--- /dev/null
+From 1affc01fdc6035189a5ab2a24948c9419ee0ecf2 Mon Sep 17 00:00:00 2001
+From: Edwin Peer <edwin.peer@broadcom.com>
+Date: Sun, 12 Sep 2021 12:34:48 -0400
+Subject: bnxt_en: make bnxt_free_skbs() safe to call after bnxt_free_mem()
+
+From: Edwin Peer <edwin.peer@broadcom.com>
+
+commit 1affc01fdc6035189a5ab2a24948c9419ee0ecf2 upstream.
+
+The call to bnxt_free_mem(..., false) in the bnxt_half_open_nic() error
+path will deallocate ring descriptor memory via bnxt_free_?x_rings(),
+but because irq_re_init is false, the ring info itself is not freed.
+
+To simplify error paths, deallocation functions have generally been
+written to be safe when called on unallocated memory. It should always
+be safe to call dev_close(), which calls bnxt_free_skbs() a second time,
+even in this semi- allocated ring state.
+
+Calling bnxt_free_skbs() a second time with the rings already freed will
+cause NULL pointer dereference. Fix it by checking the rings are valid
+before proceeding in bnxt_free_tx_skbs() and
+bnxt_free_one_rx_ring_skbs().
+
+Fixes: 975bc99a4a39 ("bnxt_en: Refactor bnxt_free_rx_skbs().")
+Signed-off-by: Edwin Peer <edwin.peer@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -2591,6 +2591,9 @@ static void bnxt_free_tx_skbs(struct bnx
+ struct bnxt_tx_ring_info *txr = &bp->tx_ring[i];
+ int j;
+
++ if (!txr->tx_buf_ring)
++ continue;
++
+ for (j = 0; j < max_idx;) {
+ struct bnxt_sw_tx_bd *tx_buf = &txr->tx_buf_ring[j];
+ struct sk_buff *skb;
+@@ -2675,6 +2678,9 @@ static void bnxt_free_one_rx_ring_skbs(s
+ }
+
+ skip_rx_tpa_free:
++ if (!rxr->rx_buf_ring)
++ goto skip_rx_buf_free;
++
+ for (i = 0; i < max_idx; i++) {
+ struct bnxt_sw_rx_bd *rx_buf = &rxr->rx_buf_ring[i];
+ dma_addr_t mapping = rx_buf->mapping;
+@@ -2697,6 +2703,11 @@ skip_rx_tpa_free:
+ kfree(data);
+ }
+ }
++
++skip_rx_buf_free:
++ if (!rxr->rx_agg_ring)
++ goto skip_rx_agg_free;
++
+ for (i = 0; i < max_agg_idx; i++) {
+ struct bnxt_sw_rx_agg_bd *rx_agg_buf = &rxr->rx_agg_ring[i];
+ struct page *page = rx_agg_buf->page;
+@@ -2713,6 +2724,8 @@ skip_rx_tpa_free:
+
+ __free_page(page);
+ }
++
++skip_rx_agg_free:
+ if (rxr->rx_page) {
+ __free_page(rxr->rx_page);
+ rxr->rx_page = NULL;
--- /dev/null
+From d9ea761fdd197351890418acd462c51f241014a7 Mon Sep 17 00:00:00 2001
+From: "Lin, Zhenpeng" <zplin@psu.edu>
+Date: Wed, 8 Sep 2021 03:40:59 +0000
+Subject: dccp: don't duplicate ccid when cloning dccp sock
+
+From: Lin, Zhenpeng <zplin@psu.edu>
+
+commit d9ea761fdd197351890418acd462c51f241014a7 upstream.
+
+Commit 2677d2067731 ("dccp: don't free ccid2_hc_tx_sock ...") fixed
+a UAF but reintroduced CVE-2017-6074.
+
+When the sock is cloned, two dccps_hc_tx_ccid will reference to the
+same ccid. So one can free the ccid object twice from two socks after
+cloning.
+
+This issue was found by "Hadar Manor" as well and assigned with
+CVE-2020-16119, which was fixed in Ubuntu's kernel. So here I port
+the patch from Ubuntu to fix it.
+
+The patch prevents cloned socks from referencing the same ccid.
+
+Fixes: 2677d2067731410 ("dccp: don't free ccid2_hc_tx_sock ...")
+Signed-off-by: Zhenpeng Lin <zplin@psu.edu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dccp/minisocks.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/dccp/minisocks.c
++++ b/net/dccp/minisocks.c
+@@ -94,6 +94,8 @@ struct sock *dccp_create_openreq_child(c
+ newdp->dccps_role = DCCP_ROLE_SERVER;
+ newdp->dccps_hc_rx_ackvec = NULL;
+ newdp->dccps_service_list = NULL;
++ newdp->dccps_hc_rx_ccid = NULL;
++ newdp->dccps_hc_tx_ccid = NULL;
+ newdp->dccps_service = dreq->dreq_service;
+ newdp->dccps_timestamp_echo = dreq->dreq_timestamp_echo;
+ newdp->dccps_timestamp_time = dreq->dreq_timestamp_time;
--- /dev/null
+From 040b8907ccf1c78d020aca29800036565d761d73 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 28 Apr 2020 23:31:24 +0200
+Subject: drm/rockchip: cdn-dp-core: Make cdn_dp_core_resume __maybe_unused
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 040b8907ccf1c78d020aca29800036565d761d73 upstream.
+
+With the new static annotation, the compiler warns when the functions
+are actually unused:
+
+ drivers/gpu/drm/rockchip/cdn-dp-core.c:1123:12: error: 'cdn_dp_resume' defined but not used [-Werror=unused-function]
+ 1123 | static int cdn_dp_resume(struct device *dev)
+ | ^~~~~~~~~~~~~
+
+Mark them __maybe_unused to suppress that warning as well.
+
+[ Not so 'new' static annotations any more, and I removed the part of
+ the patch that added __maybe_unused to cdn_dp_suspend(), because it's
+ used by the shutdown/remove code.
+
+ So only the resume function ends up possibly unused if CONFIG_PM isn't
+ set - Linus ]
+
+Fixes: 7c49abb4c2f8 ("drm/rockchip: cdn-dp-core: Make cdn_dp_core_suspend/resume static")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Enric Balletbo i Serra <enric.balletbo@collabora.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/rockchip/cdn-dp-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/rockchip/cdn-dp-core.c
++++ b/drivers/gpu/drm/rockchip/cdn-dp-core.c
+@@ -1122,7 +1122,7 @@ static int cdn_dp_suspend(struct device
+ return ret;
+ }
+
+-static int cdn_dp_resume(struct device *dev)
++static __maybe_unused int cdn_dp_resume(struct device *dev)
+ {
+ struct cdn_dp_device *dp = dev_get_drvdata(dev);
+
--- /dev/null
+From 55c21d57eafb7b379bb7b3e93baf9ca2695895b0 Mon Sep 17 00:00:00 2001
+From: David Heidelberg <david@ixit.cz>
+Date: Sun, 12 Sep 2021 18:51:20 +0200
+Subject: dt-bindings: arm: Fix Toradex compatible typo
+
+From: David Heidelberg <david@ixit.cz>
+
+commit 55c21d57eafb7b379bb7b3e93baf9ca2695895b0 upstream.
+
+Fix board compatible typo reported by dtbs_check.
+
+Fixes: f4d1577e9bc6 ("dt-bindings: arm: Convert Tegra board/soc bindings to json-schema")
+Signed-off-by: David Heidelberg <david@ixit.cz>
+Link: https://lore.kernel.org/r/20210912165120.188490-1-david@ixit.cz
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/arm/tegra.yaml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Documentation/devicetree/bindings/arm/tegra.yaml
++++ b/Documentation/devicetree/bindings/arm/tegra.yaml
+@@ -54,7 +54,7 @@ properties:
+ - const: toradex,apalis_t30
+ - const: nvidia,tegra30
+ - items:
+- - const: toradex,apalis_t30-eval-v1.1
++ - const: toradex,apalis_t30-v1.1-eval
+ - const: toradex,apalis_t30-eval
+ - const: toradex,apalis_t30-v1.1
+ - const: toradex,apalis_t30
--- /dev/null
+From b89a05b21f46150ac10a962aa50109250b56b03b Mon Sep 17 00:00:00 2001
+From: Baptiste Lepers <baptiste.lepers@gmail.com>
+Date: Mon, 6 Sep 2021 11:53:10 +1000
+Subject: events: Reuse value read using READ_ONCE instead of re-reading it
+
+From: Baptiste Lepers <baptiste.lepers@gmail.com>
+
+commit b89a05b21f46150ac10a962aa50109250b56b03b upstream.
+
+In perf_event_addr_filters_apply, the task associated with
+the event (event->ctx->task) is read using READ_ONCE at the beginning
+of the function, checked, and then re-read from event->ctx->task,
+voiding all guarantees of the checks. Reuse the value that was read by
+READ_ONCE to ensure the consistency of the task struct throughout the
+function.
+
+Fixes: 375637bc52495 ("perf/core: Introduce address range filtering")
+Signed-off-by: Baptiste Lepers <baptiste.lepers@gmail.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/20210906015310.12802-1-baptiste.lepers@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/events/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -9973,7 +9973,7 @@ static void perf_event_addr_filters_appl
+ return;
+
+ if (ifh->nr_file_filters) {
+- mm = get_task_mm(event->ctx->task);
++ mm = get_task_mm(task);
+ if (!mm)
+ goto restart;
+
--- /dev/null
+From ec783c7cb2495c5a3b8ca10db8056d43c528f940 Mon Sep 17 00:00:00 2001
+From: Kortan <kortanzh@gmail.com>
+Date: Wed, 8 Sep 2021 11:28:48 +0800
+Subject: gen_compile_commands: fix missing 'sys' package
+
+From: Kortan <kortanzh@gmail.com>
+
+commit ec783c7cb2495c5a3b8ca10db8056d43c528f940 upstream.
