--- /dev/null
+From 1f2aefecafaf915f76b13346b1cbad9213eeccc7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jun 2020 19:17:37 +0530
+Subject: ALSA: compress: fix partial_drain completion state
+
+From: Vinod Koul <vkoul@kernel.org>
+
+[ Upstream commit f79a732a8325dfbd570d87f1435019d7e5501c6d ]
+
+On partial_drain completion we should be in SNDRV_PCM_STATE_RUNNING
+state, so set that for partially draining streams in
+snd_compr_drain_notify() and use a flag for partially draining streams
+
+While at it, add locks for stream state change in
+snd_compr_drain_notify() as well.
+
+Fixes: f44f2a5417b2 ("ALSA: compress: fix drain calls blocking other compress functions (v6)")
+Reviewed-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Tested-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Reviewed-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Tested-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Link: https://lore.kernel.org/r/20200629134737.105993-4-vkoul@kernel.org
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/sound/compress_driver.h | 10 +++++++++-
+ sound/core/compress_offload.c | 4 ++++
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/include/sound/compress_driver.h b/include/sound/compress_driver.h
+index 6ce8effa0b128..70cbc5095e725 100644
+--- a/include/sound/compress_driver.h
++++ b/include/sound/compress_driver.h
+@@ -66,6 +66,7 @@ struct snd_compr_runtime {
+ * @direction: stream direction, playback/recording
+ * @metadata_set: metadata set flag, true when set
+ * @next_track: has userspace signal next track transition, true when set
++ * @partial_drain: undergoing partial_drain for stream, true when set
+ * @private_data: pointer to DSP private data
+ * @dma_buffer: allocated buffer if any
+ */
+@@ -78,6 +79,7 @@ struct snd_compr_stream {
+ enum snd_compr_direction direction;
+ bool metadata_set;
+ bool next_track;
++ bool partial_drain;
+ void *private_data;
+ struct snd_dma_buffer dma_buffer;
+ };
+@@ -182,7 +184,13 @@ static inline void snd_compr_drain_notify(struct snd_compr_stream *stream)
+ if (snd_BUG_ON(!stream))
+ return;
+
+- stream->runtime->state = SNDRV_PCM_STATE_SETUP;
++ /* for partial_drain case we are back to running state on success */
++ if (stream->partial_drain) {
++ stream->runtime->state = SNDRV_PCM_STATE_RUNNING;
++ stream->partial_drain = false; /* clear this flag as well */
++ } else {
++ stream->runtime->state = SNDRV_PCM_STATE_SETUP;
++ }
+
+ wake_up(&stream->runtime->sleep);
+ }
+diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
+index 509290f2efa8e..0e53f6f319167 100644
+--- a/sound/core/compress_offload.c
++++ b/sound/core/compress_offload.c
+@@ -764,6 +764,9 @@ static int snd_compr_stop(struct snd_compr_stream *stream)
+
+ retval = stream->ops->trigger(stream, SNDRV_PCM_TRIGGER_STOP);
+ if (!retval) {
++ /* clear flags and stop any drain wait */
++ stream->partial_drain = false;
++ stream->metadata_set = false;
+ snd_compr_drain_notify(stream);
+ stream->runtime->total_bytes_available = 0;
+ stream->runtime->total_bytes_transferred = 0;
+@@ -921,6 +924,7 @@ static int snd_compr_partial_drain(struct snd_compr_stream *stream)
+ if (stream->next_track == false)
+ return -EPERM;
+
++ stream->partial_drain = true;
+ retval = stream->ops->trigger(stream, SND_COMPR_TRIGGER_PARTIAL_DRAIN);
+ if (retval) {
+ pr_debug("Partial drain returned failure\n");
+--
+2.25.1
+
--- /dev/null
+From 2504466d764cc63b2a3035283355e21c3dda31c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 10 May 2020 05:41:56 +0800
+Subject: arm64: kgdb: Fix single-step exception handling oops
+
+From: Wei Li <liwei391@huawei.com>
+
+[ Upstream commit 8523c006264df65aac7d77284cc69aac46a6f842 ]
+
+After entering kdb due to breakpoint, when we execute 'ss' or 'go' (will
+delay installing breakpoints, do single-step first), it won't work
+correctly, and it will enter kdb due to oops.
+
+It's because the reason gotten in kdb_stub() is not as expected, and it
+seems that the ex_vector for single-step should be 0, like what arch
+powerpc/sh/parisc has implemented.
+
+Before the patch:
+Entering kdb (current=0xffff8000119e2dc0, pid 0) on processor 0 due to Keyboard Entry
+[0]kdb> bp printk
+Instruction(i) BP #0 at 0xffff8000101486cc (printk)
+ is enabled addr at ffff8000101486cc, hardtype=0 installed=0
+
+[0]kdb> g
+
+/ # echo h > /proc/sysrq-trigger
+
+Entering kdb (current=0xffff0000fa878040, pid 266) on processor 3 due to Breakpoint @ 0xffff8000101486cc
+[3]kdb> ss
+
+Entering kdb (current=0xffff0000fa878040, pid 266) on processor 3 Oops: (null)
+due to oops @ 0xffff800010082ab8
+CPU: 3 PID: 266 Comm: sh Not tainted 5.7.0-rc4-13839-gf0e5ad491718 #6
+Hardware name: linux,dummy-virt (DT)
+pstate: 00000085 (nzcv daIf -PAN -UAO)
+pc : el1_irq+0x78/0x180
+lr : __handle_sysrq+0x80/0x190
+sp : ffff800015003bf0
+x29: ffff800015003d20 x28: ffff0000fa878040
+x27: 0000000000000000 x26: ffff80001126b1f0
+x25: ffff800011b6a0d8 x24: 0000000000000000
+x23: 0000000080200005 x22: ffff8000101486cc
+x21: ffff800015003d30 x20: 0000ffffffffffff
+x19: ffff8000119f2000 x18: 0000000000000000
+x17: 0000000000000000 x16: 0000000000000000
+x15: 0000000000000000 x14: 0000000000000000
+x13: 0000000000000000 x12: 0000000000000000
+x11: 0000000000000000 x10: 0000000000000000
+x9 : 0000000000000000 x8 : ffff800015003e50
+x7 : 0000000000000002 x6 : 00000000380b9990
+x5 : ffff8000106e99e8 x4 : ffff0000fadd83c0
+x3 : 0000ffffffffffff x2 : ffff800011b6a0d8
+x1 : ffff800011b6a000 x0 : ffff80001130c9d8
+Call trace:
+ el1_irq+0x78/0x180
+ printk+0x0/0x84
+ write_sysrq_trigger+0xb0/0x118
+ proc_reg_write+0xb4/0xe0
+ __vfs_write+0x18/0x40
+ vfs_write+0xb0/0x1b8
+ ksys_write+0x64/0xf0
+ __arm64_sys_write+0x14/0x20
+ el0_svc_common.constprop.2+0xb0/0x168
+ do_el0_svc+0x20/0x98
+ el0_sync_handler+0xec/0x1a8
+ el0_sync+0x140/0x180
+
+[3]kdb>
+
+After the patch:
+Entering kdb (current=0xffff8000119e2dc0, pid 0) on processor 0 due to Keyboard Entry
+[0]kdb> bp printk
+Instruction(i) BP #0 at 0xffff8000101486cc (printk)
+ is enabled addr at ffff8000101486cc, hardtype=0 installed=0
+
+[0]kdb> g
+
+/ # echo h > /proc/sysrq-trigger
+
+Entering kdb (current=0xffff0000fa852bc0, pid 268) on processor 0 due to Breakpoint @ 0xffff8000101486cc
+[0]kdb> g
+
+Entering kdb (current=0xffff0000fa852bc0, pid 268) on processor 0 due to Breakpoint @ 0xffff8000101486cc
+[0]kdb> ss
+
+Entering kdb (current=0xffff0000fa852bc0, pid 268) on processor 0 due to SS trap @ 0xffff800010082ab8
+[0]kdb>
+
+Fixes: 44679a4f142b ("arm64: KGDB: Add step debugging support")
+Signed-off-by: Wei Li <liwei391@huawei.com>
+Tested-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Link: https://lore.kernel.org/r/20200509214159.19680-2-liwei391@huawei.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/kgdb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/kernel/kgdb.c b/arch/arm64/kernel/kgdb.c
+index 43119922341f8..1a157ca33262d 100644
+--- a/arch/arm64/kernel/kgdb.c
++++ b/arch/arm64/kernel/kgdb.c
+@@ -252,7 +252,7 @@ static int kgdb_step_brk_fn(struct pt_regs *regs, unsigned int esr)
+ if (!kgdb_single_step)
+ return DBG_HOOK_ERROR;
+
+- kgdb_handle_exception(1, SIGTRAP, 0, regs);
++ kgdb_handle_exception(0, SIGTRAP, 0, regs);
+ return DBG_HOOK_HANDLED;
+ }
+ NOKPROBE_SYMBOL(kgdb_step_brk_fn);
+--
+2.25.1
+
--- /dev/null
+From de6ffe27a827c47ce0bd031d94f670fd345350f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Jun 2020 14:01:11 +0800
+Subject: ASoC: fsl_mqs: Don't check clock is NULL before calling clk API
+
+From: Shengjiu Wang <shengjiu.wang@nxp.com>
+
+[ Upstream commit adf46113a608d9515801997fc96cbfe8ffa89ed3 ]
+
+Because clk_prepare_enable and clk_disable_unprepare should
+check input clock parameter is NULL or not internally, then
+we don't need to check them before calling the function.
+
+Fixes: 9e28f6532c61 ("ASoC: fsl_mqs: Add MQS component driver")
+Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
+Acked-by: Nicolin Chen <nicoleotsuka@gmail.com>
+Link: https://lore.kernel.org/r/743be216bd504c26e8d45d5ce4a84561b67a122b.1592888591.git.shengjiu.wang@nxp.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/fsl_mqs.c | 13 ++++---------
+ 1 file changed, 4 insertions(+), 9 deletions(-)
+
+diff --git a/sound/soc/fsl/fsl_mqs.c b/sound/soc/fsl/fsl_mqs.c
+index 0c813a45bba7c..b44b134390a39 100644
+--- a/sound/soc/fsl/fsl_mqs.c
++++ b/sound/soc/fsl/fsl_mqs.c
+@@ -266,11 +266,9 @@ static int fsl_mqs_runtime_resume(struct device *dev)
+ {
+ struct fsl_mqs *mqs_priv = dev_get_drvdata(dev);
+
+- if (mqs_priv->ipg)
+- clk_prepare_enable(mqs_priv->ipg);
++ clk_prepare_enable(mqs_priv->ipg);
+
+- if (mqs_priv->mclk)
+- clk_prepare_enable(mqs_priv->mclk);
++ clk_prepare_enable(mqs_priv->mclk);
+
+ if (mqs_priv->use_gpr)
+ regmap_write(mqs_priv->regmap, IOMUXC_GPR2,
+@@ -292,11 +290,8 @@ static int fsl_mqs_runtime_suspend(struct device *dev)
+ regmap_read(mqs_priv->regmap, REG_MQS_CTRL,
+ &mqs_priv->reg_mqs_ctrl);
+
+- if (mqs_priv->mclk)
+- clk_disable_unprepare(mqs_priv->mclk);
+-
+- if (mqs_priv->ipg)
+- clk_disable_unprepare(mqs_priv->ipg);
++ clk_disable_unprepare(mqs_priv->mclk);
++ clk_disable_unprepare(mqs_priv->ipg);
+
+ return 0;
+ }
+--
+2.25.1
+
--- /dev/null
+From b65c10794a9ffbfa7b1326b14d9198f814836564 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Jun 2020 14:01:12 +0800
+Subject: ASoC: fsl_mqs: Fix unchecked return value for clk_prepare_enable
+
+From: Shengjiu Wang <shengjiu.wang@nxp.com>
+
+[ Upstream commit 15217d170a4461c1d4c1ea7c497e1fc1122e42a9 ]
+
+Fix unchecked return value for clk_prepare_enable, add error
+handler in fsl_mqs_runtime_resume.
+
+Fixes: 9e28f6532c61 ("ASoC: fsl_mqs: Add MQS component driver")
+Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
+Acked-by: Nicolin Chen <nicoleotsuka@gmail.com>
+Link: https://lore.kernel.org/r/5edd68d03def367d96268f1a9a00bd528ea5aaf2.1592888591.git.shengjiu.wang@nxp.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/fsl_mqs.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/fsl/fsl_mqs.c b/sound/soc/fsl/fsl_mqs.c
+index b44b134390a39..69aeb0e71844d 100644
+--- a/sound/soc/fsl/fsl_mqs.c
++++ b/sound/soc/fsl/fsl_mqs.c
+@@ -265,10 +265,20 @@ static int fsl_mqs_remove(struct platform_device *pdev)
+ static int fsl_mqs_runtime_resume(struct device *dev)
+ {
+ struct fsl_mqs *mqs_priv = dev_get_drvdata(dev);
++ int ret;
+
+- clk_prepare_enable(mqs_priv->ipg);
++ ret = clk_prepare_enable(mqs_priv->ipg);
++ if (ret) {
++ dev_err(dev, "failed to enable ipg clock\n");
++ return ret;
++ }
+
+- clk_prepare_enable(mqs_priv->mclk);
++ ret = clk_prepare_enable(mqs_priv->mclk);
++ if (ret) {
++ dev_err(dev, "failed to enable mclk clock\n");
++ clk_disable_unprepare(mqs_priv->ipg);
++ return ret;
++ }
+
+ if (mqs_priv->use_gpr)
+ regmap_write(mqs_priv->regmap, IOMUXC_GPR2,
+--
+2.25.1
+
--- /dev/null
+From d2230da81cd870e88aaae86592b4e5bdab5365ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Jul 2020 12:55:08 +0200
+Subject: bnxt_en: fix NULL dereference in case SR-IOV configuration fails
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+[ Upstream commit c8b1d7436045d3599bae56aef1682813ecccaad7 ]
+
+we need to set 'active_vfs' back to 0, if something goes wrong during the
+allocation of SR-IOV resources: otherwise, further VF configurations will
+wrongly assume that bp->pf.vf[x] are valid memory locations, and commands
+like the ones in the following sequence:
+
+ # echo 2 >/sys/bus/pci/devices/${ADDR}/sriov_numvfs
+ # ip link set dev ens1f0np0 up
+ # ip link set dev ens1f0np0 vf 0 trust on
+
+will cause a kernel crash similar to this:
+
+ bnxt_en 0000:3b:00.0: not enough MMIO resources for SR-IOV
+ BUG: kernel NULL pointer dereference, address: 0000000000000014
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: 0000 [#1] SMP PTI
+ CPU: 43 PID: 2059 Comm: ip Tainted: G I 5.8.0-rc2.upstream+ #871
+ Hardware name: Dell Inc. PowerEdge R740/08D89F, BIOS 2.2.11 06/13/2019
+ RIP: 0010:bnxt_set_vf_trust+0x5b/0x110 [bnxt_en]
+ Code: 44 24 58 31 c0 e8 f5 fb ff ff 85 c0 0f 85 b6 00 00 00 48 8d 1c 5b 41 89 c6 b9 0b 00 00 00 48 c1 e3 04 49 03 9c 24 f0 0e 00 00 <8b> 43 14 89 c2 83 c8 10 83 e2 ef 45 84 ed 49 89 e5 0f 44 c2 4c 89
+ RSP: 0018:ffffac6246a1f570 EFLAGS: 00010246
+ RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000000b
+ RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff98b28f538900
+ RBP: ffff98b28f538900 R08: 0000000000000000 R09: 0000000000000008
+ R10: ffffffffb9515be0 R11: ffffac6246a1f678 R12: ffff98b28f538000
+ R13: 0000000000000001 R14: 0000000000000000 R15: ffffffffc05451e0
+ FS: 00007fde0f688800(0000) GS:ffff98baffd40000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000014 CR3: 000000104bb0a003 CR4: 00000000007606e0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ PKRU: 55555554
+ Call Trace:
+ do_setlink+0x994/0xfe0
+ __rtnl_newlink+0x544/0x8d0
+ rtnl_newlink+0x47/0x70
+ rtnetlink_rcv_msg+0x29f/0x350
+ netlink_rcv_skb+0x4a/0x110
+ netlink_unicast+0x21d/0x300
+ netlink_sendmsg+0x329/0x450
+ sock_sendmsg+0x5b/0x60
+ ____sys_sendmsg+0x204/0x280
+ ___sys_sendmsg+0x88/0xd0
+ __sys_sendmsg+0x5e/0xa0
+ do_syscall_64+0x47/0x80
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: c0c050c58d840 ("bnxt_en: New Broadcom ethernet driver.")
+Reported-by: Fei Liu <feliu@redhat.com>
+CC: Jonathan Toppins <jtoppins@redhat.com>
+CC: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Reviewed-by: Michael Chan <michael.chan@broadcom.com>
+Acked-by: Jonathan Toppins <jtoppins@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c
+index cea2f9958a1df..2295f539a6414 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c
+@@ -396,6 +396,7 @@ static void bnxt_free_vf_resources(struct bnxt *bp)
+ }
+ }
+
++ bp->pf.active_vfs = 0;
+ kfree(bp->pf.vf);
+ bp->pf.vf = NULL;
+ }
+@@ -835,7 +836,6 @@ void bnxt_sriov_disable(struct bnxt *bp)
+
+ bnxt_free_vf_resources(bp);
+
+- bp->pf.active_vfs = 0;
+ /* Reclaim all resources for the PF. */
+ rtnl_lock();
+ bnxt_restore_pf_fw_resources(bp);
+--
+2.25.1
+
--- /dev/null
+From 7c089a07e0ef389bee519a3a1a272fc016d5bb01 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Jun 2020 15:20:39 -0700
+Subject: bpf: Do not allow btf_ctx_access with __int128 types
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+[ Upstream commit a9b59159d338d414acaa8e2f569d129d51c76452 ]
+
+To ensure btf_ctx_access() is safe the verifier checks that the BTF
+arg type is an int, enum, or pointer. When the function does the
+BTF arg lookup it uses the calculation 'arg = off / 8' using the
+fact that registers are 8B. This requires that the first arg is
+in the first reg, the second in the second, and so on. However,
+for __int128 the arg will consume two registers by default LLVM
+implementation. So this will cause the arg layout assumed by the
+'arg = off / 8' calculation to be incorrect.
+
+Because __int128 is uncommon this patch applies the easiest fix and
+will force int types to be sizeof(u64) or smaller so that they will
+fit in a single register.
+
+v2: remove unneeded parens per Andrii's feedback
+
+Fixes: 9e15db66136a1 ("bpf: Implement accurate raw_tp context access via BTF")
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Andrii Nakryiko <andriin@fb.com>
+Link: https://lore.kernel.org/bpf/159303723962.11287.13309537171132420717.stgit@john-Precision-5820-Tower
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/btf.h | 5 +++++
+ kernel/bpf/btf.c | 4 ++--
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/btf.h b/include/linux/btf.h
+index 5c1ea99b480fa..8b81fbb4497cf 100644
+--- a/include/linux/btf.h
++++ b/include/linux/btf.h
+@@ -82,6 +82,11 @@ static inline bool btf_type_is_int(const struct btf_type *t)
+ return BTF_INFO_KIND(t->info) == BTF_KIND_INT;
+ }
+
++static inline bool btf_type_is_small_int(const struct btf_type *t)
++{
++ return btf_type_is_int(t) && t->size <= sizeof(u64);
++}
++
+ static inline bool btf_type_is_enum(const struct btf_type *t)
+ {
+ return BTF_INFO_KIND(t->info) == BTF_KIND_ENUM;
+diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
+index d65c6912bdaf6..d1f5d428c9fe2 100644
+--- a/kernel/bpf/btf.c
++++ b/kernel/bpf/btf.c
+@@ -3744,7 +3744,7 @@ bool btf_ctx_access(int off, int size, enum bpf_access_type type,
+ return false;
+
+ t = btf_type_skip_modifiers(btf, t->type, NULL);
+- if (!btf_type_is_int(t)) {
++ if (!btf_type_is_small_int(t)) {
+ bpf_log(log,
+ "ret type %s not allowed for fmod_ret\n",
+ btf_kind_str[BTF_INFO_KIND(t->info)]);
+@@ -3766,7 +3766,7 @@ bool btf_ctx_access(int off, int size, enum bpf_access_type type,
+ /* skip modifiers */
+ while (btf_type_is_modifier(t))
+ t = btf_type_by_id(btf, t->type);
+- if (btf_type_is_int(t) || btf_type_is_enum(t))
++ if (btf_type_is_small_int(t) || btf_type_is_enum(t))
+ /* accessing a scalar */
+ return true;
+ if (!btf_type_is_ptr(t)) {
+--
+2.25.1
+
--- /dev/null
+From ab35b699f77973cd5dc34689751925f75eb3736b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Jun 2020 16:13:18 -0700
+Subject: bpf, sockmap: RCU dereferenced psock may be used outside RCU block
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+[ Upstream commit 8025751d4d55a2f32be6bdf825b6a80c299875f5 ]
+
+If an ingress verdict program specifies message sizes greater than
+skb->len and there is an ENOMEM error due to memory pressure we
+may call the rcv_msg handler outside the strp_data_ready() caller
+context. This is because on an ENOMEM error the strparser will
+retry from a workqueue. The caller currently protects the use of
+psock by calling the strp_data_ready() inside a rcu_read_lock/unlock
+block.
+
+But, in above workqueue error case the psock is accessed outside
+the read_lock/unlock block of the caller. So instead of using
+psock directly we must do a look up against the sk again to
+ensure the psock is available.
+
+There is an an ugly piece here where we must handle
+the case where we paused the strp and removed the psock. On
+psock removal we first pause the strparser and then remove
+the psock. If the strparser is paused while an skb is
+scheduled on the workqueue the skb will be dropped on the
+flow and kfree_skb() is called. If the workqueue manages
+to get called before we pause the strparser but runs the rcvmsg
+callback after the psock is removed we will hit the unlikely
+case where we run the sockmap rcvmsg handler but do not have
+a psock. For now we will follow strparser logic and drop the
+skb on the floor with skb_kfree(). This is ugly because the
+data is dropped. To date this has not caused problems in practice
+because either the application controlling the sockmap is
+coordinating with the datapath so that skbs are "flushed"
+before removal or we simply wait for the sock to be closed before
+removing it.
+
+This patch fixes the describe RCU bug and dropping the skb doesn't
+make things worse. Future patches will improve this by allowing
+the normal case where skbs are not merged to skip the strparser
+altogether. In practice many (most?) use cases have no need to
+merge skbs so its both a code complexity hit as seen above and
+a performance issue. For example, in the Cilium case we always
+set the strparser up to return sbks 1:1 without any merging and
+have avoided above issues.
+
+Fixes: e91de6afa81c1 ("bpf: Fix running sk_skb program types with ktls")
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Martin KaFai Lau <kafai@fb.com>
+Link: https://lore.kernel.org/bpf/159312679888.18340.15248924071966273998.stgit@john-XPS-13-9370
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/skmsg.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/net/core/skmsg.c b/net/core/skmsg.c
+index c41ab6906b210..6a32a1fd34f8c 100644
+--- a/net/core/skmsg.c
++++ b/net/core/skmsg.c
+@@ -781,11 +781,18 @@ static void sk_psock_verdict_apply(struct sk_psock *psock,
+
+ static void sk_psock_strp_read(struct strparser *strp, struct sk_buff *skb)
+ {
+- struct sk_psock *psock = sk_psock_from_strp(strp);
++ struct sk_psock *psock;
+ struct bpf_prog *prog;
+ int ret = __SK_DROP;
++ struct sock *sk;
+
+ rcu_read_lock();
++ sk = strp->sk;
++ psock = sk_psock(sk);
++ if (unlikely(!psock)) {
++ kfree_skb(skb);
++ goto out;
++ }
+ prog = READ_ONCE(psock->progs.skb_verdict);
+ if (likely(prog)) {
+ skb_orphan(skb);
+@@ -794,6 +801,7 @@ static void sk_psock_strp_read(struct strparser *strp, struct sk_buff *skb)
+ ret = sk_psock_map_verd(ret, tcp_skb_bpf_redirect_fetch(skb));
+ }
+ sk_psock_verdict_apply(psock, skb, ret);
++out:
+ rcu_read_unlock();
+ }
+
+--
+2.25.1
+
--- /dev/null
+From c0275cc5c194e722b5675106ce5def7aea817de9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Jun 2020 16:12:59 -0700
+Subject: bpf, sockmap: RCU splat with redirect and strparser error or TLS
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+[ Upstream commit 93dd5f185916b05e931cffae636596f21f98546e ]
+
+There are two paths to generate the below RCU splat the first and
+most obvious is the result of the BPF verdict program issuing a
+redirect on a TLS socket (This is the splat shown below). Unlike
+the non-TLS case the caller of the *strp_read() hooks does not
+wrap the call in a rcu_read_lock/unlock. Then if the BPF program
+issues a redirect action we hit the RCU splat.
+
+However, in the non-TLS socket case the splat appears to be
+relatively rare, because the skmsg caller into the strp_data_ready()
+is wrapped in a rcu_read_lock/unlock. Shown here,
+
+ static void sk_psock_strp_data_ready(struct sock *sk)
+ {
+ struct sk_psock *psock;
+
+ rcu_read_lock();
+ psock = sk_psock(sk);
+ if (likely(psock)) {
+ if (tls_sw_has_ctx_rx(sk)) {
+ psock->parser.saved_data_ready(sk);
+ } else {
+ write_lock_bh(&sk->sk_callback_lock);
+ strp_data_ready(&psock->parser.strp);
+ write_unlock_bh(&sk->sk_callback_lock);
+ }
+ }
+ rcu_read_unlock();
+ }
+
+If the above was the only way to run the verdict program we
+would be safe. But, there is a case where the strparser may throw an
+ENOMEM error while parsing the skb. This is a result of a failed
+skb_clone, or alloc_skb_for_msg while building a new merged skb when
+the msg length needed spans multiple skbs. This will in turn put the
+skb on the strp_wrk workqueue in the strparser code. The skb will
+later be dequeued and verdict programs run, but now from a
+different context without the rcu_read_lock()/unlock() critical
+section in sk_psock_strp_data_ready() shown above. In practice
+I have not seen this yet, because as far as I know most users of the
+verdict programs are also only working on single skbs. In this case no
+merge happens which could trigger the above ENOMEM errors. In addition
+the system would need to be under memory pressure. For example, we
+can't hit the above case in selftests because we missed having tests
+to merge skbs. (Added in later patch)
+
+To fix the below splat extend the rcu_read_lock/unnlock block to
+include the call to sk_psock_tls_verdict_apply(). This will fix both
+TLS redirect case and non-TLS redirect+error case. Also remove
+psock from the sk_psock_tls_verdict_apply() function signature its
+not used there.
