--- /dev/null
+From e8a4155567b3c903f49cbf89b8017e9cc22c4fe4 Mon Sep 17 00:00:00 2001
+From: Vinay Kumar Yadav <vinay.yadav@chelsio.com>
+Date: Thu, 15 Apr 2021 13:17:48 +0530
+Subject: ch_ktls: do not send snd_una update to TCB in middle
+
+From: Vinay Kumar Yadav <vinay.yadav@chelsio.com>
+
+commit e8a4155567b3c903f49cbf89b8017e9cc22c4fe4 upstream.
+
+snd_una update should not be done when the same skb is being
+sent out.chcr_short_record_handler() sends it again even
+though SND_UNA update is already sent for the skb in
+chcr_ktls_xmit(), which causes mismatch in un-acked
+TCP seq number, later causes problem in sending out
+complete record.
+
+Fixes: 429765a149f1 ("chcr: handle partial end part of a record")
+Signed-off-by: Vinay Kumar Yadav <vinay.yadav@chelsio.com>
+Signed-off-by: Rohit Maheshwari <rohitm@chelsio.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/chelsio/inline_crypto/ch_ktls/chcr_ktls.c | 53 ----------
+ 1 file changed, 53 deletions(-)
+
+--- a/drivers/net/ethernet/chelsio/inline_crypto/ch_ktls/chcr_ktls.c
++++ b/drivers/net/ethernet/chelsio/inline_crypto/ch_ktls/chcr_ktls.c
+@@ -1650,54 +1650,6 @@ static void chcr_ktls_copy_record_in_skb
+ }
+
+ /*
+- * chcr_ktls_update_snd_una: Reset the SEND_UNA. It will be done to avoid
+- * sending the same segment again. It will discard the segment which is before
+- * the current tx max.
+- * @tx_info - driver specific tls info.
+- * @q - TX queue.
+- * return: NET_TX_OK/NET_XMIT_DROP.
+- */
+-static int chcr_ktls_update_snd_una(struct chcr_ktls_info *tx_info,
+- struct sge_eth_txq *q)
+-{
+- struct fw_ulptx_wr *wr;
+- unsigned int ndesc;
+- int credits;
+- void *pos;
+- u32 len;
+-
+- len = sizeof(*wr) + roundup(CHCR_SET_TCB_FIELD_LEN, 16);
+- ndesc = DIV_ROUND_UP(len, 64);
+-
+- credits = chcr_txq_avail(&q->q) - ndesc;
+- if (unlikely(credits < 0)) {
+- chcr_eth_txq_stop(q);
+- return NETDEV_TX_BUSY;
+- }
+-
+- pos = &q->q.desc[q->q.pidx];
+-
+- wr = pos;
+- /* ULPTX wr */
+- wr->op_to_compl = htonl(FW_WR_OP_V(FW_ULPTX_WR));
+- wr->cookie = 0;
+- /* fill len in wr field */
+- wr->flowid_len16 = htonl(FW_WR_LEN16_V(DIV_ROUND_UP(len, 16)));
+-
+- pos += sizeof(*wr);
+-
+- pos = chcr_write_cpl_set_tcb_ulp(tx_info, q, tx_info->tid, pos,
+- TCB_SND_UNA_RAW_W,
+- TCB_SND_UNA_RAW_V(TCB_SND_UNA_RAW_M),
+- TCB_SND_UNA_RAW_V(0), 0);
+-
+- chcr_txq_advance(&q->q, ndesc);
+- cxgb4_ring_tx_db(tx_info->adap, &q->q, ndesc);
+-
+- return 0;
+-}
+-
+-/*
+ * chcr_end_part_handler: This handler will handle the record which
+ * is complete or if record's end part is received. T6 adapter has a issue that
+ * it can't send out TAG with partial record so if its an end part then we have
+@@ -1897,11 +1849,6 @@ static int chcr_short_record_handler(str
+ /* reset tcp_seq as per the prior_data_required len */
+ tcp_seq -= prior_data_len;
+ }
+- /* reset snd una, so the middle record won't send the already
+- * sent part.
+- */
+- if (chcr_ktls_update_snd_una(tx_info, q))
+- goto out;
+ atomic64_inc(&tx_info->adap->ch_ktls_stats.ktls_tx_middle_pkts);
+ } else {
+ atomic64_inc(&tx_info->adap->ch_ktls_stats.ktls_tx_start_pkts);
--- /dev/null
+From bc16efd2430652f894ae34b1de5eccc3bf0d2810 Mon Sep 17 00:00:00 2001
+From: Vinay Kumar Yadav <vinay.yadav@chelsio.com>
+Date: Thu, 15 Apr 2021 13:17:46 +0530
+Subject: ch_ktls: fix device connection close
+
+From: Vinay Kumar Yadav <vinay.yadav@chelsio.com>
+
+commit bc16efd2430652f894ae34b1de5eccc3bf0d2810 upstream.
+
+When sge queue is full and chcr_ktls_xmit_wr_complete()
+returns failure, skb is not freed if it is not the last tls record in
+this skb, causes refcount never gets freed and tls_dev_del()
+never gets called on this connection.
+
+Fixes: 5a4b9fe7fece ("cxgb4/chcr: complete record tx handling")
+Signed-off-by: Vinay Kumar Yadav <vinay.yadav@chelsio.com>
+Signed-off-by: Rohit Maheshwari <rohitm@chelsio.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/chelsio/inline_crypto/ch_ktls/chcr_ktls.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/ethernet/chelsio/inline_crypto/ch_ktls/chcr_ktls.c
++++ b/drivers/net/ethernet/chelsio/inline_crypto/ch_ktls/chcr_ktls.c
+@@ -1740,7 +1740,9 @@ static int chcr_end_part_handler(struct
+ struct sge_eth_txq *q, u32 skb_offset,
+ u32 tls_end_offset, bool last_wr)
+ {
++ bool free_skb_if_tx_fails = false;
+ struct sk_buff *nskb = NULL;
++
+ /* check if it is a complete record */
+ if (tls_end_offset == record->len) {
+ nskb = skb;
+@@ -1763,6 +1765,8 @@ static int chcr_end_part_handler(struct
+
+ if (last_wr)
+ dev_kfree_skb_any(skb);
++ else
++ free_skb_if_tx_fails = true;
+
+ last_wr = true;
+
+@@ -1774,6 +1778,8 @@ static int chcr_end_part_handler(struct
+ record->num_frags,
+ (last_wr && tcp_push_no_fin),
+ mss)) {
++ if (free_skb_if_tx_fails)
++ dev_kfree_skb_any(skb);
+ goto out;
+ }
+ tx_info->prev_seq = record->end_seq;
--- /dev/null
+From 1a73e427b824133940c2dd95ebe26b6dce1cbf10 Mon Sep 17 00:00:00 2001
+From: Vinay Kumar Yadav <vinay.yadav@chelsio.com>
+Date: Thu, 15 Apr 2021 13:17:45 +0530
+Subject: ch_ktls: Fix kernel panic
+
+From: Vinay Kumar Yadav <vinay.yadav@chelsio.com>
+
+commit 1a73e427b824133940c2dd95ebe26b6dce1cbf10 upstream.
+
+Taking page refcount is not ideal and causes kernel panic
+sometimes. It's better to take tx_ctx lock for the complete
+skb transmit, to avoid page cleanup if ACK received in middle.
+
+Fixes: 5a4b9fe7fece ("cxgb4/chcr: complete record tx handling")
+Signed-off-by: Vinay Kumar Yadav <vinay.yadav@chelsio.com>
+Signed-off-by: Rohit Maheshwari <rohitm@chelsio.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/chelsio/inline_crypto/ch_ktls/chcr_ktls.c | 24 ++--------
+ 1 file changed, 5 insertions(+), 19 deletions(-)
+
+--- a/drivers/net/ethernet/chelsio/inline_crypto/ch_ktls/chcr_ktls.c
++++ b/drivers/net/ethernet/chelsio/inline_crypto/ch_ktls/chcr_ktls.c
+@@ -2015,12 +2015,11 @@ static int chcr_ktls_xmit(struct sk_buff
+ * we will send the complete record again.
+ */
+
++ spin_lock_irqsave(&tx_ctx->base.lock, flags);
++
+ do {
+- int i;
+
+ cxgb4_reclaim_completed_tx(adap, &q->q, true);
+- /* lock taken */
+- spin_lock_irqsave(&tx_ctx->base.lock, flags);
+ /* fetch the tls record */
+ record = tls_get_record(&tx_ctx->base, tcp_seq,
+ &tx_info->record_no);
+@@ -2079,11 +2078,11 @@ static int chcr_ktls_xmit(struct sk_buff
+ tls_end_offset, skb_offset,
+ 0);
+
+- spin_unlock_irqrestore(&tx_ctx->base.lock, flags);
+ if (ret) {
+ /* free the refcount taken earlier */
+ if (tls_end_offset < data_len)
+ dev_kfree_skb_any(skb);
++ spin_unlock_irqrestore(&tx_ctx->base.lock, flags);
+ goto out;
+ }
+
+@@ -2093,16 +2092,6 @@ static int chcr_ktls_xmit(struct sk_buff
+ continue;
+ }
+
+- /* increase page reference count of the record, so that there
+- * won't be any chance of page free in middle if in case stack
+- * receives ACK and try to delete the record.
