--- /dev/null
+From a3f003c415c0965834f9c9b1ccd71e2a912b4293 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Sep 2020 09:52:30 -0700
+Subject: ALSA: asihpi: fix iounmap in error handler
+
+From: Tom Rix <trix@redhat.com>
+
+[ Upstream commit 472eb39103e885f302fd8fd6eff104fcf5503f1b ]
+
+clang static analysis flags this problem
+hpioctl.c:513:7: warning: Branch condition evaluates to
+ a garbage value
+ if (pci.ap_mem_base[idx]) {
+ ^~~~~~~~~~~~~~~~~~~~
+
+If there is a failure in the middle of the memory space loop,
+only some of the memory spaces need to be cleaned up.
+
+At the error handler, idx holds the number of successful
+memory spaces mapped. So rework the handler loop to use the
+old idx.
+
+There is a second problem, the memory space loop conditionally
+iomaps()/sets the mem_base so it is necessay to initize pci.
+
+Fixes: 719f82d3987a ("ALSA: Add support of AudioScience ASI boards")
+Signed-off-by: Tom Rix <trix@redhat.com>
+Link: https://lore.kernel.org/r/20200913165230.17166-1-trix@redhat.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/asihpi/hpioctl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c
+index 7d049569012c1..3f06986fbecf8 100644
+--- a/sound/pci/asihpi/hpioctl.c
++++ b/sound/pci/asihpi/hpioctl.c
+@@ -350,7 +350,7 @@ int asihpi_adapter_probe(struct pci_dev *pci_dev,
+ struct hpi_message hm;
+ struct hpi_response hr;
+ struct hpi_adapter adapter;
+- struct hpi_pci pci;
++ struct hpi_pci pci = { 0 };
+
+ memset(&adapter, 0, sizeof(adapter));
+
+@@ -506,7 +506,7 @@ int asihpi_adapter_probe(struct pci_dev *pci_dev,
+ return 0;
+
+ err:
+- for (idx = 0; idx < HPI_MAX_ADAPTER_MEM_SPACES; idx++) {
++ while (--idx >= 0) {
+ if (pci.ap_mem_base[idx]) {
+ iounmap(pci.ap_mem_base[idx]);
+ pci.ap_mem_base[idx] = NULL;
+--
+2.25.1
+
--- /dev/null
+From 91dec3b965181ed6a9ae9ac65e88b7e3df18541f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Sep 2020 10:51:03 +0800
+Subject: atm: eni: fix the missed pci_disable_device() for eni_init_one()
+
+From: Jing Xiangfeng <jingxiangfeng@huawei.com>
+
+[ Upstream commit c2b947879ca320ac5505c6c29a731ff17da5e805 ]
+
+eni_init_one() misses to call pci_disable_device() in an error path.
+Jump to err_disable to fix it.
+
+Fixes: ede58ef28e10 ("atm: remove deprecated use of pci api")
+Signed-off-by: Jing Xiangfeng <jingxiangfeng@huawei.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/atm/eni.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/atm/eni.c b/drivers/atm/eni.c
+index 7323e9210f4b1..38fec976e62d4 100644
+--- a/drivers/atm/eni.c
++++ b/drivers/atm/eni.c
+@@ -2243,7 +2243,7 @@ static int eni_init_one(struct pci_dev *pci_dev,
+
+ rc = dma_set_mask_and_coherent(&pci_dev->dev, DMA_BIT_MASK(32));
+ if (rc < 0)
+- goto out;
++ goto err_disable;
+
+ rc = -ENOMEM;
+ eni_dev = kmalloc(sizeof(struct eni_dev), GFP_KERNEL);
+--
+2.25.1
+
--- /dev/null
+From 608b5f93318244f380ebe5f716e90ee4c3a2579c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Sep 2020 13:58:16 +0200
+Subject: batman-adv: Add missing include for in_interrupt()
+
+From: Sven Eckelmann <sven@narfation.org>
+
+[ Upstream commit 4bba9dab86b6ac15ca560ef1f2b5aa4529cbf784 ]
+
+The fix for receiving (internally generated) bla packets outside the
+interrupt context introduced the usage of in_interrupt(). But this
+functionality is only defined in linux/preempt.h which was not included
+with the same patch.
+
+Fixes: 279e89b2281a ("batman-adv: bla: use netif_rx_ni when not in interrupt context")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/batman-adv/bridge_loop_avoidance.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
+index e71a35a3950de..557d7fdf0b8dc 100644
+--- a/net/batman-adv/bridge_loop_avoidance.c
++++ b/net/batman-adv/bridge_loop_avoidance.c
+@@ -37,6 +37,7 @@
+ #include <linux/lockdep.h>
+ #include <linux/netdevice.h>
+ #include <linux/netlink.h>
++#include <linux/preempt.h>
+ #include <linux/rculist.h>
+ #include <linux/rcupdate.h>
+ #include <linux/seq_file.h>
+--
+2.25.1
+
--- /dev/null
+From 1473f389d6ae7dac5409babd98d9de8e6796ec86 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Aug 2020 17:34:48 +0200
+Subject: batman-adv: bla: fix type misuse for backbone_gw hash indexing
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Lüssing <ll@simonwunderlich.de>
+
+[ Upstream commit 097930e85f90f252c44dc0d084598265dd44ca48 ]
+
+It seems that due to a copy & paste error the void pointer
+in batadv_choose_backbone_gw() is cast to the wrong type.
+
+Fixing this by using "struct batadv_bla_backbone_gw" instead of "struct
+batadv_bla_claim" which better matches the caller's side.
+
+For now it seems that we were lucky because the two structs both have
+their orig/vid and addr/vid in the beginning. However I stumbled over
+this issue when I was trying to add some debug variables in front of
+"orig" in batadv_backbone_gw, which caused hash lookups to fail.
+
+Fixes: 07568d0369f9 ("batman-adv: don't rely on positions in struct for hashing")
+Signed-off-by: Linus Lüssing <ll@simonwunderlich.de>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/batman-adv/bridge_loop_avoidance.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
+index 9b8bf06ccb613..e71a35a3950de 100644
+--- a/net/batman-adv/bridge_loop_avoidance.c
++++ b/net/batman-adv/bridge_loop_avoidance.c
+@@ -96,11 +96,12 @@ static inline u32 batadv_choose_claim(const void *data, u32 size)
+ */
+ static inline u32 batadv_choose_backbone_gw(const void *data, u32 size)
+ {
+- const struct batadv_bla_claim *claim = (struct batadv_bla_claim *)data;
++ const struct batadv_bla_backbone_gw *gw;
+ u32 hash = 0;
+
+- hash = jhash(&claim->addr, sizeof(claim->addr), hash);
+- hash = jhash(&claim->vid, sizeof(claim->vid), hash);
++ gw = (struct batadv_bla_backbone_gw *)data;
++ hash = jhash(&gw->orig, sizeof(gw->orig), hash);
++ hash = jhash(&gw->vid, sizeof(gw->vid), hash);
+
+ return hash % size;
+ }
+--
+2.25.1
+
--- /dev/null
+From d1c3dde97af84222e1322aa563daf8584dafd421 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Sep 2020 09:54:10 +0200
+Subject: batman-adv: mcast: fix duplicate mcast packets from BLA backbone to
+ mesh
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Lüssing <linus.luessing@c0d3.blue>
+
+[ Upstream commit 2369e827046920ef0599e6a36b975ac5c0a359c2 ]
+
+Scenario:
+* Multicast frame send from BLA backbone gateways (multiple nodes
+ with their bat0 bridged together, with BLA enabled) sharing the same
+ LAN to nodes in the mesh
+
+Issue:
+* Nodes receive the frame multiple times on bat0 from the mesh,
+ once from each foreign BLA backbone gateway which shares the same LAN
+ with another
+
+For multicast frames via batman-adv broadcast packets coming from the
+same BLA backbone but from different backbone gateways duplicates are
+currently detected via a CRC history of previously received packets.
+
+However this CRC so far was not performed for multicast frames received
+via batman-adv unicast packets. Fixing this by appyling the same check
+for such packets, too.
+
+Room for improvements in the future: Ideally we would introduce the
+possibility to not only claim a client, but a complete originator, too.
+This would allow us to only send a multicast-in-unicast packet from a BLA
+backbone gateway claiming the node and by that avoid potential redundant
+transmissions in the first place.