+
+[ 1095.937597] WARNING: suspicious RCU usage
+[ 1095.940964] 5.7.0-rc7-02911-g463bac5f1ca79 #1 Tainted: G W
+[ 1095.944363] -----------------------------
+[ 1095.947384] include/linux/skmsg.h:284 suspicious rcu_dereference_check() usage!
+[ 1095.950866]
+[ 1095.950866] other info that might help us debug this:
+[ 1095.950866]
+[ 1095.957146]
+[ 1095.957146] rcu_scheduler_active = 2, debug_locks = 1
+[ 1095.961482] 1 lock held by test_sockmap/15970:
+[ 1095.964501] #0: ffff9ea6b25de660 (sk_lock-AF_INET){+.+.}-{0:0}, at: tls_sw_recvmsg+0x13a/0x840 [tls]
+[ 1095.968568]
+[ 1095.968568] stack backtrace:
+[ 1095.975001] CPU: 1 PID: 15970 Comm: test_sockmap Tainted: G W 5.7.0-rc7-02911-g463bac5f1ca79 #1
+[ 1095.977883] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
+[ 1095.980519] Call Trace:
+[ 1095.982191] dump_stack+0x8f/0xd0
+[ 1095.984040] sk_psock_skb_redirect+0xa6/0xf0
+[ 1095.986073] sk_psock_tls_strp_read+0x1d8/0x250
+[ 1095.988095] tls_sw_recvmsg+0x714/0x840 [tls]
+
+v2: Improve commit message to identify non-TLS redirect plus error case
+ condition as well as more common TLS case. In the process I decided
+ doing the rcu_read_unlock followed by the lock/unlock inside branches
+ was unnecessarily complex. We can just extend the current rcu block
+ and get the same effeective without the shuffling and branching.
+ Thanks Martin!
+
+Fixes: e91de6afa81c1 ("bpf: Fix running sk_skb program types with ktls")
+Reported-by: Jakub Sitnicki <jakub@cloudflare.com>
+Reported-by: kernel test robot <rong.a.chen@intel.com>
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Martin KaFai Lau <kafai@fb.com>
+Acked-by: Jakub Sitnicki <jakub@cloudflare.com>
+Link: https://lore.kernel.org/bpf/159312677907.18340.11064813152758406626.stgit@john-XPS-13-9370
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/skmsg.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/net/core/skmsg.c b/net/core/skmsg.c
+index 351afbf6bfbac..c41ab6906b210 100644
+--- a/net/core/skmsg.c
++++ b/net/core/skmsg.c
+@@ -683,7 +683,7 @@ static struct sk_psock *sk_psock_from_strp(struct strparser *strp)
+ return container_of(parser, struct sk_psock, parser);
+ }
+
+-static void sk_psock_skb_redirect(struct sk_psock *psock, struct sk_buff *skb)
++static void sk_psock_skb_redirect(struct sk_buff *skb)
+ {
+ struct sk_psock *psock_other;
+ struct sock *sk_other;
+@@ -715,12 +715,11 @@ static void sk_psock_skb_redirect(struct sk_psock *psock, struct sk_buff *skb)
+ }
+ }
+
+-static void sk_psock_tls_verdict_apply(struct sk_psock *psock,
+- struct sk_buff *skb, int verdict)
++static void sk_psock_tls_verdict_apply(struct sk_buff *skb, int verdict)
+ {
+ switch (verdict) {
+ case __SK_REDIRECT:
+- sk_psock_skb_redirect(psock, skb);
++ sk_psock_skb_redirect(skb);
+ break;
+ case __SK_PASS:
+ case __SK_DROP:
+@@ -741,8 +740,8 @@ int sk_psock_tls_strp_read(struct sk_psock *psock, struct sk_buff *skb)
+ ret = sk_psock_bpf_run(psock, prog, skb);
+ ret = sk_psock_map_verd(ret, tcp_skb_bpf_redirect_fetch(skb));
+ }
++ sk_psock_tls_verdict_apply(skb, ret);
+ rcu_read_unlock();
+- sk_psock_tls_verdict_apply(psock, skb, ret);
+ return ret;
+ }
+ EXPORT_SYMBOL_GPL(sk_psock_tls_strp_read);
+@@ -770,7 +769,7 @@ static void sk_psock_verdict_apply(struct sk_psock *psock,
+ }
+ goto out_free;
+ case __SK_REDIRECT:
+- sk_psock_skb_redirect(psock, skb);
++ sk_psock_skb_redirect(skb);
+ break;
+ case __SK_DROP:
+ /* fall-through */
+@@ -794,8 +793,8 @@ static void sk_psock_strp_read(struct strparser *strp, struct sk_buff *skb)
+ ret = sk_psock_bpf_run(psock, prog, skb);
+ ret = sk_psock_map_verd(ret, tcp_skb_bpf_redirect_fetch(skb));
+ }
+- rcu_read_unlock();
+ sk_psock_verdict_apply(psock, skb, ret);
++ rcu_read_unlock();
+ }
+
+ static int sk_psock_strp_read_done(struct strparser *strp, int err)
+--
+2.25.1
+
--- /dev/null
+From 76a71da4888d19a4771dcc0419e40118556516f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 Jun 2020 11:40:44 +0100
+Subject: btrfs: fix reclaim_size counter leak after stealing from global
+ reserve
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 6d548b9e5d56067cff17ff77585167cd65375e4b ]
+
+Commit 7f9fe614407692 ("btrfs: improve global reserve stealing logic"),
+added in the 5.8 merge window, introduced another leak for the space_info's
+reclaim_size counter. This is very often triggered by the test cases
+generic/269 and generic/416 from fstests, producing a stack trace like the
+following during unmount:
+
+[37079.155499] ------------[ cut here ]------------
+[37079.156844] WARNING: CPU: 2 PID: 2000423 at fs/btrfs/block-group.c:3422 btrfs_free_block_groups+0x2eb/0x300 [btrfs]
+[37079.158090] Modules linked in: dm_snapshot btrfs dm_thin_pool (...)
+[37079.164440] CPU: 2 PID: 2000423 Comm: umount Tainted: G W 5.7.0-rc7-btrfs-next-62 #1
+[37079.165422] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), (...)
+[37079.167384] RIP: 0010:btrfs_free_block_groups+0x2eb/0x300 [btrfs]
+[37079.168375] Code: bd 58 ff ff ff 00 4c 8d (...)
+[37079.170199] RSP: 0018:ffffaa53875c7de0 EFLAGS: 00010206
+[37079.171120] RAX: ffff98099e701cf8 RBX: ffff98099e2d4000 RCX: 0000000000000000
+[37079.172057] RDX: 0000000000000001 RSI: ffffffffc0acc5b1 RDI: 00000000ffffffff
+[37079.173002] RBP: ffff98099e701cf8 R08: 0000000000000000 R09: 0000000000000000
+[37079.173886] R10: 0000000000000000 R11: 0000000000000000 R12: ffff98099e701c00
+[37079.174730] R13: ffff98099e2d5100 R14: dead000000000122 R15: dead000000000100
+[37079.175578] FS: 00007f4d7d0a5840(0000) GS:ffff9809ec600000(0000) knlGS:0000000000000000
+[37079.176434] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[37079.177289] CR2: 0000559224dcc000 CR3: 000000012207a004 CR4: 00000000003606e0
+[37079.178152] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[37079.178935] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[37079.179675] Call Trace:
+[37079.180419] close_ctree+0x291/0x2d1 [btrfs]
+[37079.181162] generic_shutdown_super+0x6c/0x100
+[37079.181898] kill_anon_super+0x14/0x30
+[37079.182641] btrfs_kill_super+0x12/0x20 [btrfs]
+[37079.183371] deactivate_locked_super+0x31/0x70
+[37079.184012] cleanup_mnt+0x100/0x160
+[37079.184650] task_work_run+0x68/0xb0
+[37079.185284] exit_to_usermode_loop+0xf9/0x100
+[37079.185920] do_syscall_64+0x20d/0x260
+[37079.186556] entry_SYSCALL_64_after_hwframe+0x49/0xb3
+[37079.187197] RIP: 0033:0x7f4d7d2d9357
+[37079.187836] Code: eb 0b 00 f7 d8 64 89 01 48 (...)
+[37079.189180] RSP: 002b:00007ffee4e0d368 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
+[37079.189845] RAX: 0000000000000000 RBX: 00007f4d7d3fb224 RCX: 00007f4d7d2d9357
+[37079.190515] RDX: ffffffffffffff78 RSI: 0000000000000000 RDI: 0000559224dc5c90
+[37079.191173] RBP: 0000559224dc1970 R08: 0000000000000000 R09: 00007ffee4e0c0e0
+[37079.191815] R10: 0000559224dc7b00 R11: 0000000000000246 R12: 0000000000000000
+[37079.192451] R13: 0000559224dc5c90 R14: 0000559224dc1a80 R15: 0000559224dc1ba0
+[37079.193096] irq event stamp: 0
+[37079.193729] hardirqs last enabled at (0): [<0000000000000000>] 0x0
+[37079.194379] hardirqs last disabled at (0): [<ffffffff97ab8935>] copy_process+0x755/0x1ea0
+[37079.195033] softirqs last enabled at (0): [<ffffffff97ab8935>] copy_process+0x755/0x1ea0
+[37079.195700] softirqs last disabled at (0): [<0000000000000000>] 0x0
+[37079.196318] ---[ end trace b32710d864dea887 ]---
+
+In the past commit d611add48b717a ("btrfs: fix reclaim counter leak of
+space_info objects") fixed similar cases. That commit however has a date
+more recent (April 7 2020) then the commit mentioned before (March 13
+2020), however it was merged in kernel 5.7 while the older commit, which
+introduces a new leak, was merged only in the 5.8 merge window. So the
+leak sneaked in unnoticed.
+
+Fix this by making steal_from_global_rsv() remove the ticket using the
+helper remove_ticket(), which decrements the reclaim_size counter of the
+space_info object.
+
+Fixes: 7f9fe614407692 ("btrfs: improve global reserve stealing logic")
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/space-info.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c
+index eee6748c49e4e..756950aba1a66 100644
+--- a/fs/btrfs/space-info.c
++++ b/fs/btrfs/space-info.c
+@@ -879,8 +879,8 @@ static bool steal_from_global_rsv(struct btrfs_fs_info *fs_info,
+ return false;
+ }
+ global_rsv->reserved -= ticket->bytes;
++ remove_ticket(space_info, ticket);
+ ticket->bytes = 0;
+- list_del_init(&ticket->list);
+ wake_up(&ticket->wait);
+ space_info->tickets_id++;
+ if (global_rsv->reserved < global_rsv->size)
+--
+2.25.1
+
--- /dev/null
+From f7719bca3250d3732a7088f8b54e12bc774d2be1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Jul 2020 03:14:27 +0530
+Subject: cxgb4: fix all-mask IP address comparison
+
+From: Rahul Lakkireddy <rahul.lakkireddy@chelsio.com>
+
+[ Upstream commit 76c4d85c9260c3d741cbd194c30c61983d0a4303 ]
+
+Convert all-mask IP address to Big Endian, instead, for comparison.
+
+Fixes: f286dd8eaad5 ("cxgb4: use correct type for all-mask IP address comparison")
+Signed-off-by: Rahul Lakkireddy <rahul.lakkireddy@chelsio.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c
+index 7a7f61a8cdf40..d02d346629b36 100644
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c
+@@ -1112,16 +1112,16 @@ static bool is_addr_all_mask(u8 *ipmask, int family)
+ struct in_addr *addr;
+
+ addr = (struct in_addr *)ipmask;
+- if (ntohl(addr->s_addr) == 0xffffffff)
++ if (addr->s_addr == htonl(0xffffffff))
+ return true;
+ } else if (family == AF_INET6) {
+ struct in6_addr *addr6;
+
+ addr6 = (struct in6_addr *)ipmask;
+- if (ntohl(addr6->s6_addr32[0]) == 0xffffffff &&
+- ntohl(addr6->s6_addr32[1]) == 0xffffffff &&
+- ntohl(addr6->s6_addr32[2]) == 0xffffffff &&
+- ntohl(addr6->s6_addr32[3]) == 0xffffffff)
++ if (addr6->s6_addr32[0] == htonl(0xffffffff) &&
++ addr6->s6_addr32[1] == htonl(0xffffffff) &&
++ addr6->s6_addr32[2] == htonl(0xffffffff) &&
++ addr6->s6_addr32[3] == htonl(0xffffffff))
+ return true;
+ }
+ return false;
+--
+2.25.1
+
--- /dev/null
+From 0aecae61df0fc093c2e58e24c01f05c14ccf1aab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jun 2020 23:57:53 +0800
+Subject: drm/mediatek: Check plane visibility in atomic_update
+
+From: Hsin-Yi Wang <hsinyi@chromium.org>
+
+[ Upstream commit c0b8892e2461b5fa740e47efbb1269a487b04020 ]
+
+Disable the plane if it's not visible. Otherwise mtk_ovl_layer_config()
+would proceed with invalid plane and we may see vblank timeout.
+
+Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.")
+Signed-off-by: Hsin-Yi Wang <hsinyi@chromium.org>
+Reviewed-by: Tomasz Figa <tfiga@chromium.org>
+Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/mediatek/mtk_drm_plane.c | 25 ++++++++++++++----------
+ 1 file changed, 15 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/gpu/drm/mediatek/mtk_drm_plane.c b/drivers/gpu/drm/mediatek/mtk_drm_plane.c
+index c2bd683a87c82..92141a19681b9 100644
+--- a/drivers/gpu/drm/mediatek/mtk_drm_plane.c
++++ b/drivers/gpu/drm/mediatek/mtk_drm_plane.c
+@@ -164,6 +164,16 @@ static int mtk_plane_atomic_check(struct drm_plane *plane,
+ true, true);
+ }
+
++static void mtk_plane_atomic_disable(struct drm_plane *plane,
++ struct drm_plane_state *old_state)
++{
++ struct mtk_plane_state *state = to_mtk_plane_state(plane->state);
++
++ state->pending.enable = false;
++ wmb(); /* Make sure the above parameter is set before update */
++ state->pending.dirty = true;
++}
++
+ static void mtk_plane_atomic_update(struct drm_plane *plane,
+ struct drm_plane_state *old_state)
+ {
+@@ -178,6 +188,11 @@ static void mtk_plane_atomic_update(struct drm_plane *plane,
+ if (!crtc || WARN_ON(!fb))
+ return;
+
++ if (!plane->state->visible) {
++ mtk_plane_atomic_disable(plane, old_state);
++ return;
++ }
++
+ gem = fb->obj[0];
+ mtk_gem = to_mtk_gem_obj(gem);
+ addr = mtk_gem->dma_addr;
+@@ -200,16 +215,6 @@ static void mtk_plane_atomic_update(struct drm_plane *plane,
+ state->pending.dirty = true;
+ }
+
+-static void mtk_plane_atomic_disable(struct drm_plane *plane,
+- struct drm_plane_state *old_state)
+-{
+- struct mtk_plane_state *state = to_mtk_plane_state(plane->state);
+-
+- state->pending.enable = false;
+- wmb(); /* Make sure the above parameter is set before update */
+- state->pending.dirty = true;
+-}
+-
+ static const struct drm_plane_helper_funcs mtk_plane_helper_funcs = {
+ .prepare_fb = drm_gem_fb_prepare_fb,
+ .atomic_check = mtk_plane_atomic_check,
+--
+2.25.1
+
--- /dev/null
+From 6dc0075d485bdf00da762331cad72c5b78559818 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 20 Jun 2020 17:57:52 +0200
+Subject: drm/meson: viu: fix setting the OSD burst length in
+ VIU_OSD1_FIFO_CTRL_STAT
+
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+
+[ Upstream commit 17f64701ea6f541db7eb5d7423a830cb929b3052 ]
+
+The burst length is configured in VIU_OSD1_FIFO_CTRL_STAT[31] and
+VIU_OSD1_FIFO_CTRL_STAT[11:10]. The public S905D3 datasheet describes
+this as:
+- 0x0 = up to 24 per burst
+- 0x1 = up to 32 per burst
+- 0x2 = up to 48 per burst
+- 0x3 = up to 64 per burst
+- 0x4 = up to 96 per burst
+- 0x5 = up to 128 per burst
+
+The lower two bits map to VIU_OSD1_FIFO_CTRL_STAT[11:10] while the upper
+bit maps to VIU_OSD1_FIFO_CTRL_STAT[31].
+
+Replace meson_viu_osd_burst_length_reg() with pre-defined macros which
+set these values. meson_viu_osd_burst_length_reg() always returned 0
+(for the two used values: 32 and 64 at least) and thus incorrectly set
+the burst size to 24.
+
+Fixes: 147ae1cbaa1842 ("drm: meson: viu: use proper macros instead of magic constants")
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+Reviewed-by: Neil Armstrong <narmstrong@baylibre.com>
+Tested-by: Christian Hewitt <christianshewitt@gmail.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200620155752.21065-1-martin.blumenstingl@googlemail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/meson/meson_registers.h | 6 ++++++
+ drivers/gpu/drm/meson/meson_viu.c | 11 ++---------
+ 2 files changed, 8 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/gpu/drm/meson/meson_registers.h b/drivers/gpu/drm/meson/meson_registers.h
+index 8ea00546cd4e2..049c4bfe2a3ae 100644
+--- a/drivers/gpu/drm/meson/meson_registers.h
++++ b/drivers/gpu/drm/meson/meson_registers.h
+@@ -261,6 +261,12 @@
+ #define VIU_OSD_FIFO_DEPTH_VAL(val) ((val & 0x7f) << 12)
+ #define VIU_OSD_WORDS_PER_BURST(words) (((words & 0x4) >> 1) << 22)
+ #define VIU_OSD_FIFO_LIMITS(size) ((size & 0xf) << 24)
++#define VIU_OSD_BURST_LENGTH_24 (0x0 << 31 | 0x0 << 10)
++#define VIU_OSD_BURST_LENGTH_32 (0x0 << 31 | 0x1 << 10)
++#define VIU_OSD_BURST_LENGTH_48 (0x0 << 31 | 0x2 << 10)
++#define VIU_OSD_BURST_LENGTH_64 (0x0 << 31 | 0x3 << 10)
++#define VIU_OSD_BURST_LENGTH_96 (0x1 << 31 | 0x0 << 10)
++#define VIU_OSD_BURST_LENGTH_128 (0x1 << 31 | 0x1 << 10)
+
+ #define VD1_IF0_GEN_REG 0x1a50
+ #define VD1_IF0_CANVAS0 0x1a51
+diff --git a/drivers/gpu/drm/meson/meson_viu.c b/drivers/gpu/drm/meson/meson_viu.c
+index 304f8ff1339cb..aede0c67a57f0 100644
+--- a/drivers/gpu/drm/meson/meson_viu.c
++++ b/drivers/gpu/drm/meson/meson_viu.c
+@@ -411,13 +411,6 @@ void meson_viu_gxm_disable_osd1_afbc(struct meson_drm *priv)
+ priv->io_base + _REG(VIU_MISC_CTRL1));
+ }
+
+-static inline uint32_t meson_viu_osd_burst_length_reg(uint32_t length)
+-{
+- uint32_t val = (((length & 0x80) % 24) / 12);
+-
+- return (((val & 0x3) << 10) | (((val & 0x4) >> 2) << 31));
+-}
+-
+ void meson_viu_init(struct meson_drm *priv)
+ {
+ uint32_t reg;
+@@ -444,9 +437,9 @@ void meson_viu_init(struct meson_drm *priv)
+ VIU_OSD_FIFO_LIMITS(2); /* fifo_lim: 2*16=32 */
+
+ if (meson_vpu_is_compatible(priv, VPU_COMPATIBLE_G12A))
+- reg |= meson_viu_osd_burst_length_reg(32);
++ reg |= VIU_OSD_BURST_LENGTH_32;
+ else
+- reg |= meson_viu_osd_burst_length_reg(64);
++ reg |= VIU_OSD_BURST_LENGTH_64;
+
+ writel_relaxed(reg, priv->io_base + _REG(VIU_OSD1_FIFO_CTRL_STAT));
+ writel_relaxed(reg, priv->io_base + _REG(VIU_OSD2_FIFO_CTRL_STAT));
+--
+2.25.1
+
--- /dev/null
+From f99a72fa72ad0db844e4633a318b94f483cbc538 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Jun 2020 16:40:35 +0300
+Subject: gpio: pca953x: Fix direction setting when configure an IRQ
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 0b22c25e1b81c5f718e89c4d759e6a359be24417 ]
+
+The commit 0f25fda840a9 ("gpio: pca953x: Zap ad-hoc reg_direction cache")
+seems inadvertently made a typo in pca953x_irq_bus_sync_unlock().
+
+When the direction bit is 1 it means input, and the piece of code in question
+was looking for output ones that should be turned to inputs.
+
+Fix direction setting when configure an IRQ by injecting a bitmap complement
+operation.
+
+Fixes: 0f25fda840a9 ("gpio: pca953x: Zap ad-hoc reg_direction cache")
+Depends-on: 35d13d94893f ("gpio: pca953x: convert to use bitmap API")
+Cc: Marek Vasut <marek.vasut@gmail.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-pca953x.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpio/gpio-pca953x.c b/drivers/gpio/gpio-pca953x.c
+index 8571e54512476..a10411958e3f2 100644
+--- a/drivers/gpio/gpio-pca953x.c
++++ b/drivers/gpio/gpio-pca953x.c
+@@ -686,8 +686,6 @@ static void pca953x_irq_bus_sync_unlock(struct irq_data *d)
+ DECLARE_BITMAP(reg_direction, MAX_LINE);
+ int level;
+
+- pca953x_read_regs(chip, chip->regs->direction, reg_direction);
+-
+ if (chip->driver_data & PCA_PCAL) {
+ /* Enable latch on interrupt-enabled inputs */
+ pca953x_write_regs(chip, PCAL953X_IN_LATCH, chip->irq_mask);
+@@ -698,7 +696,11 @@ static void pca953x_irq_bus_sync_unlock(struct irq_data *d)
+ pca953x_write_regs(chip, PCAL953X_INT_MASK, irq_mask);
+ }
+
++ /* Switch direction to input if needed */
++ pca953x_read_regs(chip, chip->regs->direction, reg_direction);
++
+ bitmap_or(irq_mask, chip->irq_trig_fall, chip->irq_trig_raise, gc->ngpio);
++ bitmap_complement(reg_direction, reg_direction, gc->ngpio);
+ bitmap_and(irq_mask, irq_mask, reg_direction, gc->ngpio);
+
+ /* Look for any newly setup interrupt */
+--
+2.25.1
+
--- /dev/null
+From a4c6f5f54db1de0606aca268229b5d80ee19b29c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Jun 2020 14:49:06 +0300
+Subject: gpio: pca953x: Fix GPIO resource leak on Intel Galileo Gen 2
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 5d8913504ccfeea6120df5ae1c6f4479ff09b931 ]
+
+When adding a quirk for IRQ on Intel Galileo Gen 2 the commit ba8c90c61847
+("gpio: pca953x: Override IRQ for one of the expanders on Galileo Gen 2")
+missed GPIO resource release. We can safely do this in the same quirk, since
+IRQ will be locked by GPIO framework when requested and unlocked on freeing.
+
+Fixes: ba8c90c61847 ("gpio: pca953x: Override IRQ for one of the expanders on Galileo Gen 2")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: Mika Westerberg <mika.westerberg@linux.intel.com>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-pca953x.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpio/gpio-pca953x.c b/drivers/gpio/gpio-pca953x.c
+index a10411958e3f2..48bea0997e70c 100644
+--- a/drivers/gpio/gpio-pca953x.c
++++ b/drivers/gpio/gpio-pca953x.c
+@@ -176,7 +176,12 @@ static int pca953x_acpi_get_irq(struct device *dev)
+ if (ret)
+ return ret;
+
+- return gpio_to_irq(pin);
++ ret = gpio_to_irq(pin);
++
++ /* When pin is used as an IRQ, no need to keep it requested */
++ gpio_free(pin);
++
++ return ret;
+ }
+ #endif
+
+--
+2.25.1
+
--- /dev/null
+From e4bef1b85839f0478139cefb9aa512ab926b247c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Jun 2020 16:40:34 +0300
+Subject: gpio: pca953x: Override IRQ for one of the expanders on Galileo Gen 2
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit ba8c90c6184784b397807b72403656085ac2f8c1 ]
+
+ACPI table on Intel Galileo Gen 2 has wrong pin number for IRQ resource
+of one of the I²C GPIO expanders. Since we know what that number is and
+luckily have GPIO bases fixed for SoC's controllers, we may use a simple
+DMI quirk to match the platform and retrieve GpioInt() pin on it for
+the expander in question.
+
+Mika suggested the way to avoid a quirk in the GPIO ACPI library and
+here is the second, almost rewritten version of it.
