--- /dev/null
+From 4724d01978098acc8984d16d08e9a8e27dccff25 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Apr 2022 09:44:51 +0100
+Subject: ARM: 9196/1: spectre-bhb: enable for Cortex-A15
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+[ Upstream commit 0dc14aa94ccd8ba35eb17a0f9b123d1566efd39e ]
+
+The Spectre-BHB mitigations were inadvertently left disabled for
+Cortex-A15, due to the fact that cpu_v7_bugs_init() is not called in
+that case. So fix that.
+
+Fixes: b9baf5c8c5c3 ("ARM: Spectre-BHB workaround")
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mm/proc-v7-bugs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm/mm/proc-v7-bugs.c b/arch/arm/mm/proc-v7-bugs.c
+index 06dbfb968182..fb9f3eb6bf48 100644
+--- a/arch/arm/mm/proc-v7-bugs.c
++++ b/arch/arm/mm/proc-v7-bugs.c
+@@ -288,6 +288,7 @@ void cpu_v7_ca15_ibe(void)
+ {
+ if (check_spectre_auxcr(this_cpu_ptr(&spectre_warned), BIT(0)))
+ cpu_v7_spectre_v2_init();
++ cpu_v7_spectre_bhb_init();
+ }
+
+ void cpu_v7_bugs_init(void)
+--
+2.35.1
+
--- /dev/null
+From 6f0d7bddb7d32cc0431217f879b97577133b44c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Apr 2022 09:46:17 +0100
+Subject: ARM: 9197/1: spectre-bhb: fix loop8 sequence for Thumb2
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+[ Upstream commit 3cfb3019979666bdf33a1010147363cf05e0f17b ]
+
+In Thumb2, 'b . + 4' produces a branch instruction that uses a narrow
+encoding, and so it does not jump to the following instruction as
+expected. So use W(b) instead.
+
+Fixes: 6c7cb60bff7a ("ARM: fix Thumb2 regression with Spectre BHB")
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/kernel/entry-armv.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/kernel/entry-armv.S b/arch/arm/kernel/entry-armv.S
+index c3ebe3584103..030351d169aa 100644
+--- a/arch/arm/kernel/entry-armv.S
++++ b/arch/arm/kernel/entry-armv.S
+@@ -1043,7 +1043,7 @@ vector_bhb_loop8_\name:
+
+ @ bhb workaround
+ mov r0, #8
+-3: b . + 4
++3: W(b) . + 4
+ subs r0, r0, #1
+ bne 3b
+ dsb
+--
+2.35.1
+
--- /dev/null
+From ea72b5c8113b40d082dc15fcec56615235c2f16e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Mar 2022 10:39:32 -0700
+Subject: ARM: dts: aspeed-g6: fix SPI1/SPI2 quad pin group
+
+From: Jae Hyun Yoo <quic_jaehyoo@quicinc.com>
+
+[ Upstream commit 890362d41b244536ab63591f813393f5fdf59ed7 ]
+
+Fix incorrect function mappings in pinctrl_qspi1_default and
+pinctrl_qspi2_default since their function should be SPI1 and
+SPI2 respectively.
+
+Fixes: f510f04c8c83 ("ARM: dts: aspeed: Add AST2600 pinmux nodes")
+Signed-off-by: Jae Hyun Yoo <quic_jaehyoo@quicinc.com>
+Reviewed-by: Andrew Jeffery <andrew@aj.id.au>
+Link: https://lore.kernel.org/r/20220329173932.2588289-8-quic_jaehyoo@quicinc.com
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi b/arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi
+index 546ce37f3f4e..1ef89dd55d92 100644
+--- a/arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi
++++ b/arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi
+@@ -648,12 +648,12 @@ pinctrl_pwm9g1_default: pwm9g1_default {
+ };
+
+ pinctrl_qspi1_default: qspi1_default {
+- function = "QSPI1";
++ function = "SPI1";
+ groups = "QSPI1";
+ };
+
+ pinctrl_qspi2_default: qspi2_default {
+- function = "QSPI2";
++ function = "SPI2";
+ groups = "QSPI2";
+ };
+
+--
+2.35.1
+
--- /dev/null
+From 18da8e14890e1182062b5e7d865e1e7be85429cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Mar 2022 10:39:26 -0700
+Subject: ARM: dts: aspeed-g6: remove FWQSPID group in pinctrl dtsi
+
+From: Jae Hyun Yoo <quic_jaehyoo@quicinc.com>
+
+[ Upstream commit efddaa397cceefb61476e383c26fafd1f8ab6356 ]
+
+FWSPIDQ2 and FWSPIDQ3 are not part of FWSPI18 interface so remove
+FWQSPID group in pinctrl dtsi. These pins must be used with the
+FWSPI pins that are dedicated for boot SPI interface which provides
+same 3.3v logic level.
+
+Fixes: 2f6edb6bcb2f ("ARM: dts: aspeed: Fix AST2600 quad spi group")
+Signed-off-by: Jae Hyun Yoo <quic_jaehyoo@quicinc.com>
+Reviewed-by: Andrew Jeffery <andrew@aj.id.au>
+Link: https://lore.kernel.org/r/20220329173932.2588289-2-quic_jaehyoo@quicinc.com
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi b/arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi
+index a362714ae9fc..546ce37f3f4e 100644
+--- a/arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi
++++ b/arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi
+@@ -117,11 +117,6 @@ pinctrl_fwspid_default: fwspid_default {
+ groups = "FWSPID";
+ };
+
+- pinctrl_fwqspid_default: fwqspid_default {
+- function = "FWSPID";
+- groups = "FWQSPID";
+- };
+-
+ pinctrl_fwspiwp_default: fwspiwp_default {
+ function = "FWSPIWP";
+ groups = "FWSPIWP";
+--
+2.35.1
+
--- /dev/null
+From eed7129b5b1e1b1500b748013f4b6e36a3c324d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 May 2022 16:31:34 +0530
+Subject: arm64: Enable repeat tlbi workaround on KRYO4XX gold CPUs
+
+From: Shreyas K K <quic_shrekk@quicinc.com>
+
+[ Upstream commit 51f559d66527e238f9a5f82027bff499784d4eac ]
+
+Add KRYO4XX gold/big cores to the list of CPUs that need the
+repeat TLBI workaround. Apply this to the affected
+KRYO4XX cores (rcpe to rfpe).
+
+The variant and revision bits are implementation defined and are
+different from the their Cortex CPU counterparts on which they are
+based on, i.e., (r0p0 to r3p0) is equivalent to (rcpe to rfpe).
+
+Signed-off-by: Shreyas K K <quic_shrekk@quicinc.com>
+Reviewed-by: Sai Prakash Ranjan <quic_saipraka@quicinc.com>
+Link: https://lore.kernel.org/r/20220512110134.12179-1-quic_shrekk@quicinc.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/arm64/silicon-errata.rst | 3 +++
+ arch/arm64/kernel/cpu_errata.c | 2 ++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/Documentation/arm64/silicon-errata.rst b/Documentation/arm64/silicon-errata.rst
+index 719510247292..f01eed0ee23a 100644
+--- a/Documentation/arm64/silicon-errata.rst
++++ b/Documentation/arm64/silicon-errata.rst
+@@ -160,6 +160,9 @@ stable kernels.
+ +----------------+-----------------+-----------------+-----------------------------+
+ | Qualcomm Tech. | Kryo4xx Silver | N/A | ARM64_ERRATUM_1024718 |
+ +----------------+-----------------+-----------------+-----------------------------+
++| Qualcomm Tech. | Kryo4xx Gold | N/A | ARM64_ERRATUM_1286807 |
+++----------------+-----------------+-----------------+-----------------------------+
++
+ +----------------+-----------------+-----------------+-----------------------------+
+ | Fujitsu | A64FX | E#010001 | FUJITSU_ERRATUM_010001 |
+ +----------------+-----------------+-----------------+-----------------------------+
+diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c
+index 533559c7d2b3..ca42d58e8c82 100644
+--- a/arch/arm64/kernel/cpu_errata.c
++++ b/arch/arm64/kernel/cpu_errata.c
+@@ -220,6 +220,8 @@ static const struct arm64_cpu_capabilities arm64_repeat_tlbi_list[] = {
+ #ifdef CONFIG_ARM64_ERRATUM_1286807
+ {
+ ERRATA_MIDR_RANGE(MIDR_CORTEX_A76, 0, 0, 3, 0),
++ /* Kryo4xx Gold (rcpe to rfpe) => (r0p0 to r3p0) */
++ ERRATA_MIDR_RANGE(MIDR_QCOM_KRYO_4XX_GOLD, 0xc, 0xe, 0xf, 0xe),
+ },
+ #endif
+ {},
+--
+2.35.1
+
--- /dev/null
+From a602af8caa998997437622580ca66ac3c52d8a70 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Apr 2022 10:13:18 +0300
+Subject: clk: at91: generated: consider range when calculating best rate
+
+From: Codrin Ciubotariu <codrin.ciubotariu@microchip.com>
+
+[ Upstream commit d0031e6fbed955ff8d5f5bbc8fe7382482559cec ]
+
+clk_generated_best_diff() helps in finding the parent and the divisor to
+compute a rate closest to the required one. However, it doesn't take into
+account the request's range for the new rate. Make sure the new rate
+is within the required range.
+
+Fixes: 8a8f4bf0c480 ("clk: at91: clk-generated: create function to find best_diff")
+Signed-off-by: Codrin Ciubotariu <codrin.ciubotariu@microchip.com>
+Link: https://lore.kernel.org/r/20220413071318.244912-1-codrin.ciubotariu@microchip.com
+Reviewed-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/at91/clk-generated.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/clk/at91/clk-generated.c b/drivers/clk/at91/clk-generated.c
+index b656d25a9767..fe772baeb15f 100644
+--- a/drivers/clk/at91/clk-generated.c
++++ b/drivers/clk/at91/clk-generated.c
+@@ -106,6 +106,10 @@ static void clk_generated_best_diff(struct clk_rate_request *req,
+ tmp_rate = parent_rate;
+ else
+ tmp_rate = parent_rate / div;
++
++ if (tmp_rate < req->min_rate || tmp_rate > req->max_rate)
++ return;
++
+ tmp_diff = abs(req->rate - tmp_rate);
+
+ if (*best_diff < 0 || *best_diff >= tmp_diff) {
+--
+2.35.1
+
--- /dev/null
+From b26840666874e88e7309524b347f7238b4ee4ee4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 May 2022 17:42:50 +0800
+Subject: ethernet: tulip: fix missing pci_disable_device() on error in
+ tulip_init_one()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 51ca86b4c9c7c75f5630fa0dbe5f8f0bd98e3c3e ]
+
+Fix the missing pci_disable_device() before return
+from tulip_init_one() in the error handling case.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20220506094250.3630615-1-yangyingliang@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/dec/tulip/tulip_core.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/dec/tulip/tulip_core.c b/drivers/net/ethernet/dec/tulip/tulip_core.c
+index e7b0d7de40fd..c22d945a79fd 100644
+--- a/drivers/net/ethernet/dec/tulip/tulip_core.c
++++ b/drivers/net/ethernet/dec/tulip/tulip_core.c
+@@ -1396,8 +1396,10 @@ static int tulip_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
+
+ /* alloc_etherdev ensures aligned and zeroed private structures */
+ dev = alloc_etherdev (sizeof (*tp));
+- if (!dev)
++ if (!dev) {
++ pci_disable_device(pdev);
+ return -ENOMEM;
++ }
+
+ SET_NETDEV_DEV(dev, &pdev->dev);
+ if (pci_resource_len (pdev, 0) < tulip_tbl[chip_idx].io_size) {
+@@ -1774,6 +1776,7 @@ static int tulip_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
+
+ err_out_free_netdev:
+ free_netdev (dev);
++ pci_disable_device(pdev);
+ return -ENODEV;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 5fd7aa018377ec179a231cc6ed1fe5ddf3b3abde Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 May 2022 10:15:04 +0800
+Subject: gpio: gpio-vf610: do not touch other bits when set the target bit
+
+From: Haibo Chen <haibo.chen@nxp.com>
+
+[ Upstream commit 9bf3ac466faa83d51a8fe9212131701e58fdef74 ]
+
+For gpio controller contain register PDDR, when set one target bit,
+current logic will clear all other bits, this is wrong. Use operator
+'|=' to fix it.
+
+Fixes: 659d8a62311f ("gpio: vf610: add imx7ulp support")
+Reviewed-by: Peng Fan <peng.fan@nxp.com>
+Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
+Signed-off-by: Bartosz Golaszewski <brgl@bgdev.pl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-vf610.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpio/gpio-vf610.c b/drivers/gpio/gpio-vf610.c
+index 58776f2d69ff..1ae612c796ee 100644
+--- a/drivers/gpio/gpio-vf610.c
++++ b/drivers/gpio/gpio-vf610.c
+@@ -125,9 +125,13 @@ static int vf610_gpio_direction_output(struct gpio_chip *chip, unsigned gpio,
+ {
+ struct vf610_gpio_port *port = gpiochip_get_data(chip);
+ unsigned long mask = BIT(gpio);
++ u32 val;
+
+- if (port->sdata && port->sdata->have_paddr)
+- vf610_gpio_writel(mask, port->gpio_base + GPIO_PDDR);
++ if (port->sdata && port->sdata->have_paddr) {
++ val = vf610_gpio_readl(port->gpio_base + GPIO_PDDR);
++ val |= mask;
++ vf610_gpio_writel(val, port->gpio_base + GPIO_PDDR);
++ }
+
+ vf610_gpio_set(chip, gpio, value);
+
+--
+2.35.1
+
--- /dev/null
+From 9d2769b62c949439632929459487e922c13752c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 May 2022 09:58:56 +0200
+Subject: gpio: mvebu/pwm: Refuse requests with inverted polarity
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit 3ecb10175b1f776f076553c24e2689e42953fef5 ]
+
+The driver doesn't take struct pwm_state::polarity into account when
+configuring the hardware, so refuse requests for inverted polarity.
+
+Fixes: 757642f9a584 ("gpio: mvebu: Add limited PWM support")
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Bartosz Golaszewski <brgl@bgdev.pl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-mvebu.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/gpio/gpio-mvebu.c b/drivers/gpio/gpio-mvebu.c
+index ed7c5fc47f52..2ab34a8e6273 100644
+--- a/drivers/gpio/gpio-mvebu.c
++++ b/drivers/gpio/gpio-mvebu.c
+@@ -700,6 +700,9 @@ static int mvebu_pwm_apply(struct pwm_chip *chip, struct pwm_device *pwm,
+ unsigned long flags;
+ unsigned int on, off;
+
++ if (state->polarity != PWM_POLARITY_NORMAL)
++ return -EINVAL;
++
+ val = (unsigned long long) mvpwm->clk_rate * state->duty_cycle;
+ do_div(val, NSEC_PER_SEC);
+ if (val > UINT_MAX)
+--
+2.35.1
+
--- /dev/null
+From 6e4ad03290537076d8adc9ad1f346c07ba493083 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Apr 2022 14:11:42 -0700
+Subject: ice: fix possible under reporting of ethtool Tx and Rx statistics
+
+From: Paul Greenwalt <paul.greenwalt@intel.com>
+
+[ Upstream commit 31b6298fd8e29effe9ed6b77351ac5969be56ce0 ]
+
+The hardware statistics counters are not cleared during resets so the
+drivers first access is to initialize the baseline and then subsequent
+reads are for reporting the counters. The statistics counters are read
+during the watchdog subtask when the interface is up. If the baseline
+is not initialized before the interface is up, then there can be a brief
+window in which some traffic can be transmitted/received before the
+initial baseline reading takes place.
