--- /dev/null
+From c9b7b94dacf154bffa2cb5fc2590d900d7dcee32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Jul 2020 15:40:38 +0100
+Subject: ARM: dts: armada-38x: fix NETA lockup when repeatedly switching
+ speeds
+
+From: Russell King <rmk+kernel@armlinux.org.uk>
+
+[ Upstream commit 09781ba0395c46b1c844f47e405e3ce7856f5989 ]
+
+To support the change in "phy: armada-38x: fix NETA lockup when
+repeatedly switching speeds" we need to update the DT with the
+additional register.
+
+Fixes: 14dc100b4411 ("phy: armada38x: add common phy support")
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/armada-38x.dtsi | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/armada-38x.dtsi b/arch/arm/boot/dts/armada-38x.dtsi
+index e038abc0c6b40..420ae26e846b6 100644
+--- a/arch/arm/boot/dts/armada-38x.dtsi
++++ b/arch/arm/boot/dts/armada-38x.dtsi
+@@ -344,7 +344,8 @@
+
+ comphy: phy@18300 {
+ compatible = "marvell,armada-380-comphy";
+- reg = <0x18300 0x100>;
++ reg-names = "comphy", "conf";
++ reg = <0x18300 0x100>, <0x18460 4>;
+ #address-cells = <1>;
+ #size-cells = <0>;
+
+--
+2.25.1
+
--- /dev/null
+From 87a210a13f18bf6ba6879afd82d76572c96fd2ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Jul 2020 15:08:29 +0200
+Subject: ARM: dts sunxi: Relax a bit the CMA pool allocation range
+
+From: Maxime Ripard <maxime@cerno.tech>
+
+[ Upstream commit 92025b90f18d45e26b7f17d68756b1abd771b9d3 ]
+
+The hardware codec on the A10, A10s, A13 and A20 needs buffer in the
+first 256MB of RAM. This was solved by setting the CMA pool at a fixed
+address in that range.
+
+However, in recent kernels there's something else that comes in and
+reserve some range that end up conflicting with our default pool
+requirement, and thus makes its reservation fail.
+
+The video codec will then use buffers from the usual default pool,
+outside of the range it can access, and will fail to decode anything.
+
+Since we're only concerned about that 256MB, we can however relax the
+allocation to just specify the range that's allowed, and not try to
+enforce a specific address.
+
+Fixes: 5949bc5602cc ("ARM: dts: sun4i-a10: Add Video Engine and reserved memory nodes")
+Fixes: 960432010156 ("ARM: dts: sun5i: Add Video Engine and reserved memory nodes")
+Fixes: c2a641a74850 ("ARM: dts: sun7i-a20: Add Video Engine and reserved memory nodes")
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Acked-by: Chen-Yu Tsai <wens@csie.org>
+Link: https://lore.kernel.org/r/20200704130829.34297-1-maxime@cerno.tech
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/sun4i-a10.dtsi | 2 +-
+ arch/arm/boot/dts/sun5i.dtsi | 2 +-
+ arch/arm/boot/dts/sun7i-a20.dtsi | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm/boot/dts/sun4i-a10.dtsi b/arch/arm/boot/dts/sun4i-a10.dtsi
+index bf531efc0610e..0f95a6ef8543a 100644
+--- a/arch/arm/boot/dts/sun4i-a10.dtsi
++++ b/arch/arm/boot/dts/sun4i-a10.dtsi
+@@ -198,7 +198,7 @@
+ default-pool {
+ compatible = "shared-dma-pool";
+ size = <0x6000000>;
+- alloc-ranges = <0x4a000000 0x6000000>;
++ alloc-ranges = <0x40000000 0x10000000>;
+ reusable;
+ linux,cma-default;
+ };
+diff --git a/arch/arm/boot/dts/sun5i.dtsi b/arch/arm/boot/dts/sun5i.dtsi
+index e6b036734a643..c2b4fbf552a38 100644
+--- a/arch/arm/boot/dts/sun5i.dtsi
++++ b/arch/arm/boot/dts/sun5i.dtsi
+@@ -117,7 +117,7 @@
+ default-pool {
+ compatible = "shared-dma-pool";
+ size = <0x6000000>;
+- alloc-ranges = <0x4a000000 0x6000000>;
++ alloc-ranges = <0x40000000 0x10000000>;
+ reusable;
+ linux,cma-default;
+ };
+diff --git a/arch/arm/boot/dts/sun7i-a20.dtsi b/arch/arm/boot/dts/sun7i-a20.dtsi
+index ffe1d10a1a846..6d6a37940db2a 100644
+--- a/arch/arm/boot/dts/sun7i-a20.dtsi
++++ b/arch/arm/boot/dts/sun7i-a20.dtsi
+@@ -181,7 +181,7 @@
+ default-pool {
+ compatible = "shared-dma-pool";
+ size = <0x6000000>;
+- alloc-ranges = <0x4a000000 0x6000000>;
++ alloc-ranges = <0x40000000 0x10000000>;
+ reusable;
+ linux,cma-default;
+ };
+--
+2.25.1
+
--- /dev/null
+From c01f7e7320bdf50a788aae2d503fb104ce102c82 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Jul 2020 08:37:01 -0700
+Subject: arm64/alternatives: move length validation inside the subsection
+
+From: Sami Tolvanen <samitolvanen@google.com>
+
+[ Upstream commit 966a0acce2fca776391823381dba95c40e03c339 ]
+
+Commit f7b93d42945c ("arm64/alternatives: use subsections for replacement
+sequences") breaks LLVM's integrated assembler, because due to its
+one-pass design, it cannot compute instruction sequence lengths before the
+layout for the subsection has been finalized. This change fixes the build
+by moving the .org directives inside the subsection, so they are processed
+after the subsection layout is known.
+
+Fixes: f7b93d42945c ("arm64/alternatives: use subsections for replacement sequences")
+Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
+Link: https://github.com/ClangBuiltLinux/linux/issues/1078
+Link: https://lore.kernel.org/r/20200730153701.3892953-1-samitolvanen@google.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/asm/alternative.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/include/asm/alternative.h b/arch/arm64/include/asm/alternative.h
+index 12f0eb56a1cc3..619db9b4c9d5c 100644
+--- a/arch/arm64/include/asm/alternative.h
++++ b/arch/arm64/include/asm/alternative.h
+@@ -77,9 +77,9 @@ static inline void apply_alternatives_module(void *start, size_t length) { }
+ "663:\n\t" \
+ newinstr "\n" \
+ "664:\n\t" \
+- ".previous\n\t" \
+ ".org . - (664b-663b) + (662b-661b)\n\t" \
+- ".org . - (662b-661b) + (664b-663b)\n" \
++ ".org . - (662b-661b) + (664b-663b)\n\t" \
++ ".previous\n" \
+ ".endif\n"
+
+ #define __ALTERNATIVE_CFG_CB(oldinstr, feature, cfg_enabled, cb) \
+--
+2.25.1
+
--- /dev/null
+From db7615fdc3265b395e848842df91a04b719c5a1f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Jul 2020 10:56:49 +0100
+Subject: arm64: csum: Fix handling of bad packets
+
+From: Robin Murphy <robin.murphy@arm.com>
+
+[ Upstream commit 05fb3dbda187bbd9cc1cd0e97e5d6595af570ac6 ]
+
+Although iph is expected to point to at least 20 bytes of valid memory,
+ihl may be bogus, for example on reception of a corrupt packet. If it
+happens to be less than 5, we really don't want to run away and
+dereference 16GB worth of memory until it wraps back to exactly zero...
+
+Fixes: 0e455d8e80aa ("arm64: Implement optimised IP checksum helpers")
+Reported-by: guodeqing <geffrey.guo@huawei.com>
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/asm/checksum.h | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/include/asm/checksum.h b/arch/arm64/include/asm/checksum.h
+index b6f7bc6da5fb3..93a161b3bf3fe 100644
+--- a/arch/arm64/include/asm/checksum.h
++++ b/arch/arm64/include/asm/checksum.h
+@@ -24,16 +24,17 @@ static inline __sum16 ip_fast_csum(const void *iph, unsigned int ihl)
+ {
+ __uint128_t tmp;
+ u64 sum;
++ int n = ihl; /* we want it signed */
+
+ tmp = *(const __uint128_t *)iph;
+ iph += 16;
+- ihl -= 4;
++ n -= 4;
+ tmp += ((tmp >> 64) | (tmp << 64));
+ sum = tmp >> 64;
+ do {
+ sum += *(const u32 *)iph;
+ iph += 4;
+- } while (--ihl);
++ } while (--n > 0);
+
+ sum += ((sum >> 32) | (sum << 32));
+ return csum_fold((__force u32)(sum >> 32));
+--
+2.25.1
+
--- /dev/null
+From 291a7c0307c246a983e90b2bc8f6cae9eaa15f09 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 25 Jul 2020 15:06:47 +0200
+Subject: bareudp: forbid mixing IP and MPLS in multiproto mode
+
+From: Guillaume Nault <gnault@redhat.com>
+
+[ Upstream commit 302d201b5cdf6f4781ee6cd9862f377f975d6c43 ]
+
+In multiproto mode, bareudp_xmit() accepts sending multicast MPLS and
+IPv6 packets regardless of the bareudp ethertype. In practice, this
+let an IP tunnel send multicast MPLS packets, or an MPLS tunnel send
+IPv6 packets.
+
+We need to restrict the test further, so that the multiproto mode only
+enables
+ * IPv6 for IPv4 tunnels,
+ * or multicast MPLS for unicast MPLS tunnels.
+
+To improve clarity, the protocol validation is moved to its own
+function, where each logical test has its own condition.
+
+v2: s/ntohs/htons/
+
+Fixes: 4b5f67232d95 ("net: Special handling for IP & MPLS.")
+Signed-off-by: Guillaume Nault <gnault@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bareudp.c | 29 ++++++++++++++++++++++-------
+ 1 file changed, 22 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/bareudp.c b/drivers/net/bareudp.c
+index 3dd46cd551145..88e7900853db9 100644
+--- a/drivers/net/bareudp.c
++++ b/drivers/net/bareudp.c
+@@ -407,19 +407,34 @@ free_dst:
+ return err;
+ }
+
++static bool bareudp_proto_valid(struct bareudp_dev *bareudp, __be16 proto)
++{
++ if (bareudp->ethertype == proto)
++ return true;
++
++ if (!bareudp->multi_proto_mode)
++ return false;
++
++ if (bareudp->ethertype == htons(ETH_P_MPLS_UC) &&
++ proto == htons(ETH_P_MPLS_MC))
++ return true;
++
++ if (bareudp->ethertype == htons(ETH_P_IP) &&
++ proto == htons(ETH_P_IPV6))
++ return true;
++
++ return false;
++}
++
+ static netdev_tx_t bareudp_xmit(struct sk_buff *skb, struct net_device *dev)
+ {
+ struct bareudp_dev *bareudp = netdev_priv(dev);
+ struct ip_tunnel_info *info = NULL;
+ int err;
+
+- if (skb->protocol != bareudp->ethertype) {
+- if (!bareudp->multi_proto_mode ||
+- (skb->protocol != htons(ETH_P_MPLS_MC) &&
+- skb->protocol != htons(ETH_P_IPV6))) {
+- err = -EINVAL;
+- goto tx_error;
+- }
++ if (!bareudp_proto_valid(bareudp, skb->protocol)) {
++ err = -EINVAL;
++ goto tx_error;
+ }
+
+ info = skb_tunnel_info(skb);
+--
+2.25.1
+
--- /dev/null
+From d2547ba0a010c3b264a44e98b82bb372470c5300 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Jul 2020 20:48:55 +0000
+Subject: Bluetooth: fix kernel oops in store_pending_adv_report
+
+From: Alain Michaud <alainm@chromium.org>
+
+[ Upstream commit a2ec905d1e160a33b2e210e45ad30445ef26ce0e ]
+
+Fix kernel oops observed when an ext adv data is larger than 31 bytes.
+
+This can be reproduced by setting up an advertiser with advertisement
+larger than 31 bytes. The issue is not sensitive to the advertisement
+content. In particular, this was reproduced with an advertisement of
+229 bytes filled with 'A'. See stack trace below.
+
+This is fixed by not catching ext_adv as legacy adv are only cached to
+be able to concatenate a scanable adv with its scan response before
+sending it up through mgmt.
+
+With ext_adv, this is no longer necessary.
+
+ general protection fault: 0000 [#1] SMP PTI
+ CPU: 6 PID: 205 Comm: kworker/u17:0 Not tainted 5.4.0-37-generic #41-Ubuntu
+ Hardware name: Dell Inc. XPS 15 7590/0CF6RR, BIOS 1.7.0 05/11/2020
+ Workqueue: hci0 hci_rx_work [bluetooth]
+ RIP: 0010:hci_bdaddr_list_lookup+0x1e/0x40 [bluetooth]
+ Code: ff ff e9 26 ff ff ff 0f 1f 44 00 00 0f 1f 44 00 00 55 48 8b 07 48 89 e5 48 39 c7 75 0a eb 24 48 8b 00 48 39 f8 74 1c 44 8b 06 <44> 39 40 10 75 ef 44 0f b7 4e 04 66 44 39 48 14 75 e3 38 50 16 75
+ RSP: 0018:ffffbc6a40493c70 EFLAGS: 00010286
+ RAX: 4141414141414141 RBX: 000000000000001b RCX: 0000000000000000
+ RDX: 0000000000000000 RSI: ffff9903e76c100f RDI: ffff9904289d4b28
+ RBP: ffffbc6a40493c70 R08: 0000000093570362 R09: 0000000000000000
+ R10: 0000000000000000 R11: ffff9904344eae38 R12: ffff9904289d4000
+ R13: 0000000000000000 R14: 00000000ffffffa3 R15: ffff9903e76c100f
+ FS: 0000000000000000(0000) GS:ffff990434580000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007feed125a000 CR3: 00000001b860a003 CR4: 00000000003606e0
+ Call Trace:
+ process_adv_report+0x12e/0x560 [bluetooth]
+ hci_le_meta_evt+0x7b2/0xba0 [bluetooth]
+ hci_event_packet+0x1c29/0x2a90 [bluetooth]
+ hci_rx_work+0x19b/0x360 [bluetooth]
+ process_one_work+0x1eb/0x3b0
+ worker_thread+0x4d/0x400
+ kthread+0x104/0x140
+
+Fixes: c215e9397b00 ("Bluetooth: Process extended ADV report event")
+Reported-by: Andy Nguyen <theflow@google.com>
+Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
+Reported-by: Balakrishna Godavarthi <bgodavar@codeaurora.org>
+Signed-off-by: Alain Michaud <alainm@chromium.org>
+Tested-by: Sonny Sasaka <sonnysasaka@chromium.org>
+Acked-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_event.c | 26 +++++++++++++++++++-------
+ 1 file changed, 19 insertions(+), 7 deletions(-)
+
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index b11f8d391ad82..fe75f435171ce 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -1305,6 +1305,9 @@ static void store_pending_adv_report(struct hci_dev *hdev, bdaddr_t *bdaddr,
+ {
+ struct discovery_state *d = &hdev->discovery;
+
++ if (len > HCI_MAX_AD_LENGTH)
++ return;
++
+ bacpy(&d->last_adv_addr, bdaddr);
+ d->last_adv_addr_type = bdaddr_type;
+ d->last_adv_rssi = rssi;
+@@ -5317,7 +5320,8 @@ static struct hci_conn *check_pending_le_conn(struct hci_dev *hdev,
+
+ static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
+ u8 bdaddr_type, bdaddr_t *direct_addr,
+- u8 direct_addr_type, s8 rssi, u8 *data, u8 len)
++ u8 direct_addr_type, s8 rssi, u8 *data, u8 len,
++ bool ext_adv)
+ {
+ struct discovery_state *d = &hdev->discovery;
+ struct smp_irk *irk;
+@@ -5339,6 +5343,11 @@ static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
+ return;
+ }
+
++ if (!ext_adv && len > HCI_MAX_AD_LENGTH) {
++ bt_dev_err_ratelimited(hdev, "legacy adv larger than 31 bytes");
++ return;
++ }
++
+ /* Find the end of the data in case the report contains padded zero
+ * bytes at the end causing an invalid length value.
+ *
+@@ -5398,7 +5407,7 @@ static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
+ */
+ conn = check_pending_le_conn(hdev, bdaddr, bdaddr_type, type,
+ direct_addr);
+- if (conn && type == LE_ADV_IND) {
++ if (!ext_adv && conn && type == LE_ADV_IND && len <= HCI_MAX_AD_LENGTH) {
+ /* Store report for later inclusion by
+ * mgmt_device_connected
+ */
+@@ -5452,7 +5461,7 @@ static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
+ * event or send an immediate device found event if the data
+ * should not be stored for later.
+ */
+- if (!has_pending_adv_report(hdev)) {
++ if (!ext_adv && !has_pending_adv_report(hdev)) {
+ /* If the report will trigger a SCAN_REQ store it for
+ * later merging.
+ */
+@@ -5487,7 +5496,8 @@ static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
+ /* If the new report will trigger a SCAN_REQ store it for
+ * later merging.
+ */
+- if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
++ if (!ext_adv && (type == LE_ADV_IND ||
++ type == LE_ADV_SCAN_IND)) {
+ store_pending_adv_report(hdev, bdaddr, bdaddr_type,
+ rssi, flags, data, len);
+ return;
+@@ -5527,7 +5537,7 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
+ rssi = ev->data[ev->length];
+ process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
+ ev->bdaddr_type, NULL, 0, rssi,
+- ev->data, ev->length);
++ ev->data, ev->length, false);
+ } else {
+ bt_dev_err(hdev, "Dropping invalid advertising data");
+ }
+@@ -5599,7 +5609,8 @@ static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
+ if (legacy_evt_type != LE_ADV_INVALID) {
+ process_adv_report(hdev, legacy_evt_type, &ev->bdaddr,
+ ev->bdaddr_type, NULL, 0, ev->rssi,
+- ev->data, ev->length);
++ ev->data, ev->length,
++ !(evt_type & LE_EXT_ADV_LEGACY_PDU));
+ }
+
+ ptr += sizeof(*ev) + ev->length;
+@@ -5797,7 +5808,8 @@ static void hci_le_direct_adv_report_evt(struct hci_dev *hdev,
+
+ process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
+ ev->bdaddr_type, &ev->direct_addr,
+- ev->direct_addr_type, ev->rssi, NULL, 0);
++ ev->direct_addr_type, ev->rssi, NULL, 0,
++ false);
+
+ ptr += sizeof(*ev);
+ }
+--
+2.25.1
+
--- /dev/null
+From 13d70f13ed1306ea241bf87b7b777bc5f041c01b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Jul 2020 21:09:12 -0700
+Subject: bpf: Fix map leak in HASH_OF_MAPS map
+
+From: Andrii Nakryiko <andriin@fb.com>
+
+[ Upstream commit 1d4e1eab456e1ee92a94987499b211db05f900ea ]
+
+Fix HASH_OF_MAPS bug of not putting inner map pointer on bpf_map_elem_update()
+operation. This is due to per-cpu extra_elems optimization, which bypassed
+free_htab_elem() logic doing proper clean ups. Make sure that inner map is put
+properly in optimized case as well.
+
+Fixes: 8c290e60fa2a ("bpf: fix hashmap extra_elems logic")
+Signed-off-by: Andrii Nakryiko <andriin@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Song Liu <songliubraving@fb.com>
+Link: https://lore.kernel.org/bpf/20200729040913.2815687-1-andriin@fb.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/hashtab.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c
+index d541c8486c95d..5e1ac22adf7a2 100644
+--- a/kernel/bpf/hashtab.c
++++ b/kernel/bpf/hashtab.c
+@@ -779,15 +779,20 @@ static void htab_elem_free_rcu(struct rcu_head *head)
+ htab_elem_free(htab, l);
+ }
+
+-static void free_htab_elem(struct bpf_htab *htab, struct htab_elem *l)
++static void htab_put_fd_value(struct bpf_htab *htab, struct htab_elem *l)
+ {
+ struct bpf_map *map = &htab->map;
++ void *ptr;
+
+ if (map->ops->map_fd_put_ptr) {
+- void *ptr = fd_htab_map_get_ptr(map, l);
+-
++ ptr = fd_htab_map_get_ptr(map, l);
+ map->ops->map_fd_put_ptr(ptr);
+ }
++}
++
++static void free_htab_elem(struct bpf_htab *htab, struct htab_elem *l)
++{
++ htab_put_fd_value(htab, l);
+
+ if (htab_is_prealloc(htab)) {
+ __pcpu_freelist_push(&htab->freelist, &l->fnode);
+@@ -839,6 +844,7 @@ static struct htab_elem *alloc_htab_elem(struct bpf_htab *htab, void *key,
+ */
+ pl_new = this_cpu_ptr(htab->extra_elems);
+ l_new = *pl_new;
++ htab_put_fd_value(htab, old_elem);
+ *pl_new = old_elem;
+ } else {
+ struct pcpu_freelist_node *l;
+--
+2.25.1
+
--- /dev/null
+From ce70931f45fa68e8cf2c7cb64abfe559e923a7f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Jul 2020 21:58:39 -0500
+Subject: cxgb4: add missing release on skb in uld_send()
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+[ Upstream commit e6827d1abdc9b061a57d7b7d3019c4e99fabea2f ]
+
+In the implementation of uld_send(), the skb is consumed on all
+execution paths except one. Release skb when returning NET_XMIT_DROP.
+
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/chelsio/cxgb4/sge.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/chelsio/cxgb4/sge.c b/drivers/net/ethernet/chelsio/cxgb4/sge.c
+index 28ce9856a0784..0f5ca68c98542 100644
+--- a/drivers/net/ethernet/chelsio/cxgb4/sge.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/sge.c
+@@ -2925,6 +2925,7 @@ static inline int uld_send(struct adapter *adap, struct sk_buff *skb,
+ txq_info = adap->sge.uld_txq_info[tx_uld_type];
+ if (unlikely(!txq_info)) {
+ WARN_ON(true);
++ kfree_skb(skb);
+ return NET_XMIT_DROP;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From e6cebfbbe676cc9af7f899e50677a68772b717ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Jul 2020 09:33:47 -0700
+Subject: drivers/net/wan: lapb: Corrected the usage of skb_cow
+
+From: Xie He <xie.he.0141@gmail.com>
+
+[ Upstream commit 8754e1379e7089516a449821f88e1fe1ebbae5e1 ]
+
+This patch fixed 2 issues with the usage of skb_cow in LAPB drivers
+"lapbether" and "hdlc_x25":
+
+1) After skb_cow fails, kfree_skb should be called to drop a reference
+to the skb. But in both drivers, kfree_skb is not called.
+
+2) skb_cow should be called before skb_push so that is can ensure the
+safety of skb_push. But in "lapbether", it is incorrectly called after
+skb_push.
+
+More details about these 2 issues:
+
+1) The behavior of calling kfree_skb on failure is also the behavior of
+netif_rx, which is called by this function with "return netif_rx(skb);".
+So this function should follow this behavior, too.
+
+2) In "lapbether", skb_cow is called after skb_push. This results in 2
+logical issues:
+ a) skb_push is not protected by skb_cow;
+ b) An extra headroom of 1 byte is ensured after skb_push. This extra
+ headroom has no use in this function. It also has no use in the
+ upper-layer function that this function passes the skb to
+ (x25_lapb_receive_frame in net/x25/x25_dev.c).
+So logically skb_cow should instead be called before skb_push.
+
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Martin Schiller <ms@dev.tdt.de>
+Signed-off-by: Xie He <xie.he.0141@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wan/hdlc_x25.c | 4 +++-
+ drivers/net/wan/lapbether.c | 8 +++++---
+ 2 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wan/hdlc_x25.c b/drivers/net/wan/hdlc_x25.c
+index c84536b03aa84..f70336bb6f524 100644
+--- a/drivers/net/wan/hdlc_x25.c
++++ b/drivers/net/wan/hdlc_x25.c
+@@ -71,8 +71,10 @@ static int x25_data_indication(struct net_device *dev, struct sk_buff *skb)
+ {
+ unsigned char *ptr;
+
+- if (skb_cow(skb, 1))
++ if (skb_cow(skb, 1)) {
++ kfree_skb(skb);
+ return NET_RX_DROP;
++ }
+
+ skb_push(skb, 1);
+ skb_reset_network_header(skb);
+diff --git a/drivers/net/wan/lapbether.c b/drivers/net/wan/lapbether.c
+index 284832314f310..b2868433718f6 100644
+--- a/drivers/net/wan/lapbether.c
++++ b/drivers/net/wan/lapbether.c
+@@ -128,10 +128,12 @@ static int lapbeth_data_indication(struct net_device *dev, struct sk_buff *skb)
+ {
+ unsigned char *ptr;
+
+- skb_push(skb, 1);
+-
+- if (skb_cow(skb, 1))
++ if (skb_cow(skb, 1)) {
++ kfree_skb(skb);
+ return NET_RX_DROP;
++ }
++
++ skb_push(skb, 1);
+
+ ptr = skb->data;
+ *ptr = X25_IFACE_DATA;
+--
+2.25.1
+
--- /dev/null
+From 7b91235c7705cd72b21fe792c4e0c00d72534820 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Jul 2020 18:38:42 +0200
+Subject: espintcp: handle short messages instead of breaking the encap socket
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit fadd1a63a7b4df295a01fa50b2f4e447542bee59 ]
+
+Currently, short messages (less than 4 bytes after the length header)
+will break the stream of messages. This is unnecessary, since we can
+still parse messages even if they're too short to contain any usable
+data. This is also bogus, as keepalive messages (a single 0xff byte),
+though not needed with TCP encapsulation, should be allowed.
+
+This patch changes the stream parser so that short messages are
+accepted and dropped in the kernel. Messages that contain a valid SPI
+or non-ESP header are processed as before.
+
+Fixes: e27cca96cd68 ("xfrm: add espintcp (RFC 8229)")
+Reported-by: Andrew Cagney <cagney@libreswan.org>
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/espintcp.c | 25 ++++++++++++++++++++++++-
+ 1 file changed, 24 insertions(+), 1 deletion(-)
+
+diff --git a/net/xfrm/espintcp.c b/net/xfrm/espintcp.c
+index 024470fb2d856..19396f3655c05 100644
+--- a/net/xfrm/espintcp.c
++++ b/net/xfrm/espintcp.c
+@@ -41,9 +41,32 @@ static void espintcp_rcv(struct strparser *strp, struct sk_buff *skb)
+ struct espintcp_ctx *ctx = container_of(strp, struct espintcp_ctx,
+ strp);
+ struct strp_msg *rxm = strp_msg(skb);
++ int len = rxm->full_len - 2;
+ u32 nonesp_marker;
+ int err;
+
++ /* keepalive packet? */
++ if (unlikely(len == 1)) {
++ u8 data;
++
++ err = skb_copy_bits(skb, rxm->offset + 2, &data, 1);
++ if (err < 0) {
++ kfree_skb(skb);
++ return;
++ }
++
++ if (data == 0xff) {
++ kfree_skb(skb);
++ return;
++ }
++ }
++
++ /* drop other short messages */
++ if (unlikely(len <= sizeof(nonesp_marker))) {
++ kfree_skb(skb);
++ return;
++ }
++
+ err = skb_copy_bits(skb, rxm->offset + 2, &nonesp_marker,
+ sizeof(nonesp_marker));
+ if (err < 0) {
+@@ -83,7 +106,7 @@ static int espintcp_parse(struct strparser *strp, struct sk_buff *skb)
+ return err;
+
+ len = be16_to_cpu(blen);
+- if (len < 6)
++ if (len < 2)
+ return -EINVAL;
+
+ return len;
+--
+2.25.1
+
--- /dev/null
+From b00e298733338003dd2bbceccf1e3b5d61f1e396 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Jul 2020 10:09:02 +0200
+Subject: espintcp: recv() should return 0 when the peer socket is closed
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit e229c877cde141a4c46cb603a341ce8c909e9a98 ]
+
+man 2 recv says:
+
+ RETURN VALUE
+
+ When a stream socket peer has performed an orderly shutdown, the
+ return value will be 0 (the traditional "end-of-file" return).
+
+Currently, this works for blocking reads, but non-blocking reads will
+return -EAGAIN. This patch overwrites that return value when the peer
+won't send us any more data.
+
+Fixes: e27cca96cd68 ("xfrm: add espintcp (RFC 8229)")
+Reported-by: Andrew Cagney <cagney@libreswan.org>
+Tested-by: Andrew Cagney <cagney@libreswan.org>
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/espintcp.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/xfrm/espintcp.c b/net/xfrm/espintcp.c
+index 5a0ff665b71a8..024470fb2d856 100644
+--- a/net/xfrm/espintcp.c
++++ b/net/xfrm/espintcp.c
+@@ -101,8 +101,11 @@ static int espintcp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
+ flags |= nonblock ? MSG_DONTWAIT : 0;
+
+ skb = __skb_recv_datagram(sk, &ctx->ike_queue, flags, &off, &err);
+- if (!skb)
++ if (!skb) {
++ if (err == -EAGAIN && sk->sk_shutdown & RCV_SHUTDOWN)
++ return 0;
+ return err;
++ }
+
+ copied = len;
+ if (copied > skb->len)
+--
+2.25.1
+
--- /dev/null
+From d43e38a12fad937a4163cb3dd1ff8e24386e337a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Jul 2020 23:34:57 +0300
+Subject: habanalabs: prevent possible out-of-bounds array access
+
+From: Oded Gabbay <oded.gabbay@gmail.com>
+
+[ Upstream commit cea7a0449ea3fa4883bf5dc8397f000d6b67d6cd ]
+
+Queue index is received from the user. Therefore, we must validate it
+before using it to access the queue props array.
+
+Signed-off-by: Oded Gabbay <oded.gabbay@gmail.com>
+Reviewed-by: Tomer Tayar <ttayar@habana.ai>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/habanalabs/command_submission.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/misc/habanalabs/command_submission.c b/drivers/misc/habanalabs/command_submission.c
+index 409276b6374d7..e7c8e7473226f 100644
+--- a/drivers/misc/habanalabs/command_submission.c
++++ b/drivers/misc/habanalabs/command_submission.c
+@@ -425,11 +425,19 @@ static int validate_queue_index(struct hl_device *hdev,
+ struct asic_fixed_properties *asic = &hdev->asic_prop;
+ struct hw_queue_properties *hw_queue_prop;
+
++ /* This must be checked here to prevent out-of-bounds access to
++ * hw_queues_props array
++ */
++ if (chunk->queue_index >= HL_MAX_QUEUES) {
++ dev_err(hdev->dev, "Queue index %d is invalid\n",
++ chunk->queue_index);
++ return -EINVAL;
++ }
++
+ hw_queue_prop = &asic->hw_queues_props[chunk->queue_index];
+
+- if ((chunk->queue_index >= HL_MAX_QUEUES) ||
+- (hw_queue_prop->type == QUEUE_TYPE_NA)) {
+- dev_err(hdev->dev, "Queue index %d is invalid\n",
++ if (hw_queue_prop->type == QUEUE_TYPE_NA) {
++ dev_err(hdev->dev, "Queue index %d is not applicable\n",
+ chunk->queue_index);
+ return -EINVAL;
+ }
+--
+2.25.1
+
--- /dev/null
+From 51cc3295924451909aa09ee5b745351ca4f50fee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Jul 2020 19:26:12 +0530
+Subject: i2c: cadence: Clear HOLD bit at correct time in Rx path
+
+From: Raviteja Narayanam <raviteja.narayanam@xilinx.com>
+
+[ Upstream commit 12d4d9ec5eeecd712c73772e422b6d082e66b046 ]
+
+There are few issues on Zynq SOC observed in the stress tests causing
+timeout errors. Even though all the data is received, timeout error
+is thrown. This is due to an IP bug in which the COMP bit in ISR is
+not set at end of transfer and completion interrupt is not generated.
