Fixes for 4.14
authorSasha Levin <sashal@kernel.org>
Mon, 3 Aug 2020 01:29:26 +0000 (21:29 -0400)
committerSasha Levin <sashal@kernel.org>
Mon, 3 Aug 2020 01:29:26 +0000 (21:29 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
23 files changed:
queue-4.14/arm64-alternatives-move-length-validation-inside-the.patch [new file with mode: 0644]
queue-4.14/arm64-csum-fix-handling-of-bad-packets.patch [new file with mode: 0644]
queue-4.14/bpf-fix-map-leak-in-hash_of_maps-map.patch [new file with mode: 0644]
queue-4.14/cxgb4-add-missing-release-on-skb-in-uld_send.patch [new file with mode: 0644]
queue-4.14/ibmvnic-fix-irq-mapping-disposal-in-error-path.patch [new file with mode: 0644]
queue-4.14/mac80211-mesh-free-ie-data-when-leaving-mesh.patch [new file with mode: 0644]
queue-4.14/mac80211-mesh-free-pending-skb-when-destroying-a-mpa.patch [new file with mode: 0644]
queue-4.14/mlx4-disable-device-on-shutdown.patch [new file with mode: 0644]
queue-4.14/mlxsw-core-free-emad-transactions-using-kfree_rcu.patch [new file with mode: 0644]
queue-4.14/mlxsw-core-increase-scope-of-rcu-read-side-critical-.patch [new file with mode: 0644]
queue-4.14/net-ethernet-ravb-exit-if-re-initialization-fails-in.patch [new file with mode: 0644]
queue-4.14/net-lan78xx-add-missing-endpoint-sanity-check.patch [new file with mode: 0644]
queue-4.14/net-lan78xx-fix-transfer-buffer-memory-leak.patch [new file with mode: 0644]
queue-4.14/nfc-s3fwrn5-add-missing-release-on-skb-in-s3fwrn5_re.patch [new file with mode: 0644]
queue-4.14/parisc-add-support-for-cmpxchg-on-u8-pointers.patch [new file with mode: 0644]
queue-4.14/qed-disable-mfw-indication-via-attention-spam-every-.patch [new file with mode: 0644]
queue-4.14/revert-i2c-cadence-fix-the-hold-bit-setting.patch [new file with mode: 0644]
queue-4.14/selftests-net-rxtimestamp-fix-clang-issues-for-targe.patch [new file with mode: 0644]
queue-4.14/series
queue-4.14/sh-fix-validation-of-system-call-number.patch [new file with mode: 0644]
queue-4.14/usb-hso-fix-debug-compile-warning-on-sparc32.patch [new file with mode: 0644]
queue-4.14/x86-unwind-orc-fix-orc-for-newly-forked-tasks.patch [new file with mode: 0644]
queue-4.14/xen-netfront-fix-potential-deadlock-in-xennet_remove.patch [new file with mode: 0644]

diff --git a/queue-4.14/arm64-alternatives-move-length-validation-inside-the.patch b/queue-4.14/arm64-alternatives-move-length-validation-inside-the.patch
new file mode 100644 (file)
index 0000000..fc80e37
--- /dev/null
@@ -0,0 +1,45 @@
+From 629dcba1f548c410fa6b9cb75b2307208a3f1304 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Jul 2020 08:37:01 -0700
+Subject: arm64/alternatives: move length validation inside the subsection
+
+From: Sami Tolvanen <samitolvanen@google.com>
+
+[ Upstream commit 966a0acce2fca776391823381dba95c40e03c339 ]
+
+Commit f7b93d42945c ("arm64/alternatives: use subsections for replacement
+sequences") breaks LLVM's integrated assembler, because due to its
+one-pass design, it cannot compute instruction sequence lengths before the
+layout for the subsection has been finalized. This change fixes the build
+by moving the .org directives inside the subsection, so they are processed
+after the subsection layout is known.
+
+Fixes: f7b93d42945c ("arm64/alternatives: use subsections for replacement sequences")
+Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
+Link: https://github.com/ClangBuiltLinux/linux/issues/1078
+Link: https://lore.kernel.org/r/20200730153701.3892953-1-samitolvanen@google.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/asm/alternative.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/include/asm/alternative.h b/arch/arm64/include/asm/alternative.h
+index 1824768fb1ee9..3abb2dacb43f4 100644
+--- a/arch/arm64/include/asm/alternative.h
++++ b/arch/arm64/include/asm/alternative.h
+@@ -72,9 +72,9 @@ void apply_alternatives(void *start, size_t length);
+       "663:\n\t"                                                      \
+       newinstr "\n"                                                   \
+       "664:\n\t"                                                      \
+-      ".previous\n\t"                                                 \
+       ".org   . - (664b-663b) + (662b-661b)\n\t"                      \
+-      ".org   . - (662b-661b) + (664b-663b)\n"                        \
++      ".org   . - (662b-661b) + (664b-663b)\n\t"                      \
++      ".previous\n"                                                   \
+       ".endif\n"
+ #define __ALTERNATIVE_CFG_CB(oldinstr, feature, cfg_enabled, cb)      \
+-- 
+2.25.1
+
diff --git a/queue-4.14/arm64-csum-fix-handling-of-bad-packets.patch b/queue-4.14/arm64-csum-fix-handling-of-bad-packets.patch
new file mode 100644 (file)
index 0000000..7c6a51d
--- /dev/null
@@ -0,0 +1,50 @@
+From 96299b50ed8217a4d02fb957caf379095ed9352f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Jul 2020 10:56:49 +0100
+Subject: arm64: csum: Fix handling of bad packets
+
+From: Robin Murphy <robin.murphy@arm.com>
+
+[ Upstream commit 05fb3dbda187bbd9cc1cd0e97e5d6595af570ac6 ]
+
+Although iph is expected to point to at least 20 bytes of valid memory,
+ihl may be bogus, for example on reception of a corrupt packet. If it
+happens to be less than 5, we really don't want to run away and
+dereference 16GB worth of memory until it wraps back to exactly zero...
+
+Fixes: 0e455d8e80aa ("arm64: Implement optimised IP checksum helpers")
+Reported-by: guodeqing <geffrey.guo@huawei.com>
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/asm/checksum.h | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/include/asm/checksum.h b/arch/arm64/include/asm/checksum.h
+index 0b6f5a7d4027c..fd11e0d70e446 100644
+--- a/arch/arm64/include/asm/checksum.h
++++ b/arch/arm64/include/asm/checksum.h
+@@ -30,16 +30,17 @@ static inline __sum16 ip_fast_csum(const void *iph, unsigned int ihl)
+ {
+       __uint128_t tmp;
+       u64 sum;
++      int n = ihl; /* we want it signed */
+       tmp = *(const __uint128_t *)iph;
+       iph += 16;
+-      ihl -= 4;
++      n -= 4;
+       tmp += ((tmp >> 64) | (tmp << 64));
+       sum = tmp >> 64;
+       do {
+               sum += *(const u32 *)iph;
+               iph += 4;
+-      } while (--ihl);
++      } while (--n > 0);
+       sum += ((sum >> 32) | (sum << 32));
+       return csum_fold((__force u32)(sum >> 32));
+-- 
+2.25.1
+
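Review bot: The loop in `ip_fast_csum()` is still a do-while, so with the new signed counter it reads the word at `iph + 16` once even when `ihl` is below 5. That is safe only under the guarantee stated in the commit message (at least 20 valid bytes behind `iph`), and the code itself does not record it. The comment `/* we want it signed */` names the type but not the reason; something like `/* ihl may be bogus (< 5) on a corrupt packet: a signed count ends the loop after one word instead of wrapping */` would keep a later cleanup from turning it back into an unsigned counter. For such a header the returned value is a checksum over the first 20 bytes, not over `ihl * 4` bytes, so callers presumably still need their own `ihl >= 5` validation. The end of the function lies outside the hunk.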
diff --git a/queue-4.14/bpf-fix-map-leak-in-hash_of_maps-map.patch b/queue-4.14/bpf-fix-map-leak-in-hash_of_maps-map.patch
new file mode 100644 (file)
index 0000000..c7632e6
--- /dev/null
@@ -0,0 +1,63 @@
+From 09f1c554a84ef78e29b21add6d9dcf2b86a75435 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Jul 2020 21:09:12 -0700
+Subject: bpf: Fix map leak in HASH_OF_MAPS map
+
+From: Andrii Nakryiko <andriin@fb.com>
+
+[ Upstream commit 1d4e1eab456e1ee92a94987499b211db05f900ea ]
+
+Fix HASH_OF_MAPS bug of not putting inner map pointer on bpf_map_elem_update()
+operation. This is due to per-cpu extra_elems optimization, which bypassed
+free_htab_elem() logic doing proper clean ups. Make sure that inner map is put
+properly in optimized case as well.
+
+Fixes: 8c290e60fa2a ("bpf: fix hashmap extra_elems logic")
+Signed-off-by: Andrii Nakryiko <andriin@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Song Liu <songliubraving@fb.com>
+Link: https://lore.kernel.org/bpf/20200729040913.2815687-1-andriin@fb.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/hashtab.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c
+index 505e69854eb88..6cc090d015f66 100644
+--- a/kernel/bpf/hashtab.c
++++ b/kernel/bpf/hashtab.c
+@@ -656,15 +656,20 @@ static void htab_elem_free_rcu(struct rcu_head *head)
+       preempt_enable();
+ }
+-static void free_htab_elem(struct bpf_htab *htab, struct htab_elem *l)
++static void htab_put_fd_value(struct bpf_htab *htab, struct htab_elem *l)
+ {
+       struct bpf_map *map = &htab->map;
++      void *ptr;
+       if (map->ops->map_fd_put_ptr) {
+-              void *ptr = fd_htab_map_get_ptr(map, l);
+-
++              ptr = fd_htab_map_get_ptr(map, l);
+               map->ops->map_fd_put_ptr(ptr);
+       }
++}
++
++static void free_htab_elem(struct bpf_htab *htab, struct htab_elem *l)
++{
++      htab_put_fd_value(htab, l);
+       if (htab_is_prealloc(htab)) {
+               __pcpu_freelist_push(&htab->freelist, &l->fnode);
+@@ -725,6 +730,7 @@ static struct htab_elem *alloc_htab_elem(struct bpf_htab *htab, void *key,
+                        */
+                       pl_new = this_cpu_ptr(htab->extra_elems);
+                       l_new = *pl_new;
++                      htab_put_fd_value(htab, old_elem);
+                       *pl_new = old_elem;
+               } else {
+                       struct pcpu_freelist_node *l;
+-- 
+2.25.1
+
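Review bot: `htab_put_fd_value()` is added without a comment saying what it requires of `l`, and the new call in `alloc_htab_elem()` passes `old_elem` with no NULL check visible in the hunk. When `map_fd_put_ptr` is set, `fd_htab_map_get_ptr(map, l)` is handed that pointer and presumably dereferences it. The enclosing branch starts outside the hunk, so the guard may already be there, but a one-line contract above the helper such as `/* drop the inner-map reference held by l; l must be non-NULL */` would make it checkable. A short comment at the call site noting that the reference is dropped before `old_elem` is parked in `extra_elems` would also record the ordering the leak fix depends on.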
diff --git a/queue-4.14/cxgb4-add-missing-release-on-skb-in-uld_send.patch b/queue-4.14/cxgb4-add-missing-release-on-skb-in-uld_send.patch
new file mode 100644 (file)
index 0000000..6243bbd
--- /dev/null
@@ -0,0 +1,34 @@
+From 03dc69e90babcef7561293bacfab125d3511c6bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Jul 2020 21:58:39 -0500
+Subject: cxgb4: add missing release on skb in uld_send()
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+[ Upstream commit e6827d1abdc9b061a57d7b7d3019c4e99fabea2f ]
+
+In the implementation of uld_send(), the skb is consumed on all
+execution paths except one. Release skb when returning NET_XMIT_DROP.
+
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/chelsio/cxgb4/sge.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/chelsio/cxgb4/sge.c b/drivers/net/ethernet/chelsio/cxgb4/sge.c
+index 0a5c4c7da5052..006f8b8aaa7dc 100644
+--- a/drivers/net/ethernet/chelsio/cxgb4/sge.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/sge.c
+@@ -1812,6 +1812,7 @@ static inline int uld_send(struct adapter *adap, struct sk_buff *skb,
+       txq_info = adap->sge.uld_txq_info[tx_uld_type];
+       if (unlikely(!txq_info)) {
+               WARN_ON(true);
++              kfree_skb(skb);
+               return NET_XMIT_DROP;
+       }
+-- 
+2.25.1
+
diff --git a/queue-4.14/ibmvnic-fix-irq-mapping-disposal-in-error-path.patch b/queue-4.14/ibmvnic-fix-irq-mapping-disposal-in-error-path.patch
new file mode 100644 (file)
index 0000000..f1548b2
--- /dev/null
@@ -0,0 +1,37 @@
+From 5699398fc01e1a4a68af196493208e4232c8cc4b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Jul 2020 16:36:32 -0500
+Subject: ibmvnic: Fix IRQ mapping disposal in error path
+
+From: Thomas Falcon <tlfalcon@linux.ibm.com>
+
+[ Upstream commit 27a2145d6f826d1fad9de06ac541b1016ced3427 ]
+
+RX queue IRQ mappings are disposed in both the TX IRQ and RX IRQ
+error paths. Fix this and dispose of TX IRQ mappings correctly in
+case of an error.
+
+Fixes: ea22d51a7831 ("ibmvnic: simplify and improve driver probe function")
+Signed-off-by: Thomas Falcon <tlfalcon@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ibm/ibmvnic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c
+index 85c11dafb4cd9..8b8a0c4fbc993 100644
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -2324,7 +2324,7 @@ req_rx_irq_failed:
+ req_tx_irq_failed:
+       for (j = 0; j < i; j++) {
+               free_irq(adapter->tx_scrq[j]->irq, adapter->tx_scrq[j]);
+-              irq_dispose_mapping(adapter->rx_scrq[j]->irq);
++              irq_dispose_mapping(adapter->tx_scrq[j]->irq);
+       }
+       release_sub_crqs(adapter);
+       return rc;
+-- 
+2.25.1
+
diff --git a/queue-4.14/mac80211-mesh-free-ie-data-when-leaving-mesh.patch b/queue-4.14/mac80211-mesh-free-ie-data-when-leaving-mesh.patch
new file mode 100644 (file)
index 0000000..e7e9e06
--- /dev/null
@@ -0,0 +1,61 @@
+From d96aea1596d5e9db8bf7e60ecf0e51ba6ae2fd75 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Jul 2020 15:50:07 +0200
+Subject: mac80211: mesh: Free ie data when leaving mesh
+
+From: Remi Pommarel <repk@triplefau.lt>
+
+[ Upstream commit 6a01afcf8468d3ca2bd8bbb27503f60dcf643b20 ]
+
+At ieee80211_join_mesh() some ie data could have been allocated (see
+copy_mesh_setup()) and need to be cleaned up when leaving the mesh.
+
+This fixes the following kmemleak report:
+
+unreferenced object 0xffff0000116bc600 (size 128):
+  comm "wpa_supplicant", pid 608, jiffies 4294898983 (age 293.484s)
+  hex dump (first 32 bytes):
+    30 14 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00  0...............
+    00 0f ac 08 00 00 00 00 c4 65 40 00 00 00 00 00  .........e@.....
+  backtrace:
+    [<00000000bebe439d>] __kmalloc_track_caller+0x1c0/0x330
+    [<00000000a349dbe1>] kmemdup+0x28/0x50
+    [<0000000075d69baa>] ieee80211_join_mesh+0x6c/0x3b8 [mac80211]
+    [<00000000683bb98b>] __cfg80211_join_mesh+0x1e8/0x4f0 [cfg80211]
+    [<0000000072cb507f>] nl80211_join_mesh+0x520/0x6b8 [cfg80211]
+    [<0000000077e9bcf9>] genl_family_rcv_msg+0x374/0x680
+    [<00000000b1bd936d>] genl_rcv_msg+0x78/0x108
+    [<0000000022c53788>] netlink_rcv_skb+0xb0/0x1c0
+    [<0000000011af8ec9>] genl_rcv+0x34/0x48
+    [<0000000069e41f53>] netlink_unicast+0x268/0x2e8
+    [<00000000a7517316>] netlink_sendmsg+0x320/0x4c0
+    [<0000000069cba205>] ____sys_sendmsg+0x354/0x3a0
+    [<00000000e06bab0f>] ___sys_sendmsg+0xd8/0x120
+    [<0000000037340728>] __sys_sendmsg+0xa4/0xf8
+    [<000000004fed9776>] __arm64_sys_sendmsg+0x44/0x58
+    [<000000001c1e5647>] el0_svc_handler+0xd0/0x1a0
+
+Fixes: c80d545da3f7 (mac80211: Let userspace enable and configure vendor specific path selection.)
+Signed-off-by: Remi Pommarel <repk@triplefau.lt>
+Link: https://lore.kernel.org/r/20200704135007.27292-1-repk@triplefau.lt
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/cfg.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index b1484b8316e87..c883cb67b7311 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1997,6 +1997,7 @@ static int ieee80211_leave_mesh(struct wiphy *wiphy, struct net_device *dev)
+       ieee80211_stop_mesh(sdata);
+       mutex_lock(&sdata->local->mtx);
+       ieee80211_vif_release_channel(sdata);
++      kfree(sdata->u.mesh.ie);
+       mutex_unlock(&sdata->local->mtx);
+       return 0;
+-- 
+2.25.1
+
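Review bot: `kfree(sdata->u.mesh.ie);` leaves `sdata->u.mesh.ie` pointing at freed memory, and nothing in the hunk resets it. If any later path reads or frees that pointer before it is reassigned, the result is a use-after-free or a double free. Such a path could be a second leave or a rejoin that releases the previous buffer; neither is visible here, so this needs confirming against the join path. Following the free with `sdata->u.mesh.ie = NULL;` makes the repeated case harmless, since `kfree(NULL)` is a no-op. The start of `ieee80211_leave_mesh()` is outside the hunk.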
diff --git a/queue-4.14/mac80211-mesh-free-pending-skb-when-destroying-a-mpa.patch b/queue-4.14/mac80211-mesh-free-pending-skb-when-destroying-a-mpa.patch
new file mode 100644 (file)
index 0000000..34906be
--- /dev/null
@@ -0,0 +1,74 @@
+From ec75c25da8fbcc6d3e215d4d686f77db518e1ff6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Jul 2020 15:54:19 +0200
+Subject: mac80211: mesh: Free pending skb when destroying a mpath
+
+From: Remi Pommarel <repk@triplefau.lt>
+
+[ Upstream commit 5e43540c2af0a0c0a18e39579b1ad49541f87506 ]
+
+A mpath object can hold reference on a list of skb that are waiting for
+mpath resolution to be sent. When destroying a mpath this skb list
+should be cleaned up in order to not leak memory.
+
+Fixing that kind of leak:
+
+unreferenced object 0xffff0000181c9300 (size 1088):
+  comm "openvpn", pid 1782, jiffies 4295071698 (age 80.416s)
+  hex dump (first 32 bytes):
+    00 00 00 00 00 00 00 00 f9 80 36 00 00 00 00 00  ..........6.....
+    02 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00  ...@............
+  backtrace:
+    [<000000004bc6a443>] kmem_cache_alloc+0x1a4/0x2f0
+    [<000000002caaef13>] sk_prot_alloc.isra.39+0x34/0x178
+    [<00000000ceeaa916>] sk_alloc+0x34/0x228
+    [<00000000ca1f1d04>] inet_create+0x198/0x518
+    [<0000000035626b1c>] __sock_create+0x134/0x328
+    [<00000000a12b3a87>] __sys_socket+0xb0/0x158
+    [<00000000ff859f23>] __arm64_sys_socket+0x40/0x58
+    [<00000000263486ec>] el0_svc_handler+0xd0/0x1a0
+    [<0000000005b5157d>] el0_svc+0x8/0xc
+unreferenced object 0xffff000012973a40 (size 216):
+  comm "openvpn", pid 1782, jiffies 4295082137 (age 38.660s)
+  hex dump (first 32 bytes):
+    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+    00 c0 06 16 00 00 ff ff 00 93 1c 18 00 00 ff ff  ................
+  backtrace:
+    [<000000004bc6a443>] kmem_cache_alloc+0x1a4/0x2f0
+    [<0000000023c8c8f9>] __alloc_skb+0xc0/0x2b8
+    [<000000007ad950bb>] alloc_skb_with_frags+0x60/0x320
+    [<00000000ef90023a>] sock_alloc_send_pskb+0x388/0x3c0
+    [<00000000104fb1a3>] sock_alloc_send_skb+0x1c/0x28
+    [<000000006919d2dd>] __ip_append_data+0xba4/0x11f0
+    [<0000000083477587>] ip_make_skb+0x14c/0x1a8
+    [<0000000024f3d592>] udp_sendmsg+0xaf0/0xcf0
+    [<000000005aabe255>] inet_sendmsg+0x5c/0x80
+    [<000000008651ea08>] __sys_sendto+0x15c/0x218
+    [<000000003505c99b>] __arm64_sys_sendto+0x74/0x90
+    [<00000000263486ec>] el0_svc_handler+0xd0/0x1a0
+    [<0000000005b5157d>] el0_svc+0x8/0xc
+
+Fixes: 2bdaf386f99c (mac80211: mesh: move path tables into if_mesh)
+Signed-off-by: Remi Pommarel <repk@triplefau.lt>
+Link: https://lore.kernel.org/r/20200704135419.27703-1-repk@triplefau.lt
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mesh_pathtbl.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c
+index 1300220912051..933f26e2ff8be 100644
+--- a/net/mac80211/mesh_pathtbl.c
++++ b/net/mac80211/mesh_pathtbl.c
+@@ -554,6 +554,7 @@ static void mesh_path_free_rcu(struct mesh_table *tbl,
+       del_timer_sync(&mpath->timer);
+       atomic_dec(&sdata->u.mesh.mpaths);
+       atomic_dec(&tbl->entries);
++      mesh_path_flush_pending(mpath);
+       kfree_rcu(mpath, rcu);
+ }
+-- 
+2.25.1
+
diff --git a/queue-4.14/mlx4-disable-device-on-shutdown.patch b/queue-4.14/mlx4-disable-device-on-shutdown.patch
new file mode 100644 (file)
index 0000000..396a544
--- /dev/null
@@ -0,0 +1,74 @@
+From 362dc295336cb5f799e122f316796f13df67d33a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Jul 2020 16:15:43 -0700
+Subject: mlx4: disable device on shutdown
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 3cab8c65525920f00d8f4997b3e9bb73aecb3a8e ]
+
+It appears that not disabling a PCI device on .shutdown may lead to
+a Hardware Error with particular (perhaps buggy) BIOS versions:
+
+    mlx4_en: eth0: Close port called
+    mlx4_en 0000:04:00.0: removed PHC
+    reboot: Restarting system
+    {1}[Hardware Error]: Hardware error from APEI Generic Hardware Error Source: 1
+    {1}[Hardware Error]: event severity: fatal
+    {1}[Hardware Error]:  Error 0, type: fatal
+    {1}[Hardware Error]:   section_type: PCIe error
+    {1}[Hardware Error]:   port_type: 4, root port
+    {1}[Hardware Error]:   version: 1.16
+    {1}[Hardware Error]:   command: 0x4010, status: 0x0143
+    {1}[Hardware Error]:   device_id: 0000:00:02.2
+    {1}[Hardware Error]:   slot: 0
+    {1}[Hardware Error]:   secondary_bus: 0x04
+    {1}[Hardware Error]:   vendor_id: 0x8086, device_id: 0x2f06
+    {1}[Hardware Error]:   class_code: 000604
+    {1}[Hardware Error]:   bridge: secondary_status: 0x2000, control: 0x0003
+    {1}[Hardware Error]:   aer_uncor_status: 0x00100000, aer_uncor_mask: 0x00000000
+    {1}[Hardware Error]:   aer_uncor_severity: 0x00062030
+    {1}[Hardware Error]:   TLP Header: 40000018 040000ff 791f4080 00000000
+[hw error repeats]
+    Kernel panic - not syncing: Fatal hardware error!
+    CPU: 0 PID: 2189 Comm: reboot Kdump: loaded Not tainted 5.6.x-blabla #1
+    Hardware name: HP ProLiant DL380 Gen9/ProLiant DL380 Gen9, BIOS P89 05/05/2017
+
+Fix the mlx4 driver.
+
+This is a very similar problem to what had been fixed in:
+commit 0d98ba8d70b0 ("scsi: hpsa: disable device during shutdown")
+to address https://bugzilla.kernel.org/show_bug.cgi?id=199779.
+
+Fixes: 2ba5fbd62b25 ("net/mlx4_core: Handle AER flow properly")
+Reported-by: Jake Lawrence <lawja@fb.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Reviewed-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx4/main.c b/drivers/net/ethernet/mellanox/mlx4/main.c
+index cf9011bb6e0f1..c6660b61e8361 100644
+--- a/drivers/net/ethernet/mellanox/mlx4/main.c
++++ b/drivers/net/ethernet/mellanox/mlx4/main.c
+@@ -4190,12 +4190,14 @@ end:
+ static void mlx4_shutdown(struct pci_dev *pdev)
+ {
+       struct mlx4_dev_persistent *persist = pci_get_drvdata(pdev);
++      struct mlx4_dev *dev = persist->dev;
+       mlx4_info(persist->dev, "mlx4_shutdown was called\n");
+       mutex_lock(&persist->interface_state_mutex);
+       if (persist->interface_state & MLX4_INTERFACE_STATE_UP)
+               mlx4_unload_one(pdev);
+       mutex_unlock(&persist->interface_state_mutex);
++      mlx4_pci_disable_device(dev);
+ }
+ static const struct pci_error_handlers mlx4_err_handler = {
+-- 
+2.25.1
+
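Review bot: In `mlx4_shutdown()` the new local `dev` is read from `persist->dev` before `interface_state_mutex` is taken, and it is used only after the mutex is released and `mlx4_unload_one(pdev)` may have run. `mlx4_pci_disable_device(dev)` therefore relies on that structure staying valid across the unload, which the hunk does not show. A comment stating this, or reading `persist->dev` at the point of use, would make the lifetime assumption explicit. As a style point, the log line still spells out `persist->dev` although the local now exists; `mlx4_info(dev, "mlx4_shutdown was called\n");` would be consistent.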
diff --git a/queue-4.14/mlxsw-core-free-emad-transactions-using-kfree_rcu.patch b/queue-4.14/mlxsw-core-free-emad-transactions-using-kfree_rcu.patch
new file mode 100644 (file)
index 0000000..3734946
--- /dev/null
@@ -0,0 +1,152 @@
+From 1e827a27f31d39188e4b3b7f39e03300a48acecb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Jul 2020 12:26:46 +0300
+Subject: mlxsw: core: Free EMAD transactions using kfree_rcu()
+
+From: Ido Schimmel <idosch@mellanox.com>
+
+[ Upstream commit 3c8ce24b037648a5a15b85888b259a74b05ff97d ]
+
+The lifetime of EMAD transactions (i.e., 'struct mlxsw_reg_trans') is
+managed using RCU. They are freed using kfree_rcu() once the transaction
+ends.
+
+However, in case the transaction failed it is freed immediately after being
+removed from the active transactions list. This is problematic because it is
+still possible for a different CPU to dereference the transaction from an RCU
+read-side critical section while traversing the active transaction list in
+mlxsw_emad_rx_listener_func(). In which case, a use-after-free is triggered
+[1].
+
+Fix this by freeing the transaction after a grace period by calling
+kfree_rcu().
+
+[1]
+BUG: KASAN: use-after-free in mlxsw_emad_rx_listener_func+0x969/0xac0 drivers/net/ethernet/mellanox/mlxsw/core.c:671
+Read of size 8 at addr ffff88800b7964e8 by task syz-executor.2/2881
+
+CPU: 0 PID: 2881 Comm: syz-executor.2 Not tainted 5.8.0-rc4+ #44
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
+Call Trace:
+ <IRQ>
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xf6/0x16e lib/dump_stack.c:118
+ print_address_description.constprop.0+0x1c/0x250 mm/kasan/report.c:383
+ __kasan_report mm/kasan/report.c:513 [inline]
+ kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
+ mlxsw_emad_rx_listener_func+0x969/0xac0 drivers/net/ethernet/mellanox/mlxsw/core.c:671
+ mlxsw_core_skb_receive+0x571/0x700 drivers/net/ethernet/mellanox/mlxsw/core.c:2061
+ mlxsw_pci_cqe_rdq_handle drivers/net/ethernet/mellanox/mlxsw/pci.c:595 [inline]
+ mlxsw_pci_cq_tasklet+0x12a6/0x2520 drivers/net/ethernet/mellanox/mlxsw/pci.c:651
+ tasklet_action_common.isra.0+0x13f/0x3e0 kernel/softirq.c:550
+ __do_softirq+0x223/0x964 kernel/softirq.c:292
+ asm_call_on_stack+0x12/0x20 arch/x86/entry/entry_64.S:711
+ </IRQ>
+ __run_on_irqstack arch/x86/include/asm/irq_stack.h:22 [inline]
+ run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:48 [inline]
+ do_softirq_own_stack+0x109/0x140 arch/x86/kernel/irq_64.c:77
+ invoke_softirq kernel/softirq.c:387 [inline]
+ __irq_exit_rcu kernel/softirq.c:417 [inline]
+ irq_exit_rcu+0x16f/0x1a0 kernel/softirq.c:429
+ sysvec_apic_timer_interrupt+0x4e/0xd0 arch/x86/kernel/apic/apic.c:1091
+ asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:587
+RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:85 [inline]
+RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
+RIP: 0010:_raw_spin_unlock_irqrestore+0x3b/0x40 kernel/locking/spinlock.c:191
+Code: e8 2a c3 f4 fc 48 89 ef e8 12 96 f5 fc f6 c7 02 75 11 53 9d e8 d6 db 11 fd 65 ff 0d 1f 21 b3 56 5b 5d c3 e8 a7 d7 11 fd 53 9d <eb> ed 0f 1f 00 55 48 89 fd 65 ff 05 05 21 b3 56 ff 74 24 08 48 8d
+RSP: 0018:ffff8880446ffd80 EFLAGS: 00000286
+RAX: 0000000000000006 RBX: 0000000000000286 RCX: 0000000000000006
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffa94ecea9
+RBP: ffff888012934408 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000001 R11: fffffbfff57be301 R12: 1ffff110088dffc1
+R13: ffff888037b817c0 R14: ffff88802442415a R15: ffff888024424000
+ __do_sys_perf_event_open+0x1b5d/0x2bd0 kernel/events/core.c:11874
+ do_syscall_64+0x56/0xa0 arch/x86/entry/common.c:384
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x473dbd
+Code: Bad RIP value.
+RSP: 002b:00007f21e5e9cc28 EFLAGS: 00000246 ORIG_RAX: 000000000000012a
+RAX: ffffffffffffffda RBX: 000000000057bf00 RCX: 0000000000473dbd
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000040
+RBP: 000000000057bf00 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000003 R11: 0000000000000246 R12: 000000000057bf0c
+R13: 00007ffd0493503f R14: 00000000004d0f46 R15: 00007f21e5e9cd80
+
+Allocated by task 871:
+ save_stack+0x1b/0x40 mm/kasan/common.c:48
+ set_track mm/kasan/common.c:56 [inline]
+ __kasan_kmalloc mm/kasan/common.c:494 [inline]
+ __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:467
+ kmalloc include/linux/slab.h:555 [inline]
+ kzalloc include/linux/slab.h:669 [inline]
+ mlxsw_core_reg_access_emad+0x70/0x1410 drivers/net/ethernet/mellanox/mlxsw/core.c:1812
+ mlxsw_core_reg_access+0xeb/0x540 drivers/net/ethernet/mellanox/mlxsw/core.c:1991
+ mlxsw_sp_port_get_hw_xstats+0x335/0x7e0 drivers/net/ethernet/mellanox/mlxsw/spectrum.c:1130
+ update_stats_cache+0xf4/0x140 drivers/net/ethernet/mellanox/mlxsw/spectrum.c:1173
+ process_one_work+0xa3e/0x17a0 kernel/workqueue.c:2269
+ worker_thread+0x9e/0x1050 kernel/workqueue.c:2415
+ kthread+0x355/0x470 kernel/kthread.c:291
+ ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:293
+
+Freed by task 871:
+ save_stack+0x1b/0x40 mm/kasan/common.c:48
+ set_track mm/kasan/common.c:56 [inline]
+ kasan_set_free_info mm/kasan/common.c:316 [inline]
+ __kasan_slab_free+0x12c/0x170 mm/kasan/common.c:455
+ slab_free_hook mm/slub.c:1474 [inline]
+ slab_free_freelist_hook mm/slub.c:1507 [inline]
+ slab_free mm/slub.c:3072 [inline]
+ kfree+0xe6/0x320 mm/slub.c:4052
+ mlxsw_core_reg_access_emad+0xd45/0x1410 drivers/net/ethernet/mellanox/mlxsw/core.c:1819
+ mlxsw_core_reg_access+0xeb/0x540 drivers/net/ethernet/mellanox/mlxsw/core.c:1991
+ mlxsw_sp_port_get_hw_xstats+0x335/0x7e0 drivers/net/ethernet/mellanox/mlxsw/spectrum.c:1130
+ update_stats_cache+0xf4/0x140 drivers/net/ethernet/mellanox/mlxsw/spectrum.c:1173
+ process_one_work+0xa3e/0x17a0 kernel/workqueue.c:2269
+ worker_thread+0x9e/0x1050 kernel/workqueue.c:2415
+ kthread+0x355/0x470 kernel/kthread.c:291
+ ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:293
+
+The buggy address belongs to the object at ffff88800b796400
+ which belongs to the cache kmalloc-512 of size 512
+The buggy address is located 232 bytes inside of
+ 512-byte region [ffff88800b796400, ffff88800b796600)
+The buggy address belongs to the page:
+page:ffffea00002de500 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 head:ffffea00002de500 order:2 compound_mapcount:0 compound_pincount:0
+flags: 0x100000000010200(slab|head)
+raw: 0100000000010200 dead000000000100 dead000000000122 ffff88806c402500
+raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff88800b796380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff88800b796400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff88800b796480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+                                                          ^
+ ffff88800b796500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff88800b796580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+
+Fixes: caf7297e7ab5 ("mlxsw: core: Introduce support for asynchronous EMAD register access")
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Reviewed-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/core.c b/drivers/net/ethernet/mellanox/mlxsw/core.c
+index a2161b1409047..dc12ab33afffb 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/core.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/core.c
+@@ -1361,7 +1361,7 @@ static int mlxsw_core_reg_access_emad(struct mlxsw_core *mlxsw_core,
+       err = mlxsw_emad_reg_access(mlxsw_core, reg, payload, type, trans,
+                                   bulk_list, cb, cb_priv, tid);
+       if (err) {
+-              kfree(trans);
++              kfree_rcu(trans, rcu);
+               return err;
+       }
+       return 0;
+-- 
+2.25.1
+
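Review bot: The error path in `mlxsw_core_reg_access_emad()` now uses `kfree_rcu(trans, rcu);` with no comment explaining why a plain `kfree()` is wrong here, so the one-line difference is easy to revert in a later cleanup. The reasoning exists only in the commit message: the transaction may still be reachable by an RCU reader walking the active transaction list in `mlxsw_emad_rx_listener_func()`. A comment above the call would keep that next to the code, for example `/* trans may still be seen by RCU readers of the active list; free only after a grace period */`. Only the tail of the function is in the hunk, so other places that release `trans` cannot be checked from here.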
diff --git a/queue-4.14/mlxsw-core-increase-scope-of-rcu-read-side-critical-.patch b/queue-4.14/mlxsw-core-increase-scope-of-rcu-read-side-critical-.patch
new file mode 100644 (file)
index 0000000..1aa77fc
--- /dev/null
@@ -0,0 +1,47 @@
+From eb1b70c035ad55faa0d2936c6679bb72f1e273be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Jul 2020 12:26:45 +0300
+Subject: mlxsw: core: Increase scope of RCU read-side critical section
+
+From: Ido Schimmel <idosch@mellanox.com>
+
+[ Upstream commit 7d8e8f3433dc8d1dc87c1aabe73a154978fb4c4d ]
+
+The lifetime of the Rx listener item ('rxl_item') is managed using RCU,
+but is dereferenced outside of RCU read-side critical section, which can
+lead to a use-after-free.
+
+Fix this by increasing the scope of the RCU read-side critical section.
+
+Fixes: 93c1edb27f9e ("mlxsw: Introduce Mellanox switch driver core")
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Reviewed-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/core.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/core.c b/drivers/net/ethernet/mellanox/mlxsw/core.c
+index 96f9f267d16d4..a2161b1409047 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/core.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/core.c
+@@ -1574,11 +1574,13 @@ void mlxsw_core_skb_receive(struct mlxsw_core *mlxsw_core, struct sk_buff *skb,
+                       break;
+               }
+       }
+-      rcu_read_unlock();
+-      if (!found)
++      if (!found) {
++              rcu_read_unlock();
+               goto drop;
++      }
+       rxl->func(skb, local_port, rxl_item->priv);
++      rcu_read_unlock();
+       return;
+ drop:
+-- 
+2.25.1
+
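Review bot: `rxl->func(skb, local_port, rxl_item->priv)` now runs inside the RCU read-side critical section, so every registered listener callback must be non-blocking. That constraint is not written down anywhere in the hunk. A comment above the call would document both the reason for the wider section and the rule it imposes on listeners, for example `/* called under rcu_read_lock(): rxl_item is RCU-managed, listeners must not sleep */`. Whether all existing listeners already meet this cannot be told from the visible lines. `mlxsw_core_skb_receive()` begins before the hunk and the `drop:` path continues after it.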
diff --git a/queue-4.14/net-ethernet-ravb-exit-if-re-initialization-fails-in.patch b/queue-4.14/net-ethernet-ravb-exit-if-re-initialization-fails-in.patch
new file mode 100644 (file)
index 0000000..ace31fa
--- /dev/null
@@ -0,0 +1,91 @@
+From 0ec40765b47ab13ebeafe0cd88e0053ac22c9f42 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Jul 2020 15:23:12 +0900
+Subject: net: ethernet: ravb: exit if re-initialization fails in tx timeout
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+[ Upstream commit 015c5d5e6aa3523c758a70eb87b291cece2dbbb4 ]
+
+According to the report of [1], this driver is possible to cause
+the following error in ravb_tx_timeout_work().
+
+ravb e6800000.ethernet ethernet: failed to switch device to config mode
+
+This error means that the hardware could not change the state
+from "Operation" to "Configuration" while some tx and/or rx queue
+are operating. After that, ravb_config() in ravb_dmac_init() will fail,
+and then any descriptors will be not allocaled anymore so that NULL
+pointer dereference happens after that on ravb_start_xmit().
+
+To fix the issue, the ravb_tx_timeout_work() should check
+the return values of ravb_stop_dma() and ravb_dmac_init().
+If ravb_stop_dma() fails, ravb_tx_timeout_work() re-enables TX and RX
+and just exits. If ravb_dmac_init() fails, just exits.
+
+[1]
+https://lore.kernel.org/linux-renesas-soc/20200518045452.2390-1-dirk.behme@de.bosch.com/
+
+Reported-by: Dirk Behme <dirk.behme@de.bosch.com>
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Reviewed-by: Sergei Shtylyov <sergei.shtylyov@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/renesas/ravb_main.c | 26 ++++++++++++++++++++++--
+ 1 file changed, 24 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
+index d73617cc3b159..9f4d93a16b7e5 100644
+--- a/drivers/net/ethernet/renesas/ravb_main.c
++++ b/drivers/net/ethernet/renesas/ravb_main.c
+@@ -1482,6 +1482,7 @@ static void ravb_tx_timeout_work(struct work_struct *work)
+       struct ravb_private *priv = container_of(work, struct ravb_private,
+                                                work);
+       struct net_device *ndev = priv->ndev;
++      int error;
+       netif_tx_stop_all_queues(ndev);
+@@ -1490,15 +1491,36 @@ static void ravb_tx_timeout_work(struct work_struct *work)
+               ravb_ptp_stop(ndev);
+       /* Wait for DMA stopping */
+-      ravb_stop_dma(ndev);
++      if (ravb_stop_dma(ndev)) {
++              /* If ravb_stop_dma() fails, the hardware is still operating
++               * for TX and/or RX. So, this should not call the following
++               * functions because ravb_dmac_init() is possible to fail too.
++               * Also, this should not retry ravb_stop_dma() again and again
++               * here because it's possible to wait forever. So, this just
++               * re-enables the TX and RX and skip the following
++               * re-initialization procedure.
++               */
++              ravb_rcv_snd_enable(ndev);
++              goto out;
++      }
+       ravb_ring_free(ndev, RAVB_BE);
+       ravb_ring_free(ndev, RAVB_NC);
+       /* Device init */
+-      ravb_dmac_init(ndev);
++      error = ravb_dmac_init(ndev);
++      if (error) {
++              /* If ravb_dmac_init() fails, descriptors are freed. So, this
++               * should return here to avoid re-enabling the TX and RX in
++               * ravb_emac_init().
++               */
++              netdev_err(ndev, "%s: ravb_dmac_init() failed, error %d\n",
++                         __func__, error);
++              return;
++      }
+       ravb_emac_init(ndev);
++out:
+       /* Initialise PTP Clock driver */
+       if (priv->chip_id == RCAR_GEN2)
+               ravb_ptp_init(ndev, priv->pdev);
+-- 
+2.25.1
+
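Review bot: The new `ravb_stop_dma()` failure branch in ravb_tx_timeout_work() recovers silently, while the `ravb_dmac_init()` branch below it reports through `netdev_err()`. A timeout that leaves the hardware without re-initialisation deserves the same visibility, and the new `error` variable can carry the result: `error = ravb_stop_dma(ndev); if (error) { netdev_err(ndev, "%s: ravb_stop_dma() failed, error %d\n", __func__, error);`. Separately, the early `return` after a failed `ravb_dmac_init()` leaves the queues stopped by `netif_tx_stop_all_queues()` earlier in the function. If that is intended, the comment in that branch should say so, because the code that would restart them lies outside the hunk.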
diff --git a/queue-4.14/net-lan78xx-add-missing-endpoint-sanity-check.patch b/queue-4.14/net-lan78xx-add-missing-endpoint-sanity-check.patch
new file mode 100644 (file)
index 0000000..ca8e8d6
--- /dev/null
@@ -0,0 +1,45 @@
+From 6bc49b2b6b6060c8ca5c911aff4839abe5e24e63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Jul 2020 14:10:29 +0200
+Subject: net: lan78xx: add missing endpoint sanity check
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit 8d8e95fd6d69d774013f51e5f2ee10c6e6d1fc14 ]
+
+Add the missing endpoint sanity check to prevent a NULL-pointer
+dereference should a malicious device lack the expected endpoints.
+
+Note that the driver has a broken endpoint-lookup helper,
+lan78xx_get_endpoints(), which can end up accepting interfaces in an
+altsetting without endpoints as long as *some* altsetting has a bulk-in
+and a bulk-out endpoint.
+
+Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
+Cc: Woojung.Huh@microchip.com <Woojung.Huh@microchip.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/lan78xx.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c
+index b179a96ea08ca..3be92fff89b1a 100644
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -3629,6 +3629,11 @@ static int lan78xx_probe(struct usb_interface *intf,
+       netdev->max_mtu = MAX_SINGLE_PACKET_SIZE;
+       netif_set_gso_max_size(netdev, MAX_SINGLE_PACKET_SIZE - MAX_HEADER);
++      if (intf->cur_altsetting->desc.bNumEndpoints < 3) {
++              ret = -ENODEV;
++              goto out3;
++      }
++
+       dev->ep_blkin = (intf->cur_altsetting)->endpoint + 0;
+       dev->ep_blkout = (intf->cur_altsetting)->endpoint + 1;
+       dev->ep_intr = (intf->cur_altsetting)->endpoint + 2;
+-- 
+2.25.1
+
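Review bot: The added `bNumEndpoints < 3` check in lan78xx_probe() guarantees only that three endpoint descriptors exist, not that they have the types the index-based assignments below it assume. `ep_blkin`, `ep_blkout` and `ep_intr` are taken from positions 0, 1 and 2 exactly as the device supplies them, so a descriptor set with three endpoints of other types or in another order still passes. Validating the descriptors before use would close that gap, for example `if (!usb_endpoint_is_int_in(&dev->ep_intr->desc))` with the same `-ENODEV` / `goto out3` handling, plus the bulk-in and bulk-out equivalents for the other two. The rest of lan78xx_probe() is outside the hunk, so how the pipes are built from these pointers is not visible here.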
diff --git a/queue-4.14/net-lan78xx-fix-transfer-buffer-memory-leak.patch b/queue-4.14/net-lan78xx-fix-transfer-buffer-memory-leak.patch
new file mode 100644 (file)
index 0000000..d88c209
--- /dev/null
@@ -0,0 +1,36 @@
+From 0bc4009d722bbac1145d76832120fc29ac73bd5b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Jul 2020 14:10:30 +0200
+Subject: net: lan78xx: fix transfer-buffer memory leak
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit 63634aa679ba8b5e306ad0727120309ae6ba8a8e ]
+
+The interrupt URB transfer-buffer was never freed on disconnect or after
+probe errors.
+
+Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
+Cc: Woojung.Huh@microchip.com <Woojung.Huh@microchip.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/lan78xx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c
+index 3be92fff89b1a..895f307979c82 100644
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -3658,6 +3658,7 @@ static int lan78xx_probe(struct usb_interface *intf,
+                       usb_fill_int_urb(dev->urb_intr, dev->udev,
+                                        dev->pipe_intr, buf, maxp,
+                                        intr_complete, dev, period);
++                      dev->urb_intr->transfer_flags |= URB_FREE_BUFFER;
+               }
+       }
+-- 
+2.25.1
+
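Review bot: Setting `URB_FREE_BUFFER` on `dev->urb_intr` hands ownership of `buf` to the URB, and lan78xx_probe() does not state that transfer at the added line. A one-line comment there, `/* buf is owned by urb_intr from here on; usb_free_urb() releases it */`, would stop a later change from adding a separate `kfree(buf)` on an error path and turning the leak fix into a double free. The flag only helps on paths that actually release the URB. The disconnect and probe-error paths are outside this hunk, so that should be confirmed against the full function.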
diff --git a/queue-4.14/nfc-s3fwrn5-add-missing-release-on-skb-in-s3fwrn5_re.patch b/queue-4.14/nfc-s3fwrn5-add-missing-release-on-skb-in-s3fwrn5_re.patch
new file mode 100644 (file)
index 0000000..0a0c4a9
--- /dev/null
@@ -0,0 +1,34 @@
+From 36012bf6a93eac52db833de851cbb98239970789 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Jul 2020 00:31:49 -0500
+Subject: nfc: s3fwrn5: add missing release on skb in s3fwrn5_recv_frame
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+[ Upstream commit 1e8fd3a97f2d83a7197876ceb4f37b4c2b00a0f3 ]
+
+The implementation of s3fwrn5_recv_frame() is supposed to consume skb on
+all execution paths. Release skb before returning -ENODEV.
+
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nfc/s3fwrn5/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/nfc/s3fwrn5/core.c b/drivers/nfc/s3fwrn5/core.c
+index 9d9c8d57a042d..64b58455e620b 100644
+--- a/drivers/nfc/s3fwrn5/core.c
++++ b/drivers/nfc/s3fwrn5/core.c
+@@ -209,6 +209,7 @@ int s3fwrn5_recv_frame(struct nci_dev *ndev, struct sk_buff *skb,
+       case S3FWRN5_MODE_FW:
+               return s3fwrn5_fw_recv_frame(ndev, skb);
+       default:
++              kfree_skb(skb);
+               return -ENODEV;
+       }
+ }
+-- 
+2.25.1
+
diff --git a/queue-4.14/parisc-add-support-for-cmpxchg-on-u8-pointers.patch b/queue-4.14/parisc-add-support-for-cmpxchg-on-u8-pointers.patch
new file mode 100644 (file)
index 0000000..a0b0374
--- /dev/null
@@ -0,0 +1,74 @@
+From 3a4bdd8c7b76c460c6c7284c9096baa4c24bcb41 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Jul 2020 16:10:21 -0400
+Subject: parisc: add support for cmpxchg on u8 pointers
+
+From: Liam Beguin <liambeguin@gmail.com>
+
+[ Upstream commit b344d6a83d01c52fddbefa6b3b4764da5b1022a0 ]
+
+The kernel test bot reported[1] that using set_mask_bits on a u8 causes
+the following issue on parisc:
+
+       hppa-linux-ld: drivers/phy/ti/phy-tusb1210.o: in function `tusb1210_probe':
+       >> (.text+0x2f4): undefined reference to `__cmpxchg_called_with_bad_pointer'
+       >> hppa-linux-ld: (.text+0x324): undefined reference to `__cmpxchg_called_with_bad_pointer'
+       hppa-linux-ld: (.text+0x354): undefined reference to `__cmpxchg_called_with_bad_pointer'
+
+Add support for cmpxchg on u8 pointers.
+
+[1] https://lore.kernel.org/patchwork/patch/1272617/#1468946
+
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Liam Beguin <liambeguin@gmail.com>
+Tested-by: Dave Anglin <dave.anglin@bell.net>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/parisc/include/asm/cmpxchg.h |  2 ++
+ arch/parisc/lib/bitops.c          | 12 ++++++++++++
+ 2 files changed, 14 insertions(+)
+
+diff --git a/arch/parisc/include/asm/cmpxchg.h b/arch/parisc/include/asm/cmpxchg.h
+index ab5c215cf46c3..0689585758717 100644
+--- a/arch/parisc/include/asm/cmpxchg.h
++++ b/arch/parisc/include/asm/cmpxchg.h
+@@ -60,6 +60,7 @@ extern void __cmpxchg_called_with_bad_pointer(void);
+ extern unsigned long __cmpxchg_u32(volatile unsigned int *m, unsigned int old,
+                                  unsigned int new_);
+ extern u64 __cmpxchg_u64(volatile u64 *ptr, u64 old, u64 new_);
++extern u8 __cmpxchg_u8(volatile u8 *ptr, u8 old, u8 new_);
+ /* don't worry...optimizer will get rid of most of this */
+ static inline unsigned long
+@@ -71,6 +72,7 @@ __cmpxchg(volatile void *ptr, unsigned long old, unsigned long new_, int size)
+ #endif
+       case 4: return __cmpxchg_u32((unsigned int *)ptr,
+                                    (unsigned int)old, (unsigned int)new_);
++      case 1: return __cmpxchg_u8((u8 *)ptr, (u8)old, (u8)new_);
+       }
+       __cmpxchg_called_with_bad_pointer();
+       return old;
+diff --git a/arch/parisc/lib/bitops.c b/arch/parisc/lib/bitops.c
+index 70ffbcf889b8e..2e4d1f05a9264 100644
+--- a/arch/parisc/lib/bitops.c
++++ b/arch/parisc/lib/bitops.c
+@@ -79,3 +79,15 @@ unsigned long __cmpxchg_u32(volatile unsigned int *ptr, unsigned int old, unsign
+       _atomic_spin_unlock_irqrestore(ptr, flags);
+       return (unsigned long)prev;
+ }
++
++u8 __cmpxchg_u8(volatile u8 *ptr, u8 old, u8 new)
++{
++      unsigned long flags;
++      u8 prev;
++
++      _atomic_spin_lock_irqsave(ptr, flags);
++      if ((prev = *ptr) == old)
++              *ptr = new;
++      _atomic_spin_unlock_irqrestore(ptr, flags);
++      return prev;
++}
+-- 
+2.25.1
+
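Review bot: `__cmpxchg_u8()` in arch/parisc/lib/bitops.c is atomic only with respect to other code that takes the same `_atomic_spin_lock_irqsave(ptr, flags)` lock, and the new function has no comment saying so. A plain store to the same byte is not excluded by that lock, so callers must route every update of the byte through the atomic helpers. I would add a header comment, `/* Emulated under the atomic spinlock: all writers of *ptr must use the atomic helpers */`. For readability the assignment could also be split out of the condition: `prev = *ptr; if (prev == old) *ptr = new;`.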
diff --git a/queue-4.14/qed-disable-mfw-indication-via-attention-spam-every-.patch b/queue-4.14/qed-disable-mfw-indication-via-attention-spam-every-.patch
new file mode 100644 (file)
index 0000000..fa55c09
--- /dev/null
@@ -0,0 +1,38 @@
+From 53400b00607271c67610a346e93353294a0c0e77 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Jul 2020 18:08:05 -0400
+Subject: qed: Disable "MFW indication via attention" SPAM every 5 minutes
+
+From: Laurence Oberman <loberman@redhat.com>
+
+[ Upstream commit 1d61e21852d3161f234b9656797669fe185c251b ]
+
+This is likely firmware causing this but its starting to annoy customers.
+Change the message level to verbose to prevent the spam.
+Note that this seems to only show up with ISCSI enabled on the HBA via the
+qedi driver.
+
+Signed-off-by: Laurence Oberman <loberman@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_int.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_int.c b/drivers/net/ethernet/qlogic/qed/qed_int.c
+index c5d9f290ec4c7..f8d1d02a3cd4a 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_int.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_int.c
+@@ -1015,7 +1015,8 @@ static int qed_int_attentions(struct qed_hwfn *p_hwfn)
+                       index, attn_bits, attn_acks, asserted_bits,
+                       deasserted_bits, p_sb_attn_sw->known_attn);
+       } else if (asserted_bits == 0x100) {
+-              DP_INFO(p_hwfn, "MFW indication via attention\n");
++              DP_VERBOSE(p_hwfn, NETIF_MSG_INTR,
++                         "MFW indication via attention\n");
+       } else {
+               DP_VERBOSE(p_hwfn, NETIF_MSG_INTR,
+                          "MFW indication [deassertion]\n");
+-- 
+2.25.1
+
diff --git a/queue-4.14/revert-i2c-cadence-fix-the-hold-bit-setting.patch b/queue-4.14/revert-i2c-cadence-fix-the-hold-bit-setting.patch
new file mode 100644 (file)
index 0000000..42bb8ee
--- /dev/null
@@ -0,0 +1,74 @@
+From 548afca5994eaa1bfe0de2e5c32daefc63f14ce7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Jul 2020 19:25:49 +0530
+Subject: Revert "i2c: cadence: Fix the hold bit setting"
+
+From: Raviteja Narayanam <raviteja.narayanam@xilinx.com>
+
+[ Upstream commit 0db9254d6b896b587759e2c844c277fb1a6da5b9 ]
+
+This reverts commit d358def706880defa4c9e87381c5bf086a97d5f9.
+
+There are two issues with "i2c: cadence: Fix the hold bit setting" commit.
+
+1. In case of combined message request from user space, when the HOLD
+bit is cleared in cdns_i2c_mrecv function, a STOP condition is sent
+on the bus even before the last message is started. This is because when
+the HOLD bit is cleared, the FIFOS are empty and there is no pending
+transfer. The STOP condition should occur only after the last message
+is completed.
+
+2. The code added by the commit is redundant. Driver is handling the
+setting/clearing of HOLD bit in right way before the commit.
+
+The setting of HOLD bit based on 'bus_hold_flag' is taken care in
+cdns_i2c_master_xfer function even before cdns_i2c_msend/cdns_i2c_recv
+functions.
+
+The clearing of HOLD bit is taken care at the end of cdns_i2c_msend and
+cdns_i2c_recv functions based on bus_hold_flag and byte count.
+Since clearing of HOLD bit is done after the slave address is written to
+the register (writing to address register triggers the message transfer),
+it is ensured that STOP condition occurs at the right time after
+completion of the pending transfer (last message).
+
+Signed-off-by: Raviteja Narayanam <raviteja.narayanam@xilinx.com>
+Acked-by: Michal Simek <michal.simek@xilinx.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-cadence.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/i2c/busses/i2c-cadence.c b/drivers/i2c/busses/i2c-cadence.c
+index d917cefc5a19c..b136057182916 100644
+--- a/drivers/i2c/busses/i2c-cadence.c
++++ b/drivers/i2c/busses/i2c-cadence.c
+@@ -382,10 +382,8 @@ static void cdns_i2c_mrecv(struct cdns_i2c *id)
+        * Check for the message size against FIFO depth and set the
+        * 'hold bus' bit if it is greater than FIFO depth.
+        */
+-      if ((id->recv_count > CDNS_I2C_FIFO_DEPTH)  || id->bus_hold_flag)
++      if (id->recv_count > CDNS_I2C_FIFO_DEPTH)
+               ctrl_reg |= CDNS_I2C_CR_HOLD;
+-      else
+-              ctrl_reg = ctrl_reg & ~CDNS_I2C_CR_HOLD;
+       cdns_i2c_writereg(ctrl_reg, CDNS_I2C_CR_OFFSET);
+@@ -442,11 +440,8 @@ static void cdns_i2c_msend(struct cdns_i2c *id)
+        * Check for the message size against FIFO depth and set the
+        * 'hold bus' bit if it is greater than FIFO depth.
+        */
+-      if ((id->send_count > CDNS_I2C_FIFO_DEPTH) || id->bus_hold_flag)
++      if (id->send_count > CDNS_I2C_FIFO_DEPTH)
+               ctrl_reg |= CDNS_I2C_CR_HOLD;
+-      else
+-              ctrl_reg = ctrl_reg & ~CDNS_I2C_CR_HOLD;
+-
+       cdns_i2c_writereg(ctrl_reg, CDNS_I2C_CR_OFFSET);
+       /* Clear the interrupts in interrupt status register. */
+-- 
+2.25.1
+
diff --git a/queue-4.14/selftests-net-rxtimestamp-fix-clang-issues-for-targe.patch b/queue-4.14/selftests-net-rxtimestamp-fix-clang-issues-for-targe.patch
new file mode 100644 (file)
index 0000000..5e6455b
--- /dev/null
@@ -0,0 +1,43 @@
+From 241feb197cd70cc773ac8571f6d0d83320ecc6f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Jul 2020 12:25:28 -0400
+Subject: selftests/net: rxtimestamp: fix clang issues for target arch PowerPC
+
+From: Tanner Love <tannerlove@google.com>
+
+[ Upstream commit 955cbe91bcf782c09afe369c95a20f0a4b6dcc3c ]
+
+The signedness of char is implementation-dependent. Some systems
+(including PowerPC and ARM) use unsigned char. Clang 9 threw:
+warning: result of comparison of constant -1 with expression of type \
+'char' is always true [-Wtautological-constant-out-of-range-compare]
+                                  &arg_index)) != -1) {
+
+Tested: make -C tools/testing/selftests TARGETS="net" run_tests
+
+Fixes: 16e781224198 ("selftests/net: Add a test to validate behavior of rx timestamps")
+Signed-off-by: Tanner Love <tannerlove@google.com>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/networking/timestamping/rxtimestamp.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/networking/timestamping/rxtimestamp.c b/tools/testing/selftests/networking/timestamping/rxtimestamp.c
+index 7a573fb4c1c4e..c6428f1ac22fb 100644
+--- a/tools/testing/selftests/networking/timestamping/rxtimestamp.c
++++ b/tools/testing/selftests/networking/timestamping/rxtimestamp.c
+@@ -328,8 +328,7 @@ int main(int argc, char **argv)
+       bool all_tests = true;
+       int arg_index = 0;
+       int failures = 0;
+-      int s, t;
+-      char opt;
++      int s, t, opt;
+       while ((opt = getopt_long(argc, argv, "", long_options,
+                                 &arg_index)) != -1) {
+-- 
+2.25.1
+
index f2f6ca49997df5d91df9d25108bbbd0f9679f309..30dde81664d2efa6db2c1fcd15feca4b940fe713 100644 (file)
@@ -23,3 +23,25 @@ x86-build-lto-fix-truncated-.bss-with-fdata-sections.patch
 x86-vmlinux.lds-page-align-end-of-.page_aligned-sect.patch
 rds-prevent-kernel-infoleak-in-rds_notify_queue_get.patch
 xfs-fix-missed-wakeup-on-l_flush_wait.patch
+selftests-net-rxtimestamp-fix-clang-issues-for-targe.patch
+sh-fix-validation-of-system-call-number.patch
+net-lan78xx-add-missing-endpoint-sanity-check.patch
+net-lan78xx-fix-transfer-buffer-memory-leak.patch
+mlx4-disable-device-on-shutdown.patch
+mlxsw-core-increase-scope-of-rcu-read-side-critical-.patch
+mlxsw-core-free-emad-transactions-using-kfree_rcu.patch
+ibmvnic-fix-irq-mapping-disposal-in-error-path.patch
+bpf-fix-map-leak-in-hash_of_maps-map.patch
+mac80211-mesh-free-ie-data-when-leaving-mesh.patch
+mac80211-mesh-free-pending-skb-when-destroying-a-mpa.patch
+arm64-alternatives-move-length-validation-inside-the.patch
+arm64-csum-fix-handling-of-bad-packets.patch
+usb-hso-fix-debug-compile-warning-on-sparc32.patch
+qed-disable-mfw-indication-via-attention-spam-every-.patch
+nfc-s3fwrn5-add-missing-release-on-skb-in-s3fwrn5_re.patch
+parisc-add-support-for-cmpxchg-on-u8-pointers.patch
+net-ethernet-ravb-exit-if-re-initialization-fails-in.patch
+revert-i2c-cadence-fix-the-hold-bit-setting.patch
+x86-unwind-orc-fix-orc-for-newly-forked-tasks.patch
+cxgb4-add-missing-release-on-skb-in-uld_send.patch
+xen-netfront-fix-potential-deadlock-in-xennet_remove.patch
diff --git a/queue-4.14/sh-fix-validation-of-system-call-number.patch b/queue-4.14/sh-fix-validation-of-system-call-number.patch
new file mode 100644 (file)
index 0000000..7f57485
--- /dev/null
@@ -0,0 +1,57 @@
+From a4c36f1550995409035bad10bda701f9acee9b68 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Jul 2020 01:13:19 +0200
+Subject: sh: Fix validation of system call number
+
+From: Michael Karcher <kernel@mkarcher.dialup.fu-berlin.de>
+
+[ Upstream commit 04a8a3d0a73f51c7c2da84f494db7ec1df230e69 ]
+
+The slow path for traced system call entries accessed a wrong memory
+location to get the number of the maximum allowed system call number.
+Renumber the numbered "local" label for the correct location to avoid
+collisions with actual local labels.
+
+Signed-off-by: Michael Karcher <kernel@mkarcher.dialup.fu-berlin.de>
+Tested-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Fixes: f3a8308864f920d2 ("sh: Add a few missing irqflags tracing markers.")
+Signed-off-by: Rich Felker <dalias@libc.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/sh/kernel/entry-common.S | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/sh/kernel/entry-common.S b/arch/sh/kernel/entry-common.S
+index 28cc61216b649..ed5b758c650d7 100644
+--- a/arch/sh/kernel/entry-common.S
++++ b/arch/sh/kernel/entry-common.S
+@@ -203,7 +203,7 @@ syscall_trace_entry:
+       mov.l   @(OFF_R7,r15), r7   ! arg3
+       mov.l   @(OFF_R3,r15), r3   ! syscall_nr
+       !
+-      mov.l   2f, r10                 ! Number of syscalls
++      mov.l   6f, r10                 ! Number of syscalls
+       cmp/hs  r10, r3
+       bf      syscall_call
+       mov     #-ENOSYS, r0
+@@ -357,7 +357,7 @@ ENTRY(system_call)
+       tst     r9, r8
+       bf      syscall_trace_entry
+       !
+-      mov.l   2f, r8                  ! Number of syscalls
++      mov.l   6f, r8                  ! Number of syscalls
+       cmp/hs  r8, r3
+       bt      syscall_badsys
+       !
+@@ -396,7 +396,7 @@ syscall_exit:
+ #if !defined(CONFIG_CPU_SH2)
+ 1:    .long   TRA
+ #endif
+-2:    .long   NR_syscalls
++6:    .long   NR_syscalls
+ 3:    .long   sys_call_table
+ 7:    .long   do_syscall_trace_enter
+ 8:    .long   do_syscall_trace_leave
+-- 
+2.25.1
+
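Review bot: The pool entry `6: .long NR_syscalls` is now referenced as `6f` from both `syscall_trace_entry` and `system_call`, and nothing at the definition warns that the number must stay unique between those references and the pool. According to the commit message, the traced path read the syscall limit from the wrong location, and the fix renumbers the label to avoid collisions with other local labels. The same failure can recur if a later change introduces another `6:` in between. A comment on the entry, `! NR_syscalls: loaded via 6f for the syscall_nr range check, do not reuse label 6 above`, or a named label in place of the numeric one, would make the dependency explicit. The code between the references and the pool is outside these hunks.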
diff --git a/queue-4.14/usb-hso-fix-debug-compile-warning-on-sparc32.patch b/queue-4.14/usb-hso-fix-debug-compile-warning-on-sparc32.patch
new file mode 100644 (file)
index 0000000..7f364a7
--- /dev/null
@@ -0,0 +1,55 @@
+From 43b4695a87e26f19cca3e503ef6bed947500e868 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Jul 2020 13:05:13 +0200
+Subject: usb: hso: Fix debug compile warning on sparc32
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+
+[ Upstream commit e0484010ec05191a8edf980413fc92f28050c1cc ]
+
+On sparc32, tcflag_t is "unsigned long", unlike on all other
+architectures, where it is "unsigned int":
+
+    drivers/net/usb/hso.c: In function ‘hso_serial_set_termios’:
+    include/linux/kern_levels.h:5:18: warning: format ‘%d’ expects argument of type ‘unsigned int’, but argument 4 has type ‘tcflag_t {aka long unsigned int}’ [-Wformat=]
+    drivers/net/usb/hso.c:1393:3: note: in expansion of macro ‘hso_dbg’
+       hso_dbg(0x16, "Termios called with: cflags new[%d] - old[%d]\n",
+       ^~~~~~~
+    include/linux/kern_levels.h:5:18: warning: format ‘%d’ expects argument of type ‘unsigned int’, but argument 5 has type ‘tcflag_t {aka long unsigned int}’ [-Wformat=]
+    drivers/net/usb/hso.c:1393:3: note: in expansion of macro ‘hso_dbg’
+       hso_dbg(0x16, "Termios called with: cflags new[%d] - old[%d]\n",
+       ^~~~~~~
+
+As "unsigned long" is 32-bit on sparc32, fix this by casting all tcflag_t
+parameters to "unsigned int".
+While at it, use "%u" to format unsigned numbers.
+
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/hso.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
+index 6597d1f8d68c3..7988c41bff1d5 100644
+--- a/drivers/net/usb/hso.c
++++ b/drivers/net/usb/hso.c
+@@ -1402,8 +1402,9 @@ static void hso_serial_set_termios(struct tty_struct *tty, struct ktermios *old)
+       unsigned long flags;
+       if (old)
+-              hso_dbg(0x16, "Termios called with: cflags new[%d] - old[%d]\n",
+-                      tty->termios.c_cflag, old->c_cflag);
++              hso_dbg(0x16, "Termios called with: cflags new[%u] - old[%u]\n",
++                      (unsigned int)tty->termios.c_cflag,
++                      (unsigned int)old->c_cflag);
+       /* the actual setup */
+       spin_lock_irqsave(&serial->serial_lock, flags);
+-- 
+2.25.1
+
diff --git a/queue-4.14/x86-unwind-orc-fix-orc-for-newly-forked-tasks.patch b/queue-4.14/x86-unwind-orc-fix-orc-for-newly-forked-tasks.patch
new file mode 100644 (file)
index 0000000..c59daf1
--- /dev/null
@@ -0,0 +1,57 @@
+From 87359299ba4de55b1fd03604ef26fbcc9e36048b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Jul 2020 09:04:25 -0500
+Subject: x86/unwind/orc: Fix ORC for newly forked tasks
+
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+
+[ Upstream commit 372a8eaa05998cd45b3417d0e0ffd3a70978211a ]
+
+The ORC unwinder fails to unwind newly forked tasks which haven't yet
+run on the CPU.  It correctly reads the 'ret_from_fork' instruction
+pointer from the stack, but it incorrectly interprets that value as a
+call stack address rather than a "signal" one, so the address gets
+incorrectly decremented in the call to orc_find(), resulting in bad ORC
+data.
+
+Fix it by forcing 'ret_from_fork' frames to be signal frames.
+
+Reported-by: Wang ShaoBo <bobo.shaobowang@huawei.com>
+Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Wang ShaoBo <bobo.shaobowang@huawei.com>
+Link: https://lkml.kernel.org/r/f91a8778dde8aae7f71884b5df2b16d552040441.1594994374.git.jpoimboe@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/unwind_orc.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/unwind_orc.c b/arch/x86/kernel/unwind_orc.c
+index a9a55e76a43f9..a5e2ce931f692 100644
+--- a/arch/x86/kernel/unwind_orc.c
++++ b/arch/x86/kernel/unwind_orc.c
+@@ -346,8 +346,11 @@ bool unwind_next_frame(struct unwind_state *state)
+       /*
+        * Find the orc_entry associated with the text address.
+        *
+-       * Decrement call return addresses by one so they work for sibling
+-       * calls and calls to noreturn functions.
++       * For a call frame (as opposed to a signal frame), state->ip points to
++       * the instruction after the call.  That instruction's stack layout
++       * could be different from the call instruction's layout, for example
++       * if the call was to a noreturn function.  So get the ORC data for the
++       * call instruction itself.
+        */
+       orc = orc_find(state->signal ? state->ip : state->ip - 1);
+       if (!orc || orc->sp_reg == ORC_REG_UNDEFINED)
+@@ -550,6 +553,7 @@ void __unwind_start(struct unwind_state *state, struct task_struct *task,
+               state->sp = task->thread.sp;
+               state->bp = READ_ONCE_NOCHECK(frame->bp);
+               state->ip = READ_ONCE_NOCHECK(frame->ret_addr);
++              state->signal = (void *)state->ip == ret_from_fork;
+       }
+       if (get_stack_info((unsigned long *)state->sp, state->task,
+-- 
+2.25.1
+
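Review bot: The added assignment `state->signal = (void *)state->ip == ret_from_fork;` in __unwind_start() carries no comment, and its purpose is not evident at that line. The rewritten comment in unwind_next_frame() explains why call frames look up `state->ip - 1`, but not why this frame must be exempt. I would add above the assignment: `/* A task that has not run yet has ret_from_fork itself as its saved return address, not a post-call address; mark it as a signal frame so orc_find() does not decrement it. */`. Both functions extend beyond the hunks shown.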
diff --git a/queue-4.14/xen-netfront-fix-potential-deadlock-in-xennet_remove.patch b/queue-4.14/xen-netfront-fix-potential-deadlock-in-xennet_remove.patch
new file mode 100644 (file)
index 0000000..96c14c1
--- /dev/null
@@ -0,0 +1,134 @@
+From 6600b18ac9d0a9ac6ff932fc5c96b7f90828771b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Jul 2020 10:59:10 +0200
+Subject: xen-netfront: fix potential deadlock in xennet_remove()
+
+From: Andrea Righi <andrea.righi@canonical.com>
+
+[ Upstream commit c2c633106453611be07821f53dff9e93a9d1c3f0 ]
+
+There's a potential race in xennet_remove(); this is what the driver is
+doing upon unregistering a network device:
+
+  1. state = read bus state
+  2. if state is not "Closed":
+  3.    request to set state to "Closing"
+  4.    wait for state to be set to "Closing"
+  5.    request to set state to "Closed"
+  6.    wait for state to be set to "Closed"
+
+If the state changes to "Closed" immediately after step 1 we are stuck
+forever in step 4, because the state will never go back from "Closed" to
+"Closing".
+
+Make sure to check also for state == "Closed" in step 4 to prevent the
+deadlock.
+
+Also add a 5 sec timeout any time we wait for the bus state to change,
+to avoid getting stuck forever in wait_event().
+
+Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/xen-netfront.c | 64 +++++++++++++++++++++++++-------------
+ 1 file changed, 42 insertions(+), 22 deletions(-)
+
+diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
+index 91bf86cee2733..1131397454bd4 100644
+--- a/drivers/net/xen-netfront.c
++++ b/drivers/net/xen-netfront.c
+@@ -63,6 +63,8 @@ module_param_named(max_queues, xennet_max_queues, uint, 0644);
+ MODULE_PARM_DESC(max_queues,
+                "Maximum number of queues per virtual interface");
++#define XENNET_TIMEOUT  (5 * HZ)
++
+ static const struct ethtool_ops xennet_ethtool_ops;
+ struct netfront_cb {
+@@ -1336,12 +1338,15 @@ static struct net_device *xennet_create_dev(struct xenbus_device *dev)
+       netif_carrier_off(netdev);
+-      xenbus_switch_state(dev, XenbusStateInitialising);
+-      wait_event(module_wq,
+-                 xenbus_read_driver_state(dev->otherend) !=
+-                 XenbusStateClosed &&
+-                 xenbus_read_driver_state(dev->otherend) !=
+-                 XenbusStateUnknown);
++      do {
++              xenbus_switch_state(dev, XenbusStateInitialising);
++              err = wait_event_timeout(module_wq,
++                               xenbus_read_driver_state(dev->otherend) !=
++                               XenbusStateClosed &&
++                               xenbus_read_driver_state(dev->otherend) !=
++                               XenbusStateUnknown, XENNET_TIMEOUT);
++      } while (!err);
++
+       return netdev;
+  exit:
+@@ -2142,28 +2147,43 @@ static const struct attribute_group xennet_dev_group = {
+ };
+ #endif /* CONFIG_SYSFS */
+-static int xennet_remove(struct xenbus_device *dev)
++static void xennet_bus_close(struct xenbus_device *dev)
+ {
+-      struct netfront_info *info = dev_get_drvdata(&dev->dev);
+-
+-      dev_dbg(&dev->dev, "%s\n", dev->nodename);
++      int ret;
+-      if (xenbus_read_driver_state(dev->otherend) != XenbusStateClosed) {
++      if (xenbus_read_driver_state(dev->otherend) == XenbusStateClosed)
++              return;
++      do {
+               xenbus_switch_state(dev, XenbusStateClosing);
+-              wait_event(module_wq,
+-                         xenbus_read_driver_state(dev->otherend) ==
+-                         XenbusStateClosing ||
+-                         xenbus_read_driver_state(dev->otherend) ==
+-                         XenbusStateUnknown);
++              ret = wait_event_timeout(module_wq,
++                                 xenbus_read_driver_state(dev->otherend) ==
++                                 XenbusStateClosing ||
++                                 xenbus_read_driver_state(dev->otherend) ==
++                                 XenbusStateClosed ||
++                                 xenbus_read_driver_state(dev->otherend) ==
++                                 XenbusStateUnknown,
++                                 XENNET_TIMEOUT);
++      } while (!ret);
++
++      if (xenbus_read_driver_state(dev->otherend) == XenbusStateClosed)
++              return;
++      do {
+               xenbus_switch_state(dev, XenbusStateClosed);
+-              wait_event(module_wq,
+-                         xenbus_read_driver_state(dev->otherend) ==
+-                         XenbusStateClosed ||
+-                         xenbus_read_driver_state(dev->otherend) ==
+-                         XenbusStateUnknown);
+-      }
++              ret = wait_event_timeout(module_wq,
++                                 xenbus_read_driver_state(dev->otherend) ==
++                                 XenbusStateClosed ||
++                                 xenbus_read_driver_state(dev->otherend) ==
++                                 XenbusStateUnknown,
++                                 XENNET_TIMEOUT);
++      } while (!ret);
++}
++
++static int xennet_remove(struct xenbus_device *dev)
++{
++      struct netfront_info *info = dev_get_drvdata(&dev->dev);
++      xennet_bus_close(dev);
+       xennet_disconnect_backend(info);
+       if (info->netdev->reg_state == NETREG_REGISTERED)
+-- 
+2.25.1
+
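Review bot: Both `do { ... } while (!ret);` loops in xennet_bus_close(), and the matching `} while (!err);` loop in xennet_create_dev(), retry without any limit, so XENNET_TIMEOUT bounds only each individual wait. A backend that never reaches one of the awaited states still blocks removal or creation indefinitely, which matters most where the backend domain is not fully trusted. If unlimited retry is intended, say so above the loops, e.g. `/* Re-issue the state switch every XENNET_TIMEOUT; an unresponsive backend is retried forever. */`; otherwise cap the number of retries and log a warning when giving up. The refactor also drops `dev_dbg(&dev->dev, "%s\n", dev->nodename);` from xennet_remove() without the commit message mentioning it. Both xennet_create_dev() and xennet_remove() extend beyond the quoted hunks, so their remaining error handling is not visible here.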