Merge tag 'v4.19.215' of https://kernel.googlesource.com/pub/scm/linu…

…x/kernel/git/stable/linux-stable

    commit 00a95330f3b295d4a581c36a5f2949c731386e37
    Merge: 9e5a216016f0 a027d43cf3f2
    Author: warudo <[email protected]>
    Date:   Wed Sep 20 16:00:07 2023 +0800

        Merge tag 'v4.19.215'

        This is the 4.19.215 stable release

    commit a027d43cf3f2fdaabf467b4bcb92d0fe748c2eaf
    Author: Greg Kroah-Hartman <[email protected]>
    Date:   Tue Nov 2 18:26:46 2021 +0100

        Linux 4.19.215

        Link: https://lore.kernel.org/r/[email protected]
        Link: https://lore.kernel.org/r/[email protected]
        Tested-by: Jon Hunter <[email protected]>
        Tested-by: Shuah Khan <[email protected]>
        Tested-by: Guenter Roeck <[email protected]>
        Tested-by: Linux Kernel Functional Testing <[email protected]>
        Tested-by: Hulk Robot <[email protected]>
        Tested-by: Sudip Mukherjee <[email protected]>
        Tested-by: Pavel Machek (CIP) <[email protected]>
        Signed-off-by: Greg Kroah-Hartman <[email protected]>

    commit 1ff3c379248ea579aa122d4ca245028e4bc9af23
    Author: Xin Long <[email protected]>
    Date:   Wed Oct 20 07:42:47 2021 -0400

        sctp: add vtag check in sctp_sf_ootb

        [ Upstream commit 9d02831e517aa36ee6bdb453a0eb47bd49923fe3 ]

        sctp_sf_ootb() is called when processing DATA chunk in closed state,
        and many other places are also using it.

        The vtag in the chunk's sctphdr should be verified, otherwise, as
        later in chunk length check, it may send abort with the existent
        asoc's vtag, which can be exploited by one to cook a malicious
        chunk to terminate a SCTP asoc.

        When fails to verify the vtag from the chunk, this patch sets asoc
        to NULL, so that the abort will be made with the vtag from the
        received chunk later.

        Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
        Signed-off-by: Xin Long <[email protected]>
        Acked-by: Marcelo Ricardo Leitner <[email protected]>
        Signed-off-by: Jakub Kicinski <[email protected]>
        Signed-off-by: Sasha Levin <[email protected]>

    commit d9a4f990aab48dd5c134a9e76c7b651d404b05d3
    Author: Xin Long <[email protected]>
    Date:   Wed Oct 20 07:42:46 2021 -0400

        sctp: add vtag check in sctp_sf_do_8_5_1_E_sa

        [ Upstream commit ef16b1734f0a176277b7bb9c71a6d977a6ef3998 ]

        sctp_sf_do_8_5_1_E_sa() is called when processing SHUTDOWN_ACK chunk
        in cookie_wait and cookie_echoed state.

        The vtag in the chunk's sctphdr should be verified, otherwise, as
        later in chunk length check, it may send abort with the existent
        asoc's vtag, which can be exploited by one to cook a malicious
        chunk to terminate a SCTP asoc.

        Note that when fails to verify the vtag from SHUTDOWN-ACK chunk,
        SHUTDOWN COMPLETE message will still be sent back to peer, but
        with the vtag from SHUTDOWN-ACK chunk, as said in 5) of
        rfc4960#section-8.4.

        While at it, also remove the unnecessary chunk length check from
        sctp_sf_shut_8_4_5(), as it's already done in both places where
        it calls sctp_sf_shut_8_4_5().

        Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
        Signed-off-by: Xin Long <[email protected]>
        Acked-by: Marcelo Ricardo Leitner <[email protected]>
        Signed-off-by: Jakub Kicinski <[email protected]>
        Signed-off-by: Sasha Levin <[email protected]>

    commit 7bf2f6a30d1851c530ad5e4ee7e5c45fb6be0128
    Author: Xin Long <[email protected]>
    Date:   Wed Oct 20 07:42:45 2021 -0400

        sctp: add vtag check in sctp_sf_violation

        [ Upstream commit aa0f697e45286a6b5f0ceca9418acf54b9099d99 ]

        sctp_sf_violation() is called when processing HEARTBEAT_ACK chunk
        in cookie_wait state, and some other places are also using it.

        The vtag in the chunk's sctphdr should be verified, otherwise, as
        later in chunk length check, it may send abort with the existent
        asoc's vtag, which can be exploited by one to cook a malicious
        chunk to terminate a SCTP asoc.

        Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
        Signed-off-by: Xin Long <[email protected]>
        Acked-by: Marcelo Ricardo Leitner <[email protected]>
        Signed-off-by: Jakub Kicinski <[email protected]>
        Signed-off-by: Sasha Levin <[email protected]>

    commit 86044244fc6f9eaec0070cb668e0d500de22dbba
    Author: Xin Long <[email protected]>
    Date:   Wed Oct 20 07:42:44 2021 -0400

        sctp: fix the processing for COOKIE_ECHO chunk

        [ Upstream commit a64b341b8695e1c744dd972b39868371b4f68f83 ]

        1. In closed state: in sctp_sf_do_5_1D_ce():

          When asoc is NULL, making packet for abort will use chunk's vtag
          in sctp_ootb_pkt_new(). But when asoc exists, vtag from the chunk
          should be verified before using peer.i.init_tag to make packet
          for abort in sctp_ootb_pkt_new(), and just discard it if vtag is
          not correct.

        2. In the other states: in sctp_sf_do_5_2_4_dupcook():

          asoc always exists, but duplicate cookie_echo's vtag will be
          handled by sctp_tietags_compare() and then take actions, so before
          that we only verify the vtag for the abort sent for invalid chunk
          length.

        Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
        Signed-off-by: Xin Long <[email protected]>
        Acked-by: Marcelo Ricardo Leitner <[email protected]>
        Signed-off-by: Jakub Kicinski <[email protected]>
        Signed-off-by: Sasha Levin <[email protected]>

    commit 1f52dfacca7bb315d89f5ece5660b0337809798e
    Author: Xin Long <[email protected]>
    Date:   Wed Oct 20 07:42:41 2021 -0400

        sctp: use init_tag from inithdr for ABORT chunk

        [ Upstream commit 4f7019c7eb33967eb87766e0e4602b5576873680 ]

        Currently Linux SCTP uses the verification tag of the existing SCTP
        asoc when failing to process and sending the packet with the ABORT
        chunk. This will result in the peer accepting the ABORT chunk and
        removing the SCTP asoc. One could exploit this to terminate a SCTP
        asoc.

        This patch is to fix it by always using the initiate tag of the
        received INIT chunk for the ABORT chunk to be sent.

        Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
        Signed-off-by: Xin Long <[email protected]>
        Acked-by: Marcelo Ricardo Leitner <[email protected]>
        Signed-off-by: Jakub Kicinski <[email protected]>
        Signed-off-by: Sasha Levin <[email protected]>

    commit b75fa48e42d022d6757b7de29178d531df8cf43b
    Author: Trevor Woerner <[email protected]>
    Date:   Sun Oct 24 13:50:02 2021 -0400

        net: nxp: lpc_eth.c: avoid hang when bringing interface down

        commit ace19b992436a257d9a793672e57abc28fe83e2e upstream.

        A hard hang is observed whenever the ethernet interface is brought
        down. If the PHY is stopped before the LPC core block is reset,
        the SoC will hang. Comparing lpc_eth_close() and lpc_eth_open() I
        re-arranged the ordering of the functions calls in lpc_eth_close() to
        reset the hardware before stopping the PHY.
        Fixes: b7370112f519 ("lpc32xx: Added ethernet driver")
        Signed-off-by: Trevor Woerner <[email protected]>
        Acked-by: Vladimir Zapolskiy <[email protected]>
        Signed-off-by: David S. Miller <[email protected]>
        Signed-off-by: Greg Kroah-Hartman <[email protected]>

    commit 84a9eb9a2f179ea5e6398fe270560a8aaa16f996
    Author: Yuiko Oshino <[email protected]>
    Date:   Fri Oct 22 11:53:43 2021 -0400

        net: ethernet: microchip: lan743x: Fix dma allocation failure by using dma_set_mask_and_coherent

        commit 95a359c9553342d36d408d35331ff0bfce75272f upstream.

        The dma failure was reported in the raspberry pi github (issue #4117).
        https://github.com/raspberrypi/linux/issues/4117
        The use of dma_set_mask_and_coherent fixes the issue.
        Tested on 32/64-bit raspberry pi CM4 and 64-bit ubuntu x86 PC with EVB-LAN7430.

        Fixes: 23f0703c125b ("lan743x: Add main source files for new lan743x driver")
        Signed-off-by: Yuiko Oshino <[email protected]>
        Signed-off-by: David S. Miller <[email protected]>
        Signed-off-by: Greg Kroah-Hartman <[email protected]>

    commit fcda74cc95aa450a6d17780ccb1a8853cac7d0cd
    Author: Yuiko Oshino <[email protected]>
    Date:   Fri Oct 22 11:13:53 2021 -0400

        net: ethernet: microchip: lan743x: Fix driver crash when lan743x_pm_resume fails

        commit d6423d2ec39cce2bfca418c81ef51792891576bc upstream.

        The driver needs to clean up and return when the initialization fails on resume.

        Fixes: 23f0703c125b ("lan743x: Add main source files for new lan743x driver")
        Signed-off-by: Yuiko Oshino <[email protected]>
        Signed-off-by: David S. Miller <[email protected]>
        Signed-off-by: Greg Kroah-Hartman <[email protected]>

    commit 25d852a8adf017a478246d19c8b282e975521e8a
    Author: Guenter Roeck <[email protected]>
    Date:   Wed Oct 20 12:11:16 2021 -0700

        nios2: Make NIOS2_DTB_SOURCE_BOOL depend on !COMPILE_TEST

        commit 4a089e95b4d6bb625044d47aed0c442a8f7bd093 upstream.

        nios2:allmodconfig builds fail with

        make[1]: *** No rule to make target 'arch/nios2/boot/dts/""',
        	needed by 'arch/nios2/boot/dts/built-in.a'.  Stop.
        make: [Makefile:1868: arch/nios2/boot/dts] Error 2 (ignored)

        This is seen with compile tests since those enable NIOS2_DTB_SOURCE_BOOL,
        which in turn enables NIOS2_DTB_SOURCE. This causes the build error
        because the default value for NIOS2_DTB_SOURCE is an empty string.
        Disable NIOS2_DTB_SOURCE_BOOL for compile tests to avoid the error.