+
+This bug is seen on Zynq platforms when the following condition occurs:
+Master read & HOLD bit set & Transfer size register reaches '0'.
+
+One workaround is to clear the HOLD bit before the transfer size
+register reaches '0'. The current implementation checks for this at
+the start of the loop and also only for less than FIFO DEPTH case
+(ignoring the equal to case).
+
+So clear the HOLD bit when the data yet to receive is less than or
+equal to the FIFO DEPTH. This avoids the IP bug condition.
+
+Signed-off-by: Raviteja Narayanam <raviteja.narayanam@xilinx.com>
+Acked-by: Michal Simek <michal.simek@xilinx.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-cadence.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/i2c/busses/i2c-cadence.c b/drivers/i2c/busses/i2c-cadence.c
+index 97a0bd6ea31f1..1efdabb5adca0 100644
+--- a/drivers/i2c/busses/i2c-cadence.c
++++ b/drivers/i2c/busses/i2c-cadence.c
+@@ -230,20 +230,21 @@ static irqreturn_t cdns_i2c_isr(int irq, void *ptr)
+ /* Read data if receive data valid is set */
+ while (cdns_i2c_readreg(CDNS_I2C_SR_OFFSET) &
+ CDNS_I2C_SR_RXDV) {
+- /*
+- * Clear hold bit that was set for FIFO control if
+- * RX data left is less than FIFO depth, unless
+- * repeated start is selected.
+- */
+- if ((id->recv_count < CDNS_I2C_FIFO_DEPTH) &&
+- !id->bus_hold_flag)
+- cdns_i2c_clear_bus_hold(id);
+-
+ if (id->recv_count > 0) {
+ *(id->p_recv_buf)++ =
+ cdns_i2c_readreg(CDNS_I2C_DATA_OFFSET);
+ id->recv_count--;
+ id->curr_recv_count--;
++
++ /*
++ * Clear hold bit that was set for FIFO control
++ * if RX data left is less than or equal to
++ * FIFO DEPTH unless repeated start is selected
++ */
++ if (id->recv_count <= CDNS_I2C_FIFO_DEPTH &&
++ !id->bus_hold_flag)
++ cdns_i2c_clear_bus_hold(id);
++
+ } else {
+ dev_err(id->adap.dev.parent,
+ "xfer_size reg rollover. xfer aborted!\n");
+--
+2.25.1
+
--- /dev/null
+From ac6026fdefe6e562e305bd85860b85313a0420b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Jul 2020 16:36:32 -0500
+Subject: ibmvnic: Fix IRQ mapping disposal in error path
+
+From: Thomas Falcon <tlfalcon@linux.ibm.com>
+
+[ Upstream commit 27a2145d6f826d1fad9de06ac541b1016ced3427 ]
+
+RX queue IRQ mappings are disposed in both the TX IRQ and RX IRQ
+error paths. Fix this and dispose of TX IRQ mappings correctly in
+case of an error.
+
+Fixes: ea22d51a7831 ("ibmvnic: simplify and improve driver probe function")
+Signed-off-by: Thomas Falcon <tlfalcon@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ibm/ibmvnic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c
+index 0fd7eae25fe9d..5afb3c9c52d20 100644
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -3206,7 +3206,7 @@ req_rx_irq_failed:
+ req_tx_irq_failed:
+ for (j = 0; j < i; j++) {
+ free_irq(adapter->tx_scrq[j]->irq, adapter->tx_scrq[j]);
+- irq_dispose_mapping(adapter->rx_scrq[j]->irq);
++ irq_dispose_mapping(adapter->tx_scrq[j]->irq);
+ }
+ release_sub_crqs(adapter, 1);
+ return rc;
+--
+2.25.1
+
--- /dev/null
+From f87c520ecd462978bc74e6ebe1d40237ed943b0a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Jul 2020 14:15:16 -0600
+Subject: io_uring: always allow drain/link/hardlink/async sqe flags
+
+From: Daniele Albano <d.albano@gmail.com>
+
+[ Upstream commit 61710e437f2807e26a3402543bdbb7217a9c8620 ]
+
+We currently filter these for timeout_remove/async_cancel/files_update,
+but we only should be filtering for fixed file and buffer select. This
+also causes a second read of sqe->flags, which isn't needed.
+
+Just check req->flags for the relevant bits. This then allows these
+commands to be used in links, for example, like everything else.
+
+Signed-off-by: Daniele Albano <d.albano@gmail.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/io_uring.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/fs/io_uring.c b/fs/io_uring.c
+index d0d3efaaa4d4f..4e09af1d5d223 100644
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -4808,7 +4808,9 @@ static int io_timeout_remove_prep(struct io_kiocb *req,
+ {
+ if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
+ return -EINVAL;
+- if (sqe->flags || sqe->ioprio || sqe->buf_index || sqe->len)
++ if (unlikely(req->flags & (REQ_F_FIXED_FILE | REQ_F_BUFFER_SELECT)))
++ return -EINVAL;
++ if (sqe->ioprio || sqe->buf_index || sqe->len)
+ return -EINVAL;
+
+ req->timeout.addr = READ_ONCE(sqe->addr);
+@@ -5014,8 +5016,9 @@ static int io_async_cancel_prep(struct io_kiocb *req,
+ {
+ if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
+ return -EINVAL;
+- if (sqe->flags || sqe->ioprio || sqe->off || sqe->len ||
+- sqe->cancel_flags)
++ if (unlikely(req->flags & (REQ_F_FIXED_FILE | REQ_F_BUFFER_SELECT)))
++ return -EINVAL;
++ if (sqe->ioprio || sqe->off || sqe->len || sqe->cancel_flags)
+ return -EINVAL;
+
+ req->cancel.addr = READ_ONCE(sqe->addr);
+@@ -5033,7 +5036,9 @@ static int io_async_cancel(struct io_kiocb *req)
+ static int io_files_update_prep(struct io_kiocb *req,
+ const struct io_uring_sqe *sqe)
+ {
+- if (sqe->flags || sqe->ioprio || sqe->rw_flags)
++ if (unlikely(req->flags & (REQ_F_FIXED_FILE | REQ_F_BUFFER_SELECT)))
++ return -EINVAL;
++ if (sqe->ioprio || sqe->rw_flags)
+ return -EINVAL;
+
+ req->files_update.offset = READ_ONCE(sqe->off);
+--
+2.25.1
+
--- /dev/null
+From 144b7123db0d58152625875aa54328255713e7fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Jul 2020 10:52:17 -0700
+Subject: ionic: unlock queue mutex in error path
+
+From: Shannon Nelson <snelson@pensando.io>
+
+[ Upstream commit 59929fbb45e06da7d501d3a97f10a91912181f7c ]
+
+On an error return, jump to the unlock at the end to be sure
+to unlock the queue_lock mutex.
+
+Fixes: 0925e9db4dc8 ("ionic: use mutex to protect queue operations")
+Reported-by: kernel test robot <lkp@intel.com>
+Reported-by: Julia Lawall <julia.lawall@lip6.fr>
+Signed-off-by: Shannon Nelson <snelson@pensando.io>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/pensando/ionic/ionic_lif.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/pensando/ionic/ionic_lif.c b/drivers/net/ethernet/pensando/ionic/ionic_lif.c
+index 2c3e9ef22129c..337d971ffd92c 100644
+--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c
++++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c
+@@ -1959,7 +1959,7 @@ int ionic_reset_queues(struct ionic_lif *lif, ionic_reset_cb cb, void *arg)
+ netif_device_detach(lif->netdev);
+ err = ionic_stop(lif->netdev);
+ if (err)
+- return err;
++ goto reset_out;
+ }
+
+ if (cb)
+@@ -1969,6 +1969,8 @@ int ionic_reset_queues(struct ionic_lif *lif, ionic_reset_cb cb, void *arg)
+ err = ionic_open(lif->netdev);
+ netif_device_attach(lif->netdev);
+ }
++
++reset_out:
+ mutex_unlock(&lif->queue_lock);
+
+ return err;
+--
+2.25.1
+
--- /dev/null
+From c5ddda09712fb321a69470a3cd87f1259f8fc10a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Jun 2020 09:38:00 +0200
+Subject: iwlwifi: fix crash in iwl_dbg_tlv_alloc_trigger
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jiri Slaby <jslaby@suse.cz>
+
+[ Upstream commit ea0cca61d628662e4a1b26c77c7646f9a0257069 ]
+
+The tlv passed to iwl_dbg_tlv_alloc_trigger comes from a loaded firmware
+file. The memory can be marked as read-only as firmware could be
+shared. In anyway, writing to this memory is not expected. So,
+iwl_dbg_tlv_alloc_trigger can crash now:
+
+ BUG: unable to handle page fault for address: ffffae2c01bfa794
+ PF: supervisor write access in kernel mode
+ PF: error_code(0x0003) - permissions violation
+ PGD 107d51067 P4D 107d51067 PUD 107d52067 PMD 659ad2067 PTE 8000000662298161
+ CPU: 2 PID: 161 Comm: kworker/2:1 Not tainted 5.7.0-3.gad96a07-default #1 openSUSE Tumbleweed (unreleased)
+ RIP: 0010:iwl_dbg_tlv_alloc_trigger+0x25/0x60 [iwlwifi]
+ Code: eb f2 0f 1f 00 66 66 66 66 90 83 7e 04 33 48 89 f8 44 8b 46 10 48 89 f7 76 40 41 8d 50 ff 83 fa 19 77 23 8b 56 20 85 d2 75 07 <c7> 46 20 ff ff ff ff 4b 8d 14 40 48 c1 e2 04 48 8d b4 10 00 05 00
+ RSP: 0018:ffffae2c00417ce8 EFLAGS: 00010246
+ RAX: ffff8f0522334018 RBX: ffff8f0522334018 RCX: ffffffffc0fc26c0
+ RDX: 0000000000000000 RSI: ffffae2c01bfa774 RDI: ffffae2c01bfa774
+ RBP: 0000000000000000 R08: 0000000000000004 R09: 0000000000000001
+ R10: 0000000000000034 R11: ffffae2c01bfa77c R12: ffff8f0522334230
+ R13: 0000000001000009 R14: ffff8f0523fdbc00 R15: ffff8f051f395800
+ FS: 0000000000000000(0000) GS:ffff8f0527c80000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: ffffae2c01bfa794 CR3: 0000000389eba000 CR4: 00000000000006e0
+ Call Trace:
+ iwl_dbg_tlv_alloc+0x79/0x120 [iwlwifi]
+ iwl_parse_tlv_firmware.isra.0+0x57d/0x1550 [iwlwifi]
+ iwl_req_fw_callback+0x3f8/0x6a0 [iwlwifi]
+ request_firmware_work_func+0x47/0x90
+ process_one_work+0x1e3/0x3b0
+ worker_thread+0x46/0x340
+ kthread+0x115/0x140
+ ret_from_fork+0x1f/0x40
+
+As can be seen, write bit is not set in the PTE. Read of
+trig->occurrences succeeds in iwl_dbg_tlv_alloc_trigger, but
+trig->occurrences = cpu_to_le32(-1); fails there, obviously.
+
+This is likely because we (at SUSE) use compressed firmware and that is
+marked as RO after decompression (see fw_map_paged_buf).
+
+Fix it by creating a temporary buffer in case we need to change the
+memory.
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Reported-by: Dieter Nützel <Dieter@nuetzel-hh.de>
+Tested-by: Dieter Nützel <Dieter@nuetzel-hh.de>
+Cc: Johannes Berg <johannes.berg@intel.com>
+Cc: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Cc: Luca Coelho <luciano.coelho@intel.com>
+Cc: Intel Linux Wireless <linuxwifi@intel.com>
+Cc: Kalle Valo <kvalo@codeaurora.org>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: linux-wireless@vger.kernel.org
+Cc: netdev@vger.kernel.org
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20200612073800.27742-1-jslaby@suse.cz
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c b/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c
+index bf2f00b892140..85b132a77787d 100644
+--- a/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c
++++ b/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c
+@@ -263,6 +263,8 @@ static int iwl_dbg_tlv_alloc_trigger(struct iwl_trans *trans,
+ {
+ struct iwl_fw_ini_trigger_tlv *trig = (void *)tlv->data;
+ u32 tp = le32_to_cpu(trig->time_point);
++ struct iwl_ucode_tlv *dup = NULL;
++ int ret;
+
+ if (le32_to_cpu(tlv->length) < sizeof(*trig))
+ return -EINVAL;
+@@ -275,10 +277,20 @@ static int iwl_dbg_tlv_alloc_trigger(struct iwl_trans *trans,
+ return -EINVAL;
+ }
+
+- if (!le32_to_cpu(trig->occurrences))
++ if (!le32_to_cpu(trig->occurrences)) {
++ dup = kmemdup(tlv, sizeof(*tlv) + le32_to_cpu(tlv->length),
++ GFP_KERNEL);
++ if (!dup)
++ return -ENOMEM;
++ trig = (void *)dup->data;
+ trig->occurrences = cpu_to_le32(-1);
++ tlv = dup;
++ }
++
++ ret = iwl_dbg_tlv_add(tlv, &trans->dbg.time_point[tp].trig_list);
++ kfree(dup);
+
+- return iwl_dbg_tlv_add(tlv, &trans->dbg.time_point[tp].trig_list);
++ return ret;
+ }
+
+ static int (*dbg_tlv_alloc[])(struct iwl_trans *trans,
+--
+2.25.1
+
--- /dev/null
+From fe437a52c2e9dc08b61007c35e08d94a08303750 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Jul 2020 15:50:07 +0200
+Subject: mac80211: mesh: Free ie data when leaving mesh
+
+From: Remi Pommarel <repk@triplefau.lt>
+
+[ Upstream commit 6a01afcf8468d3ca2bd8bbb27503f60dcf643b20 ]
+
+At ieee80211_join_mesh() some ie data could have been allocated (see
+copy_mesh_setup()) and need to be cleaned up when leaving the mesh.
+
+This fixes the following kmemleak report:
+
+unreferenced object 0xffff0000116bc600 (size 128):
+ comm "wpa_supplicant", pid 608, jiffies 4294898983 (age 293.484s)
+ hex dump (first 32 bytes):
+ 30 14 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 0...............
+ 00 0f ac 08 00 00 00 00 c4 65 40 00 00 00 00 00 .........e@.....
+ backtrace:
+ [<00000000bebe439d>] __kmalloc_track_caller+0x1c0/0x330
+ [<00000000a349dbe1>] kmemdup+0x28/0x50
+ [<0000000075d69baa>] ieee80211_join_mesh+0x6c/0x3b8 [mac80211]
+ [<00000000683bb98b>] __cfg80211_join_mesh+0x1e8/0x4f0 [cfg80211]
+ [<0000000072cb507f>] nl80211_join_mesh+0x520/0x6b8 [cfg80211]
+ [<0000000077e9bcf9>] genl_family_rcv_msg+0x374/0x680
+ [<00000000b1bd936d>] genl_rcv_msg+0x78/0x108
+ [<0000000022c53788>] netlink_rcv_skb+0xb0/0x1c0
+ [<0000000011af8ec9>] genl_rcv+0x34/0x48
+ [<0000000069e41f53>] netlink_unicast+0x268/0x2e8
+ [<00000000a7517316>] netlink_sendmsg+0x320/0x4c0
+ [<0000000069cba205>] ____sys_sendmsg+0x354/0x3a0
+ [<00000000e06bab0f>] ___sys_sendmsg+0xd8/0x120
+ [<0000000037340728>] __sys_sendmsg+0xa4/0xf8
+ [<000000004fed9776>] __arm64_sys_sendmsg+0x44/0x58
+ [<000000001c1e5647>] el0_svc_handler+0xd0/0x1a0
+
+Fixes: c80d545da3f7 (mac80211: Let userspace enable and configure vendor specific path selection.)
+Signed-off-by: Remi Pommarel <repk@triplefau.lt>
+Link: https://lore.kernel.org/r/20200704135007.27292-1-repk@triplefau.lt
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/cfg.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index 0f72813fed53e..4230b483168a1 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -2140,6 +2140,7 @@ static int ieee80211_leave_mesh(struct wiphy *wiphy, struct net_device *dev)
+ ieee80211_stop_mesh(sdata);
+ mutex_lock(&sdata->local->mtx);
+ ieee80211_vif_release_channel(sdata);
++ kfree(sdata->u.mesh.ie);
+ mutex_unlock(&sdata->local->mtx);
+
+ return 0;
+--
+2.25.1
+
--- /dev/null
+From fc40f2cc7ef6147a1f9a9826c2474bb48475df6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Jul 2020 15:54:19 +0200
+Subject: mac80211: mesh: Free pending skb when destroying a mpath
+
+From: Remi Pommarel <repk@triplefau.lt>
+
+[ Upstream commit 5e43540c2af0a0c0a18e39579b1ad49541f87506 ]
+
+A mpath object can hold reference on a list of skb that are waiting for
+mpath resolution to be sent. When destroying a mpath this skb list
+should be cleaned up in order to not leak memory.
+
+Fixing that kind of leak:
+
+unreferenced object 0xffff0000181c9300 (size 1088):
+ comm "openvpn", pid 1782, jiffies 4295071698 (age 80.416s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 f9 80 36 00 00 00 00 00 ..........6.....
+ 02 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 ...@............
+ backtrace:
+ [<000000004bc6a443>] kmem_cache_alloc+0x1a4/0x2f0
+ [<000000002caaef13>] sk_prot_alloc.isra.39+0x34/0x178
+ [<00000000ceeaa916>] sk_alloc+0x34/0x228
+ [<00000000ca1f1d04>] inet_create+0x198/0x518
+ [<0000000035626b1c>] __sock_create+0x134/0x328
+ [<00000000a12b3a87>] __sys_socket+0xb0/0x158
+ [<00000000ff859f23>] __arm64_sys_socket+0x40/0x58
+ [<00000000263486ec>] el0_svc_handler+0xd0/0x1a0
+ [<0000000005b5157d>] el0_svc+0x8/0xc
+unreferenced object 0xffff000012973a40 (size 216):
+ comm "openvpn", pid 1782, jiffies 4295082137 (age 38.660s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 c0 06 16 00 00 ff ff 00 93 1c 18 00 00 ff ff ................
+ backtrace:
+ [<000000004bc6a443>] kmem_cache_alloc+0x1a4/0x2f0
+ [<0000000023c8c8f9>] __alloc_skb+0xc0/0x2b8
+ [<000000007ad950bb>] alloc_skb_with_frags+0x60/0x320
+ [<00000000ef90023a>] sock_alloc_send_pskb+0x388/0x3c0
+ [<00000000104fb1a3>] sock_alloc_send_skb+0x1c/0x28
+ [<000000006919d2dd>] __ip_append_data+0xba4/0x11f0
+ [<0000000083477587>] ip_make_skb+0x14c/0x1a8
+ [<0000000024f3d592>] udp_sendmsg+0xaf0/0xcf0
+ [<000000005aabe255>] inet_sendmsg+0x5c/0x80
+ [<000000008651ea08>] __sys_sendto+0x15c/0x218
+ [<000000003505c99b>] __arm64_sys_sendto+0x74/0x90
+ [<00000000263486ec>] el0_svc_handler+0xd0/0x1a0
+ [<0000000005b5157d>] el0_svc+0x8/0xc
+
+Fixes: 2bdaf386f99c (mac80211: mesh: move path tables into if_mesh)
+Signed-off-by: Remi Pommarel <repk@triplefau.lt>
+Link: https://lore.kernel.org/r/20200704135419.27703-1-repk@triplefau.lt
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mesh_pathtbl.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c
+index 117519bf33d65..aca608ae313fe 100644
+--- a/net/mac80211/mesh_pathtbl.c
++++ b/net/mac80211/mesh_pathtbl.c
+@@ -521,6 +521,7 @@ static void mesh_path_free_rcu(struct mesh_table *tbl,
+ del_timer_sync(&mpath->timer);
+ atomic_dec(&sdata->u.mesh.mpaths);
+ atomic_dec(&tbl->entries);
++ mesh_path_flush_pending(mpath);
+ kfree_rcu(mpath, rcu);
+ }
+
+--
+2.25.1
+
--- /dev/null
+From c5e5ceb1240247fde1c5479f7665c0ea22b2988b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Jul 2020 16:15:43 -0700
+Subject: mlx4: disable device on shutdown
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 3cab8c65525920f00d8f4997b3e9bb73aecb3a8e ]
+
+It appears that not disabling a PCI device on .shutdown may lead to
+a Hardware Error with particular (perhaps buggy) BIOS versions:
+
+ mlx4_en: eth0: Close port called
+ mlx4_en 0000:04:00.0: removed PHC
+ reboot: Restarting system
+ {1}[Hardware Error]: Hardware error from APEI Generic Hardware Error Source: 1
+ {1}[Hardware Error]: event severity: fatal
+ {1}[Hardware Error]: Error 0, type: fatal
+ {1}[Hardware Error]: section_type: PCIe error
+ {1}[Hardware Error]: port_type: 4, root port
+ {1}[Hardware Error]: version: 1.16
+ {1}[Hardware Error]: command: 0x4010, status: 0x0143
+ {1}[Hardware Error]: device_id: 0000:00:02.2
+ {1}[Hardware Error]: slot: 0
+ {1}[Hardware Error]: secondary_bus: 0x04
+ {1}[Hardware Error]: vendor_id: 0x8086, device_id: 0x2f06
+ {1}[Hardware Error]: class_code: 000604
+ {1}[Hardware Error]: bridge: secondary_status: 0x2000, control: 0x0003
+ {1}[Hardware Error]: aer_uncor_status: 0x00100000, aer_uncor_mask: 0x00000000
+ {1}[Hardware Error]: aer_uncor_severity: 0x00062030
+ {1}[Hardware Error]: TLP Header: 40000018 040000ff 791f4080 00000000
+[hw error repeats]
+ Kernel panic - not syncing: Fatal hardware error!
+ CPU: 0 PID: 2189 Comm: reboot Kdump: loaded Not tainted 5.6.x-blabla #1
+ Hardware name: HP ProLiant DL380 Gen9/ProLiant DL380 Gen9, BIOS P89 05/05/2017
+
+Fix the mlx4 driver.
+
+This is a very similar problem to what had been fixed in:
+commit 0d98ba8d70b0 ("scsi: hpsa: disable device during shutdown")
+to address https://bugzilla.kernel.org/show_bug.cgi?id=199779.
+
+Fixes: 2ba5fbd62b25 ("net/mlx4_core: Handle AER flow properly")
+Reported-by: Jake Lawrence <lawja@fb.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Reviewed-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx4/main.c b/drivers/net/ethernet/mellanox/mlx4/main.c
+index c72c4e1ea383b..598e222e0b907 100644
+--- a/drivers/net/ethernet/mellanox/mlx4/main.c
++++ b/drivers/net/ethernet/mellanox/mlx4/main.c
+@@ -4358,12 +4358,14 @@ end:
+ static void mlx4_shutdown(struct pci_dev *pdev)
+ {
+ struct mlx4_dev_persistent *persist = pci_get_drvdata(pdev);
++ struct mlx4_dev *dev = persist->dev;
+
+ mlx4_info(persist->dev, "mlx4_shutdown was called\n");
+ mutex_lock(&persist->interface_state_mutex);
+ if (persist->interface_state & MLX4_INTERFACE_STATE_UP)
+ mlx4_unload_one(pdev);
+ mutex_unlock(&persist->interface_state_mutex);
++ mlx4_pci_disable_device(dev);
+ }
+
+ static const struct pci_error_handlers mlx4_err_handler = {
+--
+2.25.1
+
--- /dev/null
+From 3c44a37bc02039b93bde51b493ef4867b2896328 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Jul 2020 12:26:46 +0300
+Subject: mlxsw: core: Free EMAD transactions using kfree_rcu()
+
+From: Ido Schimmel <idosch@mellanox.com>
+
+[ Upstream commit 3c8ce24b037648a5a15b85888b259a74b05ff97d ]
+
+The lifetime of EMAD transactions (i.e., 'struct mlxsw_reg_trans') is
+managed using RCU. They are freed using kfree_rcu() once the transaction
+ends.
+
+However, in case the transaction failed it is freed immediately after being
+removed from the active transactions list. This is problematic because it is
+still possible for a different CPU to dereference the transaction from an RCU
+read-side critical section while traversing the active transaction list in
+mlxsw_emad_rx_listener_func(). In which case, a use-after-free is triggered
+[1].
+
+Fix this by freeing the transaction after a grace period by calling
+kfree_rcu().
+
+[1]
+BUG: KASAN: use-after-free in mlxsw_emad_rx_listener_func+0x969/0xac0 drivers/net/ethernet/mellanox/mlxsw/core.c:671
+Read of size 8 at addr ffff88800b7964e8 by task syz-executor.2/2881
+
+CPU: 0 PID: 2881 Comm: syz-executor.2 Not tainted 5.8.0-rc4+ #44
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
+Call Trace:
+ <IRQ>
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xf6/0x16e lib/dump_stack.c:118
+ print_address_description.constprop.0+0x1c/0x250 mm/kasan/report.c:383
+ __kasan_report mm/kasan/report.c:513 [inline]
+ kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
+ mlxsw_emad_rx_listener_func+0x969/0xac0 drivers/net/ethernet/mellanox/mlxsw/core.c:671
+ mlxsw_core_skb_receive+0x571/0x700 drivers/net/ethernet/mellanox/mlxsw/core.c:2061
+ mlxsw_pci_cqe_rdq_handle drivers/net/ethernet/mellanox/mlxsw/pci.c:595 [inline]
+ mlxsw_pci_cq_tasklet+0x12a6/0x2520 drivers/net/ethernet/mellanox/mlxsw/pci.c:651
+ tasklet_action_common.isra.0+0x13f/0x3e0 kernel/softirq.c:550
+ __do_softirq+0x223/0x964 kernel/softirq.c:292
+ asm_call_on_stack+0x12/0x20 arch/x86/entry/entry_64.S:711
+ </IRQ>
+ __run_on_irqstack arch/x86/include/asm/irq_stack.h:22 [inline]
+ run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:48 [inline]
+ do_softirq_own_stack+0x109/0x140 arch/x86/kernel/irq_64.c:77
+ invoke_softirq kernel/softirq.c:387 [inline]
+ __irq_exit_rcu kernel/softirq.c:417 [inline]
+ irq_exit_rcu+0x16f/0x1a0 kernel/softirq.c:429
+ sysvec_apic_timer_interrupt+0x4e/0xd0 arch/x86/kernel/apic/apic.c:1091
+ asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:587
+RIP: 0010:arch_local_irq_restore arch/x86/include/asm/irqflags.h:85 [inline]
+RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
+RIP: 0010:_raw_spin_unlock_irqrestore+0x3b/0x40 kernel/locking/spinlock.c:191
+Code: e8 2a c3 f4 fc 48 89 ef e8 12 96 f5 fc f6 c7 02 75 11 53 9d e8 d6 db 11 fd 65 ff 0d 1f 21 b3 56 5b 5d c3 e8 a7 d7 11 fd 53 9d <eb> ed 0f 1f 00 55 48 89 fd 65 ff 05 05 21 b3 56 ff 74 24 08 48 8d
+RSP: 0018:ffff8880446ffd80 EFLAGS: 00000286
+RAX: 0000000000000006 RBX: 0000000000000286 RCX: 0000000000000006
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffa94ecea9
+RBP: ffff888012934408 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000001 R11: fffffbfff57be301 R12: 1ffff110088dffc1
+R13: ffff888037b817c0 R14: ffff88802442415a R15: ffff888024424000
+ __do_sys_perf_event_open+0x1b5d/0x2bd0 kernel/events/core.c:11874
+ do_syscall_64+0x56/0xa0 arch/x86/entry/common.c:384
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x473dbd
+Code: Bad RIP value.
+RSP: 002b:00007f21e5e9cc28 EFLAGS: 00000246 ORIG_RAX: 000000000000012a
+RAX: ffffffffffffffda RBX: 000000000057bf00 RCX: 0000000000473dbd
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000040
+RBP: 000000000057bf00 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000003 R11: 0000000000000246 R12: 000000000057bf0c
+R13: 00007ffd0493503f R14: 00000000004d0f46 R15: 00007f21e5e9cd80
+
+Allocated by task 871:
+ save_stack+0x1b/0x40 mm/kasan/common.c:48
+ set_track mm/kasan/common.c:56 [inline]
+ __kasan_kmalloc mm/kasan/common.c:494 [inline]
+ __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:467
+ kmalloc include/linux/slab.h:555 [inline]
+ kzalloc include/linux/slab.h:669 [inline]
+ mlxsw_core_reg_access_emad+0x70/0x1410 drivers/net/ethernet/mellanox/mlxsw/core.c:1812
+ mlxsw_core_reg_access+0xeb/0x540 drivers/net/ethernet/mellanox/mlxsw/core.c:1991
+ mlxsw_sp_port_get_hw_xstats+0x335/0x7e0 drivers/net/ethernet/mellanox/mlxsw/spectrum.c:1130
+ update_stats_cache+0xf4/0x140 drivers/net/ethernet/mellanox/mlxsw/spectrum.c:1173
+ process_one_work+0xa3e/0x17a0 kernel/workqueue.c:2269
+ worker_thread+0x9e/0x1050 kernel/workqueue.c:2415
+ kthread+0x355/0x470 kernel/kthread.c:291
+ ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:293
+
+Freed by task 871:
+ save_stack+0x1b/0x40 mm/kasan/common.c:48
+ set_track mm/kasan/common.c:56 [inline]
+ kasan_set_free_info mm/kasan/common.c:316 [inline]
+ __kasan_slab_free+0x12c/0x170 mm/kasan/common.c:455
+ slab_free_hook mm/slub.c:1474 [inline]
+ slab_free_freelist_hook mm/slub.c:1507 [inline]
+ slab_free mm/slub.c:3072 [inline]
+ kfree+0xe6/0x320 mm/slub.c:4052
+ mlxsw_core_reg_access_emad+0xd45/0x1410 drivers/net/ethernet/mellanox/mlxsw/core.c:1819
+ mlxsw_core_reg_access+0xeb/0x540 drivers/net/ethernet/mellanox/mlxsw/core.c:1991
+ mlxsw_sp_port_get_hw_xstats+0x335/0x7e0 drivers/net/ethernet/mellanox/mlxsw/spectrum.c:1130
+ update_stats_cache+0xf4/0x140 drivers/net/ethernet/mellanox/mlxsw/spectrum.c:1173
+ process_one_work+0xa3e/0x17a0 kernel/workqueue.c:2269
+ worker_thread+0x9e/0x1050 kernel/workqueue.c:2415
+ kthread+0x355/0x470 kernel/kthread.c:291
+ ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:293
+
+The buggy address belongs to the object at ffff88800b796400
+ which belongs to the cache kmalloc-512 of size 512
+The buggy address is located 232 bytes inside of
+ 512-byte region [ffff88800b796400, ffff88800b796600)
+The buggy address belongs to the page:
+page:ffffea00002de500 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 head:ffffea00002de500 order:2 compound_mapcount:0 compound_pincount:0
+flags: 0x100000000010200(slab|head)
+raw: 0100000000010200 dead000000000100 dead000000000122 ffff88806c402500
+raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff88800b796380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff88800b796400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff88800b796480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff88800b796500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff88800b796580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+
+Fixes: caf7297e7ab5 ("mlxsw: core: Introduce support for asynchronous EMAD register access")
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Reviewed-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/core.c b/drivers/net/ethernet/mellanox/mlxsw/core.c
+index 5e76a96a118eb..71b6185b49042 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/core.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/core.c
+@@ -1814,7 +1814,7 @@ static int mlxsw_core_reg_access_emad(struct mlxsw_core *mlxsw_core,
+ err = mlxsw_emad_reg_access(mlxsw_core, reg, payload, type, trans,
+ bulk_list, cb, cb_priv, tid);
+ if (err) {
+- kfree(trans);
++ kfree_rcu(trans, rcu);
+ return err;
+ }
+ return 0;
+--
+2.25.1
+
--- /dev/null
+From 038e26da84ff632817ccca8eecbc2a10099cda08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Jul 2020 12:26:45 +0300
+Subject: mlxsw: core: Increase scope of RCU read-side critical section
+
+From: Ido Schimmel <idosch@mellanox.com>
+
+[ Upstream commit 7d8e8f3433dc8d1dc87c1aabe73a154978fb4c4d ]
+
+The lifetime of the Rx listener item ('rxl_item') is managed using RCU,
+but is dereferenced outside of RCU read-side critical section, which can
+lead to a use-after-free.
