commit 47cccb1eb2fec6c639261847ff4fea1e2c2656aa
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Tue Feb 1 17:27:16 2022 +0100

    Linux 5.15.19
    
    Link: https://lore.kernel.org/r/20220131105229.959216821@linuxfoundation.org
    Tested-by: Jon Hunter <jonathanh@nvidia.com>
    Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
    Tested-by: Ron Economos <re@w6rz.net>
    Tested-by: Shuah Khan <skhan@linuxfoundation.org>
    Tested-by: Florian Fainelli <f.fainelli@gmail.com>
    Tested-by: Guenter Roeck <linux@roeck-us.net>
    Tested-by: Bagas Sanjaya <bagasdotme@gmail.com>
    Tested-by: Sudip Mukherjee <sudip.mukherjee@codethink.co.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a9739362c7b5bb61736e40d90a3364acf66b3ae3
Author: Geert Uytterhoeven <geert@linux-m68k.org>
Date:   Mon Nov 22 14:21:38 2021 +0100

    mtd: rawnand: mpc5121: Remove unused variable in ads5121_select_chip()
    
    commit 33a0da68fb073360d36ce1a0e852f75fede7c21e upstream.
    
    drivers/mtd/nand/raw/mpc5121_nfc.c: In function ‘ads5121_select_chip’:
    drivers/mtd/nand/raw/mpc5121_nfc.c:294:19: warning: unused variable ‘mtd’ [-Wunused-variable]
      294 |  struct mtd_info *mtd = nand_to_mtd(nand);
          |                   ^~~
    
    Fixes: 758b56f58b66bebc ("mtd: rawnand: Pass a nand_chip object to chip->select_chip()")
    Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
    Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
    Link: https://lore.kernel.org/linux-mtd/20211122132138.3899138-1-geert@linux-m68k.org
    Cc: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4633a79ff8bc82770486a063a08b55e5162521d8
Author: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Date:   Sun Jan 9 18:36:43 2022 +0900

    block: Fix wrong offset in bio_truncate()
    
    commit 3ee859e384d453d6ac68bfd5971f630d9fa46ad3 upstream.
    
    bio_truncate() clears the buffer outside of last block of bdev, however
    current bio_truncate() is using the wrong offset of page. So it can
    return the uninitialized data.
    
    This happened when both of truncated/corrupted FS and userspace (via
    bdev) are trying to read the last of bdev.
    
    Reported-by: syzbot+ac94ae5f68b84197f41c@syzkaller.appspotmail.com
    Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
    Reviewed-by: Ming Lei <ming.lei@redhat.com>
    Link: https://lore.kernel.org/r/875yqt1c9g.fsf@mail.parknet.co.jp
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3d7b7272ce9deb7157670f584274f37d8b12f81f
Author: Amir Goldstein <amir73il@gmail.com>
Date:   Thu Jan 20 23:53:04 2022 +0200

    fsnotify: invalidate dcache before IN_DELETE event
    
    commit a37d9a17f099072fe4d3a9048b0321978707a918 upstream.
    
    Apparently, there are some applications that use IN_DELETE event as an
    invalidation mechanism and expect that if they try to open a file with
    the name reported with the delete event, that it should not contain the
    content of the deleted file.
    
    Commit 49246466a989 ("fsnotify: move fsnotify_nameremove() hook out of
    d_delete()") moved the fsnotify delete hook before d_delete() so fsnotify
    will have access to a positive dentry.
    
    This allowed a race where opening the deleted file via cached dentry
    is now possible after receiving the IN_DELETE event.
    
    To fix the regression, create a new hook fsnotify_delete() that takes
    the unlinked inode as an argument and use a helper d_delete_notify() to
    pin the inode, so we can pass it to fsnotify_delete() after d_delete().
    
    Backporting hint: this regression is from v5.3. Although patch will
    apply with only trivial conflicts to v5.4 and v5.10, it won't build,
    because fsnotify_delete() implementation is different in each of those
    versions (see fsnotify_link()).
    
    A follow up patch will fix the fsnotify_unlink/rmdir() calls in pseudo
    filesystem that do not need to call d_delete().
    
    Link: https://lore.kernel.org/r/20220120215305.282577-1-amir73il@gmail.com
    Reported-by: Ivan Delalande <colona@arista.com>
    Link: https://lore.kernel.org/linux-fsdevel/YeNyzoDM5hP5LtGW@visor/
    Fixes: 49246466a989 ("fsnotify: move fsnotify_nameremove() hook out of d_delete()")
    Cc: stable@vger.kernel.org # v5.3+
    Signed-off-by: Amir Goldstein <amir73il@gmail.com>
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e8421a9d7bb39ee7a386fd7bc6b3b913fe78ae5e
Author: Dmitry V. Levin <ldv@altlinux.org>
Date:   Mon Jan 3 04:24:02 2022 +0300

    usr/include/Makefile: add linux/nfc.h to the compile-test coverage
    
    commit 10756dc5b02bff370ddd351d7744bc99ada659c2 upstream.
    
    As linux/nfc.h userspace compilation was finally fixed by commits
    79b69a83705e ("nfc: uapi: use kernel size_t to fix user-space builds")
    and 7175f02c4e5f ("uapi: fix linux/nfc.h userspace compilation errors"),
    there is no need to keep the compile-test exception for it in
    usr/include/Makefile.
    
    Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
    Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c571505aa0fcbb52fc30d45ae12857e0fa1cefbd
Author: Robert Hancock <robert.hancock@calian.com>
Date:   Thu Jan 27 16:15:00 2022 -0600

    usb: dwc3: xilinx: fix uninitialized return value
    
    commit b470947c3672f7eb7c4c271d510383d896831cc2 upstream.
    
    A previous patch to skip part of the initialization when a USB3 PHY was
    not present could result in the return value being uninitialized in that
    case, causing spurious probe failures. Initialize ret to 0 to avoid this.
    
    Fixes: 9678f3361afc ("usb: dwc3: xilinx: Skip resets and USB3 register settings for USB2.0 mode")
    Cc: <stable@vger.kernel.org>
    Reviewed-by: Nathan Chancellor <nathan@kernel.org>
    Signed-off-by: Robert Hancock <robert.hancock@calian.com>
    Link: https://lore.kernel.org/r/20220127221500.177021-1-robert.hancock@calian.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 442414e8c4745e2be807866e5c775d3b780a775a
Author: Suren Baghdasaryan <surenb@google.com>
Date:   Sat Jan 29 13:41:20 2022 -0800

    psi: fix "defined but not used" warnings when CONFIG_PROC_FS=n
    
    commit 44585f7bc0cb01095bc2ad4258049c02bbad21ef upstream.
    
    When CONFIG_PROC_FS is disabled psi code generates the following
    warnings:
    
      kernel/sched/psi.c:1364:30: warning: 'psi_cpu_proc_ops' defined but not used [-Wunused-const-variable=]
          1364 | static const struct proc_ops psi_cpu_proc_ops = {
               |                              ^~~~~~~~~~~~~~~~
      kernel/sched/psi.c:1355:30: warning: 'psi_memory_proc_ops' defined but not used [-Wunused-const-variable=]
          1355 | static const struct proc_ops psi_memory_proc_ops = {
               |                              ^~~~~~~~~~~~~~~~~~~
      kernel/sched/psi.c:1346:30: warning: 'psi_io_proc_ops' defined but not used [-Wunused-const-variable=]
          1346 | static const struct proc_ops psi_io_proc_ops = {
               |                              ^~~~~~~~~~~~~~~
    
    Make definitions of these structures and related functions conditional
    on CONFIG_PROC_FS config.
    
    Link: https://lkml.kernel.org/r/20220119223940.787748-3-surenb@google.com
    Fixes: 0e94682b73bf ("psi: introduce psi monitor")
    Signed-off-by: Suren Baghdasaryan <surenb@google.com>
    Reported-by: kernel test robot <lkp@intel.com>
    Acked-by: Johannes Weiner <hannes@cmpxchg.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 949c4c188955f2cf486ae776aed142c10d15cedf
Author: Suren Baghdasaryan <surenb@google.com>
Date:   Sat Jan 29 13:41:17 2022 -0800

    psi: fix "no previous prototype" warnings when CONFIG_CGROUPS=n
    
    commit 51e50fbd3efc6064c30ed73a5e009018b36e290a upstream.
    
    When CONFIG_CGROUPS is disabled psi code generates the following
    warnings:
    
      kernel/sched/psi.c:1112:21: warning: no previous prototype for 'psi_trigger_create' [-Wmissing-prototypes]
          1112 | struct psi_trigger *psi_trigger_create(struct psi_group *group,
               |                     ^~~~~~~~~~~~~~~~~~
      kernel/sched/psi.c:1182:6: warning: no previous prototype for 'psi_trigger_destroy' [-Wmissing-prototypes]
          1182 | void psi_trigger_destroy(struct psi_trigger *t)
               |      ^~~~~~~~~~~~~~~~~~~
      kernel/sched/psi.c:1249:10: warning: no previous prototype for 'psi_trigger_poll' [-Wmissing-prototypes]
          1249 | __poll_t psi_trigger_poll(void **trigger_ptr,
               |          ^~~~~~~~~~~~~~~~
    
    Change the declarations of these functions in the header to provide the
    prototypes even when they are unused.
    
    Link: https://lkml.kernel.org/r/20220119223940.787748-2-surenb@google.com
    Fixes: 0e94682b73bf ("psi: introduce psi monitor")
    Signed-off-by: Suren Baghdasaryan <surenb@google.com>
    Reported-by: kernel test robot <lkp@intel.com>
    Acked-by: Johannes Weiner <hannes@cmpxchg.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit fd26531855e62fa210015dcd493e1c8c3814aea1
Author: Namhyung Kim <namhyung@kernel.org>
Date:   Mon Jan 24 11:58:08 2022 -0800

    perf/core: Fix cgroup event list management
    
    commit c5de60cd622a2607c043ba65e25a6e9998a369f9 upstream.
    
    The active cgroup events are managed in the per-cpu cgrp_cpuctx_list.
    This list is only accessed from current cpu and not protected by any
    locks.  But from the commit ef54c1a476ae ("perf: Rework
    perf_event_exit_event()"), it's possible to access (actually modify)
    the list from another cpu.
    
    In the perf_remove_from_context(), it can remove an event from the
    context without an IPI when the context is not active.  This is not
    safe with cgroup events which can have some active events in the
    context even if ctx->is_active is 0 at the moment.  The target cpu
    might be in the middle of list iteration at the same time.
    
    If the event is enabled when it's about to be closed, it might call
    perf_cgroup_event_disable() and list_del() with the cgrp_cpuctx_list
    on a different cpu.
    
    This resulted in a crash due to an invalid list pointer access during
    the cgroup list traversal on the cpu which the event belongs to.
    
    Let's fallback to IPI to access the cgrp_cpuctx_list from that cpu.
    Similarly, perf_install_in_context() should use IPI for the cgroup
    events too.
    
    Fixes: ef54c1a476ae ("perf: Rework perf_event_exit_event()")
    Signed-off-by: Namhyung Kim <namhyung@kernel.org>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Link: https://lkml.kernel.org/r/20220124195808.2252071-1-namhyung@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit cba7bdc0472040550e2e573dac0f0f02b9aac7b3
Author: Marc Kleine-Budde <mkl@pengutronix.de>
Date:   Fri Jan 14 18:47:41 2022 +0100

    dt-bindings: can: tcan4x5x: fix mram-cfg RX FIFO config
    
    commit 17a30422621c0e04cb6060d20d7edcefd7463347 upstream.
    
    This tcan4x5x only comes with 2K of MRAM, a RX FIFO with a dept of 32
    doesn't fit into the MRAM. Use a depth of 16 instead.
    
    Fixes: 4edd396a1911 ("dt-bindings: can: tcan4x5x: Add DT bindings for TCAN4x5X driver")
    Link: https://lore.kernel.org/all/20220119062951.2939851-1-mkl@pengutronix.de
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e905e1b65ce997bdf5bed4b5eb8c14ec26cbf0ed
Author: Sander Vanheule <sander@svanheule.net>
Date:   Sun Jan 9 15:54:33 2022 +0100

    irqchip/realtek-rtl: Fix off-by-one in routing
    
    commit 91351b5dd0fd494eb2d85e1bb6aca77b067447e0 upstream.
    
    There is an offset between routing values (1..6) and the connected MIPS
    CPU interrupts (2..7), but no distinction was made between these two
    values.
    
    This issue was previously hidden during testing, because an interrupt
    mapping was used where for each required interrupt another (unused)
    routing was configured, with an offset of +1.
    
    Offset the CPU IRQ numbers by -1 to retrieve the correct routing value.
    
    Fixes: 9f3a0f34b84a ("irqchip: Add support for Realtek RTL838x/RTL839x interrupt controller")
    Signed-off-by: Sander Vanheule <sander@svanheule.net>
    Signed-off-by: Marc Zyngier <maz@kernel.org>
    Link: https://lore.kernel.org/r/177b920aa8d8610615692d0e657e509f363c85ca.1641739718.git.sander@svanheule.net
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f67594cbf3c8e6226b7e15ba978f5213bba8a75a
Author: Sander Vanheule <sander@svanheule.net>
Date:   Sun Jan 9 15:54:32 2022 +0100

    irqchip/realtek-rtl: Map control data to virq
    
    commit 291e79c7e2eb6fdc016453597b78482e06199d0f upstream.
    
    The driver assigned the irqchip and irq handler to the hardware irq,
    instead of the virq. This is incorrect, and only worked because these
    irq numbers happened to be the same on the devices used for testing the
    original driver.
    
    Fixes: 9f3a0f34b84a ("irqchip: Add support for Realtek RTL838x/RTL839x interrupt controller")
    Signed-off-by: Sander Vanheule <sander@svanheule.net>
    Signed-off-by: Marc Zyngier <maz@kernel.org>
    Link: https://lore.kernel.org/r/4b4936606480265db47df152f00bc2ed46340599.1641739718.git.sander@svanheule.net
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit bcea886771c3f22a590c8c8b9139a107bd7f1e1c
Author: Brian Gix <brian.gix@intel.com>
Date:   Wed Nov 24 12:16:28 2021 -0800

    Bluetooth: refactor malicious adv data check
    
    commit 899663be5e75dc0174dc8bda0b5e6826edf0b29a upstream.
    
    Check for out-of-bound read was being performed at the end of while
    num_reports loop, and would fill journal with false positives. Added
    check to beginning of loop processing so that it doesn't get checked
    after ptr has been advanced.
    
    Signed-off-by: Brian Gix <brian.gix@intel.com>
    Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
    Cc: syphyr <syphyr@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c5e216e880fa6f2cd9d4a6541269377657163098
Author: Tim Yi <tim.yi@pica8.com>
Date:   Thu Jan 27 15:49:53 2022 +0800

    net: bridge: vlan: fix memory leak in __allowed_ingress
    
    [ Upstream commit fd20d9738395cf8e27d0a17eba34169699fccdff ]
    
    When using per-vlan state, if vlan snooping and stats are disabled,
    untagged or priority-tagged ingress frame will go to check pvid state.
    If the port state is forwarding and the pvid state is not
    learning/forwarding, untagged or priority-tagged frame will be dropped
    but skb memory is not freed.
    Should free skb when __allowed_ingress returns false.
    
    Fixes: a580c76d534c ("net: bridge: vlan: add per-vlan state")
    Signed-off-by: Tim Yi <tim.yi@pica8.com>
    Acked-by: Nikolay Aleksandrov <nikolay@nvidia.com>
    Link: https://lore.kernel.org/r/20220127074953.12632-1-tim.yi@pica8.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 8861857ccc9dcfb7f30980f494689d517b75731d
Author: Eric Dumazet <edumazet@google.com>
Date:   Wed Jan 26 17:34:04 2022 -0800

    ipv4: remove sparse error in ip_neigh_gw4()
    
    [ Upstream commit 3c42b2019863b327caa233072c50739d4144dd16 ]
    
    ./include/net/route.h:373:48: warning: incorrect type in argument 2 (different base types)
    ./include/net/route.h:373:48:    expected unsigned int [usertype] key
    ./include/net/route.h:373:48:    got restricted __be32 [usertype] daddr
    
    Fixes: 5c9f7c1dfc2e ("ipv4: Add helpers for neigh lookup for nexthop")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reviewed-by: David Ahern <dsahern@kernel.org>
    Link: https://lore.kernel.org/r/20220127013404.1279313-1-eric.dumazet@gmail.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit d887a33724eca80319b603602f80603167f80db4
Author: Eric Dumazet <edumazet@google.com>
Date:   Wed Jan 26 17:10:21 2022 -0800

    ipv4: tcp: send zero IPID in SYNACK messages
    
    [ Upstream commit 970a5a3ea86da637471d3cd04d513a0755aba4bf ]
    
    In commit 431280eebed9 ("ipv4: tcp: send zero IPID for RST and
    ACK sent in SYN-RECV and TIME-WAIT state") we took care of some
    ctl packets sent by TCP.
    
    It turns out we need to use a similar strategy for SYNACK packets.
    
    By default, they carry IP_DF and IPID==0, but there are ways
    to ask them to use the hashed IP ident generator and thus
    be used to build off-path attacks.
    (Ref: Off-Path TCP Exploits of the Mixed IPID Assignment)
    
    One of this way is to force (before listener is started)
    echo 1 >/proc/sys/net/ipv4/ip_no_pmtu_disc
    
    Another way is using forged ICMP ICMP_FRAG_NEEDED
    with a very small MTU (like 68) to force a false return from
    ip_dont_fragment()
    
    In this patch, ip_build_and_send_pkt() uses the following
    heuristics.
    
    1) Most SYNACK packets are smaller than IPV4_MIN_MTU and therefore
    can use IP_DF regardless of the listener or route pmtu setting.
    
    2) In case the SYNACK packet is bigger than IPV4_MIN_MTU,
    we use prandom_u32() generator instead of the IPv4 hashed ident one.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: Ray Che <xijiache@gmail.com>
    Reviewed-by: David Ahern <dsahern@kernel.org>
    Cc: Geoff Alexander <alexandg@cs.unm.edu>
    Cc: Willy Tarreau <w@1wt.eu>
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 4d0bd948ee86f40e4f1f01cf5f8fc791661097be
Author: Eric Dumazet <edumazet@google.com>
Date:   Wed Jan 26 16:51:16 2022 -0800

    ipv4: raw: lock the socket in raw_bind()
    
    [ Upstream commit 153a0d187e767c68733b8e9f46218eb1f41ab902 ]
    
    For some reason, raw_bind() forgot to lock the socket.
    
    BUG: KCSAN: data-race in __ip4_datagram_connect / raw_bind
    
    write to 0xffff8881170d4308 of 4 bytes by task 5466 on cpu 0:
     raw_bind+0x1b0/0x250 net/ipv4/raw.c:739
     inet_bind+0x56/0xa0 net/ipv4/af_inet.c:443
     __sys_bind+0x14b/0x1b0 net/socket.c:1697
     __do_sys_bind net/socket.c:1708 [inline]
     __se_sys_bind net/socket.c:1706 [inline]
     __x64_sys_bind+0x3d/0x50 net/socket.c:1706
     do_syscall_x64 arch/x86/entry/common.c:50 [inline]
     do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x44/0xae
    
    read to 0xffff8881170d4308 of 4 bytes by task 5468 on cpu 1:
     __ip4_datagram_connect+0xb7/0x7b0 net/ipv4/datagram.c:39
     ip4_datagram_connect+0x2a/0x40 net/ipv4/datagram.c:89
     inet_dgram_connect+0x107/0x190 net/ipv4/af_inet.c:576
     __sys_connect_file net/socket.c:1900 [inline]
     __sys_connect+0x197/0x1b0 net/socket.c:1917
     __do_sys_connect net/socket.c:1927 [inline]
     __se_sys_connect net/socket.c:1924 [inline]
     __x64_sys_connect+0x3d/0x50 net/socket.c:1924
     do_syscall_x64 arch/x86/entry/common.c:50 [inline]
     do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x44/0xae
    
    value changed: 0x00000000 -> 0x0003007f
    
    Reported by Kernel Concurrency Sanitizer on:
    CPU: 1 PID: 5468 Comm: syz-executor.5 Not tainted 5.17.0-rc1-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 2387357199a096a332d9533822e606a511808cb6
Author: Nikolay Aleksandrov <nikolay@nvidia.com>
Date:   Wed Jan 26 15:10:25 2022 +0200

    net: bridge: vlan: fix single net device option dumping
    
    [ Upstream commit dcb2c5c6ca9b9177f04abaf76e5a983d177c9414 ]
    
    When dumping vlan options for a single net device we send the same
    entries infinitely because user-space expects a 0 return at the end but
    we keep returning skb->len and restarting the dump on retry. Fix it by
    returning the value from br_vlan_dump_dev() if it completed or there was
    an error. The only case that must return skb->len is when the dump was
    incomplete and needs to continue (-EMSGSIZE).
    
    Reported-by: Benjamin Poirier <bpoirier@nvidia.com>
    Fixes: 8dcea187088b ("net: bridge: vlan: add rtm definitions and dump support")
    Signed-off-by: Nikolay Aleksandrov <nikolay@nvidia.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit e406345f8a26af5963936bc3aca32534adc30f16
Author: Guillaume Nault <gnault@redhat.com>
Date:   Wed Jan 26 16:38:52 2022 +0100

    Revert "ipv6: Honor all IPv6 PIO Valid Lifetime values"
    
    [ Upstream commit 36268983e90316b37000a005642af42234dabb36 ]
    
    This reverts commit b75326c201242de9495ff98e5d5cff41d7fc0d9d.
    
    This commit breaks Linux compatibility with USGv6 tests. The RFC this
    commit was based on is actually an expired draft: no published RFC
    currently allows the new behaviour it introduced.
    
    Without full IETF endorsement, the flash renumbering scenario this
    patch was supposed to enable is never going to work, as other IPv6
    equipements on the same LAN will keep the 2 hours limit.
    
    Fixes: b75326c20124 ("ipv6: Honor all IPv6 PIO Valid Lifetime values")
    Signed-off-by: Guillaume Nault <gnault@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 1ac025f24b89cfcb31184f8da8186c815c5f977c
Author: Catherine Sullivan <csully@google.com>
Date:   Tue Jan 25 16:38:43 2022 -0800

    gve: Fix GFP flags when allocing pages
    
    [ Upstream commit a92f7a6feeb3884c69c1c7c1f13bccecb2228ad0 ]
    
    Use GFP_ATOMIC when allocating pages out of the hotpath,
    continue to use GFP_KERNEL when allocating pages during setup.
    
    GFP_KERNEL will allow blocking which allows it to succeed
    more often in a low memory enviornment but in the hotpath we do
    not want to allow the allocation to block.
    
    Fixes: f5cedc84a30d2 ("gve: Add transmit and receive support")
    Signed-off-by: Catherine Sullivan <csully@google.com>
    Signed-off-by: David Awogbemila <awogbemila@google.com>
    Link: https://lore.kernel.org/r/20220126003843.3584521-1-awogbemila@google.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 35b092d3b57f47af50b6e5da77bb73fc4e66c704
Author: Xiubo Li <xiubli@redhat.com>
Date:   Wed Jan 12 12:29:04 2022 +0800

    ceph: put the requests/sessions when it fails to alloc memory
    
    [ Upstream commit 89d43d0551a848e70e63d9ba11534aaeabc82443 ]
    
    When failing to allocate the sessions memory we should make sure
    the req1 and req2 and the sessions get put. And also in case the
    max_sessions decreased so when kreallocate the new memory some
    sessions maybe missed being put.
    
    And if the max_sessions is 0 krealloc will return ZERO_SIZE_PTR,
    which will lead to a distinct access fault.
    
    URL: https://tracker.ceph.com/issues/53819
    Fixes: e1a4541ec0b9 ("ceph: flush the mdlog before waiting on unsafe reqs")
    Signed-off-by: Xiubo Li <xiubli@redhat.com>
    Reviewed-by: Venky Shankar <vshankar@redhat.com>
    Reviewed-by: Jeff Layton <jlayton@kernel.org>
    Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 0536379e9d9dd59504a2ccd6338cd87a2eb25653
Author: Sean Christopherson <seanjc@google.com>
Date:   Tue Jan 25 22:17:25 2022 +0000

    KVM: selftests: Don't skip L2's VMCALL in SMM test for SVM guest
    
    [ Upstream commit 4cf3d3ebe8794c449af3e0e8c1d790c97e461d20 ]
    
    Don't skip the vmcall() in l2_guest_code() prior to re-entering L2, doing
    so will result in L2 running to completion, popping '0' off the stack for
    RET, jumping to address '0', and ultimately dying with a triple fault
    shutdown.
    
    It's not at all obvious why the test re-enters L2 and re-executes VMCALL,
    but presumably it serves a purpose.  The VMX path doesn't skip vmcall(),
    and the test can't possibly have passed on SVM, so just do what VMX does.
    
    Fixes: d951b2210c1a ("KVM: selftests: smm_test: Test SMM enter from L2")
    Cc: Maxim Levitsky <mlevitsk@redhat.com>
    Signed-off-by: Sean Christopherson <seanjc@google.com>
    Message-Id: <20220125221725.2101126-1-seanjc@google.com>
    Reviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>
    Tested-by: Vitaly Kuznetsov <vkuznets@redhat.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 9b6be5b1a05309253d19fbefd6c412e4d9e4dc7a
Author: Dave Airlie <airlied@redhat.com>
Date:   Thu Jan 20 14:05:27 2022 +1000

    Revert "drm/ast: Support 1600x900 with 108MHz PCLK"
    
    [ Upstream commit 76cea3d95513fe40000d06a3719c4bb6b53275e2 ]
    
    This reverts commit 9bb7b689274b67ecb3641e399e76f84adc627df1.
    
    This caused a regression reported to Red Hat.
    
    Fixes: 9bb7b689274b ("drm/ast: Support 1600x900 with 108MHz PCLK")
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
    Link: https://patchwork.freedesktop.org/patch/msgid/20220120040527.552068-1-airlied@gmail.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 1714199af7ec0a70c4ab10fc620ea9902d7f3ee0
Author: Maxim Mikityanskiy <maximmi@nvidia.com>
Date:   Tue Jan 25 12:06:54 2022 +0200

    sch_htb: Fail on unsupported parameters when offload is requested
    
    [ Upstream commit 429c3be8a5e2695b5b92a6a12361eb89eb185495 ]
    
    The current implementation of HTB offload doesn't support some
    parameters. Instead of ignoring them, actively return the EINVAL error
    when they are set to non-defaults.
    
    As this patch goes to stable, the driver API is not changed here. If
    future drivers support more offload parameters, the checks can be moved
    to the driver side.
    
    Note that the buffer and cbuffer parameters are also not supported, but
    the tc userspace tool assigns some default values derived from rate and
    ceil, and identifying these defaults in sch_htb would be unreliable, so
    they are still ignored.
    
    Fixes: d03b195b5aa0 ("sch_htb: Hierarchical QoS hardware offload")
    Reported-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
    Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
    Link: https://lore.kernel.org/r/20220125100654.424570-1-maximmi@nvidia.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3e662ceb3e6d3e3fb15430612c69b8af8d5014aa
Author: Yufeng Mo <moyufeng@huawei.com>
Date:   Tue Jan 25 15:03:12 2022 +0800

    net: hns3: handle empty unknown interrupt for VF
    
    [ Upstream commit 2f61353cd2f789a4229b6f5c1c24a40a613357bb ]
    
    Since some interrupt states may be cleared by hardware, the driver
    may receive an empty interrupt. Currently, the VF driver directly
    disables the vector0 interrupt in this case. As a result, the VF
    is unavailable. Therefore, the vector0 interrupt should be enabled
    in this case.
    