+
+Fixes: 279e89b2281a ("batman-adv: add broadcast duplicate check")
+Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/batman-adv/bridge_loop_avoidance.c | 103 +++++++++++++++++++++----
+ 1 file changed, 87 insertions(+), 16 deletions(-)
+
+diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
+index 3f76872d411bc..1401031f4bb4a 100644
+--- a/net/batman-adv/bridge_loop_avoidance.c
++++ b/net/batman-adv/bridge_loop_avoidance.c
+@@ -1594,13 +1594,16 @@ int batadv_bla_init(struct batadv_priv *bat_priv)
+ }
+
+ /**
+- * batadv_bla_check_bcast_duplist() - Check if a frame is in the broadcast dup.
++ * batadv_bla_check_duplist() - Check if a frame is in the broadcast dup.
+ * @bat_priv: the bat priv with all the soft interface information
+- * @skb: contains the bcast_packet to be checked
++ * @skb: contains the multicast packet to be checked
++ * @payload_ptr: pointer to position inside the head buffer of the skb
++ * marking the start of the data to be CRC'ed
++ * @orig: originator mac address, NULL if unknown
+ *
+- * check if it is on our broadcast list. Another gateway might
+- * have sent the same packet because it is connected to the same backbone,
+- * so we have to remove this duplicate.
++ * Check if it is on our broadcast list. Another gateway might have sent the
++ * same packet because it is connected to the same backbone, so we have to
++ * remove this duplicate.
+ *
+ * This is performed by checking the CRC, which will tell us
+ * with a good chance that it is the same packet. If it is furthermore
+@@ -1609,19 +1612,17 @@ int batadv_bla_init(struct batadv_priv *bat_priv)
+ *
+ * Return: true if a packet is in the duplicate list, false otherwise.
+ */
+-bool batadv_bla_check_bcast_duplist(struct batadv_priv *bat_priv,
+- struct sk_buff *skb)
++static bool batadv_bla_check_duplist(struct batadv_priv *bat_priv,
++ struct sk_buff *skb, u8 *payload_ptr,
++ const u8 *orig)
+ {
+- int i, curr;
+- __be32 crc;
+- struct batadv_bcast_packet *bcast_packet;
+ struct batadv_bcast_duplist_entry *entry;
+ bool ret = false;
+-
+- bcast_packet = (struct batadv_bcast_packet *)skb->data;
++ int i, curr;
++ __be32 crc;
+
+ /* calculate the crc ... */
+- crc = batadv_skb_crc32(skb, (u8 *)(bcast_packet + 1));
++ crc = batadv_skb_crc32(skb, payload_ptr);
+
+ spin_lock_bh(&bat_priv->bla.bcast_duplist_lock);
+
+@@ -1640,8 +1641,21 @@ bool batadv_bla_check_bcast_duplist(struct batadv_priv *bat_priv,
+ if (entry->crc != crc)
+ continue;
+
+- if (batadv_compare_eth(entry->orig, bcast_packet->orig))
+- continue;
++ /* are the originators both known and not anonymous? */
++ if (orig && !is_zero_ether_addr(orig) &&
++ !is_zero_ether_addr(entry->orig)) {
++ /* If known, check if the new frame came from
++ * the same originator:
++ * We are safe to take identical frames from the
++ * same orig, if known, as multiplications in
++ * the mesh are detected via the (orig, seqno) pair.
++ * So we can be a bit more liberal here and allow
++ * identical frames from the same orig which the source
++ * host might have sent multiple times on purpose.
++ */
++ if (batadv_compare_eth(entry->orig, orig))
++ continue;
++ }
+
+ /* this entry seems to match: same crc, not too old,
+ * and from another gw. therefore return true to forbid it.
+@@ -1657,7 +1671,14 @@ bool batadv_bla_check_bcast_duplist(struct batadv_priv *bat_priv,
+ entry = &bat_priv->bla.bcast_duplist[curr];
+ entry->crc = crc;
+ entry->entrytime = jiffies;
+- ether_addr_copy(entry->orig, bcast_packet->orig);
++
++ /* known originator */
++ if (orig)
++ ether_addr_copy(entry->orig, orig);
++ /* anonymous originator */
++ else
++ eth_zero_addr(entry->orig);
++
+ bat_priv->bla.bcast_duplist_curr = curr;
+
+ out:
+@@ -1666,6 +1687,48 @@ bool batadv_bla_check_bcast_duplist(struct batadv_priv *bat_priv,
+ return ret;
+ }
+
++/**
++ * batadv_bla_check_ucast_duplist() - Check if a frame is in the broadcast dup.
++ * @bat_priv: the bat priv with all the soft interface information
++ * @skb: contains the multicast packet to be checked, decapsulated from a
++ * unicast_packet
++ *
++ * Check if it is on our broadcast list. Another gateway might have sent the
++ * same packet because it is connected to the same backbone, so we have to
++ * remove this duplicate.
++ *
++ * Return: true if a packet is in the duplicate list, false otherwise.
++ */
++static bool batadv_bla_check_ucast_duplist(struct batadv_priv *bat_priv,
++ struct sk_buff *skb)
++{
++ return batadv_bla_check_duplist(bat_priv, skb, (u8 *)skb->data, NULL);
++}
++
++/**
++ * batadv_bla_check_bcast_duplist() - Check if a frame is in the broadcast dup.
++ * @bat_priv: the bat priv with all the soft interface information
++ * @skb: contains the bcast_packet to be checked
++ *
++ * Check if it is on our broadcast list. Another gateway might have sent the
++ * same packet because it is connected to the same backbone, so we have to
++ * remove this duplicate.
++ *
++ * Return: true if a packet is in the duplicate list, false otherwise.
++ */
++bool batadv_bla_check_bcast_duplist(struct batadv_priv *bat_priv,
++ struct sk_buff *skb)
++{
++ struct batadv_bcast_packet *bcast_packet;
++ u8 *payload_ptr;
++
++ bcast_packet = (struct batadv_bcast_packet *)skb->data;
++ payload_ptr = (u8 *)(bcast_packet + 1);
++
++ return batadv_bla_check_duplist(bat_priv, skb, payload_ptr,
++ bcast_packet->orig);
++}
++
+ /**
+ * batadv_bla_is_backbone_gw_orig() - Check if the originator is a gateway for
+ * the VLAN identified by vid.
+@@ -1880,6 +1943,14 @@ bool batadv_bla_rx(struct batadv_priv *bat_priv, struct sk_buff *skb,
+ packet_type == BATADV_UNICAST)
+ goto handled;
+
++ /* potential duplicates from foreign BLA backbone gateways via
++ * multicast-in-unicast packets
++ */
++ if (is_multicast_ether_addr(ethhdr->h_dest) &&
++ packet_type == BATADV_UNICAST &&
++ batadv_bla_check_ucast_duplist(bat_priv, skb))
++ goto handled;
++
+ ether_addr_copy(search_claim.addr, ethhdr->h_source);
+ search_claim.vid = vid;
+ claim = batadv_claim_hash_find(bat_priv, &search_claim);
+--
+2.25.1
+
--- /dev/null
+From a57e9b2247c2a913aa15e5ce4903fa820f990230 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Sep 2020 09:54:09 +0200
+Subject: batman-adv: mcast: fix duplicate mcast packets in BLA backbone from
+ mesh
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Lüssing <linus.luessing@c0d3.blue>
+
+[ Upstream commit 74c09b7275126da1b642b90c9cdc3ae8b729ad4b ]
+
+Scenario:
+* Multicast frame send from mesh to a BLA backbone (multiple nodes
+ with their bat0 bridged together, with BLA enabled)
+
+Issue:
+* BLA backbone nodes receive the frame multiple times on bat0,
+ once from mesh->bat0 and once from each backbone_gw from LAN
+
+For unicast, a node will send only to the best backbone gateway
+according to the TQ. However for multicast we currently cannot determine
+if multiple destination nodes share the same backbone if they don't share
+the same backbone with us. So we need to keep sending the unicasts to
+all backbone gateways and let the backbone gateways decide which one
+will forward the frame. We can use the CLAIM mechanism to make this
+decision.
+
+One catch: The batman-adv gateway feature for DHCP packets potentially
+sends multicast packets in the same batman-adv unicast header as the
+multicast optimizations code. And we are not allowed to drop those even
+if we did not claim the source address of the sender, as for such
+packets there is only this one multicast-in-unicast packet.