+
+We need to import the 'sys' package since the script has called
+sys.exit() method.
+
+Fixes: 6ad7cbc01527 ("Makefile: Add clang-tidy and static analyzer support to makefile")
+Signed-off-by: Kortan <kortanzh@gmail.com>
+Reviewed-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ scripts/clang-tools/gen_compile_commands.py | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/scripts/clang-tools/gen_compile_commands.py
++++ b/scripts/clang-tools/gen_compile_commands.py
+@@ -13,6 +13,7 @@ import logging
+ import os
+ import re
+ import subprocess
++import sys
+
+ _DEFAULT_OUTPUT = 'compile_commands.json'
+ _DEFAULT_LOG_LEVEL = 'WARNING'
--- /dev/null
+From 273c29e944bda9a20a30c26cfc34c9a3f363280b Mon Sep 17 00:00:00 2001
+From: Sukadev Bhattiprolu <sukadev@linux.ibm.com>
+Date: Wed, 8 Sep 2021 09:58:20 -0700
+Subject: ibmvnic: check failover_pending in login response
+
+From: Sukadev Bhattiprolu <sukadev@linux.ibm.com>
+
+commit 273c29e944bda9a20a30c26cfc34c9a3f363280b upstream.
+
+If a failover occurs before a login response is received, the login
+response buffer maybe undefined. Check that there was no failover
+before accessing the login response buffer.
+
+Fixes: 032c5e82847a ("Driver for IBM System i/p VNIC protocol")
+Signed-off-by: Sukadev Bhattiprolu <sukadev@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ibm/ibmvnic.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -4478,6 +4478,14 @@ static int handle_login_rsp(union ibmvni
+ return 0;
+ }
+
++ if (adapter->failover_pending) {
++ adapter->init_done_rc = -EAGAIN;
++ netdev_dbg(netdev, "Failover pending, ignoring login response\n");
++ complete(&adapter->init_done);
++ /* login response buffer will be released on reset */
++ return 0;
++ }
++
+ netdev->mtu = adapter->req_mtu - ETH_HLEN;
+
+ netdev_dbg(adapter->netdev, "Login Response Buffer:\n");
--- /dev/null
+From 267cdfa21385d78c794768233678756e32b39ead Mon Sep 17 00:00:00 2001
+From: Nicholas Piggin <npiggin@gmail.com>
+Date: Wed, 8 Sep 2021 20:17:18 +1000
+Subject: KVM: PPC: Book3S HV: Tolerate treclaim. in fake-suspend mode changing registers
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+commit 267cdfa21385d78c794768233678756e32b39ead upstream.
+
+POWER9 DD2.2 and 2.3 hardware implements a "fake-suspend" mode where
+certain TM instructions executed in HV=0 mode cause softpatch interrupts
+so the hypervisor can emulate them and prevent problematic processor
+conditions. In this fake-suspend mode, the treclaim. instruction does
+not modify registers.
+
+Unfortunately the rfscv instruction executed by the guest do not
+generate softpatch interrupts, which can cause the hypervisor to lose
+track of the fake-suspend mode, and it can execute this treclaim. while
+not in fake-suspend mode. This modifies GPRs and crashes the hypervisor.
+
+It's not trivial to disable scv in the guest with HFSCR now, because
+they assume a POWER9 has scv available. So this fix saves and restores
+checkpointed registers across the treclaim.
+
+Fixes: 7854f7545bff ("KVM: PPC: Book3S: Rework TM save/restore code and make it C-callable")
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20210908101718.118522-2-npiggin@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kvm/book3s_hv_rmhandlers.S | 36 ++++++++++++++++++++++++++++++--
+ 1 file changed, 34 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S
++++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S
+@@ -3146,7 +3146,7 @@ END_FTR_SECTION_IFCLR(CPU_FTR_P9_TM_HV_A
+ /* The following code handles the fake_suspend = 1 case */
+ mflr r0
+ std r0, PPC_LR_STKOFF(r1)
+- stdu r1, -PPC_MIN_STKFRM(r1)
++ stdu r1, -TM_FRAME_SIZE(r1)
+
+ /* Turn on TM. */
+ mfmsr r8
+@@ -3161,10 +3161,42 @@ BEGIN_FTR_SECTION
+ END_FTR_SECTION_IFSET(CPU_FTR_P9_TM_XER_SO_BUG)
+ nop
+
++ /*
++ * It's possible that treclaim. may modify registers, if we have lost
++ * track of fake-suspend state in the guest due to it using rfscv.
++ * Save and restore registers in case this occurs.
++ */
++ mfspr r3, SPRN_DSCR
++ mfspr r4, SPRN_XER
++ mfspr r5, SPRN_AMR
++ /* SPRN_TAR would need to be saved here if the kernel ever used it */
++ mfcr r12
++ SAVE_NVGPRS(r1)
++ SAVE_GPR(2, r1)
++ SAVE_GPR(3, r1)
++ SAVE_GPR(4, r1)
++ SAVE_GPR(5, r1)
++ stw r12, 8(r1)
++ std r1, HSTATE_HOST_R1(r13)
++
+ /* We have to treclaim here because that's the only way to do S->N */
+ li r3, TM_CAUSE_KVM_RESCHED
+ TRECLAIM(R3)
+
++ GET_PACA(r13)
++ ld r1, HSTATE_HOST_R1(r13)
++ REST_GPR(2, r1)
++ REST_GPR(3, r1)
++ REST_GPR(4, r1)
++ REST_GPR(5, r1)
++ lwz r12, 8(r1)
++ REST_NVGPRS(r1)
++ mtspr SPRN_DSCR, r3
++ mtspr SPRN_XER, r4
++ mtspr SPRN_AMR, r5
++ mtcr r12
++ HMT_MEDIUM
++
+ /*
+ * We were in fake suspend, so we are not going to save the
+ * register state as the guest checkpointed state (since
+@@ -3192,7 +3224,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_P9_TM_XER_
+ std r5, VCPU_TFHAR(r9)
+ std r6, VCPU_TFIAR(r9)
+
+- addi r1, r1, PPC_MIN_STKFRM
++ addi r1, r1, TM_FRAME_SIZE
+ ld r0, PPC_LR_STKOFF(r1)
+ mtlr r0
+ blr
--- /dev/null
+From 04f08eb44b5011493d77b602fdec29ff0f5c6cd5 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 8 Sep 2021 17:00:29 -0700
+Subject: net/af_unix: fix a data-race in unix_dgram_poll
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 04f08eb44b5011493d77b602fdec29ff0f5c6cd5 upstream.
+
+syzbot reported another data-race in af_unix [1]
+
+Lets change __skb_insert() to use WRITE_ONCE() when changing
+skb head qlen.
+
+Also, change unix_dgram_poll() to use lockless version
+of unix_recvq_full()
+
+It is verry possible we can switch all/most unix_recvq_full()
+to the lockless version, this will be done in a future kernel version.
+
+[1] HEAD commit: 8596e589b787732c8346f0482919e83cc9362db1
+
+BUG: KCSAN: data-race in skb_queue_tail / unix_dgram_poll
+
+write to 0xffff88814eeb24e0 of 4 bytes by task 25815 on cpu 0:
+ __skb_insert include/linux/skbuff.h:1938 [inline]
+ __skb_queue_before include/linux/skbuff.h:2043 [inline]
+ __skb_queue_tail include/linux/skbuff.h:2076 [inline]
+ skb_queue_tail+0x80/0xa0 net/core/skbuff.c:3264
+ unix_dgram_sendmsg+0xff2/0x1600 net/unix/af_unix.c:1850
+ sock_sendmsg_nosec net/socket.c:703 [inline]
+ sock_sendmsg net/socket.c:723 [inline]
+ ____sys_sendmsg+0x360/0x4d0 net/socket.c:2392
+ ___sys_sendmsg net/socket.c:2446 [inline]
+ __sys_sendmmsg+0x315/0x4b0 net/socket.c:2532
+ __do_sys_sendmmsg net/socket.c:2561 [inline]
+ __se_sys_sendmmsg net/socket.c:2558 [inline]
+ __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2558
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+read to 0xffff88814eeb24e0 of 4 bytes by task 25834 on cpu 1:
+ skb_queue_len include/linux/skbuff.h:1869 [inline]
+ unix_recvq_full net/unix/af_unix.c:194 [inline]
+ unix_dgram_poll+0x2bc/0x3e0 net/unix/af_unix.c:2777
+ sock_poll+0x23e/0x260 net/socket.c:1288
+ vfs_poll include/linux/poll.h:90 [inline]
+ ep_item_poll fs/eventpoll.c:846 [inline]
+ ep_send_events fs/eventpoll.c:1683 [inline]
+ ep_poll fs/eventpoll.c:1798 [inline]
+ do_epoll_wait+0x6ad/0xf00 fs/eventpoll.c:2226
+ __do_sys_epoll_wait fs/eventpoll.c:2238 [inline]
+ __se_sys_epoll_wait fs/eventpoll.c:2233 [inline]
+ __x64_sys_epoll_wait+0xf6/0x120 fs/eventpoll.c:2233
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+value changed: 0x0000001b -> 0x00000001
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 25834 Comm: syz-executor.1 Tainted: G W 5.14.0-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Fixes: 86b18aaa2b5b ("skbuff: fix a data race in skb_queue_len()")
+Cc: Qian Cai <cai@lca.pw>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/skbuff.h | 2 +-
+ net/unix/af_unix.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -1908,7 +1908,7 @@ static inline void __skb_insert(struct s
+ WRITE_ONCE(newsk->prev, prev);
+ WRITE_ONCE(next->prev, newsk);
+ WRITE_ONCE(prev->next, newsk);
+- list->qlen++;
++ WRITE_ONCE(list->qlen, list->qlen + 1);
+ }
+
+ static inline void __skb_queue_splice(const struct sk_buff_head *list,
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -2769,7 +2769,7 @@ static __poll_t unix_dgram_poll(struct f
+
+ other = unix_peer(sk);
+ if (other && unix_peer(other) != sk &&
+- unix_recvq_full(other) &&
++ unix_recvq_full_lockless(other) &&
+ unix_dgram_peer_wake_me(sk, other))
+ writable = 0;
+
--- /dev/null
+From 550ac9c1aaaaf51fd42e20d461f0b1cdbd55b3d2 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 13 Sep 2021 11:08:36 -0700
+Subject: net-caif: avoid user-triggerable WARN_ON(1)
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 550ac9c1aaaaf51fd42e20d461f0b1cdbd55b3d2 upstream.