        Fixes: 2fc8483fdcde ("nios2: Build infrastructure")
        Signed-off-by: Guenter Roeck <[email protected]>
        Reviewed-by: Randy Dunlap <[email protected]>
        Signed-off-by: Dinh Nguyen <[email protected]>
        Signed-off-by: Greg Kroah-Hartman <[email protected]>

    commit 02302cbd52264337630a32848ac03648648e9685
    Author: Michael Chan <[email protected]>
    Date:   Mon Oct 25 05:05:28 2021 -0400

        net: Prevent infinite while loop in skb_tx_hash()

        commit 0c57eeecc559ca6bc18b8c4e2808bc78dbe769b0 upstream.

        Drivers call netdev_set_num_tc() and then netdev_set_tc_queue()
        to set the queue count and offset for each TC.  So the queue count
        and offset for the TCs may be zero for a short period after dev->num_tc
        has been set.  If a TX packet is being transmitted at this time in the
        code path netdev_pick_tx() -> skb_tx_hash(), skb_tx_hash() may see
        nonzero dev->num_tc but zero qcount for the TC.  The while loop that
        keeps looping while hash >= qcount will not end.

        Fix it by checking the TC's qcount to be nonzero before using it.

        Fixes: eadec877ce9c ("net: Add support for subordinate traffic classes to netdev_pick_tx")
        Reviewed-by: Andy Gospodarek <[email protected]>
        Signed-off-by: Michael Chan <[email protected]>
        Signed-off-by: David S. Miller <[email protected]>
        Signed-off-by: Greg Kroah-Hartman <[email protected]>

    commit fbf150b16a3635634b7dfb7f229d8fcd643c6c51
    Author: Pavel Skripkin <[email protected]>
    Date:   Sun Oct 24 16:13:56 2021 +0300

        net: batman-adv: fix error handling

        commit 6f68cd634856f8ca93bafd623ba5357e0f648c68 upstream.

        Syzbot reported ODEBUG warning in batadv_nc_mesh_free(). The problem was
        in wrong error handling in batadv_mesh_init().

        Before this patch batadv_mesh_init() was calling batadv_mesh_free() in case
        of any batadv_*_init() calls failure. This approach may work well, when
        there is some kind of indicator, which can tell which parts of batadv are
        initialized; but there isn't any.

        All written above lead to cleaning up uninitialized fields. Even if we hide
        ODEBUG warning by initializing bat_priv->nc.work, syzbot was able to hit
        GPF in batadv_nc_purge_paths(), because hash pointer in still NULL. [1]

        To fix these bugs we can unwind batadv_*_init() calls one by one.
        It is good approach for 2 reasons: 1) It fixes bugs on error handling
        path 2) It improves the performance, since we won't call unneeded
        batadv_*_free() functions.

        So, this patch makes all batadv_*_init() clean up all allocated memory
        before returning with an error to no call correspoing batadv_*_free()
        and open-codes batadv_mesh_free() with proper order to avoid touching
        uninitialized fields.

        Link: https://lore.kernel.org/netdev/[email protected]/ [1]
        Reported-and-tested-by: [email protected]
        Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol")
        Signed-off-by: Pavel Skripkin <[email protected]>
        Acked-by: Sven Eckelmann <[email protected]>
        Signed-off-by: David S. Miller <[email protected]>
        Signed-off-by: Greg Kroah-Hartman <[email protected]>

    commit 3dae1a4eced3ee733d7222e69b8a55caf2d61091
    Author: Yang Yingliang <[email protected]>
    Date:   Tue Oct 12 10:37:35 2021 +0800

        regmap: Fix possible double-free in regcache_rbtree_exit()

        commit 55e6d8037805b3400096d621091dfbf713f97e83 upstream.

        In regcache_rbtree_insert_to_block(), when 'present' realloc failed,
        the 'blk' which is supposed to assign to 'rbnode->block' will be freed,
        so 'rbnode->block' points a freed memory, in the error handling path of
        regcache_rbtree_init(), 'rbnode->block' will be freed again in
        regcache_rbtree_exit(), KASAN will report double-free as follows:

        BUG: KASAN: double-free or invalid-free in kfree+0xce/0x390
        Call Trace:
         slab_free_freelist_hook+0x10d/0x240
         kfree+0xce/0x390
         regcache_rbtree_exit+0x15d/0x1a0
         regcache_rbtree_init+0x224/0x2c0
         regcache_init+0x88d/0x1310
         __regmap_init+0x3151/0x4a80
         __devm_regmap_init+0x7d/0x100
         madera_spi_probe+0x10f/0x333 [madera_spi]
         spi_probe+0x183/0x210
         really_probe+0x285/0xc30

        To fix this, moving up the assignment of rbnode->block to immediately after
        the reallocation has succeeded so that the data structure stays valid even
        if the second reallocation fails.

        Reported-by: Hulk Robot <[email protected]>
        Fixes: 3f4ff561bc88b ("regmap: rbtree: Make cache_present bitmap per node")
        Signed-off-by: Yang Yingliang <[email protected]>
        Link: https://lore.kernel.org/r/[email protected]
        Signed-off-by: Mark Brown <[email protected]>
        Signed-off-by: Greg Kroah-Hartman <[email protected]>

    commit cdaf7a469244b5e65ae5eda062ff5ea90172de62
    Author: Clément Bœsch <[email protected]>
    Date:   Sun Sep 5 02:20:27 2021 +0200

        arm64: dts: allwinner: h5: NanoPI Neo 2: Fix ethernet node

        commit 0764e365dacd0b8f75c1736f9236be280649bd18 upstream.

        RX and TX delay are provided by ethernet PHY. Reflect that in ethernet
        node.

        Fixes: 44a94c7ef989 ("arm64: dts: allwinner: H5: Restore EMAC changes")
        Signed-off-by: Clément Bœsch <[email protected]>
        Reviewed-by: Jernej Skrabec <[email protected]>
        Reviewed-by: Andrew Lunn <[email protected]>
        Signed-off-by: Maxime Ripard <[email protected]>
        Link: https://lore.kernel.org/r/[email protected]
        Signed-off-by: Greg Kroah-Hartman <[email protected]>

    commit 2864b6d54244b82a8c7d4628a43055c57bfba80c
    Author: Patrisious Haddad <[email protected]>
    Date:   Wed Oct 6 12:31:53 2021 +0300

        RDMA/mlx5: Set user priority for DCT

        commit 1ab52ac1e9bc9391f592c9fa8340a6e3e9c36286 upstream.

        Currently, the driver doesn't set the PCP-based priority for DCT, hence
        DCT response packets are transmitted without user priority.

        Fix it by setting user provided priority in the eth_prio field in the DCT
        context, which in turn sets the value in the transmitted packet.

        Fixes: 776a3906b692 ("IB/mlx5: Add support for DC target QP")
        Link: https://lore.kernel.org/r/5fd2d94a13f5742d8803c218927322257d53205c.1633512672.git.leonro@nvidia.com
        Signed-off-by: Patrisious Haddad <[email protected]>
        Reviewed-by: Maor Gottlieb <[email protected]>
        Signed-off-by: Leon Romanovsky <[email protected]>
        Signed-off-by: Jason Gunthorpe <[email protected]>
        Signed-off-by: Greg Kroah-Hartman <[email protected]>

    commit 326da4f6ffdbd8671e86f69ded7a714dcc12fecf
    Author: Johan Hovold <[email protected]>
    Date:   Tue Oct 26 12:36:17 2021 +0200

        net: lan78xx: fix division by zero in send path

        commit db6c3c064f5d55fa9969f33eafca3cdbefbb3541 upstream.

        Add the missing endpoint max-packet sanity check to probe() to avoid
        division by zero in lan78xx_tx_bh() in case a malicious device has
        broken descriptors (or when doing descriptor fuzz testing).

        Note that USB core will reject URBs submitted for endpoints with zero
        wMaxPacketSize but that drivers doing packet-size calculations still
        need to handle this (cf. commit 2548288b4fb0 ("USB: Fix: Don't skip
        endpoint descriptors with maxpacket=0")).

        Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
        Cc: [email protected]      # 4.3
        Cc: [email protected] <[email protected]>
        Signed-off-by: Johan Hovold <[email protected]>
        Signed-off-by: David S. Miller <[email protected]>
        Signed-off-by: Greg Kroah-Hartman <[email protected]>

    commit 2ff5289793fd61c56ac8774408f27350e5da865f
    Author: Haibo Chen <[email protected]>
    Date:   Fri Oct 15 10:00:36 2021 +0800

        mmc: sdhci-esdhc-imx: clear the buffer_read_ready to reset standard tuning circuit

        commit 9af372dc70e9fdcbb70939dac75365e7b88580b4 upstream.

        To reset standard tuning circuit completely, after clear ESDHC_MIX_CTRL_EXE_TUNE,
        also need to clear bit buffer_read_ready, this operation will finally clear the
        USDHC IP internal logic flag execute_tuning_with_clr_buf, make sure the following
        normal data transfer will not be impacted by standard tuning logic used before.

        Find this issue when do quick SD card insert/remove stress test. During standard
        tuning prodedure, if remove SD card, USDHC standard tuning logic can't clear the
        internal flag execute_tuning_with_clr_buf. Next time when insert SD card, all
        data related commands can't get any data related interrupts, include data transfer
        complete interrupt, data timeout interrupt, data CRC interrupt, data end bit interrupt.
        Always trigger software timeout issue. Even reset the USDHC through bits in register
        SYS_CTRL (0x2C, bit28 reset tuning, bit26 reset data, bit 25 reset command, bit 24
        reset all) can't recover this. From the user's point of view, USDHC stuck, SD can't
        be recognized any more.

        Fixes: d9370424c948 ("mmc: sdhci-esdhc-imx: reset tuning circuit when power on mmc card")
        Signed-off-by: Haibo Chen <[email protected]>
        Acked-by: Adrian Hunter <[email protected]>
        Cc: [email protected]
        Link: https://lore.kernel.org/r/[email protected]
        Signed-off-by: Ulf Hansson <[email protected]>
        Signed-off-by: Greg Kroah-Hartman <[email protected]>

    commit 7824414c2903e2cfe56ea610387a22c0c88fb468
    Author: Shawn Guo <[email protected]>
    Date:   Mon Oct 4 10:49:35 2021 +0800

        mmc: sdhci: Map more voltage level to SDHCI_POWER_330

        commit 4217d07b9fb328751f877d3bd9550122014860a2 upstream.