+
+How can we distinguish the two cases?
+
+The gateway feature uses a batman-adv unicast 4 address header. While
+the multicast-to-unicasts feature uses a simple, 3 address batman-adv
+unicast header. So let's use this to distinguish.
+
+Fixes: fe2da6ff27c7 ("batman-adv: check incoming packet type for bla")
+Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/batman-adv/bridge_loop_avoidance.c | 34 +++++++++++++++++++-------
+ net/batman-adv/bridge_loop_avoidance.h | 4 +--
+ net/batman-adv/soft-interface.c | 6 ++---
+ 3 files changed, 30 insertions(+), 14 deletions(-)
+
+diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
+index 557d7fdf0b8dc..3f76872d411bc 100644
+--- a/net/batman-adv/bridge_loop_avoidance.c
++++ b/net/batman-adv/bridge_loop_avoidance.c
+@@ -1827,7 +1827,7 @@ batadv_bla_loopdetect_check(struct batadv_priv *bat_priv, struct sk_buff *skb,
+ * @bat_priv: the bat priv with all the soft interface information
+ * @skb: the frame to be checked
+ * @vid: the VLAN ID of the frame
+- * @is_bcast: the packet came in a broadcast packet type.
++ * @packet_type: the batman packet type this frame came in
+ *
+ * batadv_bla_rx avoidance checks if:
+ * * we have to race for a claim
+@@ -1839,7 +1839,7 @@ batadv_bla_loopdetect_check(struct batadv_priv *bat_priv, struct sk_buff *skb,
+ * further process the skb.
+ */
+ bool batadv_bla_rx(struct batadv_priv *bat_priv, struct sk_buff *skb,
+- unsigned short vid, bool is_bcast)
++ unsigned short vid, int packet_type)
+ {
+ struct batadv_bla_backbone_gw *backbone_gw;
+ struct ethhdr *ethhdr;
+@@ -1861,9 +1861,24 @@ bool batadv_bla_rx(struct batadv_priv *bat_priv, struct sk_buff *skb,
+ goto handled;
+
+ if (unlikely(atomic_read(&bat_priv->bla.num_requests)))
+- /* don't allow broadcasts while requests are in flight */
+- if (is_multicast_ether_addr(ethhdr->h_dest) && is_bcast)
+- goto handled;
++ /* don't allow multicast packets while requests are in flight */
++ if (is_multicast_ether_addr(ethhdr->h_dest))
++ /* Both broadcast flooding or multicast-via-unicasts
++ * delivery might send to multiple backbone gateways
++ * sharing the same LAN and therefore need to coordinate
++ * which backbone gateway forwards into the LAN,
++ * by claiming the payload source address.
++ *
++ * Broadcast flooding and multicast-via-unicasts
++ * delivery use the following two batman packet types.
++ * Note: explicitly exclude BATADV_UNICAST_4ADDR,
++ * as the DHCP gateway feature will send explicitly
++ * to only one BLA gateway, so the claiming process
++ * should be avoided there.
++ */
++ if (packet_type == BATADV_BCAST ||
++ packet_type == BATADV_UNICAST)
++ goto handled;
+
+ ether_addr_copy(search_claim.addr, ethhdr->h_source);
+ search_claim.vid = vid;
+@@ -1898,13 +1913,14 @@ bool batadv_bla_rx(struct batadv_priv *bat_priv, struct sk_buff *skb,
+ goto allow;
+ }
+
+- /* if it is a broadcast ... */
+- if (is_multicast_ether_addr(ethhdr->h_dest) && is_bcast) {
++ /* if it is a multicast ... */
++ if (is_multicast_ether_addr(ethhdr->h_dest) &&
++ (packet_type == BATADV_BCAST || packet_type == BATADV_UNICAST)) {
+ /* ... drop it. the responsible gateway is in charge.
+ *
+- * We need to check is_bcast because with the gateway
++ * We need to check packet type because with the gateway
+ * feature, broadcasts (like DHCP requests) may be sent
+- * using a unicast packet type.
++ * using a unicast 4 address packet type. See comment above.
+ */
+ goto handled;
+ } else {
+diff --git a/net/batman-adv/bridge_loop_avoidance.h b/net/batman-adv/bridge_loop_avoidance.h
+index 71f95a3e4d3f3..af28fdb01467c 100644
+--- a/net/batman-adv/bridge_loop_avoidance.h
++++ b/net/batman-adv/bridge_loop_avoidance.h
+@@ -48,7 +48,7 @@ static inline bool batadv_bla_is_loopdetect_mac(const uint8_t *mac)
+
+ #ifdef CONFIG_BATMAN_ADV_BLA
+ bool batadv_bla_rx(struct batadv_priv *bat_priv, struct sk_buff *skb,
+- unsigned short vid, bool is_bcast);
++ unsigned short vid, int packet_type);
+ bool batadv_bla_tx(struct batadv_priv *bat_priv, struct sk_buff *skb,
+ unsigned short vid);
+ bool batadv_bla_is_backbone_gw(struct sk_buff *skb,
+@@ -79,7 +79,7 @@ bool batadv_bla_check_claim(struct batadv_priv *bat_priv, u8 *addr,
+
+ static inline bool batadv_bla_rx(struct batadv_priv *bat_priv,
+ struct sk_buff *skb, unsigned short vid,
+- bool is_bcast)
++ int packet_type)
+ {
+ return false;
+ }
+diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c
+index a2976adeeedce..6ff78080ec7fb 100644
+--- a/net/batman-adv/soft-interface.c
++++ b/net/batman-adv/soft-interface.c
+@@ -426,10 +426,10 @@ void batadv_interface_rx(struct net_device *soft_iface,
+ struct vlan_ethhdr *vhdr;
+ struct ethhdr *ethhdr;
+ unsigned short vid;
+- bool is_bcast;
++ int packet_type;
+
+ batadv_bcast_packet = (struct batadv_bcast_packet *)skb->data;
+- is_bcast = (batadv_bcast_packet->packet_type == BATADV_BCAST);
++ packet_type = batadv_bcast_packet->packet_type;
+
+ skb_pull_rcsum(skb, hdr_size);
+ skb_reset_mac_header(skb);
+@@ -472,7 +472,7 @@ void batadv_interface_rx(struct net_device *soft_iface,
+ /* Let the bridge loop avoidance check the packet. If will
+ * not handle it, we can safely push it up.
+ */
+- if (batadv_bla_rx(bat_priv, skb, vid, is_bcast))
++ if (batadv_bla_rx(bat_priv, skb, vid, packet_type))
+ goto out;
+
+ if (orig_node)
+--
+2.25.1
+
--- /dev/null
+From ac02e277589b67c73c07589c9500e0010f20956e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Sep 2020 20:28:00 +0200
+Subject: batman-adv: mcast/TT: fix wrongly dropped or rerouted packets
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Lüssing <linus.luessing@c0d3.blue>
+
+[ Upstream commit 7dda5b3384121181c4e79f6eaeac2b94c0622c8d ]
+
+The unicast packet rerouting code makes several assumptions. For
+instance it assumes that there is always exactly one destination in the
+TT. This breaks for multicast frames in a unicast packets in several ways:
+
+For one thing if there is actually no TT entry and the destination node
+was selected due to the multicast tvlv flags it announced. Then an
+intermediate node will wrongly drop the packet.
+
+For another thing if there is a TT entry but the TTVN of this entry is
+newer than the originally addressed destination node: Then the
+intermediate node will wrongly redirect the packet, leading to
+duplicated multicast packets at a multicast listener and missing
+packets at other multicast listeners or multicast routers.
+
+Fixing this by not applying the unicast packet rerouting to batman-adv
+unicast packets with a multicast payload. We are not able to detect a
+roaming multicast listener at the moment and will just continue to send
+the multicast frame to both the new and old destination for a while in
+case of such a roaming multicast listener.