+
+Fix this by increasing the scope of the RCU read-side critical section.
+
+Fixes: 93c1edb27f9e ("mlxsw: Introduce Mellanox switch driver core")
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Reviewed-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/core.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/core.c b/drivers/net/ethernet/mellanox/mlxsw/core.c
+index d6d6fe64887b3..5e76a96a118eb 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/core.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/core.c
+@@ -2051,11 +2051,13 @@ void mlxsw_core_skb_receive(struct mlxsw_core *mlxsw_core, struct sk_buff *skb,
+ break;
+ }
+ }
+- rcu_read_unlock();
+- if (!found)
++ if (!found) {
++ rcu_read_unlock();
+ goto drop;
++ }
+
+ rxl->func(skb, local_port, rxl_item->priv);
++ rcu_read_unlock();
+ return;
+
+ drop:
+--
+2.25.1
+
--- /dev/null
+From bc9d51facd0c56d3142887b4819d6954df4c57f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Jul 2020 12:26:47 +0300
+Subject: mlxsw: spectrum_router: Fix use-after-free in router init / de-init
+
+From: Ido Schimmel <idosch@mellanox.com>
+
+[ Upstream commit 5515c3448d55bdcb5ff8a1778aa84f34e4205596 ]
+
+Several notifiers are registered as part of router initialization.
+Since some of these notifiers are registered before the end of the
+initialization, it is possible for them to access uninitialized or freed
+memory when processing notifications [1].
+
+Additionally, some of these notifiers queue work items on a workqueue.
+If these work items are executed after the router was de-initialized,
+they will access freed memory.
+
+Fix both problems by moving the registration of the notifiers to the end
+of the router initialization and flush the work queue after they are
+unregistered.
+
+[1]
+BUG: KASAN: use-after-free in __mutex_lock_common kernel/locking/mutex.c:938 [inline]
+BUG: KASAN: use-after-free in __mutex_lock+0xeea/0x1340 kernel/locking/mutex.c:1103
+Read of size 8 at addr ffff888038c3a6e0 by task kworker/u4:1/61
+
+CPU: 1 PID: 61 Comm: kworker/u4:1 Not tainted 5.8.0-rc2+ #36
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
+Workqueue: mlxsw_core_ordered mlxsw_sp_inet6addr_event_work
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xf6/0x16e lib/dump_stack.c:118
+ print_address_description.constprop.0+0x1c/0x250 mm/kasan/report.c:383
+ __kasan_report mm/kasan/report.c:513 [inline]
+ kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
+ __mutex_lock_common kernel/locking/mutex.c:938 [inline]
+ __mutex_lock+0xeea/0x1340 kernel/locking/mutex.c:1103
+ mlxsw_sp_inet6addr_event_work+0xb3/0x1b0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7123
+ process_one_work+0xa3e/0x17a0 kernel/workqueue.c:2269
+ worker_thread+0x9e/0x1050 kernel/workqueue.c:2415
+ kthread+0x355/0x470 kernel/kthread.c:291
+ ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:293
+
+Allocated by task 1298:
+ save_stack+0x1b/0x40 mm/kasan/common.c:48
+ set_track mm/kasan/common.c:56 [inline]
+ __kasan_kmalloc mm/kasan/common.c:494 [inline]
+ __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:467
+ kmalloc include/linux/slab.h:555 [inline]
+ kzalloc include/linux/slab.h:669 [inline]
+ mlxsw_sp_router_init+0xb2/0x1d20 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:8074
+ mlxsw_sp_init+0xbd8/0x3ac0 drivers/net/ethernet/mellanox/mlxsw/spectrum.c:2932
+ __mlxsw_core_bus_device_register+0x657/0x10d0 drivers/net/ethernet/mellanox/mlxsw/core.c:1375
+ mlxsw_core_bus_device_register drivers/net/ethernet/mellanox/mlxsw/core.c:1436 [inline]
+ mlxsw_devlink_core_bus_device_reload_up+0xcd/0x150 drivers/net/ethernet/mellanox/mlxsw/core.c:1133
+ devlink_reload net/core/devlink.c:2959 [inline]
+ devlink_reload+0x281/0x3b0 net/core/devlink.c:2944
+ devlink_nl_cmd_reload+0x2f1/0x7c0 net/core/devlink.c:2987
+ genl_family_rcv_msg_doit net/netlink/genetlink.c:691 [inline]
+ genl_family_rcv_msg net/netlink/genetlink.c:736 [inline]
+ genl_rcv_msg+0x611/0x9d0 net/netlink/genetlink.c:753
+ netlink_rcv_skb+0x152/0x440 net/netlink/af_netlink.c:2469
+ genl_rcv+0x24/0x40 net/netlink/genetlink.c:764
+ netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
+ netlink_unicast+0x53a/0x750 net/netlink/af_netlink.c:1329
+ netlink_sendmsg+0x850/0xd90 net/netlink/af_netlink.c:1918
+ sock_sendmsg_nosec net/socket.c:652 [inline]
+ sock_sendmsg+0x150/0x190 net/socket.c:672
+ ____sys_sendmsg+0x6d8/0x840 net/socket.c:2363
+ ___sys_sendmsg+0xff/0x170 net/socket.c:2417
+ __sys_sendmsg+0xe5/0x1b0 net/socket.c:2450
+ do_syscall_64+0x56/0xa0 arch/x86/entry/common.c:359
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Freed by task 1348:
+ save_stack+0x1b/0x40 mm/kasan/common.c:48
+ set_track mm/kasan/common.c:56 [inline]
+ kasan_set_free_info mm/kasan/common.c:316 [inline]
+ __kasan_slab_free+0x12c/0x170 mm/kasan/common.c:455
+ slab_free_hook mm/slub.c:1474 [inline]
+ slab_free_freelist_hook mm/slub.c:1507 [inline]
+ slab_free mm/slub.c:3072 [inline]
+ kfree+0xe6/0x320 mm/slub.c:4063
+ mlxsw_sp_fini+0x340/0x4e0 drivers/net/ethernet/mellanox/mlxsw/spectrum.c:3132
+ mlxsw_core_bus_device_unregister+0x16c/0x6d0 drivers/net/ethernet/mellanox/mlxsw/core.c:1474
+ mlxsw_devlink_core_bus_device_reload_down+0x8e/0xc0 drivers/net/ethernet/mellanox/mlxsw/core.c:1123
+ devlink_reload+0xc6/0x3b0 net/core/devlink.c:2952
+ devlink_nl_cmd_reload+0x2f1/0x7c0 net/core/devlink.c:2987
+ genl_family_rcv_msg_doit net/netlink/genetlink.c:691 [inline]
+ genl_family_rcv_msg net/netlink/genetlink.c:736 [inline]
+ genl_rcv_msg+0x611/0x9d0 net/netlink/genetlink.c:753
+ netlink_rcv_skb+0x152/0x440 net/netlink/af_netlink.c:2469
+ genl_rcv+0x24/0x40 net/netlink/genetlink.c:764
+ netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
+ netlink_unicast+0x53a/0x750 net/netlink/af_netlink.c:1329
+ netlink_sendmsg+0x850/0xd90 net/netlink/af_netlink.c:1918
+ sock_sendmsg_nosec net/socket.c:652 [inline]
+ sock_sendmsg+0x150/0x190 net/socket.c:672
+ ____sys_sendmsg+0x6d8/0x840 net/socket.c:2363
+ ___sys_sendmsg+0xff/0x170 net/socket.c:2417
+ __sys_sendmsg+0xe5/0x1b0 net/socket.c:2450
+ do_syscall_64+0x56/0xa0 arch/x86/entry/common.c:359
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+The buggy address belongs to the object at ffff888038c3a000
+ which belongs to the cache kmalloc-2k of size 2048
+The buggy address is located 1760 bytes inside of
+ 2048-byte region [ffff888038c3a000, ffff888038c3a800)
+The buggy address belongs to the page:
+page:ffffea0000e30e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 head:ffffea0000e30e00 order:3 compound_mapcount:0 compound_pincount:0
+flags: 0x100000000010200(slab|head)
+raw: 0100000000010200 dead000000000100 dead000000000122 ffff88806c40c000
+raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff888038c3a580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff888038c3a600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff888038c3a680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff888038c3a700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff888038c3a780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+
+Fixes: 965fa8e600d2 ("mlxsw: spectrum_router: Make RIF deletion more robust")
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Reviewed-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ethernet/mellanox/mlxsw/spectrum_router.c | 50 ++++++++++---------
+ 1 file changed, 26 insertions(+), 24 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
+index 84b3d78a9dd84..ac1a63fe0899c 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
+@@ -8072,16 +8072,6 @@ int mlxsw_sp_router_init(struct mlxsw_sp *mlxsw_sp,
+ mlxsw_sp->router = router;
+ router->mlxsw_sp = mlxsw_sp;
+
+- router->inetaddr_nb.notifier_call = mlxsw_sp_inetaddr_event;
+- err = register_inetaddr_notifier(&router->inetaddr_nb);
+- if (err)
+- goto err_register_inetaddr_notifier;
+-
+- router->inet6addr_nb.notifier_call = mlxsw_sp_inet6addr_event;
+- err = register_inet6addr_notifier(&router->inet6addr_nb);
+- if (err)
+- goto err_register_inet6addr_notifier;
+-
+ INIT_LIST_HEAD(&mlxsw_sp->router->nexthop_neighs_list);
+ err = __mlxsw_sp_router_init(mlxsw_sp);
+ if (err)
+@@ -8122,12 +8112,6 @@ int mlxsw_sp_router_init(struct mlxsw_sp *mlxsw_sp,
+ if (err)
+ goto err_neigh_init;
+
+- mlxsw_sp->router->netevent_nb.notifier_call =
+- mlxsw_sp_router_netevent_event;
+- err = register_netevent_notifier(&mlxsw_sp->router->netevent_nb);
+- if (err)
+- goto err_register_netevent_notifier;
+-
+ err = mlxsw_sp_mp_hash_init(mlxsw_sp);
+ if (err)
+ goto err_mp_hash_init;
+@@ -8136,6 +8120,22 @@ int mlxsw_sp_router_init(struct mlxsw_sp *mlxsw_sp,
+ if (err)
+ goto err_dscp_init;
+
++ router->inetaddr_nb.notifier_call = mlxsw_sp_inetaddr_event;
++ err = register_inetaddr_notifier(&router->inetaddr_nb);
++ if (err)
++ goto err_register_inetaddr_notifier;
++
++ router->inet6addr_nb.notifier_call = mlxsw_sp_inet6addr_event;
++ err = register_inet6addr_notifier(&router->inet6addr_nb);
++ if (err)
++ goto err_register_inet6addr_notifier;
++
++ mlxsw_sp->router->netevent_nb.notifier_call =
++ mlxsw_sp_router_netevent_event;
++ err = register_netevent_notifier(&mlxsw_sp->router->netevent_nb);
++ if (err)
++ goto err_register_netevent_notifier;
++
+ mlxsw_sp->router->fib_nb.notifier_call = mlxsw_sp_router_fib_event;
+ err = register_fib_notifier(mlxsw_sp_net(mlxsw_sp),
+ &mlxsw_sp->router->fib_nb,
+@@ -8146,10 +8146,15 @@ int mlxsw_sp_router_init(struct mlxsw_sp *mlxsw_sp,
+ return 0;
+
+ err_register_fib_notifier:
+-err_dscp_init:
+-err_mp_hash_init:
+ unregister_netevent_notifier(&mlxsw_sp->router->netevent_nb);
+ err_register_netevent_notifier:
++ unregister_inet6addr_notifier(&router->inet6addr_nb);
++err_register_inet6addr_notifier:
++ unregister_inetaddr_notifier(&router->inetaddr_nb);
++err_register_inetaddr_notifier:
++ mlxsw_core_flush_owq();
++err_dscp_init:
++err_mp_hash_init:
+ mlxsw_sp_neigh_fini(mlxsw_sp);
+ err_neigh_init:
+ mlxsw_sp_vrs_fini(mlxsw_sp);
+@@ -8168,10 +8173,6 @@ err_ipips_init:
+ err_rifs_init:
+ __mlxsw_sp_router_fini(mlxsw_sp);
+ err_router_init:
+- unregister_inet6addr_notifier(&router->inet6addr_nb);
+-err_register_inet6addr_notifier:
+- unregister_inetaddr_notifier(&router->inetaddr_nb);
+-err_register_inetaddr_notifier:
+ mutex_destroy(&mlxsw_sp->router->lock);
+ kfree(mlxsw_sp->router);
+ return err;
+@@ -8182,6 +8183,9 @@ void mlxsw_sp_router_fini(struct mlxsw_sp *mlxsw_sp)
+ unregister_fib_notifier(mlxsw_sp_net(mlxsw_sp),
+ &mlxsw_sp->router->fib_nb);
+ unregister_netevent_notifier(&mlxsw_sp->router->netevent_nb);
++ unregister_inet6addr_notifier(&mlxsw_sp->router->inet6addr_nb);
++ unregister_inetaddr_notifier(&mlxsw_sp->router->inetaddr_nb);
++ mlxsw_core_flush_owq();
+ mlxsw_sp_neigh_fini(mlxsw_sp);
+ mlxsw_sp_vrs_fini(mlxsw_sp);
+ mlxsw_sp_mr_fini(mlxsw_sp);
+@@ -8191,8 +8195,6 @@ void mlxsw_sp_router_fini(struct mlxsw_sp *mlxsw_sp)
+ mlxsw_sp_ipips_fini(mlxsw_sp);
+ mlxsw_sp_rifs_fini(mlxsw_sp);
+ __mlxsw_sp_router_fini(mlxsw_sp);
+- unregister_inet6addr_notifier(&mlxsw_sp->router->inet6addr_nb);
+- unregister_inetaddr_notifier(&mlxsw_sp->router->inetaddr_nb);
+ mutex_destroy(&mlxsw_sp->router->lock);
+ kfree(mlxsw_sp->router);
+ }
+--
+2.25.1
+
--- /dev/null
+From 5f2fa367b5f533b37ac0516b91b03ff7aa2eb904 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 30 May 2020 23:51:27 +0200
+Subject: mt76: mt7615: fix lmac queue debugsfs entry
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit d941f47caa386931c3b598ad1b43d5ddd65869aa ]
+
+acs and wmm index are swapped in mt7615_queues_acq respect to the hw
+design
+
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7615/debugfs.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/debugfs.c b/drivers/net/wireless/mediatek/mt76/mt7615/debugfs.c
+index b4d0795154e3d..a2afd1a3c51ba 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7615/debugfs.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7615/debugfs.c
+@@ -206,10 +206,11 @@ mt7615_queues_acq(struct seq_file *s, void *data)
+ int i;
+
+ for (i = 0; i < 16; i++) {
+- int j, acs = i / 4, index = i % 4;
++ int j, wmm_idx = i % MT7615_MAX_WMM_SETS;
++ int acs = i / MT7615_MAX_WMM_SETS;
+ u32 ctrl, val, qlen = 0;
+
+- val = mt76_rr(dev, MT_PLE_AC_QEMPTY(acs, index));
++ val = mt76_rr(dev, MT_PLE_AC_QEMPTY(acs, wmm_idx));
+ ctrl = BIT(31) | BIT(15) | (acs << 8);
+
+ for (j = 0; j < 32; j++) {
+@@ -217,11 +218,11 @@ mt7615_queues_acq(struct seq_file *s, void *data)
+ continue;
+
+ mt76_wr(dev, MT_PLE_FL_Q0_CTRL,
+- ctrl | (j + (index << 5)));
++ ctrl | (j + (wmm_idx << 5)));
+ qlen += mt76_get_field(dev, MT_PLE_FL_Q3_CTRL,
+ GENMASK(11, 0));
+ }
+- seq_printf(s, "AC%d%d: queued=%d\n", acs, index, qlen);
++ seq_printf(s, "AC%d%d: queued=%d\n", wmm_idx, acs, qlen);
+ }
+
+ return 0;
+--
+2.25.1
+
--- /dev/null
+From 03be84fccd75b7e9c2cf180192d6eb8a9fc4a03c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Jul 2020 10:15:17 +0200
+Subject: net: ethernet: mtk_eth_soc: fix MTU warnings
+
+From: Landen Chao <landen.chao@mediatek.com>
+
+[ Upstream commit 555a893303872e044fb86f0a5834ce78d41ad2e2 ]
+
+in recent kernel versions there are warnings about incorrect MTU size
+like these:
+
+eth0: mtu greater than device maximum
+mtk_soc_eth 1b100000.ethernet eth0: error -22 setting MTU to include DSA overhead
+
+Fixes: bfcb813203e6 ("net: dsa: configure the MTU for switch ports")
+Fixes: 72579e14a1d3 ("net: dsa: don't fail to probe if we couldn't set the MTU")
+Fixes: 7a4c53bee332 ("net: report invalid mtu value via netlink extack")
+Signed-off-by: Landen Chao <landen.chao@mediatek.com>
+Signed-off-by: Frank Wunderlich <frank-w@public-files.de>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mediatek/mtk_eth_soc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+index 09047109d0daa..b743d8b56c848 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+@@ -2882,6 +2882,8 @@ static int mtk_add_mac(struct mtk_eth *eth, struct device_node *np)
+ eth->netdev[id]->irq = eth->irq[0];
+ eth->netdev[id]->dev.of_node = np;
+
++ eth->netdev[id]->max_mtu = MTK_MAX_RX_LENGTH - MTK_RX_ETH_HLEN;
++
+ return 0;
+
+ free_netdev:
+--
+2.25.1
+
--- /dev/null
+From 7e18bab61673c01b5fe4a064913c2ccece85c2c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Jul 2020 15:23:12 +0900
+Subject: net: ethernet: ravb: exit if re-initialization fails in tx timeout
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+[ Upstream commit 015c5d5e6aa3523c758a70eb87b291cece2dbbb4 ]
+
+According to the report of [1], this driver is possible to cause
+the following error in ravb_tx_timeout_work().
+
+ravb e6800000.ethernet ethernet: failed to switch device to config mode
+
+This error means that the hardware could not change the state
+from "Operation" to "Configuration" while some tx and/or rx queue
+are operating. After that, ravb_config() in ravb_dmac_init() will fail,
+and then any descriptors will be not allocaled anymore so that NULL
+pointer dereference happens after that on ravb_start_xmit().
+
+To fix the issue, the ravb_tx_timeout_work() should check
+the return values of ravb_stop_dma() and ravb_dmac_init().
+If ravb_stop_dma() fails, ravb_tx_timeout_work() re-enables TX and RX
+and just exits. If ravb_dmac_init() fails, just exits.
+
+[1]
+https://lore.kernel.org/linux-renesas-soc/20200518045452.2390-1-dirk.behme@de.bosch.com/
+
+Reported-by: Dirk Behme <dirk.behme@de.bosch.com>
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Reviewed-by: Sergei Shtylyov <sergei.shtylyov@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/renesas/ravb_main.c | 26 ++++++++++++++++++++++--
+ 1 file changed, 24 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
+index 067ad25553b92..ab335f7dab828 100644
+--- a/drivers/net/ethernet/renesas/ravb_main.c
++++ b/drivers/net/ethernet/renesas/ravb_main.c
+@@ -1444,6 +1444,7 @@ static void ravb_tx_timeout_work(struct work_struct *work)
+ struct ravb_private *priv = container_of(work, struct ravb_private,
+ work);
+ struct net_device *ndev = priv->ndev;
++ int error;
+
+ netif_tx_stop_all_queues(ndev);
+
+@@ -1452,15 +1453,36 @@ static void ravb_tx_timeout_work(struct work_struct *work)
+ ravb_ptp_stop(ndev);
+
+ /* Wait for DMA stopping */
+- ravb_stop_dma(ndev);
++ if (ravb_stop_dma(ndev)) {
++ /* If ravb_stop_dma() fails, the hardware is still operating
++ * for TX and/or RX. So, this should not call the following
++ * functions because ravb_dmac_init() is possible to fail too.
++ * Also, this should not retry ravb_stop_dma() again and again
++ * here because it's possible to wait forever. So, this just
++ * re-enables the TX and RX and skip the following
++ * re-initialization procedure.
++ */
++ ravb_rcv_snd_enable(ndev);
++ goto out;
++ }
+
+ ravb_ring_free(ndev, RAVB_BE);
+ ravb_ring_free(ndev, RAVB_NC);
+
+ /* Device init */
+- ravb_dmac_init(ndev);
++ error = ravb_dmac_init(ndev);
++ if (error) {
++ /* If ravb_dmac_init() fails, descriptors are freed. So, this
++ * should return here to avoid re-enabling the TX and RX in
++ * ravb_emac_init().
++ */
++ netdev_err(ndev, "%s: ravb_dmac_init() failed, error %d\n",
++ __func__, error);
++ return;
++ }
+ ravb_emac_init(ndev);
+
++out:
+ /* Initialise PTP Clock driver */
+ if (priv->chip_id == RCAR_GEN2)
+ ravb_ptp_init(ndev, priv->pdev);
+--
+2.25.1
+
--- /dev/null
+From a9286cda6523c2a0f7a5a6ed2615bafa557a14c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Jul 2020 15:30:00 +0800
+Subject: net: gemini: Fix missing clk_disable_unprepare() in error path of
+ gemini_ethernet_port_probe()
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit 85496a29224188051b6135eb38da8afd4c584765 ]
+
+Fix the missing clk_disable_unprepare() before return
+from gemini_ethernet_port_probe() in the error handling case.
+
+Fixes: 4d5ae32f5e1e ("net: ethernet: Add a driver for Gemini gigabit ethernet")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cortina/gemini.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/cortina/gemini.c b/drivers/net/ethernet/cortina/gemini.c
+index 5bff5c2be88b9..5359fb40578db 100644
+--- a/drivers/net/ethernet/cortina/gemini.c
++++ b/drivers/net/ethernet/cortina/gemini.c
+@@ -2445,6 +2445,7 @@ static int gemini_ethernet_port_probe(struct platform_device *pdev)
+ port->reset = devm_reset_control_get_exclusive(dev, NULL);
+ if (IS_ERR(port->reset)) {
+ dev_err(dev, "no reset\n");
++ clk_disable_unprepare(port->pclk);
+ return PTR_ERR(port->reset);
+ }
+ reset_control_reset(port->reset);
+@@ -2500,8 +2501,10 @@ static int gemini_ethernet_port_probe(struct platform_device *pdev)
+ IRQF_SHARED,
+ port_names[port->id],
+ port);
+- if (ret)
++ if (ret) {
++ clk_disable_unprepare(port->pclk);
+ return ret;
++ }
+
+ ret = register_netdev(netdev);
+ if (!ret) {
+--
+2.25.1
+
--- /dev/null
+From 93b3d398ae41cf35b34deb84f373718a8becfb20 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Jul 2020 10:16:50 +0800
+Subject: net: hns3: add reset check for VF updating port based VLAN
+
+From: Jian Shen <shenjian15@huawei.com>
+
+[ Upstream commit a6f7bfdc78ddd8d719d108fef973b4e4a5a6ac6b ]
+
+Currently hclgevf_update_port_base_vlan_info() may be called when
+VF is resetting, which may cause hns3_nic_net_open() being called
+twice unexpectedly.
+
+So fix it by adding a reset check for it, and extend critical
+region for rntl_lock in hclgevf_update_port_base_vlan_info().
+
+Fixes: 92f11ea177cd ("net: hns3: fix set port based VLAN issue for VF")
+Signed-off-by: Jian Shen <shenjian15@huawei.com>
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../hisilicon/hns3/hns3vf/hclgevf_main.c | 30 +++++++++++++------
+ 1 file changed, 21 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+index e6cdd06925e6b..1bdff64bb70f9 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+@@ -3142,23 +3142,35 @@ void hclgevf_update_port_base_vlan_info(struct hclgevf_dev *hdev, u16 state,
+ {
+ struct hnae3_handle *nic = &hdev->nic;
+ struct hclge_vf_to_pf_msg send_msg;
++ int ret;
+
+ rtnl_lock();
+- hclgevf_notify_client(hdev, HNAE3_DOWN_CLIENT);
+- rtnl_unlock();
++
++ if (test_bit(HCLGEVF_STATE_RST_HANDLING, &hdev->state)) {
++ dev_warn(&hdev->pdev->dev,
++ "is resetting when updating port based vlan info\n");
++ rtnl_unlock();
++ return;
++ }
++
++ ret = hclgevf_notify_client(hdev, HNAE3_DOWN_CLIENT);
++ if (ret) {
++ rtnl_unlock();
++ return;
++ }
+
+ /* send msg to PF and wait update port based vlan info */
+ hclgevf_build_send_msg(&send_msg, HCLGE_MBX_SET_VLAN,
+ HCLGE_MBX_PORT_BASE_VLAN_CFG);
+ memcpy(send_msg.data, port_base_vlan_info, data_size);
+- hclgevf_send_mbx_msg(hdev, &send_msg, false, NULL, 0);
+-
+- if (state == HNAE3_PORT_BASE_VLAN_DISABLE)
+- nic->port_base_vlan_state = HNAE3_PORT_BASE_VLAN_DISABLE;
+- else
+- nic->port_base_vlan_state = HNAE3_PORT_BASE_VLAN_ENABLE;
++ ret = hclgevf_send_mbx_msg(hdev, &send_msg, false, NULL, 0);
++ if (!ret) {
++ if (state == HNAE3_PORT_BASE_VLAN_DISABLE)
++ nic->port_base_vlan_state = state;
++ else
++ nic->port_base_vlan_state = HNAE3_PORT_BASE_VLAN_ENABLE;
++ }
+
+- rtnl_lock();
+ hclgevf_notify_client(hdev, HNAE3_UP_CLIENT);
+ rtnl_unlock();
+ }
+--
+2.25.1
+
--- /dev/null
+From 4be0bfdbd5363dcfdbd4d2464abc3b1b66d9cf51 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Jul 2020 10:16:49 +0800
+Subject: net: hns3: fix a TX timeout issue
+
+From: Yonglong Liu <liuyonglong@huawei.com>
+
+[ Upstream commit a7e90ee5965fafc53d36e8b3205f08c88d7bc11f ]
+
+When the queue depth and queue parameters are modified, there is
+a low probability that TX timeout occurs. The two operations cause
+the link to be down or up when the watchdog is still working. All
+queues are stopped when the link is down. After the carrier is on,
+all queues are woken up. If the watchdog detects the link between
+the carrier on and wakeup queues, a false TX timeout occurs.
+
+So fix this issue by modifying the sequence of carrier on and queue
+wakeup, which is symmetrical to the link down action.
+
+Fixes: 76ad4f0ee747 ("net: hns3: Add support of HNS3 Ethernet Driver for hip08 SoC")
+Signed-off-by: Yonglong Liu <liuyonglong@huawei.com>
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+index 0b12425fa2845..6e186aea7a2f2 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+@@ -4170,8 +4170,8 @@ static void hns3_link_status_change(struct hnae3_handle *handle, bool linkup)
+ return;
+
+ if (linkup) {
+- netif_carrier_on(netdev);
+ netif_tx_wake_all_queues(netdev);
++ netif_carrier_on(netdev);
+ if (netif_msg_link(handle))
+ netdev_info(netdev, "link up\n");
+ } else {
+--
+2.25.1
+
--- /dev/null
+From 638d5e8e4133803ebd46ce80c94ff083a1acee32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Jul 2020 10:16:51 +0800
+Subject: net: hns3: fix aRFS FD rules leftover after add a user FD rule
+
+From: Guojia Liao <liaoguojia@huawei.com>
+
+[ Upstream commit efe3fa45f770f1d66e2734ee7a3523c75694ff04 ]
+
+When user had created a FD rule, all the aRFS rules should be clear up.
+HNS3 process flow as below:
+1.get spin lock of fd_ruls_list
+2.clear up all aRFS rules
+3.release lock
+4.get spin lock of fd_ruls_list
+5.creat a rules
+6.release lock;
+
+There is a short period of time between step 3 and step 4, which would
+creatting some new aRFS FD rules if driver was receiving packet.
+So refactor the fd_rule_lock to fix it.