+- */
+- for (i = 0; i < record->num_frags; i++)
+- __skb_frag_ref(&record->frags[i]);
+- /* lock cleared */
+- spin_unlock_irqrestore(&tx_ctx->base.lock, flags);
+-
+-
+ /* if a tls record is finishing in this SKB */
+ if (tls_end_offset <= data_len) {
+ ret = chcr_end_part_handler(tx_info, skb, record,
+@@ -2127,13 +2116,9 @@ static int chcr_ktls_xmit(struct sk_buff
+ data_len = 0;
+ }
+
+- /* clear the frag ref count which increased locally before */
+- for (i = 0; i < record->num_frags; i++) {
+- /* clear the frag ref count */
+- __skb_frag_unref(&record->frags[i]);
+- }
+ /* if any failure, come out from the loop. */
+ if (ret) {
++ spin_unlock_irqrestore(&tx_ctx->base.lock, flags);
+ if (th->fin)
+ dev_kfree_skb_any(skb);
+
+@@ -2148,6 +2133,7 @@ static int chcr_ktls_xmit(struct sk_buff
+
+ } while (data_len > 0);
+
++ spin_unlock_irqrestore(&tx_ctx->base.lock, flags);
+ atomic64_inc(&port_stats->ktls_tx_encrypted_packets);
+ atomic64_add(skb_data_len, &port_stats->ktls_tx_encrypted_bytes);
+
--- /dev/null
+From 21d8c25e3f4b9052a471ced8f47b531956eb9963 Mon Sep 17 00:00:00 2001
+From: Vinay Kumar Yadav <vinay.yadav@chelsio.com>
+Date: Thu, 15 Apr 2021 13:17:47 +0530
+Subject: ch_ktls: tcb close causes tls connection failure
+
+From: Vinay Kumar Yadav <vinay.yadav@chelsio.com>
+
+commit 21d8c25e3f4b9052a471ced8f47b531956eb9963 upstream.
+
+HW doesn't need marking TCB closed. This TCB state change
+sometimes causes problem to the new connection which gets
+the same tid.
+
+Fixes: 34aba2c45024 ("cxgb4/chcr : Register to tls add and del callback")
+Signed-off-by: Vinay Kumar Yadav <vinay.yadav@chelsio.com>
+Signed-off-by: Rohit Maheshwari <rohitm@chelsio.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/chelsio/inline_crypto/ch_ktls/chcr_ktls.c | 19 ----------
+ 1 file changed, 19 deletions(-)
+
+--- a/drivers/net/ethernet/chelsio/inline_crypto/ch_ktls/chcr_ktls.c
++++ b/drivers/net/ethernet/chelsio/inline_crypto/ch_ktls/chcr_ktls.c
+@@ -355,18 +355,6 @@ static int chcr_set_tcb_field(struct chc
+ }
+
+ /*
+- * chcr_ktls_mark_tcb_close: mark tcb state to CLOSE
+- * @tx_info - driver specific tls info.
+- * return: NET_TX_OK/NET_XMIT_DROP.
+- */
+-static int chcr_ktls_mark_tcb_close(struct chcr_ktls_info *tx_info)
+-{
+- return chcr_set_tcb_field(tx_info, TCB_T_STATE_W,
+- TCB_T_STATE_V(TCB_T_STATE_M),
+- CHCR_TCB_STATE_CLOSED, 1);
+-}
+-
+-/*
+ * chcr_ktls_dev_del: call back for tls_dev_del.
+ * Remove the tid and l2t entry and close the connection.
+ * it per connection basis.
+@@ -400,8 +388,6 @@ static void chcr_ktls_dev_del(struct net
+
+ /* clear tid */
+ if (tx_info->tid != -1) {
+- /* clear tcb state and then release tid */
+- chcr_ktls_mark_tcb_close(tx_info);
+ cxgb4_remove_tid(&tx_info->adap->tids, tx_info->tx_chan,
+ tx_info->tid, tx_info->ip_family);
+ }
+@@ -579,7 +565,6 @@ static int chcr_ktls_dev_add(struct net_
+ return 0;
+
+ free_tid:
+- chcr_ktls_mark_tcb_close(tx_info);
+ #if IS_ENABLED(CONFIG_IPV6)
+ /* clear clip entry */
+ if (tx_info->ip_family == AF_INET6)
+@@ -677,10 +662,6 @@ static int chcr_ktls_cpl_act_open_rpl(st
+ if (tx_info->pending_close) {
+ spin_unlock(&tx_info->lock);
+ if (!status) {
+- /* it's a late success, tcb status is establised,
+- * mark it close.
+- */
+- chcr_ktls_mark_tcb_close(tx_info);
+ cxgb4_remove_tid(&tx_info->adap->tids, tx_info->tx_chan,
+ tid, tx_info->ip_family);
+ }
--- /dev/null
+From 16756d3e77ad58cd07e36cbed724aa13ae5a0278 Mon Sep 17 00:00:00 2001
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Tue, 13 Apr 2021 20:46:14 -0700
+Subject: ethtool: pause: make sure we init driver stats
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+commit 16756d3e77ad58cd07e36cbed724aa13ae5a0278 upstream.
+
+The intention was for pause statistics to not be reported
+when driver does not have the relevant callback (only
+report an empty netlink nest). What happens currently
+we report all 0s instead. Make sure statistics are
+initialized to "not set" (which is -1) so the dumping
+code skips them.
+
+Fixes: 9a27a33027f2 ("ethtool: add standard pause stats")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ethtool/pause.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/ethtool/pause.c
++++ b/net/ethtool/pause.c
+@@ -38,16 +38,16 @@ static int pause_prepare_data(const stru
+ if (!dev->ethtool_ops->get_pauseparam)
+ return -EOPNOTSUPP;
+
++ ethtool_stats_init((u64 *)&data->pausestat,
++ sizeof(data->pausestat) / 8);
++
+ ret = ethnl_ops_begin(dev);
+ if (ret < 0)
+ return ret;
+ dev->ethtool_ops->get_pauseparam(dev, &data->pauseparam);
+ if (req_base->flags & ETHTOOL_FLAG_STATS &&
+- dev->ethtool_ops->get_pause_stats) {
+- ethtool_stats_init((u64 *)&data->pausestat,
+- sizeof(data->pausestat) / 8);
++ dev->ethtool_ops->get_pause_stats)
+ dev->ethtool_ops->get_pause_stats(dev, &data->pausestat);
+- }
+ ethnl_ops_complete(dev);
+
+ return 0;
--- /dev/null
+From 38ec4944b593fd90c5ef42aaaa53e66ae5769d04 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 13 Apr 2021 05:41:35 -0700
+Subject: gro: ensure frag0 meets IP header alignment
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 38ec4944b593fd90c5ef42aaaa53e66ae5769d04 upstream.
+
+After commit 0f6925b3e8da ("virtio_net: Do not pull payload in skb->head")
+Guenter Roeck reported one failure in his tests using sh architecture.
+
+After much debugging, we have been able to spot silent unaligned accesses
+in inet_gro_receive()
+
+The issue at hand is that upper networking stacks assume their header
+is word-aligned. Low level drivers are supposed to reserve NET_IP_ALIGN
+bytes before the Ethernet header to make that happen.
+
+This patch hardens skb_gro_reset_offset() to not allow frag0 fast-path
+if the fragment is not properly aligned.
+
+Some arches like x86, arm64 and powerpc do not care and define NET_IP_ALIGN
+as 0, this extra check will be a NOP for them.
+
+Note that if frag0 is not used, GRO will call pskb_may_pull()
+as many times as needed to pull network and transport headers.
+
+Fixes: 0f6925b3e8da ("virtio_net: Do not pull payload in skb->head")
+Fixes: 78a478d0efd9 ("gro: Inline skb_gro_header and cache frag0 virtual address")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Guenter Roeck <linux@roeck-us.net>
+Cc: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
+Cc: "Michael S. Tsirkin" <mst@redhat.com>
+Cc: Jason Wang <jasowang@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Tested-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/dev.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -5867,7 +5867,8 @@ static void skb_gro_reset_offset(struct
+ NAPI_GRO_CB(skb)->frag0_len = 0;
+
+ if (!skb_headlen(skb) && pinfo->nr_frags &&
+- !PageHighMem(skb_frag_page(frag0))) {
++ !PageHighMem(skb_frag_page(frag0)) &&
++ (!NET_IP_ALIGN || !(skb_frag_off(frag0) & 3))) {
+ NAPI_GRO_CB(skb)->frag0 = skb_frag_address(frag0);
+ NAPI_GRO_CB(skb)->frag0_len = min_t(unsigned int,
+ skb_frag_size(frag0),
--- /dev/null
+From 4e39a072a6a0fc422ba7da5e4336bdc295d70211 Mon Sep 17 00:00:00 2001
+From: Jason Xing <xingwanli@kuaishou.com>
+Date: Wed, 14 Apr 2021 10:34:28 +0800
+Subject: i40e: fix the panic when running bpf in xdpdrv mode
+
+From: Jason Xing <xingwanli@kuaishou.com>
+
+commit 4e39a072a6a0fc422ba7da5e4336bdc295d70211 upstream.
+
+Fix this panic by adding more rules to calculate the value of @rss_size_max
+which could be used in allocating the queues when bpf is loaded, which,
+however, could cause the failure and then trigger the NULL pointer of
+vsi->rx_rings. Prio to this fix, the machine doesn't care about how many
+cpus are online and then allocates 256 queues on the machine with 32 cpus
+online actually.
+
+Once the load of bpf begins, the log will go like this "failed to get
+tracking for 256 queues for VSI 0 err -12" and this "setup of MAIN VSI
+failed".
+
+Thus, I attach the key information of the crash-log here.