+
+Fixes: f32517bf1ae0 ("gpio: pca953x: support ACPI devices found on Galileo Gen2")
+Depends-on: 25e3ef894eef ("gpio: acpi: Split out acpi_gpio_get_irq_resource() helper")
+Suggested-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-pca953x.c | 79 +++++++++++++++++++++++++++++++++++++
+ 1 file changed, 79 insertions(+)
+
+diff --git a/drivers/gpio/gpio-pca953x.c b/drivers/gpio/gpio-pca953x.c
+index d8ba6c5195be7..8571e54512476 100644
+--- a/drivers/gpio/gpio-pca953x.c
++++ b/drivers/gpio/gpio-pca953x.c
+@@ -107,6 +107,79 @@ static const struct i2c_device_id pca953x_id[] = {
+ };
+ MODULE_DEVICE_TABLE(i2c, pca953x_id);
+
++#ifdef CONFIG_GPIO_PCA953X_IRQ
++
++#include <linux/dmi.h>
++#include <linux/gpio.h>
++#include <linux/list.h>
++
++static const struct dmi_system_id pca953x_dmi_acpi_irq_info[] = {
++ {
++ /*
++ * On Intel Galileo Gen 2 board the IRQ pin of one of
++ * the I²C GPIO expanders, which has GpioInt() resource,
++ * is provided as an absolute number instead of being
++ * relative. Since first controller (gpio-sch.c) and
++ * second (gpio-dwapb.c) are at the fixed bases, we may
++ * safely refer to the number in the global space to get
++ * an IRQ out of it.
++ */
++ .matches = {
++ DMI_EXACT_MATCH(DMI_BOARD_NAME, "GalileoGen2"),
++ },
++ },
++ {}
++};
++
++#ifdef CONFIG_ACPI
++static int pca953x_acpi_get_pin(struct acpi_resource *ares, void *data)
++{
++ struct acpi_resource_gpio *agpio;
++ int *pin = data;
++
++ if (acpi_gpio_get_irq_resource(ares, &agpio))
++ *pin = agpio->pin_table[0];
++ return 1;
++}
++
++static int pca953x_acpi_find_pin(struct device *dev)
++{
++ struct acpi_device *adev = ACPI_COMPANION(dev);
++ int pin = -ENOENT, ret;
++ LIST_HEAD(r);
++
++ ret = acpi_dev_get_resources(adev, &r, pca953x_acpi_get_pin, &pin);
++ acpi_dev_free_resource_list(&r);
++ if (ret < 0)
++ return ret;
++
++ return pin;
++}
++#else
++static inline int pca953x_acpi_find_pin(struct device *dev) { return -ENXIO; }
++#endif
++
++static int pca953x_acpi_get_irq(struct device *dev)
++{
++ int pin, ret;
++
++ pin = pca953x_acpi_find_pin(dev);
++ if (pin < 0)
++ return pin;
++
++ dev_info(dev, "Applying ACPI interrupt quirk (GPIO %d)\n", pin);
++
++ if (!gpio_is_valid(pin))
++ return -EINVAL;
++
++ ret = gpio_request(pin, "pca953x interrupt");
++ if (ret)
++ return ret;
++
++ return gpio_to_irq(pin);
++}
++#endif
++
+ static const struct acpi_device_id pca953x_acpi_ids[] = {
+ { "INT3491", 16 | PCA953X_TYPE | PCA_LATCH_INT, },
+ { }
+@@ -744,6 +817,12 @@ static int pca953x_irq_setup(struct pca953x_chip *chip, int irq_base)
+ DECLARE_BITMAP(irq_stat, MAX_LINE);
+ int ret;
+
++ if (dmi_first_match(pca953x_dmi_acpi_irq_info)) {
++ ret = pca953x_acpi_get_irq(&client->dev);
++ if (ret > 0)
++ client->irq = ret;
++ }
++
+ if (!client->irq)
+ return 0;
+
+--
+2.25.1
+
--- /dev/null
+From 3b1aec5087e2ad1c2504fdbe4a96a3ad358c4087 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Jun 2020 16:40:33 +0300
+Subject: gpio: pca953x: Synchronize interrupt handler properly
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 064c73afe7385de99e5b2785b88c83dc5d84403b ]
+
+Since the commit aa58a21ae378 ("gpio: pca953x: disable regmap locking")
+the locking of regmap is disabled and that immediately introduces
+a synchronization issue. It's easy to see when we try to monitor
+more than one interrupt from the same chip.
+
+It seems that the problem exists from the day one and even commit
+6e20fb18054c ("drivers/gpio/pca953x.c: add a mutex to fix race condition")
+missed this.
+
+Below are the traces and shell reproducers before and after proposed change.
+Note duplicates in the IRQ events. /proc/interrupts also shows a deviation,
+i.e. sum of children interrupts higher than parent's one.
+
+When locking is disabled for regmap and no protection in IRQ handler
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ ...
+ gpioset-194 regmap_hw_write_start: i2c-INT3491:02 reg=2 count=1
+ irq/31-i2c-INT3-139 regmap_hw_read_start: i2c-INT3491:02 reg=4c count=2
+ gpioset-194 regmap_hw_write_done: i2c-INT3491:02 reg=2 count=1
+ gpioset-194 regmap_reg_read_cache: i2c-INT3491:02 reg=6 val=f5
+ gpioset-194 regmap_reg_write: i2c-INT3491:02 reg=6 val=f5
+ gpioset-194 regmap_hw_write_start: i2c-INT3491:02 reg=6 count=1
+ irq/31-i2c-INT3-139 regmap_hw_read_done: i2c-INT3491:02 reg=4c count=2
+ ...
+
+ % gpiomon gpiochip3 0 &
+ % gpioset gpiochip3 1=0
+ % gpioset gpiochip3 1=1
+ event: RISING EDGE offset: 0 timestamp: [ 302.782583765]
+ % gpiomon gpiochip3 2 &
+ % gpioset gpiochip3 1=0
+ event: RISING EDGE offset: 2 timestamp: [ 312.033148829]
+ event: FALLING EDGE offset: 0 timestamp: [ 312.022757525]
+ % gpioset gpiochip3 1=1
+ event: RISING EDGE offset: 2 timestamp: [ 316.201148473]
+ event: RISING EDGE offset: 0 timestamp: [ 316.191759599]
+
+When locking is disabled for regmap and protection in IRQ handler
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ ...
+ gpioset-202 regmap_hw_write_start: i2c-INT3491:02 reg=2 count=1
+ gpioset-202 regmap_hw_write_done: i2c-INT3491:02 reg=2 count=1
+ gpioset-202 regmap_reg_read_cache: i2c-INT3491:02 reg=6 val=fd
+ gpioset-202 regmap_reg_write: i2c-INT3491:02 reg=6 val=fd
+ gpioset-202 regmap_hw_write_start: i2c-INT3491:02 reg=6 count=1
+ gpioset-202 regmap_hw_write_done: i2c-INT3491:02 reg=6 count=1
+ irq/31-i2c-INT3-139 regmap_hw_read_start: i2c-INT3491:02 reg=4c count=2
+ irq/31-i2c-INT3-139 regmap_hw_read_done: i2c-INT3491:02 reg=4c count=2
+ ...
+
+ % gpiomon gpiochip3 0 &
+ % gpioset gpiochip3 1=0
+ event: FALLING EDGE offset: 0 timestamp: [ 531.330078107]
+ % gpioset gpiochip3 1=1
+ event: RISING EDGE offset: 0 timestamp: [ 532.912239128]
+ % gpiomon gpiochip3 2 &
+ % gpioset gpiochip3 1=0
+ event: FALLING EDGE offset: 0 timestamp: [ 539.633669484]
+ % gpioset gpiochip3 1=1
+ event: RISING EDGE offset: 0 timestamp: [ 542.256978461]
+
+Fixes: 6e20fb18054c ("drivers/gpio/pca953x.c: add a mutex to fix race condition")
+Depends-on: 35d13d94893f ("gpio: pca953x: convert to use bitmap API")
+Depends-on: 49427232764d ("gpio: pca953x: Perform basic regmap conversion")
+Cc: Marek Vasut <marek.vasut@gmail.com>
+Cc: Roland Stigge <stigge@antcom.de>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-pca953x.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpio/gpio-pca953x.c b/drivers/gpio/gpio-pca953x.c
+index 01011a780688a..d8ba6c5195be7 100644
+--- a/drivers/gpio/gpio-pca953x.c
++++ b/drivers/gpio/gpio-pca953x.c
+@@ -724,14 +724,16 @@ static irqreturn_t pca953x_irq_handler(int irq, void *devid)
+ struct gpio_chip *gc = &chip->gpio_chip;
+ DECLARE_BITMAP(pending, MAX_LINE);
+ int level;
++ bool ret;
+
+- if (!pca953x_irq_pending(chip, pending))
+- return IRQ_NONE;
++ mutex_lock(&chip->i2c_lock);
++ ret = pca953x_irq_pending(chip, pending);
++ mutex_unlock(&chip->i2c_lock);
+
+ for_each_set_bit(level, pending, gc->ngpio)
+ handle_nested_irq(irq_find_mapping(gc->irq.domain, level));
+
+- return IRQ_HANDLED;
++ return IRQ_RETVAL(ret);
+ }
+
+ static int pca953x_irq_setup(struct pca953x_chip *chip, int irq_base)
+--
+2.25.1
+
--- /dev/null
+From 66858e95f56b3551e9fff85010a84a9c8717f681 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Jul 2020 14:06:11 +0300
+Subject: IB/mlx5: Fix 50G per lane indication
+
+From: Aya Levin <ayal@mellanox.com>
+
+[ Upstream commit 530c8632b547ff72f11ff83654b22462a73f1f7b ]
+
+Some released FW versions mistakenly don't set the capability that 50G per
+lane link-modes are supported for VFs (ptys_extended_ethernet capability
+bit).
+
+Use PTYS.ext_eth_proto_capability instead, as this indication is always
+accurate. If PTYS.ext_eth_proto_capability is valid
+(has a non-zero value) conclude that the HCA supports 50G per lane.
+
+Otherwise, conclude that the HCA doesn't support 50G per lane.
+
+Fixes: 08e8676f1607 ("IB/mlx5: Add support for 50Gbps per lane link modes")
+Link: https://lore.kernel.org/r/20200707110612.882962-3-leon@kernel.org
+Signed-off-by: Aya Levin <ayal@mellanox.com>
+Reviewed-by: Eran Ben Elisha <eranbe@mellanox.com>
+Reviewed-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c
+index 6679756506e60..820e407b3e260 100644
+--- a/drivers/infiniband/hw/mlx5/main.c
++++ b/drivers/infiniband/hw/mlx5/main.c
+@@ -515,7 +515,7 @@ static int mlx5_query_port_roce(struct ib_device *device, u8 port_num,
+ mdev_port_num);
+ if (err)
+ goto out;
+- ext = MLX5_CAP_PCAM_FEATURE(dev->mdev, ptys_extended_ethernet);
++ ext = !!MLX5_GET_ETH_PROTO(ptys_reg, out, true, eth_proto_capability);
+ eth_prot_oper = MLX5_GET_ETH_PROTO(ptys_reg, out, ext, eth_proto_oper);
+
+ props->active_width = IB_WIDTH_4X;
+--
+2.25.1
+
--- /dev/null
+From 6c31a61bdb42c1288d4a166c9e5042f4e144a20f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Jun 2020 19:13:09 -0700
+Subject: IB/sa: Resolv use-after-free in ib_nl_make_request()
+
+From: Divya Indi <divya.indi@oracle.com>
+
+[ Upstream commit f427f4d6214c183c474eeb46212d38e6c7223d6a ]
+
+There is a race condition where ib_nl_make_request() inserts the request
+data into the linked list but the timer in ib_nl_request_timeout() can see
+it and destroy it before ib_nl_send_msg() is done touching it. This could
+happen, for instance, if there is a long delay allocating memory during
+nlmsg_new()
+
+This causes a use-after-free in the send_mad() thread:
+
+ [<ffffffffa02f43cb>] ? ib_pack+0x17b/0x240 [ib_core]
+ [ <ffffffffa032aef1>] ib_sa_path_rec_get+0x181/0x200 [ib_sa]
+ [<ffffffffa0379db0>] rdma_resolve_route+0x3c0/0x8d0 [rdma_cm]
+ [<ffffffffa0374450>] ? cma_bind_port+0xa0/0xa0 [rdma_cm]
+ [<ffffffffa040f850>] ? rds_rdma_cm_event_handler_cmn+0x850/0x850 [rds_rdma]
+ [<ffffffffa040f22c>] rds_rdma_cm_event_handler_cmn+0x22c/0x850 [rds_rdma]
+ [<ffffffffa040f860>] rds_rdma_cm_event_handler+0x10/0x20 [rds_rdma]
+ [<ffffffffa037778e>] addr_handler+0x9e/0x140 [rdma_cm]
+ [<ffffffffa026cdb4>] process_req+0x134/0x190 [ib_addr]
+ [<ffffffff810a02f9>] process_one_work+0x169/0x4a0
+ [<ffffffff810a0b2b>] worker_thread+0x5b/0x560
+ [<ffffffff810a0ad0>] ? flush_delayed_work+0x50/0x50
+ [<ffffffff810a68fb>] kthread+0xcb/0xf0
+ [<ffffffff816ec49a>] ? __schedule+0x24a/0x810
+ [<ffffffff816ec49a>] ? __schedule+0x24a/0x810
+ [<ffffffff810a6830>] ? kthread_create_on_node+0x180/0x180
+ [<ffffffff816f25a7>] ret_from_fork+0x47/0x90
+ [<ffffffff810a6830>] ? kthread_create_on_node+0x180/0x180
+
+The ownership rule is once the request is on the list, ownership transfers
+to the list and the local thread can't touch it any more, just like for
+the normal MAD case in send_mad().
+
+Thus, instead of adding before send and then trying to delete after on
+errors, move the entire thing under the spinlock so that the send and
+update of the lists are atomic to the conurrent threads. Lightly reoganize
+things so spinlock safe memory allocations are done in the final NL send
+path and the rest of the setup work is done before and outside the lock.
+
+Fixes: 3ebd2fd0d011 ("IB/sa: Put netlink request into the request list before sending")
+Link: https://lore.kernel.org/r/1592964789-14533-1-git-send-email-divya.indi@oracle.com
+Signed-off-by: Divya Indi <divya.indi@oracle.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/sa_query.c | 38 +++++++++++++-----------------
+ 1 file changed, 17 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/infiniband/core/sa_query.c b/drivers/infiniband/core/sa_query.c
+index 74e0058fcf9e1..0c14ab2244d47 100644
+--- a/drivers/infiniband/core/sa_query.c
++++ b/drivers/infiniband/core/sa_query.c
+@@ -829,13 +829,20 @@ static int ib_nl_get_path_rec_attrs_len(ib_sa_comp_mask comp_mask)
+ return len;
+ }
+
+-static int ib_nl_send_msg(struct ib_sa_query *query, gfp_t gfp_mask)
++static int ib_nl_make_request(struct ib_sa_query *query, gfp_t gfp_mask)
+ {
+ struct sk_buff *skb = NULL;
+ struct nlmsghdr *nlh;
+ void *data;
+ struct ib_sa_mad *mad;
+ int len;
++ unsigned long flags;
++ unsigned long delay;
++ gfp_t gfp_flag;
++ int ret;
++
++ INIT_LIST_HEAD(&query->list);
++ query->seq = (u32)atomic_inc_return(&ib_nl_sa_request_seq);
+
+ mad = query->mad_buf->mad;
+ len = ib_nl_get_path_rec_attrs_len(mad->sa_hdr.comp_mask);
+@@ -860,36 +867,25 @@ static int ib_nl_send_msg(struct ib_sa_query *query, gfp_t gfp_mask)
+ /* Repair the nlmsg header length */
+ nlmsg_end(skb, nlh);
+
+- return rdma_nl_multicast(&init_net, skb, RDMA_NL_GROUP_LS, gfp_mask);
+-}
++ gfp_flag = ((gfp_mask & GFP_ATOMIC) == GFP_ATOMIC) ? GFP_ATOMIC :
++ GFP_NOWAIT;
+
+-static int ib_nl_make_request(struct ib_sa_query *query, gfp_t gfp_mask)
+-{
+- unsigned long flags;
+- unsigned long delay;
+- int ret;
++ spin_lock_irqsave(&ib_nl_request_lock, flags);
++ ret = rdma_nl_multicast(&init_net, skb, RDMA_NL_GROUP_LS, gfp_flag);
+
+- INIT_LIST_HEAD(&query->list);
+- query->seq = (u32)atomic_inc_return(&ib_nl_sa_request_seq);
++ if (ret)
++ goto out;
+
+- /* Put the request on the list first.*/
+- spin_lock_irqsave(&ib_nl_request_lock, flags);
++ /* Put the request on the list.*/
+ delay = msecs_to_jiffies(sa_local_svc_timeout_ms);
+ query->timeout = delay + jiffies;
+ list_add_tail(&query->list, &ib_nl_request_list);
+ /* Start the timeout if this is the only request */
+ if (ib_nl_request_list.next == &query->list)
+ queue_delayed_work(ib_nl_wq, &ib_nl_timed_work, delay);
+- spin_unlock_irqrestore(&ib_nl_request_lock, flags);
+
+- ret = ib_nl_send_msg(query, gfp_mask);
+- if (ret) {
+- ret = -EIO;
+- /* Remove the request */
+- spin_lock_irqsave(&ib_nl_request_lock, flags);
+- list_del(&query->list);
+- spin_unlock_irqrestore(&ib_nl_request_lock, flags);
+- }
++out:
++ spin_unlock_irqrestore(&ib_nl_request_lock, flags);
+
+ return ret;
+ }
+--
+2.25.1
+
--- /dev/null
+From 3646fff269439041b6b4f9e9e596fade063e6e23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Jul 2020 14:13:26 -0700
+Subject: ionic: centralize queue reset code
+
+From: Shannon Nelson <snelson@pensando.io>
+
+[ Upstream commit 086c18f2452d0028f81e319f098bcb8e53133dbf ]
+
+The queue reset pattern is used in a couple different places,
+only slightly different from each other, and could cause
+issues if one gets changed and the other didn't. This puts
+them together so that only one version is needed, yet each
+can have slighty different effects by passing in a pointer
+to a work function to do whatever configuration twiddling is
+needed in the middle of the reset.
+
+This specifically addresses issues seen where under loops
+of changing ring size or queue count parameters we could
+occasionally bump into the netdev watchdog.
+
+v2: added more commit message commentary
+
+Fixes: 4d03e00a2140 ("ionic: Add initial ethtool support")
+Signed-off-by: Shannon Nelson <snelson@pensando.io>
+Acked-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ethernet/pensando/ionic/ionic_ethtool.c | 52 ++++++-------------
+ .../net/ethernet/pensando/ionic/ionic_lif.c | 17 ++++--
+ .../net/ethernet/pensando/ionic/ionic_lif.h | 4 +-
+ 3 files changed, 32 insertions(+), 41 deletions(-)
+
+diff --git a/drivers/net/ethernet/pensando/ionic/ionic_ethtool.c b/drivers/net/ethernet/pensando/ionic/ionic_ethtool.c
+index 6996229facfd4..22430fa911e2c 100644
+--- a/drivers/net/ethernet/pensando/ionic/ionic_ethtool.c
++++ b/drivers/net/ethernet/pensando/ionic/ionic_ethtool.c
+@@ -464,12 +464,18 @@ static void ionic_get_ringparam(struct net_device *netdev,
+ ring->rx_pending = lif->nrxq_descs;
+ }
+
++static void ionic_set_ringsize(struct ionic_lif *lif, void *arg)
++{
++ struct ethtool_ringparam *ring = arg;
++
++ lif->ntxq_descs = ring->tx_pending;
++ lif->nrxq_descs = ring->rx_pending;
++}
++
+ static int ionic_set_ringparam(struct net_device *netdev,
+ struct ethtool_ringparam *ring)
+ {
+ struct ionic_lif *lif = netdev_priv(netdev);
+- bool running;
+- int err;
+
+ if (ring->rx_mini_pending || ring->rx_jumbo_pending) {
+ netdev_info(netdev, "Changing jumbo or mini descriptors not supported\n");
+@@ -487,22 +493,7 @@ static int ionic_set_ringparam(struct net_device *netdev,
+ ring->rx_pending == lif->nrxq_descs)
+ return 0;
+
+- err = ionic_wait_for_bit(lif, IONIC_LIF_F_QUEUE_RESET);
+- if (err)
+- return err;
+-
+- running = test_bit(IONIC_LIF_F_UP, lif->state);
+- if (running)
+- ionic_stop(netdev);
+-
+- lif->ntxq_descs = ring->tx_pending;
+- lif->nrxq_descs = ring->rx_pending;
+-
+- if (running)
+- ionic_open(netdev);
+- clear_bit(IONIC_LIF_F_QUEUE_RESET, lif->state);
+-
+- return 0;
++ return ionic_reset_queues(lif, ionic_set_ringsize, ring);
+ }
+
+ static void ionic_get_channels(struct net_device *netdev,
+@@ -517,12 +508,17 @@ static void ionic_get_channels(struct net_device *netdev,
+ ch->combined_count = lif->nxqs;
+ }
+
++static void ionic_set_queuecount(struct ionic_lif *lif, void *arg)
++{
++ struct ethtool_channels *ch = arg;
++
++ lif->nxqs = ch->combined_count;
++}
++
+ static int ionic_set_channels(struct net_device *netdev,
+ struct ethtool_channels *ch)
+ {
+ struct ionic_lif *lif = netdev_priv(netdev);
+- bool running;
+- int err;
+
+ if (!ch->combined_count || ch->other_count ||
+ ch->rx_count || ch->tx_count)
+@@ -531,21 +527,7 @@ static int ionic_set_channels(struct net_device *netdev,
+ if (ch->combined_count == lif->nxqs)
+ return 0;
+
+- err = ionic_wait_for_bit(lif, IONIC_LIF_F_QUEUE_RESET);
+- if (err)
+- return err;
+-
+- running = test_bit(IONIC_LIF_F_UP, lif->state);
+- if (running)
+- ionic_stop(netdev);
+-
+- lif->nxqs = ch->combined_count;
+-
+- if (running)
+- ionic_open(netdev);
+- clear_bit(IONIC_LIF_F_QUEUE_RESET, lif->state);
+-
+- return 0;
++ return ionic_reset_queues(lif, ionic_set_queuecount, ch);
+ }
+
+ static u32 ionic_get_priv_flags(struct net_device *netdev)
+diff --git a/drivers/net/ethernet/pensando/ionic/ionic_lif.c b/drivers/net/ethernet/pensando/ionic/ionic_lif.c
+index 790d4854b8ef5..b591bec0301cc 100644
+--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c
++++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c
+@@ -1301,7 +1301,7 @@ static int ionic_change_mtu(struct net_device *netdev, int new_mtu)
+ return err;
+
+ netdev->mtu = new_mtu;
+- err = ionic_reset_queues(lif);
++ err = ionic_reset_queues(lif, NULL, NULL);
+
+ return err;
+ }
+@@ -1313,7 +1313,7 @@ static void ionic_tx_timeout_work(struct work_struct *ws)
+ netdev_info(lif->netdev, "Tx Timeout recovery\n");
+
+ rtnl_lock();
+- ionic_reset_queues(lif);
++ ionic_reset_queues(lif, NULL, NULL);
+ rtnl_unlock();
+ }
+
+@@ -1944,7 +1944,7 @@ static const struct net_device_ops ionic_netdev_ops = {
+ .ndo_get_vf_stats = ionic_get_vf_stats,
+ };
+
+-int ionic_reset_queues(struct ionic_lif *lif)
++int ionic_reset_queues(struct ionic_lif *lif, ionic_reset_cb cb, void *arg)
+ {
+ bool running;
+ int err = 0;
+@@ -1957,12 +1957,19 @@ int ionic_reset_queues(struct ionic_lif *lif)
+ if (running) {
+ netif_device_detach(lif->netdev);
+ err = ionic_stop(lif->netdev);
++ if (err)
++ goto reset_out;
+ }
+- if (!err && running) {
+- ionic_open(lif->netdev);
++
++ if (cb)
++ cb(lif, arg);
++
++ if (running) {
++ err = ionic_open(lif->netdev);
+ netif_device_attach(lif->netdev);
+ }
+
++reset_out:
+ clear_bit(IONIC_LIF_F_QUEUE_RESET, lif->state);
+
+ return err;
+diff --git a/drivers/net/ethernet/pensando/ionic/ionic_lif.h b/drivers/net/ethernet/pensando/ionic/ionic_lif.h
+index 5d4ffda5c05f2..2c65cf6300dbd 100644
+--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.h
++++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.h
+@@ -226,6 +226,8 @@ static inline u32 ionic_coal_hw_to_usec(struct ionic *ionic, u32 units)
+ return (units * div) / mult;
+ }
+
++typedef void (*ionic_reset_cb)(struct ionic_lif *lif, void *arg);
++
+ void ionic_link_status_check_request(struct ionic_lif *lif);
+ void ionic_lif_deferred_enqueue(struct ionic_deferred *def,
+ struct ionic_deferred_work *work);
+@@ -243,7 +245,7 @@ int ionic_lif_rss_config(struct ionic_lif *lif, u16 types,
+
+ int ionic_open(struct net_device *netdev);
+ int ionic_stop(struct net_device *netdev);
+-int ionic_reset_queues(struct ionic_lif *lif);
++int ionic_reset_queues(struct ionic_lif *lif, ionic_reset_cb cb, void *arg);
+
+ static inline void debug_stats_txq_post(struct ionic_qcq *qcq,
+ struct ionic_txq_desc *desc, bool dbell)
+--
+2.25.1
+
--- /dev/null
+From 3f12f12596c8fadd25f765a65e43b18c72fa9880 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Jun 2020 10:44:08 +0100
+Subject: KVM: arm64: vgic-v4: Plug race between non-residency and v4.1
+ doorbell
+
+From: Marc Zyngier <maz@kernel.org>
+
+[ Upstream commit a3f574cd65487cd993f79ab235d70229d9302c1e ]
+
+When making a vPE non-resident because it has hit a blocking WFI,
+the doorbell can fire at any time after the write to the RD.