+
+Fixes: 441228875706 ("net: hns3: refine the flow director handle")
+Signed-off-by: Guojia Liao <liaoguojia@huawei.com>
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../hisilicon/hns3/hns3pf/hclge_main.c | 28 ++++++++++---------
+ 1 file changed, 15 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+index b66b93f320b42..ae4c415b97e45 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -5737,9 +5737,9 @@ static int hclge_add_fd_entry(struct hnae3_handle *handle,
+ /* to avoid rule conflict, when user configure rule by ethtool,
+ * we need to clear all arfs rules
+ */
++ spin_lock_bh(&hdev->fd_rule_lock);
+ hclge_clear_arfs_rules(handle);
+
+- spin_lock_bh(&hdev->fd_rule_lock);
+ ret = hclge_fd_config_rule(hdev, rule);
+
+ spin_unlock_bh(&hdev->fd_rule_lock);
+@@ -5782,6 +5782,7 @@ static int hclge_del_fd_entry(struct hnae3_handle *handle,
+ return ret;
+ }
+
++/* make sure being called after lock up with fd_rule_lock */
+ static void hclge_del_all_fd_entries(struct hnae3_handle *handle,
+ bool clear_list)
+ {
+@@ -5794,7 +5795,6 @@ static void hclge_del_all_fd_entries(struct hnae3_handle *handle,
+ if (!hnae3_dev_fd_supported(hdev))
+ return;
+
+- spin_lock_bh(&hdev->fd_rule_lock);
+ for_each_set_bit(location, hdev->fd_bmap,
+ hdev->fd_cfg.rule_num[HCLGE_FD_STAGE_1])
+ hclge_fd_tcam_config(hdev, HCLGE_FD_STAGE_1, true, location,
+@@ -5811,8 +5811,6 @@ static void hclge_del_all_fd_entries(struct hnae3_handle *handle,
+ bitmap_zero(hdev->fd_bmap,
+ hdev->fd_cfg.rule_num[HCLGE_FD_STAGE_1]);
+ }
+-
+- spin_unlock_bh(&hdev->fd_rule_lock);
+ }
+
+ static int hclge_restore_fd_entries(struct hnae3_handle *handle)
+@@ -6179,7 +6177,7 @@ static int hclge_add_fd_entry_by_arfs(struct hnae3_handle *handle, u16 queue_id,
+ u16 flow_id, struct flow_keys *fkeys)
+ {
+ struct hclge_vport *vport = hclge_get_vport(handle);
+- struct hclge_fd_rule_tuples new_tuples;
++ struct hclge_fd_rule_tuples new_tuples = {};
+ struct hclge_dev *hdev = vport->back;
+ struct hclge_fd_rule *rule;
+ u16 tmp_queue_id;
+@@ -6189,20 +6187,18 @@ static int hclge_add_fd_entry_by_arfs(struct hnae3_handle *handle, u16 queue_id,
+ if (!hnae3_dev_fd_supported(hdev))
+ return -EOPNOTSUPP;
+
+- memset(&new_tuples, 0, sizeof(new_tuples));
+- hclge_fd_get_flow_tuples(fkeys, &new_tuples);
+-
+- spin_lock_bh(&hdev->fd_rule_lock);
+-
+ /* when there is already fd rule existed add by user,
+ * arfs should not work
+ */
++ spin_lock_bh(&hdev->fd_rule_lock);
+ if (hdev->fd_active_type == HCLGE_FD_EP_ACTIVE) {
+ spin_unlock_bh(&hdev->fd_rule_lock);
+
+ return -EOPNOTSUPP;
+ }
+
++ hclge_fd_get_flow_tuples(fkeys, &new_tuples);
++
+ /* check is there flow director filter existed for this flow,
+ * if not, create a new filter for it;
+ * if filter exist with different queue id, modify the filter;
+@@ -6287,6 +6283,7 @@ static void hclge_rfs_filter_expire(struct hclge_dev *hdev)
+ #endif
+ }
+
++/* make sure being called after lock up with fd_rule_lock */
+ static void hclge_clear_arfs_rules(struct hnae3_handle *handle)
+ {
+ #ifdef CONFIG_RFS_ACCEL
+@@ -6331,10 +6328,14 @@ static void hclge_enable_fd(struct hnae3_handle *handle, bool enable)
+
+ hdev->fd_en = enable;
+ clear = hdev->fd_active_type == HCLGE_FD_ARFS_ACTIVE;
+- if (!enable)
++
++ if (!enable) {
++ spin_lock_bh(&hdev->fd_rule_lock);
+ hclge_del_all_fd_entries(handle, clear);
+- else
++ spin_unlock_bh(&hdev->fd_rule_lock);
++ } else {
+ hclge_restore_fd_entries(handle);
++ }
+ }
+
+ static void hclge_cfg_mac_mode(struct hclge_dev *hdev, bool enable)
+@@ -6799,8 +6800,9 @@ static void hclge_ae_stop(struct hnae3_handle *handle)
+ int i;
+
+ set_bit(HCLGE_STATE_DOWN, &hdev->state);
+-
++ spin_lock_bh(&hdev->fd_rule_lock);
+ hclge_clear_arfs_rules(handle);
++ spin_unlock_bh(&hdev->fd_rule_lock);
+
+ /* If it is not PF reset, the firmware will disable the MAC,
+ * so it only need to stop phy here.
+--
+2.25.1
+
--- /dev/null
+From 8b98ceb4a80741c2ea77b22372163fbefc2c4e65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Jul 2020 10:16:48 +0800
+Subject: net: hns3: fix desc filling bug when skb is expanded or lineared
+
+From: Yunsheng Lin <linyunsheng@huawei.com>
+
+[ Upstream commit cfdaeba5ddc98b303639a3265c2031ac5db249d6 ]
+
+The linear and frag data part may be changed when the skb is expanded
+or lineared in skb_cow_head() or skb_checksum_help(), which is called
+by hns3_fill_skb_desc(), so the linear len return by skb_headlen()
+before the calling of hns3_fill_skb_desc() is unreliable.
+
+Move hns3_fill_skb_desc() before the calling of skb_headlen() to fix
+this bug.
+
+Fixes: 76ad4f0ee747 ("net: hns3: Add support of HNS3 Ethernet Driver for hip08 SoC")
+Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 16 ++++++----------
+ 1 file changed, 6 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+index df1cb0441183c..0b12425fa2845 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+@@ -1098,16 +1098,8 @@ static int hns3_fill_desc(struct hns3_enet_ring *ring, void *priv,
+ int k, sizeoflast;
+ dma_addr_t dma;
+
+- if (type == DESC_TYPE_SKB) {
+- struct sk_buff *skb = (struct sk_buff *)priv;
+- int ret;
+-
+- ret = hns3_fill_skb_desc(ring, skb, desc);
+- if (unlikely(ret < 0))
+- return ret;
+-
+- dma = dma_map_single(dev, skb->data, size, DMA_TO_DEVICE);
+- } else if (type == DESC_TYPE_FRAGLIST_SKB) {
++ if (type == DESC_TYPE_FRAGLIST_SKB ||
++ type == DESC_TYPE_SKB) {
+ struct sk_buff *skb = (struct sk_buff *)priv;
+
+ dma = dma_map_single(dev, skb->data, size, DMA_TO_DEVICE);
+@@ -1452,6 +1444,10 @@ netdev_tx_t hns3_nic_net_xmit(struct sk_buff *skb, struct net_device *netdev)
+
+ next_to_use_head = ring->next_to_use;
+
++ ret = hns3_fill_skb_desc(ring, skb, &ring->desc[ring->next_to_use]);
++ if (unlikely(ret < 0))
++ goto fill_err;
++
+ ret = hns3_fill_skb_to_desc(ring, skb, DESC_TYPE_SKB);
+ if (unlikely(ret < 0))
+ goto fill_err;
+--
+2.25.1
+
--- /dev/null
+From e30ae200d2ca264b9c28a8e9f7ef8235f7b21909 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Jul 2020 10:16:52 +0800
+Subject: net: hns3: fix for VLAN config when reset failed
+
+From: Guojia Liao <liaoguojia@huawei.com>
+
+[ Upstream commit b7b5d25bdd7bdea7d72a41e0a97b1b8f3dea2ee7 ]
+
+When device is resetting or reset failed, firmware is unable to
+handle mailbox. VLAN should not be configured in this case.
+
+Fixes: fe4144d47eef ("net: hns3: sync VLAN filter entries when kill VLAN ID failed")
+Signed-off-by: Guojia Liao <liaoguojia@huawei.com>
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 7 ++++---
+ .../net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 10 ++++++----
+ 2 files changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+index ae4c415b97e45..dfe247ad84751 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -8534,11 +8534,12 @@ int hclge_set_vlan_filter(struct hnae3_handle *handle, __be16 proto,
+ bool writen_to_tbl = false;
+ int ret = 0;
+
+- /* When device is resetting, firmware is unable to handle
+- * mailbox. Just record the vlan id, and remove it after
++ /* When device is resetting or reset failed, firmware is unable to
++ * handle mailbox. Just record the vlan id, and remove it after
+ * reset finished.
+ */
+- if (test_bit(HCLGE_STATE_RST_HANDLING, &hdev->state) && is_kill) {
++ if ((test_bit(HCLGE_STATE_RST_HANDLING, &hdev->state) ||
++ test_bit(HCLGE_STATE_RST_FAIL, &hdev->state)) && is_kill) {
+ set_bit(vlan_id, vport->vlan_del_fail_bmap);
+ return -EBUSY;
+ }
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+index 1bdff64bb70f9..0060fa643d0e3 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+@@ -1322,11 +1322,12 @@ static int hclgevf_set_vlan_filter(struct hnae3_handle *handle,
+ if (proto != htons(ETH_P_8021Q))
+ return -EPROTONOSUPPORT;
+
+- /* When device is resetting, firmware is unable to handle
+- * mailbox. Just record the vlan id, and remove it after
++ /* When device is resetting or reset failed, firmware is unable to
++ * handle mailbox. Just record the vlan id, and remove it after
+ * reset finished.
+ */
+- if (test_bit(HCLGEVF_STATE_RST_HANDLING, &hdev->state) && is_kill) {
++ if ((test_bit(HCLGEVF_STATE_RST_HANDLING, &hdev->state) ||
++ test_bit(HCLGEVF_STATE_RST_FAIL, &hdev->state)) && is_kill) {
+ set_bit(vlan_id, hdev->vlan_del_fail_bmap);
+ return -EBUSY;
+ }
+@@ -3146,7 +3147,8 @@ void hclgevf_update_port_base_vlan_info(struct hclgevf_dev *hdev, u16 state,
+
+ rtnl_lock();
+
+- if (test_bit(HCLGEVF_STATE_RST_HANDLING, &hdev->state)) {
++ if (test_bit(HCLGEVF_STATE_RST_HANDLING, &hdev->state) ||
++ test_bit(HCLGEVF_STATE_RST_FAIL, &hdev->state)) {
+ dev_warn(&hdev->pdev->dev,
+ "is resetting when updating port based vlan info\n");
+ rtnl_unlock();
+--
+2.25.1
+
--- /dev/null
+From 148718c500d51e0e4d0f9dd6c35d4b5379e6be31 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Jul 2020 14:10:29 +0200
+Subject: net: lan78xx: add missing endpoint sanity check
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit 8d8e95fd6d69d774013f51e5f2ee10c6e6d1fc14 ]
+
+Add the missing endpoint sanity check to prevent a NULL-pointer
+dereference should a malicious device lack the expected endpoints.
+
+Note that the driver has a broken endpoint-lookup helper,
+lan78xx_get_endpoints(), which can end up accepting interfaces in an
+altsetting without endpoints as long as *some* altsetting has a bulk-in
+and a bulk-out endpoint.
+
+Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
+Cc: Woojung.Huh@microchip.com <Woojung.Huh@microchip.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/lan78xx.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c
+index eccbf4cd71496..d7162690e3f3d 100644
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -3759,6 +3759,11 @@ static int lan78xx_probe(struct usb_interface *intf,
+ netdev->max_mtu = MAX_SINGLE_PACKET_SIZE;
+ netif_set_gso_max_size(netdev, MAX_SINGLE_PACKET_SIZE - MAX_HEADER);
+
++ if (intf->cur_altsetting->desc.bNumEndpoints < 3) {
++ ret = -ENODEV;
++ goto out3;
++ }
++
+ dev->ep_blkin = (intf->cur_altsetting)->endpoint + 0;
+ dev->ep_blkout = (intf->cur_altsetting)->endpoint + 1;
+ dev->ep_intr = (intf->cur_altsetting)->endpoint + 2;
+--
+2.25.1
+
--- /dev/null
+From 028b785f61b952961059da056d6949150e362113 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Jul 2020 14:10:30 +0200
+Subject: net: lan78xx: fix transfer-buffer memory leak
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit 63634aa679ba8b5e306ad0727120309ae6ba8a8e ]
+
+The interrupt URB transfer-buffer was never freed on disconnect or after
+probe errors.
+
+Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
+Cc: Woojung.Huh@microchip.com <Woojung.Huh@microchip.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/lan78xx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c
+index d7162690e3f3d..ee062b27cfa7b 100644
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -3788,6 +3788,7 @@ static int lan78xx_probe(struct usb_interface *intf,
+ usb_fill_int_urb(dev->urb_intr, dev->udev,
+ dev->pipe_intr, buf, maxp,
+ intr_complete, dev, period);
++ dev->urb_intr->transfer_flags |= URB_FREE_BUFFER;
+ }
+ }
+
+--
+2.25.1
+
--- /dev/null
+From b345dd928809923b0e4d9c07715c1eefc6bb6ff6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 Jun 2020 13:11:56 +0300
+Subject: net/mlx5: E-switch, Destroy TSAR after reload interface
+
+From: Parav Pandit <parav@mellanox.com>
+
+[ Upstream commit 0c2600c619578f759cf3d5192b01bd14e281f24c ]
+
+When eswitch offloads is enabled, TSAR is created before reloading
+the interfaces.
+However when eswitch offloads mode is disabled, TSAR is disabled before
+reloading the interfaces.
+
+To keep the eswitch enable/disable sequence as mirror, destroy TSAR
+after reloading the interfaces.
+
+Fixes: 1bd27b11c1df ("net/mlx5: Introduce E-switch QoS management")
+Signed-off-by: Parav Pandit <parav@mellanox.com>
+Reviewed-by: Roi Dayan <roid@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+index 459cd668b9e2f..3bb4f72b76da2 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+@@ -2206,8 +2206,6 @@ void mlx5_eswitch_disable_locked(struct mlx5_eswitch *esw, bool clear_vf)
+ else if (esw->mode == MLX5_ESWITCH_OFFLOADS)
+ esw_offloads_disable(esw);
+
+- esw_destroy_tsar(esw);
+-
+ old_mode = esw->mode;
+ esw->mode = MLX5_ESWITCH_NONE;
+
+@@ -2217,6 +2215,8 @@ void mlx5_eswitch_disable_locked(struct mlx5_eswitch *esw, bool clear_vf)
+ mlx5_reload_interface(esw->dev, MLX5_INTERFACE_PROTOCOL_IB);
+ mlx5_reload_interface(esw->dev, MLX5_INTERFACE_PROTOCOL_ETH);
+ }
++ esw_destroy_tsar(esw);
++
+ if (clear_vf)
+ mlx5_eswitch_clear_vf_vports_info(esw);
+ }
+--
+2.25.1
+
--- /dev/null
+From 058ce749046eea92e203177d29684196396ddbbf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 Jun 2020 13:29:28 +0300
+Subject: net/mlx5: E-switch, Destroy TSAR when fail to enable the mode
+
+From: Parav Pandit <parav@mellanox.com>
+
+[ Upstream commit 2b8e9c7c3fd0e31091edb1c66cc06ffe4988ca21 ]
+
+When either esw_legacy_enable() or esw_offloads_enable() fails,
+code missed to destroy the created TSAR.
+
+Hence, add the missing call to destroy the TSAR.
+
+Fixes: 610090ebce92 ("net/mlx5: E-switch, Initialize TSAR Qos hardware block before its user vports")
+Signed-off-by: Parav Pandit <parav@mellanox.com>
+Reviewed-by: Roi Dayan <roid@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+index 7f618a443bfd8..459cd668b9e2f 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+@@ -2161,7 +2161,7 @@ abort:
+ mlx5_reload_interface(esw->dev, MLX5_INTERFACE_PROTOCOL_IB);
+ mlx5_reload_interface(esw->dev, MLX5_INTERFACE_PROTOCOL_ETH);
+ }
+-
++ esw_destroy_tsar(esw);
+ return err;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 027d5912a90ae341c52ac74783ecd33ccdd5525a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Jul 2020 18:53:19 +0300
+Subject: net/mlx5: Fix a bug of using ptp channel index as pin index
+
+From: Eran Ben Elisha <eranbe@mellanox.com>
+
+[ Upstream commit 88c8cf92db48b2e359fe3051ad8e09829c1bee5d ]
+
+On PTP mlx5_ptp_enable(on=0) flow, driver mistakenly used channel index
+as pin index.
+
+After ptp patch marked in fixes tag was introduced, driver can freely
+call ptp_find_pin() as part of the .enable() callback.
+
+Fix driver mlx5_ptp_enable(on=0) flow to always use ptp_find_pin(). With
+that, Driver will use the correct pin index in mlx5_ptp_enable(on=0) flow.
+
+In addition, when initializing the pins, always set channel to zero. As
+all pins can be attached to all channels, let ptp_set_pinfunc() to move
+them between the channels.
+
+For stable branches, this fix to be applied only on kernels that includes
+both patches in fixes tag. Otherwise, mlx5_ptp_enable(on=0) will be stuck
+on pincfg_mux.
+
+Fixes: 62582a7ee783 ("ptp: Avoid deadlocks in the programmable pin code.")
+Fixes: ee7f12205abc ("net/mlx5e: Implement 1PPS support")
+Signed-off-by: Eran Ben Elisha <eranbe@mellanox.com>
+Reviewed-by: Ariel Levkovich <lariel@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ethernet/mellanox/mlx5/core/lib/clock.c | 21 +++++++++----------
+ 1 file changed, 10 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c
+index 43f97601b5000..b88c6456d2154 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c
+@@ -252,17 +252,17 @@ static int mlx5_extts_configure(struct ptp_clock_info *ptp,
+ if (rq->extts.index >= clock->ptp_info.n_pins)
+ return -EINVAL;
+
++ pin = ptp_find_pin(clock->ptp, PTP_PF_EXTTS, rq->extts.index);
++ if (pin < 0)
++ return -EBUSY;
++
+ if (on) {
+- pin = ptp_find_pin(clock->ptp, PTP_PF_EXTTS, rq->extts.index);
+- if (pin < 0)
+- return -EBUSY;
+ pin_mode = MLX5_PIN_MODE_IN;
+ pattern = !!(rq->extts.flags & PTP_FALLING_EDGE);
+ field_select = MLX5_MTPPS_FS_PIN_MODE |
+ MLX5_MTPPS_FS_PATTERN |
+ MLX5_MTPPS_FS_ENABLE;
+ } else {
+- pin = rq->extts.index;
+ field_select = MLX5_MTPPS_FS_ENABLE;
+ }
+
+@@ -310,12 +310,12 @@ static int mlx5_perout_configure(struct ptp_clock_info *ptp,
+ if (rq->perout.index >= clock->ptp_info.n_pins)
+ return -EINVAL;
+
+- if (on) {
+- pin = ptp_find_pin(clock->ptp, PTP_PF_PEROUT,
+- rq->perout.index);
+- if (pin < 0)
+- return -EBUSY;
++ pin = ptp_find_pin(clock->ptp, PTP_PF_PEROUT,
++ rq->perout.index);
++ if (pin < 0)
++ return -EBUSY;
+
++ if (on) {
+ pin_mode = MLX5_PIN_MODE_OUT;
+ pattern = MLX5_OUT_PATTERN_PERIODIC;
+ ts.tv_sec = rq->perout.period.sec;
+@@ -341,7 +341,6 @@ static int mlx5_perout_configure(struct ptp_clock_info *ptp,
+ MLX5_MTPPS_FS_ENABLE |
+ MLX5_MTPPS_FS_TIME_STAMP;
+ } else {
+- pin = rq->perout.index;
+ field_select = MLX5_MTPPS_FS_ENABLE;
+ }
+
+@@ -431,7 +430,7 @@ static int mlx5_init_pin_config(struct mlx5_clock *clock)
+ "mlx5_pps%d", i);
+ clock->ptp_info.pin_config[i].index = i;
+ clock->ptp_info.pin_config[i].func = PTP_PF_NONE;
+- clock->ptp_info.pin_config[i].chan = i;
++ clock->ptp_info.pin_config[i].chan = 0;
+ }
+
+ return 0;
+--
+2.25.1
+
--- /dev/null
+From 76db57c961e031e19d8bcd9a6b7f0425732ea02a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Jul 2020 18:34:37 +0300
+Subject: net/mlx5: Query PPS pin operational status before registering it
+
+From: Eran Ben Elisha <eranbe@mellanox.com>
+
+[ Upstream commit ed56d749c366be269d58b29597392e4a0ae71c0a ]
+
+In a special configuration, a ConnectX6-Dx pin pps-out might be activated
+when driver is loaded. Fix the driver to always read the operational pin
+mode when registering it, and advertise it accordingly.
+
+Fixes: ee7f12205abc ("net/mlx5e: Implement 1PPS support")
+Signed-off-by: Eran Ben Elisha <eranbe@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ethernet/mellanox/mlx5/core/lib/clock.c | 34 ++++++++++++++++++-
+ 1 file changed, 33 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c
+index 0267552b8a61b..1d9a5117f90b2 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c
+@@ -431,6 +431,38 @@ static const struct ptp_clock_info mlx5_ptp_clock_info = {
+ .verify = NULL,
+ };
+
++static int mlx5_query_mtpps_pin_mode(struct mlx5_core_dev *mdev, u8 pin,
++ u32 *mtpps, u32 mtpps_size)
++{
++ u32 in[MLX5_ST_SZ_DW(mtpps_reg)] = {};
++
++ MLX5_SET(mtpps_reg, in, pin, pin);
++
++ return mlx5_core_access_reg(mdev, in, sizeof(in), mtpps,
++ mtpps_size, MLX5_REG_MTPPS, 0, 0);
++}
++
++static int mlx5_get_pps_pin_mode(struct mlx5_clock *clock, u8 pin)
++{
++ struct mlx5_core_dev *mdev = clock->mdev;
++ u32 out[MLX5_ST_SZ_DW(mtpps_reg)] = {};
++ u8 mode;
++ int err;
++
++ err = mlx5_query_mtpps_pin_mode(mdev, pin, out, sizeof(out));
++ if (err || !MLX5_GET(mtpps_reg, out, enable))
++ return PTP_PF_NONE;
++
++ mode = MLX5_GET(mtpps_reg, out, pin_mode);
++
++ if (mode == MLX5_PIN_MODE_IN)
++ return PTP_PF_EXTTS;
++ else if (mode == MLX5_PIN_MODE_OUT)
++ return PTP_PF_PEROUT;
++
++ return PTP_PF_NONE;
++}
++
+ static int mlx5_init_pin_config(struct mlx5_clock *clock)
+ {
+ int i;
+@@ -450,7 +482,7 @@ static int mlx5_init_pin_config(struct mlx5_clock *clock)
+ sizeof(clock->ptp_info.pin_config[i].name),
+ "mlx5_pps%d", i);
+ clock->ptp_info.pin_config[i].index = i;
+- clock->ptp_info.pin_config[i].func = PTP_PF_NONE;
++ clock->ptp_info.pin_config[i].func = mlx5_get_pps_pin_mode(clock, i);
+ clock->ptp_info.pin_config[i].chan = 0;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 36f6839f7eea007a7e1ac515912bcea39e052068 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Jul 2020 11:10:01 +0300
+Subject: net/mlx5: Verify Hardware supports requested ptp function on a given
+ pin
+
+From: Eran Ben Elisha <eranbe@mellanox.com>
+
+[ Upstream commit 071995c877a8646209d55ff8edddd2b054e7424c ]
+
+Fix a bug where driver did not verify Hardware pin capabilities for
+PTP functions.
+
+Fixes: ee7f12205abc ("net/mlx5e: Implement 1PPS support")
+Signed-off-by: Eran Ben Elisha <eranbe@mellanox.com>
+Reviewed-by: Ariel Levkovich <lariel@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ethernet/mellanox/mlx5/core/lib/clock.c | 23 ++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c
+index b88c6456d2154..0267552b8a61b 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c
+@@ -387,10 +387,31 @@ static int mlx5_ptp_enable(struct ptp_clock_info *ptp,
+ return 0;
+ }
+
++enum {
++ MLX5_MTPPS_REG_CAP_PIN_X_MODE_SUPPORT_PPS_IN = BIT(0),
++ MLX5_MTPPS_REG_CAP_PIN_X_MODE_SUPPORT_PPS_OUT = BIT(1),
++};
++
+ static int mlx5_ptp_verify(struct ptp_clock_info *ptp, unsigned int pin,
+ enum ptp_pin_function func, unsigned int chan)
+ {
+- return (func == PTP_PF_PHYSYNC) ? -EOPNOTSUPP : 0;
++ struct mlx5_clock *clock = container_of(ptp, struct mlx5_clock,
++ ptp_info);
++
++ switch (func) {
++ case PTP_PF_NONE:
++ return 0;
++ case PTP_PF_EXTTS:
++ return !(clock->pps_info.pin_caps[pin] &
++ MLX5_MTPPS_REG_CAP_PIN_X_MODE_SUPPORT_PPS_IN);
++ case PTP_PF_PEROUT:
++ return !(clock->pps_info.pin_caps[pin] &
++ MLX5_MTPPS_REG_CAP_PIN_X_MODE_SUPPORT_PPS_OUT);
++ default:
++ return -EOPNOTSUPP;
++ }
++
++ return -EOPNOTSUPP;
+ }
+
+ static const struct ptp_clock_info mlx5_ptp_clock_info = {
+--
+2.25.1
+
--- /dev/null
+From a38e8cead79f0fa47dd8a02daa9c5d4c2af74bd5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Jul 2020 01:06:37 +0000
+Subject: net/mlx5e: E-Switch, Add misc bit when misc fields changed for
+ mirroring
+
+From: Jianbo Liu <jianbol@mellanox.com>
+
+[ Upstream commit 0faddfe6b7953e224a1283f89f671ef6a9ba73de ]
+
+The modified flow_context fields in FTE must be indicated in
+modify_enable bitmask. Previously, the misc bit in modify_enable is
+always set as source vport must be set for each rule. So, when parsing
+vxlan/gre/geneve/qinq rules, this bit is not set because those are all
+from the same misc fileds that source vport fields are located at, and
+we don't need to set the indicator twice.
+
+After adding per vport tables for mirroring, misc bit is not set, then
+firmware syndrome happens. To fix it, set the bit wherever misc fileds
+are changed. This also makes it unnecessary to check misc fields and set
+the misc bit accordingly in metadata matching, so here remove it.
+
+Besides, flow_source must be specified for uplink because firmware
+will check it and some actions are only allowed for packets received
+from uplink.
+
+Fixes: 96e326878fa5 ("net/mlx5e: Eswitch, Use per vport tables for mirroring")
+Signed-off-by: Jianbo Liu <jianbol@mellanox.com>
+Reviewed-by: Chris Mi <chrism@mellanox.com>
+Reviewed-by: Roi Dayan <roid@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_geneve.c | 2 ++
+ drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_gre.c | 2 ++
+ drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_vxlan.c | 2 ++
+ drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 1 +
+ drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c | 6 +++---
+ 5 files changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_geneve.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_geneve.c
+index 951ea26d96bc3..e472ed0eacfbc 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_geneve.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_geneve.c
+@@ -301,6 +301,8 @@ static int mlx5e_tc_tun_parse_geneve_params(struct mlx5e_priv *priv,
+ MLX5_SET(fte_match_set_misc, misc_v, geneve_protocol_type, ETH_P_TEB);
+ }
+
++ spec->match_criteria_enable |= MLX5_MATCH_MISC_PARAMETERS;
++
+ return 0;
+ }
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_gre.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_gre.c
+index 58b13192df239..2805416c32a3c 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_gre.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_gre.c
+@@ -80,6 +80,8 @@ static int mlx5e_tc_tun_parse_gretap(struct mlx5e_priv *priv,
+ gre_key.key, be32_to_cpu(enc_keyid.key->keyid));
+ }
+
++ spec->match_criteria_enable |= MLX5_MATCH_MISC_PARAMETERS;
++
+ return 0;
+ }
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_vxlan.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_vxlan.c
+index 37b176801bccb..038a0f1cecec6 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_vxlan.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_vxlan.c
+@@ -136,6 +136,8 @@ static int mlx5e_tc_tun_parse_vxlan(struct mlx5e_priv *priv,
+ MLX5_SET(fte_match_set_misc, misc_v, vxlan_vni,
+ be32_to_cpu(enc_keyid.key->keyid));
+
++ spec->match_criteria_enable |= MLX5_MATCH_MISC_PARAMETERS;
++
+ return 0;
+ }
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+index 10f705761666b..c0f54d2d49258 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+@@ -2256,6 +2256,7 @@ static int __parse_cls_flower(struct mlx5e_priv *priv,
+ match.key->vlan_priority);
+
+ *match_level = MLX5_MATCH_L2;
++ spec->match_criteria_enable |= MLX5_MATCH_MISC_PARAMETERS;
+ }
+ }
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+index 5d9def18ae3a7..cfc52521d7753 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+@@ -264,9 +264,6 @@ mlx5_eswitch_set_rule_source_port(struct mlx5_eswitch *esw,
+ mlx5_eswitch_get_vport_metadata_mask());
+
+ spec->match_criteria_enable |= MLX5_MATCH_MISC_PARAMETERS_2;
+- misc = MLX5_ADDR_OF(fte_match_param, spec->match_criteria, misc_parameters);
+- if (memchr_inv(misc, 0, MLX5_ST_SZ_BYTES(fte_match_set_misc)))
+- spec->match_criteria_enable |= MLX5_MATCH_MISC_PARAMETERS;
+ } else {
+ misc = MLX5_ADDR_OF(fte_match_param, spec->match_value, misc_parameters);
+ MLX5_SET(fte_match_set_misc, misc, source_port, attr->in_rep->vport);
+@@ -381,6 +378,9 @@ mlx5_eswitch_add_offloaded_rule(struct mlx5_eswitch *esw,
+ flow_act.modify_hdr = attr->modify_hdr;
+
+ if (split) {
++ if (MLX5_CAP_ESW_FLOWTABLE(esw->dev, flow_source) &&
++ attr->in_rep->vport == MLX5_VPORT_UPLINK)
++ spec->flow_context.flow_source = MLX5_FLOW_CONTEXT_FLOW_SOURCE_UPLINK;
+ fdb = esw_vport_tbl_get(esw, attr);
+ } else {
+ if (attr->chain || attr->prio)
+--
+2.25.1
+
--- /dev/null
+From 53acec462e944bf8d2b5609874d5f8a2ae158403 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Jul 2020 18:29:41 +0800
+Subject: net/mlx5e: fix bpf_prog reference count leaks in mlx5e_alloc_rq
+
+From: Xin Xiong <xiongx18@fudan.edu.cn>
+
+[ Upstream commit e692139e6af339a1495ef401b2d95f7f9d1c7a44 ]
+
+The function invokes bpf_prog_inc(), which increases the reference
+count of a bpf_prog object "rq->xdp_prog" if the object isn't NULL.
+
+The refcount leak issues take place in two error handling paths. When
+either mlx5_wq_ll_create() or mlx5_wq_cyc_create() fails, the function
+simply returns the error code and forgets to drop the reference count
+increased earlier, causing a reference count leak of "rq->xdp_prog".
+
+Fix this issue by jumping to the error handling path err_rq_wq_destroy
+while either function fails.
+
+Fixes: 422d4c401edd ("net/mlx5e: RX, Split WQ objects for different RQ types")
+Signed-off-by: Xin Xiong <xiongx18@fudan.edu.cn>
+Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index b485eec812111..9861c9e42c0a7 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -422,7 +422,7 @@ static int mlx5e_alloc_rq(struct mlx5e_channel *c,
+ err = mlx5_wq_ll_create(mdev, &rqp->wq, rqc_wq, &rq->mpwqe.wq,
+ &rq->wq_ctrl);
+ if (err)
+- return err;
++ goto err_rq_wq_destroy;
+
+ rq->mpwqe.wq.db = &rq->mpwqe.wq.db[MLX5_RCV_DBR];
+
+@@ -475,7 +475,7 @@ static int mlx5e_alloc_rq(struct mlx5e_channel *c,
+ err = mlx5_wq_cyc_create(mdev, &rqp->wq, rqc_wq, &rq->wqe.wq,
+ &rq->wq_ctrl);
+ if (err)
+- return err;
++ goto err_rq_wq_destroy;
+
+ rq->wqe.wq.db = &rq->wqe.wq.db[MLX5_RCV_DBR];
+
+--
+2.25.1
+
--- /dev/null
+From da698a48b1a1c2ae5c9c962d4637d50161afb378 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Jul 2020 12:21:53 +0300
+Subject: net/mlx5e: Fix error path of device attach
+
+From: Aya Levin <ayal@mellanox.com>
+
+[ Upstream commit 5cd39b6e9a420329a9a408894be7ba8aa7dd755e ]
+
+On failure to attach the netdev, fix the rollback by re-setting the
+device's state back to MLX5E_STATE_DESTROYING.
+
+Failing to attach doesn't stop statistics polling via .ndo_get_stats64.
+In this case, although the device is not attached, it falsely continues
+to query the firmware for counters. Setting the device's state back to
+MLX5E_STATE_DESTROYING prevents the firmware counters query.