+
+Directly initialize ethtool statistics in driver open so the baseline will
+be initialized when the interface is up, and any dropped packets
+incremented before the interface is up won't be reported.
+
+Fixes: 28dc1b86f8ea9 ("ice: ignore dropped packets during init")
+Signed-off-by: Paul Greenwalt <paul.greenwalt@intel.com>
+Tested-by: Gurucharan <gurucharanx.g@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_main.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c
+index eb0625b52e45..aae79fdd5172 100644
+--- a/drivers/net/ethernet/intel/ice/ice_main.c
++++ b/drivers/net/ethernet/intel/ice/ice_main.c
+@@ -5271,9 +5271,10 @@ static int ice_up_complete(struct ice_vsi *vsi)
+ netif_carrier_on(vsi->netdev);
+ }
+
+- /* clear this now, and the first stats read will be used as baseline */
+- vsi->stat_offsets_loaded = false;
+-
++ /* Perform an initial read of the statistics registers now to
++ * set the baseline so counters are ready when interface is up
++ */
++ ice_update_eth_stats(vsi);
+ ice_service_task_schedule(pf);
+
+ return 0;
+--
+2.35.1
+
--- /dev/null
+From 4f1c0f489853400e978384d458b7968873b67799 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 May 2022 11:01:05 -0700
+Subject: igb: skip phy status check where unavailable
+
+From: Kevin Mitchell <kevmitch@arista.com>
+
+[ Upstream commit 942d2ad5d2e0df758a645ddfadffde2795322728 ]
+
+igb_read_phy_reg() will silently return, leaving phy_data untouched, if
+hw->ops.read_reg isn't set. Depending on the uninitialized value of
+phy_data, this led to the phy status check either succeeding immediately
+or looping continuously for 2 seconds before emitting a noisy err-level
+timeout. This message went out to the console even though there was no
+actual problem.
+
+Instead, first check if there is read_reg function pointer. If not,
+proceed without trying to check the phy status register.
+
+Fixes: b72f3f72005d ("igb: When GbE link up, wait for Remote receiver status condition")
+Signed-off-by: Kevin Mitchell <kevmitch@arista.com>
+Tested-by: Gurucharan <gurucharanx.g@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index f854d41c6c94..5e67c9c119d2 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -5499,7 +5499,8 @@ static void igb_watchdog_task(struct work_struct *work)
+ break;
+ }
+
+- if (adapter->link_speed != SPEED_1000)
++ if (adapter->link_speed != SPEED_1000 ||
++ !hw->phy.ops.read_reg)
+ goto no_wait;
+
+ /* wait for Remote receiver status OK */
+--
+2.35.1
+
--- /dev/null
+From e181fd194352968d5015d1c075e1a58b38928a53 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Apr 2022 12:50:38 +0200
+Subject: mac80211: fix rx reordering with non explicit / psmp ack policy
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit 5e469ed9764d4722c59562da13120bd2dc6834c5 ]
+
+When the QoS ack policy was set to non explicit / psmp ack, frames are treated
+as not being part of a BA session, which causes extra latency on reordering.
+Fix this by only bypassing reordering for packets with no-ack policy
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Link: https://lore.kernel.org/r/20220420105038.36443-1-nbd@nbd.name
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/rx.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
+index 1e7614abd947..e991abb45f68 100644
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -1387,8 +1387,7 @@ static void ieee80211_rx_reorder_ampdu(struct ieee80211_rx_data *rx,
+ goto dont_reorder;
+
+ /* not part of a BA session */
+- if (ack_policy != IEEE80211_QOS_CTL_ACK_POLICY_BLOCKACK &&
+- ack_policy != IEEE80211_QOS_CTL_ACK_POLICY_NORMAL)
++ if (ack_policy == IEEE80211_QOS_CTL_ACK_POLICY_NOACK)
+ goto dont_reorder;
+
+ /* new, potentially un-ordered, ampdu frame - process it */
+--
+2.35.1
+
--- /dev/null
+From 15d095254571b9aee7d4643c996e2b566ac47d57 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 May 2022 17:42:31 +0800
+Subject: net: af_key: add check for pfkey_broadcast in function pfkey_process
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit 4dc2a5a8f6754492180741facf2a8787f2c415d7 ]
+
+If skb_clone() returns null pointer, pfkey_broadcast() will
+return error.
+Therefore, it should be better to check the return value of
+pfkey_broadcast() and return error if fails.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/key/af_key.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/key/af_key.c b/net/key/af_key.c
+index bd9b5c573b5a..61505b0df57d 100644
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -2830,8 +2830,10 @@ static int pfkey_process(struct sock *sk, struct sk_buff *skb, const struct sadb
+ void *ext_hdrs[SADB_EXT_MAX];
+ int err;
+
+- pfkey_broadcast(skb_clone(skb, GFP_KERNEL), GFP_KERNEL,
+- BROADCAST_PROMISC_ONLY, NULL, sock_net(sk));
++ err = pfkey_broadcast(skb_clone(skb, GFP_KERNEL), GFP_KERNEL,
++ BROADCAST_PROMISC_ONLY, NULL, sock_net(sk));
++ if (err)
++ return err;
+
+ memset(ext_hdrs, 0, sizeof(ext_hdrs));
+ err = parse_exthdrs(skb, hdr, ext_hdrs);
+--
+2.35.1
+
--- /dev/null
+From f4bcda8e3a24737b925bba9fafb65622fe40a5aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 May 2022 19:28:25 -0700
+Subject: net: atlantic: add check for MAX_SKB_FRAGS
+
+From: Grant Grundler <grundler@chromium.org>
+
+[ Upstream commit 6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f ]
+
+Enforce that the CPU can not get stuck in an infinite loop.
+
+Reported-by: Aashay Shringarpure <aashay@google.com>
+Reported-by: Yi Chou <yich@google.com>
+Reported-by: Shervin Oloumi <enlightened@google.com>
+Signed-off-by: Grant Grundler <grundler@chromium.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/aquantia/atlantic/aq_ring.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
+index 339efdfb1d49..e9c6f1fa0b1a 100644
+--- a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
++++ b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
+@@ -362,6 +362,7 @@ int aq_ring_rx_clean(struct aq_ring_s *self,
+ continue;
+
+ if (!buff->is_eop) {
++ unsigned int frag_cnt = 0U;
+ buff_ = buff;
+ do {
+ bool is_rsc_completed = true;
+@@ -370,6 +371,8 @@ int aq_ring_rx_clean(struct aq_ring_s *self,
+ err = -EIO;
+ goto err_exit;
+ }
++
++ frag_cnt++;
+ next_ = buff_->next,
+ buff_ = &self->buff_ring[next_];
+ is_rsc_completed =
+@@ -377,7 +380,8 @@ int aq_ring_rx_clean(struct aq_ring_s *self,
+ next_,
+ self->hw_head);
+
+- if (unlikely(!is_rsc_completed)) {
++ if (unlikely(!is_rsc_completed) ||
++ frag_cnt > MAX_SKB_FRAGS) {
+ err = 0;
+ goto err_exit;
+ }
+--
+2.35.1
+
--- /dev/null
+From bdd2b1c50854b66c5f5f8b9e9a5d31facf232a50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 May 2022 19:28:23 -0700
+Subject: net: atlantic: fix "frag[0] not initialized"
+
+From: Grant Grundler <grundler@chromium.org>
+
+[ Upstream commit 62e0ae0f4020250f961cf8d0103a4621be74e077 ]
+
+In aq_ring_rx_clean(), if buff->is_eop is not set AND
+buff->len < AQ_CFG_RX_HDR_SIZE, then hdr_len remains equal to
+buff->len and skb_add_rx_frag(xxx, *0*, ...) is not called.
+
+The loop following this code starts calling skb_add_rx_frag() starting
+with i=1 and thus frag[0] is never initialized. Since i is initialized
+to zero at the top of the primary loop, we can just reference and
+post-increment i instead of hardcoding the 0 when calling
+skb_add_rx_frag() the first time.
+
+Reported-by: Aashay Shringarpure <aashay@google.com>
+Reported-by: Yi Chou <yich@google.com>
+Reported-by: Shervin Oloumi <enlightened@google.com>
+Signed-off-by: Grant Grundler <grundler@chromium.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/aquantia/atlantic/aq_ring.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
+index 72f8751784c3..7cf5a48e9a7d 100644
+--- a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
++++ b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
+@@ -445,7 +445,7 @@ int aq_ring_rx_clean(struct aq_ring_s *self,
+ ALIGN(hdr_len, sizeof(long)));
+
+ if (buff->len - hdr_len > 0) {
+- skb_add_rx_frag(skb, 0, buff->rxdata.page,
++ skb_add_rx_frag(skb, i++, buff->rxdata.page,
+ buff->rxdata.pg_off + hdr_len,
+ buff->len - hdr_len,
+ AQ_CFG_RX_FRAME_MAX);
+@@ -454,7 +454,6 @@ int aq_ring_rx_clean(struct aq_ring_s *self,
+
+ if (!buff->is_eop) {
+ buff_ = buff;
+- i = 1U;
+ do {
+ next_ = buff_->next;
+ buff_ = &self->buff_ring[next_];
+--
+2.35.1
+
--- /dev/null
+From ef60e40479639ea352c07ddbaa3787afb12e5059 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 May 2022 19:28:24 -0700
+Subject: net: atlantic: reduce scope of is_rsc_complete
+
+From: Grant Grundler <grundler@chromium.org>
+
+[ Upstream commit 79784d77ebbd3ec516b7a5ce555d979fb7946202 ]
+
+Don't defer handling the err case outside the loop. That's pointless.
+
+And since is_rsc_complete is only used inside this loop, declare
+it inside the loop to reduce it's scope.
+
+Signed-off-by: Grant Grundler <grundler@chromium.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/aquantia/atlantic/aq_ring.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
+index 7cf5a48e9a7d..339efdfb1d49 100644
+--- a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
++++ b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
+@@ -345,7 +345,6 @@ int aq_ring_rx_clean(struct aq_ring_s *self,
+ int budget)
+ {
+ struct net_device *ndev = aq_nic_get_ndev(self->aq_nic);
+- bool is_rsc_completed = true;
+ int err = 0;
+
+ for (; (self->sw_head != self->hw_head) && budget;
+@@ -365,6 +364,8 @@ int aq_ring_rx_clean(struct aq_ring_s *self,
+ if (!buff->is_eop) {
+ buff_ = buff;
+ do {
++ bool is_rsc_completed = true;
++
+ if (buff_->next >= self->size) {
+ err = -EIO;
+ goto err_exit;
+@@ -376,18 +377,16 @@ int aq_ring_rx_clean(struct aq_ring_s *self,
+ next_,
+ self->hw_head);
+
+- if (unlikely(!is_rsc_completed))
+- break;
++ if (unlikely(!is_rsc_completed)) {
++ err = 0;
++ goto err_exit;
++ }
+
+ buff->is_error |= buff_->is_error;
+ buff->is_cso_err |= buff_->is_cso_err;
+
+ } while (!buff_->is_eop);
+
+- if (!is_rsc_completed) {
+- err = 0;
+- goto err_exit;
+- }
+ if (buff->is_error ||
+ (buff->is_lro && buff->is_cso_err)) {
+ buff_ = buff;
+--
+2.35.1
+
--- /dev/null
+From 6f1c341091dd2e41baa6aed405d14595a71865f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 May 2022 19:28:26 -0700
+Subject: net: atlantic: verify hw_head_ lies within TX buffer ring
+
+From: Grant Grundler <grundler@chromium.org>
+
+[ Upstream commit 2120b7f4d128433ad8c5f503a9584deba0684901 ]
+
+Bounds check hw_head index provided by NIC to verify it lies
+within the TX buffer ring.
+
+Reported-by: Aashay Shringarpure <aashay@google.com>
+Reported-by: Yi Chou <yich@google.com>
+Reported-by: Shervin Oloumi <enlightened@google.com>
+Signed-off-by: Grant Grundler <grundler@chromium.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c
+index 9f1b15077e7d..45c17c585d74 100644
+--- a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c
++++ b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c
+@@ -889,6 +889,13 @@ int hw_atl_b0_hw_ring_tx_head_update(struct aq_hw_s *self,
+ err = -ENXIO;
+ goto err_exit;
+ }
++
++ /* Validate that the new hw_head_ is reasonable. */
++ if (hw_head_ >= ring->size) {
++ err = -ENXIO;
++ goto err_exit;
++ }
++
+ ring->hw_head = hw_head_;
+ err = aq_hw_err_from_flags(self);
+
+--
+2.35.1
+
--- /dev/null
+From 282bfd22055b34a12c025ef72796a480a24facb2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 May 2022 02:58:40 +0200
+Subject: net: bridge: Clear offload_fwd_mark when passing frame up bridge
+ interface.
+
+From: Andrew Lunn <andrew@lunn.ch>
+
+[ Upstream commit fbb3abdf2223cd0dfc07de85fe5a43ba7f435bdf ]
+
+It is possible to stack bridges on top of each other. Consider the
+following which makes use of an Ethernet switch:
+
+ br1
+ / \
+ / \
+ / \
+ br0.11 wlan0
+ |
+ br0
+ / | \
+p1 p2 p3
+
+br0 is offloaded to the switch. Above br0 is a vlan interface, for
+vlan 11. This vlan interface is then a slave of br1. br1 also has a
+wireless interface as a slave. This setup trunks wireless lan traffic
+over the copper network inside a VLAN.
+
+A frame received on p1 which is passed up to the bridge has the
+skb->offload_fwd_mark flag set to true, indicating that the switch has
+dealt with forwarding the frame out ports p2 and p3 as needed. This
+flag instructs the software bridge it does not need to pass the frame
+back down again. However, the flag is not getting reset when the frame
+is passed upwards. As a result br1 sees the flag, wrongly interprets
+it, and fails to forward the frame to wlan0.
+
+When passing a frame upwards, clear the flag. This is the Rx
+equivalent of br_switchdev_frame_unmark() in br_dev_xmit().
+
+Fixes: f1c2eddf4cb6 ("bridge: switchdev: Use an helper to clear forward mark")
+Signed-off-by: Andrew Lunn <andrew@lunn.ch>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Tested-by: Ido Schimmel <idosch@nvidia.com>
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Link: https://lore.kernel.org/r/20220518005840.771575-1-andrew@lunn.ch
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_input.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
+index 59a318b9f646..bf5bf148091f 100644
+--- a/net/bridge/br_input.c
++++ b/net/bridge/br_input.c
+@@ -43,6 +43,13 @@ static int br_pass_frame_up(struct sk_buff *skb)
+ u64_stats_update_end(&brstats->syncp);
+
+ vg = br_vlan_group_rcu(br);
++
++ /* Reset the offload_fwd_mark because there could be a stacked
++ * bridge above, and it should not think this bridge it doing
++ * that bridge's work forwarding out its ports.
++ */
++ br_switchdev_frame_unmark(skb);
++
+ /* Bridge is just like any other port. Make sure the
+ * packet is allowed except in promisc modue when someone
+ * may be running packet capture.
