commit 7ab67fdecd1fd954fa44d6c3f3003bb67a933c4d
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Tue Jun 14 16:59:40 2022 +0200

    Linux 4.19.247
    
    Link: https://lore.kernel.org/r/20220613094923.832156175@linuxfoundation.org
    Tested-by: Pavel Machek (CIP) <pavel@denx.de>
    Tested-by: Guenter Roeck <linux@roeck-us.net>
    Tested-by: Shuah Khan <skhan@linuxfoundation.org>
    Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
    Tested-by: Sudip Mukherjee <sudip.mukherjee@codethink.co.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f2845e1504a3bc4f3381394f057e8b63cb5f3f7a
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri May 27 14:28:29 2022 -0700

    tcp: fix tcp_mtup_probe_success vs wrong snd_cwnd
    
    commit 11825765291a93d8e7f44230da67b9f607c777bf upstream.
    
    syzbot got a new report [1] finally pointing to a very old bug,
    added in initial support for MTU probing.
    
    tcp_mtu_probe() has checks about starting an MTU probe if
    tcp_snd_cwnd(tp) >= 11.
    
    But nothing prevents tcp_snd_cwnd(tp) to be reduced later
    and before the MTU probe succeeds.
    
    This bug would lead to potential zero-divides.
    
    Debugging added in commit 40570375356c ("tcp: add accessors
    to read/set tp->snd_cwnd") has paid off :)
    
    While we are at it, address potential overflows in this code.
    
    [1]
    WARNING: CPU: 1 PID: 14132 at include/net/tcp.h:1219 tcp_mtup_probe_success+0x366/0x570 net/ipv4/tcp_input.c:2712
    Modules linked in:
    CPU: 1 PID: 14132 Comm: syz-executor.2 Not tainted 5.18.0-syzkaller-07857-gbabf0bb978e3 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    RIP: 0010:tcp_snd_cwnd_set include/net/tcp.h:1219 [inline]
    RIP: 0010:tcp_mtup_probe_success+0x366/0x570 net/ipv4/tcp_input.c:2712
    Code: 74 08 48 89 ef e8 da 80 17 f9 48 8b 45 00 65 48 ff 80 80 03 00 00 48 83 c4 30 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 aa b0 c5 f8 <0f> 0b e9 16 fe ff ff 48 8b 4c 24 08 80 e1 07 38 c1 0f 8c c7 fc ff
    RSP: 0018:ffffc900079e70f8 EFLAGS: 00010287
    RAX: ffffffff88c0f7f6 RBX: ffff8880756e7a80 RCX: 0000000000040000
    RDX: ffffc9000c6c4000 RSI: 0000000000031f9e RDI: 0000000000031f9f
    RBP: 0000000000000000 R08: ffffffff88c0f606 R09: ffffc900079e7520
    R10: ffffed101011226d R11: 1ffff1101011226c R12: 1ffff1100eadcf50
    R13: ffff8880756e72c0 R14: 1ffff1100eadcf89 R15: dffffc0000000000
    FS:  00007f643236e700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007f1ab3f1e2a0 CR3: 0000000064fe7000 CR4: 00000000003506e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     <TASK>
     tcp_clean_rtx_queue+0x223a/0x2da0 net/ipv4/tcp_input.c:3356
     tcp_ack+0x1962/0x3c90 net/ipv4/tcp_input.c:3861
     tcp_rcv_established+0x7c8/0x1ac0 net/ipv4/tcp_input.c:5973
     tcp_v6_do_rcv+0x57b/0x1210 net/ipv6/tcp_ipv6.c:1476
     sk_backlog_rcv include/net/sock.h:1061 [inline]
     __release_sock+0x1d8/0x4c0 net/core/sock.c:2849
     release_sock+0x5d/0x1c0 net/core/sock.c:3404
     sk_stream_wait_memory+0x700/0xdc0 net/core/stream.c:145
     tcp_sendmsg_locked+0x111d/0x3fc0 net/ipv4/tcp.c:1410
     tcp_sendmsg+0x2c/0x40 net/ipv4/tcp.c:1448
     sock_sendmsg_nosec net/socket.c:714 [inline]
     sock_sendmsg net/socket.c:734 [inline]
     __sys_sendto+0x439/0x5c0 net/socket.c:2119
     __do_sys_sendto net/socket.c:2131 [inline]
     __se_sys_sendto net/socket.c:2127 [inline]
     __x64_sys_sendto+0xda/0xf0 net/socket.c:2127
     do_syscall_x64 arch/x86/entry/common.c:50 [inline]
     do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x46/0xb0
    RIP: 0033:0x7f6431289109
    Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
    RSP: 002b:00007f643236e168 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
    RAX: ffffffffffffffda RBX: 00007f643139c100 RCX: 00007f6431289109
    RDX: 00000000d0d0c2ac RSI: 0000000020000080 RDI: 000000000000000a
    RBP: 00007f64312e308d R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
    R13: 00007fff372533af R14: 00007f643236e300 R15: 0000000000022000
    
    Fixes: 5d424d5a674f ("[TCP]: MTU probing")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Acked-by: Yuchung Cheng <ycheng@google.com>
    Acked-by: Neal Cardwell <ncardwell@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 22a7ea95d4f2f90b1cbc6b08bc979c7318d5221d
Author: Tokunori Ikegami <ikegami.t@gmail.com>
Date:   Thu Mar 24 02:04:56 2022 +0900

    mtd: cfi_cmdset_0002: Use chip_ready() for write on S29GL064N
    
    commit 0a8e98305f63deaf0a799d5cf5532cc83af035d1 upstream.
    
    Since commit dfeae1073583("mtd: cfi_cmdset_0002: Change write buffer to
    check correct value") buffered writes fail on S29GL064N. This is
    because, on S29GL064N, reads return 0xFF at the end of DQ polling for
    write completion, where as, chip_good() check expects actual data
    written to the last location to be returned post DQ polling completion.
    Fix is to revert to using chip_good() for S29GL064N which only checks
    for DQ lines to settle down to determine write completion.
    
    Link: https://lore.kernel.org/r/b687c259-6413-26c9-d4c9-b3afa69ea124@pengutronix.de/
    Fixes: dfeae1073583("mtd: cfi_cmdset_0002: Change write buffer to check correct value")
    Cc: stable@vger.kernel.org
    Signed-off-by: Tokunori Ikegami <ikegami.t@gmail.com>
    Acked-by: Vignesh Raghavendra <vigneshr@ti.com>
    Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
    Link: https://lore.kernel.org/linux-mtd/20220323170458.5608-3-ikegami.t@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a20c3ed0bce445a657d242b5cda0fc7fdfcfbd48
Author: Tokunori Ikegami <ikegami.t@gmail.com>
Date:   Thu Mar 24 02:04:55 2022 +0900

    mtd: cfi_cmdset_0002: Move and rename chip_check/chip_ready/chip_good_for_write
    
    commit 083084df578a8bdb18334f69e7b32d690aaa3247 upstream.
    
    This is a preparation patch for the S29GL064N buffer writes fix. There
    is no functional change.
    
    Link: https://lore.kernel.org/r/b687c259-6413-26c9-d4c9-b3afa69ea124@pengutronix.de/
    Fixes: dfeae1073583("mtd: cfi_cmdset_0002: Change write buffer to check correct value")
    Signed-off-by: Tokunori Ikegami <ikegami.t@gmail.com>
    Cc: stable@vger.kernel.org
    Acked-by: Vignesh Raghavendra <vigneshr@ti.com>
    Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
    Link: https://lore.kernel.org/linux-mtd/20220323170458.5608-2-ikegami.t@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit fcfcc52ea4cf405e6dd450f0e08ee03871c32f2a
Author: Pascal Hambourg <pascal@plouf.fr.eu.org>
Date:   Wed Apr 13 08:53:56 2022 +0200

    md/raid0: Ignore RAID0 layout if the second zone has only one device
    
    commit ea23994edc4169bd90d7a9b5908c6ccefd82fa40 upstream.
    
    The RAID0 layout is irrelevant if all members have the same size so the
    array has only one zone. It is *also* irrelevant if the array has two
    zones and the second zone has only one device, for example if the array
    has two members of different sizes.
    
    So in that case it makes sense to allow assembly even when the layout is
    undefined, like what is done when the array has only one zone.
    
    Reviewed-by: NeilBrown <neilb@suse.de>
    Signed-off-by: Pascal Hambourg <pascal@plouf.fr.eu.org>
    Signed-off-by: Song Liu <song@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a0e38a2808ea708beb4196a8873cecc23efb8e64
Author: Michael Ellerman <mpe@ellerman.id.au>
Date:   Tue Jun 7 00:34:56 2022 +1000

    powerpc/32: Fix overread/overwrite of thread_struct via ptrace
    
    commit 8e1278444446fc97778a5e5c99bca1ce0bbc5ec9 upstream.
    
    The ptrace PEEKUSR/POKEUSR (aka PEEKUSER/POKEUSER) API allows a process
    to read/write registers of another process.
    
    To get/set a register, the API takes an index into an imaginary address
    space called the "USER area", where the registers of the process are
    laid out in some fashion.
    
    The kernel then maps that index to a particular register in its own data
    structures and gets/sets the value.
    
    The API only allows a single machine-word to be read/written at a time.
    So 4 bytes on 32-bit kernels and 8 bytes on 64-bit kernels.
    
    The way floating point registers (FPRs) are addressed is somewhat
    complicated, because double precision float values are 64-bit even on
    32-bit CPUs. That means on 32-bit kernels each FPR occupies two
    word-sized locations in the USER area. On 64-bit kernels each FPR
    occupies one word-sized location in the USER area.
    
    Internally the kernel stores the FPRs in an array of u64s, or if VSX is
    enabled, an array of pairs of u64s where one half of each pair stores
    the FPR. Which half of the pair stores the FPR depends on the kernel's
    endianness.
    
    To handle the different layouts of the FPRs depending on VSX/no-VSX and
    big/little endian, the TS_FPR() macro was introduced.
    
    Unfortunately the TS_FPR() macro does not take into account the fact
    that the addressing of each FPR differs between 32-bit and 64-bit
    kernels. It just takes the index into the "USER area" passed from
    userspace and indexes into the fp_state.fpr array.
    
    On 32-bit there are 64 indexes that address FPRs, but only 32 entries in
    the fp_state.fpr array, meaning the user can read/write 256 bytes past
    the end of the array. Because the fp_state sits in the middle of the
    thread_struct there are various fields than can be overwritten,
    including some pointers. As such it may be exploitable.
    
    It has also been observed to cause systems to hang or otherwise
    misbehave when using gdbserver, and is probably the root cause of this
    report which could not be easily reproduced:
      https://lore.kernel.org/linuxppc-dev/dc38afe9-6b78-f3f5-666b-986939e40fc6@keymile.com/
    
    Rather than trying to make the TS_FPR() macro even more complicated to
    fix the bug, or add more macros, instead add a special-case for 32-bit
    kernels. This is more obvious and hopefully avoids a similar bug
    happening again in future.
    
    Note that because 32-bit kernels never have VSX enabled the code doesn't
    need to consider TS_FPRWIDTH/OFFSET at all. Add a BUILD_BUG_ON() to
    ensure that 32-bit && VSX is never enabled.
    
    Fixes: 87fec0514f61 ("powerpc: PTRACE_PEEKUSR/PTRACE_POKEUSER of FPR registers in little endian builds")
    Cc: stable@vger.kernel.org # v3.13+
    Reported-by: Ariel Miculas <ariel.miculas@belden.com>
    Tested-by: Christophe Leroy <christophe.leroy@csgroup.eu>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://lore.kernel.org/r/20220609133245.573565-1-mpe@ellerman.id.au
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 29d95d5325e296b258eb01c5b0b6878d5e30d87a
Author: Mathias Nyman <mathias.nyman@linux.intel.com>
Date:   Tue Jun 7 12:11:33 2022 -0700

    Input: bcm5974 - set missing URB_NO_TRANSFER_DMA_MAP urb flag
    
    commit c42e65664390be7c1ef3838cd84956d3a2739d60 upstream.
    
    The bcm5974 driver does the allocation and dma mapping of the usb urb
    data buffer, but driver does not set the URB_NO_TRANSFER_DMA_MAP flag
    to let usb core know the buffer is already mapped.
    
    usb core tries to map the already mapped buffer, causing a warning:
    "xhci_hcd 0000:00:14.0: rejecting DMA map of vmalloc memory"
    
    Fix this by setting the URB_NO_TRANSFER_DMA_MAP, letting usb core
    know buffer is already mapped by bcm5974 driver
    
    Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
    Cc: stable@vger.kernel.org
    Link: https://bugzilla.kernel.org/show_bug.cgi?id=215890
    Link: https://lore.kernel.org/r/20220606113636.588955-1-mathias.nyman@linux.intel.com
    Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9cb5ea7e66391100ba58bd2989d3b831a3d04590
Author: Olivier Matz <olivier.matz@6wind.com>
Date:   Wed Apr 6 11:52:52 2022 +0200

    ixgbe: fix unexpected VLAN Rx in promisc mode on VF
    
    commit 7bb0fb7c63df95d6027dc50d6af3bc3bbbc25483 upstream.
    
    When the promiscuous mode is enabled on a VF, the IXGBE_VMOLR_VPE
    bit (VLAN Promiscuous Enable) is set. This means that the VF will
    receive packets whose VLAN is not the same than the VLAN of the VF.
    
    For instance, in this situation:
    
    ┌────────┐    ┌────────┐    ┌────────┐
    │        │    │        │    │        │
    │        │    │        │    │        │
    │     VF0├────┤VF1  VF2├────┤VF3     │
    │        │    │        │    │        │
    └────────┘    └────────┘    └────────┘
       VM1           VM2           VM3
    
    vf 0:  vlan 1000
    vf 1:  vlan 1000
    vf 2:  vlan 1001
    vf 3:  vlan 1001
    
    If we tcpdump on VF3, we see all the packets, even those transmitted
    on vlan 1000.
    
    This behavior prevents to bridge VF1 and VF2 in VM2, because it will
    create a loop: packets transmitted on VF1 will be received by VF2 and
    vice-versa, and bridged again through the software bridge.
    
    This patch remove the activation of VLAN Promiscuous when a VF enables
    the promiscuous mode. However, the IXGBE_VMOLR_UPE bit (Unicast
    Promiscuous) is kept, so that a VF receives all packets that has the
    same VLAN, whatever the destination MAC address.
    
    Fixes: 8443c1a4b192 ("ixgbe, ixgbevf: Add new mbox API xcast mode")
    Cc: stable@vger.kernel.org
    Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
    Signed-off-by: Olivier Matz <olivier.matz@6wind.com>
    Tested-by: Konrad Jankowski <konrad0.jankowski@intel.com>
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 48f2235ba40c016246d85b3d06c393a5334d5dd0
Author: Olivier Matz <olivier.matz@6wind.com>
Date:   Wed Apr 6 11:52:51 2022 +0200

    ixgbe: fix bcast packets Rx on VF after promisc removal
    
    commit 803e9895ea2b0fe80bc85980ae2d7a7e44037914 upstream.
    
    After a VF requested to remove the promiscuous flag on an interface, the
    broadcast packets are not received anymore. This breaks some protocols
    like ARP.
    
    In ixgbe_update_vf_xcast_mode(), we should keep the IXGBE_VMOLR_BAM
    bit (Broadcast Accept) on promiscuous removal.
    
    This flag is already set by default in ixgbe_set_vmolr() on VF reset.
    
    Fixes: 8443c1a4b192 ("ixgbe, ixgbevf: Add new mbox API xcast mode")
    Cc: stable@vger.kernel.org
    Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
    Signed-off-by: Olivier Matz <olivier.matz@6wind.com>
    Tested-by: Konrad Jankowski <konrad0.jankowski@intel.com>
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6fce324b530dd74750ad870699e33eeed1029ded
Author: Martin Faltesek <mfaltesek@google.com>
Date:   Mon Jun 6 21:57:28 2022 -0500

    nfc: st21nfca: fix memory leaks in EVT_TRANSACTION handling
    
    commit 996419e0594abb311fb958553809f24f38e7abbe upstream.
    
    Error paths do not free previously allocated memory. Add devm_kfree() to
    those failure paths.
    
    Fixes: 26fc6c7f02cb ("NFC: st21nfca: Add HCI transaction event support")
    Fixes: 4fbcc1a4cb20 ("nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION")
    Cc: stable@vger.kernel.org
    Signed-off-by: Martin Faltesek <mfaltesek@google.com>
    Reviewed-by: Guenter Roeck <groeck@chromium.org>
    Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2146a57e1abc4a1c237323f58a4bac39ea16bcbc
Author: Martin Faltesek <mfaltesek@google.com>
Date:   Mon Jun 6 21:57:27 2022 -0500

    nfc: st21nfca: fix incorrect validating logic in EVT_TRANSACTION
    
    commit 77e5fe8f176a525523ae091d6fd0fbb8834c156d upstream.
    
    The first validation check for EVT_TRANSACTION has two different checks
    tied together with logical AND. One is a check for minimum packet length,
    and the other is for a valid aid_tag. If either condition is true (fails),
    then an error should be triggered.  The fix is to change && to ||.
    
    Fixes: 26fc6c7f02cb ("NFC: st21nfca: Add HCI transaction event support")
    Cc: stable@vger.kernel.org
    Signed-off-by: Martin Faltesek <mfaltesek@google.com>
    Reviewed-by: Guenter Roeck <groeck@chromium.org>
    Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 502773224e6d640ab288f885416626c39eb25b39
Author: Adrian Hunter <adrian.hunter@intel.com>
Date:   Tue May 31 20:19:22 2022 +0300

    mmc: block: Fix CQE recovery reset success
    
    commit a051246b786af7e4a9d9219cc7038a6e8a411531 upstream.
    
    The intention of the use of mmc_blk_reset_success() in
    mmc_blk_cqe_recovery() was to prevent repeated resets when retrying and
    getting the same error. However, that may not be the case - any amount
    of time and I/O may pass before another recovery is needed, in which
    case there would be no reason to deny it the opportunity to recover via
    a reset if necessary. CQE recovery is expected seldom and failure to
    recover (if the clear tasks command fails), even more seldom, so it is
    better to allow the reset always, which can be done by calling
    mmc_blk_reset_success() always.
    
    Fixes: 1e8e55b67030c6 ("mmc: block: Add CQE support")
    Cc: stable@vger.kernel.org
    Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
    Link: https://lore.kernel.org/r/20220531171922.76080-1-adrian.hunter@intel.com
    Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a650ccd6381e5004e7ac3e86222bbef7a455370a
Author: Sergey Shtylyov <s.shtylyov@omp.ru>
Date:   Wed Jun 8 22:51:07 2022 +0300

    ata: libata-transport: fix {dma|pio|xfer}_mode sysfs files
    
    commit 72aad489f992871e908ff6d9055b26c6366fb864 upstream.
    
    The {dma|pio}_mode sysfs files are incorrectly documented as having a
    list of the supported DMA/PIO transfer modes, while the corresponding
    fields of the *struct* ata_device hold the transfer mode IDs, not masks.
    
    To match these docs, the {dma|pio}_mode (and even xfer_mode!) sysfs
    files are handled by the ata_bitfield_name_match() macro which leads to
    reading such kind of nonsense from them:
    
    $ cat /sys/class/ata_device/dev3.0/pio_mode
    XFER_UDMA_7, XFER_UDMA_6, XFER_UDMA_5, XFER_UDMA_4, XFER_MW_DMA_4,
    XFER_PIO_6, XFER_PIO_5, XFER_PIO_4, XFER_PIO_3, XFER_PIO_2, XFER_PIO_1,
    XFER_PIO_0
    
    Using the correct ata_bitfield_name_search() macro fixes that:
    
    $ cat /sys/class/ata_device/dev3.0/pio_mode
    XFER_PIO_4
    
    While fixing the file documentation, somewhat reword the {dma|pio}_mode
    file doc and add a note about being mostly useful for PATA devices to
    the xfer_mode file doc...
    
    Fixes: d9027470b886 ("[libata] Add ATA transport class")
    Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
    Cc: stable@vger.kernel.org
    Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4a31e05be47f5a47366615c0db36d70a9640d52c
Author: Shyam Prasad N <sprasad@microsoft.com>
Date:   Tue May 31 12:31:05 2022 +0000

    cifs: return errors during session setup during reconnects
    
    commit 8ea21823aa584b55ba4b861307093b78054b0c1b upstream.
    
    During reconnects, we check the return value from
    cifs_negotiate_protocol, and have handlers for both success
    and failures. But if that passes, and cifs_setup_session
    returns any errors other than -EACCES, we do not handle
    that. This fix adds a handler for that, so that we don't
    go ahead and try a tree_connect on a failed session.
    
    Signed-off-by: Shyam Prasad N <sprasad@microsoft.com>
    Reviewed-by: Enzo Matsumiya <ematsumiya@suse.de>
    Cc: stable@vger.kernel.org
    Signed-off-by: Steve French <stfrench@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8abe88f9653a0396e01afb12e6eeaf45af49106d
Author: huangwenhui <huangwenhuia@uniontech.com>
Date:   Tue Jun 7 14:56:31 2022 +0800

    ALSA: hda/conexant - Fix loopback issue with CX20632
    
    commit d5ea7544c32ba27c2c5826248e4ff58bd50a2518 upstream.
    
    On a machine with CX20632, Alsamixer doesn't have 'Loopback
    Mixing' and 'Line'.
    
    Signed-off-by: huangwenhui <huangwenhuia@uniontech.com>
    Cc: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20220607065631.10708-1-huangwenhuia@uniontech.com
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4511b505057b86a5e898b7244c715422ce59864f
Author: Xie Yongji <xieyongji@bytedance.com>
Date:   Thu May 5 18:09:10 2022 +0800

    vringh: Fix loop descriptors check in the indirect cases
    
    [ Upstream commit dbd29e0752286af74243cf891accf472b2f3edd8 ]
    
    We should use size of descriptor chain to test loop condition
    in the indirect case. And another statistical count is also introduced
    for indirect descriptors to avoid conflict with the statistical count
    of direct descriptors.
    
    Fixes: f87d0fbb5798 ("vringh: host-side implementation of virtio rings.")
    Signed-off-by: Xie Yongji <xieyongji@bytedance.com>
    Signed-off-by: Fam Zheng <fam.zheng@bytedance.com>
    Message-Id: <20220505100910.137-1-xieyongji@bytedance.com>
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    Acked-by: Jason Wang <jasowang@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 727d7f62e782786e8f95c28fa42082d0412f5e69
Author: Kees Cook <keescook@chromium.org>
Date:   Wed May 18 13:52:23 2022 -0700

    nodemask: Fix return values to be unsigned
    
    [ Upstream commit 0dfe54071d7c828a02917b595456bfde1afdddc9 ]
    
    The nodemask routines had mixed return values that provided potentially
    signed return values that could never happen. This was leading to the
    compiler getting confusing about the range of possible return values
    (it was thinking things could be negative where they could not be). Fix
    all the nodemask routines that should be returning unsigned
    (or bool) values. Silences:
    
     mm/swapfile.c: In function ‘setup_swap_info’:
     mm/swapfile.c:2291:47: error: array subscript -1 is below array bounds of ‘struct plist_node[]’ [-Werror=array-bounds]
      2291 |                                 p->avail_lists[i].prio = 1;
           |                                 ~~~~~~~~~~~~~~^~~
     In file included from mm/swapfile.c:16:
     ./include/linux/swap.h:292:27: note: while referencing ‘avail_lists’
       292 |         struct plist_node avail_lists[]; /*
           |                           ^~~~~~~~~~~
    
    Reported-by: Christophe de Dinechin <dinechin@redhat.com>
    Link: https://lore.kernel.org/lkml/20220414150855.2407137-3-dinechin@redhat.com/
    Cc: Alexey Dobriyan <adobriyan@gmail.com>
    Cc: Yury Norov <yury.norov@gmail.com>
    Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Cc: Zhen Lei <thunder.leizhen@huawei.com>
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Signed-off-by: Yury Norov <yury.norov@gmail.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 62d227f67a8c25d5e16f40e5290607f9306d2188
Author: Yu Kuai <yukuai3@huawei.com>
Date:   Sat May 21 15:37:47 2022 +0800

    nbd: fix io hung while disconnecting device
    
    [ Upstream commit 09dadb5985023e27d4740ebd17e6fea4640110e5 ]
    
    In our tests, "qemu-nbd" triggers a io hung:
    
    INFO: task qemu-nbd:11445 blocked for more than 368 seconds.
          Not tainted 5.18.0-rc3-next-20220422-00003-g2176915513ca #884
    "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
    task:qemu-nbd        state:D stack:    0 pid:11445 ppid:     1 flags:0x00000000
    Call Trace:
     <TASK>
     __schedule+0x480/0x1050
     ? _raw_spin_lock_irqsave+0x3e/0xb0
     schedule+0x9c/0x1b0
     blk_mq_freeze_queue_wait+0x9d/0xf0
     ? ipi_rseq+0x70/0x70
     blk_mq_freeze_queue+0x2b/0x40
     nbd_add_socket+0x6b/0x270 [nbd]
     nbd_ioctl+0x383/0x510 [nbd]
     blkdev_ioctl+0x18e/0x3e0
     __x64_sys_ioctl+0xac/0x120
     do_syscall_64+0x35/0x80
     entry_SYSCALL_64_after_hwframe+0x44/0xae
    RIP: 0033:0x7fd8ff706577
    RSP: 002b:00007fd8fcdfebf8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
    RAX: ffffffffffffffda RBX: 0000000040000000 RCX: 00007fd8ff706577
    RDX: 000000000000000d RSI: 000000000000ab00 RDI: 000000000000000f
    RBP: 000000000000000f R08: 000000000000fbe8 R09: 000055fe497c62b0
    R10: 00000002aff20000 R11: 0000000000000246 R12: 000000000000006d
    R13: 0000000000000000 R14: 00007ffe82dc5e70 R15: 00007fd8fcdff9c0
    
    "qemu-ndb -d" will call ioctl 'NBD_DISCONNECT' first, however, following
    message was found:
    
    block nbd0: Send disconnect failed -32
    
    Which indicate that something is wrong with the server. Then,
    "qemu-nbd -d" will call ioctl 'NBD_CLEAR_SOCK', however ioctl can't clear
    requests after commit 2516ab1543fd("nbd: only clear the queue on device
    teardown"). And in the meantime, request can't complete through timeout
    because nbd_xmit_timeout() will always return 'BLK_EH_RESET_TIMER', which
    means such request will never be completed in this situation.
    
    Now that the flag 'NBD_CMD_INFLIGHT' can make sure requests won't
    complete multiple times, switch back to call nbd_clear_sock() in
    nbd_clear_sock_ioctl(), so that inflight requests can be cleared.
    
    Signed-off-by: Yu Kuai <yukuai3@huawei.com>
    Reviewed-by: Josef Bacik <josef@toxicpanda.com>
    Link: https://lore.kernel.org/r/20220521073749.3146892-5-yukuai3@huawei.com
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 2573f2375b64280be977431701ed5d33b75b9ad0
Author: Yu Kuai <yukuai3@huawei.com>
Date:   Sat May 21 15:37:45 2022 +0800

    nbd: fix race between nbd_alloc_config() and module removal
    
    [ Upstream commit c55b2b983b0fa012942c3eb16384b2b722caa810 ]
    
    When nbd module is being removing, nbd_alloc_config() may be
    called concurrently by nbd_genl_connect(), although try_module_get()
    will return false, but nbd_alloc_config() doesn't handle it.
    
    The race may lead to the leak of nbd_config and its related
    resources (e.g, recv_workq) and oops in nbd_read_stat() due
    to the unload of nbd module as shown below:
    
      BUG: kernel NULL pointer dereference, address: 0000000000000040
      Oops: 0000 [#1] SMP PTI
      CPU: 5 PID: 13840 Comm: kworker/u17:33 Not tainted 5.14.0+ #1
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
      Workqueue: knbd16-recv recv_work [nbd]
      RIP: 0010:nbd_read_stat.cold+0x130/0x1a4 [nbd]
      Call Trace:
       recv_work+0x3b/0xb0 [nbd]
       process_one_work+0x1ed/0x390
       worker_thread+0x4a/0x3d0
       kthread+0x12a/0x150
       ret_from_fork+0x22/0x30
    
    Fixing it by checking the return value of try_module_get()
    in nbd_alloc_config(). As nbd_alloc_config() may return ERR_PTR(-ENODEV),
    assign nbd->config only when nbd_alloc_config() succeeds to ensure
    the value of nbd->config is binary (valid or NULL).
    
    Also adding a debug message to check the reference counter
    of nbd_config during module removal.
    
    Signed-off-by: Hou Tao <houtao1@huawei.com>
    Signed-off-by: Yu Kuai <yukuai3@huawei.com>
    Reviewed-by: Josef Bacik <josef@toxicpanda.com>
    Link: https://lore.kernel.org/r/20220521073749.3146892-3-yukuai3@huawei.com
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 013a79f1b5c89290e2e97f1ebf14b14e0cf5fe5c
Author: Yu Kuai <yukuai3@huawei.com>
Date:   Sat May 21 15:37:44 2022 +0800

    nbd: call genl_unregister_family() first in nbd_cleanup()
    
    [ Upstream commit 06c4da89c24e7023ea448cadf8e9daf06a0aae6e ]
    
    Otherwise there may be race between module removal and the handling of
    netlink command, which can lead to the oops as shown below:
    
      BUG: kernel NULL pointer dereference, address: 0000000000000098
      Oops: 0002 [#1] SMP PTI
      CPU: 1 PID: 31299 Comm: nbd-client Tainted: G            E     5.14.0-rc4
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
      RIP: 0010:down_write+0x1a/0x50
      Call Trace:
       start_creating+0x89/0x130
       debugfs_create_dir+0x1b/0x130
       nbd_start_device+0x13d/0x390 [nbd]
       nbd_genl_connect+0x42f/0x748 [nbd]
       genl_family_rcv_msg_doit.isra.0+0xec/0x150
       genl_rcv_msg+0xe5/0x1e0
       netlink_rcv_skb+0x55/0x100
       genl_rcv+0x29/0x40
       netlink_unicast+0x1a8/0x250
       netlink_sendmsg+0x21b/0x430
       ____sys_sendmsg+0x2a4/0x2d0
       ___sys_sendmsg+0x81/0xc0
       __sys_sendmsg+0x62/0xb0
       __x64_sys_sendmsg+0x1f/0x30
       do_syscall_64+0x3b/0xc0
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      Modules linked in: nbd(E-)
    
    Signed-off-by: Hou Tao <houtao1@huawei.com>
    Signed-off-by: Yu Kuai <yukuai3@huawei.com>
    Reviewed-by: Josef Bacik <josef@toxicpanda.com>
    Link: https://lore.kernel.org/r/20220521073749.3146892-2-yukuai3@huawei.com
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 6c71ef8fc3a42e2ab0e9b35968f9ad025926d624
Author: Masahiro Yamada <masahiroy@kernel.org>
Date:   Tue May 24 01:46:22 2022 +0900

    modpost: fix undefined behavior of is_arm_mapping_symbol()
    
    [ Upstream commit d6b732666a1bae0df3c3ae06925043bba34502b1 ]
    
    The return value of is_arm_mapping_symbol() is unpredictable when "$"
    is passed in.
    
    strchr(3) says:
      The strchr() and strrchr() functions return a pointer to the matched
      character or NULL if the character is not found. The terminating null
      byte is considered part of the string, so that if c is specified as
      '\0', these functions return a pointer to the terminator.
    
    When str[1] is '\0', strchr("axtd", str[1]) is not NULL, and str[2] is
    referenced (i.e. buffer overrun).
    
    Test code
    ---------
    
      char str1[] = "abc";
      char str2[] = "ab";
    
      strcpy(str1, "$");
      strcpy(str2, "$");
    
      printf("test1: %d\n", is_arm_mapping_symbol(str1));
      printf("test2: %d\n", is_arm_mapping_symbol(str2));
    
    Result
    ------
    
      test1: 0
      test2: 1
    
    Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
    Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 8a89bfeef9abe93371e3ea8796377f2d132eee29
Author: Gong Yuanjun <ruc_gongyuanjun@163.com>
Date:   Tue May 17 17:57:00 2022 +0800

    drm/radeon: fix a possible null pointer dereference
    
    [ Upstream commit a2b28708b645c5632dc93669ab06e97874c8244f ]
    
    In radeon_fp_native_mode(), the return value of drm_mode_duplicate()
    is assigned to mode, which will lead to a NULL pointer dereference
    on failure of drm_mode_duplicate(). Add a check to avoid npd.
    
    The failure status of drm_cvt_mode() on the other path is checked too.
    
    Signed-off-by: Gong Yuanjun <ruc_gongyuanjun@163.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 9266323283c909bc673936507f8e1682eedbdbb3
Author: Venky Shankar <vshankar@redhat.com>
Date:   Thu Mar 10 09:34:19 2022 -0500

    ceph: allow ceph.dir.rctime xattr to be updatable
    
    [ Upstream commit d7a2dc523085f8b8c60548ceedc696934aefeb0e ]
    
    `rctime' has been a pain point in cephfs due to its buggy
    nature - inconsistent values reported and those sorts.
    Fixing rctime is non-trivial needing an overall redesign
    of the entire nested statistics infrastructure.
    
    As a workaround, PR
    
         http://github.com/ceph/ceph/pull/37938
    
    allows this extended attribute to be manually set. This allows
    users to "fixup" inconsistent rctime values. While this sounds
    messy, its probably the wisest approach allowing users/scripts
    to workaround buggy rctime values.
    
    The above PR enables Ceph MDS to allow manually setting
    rctime extended attribute with the corresponding user-land
    changes. We may as well allow the same to be done via kclient
    for parity.
    
    Signed-off-by: Venky Shankar <vshankar@redhat.com>
    Reviewed-by: Xiubo Li <xiubli@redhat.com>
    Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit b8196fd30de4336151dd7451fe9599842cebda90
Author: Michal Kubecek <mkubecek@suse.cz>
Date:   Mon May 23 22:05:24 2022 +0200

    Revert "net: af_key: add check for pfkey_broadcast in function pfkey_process"
    
    [ Upstream commit 9c90c9b3e50e16d03c7f87d63e9db373974781e0 ]
    
    This reverts commit 4dc2a5a8f6754492180741facf2a8787f2c415d7.
    
    A non-zero return value from pfkey_broadcast() does not necessarily mean
    an error occurred as this function returns -ESRCH when no registered
    listener received the message. In particular, a call with
    BROADCAST_PROMISC_ONLY flag and null one_sk argument can never return
    zero so that this commit in fact prevents processing any PF_KEY message.
    One visible effect is that racoon daemon fails to find encryption
    algorithms like aes and refuses to start.
    
    Excluding -ESRCH return value would fix this but it's not obvious that
    we really want to bail out here and most other callers of
    pfkey_broadcast() also ignore the return value. Also, as pointed out by
    Steffen Klassert, PF_KEY is kind of deprecated and newer userspace code
    should use netlink instead so that we should only disturb the code for
    really important fixes.
    
    v2: add a comment explaining why is the return value ignored
    
    Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 734d31837fa9b04547f920395d821635d9d26a4e
Author: Guoqing Jiang <guoqing.jiang@cloud.ionos.com>
Date:   Fri Apr 29 16:49:09 2022 +0800

    md: protect md_unregister_thread from reentrancy
    
    [ Upstream commit 1e267742283a4b5a8ca65755c44166be27e9aa0f ]
    
    Generally, the md_unregister_thread is called with reconfig_mutex, but
    raid_message in dm-raid doesn't hold reconfig_mutex to unregister thread,
    so md_unregister_thread can be called simulitaneously from two call sites
    in theory.
    
    Then after previous commit which remove the protection of reconfig_mutex
    for md_unregister_thread completely, the potential issue could be worse
    than before.
    
    Let's take pers_lock at the beginning of function to ensure reentrancy.
    
    Reported-by: Donald Buczek <buczek@molgen.mpg.de>
    Signed-off-by: Guoqing Jiang <guoqing.jiang@linux.dev>
    Signed-off-by: Song Liu <song@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit e1762fc1a4ebf1ebf70e1271081ddcdc557a5d7d
Author: Hao Luo <haoluo@google.com>
Date:   Mon May 16 12:09:51 2022 -0700

    kernfs: Separate kernfs_pr_cont_buf and rename_lock.
    
    [ Upstream commit 1a702dc88e150487c9c173a249b3d236498b9183 ]
    
    Previously the protection of kernfs_pr_cont_buf was piggy backed by
    rename_lock, which means that pr_cont() needs to be protected under
    rename_lock. This can cause potential circular lock dependencies.
    
    If there is an OOM, we have the following call hierarchy:
    
     -> cpuset_print_current_mems_allowed()
       -> pr_cont_cgroup_name()
         -> pr_cont_kernfs_name()
    
    pr_cont_kernfs_name() will grab rename_lock and call printk. So we have
    the following lock dependencies:
    
     kernfs_rename_lock -> console_sem
    
    Sometimes, printk does a wakeup before releasing console_sem, which has
    the dependence chain:
    
     console_sem -> p->pi_lock -> rq->lock
    
    Now, imagine one wants to read cgroup_name under rq->lock, for example,
    printing cgroup_name in a tracepoint in the scheduler code. They will
    be holding rq->lock and take rename_lock:
    
     rq->lock -> kernfs_rename_lock
    
    Now they will deadlock.
    
    A prevention to this circular lock dependency is to separate the
    protection of pr_cont_buf from rename_lock. In principle, rename_lock
    is to protect the integrity of cgroup name when copying to buf. Once
    pr_cont_buf has got its content, rename_lock can be dropped. So it's
    safe to drop rename_lock after kernfs_name_locked (and
    kernfs_path_from_node_locked) and rely on a dedicated pr_cont_lock
    to protect pr_cont_buf.
    
    Acked-by: Tejun Heo <tj@kernel.org>
    Signed-off-by: Hao Luo <haoluo@google.com>
    Link: https://lore.kernel.org/r/20220516190951.3144144-1-haoluo@google.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 1b4e7e56616679d2cb3fc318b72057668a7f574c
Author: John Ogness <john.ogness@linutronix.de>
Date:   Fri May 6 23:39:24 2022 +0206

    serial: msm_serial: disable interrupts in __msm_console_write()
    
    [ Upstream commit aabdbb1b7a5819e18c403334a31fb0cc2c06ad41 ]
    
    __msm_console_write() assumes that interrupts are disabled, but
    with threaded console printers it is possible that the write()
    callback of the console is called with interrupts enabled.
    
    Explicitly disable interrupts using local_irq_save() to preserve
    the assumed context.
    
    Reported-by: Marek Szyprowski <m.szyprowski@samsung.com>
    Reviewed-by: Petr Mladek <pmladek@suse.com>
    Signed-off-by: John Ogness <john.ogness@linutronix.de>
    Link: https://lore.kernel.org/r/20220506213324.470461-1-john.ogness@linutronix.de
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a6535d00a9d54ce1c2a8d86a85001ffb6844f9b2
Author: Wang Cheng <wanngchenng@gmail.com>
Date:   Mon May 16 17:22:41 2022 +0800

    staging: rtl8712: fix uninit-value in r871xu_drv_init()
    
    [ Upstream commit 0458e5428e5e959d201a40ffe71d762a79ecedc4 ]
    
    When 'tmpU1b' returns from r8712_read8(padapter, EE_9346CR) is 0,
    'mac[6]' will not be initialized.
    
    BUG: KMSAN: uninit-value in r871xu_drv_init+0x2d54/0x3070 drivers/staging/rtl8712/usb_intf.c:541
     r871xu_drv_init+0x2d54/0x3070 drivers/staging/rtl8712/usb_intf.c:541
     usb_probe_interface+0xf19/0x1600 drivers/usb/core/driver.c:396
     really_probe+0x653/0x14b0 drivers/base/dd.c:596
     __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:752
     driver_probe_device drivers/base/dd.c:782 [inline]
     __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:899
     bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427
     __device_attach+0x593/0x8e0 drivers/base/dd.c:970
     device_initial_probe+0x4a/0x60 drivers/base/dd.c:1017
     bus_probe_device+0x17b/0x3e0 drivers/base/bus.c:487
     device_add+0x1fff/0x26e0 drivers/base/core.c:3405
     usb_set_configuration+0x37e9/0x3ed0 drivers/usb/core/message.c:2170
     usb_generic_driver_probe+0x13c/0x300 drivers/usb/core/generic.c:238
     usb_probe_device+0x309/0x570 drivers/usb/core/driver.c:293
     really_probe+0x653/0x14b0 drivers/base/dd.c:596
     __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:752
     driver_probe_device drivers/base/dd.c:782 [inline]
     __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:899
     bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427
     __device_attach+0x593/0x8e0 drivers/base/dd.c:970
     device_initial_probe+0x4a/0x60 drivers/base/dd.c:1017
     bus_probe_device+0x17b/0x3e0 drivers/base/bus.c:487
     device_add+0x1fff/0x26e0 drivers/base/core.c:3405
     usb_new_device+0x1b8e/0x2950 drivers/usb/core/hub.c:2566
     hub_port_connect drivers/usb/core/hub.c:5358 [inline]
     hub_port_connect_change drivers/usb/core/hub.c:5502 [inline]
     port_event drivers/usb/core/hub.c:5660 [inline]
     hub_event+0x58e3/0x89e0 drivers/usb/core/hub.c:5742
     process_one_work+0xdb6/0x1820 kernel/workqueue.c:2307
     worker_thread+0x10b3/0x21e0 kernel/workqueue.c:2454
     kthread+0x3c7/0x500 kernel/kthread.c:377
     ret_from_fork+0x1f/0x30
    
    Local variable mac created at:
     r871xu_drv_init+0x1771/0x3070 drivers/staging/rtl8712/usb_intf.c:394
     usb_probe_interface+0xf19/0x1600 drivers/usb/core/driver.c:396
    
    KMSAN: uninit-value in r871xu_drv_init
    https://syzkaller.appspot.com/bug?id=3cd92b1d85428b128503bfa7a250294c9ae00bd8
    
    Reported-by: <syzbot+6f5ecd144854c0d8580b@syzkaller.appspotmail.com>
    Tested-by: <syzbot+6f5ecd144854c0d8580b@syzkaller.appspotmail.com>
    Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Wang Cheng <wanngchenng@gmail.com>
    Link: https://lore.kernel.org/r/14c3886173dfa4597f0704547c414cfdbcd11d16.1652618244.git.wanngchenng@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 661a101b1ac07e5ecbef132170a3495f3f81d5bc
Author: Andre Przywara <andre.przywara@arm.com>
Date:   Fri May 6 17:25:22 2022 +0100

    clocksource/drivers/sp804: Avoid error on multiple instances
    
    [ Upstream commit a98399cbc1e05f7b977419f03905501d566cf54e ]
    
    When a machine sports more than one SP804 timer instance, we only bring
    up the first one, since multiple timers of the same kind are not useful
    to Linux. As this is intentional behaviour, we should not return an
    error message, as we do today:
    ===============
    [    0.000800] Failed to initialize '/bus@8000000/motherboard-bus@8000000/iofpga-bus@300000000/timer@120000': -22
    ===============
    
    Replace the -EINVAL return with a debug message and return 0 instead.
    
    Also we do not reach the init function anymore if the DT node is
    disabled (as this is now handled by OF_DECLARE), so remove the explicit
    check for that case.
    
    This fixes a long standing bogus error when booting ARM's fastmodels.
    
    Signed-off-by: Andre Przywara <andre.przywara@arm.com>
    Reviewed-by: Robin Murphy <robin.murphy@arm.com>
    Link: https://lore.kernel.org/r/20220506162522.3675399-1-andre.przywara@arm.com
    Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit cb81ea998c461868d1168411a867d8ffee12f23f
Author: bumwoo lee <bw365.lee@samsung.com>
Date:   Wed Apr 27 12:00:05 2022 +0900

    extcon: Modify extcon device to be created after driver data is set
    
    [ Upstream commit 5dcc2afe716d69f5112ce035cb14f007461ff189 ]
    
    Currently, someone can invoke the sysfs such as state_show()
    intermittently before dev_set_drvdata() is done.
    And it can be a cause of kernel Oops because of edev is Null at that time.
    So modified the driver registration to after setting drviver data.
    
    - Oops's backtrace.
    
    Backtrace:
    [<c067865c>] (state_show) from [<c05222e8>] (dev_attr_show)
    [<c05222c0>] (dev_attr_show) from [<c02c66e0>] (sysfs_kf_seq_show)
    [<c02c6648>] (sysfs_kf_seq_show) from [<c02c496c>] (kernfs_seq_show)
    [<c02c4938>] (kernfs_seq_show) from [<c025e2a0>] (seq_read)
    [<c025e11c>] (seq_read) from [<c02c50a0>] (kernfs_fop_read)
    [<c02c5064>] (kernfs_fop_read) from [<c0231cac>] (__vfs_read)
    [<c0231c5c>] (__vfs_read) from [<c0231ee0>] (vfs_read)
    [<c0231e34>] (vfs_read) from [<c0232464>] (ksys_read)
    [<c02323f0>] (ksys_read) from [<c02324fc>] (sys_read)
    [<c02324e4>] (sys_read) from [<c00091d0>] (__sys_trace_return)
    
    Signed-off-by: bumwoo lee <bw365.lee@samsung.com>
    Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit fae28ee165358930d4cd4adcaeac85072a16782f
Author: Shuah Khan <skhan@linuxfoundation.org>
Date:   Fri Apr 29 15:09:13 2022 -0600

    misc: rtsx: set NULL intfdata when probe fails
    
    [ Upstream commit f861d36e021e1ac4a0a2a1f6411d623809975d63 ]
    
    rtsx_usb_probe() doesn't call usb_set_intfdata() to null out the
    interface pointer when probe fails. This leaves a stale pointer.
    Noticed the missing usb_set_intfdata() while debugging an unrelated
    invalid DMA mapping problem.
    
    Fix it with a call to usb_set_intfdata(..., NULL).
    
    Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
    Link: https://lore.kernel.org/r/20220429210913.46804-1-skhan@linuxfoundation.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit bee8f9808a7e82addfc73a0973b16a8bb684205b
Author: Marek Szyprowski <m.szyprowski@samsung.com>
Date:   Thu May 5 12:46:18 2022 +0200

    usb: dwc2: gadget: don't reset gadget's driver->bus
    
    [ Upstream commit 3120aac6d0ecd9accf56894aeac0e265f74d3d5a ]
    
    UDC driver should not touch gadget's driver internals, especially it
    should not reset driver->bus. This wasn't harmful so far, but since
    commit fc274c1e9973 ("USB: gadget: Add a new bus for gadgets") gadget
    subsystem got it's own bus and messing with ->bus triggers the
    following NULL pointer dereference:
    
    dwc2 12480000.hsotg: bound driver g_ether
    8<--- cut here ---
    Unable to handle kernel NULL pointer dereference at virtual address 00000000
    [00000000] *pgd=00000000
    Internal error: Oops: 5 [#1] SMP ARM
    Modules linked in: ...
    CPU: 0 PID: 620 Comm: modprobe Not tainted 5.18.0-rc5-next-20220504 #11862
    Hardware name: Samsung Exynos (Flattened Device Tree)
    PC is at module_add_driver+0x44/0xe8
    LR is at sysfs_do_create_link_sd+0x84/0xe0
    ...
    Process modprobe (pid: 620, stack limit = 0x(ptrval))
    ...
     module_add_driver from bus_add_driver+0xf4/0x1e4
     bus_add_driver from driver_register+0x78/0x10c
     driver_register from usb_gadget_register_driver_owner+0x40/0xb4
     usb_gadget_register_driver_owner from do_one_initcall+0x44/0x1e0
     do_one_initcall from do_init_module+0x44/0x1c8
     do_init_module from load_module+0x19b8/0x1b9c
     load_module from sys_finit_module+0xdc/0xfc
     sys_finit_module from ret_fast_syscall+0x0/0x54
    Exception stack(0xf1771fa8 to 0xf1771ff0)
    ...
    dwc2 12480000.hsotg: new device is high-speed
    ---[ end trace 0000000000000000 ]---
    
    Fix this by removing driver->bus entry reset.
    
    Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
    Link: https://lore.kernel.org/r/20220505104618.22729-1-m.szyprowski@samsung.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit aa3544e8309d9be1dd5625d15cbd930368e4c909
Author: Evan Green <evgreen@chromium.org>
Date:   Thu Apr 21 10:39:27 2022 -0700

    USB: hcd-pci: Fully suspend across freeze/thaw cycle
    
    [ Upstream commit 63acaa8e9c65dc34dc249440216f8e977f5d2748 ]
    
    The documentation for the freeze() method says that it "should quiesce
    the device so that it doesn't generate IRQs or DMA". The unspoken
    consequence of not doing this is that MSIs aimed at non-boot CPUs may
    get fully lost if they're sent during the period where the target CPU is
    offline.
    
    The current callbacks for USB HCD do not fully quiesce interrupts,
    specifically on XHCI. Change to use the full suspend/resume flow for
    freeze/thaw to ensure interrupts are fully quiesced. This fixes issues
    where USB devices fail to thaw during hibernation because XHCI misses
    its interrupt and cannot recover.
    