    Fixes: b90fcc5bd904 ("net: hns3: add reset handling for VF when doing Core/Global/IMP reset")
    Signed-off-by: Yufeng Mo <moyufeng@huawei.com>
    Signed-off-by: Guangbin Huang <huangguangbin2@huawei.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 925181ea76b52fc247b622aa855a0cb094d683a5
Author: Toke Høiland-Jørgensen <toke@redhat.com>
Date:   Mon Jan 24 15:35:29 2022 +0100

    net: cpsw: Properly initialise struct page_pool_params
    
    [ Upstream commit c63003e3d99761afb280add3b30de1cf30fa522b ]
    
    The cpsw driver didn't properly initialise the struct page_pool_params
    before calling page_pool_create(), which leads to crashes after the struct
    has been expanded with new parameters.
    
    The second Fixes tag below is where the buggy code was introduced, but
    because the code was moved around this patch will only apply on top of the
    commit in the first Fixes tag.
    
    Fixes: c5013ac1dd0e ("net: ethernet: ti: cpsw: move set of common functions in cpsw_priv")
    Fixes: 9ed4050c0d75 ("net: ethernet: ti: cpsw: add XDP support")
    Reported-by: Colin Foster <colin.foster@in-advantage.com>
    Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
    Tested-by: Colin Foster <colin.foster@in-advantage.com>
    Acked-by: Jesper Dangaard Brouer <brouer@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 0690c3943ed0fa76654e600eca38cde6a13c87ac
Author: Hangyu Hua <hbh25y@gmail.com>
Date:   Mon Jan 24 11:29:54 2022 +0800

    yam: fix a memory leak in yam_siocdevprivate()
    
    [ Upstream commit 29eb31542787e1019208a2e1047bb7c76c069536 ]
    
    ym needs to be free when ym->cmd != SIOCYAMSMCS.
    
    Fixes: 0781168e23a2 ("yam: fix a missing-check bug")
    Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 4d5c2dfbc120be82f1b9cced3606d2edc4ec7538
Author: Rob Clark <robdclark@chromium.org>
Date:   Thu Jan 13 08:32:13 2022 -0800

    drm/msm/a6xx: Add missing suspend_count increment
    
    [ Upstream commit 860a7b2a87b7c743154824d0597b6c3eb3b53154 ]
    
    Reported-by: Danylo Piliaiev <dpiliaiev@igalia.com>
    Fixes: 3ab1c5cc3939 ("drm/msm: Add param for userspace to query suspend count")
    Signed-off-by: Rob Clark <robdclark@chromium.org>
    Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Link: https://lore.kernel.org/r/20220113163215.215367-1-robdclark@gmail.com
    Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 8f069f6dde518dfebe86e848508c07e497bd9298
Author: José Expósito <jose.exposito89@gmail.com>
Date:   Sun Jan 9 20:24:31 2022 +0100

    drm/msm/dpu: invalid parameter check in dpu_setup_dspp_pcc
    
    [ Upstream commit 170b22234d5495f5e0844246e23f004639ee89ba ]
    
    The function performs a check on the "ctx" input parameter, however, it
    is used before the check.
    
    Initialize the "base" variable after the sanity check to avoid a
    possible NULL pointer dereference.
    
    Fixes: 4259ff7ae509e ("drm/msm/dpu: add support for pcc color block in dpu driver")
    Addresses-Coverity-ID: 1493866 ("Null pointer dereference")
    Signed-off-by: José Expósito <jose.exposito89@gmail.com>
    Link: https://lore.kernel.org/r/20220109192431.135949-1-jose.exposito89@gmail.com
    Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 13bd31390cae1397c94dd7b97d8103bb5d587b9b
Author: Miaoqian Lin <linmq006@gmail.com>
Date:   Fri Jan 7 08:50:22 2022 +0000

    drm/msm/hdmi: Fix missing put_device() call in msm_hdmi_get_phy
    
    [ Upstream commit 774fe0cd838d1b1419d41ab4ea0613c80d4ecbd7 ]
    
    The reference taken by 'of_find_device_by_node()' must be released when
    not needed anymore.
    Add the corresponding 'put_device()' in the error handling path.
    
    Fixes: e00012b256d4 ("drm/msm/hdmi: Make HDMI core get its PHY")
    Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
    Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Link: https://lore.kernel.org/r/20220107085026.23831-1-linmq006@gmail.com
    Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 03a91f9fa93b55685601548f882df8d0e2eecc29
Author: Marc Kleine-Budde <mkl@pengutronix.de>
Date:   Fri Jan 14 18:50:54 2022 +0100

    can: tcan4x5x: regmap: fix max register value
    
    [ Upstream commit e59986de5ff701494e14c722b78b6e6d513e0ab5 ]
    
    The MRAM of the tcan4x5x has a size of 2K and starts at 0x8000. There
    are no further registers in the tcan4x5x making 0x87fc the biggest
    addressable register.
    
    This patch fixes the max register value of the regmap config from
    0x8ffc to 0x87fc.
    
    Fixes: 6e1caaf8ed22 ("can: tcan4x5x: fix max register value")
    Link: https://lore.kernel.org/all/20220119064011.2943292-1-mkl@pengutronix.de
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit d0a56e4ebc6be488055e4a51f22ead4cb60df6bd
Author: Michael Kelley <mikelley@microsoft.com>
Date:   Sun Jan 16 11:18:31 2022 -0800

    video: hyperv_fb: Fix validation of screen resolution
    
    [ Upstream commit 9ff5549b1d1d3c3a9d71220d44bd246586160f1d ]
    
    In the WIN10 version of the Synthetic Video protocol with Hyper-V,
    Hyper-V reports a list of supported resolutions as part of the protocol
    negotiation. The driver calculates the maximum width and height from
    the list of resolutions, and uses those maximums to validate any screen
    resolution specified in the video= option on the kernel boot line.
    
    This method of validation is incorrect. For example, the list of
    supported resolutions could contain 1600x1200 and 1920x1080, both of
    which fit in an 8 Mbyte frame buffer.  But calculating the max width
    and height yields 1920 and 1200, and 1920x1200 resolution does not fit
    in an 8 Mbyte frame buffer.  Unfortunately, this resolution is accepted,
    causing a kernel fault when the driver accesses memory outside the
    frame buffer.
    
    Instead, validate the specified screen resolution by calculating
    its size, and comparing against the frame buffer size.  Delete the
    code for calculating the max width and height from the list of
    resolutions, since these max values have no use.  Also add the
    frame buffer size to the info message to aid in understanding why
    a resolution might be rejected.
    
    Fixes: 67e7cdb4829d ("video: hyperv: hyperv_fb: Obtain screen resolution from Hyper-V host")
    Signed-off-by: Michael Kelley <mikelley@microsoft.com>
    Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
    Acked-by: Helge Deller <deller@gmx.de>
    Link: https://lore.kernel.org/r/1642360711-2335-1-git-send-email-mikelley@microsoft.com
    Signed-off-by: Wei Liu <wei.liu@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 38f0bdd548fd2ef5d481b88d8a2bfef968452e34
Author: Wen Gu <guwen@linux.alibaba.com>
Date:   Sat Jan 22 17:43:09 2022 +0800

    net/smc: Transitional solution for clcsock race issue
    
    [ Upstream commit c0bf3d8a943b6f2e912b7c1de03e2ef28e76f760 ]
    
    We encountered a crash in smc_setsockopt() and it is caused by
    accessing smc->clcsock after clcsock was released.
    
     BUG: kernel NULL pointer dereference, address: 0000000000000020
     #PF: supervisor read access in kernel mode
     #PF: error_code(0x0000) - not-present page
     PGD 0 P4D 0
     Oops: 0000 [#1] PREEMPT SMP PTI
     CPU: 1 PID: 50309 Comm: nginx Kdump: loaded Tainted: G E     5.16.0-rc4+ #53
     RIP: 0010:smc_setsockopt+0x59/0x280 [smc]
     Call Trace:
      <TASK>
      __sys_setsockopt+0xfc/0x190
      __x64_sys_setsockopt+0x20/0x30
      do_syscall_64+0x34/0x90
      entry_SYSCALL_64_after_hwframe+0x44/0xae
     RIP: 0033:0x7f16ba83918e
      </TASK>
    
    This patch tries to fix it by holding clcsock_release_lock and
    checking whether clcsock has already been released before access.
    
    In case that a crash of the same reason happens in smc_getsockopt()
    or smc_switch_to_fallback(), this patch also checkes smc->clcsock
    in them too. And the caller of smc_switch_to_fallback() will identify
    whether fallback succeeds according to the return value.
    
    Fixes: fd57770dd198 ("net/smc: wait for pending work before clcsock release_sock")
    Link: https://lore.kernel.org/lkml/5dd7ffd1-28e2-24cc-9442-1defec27375e@linux.ibm.com/T/
    Signed-off-by: Wen Gu <guwen@linux.alibaba.com>
    Acked-by: Karsten Graul <kgraul@linux.ibm.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit fdcdc94b3d350ba53659021c43bc3904a374a887
Author: Sukadev Bhattiprolu <sukadev@linux.ibm.com>
Date:   Fri Jan 21 18:59:20 2022 -0800

    ibmvnic: don't spin in tasklet
    
    [ Upstream commit 48079e7fdd0269d66b1d7d66ae88bd03162464ad ]
    
    ibmvnic_tasklet() continuously spins waiting for responses to all
    capability requests. It does this to avoid encountering an error
    during initialization of the vnic. However if there is a bug in the
    VIOS and we do not receive a response to one or more queries the
    tasklet ends up spinning continuously leading to hard lock ups.
    
    If we fail to receive a message from the VIOS it is reasonable to
    timeout the login attempt rather than spin indefinitely in the tasklet.
    
    Fixes: 249168ad07cd ("ibmvnic: Make CRQ interrupt tasklet wait for all capabilities crqs")
    Signed-off-by: Sukadev Bhattiprolu <sukadev@linux.ibm.com>
    Reviewed-by: Dany Madden <drt@linux.ibm.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit d4435164be133e936060be9a5fdcd3bdee8e664c
Author: Sukadev Bhattiprolu <sukadev@linux.ibm.com>
Date:   Fri Jan 21 18:59:19 2022 -0800

    ibmvnic: init ->running_cap_crqs early
    
    [ Upstream commit 151b6a5c06b678687f64f2d9a99fd04d5cd32b72 ]
    
    We use ->running_cap_crqs to determine when the ibmvnic_tasklet() should
    send out the next protocol message type. i.e when we get back responses
    to all our QUERY_CAPABILITY CRQs we send out REQUEST_CAPABILITY crqs.
    Similiary, when we get responses to all the REQUEST_CAPABILITY crqs, we
    send out the QUERY_IP_OFFLOAD CRQ.
    
    We currently increment ->running_cap_crqs as we send out each CRQ and
    have the ibmvnic_tasklet() send out the next message type, when this
    running_cap_crqs count drops to 0.
    
    This assumes that all the CRQs of the current type were sent out before
    the count drops to 0. However it is possible that we send out say 6 CRQs,
    get preempted and receive all the 6 responses before we send out the
    remaining CRQs. This can result in ->running_cap_crqs count dropping to
    zero before all messages of the current type were sent and we end up
    sending the next protocol message too early.
    
    Instead initialize the ->running_cap_crqs upfront so the tasklet will
    only send the next protocol message after all responses are received.
    
    Use the cap_reqs local variable to also detect any discrepancy (either
    now or in future) in the number of capability requests we actually send.
    
    Currently only send_query_cap() is affected by this behavior (of sending
    next message early) since it is called from the worker thread (during
    reset) and from application thread (during ->ndo_open()) and they can be
    preempted. send_request_cap() is only called from the tasklet  which
    processes CRQ responses sequentially, is not be affected.  But to
    maintain the existing symmtery with send_query_capability() we update
    send_request_capability() also.
    
    Fixes: 249168ad07cd ("ibmvnic: Make CRQ interrupt tasklet wait for all capabilities crqs")
    Signed-off-by: Sukadev Bhattiprolu <sukadev@linux.ibm.com>
    Reviewed-by: Dany Madden <drt@linux.ibm.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit aa6ae2341a8ffc13cb5ca18601c8c543ac5381a7
Author: Sukadev Bhattiprolu <sukadev@linux.ibm.com>
Date:   Fri Jan 21 18:59:18 2022 -0800

    ibmvnic: Allow extra failures before disabling
    
    [ Upstream commit db9f0e8bf79e6da7068b5818fea0ffd9d0d4b4da ]
    
    If auto-priority-failover (APF) is enabled and there are at least two
    backing devices of different priorities, some resets like fail-over,
    change-param etc can cause at least two back to back failovers. (Failover
    from high priority backing device to lower priority one and then back
    to the higher priority one if that is still functional).
    
    Depending on the timimg of the two failovers it is possible to trigger
    a "hard" reset and for the hard reset to fail due to failovers. When this
    occurs, the driver assumes that the network is unstable and disables the
    VNIC for a 60-second "settling time". This in turn can cause the ethtool
    command to fail with "No such device" while the vnic automatically recovers
    a little while later.
    
    Given that it's possible to have two back to back failures, allow for extra
    failures before disabling the vnic for the settling time.
    
    Fixes: f15fde9d47b8 ("ibmvnic: delay next reset if hard reset fails")
    Signed-off-by: Sukadev Bhattiprolu <sukadev@linux.ibm.com>
    Reviewed-by: Dany Madden <drt@linux.ibm.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 9ae4cd5de2a5ecb87b7dc5dd4157ca3bdae9919d
Author: Jakub Kicinski <kuba@kernel.org>
Date:   Fri Jan 21 16:57:31 2022 -0800

    ipv4: fix ip option filtering for locally generated fragments
    
    [ Upstream commit 27a8caa59babb96c5890569e131bc0eb6d45daee ]
    
    During IP fragmentation we sanitize IP options. This means overwriting
    options which should not be copied with NOPs. Only the first fragment
    has the original, full options.
    
    ip_fraglist_prepare() copies the IP header and options from previous
    fragment to the next one. Commit 19c3401a917b ("net: ipv4: place control
    buffer handling away from fragmentation iterators") moved sanitizing
    options before ip_fraglist_prepare() which means options are sanitized
    and then overwritten again with the old values.
    
    Fixing this is not enough, however, nor did the sanitization work
    prior to aforementioned commit.
    
    ip_options_fragment() (which does the sanitization) uses ipcb->opt.optlen
    for the length of the options. ipcb->opt of fragments is not populated
    (it's 0), only the head skb has the state properly built. So even when
    called at the right time ip_options_fragment() does nothing. This seems
    to date back all the way to v2.5.44 when the fast path for pre-fragmented
    skbs had been introduced. Prior to that ip_options_build() would have been
    called for every fragment (in fact ever since v2.5.44 the fragmentation
    handing in ip_options_build() has been dead code, I'll clean it up in
    -next).
    
    In the original patch (see Link) caixf mentions fixing the handling
    for fragments other than the second one, but I'm not sure how _any_
    fragment could have had their options sanitized with the code
    as it stood.
    
    Tested with python (MTU on lo lowered to 1000 to force fragmentation):
    
      import socket
      s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
      s.setsockopt(socket.IPPROTO_IP, socket.IP_OPTIONS,
                   bytearray([7,4,5,192, 20|0x80,4,1,0]))
      s.sendto(b'1'*2000, ('127.0.0.1', 1234))
    
    Before:
    
    IP (tos 0x0, ttl 64, id 1053, offset 0, flags [+], proto UDP (17), length 996, options (RR [bad length 4] [bad ptr 5] 192.148.4.1,,RA value 256))
        localhost.36500 > localhost.search-agent: UDP, length 2000
    IP (tos 0x0, ttl 64, id 1053, offset 968, flags [+], proto UDP (17), length 996, options (RR [bad length 4] [bad ptr 5] 192.148.4.1,,RA value 256))
        localhost > localhost: udp
    IP (tos 0x0, ttl 64, id 1053, offset 1936, flags [none], proto UDP (17), length 100, options (RR [bad length 4] [bad ptr 5] 192.148.4.1,,RA value 256))
        localhost > localhost: udp
    
    After:
    
    IP (tos 0x0, ttl 96, id 42549, offset 0, flags [+], proto UDP (17), length 996, options (RR [bad length 4] [bad ptr 5] 192.148.4.1,,RA value 256))
        localhost.51607 > localhost.search-agent: UDP, bad length 2000 > 960
    IP (tos 0x0, ttl 96, id 42549, offset 968, flags [+], proto UDP (17), length 996, options (NOP,NOP,NOP,NOP,RA value 256))
        localhost > localhost: udp
    IP (tos 0x0, ttl 96, id 42549, offset 1936, flags [none], proto UDP (17), length 100, options (NOP,NOP,NOP,NOP,RA value 256))
        localhost > localhost: udp
    
    RA (20 | 0x80) is now copied as expected, RR (7) is "NOPed out".
    
    Link: https://lore.kernel.org/netdev/20220107080559.122713-1-ooppublic@163.com/
    Fixes: 19c3401a917b ("net: ipv4: place control buffer handling away from fragmentation iterators")
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: caixf <ooppublic@163.com>
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 28aaed966e76807a71de79dd40a8eee9042374dd
Author: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
Date:   Sat Jan 22 09:04:29 2022 +0530

    powerpc/perf: Fix power_pmu_disable to call clear_pmi_irq_pending only if PMI is pending
    
    [ Upstream commit fb6433b48a178d4672cb26632454ee0b21056eaa ]
    
    Running selftest with CONFIG_PPC_IRQ_SOFT_MASK_DEBUG enabled in kernel
    triggered below warning:
    
    [  172.851380] ------------[ cut here ]------------
    [  172.851391] WARNING: CPU: 8 PID: 2901 at arch/powerpc/include/asm/hw_irq.h:246 power_pmu_disable+0x270/0x280
    [  172.851402] Modules linked in: dm_mod bonding nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables rfkill nfnetlink sunrpc xfs libcrc32c pseries_rng xts vmx_crypto uio_pdrv_genirq uio sch_fq_codel ip_tables ext4 mbcache jbd2 sd_mod t10_pi sg ibmvscsi ibmveth scsi_transport_srp fuse
    [  172.851442] CPU: 8 PID: 2901 Comm: lost_exception_ Not tainted 5.16.0-rc5-03218-g798527287598 #2
    [  172.851451] NIP:  c00000000013d600 LR: c00000000013d5a4 CTR: c00000000013b180
    [  172.851458] REGS: c000000017687860 TRAP: 0700   Not tainted  (5.16.0-rc5-03218-g798527287598)
    [  172.851465] MSR:  8000000000029033 <SF,EE,ME,IR,DR,RI,LE>  CR: 48004884  XER: 20040000
    [  172.851482] CFAR: c00000000013d5b4 IRQMASK: 1
    [  172.851482] GPR00: c00000000013d5a4 c000000017687b00 c000000002a10600 0000000000000004
    [  172.851482] GPR04: 0000000082004000 c0000008ba08f0a8 0000000000000000 00000008b7ed0000
    [  172.851482] GPR08: 00000000446194f6 0000000000008000 c00000000013b118 c000000000d58e68
    [  172.851482] GPR12: c00000000013d390 c00000001ec54a80 0000000000000000 0000000000000000
    [  172.851482] GPR16: 0000000000000000 0000000000000000 c000000015d5c708 c0000000025396d0
    [  172.851482] GPR20: 0000000000000000 0000000000000000 c00000000a3bbf40 0000000000000003
    [  172.851482] GPR24: 0000000000000000 c0000008ba097400 c0000000161e0d00 c00000000a3bb600
    [  172.851482] GPR28: c000000015d5c700 0000000000000001 0000000082384090 c0000008ba0020d8
    [  172.851549] NIP [c00000000013d600] power_pmu_disable+0x270/0x280
    [  172.851557] LR [c00000000013d5a4] power_pmu_disable+0x214/0x280
    [  172.851565] Call Trace:
    [  172.851568] [c000000017687b00] [c00000000013d5a4] power_pmu_disable+0x214/0x280 (unreliable)
    [  172.851579] [c000000017687b40] [c0000000003403ac] perf_pmu_disable+0x4c/0x60
    [  172.851588] [c000000017687b60] [c0000000003445e4] __perf_event_task_sched_out+0x1d4/0x660
    [  172.851596] [c000000017687c50] [c000000000d1175c] __schedule+0xbcc/0x12a0
    [  172.851602] [c000000017687d60] [c000000000d11ea8] schedule+0x78/0x140
    [  172.851608] [c000000017687d90] [c0000000001a8080] sys_sched_yield+0x20/0x40
    [  172.851615] [c000000017687db0] [c0000000000334dc] system_call_exception+0x18c/0x380
    [  172.851622] [c000000017687e10] [c00000000000c74c] system_call_common+0xec/0x268
    
    The warning indicates that MSR_EE being set(interrupt enabled) when
    there was an overflown PMC detected. This could happen in
    power_pmu_disable since it runs under interrupt soft disable
    condition ( local_irq_save ) and not with interrupts hard disabled.
    commit 2c9ac51b850d ("powerpc/perf: Fix PMU callbacks to clear
    pending PMI before resetting an overflown PMC") intended to clear
    PMI pending bit in Paca when disabling the PMU. It could happen
    that PMC gets overflown while code is in power_pmu_disable
    callback function. Hence add a check to see if PMI pending bit
    is set in Paca before clearing it via clear_pmi_pending.
    
    Fixes: 2c9ac51b850d ("powerpc/perf: Fix PMU callbacks to clear pending PMI before resetting an overflown PMC")
    Reported-by: Sachin Sant <sachinp@linux.ibm.com>
    Signed-off-by: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
    Tested-by: Sachin Sant <sachinp@linux.ibm.com>
    Reviewed-by: Nicholas Piggin <npiggin@gmail.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://lore.kernel.org/r/20220122033429.25395-1-atrajeev@linux.vnet.ibm.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit b9dc12e481c0e20ee762fb7a3668c08acf8b2e7c
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Fri Jan 21 14:55:43 2022 +0300

    hwmon: (adt7470) Prevent divide by zero in adt7470_fan_write()
    
    [ Upstream commit c1ec0cabc36718efc7fe8b4157d41b82d08ec1d2 ]
    
    The "val" variable is controlled by the user and comes from
    hwmon_attr_store().  The FAN_RPM_TO_PERIOD() macro divides by "val"
    so a zero will crash the system.  Check for that and return -EINVAL.
    Negatives are also invalid so return -EINVAL for those too.
    
    Fixes: fc958a61ff6d ("hwmon: (adt7470) Convert to devm_hwmon_device_register_with_info API")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 774a6ef81458b86d0034dc663c9e5622879f81ea
Author: Guenter Roeck <linux@roeck-us.net>
Date:   Mon Jan 10 23:23:31 2022 -0800

    hwmon: (lm90) Fix sysfs and udev notifications
    
    [ Upstream commit d379880d9adb9f1ada3f1266aa49ea2561328e08 ]
    
    sysfs and udev notifications need to be sent to the _alarm
    attributes, not to the value attributes.
    
    Fixes: 94dbd23ed88c ("hwmon: (lm90) Use hwmon_notify_event()")
    Cc: Dmitry Osipenko <digetx@gmail.com>
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f4a61d7989d561a64a0513cd76ca860fd93c657d
Author: Guenter Roeck <linux@roeck-us.net>
Date:   Fri Jan 7 11:05:23 2022 -0800

    hwmon: (lm90) Mark alert as broken for MAX6654
    
    [ Upstream commit a53fff96f35763d132a36c620b183fdf11022d7a ]
    
    Experiments with MAX6654 show that its alert function is broken,
    similar to other chips supported by the lm90 driver. Mark it accordingly.
    
    Fixes: 229d495d8189 ("hwmon: (lm90) Add max6654 support to lm90 driver")
    Cc: Josh Lehan <krellan@google.com>
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit ccdf90878b8ba53ebd7236e2edf363ae30847a4c
Author: Guenter Roeck <linux@roeck-us.net>
Date:   Sat Jan 8 11:37:19 2022 -0800

    hwmon: (lm90) Re-enable interrupts after alert clears
    
    [ Upstream commit bc341a1a98827925082e95db174734fc8bd68af6 ]
    
    If alert handling is broken, interrupts are disabled after an alert and
    re-enabled after the alert clears. However, if there is an interrupt
    handler, this does not apply if alerts were originally disabled and enabled
    when the driver was loaded. In that case, interrupts will stay disabled
    after an alert was handled though the alert handler even after the alert
    condition clears. Address the situation by always re-enabling interrupts
    after the alert condition clears if there is an interrupt handler.
    
    Fixes: 2abdc357c55d9 ("hwmon: (lm90) Unmask hardware interrupt")
    Cc: Dmitry Osipenko <digetx@gmail.com>
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit da20522eba44f6bdf72f755519246c30b8d172ac
Author: Yanming Liu <yanminglr@gmail.com>
Date:   Thu Jan 20 04:20:52 2022 +0800

    Drivers: hv: balloon: account for vmbus packet header in max_pkt_size
    
    [ Upstream commit 96d9d1fa5cd505078534113308ced0aa56d8da58 ]
    
    Commit adae1e931acd ("Drivers: hv: vmbus: Copy packets sent by Hyper-V
    out of the ring buffer") introduced a notion of maximum packet size in
    vmbus channel and used that size to initialize a buffer holding all
    incoming packet along with their vmbus packet header. hv_balloon uses
    the default maximum packet size VMBUS_DEFAULT_MAX_PKT_SIZE which matches
    its maximum message size, however vmbus_open expects this size to also
    include vmbus packet header. This leads to 4096 bytes
    dm_unballoon_request messages being truncated to 4080 bytes. When the
    driver tries to read next packet it starts from a wrong read_index,
    receives garbage and prints a lot of "Unhandled message: type:
    <garbage>" in dmesg.
    
    Allocate the buffer with HV_HYP_PAGE_SIZE more bytes to make room for
    the header.
    
    Fixes: adae1e931acd ("Drivers: hv: vmbus: Copy packets sent by Hyper-V out of the ring buffer")
    Suggested-by: Michael Kelley (LINUX) <mikelley@microsoft.com>
    Suggested-by: Andrea Parri (Microsoft) <parri.andrea@gmail.com>
    Signed-off-by: Yanming Liu <yanminglr@gmail.com>
    Reviewed-by: Michael Kelley <mikelley@microsoft.com>
    Reviewed-by: Andrea Parri (Microsoft) <parri.andrea@gmail.com>
    Link: https://lore.kernel.org/r/20220119202052.3006981-1-yanminglr@gmail.com
    Signed-off-by: Wei Liu <wei.liu@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 82cc3382e34e2254453cdfc0e0c3190357e27eed
Author: Dylan Yudaken <dylany@fb.com>
Date:   Fri Jan 21 04:38:56 2022 -0800

    io_uring: fix bug in slow unregistering of nodes
    
    [ Upstream commit b36a2050040b2d839bdc044007cdd57101d7f881 ]
    
    In some cases io_rsrc_ref_quiesce will call io_rsrc_node_switch_start,
    and then immediately flush the delayed work queue &ctx->rsrc_put_work.
    
    However the percpu_ref_put does not immediately destroy the node, it
    will be called asynchronously via RCU. That ends up with
    io_rsrc_node_ref_zero only being called after rsrc_put_work has been
    flushed, and so the process ends up sleeping for 1 second unnecessarily.
    
    This patch executes the put code immediately if we are busy
    quiescing.
    
    Fixes: 4a38aed2a0a7 ("io_uring: batch reap of dead file registrations")
    Signed-off-by: Dylan Yudaken <dylany@fb.com>
    Link: https://lore.kernel.org/r/20220121123856.3557884-1-dylany@fb.com
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit fa005a5c5d4dc1eb1bcf99761fc1f678bfd46a08
Author: Mihai Carabas <mihai.carabas@oracle.com>
Date:   Wed Jan 19 18:14:27 2022 +0200

    efi/libstub: arm64: Fix image check alignment at entry
    
    [ Upstream commit e9b7c3a4263bdcfd31bc3d03d48ce0ded7a94635 ]
    
    The kernel is aligned at SEGMENT_SIZE and this is the size populated in the PE
    headers:
    
    arch/arm64/kernel/efi-header.S: .long   SEGMENT_ALIGN // SectionAlignment
    
    EFI_KIMG_ALIGN is defined as: (SEGMENT_ALIGN > THREAD_ALIGN ? SEGMENT_ALIGN :
    THREAD_ALIGN)
    
    So it depends on THREAD_ALIGN. On newer builds this message started to appear
    even though the loader is taking into account the PE header (which is stating
    SEGMENT_ALIGN).
    