+
+syszbot triggers this warning, which looks something
+we can easily prevent.
+
+If we initialize priv->list_field in chnl_net_init(),
+then always use list_del_init(), we can remove robust_list_del()
+completely.
+
+WARNING: CPU: 0 PID: 3233 at net/caif/chnl_net.c:67 robust_list_del net/caif/chnl_net.c:67 [inline]
+WARNING: CPU: 0 PID: 3233 at net/caif/chnl_net.c:67 chnl_net_uninit+0xc9/0x2e0 net/caif/chnl_net.c:375
+Modules linked in:
+CPU: 0 PID: 3233 Comm: syz-executor.3 Not tainted 5.14.0-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:robust_list_del net/caif/chnl_net.c:67 [inline]
+RIP: 0010:chnl_net_uninit+0xc9/0x2e0 net/caif/chnl_net.c:375
+Code: 89 eb e8 3a a3 ba f8 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 bf 01 00 00 48 81 fb 00 14 4e 8d 48 8b 2b 75 d0 e8 17 a3 ba f8 <0f> 0b 5b 5d 41 5c 41 5d e9 0a a3 ba f8 4c 89 e3 e8 02 a3 ba f8 4c
+RSP: 0018:ffffc90009067248 EFLAGS: 00010202
+RAX: 0000000000008780 RBX: ffffffff8d4e1400 RCX: ffffc9000fd34000
+RDX: 0000000000040000 RSI: ffffffff88bb6e49 RDI: 0000000000000003
+RBP: ffff88802cd9ee08 R08: 0000000000000000 R09: ffffffff8d0e6647
+R10: ffffffff88bb6dc2 R11: 0000000000000000 R12: ffff88803791ae08
+R13: dffffc0000000000 R14: 00000000e600ffce R15: ffff888073ed3480
+FS: 00007fed10fa0700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000001b2c322000 CR3: 00000000164a6000 CR4: 00000000001506e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ register_netdevice+0xadf/0x1500 net/core/dev.c:10347
+ ipcaif_newlink+0x4c/0x260 net/caif/chnl_net.c:468
+ __rtnl_newlink+0x106d/0x1750 net/core/rtnetlink.c:3458
+ rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3506
+ rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5572
+ netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2504
+ netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]
+ netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1340
+ netlink_sendmsg+0x86d/0xdb0 net/netlink/af_netlink.c:1929
+ sock_sendmsg_nosec net/socket.c:704 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:724
+ __sys_sendto+0x21c/0x320 net/socket.c:2036
+ __do_sys_sendto net/socket.c:2048 [inline]
+ __se_sys_sendto net/socket.c:2044 [inline]
+ __x64_sys_sendto+0xdd/0x1b0 net/socket.c:2044
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Fixes: cc36a070b590 ("net-caif: add CAIF netdevice")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/caif/chnl_net.c | 19 +++----------------
+ 1 file changed, 3 insertions(+), 16 deletions(-)
+
+--- a/net/caif/chnl_net.c
++++ b/net/caif/chnl_net.c
+@@ -53,20 +53,6 @@ struct chnl_net {
+ enum caif_states state;
+ };
+
+-static void robust_list_del(struct list_head *delete_node)
+-{
+- struct list_head *list_node;
+- struct list_head *n;
+- ASSERT_RTNL();
+- list_for_each_safe(list_node, n, &chnl_net_list) {
+- if (list_node == delete_node) {
+- list_del(list_node);
+- return;
+- }
+- }
+- WARN_ON(1);
+-}
+-
+ static int chnl_recv_cb(struct cflayer *layr, struct cfpkt *pkt)
+ {
+ struct sk_buff *skb;
+@@ -369,6 +355,7 @@ static int chnl_net_init(struct net_devi
+ ASSERT_RTNL();
+ priv = netdev_priv(dev);
+ strncpy(priv->name, dev->name, sizeof(priv->name));
++ INIT_LIST_HEAD(&priv->list_field);
+ return 0;
+ }
+
+@@ -377,7 +364,7 @@ static void chnl_net_uninit(struct net_d
+ struct chnl_net *priv;
+ ASSERT_RTNL();
+ priv = netdev_priv(dev);
+- robust_list_del(&priv->list_field);
++ list_del_init(&priv->list_field);
+ }
+
+ static const struct net_device_ops netdev_ops = {
+@@ -542,7 +529,7 @@ static void __exit chnl_exit_module(void
+ rtnl_lock();
+ list_for_each_safe(list_node, _tmp, &chnl_net_list) {
+ dev = list_entry(list_node, struct chnl_net, list_field);
+- list_del(list_node);
++ list_del_init(list_node);
+ delete_device(dev);
+ }
+ rtnl_unlock();
--- /dev/null
+From 6a52e73368038f47f6618623d75061dc263b26ae Mon Sep 17 00:00:00 2001
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+Date: Tue, 14 Sep 2021 16:43:31 +0300
+Subject: net: dsa: destroy the phylink instance on any error in dsa_slave_phy_setup
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+commit 6a52e73368038f47f6618623d75061dc263b26ae upstream.
+
+DSA supports connecting to a phy-handle, and has a fallback to a non-OF
+based method of connecting to an internal PHY on the switch's own MDIO
+bus, if no phy-handle and no fixed-link nodes were present.
+
+The -ENODEV error code from the first attempt (phylink_of_phy_connect)
+is what triggers the second attempt (phylink_connect_phy).
+
+However, when the first attempt returns a different error code than
+-ENODEV, this results in an unbalance of calls to phylink_create and
+phylink_destroy by the time we exit the function. The phylink instance
+has leaked.
+
+There are many other error codes that can be returned by
+phylink_of_phy_connect. For example, phylink_validate returns -EINVAL.
+So this is a practical issue too.
+
+Fixes: aab9c4067d23 ("net: dsa: Plug in PHYLINK support")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Link: https://lore.kernel.org/r/20210914134331.2303380-1-vladimir.oltean@nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dsa/slave.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+--- a/net/dsa/slave.c
++++ b/net/dsa/slave.c
+@@ -1728,13 +1728,11 @@ static int dsa_slave_phy_setup(struct ne
+ * use the switch internal MDIO bus instead
+ */
+ ret = dsa_slave_phy_connect(slave_dev, dp->index);
+- if (ret) {
+- netdev_err(slave_dev,
+- "failed to connect to port %d: %d\n",
+- dp->index, ret);
+- phylink_destroy(dp->pl);
+- return ret;
+- }
++ }
++ if (ret) {
++ netdev_err(slave_dev, "failed to connect to PHY: %pe\n",
++ ERR_PTR(ret));
++ phylink_destroy(dp->pl);
+ }
+
+ return ret;
--- /dev/null
+From 1dc839ec09d3ab2a4156dc98328b8bc3586f2b70 Mon Sep 17 00:00:00 2001
+From: Yufeng Mo <moyufeng@huawei.com>
+Date: Mon, 13 Sep 2021 21:08:22 +0800
+Subject: net: hns3: change affinity_mask to numa node range
+
+From: Yufeng Mo <moyufeng@huawei.com>
+
+commit 1dc839ec09d3ab2a4156dc98328b8bc3586f2b70 upstream.
+
+Currently, affinity_mask is set to a single cpu. As a result,
+irqbalance becomes invalid in SUBSET or EXACT mode. To solve
+this problem, change affinity_mask to numa node range. In this
+way, irqbalance can be performed on the cpu of the numa node.
+
+Fixes: 0812545487ec ("net: hns3: add interrupt affinity support for misc interrupt")
+Signed-off-by: Yufeng Mo <moyufeng@huawei.com>
+Signed-off-by: Guangbin Huang <huangguangbin2@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -1463,9 +1463,10 @@ static void hclge_init_kdump_kernel_conf
+
+ static int hclge_configure(struct hclge_dev *hdev)
+ {
++ const struct cpumask *cpumask = cpu_online_mask;
+ struct hclge_cfg cfg;
+ unsigned int i;
+- int ret;
++ int node, ret;
+
+ ret = hclge_get_cfg(hdev, &cfg);
+ if (ret)
+@@ -1526,11 +1527,12 @@ static int hclge_configure(struct hclge_
+
+ hclge_init_kdump_kernel_config(hdev);
+
+- /* Set the init affinity based on pci func number */
+- i = cpumask_weight(cpumask_of_node(dev_to_node(&hdev->pdev->dev)));
+- i = i ? PCI_FUNC(hdev->pdev->devfn) % i : 0;
+- cpumask_set_cpu(cpumask_local_spread(i, dev_to_node(&hdev->pdev->dev)),
+- &hdev->affinity_mask);
++ /* Set the affinity based on numa node */
++ node = dev_to_node(&hdev->pdev->dev);
++ if (node != NUMA_NO_NODE)
++ cpumask = cpumask_of_node(node);
++
++ cpumask_copy(&hdev->affinity_mask, cpumask);
+
+ return ret;
+ }
--- /dev/null
+From b81d8948746520f989e86d66292ff72b5056114a Mon Sep 17 00:00:00 2001
+From: Yufeng Mo <moyufeng@huawei.com>
+Date: Mon, 13 Sep 2021 21:08:23 +0800
+Subject: net: hns3: disable mac in flr process
+
+From: Yufeng Mo <moyufeng@huawei.com>
+
+commit b81d8948746520f989e86d66292ff72b5056114a upstream.