    Acked-by: Alan Stern <stern@rowland.harvard.edu>
    Signed-off-by: Evan Green <evgreen@chromium.org>
    Link: https://lore.kernel.org/r/20220421103751.v3.2.I8226c7fdae88329ef70957b96a39b346c69a914e@changeid
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f8242044c91cafbba9e320b0fb31abf2429a3221
Author: Duoming Zhou <duoming@zju.edu.cn>
Date:   Sun Apr 17 20:03:05 2022 +0800

    drivers: usb: host: Fix deadlock in oxu_bus_suspend()
    
    [ Upstream commit 4d378f2ae58138d4c55684e1d274e7dd94aa6524 ]
    
    There is a deadlock in oxu_bus_suspend(), which is shown below:
    
       (Thread 1)              |      (Thread 2)
                               | timer_action()
    oxu_bus_suspend()          |  mod_timer()
     spin_lock_irq() //(1)     |  (wait a time)
     ...                       | oxu_watchdog()
     del_timer_sync()          |  spin_lock_irq() //(2)
     (wait timer to stop)      |  ...
    
    We hold oxu->lock in position (1) of thread 1, and use
    del_timer_sync() to wait timer to stop, but timer handler
    also need oxu->lock in position (2) of thread 2. As a result,
    oxu_bus_suspend() will block forever.
    
    This patch extracts del_timer_sync() from the protection of
    spin_lock_irq(), which could let timer handler to obtain
    the needed lock.
    
    Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
    Link: https://lore.kernel.org/r/20220417120305.64577-1-duoming@zju.edu.cn
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 920f0ae7a129ffee98a106e3bbdfd61a2a59e939
Author: Duoming Zhou <duoming@zju.edu.cn>
Date:   Sun Apr 17 19:16:26 2022 +0800

    drivers: tty: serial: Fix deadlock in sa1100_set_termios()
    
    [ Upstream commit 62b2caef400c1738b6d22f636c628d9f85cd4c4c ]
    
    There is a deadlock in sa1100_set_termios(), which is shown
    below:
    
       (Thread 1)              |      (Thread 2)
                               | sa1100_enable_ms()
    sa1100_set_termios()       |  mod_timer()
     spin_lock_irqsave() //(1) |  (wait a time)
     ...                       | sa1100_timeout()
     del_timer_sync()          |  spin_lock_irqsave() //(2)
     (wait timer to stop)      |  ...
    
    We hold sport->port.lock in position (1) of thread 1 and
    use del_timer_sync() to wait timer to stop, but timer handler
    also need sport->port.lock in position (2) of thread 2. As a result,
    sa1100_set_termios() will block forever.
    
    This patch moves del_timer_sync() before spin_lock_irqsave()
    in order to prevent the deadlock.
    
    Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
    Link: https://lore.kernel.org/r/20220417111626.7802-1-duoming@zju.edu.cn
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3825db88d8c704e7992b685618a03f82bffcf2ef
Author: Zhen Ni <nizhen@uniontech.com>
Date:   Wed Mar 2 11:37:16 2022 +0800

    USB: host: isp116x: check return value after calling platform_get_resource()
    
    [ Upstream commit 134a3408c2d3f7e23eb0e4556e0a2d9f36c2614e ]
    
    It will cause null-ptr-deref if platform_get_resource() returns NULL,
    we need check the return value.
    
    Signed-off-by: Zhen Ni <nizhen@uniontech.com>
    Link: https://lore.kernel.org/r/20220302033716.31272-1-nizhen@uniontech.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 08bacf871c019163ccd1389d0bc957a43324967a
Author: Duoming Zhou <duoming@zju.edu.cn>
Date:   Sun Apr 17 22:16:41 2022 +0800

    drivers: staging: rtl8192e: Fix deadlock in rtllib_beacons_stop()
    
    [ Upstream commit 9b6bdbd9337de3917945847bde262a34a87a6303 ]
    
    There is a deadlock in rtllib_beacons_stop(), which is shown
    below:
    
       (Thread 1)              |      (Thread 2)
                               | rtllib_send_beacon()
    rtllib_beacons_stop()      |  mod_timer()
     spin_lock_irqsave() //(1) |  (wait a time)
     ...                       | rtllib_send_beacon_cb()
     del_timer_sync()          |  spin_lock_irqsave() //(2)
     (wait timer to stop)      |  ...
    
    We hold ieee->beacon_lock in position (1) of thread 1 and
    use del_timer_sync() to wait timer to stop, but timer handler
    also need ieee->beacon_lock in position (2) of thread 2.
    As a result, rtllib_beacons_stop() will block forever.
    
    This patch extracts del_timer_sync() from the protection of
    spin_lock_irqsave(), which could let timer handler to obtain
    the needed lock.
    
    Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
    Link: https://lore.kernel.org/r/20220417141641.124388-1-duoming@zju.edu.cn
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit b465bb2ebf666116c1ac745cb80c65154dc0d27e
Author: Duoming Zhou <duoming@zju.edu.cn>
Date:   Sun Apr 17 21:54:07 2022 +0800

    drivers: staging: rtl8192u: Fix deadlock in ieee80211_beacons_stop()
    
    [ Upstream commit 806c7b53414934ba2a39449b31fd1a038e500273 ]
    
    There is a deadlock in ieee80211_beacons_stop(), which is shown below:
    
       (Thread 1)              |      (Thread 2)
                               | ieee80211_send_beacon()
    ieee80211_beacons_stop()   |  mod_timer()
     spin_lock_irqsave() //(1) |  (wait a time)
     ...                       | ieee80211_send_beacon_cb()
     del_timer_sync()          |  spin_lock_irqsave() //(2)
     (wait timer to stop)      |  ...
    
    We hold ieee->beacon_lock in position (1) of thread 1 and use
    del_timer_sync() to wait timer to stop, but timer handler
    also need ieee->beacon_lock in position (2) of thread 2.
    As a result, ieee80211_beacons_stop() will block forever.
    
    This patch extracts del_timer_sync() from the protection of
    spin_lock_irqsave(), which could let timer handler to obtain
    the needed lock.
    
    Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
    Link: https://lore.kernel.org/r/20220417135407.109536-1-duoming@zju.edu.cn
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a2df0b4d080cc770b4da7bff487048c803dfd07e
Author: Huang Guobin <huangguobin4@huawei.com>
Date:   Thu Mar 31 17:10:05 2022 +0800

    tty: Fix a possible resource leak in icom_probe
    
    [ Upstream commit ee157a79e7c82b01ae4c25de0ac75899801f322c ]
    
    When pci_read_config_dword failed, call pci_release_regions() and
    pci_disable_device() to recycle the resource previously allocated.
    
    Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
    Signed-off-by: Huang Guobin <huangguobin4@huawei.com>
    Link: https://lore.kernel.org/r/20220331091005.3290753-1-huangguobin4@huawei.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit ba08cbc5b53e151d0acf1930fb526fc65b7f3e65
Author: Zheyu Ma <zheyuma97@gmail.com>
Date:   Sun Apr 10 19:48:14 2022 +0800

    tty: synclink_gt: Fix null-pointer-dereference in slgt_clean()
    
    [ Upstream commit 689ca31c542687709ba21ec2195c1fbce34fd029 ]
    
    When the driver fails at alloc_hdlcdev(), and then we remove the driver
    module, we will get the following splat:
    
    [   25.065966] general protection fault, probably for non-canonical address 0xdffffc0000000182: 0000 [#1] PREEMPT SMP KASAN PTI
    [   25.066914] KASAN: null-ptr-deref in range [0x0000000000000c10-0x0000000000000c17]
    [   25.069262] RIP: 0010:detach_hdlc_protocol+0x2a/0x3e0
    [   25.077709] Call Trace:
    [   25.077924]  <TASK>
    [   25.078108]  unregister_hdlc_device+0x16/0x30
    [   25.078481]  slgt_cleanup+0x157/0x9f0 [synclink_gt]
    
    Fix this by checking whether the 'info->netdev' is a null pointer first.
    
    Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
    Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
    Link: https://lore.kernel.org/r/20220410114814.3920474-1-zheyuma97@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f00863b470c9f15f3c7cf9c361d608af74691cd2
Author: Kees Cook <keescook@chromium.org>
Date:   Wed Feb 16 12:15:03 2022 -0800

    lkdtm/usercopy: Expand size of "out of frame" object
    
    [ Upstream commit f387e86d3a74407bdd9c5815820ac9d060962840 ]
    
    To be sufficiently out of range for the usercopy test to see the lifetime
    mismatch, expand the size of the "bad" buffer, which will let it be
    beyond current_stack_pointer regardless of stack growth direction.
    Paired with the recent addition of stack depth checking under
    CONFIG_HARDENED_USERCOPY=y, this will correctly start tripping again.
    
    Reported-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
    Cc: Arnd Bergmann <arnd@arndb.de>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Reviewed-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
    Link: https://lore.kernel.org/lkml/762faf1b-0443-5ddf-4430-44a20cf2ec4d@collabora.com/
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 00a3e80fa4aa63ea7672ec7caaf1e9b14ba0a1b7
Author: Xiaoke Wang <xkernel.wang@foxmail.com>
Date:   Sat Mar 5 11:14:05 2022 +0800

    iio: dummy: iio_simple_dummy: check the return value of kstrdup()
    
    [ Upstream commit ba93642188a6fed754bf7447f638bc410e05a929 ]
    
    kstrdup() is also a memory allocation-related function, it returns NULL
    when some memory errors happen. So it is better to check the return
    value of it so to catch the memory error in time. Besides, there should
    have a kfree() to clear up the allocation if we get a failure later in
    this function to prevent memory leak.
    
    Signed-off-by: Xiaoke Wang <xkernel.wang@foxmail.com>
    Link: https://lore.kernel.org/r/tencent_C920CFCC33B9CC1C63141FE1334A39FF8508@qq.com
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit b78299cee32270333b70312c737d67eec245b690
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Wed Jun 8 16:59:29 2022 -0700

    drm: imx: fix compiler warning with gcc-12
    
    [ Upstream commit 7aefd8b53815274f3ef398d370a3c9b27dd9f00c ]
    
    Gcc-12 correctly warned about this code using a non-NULL pointer as a
    truth value:
    
      drivers/gpu/drm/imx/ipuv3-crtc.c: In function ‘ipu_crtc_disable_planes’:
      drivers/gpu/drm/imx/ipuv3-crtc.c:72:21: error: the comparison will always evaluate as ‘true’ for the address of ‘plane’ will never be NULL [-Werror=address]
         72 |                 if (&ipu_crtc->plane[1] && plane == &ipu_crtc->plane[1]->base)
            |                     ^
    
    due to the extraneous '&' address-of operator.
    
    Philipp Zabel points out that The mistake had no adverse effect since
    the following condition doesn't actually dereference the NULL pointer,
    but the intent of the code was obviously to check for it, not to take
    the address of the member.
    
    Fixes: eb8c88808c83 ("drm/imx: add deferred plane disabling")
    Acked-by: Philipp Zabel <p.zabel@pengutronix.de>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 5cd0e22fa11f4a21a8c09cc258f20b1474c95801
Author: Miaoqian Lin <linmq006@gmail.com>
Date:   Tue Jun 7 08:11:43 2022 +0400

    net: altera: Fix refcount leak in altera_tse_mdio_create
    
    [ Upstream commit 11ec18b1d8d92b9df307d31950dcba0b3dd7283c ]
    
    Every iteration of for_each_child_of_node() decrements
    the reference count of the previous node.
    When break from a for_each_child_of_node() loop,
    we need to explicitly call of_node_put() on the child node when
    not need anymore.
    Add missing of_node_put() to avoid refcount leak.
    
    Fixes: bbd2190ce96d ("Altera TSE: Add main and header file for Altera Ethernet Driver")
    Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
    Link: https://lore.kernel.org/r/20220607041144.7553-1-linmq006@gmail.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 7596bd7920985f7fc8579a92e48bc53ce4475b21
Author: Willem de Bruijn <willemb@google.com>
Date:   Mon Jun 6 09:21:07 2022 -0400

    ip_gre: test csum_start instead of transport header
    
    [ Upstream commit 8d21e9963bec1aad2280cdd034c8993033ef2948 ]
    
    GRE with TUNNEL_CSUM will apply local checksum offload on
    CHECKSUM_PARTIAL packets.
    
    ipgre_xmit must validate csum_start after an optional skb_pull,
    else lco_csum may trigger an overflow. The original check was
    
            if (csum && skb_checksum_start(skb) < skb->data)
                    return -EINVAL;
    
    This had false positives when skb_checksum_start is undefined:
    when ip_summed is not CHECKSUM_PARTIAL. A discussed refinement
    was straightforward
    
            if (csum && skb->ip_summed == CHECKSUM_PARTIAL &&
                skb_checksum_start(skb) < skb->data)
                    return -EINVAL;
    
    But was eventually revised more thoroughly:
    - restrict the check to the only branch where needed, in an
      uncommon GRE path that uses header_ops and calls skb_pull.
    - test skb_transport_header, which is set along with csum_start
      in skb_partial_csum_set in the normal header_ops datapath.
    
    Turns out skbs can arrive in this branch without the transport
    header set, e.g., through BPF redirection.
    
    Revise the check back to check csum_start directly, and only if
    CHECKSUM_PARTIAL. Do leave the check in the updated location.
    Check field regardless of whether TUNNEL_CSUM is configured.
    
    Link: https://lore.kernel.org/netdev/YS+h%2FtqCJJiQei+W@shredder/
    Link: https://lore.kernel.org/all/20210902193447.94039-2-willemdebruijn.kernel@gmail.com/T/#u
    Fixes: 8a0ed250f911 ("ip_gre: validate csum_start only on pull")
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Signed-off-by: Willem de Bruijn <willemb@google.com>
    Reviewed-by: Eric Dumazet <edumazet@google.com>
    Reviewed-by: Alexander Duyck <alexanderduyck@fb.com>
    Link: https://lore.kernel.org/r/20220606132107.3582565-1-willemdebruijn.kernel@gmail.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 9e19f93fe1fc0ebb4b22835dc97e220c7d79c72d
Author: Feras Daoud <ferasda@nvidia.com>
Date:   Sat Mar 19 21:47:48 2022 +0200

    net/mlx5: Rearm the FW tracer after each tracer event
    
    [ Upstream commit 8bf94e6414c9481bfa28269022688ab445d0081d ]
    
    The current design does not arm the tracer if traces are available before
    the tracer string database is fully loaded, leading to an unfunctional tracer.
    This fix will rearm the tracer every time the FW triggers tracer event
    regardless of the tracer strings database status.
    
    Fixes: c71ad41ccb0c ("net/mlx5: FW tracer, events handling")
    Signed-off-by: Feras Daoud <ferasda@nvidia.com>
    Signed-off-by: Roy Novich <royno@nvidia.com>
    Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
    Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit ab8b2c2de273ec1d698a18e399896a6febb5cda0
Author: Masahiro Yamada <masahiroy@kernel.org>
Date:   Mon Jun 6 13:53:55 2022 +0900

    net: ipv6: unexport __init-annotated seg6_hmac_init()
    
    [ Upstream commit 5801f064e35181c71857a80ff18af4dbec3c5f5c ]
    
    EXPORT_SYMBOL and __init is a bad combination because the .init.text
    section is freed up after the initialization. Hence, modules cannot
    use symbols annotated __init. The access to a freed symbol may end up
    with kernel panic.
    
    modpost used to detect it, but it has been broken for a decade.
    
    Recently, I fixed modpost so it started to warn it again, then this
    showed up in linux-next builds.
    
    There are two ways to fix it:
    
      - Remove __init
      - Remove EXPORT_SYMBOL
    
    I chose the latter for this case because the caller (net/ipv6/seg6.c)
    and the callee (net/ipv6/seg6_hmac.c) belong to the same module.
    It seems an internal function call in ipv6.ko.
    
    Fixes: bf355b8d2c30 ("ipv6: sr: add core files for SR HMAC support")
    Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
    Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 31f3c6a4dcd3260a386e62cef2d5b36e902600a1
Author: Masahiro Yamada <masahiroy@kernel.org>
Date:   Mon Jun 6 13:53:54 2022 +0900

    net: xfrm: unexport __init-annotated xfrm4_protocol_init()
    
    [ Upstream commit 4a388f08d8784af48f352193d2b72aaf167a57a1 ]
    
    EXPORT_SYMBOL and __init is a bad combination because the .init.text
    section is freed up after the initialization. Hence, modules cannot
    use symbols annotated __init. The access to a freed symbol may end up
    with kernel panic.
    
    modpost used to detect it, but it has been broken for a decade.
    
    Recently, I fixed modpost so it started to warn it again, then this
    showed up in linux-next builds.
    
    There are two ways to fix it:
    
      - Remove __init
      - Remove EXPORT_SYMBOL
    
    I chose the latter for this case because the only in-tree call-site,
    net/ipv4/xfrm4_policy.c is never compiled as modular.
    (CONFIG_XFRM is boolean)
    
    Fixes: 2f32b51b609f ("xfrm: Introduce xfrm_input_afinfo to access the the callbacks properly")
    Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
    Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
    Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 5534bcd7c40299862237c4a8fd9c5031b3db1538
Author: Masahiro Yamada <masahiroy@kernel.org>
Date:   Mon Jun 6 13:53:53 2022 +0900

    net: mdio: unexport __init-annotated mdio_bus_init()
    
    [ Upstream commit 35b42dce619701f1300fb8498dae82c9bb1f0263 ]
    
    EXPORT_SYMBOL and __init is a bad combination because the .init.text
    section is freed up after the initialization. Hence, modules cannot
    use symbols annotated __init. The access to a freed symbol may end up
    with kernel panic.
    
    modpost used to detect it, but it has been broken for a decade.
    
    Recently, I fixed modpost so it started to warn it again, then this
    showed up in linux-next builds.
    
    There are two ways to fix it:
    
      - Remove __init
      - Remove EXPORT_SYMBOL
    
    I chose the latter for this case because the only in-tree call-site,
    drivers/net/phy/phy_device.c is never compiled as modular.
    (CONFIG_PHYLIB is boolean)
    
    Fixes: 90eff9096c01 ("net: phy: Allow splitting MDIO bus/device support from PHYs")
    Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
    Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
    Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
    Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit b42b281ee6faf97eddfc5ba3d3f61b6e274893dd
Author: Chuck Lever <chuck.lever@oracle.com>
Date:   Tue Jun 7 16:47:52 2022 -0400

    SUNRPC: Fix the calculation of xdr->end in xdr_get_next_encode_buffer()
    
    [ Upstream commit 6c254bf3b637dd4ef4f78eb78c7447419c0161d7 ]
    
    I found that NFSD's new NFSv3 READDIRPLUS XDR encoder was screwing up
    right at the end of the page array. xdr_get_next_encode_buffer() does
    not compute the value of xdr->end correctly:
    
     * The check to see if we're on the final available page in xdr->buf
       needs to account for the space consumed by @nbytes.
    
     * The new xdr->end value needs to account for the portion of @nbytes
       that is to be encoded into the previous buffer.
    
    Fixes: 2825a7f90753 ("nfsd4: allow encoding across page boundaries")
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
    Reviewed-by: NeilBrown <neilb@suse.de>
    Reviewed-by: J. Bruce Fields <bfields@fieldses.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit db58f575c5f79b309e5b97a5df80a25c5ce6f544
Author: Gal Pressman <gal@nvidia.com>
Date:   Mon Jun 6 14:57:18 2022 +0300

    net/mlx4_en: Fix wrong return value on ioctl EEPROM query failure
    
    [ Upstream commit f5826c8c9d57210a17031af5527056eefdc2b7eb ]
    
    The ioctl EEPROM query wrongly returns success on read failures, fix
    that by returning the appropriate error code.
    
    Fixes: 7202da8b7f71 ("ethtool, net/mlx4_en: Cable info, get_module_info/eeprom ethtool support")
    Signed-off-by: Gal Pressman <gal@nvidia.com>
    Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
    Link: https://lore.kernel.org/r/20220606115718.14233-1-tariqt@nvidia.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit aaf61a312af63e1cfe2264c4c5b8cd4ea3626025
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue May 31 14:51:13 2022 -0700

    bpf, arm64: Clear prog->jited_len along prog->jited
    
    [ Upstream commit 10f3b29c65bb2fe0d47c2945cd0b4087be1c5218 ]
    
    syzbot reported an illegal copy_to_user() attempt
    from bpf_prog_get_info_by_fd() [1]
    
    There was no repro yet on this bug, but I think
    that commit 0aef499f3172 ("mm/usercopy: Detect vmalloc overruns")
    is exposing a prior bug in bpf arm64.
    
    bpf_prog_get_info_by_fd() looks at prog->jited_len
    to determine if the JIT image can be copied out to user space.
    
    My theory is that syzbot managed to get a prog where prog->jited_len
    has been set to 43, while prog->bpf_func has ben cleared.
    
    It is not clear why copy_to_user(uinsns, NULL, ulen) is triggering
    this particular warning.
    
    I thought find_vma_area(NULL) would not find a vm_struct.
    As we do not hold vmap_area_lock spinlock, it might be possible
    that the found vm_struct was garbage.
    
    [1]
    usercopy: Kernel memory exposure attempt detected from vmalloc (offset 792633534417210172, size 43)!
    kernel BUG at mm/usercopy.c:101!
    Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
    Modules linked in:
    CPU: 0 PID: 25002 Comm: syz-executor.1 Not tainted 5.18.0-syzkaller-10139-g8291eaafed36 #0
    Hardware name: linux,dummy-virt (DT)
    pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
    pc : usercopy_abort+0x90/0x94 mm/usercopy.c:101
    lr : usercopy_abort+0x90/0x94 mm/usercopy.c:89
    sp : ffff80000b773a20
    x29: ffff80000b773a30 x28: faff80000b745000 x27: ffff80000b773b48
    x26: 0000000000000000 x25: 000000000000002b x24: 0000000000000000
    x23: 00000000000000e0 x22: ffff80000b75db67 x21: 0000000000000001
    x20: 000000000000002b x19: ffff80000b75db3c x18: 00000000fffffffd
    x17: 2820636f6c6c616d x16: 76206d6f72662064 x15: 6574636574656420
    x14: 74706d6574746120 x13: 2129333420657a69 x12: 73202c3237313031
    x11: 3237313434333533 x10: 3336323937207465 x9 : 657275736f707865
    x8 : ffff80000a30c550 x7 : ffff80000b773830 x6 : ffff80000b773830
    x5 : 0000000000000000 x4 : ffff00007fbbaa10 x3 : 0000000000000000
    x2 : 0000000000000000 x1 : f7ff000028fc0000 x0 : 0000000000000064
    Call trace:
     usercopy_abort+0x90/0x94 mm/usercopy.c:89
     check_heap_object mm/usercopy.c:186 [inline]
     __check_object_size mm/usercopy.c:252 [inline]
     __check_object_size+0x198/0x36c mm/usercopy.c:214
     check_object_size include/linux/thread_info.h:199 [inline]
     check_copy_size include/linux/thread_info.h:235 [inline]
     copy_to_user include/linux/uaccess.h:159 [inline]
     bpf_prog_get_info_by_fd.isra.0+0xf14/0xfdc kernel/bpf/syscall.c:3993
     bpf_obj_get_info_by_fd+0x12c/0x510 kernel/bpf/syscall.c:4253
     __sys_bpf+0x900/0x2150 kernel/bpf/syscall.c:4956
     __do_sys_bpf kernel/bpf/syscall.c:5021 [inline]
     __se_sys_bpf kernel/bpf/syscall.c:5019 [inline]
     __arm64_sys_bpf+0x28/0x40 kernel/bpf/syscall.c:5019
     __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
     invoke_syscall+0x48/0x114 arch/arm64/kernel/syscall.c:52
     el0_svc_common.constprop.0+0x44/0xec arch/arm64/kernel/syscall.c:142
     do_el0_svc+0xa0/0xc0 arch/arm64/kernel/syscall.c:206
     el0_svc+0x44/0xb0 arch/arm64/kernel/entry-common.c:624
     el0t_64_sync_handler+0x1ac/0x1b0 arch/arm64/kernel/entry-common.c:642
     el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:581
    Code: aa0003e3 d00038c0 91248000 97fff65f (d4210000)
    
    Fixes: db496944fdaa ("bpf: arm64: add JIT support for multi-function programs")
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Acked-by: Song Liu <songliubraving@fb.com>
    Link: https://lore.kernel.org/bpf/20220531215113.1100754-1-eric.dumazet@gmail.com
    Signed-off-by: Alexei Starovoitov <ast@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 95f0ba806277733bf6024e23e27e1be773701cca
Author: Kuniyuki Iwashima <kuniyu@amazon.com>
Date:   Sun Jun 5 16:23:25 2022 -0700

    af_unix: Fix a data-race in unix_dgram_peer_wake_me().
    
    [ Upstream commit 662a80946ce13633ae90a55379f1346c10f0c432 ]
    
    unix_dgram_poll() calls unix_dgram_peer_wake_me() without `other`'s
    lock held and check if its receive queue is full.  Here we need to
    use unix_recvq_full_lockless() instead of unix_recvq_full(), otherwise
    KCSAN will report a data-race.
    
    Fixes: 7d267278a9ec ("unix: avoid use-after-free in ep_remove_wait_queue")
    Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Link: https://lore.kernel.org/r/20220605232325.11804-1-kuniyu@amazon.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 8d8ad067b90f231b8fdb14acee673ca4012f6045
Author: Miaoqian Lin <linmq006@gmail.com>
Date:   Wed Jun 1 12:59:26 2022 +0400

    ata: pata_octeon_cf: Fix refcount leak in octeon_cf_probe
    
    [ Upstream commit 10d6bdf532902be1d8aa5900b3c03c5671612aa2 ]
    
    of_find_device_by_node() takes reference, we should use put_device()
    to release it when not need anymore.
    Add missing put_device() to avoid refcount leak.
    
    Fixes: 43f01da0f279 ("MIPS/OCTEON/ata: Convert pata_octeon_cf.c to use device tree.")
    Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
    Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
    Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 998d35a2aff4b81a1c784f3aa45cd3afff6814c1
Author: Kinglong Mee <kinglongmee@gmail.com>
Date:   Sun May 22 20:36:48 2022 +0800

    xprtrdma: treat all calls not a bcall when bc_serv is NULL
    
    [ Upstream commit 11270e7ca268e8d61b5d9e5c3a54bd1550642c9c ]
    
    When a rdma server returns a fault format reply, nfs v3 client may
    treats it as a bcall when bc service is not exist.
    
    The debug message at rpcrdma_bc_receive_call are,
    
    [56579.837169] RPC:       rpcrdma_bc_receive_call: callback XID
    00000001, length=20
    [56579.837174] RPC:       rpcrdma_bc_receive_call: 00 00 00 01 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 04
    
    After that, rpcrdma_bc_receive_call will meets NULL pointer as,
    
    [  226.057890] BUG: unable to handle kernel NULL pointer dereference at
    00000000000000c8
    ...
    [  226.058704] RIP: 0010:_raw_spin_lock+0xc/0x20
    ...
    [  226.059732] Call Trace:
    [  226.059878]  rpcrdma_bc_receive_call+0x138/0x327 [rpcrdma]
    [  226.060011]  __ib_process_cq+0x89/0x170 [ib_core]
    [  226.060092]  ib_cq_poll_work+0x26/0x80 [ib_core]
    [  226.060257]  process_one_work+0x1a7/0x360
    [  226.060367]  ? create_worker+0x1a0/0x1a0
    [  226.060440]  worker_thread+0x30/0x390
    [  226.060500]  ? create_worker+0x1a0/0x1a0
    [  226.060574]  kthread+0x116/0x130
    [  226.060661]  ? kthread_flush_work_fn+0x10/0x10
    [  226.060724]  ret_from_fork+0x35/0x40
    ...
    
    Signed-off-by: Kinglong Mee <kinglongmee@gmail.com>
    Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
    Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3f55b80f76353d51771d2b87445eff3626639d0a
Author: Yang Yingliang <yangyingliang@huawei.com>
Date:   Fri May 13 18:05:41 2022 +0800

    video: fbdev: pxa3xx-gcu: release the resources correctly in pxa3xx_gcu_probe/remove()
    
    [ Upstream commit d87ad457f7e1b8d2492ca5b1531eb35030a1cc8f ]
    
    In pxa3xx_gcu_probe(), the sequence of error lable is wrong, it will
    leads some resource leaked, so adjust the sequence to handle the error
    correctly, and if pxa3xx_gcu_add_buffer() fails, pxa3xx_gcu_free_buffers()
    need be called.
    In pxa3xx_gcu_remove(), add missing clk_disable_unpreprare().
    
    Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
    Signed-off-by: Helge Deller <deller@gmx.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 6b3fc1496e7227cd6a39a80bbfb7588ef7c7a010
Author: Trond Myklebust <trond.myklebust@hammerspace.com>
Date:   Sat May 14 10:08:14 2022 -0400

    NFSv4: Don't hold the layoutget locks across multiple RPC calls
    
    [ Upstream commit 6949493884fe88500de4af182588e071cf1544ee ]
    
    When doing layoutget as part of the open() compound, we have to be
    careful to release the layout locks before we can call any further RPC
    calls, such as setattr(). The reason is that those calls could trigger
    a recall, which could deadlock.
    
    Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
    Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit c4bf25d23ff848701d4a34065787ed038548d212
Author: Greg Ungerer <gerg@linux-m68k.org>
Date:   Fri May 13 17:27:39 2022 +1000

    m68knommu: fix undefined reference to `_init_sp'
    
    [ Upstream commit a71b9e66fee47c59b3ec34e652b5c23bc6550794 ]
    
    When configuring a nommu classic m68k system enabling the uboot parameter
    passing support (CONFIG_UBOOT) will produce the following compile error:
    
       m68k-linux-ld: arch/m68k/kernel/uboot.o: in function `process_uboot_commandline':
       uboot.c:(.init.text+0x32): undefined reference to `_init_sp'
    
    The logic to support this option is only used on ColdFire based platforms
    (in its head.S startup code). So make the selection of this option
    depend on building for a ColdFire based platform.
    
    Reported-by: kernel test robot <lkp@intel.com>
    Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
    Acked-by: Geert Uytterhoeven <geert@linux-m68k.org>
    Signed-off-by: Greg Ungerer <gerg@linux-m68k.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 5b4b2c249c8292e057bb31b8161a510bd50d2dff
Author: Greg Ungerer <gerg@linux-m68k.org>
Date:   Wed Apr 20 23:27:47 2022 +1000

    m68knommu: set ZERO_PAGE() to the allocated zeroed page
    
    [ Upstream commit dc068f46217970d9516f16cd37972a01d50dc055 ]
    
    The non-MMU m68k pagetable ZERO_PAGE() macro is being set to the
    somewhat non-sensical value of "virt_to_page(0)". The zeroth page
    is not in any way guaranteed to be a page full of "0". So the result
    is that ZERO_PAGE() will almost certainly contain random values.
    
    We already allocate a real "empty_zero_page" in the mm setup code shared
    between MMU m68k and non-MMU m68k. It is just not hooked up to the
    ZERO_PAGE() macro for the non-MMU m68k case.
    
    Fix ZERO_PAGE() to use the allocated "empty_zero_page" pointer.
    
    I am not aware of any specific issues caused by the old code.
    
    Link: https://lore.kernel.org/linux-m68k/2a462b23-5b8e-bbf4-ec7d-778434a3b9d7@google.com/T/#t
    Reported-by: Hugh Dickens <hughd@google.com>
    Signed-off-by: Greg Ungerer <gerg@linux-m68k.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 460dc21d2b91b3a54fb3bfc77840458d1708041f
Author: Lucas Tanure <tanureal@opensource.cirrus.com>
Date:   Wed Apr 13 10:14:10 2022 +0100

    i2c: cadence: Increase timeout per message if necessary
    
    [ Upstream commit 96789dce043f5bff8b7d62aa28d52a7c59403a84 ]
    
    Timeout as 1 second sets an upper limit on the length
    of the transfer executed, but there is no maximum length
    of a write or read message set in i2c_adapter_quirks for
    this controller.
    
    This upper limit affects devices that require sending
    large firmware blobs over I2C.
    
    To remove that limitation, calculate the minimal time
    necessary, plus some wiggle room, for every message and
    use it instead of the default one second, if more than
    one second.
    
    Signed-off-by: Lucas Tanure <tanureal@opensource.cirrus.com>
    Acked-by: Michal Simek <michal.simek@xilinx.com>
    Signed-off-by: Wolfram Sang <wsa@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 8258fb4ef288e0467d1964653c1d1250e0a3ac81
Author: Mark-PK Tsai <mark-pk.tsai@mediatek.com>
Date:   Tue Apr 26 20:24:06 2022 +0800

    tracing: Avoid adding tracer option before update_tracer_options
    
    [ Upstream commit ef9188bcc6ca1d8a2ad83e826b548e6820721061 ]
    
    To prepare for support asynchronous tracer_init_tracefs initcall,
    avoid calling create_trace_option_files before __update_tracer_options.
    Otherwise, create_trace_option_files will show warning because
    some tracers in trace_types list are already in tr->topts.
    
    For example, hwlat_tracer call register_tracer in late_initcall,
    and global_trace.dir is already created in tracing_init_dentry,
    hwlat_tracer will be put into tr->topts.
    Then if the __update_tracer_options is executed after hwlat_tracer
    registered, create_trace_option_files find that hwlat_tracer is
    already in tr->topts.
    
    Link: https://lkml.kernel.org/r/20220426122407.17042-2-mark-pk.tsai@mediatek.com
    
    Link: https://lore.kernel.org/lkml/20220322133339.GA32582@xsang-OptiPlex-9020/
    Reported-by: kernel test robot <oliver.sang@intel.com>
    Signed-off-by: Mark-PK Tsai <mark-pk.tsai@mediatek.com>
    Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 40f9fde06b25884baa0c4bd138b909a9b67218b4
Author: Jun Miao <jun.miao@intel.com>
Date:   Tue Apr 19 09:39:10 2022 +0800

    tracing: Fix sleeping function called from invalid context on RT kernel
    
    [ Upstream commit 12025abdc8539ed9d5014e2d647a3fd1bd3de5cd ]
    
    When setting bootparams="trace_event=initcall:initcall_start tp_printk=1" in the
    cmdline, the output_printk() was called, and the spin_lock_irqsave() was called in the
    atomic and irq disable interrupt context suitation. On the PREEMPT_RT kernel,
    these locks are replaced with sleepable rt-spinlock, so the stack calltrace will
    be triggered.
    Fix it by raw_spin_lock_irqsave when PREEMPT_RT and "trace_event=initcall:initcall_start
    tp_printk=1" enabled.
    
     BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:46
     in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1, name: swapper/0
     preempt_count: 2, expected: 0
     RCU nest depth: 0, expected: 0
     Preemption disabled at:
     [<ffffffff8992303e>] try_to_wake_up+0x7e/0xba0
     CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.17.1-rt17+ #19 34c5812404187a875f32bee7977f7367f9679ea7
     Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
     Call Trace:
      <TASK>
      dump_stack_lvl+0x60/0x8c
      dump_stack+0x10/0x12
      __might_resched.cold+0x11d/0x155
      rt_spin_lock+0x40/0x70
      trace_event_buffer_commit+0x2fa/0x4c0
      ? map_vsyscall+0x93/0x93
      trace_event_raw_event_initcall_start+0xbe/0x110
      ? perf_trace_initcall_finish+0x210/0x210
      ? probe_sched_wakeup+0x34/0x40
      ? ttwu_do_wakeup+0xda/0x310
      ? trace_hardirqs_on+0x35/0x170
      ? map_vsyscall+0x93/0x93
      do_one_initcall+0x217/0x3c0
      ? trace_event_raw_event_initcall_level+0x170/0x170
      ? push_cpu_stop+0x400/0x400
      ? cblist_init_generic+0x241/0x290
      kernel_init_freeable+0x1ac/0x347
      ? _raw_spin_unlock_irq+0x65/0x80
      ? rest_init+0xf0/0xf0
      kernel_init+0x1e/0x150
      ret_from_fork+0x22/0x30
      </TASK>
    
    Link: https://lkml.kernel.org/r/20220419013910.894370-1-jun.miao@intel.com
    
    Signed-off-by: Jun Miao <jun.miao@intel.com>
    Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 961ee8a6eeef4632a215d995d837b204f8c7c2d4
Author: Gong Yuanjun <ruc_gongyuanjun@163.com>
Date:   Thu Apr 7 12:26:57 2022 +0800

    mips: cpc: Fix refcount leak in mips_cpc_default_phys_base
    
    [ Upstream commit 4107fa700f314592850e2c64608f6ede4c077476 ]
    
    Add the missing of_node_put() to release the refcount incremented
    by of_find_compatible_node().
    
    Signed-off-by: Gong Yuanjun <ruc_gongyuanjun@163.com>
    Reviewed-by: Serge Semin <fancer.lancer@gmail.com>
    Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 7c9719433bc9f02b7bd69545162d98b6a3c61d6e
Author: Leo Yan <leo.yan@linaro.org>
Date:   Mon May 30 16:42:53 2022 +0800

    perf c2c: Fix sorting in percent_rmt_hitm_cmp()
    
    [ Upstream commit b24192a17337abbf3f44aaa75e15df14a2d0016e ]
    
    The function percent_rmt_hitm_cmp() wrongly uses local HITMs for
    sorting remote HITMs.
    
    Since this function is to sort cache lines for remote HITMs, this patch
    changes to use 'rmt_hitm' field for correct sorting.
    
    Fixes: 9cb3500afc0980c5 ("perf c2c report: Add hitm/store percent related sort keys")
    Signed-off-by: Leo Yan <leo.yan@linaro.org>
    Acked-by: Namhyung Kim <namhyung@kernel.org>
    Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
    Cc: Ingo Molnar <mingo@redhat.com>
    Cc: Jiri Olsa <jolsa@kernel.org>
    Cc: Joe Mario <jmario@redhat.com>
    Cc: Mark Rutland <mark.rutland@arm.com>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Link: https://lore.kernel.org/r/20220530084253.750190-1-leo.yan@linaro.org
    Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f07670871f4d19e613740eebe210e7e9ea535973
Author: Hoang Le <hoang.h.le@dektech.com.au>
Date:   Thu Jun 2 13:30:53 2022 +0700

    tipc: check attribute length for bearer name
    
    [ Upstream commit 7f36f798f89bf32c0164049cb0e3fd1af613d0bb ]
    
    syzbot reported uninit-value:
    =====================================================
    BUG: KMSAN: uninit-value in string_nocheck lib/vsprintf.c:644 [inline]
    BUG: KMSAN: uninit-value in string+0x4f9/0x6f0 lib/vsprintf.c:725
     string_nocheck lib/vsprintf.c:644 [inline]
     string+0x4f9/0x6f0 lib/vsprintf.c:725
     vsnprintf+0x2222/0x3650 lib/vsprintf.c:2806
     vprintk_store+0x537/0x2150 kernel/printk/printk.c:2158
     vprintk_emit+0x28b/0xab0 kernel/printk/printk.c:2256
     vprintk_default+0x86/0xa0 kernel/printk/printk.c:2283
     vprintk+0x15f/0x180 kernel/printk/printk_safe.c:50
     _printk+0x18d/0x1cf kernel/printk/printk.c:2293
     tipc_enable_bearer net/tipc/bearer.c:371 [inline]
     __tipc_nl_bearer_enable+0x2022/0x22a0 net/tipc/bearer.c:1033
     tipc_nl_bearer_enable+0x6c/0xb0 net/tipc/bearer.c:1042
     genl_family_rcv_msg_doit net/netlink/genetlink.c:731 [inline]
    
    - Do sanity check the attribute length for TIPC_NLA_BEARER_NAME.
    - Do not use 'illegal name' in printing message.
    
    Reported-by: syzbot+e820fdc8ce362f2dea51@syzkaller.appspotmail.com
    Fixes: cb30a63384bc ("tipc: refactor function tipc_enable_bearer()")
    Acked-by: Jon Maloy <jmaloy@redhat.com>
    Signed-off-by: Hoang Le <hoang.h.le@dektech.com.au>
    Link: https://lore.kernel.org/r/20220602063053.5892-1-hoang.h.le@dektech.com.au
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 8a867608b2ec5446b3665df535c2a6ce1447bf98
Author: David Howells <dhowells@redhat.com>
Date:   Tue May 31 09:30:40 2022 +0100

    afs: Fix infinite loop found by xfstest generic/676
    
    [ Upstream commit 17eabd42560f4636648ad65ba5b20228071e2363 ]
    
    In AFS, a directory is handled as a file that the client downloads and
    parses locally for the purposes of performing lookup and getdents
    operations.  The in-kernel afs filesystem has a number of functions that
    do this.
    
    A directory file is arranged as a series of 2K blocks divided into
    32-byte slots, where a directory entry occupies one or more slots, plus
    each block starts with one or more metadata blocks.
    
    When parsing a block, if the last slots are occupied by a dirent that
    occupies more than a single slot and the file position points at a slot
    that's not the initial one, the logic in afs_dir_iterate_block() that
    skips over it won't advance the file pointer to the end of it.  This
    will cause an infinite loop in getdents() as it will keep retrying that
    block and failing to advance beyond the final entry.
    
    Fix this by advancing the file pointer if the next entry will be beyond
    it when we skip a block.
    
    This was found by the generic/676 xfstest but can also be triggered with
    something like:
    
            ~/xfstests-dev/src/t_readdir_3 /xfstest.test/z 4000 1
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: David Howells <dhowells@redhat.com>
    Reviewed-by: Marc Dionne <marc.dionne@auristor.com>
    Tested-by: Marc Dionne <marc.dionne@auristor.com>
    cc: linux-afs@lists.infradead.org
    Link: http://lore.kernel.org/r/165391973497.110268.2939296942213894166.stgit@warthog.procyon.org.uk/
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 58bd38cbc961fd799842b7be8c5222310f04b908
Author: Eric Dumazet <edumazet@google.com>
Date:   Mon May 30 14:37:13 2022 -0700

    tcp: tcp_rtx_synack() can be called from process context
    
    [ Upstream commit 0a375c822497ed6ad6b5da0792a12a6f1af10c0b ]
    
    Laurent reported the enclosed report [1]
    
    This bug triggers with following coditions:
    
    0) Kernel built with CONFIG_DEBUG_PREEMPT=y
    
    1) A new passive FastOpen TCP socket is created.
       This FO socket waits for an ACK coming from client to be a complete
       ESTABLISHED one.
    2) A socket operation on this socket goes through lock_sock()
       release_sock() dance.
    3) While the socket is owned by the user in step 2),
       a retransmit of the SYN is received and stored in socket backlog.
    4) At release_sock() time, the socket backlog is processed while
       in process context.
    5) A SYNACK packet is cooked in response of the SYN retransmit.
    6) -> tcp_rtx_synack() is called in process context.
    
    Before blamed commit, tcp_rtx_synack() was always called from BH handler,
    from a timer handler.
    
    Fix this by using TCP_INC_STATS() & NET_INC_STATS()
    which do not assume caller is in non preemptible context.
    
    [1]
    BUG: using __this_cpu_add() in preemptible [00000000] code: epollpep/2180
    caller is tcp_rtx_synack.part.0+0x36/0xc0
    CPU: 10 PID: 2180 Comm: epollpep Tainted: G           OE     5.16.0-0.bpo.4-amd64 #1  Debian 5.16.12-1~bpo11+1
    Hardware name: Supermicro SYS-5039MC-H8TRF/X11SCD-F, BIOS 1.7 11/23/2021
    Call Trace:
     <TASK>
     dump_stack_lvl+0x48/0x5e
     check_preemption_disabled+0xde/0xe0
     tcp_rtx_synack.part.0+0x36/0xc0
     tcp_rtx_synack+0x8d/0xa0
     ? kmem_cache_alloc+0x2e0/0x3e0
     ? apparmor_file_alloc_security+0x3b/0x1f0
     inet_rtx_syn_ack+0x16/0x30
     tcp_check_req+0x367/0x610
     tcp_rcv_state_process+0x91/0xf60
     ? get_nohz_timer_target+0x18/0x1a0
     ? lock_timer_base+0x61/0x80
     ? preempt_count_add+0x68/0xa0
     tcp_v4_do_rcv+0xbd/0x270
     __release_sock+0x6d/0xb0
     release_sock+0x2b/0x90
     sock_setsockopt+0x138/0x1140
     ? __sys_getsockname+0x7e/0xc0
     ? aa_sk_perm+0x3e/0x1a0
     __sys_setsockopt+0x198/0x1e0
     __x64_sys_setsockopt+0x21/0x30
     do_syscall_64+0x38/0xc0
     entry_SYSCALL_64_after_hwframe+0x44/0xae
    
    Fixes: 168a8f58059a ("tcp: TCP Fast Open Server - main code path")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: Laurent Fasnacht <laurent.fasnacht@proton.ch>
    Acked-by: Neal Cardwell <ncardwell@google.com>
    Link: https://lore.kernel.org/r/20220530213713.601888-1-eric.dumazet@gmail.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit fedea7efbf7bd6569177a1f553c21a8270140425
Author: Maxim Mikityanskiy <maximmi@nvidia.com>
Date:   Mon May 23 15:39:13 2022 +0300

    net/mlx5e: Update netdev features after changing XDP state
    
    [ Upstream commit f6279f113ad593971999c877eb69dc3d36a75894 ]
    
    Some features (LRO, HW GRO) conflict with XDP. If there is an attempt to
    enable such features while XDP is active, they will be set to `off
    [requested on]`. In order to activate these features after XDP is turned
    off, the driver needs to call netdev_update_features(). This commit adds
    this missing call after XDP state changes.
    
    Fixes: cf6e34c8c22f ("net/mlx5e: Properly block LRO when XDP is enabled")
    Fixes: b0617e7b3500 ("net/mlx5e: Properly block HW GRO when XDP is enabled")
    Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
    Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
    Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a8d6b6382688ee8d8f5d7aee86ec604f8118a127
Author: Yu Xiao <yu.xiao@corigine.com>
Date:   Fri May 27 20:24:24 2022 +0200

    nfp: only report pause frame configuration for physical device
    
    [ Upstream commit 0649e4d63420ebc8cbebef3e9d39e12ffc5eb9fa ]
    
    Only report pause frame configuration for physical device. Logical
    port of both PCI PF and PCI VF do not support it.
    
    Fixes: 9fdc5d85a8fe ("nfp: update ethtool reporting of pauseframe control")
    Signed-off-by: Yu Xiao <yu.xiao@corigine.com>
    Signed-off-by: Simon Horman <simon.horman@corigine.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit abb67043060f2bf4c03d7c3debb9ae980e2b6db3
Author: Zhihao Cheng <chengzhihao1@huawei.com>
Date:   Tue May 10 20:31:26 2022 +0800

    ubi: ubi_create_volume: Fix use-after-free when volume creation failed
    
    [ Upstream commit 8c03a1c21d72210f81cb369cc528e3fde4b45411 ]
    
    There is an use-after-free problem for 'eba_tbl' in ubi_create_volume()'s
    error handling path:
    
      ubi_eba_replace_table(vol, eba_tbl)
        vol->eba_tbl = tbl
    out_mapping:
      ubi_eba_destroy_table(eba_tbl)   // Free 'eba_tbl'
    out_unlock:
      put_device(&vol->dev)
        vol_release
          kfree(tbl->entries)         // UAF
    
    Fix it by removing redundant 'eba_tbl' releasing.
    Fetch a reproducer in [Link].
    
    Fixes: 493cfaeaa0c9b ("mtd: utilize new cdev_device_add helper function")
    Link: https://bugzilla.kernel.org/show_bug.cgi?id=215965
    Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
    Signed-off-by: Richard Weinberger <richard@nod.at>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 28048a4cf3813b7cf5cc8cce629dfdc7951cb1c2
Author: Baokun Li <libaokun1@huawei.com>
Date:   Tue Apr 12 17:38:16 2022 +0800

    jffs2: fix memory leak in jffs2_do_fill_super
    
    [ Upstream commit c14adb1cf70a984ed081c67e9d27bc3caad9537c ]
    
    If jffs2_iget() or d_make_root() in jffs2_do_fill_super() returns
    an error, we can observe the following kmemleak report:
    
    --------------------------------------------
    unreferenced object 0xffff888105a65340 (size 64):
      comm "mount", pid 710, jiffies 4302851558 (age 58.239s)
      hex dump (first 32 bytes):
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      backtrace:
        [<ffffffff859c45e5>] kmem_cache_alloc_trace+0x475/0x8a0
        [<ffffffff86160146>] jffs2_sum_init+0x96/0x1a0
        [<ffffffff86140e25>] jffs2_do_mount_fs+0x745/0x2120
        [<ffffffff86149fec>] jffs2_do_fill_super+0x35c/0x810
        [<ffffffff8614aae9>] jffs2_fill_super+0x2b9/0x3b0
        [...]
    unreferenced object 0xffff8881bd7f0000 (size 65536):
      comm "mount", pid 710, jiffies 4302851558 (age 58.239s)
      hex dump (first 32 bytes):
        bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
        bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
      backtrace:
        [<ffffffff858579ba>] kmalloc_order+0xda/0x110
        [<ffffffff85857a11>] kmalloc_order_trace+0x21/0x130
        [<ffffffff859c2ed1>] __kmalloc+0x711/0x8a0
        [<ffffffff86160189>] jffs2_sum_init+0xd9/0x1a0
        [<ffffffff86140e25>] jffs2_do_mount_fs+0x745/0x2120
        [<ffffffff86149fec>] jffs2_do_fill_super+0x35c/0x810
        [<ffffffff8614aae9>] jffs2_fill_super+0x2b9/0x3b0
        [...]
    --------------------------------------------
    
    This is because the resources allocated in jffs2_sum_init() are not
    released. Call jffs2_sum_exit() to release these resources to solve
    the problem.
    