        On Thundercomm TurboX CM2290, the eMMC OCR reports vdd = 23 (3.5 ~ 3.6 V),
        which is being treated as an invalid value by sdhci_set_power_noreg().
        And thus eMMC is totally broken on the platform.

        [    1.436599] ------------[ cut here ]------------
        [    1.436606] mmc0: Invalid vdd 0x17
        [    1.436640] WARNING: CPU: 2 PID: 69 at drivers/mmc/host/sdhci.c:2048 sdhci_set_power_noreg+0x168/0x2b4
        [    1.436655] Modules linked in:
        [    1.436662] CPU: 2 PID: 69 Comm: kworker/u8:1 Tainted: G        W         5.15.0-rc1+ #137
        [    1.436669] Hardware name: Thundercomm TurboX CM2290 (DT)
        [    1.436674] Workqueue: events_unbound async_run_entry_fn
        [    1.436685] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
        [    1.436692] pc : sdhci_set_power_noreg+0x168/0x2b4
        [    1.436698] lr : sdhci_set_power_noreg+0x168/0x2b4
        [    1.436703] sp : ffff800010803a60
        [    1.436705] x29: ffff800010803a60 x28: ffff6a9102465f00 x27: ffff6a9101720a70
        [    1.436715] x26: ffff6a91014de1c0 x25: ffff6a91014de010 x24: ffff6a91016af280
        [    1.436724] x23: ffffaf7b1b276640 x22: 0000000000000000 x21: ffff6a9101720000
        [    1.436733] x20: ffff6a9101720370 x19: ffff6a9101720580 x18: 0000000000000020
        [    1.436743] x17: 0000000000000000 x16: 0000000000000004 x15: ffffffffffffffff
        [    1.436751] x14: 0000000000000000 x13: 00000000fffffffd x12: ffffaf7b1b84b0bc
        [    1.436760] x11: ffffaf7b1b720d10 x10: 000000000000000a x9 : ffff800010803a60
        [    1.436769] x8 : 000000000000000a x7 : 000000000000000f x6 : 00000000fffff159
        [    1.436778] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 00000000ffffffff
        [    1.436787] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff6a9101718d80
        [    1.436797] Call trace:
        [    1.436800]  sdhci_set_power_noreg+0x168/0x2b4
        [    1.436805]  sdhci_set_ios+0xa0/0x7fc
        [    1.436811]  mmc_power_up.part.0+0xc4/0x164
        [    1.436818]  mmc_start_host+0xa0/0xb0
        [    1.436824]  mmc_add_host+0x60/0x90
        [    1.436830]  __sdhci_add_host+0x174/0x330
        [    1.436836]  sdhci_msm_probe+0x7c0/0x920
        [    1.436842]  platform_probe+0x68/0xe0
        [    1.436850]  really_probe.part.0+0x9c/0x31c
        [    1.436857]  __driver_probe_device+0x98/0x144
        [    1.436863]  driver_probe_device+0xc8/0x15c
        [    1.436869]  __device_attach_driver+0xb4/0x120
        [    1.436875]  bus_for_each_drv+0x78/0xd0
        [    1.436881]  __device_attach_async_helper+0xac/0xd0
        [    1.436888]  async_run_entry_fn+0x34/0x110
        [    1.436895]  process_one_work+0x1d0/0x354
        [    1.436903]  worker_thread+0x13c/0x470
        [    1.436910]  kthread+0x150/0x160
        [    1.436915]  ret_from_fork+0x10/0x20
        [    1.436923] ---[ end trace fcfac44cb045c3a8 ]---

        Fix the issue by mapping MMC_VDD_35_36 (and MMC_VDD_34_35) to
        SDHCI_POWER_330 as well.

        Signed-off-by: Shawn Guo <[email protected]>
        Acked-by: Adrian Hunter <[email protected]>
        Cc: [email protected]
        Link: https://lore.kernel.org/r/[email protected]
        Signed-off-by: Ulf Hansson <[email protected]>
        Signed-off-by: Greg Kroah-Hartman <[email protected]>

    commit 29d56f3790e684e630d56f500b59e834fa382209
    Author: Jaehoon Chung <[email protected]>
    Date:   Fri Oct 22 17:21:06 2021 +0900

        mmc: dw_mmc: exynos: fix the finding clock sample value

        commit 697542bceae51f7620af333b065dd09d213629fb upstream.

        Even though there are candiates value if can't find best value, it's
        returned -EIO. It's not proper behavior.
        If there is not best value, use a first candiate value to work eMMC.

        Signed-off-by: Jaehoon Chung <[email protected]>
        Tested-by: Marek Szyprowski <[email protected]>
        Tested-by: Christian Hewitt <[email protected]>
        Cc: [email protected]
        Fixes: c537a1c5ff63 ("mmc: dw_mmc: exynos: add variable delay tuning sequence")
        Link: https://lore.kernel.org/r/[email protected]
        Signed-off-by: Ulf Hansson <[email protected]>
        Signed-off-by: Greg Kroah-Hartman <[email protected]>

    commit 24f8658690477e8983f88cbfe21fb7f4062ad837
    Author: Wenbin Mei <[email protected]>
    Date:   Tue Oct 26 15:08:12 2021 +0800

        mmc: cqhci: clear HALT state after CQE enable

        commit 92b18252b91de567cd875f2e84722b10ab34ee28 upstream.

        While mmc0 enter suspend state, we need halt CQE to send legacy cmd(flush
        cache) and disable cqe, for resume back, we enable CQE and not clear HALT
        state.
        In this case MediaTek mmc host controller will keep the value for HALT
        state after CQE disable/enable flow, so the next CQE transfer after resume
        will be timeout due to CQE is in HALT state, the log as below:
        <4>.(4)[318:kworker/4:1H]mmc0: cqhci: timeout for tag 2
        <4>.(4)[318:kworker/4:1H]mmc0: cqhci: ============ CQHCI REGISTER DUMP ===========
        <4>.(4)[318:kworker/4:1H]mmc0: cqhci: Caps:      0x100020b6 | Version:  0x00000510
        <4>.(4)[318:kworker/4:1H]mmc0: cqhci: Config:    0x00001103 | Control:  0x00000001
        <4>.(4)[318:kworker/4:1H]mmc0: cqhci: Int stat:  0x00000000 | Int enab: 0x00000006
        <4>.(4)[318:kworker/4:1H]mmc0: cqhci: Int sig:   0x00000006 | Int Coal: 0x00000000
        <4>.(4)[318:kworker/4:1H]mmc0: cqhci: TDL base:  0xfd05f000 | TDL up32: 0x00000000
        <4>.(4)[318:kworker/4:1H]mmc0: cqhci: Doorbell:  0x8000203c | TCN:      0x00000000
        <4>.(4)[318:kworker/4:1H]mmc0: cqhci: Dev queue: 0x00000000 | Dev Pend: 0x00000000
        <4>.(4)[318:kworker/4:1H]mmc0: cqhci: Task clr:  0x00000000 | SSC1:     0x00001000
        <4>.(4)[318:kworker/4:1H]mmc0: cqhci: SSC2:      0x00000001 | DCMD rsp: 0x00000000
        <4>.(4)[318:kworker/4:1H]mmc0: cqhci: RED mask:  0xfdf9a080 | TERRI:    0x00000000
        <4>.(4)[318:kworker/4:1H]mmc0: cqhci: Resp idx:  0x00000000 | Resp arg: 0x00000000
        <4>.(4)[318:kworker/4:1H]mmc0: cqhci: CRNQP:     0x00000000 | CRNQDUN:  0x00000000
        <4>.(4)[318:kworker/4:1H]mmc0: cqhci: CRNQIS:    0x00000000 | CRNQIE:   0x00000000

        This change check HALT state after CQE enable, if CQE is in HALT state, we
        will clear it.

        Signed-off-by: Wenbin Mei <[email protected]>
        Cc: [email protected]
        Acked-by: Adrian Hunter <[email protected]>
        Fixes: a4080225f51d ("mmc: cqhci: support for command queue enabled host")
        Link: https://lore.kernel.org/r/[email protected]
        Signed-off-by: Ulf Hansson <[email protected]>
        Signed-off-by: Greg Kroah-Hartman <[email protected]>

    commit 99641238575c26c2e47fa593f562dae476709d68
    Author: Johan Hovold <[email protected]>
    Date:   Mon Oct 25 13:56:08 2021 +0200

        mmc: vub300: fix control-message timeouts

        commit 8c8171929116cc23f74743d99251eedadf62341a upstream.

        USB control-message timeouts are specified in milliseconds and should
        specifically not vary with CONFIG_HZ.

        Fixes: 88095e7b473a ("mmc: Add new VUB300 USB-to-SD/SDIO/MMC driver")
        Cc: [email protected]      # 3.0
        Signed-off-by: Johan Hovold <[email protected]>
        Link: https://lore.kernel.org/r/[email protected]
        Signed-off-by: Ulf Hansson <[email protected]>
        Signed-off-by: Greg Kroah-Hartman <[email protected]>

    commit c6d0d68d6da68159948cad3d808d61bb291a0283
    Author: Eric Dumazet <[email protected]>
    Date:   Sun Aug 29 15:16:14 2021 -0700

        ipv6: make exception cache less predictible

        commit a00df2caffed3883c341d5685f830434312e4a43 upstream.

        Even after commit 4785305c05b2 ("ipv6: use siphash in rt6_exception_hash()"),
        an attacker can still use brute force to learn some secrets from a victim
        linux host.

        One way to defeat these attacks is to make the max depth of the hash
        table bucket a random value.

        Before this patch, each bucket of the hash table used to store exceptions
        could contain 6 items under attack.

        After the patch, each bucket would contains a random number of items,
        between 6 and 10. The attacker can no longer infer secrets.

        This is slightly increasing memory size used by the hash table,
        we do not expect this to be a problem.

        Following patch is dealing with the same issue in IPv4.

        Fixes: 35732d01fe31 ("ipv6: introduce a hash table to store dst cache")
        Signed-off-by: Eric Dumazet <[email protected]>
        Reported-by: Keyu Man <[email protected]>
        Cc: Wei Wang <[email protected]>
        Cc: Martin KaFai Lau <[email protected]>
        Reviewed-by: David Ahern <[email protected]>
        Signed-off-by: David S. Miller <[email protected]>
        [OP: adjusted context for 4.19 stable]
        Signed-off-by: Ovidiu Panait <[email protected]>
        Signed-off-by: Greg Kroah-Hartman <[email protected]>

    commit ad829847ad59af8e26a1f1c345716099abbc7a58
    Author: Eric Dumazet <[email protected]>
    Date:   Fri Oct 29 10:50:26 2021 +0300

        ipv6: use siphash in rt6_exception_hash()

        commit 4785305c05b25a242e5314cc821f54ade4c18810 upstream.