+--
+2.35.1
+
--- /dev/null
+From 8e778e5329205df9439b96403c45454fec5fbfa1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Nov 2020 20:35:15 +0100
+Subject: net: evaluate net.ipvX.conf.all.disable_policy and disable_xfrm
+
+From: Vincent Bernat <vincent@bernat.ch>
+
+[ Upstream commit 62679a8d3aa4ba15ff63574a43e5686078d7b804 ]
+
+The disable_policy and disable_xfrm are a per-interface sysctl to
+disable IPsec policy or encryption on an interface. However, while a
+"all" variant is exposed, it was a noop since it was never evaluated.
+We use the usual "or" logic for this kind of sysctls.
+
+Signed-off-by: Vincent Bernat <vincent@bernat.ch>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/route.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index 4080e3c6c50d..9bd3cd2177f4 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1776,7 +1776,7 @@ static int ip_route_input_mc(struct sk_buff *skb, __be32 daddr, __be32 saddr,
+ flags |= RTCF_LOCAL;
+
+ rth = rt_dst_alloc(dev_net(dev)->loopback_dev, flags, RTN_MULTICAST,
+- IN_DEV_CONF_GET(in_dev, NOPOLICY), false);
++ IN_DEV_ORCONF(in_dev, NOPOLICY), false);
+ if (!rth)
+ return -ENOBUFS;
+
+@@ -1893,8 +1893,8 @@ static int __mkroute_input(struct sk_buff *skb,
+ }
+
+ rth = rt_dst_alloc(out_dev->dev, 0, res->type,
+- IN_DEV_CONF_GET(in_dev, NOPOLICY),
+- IN_DEV_CONF_GET(out_dev, NOXFRM));
++ IN_DEV_ORCONF(in_dev, NOPOLICY),
++ IN_DEV_ORCONF(out_dev, NOXFRM));
+ if (!rth) {
+ err = -ENOBUFS;
+ goto cleanup;
+@@ -2276,7 +2276,7 @@ out: return err;
+
+ rth = rt_dst_alloc(ip_rt_get_dev(net, res),
+ flags | RTCF_LOCAL, res->type,
+- IN_DEV_CONF_GET(in_dev, NOPOLICY), false);
++ IN_DEV_ORCONF(in_dev, NOPOLICY), false);
+ if (!rth)
+ goto e_nobufs;
+
+@@ -2499,8 +2499,8 @@ static struct rtable *__mkroute_output(const struct fib_result *res,
+
+ add:
+ rth = rt_dst_alloc(dev_out, flags, type,
+- IN_DEV_CONF_GET(in_dev, NOPOLICY),
+- IN_DEV_CONF_GET(in_dev, NOXFRM));
++ IN_DEV_ORCONF(in_dev, NOPOLICY),
++ IN_DEV_ORCONF(in_dev, NOXFRM));
+ if (!rth)
+ return ERR_PTR(-ENOBUFS);
+
+--
+2.35.1
+
--- /dev/null
+From 249f60b69118ee606321b6fa730190ef9c8a8254 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 May 2022 10:10:32 -0500
+Subject: net: ipa: record proper RX transaction count
+
+From: Alex Elder <elder@linaro.org>
+
+[ Upstream commit d8290cbe1111105f92f0c8ab455bec8bf98d0630 ]
+
+Each time we are notified that some number of transactions on an RX
+channel has completed, we record the number of bytes that have been
+transferred since the previous notification. We also track the
+number of transactions completed, but that is not currently being
+calculated correctly; we're currently counting the number of such
+notifications, but each notification can represent many transaction
+completions. Fix this.
+
+Fixes: 650d1603825d8 ("soc: qcom: ipa: the generic software interface")
+Signed-off-by: Alex Elder <elder@linaro.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ipa/gsi.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ipa/gsi.c b/drivers/net/ipa/gsi.c
+index 2a65efd3e8da..fe91b72eca36 100644
+--- a/drivers/net/ipa/gsi.c
++++ b/drivers/net/ipa/gsi.c
+@@ -1209,9 +1209,10 @@ static void gsi_evt_ring_rx_update(struct gsi_evt_ring *evt_ring, u32 index)
+ struct gsi_event *event_done;
+ struct gsi_event *event;
+ struct gsi_trans *trans;
++ u32 trans_count = 0;
+ u32 byte_count = 0;
+- u32 old_index;
+ u32 event_avail;
++ u32 old_index;
+
+ trans_info = &channel->trans_info;
+
+@@ -1232,6 +1233,7 @@ static void gsi_evt_ring_rx_update(struct gsi_evt_ring *evt_ring, u32 index)
+ do {
+ trans->len = __le16_to_cpu(event->len);
+ byte_count += trans->len;
++ trans_count++;
+
+ /* Move on to the next event and transaction */
+ if (--event_avail)
+@@ -1243,7 +1245,7 @@ static void gsi_evt_ring_rx_update(struct gsi_evt_ring *evt_ring, u32 index)
+
+ /* We record RX bytes when they are received */
+ channel->byte_count += byte_count;
+- channel->trans_count++;
++ channel->trans_count += trans_count;
+ }
+
+ /* Initialize a ring, including allocating DMA memory for its entries */
+--
+2.35.1
+
--- /dev/null
+From bbc3fe7c153d8718f04a7cc64f70caacb757ef96 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 May 2022 22:49:00 +0530
+Subject: net: macb: Increment rx bd head after allocating skb and buffer
+
+From: Harini Katakam <harini.katakam@xilinx.com>
+
+[ Upstream commit 9500acc631dbb8b73166e25700e656b11f6007b6 ]
+
+In gem_rx_refill rx_prepared_head is incremented at the beginning of
+the while loop preparing the skb and data buffers. If the skb or data
+buffer allocation fails, this BD will be unusable BDs until the head
+loops back to the same BD (and obviously buffer allocation succeeds).
+In the unlikely event that there's a string of allocation failures,
+there will be an equal number of unusable BDs and an inconsistent RX
+BD chain. Hence increment the head at the end of the while loop to be
+clean.
+
+Fixes: 4df95131ea80 ("net/macb: change RX path for GEM")
+Signed-off-by: Harini Katakam <harini.katakam@xilinx.com>
+Signed-off-by: Michal Simek <michal.simek@xilinx.com>
+Signed-off-by: Radhey Shyam Pandey <radhey.shyam.pandey@xilinx.com>
+Reviewed-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Link: https://lore.kernel.org/r/20220512171900.32593-1-harini.katakam@xilinx.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
+index bd13f91efe7c..792c8147c2c4 100644
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -1092,7 +1092,6 @@ static void gem_rx_refill(struct macb_queue *queue)
+ /* Make hw descriptor updates visible to CPU */
+ rmb();
+
+- queue->rx_prepared_head++;
+ desc = macb_rx_desc(queue, entry);
+
+ if (!queue->rx_skbuff[entry]) {
+@@ -1131,6 +1130,7 @@ static void gem_rx_refill(struct macb_queue *queue)
+ dma_wmb();
+ desc->addr &= ~MACB_BIT(RX_USED);
+ }
++ queue->rx_prepared_head++;
+ }
+
+ /* Make descriptor updates visible to hardware */
+--
+2.35.1
+
--- /dev/null
+From a4dd86152fb6bee13b2029bddeefeecb850c411f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Apr 2022 18:37:03 +0300
+Subject: net/mlx5e: Properly block LRO when XDP is enabled
+
+From: Maxim Mikityanskiy <maximmi@nvidia.com>
+
+[ Upstream commit cf6e34c8c22fba66bd21244b95ea47e235f68974 ]
+
+LRO is incompatible and mutually exclusive with XDP. However, the needed
+checks are only made when enabling XDP. If LRO is enabled when XDP is
+already active, the command will succeed, and XDP will be skipped in the
+data path, although still enabled.
+
+This commit fixes the bug by checking the XDP status in
+mlx5e_fix_features and disabling LRO if XDP is enabled.
+
+Fixes: 86994156c736 ("net/mlx5e: XDP fast RX drop bpf programs support")
+Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index 16e98ac47624..d9cc0ed6c5f7 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -4009,6 +4009,13 @@ static netdev_features_t mlx5e_fix_features(struct net_device *netdev,
+ }
+ }
+
++ if (params->xdp_prog) {
++ if (features & NETIF_F_LRO) {
++ netdev_warn(netdev, "LRO is incompatible with XDP\n");
++ features &= ~NETIF_F_LRO;
++ }
++ }
++
+ if (MLX5E_GET_PFLAG(params, MLX5E_PFLAG_RX_CQE_COMPRESS)) {
+ features &= ~NETIF_F_RXHASH;
+ if (netdev->features & NETIF_F_RXHASH)
+--
+2.35.1
+
--- /dev/null
+From 1485ac36655f62bd96771bf6b48404a89c323137 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 May 2022 20:07:02 +0200
+Subject: net/qla3xxx: Fix a test in ql_reset_work()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 5361448e45fac6fb96738df748229432a62d78b6 ]
+
+test_bit() tests if one bit is set or not.
+Here the logic seems to check of bit QL_RESET_PER_SCSI (i.e. 4) OR bit
+QL_RESET_START (i.e. 3) is set.
+
+In fact, it checks if bit 7 (4 | 3 = 7) is set, that is to say
+QL_ADAPTER_UP.
+
+This looks harmless, because this bit is likely be set, and when the
+ql_reset_work() delayed work is scheduled in ql3xxx_isr() (the only place
+that schedule this work), QL_RESET_START or QL_RESET_PER_SCSI is set.
+
+This has been spotted by smatch.
+
+Fixes: 5a4faa873782 ("[PATCH] qla3xxx NIC driver")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/80e73e33f390001d9c0140ffa9baddf6466a41a2.1652637337.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qla3xxx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qla3xxx.c b/drivers/net/ethernet/qlogic/qla3xxx.c
+index c9f32fc50254..2219e4c59ae6 100644
+--- a/drivers/net/ethernet/qlogic/qla3xxx.c
++++ b/drivers/net/ethernet/qlogic/qla3xxx.c
+@@ -3628,7 +3628,8 @@ static void ql_reset_work(struct work_struct *work)
+ qdev->mem_map_registers;
+ unsigned long hw_flags;
+
+- if (test_bit((QL_RESET_PER_SCSI | QL_RESET_START), &qdev->flags)) {
++ if (test_bit(QL_RESET_PER_SCSI, &qdev->flags) ||
++ test_bit(QL_RESET_START, &qdev->flags)) {
+ clear_bit(QL_LINK_MASTER, &qdev->flags);
+
+ /*
+--
+2.35.1
+
--- /dev/null
+From 6c25517e79be2565dae8208f8b19f2ca6c24f8e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 May 2022 11:27:06 +0200
+Subject: net/sched: act_pedit: sanitize shift argument before usage
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit 4d42d54a7d6aa6d29221d3fd4f2ae9503e94f011 ]
+
+syzbot was able to trigger an Out-of-Bound on the pedit action:
+
+UBSAN: shift-out-of-bounds in net/sched/act_pedit.c:238:43
+shift exponent 1400735974 is too large for 32-bit type 'unsigned int'
+CPU: 0 PID: 3606 Comm: syz-executor151 Not tainted 5.18.0-rc5-syzkaller-00165-g810c2f0a3f86 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
+ ubsan_epilogue+0xb/0x50 lib/ubsan.c:151
+ __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x187 lib/ubsan.c:322
+ tcf_pedit_init.cold+0x1a/0x1f net/sched/act_pedit.c:238
+ tcf_action_init_1+0x414/0x690 net/sched/act_api.c:1367
+ tcf_action_init+0x530/0x8d0 net/sched/act_api.c:1432
+ tcf_action_add+0xf9/0x480 net/sched/act_api.c:1956
+ tc_ctl_action+0x346/0x470 net/sched/act_api.c:2015
+ rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5993
+ netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502
+ netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
+ netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345
+ netlink_sendmsg+0x904/0xe00 net/netlink/af_netlink.c:1921
+ sock_sendmsg_nosec net/socket.c:705 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:725
+ ____sys_sendmsg+0x6e2/0x800 net/socket.c:2413
+ ___sys_sendmsg+0xf3/0x170 net/socket.c:2467
+ __sys_sendmsg+0xe5/0x1b0 net/socket.c:2496
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+RIP: 0033:0x7fe36e9e1b59
+Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007ffef796fe88 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe36e9e1b59
+RDX: 0000000000000000 RSI: 0000000020000300 RDI: 0000000000000003
+RBP: 00007fe36e9a5d00 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe36e9a5d90
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+ </TASK>
+
+The 'shift' field is not validated, and any value above 31 will
+trigger out-of-bounds. The issue predates the git history, but
+syzbot was able to trigger it only after the commit mentioned in
+the fixes tag, and this change only applies on top of such commit.
+
+Address the issue bounding the 'shift' value to the maximum allowed
+by the relevant operator.
+
+Reported-and-tested-by: syzbot+8ed8fc4c57e9dcf23ca6@syzkaller.appspotmail.com
+Fixes: 8b796475fd78 ("net/sched: act_pedit: really ensure the skb is writable")
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/act_pedit.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
+index 90510298b32a..0d5463ddfd62 100644
+--- a/net/sched/act_pedit.c
++++ b/net/sched/act_pedit.c
+@@ -232,6 +232,10 @@ static int tcf_pedit_init(struct net *net, struct nlattr *nla,
+ for (i = 0; i < p->tcfp_nkeys; ++i) {
+ u32 cur = p->tcfp_keys[i].off;
+
++ /* sanitize the shift value for any later use */
++ p->tcfp_keys[i].shift = min_t(size_t, BITS_PER_TYPE(int) - 1,
++ p->tcfp_keys[i].shift);
++
+ /* The AT option can read a single byte, we can bound the actual
+ * value with uchar max.
+ */
+--
+2.35.1
+
--- /dev/null
+From 6fb1c8179f46759cf59e21228441e248ae0e4df6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 May 2022 11:13:16 +0800
+Subject: net: stmmac: fix missing pci_disable_device() on error in
+ stmmac_pci_probe()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 0807ce0b010418a191e0e4009803b2d74c3245d5 ]
+
+Switch to using pcim_enable_device() to avoid missing pci_disable_device().
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20220510031316.1780409-1-yangyingliang@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
+index 272cb47af9f2..a7a1227c9b92 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
+@@ -175,7 +175,7 @@ static int stmmac_pci_probe(struct pci_dev *pdev,
+ return -ENOMEM;
+
+ /* Enable pci device */
+- ret = pci_enable_device(pdev);
++ ret = pcim_enable_device(pdev);
+ if (ret) {
+ dev_err(&pdev->dev, "%s: ERROR: failed to enable device\n",
+ __func__);
+@@ -227,8 +227,6 @@ static void stmmac_pci_remove(struct pci_dev *pdev)
+ pcim_iounmap_regions(pdev, BIT(i));
+ break;
+ }
+-
+- pci_disable_device(pdev);
+ }
+
+ static int __maybe_unused stmmac_pci_suspend(struct device *dev)
+--
+2.35.1
+
--- /dev/null
+From 9f9b5d4284987be44134ff36af882f9b4937f819 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 May 2022 19:01:56 +0200
+Subject: net: systemport: Fix an error handling path in bcm_sysport_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit ef6b1cd11962aec21c58d137006ab122dbc8d6fd ]
+
+if devm_clk_get_optional() fails, we still need to go through the error
+handling path.
+
+Add the missing goto.
