5.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 22 Aug 2022 08:56:30 +0000 (10:56 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 22 Aug 2022 08:56:30 +0000 (10:56 +0200)
added patches:
acpi-property-return-type-of-acpi_add_nondev_subnodes-should-be-bool.patch
alsa-usb-audio-more-comprehensive-mixer-map-for-asus-rog-zenith-ii.patch
apparmor-fix-aa_label_asxprint-return-check.patch
apparmor-fix-absroot-causing-audited-secids-to-begin-with.patch
apparmor-fix-failed-mount-permission-check-error-message.patch
apparmor-fix-memleak-in-aa_simple_write_to_buffer.patch
apparmor-fix-overlapping-attachment-computation.patch
apparmor-fix-quiet_denied-for-file-rules.patch
apparmor-fix-reference-count-leak-in-aa_pivotroot.patch
apparmor-fix-setting-unconfined-mode-on-a-loaded-profile.patch
bpf-acquire-map-uref-in-.init_seq_private-for-array-map-iterator.patch
bpf-acquire-map-uref-in-.init_seq_private-for-hash-map-iterator.patch
bpf-acquire-map-uref-in-.init_seq_private-for-sock-local-storage-map-iterator.patch
bpf-acquire-map-uref-in-.init_seq_private-for-sock-map-hash-iterator.patch
bpf-check-the-validity-of-max_rdwr_access-for-sock-local-storage-map-iterator.patch
can-ems_usb-fix-clang-s-wunaligned-access-warning.patch
can-mcp251x-fix-race-condition-on-receive-interrupt.patch
devlink-fix-use-after-free-after-a-failed-reload.patch
documentation-acpi-einj-fix-obsolete-example.patch
geneve-do-not-use-rt_tos-for-ipv6-flowlabel.patch
ipv6-do-not-use-rt_tos-for-ipv6-flowlabel.patch
net-atlantic-fix-aq_vec-index-out-of-range-error.patch
net-bgmac-fix-a-bug-triggered-by-wrong-bytes_compl.patch
nfsv4-fix-races-in-the-legacy-idmapper-upcall.patch
nfsv4-pnfs-fix-a-use-after-free-bug-in-open.patch
nfsv4.1-don-t-decrease-the-value-of-seq_nr_highest_sent.patch
nfsv4.1-handle-nfs4err_delay-replies-to-op_sequence-correctly.patch
nfsv4.1-reclaim_complete-must-handle-eacces.patch
pinctrl-nomadik-fix-refcount-leak-in-nmk_pinctrl_dt_subnode_to_map.patch
pinctrl-qcom-msm8916-allow-camss-gp-clocks-to-be-muxed.patch
pinctrl-qcom-sm8250-fix-pdc-map.patch
pinctrl-sunxi-add-i-o-bias-setting-for-h6-r-pio.patch
plip-avoid-rcu-debug-splat.patch
sunrpc-fix-expiry-of-auth-creds.patch
sunrpc-reinitialise-the-backchannel-request-buffers-before-reuse.patch
um-add-missing-apply_returns.patch
virtio_net-fix-memory-leak-inside-xpd_tx-with-mergeable.patch
vsock-fix-memory-leak-in-vsock_connect.patch
vsock-set-socket-state-back-to-ss_unconnected-in-vsock_connect_timeout.patch

40 files changed:
queue-5.10/acpi-property-return-type-of-acpi_add_nondev_subnodes-should-be-bool.patch [new file with mode: 0644]
queue-5.10/alsa-usb-audio-more-comprehensive-mixer-map-for-asus-rog-zenith-ii.patch [new file with mode: 0644]
queue-5.10/apparmor-fix-aa_label_asxprint-return-check.patch [new file with mode: 0644]
queue-5.10/apparmor-fix-absroot-causing-audited-secids-to-begin-with.patch [new file with mode: 0644]
queue-5.10/apparmor-fix-failed-mount-permission-check-error-message.patch [new file with mode: 0644]
queue-5.10/apparmor-fix-memleak-in-aa_simple_write_to_buffer.patch [new file with mode: 0644]
queue-5.10/apparmor-fix-overlapping-attachment-computation.patch [new file with mode: 0644]
queue-5.10/apparmor-fix-quiet_denied-for-file-rules.patch [new file with mode: 0644]
queue-5.10/apparmor-fix-reference-count-leak-in-aa_pivotroot.patch [new file with mode: 0644]
queue-5.10/apparmor-fix-setting-unconfined-mode-on-a-loaded-profile.patch [new file with mode: 0644]
queue-5.10/bpf-acquire-map-uref-in-.init_seq_private-for-array-map-iterator.patch [new file with mode: 0644]
queue-5.10/bpf-acquire-map-uref-in-.init_seq_private-for-hash-map-iterator.patch [new file with mode: 0644]
queue-5.10/bpf-acquire-map-uref-in-.init_seq_private-for-sock-local-storage-map-iterator.patch [new file with mode: 0644]
queue-5.10/bpf-acquire-map-uref-in-.init_seq_private-for-sock-map-hash-iterator.patch [new file with mode: 0644]
queue-5.10/bpf-check-the-validity-of-max_rdwr_access-for-sock-local-storage-map-iterator.patch [new file with mode: 0644]
queue-5.10/can-ems_usb-fix-clang-s-wunaligned-access-warning.patch [new file with mode: 0644]
queue-5.10/can-mcp251x-fix-race-condition-on-receive-interrupt.patch [new file with mode: 0644]
queue-5.10/devlink-fix-use-after-free-after-a-failed-reload.patch [new file with mode: 0644]
queue-5.10/documentation-acpi-einj-fix-obsolete-example.patch [new file with mode: 0644]
queue-5.10/geneve-do-not-use-rt_tos-for-ipv6-flowlabel.patch [new file with mode: 0644]
queue-5.10/ipv6-do-not-use-rt_tos-for-ipv6-flowlabel.patch [new file with mode: 0644]
queue-5.10/net-atlantic-fix-aq_vec-index-out-of-range-error.patch [new file with mode: 0644]
queue-5.10/net-bgmac-fix-a-bug-triggered-by-wrong-bytes_compl.patch [new file with mode: 0644]
queue-5.10/nfsv4-fix-races-in-the-legacy-idmapper-upcall.patch [new file with mode: 0644]
queue-5.10/nfsv4-pnfs-fix-a-use-after-free-bug-in-open.patch [new file with mode: 0644]
queue-5.10/nfsv4.1-don-t-decrease-the-value-of-seq_nr_highest_sent.patch [new file with mode: 0644]
queue-5.10/nfsv4.1-handle-nfs4err_delay-replies-to-op_sequence-correctly.patch [new file with mode: 0644]
queue-5.10/nfsv4.1-reclaim_complete-must-handle-eacces.patch [new file with mode: 0644]
queue-5.10/pinctrl-nomadik-fix-refcount-leak-in-nmk_pinctrl_dt_subnode_to_map.patch [new file with mode: 0644]
queue-5.10/pinctrl-qcom-msm8916-allow-camss-gp-clocks-to-be-muxed.patch [new file with mode: 0644]
queue-5.10/pinctrl-qcom-sm8250-fix-pdc-map.patch [new file with mode: 0644]
queue-5.10/pinctrl-sunxi-add-i-o-bias-setting-for-h6-r-pio.patch [new file with mode: 0644]
queue-5.10/plip-avoid-rcu-debug-splat.patch [new file with mode: 0644]
queue-5.10/series
queue-5.10/sunrpc-fix-expiry-of-auth-creds.patch [new file with mode: 0644]
queue-5.10/sunrpc-reinitialise-the-backchannel-request-buffers-before-reuse.patch [new file with mode: 0644]
queue-5.10/um-add-missing-apply_returns.patch [new file with mode: 0644]
queue-5.10/virtio_net-fix-memory-leak-inside-xpd_tx-with-mergeable.patch [new file with mode: 0644]
queue-5.10/vsock-fix-memory-leak-in-vsock_connect.patch [new file with mode: 0644]
queue-5.10/vsock-set-socket-state-back-to-ss_unconnected-in-vsock_connect_timeout.patch [new file with mode: 0644]

diff --git a/queue-5.10/acpi-property-return-type-of-acpi_add_nondev_subnodes-should-be-bool.patch b/queue-5.10/acpi-property-return-type-of-acpi_add_nondev_subnodes-should-be-bool.patch
new file mode 100644 (file)
index 0000000..7eec3e7
--- /dev/null
@@ -0,0 +1,38 @@
+From 85140ef275f577f64e8a2c5789447222dfc14fc4 Mon Sep 17 00:00:00 2001
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Mon, 11 Jul 2022 14:25:59 +0300
+Subject: ACPI: property: Return type of acpi_add_nondev_subnodes() should be bool
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+commit 85140ef275f577f64e8a2c5789447222dfc14fc4 upstream.
+
+The value acpi_add_nondev_subnodes() returns is bool so change the return
+type of the function to match that.
+
+Fixes: 445b0eb058f5 ("ACPI / property: Add support for data-only subnodes")
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/property.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/acpi/property.c
++++ b/drivers/acpi/property.c
+@@ -155,10 +155,10 @@ static bool acpi_nondev_subnode_ok(acpi_
+       return acpi_nondev_subnode_data_ok(handle, link, list, parent);
+ }
+-static int acpi_add_nondev_subnodes(acpi_handle scope,
+-                                  const union acpi_object *links,
+-                                  struct list_head *list,
+-                                  struct fwnode_handle *parent)
++static bool acpi_add_nondev_subnodes(acpi_handle scope,
++                                   const union acpi_object *links,
++                                   struct list_head *list,
++                                   struct fwnode_handle *parent)
+ {
+       bool ret = false;
+       int i;
diff --git a/queue-5.10/alsa-usb-audio-more-comprehensive-mixer-map-for-asus-rog-zenith-ii.patch b/queue-5.10/alsa-usb-audio-more-comprehensive-mixer-map-for-asus-rog-zenith-ii.patch
new file mode 100644 (file)
index 0000000..57cabf0
--- /dev/null
@@ -0,0 +1,95 @@
+From 6bc2906253e723d1ab1acc652b55b83e286bfec2 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 9 Aug 2022 09:32:59 +0200
+Subject: ALSA: usb-audio: More comprehensive mixer map for ASUS ROG Zenith II
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 6bc2906253e723d1ab1acc652b55b83e286bfec2 upstream.
+
+ASUS ROG Zenith II has two USB interfaces, one for the front headphone
+and another for the rest I/O.  Currently we provided the mixer mapping
+for the latter but with an incomplete form.
+
+This patch corrects and provides more comprehensive mixer mapping, as
+well as providing the proper device names for both the front headphone
+and main audio.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=211005
+Fixes: 2a48218f8e23 ("ALSA: usb-audio: Add mixer workaround for TRX40 and co")
+Link: https://lore.kernel.org/r/20220809073259.18849-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/card.c       |    8 ++++++++
+ sound/usb/mixer_maps.c |   34 +++++++++++++++++++++++++---------
+ 2 files changed, 33 insertions(+), 9 deletions(-)
+
+--- a/sound/usb/card.c
++++ b/sound/usb/card.c
+@@ -379,6 +379,14 @@ static const struct usb_audio_device_nam
+       DEVICE_NAME(0x046d, 0x0990, "Logitech, Inc.", "QuickCam Pro 9000"),
++      /* ASUS ROG Zenith II: this machine has also two devices, one for
++       * the front headphone and another for the rest
++       */
++      PROFILE_NAME(0x0b05, 0x1915, "ASUS", "Zenith II Front Headphone",
++                   "Zenith-II-Front-Headphone"),
++      PROFILE_NAME(0x0b05, 0x1916, "ASUS", "Zenith II Main Audio",
++                   "Zenith-II-Main-Audio"),
++
+       /* ASUS ROG Strix */
+       PROFILE_NAME(0x0b05, 0x1917,
+                    "Realtek", "ALC1220-VB-DT", "Realtek-ALC1220-VB-Desktop"),
+--- a/sound/usb/mixer_maps.c
++++ b/sound/usb/mixer_maps.c
+@@ -367,13 +367,28 @@ static const struct usbmix_name_map cors
+       { 0 }
+ };
+-/* Some mobos shipped with a dummy HD-audio show the invalid GET_MIN/GET_MAX
+- * response for Input Gain Pad (id=19, control=12) and the connector status
+- * for SPDIF terminal (id=18).  Skip them.
+- */
+-static const struct usbmix_name_map asus_rog_map[] = {
+-      { 18, NULL }, /* OT, connector control */
+-      { 19, NULL, 12 }, /* FU, Input Gain Pad */
++/* ASUS ROG Zenith II with Realtek ALC1220-VB */
++static const struct usbmix_name_map asus_zenith_ii_map[] = {
++      { 19, NULL, 12 }, /* FU, Input Gain Pad - broken response, disabled */
++      { 16, "Speaker" },              /* OT */
++      { 22, "Speaker Playback" },     /* FU */
++      { 7, "Line" },                  /* IT */
++      { 19, "Line Capture" },         /* FU */
++      { 8, "Mic" },                   /* IT */
++      { 20, "Mic Capture" },          /* FU */
++      { 9, "Front Mic" },             /* IT */
++      { 21, "Front Mic Capture" },    /* FU */
++      { 17, "IEC958" },               /* OT */
++      { 23, "IEC958 Playback" },      /* FU */
++      {}
++};
++
++static const struct usbmix_connector_map asus_zenith_ii_connector_map[] = {
++      { 10, 16 },     /* (Back) Speaker */
++      { 11, 17 },     /* SPDIF */
++      { 13, 7 },      /* Line */
++      { 14, 8 },      /* Mic */
++      { 15, 9 },      /* Front Mic */
+       {}
+ };
+@@ -590,9 +605,10 @@ static const struct usbmix_ctl_map usbmi
+               .map = trx40_mobo_map,
+               .connector_map = trx40_mobo_connector_map,
+       },
+-      {       /* ASUS ROG Zenith II */
++      {       /* ASUS ROG Zenith II (main audio) */
+               .id = USB_ID(0x0b05, 0x1916),
+-              .map = asus_rog_map,
++              .map = asus_zenith_ii_map,
++              .connector_map = asus_zenith_ii_connector_map,
+       },
+       {       /* ASUS ROG Strix */
+               .id = USB_ID(0x0b05, 0x1917),
diff --git a/queue-5.10/apparmor-fix-aa_label_asxprint-return-check.patch b/queue-5.10/apparmor-fix-aa_label_asxprint-return-check.patch
new file mode 100644 (file)
index 0000000..2e721d7
--- /dev/null
@@ -0,0 +1,56 @@
+From 3e2a3a0830a2090e766d0d887d52c67de2a6f323 Mon Sep 17 00:00:00 2001
+From: Tom Rix <trix@redhat.com>
+Date: Sun, 13 Feb 2022 13:32:28 -0800
+Subject: apparmor: fix aa_label_asxprint return check
+
+From: Tom Rix <trix@redhat.com>
+
+commit 3e2a3a0830a2090e766d0d887d52c67de2a6f323 upstream.
+
+Clang static analysis reports this issue
+label.c:1802:3: warning: 2nd function call argument
+  is an uninitialized value
+  pr_info("%s", str);
+  ^~~~~~~~~~~~~~~~~~
+
+str is set from a successful call to aa_label_asxprint(&str, ...)
+On failure a negative value is returned, not a -1.  So change
+the check.
+
+Fixes: f1bd904175e8 ("apparmor: add the base fns() for domain labels")
+Signed-off-by: Tom Rix <trix@redhat.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/apparmor/label.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/security/apparmor/label.c
++++ b/security/apparmor/label.c
+@@ -1745,7 +1745,7 @@ void aa_label_xaudit(struct audit_buffer
+       if (!use_label_hname(ns, label, flags) ||
+           display_mode(ns, label, flags)) {
+               len  = aa_label_asxprint(&name, ns, label, flags, gfp);
+-              if (len == -1) {
++              if (len < 0) {
+                       AA_DEBUG("label print error");
+                       return;
+               }
+@@ -1773,7 +1773,7 @@ void aa_label_seq_xprint(struct seq_file
+               int len;
+               len = aa_label_asxprint(&str, ns, label, flags, gfp);
+-              if (len == -1) {
++              if (len < 0) {
+                       AA_DEBUG("label print error");
+                       return;
+               }
+@@ -1796,7 +1796,7 @@ void aa_label_xprintk(struct aa_ns *ns,
+               int len;
+               len = aa_label_asxprint(&str, ns, label, flags, gfp);
+-              if (len == -1) {
++              if (len < 0) {
+                       AA_DEBUG("label print error");
+                       return;
+               }
diff --git a/queue-5.10/apparmor-fix-absroot-causing-audited-secids-to-begin-with.patch b/queue-5.10/apparmor-fix-absroot-causing-audited-secids-to-begin-with.patch
new file mode 100644 (file)
index 0000000..01079fa
--- /dev/null
@@ -0,0 +1,76 @@
+From 511f7b5b835726e844a5fc7444c18e4b8672edfd Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Tue, 14 Dec 2021 02:59:28 -0800
+Subject: apparmor: fix absroot causing audited secids to begin with =
+
+From: John Johansen <john.johansen@canonical.com>
+
+commit 511f7b5b835726e844a5fc7444c18e4b8672edfd upstream.
+
+AppArmor is prefixing secids that are converted to secctx with the =
+to indicate the secctx should only be parsed from an absolute root
+POV. This allows catching errors where secctx are reparsed back into
+internal labels.
+
+Unfortunately because audit is using secid to secctx conversion this
+means that subject and object labels can result in a very unfortunate
+== that can break audit parsing.
+
+eg. the subj==unconfined term in the below audit message
+
+type=USER_LOGIN msg=audit(1639443365.233:160): pid=1633 uid=0 auid=1000
+ses=3 subj==unconfined msg='op=login id=1000 exe="/usr/sbin/sshd"
+hostname=192.168.122.1 addr=192.168.122.1 terminal=/dev/pts/1 res=success'
+
+Fix this by switch the prepending of = to a _. This still works as a
+special character to flag this case without breaking audit. Also move
+this check behind debug as it should not be needed during normal
+operqation.
+
+Fixes: 26b7899510ae ("apparmor: add support for absolute root view based labels")
+Reported-by: Casey Schaufler <casey@schaufler-ca.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/apparmor/include/lib.h |    5 +++++
+ security/apparmor/label.c       |    7 ++++---
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+--- a/security/apparmor/include/lib.h
++++ b/security/apparmor/include/lib.h
+@@ -22,6 +22,11 @@
+  */
+ #define DEBUG_ON (aa_g_debug)
++/*
++ * split individual debug cases out in preparation for finer grained
++ * debug controls in the future.
++ */
++#define AA_DEBUG_LABEL DEBUG_ON
+ #define dbg_printk(__fmt, __args...) pr_debug(__fmt, ##__args)
+ #define AA_DEBUG(fmt, args...)                                                \
+       do {                                                            \
+--- a/security/apparmor/label.c
++++ b/security/apparmor/label.c
+@@ -1632,9 +1632,9 @@ int aa_label_snxprint(char *str, size_t
+       AA_BUG(!str && size != 0);
+       AA_BUG(!label);
+-      if (flags & FLAG_ABS_ROOT) {
++      if (AA_DEBUG_LABEL && (flags & FLAG_ABS_ROOT)) {
+               ns = root_ns;
+-              len = snprintf(str, size, "=");
++              len = snprintf(str, size, "_");
+               update_for_len(total, len, size, str);
+       } else if (!ns) {
+               ns = labels_ns(label);
+@@ -1896,7 +1896,8 @@ struct aa_label *aa_label_strn_parse(str
+       AA_BUG(!str);
+       str = skipn_spaces(str, n);
+-      if (str == NULL || (*str == '=' && base != &root_ns->unconfined->label))
++      if (str == NULL || (AA_DEBUG_LABEL && *str == '_' &&
++                          base != &root_ns->unconfined->label))
+               return ERR_PTR(-EINVAL);
+       len = label_count_strn_entries(str, end - str);
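Review bot: The rejection of a label string that begins with the absolute-root marker is now gated on `AA_DEBUG_LABEL`, which expands through `DEBUG_ON` to the runtime `aa_g_debug` parameter, so with debug off aa_label_strn_parse accepts a leading `_` as an ordinary label name and aa_label_snxprint emits no marker at all; the secctx format therefore depends on a runtime knob rather than a build option. That deserves a comment at the new `#define AA_DEBUG_LABEL DEBUG_ON`, e.g. `/* runtime gate (aa_g_debug): when set, absolute-root secctx strings are prefixed with '_' and a leading '_' is rejected unless parsed relative to root_ns */`. Anyone comparing secctx output between kernels with and without the debug parameter set should expect the strings to differ. Both aa_label_snxprint and aa_label_strn_parse start outside the hunk.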
diff --git a/queue-5.10/apparmor-fix-failed-mount-permission-check-error-message.patch b/queue-5.10/apparmor-fix-failed-mount-permission-check-error-message.patch
new file mode 100644 (file)
index 0000000..d075a7c
--- /dev/null
@@ -0,0 +1,45 @@
+From ec240b5905bbb09a03dccffee03062cf39e38dc2 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Tue, 25 Jan 2022 00:37:42 -0800
+Subject: apparmor: Fix failed mount permission check error message
+
+From: John Johansen <john.johansen@canonical.com>
+
+commit ec240b5905bbb09a03dccffee03062cf39e38dc2 upstream.
+
+When the mount check fails due to a permission check failure instead
+of explicitly at one of the subcomponent checks, AppArmor is reporting
+a failure in the flags match. However this is not true and AppArmor
+can not attribute the error at this point to any particular component,
+and should only indicate the mount failed due to missing permissions.
+
+Fixes: 2ea3ffb7782a ("apparmor: add mount mediation")
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/apparmor/mount.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/security/apparmor/mount.c
++++ b/security/apparmor/mount.c
+@@ -229,7 +229,8 @@ static const char * const mnt_info_table
+       "failed srcname match",
+       "failed type match",
+       "failed flags match",
+-      "failed data match"
++      "failed data match",
++      "failed perms check"
+ };
+ /*
+@@ -284,8 +285,8 @@ static int do_match_mnt(struct aa_dfa *d
+                       return 0;
+       }
+-      /* failed at end of flags match */
+-      return 4;
++      /* failed at perms check, don't confuse with flags match */
++      return 6;
+ }
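Review bot: The new `return 6;` in do_match_mnt is a bare index into mnt_info_table, and because the table's first entries lie outside this hunk nothing keeps the two in step if the table is edited again. A named constant would make the coupling visible, for instance an enum declared next to the table and `return MNT_INFO_PERMS;` (the existing `return 4;` could get the same treatment). Failing that, a comment on the added string, `"failed perms check"	/* index returned by do_match_mnt() on a perms failure */`, at least records the dependency. do_match_mnt's body starts outside the hunk.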
diff --git a/queue-5.10/apparmor-fix-memleak-in-aa_simple_write_to_buffer.patch b/queue-5.10/apparmor-fix-memleak-in-aa_simple_write_to_buffer.patch
new file mode 100644 (file)
index 0000000..1dfc269
--- /dev/null
@@ -0,0 +1,33 @@
+From 417ea9fe972d2654a268ad66e89c8fcae67017c3 Mon Sep 17 00:00:00 2001
+From: Xiu Jianfeng <xiujianfeng@huawei.com>
+Date: Tue, 14 Jun 2022 17:00:01 +0800
+Subject: apparmor: Fix memleak in aa_simple_write_to_buffer()
+
+From: Xiu Jianfeng <xiujianfeng@huawei.com>
+
+commit 417ea9fe972d2654a268ad66e89c8fcae67017c3 upstream.
+
+When copy_from_user failed, the memory is freed by kvfree. however the
+management struct and data blob are allocated independently, so only
+kvfree(data) cause a memleak issue here. Use aa_put_loaddata(data) to
+fix this issue.
+
+Fixes: a6a52579e52b5 ("apparmor: split load data into management struct and data blob")
+Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/apparmor/apparmorfs.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/apparmor/apparmorfs.c
++++ b/security/apparmor/apparmorfs.c
+@@ -401,7 +401,7 @@ static struct aa_loaddata *aa_simple_wri
+       data->size = copy_size;
+       if (copy_from_user(data->data, userbuf, copy_size)) {
+-              kvfree(data);
++              aa_put_loaddata(data);
+               return ERR_PTR(-EFAULT);
+       }
diff --git a/queue-5.10/apparmor-fix-overlapping-attachment-computation.patch b/queue-5.10/apparmor-fix-overlapping-attachment-computation.patch
new file mode 100644 (file)
index 0000000..8a08e32
--- /dev/null
@@ -0,0 +1,46 @@
+From 2504db207146543736e877241f3b3de005cbe056 Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Sat, 26 Mar 2022 01:58:15 -0700
+Subject: apparmor: fix overlapping attachment computation
+
+From: John Johansen <john.johansen@canonical.com>
+
+commit 2504db207146543736e877241f3b3de005cbe056 upstream.
+
+When finding the profile via patterned attachments, the longest left
+match is being set to the static compile time value and not using the
+runtime computed value.
+
+Fix this by setting the candidate value to the greater of the
+precomputed value or runtime computed value.
+
+Fixes: 21f606610502 ("apparmor: improve overlapping domain attachment resolution")
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/apparmor/domain.c         |    2 +-
+ security/apparmor/include/policy.h |    2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/security/apparmor/domain.c
++++ b/security/apparmor/domain.c
+@@ -465,7 +465,7 @@ restart:
+                                * xattrs, or a longer match
+                                */
+                               candidate = profile;
+-                              candidate_len = profile->xmatch_len;
++                              candidate_len = max(count, profile->xmatch_len);
+                               candidate_xattrs = ret;
+                               conflict = false;
+                       }
+--- a/security/apparmor/include/policy.h
++++ b/security/apparmor/include/policy.h
+@@ -135,7 +135,7 @@ struct aa_profile {
+       const char *attach;
+       struct aa_dfa *xmatch;
+-      int xmatch_len;
++      unsigned int xmatch_len;
+       enum audit_mode audit;
+       long mode;
+       u32 path_flags;
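Review bot: Changing `xmatch_len` from `int` to `unsigned int` reaches further than the single `max(count, profile->xmatch_len)` use in domain.c; any other reader of the field outside these hunks (comparisons against signed lengths, `%d` format arguments, the unpack code that stores it) becomes a signed/unsigned mismatch that `-Wsign-compare` would report, so a grep for `xmatch_len` before merging is worthwhile. The type change appears to exist so that the kernel `max()` macro type-checks against `count`, presumably an unsigned value; a one-line comment on the field, `/* unsigned so max() can compare it with dfa match counts */`, would explain why the two hunks belong together. The struct definition continues outside the hunk.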
diff --git a/queue-5.10/apparmor-fix-quiet_denied-for-file-rules.patch b/queue-5.10/apparmor-fix-quiet_denied-for-file-rules.patch
new file mode 100644 (file)
index 0000000..1564040
--- /dev/null
@@ -0,0 +1,31 @@
+From 68ff8540cc9e4ab557065b3f635c1ff4c96e1f1c Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Thu, 29 Apr 2021 01:48:28 -0700
+Subject: apparmor: fix quiet_denied for file rules
+
+From: John Johansen <john.johansen@canonical.com>
+
+commit 68ff8540cc9e4ab557065b3f635c1ff4c96e1f1c upstream.
+
+Global quieting of denied AppArmor generated file events is not
+handled correctly. Unfortunately the is checking if quieting of all
+audit events is set instead of just denied events.
+
+Fixes: 67012e8209df ("AppArmor: basic auditing infrastructure.")
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/apparmor/audit.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/apparmor/audit.c
++++ b/security/apparmor/audit.c
+@@ -137,7 +137,7 @@ int aa_audit(int type, struct aa_profile
+       }
+       if (AUDIT_MODE(profile) == AUDIT_QUIET ||
+           (type == AUDIT_APPARMOR_DENIED &&
+-           AUDIT_MODE(profile) == AUDIT_QUIET))
++           AUDIT_MODE(profile) == AUDIT_QUIET_DENIED))
+               return aad(sa)->error;
+       if (KILL_MODE(profile) && type == AUDIT_APPARMOR_DENIED)
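Review bot: This one-line fix changes what reaches the audit log: profiles whose audit mode is AUDIT_QUIET_DENIED now suppress AUDIT_APPARMOR_DENIED events, which the old condition (whose second clause merely repeated the AUDIT_QUIET test) let through. Since the condition mixes two modes with different scope, a comment above it would prevent the next reader from "simplifying" it again, e.g. `/* quiet suppresses every event; quiet_denied suppresses only denials */`. Operators who alert on denied events from such profiles will see that volume drop after this stable update, which is the intended behaviour but worth knowing. aa_audit's body starts outside the hunk.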
diff --git a/queue-5.10/apparmor-fix-reference-count-leak-in-aa_pivotroot.patch b/queue-5.10/apparmor-fix-reference-count-leak-in-aa_pivotroot.patch
new file mode 100644 (file)
index 0000000..ccdb794
--- /dev/null
@@ -0,0 +1,41 @@
+From 11c3627ec6b56c1525013f336f41b79a983b4d46 Mon Sep 17 00:00:00 2001
+From: Xin Xiong <xiongx18@fudan.edu.cn>
+Date: Thu, 28 Apr 2022 11:39:08 +0800
+Subject: apparmor: fix reference count leak in aa_pivotroot()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Xin Xiong <xiongx18@fudan.edu.cn>
+
+commit 11c3627ec6b56c1525013f336f41b79a983b4d46 upstream.
+
+The aa_pivotroot() function has a reference counting bug in a specific
+path. When aa_replace_current_label() returns on success, the function
+forgets to decrement the reference count of “target”, which is
+increased earlier by build_pivotroot(), causing a reference leak.
+
+Fix it by decreasing the refcount of “target” in that path.
+
+Fixes: 2ea3ffb7782a ("apparmor: add mount mediation")
+Co-developed-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Co-developed-by: Xin Tan <tanxin.ctf@gmail.com>
+Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
+Signed-off-by: Xin Xiong <xiongx18@fudan.edu.cn>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/apparmor/mount.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/security/apparmor/mount.c
++++ b/security/apparmor/mount.c
+@@ -719,6 +719,7 @@ int aa_pivotroot(struct aa_label *label,
+                       aa_put_label(target);
+                       goto out;
+               }
++              aa_put_label(target);
+       } else
+               /* already audited error */
+               error = PTR_ERR(target);
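Review bot: After this change both arms around the aa_replace_current_label() call release `target`: the error path puts it before `goto out`, and the added line puts it on success, so the reference can be dropped once, unconditionally, before the error test — `aa_put_label(target); if (error) goto out;` — which removes the duplicated put and keeps the balance with build_pivotroot() obvious. The call that assigns `error` appears to sit just above the hunk, so only the `if (error)` tail is visible here; the enclosing function starts outside the hunk.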
diff --git a/queue-5.10/apparmor-fix-setting-unconfined-mode-on-a-loaded-profile.patch b/queue-5.10/apparmor-fix-setting-unconfined-mode-on-a-loaded-profile.patch
new file mode 100644 (file)
index 0000000..fea6ae5
--- /dev/null
@@ -0,0 +1,46 @@
+From 3bbb7b2e9bbcd22e539e23034da753898fe3b4dc Mon Sep 17 00:00:00 2001
+From: John Johansen <john.johansen@canonical.com>
+Date: Sat, 26 Mar 2022 01:52:06 -0700
+Subject: apparmor: fix setting unconfined mode on a loaded profile
+
+From: John Johansen <john.johansen@canonical.com>
+
+commit 3bbb7b2e9bbcd22e539e23034da753898fe3b4dc upstream.
+
+When loading a profile that is set to unconfined mode, that label
+flag is not set when it should be. Ensure it is set so that when
+used in a label the unconfined check will be applied correctly.
+
+Fixes: 038165070aa5 ("apparmor: allow setting any profile into the unconfined state")
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/apparmor/policy_unpack.c |   12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/security/apparmor/policy_unpack.c
++++ b/security/apparmor/policy_unpack.c
+@@ -746,16 +746,18 @@ static struct aa_profile *unpack_profile
+               profile->label.flags |= FLAG_HAT;
+       if (!unpack_u32(e, &tmp, NULL))
+               goto fail;
+-      if (tmp == PACKED_MODE_COMPLAIN || (e->version & FORCE_COMPLAIN_FLAG))
++      if (tmp == PACKED_MODE_COMPLAIN || (e->version & FORCE_COMPLAIN_FLAG)) {
+               profile->mode = APPARMOR_COMPLAIN;
+-      else if (tmp == PACKED_MODE_ENFORCE)
++      } else if (tmp == PACKED_MODE_ENFORCE) {
+               profile->mode = APPARMOR_ENFORCE;
+-      else if (tmp == PACKED_MODE_KILL)
++      } else if (tmp == PACKED_MODE_KILL) {
+               profile->mode = APPARMOR_KILL;
+-      else if (tmp == PACKED_MODE_UNCONFINED)
++      } else if (tmp == PACKED_MODE_UNCONFINED) {
+               profile->mode = APPARMOR_UNCONFINED;
+-      else
++              profile->label.flags |= FLAG_UNCONFINED;
++      } else {
+               goto fail;
++      }
+       if (!unpack_u32(e, &tmp, NULL))
+               goto fail;
+       if (tmp)
diff --git a/queue-5.10/bpf-acquire-map-uref-in-.init_seq_private-for-array-map-iterator.patch b/queue-5.10/bpf-acquire-map-uref-in-.init_seq_private-for-array-map-iterator.patch
new file mode 100644 (file)
index 0000000..2b9050b
--- /dev/null
@@ -0,0 +1,54 @@
+From f76fa6b338055054f80c72b29c97fb95c1becadc Mon Sep 17 00:00:00 2001
+From: Hou Tao <houtao1@huawei.com>
+Date: Wed, 10 Aug 2022 16:05:30 +0800
+Subject: bpf: Acquire map uref in .init_seq_private for array map iterator
+
+From: Hou Tao <houtao1@huawei.com>
+
+commit f76fa6b338055054f80c72b29c97fb95c1becadc upstream.
+
+bpf_iter_attach_map() acquires a map uref, and the uref may be released
+before or in the middle of iterating map elements. For example, the uref
+could be released in bpf_iter_detach_map() as part of
+bpf_link_release(), or could be released in bpf_map_put_with_uref() as
+part of bpf_map_release().
+
+Alternative fix is acquiring an extra bpf_link reference just like
+a pinned map iterator does, but it introduces unnecessary dependency
+on bpf_link instead of bpf_map.
+
+So choose another fix: acquiring an extra map uref in .init_seq_private
+for array map iterator.
+
+Fixes: d3cc2ab546ad ("bpf: Implement bpf iterator for array maps")
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Acked-by: Yonghong Song <yhs@fb.com>
+Link: https://lore.kernel.org/r/20220810080538.1845898-2-houtao@huaweicloud.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/arraymap.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/kernel/bpf/arraymap.c
++++ b/kernel/bpf/arraymap.c
+@@ -616,6 +616,11 @@ static int bpf_iter_init_array_map(void
+               seq_info->percpu_value_buf = value_buf;
+       }
++      /* bpf_iter_attach_map() acquires a map uref, and the uref may be
++       * released before or in the middle of iterating map elements, so
++       * acquire an extra map uref for iterator.
++       */
++      bpf_map_inc_with_uref(map);
+       seq_info->map = map;
+       return 0;
+ }
+@@ -624,6 +629,7 @@ static void bpf_iter_fini_array_map(void
+ {
+       struct bpf_iter_seq_array_map_info *seq_info = priv_data;
++      bpf_map_put_with_uref(seq_info->map);
+       kfree(seq_info->percpu_value_buf);
+ }
diff --git a/queue-5.10/bpf-acquire-map-uref-in-.init_seq_private-for-hash-map-iterator.patch b/queue-5.10/bpf-acquire-map-uref-in-.init_seq_private-for-hash-map-iterator.patch
new file mode 100644 (file)
index 0000000..350cfc4
--- /dev/null
@@ -0,0 +1,46 @@
+From ef1e93d2eeb58a1f08c37b22a2314b94bc045f15 Mon Sep 17 00:00:00 2001
+From: Hou Tao <houtao1@huawei.com>
+Date: Wed, 10 Aug 2022 16:05:31 +0800
+Subject: bpf: Acquire map uref in .init_seq_private for hash map iterator
+
+From: Hou Tao <houtao1@huawei.com>
+
+commit ef1e93d2eeb58a1f08c37b22a2314b94bc045f15 upstream.
+
+bpf_iter_attach_map() acquires a map uref, and the uref may be released
+before or in the middle of iterating map elements. For example, the uref
+could be released in bpf_iter_detach_map() as part of
+bpf_link_release(), or could be released in bpf_map_put_with_uref() as
+part of bpf_map_release().
+
+So acquiring an extra map uref in bpf_iter_init_hash_map() and
+releasing it in bpf_iter_fini_hash_map().
+
+Fixes: d6c4503cc296 ("bpf: Implement bpf iterator for hash maps")
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Acked-by: Yonghong Song <yhs@fb.com>
+Link: https://lore.kernel.org/r/20220810080538.1845898-3-houtao@huaweicloud.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/hashtab.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/bpf/hashtab.c
++++ b/kernel/bpf/hashtab.c
+@@ -1801,6 +1801,7 @@ static int bpf_iter_init_hash_map(void *
+               seq_info->percpu_value_buf = value_buf;
+       }
++      bpf_map_inc_with_uref(map);
+       seq_info->map = map;
+       seq_info->htab = container_of(map, struct bpf_htab, map);
+       return 0;
+@@ -1810,6 +1811,7 @@ static void bpf_iter_fini_hash_map(void
+ {
+       struct bpf_iter_seq_hash_map_info *seq_info = priv_data;
++      bpf_map_put_with_uref(seq_info->map);
+       kfree(seq_info->percpu_value_buf);
+ }
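Review bot: The added `bpf_map_inc_with_uref(map);` in bpf_iter_init_hash_map carries no comment, unlike the sibling arraymap change, so a reader of hashtab.c alone cannot tell why a second uref is taken on a map the attach path already holds; the same applies to the sk_storage hunk ending at L792 and the sock_map/sock_hash hunks ending at L872. Suggest the arraymap wording above each call, adapted to the attach function each commit message names: `/* bpf_iter_attach_map() acquires a map uref, and the uref may be released before or in the middle of iterating map elements, so acquire an extra map uref for iterator. */`. The call is placed after the value_buf allocation block and directly before `return 0`, which appears to be what keeps an allocation failure (handled outside the hunk) from leaking the extra uref, and the comment could state that ordering requirement so a later refactor does not move it. bpf_iter_init_hash_map and bpf_iter_fini_hash_map both start outside the hunk.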
diff --git a/queue-5.10/bpf-acquire-map-uref-in-.init_seq_private-for-sock-local-storage-map-iterator.patch b/queue-5.10/bpf-acquire-map-uref-in-.init_seq_private-for-sock-local-storage-map-iterator.patch
new file mode 100644 (file)
index 0000000..5091b0c
--- /dev/null
@@ -0,0 +1,59 @@
+From 3c5f6e698b5c538bbb23cd453b22e1e4922cffd8 Mon Sep 17 00:00:00 2001
+From: Hou Tao <houtao1@huawei.com>
+Date: Wed, 10 Aug 2022 16:05:32 +0800
+Subject: bpf: Acquire map uref in .init_seq_private for sock local storage map iterator
+
+From: Hou Tao <houtao1@huawei.com>
+
+commit 3c5f6e698b5c538bbb23cd453b22e1e4922cffd8 upstream.
+
+bpf_iter_attach_map() acquires a map uref, and the uref may be released
+before or in the middle of iterating map elements. For example, the uref
+could be released in bpf_iter_detach_map() as part of
+bpf_link_release(), or could be released in bpf_map_put_with_uref() as
+part of bpf_map_release().
+
+So acquiring an extra map uref in bpf_iter_init_sk_storage_map() and
+releasing it in bpf_iter_fini_sk_storage_map().
+
+Fixes: 5ce6e77c7edf ("bpf: Implement bpf iterator for sock local storage map")
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Acked-by: Yonghong Song <yhs@fb.com>
+Acked-by: Martin KaFai Lau <kafai@fb.com>
+Link: https://lore.kernel.org/r/20220810080538.1845898-4-houtao@huaweicloud.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/bpf_sk_storage.c |   10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/net/core/bpf_sk_storage.c
++++ b/net/core/bpf_sk_storage.c
+@@ -794,10 +794,18 @@ static int bpf_iter_init_sk_storage_map(
+ {
+       struct bpf_iter_seq_sk_storage_map_info *seq_info = priv_data;
++      bpf_map_inc_with_uref(aux->map);
+       seq_info->map = aux->map;
+       return 0;
+ }
++static void bpf_iter_fini_sk_storage_map(void *priv_data)
++{
++      struct bpf_iter_seq_sk_storage_map_info *seq_info = priv_data;
++
++      bpf_map_put_with_uref(seq_info->map);
++}
++
+ static int bpf_iter_attach_map(struct bpf_prog *prog,
+                              union bpf_iter_link_info *linfo,
+                              struct bpf_iter_aux_info *aux)
+@@ -843,7 +851,7 @@ static const struct seq_operations bpf_s
+ static const struct bpf_iter_seq_info iter_seq_info = {
+       .seq_ops                = &bpf_sk_storage_map_seq_ops,
+       .init_seq_private       = bpf_iter_init_sk_storage_map,
+-      .fini_seq_private       = NULL,
++      .fini_seq_private       = bpf_iter_fini_sk_storage_map,
+       .seq_priv_size          = sizeof(struct bpf_iter_seq_sk_storage_map_info),
+ };
diff --git a/queue-5.10/bpf-acquire-map-uref-in-.init_seq_private-for-sock-map-hash-iterator.patch b/queue-5.10/bpf-acquire-map-uref-in-.init_seq_private-for-sock-map-hash-iterator.patch
new file mode 100644 (file)
index 0000000..b65e980
--- /dev/null
@@ -0,0 +1,82 @@
+From f0d2b2716d71778d0b0c8eaa433c073287d69d93 Mon Sep 17 00:00:00 2001
+From: Hou Tao <houtao1@huawei.com>
+Date: Wed, 10 Aug 2022 16:05:33 +0800
+Subject: bpf: Acquire map uref in .init_seq_private for sock{map,hash} iterator
+
+From: Hou Tao <houtao1@huawei.com>
+
+commit f0d2b2716d71778d0b0c8eaa433c073287d69d93 upstream.
+
+sock_map_iter_attach_target() acquires a map uref, and the uref may be
+released before or in the middle of iterating map elements. For example,
+the uref could be released in sock_map_iter_detach_target() as part of
+bpf_link_release(), or could be released in bpf_map_put_with_uref() as
+part of bpf_map_release().
+
+Fixing it by acquiring an extra map uref in .init_seq_private and
+releasing it in .fini_seq_private.
+
+Fixes: 0365351524d7 ("net: Allow iterating sockmap and sockhash")
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Acked-by: Yonghong Song <yhs@fb.com>
+Link: https://lore.kernel.org/r/20220810080538.1845898-5-houtao@huaweicloud.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/sock_map.c |   20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+--- a/net/core/sock_map.c
++++ b/net/core/sock_map.c
+@@ -815,13 +815,22 @@ static int sock_map_init_seq_private(voi
+ {
+       struct sock_map_seq_info *info = priv_data;
++      bpf_map_inc_with_uref(aux->map);
+       info->map = aux->map;
+       return 0;
+ }
++static void sock_map_fini_seq_private(void *priv_data)
++{
++      struct sock_map_seq_info *info = priv_data;
++
++      bpf_map_put_with_uref(info->map);
++}
++
+ static const struct bpf_iter_seq_info sock_map_iter_seq_info = {
+       .seq_ops                = &sock_map_seq_ops,
+       .init_seq_private       = sock_map_init_seq_private,
++      .fini_seq_private       = sock_map_fini_seq_private,
+       .seq_priv_size          = sizeof(struct sock_map_seq_info),
+ };
+@@ -1422,18 +1431,27 @@ static const struct seq_operations sock_
+ };
+ static int sock_hash_init_seq_private(void *priv_data,
+-                                   struct bpf_iter_aux_info *aux)
++                                    struct bpf_iter_aux_info *aux)
+ {
+       struct sock_hash_seq_info *info = priv_data;
++      bpf_map_inc_with_uref(aux->map);
+       info->map = aux->map;
+       info->htab = container_of(aux->map, struct bpf_shtab, map);
+       return 0;
+ }
++static void sock_hash_fini_seq_private(void *priv_data)
++{
++      struct sock_hash_seq_info *info = priv_data;
++
++      bpf_map_put_with_uref(info->map);
++}
++
+ static const struct bpf_iter_seq_info sock_hash_iter_seq_info = {
+       .seq_ops                = &sock_hash_seq_ops,
+       .init_seq_private       = sock_hash_init_seq_private,
++      .fini_seq_private       = sock_hash_fini_seq_private,
+       .seq_priv_size          = sizeof(struct sock_hash_seq_info),
+ };
diff --git a/queue-5.10/bpf-check-the-validity-of-max_rdwr_access-for-sock-local-storage-map-iterator.patch b/queue-5.10/bpf-check-the-validity-of-max_rdwr_access-for-sock-local-storage-map-iterator.patch
new file mode 100644 (file)
index 0000000..dff4f83
--- /dev/null
@@ -0,0 +1,34 @@
+From 52bd05eb7c88e1ad8541a48873188ccebca9da26 Mon Sep 17 00:00:00 2001
+From: Hou Tao <houtao1@huawei.com>
+Date: Wed, 10 Aug 2022 16:05:34 +0800
+Subject: bpf: Check the validity of max_rdwr_access for sock local storage map iterator
+
+From: Hou Tao <houtao1@huawei.com>
+
+commit 52bd05eb7c88e1ad8541a48873188ccebca9da26 upstream.
+
+The value of sock local storage map is writable in map iterator, so check
+max_rdwr_access instead of max_rdonly_access.
+
+Fixes: 5ce6e77c7edf ("bpf: Implement bpf iterator for sock local storage map")
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Acked-by: Yonghong Song <yhs@fb.com>
+Acked-by: Martin KaFai Lau <kafai@fb.com>
+Link: https://lore.kernel.org/r/20220810080538.1845898-6-houtao@huaweicloud.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/bpf_sk_storage.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/bpf_sk_storage.c
++++ b/net/core/bpf_sk_storage.c
+@@ -823,7 +823,7 @@ static int bpf_iter_attach_map(struct bp
+       if (map->map_type != BPF_MAP_TYPE_SK_STORAGE)
+               goto put_map;
+-      if (prog->aux->max_rdonly_access > map->value_size) {
++      if (prog->aux->max_rdwr_access > map->value_size) {
+               err = -EACCES;
+               goto put_map;
+       }
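Review bot: The swap from `max_rdonly_access` to `max_rdwr_access` in bpf_iter_attach_map is unexplained in the code, and the two fields look interchangeable to anyone who does not know how the verifier classifies the iterator's value pointer. A comment tying the bound to the reason given in the commit message would keep it from being "fixed" back: `/* The map value is writable from the iterator prog, so the verifier records its accesses in max_rdwr_access, not max_rdonly_access. */`. Whether the verifier can also record read-only accesses to this value under max_rdonly_access is not visible here; if it can, the bound should be the larger of the two. bpf_iter_attach_map starts and ends outside the hunk.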
diff --git a/queue-5.10/can-ems_usb-fix-clang-s-wunaligned-access-warning.patch b/queue-5.10/can-ems_usb-fix-clang-s-wunaligned-access-warning.patch
new file mode 100644 (file)
index 0000000..a52e8a8
--- /dev/null
@@ -0,0 +1,65 @@
+From a4cb6e62ea4d36e53fb3c0f18ea4503d7b76674f Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Mon, 1 Aug 2022 22:47:16 +0200
+Subject: can: ems_usb: fix clang's -Wunaligned-access warning
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit a4cb6e62ea4d36e53fb3c0f18ea4503d7b76674f upstream.
+
+clang emits a -Wunaligned-access warning on struct __packed
+ems_cpc_msg.
+
+The reason is that the anonymous union msg (not declared as packed) is
+being packed right after some non naturally aligned variables (3*8
+bits + 2*32) inside a packed struct:
+
+| struct __packed ems_cpc_msg {
+|      u8 type;        /* type of message */
+|      u8 length;      /* length of data within union 'msg' */
+|      u8 msgid;       /* confirmation handle */
+|      __le32 ts_sec;  /* timestamp in seconds */
+|      __le32 ts_nsec; /* timestamp in nano seconds */
+|      /* ^ not naturally aligned */
+|
+|      union {
+|      /* ^ not declared as packed */
+|              u8 generic[64];
+|              struct cpc_can_msg can_msg;
+|              struct cpc_can_params can_params;
+|              struct cpc_confirm confirmation;
+|              struct cpc_overrun overrun;
+|              struct cpc_can_error error;
+|              struct cpc_can_err_counter err_counter;
+|              u8 can_state;
+|      } msg;
+| };
+
+Starting from LLVM 14, having an unpacked struct nested in a packed
+struct triggers a warning. c.f. [1].
+
+Fix the warning by marking the anonymous union as packed.
+
+[1] https://github.com/llvm/llvm-project/issues/55520
+
+Fixes: 702171adeed3 ("ems_usb: Added support for EMS CPC-USB/ARM7 CAN/USB interface")
+Link: https://lore.kernel.org/all/20220802094021.959858-1-mkl@pengutronix.de
+Cc: Gerhard Uttenthaler <uttenthaler@ems-wuensche.com>
+Cc: Sebastian Haas <haas@ems-wuensche.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/usb/ems_usb.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/ems_usb.c
++++ b/drivers/net/can/usb/ems_usb.c
+@@ -194,7 +194,7 @@ struct __packed ems_cpc_msg {
+       __le32 ts_sec;  /* timestamp in seconds */
+       __le32 ts_nsec; /* timestamp in nano seconds */
+-      union {
++      union __packed {
+               u8 generic[64];
+               struct cpc_can_msg can_msg;
+               struct cpc_can_params can_params;
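Review bot: `union __packed {` silences the warning but leaves unstated the assumption that the packed union keeps the same size and offset as before, and struct ems_cpc_msg is a wire format exchanged with the USB device where any layout shift would be a silent protocol break. Packing the anonymous union drops its alignment to 1 and changes sizeof only if the largest member was previously padded up; if `u8 generic[64]` is the largest member that should not happen, but the other members' sizes are not visible here. Consider pinning it next to the struct, e.g. `static_assert(sizeof(struct ems_cpc_msg) == <PRE_CHANGE_SIZE>);` (placeholder; or BUILD_BUG_ON), or at least a comment `/* __packed only changes alignment here; the on-wire layout must stay identical */`. The struct definition starts outside the hunk.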
diff --git a/queue-5.10/can-mcp251x-fix-race-condition-on-receive-interrupt.patch b/queue-5.10/can-mcp251x-fix-race-condition-on-receive-interrupt.patch
new file mode 100644 (file)
index 0000000..e6011c5
--- /dev/null
@@ -0,0 +1,88 @@
+From d80d60b0db6ff3dd2e29247cc2a5166d7e9ae37e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20W=C3=BCrl?= <sebastian.wuerl@ororatech.com>
+Date: Thu, 4 Aug 2022 10:14:11 +0200
+Subject: can: mcp251x: Fix race condition on receive interrupt
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sebastian Würl <sebastian.wuerl@ororatech.com>
+
+commit d80d60b0db6ff3dd2e29247cc2a5166d7e9ae37e upstream.
+
+The mcp251x driver uses both receiving mailboxes of the CAN controller
+chips. For retrieving the CAN frames from the controller via SPI, it checks
+once per interrupt which mailboxes have been filled and will retrieve the
+messages accordingly.
+
+This introduces a race condition, as another CAN frame can enter mailbox 1
+while mailbox 0 is emptied. If now another CAN frame enters mailbox 0 until
+the interrupt handler is called next, mailbox 0 is emptied before
+mailbox 1, leading to out-of-order CAN frames in the network device.
+
+This is fixed by checking the interrupt flags once again after freeing
+mailbox 0, to correctly also empty mailbox 1 before leaving the handler.
+
+For reproducing the bug I created the following setup:
+ - Two CAN devices, one Raspberry Pi with MCP2515, the other can be any.
+ - Setup CAN to 1 MHz
+ - Spam bursts of 5 CAN-messages with increasing CAN-ids
+ - Continue sending the bursts while sleeping a second between the bursts
+ - Check on the RPi whether the received messages have increasing CAN-ids
+ - Without this patch, every burst of messages will contain a flipped pair
+
+v3: https://lore.kernel.org/all/20220804075914.67569-1-sebastian.wuerl@ororatech.com
+v2: https://lore.kernel.org/all/20220804064803.63157-1-sebastian.wuerl@ororatech.com
+v1: https://lore.kernel.org/all/20220803153300.58732-1-sebastian.wuerl@ororatech.com
+
+Fixes: bf66f3736a94 ("can: mcp251x: Move to threaded interrupts instead of workqueues.")
+Signed-off-by: Sebastian Würl <sebastian.wuerl@ororatech.com>
+Link: https://lore.kernel.org/all/20220804081411.68567-1-sebastian.wuerl@ororatech.com
+[mkl: reduce scope of intf1, eflag1]
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/spi/mcp251x.c |   18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/can/spi/mcp251x.c
++++ b/drivers/net/can/spi/mcp251x.c
+@@ -1074,9 +1074,6 @@ static irqreturn_t mcp251x_can_ist(int i
+               mcp251x_read_2regs(spi, CANINTF, &intf, &eflag);
+-              /* mask out flags we don't care about */
+-              intf &= CANINTF_RX | CANINTF_TX | CANINTF_ERR;
+-
+               /* receive buffer 0 */
+               if (intf & CANINTF_RX0IF) {
+                       mcp251x_hw_rx(spi, 0);
+@@ -1086,6 +1083,18 @@ static irqreturn_t mcp251x_can_ist(int i
+                       if (mcp251x_is_2510(spi))
+                               mcp251x_write_bits(spi, CANINTF,
+                                                  CANINTF_RX0IF, 0x00);
++
++                      /* check if buffer 1 is already known to be full, no need to re-read */
++                      if (!(intf & CANINTF_RX1IF)) {
++                              u8 intf1, eflag1;
++
++                              /* intf needs to be read again to avoid a race condition */
++                              mcp251x_read_2regs(spi, CANINTF, &intf1, &eflag1);
++
++                              /* combine flags from both operations for error handling */
++                              intf |= intf1;
++                              eflag |= eflag1;
++                      }
+               }
+               /* receive buffer 1 */
+@@ -1096,6 +1105,9 @@ static irqreturn_t mcp251x_can_ist(int i
+                               clear_intf |= CANINTF_RX1IF;
+               }
++              /* mask out flags we don't care about */
++              intf &= CANINTF_RX | CANINTF_TX | CANINTF_ERR;
++
+               /* any error or tx interrupt we need to clear? */
+               if (intf & (CANINTF_ERR | CANINTF_TX))
+                       clear_intf |= intf & (CANINTF_ERR | CANINTF_TX);
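Review bot: The comment `/* intf needs to be read again to avoid a race condition */` names no race, so the next reader cannot tell which ordering the re-read protects or why it is skipped when RX1IF was already set. Suggest spelling it out: `/* A frame may land in RXB1 while RXB0 is being drained; re-read so it is delivered now rather than after a newer frame in RXB0 on the next pass. */`. Moving `intf &= CANINTF_RX | CANINTF_TX | CANINTF_ERR;` below the RX handling appears necessary so the merged `intf1` bits are masked too, and a short comment at its new location would record that. `intf1`/`eflag1` are only assigned by mcp251x_read_2regs(), whose return value is not checked; if that helper can fail without writing them, they would be merged uninitialized, which is worth confirming against the helper. mcp251x_can_ist starts and ends outside the hunk.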
diff --git a/queue-5.10/devlink-fix-use-after-free-after-a-failed-reload.patch b/queue-5.10/devlink-fix-use-after-free-after-a-failed-reload.patch
new file mode 100644 (file)
index 0000000..9a5b643
--- /dev/null
@@ -0,0 +1,105 @@
+From 6b4db2e528f650c7fb712961aac36455468d5902 Mon Sep 17 00:00:00 2001
+From: Ido Schimmel <idosch@nvidia.com>
+Date: Tue, 9 Aug 2022 14:35:06 +0300
+Subject: devlink: Fix use-after-free after a failed reload
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+commit 6b4db2e528f650c7fb712961aac36455468d5902 upstream.
+
+After a failed devlink reload, devlink parameters are still registered,
+which means user space can set and get their values. In the case of the
+mlxsw "acl_region_rehash_interval" parameter, these operations will
+trigger a use-after-free [1].
+
+Fix this by rejecting set and get operations while in the failed state.
+Return the "-EOPNOTSUPP" error code which does not abort the parameters
+dump, but instead causes it to skip over the problematic parameter.
+
+Another possible fix is to perform these checks in the mlxsw parameter
+callbacks, but other drivers might be affected by the same problem and I
+am not aware of scenarios where these stricter checks will cause a
+regression.
+
+[1]
+mlxsw_spectrum3 0000:00:10.0: Port 125: Failed to register netdev
+mlxsw_spectrum3 0000:00:10.0: Failed to create ports
+
+==================================================================
+BUG: KASAN: use-after-free in mlxsw_sp_acl_tcam_vregion_rehash_intrvl_get+0xbd/0xd0 drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c:904
+Read of size 4 at addr ffff8880099dcfd8 by task kworker/u4:4/777
+
+CPU: 1 PID: 777 Comm: kworker/u4:4 Not tainted 5.19.0-rc7-custom-126601-gfe26f28c586d #1
+Hardware name: QEMU MSN4700, BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
+Workqueue: netns cleanup_net
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x92/0xbd lib/dump_stack.c:106
+ print_address_description mm/kasan/report.c:313 [inline]
+ print_report.cold+0x5e/0x5cf mm/kasan/report.c:429
+ kasan_report+0xb9/0xf0 mm/kasan/report.c:491
+ __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:306
+ mlxsw_sp_acl_tcam_vregion_rehash_intrvl_get+0xbd/0xd0 drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c:904
+ mlxsw_sp_acl_region_rehash_intrvl_get+0x49/0x60 drivers/net/ethernet/mellanox/mlxsw/spectrum_acl.c:1106
+ mlxsw_sp_params_acl_region_rehash_intrvl_get+0x33/0x80 drivers/net/ethernet/mellanox/mlxsw/spectrum.c:3854
+ devlink_param_get net/core/devlink.c:4981 [inline]
+ devlink_nl_param_fill+0x238/0x12d0 net/core/devlink.c:5089
+ devlink_param_notify+0xe5/0x230 net/core/devlink.c:5168
+ devlink_ns_change_notify net/core/devlink.c:4417 [inline]
+ devlink_ns_change_notify net/core/devlink.c:4396 [inline]
+ devlink_reload+0x15f/0x700 net/core/devlink.c:4507
+ devlink_pernet_pre_exit+0x112/0x1d0 net/core/devlink.c:12272
+ ops_pre_exit_list net/core/net_namespace.c:152 [inline]
+ cleanup_net+0x494/0xc00 net/core/net_namespace.c:582
+ process_one_work+0x9fc/0x1710 kernel/workqueue.c:2289
+ worker_thread+0x675/0x10b0 kernel/workqueue.c:2436
+ kthread+0x30c/0x3d0 kernel/kthread.c:376
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
+ </TASK>
+
+The buggy address belongs to the physical page:
+page:ffffea0000267700 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x99dc
+flags: 0x100000000000000(node=0|zone=1)
+raw: 0100000000000000 0000000000000000 dead000000000122 0000000000000000
+raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8880099dce80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+ ffff8880099dcf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+>ffff8880099dcf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+                                                    ^
+ ffff8880099dd000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+ ffff8880099dd080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+==================================================================
+
+Fixes: 98bbf70c1c41 ("mlxsw: spectrum: add "acl_region_rehash_interval" devlink param")
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/devlink.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/core/devlink.c
++++ b/net/core/devlink.c
+@@ -3620,7 +3620,7 @@ static int devlink_param_get(struct devl
+                            const struct devlink_param *param,
+                            struct devlink_param_gset_ctx *ctx)
+ {
+-      if (!param->get)
++      if (!param->get || devlink->reload_failed)
+               return -EOPNOTSUPP;
+       return param->get(devlink, param->id, ctx);
+ }
+@@ -3629,7 +3629,7 @@ static int devlink_param_set(struct devl
+                            const struct devlink_param *param,
+                            struct devlink_param_gset_ctx *ctx)
+ {
+-      if (!param->set)
++      if (!param->set || devlink->reload_failed)
+               return -EOPNOTSUPP;
+       return param->set(devlink, param->id, ctx);
+ }
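Review bot: The new `devlink->reload_failed` test in devlink_param_get and devlink_param_set is doing a safety job the code does not explain: after a failed reload the driver state a param callback touches may already be freed, and -EOPNOTSUPP was chosen because it lets the parameter dump skip this entry instead of aborting. Suggest one comment above the first check, e.g. `/* After a failed reload the driver state backing the param may be gone; -EOPNOTSUPP makes the params dump skip this entry rather than fail. */`. Whether `reload_failed` is always read under the same lock devlink_reload() sets it under is not visible here; if any caller reaches these helpers without that lock, the flag could be observed stale. The signature lines of both helpers are outside the hunk bodies (they appear only in the @@ headers).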
diff --git a/queue-5.10/documentation-acpi-einj-fix-obsolete-example.patch b/queue-5.10/documentation-acpi-einj-fix-obsolete-example.patch
new file mode 100644 (file)
index 0000000..549691e
--- /dev/null
@@ -0,0 +1,33 @@
+From 9066e151c37950af92c3be6a7270daa8e8063db9 Mon Sep 17 00:00:00 2001
+From: Qifu Zhang <zhangqifu@bytedance.com>
+Date: Tue, 19 Jul 2022 19:50:13 +0800
+Subject: Documentation: ACPI: EINJ: Fix obsolete example
+
+From: Qifu Zhang <zhangqifu@bytedance.com>
+
+commit 9066e151c37950af92c3be6a7270daa8e8063db9 upstream.
+
+Since commit 488dac0c9237 ("libfs: fix error cast of negative value in
+simple_attr_write()"), the EINJ debugfs interface no longer accepts
+negative values as input. Attempt to do so will result in EINVAL.
+
+Fixes: 488dac0c9237 ("libfs: fix error cast of negative value in simple_attr_write()")
+Signed-off-by: Qifu Zhang <zhangqifu@bytedance.com>
+Reviewed-by: Tony Luck <tony.luck@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/firmware-guide/acpi/apei/einj.rst |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Documentation/firmware-guide/acpi/apei/einj.rst
++++ b/Documentation/firmware-guide/acpi/apei/einj.rst
+@@ -168,7 +168,7 @@ An error injection example::
+   0x00000008  Memory Correctable
+   0x00000010  Memory Uncorrectable non-fatal
+   # echo 0x12345000 > param1          # Set memory address for injection
+-  # echo $((-1 << 12)) > param2               # Mask 0xfffffffffffff000 - anywhere in this page
++  # echo 0xfffffffffffff000 > param2          # Mask - anywhere in this page
+   # echo 0x8 > error_type                     # Choose correctable memory error
+   # echo 1 > error_inject                     # Inject now
diff --git a/queue-5.10/geneve-do-not-use-rt_tos-for-ipv6-flowlabel.patch b/queue-5.10/geneve-do-not-use-rt_tos-for-ipv6-flowlabel.patch
new file mode 100644 (file)
index 0000000..77e8d97
--- /dev/null
@@ -0,0 +1,42 @@
+From ca2bb69514a8bc7f83914122f0d596371352416c Mon Sep 17 00:00:00 2001
+From: Matthias May <matthias.may@westermo.com>
+Date: Fri, 5 Aug 2022 21:19:03 +0200
+Subject: geneve: do not use RT_TOS for IPv6 flowlabel
+
+From: Matthias May <matthias.may@westermo.com>
+
+commit ca2bb69514a8bc7f83914122f0d596371352416c upstream.
+
+According to Guillaume Nault RT_TOS should never be used for IPv6.
+
+Quote:
+RT_TOS() is an old macro used to interprete IPv4 TOS as described in
+the obsolete RFC 1349. It's conceptually wrong to use it even in IPv4
+code, although, given the current state of the code, most of the
+existing calls have no consequence.
+
+But using RT_TOS() in IPv6 code is always a bug: IPv6 never had a "TOS"
+field to be interpreted the RFC 1349 way. There's no historical
+compatibility to worry about.
+
+Fixes: 3a56f86f1be6 ("geneve: handle ipv6 priority like ipv4 tos")
+Acked-by: Guillaume Nault <gnault@redhat.com>
+Signed-off-by: Matthias May <matthias.may@westermo.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/geneve.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/geneve.c
++++ b/drivers/net/geneve.c
+@@ -850,8 +850,7 @@ static struct dst_entry *geneve_get_v6_d
+               use_cache = false;
+       }
+-      fl6->flowlabel = ip6_make_flowinfo(RT_TOS(prio),
+-                                         info->key.label);
++      fl6->flowlabel = ip6_make_flowinfo(prio, info->key.label);
+       dst_cache = (struct dst_cache *)&info->dst_cache;
+       if (use_cache) {
+               dst = dst_cache_get_ip6(dst_cache, &fl6->saddr);
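Review bot: `ip6_make_flowinfo(prio, info->key.label)` now feeds the full 8-bit `prio` into the traffic class, where `RT_TOS()` previously kept only the four RFC 1349 TOS bits; the same change is made in ip6_dst_lookup_tunnel in the hunk ending at L1307. That is the stated intent, but nothing in the code records it, and it means the ECN and high DSCP bits of `prio` now reach the outer header, which a later reader might mistake for a regression. Suggest `/* prio is an IPv6 traffic class (DSCP+ECN); RT_TOS() is an IPv4-only mask and must not be applied here. */` above the call in both places. ip6_dst_lookup_tunnel shows `prio = info->key.tos;` but geneve's source of `prio` is outside the hunk, so whether it is already masked cannot be confirmed here; geneve_get_v6_dst starts and ends outside the hunk.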
diff --git a/queue-5.10/ipv6-do-not-use-rt_tos-for-ipv6-flowlabel.patch b/queue-5.10/ipv6-do-not-use-rt_tos-for-ipv6-flowlabel.patch
new file mode 100644 (file)
index 0000000..1c68681
--- /dev/null
@@ -0,0 +1,42 @@
+From ab7e2e0dfa5d37540ab1dc5376e9a2cb9188925d Mon Sep 17 00:00:00 2001
+From: Matthias May <matthias.may@westermo.com>
+Date: Fri, 5 Aug 2022 21:19:06 +0200
+Subject: ipv6: do not use RT_TOS for IPv6 flowlabel
+
+From: Matthias May <matthias.may@westermo.com>
+
+commit ab7e2e0dfa5d37540ab1dc5376e9a2cb9188925d upstream.
+
+According to Guillaume Nault RT_TOS should never be used for IPv6.
+
+Quote:
+RT_TOS() is an old macro used to interprete IPv4 TOS as described in
+the obsolete RFC 1349. It's conceptually wrong to use it even in IPv4
+code, although, given the current state of the code, most of the
+existing calls have no consequence.
+
+But using RT_TOS() in IPv6 code is always a bug: IPv6 never had a "TOS"
+field to be interpreted the RFC 1349 way. There's no historical
+compatibility to worry about.
+
+Fixes: 571912c69f0e ("net: UDP tunnel encapsulation module for tunnelling different protocols like MPLS, IP, NSH etc.")
+Acked-by: Guillaume Nault <gnault@redhat.com>
+Signed-off-by: Matthias May <matthias.may@westermo.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_output.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1313,8 +1313,7 @@ struct dst_entry *ip6_dst_lookup_tunnel(
+       fl6.daddr = info->key.u.ipv6.dst;
+       fl6.saddr = info->key.u.ipv6.src;
+       prio = info->key.tos;
+-      fl6.flowlabel = ip6_make_flowinfo(RT_TOS(prio),
+-                                        info->key.label);
++      fl6.flowlabel = ip6_make_flowinfo(prio, info->key.label);
+       dst = ipv6_stub->ipv6_dst_lookup_flow(net, sock->sk, &fl6,
+                                             NULL);
diff --git a/queue-5.10/net-atlantic-fix-aq_vec-index-out-of-range-error.patch b/queue-5.10/net-atlantic-fix-aq_vec-index-out-of-range-error.patch
new file mode 100644 (file)
index 0000000..92a0092
--- /dev/null
@@ -0,0 +1,119 @@
+From 2ba5e47fb75fbb8fab45f5c1bc8d5c33d8834bd3 Mon Sep 17 00:00:00 2001
+From: "Chia-Lin Kao (AceLan)" <acelan.kao@canonical.com>
+Date: Mon, 8 Aug 2022 16:18:45 +0800
+Subject: net: atlantic: fix aq_vec index out of range error
+
+From: Chia-Lin Kao (AceLan) <acelan.kao@canonical.com>
+
+commit 2ba5e47fb75fbb8fab45f5c1bc8d5c33d8834bd3 upstream.
+
+The final update statement of the for loop exceeds the array range, the
+dereference of self->aq_vec[i] is not checked and then leads to the
+index out of range error.
+Also fixed this kind of coding style in other for loop.
+
+[   97.937604] UBSAN: array-index-out-of-bounds in drivers/net/ethernet/aquantia/atlantic/aq_nic.c:1404:48
+[   97.937607] index 8 is out of range for type 'aq_vec_s *[8]'
+[   97.937608] CPU: 38 PID: 3767 Comm: kworker/u256:18 Not tainted 5.19.0+ #2
+[   97.937610] Hardware name: Dell Inc. Precision 7865 Tower/, BIOS 1.0.0 06/12/2022
+[   97.937611] Workqueue: events_unbound async_run_entry_fn
+[   97.937616] Call Trace:
+[   97.937617]  <TASK>
+[   97.937619]  dump_stack_lvl+0x49/0x63
+[   97.937624]  dump_stack+0x10/0x16
+[   97.937626]  ubsan_epilogue+0x9/0x3f
+[   97.937627]  __ubsan_handle_out_of_bounds.cold+0x44/0x49
+[   97.937629]  ? __scm_send+0x348/0x440
+[   97.937632]  ? aq_vec_stop+0x72/0x80 [atlantic]
+[   97.937639]  aq_nic_stop+0x1b6/0x1c0 [atlantic]
+[   97.937644]  aq_suspend_common+0x88/0x90 [atlantic]
+[   97.937648]  aq_pm_suspend_poweroff+0xe/0x20 [atlantic]
+[   97.937653]  pci_pm_suspend+0x7e/0x1a0
+[   97.937655]  ? pci_pm_suspend_noirq+0x2b0/0x2b0
+[   97.937657]  dpm_run_callback+0x54/0x190
+[   97.937660]  __device_suspend+0x14c/0x4d0
+[   97.937661]  async_suspend+0x23/0x70
+[   97.937663]  async_run_entry_fn+0x33/0x120
+[   97.937664]  process_one_work+0x21f/0x3f0
+[   97.937666]  worker_thread+0x4a/0x3c0
+[   97.937668]  ? process_one_work+0x3f0/0x3f0
+[   97.937669]  kthread+0xf0/0x120
+[   97.937671]  ? kthread_complete_and_exit+0x20/0x20
+[   97.937672]  ret_from_fork+0x22/0x30
+[   97.937676]  </TASK>
+
+v2. fixed "warning: variable 'aq_vec' set but not used"
+
+v3. simplified a for loop
+
+Fixes: 97bde5c4f909 ("net: ethernet: aquantia: Support for NIC-specific code")
+Signed-off-by: Chia-Lin Kao (AceLan) <acelan.kao@canonical.com>
+Acked-by: Sudarsana Reddy Kalluru <skalluru@marvell.com>
+Link: https://lore.kernel.org/r/20220808081845.42005-1-acelan.kao@canonical.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/aquantia/atlantic/aq_nic.c |   21 ++++++++-------------
+ 1 file changed, 8 insertions(+), 13 deletions(-)
+
+--- a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
++++ b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
+@@ -265,12 +265,10 @@ static void aq_nic_service_timer_cb(stru
+ static void aq_nic_polling_timer_cb(struct timer_list *t)
+ {
+       struct aq_nic_s *self = from_timer(self, t, polling_timer);
+-      struct aq_vec_s *aq_vec = NULL;
+       unsigned int i = 0U;
+-      for (i = 0U, aq_vec = self->aq_vec[0];
+-              self->aq_vecs > i; ++i, aq_vec = self->aq_vec[i])
+-              aq_vec_isr(i, (void *)aq_vec);
++      for (i = 0U; self->aq_vecs > i; ++i)
++              aq_vec_isr(i, (void *)self->aq_vec[i]);
+       mod_timer(&self->polling_timer, jiffies +
+                 AQ_CFG_POLLING_TIMER_INTERVAL);
+@@ -872,7 +870,6 @@ int aq_nic_get_regs_count(struct aq_nic_
+ u64 *aq_nic_get_stats(struct aq_nic_s *self, u64 *data)
+ {
+-      struct aq_vec_s *aq_vec = NULL;
+       struct aq_stats_s *stats;
+       unsigned int count = 0U;
+       unsigned int i = 0U;
+@@ -922,11 +919,11 @@ u64 *aq_nic_get_stats(struct aq_nic_s *s
+       data += i;
+       for (tc = 0U; tc < self->aq_nic_cfg.tcs; tc++) {
+-              for (i = 0U, aq_vec = self->aq_vec[0];
+-                   aq_vec && self->aq_vecs > i;
+-                   ++i, aq_vec = self->aq_vec[i]) {
++              for (i = 0U; self->aq_vecs > i; ++i) {
++                      if (!self->aq_vec[i])
++                              break;
+                       data += count;
+-                      count = aq_vec_get_sw_stats(aq_vec, tc, data);
++                      count = aq_vec_get_sw_stats(self->aq_vec[i], tc, data);
+               }
+       }
+@@ -1240,7 +1237,6 @@ int aq_nic_set_loopback(struct aq_nic_s
+ int aq_nic_stop(struct aq_nic_s *self)
+ {
+-      struct aq_vec_s *aq_vec = NULL;
+       unsigned int i = 0U;
+       netif_tx_disable(self->ndev);
+@@ -1258,9 +1254,8 @@ int aq_nic_stop(struct aq_nic_s *self)
+       aq_ptp_irq_free(self);
+-      for (i = 0U, aq_vec = self->aq_vec[0];
+-              self->aq_vecs > i; ++i, aq_vec = self->aq_vec[i])
+-              aq_vec_stop(aq_vec);
++      for (i = 0U; self->aq_vecs > i; ++i)
++              aq_vec_stop(self->aq_vec[i]);
+       aq_ptp_ring_stop(self);
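Review bot: The rewritten loop in aq_nic_get_stats stops at the first NULL `self->aq_vec[i]`, but the rewritten loops in aq_nic_polling_timer_cb and aq_nic_stop pass `self->aq_vec[i]` straight to aq_vec_isr()/aq_vec_stop() with no such check. The original code was equally inconsistent (only the stats loop tested `aq_vec &&`), so nothing regresses, but if `self->aq_vecs` can exceed the number of populated slots the other two loops still dereference NULL; either add the same `if (!self->aq_vec[i]) break;` guard or a comment stating that aq_vecs never exceeds the populated entries. The `(void *)` cast in `aq_vec_isr(i, (void *)self->aq_vec[i]);` is unnecessary in C. aq_nic_polling_timer_cb, aq_nic_get_stats and aq_nic_stop all continue outside their hunks.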
diff --git a/queue-5.10/net-bgmac-fix-a-bug-triggered-by-wrong-bytes_compl.patch b/queue-5.10/net-bgmac-fix-a-bug-triggered-by-wrong-bytes_compl.patch
new file mode 100644 (file)
index 0000000..a6fa9c1
--- /dev/null
@@ -0,0 +1,86 @@
+From 1b7680c6c1f6de9904f1d9b05c952f0c64a03350 Mon Sep 17 00:00:00 2001
+From: Sandor Bodo-Merle <sbodomerle@gmail.com>
+Date: Mon, 8 Aug 2022 19:39:39 +0200
+Subject: net: bgmac: Fix a BUG triggered by wrong bytes_compl
+
+From: Sandor Bodo-Merle <sbodomerle@gmail.com>
+
+commit 1b7680c6c1f6de9904f1d9b05c952f0c64a03350 upstream.
+
+On one of our machines we got:
+
+kernel BUG at lib/dynamic_queue_limits.c:27!
+Internal error: Oops - BUG: 0 [#1] PREEMPT SMP ARM
+CPU: 0 PID: 1166 Comm: irq/41-bgmac Tainted: G        W  O    4.14.275-rt132 #1
+Hardware name: BRCM XGS iProc
+task: ee3415c0 task.stack: ee32a000
+PC is at dql_completed+0x168/0x178
+LR is at bgmac_poll+0x18c/0x6d8
+pc : [<c03b9430>]    lr : [<c04b5a18>]    psr: 800a0313
+sp : ee32be14  ip : 000005ea  fp : 00000bd4
+r10: ee558500  r9 : c0116298  r8 : 00000002
+r7 : 00000000  r6 : ef128810  r5 : 01993267  r4 : 01993851
+r3 : ee558000  r2 : 000070e1  r1 : 00000bd4  r0 : ee52c180
+Flags: Nzcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
+Control: 12c5387d  Table: 8e88c04a  DAC: 00000051
+Process irq/41-bgmac (pid: 1166, stack limit = 0xee32a210)
+Stack: (0xee32be14 to 0xee32c000)
+be00:                                              ee558520 ee52c100 ef128810
+be20: 00000000 00000002 c0116298 c04b5a18 00000000 c0a0c8c4 c0951780 00000040
+be40: c0701780 ee558500 ee55d520 ef05b340 ef6f9780 ee558520 00000001 00000040
+be60: ffffe000 c0a56878 ef6fa040 c0952040 0000012c c0528744 ef6f97b0 fffcfb6a
+be80: c0a04104 2eda8000 c0a0c4ec c0a0d368 ee32bf44 c0153534 ee32be98 ee32be98
+bea0: ee32bea0 ee32bea0 ee32bea8 ee32bea8 00000000 c01462e4 ffffe000 ef6f22a8
+bec0: ffffe000 00000008 ee32bee4 c0147430 ffffe000 c094a2a8 00000003 ffffe000
+bee0: c0a54528 00208040 0000000c c0a0c8c4 c0a65980 c0124d3c 00000008 ee558520
+bf00: c094a23c c0a02080 00000000 c07a9910 ef136970 ef136970 ee30a440 ef136900
+bf20: ee30a440 00000001 ef136900 ee30a440 c016d990 00000000 c0108db0 c012500c
+bf40: ef136900 c016da14 ee30a464 ffffe000 00000001 c016dd14 00000000 c016db28
+bf60: ffffe000 ee21a080 ee30a400 00000000 ee32a000 ee30a440 c016dbfc ee25fd70
+bf80: ee21a09c c013edcc ee32a000 ee30a400 c013ec7c 00000000 00000000 00000000
+bfa0: 00000000 00000000 00000000 c0108470 00000000 00000000 00000000 00000000
+bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+bfe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
+[<c03b9430>] (dql_completed) from [<c04b5a18>] (bgmac_poll+0x18c/0x6d8)
+[<c04b5a18>] (bgmac_poll) from [<c0528744>] (net_rx_action+0x1c4/0x494)
+[<c0528744>] (net_rx_action) from [<c0124d3c>] (do_current_softirqs+0x1ec/0x43c)
+[<c0124d3c>] (do_current_softirqs) from [<c012500c>] (__local_bh_enable+0x80/0x98)
+[<c012500c>] (__local_bh_enable) from [<c016da14>] (irq_forced_thread_fn+0x84/0x98)
+[<c016da14>] (irq_forced_thread_fn) from [<c016dd14>] (irq_thread+0x118/0x1c0)
+[<c016dd14>] (irq_thread) from [<c013edcc>] (kthread+0x150/0x158)
+[<c013edcc>] (kthread) from [<c0108470>] (ret_from_fork+0x14/0x24)
+Code: a83f15e0 0200001a 0630a0e1 c3ffffea (f201f0e7)
+
+The issue seems similar to commit 90b3b339364c ("net: hisilicon: Fix a BUG
+trigered by wrong bytes_compl") and potentially introduced by commit
+b38c83dd0866 ("bgmac: simplify tx ring index handling").
+
+If there is an RX interrupt between setting ring->end
+and netdev_sent_queue() we can hit the BUG_ON as bgmac_dma_tx_free()
+can miscalculate the queue size while called from bgmac_poll().
+
+The machine which triggered the BUG runs a v4.14 RT kernel - but the issue
+seems present in mainline too.
+
+Fixes: b38c83dd0866 ("bgmac: simplify tx ring index handling")
+Signed-off-by: Sandor Bodo-Merle <sbodomerle@gmail.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Link: https://lore.kernel.org/r/20220808173939.193804-1-sbodomerle@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bgmac.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/broadcom/bgmac.c
++++ b/drivers/net/ethernet/broadcom/bgmac.c
+@@ -189,8 +189,8 @@ static netdev_tx_t bgmac_dma_tx_add(stru
+       }
+       slot->skb = skb;
+-      ring->end += nr_frags + 1;
+       netdev_sent_queue(net_dev, skb->len);
++      ring->end += nr_frags + 1;
+       wmb();
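Review bot: The reordered `ring->end += nr_frags + 1;` carries no comment saying why it must now follow netdev_sent_queue(), so a later cleanup could swap the two lines back and silently reintroduce the dql_completed() BUG described in the commit message. Suggest `/* Advance ring->end only after the DQL accounting: bgmac_dma_tx_free() from bgmac_poll() may run as soon as the slot is visible. */` directly above the increment. The wmb() on the following line still orders the ring update before whatever the driver does next, which the hunk does not change. bgmac_dma_tx_add()'s body extends beyond the hunk.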
diff --git a/queue-5.10/nfsv4-fix-races-in-the-legacy-idmapper-upcall.patch b/queue-5.10/nfsv4-fix-races-in-the-legacy-idmapper-upcall.patch
new file mode 100644 (file)
index 0000000..d2d89f0
--- /dev/null
@@ -0,0 +1,138 @@
+From 51fd2eb52c0ca8275a906eed81878ef50ae94eb0 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Wed, 13 Jul 2022 17:46:52 -0400
+Subject: NFSv4: Fix races in the legacy idmapper upcall
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit 51fd2eb52c0ca8275a906eed81878ef50ae94eb0 upstream.
+
+nfs_idmap_instantiate() will cause the process that is waiting in
+request_key_with_auxdata() to wake up and exit. If there is a second
+process waiting for the idmap->idmap_mutex, then it may wake up and
+start a new call to request_key_with_auxdata(). If the call to
+idmap_pipe_downcall() from the first process has not yet finished
+calling nfs_idmap_complete_pipe_upcall_locked(), then we may end up
+triggering the WARN_ON_ONCE() in nfs_idmap_prepare_pipe_upcall().
+
+The fix is to ensure that we clear idmap->idmap_upcall_data before
+calling nfs_idmap_instantiate().
+
+Fixes: e9ab41b620e4 ("NFSv4: Clean up the legacy idmapper upcall")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/nfs4idmap.c |   46 ++++++++++++++++++++++++----------------------
+ 1 file changed, 24 insertions(+), 22 deletions(-)
+
+--- a/fs/nfs/nfs4idmap.c
++++ b/fs/nfs/nfs4idmap.c
+@@ -561,22 +561,20 @@ nfs_idmap_prepare_pipe_upcall(struct idm
+       return true;
+ }
+-static void
+-nfs_idmap_complete_pipe_upcall_locked(struct idmap *idmap, int ret)
++static void nfs_idmap_complete_pipe_upcall(struct idmap_legacy_upcalldata *data,
++                                         int ret)
+ {
+-      struct key *authkey = idmap->idmap_upcall_data->authkey;
+-
+-      kfree(idmap->idmap_upcall_data);
+-      idmap->idmap_upcall_data = NULL;
+-      complete_request_key(authkey, ret);
+-      key_put(authkey);
++      complete_request_key(data->authkey, ret);
++      key_put(data->authkey);
++      kfree(data);
+ }
+-static void
+-nfs_idmap_abort_pipe_upcall(struct idmap *idmap, int ret)
++static void nfs_idmap_abort_pipe_upcall(struct idmap *idmap,
++                                      struct idmap_legacy_upcalldata *data,
++                                      int ret)
+ {
+-      if (idmap->idmap_upcall_data != NULL)
+-              nfs_idmap_complete_pipe_upcall_locked(idmap, ret);
++      if (cmpxchg(&idmap->idmap_upcall_data, data, NULL) == data)
++              nfs_idmap_complete_pipe_upcall(data, ret);
+ }
+ static int nfs_idmap_legacy_upcall(struct key *authkey, void *aux)
+@@ -613,7 +611,7 @@ static int nfs_idmap_legacy_upcall(struc
+       ret = rpc_queue_upcall(idmap->idmap_pipe, msg);
+       if (ret < 0)
+-              nfs_idmap_abort_pipe_upcall(idmap, ret);
++              nfs_idmap_abort_pipe_upcall(idmap, data, ret);
+       return ret;
+ out2:
+@@ -669,6 +667,7 @@ idmap_pipe_downcall(struct file *filp, c
+       struct request_key_auth *rka;
+       struct rpc_inode *rpci = RPC_I(file_inode(filp));
+       struct idmap *idmap = (struct idmap *)rpci->private;
++      struct idmap_legacy_upcalldata *data;
+       struct key *authkey;
+       struct idmap_msg im;
+       size_t namelen_in;
+@@ -678,10 +677,11 @@ idmap_pipe_downcall(struct file *filp, c
+        * will have been woken up and someone else may now have used
+        * idmap_key_cons - so after this point we may no longer touch it.
+        */
+-      if (idmap->idmap_upcall_data == NULL)
++      data = xchg(&idmap->idmap_upcall_data, NULL);
++      if (data == NULL)
+               goto out_noupcall;
+-      authkey = idmap->idmap_upcall_data->authkey;
++      authkey = data->authkey;
+       rka = get_request_key_auth(authkey);
+       if (mlen != sizeof(im)) {
+@@ -703,18 +703,17 @@ idmap_pipe_downcall(struct file *filp, c
+       if (namelen_in == 0 || namelen_in == IDMAP_NAMESZ) {
+               ret = -EINVAL;
+               goto out;
+-}
++      }
+-      ret = nfs_idmap_read_and_verify_message(&im,
+-                      &idmap->idmap_upcall_data->idmap_msg,
+-                      rka->target_key, authkey);
++      ret = nfs_idmap_read_and_verify_message(&im, &data->idmap_msg,
++                                              rka->target_key, authkey);
+       if (ret >= 0) {
+               key_set_timeout(rka->target_key, nfs_idmap_cache_timeout);
+               ret = mlen;
+       }
+ out:
+-      nfs_idmap_complete_pipe_upcall_locked(idmap, ret);
++      nfs_idmap_complete_pipe_upcall(data, ret);
+ out_noupcall:
+       return ret;
+ }
+@@ -728,7 +727,7 @@ idmap_pipe_destroy_msg(struct rpc_pipe_m
+       struct idmap *idmap = data->idmap;
+       if (msg->errno)
+-              nfs_idmap_abort_pipe_upcall(idmap, msg->errno);
++              nfs_idmap_abort_pipe_upcall(idmap, data, msg->errno);
+ }
+ static void
+@@ -736,8 +735,11 @@ idmap_release_pipe(struct inode *inode)
+ {
+       struct rpc_inode *rpci = RPC_I(inode);
+       struct idmap *idmap = (struct idmap *)rpci->private;
++      struct idmap_legacy_upcalldata *data;
+-      nfs_idmap_abort_pipe_upcall(idmap, -EPIPE);
++      data = xchg(&idmap->idmap_upcall_data, NULL);
++      if (data)
++              nfs_idmap_complete_pipe_upcall(data, -EPIPE);
+ }
+ int nfs_map_name_to_uid(const struct nfs_server *server, const char *name, size_t namelen, kuid_t *uid)
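Review bot: The new xchg()/cmpxchg() ownership protocol on idmap->idmap_upcall_data is left implicit across four call sites (abort, downcall, destroy_msg, release_pipe): whoever atomically swaps the pointer to NULL owns `data` and must be the one to call nfs_idmap_complete_pipe_upcall(). Suggest a comment on nfs_idmap_complete_pipe_upcall(): `/* Caller must own data, i.e. have atomically cleared idmap->idmap_upcall_data to it; completes the key request, drops the authkey and frees data. */`. The publishing side in nfs_idmap_prepare_pipe_upcall()/nfs_idmap_legacy_upcall() is outside the hunk, so I cannot confirm it stores the pointer in a way that pairs with these atomics; if it is a plain store under idmap_mutex, that is worth stating in the same comment. Also, in idmap_pipe_downcall() the `data = xchg(...)` now happens before the `mlen != sizeof(im)` validation, so a malformed downcall still consumes and fails the pending upcall; that appears to match the old `goto out` behaviour but deserves a word.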
diff --git a/queue-5.10/nfsv4-pnfs-fix-a-use-after-free-bug-in-open.patch b/queue-5.10/nfsv4-pnfs-fix-a-use-after-free-bug-in-open.patch
new file mode 100644 (file)
index 0000000..10c3f7e
--- /dev/null
@@ -0,0 +1,41 @@
+From 2135e5d56278ffdb1c2e6d325dc6b87f669b9dac Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Tue, 2 Aug 2022 15:48:50 -0400
+Subject: NFSv4/pnfs: Fix a use-after-free bug in open
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit 2135e5d56278ffdb1c2e6d325dc6b87f669b9dac upstream.
+
+If someone cancels the open RPC call, then we must not try to free
+either the open slot or the layoutget operation arguments, since they
+are likely still in use by the hung RPC call.
+
+Fixes: 6949493884fe ("NFSv4: Don't hold the layoutget locks across multiple RPC calls")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/nfs4proc.c |   11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -3084,12 +3084,13 @@ static int _nfs4_open_and_get_state(stru
+       }
+ out:
+-      if (opendata->lgp) {
+-              nfs4_lgopen_release(opendata->lgp);
+-              opendata->lgp = NULL;
+-      }
+-      if (!opendata->cancelled)
++      if (!opendata->cancelled) {
++              if (opendata->lgp) {
++                      nfs4_lgopen_release(opendata->lgp);
++                      opendata->lgp = NULL;
++              }
+               nfs4_sequence_free_slot(&opendata->o_res.seq_res);
++      }
+       return ret;
+ }
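Review bot: The cancelled path now leaves opendata->lgp set and the sequence slot unfreed without saying who eventually releases them, which is the first thing a reader asks at `if (!opendata->cancelled) {`. Suggest `/* A cancelled RPC may still reference lgp and the slot; leave both for the opendata release path instead of freeing them here. */` above the condition. Whether that release path actually reclaims them is not visible in this hunk (the commit message only says they are "likely still in use"), so the comment should be confirmed against the cancel handling for opendata. _nfs4_open_and_get_state()'s body begins outside the hunk.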
diff --git a/queue-5.10/nfsv4.1-don-t-decrease-the-value-of-seq_nr_highest_sent.patch b/queue-5.10/nfsv4.1-don-t-decrease-the-value-of-seq_nr_highest_sent.patch
new file mode 100644 (file)
index 0000000..ea08e98
--- /dev/null
@@ -0,0 +1,36 @@
+From f07a5d2427fc113dc50c5c818eba8929bc27b8ca Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Tue, 12 Jul 2022 09:16:04 -0400
+Subject: NFSv4.1: Don't decrease the value of seq_nr_highest_sent
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit f07a5d2427fc113dc50c5c818eba8929bc27b8ca upstream.
+
+When we're trying to figure out what the server may or may not have seen
+in terms of request numbers, do not assume that requests with a larger
+number were missed, just because we saw a reply to a request with a
+smaller number.
+
+Fixes: 3453d5708b33 ("NFSv4.1: Avoid false retries when RPC calls are interrupted")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/nfs4proc.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -790,10 +790,9 @@ static void nfs4_slot_sequence_record_se
+       if ((s32)(seqnr - slot->seq_nr_highest_sent) > 0)
+               slot->seq_nr_highest_sent = seqnr;
+ }
+-static void nfs4_slot_sequence_acked(struct nfs4_slot *slot,
+-              u32 seqnr)
++static void nfs4_slot_sequence_acked(struct nfs4_slot *slot, u32 seqnr)
+ {
+-      slot->seq_nr_highest_sent = seqnr;
++      nfs4_slot_sequence_record_sent(slot, seqnr);
+       slot->seq_nr_last_acked = seqnr;
+ }
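Review bot: The one-line body `nfs4_slot_sequence_record_sent(slot, seqnr);` reads like a misplaced call unless the reader already knows record_sent only ever raises seq_nr_highest_sent; a comment would lock that intent in. Suggest `/* Only raise the high-water mark: an ack for an older request says nothing about newer ones already sent. */` inside nfs4_slot_sequence_acked(). The `(s32)` compare on the line above already handles sequence-number wraparound, so no code change is needed.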
diff --git a/queue-5.10/nfsv4.1-handle-nfs4err_delay-replies-to-op_sequence-correctly.patch b/queue-5.10/nfsv4.1-handle-nfs4err_delay-replies-to-op_sequence-correctly.patch
new file mode 100644 (file)
index 0000000..8c0c8f1
--- /dev/null
@@ -0,0 +1,29 @@
+From 7ccafd4b2b9f34e6d8185f796f151c47424e273e Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Tue, 12 Jul 2022 09:22:40 -0400
+Subject: NFSv4.1: Handle NFS4ERR_DELAY replies to OP_SEQUENCE correctly
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit 7ccafd4b2b9f34e6d8185f796f151c47424e273e upstream.
+
+Don't assume that the NFS4ERR_DELAY means that the server is processing
+this slot id.
+
+Fixes: 3453d5708b33 ("NFSv4.1: Avoid false retries when RPC calls are interrupted")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/nfs4proc.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -859,7 +859,6 @@ static int nfs41_sequence_process(struct
+                       __func__,
+                       slot->slot_nr,
+                       slot->seq_nr);
+-              nfs4_slot_sequence_acked(slot, slot->seq_nr);
+               goto out_retry;
+       case -NFS4ERR_RETRY_UNCACHED_REP:
+       case -NFS4ERR_SEQ_FALSE_RETRY:
diff --git a/queue-5.10/nfsv4.1-reclaim_complete-must-handle-eacces.patch b/queue-5.10/nfsv4.1-reclaim_complete-must-handle-eacces.patch
new file mode 100644 (file)
index 0000000..6e39ea0
--- /dev/null
@@ -0,0 +1,38 @@
+From e35a5e782f67ed76a65ad0f23a484444a95f000f Mon Sep 17 00:00:00 2001
+From: Zhang Xianwei <zhang.xianwei8@zte.com.cn>
+Date: Wed, 27 Jul 2022 18:01:07 +0800
+Subject: NFSv4.1: RECLAIM_COMPLETE must handle EACCES
+
+From: Zhang Xianwei <zhang.xianwei8@zte.com.cn>
+
+commit e35a5e782f67ed76a65ad0f23a484444a95f000f upstream.
+
+A client should be able to handle getting an EACCES error while doing
+a mount operation to reclaim state due to NFS4CLNT_RECLAIM_REBOOT
+being set. If the server returns RPC_AUTH_BADCRED because authentication
+failed when we execute "exportfs -au", then RECLAIM_COMPLETE will go a
+wrong way. After mount succeeds, all OPEN call will fail due to an
+NFS4ERR_GRACE error being returned. This patch is to fix it by resending
+a RPC request.
+
+Signed-off-by: Zhang Xianwei <zhang.xianwei8@zte.com.cn>
+Signed-off-by: Yi Wang <wang.yi59@zte.com.cn>
+Fixes: aa5190d0ed7d ("NFSv4: Kill nfs4_async_handle_error() abuses by NFSv4.1")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/nfs4proc.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -9273,6 +9273,9 @@ static int nfs41_reclaim_complete_handle
+               rpc_delay(task, NFS4_POLL_RETRY_MAX);
+               fallthrough;
+       case -NFS4ERR_RETRY_UNCACHED_REP:
++      case -EACCES:
++              dprintk("%s: failed to reclaim complete error %d for server %s, retrying\n",
++                      __func__, task->tk_status, clp->cl_hostname);
+               return -EAGAIN;
+       case -NFS4ERR_BADSESSION:
+       case -NFS4ERR_DEADSESSION:
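Review bot: The new `case -EACCES:` returns -EAGAIN with no backoff, unlike the NFS4ERR_DELAY path just above it that goes through `rpc_delay(task, NFS4_POLL_RETRY_MAX);` first, so a server that keeps rejecting the credential (the RPC_AUTH_BADCRED scenario from the commit message) would be retried in a tight loop. Consider placing `case -EACCES:` among the labels that precede the rpc_delay() call so it falls through the delay, or bounding the number of retries. The case label that owns rpc_delay() is outside the hunk.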
diff --git a/queue-5.10/pinctrl-nomadik-fix-refcount-leak-in-nmk_pinctrl_dt_subnode_to_map.patch b/queue-5.10/pinctrl-nomadik-fix-refcount-leak-in-nmk_pinctrl_dt_subnode_to_map.patch
new file mode 100644 (file)
index 0000000..13ad475
--- /dev/null
@@ -0,0 +1,36 @@
+From 4b32e054335ea0ce50967f63a7bfd4db058b14b9 Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin <linmq006@gmail.com>
+Date: Tue, 7 Jun 2022 15:16:01 +0400
+Subject: pinctrl: nomadik: Fix refcount leak in nmk_pinctrl_dt_subnode_to_map
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+commit 4b32e054335ea0ce50967f63a7bfd4db058b14b9 upstream.
+
+of_parse_phandle() returns a node pointer with refcount
+incremented, we should use of_node_put() on it when not need anymore.
+Add missing of_node_put() to avoid refcount leak."
+
+Fixes: c2f6d059abfc ("pinctrl: nomadik: refactor DT parser to take two paths")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Link: https://lore.kernel.org/r/20220607111602.57355-1-linmq006@gmail.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/nomadik/pinctrl-nomadik.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/pinctrl/nomadik/pinctrl-nomadik.c
++++ b/drivers/pinctrl/nomadik/pinctrl-nomadik.c
+@@ -1421,8 +1421,10 @@ static int nmk_pinctrl_dt_subnode_to_map
+       has_config = nmk_pinctrl_dt_get_config(np, &configs);
+       np_config = of_parse_phandle(np, "ste,config", 0);
+-      if (np_config)
++      if (np_config) {
+               has_config |= nmk_pinctrl_dt_get_config(np_config, &configs);
++              of_node_put(np_config);
++      }
+       if (has_config) {
+               const char *gpio_name;
+               const char *pin;
diff --git a/queue-5.10/pinctrl-qcom-msm8916-allow-camss-gp-clocks-to-be-muxed.patch b/queue-5.10/pinctrl-qcom-msm8916-allow-camss-gp-clocks-to-be-muxed.patch
new file mode 100644 (file)
index 0000000..d136037
--- /dev/null
@@ -0,0 +1,37 @@
+From 44339391c666e46cba522d19c65a6ad1071c68b7 Mon Sep 17 00:00:00 2001
+From: Nikita Travkin <nikita@trvn.ru>
+Date: Sun, 12 Jun 2022 19:59:54 +0500
+Subject: pinctrl: qcom: msm8916: Allow CAMSS GP clocks to be muxed
+
+From: Nikita Travkin <nikita@trvn.ru>
+
+commit 44339391c666e46cba522d19c65a6ad1071c68b7 upstream.
+
+GPIO 31, 32 can be muxed to GCC_CAMSS_GP(1,2)_CLK respectively but the
+function was never assigned to the pingroup (even though the function
+exists already).
+
+Add this mode to the related pins.
+
+Fixes: 5373a2c5abb6 ("pinctrl: qcom: Add msm8916 pinctrl driver")
+Signed-off-by: Nikita Travkin <nikita@trvn.ru>
+Link: https://lore.kernel.org/r/20220612145955.385787-4-nikita@trvn.ru
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/qcom/pinctrl-msm8916.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/pinctrl/qcom/pinctrl-msm8916.c
++++ b/drivers/pinctrl/qcom/pinctrl-msm8916.c
+@@ -844,8 +844,8 @@ static const struct msm_pingroup msm8916
+       PINGROUP(28, pwr_modem_enabled_a, NA, NA, NA, NA, NA, qdss_tracedata_b, NA, atest_combodac),
+       PINGROUP(29, cci_i2c, NA, NA, NA, NA, NA, qdss_tracedata_b, NA, atest_combodac),
+       PINGROUP(30, cci_i2c, NA, NA, NA, NA, NA, NA, NA, qdss_tracedata_b),
+-      PINGROUP(31, cci_timer0, NA, NA, NA, NA, NA, NA, NA, NA),
+-      PINGROUP(32, cci_timer1, NA, NA, NA, NA, NA, NA, NA, NA),
++      PINGROUP(31, cci_timer0, flash_strobe, NA, NA, NA, NA, NA, NA, NA),
++      PINGROUP(32, cci_timer1, flash_strobe, NA, NA, NA, NA, NA, NA, NA),
+       PINGROUP(33, cci_async, NA, NA, NA, NA, NA, NA, NA, qdss_tracedata_b),
+       PINGROUP(34, pwr_nav_enabled_a, NA, NA, NA, NA, NA, NA, NA, qdss_tracedata_b),
+       PINGROUP(35, pwr_crypto_enabled_a, NA, NA, NA, NA, NA, NA, NA, qdss_tracedata_b),
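Review bot: The function added to the `PINGROUP(31, ...)` and `PINGROUP(32, ...)` rows is `flash_strobe`, while the commit message talks about GCC_CAMSS_GP(1,2)_CLK; nothing in the hunk ties the two names together, so a reader cannot confirm from this page that flash_strobe is the camss GP clock mux rather than a different function. Suggest a short comment on the two rows, e.g. `/* flash_strobe routes GCC_CAMSS_GP(1,2)_CLK onto gpio31/32 */`, or a pointer to the function table entry. The function table that defines flash_strobe is outside the hunk.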
diff --git a/queue-5.10/pinctrl-qcom-sm8250-fix-pdc-map.patch b/queue-5.10/pinctrl-qcom-sm8250-fix-pdc-map.patch
new file mode 100644 (file)
index 0000000..ea341cd
--- /dev/null
@@ -0,0 +1,37 @@
+From 4b759ca15a4914f96ea204ea9200ceeb01d70666 Mon Sep 17 00:00:00 2001
+From: Jianhua Lu <lujianhua000@gmail.com>
+Date: Wed, 3 Aug 2022 09:56:45 +0800
+Subject: pinctrl: qcom: sm8250: Fix PDC map
+
+From: Jianhua Lu <lujianhua000@gmail.com>
+
+commit 4b759ca15a4914f96ea204ea9200ceeb01d70666 upstream.
+
+Fix the PDC mapping for SM8250, gpio39 is mapped to irq73(not irq37).
+
+Fixes: b41efeed507a("pinctrl: qcom: sm8250: Specify PDC map.")
+Signed-off-by: Jianhua Lu <lujianhua000@gmail.com>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@somainline.org>
+Link: https://lore.kernel.org/r/20220803015645.22388-1-lujianhua000@gmail.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/qcom/pinctrl-sm8250.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/qcom/pinctrl-sm8250.c b/drivers/pinctrl/qcom/pinctrl-sm8250.c
+index af144e724bd9..3bd7f9fedcc3 100644
+--- a/drivers/pinctrl/qcom/pinctrl-sm8250.c
++++ b/drivers/pinctrl/qcom/pinctrl-sm8250.c
+@@ -1316,7 +1316,7 @@ static const struct msm_pingroup sm8250_groups[] = {
+ static const struct msm_gpio_wakeirq_map sm8250_pdc_map[] = {
+       { 0, 79 }, { 1, 84 }, { 2, 80 }, { 3, 82 }, { 4, 107 }, { 7, 43 },
+       { 11, 42 }, { 14, 44 }, { 15, 52 }, { 19, 67 }, { 23, 68 }, { 24, 105 },
+-      { 27, 92 }, { 28, 106 }, { 31, 69 }, { 35, 70 }, { 39, 37 },
++      { 27, 92 }, { 28, 106 }, { 31, 69 }, { 35, 70 }, { 39, 73 },
+       { 40, 108 }, { 43, 71 }, { 45, 72 }, { 47, 83 }, { 51, 74 }, { 55, 77 },
+       { 59, 78 }, { 63, 75 }, { 64, 81 }, { 65, 87 }, { 66, 88 }, { 67, 89 },
+       { 68, 54 }, { 70, 85 }, { 77, 46 }, { 80, 90 }, { 81, 91 }, { 83, 97 },
+-- 
+2.37.2
+
diff --git a/queue-5.10/pinctrl-sunxi-add-i-o-bias-setting-for-h6-r-pio.patch b/queue-5.10/pinctrl-sunxi-add-i-o-bias-setting-for-h6-r-pio.patch
new file mode 100644 (file)
index 0000000..d0467a0
--- /dev/null
@@ -0,0 +1,67 @@
+From fc153c8f283bf5925615195fc9d4056414d7b168 Mon Sep 17 00:00:00 2001
+From: Samuel Holland <samuel@sholland.org>
+Date: Tue, 12 Jul 2022 21:52:29 -0500
+Subject: pinctrl: sunxi: Add I/O bias setting for H6 R-PIO
+
+From: Samuel Holland <samuel@sholland.org>
+
+commit fc153c8f283bf5925615195fc9d4056414d7b168 upstream.
+
+H6 requires I/O bias configuration on both of its PIO devices.
+Previously it was only done for the main PIO.
+
+The setting for Port L is at bit 0, so the bank calculation needs to
+account for the pin base. Otherwise the wrong bit is used.
+
+Fixes: cc62383fcebe ("pinctrl: sunxi: Support I/O bias voltage setting on H6")
+Reviewed-by: Jernej Skrabec <jernej.skrabec@gmail.com>
+Tested-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Samuel Holland <samuel@sholland.org>
+Link: https://lore.kernel.org/r/20220713025233.27248-3-samuel@sholland.org
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/sunxi/pinctrl-sun50i-h6-r.c |    1 +
+ drivers/pinctrl/sunxi/pinctrl-sunxi.c       |    7 ++++---
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/pinctrl/sunxi/pinctrl-sun50i-h6-r.c
++++ b/drivers/pinctrl/sunxi/pinctrl-sun50i-h6-r.c
+@@ -105,6 +105,7 @@ static const struct sunxi_pinctrl_desc s
+       .npins = ARRAY_SIZE(sun50i_h6_r_pins),
+       .pin_base = PL_BASE,
+       .irq_banks = 2,
++      .io_bias_cfg_variant = BIAS_VOLTAGE_PIO_POW_MODE_SEL,
+ };
+ static int sun50i_h6_r_pinctrl_probe(struct platform_device *pdev)
+--- a/drivers/pinctrl/sunxi/pinctrl-sunxi.c
++++ b/drivers/pinctrl/sunxi/pinctrl-sunxi.c
+@@ -624,7 +624,7 @@ static int sunxi_pinctrl_set_io_bias_cfg
+                                        unsigned pin,
+                                        struct regulator *supply)
+ {
+-      unsigned short bank = pin / PINS_PER_BANK;
++      unsigned short bank;
+       unsigned long flags;
+       u32 val, reg;
+       int uV;
+@@ -640,6 +640,9 @@ static int sunxi_pinctrl_set_io_bias_cfg
+       if (uV == 0)
+               return 0;
++      pin -= pctl->desc->pin_base;
++      bank = pin / PINS_PER_BANK;
++
+       switch (pctl->desc->io_bias_cfg_variant) {
+       case BIAS_VOLTAGE_GRP_CONFIG:
+               /*
+@@ -657,8 +660,6 @@ static int sunxi_pinctrl_set_io_bias_cfg
+               else
+                       val = 0xD; /* 3.3V */
+-              pin -= pctl->desc->pin_base;
+-
+               reg = readl(pctl->membase + sunxi_grp_config_reg(pin));
+               reg &= ~IO_BIAS_MASK;
+               writel(reg | val, pctl->membase + sunxi_grp_config_reg(pin));
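Review bot: The hoisted `pin -= pctl->desc->pin_base;` now rebases pin before `bank = pin / PINS_PER_BANK;` for every io_bias_cfg_variant, which is the fix, but nothing guards or documents the assumption that pin is never below pin_base; with an unsigned pin the subtraction would wrap to a huge bank index. If the pinctrl core guarantees the range, state it: `/* pin is controller-relative from here on: bank 0 is this PIO's first bank (PL on the H6 R-PIO), not the SoC's. */`. The BIAS_VOLTAGE_PIO_POW_MODE_SEL branch that consumes bank is outside the hunk, so its use of the rebased value is not visible here.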
diff --git a/queue-5.10/plip-avoid-rcu-debug-splat.patch b/queue-5.10/plip-avoid-rcu-debug-splat.patch
new file mode 100644 (file)
index 0000000..efb8222
--- /dev/null
@@ -0,0 +1,36 @@
+From bc3c8fe3c79bcdae4d90e3726054fac5cca8ac32 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Sun, 7 Aug 2022 13:53:04 +0200
+Subject: plip: avoid rcu debug splat
+
+From: Florian Westphal <fw@strlen.de>
+
+commit bc3c8fe3c79bcdae4d90e3726054fac5cca8ac32 upstream.
+
+WARNING: suspicious RCU usage
+5.2.0-rc2-00605-g2638eb8b50cfc #1 Not tainted
+drivers/net/plip/plip.c:1110 suspicious rcu_dereference_check() usage!
+
+plip_open is called with RTNL held, switch to the correct helper.
+
+Fixes: 2638eb8b50cf ("net: ipv4: provide __rcu annotation for ifa_list")
+Reported-by: kernel test robot <oliver.sang@intel.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Link: https://lore.kernel.org/r/20220807115304.13257-1-fw@strlen.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/plip/plip.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/plip/plip.c
++++ b/drivers/net/plip/plip.c
+@@ -1103,7 +1103,7 @@ plip_open(struct net_device *dev)
+               /* Any address will do - we take the first. We already
+                  have the first two bytes filled with 0xfc, from
+                  plip_init_dev(). */
+-              const struct in_ifaddr *ifa = rcu_dereference(in_dev->ifa_list);
++              const struct in_ifaddr *ifa = rtnl_dereference(in_dev->ifa_list);
+               if (ifa != NULL) {
+                       memcpy(dev->dev_addr+2, &ifa->ifa_local, 4);
+               }
index 79a4112d8e4a9fbb506427a6ffd59faea68c2942..55d3a55e700f0f6c2035163211983c49c9e9fc41 100644 (file)
@@ -8,3 +8,42 @@ mmc-pxamci-fix-an-error-handling-path-in-pxamci_probe.patch
 mmc-meson-gx-fix-an-error-handling-path-in-meson_mmc_probe.patch
 btrfs-fix-lost-error-handling-when-looking-up-extended-ref-on-log-replay.patch
 tracing-have-filter-accept-common_cpu-to-be-consistent.patch
+alsa-usb-audio-more-comprehensive-mixer-map-for-asus-rog-zenith-ii.patch
+can-ems_usb-fix-clang-s-wunaligned-access-warning.patch
+apparmor-fix-quiet_denied-for-file-rules.patch
+apparmor-fix-absroot-causing-audited-secids-to-begin-with.patch
+apparmor-fix-failed-mount-permission-check-error-message.patch
+apparmor-fix-aa_label_asxprint-return-check.patch
+apparmor-fix-setting-unconfined-mode-on-a-loaded-profile.patch
+apparmor-fix-overlapping-attachment-computation.patch
+apparmor-fix-reference-count-leak-in-aa_pivotroot.patch
+apparmor-fix-memleak-in-aa_simple_write_to_buffer.patch
+documentation-acpi-einj-fix-obsolete-example.patch
+nfsv4.1-don-t-decrease-the-value-of-seq_nr_highest_sent.patch
+nfsv4.1-handle-nfs4err_delay-replies-to-op_sequence-correctly.patch
+nfsv4-fix-races-in-the-legacy-idmapper-upcall.patch
+nfsv4.1-reclaim_complete-must-handle-eacces.patch
+nfsv4-pnfs-fix-a-use-after-free-bug-in-open.patch
+bpf-acquire-map-uref-in-.init_seq_private-for-array-map-iterator.patch
+bpf-acquire-map-uref-in-.init_seq_private-for-hash-map-iterator.patch
+bpf-acquire-map-uref-in-.init_seq_private-for-sock-local-storage-map-iterator.patch
+bpf-acquire-map-uref-in-.init_seq_private-for-sock-map-hash-iterator.patch
+bpf-check-the-validity-of-max_rdwr_access-for-sock-local-storage-map-iterator.patch
+can-mcp251x-fix-race-condition-on-receive-interrupt.patch
+net-atlantic-fix-aq_vec-index-out-of-range-error.patch
+sunrpc-fix-expiry-of-auth-creds.patch
+sunrpc-reinitialise-the-backchannel-request-buffers-before-reuse.patch
+virtio_net-fix-memory-leak-inside-xpd_tx-with-mergeable.patch
+devlink-fix-use-after-free-after-a-failed-reload.patch
+net-bgmac-fix-a-bug-triggered-by-wrong-bytes_compl.patch
+pinctrl-nomadik-fix-refcount-leak-in-nmk_pinctrl_dt_subnode_to_map.patch
+pinctrl-qcom-msm8916-allow-camss-gp-clocks-to-be-muxed.patch
+pinctrl-sunxi-add-i-o-bias-setting-for-h6-r-pio.patch
+pinctrl-qcom-sm8250-fix-pdc-map.patch
+um-add-missing-apply_returns.patch
+acpi-property-return-type-of-acpi_add_nondev_subnodes-should-be-bool.patch
+geneve-do-not-use-rt_tos-for-ipv6-flowlabel.patch
+ipv6-do-not-use-rt_tos-for-ipv6-flowlabel.patch
+plip-avoid-rcu-debug-splat.patch
+vsock-fix-memory-leak-in-vsock_connect.patch
+vsock-set-socket-state-back-to-ss_unconnected-in-vsock_connect_timeout.patch
diff --git a/queue-5.10/sunrpc-fix-expiry-of-auth-creds.patch b/queue-5.10/sunrpc-fix-expiry-of-auth-creds.patch
new file mode 100644 (file)
index 0000000..53f7984
--- /dev/null
@@ -0,0 +1,32 @@
+From f1bafa7375c01ff71fb7cb97c06caadfcfe815f3 Mon Sep 17 00:00:00 2001
+From: Dan Aloni <dan.aloni@vastdata.com>
+Date: Mon, 4 Jul 2022 15:56:57 +0300
+Subject: sunrpc: fix expiry of auth creds
+
+From: Dan Aloni <dan.aloni@vastdata.com>
+
+commit f1bafa7375c01ff71fb7cb97c06caadfcfe815f3 upstream.
+
+Before this commit, with a large enough LRU of expired items (100), the
+loop skipped all the expired items and was entirely ineffectual in
+trimming the LRU list.
+
+Fixes: 95cd623250ad ('SUNRPC: Clean up the AUTH cache code')
+Signed-off-by: Dan Aloni <dan.aloni@vastdata.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sunrpc/auth.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sunrpc/auth.c
++++ b/net/sunrpc/auth.c
+@@ -445,7 +445,7 @@ rpcauth_prune_expired(struct list_head *
+                * Enforce a 60 second garbage collection moratorium
+                * Note that the cred_unused list must be time-ordered.
+                */
+-              if (!time_in_range(cred->cr_expire, expired, jiffies))
++              if (time_in_range(cred->cr_expire, expired, jiffies))
+                       continue;
+               if (!rpcauth_unhash_cred(cred))
+                       continue;
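Review bot: The inverted test `if (time_in_range(cred->cr_expire, expired, jiffies)) continue;` now skips creds that expired inside the moratorium window and prunes everything older, but the comment above still only says "Enforce a 60 second garbage collection moratorium", which the old, wrong condition also claimed to do. Suggest extending it with `* Skip creds that expired within the last 60 seconds; anything older is reaped.` so the direction of the test is documented. Since the comment also says cred_unused is time-ordered, it may be worth checking whether `break` rather than `continue` is the intended behaviour once the first in-window cred is reached, but that is a separate change. The loop head and the computation of `expired` are outside the hunk.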
diff --git a/queue-5.10/sunrpc-reinitialise-the-backchannel-request-buffers-before-reuse.patch b/queue-5.10/sunrpc-reinitialise-the-backchannel-request-buffers-before-reuse.patch
new file mode 100644 (file)
index 0000000..aaf33a3
--- /dev/null
@@ -0,0 +1,50 @@
+From 6622e3a73112fc336c1c2c582428fb5ef18e456a Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Wed, 27 Jul 2022 12:27:54 -0400
+Subject: SUNRPC: Reinitialise the backchannel request buffers before reuse
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit 6622e3a73112fc336c1c2c582428fb5ef18e456a upstream.
+
+When we're reusing the backchannel requests instead of freeing them,
+then we should reinitialise any values of the send/receive xdr_bufs so
+that they reflect the available space.
+
+Fixes: 0d2a970d0ae5 ("SUNRPC: Fix a backchannel race")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sunrpc/backchannel_rqst.c |   14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/net/sunrpc/backchannel_rqst.c
++++ b/net/sunrpc/backchannel_rqst.c
+@@ -64,6 +64,17 @@ static void xprt_free_allocation(struct
+       kfree(req);
+ }
++static void xprt_bc_reinit_xdr_buf(struct xdr_buf *buf)
++{
++      buf->head[0].iov_len = PAGE_SIZE;
++      buf->tail[0].iov_len = 0;
++      buf->pages = NULL;
++      buf->page_len = 0;
++      buf->flags = 0;
++      buf->len = 0;
++      buf->buflen = PAGE_SIZE;
++}
++
+ static int xprt_alloc_xdr_buf(struct xdr_buf *buf, gfp_t gfp_flags)
+ {
+       struct page *page;
+@@ -292,6 +303,9 @@ void xprt_free_bc_rqst(struct rpc_rqst *
+        */
+       spin_lock_bh(&xprt->bc_pa_lock);
+       if (xprt_need_to_requeue(xprt)) {
++              xprt_bc_reinit_xdr_buf(&req->rq_snd_buf);
++              xprt_bc_reinit_xdr_buf(&req->rq_rcv_buf);
++              req->rq_rcv_buf.len = PAGE_SIZE;
+               list_add_tail(&req->rq_bc_pa_list, &xprt->bc_pa_list);
+               xprt->bc_alloc_count++;
+               atomic_inc(&xprt->bc_slot_count);
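Review bot: xprt_bc_reinit_xdr_buf() sets `buf->len = 0`, and the caller immediately overrides that with `req->rq_rcv_buf.len = PAGE_SIZE;` for the receive buffer only, with nothing saying why the two buffers differ; a reader of the helper alone would take len = 0 as the reinitialised state. I would either give the helper a `len` parameter or put `/* rcv_buf advertises its full page to the transport; snd_buf starts empty */` above the three added lines — the reason for the asymmetry is my inference and should be confirmed. The helper also assumes head[0].iov_base still points at a PAGE_SIZE allocation, which appears to be what xprt_alloc_xdr_buf() sets up (its body is outside the hunk), so the two functions now hold duplicate knowledge of the initial buffer shape; having xprt_alloc_xdr_buf() call the new helper would keep them in step. Both touched functions continue outside the hunk.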
diff --git a/queue-5.10/um-add-missing-apply_returns.patch b/queue-5.10/um-add-missing-apply_returns.patch
new file mode 100644 (file)
index 0000000..fbbd44b
--- /dev/null
@@ -0,0 +1,34 @@
+From 637285e7f8d6da70a70c64e7895cb0672357a1f7 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Thu, 14 Jul 2022 12:20:19 +0200
+Subject: um: Add missing apply_returns()
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+commit 637285e7f8d6da70a70c64e7895cb0672357a1f7 upstream.
+
+Implement apply_returns() stub for UM, just like all the other patching
+routines.
+
+Fixes: 15e67227c49a ("x86: Undo return-thunk damage")
+Reported-by: Randy Dunlap <rdunlap@infradead.org)
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/um/kernel/um_arch.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/um/kernel/um_arch.c
++++ b/arch/um/kernel/um_arch.c
+@@ -367,6 +367,10 @@ void apply_returns(s32 *start, s32 *end)
+ {
+ }
++void apply_returns(s32 *start, s32 *end)
++{
++}
++
+ void apply_alternatives(struct alt_instr *start, struct alt_instr *end)
+ {
+ }
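Review bot: The hunk header `@@ -367,6 +367,10 @@ void apply_returns(s32 *start, s32 *end)` takes its function context from the nearest preceding function line in the old file, which would mean the 5.10 tree already has `void apply_returns(s32 *start, s32 *end)` at line 366 with the `{`/`}` at lines 367-368 as its body; if so, the added lines are a second definition of the same symbol and um_arch.c will fail to build with a redefinition error. Please check arch/um/kernel/um_arch.c in the stable tree before queuing, and drop this backport if apply_returns() is already present. If the context name is merely stale, a one-line comment over the stub group such as `/* Alternatives/return-thunk patching is a no-op on UML */` would still help, since the commit message is currently the only place that says these empty bodies are intentional.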
diff --git a/queue-5.10/virtio_net-fix-memory-leak-inside-xpd_tx-with-mergeable.patch b/queue-5.10/virtio_net-fix-memory-leak-inside-xpd_tx-with-mergeable.patch
new file mode 100644 (file)
index 0000000..273beb6
--- /dev/null
@@ -0,0 +1,38 @@
+From 7a542bee27c6a57e45c33cbbdc963325fd6493af Mon Sep 17 00:00:00 2001
+From: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
+Date: Thu, 4 Aug 2022 14:32:48 +0800
+Subject: virtio_net: fix memory leak inside XPD_TX with mergeable
+
+From: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
+
+commit 7a542bee27c6a57e45c33cbbdc963325fd6493af upstream.
+
+When we call xdp_convert_buff_to_frame() to get xdpf, if it returns
+NULL, we should check if xdp_page was allocated by xdp_linearize_page().
+If it is newly allocated, it should be freed here alone. Just like any
+other "goto err_xdp".
+
+Fixes: 44fa2dbd4759 ("xdp: transition into using xdp_frame for ndo_xdp_xmit")
+Signed-off-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/virtio_net.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -968,8 +968,11 @@ static struct sk_buff *receive_mergeable
+               case XDP_TX:
+                       stats->xdp_tx++;
+                       xdpf = xdp_convert_buff_to_frame(&xdp);
+-                      if (unlikely(!xdpf))
++                      if (unlikely(!xdpf)) {
++                              if (unlikely(xdp_page != page))
++                                      put_page(xdp_page);
+                               goto err_xdp;
++                      }
+                       err = virtnet_xdp_xmit(dev, 1, &xdpf, 0);
+                       if (unlikely(err < 0)) {
+                               trace_xdp_exception(vi->dev, xdp_prog, act);
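Review bot: The added `if (unlikely(xdp_page != page)) put_page(xdp_page);` encodes the ownership rule that xdp_page is a private linearised copy only when it differs from page, and the commit message notes the same release is repeated at every other `goto err_xdp`; nothing at this site says why the comparison is the ownership test. I would add `/* xdp_page is our own copy from xdp_linearize_page(); drop it before bailing */` above the put_page(), and consider moving the release under a dedicated label so future error paths in receive_mergeable() cannot miss it. Whether a label-based cleanup is safe depends on the other err_xdp sites, which are outside the hunk, as is the rest of receive_mergeable().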
diff --git a/queue-5.10/vsock-fix-memory-leak-in-vsock_connect.patch b/queue-5.10/vsock-fix-memory-leak-in-vsock_connect.patch
new file mode 100644 (file)
index 0000000..300b931
--- /dev/null
@@ -0,0 +1,83 @@
+From 7e97cfed9929eaabc41829c395eb0d1350fccb9d Mon Sep 17 00:00:00 2001
+From: Peilin Ye <peilin.ye@bytedance.com>
+Date: Mon, 8 Aug 2022 11:04:47 -0700
+Subject: vsock: Fix memory leak in vsock_connect()
+
+From: Peilin Ye <peilin.ye@bytedance.com>
+
+commit 7e97cfed9929eaabc41829c395eb0d1350fccb9d upstream.
+
+An O_NONBLOCK vsock_connect() request may try to reschedule
+@connect_work.  Imagine the following sequence of vsock_connect()
+requests:
+
+  1. The 1st, non-blocking request schedules @connect_work, which will
+     expire after 200 jiffies.  Socket state is now SS_CONNECTING;
+
+  2. Later, the 2nd, blocking request gets interrupted by a signal after
+     a few jiffies while waiting for the connection to be established.
+     Socket state is back to SS_UNCONNECTED, but @connect_work is still
+     pending, and will expire after 100 jiffies.
+
+  3. Now, the 3rd, non-blocking request tries to schedule @connect_work
+     again.  Since @connect_work is already scheduled,
+     schedule_delayed_work() silently returns.  sock_hold() is called
+     twice, but sock_put() will only be called once in
+     vsock_connect_timeout(), causing a memory leak reported by syzbot:
+
+  BUG: memory leak
+  unreferenced object 0xffff88810ea56a40 (size 1232):
+    comm "syz-executor756", pid 3604, jiffies 4294947681 (age 12.350s)
+    hex dump (first 32 bytes):
+      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+      28 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00  (..@............
+    backtrace:
+      [<ffffffff837c830e>] sk_prot_alloc+0x3e/0x1b0 net/core/sock.c:1930
+      [<ffffffff837cbe22>] sk_alloc+0x32/0x2e0 net/core/sock.c:1989
+      [<ffffffff842ccf68>] __vsock_create.constprop.0+0x38/0x320 net/vmw_vsock/af_vsock.c:734
+      [<ffffffff842ce8f1>] vsock_create+0xc1/0x2d0 net/vmw_vsock/af_vsock.c:2203
+      [<ffffffff837c0cbb>] __sock_create+0x1ab/0x2b0 net/socket.c:1468
+      [<ffffffff837c3acf>] sock_create net/socket.c:1519 [inline]
+      [<ffffffff837c3acf>] __sys_socket+0x6f/0x140 net/socket.c:1561
+      [<ffffffff837c3bba>] __do_sys_socket net/socket.c:1570 [inline]
+      [<ffffffff837c3bba>] __se_sys_socket net/socket.c:1568 [inline]
+      [<ffffffff837c3bba>] __x64_sys_socket+0x1a/0x20 net/socket.c:1568
+      [<ffffffff84512815>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+      [<ffffffff84512815>] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80
+      [<ffffffff84600068>] entry_SYSCALL_64_after_hwframe+0x44/0xae
+  <...>
+
+Use mod_delayed_work() instead: if @connect_work is already scheduled,
+reschedule it, and undo sock_hold() to keep the reference count
+balanced.
+
+Reported-and-tested-by: syzbot+b03f55bf128f9a38f064@syzkaller.appspotmail.com
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Co-developed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Peilin Ye <peilin.ye@bytedance.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/af_vsock.c |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -1347,7 +1347,14 @@ static int vsock_stream_connect(struct s
+                        * timeout fires.
+                        */
+                       sock_hold(sk);
+-                      schedule_delayed_work(&vsk->connect_work, timeout);
++
++                      /* If the timeout function is already scheduled,
++                       * reschedule it, then ungrab the socket refcount to
++                       * keep it balanced.
++                       */
++                      if (mod_delayed_work(system_wq, &vsk->connect_work,
++                                           timeout))
++                              sock_put(sk);
+                       /* Skip ahead to preserve error code set above. */
+                       goto out_wait;
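Review bot: The new comment explains the sock_put() but not which reference survives: when mod_delayed_work() returns true, the hold taken by the earlier request is the one vsock_connect_timeout() will drop, and the `sock_hold(sk)` at the context line above is the redundant one. I would make that explicit on the `if`, e.g. `/* Work was already pending: the earlier hold covers it, so drop ours. */`, since the refcount balance argument is the whole fix. The rest of vsock_stream_connect() is outside the hunk.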
diff --git a/queue-5.10/vsock-set-socket-state-back-to-ss_unconnected-in-vsock_connect_timeout.patch b/queue-5.10/vsock-set-socket-state-back-to-ss_unconnected-in-vsock_connect_timeout.patch
new file mode 100644 (file)
index 0000000..8d84816
--- /dev/null
@@ -0,0 +1,41 @@
+From a3e7b29e30854ed67be0d17687e744ad0c769c4b Mon Sep 17 00:00:00 2001
+From: Peilin Ye <peilin.ye@bytedance.com>
+Date: Mon, 8 Aug 2022 11:05:25 -0700
+Subject: vsock: Set socket state back to SS_UNCONNECTED in vsock_connect_timeout()
+
+From: Peilin Ye <peilin.ye@bytedance.com>
+
+commit a3e7b29e30854ed67be0d17687e744ad0c769c4b upstream.
+
+Imagine two non-blocking vsock_connect() requests on the same socket.
+The first request schedules @connect_work, and after it times out,
+vsock_connect_timeout() sets *sock* state back to TCP_CLOSE, but keeps
+*socket* state as SS_CONNECTING.
+
+Later, the second request returns -EALREADY, meaning the socket "already
+has a pending connection in progress", even though the first request has
+already timed out.
+
+As suggested by Stefano, fix it by setting *socket* state back to
+SS_UNCONNECTED, so that the second request will return -ETIMEDOUT.
+
+Suggested-by: Stefano Garzarella <sgarzare@redhat.com>
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Peilin Ye <peilin.ye@bytedance.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/af_vsock.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -1242,6 +1242,7 @@ static void vsock_connect_timeout(struct
+       if (sk->sk_state == TCP_SYN_SENT &&
+           (sk->sk_shutdown != SHUTDOWN_MASK)) {
+               sk->sk_state = TCP_CLOSE;
++              sk->sk_socket->state = SS_UNCONNECTED;
+               sk->sk_err = ETIMEDOUT;
+               sk->sk_error_report(sk);
+               vsock_transport_cancel_pkt(vsk);
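Review bot: The added `sk->sk_socket->state = SS_UNCONNECTED;` dereferences sk->sk_socket unconditionally from a work item; if the socket had been orphaned (sock_orphan() clears sk->sk_socket) before the timeout ran, this would be a NULL dereference. The surrounding `sk->sk_state == TCP_SYN_SENT && sk->sk_shutdown != SHUTDOWN_MASK` test presumably rules that out because release would set SHUTDOWN_MASK first, but that reasoning lives outside the hunk; a comment such as `/* sk_socket is valid here: release sets SHUTDOWN_MASK before orphaning */` or a defensive `if (sk->sk_socket)` would pin the invariant down. vsock_connect_timeout() continues outside the hunk.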