    Fixes: e631ddba5887 ("[JFFS2] Add erase block summary support (mount time improvement)")
    Signed-off-by: Baokun Li <libaokun1@huawei.com>
    Signed-off-by: Richard Weinberger <richard@nod.at>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 03bd6eaab3e1cbd4e5060b36a67000165f6e0482
Author: Alexander Lobakin <alexandr.lobakin@intel.com>
Date:   Tue May 24 17:27:18 2022 +0200

    modpost: fix removing numeric suffixes
    
    [ Upstream commit b5beffa20d83c4e15306c991ffd00de0d8628338 ]
    
    With the `-z unique-symbol` linker flag or any similar mechanism,
    it is possible to trigger the following:
    
    ERROR: modpost: "param_set_uint.0" [vmlinux] is a static EXPORT_SYMBOL
    
    The reason is that for now the condition from remove_dot():
    
    if (m && (s[n + m] == '.' || s[n + m] == 0))
    
    which was designed to test if it's a dot or a '\0' after the suffix
    is never satisfied.
    This is due to that `s[n + m]` always points to the last digit of a
    numeric suffix, not on the symbol next to it (from a custom debug
    print added to modpost):
    
    param_set_uint.0, s[n + m] is '0', s[n + m + 1] is '\0'
    
    So it's off-by-one and was like that since 2014.
    
    Fix this for the sake of any potential upcoming features, but don't
    bother stable-backporting, as it's well hidden -- apart from that
    LD flag, it can be triggered only with GCC LTO which never landed
    upstream.
    
    Fixes: fcd38ed0ff26 ("scripts: modpost: fix compilation warning")
    Signed-off-by: Alexander Lobakin <alexandr.lobakin@intel.com>
    Reviewed-by: Petr Mladek <pmladek@suse.com>
    Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 86c3c5f8e4bd1325e24f6fba9017cade29933377
Author: Miaoqian Lin <linmq006@gmail.com>
Date:   Thu May 26 18:52:08 2022 +0400

    net: dsa: mv88e6xxx: Fix refcount leak in mv88e6xxx_mdios_register
    
    [ Upstream commit 02ded5a173619b11728b8bf75a3fd995a2c1ff28 ]
    
    of_get_child_by_name() returns a node pointer with refcount
    incremented, we should use of_node_put() on it when done.
    
    mv88e6xxx_mdio_register() pass the device node to of_mdiobus_register().
    We don't need the device node after it.
    
    Add missing of_node_put() to avoid refcount leak.
    
    Fixes: a3c53be55c95 ("net: dsa: mv88e6xxx: Support multiple MDIO busses")
    Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
    Reviewed-by: Marek Behún <kabel@kernel.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 657e7174603f0aab2cdedc64ac81edffd2a87afe
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu May 26 11:02:42 2022 +0300

    net: ethernet: mtk_eth_soc: out of bounds read in mtk_hwlro_get_fdir_entry()
    
    [ Upstream commit e7e7104e2d5ddf3806a28695670f21bef471f1e1 ]
    
    The "fsp->location" variable comes from user via ethtool_get_rxnfc().
    Check that it is valid to prevent an out of bounds read.
    
    Fixes: 7aab747e5563 ("net: ethernet: mediatek: add ethtool functions to configure RX flows of HW LRO")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 2798944556a2ba898b945cc0b06fb4aaff2a9e3c
Author: Jann Horn <jannh@google.com>
Date:   Tue May 17 16:30:47 2022 +0200

    s390/crypto: fix scatterwalk_unmap() callers in AES-GCM
    
    [ Upstream commit bd52cd5e23f134019b23f0c389db0f9a436e4576 ]
    
    The argument of scatterwalk_unmap() is supposed to be the void* that was
    returned by the previous scatterwalk_map() call.
    The s390 AES-GCM implementation was instead passing the pointer to the
    struct scatter_walk.
    
    This doesn't actually break anything because scatterwalk_unmap() only uses
    its argument under CONFIG_HIGHMEM and ARCH_HAS_FLUSH_ON_KUNMAP.
    
    Fixes: bf7fa038707c ("s390/crypto: add s390 platform specific aes gcm support.")
    Signed-off-by: Jann Horn <jannh@google.com>
    Acked-by: Harald Freudenberger <freude@linux.ibm.com>
    Link: https://lore.kernel.org/r/20220517143047.3054498-1-jannh@google.com
    Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 852261e4bd2eba5caaafef2aa5f614de2633a551
Author: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Date:   Fri Apr 22 12:41:01 2022 +0200

    clocksource/drivers/oxnas-rps: Fix irq_of_parse_and_map() return value
    
    [ Upstream commit 9c04a8ff03def4df3f81219ffbe1ec9b44ff5348 ]
    
    The irq_of_parse_and_map() returns 0 on failure, not a negative ERRNO.
    
    Fixes: 89355274e1f7 ("clocksource/drivers/oxnas-rps: Add Oxford Semiconductor RPS Dual Timer")
    Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    Reviewed-by: Neil Armstrong <narmstrong@baylibre.com>
    Link: https://lore.kernel.org/r/20220422104101.55754-1-krzysztof.kozlowski@linaro.org
    Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit b5465f8e8be39f4b2f9529a4f85840751247b80e
Author: Tony Lindgren <tony@atomide.com>
Date:   Thu May 12 08:30:21 2022 +0300

    bus: ti-sysc: Fix warnings for unbind for serial
    
    [ Upstream commit c337125b8834f9719dfda0e40b25eaa266f1b8cf ]
    
    We can get "failed to disable" clock_unprepare warnings on unbind at least
    for the serial console device if the unbind is done before the device has
    been idled.
    
    As some devices are using deferred idle, we must check the status for
    pending idle work to idle the device.
    
    Fixes: 76f0f772e469 ("bus: ti-sysc: Improve handling for no-reset-on-init and no-idle-on-init")
    Cc: Romain Naour <romain.naour@smile.fr>
    Reviewed-by: Romain Naour <romain.naour@smile.fr>
    Signed-off-by: Tony Lindgren <tony@atomide.com>
    Link: https://lore.kernel.org/r/20220512053021.61650-1-tony@atomide.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit c66cc3c62870a27ea8f060a7e4c1ad8d26dd3f0d
Author: Miaoqian Lin <linmq006@gmail.com>
Date:   Wed May 11 11:14:19 2022 +0400

    firmware: dmi-sysfs: Fix memory leak in dmi_sysfs_register_handle
    
    [ Upstream commit 660ba678f9998aca6db74f2dd912fa5124f0fa31 ]
    
    kobject_init_and_add() takes reference even when it fails.
    According to the doc of kobject_init_and_add()
    
       If this function returns an error, kobject_put() must be called to
       properly clean up the memory associated with the object.
    
    Fix this issue by calling kobject_put().
    
    Fixes: 948af1f0bbc8 ("firmware: Basic dmi-sysfs support")
    Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
    Link: https://lore.kernel.org/r/20220511071421.9769-1-linmq006@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a1c987d451e9a3c35f3fc92537a0004afa57fdac
Author: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Date:   Thu May 19 11:18:07 2022 +0300

    serial: stm32-usart: Correct CSIZE, bits, and parity
    
    [ Upstream commit 1deeda8d2877c18bc2b9eeee10dd6d2628852848 ]
    
    Add CSIZE sanitization for unsupported CSIZE configurations. In
    addition, if parity is asked for but CSx was unsupported, the sensible
    result is CS8+parity which requires setting USART_CR1_M0 like with 9
    bits.
    
    Incorrect CSIZE results in miscalculation of the frame bits in
    tty_get_char_size() or in its predecessor where the roughly the same
    code is directly within uart_update_timeout().
    
    Fixes: c8a9d043947b (serial: stm32: fix word length configuration)
    Cc: Erwan Le Ray <erwan.leray@st.com>
    Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
    Link: https://lore.kernel.org/r/20220519081808.3776-9-ilpo.jarvinen@linux.intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit ef93537ca9a7d9725f06f4123c438c8f213c22f0
Author: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Date:   Thu May 19 11:18:06 2022 +0300

    serial: st-asc: Sanitize CSIZE and correct PARENB for CS7
    
    [ Upstream commit 52bb1cb7118564166b04d52387bd8403632f5190 ]
    
    Only CS7 and CS8 seem supported but CSIZE is not sanitized from CS5 or
    CS6 to CS8. In addition, ASC_CTL_MODE_7BIT_PAR suggests that CS7 has
    to have parity, thus add PARENB.
    
    Incorrect CSIZE results in miscalculation of the frame bits in
    tty_get_char_size() or in its predecessor where the roughly the same
    code is directly within uart_update_timeout().
    
    Fixes: c4b058560762 (serial:st-asc: Add ST ASC driver.)
    Cc: Srinivas Kandagatla <srinivas.kandagatla@st.com>
    Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
    Link: https://lore.kernel.org/r/20220519081808.3776-8-ilpo.jarvinen@linux.intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 67b136acaac4cfa9d876a556d2b126622dc92447
Author: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Date:   Thu May 19 11:18:04 2022 +0300

    serial: sh-sci: Don't allow CS5-6
    
    [ Upstream commit 9b87162de8be26bf3156460b37deee6399fd0fcb ]
    
    Only CS7 and CS8 seem supported but CSIZE is not sanitized from
    CS5 or CS6 to CS8.
    
    Set CSIZE correctly so that userspace knows the effective value.
    Incorrect CSIZE also results in miscalculation of the frame bits in
    tty_get_char_size() or in its predecessor where the roughly the same
    code is directly within uart_update_timeout().
    
    Fixes: 1da177e4c3f4 (Linux-2.6.12-rc2)
    Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
    Link: https://lore.kernel.org/r/20220519081808.3776-6-ilpo.jarvinen@linux.intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 5a418919e70ac6796658dd020832d2b4e0fdd4d9
Author: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Date:   Thu May 19 11:18:03 2022 +0300

    serial: txx9: Don't allow CS5-6
    
    [ Upstream commit 79ac88655dc0551e3571ad16bdabdbe65d61553e ]
    
    Only CS7 and CS8 are supported but CSIZE is not sanitized with
    CS5 or CS6 to CS8.
    
    Set CSIZE correctly so that userspace knows the effective value.
    Incorrect CSIZE also results in miscalculation of the frame bits in
    tty_get_char_size() or in its predecessor where the roughly the same
    code is directly within uart_update_timeout().
    
    Fixes: 1da177e4c3f4 (Linux-2.6.12-rc2)
    Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
    Link: https://lore.kernel.org/r/20220519081808.3776-5-ilpo.jarvinen@linux.intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 49152e85cc323e03b9879694c6ba0809a96931f2
Author: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Date:   Thu May 19 11:18:01 2022 +0300

    serial: digicolor-usart: Don't allow CS5-6
    
    [ Upstream commit fd63031b8c0763addcecdefe0e0c59d49646204e ]
    
    Only CS7 and CS8 seem supported but CSIZE is not sanitized to CS8 in
    the default: block.
    
    Set CSIZE correctly so that userspace knows the effective value.
    Incorrect CSIZE also results in miscalculation of the frame bits in
    tty_get_char_size() or in its predecessor where the roughly the same
    code is directly within uart_update_timeout().
    
    Fixes: 5930cb3511df (serial: driver for Conexant Digicolor USART)
    Acked-by: Baruch Siach <baruch@tkos.co.il>
    Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
    Link: https://lore.kernel.org/r/20220519081808.3776-3-ilpo.jarvinen@linux.intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit e78a321c14ad4e96f3d215aad8bcb6cb55ddc442
Author: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Date:   Fri May 13 16:46:43 2022 +0300

    serial: 8250_fintek: Check SER_RS485_RTS_* only with RS485
    
    [ Upstream commit af0179270977508df6986b51242825d7edd59caf ]
    
    SER_RS485_RTS_ON_SEND and SER_RS485_RTS_AFTER_SEND relate to behavior
    within RS485 operation. The driver checks if they have the same value
    which is not possible to realize with the hardware. The check is taken
    regardless of SER_RS485_ENABLED flag and -EINVAL is returned when the
    check fails, which creates problems.
    
    This check makes it unnecessarily complicated to turn RS485 mode off as
    simple zeroed serial_rs485 struct will trigger that equal values check.
    In addition, the driver itself memsets its rs485 structure to zero when
    RS485 is disabled but if userspace would try to make an TIOCSRS485
    ioctl() call with the very same struct, it would end up failing with
    -EINVAL which doesn't make much sense.
    
    Resolve the problem by moving the check inside SER_RS485_ENABLED block.
    
    Fixes: 7ecc77011c6f ("serial: 8250_fintek: Return -EINVAL on invalid configuration")
    Cc: Ricardo Ribalda Delgado <ricardo.ribalda@gmail.com>
    Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
    Link: https://lore.kernel.org/r/035c738-8ea5-8b17-b1d7-84a7b3aeaa51@linux.intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 6b4e44677aa7a03100e4bab9ff8c135ddc3801bd
Author: John Ogness <john.ogness@linutronix.de>
Date:   Sun May 8 12:41:47 2022 +0206

    serial: meson: acquire port->lock in startup()
    
    [ Upstream commit 589f892ac8ef244e47c5a00ffd8605daa1eaef8e ]
    
    The uart_ops startup() callback is called without interrupts
    disabled and without port->lock locked, relatively late during the
    boot process (from the call path of console_on_rootfs()). If the
    device is a console, it was already previously registered and could
    be actively printing messages.
    
    Since the startup() callback is reading/writing registers used by
    the console write() callback (AML_UART_CONTROL), its access must
    be synchronized using the port->lock. Currently it is not.
    
    The startup() callback is the only function that explicitly enables
    interrupts. Without the synchronization, it is possible that
    interrupts become accidentally permanently disabled.
    
    CPU0                           CPU1
    meson_serial_console_write     meson_uart_startup
    --------------------------     ------------------
    spin_lock(port->lock)
    val = readl(AML_UART_CONTROL)
    uart_console_write()
                                   writel(INT_EN, AML_UART_CONTROL)
    writel(val, AML_UART_CONTROL)
    spin_unlock(port->lock)
    
    Add port->lock synchronization to meson_uart_startup() to avoid
    racing with meson_serial_console_write().
    
    Also add detailed comments to meson_uart_reset() explaining why it
    is *not* using port->lock synchronization.
    
    Link: https://lore.kernel.org/lkml/2a82eae7-a256-f70c-fd82-4e510750906e@samsung.com
    Fixes: ff7693d079e5 ("ARM: meson: serial: add MesonX SoC on-chip uart driver")
    Reported-by: Marek Szyprowski <m.szyprowski@samsung.com>
    Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
    Reviewed-by: Petr Mladek <pmladek@suse.com>
    Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
    Acked-by: Neil Armstrong <narmstrong@baylibre.com>
    Signed-off-by: John Ogness <john.ogness@linutronix.de>
    Link: https://lore.kernel.org/r/20220508103547.626355-1-john.ogness@linutronix.de
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 6ecd4d5c28408df36a1a6f0b1973f633c949ac1f
Author: Yang Yingliang <yangyingliang@huawei.com>
Date:   Thu May 5 20:50:43 2022 +0800

    rtc: mt6397: check return value after calling platform_get_resource()
    
    [ Upstream commit d3b43eb505bffb8e4cdf6800c15660c001553fe6 ]
    
    It will cause null-ptr-deref if platform_get_resource() returns NULL,
    we need check the return value.
    
    Fixes: fc2979118f3f ("rtc: mediatek: Add MT6397 RTC driver")
    Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
    Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
    Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
    Link: https://lore.kernel.org/r/20220505125043.1594771-1-yangyingliang@huawei.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3448aa3b941999f5fed7570ad6bad79972cbd18c
Author: Samuel Holland <samuel@sholland.org>
Date:   Sun May 8 20:21:21 2022 -0500

    clocksource/drivers/riscv: Events are stopped during CPU suspend
    
    [ Upstream commit 232ccac1bd9b5bfe73895f527c08623e7fa0752d ]
    
    Some implementations of the SBI time extension depend on hart-local
    state (for example, CSRs) that are lost or hardware that is powered
    down when a CPU is suspended. To be safe, the clockevents driver
    cannot assume that timer IRQs will be received during CPU suspend.
    
    Fixes: 62b019436814 ("clocksource: new RISC-V SBI timer driver")
    Signed-off-by: Samuel Holland <samuel@sholland.org>
    Reviewed-by: Anup Patel <anup@brainfault.org>
    Link: https://lore.kernel.org/r/20220509012121.40031-1-samuel@sholland.org
    Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 28133325526b92921f3269fdf97a20d90b92b217
Author: Miaoqian Lin <linmq006@gmail.com>
Date:   Mon May 16 11:20:10 2022 +0400

    soc: rockchip: Fix refcount leak in rockchip_grf_init
    
    [ Upstream commit 9b59588d8be91c96bfb0371e912ceb4f16315dbf ]
    
    of_find_matching_node_and_match returns a node pointer with refcount
    incremented, we should use of_node_put() on it when done.
    Add missing of_node_put() to avoid refcount leak.
    
    Fixes: 4c58063d4258 ("soc: rockchip: add driver handling grf setup")
    Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
    Link: https://lore.kernel.org/r/20220516072013.19731-1-linmq006@gmail.com
    Signed-off-by: Heiko Stuebner <heiko@sntech.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit d7b69816ddeb7cecdd0543a89e844d6577951eb4
Author: Guilherme G. Piccoli <gpiccoli@igalia.com>
Date:   Wed Apr 27 19:49:03 2022 -0300

    coresight: cpu-debug: Replace mutex with mutex_trylock on panic notifier
    
    [ Upstream commit 1adff542d67a2ed1120955cb219bfff8a9c53f59 ]
    
    The panic notifier infrastructure executes registered callbacks when
    a panic event happens - such callbacks are executed in atomic context,
    with interrupts and preemption disabled in the running CPU and all other
    CPUs disabled. That said, mutexes in such context are not a good idea.
    
    This patch replaces a regular mutex with a mutex_trylock safer approach;
    given the nature of the mutex used in the driver, it should be pretty
    uncommon being unable to acquire such mutex in the panic path, hence
    no functional change should be observed (and if it is, that would be
    likely a deadlock with the regular mutex).
    
    Fixes: 2227b7c74634 ("coresight: add support for CPU debug module")
    Cc: Leo Yan <leo.yan@linaro.org>
    Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
    Cc: Mike Leach <mike.leach@linaro.org>
    Cc: Suzuki K Poulose <suzuki.poulose@arm.com>
    Signed-off-by: Guilherme G. Piccoli <gpiccoli@igalia.com>
    Reviewed-by: Suzuki K Poulose <suzuki.poulose@arm.com>
    Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
    Link: https://lore.kernel.org/r/20220427224924.592546-10-gpiccoli@igalia.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit e14ad3b4a6ab694fd2d57f4e8519d5359863f241
Author: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Date:   Sat Apr 23 11:39:32 2022 +0200

    rpmsg: qcom_smd: Fix returning 0 if irq_of_parse_and_map() fails
    
    [ Upstream commit 59d6f72f6f9c92fec8757d9e29527da828e9281f ]
    
    irq_of_parse_and_map() returns 0 on failure, so this should not be
    passed further as error return code.
    
    Fixes: 1a358d350664 ("rpmsg: qcom_smd: Fix irq_of_parse_and_map() return value")
    Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
    Link: https://lore.kernel.org/r/20220423093932.32136-1-krzysztof.kozlowski@linaro.org
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 5bf901f841306bae8f19515db9c3c56851474220
Author: Cixi Geng <cixi.geng1@unisoc.com>
Date:   Tue Apr 19 22:24:53 2022 +0800

    iio: adc: sc27xx: fix read big scale voltage not right
    
    [ Upstream commit ad930a75613282400179361e220e58b87386b8c7 ]
    
    Fix wrong configuration value of SC27XX_ADC_SCALE_MASK and
    SC27XX_ADC_SCALE_SHIFT by spec documetation.
    
    Fixes: 5df362a6cf49c (iio: adc: Add Spreadtrum SC27XX PMICs ADC support)
    Signed-off-by: Cixi Geng <cixi.geng1@unisoc.com>
    Reviewed-by: Baolin Wang <baolin.wang7@gmail.com>
    Link: https://lore.kernel.org/r/20220419142458.884933-3-gengcixi@gmail.com
    Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a307df3bfa8dcd800b4dad2a7aa4896737663f12
Author: Zheng Yongjun <zhengyongjun3@huawei.com>
Date:   Fri Apr 22 06:26:52 2022 +0000

    usb: dwc3: pci: Fix pm_runtime_get_sync() error checking
    
    [ Upstream commit a03e2ddab8e735e2cc315609b297b300e9cc60d2 ]
    
    If the device is already in a runtime PM enabled state
    pm_runtime_get_sync() will return 1, so a test for negative
    value should be used to check for errors.
    
    Fixes: 8eed00b237a28 ("usb: dwc3: pci: Runtime resume child device from wq")
    Signed-off-by: Zheng Yongjun <zhengyongjun3@huawei.com>
    Link: https://lore.kernel.org/r/20220422062652.10575-1-zhengyongjun3@huawei.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 691376fedbe0237737bdff064a08c6bf04c2666a
Author: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Date:   Fri Apr 22 12:53:26 2022 +0200

    rpmsg: qcom_smd: Fix irq_of_parse_and_map() return value
    
    [ Upstream commit 1a358d35066487d228a68303d808bc4721c6b1b9 ]
    
    The irq_of_parse_and_map() returns 0 on failure, not a negative ERRNO.
    
    Fixes: 53e2822e56c7 ("rpmsg: Introduce Qualcomm SMD backend")
    Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
    Link: https://lore.kernel.org/r/20220422105326.78713-1-krzysztof.kozlowski@linaro.org
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit b52fcabe61a72e60175784a681624573cebf1767
Author: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Date:   Fri Apr 8 17:22:38 2022 +0200

    pwm: lp3943: Fix duty calculation in case period was clamped
    
    [ Upstream commit 5e3b07ca5cc78cd4a987e78446849e41288d87cb ]
    
    The hardware only supports periods <= 1.6 ms and if a bigger period is
    requested it is clamped to 1.6 ms. In this case duty_cycle might be bigger
    than 1.6 ms and then the duty cycle register is written with a value
    bigger than LP3943_MAX_DUTY. So clamp duty_cycle accordingly.
    
    Fixes: af66b3c0934e ("pwm: Add LP3943 PWM driver")
    Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 26fcef8efd7e1a3229e13b1b64447e0591851858
Author: Miaoqian Lin <linmq006@gmail.com>
Date:   Wed Mar 9 11:10:33 2022 +0000

    usb: musb: Fix missing of_node_put() in omap2430_probe
    
    [ Upstream commit 424bef51fa530389b0b9008c9e144e40c10e8458 ]
    
    The device_node pointer is returned by of_parse_phandle() with refcount
    incremented. We should use of_node_put() on it when done.
    
    Fixes: 8934d3e4d0e7 ("usb: musb: omap2430: Don't use omap_get_control_dev()")
    Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
    Link: https://lore.kernel.org/r/20220309111033.24487-1-linmq006@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit af49742c5496829da382d134f54f64764299e1af
Author: Lin Ma <linma@zju.edu.cn>
Date:   Tue Apr 12 22:43:59 2022 +0800

    USB: storage: karma: fix rio_karma_init return
    
    [ Upstream commit b92ffb1eddd9a66a90defc556dcbf65a43c196c7 ]
    
    The function rio_karam_init() should return -ENOMEM instead of
    value 0 (USB_STOR_TRANSPORT_GOOD) when allocation fails.
    
    Similarly, it should return -EIO when rio_karma_send_command() fails.
    
    Fixes: dfe0d3ba20e8 ("USB Storage: add rio karma eject support")
    Acked-by: Alan Stern <stern@rowland.harvard.edu>
    Signed-off-by: Lin Ma <linma@zju.edu.cn>
    Link: https://lore.kernel.org/r/20220412144359.28447-1-linma@zju.edu.cn
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit c6c8c9367c91859525a41703bee7b3fe834128d1
Author: Niels Dossche <dossche.niels@gmail.com>
Date:   Tue Apr 12 18:50:55 2022 +0200

    usb: usbip: add missing device lock on tweak configuration cmd
    
    [ Upstream commit d088fabace2ca337b275d1d4b36db4fe7771e44f ]
    
    The function documentation of usb_set_configuration says that its
    callers should hold the device lock. This lock is held for all
    callsites except tweak_set_configuration_cmd. The code path can be
    executed for example when attaching a remote USB device.
    The solution is to surround the call by the device lock.
    
    This bug was found using my experimental own-developed static analysis
    tool, which reported the missing lock on v5.17.2. I manually verified
    this bug report by doing code review as well. I runtime checked that
    the required lock is not held. I compiled and runtime tested this on
    x86_64 with a USB mouse. After applying this patch, my analyser no
    longer reports this potential bug.
    
    Fixes: 2c8c98158946 ("staging: usbip: let client choose device configuration")
    Reviewed-by: Shuah Khan <skhan@linuxfoundation.org>
    Signed-off-by: Niels Dossche <dossche.niels@gmail.com>
    Link: https://lore.kernel.org/r/20220412165055.257113-1-dossche.niels@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 247d3809e45a34d9e1a3a2bb7012e31ed8b46031
Author: Hangyu Hua <hbh25y@gmail.com>
Date:   Tue Apr 12 10:02:57 2022 +0800

    usb: usbip: fix a refcount leak in stub_probe()
    
    [ Upstream commit 9ec4cbf1cc55d126759051acfe328d489c5d6e60 ]
    
    usb_get_dev() is called in stub_device_alloc(). When stub_probe() fails
    after that, usb_put_dev() needs to be called to release the reference.
    
    Fix this by moving usb_put_dev() to sdev_free error path handling.
    
    Find this by code review.
    
    Fixes: 3ff67445750a ("usbip: fix error handling in stub_probe()")
    Reviewed-by: Shuah Khan <skhan@linuxfoundation.org>
    Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
    Link: https://lore.kernel.org/r/20220412020257.9767-1-hbh25y@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 326192b99c903a2193d820c30ed936cc2402382c
Author: Wang Weiyang <wangweiyang2@huawei.com>
Date:   Mon Mar 28 19:58:44 2022 +0800

    tty: goldfish: Use tty_port_destroy() to destroy port
    
    [ Upstream commit 507b05063d1b7a1fcb9f7d7c47586fc4f3508f98 ]
    
    In goldfish_tty_probe(), the port initialized through tty_port_init()
    should be destroyed in error paths.In goldfish_tty_remove(), qtty->port
    also should be destroyed or else might leak resources.
    
    Fix the above by calling tty_port_destroy().
    
    Fixes: 666b7793d4bf ("goldfish: tty driver")
    Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
    Signed-off-by: Wang Weiyang <wangweiyang2@huawei.com>
    Link: https://lore.kernel.org/r/20220328115844.86032-1-wangweiyang2@huawei.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 25a1062836a8122e390b554f8494b28447103169
Author: Jakob Koschel <jakobkoschel@gmail.com>
Date:   Mon Mar 21 13:36:26 2022 +0100

    staging: greybus: codecs: fix type confusion of list iterator variable
    
    [ Upstream commit 84ef256550196bc06e6849a34224c998b45bd557 ]
    
    If the list does not exit early then data == NULL and 'module' does not
    point to a valid list element.
    Using 'module' in such a case is not valid and was therefore removed.
    
    Fixes: 6dd67645f22c ("greybus: audio: Use single codec driver registration")
    Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
    Reviewed-by: Vaibhav Agarwal <vaibhav.sr@gmail.com>
    Reviewed-by: Mark Greer <mgreer@animalcreek.com>
    Signed-off-by: Jakob Koschel <jakobkoschel@gmail.com>
    Link: https://lore.kernel.org/r/20220321123626.3068639-1-jakobkoschel@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a88f0ec363847332324ce98ebaf85d607b80b8a4
Author: Randy Dunlap <rdunlap@infradead.org>
Date:   Sun Jan 23 09:40:31 2022 -0800

    pcmcia: db1xxx_ss: restrict to MIPS_DB1XXX boards
    
    [ Upstream commit 3928cf08334ed895a31458cbebd8d4ec6d84c080 ]
    
    When the MIPS_ALCHEMY board selection is MIPS_XXS1500 instead of
    MIPS_DB1XXX, the PCMCIA driver 'db1xxx_ss' has build errors due
    to missing DB1XXX symbols. The PCMCIA driver should be restricted
    to MIPS_DB1XXX instead of MIPS_ALCHEMY to fix this build error.
    
    ERROR: modpost: "bcsr_read" [drivers/pcmcia/db1xxx_ss.ko] undefined!
    ERROR: modpost: "bcsr_mod" [drivers/pcmcia/db1xxx_ss.ko] undefined!
    
    Fixes: 42a4f17dc356 ("MIPS: Alchemy: remove SOC_AU1X00 in favor of MIPS_ALCHEMY")
    Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
    Reported-by: kernel test robot <lkp@intel.com>
    Cc: Arnd Bergmann <arnd@arndb.de>
    Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
    Cc: Kees Cook <keescook@chromium.org>
    Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
    Cc: linux-mips@vger.kernel.org
    Acked-by: Manuel Lauss <manuel.lauss@gmail.com>
    Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit fd6a0d88e31498c8c0ad15dcde860b2d37acef70
Author: Jia-Ju Bai <baijiaju1990@gmail.com>
Date:   Fri May 27 23:28:18 2022 +0800

    md: bcache: check the return value of kzalloc() in detached_dev_do_request()
    
    commit 40f567bbb3b0639d2ec7d1c6ad4b1b018f80cf19 upstream.
    
    The function kzalloc() in detached_dev_do_request() can fail, so its
    return value should be checked.
    
    Fixes: bc082a55d25c ("bcache: fix inaccurate io state for detached bcache devices")
    Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
    Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
    Signed-off-by: Coly Li <colyli@suse.de>
    Link: https://lore.kernel.org/r/20220527152818.27545-4-colyli@suse.de
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0e1afd004f1a80be87d8c690cb36fc9d3b0ae472
Author: Maciej W. Rozycki <macro@orcam.me.uk>
Date:   Sun May 1 23:14:16 2022 +0100

    MIPS: IP27: Remove incorrect `cpu_has_fpu' override
    
    commit 424c3781dd1cb401857585331eaaa425a13f2429 upstream.
    
    Remove unsupported forcing of `cpu_has_fpu' to 1, which makes the `nofpu'
    kernel parameter non-functional, and also causes a link error:
    
    ld: arch/mips/kernel/traps.o: in function `trap_init':
    ./arch/mips/include/asm/msa.h:(.init.text+0x348): undefined reference to `handle_fpe'
    ld: ./arch/mips/include/asm/msa.h:(.init.text+0x354): undefined reference to `handle_fpe'
    ld: ./arch/mips/include/asm/msa.h:(.init.text+0x360): undefined reference to `handle_fpe'
    
    where the CONFIG_MIPS_FP_SUPPORT configuration option has been disabled.
    
    Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
    Reported-by: Stephen Zhang <starzhangzsd@gmail.com>
    Fixes: 0ebb2f4159af ("MIPS: IP27: Update/restructure CPU overrides")
    Cc: stable@vger.kernel.org # v4.2+
    Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b2269f16b4932d36d25490ebbbd270421ca3d116
Author: Xiao Yang <yangx.jy@fujitsu.com>
Date:   Sun Apr 10 19:35:13 2022 +0800

    RDMA/rxe: Generate a completion for unsupported/invalid opcode
    
    commit 2f917af777011c88e977b9b9a5d00b280d3a59ce upstream.
    
    Current rxe_requester() doesn't generate a completion when processing an
    unsupported/invalid opcode. If rxe driver doesn't support a new opcode
    (e.g. RDMA Atomic Write) and RDMA library supports it, an application
    using the new opcode can reproduce this issue. Fix the issue by calling
    "goto err;".
    
    Fixes: 8700e3e7c485 ("Soft RoCE driver")
    Link: https://lore.kernel.org/r/20220410113513.27537-1-yangx.jy@fujitsu.com
    Signed-off-by: Xiao Yang <yangx.jy@fujitsu.com>
    Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a39d9eccb333b8c07c43ebea1c6dfda122378a0f
Author: Johan Hovold <johan+linaro@kernel.org>
Date:   Wed Apr 27 08:32:42 2022 +0200

    phy: qcom-qmp: fix reset-controller leak on probe errors
    
    commit 4d2900f20edfe541f75756a00deeb2ffe7c66bc1 upstream.
    
    Make sure to release the lane reset controller in case of a late probe
    error (e.g. probe deferral).
    
    Note that due to the reset controller being defined in devicetree in
    "lane" child nodes, devm_reset_control_get_exclusive() cannot be used
    directly.
    
    Fixes: e78f3d15e115 ("phy: qcom-qmp: new qmp phy driver for qcom-chipsets")
    Cc: stable@vger.kernel.org      # 4.12
    Cc: Vivek Gautam <vivek.gautam@codeaurora.org>
    Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de>
    Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
    Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
    Link: https://lore.kernel.org/r/20220427063243.32576-3-johan+linaro@kernel.org
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 515d077ee3085ae343b6bea7fd031f9906645f38
Author: Tejun Heo <tj@kernel.org>
Date:   Fri May 13 20:55:45 2022 -1000

    blk-iolatency: Fix inflight count imbalances and IO hangs on offline
    
    commit 8a177a36da6c54c98b8685d4f914cb3637d53c0d upstream.
    
    iolatency needs to track the number of inflight IOs per cgroup. As this
    tracking can be expensive, it is disabled when no cgroup has iolatency
    configured for the device. To ensure that the inflight counters stay
    balanced, iolatency_set_limit() freezes the request_queue while manipulating
    the enabled counter, which ensures that no IO is in flight and thus all
    counters are zero.
    
    Unfortunately, iolatency_set_limit() isn't the only place where the enabled
    counter is manipulated. iolatency_pd_offline() can also dec the counter and
    trigger disabling. As this disabling happens without freezing the q, this
    can easily happen while some IOs are in flight and thus leak the counts.
    
    This can be easily demonstrated by turning on iolatency on an one empty
    cgroup while IOs are in flight in other cgroups and then removing the
    cgroup. Note that iolatency shouldn't have been enabled elsewhere in the
    system to ensure that removing the cgroup disables iolatency for the whole
    device.
    
    The following keeps flipping on and off iolatency on sda:
    
      echo +io > /sys/fs/cgroup/cgroup.subtree_control
      while true; do
          mkdir -p /sys/fs/cgroup/test
          echo '8:0 target=100000' > /sys/fs/cgroup/test/io.latency
          sleep 1
          rmdir /sys/fs/cgroup/test
          sleep 1
      done
    
    and there's concurrent fio generating direct rand reads:
    
      fio --name test --filename=/dev/sda --direct=1 --rw=randread \
          --runtime=600 --time_based --iodepth=256 --numjobs=4 --bs=4k
    
    while monitoring with the following drgn script:
    
      while True:
        for css in css_for_each_descendant_pre(prog['blkcg_root'].css.address_of_()):
            for pos in hlist_for_each(container_of(css, 'struct blkcg', 'css').blkg_list):
                blkg = container_of(pos, 'struct blkcg_gq', 'blkcg_node')
                pd = blkg.pd[prog['blkcg_policy_iolatency'].plid]
                if pd.value_() == 0:
                    continue
                iolat = container_of(pd, 'struct iolatency_grp', 'pd')
                inflight = iolat.rq_wait.inflight.counter.value_()
                if inflight:
                    print(f'inflight={inflight} {disk_name(blkg.q.disk).decode("utf-8")} '
                          f'{cgroup_path(css.cgroup).decode("utf-8")}')
        time.sleep(1)
    
    The monitoring output looks like the following:
    
      inflight=1 sda /user.slice
      inflight=1 sda /user.slice
      ...
      inflight=14 sda /user.slice
      inflight=13 sda /user.slice
      inflight=17 sda /user.slice
      inflight=15 sda /user.slice
      inflight=18 sda /user.slice
      inflight=17 sda /user.slice
      inflight=20 sda /user.slice
      inflight=19 sda /user.slice <- fio stopped, inflight stuck at 19
      inflight=19 sda /user.slice
      inflight=19 sda /user.slice
    
    If a cgroup with stuck inflight ends up getting throttled, the throttled IOs
    will never get issued as there's no completion event to wake it up leading
    to an indefinite hang.
    
    This patch fixes the bug by unifying enable handling into a work item which
    is automatically kicked off from iolatency_set_min_lat_nsec() which is
    called from both iolatency_set_limit() and iolatency_pd_offline() paths.
    Punting to a work item is necessary as iolatency_pd_offline() is called
    under spinlocks while freezing a request_queue requires a sleepable context.
    
    This also simplifies the code reducing LOC sans the comments and avoids the
    unnecessary freezes which were happening whenever a cgroup's latency target
    is newly set or cleared.
    
    Signed-off-by: Tejun Heo <tj@kernel.org>
    Cc: Josef Bacik <josef@toxicpanda.com>
    Cc: Liu Bo <bo.liu@linux.alibaba.com>
    Fixes: 8c772a9bfc7c ("blk-iolatency: fix IO hang due to negative inflight counter")
    Cc: stable@vger.kernel.org # v5.0+
    Link: https://lore.kernel.org/r/Yn9ScX6Nx2qIiQQi@slm.duckdns.org
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7d34b700640c14a487d6efb925c738d790107755
Author: Dinh Nguyen <dinguyen@kernel.org>
Date:   Wed May 11 12:54:46 2022 -0500

    dt-bindings: gpio: altera: correct interrupt-cells
    
    commit 3a21c3ac93aff7b4522b152399df8f6a041df56d upstream.
    
    update documentation to correctly state the interrupt-cells to be 2.
    
    Cc: stable@vger.kernel.org
    Fixes: 4fd9bbc6e071 ("drivers/gpio: Altera soft IP GPIO driver devicetree binding")
    Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8c547cac6848e039eff6aa70db3605a69a12490c
Author: Akira Yokosawa <akiyks@gmail.com>
Date:   Wed Jun 1 23:34:06 2022 +0900

    docs/conf.py: Cope with removal of language=None in Sphinx 5.0.0
    
    commit 627f01eab93d8671d4e4afee9b148f9998d20e7c upstream.
    
    One of the changes in Sphinx 5.0.0 [1] says [sic]:
    
        5.0.0 final
    
         - #10474: language does not accept None as it value.
           The default value of language becomes to 'en' now.
    
    [1]: https://www.sphinx-doc.org/en/master/changes.html#release-5-0-0-released-may-30-2022
    
    It results in a new warning from Sphinx 5.0.0 [sic]:
    
        WARNING: Invalid configuration value found: 'language = None'.
        Update your configuration to a valid langauge code. Falling
        back to 'en' (English).
    
    Silence the warning by using 'en'.
    It works with all the Sphinx versions required for building
    kernel documentation (1.7.9 or later).
    
    Signed-off-by: Akira Yokosawa <akiyks@gmail.com>
    Link: https://lore.kernel.org/r/bd0c2ddc-2401-03cb-4526-79ca664e1cbe@gmail.com
    Cc: stable@vger.kernel.org
    Signed-off-by: Jonathan Corbet <corbet@lwn.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 621a4bcfb7aa031e7760d7b156bad7a45df58387
Author: Johan Hovold <johan+linaro@kernel.org>
Date:   Wed Apr 27 08:32:41 2022 +0200

    phy: qcom-qmp: fix struct clk leak on probe errors
    
    commit f0a4bc38a12f5a0cc5ad68670d9480e91e6a94df upstream.
    
    Make sure to release the pipe clock reference in case of a late probe
    error (e.g. probe deferral).
    
    Fixes: e78f3d15e115 ("phy: qcom-qmp: new qmp phy driver for qcom-chipsets")
    Cc: stable@vger.kernel.org      # 4.12
    Cc: Vivek Gautam <vivek.gautam@codeaurora.org>
    Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
    Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
    Link: https://lore.kernel.org/r/20220427063243.32576-2-johan+linaro@kernel.org
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit baf9709e88ab95a76f2a80bd2b409611cb57cc3a
Author: Kathiravan T <quic_kathirav@quicinc.com>
Date:   Fri Feb 11 17:44:15 2022 +0530

    arm64: dts: qcom: ipq8074: fix the sleep clock frequency
    
    commit f607dd767f5d6800ffbdce5b99ba81763b023781 upstream.
    
    Sleep clock frequency should be 32768Hz. Lets fix it.
    
    Cc: stable@vger.kernel.org
    Fixes: 41dac73e243d ("arm64: dts: Add ipq8074 SoC and HK01 board support")
    Link: https://lore.kernel.org/all/e2a447f8-6024-0369-f698-2027b6edcf9e@codeaurora.org/
    Signed-off-by: Kathiravan T <quic_kathirav@quicinc.com>
    Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
    Link: https://lore.kernel.org/r/1644581655-11568-1-git-send-email-quic_kathirav@quicinc.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4c10e7febe28e2b88eea8d7ae91c6f12fdef4aac
Author: Xiaomeng Tong <xiam0nd.tong@gmail.com>
Date:   Sun Mar 27 13:20:28 2022 +0800

    gma500: fix an incorrect NULL check on list iterator
    
    commit bdef417d84536715145f6dc9cc3275c46f26295a upstream.
    
    The bug is here:
            return crtc;
    
    The list iterator value 'crtc' will *always* be set and non-NULL by
    list_for_each_entry(), so it is incorrect to assume that the iterator
    value will be NULL if the list is empty or no element is found.
    
    To fix the bug, return 'crtc' when found, otherwise return NULL.
    
    Cc: stable@vger.kernel.org
    fixes: 89c78134cc54d ("gma500: Add Poulsbo support")
    Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
    Signed-off-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20220327052028.2013-1-xiam0nd.tong@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 06f86d4d3f6398948b95485cc1e201265ad161fe
Author: Xiaomeng Tong <xiam0nd.tong@gmail.com>
Date:   Mon Mar 28 20:28:20 2022 +0800

    carl9170: tx: fix an incorrect use of list iterator
    
    commit 54a6f29522da3c914da30e50721dedf51046449a upstream.
    
    If the previous list_for_each_entry_continue_rcu() don't exit early
    (no goto hit inside the loop), the iterator 'cvif' after the loop
    will be a bogus pointer to an invalid structure object containing
    the HEAD (&ar->vif_list). As a result, the use of 'cvif' after that
    will lead to a invalid memory access (i.e., 'cvif->id': the invalid
    pointer dereference when return back to/after the callsite in the
    carl9170_update_beacon()).
    
    The original intention should have been to return the valid 'cvif'
    when found in list, NULL otherwise. So just return NULL when no
    entry found, to fix this bug.
    
    Cc: stable@vger.kernel.org
    Fixes: 1f1d9654e183c ("carl9170: refactor carl9170_update_beacon")
    Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
    Acked-by: Christian Lamparter <chunkeey@gmail.com>
    Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
    Link: https://lore.kernel.org/r/20220328122820.1004-1-xiam0nd.tong@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b7d6b18438a4602c64681d8b1c4a65925821e53f
Author: Mark Brown <broonie@kernel.org>
Date:   Thu Apr 28 17:24:44 2022 +0100

    ASoC: rt5514: Fix event generation for "DSP Voice Wake Up" control
    
    commit 4213ff556740bb45e2d9ff0f50d056c4e7dd0921 upstream.
    
    The driver has a custom put function for "DSP Voice Wake Up" which does
    not generate event notifications on change, instead returning 0. Since we
    already exit early in the case that there is no change this can be fixed
    by unconditionally returning 1 at the end of the function.
    
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/20220428162444.3883147-1-broonie@kernel.org
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9d5e96cc1f1720019ce27b127a31695148d38bb0
Author: Alexander Wetzel <alexander@wetzel-home.de>
Date:   Fri Apr 22 16:52:28 2022 +0200

    rtl818x: Prevent using not initialized queues
    
    commit 746285cf81dc19502ab238249d75f5990bd2d231 upstream.
    
    Using not existing queues can panic the kernel with rtl8180/rtl8185 cards.
    Ignore the skb priority for those cards, they only have one tx queue. Pierre
    Asselin (pa@panix.com) reported the kernel crash in the Gentoo forum:
    
    https://forums.gentoo.org/viewtopic-t-1147832-postdays-0-postorder-asc-start-25.html
    
    He also confirmed that this patch fixes the issue. In summary this happened:
    
    After updating wpa_supplicant from 2.9 to 2.10 the kernel crashed with a
    "divide error: 0000" when connecting to an AP. Control port tx now tries to
    use IEEE80211_AC_VO for the priority, which wpa_supplicants starts to use in
    2.10.
    
    Since only the rtl8187se part of the driver supports QoS, the priority
    of the skb is set to IEEE80211_AC_BE (2) by mac80211 for rtl8180/rtl8185
    cards.
    
    rtl8180 is then unconditionally reading out the priority and finally crashes on
    drivers/net/wireless/realtek/rtl818x/rtl8180/dev.c line 544 without this
    patch:
            idx = (ring->idx + skb_queue_len(&ring->queue)) % ring->entries
    
    "ring->entries" is zero for rtl8180/rtl8185 cards, tx_ring[2] never got
    initialized.
    
    Cc: stable@vger.kernel.org
    Reported-by: pa@panix.com
    Tested-by: pa@panix.com
    Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
    Signed-off-by: Kalle Valo <kvalo@kernel.org>
    Link: https://lore.kernel.org/r/20220422145228.7567-1-alexander@wetzel-home.de
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d2d0ecb944ee2636b1ac73e09a55b9bc668e9614
Author: Mike Kravetz <mike.kravetz@oracle.com>
Date:   Tue May 24 13:50:03 2022 -0700

    hugetlb: fix huge_pmd_unshare address update
    
    commit 48381273f8734d28ef56a5bdf1966dd8530111bc upstream.
    
    The routine huge_pmd_unshare() is passed a pointer to an address
    associated with an area which may be unshared.  If unshare is successful
    this address is updated to 'optimize' callers iterating over huge page
    addresses.  For the optimization to work correctly, address should be
    updated to the last huge page in the unmapped/unshared area.  However, in
    the common case where the passed address is PUD_SIZE aligned, the address
    is incorrectly updated to the address of the preceding huge page.  That
    wastes CPU cycles as the unmapped/unshared range is scanned twice.
    
    Link: https://lkml.kernel.org/r/20220524205003.126184-1-mike.kravetz@oracle.com
    Fixes: 39dde65c9940 ("shared page table for hugetlb page")
    Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
    Acked-by: Muchun Song <songmuchun@bytedance.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8d8681d07fc82557d09d9cdc177f9ed529d9a4d8
Author: Christophe de Dinechin <dinechin@redhat.com>
Date:   Thu Apr 14 17:08:54 2022 +0200

    nodemask.h: fix compilation error with GCC12
    
    commit 37462a920392cb86541650a6f4121155f11f1199 upstream.
    
    With gcc version 12.0.1 20220401 (Red Hat 12.0.1-0), building with
    defconfig results in the following compilation error:
    
    |   CC      mm/swapfile.o
    | mm/swapfile.c: In function `setup_swap_info':
    | mm/swapfile.c:2291:47: error: array subscript -1 is below array bounds
    |  of `struct plist_node[]' [-Werror=array-bounds]
    |  2291 |                                 p->avail_lists[i].prio = 1;
    |       |                                 ~~~~~~~~~~~~~~^~~
    | In file included from mm/swapfile.c:16:
    | ./include/linux/swap.h:292:27: note: while referencing `avail_lists'
    |   292 |         struct plist_node avail_lists[]; /*
    |       |                           ^~~~~~~~~~~
    
    This is due to the compiler detecting that the mask in
    node_states[__state] could theoretically be zero, which would lead to
    first_node() returning -1 through find_first_bit.
    
    I believe that the warning/error is legitimate.  I first tried adding a
    test to check that the node mask is not emtpy, since a similar test exists
    in the case where MAX_NUMNODES == 1.
    
    However, adding the if statement causes other warnings to appear in
    for_each_cpu_node_but, because it introduces a dangling else ambiguity.
    And unfortunately, GCC is not smart enough to detect that the added test
    makes the case where (node) == -1 impossible, so it still complains with
    the same message.
    
    This is why I settled on replacing that with a harmless, but relatively
    useless (node) >= 0 test.  Based on the warning for the dangling else, I
    also decided to fix the case where MAX_NUMNODES == 1 by moving the
    condition inside the for loop.  It will still only be tested once.  This
    ensures that the meaning of an else following for_each_node_mask or
    derivatives would not silently have a different meaning depending on the
    configuration.
    
    Link: https://lkml.kernel.org/r/20220414150855.2407137-3-dinechin@redhat.com
    Signed-off-by: Christophe de Dinechin <christophe@dinechin.org>
    Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
    Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
    Cc: Ben Segall <bsegall@google.com>
    Cc: "Michael S. Tsirkin" <mst@redhat.com>
    Cc: Steven Rostedt <rostedt@goodmis.org>
    Cc: Ingo Molnar <mingo@redhat.com>
    Cc: Mel Gorman <mgorman@suse.de>
    Cc: Dietmar Eggemann <dietmar.eggemann@arm.com>
    Cc: Vincent Guittot <vincent.guittot@linaro.org>
    Cc: Paolo Bonzini <pbonzini@redhat.com>
    Cc: Daniel Bristot de Oliveira <bristot@redhat.com>
    Cc: Jason Wang <jasowang@redhat.com>
    Cc: Zhen Lei <thunder.leizhen@huawei.com>
    Cc: Juri Lelli <juri.lelli@redhat.com>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d2090daa76ecded88372481b970312298826eed3
Author: Xiaomeng Tong <xiam0nd.tong@gmail.com>
Date:   Sun May 1 21:28:23 2022 +0800

    iommu/msm: Fix an incorrect NULL check on list iterator
    
    commit 8b9ad480bd1dd25f4ff4854af5685fa334a2f57a upstream.
    
    The bug is here:
            if (!iommu || iommu->dev->of_node != spec->np) {
    
    The list iterator value 'iommu' will *always* be set and non-NULL by
    list_for_each_entry(), so it is incorrect to assume that the iterator
    value will be NULL if the list is empty or no element is found (in fact,
    it will point to a invalid structure object containing HEAD).
    
