit a5436af598779219b375c1977555c82def1c35d0 ]
    
    If there is an input undervoltage fault, reported in STATUS_INPUT
    command response, there is quite likely a "Unit Off For Insufficient
    Input Voltage" condition as well.
    
    Add a constant for bit 3 of STATUS_INPUT. Update the Vin limit
    attributes to include both bits in the mask for clearing faults.
    
    If an input undervoltage fault occurs, causing a unit off for
    insufficient input voltage, but the unit is off bit is not cleared, the
    STATUS_WORD will not be updated to clear the input fault condition.
    Including the unit is off bit (bit 3) allows for the input fault
    condition to completely clear.
    
    Signed-off-by: Brandon Wyman <bjwyman@gmail.com>
    Link: https://lore.kernel.org/r/20220317232123.2103592-1-bjwyman@gmail.com
    Fixes: b4ce237b7f7d3 ("hwmon: (pmbus) Introduce infrastructure to detect sensors and limit registers")
    [groeck: Dropped unnecessary ()]
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 6233be14d41e36eb9c409c5da42c2c2fb04b1fab
Author: Dāvis Mosāns <davispuh@gmail.com>
Date:   Mon Feb 28 05:15:45 2022 +0200

    crypto: ccp - ccp_dmaengine_unregister release dma channels
    
    [ Upstream commit 54cce8ecb9254f971b40a72911c6da403720a2d2 ]
    
    ccp_dmaengine_register adds dma_chan->device_node to dma_dev->channels list
    but ccp_dmaengine_unregister didn't remove them.
    That can cause crashes in various dmaengine methods that tries to use dma_dev->channels
    
    Fixes: 58ea8abf4904 ("crypto: ccp - Register the CCP as a DMA...")
    Signed-off-by: Dāvis Mosāns <davispuh@gmail.com>
    Acked-by: John Allen <john.allen@amd.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 12fdc58db4097bf930dc6d14adc53ac1d853c1c6
Author: Randy Dunlap <rdunlap@infradead.org>
Date:   Sat Mar 5 18:46:20 2022 -0800

    ACPI: APEI: fix return value of __setup handlers
    
    [ Upstream commit f3303ff649dbf7dcdc6a6e1a922235b12b3028f4 ]
    
    __setup() handlers should return 1 to indicate that the boot option
    has been handled. Returning 0 causes a boot option to be listed in
    the Unknown kernel command line parameters and also added to init's
    arg list (if no '=' sign) or environment list (if of the form 'a=b').
    
    Unknown kernel command line parameters "erst_disable
      bert_disable hest_disable BOOT_IMAGE=/boot/bzImage-517rc6", will be
      passed to user space.
    
     Run /sbin/init as init process
       with arguments:
         /sbin/init
         erst_disable
         bert_disable
         hest_disable
       with environment:
         HOME=/
         TERM=linux
         BOOT_IMAGE=/boot/bzImage-517rc6
    
    Fixes: a3e2acc5e37b ("ACPI / APEI: Add Boot Error Record Table (BERT) support")
    Fixes: a08f82d08053 ("ACPI, APEI, Error Record Serialization Table (ERST) support")
    Fixes: 9dc966641677 ("ACPI, APEI, HEST table parsing")
    Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
    Reported-by: Igor Zhbanov <i.zhbanov@omprussia.ru>
    Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru
    Reviewed-by: "Huang, Ying" <ying.huang@intel.com>
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 5e018fa27d9a02b8750c2aad1c4f478aeafc6243
Author: Petr Vorel <pvorel@suse.cz>
Date:   Wed Feb 23 16:11:15 2022 +0100

    crypto: vmx - add missing dependencies
    
    [ Upstream commit 647d41d3952d726d4ae49e853a9eff68ebad3b3f ]
    
    vmx-crypto module depends on CRYPTO_AES, CRYPTO_CBC, CRYPTO_CTR or
    CRYPTO_XTS, thus add them.
    
    These dependencies are likely to be enabled, but if
    CRYPTO_DEV_VMX=y && !CRYPTO_MANAGER_DISABLE_TESTS
    and either of CRYPTO_AES, CRYPTO_CBC, CRYPTO_CTR or CRYPTO_XTS is built
    as module or disabled, alg_test() from crypto/testmgr.c complains during
    boot about failing to allocate the generic fallback implementations
    (2 == ENOENT):
    
    [    0.540953] Failed to allocate xts(aes) fallback: -2
    [    0.541014] alg: skcipher: failed to allocate transform for p8_aes_xts: -2
    [    0.541120] alg: self-tests for p8_aes_xts (xts(aes)) failed (rc=-2)
    [    0.544440] Failed to allocate ctr(aes) fallback: -2
    [    0.544497] alg: skcipher: failed to allocate transform for p8_aes_ctr: -2
    [    0.544603] alg: self-tests for p8_aes_ctr (ctr(aes)) failed (rc=-2)
    [    0.547992] Failed to allocate cbc(aes) fallback: -2
    [    0.548052] alg: skcipher: failed to allocate transform for p8_aes_cbc: -2
    [    0.548156] alg: self-tests for p8_aes_cbc (cbc(aes)) failed (rc=-2)
    [    0.550745] Failed to allocate transformation for 'aes': -2
    [    0.550801] alg: cipher: Failed to load transform for p8_aes: -2
    [    0.550892] alg: self-tests for p8_aes (aes) failed (rc=-2)
    
    Fixes: c07f5d3da643 ("crypto: vmx - Adding support for XTS")
    Fixes: d2e3ae6f3aba ("crypto: vmx - Enabling VMX module for PPC64")
    
    Suggested-by: Nicolai Stange <nstange@suse.de>
    Signed-off-by: Petr Vorel <pvorel@suse.cz>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 85f3f6b540088aa4698dd3260b38a4a0528a0679
Author: Claudiu Beznea <claudiu.beznea@microchip.com>
Date:   Mon Feb 21 09:59:23 2022 +0200

    hwrng: atmel - disable trng on failure path
    
    [ Upstream commit a223ea9f89ab960eb254ba78429efd42eaf845eb ]
    
    Call atmel_trng_disable() on failure path of probe.
    
    Fixes: a1fa98d8116f ("hwrng: atmel - disable TRNG during suspend")
    Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 0f009684e368ef3f10b039c5620da0d75f32c472
Author: Randy Dunlap <rdunlap@infradead.org>
Date:   Mon Feb 28 14:05:44 2022 -0800

    PM: suspend: fix return value of __setup handler
    
    [ Upstream commit 7a64ca17e4dd50d5f910769167f3553902777844 ]
    
    If an invalid option is given for "test_suspend=<option>", the entire
    string is added to init's environment, so return 1 instead of 0 from
    the __setup handler.
    
      Unknown kernel command line parameters "BOOT_IMAGE=/boot/bzImage-517rc5
        test_suspend=invalid"
    
    and
    
     Run /sbin/init as init process
       with arguments:
         /sbin/init
       with environment:
         HOME=/
         TERM=linux
         BOOT_IMAGE=/boot/bzImage-517rc5
         test_suspend=invalid
    
    Fixes: 2ce986892faf ("PM / sleep: Enhance test_suspend option with repeat capability")
    Fixes: 27ddcc6596e5 ("PM / sleep: Add state field to pm_states[] entries")
    Fixes: a9d7052363a6 ("PM: Separate suspend to RAM functionality from core")
    Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
    Reported-by: Igor Zhbanov <i.zhbanov@omprussia.ru>
    Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 566dee27c204396208edd24019b619922de69a30
Author: Randy Dunlap <rdunlap@infradead.org>
Date:   Mon Feb 28 14:05:32 2022 -0800

    PM: hibernate: fix __setup handler error handling
    
    [ Upstream commit ba7ffcd4c4da374b0f64666354eeeda7d3827131 ]
    
    If an invalid value is used in "resumedelay=<seconds>", it is
    silently ignored. Add a warning message and then let the __setup
    handler return 1 to indicate that the kernel command line option
    has been handled.
    
    Fixes: 317cf7e5e85e3 ("PM / hibernate: convert simple_strtoul to kstrtoul")
    Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
    Reported-by: Igor Zhbanov <i.zhbanov@omprussia.ru>
    Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit eb0276376ec9675368f60e0bdef93617904b7451
Author: Armin Wolf <W_Armin@gmx.de>
Date:   Mon Jan 31 22:19:35 2022 +0100

    hwmon: (sch56xx-common) Replace WDOG_ACTIVE with WDOG_HW_RUNNING
    
    [ Upstream commit 647d6f09bea7dacf4cdb6d4ea7e3051883955297 ]
    
    If the watchdog was already enabled by the BIOS after booting, the
    watchdog infrastructure needs to regularly send keepalives to
    prevent a unexpected reset.
    WDOG_ACTIVE only serves as an status indicator for userspace,
    we want to use WDOG_HW_RUNNING instead.
    
    Since my Fujitsu Esprimo P720 does not support the watchdog,
    this change is compile-tested only.
    
    Suggested-by: Guenter Roeck <linux@roeck-us.net>
    Fixes: fb551405c0f8 (watchdog: sch56xx: Use watchdog core)
    Signed-off-by: Armin Wolf <W_Armin@gmx.de>
    Link: https://lore.kernel.org/r/20220131211935.3656-5-W_Armin@gmx.de
    Reviewed-by: Hans de Goede <hdegoede@redhat.com>
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 282e179192d7583a8f74090e1f477bd9509bfae5
Author: Patrick Rudolph <patrick.rudolph@9elements.com>
Date:   Fri Feb 25 17:06:09 2022 +0100

    hwmon: (pmbus) Add mutex to regulator ops
    
    [ Upstream commit 686d303ee6301261b422ea51e64833d7909a2c36 ]
    
    On PMBUS devices with multiple pages, the regulator ops need to be
    protected with the update mutex. This prevents accidentally changing
    the page in a separate thread while operating on the PMBUS_OPERATION
    register.
    
    Tested on Infineon xdpe11280 while a separate thread polls for sensor
    data.
    
    Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
    Signed-off-by: Marcello Sylvester Bauer <sylv@sylv.io>
    Link: https://lore.kernel.org/r/b991506bcbf665f7af185945f70bf9d5cf04637c.1645804976.git.sylv@sylv.io
    Fixes: ddbb4db4ced1b ("hwmon: (pmbus) Add regulator support")
    Cc: Alan Tull <atull@opensource.altera.com>
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f4ba8ad2c91b6b3114676f0a83fa3924cee28425
Author: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Date:   Wed Feb 23 21:16:37 2022 +0200

    spi: pxa2xx-pci: Balance reference count for PCI DMA device
    
    [ Upstream commit 609d7ffdc42199a0ec949db057e3b4be6745d6c5 ]
    
    The pci_get_slot() increases its reference count, the caller
    must decrement the reference count by calling pci_dev_put().
    