+
+BUG: unable to handle kernel NULL pointer dereference at
+0000000000000000
+RIP: 0010:i40e_xdp+0xdd/0x1b0 [i40e]
+Call Trace:
+[2160294.717292] ? i40e_reconfig_rss_queues+0x170/0x170 [i40e]
+[2160294.717666] dev_xdp_install+0x4f/0x70
+[2160294.718036] dev_change_xdp_fd+0x11f/0x230
+[2160294.718380] ? dev_disable_lro+0xe0/0xe0
+[2160294.718705] do_setlink+0xac7/0xe70
+[2160294.719035] ? __nla_parse+0xed/0x120
+[2160294.719365] rtnl_newlink+0x73b/0x860
+
+Fixes: 41c445ff0f48 ("i40e: main driver core")
+Co-developed-by: Shujin Li <lishujin@kuaishou.com>
+Signed-off-by: Shujin Li <lishujin@kuaishou.com>
+Signed-off-by: Jason Xing <xingwanli@kuaishou.com>
+Reviewed-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Acked-by: Jesper Dangaard Brouer <brouer@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -11863,6 +11863,7 @@ static int i40e_sw_init(struct i40e_pf *
+ {
+ int err = 0;
+ int size;
++ u16 pow;
+
+ /* Set default capability flags */
+ pf->flags = I40E_FLAG_RX_CSUM_ENABLED |
+@@ -11881,6 +11882,11 @@ static int i40e_sw_init(struct i40e_pf *
+ pf->rss_table_size = pf->hw.func_caps.rss_table_size;
+ pf->rss_size_max = min_t(int, pf->rss_size_max,
+ pf->hw.func_caps.num_tx_qp);
++
++ /* find the next higher power-of-2 of num cpus */
++ pow = roundup_pow_of_two(num_online_cpus());
++ pf->rss_size_max = min_t(int, pf->rss_size_max, pow);
++
+ if (pf->hw.func_caps.rss) {
+ pf->flags |= I40E_FLAG_RSS_ENABLED;
+ pf->alloc_rss_size = min_t(int, pf->rss_size_max,
--- /dev/null
+From 19d000d93303e05bd7b1326e3de9df05a41b25b5 Mon Sep 17 00:00:00 2001
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Fri, 16 Apr 2021 15:46:06 -0700
+Subject: ia64: remove duplicate entries in generic_defconfig
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+commit 19d000d93303e05bd7b1326e3de9df05a41b25b5 upstream.
+
+Fix ia64 generic_defconfig duplicate entries, as warned by:
+
+ arch/ia64/configs/generic_defconfig: warning: override: reassigning to symbol ATA: => 58
+ arch/ia64/configs/generic_defconfig: warning: override: reassigning to symbol ATA_PIIX: => 59
+
+These 2 symbols still have the same value as in the removed lines.
+
+Link: https://lkml.kernel.org/r/20210411020255.18052-1-rdunlap@infradead.org
+Fixes: c331649e6371 ("ia64: Use libata instead of the legacy ide driver in defconfigs")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Cc: Tony Luck <tony.luck@intel.com>
+Cc: Fenghua Yu <fenghua.yu@intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/ia64/configs/generic_defconfig | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/arch/ia64/configs/generic_defconfig
++++ b/arch/ia64/configs/generic_defconfig
+@@ -55,8 +55,6 @@ CONFIG_CHR_DEV_SG=m
+ CONFIG_SCSI_FC_ATTRS=y
+ CONFIG_SCSI_SYM53C8XX_2=y
+ CONFIG_SCSI_QLOGIC_1280=y
+-CONFIG_ATA=y
+-CONFIG_ATA_PIIX=y
+ CONFIG_SATA_VITESSE=y
+ CONFIG_MD=y
+ CONFIG_BLK_DEV_MD=m
--- /dev/null
+From 17786fea414393813b56e33a1a01b2dfa03c0915 Mon Sep 17 00:00:00 2001
+From: John Paul Adrian Glaubitz <glaubitz () physik ! fu-berlin ! de>
+Date: Fri, 16 Apr 2021 15:46:12 -0700
+Subject: ia64: tools: remove inclusion of ia64-specific version of errno.h header
+
+From: John Paul Adrian Glaubitz <glaubitz () physik ! fu-berlin ! de>
+
+commit 17786fea414393813b56e33a1a01b2dfa03c0915 upstream.
+
+There is no longer an ia64-specific version of the errno.h header below
+arch/ia64/include/uapi/asm/, so trying to build tools/bpf fails with:
+
+ CC /usr/src/linux/tools/bpf/bpftool/btf_dumper.o
+ In file included from /usr/src/linux/tools/include/linux/err.h:8,
+ from btf_dumper.c:11:
+ /usr/src/linux/tools/include/uapi/asm/errno.h:13:10: fatal error: ../../../arch/ia64/include/uapi/asm/errno.h: No such file or directory
+ 13 | #include "../../../arch/ia64/include/uapi/asm/errno.h"
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ compilation terminated.
+
+Thus, just remove the inclusion of the ia64-specific errno.h so that the
+build will use the generic errno.h header on this target which was used
+there anyway as the ia64-specific errno.h was just a wrapper for the
+generic header.
+
+Fixes: c25f867ddd00 ("ia64: remove unneeded uapi asm-generic wrappers")
+Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/include/uapi/asm/errno.h | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/tools/include/uapi/asm/errno.h
++++ b/tools/include/uapi/asm/errno.h
+@@ -9,8 +9,6 @@
+ #include "../../../arch/alpha/include/uapi/asm/errno.h"
+ #elif defined(__mips__)
+ #include "../../../arch/mips/include/uapi/asm/errno.h"
+-#elif defined(__ia64__)
+-#include "../../../arch/ia64/include/uapi/asm/errno.h"
+ #elif defined(__xtensa__)
+ #include "../../../arch/xtensa/include/uapi/asm/errno.h"
+ #else
--- /dev/null
+From 0775ebc4cf8554bdcd2c212669a0868ab68df5c0 Mon Sep 17 00:00:00 2001
+From: Lijun Pan <lijunp213@gmail.com>
+Date: Wed, 14 Apr 2021 02:46:14 -0500
+Subject: ibmvnic: avoid calling napi_disable() twice
+
+From: Lijun Pan <lijunp213@gmail.com>
+
+commit 0775ebc4cf8554bdcd2c212669a0868ab68df5c0 upstream.
+
+__ibmvnic_open calls napi_disable without checking whether NAPI polling
+has already been disabled or not. This could cause napi_disable
+being called twice, which could generate deadlock. For example,
+the first napi_disable will spin until NAPI_STATE_SCHED is cleared
+by napi_complete_done, then set it again.
+When napi_disable is called the second time, it will loop infinitely
+because no dev->poll will be running to clear NAPI_STATE_SCHED.
+
+To prevent above scenario from happening, call ibmvnic_napi_disable()
+which checks if napi is disabled or not before calling napi_disable.
+
+Fixes: bfc32f297337 ("ibmvnic: Move resource initialization to its own routine")
+Suggested-by: Thomas Falcon <tlfalcon@linux.ibm.com>
+Signed-off-by: Lijun Pan <lijunp213@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ibm/ibmvnic.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -1159,8 +1159,7 @@ static int __ibmvnic_open(struct net_dev
+
+ rc = set_link_state(adapter, IBMVNIC_LOGICAL_LNK_UP);
+ if (rc) {
+- for (i = 0; i < adapter->req_rx_queues; i++)
+- napi_disable(&adapter->napi[i]);
++ ibmvnic_napi_disable(adapter);
+ release_resources(adapter);
+ return rc;
+ }
--- /dev/null
+From d3a6abccbd272aea7dc2c6f984bb5a2c11278e44 Mon Sep 17 00:00:00 2001
+From: Lijun Pan <lijunp213@gmail.com>
+Date: Wed, 14 Apr 2021 02:46:15 -0500
+Subject: ibmvnic: remove duplicate napi_schedule call in do_reset function
+
+From: Lijun Pan <lijunp213@gmail.com>
+
+commit d3a6abccbd272aea7dc2c6f984bb5a2c11278e44 upstream.
+
+During adapter reset, do_reset/do_hard_reset calls ibmvnic_open(),
+which will calls napi_schedule if previous state is VNIC_CLOSED
+(i.e, the reset case, and "ifconfig down" case). So there is no need
+for do_reset to call napi_schedule again at the end of the function
+though napi_schedule will neglect the request if napi is already
+scheduled.
+
+Fixes: ed651a10875f ("ibmvnic: Updated reset handling")
+Signed-off-by: Lijun Pan <lijunp213@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ibm/ibmvnic.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -1941,7 +1941,7 @@ static int do_reset(struct ibmvnic_adapt
+ u64 old_num_rx_queues, old_num_tx_queues;
+ u64 old_num_rx_slots, old_num_tx_slots;
+ struct net_device *netdev = adapter->netdev;
+- int i, rc;
++ int rc;
+
+ netdev_dbg(adapter->netdev,
+ "[S:%d FOP:%d] Reset reason %d, reset_state %d\n",
+@@ -2087,10 +2087,6 @@ static int do_reset(struct ibmvnic_adapt
+ /* refresh device's multicast list */
+ ibmvnic_set_multi(netdev);
+
+- /* kick napi */
+- for (i = 0; i < adapter->req_rx_queues; i++)
+- napi_schedule(&adapter->napi[i]);
+-
+ if (adapter->reset_reason == VNIC_RESET_FAILOVER ||
+ adapter->reset_reason == VNIC_RESET_MOBILITY) {
+ call_netdevice_notifiers(NETDEV_NOTIFY_PEERS, netdev);
--- /dev/null
+From 7c451f3ef676c805a4b77a743a01a5c21a250a73 Mon Sep 17 00:00:00 2001
+From: Lijun Pan <lijunp213@gmail.com>
+Date: Wed, 14 Apr 2021 02:46:16 -0500
+Subject: ibmvnic: remove duplicate napi_schedule call in open function
+
+From: Lijun Pan <lijunp213@gmail.com>
+
+commit 7c451f3ef676c805a4b77a743a01a5c21a250a73 upstream.
+
+Remove the unnecessary napi_schedule() call in __ibmvnic_open() since
+interrupt_rx() calls napi_schedule_prep/__napi_schedule during every
+receive interrupt.