+
+Fixes: 26e59d8077a3 ("net/mlx5e: Implement mlx5e interface attach/detach callbacks")
+Signed-off-by: Aya Levin <ayal@mellanox.com>
+Reviewed-by: Tariq Toukan <tariqt@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index bc54913c58618..5f8c69ea82539 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -5395,6 +5395,8 @@ err_cleanup_tx:
+ profile->cleanup_tx(priv);
+
+ out:
++ set_bit(MLX5E_STATE_DESTROYING, &priv->state);
++ cancel_work_sync(&priv->update_stats_work);
+ return err;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 827c15d1661997e0f0138f9865fca7ea19505e5d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Jul 2020 11:46:30 +0300
+Subject: net/mlx5e: Fix kernel crash when setting vf VLANID on a VF dev
+
+From: Alaa Hleihel <alaa@mellanox.com>
+
+[ Upstream commit 350a63249d270b1f5bd05c7e2a24cd8de0f9db20 ]
+
+After the cited commit, function 'mlx5_eswitch_set_vport_vlan' started
+to acquire esw->state_lock.
+However, esw is not defined for VF devices, hence attempting to set vf
+VLANID on a VF dev will cause a kernel panic.
+
+Fix it by moving up the (redundant) esw validation from function
+'__mlx5_eswitch_set_vport_vlan' since the rest of the callers now have
+and use a valid esw.
+
+For example with vf device eth4:
+ # ip link set dev eth4 vf 0 vlan 0
+
+Trace of the panic:
+ [ 411.409842] BUG: unable to handle page fault for address: 00000000000011b8
+ [ 411.449745] #PF: supervisor read access in kernel mode
+ [ 411.452348] #PF: error_code(0x0000) - not-present page
+ [ 411.454938] PGD 80000004189c9067 P4D 80000004189c9067 PUD 41899a067 PMD 0
+ [ 411.458382] Oops: 0000 [#1] SMP PTI
+ [ 411.460268] CPU: 4 PID: 5711 Comm: ip Not tainted 5.8.0-rc4_for_upstream_min_debug_2020_07_08_22_04 #1
+ [ 411.462447] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
+ [ 411.464158] RIP: 0010:__mutex_lock+0x4e/0x940
+ [ 411.464928] Code: fd 41 54 49 89 f4 41 52 53 89 d3 48 83 ec 70 44 8b 1d ee 03 b0 01 65 48 8b 04 25 28 00 00 00 48 89 45 c8 31 c0 45 85 db 75 0a <48> 3b 7f 60 0f 85 7e 05 00 00 49 8d 45 68 41 56 41 b8 01 00 00 00
+ [ 411.467678] RSP: 0018:ffff88841fcd74b0 EFLAGS: 00010246
+ [ 411.468562] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
+ [ 411.469715] RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000001158
+ [ 411.470812] RBP: ffff88841fcd7550 R08: ffffffffa00fa1ce R09: 0000000000000000
+ [ 411.471835] R10: ffff88841fcd7570 R11: 0000000000000000 R12: 0000000000000002
+ [ 411.472862] R13: 0000000000001158 R14: ffffffffa00fa1ce R15: 0000000000000000
+ [ 411.474004] FS: 00007faee7ca6b80(0000) GS:ffff88846fc00000(0000) knlGS:0000000000000000
+ [ 411.475237] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [ 411.476129] CR2: 00000000000011b8 CR3: 000000041909c006 CR4: 0000000000360ea0
+ [ 411.477260] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ [ 411.478340] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ [ 411.479332] Call Trace:
+ [ 411.479760] ? __nla_validate_parse.part.6+0x57/0x8f0
+ [ 411.482825] ? mlx5_eswitch_set_vport_vlan+0x3e/0xa0 [mlx5_core]
+ [ 411.483804] mlx5_eswitch_set_vport_vlan+0x3e/0xa0 [mlx5_core]
+ [ 411.484733] mlx5e_set_vf_vlan+0x41/0x50 [mlx5_core]
+ [ 411.485545] do_setlink+0x613/0x1000
+ [ 411.486165] __rtnl_newlink+0x53d/0x8c0
+ [ 411.486791] ? mark_held_locks+0x49/0x70
+ [ 411.487429] ? __lock_acquire+0x8fe/0x1eb0
+ [ 411.488085] ? rcu_read_lock_sched_held+0x52/0x60
+ [ 411.488998] ? kmem_cache_alloc_trace+0x16d/0x2d0
+ [ 411.489759] rtnl_newlink+0x47/0x70
+ [ 411.490357] rtnetlink_rcv_msg+0x24e/0x450
+ [ 411.490978] ? netlink_deliver_tap+0x92/0x3d0
+ [ 411.491631] ? validate_linkmsg+0x330/0x330
+ [ 411.492262] netlink_rcv_skb+0x47/0x110
+ [ 411.492852] netlink_unicast+0x1ac/0x270
+ [ 411.493551] netlink_sendmsg+0x336/0x450
+ [ 411.494209] sock_sendmsg+0x30/0x40
+ [ 411.494779] ____sys_sendmsg+0x1dd/0x1f0
+ [ 411.495378] ? copy_msghdr_from_user+0x5c/0x90
+ [ 411.496082] ___sys_sendmsg+0x87/0xd0
+ [ 411.496683] ? lock_acquire+0xb9/0x3a0
+ [ 411.497322] ? lru_cache_add+0x5/0x170
+ [ 411.497944] ? find_held_lock+0x2d/0x90
+ [ 411.498568] ? handle_mm_fault+0xe46/0x18c0
+ [ 411.499205] ? __sys_sendmsg+0x51/0x90
+ [ 411.499784] __sys_sendmsg+0x51/0x90
+ [ 411.500341] do_syscall_64+0x59/0x2e0
+ [ 411.500938] ? asm_exc_page_fault+0x8/0x30
+ [ 411.501609] ? rcu_read_lock_sched_held+0x52/0x60
+ [ 411.502350] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+ [ 411.503093] RIP: 0033:0x7faee73b85a7
+ [ 411.503654] Code: Bad RIP value.
+
+Fixes: 0e18134f4f9f ("net/mlx5e: Eswitch, use state_lock to synchronize vlan change")
+Signed-off-by: Alaa Hleihel <alaa@mellanox.com>
+Reviewed-by: Roi Dayan <roid@mellanox.com>
+Reviewed-by: Vlad Buslov <vladbu@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+index 577a5b3b841ed..77a1ac1b1cc17 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+@@ -2435,8 +2435,6 @@ int __mlx5_eswitch_set_vport_vlan(struct mlx5_eswitch *esw,
+ struct mlx5_vport *evport = mlx5_eswitch_get_vport(esw, vport);
+ int err = 0;
+
+- if (!ESW_ALLOWED(esw))
+- return -EPERM;
+ if (IS_ERR(evport))
+ return PTR_ERR(evport);
+ if (vlan > 4095 || qos > 7)
+@@ -2464,6 +2462,9 @@ int mlx5_eswitch_set_vport_vlan(struct mlx5_eswitch *esw,
+ u8 set_flags = 0;
+ int err;
+
++ if (!ESW_ALLOWED(esw))
++ return -EPERM;
++
+ if (vlan || qos)
+ set_flags = SET_VLAN_STRIP | SET_VLAN_INSERT;
+
+--
+2.25.1
+
--- /dev/null
+From f3f6d61c2acc733c3307d0af438a666c2790528d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 5 Apr 2020 13:58:40 +0300
+Subject: net/mlx5e: Modify uplink state on interface up/down
+
+From: Ron Diskin <rondi@mellanox.com>
+
+[ Upstream commit 7d0314b11cdd92bca8b89684c06953bf114605fc ]
+
+When setting the PF interface up/down, notify the firmware to update
+uplink state via MODIFY_VPORT_STATE, when E-Switch is enabled.
+
+This behavior will prevent sending traffic out on uplink port when PF is
+down, such as sending traffic from a VF interface which is still up.
+Currently when calling mlx5e_open/close(), the driver only sends PAOS
+command to notify the firmware to set the physical port state to
+up/down, however, it is not sufficient. When VF is in "auto" state, it
+follows the uplink state, which was not updated on mlx5e_open/close()
+before this patch.
+
+When switchdev mode is enabled and uplink representor is first enabled,
+set the uplink port state value back to its FW default "AUTO".
+
+Fixes: 63bfd399de55 ("net/mlx5e: Send PAOS command on interface up/down")
+Signed-off-by: Ron Diskin <rondi@mellanox.com>
+Reviewed-by: Roi Dayan <roid@mellanox.com>
+Reviewed-by: Moshe Shemesh <moshe@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/mellanox/mlx5/core/en_main.c | 25 ++++++++++++++++---
+ .../net/ethernet/mellanox/mlx5/core/en_rep.c | 2 ++
+ .../net/ethernet/mellanox/mlx5/core/eswitch.c | 16 +++++++-----
+ .../net/ethernet/mellanox/mlx5/core/eswitch.h | 2 ++
+ include/linux/mlx5/mlx5_ifc.h | 1 +
+ 5 files changed, 37 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index 5f8c69ea82539..b485eec812111 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -3041,6 +3041,25 @@ void mlx5e_timestamp_init(struct mlx5e_priv *priv)
+ priv->tstamp.rx_filter = HWTSTAMP_FILTER_NONE;
+ }
+
++static void mlx5e_modify_admin_state(struct mlx5_core_dev *mdev,
++ enum mlx5_port_status state)
++{
++ struct mlx5_eswitch *esw = mdev->priv.eswitch;
++ int vport_admin_state;
++
++ mlx5_set_port_admin_status(mdev, state);
++
++ if (!MLX5_ESWITCH_MANAGER(mdev) || mlx5_eswitch_mode(esw) == MLX5_ESWITCH_OFFLOADS)
++ return;
++
++ if (state == MLX5_PORT_UP)
++ vport_admin_state = MLX5_VPORT_ADMIN_STATE_AUTO;
++ else
++ vport_admin_state = MLX5_VPORT_ADMIN_STATE_DOWN;
++
++ mlx5_eswitch_set_vport_state(esw, MLX5_VPORT_UPLINK, vport_admin_state);
++}
++
+ int mlx5e_open_locked(struct net_device *netdev)
+ {
+ struct mlx5e_priv *priv = netdev_priv(netdev);
+@@ -3073,7 +3092,7 @@ int mlx5e_open(struct net_device *netdev)
+ mutex_lock(&priv->state_lock);
+ err = mlx5e_open_locked(netdev);
+ if (!err)
+- mlx5_set_port_admin_status(priv->mdev, MLX5_PORT_UP);
++ mlx5e_modify_admin_state(priv->mdev, MLX5_PORT_UP);
+ mutex_unlock(&priv->state_lock);
+
+ return err;
+@@ -3107,7 +3126,7 @@ int mlx5e_close(struct net_device *netdev)
+ return -ENODEV;
+
+ mutex_lock(&priv->state_lock);
+- mlx5_set_port_admin_status(priv->mdev, MLX5_PORT_DOWN);
++ mlx5e_modify_admin_state(priv->mdev, MLX5_PORT_DOWN);
+ err = mlx5e_close_locked(netdev);
+ mutex_unlock(&priv->state_lock);
+
+@@ -5185,7 +5204,7 @@ static void mlx5e_nic_enable(struct mlx5e_priv *priv)
+
+ /* Marking the link as currently not needed by the Driver */
+ if (!netif_running(netdev))
+- mlx5_set_port_admin_status(mdev, MLX5_PORT_DOWN);
++ mlx5e_modify_admin_state(mdev, MLX5_PORT_DOWN);
+
+ mlx5e_set_netdev_mtu_boundaries(priv);
+ mlx5e_set_dev_port_mtu(priv);
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
+index 4a8e0dfdc5f2c..e93d7430c1a31 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
+@@ -1922,6 +1922,8 @@ static void mlx5e_uplink_rep_enable(struct mlx5e_priv *priv)
+ INIT_WORK(&rpriv->uplink_priv.reoffload_flows_work,
+ mlx5e_tc_reoffload_flows_work);
+
++ mlx5_modify_vport_admin_state(mdev, MLX5_VPORT_STATE_OP_MOD_UPLINK,
++ 0, 0, MLX5_VPORT_ADMIN_STATE_AUTO);
+ mlx5_lag_add(mdev, netdev);
+ priv->events_nb.notifier_call = uplink_rep_async_event;
+ mlx5_notifier_register(mdev, &priv->events_nb);
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+index 3bb4f72b76da2..577a5b3b841ed 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+@@ -2374,6 +2374,8 @@ int mlx5_eswitch_set_vport_state(struct mlx5_eswitch *esw,
+ u16 vport, int link_state)
+ {
+ struct mlx5_vport *evport = mlx5_eswitch_get_vport(esw, vport);
++ int opmod = MLX5_VPORT_STATE_OP_MOD_ESW_VPORT;
++ int other_vport = 1;
+ int err = 0;
+
+ if (!ESW_ALLOWED(esw))
+@@ -2381,15 +2383,17 @@ int mlx5_eswitch_set_vport_state(struct mlx5_eswitch *esw,
+ if (IS_ERR(evport))
+ return PTR_ERR(evport);
+
++ if (vport == MLX5_VPORT_UPLINK) {
++ opmod = MLX5_VPORT_STATE_OP_MOD_UPLINK;
++ other_vport = 0;
++ vport = 0;
++ }
+ mutex_lock(&esw->state_lock);
+
+- err = mlx5_modify_vport_admin_state(esw->dev,
+- MLX5_VPORT_STATE_OP_MOD_ESW_VPORT,
+- vport, 1, link_state);
++ err = mlx5_modify_vport_admin_state(esw->dev, opmod, vport, other_vport, link_state);
+ if (err) {
+- mlx5_core_warn(esw->dev,
+- "Failed to set vport %d link state, err = %d",
+- vport, err);
++ mlx5_core_warn(esw->dev, "Failed to set vport %d link state, opmod = %d, err = %d",
++ vport, opmod, err);
+ goto unlock;
+ }
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
+index c1848b57f61c8..56d2a1ab9378e 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
+@@ -684,6 +684,8 @@ static inline int mlx5_eswitch_enable(struct mlx5_eswitch *esw, int num_vfs) { r
+ static inline void mlx5_eswitch_disable(struct mlx5_eswitch *esw, bool clear_vf) {}
+ static inline bool mlx5_esw_lag_prereq(struct mlx5_core_dev *dev0, struct mlx5_core_dev *dev1) { return true; }
+ static inline bool mlx5_eswitch_is_funcs_handler(struct mlx5_core_dev *dev) { return false; }
++static inline
++int mlx5_eswitch_set_vport_state(struct mlx5_eswitch *esw, u16 vport, int link_state) { return 0; }
+ static inline const u32 *mlx5_esw_query_functions(struct mlx5_core_dev *dev)
+ {
+ return ERR_PTR(-EOPNOTSUPP);
+diff --git a/include/linux/mlx5/mlx5_ifc.h b/include/linux/mlx5/mlx5_ifc.h
+index 69b27c7dfc3e2..fb7fa1fc8e010 100644
+--- a/include/linux/mlx5/mlx5_ifc.h
++++ b/include/linux/mlx5/mlx5_ifc.h
+@@ -4347,6 +4347,7 @@ struct mlx5_ifc_query_vport_state_out_bits {
+ enum {
+ MLX5_VPORT_STATE_OP_MOD_VNIC_VPORT = 0x0,
+ MLX5_VPORT_STATE_OP_MOD_ESW_VPORT = 0x1,
++ MLX5_VPORT_STATE_OP_MOD_UPLINK = 0x2,
+ };
+
+ struct mlx5_ifc_arm_monitor_counter_in_bits {
+--
+2.25.1
+
--- /dev/null
+From f2e67fa6de27c0b052652f0130770aa9eca6f9d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Jul 2020 11:50:05 +0800
+Subject: net: nixge: fix potential memory leak in nixge_probe()
+
+From: Lu Wei <luwei32@huawei.com>
+
+[ Upstream commit 366228ed01f6882cc203e3d5b40010dfae0be1c3 ]
+
+If some processes in nixge_probe() fail, free_netdev(dev)
+needs to be called to aviod a memory leak.
+
+Fixes: 87ab207981ec ("net: nixge: Separate ctrl and dma resources")
+Fixes: abcd3d6fc640 ("net: nixge: Fix error path for obtaining mac address")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Lu Wei <luwei32@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ni/nixge.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/ni/nixge.c b/drivers/net/ethernet/ni/nixge.c
+index 2fdd0753b3afd..0e776131a3ef3 100644
+--- a/drivers/net/ethernet/ni/nixge.c
++++ b/drivers/net/ethernet/ni/nixge.c
+@@ -1298,19 +1298,21 @@ static int nixge_probe(struct platform_device *pdev)
+ netif_napi_add(ndev, &priv->napi, nixge_poll, NAPI_POLL_WEIGHT);
+ err = nixge_of_get_resources(pdev);
+ if (err)
+- return err;
++ goto free_netdev;
+ __nixge_hw_set_mac_address(ndev);
+
+ priv->tx_irq = platform_get_irq_byname(pdev, "tx");
+ if (priv->tx_irq < 0) {
+ netdev_err(ndev, "could not find 'tx' irq");
+- return priv->tx_irq;
++ err = priv->tx_irq;
++ goto free_netdev;
+ }
+
+ priv->rx_irq = platform_get_irq_byname(pdev, "rx");
+ if (priv->rx_irq < 0) {
+ netdev_err(ndev, "could not find 'rx' irq");
+- return priv->rx_irq;
++ err = priv->rx_irq;
++ goto free_netdev;
+ }
+
+ priv->coalesce_count_rx = XAXIDMA_DFT_RX_THRESHOLD;
+--
+2.25.1
+
--- /dev/null
+From d5c52302863fa18deeee1f9a06ee0d688636082b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Jul 2020 00:31:49 -0500
+Subject: nfc: s3fwrn5: add missing release on skb in s3fwrn5_recv_frame
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+[ Upstream commit 1e8fd3a97f2d83a7197876ceb4f37b4c2b00a0f3 ]
+
+The implementation of s3fwrn5_recv_frame() is supposed to consume skb on
+all execution paths. Release skb before returning -ENODEV.
+
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nfc/s3fwrn5/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/nfc/s3fwrn5/core.c b/drivers/nfc/s3fwrn5/core.c
+index 91d4d5b28a7d9..ba6c486d64659 100644
+--- a/drivers/nfc/s3fwrn5/core.c
++++ b/drivers/nfc/s3fwrn5/core.c
+@@ -198,6 +198,7 @@ int s3fwrn5_recv_frame(struct nci_dev *ndev, struct sk_buff *skb,
+ case S3FWRN5_MODE_FW:
+ return s3fwrn5_fw_recv_frame(ndev, skb);
+ default:
++ kfree_skb(skb);
+ return -ENODEV;
+ }
+ }
+--
+2.25.1
+
--- /dev/null
+From 6bdc13c18c6f4729559362721dc2ec916f27c01e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Jul 2020 13:09:03 +0200
+Subject: nvme: add a Identify Namespace Identification Descriptor list quirk
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 5bedd3afee8eb01ccd256f0cd2cc0fa6f841417a ]
+
+Add a quirk for a device that does not support the Identify Namespace
+Identification Descriptor list despite claiming 1.3 compliance.
+
+Fixes: ea43d9709f72 ("nvme: fix identify error status silent ignore")
+Reported-by: Ingo Brunberg <ingo_brunberg@web.de>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Tested-by: Ingo Brunberg <ingo_brunberg@web.de>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 15 +++------------
+ drivers/nvme/host/nvme.h | 7 +++++++
+ drivers/nvme/host/pci.c | 2 ++
+ 3 files changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index 137d7bcc13585..f7540a9e54fd2 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -1106,6 +1106,9 @@ static int nvme_identify_ns_descs(struct nvme_ctrl *ctrl, unsigned nsid,
+ int pos;
+ int len;
+
++ if (ctrl->quirks & NVME_QUIRK_NO_NS_DESC_LIST)
++ return 0;
++
+ c.identify.opcode = nvme_admin_identify;
+ c.identify.nsid = cpu_to_le32(nsid);
+ c.identify.cns = NVME_ID_CNS_NS_DESC_LIST;
+@@ -1119,18 +1122,6 @@ static int nvme_identify_ns_descs(struct nvme_ctrl *ctrl, unsigned nsid,
+ if (status) {
+ dev_warn(ctrl->device,
+ "Identify Descriptors failed (%d)\n", status);
+- /*
+- * Don't treat non-retryable errors as fatal, as we potentially
+- * already have a NGUID or EUI-64. If we failed with DNR set,
+- * we want to silently ignore the error as we can still
+- * identify the device, but if the status has DNR set, we want
+- * to propagate the error back specifically for the disk
+- * revalidation flow to make sure we don't abandon the
+- * device just because of a temporal retry-able error (such
+- * as path of transport errors).
+- */
+- if (status > 0 && (status & NVME_SC_DNR))
+- status = 0;
+ goto free_data;
+ }
+
+diff --git a/drivers/nvme/host/nvme.h b/drivers/nvme/host/nvme.h
+index 46f965f8c9bcd..8f1b0a30fd2a6 100644
+--- a/drivers/nvme/host/nvme.h
++++ b/drivers/nvme/host/nvme.h
+@@ -126,6 +126,13 @@ enum nvme_quirks {
+ * Don't change the value of the temperature threshold feature
+ */
+ NVME_QUIRK_NO_TEMP_THRESH_CHANGE = (1 << 14),
++
++ /*
++ * The controller doesn't handle the Identify Namespace
++ * Identification Descriptor list subcommand despite claiming
++ * NVMe 1.3 compliance.
++ */
++ NVME_QUIRK_NO_NS_DESC_LIST = (1 << 15),
+ };
+
+ /*
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index 4ad629eb3bc66..10d65f27879fd 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -3105,6 +3105,8 @@ static const struct pci_device_id nvme_id_table[] = {
+ { PCI_VDEVICE(INTEL, 0x5845), /* Qemu emulated controller */
+ .driver_data = NVME_QUIRK_IDENTIFY_CNS |
+ NVME_QUIRK_DISABLE_WRITE_ZEROES, },
++ { PCI_DEVICE(0x126f, 0x2263), /* Silicon Motion unidentified */
++ .driver_data = NVME_QUIRK_NO_NS_DESC_LIST, },
+ { PCI_DEVICE(0x1bb1, 0x0100), /* Seagate Nytro Flash Storage */
+ .driver_data = NVME_QUIRK_DELAY_BEFORE_CHK_RDY, },
+ { PCI_DEVICE(0x1c58, 0x0003), /* HGST adapter */
+--
+2.25.1
+
--- /dev/null
+From cc9fb8410c0f49775d50bc32fab922c925d56e33 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Jul 2020 16:42:26 -0700
+Subject: nvme-tcp: fix possible hang waiting for icresp response
+
+From: Sagi Grimberg <sagi@grimberg.me>
+
+[ Upstream commit adc99fd378398f4c58798a1c57889872967d56a6 ]
+
+If the controller died exactly when we are receiving icresp
+we hang because icresp may never return. Make sure to set a
+high finite limit.
+
+Fixes: 3f2304f8c6d6 ("nvme-tcp: add NVMe over TCP host driver")
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/tcp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c
+index 4862fa962011d..26461bf3fdcc3 100644
+--- a/drivers/nvme/host/tcp.c
++++ b/drivers/nvme/host/tcp.c
+@@ -1392,6 +1392,9 @@ static int nvme_tcp_alloc_queue(struct nvme_ctrl *nctrl,
+ }
+ }
+
++ /* Set 10 seconds timeout for icresp recvmsg */
++ queue->sock->sk->sk_rcvtimeo = 10 * HZ;
++
+ queue->sock->sk->sk_allocation = GFP_ATOMIC;
+ nvme_tcp_set_queue_io_cpu(queue);
+ queue->request = NULL;
+--
+2.25.1
+
--- /dev/null
+From 8ceffd6dd636b2342b782877f21cb1bd2e840c70 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 25 Jul 2020 10:13:53 +0530
+Subject: octeontx2-pf: cancel reset_task work
+
+From: Subbaraya Sundeep <sbhatta@marvell.com>
+
+[ Upstream commit c0376f473c5cc2ef94f8e1e055d173293cc3698c ]
+
+During driver exit cancel the queued
+reset_task work in VF driver.
+
+Fixes: 3184fb5ba96e ("octeontx2-vf: Virtual function driver support")
+Signed-off-by: Subbaraya Sundeep <sbhatta@marvell.com>
+Signed-off-by: Sunil Goutham <sgoutham@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/nic/otx2_vf.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_vf.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_vf.c
+index f4227517dc8e0..c1c263d1ac2ec 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_vf.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_vf.c
+@@ -617,6 +617,7 @@ static void otx2vf_remove(struct pci_dev *pdev)
+
+ vf = netdev_priv(netdev);
+
++ cancel_work_sync(&vf->reset_task);
+ otx2vf_disable_mbox_intr(vf);
+
+ otx2_detach_resources(&vf->mbox);
+--
+2.25.1
+
--- /dev/null
+From 9498eee5506df79ff7bd3b8fd069e873329f02a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 25 Jul 2020 10:13:52 +0530
+Subject: octeontx2-pf: Fix reset_task bugs
+
+From: Subbaraya Sundeep <sbhatta@marvell.com>
+
+[ Upstream commit 948a66338f44c16f52c0f03f6ad81a6f59eb5604 ]
+
+Two bugs exist in the code related to reset_task
+in PF driver one is the missing protection
+against network stack ndo_open and ndo_close.
+Other one is the missing cancel_work.
+This patch fixes those problems.
+
+Fixes: 4ff7d1488a84 ("octeontx2-pf: Error handling support")
+Signed-off-by: Subbaraya Sundeep <sbhatta@marvell.com>
+Signed-off-by: Sunil Goutham <sgoutham@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c
+index 64786568af0db..75a8c407e815c 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c
+@@ -1730,10 +1730,12 @@ static void otx2_reset_task(struct work_struct *work)
+ if (!netif_running(pf->netdev))
+ return;
+
++ rtnl_lock();
+ otx2_stop(pf->netdev);
+ pf->reset_count++;
+ otx2_open(pf->netdev);
+ netif_trans_update(pf->netdev);
++ rtnl_unlock();
+ }
+
+ static const struct net_device_ops otx2_netdev_ops = {
+@@ -2111,6 +2113,7 @@ static void otx2_remove(struct pci_dev *pdev)
+
+ pf = netdev_priv(netdev);
+
++ cancel_work_sync(&pf->reset_task);
+ /* Disable link notifications */
+ otx2_cgx_config_linkevents(pf, false);
+
+--
+2.25.1
+
--- /dev/null
+From 5a43f7f649486b94cdfc804645b5c58ae9828779 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 25 Jul 2020 10:13:54 +0530
+Subject: octeontx2-pf: Unregister netdev at driver remove
+
+From: Subbaraya Sundeep <sbhatta@marvell.com>
+
+[ Upstream commit ed543f5c6a988d8a863d2436794230cef2c82389 ]
+
+Added unregister_netdev in the driver remove
+function. Generally unregister_netdev is called
+after disabling all the device interrupts but here
+it is called before disabling device mailbox
+interrupts. The reason behind this is VF needs
+mailbox interrupt to communicate with its PF to
+clean up its resources during otx2_stop.
+otx2_stop disables packet I/O and queue interrupts
+first and by using mailbox interrupt communicates
+to PF to free VF resources. Hence this patch
+calls unregister_device just before
+disabling mailbox interrupts.
+
+Fixes: 3184fb5ba96e ("octeontx2-vf: Virtual function driver support")
+Signed-off-by: Subbaraya Sundeep <sbhatta@marvell.com>
+Signed-off-by: Sunil Goutham <sgoutham@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/nic/otx2_vf.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_vf.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_vf.c
+index c1c263d1ac2ec..92a3db69a6cd6 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_vf.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_vf.c
+@@ -618,6 +618,7 @@ static void otx2vf_remove(struct pci_dev *pdev)
+ vf = netdev_priv(netdev);
+
+ cancel_work_sync(&vf->reset_task);
++ unregister_netdev(netdev);
+ otx2vf_disable_mbox_intr(vf);
+
+ otx2_detach_resources(&vf->mbox);
+--
+2.25.1
+
--- /dev/null
+From 0452040efdff50a413337d7611f1c840675779c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Jul 2020 16:10:21 -0400
+Subject: parisc: add support for cmpxchg on u8 pointers
+
+From: Liam Beguin <liambeguin@gmail.com>
+
+[ Upstream commit b344d6a83d01c52fddbefa6b3b4764da5b1022a0 ]
+
+The kernel test bot reported[1] that using set_mask_bits on a u8 causes
+the following issue on parisc:
+
+ hppa-linux-ld: drivers/phy/ti/phy-tusb1210.o: in function `tusb1210_probe':
+ >> (.text+0x2f4): undefined reference to `__cmpxchg_called_with_bad_pointer'
+ >> hppa-linux-ld: (.text+0x324): undefined reference to `__cmpxchg_called_with_bad_pointer'
+ hppa-linux-ld: (.text+0x354): undefined reference to `__cmpxchg_called_with_bad_pointer'
+
+Add support for cmpxchg on u8 pointers.
+
+[1] https://lore.kernel.org/patchwork/patch/1272617/#1468946
+
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Liam Beguin <liambeguin@gmail.com>
+Tested-by: Dave Anglin <dave.anglin@bell.net>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/parisc/include/asm/cmpxchg.h | 2 ++
+ arch/parisc/lib/bitops.c | 12 ++++++++++++
+ 2 files changed, 14 insertions(+)
+
+diff --git a/arch/parisc/include/asm/cmpxchg.h b/arch/parisc/include/asm/cmpxchg.h
+index ab5c215cf46c3..0689585758717 100644
+--- a/arch/parisc/include/asm/cmpxchg.h
++++ b/arch/parisc/include/asm/cmpxchg.h
+@@ -60,6 +60,7 @@ extern void __cmpxchg_called_with_bad_pointer(void);
+ extern unsigned long __cmpxchg_u32(volatile unsigned int *m, unsigned int old,
+ unsigned int new_);
+ extern u64 __cmpxchg_u64(volatile u64 *ptr, u64 old, u64 new_);
++extern u8 __cmpxchg_u8(volatile u8 *ptr, u8 old, u8 new_);
+
+ /* don't worry...optimizer will get rid of most of this */
+ static inline unsigned long
+@@ -71,6 +72,7 @@ __cmpxchg(volatile void *ptr, unsigned long old, unsigned long new_, int size)
+ #endif
+ case 4: return __cmpxchg_u32((unsigned int *)ptr,
+ (unsigned int)old, (unsigned int)new_);
++ case 1: return __cmpxchg_u8((u8 *)ptr, (u8)old, (u8)new_);
+ }
+ __cmpxchg_called_with_bad_pointer();
+ return old;
+diff --git a/arch/parisc/lib/bitops.c b/arch/parisc/lib/bitops.c
+index 70ffbcf889b8e..2e4d1f05a9264 100644
+--- a/arch/parisc/lib/bitops.c
++++ b/arch/parisc/lib/bitops.c
+@@ -79,3 +79,15 @@ unsigned long __cmpxchg_u32(volatile unsigned int *ptr, unsigned int old, unsign
+ _atomic_spin_unlock_irqrestore(ptr, flags);
+ return (unsigned long)prev;
+ }
++
++u8 __cmpxchg_u8(volatile u8 *ptr, u8 old, u8 new)
++{
++ unsigned long flags;
++ u8 prev;
++
++ _atomic_spin_lock_irqsave(ptr, flags);
++ if ((prev = *ptr) == old)
++ *ptr = new;
++ _atomic_spin_unlock_irqrestore(ptr, flags);
++ return prev;
++}
+--
+2.25.1
+
--- /dev/null
+From df07887b5f628dcdcefb498a6c1d618ccf269b5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Jul 2020 15:11:10 +0800
+Subject: perf tools: Fix record failure when mixed with ARM SPE event
+
+From: Wei Li <liwei391@huawei.com>
+
+[ Upstream commit bd3c628f8fafa6cbd6a1ca440034b841f0080160 ]
+
+When recording with cache-misses and arm_spe_x event, I found that it
+will just fail without showing any error info if i put cache-misses
+after 'arm_spe_x' event.