    Fixes: 743485ea3bee ("spi: pxa2xx-pci: Do a specific setup in a separate function")
    Fixes: 25014521603f ("spi: pxa2xx-pci: Enable DMA for Intel Merrifield")
    Reported-by: Wang Qing <wangqing@vivo.com>
    Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    Link: https://lore.kernel.org/r/20220223191637.31147-1-andriy.shevchenko@linux.intel.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 0fec07650159483203b1f19267958d1f36433772
Author: Muhammad Usama Anjum <usama.anjum@collabora.com>
Date:   Mon Feb 14 23:41:08 2022 +0500

    selftests/x86: Add validity check and allow field splitting
    
    [ Upstream commit b06e15ebd5bfb670f93c7f11a29b8299c1178bc6 ]
    
    Add check to test if CC has a string. CC can have multiple sub-strings
    like "ccache gcc". Erorr pops up if it is treated as single string and
    double quotes are used around it. This can be fixed by removing the
    quotes and not treating CC as a single string.
    
    Fixes: e9886ace222e ("selftests, x86: Rework x86 target architecture detection")
    Reported-by: "kernelci.org bot" <bot@kernelci.org>
    Signed-off-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
    Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
    Link: https://lkml.kernel.org/r/20220214184109.3739179-2-usama.anjum@collabora.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 99fc432a7b9e62e0878699bda56d9000ea415997
Author: Miaoqian Lin <linmq006@gmail.com>
Date:   Fri Jan 28 16:52:38 2022 +0000

    spi: tegra114: Add missing IRQ check in tegra_spi_probe
    
    [ Upstream commit 4f92724d4b92c024e721063f520d66e11ca4b54b ]
    
    This func misses checking for platform_get_irq()'s call and may passes the
    negative error codes to request_threaded_irq(), which takes unsigned IRQ #,
    causing it to fail with -EINVAL, overriding an original error code.
    Stop calling request_threaded_irq() with invalid IRQ #s.
    
    Fixes: f333a331adfa ("spi/tegra114: add spi driver")
    Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
    Link: https://lore.kernel.org/r/20220128165238.25615-1-linmq006@gmail.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f655997dcfa0c44ce05c1a3c7ff7a69f36f72cdb
Author: Tomas Paukrt <tomaspaukrt@email.cz>
Date:   Sat Jan 22 18:07:53 2022 +0100

    crypto: mxs-dcp - Fix scatterlist processing
    
    [ Upstream commit 28e9b6d8199a3f124682b143800c2dacdc3d70dd ]
    
    This patch fixes a bug in scatterlist processing that may cause incorrect AES block encryption/decryption.
    
    Fixes: 2e6d793e1bf0 ("crypto: mxs-dcp - Use sg_mapping_iter to copy data")
    Signed-off-by: Tomas Paukrt <tomaspaukrt@email.cz>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 582ba2867994da3ecd1ef90d1c0b4b2170cfc0fd
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date:   Wed Jan 19 17:58:40 2022 +1100

    crypto: authenc - Fix sleep in atomic context in decrypt_tail
    
    [ Upstream commit 66eae850333d639fc278d6f915c6fc01499ea893 ]
    
    The function crypto_authenc_decrypt_tail discards its flags
    argument and always relies on the flags from the original request
    when starting its sub-request.
    
    This is clearly wrong as it may cause the SLEEPABLE flag to be
    set when it shouldn't.
    
    Fixes: 92d95ba91772 ("crypto: authenc - Convert to new AEAD interface")
    Reported-by: Corentin Labbe <clabbe.montjoie@gmail.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Tested-by: Corentin Labbe <clabbe.montjoie@gmail.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 312366a68163f26b2ab2c4a5cd0c0a3b741d14b7
Author: Liguang Zhang <zhangliguang@linux.alibaba.com>
Date:   Thu Nov 11 13:42:58 2021 +0800

    PCI: pciehp: Clear cmd_busy bit in polling mode
    
    commit 92912b175178c7e895f5e5e9f1e30ac30319162b upstream.
    
    Writes to a Downstream Port's Slot Control register are PCIe hotplug
    "commands."  If the Port supports Command Completed events, software must
    wait for a command to complete before writing to Slot Control again.
    
    pcie_do_write_cmd() sets ctrl->cmd_busy when it writes to Slot Control.  If
    software notification is enabled, i.e., PCI_EXP_SLTCTL_HPIE and
    PCI_EXP_SLTCTL_CCIE are set, ctrl->cmd_busy is cleared by pciehp_isr().
    
    But when software notification is disabled, as it is when pcie_init()
    powers off an empty slot, pcie_wait_cmd() uses pcie_poll_cmd() to poll for
    command completion, and it neglects to clear ctrl->cmd_busy, which leads to
    spurious timeouts:
    
      pcieport 0000:00:03.0: pciehp: Timeout on hotplug command 0x01c0 (issued 2264 msec ago)
      pcieport 0000:00:03.0: pciehp: Timeout on hotplug command 0x05c0 (issued 2288 msec ago)
    
    Clear ctrl->cmd_busy in pcie_poll_cmd() when it detects a Command Completed
    event (PCI_EXP_SLTSTA_CC).
    
    [bhelgaas: commit log]
    Fixes: a5dd4b4b0570 ("PCI: pciehp: Wait for hotplug command completion where necessary")
    Link: https://lore.kernel.org/r/20211111054258.7309-1-zhangliguang@linux.alibaba.com
    Link: https://bugzilla.kernel.org/show_bug.cgi?id=215143
    Link: https://lore.kernel.org/r/20211126173309.GA12255@wunner.de
    Signed-off-by: Liguang Zhang <zhangliguang@linux.alibaba.com>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Reviewed-by: Lukas Wunner <lukas@wunner.de>
    Cc: stable@vger.kernel.org      # v4.19+
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit fb223974f4d737ddb29fb54d098935691e1df8e1
Author: Hector Martin <marcan@marcan.st>
Date:   Tue Feb 1 01:07:09 2022 +0900

    brcmfmac: pcie: Replace brcmf_pcie_copy_mem_todev with memcpy_toio
    
    commit 9466987f246758eb7e9071ae58005253f631271e upstream.
    
    The alignment check was wrong (e.g. & 4 instead of & 3), and the logic
    was also inefficient if the length was not a multiple of 4, since it
    would needlessly fall back to copying the entire buffer bytewise.
    
    We already have a perfectly good memcpy_toio function, so just call that
    instead of rolling our own copy logic here. brcmf_pcie_init_ringbuffers
    was already using it anyway.
    
    Fixes: 9e37f045d5e7 ("brcmfmac: Adding PCIe bus layer support.")
    Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
    Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
    Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Hector Martin <marcan@marcan.st>
    Signed-off-by: Kalle Valo <kvalo@kernel.org>
    Link: https://lore.kernel.org/r/20220131160713.245637-6-marcan@marcan.st
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c4c7172431c776135eec5b06480171300b38acab
Author: Hector Martin <marcan@marcan.st>
Date:   Tue Feb 1 01:07:06 2022 +0900

    brcmfmac: firmware: Allocate space for default boardrev in nvram
    
    commit d19d8e3ba256f81ea4a27209dbbd1f0a00ef1903 upstream.
    
    If boardrev is missing from the NVRAM we add a default one, but this
    might need more space in the output buffer than was allocated. Ensure
    we have enough padding for this in the buffer.
    
    Fixes: 46f2b38a91b0 ("brcmfmac: insert default boardrev in nvram data if missing")
    Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Hector Martin <marcan@marcan.st>
    Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
    Signed-off-by: Kalle Valo <kvalo@kernel.org>
    Link: https://lore.kernel.org/r/20220131160713.245637-3-marcan@marcan.st
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8e720f0fa49e13cffa5a7d61411ad819266af84c
Author: Johan Hovold <johan@kernel.org>
Date:   Wed Dec 22 15:20:22 2021 +0100

    media: davinci: vpif: fix unbalanced runtime PM get
    
    commit 4a321de239213300a714fa0353a5f1272d381a44 upstream.
    
    Make sure to balance the runtime PM usage counter on driver unbind.
    
    Fixes: 407ccc65bfd2 ("[media] davinci: vpif: add pm_runtime support")
    Cc: stable@vger.kernel.org      # 3.9
    Cc: Lad, Prabhakar <prabhakar.csengg@gmail.com>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Reviewed-by: Lad Prabhakar <prabhakar.csengg@gmail.com>
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ba12400ed8b90bbdc1579efceba8cb67361ace60
Author: Maciej W. Rozycki <macro@orcam.me.uk>
Date:   Fri Mar 4 20:16:23 2022 +0000

    DEC: Limit PMAX memory probing to R3k systems
    
    commit 244eae91a94c6dab82b3232967d10eeb9dfa21c6 upstream.
    
    Recent tightening of the opcode table in binutils so as to consistently
    disallow the assembly or disassembly of CP0 instructions not supported
    by the processor architecture chosen has caused a regression like below:
    
    arch/mips/dec/prom/locore.S: Assembler messages:
    arch/mips/dec/prom/locore.S:29: Error: opcode not supported on this processor: r4600 (mips3) `rfe'
    
    in a piece of code used to probe for memory with PMAX DECstation models,
    which have non-REX firmware.  Those computers always have an R2000 CPU
    and consequently the exception handler used in memory probing uses the
    RFE instruction, which those processors use.
    
    While adding 64-bit support this code was correctly excluded for 64-bit
    configurations, however it should have also been excluded for irrelevant
    32-bit configurations.  Do this now then, and only enable PMAX memory
    probing for R3k systems.
    
    Reported-by: Jan-Benedict Glaw <jbglaw@lug-owl.de>
    Reported-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
    Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Cc: stable@vger.kernel.org # v2.6.12+
    Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1c01f607228829b12481e62ad7ce61d249b466b1
Author: Dirk Müller <dmueller@suse.de>
Date:   Tue Feb 8 17:50:50 2022 +0100

    lib/raid6/test: fix multiple definition linking error
    
    commit a5359ddd052860bacf957e65fe819c63e974b3a6 upstream.
    
    GCC 10+ defaults to -fno-common, which enforces proper declaration of
    external references using "extern". without this change a link would
    fail with:
    
      lib/raid6/test/algos.c:28: multiple definition of `raid6_call';
      lib/raid6/test/test.c:22: first defined here
    
    the pq.h header that is included already includes an extern declaration
    so we can just remove the redundant one here.
    
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Dirk Müller <dmueller@suse.de>
    Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
    Signed-off-by: Song Liu <song@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4339a4a6ae4866a16907b2cb02125e0cc98db3c9
Author: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Date:   Mon Mar 14 15:08:55 2022 -0700

    thermal: int340x: Increase bitmap size
    
    commit 668f69a5f863b877bc3ae129efe9a80b6f055141 upstream.
    
    The number of policies are 10, so can't be supported by the bitmap size
    of u8.
    
    Even though there are no platfoms with these many policies, but
    for correctness increase to u32.
    
    Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
    Fixes: 16fc8eca1975 ("thermal/int340x_thermal: Add additional UUIDs")
    Cc: 5.1+ <stable@vger.kernel.org> # 5.1+
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f02e2636a92f01116a5a86ad4cf2456019dddbc3
Author: Colin Ian King <colin.king@intel.com>
Date:   Tue Jan 25 00:44:06 2022 +0000

    carl9170: fix missing bit-wise or operator for tx_params
    
    commit 02a95374b5eebdbd3b6413fd7ddec151d2ea75a1 upstream.
    
    Currently tx_params is being re-assigned with a new value and the
    previous setting IEEE80211_HT_MCS_TX_RX_DIFF is being overwritten.
    The assignment operator is incorrect, the original intent was to
    bit-wise or the value in. Fix this by replacing the = operator
    with |= instead.
    