    To fix the bug, use a new value 'iter' as the list iterator, while use
    the old value 'iommu' as a dedicated variable to point to the found one,
    and remove the unneeded check for 'iommu->dev->of_node != spec->np'
    outside the loop.
    
    Cc: stable@vger.kernel.org
    Fixes: f78ebca8ff3d6 ("iommu/msm: Add support for generic master bindings")
    Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
    Link: https://lore.kernel.org/r/20220501132823.12714-1-xiam0nd.tong@gmail.com
    Signed-off-by: Joerg Roedel <jroedel@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3549ab4b962cf619e8c55484a0d870a34b3f845f
Author: Vincent Whitchurch <vincent.whitchurch@axis.com>
Date:   Mon May 23 16:04:03 2022 +0200

    um: Fix out-of-bounds read in LDT setup
    
    commit 2a4a62a14be1947fa945c5c11ebf67326381a568 upstream.
    
    syscall_stub_data() expects the data_count parameter to be the number of
    longs, not bytes.
    
     ==================================================================
     BUG: KASAN: stack-out-of-bounds in syscall_stub_data+0x70/0xe0
     Read of size 128 at addr 000000006411f6f0 by task swapper/1
    
     CPU: 0 PID: 1 Comm: swapper Not tainted 5.18.0+ #18
     Call Trace:
      show_stack.cold+0x166/0x2a7
      __dump_stack+0x3a/0x43
      dump_stack_lvl+0x1f/0x27
      print_report.cold+0xdb/0xf81
      kasan_report+0x119/0x1f0
      kasan_check_range+0x3a3/0x440
      memcpy+0x52/0x140
      syscall_stub_data+0x70/0xe0
      write_ldt_entry+0xac/0x190
      init_new_ldt+0x515/0x960
      init_new_context+0x2c4/0x4d0
      mm_init.constprop.0+0x5ed/0x760
      mm_alloc+0x118/0x170
      0x60033f48
      do_one_initcall+0x1d7/0x860
      0x60003e7b
      kernel_init+0x6e/0x3d4
      new_thread_handler+0x1e7/0x2c0
    
     The buggy address belongs to stack of task swapper/1
      and is located at offset 64 in frame:
      init_new_ldt+0x0/0x960
    
     This frame has 2 objects:
      [32, 40) 'addr'
      [64, 80) 'desc'
     ==================================================================
    
    Fixes: 858259cf7d1c443c83 ("uml: maintain own LDT entries")
    Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Richard Weinberger <richard@nod.at>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f8dddfcdbc46796ef469031ef4182669a6dd3919
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Fri May 20 19:45:36 2022 +0200

    um: chan_user: Fix winch_tramp() return value
    
    commit 57ae0b67b747031bc41fb44643aa5344ab58607e upstream.
    
    The previous fix here was only partially correct, it did
    result in returning a proper error value in case of error,
    but it also clobbered the pid that we need to return from
    this function (not just zero for success).
    
    As a result, it returned 0 here, but later this is treated
    as a pid and used to kill the process, but since it's now
    0 we kill(0, SIGKILL), which makes UML kill itself rather
    than just the helper thread.
    
    Fix that and make it more obvious by using a separate
    variable for the pid.
    
    Fixes: ccf1236ecac4 ("um: fix error return code in winch_tramp()")
    Reported-and-tested-by: Nathan Chancellor <nathan@kernel.org>
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Richard Weinberger <richard@nod.at>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d766673961c57c8b2e97c41451306b1bca452135
Author: Felix Fietkau <nbd@nbd.name>
Date:   Wed Apr 20 12:49:07 2022 +0200

    mac80211: upgrade passive scan to active scan on DFS channels after beacon rx
    
    commit b041b7b9de6e1d4362de855ab90f9d03ef323edd upstream.
    
    In client mode, we can't connect to hidden SSID APs or SSIDs not advertised
    in beacons on DFS channels, since we're forced to passive scan. Fix this by
    sending out a probe request immediately after the first beacon, if active
    scan was requested by the user.
    
    Cc: stable@vger.kernel.org
    Reported-by: Catrinel Catrinescu <cc@80211.de>
    Signed-off-by: Felix Fietkau <nbd@nbd.name>
    Link: https://lore.kernel.org/r/20220420104907.36275-1-nbd@nbd.name
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3d9e584223dcc62a0a97d59fb7c57641bb08ed20
Author: Max Filippov <jcmvbkbc@gmail.com>
Date:   Tue Apr 26 09:01:18 2022 -0700

    irqchip: irq-xtensa-mx: fix initial IRQ affinity
    
    commit a255ee29252066d621df5d6b420bf534c6ba5bc0 upstream.
    
    When irq-xtensa-mx chip is used in non-SMP configuration its
    irq_set_affinity callback is not called leaving IRQ affinity set empty.
    As a result IRQ delivery does not work in that configuration.
    Initialize IRQ affinity of the xtensa MX interrupt distributor to CPU 0
    for all external IRQ lines.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 80c7e8487db94c19fcca3ad968d8cd363117cd3f
Author: Pali Rohár <pali@kernel.org>
Date:   Mon Apr 25 13:37:05 2022 +0200

    irqchip/armada-370-xp: Do not touch Performance Counter Overflow on A375, A38x, A39x
    
    commit a3d66a76348daf559873f19afc912a2a7c2ccdaf upstream.
    
    Register ARMADA_370_XP_INT_FABRIC_MASK_OFFS is Armada 370 and XP specific
    and on new Armada platforms it has different meaning. It does not configure
    Performance Counter Overflow interrupt masking. So do not touch this
    register on non-A370/XP platforms (A375, A38x and A39x).
    
    Signed-off-by: Pali Rohár <pali@kernel.org>
    Cc: stable@vger.kernel.org
    Fixes: 28da06dfd9e4 ("irqchip: armada-370-xp: Enable the PMU interrupts")
    Reviewed-by: Andrew Lunn <andrew@lunn.ch>
    Signed-off-by: Marc Zyngier <maz@kernel.org>
    Link: https://lore.kernel.org/r/20220425113706.29310-1-pali@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 79c164e61f818054cd6012e9035701840d895c51
Author: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
Date:   Fri May 20 14:37:12 2022 -0400

    RDMA/hfi1: Fix potential integer multiplication overflow errors
    
    commit f93e91a0372c922c20d5bee260b0f43b4b8a1bee upstream.
    
    When multiplying of different types, an overflow is possible even when
    storing the result in a larger type. This is because the conversion is
    done after the multiplication. So arithmetic overflow and thus in
    incorrect value is possible.
    
    Correct an instance of this in the inter packet delay calculation.  Fix by
    ensuring one of the operands is u64 which will promote the other to u64 as
    well ensuring no overflow.
    
    Cc: stable@vger.kernel.org
    Fixes: 7724105686e7 ("IB/hfi1: add driver files")
    Link: https://lore.kernel.org/r/20220520183712.48973.29855.stgit@awfm-01.cornelisnetworks.com
    Reviewed-by: Mike Marciniszyn <mike.marciniszyn@cornelisnetworks.com>
    Signed-off-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
    Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7deceef069ce452512ba21d2ed6e152de40bb10f
Author: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Date:   Wed Apr 6 21:23:43 2022 +0100

    media: coda: Add more H264 levels for CODA960
    
    commit eb2fd187abc878a2dfad46902becb74963473c7d upstream.
    
    Add H264 level 1.0, 4.1, 4.2 to the list of supported formats.
    While the hardware does not fully support these levels, it does support
    most of them. The constraints on frame size and pixel formats already
    cover the limitation.
    
    This fixes negotiation of level on GStreamer 1.17.1.
    
    Cc: stable@vger.kernel.org
    Fixes: 42a68012e67c2 ("media: coda: add read-only h.264 decoder profile/level controls")
    Suggested-by: Philipp Zabel <p.zabel@pengutronix.de>
    Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
    Signed-off-by: Ezequiel Garcia <ezequiel@collabora.com>
    Signed-off-by: Fabio Estevam <festevam@denx.de>
    Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de>
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 292436d099f2a08b867d8c2c5102fd54efefab1c
Author: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Date:   Wed Apr 6 21:23:42 2022 +0100

    media: coda: Fix reported H264 profile
    
    commit 7110c08ea71953a7fc342f0b76046f72442cf26c upstream.
    
    The CODA960 manual states that ASO/FMO features of baseline are not
    supported, so for this reason this driver should only report
    constrained baseline support.
    
    This fixes negotiation issue with constrained baseline content
    on GStreamer 1.17.1.
    
    ASO/FMO features are unsupported for the encoder and untested for the
    decoder because there is currently no userspace support. Neither GStreamer
    parsers nor FFMPEG parsers support ASO/FMO.
    
    Cc: stable@vger.kernel.org
    Fixes: 42a68012e67c2 ("media: coda: add read-only h.264 decoder profile/level controls")
    Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
    Signed-off-by: Ezequiel Garcia <ezequiel@collabora.com>
    Tested-by: Pascal Speck <kernel@iktek.de>
    Signed-off-by: Fabio Estevam <festevam@denx.de>
    Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de>
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3a18aa6faa4c3b9b84d56188ac94099ba22a4f11
Author: Xiaomeng Tong <xiam0nd.tong@gmail.com>
Date:   Fri Apr 8 16:47:15 2022 +0800

    md: fix an incorrect NULL check in md_reload_sb
    
    commit 64c54d9244a4efe9bc6e9c98e13c4bbb8bb39083 upstream.
    
    The bug is here:
            if (!rdev || rdev->desc_nr != nr) {
    
    The list iterator value 'rdev' will *always* be set and non-NULL
    by rdev_for_each_rcu(), so it is incorrect to assume that the
    iterator value will be NULL if the list is empty or no element
    found (In fact, it will be a bogus pointer to an invalid struct
    object containing the HEAD). Otherwise it will bypass the check
    and lead to invalid memory access passing the check.
    
    To fix the bug, use a new variable 'iter' as the list iterator,
    while using the original variable 'pdev' as a dedicated pointer to
    point to the found element.
    
    Cc: stable@vger.kernel.org
    Fixes: 70bcecdb1534 ("md-cluster: Improve md_reload_sb to be less error prone")
    Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
    Signed-off-by: Song Liu <song@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit fcb51189503b2f5a254910b85ad1b03295e09aab
Author: Xiaomeng Tong <xiam0nd.tong@gmail.com>
Date:   Fri Apr 8 16:37:28 2022 +0800

    md: fix an incorrect NULL check in does_sb_need_changing
    
    commit fc8738343eefc4ea8afb6122826dea48eacde514 upstream.
    
    The bug is here:
            if (!rdev)
    
    The list iterator value 'rdev' will *always* be set and non-NULL
    by rdev_for_each(), so it is incorrect to assume that the iterator
    value will be NULL if the list is empty or no element found.
    Otherwise it will bypass the NULL check and lead to invalid memory
    access passing the check.
    
    To fix the bug, use a new variable 'iter' as the list iterator,
    while using the original variable 'rdev' as a dedicated pointer to
    point to the found element.
    
    Cc: stable@vger.kernel.org
    Fixes: 2aa82191ac36 ("md-cluster: Perform a lazy update")
    Acked-by: Guoqing Jiang <guoqing.jiang@linux.dev>
    Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
    Acked-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
    Signed-off-by: Song Liu <song@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 97f35a4c66c6c4d8d1759476ab975f1a5a1bc47d
Author: Brian Norris <briannorris@chromium.org>
Date:   Tue Mar 1 18:11:38 2022 -0800

    drm/bridge: analogix_dp: Grab runtime PM reference for DP-AUX
    
    commit 8fb6c44fe8468f92ac7b8bbfcca4404a4e88645f upstream.
    
    If the display is not enable()d, then we aren't holding a runtime PM
    reference here. Thus, it's easy to accidentally cause a hang, if user
    space is poking around at /dev/drm_dp_aux0 at the "wrong" time.
    
    Let's get a runtime PM reference, and check that we "see" the panel.
    Don't force any panel power-up, etc., because that can be intrusive, and
    that's not what other drivers do (see
    drivers/gpu/drm/bridge/ti-sn65dsi86.c and
    drivers/gpu/drm/bridge/parade-ps8640.c.)
    
    Fixes: 0d97ad03f422 ("drm/bridge: analogix_dp: Remove duplicated code")
    Cc: <stable@vger.kernel.org>
    Cc: Tomeu Vizoso <tomeu.vizoso@collabora.com>
    Signed-off-by: Brian Norris <briannorris@chromium.org>
    Reviewed-by: Douglas Anderson <dianders@chromium.org>
    Signed-off-by: Douglas Anderson <dianders@chromium.org>
    Link: https://patchwork.freedesktop.org/patch/msgid/20220301181107.v4.1.I773a08785666ebb236917b0c8e6c05e3de471e75@changeid
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 64d8ad57c93460e6ff8d1c519af762bc5c66dfbb
Author: Xiaomeng Tong <xiam0nd.tong@gmail.com>
Date:   Sun Mar 27 15:58:24 2022 +0800

    drm/nouveau/clk: Fix an incorrect NULL check on list iterator
    
    commit 1c3b2a27def609473ed13b1cd668cb10deab49b4 upstream.
    
    The bug is here:
            if (nvkm_cstate_valid(clk, cstate, max_volt, clk->temp))
                    return cstate;
    
    The list iterator value 'cstate' will *always* be set and non-NULL
    by list_for_each_entry_from_reverse(), so it is incorrect to assume
    that the iterator value will be unchanged if the list is empty or no
    element is found (In fact, it will be a bogus pointer to an invalid
    structure object containing the HEAD). Also it missed a NULL check
    at callsite and may lead to invalid memory access after that.
    
    To fix this bug, just return 'encoder' when found, otherwise return
    NULL. And add the NULL check.
    
    Cc: stable@vger.kernel.org
    Fixes: 1f7f3d91ad38a ("drm/nouveau/clk: Respect voltage limits in nvkm_cstate_prog")
    Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
    Reviewed-by: Lyude Paul <lyude@redhat.com>
    Signed-off-by: Lyude Paul <lyude@redhat.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20220327075824.11806-1-xiam0nd.tong@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 15c3bcc9b5349d40207e5f8d4d799b8b4b7d13b8
Author: Dave Airlie <airlied@redhat.com>
Date:   Mon May 23 10:24:18 2022 +1000

    drm/amdgpu/cs: make commands with 0 chunks illegal behaviour.
    
    commit 31ab27b14daaa75541a415c6794d6f3567fea44a upstream.
    
    Submitting a cs with 0 chunks, causes an oops later, found trying
    to execute the wrong userspace driver.
    
    MESA_LOADER_DRIVER_OVERRIDE=v3d glxinfo
    
    [172536.665184] BUG: kernel NULL pointer dereference, address: 00000000000001d8
    [172536.665188] #PF: supervisor read access in kernel mode
    [172536.665189] #PF: error_code(0x0000) - not-present page
    [172536.665191] PGD 6712a0067 P4D 6712a0067 PUD 5af9ff067 PMD 0
    [172536.665195] Oops: 0000 [#1] SMP NOPTI
    [172536.665197] CPU: 7 PID: 2769838 Comm: glxinfo Tainted: P           O      5.10.81 #1-NixOS
    [172536.665199] Hardware name: To be filled by O.E.M. To be filled by O.E.M./CROSSHAIR V FORMULA-Z, BIOS 2201 03/23/2015
    [172536.665272] RIP: 0010:amdgpu_cs_ioctl+0x96/0x1ce0 [amdgpu]
    [172536.665274] Code: 75 18 00 00 4c 8b b2 88 00 00 00 8b 46 08 48 89 54 24 68 49 89 f7 4c 89 5c 24 60 31 d2 4c 89 74 24 30 85 c0 0f 85 c0 01 00 00 <48> 83 ba d8 01 00 00 00 48 8b b4 24 90 00 00 00 74 16 48 8b 46 10
    [172536.665276] RSP: 0018:ffffb47c0e81bbe0 EFLAGS: 00010246
    [172536.665277] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
    [172536.665278] RDX: 0000000000000000 RSI: ffffb47c0e81be28 RDI: ffffb47c0e81bd68
    [172536.665279] RBP: ffff936524080010 R08: 0000000000000000 R09: ffffb47c0e81be38
    [172536.665281] R10: ffff936524080010 R11: ffff936524080000 R12: ffffb47c0e81bc40
    [172536.665282] R13: ffffb47c0e81be28 R14: ffff9367bc410000 R15: ffffb47c0e81be28
    [172536.665283] FS:  00007fe35e05d740(0000) GS:ffff936c1edc0000(0000) knlGS:0000000000000000
    [172536.665284] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [172536.665286] CR2: 00000000000001d8 CR3: 0000000532e46000 CR4: 00000000000406e0
    [172536.665287] Call Trace:
    [172536.665322]  ? amdgpu_cs_find_mapping+0x110/0x110 [amdgpu]
    [172536.665332]  drm_ioctl_kernel+0xaa/0xf0 [drm]
    [172536.665338]  drm_ioctl+0x201/0x3b0 [drm]
    [172536.665369]  ? amdgpu_cs_find_mapping+0x110/0x110 [amdgpu]
    [172536.665372]  ? selinux_file_ioctl+0x135/0x230
    [172536.665399]  amdgpu_drm_ioctl+0x49/0x80 [amdgpu]
    [172536.665403]  __x64_sys_ioctl+0x83/0xb0
    [172536.665406]  do_syscall_64+0x33/0x40
    [172536.665409]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
    
    Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/2018
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    Cc: stable@vger.kernel.org
    Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c4b7675ad5d03ed4b599785406df8d66ecfb8962
Author: Manivannan Sadhasivam <mani@kernel.org>
Date:   Wed May 4 14:12:10 2022 +0530

    scsi: ufs: qcom: Add a readl() to make sure ref_clk gets enabled
    
    commit 8eecddfca30e1651dc1c74531ed5eef21dcce7e3 upstream.
    
    In ufs_qcom_dev_ref_clk_ctrl(), it was noted that the ref_clk needs to be
    stable for at least 1us. Even though there is wmb() to make sure the write
    gets "completed", there is no guarantee that the write actually reached the
    UFS device. There is a good chance that the write could be stored in a
    Write Buffer (WB). In that case, even though the CPU waits for 1us, the
    ref_clk might not be stable for that period.
    
    So lets do a readl() to make sure that the previous write has reached the
    UFS device before udelay().
    
    Also, the wmb() after writel_relaxed() is not really needed. Both writel()
    and readl() are ordered on all architectures and the CPU won't speculate
    instructions after readl() due to the in-built control dependency with read
    value on weakly ordered architectures. So it can be safely removed.
    
    Link: https://lore.kernel.org/r/20220504084212.11605-4-manivannan.sadhasivam@linaro.org
    Fixes: f06fcc7155dc ("scsi: ufs-qcom: add QUniPro hardware support and power optimizations")
    Cc: stable@vger.kernel.org
    Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
    Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 724bebc0a84936f8969c4bcbfe0786017edf52d4
Author: Xiaomeng Tong <xiam0nd.tong@gmail.com>
Date:   Thu Apr 14 12:02:31 2022 +0800

    scsi: dc395x: Fix a missing check on list iterator
    
    commit 036a45aa587a10fa2abbd50fbd0f6c4cfc44f69f upstream.
    
    The bug is here:
    
            p->target_id, p->target_lun);
    
    The list iterator 'p' will point to a bogus position containing HEAD if the
    list is empty or no element is found. This case must be checked before any
    use of the iterator, otherwise it will lead to an invalid memory access.
    
    To fix this bug, add a check. Use a new variable 'iter' as the list
    iterator, and use the original variable 'p' as a dedicated pointer to point
    to the found element.
    
    Link: https://lore.kernel.org/r/20220414040231.2662-1-xiam0nd.tong@gmail.com
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Cc: stable@vger.kernel.org
    Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 733a35c00ef363a1c774d7ea486e0735b7c13a15
Author: Junxiao Bi via Ocfs2-devel <ocfs2-devel@oss.oracle.com>
Date:   Wed May 18 16:52:24 2022 -0700

    ocfs2: dlmfs: fix error handling of user_dlm_destroy_lock
    
    commit 863e0d81b6683c4cbc588ad831f560c90e494bef upstream.
    
    When user_dlm_destroy_lock failed, it didn't clean up the flags it set
    before exit.  For USER_LOCK_IN_TEARDOWN, if this function fails because of
    lock is still in used, next time when unlink invokes this function, it
    will return succeed, and then unlink will remove inode and dentry if lock
    is not in used(file closed), but the dlm lock is still linked in dlm lock
    resource, then when bast come in, it will trigger a panic due to
    user-after-free.  See the following panic call trace.  To fix this,
    USER_LOCK_IN_TEARDOWN should be reverted if fail.  And also error should
    be returned if USER_LOCK_IN_TEARDOWN is set to let user know that unlink
    fail.
    
    For the case of ocfs2_dlm_unlock failure, besides USER_LOCK_IN_TEARDOWN,
    USER_LOCK_BUSY is also required to be cleared.  Even though spin lock is
    released in between, but USER_LOCK_IN_TEARDOWN is still set, for
    USER_LOCK_BUSY, if before every place that waits on this flag,
    USER_LOCK_IN_TEARDOWN is checked to bail out, that will make sure no flow
    waits on the busy flag set by user_dlm_destroy_lock(), then we can
    simplely revert USER_LOCK_BUSY when ocfs2_dlm_unlock fails.  Fix
    user_dlm_cluster_lock() which is the only function not following this.
    
    [  941.336392] (python,26174,16):dlmfs_unlink:562 ERROR: unlink
    004fb0000060000b5a90b8c847b72e1, error -16 from destroy
    [  989.757536] ------------[ cut here ]------------
    [  989.757709] kernel BUG at fs/ocfs2/dlmfs/userdlm.c:173!
    [  989.757876] invalid opcode: 0000 [#1] SMP
    [  989.758027] Modules linked in: ksplice_2zhuk2jr_ib_ipoib_new(O)
    ksplice_2zhuk2jr(O) mptctl mptbase xen_netback xen_blkback xen_gntalloc
    xen_gntdev xen_evtchn cdc_ether usbnet mii ocfs2 jbd2 rpcsec_gss_krb5
    auth_rpcgss nfsv4 nfsv3 nfs_acl nfs fscache lockd grace ocfs2_dlmfs
    ocfs2_stack_o2cb ocfs2_dlm ocfs2_nodemanager ocfs2_stackglue configfs bnx2fc
    fcoe libfcoe libfc scsi_transport_fc sunrpc ipmi_devintf bridge stp llc
    rds_rdma rds bonding ib_sdp ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad
    rdma_cm ib_cm iw_cm falcon_lsm_serviceable(PE) falcon_nf_netcontain(PE)
    mlx4_vnic falcon_kal(E) falcon_lsm_pinned_13402(E) mlx4_ib ib_sa ib_mad
    ib_core ib_addr xenfs xen_privcmd dm_multipath iTCO_wdt iTCO_vendor_support
    pcspkr sb_edac edac_core i2c_i801 lpc_ich mfd_core ipmi_ssif i2c_core ipmi_si
    ipmi_msghandler
    [  989.760686]  ioatdma sg ext3 jbd mbcache sd_mod ahci libahci ixgbe dca ptp
    pps_core vxlan udp_tunnel ip6_udp_tunnel megaraid_sas mlx4_core crc32c_intel
    be2iscsi bnx2i cnic uio cxgb4i cxgb4 cxgb3i libcxgbi ipv6 cxgb3 mdio
    libiscsi_tcp qla4xxx iscsi_boot_sysfs libiscsi scsi_transport_iscsi wmi
    dm_mirror dm_region_hash dm_log dm_mod [last unloaded:
    ksplice_2zhuk2jr_ib_ipoib_old]
    [  989.761987] CPU: 10 PID: 19102 Comm: dlm_thread Tainted: P           OE
    4.1.12-124.57.1.el6uek.x86_64 #2
    [  989.762290] Hardware name: Oracle Corporation ORACLE SERVER
    X5-2/ASM,MOTHERBOARD,1U, BIOS 30350100 06/17/2021
    [  989.762599] task: ffff880178af6200 ti: ffff88017f7c8000 task.ti:
    ffff88017f7c8000
    [  989.762848] RIP: e030:[<ffffffffc07d4316>]  [<ffffffffc07d4316>]
    __user_dlm_queue_lockres.part.4+0x76/0x80 [ocfs2_dlmfs]
    [  989.763185] RSP: e02b:ffff88017f7cbcb8  EFLAGS: 00010246
    [  989.763353] RAX: 0000000000000000 RBX: ffff880174d48008 RCX:
    0000000000000003
    [  989.763565] RDX: 0000000000120012 RSI: 0000000000000003 RDI:
    ffff880174d48170
    [  989.763778] RBP: ffff88017f7cbcc8 R08: ffff88021f4293b0 R09:
    0000000000000000
    [  989.763991] R10: ffff880179c8c000 R11: 0000000000000003 R12:
    ffff880174d48008
    [  989.764204] R13: 0000000000000003 R14: ffff880179c8c000 R15:
    ffff88021db7a000
    [  989.764422] FS:  0000000000000000(0000) GS:ffff880247480000(0000)
    knlGS:ffff880247480000
    [  989.764685] CS:  e033 DS: 0000 ES: 0000 CR0: 0000000080050033
    [  989.764865] CR2: ffff8000007f6800 CR3: 0000000001ae0000 CR4:
    0000000000042660
    [  989.765081] Stack:
    [  989.765167]  0000000000000003 ffff880174d48040 ffff88017f7cbd18
    ffffffffc07d455f
    [  989.765442]  ffff88017f7cbd88 ffffffff816fb639 ffff88017f7cbd38
    ffff8800361b5600
    [  989.765717]  ffff88021db7a000 ffff88021f429380 0000000000000003
    ffffffffc0453020
    [  989.765991] Call Trace:
    [  989.766093]  [<ffffffffc07d455f>] user_bast+0x5f/0xf0 [ocfs2_dlmfs]
    [  989.766287]  [<ffffffff816fb639>] ? schedule_timeout+0x169/0x2d0
    [  989.766475]  [<ffffffffc0453020>] ? o2dlm_lock_ast_wrapper+0x20/0x20
    [ocfs2_stack_o2cb]
    [  989.766738]  [<ffffffffc045303a>] o2dlm_blocking_ast_wrapper+0x1a/0x20
    [ocfs2_stack_o2cb]
    [  989.767010]  [<ffffffffc0864ec6>] dlm_do_local_bast+0x46/0xe0 [ocfs2_dlm]
    [  989.767217]  [<ffffffffc084f5cc>] ? dlm_lockres_calc_usage+0x4c/0x60
    [ocfs2_dlm]
    [  989.767466]  [<ffffffffc08501f1>] dlm_thread+0xa31/0x1140 [ocfs2_dlm]
    [  989.767662]  [<ffffffff816f78da>] ? __schedule+0x24a/0x810
    [  989.767834]  [<ffffffff816f78ce>] ? __schedule+0x23e/0x810
    [  989.768006]  [<ffffffff816f78da>] ? __schedule+0x24a/0x810
    [  989.768178]  [<ffffffff816f78ce>] ? __schedule+0x23e/0x810
    [  989.768349]  [<ffffffff816f78da>] ? __schedule+0x24a/0x810
    [  989.768521]  [<ffffffff816f78ce>] ? __schedule+0x23e/0x810
    [  989.768693]  [<ffffffff816f78da>] ? __schedule+0x24a/0x810
    [  989.768893]  [<ffffffff816f78ce>] ? __schedule+0x23e/0x810
    [  989.769067]  [<ffffffff816f78da>] ? __schedule+0x24a/0x810
    [  989.769241]  [<ffffffff810ce4d0>] ? wait_woken+0x90/0x90
    [  989.769411]  [<ffffffffc084f7c0>] ? dlm_kick_thread+0x80/0x80 [ocfs2_dlm]
    [  989.769617]  [<ffffffff810a8bbb>] kthread+0xcb/0xf0
    [  989.769774]  [<ffffffff816f78da>] ? __schedule+0x24a/0x810
    [  989.769945]  [<ffffffff816f78da>] ? __schedule+0x24a/0x810
    [  989.770117]  [<ffffffff810a8af0>] ? kthread_create_on_node+0x180/0x180
    [  989.770321]  [<ffffffff816fdaa1>] ret_from_fork+0x61/0x90
    [  989.770492]  [<ffffffff810a8af0>] ? kthread_create_on_node+0x180/0x180
    [  989.770689] Code: d0 00 00 00 f0 45 7d c0 bf 00 20 00 00 48 89 83 c0 00 00
    00 48 89 83 c8 00 00 00 e8 55 c1 8c c0 83 4b 04 10 48 83 c4 08 5b 5d c3 <0f>
    0b 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 55 41 54 53 48 83
    [  989.771892] RIP  [<ffffffffc07d4316>]
    __user_dlm_queue_lockres.part.4+0x76/0x80 [ocfs2_dlmfs]
    [  989.772174]  RSP <ffff88017f7cbcb8>
    [  989.772704] ---[ end trace ebd1e38cebcc93a8 ]---
    [  989.772907] Kernel panic - not syncing: Fatal exception
    [  989.773173] Kernel Offset: disabled
    
    Link: https://lkml.kernel.org/r/20220518235224.87100-2-junxiao.bi@oracle.com
    Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com>
    Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
    Cc: Mark Fasheh <mark@fasheh.com>
    Cc: Joel Becker <jlbec@evilplan.org>
    Cc: Joseph Qi <jiangqi903@gmail.com>
    Cc: Changwei Ge <gechangwei@live.cn>
    Cc: Gang He <ghe@suse.com>
    Cc: Jun Piao <piaojun@huawei.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 477b206035c8a54af788822c0def637f5f615b6e
Author: Alexander Aring <aahringo@redhat.com>
Date:   Fri Apr 29 11:06:51 2022 -0400

    dlm: fix missing lkb refcount handling
    
    commit 1689c169134f4b5a39156122d799b7dca76d8ddb upstream.
    
    We always call hold_lkb(lkb) if we increment lkb->lkb_wait_count.
    So, we always need to call unhold_lkb(lkb) if we decrement
    lkb->lkb_wait_count. This patch will add missing unhold_lkb(lkb) if we
    decrement lkb->lkb_wait_count. In case of setting lkb->lkb_wait_count to
    zero we need to countdown until reaching zero and call unhold_lkb(lkb).
    The waiters list unhold_lkb(lkb) can be removed because it's done for
    the last lkb_wait_count decrement iteration as it's done in
    _remove_from_waiters().
    
    This issue was discovered by a dlm gfs2 test case which use excessively
    dlm_unlock(LKF_CANCEL) feature. Probably the lkb->lkb_wait_count value
    never reached above 1 if this feature isn't used and so it was not
    discovered before.
    
    The testcase ended in a rsb on the rsb keep data structure with a
    refcount of 1 but no lkb was associated with it, which is itself
    an invalid behaviour. A side effect of that was a condition in which
    the dlm was sending remove messages in a looping behaviour. With this
    patch that has not been reproduced.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Alexander Aring <aahringo@redhat.com>
    Signed-off-by: David Teigland <teigland@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5a1765adf9855cf0f6d3f7e0eb4b78ca66f70dee
Author: Alexander Aring <aahringo@redhat.com>
Date:   Mon Apr 4 16:06:30 2022 -0400

    dlm: fix plock invalid read
    
    commit 42252d0d2aa9b94d168241710a761588b3959019 upstream.
    
    This patch fixes an invalid read showed by KASAN. A unlock will allocate a
    "struct plock_op" and a followed send_op() will append it to a global
    send_list data structure. In some cases a followed dev_read() moves it
    to recv_list and dev_write() will cast it to "struct plock_xop" and access
    fields which are only available in those structures. At this point an
    invalid read happens by accessing those fields.
    
    To fix this issue the "callback" field is moved to "struct plock_op" to
    indicate that a cast to "plock_xop" is allowed and does the additional
    "plock_xop" handling if set.
    
    Example of the KASAN output which showed the invalid read:
    
    [ 2064.296453] ==================================================================
    [ 2064.304852] BUG: KASAN: slab-out-of-bounds in dev_write+0x52b/0x5a0 [dlm]
    [ 2064.306491] Read of size 8 at addr ffff88800ef227d8 by task dlm_controld/7484
    [ 2064.308168]
    [ 2064.308575] CPU: 0 PID: 7484 Comm: dlm_controld Kdump: loaded Not tainted 5.14.0+ #9
    [ 2064.310292] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
    [ 2064.311618] Call Trace:
    [ 2064.312218]  dump_stack_lvl+0x56/0x7b
    [ 2064.313150]  print_address_description.constprop.8+0x21/0x150
    [ 2064.314578]  ? dev_write+0x52b/0x5a0 [dlm]
    [ 2064.315610]  ? dev_write+0x52b/0x5a0 [dlm]
    [ 2064.316595]  kasan_report.cold.14+0x7f/0x11b
    [ 2064.317674]  ? dev_write+0x52b/0x5a0 [dlm]
    [ 2064.318687]  dev_write+0x52b/0x5a0 [dlm]
    [ 2064.319629]  ? dev_read+0x4a0/0x4a0 [dlm]
    [ 2064.320713]  ? bpf_lsm_kernfs_init_security+0x10/0x10
    [ 2064.321926]  vfs_write+0x17e/0x930
    [ 2064.322769]  ? __fget_light+0x1aa/0x220
    [ 2064.323753]  ksys_write+0xf1/0x1c0
    [ 2064.324548]  ? __ia32_sys_read+0xb0/0xb0
    [ 2064.325464]  do_syscall_64+0x3a/0x80
    [ 2064.326387]  entry_SYSCALL_64_after_hwframe+0x44/0xae
    [ 2064.327606] RIP: 0033:0x7f807e4ba96f
    [ 2064.328470] Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 39 87 f8 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 7c 87 f8 ff 48
    [ 2064.332902] RSP: 002b:00007ffd50cfe6e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
    [ 2064.334658] RAX: ffffffffffffffda RBX: 000055cc3886eb30 RCX: 00007f807e4ba96f
    [ 2064.336275] RDX: 0000000000000040 RSI: 00007ffd50cfe7e0 RDI: 0000000000000010
    [ 2064.337980] RBP: 00007ffd50cfe7e0 R08: 0000000000000000 R09: 0000000000000001
    [ 2064.339560] R10: 000055cc3886eb30 R11: 0000000000000293 R12: 000055cc3886eb80
    [ 2064.341237] R13: 000055cc3886eb00 R14: 000055cc3886f590 R15: 0000000000000001
    [ 2064.342857]
    [ 2064.343226] Allocated by task 12438:
    [ 2064.344057]  kasan_save_stack+0x1c/0x40
    [ 2064.345079]  __kasan_kmalloc+0x84/0xa0
    [ 2064.345933]  kmem_cache_alloc_trace+0x13b/0x220
    [ 2064.346953]  dlm_posix_unlock+0xec/0x720 [dlm]
    [ 2064.348811]  do_lock_file_wait.part.32+0xca/0x1d0
    [ 2064.351070]  fcntl_setlk+0x281/0xbc0
    [ 2064.352879]  do_fcntl+0x5e4/0xfe0
    [ 2064.354657]  __x64_sys_fcntl+0x11f/0x170
    [ 2064.356550]  do_syscall_64+0x3a/0x80
    [ 2064.358259]  entry_SYSCALL_64_after_hwframe+0x44/0xae
    [ 2064.360745]
    [ 2064.361511] Last potentially related work creation:
    [ 2064.363957]  kasan_save_stack+0x1c/0x40
    [ 2064.365811]  __kasan_record_aux_stack+0xaf/0xc0
    [ 2064.368100]  call_rcu+0x11b/0xf70
    [ 2064.369785]  dlm_process_incoming_buffer+0x47d/0xfd0 [dlm]
    [ 2064.372404]  receive_from_sock+0x290/0x770 [dlm]
    [ 2064.374607]  process_recv_sockets+0x32/0x40 [dlm]
    [ 2064.377290]  process_one_work+0x9a8/0x16e0
    [ 2064.379357]  worker_thread+0x87/0xbf0
    [ 2064.381188]  kthread+0x3ac/0x490
    [ 2064.383460]  ret_from_fork+0x22/0x30
    [ 2064.385588]
    [ 2064.386518] Second to last potentially related work creation:
    [ 2064.389219]  kasan_save_stack+0x1c/0x40
    [ 2064.391043]  __kasan_record_aux_stack+0xaf/0xc0
    [ 2064.393303]  call_rcu+0x11b/0xf70
    [ 2064.394885]  dlm_process_incoming_buffer+0x47d/0xfd0 [dlm]
    [ 2064.397694]  receive_from_sock+0x290/0x770 [dlm]
    [ 2064.399932]  process_recv_sockets+0x32/0x40 [dlm]
    [ 2064.402180]  process_one_work+0x9a8/0x16e0
    [ 2064.404388]  worker_thread+0x87/0xbf0
    [ 2064.406124]  kthread+0x3ac/0x490
    [ 2064.408021]  ret_from_fork+0x22/0x30
    [ 2064.409834]
    [ 2064.410599] The buggy address belongs to the object at ffff88800ef22780
    [ 2064.410599]  which belongs to the cache kmalloc-96 of size 96
    [ 2064.416495] The buggy address is located 88 bytes inside of
    [ 2064.416495]  96-byte region [ffff88800ef22780, ffff88800ef227e0)
    [ 2064.422045] The buggy address belongs to the page:
    [ 2064.424635] page:00000000b6bef8bc refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xef22
    [ 2064.428970] flags: 0xfffffc0000200(slab|node=0|zone=1|lastcpupid=0x1fffff)
    [ 2064.432515] raw: 000fffffc0000200 ffffea0000d68b80 0000001400000014 ffff888001041780
    [ 2064.436110] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
    [ 2064.439813] page dumped because: kasan: bad access detected
    [ 2064.442548]
    [ 2064.443310] Memory state around the buggy address:
    [ 2064.445988]  ffff88800ef22680: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
    [ 2064.449444]  ffff88800ef22700: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
    [ 2064.452941] >ffff88800ef22780: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
    [ 2064.456383]                                                     ^
    [ 2064.459386]  ffff88800ef22800: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
    [ 2064.462788]  ffff88800ef22880: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
    [ 2064.466239] ==================================================================
    
    reproducer in python:
    
    import argparse
    import struct
    import fcntl
    import os
    
    parser = argparse.ArgumentParser()
    
    parser.add_argument('-f', '--file',
                        help='file to use fcntl, must be on dlm lock filesystem e.g. gfs2')
    
    args = parser.parse_args()
    
    f = open(args.file, 'wb+')
    
    lockdata = struct.pack('hhllhh', fcntl.F_WRLCK,0,0,0,0,0)
    fcntl.fcntl(f, fcntl.F_SETLK, lockdata)
    lockdata = struct.pack('hhllhh', fcntl.F_UNLCK,0,0,0,0,0)
    fcntl.fcntl(f, fcntl.F_SETLK, lockdata)
    
    Fixes: 586759f03e2e ("gfs2: nfs lock support for gfs2")
    Cc: stable@vger.kernel.org
    Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
    Signed-off-by: Alexander Aring <aahringo@redhat.com>
    Signed-off-by: David Teigland <teigland@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c4cb6399f05642d2bac0eeaa4171e18dbc493d41
Author: Johan Hovold <johan+linaro@kernel.org>
Date:   Fri Apr 1 15:38:54 2022 +0200

    PCI: qcom: Fix unbalanced PHY init on probe errors
    
    commit 83013631f0f9961416abd812e228c8efbc2f6069 upstream.
    
    Undo the PHY initialisation (e.g. balance runtime PM) if host
    initialisation fails during probe.
    
    Link: https://lore.kernel.org/r/20220401133854.10421-3-johan+linaro@kernel.org
    Fixes: 82a823833f4e ("PCI: qcom: Add Qualcomm PCIe controller driver")
    Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
    Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
    Acked-by: Stanimir Varbanov <svarbanov@mm-sol.com>
    Cc: stable@vger.kernel.org      # 4.5
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c23628d3d293d02eff5a595cb941d4a64673ba2e
Author: Johan Hovold <johan+linaro@kernel.org>
Date:   Fri Apr 1 15:38:53 2022 +0200

    PCI: qcom: Fix runtime PM imbalance on probe errors
    
    commit 87d83b96c8d6c6c2d2096bd0bdba73bcf42b8ef0 upstream.
    
    Drop the leftover pm_runtime_disable() calls from the late probe error
    paths that would, for example, prevent runtime PM from being reenabled
    after a probe deferral.
    
    Link: https://lore.kernel.org/r/20220401133854.10421-2-johan+linaro@kernel.org
    Fixes: 6e5da6f7d824 ("PCI: qcom: Fix error handling in runtime PM support")
    Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
    Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
    Acked-by: Stanimir Varbanov <svarbanov@mm-sol.com>
    Cc: stable@vger.kernel.org      # 4.20
    Cc: Bjorn Andersson <bjorn.andersson@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b49fcf02f54e322e0902fbac67ec5dcc1cfa6dc2
Author: Bjorn Helgaas <bhelgaas@google.com>
Date:   Thu May 26 16:52:23 2022 -0500

    PCI/PM: Fix bridge_d3_blacklist[] Elo i2 overwrite of Gigabyte X299
    
    commit 12068bb346db5776d0ec9bb4cd073f8427a1ac92 upstream.
    
    92597f97a40b ("PCI/PM: Avoid putting Elo i2 PCIe Ports in D3cold") omitted
    braces around the new Elo i2 entry, so it overwrote the existing Gigabyte
    X299 entry.  Add the appropriate braces.
    
    Found by:
    
      $ make W=1 drivers/pci/pci.o
        CC      drivers/pci/pci.o
      drivers/pci/pci.c:2974:12: error: initialized field overwritten [-Werror=override-init]
       2974 |   .ident = "Elo i2",
            |            ^~~~~~~~
    
    Link: https://lore.kernel.org/r/20220526221258.GA409855@bhelgaas
    Fixes: 92597f97a40b ("PCI/PM: Avoid putting Elo i2 PCIe Ports in D3cold")
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Cc: stable@vger.kernel.org  # v5.15+
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f8b383f83cb573152c577eca1ef101e89995b72a
Author: Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp>
Date:   Mon Apr 25 06:37:38 2022 +0000

    tracing: Fix potential double free in create_var_ref()
    
    commit 99696a2592bca641eb88cc9a80c90e591afebd0f upstream.
    
    In create_var_ref(), init_var_ref() is called to initialize the fields
    of variable ref_field, which is allocated in the previous function call
    to create_hist_field(). Function init_var_ref() allocates the
    corresponding fields such as ref_field->system, but frees these fields
    when the function encounters an error. The caller later calls
    destroy_hist_field() to conduct error handling, which frees the fields
    and the variable itself. This results in double free of the fields which
    are already freed in the previous function.
    
    Fix this by storing NULL to the corresponding fields when they are freed
    in init_var_ref().
    
    Link: https://lkml.kernel.org/r/20220425063739.3859998-1-keitasuzuki.park@sslab.ics.keio.ac.jp
    
    Fixes: 067fe038e70f ("tracing: Add variable reference handling to hist triggers")
    CC: stable@vger.kernel.org
    Reviewed-by: Masami Hiramatsu <mhiramat@kernel.org>
    Reviewed-by: Tom Zanussi <zanussi@kernel.org>
    Signed-off-by: Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp>
    Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b3ad9ff6f06c1dc6abf7437691c88ca3d6da3ac0
Author: Jan Kara <jack@suse.cz>
Date:   Wed May 18 11:33:29 2022 +0200

    ext4: avoid cycles in directory h-tree
    
    commit 3ba733f879c2a88910744647e41edeefbc0d92b2 upstream.
    
    A maliciously corrupted filesystem can contain cycles in the h-tree
    stored inside a directory. That can easily lead to the kernel corrupting
    tree nodes that were already verified under its hands while doing a node
    split and consequently accessing unallocated memory. Fix the problem by
    verifying traversed block numbers are unique.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Jan Kara <jack@suse.cz>
    Link: https://lore.kernel.org/r/20220518093332.13986-2-jack@suse.cz
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 78398c2b2cc14f9a9c8592cf6d334c5a479ed611
Author: Jan Kara <jack@suse.cz>
Date:   Wed May 18 11:33:28 2022 +0200

    ext4: verify dir block before splitting it
    
    commit 46c116b920ebec58031f0a78c5ea9599b0d2a371 upstream.
    
    Before splitting a directory block verify its directory entries are sane
    so that the splitting code does not access memory it should not.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Jan Kara <jack@suse.cz>
    Link: https://lore.kernel.org/r/20220518093332.13986-1-jack@suse.cz
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit de1732b5c1693ad489c5d254f124f67cb775f37d
Author: Ye Bin <yebin10@huawei.com>
Date:   Mon May 16 20:26:34 2022 +0800

    ext4: fix bug_on in ext4_writepages
    
    commit ef09ed5d37b84d18562b30cf7253e57062d0db05 upstream.
    
    we got issue as follows:
    EXT4-fs error (device loop0): ext4_mb_generate_buddy:1141: group 0, block bitmap and bg descriptor inconsistent: 25 vs 31513 free cls
    ------------[ cut here ]------------
    kernel BUG at fs/ext4/inode.c:2708!
    invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
    CPU: 2 PID: 2147 Comm: rep Not tainted 5.18.0-rc2-next-20220413+ #155
    RIP: 0010:ext4_writepages+0x1977/0x1c10
    RSP: 0018:ffff88811d3e7880 EFLAGS: 00010246
    RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffff88811c098000
    RDX: 0000000000000000 RSI: ffff88811c098000 RDI: 0000000000000002
    RBP: ffff888128140f50 R08: ffffffffb1ff6387 R09: 0000000000000000
    R10: 0000000000000007 R11: ffffed10250281ea R12: 0000000000000001
    R13: 00000000000000a4 R14: ffff88811d3e7bb8 R15: ffff888128141028
    FS:  00007f443aed9740(0000) GS:ffff8883aef00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000020007200 CR3: 000000011c2a4000 CR4: 00000000000006e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     <TASK>
     do_writepages+0x130/0x3a0
     filemap_fdatawrite_wbc+0x83/0xa0
     filemap_flush+0xab/0xe0
     ext4_alloc_da_blocks+0x51/0x120
     __ext4_ioctl+0x1534/0x3210
     __x64_sys_ioctl+0x12c/0x170
     do_syscall_64+0x3b/0x90
    
    It may happen as follows:
    1. write inline_data inode
    vfs_write
      new_sync_write
        ext4_file_write_iter
          ext4_buffered_write_iter
            generic_perform_write
              ext4_da_write_begin
                ext4_da_write_inline_data_begin -> If inline data size too
                small will allocate block to write, then mapping will has
                dirty page
                    ext4_da_convert_inline_data_to_extent ->clear EXT4_STATE_MAY_INLINE_DATA
    2. fallocate
    do_vfs_ioctl
      ioctl_preallocate
        vfs_fallocate
          ext4_fallocate
            ext4_convert_inline_data
              ext4_convert_inline_data_nolock
                ext4_map_blocks -> fail will goto restore data
                ext4_restore_inline_data
                  ext4_create_inline_data
                  ext4_write_inline_data
                  ext4_set_inode_state -> set inode EXT4_STATE_MAY_INLINE_DATA
    3. writepages
    __ext4_ioctl
      ext4_alloc_da_blocks
        filemap_flush
          filemap_fdatawrite_wbc
            do_writepages
              ext4_writepages
                if (ext4_has_inline_data(inode))
                  BUG_ON(ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA))
    
    The root cause of this issue is we destory inline data until call
    ext4_writepages under delay allocation mode.  But there maybe already
    convert from inline to extent.  To solve this issue, we call
    filemap_flush first..
    
    Cc: stable@kernel.org
    Signed-off-by: Ye Bin <yebin10@huawei.com>
    Reviewed-by: Jan Kara <jack@suse.cz>
    Link: https://lore.kernel.org/r/20220516122634.1690462-1-yebin10@huawei.com
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 10801095224de0d0ab06ae60698680c1f883a3ae
Author: Ye Bin <yebin10@huawei.com>
Date:   Thu Apr 14 10:52:23 2022 +0800

    ext4: fix use-after-free in ext4_rename_dir_prepare
    
    commit 0be698ecbe4471fcad80e81ec6a05001421041b3 upstream.
    
    We got issue as follows:
    EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue
    ext4_get_first_dir_block: bh->b_data=0xffff88810bee6000 len=34478
    ext4_get_first_dir_block: *parent_de=0xffff88810beee6ae bh->b_data=0xffff88810bee6000
    ext4_rename_dir_prepare: [1] parent_de=0xffff88810beee6ae
    ==================================================================
    BUG: KASAN: use-after-free in ext4_rename_dir_prepare+0x152/0x220
    Read of size 4 at addr ffff88810beee6ae by task rep/1895
    
    CPU: 13 PID: 1895 Comm: rep Not tainted 5.10.0+ #241
    Call Trace:
     dump_stack+0xbe/0xf9
     print_address_description.constprop.0+0x1e/0x220
     kasan_report.cold+0x37/0x7f
     ext4_rename_dir_prepare+0x152/0x220
     ext4_rename+0xf44/0x1ad0
     ext4_rename2+0x11c/0x170
     vfs_rename+0xa84/0x1440
     do_renameat2+0x683/0x8f0
     __x64_sys_renameat+0x53/0x60
     do_syscall_64+0x33/0x40
     entry_SYSCALL_64_after_hwframe+0x44/0xa9
    RIP: 0033:0x7f45a6fc41c9
    RSP: 002b:00007ffc5a470218 EFLAGS: 00000246 ORIG_RAX: 0000000000000108
    RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f45a6fc41c9
    RDX: 0000000000000005 RSI: 0000000020000180 RDI: 0000000000000005
    RBP: 00007ffc5a470240 R08: 00007ffc5a470160 R09: 0000000020000080
    R10: 00000000200001c0 R11: 0000000000000246 R12: 0000000000400bb0
    R13: 00007ffc5a470320 R14: 0000000000000000 R15: 0000000000000000
    
    The buggy address belongs to the page:
    page:00000000440015ce refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x10beee
    flags: 0x200000000000000()
    raw: 0200000000000000 ffffea00043ff4c8 ffffea0004325608 0000000000000000
    raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
    page dumped because: kasan: bad access detected
    
    Memory state around the buggy address:
     ffff88810beee580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
     ffff88810beee600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    >ffff88810beee680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                      ^
     ffff88810beee700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
     ffff88810beee780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    ==================================================================
    Disabling lock debugging due to kernel taint
    ext4_rename_dir_prepare: [2] parent_de->inode=3537895424
    ext4_rename_dir_prepare: [3] dir=0xffff888124170140
    ext4_rename_dir_prepare: [4] ino=2
    ext4_rename_dir_prepare: ent->dir->i_ino=2 parent=-757071872
    
    Reason is first directory entry which 'rec_len' is 34478, then will get illegal
    parent entry. Now, we do not check directory entry after read directory block
    in 'ext4_get_first_dir_block'.
    To solve this issue, check directory entry in 'ext4_get_first_dir_block'.
    