+
+Fixes: 6328a126896ea ("net: systemport: Manage Wake-on-LAN clock")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+Link: https://lore.kernel.org/r/99d70634a81c229885ae9e4ee69b2035749f7edc.1652634040.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bcmsysport.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bcmsysport.c b/drivers/net/ethernet/broadcom/bcmsysport.c
+index 1a703b95208b..82d369d9f7a5 100644
+--- a/drivers/net/ethernet/broadcom/bcmsysport.c
++++ b/drivers/net/ethernet/broadcom/bcmsysport.c
+@@ -2592,8 +2592,10 @@ static int bcm_sysport_probe(struct platform_device *pdev)
+ device_set_wakeup_capable(&pdev->dev, 1);
+
+ priv->wol_clk = devm_clk_get_optional(&pdev->dev, "sw_sysportwol");
+- if (IS_ERR(priv->wol_clk))
+- return PTR_ERR(priv->wol_clk);
++ if (IS_ERR(priv->wol_clk)) {
++ ret = PTR_ERR(priv->wol_clk);
++ goto err_deregister_fixed_link;
++ }
+
+ /* Set the needed headroom once and for all */
+ BUILD_BUG_ON(sizeof(struct bcm_tsb) != 8);
+--
+2.35.1
+
--- /dev/null
+From ef395f7471f3dfa1af9444e7330dc52bd30eacd5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 14 May 2022 13:07:11 +0800
+Subject: net: vmxnet3: fix possible NULL pointer dereference in
+ vmxnet3_rq_cleanup()
+
+From: Zixuan Fu <r33s3n6@gmail.com>
+
+[ Upstream commit edf410cb74dc612fd47ef5be319c5a0bcd6e6ccd ]
+
+In vmxnet3_rq_create(), when dma_alloc_coherent() fails,
+vmxnet3_rq_destroy() is called. It sets rq->rx_ring[i].base to NULL. Then
+vmxnet3_rq_create() returns an error to its callers mxnet3_rq_create_all()
+-> vmxnet3_change_mtu(). Then vmxnet3_change_mtu() calls
+vmxnet3_force_close() -> dev_close() in error handling code. And the driver
+calls vmxnet3_close() -> vmxnet3_quiesce_dev() -> vmxnet3_rq_cleanup_all()
+-> vmxnet3_rq_cleanup(). In vmxnet3_rq_cleanup(),
+rq->rx_ring[ring_idx].base is accessed, but this variable is NULL, causing
+a NULL pointer dereference.
+
+To fix this possible bug, an if statement is added to check whether
+rq->rx_ring[0].base is NULL in vmxnet3_rq_cleanup() and exit early if so.
+
+The error log in our fault-injection testing is shown as follows:
+
+[ 65.220135] BUG: kernel NULL pointer dereference, address: 0000000000000008
+...
+[ 65.222633] RIP: 0010:vmxnet3_rq_cleanup_all+0x396/0x4e0 [vmxnet3]
+...
+[ 65.227977] Call Trace:
+...
+[ 65.228262] vmxnet3_quiesce_dev+0x80f/0x8a0 [vmxnet3]
+[ 65.228580] vmxnet3_close+0x2c4/0x3f0 [vmxnet3]
+[ 65.228866] __dev_close_many+0x288/0x350
+[ 65.229607] dev_close_many+0xa4/0x480
+[ 65.231124] dev_close+0x138/0x230
+[ 65.231933] vmxnet3_force_close+0x1f0/0x240 [vmxnet3]
+[ 65.232248] vmxnet3_change_mtu+0x75d/0x920 [vmxnet3]
+...
+
+Fixes: d1a890fa37f27 ("net: VMware virtual Ethernet NIC driver: vmxnet3")
+Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
+Signed-off-by: Zixuan Fu <r33s3n6@gmail.com>
+Link: https://lore.kernel.org/r/20220514050711.2636709-1-r33s3n6@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/vmxnet3/vmxnet3_drv.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c
+index 530d555988ae..6678a734cc4d 100644
+--- a/drivers/net/vmxnet3/vmxnet3_drv.c
++++ b/drivers/net/vmxnet3/vmxnet3_drv.c
+@@ -1656,6 +1656,10 @@ vmxnet3_rq_cleanup(struct vmxnet3_rx_queue *rq,
+ u32 i, ring_idx;
+ struct Vmxnet3_RxDesc *rxd;
+
++ /* ring has already been cleaned up */
++ if (!rq->rx_ring[0].base)
++ return;
++
+ for (ring_idx = 0; ring_idx < 2; ring_idx++) {
+ for (i = 0; i < rq->rx_ring[ring_idx].size; i++) {
+ #ifdef __BIG_ENDIAN_BITFIELD
+--
+2.35.1
+
--- /dev/null
+From 2205982c5306e63bf18d88faf6114316f4ea4c63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 14 May 2022 13:06:56 +0800
+Subject: net: vmxnet3: fix possible use-after-free bugs in
+ vmxnet3_rq_alloc_rx_buf()
+
+From: Zixuan Fu <r33s3n6@gmail.com>
+
+[ Upstream commit 9e7fef9521e73ca8afd7da9e58c14654b02dfad8 ]
+
+In vmxnet3_rq_alloc_rx_buf(), when dma_map_single() fails, rbi->skb is
+freed immediately. Similarly, in another branch, when dma_map_page() fails,
+rbi->page is also freed. In the two cases, vmxnet3_rq_alloc_rx_buf()
+returns an error to its callers vmxnet3_rq_init() -> vmxnet3_rq_init_all()
+-> vmxnet3_activate_dev(). Then vmxnet3_activate_dev() calls
+vmxnet3_rq_cleanup_all() in error handling code, and rbi->skb or rbi->page
+are freed again in vmxnet3_rq_cleanup_all(), causing use-after-free bugs.
+
+To fix these possible bugs, rbi->skb and rbi->page should be cleared after
+they are freed.
+
+The error log in our fault-injection testing is shown as follows:
+
+[ 14.319016] BUG: KASAN: use-after-free in consume_skb+0x2f/0x150
+...
+[ 14.321586] Call Trace:
+...
+[ 14.325357] consume_skb+0x2f/0x150
+[ 14.325671] vmxnet3_rq_cleanup_all+0x33a/0x4e0 [vmxnet3]
+[ 14.326150] vmxnet3_activate_dev+0xb9d/0x2ca0 [vmxnet3]
+[ 14.326616] vmxnet3_open+0x387/0x470 [vmxnet3]
+...
+[ 14.361675] Allocated by task 351:
+...
+[ 14.362688] __netdev_alloc_skb+0x1b3/0x6f0
+[ 14.362960] vmxnet3_rq_alloc_rx_buf+0x1b0/0x8d0 [vmxnet3]
+[ 14.363317] vmxnet3_activate_dev+0x3e3/0x2ca0 [vmxnet3]
+[ 14.363661] vmxnet3_open+0x387/0x470 [vmxnet3]
+...
+[ 14.367309]
+[ 14.367412] Freed by task 351:
+...
+[ 14.368932] __dev_kfree_skb_any+0xd2/0xe0
+[ 14.369193] vmxnet3_rq_alloc_rx_buf+0x71e/0x8d0 [vmxnet3]
+[ 14.369544] vmxnet3_activate_dev+0x3e3/0x2ca0 [vmxnet3]
+[ 14.369883] vmxnet3_open+0x387/0x470 [vmxnet3]
+[ 14.370174] __dev_open+0x28a/0x420
+[ 14.370399] __dev_change_flags+0x192/0x590
+[ 14.370667] dev_change_flags+0x7a/0x180
+[ 14.370919] do_setlink+0xb28/0x3570
+[ 14.371150] rtnl_newlink+0x1160/0x1740
+[ 14.371399] rtnetlink_rcv_msg+0x5bf/0xa50
+[ 14.371661] netlink_rcv_skb+0x1cd/0x3e0
+[ 14.371913] netlink_unicast+0x5dc/0x840
+[ 14.372169] netlink_sendmsg+0x856/0xc40
+[ 14.372420] ____sys_sendmsg+0x8a7/0x8d0
+[ 14.372673] __sys_sendmsg+0x1c2/0x270
+[ 14.372914] do_syscall_64+0x41/0x90
+[ 14.373145] entry_SYSCALL_64_after_hwframe+0x44/0xae
+...
+
+Fixes: 5738a09d58d5a ("vmxnet3: fix checks for dma mapping errors")
+Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
+Signed-off-by: Zixuan Fu <r33s3n6@gmail.com>
+Link: https://lore.kernel.org/r/20220514050656.2636588-1-r33s3n6@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/vmxnet3/vmxnet3_drv.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c
+index 932a39945cc6..530d555988ae 100644
+--- a/drivers/net/vmxnet3/vmxnet3_drv.c
++++ b/drivers/net/vmxnet3/vmxnet3_drv.c
+@@ -595,6 +595,7 @@ vmxnet3_rq_alloc_rx_buf(struct vmxnet3_rx_queue *rq, u32 ring_idx,
+ if (dma_mapping_error(&adapter->pdev->dev,
+ rbi->dma_addr)) {
+ dev_kfree_skb_any(rbi->skb);
++ rbi->skb = NULL;
+ rq->stats.rx_buf_alloc_failure++;
+ break;
+ }
+@@ -619,6 +620,7 @@ vmxnet3_rq_alloc_rx_buf(struct vmxnet3_rx_queue *rq, u32 ring_idx,
+ if (dma_mapping_error(&adapter->pdev->dev,
+ rbi->dma_addr)) {
+ put_page(rbi->page);
++ rbi->page = NULL;
+ rq->stats.rx_buf_alloc_failure++;
+ break;
+ }
+--
+2.35.1
+
--- /dev/null
+From 9b89a0868d94e7c306455d222bdd32b2500e0c17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Jul 2021 19:38:18 +0300
+Subject: net: xfrm: fix shift-out-of-bounce
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit 5d8dbb7fb82b8661c16d496644b931c0e2e3a12e ]
+
+We need to check up->dirmask to avoid shift-out-of-bounce bug,
+since up->dirmask comes from userspace.
+
+Also, added XFRM_USERPOLICY_DIRMASK_MAX constant to uapi to inform
+user-space that up->dirmask has maximum possible value
+
+Fixes: 2d151d39073a ("xfrm: Add possibility to set the default to block if we have no policy")
+Reported-and-tested-by: syzbot+9cd5837a045bbee5b810@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/xfrm.h | 1 +
+ net/xfrm/xfrm_user.c | 7 ++++++-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/include/uapi/linux/xfrm.h b/include/uapi/linux/xfrm.h
+index b963e1acf65a..2a2c4dcb015f 100644
+--- a/include/uapi/linux/xfrm.h
++++ b/include/uapi/linux/xfrm.h
+@@ -521,6 +521,7 @@ struct xfrm_user_offload {
+ #define XFRM_OFFLOAD_INBOUND 2
+
+ struct xfrm_userpolicy_default {
++#define XFRM_USERPOLICY_DIRMASK_MAX (sizeof(__u8) * 8)
+ __u8 dirmask;
+ __u8 action;
+ };
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index dec24f280e83..026f29f80f88 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -1919,9 +1919,14 @@ static int xfrm_set_default(struct sk_buff *skb, struct nlmsghdr *nlh,
+ {
+ struct net *net = sock_net(skb->sk);
+ struct xfrm_userpolicy_default *up = nlmsg_data(nlh);
+- u8 dirmask = (1 << up->dirmask) & XFRM_POL_DEFAULT_MASK;
++ u8 dirmask;
+ u8 old_default = net->xfrm.policy_default;
+
++ if (up->dirmask >= XFRM_USERPOLICY_DIRMASK_MAX)
++ return -EINVAL;
++
++ dirmask = (1 << up->dirmask) & XFRM_POL_DEFAULT_MASK;
++
+ net->xfrm.policy_default = (old_default & (0xff ^ dirmask))
+ | (up->action << up->dirmask);
+
+--
+2.35.1
+
--- /dev/null
+From aa7427d8063b25fd0cfb10ecd66ed63e2d301bb9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 May 2022 09:25:30 +0800
+Subject: NFC: nci: fix sleep in atomic context bugs caused by nci_skb_alloc
+
+From: Duoming Zhou <duoming@zju.edu.cn>
+
+[ Upstream commit 23dd4581350d4ffa23d58976ec46408f8f4c1e16 ]
+
+There are sleep in atomic context bugs when the request to secure
+element of st-nci is timeout. The root cause is that nci_skb_alloc
+with GFP_KERNEL parameter is called in st_nci_se_wt_timeout which is
+a timer handler. The call paths that could trigger bugs are shown below:
+
+ (interrupt context 1)
+st_nci_se_wt_timeout
+ nci_hci_send_event
+ nci_hci_send_data
+ nci_skb_alloc(..., GFP_KERNEL) //may sleep
+
+ (interrupt context 2)
+st_nci_se_wt_timeout
+ nci_hci_send_event
+ nci_hci_send_data
+ nci_send_data
+ nci_queue_tx_data_frags
+ nci_skb_alloc(..., GFP_KERNEL) //may sleep
+
+This patch changes allocation mode of nci_skb_alloc from GFP_KERNEL to
+GFP_ATOMIC in order to prevent atomic context sleeping. The GFP_ATOMIC
+flag makes memory allocation operation could be used in atomic context.