    Kudos to Christian Lamparter for suggesting the correct fix.
    
    Fixes: fe8ee9ad80b2 ("carl9170: mac80211 glue and command interface")
    Signed-off-by: Colin Ian King <colin.i.king@gmail.com>
    Cc: <Stable@vger.kernel.org>
    Acked-by: Christian Lamparter <chunkeey@gmail.com>
    Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
    Link: https://lore.kernel.org/r/20220125004406.344422-1-colin.i.king@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5dbda4d93a2016178a0b1adece9d3d74a2f21e1f
Author: Krzysztof Kozlowski <krzk@kernel.org>
Date:   Tue Feb 8 18:18:15 2022 +0100

    ARM: dts: exynos: add missing HDMI supplies on SMDK5420
    
    commit 453a24ded415f7fce0499c6b0a2c7b28f84911f2 upstream.
    
    Add required VDD supplies to HDMI block on SMDK5420.  Without them, the
    HDMI driver won't probe.  Because of lack of schematics, use same
    supplies as on Arndale Octa and Odroid XU3 boards (voltage matches).
    
    Cc: <stable@vger.kernel.org> # v3.15+
    Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
    Reviewed-by: Alim Akhtar <alim.akhtar@samsung.com>
    Link: https://lore.kernel.org/r/20220208171823.226211-3-krzysztof.kozlowski@canonical.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 42c50c5071e722d53fd5e3273ea74c021dc5471c
Author: Krzysztof Kozlowski <krzk@kernel.org>
Date:   Tue Feb 8 18:18:14 2022 +0100

    ARM: dts: exynos: add missing HDMI supplies on SMDK5250
    
    commit 60a9914cb2061ba612a3f14f6ad329912b486360 upstream.
    
    Add required VDD supplies to HDMI block on SMDK5250.  Without them, the
    HDMI driver won't probe.  Because of lack of schematics, use same
    supplies as on Arndale 5250 board (voltage matches).
    
    Cc: <stable@vger.kernel.org> # v3.15+
    Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
    Reviewed-by: Alim Akhtar <alim.akhtar@samsung.com>
    Link: https://lore.kernel.org/r/20220208171823.226211-2-krzysztof.kozlowski@canonical.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit edea262690a788429c0f3fa66c100add8c033ec2
Author: Krzysztof Kozlowski <krzk@kernel.org>
Date:   Thu Dec 30 20:53:23 2021 +0100

    ARM: dts: exynos: fix UART3 pins configuration in Exynos5250
    
    commit 372d7027fed43c8570018e124cf78b89523a1f8e upstream.
    
    The gpa1-4 pin was put twice in UART3 pin configuration of Exynos5250,
    instead of proper pin gpa1-5.
    
    Fixes: f8bfe2b050f3 ("ARM: dts: add pin state information in client nodes for Exynos5 platforms")
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
    Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
    Reviewed-by: Alim Akhtar <alim.akhtar@samsung.com>
    Link: https://lore.kernel.org/r/20211230195325.328220-1-krzysztof.kozlowski@canonical.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 75cb145a8b6497f849b489c322b9ce03b1cd18eb
Author: Tudor Ambarus <tudor.ambarus@microchip.com>
Date:   Tue Jan 11 15:23:01 2022 +0200

    ARM: dts: at91: sama5d2: Fix PMERRLOC resource size
    
    commit 0fb578a529ac7aca326a9fa475b4a6f58a756fda upstream.
    
    PMERRLOC resource size was set to 0x100, which resulted in HSMC_ERRLOCx
    register being truncated to offset x = 21, causing error correction to
    fail if more than 22 bit errors and if 24 or 32 bit error correction
    was supported.
    
    Fixes: d9c41bf30cf8 ("ARM: dts: at91: Declare EBI/NAND controllers")
    Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
    Cc: <stable@vger.kernel.org> # 4.13.x
    Acked-by: Alexander Dahl <ada@thorsis.com>
    Signed-off-by: Nicolas Ferre <nicolas.ferre@microchip.com>
    Link: https://lore.kernel.org/r/20220111132301.906712-1-tudor.ambarus@microchip.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 36ffb3d203fa42408c59553d47e371a692c3dcf4
Author: Michael Schmitz <schmitzmic@gmail.com>
Date:   Wed Feb 16 20:26:25 2022 +1300

    video: fbdev: atari: Atari 2 bpp (STe) palette bugfix
    
    commit c8be5edbd36ceed2ff3d6b8f8e40643c3f396ea3 upstream.
    
    The code to set the shifter STe palette registers has a long
    standing operator precedence bug, manifesting as colors set
    on a 2 bits per pixel frame buffer coming up with a distinctive
    blue tint.
    
    Add parentheses around the calculation of the per-color palette
    data before shifting those into their respective bit field position.
    
    This bug goes back a long way (2.4 days at the very least) so there
    won't be a Fixes: tag.
    
    Tested on ARAnyM as well on Falcon030 hardware.
    
    Cc: stable@vger.kernel.org
    Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
    Link: https://lore.kernel.org/all/CAMuHMdU3ievhXxKR_xi_v3aumnYW7UNUO6qMdhgfyWTyVSsCkQ@mail.gmail.com
    Tested-by: Michael Schmitz <schmitzmic@gmail.com>
    Tested-by: Geert Uytterhoeven <geert@linux-m68k.org>
    Signed-off-by: Michael Schmitz <schmitzmic@gmail.com>
    Signed-off-by: Helge Deller <deller@gmx.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2a616cc4513217c850865482cbc0bc6e7188580c
Author: Helge Deller <deller@gmx.de>
Date:   Sun Feb 27 08:43:56 2022 +0100

    video: fbdev: sm712fb: Fix crash in smtcfb_read()
    
    commit bd771cf5c4254511cc4abb88f3dab3bd58bdf8e8 upstream.
    
    Zheyu Ma reported this crash in the sm712fb driver when reading
    three bytes from the framebuffer:
    
     BUG: unable to handle page fault for address: ffffc90001ffffff
     RIP: 0010:smtcfb_read+0x230/0x3e0
     Call Trace:
      vfs_read+0x198/0xa00
      ? do_sys_openat2+0x27d/0x350
      ? __fget_light+0x54/0x340
      ksys_read+0xce/0x190
      do_syscall_64+0x43/0x90
    
    Fix it by removing the open-coded endianess fixup-code and
    by moving the pointer post decrement out the fb_readl() function.
    
    Reported-by: Zheyu Ma <zheyuma97@gmail.com>
    Signed-off-by: Helge Deller <deller@gmx.de>
    Tested-by: Zheyu Ma <zheyuma97@gmail.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a2793cb58444d4411810cc555eb45b8f4a228018
Author: Duoming Zhou <duoming@zju.edu.cn>
Date:   Thu Feb 17 09:43:03 2022 +0800

    drivers: hamradio: 6pack: fix UAF bug caused by mod_timer()
    
    commit efe4186e6a1b54bf38b9e05450d43b0da1fd7739 upstream.
    
    When a 6pack device is detaching, the sixpack_close() will act to cleanup
    necessary resources. Although del_timer_sync() in sixpack_close()
    won't return if there is an active timer, one could use mod_timer() in
    sp_xmit_on_air() to wake up timer again by calling userspace syscall such
    as ax25_sendmsg(), ax25_connect() and ax25_ioctl().
    
    This unexpected waked handler, sp_xmit_on_air(), realizes nothing about
    the undergoing cleanup and may still call pty_write() to use driver layer
    resources that have already been released.
    
    One of the possible race conditions is shown below:
    
          (USE)                      |      (FREE)
    ax25_sendmsg()                   |
     ax25_queue_xmit()               |
      ...                            |
      sp_xmit()                      |
       sp_encaps()                   | sixpack_close()
        sp_xmit_on_air()             |  del_timer_sync(&sp->tx_t)
         mod_timer(&sp->tx_t,...)    |  ...
                                     |  unregister_netdev()
                                     |  ...
         (wait a while)              | tty_release()
                                     |  tty_release_struct()
                                     |   release_tty()
        sp_xmit_on_air()             |    tty_kref_put(tty_struct) //FREE
         pty_write(tty_struct) //USE |    ...
    
    The corresponding fail log is shown below:
    ===============================================================
    BUG: KASAN: use-after-free in __run_timers.part.0+0x170/0x470
    Write of size 8 at addr ffff88800a652ab8 by task swapper/2/0
    ...
    Call Trace:
      ...
      queue_work_on+0x3f/0x50
      pty_write+0xcd/0xe0pty_write+0xcd/0xe0
      sp_xmit_on_air+0xb2/0x1f0
      call_timer_fn+0x28/0x150
      __run_timers.part.0+0x3c2/0x470
      run_timer_softirq+0x3b/0x80
      __do_softirq+0xf1/0x380
      ...
    
    This patch reorders the del_timer_sync() after the unregister_netdev()
    to avoid UAF bugs. Because the unregister_netdev() is well synchronized,
    it flushs out any pending queues, waits the refcount of net_device
    decreases to zero and removes net_device from kernel. There is not any
    running routines after executing unregister_netdev(). Therefore, we could
    not arouse timer from userspace again.
    
    Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
    Reviewed-by: Lin Ma <linma@zju.edu.cn>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 923339c722f9f0557cec1fd6ea1e5e05a124e3a2
Author: Sakari Ailus <sakari.ailus@linux.intel.com>
Date:   Fri Jan 14 13:24:49 2022 +0200

    ACPI: properties: Consistently return -ENOENT if there are no more references
    
    commit babc92da5928f81af951663fc436997352e02d3a upstream.
    
    __acpi_node_get_property_reference() is documented to return -ENOENT if
    the caller requests a property reference at an index that does not exist,
    not -EINVAL which it actually does.
    
    Fix this by returning -ENOENT consistenly, independently of whether the
    property value is a plain reference or a package.
    
    Fixes: c343bc2ce2c6 ("ACPI: properties: Align return codes of __acpi_node_get_property_reference()")
    Cc: 4.14+ <stable@vger.kernel.org> # 4.14+
    Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0452d32bfb419df65f8e200f5ddbf460fef48082
Author: Lars Ellenberg <lars.ellenberg@linbit.com>
Date:   Wed Mar 30 20:55:51 2022 +0200

    drbd: fix potential silent data corruption
    
    commit f4329d1f848ac35757d9cc5487669d19dfc5979c upstream.
    
    Scenario:
    ---------
    
    bio chain generated by blk_queue_split().
    Some split bio fails and propagates its error status to the "parent" bio.
    But then the (last part of the) parent bio itself completes without error.
    
    We would clobber the already recorded error status with BLK_STS_OK,
    causing silent data corruption.
    
    Reproducer:
    -----------
    
    How to trigger this in the real world within seconds:
    
    DRBD on top of degraded parity raid,
    small stripe_cache_size, large read_ahead setting.
    Drop page cache (sysctl vm.drop_caches=1, fadvise "DONTNEED",
    umount and mount again, "reboot").
    
    Cause significant read ahead.
    