    Fixes: c32ac11da3f8 ("efi/libstub: arm64: Double check image alignment at entry")
    Signed-off-by: Mihai Carabas <mihai.carabas@oracle.com>
    Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 42ff00c23b16bf397eb467bd2f66e48c1a0040dc
Author: David Howells <dhowells@redhat.com>
Date:   Fri Jan 21 23:12:58 2022 +0000

    rxrpc: Adjust retransmission backoff
    
    [ Upstream commit 2c13c05c5ff4b9fc907b07f7311821910ebaaf8a ]
    
    Improve retransmission backoff by only backing off when we retransmit data
    packets rather than when we set the lost ack timer.
    
    To this end:
    
     (1) In rxrpc_resend(), use rxrpc_get_rto_backoff() when setting the
         retransmission timer and only tell it that we are retransmitting if we
         actually have things to retransmit.
    
         Note that it's possible for the retransmission algorithm to race with
         the processing of a received ACK, so we may see no packets needing
         retransmission.
    
     (2) In rxrpc_send_data_packet(), don't bump the backoff when setting the
         ack_lost_at timer, as it may then get bumped twice.
    
    With this, when looking at one particular packet, the retransmission
    intervals were seen to be 1.5ms, 2ms, 3ms, 5ms, 9ms, 17ms, 33ms, 71ms,
    136ms, 264ms, 544ms, 1.088s, 2.1s, 4.2s and 8.3s.
    
    Fixes: c410bf01933e ("rxrpc: Fix the excessive initial retransmission timeout")
    Suggested-by: Marc Dionne <marc.dionne@auristor.com>
    Signed-off-by: David Howells <dhowells@redhat.com>
    Reviewed-by: Marc Dionne <marc.dionne@auristor.com>
    Tested-by: Marc Dionne <marc.dionne@auristor.com>
    cc: linux-afs@lists.infradead.org
    Link: https://lore.kernel.org/r/164138117069.2023386.17446904856843997127.stgit@warthog.procyon.org.uk/
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 437b6b3bd88ca698dca10747d85480a74f6d15ca
Author: Subbaraya Sundeep <sbhatta@marvell.com>
Date:   Fri Jan 21 12:04:46 2022 +0530

    octeontx2-pf: Forward error codes to VF
    
    [ Upstream commit a8db854be28622a2477cb21cdf7f829adbb2c42d ]
    
    PF forwards its VF messages to AF and corresponding
    replies from AF to VF. AF sets proper error code in the
    replies after processing message requests. Currently PF
    checks the error codes in replies and sends invalid
    message to VF. This way VF lacks the information of
    error code set by AF for its messages. This patch
    changes that such that PF simply forwards AF replies
    so that VF can handle error codes.
    
    Fixes: d424b6c02415 ("octeontx2-pf: Enable SRIOV and added VF mbox handling")
    Signed-off-by: Subbaraya Sundeep <sbhatta@marvell.com>
    Signed-off-by: Sunil Goutham <sgoutham@marvell.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 689620df208088281e627c0d9f64fc532265dff8
Author: Geetha sowjanya <gakula@marvell.com>
Date:   Fri Jan 21 12:04:45 2022 +0530

    octeontx2-af: cn10k: Do not enable RPM loopback for LPC interfaces
    
    [ Upstream commit df66b6ebc5dcf7253e35a640b9ec4add54195c25 ]
    
    Internal looback is not supported to low rate LPCS interface like
    SGMII/QSGMII. Hence don't allow to enable for such interfaces.
    
    Fixes: 3ad3f8f93c81 ("octeontx2-af: cn10k: MAC internal loopback support")
    Signed-off-by: Geetha sowjanya <gakula@marvell.com>
    Signed-off-by: Subbaraya Sundeep <sbhatta@marvell.com>
    Signed-off-by: Sunil Goutham <sgoutham@marvell.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 35dd0b7e5a13dec6a7623c8db7c57c59f9110ffb
Author: Geetha sowjanya <gakula@marvell.com>
Date:   Fri Jan 21 12:04:44 2022 +0530

    octeontx2-af: Increase link credit restore polling timeout
    
    [ Upstream commit 1581d61b42d985cefe7b71eea67ab3bfcbf34d0f ]
    
    It's been observed that sometimes link credit restore takes
    a lot of time than the current timeout. This patch increases
    the default timeout value and return the proper error value
    on failure.
    
    Fixes: 1c74b89171c3 ("octeontx2-af: Wait for TX link idle for credits change")
    Signed-off-by: Geetha sowjanya <gakula@marvell.com>
    Signed-off-by: Subbaraya Sundeep <sbhatta@marvell.com>
    Signed-off-by: Sunil Goutham <sgoutham@marvell.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f13bf41cbe2d1dbf9ede3569bd5d75353ab68f01
Author: Hariprasad Kelam <hkelam@marvell.com>
Date:   Fri Sep 17 18:40:24 2021 +0530

    octeontx2-af: verify CQ context updates
    
    [ Upstream commit 14e94f9445a9e91d460f5d4b519f8892c3fb14bb ]
    
    As per HW errata AQ modification to CQ could be discarded on heavy
    traffic. This patch implements workaround for the same after each
    CQ write by AQ check whether the requested fields (except those
    which HW can update eg: avg_level) are properly updated or not.
    
    If CQ context is not updated then perform AQ write again.
    
    Signed-off-by: Hariprasad Kelam <hkelam@marvell.com>
    Signed-off-by: Sunil Goutham <sgoutham@marvell.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 4070cf004da3b9f6a6395d62fe3d24b38ae1a3ef
Author: Geetha sowjanya <gakula@marvell.com>
Date:   Fri Jan 21 12:04:43 2022 +0530

    octeontx2-pf: cn10k: Ensure valid pointers are freed to aura
    
    [ Upstream commit c5d731c54a17677939bd59ee8be4ed74d7485ba4 ]
    
    While freeing SQB pointers to aura, driver first memcpy to
    target address and then triggers lmtst operation to free pointer
    to the aura. We need to ensure(by adding dmb barrier)that memcpy
    is finished before pointers are freed to the aura. This patch also
    adds the missing sq context structure entry in debugfs.
    
    Fixes: ef6c8da71eaf ("octeontx2-pf: cn10K: Reserve LMTST lines per core")
    Signed-off-by: Geetha sowjanya <gakula@marvell.com>
    Signed-off-by: Subbaraya Sundeep <sbhatta@marvell.com>
    Signed-off-by: Sunil Goutham <sgoutham@marvell.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a332a1050ac662ea2f768ef9a802195d97130806
Author: Geetha sowjanya <gakula@marvell.com>
Date:   Fri Jan 21 12:04:41 2022 +0530

    octeontx2-af: Retry until RVU block reset complete
    
    [ Upstream commit 03ffbc9914bd1130fba464f0a41c01372e5fc359 ]
    
    Few RVU blocks like SSO require more time for reset on some
    silicons. Hence retrying the block reset until success.
    
    Fixes: c0fa2cff8822c ("octeontx2-af: Handle return value in block reset")
    Signed-off-by: Geetha sowjanya <gakula@marvell.com>
    Signed-off-by: Subbaraya Sundeep <sbhatta@marvell.com>
    Signed-off-by: Sunil Goutham <sgoutham@marvell.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit b578044bf4dee7e62e2f6ce1a2415831b1c1f76e
Author: Sunil Goutham <sgoutham@marvell.com>
Date:   Fri Jan 21 12:04:40 2022 +0530

    octeontx2-af: Fix LBK backpressure id count
    
    [ Upstream commit 00bfe94e388fe12bfd0d4f6361b1b1343374ff5b ]
    
    In rvu_nix_get_bpid() lbk_bpid_cnt is being read from
    wrong register. Due to this backpressure enable is failing
    for LBK VF32 onwards. This patch fixes that.
    
    Fixes: fe1939bb2340 ("octeontx2-af: Add SDP interface support")
    Signed-off-by: Sunil Goutham <sgoutham@marvell.com>
    Signed-off-by: Subbaraya Sundeep <sgoutham@marvell.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 77c5abff9330dc4acac2758b0134110e894c25a3
Author: Subbaraya Sundeep <sbhatta@marvell.com>
Date:   Fri Jan 21 12:04:39 2022 +0530

    octeontx2-af: Do not fixup all VF action entries
    
    [ Upstream commit d225c449ab2be25273a3674f476c6c0b57c50254 ]
    
    AF modifies all the rules destined for VF to use
    the action same as default RSS action. This fixup
    was needed because AF only installs default rules with
    RSS action. But the action in rules installed by a PF
    for its VFs should not be changed by this fixup.
    This is because action can be drop or direct to
    queue as specified by user(ntuple filters).
    This patch fixes that problem.
    
    Fixes: 967db3529eca ("octeontx2-af: add support for multicast/promisc packet")
    Signed-off-by: Subbaraya Sundeep <sbhatta@marvell.com>
    Signed-off-by: Naveen Mamindlapalli <naveenm@marvell.com>
    Signed-off-by: Sunil Goutham <sgoutham@marvell.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit aefaccd19379d6c4620269a162bfb88ff687f289
Author: Marek Behún <kabel@kernel.org>
Date:   Wed Jan 19 17:27:48 2022 +0100

    phylib: fix potential use-after-free
    
    [ Upstream commit cbda1b16687580d5beee38273f6241ae3725960c ]
    
    Commit bafbdd527d56 ("phylib: Add device reset GPIO support") added call
    to phy_device_reset(phydev) after the put_device() call in phy_detach().
    
    The comment before the put_device() call says that the phydev might go
    away with put_device().
    
    Fix potential use-after-free by calling phy_device_reset() before
    put_device().
    
    Fixes: bafbdd527d56 ("phylib: Add device reset GPIO support")
    Signed-off-by: Marek Behún <kabel@kernel.org>
    Reviewed-by: Andrew Lunn <andrew@lunn.ch>
    Link: https://lore.kernel.org/r/20220119162748.32418-1-kabel@kernel.org
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 82688a07cc025f5242f0b03db5e790a63bb54f14
Author: Yuji Ishikawa <yuji2.ishikawa@toshiba.co.jp>
Date:   Wed Jan 19 13:46:48 2022 +0900

    net: stmmac: dwmac-visconti: Fix clock configuration for RMII mode
    
    [ Upstream commit 0959bc4bd4206433ed101a1332a23e93ad16ec77 ]
    
    Bit pattern of the ETHER_CLOCK_SEL register for RMII/MII mode should be fixed.
    Also, some control bits should be modified with a specific sequence.
    
    Fixes: b38dd98ff8d0 ("net: stmmac: Add Toshiba Visconti SoCs glue driver")
    Signed-off-by: Yuji Ishikawa <yuji2.ishikawa@toshiba.co.jp>
    Reviewed-by: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 27e249cafa4fb35ad28fe9952b93ca515c16f52c
Author: Yuji Ishikawa <yuji2.ishikawa@toshiba.co.jp>
Date:   Wed Jan 19 13:46:47 2022 +0900

    net: stmmac: dwmac-visconti: Fix bit definitions for ETHER_CLK_SEL
    
    [ Upstream commit 1ba1a4a90fa416a6f389206416c5f488cf8b1543 ]
    
    just 0 should be used to represent cleared bits
    
    * ETHER_CLK_SEL_DIV_SEL_20
    * ETHER_CLK_SEL_TX_CLK_EXT_SEL_IN
    * ETHER_CLK_SEL_RX_CLK_EXT_SEL_IN
    * ETHER_CLK_SEL_TX_CLK_O_TX_I
    * ETHER_CLK_SEL_RMII_CLK_SEL_IN
    
    Fixes: b38dd98ff8d0 ("net: stmmac: Add Toshiba Visconti SoCs glue driver")
    Signed-off-by: Yuji Ishikawa <yuji2.ishikawa@toshiba.co.jp>
    Reviewed-by: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 36c7e4f4a3ec57ed663011e7b3acd77f3becfa9d
Author: Robert Hancock <robert.hancock@calian.com>
Date:   Tue Jan 18 15:52:43 2022 -0600

    net: phy: broadcom: hook up soft_reset for BCM54616S
    
    [ Upstream commit d15c7e875d44367005370e6a82e8f3a382a04f9b ]
    
    A problem was encountered with the Bel-Fuse 1GBT-SFP05 SFP module (which
    is a 1 Gbps copper module operating in SGMII mode with an internal
    BCM54616S PHY device) using the Xilinx AXI Ethernet MAC core, where the
    module would work properly on the initial insertion or boot of the
    device, but after the device was rebooted, the link would either only
    come up at 100 Mbps speeds or go up and down erratically.
    
    I found no meaningful changes in the PHY configuration registers between
    the working and non-working boots, but the status registers seemed to
    have a lot of error indications set on the SERDES side of the device on
    the non-working boot. I suspect the problem is that whatever happens on
    the SGMII link when the device is rebooted and the FPGA logic gets
    reloaded ends up putting the module's onboard PHY into a bad state.
    
    Since commit 6e2d85ec0559 ("net: phy: Stop with excessive soft reset")
    the genphy_soft_reset call is not made automatically by the PHY core
    unless the callback is explicitly specified in the driver structure. For
    most of these Broadcom devices, there is probably a hardware reset that
    gets asserted to reset the PHY during boot, however for SFP modules
    (where the BCM54616S is commonly found) no such reset line exists, so if
    the board keeps the SFP cage powered up across a reboot, it will end up
    with no reset occurring during reboots.
    
    Hook up the genphy_soft_reset callback for BCM54616S to ensure that a
    PHY reset is performed before the device is initialized. This appears to
    fix the issue with erratic operation after a reboot with this SFP
    module.
    
    Fixes: 6e2d85ec0559 ("net: phy: Stop with excessive soft reset")
    Signed-off-by: Robert Hancock <robert.hancock@calian.com>
    Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 58e81159b4f7ce89d69d350c1dcebca763f587ac
Author: Vincent Guittot <vincent.guittot@linaro.org>
Date:   Tue Jan 11 14:46:56 2022 +0100

    sched/pelt: Relax the sync of util_sum with util_avg
    
    [ Upstream commit 98b0d890220d45418cfbc5157b3382e6da5a12ab ]
    
    Rick reported performance regressions in bugzilla because of cpu frequency
    being lower than before:
        https://bugzilla.kernel.org/show_bug.cgi?id=215045
    
    He bisected the problem to:
    commit 1c35b07e6d39 ("sched/fair: Ensure _sum and _avg values stay consistent")
    
    This commit forces util_sum to be synced with the new util_avg after
    removing the contribution of a task and before the next periodic sync. By
    doing so util_sum is rounded to its lower bound and might lost up to
    LOAD_AVG_MAX-1 of accumulated contribution which has not yet been
    reflected in util_avg.
    
    Instead of always setting util_sum to the low bound of util_avg, which can
    significantly lower the utilization of root cfs_rq after propagating the
    change down into the hierarchy, we revert the change of util_sum and
    propagate the difference.
    
    In addition, we also check that cfs's util_sum always stays above the
    lower bound for a given util_avg as it has been observed that
    sched_entity's util_sum is sometimes above cfs one.
    
    Fixes: 1c35b07e6d39 ("sched/fair: Ensure _sum and _avg values stay consistent")
    Reported-by: Rick Yiu <rickyiu@google.com>
    Signed-off-by: Vincent Guittot <vincent.guittot@linaro.org>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Reviewed-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
    Tested-by: Sachin Sant <sachinp@linux.ibm.com>
    Link: https://lkml.kernel.org/r/20220111134659.24961-2-vincent.guittot@linaro.org
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 767060539ac4fe683300a9004e7956b1f6dbd657
Author: Peter Zijlstra <peterz@infradead.org>
Date:   Mon Dec 20 13:19:52 2021 +0100

    perf: Fix perf_event_read_local() time
    
    [ Upstream commit 09f5e7dc7ad705289e1b1ec065439aa3c42951c4 ]
    
    Time readers that cannot take locks (due to NMI etc..) currently make
    use of perf_event::shadow_ctx_time, which, for that event gives:
    
      time' = now + (time - timestamp)
    
    or, alternatively arranged:
    
      time' = time + (now - timestamp)
    
    IOW, the progression of time since the last time the shadow_ctx_time
    was updated.
    
    There's problems with this:
    
     A) the shadow_ctx_time is per-event, even though the ctx_time it
        reflects is obviously per context. The direct concequence of this
        is that the context needs to iterate all events all the time to
        keep the shadow_ctx_time in sync.
    
     B) even with the prior point, the context itself might not be active
        meaning its time should not advance to begin with.
    
     C) shadow_ctx_time isn't consistently updated when ctx_time is
    
    There are 3 users of this stuff, that suffer differently from this:
    
     - calc_timer_values()
       - perf_output_read()
       - perf_event_update_userpage()       /* A */
    
     - perf_event_read_local()              /* A,B */
    
    In particular, perf_output_read() doesn't suffer at all, because it's
    sample driven and hence only relevant when the event is actually
    running.
    
    This same was supposed to be true for perf_event_update_userpage(),
    after all self-monitoring implies the context is active *HOWEVER*, as
    per commit f79256532682 ("perf/core: fix userpage->time_enabled of
    inactive events") this goes wrong when combined with counter
    overcommit, in that case those events that do not get scheduled when
    the context becomes active (task events typically) miss out on the
    EVENT_TIME update and ENABLED time is inflated (for a little while)
    with the time the context was inactive. Once the event gets rotated
    in, this gets corrected, leading to a non-monotonic timeflow.
    
    perf_event_read_local() made things even worse, it can request time at
    any point, suffering all the problems perf_event_update_userpage()
    does and more. Because while perf_event_update_userpage() is limited
    by the context being active, perf_event_read_local() users have no
    such constraint.
    
    Therefore, completely overhaul things and do away with
    perf_event::shadow_ctx_time. Instead have regular context time updates
    keep track of this offset directly and provide perf_event_time_now()
    to complement perf_event_time().
    
    perf_event_time_now() will, in adition to being context wide, also
    take into account if the context is active. For inactive context, it
    will not advance time.
    
    This latter property means the cgroup perf_cgroup_info context needs
    to grow addition state to track this.
    
    Additionally, since all this is strictly per-cpu, we can use barrier()
    to order context activity vs context time.
    
    Fixes: 7d9285e82db5 ("perf/bpf: Extend the perf_event_read_local() interface, a.k.a. "bpf: perf event change needed for subsequent bpf helpers"")
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Tested-by: Song Liu <song@kernel.org>
    Tested-by: Namhyung Kim <namhyung@kernel.org>
    Link: https://lkml.kernel.org/r/YcB06DasOBtU0b00@hirez.programming.kicks-ass.net
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 498e6604a3aeadbbb8013375c00c4b76527f91fc
Author: Nicholas Piggin <npiggin@gmail.com>
Date:   Mon Jan 17 23:44:03 2022 +1000

    powerpc/64s: Mask SRR0 before checking against the masked NIP
    
    [ Upstream commit aee101d7b95a03078945681dd7f7ea5e4a1e7686 ]
    
    Commit 314f6c23dd8d ("powerpc/64s: Mask NIP before checking against
    SRR0") masked off the low 2 bits of the NIP value in the interrupt
    stack frame in case they are non-zero and mis-compare against a SRR0
    register value of a CPU which always reads back 0 from the 2 low bits
    which are reserved.
    
    This now causes the opposite problem that an implementation which does
    implement those bits in SRR0 will mis-compare against the masked NIP
    value in which they have been cleared. QEMU is one such implementation,
    and this is allowed by the architecture.
    
    This can be triggered by sigfuz by setting low bits of PT_NIP in the
    signal context.
    
    Fix this for now by masking the SRR0 bits as well. Cleaner is probably
    to sanitise these values before putting them in registers or stack, but
    this is the quick and backportable fix.
    
    Fixes: 314f6c23dd8d ("powerpc/64s: Mask NIP before checking against SRR0")
    Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://lore.kernel.org/r/20220117134403.2995059-1-npiggin@gmail.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3dc90add0ca9b3cfd9a35d95f80a92c79c11f07e
Author: Florian Westphal <fw@strlen.de>
Date:   Thu Jan 13 21:37:58 2022 +0100

    netfilter: conntrack: don't increment invalid counter on NF_REPEAT
    
    [ Upstream commit 830af2eba40327abec64325a5b08b1e85c37a2e0 ]
    
    The packet isn't invalid, REPEAT means we're trying again after cleaning
    out a stale connection, e.g. via tcp tracker.
    
    This caused increases of invalid stat counter in a test case involving
    frequent connection reuse, even though no packet is actually invalid.
    
    Fixes: 56a62e2218f5 ("netfilter: conntrack: fix NF_REPEAT handling")
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3bfbc00587dc883eaed383558ae512a351c2cd09
Author: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
Date:   Thu Jan 6 17:15:12 2022 +0530

    powerpc64/bpf: Limit 'ldbrx' to processors compliant with ISA v2.06
    
    [ Upstream commit 3f5f766d5f7f95a69a630da3544a1a0cee1cdddf ]
    
    Johan reported the below crash with test_bpf on ppc64 e5500:
    
      test_bpf: #296 ALU_END_FROM_LE 64: 0x0123456789abcdef -> 0x67452301 jited:1
      Oops: Exception in kernel mode, sig: 4 [#1]
      BE PAGE_SIZE=4K SMP NR_CPUS=24 QEMU e500
      Modules linked in: test_bpf(+)
      CPU: 0 PID: 76 Comm: insmod Not tainted 5.14.0-03771-g98c2059e008a-dirty #1
      NIP:  8000000000061c3c LR: 80000000006dea64 CTR: 8000000000061c18
      REGS: c0000000032d3420 TRAP: 0700   Not tainted (5.14.0-03771-g98c2059e008a-dirty)
      MSR:  0000000080089000 <EE,ME>  CR: 88002822  XER: 20000000 IRQMASK: 0
      <...>
      NIP [8000000000061c3c] 0x8000000000061c3c
      LR [80000000006dea64] .__run_one+0x104/0x17c [test_bpf]
      Call Trace:
       .__run_one+0x60/0x17c [test_bpf] (unreliable)
       .test_bpf_init+0x6a8/0xdc8 [test_bpf]
       .do_one_initcall+0x6c/0x28c
       .do_init_module+0x68/0x28c
       .load_module+0x2460/0x2abc
       .__do_sys_init_module+0x120/0x18c
       .system_call_exception+0x110/0x1b8
       system_call_common+0xf0/0x210
      --- interrupt: c00 at 0x101d0acc
      <...>
      ---[ end trace 47b2bf19090bb3d0 ]---
    
      Illegal instruction
    
    The illegal instruction turned out to be 'ldbrx' emitted for
    BPF_FROM_[L|B]E, which was only introduced in ISA v2.06. Guard use of
    the same and implement an alternative approach for older processors.
    
    Fixes: 156d0e290e969c ("powerpc/ebpf/jit: Implement JIT compiler for extended BPF")
    Reported-by: Johan Almbladh <johan.almbladh@anyfinetworks.com>
    Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
    Tested-by: Johan Almbladh <johan.almbladh@anyfinetworks.com>
    Acked-by: Johan Almbladh <johan.almbladh@anyfinetworks.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://lore.kernel.org/r/d1e51c6fdf572062cf3009a751c3406bda01b832.1641468127.git.naveen.n.rao@linux.vnet.ibm.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit d66377ed9a206632d6f6d2a88a0094c8f635e3d0
Author: Chuck Lever <chuck.lever@oracle.com>
Date:   Thu Jan 13 12:20:36 2022 -0500

    SUNRPC: Don't dereference xprt->snd_task if it's a cookie
    
    [ Upstream commit aed28b7a2d620cb5cd0c554cb889075c02e25e8e ]
    
    Fixes: e26d9972720e ("SUNRPC: Clean up scheduling of autoclose")
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
    Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 8ea839e3a59edac64dbcf0f88e1c95eeea76ac42
Author: Chuck Lever <chuck.lever@oracle.com>
Date:   Sat Oct 16 18:02:38 2021 -0400

    SUNRPC: Use BIT() macro in rpc_show_xprt_state()
    
    [ Upstream commit 76497b1adb89175eee85afc437f08a68247314b3 ]
    
    Clean up: BIT() is preferred over open-coding the shift.
    
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
    Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 19d4d09c2f163d90ed6bfea778f9bc4f70a3c534
Author: Marc Zyngier <maz@kernel.org>
Date:   Fri Jan 14 08:57:58 2022 +0000

    KVM: arm64: pkvm: Use the mm_ops indirection for cache maintenance
    
    [ Upstream commit 094d00f8ca58c5d29b25e23b4daaed1ff1f13b41 ]
    
    CMOs issued from EL2 cannot directly use the kernel helpers,
    as EL2 doesn't have a mapping of the guest pages. Oops.
    
    Instead, use the mm_ops indirection to use helpers that will
    perform a mapping at EL2 and allow the CMO to be effective.
    
    Fixes: 25aa28691bb9 ("KVM: arm64: Move guest CMOs to the fault handlers")
    Reviewed-by: Quentin Perret <qperret@google.com>
    Signed-off-by: Marc Zyngier <maz@kernel.org>
    Link: https://lore.kernel.org/r/20220114125038.1336965-1-maz@kernel.org
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit ee062665fbaef1a5d9092acdc156c0e3fde114a6
Author: Trond Myklebust <trond.myklebust@hammerspace.com>
Date:   Wed Dec 15 16:38:16 2021 -0500

    NFS: Ensure the server has an up to date ctime before renaming
    
    [ Upstream commit 6ff9d99bb88faebf134ca668842349d9718e5464 ]
    
    Renaming a file is required by POSIX to update the file ctime, so
    ensure that the file data is synced to disk so that we don't clobber the
    updated ctime by writing back after creating the hard link.
    
    Fixes: f2c2c552f119 ("NFS: Move delegation recall into the NFSv4 callback for rename_setup()")
    Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
    Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 7a784c2eaae868ddd57cd2a6d7f307e5d504dea7
Author: Trond Myklebust <trond.myklebust@hammerspace.com>
Date:   Wed Dec 15 16:38:15 2021 -0500

    NFS: Ensure the server has an up to date ctime before hardlinking
    
    [ Upstream commit 204975036b34f55237bc44c8a302a88468ef21b5 ]
    
    Creating a hard link is required by POSIX to update the file ctime, so
    ensure that the file data is synced to disk so that we don't clobber the
    updated ctime by writing back after creating the hard link.
    
    Fixes: 9f7682728728 ("NFS: Move the delegation return down into nfs4_proc_link()")
    Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
    Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit fe36a67e82c846eeaceeae2b6c281ccab2e8239a
Author: Eric Dumazet <edumazet@google.com>
Date:   Thu Jan 20 09:41:12 2022 -0800

    ipv6: annotate accesses to fn->fn_sernum
    
    commit aafc2e3285c2d7a79b7ee15221c19fbeca7b1509 upstream.
    
    struct fib6_node's fn_sernum field can be
    read while other threads change it.
    
    Add READ_ONCE()/WRITE_ONCE() annotations.
    