+
+Fixes: a73105b8d4c7 ("batman-adv: improved client announcement mechanism")
+Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/batman-adv/routing.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c
+index cc3ed93a6d513..98af41e3810dc 100644
+--- a/net/batman-adv/routing.c
++++ b/net/batman-adv/routing.c
+@@ -838,6 +838,10 @@ static bool batadv_check_unicast_ttvn(struct batadv_priv *bat_priv,
+ vid = batadv_get_vid(skb, hdr_len);
+ ethhdr = (struct ethhdr *)(skb->data + hdr_len);
+
++ /* do not reroute multicast frames in a unicast header */
++ if (is_multicast_ether_addr(ethhdr->h_dest))
++ return true;
++
+ /* check if the destination client was served by this node and it is now
+ * roaming. In this case, it means that the node has got a ROAM_ADV
+ * message and that it knows the new destination in the mesh to re-route
+--
+2.25.1
+
--- /dev/null
+From 78087bd0fa74175d58235fc3a46bd91ad75f6bb9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Sep 2020 17:44:01 -0700
+Subject: bpf: Fix a rcu warning for bpffs map pretty-print
+
+From: Yonghong Song <yhs@fb.com>
+
+[ Upstream commit ce880cb825fcc22d4e39046a6c3a3a7f6603883d ]
+
+Running selftest
+ ./btf_btf -p
+the kernel had the following warning:
+ [ 51.528185] WARNING: CPU: 3 PID: 1756 at kernel/bpf/hashtab.c:717 htab_map_get_next_key+0x2eb/0x300
+ [ 51.529217] Modules linked in:
+ [ 51.529583] CPU: 3 PID: 1756 Comm: test_btf Not tainted 5.9.0-rc1+ #878
+ [ 51.530346] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.9.3-1.el7.centos 04/01/2014
+ [ 51.531410] RIP: 0010:htab_map_get_next_key+0x2eb/0x300
+ ...
+ [ 51.542826] Call Trace:
+ [ 51.543119] map_seq_next+0x53/0x80
+ [ 51.543528] seq_read+0x263/0x400
+ [ 51.543932] vfs_read+0xad/0x1c0
+ [ 51.544311] ksys_read+0x5f/0xe0
+ [ 51.544689] do_syscall_64+0x33/0x40
+ [ 51.545116] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+The related source code in kernel/bpf/hashtab.c:
+ 709 static int htab_map_get_next_key(struct bpf_map *map, void *key, void *next_key)
+ 710 {
+ 711 struct bpf_htab *htab = container_of(map, struct bpf_htab, map);
+ 712 struct hlist_nulls_head *head;
+ 713 struct htab_elem *l, *next_l;
+ 714 u32 hash, key_size;
+ 715 int i = 0;
+ 716
+ 717 WARN_ON_ONCE(!rcu_read_lock_held());
+
+In kernel/bpf/inode.c, bpffs map pretty print calls map->ops->map_get_next_key()
+without holding a rcu_read_lock(), hence causing the above warning.
+To fix the issue, just surrounding map->ops->map_get_next_key() with rcu read lock.
+
+Fixes: a26ca7c982cb ("bpf: btf: Add pretty print support to the basic arraymap")
+Reported-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Yonghong Song <yhs@fb.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Andrii Nakryiko <andriin@fb.com>
+Cc: Martin KaFai Lau <kafai@fb.com>
+Link: https://lore.kernel.org/bpf/20200916004401.146277-1-yhs@fb.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/inode.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/inode.c b/kernel/bpf/inode.c
+index c04815bb15cc1..11fade89c1f38 100644
+--- a/kernel/bpf/inode.c
++++ b/kernel/bpf/inode.c
+@@ -207,10 +207,12 @@ static void *map_seq_next(struct seq_file *m, void *v, loff_t *pos)
+ else
+ prev_key = key;
+
++ rcu_read_lock();
+ if (map->ops->map_get_next_key(map, prev_key, key)) {
+ map_iter(m)->done = true;
+- return NULL;
++ key = NULL;
+ }
++ rcu_read_unlock();
+ return key;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From cca86ab58eb08012e196639adb0f27440b542d29 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Sep 2020 00:04:10 +0200
+Subject: bpf: Fix clobbering of r2 in bpf_gen_ld_abs
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit e6a18d36118bea3bf497c9df4d9988b6df120689 ]
+
+Bryce reported that he saw the following with:
+
+ 0: r6 = r1
+ 1: r1 = 12
+ 2: r0 = *(u16 *)skb[r1]
+
+The xlated sequence was incorrectly clobbering r2 with pointer
+value of r6 ...
+
+ 0: (bf) r6 = r1
+ 1: (b7) r1 = 12
+ 2: (bf) r1 = r6
+ 3: (bf) r2 = r1
+ 4: (85) call bpf_skb_load_helper_16_no_cache#7692160
+
+... and hence call to the load helper never succeeded given the
+offset was too high. Fix it by reordering the load of r6 to r1.
+
+Other than that the insn has similar calling convention than BPF
+helpers, that is, r0 - r5 are scratch regs, so nothing else
+affected after the insn.
+
+Fixes: e0cea7ce988c ("bpf: implement ld_abs/ld_ind in native bpf")
+Reported-by: Bryce Kahle <bryce.kahle@datadoghq.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Link: https://lore.kernel.org/bpf/cace836e4d07bb63b1a53e49c5dfb238a040c298.1599512096.git.daniel@iogearbox.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/filter.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/core/filter.c b/net/core/filter.c
+index 25a2c3186e14a..557bd5cc8f94c 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -5418,8 +5418,6 @@ static int bpf_gen_ld_abs(const struct bpf_insn *orig,
+ bool indirect = BPF_MODE(orig->code) == BPF_IND;
+ struct bpf_insn *insn = insn_buf;
+
+- /* We're guaranteed here that CTX is in R6. */
+- *insn++ = BPF_MOV64_REG(BPF_REG_1, BPF_REG_CTX);
+ if (!indirect) {
+ *insn++ = BPF_MOV64_IMM(BPF_REG_2, orig->imm);
+ } else {
+@@ -5427,6 +5425,8 @@ static int bpf_gen_ld_abs(const struct bpf_insn *orig,
+ if (orig->imm)
+ *insn++ = BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, orig->imm);
+ }
++ /* We're guaranteed here that CTX is in R6. */
++ *insn++ = BPF_MOV64_REG(BPF_REG_1, BPF_REG_CTX);
+
+ switch (BPF_SIZE(orig->code)) {
+ case BPF_B:
+--
+2.25.1
+
--- /dev/null
+From 718b2bc2cdc05b44a6e4977bba5c1f696cf1aaac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 2 Aug 2020 19:15:41 +0800
+Subject: clocksource/drivers/h8300_timer8: Fix wrong return value in
+ h8300_8timer_init()
+
+From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+
+[ Upstream commit 400d033f5a599120089b5f0c54d14d198499af5a ]
+
+In the init function, if the call to of_iomap() fails, the return
+value is ENXIO instead of -ENXIO.
+
+Change to the right negative errno.
+
+Fixes: 691f8f878290f ("clocksource/drivers/h8300_timer8: Convert init function to return error")
+Cc: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Link: https://lore.kernel.org/r/20200802111541.5429-1-tianjia.zhang@linux.alibaba.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clocksource/h8300_timer8.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clocksource/h8300_timer8.c b/drivers/clocksource/h8300_timer8.c
+index 1d740a8c42ab3..47114c2a7cb54 100644
+--- a/drivers/clocksource/h8300_timer8.c
++++ b/drivers/clocksource/h8300_timer8.c
+@@ -169,7 +169,7 @@ static int __init h8300_8timer_init(struct device_node *node)
+ return PTR_ERR(clk);
+ }
+
+- ret = ENXIO;
++ ret = -ENXIO;
+ base = of_iomap(node, 0);
+ if (!base) {
+ pr_err("failed to map registers for clockevent\n");
+--
+2.25.1
+
--- /dev/null
+From 98982ffb4849720d4945da4509cdf27c118d37d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Sep 2020 18:21:39 +0200
+Subject: drm/sun4i: sun8i-csc: Secondary CSC register correction
+
+From: Martin Cerveny <m.cerveny@computer.org>
+
+[ Upstream commit cab4c03b4ba54c8d9378298cacb8bc0fd74ceece ]
+
+"Allwinner V3s" has secondary video layer (VI).
+Decoded video is displayed in wrong colors until
+secondary CSC registers are programmed correctly.