+
+Fixes: ed651a10875f ("ibmvnic: Updated reset handling")
+Signed-off-by: Lijun Pan <lijunp213@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ibm/ibmvnic.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -1166,11 +1166,6 @@ static int __ibmvnic_open(struct net_dev
+
+ netif_tx_start_all_queues(netdev);
+
+- if (prev_state == VNIC_CLOSED) {
+- for (i = 0; i < adapter->req_rx_queues; i++)
+- napi_schedule(&adapter->napi[i]);
+- }
+-
+ adapter->state = VNIC_OPEN;
+ return rc;
+ }
--- /dev/null
+From ef963ae427aa4669905e0a96b3bd9d44dc85db32 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Wed, 31 Mar 2021 15:46:28 +0100
+Subject: ice: Fix potential infinite loop when using u8 loop counter
+
+From: Colin Ian King <colin.king@canonical.com>
+
+commit ef963ae427aa4669905e0a96b3bd9d44dc85db32 upstream.
+
+A for-loop is using a u8 loop counter that is being compared to
+a u32 cmp_dcbcfg->numapp to check for the end of the loop. If
+cmp_dcbcfg->numapp is larger than 255 then the counter j will wrap
+around to zero and hence an infinite loop occurs. Fix this by making
+counter j the same type as cmp_dcbcfg->numapp.
+
+Addresses-Coverity: ("Infinite loop")
+Fixes: aeac8ce864d9 ("ice: Recognize 860 as iSCSI port in CEE mode")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Tested-by: Tony Brelinski <tonyx.brelinski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/ice/ice_dcb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/intel/ice/ice_dcb.c
++++ b/drivers/net/ethernet/intel/ice/ice_dcb.c
+@@ -747,8 +747,8 @@ ice_cee_to_dcb_cfg(struct ice_aqc_get_ce
+ struct ice_port_info *pi)
+ {
+ u32 status, tlv_status = le32_to_cpu(cee_cfg->tlv_status);
+- u32 ice_aqc_cee_status_mask, ice_aqc_cee_status_shift;
+- u8 i, j, err, sync, oper, app_index, ice_app_sel_type;
++ u32 ice_aqc_cee_status_mask, ice_aqc_cee_status_shift, j;
++ u8 i, err, sync, oper, app_index, ice_app_sel_type;
+ u16 app_prio = le16_to_cpu(cee_cfg->oper_app_prio);
+ u16 ice_aqc_cee_app_mask, ice_aqc_cee_app_shift;
+ struct ice_dcbx_cfg *cmp_dcbcfg, *dcbcfg;
--- /dev/null
+From debb9df311582c83fe369baa35fa4b92e8a9c58a Mon Sep 17 00:00:00 2001
+From: Yongxin Liu <yongxin.liu@windriver.com>
+Date: Mon, 22 Mar 2021 15:14:48 +0800
+Subject: ixgbe: fix unbalanced device enable/disable in suspend/resume
+
+From: Yongxin Liu <yongxin.liu@windriver.com>
+
+commit debb9df311582c83fe369baa35fa4b92e8a9c58a upstream.
+
+pci_disable_device() called in __ixgbe_shutdown() decreases
+dev->enable_cnt by 1. pci_enable_device_mem() which increases
+dev->enable_cnt by 1, was removed from ixgbe_resume() in commit
+6f82b2558735 ("ixgbe: use generic power management"). This caused
+unbalanced increase/decrease. So add pci_enable_device_mem() back.
+
+Fix the following call trace.
+
+ ixgbe 0000:17:00.1: disabling already-disabled device
+ Call Trace:
+ __ixgbe_shutdown+0x10a/0x1e0 [ixgbe]
+ ixgbe_suspend+0x32/0x70 [ixgbe]
+ pci_pm_suspend+0x87/0x160
+ ? pci_pm_freeze+0xd0/0xd0
+ dpm_run_callback+0x42/0x170
+ __device_suspend+0x114/0x460
+ async_suspend+0x1f/0xa0
+ async_run_entry_fn+0x3c/0xf0
+ process_one_work+0x1dd/0x410
+ worker_thread+0x34/0x3f0
+ ? cancel_delayed_work+0x90/0x90
+ kthread+0x14c/0x170
+ ? kthread_park+0x90/0x90
+ ret_from_fork+0x1f/0x30
+
+Fixes: 6f82b2558735 ("ixgbe: use generic power management")
+Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
+Tested-by: Dave Switzer <david.switzer@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+@@ -6896,6 +6896,11 @@ static int __maybe_unused ixgbe_resume(s
+
+ adapter->hw.hw_addr = adapter->io_addr;
+
++ err = pci_enable_device_mem(pdev);
++ if (err) {
++ e_dev_err("Cannot enable PCI device from suspend\n");
++ return err;
++ }
+ smp_mb__before_atomic();
+ clear_bit(__IXGBE_DISABLED, &adapter->state);
+ pci_set_master(pdev);
--- /dev/null
+From afd0be7299533bb2e2b09104399d8a467ecbd2c5 Mon Sep 17 00:00:00 2001
+From: Ciara Loftus <ciara.loftus@intel.com>
+Date: Thu, 8 Apr 2021 05:20:09 +0000
+Subject: libbpf: Fix potential NULL pointer dereference
+
+From: Ciara Loftus <ciara.loftus@intel.com>
+
+commit afd0be7299533bb2e2b09104399d8a467ecbd2c5 upstream.
+
+Wait until after the UMEM is checked for null to dereference it.
+
+Fixes: 43f1bc1efff1 ("libbpf: Restore umem state after socket create failure")
+Signed-off-by: Ciara Loftus <ciara.loftus@intel.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20210408052009.7844-1-ciara.loftus@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/lib/bpf/xsk.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/tools/lib/bpf/xsk.c
++++ b/tools/lib/bpf/xsk.c
+@@ -703,18 +703,19 @@ int xsk_socket__create_shared(struct xsk
+ struct xsk_ring_cons *comp,
+ const struct xsk_socket_config *usr_config)
+ {
++ bool unmap, rx_setup_done = false, tx_setup_done = false;
+ void *rx_map = NULL, *tx_map = NULL;
+ struct sockaddr_xdp sxdp = {};
+ struct xdp_mmap_offsets off;
+ struct xsk_socket *xsk;
+ struct xsk_ctx *ctx;
+ int err, ifindex;
+- bool unmap = umem->fill_save != fill;
+- bool rx_setup_done = false, tx_setup_done = false;
+
+ if (!umem || !xsk_ptr || !(rx || tx))
+ return -EFAULT;
+
++ unmap = umem->fill_save != fill;
++
+ xsk = calloc(1, sizeof(*xsk));
+ if (!xsk)
+ return -ENOMEM;
--- /dev/null
+From a2948b17f6b936fc52f86c0f92c46d2f91928b79 Mon Sep 17 00:00:00 2001
+From: Vaibhav Jain <vaibhav@linux.ibm.com>
+Date: Fri, 2 Apr 2021 14:55:55 +0530
+Subject: libnvdimm/region: Fix nvdimm_has_flush() to handle ND_REGION_ASYNC
+
+From: Vaibhav Jain <vaibhav@linux.ibm.com>
+
+commit a2948b17f6b936fc52f86c0f92c46d2f91928b79 upstream.
+
+In case a platform doesn't provide explicit flush-hints but provides an
+explicit flush callback via ND_REGION_ASYNC region flag, then
+nvdimm_has_flush() still returns '0' indicating that writes do not
+require flushing. This happens on PPC64 with patch at [1] applied, where
+'deep_flush' of a region was denied even though an explicit flush
+function was provided.
+
+Fix this by adding a condition to nvdimm_has_flush() to test for the
+ND_REGION_ASYNC flag on the region and see if a 'region->flush' callback
+is assigned.
+
+Link: http://lore.kernel.org/r/161703936121.36.7260632399582101498.stgit@e1fbed493c87 [1]
+Fixes: c5d4355d10d4 ("libnvdimm: nd_region flush callback support")
+Reported-by: Shivaprasad G Bhat <sbhat@linux.ibm.com>
+Signed-off-by: Vaibhav Jain <vaibhav@linux.ibm.com>
+Link: https://lore.kernel.org/r/20210402092555.208590-1-vaibhav@linux.ibm.com
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvdimm/region_devs.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/nvdimm/region_devs.c
++++ b/drivers/nvdimm/region_devs.c
+@@ -1239,6 +1239,11 @@ int nvdimm_has_flush(struct nd_region *n
+ || !IS_ENABLED(CONFIG_ARCH_HAS_PMEM_API))
+ return -ENXIO;
+
++ /* Test if an explicit flush function is defined */
++ if (test_bit(ND_REGION_ASYNC, &nd_region->flags) && nd_region->flush)
++ return 1;
++
++ /* Test if any flush hints for the region are available */
+ for (i = 0; i < nd_region->ndr_mappings; i++) {
+ struct nd_mapping *nd_mapping = &nd_region->mapping[i];
+ struct nvdimm *nvdimm = nd_mapping->nvdimm;
+@@ -1249,8 +1254,8 @@ int nvdimm_has_flush(struct nd_region *n
+ }
+
+ /*
+- * The platform defines dimm devices without hints, assume
+- * platform persistence mechanism like ADR
++ * The platform defines dimm devices without hints nor explicit flush,
++ * assume platform persistence mechanism like ADR
+ */
+ return 0;
+ }
--- /dev/null
+From 458376913d86bed2fb781b4952eb6861675ef3be Mon Sep 17 00:00:00 2001
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+Date: Fri, 16 Apr 2021 15:46:20 -0700
+Subject: mm: ptdump: fix build failure
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+commit 458376913d86bed2fb781b4952eb6861675ef3be upstream.
+
+READ_ONCE() cannot be used for reading PTEs. Use ptep_get() instead, to
+avoid the following errors:
+
+ CC mm/ptdump.o
+ In file included from <command-line>:
+ mm/ptdump.c: In function 'ptdump_pte_entry':
+ include/linux/compiler_types.h:320:38: error: call to '__compiletime_assert_207' declared with attribute error: Unsupported access size for {READ,WRITE}_ONCE().