+
+ [root@localhost 0620]# perf record -e cache-misses \
+ -e arm_spe_0/ts_enable=1,pct_enable=1,pa_enable=1,load_filter=1,jitter=1,store_filter=1,min_latency=0/ sleep 1
+ [ perf record: Woken up 1 times to write data ]
+ [ perf record: Captured and wrote 0.067 MB perf.data ]
+ [root@localhost 0620]#
+ [root@localhost 0620]# perf record -e arm_spe_0/ts_enable=1,pct_enable=1,pa_enable=1,load_filter=1,jitter=1,store_filter=1,min_latency=0/ \
+ -e cache-misses sleep 1
+ [root@localhost 0620]#
+
+The current code can only work if the only event to be traced is an
+'arm_spe_x', or if it is the last event to be specified. Otherwise the
+last event type will be checked against all the arm_spe_pmus[i]->types,
+none will match and an out of bound 'i' index will be used in
+arm_spe_recording_init().
+
+We don't support concurrent multiple arm_spe_x events currently, that
+is checked in arm_spe_recording_options(), and it will show the relevant
+info. So add the check and record of the first found 'arm_spe_pmu' to
+fix this issue here.
+
+Fixes: ffd3d18c20b8 ("perf tools: Add ARM Statistical Profiling Extensions (SPE) support")
+Signed-off-by: Wei Li <liwei391@huawei.com>
+Reviewed-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Tested-by-by: Leo Yan <leo.yan@linaro.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Hanjun Guo <guohanjun@huawei.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Kim Phillips <kim.phillips@arm.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Mike Leach <mike.leach@linaro.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Suzuki Poulouse <suzuki.poulose@arm.com>
+Cc: linux-arm-kernel@lists.infradead.org
+Link: http://lore.kernel.org/lkml/20200724071111.35593-2-liwei391@huawei.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/arch/arm/util/auxtrace.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/tools/perf/arch/arm/util/auxtrace.c b/tools/perf/arch/arm/util/auxtrace.c
+index 0a6e75b8777a6..28a5d0c18b1d2 100644
+--- a/tools/perf/arch/arm/util/auxtrace.c
++++ b/tools/perf/arch/arm/util/auxtrace.c
+@@ -56,7 +56,7 @@ struct auxtrace_record
+ struct perf_pmu *cs_etm_pmu;
+ struct evsel *evsel;
+ bool found_etm = false;
+- bool found_spe = false;
++ struct perf_pmu *found_spe = NULL;
+ static struct perf_pmu **arm_spe_pmus = NULL;
+ static int nr_spes = 0;
+ int i = 0;
+@@ -74,12 +74,12 @@ struct auxtrace_record
+ evsel->core.attr.type == cs_etm_pmu->type)
+ found_etm = true;
+
+- if (!nr_spes)
++ if (!nr_spes || found_spe)
+ continue;
+
+ for (i = 0; i < nr_spes; i++) {
+ if (evsel->core.attr.type == arm_spe_pmus[i]->type) {
+- found_spe = true;
++ found_spe = arm_spe_pmus[i];
+ break;
+ }
+ }
+@@ -96,7 +96,7 @@ struct auxtrace_record
+
+ #if defined(__aarch64__)
+ if (found_spe)
+- return arm_spe_recording_init(err, arm_spe_pmus[i]);
++ return arm_spe_recording_init(err, found_spe);
+ #endif
+
+ /*
+--
+2.25.1
+
--- /dev/null
+From c156a6deefe2ad166d70329e14deb47b7314790c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Jul 2020 08:04:17 -0700
+Subject: pinctrl: qcom: Handle broken/missing PDC dual edge IRQs on sc7180
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit c3c0c2e18d943ec4a84162ac679970b592555a4a ]
+
+Depending on how you look at it, you can either say that:
+a) There is a PDC hardware issue (with the specific IP rev that exists
+ on sc7180) that causes the PDC not to work properly when configured
+ to handle dual edges.
+b) The dual edge feature of the PDC hardware was only added in later
+ HW revisions and thus isn't in all hardware.
+
+Regardless of how you look at it, let's work around the lack of dual
+edge support by only ever letting our parent see requests for single
+edge interrupts on affected hardware.
+
+NOTE: it's possible that a driver requesting a dual edge interrupt
+might get several edges coalesced into a single IRQ. For instance if
+a line starts low and then goes high and low again, the driver that
+requested the IRQ is not guaranteed to be called twice. However, it
+is guaranteed that once the driver's interrupt handler starts running
+its first instruction that any new edges coming in will cause the
+interrupt to fire again. This is relatively commonplace for dual-edge
+gpio interrupts (many gpio controllers require software to emulate
+dual edge with single edge) so client drivers should be setup to
+handle it.
+
+Fixes: e35a6ae0eb3a ("pinctrl/msm: Setup GPIO chip in hierarchy")
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20200714080254.v3.1.Ie0d730120b232a86a4eac1e2909bcbec844d1766@changeid
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/qcom/Kconfig | 2 +
+ drivers/pinctrl/qcom/pinctrl-msm.c | 74 ++++++++++++++++++++++++++-
+ drivers/pinctrl/qcom/pinctrl-msm.h | 4 ++
+ drivers/pinctrl/qcom/pinctrl-sc7180.c | 1 +
+ 4 files changed, 79 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/pinctrl/qcom/Kconfig b/drivers/pinctrl/qcom/Kconfig
+index c5d4428f1f948..2a1233b41aa41 100644
+--- a/drivers/pinctrl/qcom/Kconfig
++++ b/drivers/pinctrl/qcom/Kconfig
+@@ -7,6 +7,8 @@ config PINCTRL_MSM
+ select PINCONF
+ select GENERIC_PINCONF
+ select GPIOLIB_IRQCHIP
++ select IRQ_DOMAIN_HIERARCHY
++ select IRQ_FASTEOI_HIERARCHY_HANDLERS
+
+ config PINCTRL_APQ8064
+ tristate "Qualcomm APQ8064 pin controller driver"
+diff --git a/drivers/pinctrl/qcom/pinctrl-msm.c b/drivers/pinctrl/qcom/pinctrl-msm.c
+index 85858c1d56d02..4ebce5b738454 100644
+--- a/drivers/pinctrl/qcom/pinctrl-msm.c
++++ b/drivers/pinctrl/qcom/pinctrl-msm.c
+@@ -833,6 +833,52 @@ static void msm_gpio_irq_unmask(struct irq_data *d)
+ msm_gpio_irq_clear_unmask(d, false);
+ }
+
++/**
++ * msm_gpio_update_dual_edge_parent() - Prime next edge for IRQs handled by parent.
++ * @d: The irq dta.
++ *
++ * This is much like msm_gpio_update_dual_edge_pos() but for IRQs that are
++ * normally handled by the parent irqchip. The logic here is slightly
++ * different due to what's easy to do with our parent, but in principle it's
++ * the same.
++ */
++static void msm_gpio_update_dual_edge_parent(struct irq_data *d)
++{
++ struct gpio_chip *gc = irq_data_get_irq_chip_data(d);
++ struct msm_pinctrl *pctrl = gpiochip_get_data(gc);
++ const struct msm_pingroup *g = &pctrl->soc->groups[d->hwirq];
++ int loop_limit = 100;
++ unsigned int val;
++ unsigned int type;
++
++ /* Read the value and make a guess about what edge we need to catch */
++ val = msm_readl_io(pctrl, g) & BIT(g->in_bit);
++ type = val ? IRQ_TYPE_EDGE_FALLING : IRQ_TYPE_EDGE_RISING;
++
++ do {
++ /* Set the parent to catch the next edge */
++ irq_chip_set_type_parent(d, type);
++
++ /*
++ * Possibly the line changed between when we last read "val"
++ * (and decided what edge we needed) and when set the edge.
++ * If the value didn't change (or changed and then changed
++ * back) then we're done.
++ */
++ val = msm_readl_io(pctrl, g) & BIT(g->in_bit);
++ if (type == IRQ_TYPE_EDGE_RISING) {
++ if (!val)
++ return;
++ type = IRQ_TYPE_EDGE_FALLING;
++ } else if (type == IRQ_TYPE_EDGE_FALLING) {
++ if (val)
++ return;
++ type = IRQ_TYPE_EDGE_RISING;
++ }
++ } while (loop_limit-- > 0);
++ dev_warn_once(pctrl->dev, "dual-edge irq failed to stabilize\n");
++}
++
+ static void msm_gpio_irq_ack(struct irq_data *d)
+ {
+ struct gpio_chip *gc = irq_data_get_irq_chip_data(d);
+@@ -841,8 +887,11 @@ static void msm_gpio_irq_ack(struct irq_data *d)
+ unsigned long flags;
+ u32 val;
+
+- if (test_bit(d->hwirq, pctrl->skip_wake_irqs))
++ if (test_bit(d->hwirq, pctrl->skip_wake_irqs)) {
++ if (test_bit(d->hwirq, pctrl->dual_edge_irqs))
++ msm_gpio_update_dual_edge_parent(d);
+ return;
++ }
+
+ g = &pctrl->soc->groups[d->hwirq];
+
+@@ -861,6 +910,17 @@ static void msm_gpio_irq_ack(struct irq_data *d)
+ raw_spin_unlock_irqrestore(&pctrl->lock, flags);
+ }
+
++static bool msm_gpio_needs_dual_edge_parent_workaround(struct irq_data *d,
++ unsigned int type)
++{
++ struct gpio_chip *gc = irq_data_get_irq_chip_data(d);
++ struct msm_pinctrl *pctrl = gpiochip_get_data(gc);
++
++ return type == IRQ_TYPE_EDGE_BOTH &&
++ pctrl->soc->wakeirq_dual_edge_errata && d->parent_data &&
++ test_bit(d->hwirq, pctrl->skip_wake_irqs);
++}
++
+ static int msm_gpio_irq_set_type(struct irq_data *d, unsigned int type)
+ {
+ struct gpio_chip *gc = irq_data_get_irq_chip_data(d);
+@@ -869,11 +929,21 @@ static int msm_gpio_irq_set_type(struct irq_data *d, unsigned int type)
+ unsigned long flags;
+ u32 val;
+
++ if (msm_gpio_needs_dual_edge_parent_workaround(d, type)) {
++ set_bit(d->hwirq, pctrl->dual_edge_irqs);
++ irq_set_handler_locked(d, handle_fasteoi_ack_irq);
++ msm_gpio_update_dual_edge_parent(d);
++ return 0;
++ }
++
+ if (d->parent_data)
+ irq_chip_set_type_parent(d, type);
+
+- if (test_bit(d->hwirq, pctrl->skip_wake_irqs))
++ if (test_bit(d->hwirq, pctrl->skip_wake_irqs)) {
++ clear_bit(d->hwirq, pctrl->dual_edge_irqs);
++ irq_set_handler_locked(d, handle_fasteoi_irq);
+ return 0;
++ }
+
+ g = &pctrl->soc->groups[d->hwirq];
+
+diff --git a/drivers/pinctrl/qcom/pinctrl-msm.h b/drivers/pinctrl/qcom/pinctrl-msm.h
+index 9452da18a78bd..7486fe08eb9b6 100644
+--- a/drivers/pinctrl/qcom/pinctrl-msm.h
++++ b/drivers/pinctrl/qcom/pinctrl-msm.h
+@@ -113,6 +113,9 @@ struct msm_gpio_wakeirq_map {
+ * @pull_no_keeper: The SoC does not support keeper bias.
+ * @wakeirq_map: The map of wakeup capable GPIOs and the pin at PDC/MPM
+ * @nwakeirq_map: The number of entries in @wakeirq_map
++ * @wakeirq_dual_edge_errata: If true then GPIOs using the wakeirq_map need
++ * to be aware that their parent can't handle dual
++ * edge interrupts.
+ */
+ struct msm_pinctrl_soc_data {
+ const struct pinctrl_pin_desc *pins;
+@@ -128,6 +131,7 @@ struct msm_pinctrl_soc_data {
+ const int *reserved_gpios;
+ const struct msm_gpio_wakeirq_map *wakeirq_map;
+ unsigned int nwakeirq_map;
++ bool wakeirq_dual_edge_errata;
+ };
+
+ extern const struct dev_pm_ops msm_pinctrl_dev_pm_ops;
+diff --git a/drivers/pinctrl/qcom/pinctrl-sc7180.c b/drivers/pinctrl/qcom/pinctrl-sc7180.c
+index 1b6465a882f21..1d9acad3c1ce2 100644
+--- a/drivers/pinctrl/qcom/pinctrl-sc7180.c
++++ b/drivers/pinctrl/qcom/pinctrl-sc7180.c
+@@ -1147,6 +1147,7 @@ static const struct msm_pinctrl_soc_data sc7180_pinctrl = {
+ .ntiles = ARRAY_SIZE(sc7180_tiles),
+ .wakeirq_map = sc7180_pdc_map,
+ .nwakeirq_map = ARRAY_SIZE(sc7180_pdc_map),
++ .wakeirq_dual_edge_errata = true,
+ };
+
+ static int sc7180_pinctrl_probe(struct platform_device *pdev)
+--
+2.25.1
+
--- /dev/null
+From bafac78a64c0f944e49c8233425282925794425e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Jul 2020 18:08:05 -0400
+Subject: qed: Disable "MFW indication via attention" SPAM every 5 minutes
+
+From: Laurence Oberman <loberman@redhat.com>
+
+[ Upstream commit 1d61e21852d3161f234b9656797669fe185c251b ]
+
+This is likely firmware causing this but its starting to annoy customers.
+Change the message level to verbose to prevent the spam.
+Note that this seems to only show up with ISCSI enabled on the HBA via the
+qedi driver.
+
+Signed-off-by: Laurence Oberman <loberman@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_int.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_int.c b/drivers/net/ethernet/qlogic/qed/qed_int.c
+index 8d106063e9275..666e43748a5f4 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_int.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_int.c
+@@ -1180,7 +1180,8 @@ static int qed_int_attentions(struct qed_hwfn *p_hwfn)
+ index, attn_bits, attn_acks, asserted_bits,
+ deasserted_bits, p_sb_attn_sw->known_attn);
+ } else if (asserted_bits == 0x100) {
+- DP_INFO(p_hwfn, "MFW indication via attention\n");
++ DP_VERBOSE(p_hwfn, NETIF_MSG_INTR,
++ "MFW indication via attention\n");
+ } else {
+ DP_VERBOSE(p_hwfn, NETIF_MSG_INTR,
+ "MFW indication [deassertion]\n");
+--
+2.25.1
+
--- /dev/null
+From dfdc749eba1d022ccb9d58e98c567827d3b066dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Jul 2020 11:27:19 +0300
+Subject: RDMA/core: Free DIM memory in error unwind
+
+From: Leon Romanovsky <leonro@mellanox.com>
+
+[ Upstream commit fb448ce87a4a9482b084e67faf804aec79ed9b43 ]
+
+The memory allocated for the DIM wasn't freed in in error unwind path, fix
+it by calling to rdma_dim_destroy().
+
+Fixes: da6629793aa6 ("RDMA/core: Provide RDMA DIM support for ULPs")
+Link: https://lore.kernel.org/r/20200730082719.1582397-4-leon@kernel.org
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Reviewed-by: Max Gurtovoy <maxg@mellanox.com <mailto:maxg@mellanox.com>>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/cq.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/infiniband/core/cq.c b/drivers/infiniband/core/cq.c
+index c259f632f257f..6bb62d04030ac 100644
+--- a/drivers/infiniband/core/cq.c
++++ b/drivers/infiniband/core/cq.c
+@@ -270,6 +270,7 @@ struct ib_cq *__ib_alloc_cq_user(struct ib_device *dev, void *private,
+ return cq;
+
+ out_destroy_cq:
++ rdma_dim_destroy(cq);
+ rdma_restrack_del(&cq->res);
+ cq->device->ops.destroy_cq(cq, udata);
+ out_free_wc:
+--
+2.25.1
+
--- /dev/null
+From 1440da8bbfc0be29126295b61d7073fa5f2c6057 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Jul 2020 11:27:18 +0300
+Subject: RDMA/core: Stop DIM before destroying CQ
+
+From: Leon Romanovsky <leonro@mellanox.com>
+
+[ Upstream commit 5d46b289d04b98eb992b2f8b67745cc0953e16b1 ]
+
+HW destroy operation should be last operation after all possible CQ users
+completed their work, so move DIM work cancellation before such destroy
+call.
+
+Fixes: da6629793aa6 ("RDMA/core: Provide RDMA DIM support for ULPs")
+Link: https://lore.kernel.org/r/20200730082719.1582397-3-leon@kernel.org
+Reviewed-by: Max Gurtovoy <maxg@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/cq.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/infiniband/core/cq.c b/drivers/infiniband/core/cq.c
+index 4f25b24006945..c259f632f257f 100644
+--- a/drivers/infiniband/core/cq.c
++++ b/drivers/infiniband/core/cq.c
+@@ -68,6 +68,15 @@ static void rdma_dim_init(struct ib_cq *cq)
+ INIT_WORK(&dim->work, ib_cq_rdma_dim_work);
+ }
+
++static void rdma_dim_destroy(struct ib_cq *cq)
++{
++ if (!cq->dim)
++ return;
++
++ cancel_work_sync(&cq->dim->work);
++ kfree(cq->dim);
++}
++
+ static int __poll_cq(struct ib_cq *cq, int num_entries, struct ib_wc *wc)
+ {
+ int rc;
+@@ -324,12 +333,10 @@ void ib_free_cq_user(struct ib_cq *cq, struct ib_udata *udata)
+ WARN_ON_ONCE(1);
+ }
+
++ rdma_dim_destroy(cq);
+ trace_cq_free(cq);
+ rdma_restrack_del(&cq->res);
+ cq->device->ops.destroy_cq(cq, udata);
+- if (cq->dim)
+- cancel_work_sync(&cq->dim->work);
+- kfree(cq->dim);
+ kfree(cq->wc);
+ kfree(cq);
+ }
+--
+2.25.1
+
--- /dev/null
+From a2d10ed0fd438cbc076bafa2a1ad91f1ba4d4ba4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Jul 2020 19:25:49 +0530
+Subject: Revert "i2c: cadence: Fix the hold bit setting"
+
+From: Raviteja Narayanam <raviteja.narayanam@xilinx.com>
+
+[ Upstream commit 0db9254d6b896b587759e2c844c277fb1a6da5b9 ]
+
+This reverts commit d358def706880defa4c9e87381c5bf086a97d5f9.
+
+There are two issues with "i2c: cadence: Fix the hold bit setting" commit.
+
+1. In case of combined message request from user space, when the HOLD
+bit is cleared in cdns_i2c_mrecv function, a STOP condition is sent
+on the bus even before the last message is started. This is because when
+the HOLD bit is cleared, the FIFOS are empty and there is no pending
+transfer. The STOP condition should occur only after the last message
+is completed.
+
+2. The code added by the commit is redundant. Driver is handling the
+setting/clearing of HOLD bit in right way before the commit.
+
+The setting of HOLD bit based on 'bus_hold_flag' is taken care in
+cdns_i2c_master_xfer function even before cdns_i2c_msend/cdns_i2c_recv
+functions.
+
+The clearing of HOLD bit is taken care at the end of cdns_i2c_msend and
+cdns_i2c_recv functions based on bus_hold_flag and byte count.
+Since clearing of HOLD bit is done after the slave address is written to
+the register (writing to address register triggers the message transfer),
+it is ensured that STOP condition occurs at the right time after
+completion of the pending transfer (last message).
+
+Signed-off-by: Raviteja Narayanam <raviteja.narayanam@xilinx.com>
+Acked-by: Michal Simek <michal.simek@xilinx.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-cadence.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/i2c/busses/i2c-cadence.c b/drivers/i2c/busses/i2c-cadence.c
+index 89d58f7d2a253..97a0bd6ea31f1 100644
+--- a/drivers/i2c/busses/i2c-cadence.c
++++ b/drivers/i2c/busses/i2c-cadence.c
+@@ -382,10 +382,8 @@ static void cdns_i2c_mrecv(struct cdns_i2c *id)
+ * Check for the message size against FIFO depth and set the
+ * 'hold bus' bit if it is greater than FIFO depth.
+ */
+- if ((id->recv_count > CDNS_I2C_FIFO_DEPTH) || id->bus_hold_flag)
++ if (id->recv_count > CDNS_I2C_FIFO_DEPTH)
+ ctrl_reg |= CDNS_I2C_CR_HOLD;
+- else
+- ctrl_reg = ctrl_reg & ~CDNS_I2C_CR_HOLD;
+
+ cdns_i2c_writereg(ctrl_reg, CDNS_I2C_CR_OFFSET);
+
+@@ -442,11 +440,8 @@ static void cdns_i2c_msend(struct cdns_i2c *id)
+ * Check for the message size against FIFO depth and set the
+ * 'hold bus' bit if it is greater than FIFO depth.
+ */
+- if ((id->send_count > CDNS_I2C_FIFO_DEPTH) || id->bus_hold_flag)
++ if (id->send_count > CDNS_I2C_FIFO_DEPTH)
+ ctrl_reg |= CDNS_I2C_CR_HOLD;
+- else
+- ctrl_reg = ctrl_reg & ~CDNS_I2C_CR_HOLD;
+-
+ cdns_i2c_writereg(ctrl_reg, CDNS_I2C_CR_OFFSET);
+
+ /* Clear the interrupts in interrupt status register. */
+--
+2.25.1
+
--- /dev/null
+From 28d842e72b6797ed476e316e112d56ddbb2add6d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Jul 2020 20:12:53 +1000
+Subject: rhashtable: Fix unprotected RCU dereference in __rht_ptr
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 1748f6a2cbc4694523f16da1c892b59861045b9d ]
+
+The rcu_dereference call in rht_ptr_rcu is completely bogus because
+we've already dereferenced the value in __rht_ptr and operated on it.
+This causes potential double readings which could be fatal. The RCU
+dereference must occur prior to the comparison in __rht_ptr.
+
+This patch changes the order of RCU dereference so that it is done
+first and the result is then fed to __rht_ptr. The RCU marking
+changes have been minimised using casts which will be removed in
+a follow-up patch.
+
+Fixes: ba6306e3f648 ("rhashtable: Remove RCU marking from...")
+Reported-by: "Gong, Sishuai" <sishuai@purdue.edu>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/rhashtable.h | 25 +++++++++++++------------
+ 1 file changed, 13 insertions(+), 12 deletions(-)
+
+diff --git a/include/linux/rhashtable.h b/include/linux/rhashtable.h
+index 70ebef866cc82..e3def7bbe9323 100644
+--- a/include/linux/rhashtable.h
++++ b/include/linux/rhashtable.h
+@@ -349,11 +349,11 @@ static inline void rht_unlock(struct bucket_table *tbl,
+ local_bh_enable();
+ }
+
+-static inline struct rhash_head __rcu *__rht_ptr(
+- struct rhash_lock_head *const *bkt)
++static inline struct rhash_head *__rht_ptr(
++ struct rhash_lock_head *p, struct rhash_lock_head __rcu *const *bkt)
+ {
+- return (struct rhash_head __rcu *)
+- ((unsigned long)*bkt & ~BIT(0) ?:
++ return (struct rhash_head *)
++ ((unsigned long)p & ~BIT(0) ?:
+ (unsigned long)RHT_NULLS_MARKER(bkt));
+ }
+
+@@ -365,25 +365,26 @@ static inline struct rhash_head __rcu *__rht_ptr(
+ * access is guaranteed, such as when destroying the table.
+ */
+ static inline struct rhash_head *rht_ptr_rcu(
+- struct rhash_lock_head *const *bkt)
++ struct rhash_lock_head *const *p)
+ {
+- struct rhash_head __rcu *p = __rht_ptr(bkt);
+-
+- return rcu_dereference(p);
++ struct rhash_lock_head __rcu *const *bkt = (void *)p;
++ return __rht_ptr(rcu_dereference(*bkt), bkt);
+ }
+
+ static inline struct rhash_head *rht_ptr(
+- struct rhash_lock_head *const *bkt,
++ struct rhash_lock_head *const *p,
+ struct bucket_table *tbl,
+ unsigned int hash)
+ {
+- return rht_dereference_bucket(__rht_ptr(bkt), tbl, hash);
++ struct rhash_lock_head __rcu *const *bkt = (void *)p;
++ return __rht_ptr(rht_dereference_bucket(*bkt, tbl, hash), bkt);
+ }
+
+ static inline struct rhash_head *rht_ptr_exclusive(
+- struct rhash_lock_head *const *bkt)
++ struct rhash_lock_head *const *p)
+ {
+- return rcu_dereference_protected(__rht_ptr(bkt), 1);
++ struct rhash_lock_head __rcu *const *bkt = (void *)p;
++ return __rht_ptr(rcu_dereference_protected(*bkt, 1), bkt);
+ }
+
+ static inline void rht_assign_locked(struct rhash_lock_head **bkt,
+--
+2.25.1
+
--- /dev/null
+From 38f022ba6988fc81e1a52d6243f082cff2ffc025 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Jul 2020 16:30:07 -0700
+Subject: RISC-V: Set maximum number of mapped pages correctly
+
+From: Atish Patra <atish.patra@wdc.com>
+
+[ Upstream commit d0d8aae64566b753c4330fbd5944b88af035f299 ]
+
+Currently, maximum number of mapper pages are set to the pfn calculated
+from the memblock size of the memblock containing kernel. This will work
+until that memblock spans the entire memory. However, it will be set to
+a wrong value if there are multiple memblocks defined in kernel
+(e.g. with efi runtime services).
+
+Set the the maximum value to the pfn calculated from dram size.
+
+Signed-off-by: Atish Patra <atish.patra@wdc.com>
+Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/mm/init.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/riscv/mm/init.c b/arch/riscv/mm/init.c
+index 81493cee0a167..af8926777567f 100644
+--- a/arch/riscv/mm/init.c
++++ b/arch/riscv/mm/init.c
+@@ -170,9 +170,9 @@ void __init setup_bootmem(void)
+ /* Reserve from the start of the kernel to the end of the kernel */
+ memblock_reserve(vmlinux_start, vmlinux_end - vmlinux_start);
+
+- set_max_mapnr(PFN_DOWN(mem_size));
+ max_pfn = PFN_DOWN(memblock_end_of_DRAM());
+ max_low_pfn = max_pfn;
++ set_max_mapnr(max_low_pfn);
+
+ #ifdef CONFIG_BLK_DEV_INITRD
+ setup_initrd();
+--
+2.25.1
+
--- /dev/null
+From 6dbb092f1dc946d8ecf11c6308fd313897a4038d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Jul 2020 10:40:54 +0800
+Subject: riscv: kasan: use local_tlb_flush_all() to avoid uninitialized
+ __sbi_rfence
+
+From: Vincent Chen <vincent.chen@sifive.com>
+
+[ Upstream commit 4cb699d0447be8e0906539f93cbe41e19598ee5a ]
+
+It fails to boot the v5.8-rc4 kernel with CONFIG_KASAN because kasan_init
+and kasan_early_init use uninitialized __sbi_rfence as executing the
+tlb_flush_all(). Actually, at this moment, only the CPU which is
+responsible for the system initialization enables the MMU. Other CPUs are
+parking at the .Lsecondary_start. Hence the tlb_flush_all() is able to be
+replaced by local_tlb_flush_all() to avoid using uninitialized
+__sbi_rfence.
+
+Signed-off-by: Vincent Chen <vincent.chen@sifive.com>
+Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/mm/kasan_init.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/riscv/mm/kasan_init.c b/arch/riscv/mm/kasan_init.c
+index ec0ca90dd9000..7a580c8ad6034 100644
+--- a/arch/riscv/mm/kasan_init.c
++++ b/arch/riscv/mm/kasan_init.c
+@@ -44,7 +44,7 @@ asmlinkage void __init kasan_early_init(void)
+ (__pa(((uintptr_t) kasan_early_shadow_pmd))),
+ __pgprot(_PAGE_TABLE)));
+
+- flush_tlb_all();
++ local_flush_tlb_all();
+ }
+
+ static void __init populate(void *start, void *end)
+@@ -79,7 +79,7 @@ static void __init populate(void *start, void *end)
+ pfn_pgd(PFN_DOWN(__pa(&pmd[offset])),
+ __pgprot(_PAGE_TABLE)));
+
+- flush_tlb_all();
++ local_flush_tlb_all();
+ memset(start, 0, end - start);
+ }
+
+--
+2.25.1
+
--- /dev/null
+From f29468d64c4f7ebd9f6e2f31c1967998b6873a4e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Jul 2020 16:30:09 -0700
+Subject: riscv: Parse all memory blocks to remove unusable memory
+
+From: Atish Patra <atish.patra@wdc.com>
+
+[ Upstream commit fa5a198359053c8e21dcc2b39c0e13871059bc9f ]
+
+Currently, maximum physical memory allowed is equal to -PAGE_OFFSET.
+That's why we remove any memory blocks spanning beyond that size. However,
+it is done only for memblock containing linux kernel which will not work
+if there are multiple memblocks.
+
+Process all memory blocks to figure out how much memory needs to be removed
+and remove at the end instead of updating the memblock list in place.
+
+Signed-off-by: Atish Patra <atish.patra@wdc.com>
+Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/mm/init.c | 31 +++++++++++++++++--------------
+ 1 file changed, 17 insertions(+), 14 deletions(-)
+
+diff --git a/arch/riscv/mm/init.c b/arch/riscv/mm/init.c
+index af8926777567f..115fb9245f160 100644
+--- a/arch/riscv/mm/init.c
++++ b/arch/riscv/mm/init.c
+@@ -146,26 +146,29 @@ void __init setup_bootmem(void)
+ {
+ struct memblock_region *reg;
+ phys_addr_t mem_size = 0;
++ phys_addr_t total_mem = 0;
++ phys_addr_t mem_start, end = 0;
+ phys_addr_t vmlinux_end = __pa_symbol(&_end);
+ phys_addr_t vmlinux_start = __pa_symbol(&_start);
+
+ /* Find the memory region containing the kernel */
+ for_each_memblock(memory, reg) {
+- phys_addr_t end = reg->base + reg->size;
+-
+- if (reg->base <= vmlinux_start && vmlinux_end <= end) {
+- mem_size = min(reg->size, (phys_addr_t)-PAGE_OFFSET);
+-
+- /*
+- * Remove memblock from the end of usable area to the
+- * end of region
+- */
+- if (reg->base + mem_size < end)
+- memblock_remove(reg->base + mem_size,
+- end - reg->base - mem_size);
+- }
++ end = reg->base + reg->size;
++ if (!total_mem)
++ mem_start = reg->base;
++ if (reg->base <= vmlinux_start && vmlinux_end <= end)
++ BUG_ON(reg->size == 0);
++ total_mem = total_mem + reg->size;
+ }
+- BUG_ON(mem_size == 0);
++
++ /*
++ * Remove memblock from the end of usable area to the
++ * end of region
++ */
++ mem_size = min(total_mem, (phys_addr_t)-PAGE_OFFSET);
++ if (mem_start + mem_size < end)
++ memblock_remove(mem_start + mem_size,
++ end - mem_start - mem_size);
+
+ /* Reserve from the start of the kernel to the end of the kernel */
+ memblock_reserve(vmlinux_start, vmlinux_end - vmlinux_start);
+--
+2.25.1
+
--- /dev/null
+From 330491af2c0ba9a89af21fd3a095912f5d58ac56 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Jul 2020 10:54:35 +0800
+Subject: scsi: core: Run queue in case of I/O resource contention failure
+
+From: Ming Lei <ming.lei@redhat.com>
+
+[ Upstream commit 3f0dcfbcd2e162fc0a11c1f59b7acd42ee45f126 ]
+
+I/O requests may be held in scheduler queue because of resource contention.