    [ Trigger an ext4_error() instead of just warning if the directory is
      missing a '.' or '..' entry.   Also make sure we return an error code
      if the file system is corrupted.  -TYT ]
    
    Signed-off-by: Ye Bin <yebin10@huawei.com>
    Reviewed-by: Jan Kara <jack@suse.cz>
    Link: https://lore.kernel.org/r/20220414025223.4113128-1-yebin10@huawei.com
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Cc: stable@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ed44398b45add3d9be56b7457cc9e05282e518b4
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Wed May 25 10:36:38 2022 +0200

    netfilter: nf_tables: disallow non-stateful expression in sets earlier
    
    commit 520778042ccca019f3ffa136dd0ca565c486cedd upstream.
    
    Since 3e135cd499bf ("netfilter: nft_dynset: dynamic stateful expression
    instantiation"), it is possible to attach stateful expressions to set
    elements.
    
    cd5125d8f518 ("netfilter: nf_tables: split set destruction in deactivate
    and destroy phase") introduces conditional destruction on the object to
    accomodate transaction semantics.
    
    nft_expr_init() calls expr->ops->init() first, then check for
    NFT_STATEFUL_EXPR, this stills allows to initialize a non-stateful
    lookup expressions which points to a set, which might lead to UAF since
    the set is not properly detached from the set->binding for this case.
    Anyway, this combination is non-sense from nf_tables perspective.
    
    This patch fixes this problem by checking for NFT_STATEFUL_EXPR before
    expr->ops->init() is called.
    
    The reporter provides a KASAN splat and a poc reproducer (similar to
    those autogenerated by syzbot to report use-after-free errors). It is
    unknown to me if they are using syzbot or if they use similar automated
    tool to locate the bug that they are reporting.
    
    For the record, this is the KASAN splat.
    
    [   85.431824] ==================================================================
    [   85.432901] BUG: KASAN: use-after-free in nf_tables_bind_set+0x81b/0xa20
    [   85.433825] Write of size 8 at addr ffff8880286f0e98 by task poc/776
    [   85.434756]
    [   85.434999] CPU: 1 PID: 776 Comm: poc Tainted: G        W         5.18.0+ #2
    [   85.436023] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
    
    Fixes: 0b2d8a7b638b ("netfilter: nf_tables: add helper functions for expression handling")
    Reported-and-tested-by: Aaron Adams <edg-e@nccgroup.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    [Ajay: Regenerated the patch for v4.19.y]
    Signed-off-by: Ajay Kaher <akaher@vmware.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit dc8b5902ac540332e64d6d9ede6ca52224d6fef6
Author: Zhihao Cheng <chengzhihao1@huawei.com>
Date:   Tue May 10 21:38:05 2022 +0800

    fs-writeback: writeback_sb_inodes:Recalculate 'wrote' according skipped pages
    
    commit 68f4c6eba70df70a720188bce95c85570ddfcc87 upstream.
    
    Commit 505a666ee3fc ("writeback: plug writeback in wb_writeback() and
    writeback_inodes_wb()") has us holding a plug during wb_writeback, which
    may cause a potential ABBA dead lock:
    
        wb_writeback                fat_file_fsync
    blk_start_plug(&plug)
    for (;;) {
      iter i-1: some reqs have been added into plug->mq_list  // LOCK A
      iter i:
        progress = __writeback_inodes_wb(wb, work)
        . writeback_sb_inodes // fat's bdev
        .   __writeback_single_inode
        .   . generic_writepages
        .   .   __block_write_full_page
        .   .   . .             __generic_file_fsync
        .   .   . .               sync_inode_metadata
        .   .   . .                 writeback_single_inode
        .   .   . .                   __writeback_single_inode
        .   .   . .                     fat_write_inode
        .   .   . .                       __fat_write_inode
        .   .   . .                         sync_dirty_buffer       // fat's bdev
        .   .   . .                           lock_buffer(bh)       // LOCK B
        .   .   . .                             submit_bh
        .   .   . .                               blk_mq_get_tag    // LOCK A
        .   .   . trylock_buffer(bh)  // LOCK B
        .   .   .   redirty_page_for_writepage
        .   .   .     wbc->pages_skipped++
        .   .   --wbc->nr_to_write
        .   wrote += write_chunk - wbc.nr_to_write  // wrote > 0
        .   requeue_inode
        .     redirty_tail_locked
        if (progress)    // progress > 0
          continue;
      iter i+1:
          queue_io
          // similar process with iter i, infinite for-loop !
    }
    blk_finish_plug(&plug)   // flush plug won't be called
    
    Above process triggers a hungtask like:
    [  399.044861] INFO: task bb:2607 blocked for more than 30 seconds.
    [  399.046824]       Not tainted 5.18.0-rc1-00005-gefae4d9eb6a2-dirty
    [  399.051539] task:bb              state:D stack:    0 pid: 2607 ppid:
    2426 flags:0x00004000
    [  399.051556] Call Trace:
    [  399.051570]  __schedule+0x480/0x1050
    [  399.051592]  schedule+0x92/0x1a0
    [  399.051602]  io_schedule+0x22/0x50
    [  399.051613]  blk_mq_get_tag+0x1d3/0x3c0
    [  399.051640]  __blk_mq_alloc_requests+0x21d/0x3f0
    [  399.051657]  blk_mq_submit_bio+0x68d/0xca0
    [  399.051674]  __submit_bio+0x1b5/0x2d0
    [  399.051708]  submit_bio_noacct+0x34e/0x720
    [  399.051718]  submit_bio+0x3b/0x150
    [  399.051725]  submit_bh_wbc+0x161/0x230
    [  399.051734]  __sync_dirty_buffer+0xd1/0x420
    [  399.051744]  sync_dirty_buffer+0x17/0x20
    [  399.051750]  __fat_write_inode+0x289/0x310
    [  399.051766]  fat_write_inode+0x2a/0xa0
    [  399.051783]  __writeback_single_inode+0x53c/0x6f0
    [  399.051795]  writeback_single_inode+0x145/0x200
    [  399.051803]  sync_inode_metadata+0x45/0x70
    [  399.051856]  __generic_file_fsync+0xa3/0x150
    [  399.051880]  fat_file_fsync+0x1d/0x80
    [  399.051895]  vfs_fsync_range+0x40/0xb0
    [  399.051929]  __x64_sys_fsync+0x18/0x30
    
    In my test, 'need_resched()' (which is imported by 590dca3a71 "fs-writeback:
    unplug before cond_resched in writeback_sb_inodes") in function
    'writeback_sb_inodes()' seldom comes true, unless cond_resched() is deleted
    from write_cache_pages().
    
    Fix it by correcting wrote number according number of skipped pages
    in writeback_sb_inodes().
    
    Goto Link to find a reproducer.
    
    Link: https://bugzilla.kernel.org/show_bug.cgi?id=215837
    Cc: stable@vger.kernel.org # v4.3
    Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
    Reviewed-by: Jan Kara <jack@suse.cz>
    Reviewed-by: Christoph Hellwig <hch@lst.de>
    Link: https://lore.kernel.org/r/20220510133805.1988292-1-chengzhihao1@huawei.com
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit aaf6e3ad74194ca836e8b9337665172fde03a698
Author: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Date:   Tue May 17 12:05:09 2022 +0300

    iwlwifi: mvm: fix assert 1F04 upon reconfig
    
    commit 9d096e3d3061dbf4ee10e2b59fc2c06e05bdb997 upstream.
    
    When we reconfig we must not send the MAC_POWER command that relates to
    a MAC that was not yet added to the firmware.
    
    Ignore those in the iterator.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
    Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
    Link: https://lore.kernel.org/r/20220517120044.ed2ffc8ce732.If786e19512d0da4334a6382ea6148703422c7d7b@changeid
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9f1e5cc85ad77e52f54049a94db0407445ae2a34
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Wed Jun 1 09:19:36 2022 +0200

    wifi: mac80211: fix use-after-free in chanctx code
    
    commit 2965c4cdf7ad9ce0796fac5e57debb9519ea721e upstream.
    
    In ieee80211_vif_use_reserved_context(), when we have an
    old context and the new context's replace_state is set to
    IEEE80211_CHANCTX_REPLACE_NONE, we free the old context
    in ieee80211_vif_use_reserved_reassign(). Therefore, we
    cannot check the old_ctx anymore, so we should set it to
    NULL after this point.
    
    However, since the new_ctx replace state is clearly not
    IEEE80211_CHANCTX_REPLACES_OTHER, we're not going to do
    anything else in this function and can just return to
    avoid accessing the freed old_ctx.
    
    Cc: stable@vger.kernel.org
    Fixes: 5bcae31d9cb1 ("mac80211: implement multi-vif in-place reservations")
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Kalle Valo <kvalo@kernel.org>
    Link: https://lore.kernel.org/r/20220601091926.df419d91b165.I17a9b3894ff0b8323ce2afdb153b101124c821e5@changeid
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6cc2086923b873a75223a86ed1bdf38133634d9f
Author: Chao Yu <chao@kernel.org>
Date:   Wed May 4 14:09:22 2022 +0800

    f2fs: fix deadloop in foreground GC
    
    commit cfd66bb715fd11fde3338d0660cffa1396adc27d upstream.
    
    As Yanming reported in bugzilla:
    
    https://bugzilla.kernel.org/show_bug.cgi?id=215914
    
    The root cause is: in a very small sized image, it's very easy to
    exceed threshold of foreground GC, if we calculate free space and
    dirty data based on section granularity, in corner case,
    has_not_enough_free_secs() will always return true, result in
    deadloop in f2fs_gc().
    
    So this patch refactors has_not_enough_free_secs() as below to fix
    this issue:
    1. calculate needed space based on block granularity, and separate
    all blocks to two parts, section part, and block part, comparing
    section part to free section, and comparing block part to free space
    in openned log.
    2. account F2FS_DIRTY_NODES, F2FS_DIRTY_IMETA and F2FS_DIRTY_DENTS
    as node block consumer;
    3. account F2FS_DIRTY_DENTS as data block consumer;
    
    Cc: stable@vger.kernel.org
    Reported-by: Ming Yan <yanming@tju.edu.cn>
    Signed-off-by: Chao Yu <chao.yu@oppo.com>
    Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 82a3b7ef78cbc0a7a9a03f8b27ee09d4dbdb6491
Author: Zhengjun Xing <zhengjun.xing@linux.intel.com>
Date:   Wed May 25 22:04:10 2022 +0800

    perf jevents: Fix event syntax error caused by ExtSel
    
    [ Upstream commit f4df0dbbe62ee8e4405a57b27ccd54393971c773 ]
    
    In the origin code, when "ExtSel" is 1, the eventcode will change to
    "eventcode |= 1 << 21”. For event “UNC_Q_RxL_CREDITS_CONSUMED_VN0.DRS",
    its "ExtSel" is "1", its eventcode will change from 0x1E to 0x20001E,
    but in fact the eventcode should <=0x1FF, so this will cause the parse
    fail:
    
      # perf stat -e "UNC_Q_RxL_CREDITS_CONSUMED_VN0.DRS" -a sleep 0.1
      event syntax error: '.._RxL_CREDITS_CONSUMED_VN0.DRS'
                                        \___ value too big for format, maximum is 511
    
    On the perf kernel side, the kernel assumes the valid bits are continuous.
    It will adjust the 0x100 (bit 8 for perf tool) to bit 21 in HW.
    
    DEFINE_UNCORE_FORMAT_ATTR(event_ext, event, "config:0-7,21");
    
    So the perf tool follows the kernel side and just set bit8 other than bit21.
    
    Fixes: fedb2b518239cbc0 ("perf jevents: Add support for parsing uncore json files")
    Reviewed-by: Kan Liang <kan.liang@linux.intel.com>
    Signed-off-by: Xing Zhengjun <zhengjun.xing@linux.intel.com>
    Acked-by: Ian Rogers <irogers@google.com>
    Cc: Adrian Hunter <adrian.hunter@intel.com>
    Cc: Alexander Shishkin <alexander.shishkin@intel.com>
    Cc: Andi Kleen <ak@linux.intel.com>
    Cc: Ingo Molnar <mingo@redhat.com>
    Cc: Jiri Olsa <jolsa@kernel.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Link: https://lore.kernel.org/r/20220525140410.1706851-1-zhengjun.xing@linux.intel.com
    Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 4af81f7e6988ff41850130fff23f02a8530660aa
Author: Leo Yan <leo.yan@linaro.org>
Date:   Thu May 26 22:54:00 2022 +0800

    perf c2c: Use stdio interface if slang is not supported
    
    [ Upstream commit c4040212bc97d16040712a410335f93bc94d2262 ]
    
    If the slang lib is not installed on the system, perf c2c tool disables TUI
    mode and roll back to use stdio mode;  but the flag 'c2c.use_stdio' is
    missed to set true and thus it wrongly applies UI quirks in the function
    ui_quirks().
    
    This commit forces to use stdio interface if slang is not supported, and
    it can avoid to apply the UI quirks and show the correct metric header.
    
    Before:
    
    =================================================
          Shared Cache Line Distribution Pareto
    =================================================
      -------------------------------------------------------------------------------
          0        0        0       99        0        0        0      0xaaaac17d6000
      -------------------------------------------------------------------------------
        0.00%    0.00%    6.06%    0.00%    0.00%    0.00%   0x20   N/A       0      0xaaaac17c25ac         0         0        43       375    18469         2  [.] 0x00000000000025ac  memstress         memstress[25ac]   0
        0.00%    0.00%   93.94%    0.00%    0.00%    0.00%   0x29   N/A       0      0xaaaac17c3e88         0         0       173       180      135         2  [.] 0x0000000000003e88  memstress         memstress[3e88]   0
    
    After:
    
    =================================================
          Shared Cache Line Distribution Pareto
    =================================================
      -------------------------------------------------------------------------------
          0        0        0       99        0        0        0      0xaaaac17d6000
      -------------------------------------------------------------------------------
               0.00%    0.00%    6.06%    0.00%    0.00%    0.00%                0x20   N/A       0      0xaaaac17c25ac         0         0        43       375    18469         2  [.] 0x00000000000025ac  memstress         memstress[25ac]   0
               0.00%    0.00%   93.94%    0.00%    0.00%    0.00%                0x29   N/A       0      0xaaaac17c3e88         0         0       173       180      135         2  [.] 0x0000000000003e88  memstress         memstress[3e88]   0
    
    Fixes: 5a1a99cd2e4e1557 ("perf c2c report: Add main TUI browser")
    Reported-by: Joe Mario <jmario@redhat.com>
    Signed-off-by: Leo Yan <leo.yan@linaro.org>
    Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
    Cc: Jiri Olsa <jolsa@kernel.org>
    Cc: Mark Rutland <mark.rutland@arm.com>
    Cc: Namhyung Kim <namhyung@kernel.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Link: http://lore.kernel.org/lkml/20220526145400.611249-1-leo.yan@linaro.org
    Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit b3c3c6d2642ca18da9a86c5c4367fc2f8adf0303
Author: Joerg Roedel <jroedel@suse.de>
Date:   Fri May 20 12:22:14 2022 +0200

    iommu/amd: Increase timeout waiting for GA log enablement
    
    [ Upstream commit 42bb5aa043382f09bef2cc33b8431be867c70f8e ]
    
    On some systems it can take a long time for the hardware to enable the
    GA log of the AMD IOMMU. The current wait time is only 0.1ms, but
    testing showed that it can take up to 14ms for the GA log to enter
    running state after it has been enabled.
    
    Sometimes the long delay happens when booting the system, sometimes
    only on resume. Adjust the timeout accordingly to not print a warning
    when hardware takes a longer than usual.
    
    There has already been an attempt to fix this with commit
    
            9b45a7738eec ("iommu/amd: Fix loop timeout issue in iommu_ga_log_enable()")
    
    But that commit was based on some wrong math and did not fix the issue
    in all cases.
    
    Cc: "D. Ziegfeld" <dzigg@posteo.de>
    Cc: Jörg-Volker Peetz <jvpeetz@web.de>
    Fixes: 8bda0cfbdc1a ("iommu/amd: Detect and initialize guest vAPIC log")
    Signed-off-by: Joerg Roedel <jroedel@suse.de>
    Link: https://lore.kernel.org/r/20220520102214.12563-1-joro@8bytes.org
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 54f345622429a4c7a0bdb5c5b9d3b8c4b5edde44
Author: Amelie Delaunay <amelie.delaunay@foss.st.com>
Date:   Wed May 4 17:53:20 2022 +0200

    dmaengine: stm32-mdma: remove GISR1 register
    
    [ Upstream commit 9d6a2d92e450926c483e45eaf426080a19219f4e ]
    
    GISR1 was described in a not up-to-date documentation when the stm32-mdma
    driver has been developed. This register has not been added in reference
    manual of STM32 SoC with MDMA, which have only 32 MDMA channels.
    So remove it from stm32-mdma driver.
    
    Fixes: a4ffb13c8946 ("dmaengine: Add STM32 MDMA driver")
    Signed-off-by: Amelie Delaunay <amelie.delaunay@foss.st.com>
    Link: https://lore.kernel.org/r/20220504155322.121431-2-amelie.delaunay@foss.st.com
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 51eb1bb6baeb478538dd4ec6459fd68c44a855b1
Author: Miaoqian Lin <linmq006@gmail.com>
Date:   Thu May 12 15:59:08 2022 +0400

    video: fbdev: clcdfb: Fix refcount leak in clcdfb_of_vram_setup
    
    [ Upstream commit b23789a59fa6f00e98a319291819f91fbba0deb8 ]
    
    of_parse_phandle() returns a node pointer with refcount incremented, we should
    use of_node_put() on it when not need anymore.  Add missing of_node_put() to
    avoid refcount leak.
    
    Fixes: d10715be03bd ("video: ARM CLCD: Add DT support")
    Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
    Signed-off-by: Helge Deller <deller@gmx.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f7820f6dba4dfce63d3a66672f249ba7ca8f359d
Author: Trond Myklebust <trond.myklebust@hammerspace.com>
Date:   Sat May 14 10:08:11 2022 -0400

    NFSv4/pNFS: Do not fail I/O when we fail to allocate the pNFS layout
    
    [ Upstream commit 3764a17e31d579cf9b4bd0a69894b577e8d75702 ]
    
    Commit 587f03deb69b caused pnfs_update_layout() to stop returning ENOMEM
    when the memory allocation fails, and hence causes it to fall back to
    trying to do I/O through the MDS. There is no guarantee that this will
    fare any better. If we're failing the pNFS layout allocation, then we
    should just redirty the page and retry later.
    
    Reported-by: Olga Kornievskaia <aglo@umich.edu>
    Fixes: 587f03deb69b ("pnfs: refactor send_layoutget")
    Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
    Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 29a60ce7ce36a9b060b9dcb19fda15b8d4b34472
Author: Nathan Chancellor <nathan@kernel.org>
Date:   Thu May 5 08:27:38 2022 -0700

    i2c: at91: Initialize dma_buf in at91_twi_xfer()
    
    [ Upstream commit 6977262c2eee111645668fe9e235ef2f5694abf7 ]
    
    Clang warns:
    
      drivers/i2c/busses/i2c-at91-master.c:707:6: warning: variable 'dma_buf' is used uninitialized whenever 'if' condition is false [-Wsometimes-uninitialized]
              if (dev->use_dma) {
                  ^~~~~~~~~~~~
      drivers/i2c/busses/i2c-at91-master.c:717:27: note: uninitialized use occurs here
              i2c_put_dma_safe_msg_buf(dma_buf, m_start, !ret);
                                       ^~~~~~~
    
    Initialize dma_buf to NULL, as i2c_put_dma_safe_msg_buf() is a no-op
    when the first argument is NULL, which will work for the !dev->use_dma
    case.
    
    Fixes: 03fbb903c8bf ("i2c: at91: use dma safe buffers")
    Link: https://github.com/ClangBuiltLinux/linux/issues/1629
    Signed-off-by: Nathan Chancellor <nathan@kernel.org>
    Reviewed-by: Michael Walle <michael@walle.cc>
    Signed-off-by: Wolfram Sang <wsa@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a6d00d545b9ce3337201454591fd55ae2872a8df
Author: Michael Walle <michael@walle.cc>
Date:   Thu Apr 7 17:08:28 2022 +0200

    i2c: at91: use dma safe buffers
    
    [ Upstream commit 03fbb903c8bf7e53e101e8d9a7b261264317c411 ]
    
    The supplied buffer might be on the stack and we get the following error
    message:
    [    3.312058] at91_i2c e0070600.i2c: rejecting DMA map of vmalloc memory
    
    Use i2c_{get,put}_dma_safe_msg_buf() to get a DMA-able memory region if
    necessary.
    
    Fixes: 60937b2cdbf9 ("i2c: at91: add dma support")
    Signed-off-by: Michael Walle <michael@walle.cc>
    Reviewed-by: Codrin Ciubotariu <codrin.ciubotariu@microchip.com>
    Signed-off-by: Wolfram Sang <wsa@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 62a6c39926ffbc02c4d8e3b572ecbadd4338ad71
Author: Yong Wu <yong.wu@mediatek.com>
Date:   Tue May 3 15:13:56 2022 +0800

    iommu/mediatek: Add list_del in mtk_iommu_remove
    
    [ Upstream commit ee55f75e4bcade81d253163641b63bef3e76cac4 ]
    
    Lack the list_del in the mtk_iommu_remove, and remove
    bus_set_iommu(*, NULL) since there may be several iommu HWs.
    we can not bus_set_iommu null when one iommu driver unbind.
    
    This could be a fix for mt2712 which support 2 M4U HW and list them.
    
    Fixes: 7c3a2ec02806 ("iommu/mediatek: Merge 2 M4U HWs into one iommu domain")
    Signed-off-by: Yong Wu <yong.wu@mediatek.com>
    Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
    Reviewed-by: Matthias Brugger <matthias.bgg@gmail.com>
    Link: https://lore.kernel.org/r/20220503071427.2285-6-yong.wu@mediatek.com
    Signed-off-by: Joerg Roedel <jroedel@suse.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 385edd3ce5b4b1e9d31f474a5e35a39779ec1110
Author: Jakob Koschel <jakobkoschel@gmail.com>
Date:   Fri Apr 1 00:34:14 2022 +0200

    f2fs: fix dereference of stale list iterator after loop body
    
    [ Upstream commit 2aaf51dd39afb6d01d13f1e6fe20b684733b37d5 ]
    
    The list iterator variable will be a bogus pointer if no break was hit.
    Dereferencing it (cur->page in this case) could load an out-of-bounds/undefined
    value making it unsafe to use that in the comparision to determine if the
    specific element was found.
    
    Since 'cur->page' *can* be out-ouf-bounds it cannot be guaranteed that
    by chance (or intention of an attacker) it matches the value of 'page'
    even though the correct element was not found.
    
    This is fixed by using a separate list iterator variable for the loop
    and only setting the original variable if a suitable element was found.
    Then determing if the element was found is simply checking if the
    variable is set.
    
    Fixes: 8c242db9b8c0 ("f2fs: fix stale ATOMIC_WRITTEN_PAGE private pointer")
    Signed-off-by: Jakob Koschel <jakobkoschel@gmail.com>
    Reviewed-by: Chao Yu <chao@kernel.org>
    Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 66090815a24ce14cf51ef5453fc0218fe8a39bc2
Author: Douglas Miller <doug.miller@cornelisnetworks.com>
Date:   Fri May 20 14:37:01 2022 -0400

    RDMA/hfi1: Prevent use of lock before it is initialized
    
    [ Upstream commit 05c03dfd09c069c4ffd783b47b2da5dcc9421f2c ]
    
    If there is a failure during probe of hfi1 before the sdma_map_lock is
    initialized, the call to hfi1_free_devdata() will attempt to use a lock
    that has not been initialized. If the locking correctness validator is on
    then an INFO message and stack trace resembling the following may be seen:
    
      INFO: trying to register non-static key.
      The code is fine but needs lockdep annotation, or maybe
      you didn't initialize this object before use?
      turning off the locking correctness validator.
      Call Trace:
      register_lock_class+0x11b/0x880
      __lock_acquire+0xf3/0x7930
      lock_acquire+0xff/0x2d0
      _raw_spin_lock_irq+0x46/0x60
      sdma_clean+0x42a/0x660 [hfi1]
      hfi1_free_devdata+0x3a7/0x420 [hfi1]
      init_one+0x867/0x11a0 [hfi1]
      pci_device_probe+0x40e/0x8d0
    
    The use of sdma_map_lock in sdma_clean() is for freeing the sdma_map
    memory, and sdma_map is not allocated/initialized until after
    sdma_map_lock has been initialized. This code only needs to be run if
    sdma_map is not NULL, and so checking for that condition will avoid trying
    to use the lock before it is initialized.
    
    Fixes: 473291b3ea0e ("IB/hfi1: Fix for early release of sdma context")
    Fixes: 7724105686e7 ("IB/hfi1: add driver files")
    Link: https://lore.kernel.org/r/20220520183701.48973.72434.stgit@awfm-01.cornelisnetworks.com
    Reported-by: Zheyu Ma <zheyuma97@gmail.com>
    Signed-off-by: Douglas Miller <doug.miller@cornelisnetworks.com>
    Signed-off-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
    Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 16b5013fa14beb872b3ca91af3b99a5a985177c5
Author: Björn Ardö <bjorn.ardo@axis.com>
Date:   Thu Mar 31 09:01:15 2022 +0200

    mailbox: forward the hrtimer if not queued and under a lock
    
    [ Upstream commit bca1a1004615efe141fd78f360ecc48c60bc4ad5 ]
    
    This reverts commit c7dacf5b0f32957b24ef29df1207dc2cd8307743,
    "mailbox: avoid timer start from callback"
    
    The previous commit was reverted since it lead to a race that
    caused the hrtimer to not be started at all. The check for
    hrtimer_active() in msg_submit() will return true if the
    callback function txdone_hrtimer() is currently running. This
    function could return HRTIMER_NORESTART and then the timer
    will not be restarted, and also msg_submit() will not start
    the timer. This will lead to a message actually being submitted
    but no timer will start to check for its compleation.
    
    The original fix that added checking hrtimer_active() was added to
    avoid a warning with hrtimer_forward. Looking in the kernel
    another solution to avoid this warning is to check hrtimer_is_queued()
    before calling hrtimer_forward_now() instead. This however requires a
    lock so the timer is not started by msg_submit() inbetween this check
    and the hrtimer_forward() call.
    
    Fixes: c7dacf5b0f32 ("mailbox: avoid timer start from callback")
    Signed-off-by: Björn Ardö <bjorn.ardo@axis.com>
    Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 5b8aa2ba38c010f47c965dd9bb5a8561813ed649
Author: Miaoqian Lin <linmq006@gmail.com>
Date:   Thu May 12 16:37:18 2022 +0400

    powerpc/fsl_rio: Fix refcount leak in fsl_rio_setup
    
    [ Upstream commit fcee96924ba1596ca80a6770b2567ca546f9a482 ]
    
    of_parse_phandle() returns a node pointer with refcount
    incremented, we should use of_node_put() on it when not need anymore.
    Add missing of_node_put() to avoid refcount leak.
    
    Fixes: abc3aeae3aaa ("fsl-rio: Add two ports and rapidio message units support")
    Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://lore.kernel.org/r/20220512123724.62931-1-linmq006@gmail.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit fe82c82e96516f06ac45b220542fdfb00d30da1f
Author: Kajol Jain <kjain@linux.ibm.com>
Date:   Fri May 6 11:40:15 2022 +0530

    powerpc/perf: Fix the threshold compare group constraint for power9
    
    [ Upstream commit ab0cc6bbf0c812731c703ec757fcc3fc3a457a34 ]
    
    Thresh compare bits for a event is used to program thresh compare
    field in Monitor Mode Control Register A (MMCRA: 9-18 bits for power9).
    When scheduling events as a group, all events in that group should
    match value in threshold bits (like thresh compare, thresh control,
    thresh select). Otherwise event open for the sibling events should fail.
    But in the current code, incase thresh compare bits are not valid,
    we are not failing in group_constraint function which can result
    in invalid group schduling.
    
    Fix the issue by returning -1 incase event is threshold and threshold
    compare value is not valid.
    
    Thresh control bits in the event code is used to program thresh_ctl
    field in Monitor Mode Control Register A (MMCRA: 48-55). In below example,
    the scheduling of group events PM_MRK_INST_CMPL (873534401e0) and
    PM_THRESH_MET (8734340101ec) is expected to fail as both event
    request different thresh control bits and invalid thresh compare value.
    
    Result before the patch changes:
    
    [command]# perf stat -e "{r8735340401e0,r8734340101ec}" sleep 1
    
     Performance counter stats for 'sleep 1':
    
                11,048      r8735340401e0
                 1,967      r8734340101ec
    
           1.001354036 seconds time elapsed
    
           0.001421000 seconds user
           0.000000000 seconds sys
    
    Result after the patch changes:
    
    [command]# perf stat -e "{r8735340401e0,r8734340101ec}" sleep 1
    Error:
    The sys_perf_event_open() syscall returned with 22 (Invalid argument)
    for event (r8735340401e0).
    /bin/dmesg | grep -i perf may provide additional information.
    
    Fixes: 78a16d9fc1206 ("powerpc/perf: Avoid FAB_*_MATCH checks for power9")
    Signed-off-by: Kajol Jain <kjain@linux.ibm.com>
    Reviewed-by: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://lore.kernel.org/r/20220506061015.43916-2-kjain@linux.ibm.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 353bc58ac6c782d4dcde9136a91d1f90867938fe
Author: Miaoqian Lin <linmq006@gmail.com>
Date:   Mon May 16 14:55:55 2022 -0700

    Input: sparcspkr - fix refcount leak in bbc_beep_probe
    
    [ Upstream commit c8994b30d71d64d5dcc9bc0edbfdf367171aa96f ]
    
    of_find_node_by_path() calls of_find_node_opts_by_path(),
    which returns a node pointer with refcount
    incremented, we should use of_node_put() on it when done.
    Add missing of_node_put() to avoid refcount leak.
    
    Fixes: 9c1a5077fdca ("input: Rewrite sparcspkr device probing.")
    Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
    Link: https://lore.kernel.org/r/20220516081018.42728-1-linmq006@gmail.com
    Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 04ee31678c128a6cc7bb057ea189a8624ba5a314
Author: Qi Zheng <zhengqi.arch@bytedance.com>
Date:   Thu May 12 20:38:37 2022 -0700

    tty: fix deadlock caused by calling printk() under tty_port->lock
    
    [ Upstream commit 6b9dbedbe3499fef862c4dff5217cf91f34e43b3 ]
    
    pty_write() invokes kmalloc() which may invoke a normal printk() to print
    failure message.  This can cause a deadlock in the scenario reported by
    syz-bot below:
    
           CPU0              CPU1                    CPU2
           ----              ----                    ----
                             lock(console_owner);
                                                     lock(&port_lock_key);
      lock(&port->lock);
                             lock(&port_lock_key);
                                                     lock(&port->lock);
      lock(console_owner);
    
    As commit dbdda842fe96 ("printk: Add console owner and waiter logic to
    load balance console writes") said, such deadlock can be prevented by
    using printk_deferred() in kmalloc() (which is invoked in the section
    guarded by the port->lock).  But there are too many printk() on the
    kmalloc() path, and kmalloc() can be called from anywhere, so changing
    printk() to printk_deferred() is too complicated and inelegant.
    
    Therefore, this patch chooses to specify __GFP_NOWARN to kmalloc(), so
    that printk() will not be called, and this deadlock problem can be
    avoided.
    
    Syzbot reported the following lockdep error:
    
    ======================================================
    WARNING: possible circular locking dependency detected
    5.4.143-00237-g08ccc19a-dirty #10 Not tainted
    ------------------------------------------------------
    syz-executor.4/29420 is trying to acquire lock:
    ffffffff8aedb2a0 (console_owner){....}-{0:0}, at: console_trylock_spinning kernel/printk/printk.c:1752 [inline]
    ffffffff8aedb2a0 (console_owner){....}-{0:0}, at: vprintk_emit+0x2ca/0x470 kernel/printk/printk.c:2023
    
    but task is already holding lock:
    ffff8880119c9158 (&port->lock){-.-.}-{2:2}, at: pty_write+0xf4/0x1f0 drivers/tty/pty.c:120
    
    which lock already depends on the new lock.
    
    the existing dependency chain (in reverse order) is:
    
    -> #2 (&port->lock){-.-.}-{2:2}:
           __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
           _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159
           tty_port_tty_get drivers/tty/tty_port.c:288 [inline]                     <-- lock(&port->lock);
           tty_port_default_wakeup+0x1d/0xb0 drivers/tty/tty_port.c:47
           serial8250_tx_chars+0x530/0xa80 drivers/tty/serial/8250/8250_port.c:1767
           serial8250_handle_irq.part.0+0x31f/0x3d0 drivers/tty/serial/8250/8250_port.c:1854
           serial8250_handle_irq drivers/tty/serial/8250/8250_port.c:1827 [inline]  <-- lock(&port_lock_key);
           serial8250_default_handle_irq+0xb2/0x220 drivers/tty/serial/8250/8250_port.c:1870
           serial8250_interrupt+0xfd/0x200 drivers/tty/serial/8250/8250_core.c:126
           __handle_irq_event_percpu+0x109/0xa50 kernel/irq/handle.c:156
           [...]
    
    -> #1 (&port_lock_key){-.-.}-{2:2}:
           __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
           _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159
           serial8250_console_write+0x184/0xa40 drivers/tty/serial/8250/8250_port.c:3198
                                                                                    <-- lock(&port_lock_key);
           call_console_drivers kernel/printk/printk.c:1819 [inline]
           console_unlock+0x8cb/0xd00 kernel/printk/printk.c:2504
           vprintk_emit+0x1b5/0x470 kernel/printk/printk.c:2024                     <-- lock(console_owner);
           vprintk_func+0x8d/0x250 kernel/printk/printk_safe.c:394
           printk+0xba/0xed kernel/printk/printk.c:2084
           register_console+0x8b3/0xc10 kernel/printk/printk.c:2829
           univ8250_console_init+0x3a/0x46 drivers/tty/serial/8250/8250_core.c:681
           console_init+0x49d/0x6d3 kernel/printk/printk.c:2915
           start_kernel+0x5e9/0x879 init/main.c:713
           secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:241
    
    -> #0 (console_owner){....}-{0:0}:
           [...]
           lock_acquire+0x127/0x340 kernel/locking/lockdep.c:4734
           console_trylock_spinning kernel/printk/printk.c:1773 [inline]            <-- lock(console_owner);
           vprintk_emit+0x307/0x470 kernel/printk/printk.c:2023
           vprintk_func+0x8d/0x250 kernel/printk/printk_safe.c:394
           printk+0xba/0xed kernel/printk/printk.c:2084
           fail_dump lib/fault-inject.c:45 [inline]
           should_fail+0x67b/0x7c0 lib/fault-inject.c:144
           __should_failslab+0x152/0x1c0 mm/failslab.c:33
           should_failslab+0x5/0x10 mm/slab_common.c:1224
           slab_pre_alloc_hook mm/slab.h:468 [inline]
           slab_alloc_node mm/slub.c:2723 [inline]
           slab_alloc mm/slub.c:2807 [inline]
           __kmalloc+0x72/0x300 mm/slub.c:3871
           kmalloc include/linux/slab.h:582 [inline]
           tty_buffer_alloc+0x23f/0x2a0 drivers/tty/tty_buffer.c:175
           __tty_buffer_request_room+0x156/0x2a0 drivers/tty/tty_buffer.c:273
           tty_insert_flip_string_fixed_flag+0x93/0x250 drivers/tty/tty_buffer.c:318
           tty_insert_flip_string include/linux/tty_flip.h:37 [inline]
           pty_write+0x126/0x1f0 drivers/tty/pty.c:122                              <-- lock(&port->lock);
           n_tty_write+0xa7a/0xfc0 drivers/tty/n_tty.c:2356
           do_tty_write drivers/tty/tty_io.c:961 [inline]
           tty_write+0x512/0x930 drivers/tty/tty_io.c:1045
           __vfs_write+0x76/0x100 fs/read_write.c:494
           [...]
    
    other info that might help us debug this:
    
    Chain exists of:
      console_owner --> &port_lock_key --> &port->lock
    
    Link: https://lkml.kernel.org/r/20220511061951.1114-2-zhengqi.arch@bytedance.com
    Link: https://lkml.kernel.org/r/20220510113809.80626-2-zhengqi.arch@bytedance.com
    Fixes: b6da31b2c07c ("tty: Fix data race in tty_insert_flip_string_fixed_flag")
    Signed-off-by: Qi Zheng <zhengqi.arch@bytedance.com>
    Acked-by: Jiri Slaby <jirislaby@kernel.org>
    Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Cc: Akinobu Mita <akinobu.mita@gmail.com>
    Cc: Vlastimil Babka <vbabka@suse.cz>
    Cc: Steven Rostedt (Google) <rostedt@goodmis.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 22b5a48ac899a138552fa05b3fc69a3a0588fdbc
Author: Alexey Dobriyan <adobriyan@gmail.com>
Date:   Mon May 9 18:29:19 2022 -0700

    proc: fix dentry/inode overinstantiating under /proc/${pid}/net
    
    [ Upstream commit 7055197705709c59b8ab77e6a5c7d46d61edd96e ]
    
    When a process exits, /proc/${pid}, and /proc/${pid}/net dentries are
    flushed.  However some leaf dentries like /proc/${pid}/net/arp_cache
    aren't.  That's because respective PDEs have proc_misc_d_revalidate() hook
    which returns 1 and leaves dentries/inodes in the LRU.
    
    Force revalidation/lookup on everything under /proc/${pid}/net by
    inheriting proc_net_dentry_ops.
    
    [akpm@linux-foundation.org: coding-style cleanups]
    Link: https://lkml.kernel.org/r/YjdVHgildbWO7diJ@localhost.localdomain
    Fixes: c6c75deda813 ("proc: fix lookup in /proc/net subdirectories after setns(2)")
    Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
    Reported-by: hui li <juanfengpy@gmail.com>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 87f7ca0411521162f1297588bb15d5b8e50a53da
Author: Randy Dunlap <rdunlap@infradead.org>
Date:   Mon May 2 12:29:41 2022 -0700

    powerpc/4xx/cpm: Fix return value of __setup() handler
    
    [ Upstream commit 5bb99fd4090fe1acfdb90a97993fcda7f8f5a3d6 ]
    
    __setup() handlers should return 1 to obsolete_checksetup() in
    init/main.c to indicate that the boot option has been handled.
    
    A return of 0 causes the boot option/value to be listed as an Unknown
    kernel parameter and added to init's (limited) argument or environment
    strings.
    
    Also, error return codes don't mean anything to obsolete_checksetup() --
    only non-zero (usually 1) or zero. So return 1 from cpm_powersave_off().
    
    Fixes: d164f6d4f910 ("powerpc/4xx: Add suspend and idle support")
    Reported-by: Igor Zhbanov <izh1979@gmail.com>
    Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://lore.kernel.org/r/20220502192941.20955-1-rdunlap@infradead.org
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit d948a5b61c9830cd7aebd0adf588db8a3cc1eba4
Author: Randy Dunlap <rdunlap@infradead.org>
Date:   Mon May 2 12:29:25 2022 -0700

    powerpc/idle: Fix return value of __setup() handler
    
    [ Upstream commit b793a01000122d2bd133ba451a76cc135b5e162c ]
    
    __setup() handlers should return 1 to obsolete_checksetup() in
    init/main.c to indicate that the boot option has been handled.
    
    A return of 0 causes the boot option/value to be listed as an Unknown
    kernel parameter and added to init's (limited) argument or environment
    strings.
    
    Also, error return codes don't mean anything to obsolete_checksetup() --
    only non-zero (usually 1) or zero. So return 1 from powersave_off().
    
    Fixes: 302eca184fb8 ("[POWERPC] cell: use ppc_md->power_save instead of cbe_idle_loop")
    Reported-by: Igor Zhbanov <izh1979@gmail.com>
    Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://lore.kernel.org/r/20220502192925.19954-1-rdunlap@infradead.org
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 8e39fef4f2f323d71dc36938a344a3846fed46f5
Author: Randy Dunlap <rdunlap@infradead.org>
Date:   Thu Jan 21 17:08:19 2021 -0800

    powerpc/8xx: export 'cpm_setbrg' for modules
    
    [ Upstream commit 22f8e625ebabd7ed3185b82b44b4f12fc0402113 ]
    
    Fix missing export for a loadable module build:
    
    ERROR: modpost: "cpm_setbrg" [drivers/tty/serial/cpm_uart/cpm_uart.ko] undefined!
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc")
    Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
    Reported-by: kernel test robot <lkp@intel.com>
    [chleroy: Changed Fixes: tag]
    Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://lore.kernel.org/r/20210122010819.30986-1-rdunlap@infradead.org
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit fe550c6ef4060024918243a64f653c11331b16a9
Author: Muchun Song <songmuchun@bytedance.com>
Date:   Thu Apr 28 23:16:09 2022 -0700

    dax: fix cache flush on PMD-mapped pages
    
    [ Upstream commit e583b5c472bd23d450e06f148dc1f37be74f7666 ]
    
    The flush_cache_page() only remove a PAGE_SIZE sized range from the cache.
    However, it does not cover the full pages in a THP except a head page.
    Replace it with flush_cache_range() to fix this issue.  This is just a
    documentation issue with the respect to properly documenting the expected
    usage of cache flushing before modifying the pmd.  However, in practice
    this is not a problem due to the fact that DAX is not available on
    architectures with virtually indexed caches per:
    
      commit d92576f1167c ("dax: does not work correctly with virtual aliasing caches")
    
    Link: https://lkml.kernel.org/r/20220403053957.10770-3-songmuchun@bytedance.com
    Fixes: f729c8c9b24f ("dax: wrprotect pmd_t in dax_mapping_entry_mkclean")
    Signed-off-by: Muchun Song <songmuchun@bytedance.com>
    Reviewed-by: Dan Williams <dan.j.williams@intel.com>
    Reviewed-by: Christoph Hellwig <hch@lst.de>
    Cc: Alistair Popple <apopple@nvidia.com>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Hugh Dickins <hughd@google.com>
    Cc: Jan Kara <jack@suse.cz>
    Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
    Cc: Matthew Wilcox <willy@infradead.org>
    Cc: Ralph Campbell <rcampbell@nvidia.com>
    Cc: Ross Zwisler <zwisler@kernel.org>
    Cc: Xiongchun Duan <duanxiongchun@bytedance.com>
    Cc: Xiyu Yang <xiyuyang19@fudan.edu.cn>
    Cc: Yang Shi <shy828301@gmail.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f76ddc8fcf6d81fe89bfa4d3efcbc4fe69a91d48
Author: Miaohe Lin <linmiaohe@huawei.com>
Date:   Thu Apr 28 23:16:06 2022 -0700

    drivers/base/node.c: fix compaction sysfs file leak
    
    [ Upstream commit da63dc84befaa9e6079a0bc363ff0eaa975f9073 ]
    
    Compaction sysfs file is created via compaction_register_node in
    register_node.  But we forgot to remove it in unregister_node.  Thus
    compaction sysfs file is leaked.  Using compaction_unregister_node to fix
    this issue.
    
    Link: https://lkml.kernel.org/r/20220401070905.43679-1-linmiaohe@huawei.com
    Fixes: ed4a6d7f0676 ("mm: compaction: add /sys trigger for per-node memory compaction")
    Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
    Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Cc: Rafael J. Wysocki <rafael@kernel.org>
    Cc: Mel Gorman <mel@csn.ul.ie>
    Cc: Minchan Kim <minchan.kim@gmail.com>
    Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
    Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit c47a9aff9f13a3b4c120a69e99bdc63add76153f
Author: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Date:   Fri Apr 22 12:53:38 2022 +0200

    pinctrl: mvebu: Fix irq_of_parse_and_map() return value
    
    [ Upstream commit 71bc7cf3be65bab441e03667cf215c557712976c ]
    
    The irq_of_parse_and_map() returns 0 on failure, not a negative ERRNO.
    
    Fixes: 2f227605394b ("pinctrl: armada-37xx: Add irqchip support")
    Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    Link: https://lore.kernel.org/r/20220422105339.78810-1-krzysztof.kozlowski@linaro.org
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 444a2d27fe9867d0da4b28fc45b793f32e099ab8
Author: Cristian Marussi <cristian.marussi@arm.com>
Date:   Wed Mar 30 16:05:32 2022 +0100

    firmware: arm_scmi: Fix list protocols enumeration in the base protocol
    
    [ Upstream commit 8009120e0354a67068e920eb10dce532391361d0 ]
    
    While enumerating protocols implemented by the SCMI platform using
    BASE_DISCOVER_LIST_PROTOCOLS, the number of returned protocols is
    currently validated in an improper way since the check employs a sum
    between unsigned integers that could overflow and cause the check itself
    to be silently bypassed if the returned value 'loop_num_ret' is big
    enough.
    
    Fix the validation avoiding the addition.
    
    Link: https://lore.kernel.org/r/20220330150551.2573938-4-cristian.marussi@arm.com
    Fixes: b6f20ff8bd94 ("firmware: arm_scmi: add common infrastructure and support for base protocol")
    Signed-off-by: Cristian Marussi <cristian.marussi@arm.com>
    Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit dffc9162fe85ca3bb8f3152c216933c511050230
Author: Gustavo A. R. Silva <gustavoars@kernel.org>
Date:   Thu Mar 3 17:55:21 2022 -0600

    scsi: fcoe: Fix Wstringop-overflow warnings in fcoe_wwn_from_mac()
    
    [ Upstream commit 54db804d5d7d36709d1ce70bde3b9a6c61b290b6 ]
    
    Fix the following Wstringop-overflow warnings when building with GCC-11:
    
    drivers/scsi/fcoe/fcoe.c: In function ‘fcoe_netdev_config’:
    drivers/scsi/fcoe/fcoe.c:744:32: warning: ‘fcoe_wwn_from_mac’ accessing 32 bytes in a region of size 6 [-Wstringop-overflow=]
      744 |                         wwnn = fcoe_wwn_from_mac(ctlr->ctl_src_addr, 1, 0);
          |                                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    drivers/scsi/fcoe/fcoe.c:744:32: note: referencing argument 1 of type ‘unsigned char *’
    In file included from drivers/scsi/fcoe/fcoe.c:36:
    ./include/scsi/libfcoe.h:252:5: note: in a call to function ‘fcoe_wwn_from_mac’
      252 | u64 fcoe_wwn_from_mac(unsigned char mac[MAX_ADDR_LEN], unsigned int, unsigned int);
          |     ^~~~~~~~~~~~~~~~~
    drivers/scsi/fcoe/fcoe.c:747:32: warning: ‘fcoe_wwn_from_mac’ accessing 32 bytes in a region of size 6 [-Wstringop-overflow=]
      747 |                         wwpn = fcoe_wwn_from_mac(ctlr->ctl_src_addr,
          |                                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      748 |                                                  2, 0);
          |                                                  ~~~~~
    drivers/scsi/fcoe/fcoe.c:747:32: note: referencing argument 1 of type ‘unsigned char *’
    In file included from drivers/scsi/fcoe/fcoe.c:36:
    ./include/scsi/libfcoe.h:252:5: note: in a call to function ‘fcoe_wwn_from_mac’
      252 | u64 fcoe_wwn_from_mac(unsigned char mac[MAX_ADDR_LEN], unsigned int, unsigned int);
          |     ^~~~~~~~~~~~~~~~~
      CC      drivers/scsi/bnx2fc/bnx2fc_io.o
    In function ‘bnx2fc_net_config’,
        inlined from ‘bnx2fc_if_create’ at drivers/scsi/bnx2fc/bnx2fc_fcoe.c:1543:7:
    drivers/scsi/bnx2fc/bnx2fc_fcoe.c:833:32: warning: ‘fcoe_wwn_from_mac’ accessing 32 bytes in a region of size 6 [-Wstringop-overflow=]
      833 |                         wwnn = fcoe_wwn_from_mac(ctlr->ctl_src_addr,
          |                                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      834 |                                                  1, 0);
          |                                                  ~~~~~
    drivers/scsi/bnx2fc/bnx2fc_fcoe.c: In function ‘bnx2fc_if_create’:
    drivers/scsi/bnx2fc/bnx2fc_fcoe.c:833:32: note: referencing argument 1 of type ‘unsigned char *’
    In file included from drivers/scsi/bnx2fc/bnx2fc.h:53,
                     from drivers/scsi/bnx2fc/bnx2fc_fcoe.c:17:
    ./include/scsi/libfcoe.h:252:5: note: in a call to function ‘fcoe_wwn_from_mac’
      252 | u64 fcoe_wwn_from_mac(unsigned char mac[MAX_ADDR_LEN], unsigned int, unsigned int);
          |     ^~~~~~~~~~~~~~~~~
    In function ‘bnx2fc_net_config’,
        inlined from ‘bnx2fc_if_create’ at drivers/scsi/bnx2fc/bnx2fc_fcoe.c:1543:7:
    drivers/scsi/bnx2fc/bnx2fc_fcoe.c:839:32: warning: ‘fcoe_wwn_from_mac’ accessing 32 bytes in a region of size 6 [-Wstringop-overflow=]
      839 |                         wwpn = fcoe_wwn_from_mac(ctlr->ctl_src_addr,
          |                                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      840 |                                                  2, 0);
          |                                                  ~~~~~
    drivers/scsi/bnx2fc/bnx2fc_fcoe.c: In function ‘bnx2fc_if_create’:
    drivers/scsi/bnx2fc/bnx2fc_fcoe.c:839:32: note: referencing argument 1 of type ‘unsigned char *’
    In file included from drivers/scsi/bnx2fc/bnx2fc.h:53,
                     from drivers/scsi/bnx2fc/bnx2fc_fcoe.c:17:
    ./include/scsi/libfcoe.h:252:5: note: in a call to function ‘fcoe_wwn_from_mac’
      252 | u64 fcoe_wwn_from_mac(unsigned char mac[MAX_ADDR_LEN], unsigned int, unsigned int);
          |     ^~~~~~~~~~~~~~~~~
    drivers/scsi/qedf/qedf_main.c: In function ‘__qedf_probe’:
    drivers/scsi/qedf/qedf_main.c:3520:30: warning: ‘fcoe_wwn_from_mac’ accessing 32 bytes in a region of size 6 [-Wstringop-overflow=]
     3520 |                 qedf->wwnn = fcoe_wwn_from_mac(qedf->mac, 1, 0);
          |                              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    drivers/scsi/qedf/qedf_main.c:3520:30: note: referencing argument 1 of type ‘unsigned char *’
    In file included from drivers/scsi/qedf/qedf.h:9,
                     from drivers/scsi/qedf/qedf_main.c:23:
    ./include/scsi/libfcoe.h:252:5: note: in a call to function ‘fcoe_wwn_from_mac’
      252 | u64 fcoe_wwn_from_mac(unsigned char mac[MAX_ADDR_LEN], unsigned int, unsigned int);
          |     ^~~~~~~~~~~~~~~~~
    drivers/scsi/qedf/qedf_main.c:3521:30: warning: ‘fcoe_wwn_from_mac’ accessing 32 bytes in a region of size 6 [-Wstringop-overflow=]
     3521 |                 qedf->wwpn = fcoe_wwn_from_mac(qedf->mac, 2, 0);
          |                              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    drivers/scsi/qedf/qedf_main.c:3521:30: note: referencing argument 1 of type ‘unsigned char *’
    In file included from drivers/scsi/qedf/qedf.h:9,
                     from drivers/scsi/qedf/qedf_main.c:23:
    ./include/scsi/libfcoe.h:252:5: note: in a call to function ‘fcoe_wwn_from_mac’
      252 | u64 fcoe_wwn_from_mac(unsigned char mac[MAX_ADDR_LEN], unsigned int, unsigned int);
          |     ^~~~~~~~~~~~~~~~~
    
    by changing the array size to the correct value of ETH_ALEN in the
    argument declaration.
    