    Do not change existing smp barriers in fib6_get_cookie_safe()
    and __fib6_update_sernum_upto_root()
    
    syzbot reported:
    
    BUG: KCSAN: data-race in fib6_clean_node / inet6_csk_route_socket
    
    write to 0xffff88813df62e2c of 4 bytes by task 1920 on cpu 1:
     fib6_clean_node+0xc2/0x260 net/ipv6/ip6_fib.c:2178
     fib6_walk_continue+0x38e/0x430 net/ipv6/ip6_fib.c:2112
     fib6_walk net/ipv6/ip6_fib.c:2160 [inline]
     fib6_clean_tree net/ipv6/ip6_fib.c:2240 [inline]
     __fib6_clean_all+0x1a9/0x2e0 net/ipv6/ip6_fib.c:2256
     fib6_flush_trees+0x6c/0x80 net/ipv6/ip6_fib.c:2281
     rt_genid_bump_ipv6 include/net/net_namespace.h:488 [inline]
     addrconf_dad_completed+0x57f/0x870 net/ipv6/addrconf.c:4230
     addrconf_dad_work+0x908/0x1170
     process_one_work+0x3f6/0x960 kernel/workqueue.c:2307
     worker_thread+0x616/0xa70 kernel/workqueue.c:2454
     kthread+0x1bf/0x1e0 kernel/kthread.c:359
     ret_from_fork+0x1f/0x30
    
    read to 0xffff88813df62e2c of 4 bytes by task 15701 on cpu 0:
     fib6_get_cookie_safe include/net/ip6_fib.h:285 [inline]
     rt6_get_cookie include/net/ip6_fib.h:306 [inline]
     ip6_dst_store include/net/ip6_route.h:234 [inline]
     inet6_csk_route_socket+0x352/0x3c0 net/ipv6/inet6_connection_sock.c:109
     inet6_csk_xmit+0x91/0x1e0 net/ipv6/inet6_connection_sock.c:121
     __tcp_transmit_skb+0x1323/0x1840 net/ipv4/tcp_output.c:1402
     tcp_transmit_skb net/ipv4/tcp_output.c:1420 [inline]
     tcp_write_xmit+0x1450/0x4460 net/ipv4/tcp_output.c:2680
     __tcp_push_pending_frames+0x68/0x1c0 net/ipv4/tcp_output.c:2864
     tcp_push+0x2d9/0x2f0 net/ipv4/tcp.c:725
     mptcp_push_release net/mptcp/protocol.c:1491 [inline]
     __mptcp_push_pending+0x46c/0x490 net/mptcp/protocol.c:1578
     mptcp_sendmsg+0x9ec/0xa50 net/mptcp/protocol.c:1764
     inet6_sendmsg+0x5f/0x80 net/ipv6/af_inet6.c:643
     sock_sendmsg_nosec net/socket.c:705 [inline]
     sock_sendmsg net/socket.c:725 [inline]
     kernel_sendmsg+0x97/0xd0 net/socket.c:745
     sock_no_sendpage+0x84/0xb0 net/core/sock.c:3086
     inet_sendpage+0x9d/0xc0 net/ipv4/af_inet.c:834
     kernel_sendpage+0x187/0x200 net/socket.c:3492
     sock_sendpage+0x5a/0x70 net/socket.c:1007
     pipe_to_sendpage+0x128/0x160 fs/splice.c:364
     splice_from_pipe_feed fs/splice.c:418 [inline]
     __splice_from_pipe+0x207/0x500 fs/splice.c:562
     splice_from_pipe fs/splice.c:597 [inline]
     generic_splice_sendpage+0x94/0xd0 fs/splice.c:746
     do_splice_from fs/splice.c:767 [inline]
     direct_splice_actor+0x80/0xa0 fs/splice.c:936
     splice_direct_to_actor+0x345/0x650 fs/splice.c:891
     do_splice_direct+0x106/0x190 fs/splice.c:979
     do_sendfile+0x675/0xc40 fs/read_write.c:1245
     __do_sys_sendfile64 fs/read_write.c:1310 [inline]
     __se_sys_sendfile64 fs/read_write.c:1296 [inline]
     __x64_sys_sendfile64+0x102/0x140 fs/read_write.c:1296
     do_syscall_x64 arch/x86/entry/common.c:50 [inline]
     do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x44/0xae
    
    value changed: 0x0000026f -> 0x00000271
    
    Reported by Kernel Concurrency Sanitizer on:
    CPU: 0 PID: 15701 Comm: syz-executor.2 Not tainted 5.16.0-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    
    The Fixes tag I chose is probably arbitrary, I do not think
    we need to backport this patch to older kernels.
    
    Fixes: c5cff8561d2d ("ipv6: add rcu grace period before freeing fib6_node")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Link: https://lore.kernel.org/r/20220120174112.1126644-1-eric.dumazet@gmail.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 56480fb10b976581a363fd168dc2e4fbee87a1a7
Author: José Expósito <jose.exposito89@gmail.com>
Date:   Sun Jan 16 19:18:44 2022 +0100

    drm/msm/dsi: invalid parameter check in msm_dsi_phy_enable
    
    commit 5e761a2287234bc402ba7ef07129f5103bcd775c upstream.
    
    The function performs a check on the "phy" input parameter, however, it
    is used before the check.
    
    Initialize the "dev" variable after the sanity check to avoid a possible
    NULL pointer dereference.
    
    Fixes: 5c8290284402b ("drm/msm/dsi: Split PHY drivers to separate files")
    Addresses-Coverity-ID: 1493860 ("Null pointer dereference")
    Signed-off-by: José Expósito <jose.exposito89@gmail.com>
    Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Link: https://lore.kernel.org/r/20220116181844.7400-1-jose.exposito89@gmail.com
    Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0069c2331be061668afb758f8dfc84dd160a57b8
Author: Miaoqian Lin <linmq006@gmail.com>
Date:   Thu Dec 30 07:09:40 2021 +0000

    drm/msm/dsi: Fix missing put_device() call in dsi_get_phy
    
    commit c04c3148ca12227d92f91b355b4538cc333c9922 upstream.
    
    If of_find_device_by_node() succeeds, dsi_get_phy() doesn't
    a corresponding put_device(). Thus add put_device() to fix the exception
    handling.
    
    Fixes: ec31abf ("drm/msm/dsi: Separate PHY to another platform device")
    Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
    Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Link: https://lore.kernel.org/r/20211230070943.18116-1-linmq006@gmail.com
    Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 971754f4681c4c9b042c49f094e1f1d7bbdc608c
Author: Xianting Tian <xianting.tian@linux.alibaba.com>
Date:   Wed Jan 12 20:33:34 2022 +0800

    drm/msm: Fix wrong size calculation
    
    commit 0a727b459ee39bd4c5ced19d6024258ac87b6b2e upstream.
    
    For example, memory-region in .dts as below,
            reg = <0x0 0x50000000 0x0 0x20000000>
    
    We can get below values,
    struct resource r;
    r.start = 0x50000000;
    r.end   = 0x6fffffff;
    
    So the size should be:
    size = r.end - r.start + 1 = 0x20000000
    
    Signed-off-by: Xianting Tian <xianting.tian@linux.alibaba.com>
    Fixes: 072f1f9168ed ("drm/msm: add support for "stolen" mem")
    Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Link: https://lore.kernel.org/r/20220112123334.749776-1-xianting.tian@linux.alibaba.com
    Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit d70d2aa49acebb936f38e38c10f4b0c1590c8c98
Author: Jianguo Wu <wujianguo@chinatelecom.cn>
Date:   Fri Jan 21 17:15:31 2022 +0800

    net-procfs: show net devices bound packet types
    
    commit 1d10f8a1f40b965d449e8f2d5ed7b96a7c138b77 upstream.
    
    After commit:7866a621043f ("dev: add per net_device packet type chains"),
    we can not get packet types that are bound to a specified net device by
    /proc/net/ptype, this patch fix the regression.
    
    Run "tcpdump -i ens192 udp -nns0" Before and after apply this patch:
    
    Before:
      [root@localhost ~]# cat /proc/net/ptype
      Type Device      Function
      0800          ip_rcv
      0806          arp_rcv
      86dd          ipv6_rcv
    
    After:
      [root@localhost ~]# cat /proc/net/ptype
      Type Device      Function
      ALL  ens192   tpacket_rcv
      0800          ip_rcv
      0806          arp_rcv
      86dd          ipv6_rcv
    
    v1 -> v2:
      - fix the regression rather than adding new /proc API as
        suggested by Stephen Hemminger.
    
    Fixes: 7866a621043f ("dev: add per net_device packet type chains")
    Signed-off-by: Jianguo Wu <wujianguo@chinatelecom.cn>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d7396948cf389b3107fa9365fca5043e19e0e0c5
Author: Trond Myklebust <trond.myklebust@hammerspace.com>
Date:   Thu Jan 6 18:24:03 2022 -0500

    NFSv4: nfs_atomic_open() can race when looking up a non-regular file
    
    commit 1751fc1db36f6f411709e143d5393f92d12137a9 upstream.
    
    If the file type changes back to being a regular file on the server
    between the failed OPEN and our LOOKUP, then we need to re-run the OPEN.
    
    Fixes: 0dd2b474d0b6 ("nfs: implement i_op->atomic_open()")
    Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
    Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4c36ca387af4a9b5d775e46a6cb9dc2d151bf057
Author: Trond Myklebust <trond.myklebust@hammerspace.com>
Date:   Thu Jan 6 18:24:02 2022 -0500

    NFSv4: Handle case where the lookup of a directory fails
    
    commit ac795161c93699d600db16c1a8cc23a65a1eceaf upstream.
    
    If the application sets the O_DIRECTORY flag, and tries to open a
    regular file, nfs_atomic_open() will punt to doing a regular lookup.
    If the server then returns a regular file, we will happily return a
    file descriptor with uninitialised open state.
    
    The fix is to return the expected ENOTDIR error in these cases.
    
    Reported-by: Lyu Tao <tao.lyu@epfl.ch>
    Fixes: 0dd2b474d0b6 ("nfs: implement i_op->atomic_open()")
    Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
    Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 72edb228b420efa70ced62593ca05b92c6496b2c
Author: Guenter Roeck <linux@roeck-us.net>
Date:   Thu Jan 6 11:48:52 2022 -0800

    hwmon: (lm90) Reduce maximum conversion rate for G781
    
    [ Upstream commit a66c5ed539277b9f2363bbace0dba88b85b36c26 ]
    
    According to its datasheet, G781 supports a maximum conversion rate value
    of 8 (62.5 ms). However, chips labeled G781 and G780 were found to only
    support a maximum conversion rate value of 7 (125 ms). On the other side,
    chips labeled G781-1 and G784 were found to support a conversion rate value
    of 8. There is no known means to distinguish G780 from G781 or G784; all
    chips report the same manufacturer ID and chip revision.
    Setting the conversion rate register value to 8 on chips not supporting
    it causes unexpected behavior since the real conversion rate is set to 0
    (16 seconds) if a value of 8 is written into the conversion rate register.
    Limit the conversion rate register value to 7 for all G78x chips to avoid
    the problem.
    
    Fixes: ae544f64cc7b ("hwmon: (lm90) Add support for GMT G781")
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit dee686cbfdd13ca022f20be344a14f595a93f303
Author: Eric Dumazet <edumazet@google.com>
Date:   Wed Jan 26 17:10:22 2022 -0800

    ipv4: avoid using shared IP generator for connected sockets
    
    commit 23f57406b82de51809d5812afd96f210f8b627f3 upstream.
    
    ip_select_ident_segs() has been very conservative about using
    the connected socket private generator only for packets with IP_DF
    set, claiming it was needed for some VJ compression implementations.
    
    As mentioned in this referenced document, this can be abused.
    (Ref: Off-Path TCP Exploits of the Mixed IPID Assignment)
    
    Before switching to pure random IPID generation and possibly hurt
    some workloads, lets use the private inet socket generator.
    
    Not only this will remove one vulnerability, this will also
    improve performance of TCP flows using pmtudisc==IP_PMTUDISC_DONT
    
    Fixes: 73f156a6e8c1 ("inetpeer: get rid of ip_id_count")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reviewed-by: David Ahern <dsahern@kernel.org>
    Reported-by: Ray Che <xijiache@gmail.com>
    Cc: Willy Tarreau <w@1wt.eu>
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit eeb0c916b0f861d1687f528a75e13e8808a970cf
Author: Xin Long <lucien.xin@gmail.com>
Date:   Sat Jan 22 06:40:56 2022 -0500

    ping: fix the sk_bound_dev_if match in ping_lookup
    
    commit 2afc3b5a31f9edf3ef0f374f5d70610c79c93a42 upstream.
    
    When 'ping' changes to use PING socket instead of RAW socket by:
    
       # sysctl -w net.ipv4.ping_group_range="0 100"
    
    the selftests 'router_broadcast.sh' will fail, as such command
    
      # ip vrf exec vrf-h1 ping -I veth0 198.51.100.255 -b
    
    can't receive the response skb by the PING socket. It's caused by mismatch
    of sk_bound_dev_if and dif in ping_rcv() when looking up the PING socket,
    as dif is vrf-h1 if dif's master was set to vrf-h1.
    
    This patch is to fix this regression by also checking the sk_bound_dev_if
    against sdif so that the packets can stil be received even if the socket
    is not bound to the vrf device but to the real iif.
    
    Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
    Reported-by: Hangbin Liu <liuhangbin@gmail.com>
    Signed-off-by: Xin Long <lucien.xin@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 4d647a2b607423951d4fd22acc33f21c476f4dc5
Author: Guenter Roeck <linux@roeck-us.net>
Date:   Fri Jan 7 11:11:00 2022 -0800

    hwmon: (lm90) Mark alert as broken for MAX6680
    
    commit 94746b0ba479743355e0d3cc1cb9cfe3011fb8be upstream.
    
    Experiments with MAX6680 and MAX6681 show that the alert function of those
    chips is broken, similar to other chips supported by the lm90 driver.
    Mark it accordingly.
    
    Fixes: 4667bcb8d8fc ("hwmon: (lm90) Introduce chip parameter structure")
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 38cfdc0ef4745bda3227629c86d72288d5a141a2
Author: Guenter Roeck <linux@roeck-us.net>
Date:   Fri Jan 7 12:36:41 2022 -0800

    hwmon: (lm90) Mark alert as broken for MAX6646/6647/6649
    
    commit f614629f9c1080dcc844a8430e3fb4c37ebbf05d upstream.
    
    Experiments with MAX6646 and MAX6648 show that the alert function of those
    chips is broken, similar to other chips supported by the lm90 driver.
    Mark it accordingly.
    
    Fixes: 4667bcb8d8fc ("hwmon: (lm90) Introduce chip parameter structure")
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e43669c77cb3a742b7d84ecdc7c68c4167a7709b
Author: Congyu Liu <liu3101@purdue.edu>
Date:   Tue Jan 18 14:20:13 2022 -0500

    net: fix information leakage in /proc/net/ptype
    
    commit 47934e06b65637c88a762d9c98329ae6e3238888 upstream.
    
    In one net namespace, after creating a packet socket without binding
    it to a device, users in other net namespaces can observe the new
    `packet_type` added by this packet socket by reading `/proc/net/ptype`
    file. This is minor information leakage as packet socket is
    namespace aware.
    
    Add a net pointer in `packet_type` to keep the net namespace of
    of corresponding packet socket. In `ptype_seq_show`, this net pointer
    must be checked when it is not NULL.
    
    Fixes: 2feb27dbe00c ("[NETNS]: Minor information leak via /proc/net/ptype file.")
    Signed-off-by: Congyu Liu <liu3101@purdue.edu>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 1515e72aae803fc6b466adf918e71c4e4c9d5b3d
Author: sparkhuang <huangshaobo6@huawei.com>
Date:   Wed Dec 15 10:08:23 2021 +0100

    ARM: 9170/1: fix panic when kasan and kprobe are enabled
    
    commit 8b59b0a53c840921b625378f137e88adfa87647e upstream.
    
    arm32 uses software to simulate the instruction replaced
    by kprobe. some instructions may be simulated by constructing
    assembly functions. therefore, before executing instruction
    simulation, it is necessary to construct assembly function
    execution environment in C language through binding registers.
    after kasan is enabled, the register binding relationship will
    be destroyed, resulting in instruction simulation errors and
    causing kernel panic.
    
    the kprobe emulate instruction function is distributed in three
    files: actions-common.c actions-arm.c actions-thumb.c, so disable
    KASAN when compiling these files.
    
    for example, use kprobe insert on cap_capable+20 after kasan
    enabled, the cap_capable assembly code is as follows:
    <cap_capable>:
    e92d47f0        push    {r4, r5, r6, r7, r8, r9, sl, lr}
    e1a05000        mov     r5, r0
    e280006c        add     r0, r0, #108    ; 0x6c
    e1a04001        mov     r4, r1
    e1a06002        mov     r6, r2
    e59fa090        ldr     sl, [pc, #144]  ;
    ebfc7bf8        bl      c03aa4b4 <__asan_load4>
    e595706c        ldr     r7, [r5, #108]  ; 0x6c
    e2859014        add     r9, r5, #20
    ......
    The emulate_ldr assembly code after enabling kasan is as follows:
    c06f1384 <emulate_ldr>:
    e92d47f0        push    {r4, r5, r6, r7, r8, r9, sl, lr}
    e282803c        add     r8, r2, #60     ; 0x3c
    e1a05000        mov     r5, r0
    e7e37855        ubfx    r7, r5, #16, #4
    e1a00008        mov     r0, r8
    e1a09001        mov     r9, r1
    e1a04002        mov     r4, r2
    ebf35462        bl      c03c6530 <__asan_load4>
    e357000f        cmp     r7, #15
    e7e36655        ubfx    r6, r5, #12, #4
    e205a00f        and     sl, r5, #15
    0a000001        beq     c06f13bc <emulate_ldr+0x38>
    e0840107        add     r0, r4, r7, lsl #2
    ebf3545c        bl      c03c6530 <__asan_load4>
    e084010a        add     r0, r4, sl, lsl #2
    ebf3545a        bl      c03c6530 <__asan_load4>
    e2890010        add     r0, r9, #16
    ebf35458        bl      c03c6530 <__asan_load4>
    e5990010        ldr     r0, [r9, #16]
    e12fff30        blx     r0
    e356000f        cm      r6, #15
    1a000014        bne     c06f1430 <emulate_ldr+0xac>
    e1a06000        mov     r6, r0
    e2840040        add     r0, r4, #64     ; 0x40
    ......
    
    when running in emulate_ldr to simulate the ldr instruction, panic
    occurred, and the log is as follows:
    Unable to handle kernel NULL pointer dereference at virtual address
    00000090
    pgd = ecb46400
    [00000090] *pgd=2e0fa003, *pmd=00000000
    Internal error: Oops: 206 [#1] SMP ARM
    PC is at cap_capable+0x14/0xb0
    LR is at emulate_ldr+0x50/0xc0
    psr: 600d0293 sp : ecd63af8  ip : 00000004  fp : c0a7c30c
    r10: 00000000  r9 : c30897f4  r8 : ecd63cd4
    r7 : 0000000f  r6 : 0000000a  r5 : e59fa090  r4 : ecd63c98
    r3 : c06ae294  r2 : 00000000  r1 : b7611300  r0 : bf4ec008
    Flags: nZCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment user
    Control: 32c5387d  Table: 2d546400  DAC: 55555555
    Process bash (pid: 1643, stack limit = 0xecd60190)
    (cap_capable) from (kprobe_handler+0x218/0x340)
    (kprobe_handler) from (kprobe_trap_handler+0x24/0x48)
    (kprobe_trap_handler) from (do_undefinstr+0x13c/0x364)
    (do_undefinstr) from (__und_svc_finish+0x0/0x30)
    (__und_svc_finish) from (cap_capable+0x18/0xb0)
    (cap_capable) from (cap_vm_enough_memory+0x38/0x48)
    (cap_vm_enough_memory) from
    (security_vm_enough_memory_mm+0x48/0x6c)
    (security_vm_enough_memory_mm) from
    (copy_process.constprop.5+0x16b4/0x25c8)
    (copy_process.constprop.5) from (_do_fork+0xe8/0x55c)
    (_do_fork) from (SyS_clone+0x1c/0x24)
    (SyS_clone) from (__sys_trace_return+0x0/0x10)
    Code: 0050a0e1 6c0080e2 0140a0e1 0260a0e1 (f801f0e7)
    
    Fixes: 35aa1df43283 ("ARM kprobes: instruction single-stepping support")
    Fixes: 421015713b30 ("ARM: 9017/2: Enable KASan for ARM")
    Signed-off-by: huangshaobo <huangshaobo6@huawei.com>
    Acked-by: Ard Biesheuvel <ardb@kernel.org>
    Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 88e32f7b37a0fce0aa6ee97f5fe546c3f2c0e21c
Author: Ido Schimmel <idosch@nvidia.com>
Date:   Thu Jan 20 10:05:46 2022 +0200

    ipv6_tunnel: Rate limit warning messages
    
    commit 6cee105e7f2ced596373951d9ea08dacc3883c68 upstream.
    
    The warning messages can be invoked from the data path for every packet
    transmitted through an ip6gre netdev, leading to high CPU utilization.
    
    Fix that by rate limiting the messages.
    
    Fixes: 09c6bbf090ec ("[IPV6]: Do mandatory IPv6 tunnel endpoint checks in realtime")
    Reported-by: Maksym Yaremchuk <maksymy@nvidia.com>
    Tested-by: Maksym Yaremchuk <maksymy@nvidia.com>
    Signed-off-by: Ido Schimmel <idosch@nvidia.com>
    Reviewed-by: Amit Cohen <amcohen@nvidia.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit b11e34f7bab21df36f02a5e54fb69e858c09a65d
Author: John Meneghini <jmeneghi@redhat.com>
Date:   Fri Jan 14 23:00:44 2022 -0500

    scsi: bnx2fc: Flush destroy_work queue before calling bnx2fc_interface_put()
    
    commit 847f9ea4c5186fdb7b84297e3eeed9e340e83fce upstream.
    
    The bnx2fc_destroy() functions are removing the interface before calling
    destroy_work. This results multiple WARNings from sysfs_remove_group() as
    the controller rport device attributes are removed too early.
    
    Replace the fcoe_port's destroy_work queue. It's not needed.
    
    The problem is easily reproducible with the following steps.
    
    Example:
    
      $ dmesg -w &
      $ systemctl enable --now fcoe
      $ fipvlan -s -c ens2f1
      $ fcoeadm -d ens2f1.802
      [  583.464488] host2: libfc: Link down on port (7500a1)
      [  583.472651] bnx2fc: 7500a1 - rport not created Yet!!
      [  583.490468] ------------[ cut here ]------------
      [  583.538725] sysfs group 'power' not found for kobject 'rport-2:0-0'
      [  583.568814] WARNING: CPU: 3 PID: 192 at fs/sysfs/group.c:279 sysfs_remove_group+0x6f/0x80
      [  583.607130] Modules linked in: dm_service_time 8021q garp mrp stp llc bnx2fc cnic uio rpcsec_gss_krb5 auth_rpcgss nfsv4 ...
      [  583.942994] CPU: 3 PID: 192 Comm: kworker/3:2 Kdump: loaded Not tainted 5.14.0-39.el9.x86_64 #1
      [  583.984105] Hardware name: HP ProLiant DL120 G7, BIOS J01 07/01/2013
      [  584.016535] Workqueue: fc_wq_2 fc_rport_final_delete [scsi_transport_fc]
      [  584.050691] RIP: 0010:sysfs_remove_group+0x6f/0x80
      [  584.074725] Code: ff 5b 48 89 ef 5d 41 5c e9 ee c0 ff ff 48 89 ef e8 f6 b8 ff ff eb d1 49 8b 14 24 48 8b 33 48 c7 c7 ...
      [  584.162586] RSP: 0018:ffffb567c15afdc0 EFLAGS: 00010282
      [  584.188225] RAX: 0000000000000000 RBX: ffffffff8eec4220 RCX: 0000000000000000
      [  584.221053] RDX: ffff8c1586ce84c0 RSI: ffff8c1586cd7cc0 RDI: ffff8c1586cd7cc0
      [  584.255089] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffb567c15afc00
      [  584.287954] R10: ffffb567c15afbf8 R11: ffffffff8fbe7f28 R12: ffff8c1486326400
      [  584.322356] R13: ffff8c1486326480 R14: ffff8c1483a4a000 R15: 0000000000000004
      [  584.355379] FS:  0000000000000000(0000) GS:ffff8c1586cc0000(0000) knlGS:0000000000000000
      [  584.394419] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  584.421123] CR2: 00007fe95a6f7840 CR3: 0000000107674002 CR4: 00000000000606e0
      [  584.454888] Call Trace:
      [  584.466108]  device_del+0xb2/0x3e0
      [  584.481701]  device_unregister+0x13/0x60
      [  584.501306]  bsg_unregister_queue+0x5b/0x80
      [  584.522029]  bsg_remove_queue+0x1c/0x40
      [  584.541884]  fc_rport_final_delete+0xf3/0x1d0 [scsi_transport_fc]
      [  584.573823]  process_one_work+0x1e3/0x3b0
      [  584.592396]  worker_thread+0x50/0x3b0
      [  584.609256]  ? rescuer_thread+0x370/0x370
      [  584.628877]  kthread+0x149/0x170
      [  584.643673]  ? set_kthread_struct+0x40/0x40
      [  584.662909]  ret_from_fork+0x22/0x30
      [  584.680002] ---[ end trace 53575ecefa942ece ]---
    
    Link: https://lore.kernel.org/r/20220115040044.1013475-1-jmeneghi@redhat.com
    Fixes: 0cbf32e1681d ("[SCSI] bnx2fc: Avoid calling bnx2fc_if_destroy with unnecessary locks")
    Tested-by: Guangwu Zhang <guazhang@redhat.com>
    Co-developed-by: Maurizio Lombardi <mlombard@redhat.com>
    Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
    Signed-off-by: John Meneghini <jmeneghi@redhat.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9c2ece4852a628dadb716e3596e6c9c3aa198b3f
Author: Yang Yingliang <yangyingliang@huawei.com>
Date:   Tue Jan 11 09:24:41 2022 +0800

    scsi: elx: efct: Don't use GFP_KERNEL under spin lock
    
    commit 61263b3a11a2594b4e898f166c31162236182b5c upstream.
    
    GFP_KERNEL/GFP_DMA can't be used under a spin lock. According the comment,
    els_ios_lock is used to protect els ios list so we can move down the spin
    lock to avoid using this flag under the lock.
    
    Link: https://lore.kernel.org/r/20220111012441.3232527-1-yangyingliang@huawei.com
    Fixes: 8f406ef72859 ("scsi: elx: libefc: Extended link Service I/O handling")
    Reported-by: Hulk Robot <hulkci@huawei.com>
    Reviewed-by: James Smart <jsmart2021@gmail.com>
    Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit daf9ac79e75b1e396c3c4f2113d5344e3ce27dcb
Author: Matthias Kaehlcke <mka@chromium.org>
Date:   Mon Jan 10 10:47:37 2022 -0800

    rpmsg: char: Fix race between the release of rpmsg_eptdev and cdev
    
    commit 7a534ae89e34e9b51acb5a63dd0f88308178b46a upstream.
    
    struct rpmsg_eptdev contains a struct cdev. The current code frees
    the rpmsg_eptdev struct in rpmsg_eptdev_destroy(), but the cdev is
    a managed object, therefore its release is not predictable and the
    rpmsg_eptdev could be freed before the cdev is entirely released.
    
    The cdev_device_add/del() API was created to address this issue
    (see commit '233ed09d7fda ("chardev: add helper function to register
    char devs with a struct device")'), use it instead of cdev add/del().
    
    Fixes: c0cdc19f84a4 ("rpmsg: Driver for user space endpoint interface")
    Suggested-by: Bjorn Andersson <bjorn.andersson@linaro.org>
    Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
    Reviewed-by: Mathieu Poirier <mathieu.poirier@linaro.org>
    Reviewed-by: Stephen Boyd <swboyd@chromium.org>
    Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
    Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
    Link: https://lore.kernel.org/r/20220110104706.v6.2.Idde68b05b88d4a2e6e54766c653f3a6d9e419ce6@changeid
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 85aba11a8ea92a8eef2de95ebbe063086fd62d9c
Author: Sujit Kautkar <sujitka@chromium.org>
Date:   Mon Jan 10 10:47:36 2022 -0800

    rpmsg: char: Fix race between the release of rpmsg_ctrldev and cdev
    
    commit b7fb2dad571d1e21173c06cef0bced77b323990a upstream.
    
    struct rpmsg_ctrldev contains a struct cdev. The current code frees
    the rpmsg_ctrldev struct in rpmsg_ctrldev_release_device(), but the
    cdev is a managed object, therefore its release is not predictable
    and the rpmsg_ctrldev could be freed before the cdev is entirely
    released, as in the backtrace below.
    