    Large read ahead request is split by blk_queue_split().
    Parts of the read ahead that are already in the stripe cache,
    or find an available stripe cache to use, can be serviced.
    Parts of the read ahead that would need "too much work",
    would need to wait for a "stripe_head" to become available,
    are rejected immediately.
    
    For larger read ahead requests that are split in many pieces, it is very
    likely that some "splits" will be serviced, but then the stripe cache is
    exhausted/busy, and the remaining ones will be rejected.
    
    Signed-off-by: Lars Ellenberg <lars.ellenberg@linbit.com>
    Signed-off-by: Christoph Böhmwalder <christoph.boehmwalder@linbit.com>
    Cc: <stable@vger.kernel.org> # 4.13.x
    Link: https://lore.kernel.org/r/20220330185551.3553196-1-christoph.boehmwalder@linbit.com
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit db9a101f93cab51ccf28adb7e2a6aa5a5e2ef3b2
Author: Xiaomeng Tong <xiam0nd.tong@gmail.com>
Date:   Sun Mar 27 14:08:22 2022 +0800

    ALSA: cs4236: fix an incorrect NULL check on list iterator
    
    commit 0112f822f8a6d8039c94e0bc9b264d7ffc5d4704 upstream.
    
    The bug is here:
            err = snd_card_cs423x_pnp(dev, card->private_data, pdev, cdev);
    
    The list iterator value 'cdev' will *always* be set and non-NULL
    by list_for_each_entry(), so it is incorrect to assume that the
    iterator value will be NULL if the list is empty or no element
    is found.
    
    To fix the bug, use a new variable 'iter' as the list iterator,
    while use the original variable 'cdev' as a dedicated pointer
    to point to the found element. And snd_card_cs423x_pnp() itself
    has NULL check for cdev.
    
    Cc: stable@vger.kernel.org
    Fixes: c2b73d1458014 ("ALSA: cs4236: cs4232 and cs4236 driver merge to solve PnP BIOS detection")
    Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
    Link: https://lore.kernel.org/r/20220327060822.4735-1-xiam0nd.tong@gmail.com
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 385cc5a91d4c0479408837ee92e94d015bbdba49
Author: José Expósito <jose.exposito89@gmail.com>
Date:   Thu Mar 31 21:15:36 2022 -0700

    Revert "Input: clear BTN_RIGHT/MIDDLE on buttonpads"
    
    commit 8b188fba75195745026e11d408e4a7e94e01d701 upstream.
    
    This reverts commit 37ef4c19b4c659926ce65a7ac709ceaefb211c40.
    
    The touchpad present in the Dell Precision 7550 and 7750 laptops
    reports a HID_DG_BUTTONTYPE of type MT_BUTTONTYPE_CLICKPAD. However,
    the device is not a clickpad, it is a touchpad with physical buttons.
    
    In order to fix this issue, a quirk for the device was introduced in
    libinput [1] [2] to disable the INPUT_PROP_BUTTONPAD property:
    
            [Precision 7x50 Touchpad]
            MatchBus=i2c
            MatchUdevType=touchpad
            MatchDMIModalias=dmi:*svnDellInc.:pnPrecision7?50*
            AttrInputPropDisable=INPUT_PROP_BUTTONPAD
    
    However, because of the change introduced in 37ef4c19b4 ("Input: clear
    BTN_RIGHT/MIDDLE on buttonpads") the BTN_RIGHT key bit is not mapped
    anymore breaking the device right click button and making impossible to
    workaround it in user space.
    
    In order to avoid breakage on other present or future devices, revert
    the patch causing the issue.
    
    Signed-off-by: José Expósito <jose.exposito89@gmail.com>
    Reviewed-by: Hans de Goede <hdegoede@redhat.com>
    Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
    Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/20220321184404.20025-1-jose.exposito89@gmail.com
    Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5305bf6043d6edd1bf4da8e24a13e799e7a07239
Author: Manish Chopra <manishc@marvell.com>
Date:   Wed Mar 2 02:52:22 2022 -0800

    qed: validate and restrict untrusted VFs vlan promisc mode
    
    commit cbcc44db2cf7b836896733acc0e5ea966136ed22 upstream.
    
    Today when VFs are put in promiscuous mode, they can request PF
    to configure device for them to receive all VLANs traffic regardless
    of what vlan is configured by the PF (via ip link) and PF allows this
    config request regardless of whether VF is trusted or not.
    
    From security POV, when VLAN is configured for VF through PF (via ip link),
    honour such config requests from VF only when they are configured to be
    trusted, otherwise restrict such VFs vlan promisc mode config.
    
    Cc: stable@vger.kernel.org
    Fixes: f990c82c385b ("qed*: Add support for ndo_set_vf_trust")
    Signed-off-by: Manish Chopra <manishc@marvell.com>
    Signed-off-by: Ariel Elior <aelior@marvell.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a45b2074a669fa3ba19932bddd0ea733b3e11515
Author: Manish Chopra <manishc@marvell.com>
Date:   Wed Mar 2 02:52:21 2022 -0800

    qed: display VF trust config
    
    commit 4e6e6bec7440b9b76f312f28b1f4e944eebb3abc upstream.
    
    Driver does support SR-IOV VFs trust configuration but
    it does not display it when queried via ip link utility.
    
    Cc: stable@vger.kernel.org
    Fixes: f990c82c385b ("qed*: Add support for ndo_set_vf_trust")
    Signed-off-by: Manish Chopra <manishc@marvell.com>
    Signed-off-by: Ariel Elior <aelior@marvell.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2bf80bc8ab9ef4e60a17829f85464f11045d08ae
Author: Damien Le Moal <damien.lemoal@opensource.wdc.com>
Date:   Sun Feb 20 12:17:40 2022 +0900

    scsi: libsas: Fix sas_ata_qc_issue() handling of NCQ NON DATA commands
    
    commit 8454563e4c2aafbfb81a383ab423ea8b9b430a25 upstream.
    
    To detect for the DMA_NONE (no data transfer) DMA direction,
    sas_ata_qc_issue() tests if the command protocol is ATA_PROT_NODATA.  This
    test does not include the ATA_CMD_NCQ_NON_DATA command as this command
    protocol is defined as ATA_PROT_NCQ_NODATA (equal to ATA_PROT_FLAG_NCQ) and
    not as ATA_PROT_NODATA.
    
    To include both NCQ and non-NCQ commands when testing for the DMA_NONE DMA
    direction, use "!ata_is_data()".
    
    Link: https://lore.kernel.org/r/20220220031810.738362-2-damien.lemoal@opensource.wdc.com
    Fixes: 176ddd89171d ("scsi: libsas: Reset num_scatter if libata marks qc as NODATA")
    Cc: stable@vger.kernel.org
    Reviewed-by: John Garry <john.garry@huawei.com>
    Reviewed-by: Jack Wang <jinpu.wang@ionos.com>
    Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ce6d45f1fb605a58999538dcfb1c82e379ce75bb
Author: Hugh Dickins <hughd@google.com>
Date:   Tue Mar 22 14:45:59 2022 -0700

    mempolicy: mbind_range() set_policy() after vma_merge()
    
    commit 4e0906008cdb56381638aa17d9c32734eae6d37a upstream.
    
    v2.6.34 commit 9d8cebd4bcd7 ("mm: fix mbind vma merge problem") introduced
    vma_merge() to mbind_range(); but unlike madvise, mlock and mprotect, it
    put a "continue" to next vma where its precedents go to update flags on
    current vma before advancing: that left vma with the wrong setting in the
    infamous vma_merge() case 8.
    
    v3.10 commit 1444f92c8498 ("mm: merging memory blocks resets mempolicy")
    tried to fix that in vma_adjust(), without fully understanding the issue.
    
    v3.11 commit 3964acd0dbec ("mm: mempolicy: fix mbind_range() &&
    vma_adjust() interaction") reverted that, and went about the fix in the
    right way, but chose to optimize out an unnecessary mpol_dup() with a
    prior mpol_equal() test.  But on tmpfs, that also pessimized out the vital
    call to its ->set_policy(), leaving the new mbind unenforced.
    
    The user visible effect was that the pages got allocated on the local
    node (happened to be 0), after the mbind() caller had specifically
    asked for them to be allocated on node 1.  There was not any page
    migration involved in the case reported: the pages simply got allocated
    on the wrong node.
    
    Just delete that optimization now (though it could be made conditional on
    vma not having a set_policy).  Also remove the "next" variable: it turned
    out to be blameless, but also pointless.
    
    Link: https://lkml.kernel.org/r/319e4db9-64ae-4bca-92f0-ade85d342ff@google.com
    Fixes: 3964acd0dbec ("mm: mempolicy: fix mbind_range() && vma_adjust() interaction")
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Acked-by: Oleg Nesterov <oleg@redhat.com>
    Reviewed-by: Liam R. Howlett <Liam.Howlett@oracle.com>
    Cc: Vlastimil Babka <vbabka@suse.cz>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4d6d259e5fa3647b5bc41a17276464ab8c2e1a44
Author: Alistair Popple <apopple@nvidia.com>
Date:   Tue Mar 22 14:43:26 2022 -0700

    mm/pages_alloc.c: don't create ZONE_MOVABLE beyond the end of a node
    
    commit ddbc84f3f595cf1fc8234a191193b5d20ad43938 upstream.
    
    ZONE_MOVABLE uses the remaining memory in each node.  Its starting pfn
    is also aligned to MAX_ORDER_NR_PAGES.  It is possible for the remaining
    memory in a node to be less than MAX_ORDER_NR_PAGES, meaning there is
    not enough room for ZONE_MOVABLE on that node.
    
    Unfortunately this condition is not checked for.  This leads to
    zone_movable_pfn[] getting set to a pfn greater than the last pfn in a
    node.
    
    calculate_node_totalpages() then sets zone->present_pages to be greater
    than zone->spanned_pages which is invalid, as spanned_pages represents
    the maximum number of pages in a zone assuming no holes.
    
    Subsequently it is possible free_area_init_core() will observe a zone of
    size zero with present pages.  In this case it will skip setting up the
    zone, including the initialisation of free_lists[].
    
    However populated_zone() checks zone->present_pages to see if a zone has
    memory available.  This is used by iterators such as
    walk_zones_in_node().  pagetypeinfo_showfree() uses this to walk the
    free_list of each zone in each node, which are assumed to be initialised
    due to the zone not being empty.
    