        A group of security researchers brought to our attention
        the weakness of hash function used in rt6_exception_hash()

        Lets use siphash instead of Jenkins Hash, to considerably
        reduce security risks.

        Following patch deals with IPv4.

        Fixes: 35732d01fe31 ("ipv6: introduce a hash table to store dst cache")
        Signed-off-by: Eric Dumazet <[email protected]>
        Reported-by: Keyu Man <[email protected]>
        Cc: Wei Wang <[email protected]>
        Cc: Martin KaFai Lau <[email protected]>
        Acked-by: Wei Wang <[email protected]>
        Signed-off-by: David S. Miller <[email protected]>
        [OP: adjusted context for 4.19 stable]
        Signed-off-by: Ovidiu Panait <[email protected]>
        Signed-off-by: Greg Kroah-Hartman <[email protected]>

    commit 6e2856767eb1a9cfcfcd82136928037f04920e97
    Author: Eric Dumazet <[email protected]>
    Date:   Fri Oct 29 10:50:25 2021 +0300

        ipv4: use siphash instead of Jenkins in fnhe_hashfun()

        commit 6457378fe796815c973f631a1904e147d6ee33b1 upstream.

        A group of security researchers brought to our attention
        the weakness of hash function used in fnhe_hashfun().

        Lets use siphash instead of Jenkins Hash, to considerably
        reduce security risks.

        Also remove the inline keyword, this really is distracting.

        Fixes: d546c621542d ("ipv4: harden fnhe_hashfun()")
        Signed-off-by: Eric Dumazet <[email protected]>
        Reported-by: Keyu Man <[email protected]>
        Cc: Willy Tarreau <[email protected]>
        Signed-off-by: David S. Miller <[email protected]>
        [OP: adjusted context for 4.19 stable]
        Signed-off-by: Ovidiu Panait <[email protected]>
        Signed-off-by: Greg Kroah-Hartman <[email protected]>

    commit 8121d0d4fd108280f5cd7b7fe8c6592adaa37be9
    Author: Pavel Skripkin <[email protected]>
    Date:   Thu Sep 30 20:49:42 2021 +0300

        Revert "net: mdiobus: Fix memory leak in __mdiobus_register"

        commit 10eff1f5788b6ffac212c254e2f3666219576889 upstream.

        This reverts commit ab609f25d19858513919369ff3d9a63c02cd9e2e.

        This patch is correct in the sense that we _should_ call device_put() in
        case of device_register() failure, but the problem in this code is more
        vast.

        We need to set bus->state to UNMDIOBUS_REGISTERED before calling
        device_register() to correctly release the device in mdiobus_free().
        This patch prevents us from doing it, since in case of device_register()
        failure put_device() will be called 2 times and it will cause UAF or
        something else.

        Also, Reported-by: tag in revered commit was wrong, since syzbot
        reported different leak in same function.

        Link: https://lore.kernel.org/netdev/20210928092657.GI2048@kadam/
        Acked-by: Yanfei Xu <[email protected]>
        Signed-off-by: Pavel Skripkin <[email protected]>
        Link: https://lore.kernel.org/r/f12fb1faa4eccf0f355788225335eb4309ff2599.1633024062.git.paskripkin@gmail.com
        Signed-off-by: Jakub Kicinski <[email protected]>
        Signed-off-by: Greg Kroah-Hartman <[email protected]>

    commit 4a9043ba1b0e9bea1da0fe34366222974f2c0f92
    Author: Krzysztof Kozlowski <[email protected]>
    Date:   Mon Oct 25 16:49:36 2021 +0200

        nfc: port100: fix using -ERRNO as command type mask

        commit 2195f2062e4cc93870da8e71c318ef98a1c51cef upstream.

        During probing, the driver tries to get a list (mask) of supported
        command types in port100_get_command_type_mask() function.  The value
        is u64 and 0 is treated as invalid mask (no commands supported).  The
        function however returns also -ERRNO as u64 which will be interpret as
        valid command mask.

        Return 0 on every error case of port100_get_command_type_mask(), so the
        probing will stop.

        Cc: <[email protected]>
        Fixes: 0347a6ab300a ("NFC: port100: Commands mechanism implementation")
        Signed-off-by: Krzysztof Kozlowski <[email protected]>
        Signed-off-by: David S. Miller <[email protected]>
        Signed-off-by: Greg Kroah-Hartman <[email protected]>

    commit a36119f9b3fb069437383a8eff4e65181b6e7e2f
    Author: Zheyu Ma <[email protected]>
    Date:   Fri Oct 22 09:12:26 2021 +0000

        ata: sata_mv: Fix the error handling of mv_chip_id()

        commit a0023bb9dd9bc439d44604eeec62426a990054cd upstream.

        mv_init_host() propagates the value returned by mv_chip_id() which in turn
        gets propagated by mv_pci_init_one() and hits local_pci_probe().

        During the process of driver probing, the probe function should return < 0
        for failure, otherwise, the kernel will treat value > 0 as success.

        Since this is a bug rather than a recoverable runtime error we should
        use dev_alert() instead of dev_err().

        Signed-off-by: Zheyu Ma <[email protected]>
        Signed-off-by: Damien Le Moal <[email protected]>
        Signed-off-by: Greg Kroah-Hartman <[email protected]>

    commit 78c2dc1cdf0bdfc83e473d78f23da4d2aeb98142
    Author: Wang Hai <[email protected]>
    Date:   Tue Oct 26 20:40:15 2021 +0800

        usbnet: fix error return code in usbnet_probe()

        commit 6f7c88691191e6c52ef2543d6f1da8d360b27a24 upstream.

        Return error code if usb_maxpacket() returns 0 in usbnet_probe()

        Fixes: 397430b50a36 ("usbnet: sanity check for maxpacket")
        Reported-by: Hulk Robot <[email protected]>
        Signed-off-by: Wang Hai <[email protected]>
        Reviewed-by: Johan Hovold <[email protected]>
        Link: https://lore.kernel.org/r/[email protected]
        Signed-off-by: Jakub Kicinski <[email protected]>
        Signed-off-by: Greg Kroah-Hartman <[email protected]>

    commit 002d82227c0abe29118cf80f7e2f396b22d448ed
    Author: Oliver Neukum <[email protected]>
    Date:   Thu Oct 21 14:29:44 2021 +0200

        usbnet: sanity check for maxpacket

        commit 397430b50a363d8b7bdda00522123f82df6adc5e upstream.

        maxpacket of 0 makes no sense and oopses as we need to divide
        by it. Give up.

        V2: fixed typo in log and stylistic issues

        Signed-off-by: Oliver Neukum <[email protected]>
        Reported-by: [email protected]
        Reviewed-by: Johan Hovold <[email protected]>
        Link: https://lore.kernel.org/r/[email protected]
        Signed-off-by: Jakub Kicinski <[email protected]>
        Signed-off-by: Greg Kroah-Hartman <[email protected]>

    commit d725978abb0bac6e0c427548dfd6db86709a2a1e
    Author: Nathan Chancellor <[email protected]>
    Date:   Sat Jan 5 19:35:25 2019 +0100

        ARM: 8819/1: Remove '-p' from LDFLAGS

        commit 091bb549f7722723b284f63ac665e2aedcf9dec9 upstream.

        This option is not supported by lld:

            ld.lld: error: unknown argument: -p

        This has been a no-op in binutils since 2004 (see commit dea514f51da1 in
        that tree). Given that the lowest officially supported of binutils for
        the kernel is 2.20, which was released in 2009, nobody needs this flag
        around so just remove it. Commit 1a381d4a0a9a ("arm64: remove no-op -p
        linker flag") did the same for arm64.

        Signed-off-by: Nathan Chancellor <[email protected]>
        Acked-by: Ard Biesheuvel <[email protected]>
        Acked-by: Nicolas Pitre <[email protected]>
        Reviewed-by: Nick Desaulniers <[email protected]>
        Reviewed-by: Stefan Agner <[email protected]>
        Signed-off-by: Russell King <[email protected]>
        Signed-off-by: Greg Kroah-Hartman <[email protected]>

    commit aaf4e1b05cab800b36b40c1aa09f7c13ef30de56
    Author: Robin Murphy <[email protected]>
    Date:   Mon Jul 12 15:27:46 2021 +0100

        arm64: Avoid premature usercopy failure

        commit 295cf156231ca3f9e3a66bde7fab5e09c41835e0 upstream.

        Al reminds us that the usercopy API must only return complete failure
        if absolutely nothing could be copied. Currently, if userspace does
        something silly like giving us an unaligned pointer to Device memory,
        or a size which overruns MTE tag bounds, we may fail to honour that
        requirement when faulting on a multi-byte access even though a smaller
        access could have succeeded.

        Add a mitigation to the fixup routines to fall back to a single-byte
        copy if we faulted on a larger access before anything has been written
        to the destination, to guarantee making *some* forward progress. We
        needn't be too concerned about the overall performance since this should
        only occur when callers are doing something a bit dodgy in the first
        place. Particularly broken userspace might still be able to trick
        generic_perform_write() into an infinite loop by targeting write() at
        an mmap() of some read-only device register where the fault-in load
        succeeds but any store synchronously aborts such that copy_to_user() is
        genuinely unable to make progress, but, well, don't do that...

        CC: [email protected]
        Reported-by: Chen Huang <[email protected]>
        Suggested-by: Al Viro <[email protected]>
        Reviewed-by: Catalin Marinas <[email protected]>
        Signed-off-by: Robin Murphy <[email protected]>
        Link: https://lore.kernel.org/r/dc03d5c675731a1f24a62417dba5429ad744234e.1626098433.git.robin.murphy@arm.com
        Signed-off-by: Will Deacon <[email protected]>
        Signed-off-by: Greg Kroah-Hartman <[email protected]>
        Signed-off-by: Chen Huang <[email protected]>

    commit 5909b851b5e11d04f299e5f0a8937e9dcc807248
    Author: Naveen N. Rao <[email protected]>
    Date:   Wed Oct 6 01:55:22 2021 +0530

        powerpc/bpf: Fix BPF_MOD when imm == 1

        commit 8bbc9d822421d9ac8ff9ed26a3713c9afc69d6c8 upstream.

        Only ignore the operation if dividing by 1.