    [   93.625603] ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x7c
    [   93.636115] WARNING: CPU: 0 PID: 12 at lib/debugobjects.c:488 debug_print_object+0x13c/0x1b0
    [   93.644799] Modules linked in: veth xt_cgroup xt_MASQUERADE rfcomm algif_hash algif_skcipher af_alg uinput ip6table_nat fuse uvcvideo videobuf2_vmalloc venus_enc venus_dec videobuf2_dma_contig hci_uart btandroid btqca snd_soc_rt5682_i2c bluetooth qcom_spmi_temp_alarm snd_soc_rt5682v
    [   93.715175] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G    B             5.4.163-lockdep #26
    [   93.723855] Hardware name: Google Lazor (rev3 - 8) with LTE (DT)
    [   93.730055] Workqueue: events kobject_delayed_cleanup
    [   93.735271] pstate: 60c00009 (nZCv daif +PAN +UAO)
    [   93.740216] pc : debug_print_object+0x13c/0x1b0
    [   93.744890] lr : debug_print_object+0x13c/0x1b0
    [   93.749555] sp : ffffffacf5bc7940
    [   93.752978] x29: ffffffacf5bc7940 x28: dfffffd000000000
    [   93.758448] x27: ffffffacdb11a800 x26: dfffffd000000000
    [   93.763916] x25: ffffffd0734f856c x24: dfffffd000000000
    [   93.769389] x23: 0000000000000000 x22: ffffffd0733c35b0
    [   93.774860] x21: ffffffd0751994a0 x20: ffffffd075ec27c0
    [   93.780338] x19: ffffffd075199100 x18: 00000000000276e0
    [   93.785814] x17: 0000000000000000 x16: dfffffd000000000
    [   93.791291] x15: ffffffffffffffff x14: 6e6968207473696c
    [   93.796768] x13: 0000000000000000 x12: ffffffd075e2b000
    [   93.802244] x11: 0000000000000001 x10: 0000000000000000
    [   93.807723] x9 : d13400dff1921900 x8 : d13400dff1921900
    [   93.813200] x7 : 0000000000000000 x6 : 0000000000000000
    [   93.818676] x5 : 0000000000000080 x4 : 0000000000000000
    [   93.824152] x3 : ffffffd0732a0fa4 x2 : 0000000000000001
    [   93.829628] x1 : ffffffacf5bc7580 x0 : 0000000000000061
    [   93.835104] Call trace:
    [   93.837644]  debug_print_object+0x13c/0x1b0
    [   93.841963]  __debug_check_no_obj_freed+0x25c/0x3c0
    [   93.846987]  debug_check_no_obj_freed+0x18/0x20
    [   93.851669]  slab_free_freelist_hook+0xbc/0x1e4
    [   93.856346]  kfree+0xfc/0x2f4
    [   93.859416]  rpmsg_ctrldev_release_device+0x78/0xb8
    [   93.864445]  device_release+0x84/0x168
    [   93.868310]  kobject_cleanup+0x12c/0x298
    [   93.872356]  kobject_delayed_cleanup+0x10/0x18
    [   93.876948]  process_one_work+0x578/0x92c
    [   93.881086]  worker_thread+0x804/0xcf8
    [   93.884963]  kthread+0x2a8/0x314
    [   93.888303]  ret_from_fork+0x10/0x18
    
    The cdev_device_add/del() API was created to address this issue (see
    commit '233ed09d7fda ("chardev: add helper function to register char
    devs with a struct device")'), use it instead of cdev add/del().
    
    Fixes: c0cdc19f84a4 ("rpmsg: Driver for user space endpoint interface")
    Signed-off-by: Sujit Kautkar <sujitka@chromium.org>
    Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
    Reviewed-by: Mathieu Poirier <mathieu.poirier@linaro.org>
    Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
    Reviewed-by: Stephen Boyd <swboyd@chromium.org>
    Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
    Link: https://lore.kernel.org/r/20220110104706.v6.1.Iaac908f3e3149a89190ce006ba166e2d3fd247a3@changeid
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a1f7aa8d60bf8234f5fa4678f556192380afd281
Author: Linyu Yuan <quic_linyyuan@quicinc.com>
Date:   Mon Jan 10 20:43:28 2022 +0800

    usb: roles: fix include/linux/usb/role.h compile issue
    
    commit 945c37ed564770c78dfe6b9f08bed57a1b4e60ef upstream.
    
    when CONFIG_USB_ROLE_SWITCH is not defined,
    add usb_role_switch_find_by_fwnode() definition which return NULL.
    
    Fixes: c6919d5e0cd1 ("usb: roles: Add usb_role_switch_find_by_fwnode()")
    Signed-off-by: Linyu Yuan <quic_linyyuan@quicinc.com>
    Link: https://lore.kernel.org/r/1641818608-25039-1-git-send-email-quic_linyyuan@quicinc.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d22045c802836b8de3a649c55ffa61e54fe2bd6c
Author: Joe Damato <jdamato@fastly.com>
Date:   Wed Dec 8 17:56:33 2021 -0800

    i40e: fix unsigned stat widths
    
    commit 3b8428b84539c78fdc8006c17ebd25afd4722d51 upstream.
    
    Change i40e_update_vsi_stats and struct i40e_vsi to use u64 fields to match
    the width of the stats counters in struct i40e_rx_queue_stats.
    
    Update debugfs code to use the correct format specifier for u64.
    
    Fixes: 41c445ff0f48 ("i40e: main driver core")
    Signed-off-by: Joe Damato <jdamato@fastly.com>
    Reported-by: kernel test robot <lkp@intel.com>
    Tested-by: Gurucharan G <gurucharanx.g@intel.com>
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d49582860d33237d1a595545455a0069457fdadb
Author: Karen Sornek <karen.sornek@intel.com>
Date:   Thu Dec 2 12:52:01 2021 +0100

    i40e: Fix for failed to init adminq while VF reset
    
    commit 0f344c8129a5337dae50e31b817dd50a60ff238c upstream.
    
    Fix for failed to init adminq: -53 while VF is resetting via MAC
    address changing procedure.
    Added sync module to avoid reading deadbeef value in reinit adminq
    during software reset.
    Without this patch it is possible to trigger VF reset procedure
    during reinit adminq. This resulted in an incorrect reading of
    value from the AQP registers and generated the -53 error.
    
    Fixes: 5c3c48ac6bf5 ("i40e: implement virtual device interface")
    Signed-off-by: Grzegorz Szczurek <grzegorzx.szczurek@intel.com>
    Signed-off-by: Karen Sornek <karen.sornek@intel.com>
    Tested-by: Konrad Jankowski <konrad0.jankowski@intel.com>
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 00eddb0e4ea115154581d1049507a996acfc2d3e
Author: Sylwester Dziedziuch <sylwesterx.dziedziuch@intel.com>
Date:   Fri Nov 26 11:11:22 2021 +0100

    i40e: Fix queues reservation for XDP
    
    commit 92947844b8beee988c0ce17082b705c2f75f0742 upstream.
    
    When XDP was configured on a system with large number of CPUs
    and X722 NIC there was a call trace with NULL pointer dereference.
    
    i40e 0000:87:00.0: failed to get tracking for 256 queues for VSI 0 err -12
    i40e 0000:87:00.0: setup of MAIN VSI failed
    
    BUG: kernel NULL pointer dereference, address: 0000000000000000
    RIP: 0010:i40e_xdp+0xea/0x1b0 [i40e]
    Call Trace:
    ? i40e_reconfig_rss_queues+0x130/0x130 [i40e]
    dev_xdp_install+0x61/0xe0
    dev_xdp_attach+0x18a/0x4c0
    dev_change_xdp_fd+0x1e6/0x220
    do_setlink+0x616/0x1030
    ? ahci_port_stop+0x80/0x80
    ? ata_qc_issue+0x107/0x1e0
    ? lock_timer_base+0x61/0x80
    ? __mod_timer+0x202/0x380
    rtnl_setlink+0xe5/0x170
    ? bpf_lsm_binder_transaction+0x10/0x10
    ? security_capable+0x36/0x50
    rtnetlink_rcv_msg+0x121/0x350
    ? rtnl_calcit.isra.0+0x100/0x100
    netlink_rcv_skb+0x50/0xf0
    netlink_unicast+0x1d3/0x2a0
    netlink_sendmsg+0x22a/0x440
    sock_sendmsg+0x5e/0x60
    __sys_sendto+0xf0/0x160
    ? __sys_getsockname+0x7e/0xc0
    ? _copy_from_user+0x3c/0x80
    ? __sys_setsockopt+0xc8/0x1a0
    __x64_sys_sendto+0x20/0x30
    do_syscall_64+0x33/0x40
    entry_SYSCALL_64_after_hwframe+0x44/0xae
    RIP: 0033:0x7f83fa7a39e0
    
    This was caused by PF queue pile fragmentation due to
    flow director VSI queue being placed right after main VSI.
    Because of this main VSI was not able to resize its
    queue allocation for XDP resulting in no queues allocated
    for main VSI when XDP was turned on.
    
    Fix this by always allocating last queue in PF queue pile
    for a flow director VSI.
    
    Fixes: 41c445ff0f48 ("i40e: main driver core")
    Fixes: 74608d17fe29 ("i40e: add support for XDP_TX action")
    Signed-off-by: Sylwester Dziedziuch <sylwesterx.dziedziuch@intel.com>
    Signed-off-by: Mateusz Palczewski <mateusz.palczewski@intel.com>
    Reviewed-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
    Tested-by: Kiran Bhandare <kiranx.bhandare@intel.com>
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 98b70add75762331dc936fe9b3712087d18d533d
Author: Jedrzej Jagielski <jedrzej.jagielski@intel.com>
Date:   Fri Nov 5 11:17:00 2021 +0000

    i40e: Fix issue when maximum queues is exceeded
    
    commit d701658a50a471591094b3eb3961b4926cc8f104 upstream.
    
    Before this patch VF interface vanished when
    maximum queue number was exceeded. Driver tried
    to add next queues even if there was not enough
    space. PF sent incorrect number of queues to
    the VF when there were not enough of them.
    
    Add an additional condition introduced to check
    available space in 'qp_pile' before proceeding.
    This condition makes it impossible to add queues
    if they number is greater than the number resulting
    from available space.
    Also add the search for free space in PF queue
    pair piles.
    
    Without this patch VF interfaces are not seen
    when available space for queues has been
    exceeded and following logs appears permanently
    in dmesg:
    "Unable to get VF config (-32)".
    "VF 62 failed opcode 3, retval: -5"
    "Unable to get VF config due to PF error condition, not retrying"
    
    Fixes: 7daa6bf3294e ("i40e: driver core headers")
    Fixes: 41c445ff0f48 ("i40e: main driver core")
    Signed-off-by: Jaroslaw Gawin <jaroslawx.gawin@intel.com>
    Signed-off-by: Slawomir Laba <slawomirx.laba@intel.com>
    Signed-off-by: Jedrzej Jagielski <jedrzej.jagielski@intel.com>
    Tested-by: Konrad Jankowski <konrad0.jankowski@intel.com>
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d12f5a7c48a93020827a2681cc96a1c1a6325829
Author: Jedrzej Jagielski <jedrzej.jagielski@intel.com>
Date:   Thu Oct 28 13:51:14 2021 +0000

    i40e: Increase delay to 1 s after global EMP reset
    
    commit 9b13bd53134c9ddd544a790125199fdbdb505e67 upstream.
    
    Recently simplified i40e_rebuild causes that FW sometimes
    is not ready after NVM update, the ping does not return.
    
    Increase the delay in case of EMP reset.
    Old delay of 300 ms was introduced for specific cards for 710 series.
    Now it works for all the cards and delay was increased.
    
    Fixes: 1fa51a650e1d ("i40e: Add delay after EMP reset for firmware to recover")
    Signed-off-by: Arkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
    Signed-off-by: Jedrzej Jagielski <jedrzej.jagielski@intel.com>
    Tested-by: Gurucharan G <gurucharanx.g@intel.com>
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c894d2f9fd536c4dfc750cd1fe9c6bcd42a422dc
Author: Christophe Leroy <christophe.leroy@csgroup.eu>
Date:   Wed Dec 22 13:07:31 2021 +0000

    powerpc/32: Fix boot failure with GCC latent entropy plugin
    
    commit bba496656a73fc1d1330b49c7f82843836e9feb1 upstream.
    
    Boot fails with GCC latent entropy plugin enabled.
    
    This is due to early boot functions trying to access 'latent_entropy'
    global data while the kernel is not relocated at its final
    destination yet.
    
    As there is no way to tell GCC to use PTRRELOC() to access it,
    disable latent entropy plugin in early_32.o and feature-fixups.o and
    code-patching.o
    
    Fixes: 38addce8b600 ("gcc-plugins: Add latent_entropy plugin")
    Cc: stable@vger.kernel.org # v4.9+
    Reported-by: Erhard Furtner <erhard_f@mailbox.org>
    Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://bugzilla.kernel.org/show_bug.cgi?id=215217
    Link: https://lore.kernel.org/r/2bac55483b8daf5b1caa163a45fa5f9cdbe18be4.1640178426.git.christophe.leroy@csgroup.eu
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit db37befafa536d1eed293fa5765ad781c3152071
Author: Christophe Leroy <christophe.leroy@csgroup.eu>
Date:   Mon Jan 10 15:29:25 2022 +0000

    powerpc/32s: Fix kasan_init_region() for KASAN
    
    commit d37823c3528e5e0705fc7746bcbc2afffb619259 upstream.
    
    It has been reported some configuration where the kernel doesn't
    boot with KASAN enabled.
    
    This is due to wrong BAT allocation for the KASAN area:
    
            ---[ Data Block Address Translation ]---
            0: 0xc0000000-0xcfffffff 0x00000000       256M Kernel rw      m
            1: 0xd0000000-0xdfffffff 0x10000000       256M Kernel rw      m
            2: 0xe0000000-0xefffffff 0x20000000       256M Kernel rw      m
            3: 0xf8000000-0xf9ffffff 0x2a000000        32M Kernel rw      m
            4: 0xfa000000-0xfdffffff 0x2c000000        64M Kernel rw      m
    
    A BAT must have both virtual and physical addresses alignment matching
    the size of the BAT. This is not the case for BAT 4 above.
    
    Fix kasan_init_region() by using block_size() function that is in
    book3s32/mmu.c. To be able to reuse it here, make it non static and
    change its name to bat_block_size() in order to avoid name conflict
    with block_size() defined in <linux/blkdev.h>
    
    Also reuse find_free_bat() to avoid an error message from setbat()
    when no BAT is available.
    
    And allocate memory outside of linear memory mapping to avoid
    wasting that precious space.
    
    With this change we get correct alignment for BATs and KASAN shadow
    memory is allocated outside the linear memory space.
    
            ---[ Data Block Address Translation ]---
            0: 0xc0000000-0xcfffffff 0x00000000       256M Kernel rw
            1: 0xd0000000-0xdfffffff 0x10000000       256M Kernel rw
            2: 0xe0000000-0xefffffff 0x20000000       256M Kernel rw
            3: 0xf8000000-0xfbffffff 0x7c000000        64M Kernel rw
            4: 0xfc000000-0xfdffffff 0x7a000000        32M Kernel rw
    
    Fixes: 7974c4732642 ("powerpc/32s: Implement dedicated kasan_init_region()")
    Cc: stable@vger.kernel.org
    Reported-by: Maxime Bizon <mbizon@freebox.fr>
    Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
    Tested-by: Maxime Bizon <mbizon@freebox.fr>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://lore.kernel.org/r/7a50ef902494d1325227d47d33dada01e52e5518.1641818726.git.christophe.leroy@csgroup.eu
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 569c81c077eb8a22d84825f2ef1cd7fd4327d241
Author: Christophe Leroy <christophe.leroy@csgroup.eu>
Date:   Fri Nov 26 13:40:35 2021 +0100

    powerpc/32s: Allocate one 256k IBAT instead of two consecutives 128k IBATs
    
    commit 37eb7ca91b692e8e49e7dd50158349a6c8fb5b09 upstream.
    
    Today we have the following IBATs allocated:
    
            ---[ Instruction Block Address Translation ]---
            0: 0xc0000000-0xc03fffff 0x00000000         4M Kernel   x     m
            1: 0xc0400000-0xc05fffff 0x00400000         2M Kernel   x     m
            2: 0xc0600000-0xc06fffff 0x00600000         1M Kernel   x     m
            3: 0xc0700000-0xc077ffff 0x00700000       512K Kernel   x     m
            4: 0xc0780000-0xc079ffff 0x00780000       128K Kernel   x     m
            5: 0xc07a0000-0xc07bffff 0x007a0000       128K Kernel   x     m
            6:         -
            7:         -
    
    The two 128K should be a single 256K instead.
    
    When _etext is not aligned to 128Kbytes, the system will allocate
    all necessary BATs to the lower 128Kbytes boundary, then allocate
    an additional 128Kbytes BAT for the remaining block.
    
    Instead, align the top to 128Kbytes so that the function directly
    allocates a 256Kbytes last block:
    
            ---[ Instruction Block Address Translation ]---
            0: 0xc0000000-0xc03fffff 0x00000000         4M Kernel   x     m
            1: 0xc0400000-0xc05fffff 0x00400000         2M Kernel   x     m
            2: 0xc0600000-0xc06fffff 0x00600000         1M Kernel   x     m
            3: 0xc0700000-0xc077ffff 0x00700000       512K Kernel   x     m
            4: 0xc0780000-0xc07bffff 0x00780000       256K Kernel   x     m
            5:         -
            6:         -
            7:         -
    
    Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://lore.kernel.org/r/ab58b296832b0ec650e2203200e060adbcb2677d.1637930421.git.christophe.leroy@csgroup.eu
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 190753f63fc090d0c88e7beec9b60351a3708037
Author: Tony Luck <tony.luck@intel.com>
Date:   Fri Jan 21 09:47:38 2022 -0800

    x86/cpu: Add Xeon Icelake-D to list of CPUs that support PPIN
    
    commit e464121f2d40eabc7d11823fb26db807ce945df4 upstream.
    
    Missed adding the Icelake-D CPU to the list. It uses the same MSRs
    to control and read the inventory number as all the other models.
    
    Fixes: dc6b025de95b ("x86/mce: Add Xeon Icelake to list of CPUs that support PPIN")
    Reported-by: Ailin Xu <ailin.xu@intel.com>
    Signed-off-by: Tony Luck <tony.luck@intel.com>
    Signed-off-by: Borislav Petkov <bp@suse.de>
    Cc: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20220121174743.1875294-2-tony.luck@intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 98ccfec9eae6ac4175779a2e44899529b6a4d7e3
Author: Yazen Ghannam <yazen.ghannam@amd.com>
Date:   Mon Jan 17 16:13:28 2022 +0000

    x86/MCE/AMD: Allow thresholding interface updates after init
    
    commit 1f52b0aba6fd37653416375cb8a1ca673acf8d5f upstream.
    
    Changes to the AMD Thresholding sysfs code prevents sysfs writes from
    updating the underlying registers once CPU init is completed, i.e.
    "threshold_banks" is set.
    
    Allow the registers to be updated if the thresholding interface is
    already initialized or if in the init path. Use the "set_lvt_off" value
    to indicate if running in the init path, since this value is only set
    during init.
    
    Fixes: a037f3ca0ea0 ("x86/mce/amd: Make threshold bank setting hotplug robust")
    Signed-off-by: Yazen Ghannam <yazen.ghannam@amd.com>
    Signed-off-by: Borislav Petkov <bp@suse.de>
    Cc: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20220117161328.19148-1-yazen.ghannam@amd.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 74e88eceb0afeec4d000d0d63df27b1363fd0a77
Author: Bjorn Helgaas <bhelgaas@google.com>
Date:   Wed Jan 26 09:40:01 2022 -0600

    PCI/sysfs: Find shadow ROM before static attribute initialization
    
    commit 66d28b21fe6b3da8d1e9f0a7ba38bc61b6c547e1 upstream.
    
    Ville reported that the sysfs "rom" file for VGA devices disappeared after
    527139d738d7 ("PCI/sysfs: Convert "rom" to static attribute").
    
    Prior to 527139d738d7, FINAL fixups, including pci_fixup_video() where we
    find shadow ROMs, were run before pci_create_sysfs_dev_files() created the
    sysfs "rom" file.
    
    After 527139d738d7, "rom" is a static attribute and is created before FINAL
    fixups are run, so we didn't create "rom" files for shadow ROMs:
    
      acpi_pci_root_add
        ...
          pci_scan_single_device
            pci_device_add
              pci_fixup_video                    # <-- new HEADER fixup
              device_add
                ...
                  if (grp->is_visible())
                    pci_dev_rom_attr_is_visible  # after 527139d738d7
        pci_bus_add_devices
          pci_bus_add_device
            pci_fixup_device(pci_fixup_final)
              pci_fixup_video                    # <-- previous FINAL fixup
            pci_create_sysfs_dev_files
              if (pci_resource_len(pdev, PCI_ROM_RESOURCE))
                sysfs_create_bin_file("rom")     # before 527139d738d7
    
    Change pci_fixup_video() to be a HEADER fixup so it runs before sysfs
    static attributes are initialized.
    
    Rename the Loongson pci_fixup_radeon() to pci_fixup_video() and make its
    dmesg logging identical to the others since it is doing the same job.
    
    Link: https://lore.kernel.org/r/YbxqIyrkv3GhZVxx@intel.com
    Fixes: 527139d738d7 ("PCI/sysfs: Convert "rom" to static attribute")
    Link: https://lore.kernel.org/r/20220126154001.16895-1-helgaas@kernel.org
    Reported-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
    Tested-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Cc: stable@vger.kernel.org                      # v5.13+
    Cc: Huacai Chen <chenhuacai@kernel.org>
    Cc: Jiaxun Yang <jiaxun.yang@flygoat.com>
    Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Ingo Molnar <mingo@redhat.com>
    Cc: Borislav Petkov <bp@alien8.de>
    Cc: Dave Hansen <dave.hansen@linux.intel.com>
    Cc: Krzysztof Wilczyński <kw@linux.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit cef9335c465d26830a39a4da10c6801265079985
Author: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Date:   Mon Jan 17 15:30:10 2022 -0500

    sched/membarrier: Fix membarrier-rseq fence command missing from query bitmask
    
    commit 809232619f5b15e31fb3563985e705454f32621f upstream.
    
    The membarrier command MEMBARRIER_CMD_QUERY allows querying the
    available membarrier commands. When the membarrier-rseq fence commands
    were added, a new MEMBARRIER_CMD_PRIVATE_EXPEDITED_RSEQ_BITMASK was
    introduced with the intent to expose them with the MEMBARRIER_CMD_QUERY
    command, the but it was never added to MEMBARRIER_CMD_BITMASK.
    
    The membarrier-rseq fence commands are therefore not wired up with the
    query command.
    
    Rename MEMBARRIER_CMD_PRIVATE_EXPEDITED_RSEQ_BITMASK to
    MEMBARRIER_PRIVATE_EXPEDITED_RSEQ_BITMASK (the bitmask is not a command
    per-se), and change the erroneous
    MEMBARRIER_CMD_REGISTER_PRIVATE_EXPEDITED_RSEQ_BITMASK (which does not
    actually exist) to MEMBARRIER_CMD_REGISTER_PRIVATE_EXPEDITED_RSEQ.
    
    Wire up MEMBARRIER_PRIVATE_EXPEDITED_RSEQ_BITMASK in
    MEMBARRIER_CMD_BITMASK. Fixing this allows discovering availability of
    the membarrier-rseq fence feature.
    
    Fixes: 2a36ab717e8f ("rseq/membarrier: Add MEMBARRIER_CMD_PRIVATE_EXPEDITED_RSEQ")
    Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: <stable@vger.kernel.org> # 5.10+
    Link: https://lkml.kernel.org/r/20220117203010.30129-1-mathieu.desnoyers@efficios.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 61296272db59c38ed5f6a5dd1108a268300925ec
Author: Joseph Qi <joseph.qi@linux.alibaba.com>
Date:   Sat Jan 29 13:41:27 2022 -0800

    ocfs2: fix a deadlock when commit trans
    
    commit ddf4b773aa40790dfa936bd845c18e735a49c61c upstream.
    
    commit 6f1b228529ae introduces a regression which can deadlock as
    follows:
    
      Task1:                              Task2:
      jbd2_journal_commit_transaction     ocfs2_test_bg_bit_allocatable
      spin_lock(&jh->b_state_lock)        jbd_lock_bh_journal_head
      __jbd2_journal_remove_checkpoint    spin_lock(&jh->b_state_lock)
      jbd2_journal_put_journal_head
      jbd_lock_bh_journal_head
    
    Task1 and Task2 lock bh->b_state and jh->b_state_lock in different
    order, which finally result in a deadlock.
    
    So use jbd2_journal_[grab|put]_journal_head instead in
    ocfs2_test_bg_bit_allocatable() to fix it.
    
    Link: https://lkml.kernel.org/r/20220121071205.100648-3-joseph.qi@linux.alibaba.com
    Fixes: 6f1b228529ae ("ocfs2: fix race between searching chunks and release journal_head from buffer_head")
    Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
    Reported-by: Gautham Ananthakrishna <gautham.ananthakrishna@oracle.com>
    Tested-by: Gautham Ananthakrishna <gautham.ananthakrishna@oracle.com>
    Reported-by: Saeed Mirzamohammadi <saeed.mirzamohammadi@oracle.com>
    Cc: "Theodore Ts'o" <tytso@mit.edu>
    Cc: Andreas Dilger <adilger.kernel@dilger.ca>
    Cc: Changwei Ge <gechangwei@live.cn>
    Cc: Gang He <ghe@suse.com>
    Cc: Joel Becker <jlbec@evilplan.org>
    Cc: Jun Piao <piaojun@huawei.com>
    Cc: Junxiao Bi <junxiao.bi@oracle.com>
    Cc: Mark Fasheh <mark@fasheh.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9f71d68fa813419afbbf7ec31c48bcf6eee26a94
Author: Joseph Qi <joseph.qi@linux.alibaba.com>
Date:   Sat Jan 29 13:41:23 2022 -0800

    jbd2: export jbd2_journal_[grab|put]_journal_head
    
    commit 4cd1103d8c66b2cdb7e64385c274edb0ac5e8887 upstream.
    
    Patch series "ocfs2: fix a deadlock case".
    
    This fixes a deadlock case in ocfs2.  We firstly export jbd2 symbols
    jbd2_journal_[grab|put]_journal_head as preparation and later use them
    in ocfs2 insread of jbd_[lock|unlock]_bh_journal_head to fix the
    deadlock.
    
    This patch (of 2):
    
    This exports symbols jbd2_journal_[grab|put]_journal_head, which will be
    used outside modules, e.g.  ocfs2.
    
    Link: https://lkml.kernel.org/r/20220121071205.100648-2-joseph.qi@linux.alibaba.com
    Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
    Cc: Mark Fasheh <mark@fasheh.com>
    Cc: Joel Becker <jlbec@evilplan.org>
    Cc: Junxiao Bi <junxiao.bi@oracle.com>
    Cc: Changwei Ge <gechangwei@live.cn>
    Cc: Gang He <ghe@suse.com>
    Cc: Jun Piao <piaojun@huawei.com>
    Cc: Andreas Dilger <adilger.kernel@dilger.ca>
    Cc: Gautham Ananthakrishna <gautham.ananthakrishna@oracle.com>
    Cc: Saeed Mirzamohammadi <saeed.mirzamohammadi@oracle.com>
    Cc: "Theodore Ts'o" <tytso@mit.edu>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4ca8a0bc83543a0d29a7f5a8b1e8ef3c23dab242
Author: Peter Collingbourne <pcc@google.com>
Date:   Sat Jan 29 13:41:14 2022 -0800

    mm, kasan: use compare-exchange operation to set KASAN page tag
    
    commit 27fe73394a1c6d0b07fa4d95f1bca116d1cc66e9 upstream.
    
    It has been reported that the tag setting operation on newly-allocated
    pages can cause the page flags to be corrupted when performed
    concurrently with other flag updates as a result of the use of
    non-atomic operations.
    
    Fix the problem by using a compare-exchange loop to update the tag.
    