+
+Fixes: 883029390550 ("drm/sun4i: Add DE2 CSC library")
+Signed-off-by: Martin Cerveny <m.cerveny@computer.org>
+Reviewed-by: Jernej Skrabec <jernej.skrabec@siol.net>
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200906162140.5584-2-m.cerveny@computer.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/sun4i/sun8i_csc.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/sun4i/sun8i_csc.h b/drivers/gpu/drm/sun4i/sun8i_csc.h
+index 880e8fbb08556..242752b2d328c 100644
+--- a/drivers/gpu/drm/sun4i/sun8i_csc.h
++++ b/drivers/gpu/drm/sun4i/sun8i_csc.h
+@@ -14,7 +14,7 @@ struct sun8i_mixer;
+
+ /* VI channel CSC units offsets */
+ #define CCSC00_OFFSET 0xAA050
+-#define CCSC01_OFFSET 0xFA000
++#define CCSC01_OFFSET 0xFA050
+ #define CCSC10_OFFSET 0xA0000
+ #define CCSC11_OFFSET 0xF0000
+
+--
+2.25.1
+
--- /dev/null
+From abc3b9089dc3519139b9ef1c410af6738b9a6b8b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Jul 2020 09:39:49 +0200
+Subject: drm/vc4/vc4_hdmi: fill ASoC card owner
+
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+
+[ Upstream commit ec653df2a0cbc306a4bfcb0e3484d318fa779002 ]
+
+card->owner is a required property and since commit 81033c6b584b ("ALSA:
+core: Warn on empty module") a warning is issued if it is empty. Fix lack
+of it. This fixes following warning observed on RaspberryPi 3B board
+with ARM 32bit kernel and multi_v7_defconfig:
+
+------------[ cut here ]------------
+WARNING: CPU: 1 PID: 210 at sound/core/init.c:207 snd_card_new+0x378/0x398 [snd]
+Modules linked in: vc4(+) snd_soc_core ac97_bus snd_pcm_dmaengine bluetooth snd_pcm snd_timer crc32_arm_ce raspberrypi_hwmon snd soundcore ecdh_generic ecc bcm2835_thermal phy_generic
+CPU: 1 PID: 210 Comm: systemd-udevd Not tainted 5.8.0-rc1-00027-g81033c6b584b #1087
+Hardware name: BCM2835
+[<c03113c0>] (unwind_backtrace) from [<c030bcb4>] (show_stack+0x10/0x14)
+[<c030bcb4>] (show_stack) from [<c071cef8>] (dump_stack+0xd4/0xe8)
+[<c071cef8>] (dump_stack) from [<c0345bfc>] (__warn+0xdc/0xf4)
+[<c0345bfc>] (__warn) from [<c0345cc4>] (warn_slowpath_fmt+0xb0/0xb8)
+[<c0345cc4>] (warn_slowpath_fmt) from [<bf02ff74>] (snd_card_new+0x378/0x398 [snd])
+[<bf02ff74>] (snd_card_new [snd]) from [<bf11f0b4>] (snd_soc_bind_card+0x280/0x99c [snd_soc_core])
+[<bf11f0b4>] (snd_soc_bind_card [snd_soc_core]) from [<bf12f000>] (devm_snd_soc_register_card+0x34/0x6c [snd_soc_core])
+[<bf12f000>] (devm_snd_soc_register_card [snd_soc_core]) from [<bf165654>] (vc4_hdmi_bind+0x43c/0x5f4 [vc4])
+[<bf165654>] (vc4_hdmi_bind [vc4]) from [<c09d660c>] (component_bind_all+0xec/0x24c)
+[<c09d660c>] (component_bind_all) from [<bf15c44c>] (vc4_drm_bind+0xd4/0x174 [vc4])
+[<bf15c44c>] (vc4_drm_bind [vc4]) from [<c09d6ac0>] (try_to_bring_up_master+0x160/0x1b0)
+[<c09d6ac0>] (try_to_bring_up_master) from [<c09d6f38>] (component_master_add_with_match+0xd0/0x104)
+[<c09d6f38>] (component_master_add_with_match) from [<bf15c588>] (vc4_platform_drm_probe+0x9c/0xbc [vc4])
+[<bf15c588>] (vc4_platform_drm_probe [vc4]) from [<c09df740>] (platform_drv_probe+0x6c/0xa4)
+[<c09df740>] (platform_drv_probe) from [<c09dd6f0>] (really_probe+0x210/0x350)
+[<c09dd6f0>] (really_probe) from [<c09dd940>] (driver_probe_device+0x5c/0xb4)
+[<c09dd940>] (driver_probe_device) from [<c09ddb38>] (device_driver_attach+0x58/0x60)
+[<c09ddb38>] (device_driver_attach) from [<c09ddbc0>] (__driver_attach+0x80/0xbc)
+[<c09ddbc0>] (__driver_attach) from [<c09db820>] (bus_for_each_dev+0x68/0xb4)
+[<c09db820>] (bus_for_each_dev) from [<c09dc9f8>] (bus_add_driver+0x130/0x1e8)
+[<c09dc9f8>] (bus_add_driver) from [<c09de648>] (driver_register+0x78/0x110)
+[<c09de648>] (driver_register) from [<c0302038>] (do_one_initcall+0x50/0x220)
+[<c0302038>] (do_one_initcall) from [<c03db544>] (do_init_module+0x60/0x210)
+[<c03db544>] (do_init_module) from [<c03da4f8>] (load_module+0x1e34/0x2338)
+[<c03da4f8>] (load_module) from [<c03dac00>] (sys_finit_module+0xac/0xbc)
+[<c03dac00>] (sys_finit_module) from [<c03000c0>] (ret_fast_syscall+0x0/0x54)
+Exception stack(0xeded9fa8 to 0xeded9ff0)
+...
+---[ end trace 6414689569c2bc08 ]---
+
+Fixes: bb7d78568814 ("drm/vc4: Add HDMI audio support")
+Suggested-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Tested-by: Stefan Wahren <stefan.wahren@i2se.com>
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200701073949.28941-1-m.szyprowski@samsung.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_hdmi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c
+index 86b98856756d9..1161662664577 100644
+--- a/drivers/gpu/drm/vc4/vc4_hdmi.c
++++ b/drivers/gpu/drm/vc4/vc4_hdmi.c
+@@ -1134,6 +1134,7 @@ static int vc4_hdmi_audio_init(struct vc4_hdmi *hdmi)
+ card->num_links = 1;
+ card->name = "vc4-hdmi";
+ card->dev = dev;
++ card->owner = THIS_MODULE;
+
+ /*
+ * Be careful, snd_soc_register_card() calls dev_set_drvdata() and
+--
+2.25.1
+
--- /dev/null
+From 714865e0e35490657eef028a610f3b97afd03b4f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 2 Aug 2020 07:23:39 -0700
+Subject: ieee802154/adf7242: check status of adf7242_read_reg
+
+From: Tom Rix <trix@redhat.com>
+
+[ Upstream commit e3914ed6cf44bfe1f169e26241f8314556fd1ac1 ]
+
+Clang static analysis reports this error
+
+adf7242.c:887:6: warning: Assigned value is garbage or undefined
+ len = len_u8;
+ ^ ~~~~~~
+
+len_u8 is set in
+ adf7242_read_reg(lp, 0, &len_u8);
+
+When this call fails, len_u8 is not set.
+
+So check the return code.
+
+Fixes: 7302b9d90117 ("ieee802154/adf7242: Driver for ADF7242 MAC IEEE802154")
+
+Signed-off-by: Tom Rix <trix@redhat.com>
+Acked-by: Michael Hennerich <michael.hennerich@analog.com>
+Link: https://lore.kernel.org/r/20200802142339.21091-1-trix@redhat.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ieee802154/adf7242.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ieee802154/adf7242.c b/drivers/net/ieee802154/adf7242.c
+index 71be8524cca87..a686926bba71e 100644
+--- a/drivers/net/ieee802154/adf7242.c
++++ b/drivers/net/ieee802154/adf7242.c
+@@ -883,7 +883,9 @@ static int adf7242_rx(struct adf7242_local *lp)
+ int ret;
+ u8 lqi, len_u8, *data;
+
+- adf7242_read_reg(lp, 0, &len_u8);
++ ret = adf7242_read_reg(lp, 0, &len_u8);
++ if (ret)
++ return ret;
+
+ len = len_u8;
+
+--
+2.25.1
+
--- /dev/null
+From 9a5c9486b033e0dc561a7c62ef92b5372af0aa03 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Jul 2020 22:33:15 +0800
+Subject: ieee802154: fix one possible memleak in ca8210_dev_com_init
+
+From: Liu Jian <liujian56@huawei.com>
+
+[ Upstream commit 88f46b3fe2ac41c381770ebad9f2ee49346b57a2 ]
+
+We should call destroy_workqueue to destroy mlme_workqueue in error branch.
