commit 3033e5726834e4c9c8c48cdb2273f33bd105f938
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Sat Nov 6 13:58:45 2021 +0100

    Linux 4.19.216
    
    Link: https://lore.kernel.org/r/20211104141158.037189396@linuxfoundation.org
    Tested-by: Shuah Khan <skhan@linuxfoundation.org>
    Tested-by: Jon Hunter <jonathanh@nvidia.com>
    Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
    Tested-by: Sudip Mukherjee <sudip.mukherjee@codethink.co.uk>
    Tested-by: Pavel Machek (CIP) <pavel@denx.de>
    Tested-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit de4868f6b081733490e1d2828644c4b157f19c87
Author: Wang Kefeng <wangkefeng.wang@huawei.com>
Date:   Mon Aug 23 10:41:42 2021 +0100

    ARM: 9120/1: Revert "amba: make use of -1 IRQs warn"
    
    commit eb4f756915875b0ea0757751cd29841f0504d547 upstream.
    
    After commit 77a7300abad7 ("of/irq: Get rid of NO_IRQ usage"),
    the no-irq case has been removed; irq_of_parse_and_map() will return
    0 in all cases when it gets an error from parsing and mapping an
    interrupt into the Linux virq space.
    
    amba_device_register() is only used on no-DT initialization, see
      s3c64xx_pl080_init()          arch/arm/mach-s3c/pl080.c
      ep93xx_init_devices()         arch/arm/mach-ep93xx/core.c
    
    They won't set irq[0] to -1, so there is no need for the warning.
    
    This reverts commit 2eac58d5026e4ec8b17ff8b62877fea9e1d2f1b3.
    
    Reviewed-by: Rob Herring <robh@kernel.org>
    Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
    Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d4fe42d646f277dfbc8a6cbc82bc4c8a12dd7798
Author: Arnd Bergmann <arnd@arndb.de>
Date:   Wed Nov 11 17:52:58 2020 +0100

    arch: pgtable: define MAX_POSSIBLE_PHYSMEM_BITS where needed
    
    commit cef397038167ac15d085914493d6c86385773709 upstream.
    
    Stefan Agner reported a bug when using zsram on 32-bit Arm machines
    with RAM above the 4GB address boundary:
    
      Unable to handle kernel NULL pointer dereference at virtual address 00000000
      pgd = a27bd01c
      [00000000] *pgd=236a0003, *pmd=1ffa64003
      Internal error: Oops: 207 [#1] SMP ARM
      Modules linked in: mdio_bcm_unimac(+) brcmfmac cfg80211 brcmutil raspberrypi_hwmon hci_uart crc32_arm_ce bcm2711_thermal phy_generic genet
      CPU: 0 PID: 123 Comm: mkfs.ext4 Not tainted 5.9.6 #1
      Hardware name: BCM2711
      PC is at zs_map_object+0x94/0x338
      LR is at zram_bvec_rw.constprop.0+0x330/0xa64
      pc : [<c0602b38>]    lr : [<c0bda6a0>]    psr: 60000013
      sp : e376bbe0  ip : 00000000  fp : c1e2921c
      r10: 00000002  r9 : c1dda730  r8 : 00000000
      r7 : e8ff7a00  r6 : 00000000  r5 : 02f9ffa0  r4 : e3710000
      r3 : 000fdffe  r2 : c1e0ce80  r1 : ebf979a0  r0 : 00000000
      Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
      Control: 30c5383d  Table: 235c2a80  DAC: fffffffd
      Process mkfs.ext4 (pid: 123, stack limit = 0x495a22e6)
      Stack: (0xe376bbe0 to 0xe376c000)
    
    As it turns out, zsram needs to know the maximum memory size, which
    is defined in MAX_PHYSMEM_BITS when CONFIG_SPARSEMEM is set, or in
    MAX_POSSIBLE_PHYSMEM_BITS on the x86 architecture.
    
    The same problem will be hit on all 32-bit architectures that have a
    physical address space larger than 4GB and happen to not enable sparsemem
    and include asm/sparsemem.h from asm/pgtable.h.
    
    After the initial discussion, I suggested just always defining
    MAX_POSSIBLE_PHYSMEM_BITS whenever CONFIG_PHYS_ADDR_T_64BIT is
    set, or provoking a build error otherwise. This addresses all
    configurations that can currently have this runtime bug, but
    leaves all other configurations unchanged.
    
    I looked up the possible number of bits in source code and
    datasheets, here is what I found:
    
     - on ARC, CONFIG_ARC_HAS_PAE40 controls whether 32 or 40 bits are used
     - on ARM, CONFIG_LPAE enables 40 bit addressing, without it we never
       support more than 32 bits, even though supersections in theory allow
       up to 40 bits as well.
     - on MIPS, some MIPS32r1 or later chips support 36 bits, and MIPS32r5
       XPA supports up to 60 bits in theory, but 40 bits are more than
       anyone will ever ship
     - On PowerPC, there are three different implementations of 36 bit
       addressing, but 32-bit is used without CONFIG_PTE_64BIT
     - On RISC-V, the normal page table format can support 34 bit
       addressing. There is no highmem support on RISC-V, so anything
       above 2GB is unused, but it might be useful to eventually support
       CONFIG_ZRAM for high pages.
    
    Fixes: 61989a80fb3a ("staging: zsmalloc: zsmalloc memory allocation library")
    Fixes: 02390b87a945 ("mm/zsmalloc: Prepare to variable MAX_PHYSMEM_BITS")
    Acked-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
    Reviewed-by: Stefan Agner <stefan@agner.ch>
    Tested-by: Stefan Agner <stefan@agner.ch>
    Acked-by: Mike Rapoport <rppt@linux.ibm.com>
    Link: https://lore.kernel.org/linux-mm/bdfa44bf1c570b05d6c70898e2bbb0acf234ecdf.1604762181.git.stefan@agner.ch/
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    [florian: patch arch/powerpc/include/asm/pte-common.h for 4.19.y]
    Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3659fd7e08cfad2717d3b61c4470d82c5942a4bb
Author: Erik Ekman <erik@kryo.se>
Date:   Sun Oct 17 19:16:57 2021 +0200

    sfc: Fix reading non-legacy supported link modes
    
    commit 041c61488236a5a84789083e3d9f0a51139b6edf upstream.
    
    Everything except the first 32 bits was lost when the pause flags were
    added. This makes the 50000baseCR2 mode flag (bit 34) not appear.
    
    I have tested this with a 10G card (SFN5122F-R7) by modifying it to
    return a non-legacy link mode (10000baseCR).
    
    Signed-off-by: Erik Ekman <erik@kryo.se>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 73d2892148aa4397a885b4f4afcfc5b27a325c42
Author: Mike Marciniszyn <mike.marciniszyn@cornelisnetworks.com>
Date:   Tue Oct 12 13:55:19 2021 -0400

    IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields
    
    commit d39bf40e55e666b5905fdbd46a0dced030ce87be upstream.
    
    Overflowing either addrlimit or bytes_togo can allow userspace to trigger
    a buffer overflow of kernel memory. Check for overflows in all the places
    doing math on user controlled buffers.
    
    Fixes: f931551bafe1 ("IB/qib: Add new qib driver for QLogic PCIe InfiniBand adapters")
    Link: https://lore.kernel.org/r/20211012175519.7298.77738.stgit@awfm-01.cornelisnetworks.com
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Reviewed-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
    Signed-off-by: Mike Marciniszyn <mike.marciniszyn@cornelisnetworks.com>
    Signed-off-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
    Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit cde048c5fe6ff79b6f26fb68d94c165d4a420c09
Author: Gustavo A. R. Silva <gustavo@embeddedor.com>
Date:   Wed May 29 10:13:26 2019 -0500

    IB/qib: Use struct_size() helper
    
    commit 829ca44ecf60e9b6f83d0161a6ef10c1304c5060 upstream.
    
    Make use of the struct_size() helper instead of an open-coded version
    in order to avoid any potential type mistakes, in particular in the
    context in which this code is being used.
    
    So, replace the following form:
    
    sizeof(*pkt) + sizeof(pkt->addr[0])*n
    
    with:
    
    struct_size(pkt, addr, n)
    
    Also, notice that variable size is unnecessary, hence it is removed.
    
    This code was detected with the help of Coccinelle.
    
    Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
    Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
    Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
    Cc: Mike Marciniszyn <mike.marciniszyn@cornelisnetworks.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
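
Added example, not part of either commit and not the driver's code: a userspace model of the size arithmetic the two IB/qib commits above deal with, showing the open-coded form from the struct_size() message wrapping on a large count while a checked form saturates to SIZE_MAX, as the kernel helper does. The struct layout, field names and pkt_alloc() are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-in for a packet header followed by a flexible array
 * of address entries; the layout is illustrative, not the driver's. */
struct pkt_entry { uint64_t addr; uint32_t len; uint32_t flags; };
struct pkt {
    size_t naddr;
    struct pkt_entry addr[];
};

/* Open-coded form quoted in the commit message: wraps silently when n
 * is large enough, yielding a size far smaller than the data needs. */
static size_t size_open_coded(size_t n)
{
    return sizeof(struct pkt) + sizeof(struct pkt_entry) * n;
}

/* Model of struct_size(pkt, addr, n): both the multiply and the add are
 * checked, and overflow saturates to SIZE_MAX so allocation must fail. */
static size_t size_checked(size_t n)
{
    size_t bytes;

    if (__builtin_mul_overflow(n, sizeof(struct pkt_entry), &bytes) ||
        __builtin_add_overflow(bytes, sizeof(struct pkt), &bytes))
        return SIZE_MAX;
    return bytes;
}

/* Hypothetical allocator: refuses any count whose size cannot be
 * represented instead of handing back a short buffer. */
static struct pkt *pkt_alloc(size_t n)
{
    size_t bytes = size_checked(n);
    struct pkt *p;

    if (bytes == SIZE_MAX)
        return NULL;
    p = calloc(1, bytes);
    if (p)
        p->naddr = n;
    return p;
}
```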

commit 53ec9dab4eb0a8140fc85760fb50effb526fe219
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Mon Jun 7 17:23:48 2021 +0200

    media: firewire: firedtv-avc: fix a buffer overflow in avc_ca_pmt()
    
    commit 35d2969ea3c7d32aee78066b1f3cf61a0d935a4e upstream.
    
    The bounds checking in avc_ca_pmt() is not strict enough.  It should
    be checking "read_pos + 4" because it's reading 5 bytes.  If the
    "es_info_length" is non-zero then it reads a 6th byte so there needs to
    be an additional check for that.
    
    I also added checks for the "write_pos".  I don't think these are
    required because "read_pos" and "write_pos" are tied together so
    checking one ought to be enough.  But they make the code easier to
    understand for me.  The check on write_pos is:
    
            if (write_pos + 4 >= sizeof(c->operand) - 4) {
    
    The first "+ 4" is because we're writing 5 bytes and the last " - 4"
    is to leave space for the CRC.
    
    The other problem is that "length" can be invalid.  It comes from
    "data_length" in fdtv_ca_pmt().
    
    Cc: stable@vger.kernel.org
    Reported-by: Luo Likang <luolikang@nsfocus.com>
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
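
Added example, not part of the commit and not the driver's code: a simplified model of the bounds checks the message above describes, with the "+ 4" read check, the check before the sixth byte, and the write check that keeps four bytes free for the CRC. OPERAND_SIZE, copy_es_entries() and the 12-bit es_info_length layout are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define OPERAND_SIZE 64 /* constructed size, not the driver's */
#define CRC_LEN 4       /* tail of the operand buffer kept for the CRC */

/*
 * Simplified model of the copy loop: each elementary-stream entry is a
 * 5-byte header whose last 12 bits are es_info_length (standard PMT
 * layout, assumed here). Returns bytes written, or -1 on bad input.
 */
static int copy_es_entries(const uint8_t *msg, size_t length,
                           uint8_t operand[OPERAND_SIZE])
{
    size_t read_pos = 0, write_pos = 0;

    while (read_pos < length) {
        size_t es_info_length;

        /* Five bytes are read: msg[read_pos] .. msg[read_pos + 4]. */
        if (read_pos + 4 >= length)
            return -1;
        /* Five bytes are written and the last four stay free. */
        if (write_pos + 4 >= OPERAND_SIZE - CRC_LEN)
            return -1;
        memcpy(operand + write_pos, msg + read_pos, 5);
        es_info_length = ((size_t)(msg[read_pos + 3] & 0x0f) << 8) |
                         msg[read_pos + 4];
        read_pos += 5;
        write_pos += 5;

        if (es_info_length) {
            /* A sixth byte follows the header; check before reading. */
            if (read_pos >= length)
                return -1;
            read_pos++; /* command id byte, consumed but not copied */
            /* Skip remaining descriptor bytes, never past the input. */
            if (es_info_length - 1 > length - read_pos)
                return -1;
            read_pos += es_info_length - 1;
        }
    }
    return (int)write_pos;
}
```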

commit c2df161f69fb1c67f63adbd193368b47f511edc0
Author: Ming Lei <ming.lei@redhat.com>
Date:   Fri Oct 8 13:01:18 2021 +0800

    scsi: core: Put LLD module refcnt after SCSI device is released
    
    commit f2b85040acec9a928b4eb1b57a989324e8e38d3f upstream.
    
    SCSI host release is triggered when SCSI device is freed. We have to make
    sure that the low-level device driver module won't be unloaded before SCSI
    host instance is released because shost->hostt is required in the release
    handler.
    
    Make sure to put LLD module refcnt after SCSI device is released.
    
    Fixes a kernel panic of 'BUG: unable to handle page fault for address'
    reported by Changhui and Yi.
    
    Link: https://lore.kernel.org/r/20211008050118.1440686-1-ming.lei@redhat.com
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Reported-by: Changhui Zhong <czhong@redhat.com>
    Reported-by: Yi Zhang <yi.zhang@redhat.com>
    Tested-by: Yi Zhang <yi.zhang@redhat.com>
    Signed-off-by: Ming Lei <ming.lei@redhat.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>