    Link: https://lkml.kernel.org/r/20220120020148.1632253-1-pcc@google.com
    Link: https://linux-review.googlesource.com/id/I456b24a2b9067d93968d43b4bb3351c0cec63101
    Fixes: 2813b9c02962 ("kasan, mm, arm64: tag non slab memory allocated via pagealloc")
    Signed-off-by: Peter Collingbourne <pcc@google.com>
    Reviewed-by: Andrey Konovalov <andreyknvl@gmail.com>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 28b346571edda1320523d9e36676563735b94c3f
Author: Sing-Han Chen <singhanc@nvidia.com>
Date:   Wed Jan 12 17:41:43 2022 +0800

    ucsi_ccg: Check DEV_INT bit only when starting CCG4
    
    commit 825911492eb15bf8bb7fb94bc0c0421fe7a6327d upstream.
    
    CCGx clears Bit 0:Device Interrupt in the INTR_REG
    if CCGx is reset successfully. However, there might
    be a chance that other bits in INTR_REG are not
    cleared due to internal data queued in PPM. This case
    misleads the driver that CCGx reset failed.
    
    The commit checks bit 0 in INTR_REG and ignores other
    bits. The ucsi driver would reset PPM later.
    
    Fixes: 247c554a14aa ("usb: typec: ucsi: add support for Cypress CCGx")
    Cc: stable@vger.kernel.org
    Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
    Signed-off-by: Sing-Han Chen <singhanc@nvidia.com>
    Signed-off-by: Wayne Chang <waynec@nvidia.com>
    Link: https://lore.kernel.org/r/20220112094143.628610-1-waynec@nvidia.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3cdaeb85ed1e2e9962361e9b95142cfa1497d300
Author: Badhri Jagan Sridharan <badhri@google.com>
Date:   Fri Jan 21 17:55:20 2022 -0800

    usb: typec: tcpm: Do not disconnect when receiving VSAFE0V
    
    commit 746f96e7d6f7a276726860f696671766bfb24cf0 upstream.
    
    With some chargers, vbus might momentarily raise above VSAFE5V and fall
    back to 0V causing VSAFE0V to be triggered. This will
    will report a VBUS off event causing TCPM to transition to
    SNK_UNATTACHED state where it should be waiting in either SNK_ATTACH_WAIT
    or SNK_DEBOUNCED state. This patch makes TCPM avoid VSAFE0V events
    while in SNK_ATTACH_WAIT or SNK_DEBOUNCED state.
    
    Stub from the spec:
        "4.5.2.2.4.2 Exiting from AttachWait.SNK State
        A Sink shall transition to Unattached.SNK when the state of both
        the CC1 and CC2 pins is SNK.Open for at least tPDDebounce.
        A DRP shall transition to Unattached.SRC when the state of both
        the CC1 and CC2 pins is SNK.Open for at least tPDDebounce."
    
    [23.194131] CC1: 0 -> 0, CC2: 0 -> 5 [state SNK_UNATTACHED, polarity 0, connected]
    [23.201777] state change SNK_UNATTACHED -> SNK_ATTACH_WAIT [rev3 NONE_AMS]
    [23.209949] pending state change SNK_ATTACH_WAIT -> SNK_DEBOUNCED @ 170 ms [rev3 NONE_AMS]
    [23.300579] VBUS off
    [23.300668] state change SNK_ATTACH_WAIT -> SNK_UNATTACHED [rev3 NONE_AMS]
    [23.301014] VBUS VSAFE0V
    [23.301111] Start toggling
    
    Fixes: 28b43d3d746b8 ("usb: typec: tcpm: Introduce vsafe0v for vbus")
    Cc: stable@vger.kernel.org
    Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
    Signed-off-by: Badhri Jagan Sridharan <badhri@google.com>
    Link: https://lore.kernel.org/r/20220122015520.332507-2-badhri@google.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6b71fad7c86896f4eb5cb04c1d9f25da05c2bf22
Author: Badhri Jagan Sridharan <badhri@google.com>
Date:   Fri Jan 21 17:55:19 2022 -0800

    usb: typec: tcpm: Do not disconnect while receiving VBUS off
    
    commit 90b8aa9f5b09edae6928c0561f933fec9f7a9987 upstream.
    
    With some chargers, vbus might momentarily raise above VSAFE5V and fall
    back to 0V before tcpm gets to read port->tcpc->get_vbus. This will
    will report a VBUS off event causing TCPM to transition to
    SNK_UNATTACHED where it should be waiting in either SNK_ATTACH_WAIT
    or SNK_DEBOUNCED state. This patch makes TCPM avoid vbus off events
    while in SNK_ATTACH_WAIT or SNK_DEBOUNCED state.
    
    Stub from the spec:
        "4.5.2.2.4.2 Exiting from AttachWait.SNK State
        A Sink shall transition to Unattached.SNK when the state of both
        the CC1 and CC2 pins is SNK.Open for at least tPDDebounce.
        A DRP shall transition to Unattached.SRC when the state of both
        the CC1 and CC2 pins is SNK.Open for at least tPDDebounce."
    
    [23.194131] CC1: 0 -> 0, CC2: 0 -> 5 [state SNK_UNATTACHED, polarity 0, connected]
    [23.201777] state change SNK_UNATTACHED -> SNK_ATTACH_WAIT [rev3 NONE_AMS]
    [23.209949] pending state change SNK_ATTACH_WAIT -> SNK_DEBOUNCED @ 170 ms [rev3 NONE_AMS]
    [23.300579] VBUS off
    [23.300668] state change SNK_ATTACH_WAIT -> SNK_UNATTACHED [rev3 NONE_AMS]
    [23.301014] VBUS VSAFE0V
    [23.301111] Start toggling
    
    Fixes: f0690a25a140b8 ("staging: typec: USB Type-C Port Manager (tcpm)")
    Cc: stable@vger.kernel.org
    Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
    Signed-off-by: Badhri Jagan Sridharan <badhri@google.com>
    Link: https://lore.kernel.org/r/20220122015520.332507-1-badhri@google.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a1399fe6d3bab689900d85b34ebce8313662eb1d
Author: Xu Yang <xu.yang_2@nxp.com>
Date:   Thu Jan 13 17:29:43 2022 +0800

    usb: typec: tcpci: don't touch CC line if it's Vconn source
    
    commit 5638b0dfb6921f69943c705383ff40fb64b987f2 upstream.
    
    With the AMS and Collision Avoidance, tcpm often needs to change the CC's
    termination. When one CC line is sourcing Vconn, if we still change its
    termination, the voltage of the another CC line is likely to be fluctuant
    and unstable.
    
    Therefore, we should verify whether a CC line is sourcing Vconn before
    changing its termination and only change the termination that is not
    a Vconn line. This can be done by reading the Vconn Present bit of
    POWER_ STATUS register. To determine the polarity, we can read the
    Plug Orientation bit of TCPC_CONTROL register. Since Vconn can only be
    sourced if Plug Orientation is set.
    
    Fixes: 0908c5aca31e ("usb: typec: tcpm: AMS and Collision Avoidance")
    cc: <stable@vger.kernel.org>
    Reviewed-by: Guenter Roeck <linux@roeck-us.net>
    Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
    Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
    Link: https://lore.kernel.org/r/20220113092943.752372-1-xu.yang_2@nxp.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9340226388c66a7e090ebb00e91ed64a753b6c26
Author: Alan Stern <stern@rowland.harvard.edu>
Date:   Mon Jan 24 15:23:45 2022 -0500

    USB: core: Fix hang in usb_kill_urb by adding memory barriers
    
    commit 26fbe9772b8c459687930511444ce443011f86bf upstream.
    
    The syzbot fuzzer has identified a bug in which processes hang waiting
    for usb_kill_urb() to return.  It turns out the issue is not unlinking
    the URB; that works just fine.  Rather, the problem arises when the
    wakeup notification that the URB has completed is not received.
    
    The reason is memory-access ordering on SMP systems.  In outline form,
    usb_kill_urb() and __usb_hcd_giveback_urb() operating concurrently on
    different CPUs perform the following actions:
    
    CPU 0                                   CPU 1
    ----------------------------            ---------------------------------
    usb_kill_urb():                         __usb_hcd_giveback_urb():
      ...                                     ...
      atomic_inc(&urb->reject);               atomic_dec(&urb->use_count);
      ...                                     ...
      wait_event(usb_kill_urb_queue,
            atomic_read(&urb->use_count) == 0);
                                              if (atomic_read(&urb->reject))
                                                    wake_up(&usb_kill_urb_queue);
    
    Confining your attention to urb->reject and urb->use_count, you can
    see that the overall pattern of accesses on CPU 0 is:
    
            write urb->reject, then read urb->use_count;
    
    whereas the overall pattern of accesses on CPU 1 is:
    
            write urb->use_count, then read urb->reject.
    
    This pattern is referred to in memory-model circles as SB (for "Store
    Buffering"), and it is well known that without suitable enforcement of
    the desired order of accesses -- in the form of memory barriers -- it
    is entirely possible for one or both CPUs to execute their reads ahead
    of their writes.  The end result will be that sometimes CPU 0 sees the
    old un-decremented value of urb->use_count while CPU 1 sees the old
    un-incremented value of urb->reject.  Consequently CPU 0 ends up on
    the wait queue and never gets woken up, leading to the observed hang
    in usb_kill_urb().
    
    The same pattern of accesses occurs in usb_poison_urb() and the
    failure pathway of usb_hcd_submit_urb().
    
    The problem is fixed by adding suitable memory barriers.  To provide
    proper memory-access ordering in the SB pattern, a full barrier is
    required on both CPUs.  The atomic_inc() and atomic_dec() accesses
    themselves don't provide any memory ordering, but since they are
    present, we can use the optimized smp_mb__after_atomic() memory
    barrier in the various routines to obtain the desired effect.
    
    This patch adds the necessary memory barriers.
    
    CC: <stable@vger.kernel.org>
    Reported-and-tested-by: syzbot+76629376e06e2c2ad626@syzkaller.appspotmail.com
    Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
    Link: https://lore.kernel.org/r/Ye8K0QYee0Q0Nna2@rowland.harvard.edu
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1cd3a86107f6278dd7289e57e6e0a923fb0a6dc9
Author: Robert Hancock <robert.hancock@calian.com>
Date:   Tue Jan 25 18:02:51 2022 -0600

    usb: dwc3: xilinx: Fix error handling when getting USB3 PHY
    
    commit 2cc9b1c93b1c4caa2d971856c0780fb5f7d04692 upstream.
    
    The code that looked up the USB3 PHY was ignoring all errors other than
    EPROBE_DEFER in an attempt to handle the PHY not being present. Fix and
    simplify the code by using devm_phy_optional_get and dev_err_probe so
    that a missing PHY is not treated as an error and unexpected errors
    are handled properly.
    
    Fixes: 84770f028fab ("usb: dwc3: Add driver for Xilinx platforms")
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Robert Hancock <robert.hancock@calian.com>
    Link: https://lore.kernel.org/r/20220126000253.1586760-3-robert.hancock@calian.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 72d338bc467f7687a9c49328bad3a90b0629cdbe
Author: Robert Hancock <robert.hancock@calian.com>
Date:   Tue Jan 25 18:02:50 2022 -0600

    usb: dwc3: xilinx: Skip resets and USB3 register settings for USB2.0 mode
    
    commit 9678f3361afc27a3124cd2824aec0227739986fb upstream.
    
    It appears that the PIPE clock should not be selected when only USB 2.0
    is being used in the design and no USB 3.0 reference clock is used.
    Also, the core resets are not required if a USB3 PHY is not in use, and
    will break things if USB3 is actually used but the PHY entry is not
    listed in the device tree.
    
    Skip core resets and register settings that are only required for
    USB3 mode when no USB3 PHY is specified in the device tree.
    
    Fixes: 84770f028fab ("usb: dwc3: Add driver for Xilinx platforms")
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Robert Hancock <robert.hancock@calian.com>
    Link: https://lore.kernel.org/r/20220126000253.1586760-2-robert.hancock@calian.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 897d462d4d15dd932313644a151cba76e8b98709
Author: Pawel Laszczak <pawell@cadence.com>
Date:   Tue Jan 11 10:07:37 2022 +0100

    usb: cdnsp: Fix segmentation fault in cdns_lost_power function
    
    commit 79aa3e19fe8f5be30e846df8a436bfe306e8b1a6 upstream.
    
    CDNSP driver read not initialized cdns->otg_v0_regs
    which lead to segmentation fault. Patch fixes this issue.
    
    Fixes: 2cf2581cd229 ("usb: cdns3: add power lost support for system resume")
    cc: <stable@vger.kernel.org>
    Signed-off-by: Pawel Laszczak <pawell@cadence.com>
    Link: https://lore.kernel.org/r/20220111090737.10345-1-pawell@gli-login.cadence.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 27980463256060aaef8db0ddfcf40fd2342b96e8
Author: Pavankumar Kondeti <quic_pkondeti@quicinc.com>
Date:   Sat Jan 22 08:33:22 2022 +0530

    usb: gadget: f_sourcesink: Fix isoc transfer for USB_SPEED_SUPER_PLUS
    
    commit 904edf8aeb459697129be5fde847e2a502f41fd9 upstream.
    
    Currently when gadget enumerates in super speed plus, the isoc
    endpoint request buffer size is not calculated correctly. Fix
    this by checking the gadget speed against USB_SPEED_SUPER_PLUS
    and update the request buffer size.
    
    Fixes: 90c4d05780d4 ("usb: fix various gadgets null ptr deref on 10gbps cabling.")
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Pavankumar Kondeti <quic_pkondeti@quicinc.com>
    Link: https://lore.kernel.org/r/1642820602-20619-1-git-send-email-quic_pkondeti@quicinc.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 42865e5544dab9ebe0c21f263f7a3aac1256c489
Author: Jon Hunter <jonathanh@nvidia.com>
Date:   Mon Jan 17 15:00:39 2022 +0000

    usb: common: ulpi: Fix crash in ulpi_match()
    
    commit 2e3dd4a6246945bf84ea6f478365d116e661554c upstream.
    
    Commit 7495af930835 ("ARM: multi_v7_defconfig: Enable drivers for
    DragonBoard 410c") enables the CONFIG_PHY_QCOM_USB_HS for the ARM
    multi_v7_defconfig. Enabling this Kconfig is causing the kernel to crash
    on the Tegra20 Ventana platform in the ulpi_match() function.
    
    The Qualcomm USB HS PHY driver that is enabled by CONFIG_PHY_QCOM_USB_HS,
    registers a ulpi_driver but this driver does not provide an 'id_table',
    so when ulpi_match() is called on the Tegra20 Ventana platform, it
    crashes when attempting to deference the id_table pointer which is not
    valid. The Qualcomm USB HS PHY driver uses device-tree for matching the
    ULPI driver with the device and so fix this crash by using device-tree
    for matching if the id_table is not valid.
    
    Fixes: ef6a7bcfb01c ("usb: ulpi: Support device discovery via DT")
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
    Link: https://lore.kernel.org/r/20220117150039.44058-1-jonathanh@nvidia.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d5755832a1e47f5d8773f0776e211ecd4e02da72
Author: Frank Li <Frank.Li@nxp.com>
Date:   Mon Jan 10 11:27:38 2022 -0600

    usb: xhci-plat: fix crash when suspend if remote wake enable
    
    commit 9df478463d9feb90dae24f183383961cf123a0ec upstream.
    
    Crashed at i.mx8qm platform when suspend if enable remote wakeup
    
    Internal error: synchronous external abort: 96000210 [#1] PREEMPT SMP
    Modules linked in:
    CPU: 2 PID: 244 Comm: kworker/u12:6 Not tainted 5.15.5-dirty #12
    Hardware name: Freescale i.MX8QM MEK (DT)
    Workqueue: events_unbound async_run_entry_fn
    pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
    pc : xhci_disable_hub_port_wake.isra.62+0x60/0xf8
    lr : xhci_disable_hub_port_wake.isra.62+0x34/0xf8
    sp : ffff80001394bbf0
    x29: ffff80001394bbf0 x28: 0000000000000000 x27: ffff00081193b578
    x26: ffff00081193b570 x25: 0000000000000000 x24: 0000000000000000
    x23: ffff00081193a29c x22: 0000000000020001 x21: 0000000000000001
    x20: 0000000000000000 x19: ffff800014e90490 x18: 0000000000000000
    x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
    x14: 0000000000000000 x13: 0000000000000002 x12: 0000000000000000
    x11: 0000000000000000 x10: 0000000000000960 x9 : ffff80001394baa0
    x8 : ffff0008145d1780 x7 : ffff0008f95b8e80 x6 : 000000001853b453
    x5 : 0000000000000496 x4 : 0000000000000000 x3 : ffff00081193a29c
    x2 : 0000000000000001 x1 : 0000000000000000 x0 : ffff000814591620
    Call trace:
     xhci_disable_hub_port_wake.isra.62+0x60/0xf8
     xhci_suspend+0x58/0x510
     xhci_plat_suspend+0x50/0x78
     platform_pm_suspend+0x2c/0x78
     dpm_run_callback.isra.25+0x50/0xe8
     __device_suspend+0x108/0x3c0
    
    The basic flow:
            1. run time suspend call xhci_suspend, xhci parent devices gate the clock.
            2. echo mem >/sys/power/state, system _device_suspend call xhci_suspend
            3. xhci_suspend call xhci_disable_hub_port_wake, which access register,
               but clock already gated by run time suspend.
    
    This problem was hidden by power domain driver, which call run time resume before it.
    
    But the below commit remove it and make this issue happen.
            commit c1df456d0f06e ("PM: domains: Don't runtime resume devices at genpd_prepare()")
    
    This patch call run time resume before suspend to make sure clock is on
    before access register.
    
    Reviewed-by: Peter Chen <peter.chen@kernel.org>
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Frank Li <Frank.Li@nxp.com>
    Testeb-by: Abel Vesa <abel.vesa@nxp.com>
    Link: https://lore.kernel.org/r/20220110172738.31686-1-Frank.Li@nxp.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a93284827cb287f2a76dee6080aff76d525a2bff
Author: Alan Stern <stern@rowland.harvard.edu>
Date:   Mon Jan 24 15:14:40 2022 -0500

    usb-storage: Add unusual-devs entry for VL817 USB-SATA bridge
    
    commit 5b67b315037250a61861119683e7fcb509deea25 upstream.
    
    Two people have reported (and mentioned numerous other reports on the
    web) that VIA's VL817 USB-SATA bridge does not work with the uas
    driver.  Typical log messages are:
    
    [ 3606.232149] sd 14:0:0:0: [sdg] tag#2 uas_zap_pending 0 uas-tag 1 inflight: CMD
    [ 3606.232154] sd 14:0:0:0: [sdg] tag#2 CDB: Write(16) 8a 00 00 00 00 00 18 0c c9 80 00 00 00 80 00 00
    [ 3606.306257] usb 4-4.4: reset SuperSpeed Plus Gen 2x1 USB device number 11 using xhci_hcd
    [ 3606.328584] scsi host14: uas_eh_device_reset_handler success
    
    Surprisingly, the devices do seem to work okay for some other people.
    The cause of the differing behaviors is not known.
    
    In the hope of getting the devices to work for the most users, even at
    the possible cost of degraded performance for some, this patch adds an
    unusual_devs entry for the VL817 to block it from binding to the uas
    driver by default.  Users will be able to override this entry by means
    of a module parameter, if they want.
    
    CC: <stable@vger.kernel.org>
    Reported-by: DocMAX <mail@vacharakis.de>
    Reported-and-tested-by: Thomas Weißschuh <linux@weissschuh.net>
    Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
    Link: https://lore.kernel.org/r/Ye8IsK2sjlEv1rqU@rowland.harvard.edu
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 209a523dea930c79efbfc365f0b291fcb47a189c
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Thu Jan 27 08:33:04 2022 +0100

    kbuild: remove include/linux/cyclades.h from header file check
    
    commit d1ad2721b1eb05d54e81393a7ebc332d4a35c68f upstream.
    
    The file now rightfully throws up a big warning that it should never be
    included, so remove it from the header_check test.
    
    Fixes: f23653fe6447 ("tty: Partially revert the removal of the Cyclades public API")
    Cc: stable <stable@vger.kernel.org>
    Cc: Masahiro Yamada <masahiroy@kernel.org>
    Cc: "Maciej W. Rozycki" <macro@embecosm.com>
    Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
    Reported-by: kernel test robot <lkp@intel.com>
    Link: https://lore.kernel.org/r/20220127073304.42399-1-gregkh@linuxfoundation.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit fa5180351abe936b0de626f255fa7828fbabf385
Author: Cameron Williams <cang1@live.co.uk>
Date:   Mon Jan 24 09:42:23 2022 +0000

    tty: Add support for Brainboxes UC cards.
    
    commit 152d1afa834c84530828ee031cf07a00e0fc0b8c upstream.
    
    This commit adds support for the some of the Brainboxes PCI range of
    cards, including the UC-101, UC-235/246, UC-257, UC-268, UC-275/279,
    UC-302, UC-310, UC-313, UC-320/324, UC-346, UC-357, UC-368
    and UC-420/431.
    
    Signed-off-by: Cameron Williams <cang1@live.co.uk>
    Cc: stable <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/AM5PR0202MB2564688493F7DD9B9C610827C45E9@AM5PR0202MB2564.eurprd02.prod.outlook.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b51afdc797fe75c6efa229a19ec797046b7d047d
Author: Maciej W. Rozycki <macro@embecosm.com>
Date:   Wed Jan 26 09:22:54 2022 +0000

    tty: Partially revert the removal of the Cyclades public API
    
    commit f23653fe64479d96910bfda2b700b1af17c991ac upstream.
    
    Fix a user API regression introduced with commit f76edd8f7ce0 ("tty:
    cyclades, remove this orphan"), which removed a part of the API and
    caused compilation errors for user programs using said part, such as
    GCC 9 in its libsanitizer component[1]:
    
    .../libsanitizer/sanitizer_common/sanitizer_platform_limits_posix.cc:160:10: fatal error: linux/cyclades.h: No such file or directory
      160 | #include <linux/cyclades.h>
          |          ^~~~~~~~~~~~~~~~~~
    compilation terminated.
    make[4]: *** [Makefile:664: sanitizer_platform_limits_posix.lo] Error 1
    
    As the absolute minimum required bring `struct cyclades_monitor' and
    ioctl numbers back then so as to make the library build again.  Add a
    preprocessor warning as to the obsolescence of the features provided.
    
    References:
    
    [1] GCC PR sanitizer/100379, "cyclades.h is removed from linux kernel
        header files", <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=100379>
    
    Fixes: f76edd8f7ce0 ("tty: cyclades, remove this orphan")
    Cc: stable@vger.kernel.org # v5.13+
    Reviewed-by: Christoph Hellwig <hch@lst.de>
    Signed-off-by: Maciej W. Rozycki <macro@embecosm.com>
    Link: https://lore.kernel.org/r/alpine.DEB.2.20.2201260733430.11348@tpp.orcam.me.uk
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ff79be505ad858dacf43772733e4a33c805317de
Author: daniel.starke@siemens.com <daniel.starke@siemens.com>
Date:   Thu Jan 20 02:18:57 2022 -0800

    tty: n_gsm: fix SW flow control encoding/handling
    
    commit 8838b2af23caf1ff0610caef2795d6668a013b2d upstream.
    
    n_gsm is based on the 3GPP 07.010 and its newer version is the 3GPP 27.010.
    See https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=1516
    The changes from 07.010 to 27.010 are non-functional. Therefore, I refer to
    the newer 27.010 here. Chapter 5.2.7.3 states that DC1 (XON) and DC3 (XOFF)
    are the control characters defined in ISO/IEC 646. These shall be quoted if
    seen in the data stream to avoid interpretation as flow control characters.
    
    ISO/IEC 646 refers to the set of ISO standards described as the ISO
    7-bit coded character set for information interchange. Its final version
    is also known as ITU T.50.
    See https://www.itu.int/rec/T-REC-T.50-199209-I/en
    
    To abide the standard it is needed to quote DC1 and DC3 correctly if these
    are seen as data bytes and not as control characters. The current
    implementation already tries to enforce this but fails to catch all
    defined cases. 3GPP 27.010 chapter 5.2.7.3 clearly states that the most
    significant bit shall be ignored for DC1 and DC3 handling. The current
    implementation handles only the case with the most significant bit set 0.
    Cases in which DC1 and DC3 have the most significant bit set 1 are left
    unhandled.
    
    This patch fixes this by masking the data bytes with ISO_IEC_646_MASK (only
    the 7 least significant bits set 1) before comparing them with XON
    (a.k.a. DC1) and XOFF (a.k.a. DC3) when testing which byte values need
    quotation via byte stuffing.
    
    Fixes: e1eaea46bb40 ("tty: n_gsm line discipline")
    Cc: stable@vger.kernel.org
    Signed-off-by: Daniel Starke <daniel.starke@siemens.com>
    Link: https://lore.kernel.org/r/20220120101857.2509-1-daniel.starke@siemens.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 775fcd69038aa51f0690507cce4ed52fbfd53508
Author: Valentin Caron <valentin.caron@foss.st.com>
Date:   Tue Jan 11 17:44:41 2022 +0100

    serial: stm32: fix software flow control transfer
    
    commit 037b91ec7729524107982e36ec4b40f9b174f7a2 upstream.
    
    x_char is ignored by stm32_usart_start_tx() when xmit buffer is empty.
    
    Fix start_tx condition to allow x_char to be sent.
    
    Fixes: 48a6092fb41f ("serial: stm32-usart: Add STM32 USART Driver")
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Erwan Le Ray <erwan.leray@foss.st.com>
    Signed-off-by: Valentin Caron <valentin.caron@foss.st.com>
    Link: https://lore.kernel.org/r/20220111164441.6178-3-valentin.caron@foss.st.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f79903783db1129123262fc08c1ee842b423f276
Author: Robert Hancock <robert.hancock@calian.com>
Date:   Wed Jan 12 13:42:14 2022 -0600

    serial: 8250: of: Fix mapped region size when using reg-offset property
    
    commit d06b1cf28297e27127d3da54753a3a01a2fa2f28 upstream.
    
    8250_of supports a reg-offset property which is intended to handle
    cases where the device registers start at an offset inside the region
    of memory allocated to the device. The Xilinx 16550 UART, for which this
    support was initially added, requires this. However, the code did not
    adjust the overall size of the mapped region accordingly, causing the
    driver to request an area of memory past the end of the device's
    allocation. For example, if the UART was allocated an address of
    0xb0130000, size of 0x10000 and reg-offset of 0x1000 in the device
    tree, the region of memory reserved was b0131000-b0140fff, which caused
    the driver for the region starting at b0140000 to fail to probe.
    
    Fix this by subtracting reg-offset from the mapped region size.
    
    Fixes: b912b5e2cfb3 ([POWERPC] Xilinx: of_serial support for Xilinx uart 16550.)
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Robert Hancock <robert.hancock@calian.com>
    Link: https://lore.kernel.org/r/20220112194214.881844-1-robert.hancock@calian.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f0cb78064e1c1246394aeddbbf619198dd4ce980
Author: Jochen Mades <jochen@mades.net>
Date:   Sat Jan 23 05:10:14 2021 +0100

    serial: pl011: Fix incorrect rs485 RTS polarity on set_mctrl
    
    commit 62f676ff7898f6c1bd26ce014564773a3dc00601 upstream.
    
    Commit 8d479237727c ("serial: amba-pl011: add RS485 support") sought to
    keep RTS deasserted on set_mctrl if rs485 is enabled.  However it did so
    only if deasserted RTS polarity is high.  Fix it in case it's low.
    
    Fixes: 8d479237727c ("serial: amba-pl011: add RS485 support")
    Cc: stable@vger.kernel.org # v5.15+
    Cc: Lino Sanfilippo <LinoSanfilippo@gmx.de>
    Signed-off-by: Jochen Mades <jochen@mades.net>
    [lukas: copyedit commit message, add stable designation]
    Signed-off-by: Lukas Wunner <lukas@wunner.de>
    Link: https://lore.kernel.org/r/85fa3323ba8c307943969b7343e23f34c3e652ba.1642909284.git.lukas@wunner.de
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 965bc27251f0eee9bb23c06dc708015630c97d1a
Author: Mike Snitzer <snitzer@redhat.com>
Date:   Fri Jan 28 10:58:41 2022 -0500

    dm: properly fix redundant bio-based IO accounting
    
    commit b879f915bc48a18d4f4462729192435bb0f17052 upstream.
    