+
+Fixes: ed06aeefdac3 ("nfc: st-nci: Rename st21nfcb to st-nci")
+Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20220517012530.75714-1-duoming@zju.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/nfc/nci/data.c | 2 +-
+ net/nfc/nci/hci.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/nfc/nci/data.c b/net/nfc/nci/data.c
+index ce3382be937f..b002e18f38c8 100644
+--- a/net/nfc/nci/data.c
++++ b/net/nfc/nci/data.c
+@@ -118,7 +118,7 @@ static int nci_queue_tx_data_frags(struct nci_dev *ndev,
+
+ skb_frag = nci_skb_alloc(ndev,
+ (NCI_DATA_HDR_SIZE + frag_len),
+- GFP_KERNEL);
++ GFP_ATOMIC);
+ if (skb_frag == NULL) {
+ rc = -ENOMEM;
+ goto free_exit;
+diff --git a/net/nfc/nci/hci.c b/net/nfc/nci/hci.c
+index 04e55ccb3383..4fe336ff2bfa 100644
+--- a/net/nfc/nci/hci.c
++++ b/net/nfc/nci/hci.c
+@@ -153,7 +153,7 @@ static int nci_hci_send_data(struct nci_dev *ndev, u8 pipe,
+
+ i = 0;
+ skb = nci_skb_alloc(ndev, conn_info->max_pkt_payload_len +
+- NCI_DATA_HDR_SIZE, GFP_KERNEL);
++ NCI_DATA_HDR_SIZE, GFP_ATOMIC);
+ if (!skb)
+ return -ENOMEM;
+
+@@ -186,7 +186,7 @@ static int nci_hci_send_data(struct nci_dev *ndev, u8 pipe,
+ if (i < data_len) {
+ skb = nci_skb_alloc(ndev,
+ conn_info->max_pkt_payload_len +
+- NCI_DATA_HDR_SIZE, GFP_KERNEL);
++ NCI_DATA_HDR_SIZE, GFP_ATOMIC);
+ if (!skb)
+ return -ENOMEM;
+
+--
+2.35.1
+
--- /dev/null
+From d079b79f60ab9a4eac15d88919c4040714af86f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 May 2022 10:21:38 +0200
+Subject: nl80211: fix locking in nl80211_set_tx_bitrate_mask()
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit f971e1887fdb3ab500c9bebf4b98f62d49a20655 ]
+
+This accesses the wdev's chandef etc., so cannot safely
+be used without holding the lock.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Link: https://lore.kernel.org/r/20220506102136.06b7205419e6.I2a87c05fbd8bc5e565e84d190d4cfd2e92695a90@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/nl80211.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index 283447df5fc6..f8d5f35cfc66 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -11095,18 +11095,23 @@ static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
+ struct cfg80211_bitrate_mask mask;
+ struct cfg80211_registered_device *rdev = info->user_ptr[0];
+ struct net_device *dev = info->user_ptr[1];
++ struct wireless_dev *wdev = dev->ieee80211_ptr;
+ int err;
+
+ if (!rdev->ops->set_bitrate_mask)
+ return -EOPNOTSUPP;
+
++ wdev_lock(wdev);
+ err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
+ NL80211_ATTR_TX_RATES, &mask,
+ dev);
+ if (err)
+- return err;
++ goto out;
+
+- return rdev_set_bitrate_mask(rdev, dev, NULL, &mask);
++ err = rdev_set_bitrate_mask(rdev, dev, NULL, &mask);
++out:
++ wdev_unlock(wdev);
++ return err;
+ }
+
+ static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
+--
+2.35.1
+
--- /dev/null
+From ad81c9229abd9e56203958f98d393266b5bd38a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Apr 2022 04:13:21 +0000
+Subject: nl80211: validate S1G channel width
+
+From: Kieran Frewen <kieran.frewen@morsemicro.com>
+
+[ Upstream commit 5d087aa759eb82b8208411913f6c2158bd85abc0 ]
+
+Validate the S1G channel width input by user to ensure it matches
+that of the requested channel
+
+Signed-off-by: Kieran Frewen <kieran.frewen@morsemicro.com>
+Signed-off-by: Bassem Dawood <bassem@morsemicro.com>
+Link: https://lore.kernel.org/r/20220420041321.3788789-2-kieran.frewen@morsemicro.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/nl80211.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index 12f44ad4e0d8..283447df5fc6 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -2955,6 +2955,15 @@ int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
+ } else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
+ chandef->width =
+ nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
++ if (chandef->chan->band == NL80211_BAND_S1GHZ) {
++ /* User input error for channel width doesn't match channel */
++ if (chandef->width != ieee80211_s1g_channel_width(chandef->chan)) {
++ NL_SET_ERR_MSG_ATTR(extack,
++ attrs[NL80211_ATTR_CHANNEL_WIDTH],
++ "bad channel width");
++ return -EINVAL;
++ }
++ }
+ if (attrs[NL80211_ATTR_CENTER_FREQ1]) {
+ chandef->center_freq1 =
+ nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
+--
+2.35.1
+
--- /dev/null
+From b15d853bb376c132daf78b713b519b8d92e225ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 May 2022 10:11:58 +0200
+Subject: perf bench numa: Address compiler error on s390
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Richter <tmricht@linux.ibm.com>
+
+[ Upstream commit f8ac1c478424a9a14669b8cef7389b1e14e5229d ]
+
+The compilation on s390 results in this error:
+
+ # make DEBUG=y bench/numa.o
+ ...
+ bench/numa.c: In function ‘__bench_numa’:
+ bench/numa.c:1749:81: error: ‘%d’ directive output may be truncated
+ writing between 1 and 11 bytes into a region of size between
+ 10 and 20 [-Werror=format-truncation=]
+ 1749 | snprintf(tname, sizeof(tname), "process%d:thread%d", p, t);
+ ^~
+ ...
+ bench/numa.c:1749:64: note: directive argument in the range
+ [-2147483647, 2147483646]
+ ...
+ #
+
+The maximum length of the %d replacement is 11 characters because of the
+negative sign. Therefore extend the array by two more characters.
+
+Output after:
+
+ # make DEBUG=y bench/numa.o > /dev/null 2>&1; ll bench/numa.o
+ -rw-r--r-- 1 root root 418320 May 19 09:11 bench/numa.o
+ #
+
+Fixes: 3aff8ba0a4c9c919 ("perf bench numa: Avoid possible truncation when using snprintf()")
+Suggested-by: Namhyung Kim <namhyung@gmail.com>
+Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
+Cc: Heiko Carstens <hca@linux.ibm.com>
+Cc: Sumanth Korikkar <sumanthk@linux.ibm.com>
+Cc: Sven Schnelle <svens@linux.ibm.com>
+Cc: Vasily Gorbik <gor@linux.ibm.com>
+Link: https://lore.kernel.org/r/20220520081158.2990006-1-tmricht@linux.ibm.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/bench/numa.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/bench/numa.c b/tools/perf/bench/numa.c
+index 11726ec6285f..88c11305bdd5 100644
+--- a/tools/perf/bench/numa.c
++++ b/tools/perf/bench/numa.c
+@@ -1656,7 +1656,7 @@ static int __bench_numa(const char *name)
+ "GB/sec,", "total-speed", "GB/sec total speed");
+
+ if (g->p.show_details >= 2) {
+- char tname[14 + 2 * 10 + 1];
++ char tname[14 + 2 * 11 + 1];
+ struct thread_data *td;
+ for (p = 0; p < g->p.nr_proc; p++) {
+ for (t = 0; t < g->p.nr_threads; t++) {
+--
+2.35.1
+
--- /dev/null
+From 10bf5d52d5249495c5699560235c43dd5341c114 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 May 2022 07:51:25 -0700
+Subject: perf regs x86: Fix arch__intr_reg_mask() for the hybrid platform
+
+From: Kan Liang <kan.liang@linux.intel.com>
+
+[ Upstream commit 01b28e4a58152e8906eeb5f1b55a0c404c48c7c8 ]
+
+The X86 specific arch__intr_reg_mask() is to check whether the kernel
+and hardware can collect XMM registers. But it doesn't work on some
+hybrid platform.
+
+Without the patch on ADL-N:
+
+ $ perf record -I?
+ available registers: AX BX CX DX SI DI BP SP IP FLAGS CS SS R8 R9 R10
+ R11 R12 R13 R14 R15
+
+The config of the test event doesn't contain the PMU information. The
+kernel may fail to initialize it on the correct hybrid PMU and return
+the wrong non-supported information.
+
+Add the PMU information into the config for the hybrid platform. The
+same register set is supported among different hybrid PMUs. Checking
+the first available one is good enough.
+
+With the patch on ADL-N:
+
+ $ perf record -I?
+ available registers: AX BX CX DX SI DI BP SP IP FLAGS CS SS R8 R9 R10
+ R11 R12 R13 R14 R15 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6 XMM7 XMM8 XMM9
+ XMM10 XMM11 XMM12 XMM13 XMM14 XMM15
+
+Fixes: 6466ec14aaf44ff1 ("perf regs x86: Add X86 specific arch__intr_reg_mask()")
+Reported-by: Ammy Yi <ammy.yi@intel.com>
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Acked-by: Ian Rogers <irogers@google.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Xing Zhengjun <zhengjun.xing@linux.intel.com>
+Link: https://lore.kernel.org/r/20220518145125.1494156-1-kan.liang@linux.intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/arch/x86/util/perf_regs.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/tools/perf/arch/x86/util/perf_regs.c b/tools/perf/arch/x86/util/perf_regs.c
+index fca81b39b09f..c46e2920e460 100644
+--- a/tools/perf/arch/x86/util/perf_regs.c
++++ b/tools/perf/arch/x86/util/perf_regs.c
+@@ -9,6 +9,8 @@
+ #include "../../../util/perf_regs.h"
+ #include "../../../util/debug.h"
+ #include "../../../util/event.h"
++#include "../../../util/pmu.h"
++#include "../../../util/pmu-hybrid.h"
+
+ const struct sample_reg sample_reg_masks[] = {
+ SMPL_REG(AX, PERF_REG_X86_AX),
+@@ -284,12 +286,22 @@ uint64_t arch__intr_reg_mask(void)
+ .disabled = 1,
+ .exclude_kernel = 1,
+ };
++ struct perf_pmu *pmu;
+ int fd;
+ /*
+ * In an unnamed union, init it here to build on older gcc versions
+ */
+ attr.sample_period = 1;
+
++ if (perf_pmu__has_hybrid()) {
++ /*
++ * The same register set is supported among different hybrid PMUs.
++ * Only check the first available one.
++ */
++ pmu = list_first_entry(&perf_pmu__hybrid_pmus, typeof(*pmu), hybrid_list);
++ attr.config |= (__u64)pmu->type << PERF_PMU_TYPE_SHIFT;
++ }
++
+ event_attr_init(&attr);
+
+ fd = sys_perf_event_open(&attr, 0, -1, -1, 0);
+--
+2.35.1
+
--- /dev/null
+From 1a9e3e022ce9fa67db143731927e8d171b0af32d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Mar 2022 10:39:27 -0700
+Subject: pinctrl: pinctrl-aspeed-g6: remove FWQSPID group in pinctrl
+
+From: Jae Hyun Yoo <quic_jaehyoo@quicinc.com>
+
+[ Upstream commit 3eef2f48ba0933ba995529f522554ad5c276c39b ]
+
+FWSPIDQ2 and FWSPIDQ3 are not part of FWSPI18 interface so remove
+FWQSPID group in pinctrl. These pins must be used with the FWSPI
+pins that are dedicated for boot SPI interface which provides
+same 3.3v logic level.
+
+Fixes: 2eda1cdec49f ("pinctrl: aspeed: Add AST2600 pinmux support")
+Signed-off-by: Jae Hyun Yoo <quic_jaehyoo@quicinc.com>
+Reviewed-by: Andrew Jeffery <andrew@aj.id.au>
+Link: https://lore.kernel.org/r/20220329173932.2588289-3-quic_jaehyoo@quicinc.com
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/aspeed/pinctrl-aspeed-g6.c | 14 +++-----------
+ 1 file changed, 3 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/pinctrl/aspeed/pinctrl-aspeed-g6.c b/drivers/pinctrl/aspeed/pinctrl-aspeed-g6.c
+index 5c1a109842a7..c2ba4064ce5b 100644
+--- a/drivers/pinctrl/aspeed/pinctrl-aspeed-g6.c
++++ b/drivers/pinctrl/aspeed/pinctrl-aspeed-g6.c
+@@ -1224,18 +1224,12 @@ FUNC_GROUP_DECL(SALT8, AA12);
+ FUNC_GROUP_DECL(WDTRST4, AA12);
+
+ #define AE12 196
+-SIG_EXPR_LIST_DECL_SEMG(AE12, FWSPIDQ2, FWQSPID, FWSPID,
+- SIG_DESC_SET(SCU438, 4));
+ SIG_EXPR_LIST_DECL_SESG(AE12, GPIOY4, GPIOY4);
+-PIN_DECL_(AE12, SIG_EXPR_LIST_PTR(AE12, FWSPIDQ2),
+- SIG_EXPR_LIST_PTR(AE12, GPIOY4));
++PIN_DECL_(AE12, SIG_EXPR_LIST_PTR(AE12, GPIOY4));
+
+ #define AF12 197
+-SIG_EXPR_LIST_DECL_SEMG(AF12, FWSPIDQ3, FWQSPID, FWSPID,
+- SIG_DESC_SET(SCU438, 5));
+ SIG_EXPR_LIST_DECL_SESG(AF12, GPIOY5, GPIOY5);
+-PIN_DECL_(AF12, SIG_EXPR_LIST_PTR(AF12, FWSPIDQ3),
+- SIG_EXPR_LIST_PTR(AF12, GPIOY5));
++PIN_DECL_(AF12, SIG_EXPR_LIST_PTR(AF12, GPIOY5));
+
+ #define AC12 198
+ SSSF_PIN_DECL(AC12, GPIOY6, FWSPIABR, SIG_DESC_SET(SCU438, 6));
+@@ -1508,9 +1502,8 @@ SIG_EXPR_LIST_DECL_SEMG(Y4, EMMCDAT7, EMMCG8, EMMC, SIG_DESC_SET(SCU404, 3));
+ PIN_DECL_3(Y4, GPIO18E3, FWSPIDMISO, VBMISO, EMMCDAT7);
+
+ GROUP_DECL(FWSPID, Y1, Y2, Y3, Y4);
+-GROUP_DECL(FWQSPID, Y1, Y2, Y3, Y4, AE12, AF12);
+ GROUP_DECL(EMMCG8, AB4, AA4, AC4, AA5, Y5, AB5, AB6, AC5, Y1, Y2, Y3, Y4);
+-FUNC_DECL_2(FWSPID, FWSPID, FWQSPID);
++FUNC_DECL_1(FWSPID, FWSPID);
+ FUNC_GROUP_DECL(VB, Y1, Y2, Y3, Y4);
+ FUNC_DECL_3(EMMC, EMMCG1, EMMCG4, EMMCG8);
+ /*
+@@ -1906,7 +1899,6 @@ static const struct aspeed_pin_group aspeed_g6_groups[] = {
+ ASPEED_PINCTRL_GROUP(FSI2),
+ ASPEED_PINCTRL_GROUP(FWSPIABR),
+ ASPEED_PINCTRL_GROUP(FWSPID),
+- ASPEED_PINCTRL_GROUP(FWQSPID),
+ ASPEED_PINCTRL_GROUP(FWSPIWP),
+ ASPEED_PINCTRL_GROUP(GPIT0),
+ ASPEED_PINCTRL_GROUP(GPIT1),
+--
+2.35.1
+
--- /dev/null
+From b0ea55e2275f9a8ef83307422f83730ab3fe32d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Apr 2022 21:38:56 +0200
+Subject: riscv: dts: sifive: fu540-c000: align dma node name with dtschema
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+
+[ Upstream commit b17410182b6f98191fbf7f42d3b4a78512769d29 ]
+
+Fixes dtbs_check warnings like:
+
+ dma@3000000: $nodename:0: 'dma@3000000' does not match '^dma-controller(@.*)?$'
+
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Link: https://lore.kernel.org/r/20220407193856.18223-1-krzysztof.kozlowski@linaro.org
+Fixes: c5ab54e9945b ("riscv: dts: add support for PDMA device of HiFive Unleashed Rev A00")
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/boot/dts/sifive/fu540-c000.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/riscv/boot/dts/sifive/fu540-c000.dtsi b/arch/riscv/boot/dts/sifive/fu540-c000.dtsi
+index 7db861053483..64c06c9b41dc 100644
+--- a/arch/riscv/boot/dts/sifive/fu540-c000.dtsi
++++ b/arch/riscv/boot/dts/sifive/fu540-c000.dtsi
+@@ -166,7 +166,7 @@ uart0: serial@10010000 {
+ clocks = <&prci PRCI_CLK_TLCLK>;
+ status = "disabled";
+ };
+- dma: dma@3000000 {
++ dma: dma-controller@3000000 {
+ compatible = "sifive,fu540-c000-pdma";
+ reg = <0x0 0x3000000 0x0 0x8000>;
+ interrupt-parent = <&plic0>;
+--
+2.35.1
+
--- /dev/null
+From 21fe2d4b22436d2b76598839bdba28c1fd3ab866 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Apr 2022 12:42:29 +0000
+Subject: scsi: qla2xxx: Fix missed DMA unmap for aborted commands
+
+From: Gleb Chesnokov <Chesnokov.G@raidix.com>
+
+[ Upstream commit 26f9ce53817a8fd84b69a73473a7de852a24c897 ]
+
+Aborting commands that have already been sent to the firmware can
+cause BUG in qlt_free_cmd(): BUG_ON(cmd->sg_mapped)
+
+For instance:
+
+ - Command passes rdx_to_xfer state, maps sgl, sends to the firmware
+
+ - Reset occurs, qla2xxx performs ISP error recovery, aborts the command
+
+ - Target stack calls qlt_abort_cmd() and then qlt_free_cmd()
+
+ - BUG_ON(cmd->sg_mapped) in qlt_free_cmd() occurs because sgl was not
+ unmapped
+
+Thus, unmap sgl in qlt_abort_cmd() for commands with the aborted flag set.