+ 320 | _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__)
+ | ^
+ include/linux/compiler_types.h:301:4: note: in definition of macro '__compiletime_assert'
+ 301 | prefix ## suffix(); \
+ | ^~~~~~
+ include/linux/compiler_types.h:320:2: note: in expansion of macro '_compiletime_assert'
+ 320 | _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__)
+ | ^~~~~~~~~~~~~~~~~~~
+ include/asm-generic/rwonce.h:36:2: note: in expansion of macro 'compiletime_assert'
+ 36 | compiletime_assert(__native_word(t) || sizeof(t) == sizeof(long long), \
+ | ^~~~~~~~~~~~~~~~~~
+ include/asm-generic/rwonce.h:49:2: note: in expansion of macro 'compiletime_assert_rwonce_type'
+ 49 | compiletime_assert_rwonce_type(x); \
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ mm/ptdump.c:114:14: note: in expansion of macro 'READ_ONCE'
+ 114 | pte_t val = READ_ONCE(*pte);
+ | ^~~~~~~~~
+ make[2]: *** [mm/ptdump.o] Error 1
+
+See commit 481e980a7c19 ("mm: Allow arches to provide ptep_get()") and
+commit c0e1c8c22beb ("powerpc/8xx: Provide ptep_get() with 16k pages")
+for details.
+
+Link: https://lkml.kernel.org/r/912b349e2bcaa88939904815ca0af945740c6bd4.1618478922.git.christophe.leroy@csgroup.eu
+Fixes: 30d621f6723b ("mm: add generic ptdump")
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Cc: Steven Price <steven.price@arm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/ptdump.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/ptdump.c
++++ b/mm/ptdump.c
+@@ -108,7 +108,7 @@ static int ptdump_pte_entry(pte_t *pte,
+ unsigned long next, struct mm_walk *walk)
+ {
+ struct ptdump_state *st = walk->private;
+- pte_t val = READ_ONCE(*pte);
++ pte_t val = ptep_get(pte);
+
+ if (st->effective_prot)
+ st->effective_prot(st, 4, pte_val(val));
--- /dev/null
+From 31457db3750c0b0ed229d836f2609fdb8a5b790e Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Sun, 11 Apr 2021 11:02:08 +0200
+Subject: net: davicom: Fix regulator not turned off on failed probe
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+commit 31457db3750c0b0ed229d836f2609fdb8a5b790e upstream.
+
+When the probe fails, we must disable the regulator that was previously
+enabled.
+
+This patch is a follow-up to commit ac88c531a5b3
+("net: davicom: Fix regulator not turned off on failed probe") which missed
+one case.
+
+Fixes: 7994fe55a4a2 ("dm9000: Add regulator and reset support to dm9000")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/davicom/dm9000.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/davicom/dm9000.c
++++ b/drivers/net/ethernet/davicom/dm9000.c
+@@ -1474,8 +1474,10 @@ dm9000_probe(struct platform_device *pde
+
+ /* Init network device */
+ ndev = alloc_etherdev(sizeof(struct board_info));
+- if (!ndev)
+- return -ENOMEM;
++ if (!ndev) {
++ ret = -ENOMEM;
++ goto out_regulator_disable;
++ }
+
+ SET_NETDEV_DEV(ndev, &pdev->dev);
+
--- /dev/null
+From 941ea91e87a6e879ed82dad4949f6234f2702bec Mon Sep 17 00:00:00 2001
+From: Hristo Venev <hristo@venev.name>
+Date: Mon, 12 Apr 2021 20:41:17 +0300
+Subject: net: ip6_tunnel: Unregister catch-all devices
+
+From: Hristo Venev <hristo@venev.name>
+
+commit 941ea91e87a6e879ed82dad4949f6234f2702bec upstream.
+
+Similarly to the sit case, we need to remove the tunnels with no
+addresses that have been moved to another network namespace.
+
+Fixes: 0bd8762824e73 ("ip6tnl: add x-netns support")
+Signed-off-by: Hristo Venev <hristo@venev.name>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_tunnel.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -2275,6 +2275,16 @@ static void __net_exit ip6_tnl_destroy_t
+ t = rtnl_dereference(t->next);
+ }
+ }
++
++ t = rtnl_dereference(ip6n->tnls_wc[0]);
++ while (t) {
++ /* If dev is in the same netns, it has already
++ * been added to the list by the previous loop.
++ */
++ if (!net_eq(dev_net(t->dev), net))
++ unregister_netdevice_queue(t->dev, list);
++ t = rtnl_dereference(t->next);
++ }
+ }
+
+ static int __net_init ip6_tnl_init_net(struct net *net)
--- /dev/null
+From a714e27ea8bdee2b238748029d31472d0a65b611 Mon Sep 17 00:00:00 2001
+From: Claudiu Beznea <claudiu.beznea@microchip.com>
+Date: Wed, 14 Apr 2021 14:20:29 +0300
+Subject: net: macb: fix the restore of cmp registers
+
+From: Claudiu Beznea <claudiu.beznea@microchip.com>
+
+commit a714e27ea8bdee2b238748029d31472d0a65b611 upstream.
+
+Commit a14d273ba159 ("net: macb: restore cmp registers on resume path")
+introduces the restore of CMP registers on resume path. In case the IP
+doesn't support type 2 screeners (zero on DCFG8 register) the
+struct macb::rx_fs_list::list is not initialized and thus the
+list_for_each_entry(item, &bp->rx_fs_list.list, list) loop introduced in
+commit a14d273ba159 ("net: macb: restore cmp registers on resume path")
+will access an uninitialized list leading to crash. Thus, initialize
+the struct macb::rx_fs_list::list without taking into account if the
+IP supports type 2 screeners or not.
+
+Fixes: a14d273ba159 ("net: macb: restore cmp registers on resume path")
+Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -3777,6 +3777,7 @@ static int macb_init(struct platform_dev
+ reg = gem_readl(bp, DCFG8);
+ bp->max_tuples = min((GEM_BFEXT(SCR2CMP, reg) / 3),
+ GEM_BFEXT(T2SCR, reg));
++ INIT_LIST_HEAD(&bp->rx_fs_list.list);
+ if (bp->max_tuples > 0) {
+ /* also needs one ethtype match to check IPv4 */
+ if (GEM_BFEXT(SCR2ETH, reg) > 0) {
+@@ -3787,7 +3788,6 @@ static int macb_init(struct platform_dev
+ /* Filtering is supported in hw but don't enable it in kernel now */
+ dev->hw_features |= NETIF_F_NTUPLE;
+ /* init Rx flow definitions */
+- INIT_LIST_HEAD(&bp->rx_fs_list.list);
+ bp->rx_fs_list.count = 0;
+ spin_lock_init(&bp->rx_fs_lock);
+ } else
--- /dev/null
+From 97684f0970f6e112926de631fdd98d9693c7e5c1 Mon Sep 17 00:00:00 2001
+From: Jonathon Reinhart <jonathon.reinhart@gmail.com>
+Date: Tue, 13 Apr 2021 03:08:48 -0400
+Subject: net: Make tcp_allowed_congestion_control readonly in non-init netns
+
+From: Jonathon Reinhart <jonathon.reinhart@gmail.com>
+
+commit 97684f0970f6e112926de631fdd98d9693c7e5c1 upstream.
+
+Currently, tcp_allowed_congestion_control is global and writable;
+writing to it in any net namespace will leak into all other net
+namespaces.
+
+tcp_available_congestion_control and tcp_allowed_congestion_control are
+the only sysctls in ipv4_net_table (the per-netns sysctl table) with a
+NULL data pointer; their handlers (proc_tcp_available_congestion_control
+and proc_allowed_congestion_control) have no other way of referencing a
+struct net. Thus, they operate globally.
+
+Because ipv4_net_table does not use designated initializers, there is no
+easy way to fix up this one "bad" table entry. However, the data pointer
+updating logic shouldn't be applied to NULL pointers anyway, so we
+instead force these entries to be read-only.
+
+These sysctls used to exist in ipv4_table (init-net only), but they were
+moved to the per-net ipv4_net_table, presumably without realizing that
+tcp_allowed_congestion_control was writable and thus introduced a leak.
+
+Because the intent of that commit was only to know (i.e. read) "which
+congestion algorithms are available or allowed", this read-only solution
+should be sufficient.
+
+The logic added in recent commit
+31c4d2f160eb: ("net: Ensure net namespace isolation of sysctls")
+does not and cannot check for NULL data pointers, because
+other table entries (e.g. /proc/sys/net/netfilter/nf_log/) have
+.data=NULL but use other methods (.extra2) to access the struct net.
+
+Fixes: 9cb8e048e5d9 ("net/ipv4/sysctl: show tcp_{allowed, available}_congestion_control in non-initial netns")
+Signed-off-by: Jonathon Reinhart <jonathon.reinhart@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/sysctl_net_ipv4.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/sysctl_net_ipv4.c
++++ b/net/ipv4/sysctl_net_ipv4.c
+@@ -1369,9 +1369,19 @@ static __net_init int ipv4_sysctl_init_n
+ if (!table)
+ goto err_alloc;
+
+- /* Update the variables to point into the current struct net */
+- for (i = 0; i < ARRAY_SIZE(ipv4_net_table) - 1; i++)
+- table[i].data += (void *)net - (void *)&init_net;
++ for (i = 0; i < ARRAY_SIZE(ipv4_net_table) - 1; i++) {
++ if (table[i].data) {
++ /* Update the variables to point into
++ * the current struct net
++ */
++ table[i].data += (void *)net - (void *)&init_net;
++ } else {
++ /* Entries without data pointer are global;
++ * Make them read-only in non-init_net ns
++ */
++ table[i].mode &= ~0222;
++ }
++ }
+ }
+
+ net->ipv4.ipv4_hdr = register_net_sysctl(net, "net/ipv4", table);
--- /dev/null
+From e3e0f9b279705154b951d579dc3d8b7041710e24 Mon Sep 17 00:00:00 2001
+From: wenxu <wenxu@ucloud.cn>
+Date: Fri, 9 Apr 2021 13:33:48 +0800
+Subject: net/mlx5e: fix ingress_ifindex check in mlx5e_flower_parse_meta
+
+From: wenxu <wenxu@ucloud.cn>
+
+commit e3e0f9b279705154b951d579dc3d8b7041710e24 upstream.