+Crucially, it can fire right between the write to GICR_VPENDBASER
+and the write to the pending_last field in the its_vpe structure.
+
+This means that we would overwrite pending_last with stale data,
+and potentially not wakeup until some unrelated event (such as
+a timer interrupt) puts the vPE back on the CPU.
+
+GICv4 isn't affected by this as we actively mask the doorbell on
+entering the guest, while GICv4.1 automatically manages doorbell
+delivery without any hypervisor-driven masking.
+
+Use the vpe_lock to synchronize such update, which solves the
+problem altogether.
+
+Fixes: ae699ad348cdc ("irqchip/gic-v4.1: Move doorbell management to the GICv4 abstraction layer")
+Reported-by: Zenghui Yu <yuzenghui@huawei.com>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-gic-v3-its.c | 8 ++++++++
+ virt/kvm/arm/vgic/vgic-v4.c | 8 ++++++++
+ 2 files changed, 16 insertions(+)
+
+diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c
+index b3e16a06c13b7..b99e3105bf9fe 100644
+--- a/drivers/irqchip/irq-gic-v3-its.c
++++ b/drivers/irqchip/irq-gic-v3-its.c
+@@ -3938,16 +3938,24 @@ static void its_vpe_4_1_deschedule(struct its_vpe *vpe,
+ u64 val;
+
+ if (info->req_db) {
++ unsigned long flags;
++
+ /*
+ * vPE is going to block: make the vPE non-resident with
+ * PendingLast clear and DB set. The GIC guarantees that if
+ * we read-back PendingLast clear, then a doorbell will be
+ * delivered when an interrupt comes.
++ *
++ * Note the locking to deal with the concurrent update of
++ * pending_last from the doorbell interrupt handler that can
++ * run concurrently.
+ */
++ raw_spin_lock_irqsave(&vpe->vpe_lock, flags);
+ val = its_clear_vpend_valid(vlpi_base,
+ GICR_VPENDBASER_PendingLast,
+ GICR_VPENDBASER_4_1_DB);
+ vpe->pending_last = !!(val & GICR_VPENDBASER_PendingLast);
++ raw_spin_unlock_irqrestore(&vpe->vpe_lock, flags);
+ } else {
+ /*
+ * We're not blocking, so just make the vPE non-resident
+diff --git a/virt/kvm/arm/vgic/vgic-v4.c b/virt/kvm/arm/vgic/vgic-v4.c
+index 27ac833e5ec7c..b5fa73c9fd355 100644
+--- a/virt/kvm/arm/vgic/vgic-v4.c
++++ b/virt/kvm/arm/vgic/vgic-v4.c
+@@ -90,7 +90,15 @@ static irqreturn_t vgic_v4_doorbell_handler(int irq, void *info)
+ !irqd_irq_disabled(&irq_to_desc(irq)->irq_data))
+ disable_irq_nosync(irq);
+
++ /*
++ * The v4.1 doorbell can fire concurrently with the vPE being
++ * made non-resident. Ensure we only update pending_last
++ * *after* the non-residency sequence has completed.
++ */
++ raw_spin_lock(&vcpu->arch.vgic_cpu.vgic_v3.its_vpe.vpe_lock);
+ vcpu->arch.vgic_cpu.vgic_v3.its_vpe.pending_last = true;
++ raw_spin_unlock(&vcpu->arch.vgic_cpu.vgic_v3.its_vpe.vpe_lock);
++
+ kvm_make_request(KVM_REQ_IRQ_PENDING, vcpu);
+ kvm_vcpu_kick(vcpu);
+
+--
+2.25.1
+
--- /dev/null
+From 6a15c4ff10bc8e928a9703a2af94716b1a08056b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Jun 2020 15:45:54 +0530
+Subject: mac80211: Fix dropping broadcast packets in 802.11 encap
+
+From: Seevalamuthu Mariappan <seevalam@codeaurora.org>
+
+[ Upstream commit 78fb5b541b7ae57ac39187ccb3097e606004cf9b ]
+
+Broadcast pkts like arp are getting dropped in 'ieee80211_8023_xmit'.
+Fix this by replacing is_valid_ether_addr api with is_zero_ether_addr.
+
+Fixes: 50ff477a8639 ("mac80211: add 802.11 encapsulation offloading support")
+Signed-off-by: Seevalamuthu Mariappan <seevalam@codeaurora.org>
+Link: https://lore.kernel.org/r/1591697754-4975-1-git-send-email-seevalam@codeaurora.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/tx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
+index 82846aca86d96..6ab33d9904eec 100644
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -4192,7 +4192,7 @@ static void ieee80211_8023_xmit(struct ieee80211_sub_if_data *sdata,
+ (!sta || !test_sta_flag(sta, WLAN_STA_TDLS_PEER)))
+ ra = sdata->u.mgd.bssid;
+
+- if (!is_valid_ether_addr(ra))
++ if (is_zero_ether_addr(ra))
+ goto out_free;
+
+ multicast = is_multicast_ether_addr(ra);
+--
+2.25.1
+
--- /dev/null
+From 1859e90788702ec05f898523972190cc8a23eb44 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Jul 2020 16:41:39 +0300
+Subject: mlxsw: pci: Fix use-after-free in case of failed devlink reload
+
+From: Ido Schimmel <idosch@mellanox.com>
+
+[ Upstream commit c4317b11675b99af6641662ebcbd3c6010600e64 ]
+
+In case devlink reload failed, it is possible to trigger a
+use-after-free when querying the kernel for device info via 'devlink dev
+info' [1].
+
+This happens because as part of the reload error path the PCI command
+interface is de-initialized and its mailboxes are freed. When the
+devlink '->info_get()' callback is invoked the device is queried via the
+command interface and the freed mailboxes are accessed.
+
+Fix this by initializing the command interface once during probe and not
+during every reload.
+
+This is consistent with the other bus used by mlxsw (i.e., 'mlxsw_i2c')
+and also allows user space to query the running firmware version (for
+example) from the device after a failed reload.
+
+[1]
+BUG: KASAN: use-after-free in memcpy include/linux/string.h:406 [inline]
+BUG: KASAN: use-after-free in mlxsw_pci_cmd_exec+0x177/0xa60 drivers/net/ethernet/mellanox/mlxsw/pci.c:1675
+Write of size 4096 at addr ffff88810ae32000 by task syz-executor.1/2355
+
+CPU: 1 PID: 2355 Comm: syz-executor.1 Not tainted 5.8.0-rc2+ #29
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xf6/0x16e lib/dump_stack.c:118
+ print_address_description.constprop.0+0x1c/0x250 mm/kasan/report.c:383
+ __kasan_report mm/kasan/report.c:513 [inline]
+ kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
+ check_memory_region_inline mm/kasan/generic.c:186 [inline]
+ check_memory_region+0x14e/0x1b0 mm/kasan/generic.c:192
+ memcpy+0x39/0x60 mm/kasan/common.c:106
+ memcpy include/linux/string.h:406 [inline]
+ mlxsw_pci_cmd_exec+0x177/0xa60 drivers/net/ethernet/mellanox/mlxsw/pci.c:1675
+ mlxsw_cmd_exec+0x249/0x550 drivers/net/ethernet/mellanox/mlxsw/core.c:2335
+ mlxsw_cmd_access_reg drivers/net/ethernet/mellanox/mlxsw/cmd.h:859 [inline]
+ mlxsw_core_reg_access_cmd drivers/net/ethernet/mellanox/mlxsw/core.c:1938 [inline]
+ mlxsw_core_reg_access+0x2f6/0x540 drivers/net/ethernet/mellanox/mlxsw/core.c:1985
+ mlxsw_reg_query drivers/net/ethernet/mellanox/mlxsw/core.c:2000 [inline]
+ mlxsw_devlink_info_get+0x17f/0x6e0 drivers/net/ethernet/mellanox/mlxsw/core.c:1090
+ devlink_nl_info_fill.constprop.0+0x13c/0x2d0 net/core/devlink.c:4588
+ devlink_nl_cmd_info_get_dumpit+0x246/0x460 net/core/devlink.c:4648
+ genl_lock_dumpit+0x85/0xc0 net/netlink/genetlink.c:575
+ netlink_dump+0x515/0xe50 net/netlink/af_netlink.c:2245
+ __netlink_dump_start+0x53d/0x830 net/netlink/af_netlink.c:2353
+ genl_family_rcv_msg_dumpit.isra.0+0x296/0x300 net/netlink/genetlink.c:638
+ genl_family_rcv_msg net/netlink/genetlink.c:733 [inline]
+ genl_rcv_msg+0x78d/0x9d0 net/netlink/genetlink.c:753
+ netlink_rcv_skb+0x152/0x440 net/netlink/af_netlink.c:2469
+ genl_rcv+0x24/0x40 net/netlink/genetlink.c:764
+ netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
+ netlink_unicast+0x53a/0x750 net/netlink/af_netlink.c:1329
+ netlink_sendmsg+0x850/0xd90 net/netlink/af_netlink.c:1918
+ sock_sendmsg_nosec net/socket.c:652 [inline]
+ sock_sendmsg+0x150/0x190 net/socket.c:672
+ ____sys_sendmsg+0x6d8/0x840 net/socket.c:2363
+ ___sys_sendmsg+0xff/0x170 net/socket.c:2417
+ __sys_sendmsg+0xe5/0x1b0 net/socket.c:2450
+ do_syscall_64+0x56/0xa0 arch/x86/entry/common.c:359
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: a9c8336f6544 ("mlxsw: core: Add support for devlink info command")
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Reviewed-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/pci.c | 54 ++++++++++++++++-------
+ 1 file changed, 38 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/pci.c b/drivers/net/ethernet/mellanox/mlxsw/pci.c
+index fd0e97de44e7a..c04ec1a928260 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/pci.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/pci.c
+@@ -1414,23 +1414,12 @@ static int mlxsw_pci_init(void *bus_priv, struct mlxsw_core *mlxsw_core,
+ u16 num_pages;
+ int err;
+
+- mutex_init(&mlxsw_pci->cmd.lock);
+- init_waitqueue_head(&mlxsw_pci->cmd.wait);
+-
+ mlxsw_pci->core = mlxsw_core;
+
+ mbox = mlxsw_cmd_mbox_alloc();
+ if (!mbox)
+ return -ENOMEM;
+
+- err = mlxsw_pci_mbox_alloc(mlxsw_pci, &mlxsw_pci->cmd.in_mbox);
+- if (err)
+- goto mbox_put;
+-
+- err = mlxsw_pci_mbox_alloc(mlxsw_pci, &mlxsw_pci->cmd.out_mbox);
+- if (err)
+- goto err_out_mbox_alloc;
+-
+ err = mlxsw_pci_sw_reset(mlxsw_pci, mlxsw_pci->id);
+ if (err)
+ goto err_sw_reset;
+@@ -1537,9 +1526,6 @@ static int mlxsw_pci_init(void *bus_priv, struct mlxsw_core *mlxsw_core,
+ mlxsw_pci_free_irq_vectors(mlxsw_pci);
+ err_alloc_irq:
+ err_sw_reset:
+- mlxsw_pci_mbox_free(mlxsw_pci, &mlxsw_pci->cmd.out_mbox);
+-err_out_mbox_alloc:
+- mlxsw_pci_mbox_free(mlxsw_pci, &mlxsw_pci->cmd.in_mbox);
+ mbox_put:
+ mlxsw_cmd_mbox_free(mbox);
+ return err;
+@@ -1553,8 +1539,6 @@ static void mlxsw_pci_fini(void *bus_priv)
+ mlxsw_pci_aqs_fini(mlxsw_pci);
+ mlxsw_pci_fw_area_fini(mlxsw_pci);
+ mlxsw_pci_free_irq_vectors(mlxsw_pci);
+- mlxsw_pci_mbox_free(mlxsw_pci, &mlxsw_pci->cmd.out_mbox);
+- mlxsw_pci_mbox_free(mlxsw_pci, &mlxsw_pci->cmd.in_mbox);
+ }
+
+ static struct mlxsw_pci_queue *
+@@ -1776,6 +1760,37 @@ static const struct mlxsw_bus mlxsw_pci_bus = {
+ .features = MLXSW_BUS_F_TXRX | MLXSW_BUS_F_RESET,
+ };
+
++static int mlxsw_pci_cmd_init(struct mlxsw_pci *mlxsw_pci)
++{
++ int err;
++
++ mutex_init(&mlxsw_pci->cmd.lock);
++ init_waitqueue_head(&mlxsw_pci->cmd.wait);
++
++ err = mlxsw_pci_mbox_alloc(mlxsw_pci, &mlxsw_pci->cmd.in_mbox);
++ if (err)
++ goto err_in_mbox_alloc;
++
++ err = mlxsw_pci_mbox_alloc(mlxsw_pci, &mlxsw_pci->cmd.out_mbox);
++ if (err)
++ goto err_out_mbox_alloc;
++
++ return 0;
++
++err_out_mbox_alloc:
++ mlxsw_pci_mbox_free(mlxsw_pci, &mlxsw_pci->cmd.in_mbox);
++err_in_mbox_alloc:
++ mutex_destroy(&mlxsw_pci->cmd.lock);
++ return err;
++}
++
++static void mlxsw_pci_cmd_fini(struct mlxsw_pci *mlxsw_pci)
++{
++ mlxsw_pci_mbox_free(mlxsw_pci, &mlxsw_pci->cmd.out_mbox);
++ mlxsw_pci_mbox_free(mlxsw_pci, &mlxsw_pci->cmd.in_mbox);
++ mutex_destroy(&mlxsw_pci->cmd.lock);
++}
++
+ static int mlxsw_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+ {
+ const char *driver_name = pdev->driver->name;
+@@ -1831,6 +1846,10 @@ static int mlxsw_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+ mlxsw_pci->pdev = pdev;
+ pci_set_drvdata(pdev, mlxsw_pci);
+
++ err = mlxsw_pci_cmd_init(mlxsw_pci);
++ if (err)
++ goto err_pci_cmd_init;
++
+ mlxsw_pci->bus_info.device_kind = driver_name;
+ mlxsw_pci->bus_info.device_name = pci_name(mlxsw_pci->pdev);
+ mlxsw_pci->bus_info.dev = &pdev->dev;
+@@ -1848,6 +1867,8 @@ static int mlxsw_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+ return 0;
+
+ err_bus_device_register:
++ mlxsw_pci_cmd_fini(mlxsw_pci);
++err_pci_cmd_init:
+ iounmap(mlxsw_pci->hw_addr);
+ err_ioremap:
+ err_pci_resource_len_check:
+@@ -1865,6 +1886,7 @@ static void mlxsw_pci_remove(struct pci_dev *pdev)
+ struct mlxsw_pci *mlxsw_pci = pci_get_drvdata(pdev);
+
+ mlxsw_core_bus_device_unregister(mlxsw_pci->core, false);
++ mlxsw_pci_cmd_fini(mlxsw_pci);
+ iounmap(mlxsw_pci->hw_addr);
+ pci_release_regions(mlxsw_pci->pdev);
+ pci_disable_device(mlxsw_pci->pdev);
+--
+2.25.1
+
--- /dev/null
+From f535260ab3a815523df419be3c0260795742afca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Jul 2020 16:41:38 +0300
+Subject: mlxsw: spectrum_router: Remove inappropriate usage of WARN_ON()
+
+From: Ido Schimmel <idosch@mellanox.com>
+
+[ Upstream commit d9d5420273997664a1c09151ca86ac993f2f89c1 ]
+
+We should not trigger a warning when a memory allocation fails. Remove
+the WARN_ON().
+
+The warning is constantly triggered by syzkaller when it is injecting
+faults:
+
+[ 2230.758664] FAULT_INJECTION: forcing a failure.
+[ 2230.758664] name failslab, interval 1, probability 0, space 0, times 0
+[ 2230.762329] CPU: 3 PID: 1407 Comm: syz-executor.0 Not tainted 5.8.0-rc2+ #28
+...
+[ 2230.898175] WARNING: CPU: 3 PID: 1407 at drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:6265 mlxsw_sp_router_fib_event+0xfad/0x13e0
+[ 2230.898179] Kernel panic - not syncing: panic_on_warn set ...
+[ 2230.898183] CPU: 3 PID: 1407 Comm: syz-executor.0 Not tainted 5.8.0-rc2+ #28
+[ 2230.898190] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
+
+Fixes: 3057224e014c ("mlxsw: spectrum_router: Implement FIB offload in deferred work")
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Reviewed-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
+index d5bca1be3ef53..84b3d78a9dd84 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
+@@ -6256,7 +6256,7 @@ static int mlxsw_sp_router_fib_event(struct notifier_block *nb,
+ }
+
+ fib_work = kzalloc(sizeof(*fib_work), GFP_ATOMIC);
+- if (WARN_ON(!fib_work))
++ if (!fib_work)
+ return NOTIFY_BAD;
+
+ fib_work->mlxsw_sp = router->mlxsw_sp;
+--
+2.25.1
+
--- /dev/null
+From 3456be286be7af679f2627d2903ade1a38ee608f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Jun 2020 11:51:34 -0400
+Subject: mtd: set master partition panic write flag
+
+From: Kamal Dasu <kdasu.kdev@gmail.com>
+
+[ Upstream commit 630e8d5507d9f55dfa98134bfcadefb6cfba4fbb ]
+
+Check and set master panic write flag so that low level drivers
+can use it to take required action to ensure oops data gets written
+to assigned mtdoops device partition.
+
+Fixes: 9f897bfdd89f ("mtd: Add flag to indicate panic_write")
+Signed-off-by: Kamal Dasu <kdasu.kdev@gmail.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20200615155134.32007-1-kdasu.kdev@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/mtdcore.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mtd/mtdcore.c b/drivers/mtd/mtdcore.c
+index 29d41003d6e0d..f8317ccd8f2a6 100644
+--- a/drivers/mtd/mtdcore.c
++++ b/drivers/mtd/mtdcore.c
+@@ -1235,8 +1235,8 @@ int mtd_panic_write(struct mtd_info *mtd, loff_t to, size_t len, size_t *retlen,
+ return -EROFS;
+ if (!len)
+ return 0;
+- if (!mtd->oops_panic_write)
+- mtd->oops_panic_write = true;
++ if (!master->oops_panic_write)
++ master->oops_panic_write = true;
+
+ return master->_panic_write(master, mtd_get_master_ofs(mtd, to), len,
+ retlen, buf);
+--
+2.25.1
+
--- /dev/null
+From a193c83e350bc2d00243bb1ce2c6b7c487bf30ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jun 2020 09:23:49 +0800
+Subject: nbd: Fix memory leak in nbd_add_socket
+
+From: Zheng Bin <zhengbin13@huawei.com>
+
+[ Upstream commit 579dd91ab3a5446b148e7f179b6596b270dace46 ]
+
+When adding first socket to nbd, if nsock's allocation failed, the data
+structure member "config->socks" was reallocated, but the data structure
+member "config->num_connections" was not updated. A memory leak will occur
+then because the function "nbd_config_put" will free "config->socks" only
+when "config->num_connections" is not zero.
+
+Fixes: 03bf73c315ed ("nbd: prevent memory leak")
+Reported-by: syzbot+934037347002901b8d2a@syzkaller.appspotmail.com
+Signed-off-by: Zheng Bin <zhengbin13@huawei.com>
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/nbd.c | 25 +++++++++++++++----------
+ 1 file changed, 15 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
+index 43cff01a5a675..ce7e9f223b20b 100644
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -1033,25 +1033,26 @@ static int nbd_add_socket(struct nbd_device *nbd, unsigned long arg,
+ test_bit(NBD_RT_BOUND, &config->runtime_flags))) {
+ dev_err(disk_to_dev(nbd->disk),
+ "Device being setup by another task");
+- sockfd_put(sock);
+- return -EBUSY;
++ err = -EBUSY;
++ goto put_socket;
++ }
++
++ nsock = kzalloc(sizeof(*nsock), GFP_KERNEL);
++ if (!nsock) {
++ err = -ENOMEM;
++ goto put_socket;
+ }
+
+ socks = krealloc(config->socks, (config->num_connections + 1) *
+ sizeof(struct nbd_sock *), GFP_KERNEL);
+ if (!socks) {
+- sockfd_put(sock);
+- return -ENOMEM;
++ kfree(nsock);
++ err = -ENOMEM;
++ goto put_socket;
+ }
+
+ config->socks = socks;
+
+- nsock = kzalloc(sizeof(struct nbd_sock), GFP_KERNEL);
+- if (!nsock) {
+- sockfd_put(sock);
+- return -ENOMEM;
+- }
+-
+ nsock->fallback_index = -1;
+ nsock->dead = false;
+ mutex_init(&nsock->tx_lock);
+@@ -1063,6 +1064,10 @@ static int nbd_add_socket(struct nbd_device *nbd, unsigned long arg,
+ atomic_inc(&config->live_connections);
+
+ return 0;
++
++put_socket:
++ sockfd_put(sock);
++ return err;
+ }
+
+ static int nbd_reconnect_socket(struct nbd_device *nbd, unsigned long arg)
+--
+2.25.1
+
--- /dev/null
+From dfcdbf258b0a1eaf858a306e66fd4770a45a8961 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Jul 2020 17:17:10 +0300
+Subject: net: atlantic: fix ip dst and ipv6 address filters
+
+From: Dmitry Bogdanov <dbogdanov@marvell.com>
+
+[ Upstream commit a42e6aee7f47a8a68d09923c720fc8f605a04207 ]
+
+This patch fixes ip dst and ipv6 address filters.
+There were 2 mistakes in the code, which led to the issue:
+* invalid register was used for ipv4 dst address;
+* incorrect write order of dwords for ipv6 addresses.
+
+Fixes: 23e7a718a49b ("net: aquantia: add rx-flow filter definitions")
+Signed-off-by: Dmitry Bogdanov <dbogdanov@marvell.com>
+Signed-off-by: Mark Starovoytov <mstarovoitov@marvell.com>
+Signed-off-by: Alexander Lobakin <alobakin@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_llh.c | 4 ++--
+ .../ethernet/aquantia/atlantic/hw_atl/hw_atl_llh_internal.h | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_llh.c b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_llh.c
+index d1f68fc162918..e6b1fb10ad912 100644
+--- a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_llh.c
++++ b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_llh.c
+@@ -1651,7 +1651,7 @@ void hw_atl_rpfl3l4_ipv6_src_addr_set(struct aq_hw_s *aq_hw, u8 location,
+ for (i = 0; i < 4; ++i)
+ aq_hw_write_reg(aq_hw,
+ HW_ATL_RPF_L3_SRCA_ADR(location + i),
+- ipv6_src[i]);
++ ipv6_src[3 - i]);
+ }
+
+ void hw_atl_rpfl3l4_ipv6_dest_addr_set(struct aq_hw_s *aq_hw, u8 location,
+@@ -1662,7 +1662,7 @@ void hw_atl_rpfl3l4_ipv6_dest_addr_set(struct aq_hw_s *aq_hw, u8 location,
+ for (i = 0; i < 4; ++i)
+ aq_hw_write_reg(aq_hw,
+ HW_ATL_RPF_L3_DSTA_ADR(location + i),
+- ipv6_dest[i]);
++ ipv6_dest[3 - i]);
+ }
+
+ u32 hw_atl_sem_ram_get(struct aq_hw_s *self)
+diff --git a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_llh_internal.h b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_llh_internal.h
+index 18de2f7b89593..a7590b9ea2df5 100644
+--- a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_llh_internal.h
++++ b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_llh_internal.h
+@@ -1360,7 +1360,7 @@
+ */
+
+ /* Register address for bitfield pif_rpf_l3_da0_i[31:0] */
+-#define HW_ATL_RPF_L3_DSTA_ADR(filter) (0x000053B0 + (filter) * 0x4)
++#define HW_ATL_RPF_L3_DSTA_ADR(filter) (0x000053D0 + (filter) * 0x4)
+ /* Bitmask for bitfield l3_da0[1F:0] */
+ #define HW_ATL_RPF_L3_DSTA_MSK 0xFFFFFFFFu
+ /* Inverted bitmask for bitfield l3_da0[1F:0] */
+--
+2.25.1
+
--- /dev/null
+From e075e535a4377c2936a695e6a2983cbc0fee0c5a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jun 2020 18:49:51 +0800
+Subject: net: cxgb4: fix return error value in t4_prep_fw
+
+From: Li Heng <liheng40@huawei.com>
+
+[ Upstream commit 8a259e6b73ad8181b0b2ef338b35043433db1075 ]
+
+t4_prep_fw goto bye tag with positive return value when something
+bad happened and which can not free resource in adap_init0.
+so fix it to return negative value.
+
+Fixes: 16e47624e76b ("cxgb4: Add new scheme to update T4/T5 firmware")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Li Heng <liheng40@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/chelsio/cxgb4/t4_hw.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c
+index 2a3480fc1d914..9121cef2be2d5 100644
+--- a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c
+@@ -3493,7 +3493,7 @@ int t4_prep_fw(struct adapter *adap, struct fw_info *fw_info,
+ drv_fw = &fw_info->fw_hdr;
+
+ /* Read the header of the firmware on the card */
+- ret = -t4_read_flash(adap, FLASH_FW_START,
++ ret = t4_read_flash(adap, FLASH_FW_START,
+ sizeof(*card_fw) / sizeof(uint32_t),
+ (uint32_t *)card_fw, 1);
+ if (ret == 0) {
+@@ -3522,8 +3522,8 @@ int t4_prep_fw(struct adapter *adap, struct fw_info *fw_info,
+ should_install_fs_fw(adap, card_fw_usable,
+ be32_to_cpu(fs_fw->fw_ver),
+ be32_to_cpu(card_fw->fw_ver))) {
+- ret = -t4_fw_upgrade(adap, adap->mbox, fw_data,
+- fw_size, 0);
++ ret = t4_fw_upgrade(adap, adap->mbox, fw_data,
++ fw_size, 0);
+ if (ret != 0) {
+ dev_err(adap->pdev_dev,
+ "failed to install firmware: %d\n", ret);
+@@ -3554,7 +3554,7 @@ int t4_prep_fw(struct adapter *adap, struct fw_info *fw_info,
+ FW_HDR_FW_VER_MICRO_G(c), FW_HDR_FW_VER_BUILD_G(c),
+ FW_HDR_FW_VER_MAJOR_G(k), FW_HDR_FW_VER_MINOR_G(k),
+ FW_HDR_FW_VER_MICRO_G(k), FW_HDR_FW_VER_BUILD_G(k));
+- ret = EINVAL;
++ ret = -EINVAL;
+ goto bye;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 4e3781645ce58b4d5cc8ae7d322bb6290d9f10b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Jul 2020 12:44:50 +0300
+Subject: net: dsa: microchip: set the correct number of ports
+
+From: Codrin Ciubotariu <codrin.ciubotariu@microchip.com>
+
+[ Upstream commit af199a1a9cb02ec0194804bd46c174b6db262075 ]
+
+The number of ports is incorrectly set to the maximum available for a DSA
+switch. Even if the extra ports are not used, this causes some functions
+to be called later, like port_disable() and port_stp_state_set(). If the
+driver doesn't check the port index, it will end up modifying unknown
+registers.