+
+The firmware will not disable mac in flr process. Therefore, the driver
+needs to proactively disable mac during flr, which is the same as the
+function reset.
+
+Fixes: 35d93a30040c ("net: hns3: adjust the process of PF reset")
+Signed-off-by: Yufeng Mo <moyufeng@huawei.com>
+Signed-off-by: Guangbin Huang <huangguangbin2@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -7005,11 +7005,12 @@ static void hclge_ae_stop(struct hnae3_h
+ hclge_clear_arfs_rules(handle);
+ spin_unlock_bh(&hdev->fd_rule_lock);
+
+- /* If it is not PF reset, the firmware will disable the MAC,
++ /* If it is not PF reset or FLR, the firmware will disable the MAC,
+ * so it only need to stop phy here.
+ */
+ if (test_bit(HCLGE_STATE_RST_HANDLING, &hdev->state) &&
+- hdev->reset_type != HNAE3_FUNC_RESET) {
++ hdev->reset_type != HNAE3_FUNC_RESET &&
++ hdev->reset_type != HNAE3_FLR_RESET) {
+ hclge_mac_stop_phy(hdev);
+ hclge_update_link_status(hdev);
+ return;
--- /dev/null
+From 427900d27d86b820c559037a984bd403f910860f Mon Sep 17 00:00:00 2001
+From: Jiaran Zhang <zhangjiaran@huawei.com>
+Date: Mon, 13 Sep 2021 21:08:25 +0800
+Subject: net: hns3: fix the timing issue of VF clearing interrupt sources
+
+From: Jiaran Zhang <zhangjiaran@huawei.com>
+
+commit 427900d27d86b820c559037a984bd403f910860f upstream.
+
+Currently, the VF does not clear the interrupt source immediately after
+receiving the interrupt. As a result, if the second interrupt task is
+triggered when processing the first interrupt task, clearing the
+interrupt source before exiting will clear the interrupt sources of the
+two tasks at the same time. As a result, no interrupt is triggered for
+the second task. The VF detects the missed message only when the next
+interrupt is generated.
+
+Clearing it immediately after executing check_evt_cause ensures that:
+1. Even if two interrupt tasks are triggered at the same time, they can
+be processed.
+2. If the second task is triggered during the processing of the first
+task and the interrupt source is not cleared, the interrupt is reported
+after vector0 is enabled.
+
+Fixes: b90fcc5bd904 ("net: hns3: add reset handling for VF when doing Core/Global/IMP reset")
+Signed-off-by: Jiaran Zhang <zhangjiaran@huawei.com>
+Signed-off-by: Guangbin Huang <huangguangbin2@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+@@ -2352,6 +2352,8 @@ static irqreturn_t hclgevf_misc_irq_hand
+
+ hclgevf_enable_vector(&hdev->misc_vector, false);
+ event_cause = hclgevf_check_evt_cause(hdev, &clearval);
++ if (event_cause != HCLGEVF_VECTOR0_EVENT_OTHER)
++ hclgevf_clear_event_cause(hdev, clearval);
+
+ switch (event_cause) {
+ case HCLGEVF_VECTOR0_EVENT_RST:
+@@ -2364,10 +2366,8 @@ static irqreturn_t hclgevf_misc_irq_hand
+ break;
+ }
+
+- if (event_cause != HCLGEVF_VECTOR0_EVENT_OTHER) {
+- hclgevf_clear_event_cause(hdev, clearval);
++ if (event_cause != HCLGEVF_VECTOR0_EVENT_OTHER)
+ hclgevf_enable_vector(&hdev->misc_vector, true);
+- }
+
+ return IRQ_HANDLED;
+ }
--- /dev/null
+From d18e81183b1cb9c309266cbbce9acd3e0c528d04 Mon Sep 17 00:00:00 2001
+From: Yufeng Mo <moyufeng@huawei.com>
+Date: Mon, 13 Sep 2021 21:08:21 +0800
+Subject: net: hns3: pad the short tunnel frame before sending to hardware
+
+From: Yufeng Mo <moyufeng@huawei.com>
+
+commit d18e81183b1cb9c309266cbbce9acd3e0c528d04 upstream.
+
+The hardware cannot handle short tunnel frames below 65 bytes,
+and will cause vlan tag missing problem. So pads packet size to
+65 bytes for tunnel frames to fix this bug.
+
+Fixes: 3db084d28dc0("net: hns3: Fix for vxlan tx checksum bug")
+Signed-off-by: Yufeng Mo <moyufeng@huawei.com>
+Signed-off-by: Guangbin Huang <huangguangbin2@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+@@ -60,6 +60,7 @@ MODULE_PARM_DESC(debug, " Network interf
+ #define HNS3_OUTER_VLAN_TAG 2
+
+ #define HNS3_MIN_TX_LEN 33U
++#define HNS3_MIN_TUN_PKT_LEN 65U
+
+ /* hns3_pci_tbl - PCI Device ID Table
+ *
+@@ -913,8 +914,11 @@ static int hns3_set_l2l3l4(struct sk_buf
+ l4.tcp->doff);
+ break;
+ case IPPROTO_UDP:
+- if (hns3_tunnel_csum_bug(skb))
+- return skb_checksum_help(skb);
++ if (hns3_tunnel_csum_bug(skb)) {
++ int ret = skb_put_padto(skb, HNS3_MIN_TUN_PKT_LEN);
++
++ return ret ? ret : skb_checksum_help(skb);
++ }
+
+ hns3_set_field(*type_cs_vlan_tso, HNS3_TXD_L4CS_B, 1);
+ hns3_set_field(*type_cs_vlan_tso, HNS3_TXD_L4T_S,
--- /dev/null
+From b5c102238cea985d8126b173d06b9e1de88037ee Mon Sep 17 00:00:00 2001
+From: Alex Elder <elder@linaro.org>
+Date: Tue, 7 Sep 2021 12:05:54 -0500
+Subject: net: ipa: initialize all filter table slots
+
+From: Alex Elder <elder@linaro.org>
+
+commit b5c102238cea985d8126b173d06b9e1de88037ee upstream.
+
+There is an off-by-one problem in ipa_table_init_add(), when
+initializing filter tables.
+
+In that function, the number of filter table entries is determined
+based on the number of set bits in the filter map. However that
+count does *not* include the extra "slot" in the filter table that
+holds the filter map itself. Meanwhile, ipa_table_addr() *does*
+include the filter map in the memory it returns, but because the
+count it's provided doesn't include it, it includes one too few
+table entries.
+
+Fix this by including the extra slot for the filter map in the count
+computed in ipa_table_init_add().
+
+Note: ipa_filter_reset_table() does not have this problem; it resets
+filter table entries one by one, but does not overwrite the filter
+bitmap.
+
+Fixes: 2b9feef2b6c2 ("soc: qcom: ipa: filter and routing tables")
+Signed-off-by: Alex Elder <elder@linaro.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ipa/ipa_table.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ipa/ipa_table.c
++++ b/drivers/net/ipa/ipa_table.c
+@@ -451,7 +451,8 @@ static void ipa_table_init_add(struct gs
+ * table region determines the number of entries it has.
+ */
+ if (filter) {
+- count = hweight32(ipa->filter_map);
++ /* Include one extra "slot" to hold the filter map itself */
++ count = 1 + hweight32(ipa->filter_map);
+ hash_count = hash_mem->size ? count : 0;
+ } else {
+ count = mem->size / IPA_TABLE_ENTRY_SIZE;
--- /dev/null
+From 9b6ff7eb666415e1558f1ba8a742f5db6a9954de Mon Sep 17 00:00:00 2001
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Date: Thu, 9 Sep 2021 12:32:00 +0800
+Subject: net/l2tp: Fix reference count leak in l2tp_udp_recv_core
+
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+
+commit 9b6ff7eb666415e1558f1ba8a742f5db6a9954de upstream.
+
+The reference count leak issue may take place in an error handling
+path. If both conditions of tunnel->version == L2TP_HDR_VER_3 and the
+return value of l2tp_v3_ensure_opt_in_linear is nonzero, the function
+would directly jump to label invalid, without decrementing the reference
+count of the l2tp_session object session increased earlier by
+l2tp_tunnel_get_session(). This may result in refcount leaks.
+
+Fix this issue by decrease the reference count before jumping to the
+label invalid.
+
+Fixes: 4522a70db7aa ("l2tp: fix reading optional fields of L2TPv3")
+Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Signed-off-by: Xin Xiong <xiongx18@fudan.edu.cn>
+Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/l2tp/l2tp_core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -869,8 +869,10 @@ static int l2tp_udp_recv_core(struct l2t
+ }
+
+ if (tunnel->version == L2TP_HDR_VER_3 &&
+- l2tp_v3_ensure_opt_in_linear(session, skb, &ptr, &optr))
++ l2tp_v3_ensure_opt_in_linear(session, skb, &ptr, &optr)) {
++ l2tp_session_dec_refcount(session);
+ goto invalid;
++ }
+
+ l2tp_recv_common(session, skb, ptr, optr, hdrflags, length);
+ l2tp_session_dec_refcount(session);
--- /dev/null
+From ee27e330a953595903979ffdb84926843595a9fe Mon Sep 17 00:00:00 2001
+From: Maor Gottlieb <maorg@nvidia.com>
+Date: Wed, 1 Sep 2021 11:48:13 +0300
+Subject: net/mlx5: Fix potential sleeping in atomic context
+
+From: Maor Gottlieb <maorg@nvidia.com>
+
+commit ee27e330a953595903979ffdb84926843595a9fe upstream.