    Record the start_time for a bio but defer the starting block core's IO
    accounting until after IO is submitted using bio_start_io_acct_time().
    
    This approach avoids the need to mess around with any of the
    individual IO stats in response to a bio_split() that follows bio
    submission.
    
    Reported-by: Bud Brown <bubrown@redhat.com>
    Reviewed-by: Christoph Hellwig <hch@lst.de>
    Cc: stable@vger.kernel.org
    Depends-on: e45c47d1f94e ("block: add bio_start_io_acct_time() to control start_time")
    Signed-off-by: Mike Snitzer <snitzer@redhat.com>
    Link: https://lore.kernel.org/r/20220128155841.39644-4-snitzer@redhat.com
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4cca3e3ef21da10eaa23410ce8ee953fa66c1f8b
Author: Mike Snitzer <snitzer@redhat.com>
Date:   Fri Jan 28 10:58:39 2022 -0500

    block: add bio_start_io_acct_time() to control start_time
    
    commit e45c47d1f94e0cc7b6b079fdb4bcce2995e2adc4 upstream.
    
    bio_start_io_acct_time() interface is like bio_start_io_acct() that
    allows start_time to be passed in. This gives drivers the ability to
    defer starting accounting until after IO is issued (but possibily not
    entirely due to bio splitting).
    
    Reviewed-by: Christoph Hellwig <hch@lst.de>
    Signed-off-by: Mike Snitzer <snitzer@redhat.com>
    Link: https://lore.kernel.org/r/20220128155841.39644-2-snitzer@redhat.com
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 86125006d88dae6945d557059336319b76f2287c
Author: Mike Snitzer <snitzer@redhat.com>
Date:   Fri Jan 28 10:58:40 2022 -0500

    dm: revert partial fix for redundant bio-based IO accounting
    
    commit f524d9c95fab54783d0038f7a3e8c014d5b56857 upstream.
    
    Reverts a1e1cb72d9649 ("dm: fix redundant IO accounting for bios that
    need splitting") because it was too narrow in scope (only addressed
    redundant 'sectors[]' accounting and not ios, nsecs[], etc).
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Mike Snitzer <snitzer@redhat.com>
    Link: https://lore.kernel.org/r/20220128155841.39644-3-snitzer@redhat.com
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c0af639c1adc50296e25c7754f3269c724268efa
Author: Nicholas Piggin <npiggin@gmail.com>
Date:   Sat Jan 22 20:55:30 2022 +1000

    KVM: PPC: Book3S HV Nested: Fix nested HFSCR being clobbered with multiple vCPUs
    
    commit 22f7ff0dea9491e90b6fe808ed40c30bd791e5c2 upstream.
    
    The L0 is storing HFSCR requested by the L1 for the L2 in struct
    kvm_nested_guest when the L1 requests a vCPU enter L2. kvm_nested_guest
    is not a per-vCPU structure. Hilarity ensues.
    
    Fix it by moving the nested hfscr into the vCPU structure together with
    the other per-vCPU nested fields.
    
    Fixes: 8b210a880b35 ("KVM: PPC: Book3S HV Nested: Make nested HFSCR state accessible")
    Cc: stable@vger.kernel.org # v5.15+
    Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
    Reviewed-by: Fabiano Rosas <farosas@linux.ibm.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://lore.kernel.org/r/20220122105530.3477250-1-npiggin@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e668b527a259617f82ff83a0af008139900fe2f7
Author: Like Xu <likexu@tencent.com>
Date:   Wed Jan 26 17:22:26 2022 +0000

    KVM: x86: Sync the states size with the XCR0/IA32_XSS at, any time
    
    commit 05a9e065059e566f218f8778c4d17ee75db56c55 upstream.
    
    XCR0 is reset to 1 by RESET but not INIT and IA32_XSS is zeroed by
    both RESET and INIT. The kvm_set_msr_common()'s handling of MSR_IA32_XSS
    also needs to update kvm_update_cpuid_runtime(). In the above cases, the
    size in bytes of the XSAVE area containing all states enabled by XCR0 or
    (XCRO | IA32_XSS) needs to be updated.
    
    For simplicity and consistency, existing helpers are used to write values
    and call kvm_update_cpuid_runtime(), and it's not exactly a fast path.
    
    Fixes: a554d207dc46 ("KVM: X86: Processor States following Reset or INIT")
    Cc: stable@vger.kernel.org
    Signed-off-by: Like Xu <likexu@tencent.com>
    Signed-off-by: Sean Christopherson <seanjc@google.com>
    Message-Id: <20220126172226.2298529-4-seanjc@google.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 096779d440871fc7ed54b6dae66c2e0286bf3b99
Author: Like Xu <likexu@tencent.com>
Date:   Wed Jan 26 17:22:25 2022 +0000

    KVM: x86: Update vCPU's runtime CPUID on write to MSR_IA32_XSS
    
    commit 4c282e51e4450b94680d6ca3b10f830483b1f243 upstream.
    
    Do a runtime CPUID update for a vCPU if MSR_IA32_XSS is written, as the
    size in bytes of the XSAVE area is affected by the states enabled in XSS.
    
    Fixes: 203000993de5 ("kvm: vmx: add MSR logic for XSAVES")
    Cc: stable@vger.kernel.org
    Signed-off-by: Like Xu <likexu@tencent.com>
    [sean: split out as a separate patch, adjust Fixes tag]
    Signed-off-by: Sean Christopherson <seanjc@google.com>
    Message-Id: <20220126172226.2298529-3-seanjc@google.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5afeafcc59bbcd3506f47a6dda8263f5b43533cb
Author: Xiaoyao Li <xiaoyao.li@intel.com>
Date:   Wed Jan 26 17:22:24 2022 +0000

    KVM: x86: Keep MSR_IA32_XSS unchanged for INIT
    
    commit be4f3b3f82271c3193ce200a996dc70682c8e622 upstream.
    
    It has been corrected from SDM version 075 that MSR_IA32_XSS is reset to
    zero on Power up and Reset but keeps unchanged on INIT.
    
    Fixes: a554d207dc46 ("KVM: X86: Processor States following Reset or INIT")
    Cc: stable@vger.kernel.org
    Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
    Signed-off-by: Sean Christopherson <seanjc@google.com>
    Message-Id: <20220126172226.2298529-2-seanjc@google.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e302786233e6bc512986d007c96458ccf5ca21c7
Author: Sean Christopherson <seanjc@google.com>
Date:   Tue Jan 25 22:03:58 2022 +0000

    KVM: x86: Forcibly leave nested virt when SMM state is toggled
    
    commit f7e570780efc5cec9b2ed1e0472a7da14e864fdb upstream.
    
    Forcibly leave nested virtualization operation if userspace toggles SMM
    state via KVM_SET_VCPU_EVENTS or KVM_SYNC_X86_EVENTS.  If userspace
    forces the vCPU out of SMM while it's post-VMXON and then injects an SMI,
    vmx_enter_smm() will overwrite vmx->nested.smm.vmxon and end up with both
    vmxon=false and smm.vmxon=false, but all other nVMX state allocated.
    
    Don't attempt to gracefully handle the transition as (a) most transitions
    are nonsencial, e.g. forcing SMM while L2 is running, (b) there isn't
    sufficient information to handle all transitions, e.g. SVM wants access
    to the SMRAM save state, and (c) KVM_SET_VCPU_EVENTS must precede
    KVM_SET_NESTED_STATE during state restore as the latter disallows putting
    the vCPU into L2 if SMM is active, and disallows tagging the vCPU as
    being post-VMXON in SMM if SMM is not active.
    
    Abuse of KVM_SET_VCPU_EVENTS manifests as a WARN and memory leak in nVMX
    due to failure to free vmcs01's shadow VMCS, but the bug goes far beyond
    just a memory leak, e.g. toggling SMM on while L2 is active puts the vCPU
    in an architecturally impossible state.
    
      WARNING: CPU: 0 PID: 3606 at free_loaded_vmcs arch/x86/kvm/vmx/vmx.c:2665 [inline]
      WARNING: CPU: 0 PID: 3606 at free_loaded_vmcs+0x158/0x1a0 arch/x86/kvm/vmx/vmx.c:2656
      Modules linked in:
      CPU: 1 PID: 3606 Comm: syz-executor725 Not tainted 5.17.0-rc1-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:free_loaded_vmcs arch/x86/kvm/vmx/vmx.c:2665 [inline]
      RIP: 0010:free_loaded_vmcs+0x158/0x1a0 arch/x86/kvm/vmx/vmx.c:2656
      Code: <0f> 0b eb b3 e8 8f 4d 9f 00 e9 f7 fe ff ff 48 89 df e8 92 4d 9f 00
      Call Trace:
       <TASK>
       kvm_arch_vcpu_destroy+0x72/0x2f0 arch/x86/kvm/x86.c:11123
       kvm_vcpu_destroy arch/x86/kvm/../../../virt/kvm/kvm_main.c:441 [inline]
       kvm_destroy_vcpus+0x11f/0x290 arch/x86/kvm/../../../virt/kvm/kvm_main.c:460
       kvm_free_vcpus arch/x86/kvm/x86.c:11564 [inline]
       kvm_arch_destroy_vm+0x2e8/0x470 arch/x86/kvm/x86.c:11676
       kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:1217 [inline]
       kvm_put_kvm+0x4fa/0xb00 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1250
       kvm_vm_release+0x3f/0x50 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1273
       __fput+0x286/0x9f0 fs/file_table.c:311
       task_work_run+0xdd/0x1a0 kernel/task_work.c:164
       exit_task_work include/linux/task_work.h:32 [inline]
       do_exit+0xb29/0x2a30 kernel/exit.c:806
       do_group_exit+0xd2/0x2f0 kernel/exit.c:935
       get_signal+0x4b0/0x28c0 kernel/signal.c:2862
       arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:868
       handle_signal_work kernel/entry/common.c:148 [inline]
       exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
       exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:207
       __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
       syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300
       do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
       entry_SYSCALL_64_after_hwframe+0x44/0xae
       </TASK>
    
    Cc: stable@vger.kernel.org
    Reported-by: syzbot+8112db3ab20e70d50c31@syzkaller.appspotmail.com
    Signed-off-by: Sean Christopherson <seanjc@google.com>
    Message-Id: <20220125220358.2091737-1-seanjc@google.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6f3e157e21b24d38c4a5d76cc40ddd4fdeb74d18
Author: Denis Valeev <lemniscattaden@gmail.com>
Date:   Sat Jan 22 23:13:57 2022 +0300

    KVM: x86: nSVM: skip eax alignment check for non-SVM instructions
    
    commit 47c28d436f409f5b009dc82bd82d4971088aa391 upstream.
    
    The bug occurs on #GP triggered by VMware backdoor when eax value is
    unaligned. eax alignment check should not be applied to non-SVM
    instructions because it leads to incorrect omission of the instructions
    emulation.
    Apply the alignment check only to SVM instructions to fix.
    
    Fixes: d1cba6c92237 ("KVM: x86: nSVM: test eax for 4K alignment for GP errata workaround")
    Signed-off-by: Denis Valeev <lemniscattaden@gmail.com>
    Message-Id: <Yexlhaoe1Fscm59u@q>
    Cc: stable@vger.kernel.org
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 575656560897a018de5bd4264f8ba49763be2376
Author: Sean Christopherson <seanjc@google.com>
Date:   Thu Jan 20 01:07:13 2022 +0000

    KVM: SVM: Don't intercept #GP for SEV guests
    
    commit 0b0be065b7563ac708aaa9f69dd4941c80b3446d upstream.
    
    Never intercept #GP for SEV guests as reading SEV guest private memory
    will return cyphertext, i.e. emulating on #GP can't work as intended.
    
    Cc: stable@vger.kernel.org
    Cc: Tom Lendacky <thomas.lendacky@amd.com>
    Cc: Brijesh Singh <brijesh.singh@amd.com>
    Signed-off-by: Sean Christopherson <seanjc@google.com>
    Reviewed-by: Liam Merwick <liam.merwick@oracle.com>
    Message-Id: <20220120010719.711476-4-seanjc@google.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3470722fac229594182d7c2b46041323560b1924
Author: Sean Christopherson <seanjc@google.com>
Date:   Thu Jan 20 01:07:11 2022 +0000

    KVM: SVM: Never reject emulation due to SMAP errata for !SEV guests
    
    commit 55467fcd55b89c622e62b4afe60ac0eb2fae91f2 upstream.
    
    Always signal that emulation is possible for !SEV guests regardless of
    whether or not the CPU provided a valid instruction byte stream.  KVM can
    read all guest state (memory and registers) for !SEV guests, i.e. can
    fetch the code stream from memory even if the CPU failed to do so because
    of the SMAP errata.
    
    Fixes: 05d5a4863525 ("KVM: SVM: Workaround errata#1096 (insn_len maybe zero on SMAP violation)")
    Cc: stable@vger.kernel.org
    Cc: Tom Lendacky <thomas.lendacky@amd.com>
    Cc: Brijesh Singh <brijesh.singh@amd.com>
    Signed-off-by: Sean Christopherson <seanjc@google.com>
    Reviewed-by: Liam Merwick <liam.merwick@oracle.com>
    Message-Id: <20220120010719.711476-2-seanjc@google.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 54b3439c8e70e0bcfea59aeef9dd98908cbbf655
Author: Wanpeng Li <wanpengli@tencent.com>
Date:   Tue Jan 25 01:17:00 2022 -0800

    KVM: LAPIC: Also cancel preemption timer during SET_LAPIC
    
    commit 35fe7cfbab2e81f1afb23fc4212210b1de6d9633 upstream.
    
    The below warning is splatting during guest reboot.
    
      ------------[ cut here ]------------
      WARNING: CPU: 0 PID: 1931 at arch/x86/kvm/x86.c:10322 kvm_arch_vcpu_ioctl_run+0x874/0x880 [kvm]
      CPU: 0 PID: 1931 Comm: qemu-system-x86 Tainted: G          I       5.17.0-rc1+ #5
      RIP: 0010:kvm_arch_vcpu_ioctl_run+0x874/0x880 [kvm]
      Call Trace:
       <TASK>
       kvm_vcpu_ioctl+0x279/0x710 [kvm]
       __x64_sys_ioctl+0x83/0xb0
       do_syscall_64+0x3b/0xc0
       entry_SYSCALL_64_after_hwframe+0x44/0xae
      RIP: 0033:0x7fd39797350b
    
    This can be triggered by not exposing tsc-deadline mode and doing a reboot in
    the guest. The lapic_shutdown() function which is called in sys_reboot path
    will not disarm the flying timer, it just masks LVTT. lapic_shutdown() clears
    APIC state w/ LVT_MASKED and timer-mode bit is 0, this can trigger timer-mode
    switch between tsc-deadline and oneshot/periodic, which can result in preemption
    timer be cancelled in apic_update_lvtt(). However, We can't depend on this when
    not exposing tsc-deadline mode and oneshot/periodic modes emulated by preemption
    timer. Qemu will synchronise states around reset, let's cancel preemption timer
    under KVM_SET_LAPIC.
    
    Signed-off-by: Wanpeng Li <wanpengli@tencent.com>
    Message-Id: <1643102220-35667-1-git-send-email-wanpengli@tencent.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 548f20b39ec91fdd97194a84a0d9b2f68715762a
Author: Bas Nieuwenhuizen <bas@basnieuwenhuizen.nl>
Date:   Mon Jan 24 01:23:35 2022 +0100

    drm/amd/display: Fix FP start/end for dcn30_internal_validate_bw.
    
    commit 72a8d87b87270bff0c0b2fed4d59c48d0dd840d7 upstream.
    
    It calls populate_dml_pipes which uses doubles to initialize the
    scale_ratio_depth params. Mirrors the dcn20 logic.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Bas Nieuwenhuizen <bas@basnieuwenhuizen.nl>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 73740f948252e424a01465155d8737bceae23653
Author: Manasi Navare <manasi.d.navare@intel.com>
Date:   Mon Oct 4 04:59:13 2021 -0700

    drm/atomic: Add the crtc to affected crtc only if uapi.enable = true
    
    commit 5ec1cebd59300ddd26dbaa96c17c508764eef911 upstream.
    
    In case of a modeset where a mode gets split across multiple CRTCs
    in the driver specific implementation (bigjoiner in i915) we wrongly count
    the affected CRTCs based on the drm_crtc_mask and indicate the stolen CRTC as
    an affected CRTC in atomic_check_only().
    This triggers a warning since affected CRTCs doent match requested CRTC.
    
    To fix this in such bigjoiner configurations, we should only
    increment affected crtcs if that CRTC is enabled in UAPI not
    if it is just used internally in the driver to split the mode.
    
    v3: Add the same uapi crtc_state->enable check in requested
    crtc calc (Ville)
    
    Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
    Cc: Simon Ser <contact@emersion.fr>
    Cc: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
    Cc: Daniel Stone <daniels@collabora.com>
    Cc: Daniel Vetter <daniel.vetter@intel.com>
    Cc: dri-devel@lists.freedesktop.org
    Cc: <stable@vger.kernel.org> # v5.11+
    Fixes: 919c2299a893 ("drm/i915: Enable bigjoiner")
    Signed-off-by: Manasi Navare <manasi.d.navare@intel.com>
    Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20211004115913.23889-1-manasi.d.navare@intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 473aed10d16dbcb2236bc0d1ea651adc534d2c00
Author: Lucas Stach <l.stach@pengutronix.de>
Date:   Thu Jan 6 19:10:21 2022 +0100

    drm/etnaviv: relax submit size limits
    
    commit e3d26528e083e612314d4dcd713f3d5a26143ddc upstream.
    
    While all userspace tried to limit commandstreams to 64K in size,
    a bug in the Mesa driver lead to command streams of up to 128K
    being submitted. Allow those to avoid breaking existing userspace.
    
    Fixes: 6dfa2fab8ddd ("drm/etnaviv: limit submit sizes")
    Cc: stable@vger.kernel.org
    Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
    Reviewed-by: Christian Gmeiner <christian.gmeiner@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b7bfc2c6cdd28fc250f5f8c3177293342bfe14a5
Author: Kan Liang <kan.liang@linux.intel.com>
Date:   Tue Jan 11 10:20:38 2022 -0800

    perf/x86/intel: Add a quirk for the calculation of the number of counters on Alder Lake
    
    commit 7fa981cad216e9f64f49e22112f610c0bfed91bc upstream.
    
    For some Alder Lake machine with all E-cores disabled in a BIOS, the
    below warning may be triggered.
    
    [ 2.010766] hw perf events fixed 5 > max(4), clipping!
    
    Current perf code relies on the CPUID leaf 0xA and leaf 7.EDX[15] to
    calculate the number of the counters and follow the below assumption.
    
    For a hybrid configuration, the leaf 7.EDX[15] (X86_FEATURE_HYBRID_CPU)
    is set. The leaf 0xA only enumerate the common counters. Linux perf has
    to manually add the extra GP counters and fixed counters for P-cores.
    For a non-hybrid configuration, the X86_FEATURE_HYBRID_CPU should not
    be set. The leaf 0xA enumerates all counters.
    
    However, that's not the case when all E-cores are disabled in a BIOS.
    Although there are only P-cores in the system, the leaf 7.EDX[15]
    (X86_FEATURE_HYBRID_CPU) is still set. But the leaf 0xA is updated
    to enumerate all counters of P-cores. The inconsistency triggers the
    warning.
    
    Several software ways were considered to handle the inconsistency.
    - Drop the leaf 0xA and leaf 7.EDX[15] CPUID enumeration support.
      Hardcode the number of counters. This solution may be a problem for
      virtualization. A hypervisor cannot control the number of counters
      in a Linux guest via changing the guest CPUID enumeration anymore.
    - Find another CPUID bit that is also updated with E-cores disabled.
      There may be a problem in the virtualization environment too. Because
      a hypervisor may disable the feature/CPUID bit.
    - The P-cores have a maximum of 8 GP counters and 4 fixed counters on
      ADL. The maximum number can be used to detect the case.
      This solution is implemented in this patch.
    
    Fixes: ee72a94ea4a6 ("perf/x86/intel: Fix fixed counter check warning for some Alder Lake")
    Reported-by: Damjan Marion (damarion) <damarion@cisco.com>
    Reported-by: Chan Edison <edison_chan_gz@hotmail.com>
    Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Tested-by: Damjan Marion (damarion) <damarion@cisco.com>
    Cc: stable@vger.kernel.org
    Link: https://lkml.kernel.org/r/1641925238-149288-1-git-send-email-kan.liang@linux.intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1b4abcd997ade5cc0eac40cbb0c510015aa6fa0f
Author: Zhengjun Xing <zhengjun.xing@linux.intel.com>
Date:   Thu Dec 23 22:48:26 2021 +0800

    perf/x86/intel/uncore: Fix CAS_COUNT_WRITE issue for ICX
    
    commit 96fd2e89fba1aaada6f4b1e5d25a9d9ecbe1943d upstream.
    
    The user recently report a perf issue in the ICX platform, when test by
    perf event “uncore_imc_x/cas_count_write”,the write bandwidth is always
    very small (only 0.38MB/s), it is caused by the wrong "umask" for the
    "cas_count_write" event. When double-checking, find "cas_count_read"
    also is wrong.
    
    The public document for ICX uncore:
    
    3rd Gen Intel® Xeon® Processor Scalable Family, Codename Ice Lake,Uncore
    Performance Monitoring Reference Manual, Revision 1.00, May 2021
    
    On 2.4.7, it defines Unit Masks for CAS_COUNT:
    RD b00001111
    WR b00110000
    
    So corrected both "cas_count_read" and "cas_count_write" for ICX.
    
    Old settings:
     hswep_uncore_imc_events
            INTEL_UNCORE_EVENT_DESC(cas_count_read,  "event=0x04,umask=0x03")
            INTEL_UNCORE_EVENT_DESC(cas_count_write, "event=0x04,umask=0x0c")
    
    New settings:
     snr_uncore_imc_events
            INTEL_UNCORE_EVENT_DESC(cas_count_read,  "event=0x04,umask=0x0f")
            INTEL_UNCORE_EVENT_DESC(cas_count_write, "event=0x04,umask=0x30")
    
    Fixes: 2b3b76b5ec67 ("perf/x86/intel/uncore: Add Ice Lake server uncore support")
    Signed-off-by: Zhengjun Xing <zhengjun.xing@linux.intel.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Reviewed-by: Adrian Hunter <adrian.hunter@intel.com>
    Reviewed-by: Kan Liang <kan.liang@linux.intel.com>
    Cc: stable@vger.kernel.org
    Link: https://lkml.kernel.org/r/20211223144826.841267-1-zhengjun.xing@linux.intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b8140d7733e003926ac7eef645bce259323cb7be
Author: Christophe Leroy <christophe.leroy@csgroup.eu>
Date:   Fri Jan 14 11:26:25 2022 +0000

    powerpc/audit: Fix syscall_get_arch()
    
    commit 252745240ba0ae774d2f80c5e185ed59fbc4fb41 upstream.
    
    Commit 770cec16cdc9 ("powerpc/audit: Simplify syscall_get_arch()")
    and commit 898a1ef06ad4 ("powerpc/audit: Avoid unneccessary #ifdef
    in syscall_get_arguments()")
    replaced test_tsk_thread_flag(task, TIF_32BIT)) by is_32bit_task().
    
    But is_32bit_task() applies on current task while be want the test
    done on task 'task'
    
    So add a new macro is_tsk_32bit_task() to check any task.
    
    Fixes: 770cec16cdc9 ("powerpc/audit: Simplify syscall_get_arch()")
    Fixes: 898a1ef06ad4 ("powerpc/audit: Avoid unneccessary #ifdef in syscall_get_arguments()")
    Cc: stable@vger.kernel.org
    Reported-by: Dmitry V. Levin <ldv@altlinux.org>
    Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://lore.kernel.org/r/c55cddb8f65713bf5859ed675d75a50cb37d5995.1642159570.git.christophe.leroy@csgroup.eu
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d3e4c61e143e69671803ef3f52140cf7a7258ee7
Author: Suren Baghdasaryan <surenb@google.com>
Date:   Tue Jan 11 15:23:09 2022 -0800

    psi: Fix uaf issue when psi trigger is destroyed while being polled
    
    commit a06247c6804f1a7c86a2e5398a4c1f1db1471848 upstream.
    
    With write operation on psi files replacing old trigger with a new one,
    the lifetime of its waitqueue is totally arbitrary. Overwriting an
    existing trigger causes its waitqueue to be freed and pending poll()
    will stumble on trigger->event_wait which was destroyed.
    Fix this by disallowing to redefine an existing psi trigger. If a write
    operation is used on a file descriptor with an already existing psi
    trigger, the operation will fail with EBUSY error.
    Also bypass a check for psi_disabled in the psi_trigger_destroy as the
    flag can be flipped after the trigger is created, leading to a memory
    leak.
    
    Fixes: 0e94682b73bf ("psi: introduce psi monitor")
    Reported-by: syzbot+cdb5dd11c97cc532efad@syzkaller.appspotmail.com
    Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
    Analyzed-by: Eric Biggers <ebiggers@kernel.org>
    Signed-off-by: Suren Baghdasaryan <surenb@google.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Reviewed-by: Eric Biggers <ebiggers@google.com>
    Acked-by: Johannes Weiner <hannes@cmpxchg.org>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/20220111232309.1786347-1-surenb@google.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b17cb93dda1dcdc9737c8b334e850c18dc6b0b7d
Author: Sean Christopherson <seanjc@google.com>
Date:   Thu Jan 20 01:07:12 2022 +0000

    Revert "KVM: SVM: avoid infinite loop on NPF from bad address"
    
    commit 31c25585695abdf03d6160aa6d829e855b256329 upstream.
    
    Revert a completely broken check on an "invalid" RIP in SVM's workaround
    for the DecodeAssists SMAP errata.  kvm_vcpu_gfn_to_memslot() obviously
    expects a gfn, i.e. operates in the guest physical address space, whereas
    RIP is a virtual (not even linear) address.  The "fix" worked for the
    problematic KVM selftest because the test identity mapped RIP.
    
    Fully revert the hack instead of trying to translate RIP to a GPA, as the
    non-SEV case is now handled earlier, and KVM cannot access guest page
    tables to translate RIP.
    
    This reverts commit e72436bc3a5206f95bb384e741154166ddb3202e.
    
    Fixes: e72436bc3a52 ("KVM: SVM: avoid infinite loop on NPF from bad address")
    Reported-by: Liam Merwick <liam.merwick@oracle.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Sean Christopherson <seanjc@google.com>
    Reviewed-by: Liam Merwick <liam.merwick@oracle.com>
    Message-Id: <20220120010719.711476-3-seanjc@google.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e6023ab8c729b9edb99c6bc5f0169f474deeabe5
Author: Amir Goldstein <amir73il@gmail.com>
Date:   Thu Jan 20 23:53:05 2022 +0200

    fsnotify: fix fsnotify hooks in pseudo filesystems
    
    commit 29044dae2e746949ad4b9cbdbfb248994d1dcdb4 upstream.
    
    Commit 49246466a989 ("fsnotify: move fsnotify_nameremove() hook out of
    d_delete()") moved the fsnotify delete hook before d_delete() so fsnotify
    will have access to a positive dentry.
    
    This allowed a race where opening the deleted file via cached dentry
    is now possible after receiving the IN_DELETE event.
    
    To fix the regression in pseudo filesystems, convert d_delete() calls
    to d_drop() (see commit 46c46f8df9aa ("devpts_pty_kill(): don't bother
    with d_delete()") and move the fsnotify hook after d_drop().
    
    Add a missing fsnotify_unlink() hook in nfsdfs that was found during
    the audit of fsnotify hooks in pseudo filesystems.
    
    Note that the fsnotify hooks in simple_recursive_removal() follow
    d_invalidate(), so they require no change.
    