+
+Fixes: b987e98e50ab ("dsa: add DSA switch driver for Microchip KSZ9477")
+Signed-off-by: Codrin Ciubotariu <codrin.ciubotariu@microchip.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/microchip/ksz8795.c | 3 +++
+ drivers/net/dsa/microchip/ksz9477.c | 3 +++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/drivers/net/dsa/microchip/ksz8795.c b/drivers/net/dsa/microchip/ksz8795.c
+index 47d65b77caf77..7c17b0f705ec3 100644
+--- a/drivers/net/dsa/microchip/ksz8795.c
++++ b/drivers/net/dsa/microchip/ksz8795.c
+@@ -1268,6 +1268,9 @@ static int ksz8795_switch_init(struct ksz_device *dev)
+ return -ENOMEM;
+ }
+
++ /* set the real number of ports */
++ dev->ds->num_ports = dev->port_cnt;
++
+ return 0;
+ }
+
+diff --git a/drivers/net/dsa/microchip/ksz9477.c b/drivers/net/dsa/microchip/ksz9477.c
+index 9a51b8a4de5d1..8d15c30160246 100644
+--- a/drivers/net/dsa/microchip/ksz9477.c
++++ b/drivers/net/dsa/microchip/ksz9477.c
+@@ -1588,6 +1588,9 @@ static int ksz9477_switch_init(struct ksz_device *dev)
+ return -ENOMEM;
+ }
+
++ /* set the real number of ports */
++ dev->ds->num_ports = dev->port_cnt;
++
+ return 0;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 2e4856c7bcc6c696a86f5394890952a20b33b385 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Jul 2020 19:26:01 +0800
+Subject: net: hns3: add a missing uninit debugfs when unload driver
+
+From: Huazhong Tan <tanhuazhong@huawei.com>
+
+[ Upstream commit e22b5e728bbb179b912d3a3cd5c25894a89a26a2 ]
+
+When unloading driver, if flag HNS3_NIC_STATE_INITED has been
+already cleared, the debugfs will not be uninitialized, so fix it.
+
+Fixes: b2292360bb2a ("net: hns3: Add debugfs framework registration")
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+index da98fd7c8eca5..3003eecd5263b 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+@@ -4153,9 +4153,8 @@ static void hns3_client_uninit(struct hnae3_handle *handle, bool reset)
+
+ hns3_put_ring_config(priv);
+
+- hns3_dbg_uninit(handle);
+-
+ out_netdev_free:
++ hns3_dbg_uninit(handle);
+ free_netdev(netdev);
+ }
+
+--
+2.25.1
+
--- /dev/null
+From c6ac524461bbd00af137d17619f37f61a20ca71f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Jul 2020 19:25:59 +0800
+Subject: net: hns3: check reset pending after FLR prepare
+
+From: Huazhong Tan <tanhuazhong@huawei.com>
+
+[ Upstream commit bb3d866882c280a85e8950d4d72af1e294d2e69c ]
+
+If there is a PF reset pending before FLR prepare, FLR's
+preparatory work will not fail, but the FLR rebuild procedure
+will fail for this pending. So this PF reset pending should
+be handled in the FLR preparatory.
+
+Fixes: 8627bdedc435 ("net: hns3: refactor the precedure of PF FLR")
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+index a758f9ae32be9..4de268a879582 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -9351,7 +9351,7 @@ static void hclge_flr_prepare(struct hnae3_ae_dev *ae_dev)
+ set_bit(HCLGE_STATE_RST_HANDLING, &hdev->state);
+ hdev->reset_type = HNAE3_FLR_RESET;
+ ret = hclge_reset_prepare(hdev);
+- if (ret) {
++ if (ret || hdev->reset_pending) {
+ dev_err(&hdev->pdev->dev, "fail to prepare FLR, ret=%d\n",
+ ret);
+ if (hdev->reset_pending ||
+--
+2.25.1
+
--- /dev/null
+From 8dfee9772fd56569bb922eea651486469558a161 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Jul 2020 19:26:00 +0800
+Subject: net: hns3: fix for mishandle of asserting VF reset fail
+
+From: Huazhong Tan <tanhuazhong@huawei.com>
+
+[ Upstream commit cddd5648926d7a6e84526dadd8bfb21609a14fb7 ]
+
+When asserts VF reset fail, flag HCLGEVF_STATE_CMD_DISABLE
+and handshake status should not set, otherwise the retry will
+fail. So adds a check for asserting VF reset and returns
+directly when fails.
+
+Fixes: ef5f8e507ec9 ("net: hns3: stop handling command queue while resetting VF")
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+index e02d427131eeb..e6cdd06925e6b 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+@@ -1527,6 +1527,11 @@ static int hclgevf_reset_prepare_wait(struct hclgevf_dev *hdev)
+ if (hdev->reset_type == HNAE3_VF_FUNC_RESET) {
+ hclgevf_build_send_msg(&send_msg, HCLGE_MBX_RESET, 0);
+ ret = hclgevf_send_mbx_msg(hdev, &send_msg, true, NULL, 0);
++ if (ret) {
++ dev_err(&hdev->pdev->dev,
++ "failed to assert VF reset, ret = %d\n", ret);
++ return ret;
++ }
+ hdev->rst_stats.vf_func_rst_cnt++;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 77e020ca4ebe1bbce7c6beef2ff8064ab36ab58c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Jul 2020 19:26:02 +0800
+Subject: net: hns3: fix use-after-free when doing self test
+
+From: Yonglong Liu <liuyonglong@huawei.com>
+
+[ Upstream commit a06656211304fec653c1931c2ca6d644013b5bbb ]
+
+Enable promisc mode of PF, set VF link state to enable, and
+run iperf of the VF, then do self test of the PF. The self test
+will fail with a low frequency, and may cause a use-after-free
+problem.
+
+[ 87.142126] selftest:000004a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+[ 87.159722] ==================================================================
+[ 87.174187] BUG: KASAN: use-after-free in hex_dump_to_buffer+0x140/0x608
+[ 87.187600] Read of size 1 at addr ffff003b22828000 by task ethtool/1186
+[ 87.201012]
+[ 87.203978] CPU: 7 PID: 1186 Comm: ethtool Not tainted 5.5.0-rc4-gfd51c473-dirty #4
+[ 87.219306] Hardware name: Huawei TaiShan 2280 V2/BC82AMDA, BIOS TA BIOS 2280-A CS V2.B160.01 01/15/2020
+[ 87.238292] Call trace:
+[ 87.243173] dump_backtrace+0x0/0x280
+[ 87.250491] show_stack+0x24/0x30
+[ 87.257114] dump_stack+0xe8/0x140
+[ 87.263911] print_address_description.isra.8+0x70/0x380
+[ 87.274538] __kasan_report+0x12c/0x230
+[ 87.282203] kasan_report+0xc/0x18
+[ 87.288999] __asan_load1+0x60/0x68
+[ 87.295969] hex_dump_to_buffer+0x140/0x608
+[ 87.304332] print_hex_dump+0x140/0x1e0
+[ 87.312000] hns3_lb_check_skb_data+0x168/0x170
+[ 87.321060] hns3_clean_rx_ring+0xa94/0xfe0
+[ 87.329422] hns3_self_test+0x708/0x8c0
+
+The length of packet sent by the selftest process is only
+128 + 14 bytes, and the min buffer size of a BD is 256 bytes,
+and the receive process will make sure the packet sent by
+the selftest process is in the linear part, so only check
+the linear part in hns3_lb_check_skb_data().
+
+So fix this use-after-free by using skb_headlen() to dump
+skb->data instead of skb->len.
+
+Fixes: c39c4d98dc65 ("net: hns3: Add mac loopback selftest support in hns3 driver")
+Signed-off-by: Yonglong Liu <liuyonglong@huawei.com>
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c
+index 28b81f24afa11..2a78805d531a1 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c
+@@ -174,18 +174,21 @@ static void hns3_lb_check_skb_data(struct hns3_enet_ring *ring,
+ {
+ struct hns3_enet_tqp_vector *tqp_vector = ring->tqp_vector;
+ unsigned char *packet = skb->data;
++ u32 len = skb_headlen(skb);
+ u32 i;
+
+- for (i = 0; i < skb->len; i++)
++ len = min_t(u32, len, HNS3_NIC_LB_TEST_PACKET_SIZE);
++
++ for (i = 0; i < len; i++)
+ if (packet[i] != (unsigned char)(i & 0xff))
+ break;
+
+ /* The packet is correctly received */
+- if (i == skb->len)
++ if (i == HNS3_NIC_LB_TEST_PACKET_SIZE)
+ tqp_vector->rx_group.total_packets++;
+ else
+ print_hex_dump(KERN_ERR, "selftest:", DUMP_PREFIX_OFFSET, 16, 1,
+- skb->data, skb->len, true);
++ skb->data, len, true);
+
+ dev_kfree_skb_any(skb);
+ }
+--
+2.25.1
+
--- /dev/null
+From e6ac7d9dd8ba22aaf5cfbc3c4fbf88dd3f75c2f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Jul 2020 18:10:08 -0500
+Subject: net: ipa: fix QMI structure definition bugs
+
+From: Alex Elder <elder@linaro.org>
+
+[ Upstream commit 74478ea4ded519db35cb1f059948b1e713bb4abf ]
+
+Building with "W=1" did exactly what it was supposed to do, namely
+point out some suspicious-looking code to be verified not to contain
+bugs.
+
+Some QMI message structures defined in "ipa_qmi_msg.c" contained
+some bad field names (duplicating the "elem_size" field instead of
+defining the "offset" field), almost certainly due to copy/paste
+errors that weren't obvious in a scan of the code. Fix these bugs.
+
+Fixes: 530f9216a953 ("soc: qcom: ipa: AP/modem communications")
+Signed-off-by: Alex Elder <elder@linaro.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ipa/ipa_qmi_msg.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ipa/ipa_qmi_msg.c b/drivers/net/ipa/ipa_qmi_msg.c
+index 03a1d0e559644..73413371e3d3e 100644
+--- a/drivers/net/ipa/ipa_qmi_msg.c
++++ b/drivers/net/ipa/ipa_qmi_msg.c
+@@ -119,7 +119,7 @@ struct qmi_elem_info ipa_driver_init_complete_rsp_ei[] = {
+ sizeof_field(struct ipa_driver_init_complete_rsp,
+ rsp),
+ .tlv_type = 0x02,
+- .elem_size = offsetof(struct ipa_driver_init_complete_rsp,
++ .offset = offsetof(struct ipa_driver_init_complete_rsp,
+ rsp),
+ .ei_array = qmi_response_type_v01_ei,
+ },
+@@ -137,7 +137,7 @@ struct qmi_elem_info ipa_init_complete_ind_ei[] = {
+ sizeof_field(struct ipa_init_complete_ind,
+ status),
+ .tlv_type = 0x02,
+- .elem_size = offsetof(struct ipa_init_complete_ind,
++ .offset = offsetof(struct ipa_init_complete_ind,
+ status),
+ .ei_array = qmi_response_type_v01_ei,
+ },
+@@ -218,7 +218,7 @@ struct qmi_elem_info ipa_init_modem_driver_req_ei[] = {
+ sizeof_field(struct ipa_init_modem_driver_req,
+ platform_type_valid),
+ .tlv_type = 0x10,
+- .elem_size = offsetof(struct ipa_init_modem_driver_req,
++ .offset = offsetof(struct ipa_init_modem_driver_req,
+ platform_type_valid),
+ },
+ {
+--
+2.25.1
+
--- /dev/null
+From 4856abf79dfd705635c409756dd9c73f6ee066b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Jun 2020 07:44:43 -0500
+Subject: net: ipa: no checksum offload for SDM845 LAN RX
+
+From: Alex Elder <elder@linaro.org>
+
+[ Upstream commit 41af5436e857ec64f302fcc9b6e4a8c526b6b402 ]
+
+The AP LAN RX endpoint should not have download checksum offload
+enabled.
+
+The receive handler does properly accommodate the trailer that's
+added by the hardware, but we ignore it.
+
+Fixes: 1ed7d0c0fdba ("soc: qcom: ipa: configuration data")
+Signed-off-by: Alex Elder <elder@linaro.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ipa/ipa_data-sdm845.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/ipa/ipa_data-sdm845.c b/drivers/net/ipa/ipa_data-sdm845.c
+index 0d9c36e1e806c..0917c5b028f67 100644
+--- a/drivers/net/ipa/ipa_data-sdm845.c
++++ b/drivers/net/ipa/ipa_data-sdm845.c
+@@ -44,7 +44,6 @@ static const struct ipa_gsi_endpoint_data ipa_gsi_endpoint_data[] = {
+ .endpoint = {
+ .seq_type = IPA_SEQ_INVALID,
+ .config = {
+- .checksum = true,
+ .aggregation = true,
+ .status_enable = true,
+ .rx = {
+--
+2.25.1
+
--- /dev/null
+From 1a759b3d9f0480978df98e4d614d37f684f310fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Jul 2020 14:46:45 +0200
+Subject: net: macb: fix call to pm_runtime in the suspend/resume functions
+
+From: Nicolas Ferre <nicolas.ferre@microchip.com>
+
+[ Upstream commit 6c8f85cac98a4c6b767c4c4f6af7283724c32b47 ]
+
+The calls to pm_runtime_force_suspend/resume() functions are only
+relevant if the device is not configured to act as a WoL wakeup source.
+Add the device_may_wakeup() test before calling them.
+
+Fixes: 3e2a5e153906 ("net: macb: add wake-on-lan support via magic packet")
+Cc: Claudiu Beznea <claudiu.beznea@microchip.com>
+Cc: Harini Katakam <harini.katakam@xilinx.com>
+Cc: Sergio Prado <sergio.prado@e-labworks.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
+index 548815255e22b..f1f0976e7669a 100644
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -4606,7 +4606,8 @@ static int __maybe_unused macb_suspend(struct device *dev)
+
+ if (bp->ptp_info)
+ bp->ptp_info->ptp_remove(netdev);
+- pm_runtime_force_suspend(dev);
++ if (!device_may_wakeup(dev))
++ pm_runtime_force_suspend(dev);
+
+ return 0;
+ }
+@@ -4621,7 +4622,8 @@ static int __maybe_unused macb_resume(struct device *dev)
+ if (!netif_running(netdev))
+ return 0;
+
+- pm_runtime_force_resume(dev);
++ if (!device_may_wakeup(dev))
++ pm_runtime_force_resume(dev);
+
+ if (bp->wol & MACB_WOL_ENABLED) {
+ macb_writel(bp, IDR, MACB_BIT(WOL));
+--
+2.25.1
+
--- /dev/null
+From 8be9ab23ba7b9a9d124e1d9ea07e1ec8d7774696 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Jul 2020 14:46:43 +0200
+Subject: net: macb: fix macb_get/set_wol() when moving to phylink
+
+From: Nicolas Ferre <nicolas.ferre@microchip.com>
+
+[ Upstream commit 253fe09435045ab9346a8e364299d971185ae031 ]
+
+Keep previous function goals and integrate phylink actions to them.
+
+phylink_ethtool_get_wol() is not enough to figure out if Ethernet driver
+supports Wake-on-Lan.
+Initialization of "supported" and "wolopts" members is done in phylink
+function, no need to keep them in calling function.
+
+phylink_ethtool_set_wol() return value is considered and determines
+if the MAC has to handle WoL or not. The case where the PHY doesn't
+implement WoL leads to the MAC configuring it to provide this feature.
+
+Fixes: 7897b071ac3b ("net: macb: convert to phylink")
+Cc: Claudiu Beznea <claudiu.beznea@microchip.com>
+Cc: Harini Katakam <harini.katakam@xilinx.com>
+Cc: Antoine Tenart <antoine.tenart@bootlin.com>
+Cc: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
+index 4cafe343c0a27..79c2fe0543038 100644
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -2821,11 +2821,13 @@ static void macb_get_wol(struct net_device *netdev, struct ethtool_wolinfo *wol)
+ {
+ struct macb *bp = netdev_priv(netdev);
+
+- wol->supported = 0;
+- wol->wolopts = 0;
+-
+- if (bp->wol & MACB_WOL_HAS_MAGIC_PACKET)
++ if (bp->wol & MACB_WOL_HAS_MAGIC_PACKET) {
+ phylink_ethtool_get_wol(bp->phylink, wol);
++ wol->supported |= WAKE_MAGIC;
++
++ if (bp->wol & MACB_WOL_ENABLED)
++ wol->wolopts |= WAKE_MAGIC;
++ }
+ }
+
+ static int macb_set_wol(struct net_device *netdev, struct ethtool_wolinfo *wol)
+@@ -2833,9 +2835,13 @@ static int macb_set_wol(struct net_device *netdev, struct ethtool_wolinfo *wol)
+ struct macb *bp = netdev_priv(netdev);
+ int ret;
+
++ /* Pass the order to phylink layer */
+ ret = phylink_ethtool_set_wol(bp->phylink, wol);
+- if (!ret)
+- return 0;
++ /* Don't manage WoL on MAC if handled by the PHY
++ * or if there's a failure in talking to the PHY
++ */
++ if (!ret || ret != -EOPNOTSUPP)
++ return ret;
+
+ if (!(bp->wol & MACB_WOL_HAS_MAGIC_PACKET) ||
+ (wol->wolopts & ~WAKE_MAGIC))
+--
+2.25.1
+
--- /dev/null
+From 7c7dc7405dd340e9c47fbc429fb0d2f025262853 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Jul 2020 14:46:44 +0200
+Subject: net: macb: fix macb_suspend() by removing call to netif_carrier_off()
+
+From: Nicolas Ferre <nicolas.ferre@microchip.com>
+
+[ Upstream commit 64febc5e56c9a748162f206dcc5be1a44436087a ]
+
+As we now use the phylink call to phylink_stop() in the non-WoL path,
+there is no need for this call to netif_carrier_off() anymore. It can
+disturb the underlying phylink FSM.
+
+Fixes: 7897b071ac3b ("net: macb: convert to phylink")
+Cc: Claudiu Beznea <claudiu.beznea@microchip.com>
+Cc: Harini Katakam <harini.katakam@xilinx.com>
+Cc: Antoine Tenart <antoine.tenart@bootlin.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
+index 79c2fe0543038..548815255e22b 100644
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -4604,7 +4604,6 @@ static int __maybe_unused macb_suspend(struct device *dev)
+ bp->pm_data.scrt2 = gem_readl_n(bp, ETHT, SCRT2_ETHT);
+ }
+
+- netif_carrier_off(netdev);
+ if (bp->ptp_info)
+ bp->ptp_info->ptp_remove(netdev);
+ pm_runtime_force_suspend(dev);
+--
+2.25.1
+
--- /dev/null
+From c42ec16f214f7f9d0d1eadcfa38b12898639bb2c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Jul 2020 14:46:41 +0200
+Subject: net: macb: fix wakeup test in runtime suspend/resume routines
+
+From: Nicolas Ferre <nicolas.ferre@microchip.com>
+
+[ Upstream commit 515a10a701d570e26dfbe6ee373f77c8bf11053f ]
+
+Use the proper struct device pointer to check if the wakeup flag
+and wakeup source are positioned.
+Use the one passed by function call which is equivalent to
+&bp->dev->dev.parent.
+
+It's preventing the trigger of a spurious interrupt in case the
+Wake-on-Lan feature is used.
+
+Fixes: d54f89af6cc4 ("net: macb: Add pm runtime support")
+Cc: Claudiu Beznea <claudiu.beznea@microchip.com>
+Cc: Harini Katakam <harini.katakam@xilinx.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
+index 52582e8ed90e5..55e680f350222 100644
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -4654,7 +4654,7 @@ static int __maybe_unused macb_runtime_suspend(struct device *dev)
+ struct net_device *netdev = dev_get_drvdata(dev);
+ struct macb *bp = netdev_priv(netdev);
+
+- if (!(device_may_wakeup(&bp->dev->dev))) {
++ if (!(device_may_wakeup(dev))) {
+ clk_disable_unprepare(bp->tx_clk);
+ clk_disable_unprepare(bp->hclk);
+ clk_disable_unprepare(bp->pclk);
+@@ -4670,7 +4670,7 @@ static int __maybe_unused macb_runtime_resume(struct device *dev)
+ struct net_device *netdev = dev_get_drvdata(dev);
+ struct macb *bp = netdev_priv(netdev);
+
+- if (!(device_may_wakeup(&bp->dev->dev))) {
++ if (!(device_may_wakeup(dev))) {
+ clk_prepare_enable(bp->pclk);
+ clk_prepare_enable(bp->hclk);
+ clk_prepare_enable(bp->tx_clk);
+--
+2.25.1
+
--- /dev/null
+From 4458e5c776c80e2c25de92651601c90032c7c9b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Jul 2020 14:46:42 +0200
+Subject: net: macb: mark device wake capable when "magic-packet" property
+ present
+
+From: Nicolas Ferre <nicolas.ferre@microchip.com>
+
+[ Upstream commit ced4799d06375929e013eea04ba6908207afabbe ]
+
+Change the way the "magic-packet" DT property is handled in the
+macb_probe() function, matching DT binding documentation.
+Now we mark the device as "wakeup capable" instead of calling the
+device_init_wakeup() function that would enable the wakeup source.
+
+For Ethernet WoL, enabling the wakeup_source is done by
+using ethtool and associated macb_set_wol() function that
+already calls device_set_wakeup_enable() for this purpose.
+
+That would reduce power consumption by cutting more clocks if
+"magic-packet" property is set but WoL is not configured by ethtool.
+
+Fixes: 3e2a5e153906 ("net: macb: add wake-on-lan support via magic packet")
+Cc: Claudiu Beznea <claudiu.beznea@microchip.com>
+Cc: Harini Katakam <harini.katakam@xilinx.com>
+Cc: Sergio Prado <sergio.prado@e-labworks.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
+index 55e680f350222..4cafe343c0a27 100644
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -4422,7 +4422,7 @@ static int macb_probe(struct platform_device *pdev)
+ bp->wol = 0;
+ if (of_get_property(np, "magic-packet", NULL))
+ bp->wol |= MACB_WOL_HAS_MAGIC_PACKET;
+- device_init_wakeup(&pdev->dev, bp->wol & MACB_WOL_HAS_MAGIC_PACKET);
++ device_set_wakeup_capable(&pdev->dev, bp->wol & MACB_WOL_HAS_MAGIC_PACKET);
+
+ spin_lock_init(&bp->lock);
+
+--
+2.25.1
+
--- /dev/null
+From 87772f5566b9baeda34c2646d9ee216def3bfe53 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Jun 2020 17:31:26 +0300
+Subject: net/mlx5: Fix eeprom support for SFP module
+
+From: Eran Ben Elisha <eranbe@mellanox.com>
+
+[ Upstream commit 47afbdd2fa4c5775c383ba376a3d1da7d7f694dc ]
+
+Fix eeprom SFP query support by setting i2c_addr, offset and page number
+correctly. Unlike QSFP modules, SFP eeprom params are as follow:
+- i2c_addr is 0x50 for offset 0 - 255 and 0x51 for offset 256 - 511.
+- Page number is always zero.
+- Page offset is always relative to zero.
+
+As part of eeprom query, query the module ID (SFP / QSFP*) via helper
+function to set the params accordingly.
+
+In addition, change mlx5_qsfp_eeprom_page() input type to be u16 to avoid
+unnecessary casting.