+
+Fixes the below flow of sleeping in atomic context by releasing
+the RCU lock before calling to free_match_list.
+
+build_match_list() <- disables preempt
+-> free_match_list()
+ -> tree_put_node()
+ -> down_write_ref_node() <- take write lock
+
+Fixes: 693c6883bbc4 ("net/mlx5: Add hash table for flow groups in flow table")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Maor Gottlieb <maorg@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
+@@ -1675,14 +1675,13 @@ static int build_match_list(struct match
+
+ curr_match = kmalloc(sizeof(*curr_match), GFP_ATOMIC);
+ if (!curr_match) {
++ rcu_read_unlock();
+ free_match_list(match_head, ft_locked);
+- err = -ENOMEM;
+- goto out;
++ return -ENOMEM;
+ }
+ curr_match->g = g;
+ list_add_tail(&curr_match->list, &match_head->list);
+ }
+-out:
+ rcu_read_unlock();
+ return err;
+ }
--- /dev/null
+From dfe6fd72b5f1878b16aa2c8603e031bbcd66b96d Mon Sep 17 00:00:00 2001
+From: Saeed Mahameed <saeedm@nvidia.com>
+Date: Wed, 18 Aug 2021 13:09:26 -0700
+Subject: net/mlx5: FWTrace, cancel work on alloc pd error flow
+
+From: Saeed Mahameed <saeedm@nvidia.com>
+
+commit dfe6fd72b5f1878b16aa2c8603e031bbcd66b96d upstream.
+
+Handle error flow on mlx5_core_alloc_pd() failure,
+read_fw_strings_work must be canceled.
+
+Fixes: c71ad41ccb0c ("net/mlx5: FW tracer, events handling")
+Reported-by: Pavel Machek (CIP) <pavel@denx.de>
+Suggested-by: Pavel Machek (CIP) <pavel@denx.de>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Reviewed-by: Aya Levin <ayal@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
+@@ -1007,7 +1007,7 @@ int mlx5_fw_tracer_init(struct mlx5_fw_t
+ err = mlx5_core_alloc_pd(dev, &tracer->buff.pdn);
+ if (err) {
+ mlx5_core_warn(dev, "FWTracer: Failed to allocate PD %d\n", err);
+- return err;
++ goto err_cancel_work;
+ }
+
+ err = mlx5_fw_tracer_create_mkey(tracer);
+@@ -1031,6 +1031,7 @@ err_notifier_unregister:
+ mlx5_core_destroy_mkey(dev, &tracer->buff.mkey);
+ err_dealloc_pd:
+ mlx5_core_dealloc_pd(dev, tracer->buff.pdn);
++err_cancel_work:
+ cancel_work_sync(&tracer->read_fw_strings_work);
+ return err;
+ }
--- /dev/null
+From 70f437fb4395ad4d1d16fab9a1ad9fbc9fc0579b Mon Sep 17 00:00:00 2001
+From: Keith Busch <kbusch@kernel.org>
+Date: Thu, 9 Sep 2021 08:54:52 -0700
+Subject: nvme-tcp: fix io_work priority inversion
+
+From: Keith Busch <kbusch@kernel.org>
+
+commit 70f437fb4395ad4d1d16fab9a1ad9fbc9fc0579b upstream.
+
+Dispatching requests inline with the .queue_rq() call may block while
+holding the send_mutex. If the tcp io_work also happens to schedule, it
+may see the req_list is non-empty, leaving "pending" true and remaining
+in TASK_RUNNING. Since io_work is of higher scheduling priority, the
+.queue_rq task may not get a chance to run, blocking forward progress
+and leading to io timeouts.
+
+Instead of checking for pending requests within io_work, let the queueing
+restart io_work outside the send_mutex lock if there is more work to be
+done.
+
+Fixes: a0fdd1418007f ("nvme-tcp: rerun io_work if req_list is not empty")
+Reported-by: Samuel Jones <sjones@kalrayinc.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/host/tcp.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+--- a/drivers/nvme/host/tcp.c
++++ b/drivers/nvme/host/tcp.c
+@@ -273,6 +273,12 @@ static inline void nvme_tcp_send_all(str
+ } while (ret > 0);
+ }
+
++static inline bool nvme_tcp_queue_more(struct nvme_tcp_queue *queue)
++{
++ return !list_empty(&queue->send_list) ||
++ !llist_empty(&queue->req_list) || queue->more_requests;
++}
++
+ static inline void nvme_tcp_queue_request(struct nvme_tcp_request *req,
+ bool sync, bool last)
+ {
+@@ -293,9 +299,10 @@ static inline void nvme_tcp_queue_reques
+ nvme_tcp_send_all(queue);
+ queue->more_requests = false;
+ mutex_unlock(&queue->send_mutex);
+- } else if (last) {
+- queue_work_on(queue->io_cpu, nvme_tcp_wq, &queue->io_work);
+ }
++
++ if (last && nvme_tcp_queue_more(queue))
++ queue_work_on(queue->io_cpu, nvme_tcp_wq, &queue->io_work);
+ }
+
+ static void nvme_tcp_process_req_list(struct nvme_tcp_queue *queue)
+@@ -890,12 +897,6 @@ done:
+ read_unlock_bh(&sk->sk_callback_lock);
+ }
+
+-static inline bool nvme_tcp_queue_more(struct nvme_tcp_queue *queue)
+-{
+- return !list_empty(&queue->send_list) ||
+- !llist_empty(&queue->req_list) || queue->more_requests;
+-}
+-
+ static inline void nvme_tcp_done_send_req(struct nvme_tcp_queue *queue)
+ {
+ queue->request = NULL;
+@@ -1132,8 +1133,7 @@ static void nvme_tcp_io_work(struct work
+ pending = true;
+ else if (unlikely(result < 0))
+ break;
+- } else
+- pending = !llist_empty(&queue->req_list);
++ }
+
+ result = nvme_tcp_try_recv(queue);
+ if (result > 0)
--- /dev/null
+From 57f0ff059e3daa4e70a811cb1d31a49968262d20 Mon Sep 17 00:00:00 2001
+From: Michael Petlan <mpetlan@redhat.com>
+Date: Mon, 19 Jul 2021 16:53:32 +0200
+Subject: perf machine: Initialize srcline string member in add_location struct
+
+From: Michael Petlan <mpetlan@redhat.com>
+
+commit 57f0ff059e3daa4e70a811cb1d31a49968262d20 upstream.
+
+It's later supposed to be either a correct address or NULL. Without the
+initialization, it may contain an undefined value which results in the
+following segmentation fault:
+
+ # perf top --sort comm -g --ignore-callees=do_idle
+
+terminates with:
+
+ #0 0x00007ffff56b7685 in __strlen_avx2 () from /lib64/libc.so.6
+ #1 0x00007ffff55e3802 in strdup () from /lib64/libc.so.6
+ #2 0x00005555558cb139 in hist_entry__init (callchain_size=<optimized out>, sample_self=true, template=0x7fffde7fb110, he=0x7fffd801c250) at util/hist.c:489
+ #3 hist_entry__new (template=template@entry=0x7fffde7fb110, sample_self=sample_self@entry=true) at util/hist.c:564
+ #4 0x00005555558cb4ba in hists__findnew_entry (hists=hists@entry=0x5555561d9e38, entry=entry@entry=0x7fffde7fb110, al=al@entry=0x7fffde7fb420,
+ sample_self=sample_self@entry=true) at util/hist.c:657
+ #5 0x00005555558cba1b in __hists__add_entry (hists=hists@entry=0x5555561d9e38, al=0x7fffde7fb420, sym_parent=<optimized out>, bi=bi@entry=0x0, mi=mi@entry=0x0,
+ sample=sample@entry=0x7fffde7fb4b0, sample_self=true, ops=0x0, block_info=0x0) at util/hist.c:288
+ #6 0x00005555558cbb70 in hists__add_entry (sample_self=true, sample=0x7fffde7fb4b0, mi=0x0, bi=0x0, sym_parent=<optimized out>, al=<optimized out>, hists=0x5555561d9e38)
+ at util/hist.c:1056
+ #7 iter_add_single_cumulative_entry (iter=0x7fffde7fb460, al=<optimized out>) at util/hist.c:1056
+ #8 0x00005555558cc8a4 in hist_entry_iter__add (iter=iter@entry=0x7fffde7fb460, al=al@entry=0x7fffde7fb420, max_stack_depth=<optimized out>, arg=arg@entry=0x7fffffff7db0)
+ at util/hist.c:1231
+ #9 0x00005555557cdc9a in perf_event__process_sample (machine=<optimized out>, sample=0x7fffde7fb4b0, evsel=<optimized out>, event=<optimized out>, tool=0x7fffffff7db0)
+ at builtin-top.c:842
+ #10 deliver_event (qe=<optimized out>, qevent=<optimized out>) at builtin-top.c:1202
+ #11 0x00005555558a9318 in do_flush (show_progress=false, oe=0x7fffffff80e0) at util/ordered-events.c:244
+ #12 __ordered_events__flush (oe=oe@entry=0x7fffffff80e0, how=how@entry=OE_FLUSH__TOP, timestamp=timestamp@entry=0) at util/ordered-events.c:323
+ #13 0x00005555558a9789 in __ordered_events__flush (timestamp=<optimized out>, how=<optimized out>, oe=<optimized out>) at util/ordered-events.c:339
+ #14 ordered_events__flush (how=OE_FLUSH__TOP, oe=0x7fffffff80e0) at util/ordered-events.c:341
+ #15 ordered_events__flush (oe=oe@entry=0x7fffffff80e0, how=how@entry=OE_FLUSH__TOP) at util/ordered-events.c:339
+ #16 0x00005555557cd631 in process_thread (arg=0x7fffffff7db0) at builtin-top.c:1114
+ #17 0x00007ffff7bb817a in start_thread () from /lib64/libpthread.so.0
+ #18 0x00007ffff5656dc3 in clone () from /lib64/libc.so.6
+
+If you look at the frame #2, the code is:
+
+488 if (he->srcline) {
+489 he->srcline = strdup(he->srcline);
+490 if (he->srcline == NULL)
+491 goto err_rawdata;
+492 }
+
+If he->srcline is not NULL (it is not NULL if it is uninitialized rubbish),
+it gets strdupped and strdupping a rubbish random string causes the problem.