+
+Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driver")
+Signed-off-by: Liu Jian <liujian56@huawei.com>
+Link: https://lore.kernel.org/r/20200720143315.40523-1-liujian56@huawei.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ieee802154/ca8210.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c
+index 38a41651e451c..deace0aadad24 100644
+--- a/drivers/net/ieee802154/ca8210.c
++++ b/drivers/net/ieee802154/ca8210.c
+@@ -2923,6 +2923,7 @@ static int ca8210_dev_com_init(struct ca8210_priv *priv)
+ );
+ if (!priv->irq_workqueue) {
+ dev_crit(&priv->spi->dev, "alloc of irq_workqueue failed!\n");
++ destroy_workqueue(priv->mlme_workqueue);
+ return -ENOMEM;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 9677bf2b6c4e31da3194bc48354c64b9f7d2dfa3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Sep 2020 13:41:57 -0500
+Subject: KVM: SVM: Add a dedicated INVD intercept routine
+
+From: Tom Lendacky <thomas.lendacky@amd.com>
+
+[ Upstream commit 4bb05f30483fd21ea5413eaf1182768f251cf625 ]
+
+The INVD instruction intercept performs emulation. Emulation can't be done
+on an SEV guest because the guest memory is encrypted.
+
+Provide a dedicated intercept routine for the INVD intercept. And since
+the instruction is emulated as a NOP, just skip it instead.
+
+Fixes: 1654efcbc431 ("KVM: SVM: Add KVM_SEV_INIT command")
+Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
+Message-Id: <a0b9a19ffa7fef86a3cc700c7ea01cb2731e04e5.1600972918.git.thomas.lendacky@amd.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/svm.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
+index 2aafb6c791345..cb09a0ec87500 100644
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -3942,6 +3942,12 @@ static int iret_interception(struct vcpu_svm *svm)
+ return 1;
+ }
+
++static int invd_interception(struct vcpu_svm *svm)
++{
++ /* Treat an INVD instruction as a NOP and just skip it. */
++ return kvm_skip_emulated_instruction(&svm->vcpu);
++}
++
+ static int invlpg_interception(struct vcpu_svm *svm)
+ {
+ if (!static_cpu_has(X86_FEATURE_DECODEASSISTS))
+@@ -4831,7 +4837,7 @@ static int (*const svm_exit_handlers[])(struct vcpu_svm *svm) = {
+ [SVM_EXIT_RDPMC] = rdpmc_interception,
+ [SVM_EXIT_CPUID] = cpuid_interception,
+ [SVM_EXIT_IRET] = iret_interception,
+- [SVM_EXIT_INVD] = emulate_on_interception,
++ [SVM_EXIT_INVD] = invd_interception,
+ [SVM_EXIT_PAUSE] = pause_interception,
+ [SVM_EXIT_HLT] = halt_interception,
+ [SVM_EXIT_INVLPG] = invlpg_interception,
+--
+2.25.1
+
--- /dev/null
+From 8f73fcfafc95d272efd839fbbb4c9dd7ca82b6b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Sep 2020 14:53:52 -0700
+Subject: KVM: x86: Reset MMU context if guest toggles CR4.SMAP or CR4.PKE
+
+From: Sean Christopherson <sean.j.christopherson@intel.com>
+
+[ Upstream commit 8d214c481611b29458a57913bd786f0ac06f0605 ]
+
+Reset the MMU context during kvm_set_cr4() if SMAP or PKE is toggled.
+Recent commits to (correctly) not reload PDPTRs when SMAP/PKE are
+toggled inadvertantly skipped the MMU context reset due to the mask
+of bits that triggers PDPTR loads also being used to trigger MMU context
+resets.
+
+Fixes: 427890aff855 ("kvm: x86: Toggling CR4.SMAP does not load PDPTEs in PAE mode")
+Fixes: cb957adb4ea4 ("kvm: x86: Toggling CR4.PKE does not load PDPTEs in PAE mode")
+Cc: Jim Mattson <jmattson@google.com>
+Cc: Peter Shier <pshier@google.com>
+Cc: Oliver Upton <oupton@google.com>
+Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
+Message-Id: <20200923215352.17756-1-sean.j.christopherson@intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/x86.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 620ed1fa35119..dd182228be714 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -858,6 +858,7 @@ int kvm_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
+ unsigned long old_cr4 = kvm_read_cr4(vcpu);
+ unsigned long pdptr_bits = X86_CR4_PGE | X86_CR4_PSE | X86_CR4_PAE |
+ X86_CR4_SMEP;
++ unsigned long mmu_role_bits = pdptr_bits | X86_CR4_SMAP | X86_CR4_PKE;
+
+ if (kvm_valid_cr4(vcpu, cr4))
+ return 1;
+@@ -885,7 +886,7 @@ int kvm_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
+ if (kvm_x86_ops->set_cr4(vcpu, cr4))
+ return 1;
+
+- if (((cr4 ^ old_cr4) & pdptr_bits) ||
++ if (((cr4 ^ old_cr4) & mmu_role_bits) ||
+ (!(cr4 & X86_CR4_PCIDE) && (old_cr4 & X86_CR4_PCIDE)))
+ kvm_mmu_reset_context(vcpu);
+
+--
+2.25.1
+
--- /dev/null
+From 47b9edd1d298868d2d010b160b82d5425a3523a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Sep 2020 03:40:25 -0700
+Subject: mac802154: tx: fix use-after-free
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 0ff4628f4c6c1ab87eef9f16b25355cadc426d64 ]
+
+syzbot reported a bug in ieee802154_tx() [1]
+
+A similar issue in ieee802154_xmit_worker() is also fixed in this patch.
+
+[1]
+BUG: KASAN: use-after-free in ieee802154_tx+0x3d2/0x480 net/mac802154/tx.c:88
+Read of size 4 at addr ffff8880251a8c70 by task syz-executor.3/928
+
+CPU: 0 PID: 928 Comm: syz-executor.3 Not tainted 5.9.0-rc3-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x198/0x1fd lib/dump_stack.c:118
+ print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383
+ __kasan_report mm/kasan/report.c:513 [inline]
+ kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
+ ieee802154_tx+0x3d2/0x480 net/mac802154/tx.c:88
+ ieee802154_subif_start_xmit+0xbe/0xe4 net/mac802154/tx.c:130
+ __netdev_start_xmit include/linux/netdevice.h:4634 [inline]
+ netdev_start_xmit include/linux/netdevice.h:4648 [inline]
+ dev_direct_xmit+0x4e9/0x6e0 net/core/dev.c:4203
+ packet_snd net/packet/af_packet.c:2989 [inline]
+ packet_sendmsg+0x2413/0x5290 net/packet/af_packet.c:3014
+ sock_sendmsg_nosec net/socket.c:651 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:671
+ ____sys_sendmsg+0x6e8/0x810 net/socket.c:2353
+ ___sys_sendmsg+0xf3/0x170 net/socket.c:2407
+ __sys_sendmsg+0xe5/0x1b0 net/socket.c:2440
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x45d5b9
+Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007fc98e749c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 000000000002ccc0 RCX: 000000000045d5b9
+RDX: 0000000000000000 RSI: 0000000020007780 RDI: 000000000000000b
+RBP: 000000000118d020 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118cfec
+R13: 00007fff690c720f R14: 00007fc98e74a9c0 R15: 000000000118cfec
+
+Allocated by task 928:
+ kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
+ kasan_set_track mm/kasan/common.c:56 [inline]
+ __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461
+ slab_post_alloc_hook mm/slab.h:518 [inline]
+ slab_alloc_node mm/slab.c:3254 [inline]
+ kmem_cache_alloc_node+0x136/0x3e0 mm/slab.c:3574
+ __alloc_skb+0x71/0x550 net/core/skbuff.c:198