+
+Link: https://lore.kernel.org/r/AS8PR10MB4952D545F84B6B1DFD39EC1E9DEE9@AS8PR10MB4952.EURPRD10.PROD.OUTLOOK.COM
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Gleb Chesnokov <Chesnokov.G@raidix.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_target.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c
+index cf9ae0ab489a..ba823e8eb902 100644
+--- a/drivers/scsi/qla2xxx/qla_target.c
++++ b/drivers/scsi/qla2xxx/qla_target.c
+@@ -3773,6 +3773,9 @@ int qlt_abort_cmd(struct qla_tgt_cmd *cmd)
+
+ spin_lock_irqsave(&cmd->cmd_lock, flags);
+ if (cmd->aborted) {
++ if (cmd->sg_mapped)
++ qlt_unmap_sg(vha, cmd);
++
+ spin_unlock_irqrestore(&cmd->cmd_lock, flags);
+ /*
+ * It's normal to see 2 calls in this path:
+--
+2.35.1
+
--- /dev/null
+From c734f137c667d28c0ac0c034b4da37c3d485eeb5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 May 2022 11:07:39 +0200
+Subject: selftests: add ping test with ping_group_range tuned
+
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+
+[ Upstream commit e71b7f1f44d3d88c677769c85ef0171caf9fc89f ]
+
+The 'ping' utility is able to manage two kind of sockets (raw or icmp),
+depending on the sysctl ping_group_range. By default, ping_group_range is
+set to '1 0', which forces ping to use an ip raw socket.
+
+Let's replay the ping tests by allowing 'ping' to use the ip icmp socket.
+After the previous patch, ipv4 tests results are the same with both kinds
+of socket. For ipv6, there are a lot a new failures (the previous patch
+fixes only two cases).
+
+Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/fcnal-test.sh | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/tools/testing/selftests/net/fcnal-test.sh b/tools/testing/selftests/net/fcnal-test.sh
+index ace976d89125..4a11ea2261cb 100755
+--- a/tools/testing/selftests/net/fcnal-test.sh
++++ b/tools/testing/selftests/net/fcnal-test.sh
+@@ -794,10 +794,16 @@ ipv4_ping()
+ setup
+ set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null
+ ipv4_ping_novrf
++ setup
++ set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
++ ipv4_ping_novrf
+
+ log_subsection "With VRF"
+ setup "yes"
+ ipv4_ping_vrf
++ setup "yes"
++ set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
++ ipv4_ping_vrf
+ }
+
+ ################################################################################
+@@ -2261,10 +2267,16 @@ ipv6_ping()
+ log_subsection "No VRF"
+ setup
+ ipv6_ping_novrf
++ setup
++ set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
++ ipv6_ping_novrf
+
+ log_subsection "With VRF"
+ setup "yes"
+ ipv6_ping_vrf
++ setup "yes"
++ set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
++ ipv6_ping_vrf
+ }
+
+ ################################################################################
+--
+2.35.1
+
libceph-fix-potential-use-after-free-on-linger-ping-and-resends.patch
drm-dp-mst-fix-a-possible-memory-leak-in-fetch_monitor_name.patch
dma-buf-fix-use-of-dma_buf_set_name_-a-b-in-userspace.patch
+arm-dts-aspeed-g6-remove-fwqspid-group-in-pinctrl-dt.patch
+pinctrl-pinctrl-aspeed-g6-remove-fwqspid-group-in-pi.patch
+arm-dts-aspeed-g6-fix-spi1-spi2-quad-pin-group.patch
+net-ipa-record-proper-rx-transaction-count.patch
+net-macb-increment-rx-bd-head-after-allocating-skb-a.patch
+net-evaluate-net.ipvx.conf.all.disable_policy-and-di.patch
+xfrm-add-possibility-to-set-the-default-to-block-if-.patch
+net-xfrm-fix-shift-out-of-bounce.patch
+xfrm-make-user-policy-api-complete.patch
+xfrm-notify-default-policy-on-update.patch
+xfrm-fix-dflt-policy-check-when-there-is-no-policy-c.patch
+xfrm-rework-default-policy-structure.patch
+xfrm-fix-disable_policy-flag-use-when-arriving-from-.patch
+net-sched-act_pedit-sanitize-shift-argument-before-u.patch
+net-systemport-fix-an-error-handling-path-in-bcm_sys.patch
+net-vmxnet3-fix-possible-use-after-free-bugs-in-vmxn.patch
+net-vmxnet3-fix-possible-null-pointer-dereference-in.patch
+ice-fix-possible-under-reporting-of-ethtool-tx-and-r.patch
+clk-at91-generated-consider-range-when-calculating-b.patch
+net-qla3xxx-fix-a-test-in-ql_reset_work.patch
+nfc-nci-fix-sleep-in-atomic-context-bugs-caused-by-n.patch
+net-mlx5e-properly-block-lro-when-xdp-is-enabled.patch
+net-af_key-add-check-for-pfkey_broadcast-in-function.patch
+arm-9196-1-spectre-bhb-enable-for-cortex-a15.patch
+arm-9197-1-spectre-bhb-fix-loop8-sequence-for-thumb2.patch
+igb-skip-phy-status-check-where-unavailable.patch
+net-bridge-clear-offload_fwd_mark-when-passing-frame.patch
+riscv-dts-sifive-fu540-c000-align-dma-node-name-with.patch
+gpio-gpio-vf610-do-not-touch-other-bits-when-set-the.patch
+gpio-mvebu-pwm-refuse-requests-with-inverted-polarit.patch
+perf-regs-x86-fix-arch__intr_reg_mask-for-the-hybrid.patch
+perf-bench-numa-address-compiler-error-on-s390.patch
+scsi-qla2xxx-fix-missed-dma-unmap-for-aborted-comman.patch
+mac80211-fix-rx-reordering-with-non-explicit-psmp-ac.patch
+nl80211-validate-s1g-channel-width.patch
+selftests-add-ping-test-with-ping_group_range-tuned.patch
+nl80211-fix-locking-in-nl80211_set_tx_bitrate_mask.patch
+ethernet-tulip-fix-missing-pci_disable_device-on-err.patch
+net-stmmac-fix-missing-pci_disable_device-on-error-i.patch
+net-atlantic-fix-frag-0-not-initialized.patch
+net-atlantic-reduce-scope-of-is_rsc_complete.patch
+net-atlantic-add-check-for-max_skb_frags.patch
+net-atlantic-verify-hw_head_-lies-within-tx-buffer-r.patch
+arm64-enable-repeat-tlbi-workaround-on-kryo4xx-gold-.patch
--- /dev/null
+From 6f525b6c711ecdf03673955632b7a3d82641b90c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Jul 2021 09:11:06 +0200
+Subject: xfrm: Add possibility to set the default to block if we have no
+ policy
+
+From: Steffen Klassert <steffen.klassert@secunet.com>
+
+[ Upstream commit 2d151d39073aff498358543801fca0f670fea981 ]
+
+As the default we assume the traffic to pass, if we have no
+matching IPsec policy. With this patch, we have a possibility to
+change this default from allow to block. It can be configured
+via netlink. Each direction (input/output/forward) can be
+configured separately. With the default to block configuered,
+we need allow policies for all packet flows we accept.
+We do not use default policy lookup for the loopback device.
+
+v1->v2
+ - fix compiling when XFRM is disabled
+ - Reported-by: kernel test robot <lkp@intel.com>
+
+Co-developed-by: Christian Langrock <christian.langrock@secunet.com>
+Signed-off-by: Christian Langrock <christian.langrock@secunet.com>
+Co-developed-by: Antony Antony <antony.antony@secunet.com>
+Signed-off-by: Antony Antony <antony.antony@secunet.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/netns/xfrm.h | 7 ++++++
+ include/net/xfrm.h | 36 ++++++++++++++++++++++-----
+ include/uapi/linux/xfrm.h | 10 ++++++++
+ net/xfrm/xfrm_policy.c | 16 ++++++++++++
+ net/xfrm/xfrm_user.c | 52 +++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 115 insertions(+), 6 deletions(-)
+
+diff --git a/include/net/netns/xfrm.h b/include/net/netns/xfrm.h
+index 22e1bc72b979..b694ff0963cc 100644
+--- a/include/net/netns/xfrm.h
++++ b/include/net/netns/xfrm.h
+@@ -64,6 +64,13 @@ struct netns_xfrm {
+ u32 sysctl_aevent_rseqth;
+ int sysctl_larval_drop;
+ u32 sysctl_acq_expires;
++
++ u8 policy_default;
++#define XFRM_POL_DEFAULT_IN 1
++#define XFRM_POL_DEFAULT_OUT 2
++#define XFRM_POL_DEFAULT_FWD 4
++#define XFRM_POL_DEFAULT_MASK 7
++
+ #ifdef CONFIG_SYSCTL
+ struct ctl_table_header *sysctl_hdr;
+ #endif
+diff --git a/include/net/xfrm.h b/include/net/xfrm.h
+index 0049a7459649..988886f95e5b 100644
+--- a/include/net/xfrm.h
++++ b/include/net/xfrm.h
+@@ -1088,6 +1088,22 @@ xfrm_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x, un
+ }
+
+ #ifdef CONFIG_XFRM
++static inline bool
++xfrm_default_allow(struct net *net, int dir)
++{
++ u8 def = net->xfrm.policy_default;
++
++ switch (dir) {
++ case XFRM_POLICY_IN:
++ return def & XFRM_POL_DEFAULT_IN ? false : true;
++ case XFRM_POLICY_OUT:
++ return def & XFRM_POL_DEFAULT_OUT ? false : true;
++ case XFRM_POLICY_FWD:
++ return def & XFRM_POL_DEFAULT_FWD ? false : true;
++ }
++ return false;
++}
++
+ int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb,
+ unsigned short family);
+
+@@ -1101,9 +1117,13 @@ static inline int __xfrm_policy_check2(struct sock *sk, int dir,
+ if (sk && sk->sk_policy[XFRM_POLICY_IN])
+ return __xfrm_policy_check(sk, ndir, skb, family);
+
+- return (!net->xfrm.policy_count[dir] && !secpath_exists(skb)) ||
+- (skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY)) ||
+- __xfrm_policy_check(sk, ndir, skb, family);
++ if (xfrm_default_allow(net, dir))
++ return (!net->xfrm.policy_count[dir] && !secpath_exists(skb)) ||
++ (skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY)) ||
++ __xfrm_policy_check(sk, ndir, skb, family);
++ else
++ return (skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY)) ||
++ __xfrm_policy_check(sk, ndir, skb, family);
+ }
+
+ static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
+@@ -1155,9 +1175,13 @@ static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family)
+ {
+ struct net *net = dev_net(skb->dev);
+
+- return !net->xfrm.policy_count[XFRM_POLICY_OUT] ||
+- (skb_dst(skb)->flags & DST_NOXFRM) ||
+- __xfrm_route_forward(skb, family);
++ if (xfrm_default_allow(net, XFRM_POLICY_FWD))
++ return !net->xfrm.policy_count[XFRM_POLICY_OUT] ||
++ (skb_dst(skb)->flags & DST_NOXFRM) ||
++ __xfrm_route_forward(skb, family);
++ else
++ return (skb_dst(skb)->flags & DST_NOXFRM) ||
++ __xfrm_route_forward(skb, family);
+ }
+
+ static inline int xfrm4_route_forward(struct sk_buff *skb)
+diff --git a/include/uapi/linux/xfrm.h b/include/uapi/linux/xfrm.h
+index 90ddb49fce84..b963e1acf65a 100644
+--- a/include/uapi/linux/xfrm.h
++++ b/include/uapi/linux/xfrm.h
+@@ -213,6 +213,11 @@ enum {
+ XFRM_MSG_GETSPDINFO,
+ #define XFRM_MSG_GETSPDINFO XFRM_MSG_GETSPDINFO
+
++ XFRM_MSG_SETDEFAULT,
++#define XFRM_MSG_SETDEFAULT XFRM_MSG_SETDEFAULT
++ XFRM_MSG_GETDEFAULT,
++#define XFRM_MSG_GETDEFAULT XFRM_MSG_GETDEFAULT
++
+ XFRM_MSG_MAPPING,
+ #define XFRM_MSG_MAPPING XFRM_MSG_MAPPING
+ __XFRM_MSG_MAX
+@@ -515,6 +520,11 @@ struct xfrm_user_offload {
+ #define XFRM_OFFLOAD_IPV6 1
+ #define XFRM_OFFLOAD_INBOUND 2
+
++struct xfrm_userpolicy_default {
++ __u8 dirmask;
++ __u8 action;
++};
++
+ #ifndef __KERNEL__
+ /* backwards compatibility for userspace */
+ #define XFRMGRP_ACQUIRE 1
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index 3d0ffd927004..2c701fb3a61b 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -3161,6 +3161,11 @@ struct dst_entry *xfrm_lookup_with_ifid(struct net *net,
+ return dst;
+
+ nopol:
++ if (!(dst_orig->dev->flags & IFF_LOOPBACK) &&
++ !xfrm_default_allow(net, dir)) {
++ err = -EPERM;
++ goto error;
++ }
+ if (!(flags & XFRM_LOOKUP_ICMP)) {
+ dst = dst_orig;
+ goto ok;
+@@ -3608,6 +3613,11 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
+ }
+
+ if (!pol) {
++ if (!xfrm_default_allow(net, dir)) {
++ XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOPOLS);
++ return 0;
++ }
++
+ if (sp && secpath_has_nontransport(sp, 0, &xerr_idx)) {
+ xfrm_secpath_reject(xerr_idx, skb, &fl);
+ XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOPOLS);
+@@ -3662,6 +3672,12 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
+ tpp[ti++] = &pols[pi]->xfrm_vec[i];
+ }
+ xfrm_nr = ti;
++
++ if (!xfrm_default_allow(net, dir) && !xfrm_nr) {
++ XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOSTATES);
++ goto reject;
++ }
++
+ if (npols > 1) {
+ xfrm_tmpl_sort(stp, tpp, xfrm_nr, family);
+ tpp = stp;
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 1ece01cd67a4..dec24f280e83 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -1914,6 +1914,54 @@ static struct sk_buff *xfrm_policy_netlink(struct sk_buff *in_skb,
+ return skb;
+ }
+
++static int xfrm_set_default(struct sk_buff *skb, struct nlmsghdr *nlh,
++ struct nlattr **attrs)
++{
++ struct net *net = sock_net(skb->sk);
++ struct xfrm_userpolicy_default *up = nlmsg_data(nlh);
++ u8 dirmask = (1 << up->dirmask) & XFRM_POL_DEFAULT_MASK;
++ u8 old_default = net->xfrm.policy_default;
++
++ net->xfrm.policy_default = (old_default & (0xff ^ dirmask))
++ | (up->action << up->dirmask);
++
++ rt_genid_bump_all(net);
++
++ return 0;
++}
++
++static int xfrm_get_default(struct sk_buff *skb, struct nlmsghdr *nlh,
++ struct nlattr **attrs)
++{
++ struct sk_buff *r_skb;
++ struct nlmsghdr *r_nlh;
++ struct net *net = sock_net(skb->sk);
++ struct xfrm_userpolicy_default *r_up, *up;
++ int len = NLMSG_ALIGN(sizeof(struct xfrm_userpolicy_default));
++ u32 portid = NETLINK_CB(skb).portid;
++ u32 seq = nlh->nlmsg_seq;
++
++ up = nlmsg_data(nlh);
++
++ r_skb = nlmsg_new(len, GFP_ATOMIC);
++ if (!r_skb)
++ return -ENOMEM;
++
++ r_nlh = nlmsg_put(r_skb, portid, seq, XFRM_MSG_GETDEFAULT, sizeof(*r_up), 0);
++ if (!r_nlh) {
++ kfree_skb(r_skb);
++ return -EMSGSIZE;
++ }
++
++ r_up = nlmsg_data(r_nlh);
++
++ r_up->action = ((net->xfrm.policy_default & (1 << up->dirmask)) >> up->dirmask);
++ r_up->dirmask = up->dirmask;
++ nlmsg_end(r_skb, r_nlh);
++
++ return nlmsg_unicast(net->xfrm.nlsk, r_skb, portid);
++}
++
+ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
+ struct nlattr **attrs)
+ {
+@@ -2621,6 +2669,8 @@ const int xfrm_msg_min[XFRM_NR_MSGTYPES] = {
+ [XFRM_MSG_GETSADINFO - XFRM_MSG_BASE] = sizeof(u32),
+ [XFRM_MSG_NEWSPDINFO - XFRM_MSG_BASE] = sizeof(u32),
+ [XFRM_MSG_GETSPDINFO - XFRM_MSG_BASE] = sizeof(u32),
++ [XFRM_MSG_SETDEFAULT - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_default),
++ [XFRM_MSG_GETDEFAULT - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_default),
+ };
+ EXPORT_SYMBOL_GPL(xfrm_msg_min);
+
+@@ -2700,6 +2750,8 @@ static const struct xfrm_link {
+ .nla_pol = xfrma_spd_policy,
+ .nla_max = XFRMA_SPD_MAX },
+ [XFRM_MSG_GETSPDINFO - XFRM_MSG_BASE] = { .doit = xfrm_get_spdinfo },
++ [XFRM_MSG_SETDEFAULT - XFRM_MSG_BASE] = { .doit = xfrm_set_default },
++ [XFRM_MSG_GETDEFAULT - XFRM_MSG_BASE] = { .doit = xfrm_get_default },
+ };
+
+ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh,
+--
+2.35.1
+
--- /dev/null
+From f0ea470080f9e2e0d450b29ea9642cd4eb4295e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Nov 2021 11:33:13 +0100
+Subject: xfrm: fix dflt policy check when there is no policy configured
+
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+
+[ Upstream commit ec3bb890817e4398f2d46e12e2e205495b116be9 ]
+
+When there is no policy configured on the system, the default policy is
+checked in xfrm_route_forward. However, it was done with the wrong
+direction (XFRM_POLICY_FWD instead of XFRM_POLICY_OUT).