    As free_area_init_core() never initialised the free_lists[] this results
    in the following kernel crash when trying to read /proc/pagetypeinfo:
    
      BUG: kernel NULL pointer dereference, address: 0000000000000000
      #PF: supervisor read access in kernel mode
      #PF: error_code(0x0000) - not-present page
      PGD 0 P4D 0
      Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC NOPTI
      CPU: 0 PID: 456 Comm: cat Not tainted 5.16.0 #461
      Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
      RIP: 0010:pagetypeinfo_show+0x163/0x460
      Code: 9e 82 e8 80 57 0e 00 49 8b 06 b9 01 00 00 00 4c 39 f0 75 16 e9 65 02 00 00 48 83 c1 01 48 81 f9 a0 86 01 00 0f 84 48 02 00 00 <48> 8b 00 4c 39 f0 75 e7 48 c7 c2 80 a2 e2 82 48 c7 c6 79 ef e3 82
      RSP: 0018:ffffc90001c4bd10 EFLAGS: 00010003
      RAX: 0000000000000000 RBX: ffff88801105f638 RCX: 0000000000000001
      RDX: 0000000000000001 RSI: 000000000000068b RDI: ffff8880163dc68b
      RBP: ffffc90001c4bd90 R08: 0000000000000001 R09: ffff8880163dc67e
      R10: 656c6261766f6d6e R11: 6c6261766f6d6e55 R12: ffff88807ffb4a00
      R13: ffff88807ffb49f8 R14: ffff88807ffb4580 R15: ffff88807ffb3000
      FS:  00007f9c83eff5c0(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000000000000 CR3: 0000000013c8e000 CR4: 0000000000350ef0
      Call Trace:
       seq_read_iter+0x128/0x460
       proc_reg_read_iter+0x51/0x80
       new_sync_read+0x113/0x1a0
       vfs_read+0x136/0x1d0
       ksys_read+0x70/0xf0
       __x64_sys_read+0x1a/0x20
       do_syscall_64+0x3b/0xc0
       entry_SYSCALL_64_after_hwframe+0x44/0xae
    
    Fix this by checking that the aligned zone_movable_pfn[] does not exceed
    the end of the node, and if it does skip creating a movable zone on this
    node.
    
    Link: https://lkml.kernel.org/r/20220215025831.2113067-1-apopple@nvidia.com
    Fixes: 2a1e274acf0b ("Create the ZONE_MOVABLE zone")
    Signed-off-by: Alistair Popple <apopple@nvidia.com>
    Acked-by: David Hildenbrand <david@redhat.com>
    Acked-by: Mel Gorman <mgorman@techsingularity.net>
    Cc: John Hubbard <jhubbard@nvidia.com>
    Cc: Zi Yan <ziy@nvidia.com>
    Cc: Anshuman Khandual <anshuman.khandual@arm.com>
    Cc: Oscar Salvador <osalvador@suse.de>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b36bccb04e14cc0c1e2d0e92d477fe220314fad6
Author: Baokun Li <libaokun1@huawei.com>
Date:   Fri Jan 14 18:28:54 2022 +0800

    jffs2: fix memory leak in jffs2_scan_medium
    
    commit 9cdd3128874f5fe759e2c4e1360ab7fb96a8d1df upstream.
    
    If an error is returned in jffs2_scan_eraseblock() and some memory
    has been added to the jffs2_summary *s, we can observe the following
    kmemleak report:
    
    --------------------------------------------
    unreferenced object 0xffff88812b889c40 (size 64):
      comm "mount", pid 692, jiffies 4294838325 (age 34.288s)
      hex dump (first 32 bytes):
        40 48 b5 14 81 88 ff ff 01 e0 31 00 00 00 50 00  @H........1...P.
        00 00 01 00 00 00 01 00 00 00 02 00 00 00 09 08  ................
      backtrace:
        [<ffffffffae93a3a3>] __kmalloc+0x613/0x910
        [<ffffffffaf423b9c>] jffs2_sum_add_dirent_mem+0x5c/0xa0
        [<ffffffffb0f3afa8>] jffs2_scan_medium.cold+0x36e5/0x4794
        [<ffffffffb0f3dbe1>] jffs2_do_mount_fs.cold+0xa7/0x2267
        [<ffffffffaf40acf3>] jffs2_do_fill_super+0x383/0xc30
        [<ffffffffaf40c00a>] jffs2_fill_super+0x2ea/0x4c0
        [<ffffffffb0315d64>] mtd_get_sb+0x254/0x400
        [<ffffffffb0315f5f>] mtd_get_sb_by_nr+0x4f/0xd0
        [<ffffffffb0316478>] get_tree_mtd+0x498/0x840
        [<ffffffffaf40bd15>] jffs2_get_tree+0x25/0x30
        [<ffffffffae9f358d>] vfs_get_tree+0x8d/0x2e0
        [<ffffffffaea7a98f>] path_mount+0x50f/0x1e50
        [<ffffffffaea7c3d7>] do_mount+0x107/0x130
        [<ffffffffaea7c5c5>] __se_sys_mount+0x1c5/0x2f0
        [<ffffffffaea7c917>] __x64_sys_mount+0xc7/0x160
        [<ffffffffb10142f5>] do_syscall_64+0x45/0x70
    unreferenced object 0xffff888114b54840 (size 32):
      comm "mount", pid 692, jiffies 4294838325 (age 34.288s)
      hex dump (first 32 bytes):
        c0 75 b5 14 81 88 ff ff 02 e0 02 00 00 00 02 00  .u..............
        00 00 84 00 00 00 44 00 00 00 6b 6b 6b 6b 6b a5  ......D...kkkkk.
      backtrace:
        [<ffffffffae93be24>] kmem_cache_alloc_trace+0x584/0x880
        [<ffffffffaf423b04>] jffs2_sum_add_inode_mem+0x54/0x90
        [<ffffffffb0f3bd44>] jffs2_scan_medium.cold+0x4481/0x4794
        [...]
    unreferenced object 0xffff888114b57280 (size 32):
      comm "mount", pid 692, jiffies 4294838393 (age 34.357s)
      hex dump (first 32 bytes):
        10 d5 6c 11 81 88 ff ff 08 e0 05 00 00 00 01 00  ..l.............
        00 00 38 02 00 00 28 00 00 00 6b 6b 6b 6b 6b a5  ..8...(...kkkkk.
      backtrace:
        [<ffffffffae93be24>] kmem_cache_alloc_trace+0x584/0x880
        [<ffffffffaf423c34>] jffs2_sum_add_xattr_mem+0x54/0x90
        [<ffffffffb0f3a24f>] jffs2_scan_medium.cold+0x298c/0x4794
        [...]
    unreferenced object 0xffff8881116cd510 (size 16):
      comm "mount", pid 692, jiffies 4294838395 (age 34.355s)
      hex dump (first 16 bytes):
        00 00 00 00 00 00 00 00 09 e0 60 02 00 00 6b a5  ..........`...k.
      backtrace:
        [<ffffffffae93be24>] kmem_cache_alloc_trace+0x584/0x880
        [<ffffffffaf423cc4>] jffs2_sum_add_xref_mem+0x54/0x90
        [<ffffffffb0f3b2e3>] jffs2_scan_medium.cold+0x3a20/0x4794
        [...]
    --------------------------------------------
    
    Therefore, we should call jffs2_sum_reset_collected(s) on exit to
    release the memory added in s. In addition, a new tag "out_buf" is
    added to prevent the NULL pointer reference caused by s being NULL.
    (thanks to Zhang Yi for this analysis)
    
    Fixes: e631ddba5887 ("[JFFS2] Add erase block summary support (mount time improvement)")
    Cc: stable@vger.kernel.org
    Co-developed-with: Zhihao Cheng <chengzhihao1@huawei.com>
    Signed-off-by: Baokun Li <libaokun1@huawei.com>
    Signed-off-by: Richard Weinberger <richard@nod.at>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9a0f6610c7daedd2eace430beeb08a8b7ac80699
Author: Baokun Li <libaokun1@huawei.com>
Date:   Fri Jan 14 18:28:53 2022 +0800

    jffs2: fix memory leak in jffs2_do_mount_fs
    
    commit d051cef784de4d54835f6b6836d98a8f6935772c upstream.
    
    If jffs2_build_filesystem() in jffs2_do_mount_fs() returns an error,
    we can observe the following kmemleak report:
    
    --------------------------------------------
    unreferenced object 0xffff88811b25a640 (size 64):
      comm "mount", pid 691, jiffies 4294957728 (age 71.952s)
      hex dump (first 32 bytes):
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      backtrace:
        [<ffffffffa493be24>] kmem_cache_alloc_trace+0x584/0x880
        [<ffffffffa5423a06>] jffs2_sum_init+0x86/0x130
        [<ffffffffa5400e58>] jffs2_do_mount_fs+0x798/0xac0
        [<ffffffffa540acf3>] jffs2_do_fill_super+0x383/0xc30
        [<ffffffffa540c00a>] jffs2_fill_super+0x2ea/0x4c0
        [...]
    unreferenced object 0xffff88812c760000 (size 65536):
      comm "mount", pid 691, jiffies 4294957728 (age 71.952s)
      hex dump (first 32 bytes):
        bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
        bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
      backtrace:
        [<ffffffffa493a449>] __kmalloc+0x6b9/0x910
        [<ffffffffa5423a57>] jffs2_sum_init+0xd7/0x130
        [<ffffffffa5400e58>] jffs2_do_mount_fs+0x798/0xac0
        [<ffffffffa540acf3>] jffs2_do_fill_super+0x383/0xc30
        [<ffffffffa540c00a>] jffs2_fill_super+0x2ea/0x4c0
        [...]
    --------------------------------------------
    
    This is because the resources allocated in jffs2_sum_init() are not
    released. Call jffs2_sum_exit() to release these resources to solve
    the problem.
    
    Fixes: e631ddba5887 ("[JFFS2] Add erase block summary support (mount time improvement)")
    Cc: stable@vger.kernel.org
    Signed-off-by: Baokun Li <libaokun1@huawei.com>
    Signed-off-by: Richard Weinberger <richard@nod.at>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3bd2454162ec6bbb5503233c804fce6e4b6dcec5
Author: Baokun Li <libaokun1@huawei.com>
Date:   Tue Dec 28 20:54:30 2021 +0800

    jffs2: fix use-after-free in jffs2_clear_xattr_subsystem
    
    commit 4c7c44ee1650677fbe89d86edbad9497b7679b5c upstream.
    
    When we mount a jffs2 image, assume that the first few blocks of
    the image are normal and contain at least one xattr-related inode,
    but the next block is abnormal. As a result, an error is returned
    in jffs2_scan_eraseblock(). jffs2_clear_xattr_subsystem() is then
    called in jffs2_build_filesystem() and then again in
    jffs2_do_fill_super().
    
    Finally we can observe the following report:
     ==================================================================
     BUG: KASAN: use-after-free in jffs2_clear_xattr_subsystem+0x95/0x6ac
     Read of size 8 at addr ffff8881243384e0 by task mount/719
    
     Call Trace:
      dump_stack+0x115/0x16b
      jffs2_clear_xattr_subsystem+0x95/0x6ac
      jffs2_do_fill_super+0x84f/0xc30
      jffs2_fill_super+0x2ea/0x4c0
      mtd_get_sb+0x254/0x400
      mtd_get_sb_by_nr+0x4f/0xd0
      get_tree_mtd+0x498/0x840
      jffs2_get_tree+0x25/0x30
      vfs_get_tree+0x8d/0x2e0
      path_mount+0x50f/0x1e50
      do_mount+0x107/0x130
      __se_sys_mount+0x1c5/0x2f0
      __x64_sys_mount+0xc7/0x160
      do_syscall_64+0x45/0x70
      entry_SYSCALL_64_after_hwframe+0x44/0xa9
    
     Allocated by task 719:
      kasan_save_stack+0x23/0x60
      __kasan_kmalloc.constprop.0+0x10b/0x120
      kasan_slab_alloc+0x12/0x20
      kmem_cache_alloc+0x1c0/0x870
      jffs2_alloc_xattr_ref+0x2f/0xa0
      jffs2_scan_medium.cold+0x3713/0x4794
      jffs2_do_mount_fs.cold+0xa7/0x2253
      jffs2_do_fill_super+0x383/0xc30
      jffs2_fill_super+0x2ea/0x4c0
     [...]
    