+ alloc_skb include/linux/skbuff.h:1094 [inline]
+ alloc_skb_with_frags+0x92/0x570 net/core/skbuff.c:5771
+ sock_alloc_send_pskb+0x72a/0x880 net/core/sock.c:2348
+ packet_alloc_skb net/packet/af_packet.c:2837 [inline]
+ packet_snd net/packet/af_packet.c:2932 [inline]
+ packet_sendmsg+0x19fb/0x5290 net/packet/af_packet.c:3014
+ sock_sendmsg_nosec net/socket.c:651 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:671
+ ____sys_sendmsg+0x6e8/0x810 net/socket.c:2353
+ ___sys_sendmsg+0xf3/0x170 net/socket.c:2407
+ __sys_sendmsg+0xe5/0x1b0 net/socket.c:2440
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Freed by task 928:
+ kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
+ kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
+ kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
+ __kasan_slab_free+0xd8/0x120 mm/kasan/common.c:422
+ __cache_free mm/slab.c:3418 [inline]
+ kmem_cache_free.part.0+0x74/0x1e0 mm/slab.c:3693
+ kfree_skbmem+0xef/0x1b0 net/core/skbuff.c:622
+ __kfree_skb net/core/skbuff.c:679 [inline]
+ consume_skb net/core/skbuff.c:838 [inline]
+ consume_skb+0xcf/0x160 net/core/skbuff.c:832
+ __dev_kfree_skb_any+0x9c/0xc0 net/core/dev.c:3107
+ fakelb_hw_xmit+0x20e/0x2a0 drivers/net/ieee802154/fakelb.c:81
+ drv_xmit_async net/mac802154/driver-ops.h:16 [inline]
+ ieee802154_tx+0x282/0x480 net/mac802154/tx.c:81
+ ieee802154_subif_start_xmit+0xbe/0xe4 net/mac802154/tx.c:130
+ __netdev_start_xmit include/linux/netdevice.h:4634 [inline]
+ netdev_start_xmit include/linux/netdevice.h:4648 [inline]
+ dev_direct_xmit+0x4e9/0x6e0 net/core/dev.c:4203
+ packet_snd net/packet/af_packet.c:2989 [inline]
+ packet_sendmsg+0x2413/0x5290 net/packet/af_packet.c:3014
+ sock_sendmsg_nosec net/socket.c:651 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:671
+ ____sys_sendmsg+0x6e8/0x810 net/socket.c:2353
+ ___sys_sendmsg+0xf3/0x170 net/socket.c:2407
+ __sys_sendmsg+0xe5/0x1b0 net/socket.c:2440
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+The buggy address belongs to the object at ffff8880251a8c00
+ which belongs to the cache skbuff_head_cache of size 224
+The buggy address is located 112 bytes inside of
+ 224-byte region [ffff8880251a8c00, ffff8880251a8ce0)
+The buggy address belongs to the page:
+page:0000000062b6a4f1 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x251a8
+flags: 0xfffe0000000200(slab)
+raw: 00fffe0000000200 ffffea0000435c88 ffffea00028b6c08 ffff8880a9055d00
+raw: 0000000000000000 ffff8880251a80c0 000000010000000c 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8880251a8b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff8880251a8b80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
+>ffff8880251a8c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff8880251a8c80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
+ ffff8880251a8d00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
+
+Fixes: 409c3b0c5f03 ("mac802154: tx: move stats tx increment")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Alexander Aring <alex.aring@gmail.com>
+Cc: Stefan Schmidt <stefan@datenfreihafen.org>
+Cc: linux-wpan@vger.kernel.org
+Link: https://lore.kernel.org/r/20200908104025.4009085-1-edumazet@google.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac802154/tx.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/net/mac802154/tx.c b/net/mac802154/tx.c
+index bcd1a5e6ebf42..2f873a0dc5836 100644
+--- a/net/mac802154/tx.c
++++ b/net/mac802154/tx.c
+@@ -42,11 +42,11 @@ void ieee802154_xmit_worker(struct work_struct *work)
+ if (res)
+ goto err_tx;
+
+- ieee802154_xmit_complete(&local->hw, skb, false);
+-
+ dev->stats.tx_packets++;
+ dev->stats.tx_bytes += skb->len;
+
++ ieee802154_xmit_complete(&local->hw, skb, false);
++
+ return;
+
+ err_tx:
+@@ -86,6 +86,8 @@ ieee802154_tx(struct ieee802154_local *local, struct sk_buff *skb)
+
+ /* async is priority, otherwise sync is fallback */
+ if (local->ops->xmit_async) {
++ unsigned int len = skb->len;
++
+ ret = drv_xmit_async(local, skb);
+ if (ret) {
+ ieee802154_wake_queue(&local->hw);
+@@ -93,7 +95,7 @@ ieee802154_tx(struct ieee802154_local *local, struct sk_buff *skb)
+ }
+
+ dev->stats.tx_packets++;
+- dev->stats.tx_bytes += skb->len;
++ dev->stats.tx_bytes += len;
+ } else {
+ local->tx_skb = skb;
+ queue_work(local->workqueue, &local->tx_work);
+--
+2.25.1
+
--- /dev/null
+From 22cea15e798ed17622a9b860b84d1b8cacce5a52 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Sep 2020 14:53:12 +0800
+Subject: MIPS: Add the missing 'CPU_1074K' into __get_cpu_type()
+
+From: Wei Li <liwei391@huawei.com>
+
+[ Upstream commit e393fbe6fa27af23f78df6e16a8fd2963578a8c4 ]
+
+Commit 442e14a2c55e ("MIPS: Add 1074K CPU support explicitly.") split
+1074K from the 74K as an unique CPU type, while it missed to add the
+'CPU_1074K' in __get_cpu_type(). So let's add it back.
+
+Fixes: 442e14a2c55e ("MIPS: Add 1074K CPU support explicitly.")
+Signed-off-by: Wei Li <liwei391@huawei.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/include/asm/cpu-type.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/mips/include/asm/cpu-type.h b/arch/mips/include/asm/cpu-type.h
+index a45af3de075d9..d43e4ab20b238 100644
+--- a/arch/mips/include/asm/cpu-type.h
++++ b/arch/mips/include/asm/cpu-type.h
+@@ -47,6 +47,7 @@ static inline int __pure __get_cpu_type(const int cpu_type)
+ case CPU_34K:
+ case CPU_1004K:
+ case CPU_74K:
++ case CPU_1074K:
+ case CPU_M14KC:
+ case CPU_M14KEC:
+ case CPU_INTERAPTIV:
+--
+2.25.1
+
--- /dev/null
+From 3606871371283212e47025c7df4b86dce4dd3d1b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Aug 2020 17:38:29 +0200
+Subject: mwifiex: Increase AES key storage size to 256 bits
+
+From: Maximilian Luz <luzmaximilian@gmail.com>
+
+[ Upstream commit 4afc850e2e9e781976fb2c7852ce7bac374af938 ]
+
+Following commit e18696786548 ("mwifiex: Prevent memory corruption
+handling keys") the mwifiex driver fails to authenticate with certain
+networks, specifically networks with 256 bit keys, and repeatedly asks
+for the password. The kernel log repeats the following lines (id and
+bssid redacted):
+
+ mwifiex_pcie 0000:01:00.0: info: trying to associate to '<id>' bssid <bssid>
+ mwifiex_pcie 0000:01:00.0: info: associated to bssid <bssid> successfully
+ mwifiex_pcie 0000:01:00.0: crypto keys added
+ mwifiex_pcie 0000:01:00.0: info: successfully disconnected from <bssid>: reason code 3
+
+Tracking down this problem lead to the overflow check introduced by the
+aforementioned commit into mwifiex_ret_802_11_key_material_v2(). This
+check fails on networks with 256 bit keys due to the current storage
+size for AES keys in struct mwifiex_aes_param being only 128 bit.
+
+To fix this issue, increase the storage size for AES keys to 256 bit.