+
+Fixes: a708fb7b1f8d ("net/mlx5e: ethtool, Add support for EEPROM high pages query")
+Signed-off-by: Eran Ben Elisha <eranbe@mellanox.com>
+Signed-off-by: Huy Nguyen <huyn@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/mellanox/mlx5/core/port.c | 93 +++++++++++++++----
+ 1 file changed, 77 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/port.c b/drivers/net/ethernet/mellanox/mlx5/core/port.c
+index cc262b30aed53..dc589322940c5 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/port.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/port.c
+@@ -293,7 +293,40 @@ static int mlx5_query_module_num(struct mlx5_core_dev *dev, int *module_num)
+ return 0;
+ }
+
+-static int mlx5_eeprom_page(int offset)
++static int mlx5_query_module_id(struct mlx5_core_dev *dev, int module_num,
++ u8 *module_id)
++{
++ u32 in[MLX5_ST_SZ_DW(mcia_reg)] = {};
++ u32 out[MLX5_ST_SZ_DW(mcia_reg)];
++ int err, status;
++ u8 *ptr;
++
++ MLX5_SET(mcia_reg, in, i2c_device_address, MLX5_I2C_ADDR_LOW);
++ MLX5_SET(mcia_reg, in, module, module_num);
++ MLX5_SET(mcia_reg, in, device_address, 0);
++ MLX5_SET(mcia_reg, in, page_number, 0);
++ MLX5_SET(mcia_reg, in, size, 1);
++ MLX5_SET(mcia_reg, in, l, 0);
++
++ err = mlx5_core_access_reg(dev, in, sizeof(in), out,
++ sizeof(out), MLX5_REG_MCIA, 0, 0);
++ if (err)
++ return err;
++
++ status = MLX5_GET(mcia_reg, out, status);
++ if (status) {
++ mlx5_core_err(dev, "query_mcia_reg failed: status: 0x%x\n",
++ status);
++ return -EIO;
++ }
++ ptr = MLX5_ADDR_OF(mcia_reg, out, dword_0);
++
++ *module_id = ptr[0];
++
++ return 0;
++}
++
++static int mlx5_qsfp_eeprom_page(u16 offset)
+ {
+ if (offset < MLX5_EEPROM_PAGE_LENGTH)
+ /* Addresses between 0-255 - page 00 */
+@@ -307,7 +340,7 @@ static int mlx5_eeprom_page(int offset)
+ MLX5_EEPROM_HIGH_PAGE_LENGTH);
+ }
+
+-static int mlx5_eeprom_high_page_offset(int page_num)
++static int mlx5_qsfp_eeprom_high_page_offset(int page_num)
+ {
+ if (!page_num) /* Page 0 always start from low page */
+ return 0;
+@@ -316,35 +349,62 @@ static int mlx5_eeprom_high_page_offset(int page_num)
+ return page_num * MLX5_EEPROM_HIGH_PAGE_LENGTH;
+ }
+
++static void mlx5_qsfp_eeprom_params_set(u16 *i2c_addr, int *page_num, u16 *offset)
++{
++ *i2c_addr = MLX5_I2C_ADDR_LOW;
++ *page_num = mlx5_qsfp_eeprom_page(*offset);
++ *offset -= mlx5_qsfp_eeprom_high_page_offset(*page_num);
++}
++
++static void mlx5_sfp_eeprom_params_set(u16 *i2c_addr, int *page_num, u16 *offset)
++{
++ *i2c_addr = MLX5_I2C_ADDR_LOW;
++ *page_num = 0;
++
++ if (*offset < MLX5_EEPROM_PAGE_LENGTH)
++ return;
++
++ *i2c_addr = MLX5_I2C_ADDR_HIGH;
++ *offset -= MLX5_EEPROM_PAGE_LENGTH;
++}
++
+ int mlx5_query_module_eeprom(struct mlx5_core_dev *dev,
+ u16 offset, u16 size, u8 *data)
+ {
+- int module_num, page_num, status, err;
++ int module_num, status, err, page_num = 0;
++ u32 in[MLX5_ST_SZ_DW(mcia_reg)] = {};
+ u32 out[MLX5_ST_SZ_DW(mcia_reg)];
+- u32 in[MLX5_ST_SZ_DW(mcia_reg)];
+- u16 i2c_addr;
+- void *ptr = MLX5_ADDR_OF(mcia_reg, out, dword_0);
++ u16 i2c_addr = 0;
++ u8 module_id;
++ void *ptr;
+
+ err = mlx5_query_module_num(dev, &module_num);
+ if (err)
+ return err;
+
+- memset(in, 0, sizeof(in));
+- size = min_t(int, size, MLX5_EEPROM_MAX_BYTES);
+-
+- /* Get the page number related to the given offset */
+- page_num = mlx5_eeprom_page(offset);
++ err = mlx5_query_module_id(dev, module_num, &module_id);
++ if (err)
++ return err;
+
+- /* Set the right offset according to the page number,
+- * For page_num > 0, relative offset is always >= 128 (high page).
+- */
+- offset -= mlx5_eeprom_high_page_offset(page_num);
++ switch (module_id) {
++ case MLX5_MODULE_ID_SFP:
++ mlx5_sfp_eeprom_params_set(&i2c_addr, &page_num, &offset);
++ break;
++ case MLX5_MODULE_ID_QSFP:
++ case MLX5_MODULE_ID_QSFP_PLUS:
++ case MLX5_MODULE_ID_QSFP28:
++ mlx5_qsfp_eeprom_params_set(&i2c_addr, &page_num, &offset);
++ break;
++ default:
++ mlx5_core_err(dev, "Module ID not recognized: 0x%x\n", module_id);
++ return -EINVAL;
++ }
+
+ if (offset + size > MLX5_EEPROM_PAGE_LENGTH)
+ /* Cross pages read, read until offset 256 in low page */
+ size -= offset + size - MLX5_EEPROM_PAGE_LENGTH;
+
+- i2c_addr = MLX5_I2C_ADDR_LOW;
++ size = min_t(int, size, MLX5_EEPROM_MAX_BYTES);
+
+ MLX5_SET(mcia_reg, in, l, 0);
+ MLX5_SET(mcia_reg, in, module, module_num);
+@@ -365,6 +425,7 @@ int mlx5_query_module_eeprom(struct mlx5_core_dev *dev,
+ return -EIO;
+ }
+
++ ptr = MLX5_ADDR_OF(mcia_reg, out, dword_0);
+ memcpy(data, ptr, size);
+
+ return size;
+--
+2.25.1
+
--- /dev/null
+From 8da58a12c4d63f444bacdf62bb8dca9fb02509fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 Jun 2020 15:42:26 +0300
+Subject: net/mlx5e: CT: Fix memory leak in cleanup
+
+From: Eli Britstein <elibr@mellanox.com>
+
+[ Upstream commit eb32b3f53d283e8d68b6d86c3a6ed859b24dacae ]
+
+CT entries are deleted via a workqueue from netfilter. If removing the
+module before that, the rules are cleaned by the driver itself, but the
+memory entries for them are not freed. Fix that.
+
+Fixes: ac991b48d43c ("net/mlx5e: CT: Offload established flows")
+Signed-off-by: Eli Britstein <elibr@mellanox.com>
+Reviewed-by: Roi Dayan <roid@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c
+index 470282daed198..369a037714356 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c
+@@ -849,6 +849,7 @@ mlx5_tc_ct_flush_ft_entry(void *ptr, void *arg)
+ struct mlx5_ct_entry *entry = ptr;
+
+ mlx5_tc_ct_entry_del_rules(ct_priv, entry);
++ kfree(entry);
+ }
+
+ static void
+--
+2.25.1
+
--- /dev/null
+From e88f6ffb8dfb5ec08efb7e26311a051cbc0a599e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Jun 2020 12:48:47 +0300
+Subject: net/mlx5e: Fix 50G per lane indication
+
+From: Aya Levin <ayal@mellanox.com>
+
+[ Upstream commit 6a1cf4e443a3b0a4d690d3c93b84b1e9cbfcb1bd ]
+
+Some released FW versions mistakenly don't set the capability that 50G
+per lane link-modes are supported for VFs (ptys_extended_ethernet
+capability bit). When the capability is unset, read
+PTYS.ext_eth_proto_capability (always reliable).
+If PTYS.ext_eth_proto_capability is valid (has a non-zero value)
+conclude that the HCA supports 50G per lane. Otherwise, conclude that
+the HCA doesn't support 50G per lane.
+
+Fixes: a08b4ed1373d ("net/mlx5: Add support to ext_* fields introduced in Port Type and Speed register")
+Signed-off-by: Aya Levin <ayal@mellanox.com>
+Reviewed-by: Eran Ben Elisha <eranbe@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/mellanox/mlx5/core/en/port.c | 21 ++++++++++++++++---
+ .../net/ethernet/mellanox/mlx5/core/en/port.h | 2 +-
+ .../ethernet/mellanox/mlx5/core/en_ethtool.c | 8 +++----
+ 3 files changed, 23 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/port.c b/drivers/net/ethernet/mellanox/mlx5/core/en/port.c
+index 2a8950b3056f9..3cf3e35053f77 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/port.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/port.c
+@@ -78,11 +78,26 @@ static const u32 mlx5e_ext_link_speed[MLX5E_EXT_LINK_MODES_NUMBER] = {
+ [MLX5E_400GAUI_8] = 400000,
+ };
+
++bool mlx5e_ptys_ext_supported(struct mlx5_core_dev *mdev)
++{
++ struct mlx5e_port_eth_proto eproto;
++ int err;
++
++ if (MLX5_CAP_PCAM_FEATURE(mdev, ptys_extended_ethernet))
++ return true;
++
++ err = mlx5_port_query_eth_proto(mdev, 1, true, &eproto);
++ if (err)
++ return false;
++
++ return !!eproto.cap;
++}
++
+ static void mlx5e_port_get_speed_arr(struct mlx5_core_dev *mdev,
+ const u32 **arr, u32 *size,
+ bool force_legacy)
+ {
+- bool ext = force_legacy ? false : MLX5_CAP_PCAM_FEATURE(mdev, ptys_extended_ethernet);
++ bool ext = force_legacy ? false : mlx5e_ptys_ext_supported(mdev);
+
+ *size = ext ? ARRAY_SIZE(mlx5e_ext_link_speed) :
+ ARRAY_SIZE(mlx5e_link_speed);
+@@ -177,7 +192,7 @@ int mlx5e_port_linkspeed(struct mlx5_core_dev *mdev, u32 *speed)
+ bool ext;
+ int err;
+
+- ext = MLX5_CAP_PCAM_FEATURE(mdev, ptys_extended_ethernet);
++ ext = mlx5e_ptys_ext_supported(mdev);
+ err = mlx5_port_query_eth_proto(mdev, 1, ext, &eproto);
+ if (err)
+ goto out;
+@@ -205,7 +220,7 @@ int mlx5e_port_max_linkspeed(struct mlx5_core_dev *mdev, u32 *speed)
+ int err;
+ int i;
+
+- ext = MLX5_CAP_PCAM_FEATURE(mdev, ptys_extended_ethernet);
++ ext = mlx5e_ptys_ext_supported(mdev);
+ err = mlx5_port_query_eth_proto(mdev, 1, ext, &eproto);
+ if (err)
+ return err;
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/port.h b/drivers/net/ethernet/mellanox/mlx5/core/en/port.h
+index a2ddd446dd59e..7a7defe607926 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/port.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/port.h
+@@ -54,7 +54,7 @@ int mlx5e_port_linkspeed(struct mlx5_core_dev *mdev, u32 *speed);
+ int mlx5e_port_max_linkspeed(struct mlx5_core_dev *mdev, u32 *speed);
+ u32 mlx5e_port_speed2linkmodes(struct mlx5_core_dev *mdev, u32 speed,
+ bool force_legacy);
+-
++bool mlx5e_ptys_ext_supported(struct mlx5_core_dev *mdev);
+ int mlx5e_port_query_pbmc(struct mlx5_core_dev *mdev, void *out);
+ int mlx5e_port_set_pbmc(struct mlx5_core_dev *mdev, void *in);
+ int mlx5e_port_query_priority2buffer(struct mlx5_core_dev *mdev, u8 *buffer);
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
+index bc290ae80a531..1c491acd48f32 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
+@@ -200,7 +200,7 @@ static void mlx5e_ethtool_get_speed_arr(struct mlx5_core_dev *mdev,
+ struct ptys2ethtool_config **arr,
+ u32 *size)
+ {
+- bool ext = MLX5_CAP_PCAM_FEATURE(mdev, ptys_extended_ethernet);
++ bool ext = mlx5e_ptys_ext_supported(mdev);
+
+ *arr = ext ? ptys2ext_ethtool_table : ptys2legacy_ethtool_table;
+ *size = ext ? ARRAY_SIZE(ptys2ext_ethtool_table) :
+@@ -883,7 +883,7 @@ static void get_lp_advertising(struct mlx5_core_dev *mdev, u32 eth_proto_lp,
+ struct ethtool_link_ksettings *link_ksettings)
+ {
+ unsigned long *lp_advertising = link_ksettings->link_modes.lp_advertising;
+- bool ext = MLX5_CAP_PCAM_FEATURE(mdev, ptys_extended_ethernet);
++ bool ext = mlx5e_ptys_ext_supported(mdev);
+
+ ptys2ethtool_adver_link(lp_advertising, eth_proto_lp, ext);
+ }
+@@ -913,7 +913,7 @@ int mlx5e_ethtool_get_link_ksettings(struct mlx5e_priv *priv,
+ __func__, err);
+ goto err_query_regs;
+ }
+- ext = MLX5_CAP_PCAM_FEATURE(mdev, ptys_extended_ethernet);
++ ext = !!MLX5_GET_ETH_PROTO(ptys_reg, out, true, eth_proto_capability);
+ eth_proto_cap = MLX5_GET_ETH_PROTO(ptys_reg, out, ext,
+ eth_proto_capability);
+ eth_proto_admin = MLX5_GET_ETH_PROTO(ptys_reg, out, ext,
+@@ -1066,7 +1066,7 @@ int mlx5e_ethtool_set_link_ksettings(struct mlx5e_priv *priv,
+ autoneg = link_ksettings->base.autoneg;
+ speed = link_ksettings->base.speed;
+
+- ext_supported = MLX5_CAP_PCAM_FEATURE(mdev, ptys_extended_ethernet);
++ ext_supported = mlx5e_ptys_ext_supported(mdev);
+ ext = ext_requested(autoneg, adver, ext_supported);
+ if (!ext_supported && ext)
+ return -EOPNOTSUPP;
+--
+2.25.1
+
--- /dev/null
+From 7c2cd1b62c62c9fe93fc22fc376f7b5f510acbbc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 May 2020 10:37:42 +0300
+Subject: net/mlx5e: Fix CPU mapping after function reload to avoid aRFS RX
+ crash
+
+From: Aya Levin <ayal@mellanox.com>
+
+[ Upstream commit f4aebbfb56ed0c186adbeb2799df836da50f78e3 ]
+
+After function reload, CPU mapping used by aRFS RX is broken, leading to
+a kernel panic. Fix by moving initialization of rx_cpu_rmap from
+netdev_init to netdev_attach. IRQ table is re-allocated on mlx5_load,
+but netdev is not re-initialize.
+
+Trace of the panic:
+[ 22.055672] general protection fault, probably for non-canonical address 0x785634120000ff1c: 0000 [#1] SMP PTI
+[ 22.065010] CPU: 4 PID: 0 Comm: swapper/4 Not tainted 5.7.0-rc2-for-upstream-perf-2020-04-21_16-34-03-31 #1
+[ 22.067967] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
+[ 22.071174] RIP: 0010:get_rps_cpu+0x267/0x300
+[ 22.075692] RSP: 0018:ffffc90000244d60 EFLAGS: 00010202
+[ 22.076888] RAX: ffff888459b0e400 RBX: 0000000000000000 RCX:0000000000000007
+[ 22.078364] RDX: 0000000000008884 RSI: ffff888467cb5b00 RDI:0000000000000000
+[ 22.079815] RBP: 00000000ff342b27 R08: 0000000000000007 R09:0000000000000003
+[ 22.081289] R10: ffffffffffffffff R11: 00000000000070cc R12:ffff888454900000
+[ 22.082767] R13: ffffc90000e5a950 R14: ffffc90000244dc0 R15:0000000000000007
+[ 22.084190] FS: 0000000000000000(0000) GS:ffff88846fc80000(0000)knlGS:0000000000000000
+[ 22.086161] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 22.087427] CR2: ffffffffffffffff CR3: 0000000464426003 CR4:0000000000760ee0
+[ 22.088888] DR0: 0000000000000000 DR1: 0000000000000000 DR2:0000000000000000
+[ 22.090336] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:0000000000000400
+[ 22.091764] PKRU: 55555554
+[ 22.092618] Call Trace:
+[ 22.093442] <IRQ>
+[ 22.094211] ? kvm_clock_get_cycles+0xd/0x10
+[ 22.095272] netif_receive_skb_list_internal+0x258/0x2a0
+[ 22.096460] gro_normal_list.part.137+0x19/0x40
+[ 22.097547] napi_complete_done+0xc6/0x110
+[ 22.098685] mlx5e_napi_poll+0x190/0x670 [mlx5_core]
+[ 22.099859] net_rx_action+0x2a0/0x400
+[ 22.100848] __do_softirq+0xd8/0x2a8
+[ 22.101829] irq_exit+0xa5/0xb0
+[ 22.102750] do_IRQ+0x52/0xd0
+[ 22.103654] common_interrupt+0xf/0xf
+[ 22.104641] </IRQ>
+
+Fixes: 4383cfcc65e7 ("net/mlx5: Add devlink reload")
+Signed-off-by: Aya Levin <ayal@mellanox.com>
+Reviewed-by: Eran Ben Elisha <eranbe@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index 02f6b6bd2847c..bc54913c58618 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -5119,6 +5119,10 @@ static int mlx5e_init_nic_rx(struct mlx5e_priv *priv)
+ if (err)
+ goto err_destroy_flow_steering;
+
++#ifdef CONFIG_MLX5_EN_ARFS
++ priv->netdev->rx_cpu_rmap = mlx5_eq_table_get_rmap(priv->mdev);
++#endif
++
+ return 0;
+
+ err_destroy_flow_steering:
+@@ -5296,10 +5300,6 @@ int mlx5e_netdev_init(struct net_device *netdev,
+ /* netdev init */
+ netif_carrier_off(netdev);
+
+-#ifdef CONFIG_MLX5_EN_ARFS
+- netdev->rx_cpu_rmap = mlx5_eq_table_get_rmap(mdev);
+-#endif
+-
+ return 0;
+
+ err_free_cpumask:
+--
+2.25.1
+
--- /dev/null
+From 9c0b8aa6b42b5c6edecb68df7314e8ceac0d3787 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Jun 2020 19:04:03 +0300
+Subject: net/mlx5e: Fix VXLAN configuration restore after function reload
+
+From: Aya Levin <ayal@mellanox.com>
+
+[ Upstream commit b3c2ed21c0bdf35ba498a9974aa587f99a03b658 ]
+
+When detaching netdev, remove vxlan port configuration using
+udp_tunnel_drop_rx_info. During function reload, configuration will be
+restored using udp_tunnel_get_rx_info. This ensures sync between
+firmware and driver. Use udp_tunnel_get_rx_info even if its physical
+interface is down.
+
+Fixes: 4383cfcc65e7 ("net/mlx5: Add devlink reload")
+Signed-off-by: Aya Levin <ayal@mellanox.com>
+Reviewed-by: Eran Ben Elisha <eranbe@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index bd8d0e0960857..02f6b6bd2847c 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -3076,9 +3076,6 @@ int mlx5e_open(struct net_device *netdev)
+ mlx5_set_port_admin_status(priv->mdev, MLX5_PORT_UP);
+ mutex_unlock(&priv->state_lock);
+
+- if (mlx5_vxlan_allowed(priv->mdev->vxlan))
+- udp_tunnel_get_rx_info(netdev);
+-
+ return err;
+ }
+
+@@ -5207,6 +5204,8 @@ static void mlx5e_nic_enable(struct mlx5e_priv *priv)
+ rtnl_lock();
+ if (netif_running(netdev))
+ mlx5e_open(netdev);
++ if (mlx5_vxlan_allowed(priv->mdev->vxlan))
++ udp_tunnel_get_rx_info(netdev);
+ netif_device_attach(netdev);
+ rtnl_unlock();
+ }
+@@ -5223,6 +5222,8 @@ static void mlx5e_nic_disable(struct mlx5e_priv *priv)
+ rtnl_lock();
+ if (netif_running(priv->netdev))
+ mlx5e_close(priv->netdev);
++ if (mlx5_vxlan_allowed(priv->mdev->vxlan))
++ udp_tunnel_drop_rx_info(priv->netdev);
+ netif_device_detach(priv->netdev);
+ rtnl_unlock();
+
+--
+2.25.1
+
--- /dev/null
+From ff6e9db9e4f9828600287b324056ccb062538846 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Jun 2020 11:04:40 +0100
+Subject: net: mvneta: fix use of state->speed
+
+From: Russell King <rmk+kernel@armlinux.org.uk>
+
+[ Upstream commit f2ca673d2cd5df9a76247b670e9ffd4d63682b3f ]
+
+When support for short preambles was added, it incorrectly keyed its
+decision off state->speed instead of state->interface. state->speed
+is not guaranteed to be correct for in-band modes, which can lead to
+short preambles being unexpectedly disabled.
+
+Fix this by keying off the interface mode, which is the only way that
+mvneta can operate at 2.5Gbps.
+
+Fixes: da58a931f248 ("net: mvneta: Add support for 2500Mbps SGMII")
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mvneta.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c
+index af578a5813bd2..cf26cf4e47aa8 100644
+--- a/drivers/net/ethernet/marvell/mvneta.c
++++ b/drivers/net/ethernet/marvell/mvneta.c
+@@ -3953,7 +3953,7 @@ static void mvneta_mac_config(struct phylink_config *config, unsigned int mode,
+ /* When at 2.5G, the link partner can send frames with shortened
+ * preambles.
+ */
+- if (state->speed == SPEED_2500)
++ if (state->interface == PHY_INTERFACE_MODE_2500BASEX)
+ new_ctrl4 |= MVNETA_GMAC4_SHORT_PREAMBLE_ENABLE;
+
+ if (pp->phy_interface != state->interface) {
+--
+2.25.1
+
--- /dev/null
+From 31ea600bdb726d959e6a26d2f0ea767899bc2494 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Jul 2020 12:25:53 +0300
+Subject: net: qed: fix buffer overflow on ethtool -d
+
+From: Alexander Lobakin <alobakin@marvell.com>
+
+[ Upstream commit da3287111ab43b32cec54d7ca6b48640f210a196 ]
+
+When generating debug dump, driver firstly collects all data in binary
+form, and then performs per-feature formatting to human-readable if it
+is supported.
+
+For ethtool -d, this is roughly incorrect for two reasons. First of all,
+drivers should always provide only original raw dumps to Ethtool without
+any changes.
+The second, and more critical, is that Ethtool's output buffer size is
+strictly determined by ethtool_ops::get_regs_len(), and all data *must*
+fit in it. The current version of driver always returns the size of raw
+data, but the size of the formatted buffer exceeds it in most cases.
+This leads to out-of-bound writes and memory corruption.
+
+Address both issues by adding an option to return original, non-formatted
+debug data, and using it for Ethtool case.
+
+v2:
+ - Expand commit message to make it more clear;
+ - No functional changes.
+
+Fixes: c965db444629 ("qed: Add support for debug data collection")
+Signed-off-by: Alexander Lobakin <alobakin@marvell.com>
+Signed-off-by: Igor Russkikh <irusskikh@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed.h | 2 ++
+ drivers/net/ethernet/qlogic/qed/qed_debug.c | 13 ++++++++++++-
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed.h b/drivers/net/ethernet/qlogic/qed/qed.h
+index fa41bf08a5895..58d6ef489d5bf 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed.h
++++ b/drivers/net/ethernet/qlogic/qed/qed.h
+@@ -880,6 +880,8 @@ struct qed_dev {
+ #endif
+ struct qed_dbg_feature dbg_features[DBG_FEATURE_NUM];
+ bool disable_ilt_dump;
++ bool dbg_bin_dump;
++
+ DECLARE_HASHTABLE(connections, 10);
+ const struct firmware *firmware;
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_debug.c b/drivers/net/ethernet/qlogic/qed/qed_debug.c
+index 3e56b6056b477..03ce18f653932 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_debug.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_debug.c
+@@ -7506,6 +7506,12 @@ static enum dbg_status format_feature(struct qed_hwfn *p_hwfn,
+ if (p_hwfn->cdev->dbg_params.print_data)
+ qed_dbg_print_feature(text_buf, text_size_bytes);
+
++ /* Just return the original binary buffer if requested */
++ if (p_hwfn->cdev->dbg_bin_dump) {
++ vfree(text_buf);
++ return DBG_STATUS_OK;
++ }
++
+ /* Free the old dump_buf and point the dump_buf to the newly allocagted
+ * and formatted text buffer.
+ */
+@@ -7733,7 +7739,9 @@ int qed_dbg_mcp_trace_size(struct qed_dev *cdev)
+ #define REGDUMP_HEADER_SIZE_SHIFT 0
+ #define REGDUMP_HEADER_SIZE_MASK 0xffffff
+ #define REGDUMP_HEADER_FEATURE_SHIFT 24
+-#define REGDUMP_HEADER_FEATURE_MASK 0x3f
++#define REGDUMP_HEADER_FEATURE_MASK 0x1f
++#define REGDUMP_HEADER_BIN_DUMP_SHIFT 29
++#define REGDUMP_HEADER_BIN_DUMP_MASK 0x1
+ #define REGDUMP_HEADER_OMIT_ENGINE_SHIFT 30
+ #define REGDUMP_HEADER_OMIT_ENGINE_MASK 0x1
+ #define REGDUMP_HEADER_ENGINE_SHIFT 31
+@@ -7771,6 +7779,7 @@ static u32 qed_calc_regdump_header(struct qed_dev *cdev,
+ feature, feature_size);
+
+ SET_FIELD(res, REGDUMP_HEADER_FEATURE, feature);
++ SET_FIELD(res, REGDUMP_HEADER_BIN_DUMP, 1);
+ SET_FIELD(res, REGDUMP_HEADER_OMIT_ENGINE, omit_engine);
+ SET_FIELD(res, REGDUMP_HEADER_ENGINE, engine);
+
+@@ -7794,6 +7803,7 @@ int qed_dbg_all_data(struct qed_dev *cdev, void *buffer)
+ omit_engine = 1;
+
+ mutex_lock(&qed_dbg_lock);
++ cdev->dbg_bin_dump = true;
+
+ org_engine = qed_get_debug_engine(cdev);
+ for (cur_engine = 0; cur_engine < cdev->num_hwfns; cur_engine++) {
+@@ -7993,6 +8003,7 @@ int qed_dbg_all_data(struct qed_dev *cdev, void *buffer)
+ QED_NVM_IMAGE_MDUMP, "QED_NVM_IMAGE_MDUMP", rc);
+ }
+
++ cdev->dbg_bin_dump = false;
+ mutex_unlock(&qed_dbg_lock);
+
+ return 0;
+--
+2.25.1
+
--- /dev/null
+From 35cd1ea46c358a56334c4c7802f49b0ec90a1313 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Jul 2020 17:08:55 +0000
+Subject: net: rmnet: do not allow to add multiple bridge interfaces
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit 2fb2799a2abb39d7dbb48abb3baa1133bf5e921a ]
+
+rmnet can have only two bridge interface.