+The default policy for XFRM_POLICY_FWD was checked just before, with a call
+to xfrm[46]_policy_check().
+
+CC: stable@vger.kernel.org
+Fixes: 2d151d39073a ("xfrm: Add possibility to set the default to block if we have no policy")
+Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/xfrm.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/xfrm.h b/include/net/xfrm.h
+index 988886f95e5b..6a9e3b4c8a35 100644
+--- a/include/net/xfrm.h
++++ b/include/net/xfrm.h
+@@ -1175,7 +1175,7 @@ static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family)
+ {
+ struct net *net = dev_net(skb->dev);
+
+- if (xfrm_default_allow(net, XFRM_POLICY_FWD))
++ if (xfrm_default_allow(net, XFRM_POLICY_OUT))
+ return !net->xfrm.policy_count[XFRM_POLICY_OUT] ||
+ (skb_dst(skb)->flags & DST_NOXFRM) ||
+ __xfrm_route_forward(skb, family);
+--
+2.35.1
+
--- /dev/null
+From 96880b270bc8470d43dab9a2ca94cf4065aa4399 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 May 2022 23:34:02 +0300
+Subject: xfrm: fix "disable_policy" flag use when arriving from different
+ devices
+
+From: Eyal Birger <eyal.birger@gmail.com>
+
+[ Upstream commit e6175a2ed1f18bf2f649625bf725e07adcfa6a28 ]
+
+In IPv4 setting the "disable_policy" flag on a device means no policy
+should be enforced for traffic originating from the device. This was
+implemented by seting the DST_NOPOLICY flag in the dst based on the
+originating device.
+
+However, dsts are cached in nexthops regardless of the originating
+devices, in which case, the DST_NOPOLICY flag value may be incorrect.
+
+Consider the following setup:
+
+ +------------------------------+
+ | ROUTER |
+ +-------------+ | +-----------------+ |
+ | ipsec src |----|-|ipsec0 | |
+ +-------------+ | |disable_policy=0 | +----+ |
+ | +-----------------+ |eth1|-|-----
+ +-------------+ | +-----------------+ +----+ |
+ | noipsec src |----|-|eth0 | |
+ +-------------+ | |disable_policy=1 | |
+ | +-----------------+ |
+ +------------------------------+
+
+Where ROUTER has a default route towards eth1.
+
+dst entries for traffic arriving from eth0 would have DST_NOPOLICY
+and would be cached and therefore can be reused by traffic originating
+from ipsec0, skipping policy check.
+
+Fix by setting a IPSKB_NOPOLICY flag in IPCB and observing it instead
+of the DST in IN/FWD IPv4 policy checks.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Shmulik Ladkani <shmulik.ladkani@gmail.com>
+Signed-off-by: Eyal Birger <eyal.birger@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/ip.h | 1 +
+ include/net/xfrm.h | 14 +++++++++++++-
+ net/ipv4/route.c | 23 ++++++++++++++++++-----
+ 3 files changed, 32 insertions(+), 6 deletions(-)
+
+diff --git a/include/net/ip.h b/include/net/ip.h
+index de2dc22a78f9..76aaa7eb5b82 100644
+--- a/include/net/ip.h
++++ b/include/net/ip.h
+@@ -55,6 +55,7 @@ struct inet_skb_parm {
+ #define IPSKB_DOREDIRECT BIT(5)
+ #define IPSKB_FRAG_PMTU BIT(6)
+ #define IPSKB_L3SLAVE BIT(7)
++#define IPSKB_NOPOLICY BIT(8)
+
+ u16 frag_max_size;
+ };
+diff --git a/include/net/xfrm.h b/include/net/xfrm.h
+index 86e5d1aa9628..8a9943d935f1 100644
+--- a/include/net/xfrm.h
++++ b/include/net/xfrm.h
+@@ -1100,6 +1100,18 @@ static inline bool __xfrm_check_nopolicy(struct net *net, struct sk_buff *skb,
+ return false;
+ }
+
++static inline bool __xfrm_check_dev_nopolicy(struct sk_buff *skb,
++ int dir, unsigned short family)
++{
++ if (dir != XFRM_POLICY_OUT && family == AF_INET) {
++ /* same dst may be used for traffic originating from
++ * devices with different policy settings.
++ */
++ return IPCB(skb)->flags & IPSKB_NOPOLICY;
++ }
++ return skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY);
++}
++
+ static inline int __xfrm_policy_check2(struct sock *sk, int dir,
+ struct sk_buff *skb,
+ unsigned int family, int reverse)
+@@ -1111,7 +1123,7 @@ static inline int __xfrm_policy_check2(struct sock *sk, int dir,
+ return __xfrm_policy_check(sk, ndir, skb, family);
+
+ return __xfrm_check_nopolicy(net, skb, dir) ||
+- (skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY)) ||
++ __xfrm_check_dev_nopolicy(skb, dir, family) ||
+ __xfrm_policy_check(sk, ndir, skb, family);
+ }
+
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index 9bd3cd2177f4..aab8ac383d5d 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1765,6 +1765,7 @@ static int ip_route_input_mc(struct sk_buff *skb, __be32 daddr, __be32 saddr,
+ struct in_device *in_dev = __in_dev_get_rcu(dev);
+ unsigned int flags = RTCF_MULTICAST;
+ struct rtable *rth;
++ bool no_policy;
+ u32 itag = 0;
+ int err;
+
+@@ -1775,8 +1776,12 @@ static int ip_route_input_mc(struct sk_buff *skb, __be32 daddr, __be32 saddr,
+ if (our)
+ flags |= RTCF_LOCAL;
+
++ no_policy = IN_DEV_ORCONF(in_dev, NOPOLICY);
++ if (no_policy)
++ IPCB(skb)->flags |= IPSKB_NOPOLICY;
++
+ rth = rt_dst_alloc(dev_net(dev)->loopback_dev, flags, RTN_MULTICAST,
+- IN_DEV_ORCONF(in_dev, NOPOLICY), false);
++ no_policy, false);
+ if (!rth)
+ return -ENOBUFS;
+
+@@ -1835,7 +1840,7 @@ static int __mkroute_input(struct sk_buff *skb,
+ struct rtable *rth;
+ int err;
+ struct in_device *out_dev;
+- bool do_cache;
++ bool do_cache, no_policy;
+ u32 itag = 0;
+
+ /* get a working reference to the output device */
+@@ -1880,6 +1885,10 @@ static int __mkroute_input(struct sk_buff *skb,
+ }
+ }
+
++ no_policy = IN_DEV_ORCONF(in_dev, NOPOLICY);
++ if (no_policy)
++ IPCB(skb)->flags |= IPSKB_NOPOLICY;
++
+ fnhe = find_exception(nhc, daddr);
+ if (do_cache) {
+ if (fnhe)
+@@ -1892,8 +1901,7 @@ static int __mkroute_input(struct sk_buff *skb,
+ }
+ }
+
+- rth = rt_dst_alloc(out_dev->dev, 0, res->type,
+- IN_DEV_ORCONF(in_dev, NOPOLICY),
++ rth = rt_dst_alloc(out_dev->dev, 0, res->type, no_policy,
+ IN_DEV_ORCONF(out_dev, NOXFRM));
+ if (!rth) {
+ err = -ENOBUFS;
+@@ -2145,6 +2153,7 @@ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr,
+ struct rtable *rth;
+ struct flowi4 fl4;
+ bool do_cache = true;
++ bool no_policy;
+
+ /* IP on this device is disabled. */
+
+@@ -2262,6 +2271,10 @@ out: return err;
+ RT_CACHE_STAT_INC(in_brd);
+
+ local_input:
++ no_policy = IN_DEV_ORCONF(in_dev, NOPOLICY);
++ if (no_policy)
++ IPCB(skb)->flags |= IPSKB_NOPOLICY;
++
+ do_cache &= res->fi && !itag;
+ if (do_cache) {
+ struct fib_nh_common *nhc = FIB_RES_NHC(*res);
+@@ -2276,7 +2289,7 @@ out: return err;
+
+ rth = rt_dst_alloc(ip_rt_get_dev(net, res),
+ flags | RTCF_LOCAL, res->type,
+- IN_DEV_ORCONF(in_dev, NOPOLICY), false);
++ no_policy, false);
+ if (!rth)
+ goto e_nobufs;
+
+--
+2.35.1
+
--- /dev/null
+From cb361c1238c8c6bb438a7adfe8a07a1cbfe17343 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Sep 2021 16:46:33 +0200
+Subject: xfrm: make user policy API complete
+
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+
+[ Upstream commit f8d858e607b2a36808ac6d4218f5f5203d7a7d63 ]
+
+>From a userland POV, this API was based on some magic values:
+ - dirmask and action were bitfields but meaning of bits
+ (XFRM_POL_DEFAULT_*) are not exported;
+ - action is confusing, if a bit is set, does it mean drop or accept?
+
+Let's try to simplify this uapi by using explicit field and macros.
+
+Fixes: 2d151d39073a ("xfrm: Add possibility to set the default to block if we have no policy")
+Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/xfrm.h | 9 ++++++---
+ net/xfrm/xfrm_user.c | 31 +++++++++++++++++++------------
+ 2 files changed, 25 insertions(+), 15 deletions(-)
+
+diff --git a/include/uapi/linux/xfrm.h b/include/uapi/linux/xfrm.h
+index 2a2c4dcb015f..6bae68645148 100644
+--- a/include/uapi/linux/xfrm.h
++++ b/include/uapi/linux/xfrm.h
+@@ -521,9 +521,12 @@ struct xfrm_user_offload {
+ #define XFRM_OFFLOAD_INBOUND 2
+
+ struct xfrm_userpolicy_default {
+-#define XFRM_USERPOLICY_DIRMASK_MAX (sizeof(__u8) * 8)
+- __u8 dirmask;
+- __u8 action;
++#define XFRM_USERPOLICY_UNSPEC 0
++#define XFRM_USERPOLICY_BLOCK 1
++#define XFRM_USERPOLICY_ACCEPT 2
++ __u8 in;
++ __u8 fwd;
++ __u8 out;
+ };
+
+ #ifndef __KERNEL__
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 026f29f80f88..261953e081fb 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -1919,16 +1919,21 @@ static int xfrm_set_default(struct sk_buff *skb, struct nlmsghdr *nlh,
+ {
+ struct net *net = sock_net(skb->sk);
+ struct xfrm_userpolicy_default *up = nlmsg_data(nlh);
+- u8 dirmask;
+- u8 old_default = net->xfrm.policy_default;
+
+- if (up->dirmask >= XFRM_USERPOLICY_DIRMASK_MAX)
+- return -EINVAL;
++ if (up->in == XFRM_USERPOLICY_BLOCK)
++ net->xfrm.policy_default |= XFRM_POL_DEFAULT_IN;
++ else if (up->in == XFRM_USERPOLICY_ACCEPT)
++ net->xfrm.policy_default &= ~XFRM_POL_DEFAULT_IN;
+
+- dirmask = (1 << up->dirmask) & XFRM_POL_DEFAULT_MASK;
++ if (up->fwd == XFRM_USERPOLICY_BLOCK)
++ net->xfrm.policy_default |= XFRM_POL_DEFAULT_FWD;
++ else if (up->fwd == XFRM_USERPOLICY_ACCEPT)
++ net->xfrm.policy_default &= ~XFRM_POL_DEFAULT_FWD;
+
+- net->xfrm.policy_default = (old_default & (0xff ^ dirmask))
+- | (up->action << up->dirmask);
++ if (up->out == XFRM_USERPOLICY_BLOCK)
++ net->xfrm.policy_default |= XFRM_POL_DEFAULT_OUT;
++ else if (up->out == XFRM_USERPOLICY_ACCEPT)
++ net->xfrm.policy_default &= ~XFRM_POL_DEFAULT_OUT;
+
+ rt_genid_bump_all(net);
+
+@@ -1941,13 +1946,11 @@ static int xfrm_get_default(struct sk_buff *skb, struct nlmsghdr *nlh,
+ struct sk_buff *r_skb;
+ struct nlmsghdr *r_nlh;
+ struct net *net = sock_net(skb->sk);
+- struct xfrm_userpolicy_default *r_up, *up;
++ struct xfrm_userpolicy_default *r_up;
+ int len = NLMSG_ALIGN(sizeof(struct xfrm_userpolicy_default));
+ u32 portid = NETLINK_CB(skb).portid;
+ u32 seq = nlh->nlmsg_seq;
+
+- up = nlmsg_data(nlh);
+-
+ r_skb = nlmsg_new(len, GFP_ATOMIC);
+ if (!r_skb)
+ return -ENOMEM;
+@@ -1960,8 +1963,12 @@ static int xfrm_get_default(struct sk_buff *skb, struct nlmsghdr *nlh,
+
+ r_up = nlmsg_data(r_nlh);
+
+- r_up->action = ((net->xfrm.policy_default & (1 << up->dirmask)) >> up->dirmask);
+- r_up->dirmask = up->dirmask;
++ r_up->in = net->xfrm.policy_default & XFRM_POL_DEFAULT_IN ?