+
+Fixes: e18696786548 ("mwifiex: Prevent memory corruption handling keys")
+Signed-off-by: Maximilian Luz <luzmaximilian@gmail.com>
+Reported-by: Kaloyan Nikolov <konik98@gmail.com>
+Tested-by: Kaloyan Nikolov <konik98@gmail.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Brian Norris <briannorris@chromium.org>
+Tested-by: Brian Norris <briannorris@chromium.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200825153829.38043-1-luzmaximilian@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwifiex/fw.h | 2 +-
+ drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/fw.h b/drivers/net/wireless/marvell/mwifiex/fw.h
+index 1fb76d2f5d3fd..8b9d0809daf62 100644
+--- a/drivers/net/wireless/marvell/mwifiex/fw.h
++++ b/drivers/net/wireless/marvell/mwifiex/fw.h
+@@ -953,7 +953,7 @@ struct mwifiex_tkip_param {
+ struct mwifiex_aes_param {
+ u8 pn[WPA_PN_SIZE];
+ __le16 key_len;
+- u8 key[WLAN_KEY_LEN_CCMP];
++ u8 key[WLAN_KEY_LEN_CCMP_256];
+ } __packed;
+
+ struct mwifiex_wapi_param {
+diff --git a/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c b/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c
+index 797c2e9783943..7003767eef423 100644
+--- a/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c
++++ b/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c
+@@ -620,7 +620,7 @@ static int mwifiex_ret_802_11_key_material_v2(struct mwifiex_private *priv,
+ key_v2 = &resp->params.key_material_v2;
+
+ len = le16_to_cpu(key_v2->key_param_set.key_params.aes.key_len);
+- if (len > WLAN_KEY_LEN_CCMP)
++ if (len > sizeof(key_v2->key_param_set.key_params.aes.key))
+ return -EINVAL;
+
+ if (le16_to_cpu(key_v2->action) == HostCmd_ACT_GEN_SET) {
+@@ -636,7 +636,7 @@ static int mwifiex_ret_802_11_key_material_v2(struct mwifiex_private *priv,
+ return 0;
+
+ memset(priv->aes_key_v2.key_param_set.key_params.aes.key, 0,
+- WLAN_KEY_LEN_CCMP);
++ sizeof(key_v2->key_param_set.key_params.aes.key));
+ priv->aes_key_v2.key_param_set.key_params.aes.key_len =
+ cpu_to_le16(len);
+ memcpy(priv->aes_key_v2.key_param_set.key_params.aes.key,
+--
+2.25.1
+
--- /dev/null
+From f0bf7c9f51e24445c3136b4d13c1591f18e4d05e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Sep 2020 20:43:10 +0300
+Subject: net: qed: RDMA personality shouldn't fail VF load
+
+From: Dmitry Bogdanov <dbogdanov@marvell.com>
+
+[ Upstream commit ce1cf9e5025f4e2d2198728391f1847b3e168bc6 ]
+
+Fix the assert during VF driver installation when the personality is iWARP
+
+Fixes: 1fe614d10f45 ("qed: Relax VF firmware requirements")
+Signed-off-by: Igor Russkikh <irusskikh@marvell.com>
+Signed-off-by: Michal Kalderon <michal.kalderon@marvell.com>
+Signed-off-by: Dmitry Bogdanov <dbogdanov@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_sriov.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_sriov.c b/drivers/net/ethernet/qlogic/qed/qed_sriov.c
+index 71a7af134dd8e..886c7aae662fa 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_sriov.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_sriov.c
+@@ -96,6 +96,7 @@ static int qed_sp_vf_start(struct qed_hwfn *p_hwfn, struct qed_vf_info *p_vf)
+ p_ramrod->personality = PERSONALITY_ETH;
+ break;
+ case QED_PCI_ETH_ROCE:
++ case QED_PCI_ETH_IWARP:
+ p_ramrod->personality = PERSONALITY_RDMA_AND_ETH;
+ break;
+ default:
+--
+2.25.1
+
--- /dev/null
+From aa8bc75617f8459d6dd5193c60325932f81b43ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Sep 2020 18:34:04 +0300
+Subject: regmap: fix page selection for noinc reads
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit 4003324856311faebb46cbd56a1616bd3f3b67c2 ]
+
+Non-incrementing reads can fail if register + length crosses page
+border. However for non-incrementing reads we should not check for page
+border crossing. Fix this by passing additional flag to _regmap_raw_read
+and passing length to _regmap_select_page basing on the flag.
+
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Fixes: 74fe7b551f33 ("regmap: Add regmap_noinc_read API")
+Link: https://lore.kernel.org/r/20200917153405.3139200-1-dmitry.baryshkov@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/regmap/regmap.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c
+index d26b485ccc7d0..e8b3353c18eb8 100644
+--- a/drivers/base/regmap/regmap.c
++++ b/drivers/base/regmap/regmap.c
+@@ -2367,7 +2367,7 @@ int regmap_raw_write_async(struct regmap *map, unsigned int reg,
+ EXPORT_SYMBOL_GPL(regmap_raw_write_async);
+
+ static int _regmap_raw_read(struct regmap *map, unsigned int reg, void *val,
+- unsigned int val_len)
++ unsigned int val_len, bool noinc)
+ {
+ struct regmap_range_node *range;
+ int ret;
+@@ -2380,7 +2380,7 @@ static int _regmap_raw_read(struct regmap *map, unsigned int reg, void *val,
+ range = _regmap_range_lookup(map, reg);
+ if (range) {
+ ret = _regmap_select_page(map, ®, range,
+- val_len / map->format.val_bytes);
++ noinc ? 1 : val_len / map->format.val_bytes);
+ if (ret != 0)
+ return ret;
+ }
+@@ -2418,7 +2418,7 @@ static int _regmap_bus_read(void *context, unsigned int reg,
+ if (!map->format.parse_val)
+ return -EINVAL;
+
+- ret = _regmap_raw_read(map, reg, work_val, map->format.val_bytes);
++ ret = _regmap_raw_read(map, reg, work_val, map->format.val_bytes, false);
+ if (ret == 0)
+ *val = map->format.parse_val(work_val);
+
+@@ -2536,7 +2536,7 @@ int regmap_raw_read(struct regmap *map, unsigned int reg, void *val,
+
+ /* Read bytes that fit into whole chunks */
+ for (i = 0; i < chunk_count; i++) {
+- ret = _regmap_raw_read(map, reg, val, chunk_bytes);
++ ret = _regmap_raw_read(map, reg, val, chunk_bytes, false);
+ if (ret != 0)
+ goto out;
+
+@@ -2547,7 +2547,7 @@ int regmap_raw_read(struct regmap *map, unsigned int reg, void *val,
+
+ /* Read remaining bytes */
+ if (val_len) {
+- ret = _regmap_raw_read(map, reg, val, val_len);
++ ret = _regmap_raw_read(map, reg, val, val_len, false);
+ if (ret != 0)
+ goto out;
+ }
+@@ -2622,7 +2622,7 @@ int regmap_noinc_read(struct regmap *map, unsigned int reg,
+ read_len = map->max_raw_read;
+ else
+ read_len = val_len;
+- ret = _regmap_raw_read(map, reg, val, read_len);
++ ret = _regmap_raw_read(map, reg, val, read_len, true);
+ if (ret)
+ goto out_unlock;
+ val = ((u8 *)val) + read_len;
+--
+2.25.1
+
drm-amdkfd-fix-a-memory-leak-issue.patch
i2c-core-call-i2c_acpi_install_space_handler-before-.patch
objtool-fix-noreturn-detection-for-ignored-functions.patch
+ieee802154-fix-one-possible-memleak-in-ca8210_dev_co.patch
+ieee802154-adf7242-check-status-of-adf7242_read_reg.patch
+clocksource-drivers-h8300_timer8-fix-wrong-return-va.patch
+mwifiex-increase-aes-key-storage-size-to-256-bits.patch
+batman-adv-bla-fix-type-misuse-for-backbone_gw-hash-.patch
+atm-eni-fix-the-missed-pci_disable_device-for-eni_in.patch
+batman-adv-mcast-tt-fix-wrongly-dropped-or-rerouted-.patch
+mac802154-tx-fix-use-after-free.patch
+bpf-fix-clobbering-of-r2-in-bpf_gen_ld_abs.patch
+drm-vc4-vc4_hdmi-fill-asoc-card-owner.patch
+net-qed-rdma-personality-shouldn-t-fail-vf-load.patch
+drm-sun4i-sun8i-csc-secondary-csc-register-correctio.patch
+batman-adv-add-missing-include-for-in_interrupt.patch
+batman-adv-mcast-fix-duplicate-mcast-packets-in-bla-.patch
+batman-adv-mcast-fix-duplicate-mcast-packets-from-bl.patch
+bpf-fix-a-rcu-warning-for-bpffs-map-pretty-print.patch
+alsa-asihpi-fix-iounmap-in-error-handler.patch
+regmap-fix-page-selection-for-noinc-reads.patch
+mips-add-the-missing-cpu_1074k-into-__get_cpu_type.patch
+kvm-x86-reset-mmu-context-if-guest-toggles-cr4.smap-.patch
+kvm-svm-add-a-dedicated-invd-intercept-routine.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