+One of them is a link interface and another one is added by
+the master operation.
+rmnet interface shouldn't allow adding additional
+bridge interfaces by mater operation.
+But, there is no code to deny additional interfaces.
+So, interface leak occurs.
+
+Test commands:
+ ip link add dummy0 type dummy
+ ip link add dummy1 type dummy
+ ip link add dummy2 type dummy
+ ip link add rmnet0 link dummy0 type rmnet mux_id 1
+ ip link set dummy1 master rmnet0
+ ip link set dummy2 master rmnet0
+ ip link del rmnet0
+
+In the above test command, the dummy0 was attached to rmnet as VND mode.
+Then, dummy1 was attached to rmnet0 as BRIDGE mode.
+At this point, dummy0 mode is switched from VND to BRIDGE automatically.
+Then, dummy2 is attached to rmnet as BRIDGE mode.
+At this point, rmnet0 should deny this operation.
+But, rmnet0 doesn't deny this.
+So that below splat occurs when the rmnet0 interface is deleted.
+
+Splat looks like:
+[ 186.684787][ C2] WARNING: CPU: 2 PID: 1009 at net/core/dev.c:8992 rollback_registered_many+0x986/0xcf0
+[ 186.684788][ C2] Modules linked in: rmnet dummy openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_x
+[ 186.684805][ C2] CPU: 2 PID: 1009 Comm: ip Not tainted 5.8.0-rc1+ #621
+[ 186.684807][ C2] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
+[ 186.684808][ C2] RIP: 0010:rollback_registered_many+0x986/0xcf0
+[ 186.684811][ C2] Code: 41 8b 4e cc 45 31 c0 31 d2 4c 89 ee 48 89 df e8 e0 47 ff ff 85 c0 0f 84 cd fc ff ff 5
+[ 186.684812][ C2] RSP: 0018:ffff8880cd9472e0 EFLAGS: 00010287
+[ 186.684815][ C2] RAX: ffff8880cc56da58 RBX: ffff8880ab21c000 RCX: ffffffff9329d323
+[ 186.684816][ C2] RDX: 1ffffffff2be6410 RSI: 0000000000000008 RDI: ffffffff95f32080
+[ 186.684818][ C2] RBP: dffffc0000000000 R08: fffffbfff2be6411 R09: fffffbfff2be6411
+[ 186.684819][ C2] R10: ffffffff95f32087 R11: 0000000000000001 R12: ffff8880cd947480
+[ 186.684820][ C2] R13: ffff8880ab21c0b8 R14: ffff8880cd947400 R15: ffff8880cdf10640
+[ 186.684822][ C2] FS: 00007f00843890c0(0000) GS:ffff8880d4e00000(0000) knlGS:0000000000000000
+[ 186.684823][ C2] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 186.684825][ C2] CR2: 000055b8ab1077b8 CR3: 00000000ab612006 CR4: 00000000000606e0
+[ 186.684826][ C2] Call Trace:
+[ 186.684827][ C2] ? lockdep_hardirqs_on_prepare+0x379/0x540
+[ 186.684829][ C2] ? netif_set_real_num_tx_queues+0x780/0x780
+[ 186.684830][ C2] ? rmnet_unregister_real_device+0x56/0x90 [rmnet]
+[ 186.684831][ C2] ? __kasan_slab_free+0x126/0x150
+[ 186.684832][ C2] ? kfree+0xdc/0x320
+[ 186.684834][ C2] ? rmnet_unregister_real_device+0x56/0x90 [rmnet]
+[ 186.684835][ C2] unregister_netdevice_many.part.135+0x13/0x1b0
+[ 186.684836][ C2] rtnl_delete_link+0xbc/0x100
+[ ... ]
+[ 238.440071][ T1009] unregister_netdevice: waiting for rmnet0 to become free. Usage count = 1
+
+Fixes: 037f9cdf72fb ("net: rmnet: use upper/lower device infrastructure")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c b/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c
+index 2c8c252b7b97f..fcdecddb28122 100644
+--- a/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c
++++ b/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c
+@@ -429,6 +429,11 @@ int rmnet_add_bridge(struct net_device *rmnet_dev,
+ return -EINVAL;
+ }
+
++ if (port->rmnet_mode != RMNET_EPMODE_VND) {
++ NL_SET_ERR_MSG_MOD(extack, "more than one bridge dev attached");
++ return -EINVAL;
++ }
++
+ if (rmnet_is_real_dev_registered(slave_dev)) {
+ NL_SET_ERR_MSG_MOD(extack,
+ "slave cannot be another rmnet dev");
+--
+2.25.1
+
--- /dev/null
+From 61595f1c90c95ba6143de3a192637c49bc198327 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Jul 2020 17:08:18 +0000
+Subject: net: rmnet: fix lower interface leak
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit 2a762e9e8cd1cf1242e4269a2244666ed02eecd1 ]
+
+There are two types of the lower interface of rmnet that are VND
+and BRIDGE.
+Each lower interface can have only one type either VND or BRIDGE.
+But, there is a case, which uses both lower interface types.
+Due to this unexpected behavior, lower interface leak occurs.
+
+Test commands:
+ ip link add dummy0 type dummy
+ ip link add dummy1 type dummy
+ ip link add rmnet0 link dummy0 type rmnet mux_id 1
+ ip link set dummy1 master rmnet0
+ ip link add rmnet1 link dummy1 type rmnet mux_id 2
+ ip link del rmnet0
+
+The dummy1 was attached as BRIDGE interface of rmnet0.
+Then, it also was attached as VND interface of rmnet1.
+This is unexpected behavior and there is no code for handling this case.
+So that below splat occurs when the rmnet0 interface is deleted.
+
+Splat looks like:
+[ 53.254112][ C1] WARNING: CPU: 1 PID: 1192 at net/core/dev.c:8992 rollback_registered_many+0x986/0xcf0
+[ 53.254117][ C1] Modules linked in: rmnet dummy openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nfx
+[ 53.254182][ C1] CPU: 1 PID: 1192 Comm: ip Not tainted 5.8.0-rc1+ #620
+[ 53.254188][ C1] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
+[ 53.254192][ C1] RIP: 0010:rollback_registered_many+0x986/0xcf0
+[ 53.254200][ C1] Code: 41 8b 4e cc 45 31 c0 31 d2 4c 89 ee 48 89 df e8 e0 47 ff ff 85 c0 0f 84 cd fc ff ff 0f 0b e5
+[ 53.254205][ C1] RSP: 0018:ffff888050a5f2e0 EFLAGS: 00010287
+[ 53.254214][ C1] RAX: ffff88805756d658 RBX: ffff88804d99c000 RCX: ffffffff8329d323
+[ 53.254219][ C1] RDX: 1ffffffff0be6410 RSI: 0000000000000008 RDI: ffffffff85f32080
+[ 53.254223][ C1] RBP: dffffc0000000000 R08: fffffbfff0be6411 R09: fffffbfff0be6411
+[ 53.254228][ C1] R10: ffffffff85f32087 R11: 0000000000000001 R12: ffff888050a5f480
+[ 53.254233][ C1] R13: ffff88804d99c0b8 R14: ffff888050a5f400 R15: ffff8880548ebe40
+[ 53.254238][ C1] FS: 00007f6b86b370c0(0000) GS:ffff88806c200000(0000) knlGS:0000000000000000
+[ 53.254243][ C1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 53.254248][ C1] CR2: 0000562c62438758 CR3: 000000003f600005 CR4: 00000000000606e0
+[ 53.254253][ C1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 53.254257][ C1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 53.254261][ C1] Call Trace:
+[ 53.254266][ C1] ? lockdep_hardirqs_on_prepare+0x379/0x540
+[ 53.254270][ C1] ? netif_set_real_num_tx_queues+0x780/0x780
+[ 53.254275][ C1] ? rmnet_unregister_real_device+0x56/0x90 [rmnet]
+[ 53.254279][ C1] ? __kasan_slab_free+0x126/0x150
+[ 53.254283][ C1] ? kfree+0xdc/0x320
+[ 53.254288][ C1] ? rmnet_unregister_real_device+0x56/0x90 [rmnet]
+[ 53.254293][ C1] unregister_netdevice_many.part.135+0x13/0x1b0
+[ 53.254297][ C1] rtnl_delete_link+0xbc/0x100
+[ 53.254301][ C1] ? rtnl_af_register+0xc0/0xc0
+[ 53.254305][ C1] rtnl_dellink+0x2dc/0x840
+[ 53.254309][ C1] ? find_held_lock+0x39/0x1d0
+[ 53.254314][ C1] ? valid_fdb_dump_strict+0x620/0x620
+[ 53.254318][ C1] ? rtnetlink_rcv_msg+0x457/0x890
+[ 53.254322][ C1] ? lock_contended+0xd20/0xd20
+[ 53.254326][ C1] rtnetlink_rcv_msg+0x4a8/0x890
+[ ... ]
+[ 73.813696][ T1192] unregister_netdevice: waiting for rmnet0 to become free. Usage count = 1
+
+Fixes: 037f9cdf72fb ("net: rmnet: use upper/lower device infrastructure")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ethernet/qualcomm/rmnet/rmnet_config.c | 21 +++++++++++--------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c b/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c
+index 40efe60eff8d9..2c8c252b7b97f 100644
+--- a/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c
++++ b/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c
+@@ -47,15 +47,23 @@ static int rmnet_unregister_real_device(struct net_device *real_dev)
+ return 0;
+ }
+
+-static int rmnet_register_real_device(struct net_device *real_dev)
++static int rmnet_register_real_device(struct net_device *real_dev,
++ struct netlink_ext_ack *extack)
+ {
+ struct rmnet_port *port;
+ int rc, entry;
+
+ ASSERT_RTNL();
+
+- if (rmnet_is_real_dev_registered(real_dev))
++ if (rmnet_is_real_dev_registered(real_dev)) {
++ port = rmnet_get_port_rtnl(real_dev);
++ if (port->rmnet_mode != RMNET_EPMODE_VND) {
++ NL_SET_ERR_MSG_MOD(extack, "bridge device already exists");
++ return -EINVAL;
++ }
++
+ return 0;
++ }
+
+ port = kzalloc(sizeof(*port), GFP_KERNEL);
+ if (!port)
+@@ -133,7 +141,7 @@ static int rmnet_newlink(struct net *src_net, struct net_device *dev,
+
+ mux_id = nla_get_u16(data[IFLA_RMNET_MUX_ID]);
+
+- err = rmnet_register_real_device(real_dev);
++ err = rmnet_register_real_device(real_dev, extack);
+ if (err)
+ goto err0;
+
+@@ -421,11 +429,6 @@ int rmnet_add_bridge(struct net_device *rmnet_dev,
+ return -EINVAL;
+ }
+
+- if (port->rmnet_mode != RMNET_EPMODE_VND) {
+- NL_SET_ERR_MSG_MOD(extack, "bridge device already exists");
+- return -EINVAL;
+- }
+-
+ if (rmnet_is_real_dev_registered(slave_dev)) {
+ NL_SET_ERR_MSG_MOD(extack,
+ "slave cannot be another rmnet dev");
+@@ -433,7 +436,7 @@ int rmnet_add_bridge(struct net_device *rmnet_dev,
+ return -EBUSY;
+ }
+
+- err = rmnet_register_real_device(slave_dev);
++ err = rmnet_register_real_device(slave_dev, extack);
+ if (err)
+ return -EBUSY;
+
+--
+2.25.1
+
--- /dev/null
+From 937f23966dbf3962004ac06e9734f5ea33d678b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Jul 2020 13:17:40 +0200
+Subject: netfilter: conntrack: refetch conntrack after nf_conntrack_update()
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit d005fbb855d3b5660d62ee5a6bd2d99c13ff8cf3 ]
+
+__nf_conntrack_update() might refresh the conntrack object that is
+attached to the skbuff. Otherwise, this triggers UAF.
+
+[ 633.200434] ==================================================================
+[ 633.200472] BUG: KASAN: use-after-free in nf_conntrack_update+0x34e/0x770 [nf_conntrack]
+[ 633.200478] Read of size 1 at addr ffff888370804c00 by task nfqnl_test/6769
+
+[ 633.200487] CPU: 1 PID: 6769 Comm: nfqnl_test Not tainted 5.8.0-rc2+ #388
+[ 633.200490] Hardware name: LENOVO 23259H1/23259H1, BIOS G2ET32WW (1.12 ) 05/30/2012
+[ 633.200491] Call Trace:
+[ 633.200499] dump_stack+0x7c/0xb0
+[ 633.200526] ? nf_conntrack_update+0x34e/0x770 [nf_conntrack]
+[ 633.200532] print_address_description.constprop.6+0x1a/0x200
+[ 633.200539] ? _raw_write_lock_irqsave+0xc0/0xc0
+[ 633.200568] ? nf_conntrack_update+0x34e/0x770 [nf_conntrack]
+[ 633.200594] ? nf_conntrack_update+0x34e/0x770 [nf_conntrack]
+[ 633.200598] kasan_report.cold.9+0x1f/0x42
+[ 633.200604] ? call_rcu+0x2c0/0x390
+[ 633.200633] ? nf_conntrack_update+0x34e/0x770 [nf_conntrack]
+[ 633.200659] nf_conntrack_update+0x34e/0x770 [nf_conntrack]
+[ 633.200687] ? nf_conntrack_find_get+0x30/0x30 [nf_conntrack]
+
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1436
+Fixes: ee04805ff54a ("netfilter: conntrack: make conntrack userspace helpers work again")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
+index bb72ca5f3999a..3ab6dbb6588e2 100644
+--- a/net/netfilter/nf_conntrack_core.c
++++ b/net/netfilter/nf_conntrack_core.c
+@@ -2149,6 +2149,8 @@ static int nf_conntrack_update(struct net *net, struct sk_buff *skb)
+ err = __nf_conntrack_update(net, skb, ct, ctinfo);
+ if (err < 0)
+ return err;
++
++ ct = nf_ct_get(skb, &ctinfo);
+ }
+
+ return nf_confirm_cthelper(skb, ct, ctinfo);
+--
+2.25.1
+
--- /dev/null
+From 33376bde186ffb154182759e6cf9fad7d9c28d10 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jun 2020 17:04:17 -0700
+Subject: netfilter: ipset: call ip_set_free() instead of kfree()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit c4e8fa9074ad94f80e5c0dcaa16b313e50e958c5 ]
+
+Whenever ip_set_alloc() is used, allocated memory can either
+use kmalloc() or vmalloc(). We should call kvfree() or
+ip_set_free()
+
+invalid opcode: 0000 [#1] PREEMPT SMP KASAN
+CPU: 0 PID: 21935 Comm: syz-executor.3 Not tainted 5.8.0-rc2-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:__phys_addr+0xa7/0x110 arch/x86/mm/physaddr.c:28
+Code: 1d 7a 09 4c 89 e3 31 ff 48 d3 eb 48 89 de e8 d0 58 3f 00 48 85 db 75 0d e8 26 5c 3f 00 4c 89 e0 5b 5d 41 5c c3 e8 19 5c 3f 00 <0f> 0b e8 12 5c 3f 00 48 c7 c0 10 10 a8 89 48 ba 00 00 00 00 00 fc
+RSP: 0000:ffffc900018572c0 EFLAGS: 00010046
+RAX: 0000000000040000 RBX: 0000000000000001 RCX: ffffc9000fac3000
+RDX: 0000000000040000 RSI: ffffffff8133f437 RDI: 0000000000000007
+RBP: ffffc90098aff000 R08: 0000000000000000 R09: ffff8880ae636cdb
+R10: 0000000000000000 R11: 0000000000000000 R12: 0000408018aff000
+R13: 0000000000080000 R14: 000000000000001d R15: ffffc900018573d8
+FS: 00007fc540c66700(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007fc9dcd67200 CR3: 0000000059411000 CR4: 00000000001406f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ virt_to_head_page include/linux/mm.h:841 [inline]
+ virt_to_cache mm/slab.h:474 [inline]
+ kfree+0x77/0x2c0 mm/slab.c:3749
+ hash_net_create+0xbb2/0xd70 net/netfilter/ipset/ip_set_hash_gen.h:1536
+ ip_set_create+0x6a2/0x13c0 net/netfilter/ipset/ip_set_core.c:1128
+ nfnetlink_rcv_msg+0xbe8/0xea0 net/netfilter/nfnetlink.c:230
+ netlink_rcv_skb+0x15a/0x430 net/netlink/af_netlink.c:2469
+ nfnetlink_rcv+0x1ac/0x420 net/netfilter/nfnetlink.c:564
+ netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
+ netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1329
+ netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1918
+ sock_sendmsg_nosec net/socket.c:652 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:672
+ ____sys_sendmsg+0x6e8/0x810 net/socket.c:2352
+ ___sys_sendmsg+0xf3/0x170 net/socket.c:2406
+ __sys_sendmsg+0xe5/0x1b0 net/socket.c:2439
+ do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:359
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x45cb19
+Code: Bad RIP value.
+RSP: 002b:00007fc540c65c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 00000000004fed80 RCX: 000000000045cb19
+RDX: 0000000000000000 RSI: 0000000020001080 RDI: 0000000000000003
+RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 000000000000095e R14: 00000000004cc295 R15: 00007fc540c666d4
+
+Fixes: f66ee0410b1c ("netfilter: ipset: Fix "INFO: rcu detected stall in hash_xxx" reports")
+Fixes: 03c8b234e61a ("netfilter: ipset: Generalize extensions support")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/ipset/ip_set_bitmap_ip.c | 2 +-
+ net/netfilter/ipset/ip_set_bitmap_ipmac.c | 2 +-
+ net/netfilter/ipset/ip_set_bitmap_port.c | 2 +-
+ net/netfilter/ipset/ip_set_hash_gen.h | 4 ++--
+ 4 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/net/netfilter/ipset/ip_set_bitmap_ip.c b/net/netfilter/ipset/ip_set_bitmap_ip.c
+index 486959f70cf31..a8ce04a4bb72a 100644
+--- a/net/netfilter/ipset/ip_set_bitmap_ip.c
++++ b/net/netfilter/ipset/ip_set_bitmap_ip.c
+@@ -326,7 +326,7 @@ bitmap_ip_create(struct net *net, struct ip_set *set, struct nlattr *tb[],
+ set->variant = &bitmap_ip;
+ if (!init_map_ip(set, map, first_ip, last_ip,
+ elements, hosts, netmask)) {
+- kfree(map);
++ ip_set_free(map);
+ return -ENOMEM;
+ }
+ if (tb[IPSET_ATTR_TIMEOUT]) {
+diff --git a/net/netfilter/ipset/ip_set_bitmap_ipmac.c b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
+index 2310a316e0aff..2c625e0f49ec0 100644
+--- a/net/netfilter/ipset/ip_set_bitmap_ipmac.c
++++ b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
+@@ -363,7 +363,7 @@ bitmap_ipmac_create(struct net *net, struct ip_set *set, struct nlattr *tb[],
+ map->memsize = BITS_TO_LONGS(elements) * sizeof(unsigned long);
+ set->variant = &bitmap_ipmac;
+ if (!init_map_ipmac(set, map, first_ip, last_ip, elements)) {
+- kfree(map);
++ ip_set_free(map);
+ return -ENOMEM;
+ }
+ if (tb[IPSET_ATTR_TIMEOUT]) {
+diff --git a/net/netfilter/ipset/ip_set_bitmap_port.c b/net/netfilter/ipset/ip_set_bitmap_port.c
+index e56ced66f202d..7138e080def4c 100644
+--- a/net/netfilter/ipset/ip_set_bitmap_port.c
++++ b/net/netfilter/ipset/ip_set_bitmap_port.c
+@@ -274,7 +274,7 @@ bitmap_port_create(struct net *net, struct ip_set *set, struct nlattr *tb[],
+ map->memsize = BITS_TO_LONGS(elements) * sizeof(unsigned long);
+ set->variant = &bitmap_port;
+ if (!init_map_port(set, map, first_port, last_port)) {
+- kfree(map);
++ ip_set_free(map);
+ return -ENOMEM;
+ }
+ if (tb[IPSET_ATTR_TIMEOUT]) {
+diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h
+index 1ee43752d6d3c..521e970be4028 100644
+--- a/net/netfilter/ipset/ip_set_hash_gen.h
++++ b/net/netfilter/ipset/ip_set_hash_gen.h
+@@ -682,7 +682,7 @@ mtype_resize(struct ip_set *set, bool retried)
+ }
+ t->hregion = ip_set_alloc(ahash_sizeof_regions(htable_bits));
+ if (!t->hregion) {
+- kfree(t);
++ ip_set_free(t);
+ ret = -ENOMEM;
+ goto out;
+ }
+@@ -1533,7 +1533,7 @@ IPSET_TOKEN(HTYPE, _create)(struct net *net, struct ip_set *set,
+ }
+ t->hregion = ip_set_alloc(ahash_sizeof_regions(hbits));
+ if (!t->hregion) {
+- kfree(t);
++ ip_set_free(t);
+ kfree(h);
+ return -ENOMEM;
+ }
+--
+2.25.1
+
--- /dev/null
+From 81e96f05610d656f8fff9f6d726055e51179a9c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Jun 2020 12:49:39 +0300
+Subject: nl80211: don't return err unconditionally in nl80211_start_ap()
+
+From: Luca Coelho <luciano.coelho@intel.com>
+
+[ Upstream commit bc7a39b4272b9672d806d422b6850e8c1a09914c ]
+
+When a memory leak was fixed, a return err was changed to goto err,
+but, accidentally, the if (err) was removed, so now we always exit at
+this point.
+
+Fix it by adding if (err) back.
+
+Fixes: 9951ebfcdf2b ("nl80211: fix potential leak in AP start")
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Link: https://lore.kernel.org/r/iwlwifi.20200626124931.871ba5b31eee.I97340172d92164ee92f3c803fe20a8a6e97714e1@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/nl80211.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index 692bcd35f8094..a56ede64e70fc 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -5004,7 +5004,8 @@ static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
+ err = nl80211_parse_he_obss_pd(
+ info->attrs[NL80211_ATTR_HE_OBSS_PD],
+ ¶ms.he_obss_pd);
+- goto out;
++ if (err)
++ goto out;
+ }
+
+ if (info->attrs[NL80211_ATTR_HE_BSS_COLOR]) {
+--
+2.25.1
+
--- /dev/null
+From 9f120f5793216844b4d9bfb55b064ba10252e5d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Jun 2020 12:49:40 +0300
+Subject: nl80211: fix memory leak when parsing NL80211_ATTR_HE_BSS_COLOR
+
+From: Luca Coelho <luciano.coelho@intel.com>
+
+[ Upstream commit 60a0121f8fa64b0f4297aa6fef8207500483a874 ]
+
+If there is an error when parsing the NL80211_ATTR_HE_BSS_COLOR
+attribute, we return immediately without freeing param.acl. Fit it by
+using goto out instead of returning immediately.
+
+Fixes: 5c5e52d1bb96 ("nl80211: add handling for BSS color")
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Link: https://lore.kernel.org/r/iwlwifi.20200626124931.7ad2a3eb894f.I60905fb70bd20389a3b170db515a07275e31845e@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/nl80211.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index a56ede64e70fc..7ae6b90e0d264 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -5013,7 +5013,7 @@ static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
+ info->attrs[NL80211_ATTR_HE_BSS_COLOR],
+ ¶ms.he_bss_color);
+ if (err)
+- return err;
++ goto out;
+ }
+
+ nl80211_calculate_ap_params(¶ms);
+--
+2.25.1
+
--- /dev/null
+From 0f8ab9e17b31a2d2e007ff689546d39c2225838b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Jun 2020 16:39:35 +0300
+Subject: perf intel-pt: Fix PEBS sample for XMM registers
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+[ Upstream commit 4c95ad261cfac120dd66238fcae222766754c219 ]
+
+The condition to add XMM registers was missing, the regs array needed to
+be in the outer scope, and the size of the regs array was too small.
+
+Fixes: 143d34a6b387b ("perf intel-pt: Add XMM registers to synthesized PEBS sample")
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Luwei Kang <luwei.kang@intel.com>
+Link: http://lore.kernel.org/lkml/20200630133935.11150-4-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/intel-pt.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/util/intel-pt.c b/tools/perf/util/intel-pt.c
+index 23c8289c2472d..545d1cdc0ec87 100644
+--- a/tools/perf/util/intel-pt.c
++++ b/tools/perf/util/intel-pt.c
+@@ -1731,6 +1731,7 @@ static int intel_pt_synth_pebs_sample(struct intel_pt_queue *ptq)
+ u64 sample_type = evsel->core.attr.sample_type;
+ u64 id = evsel->core.id[0];
+ u8 cpumode;
++ u64 regs[8 * sizeof(sample.intr_regs.mask)];
+
+ if (intel_pt_skip_event(pt))
+ return 0;
+@@ -1780,8 +1781,8 @@ static int intel_pt_synth_pebs_sample(struct intel_pt_queue *ptq)
+ }
+
+ if (sample_type & PERF_SAMPLE_REGS_INTR &&
+- items->mask[INTEL_PT_GP_REGS_POS]) {
+- u64 regs[sizeof(sample.intr_regs.mask)];
++ (items->mask[INTEL_PT_GP_REGS_POS] ||
++ items->mask[INTEL_PT_XMM_POS])) {
+ u64 regs_mask = evsel->core.attr.sample_regs_intr;
+ u64 *pos;
+
+--
+2.25.1
+
--- /dev/null
+From 6871c7fe8809bbc5b9f3eb5d8d15585873e38ec8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Jun 2020 16:39:33 +0300
+Subject: perf intel-pt: Fix recording PEBS-via-PT with registers
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+[ Upstream commit 75bcb8776dc987538f267ba4ba05ca43fc2b1676 ]
+
+When recording PEBS-via-PT, the kernel will not accept the intel_pt
+event with register sampling e.g.