     Freed by task 719:
      kmem_cache_free+0xcc/0x7b0
      jffs2_free_xattr_ref+0x78/0x98
      jffs2_clear_xattr_subsystem+0xa1/0x6ac
      jffs2_do_mount_fs.cold+0x5e6/0x2253
      jffs2_do_fill_super+0x383/0xc30
      jffs2_fill_super+0x2ea/0x4c0
     [...]
    
     The buggy address belongs to the object at ffff8881243384b8
      which belongs to the cache jffs2_xattr_ref of size 48
     The buggy address is located 40 bytes inside of
      48-byte region [ffff8881243384b8, ffff8881243384e8)
     [...]
     ==================================================================
    
    The triggering of the BUG is shown in the following stack:
    -----------------------------------------------------------
    jffs2_fill_super
      jffs2_do_fill_super
        jffs2_do_mount_fs
          jffs2_build_filesystem
            jffs2_scan_medium
              jffs2_scan_eraseblock        <--- ERROR
            jffs2_clear_xattr_subsystem    <--- free
        jffs2_clear_xattr_subsystem        <--- free again
    -----------------------------------------------------------
    
    An error is returned in jffs2_do_mount_fs(). If the error is returned
    by jffs2_sum_init(), the jffs2_clear_xattr_subsystem() does not need to
    be executed. If the error is returned by jffs2_build_filesystem(), the
    jffs2_clear_xattr_subsystem() also does not need to be executed again.
    So move jffs2_clear_xattr_subsystem() from 'out_inohash' to 'out_root'
    to fix this UAF problem.
    
    Fixes: aa98d7cf59b5 ("[JFFS2][XATTR] XATTR support on JFFS2 (version. 5)")
    Cc: stable@vger.kernel.org
    Reported-by: Hulk Robot <hulkci@huawei.com>
    Signed-off-by: Baokun Li <libaokun1@huawei.com>
    Signed-off-by: Richard Weinberger <richard@nod.at>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 29d967c18737ce04f372831c4542e71da1a8d5c8
Author: Hangyu Hua <hbh25y@gmail.com>
Date:   Mon Feb 28 16:36:39 2022 +0800

    can: ems_usb: ems_usb_start_xmit(): fix double dev_kfree_skb() in error path
    
    commit c70222752228a62135cee3409dccefd494a24646 upstream.
    
    There is no need to call dev_kfree_skb() when usb_submit_urb() fails
    beacause can_put_echo_skb() deletes the original skb and
    can_free_echo_skb() deletes the cloned skb.
    
    Link: https://lore.kernel.org/all/20220228083639.38183-1-hbh25y@gmail.com
    Fixes: 702171adeed3 ("ems_usb: Added support for EMS CPC-USB/ARM7 CAN/USB interface")
    Cc: stable@vger.kernel.org
    Cc: Sebastian Haas <haas@ems-wuensche.com>
    Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e4bc03a96374556962a3ba560ca5c9f8c99a72c9
Author: Krzysztof Kozlowski <krzk@kernel.org>
Date:   Tue Jan 11 21:13:59 2022 +0100

    pinctrl: samsung: drop pin banks references on error paths
    
    commit 50ebd19e3585b9792e994cfa8cbee8947fe06371 upstream.
    
    The driver iterates over its devicetree children with
    for_each_child_of_node() and stores for later found node pointer.  This
    has to be put in error paths to avoid leak during re-probing.
    
    Fixes: ab663789d697 ("pinctrl: samsung: Match pin banks with their device nodes")
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
    Reviewed-by: Sam Protsenko <semen.protsenko@linaro.org>
    Reviewed-by: Chanho Park <chanho61.park@samsung.com>
    Link: https://lore.kernel.org/r/20220111201426.326777-2-krzysztof.kozlowski@canonical.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 438068f4912183a59fcb6b7496a06437f7fd4e2b
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Mar 15 13:30:09 2022 +0300

    NFSD: prevent underflow in nfssvc_decode_writeargs()
    
    commit 184416d4b98509fb4c3d8fc3d6dc1437896cc159 upstream.
    
    Smatch complains:
    
            fs/nfsd/nfsxdr.c:341 nfssvc_decode_writeargs()
            warn: no lower bound on 'args->len'
    
    Change the type to unsigned to prevent this issue.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit dd7d3a609aac160bf3cbce5a4bc52358da346d10
Author: NeilBrown <neilb@suse.de>
Date:   Tue Mar 8 13:42:17 2022 +1100

    SUNRPC: avoid race between mod_timer() and del_timer_sync()
    
    commit 3848e96edf4788f772d83990022fa7023a233d83 upstream.
    
    xprt_destory() claims XPRT_LOCKED and then calls del_timer_sync().
    Both xprt_unlock_connect() and xprt_release() call
     ->release_xprt()
    which drops XPRT_LOCKED and *then* xprt_schedule_autodisconnect()
    which calls mod_timer().
    
    This may result in mod_timer() being called *after* del_timer_sync().
    When this happens, the timer may fire long after the xprt has been freed,
    and run_timer_softirq() will probably crash.
    
    The pairing of ->release_xprt() and xprt_schedule_autodisconnect() is
    always called under ->transport_lock.  So if we take ->transport_lock to
    call del_timer_sync(), we can be sure that mod_timer() will run first
    (if it runs at all).
    
    Cc: stable@vger.kernel.org
    Signed-off-by: NeilBrown <neilb@suse.de>
    Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2b54b8a6d704d398c2b2c4179fbe32a149109181
Author: Bagas Sanjaya <bagasdotme@gmail.com>
Date:   Mon Mar 14 18:33:29 2022 +0700

    Documentation: update stable tree link
    
    commit 555d44932c67e617d89bc13c81c7efac5b51fcfa upstream.
    
    The link to stable tree is redirected to
    https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git. Update
    accordingly.
    
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Cc: Sasha Levin <sashal@kernel.org>
    Cc: Jonathan Corbet <corbet@lwn.net>
    Cc: stable@vger.kernel.org
    Cc: linux-kernel@vger.kernel.org
    Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
    Link: https://lore.kernel.org/r/20220314113329.485372-6-bagasdotme@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit baa81082167dda509ec5ece53e9cd697f841af11
Author: Bagas Sanjaya <bagasdotme@gmail.com>
Date:   Mon Mar 14 18:33:28 2022 +0700

    Documentation: add link to stable release candidate tree
    
    commit 587d39b260c4d090166314d64be70b1f6a26b0b5 upstream.
    
    There is also stable release candidate tree. Mention it, however with a
    warning that the tree is for testing purposes.
    
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Cc: Sasha Levin <sashal@kernel.org>
    Cc: Jonathan Corbet <corbet@lwn.net>
    Cc: stable@vger.kernel.org
    Cc: linux-kernel@vger.kernel.org
    Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
    Link: https://lore.kernel.org/r/20220314113329.485372-5-bagasdotme@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f1442ed84c43610ca8ab77deb9ca991e7354746c
Author: Jann Horn <jannh@google.com>
Date:   Sat Mar 19 02:08:37 2022 +0100

    ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on PTRACE_SEIZE
    
    commit ee1fee900537b5d9560e9f937402de5ddc8412f3 upstream.
    
    Setting PTRACE_O_SUSPEND_SECCOMP is supposed to be a highly privileged
    operation because it allows the tracee to completely bypass all seccomp
    filters on kernels with CONFIG_CHECKPOINT_RESTORE=y. It is only supposed to
    be settable by a process with global CAP_SYS_ADMIN, and only if that
    process is not subject to any seccomp filters at all.
    
    However, while these permission checks were done on the PTRACE_SETOPTIONS
    path, they were missing on the PTRACE_SEIZE path, which also sets
    user-specified ptrace flags.
    
    Move the permissions checks out into a helper function and let both
    ptrace_attach() and ptrace_setoptions() call it.
    
    Cc: stable@kernel.org
    Fixes: 13c4a90119d2 ("seccomp: add ptrace options for suspend/resume")
    Signed-off-by: Jann Horn <jannh@google.com>
    Link: https://lkml.kernel.org/r/20220319010838.1386861-1-jannh@google.com
    Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c2fbfa0769bb847501291a6415383a82f7380522
Author: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
Date:   Wed Mar 9 15:55:18 2022 +0900

    clk: uniphier: Fix fixed-rate initialization
    
    commit ca85a66710a8a1f6b0719397225c3e9ee0abb692 upstream.
    
    Fixed-rate clocks in UniPhier don't have any parent clocks, however,
    initial data "init.flags" isn't initialized, so it might be determined
    that there is a parent clock for fixed-rate clock.
    
    This sets init.flags to zero as initialization.
    
    Cc: <stable@vger.kernel.org>
    Fixes: 734d82f4a678 ("clk: uniphier: add core support code for UniPhier clock driver")
    Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
    Link: https://lore.kernel.org/r/1646808918-30899-1-git-send-email-hayashi.kunihiko@socionext.com
    Signed-off-by: Stephen Boyd <sboyd@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 969a2985a1084add885d6d693d61d3af6e12edc8
Author: Liam Beguin <liambeguin@gmail.com>
Date:   Sat Jan 8 15:53:06 2022 -0500

    iio: inkern: make a best effort on offset calculation
    
    commit ca85123354e1a65a22170286387b4791997fe864 upstream.
    
    iio_convert_raw_to_processed_unlocked() assumes the offset is an
    integer. Make a best effort to get a valid offset value for fractional
    cases without breaking implicit truncations.
    
    Fixes: 48e44ce0f881 ("iio:inkern: Add function to read the processed value")
    Signed-off-by: Liam Beguin <liambeguin@gmail.com>
    Reviewed-by: Peter Rosin <peda@axentia.se>
    Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
    Link: https://lore.kernel.org/r/20220108205319.2046348-4-liambeguin@gmail.com
    Cc: <Stable@vger.kernel.org>
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 40e7d18871f3237bce2e49e56ce7e59a9f2d0c65
Author: Liam Beguin <liambeguin@gmail.com>
Date:   Sat Jan 8 15:53:05 2022 -0500

    iio: inkern: apply consumer scale when no channel scale is available
    
    commit 14b457fdde38de594a4bc4bd9075019319d978da upstream.
    
    When a consumer calls iio_read_channel_processed() and no channel scale
    is available, it's assumed that the scale is one and the raw value is
    returned as expected.
    
    On the other hand, if the consumer calls iio_convert_raw_to_processed()
    the scaling factor requested by the consumer is not applied.
    
    This for example causes the consumer to process mV when expecting uV.
    Make sure to always apply the scaling factor requested by the consumer.
    
    Fixes: adc8ec5ff183 ("iio: inkern: pass through raw values if no scaling")
    Signed-off-by: Liam Beguin <liambeguin@gmail.com>
    Reviewed-by: Peter Rosin <peda@axentia.se>
    Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
    Link: https://lore.kernel.org/r/20220108205319.2046348-3-liambeguin@gmail.com
    Cc: <Stable@vger.kernel.org>
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bfa6a051e70db3031ab1bbb32249517d096d2cc3
Author: Liam Beguin <liambeguin@gmail.com>
Date:   Sat Jan 8 15:53:04 2022 -0500

    iio: inkern: apply consumer scale on IIO_VAL_INT cases
    
    commit 1bca97ff95c732a516ebb68da72814194980e0a5 upstream.
    