+The starvation scenario was handled properly in the regular completion
+path but we failed to account for it during I/O submission. This lead to
+the hang captured below. Make sure we run the queue when resource
+contention is encountered in the submission path.
+
+[ 39.054963] scsi 13:0:0:0: rejecting I/O to dead device
+[ 39.058700] scsi 13:0:0:0: rejecting I/O to dead device
+[ 39.087855] sd 13:0:0:1: [sdd] Synchronizing SCSI cache
+[ 39.088909] scsi 13:0:0:1: rejecting I/O to dead device
+[ 39.095351] scsi 13:0:0:1: rejecting I/O to dead device
+[ 39.096962] scsi 13:0:0:1: rejecting I/O to dead device
+[ 247.021859] INFO: task scsi-stress-rem:813 blocked for more than 122 seconds.
+[ 247.023258] Not tainted 5.8.0-rc2 #8
+[ 247.024069] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+[ 247.025331] scsi-stress-rem D 0 813 802 0x00004000
+[ 247.025334] Call Trace:
+[ 247.025354] __schedule+0x504/0x55f
+[ 247.027987] schedule+0x72/0xa8
+[ 247.027991] blk_mq_freeze_queue_wait+0x63/0x8c
+[ 247.027994] ? do_wait_intr_irq+0x7a/0x7a
+[ 247.027996] blk_cleanup_queue+0x4b/0xc9
+[ 247.028000] __scsi_remove_device+0xf6/0x14e
+[ 247.028002] scsi_remove_device+0x21/0x2b
+[ 247.029037] sdev_store_delete+0x58/0x7c
+[ 247.029041] kernfs_fop_write+0x10d/0x14f
+[ 247.031281] vfs_write+0xa2/0xdf
+[ 247.032670] ksys_write+0x6b/0xb3
+[ 247.032673] do_syscall_64+0x56/0x82
+[ 247.034053] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 247.034059] RIP: 0033:0x7f69f39e9008
+[ 247.036330] Code: Bad RIP value.
+[ 247.036331] RSP: 002b:00007ffdd8116498 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+[ 247.037613] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f69f39e9008
+[ 247.039714] RDX: 0000000000000002 RSI: 000055cde92a0ab0 RDI: 0000000000000001
+[ 247.039715] RBP: 000055cde92a0ab0 R08: 000000000000000a R09: 00007f69f3a79e80
+[ 247.039716] R10: 000000000000000a R11: 0000000000000246 R12: 00007f69f3abb780
+[ 247.039717] R13: 0000000000000002 R14: 00007f69f3ab6740 R15: 0000000000000002
+
+Link: https://lore.kernel.org/r/20200720025435.812030-1-ming.lei@redhat.com
+Cc: linux-block@vger.kernel.org
+Cc: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi_lib.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
+index b8b4366f12001..887b6a47f5dac 100644
+--- a/drivers/scsi/scsi_lib.c
++++ b/drivers/scsi/scsi_lib.c
+@@ -564,6 +564,15 @@ static void scsi_mq_uninit_cmd(struct scsi_cmnd *cmd)
+ scsi_uninit_cmd(cmd);
+ }
+
++static void scsi_run_queue_async(struct scsi_device *sdev)
++{
++ if (scsi_target(sdev)->single_lun ||
++ !list_empty(&sdev->host->starved_list))
++ kblockd_schedule_work(&sdev->requeue_work);
++ else
++ blk_mq_run_hw_queues(sdev->request_queue, true);
++}
++
+ /* Returns false when no more bytes to process, true if there are more */
+ static bool scsi_end_request(struct request *req, blk_status_t error,
+ unsigned int bytes)
+@@ -608,11 +617,7 @@ static bool scsi_end_request(struct request *req, blk_status_t error,
+
+ __blk_mq_end_request(req, error);
+
+- if (scsi_target(sdev)->single_lun ||
+- !list_empty(&sdev->host->starved_list))
+- kblockd_schedule_work(&sdev->requeue_work);
+- else
+- blk_mq_run_hw_queues(q, true);
++ scsi_run_queue_async(sdev);
+
+ percpu_ref_put(&q->q_usage_counter);
+ return false;
+@@ -1706,6 +1711,7 @@ out_put_budget:
+ */
+ if (req->rq_flags & RQF_DONTPREP)
+ scsi_mq_uninit_cmd(cmd);
++ scsi_run_queue_async(sdev);
+ break;
+ }
+ return ret;
+--
+2.25.1
+
--- /dev/null
+From 0accb6e615837e61d9c20eaccc80c136708c63d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Jul 2020 18:17:10 +0200
+Subject: selftest: txtimestamp: fix net ns entry logic
+
+From: Paolo Pisati <paolo.pisati@canonical.com>
+
+[ Upstream commit b346c0c85892cb8c53e8715734f71ba5bbec3387 ]
+
+According to 'man 8 ip-netns', if `ip netns identify` returns an empty string,
+there's no net namespace associated with current PID: fix the net ns entrance
+logic.
+
+Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/txtimestamp.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/txtimestamp.sh b/tools/testing/selftests/net/txtimestamp.sh
+index eea6f5193693f..31637769f59f6 100755
+--- a/tools/testing/selftests/net/txtimestamp.sh
++++ b/tools/testing/selftests/net/txtimestamp.sh
+@@ -75,7 +75,7 @@ main() {
+ fi
+ }
+
+-if [[ "$(ip netns identify)" == "root" ]]; then
++if [[ -z "$(ip netns identify)" ]]; then
+ ./in_netns.sh $0 $@
+ else
+ main $@
+--
+2.25.1
+
--- /dev/null
+From 059dc1a2656d1e9450341be871dbaeba00b8a2f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Jul 2020 19:04:55 +0800
+Subject: selftests/bpf: fix netdevsim trap_flow_action_cookie read
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 4bbca662df2523ff7ad3224463f1f28e6a118044 ]
+
+When read netdevsim trap_flow_action_cookie, we need to init it first,
+or we will get "Invalid argument" error.
+
+Fixes: d3cbb907ae57 ("netdevsim: add ACL trap reporting cookie as a metadata")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/test_offload.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tools/testing/selftests/bpf/test_offload.py b/tools/testing/selftests/bpf/test_offload.py
+index 8294ae3ffb3cb..43c9cda199b82 100755
+--- a/tools/testing/selftests/bpf/test_offload.py
++++ b/tools/testing/selftests/bpf/test_offload.py
+@@ -318,6 +318,9 @@ class DebugfsDir:
+ continue
+
+ if os.path.isfile(p):
++ # We need to init trap_flow_action_cookie before read it
++ if f == "trap_flow_action_cookie":
++ cmd('echo deadbeef > %s/%s' % (path, f))
+ _, out = cmd('cat %s/%s' % (path, f))
+ dfs[f] = out.strip()
+ elif os.path.isdir(p):
+--
+2.25.1
+
--- /dev/null
+From 137172c0b365b23dcbf3dc3be5f8d283f5a61ab0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Jul 2020 12:26:48 +0300
+Subject: selftests: ethtool: Fix test when only two speeds are supported
+
+From: Amit Cohen <amitc@mellanox.com>
+
+[ Upstream commit 10fef9ca6a879e7bee090b8e51c9812d438d3fb1 ]
+
+The test case check_highest_speed_is_chosen() configures $h1 to
+advertise a subset of its supported speeds and checks that $h2 chooses
+the highest speed from the subset.
+
+To find the common advertised speeds between $h1 and $h2,
+common_speeds_get() is called.
+
+Currently, the first speed returned from common_speeds_get() is removed
+claiming "h1 does not advertise this speed". The claim is wrong because
+the function is called after $h1 already advertised a subset of speeds.
+
+In case $h1 supports only two speeds, it will advertise a single speed
+which will be later removed because of previously mentioned bug. This
+results in the test needlessly failing. When more than two speeds are
+supported this is not an issue because the first advertised speed
+is the lowest one.
+
+Fix this by not removing any speed from the list of commonly advertised
+speeds.
+
+Fixes: 64916b57c0b1 ("selftests: forwarding: Add speed and auto-negotiation test")
+Reported-by: Danielle Ratson <danieller@mellanox.com>
+Signed-off-by: Amit Cohen <amitc@mellanox.com>
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/forwarding/ethtool.sh | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/tools/testing/selftests/net/forwarding/ethtool.sh b/tools/testing/selftests/net/forwarding/ethtool.sh
+index eb8e2a23bbb4c..43a948feed265 100755
+--- a/tools/testing/selftests/net/forwarding/ethtool.sh
++++ b/tools/testing/selftests/net/forwarding/ethtool.sh
+@@ -252,8 +252,6 @@ check_highest_speed_is_chosen()
+ fi
+
+ local -a speeds_arr=($(common_speeds_get $h1 $h2 0 1))
+- # Remove the first speed, h1 does not advertise this speed.
+- unset speeds_arr[0]
+
+ max_speed=${speeds_arr[0]}
+ for current in ${speeds_arr[@]}; do
+--
+2.25.1
+
--- /dev/null
+From c81b90d98bc82a3ea504098d3e21dd6ea94658f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Jul 2020 17:40:55 +0200
+Subject: selftests: fib_nexthop_multiprefix: fix cleanup() netns deletion
+
+From: Paolo Pisati <paolo.pisati@canonical.com>
+
+[ Upstream commit 651149f60376758a4759f761767965040f9e4464 ]
+
+During setup():
+...
+ for ns in h0 r1 h1 h2 h3
+ do
+ create_ns ${ns}
+ done
+...
+
+while in cleanup():
+...
+ for n in h1 r1 h2 h3 h4
+ do
+ ip netns del ${n} 2>/dev/null
+ done
+...
+
+and after removing the stderr redirection in cleanup():
+
+$ sudo ./fib_nexthop_multiprefix.sh
+...
+TEST: IPv4: host 0 to host 3, mtu 1400 [ OK ]
+TEST: IPv6: host 0 to host 3, mtu 1400 [ OK ]
+Cannot remove namespace file "/run/netns/h4": No such file or directory
+$ echo $?
+1
+
+and a non-zero return code, make kselftests fail (even if the test
+itself is fine):
+
+...
+not ok 34 selftests: net: fib_nexthop_multiprefix.sh # exit=1
+...
+
+Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/fib_nexthop_multiprefix.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/fib_nexthop_multiprefix.sh b/tools/testing/selftests/net/fib_nexthop_multiprefix.sh
+index 9dc35a16e4159..51df5e305855a 100755
+--- a/tools/testing/selftests/net/fib_nexthop_multiprefix.sh
++++ b/tools/testing/selftests/net/fib_nexthop_multiprefix.sh
+@@ -144,7 +144,7 @@ setup()
+
+ cleanup()
+ {
+- for n in h1 r1 h2 h3 h4
++ for n in h0 r1 h1 h2 h3
+ do
+ ip netns del ${n} 2>/dev/null
+ done
+--
+2.25.1
+
--- /dev/null
+From 14b3e0acabc81d2ad0d29297a7ea6133cf57fd57 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Jul 2020 17:51:14 +0200
+Subject: selftests: net: ip_defrag: modprobe missing nf_defrag_ipv6 support
+
+From: Paolo Pisati <paolo.pisati@canonical.com>
+
+[ Upstream commit aba69d49fb49c9166596dd78926514173b7f9ab5 ]
+
+Fix ip_defrag.sh when CONFIG_NF_DEFRAG_IPV6=m:
+
+$ sudo ./ip_defrag.sh
++ set -e
++ mktemp -u XXXXXX
++ readonly NETNS=ns-rGlXcw
++ trap cleanup EXIT
++ setup
++ ip netns add ns-rGlXcw
++ ip -netns ns-rGlXcw link set lo up
++ ip netns exec ns-rGlXcw sysctl -w net.ipv4.ipfrag_high_thresh=9000000
++ ip netns exec ns-rGlXcw sysctl -w net.ipv4.ipfrag_low_thresh=7000000
++ ip netns exec ns-rGlXcw sysctl -w net.ipv4.ipfrag_time=1
++ ip netns exec ns-rGlXcw sysctl -w net.ipv6.ip6frag_high_thresh=9000000
++ ip netns exec ns-rGlXcw sysctl -w net.ipv6.ip6frag_low_thresh=7000000
++ ip netns exec ns-rGlXcw sysctl -w net.ipv6.ip6frag_time=1
++ ip netns exec ns-rGlXcw sysctl -w net.netfilter.nf_conntrack_frag6_high_thresh=9000000
++ cleanup
++ ip netns del ns-rGlXcw
+
+$ ls -la /proc/sys/net/netfilter/nf_conntrack_frag6_high_thresh
+ls: cannot access '/proc/sys/net/netfilter/nf_conntrack_frag6_high_thresh': No such file or directory
+
+$ sudo modprobe nf_defrag_ipv6
+$ ls -la /proc/sys/net/netfilter/nf_conntrack_frag6_high_thresh
+-rw-r--r-- 1 root root 0 Jul 14 12:34 /proc/sys/net/netfilter/nf_conntrack_frag6_high_thresh
+
+Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
+Reviewed-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/ip_defrag.sh | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/testing/selftests/net/ip_defrag.sh b/tools/testing/selftests/net/ip_defrag.sh
+index 15d3489ecd9ce..ceb7ad4dbd945 100755
+--- a/tools/testing/selftests/net/ip_defrag.sh
++++ b/tools/testing/selftests/net/ip_defrag.sh
+@@ -6,6 +6,8 @@
+ set +x
+ set -e
+
++modprobe -q nf_defrag_ipv6
++
+ readonly NETNS="ns-$(mktemp -u XXXXXX)"
+
+ setup() {
+--
+2.25.1
+
--- /dev/null
+From f891fcf493e5729fdcd676ff0126d360ce307b7e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Jul 2020 12:25:29 -0400
+Subject: selftests/net: psock_fanout: fix clang issues for target arch PowerPC
+
+From: Tanner Love <tannerlove@google.com>
+
+[ Upstream commit 64f9ede2274980076423583683d44480909b7a40 ]
+
+Clang 9 threw:
+warning: format specifies type 'unsigned short' but the argument has \
+type 'int' [-Wformat]
+ typeflags, PORT_BASE, PORT_BASE + port_off);
+
+Tested: make -C tools/testing/selftests TARGETS="net" run_tests
+
+Fixes: 77f65ebdca50 ("packet: packet fanout rollover during socket overload")
+Signed-off-by: Tanner Love <tannerlove@google.com>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/psock_fanout.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/psock_fanout.c b/tools/testing/selftests/net/psock_fanout.c
+index 8c8c7d79c38d9..2c522f7a0aeca 100644
+--- a/tools/testing/selftests/net/psock_fanout.c
++++ b/tools/testing/selftests/net/psock_fanout.c
+@@ -350,7 +350,8 @@ static int test_datapath(uint16_t typeflags, int port_off,
+ int fds[2], fds_udp[2][2], ret;
+
+ fprintf(stderr, "\ntest: datapath 0x%hx ports %hu,%hu\n",
+- typeflags, PORT_BASE, PORT_BASE + port_off);
++ typeflags, (uint16_t)PORT_BASE,
++ (uint16_t)(PORT_BASE + port_off));
+
+ fds[0] = sock_fanout_open(typeflags, 0);
+ fds[1] = sock_fanout_open(typeflags, 0);
+--
+2.25.1
+
--- /dev/null
+From 55be83e324403a8b078bb31ef2057a406e9025c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Jul 2020 12:25:28 -0400
+Subject: selftests/net: rxtimestamp: fix clang issues for target arch PowerPC
+
+From: Tanner Love <tannerlove@google.com>
+
+[ Upstream commit 955cbe91bcf782c09afe369c95a20f0a4b6dcc3c ]
+
+The signedness of char is implementation-dependent. Some systems
+(including PowerPC and ARM) use unsigned char. Clang 9 threw:
+warning: result of comparison of constant -1 with expression of type \
+'char' is always true [-Wtautological-constant-out-of-range-compare]
+ &arg_index)) != -1) {
+
+Tested: make -C tools/testing/selftests TARGETS="net" run_tests
+
+Fixes: 16e781224198 ("selftests/net: Add a test to validate behavior of rx timestamps")
+Signed-off-by: Tanner Love <tannerlove@google.com>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/rxtimestamp.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/net/rxtimestamp.c b/tools/testing/selftests/net/rxtimestamp.c
+index 422e7761254de..bcb79ba1f2143 100644
+--- a/tools/testing/selftests/net/rxtimestamp.c
++++ b/tools/testing/selftests/net/rxtimestamp.c
+@@ -329,8 +329,7 @@ int main(int argc, char **argv)
+ bool all_tests = true;
+ int arg_index = 0;
+ int failures = 0;
+- int s, t;
+- char opt;
++ int s, t, opt;
+
+ while ((opt = getopt_long(argc, argv, "", long_options,
+ &arg_index)) != -1) {
+--
+2.25.1
+
--- /dev/null
+From dcbc370dfb1483c128888f0a6fdfecfe6dacf52b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Jul 2020 12:25:30 -0400
+Subject: selftests/net: so_txtime: fix clang issues for target arch PowerPC
+
+From: Tanner Love <tannerlove@google.com>
+
+[ Upstream commit b4da96ffd30bd4a305045ba5c9b0de5d4aa20dc7 ]
+
+On powerpcle, int64_t maps to long long. Clang 9 threw:
+warning: absolute value function 'labs' given an argument of type \
+'long long' but has parameter of type 'long' which may cause \
+truncation of value [-Wabsolute-value]
+ if (labs(tstop - texpect) > cfg_variance_us)
+
+Tested: make -C tools/testing/selftests TARGETS="net" run_tests
+
+Fixes: af5136f95045 ("selftests/net: SO_TXTIME with ETF and FQ")
+Signed-off-by: Tanner Love <tannerlove@google.com>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/so_txtime.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/so_txtime.c b/tools/testing/selftests/net/so_txtime.c
+index ceaad78e96674..3155fbbf644b0 100644
+--- a/tools/testing/selftests/net/so_txtime.c
++++ b/tools/testing/selftests/net/so_txtime.c
+@@ -121,7 +121,7 @@ static bool do_recv_one(int fdr, struct timed_send *ts)
+ if (rbuf[0] != ts->data)
+ error(1, 0, "payload mismatch. expected %c", ts->data);
+
+- if (labs(tstop - texpect) > cfg_variance_us)
++ if (llabs(tstop - texpect) > cfg_variance_us)
+ error(1, 0, "exceeds variance (%d us)", cfg_variance_us);
+
+ return false;
+--
+2.25.1
+
--- /dev/null
+From 2a76e10c775c32b09a45a493073b9416c732ccaf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Jul 2020 12:25:31 -0400
+Subject: selftests/net: tcp_mmap: fix clang warning for target arch PowerPC
+
+From: Tanner Love <tannerlove@google.com>
+
+[ Upstream commit 94b6c13be57cdedb7cf4d33dbcd066fad133f22b ]
+
+When size_t maps to unsigned int (e.g. on 32-bit powerpc), then the
+comparison with 1<<35 is always true. Clang 9 threw:
+warning: result of comparison of constant 34359738368 with \
+expression of type 'size_t' (aka 'unsigned int') is always true \
+[-Wtautological-constant-out-of-range-compare]
+ while (total < FILE_SZ) {
+
+Tested: make -C tools/testing/selftests TARGETS="net" run_tests
+
+Fixes: 192dc405f308 ("selftests: net: add tcp_mmap program")
+Signed-off-by: Tanner Love <tannerlove@google.com>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/tcp_mmap.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/tools/testing/selftests/net/tcp_mmap.c b/tools/testing/selftests/net/tcp_mmap.c
+index 4555f88252baf..a61b7b3da5496 100644
+--- a/tools/testing/selftests/net/tcp_mmap.c
++++ b/tools/testing/selftests/net/tcp_mmap.c
+@@ -344,7 +344,7 @@ int main(int argc, char *argv[])
+ {
+ struct sockaddr_storage listenaddr, addr;
+ unsigned int max_pacing_rate = 0;
+- size_t total = 0;
++ uint64_t total = 0;
+ char *host = NULL;
+ int fd, c, on = 1;
+ char *buffer;
+@@ -473,12 +473,12 @@ int main(int argc, char *argv[])
+ zflg = 0;
+ }
+ while (total < FILE_SZ) {
+- ssize_t wr = FILE_SZ - total;
++ int64_t wr = FILE_SZ - total;
+
+ if (wr > chunk_size)
+ wr = chunk_size;
+ /* Note : we just want to fill the pipe with 0 bytes */
+- wr = send(fd, buffer, wr, zflg ? MSG_ZEROCOPY : 0);
++ wr = send(fd, buffer, (size_t)wr, zflg ? MSG_ZEROCOPY : 0);
+ if (wr <= 0)
+ break;
+ total += wr;
+--
+2.25.1
+
random32-remove-net_rand_state-from-the-latent-entropy-gcc-plugin.patch
rds-prevent-kernel-infoleak-in-rds_notify_queue_get.patch
libtraceevent-fix-build-with-binutils-2.35.patch
+xfrm-policy-match-with-both-mark-and-mask-on-user-in.patch
+arm-dts-sunxi-relax-a-bit-the-cma-pool-allocation-ra.patch
+pinctrl-qcom-handle-broken-missing-pdc-dual-edge-irq.patch
+espintcp-recv-should-return-0-when-the-peer-socket-i.patch
+xfrm-fix-crash-when-the-hold-queue-is-used.patch
+arm-dts-armada-38x-fix-neta-lockup-when-repeatedly-s.patch
+nvme-tcp-fix-possible-hang-waiting-for-icresp-respon.patch
+selftests-net-rxtimestamp-fix-clang-issues-for-targe.patch
+selftests-net-psock_fanout-fix-clang-issues-for-targ.patch
+selftests-net-so_txtime-fix-clang-issues-for-target-.patch
+selftests-net-tcp_mmap-fix-clang-warning-for-target-.patch
+sh-tlb-fix-pgtable_levels-2.patch
+sh-fix-validation-of-system-call-number.patch
+net-hns3-fix-desc-filling-bug-when-skb-is-expanded-o.patch
+net-hns3-fix-a-tx-timeout-issue.patch
+net-hns3-add-reset-check-for-vf-updating-port-based-.patch
+net-hns3-fix-arfs-fd-rules-leftover-after-add-a-user.patch
+net-hns3-fix-for-vlan-config-when-reset-failed.patch
+net-mlx5-e-switch-destroy-tsar-when-fail-to-enable-t.patch
+net-mlx5-e-switch-destroy-tsar-after-reload-interfac.patch
+net-mlx5e-fix-error-path-of-device-attach.patch
+net-mlx5-fix-a-bug-of-using-ptp-channel-index-as-pin.patch
+net-mlx5-verify-hardware-supports-requested-ptp-func.patch
+net-mlx5-query-pps-pin-operational-status-before-reg.patch
+net-mlx5e-modify-uplink-state-on-interface-up-down.patch
+net-mlx5e-fix-kernel-crash-when-setting-vf-vlanid-on.patch
+net-lan78xx-add-missing-endpoint-sanity-check.patch
+net-lan78xx-fix-transfer-buffer-memory-leak.patch
+rhashtable-fix-unprotected-rcu-dereference-in-__rht_.patch
+mlx4-disable-device-on-shutdown.patch
+octeontx2-pf-fix-reset_task-bugs.patch
+octeontx2-pf-cancel-reset_task-work.patch
+octeontx2-pf-unregister-netdev-at-driver-remove.patch
+bareudp-forbid-mixing-ip-and-mpls-in-multiproto-mode.patch
+nvme-add-a-identify-namespace-identification-descrip.patch
+mlxsw-core-increase-scope-of-rcu-read-side-critical-.patch
+mlxsw-core-free-emad-transactions-using-kfree_rcu.patch
+mlxsw-spectrum_router-fix-use-after-free-in-router-i.patch
+selftests-ethtool-fix-test-when-only-two-speeds-are-.patch
+ibmvnic-fix-irq-mapping-disposal-in-error-path.patch
+bpf-fix-map-leak-in-hash_of_maps-map.patch
+espintcp-handle-short-messages-instead-of-breaking-t.patch
+mac80211-mesh-free-ie-data-when-leaving-mesh.patch
+mac80211-mesh-free-pending-skb-when-destroying-a-mpa.patch
+rdma-core-stop-dim-before-destroying-cq.patch
+rdma-core-free-dim-memory-in-error-unwind.patch
+arm64-alternatives-move-length-validation-inside-the.patch
+arm64-csum-fix-handling-of-bad-packets.patch
+bluetooth-fix-kernel-oops-in-store_pending_adv_repor.patch
+selftests-bpf-fix-netdevsim-trap_flow_action_cookie-.patch
+net-nixge-fix-potential-memory-leak-in-nixge_probe.patch
+net-ethernet-mtk_eth_soc-fix-mtu-warnings.patch
+ionic-unlock-queue-mutex-in-error-path.patch
+net-gemini-fix-missing-clk_disable_unprepare-in-erro.patch
+net-mlx5e-e-switch-add-misc-bit-when-misc-fields-cha.patch
+net-mlx5e-fix-bpf_prog-reference-count-leaks-in-mlx5.patch
+perf-tools-fix-record-failure-when-mixed-with-arm-sp.patch
+vxlan-fix-memleak-of-fdb.patch
+mt76-mt7615-fix-lmac-queue-debugsfs-entry.patch
+iwlwifi-fix-crash-in-iwl_dbg_tlv_alloc_trigger.patch
+usb-hso-fix-debug-compile-warning-on-sparc32.patch
+selftests-fib_nexthop_multiprefix-fix-cleanup-netns-.patch
+qed-disable-mfw-indication-via-attention-spam-every-.patch
+selftests-net-ip_defrag-modprobe-missing-nf_defrag_i.patch
+io_uring-always-allow-drain-link-hardlink-async-sqe-.patch
+habanalabs-prevent-possible-out-of-bounds-array-acce.patch
+nfc-s3fwrn5-add-missing-release-on-skb-in-s3fwrn5_re.patch
+scsi-core-run-queue-in-case-of-i-o-resource-contenti.patch
+riscv-kasan-use-local_tlb_flush_all-to-avoid-uniniti.patch
+parisc-add-support-for-cmpxchg-on-u8-pointers.patch
+net-ethernet-ravb-exit-if-re-initialization-fails-in.patch
+selftest-txtimestamp-fix-net-ns-entry-logic.patch
+revert-i2c-cadence-fix-the-hold-bit-setting.patch
+i2c-cadence-clear-hold-bit-at-correct-time-in-rx-pat.patch
+x86-unwind-orc-fix-orc-for-newly-forked-tasks.patch
+x86-stacktrace-fix-reliable-check-for-empty-user-tas.patch
+cxgb4-add-missing-release-on-skb-in-uld_send.patch
+xen-netfront-fix-potential-deadlock-in-xennet_remove.patch
+risc-v-set-maximum-number-of-mapped-pages-correctly.patch
+drivers-net-wan-lapb-corrected-the-usage-of-skb_cow.patch
+riscv-parse-all-memory-blocks-to-remove-unusable-mem.patch
--- /dev/null
+From fef4c708b6265c2c0454a4600d2b84651bd0402f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Jul 2020 01:13:19 +0200
+Subject: sh: Fix validation of system call number
+
+From: Michael Karcher <kernel@mkarcher.dialup.fu-berlin.de>
+
+[ Upstream commit 04a8a3d0a73f51c7c2da84f494db7ec1df230e69 ]
+
+The slow path for traced system call entries accessed a wrong memory
+location to get the number of the maximum allowed system call number.
+Renumber the numbered "local" label for the correct location to avoid
+collisions with actual local labels.
+
+Signed-off-by: Michael Karcher <kernel@mkarcher.dialup.fu-berlin.de>
+Tested-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Fixes: f3a8308864f920d2 ("sh: Add a few missing irqflags tracing markers.")
+Signed-off-by: Rich Felker <dalias@libc.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/sh/kernel/entry-common.S | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/sh/kernel/entry-common.S b/arch/sh/kernel/entry-common.S
+index 956a7a03b0c83..9bac5bbb67f33 100644
+--- a/arch/sh/kernel/entry-common.S
++++ b/arch/sh/kernel/entry-common.S
+@@ -199,7 +199,7 @@ syscall_trace_entry:
+ mov.l @(OFF_R7,r15), r7 ! arg3
+ mov.l @(OFF_R3,r15), r3 ! syscall_nr
+ !
+- mov.l 2f, r10 ! Number of syscalls
++ mov.l 6f, r10 ! Number of syscalls
+ cmp/hs r10, r3
+ bf syscall_call
+ mov #-ENOSYS, r0
+@@ -353,7 +353,7 @@ ENTRY(system_call)
+ tst r9, r8
+ bf syscall_trace_entry
+ !
+- mov.l 2f, r8 ! Number of syscalls
++ mov.l 6f, r8 ! Number of syscalls
+ cmp/hs r8, r3
+ bt syscall_badsys
+ !
+@@ -392,7 +392,7 @@ syscall_exit:
+ #if !defined(CONFIG_CPU_SH2)
+ 1: .long TRA
+ #endif
+-2: .long NR_syscalls
++6: .long NR_syscalls
+ 3: .long sys_call_table
+ 7: .long do_syscall_trace_enter
+ 8: .long do_syscall_trace_leave
+--
+2.25.1
+
--- /dev/null
+From cbe8ce3497df919a789c734141a88a24270e33be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Jul 2020 13:10:07 +0200
+Subject: sh/tlb: Fix PGTABLE_LEVELS > 2
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit c7bcbc8ab9cb20536b8f50c62a48cebda965fdba ]
+
+Geert reported that his SH7722-based Migo-R board failed to boot after
+commit:
+
+ c5b27a889da9 ("sh/tlb: Convert SH to generic mmu_gather")
+
+That commit fell victim to copying the wrong pattern --
+__pmd_free_tlb() used to be implemented with pmd_free().
+
+Fixes: c5b27a889da9 ("sh/tlb: Convert SH to generic mmu_gather")
+Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Rich Felker <dalias@libc.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/sh/include/asm/pgalloc.h | 10 +---------
+ 1 file changed, 1 insertion(+), 9 deletions(-)
+
+diff --git a/arch/sh/include/asm/pgalloc.h b/arch/sh/include/asm/pgalloc.h
+index 22d968bfe9bb6..d770da3f8b6fb 100644
+--- a/arch/sh/include/asm/pgalloc.h
++++ b/arch/sh/include/asm/pgalloc.h
+@@ -12,6 +12,7 @@ extern void pgd_free(struct mm_struct *mm, pgd_t *pgd);
+ extern void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd);
+ extern pmd_t *pmd_alloc_one(struct mm_struct *mm, unsigned long address);
+ extern void pmd_free(struct mm_struct *mm, pmd_t *pmd);
++#define __pmd_free_tlb(tlb, pmdp, addr) pmd_free((tlb)->mm, (pmdp))
+ #endif
+
+ static inline void pmd_populate_kernel(struct mm_struct *mm, pmd_t *pmd,
+@@ -33,13 +34,4 @@ do { \
+ tlb_remove_page((tlb), (pte)); \
+ } while (0)
+
+-#if CONFIG_PGTABLE_LEVELS > 2
+-#define __pmd_free_tlb(tlb, pmdp, addr) \
+-do { \
+- struct page *page = virt_to_page(pmdp); \
+- pgtable_pmd_page_dtor(page); \
+- tlb_remove_page((tlb), page); \
+-} while (0);
+-#endif
+-
+ #endif /* __ASM_SH_PGALLOC_H */
+--
+2.25.1
+
--- /dev/null
+From 4dee3a1c632eecf5faee8b1e01fb131c7390968a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Jul 2020 13:05:13 +0200
+Subject: usb: hso: Fix debug compile warning on sparc32
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+
+[ Upstream commit e0484010ec05191a8edf980413fc92f28050c1cc ]
+
+On sparc32, tcflag_t is "unsigned long", unlike on all other
+architectures, where it is "unsigned int":
+
+ drivers/net/usb/hso.c: In function ‘hso_serial_set_termios’:
+ include/linux/kern_levels.h:5:18: warning: format ‘%d’ expects argument of type ‘unsigned int’, but argument 4 has type ‘tcflag_t {aka long unsigned int}’ [-Wformat=]
+ drivers/net/usb/hso.c:1393:3: note: in expansion of macro ‘hso_dbg’
+ hso_dbg(0x16, "Termios called with: cflags new[%d] - old[%d]\n",
+ ^~~~~~~
+ include/linux/kern_levels.h:5:18: warning: format ‘%d’ expects argument of type ‘unsigned int’, but argument 5 has type ‘tcflag_t {aka long unsigned int}’ [-Wformat=]
+ drivers/net/usb/hso.c:1393:3: note: in expansion of macro ‘hso_dbg’
+ hso_dbg(0x16, "Termios called with: cflags new[%d] - old[%d]\n",
+ ^~~~~~~
+
+As "unsigned long" is 32-bit on sparc32, fix this by casting all tcflag_t
+parameters to "unsigned int".