+
+Also, if you look at the commit 1fb7d06a509e, it adds the srcline property
+into the struct, but not initializing it everywhere needed.
+
+Committer notes:
+
+Now I see, when using --ignore-callees=do_idle we end up here at line
+2189 in add_callchain_ip():
+
+2181 if (al.sym != NULL) {
+2182 if (perf_hpp_list.parent && !*parent &&
+2183 symbol__match_regex(al.sym, &parent_regex))
+2184 *parent = al.sym;
+2185 else if (have_ignore_callees && root_al &&
+2186 symbol__match_regex(al.sym, &ignore_callees_regex)) {
+2187 /* Treat this symbol as the root,
+2188 forgetting its callees. */
+2189 *root_al = al;
+2190 callchain_cursor_reset(cursor);
+2191 }
+2192 }
+
+And the al that doesn't have the ->srcline field initialized will be
+copied to the root_al, so then, back to:
+
+1211 int hist_entry_iter__add(struct hist_entry_iter *iter, struct addr_location *al,
+1212 int max_stack_depth, void *arg)
+1213 {
+1214 int err, err2;
+1215 struct map *alm = NULL;
+1216
+1217 if (al)
+1218 alm = map__get(al->map);
+1219
+1220 err = sample__resolve_callchain(iter->sample, &callchain_cursor, &iter->parent,
+1221 iter->evsel, al, max_stack_depth);
+1222 if (err) {
+1223 map__put(alm);
+1224 return err;
+1225 }
+1226
+1227 err = iter->ops->prepare_entry(iter, al);
+1228 if (err)
+1229 goto out;
+1230
+1231 err = iter->ops->add_single_entry(iter, al);
+1232 if (err)
+1233 goto out;
+1234
+
+That al at line 1221 is what hist_entry_iter__add() (called from
+sample__resolve_callchain()) saw as 'root_al', and then:
+
+ iter->ops->add_single_entry(iter, al);
+
+will go on with al->srcline with a bogus value, I'll add the above
+sequence to the cset and apply, thanks!
+
+Signed-off-by: Michael Petlan <mpetlan@redhat.com>
+CC: Milian Wolff <milian.wolff@kdab.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Fixes: 1fb7d06a509e ("perf report Use srcline from callchain for hist entries")
+Link: https //lore.kernel.org/r/20210719145332.29747-1-mpetlan@redhat.com
+Reported-by: Juri Lelli <jlelli@redhat.com>
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/machine.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/tools/perf/util/machine.c
++++ b/tools/perf/util/machine.c
+@@ -2100,6 +2100,7 @@ static int add_callchain_ip(struct threa
+
+ al.filtered = 0;
+ al.sym = NULL;
++ al.srcline = NULL;
+ if (!cpumode) {
+ thread__find_cpumode_addr_location(thread, ip, &al);
+ } else {
--- /dev/null
+From 7366c23ff492ad260776a3ee1aaabba9fc773a8b Mon Sep 17 00:00:00 2001
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Mon, 13 Sep 2021 15:06:05 -0700
+Subject: ptp: dp83640: don't define PAGE0
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+commit 7366c23ff492ad260776a3ee1aaabba9fc773a8b upstream.
+
+Building dp83640.c on arch/parisc/ produces a build warning for
+PAGE0 being redefined. Since the macro is not used in the dp83640
+driver, just make it a comment for documentation purposes.
+
+In file included from ../drivers/net/phy/dp83640.c:23:
+../drivers/net/phy/dp83640_reg.h:8: warning: "PAGE0" redefined
+ 8 | #define PAGE0 0x0000
+ from ../drivers/net/phy/dp83640.c:11:
+../arch/parisc/include/asm/page.h:187: note: this is the location of the previous definition
+ 187 | #define PAGE0 ((struct zeropage *)__PAGE_OFFSET)
+
+Fixes: cb646e2b02b2 ("ptp: Added a clock driver for the National Semiconductor PHYTER.")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Cc: Richard Cochran <richard.cochran@omicron.at>
+Cc: John Stultz <john.stultz@linaro.org>
+Cc: Heiner Kallweit <hkallweit1@gmail.com>
+Cc: Russell King <linux@armlinux.org.uk>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://lore.kernel.org/r/20210913220605.19682-1-rdunlap@infradead.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/dp83640_reg.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/phy/dp83640_reg.h
++++ b/drivers/net/phy/dp83640_reg.h
+@@ -5,7 +5,7 @@
+ #ifndef HAVE_DP83640_REGISTERS
+ #define HAVE_DP83640_REGISTERS
+
+-#define PAGE0 0x0000
++/* #define PAGE0 0x0000 */
+ #define PHYCR2 0x001c /* PHY Control Register 2 */
+
+ #define PAGE4 0x0004
--- /dev/null
+From 20e100f52730cd0db609e559799c1712b5f27582 Mon Sep 17 00:00:00 2001
+From: Shai Malin <smalin@marvell.com>
+Date: Fri, 10 Sep 2021 11:33:56 +0300
+Subject: qed: Handle management FW error
+
+From: Shai Malin <smalin@marvell.com>
+
+commit 20e100f52730cd0db609e559799c1712b5f27582 upstream.
+
+Handle MFW (management FW) error response in order to avoid a crash
+during recovery flows.
+
+Changes from v1:
+- Add "Fixes tag".
+
+Fixes: tag 5e7ba042fd05 ("qed: Fix reading stale configuration information")
+Signed-off-by: Ariel Elior <aelior@marvell.com>
+Signed-off-by: Shai Malin <smalin@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_mcp.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/qlogic/qed/qed_mcp.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_mcp.c
+@@ -3376,6 +3376,7 @@ qed_mcp_get_nvm_image_att(struct qed_hwf
+ struct qed_nvm_image_att *p_image_att)
+ {
+ enum nvm_image_type type;
++ int rc;
+ u32 i;
+
+ /* Translate image_id into MFW definitions */
+@@ -3404,7 +3405,10 @@ qed_mcp_get_nvm_image_att(struct qed_hwf
+ return -EINVAL;
+ }
+
+- qed_mcp_nvm_info_populate(p_hwfn);
++ rc = qed_mcp_nvm_info_populate(p_hwfn);
++ if (rc)
++ return rc;
++
+ for (i = 0; i < p_hwfn->nvm_info.num_images; i++)
+ if (type == p_hwfn->nvm_info.image_att[i].image_type)
+ break;
--- /dev/null
+From e3f0cc1a945fcefec0c7c9d9dfd028a51daa1846 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Thu, 9 Sep 2021 10:33:28 -0700
+Subject: r6040: Restore MDIO clock frequency after MAC reset
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+commit e3f0cc1a945fcefec0c7c9d9dfd028a51daa1846 upstream.
+
+A number of users have reported that they were not able to get the PHY
+to successfully link up, especially after commit c36757eb9dee ("net:
+phy: consider AN_RESTART status when reading link status") where we
+stopped reading just BMSR, but we also read BMCR to determine the link
+status.
+
+Andrius at NetBSD did a wonderful job at debugging the problem
+and found out that the MDIO bus clock frequency would be incorrectly set
+back to its default value which would prevent the MDIO bus controller
+from reading PHY registers properly. Back when we only read BMSR, if we
+read all 1s, we could falsely indicate a link status, though in general
+there is a cable plugged in, so this went unnoticed. After a second read
+of BMCR was added, a wrong read will lead to the inability to determine
+a link UP condition which is when it started to be visibly broken, even
+if it was long before that.
+
+The fix consists in restoring the value of the MD_CSR register that was
+set prior to the MAC reset.