        Fixes: 156d0e290e969c ("powerpc/ebpf/jit: Implement JIT compiler for extended BPF")
        Signed-off-by: Naveen N. Rao <[email protected]>
        Tested-by: Johan Almbladh <[email protected]>
        Reviewed-by: Christophe Leroy <[email protected]>
        Acked-by: Song Liu <[email protected]>
        Acked-by: Johan Almbladh <[email protected]>
        Signed-off-by: Michael Ellerman <[email protected]>
        Link: https://lore.kernel.org/r/c674ca18c3046885602caebb326213731c675d06.1633464148.git.naveen.n.rao@linux.vnet.ibm.com
        [cascardo: use PPC_LI instead of EMIT(PPC_RAW_LI)]
        Signed-off-by: Thadeu Lima de Souza Cascardo <[email protected]>
        Signed-off-by: Greg Kroah-Hartman <[email protected]>

    commit 901741a53d7cf45be861e881c0e3cba5b4bd1f94
    Author: Arnd Bergmann <[email protected]>
    Date:   Mon Oct 18 15:30:37 2021 +0100

        ARM: 9141/1: only warn about XIP address when not compile testing

        commit 48ccc8edf5b90622cdc4f8878e0042ab5883e2ca upstream.

        In randconfig builds, we sometimes come across this warning:

        arm-linux-gnueabi-ld: XIP start address may cause MPU programming issues

        While this is helpful for actual systems to figure out why it
        fails, the warning does not provide any benefit for build testing,
        so guard it in a check for CONFIG_COMPILE_TEST, which is usually
        set on randconfig builds.

        Fixes: 216218308cfb ("ARM: 8713/1: NOMMU: Support MPU in XIP configuration")
        Signed-off-by: Arnd Bergmann <[email protected]>
        Signed-off-by: Russell King (Oracle) <[email protected]>
        Signed-off-by: Greg Kroah-Hartman <[email protected]>

    commit ee4b38ce37ed31beca29d3ebec7db3d5e87fe39e
    Author: Arnd Bergmann <[email protected]>
    Date:   Mon Oct 18 15:30:09 2021 +0100

        ARM: 9139/1: kprobes: fix arch_init_kprobes() prototype

        commit 1f323127cab086e4fd618981b1e5edc396eaf0f4 upstream.

        With extra warnings enabled, gcc complains about this function
        definition:

        arch/arm/probes/kprobes/core.c: In function 'arch_init_kprobes':
        arch/arm/probes/kprobes/core.c:465:12: warning: old-style function definition [-Wold-style-definition]
          465 | int __init arch_init_kprobes()

        Link: https://lore.kernel.org/all/[email protected]/

        Fixes: 24ba613c9d6c ("ARM kprobes: core code")
        Acked-by: Masami Hiramatsu <[email protected]>
        Signed-off-by: Arnd Bergmann <[email protected]>
        Signed-off-by: Russell King (Oracle) <[email protected]>
        Signed-off-by: Greg Kroah-Hartman <[email protected]>

    commit c0b4f1db7feef31d401814121760b45aff7885c1
    Author: Arnd Bergmann <[email protected]>
    Date:   Mon Oct 18 15:30:04 2021 +0100

        ARM: 9134/1: remove duplicate memcpy() definition

        commit eaf6cc7165c9c5aa3c2f9faa03a98598123d0afb upstream.

        Both the decompressor code and the kasan logic try to override
        the memcpy() and memmove()  definitions, which leading to a clash
        in a KASAN-enabled kernel with XZ decompression:

        arch/arm/boot/compressed/decompress.c:50:9: error: 'memmove' macro redefined [-Werror,-Wmacro-redefined]
         #define memmove memmove
                ^
        arch/arm/include/asm/string.h:59:9: note: previous definition is here
         #define memmove(dst, src, len) __memmove(dst, src, len)
                ^
        arch/arm/boot/compressed/decompress.c:51:9: error: 'memcpy' macro redefined [-Werror,-Wmacro-redefined]
         #define memcpy memcpy
                ^
        arch/arm/include/asm/string.h:58:9: note: previous definition is here
         #define memcpy(dst, src, len) __memcpy(dst, src, len)
                ^

        Here we want the set of functions from the decompressor, so undefine
        the other macros before the override.

        Link: https://lore.kernel.org/linux-arm-kernel/CACRpkdZYJogU_SN3H9oeVq=zJkRgRT1gDz3xp59gdqWXxw-B=w@mail.gmail.com/
        Link: https://lore.kernel.org/lkml/[email protected]/

        Fixes: d6d51a96c7d6 ("ARM: 9014/2: Replace string mem* functions for KASan")
        Fixes: a7f464f3db93 ("ARM: 7001/2: Wire up support for the XZ decompressor")
        Reported-by: kernel test robot <[email protected]>
        Reviewed-by: Linus Walleij <[email protected]>
        Signed-off-by: Arnd Bergmann <[email protected]>
        Signed-off-by: Russell King (Oracle) <[email protected]>
        Signed-off-by: Greg Kroah-Hartman <[email protected]>

    commit 00dcbb2d2cd3594faa2f977f2f7175cf23d4e326
    Author: Nick Desaulniers <[email protected]>
    Date:   Mon Oct 4 18:03:28 2021 +0100

        ARM: 9133/1: mm: proc-macros: ensure *_tlb_fns are 4B aligned

        commit e6a0c958bdf9b2e1b57501fc9433a461f0a6aadd upstream.

        A kernel built with CONFIG_THUMB2_KERNEL=y and using clang as the
        assembler could generate non-naturally-aligned v7wbi_tlb_fns which
        results in a boot failure. The original commit adding the macro missed
        the .align directive on this data.

        Link: https://github.com/ClangBuiltLinux/linux/issues/1447
        Link: https://lore.kernel.org/all/[email protected]/
        Debugged-by: Ard Biesheuvel <[email protected]>
        Debugged-by: Nathan Chancellor <[email protected]>
        Debugged-by: Richard Henderson <[email protected]>

        Fixes: 66a625a88174 ("ARM: mm: proc-macros: Add generic proc/cache/tlb struct definition macros")
        Suggested-by: Ard Biesheuvel <[email protected]>
        Acked-by: Ard Biesheuvel <[email protected]>
        Signed-off-by: Nick Desaulniers <[email protected]>
        Tested-by: Nathan Chancellor <[email protected]>
        Signed-off-by: Russell King (Oracle) <[email protected]>
        Signed-off-by: Greg Kroah-Hartman <[email protected]>

    commit 38ec06730e44b2166e87fecca9e36380080801ac
    Author: Greg Kroah-Hartman <[email protected]>
    Date:   Wed Oct 27 09:53:15 2021 +0200

        Linux 4.19.214

        Link: https://lore.kernel.org/r/[email protected]
        Tested-by: Pavel Machek (CIP) <[email protected]>
        Tested-by: Linux Kernel Functional Testing <[email protected]>
        Tested-by: Shuah Khan <[email protected]>
        Tested-by: Sudip Mukherjee <[email protected]>
        Tested-by: Guenter Roeck <[email protected]>
        Signed-off-by: Greg Kroah-Hartman <[email protected]>

    commit 0b7d55ca605e611aceeadf7c29c75808faae951a
    Author: Nick Desaulniers <[email protected]>
    Date:   Wed Sep 8 19:25:59 2021 +0100

        ARM: 9122/1: select HAVE_FUTEX_CMPXCHG

        commit 9d417cbe36eee7afdd85c2e871685f8dab7c2dba upstream.

        tglx notes:
          This function [futex_detect_cmpxchg] is only needed when an
          architecture has to runtime discover whether the CPU supports it or
          not.  ARM has unconditional support for this, so the obvious thing to
          do is the below.

        Fixes linkage failure from Clang randconfigs:
        kernel/futex.o:(.text.fixup+0x5c): relocation truncated to fit: R_ARM_JUMP24 against `.init.text'
        and boot failures for CONFIG_THUMB2_KERNEL.

        Link: https://github.com/ClangBuiltLinux/linux/issues/325

        Comments from Nick Desaulniers:

         See-also: 03b8c7b623c8 ("futex: Allow architectures to skip
         futex_atomic_cmpxchg_inatomic() test")

        Reported-by: Arnd Bergmann <[email protected]>
        Reported-by: Nathan Chancellor <[email protected]>
        Suggested-by: Thomas Gleixner <[email protected]>
        Signed-off-by: Nick Desaulniers <[email protected]>
        Reviewed-by: Thomas Gleixner <[email protected]>
        Tested-by: Nathan Chancellor <[email protected]>
        Reviewed-by: Linus Walleij <[email protected]>
        Cc: [email protected] # v3.14+
        Reviewed-by: Arnd Bergmann <[email protected]>
        Signed-off-by: Russell King (Oracle) <[email protected]>
        Signed-off-by: Greg Kroah-Hartman <[email protected]>

    commit 3de1ed125fc4c35bf7abb08260646100a6dcb04e
    Author: Steven Rostedt (VMware) <[email protected]>
    Date:   Mon Oct 18 15:44:12 2021 -0400

        tracing: Have all levels of checks prevent recursion

        commit ed65df63a39a3f6ed04f7258de8b6789e5021c18 upstream.

        While writing an email explaining the "bit = 0" logic for a discussion on
        making ftrace_test_recursion_trylock() disable preemption, I discovered a
        path that makes the "not do the logic if bit is zero" unsafe.

        The recursion logic is done in hot paths like the function tracer. Thus,
        any code executed causes noticeable overhead. Thus, tricks are done to try
        to limit the amount of code executed. This included the recursion testing
        logic.

        Having recursion testing is important, as there are many paths that can
        end up in an infinite recursion cycle when tracing every function in the
        kernel. Thus protection is needed to prevent that from happening.

        Because it is OK to recurse due to different running context levels (e.g.
        an interrupt preempts a trace, and then a trace occurs in the interrupt
        handler), a set of bits are used to know which context one is in (normal,
        softirq, irq and NMI). If a recursion occurs in the same level, it is
        prevented*.

        Then there are infrastructure levels of recursion as well. When more than
        one callback is attached to the same function to trace, it calls a loop
        function to iterate over all the callbacks. Both the callbacks and the
        loop function have recursion protection. The callbacks use the
        "ftrace_test_recursion_trylock()" which has a "function" set of context
        bits to test, and the loop function calls the internal
        trace_test_and_set_recursion() directly, with an "internal" set of bits.

        If an architecture does not implement all the features supported by ftrace
        then the callbacks are never called directly, and the loop function is
        called instead, which will implement the features of ftrace.