    Link: https://lore.kernel.org/r/20220120215305.282577-2-amir73il@gmail.com
    Reported-by: Ivan Delalande <colona@arista.com>
    Link: https://lore.kernel.org/linux-fsdevel/YeNyzoDM5hP5LtGW@visor/
    Fixes: 49246466a989 ("fsnotify: move fsnotify_nameremove() hook out of d_delete()")
    Cc: stable@vger.kernel.org # v5.3+
    Signed-off-by: Amir Goldstein <amir73il@gmail.com>
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2aac1eda4638e1be3530eaa3b69f3147d88ea2e6
Author: Jeff Layton <jlayton@kernel.org>
Date:   Wed Jan 26 12:36:49 2022 -0500

    ceph: set pool_ns in new inode layout for async creates
    
    commit 4584a768f22b7669cdebabc911543621ac661341 upstream.
    
    Dan reported that he was unable to write to files that had been
    asynchronously created when the client's OSD caps are restricted to a
    particular namespace.
    
    The issue is that the layout for the new inode is only partially being
    filled. Ensure that we populate the pool_ns_data and pool_ns_len in the
    iinfo before calling ceph_fill_inode.
    
    Cc: stable@vger.kernel.org
    URL: https://tracker.ceph.com/issues/54013
    Fixes: 9a8d03ca2e2c ("ceph: attempt to do async create when possible")
    Reported-by: Dan van der Ster <dan@vanderster.com>
    Signed-off-by: Jeff Layton <jlayton@kernel.org>
    Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
    Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 36d433ae3242aa714176378850e6d1a5a3e78f18
Author: Jeff Layton <jlayton@kernel.org>
Date:   Tue Jan 25 15:39:16 2022 -0500

    ceph: properly put ceph_string reference after async create attempt
    
    commit 932a9b5870d38b87ba0a9923c804b1af7d3605b9 upstream.
    
    The reference acquired by try_prep_async_create is currently leaked.
    Ensure we put it.
    
    Cc: stable@vger.kernel.org
    Fixes: 9a8d03ca2e2c ("ceph: attempt to do async create when possible")
    Signed-off-by: Jeff Layton <jlayton@kernel.org>
    Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
    Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4e5dcbedd48dcce9a02e035684a6765035a08da7
Author: Tom Zanussi <zanussi@kernel.org>
Date:   Thu Jan 27 15:44:18 2022 -0600

    tracing: Don't inc err_log entry count if entry allocation fails
    
    commit 67ab5eb71b37b55f7c5522d080a1b42823351776 upstream.
    
    tr->n_err_log_entries should only be increased if entry allocation
    succeeds.
    
    Doing it when it fails won't cause any problems other than wasting an
    entry, but should be fixed anyway.
    
    Link: https://lkml.kernel.org/r/cad1ab28f75968db0f466925e7cba5970cec6c29.1643319703.git.zanussi@kernel.org
    
    Cc: stable@vger.kernel.org
    Fixes: 2f754e771b1a6 ("tracing: Don't inc err_log entry count if entry allocation fails")
    Signed-off-by: Tom Zanussi <zanussi@kernel.org>
    Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e33fa4a46ee22de88a700e2e3d033da8214a5175
Author: Xiaoke Wang <xkernel.wang@foxmail.com>
Date:   Tue Jan 25 12:07:15 2022 +0800

    tracing/histogram: Fix a potential memory leak for kstrdup()
    
    commit e629e7b525a179e29d53463d992bdee759c950fb upstream.
    
    kfree() is missing on an error path to free the memory allocated by
    kstrdup():
    
      p = param = kstrdup(data->params[i], GFP_KERNEL);
    
    So it is better to free it via kfree(p).
    
    Link: https://lkml.kernel.org/r/tencent_C52895FD37802832A3E5B272D05008866F0A@qq.com
    
    Cc: stable@vger.kernel.org
    Fixes: d380dcde9a07c ("tracing: Fix now invalid var_ref_vals assumption in trace action")
    Signed-off-by: Xiaoke Wang <xkernel.wang@foxmail.com>
    Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit fb9b60bbda5536dd268dcf00ca38a1f241ebb28b
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Thu Jan 13 19:44:20 2022 +0100

    PM: wakeup: simplify the output logic of pm_show_wakelocks()
    
    commit c9d967b2ce40d71e968eb839f36c936b8a9cf1ea upstream.
    
    The buffer handling in pm_show_wakelocks() is tricky, and hopefully
    correct.  Ensure it really is correct by using sysfs_emit_at() which
    handles all of the tricky string handling logic in a PAGE_SIZE buffer
    for us automatically as this is a sysfs file being read from.
    
    Reviewed-by: Lee Jones <lee.jones@linaro.org>
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3df52448978802ae15dcebf66beba1029df957b4
Author: Ard Biesheuvel <ardb@kernel.org>
Date:   Wed Jan 12 11:14:13 2022 +0100

    efi: runtime: avoid EFIv2 runtime services on Apple x86 machines
    
    commit f5390cd0b43c2e54c7cf5506c7da4a37c5cef746 upstream.
    
    Aditya reports [0] that his recent MacbookPro crashes in the firmware
    when using the variable services at runtime. The culprit appears to be a
    call to QueryVariableInfo(), which we did not use to call on Apple x86
    machines in the past as they only upgraded from EFI v1.10 to EFI v2.40
    firmware fairly recently, and QueryVariableInfo() (along with
    UpdateCapsule() et al) was added in EFI v2.00.
    
    The only runtime service introduced in EFI v2.00 that we actually use in
    Linux is QueryVariableInfo(), as the capsule based ones are optional,
    generally not used at runtime (all the LVFS/fwupd firmware update
    infrastructure uses helper EFI programs that invoke capsule update at
    boot time, not runtime), and not implemented by Apple machines in the
    first place. QueryVariableInfo() is used to 'safely' set variables,
    i.e., only when there is enough space. This prevents machines with buggy
    firmwares from corrupting their NVRAMs when they run out of space.
    
    Given that Apple machines have been using EFI v1.10 services only for
    the longest time (the EFI v2.0 spec was released in 2006, and Linux
    support for the newly introduced runtime services was added in 2011, but
    the MacbookPro12,1 released in 2015 still claims to be EFI v1.10 only),
    let's avoid the EFI v2.0 ones on all Apple x86 machines.
    
    [0] https://lore.kernel.org/all/6D757C75-65B1-468B-842D-10410081A8E4@live.com/
    
    Cc: <stable@vger.kernel.org>
    Cc: Jeremy Kerr <jk@ozlabs.org>
    Cc: Matthew Garrett <mjg59@srcf.ucam.org>
    Reported-by: Aditya Garg <gargaditya08@live.com>
    Tested-by: Orlando Chamberlain <redecorating@protonmail.com>
    Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
    Tested-by: Aditya Garg <gargaditya08@live.com>
    Link: https://bugzilla.kernel.org/show_bug.cgi?id=215277
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit cbf96c58e28b1fece9630102781a93ff32c347f7
Author: Jan Kara <jack@suse.cz>
Date:   Mon Jan 17 18:22:13 2022 +0100

    udf: Fix NULL ptr deref when converting from inline format
    
    commit 7fc3b7c2981bbd1047916ade327beccb90994eee upstream.
    
    udf_expand_file_adinicb() calls directly ->writepage to write data
    expanded into a page. This however misses to setup inode for writeback
    properly and so we can crash on inode->i_wb dereference when submitting
    page for IO like:
    
      BUG: kernel NULL pointer dereference, address: 0000000000000158
      #PF: supervisor read access in kernel mode
    ...
      <TASK>
      __folio_start_writeback+0x2ac/0x350
      __block_write_full_page+0x37d/0x490
      udf_expand_file_adinicb+0x255/0x400 [udf]
      udf_file_write_iter+0xbe/0x1b0 [udf]
      new_sync_write+0x125/0x1c0
      vfs_write+0x28e/0x400
    
    Fix the problem by marking the page dirty and going through the standard
    writeback path to write the page. Strictly speaking we would not even
    have to write the page but we want to catch e.g. ENOSPC errors early.
    
    Reported-by: butt3rflyh4ck <butterflyhuangxx@gmail.com>
    CC: stable@vger.kernel.org
    Fixes: 52ebea749aae ("writeback: make backing_dev_info host cgroup-specific bdi_writebacks")
    Reviewed-by: Christoph Hellwig <hch@lst.de>
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2ea17d25be51ed8ea9fa59a66c9152d3c5ba0c7a
Author: Jan Kara <jack@suse.cz>
Date:   Tue Jan 18 09:57:25 2022 +0100

    udf: Restore i_lenAlloc when inode expansion fails
    
    commit ea8569194b43f0f01f0a84c689388542c7254a1f upstream.
    
    When we fail to expand inode from inline format to a normal format, we
    restore inode to contain the original inline formatting but we forgot to
    set i_lenAlloc back. The mismatch between i_lenAlloc and i_size was then
    causing further problems such as warnings and lost data down the line.
    
    Reported-by: butt3rflyh4ck <butterflyhuangxx@gmail.com>
    CC: stable@vger.kernel.org
    Fixes: 7e49b6f2480c ("udf: Convert UDF to new truncate calling sequence")
    Reviewed-by: Christoph Hellwig <hch@lst.de>
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 172aa3b811824e4472042d259b4f5fe22df3a85f
Author: Steffen Maier <maier@linux.ibm.com>
Date:   Tue Jan 18 17:58:03 2022 +0100

    scsi: zfcp: Fix failed recovery on gone remote port with non-NPIV FCP devices
    
    commit 8c9db6679be4348b8aae108e11d4be2f83976e30 upstream.
    
    Suppose we have an environment with a number of non-NPIV FCP devices
    (virtual HBAs / FCP devices / zfcp "adapter"s) sharing the same physical
    FCP channel (HBA port) and its I_T nexus. Plus a number of storage target
    ports zoned to such shared channel. Now one target port logs out of the
    fabric causing an RSCN. Zfcp reacts with an ADISC ELS and subsequent port
    recovery depending on the ADISC result. This happens on all such FCP
    devices (in different Linux images) concurrently as they all receive a copy
    of this RSCN. In the following we look at one of those FCP devices.
    
    Requests other than FSF_QTCB_FCP_CMND can be slow until they get a
    response.
    
    Depending on which requests are affected by slow responses, there are
    different recovery outcomes. Here we want to fix failed recoveries on port
    or adapter level by avoiding recovery requests that can be slow.
    
    We need the cached N_Port_ID for the remote port "link" test with ADISC.
    Just before sending the ADISC, we now intentionally forget the old cached
    N_Port_ID. The idea is that on receiving an RSCN for a port, we have to
    assume that any cached information about this port is stale.  This forces a
    fresh new GID_PN [FC-GS] nameserver lookup on any subsequent recovery for
    the same port. Since we typically can still communicate with the nameserver
    efficiently, we now reach steady state quicker: Either the nameserver still
    does not know about the port so we stop recovery, or the nameserver already
    knows the port potentially with a new N_Port_ID and we can successfully and
    quickly perform open port recovery.  For the one case, where ADISC returns
    successfully, we re-initialize port->d_id because that case does not
    involve any port recovery.
    
    This also solves a problem if the storage WWPN quickly logs into the fabric
    again but with a different N_Port_ID. Such as on virtual WWPN takeover
    during target NPIV failover.
    [https://www.redbooks.ibm.com/abstracts/redp5477.html] In that case the
    RSCN from the storage FDISC was ignored by zfcp and we could not
    successfully recover the failover. On some later failback on the storage,
    we could have been lucky if the virtual WWPN got the same old N_Port_ID
    from the SAN switch as we still had cached.  Then the related RSCN
    triggered a successful port reopen recovery.  However, there is no
    guarantee to get the same N_Port_ID on NPIV FDISC.
    
    Even though NPIV-enabled FCP devices are not affected by this problem, this
    code change optimizes recovery time for gone remote ports as a side effect.
    The timely drop of cached N_Port_IDs prevents unnecessary slow open port
    attempts.
    
    While the problem might have been in code before v2.6.32 commit
    799b76d09aee ("[SCSI] zfcp: Decouple gid_pn requests from erp") this fix
    depends on the gid_pn_work introduced with that commit, so we mark it as
    culprit to satisfy fix dependencies.
    
    Note: Point-to-point remote port is already handled separately and gets its
    N_Port_ID from the cached peer_d_id. So resetting port->d_id in general
    does not affect PtP.
    
    Link: https://lore.kernel.org/r/20220118165803.3667947-1-maier@linux.ibm.com
    Fixes: 799b76d09aee ("[SCSI] zfcp: Decouple gid_pn requests from erp")
    Cc: <stable@vger.kernel.org> #2.6.32+
    Suggested-by: Benjamin Block <bblock@linux.ibm.com>
    Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
    Signed-off-by: Steffen Maier <maier@linux.ibm.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 348a8501e6029f9308ea7675edfa645b5e669c9e
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Mon Jan 24 12:46:50 2022 -0600

    ucount: Make get_ucount a safe get_user replacement
    
    commit f9d87929d451d3e649699d0f1d74f71f77ad38f5 upstream.
    
    When the ucount code was refactored to create get_ucount it was missed
    that some of the contexts in which a rlimit is kept elevated can be
    the only reference to the user/ucount in the system.
    
    Ordinary ucount references exist in places that also have a reference
    to the user namspace, but in POSIX message queues, the SysV shm code,
    and the SIGPENDING code there is no independent user namespace
    reference.
    
    Inspection of the the user_namespace show no instance of circular
    references between struct ucounts and the user_namespace.  So
    hold a reference from struct ucount to i's user_namespace to
    resolve this problem.
    
    Link: https://lore.kernel.org/lkml/YZV7Z+yXbsx9p3JN@fixkernel.com/
    Reported-by: Qian Cai <quic_qiancai@quicinc.com>
    Reported-by: Mathias Krause <minipli@grsecurity.net>
    Tested-by: Mathias Krause <minipli@grsecurity.net>
    Reviewed-by: Mathias Krause <minipli@grsecurity.net>
    Reviewed-by: Alexey Gladkov <legion@kernel.org>
    Fixes: d64696905554 ("Reimplement RLIMIT_SIGPENDING on top of ucounts")
    Fixes: 6e52a9f0532f ("Reimplement RLIMIT_MSGQUEUE on top of ucounts")
    Fixes: d7c9e99aee48 ("Reimplement RLIMIT_MEMLOCK on top of ucounts")
    Cc: stable@vger.kernel.org
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2dc0a8e0129fb0d4ac6a8be0e7e746633dbff722
Author: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
Date:   Thu Jan 6 17:15:07 2022 +0530

    powerpc/bpf: Update ldimm64 instructions during extra pass
    
    commit f9320c49993ca3c0ec0f9a7026b313735306bb8b upstream.
    
    These instructions are updated after the initial JIT, so redo codegen
    during the extra pass. Rename bpf_jit_fixup_subprog_calls() to clarify
    that this is more than just subprog calls.
    
    Fixes: 69c087ba6225b5 ("bpf: Add bpf_for_each_map_elem() helper")
    Cc: stable@vger.kernel.org # v5.15
    Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
    Tested-by: Jiri Olsa <jolsa@redhat.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://lore.kernel.org/r/7cc162af77ba918eb3ecd26ec9e7824bc44b1fae.1641468127.git.naveen.n.rao@linux.vnet.ibm.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2f262cadff57424e81e43bbccd381ae166da7a4b
Author: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
Date:   Thu Jan 6 17:15:06 2022 +0530

    powerpc32/bpf: Fix codegen for bpf-to-bpf calls
    
    commit fab07611fb2e6a15fac05c4583045ca5582fd826 upstream.
    
    Pad instructions emitted for BPF_CALL so that the number of instructions
    generated does not change for different function addresses. This is
    especially important for calls to other bpf functions, whose address
    will only be known during extra pass.
    
    Fixes: 51c66ad849a703 ("powerpc/bpf: Implement extended BPF on PPC32")
    Cc: stable@vger.kernel.org # v5.13+
    Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://lore.kernel.org/r/52d8fe51f7620a6f27f377791564d79d75463576.1641468127.git.naveen.n.rao@linux.vnet.ibm.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0bcd484587b3b3092e448d27dc369e347e1810c3
Author: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
Date:   Thu Jan 6 17:15:05 2022 +0530

    bpf: Guard against accessing NULL pt_regs in bpf_get_task_stack()
    
    commit b992f01e66150fc5e90be4a96f5eb8e634c8249e upstream.
    
    task_pt_regs() can return NULL on powerpc for kernel threads. This is
    then used in __bpf_get_stack() to check for user mode, resulting in a
    kernel oops. Guard against this by checking return value of
    task_pt_regs() before trying to obtain the call chain.
    
    Fixes: fa28dcb82a38f8 ("bpf: Introduce helper bpf_get_task_stack()")
    Cc: stable@vger.kernel.org # v5.9+
    Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
    Acked-by: Daniel Borkmann <daniel@iogearbox.net>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://lore.kernel.org/r/d5ef83c361cc255494afd15ff1b4fb02a36e1dcf.1641468127.git.naveen.n.rao@linux.vnet.ibm.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit cfd2a7f8deaa6c86bcb12dad82a8b8a871d8aff2
Author: Christian Borntraeger <borntraeger@linux.ibm.com>
Date:   Mon Jan 17 18:40:32 2022 +0100

    s390/nmi: handle vector validity failures for KVM guests
    
    commit f094a39c6ba168f2df1edfd1731cca377af5f442 upstream.
    
    The machine check validity bit tells about the context. If a KVM guest
    was running the bit tells about the guest validity and the host state is
    not affected. As a guest can disable the guest validity this might
    result in unwanted host errors on machine checks.
    
    Cc: stable@vger.kernel.org
    Fixes: c929500d7a5a ("s390/nmi: s390: New low level handling for machine check happening in guest")
    Signed-off-by: Christian Borntraeger <borntraeger@linux.ibm.com>
    Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
    Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c058e1ae9dd516cbc8b6a38dc6d67d70479dfbbf
Author: Christian Borntraeger <borntraeger@linux.ibm.com>
Date:   Thu Jan 13 11:44:19 2022 +0100

    s390/nmi: handle guarded storage validity failures for KVM guests
    
    commit 1ea1d6a847d2b1d17fefd9196664b95f052a0775 upstream.
    
    machine check validity bits reflect the state of the machine check. If a
    guest does not make use of guarded storage, the validity bit might be
    off. We can not use the host CR bit to decide if the validity bit must
    be on. So ignore "invalid" guarded storage controls for KVM guests in
    the host and rely on the machine check being forwarded to the guest.  If
    no other errors happen from a host perspective everything is fine and no
    process must be killed and the host can continue to run.
    
    Cc: stable@vger.kernel.org
    Fixes: c929500d7a5a ("s390/nmi: s390: New low level handling for machine check happening in guest")
    Reported-by: Carsten Otte <cotte@de.ibm.com>
    Signed-off-by: Christian Borntraeger <borntraeger@linux.ibm.com>
    Tested-by: Carsten Otte <cotte@de.ibm.com>
    Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
    Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4abcb06fdcb29ae150ab8ae6a7c34cb9a921fe97
Author: Vasily Gorbik <gor@linux.ibm.com>
Date:   Thu Jan 20 16:23:19 2022 +0100

    s390/hypfs: include z/VM guests with access control group set
    
    commit 663d34c8df98740f1e90241e78e456d00b3c6cad upstream.
    
    Currently if z/VM guest is allowed to retrieve hypervisor performance
    data globally for all guests (privilege class B) the query is formed in a
    way to include all guests but the group name is left empty. This leads to
    that z/VM guests which have access control group set not being included
    in the results (even local vm).
    
    Change the query group identifier from empty to "any" to retrieve
    information about all guests from any groups (or without a group set).
    
    Cc: stable@vger.kernel.org
    Fixes: 31cb4bd31a48 ("[S390] Hypervisor filesystem (s390_hypfs) for z/VM")
    Reviewed-by: Gerald Schaefer <gerald.schaefer@linux.ibm.com>
    Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2025d5cb381e4bf8fecc78015da6ef6168f9ace8
Author: Ilya Leoshkevich <iii@linux.ibm.com>
Date:   Wed Jan 19 19:26:37 2022 +0100

    s390/module: fix loading modules with a lot of relocations
    
    commit f3b7e73b2c6619884351a3a0a7468642f852b8a2 upstream.
    
    If the size of the PLT entries generated by apply_rela() exceeds
    64KiB, the first ones can no longer reach __jump_r1 with brc. Fix by
    using brcl. An alternative solution is to add a __jump_r1 copy after
    every 64KiB, however, the space savings are quite small and do not
    justify the additional complexity.
    
    Fixes: f19fbd5ed642 ("s390: introduce execute-trampolines for branches")
    Cc: stable@vger.kernel.org
    Reported-by: Andrea Righi <andrea.righi@canonical.com>
    Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
    Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
    Cc: Vasily Gorbik <gor@linux.ibm.com>
    Cc: Christian Borntraeger <borntraeger@linux.ibm.com>
    Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a3aa4850b37b1bc61014080a87864d0ff7beebd3
Author: Marc Zyngier <maz@kernel.org>
Date:   Fri Jan 21 18:42:07 2022 +0000

    KVM: arm64: Use shadow SPSR_EL1 when injecting exceptions on !VHE
    
    commit 278583055a237270fac70518275ba877bf9e4013 upstream.
    
    Injecting an exception into a guest with non-VHE is risky business.
    Instead of writing in the shadow register for the switch code to
    restore it, we override the CPU register instead. Which gets
    overriden a few instructions later by said restore code.
    
    The result is that although the guest correctly gets the exception,
    it will return to the original context in some random state,
    depending on what was there the first place... Boo.
    
    Fix the issue by writing to the shadow register. The original code
    is absolutely fine on VHE, as the state is already loaded, and writing
    to the shadow register in that case would actually be a bug.
    
    Fixes: bb666c472ca2 ("KVM: arm64: Inject AArch64 exceptions from HYP")
    Cc: stable@vger.kernel.org
    Signed-off-by: Marc Zyngier <maz@kernel.org>
    Reviewed-by: Fuad Tabba <tabba@google.com>
    Link: https://lore.kernel.org/r/20220121184207.423426-1-maz@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d9505958e1eecaa264c3bb352080d885dbbb031f
Author: Ard Biesheuvel <ardb@kernel.org>
Date:   Tue Jan 18 19:32:17 2022 +0100

    ARM: 9180/1: Thumb2: align ALT_UP() sections in modules sufficiently
    
    commit 9f80ccda53b9417236945bc7ece4b519037df74d upstream.
    
    When building for Thumb2, the .alt.smp.init sections that are emitted by
    the ALT_UP() patching code may not be 32-bit aligned, even though the
    fixup_smp_on_up() routine expects that. This results in alignment faults
    at module load time, which need to be fixed up by the fault handler.
    
    So let's align those sections explicitly, and prevent this from occurring.
    
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
    Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit cbab3cac94c69b95543c636bc1895701dfd3a00d
Author: Ard Biesheuvel <ardb@kernel.org>
Date:   Tue Jan 18 13:45:09 2022 +0100

    ARM: 9179/1: uaccess: avoid alignment faults in copy_[from|to]_kernel_nofault
    
    commit 15420269b02a63ed8c1841905d8b8b2403246004 upstream.
    
    The helpers that are used to implement copy_from_kernel_nofault() and
    copy_to_kernel_nofault() cast a void* to a pointer to a wider type,
    which may result in alignment faults on ARM if the compiler decides to
    use double-word or multiple-word load/store instructions.
    
    Only configurations that define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y
    are affected, given that commit 2423de2e6f4d ("ARM: 9115/1: mm/maccess:
    fix unaligned copy_{from,to}_kernel_nofault") ensures that dst and src
    are sufficiently aligned otherwise.
    
    So use the unaligned accessors for accessing dst and src in cases where
    they may be misaligned.
    
    Cc: <stable@vger.kernel.org> # depends on 2423de2e6f4d
    Fixes: 2df4c9a741a0 ("ARM: 9112/1: uaccess: add __{get,put}_kernel_nofault")
    Reviewed-by: Arnd Bergmann <arnd@arndb.de>
    Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
    Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e826ab1857177d1678f299a8d6860ec6f0fdd58f
Author: Mohammad Athari Bin Ismail <mohammad.athari.ismail@intel.com>
Date:   Wed Jan 26 17:47:23 2022 +0800

    net: stmmac: skip only stmmac_ptp_register when resume from suspend
    
    commit 0735e639f129dff455aeb91da291f5c578cc33db upstream.
    
    When resume from suspend, besides skipping PTP registration, it also
    skipping PTP HW initialization. This could cause PTP clock not able to
    operate properly when resume from suspend.
    
    To fix this, only stmmac_ptp_register() is skipped when resume from
    suspend.
    
    Fixes: fe1319291150 ("stmmac: Don't init ptp again when resume from suspend/hibernation")
    Cc: <stable@vger.kernel.org> # 5.15.x
    Signed-off-by: Mohammad Athari Bin Ismail <mohammad.athari.ismail@intel.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9ef5a86d447a87e91295784cf917be6ef390a80b
Author: Mohammad Athari Bin Ismail <mohammad.athari.ismail@intel.com>
Date:   Wed Jan 26 17:47:22 2022 +0800

    net: stmmac: configure PTP clock source prior to PTP initialization
    
    commit 94c82de43e01ef5747a95e4a590880de863fe423 upstream.
    
    For Intel platform, it is required to configure PTP clock source prior PTP
    initialization in MAC. So, need to move ptp_clk_freq_config execution from
    stmmac_ptp_register() to stmmac_init_ptp().
    
    Fixes: 76da35dc99af ("stmmac: intel: Add PSE and PCH PTP clock source selection")
    Cc: <stable@vger.kernel.org> # 5.15.x
    Signed-off-by: Mohammad Athari Bin Ismail <mohammad.athari.ismail@intel.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 30705f1f012ccd2232dade49cabac894d34580da
Author: Marek Behún <kabel@kernel.org>
Date:   Wed Jan 19 17:44:55 2022 +0100

    net: sfp: ignore disabled SFP node
    
    commit 2148927e6ed43a1667baf7c2ae3e0e05a44b51a0 upstream.
    
    Commit ce0aa27ff3f6 ("sfp: add sfp-bus to bridge between network devices
    and sfp cages") added code which finds SFP bus DT node even if the node
    is disabled with status = "disabled". Because of this, when phylink is
    created, it ends with non-null .sfp_bus member, even though the SFP
    module is not probed (because the node is disabled).
    
    We need to ignore disabled SFP bus node.
    
    Fixes: ce0aa27ff3f6 ("sfp: add sfp-bus to bridge between network devices and sfp cages")
    Signed-off-by: Marek Behún <kabel@kernel.org>
    Cc: stable@vger.kernel.org # 2203cbf2c8b5 ("net: sfp: move fwnode parsing into sfp-bus layer")
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5e32b05c38610b5ab7591bd7097001054680fe82
Author: Marc Kleine-Budde <mkl@pengutronix.de>
Date:   Fri Jan 14 15:35:01 2022 +0100

    can: m_can: m_can_fifo_{read,write}: don't read or write from/to FIFO if length is 0
    
    commit db72589c49fd260bfc99c7160c079675bc7417af upstream.
    
    In order to optimize FIFO access, especially on m_can cores attached
    to slow busses like SPI, in patch
    
    | e39381770ec9 ("can: m_can: Disable IRQs on FIFO bus errors")
    
    bulk read/write support has been added to the m_can_fifo_{read,write}
    functions.
    
    That change leads to the tcan driver to call
    regmap_bulk_{read,write}() with a length of 0 (for CAN frames with 0
    data length). regmap treats this as an error:
    
    | tcan4x5x spi1.0 tcan4x5x0: FIFO write returned -22
    
    This patch fixes the problem by not calling the
    cdev->ops->{read,write)_fifo() in case of a 0 length read/write.
    
    Fixes: e39381770ec9 ("can: m_can: Disable IRQs on FIFO bus errors")
    Link: https://lore.kernel.org/all/20220114155751.2651888-1-mkl@pengutronix.de
    Cc: stable@vger.kernel.org
    Cc: Matt Kline <matt@bitbashing.io>
    Cc: Chandrasekar Ramakrishnan <rcsekar@samsung.com>
    Reported-by: Michael Anochin <anochin@photo-meter.com>
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>