+
+ # perf record --kcore -c 10000 -e '{intel_pt/branch=0/,branch-loads/aux-output/ppp}' -I -- ls -l
+ Error:
+ intel_pt/branch=0/: PMU Hardware doesn't support sampling/overflow-interrupts. Try 'perf stat'
+
+Fix by suppressing register sampling on the intel_pt evsel.
+
+Committer notes:
+
+Adrian informed that this is only available from Tremont onwards, so on
+older processors the error continues the same as before.
+
+Fixes: 9e64cefe4335b ("perf intel-pt: Process options for PEBS event synthesis")
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Luwei Kang <luwei.kang@intel.com>
+Link: http://lore.kernel.org/lkml/20200630133935.11150-2-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/arch/x86/util/intel-pt.c | 1 +
+ tools/perf/util/evsel.c | 4 ++--
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/arch/x86/util/intel-pt.c b/tools/perf/arch/x86/util/intel-pt.c
+index 1643aed8c4c8e..2a548fbdf2a2a 100644
+--- a/tools/perf/arch/x86/util/intel-pt.c
++++ b/tools/perf/arch/x86/util/intel-pt.c
+@@ -634,6 +634,7 @@ static int intel_pt_recording_options(struct auxtrace_record *itr,
+ }
+ evsel->core.attr.freq = 0;
+ evsel->core.attr.sample_period = 1;
++ evsel->no_aux_samples = true;
+ intel_pt_evsel = evsel;
+ opts->full_auxtrace = true;
+ }
+diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c
+index eb880efbce16d..386950f29792a 100644
+--- a/tools/perf/util/evsel.c
++++ b/tools/perf/util/evsel.c
+@@ -1048,12 +1048,12 @@ void perf_evsel__config(struct evsel *evsel, struct record_opts *opts,
+ if (callchain && callchain->enabled && !evsel->no_aux_samples)
+ perf_evsel__config_callchain(evsel, opts, callchain);
+
+- if (opts->sample_intr_regs) {
++ if (opts->sample_intr_regs && !evsel->no_aux_samples) {
+ attr->sample_regs_intr = opts->sample_intr_regs;
+ perf_evsel__set_sample_bit(evsel, REGS_INTR);
+ }
+
+- if (opts->sample_user_regs) {
++ if (opts->sample_user_regs && !evsel->no_aux_samples) {
+ attr->sample_regs_user |= opts->sample_user_regs;
+ perf_evsel__set_sample_bit(evsel, REGS_USER);
+ }
+--
+2.25.1
+
--- /dev/null
+From a89886419ee4a51f612203306baaea1c224934ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Jun 2020 17:43:22 +0800
+Subject: perf report TUI: Fix segmentation fault in perf_evsel__hists_browse()
+
+From: Wei Li <liwei391@huawei.com>
+
+[ Upstream commit d61cbb859b45fdb6b4997f2d51834fae41af0e94 ]
+
+The segmentation fault can be reproduced as following steps:
+
+1) Executing perf report in tui.
+
+2) Typing '/xxxxx' to filter the symbol to get nothing matched.
+
+3) Pressing enter with no entry selected.
+
+Then it will report a segmentation fault.
+
+It is caused by the lack of check of browser->he_selection when
+accessing it's member res_samples in perf_evsel__hists_browse().
+
+These processes are meaningful for specified samples, so we can skip
+these when nothing is selected.
+
+Fixes: 4968ac8fb7c3 ("perf report: Implement browsing of individual samples")
+Signed-off-by: Wei Li <liwei391@huawei.com>
+Acked-by: Jiri Olsa <jolsa@redhat.com>
+Acked-by: Namhyung Kim <namhyung@kernel.org>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Hanjun Guo <guohanjun@huawei.com>
+Cc: Jin Yao <yao.jin@linux.intel.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Link: http://lore.kernel.org/lkml/20200612094322.39565-1-liwei391@huawei.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/ui/browsers/hists.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/tools/perf/ui/browsers/hists.c b/tools/perf/ui/browsers/hists.c
+index 487e54ef56a98..2101b6b770d81 100644
+--- a/tools/perf/ui/browsers/hists.c
++++ b/tools/perf/ui/browsers/hists.c
+@@ -2288,6 +2288,11 @@ static struct thread *hist_browser__selected_thread(struct hist_browser *browser
+ return browser->he_selection->thread;
+ }
+
++static struct res_sample *hist_browser__selected_res_sample(struct hist_browser *browser)
++{
++ return browser->he_selection ? browser->he_selection->res_samples : NULL;
++}
++
+ /* Check whether the browser is for 'top' or 'report' */
+ static inline bool is_report_browser(void *timer)
+ {
+@@ -3357,16 +3362,16 @@ static int perf_evsel__hists_browse(struct evsel *evsel, int nr_events,
+ &options[nr_options], NULL, NULL, evsel);
+ nr_options += add_res_sample_opt(browser, &actions[nr_options],
+ &options[nr_options],
+- hist_browser__selected_entry(browser)->res_samples,
+- evsel, A_NORMAL);
++ hist_browser__selected_res_sample(browser),
++ evsel, A_NORMAL);
+ nr_options += add_res_sample_opt(browser, &actions[nr_options],
+ &options[nr_options],
+- hist_browser__selected_entry(browser)->res_samples,
+- evsel, A_ASM);
++ hist_browser__selected_res_sample(browser),
++ evsel, A_ASM);
+ nr_options += add_res_sample_opt(browser, &actions[nr_options],
+ &options[nr_options],
+- hist_browser__selected_entry(browser)->res_samples,
+- evsel, A_SOURCE);
++ hist_browser__selected_res_sample(browser),
++ evsel, A_SOURCE);
+ nr_options += add_switch_opt(browser, &actions[nr_options],
+ &options[nr_options]);
+ skip_scripting:
+--
+2.25.1
+
--- /dev/null
+From 7b1aef4c8c7acabd456cabe8f9e6d7c9de3b256d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Jul 2020 17:49:42 +1000
+Subject: powerpc/64s/exception: Fix 0x1500 interrupt handler crash
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+[ Upstream commit 4557ac6b344b8cdf948ff8b007e8e1de34832f2e ]
+
+A typo caused the interrupt handler to branch immediately to the
+common "unknown interrupt" handler and skip the special case test for
+denormal cause.
+
+This does not affect KVM softpatch handling (e.g., for POWER9 TM
+assist) because the KVM test was moved to common code by commit
+9600f261acaa ("powerpc/64s/exception: Move KVM test to common code")
+just before this bug was introduced.
+
+Fixes: 3f7fbd97d07d ("powerpc/64s/exception: Clean up SRR specifiers")
+Reported-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Tested-by: Paul Menzel <pmenzel@molgen.mpg.de>
+[mpe: Split selftest into a separate patch]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20200708074942.1713396-1-npiggin@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/exceptions-64s.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S
+index d9ddce40bed89..fd99d4feec7a4 100644
+--- a/arch/powerpc/kernel/exceptions-64s.S
++++ b/arch/powerpc/kernel/exceptions-64s.S
+@@ -2547,7 +2547,7 @@ EXC_VIRT_NONE(0x5400, 0x100)
+ INT_DEFINE_BEGIN(denorm_exception)
+ IVEC=0x1500
+ IHSRR=1
+- IBRANCH_COMMON=0
++ IBRANCH_TO_COMMON=0
+ IKVM_REAL=1
+ INT_DEFINE_END(denorm_exception)
+
+--
+2.25.1
+
--- /dev/null
+From 88c9527cccd9d9c5316535ebefc1049562d33735 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Jul 2020 20:14:29 -0700
+Subject: qed: Populate nvm-file attributes while reading nvm config partition.
+
+From: Sudarsana Reddy Kalluru <skalluru@marvell.com>
+
+[ Upstream commit 13cf8aab7425a253070433b5a55b4209ceac8b19 ]
+
+NVM config file address will be modified when the MBI image is upgraded.
+Driver would return stale config values if user reads the nvm-config
+(via ethtool -d) in this state. The fix is to re-populate nvm attribute
+info while reading the nvm config values/partition.
+
+Changes from previous version:
+-------------------------------
+v3: Corrected the formatting in 'Fixes' tag.
+v2: Added 'Fixes' tag.
+
+Fixes: 1ac4329a1cff ("qed: Add configuration information to register dump and debug data")
+Signed-off-by: Sudarsana Reddy Kalluru <skalluru@marvell.com>
+Signed-off-by: Igor Russkikh <irusskikh@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_debug.c | 4 ++++
+ drivers/net/ethernet/qlogic/qed/qed_dev.c | 12 +++---------
+ drivers/net/ethernet/qlogic/qed/qed_mcp.c | 7 +++++++
+ drivers/net/ethernet/qlogic/qed/qed_mcp.h | 7 +++++++
+ 4 files changed, 21 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_debug.c b/drivers/net/ethernet/qlogic/qed/qed_debug.c
+index 03ce18f653932..25745b75daf32 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_debug.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_debug.c
+@@ -7941,6 +7941,10 @@ int qed_dbg_all_data(struct qed_dev *cdev, void *buffer)
+ DP_ERR(cdev, "qed_dbg_mcp_trace failed. rc = %d\n", rc);
+ }
+
++ /* Re-populate nvm attribute info */
++ qed_mcp_nvm_info_free(p_hwfn);
++ qed_mcp_nvm_info_populate(p_hwfn);
++
+ /* nvm cfg1 */
+ rc = qed_dbg_nvm_image(cdev,
+ (u8 *)buffer + offset +
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_dev.c b/drivers/net/ethernet/qlogic/qed/qed_dev.c
+index 9b00988fb77e1..58913fe4f3457 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_dev.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_dev.c
+@@ -4466,12 +4466,6 @@ static int qed_get_dev_info(struct qed_hwfn *p_hwfn, struct qed_ptt *p_ptt)
+ return 0;
+ }
+
+-static void qed_nvm_info_free(struct qed_hwfn *p_hwfn)
+-{
+- kfree(p_hwfn->nvm_info.image_att);
+- p_hwfn->nvm_info.image_att = NULL;
+-}
+-
+ static int qed_hw_prepare_single(struct qed_hwfn *p_hwfn,
+ void __iomem *p_regview,
+ void __iomem *p_doorbells,
+@@ -4556,7 +4550,7 @@ static int qed_hw_prepare_single(struct qed_hwfn *p_hwfn,
+ return rc;
+ err3:
+ if (IS_LEAD_HWFN(p_hwfn))
+- qed_nvm_info_free(p_hwfn);
++ qed_mcp_nvm_info_free(p_hwfn);
+ err2:
+ if (IS_LEAD_HWFN(p_hwfn))
+ qed_iov_free_hw_info(p_hwfn->cdev);
+@@ -4617,7 +4611,7 @@ int qed_hw_prepare(struct qed_dev *cdev,
+ if (rc) {
+ if (IS_PF(cdev)) {
+ qed_init_free(p_hwfn);
+- qed_nvm_info_free(p_hwfn);
++ qed_mcp_nvm_info_free(p_hwfn);
+ qed_mcp_free(p_hwfn);
+ qed_hw_hwfn_free(p_hwfn);
+ }
+@@ -4651,7 +4645,7 @@ void qed_hw_remove(struct qed_dev *cdev)
+
+ qed_iov_free_hw_info(cdev);
+
+- qed_nvm_info_free(p_hwfn);
++ qed_mcp_nvm_info_free(p_hwfn);
+ }
+
+ static void qed_chain_free_next_ptr(struct qed_dev *cdev,
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_mcp.c b/drivers/net/ethernet/qlogic/qed/qed_mcp.c
+index 280527cc05781..99548d5b44ea1 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_mcp.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_mcp.c
+@@ -3151,6 +3151,13 @@ int qed_mcp_nvm_info_populate(struct qed_hwfn *p_hwfn)
+ return rc;
+ }
+
++void qed_mcp_nvm_info_free(struct qed_hwfn *p_hwfn)
++{
++ kfree(p_hwfn->nvm_info.image_att);
++ p_hwfn->nvm_info.image_att = NULL;
++ p_hwfn->nvm_info.valid = false;
++}
++
+ int
+ qed_mcp_get_nvm_image_att(struct qed_hwfn *p_hwfn,
+ enum qed_nvm_images image_id,
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_mcp.h b/drivers/net/ethernet/qlogic/qed/qed_mcp.h
+index 9c4c2763de8d7..e38297383b007 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_mcp.h
++++ b/drivers/net/ethernet/qlogic/qed/qed_mcp.h
+@@ -1192,6 +1192,13 @@ void qed_mcp_read_ufp_config(struct qed_hwfn *p_hwfn, struct qed_ptt *p_ptt);
+ */
+ int qed_mcp_nvm_info_populate(struct qed_hwfn *p_hwfn);
+
++/**
++ * @brief Delete nvm info shadow in the given hardware function
++ *
++ * @param p_hwfn
++ */
++void qed_mcp_nvm_info_free(struct qed_hwfn *p_hwfn);
++
+ /**
+ * @brief Get the engine affinity configuration.
+ *
+--
+2.25.1
+
--- /dev/null
+From 3a74ca04ed9bcfd6db9ef7353d8ecd9ad4d8a7c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Jul 2020 16:09:31 +0300
+Subject: RDMA/siw: Fix reporting vendor_part_id
+
+From: Kamal Heib <kamalheib1@gmail.com>
+
+[ Upstream commit 04340645f69ab7abb6f9052688a60f0213b3f79c ]
+
+Move the initialization of the vendor_part_id to be before calling
+ib_register_device(), this is needed because the query_device() callback
+is called from the context of ib_register_device() before initializing the
+vendor_part_id, so the reported value is wrong.
+
+Fixes: bdcf26bf9b3a ("rdma/siw: network and RDMA core interface")
+Link: https://lore.kernel.org/r/20200707130931.444724-1-kamalheib1@gmail.com
+Signed-off-by: Kamal Heib <kamalheib1@gmail.com>
+Reviewed-by: Bernard Metzler <bmt@zurich.ibm.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/siw/siw_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/sw/siw/siw_main.c b/drivers/infiniband/sw/siw/siw_main.c
+index 5cd40fb9e20ce..634c4b3716238 100644
+--- a/drivers/infiniband/sw/siw/siw_main.c
++++ b/drivers/infiniband/sw/siw/siw_main.c
+@@ -67,12 +67,13 @@ static int siw_device_register(struct siw_device *sdev, const char *name)
+ static int dev_id = 1;
+ int rv;
+
++ sdev->vendor_part_id = dev_id++;
++
+ rv = ib_register_device(base_dev, name);
+ if (rv) {
+ pr_warn("siw: device registration error %d\n", rv);
+ return rv;
+ }
+- sdev->vendor_part_id = dev_id++;
+
+ siw_dbg(base_dev, "HWaddr=%pM\n", sdev->netdev->dev_addr);
+
+--
+2.25.1
+
--- /dev/null
+From 97b2b3b59df5c2f5450d44f695a566e95fc42a79 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Jul 2020 12:51:51 +0100
+Subject: selftests: bpf: Fix detach from sockmap tests
+
+From: Lorenz Bauer <lmb@cloudflare.com>
+
+[ Upstream commit f43cb0d672aa8eb09bfdb779de5900c040487d1d ]
+
+Fix sockmap tests which rely on old bpf_prog_dispatch behaviour.
+In the first case, the tests check that detaching without giving
+a program succeeds. Since these are not the desired semantics,
+invert the condition. In the second case, the clean up code doesn't
+supply the necessary program fds.
+
+Fixes: bb0de3131f4c ("bpf: sockmap: Require attach_bpf_fd when detaching a program")
+Reported-by: Martin KaFai Lau <kafai@fb.com>
+Signed-off-by: Lorenz Bauer <lmb@cloudflare.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
+Link: https://lore.kernel.org/bpf/20200709115151.75829-1-lmb@cloudflare.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/test_maps.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/test_maps.c b/tools/testing/selftests/bpf/test_maps.c
+index c6766b2cff853..9990e91c18dff 100644
+--- a/tools/testing/selftests/bpf/test_maps.c
++++ b/tools/testing/selftests/bpf/test_maps.c
+@@ -789,19 +789,19 @@ static void test_sockmap(unsigned int tasks, void *data)
+ }
+
+ err = bpf_prog_detach(fd, BPF_SK_SKB_STREAM_PARSER);
+- if (err) {
++ if (!err) {
+ printf("Failed empty parser prog detach\n");
+ goto out_sockmap;
+ }
+
+ err = bpf_prog_detach(fd, BPF_SK_SKB_STREAM_VERDICT);
+- if (err) {
++ if (!err) {
+ printf("Failed empty verdict prog detach\n");
+ goto out_sockmap;
+ }
+
+ err = bpf_prog_detach(fd, BPF_SK_MSG_VERDICT);
+- if (err) {
++ if (!err) {
+ printf("Failed empty msg verdict prog detach\n");
+ goto out_sockmap;
+ }
+@@ -1090,19 +1090,19 @@ static void test_sockmap(unsigned int tasks, void *data)
+ assert(status == 0);
+ }
+
+- err = bpf_prog_detach(map_fd_rx, __MAX_BPF_ATTACH_TYPE);
++ err = bpf_prog_detach2(parse_prog, map_fd_rx, __MAX_BPF_ATTACH_TYPE);
+ if (!err) {
+ printf("Detached an invalid prog type.\n");
+ goto out_sockmap;
+ }
+
+- err = bpf_prog_detach(map_fd_rx, BPF_SK_SKB_STREAM_PARSER);
++ err = bpf_prog_detach2(parse_prog, map_fd_rx, BPF_SK_SKB_STREAM_PARSER);
+ if (err) {
+ printf("Failed parser prog detach\n");
+ goto out_sockmap;
+ }
+
+- err = bpf_prog_detach(map_fd_rx, BPF_SK_SKB_STREAM_VERDICT);
++ err = bpf_prog_detach2(verdict_prog, map_fd_rx, BPF_SK_SKB_STREAM_VERDICT);
+ if (err) {
+ printf("Failed parser prog detach\n");
+ goto out_sockmap;
+--
+2.25.1
+
arm64-add-kryo-3-4-xx-silver-cpu-cores-to-ssb-safeli.patch
nfs-fix-memory-leak-of-export_path.patch
sched-core-check-cpus_mask-not-cpus_ptr-in-__set_cpu.patch
+mtd-set-master-partition-panic-write-flag.patch
+gpio-pca953x-synchronize-interrupt-handler-properly.patch
+gpio-pca953x-override-irq-for-one-of-the-expanders-o.patch
+gpio-pca953x-fix-direction-setting-when-configure-an.patch
+gpio-pca953x-fix-gpio-resource-leak-on-intel-galileo.patch
+asoc-fsl_mqs-don-t-check-clock-is-null-before-callin.patch
+asoc-fsl_mqs-fix-unchecked-return-value-for-clk_prep.patch
+kvm-arm64-vgic-v4-plug-race-between-non-residency-an.patch
+mac80211-fix-dropping-broadcast-packets-in-802.11-en.patch
+bpf-do-not-allow-btf_ctx_access-with-__int128-types.patch
+nl80211-don-t-return-err-unconditionally-in-nl80211_.patch
+nl80211-fix-memory-leak-when-parsing-nl80211_attr_he.patch
+drm-mediatek-check-plane-visibility-in-atomic_update.patch
+bpf-sockmap-rcu-splat-with-redirect-and-strparser-er.patch
+bpf-sockmap-rcu-dereferenced-psock-may-be-used-outsi.patch
+netfilter-ipset-call-ip_set_free-instead-of-kfree.patch
+net-mvneta-fix-use-of-state-speed.patch
+net-ipa-no-checksum-offload-for-sdm845-lan-rx.patch
+net-cxgb4-fix-return-error-value-in-t4_prep_fw.patch
+btrfs-fix-reclaim_size-counter-leak-after-stealing-f.patch
+drm-meson-viu-fix-setting-the-osd-burst-length-in-vi.patch
+ib-sa-resolv-use-after-free-in-ib_nl_make_request.patch
+net-dsa-microchip-set-the-correct-number-of-ports.patch
+netfilter-conntrack-refetch-conntrack-after-nf_connt.patch
+net-rmnet-fix-lower-interface-leak.patch
+net-rmnet-do-not-allow-to-add-multiple-bridge-interf.patch
+perf-report-tui-fix-segmentation-fault-in-perf_evsel.patch
+perf-intel-pt-fix-recording-pebs-via-pt-with-registe.patch
+perf-intel-pt-fix-pebs-sample-for-xmm-registers.patch
+smsc95xx-check-return-value-of-smsc95xx_reset.patch
+smsc95xx-avoid-memory-leak-in-smsc95xx_bind.patch
+net-hns3-check-reset-pending-after-flr-prepare.patch
+net-hns3-fix-for-mishandle-of-asserting-vf-reset-fai.patch
+net-hns3-add-a-missing-uninit-debugfs-when-unload-dr.patch
+net-hns3-fix-use-after-free-when-doing-self-test.patch
+alsa-compress-fix-partial_drain-completion-state.patch
+net-ipa-fix-qmi-structure-definition-bugs.patch
+net-qed-fix-buffer-overflow-on-ethtool-d.patch
+ionic-centralize-queue-reset-code.patch
+powerpc-64s-exception-fix-0x1500-interrupt-handler-c.patch
+rdma-siw-fix-reporting-vendor_part_id.patch
+net-atlantic-fix-ip-dst-and-ipv6-address-filters.patch
+arm64-kgdb-fix-single-step-exception-handling-oops.patch
+nbd-fix-memory-leak-in-nbd_add_socket.patch
+cxgb4-fix-all-mask-ip-address-comparison.patch
+ib-mlx5-fix-50g-per-lane-indication.patch
+qed-populate-nvm-file-attributes-while-reading-nvm-c.patch
+selftests-bpf-fix-detach-from-sockmap-tests.patch
+net-mlx5-fix-eeprom-support-for-sfp-module.patch
+net-mlx5e-fix-vxlan-configuration-restore-after-func.patch
+net-mlx5e-fix-cpu-mapping-after-function-reload-to-a.patch
+net-mlx5e-fix-50g-per-lane-indication.patch
+net-mlx5e-ct-fix-memory-leak-in-cleanup.patch
+bnxt_en-fix-null-dereference-in-case-sr-iov-configur.patch
+net-macb-fix-wakeup-test-in-runtime-suspend-resume-r.patch
+net-macb-mark-device-wake-capable-when-magic-packet-.patch
+net-macb-fix-macb_get-set_wol-when-moving-to-phylink.patch
+net-macb-fix-macb_suspend-by-removing-call-to-netif_.patch
+net-macb-fix-call-to-pm_runtime-in-the-suspend-resum.patch
+mlxsw-spectrum_router-remove-inappropriate-usage-of-.patch
+mlxsw-pci-fix-use-after-free-in-case-of-failed-devli.patch
--- /dev/null
+From e41c5d5d6476bf689c3eb4a5036bc17568a9edd7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Jul 2020 10:39:35 +0200
+Subject: smsc95xx: avoid memory leak in smsc95xx_bind
+
+From: Andre Edich <andre.edich@microchip.com>
+
+[ Upstream commit 3ed58f96a70b85ef646d5427258f677f1395b62f ]
+
+In a case where the ID_REV register read is failed, the memory for a
+private data structure has to be freed before returning error from the
+function smsc95xx_bind.
+
+Fixes: bbd9f9ee69242 ("smsc95xx: add wol support for more frame types")
+Signed-off-by: Andre Edich <andre.edich@microchip.com>
+Signed-off-by: Parthiban Veerasooran <Parthiban.Veerasooran@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/smsc95xx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c
+index eb404bb74e18e..bb4ccbda031ab 100644
+--- a/drivers/net/usb/smsc95xx.c
++++ b/drivers/net/usb/smsc95xx.c
+@@ -1293,7 +1293,8 @@ static int smsc95xx_bind(struct usbnet *dev, struct usb_interface *intf)
+ /* detect device revision as different features may be available */
+ ret = smsc95xx_read_reg(dev, ID_REV, &val);
+ if (ret < 0)
+- return ret;
++ goto free_pdata;
++
+ val >>= 16;
+ pdata->chip_id = val;
+ pdata->mdix_ctrl = get_mdix_status(dev->net);
+--
+2.25.1
+
--- /dev/null
+From 923944f6fe8e8e8838e733c51be0deb8300367af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Jul 2020 10:39:34 +0200
+Subject: smsc95xx: check return value of smsc95xx_reset
+
+From: Andre Edich <andre.edich@microchip.com>
+
+[ Upstream commit 7c8b1e855f94f88a0c569be6309fc8d5c8844cd1 ]
+
+The return value of the function smsc95xx_reset() must be checked
+to avoid returning false success from the function smsc95xx_bind().
+
+Fixes: 2f7ca802bdae2 ("net: Add SMSC LAN9500 USB2.0 10/100 ethernet adapter driver")
+Signed-off-by: Andre Edich <andre.edich@microchip.com>
+Signed-off-by: Parthiban Veerasooran <Parthiban.Veerasooran@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/smsc95xx.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c
+index 3cf4dc3433f91..eb404bb74e18e 100644
+--- a/drivers/net/usb/smsc95xx.c
++++ b/drivers/net/usb/smsc95xx.c
+@@ -1287,6 +1287,8 @@ static int smsc95xx_bind(struct usbnet *dev, struct usb_interface *intf)
+
+ /* Init all registers */
+ ret = smsc95xx_reset(dev);
++ if (ret)
++ goto free_pdata;
+
+ /* detect device revision as different features may be available */
+ ret = smsc95xx_read_reg(dev, ID_REV, &val);
+@@ -1317,6 +1319,10 @@ static int smsc95xx_bind(struct usbnet *dev, struct usb_interface *intf)
+ schedule_delayed_work(&pdata->carrier_check, CARRIER_CHECK_DELAY);
+
+ return 0;
++
++free_pdata:
++ kfree(pdata);
++ return ret;
+ }
+
+ static void smsc95xx_unbind(struct usbnet *dev, struct usb_interface *intf)
+--
+2.25.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