+
+In the nft_offload there is the mate flow_dissector with no
+ingress_ifindex but with ingress_iftype that only be used
+in the software. So if the mask of ingress_ifindex in meta is
+0, this meta check should be bypass.
+
+Fixes: 6d65bc64e232 ("net/mlx5e: Add mlx5e_flower_parse_meta support")
+Signed-off-by: wenxu <wenxu@ucloud.cn>
+Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+@@ -2196,6 +2196,9 @@ static int mlx5e_flower_parse_meta(struc
+ return 0;
+
+ flow_rule_match_meta(rule, &match);
++ if (!match.mask->ingress_ifindex)
++ return 0;
++
+ if (match.mask->ingress_ifindex != 0xFFFFFFFF) {
+ NL_SET_ERR_MSG_MOD(extack, "Unsupported ingress ifindex mask");
+ return -EOPNOTSUPP;
--- /dev/null
+From 7a320c9db3e73fb6c4f9a331087df9df18767221 Mon Sep 17 00:00:00 2001
+From: Aya Levin <ayal@nvidia.com>
+Date: Sun, 11 Apr 2021 09:33:12 +0300
+Subject: net/mlx5e: Fix setting of RS FEC mode
+
+From: Aya Levin <ayal@nvidia.com>
+
+commit 7a320c9db3e73fb6c4f9a331087df9df18767221 upstream.
+
+Change register setting from bit number to bit mask.
+
+Fixes: b5ede32d3329 ("net/mlx5e: Add support for FEC modes based on 50G per lane links")
+Signed-off-by: Aya Levin <ayal@nvidia.com>
+Reviewed-by: Eran Ben Elisha <eranbe@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en/port.c | 23 +++-------------------
+ 1 file changed, 4 insertions(+), 19 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/port.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/port.c
+@@ -387,21 +387,6 @@ enum mlx5e_fec_supported_link_mode {
+ *_policy = MLX5_GET(pplm_reg, _buf, fec_override_admin_##link); \
+ } while (0)
+
+-#define MLX5E_FEC_OVERRIDE_ADMIN_50G_POLICY(buf, policy, write, link) \
+- do { \
+- unsigned long policy_long; \
+- u16 *__policy = &(policy); \
+- bool _write = (write); \
+- \
+- policy_long = *__policy; \
+- if (_write && *__policy) \
+- *__policy = find_first_bit(&policy_long, \
+- sizeof(policy_long) * BITS_PER_BYTE);\
+- MLX5E_FEC_OVERRIDE_ADMIN_POLICY(buf, *__policy, _write, link); \
+- if (!_write && *__policy) \
+- *__policy = 1 << *__policy; \
+- } while (0)
+-
+ /* get/set FEC admin field for a given speed */
+ static int mlx5e_fec_admin_field(u32 *pplm, u16 *fec_policy, bool write,
+ enum mlx5e_fec_supported_link_mode link_mode)
+@@ -423,16 +408,16 @@ static int mlx5e_fec_admin_field(u32 *pp
+ MLX5E_FEC_OVERRIDE_ADMIN_POLICY(pplm, *fec_policy, write, 100g);
+ break;
+ case MLX5E_FEC_SUPPORTED_LINK_MODE_50G_1X:
+- MLX5E_FEC_OVERRIDE_ADMIN_50G_POLICY(pplm, *fec_policy, write, 50g_1x);
++ MLX5E_FEC_OVERRIDE_ADMIN_POLICY(pplm, *fec_policy, write, 50g_1x);
+ break;
+ case MLX5E_FEC_SUPPORTED_LINK_MODE_100G_2X:
+- MLX5E_FEC_OVERRIDE_ADMIN_50G_POLICY(pplm, *fec_policy, write, 100g_2x);
++ MLX5E_FEC_OVERRIDE_ADMIN_POLICY(pplm, *fec_policy, write, 100g_2x);
+ break;
+ case MLX5E_FEC_SUPPORTED_LINK_MODE_200G_4X:
+- MLX5E_FEC_OVERRIDE_ADMIN_50G_POLICY(pplm, *fec_policy, write, 200g_4x);
++ MLX5E_FEC_OVERRIDE_ADMIN_POLICY(pplm, *fec_policy, write, 200g_4x);
+ break;
+ case MLX5E_FEC_SUPPORTED_LINK_MODE_400G_8X:
+- MLX5E_FEC_OVERRIDE_ADMIN_50G_POLICY(pplm, *fec_policy, write, 400g_8x);
++ MLX5E_FEC_OVERRIDE_ADMIN_POLICY(pplm, *fec_policy, write, 400g_8x);
+ break;
+ default:
+ return -EINVAL;
--- /dev/null
+From 610f8c0fc8d46e0933955ce13af3d64484a4630a Mon Sep 17 00:00:00 2001
+From: Hristo Venev <hristo@venev.name>
+Date: Mon, 12 Apr 2021 20:41:16 +0300
+Subject: net: sit: Unregister catch-all devices
+
+From: Hristo Venev <hristo@venev.name>
+
+commit 610f8c0fc8d46e0933955ce13af3d64484a4630a upstream.
+
+A sit interface created without a local or a remote address is linked
+into the `sit_net::tunnels_wc` list of its original namespace. When
+deleting a network namespace, delete the devices that have been moved.
+
+The following script triggers a null pointer dereference if devices
+linked in a deleted `sit_net` remain:
+
+ for i in `seq 1 30`; do
+ ip netns add ns-test
+ ip netns exec ns-test ip link add dev veth0 type veth peer veth1
+ ip netns exec ns-test ip link add dev sit$i type sit dev veth0
+ ip netns exec ns-test ip link set dev sit$i netns $$
+ ip netns del ns-test
+ done
+ for i in `seq 1 30`; do
+ ip link del dev sit$i
+ done
+
+Fixes: 5e6700b3bf98f ("sit: add support of x-netns")
+Signed-off-by: Hristo Venev <hristo@venev.name>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/sit.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/sit.c
++++ b/net/ipv6/sit.c
+@@ -1867,9 +1867,9 @@ static void __net_exit sit_destroy_tunne
+ if (dev->rtnl_link_ops == &sit_link_ops)
+ unregister_netdevice_queue(dev, head);
+
+- for (prio = 1; prio < 4; prio++) {
++ for (prio = 0; prio < 4; prio++) {
+ int h;
+- for (h = 0; h < IP6_SIT_HASH_SIZE; h++) {
++ for (h = 0; h < (prio ? IP6_SIT_HASH_SIZE : 1); h++) {
+ struct ip_tunnel *t;
+
+ t = rtnl_dereference(sitn->tunnels[prio][h]);
--- /dev/null
+From d163a925ebbc6eb5b562b0f1d72c7e817aa75c40 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Wed, 7 Apr 2021 21:43:40 +0200
+Subject: netfilter: arp_tables: add pre_exit hook for table unregister
+
+From: Florian Westphal <fw@strlen.de>
+
+commit d163a925ebbc6eb5b562b0f1d72c7e817aa75c40 upstream.
+
+Same problem that also existed in iptables/ip(6)tables, when
+arptable_filter is removed there is no longer a wait period before the
+table/ruleset is free'd.
+
+Unregister the hook in pre_exit, then remove the table in the exit
+function.
+This used to work correctly because the old nf_hook_unregister API
+did unconditional synchronize_net.
+
+The per-net hook unregister function uses call_rcu instead.
+
+Fixes: b9e69e127397 ("netfilter: xtables: don't hook tables by default")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/netfilter_arp/arp_tables.h | 5 +++--
+ net/ipv4/netfilter/arp_tables.c | 9 +++++++--
+ net/ipv4/netfilter/arptable_filter.c | 10 +++++++++-
+ 3 files changed, 19 insertions(+), 5 deletions(-)
+
+--- a/include/linux/netfilter_arp/arp_tables.h
++++ b/include/linux/netfilter_arp/arp_tables.h
+@@ -52,8 +52,9 @@ extern void *arpt_alloc_initial_table(co
+ int arpt_register_table(struct net *net, const struct xt_table *table,
+ const struct arpt_replace *repl,
+ const struct nf_hook_ops *ops, struct xt_table **res);
+-void arpt_unregister_table(struct net *net, struct xt_table *table,
+- const struct nf_hook_ops *ops);
++void arpt_unregister_table(struct net *net, struct xt_table *table);
++void arpt_unregister_table_pre_exit(struct net *net, struct xt_table *table,
++ const struct nf_hook_ops *ops);
+ extern unsigned int arpt_do_table(struct sk_buff *skb,
+ const struct nf_hook_state *state,
+ struct xt_table *table);
+--- a/net/ipv4/netfilter/arp_tables.c
++++ b/net/ipv4/netfilter/arp_tables.c
+@@ -1541,10 +1541,15 @@ out_free:
+ return ret;
+ }
+
+-void arpt_unregister_table(struct net *net, struct xt_table *table,
+- const struct nf_hook_ops *ops)
++void arpt_unregister_table_pre_exit(struct net *net, struct xt_table *table,
++ const struct nf_hook_ops *ops)
+ {
+ nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks));
++}
++EXPORT_SYMBOL(arpt_unregister_table_pre_exit);
++
++void arpt_unregister_table(struct net *net, struct xt_table *table)
++{
+ __arpt_unregister_table(net, table);
+ }
+
+--- a/net/ipv4/netfilter/arptable_filter.c
++++ b/net/ipv4/netfilter/arptable_filter.c
+@@ -56,16 +56,24 @@ static int __net_init arptable_filter_ta
+ return err;
+ }
+
++static void __net_exit arptable_filter_net_pre_exit(struct net *net)
++{
++ if (net->ipv4.arptable_filter)
++ arpt_unregister_table_pre_exit(net, net->ipv4.arptable_filter,
++ arpfilter_ops);
++}
++
+ static void __net_exit arptable_filter_net_exit(struct net *net)
+ {
+ if (!net->ipv4.arptable_filter)
+ return;
+- arpt_unregister_table(net, net->ipv4.arptable_filter, arpfilter_ops);
++ arpt_unregister_table(net, net->ipv4.arptable_filter);
+ net->ipv4.arptable_filter = NULL;
+ }
+
+ static struct pernet_operations arptable_filter_net_ops = {
+ .exit = arptable_filter_net_exit,
++ .pre_exit = arptable_filter_net_pre_exit,
+ };
+
+ static int __init arptable_filter_init(void)
--- /dev/null
+From 7ee3c61dcd28bf6e290e06ad382f13511dc790e9 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Wed, 7 Apr 2021 21:43:39 +0200
+Subject: netfilter: bridge: add pre_exit hooks for ebtable unregistration
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 7ee3c61dcd28bf6e290e06ad382f13511dc790e9 upstream.