    Also, fix a couple of checkpatch warnings:
    WARNING: function definition argument 'unsigned int' should also have an identifier name
    
    This helps with the ongoing efforts to globally enable
    -Wstringop-overflow.
    
    Link: https://github.com/KSPP/linux/issues/181
    Fixes: 85b4aa4926a5 ("[SCSI] fcoe: Fibre Channel over Ethernet")
    Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit d933a96580cd4cb6ca24eb3c59e83bdc47d0cd57
Author: Lv Ruyi <lv.ruyi@zte.com.cn>
Date:   Tue Apr 12 08:53:05 2022 +0000

    mfd: ipaq-micro: Fix error check return value of platform_get_irq()
    
    [ Upstream commit 3b49ae380ce1a3054e0c505dd9a356b82a5b48e8 ]
    
    platform_get_irq() return negative value on failure, so null check of
    irq is incorrect. Fix it by comparing whether it is less than zero.
    
    Fixes: dcc21cc09e3c ("mfd: Add driver for Atmel Microcontroller on iPaq h3xxx")
    Reported-by: Zeal Robot <zealci@zte.com.cn>
    Signed-off-by: Lv Ruyi <lv.ruyi@zte.com.cn>
    Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Lee Jones <lee.jones@linaro.org>
    Link: https://lore.kernel.org/r/20220412085305.2533030-1-lv.ruyi@zte.com.cn
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 7e0f2940921f952755a53e8352f6ede299918f1e
Author: Corentin Labbe <clabbe@baylibre.com>
Date:   Wed Apr 13 19:11:54 2022 +0000

    crypto: marvell/cesa - ECB does not IV
    
    [ Upstream commit 4ffa1763622ae5752961499588f3f8874315f974 ]
    
    The DES3 ECB has an IV size set but ECB does not need one.
    
    Fixes: 4ada483978237 ("crypto: marvell/cesa - add Triple-DES support")
    Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 61e99a05c2695af1d5221de480ebda5d4e077a23
Author: Stefan Wahren <stefan.wahren@i2se.com>
Date:   Mon Apr 11 22:01:41 2022 +0200

    ARM: dts: bcm2835-rpi-b: Fix GPIO line names
    
    [ Upstream commit 97bd8659c1c46c23e4daea7e040befca30939950 ]
    
    Recently this has been fixed in the vendor tree, so upstream this.
    
    Fixes: 731b26a6ac17 ("ARM: bcm2835: Add names for the Raspberry Pi GPIO lines")
    Signed-off-by: Phil Elwell <phil@raspberrypi.com>
    Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
    Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 41e1c5505fc791fa6f4cee82e4e11d9fc789272d
Author: Phil Elwell <phil@raspberrypi.com>
Date:   Mon Apr 11 22:01:38 2022 +0200

    ARM: dts: bcm2835-rpi-zero-w: Fix GPIO line name for Wifi/BT
    
    [ Upstream commit 2c663e5e5bbf2a5b85e0f76ccb69663f583c3e33 ]
    
    The GPIOs 30 to 39 are connected to the Cypress CYW43438 (Wifi/BT).
    So fix the GPIO line names accordingly.
    
    Fixes: 2c7c040c73e9 ("ARM: dts: bcm2835: Add Raspberry Pi Zero W")
    Signed-off-by: Phil Elwell <phil@raspberrypi.com>
    Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
    Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit d6ab310ecdb25efff4c74f13fba615a54aa95708
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Mar 15 09:59:44 2022 +0300

    PCI: rockchip: Fix find_first_zero_bit() limit
    
    [ Upstream commit 096950e230b8d83645c7cf408b9f399f58c08b96 ]
    
    The ep->ob_region_map bitmap is a long and it has BITS_PER_LONG bits.
    
    Link: https://lore.kernel.org/r/20220315065944.GB13572@kili
    Fixes: cf590b078391 ("PCI: rockchip: Add EP driver for Rockchip PCIe controller")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 5085bb8ae9b64e03211c40a4cc1ecd77d5a3cc67
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Mar 15 09:58:29 2022 +0300

    PCI: cadence: Fix find_first_zero_bit() limit
    
    [ Upstream commit 0aa3a0937feeb91a0e4e438c3c063b749b194192 ]
    
    The ep->ob_region_map bitmap is a long and it has BITS_PER_LONG bits.
    
    Link: https://lore.kernel.org/r/20220315065829.GA13572@kili
    Fixes: 37dddf14f1ae ("PCI: cadence: Add EndPoint Controller driver for Cadence PCIe controller")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 6cc647a692db07d003b53fab267953b7cc7f827b
Author: Miaoqian Lin <linmq006@gmail.com>
Date:   Tue Mar 8 07:36:48 2022 +0000

    soc: qcom: smsm: Fix missing of_node_put() in smsm_parse_ipc
    
    [ Upstream commit aad66a3c78da668f4506356c2fdb70b7a19ecc76 ]
    
    The device_node pointer is returned by of_parse_phandle()  with refcount
    incremented. We should use of_node_put() on it when done.
    
    Fixes: c97c4090ff72 ("soc: qcom: smsm: Add driver for Qualcomm SMSM")
    Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
    Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
    Link: https://lore.kernel.org/r/20220308073648.24634-1-linmq006@gmail.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 427ba10a5185193e7fb6302f6e4aa785ec80daed
Author: Miaoqian Lin <linmq006@gmail.com>
Date:   Tue Mar 8 07:19:42 2022 +0000

    soc: qcom: smp2p: Fix missing of_node_put() in smp2p_parse_ipc
    
    [ Upstream commit 8fd3f18ea31a398ecce4a6d3804433658678b0a3 ]
    
    The device_node pointer is returned by of_parse_phandle()  with refcount
    incremented. We should use of_node_put() on it when done.
    
    Fixes: 50e99641413e ("soc: qcom: smp2p: Qualcomm Shared Memory Point to Point")
    Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
    Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
    Link: https://lore.kernel.org/r/20220308071942.22942-1-linmq006@gmail.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit b95cdbf353f57e238c49f9952fb05a01b3e78078
Author: David Howells <dhowells@redhat.com>
Date:   Sat May 21 09:03:11 2022 +0100

    rxrpc: Don't try to resend the request if we're receiving the reply
    
    [ Upstream commit 114af61f88fbe34d641b13922d098ffec4c1be1b ]
    
    rxrpc has a timer to trigger resending of unacked data packets in a call.
    This is not cancelled when a client call switches to the receive phase on
    the basis that most calls don't last long enough for it to ever expire.
    However, if it *does* expire after we've started to receive the reply, we
    shouldn't then go into trying to retransmit or pinging the server to find
    out if an ack got lost.
    
    Fix this by skipping the resend code if we're into receiving the reply to a
    client call.
    
    Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
    Signed-off-by: David Howells <dhowells@redhat.com>
    cc: linux-afs@lists.infradead.org
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 4a3a78b7918bdd723d8c7c9786522ca969bffcc4
Author: David Howells <dhowells@redhat.com>
Date:   Sat May 21 09:03:04 2022 +0100

    rxrpc: Fix listen() setting the bar too high for the prealloc rings
    
    [ Upstream commit 88e22159750b0d55793302eeed8ee603f5c1a95c ]
    
    AF_RXRPC's listen() handler lets you set the backlog up to 32 (if you bump
    up the sysctl), but whilst the preallocation circular buffers have 32 slots
    in them, one of them has to be a dead slot because we're using CIRC_CNT().
    
    This means that listen(rxrpc_sock, 32) will cause an oops when the socket
    is closed because rxrpc_service_prealloc_one() allocated one too many calls
    and rxrpc_discard_prealloc() won't then be able to get rid of them because
    it'll think the ring is empty.  rxrpc_release_calls_on_socket() then tries
    to abort them, but oopses because call->peer isn't yet set.
    
    Fix this by setting the maximum backlog to RXRPC_BACKLOG_MAX - 1 to match
    the ring capacity.
    
     BUG: kernel NULL pointer dereference, address: 0000000000000086
     ...
     RIP: 0010:rxrpc_send_abort_packet+0x73/0x240 [rxrpc]
     Call Trace:
      <TASK>
      ? __wake_up_common_lock+0x7a/0x90
      ? rxrpc_notify_socket+0x8e/0x140 [rxrpc]
      ? rxrpc_abort_call+0x4c/0x60 [rxrpc]
      rxrpc_release_calls_on_socket+0x107/0x1a0 [rxrpc]
      rxrpc_release+0xc9/0x1c0 [rxrpc]
      __sock_release+0x37/0xa0
      sock_close+0x11/0x20
      __fput+0x89/0x240
      task_work_run+0x59/0x90
      do_exit+0x319/0xaa0
    
    Fixes: 00e907127e6f ("rxrpc: Preallocate peers, conns and calls for incoming service requests")
    Reported-by: Marc Dionne <marc.dionne@auristor.com>
    Signed-off-by: David Howells <dhowells@redhat.com>
    cc: linux-afs@lists.infradead.org
    Link: https://lists.infradead.org/pipermail/linux-afs/2022-March/005079.html
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3bbbf0756bc5e038f0b25946fdf8c7ed17ea5fb6
Author: Duoming Zhou <duoming@zju.edu.cn>
Date:   Wed May 18 19:57:33 2022 +0800

    NFC: hci: fix sleep in atomic context bugs in nfc_hci_hcp_message_tx
    
    [ Upstream commit b413b0cb008646e9f24ce5253cb3cf7ee217aff6 ]
    
    There are sleep in atomic context bugs when the request to secure
    element of st21nfca is timeout. The root cause is that kzalloc and
    alloc_skb with GFP_KERNEL parameter and mutex_lock are called in
    st21nfca_se_wt_timeout which is a timer handler. The call tree shows
    the execution paths that could lead to bugs:
    
       (Interrupt context)
    st21nfca_se_wt_timeout
      nfc_hci_send_event
        nfc_hci_hcp_message_tx
          kzalloc(..., GFP_KERNEL) //may sleep
          alloc_skb(..., GFP_KERNEL) //may sleep
          mutex_lock() //may sleep
    
    This patch moves the operations that may sleep into a work item.
    The work item will run in another kernel thread which is in
    process context to execute the bottom half of the interrupt.
    So it could prevent atomic context from sleeping.
    
    Fixes: 2130fb97fecf ("NFC: st21nfca: Adding support for secure element")
    Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
    Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    Link: https://lore.kernel.org/r/20220518115733.62111-1-duoming@zju.edu.cn
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit ba7043b668c45314926de3dd1effb070cebd2565
Author: Yang Yingliang <yangyingliang@huawei.com>
Date:   Sat May 14 17:10:53 2022 +0800

    ASoC: wm2000: fix missing clk_disable_unprepare() on error in wm2000_anc_transition()
    
    [ Upstream commit be2af740e2a9c7134f2d8ab4f104006e110b13de ]
    
    Fix the missing clk_disable_unprepare() before return
    from wm2000_anc_transition() in the error handling case.
    
    Fixes: 514cfd6dd725 ("ASoC: wm2000: Integrate with clock API")
    Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
    Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
    Link: https://lore.kernel.org/r/20220514091053.686416-1-yangyingliang@huawei.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f8cd192752a1f613b14eee77783c6f0aebb49691
Author: Hangyu Hua <hbh25y@gmail.com>
Date:   Mon May 9 14:11:25 2022 +0800

    drm: msm: fix possible memory leak in mdp5_crtc_cursor_set()
    
    [ Upstream commit 947a844bb3ebff0f4736d244d792ce129f6700d7 ]
    
    drm_gem_object_lookup will call drm_gem_object_get inside. So cursor_bo
    needs to be put when msm_gem_get_and_pin_iova fails.
    
    Fixes: e172d10a9c4a ("drm/msm/mdp5: Add hardware cursor support")
    Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
    Link: https://lore.kernel.org/r/20220509061125.18585-1-hbh25y@gmail.com
    Signed-off-by: Rob Clark <robdclark@chromium.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 6504fdbfe4f10348141d26e0619ae92f7bbb7211
Author: Eric Biggers <ebiggers@google.com>
Date:   Tue May 10 11:32:32 2022 -0700

    ext4: reject the 'commit' option on ext2 filesystems
    
    [ Upstream commit cb8435dc8ba33bcafa41cf2aa253794320a3b8df ]
    
    The 'commit' option is only applicable for ext3 and ext4 filesystems,
    and has never been accepted by the ext2 filesystem driver, so the ext4
    driver shouldn't allow it on ext2 filesystems.
    
    This fixes a failure in xfstest ext4/053.
    
    Fixes: 8dc0aa8cf0f7 ("ext4: check incompatible mount options while mounting ext2/3")
    Signed-off-by: Eric Biggers <ebiggers@google.com>
    Reviewed-by: Ritesh Harjani <ritesh.list@gmail.com>
    Reviewed-by: Lukas Czerner <lczerner@redhat.com>
    Link: https://lore.kernel.org/r/20220510183232.172615-1-ebiggers@kernel.org
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 5dbd7937423e90bbacdbe101f31bb30e0c7c36e1
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri May 13 11:55:42 2022 -0700

    sctp: read sk->sk_bound_dev_if once in sctp_rcv()
    
    [ Upstream commit a20ea298071f46effa3aaf965bf9bb34c901db3f ]
    
    sctp_rcv() reads sk->sk_bound_dev_if twice while the socket
    is not locked. Another cpu could change this field under us.
    
    Fixes: 0fd9a65a76e8 ("[SCTP] Support SO_BINDTODEVICE socket option on incoming packets.")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Neil Horman <nhorman@tuxdriver.com>
    Cc: Vlad Yasevich <vyasevich@gmail.com>
    Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
    Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 21abe8b68274553344d9c4bbf4e52044ab80511e
Author: Geert Uytterhoeven <geert@linux-m68k.org>
Date:   Fri May 13 14:50:28 2022 +0200

    m68k: math-emu: Fix dependencies of math emulation support
    
    [ Upstream commit ed6bc6bf0a7d75e80eb1df883c09975ebb74e590 ]
    
    If CONFIG_M54xx=y, CONFIG_MMU=y, and CONFIG_M68KFPU_EMU=y:
    
        {standard input}:272: Error: invalid instruction for this architecture; needs 68000 or higher (68000 [68ec000, 68hc000, 68hc001, 68008, 68302, 68306, 68307, 68322, 68356], 68010, 68020 [68k, 68ec020], 68030 [68ec030], 68040 [68ec040], 68060 [68ec060], cpu32 [68330, 68331, 68332, 68333, 68334, 68336, 68340, 68341, 68349, 68360], fidoa [fido]) -- statement `sub.b %d1,%d3' ignored
        {standard input}:609: Error: invalid instruction for this architecture; needs 68020 or higher (68020 [68k, 68ec020], 68030 [68ec030], 68040 [68ec040], 68060 [68ec060]) -- statement `bfextu 4(%a1){%d0,#8},%d0' ignored
        {standard input}:752: Error: operands mismatch -- statement `mulu.l 4(%a0),%d3:%d0' ignored
        {standard input}:1155: Error: operands mismatch -- statement `divu.l %d0,%d3:%d7' ignored
    
    The math emulation support code is intended for 68020 and higher, and
    uses several instructions or instruction modes not available on coldfire
    or 68000.
    
    Originally, the dependency of M68KFPU_EMU on MMU was fine, as MMU
    support was only available on 68020 or higher.  But this assumption
    was broken by the introduction of MMU support for M547x and M548x.
    
    Drop the dependency on MMU, as the code should work fine on 68020 and up
    without MMU (which are not yet supported by Linux, though).
    Add dependencies on M68KCLASSIC (to rule out Coldfire) and FPU (kernel
    has some type of floating-point support --- be it hardware or software
    emulated, to rule out anything below 68020).
    
    Fixes: 1f7034b9616e6f14 ("m68k: allow ColdFire 547x and 548x CPUs to be built with MMU enabled")
    Reported-by: kernel test robot <lkp@intel.com>
    Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
    Reviewed-by: Greg Ungerer <gerg@linux-m68k.org>
    Link: https://lore.kernel.org/r/18c34695b7c95107f60ccca82a4ff252f3edf477.1652446117.git.geert@linux-m68k.org
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 390d82733a953c1fabf3de9c9618091a7a9c90a6
Author: Ying Hsu <yinghsu@chromium.org>
Date:   Sat Mar 26 07:09:28 2022 +0000

    Bluetooth: fix dangling sco_conn and use-after-free in sco_sock_timeout
    
    [ Upstream commit 7aa1e7d15f8a5b65f67bacb100d8fc033b21efa2 ]
    
    Connecting the same socket twice consecutively in sco_sock_connect()
    could lead to a race condition where two sco_conn objects are created
    but only one is associated with the socket. If the socket is closed
    before the SCO connection is established, the timer associated with the
    dangling sco_conn object won't be canceled. As the sock object is being
    freed, the use-after-free problem happens when the timer callback
    function sco_sock_timeout() accesses the socket. Here's the call trace:
    
    dump_stack+0x107/0x163
    ? refcount_inc+0x1c/
    print_address_description.constprop.0+0x1c/0x47e
    ? refcount_inc+0x1c/0x7b
    kasan_report+0x13a/0x173
    ? refcount_inc+0x1c/0x7b
    check_memory_region+0x132/0x139
    refcount_inc+0x1c/0x7b
    sco_sock_timeout+0xb2/0x1ba
    process_one_work+0x739/0xbd1
    ? cancel_delayed_work+0x13f/0x13f
    ? __raw_spin_lock_init+0xf0/0xf0
    ? to_kthread+0x59/0x85
    worker_thread+0x593/0x70e
    kthread+0x346/0x35a
    ? drain_workqueue+0x31a/0x31a
    ? kthread_bind+0x4b/0x4b
    ret_from_fork+0x1f/0x30
    
    Link: https://syzkaller.appspot.com/bug?extid=2bef95d3ab4daa10155b
    Reported-by: syzbot+2bef95d3ab4daa10155b@syzkaller.appspotmail.com
    Fixes: e1dee2c1de2b ("Bluetooth: fix repeated calls to sco_sock_kill")
    Signed-off-by: Ying Hsu <yinghsu@chromium.org>
    Reviewed-by: Joseph Hwang <josephsih@chromium.org>
    Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit af449da424383b3e099adc3a16ba7f86c6d86495
Author: Michael Rodin <mrodin@de.adit-jv.com>
Date:   Tue Nov 23 12:50:36 2021 +0100

    media: vsp1: Fix offset calculation for plane cropping
    
    [ Upstream commit 5f25abec8f21b7527c1223a354d23c270befddb3 ]
    
    The vertical subsampling factor is currently not considered in the
    offset calculation for plane cropping done in rpf_configure_partition.
    This causes a distortion (shift of the color plane) when formats with
    the vsub factor larger than 1 are used (e.g. NV12, see
    vsp1_video_formats in vsp1_pipe.c). This commit considers vsub factor
    for all planes except plane 0 (luminance).
    
    Drop generalization of the offset calculation to reduce the binary size.
    
    Fixes: e5ad37b64de9 ("[media] v4l: vsp1: Add cropping support")
    Signed-off-by: Michael Rodin <mrodin@de.adit-jv.com>
    Signed-off-by: LUU HOAI <hoai.luu.ub@renesas.com>
    Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
    Reviewed-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a3660e06675bccec4bf149c7229ea1d491ba10d7
Author: Pavel Skripkin <paskripkin@gmail.com>
Date:   Fri Apr 15 23:24:48 2022 +0200

    media: pvrusb2: fix array-index-out-of-bounds in pvr2_i2c_core_init
    
    [ Upstream commit 471bec68457aaf981add77b4f590d65dd7da1059 ]
    
    Syzbot reported that -1 is used as array index. The problem was in
    missing validation check.
    
    hdw->unit_number is initialized with -1 and then if init table walk fails
    this value remains unchanged. Since code blindly uses this member for
    array indexing adding sanity check is the easiest fix for that.
    
    hdw->workpoll initialization moved upper to prevent warning in
    __flush_work.
    
    Reported-and-tested-by: syzbot+1a247e36149ffd709a9b@syzkaller.appspotmail.com
    
    Fixes: d855497edbfb ("V4L/DVB (4228a): pvrusb2 to kernel 2.6.18")
    Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 099793c63030c5a4cf205b666a54dd9551753457
Author: Miaoqian Lin <linmq006@gmail.com>
Date:   Fri Mar 18 12:01:01 2022 +0100

    media: exynos4-is: Change clk_disable to clk_disable_unprepare
    
    [ Upstream commit 9fadab72a6916c7507d7fedcd644859eef995078 ]
    
    The corresponding API for clk_prepare_enable is clk_disable_unprepare,
    other than clk_disable.
    
    Fix this by changing clk_disable to clk_disable_unprepare.
    
    Fixes: b4155d7d5b2c ("[media] exynos4-is: Ensure fimc-is clocks are not enabled until properly configured")
    Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit d7998117aefd84cdab637067efeb10c9b66e12d7
Author: Miaoqian Lin <linmq006@gmail.com>
Date:   Mon Mar 7 09:08:59 2022 +0100

    media: st-delta: Fix PM disable depth imbalance in delta_probe
    
    [ Upstream commit 94e3dba710fe0afc772172305444250023fc2d30 ]
    
    The pm_runtime_enable will decrease power disable depth.
    If the probe fails, we should use pm_runtime_disable() to balance
    pm_runtime_enable().
    
    Fixes: f386509e4959 ("[media] st-delta: STiH4xx multi-format video decoder v4l2 driver")
    Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
    Acked-by: Hugues Fruchet <hugues.fruchet@foss.st.com>
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f58c672ac379b90814dc3f9bf143a3fc275b9638
Author: Josh Poimboeuf <jpoimboe@kernel.org>
Date:   Thu May 12 12:05:27 2022 -0700

    scripts/faddr2line: Fix overlapping text section failures
    
    [ Upstream commit 1d1a0e7c5100d332583e20b40aa8c0a8ed3d7849 ]
    
    There have been some recent reports of faddr2line failures:
    
      $ scripts/faddr2line sound/soundcore.ko sound_devnode+0x5/0x35
      bad symbol size: base: 0x0000000000000000 end: 0x0000000000000000
    
      $ ./scripts/faddr2line vmlinux.o enter_from_user_mode+0x24
      bad symbol size: base: 0x0000000000005fe0 end: 0x0000000000005fe0
    
    The problem is that faddr2line is based on 'nm', which has a major
    limitation: it doesn't know how to distinguish between different text
    sections.  So if an offset exists in multiple text sections in the
    object, it may fail.
    
    Rewrite faddr2line to be section-aware, by basing it on readelf.
    
    Fixes: 67326666e2d4 ("scripts: add script for translating stack dump function offsets")
    Reported-by: Kaiwan N Billimoria <kaiwan.billimoria@gmail.com>
    Reported-by: Peter Zijlstra <peterz@infradead.org>
    Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
    Link: https://lore.kernel.org/r/29ff99f86e3da965b6e46c1cc2d72ce6528c17c3.1652382321.git.jpoimboe@kernel.org
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 984cfef0675ed7398814e14af2c5323911723e1c
Author: Miaoqian Lin <linmq006@gmail.com>
Date:   Wed May 11 15:35:05 2022 +0400

    regulator: pfuze100: Fix refcount leak in pfuze_parse_regulators_dt
    
    [ Upstream commit afaa7b933ef00a2d3262f4d1252087613fb5c06d ]
    
    of_node_get() returns a node with refcount incremented.
    Calling of_node_put() to drop the reference when not needed anymore.
    
    Fixes: 3784b6d64dc5 ("regulator: pfuze100: add pfuze100 regulator driver")
    Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
    Link: https://lore.kernel.org/r/20220511113506.45185-1-linmq006@gmail.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 30d110ca703ce60162ec337aa564a3e4da30715f
Author: Miaoqian Lin <linmq006@gmail.com>
Date:   Wed May 11 17:37:22 2022 +0400

    ASoC: mxs-saif: Fix refcount leak in mxs_saif_probe
    
    [ Upstream commit 2be84f73785fa9ed6443e3c5b158730266f1c2ee ]
    
    of_parse_phandle() returns a node pointer with refcount
    incremented, we should use of_node_put() on it when done.
    
    Fixes: 08641c7c74dd ("ASoC: mxs: add device tree support for mxs-saif")
    Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
    Link: https://lore.kernel.org/r/20220511133725.39039-1-linmq006@gmail.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit d9e36c56c0ed8da74775c3a12a350d50c507ca3e
Author: Ravi Bangoria <ravi.bangoria@amd.com>
Date:   Fri Apr 29 10:44:41 2022 +0530

    perf/amd/ibs: Use interrupt regs ip for stack unwinding
    
    [ Upstream commit 3d47083b9ff46863e8374ad3bb5edb5e464c75f8 ]
    
    IbsOpRip is recorded when IBS interrupt is triggered. But there is
    a skid from the time IBS interrupt gets triggered to the time the
    interrupt is presented to the core. Meanwhile processor would have
    moved ahead and thus IbsOpRip will be inconsistent with rsp and rbp
    recorded as part of the interrupt regs. This causes issues while
    unwinding stack using the ORC unwinder as it needs consistent rip,
    rsp and rbp. Fix this by using rip from interrupt regs instead of
    IbsOpRip for stack unwinding.
    
    Fixes: ee9f8fce99640 ("x86/unwind: Add the ORC unwinder")
    Reported-by: Dmitry Monakhov <dmtrmonakhov@yandex-team.ru>
    Suggested-by: Peter Zijlstra <peterz@infradead.org>
    Signed-off-by: Ravi Bangoria <ravi.bangoria@amd.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Link: https://lkml.kernel.org/r/20220429051441.14251-1-ravi.bangoria@amd.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit fc114ab6abae032b80ca1eedcef2a753955f317f
Author: Xiaomeng Tong <xiam0nd.tong@gmail.com>
Date:   Sat Mar 19 11:22:22 2022 +0100

    media: uvcvideo: Fix missing check to determine if element is found in list
    
    [ Upstream commit 261f33388c29f6f3c12a724e6d89172b7f6d5996 ]
    
    The list iterator will point to a bogus position containing HEAD if
    the list is empty or the element is not found in list. This case
    should be checked before any use of the iterator, otherwise it will
    lead to a invalid memory access. The missing check here is before
    "pin = iterm->id;", just add check here to fix the security bug.
    
    In addition, the list iterator value will *always* be set and non-NULL
    by list_for_each_entry(), so it is incorrect to assume that the iterator
    value will be NULL if the element is not found in list, considering
    the (mis)use here: "if (iterm == NULL".
    
    Use a new value 'it' as the list iterator, while use the old value
    'iterm' as a dedicated pointer to point to the found element, which
    1. can fix this bug, due to 'iterm' is NULL only if it's not found.
    2. do not need to change all the uses of 'iterm' after the loop.
    3. can also limit the scope of the list iterator 'it' *only inside*
       the traversal loop by simply declaring 'it' inside the loop in the
       future, as usage of the iterator outside of the list_for_each_entry
       is considered harmful. https://lkml.org/lkml/2022/2/17/1032
    
    Fixes: d5e90b7a6cd1c ("[media] uvcvideo: Move to video_ioctl2")
    Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
    Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 4d1d3331a5c00816fe51d4a00989299986218141
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu May 5 13:28:05 2022 +0300

    drm/msm: return an error pointer in msm_gem_prime_get_sg_table()
    
    [ Upstream commit cf575e31611eb6dccf08fad02e57e35b2187704d ]
    
    The msm_gem_prime_get_sg_table() needs to return error pointers on
    error.  This is called from drm_gem_map_dma_buf() and returning a
    NULL will lead to a crash in that function.
    
    Fixes: ac45146733b0 ("drm/msm: fix msm_gem_prime_get_sg_table()")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Patchwork: https://patchwork.freedesktop.org/patch/485023/
    Link: https://lore.kernel.org/r/YnOmtS5tfENywR9m@kili
    Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 1a5d1474026ea4f1a6f931075ca2adb884af39cf
Author: Jessica Zhang <quic_jesszhan@quicinc.com>
Date:   Thu May 5 14:40:51 2022 -0700

    drm/msm/mdp5: Return error code in mdp5_mixer_release when deadlock is detected
    
    [ Upstream commit ca75f6f7c6f89365e40f10f641b15981b1f07c31 ]
    
    There is a possibility for mdp5_get_global_state to return
    -EDEADLK when acquiring the modeset lock, but currently global_state in
    mdp5_mixer_release doesn't check for if an error is returned.
    
    To avoid a NULL dereference error, let's have mdp5_mixer_release
    check if an error is returned and propagate that error.
    
    Reported-by: Tomeu Vizoso <tomeu.vizoso@collabora.com>
    Signed-off-by: Jessica Zhang <quic_jesszhan@quicinc.com>
    Fixes: 7907a0d77cb4 ("drm/msm/mdp5: Use the new private_obj state")
    Reviewed-by: Rob Clark <robdclark@gmail.com>
    Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Patchwork: https://patchwork.freedesktop.org/patch/485181/
    Link: https://lore.kernel.org/r/20220505214051.155-2-quic_jesszhan@quicinc.com
    Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 776f5c58bfe16cf322d71eeed3c5dda1eeac7e6b
Author: Jessica Zhang <quic_jesszhan@quicinc.com>
Date:   Thu May 5 14:40:50 2022 -0700

    drm/msm/mdp5: Return error code in mdp5_pipe_release when deadlock is detected
    
    [ Upstream commit d59be579fa932c46b908f37509f319cbd4ca9a68 ]
    
    mdp5_get_global_state runs the risk of hitting a -EDEADLK when acquiring
    the modeset lock, but currently mdp5_pipe_release doesn't check for if
    an error is returned. Because of this, there is a possibility of
    mdp5_pipe_release hitting a NULL dereference error.
    
    To avoid this, let's have mdp5_pipe_release check if
    mdp5_get_global_state returns an error and propogate that error.
    
    Changes since v1:
    - Separated declaration and initialization of *new_state to avoid
      compiler warning
    - Fixed some spelling mistakes in commit message
    
    Changes since v2:
    - Return 0 in case where hwpipe is NULL as this is considered normal
      behavior
    - Added 2nd patch in series to fix a similar NULL dereference issue in
      mdp5_mixer_release
    
    Reported-by: Tomeu Vizoso <tomeu.vizoso@collabora.com>
    Signed-off-by: Jessica Zhang <quic_jesszhan@quicinc.com>
    Fixes: 7907a0d77cb4 ("drm/msm/mdp5: Use the new private_obj state")
    Reviewed-by: Rob Clark <robdclark@gmail.com>
    Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Patchwork: https://patchwork.freedesktop.org/patch/485179/
    Link: https://lore.kernel.org/r/20220505214051.155-1-quic_jesszhan@quicinc.com
    Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit e5858de4556fa22a15b577b63b9358f3333af500
Author: Randy Dunlap <rdunlap@infradead.org>
Date:   Mon Mar 14 17:10:45 2022 -0700

    x86/mm: Cleanup the control_va_addr_alignment() __setup handler
    
    [ Upstream commit 1ef64b1e89e6d4018da46e08ffc32779a31160c7 ]
    
    Clean up control_va_addr_alignment():
    
    a. Make '=' required instead of optional (as documented).
    b. Print a warning if an invalid option value is used.
    c. Return 1 from the __setup handler when an invalid option value is
       used. This prevents the kernel from polluting init's (limited)
       environment space with the entire string.
    
    Fixes: dfb09f9b7ab0 ("x86, amd: Avoid cache aliasing penalties on AMD family 15h")
    Reported-by: Igor Zhbanov <i.zhbanov@omprussia.ru>
    Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
    Signed-off-by: Borislav Petkov <bp@suse.de>
    Link: https://lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru
    Link: https://lore.kernel.org/r/20220315001045.7680-1-rdunlap@infradead.org
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit aba83145931b3a2c5e4aa1ef0c6725efbb601485
Author: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Date:   Sat Apr 23 11:42:26 2022 +0200

    irqchip/aspeed-i2c-ic: Fix irq_of_parse_and_map() return value
    
    [ Upstream commit 50f0f26e7c8665763d0d7d3372dbcf191f94d077 ]
    
    The irq_of_parse_and_map() returns 0 on failure, not a negative ERRNO.
    
    Fixes: f48e699ddf70 ("irqchip/aspeed-i2c-ic: Add I2C IRQ controller for Aspeed")
    Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    Signed-off-by: Marc Zyngier <maz@kernel.org>
    Link: https://lore.kernel.org/r/20220423094227.33148-1-krzysztof.kozlowski@linaro.org
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 61967ac7ba2814fefd033eb3979058057a18edc1
Author: Randy Dunlap <rdunlap@infradead.org>
Date:   Sun Mar 13 18:27:25 2022 -0700

    x86: Fix return value of __setup handlers
    
    [ Upstream commit 12441ccdf5e2f5a01a46e344976cbbd3d46845c9 ]
    
    __setup() handlers should return 1 to obsolete_checksetup() in
    init/main.c to indicate that the boot option has been handled. A return
    of 0 causes the boot option/value to be listed as an Unknown kernel
    parameter and added to init's (limited) argument (no '=') or environment
    (with '=') strings. So return 1 from these x86 __setup handlers.
    
    Examples:
    
      Unknown kernel command line parameters "apicpmtimer
        BOOT_IMAGE=/boot/bzImage-517rc8 vdso=1 ring3mwait=disable", will be
        passed to user space.
    
      Run /sbin/init as init process
       with arguments:
         /sbin/init
         apicpmtimer
       with environment:
         HOME=/
         TERM=linux
         BOOT_IMAGE=/boot/bzImage-517rc8
         vdso=1
         ring3mwait=disable
    
    Fixes: 2aae950b21e4 ("x86_64: Add vDSO for x86-64 with gettimeofday/clock_gettime/getcpu")
    Fixes: 77b52b4c5c66 ("x86: add "debugpat" boot option")
    Fixes: e16fd002afe2 ("x86/cpufeature: Enable RING3MWAIT for Knights Landing")
    Fixes: b8ce33590687 ("x86_64: convert to clock events")
    Reported-by: Igor Zhbanov <i.zhbanov@omprussia.ru>
    Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
    Signed-off-by: Borislav Petkov <bp@suse.de>
    Link: https://lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru
    Link: https://lore.kernel.org/r/20220314012725.26661-1-rdunlap@infradead.org
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 6ff986e057bf28e2f7690dad410768b2270f9453
Author: Yang Yingliang <yangyingliang@huawei.com>
Date:   Fri Apr 22 11:28:54 2022 +0800

    drm/rockchip: vop: fix possible null-ptr-deref in vop_bind()
    
    [ Upstream commit f8c242908ad15bbd604d3bcb54961b7d454c43f8 ]
    
    It will cause null-ptr-deref in resource_size(), if platform_get_resource()
    returns NULL, move calling resource_size() after devm_ioremap_resource() that
    will check 'res' to avoid null-ptr-deref.
    
    Fixes: 2048e3286f34 ("drm: rockchip: Add basic drm driver")
    Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
    Signed-off-by: Heiko Stuebner <heiko@sntech.de>
    Link: https://patchwork.freedesktop.org/patch/msgid/20220422032854.2995175-1-yangyingliang@huawei.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 0978fcce91b90b561b8c82e7c492ba9fc8440eef
Author: Yang Yingliang <yangyingliang@huawei.com>
Date:   Fri Apr 22 11:22:27 2022 +0800

    drm/msm/hdmi: check return value after calling platform_get_resource_byname()
    
    [ Upstream commit a36e506711548df923ceb7ec9f6001375be799a5 ]
    
    It will cause null-ptr-deref if platform_get_resource_byname() returns NULL,
    we need check the return value.
    
    Fixes: c6a57a50ad56 ("drm/msm/hdmi: add hdmi hdcp support (V3)")
    Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
    Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Patchwork: https://patchwork.freedesktop.org/patch/482992/
    Link: https://lore.kernel.org/r/20220422032227.2991553-1-yangyingliang@huawei.com
    Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 9169cfced652998a71f8a2b60e4d17b39fba1447
Author: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Date:   Sat Apr 2 02:11:04 2022 +0300

    drm/msm/dsi: fix error checks and return values for DSI xmit functions
    
    [ Upstream commit f0e7e9ed379c012c4d6b09a09b868accc426223c ]
    
    As noticed by Dan ([1] an the followup thread) there are multiple issues
    with the return values for MSM DSI command transmission callback. In
    the error case it can easily return a positive value when it should
    have returned a proper error code.
    
    This commits attempts to fix these issues both in TX and in RX paths.
    
    [1]: https://lore.kernel.org/linux-arm-msm/20211001123617.GH2283@kili/
    
    Fixes: a689554ba6ed ("drm/msm: Initial add DSI connector support")
    Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
    Tested-by: Marijn Suijten <marijn.suijten@somainline.org>
    Patchwork: https://patchwork.freedesktop.org/patch/480501/
    Link: https://lore.kernel.org/r/20220401231104.967193-1-dmitry.baryshkov@linaro.org
    Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit aa4cb188988dc6f1b3f4917d4dbc452150a5d871
Author: Vinod Polimera <quic_vpolimer@quicinc.com>
Date:   Mon Apr 25 08:56:53 2022 +0530

    drm/msm/disp/dpu1: set vbif hw config to NULL to avoid use after memory free during pm runtime resume
    
    [ Upstream commit fa5186b279ecf44b14fb435540d2065be91cb1ed ]
    
    BUG: Unable to handle kernel paging request at virtual address 006b6b6b6b6b6be3
    
    Call trace:
      dpu_vbif_init_memtypes+0x40/0xb8
      dpu_runtime_resume+0xcc/0x1c0
      pm_generic_runtime_resume+0x30/0x44
      __genpd_runtime_resume+0x68/0x7c
      genpd_runtime_resume+0x134/0x258
      __rpm_callback+0x98/0x138
      rpm_callback+0x30/0x88
      rpm_resume+0x36c/0x49c
      __pm_runtime_resume+0x80/0xb0
      dpu_core_irq_uninstall+0x30/0xb0
      dpu_irq_uninstall+0x18/0x24
      msm_drm_uninit+0xd8/0x16c
    
    Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support")
    Signed-off-by: Vinod Polimera <quic_vpolimer@quicinc.com>
    Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Patchwork: https://patchwork.freedesktop.org/patch/483255/
    Link: https://lore.kernel.org/r/1650857213-30075-1-git-send-email-quic_vpolimer@quicinc.com
    [DB: fixed Fixes tag]
    Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 0d51aa71281799f93fadcdd354d10f6f46538f20
Author: Josh Poimboeuf <jpoimboe@kernel.org>
Date:   Mon Apr 25 16:40:02 2022 -0700

    x86/speculation: Add missing prototype for unpriv_ebpf_notify()
    
    [ Upstream commit 2147c438fde135d6c145a96e373d9348e7076f7f ]
    
    Fix the following warnings seen with "make W=1":
    
      kernel/sysctl.c:183:13: warning: no previous prototype for ‘unpriv_ebpf_notify’ [-Wmissing-prototypes]
        183 | void __weak unpriv_ebpf_notify(int new_state)
            |             ^~~~~~~~~~~~~~~~~~
    
      arch/x86/kernel/cpu/bugs.c:659:6: warning: no previous prototype for ‘unpriv_ebpf_notify’ [-Wmissing-prototypes]
        659 | void unpriv_ebpf_notify(int new_state)
            |      ^~~~~~~~~~~~~~~~~~
    
    Fixes: 44a3918c8245 ("x86/speculation: Include unprivileged eBPF status in Spectre v2 mitigation reporting")
    Reported-by: kernel test robot <lkp@intel.com>
    Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
    Signed-off-by: Borislav Petkov <bp@suse.de>
    Link: https://lore.kernel.org/r/5689d065f739602ececaee1e05e68b8644009608.1650930000.git.jpoimboe@redhat.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit dc65f93dbcb9270f8d2a8ea643fda63cc89c75c0
Author: Matthieu Baerts <matthieu.baerts@tessares.net>
Date:   Sat Apr 23 20:24:10 2022 +0200

    x86/pm: Fix false positive kmemleak report in msr_build_context()
    
    [ Upstream commit b0b592cf08367719e1d1ef07c9f136e8c17f7ec3 ]
    
    Since
    
      e2a1256b17b1 ("x86/speculation: Restore speculation related MSRs during S3 resume")
    
    kmemleak reports this issue:
    
      unreferenced object 0xffff888009cedc00 (size 256):
        comm "swapper/0", pid 1, jiffies 4294693823 (age 73.764s)
        hex dump (first 32 bytes):
          00 00 00 00 00 00 00 00 48 00 00 00 00 00 00 00  ........H.......
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
          msr_build_context (include/linux/slab.h:621)
          pm_check_save_msr (arch/x86/power/cpu.c:520)
          do_one_initcall (init/main.c:1298)
          kernel_init_freeable (init/main.c:1370)
          kernel_init (init/main.c:1504)
          ret_from_fork (arch/x86/entry/entry_64.S:304)
    
    Reproducer:
    
      - boot the VM with a debug kernel config (see
        https://github.com/multipath-tcp/mptcp_net-next/issues/268)
      - wait ~1 minute
      - start a kmemleak scan
    
    The root cause here is alignment within the packed struct saved_context
    (from suspend_64.h). Kmemleak only searches for pointers that are
    aligned (see how pointers are scanned in kmemleak.c), but pahole shows
    that the saved_msrs struct member and all members after it in the
    structure are unaligned:
    
      struct saved_context {
        struct pt_regs             regs;                 /*     0   168 */
        /* --- cacheline 2 boundary (128 bytes) was 40 bytes ago --- */
        u16                        ds;                   /*   168     2 */
    
        ...
    
        u64                        misc_enable;          /*   232     8 */
        bool                       misc_enable_saved;    /*   240     1 */
    
       /* Note below odd offset values for the remainder of this struct */
    
        struct saved_msrs          saved_msrs;           /*   241    16 */
        /* --- cacheline 4 boundary (256 bytes) was 1 bytes ago --- */
        long unsigned int          efer;                 /*   257     8 */
        u16                        gdt_pad;              /*   265     2 */
        struct desc_ptr            gdt_desc;             /*   267    10 */
        u16                        idt_pad;              /*   277     2 */
        struct desc_ptr            idt;                  /*   279    10 */
        u16                        ldt;                  /*   289     2 */
        u16                        tss;                  /*   291     2 */
        long unsigned int          tr;                   /*   293     8 */
        long unsigned int          safety;               /*   301     8 */
        long unsigned int          return_address;       /*   309     8 */
    
        /* size: 317, cachelines: 5, members: 25 */
        /* last cacheline: 61 bytes */
      } __attribute__((__packed__));
    
    Move misc_enable_saved to the end of the struct declaration so that
    saved_msrs fits in before the cacheline 4 boundary.
    
    The comment above the saved_context declaration says to fix wakeup_64.S
    file and __save/__restore_processor_state() if the struct is modified:
    it looks like all the accesses in wakeup_64.S are done through offsets
    which are computed at build-time. Update that comment accordingly.
    
    At the end, the false positive kmemleak report is due to a limitation
    from kmemleak but it is always good to avoid unaligned members for
    optimisation purposes.
    
    Please note that it looks like this issue is not new, e.g.
    
      https://lore.kernel.org/all/9f1bb619-c4ee-21c4-a251-870bd4db04fa@lwfinger.net/
      https://lore.kernel.org/all/94e48fcd-1dbd-ebd2-4c91-f39941735909@molgen.mpg.de/
    
      [ bp: Massage + cleanup commit message. ]
    
    Fixes: 7a9c2dd08ead ("x86/pm: Introduce quirk framework to save/restore extra MSR registers around suspend/resume")
    Suggested-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
    Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
    Signed-off-by: Borislav Petkov <bp@suse.de>
    Reviewed-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Link: https://lore.kernel.org/r/20220426202138.498310-1-matthieu.baerts@tessares.net
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a4aa259cab0ea64f2ea0db4df43c1453b17766a4
Author: Kiwoong Kim <kwmad.kim@samsung.com>
Date:   Thu Mar 31 10:24:05 2022 +0900

    scsi: ufs: core: Exclude UECxx from SFR dump list
    
    [ Upstream commit ef60031022eb6d972aac86ca26c98c33e1289436 ]
    
    Some devices may return invalid or zeroed data during an UIC error
    condition. In addition, reading these SFRs will clear them. This means the
    subsequent error handling will not be able to see them and therefore no
    error handling will be scheduled.
    
    Skip reading these SFRs in ufshcd_dump_regs().
    
    Link: https://lore.kernel.org/r/1648689845-33521-1-git-send-email-kwmad.kim@samsung.com
    Fixes: d67247566450 ("scsi: ufs: Use explicit access size in ufshcd_dump_regs")
    Signed-off-by: Kiwoong Kim <kwmad.kim@samsung.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 2e9df1b09f72d17d722224d6248a446542a0f75c
Author: Nuno Sá <nuno.sa@analog.com>
Date:   Wed Apr 20 15:02:05 2022 +0200

    of: overlay: do not break notify on NOTIFY_{OK|STOP}
    
    [ Upstream commit 5f756a2eaa4436d7d3dc1e040147f5e992ae34b5 ]
    
    We should not break overlay notifications on NOTIFY_{OK|STOP}
    otherwise we might break on the first fragment. We should only stop
    notifications if a *real* errno is returned by one of the listeners.
    
    Fixes: a1d19bd4cf1fe ("of: overlay: pr_err from return NOTIFY_OK to overlay apply/remove")
    Signed-off-by: Nuno Sá <nuno.sa@analog.com>
    Signed-off-by: Rob Herring <robh@kernel.org>
    Link: https://lore.kernel.org/r/20220420130205.89435-1-nuno.sa@analog.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 72632015277b56d5f8fd666ccd24cb0ed7ef1d72
Author: Amir Goldstein <amir73il@gmail.com>
Date:   Fri Apr 22 15:03:14 2022 +0300

    fsnotify: fix wrong lockdep annotations
    
    [ Upstream commit 623af4f538b5df9b416e1b82f720af7371b4c771 ]
    
    Commit 6960b0d909cd ("fsnotify: change locking order") changed some
    of the mark_mutex locks in direct reclaim path to use:
      mutex_lock_nested(&group->mark_mutex, SINGLE_DEPTH_NESTING);
    
    This change is explained:
     "...It uses nested locking to avoid deadlock in case we do the final
      iput() on an inode which still holds marks and thus would take the
      mutex again when calling fsnotify_inode_delete() in destroy_inode()."
    