+While at it, use "%u" to format unsigned numbers.
+
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/hso.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
+index bb8c34d746ab3..5f123a8cf68ed 100644
+--- a/drivers/net/usb/hso.c
++++ b/drivers/net/usb/hso.c
+@@ -1390,8 +1390,9 @@ static void hso_serial_set_termios(struct tty_struct *tty, struct ktermios *old)
+ unsigned long flags;
+
+ if (old)
+- hso_dbg(0x16, "Termios called with: cflags new[%d] - old[%d]\n",
+- tty->termios.c_cflag, old->c_cflag);
++ hso_dbg(0x16, "Termios called with: cflags new[%u] - old[%u]\n",
++ (unsigned int)tty->termios.c_cflag,
++ (unsigned int)old->c_cflag);
+
+ /* the actual setup */
+ spin_lock_irqsave(&serial->serial_lock, flags);
+--
+2.25.1
+
--- /dev/null
+From f26356f446268fa751d8d98e70fe8b73e92f324a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 Aug 2020 07:07:50 +0000
+Subject: vxlan: fix memleak of fdb
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit fda2ec62cf1aa7cbee52289dc8059cd3662795da ]
+
+When vxlan interface is deleted, all fdbs are deleted by vxlan_flush().
+vxlan_flush() flushes fdbs but it doesn't delete fdb, which contains
+all-zeros-mac because it is deleted by vxlan_uninit().
+But vxlan_uninit() deletes only the fdb, which contains both all-zeros-mac
+and default vni.
+So, the fdb, which contains both all-zeros-mac and non-default vni
+will not be deleted.
+
+Test commands:
+ ip link add vxlan0 type vxlan dstport 4789 external
+ ip link set vxlan0 up
+ bridge fdb add to 00:00:00:00:00:00 dst 172.0.0.1 dev vxlan0 via lo \
+ src_vni 10000 self permanent
+ ip link del vxlan0
+
+kmemleak reports as follows:
+unreferenced object 0xffff9486b25ced88 (size 96):
+ comm "bridge", pid 2151, jiffies 4294701712 (age 35506.901s)
+ hex dump (first 32 bytes):
+ 02 00 00 00 ac 00 00 01 40 00 09 b1 86 94 ff ff ........@.......
+ 46 02 00 00 00 00 00 00 a7 03 00 00 12 b5 6a 6b F.............jk
+ backtrace:
+ [<00000000c10cf651>] vxlan_fdb_append.part.51+0x3c/0xf0 [vxlan]
+ [<000000006b31a8d9>] vxlan_fdb_create+0x184/0x1a0 [vxlan]
+ [<0000000049399045>] vxlan_fdb_update+0x12f/0x220 [vxlan]
+ [<0000000090b1ef00>] vxlan_fdb_add+0x12a/0x1b0 [vxlan]
+ [<0000000056633c2c>] rtnl_fdb_add+0x187/0x270
+ [<00000000dd5dfb6b>] rtnetlink_rcv_msg+0x264/0x490
+ [<00000000fc44dd54>] netlink_rcv_skb+0x4a/0x110
+ [<00000000dff433e7>] netlink_unicast+0x18e/0x250
+ [<00000000b87fb421>] netlink_sendmsg+0x2e9/0x400
+ [<000000002ed55153>] ____sys_sendmsg+0x237/0x260
+ [<00000000faa51c66>] ___sys_sendmsg+0x88/0xd0
+ [<000000006c3982f1>] __sys_sendmsg+0x4e/0x80
+ [<00000000a8f875d2>] do_syscall_64+0x56/0xe0
+ [<000000003610eefa>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+unreferenced object 0xffff9486b1c40080 (size 128):
+ comm "bridge", pid 2157, jiffies 4294701754 (age 35506.866s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 f8 dc 42 b2 86 94 ff ff ..........B.....
+ 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
+ backtrace:
+ [<00000000a2981b60>] vxlan_fdb_create+0x67/0x1a0 [vxlan]
+ [<0000000049399045>] vxlan_fdb_update+0x12f/0x220 [vxlan]
+ [<0000000090b1ef00>] vxlan_fdb_add+0x12a/0x1b0 [vxlan]
+ [<0000000056633c2c>] rtnl_fdb_add+0x187/0x270
+ [<00000000dd5dfb6b>] rtnetlink_rcv_msg+0x264/0x490
+ [<00000000fc44dd54>] netlink_rcv_skb+0x4a/0x110
+ [<00000000dff433e7>] netlink_unicast+0x18e/0x250
+ [<00000000b87fb421>] netlink_sendmsg+0x2e9/0x400
+ [<000000002ed55153>] ____sys_sendmsg+0x237/0x260
+ [<00000000faa51c66>] ___sys_sendmsg+0x88/0xd0
+ [<000000006c3982f1>] __sys_sendmsg+0x4e/0x80
+ [<00000000a8f875d2>] do_syscall_64+0x56/0xe0
+ [<000000003610eefa>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: 3ad7a4b141eb ("vxlan: support fdb and learning in COLLECT_METADATA mode")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Acked-by: Roopa Prabhu <roopa@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/vxlan.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
+index 779e56c43d27b..6e64bc8d601f7 100644
+--- a/drivers/net/vxlan.c
++++ b/drivers/net/vxlan.c
+@@ -2863,8 +2863,10 @@ static void vxlan_flush(struct vxlan_dev *vxlan, bool do_all)
+ if (!do_all && (f->state & (NUD_PERMANENT | NUD_NOARP)))
+ continue;
+ /* the all_zeros_mac entry is deleted at vxlan_uninit */
+- if (!is_zero_ether_addr(f->eth_addr))
+- vxlan_fdb_destroy(vxlan, f, true, true);
++ if (is_zero_ether_addr(f->eth_addr) &&
++ f->vni == vxlan->cfg.vni)
++ continue;
++ vxlan_fdb_destroy(vxlan, f, true, true);
+ }
+ spin_unlock_bh(&vxlan->hash_lock[h]);
+ }
+--
+2.25.1
+
--- /dev/null
+From bd25504e997d38672202584f677837f8657bf0c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Jul 2020 09:04:26 -0500
+Subject: x86/stacktrace: Fix reliable check for empty user task stacks
+
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+
+[ Upstream commit 039a7a30ec102ec866d382a66f87f6f7654f8140 ]
+
+If a user task's stack is empty, or if it only has user regs, ORC
+reports it as a reliable empty stack. But arch_stack_walk_reliable()
+incorrectly treats it as unreliable.
+
+That happens because the only success path for user tasks is inside the
+loop, which only iterates on non-empty stacks. Generally, a user task
+must end in a user regs frame, but an empty stack is an exception to
+that rule.
+
+Thanks to commit 71c95825289f ("x86/unwind/orc: Fix error handling in
+__unwind_start()"), unwind_start() now sets state->error appropriately.
+So now for both ORC and FP unwinders, unwind_done() and !unwind_error()
+always means the end of the stack was successfully reached. So the
+success path for kthreads is no longer needed -- it can also be used for
+empty user tasks.
+
+Reported-by: Wang ShaoBo <bobo.shaobowang@huawei.com>
+Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Wang ShaoBo <bobo.shaobowang@huawei.com>
+Link: https://lkml.kernel.org/r/f136a4e5f019219cbc4f4da33b30c2f44fa65b84.1594994374.git.jpoimboe@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/stacktrace.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/arch/x86/kernel/stacktrace.c b/arch/x86/kernel/stacktrace.c
+index 6ad43fc44556e..2fd698e28e4d5 100644
+--- a/arch/x86/kernel/stacktrace.c
++++ b/arch/x86/kernel/stacktrace.c
+@@ -58,7 +58,6 @@ int arch_stack_walk_reliable(stack_trace_consume_fn consume_entry,
+ * or a page fault), which can make frame pointers
+ * unreliable.
+ */
+-
+ if (IS_ENABLED(CONFIG_FRAME_POINTER))
+ return -EINVAL;
+ }
+@@ -81,10 +80,6 @@ int arch_stack_walk_reliable(stack_trace_consume_fn consume_entry,
+ if (unwind_error(&state))
+ return -EINVAL;
+
+- /* Success path for non-user tasks, i.e. kthreads and idle tasks */
+- if (!(task->flags & (PF_KTHREAD | PF_IDLE)))
+- return -EINVAL;
+-
+ return 0;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 887dfd7cd4a0d76fa5d49219d7dbdc8483108094 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Jul 2020 09:04:25 -0500
+Subject: x86/unwind/orc: Fix ORC for newly forked tasks
+
+From: Josh Poimboeuf <jpoimboe@redhat.com>
+
+[ Upstream commit 372a8eaa05998cd45b3417d0e0ffd3a70978211a ]
+
+The ORC unwinder fails to unwind newly forked tasks which haven't yet
+run on the CPU. It correctly reads the 'ret_from_fork' instruction
+pointer from the stack, but it incorrectly interprets that value as a
+call stack address rather than a "signal" one, so the address gets
+incorrectly decremented in the call to orc_find(), resulting in bad ORC
+data.
+
+Fix it by forcing 'ret_from_fork' frames to be signal frames.
+
+Reported-by: Wang ShaoBo <bobo.shaobowang@huawei.com>
+Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Wang ShaoBo <bobo.shaobowang@huawei.com>
+Link: https://lkml.kernel.org/r/f91a8778dde8aae7f71884b5df2b16d552040441.1594994374.git.jpoimboe@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/unwind_orc.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/unwind_orc.c b/arch/x86/kernel/unwind_orc.c
+index 7f969b2d240fd..ec88bbe08a328 100644
+--- a/arch/x86/kernel/unwind_orc.c
++++ b/arch/x86/kernel/unwind_orc.c
+@@ -440,8 +440,11 @@ bool unwind_next_frame(struct unwind_state *state)
+ /*
+ * Find the orc_entry associated with the text address.
+ *
+- * Decrement call return addresses by one so they work for sibling
+- * calls and calls to noreturn functions.
++ * For a call frame (as opposed to a signal frame), state->ip points to
++ * the instruction after the call. That instruction's stack layout
++ * could be different from the call instruction's layout, for example
++ * if the call was to a noreturn function. So get the ORC data for the
++ * call instruction itself.
+ */
+ orc = orc_find(state->signal ? state->ip : state->ip - 1);
+ if (!orc) {
+@@ -662,6 +665,7 @@ void __unwind_start(struct unwind_state *state, struct task_struct *task,
+ state->sp = task->thread.sp;
+ state->bp = READ_ONCE_NOCHECK(frame->bp);
+ state->ip = READ_ONCE_NOCHECK(frame->ret_addr);
++ state->signal = (void *)state->ip == ret_from_fork;
+ }
+
+ if (get_stack_info((unsigned long *)state->sp, state->task,
+--
+2.25.1
+
--- /dev/null
+From a97dee1999f7219adc4d7bf03ba181a59a646983 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Jul 2020 10:59:10 +0200
+Subject: xen-netfront: fix potential deadlock in xennet_remove()
+
+From: Andrea Righi <andrea.righi@canonical.com>
+
+[ Upstream commit c2c633106453611be07821f53dff9e93a9d1c3f0 ]
+
+There's a potential race in xennet_remove(); this is what the driver is
+doing upon unregistering a network device:
+
+ 1. state = read bus state
+ 2. if state is not "Closed":
+ 3. request to set state to "Closing"
+ 4. wait for state to be set to "Closing"
+ 5. request to set state to "Closed"
+ 6. wait for state to be set to "Closed"
+
+If the state changes to "Closed" immediately after step 1 we are stuck
+forever in step 4, because the state will never go back from "Closed" to
+"Closing".
+
+Make sure to check also for state == "Closed" in step 4 to prevent the
+deadlock.
+
+Also add a 5 sec timeout any time we wait for the bus state to change,
+to avoid getting stuck forever in wait_event().
+
+Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/xen-netfront.c | 64 +++++++++++++++++++++++++-------------
+ 1 file changed, 42 insertions(+), 22 deletions(-)
+
+diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
+index 482c6c8b0fb7e..88280057e0321 100644
+--- a/drivers/net/xen-netfront.c
++++ b/drivers/net/xen-netfront.c
+@@ -63,6 +63,8 @@ module_param_named(max_queues, xennet_max_queues, uint, 0644);
+ MODULE_PARM_DESC(max_queues,
+ "Maximum number of queues per virtual interface");
+
++#define XENNET_TIMEOUT (5 * HZ)
++
+ static const struct ethtool_ops xennet_ethtool_ops;
+
+ struct netfront_cb {
+@@ -1334,12 +1336,15 @@ static struct net_device *xennet_create_dev(struct xenbus_device *dev)
+
+ netif_carrier_off(netdev);
+
+- xenbus_switch_state(dev, XenbusStateInitialising);
+- wait_event(module_wq,
+- xenbus_read_driver_state(dev->otherend) !=
+- XenbusStateClosed &&
+- xenbus_read_driver_state(dev->otherend) !=
+- XenbusStateUnknown);
++ do {
++ xenbus_switch_state(dev, XenbusStateInitialising);
++ err = wait_event_timeout(module_wq,
++ xenbus_read_driver_state(dev->otherend) !=
++ XenbusStateClosed &&
++ xenbus_read_driver_state(dev->otherend) !=
++ XenbusStateUnknown, XENNET_TIMEOUT);
++ } while (!err);
++
+ return netdev;
+
+ exit:
+@@ -2139,28 +2144,43 @@ static const struct attribute_group xennet_dev_group = {
+ };
+ #endif /* CONFIG_SYSFS */
+
+-static int xennet_remove(struct xenbus_device *dev)
++static void xennet_bus_close(struct xenbus_device *dev)
+ {
+- struct netfront_info *info = dev_get_drvdata(&dev->dev);
+-
+- dev_dbg(&dev->dev, "%s\n", dev->nodename);
++ int ret;
+
+- if (xenbus_read_driver_state(dev->otherend) != XenbusStateClosed) {
++ if (xenbus_read_driver_state(dev->otherend) == XenbusStateClosed)
++ return;
++ do {
+ xenbus_switch_state(dev, XenbusStateClosing);
+- wait_event(module_wq,
+- xenbus_read_driver_state(dev->otherend) ==
+- XenbusStateClosing ||
+- xenbus_read_driver_state(dev->otherend) ==
+- XenbusStateUnknown);
++ ret = wait_event_timeout(module_wq,
++ xenbus_read_driver_state(dev->otherend) ==
++ XenbusStateClosing ||
++ xenbus_read_driver_state(dev->otherend) ==
++ XenbusStateClosed ||
++ xenbus_read_driver_state(dev->otherend) ==
++ XenbusStateUnknown,
++ XENNET_TIMEOUT);
++ } while (!ret);
++
++ if (xenbus_read_driver_state(dev->otherend) == XenbusStateClosed)
++ return;
+
++ do {
+ xenbus_switch_state(dev, XenbusStateClosed);
+- wait_event(module_wq,
+- xenbus_read_driver_state(dev->otherend) ==
+- XenbusStateClosed ||
+- xenbus_read_driver_state(dev->otherend) ==
+- XenbusStateUnknown);
+- }
++ ret = wait_event_timeout(module_wq,
++ xenbus_read_driver_state(dev->otherend) ==
++ XenbusStateClosed ||
++ xenbus_read_driver_state(dev->otherend) ==
++ XenbusStateUnknown,
++ XENNET_TIMEOUT);
++ } while (!ret);
++}
++
++static int xennet_remove(struct xenbus_device *dev)
++{
++ struct netfront_info *info = dev_get_drvdata(&dev->dev);
+
++ xennet_bus_close(dev);
+ xennet_disconnect_backend(info);
+
+ if (info->netdev->reg_state == NETREG_REGISTERED)
+--
+2.25.1
+
--- /dev/null
+From 9231f2f40992ffa59f9bbba087cf906180ee52b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Jul 2020 10:34:27 +0200
+Subject: xfrm: Fix crash when the hold queue is used.
+
+From: Steffen Klassert <steffen.klassert@secunet.com>
+
+[ Upstream commit 101dde4207f1daa1fda57d714814a03835dccc3f ]
+
+The commits "xfrm: Move dst->path into struct xfrm_dst"
+and "net: Create and use new helper xfrm_dst_child()."
+changed xfrm bundle handling under the assumption
+that xdst->path and dst->child are not a NULL pointer
+only if dst->xfrm is not a NULL pointer. That is true
+with one exception. If the xfrm hold queue is used
+to wait until a SA is installed by the key manager,
+we create a dummy bundle without a valid dst->xfrm
+pointer. The current xfrm bundle handling crashes
+in that case. Fix this by extending the NULL check
+of dst->xfrm with a test of the DST_XFRM_QUEUE flag.
+
+Fixes: 0f6c480f23f4 ("xfrm: Move dst->path into struct xfrm_dst")
+Fixes: b92cf4aab8e6 ("net: Create and use new helper xfrm_dst_child().")
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/xfrm.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/net/xfrm.h b/include/net/xfrm.h
+index 31ff059b42904..7b616e45fbfcc 100644
+--- a/include/net/xfrm.h
++++ b/include/net/xfrm.h
+@@ -946,7 +946,7 @@ struct xfrm_dst {
+ static inline struct dst_entry *xfrm_dst_path(const struct dst_entry *dst)
+ {
+ #ifdef CONFIG_XFRM
+- if (dst->xfrm) {
++ if (dst->xfrm || (dst->flags & DST_XFRM_QUEUE)) {
+ const struct xfrm_dst *xdst = (const struct xfrm_dst *) dst;
+
+ return xdst->path;
+@@ -958,7 +958,7 @@ static inline struct dst_entry *xfrm_dst_path(const struct dst_entry *dst)
+ static inline struct dst_entry *xfrm_dst_child(const struct dst_entry *dst)
+ {
+ #ifdef CONFIG_XFRM
+- if (dst->xfrm) {
++ if (dst->xfrm || (dst->flags & DST_XFRM_QUEUE)) {
+ struct xfrm_dst *xdst = (struct xfrm_dst *) dst;
+ return xdst->child;
+ }
+--
+2.25.1
+
--- /dev/null
+From b91f96b207b5068133db524856cc4da89b7aadbd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jun 2020 16:40:29 +0800
+Subject: xfrm: policy: match with both mark and mask on user interfaces
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 4f47e8ab6ab796b5380f74866fa5287aca4dcc58 ]
+
+In commit ed17b8d377ea ("xfrm: fix a warning in xfrm_policy_insert_list"),
+it would take 'priority' to make a policy unique, and allow duplicated
+policies with different 'priority' to be added, which is not expected
+by userland, as Tobias reported in strongswan.
+
+To fix this duplicated policies issue, and also fix the issue in
+commit ed17b8d377ea ("xfrm: fix a warning in xfrm_policy_insert_list"),
+when doing add/del/get/update on user interfaces, this patch is to change
+to look up a policy with both mark and mask by doing:
+
+ mark.v == pol->mark.v && mark.m == pol->mark.m
+
+and leave the check:
+
+ (mark & pol->mark.m) == pol->mark.v
+
+for tx/rx path only.
+
+As the userland expects an exact mark and mask match to manage policies.
+
+v1->v2:
+ - make xfrm_policy_mark_match inline and fix the changelog as
+ Tobias suggested.
+
+Fixes: 295fae568885 ("xfrm: Allow user space manipulation of SPD mark")
+Fixes: ed17b8d377ea ("xfrm: fix a warning in xfrm_policy_insert_list")
+Reported-by: Tobias Brunner <tobias@strongswan.org>
+Tested-by: Tobias Brunner <tobias@strongswan.org>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/xfrm.h | 11 +++++++----
+ net/key/af_key.c | 4 ++--
+ net/xfrm/xfrm_policy.c | 39 ++++++++++++++++-----------------------
+ net/xfrm/xfrm_user.c | 18 +++++++++++-------
+ 4 files changed, 36 insertions(+), 36 deletions(-)
+
+diff --git a/include/net/xfrm.h b/include/net/xfrm.h
+index 03024701c79f7..31ff059b42904 100644
+--- a/include/net/xfrm.h
++++ b/include/net/xfrm.h
+@@ -1633,13 +1633,16 @@ int xfrm_policy_walk(struct net *net, struct xfrm_policy_walk *walk,
+ void *);
+ void xfrm_policy_walk_done(struct xfrm_policy_walk *walk, struct net *net);
+ int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl);
+-struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net, u32 mark, u32 if_id,
+- u8 type, int dir,
++struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net,
++ const struct xfrm_mark *mark,
++ u32 if_id, u8 type, int dir,
+ struct xfrm_selector *sel,
+ struct xfrm_sec_ctx *ctx, int delete,
+ int *err);
+-struct xfrm_policy *xfrm_policy_byid(struct net *net, u32 mark, u32 if_id, u8,
+- int dir, u32 id, int delete, int *err);
++struct xfrm_policy *xfrm_policy_byid(struct net *net,
++ const struct xfrm_mark *mark, u32 if_id,
++ u8 type, int dir, u32 id, int delete,
++ int *err);
+ int xfrm_policy_flush(struct net *net, u8 type, bool task_valid);
+ void xfrm_policy_hash_rebuild(struct net *net);
+ u32 xfrm_get_acqseq(void);
+diff --git a/net/key/af_key.c b/net/key/af_key.c
+index b67ed3a8486c2..979c579afc63b 100644
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -2400,7 +2400,7 @@ static int pfkey_spddelete(struct sock *sk, struct sk_buff *skb, const struct sa
+ return err;
+ }
+
+- xp = xfrm_policy_bysel_ctx(net, DUMMY_MARK, 0, XFRM_POLICY_TYPE_MAIN,
++ xp = xfrm_policy_bysel_ctx(net, &dummy_mark, 0, XFRM_POLICY_TYPE_MAIN,
+ pol->sadb_x_policy_dir - 1, &sel, pol_ctx,
+ 1, &err);
+ security_xfrm_policy_free(pol_ctx);
+@@ -2651,7 +2651,7 @@ static int pfkey_spdget(struct sock *sk, struct sk_buff *skb, const struct sadb_
+ return -EINVAL;
+
+ delete = (hdr->sadb_msg_type == SADB_X_SPDDELETE2);
+- xp = xfrm_policy_byid(net, DUMMY_MARK, 0, XFRM_POLICY_TYPE_MAIN,
++ xp = xfrm_policy_byid(net, &dummy_mark, 0, XFRM_POLICY_TYPE_MAIN,
+ dir, pol->sadb_x_policy_id, delete, &err);
+ if (xp == NULL)
+ return -ENOENT;
+diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
+index 564aa6492e7c3..6847b3579f541 100644
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -1433,14 +1433,10 @@ static void xfrm_policy_requeue(struct xfrm_policy *old,
+ spin_unlock_bh(&pq->hold_queue.lock);
+ }
+
+-static bool xfrm_policy_mark_match(struct xfrm_policy *policy,
+- struct xfrm_policy *pol)
++static inline bool xfrm_policy_mark_match(const struct xfrm_mark *mark,
++ struct xfrm_policy *pol)
+ {
+- if (policy->mark.v == pol->mark.v &&
+- policy->priority == pol->priority)
+- return true;
+-
+- return false;
++ return mark->v == pol->mark.v && mark->m == pol->mark.m;
+ }
+
+ static u32 xfrm_pol_bin_key(const void *data, u32 len, u32 seed)
+@@ -1503,7 +1499,7 @@ static void xfrm_policy_insert_inexact_list(struct hlist_head *chain,
+ if (pol->type == policy->type &&
+ pol->if_id == policy->if_id &&
+ !selector_cmp(&pol->selector, &policy->selector) &&
+- xfrm_policy_mark_match(policy, pol) &&
++ xfrm_policy_mark_match(&policy->mark, pol) &&
+ xfrm_sec_ctx_match(pol->security, policy->security) &&
+ !WARN_ON(delpol)) {
+ delpol = pol;
+@@ -1538,7 +1534,7 @@ static struct xfrm_policy *xfrm_policy_insert_list(struct hlist_head *chain,
+ if (pol->type == policy->type &&
+ pol->if_id == policy->if_id &&
+ !selector_cmp(&pol->selector, &policy->selector) &&
+- xfrm_policy_mark_match(policy, pol) &&
++ xfrm_policy_mark_match(&policy->mark, pol) &&
+ xfrm_sec_ctx_match(pol->security, policy->security) &&
+ !WARN_ON(delpol)) {
+ if (excl)
+@@ -1610,9 +1606,8 @@ int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl)
+ EXPORT_SYMBOL(xfrm_policy_insert);
+
+ static struct xfrm_policy *
+-__xfrm_policy_bysel_ctx(struct hlist_head *chain, u32 mark, u32 if_id,
+- u8 type, int dir,
+- struct xfrm_selector *sel,
++__xfrm_policy_bysel_ctx(struct hlist_head *chain, const struct xfrm_mark *mark,
++ u32 if_id, u8 type, int dir, struct xfrm_selector *sel,
+ struct xfrm_sec_ctx *ctx)
+ {
+ struct xfrm_policy *pol;
+@@ -1623,7 +1618,7 @@ __xfrm_policy_bysel_ctx(struct hlist_head *chain, u32 mark, u32 if_id,
+ hlist_for_each_entry(pol, chain, bydst) {
+ if (pol->type == type &&
+ pol->if_id == if_id &&
+- (mark & pol->mark.m) == pol->mark.v &&
++ xfrm_policy_mark_match(mark, pol) &&
+ !selector_cmp(sel, &pol->selector) &&
+ xfrm_sec_ctx_match(ctx, pol->security))
+ return pol;
+@@ -1632,11 +1627,10 @@ __xfrm_policy_bysel_ctx(struct hlist_head *chain, u32 mark, u32 if_id,
+ return NULL;
+ }
+
+-struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net, u32 mark, u32 if_id,
+- u8 type, int dir,
+- struct xfrm_selector *sel,
+- struct xfrm_sec_ctx *ctx, int delete,
+- int *err)
++struct xfrm_policy *
++xfrm_policy_bysel_ctx(struct net *net, const struct xfrm_mark *mark, u32 if_id,
++ u8 type, int dir, struct xfrm_selector *sel,
++ struct xfrm_sec_ctx *ctx, int delete, int *err)
+ {
+ struct xfrm_pol_inexact_bin *bin = NULL;
+ struct xfrm_policy *pol, *ret = NULL;
+@@ -1703,9 +1697,9 @@ struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net, u32 mark, u32 if_id,
+ }
+ EXPORT_SYMBOL(xfrm_policy_bysel_ctx);
+
+-struct xfrm_policy *xfrm_policy_byid(struct net *net, u32 mark, u32 if_id,
+- u8 type, int dir, u32 id, int delete,
+- int *err)
++struct xfrm_policy *
++xfrm_policy_byid(struct net *net, const struct xfrm_mark *mark, u32 if_id,
++ u8 type, int dir, u32 id, int delete, int *err)
+ {
+ struct xfrm_policy *pol, *ret;
+ struct hlist_head *chain;
+@@ -1720,8 +1714,7 @@ struct xfrm_policy *xfrm_policy_byid(struct net *net, u32 mark, u32 if_id,
+ ret = NULL;
+ hlist_for_each_entry(pol, chain, byidx) {
+ if (pol->type == type && pol->index == id &&
+- pol->if_id == if_id &&
+- (mark & pol->mark.m) == pol->mark.v) {
++ pol->if_id == if_id && xfrm_policy_mark_match(mark, pol)) {
+ xfrm_pol_hold(pol);
+ if (delete) {
+ *err = security_xfrm_policy_delete(
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index e6cfaa680ef3d..fbb7d9d064787 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -1863,7 +1863,6 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
+ struct km_event c;
+ int delete;
+ struct xfrm_mark m;
+- u32 mark = xfrm_mark_get(attrs, &m);
+ u32 if_id = 0;
+
+ p = nlmsg_data(nlh);
+@@ -1880,8 +1879,11 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
+ if (attrs[XFRMA_IF_ID])
+ if_id = nla_get_u32(attrs[XFRMA_IF_ID]);
+
++ xfrm_mark_get(attrs, &m);
++
+ if (p->index)
+- xp = xfrm_policy_byid(net, mark, if_id, type, p->dir, p->index, delete, &err);
++ xp = xfrm_policy_byid(net, &m, if_id, type, p->dir,
++ p->index, delete, &err);
+ else {
+ struct nlattr *rt = attrs[XFRMA_SEC_CTX];
+ struct xfrm_sec_ctx *ctx;
+@@ -1898,8 +1900,8 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
+ if (err)
+ return err;
+ }
+- xp = xfrm_policy_bysel_ctx(net, mark, if_id, type, p->dir, &p->sel,
+- ctx, delete, &err);
++ xp = xfrm_policy_bysel_ctx(net, &m, if_id, type, p->dir,
++ &p->sel, ctx, delete, &err);
+ security_xfrm_policy_free(ctx);
+ }
+ if (xp == NULL)
+@@ -2166,7 +2168,6 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
+ u8 type = XFRM_POLICY_TYPE_MAIN;
+ int err = -ENOENT;
+ struct xfrm_mark m;
+- u32 mark = xfrm_mark_get(attrs, &m);
+ u32 if_id = 0;
+
+ err = copy_from_user_policy_type(&type, attrs);
+@@ -2180,8 +2181,11 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
+ if (attrs[XFRMA_IF_ID])
+ if_id = nla_get_u32(attrs[XFRMA_IF_ID]);
+
++ xfrm_mark_get(attrs, &m);
++
+ if (p->index)
+- xp = xfrm_policy_byid(net, mark, if_id, type, p->dir, p->index, 0, &err);
++ xp = xfrm_policy_byid(net, &m, if_id, type, p->dir, p->index,
++ 0, &err);
+ else {
+ struct nlattr *rt = attrs[XFRMA_SEC_CTX];
+ struct xfrm_sec_ctx *ctx;
+@@ -2198,7 +2202,7 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
+ if (err)
+ return err;
+ }
+- xp = xfrm_policy_bysel_ctx(net, mark, if_id, type, p->dir,
++ xp = xfrm_policy_bysel_ctx(net, &m, if_id, type, p->dir,
+ &p->sel, ctx, 0, &err);
+ security_xfrm_policy_free(ctx);
+ }
+--
+2.25.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