+
+Link: http://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=53494
+Fixes: 90f750a81a29 ("r6040: consolidate MAC reset to its own function")
+Reported-by: Andrius V <vezhlys@gmail.com>
+Reported-by: Darek Strugacz <darek.strugacz@op.pl>
+Tested-by: Darek Strugacz <darek.strugacz@op.pl>
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/rdc/r6040.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/rdc/r6040.c
++++ b/drivers/net/ethernet/rdc/r6040.c
+@@ -119,6 +119,8 @@
+ #define PHY_ST 0x8A /* PHY status register */
+ #define MAC_SM 0xAC /* MAC status machine */
+ #define MAC_SM_RST 0x0002 /* MAC status machine reset */
++#define MD_CSC 0xb6 /* MDC speed control register */
++#define MD_CSC_DEFAULT 0x0030
+ #define MAC_ID 0xBE /* Identifier register */
+
+ #define TX_DCNT 0x80 /* TX descriptor count */
+@@ -355,8 +357,9 @@ static void r6040_reset_mac(struct r6040
+ {
+ void __iomem *ioaddr = lp->base;
+ int limit = MAC_DEF_TIMEOUT;
+- u16 cmd;
++ u16 cmd, md_csc;
+
++ md_csc = ioread16(ioaddr + MD_CSC);
+ iowrite16(MAC_RST, ioaddr + MCR1);
+ while (limit--) {
+ cmd = ioread16(ioaddr + MCR1);
+@@ -368,6 +371,10 @@ static void r6040_reset_mac(struct r6040
+ iowrite16(MAC_SM_RST, ioaddr + MAC_SM);
+ iowrite16(0, ioaddr + MAC_SM);
+ mdelay(5);
++
++ /* Restore MDIO clock frequency */
++ if (md_csc != MD_CSC_DEFAULT)
++ iowrite16(md_csc, ioaddr + MD_CSC);
+ }
+
+ static void r6040_init_mac_regs(struct net_device *dev)
--- /dev/null
+From d7807a9adf4856171f8441f13078c33941df48ab Mon Sep 17 00:00:00 2001
+From: Yajun Deng <yajun.deng@linux.dev>
+Date: Mon, 13 Sep 2021 12:04:42 +0800
+Subject: Revert "ipv4: fix memory leaks in ip_cmsg_send() callers"
+
+From: Yajun Deng <yajun.deng@linux.dev>
+
+commit d7807a9adf4856171f8441f13078c33941df48ab upstream.
+
+This reverts commit 919483096bfe75dda338e98d56da91a263746a0a.
+
+There is only when ip_options_get() return zero need to free.
+It already called kfree() when return error.
+
+Fixes: 919483096bfe ("ipv4: fix memory leaks in ip_cmsg_send() callers")
+Signed-off-by: Yajun Deng <yajun.deng@linux.dev>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_sockglue.c | 2 +-
+ net/ipv4/ping.c | 5 ++---
+ net/ipv4/raw.c | 5 ++---
+ net/ipv4/udp.c | 5 ++---
+ 4 files changed, 7 insertions(+), 10 deletions(-)
+
+--- a/net/ipv4/ip_sockglue.c
++++ b/net/ipv4/ip_sockglue.c
+@@ -279,7 +279,7 @@ int ip_cmsg_send(struct sock *sk, struct
+ case IP_RETOPTS:
+ err = cmsg->cmsg_len - sizeof(struct cmsghdr);
+
+- /* Our caller is responsible for freeing ipc->opt */
++ /* Our caller is responsible for freeing ipc->opt when err = 0 */
+ err = ip_options_get(net, &ipc->opt,
+ KERNEL_SOCKPTR(CMSG_DATA(cmsg)),
+ err < 40 ? err : 40);
+--- a/net/ipv4/ping.c
++++ b/net/ipv4/ping.c
+@@ -725,10 +725,9 @@ static int ping_v4_sendmsg(struct sock *
+
+ if (msg->msg_controllen) {
+ err = ip_cmsg_send(sk, msg, &ipc, false);
+- if (unlikely(err)) {
+- kfree(ipc.opt);
++ if (unlikely(err))
+ return err;
+- }
++
+ if (ipc.opt)
+ free = 1;
+ }
+--- a/net/ipv4/raw.c
++++ b/net/ipv4/raw.c
+@@ -562,10 +562,9 @@ static int raw_sendmsg(struct sock *sk,
+
+ if (msg->msg_controllen) {
+ err = ip_cmsg_send(sk, msg, &ipc, false);
+- if (unlikely(err)) {
+- kfree(ipc.opt);
++ if (unlikely(err))
+ goto out;
+- }
++
+ if (ipc.opt)
+ free = 1;
+ }
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -1104,10 +1104,9 @@ int udp_sendmsg(struct sock *sk, struct
+ if (err > 0)
+ err = ip_cmsg_send(sk, msg, &ipc,
+ sk->sk_family == AF_INET6);
+- if (unlikely(err < 0)) {
+- kfree(ipc.opt);
++ if (unlikely(err < 0))
+ return err;
+- }
++
+ if (ipc.opt)
+ free = 1;
+ connected = 0;
--- /dev/null
+From 1b704b27beb11ce147d64b21c914e57afbfb5656 Mon Sep 17 00:00:00 2001
+From: Andrea Claudi <aclaudi@redhat.com>
+Date: Sat, 11 Sep 2021 16:14:18 +0200
+Subject: selftest: net: fix typo in altname test
+
+From: Andrea Claudi <aclaudi@redhat.com>
+
+commit 1b704b27beb11ce147d64b21c914e57afbfb5656 upstream.
+
+If altname deletion of the short alternative name fails, the error
+message printed is: "Failed to add short alternative name".
+This is obviously a typo, as we are testing altname deletion.
+
+Fix this using a proper error message.
+
+Fixes: f95e6c9c4617 ("selftest: net: add alternative names test")
+Signed-off-by: Andrea Claudi <aclaudi@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/altnames.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/net/altnames.sh
++++ b/tools/testing/selftests/net/altnames.sh
+@@ -45,7 +45,7 @@ altnames_test()
+ check_err $? "Got unexpected long alternative name from link show JSON"
+
+ ip link property del $DUMMY_DEV altname $SHORT_NAME
+- check_err $? "Failed to add short alternative name"
++ check_err $? "Failed to delete short alternative name"
+
+ ip -j -p link show $SHORT_NAME &>/dev/null
+ check_fail $? "Unexpected success while trying to do link show with deleted short alternative name"
tipc-fix-an-use-after-free-issue-in-tipc_recvmsg.patch
ethtool-fix-rxnfc-copy-to-user-buffer-overflow.patch
net-mlx5-nfp-bnxt-remove-unnecessary-rtnl-lock-assert.patch
+net-caif-avoid-user-triggerable-warn_on-1.patch
+ptp-dp83640-don-t-define-page0.patch
+dccp-don-t-duplicate-ccid-when-cloning-dccp-sock.patch
+net-l2tp-fix-reference-count-leak-in-l2tp_udp_recv_core.patch
+r6040-restore-mdio-clock-frequency-after-mac-reset.patch
+tipc-increase-timeout-in-tipc_sk_enqueue.patch
+drm-rockchip-cdn-dp-core-make-cdn_dp_core_resume-__maybe_unused.patch
+perf-machine-initialize-srcline-string-member-in-add_location-struct.patch
+net-mlx5-fwtrace-cancel-work-on-alloc-pd-error-flow.patch
+net-mlx5-fix-potential-sleeping-in-atomic-context.patch
+nvme-tcp-fix-io_work-priority-inversion.patch
+events-reuse-value-read-using-read_once-instead-of-re-reading-it.patch
+net-ipa-initialize-all-filter-table-slots.patch
+gen_compile_commands-fix-missing-sys-package.patch
+vhost_net-fix-oob-on-sendmsg-failure.patch
+net-af_unix-fix-a-data-race-in-unix_dgram_poll.patch
+net-dsa-destroy-the-phylink-instance-on-any-error-in-dsa_slave_phy_setup.patch
+revert-ipv4-fix-memory-leaks-in-ip_cmsg_send-callers.patch
+x86-uaccess-fix-32-bit-__get_user_asm_u64-when-cc_has_asm_goto_output-y.patch
+tcp-fix-tp-undo_retrans-accounting-in-tcp_sacktag_one.patch
+selftest-net-fix-typo-in-altname-test.patch
+qed-handle-management-fw-error.patch
+udp_tunnel-fix-udp_tunnel_nic-work-queue-type.patch
+dt-bindings-arm-fix-toradex-compatible-typo.patch
+ibmvnic-check-failover_pending-in-login-response.patch
+kvm-ppc-book3s-hv-tolerate-treclaim.-in-fake-suspend-mode-changing-registers.patch
+bnxt_en-make-bnxt_free_skbs-safe-to-call-after-bnxt_free_mem.patch
+net-hns3-pad-the-short-tunnel-frame-before-sending-to-hardware.patch
+net-hns3-change-affinity_mask-to-numa-node-range.patch
+net-hns3-disable-mac-in-flr-process.patch
+net-hns3-fix-the-timing-issue-of-vf-clearing-interrupt-sources.patch
--- /dev/null
+From 4f884f3962767877d7aabbc1ec124d2c307a4257 Mon Sep 17 00:00:00 2001
+From: zhenggy <zhenggy@chinatelecom.cn>
+Date: Tue, 14 Sep 2021 09:51:15 +0800
+Subject: tcp: fix tp->undo_retrans accounting in tcp_sacktag_one()
+
+From: zhenggy <zhenggy@chinatelecom.cn>
+
+commit 4f884f3962767877d7aabbc1ec124d2c307a4257 upstream.
+
+Commit 10d3be569243 ("tcp-tso: do not split TSO packets at retransmit
+time") may directly retrans a multiple segments TSO/GSO packet without
+split, Since this commit, we can no longer assume that a retransmitted
+packet is a single segment.
+
+This patch fixes the tp->undo_retrans accounting in tcp_sacktag_one()
+that use the actual segments(pcount) of the retransmitted packet.
+
+Before that commit (10d3be569243), the assumption underlying the
+tp->undo_retrans-- seems correct.