    When a consumer calls iio_read_channel_processed() and the channel has
    an integer scale, the scale channel scale is applied and the processed
    value is returned as expected.
    
    On the other hand, if the consumer calls iio_convert_raw_to_processed()
    the scaling factor requested by the consumer is not applied.
    
    This for example causes the consumer to process mV when expecting uV.
    Make sure to always apply the scaling factor requested by the consumer.
    
    Fixes: 48e44ce0f881 ("iio:inkern: Add function to read the processed value")
    Signed-off-by: Liam Beguin <liambeguin@gmail.com>
    Reviewed-by: Peter Rosin <peda@axentia.se>
    Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
    Link: https://lore.kernel.org/r/20220108205319.2046348-2-liambeguin@gmail.com
    Cc: <Stable@vger.kernel.org>
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0ee84d706cd363eafd43ef4cdc15c642ab44df36
Author: James Clark <james.clark@arm.com>
Date:   Thu Jan 20 11:30:47 2022 +0000

    coresight: Fix TRCCONFIGR.QE sysfs interface
    
    commit ea75a342aed5ed72c87f38fbe0df2f5df7eae374 upstream.
    
    It's impossible to program a valid value for TRCCONFIGR.QE
    when TRCIDR0.QSUPP==0b10. In that case the following is true:
    
      Q element support is implemented, and only supports Q elements without
      instruction counts. TRCCONFIGR.QE can only take the values 0b00 or 0b11.
    
    Currently the low bit of QSUPP is checked to see if the low bit of QE can
    be written to, but as you can see when QSUPP==0b10 the low bit is cleared
    making it impossible to ever write the only valid value of 0b11 to QE.
    0b10 would be written instead, which is a reserved QE value even for all
    values of QSUPP.
    
    The fix is to allow writing the low bit of QE for any non zero value of
    QSUPP.
    
    This change also ensures that the low bit is always set, even when the
    user attempts to only set the high bit.
    
    Signed-off-by: James Clark <james.clark@arm.com>
    Reviewed-by: Mike Leach <mike.leach@linaro.org>
    Fixes: d8c66962084f ("coresight-etm4x: Controls pertaining to the reset, mode, pe and events")
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/20220120113047.2839622-2-james.clark@arm.com
    Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
    Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit afed7e5f7e1b84995598f0bf71e99408c3d1194e
Author: Alan Stern <stern@rowland.harvard.edu>
Date:   Thu Mar 17 16:39:10 2022 -0400

    USB: usb-storage: Fix use of bitfields for hardware data in ene_ub6250.c
    
    commit 1892bf90677abcad7f06e897e308f5c3e3618dd4 upstream.
    
    The kernel test robot found a problem with the ene_ub6250 subdriver in
    usb-storage: It uses structures containing bitfields to represent
    hardware bits in its SD_STATUS, MS_STATUS, and SM_STATUS bytes.  This
    is not safe; it presumes a particular bit ordering and it assumes the
    compiler will not insert padding, neither of which is guaranteed.
    
    This patch fixes the problem by changing the structures to simple u8
    values, with the bitfields replaced by bitmask constants.
    
    CC: <stable@vger.kernel.org>
    Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
    Link: https://lore.kernel.org/r/YjOcbuU106UpJ/V8@rowland.harvard.edu
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 87dbe0322c6f7831df351d341489d58c29ef32a1
Author: Xie Yongji <xieyongji@bytedance.com>
Date:   Tue Oct 26 22:40:15 2021 +0800

    virtio-blk: Use blk_validate_block_size() to validate block size
    
    commit 57a13a5b8157d9a8606490aaa1b805bafe6c37e1 upstream.
    
    The block layer can't support a block size larger than
    page size yet. And a block size that's too small or
    not a power of two won't work either. If a misconfigured
    device presents an invalid block size in configuration space,
    it will result in the kernel crash something like below:
    
    [  506.154324] BUG: kernel NULL pointer dereference, address: 0000000000000008
    [  506.160416] RIP: 0010:create_empty_buffers+0x24/0x100
    [  506.174302] Call Trace:
    [  506.174651]  create_page_buffers+0x4d/0x60
    [  506.175207]  block_read_full_page+0x50/0x380
    [  506.175798]  ? __mod_lruvec_page_state+0x60/0xa0
    [  506.176412]  ? __add_to_page_cache_locked+0x1b2/0x390
    [  506.177085]  ? blkdev_direct_IO+0x4a0/0x4a0
    [  506.177644]  ? scan_shadow_nodes+0x30/0x30
    [  506.178206]  ? lru_cache_add+0x42/0x60
    [  506.178716]  do_read_cache_page+0x695/0x740
    [  506.179278]  ? read_part_sector+0xe0/0xe0
    [  506.179821]  read_part_sector+0x36/0xe0
    [  506.180337]  adfspart_check_ICS+0x32/0x320
    [  506.180890]  ? snprintf+0x45/0x70
    [  506.181350]  ? read_part_sector+0xe0/0xe0
    [  506.181906]  bdev_disk_changed+0x229/0x5c0
    [  506.182483]  blkdev_get_whole+0x6d/0x90
    [  506.183013]  blkdev_get_by_dev+0x122/0x2d0
    [  506.183562]  device_add_disk+0x39e/0x3c0
    [  506.184472]  virtblk_probe+0x3f8/0x79b [virtio_blk]
    [  506.185461]  virtio_dev_probe+0x15e/0x1d0 [virtio]
    
    So let's use a block layer helper to validate the block size.
    
    Signed-off-by: Xie Yongji <xieyongji@bytedance.com>
    Acked-by: Michael S. Tsirkin <mst@redhat.com>
    Link: https://lore.kernel.org/r/20211026144015.188-5-xieyongji@bytedance.com
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Lee Jones <lee.jones@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit cb55a760a24b1458e856141c43922e88bd1fbcd8
Author: Xie Yongji <xieyongji@bytedance.com>
Date:   Tue Oct 26 22:40:12 2021 +0800

    block: Add a helper to validate the block size
    
    commit 570b1cac477643cbf01a45fa5d018430a1fddbce upstream.
    
    There are some duplicated codes to validate the block
    size in block drivers. This limitation actually comes
    from block layer, so this patch tries to add a new block
    layer helper for that.
    
    Signed-off-by: Xie Yongji <xieyongji@bytedance.com>
    Link: https://lore.kernel.org/r/20211026144015.188-2-xieyongji@bytedance.com
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Lee Jones <lee.jones@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 473a66f99cb8173c14138c5a5c69bfad04e8f9ac
Author: Lino Sanfilippo <LinoSanfilippo@gmx.de>
Date:   Wed Mar 2 10:43:53 2022 +0100

    tpm: fix reference counting for struct tpm_chip
    
    commit 7e0438f83dc769465ee663bb5dcf8cc154940712 upstream.
    
    The following sequence of operations results in a refcount warning:
    
    1. Open device /dev/tpmrm.
    2. Remove module tpm_tis_spi.
    3. Write a TPM command to the file descriptor opened at step 1.
    
    ------------[ cut here ]------------
    WARNING: CPU: 3 PID: 1161 at lib/refcount.c:25 kobject_get+0xa0/0xa4
    refcount_t: addition on 0; use-after-free.
    Modules linked in: tpm_tis_spi tpm_tis_core tpm mdio_bcm_unimac brcmfmac
    sha256_generic libsha256 sha256_arm hci_uart btbcm bluetooth cfg80211 vc4
    brcmutil ecdh_generic ecc snd_soc_core crc32_arm_ce libaes
    raspberrypi_hwmon ac97_bus snd_pcm_dmaengine bcm2711_thermal snd_pcm
    snd_timer genet snd phy_generic soundcore [last unloaded: spi_bcm2835]
    CPU: 3 PID: 1161 Comm: hold_open Not tainted 5.10.0ls-main-dirty #2
    Hardware name: BCM2711
    [<c0410c3c>] (unwind_backtrace) from [<c040b580>] (show_stack+0x10/0x14)
    [<c040b580>] (show_stack) from [<c1092174>] (dump_stack+0xc4/0xd8)
    [<c1092174>] (dump_stack) from [<c0445a30>] (__warn+0x104/0x108)
    [<c0445a30>] (__warn) from [<c0445aa8>] (warn_slowpath_fmt+0x74/0xb8)
    [<c0445aa8>] (warn_slowpath_fmt) from [<c08435d0>] (kobject_get+0xa0/0xa4)
    [<c08435d0>] (kobject_get) from [<bf0a715c>] (tpm_try_get_ops+0x14/0x54 [tpm])
    [<bf0a715c>] (tpm_try_get_ops [tpm]) from [<bf0a7d6c>] (tpm_common_write+0x38/0x60 [tpm])
    [<bf0a7d6c>] (tpm_common_write [tpm]) from [<c05a7ac0>] (vfs_write+0xc4/0x3c0)
    [<c05a7ac0>] (vfs_write) from [<c05a7ee4>] (ksys_write+0x58/0xcc)
    [<c05a7ee4>] (ksys_write) from [<c04001a0>] (ret_fast_syscall+0x0/0x4c)
    Exception stack(0xc226bfa8 to 0xc226bff0)
    bfa0:                   00000000 000105b4 00000003 beafe664 00000014 00000000
    bfc0: 00000000 000105b4 000103f8 00000004 00000000 00000000 b6f9c000 beafe684
    bfe0: 0000006c beafe648 0001056c b6eb6944
    ---[ end trace d4b8409def9b8b1f ]---
    
    The reason for this warning is the attempt to get the chip->dev reference
    in tpm_common_write() although the reference counter is already zero.
    
    Since commit 8979b02aaf1d ("tpm: Fix reference count to main device") the
    extra reference used to prevent a premature zero counter is never taken,
    because the required TPM_CHIP_FLAG_TPM2 flag is never set.
    
    Fix this by moving the TPM 2 character device handling from
    tpm_chip_alloc() to tpm_add_char_device() which is called at a later point
    in time when the flag has been set in case of TPM2.
    
    Commit fdc915f7f719 ("tpm: expose spaces via a device link /dev/tpmrm<n>")
    already introduced function tpm_devs_release() to release the extra
    reference but did not implement the required put on chip->devs that results
    in the call of this function.
    
    Fix this by putting chip->devs in tpm_chip_unregister().
    
    Finally move the new implementation for the TPM 2 handling into a new
    function to avoid multiple checks for the TPM_CHIP_FLAG_TPM2 flag in the
    good case and error cases.
    