        Since both the loop function and the callbacks do recursion protection, it
        was seemed unnecessary to do it in both locations. Thus, a trick was made
        to have the internal set of recursion bits at a more significant bit
        location than the function bits. Then, if any of the higher bits were set,
        the logic of the function bits could be skipped, as any new recursion
        would first have to go through the loop function.

        This is true for architectures that do not support all the ftrace
        features, because all functions being traced must first go through the
        loop function before going to the callbacks. But this is not true for
        architectures that support all the ftrace features. That's because the
        loop function could be called due to two callbacks attached to the same
        function, but then a recursion function inside the callback could be
        called that does not share any other callback, and it will be called
        directly.

        i.e.

         traced_function_1: [ more than one callback tracing it ]
           call loop_func

         loop_func:
           trace_recursion set internal bit
           call callback

         callback:
           trace_recursion [ skipped because internal bit is set, return 0 ]
           call traced_function_2

         traced_function_2: [ only traced by above callback ]
           call callback

         callback:
           trace_recursion [ skipped because internal bit is set, return 0 ]
           call traced_function_2

         [ wash, rinse, repeat, BOOM! out of shampoo! ]

        Thus, the "bit == 0 skip" trick is not safe, unless the loop function is
        call for all functions.

        Since we want to encourage architectures to implement all ftrace features,
        having them slow down due to this extra logic may encourage the
        maintainers to update to the latest ftrace features. And because this
        logic is only safe for them, remove it completely.

         [*] There is on layer of recursion that is allowed, and that is to allow
             for the transition between interrupt context (normal -> softirq ->
             irq -> NMI), because a trace may occur before the context update is
             visible to the trace recursion logic.

        Link: https://lore.kernel.org/all/[email protected]/
        Link: https://lkml.kernel.org/r/[email protected]

        Cc: Linus Torvalds <[email protected]>
        Cc: Petr Mladek <[email protected]>
        Cc: Ingo Molnar <[email protected]>
        Cc: "James E.J. Bottomley" <[email protected]>
        Cc: Helge Deller <[email protected]>
        Cc: Michael Ellerman <[email protected]>
        Cc: Benjamin Herrenschmidt <[email protected]>
        Cc: Paul Mackerras <[email protected]>
        Cc: Paul Walmsley <[email protected]>
        Cc: Palmer Dabbelt <[email protected]>
        Cc: Albert Ou <[email protected]>
        Cc: Thomas Gleixner <[email protected]>
        Cc: Borislav Petkov <[email protected]>
        Cc: "H. Peter Anvin" <[email protected]>
        Cc: Josh Poimboeuf <[email protected]>
        Cc: Jiri Kosina <[email protected]>
        Cc: Miroslav Benes <[email protected]>
        Cc: Joe Lawrence <[email protected]>
        Cc: Colin Ian King <[email protected]>
        Cc: Masami Hiramatsu <[email protected]>
        Cc: "Peter Zijlstra (Intel)" <[email protected]>
        Cc: Nicholas Piggin <[email protected]>
        Cc: Jisheng Zhang <[email protected]>
        Cc: =?utf-8?b?546L6LSH?= <[email protected]>
        Cc: Guo Ren <[email protected]>
        Cc: [email protected]
        Fixes: edc15cafcbfa3 ("tracing: Avoid unnecessary multiple recursion checks")
        Signed-off-by: Steven Rostedt (VMware) <[email protected]>
        Signed-off-by: Greg Kroah-Hartman <[email protected]>

    commit a9831afa2dc8a18205403907c41aa4e0950ac611
    Author: Yanfei Xu <[email protected]>
    Date:   Sun Sep 26 12:53:13 2021 +0800

        net: mdiobus: Fix memory leak in __mdiobus_register

        commit ab609f25d19858513919369ff3d9a63c02cd9e2e upstream.

        Once device_register() failed, we should call put_device() to
        decrement reference count for cleanup. Or it will cause memory
        leak.

        BUG: memory leak
        unreferenced object 0xffff888114032e00 (size 256):
          comm "kworker/1:3", pid 2960, jiffies 4294943572 (age 15.920s)
          hex dump (first 32 bytes):
            00 00 00 00 00 00 00 00 08 2e 03 14 81 88 ff ff  ................
            08 2e 03 14 81 88 ff ff 90 76 65 82 ff ff ff ff  .........ve.....
          backtrace:
            [<ffffffff8265cfab>] kmalloc include/linux/slab.h:591 [inline]
            [<ffffffff8265cfab>] kzalloc include/linux/slab.h:721 [inline]
            [<ffffffff8265cfab>] device_private_init drivers/base/core.c:3203 [inline]
            [<ffffffff8265cfab>] device_add+0x89b/0xdf0 drivers/base/core.c:3253
            [<ffffffff828dd643>] __mdiobus_register+0xc3/0x450 drivers/net/phy/mdio_bus.c:537
            [<ffffffff828cb835>] __devm_mdiobus_register+0x75/0xf0 drivers/net/phy/mdio_devres.c:87
            [<ffffffff82b92a00>] ax88772_init_mdio drivers/net/usb/asix_devices.c:676 [inline]
            [<ffffffff82b92a00>] ax88772_bind+0x330/0x480 drivers/net/usb/asix_devices.c:786
            [<ffffffff82baa33f>] usbnet_probe+0x3ff/0xdf0 drivers/net/usb/usbnet.c:1745
            [<ffffffff82c36e17>] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396
            [<ffffffff82661d17>] call_driver_probe drivers/base/dd.c:517 [inline]
            [<ffffffff82661d17>] really_probe.part.0+0xe7/0x380 drivers/base/dd.c:596
            [<ffffffff826620bc>] really_probe drivers/base/dd.c:558 [inline]
            [<ffffffff826620bc>] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:751
            [<ffffffff826621ba>] driver_probe_device+0x2a/0x120 drivers/base/dd.c:781
            [<ffffffff82662a26>] __device_attach_driver+0xf6/0x140 drivers/base/dd.c:898
            [<ffffffff8265eca7>] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:427
            [<ffffffff826625a2>] __device_attach+0x122/0x260 drivers/base/dd.c:969
            [<ffffffff82660916>] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:487
            [<ffffffff8265cd0b>] device_add+0x5fb/0xdf0 drivers/base/core.c:3359
            [<ffffffff82c343b9>] usb_set_configuration+0x9d9/0xb90 drivers/usb/core/message.c:2170
            [<ffffffff82c4473c>] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238

        BUG: memory leak
        unreferenced object 0xffff888116f06900 (size 32):
          comm "kworker/0:2", pid 2670, jiffies 4294944448 (age 7.160s)
          hex dump (first 32 bytes):
            75 73 62 2d 30 30 31 3a 30 30 33 00 00 00 00 00  usb-001:003.....
            00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
          backtrace:
            [<ffffffff81484516>] kstrdup+0x36/0x70 mm/util.c:60
            [<ffffffff814845a3>] kstrdup_const+0x53/0x80 mm/util.c:83
            [<ffffffff82296ba2>] kvasprintf_const+0xc2/0x110 lib/kasprintf.c:48
            [<ffffffff82358d4b>] kobject_set_name_vargs+0x3b/0xe0 lib/kobject.c:289
            [<ffffffff826575f3>] dev_set_name+0x63/0x90 drivers/base/core.c:3147
            [<ffffffff828dd63b>] __mdiobus_register+0xbb/0x450 drivers/net/phy/mdio_bus.c:535
            [<ffffffff828cb835>] __devm_mdiobus_register+0x75/0xf0 drivers/net/phy/mdio_devres.c:87
            [<ffffffff82b92a00>] ax88772_init_mdio drivers/net/usb/asix_devices.c:676 [inline]
            [<ffffffff82b92a00>] ax88772_bind+0x330/0x480 drivers/net/usb/asix_devices.c:786
            [<ffffffff82baa33f>] usbnet_probe+0x3ff/0xdf0 drivers/net/usb/usbnet.c:1745
            [<ffffffff82c36e17>] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396
            [<ffffffff82661d17>] call_driver_probe drivers/base/dd.c:517 [inline]
            [<ffffffff82661d17>] really_probe.part.0+0xe7/0x380 drivers/base/dd.c:596
            [<ffffffff826620bc>] really_probe drivers/base/dd.c:558 [inline]
            [<ffffffff826620bc>] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:751
            [<ffffffff826621ba>] driver_probe_device+0x2a/0x120 drivers/base/dd.c:781
            [<ffffffff82662a26>] __device_attach_driver+0xf6/0x140 drivers/base/dd.c:898
            [<ffffffff8265eca7>] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:427
            [<ffffffff826625a2>] __device_attach+0x122/0x260 drivers/base/dd.c:969

        Reported-by: [email protected]
        Signed-off-by: Yanfei Xu <[email protected]>
        Reviewed-by: Andrew Lunn <[email protected]>
        Signed-off-by: David S. Miller <[email protected]>
        Signed-off-by: Greg Kroah-Hartman <[email protected]>

    commit 629e870ca473bbf3ec2429d441efb0406869783d
    Author: Dexuan Cui <[email protected]>
    Date:   Thu Oct 7 21:35:46 2021 -0700

        scsi: core: Fix shost->cmd_per_lun calculation in scsi_add_host_with_dma()

        commit 50b6cb3516365cb69753b006be2b61c966b70588 upstream.

        After commit ea2f0f77538c ("scsi: core: Cap scsi_host cmd_per_lun at
        can_queue"), a 416-CPU VM running on Hyper-V hangs during boot because the
        hv_storvsc driver sets scsi_driver.can_queue to an integer value that
        exceeds SHRT_MAX, and hence scsi_add_host_with_dma() sets
        shost->cmd_per_lun to a negative "short" value.

        Use min_t(int, ...) to work around the issue.

        Link: https://lore.kernel.org/r/[email protected]
        Fixes: ea2f0f77538c ("scsi: core: Cap scsi_host cmd_per_lun at can_queue")
        Cc: [email protected]
        Reviewed-by: Haiyang Zhang <[email protected]>
        Reviewed-by: Ming Lei <[email protected]>
        Reviewed-by: John Garry <[email protected]>
        Signed-off-by: Dexuan Cui <[email protected]>
        Signed-off-by: Martin K. Petersen <[email protected]>
        Signed-off-by: Greg Kroah-Hartman <[email protected]>

    commit 1360f9cde7eaaea4e6b48ab4ec544c706dbc6a8a
    Author: Kai Vehmanen <[email protected]>
    Date:   Tue Oct 12 17:29:35 2021 +0300

        ALSA: hda: avoid write to STATESTS if controller is in reset

        [ Upstream commit b37a15188eae9d4c49c5bb035e0c8d4058e4d9b3 ]

        The snd_hdac_bus_reset_link() contains logic to clear STATESTS register
        before performing controller reset. This code dates back to an old
        bugfix in commit e8a7f136f5ed ("[ALSA] hda-intel - Improve HD-audio
        codec probing robustness"). Originally the code was added to
        azx_reset().