+
+Fixes: 10d3be569243 ("tcp-tso: do not split TSO packets at retransmit time")
+Signed-off-by: zhenggy <zhenggy@chinatelecom.cn>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Yuchung Cheng <ycheng@google.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_input.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -1314,7 +1314,7 @@ static u8 tcp_sacktag_one(struct sock *s
+ if (dup_sack && (sacked & TCPCB_RETRANS)) {
+ if (tp->undo_marker && tp->undo_retrans > 0 &&
+ after(end_seq, tp->undo_marker))
+- tp->undo_retrans--;
++ tp->undo_retrans = max_t(int, 0, tp->undo_retrans - pcount);
+ if ((sacked & TCPCB_SACKED_ACKED) &&
+ before(start_seq, state->reord))
+ state->reord = start_seq;
--- /dev/null
+From f4bb62e64c88c93060c051195d3bbba804e56945 Mon Sep 17 00:00:00 2001
+From: Hoang Le <hoang.h.le@dektech.com.au>
+Date: Mon, 13 Sep 2021 16:28:52 +0700
+Subject: tipc: increase timeout in tipc_sk_enqueue()
+
+From: Hoang Le <hoang.h.le@dektech.com.au>
+
+commit f4bb62e64c88c93060c051195d3bbba804e56945 upstream.
+
+In tipc_sk_enqueue() we use hardcoded 2 jiffies to extract
+socket buffer from generic queue to particular socket.
+The 2 jiffies is too short in case there are other high priority
+tasks get CPU cycles for multiple jiffies update. As result, no
+buffer could be enqueued to particular socket.
+
+To solve this, we switch to use constant timeout 20msecs.
+Then, the function will be expired between 2 jiffies (CONFIG_100HZ)
+and 20 jiffies (CONFIG_1000HZ).
+
+Fixes: c637c1035534 ("tipc: resolve race problem at unicast message reception")
+Acked-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Hoang Le <hoang.h.le@dektech.com.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/socket.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -2422,7 +2422,7 @@ static int tipc_sk_backlog_rcv(struct so
+ static void tipc_sk_enqueue(struct sk_buff_head *inputq, struct sock *sk,
+ u32 dport, struct sk_buff_head *xmitq)
+ {
+- unsigned long time_limit = jiffies + 2;
++ unsigned long time_limit = jiffies + usecs_to_jiffies(20000);
+ struct sk_buff *skb;
+ unsigned int lim;
+ atomic_t *dcnt;
--- /dev/null
+From e50e711351bdc656a8e6ca1022b4293cae8dcd59 Mon Sep 17 00:00:00 2001
+From: Aya Levin <ayal@nvidia.com>
+Date: Mon, 13 Sep 2021 10:53:49 +0300
+Subject: udp_tunnel: Fix udp_tunnel_nic work-queue type
+
+From: Aya Levin <ayal@nvidia.com>
+
+commit e50e711351bdc656a8e6ca1022b4293cae8dcd59 upstream.
+
+Turn udp_tunnel_nic work-queue to an ordered work-queue. This queue
+holds the UDP-tunnel configuration commands of the different netdevs.
+When the netdevs are functions of the same NIC the order of
+execution may be crucial.
+
+Problem example:
+NIC with 2 PFs, both PFs declare offload quota of up to 3 UDP-ports.
+ $ifconfig eth2 1.1.1.1/16 up
+
+ $ip link add eth2_19503 type vxlan id 5049 remote 1.1.1.2 dev eth2 dstport 19053
+ $ip link set dev eth2_19503 up
+
+ $ip link add eth2_19504 type vxlan id 5049 remote 1.1.1.3 dev eth2 dstport 19054
+ $ip link set dev eth2_19504 up
+
+ $ip link add eth2_19505 type vxlan id 5049 remote 1.1.1.4 dev eth2 dstport 19055
+ $ip link set dev eth2_19505 up
+
+ $ip link add eth2_19506 type vxlan id 5049 remote 1.1.1.5 dev eth2 dstport 19056
+ $ip link set dev eth2_19506 up
+
+NIC RX port offload infrastructure offloads the first 3 UDP-ports (on
+all devices which sets NETIF_F_RX_UDP_TUNNEL_PORT feature) and not
+UDP-port 19056. So both PFs gets this offload configuration.
+
+ $ip link set dev eth2_19504 down
+
+This triggers udp-tunnel-core to remove the UDP-port 19504 from
+offload-ports-list and offload UDP-port 19056 instead.
+
+In this scenario it is important that the UDP-port of 19504 will be
+removed from both PFs before trying to add UDP-port 19056. The NIC can
+stop offloading a UDP-port only when all references are removed.
+Otherwise the NIC may report exceeding of the offload quota.
+
+Fixes: cc4e3835eff4 ("udp_tunnel: add central NIC RX port offload infrastructure")
+Signed-off-by: Aya Levin <ayal@nvidia.com>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/udp_tunnel_nic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/udp_tunnel_nic.c
++++ b/net/ipv4/udp_tunnel_nic.c
+@@ -935,7 +935,7 @@ static int __init udp_tunnel_nic_init_mo
+ {
+ int err;
+
+- udp_tunnel_nic_workqueue = alloc_workqueue("udp_tunnel_nic", 0, 0);
++ udp_tunnel_nic_workqueue = alloc_ordered_workqueue("udp_tunnel_nic", 0);
+ if (!udp_tunnel_nic_workqueue)
+ return -ENOMEM;
+
--- /dev/null
+From 3c4cea8fa7f71f00c5279547043a84bc2a4d8b8c Mon Sep 17 00:00:00 2001
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Wed, 8 Sep 2021 13:42:09 +0200
+Subject: vhost_net: fix OoB on sendmsg() failure.
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+commit 3c4cea8fa7f71f00c5279547043a84bc2a4d8b8c upstream.
+
+If the sendmsg() call in vhost_tx_batch() fails, both the 'batched_xdp'
+and 'done_idx' indexes are left unchanged. If such failure happens
+when batched_xdp == VHOST_NET_BATCH, the next call to
+vhost_net_build_xdp() will access and write memory outside the xdp
+buffers area.
+
+Since sendmsg() can only error with EBADFD, this change addresses the
+issue explicitly freeing the XDP buffers batch on error.
+
+Fixes: 0a0be13b8fe2 ("vhost_net: batch submitting XDP buffers to underlayer sockets")
+Suggested-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vhost/net.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/vhost/net.c
++++ b/drivers/vhost/net.c
+@@ -466,7 +466,7 @@ static void vhost_tx_batch(struct vhost_
+ .num = nvq->batched_xdp,
+ .ptr = nvq->xdp,
+ };
+- int err;
++ int i, err;
+
+ if (nvq->batched_xdp == 0)
+ goto signal_used;
+@@ -475,6 +475,15 @@ static void vhost_tx_batch(struct vhost_
+ err = sock->ops->sendmsg(sock, msghdr, 0);
+ if (unlikely(err < 0)) {
+ vq_err(&nvq->vq, "Fail to batch sending packets\n");
++
++ /* free pages owned by XDP; since this is an unlikely error path,
++ * keep it simple and avoid more complex bulk update for the
++ * used pages
++ */
++ for (i = 0; i < nvq->batched_xdp; ++i)
++ put_page(virt_to_head_page(nvq->xdp[i].data));
++ nvq->batched_xdp = 0;
++ nvq->done_idx = 0;
+ return;
+ }
+
--- /dev/null
+From a69ae291e1cc2d08ae77c2029579c59c9bde5061 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will@kernel.org>
+Date: Mon, 13 Sep 2021 17:35:47 +0100
+Subject: x86/uaccess: Fix 32-bit __get_user_asm_u64() when CC_HAS_ASM_GOTO_OUTPUT=y
+
+From: Will Deacon <will@kernel.org>
+
+commit a69ae291e1cc2d08ae77c2029579c59c9bde5061 upstream.
+
+Commit 865c50e1d279 ("x86/uaccess: utilize CONFIG_CC_HAS_ASM_GOTO_OUTPUT")
+added an optimised version of __get_user_asm() for x86 using 'asm goto'.
+
+Like the non-optimised code, the 32-bit implementation of 64-bit
+get_user() expands to a pair of 32-bit accesses. Unlike the
+non-optimised code, the _original_ pointer is incremented to copy the
+high word instead of loading through a new pointer explicitly
+constructed to point at a 32-bit type. Consequently, if the pointer
+points at a 64-bit type then we end up loading the wrong data for the
+upper 32-bits.
+
+This was observed as a mount() failure in Android targeting i686 after
+b0cfcdd9b967 ("d_path: make 'prepend()' fill up the buffer exactly on
+overflow") because the call to copy_from_kernel_nofault() from
+prepend_copy() ends up in __get_kernel_nofault() and casts the source
+pointer to a 'u64 __user *'. An attempt to mount at "/debug_ramdisk"
+therefore ends up failing trying to mount "/debumdismdisk".
+
+Use the existing '__gu_ptr' source pointer to unsigned int for 32-bit
+__get_user_asm_u64() instead of the original pointer.
+
+Cc: Bill Wendling <morbo@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Reported-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Fixes: 865c50e1d279 ("x86/uaccess: utilize CONFIG_CC_HAS_ASM_GOTO_OUTPUT")
+Signed-off-by: Will Deacon <will@kernel.org>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Tested-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/uaccess.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/include/asm/uaccess.h
++++ b/arch/x86/include/asm/uaccess.h
+@@ -301,8 +301,8 @@ do { \
+ unsigned int __gu_low, __gu_high; \
+ const unsigned int __user *__gu_ptr; \
+ __gu_ptr = (const void __user *)(ptr); \
+- __get_user_asm(__gu_low, ptr, "l", "=r", label); \
+- __get_user_asm(__gu_high, ptr+1, "l", "=r", label); \
++ __get_user_asm(__gu_low, __gu_ptr, "l", "=r", label); \
++ __get_user_asm(__gu_high, __gu_ptr+1, "l", "=r", label); \
+ (x) = ((unsigned long long)__gu_high << 32) | __gu_low; \
+ } while (0)
+ #else
projects / thirdparty / kernel / stable-queue.git / commitdiff