+
+Just like ip/ip6/arptables, the hooks have to be removed, then
+synchronize_rcu() has to be called to make sure no more packets are being
+processed before the ruleset data is released.
+
+Place the hook unregistration in the pre_exit hook, then call the new
+ebtables pre_exit function from there.
+
+Years ago, when first netns support got added for netfilter+ebtables,
+this used an older (now removed) netfilter hook unregister API, that did
+a unconditional synchronize_rcu().
+
+Now that all is done with call_rcu, ebtable_{filter,nat,broute} pernet exit
+handlers may free the ebtable ruleset while packets are still in flight.
+
+This can only happens on module removal, not during netns exit.
+
+The new function expects the table name, not the table struct.
+
+This is because upcoming patch set (targeting -next) will remove all
+net->xt.{nat,filter,broute}_table instances, this makes it necessary
+to avoid external references to those member variables.
+
+The existing APIs will be converted, so follow the upcoming scheme of
+passing name + hook type instead.
+
+Fixes: aee12a0a3727e ("ebtables: remove nf_hook_register usage")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/netfilter_bridge/ebtables.h | 5 +++--
+ net/bridge/netfilter/ebtable_broute.c | 8 +++++++-
+ net/bridge/netfilter/ebtable_filter.c | 8 +++++++-
+ net/bridge/netfilter/ebtable_nat.c | 8 +++++++-
+ net/bridge/netfilter/ebtables.c | 30 +++++++++++++++++++++++++++---
+ 5 files changed, 51 insertions(+), 8 deletions(-)
+
+--- a/include/linux/netfilter_bridge/ebtables.h
++++ b/include/linux/netfilter_bridge/ebtables.h
+@@ -110,8 +110,9 @@ extern int ebt_register_table(struct net
+ const struct ebt_table *table,
+ const struct nf_hook_ops *ops,
+ struct ebt_table **res);
+-extern void ebt_unregister_table(struct net *net, struct ebt_table *table,
+- const struct nf_hook_ops *);
++extern void ebt_unregister_table(struct net *net, struct ebt_table *table);
++void ebt_unregister_table_pre_exit(struct net *net, const char *tablename,
++ const struct nf_hook_ops *ops);
+ extern unsigned int ebt_do_table(struct sk_buff *skb,
+ const struct nf_hook_state *state,
+ struct ebt_table *table);
+--- a/net/bridge/netfilter/ebtable_broute.c
++++ b/net/bridge/netfilter/ebtable_broute.c
+@@ -105,14 +105,20 @@ static int __net_init broute_net_init(st
+ &net->xt.broute_table);
+ }
+
++static void __net_exit broute_net_pre_exit(struct net *net)
++{
++ ebt_unregister_table_pre_exit(net, "broute", &ebt_ops_broute);
++}
++
+ static void __net_exit broute_net_exit(struct net *net)
+ {
+- ebt_unregister_table(net, net->xt.broute_table, &ebt_ops_broute);
++ ebt_unregister_table(net, net->xt.broute_table);
+ }
+
+ static struct pernet_operations broute_net_ops = {
+ .init = broute_net_init,
+ .exit = broute_net_exit,
++ .pre_exit = broute_net_pre_exit,
+ };
+
+ static int __init ebtable_broute_init(void)
+--- a/net/bridge/netfilter/ebtable_filter.c
++++ b/net/bridge/netfilter/ebtable_filter.c
+@@ -99,14 +99,20 @@ static int __net_init frame_filter_net_i
+ &net->xt.frame_filter);
+ }
+
++static void __net_exit frame_filter_net_pre_exit(struct net *net)
++{
++ ebt_unregister_table_pre_exit(net, "filter", ebt_ops_filter);
++}
++
+ static void __net_exit frame_filter_net_exit(struct net *net)
+ {
+- ebt_unregister_table(net, net->xt.frame_filter, ebt_ops_filter);
++ ebt_unregister_table(net, net->xt.frame_filter);
+ }
+
+ static struct pernet_operations frame_filter_net_ops = {
+ .init = frame_filter_net_init,
+ .exit = frame_filter_net_exit,
++ .pre_exit = frame_filter_net_pre_exit,
+ };
+
+ static int __init ebtable_filter_init(void)
+--- a/net/bridge/netfilter/ebtable_nat.c
++++ b/net/bridge/netfilter/ebtable_nat.c
+@@ -99,14 +99,20 @@ static int __net_init frame_nat_net_init
+ &net->xt.frame_nat);
+ }
+
++static void __net_exit frame_nat_net_pre_exit(struct net *net)
++{
++ ebt_unregister_table_pre_exit(net, "nat", ebt_ops_nat);
++}
++
+ static void __net_exit frame_nat_net_exit(struct net *net)
+ {
+- ebt_unregister_table(net, net->xt.frame_nat, ebt_ops_nat);
++ ebt_unregister_table(net, net->xt.frame_nat);
+ }
+
+ static struct pernet_operations frame_nat_net_ops = {
+ .init = frame_nat_net_init,
+ .exit = frame_nat_net_exit,
++ .pre_exit = frame_nat_net_pre_exit,
+ };
+
+ static int __init ebtable_nat_init(void)
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1232,10 +1232,34 @@ out:
+ return ret;
+ }
+
+-void ebt_unregister_table(struct net *net, struct ebt_table *table,
+- const struct nf_hook_ops *ops)
++static struct ebt_table *__ebt_find_table(struct net *net, const char *name)
++{
++ struct ebt_table *t;
++
++ mutex_lock(&ebt_mutex);
++
++ list_for_each_entry(t, &net->xt.tables[NFPROTO_BRIDGE], list) {
++ if (strcmp(t->name, name) == 0) {
++ mutex_unlock(&ebt_mutex);
++ return t;
++ }
++ }
++
++ mutex_unlock(&ebt_mutex);
++ return NULL;
++}
++
++void ebt_unregister_table_pre_exit(struct net *net, const char *name, const struct nf_hook_ops *ops)
++{
++ struct ebt_table *table = __ebt_find_table(net, name);
++
++ if (table)
++ nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks));
++}
++EXPORT_SYMBOL(ebt_unregister_table_pre_exit);
++
++void ebt_unregister_table(struct net *net, struct ebt_table *table)
+ {
+- nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks));
+ __ebt_unregister_table(net, table);
+ }
+
--- /dev/null
+From fbea31808ca124dd73ff6bb1e67c9af4607c3e32 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Wed, 31 Mar 2021 01:04:45 +0200
+Subject: netfilter: conntrack: do not print icmpv6 as unknown via /proc
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit fbea31808ca124dd73ff6bb1e67c9af4607c3e32 upstream.
+
+/proc/net/nf_conntrack shows icmpv6 as unknown.
+
+Fixes: 09ec82f5af99 ("netfilter: conntrack: remove protocol name from l4proto struct")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_conntrack_standalone.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/netfilter/nf_conntrack_standalone.c
++++ b/net/netfilter/nf_conntrack_standalone.c
+@@ -266,6 +266,7 @@ static const char* l4proto_name(u16 prot
+ case IPPROTO_GRE: return "gre";
+ case IPPROTO_SCTP: return "sctp";
+ case IPPROTO_UDPLITE: return "udplite";
++ case IPPROTO_ICMPV6: return "icmpv6";
+ }
+
+ return "unknown";
--- /dev/null
+From 0e07e25b481aa021e4b48085ecb8a049e9614510 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Tue, 30 Mar 2021 16:24:11 +0200
+Subject: netfilter: flowtable: fix NAT IPv6 offload mangling
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 0e07e25b481aa021e4b48085ecb8a049e9614510 upstream.
+
+Fix out-of-bound access in the address array.
+
+Fixes: 5c27d8d76ce8 ("netfilter: nf_flow_table_offload: add IPv6 support")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_flow_table_offload.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/netfilter/nf_flow_table_offload.c
++++ b/net/netfilter/nf_flow_table_offload.c
+@@ -305,12 +305,12 @@ static void flow_offload_ipv6_mangle(str
+ const __be32 *addr, const __be32 *mask)
+ {
+ struct flow_action_entry *entry;
+- int i;
++ int i, j;
+
+- for (i = 0; i < sizeof(struct in6_addr) / sizeof(u32); i += sizeof(u32)) {
++ for (i = 0, j = 0; i < sizeof(struct in6_addr) / sizeof(u32); i += sizeof(u32), j++) {
+ entry = flow_action_entry_next(flow_rule);
+ flow_offload_mangle(entry, FLOW_ACT_MANGLE_HDR_TYPE_IP6,
+- offset + i, &addr[i], mask);
++ offset + i, &addr[j], mask);
+ }
+ }
+
--- /dev/null
+From b895bdf5d643b6feb7c60856326dd4feb6981560 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 9 Apr 2021 08:49:39 -0700
+Subject: netfilter: nft_limit: avoid possible divide error in nft_limit_init
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit b895bdf5d643b6feb7c60856326dd4feb6981560 upstream.