        The code was moved around in commit a41d122449be ("ALSA: hda - Embed bus
        into controller object") and ended up to snd_hdac_bus_reset_link() and
        called primarily via snd_hdac_bus_init_chip().

        The logic to clear STATESTS is correct when snd_hdac_bus_init_chip() is
        called when controller is not in reset. In this case, STATESTS can be
        cleared. This can be useful e.g. when forcing a controller reset to retry
        codec probe. A normal non-power-on reset will not clear the bits.

        However, this old logic is problematic when controller is already in
        reset. The HDA specification states that controller must be taken out of
        reset before writing to registers other than GCTL.CRST (1.0a spec,
        3.3.7). The write to STATESTS in snd_hdac_bus_reset_link() will be lost
        if the controller is already in reset per the HDA specification mentioned.

        This has been harmless on older hardware. On newer generation of Intel
        PCIe based HDA controllers, if configured to report issues, this write
        will emit an unsupported request error. If ACPI Platform Error Interface
        (APEI) is enabled in kernel, this will end up to kernel log.

        Fix the code in snd_hdac_bus_reset_link() to only clear the STATESTS if
        the function is called when controller is not in reset. Otherwise
        clearing the bits is not possible and should be skipped.

        Signed-off-by: Kai Vehmanen <[email protected]>
        Link: https://lore.kernel.org/r/[email protected]
        Signed-off-by: Takashi Iwai <[email protected]>
        Signed-off-by: Sasha Levin <[email protected]>

    commit f7db1bc1cdb809fdd65d50485fb67bd418eadbd5
    Author: Prashant Malani <[email protected]>
    Date:   Tue Sep 28 03:19:34 2021 -0700

        platform/x86: intel_scu_ipc: Update timeout value in comment

        [ Upstream commit a0c5814b9933f25ecb6de169483c5b88cf632bca ]

        The comment decribing the IPC timeout hadn't been updated when the
        actual timeout was changed from 3 to 5 seconds in
        commit a7d53dbbc70a ("platform/x86: intel_scu_ipc: Increase virtual
        timeout from 3 to 5 seconds") .

        Since the value is anyway updated to 10s now, take this opportunity to
        update the value in the comment too.

        Signed-off-by: Prashant Malani <[email protected]>
        Cc: Benson Leung <[email protected]>
        Reviewed-by: Mika Westerberg <[email protected]>
        Link: https://lore.kernel.org/r/[email protected]
        Signed-off-by: Hans de Goede <[email protected]>
        Signed-off-by: Sasha Levin <[email protected]>

    commit a5b34409d3fc52114c828be4adbc30744fa3258b
    Author: Zheyu Ma <[email protected]>
    Date:   Sat Oct 9 11:33:49 2021 +0000

        isdn: mISDN: Fix sleeping function called from invalid context

        [ Upstream commit 6510e80a0b81b5d814e3aea6297ba42f5e76f73c ]

        The driver can call card->isac.release() function from an atomic
        context.

        Fix this by calling this function after releasing the lock.

        The following log reveals it:

        [   44.168226 ] BUG: sleeping function called from invalid context at kernel/workqueue.c:3018
        [   44.168941 ] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 5475, name: modprobe
        [   44.169574 ] INFO: lockdep is tu…

.gitignore

@@ -141,6 +141,6 @@ arch/arm64/boot/dts/vendor/
 
 
 build.sh
-kernelsu/
+KernelSU/
 out/
 build.log

Documentation/ABI/testing/evm

@@ -42,8 +42,30 @@ Description:
 		modification of EVM-protected metadata and
 		disable all further modification of policy
 
-		Note that once a key has been loaded, it will no longer be
-		possible to enable metadata modification.
+		Echoing a value is additive, the new value is added to the
+		existing initialization flags.
+
+		For example, after::
+
+		  echo 2 ><securityfs>/evm
+
+		another echo can be performed::
+
+		  echo 1 ><securityfs>/evm
+
+		and the resulting value will be 3.
+
+		Note that once an HMAC key has been loaded, it will no longer
+		be possible to enable metadata modification. Signaling that an
+		HMAC key has been loaded will clear the corresponding flag.
+		For example, if the current value is 6 (2 and 4 set)::
+
+		  echo 1 ><securityfs>/evm
+
+		will set the new value to 3 (4 cleared).
+
+		Loading an HMAC key is the only way to disable metadata
+		modification.
 
 		Until key loading has been signaled EVM can not create
 		or validate the 'security.evm' xattr, but returns

Documentation/admin-guide/devices.txt

@@ -2993,10 +2993,10 @@
 		65 = /dev/infiniband/issm1     Second InfiniBand IsSM device
 		  ...
 		127 = /dev/infiniband/issm63    63rd InfiniBand IsSM device
-		128 = /dev/infiniband/uverbs0   First InfiniBand verbs device
-		129 = /dev/infiniband/uverbs1   Second InfiniBand verbs device
+		192 = /dev/infiniband/uverbs0   First InfiniBand verbs device
+		193 = /dev/infiniband/uverbs1   Second InfiniBand verbs device
 		  ...
-		159 = /dev/infiniband/uverbs31  31st InfiniBand verbs device
+		223 = /dev/infiniband/uverbs31  31st InfiniBand verbs device
 
  232 char	Biometric Devices
 		0 = /dev/biometric/sensor0/fingerprint	first fingerprint sensor on first device

Documentation/admin-guide/kernel-parameters.txt

@@ -571,6 +571,12 @@
 			loops can be debugged more effectively on production
 			systems.
 
+	clocksource.max_cswd_read_retries= [KNL]
+			Number of clocksource_watchdog() retries due to
+			external delays before the clock will be marked
+			unstable.  Defaults to three retries, that is,
+			four attempts to read the clock under test.
+
 	clearcpuid=BITNUM[,BITNUM...] [X86]
 			Disable CPUID feature X for the kernel. See
 			arch/x86/include/asm/cpufeatures.h for the valid bit
@@ -2585,6 +2591,8 @@
 					       mds=off [X86]
 					       tsx_async_abort=off [X86]
 					       kvm.nx_huge_pages=off [X86]
+					       no_entry_flush [PPC]
+					       no_uaccess_flush [PPC]
 
 				Exceptions:
 					       This does not have any effect on
@@ -2895,6 +2903,8 @@
 
 	noefi		Disable EFI runtime services support.
 
+	no_entry_flush  [PPC] Don't flush the L1-D cache when entering the kernel.
+
 	noexec		[IA-64]
 
 	noexec		[X86]
@@ -2944,6 +2954,9 @@
 	nospec_store_bypass_disable
 			[HW] Disable all mitigations for the Speculative Store Bypass vulnerability
 
+	no_uaccess_flush
+	                [PPC] Don't flush the L1-D cache after accessing user data.
+
 	noxsave		[BUGS=X86] Disables x86 extended register state save
 			and restore using xsave. The kernel will fallback to
 			enabling legacy floating-point and sse state.
@@ -5028,6 +5041,7 @@
 					device);
 				j = NO_REPORT_LUNS (don't use report luns
 					command, uas only);
+				k = NO_SAME (do not use WRITE_SAME, uas only)
 				l = NOT_LOCKABLE (don't try to lock and
 					unlock ejectable media, not on uas);
 				m = MAX_SECTORS_64 (don't transfer more

Documentation/device-mapper/dm-integrity.txt

@@ -146,6 +146,13 @@ block_size:number
 	Supported values are 512, 1024, 2048 and 4096 bytes.  If not
 	specified the default block size is 512 bytes.
 
+legacy_recalculate
+	Allow recalculating of volumes with HMAC keys. This is disabled by
+	default for security reasons - an attacker could modify the volume,
+	set recalc_sector to zero, and the kernel would not detect the
+	modification.
+
+
 The journal mode (D/J), buffer_sectors, journal_watermark, commit_time can
 be changed when reloading the target (load an inactive table and swap the
 tables with suspend and resume). The other arguments should not be changed

Documentation/filesystems/mandatory-locking.txt

@@ -169,3 +169,13 @@ havoc if they lock crucial files. The way around it is to change the file
 permissions (remove the setgid bit) before trying to read or write to it.
 Of course, that might be a bit tricky if the system is hung :-(
 
+7. The "mand" mount option
+--------------------------
+Mandatory locking is disabled on all filesystems by default, and must be
+administratively enabled by mounting with "-o mand". That mount option
+is only allowed if the mounting task has the CAP_SYS_ADMIN capability.
+
+Since kernel v4.5, it is possible to disable mandatory locking
+altogether by setting CONFIG_MANDATORY_FILE_LOCKING to "n". A kernel
+with this disabled will reject attempts to mount filesystems with the
+"mand" mount option with the error status EPERM.

Documentation/filesystems/seq_file.txt

@@ -192,6 +192,12 @@ between the calls to start() and stop(), so holding a lock during that time
 is a reasonable thing to do. The seq_file code will also avoid taking any
 other locks while the iterator is active.
 
+The iterater value returned by start() or next() is guaranteed to be
+passed to a subsequent next() or stop() call.  This allows resources
+such as locks that were taken to be reliably released.  There is *no*
+guarantee that the iterator will be passed to show(), though in practice
+it often will be.
+
 
 Formatted output
 

Documentation/filesystems/sysfs.txt

@@ -211,12 +211,10 @@ Other notes:
   is 4096. 
 
 - show() methods should return the number of bytes printed into the
-  buffer. This is the return value of scnprintf().
+  buffer.
 
-- show() must not use snprintf() when formatting the value to be
-  returned to user space. If you can guarantee that an overflow
-  will never happen you can use sprintf() otherwise you must use
-  scnprintf().
+- show() should only use sysfs_emit() or sysfs_emit_at() when formatting
+  the value to be returned to user space.
 
 - store() should return the number of bytes used from the buffer. If the
   entire buffer has been used, just return the count argument.