++ XFRM_USERPOLICY_BLOCK : XFRM_USERPOLICY_ACCEPT;
++ r_up->fwd = net->xfrm.policy_default & XFRM_POL_DEFAULT_FWD ?
++ XFRM_USERPOLICY_BLOCK : XFRM_USERPOLICY_ACCEPT;
++ r_up->out = net->xfrm.policy_default & XFRM_POL_DEFAULT_OUT ?
++ XFRM_USERPOLICY_BLOCK : XFRM_USERPOLICY_ACCEPT;
+ nlmsg_end(r_skb, r_nlh);
+
+ return nlmsg_unicast(net->xfrm.nlsk, r_skb, portid);
+--
+2.35.1
+
--- /dev/null
+From bacd28f3be200acc3d7d055b36936b5ff44bd9a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Sep 2021 16:46:34 +0200
+Subject: xfrm: notify default policy on update
+
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+
+[ Upstream commit 88d0adb5f13b1c52fbb7d755f6f79db18c2f0c2c ]
+
+This configuration knob is very sensible, it should be notified when
+changing.
+
+Fixes: 2d151d39073a ("xfrm: Add possibility to set the default to block if we have no policy")
+Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_user.c | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 261953e081fb..4152f6399205 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -1914,6 +1914,36 @@ static struct sk_buff *xfrm_policy_netlink(struct sk_buff *in_skb,
+ return skb;
+ }
+
++static int xfrm_notify_userpolicy(struct net *net)
++{
++ struct xfrm_userpolicy_default *up;
++ int len = NLMSG_ALIGN(sizeof(*up));
++ struct nlmsghdr *nlh;
++ struct sk_buff *skb;
++
++ skb = nlmsg_new(len, GFP_ATOMIC);
++ if (skb == NULL)
++ return -ENOMEM;
++
++ nlh = nlmsg_put(skb, 0, 0, XFRM_MSG_GETDEFAULT, sizeof(*up), 0);
++ if (nlh == NULL) {
++ kfree_skb(skb);
++ return -EMSGSIZE;
++ }
++
++ up = nlmsg_data(nlh);
++ up->in = net->xfrm.policy_default & XFRM_POL_DEFAULT_IN ?
++ XFRM_USERPOLICY_BLOCK : XFRM_USERPOLICY_ACCEPT;
++ up->fwd = net->xfrm.policy_default & XFRM_POL_DEFAULT_FWD ?
++ XFRM_USERPOLICY_BLOCK : XFRM_USERPOLICY_ACCEPT;
++ up->out = net->xfrm.policy_default & XFRM_POL_DEFAULT_OUT ?
++ XFRM_USERPOLICY_BLOCK : XFRM_USERPOLICY_ACCEPT;
++
++ nlmsg_end(skb, nlh);
++
++ return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_POLICY);
++}
++
+ static int xfrm_set_default(struct sk_buff *skb, struct nlmsghdr *nlh,
+ struct nlattr **attrs)
+ {
+@@ -1937,6 +1967,7 @@ static int xfrm_set_default(struct sk_buff *skb, struct nlmsghdr *nlh,
+
+ rt_genid_bump_all(net);
+
++ xfrm_notify_userpolicy(net);
+ return 0;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 5f576c1102da14de78b9efdc411bd4c7db5de7f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Mar 2022 11:38:22 +0100
+Subject: xfrm: rework default policy structure
+
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+
+[ Upstream commit b58b1f563ab78955d37e9e43e02790a85c66ac05 ]
+
+This is a follow up of commit f8d858e607b2 ("xfrm: make user policy API
+complete"). The goal is to align userland API to the internal structures.
+
+Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Reviewed-by: Antony Antony <antony.antony@secunet.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/netns/xfrm.h | 6 +----
+ include/net/xfrm.h | 48 +++++++++++++++-------------------------
+ net/xfrm/xfrm_policy.c | 10 ++++++---
+ net/xfrm/xfrm_user.c | 43 +++++++++++++++--------------------
+ 4 files changed, 44 insertions(+), 63 deletions(-)
+
+diff --git a/include/net/netns/xfrm.h b/include/net/netns/xfrm.h
+index b694ff0963cc..69e4161462fb 100644
+--- a/include/net/netns/xfrm.h
++++ b/include/net/netns/xfrm.h
+@@ -65,11 +65,7 @@ struct netns_xfrm {
+ int sysctl_larval_drop;
+ u32 sysctl_acq_expires;
+
+- u8 policy_default;
+-#define XFRM_POL_DEFAULT_IN 1
+-#define XFRM_POL_DEFAULT_OUT 2
+-#define XFRM_POL_DEFAULT_FWD 4
+-#define XFRM_POL_DEFAULT_MASK 7
++ u8 policy_default[XFRM_POLICY_MAX];
+
+ #ifdef CONFIG_SYSCTL
+ struct ctl_table_header *sysctl_hdr;
+diff --git a/include/net/xfrm.h b/include/net/xfrm.h
+index 6a9e3b4c8a35..86e5d1aa9628 100644
+--- a/include/net/xfrm.h
++++ b/include/net/xfrm.h
+@@ -1088,25 +1088,18 @@ xfrm_state_addr_cmp(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x, un
+ }
+
+ #ifdef CONFIG_XFRM
+-static inline bool
+-xfrm_default_allow(struct net *net, int dir)
+-{
+- u8 def = net->xfrm.policy_default;
+-
+- switch (dir) {
+- case XFRM_POLICY_IN:
+- return def & XFRM_POL_DEFAULT_IN ? false : true;
+- case XFRM_POLICY_OUT:
+- return def & XFRM_POL_DEFAULT_OUT ? false : true;
+- case XFRM_POLICY_FWD:
+- return def & XFRM_POL_DEFAULT_FWD ? false : true;
+- }
+- return false;
+-}
+-
+ int __xfrm_policy_check(struct sock *, int dir, struct sk_buff *skb,
+ unsigned short family);
+
++static inline bool __xfrm_check_nopolicy(struct net *net, struct sk_buff *skb,
++ int dir)
++{
++ if (!net->xfrm.policy_count[dir] && !secpath_exists(skb))
++ return net->xfrm.policy_default[dir] == XFRM_USERPOLICY_ACCEPT;
++
++ return false;
++}
++
+ static inline int __xfrm_policy_check2(struct sock *sk, int dir,
+ struct sk_buff *skb,
+ unsigned int family, int reverse)
+@@ -1117,13 +1110,9 @@ static inline int __xfrm_policy_check2(struct sock *sk, int dir,
+ if (sk && sk->sk_policy[XFRM_POLICY_IN])
+ return __xfrm_policy_check(sk, ndir, skb, family);
+
+- if (xfrm_default_allow(net, dir))
+- return (!net->xfrm.policy_count[dir] && !secpath_exists(skb)) ||
+- (skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY)) ||
+- __xfrm_policy_check(sk, ndir, skb, family);
+- else
+- return (skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY)) ||
+- __xfrm_policy_check(sk, ndir, skb, family);
++ return __xfrm_check_nopolicy(net, skb, dir) ||
++ (skb_dst(skb) && (skb_dst(skb)->flags & DST_NOPOLICY)) ||
++ __xfrm_policy_check(sk, ndir, skb, family);
+ }
+
+ static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family)
+@@ -1175,13 +1164,12 @@ static inline int xfrm_route_forward(struct sk_buff *skb, unsigned short family)
+ {
+ struct net *net = dev_net(skb->dev);
+
+- if (xfrm_default_allow(net, XFRM_POLICY_OUT))
+- return !net->xfrm.policy_count[XFRM_POLICY_OUT] ||
+- (skb_dst(skb)->flags & DST_NOXFRM) ||
+- __xfrm_route_forward(skb, family);
+- else
+- return (skb_dst(skb)->flags & DST_NOXFRM) ||
+- __xfrm_route_forward(skb, family);
++ if (!net->xfrm.policy_count[XFRM_POLICY_OUT] &&
++ net->xfrm.policy_default[XFRM_POLICY_OUT] == XFRM_USERPOLICY_ACCEPT)
++ return true;
++
++ return (skb_dst(skb)->flags & DST_NOXFRM) ||
++ __xfrm_route_forward(skb, family);
+ }
+
+ static inline int xfrm4_route_forward(struct sk_buff *skb)
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index 2c701fb3a61b..93cbcc8f9b39 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -3162,7 +3162,7 @@ struct dst_entry *xfrm_lookup_with_ifid(struct net *net,
+
+ nopol:
+ if (!(dst_orig->dev->flags & IFF_LOOPBACK) &&
+- !xfrm_default_allow(net, dir)) {
++ net->xfrm.policy_default[dir] == XFRM_USERPOLICY_BLOCK) {
+ err = -EPERM;
+ goto error;
+ }
+@@ -3613,7 +3613,7 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
+ }
+
+ if (!pol) {
+- if (!xfrm_default_allow(net, dir)) {
++ if (net->xfrm.policy_default[dir] == XFRM_USERPOLICY_BLOCK) {
+ XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOPOLS);
+ return 0;
+ }
+@@ -3673,7 +3673,8 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
+ }
+ xfrm_nr = ti;
+
+- if (!xfrm_default_allow(net, dir) && !xfrm_nr) {
++ if (net->xfrm.policy_default[dir] == XFRM_USERPOLICY_BLOCK &&
++ !xfrm_nr) {
+ XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOSTATES);
+ goto reject;
+ }
+@@ -4162,6 +4163,9 @@ static int __net_init xfrm_net_init(struct net *net)
+ spin_lock_init(&net->xfrm.xfrm_policy_lock);
+ seqcount_spinlock_init(&net->xfrm.xfrm_policy_hash_generation, &net->xfrm.xfrm_policy_lock);
+ mutex_init(&net->xfrm.xfrm_cfg_mutex);
++ net->xfrm.policy_default[XFRM_POLICY_IN] = XFRM_USERPOLICY_ACCEPT;
++ net->xfrm.policy_default[XFRM_POLICY_FWD] = XFRM_USERPOLICY_ACCEPT;
++ net->xfrm.policy_default[XFRM_POLICY_OUT] = XFRM_USERPOLICY_ACCEPT;
+
+ rv = xfrm_statistics_init(net);
+ if (rv < 0)
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 4152f6399205..d9841f44487f 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -1932,38 +1932,35 @@ static int xfrm_notify_userpolicy(struct net *net)
+ }
+
+ up = nlmsg_data(nlh);
+- up->in = net->xfrm.policy_default & XFRM_POL_DEFAULT_IN ?
+- XFRM_USERPOLICY_BLOCK : XFRM_USERPOLICY_ACCEPT;
+- up->fwd = net->xfrm.policy_default & XFRM_POL_DEFAULT_FWD ?
+- XFRM_USERPOLICY_BLOCK : XFRM_USERPOLICY_ACCEPT;
+- up->out = net->xfrm.policy_default & XFRM_POL_DEFAULT_OUT ?
+- XFRM_USERPOLICY_BLOCK : XFRM_USERPOLICY_ACCEPT;
++ up->in = net->xfrm.policy_default[XFRM_POLICY_IN];
++ up->fwd = net->xfrm.policy_default[XFRM_POLICY_FWD];
++ up->out = net->xfrm.policy_default[XFRM_POLICY_OUT];
+
+ nlmsg_end(skb, nlh);
+
+ return xfrm_nlmsg_multicast(net, skb, 0, XFRMNLGRP_POLICY);
+ }
+
++static bool xfrm_userpolicy_is_valid(__u8 policy)
++{
++ return policy == XFRM_USERPOLICY_BLOCK ||
++ policy == XFRM_USERPOLICY_ACCEPT;
++}
++
+ static int xfrm_set_default(struct sk_buff *skb, struct nlmsghdr *nlh,
+ struct nlattr **attrs)
+ {
+ struct net *net = sock_net(skb->sk);
+ struct xfrm_userpolicy_default *up = nlmsg_data(nlh);
+
+- if (up->in == XFRM_USERPOLICY_BLOCK)
+- net->xfrm.policy_default |= XFRM_POL_DEFAULT_IN;
+- else if (up->in == XFRM_USERPOLICY_ACCEPT)
+- net->xfrm.policy_default &= ~XFRM_POL_DEFAULT_IN;
++ if (xfrm_userpolicy_is_valid(up->in))
++ net->xfrm.policy_default[XFRM_POLICY_IN] = up->in;
+
+- if (up->fwd == XFRM_USERPOLICY_BLOCK)
+- net->xfrm.policy_default |= XFRM_POL_DEFAULT_FWD;
+- else if (up->fwd == XFRM_USERPOLICY_ACCEPT)
+- net->xfrm.policy_default &= ~XFRM_POL_DEFAULT_FWD;
++ if (xfrm_userpolicy_is_valid(up->fwd))
++ net->xfrm.policy_default[XFRM_POLICY_FWD] = up->fwd;
+
+- if (up->out == XFRM_USERPOLICY_BLOCK)
+- net->xfrm.policy_default |= XFRM_POL_DEFAULT_OUT;
+- else if (up->out == XFRM_USERPOLICY_ACCEPT)
+- net->xfrm.policy_default &= ~XFRM_POL_DEFAULT_OUT;
++ if (xfrm_userpolicy_is_valid(up->out))
++ net->xfrm.policy_default[XFRM_POLICY_OUT] = up->out;
+
+ rt_genid_bump_all(net);
+
+@@ -1993,13 +1990,9 @@ static int xfrm_get_default(struct sk_buff *skb, struct nlmsghdr *nlh,
+ }
+
+ r_up = nlmsg_data(r_nlh);
+-
+- r_up->in = net->xfrm.policy_default & XFRM_POL_DEFAULT_IN ?
+- XFRM_USERPOLICY_BLOCK : XFRM_USERPOLICY_ACCEPT;
+- r_up->fwd = net->xfrm.policy_default & XFRM_POL_DEFAULT_FWD ?
+- XFRM_USERPOLICY_BLOCK : XFRM_USERPOLICY_ACCEPT;
+- r_up->out = net->xfrm.policy_default & XFRM_POL_DEFAULT_OUT ?
+- XFRM_USERPOLICY_BLOCK : XFRM_USERPOLICY_ACCEPT;
++ r_up->in = net->xfrm.policy_default[XFRM_POLICY_IN];
++ r_up->fwd = net->xfrm.policy_default[XFRM_POLICY_FWD];
++ r_up->out = net->xfrm.policy_default[XFRM_POLICY_OUT];
+ nlmsg_end(r_skb, r_nlh);
+
+ return nlmsg_unicast(net->xfrm.nlsk, r_skb, portid);
+--
+2.35.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