+
+div_u64() divides u64 by u32.
+
+nft_limit_init() wants to divide u64 by u64, use the appropriate
+math function (div64_u64)
+
+divide error: 0000 [#1] PREEMPT SMP KASAN
+CPU: 1 PID: 8390 Comm: syz-executor188 Not tainted 5.12.0-rc4-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:div_u64_rem include/linux/math64.h:28 [inline]
+RIP: 0010:div_u64 include/linux/math64.h:127 [inline]
+RIP: 0010:nft_limit_init+0x2a2/0x5e0 net/netfilter/nft_limit.c:85
+Code: ef 4c 01 eb 41 0f 92 c7 48 89 de e8 38 a5 22 fa 4d 85 ff 0f 85 97 02 00 00 e8 ea 9e 22 fa 4c 0f af f3 45 89 ed 31 d2 4c 89 f0 <49> f7 f5 49 89 c6 e8 d3 9e 22 fa 48 8d 7d 48 48 b8 00 00 00 00 00
+RSP: 0018:ffffc90009447198 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: 0000200000000000 RCX: 0000000000000000
+RDX: 0000000000000000 RSI: ffffffff875152e6 RDI: 0000000000000003
+RBP: ffff888020f80908 R08: 0000200000000000 R09: 0000000000000000
+R10: ffffffff875152d8 R11: 0000000000000000 R12: ffffc90009447270
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+FS: 000000000097a300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00000000200001c4 CR3: 0000000026a52000 CR4: 00000000001506e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ nf_tables_newexpr net/netfilter/nf_tables_api.c:2675 [inline]
+ nft_expr_init+0x145/0x2d0 net/netfilter/nf_tables_api.c:2713
+ nft_set_elem_expr_alloc+0x27/0x280 net/netfilter/nf_tables_api.c:5160
+ nf_tables_newset+0x1997/0x3150 net/netfilter/nf_tables_api.c:4321
+ nfnetlink_rcv_batch+0x85a/0x21b0 net/netfilter/nfnetlink.c:456
+ nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:580 [inline]
+ nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:598
+ netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
+ netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
+ netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
+ sock_sendmsg_nosec net/socket.c:654 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:674
+ ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
+ ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
+ __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Fixes: c26844eda9d4 ("netfilter: nf_tables: Fix nft limit burst handling")
+Fixes: 3e0f64b7dd31 ("netfilter: nft_limit: fix packet ratelimiting")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Diagnosed-by: Luigi Rizzo <lrizzo@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nft_limit.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/netfilter/nft_limit.c
++++ b/net/netfilter/nft_limit.c
+@@ -76,13 +76,13 @@ static int nft_limit_init(struct nft_lim
+ return -EOVERFLOW;
+
+ if (pkts) {
+- tokens = div_u64(limit->nsecs, limit->rate) * limit->burst;
++ tokens = div64_u64(limit->nsecs, limit->rate) * limit->burst;
+ } else {
+ /* The token bucket size limits the number of tokens can be
+ * accumulated. tokens_max specifies the bucket size.
+ * tokens_max = unit * (rate + burst) / rate.
+ */
+- tokens = div_u64(limit->nsecs * (limit->rate + limit->burst),
++ tokens = div64_u64(limit->nsecs * (limit->rate + limit->burst),
+ limit->rate);
+ }
+
--- /dev/null
+From 176ddd89171ddcf661862d90c5d257877f7326d6 Mon Sep 17 00:00:00 2001
+From: Jolly Shah <jollys@google.com>
+Date: Thu, 18 Mar 2021 15:56:32 -0700
+Subject: scsi: libsas: Reset num_scatter if libata marks qc as NODATA
+
+From: Jolly Shah <jollys@google.com>
+
+commit 176ddd89171ddcf661862d90c5d257877f7326d6 upstream.
+
+When the cache_type for the SCSI device is changed, the SCSI layer issues a
+MODE_SELECT command. The caching mode details are communicated via a
+request buffer associated with the SCSI command with data direction set as
+DMA_TO_DEVICE (scsi_mode_select()). When this command reaches the libata
+layer, as a part of generic initial setup, libata layer sets up the
+scatterlist for the command using the SCSI command (ata_scsi_qc_new()).
+This command is then translated by the libata layer into
+ATA_CMD_SET_FEATURES (ata_scsi_mode_select_xlat()). The libata layer treats
+this as a non-data command (ata_mselect_caching()), since it only needs an
+ATA taskfile to pass the caching on/off information to the device. It does
+not need the scatterlist that has been setup, so it does not perform
+dma_map_sg() on the scatterlist (ata_qc_issue()). Unfortunately, when this
+command reaches the libsas layer (sas_ata_qc_issue()), libsas layer sees it
+as a non-data command with a scatterlist. It cannot extract the correct DMA
+length since the scatterlist has not been mapped with dma_map_sg() for a
+DMA operation. When this partially constructed SAS task reaches pm80xx
+LLDD, it results in the following warning:
+
+"pm80xx_chip_sata_req 6058: The sg list address
+start_addr=0x0000000000000000 data_len=0x0end_addr_high=0xffffffff
+end_addr_low=0xffffffff has crossed 4G boundary"
+
+Update libsas to handle ATA non-data commands separately so num_scatter and
+total_xfer_len remain 0.
+
+Link: https://lore.kernel.org/r/20210318225632.2481291-1-jollys@google.com
+Fixes: 53de092f47ff ("scsi: libsas: Set data_dir as DMA_NONE if libata marks qc as NODATA")
+Tested-by: Luo Jiaxing <luojiaxing@huawei.com>
+Reviewed-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Jolly Shah <jollys@google.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/libsas/sas_ata.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/drivers/scsi/libsas/sas_ata.c
++++ b/drivers/scsi/libsas/sas_ata.c
+@@ -201,18 +201,17 @@ static unsigned int sas_ata_qc_issue(str
+ memcpy(task->ata_task.atapi_packet, qc->cdb, qc->dev->cdb_len);
+ task->total_xfer_len = qc->nbytes;
+ task->num_scatter = qc->n_elem;
++ task->data_dir = qc->dma_dir;
++ } else if (qc->tf.protocol == ATA_PROT_NODATA) {
++ task->data_dir = DMA_NONE;
+ } else {
+ for_each_sg(qc->sg, sg, qc->n_elem, si)
+ xfer += sg_dma_len(sg);
+
+ task->total_xfer_len = xfer;
+ task->num_scatter = si;
+- }
+-
+- if (qc->tf.protocol == ATA_PROT_NODATA)
+- task->data_dir = DMA_NONE;
+- else
+ task->data_dir = qc->dma_dir;
++ }
+ task->scatter = qc->sg;
+ task->ata_task.retry_count = 1;
+ task->task_state_flags = SAS_TASK_STATE_PENDING;
arm64-alternatives-move-length-validation-in-alternative_-insn-endif.patch
vfio-pci-add-missing-range-check-in-vfio_pci_mmap.patch
riscv-fix-spelling-mistake-sparsemem-to-sparsmem.patch
+scsi-libsas-reset-num_scatter-if-libata-marks-qc-as-nodata.patch
+ixgbe-fix-unbalanced-device-enable-disable-in-suspend-resume.patch
+netfilter-flowtable-fix-nat-ipv6-offload-mangling.patch
+netfilter-conntrack-do-not-print-icmpv6-as-unknown-via-proc.patch
+ice-fix-potential-infinite-loop-when-using-u8-loop-counter.patch
+libnvdimm-region-fix-nvdimm_has_flush-to-handle-nd_region_async.patch
+netfilter-bridge-add-pre_exit-hooks-for-ebtable-unregistration.patch
+netfilter-arp_tables-add-pre_exit-hook-for-table-unregister.patch
+libbpf-fix-potential-null-pointer-dereference.patch
+net-macb-fix-the-restore-of-cmp-registers.patch
+net-mlx5e-fix-ingress_ifindex-check-in-mlx5e_flower_parse_meta.patch
+netfilter-nft_limit-avoid-possible-divide-error-in-nft_limit_init.patch
+net-mlx5e-fix-setting-of-rs-fec-mode.patch
+net-davicom-fix-regulator-not-turned-off-on-failed-probe.patch
+net-sit-unregister-catch-all-devices.patch
+net-ip6_tunnel-unregister-catch-all-devices.patch
+mm-ptdump-fix-build-failure.patch
+net-make-tcp_allowed_congestion_control-readonly-in-non-init-netns.patch
+i40e-fix-the-panic-when-running-bpf-in-xdpdrv-mode.patch
+ethtool-pause-make-sure-we-init-driver-stats.patch
+ia64-remove-duplicate-entries-in-generic_defconfig.patch
+ia64-tools-remove-inclusion-of-ia64-specific-version-of-errno.h-header.patch
+ibmvnic-avoid-calling-napi_disable-twice.patch
+ibmvnic-remove-duplicate-napi_schedule-call-in-do_reset-function.patch
+ibmvnic-remove-duplicate-napi_schedule-call-in-open-function.patch
+ch_ktls-fix-kernel-panic.patch
+ch_ktls-fix-device-connection-close.patch
+ch_ktls-tcb-close-causes-tls-connection-failure.patch
+ch_ktls-do-not-send-snd_una-update-to-tcb-in-middle.patch
+gro-ensure-frag0-meets-ip-header-alignment.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