    The problem is that the mutex_lock_nested() is not a nested lock at
    all. In fact, it has the opposite effect of preventing lockdep from
    warning about a very possible deadlock.
    
    Due to these wrong annotations, a deadlock that was introduced with
    nfsd filecache in kernel v5.4 went unnoticed in v5.4.y for over two
    years until it was reported recently by Khazhismel Kumykov, only to
    find out that the deadlock was already fixed in kernel v5.5.
    
    Fix the wrong lockdep annotations.
    
    Cc: Khazhismel Kumykov <khazhy@google.com>
    Fixes: 6960b0d909cd ("fsnotify: change locking order")
    Link: https://lore.kernel.org/r/20220321112310.vpr7oxro2xkz5llh@quack3.lan/
    Link: https://lore.kernel.org/r/20220422120327.3459282-4-amir73il@gmail.com
    Signed-off-by: Amir Goldstein <amir73il@gmail.com>
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a0f367da19d6da601d150057be41c2c58aa06830
Author: Amir Goldstein <amir73il@gmail.com>
Date:   Fri Apr 22 15:03:12 2022 +0300

    inotify: show inotify mask flags in proc fdinfo
    
    [ Upstream commit a32e697cda27679a0327ae2cafdad8c7170f548f ]
    
    The inotify mask flags IN_ONESHOT and IN_EXCL_UNLINK are not "internal
    to kernel" and should be exposed in procfs fdinfo so CRIU can restore
    them.
    
    Fixes: 6933599697c9 ("inotify: hide internal kernel bits from fdinfo")
    Link: https://lore.kernel.org/r/20220422120327.3459282-2-amir73il@gmail.com
    Signed-off-by: Amir Goldstein <amir73il@gmail.com>
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 4bdcf32c965c27f55ccc4ee71c1927131115b0bb
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Sat Apr 9 09:12:25 2022 +0300

    ath9k_htc: fix potential out of bounds access with invalid rxstatus->rs_keyix
    
    [ Upstream commit 2dc509305cf956381532792cb8dceef2b1504765 ]
    
    The "rxstatus->rs_keyix" eventually gets passed to test_bit() so we need to
    ensure that it is within the bitmap.
    
    drivers/net/wireless/ath/ath9k/common.c:46 ath9k_cmn_rx_accept()
    error: passing untrusted data 'rx_stats->rs_keyix' to 'test_bit()'
    
    Fixes: 4ed1a8d4a257 ("ath9k_htc: use ath9k_cmn_rx_accept")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
    Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
    Link: https://lore.kernel.org/r/20220409061225.GA5447@kili
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit e663ce18cafc55338da57daf2f756bef43d967e1
Author: Zheng Yongjun <zhengyongjun3@huawei.com>
Date:   Fri Apr 22 06:26:41 2022 +0000

    spi: img-spfi: Fix pm_runtime_get_sync() error checking
    
    [ Upstream commit cc470d55343056d6b2a5c32e10e0aad06f324078 ]
    
    If the device is already in a runtime PM enabled state
    pm_runtime_get_sync() will return 1, so a test for negative
    value should be used to check for errors.
    
    Fixes: deba25800a12b ("spi: Add driver for IMG SPFI controller")
    Signed-off-by: Zheng Yongjun <zhengyongjun3@huawei.com>
    Link: https://lore.kernel.org/r/20220422062641.10486-1-zhengyongjun3@huawei.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit c92ec22a991778a096342cf1a917ae36c5c86a90
Author: Miaoqian Lin <linmq006@gmail.com>
Date:   Sat Apr 16 07:37:21 2022 +0000

    HID: elan: Fix potential double free in elan_input_configured
    
    [ Upstream commit 1af20714fedad238362571620be0bd690ded05b6 ]
    
    'input' is a managed resource allocated with devm_input_allocate_device(),
    so there is no need to call input_free_device() explicitly or
    there will be a double free.
    
    According to the doc of devm_input_allocate_device():
     * Managed input devices do not need to be explicitly unregistered or
     * freed as it will be done automatically when owner device unbinds from
     * its driver (or binding fails).
    
    Fixes: b7429ea53d6c ("HID: elan: Fix memleak in elan_input_configured")
    Fixes: 9a6a4193d65b ("HID: Add driver for USB ELAN Touchpad")
    Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
    Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 9d458cca0360fa86479348dee6a631f422027fd4
Author: Jonathan Teh <jonathan.teh@outlook.com>
Date:   Sun Mar 13 19:48:18 2022 +0000

    HID: hid-led: fix maximum brightness for Dream Cheeky
    
    [ Upstream commit 116c3f4a78ebe478d5ad5a038baf931e93e7d748 ]
    
    Increase maximum brightness for Dream Cheeky to 63. Emperically
    determined based on testing in kernel 4.4 on this device:
    
    Bus 003 Device 002: ID 1d34:0004 Dream Cheeky Webmail Notifier
    
    Fixes: 6c7ad07e9e05 ("HID: migrate USB LED driver from usb misc to hid")
    Signed-off-by: Jonathan Teh <jonathan.teh@outlook.com>
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 9209beeb4dc22796e6b540562de789bc9461073c
Author: Jan Kiszka <jan.kiszka@siemens.com>
Date:   Fri Mar 4 07:36:37 2022 +0100

    efi: Add missing prototype for efi_capsule_setup_info
    
    [ Upstream commit aa480379d8bdb33920d68acfd90f823c8af32578 ]
    
    Fixes "no previous declaration for 'efi_capsule_setup_info'" warnings
    under W=1.
    
    Fixes: 2959c95d510c ("efi/capsule: Add support for Quark security header")
    Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
    Link: https://lore.kernel.org/r/c28d3f86-dd72-27d1-e2c2-40971b8da6bd@siemens.com
    Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 6abfaca8711803d0d7cc8c0fac1070a88509d463
Author: Lin Ma <linma@zju.edu.cn>
Date:   Tue Apr 12 13:32:08 2022 +0800

    NFC: NULL out the dev->rfkill to prevent UAF
    
    [ Upstream commit 1b0e81416a24d6e9b8c2341e22e8bf48f8b8bfc9 ]
    
    Commit 3e3b5dfcd16a ("NFC: reorder the logic in nfc_{un,}register_device")
    assumes the device_is_registered() in function nfc_dev_up() will help
    to check when the rfkill is unregistered. However, this check only
    take effect when device_del(&dev->dev) is done in nfc_unregister_device().
    Hence, the rfkill object is still possible be dereferenced.
    
    The crash trace in latest kernel (5.18-rc2):
    
    [   68.760105] ==================================================================
    [   68.760330] BUG: KASAN: use-after-free in __lock_acquire+0x3ec1/0x6750
    [   68.760756] Read of size 8 at addr ffff888009c93018 by task fuzz/313
    [   68.760756]
    [   68.760756] CPU: 0 PID: 313 Comm: fuzz Not tainted 5.18.0-rc2 #4
    [   68.760756] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
    [   68.760756] Call Trace:
    [   68.760756]  <TASK>
    [   68.760756]  dump_stack_lvl+0x57/0x7d
    [   68.760756]  print_report.cold+0x5e/0x5db
    [   68.760756]  ? __lock_acquire+0x3ec1/0x6750
    [   68.760756]  kasan_report+0xbe/0x1c0
    [   68.760756]  ? __lock_acquire+0x3ec1/0x6750
    [   68.760756]  __lock_acquire+0x3ec1/0x6750
    [   68.760756]  ? lockdep_hardirqs_on_prepare+0x410/0x410
    [   68.760756]  ? register_lock_class+0x18d0/0x18d0
    [   68.760756]  lock_acquire+0x1ac/0x4f0
    [   68.760756]  ? rfkill_blocked+0xe/0x60
    [   68.760756]  ? lockdep_hardirqs_on_prepare+0x410/0x410
    [   68.760756]  ? mutex_lock_io_nested+0x12c0/0x12c0
    [   68.760756]  ? nla_get_range_signed+0x540/0x540
    [   68.760756]  ? _raw_spin_lock_irqsave+0x4e/0x50
    [   68.760756]  _raw_spin_lock_irqsave+0x39/0x50
    [   68.760756]  ? rfkill_blocked+0xe/0x60
    [   68.760756]  rfkill_blocked+0xe/0x60
    [   68.760756]  nfc_dev_up+0x84/0x260
    [   68.760756]  nfc_genl_dev_up+0x90/0xe0
    [   68.760756]  genl_family_rcv_msg_doit+0x1f4/0x2f0
    [   68.760756]  ? genl_family_rcv_msg_attrs_parse.constprop.0+0x230/0x230
    [   68.760756]  ? security_capable+0x51/0x90
    [   68.760756]  genl_rcv_msg+0x280/0x500
    [   68.760756]  ? genl_get_cmd+0x3c0/0x3c0
    [   68.760756]  ? lock_acquire+0x1ac/0x4f0
    [   68.760756]  ? nfc_genl_dev_down+0xe0/0xe0
    [   68.760756]  ? lockdep_hardirqs_on_prepare+0x410/0x410
    [   68.760756]  netlink_rcv_skb+0x11b/0x340
    [   68.760756]  ? genl_get_cmd+0x3c0/0x3c0
    [   68.760756]  ? netlink_ack+0x9c0/0x9c0
    [   68.760756]  ? netlink_deliver_tap+0x136/0xb00
    [   68.760756]  genl_rcv+0x1f/0x30
    [   68.760756]  netlink_unicast+0x430/0x710
    [   68.760756]  ? memset+0x20/0x40
    [   68.760756]  ? netlink_attachskb+0x740/0x740
    [   68.760756]  ? __build_skb_around+0x1f4/0x2a0
    [   68.760756]  netlink_sendmsg+0x75d/0xc00
    [   68.760756]  ? netlink_unicast+0x710/0x710
    [   68.760756]  ? netlink_unicast+0x710/0x710
    [   68.760756]  sock_sendmsg+0xdf/0x110
    [   68.760756]  __sys_sendto+0x19e/0x270
    [   68.760756]  ? __ia32_sys_getpeername+0xa0/0xa0
    [   68.760756]  ? fd_install+0x178/0x4c0
    [   68.760756]  ? fd_install+0x195/0x4c0
    [   68.760756]  ? kernel_fpu_begin_mask+0x1c0/0x1c0
    [   68.760756]  __x64_sys_sendto+0xd8/0x1b0
    [   68.760756]  ? lockdep_hardirqs_on+0xbf/0x130
    [   68.760756]  ? syscall_enter_from_user_mode+0x1d/0x50
    [   68.760756]  do_syscall_64+0x3b/0x90
    [   68.760756]  entry_SYSCALL_64_after_hwframe+0x44/0xae
    [   68.760756] RIP: 0033:0x7f67fb50e6b3
    ...
    [   68.760756] RSP: 002b:00007f67fa91fe90 EFLAGS: 00000293 ORIG_RAX: 000000000000002c
    [   68.760756] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f67fb50e6b3
    [   68.760756] RDX: 000000000000001c RSI: 0000559354603090 RDI: 0000000000000003
    [   68.760756] RBP: 00007f67fa91ff00 R08: 00007f67fa91fedc R09: 000000000000000c
    [   68.760756] R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffe824d496e
    [   68.760756] R13: 00007ffe824d496f R14: 00007f67fa120000 R15: 0000000000000003
    
    [   68.760756]  </TASK>
    [   68.760756]
    [   68.760756] Allocated by task 279:
    [   68.760756]  kasan_save_stack+0x1e/0x40
    [   68.760756]  __kasan_kmalloc+0x81/0xa0
    [   68.760756]  rfkill_alloc+0x7f/0x280
    [   68.760756]  nfc_register_device+0xa3/0x1a0
    [   68.760756]  nci_register_device+0x77a/0xad0
    [   68.760756]  nfcmrvl_nci_register_dev+0x20b/0x2c0
    [   68.760756]  nfcmrvl_nci_uart_open+0xf2/0x1dd
    [   68.760756]  nci_uart_tty_ioctl+0x2c3/0x4a0
    [   68.760756]  tty_ioctl+0x764/0x1310
    [   68.760756]  __x64_sys_ioctl+0x122/0x190
    [   68.760756]  do_syscall_64+0x3b/0x90
    [   68.760756]  entry_SYSCALL_64_after_hwframe+0x44/0xae
    [   68.760756]
    [   68.760756] Freed by task 314:
    [   68.760756]  kasan_save_stack+0x1e/0x40
    [   68.760756]  kasan_set_track+0x21/0x30
    [   68.760756]  kasan_set_free_info+0x20/0x30
    [   68.760756]  __kasan_slab_free+0x108/0x170
    [   68.760756]  kfree+0xb0/0x330
    [   68.760756]  device_release+0x96/0x200
    [   68.760756]  kobject_put+0xf9/0x1d0
    [   68.760756]  nfc_unregister_device+0x77/0x190
    [   68.760756]  nfcmrvl_nci_unregister_dev+0x88/0xd0
    [   68.760756]  nci_uart_tty_close+0xdf/0x180
    [   68.760756]  tty_ldisc_kill+0x73/0x110
    [   68.760756]  tty_ldisc_hangup+0x281/0x5b0
    [   68.760756]  __tty_hangup.part.0+0x431/0x890
    [   68.760756]  tty_release+0x3a8/0xc80
    [   68.760756]  __fput+0x1f0/0x8c0
    [   68.760756]  task_work_run+0xc9/0x170
    [   68.760756]  exit_to_user_mode_prepare+0x194/0x1a0
    [   68.760756]  syscall_exit_to_user_mode+0x19/0x50
    [   68.760756]  do_syscall_64+0x48/0x90
    [   68.760756]  entry_SYSCALL_64_after_hwframe+0x44/0xae
    
    This patch just add the null out of dev->rfkill to make sure such
    dereference cannot happen. This is safe since the device_lock() already
    protect the check/write from data race.
    
    Fixes: 3e3b5dfcd16a ("NFC: reorder the logic in nfc_{un,}register_device")
    Signed-off-by: Lin Ma <linma@zju.edu.cn>
    Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 674d414dd072ed20afdc9151d091a7232393ea7b
Author: Miaoqian Lin <linmq006@gmail.com>
Date:   Mon Apr 11 11:10:33 2022 +0000

    spi: spi-ti-qspi: Fix return value handling of wait_for_completion_timeout
    
    [ Upstream commit 8b1ea69a63eb62f97cef63e6d816b64ed84e8760 ]
    
    wait_for_completion_timeout() returns unsigned long not int.
    It returns 0 if timed out, and positive if completed.
    The check for <= 0 is ambiguous and should be == 0 here
    indicating timeout which is the only error case.
    
    Fixes: 5720ec0a6d26 ("spi: spi-ti-qspi: Add DMA support for QSPI mmap read")
    Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
    Link: https://lore.kernel.org/r/20220411111034.24447-1-linmq006@gmail.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 6861aacff9a9f40746d197cf03f3a1ac9713bb71
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Fri Mar 18 13:46:57 2022 +0100

    nl80211: show SSID for P2P_GO interfaces
    
    [ Upstream commit a75971bc2b8453630e9f85e0beaa4da8db8277a3 ]
    
    There's no real reason not to send the SSID to userspace
    when it requests information about P2P_GO, it is, in that
    respect, exactly the same as AP interfaces. Fix that.
    
    Fixes: 44905265bc15 ("nl80211: don't expose wdev->ssid for most interfaces")
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Link: https://lore.kernel.org/r/20220318134656.14354ae223f0.Ia25e85a512281b92e1645d4160766a4b1a471597@changeid
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit c4e427b77c6dd22f918f9c0d6ef4e38936d90f8b
Author: Maxime Ripard <maxime@cerno.tech>
Date:   Mon Mar 28 17:36:56 2022 +0200

    drm/vc4: txp: Force alpha to be 0xff if it's disabled
    
    [ Upstream commit 5453343a88ede8b12812fced81ecd24cb888ccc3 ]
    
    If we use a format that has padding instead of the alpha component (such
    as XRGB8888), it appears that the Transposer will fill the padding to 0,
    disregarding what was stored in the input buffer padding.
    
    This leads to issues with IGT, since it will set the padding to 0xff,
    but will then compare the CRC of the two frames which will thus fail.
    Another nice side effect is that it is now possible to just use the
    buffer as ARGB.
    
    Fixes: 008095e065a8 ("drm/vc4: Add support for the transposer block")
    Signed-off-by: Maxime Ripard <maxime@cerno.tech>
    Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
    Link: https://lore.kernel.org/r/20220328153659.2382206-4-maxime@cerno.tech
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit bb59345bb77591d66089cc2d8050ba82ecb41b32
Author: Maxime Ripard <maxime@cerno.tech>
Date:   Mon Mar 28 17:36:55 2022 +0200

    drm/vc4: txp: Don't set TXP_VSTART_AT_EOF
    
    [ Upstream commit 234998df929f14d00cbf2f1e81a7facb69fd9266 ]
    
    The TXP_VSTART_AT_EOF will generate a second VSTART signal to the HVS.
    However, the HVS waits for VSTART to enable the FIFO and will thus start
    filling the FIFO before the start of the frame.
    
    This leads to corruption at the beginning of the first frame, and
    content from the previous frame at the beginning of the next frames.
    
    Since one VSTART is enough, let's get rid of it.
    
    Fixes: 008095e065a8 ("drm/vc4: Add support for the transposer block")
    Signed-off-by: Maxime Ripard <maxime@cerno.tech>
    Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
    Link: https://lore.kernel.org/r/20220328153659.2382206-3-maxime@cerno.tech
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 34a4ddeaced0b059d82f78541e2d9b1a79a25a9f
Author: Miles Chen <miles.chen@mediatek.com>
Date:   Wed Mar 16 07:23:00 2022 +0800

    drm/mediatek: Fix mtk_cec_mask()
    
    [ Upstream commit 2c5d69b0a141e1e98febe3111e6f4fd8420493a5 ]
    
    In current implementation, mtk_cec_mask() writes val into target register
    and ignores the mask. After talking to our hdmi experts, mtk_cec_mask()
    should read a register, clean only mask bits, and update (val | mask) bits
    to the register.
    
    Link: https://patchwork.kernel.org/project/linux-mediatek/patch/20220315232301.2434-1-miles.chen@mediatek.com/
    Fixes: 8f83f26891e1 ("drm/mediatek: Add HDMI support")
    Signed-off-by: Miles Chen <miles.chen@mediatek.com>
    Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
    Reviewed-by: Matthias Brugger <matthias.bgg@gmail.com>
    Cc: Zhiqiang Lin <zhiqiang.lin@mediatek.com>
    Cc: CK Hu <ck.hu@mediatek.com>
    Cc: Matthias Brugger <matthias.bgg@gmail.com>
    Cc: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
    Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 12ffed97ae3303c3c4bc772c9329a9977a9941d6
Author: Ammar Faizi <ammarfaizi2@gnuweeb.org>
Date:   Tue Mar 29 17:47:04 2022 +0700

    x86/delay: Fix the wrong asm constraint in delay_loop()
    
    [ Upstream commit b86eb74098a92afd789da02699b4b0dd3f73b889 ]
    
    The asm constraint does not reflect the fact that the asm statement can
    modify the value of the local variable loops. Which it does.
    
    Specifying the wrong constraint may lead to undefined behavior, it may
    clobber random stuff (e.g. local variable, important temporary value in
    regs, etc.). This is especially dangerous when the compiler decides to
    inline the function and since it doesn't know that the value gets
    modified, it might decide to use it from a register directly without
    reloading it.
    
    Change the constraint to "+a" to denote that the first argument is an
    input and an output argument.
    
      [ bp: Fix typo, massage commit message. ]
    
    Fixes: e01b70ef3eb3 ("x86: fix bug in arch/i386/lib/delay.c file, delay_loop function")
    Signed-off-by: Ammar Faizi <ammarfaizi2@gnuweeb.org>
    Signed-off-by: Borislav Petkov <bp@suse.de>
    Link: https://lore.kernel.org/r/20220329104705.65256-2-ammarfaizi2@gnuweeb.org
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 9345122f5fb9f97a206f440f38bb656e53f46912
Author: Miaoqian Lin <linmq006@gmail.com>
Date:   Mon Apr 4 09:35:25 2022 +0000

    ASoC: mediatek: Fix missing of_node_put in mt2701_wm8960_machine_probe
    
    [ Upstream commit 05654431a18fe24e5e46a375d98904134628a102 ]
    
    This node pointer is returned by of_parse_phandle() with
    refcount incremented in this function.
    Calling of_node_put() to avoid the refcount leak.
    
    Fixes: 8625c1dbd876 ("ASoC: mediatek: Add mt2701-wm8960 machine driver")
    Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
    Link: https://lore.kernel.org/r/20220404093526.30004-1-linmq006@gmail.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit cc43b9fdca519c5b13be6a717bacbebccd628cf6
Author: Miaoqian Lin <linmq006@gmail.com>
Date:   Mon Apr 4 09:29:01 2022 +0000

    ASoC: mediatek: Fix error handling in mt8173_max98090_dev_probe
    
    [ Upstream commit 4f4e0454e226de3bf4efd7e7924d1edc571c52d5 ]
    
    Call of_node_put(platform_node) to avoid refcount leak in
    the error path.
    
    Fixes: 94319ba10eca ("ASoC: mediatek: Use platform_of_node for machine drivers")
    Fixes: 493433785df0 ("ASoC: mediatek: mt8173: fix device_node leak")
    Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
    Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
    Link: https://lore.kernel.org/r/20220404092903.26725-1-linmq006@gmail.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit b5433dca714686ecdb842da7ca7bbf37bc9d96aa
Author: Lucas Stach <l.stach@pengutronix.de>
Date:   Mon Mar 21 11:47:05 2022 +0100

    drm/bridge: adv7511: clean up CEC adapter when probe fails
    
    [ Upstream commit 7ed2b0dabf7a22874cb30f8878df239ef638eb53 ]
    
    When the probe routine fails we also need to clean up the
    CEC adapter registered in adv7511_cec_init().
    
    Fixes: 3b1b975003e4 ("drm: adv7511/33: add HDMI CEC support")
    Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
    Reviewed-by: Robert Foss <robert.foss@linaro.org>
    Signed-off-by: Robert Foss <robert.foss@linaro.org>
    Link: https://patchwork.freedesktop.org/patch/msgid/20220321104705.2804423-1-l.stach@pengutronix.de
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 5233dae6659262628e561aacb1f73066982cfb17
Author: Jani Nikula <jani.nikula@intel.com>
Date:   Wed Mar 30 20:04:26 2022 +0300

    drm/edid: fix invalid EDID extension block filtering
    
    [ Upstream commit 3aefc722ff52076407203b6af9713de567993adf ]
    
    The invalid EDID block filtering uses the number of valid EDID
    extensions instead of all EDID extensions for looping the extensions in
    the copy. This is fine, by coincidence, if all the invalid blocks are at
    the end of the EDID. However, it's completely broken if there are
    invalid extensions in the middle; the invalid blocks are included and
    valid blocks are excluded.
    
    Fix it by modifying the base block after, not before, the copy.
    
    Fixes: 14544d0937bf ("drm/edid: Only print the bad edid when aborting")
    Reported-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
    Signed-off-by: Jani Nikula <jani.nikula@intel.com>
    Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20220330170426.349248-1-jani.nikula@intel.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit ff77404b9a4dd03b59aa8942fc33554bef9a6b2b
Author: Wenli Looi <wlooi@ucalgary.ca>
Date:   Sun Mar 20 17:30:08 2022 -0600

    ath9k: fix ar9003_get_eepmisc
    
    [ Upstream commit 9aaff3864b603408c02c629957ae8d8ff5d5a4f2 ]
    
    The current implementation is reading the wrong eeprom type.
    
    Fixes: d8ec2e2a63e8 ("ath9k: Add an eeprom_ops callback for retrieving the eepmisc value")
    Signed-off-by: Wenli Looi <wlooi@ucalgary.ca>
    Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
    Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
    Link: https://lore.kernel.org/r/20220320233010.123106-5-wlooi@ucalgary.ca
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit faa6c1146b3f78aaae9eb37b53db4c4e7dccb81d
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Sat May 28 11:08:48 2022 -0700

    drm: fix EDID struct for old ARM OABI format
    
    [ Upstream commit 47f15561b69e226bfc034e94ff6dbec51a4662af ]
    
    When building the kernel for arm with the "-mabi=apcs-gnu" option, gcc
    will force alignment of all structures and unions to a word boundary
    (see also STRUCTURE_SIZE_BOUNDARY and the "-mstructure-size-boundary=XX"
    option if you're a gcc person), even when the members of said structures
    do not want or need said alignment.
    
    This completely messes up the structure alignment of 'struct edid' on
    those targets, because even though all the embedded structures are
    marked with "__attribute__((packed))", the unions that contain them are
    not.
    
    This was exposed by commit f1e4c916f97f ("drm/edid: add EDID block count
    and size helpers"), but the bug is pre-existing.  That commit just made
    the structure layout problem cause a build failure due to the addition
    of the
    
            BUILD_BUG_ON(sizeof(*edid) != EDID_LENGTH);
    
    sanity check in drivers/gpu/drm/drm_edid.c:edid_block_data().
    
    This legacy union alignment should probably not be used in the first
    place, but we can fix the layout by adding the packed attribute to the
    union entries even when each member is already packed and it shouldn't
    matter in a sane build environment.
    
    You can see this issue with a trivial test program:
    
      union {
            struct {
                    char c[5];
            };
            struct {
                    char d;
                    unsigned e;
            } __attribute__((packed));
      } a = { "1234" };
    
    where building this with a normal "gcc -S" will result in the expected
    5-byte size of said union:
    
            .type   a, @object
            .size   a, 5
    
    but with an ARM compiler and the old ABI:
    
        arm-linux-gnu-gcc -mabi=apcs-gnu -mfloat-abi=soft -S t.c
    
    you get
    
            .type   a, %object
            .size   a, 8
    
    instead, because even though each member of the union is packed, the
    union itself still gets aligned.
    
    This was reported by Sudip for the spear3xx_defconfig target.
    
    Link: https://lore.kernel.org/lkml/YpCUzStDnSgQLNFN@debian/
    Reported-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
    Acked-by: Arnd Bergmann <arnd@arndb.de>
    Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
    Cc: Maxime Ripard <mripard@kernel.org>
    Cc: Thomas Zimmermann <tzimmermann@suse.de>
    Cc: David Airlie <airlied@linux.ie>
    Cc: Daniel Vetter <daniel@ffwll.ch>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 0e4dda8b3f4c07ee9ea670a10ea3171a5e63a86f
Author: Douglas Miller <doug.miller@cornelisnetworks.com>
Date:   Fri May 20 14:37:06 2022 -0400

    RDMA/hfi1: Prevent panic when SDMA is disabled
    
    [ Upstream commit 629e052d0c98e46dde9f0824f0aa437f678d9b8f ]
    
    If the hfi1 module is loaded with HFI1_CAP_SDMA off, a call to
    hfi1_write_iter() will dereference a NULL pointer and panic. A typical
    stack frame is:
    
      sdma_select_user_engine [hfi1]
      hfi1_user_sdma_process_request [hfi1]
      hfi1_write_iter [hfi1]
      do_iter_readv_writev
      do_iter_write
      vfs_writev
      do_writev
      do_syscall_64
    
    The fix is to test for SDMA in hfi1_write_iter() and fail the I/O with
    EINVAL.
    
    Link: https://lore.kernel.org/r/20220520183706.48973.79803.stgit@awfm-01.cornelisnetworks.com
    Signed-off-by: Douglas Miller <doug.miller@cornelisnetworks.com>
    Signed-off-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
    Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 542633306d18ef697c55603f52bc58b464a0479f
Author: Finn Thain <fthain@linux-m68k.org>
Date:   Thu Apr 7 20:11:32 2022 +1000

    macintosh/via-pmu: Fix build failure when CONFIG_INPUT is disabled
    
    [ Upstream commit 86ce436e30d86327c9f5260f718104ae7b21f506 ]
    
    drivers/macintosh/via-pmu-event.o: In function `via_pmu_event':
    via-pmu-event.c:(.text+0x44): undefined reference to `input_event'
    via-pmu-event.c:(.text+0x68): undefined reference to `input_event'
    via-pmu-event.c:(.text+0x94): undefined reference to `input_event'
    via-pmu-event.c:(.text+0xb8): undefined reference to `input_event'
    drivers/macintosh/via-pmu-event.o: In function `via_pmu_event_init':
    via-pmu-event.c:(.init.text+0x20): undefined reference to `input_allocate_device'
    via-pmu-event.c:(.init.text+0xc4): undefined reference to `input_register_device'
    via-pmu-event.c:(.init.text+0xd4): undefined reference to `input_free_device'
    make[1]: *** [Makefile:1155: vmlinux] Error 1
    make: *** [Makefile:350: __build_one_by_one] Error 2
    
    Don't call into the input subsystem unless CONFIG_INPUT is built-in.
    
    Reported-by: kernel test robot <lkp@intel.com>
    Signed-off-by: Finn Thain <fthain@linux-m68k.org>
    Tested-by: Randy Dunlap <rdunlap@infradead.org>
    Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
    Acked-by: Randy Dunlap <rdunlap@infradead.org>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://lore.kernel.org/r/5edbe76ce68227f71e09af4614cc4c1bd61c7ec8.1649326292.git.fthain@linux-m68k.org
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 1d5c8cea85fb1680eae8d645b96b92146cb4633c
Author: Lv Ruyi <lv.ruyi@zte.com.cn>
Date:   Sat Apr 2 01:34:19 2022 +0000

    powerpc/xics: fix refcount leak in icp_opal_init()
    
    [ Upstream commit 5dd9e27ea4a39f7edd4bf81e9e70208e7ac0b7c9 ]
    
    The of_find_compatible_node() function returns a node pointer with
    refcount incremented, use of_node_put() on it when done.
    
    Reported-by: Zeal Robot <zealci@zte.com.cn>
    Signed-off-by: Lv Ruyi <lv.ruyi@zte.com.cn>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://lore.kernel.org/r/20220402013419.2410298-1-lv.ruyi@zte.com.cn
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 69f8cf91627abd9b233ec1dd1d607c1729fa4cdd
Author: Vasily Averin <vasily.averin@linux.dev>
Date:   Wed May 11 12:46:53 2022 +0300

    tracing: incorrect isolate_mote_t cast in mm_vmscan_lru_isolate
    
    [ Upstream commit 2b132903de7124dd9a758be0c27562e91a510848 ]
    
    Fixes following sparse warnings:
    
      CHECK   mm/vmscan.c
    mm/vmscan.c: note: in included file (through
    include/trace/trace_events.h, include/trace/define_trace.h,
    include/trace/events/vmscan.h):
    ./include/trace/events/vmscan.h:281:1: sparse: warning:
     cast to restricted isolate_mode_t
    ./include/trace/events/vmscan.h:281:1: sparse: warning:
     restricted isolate_mode_t degrades to integer
    
    Link: https://lkml.kernel.org/r/e85d7ff2-fd10-53f8-c24e-ba0458439c1b@openvz.org
    Signed-off-by: Vasily Averin <vvs@openvz.org>
    Acked-by: Steven Rostedt (Google) <rostedt@goodmis.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit aed6d4d519210c28817948f34c53b6e058e0456c
Author: Yicong Yang <yangyicong@hisilicon.com>
Date:   Mon Apr 4 14:25:39 2022 +0800

    PCI: Avoid pci_dev_lock() AB/BA deadlock with sriov_numvfs_store()
    
    [ Upstream commit a91ee0e9fca9d7501286cfbced9b30a33e52740a ]
    
    The sysfs sriov_numvfs_store() path acquires the device lock before the
    config space access lock:
    
      sriov_numvfs_store
        device_lock                 # A (1) acquire device lock
        sriov_configure
          vfio_pci_sriov_configure  # (for example)
            vfio_pci_core_sriov_configure
              pci_disable_sriov
                sriov_disable
                  pci_cfg_access_lock
                    pci_wait_cfg    # B (4) wait for dev->block_cfg_access == 0
    
    Previously, pci_dev_lock() acquired the config space access lock before the
    device lock:
    
      pci_dev_lock
        pci_cfg_access_lock
          dev->block_cfg_access = 1 # B (2) set dev->block_cfg_access = 1
        device_lock                 # A (3) wait for device lock
    
    Any path that uses pci_dev_lock(), e.g., pci_reset_function(), may
    deadlock with sriov_numvfs_store() if the operations occur in the sequence
    (1) (2) (3) (4).
    
    Avoid the deadlock by reversing the order in pci_dev_lock() so it acquires
    the device lock before the config space access lock, the same as the
    sriov_numvfs_store() path.
    
    [bhelgaas: combined and adapted commit log from Jay Zhou's independent
    subsequent posting:
    https://lore.kernel.org/r/20220404062539.1710-1-jianjay.zhou@huawei.com]
    Link: https://lore.kernel.org/linux-pci/1583489997-17156-1-git-send-email-yangyicong@hisilicon.com/
    Also-posted-by: Jay Zhou <jianjay.zhou@huawei.com>
    Signed-off-by: Yicong Yang <yangyicong@hisilicon.com>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit dd4be8ecfb41a29e7c4e551b4e866157ce4a3429
Author: Peng Wu <wupeng58@huawei.com>
Date:   Thu Apr 28 10:43:06 2022 +0000

    ARM: hisi: Add missing of_node_put after of_find_compatible_node
    
    [ Upstream commit 9bc72e47d4630d58a840a66a869c56b29554cfe4 ]
    
    of_find_compatible_node  will increment the refcount of the returned
    device_node. Calling of_node_put() to avoid the refcount leak
    
    Signed-off-by: Peng Wu <wupeng58@huawei.com>
    Signed-off-by: Wei Xu <xuwei5@hisilicon.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit ef618baeed3f0031185616a016637cd29f729617
Author: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Date:   Tue Apr 26 20:34:43 2022 +0200

    ARM: dts: exynos: add atmel,24c128 fallback to Samsung EEPROM
    
    [ Upstream commit f038e8186fbc5723d7d38c6fa1d342945107347e ]
    
    The Samsung s524ad0xd1 EEPROM should use atmel,24c128 fallback,
    according to the AT24 EEPROM bindings.
    
    Reported-by: Rob Herring <robh@kernel.org>
    Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    Link: https://lore.kernel.org/r/20220426183443.243113-1-krzysztof.kozlowski@linaro.org
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a0fc05cd17617e63fc13ad0c01f3f0afd890d8ec
Author: Peng Wu <wupeng58@huawei.com>
Date:   Fri Apr 29 01:03:56 2022 +0200

    ARM: versatile: Add missing of_node_put in dcscb_init
    
    [ Upstream commit 23b44f9c649bbef10b45fa33080cd8b4166800ae ]
    
    The device_node pointer is returned by of_find_compatible_node
    with refcount incremented. We should use of_node_put() to avoid
    the refcount leak.
    
    Signed-off-by: Peng Wu <wupeng58@huawei.com>
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Link: https://lore.kernel.org/r/20220428230356.69418-1-linus.walleij@linaro.org'
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 2d03231e5cc5f1baf97090d82eac81fd53ab1b32
Author: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Date:   Fri Apr 29 14:38:02 2022 -0700

    fat: add ratelimit to fat*_ent_bread()
    
    [ Upstream commit 183c3237c928109d2008c0456dff508baf692b20 ]
    
    fat*_ent_bread() can be the cause of too many report on I/O error path.
    So use fat_msg_ratelimit() instead.
    
    Link: https://lkml.kernel.org/r/87bkxogfeq.fsf@mail.parknet.co.jp
    Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
    Reported-by: qianfan <qianfanguijin@163.com>
    Tested-by: qianfan <qianfanguijin@163.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 2d188e3b06ed5db9f1f477388d1551d632e1fd68
Author: Janusz Krzysztofik <jmkrzyszt@gmail.com>
Date:   Sun Apr 10 15:07:54 2022 +0200

    ARM: OMAP1: clock: Fix UART rate reporting algorithm
    
    [ Upstream commit 338d5d476cde853dfd97378d20496baabc2ce3c0 ]
    
    Since its introduction to the mainline kernel, omap1_uart_recalc() helper
    makes incorrect use of clk->enable_bit as a ready to use bitmap mask while
    it only provides the bit number.  Fix it.
    
    Signed-off-by: Janusz Krzysztofik <jmkrzyszt@gmail.com>
    Acked-by: Tony Lindgren <tony@atomide.com>
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit c381558c278a540c61dfef1f2b77ab817d5d302d
Author: Zixuan Fu <r33s3n6@gmail.com>
Date:   Mon Apr 11 18:45:34 2022 +0800

    fs: jfs: fix possible NULL pointer dereference in dbFree()
    
    [ Upstream commit 0d4837fdb796f99369cf7691d33de1b856bcaf1f ]
    
    In our fault-injection testing, the variable "nblocks" in dbFree() can be
    zero when kmalloc_array() fails in dtSearch(). In this case, the variable
     "mp" in dbFree() would be NULL and then it is dereferenced in
    "write_metapage(mp)".
    
    The failure log is listed as follows:
    
    [   13.824137] BUG: kernel NULL pointer dereference, address: 0000000000000020
    ...
    [   13.827416] RIP: 0010:dbFree+0x5f7/0x910 [jfs]
    [   13.834341] Call Trace:
    [   13.834540]  <TASK>
    [   13.834713]  txFreeMap+0x7b4/0xb10 [jfs]
    [   13.835038]  txUpdateMap+0x311/0x650 [jfs]
    [   13.835375]  jfs_lazycommit+0x5f2/0xc70 [jfs]
    [   13.835726]  ? sched_dynamic_update+0x1b0/0x1b0
    [   13.836092]  kthread+0x3c2/0x4a0
    [   13.836355]  ? txLockFree+0x160/0x160 [jfs]
    [   13.836763]  ? kthread_unuse_mm+0x160/0x160
    [   13.837106]  ret_from_fork+0x1f/0x30
    [   13.837402]  </TASK>
    ...
    
    This patch adds a NULL check of "mp" before "write_metapage(mp)" is called.
    
    Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
    Signed-off-by: Zixuan Fu <r33s3n6@gmail.com>
    Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 664736e2cc09e504ce58ec61164d029d1f2651bb
Author: Brian Norris <briannorris@chromium.org>
Date:   Tue Mar 8 11:08:59 2022 -0800

    PM / devfreq: rk3399_dmc: Disable edev on remove()
    
    [ Upstream commit 2fccf9e6050e0e3b8b4cd275d41daf7f7fa22804 ]
    
    Otherwise we hit an unablanced enable-count when unbinding the DFI
    device:
    
    [ 1279.659119] ------------[ cut here ]------------
    [ 1279.659179] WARNING: CPU: 2 PID: 5638 at drivers/devfreq/devfreq-event.c:360 devfreq_event_remove_edev+0x84/0x8c
    ...
    [ 1279.659352] Hardware name: Google Kevin (DT)
    [ 1279.659363] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO BTYPE=--)
    [ 1279.659371] pc : devfreq_event_remove_edev+0x84/0x8c
    [ 1279.659380] lr : devm_devfreq_event_release+0x1c/0x28
    ...
    [ 1279.659571] Call trace:
    [ 1279.659582]  devfreq_event_remove_edev+0x84/0x8c
    [ 1279.659590]  devm_devfreq_event_release+0x1c/0x28
    [ 1279.659602]  release_nodes+0x1cc/0x244
    [ 1279.659611]  devres_release_all+0x44/0x60
    [ 1279.659621]  device_release_driver_internal+0x11c/0x1ac
    [ 1279.659629]  device_driver_detach+0x20/0x2c
    [ 1279.659641]  unbind_store+0x7c/0xb0
    [ 1279.659650]  drv_attr_store+0x2c/0x40
    [ 1279.659663]  sysfs_kf_write+0x44/0x58
    [ 1279.659672]  kernfs_fop_write_iter+0xf4/0x190
    [ 1279.659684]  vfs_write+0x2b0/0x2e4
    [ 1279.659693]  ksys_write+0x80/0xec
    [ 1279.659701]  __arm64_sys_write+0x24/0x30
    [ 1279.659714]  el0_svc_common+0xf0/0x1d8
    [ 1279.659724]  do_el0_svc_compat+0x28/0x3c
    [ 1279.659738]  el0_svc_compat+0x10/0x1c
    [ 1279.659746]  el0_sync_compat_handler+0xa8/0xcc
    [ 1279.659758]  el0_sync_compat+0x188/0x1c0
    [ 1279.659768] ---[ end trace cec200e5094155b4 ]---
    
    Signed-off-by: Brian Norris <briannorris@chromium.org>
    Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 1fbb64036bfc6bce883b3e0d966b0cae8dbb8403
Author: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Date:   Thu Apr 7 21:29:59 2022 +0200

    ARM: dts: ox820: align interrupt controller node name with dtschema
    
    [ Upstream commit fbcd5ad7a419ad40644a0bb8b4152bc660172d8a ]
    
    Fixes dtbs_check warnings like:
    
      gic@1000: $nodename:0: 'gic@1000' does not match '^interrupt-controller(@[0-9a-f,]+)*$'
    
    Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    Acked-by: Neil Armstrong <narmstrong@baylibre.com>
    Link: https://lore.kernel.org/r/20220317115705.450427-1-krzysztof.kozlowski@canonical.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit cb85d30a830a91f157940cd88b90528a4b658b81
Author: Jakub Kicinski <kuba@kernel.org>
Date:   Fri May 20 12:56:05 2022 -0700

    eth: tg3: silence the GCC 12 array-bounds warning
    
    [ Upstream commit 9dec850fd7c210a04b4707df8e6c95bfafdd6a4b ]
    
    GCC 12 currently generates a rather inconsistent warning:
    
    drivers/net/ethernet/broadcom/tg3.c:17795:51: warning: array subscript 5 is above array bounds of ‘struct tg3_napi[5]’ [-Warray-bounds]
    17795 |                 struct tg3_napi *tnapi = &tp->napi[i];
          |                                           ~~~~~~~~^~~
    
    i is guaranteed < tp->irq_max which in turn is either 1 or 5.
    There are more loops like this one in the driver, but strangely
    GCC 12 dislikes only this single one.
    
    Silence this silliness for now.
    
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3e257048a3cfdd923cd29be82135a5dee29802eb
Author: David Howells <dhowells@redhat.com>
Date:   Sat May 21 08:45:41 2022 +0100

    rxrpc: Return an error to sendmsg if call failed
    
    [ Upstream commit 4ba68c5192554876bd8c3afd904e3064d2915341 ]
    
    If at the end of rxrpc sendmsg() or rxrpc_kernel_send_data() the call that
    was being given data was aborted remotely or otherwise failed, return an
    error rather than returning the amount of data buffered for transmission.
    
    The call (presumably) did not complete, so there's not much point
    continuing with it.  AF_RXRPC considers it "complete" and so will be
    unwilling to do anything else with it - and won't send a notification for
    it, deeming the return from sendmsg sufficient.
    
    Not returning an error causes afs to incorrectly handle a StoreData
    operation that gets interrupted by a change of address due to NAT
    reconfiguration.
    
    This doesn't normally affect most operations since their request parameters
    tend to fit into a single UDP packet and afs_make_call() returns before the
    server responds; StoreData is different as it involves transmission of a
    lot of data.
    
    This can be triggered on a client by doing something like:
    
            dd if=/dev/zero of=/afs/example.com/foo bs=1M count=512
    
    at one prompt, and then changing the network address at another prompt,
    e.g.:
    
            ifconfig enp6s0 inet 192.168.6.2 && route add 192.168.6.1 dev enp6s0
    
    Tracing packets on an Auristor fileserver looks something like:
    
    192.168.6.1 -> 192.168.6.3  RX 107 ACK Idle  Seq: 0  Call: 4  Source Port: 7000  Destination Port: 7001
    192.168.6.3 -> 192.168.6.1  AFS (RX) 1482 FS Request: Unknown(64538) (64538)
    192.168.6.3 -> 192.168.6.1  AFS (RX) 1482 FS Request: Unknown(64538) (64538)
    192.168.6.1 -> 192.168.6.3  RX 107 ACK Idle  Seq: 0  Call: 4  Source Port: 7000  Destination Port: 7001
    <ARP exchange for 192.168.6.2>
    192.168.6.2 -> 192.168.6.1  AFS (RX) 1482 FS Request: Unknown(0) (0)
    192.168.6.2 -> 192.168.6.1  AFS (RX) 1482 FS Request: Unknown(0) (0)
    192.168.6.1 -> 192.168.6.2  RX 107 ACK Exceeds Window  Seq: 0  Call: 4  Source Port: 7000  Destination Port: 7001
    192.168.6.1 -> 192.168.6.2  RX 74 ABORT  Seq: 0  Call: 4  Source Port: 7000  Destination Port: 7001
    192.168.6.1 -> 192.168.6.2  RX 74 ABORT  Seq: 29321  Call: 4  Source Port: 7000  Destination Port: 7001
    
    The Auristor fileserver logs code -453 (RXGEN_SS_UNMARSHAL), but the abort
    code received by kafs is -5 (RX_PROTOCOL_ERROR) as the rx layer sees the
    condition and generates an abort first and the unmarshal error is a
    consequence of that at the application layer.
    
    Reported-by: Marc Dionne <marc.dionne@auristor.com>
    Signed-off-by: David Howells <dhowells@redhat.com>
    cc: linux-afs@lists.infradead.org
    Link: http://lists.infradead.org/pipermail/linux-afs/2021-December/004810.html # v1
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f5af297158603dfef42b86d56b751a0799aadbc5
Author: Guenter Roeck <linux@roeck-us.net>
Date:   Wed May 11 06:22:51 2022 -0700

    hwmon: Make chip parameter for with_info API mandatory
    
    [ Upstream commit ddaefa209c4ac791c1262e97c9b2d0440c8ef1d5 ]
    
    Various attempts were made recently to "convert" the old
    hwmon_device_register() API to devm_hwmon_device_register_with_info()
    by just changing the function name without actually converting the
    driver. Prevent this from happening by making the 'chip' parameter of
    devm_hwmon_device_register_with_info() mandatory.
    
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 381e50eedd3c11c0db1f60e7040daef22542714c
Author: Kwanghoon Son <k.son@samsung.com>
Date:   Wed Apr 27 03:16:45 2022 +0200

    media: exynos4-is: Fix compile warning
    
    [ Upstream commit e080f5c1f2b6d02c02ee5d674e0e392ccf63bbaf ]
    
    Declare static on function 'fimc_isp_video_device_unregister'.
    
    When VIDEO_EXYNOS4_ISP_DMA_CAPTURE=n, compiler warns about
    warning: no previous prototype for function [-Wmissing-prototypes]
    
    Reported-by: kernel test robot <lkp@intel.com>
    Signed-off-by: Kwanghoon Son <k.son@samsung.com>
    Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 91e720b32cba25fa58eaa4c88fe957009cffe9f3
Author: Fabio Estevam <festevam@denx.de>
Date:   Fri May 13 08:46:12 2022 -0300

    net: phy: micrel: Allow probing without .driver_data
    
    [ Upstream commit f2ef6f7539c68c6bd6c32323d8845ee102b7c450 ]
    
    Currently, if the .probe element is present in the phy_driver structure
    and the .driver_data is not, a NULL pointer dereference happens.
    
    Allow passing .probe without .driver_data by inserting NULL checks
    for priv->type.
    
    Signed-off-by: Fabio Estevam <festevam@denx.de>
    Reviewed-by: Andrew Lunn <andrew@lunn.ch>
    Link: https://lore.kernel.org/r/20220513114613.762810-1-festevam@gmail.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 0941150100173d4eaf3fe08ff4b16740e7c3026f
Author: Lin Ma <linma@zju.edu.cn>
Date:   Mon May 16 17:20:35 2022 +0800

    ASoC: rt5645: Fix errorenous cleanup order
    
    [ Upstream commit 2def44d3aec59e38d2701c568d65540783f90f2f ]
    
    There is a logic error when removing rt5645 device as the function
    rt5645_i2c_remove() first cancel the &rt5645->jack_detect_work and
    delete the &rt5645->btn_check_timer latter. However, since the timer
    handler rt5645_btn_check_callback() will re-queue the jack_detect_work,
    this cleanup order is buggy.
    
    That is, once the del_timer_sync in rt5645_i2c_remove is concurrently
    run with the rt5645_btn_check_callback, the canceled jack_detect_work
    will be rescheduled again, leading to possible use-after-free.
    
    This patch fix the issue by placing the del_timer_sync function before
    the cancel_delayed_work_sync.
    
    Signed-off-by: Lin Ma <linma@zju.edu.cn>
    Link: https://lore.kernel.org/r/20220516092035.28283-1-linma@zju.edu.cn
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 8da2b7bdb47e94bbc4062a3978c708926bcb022c
Author: Smith, Kyle Miller (Nimble Kernel) <kyles@hpe.com>
Date:   Fri Apr 22 14:40:32 2022 +0000

    nvme-pci: fix a NULL pointer dereference in nvme_alloc_admin_tags
    
    [ Upstream commit da42761181627e9bdc37d18368b827948a583929 ]
    
    In nvme_alloc_admin_tags, the admin_q can be set to an error (typically
    -ENOMEM) if the blk_mq_init_queue call fails to set up the queue, which
    is checked immediately after the call. However, when we return the error
    message up the stack, to nvme_reset_work the error takes us to
    nvme_remove_dead_ctrl()
      nvme_dev_disable()
       nvme_suspend_queue(&dev->queues[0]).
    
    Here, we only check that the admin_q is non-NULL, rather than not
    an error or NULL, and begin quiescing a queue that never existed, leading
    to bad / NULL pointer dereference.
    