Documentation/sphinx/parse-headers.pl

@@ -1,4 +1,4 @@
-#!/usr/bin/perl
+#!/usr/bin/env perl
 use strict;
 use Text::Tabs;
 use Getopt::Long;

Documentation/target/tcm_mod_builder.py

@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/env python
 # The TCM v4 multi-protocol fabric module generation script for drivers/target/$NEW_MOD
 #
 # Copyright (c) 2010 Rising Tide Systems

Documentation/trace/histogram.rst

@@ -191,7 +191,7 @@ Documentation written by Tom Zanussi
                                 with the event, in nanoseconds.  May be
 			        modified by .usecs to have timestamps
 			        interpreted as microseconds.
-    cpu                    int  the cpu on which the event occurred.
+    common_cpu             int  the cpu on which the event occurred.
     ====================== ==== =======================================
 
 Extended error information

Documentation/trace/postprocess/decode_msr.py

@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/env python
 # add symbolic names to read_msr / write_msr in trace
 # decode_msr msr-index.h < trace
 import sys

Documentation/trace/postprocess/trace-pagealloc-postprocess.pl

@@ -1,4 +1,4 @@
-#!/usr/bin/perl
+#!/usr/bin/env perl
 # This is a POC (proof of concept or piece of crap, take your pick) for reading the
 # text representation of trace output related to page allocation. It makes an attempt
 # to extract some high-level information on what is going on. The accuracy of the parser

Documentation/trace/postprocess/trace-vmscan-postprocess.pl

@@ -1,4 +1,4 @@
-#!/usr/bin/perl
+#!/usr/bin/env perl
 # This is a POC for reading the text representation of trace output related to
 # page reclaim. It makes an attempt to extract some high-level information on
 # what is going on. The accuracy of the parser may vary

Documentation/virtual/kvm/mmu.txt

@@ -152,8 +152,8 @@ Shadow pages contain the following information:
     shadow pages) so role.quadrant takes values in the range 0..3.  Each
     quadrant maps 1GB virtual address space.
   role.access:
-    Inherited guest access permissions in the form uwx.  Note execute
-    permission is positive, not negative.
+    Inherited guest access permissions from the parent ptes in the form uwx.
+    Note execute permission is positive, not negative.
   role.invalid:
     The page is invalid and should not be used.  It is a root page that is
     currently pinned (by a cpu hardware register pointing to it); once it is

Documentation/vm/slub.rst

@@ -154,18 +154,18 @@ SLUB Debug output
 Here is a sample of slub debug output::
 
  ====================================================================
- BUG kmalloc-8: Redzone overwritten
+ BUG kmalloc-8: Right Redzone overwritten
  --------------------------------------------------------------------
 
  INFO: 0xc90f6d28-0xc90f6d2b. First byte 0x00 instead of 0xcc
  INFO: Slab 0xc528c530 flags=0x400000c3 inuse=61 fp=0xc90f6d58
  INFO: Object 0xc90f6d20 @offset=3360 fp=0xc90f6d58
  INFO: Allocated in get_modalias+0x61/0xf5 age=53 cpu=1 pid=554
 
- Bytes b4 0xc90f6d10:  00 00 00 00 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a ........ZZZZZZZZ
-   Object 0xc90f6d20:  31 30 31 39 2e 30 30 35                         1019.005
-  Redzone 0xc90f6d28:  00 cc cc cc                                     .
-  Padding 0xc90f6d50:  5a 5a 5a 5a 5a 5a 5a 5a                         ZZZZZZZZ
+ Bytes b4 (0xc90f6d10): 00 00 00 00 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a ........ZZZZZZZZ
+ Object   (0xc90f6d20): 31 30 31 39 2e 30 30 35                         1019.005
+ Redzone  (0xc90f6d28): 00 cc cc cc                                     .
+ Padding  (0xc90f6d50): 5a 5a 5a 5a 5a 5a 5a 5a                         ZZZZZZZZ
 
    [<c010523d>] dump_trace+0x63/0x1eb
    [<c01053df>] show_trace_log_lvl+0x1a/0x2f

Makefile

@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: GPL-2.0
 VERSION = 4
 PATCHLEVEL = 19
-SUBLEVEL = 157
+SUBLEVEL = 215
 EXTRAVERSION =
 NAME = "People's Front"
 
@@ -365,10 +365,10 @@ else
 HOSTCC	= gcc
 HOSTCXX	= g++
 endif
-KBUILD_HOSTCFLAGS   := -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 \
+KBUILD_HOSTCFLAGS   := -Wall -Wmissing-prototypes -Wstrict-prototypes -O3 \
 		-fomit-frame-pointer -std=gnu89 $(HOST_LFS_CFLAGS) \
 		$(HOSTCFLAGS)
-KBUILD_HOSTCXXFLAGS := -O2 $(HOST_LFS_CFLAGS) $(HOSTCXXFLAGS)
+KBUILD_HOSTCXXFLAGS := -O3 $(HOST_LFS_CFLAGS) $(HOSTCXXFLAGS)
 KBUILD_HOSTLDFLAGS  := $(HOST_LFS_LDFLAGS) $(HOSTLDFLAGS)
 KBUILD_HOSTLDLIBS   := $(HOST_LFS_LIBS) $(HOSTLDLIBS)
 
@@ -400,7 +400,7 @@ YACC		= bison
 AWK		= awk
 GENKSYMS	= scripts/genksyms/genksyms
 INSTALLKERNEL  := installkernel
-DEPMOD		= /sbin/depmod
+DEPMOD		= depmod
 PERL		= perl
 PYTHON		= python
 PYTHON2		= python2
@@ -439,8 +439,7 @@ KBUILD_AFLAGS   := -D__ASSEMBLY__
 KBUILD_CFLAGS   := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
 		   -fno-strict-aliasing -fno-common -fshort-wchar \
 		   -Werror-implicit-function-declaration \
-		   -Wno-format-security \
-		   -D__CHECK_ENDIAN__ \
+		   -Werror=return-type -Wno-format-security \
 		   -std=gnu89
 KBUILD_CPPFLAGS := -D__KERNEL__
 KBUILD_AFLAGS_KERNEL :=
@@ -806,6 +805,7 @@ ifneq ($(LLVM_IAS),1)
 KBUILD_AFLAGS	+= -Wa,-gdwarf-2
 endif
 endif
+
 ifdef CONFIG_DEBUG_INFO_DWARF4
 KBUILD_CFLAGS	+= $(call cc-option, -gdwarf-4,)
 endif
@@ -978,12 +978,6 @@ KBUILD_CFLAGS   += $(call cc-option,-Werror=designated-init)
 # change __FILE__ to the relative path from the srctree
 KBUILD_CFLAGS	+= $(call cc-option,-fmacro-prefix-map=$(srctree)/=)
 
-# ensure -fcf-protection is disabled when using retpoline as it is
-# incompatible with -mindirect-branch=thunk-extern
-ifdef CONFIG_RETPOLINE
-KBUILD_CFLAGS += $(call cc-option,-fcf-protection=none)
-endif
-
 # use the deterministic mode of AR if available
 KBUILD_ARFLAGS := $(call ar-option,D)
 

arch/alpha/include/asm/io.h

@@ -61,7 +61,7 @@ extern inline void set_hae(unsigned long new_hae)
  * Change virtual addresses to physical addresses and vv.
  */
 #ifdef USE_48_BIT_KSEG
-static inline unsigned long virt_to_phys(void *address)
+static inline unsigned long virt_to_phys(volatile void *address)
 {
 	return (unsigned long)address - IDENT_ADDR;
 }
@@ -71,7 +71,7 @@ static inline void * phys_to_virt(unsigned long address)
 	return (void *) (address + IDENT_ADDR);
 }
 #else
-static inline unsigned long virt_to_phys(void *address)
+static inline unsigned long virt_to_phys(volatile void *address)
 {
         unsigned long phys = (unsigned long)address;
 
@@ -112,7 +112,7 @@ static inline dma_addr_t __deprecated isa_page_to_bus(struct page *page)
 extern unsigned long __direct_map_base;
 extern unsigned long __direct_map_size;
 
-static inline unsigned long __deprecated virt_to_bus(void *address)
+static inline unsigned long __deprecated virt_to_bus(volatile void *address)
 {
 	unsigned long phys = virt_to_phys(address);
 	unsigned long bus = phys + __direct_map_base;

arch/alpha/kernel/smp.c

@@ -585,7 +585,7 @@ void
 smp_send_stop(void)
 {
 	cpumask_t to_whom;
-	cpumask_copy(&to_whom, cpu_possible_mask);
+	cpumask_copy(&to_whom, cpu_online_mask);
 	cpumask_clear_cpu(smp_processor_id(), &to_whom);
 #ifdef DEBUG_IPI_MSG
 	if (hard_smp_processor_id() != boot_cpu_id)

arch/arc/Makefile

@@ -91,14 +91,9 @@ libs-y		+= arch/arc/lib/ $(LIBGCC)
 
 boot		:= arch/arc/boot
 
-#default target for make without any arguments.
-KBUILD_IMAGE	:= $(boot)/bootpImage
-
-all:	bootpImage
-bootpImage: vmlinux
-
-boot_targets += uImage uImage.bin uImage.gz
+boot_targets := uImage uImage.bin uImage.gz uImage.lzma
 
+PHONY += $(boot_targets)
 $(boot_targets): vmlinux
 	$(Q)$(MAKE) $(build)=$(boot) $(boot)/$@
 

arch/arc/include/asm/page.h

@@ -13,6 +13,7 @@
 #ifndef __ASSEMBLY__
 
 #define clear_page(paddr)		memset((paddr), 0, PAGE_SIZE)
+#define copy_user_page(to, from, vaddr, pg)	copy_page(to, from)
 #define copy_page(to, from)		memcpy((to), (from), PAGE_SIZE)
 
 struct vm_area_struct;

arch/arc/include/uapi/asm/sigcontext.h

@@ -18,6 +18,7 @@
  */
 struct sigcontext {
 	struct user_regs_struct regs;
+	struct user_regs_arcv2 v2abi;
 };
 
 #endif /* _ASM_ARC_SIGCONTEXT_H */

arch/arc/kernel/entry.S

@@ -169,7 +169,7 @@ tracesys:
 
 	; Do the Sys Call as we normally would.
 	; Validate the Sys Call number
-	cmp     r8,  NR_syscalls
+	cmp     r8,  NR_syscalls - 1
 	mov.hi  r0, -ENOSYS
 	bhi     tracesys_exit
 
@@ -252,7 +252,7 @@ ENTRY(EV_Trap)
 	;============ Normal syscall case
 
 	; syscall num shd not exceed the total system calls avail
-	cmp     r8,  NR_syscalls
+	cmp     r8,  NR_syscalls - 1
 	mov.hi  r0, -ENOSYS
 	bhi     .Lret_from_system_call