    Cc: stable@vger.kernel.org
    Fixes: fdc915f7f719 ("tpm: expose spaces via a device link /dev/tpmrm<n>")
    Fixes: 8979b02aaf1d ("tpm: Fix reference count to main device")
    Co-developed-by: Jason Gunthorpe <jgg@ziepe.ca>
    Signed-off-by: Jason Gunthorpe <jgg@ziepe.ca>
    Signed-off-by: Lino Sanfilippo <LinoSanfilippo@gmx.de>
    Tested-by: Stefan Berger <stefanb@linux.ibm.com>
    Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
    Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
    Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0ab55e14cf5fd40c39109969c8b04a25870f5d1e
Author: Miklos Szeredi <mszeredi@redhat.com>
Date:   Mon Mar 7 16:30:44 2022 +0100

    fuse: fix pipe buffer lifetime for direct_io
    
    commit 0c4bcfdecb1ac0967619ee7ff44871d93c08c909 upstream.
    
    In FOPEN_DIRECT_IO mode, fuse_file_write_iter() calls
    fuse_direct_write_iter(), which normally calls fuse_direct_io(), which then
    imports the write buffer with fuse_get_user_pages(), which uses
    iov_iter_get_pages() to grab references to userspace pages instead of
    actually copying memory.
    
    On the filesystem device side, these pages can then either be read to
    userspace (via fuse_dev_read()), or splice()d over into a pipe using
    fuse_dev_splice_read() as pipe buffers with &nosteal_pipe_buf_ops.
    
    This is wrong because after fuse_dev_do_read() unlocks the FUSE request,
    the userspace filesystem can mark the request as completed, causing write()
    to return. At that point, the userspace filesystem should no longer have
    access to the pipe buffer.
    
    Fix by copying pages coming from the user address space to new pipe
    buffers.
    
    Reported-by: Jann Horn <jannh@google.com>
    Fixes: c3021629a0d8 ("fuse: support splice() reading from fuse device")
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
    Signed-off-by: Zach O'Keefe <zokeefe@google.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit fcdaaeb7eb5d52941ceb2fdcec0e2170c9bf3031
Author: Haimin Zhang <tcs_kernel@tencent.com>
Date:   Tue Mar 8 11:20:28 2022 +0800

    af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register
    
    [ Upstream commit 9a564bccb78a76740ea9d75a259942df8143d02c ]
    
    Add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register
    to initialize the buffer of supp_skb to fix a kernel-info-leak issue.
    1) Function pfkey_register calls compose_sadb_supported to request
    a sk_buff. 2) compose_sadb_supported calls alloc_sbk to allocate
    a sk_buff, but it doesn't zero it. 3) If auth_len is greater 0, then
    compose_sadb_supported treats the memory as a struct sadb_supported and
    begins to initialize. But it just initializes the field sadb_supported_len
    and field sadb_supported_exttype without field sadb_supported_reserved.
    
    Reported-by: TCS Robot <tcs_robot@tencent.com>
    Signed-off-by: Haimin Zhang <tcs_kernel@tencent.com>
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 7a3d208f349de65e82a913a560edda002d1dc54d
Author: Biju Das <biju.das.jz@bp.renesas.com>
Date:   Wed Mar 16 17:53:17 2022 +0000

    spi: Fix erroneous sgs value with min_t()
    
    [ Upstream commit ebc4cb43ea5ada3db46c80156fca58a54b9bbca8 ]
    
    While computing sgs in spi_map_buf(), the data type
    used in min_t() for max_seg_size is 'unsigned int' where
    as that of ctlr->max_dma_len is 'size_t'.
    
    min_t(unsigned int,x,y) gives wrong results if one of x/y is
    'size_t'
    
    Consider the below examples on a 64-bit machine (ie size_t is
    64-bits, and unsigned int is 32-bit).
        case 1) min_t(unsigned int, 5, 0x100000001);
        case 2) min_t(size_t, 5, 0x100000001);
    
    Case 1 returns '1', where as case 2 returns '5'. As you can see
    the result from case 1 is wrong.
    
    This patch fixes the above issue by using the data type of the
    parameters that are used in min_t with maximum data length.
    
    Fixes: commit 1a4e53d2fc4f68aa ("spi: Fix invalid sgs value")
    Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
    Suggested-by: Geert Uytterhoeven <geert+renesas@glider.be>
    Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
    Reviewed-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
    Link: https://lore.kernel.org/r/20220316175317.465-1-biju.das.jz@bp.renesas.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit fa13ca630e73184cbda684fef7d33e8edc698041
Author: Biju Das <biju.das.jz@bp.renesas.com>
Date:   Mon Mar 7 18:48:43 2022 +0000

    spi: Fix invalid sgs value
    
    [ Upstream commit 1a4e53d2fc4f68aa654ad96d13ad042e1a8e8a7d ]
    
    max_seg_size is unsigned int and it can have a value up to 2^32
    (for eg:-RZ_DMAC driver sets dma_set_max_seg_size as U32_MAX)
    When this value is used in min_t() as an integer type, it becomes
    -1 and the value of sgs becomes 0.
    
    Fix this issue by replacing the 'int' data type with 'unsigned int'
    in min_t().
    
    Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
    Reviewed-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
    Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
    Link: https://lore.kernel.org/r/20220307184843.9994-1-biju.das.jz@bp.renesas.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit e4ba28fbe9035e79ac5c397c67fcb404aa439ec1
Author: Zheyu Ma <zheyuma97@gmail.com>
Date:   Sat Mar 5 14:55:04 2022 +0000

    ethernet: sun: Free the coherent when failing in probing
    
    [ Upstream commit bb77bd31c281f70ec77c9c4f584950a779e05cf8 ]
    
    When the driver fails to register net device, it should free the DMA
    region first, and then do other cleanup.
    
    Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
    Reviewed-by: Andrew Lunn <andrew@lunn.ch>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit ce1a7ed741357c08c520a44734afb51567fb0b07
Author: Michael S. Tsirkin <mst@redhat.com>
Date:   Tue Oct 5 03:04:10 2021 -0400

    virtio_console: break out of buf poll on remove
    
    [ Upstream commit 0e7174b9d5877130fec41fb4a16e0c2ee4958d44 ]
    
    A common pattern for device reset is currently:
    vdev->config->reset(vdev);
    .. cleanup ..
    
    reset prevents new interrupts from arriving and waits for interrupt
    handlers to finish.
    
    However if - as is common - the handler queues a work request which is
    flushed during the cleanup stage, we have code adding buffers / trying
    to get buffers while device is reset. Not good.
    
    This was reproduced by running
            modprobe virtio_console
            modprobe -r virtio_console
    in a loop.
    
    Fix this up by calling virtio_break_device + flush before reset.
    
    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1786239
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 46291a4f2cdb817a7f7c991a9ec0d7a3882c2421
Author: Yajun Deng <yajun.deng@linux.dev>
Date:   Thu Aug 5 19:54:34 2021 +0800

    netdevice: add the case if dev is NULL
    
    commit b37a466837393af72fe8bcb8f1436410f3f173f3 upstream.
    
    Add the case if dev is NULL in dev_{put, hold}, so the caller doesn't
    need to care whether dev is NULL or not.
    
    Signed-off-by: Yajun Deng <yajun.deng@linux.dev>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Cc: Pavel Machek <pavel@denx.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4c0cfd551d5fa7f79d2184959cff6143c9dee240
Author: Johan Hovold <johan@kernel.org>
Date:   Mon Feb 28 09:49:19 2022 +0100

    USB: serial: simple: add Nokia phone driver
    
    commit c4b9c570965f75d0d55e639747f1e5ccdad2fae0 upstream.
    
    Add a new "simple" driver for certain Nokia phones, including Nokia 130
    (RM-1035) which exposes two serial ports in "charging only" mode:
    
    Bus 001 Device 009: ID 0421:069a Nokia Mobile Phones 130 [RM-1035] (Charging only)
    Device Descriptor:
      bLength                18
      bDescriptorType         1
      bcdUSB               2.00
      bDeviceClass            0
      bDeviceSubClass         0
      bDeviceProtocol         0
      bMaxPacketSize0         8
      idVendor           0x0421 Nokia Mobile Phones
      idProduct          0x069a 130 [RM-1035] (Charging only)
      bcdDevice            1.00
      iManufacturer           1 Nokia
      iProduct                2 Nokia 130 (RM-1035)
      iSerial                 0
      bNumConfigurations      1
      Configuration Descriptor:
        bLength                 9
        bDescriptorType         2
        wTotalLength       0x0037
        bNumInterfaces          2
        bConfigurationValue     1
        iConfiguration          0
        bmAttributes         0x80
          (Bus Powered)
        MaxPower              500mA
        Interface Descriptor:
          bLength                 9
          bDescriptorType         4
          bInterfaceNumber        0
          bAlternateSetting       0
          bNumEndpoints           2
          bInterfaceClass       255 Vendor Specific Class
          bInterfaceSubClass    255 Vendor Specific Subclass
          bInterfaceProtocol    255 Vendor Specific Protocol
          iInterface              0
          Endpoint Descriptor:
            bLength                 7
            bDescriptorType         5
            bEndpointAddress     0x81  EP 1 IN
            bmAttributes            2
              Transfer Type            Bulk
              Synch Type               None
              Usage Type               Data
            wMaxPacketSize     0x0040  1x 64 bytes
            bInterval               0
          Endpoint Descriptor:
            bLength                 7
            bDescriptorType         5
            bEndpointAddress     0x01  EP 1 OUT
            bmAttributes            2
              Transfer Type            Bulk
              Synch Type               None
              Usage Type               Data
            wMaxPacketSize     0x0040  1x 64 bytes
            bInterval               0
        Interface Descriptor:
          bLength                 9
          bDescriptorType         4
          bInterfaceNumber        1
          bAlternateSetting       0
          bNumEndpoints           2
          bInterfaceClass       255 Vendor Specific Class
          bInterfaceSubClass    255 Vendor Specific Subclass
          bInterfaceProtocol    255 Vendor Specific Protocol
          iInterface              0
          Endpoint Descriptor:
            bLength                 7
            bDescriptorType         5
            bEndpointAddress     0x82  EP 2 IN
            bmAttributes            2
              Transfer Type            Bulk
              Synch Type               None
              Usage Type               Data
            wMaxPacketSize     0x0040  1x 64 bytes
            bInterval               0
          Endpoint Descriptor:
            bLength                 7
            bDescriptorType         5
            bEndpointAddress     0x02  EP 2 OUT
            bmAttributes            2
              Transfer Type            Bulk
              Synch Type               None
              Usage Type               Data
            wMaxPacketSize     0x0040  1x 64 bytes
            bInterval               0
    Device Status:     0x0000
      (Bus Powered)
    
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/20220228084919.10656-1-johan@kernel.org
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6485772ca4d0f7eab266f9d363d7715c339f2223
Author: Eddie James <eajames@linux.ibm.com>
Date:   Tue Mar 1 16:44:46 2022 -0600

    USB: serial: pl2303: add IBM device IDs
    
    commit e1d15646565b284e9ef2433234d6cfdaf66695f1 upstream.
    
    IBM manufactures a PL2303 device for UPS communications. Add the vendor
    and product IDs so that the PL2303 driver binds to the device.
    
    Signed-off-by: Eddie James <eajames@linux.ibm.com>
    Signed-off-by: Joel Stanley <joel@jms.id.au>
    Signed-off-by: Eddie James <eajames@linux.ibm.com>
    Link: https://lore.kernel.org/r/20220301224446.21236-1-eajames@linux.ibm.com
    Cc: stable@vger.kernel.org
    [ johan: amend the SoB chain ]
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>