    Signed-off-by: Kyle Smith <kyles@hpe.com>
    Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
    Reviewed-by: Hannes Reinecke <hare@suse.de>
    Signed-off-by: Christoph Hellwig <hch@lst.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3da53f07f216c468d9b5ffd2c69fcd1940cd0573
Author: Jason A. Donenfeld <Jason@zx2c4.com>
Date:   Sat Apr 23 21:11:41 2022 +0200

    openrisc: start CPU timer early in boot
    
    [ Upstream commit 516dd4aacd67a0f27da94f3fe63fe0f4dbab6e2b ]
    
    In order to measure the boot process, the timer should be switched on as
    early in boot as possible. As well, the commit defines the get_cycles
    macro, like the previous patches in this series, so that generic code is
    aware that it's implemented by the platform, as is done on other archs.
    
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Arnd Bergmann <arnd@arndb.de>
    Cc: Jonas Bonn <jonas@southpole.se>
    Cc: Stefan Kristiansson <stefan.kristiansson@saunalahti.fi>
    Acked-by: Stafford Horne <shorne@gmail.com>
    Reported-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 8c473068d246419f88fa0ef48cabf967bd520670
Author: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Date:   Fri May 6 09:43:25 2022 +0200

    media: cec-adap.c: fix is_configuring state
    
    [ Upstream commit 59267fc34f4900dcd2ec3295f6be04b79aee2186 ]
    
    If an adapter is trying to claim a free logical address then it is
    in the 'is_configuring' state. If during that process the cable is
    disconnected (HPD goes low, which in turn invalidates the physical
    address), then cec_adap_unconfigure() is called, and that set the
    is_configuring boolean to false, even though the thread that's
    trying to claim an LA is still running.
    
    Don't touch the is_configuring bool in cec_adap_unconfigure(), it
    will eventually be cleared by the thread. By making that change
    the cec_config_log_addr() function also had to change: it was
    aborting if is_configuring became false (since that is what
    cec_adap_unconfigure() did), but that no longer works. Instead
    check if the physical address is invalid. That is a much
    more appropriate check anyway.
    
    This fixes a bug where the the adapter could be disabled even
    though the device was still configuring. This could cause POLL
    transmits to time out.
    
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit eceba751b6725792b1ec830717fbb30691a5996d
Author: Dongliang Mu <mudongliangabcd@gmail.com>
Date:   Wed May 11 09:44:52 2022 +0800

    rtlwifi: Use pr_warn instead of WARN_ONCE
    
    [ Upstream commit ad732da434a2936128769216eddaece3b1af4588 ]
    
    This memory allocation failure can be triggered by fault injection or
    high pressure testing, resulting a WARN.
    
    Fix this by replacing WARN with pr_warn.
    
    Reported-by: syzkaller <syzkaller@googlegroups.com>
    Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
    Signed-off-by: Kalle Valo <kvalo@kernel.org>
    Link: https://lore.kernel.org/r/20220511014453.1621366-1-dzm91@hust.edu.cn
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit aca1b19df1f90cca91b1a1cdf48519915143a476
Author: Corey Minyard <cminyard@mvista.com>
Date:   Fri Apr 1 07:44:53 2022 -0500

    ipmi:ssif: Check for NULL msg when handling events and messages
    
    [ Upstream commit 7602b957e2404e5f98d9a40b68f1fd27f0028712 ]
    
    Even though it's not possible to get into the SSIF_GETTING_MESSAGES and
    SSIF_GETTING_EVENTS states without a valid message in the msg field,
    it's probably best to be defensive here and check and print a log, since
    that means something else went wrong.
    
    Also add a default clause to that switch statement to release the lock
    and print a log, in case the state variable gets messed up somehow.
    
    Reported-by: Haowen Bai <baihaowen@meizu.com>
    Signed-off-by: Corey Minyard <cminyard@mvista.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a4d4e55e34079bc72fbf2f63e9babcf67f8fe195
Author: Mikulas Patocka <mpatocka@redhat.com>
Date:   Tue May 10 13:17:32 2022 -0400

    dma-debug: change allocation mode from GFP_NOWAIT to GFP_ATIOMIC
    
    [ Upstream commit 84bc4f1dbbbb5f8aa68706a96711dccb28b518e5 ]
    
    We observed the error "cacheline tracking ENOMEM, dma-debug disabled"
    during a light system load (copying some files). The reason for this error
    is that the dma_active_cacheline radix tree uses GFP_NOWAIT allocation -
    so it can't access the emergency memory reserves and it fails as soon as
    anybody reaches the watermark.
    
    This patch changes GFP_NOWAIT to GFP_ATOMIC, so that it can access the
    emergency memory reserves.
    
    Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
    Signed-off-by: Christoph Hellwig <hch@lst.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 0f0629ecfac4256c615a495b8bf0bee13ffaeeba
Author: Heiko Carstens <hca@linux.ibm.com>
Date:   Fri May 6 11:33:19 2022 +0200

    s390/preempt: disable __preempt_count_add() optimization for PROFILE_ALL_BRANCHES
    
    [ Upstream commit 63678eecec57fc51b778be3da35a397931287170 ]
    
    gcc 12 does not (always) optimize away code that should only be generated
    if parameters are constant and within in a certain range. This depends on
    various obscure kernel config options, however in particular
    PROFILE_ALL_BRANCHES can trigger this compile error:
    
    In function ‘__atomic_add_const’,
        inlined from ‘__preempt_count_add.part.0’ at ./arch/s390/include/asm/preempt.h:50:3:
    ./arch/s390/include/asm/atomic_ops.h:80:9: error: impossible constraint in ‘asm’
       80 |         asm volatile(                                                   \
          |         ^~~
    
    Workaround this by simply disabling the optimization for
    PROFILE_ALL_BRANCHES, since the kernel will be so slow, that this
    optimization won't matter at all.
    
    Reported-by: Thomas Richter <tmricht@linux.ibm.com>
    Reviewed-by: Sven Schnelle <svens@linux.ibm.com>
    Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit d9bc55398e59d73873a7747db6444bfe186f960f
Author: Charles Keepax <ckeepax@opensource.cirrus.com>
Date:   Wed May 4 18:08:52 2022 +0100

    ASoC: tscs454: Add endianness flag in snd_soc_component_driver
    
    [ Upstream commit ff69ec96b87dccb3a29edef8cec5d4fefbbc2055 ]
    
    The endianness flag is used on the CODEC side to specify an
    ambivalence to endian, typically because it is lost over the hardware
    link. This device receives audio over an I2S DAI and as such should
    have endianness applied.
    
    A fixup is also required to use the width directly rather than relying
    on the format in hw_params, now both little and big endian would be
    supported. It is worth noting this changes the behaviour of S24_LE to
    use a word length of 24 rather than 32. This would appear to be a
    correction since the fact S24_LE is stored as 32 bits should not be
    presented over the bus.
    
    Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
    Link: https://lore.kernel.org/r/20220504170905.332415-26-ckeepax@opensource.cirrus.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit c7c903396b4c50841f58e92ac4f0c48be36f310e
Author: Petr Machata <petrm@nvidia.com>
Date:   Wed May 4 09:29:05 2022 +0300

    mlxsw: spectrum_dcb: Do not warn about priority changes
    
    [ Upstream commit b6b584562cbe7dc357083459d6dd5b171e12cadb ]
    
    The idea behind the warnings is that the user would get warned in case when
    more than one priority is configured for a given DSCP value on a netdevice.
    
    The warning is currently wrong, because dcb_ieee_getapp_mask() returns
    the first matching entry, not all of them, and the warning will then claim
    that some priority is "current", when in fact it is not.
    
    But more importantly, the warning is misleading in general. Consider the
    following commands:
    
     # dcb app flush dev swp19 dscp-prio
     # dcb app add dev swp19 dscp-prio 24:3
     # dcb app replace dev swp19 dscp-prio 24:2
    
    The last command will issue the following warning:
    
     mlxsw_spectrum3 0000:07:00.0 swp19: Ignoring new priority 2 for DSCP 24 in favor of current value of 3
    
    The reason is that the "replace" command works by first adding the new
    value, and then removing all old values. This is the only way to make the
    replacement without causing the traffic to be prioritized to whatever the
    chip defaults to. The warning is issued in response to adding the new
    priority, and then no warning is shown when the old priority is removed.
    The upshot is that the canonical way to change traffic prioritization
    always produces a warning about ignoring the new priority, but what gets
    configured is in fact what the user intended.
    
    An option to just emit warning every time that the prioritization changes
    just to make it clear that it happened is obviously unsatisfactory.
    
    Therefore, in this patch, remove the warnings.
    
    Reported-by: Maksym Yaremchuk <maksymy@nvidia.com>
    Signed-off-by: Petr Machata <petrm@nvidia.com>
    Signed-off-by: Ido Schimmel <idosch@nvidia.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 9cc7ba4f1531280d7fb18aa0481f1fd860fd82c0
Author: Mark Brown <broonie@kernel.org>
Date:   Thu Apr 28 17:18:32 2022 +0100

    ASoC: dapm: Don't fold register value changes into notifications
    
    [ Upstream commit ad685980469b9f9b99d4d6ea05f4cb8f57cb2234 ]
    
    DAPM tracks and reports the value presented to the user from DAPM controls
    separately to the register value, these may diverge during initialisation
    or when an autodisable control is in use.
    
    When writing DAPM controls we currently report that a change has occurred
    if either the DAPM value or the value stored in the register has changed,
    meaning that if the two are out of sync we may appear to report a spurious
    event to userspace. Since we use this folded in value for nothing other
    than the value reported to userspace simply drop the folding in of the
    register change.
    
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Link: https://lore.kernel.org/r/20220428161833.3690050-1-broonie@kernel.org
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit d242dcb2a3343429a9ddc304f046a778c56e8c51
Author: jianghaoran <jianghaoran@kylinos.cn>
Date:   Fri Apr 29 13:38:02 2022 +0800

    ipv6: Don't send rs packets to the interface of ARPHRD_TUNNEL
    
    [ Upstream commit b52e1cce31ca721e937d517411179f9196ee6135 ]
    
    ARPHRD_TUNNEL interface can't process rs packets
    and will generate TX errors
    
    ex:
    ip tunnel add ethn mode ipip local 192.168.1.1 remote 192.168.1.2
    ifconfig ethn x.x.x.x
    
    ethn: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1480
            inet x.x.x.x  netmask 255.255.255.255  destination x.x.x.x
            inet6 fe80::5efe:ac1e:3cdb  prefixlen 64  scopeid 0x20<link>
            tunnel   txqueuelen 1000  (IPIP Tunnel)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 3  dropped 0 overruns 0  carrier 0  collisions 0
    
    Signed-off-by: jianghaoran <jianghaoran@kylinos.cn>
    Link: https://lore.kernel.org/r/20220429053802.246681-1-jianghaoran@kylinos.cn
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 030d376ed1f47223ef3cb1473a8a2945a7fe1f50
Author: Evan Quan <evan.quan@amd.com>
Date:   Mon Apr 25 10:16:46 2022 +0800

    drm/amd/pm: fix the compile warning
    
    [ Upstream commit 555238d92ac32dbad2d77ad2bafc48d17391990c ]
    
    Fix the compile warning below:
    drivers/gpu/drm/amd/amdgpu/../pm/legacy-dpm/kv_dpm.c:1641
    kv_get_acp_boot_level() warn: always true condition '(table->entries[i]->clk >= 0) => (0-u32max >= 0)'
    
    Reported-by: kernel test robot <lkp@intel.com>
    CC: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Evan Quan <evan.quan@amd.com>
    Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 4ab7e453a3ee88c274cf97bee9487ab92a66d313
Author: Steven Price <steven.price@arm.com>
Date:   Fri Dec 3 10:28:15 2021 +0000

    drm/plane: Move range check for format_count earlier
    
    [ Upstream commit 4b674dd69701c2e22e8e7770c1706a69f3b17269 ]
    
    While the check for format_count > 64 in __drm_universal_plane_init()
    shouldn't be hit (it's a WARN_ON), in its current position it will then
    leak the plane->format_types array and fail to call
    drm_mode_object_unregister() leaking the modeset identifier. Move it to
    the start of the function to avoid allocating those resources in the
    first place.
    
    Signed-off-by: Steven Price <steven.price@arm.com>
    Signed-off-by: Liviu Dudau <liviu.dudau@arm.com>
    Link: https://lore.kernel.org/dri-devel/20211203102815.38624-1-steven.price@arm.com/
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 80c79a036a322d9c8122e471534177de18404412
Author: Lv Ruyi <lv.ruyi@zte.com.cn>
Date:   Mon Apr 18 10:57:55 2022 +0000

    scsi: megaraid: Fix error check return value of register_chrdev()
    
    [ Upstream commit c5acd61dbb32b6bda0f3a354108f2b8dcb788985 ]
    
    If major equals 0, register_chrdev() returns an error code when it fails.
    This function dynamically allocates a major and returns its number on
    success, so we should use "< 0" to check it instead of "!".
    
    Link: https://lore.kernel.org/r/20220418105755.2558828-1-lv.ruyi@zte.com.cn
    Reported-by: Zeal Robot <zealci@zte.com.cn>
    Signed-off-by: Lv Ruyi <lv.ruyi@zte.com.cn>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 422e8f7ba1e08c8e0e88d375bcb550bc2bbfe96d
Author: Heming Zhao <heming.zhao@suse.com>
Date:   Fri Apr 1 10:13:16 2022 +0800

    md/bitmap: don't set sb values if can't pass sanity check
    
    [ Upstream commit e68cb83a57a458b01c9739e2ad9cb70b04d1e6d2 ]
    
    If bitmap area contains invalid data, kernel will crash then mdadm
    triggers "Segmentation fault".
    This is cluster-md speical bug. In non-clustered env, mdadm will
    handle broken metadata case. In clustered array, only kernel space
    handles bitmap slot info. But even this bug only happened in clustered
    env, current sanity check is wrong, the code should be changed.
    
    How to trigger: (faulty injection)
    
    dd if=/dev/zero bs=1M count=1 oflag=direct of=/dev/sda
    dd if=/dev/zero bs=1M count=1 oflag=direct of=/dev/sdb
    mdadm -C /dev/md0 -b clustered -e 1.2 -n 2 -l mirror /dev/sda /dev/sdb
    mdadm -Ss
    echo aaa > magic.txt
     == below modifying slot 2 bitmap data ==
    dd if=magic.txt of=/dev/sda seek=16384 bs=1 count=3 <== destroy magic
    dd if=/dev/zero of=/dev/sda seek=16436 bs=1 count=4 <== ZERO chunksize
    mdadm -A /dev/md0 /dev/sda /dev/sdb
     == kernel crashes. mdadm outputs "Segmentation fault" ==
    
    Reason of kernel crash:
    
    In md_bitmap_read_sb (called by md_bitmap_create), bad bitmap magic didn't
    block chunksize assignment, and zero value made DIV_ROUND_UP_SECTOR_T()
    trigger "divide error".
    
    Crash log:
    
    kernel: md: md0 stopped.
    kernel: md/raid1:md0: not clean -- starting background reconstruction
    kernel: md/raid1:md0: active with 2 out of 2 mirrors
    kernel: dlm: ... ...
    kernel: md-cluster: Joined cluster 44810aba-38bb-e6b8-daca-bc97a0b254aa slot 1
    kernel: md0: invalid bitmap file superblock: bad magic
    kernel: md_bitmap_copy_from_slot can't get bitmap from slot 2
    kernel: md-cluster: Could not gather bitmaps from slot 2
    kernel: divide error: 0000 [#1] SMP NOPTI
    kernel: CPU: 0 PID: 1603 Comm: mdadm Not tainted 5.14.6-1-default
    kernel: Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
    kernel: RIP: 0010:md_bitmap_create+0x1d1/0x850 [md_mod]
    kernel: RSP: 0018:ffffc22ac0843ba0 EFLAGS: 00010246
    kernel: ... ...
    kernel: Call Trace:
    kernel:  ? dlm_lock_sync+0xd0/0xd0 [md_cluster 77fe..7a0]
    kernel:  md_bitmap_copy_from_slot+0x2c/0x290 [md_mod 24ea..d3a]
    kernel:  load_bitmaps+0xec/0x210 [md_cluster 77fe..7a0]
    kernel:  md_bitmap_load+0x81/0x1e0 [md_mod 24ea..d3a]
    kernel:  do_md_run+0x30/0x100 [md_mod 24ea..d3a]
    kernel:  md_ioctl+0x1290/0x15a0 [md_mod 24ea....d3a]
    kernel:  ? mddev_unlock+0xaa/0x130 [md_mod 24ea..d3a]
    kernel:  ? blkdev_ioctl+0xb1/0x2b0
    kernel:  block_ioctl+0x3b/0x40
    kernel:  __x64_sys_ioctl+0x7f/0xb0
    kernel:  do_syscall_64+0x59/0x80
    kernel:  ? exit_to_user_mode_prepare+0x1ab/0x230
    kernel:  ? syscall_exit_to_user_mode+0x18/0x40
    kernel:  ? do_syscall_64+0x69/0x80
    kernel:  entry_SYSCALL_64_after_hwframe+0x44/0xae
    kernel: RIP: 0033:0x7f4a15fa722b
    kernel: ... ...
    kernel: ---[ end trace 8afa7612f559c868 ]---
    kernel: RIP: 0010:md_bitmap_create+0x1d1/0x850 [md_mod]
    
    Reported-by: kernel test robot <lkp@intel.com>
    Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
    Acked-by: Guoqing Jiang <guoqing.jiang@linux.dev>
    Signed-off-by: Heming Zhao <heming.zhao@suse.com>
    Signed-off-by: Song Liu <song@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 258639bc55a586ee6df92d89786ccf1c71546d70
Author: Zheyu Ma <zheyuma97@gmail.com>
Date:   Sun Apr 10 08:44:09 2022 +0100

    media: cx25821: Fix the warning when removing the module
    
    [ Upstream commit 2203436a4d24302871617373a7eb21bc17e38762 ]
    
    When removing the module, we will get the following warning:
    
    [   14.746697] remove_proc_entry: removing non-empty directory 'irq/21', leaking at least 'cx25821[1]'
    [   14.747449] WARNING: CPU: 4 PID: 368 at fs/proc/generic.c:717 remove_proc_entry+0x389/0x3f0
    [   14.751611] RIP: 0010:remove_proc_entry+0x389/0x3f0
    [   14.759589] Call Trace:
    [   14.759792]  <TASK>
    [   14.759975]  unregister_irq_proc+0x14c/0x170
    [   14.760340]  irq_free_descs+0x94/0xe0
    [   14.760640]  mp_unmap_irq+0xb6/0x100
    [   14.760937]  acpi_unregister_gsi_ioapic+0x27/0x40
    [   14.761334]  acpi_pci_irq_disable+0x1d3/0x320
    [   14.761688]  pci_disable_device+0x1ad/0x380
    [   14.762027]  ? _raw_spin_unlock_irqrestore+0x2d/0x60
    [   14.762442]  ? cx25821_shutdown+0x20/0x9f0 [cx25821]
    [   14.762848]  cx25821_finidev+0x48/0xc0 [cx25821]
    [   14.763242]  pci_device_remove+0x92/0x240
    
    Fix this by freeing the irq before call pci_disable_device().
    
    Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 7b9978e1c94e569d65a0e7e719abb9340f5db4a0
Author: Zheyu Ma <zheyuma97@gmail.com>
Date:   Sun Apr 10 08:34:41 2022 +0100

    media: pci: cx23885: Fix the error handling in cx23885_initdev()
    
    [ Upstream commit e8123311cf06d7dae71e8c5fe78e0510d20cd30b ]
    
    When the driver fails to call the dma_set_mask(), the driver will get
    the following splat:
    
    [   55.853884] BUG: KASAN: use-after-free in __process_removed_driver+0x3c/0x240
    [   55.854486] Read of size 8 at addr ffff88810de60408 by task modprobe/590
    [   55.856822] Call Trace:
    [   55.860327]  __process_removed_driver+0x3c/0x240
    [   55.861347]  bus_for_each_dev+0x102/0x160
    [   55.861681]  i2c_del_driver+0x2f/0x50
    
    This is because the driver has initialized the i2c related resources
    in cx23885_dev_setup() but not released them in error handling, fix this
    bug by modifying the error path that jumps after failing to call the
    dma_set_mask().
    
    Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a21d15dde21d7e8ae047eb8368677407db45d840
Author: Luca Weiss <luca.weiss@fairphone.com>
Date:   Fri Jan 14 11:02:26 2022 +0000

    media: venus: hfi: avoid null dereference in deinit
    
    [ Upstream commit 86594f6af867b5165d2ba7b5a71fae3a5961e56c ]
    
    If venus_probe fails at pm_runtime_put_sync the error handling first
    calls hfi_destroy and afterwards hfi_core_deinit. As hfi_destroy sets
    core->ops to NULL, hfi_core_deinit cannot call the core_deinit function
    anymore.
    
    Avoid this null pointer derefence by skipping the call when necessary.
    
    Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
    Signed-off-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 33d5ef45525eb7d8255f3c746f086354dac84d11
Author: Thibaut VARÈNE <hacks+kernel@slashdirt.org>
Date:   Sun Apr 17 16:51:45 2022 +0200

    ath9k: fix QCA9561 PA bias level
    
    [ Upstream commit e999a5da28a0e0f7de242d841ef7d5e48f4646ae ]
    
    This patch fixes an invalid TX PA DC bias level on QCA9561, which
    results in a very low output power and very low throughput as devices
    are further away from the AP (compared to other 2.4GHz APs).
    
    This patch was suggested by Felix Fietkau, who noted[1]:
    "The value written to that register is wrong, because while the mask
    definition AR_CH0_TOP2_XPABIASLVL uses a different value for 9561, the
    shift definition AR_CH0_TOP2_XPABIASLVL_S is hardcoded to 12, which is
    wrong for 9561."
    
    In real life testing, without this patch the 2.4GHz throughput on
    Yuncore XD3200 is around 10Mbps sitting next to the AP, and closer to
    practical maximum with the patch applied.
    
    [1] https://lore.kernel.org/all/91c58969-c60e-2f41-00ac-737786d435ae@nbd.name
    
    Signed-off-by: Thibaut VARÈNE <hacks+kernel@slashdirt.org>
    Acked-by: Felix Fietkau <nbd@nbd.name>
    Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
    Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
    Link: https://lore.kernel.org/r/20220417145145.1847-1-hacks+kernel@slashdirt.org
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit c0e811c4ccf3b42705976285e3a94cc82dea7300
Author: Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp>
Date:   Tue Apr 19 10:37:19 2022 +0000

    drm/amd/pm: fix double free in si_parse_power_table()
    
    [ Upstream commit f3fa2becf2fc25b6ac7cf8d8b1a2e4a86b3b72bd ]
    
    In function si_parse_power_table(), array adev->pm.dpm.ps and its member
    is allocated. If the allocation of each member fails, the array itself
    is freed and returned with an error code. However, the array is later
    freed again in si_dpm_fini() function which is called when the function
    returns an error.
    
    This leads to potential double free of the array adev->pm.dpm.ps, as
    well as leak of its array members, since the members are not freed in
    the allocation function and the array is not nulled when freed.
    In addition adev->pm.dpm.num_ps, which keeps track of the allocated
    array member, is not updated until the member allocation is
    successfully finished, this could also lead to either use after free,
    or uninitialized variable access in si_dpm_fini().
    
    Fix this by postponing the free of the array until si_dpm_fini() and
    increment adev->pm.dpm.num_ps everytime the array member is allocated.
    
    Signed-off-by: Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit c093b62c40027c21d649c5534ad7aa3605a99b00
Author: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
Date:   Tue Apr 12 11:16:28 2022 +0200

    ALSA: jack: Access input_dev under mutex
    
    [ Upstream commit 1b6a6fc5280e97559287b61eade2d4b363e836f2 ]
    
    It is possible when using ASoC that input_dev is unregistered while
    calling snd_jack_report, which causes NULL pointer dereference.
    In order to prevent this serialize access to input_dev using mutex lock.
    
    Signed-off-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
    Reviewed-by: Cezary Rojewski <cezary.rojewski@intel.com>
    Link: https://lore.kernel.org/r/20220412091628.3056922-1-amadeuszx.slawinski@linux.intel.com
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 6217a96f09a942400e7a3e70742b8be62fc25116
Author: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Date:   Wed Apr 6 02:29:38 2022 +0300

    ACPICA: Avoid cache flush inside virtual machines
    
    [ Upstream commit e2efb6359e620521d1e13f69b2257de8ceaa9475 ]
    
    While running inside virtual machine, the kernel can bypass cache
    flushing. Changing sleep state in a virtual machine doesn't affect the
    host system sleep state and cannot lead to data loss.
    
    Before entering sleep states, the ACPI code flushes caches to prevent
    data loss using the WBINVD instruction.  This mechanism is required on
    bare metal.
    
    But, any use WBINVD inside of a guest is worthless.  Changing sleep
    state in a virtual machine doesn't affect the host system sleep state
    and cannot lead to data loss, so most hypervisors simply ignore it.
    Despite this, the ACPI code calls WBINVD unconditionally anyway.
    It's useless, but also normally harmless.
    
    In TDX guests, though, WBINVD stops being harmless; it triggers a
    virtualization exception (#VE).  If the ACPI cache-flushing WBINVD
    were left in place, TDX guests would need handling to recover from
    the exception.
    
    Avoid using WBINVD whenever running under a hypervisor.  This both
    removes the useless WBINVDs and saves TDX from implementing WBINVD
    handling.
    
    Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
    Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
    Reviewed-by: Dave Hansen <dave.hansen@linux.intel.com>
    Reviewed-by: Dan Williams <dan.j.williams@intel.com>
    Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
    Link: https://lkml.kernel.org/r/20220405232939.73860-30-kirill.shutemov@linux.intel.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 7d372549b96cce5895c406a6524c4d77df37927c
Author: Daniel Vetter <daniel.vetter@ffwll.ch>
Date:   Tue Apr 5 23:03:31 2022 +0200

    fbcon: Consistently protect deferred_takeover with console_lock()
    
    [ Upstream commit 43553559121ca90965b572cf8a1d6d0fd618b449 ]
    
    This shouldn't be a problem in practice since until we've actually
    taken over the console there's nothing we've registered with the
    console/vt subsystem, so the exit/unbind path that check this can't
    do the wrong thing. But it's confusing, so fix it by moving it a tad
    later.
    
    Acked-by: Sam Ravnborg <sam@ravnborg.org>
    Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
    Cc: Daniel Vetter <daniel@ffwll.ch>
    Cc: Du Cheng <ducheng2@gmail.com>
    Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    Cc: Claudio Suarez <cssk@net-c.es>
    Cc: Thomas Zimmermann <tzimmermann@suse.de>
    Link: https://patchwork.freedesktop.org/patch/msgid/20220405210335.3434130-14-daniel.vetter@ffwll.ch
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 459524eacaab4a4aef36875fade8da754b97f62e
Author: Niels Dossche <dossche.niels@gmail.com>
Date:   Mon Apr 4 01:15:24 2022 +0200

    ipv6: fix locking issues with loops over idev->addr_list
    
    [ Upstream commit 51454ea42c1ab4e0c2828bb0d4d53957976980de ]
    
    idev->addr_list needs to be protected by idev->lock. However, it is not
    always possible to do so while iterating and performing actions on
    inet6_ifaddr instances. For example, multiple functions (like
    addrconf_{join,leave}_anycast) eventually call down to other functions
    that acquire the idev->lock. The current code temporarily unlocked the
    idev->lock during the loops, which can cause race conditions. Moving the
    locks up is also not an appropriate solution as the ordering of lock
    acquisition will be inconsistent with for example mc_lock.
    
    This solution adds an additional field to inet6_ifaddr that is used
    to temporarily add the instances to a temporary list while holding
    idev->lock. The temporary list can then be traversed without holding
    idev->lock. This change was done in two places. In addrconf_ifdown, the
    list_for_each_entry_safe variant of the list loop is also no longer
    necessary as there is no deletion within that specific loop.
    
    Suggested-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Niels Dossche <dossche.niels@gmail.com>
    Acked-by: Paolo Abeni <pabeni@redhat.com>
    Link: https://lore.kernel.org/r/20220403231523.45843-1-dossche.niels@gmail.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 167affc11781d7d35c4c3a7630a549ac74dd0b21
Author: Haowen Bai <baihaowen@meizu.com>
Date:   Fri Apr 1 15:10:54 2022 +0800

    ipw2x00: Fix potential NULL dereference in libipw_xmit()
    
    [ Upstream commit e8366bbabe1d207cf7c5b11ae50e223ae6fc278b ]
    
    crypt and crypt->ops could be null, so we need to checking null
    before dereference
    
    Signed-off-by: Haowen Bai <baihaowen@meizu.com>
    Signed-off-by: Kalle Valo <kvalo@kernel.org>
    Link: https://lore.kernel.org/r/1648797055-25730-1-git-send-email-baihaowen@meizu.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 456b3950a555a34c70c48792b538e61052ba1dd6
Author: Haowen Bai <baihaowen@meizu.com>
Date:   Fri Mar 25 18:15:15 2022 +0800

    b43: Fix assigning negative value to unsigned variable
    
    [ Upstream commit 11800d893b38e0e12d636c170c1abc19c43c730c ]
    
    fix warning reported by smatch:
    drivers/net/wireless/broadcom/b43/phy_n.c:585 b43_nphy_adjust_lna_gain_table()
    warn: assigning (-2) to unsigned variable '*(lna_gain[0])'
    
    Signed-off-by: Haowen Bai <baihaowen@meizu.com>
    Signed-off-by: Kalle Valo <kvalo@kernel.org>
    Link: https://lore.kernel.org/r/1648203315-28093-1-git-send-email-baihaowen@meizu.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a07d1582a327dc2ff28211180cbf475e169b1ed2
Author: Haowen Bai <baihaowen@meizu.com>
Date:   Fri Mar 25 18:17:13 2022 +0800

    b43legacy: Fix assigning negative value to unsigned variable
    
    [ Upstream commit 3f6b867559b3d43a7ce1b4799b755e812fc0d503 ]
    
    fix warning reported by smatch:
    drivers/net/wireless/broadcom/b43legacy/phy.c:1181 b43legacy_phy_lo_b_measure()
    warn: assigning (-772) to unsigned variable 'fval'
    
    Signed-off-by: Haowen Bai <baihaowen@meizu.com>
    Signed-off-by: Kalle Valo <kvalo@kernel.org>
    Link: https://lore.kernel.org/r/1648203433-8736-1-git-send-email-baihaowen@meizu.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f72ebb8f07f0369a638d2ca3e895876fa40caa38
Author: Niels Dossche <dossche.niels@gmail.com>
Date:   Mon Mar 21 23:55:16 2022 +0100

    mwifiex: add mutex lock for call in mwifiex_dfs_chan_sw_work_queue
    
    [ Upstream commit 3e12968f6d12a34b540c39cbd696a760cc4616f0 ]
    
    cfg80211_ch_switch_notify uses ASSERT_WDEV_LOCK to assert that
    net_device->ieee80211_ptr->mtx (which is the same as priv->wdev.mtx)
    is held during the function's execution.
    mwifiex_dfs_chan_sw_work_queue is one of its callers, which does not
    hold that lock, therefore violating the assertion.
    Add a lock around the call.
    
    Disclaimer:
    I am currently working on a static analyser to detect missing locks.
    This was a reported case. I manually verified the report by looking
    at the code, so that I do not send wrong information or patches.
    After concluding that this seems to be a true positive, I created
    this patch.
    However, as I do not in fact have this particular hardware,
    I was unable to test it.
    
    Reviewed-by: Brian Norris <briannorris@chromium.org>
    Signed-off-by: Niels Dossche <dossche.niels@gmail.com>
    Signed-off-by: Kalle Valo <kvalo@kernel.org>
    Link: https://lore.kernel.org/r/20220321225515.32113-1-dossche.niels@gmail.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit edafcad84c4134ebec4bc24b29ca4497a1184eea
Author: Liu Zixian <liuzixian4@huawei.com>
Date:   Tue Mar 22 17:17:30 2022 +0800

    drm/virtio: fix NULL pointer dereference in virtio_gpu_conn_get_modes
    
    [ Upstream commit 194d250cdc4a40ccbd179afd522a9e9846957402 ]
    
    drm_cvt_mode may return NULL and we should check it.
    
    This bug is found by syzkaller:
    
    FAULT_INJECTION stacktrace:
    [  168.567394] FAULT_INJECTION: forcing a failure.
    name failslab, interval 1, probability 0, space 0, times 1
    [  168.567403] CPU: 1 PID: 6425 Comm: syz Kdump: loaded Not tainted 4.19.90-vhulk2201.1.0.h1035.kasan.eulerosv2r10.aarch64 #1
    [  168.567406] Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
    [  168.567408] Call trace:
    [  168.567414]  dump_backtrace+0x0/0x310
    [  168.567418]  show_stack+0x28/0x38
    [  168.567423]  dump_stack+0xec/0x15c
    [  168.567427]  should_fail+0x3ac/0x3d0
    [  168.567437]  __should_failslab+0xb8/0x120
    [  168.567441]  should_failslab+0x28/0xc0
    [  168.567445]  kmem_cache_alloc_trace+0x50/0x640
    [  168.567454]  drm_mode_create+0x40/0x90
    [  168.567458]  drm_cvt_mode+0x48/0xc78
    [  168.567477]  virtio_gpu_conn_get_modes+0xa8/0x140 [virtio_gpu]
    [  168.567485]  drm_helper_probe_single_connector_modes+0x3a4/0xd80
    [  168.567492]  drm_mode_getconnector+0x2e0/0xa70
    [  168.567496]  drm_ioctl_kernel+0x11c/0x1d8
    [  168.567514]  drm_ioctl+0x558/0x6d0
    [  168.567522]  do_vfs_ioctl+0x160/0xf30
    [  168.567525]  ksys_ioctl+0x98/0xd8
    [  168.567530]  __arm64_sys_ioctl+0x50/0xc8
    [  168.567536]  el0_svc_common+0xc8/0x320
    [  168.567540]  el0_svc_handler+0xf8/0x160
    [  168.567544]  el0_svc+0x10/0x218
    
    KASAN stacktrace:
    [  168.567561] BUG: KASAN: null-ptr-deref in virtio_gpu_conn_get_modes+0xb4/0x140 [virtio_gpu]
    [  168.567565] Read of size 4 at addr 0000000000000054 by task syz/6425
    [  168.567566]
    [  168.567571] CPU: 1 PID: 6425 Comm: syz Kdump: loaded Not tainted 4.19.90-vhulk2201.1.0.h1035.kasan.eulerosv2r10.aarch64 #1
    [  168.567573] Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
    [  168.567575] Call trace:
    [  168.567578]  dump_backtrace+0x0/0x310
    [  168.567582]  show_stack+0x28/0x38
    [  168.567586]  dump_stack+0xec/0x15c
    [  168.567591]  kasan_report+0x244/0x2f0
    [  168.567594]  __asan_load4+0x58/0xb0
    [  168.567607]  virtio_gpu_conn_get_modes+0xb4/0x140 [virtio_gpu]
    [  168.567612]  drm_helper_probe_single_connector_modes+0x3a4/0xd80
    [  168.567617]  drm_mode_getconnector+0x2e0/0xa70
    [  168.567621]  drm_ioctl_kernel+0x11c/0x1d8
    [  168.567624]  drm_ioctl+0x558/0x6d0
    [  168.567628]  do_vfs_ioctl+0x160/0xf30
    [  168.567632]  ksys_ioctl+0x98/0xd8
    [  168.567636]  __arm64_sys_ioctl+0x50/0xc8
    [  168.567641]  el0_svc_common+0xc8/0x320
    [  168.567645]  el0_svc_handler+0xf8/0x160
    [  168.567649]  el0_svc+0x10/0x218
    
    Signed-off-by: Liu Zixian <liuzixian4@huawei.com>
    Link: http://patchwork.freedesktop.org/patch/msgid/20220322091730.1653-1-liuzixian4@huawei.com
    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit ad08decfbf90ccfccadeb076fde3ced84e103d09
Author: Qu Wenruo <wqu@suse.com>
Date:   Mon Feb 28 15:05:53 2022 +0800

    btrfs: repair super block num_devices automatically
    
    commit d201238ccd2f30b9bfcfadaeae0972e3a486a176 upstream.
    
    [BUG]
    There is a report that a btrfs has a bad super block num devices.
    
    This makes btrfs to reject the fs completely.
    
      BTRFS error (device sdd3): super_num_devices 3 mismatch with num_devices 2 found here
      BTRFS error (device sdd3): failed to read chunk tree: -22
      BTRFS error (device sdd3): open_ctree failed
    
    [CAUSE]
    During btrfs device removal, chunk tree and super block num devs are
    updated in two different transactions:
    
      btrfs_rm_device()
      |- btrfs_rm_dev_item(device)
      |  |- trans = btrfs_start_transaction()
      |  |  Now we got transaction X
      |  |
      |  |- btrfs_del_item()
      |  |  Now device item is removed from chunk tree
      |  |
      |  |- btrfs_commit_transaction()
      |     Transaction X got committed, super num devs untouched,
      |     but device item removed from chunk tree.
      |     (AKA, super num devs is already incorrect)
      |
      |- cur_devices->num_devices--;
      |- cur_devices->total_devices--;
      |- btrfs_set_super_num_devices()
         All those operations are not in transaction X, thus it will
         only be written back to disk in next transaction.
    
    So after the transaction X in btrfs_rm_dev_item() committed, but before
    transaction X+1 (which can be minutes away), a power loss happen, then
    we got the super num mismatch.
    
    This has been fixed by commit bbac58698a55 ("btrfs: remove device item
    and update super block in the same transaction").
    
    [FIX]
    Make the super_num_devices check less strict, converting it from a hard
    error to a warning, and reset the value to a correct one for the current
    or next transaction commit.
    
    As the number of device items is the critical information where the
    super block num_devices is only a cached value (and also useful for
    cross checking), it's safe to automatically update it. Other device
    related problems like missing device are handled after that and may
    require other means to resolve, like degraded mount. With this fix,
    potentially affected filesystems won't fail mount and require the manual
    repair by btrfs check.
    
    Reported-by: Luca Béla Palkovics <luca.bela.palkovics@gmail.com>
    Link: https://lore.kernel.org/linux-btrfs/CA+8xDSpvdm_U0QLBAnrH=zqDq_cWCOH5TiV46CKmp3igr44okQ@mail.gmail.com/
    CC: stable@vger.kernel.org # 4.14+
    Signed-off-by: Qu Wenruo <wqu@suse.com>
    Reviewed-by: David Sterba <dsterba@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 344153d796d0fbe7faac88bcc3c2dd3786ce9fe1
Author: Qu Wenruo <wqu@suse.com>
Date:   Tue May 10 15:10:18 2022 +0800

    btrfs: add "0x" prefix for unsupported optional features
    
    commit d5321a0fa8bc49f11bea0b470800962c17d92d8f upstream.
    
    The following error message lack the "0x" obviously:
    
      cannot mount because of unsupported optional features (4000)
    
    Add the prefix to make it less confusing. This can happen on older
    kernels that try to mount a filesystem with newer features so it makes
    sense to backport to older trees.
    
    CC: stable@vger.kernel.org # 4.14+
    Reviewed-by: Nikolay Borisov <nborisov@suse.com>
    Signed-off-by: Qu Wenruo <wqu@suse.com>
    Reviewed-by: David Sterba <dsterba@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 77508cd7695d09da1f7281e23907ad0ed70d8465
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Fri Apr 29 09:23:55 2022 -0500

    ptrace: Reimplement PTRACE_KILL by always sending SIGKILL
    
    commit 6a2d90ba027adba528509ffa27097cffd3879257 upstream.
    
    The current implementation of PTRACE_KILL is buggy and has been for
    many years as it assumes it's target has stopped in ptrace_stop.  At a
    quick skim it looks like this assumption has existed since ptrace
    support was added in linux v1.0.
    
    While PTRACE_KILL has been deprecated we can not remove it as
    a quick search with google code search reveals many existing
    programs calling it.
    
    When the ptracee is not stopped at ptrace_stop some fields would be
    set that are ignored except in ptrace_stop.  Making the userspace
    visible behavior of PTRACE_KILL a noop in those case.
    
    As the usual rules are not obeyed it is not clear what the
    consequences are of calling PTRACE_KILL on a running process.
    Presumably userspace does not do this as it achieves nothing.
    
    Replace the implementation of PTRACE_KILL with a simple
    send_sig_info(SIGKILL) followed by a return 0.  This changes the
    observable user space behavior only in that PTRACE_KILL on a process
    not stopped in ptrace_stop will also kill it.  As that has always
    been the intent of the code this seems like a reasonable change.
    
    Cc: stable@vger.kernel.org
    Reported-by: Al Viro <viro@zeniv.linux.org.uk>
    Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
    Tested-by: Kees Cook <keescook@chromium.org>
    Reviewed-by: Oleg Nesterov <oleg@redhat.com>
    Link: https://lkml.kernel.org/r/20220505182645.497868-7-ebiederm@xmission.com
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c35ff84870309bd07fd35315f061ebf8c752f65e
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Tue Apr 26 16:45:37 2022 -0500

    ptrace/xtensa: Replace PT_SINGLESTEP with TIF_SINGLESTEP
    
    commit 4a3d2717d140401df7501a95e454180831a0c5af upstream.
    
    xtensa is the last user of the PT_SINGLESTEP flag.  Changing tsk->ptrace in
    user_enable_single_step and user_disable_single_step without locking could
    potentiallly cause problems.
    
    So use a thread info flag instead of a flag in tsk->ptrace.  Use TIF_SINGLESTEP
    that xtensa already had defined but unused.
    
    Remove the definitions of PT_SINGLESTEP and PT_BLOCKSTEP as they have no more users.
    
    Cc: stable@vger.kernel.org
    Acked-by: Max Filippov <jcmvbkbc@gmail.com>
    Tested-by: Kees Cook <keescook@chromium.org>
    Reviewed-by: Oleg Nesterov <oleg@redhat.com>
    Link: https://lkml.kernel.org/r/20220505182645.497868-4-ebiederm@xmission.com
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0956f87c18df0764b6ccec4e78244eeeec76be4c
Author: Monish Kumar R <monish.kumar.r@intel.com>
Date:   Fri May 20 18:30:44 2022 +0530

    USB: new quirk for Dell Gen 2 devices
    
    commit 97fa5887cf283bb75ffff5f6b2c0e71794c02400 upstream.
    
    Add USB_QUIRK_NO_LPM and USB_QUIRK_RESET_RESUME quirks for Dell usb gen
    2 device to not fail during enumeration.
    
    Found this bug on own testing
    
    Signed-off-by: Monish Kumar R <monish.kumar.r@intel.com>
    Cc: stable <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20220520130044.17303-1-monish.kumar.r@intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a037e4f3d37bc4bdd9a8f94f6b8c21242b9e0155
Author: Carl Yin(殷张成) <carl.yin@quectel.com>
Date:   Thu May 19 02:34:43 2022 +0000

    USB: serial: option: add Quectel BG95 modem
    
    commit 33b7af2f459df453feb0d44628d820c47fefe7a8 upstream.
    
    The BG95 modem has 3 USB configurations that are configurable via the AT
    command AT+QCFGEXT="usbnet",["ecm"|"modem"|"rmnet"] which make the modem
    enumerate with the following interfaces, respectively:
    
    "modem": Diag + GNSS + Modem + Modem
    "ecm"  : Diag + GNSS + Modem + ECM
    "rmnet": Diag + GNSS + Modem + QMI
             Don't support Full QMI messages (e.g WDS_START_NETWORK_INTERFACE)
    
    A detailed description of the USB configuration for each mode follows:
    
    +QCFGEXT: "usbnet","modem"
    --------------------------
    T:  Bus=01 Lev=02 Prnt=02 Port=01 Cnt=01 Dev#=  3 Spd=480  MxCh= 0
    D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
    P:  Vendor=2c7c ProdID=0700 Rev= 0.00
    S:  Manufacturer=Quectel, Incorporated
    S:  Product=Quectel LPWA Module
    S:  SerialNumber=884328a2
    C:* #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=500mA
    I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
    E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
    E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
    E:  Ad=83(I) Atr=03(Int.) MxPS=  64 Ivl=2ms
    E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=fe Prot=ff Driver=option
    E:  Ad=85(I) Atr=03(Int.) MxPS=  64 Ivl=2ms
    E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    
    +QCFGEXT: "usbnet","ecm"
    ------------------------
    T:  Bus=01 Lev=02 Prnt=02 Port=01 Cnt=01 Dev#=  4 Spd=480  MxCh= 0
    D:  Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
    P:  Vendor=2c7c ProdID=0700 Rev= 0.00
    S:  Manufacturer=Quectel, Incorporated
    S:  Product=Quectel LPWA Module
    S:  SerialNumber=884328a2
    C:* #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
    A:  FirstIf#= 3 IfCount= 2 Cls=02(comm.) Sub=00 Prot=00
    I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
    E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
    E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
    E:  Ad=83(I) Atr=03(Int.) MxPS=  64 Ivl=2ms
    E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 3 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=06 Prot=00 Driver=cdc_ether
    E:  Ad=85(I) Atr=03(Int.) MxPS=  64 Ivl=2ms
    I:  If#= 4 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
    I:* If#= 4 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
    E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    
    +QCFGEXT: "usbnet","rmnet"
    --------------------------
    T:  Bus=01 Lev=02 Prnt=02 Port=01 Cnt=01 Dev#=  4 Spd=480  MxCh= 0
    D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
    P:  Vendor=2c7c ProdID=0700 Rev= 0.00
    S:  Manufacturer=Quectel, Incorporated
    S:  Product=Quectel LPWA Module
    S:  SerialNumber=884328a2
    C:* #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=500mA
    I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
    E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
    E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
    E:  Ad=83(I) Atr=03(Int.) MxPS=  64 Ivl=2ms
    E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
    E:  Ad=85(I) Atr=03(Int.) MxPS=  64 Ivl=2ms
    E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    
    Signed-off-by: Carl Yin <carl.yin@quectel.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit fd03aed7ec3087dfea403d4b887e2b68c62326f4
Author: Marios Levogiannis <marios.levogiannis@gmail.com>
Date:   Mon May 30 10:41:31 2022 +0300

    ALSA: hda/realtek - Fix microphone noise on ASUS TUF B550M-PLUS
    
    commit 9bfa7b36343c7d84370bc61c9ed774635b05e4eb upstream.
    
    Set microphone pins 0x18 (rear) and 0x19 (front) to VREF_50 to fix the
    microphone noise on ASUS TUF B550M-PLUS which uses the ALCS1200A codec.
    The initial value was VREF_80.
    
    The same issue is also present on Windows using both the default Windows
    driver and all tested Realtek drivers before version 6.0.9049.1. Comparing
    Realtek driver 6.0.9049.1 (the first one without the microphone noise) to
    Realtek driver 6.0.9047.1 (the last one with the microphone noise)
    revealed that the fix is the result of setting pins 0x18 and 0x19 to
    VREF_50.
    
    This fix may also work for other boards that have been reported to have
    the same microphone issue and use the ALC1150 and ALCS1200A codecs, since
    these codecs are similar and the fix in the Realtek driver on Windows is
    common for both. However, it is currently enabled only for ASUS TUF
    B550M-PLUS as this is the only board that could be tested.
    
    Signed-off-by: Marios Levogiannis <marios.levogiannis@gmail.com>
    Cc: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20220530074131.12258-1-marios.levogiannis@gmail.com
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0258add5fe8c23fe837fe5f3fdee245d8628e67c
Author: Niklas Cassel <niklas.cassel@wdc.com>
Date:   Thu Apr 14 11:10:18 2022 +0200

    binfmt_flat: do not stop relocating GOT entries prematurely on riscv
    
    commit 6045ab5fea4c849153ebeb0acb532da5f29d69c4 upstream.
    
    bFLT binaries are usually created using elf2flt.
    
    The linker script used by elf2flt has defined the .data section like the
    following for the last 19 years:
    
    .data : {
            _sdata = . ;
            __data_start = . ;
            data_start = . ;
            *(.got.plt)
            *(.got)
            FILL(0) ;
            . = ALIGN(0x20) ;
            LONG(-1)
            . = ALIGN(0x20) ;
            ...
    }
    
    It places the .got.plt input section before the .got input section.
    The same is true for the default linker script (ld --verbose) on most
    architectures except x86/x86-64.
    
    The binfmt_flat loader should relocate all GOT entries until it encounters
    a -1 (the LONG(-1) in the linker script).
    
    The problem is that the .got.plt input section starts with a GOTPLT header
    (which has size 16 bytes on elf64-riscv and 8 bytes on elf32-riscv), where
    the first word is set to -1. See the binutils implementation for riscv [1].
    
    This causes the binfmt_flat loader to stop relocating GOT entries
    prematurely and thus causes the application to crash when running.
    
    Fix this by skipping the whole GOTPLT header, since the whole GOTPLT header
    is reserved for the dynamic linker.
    
    The GOTPLT header will only be skipped for bFLT binaries with flag
    FLAT_FLAG_GOTPIC set. This flag is unconditionally set by elf2flt if the
    supplied ELF binary has the symbol _GLOBAL_OFFSET_TABLE_ defined.
    ELF binaries without a .got input section should thus remain unaffected.
    
    Tested on RISC-V Canaan Kendryte K210 and RISC-V QEMU nommu_virt_defconfig.
    
    [1] https://sourceware.org/git/?p=binutils-gdb.git;a=blob;f=bfd/elfnn-riscv.c;hb=binutils-2_38#l3275
    
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Niklas Cassel <niklas.cassel@wdc.com>
    Reviewed-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
    Link: https://lore.kernel.org/r/20220414091018.896737-1-niklas.cassel@wdc.com
    Fixed-by: kernel test robot <lkp@intel.com>
    Link: https://lore.kernel.org/lkml/202204182333.OIUOotK8-lkp@intel.com
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>