Fixes for 5.10

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-5.10/arm64-fix-clang-warning-about-tramp_valias.patch b/queue-5.10/arm64-fix-clang-warning-about-tramp_valias.patch
new file mode 100644 (file)
index 0000000..f5b3fc6
--- /dev/null
+++ b/queue-5.10/arm64-fix-clang-warning-about-tramp_valias.patch
@@ -0,0 +1,51 @@
+From 5600cee4310a6fc3923dfba5c9a83729b36c0218 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Mar 2022 19:38:18 +0100
+Subject: arm64: fix clang warning about TRAMP_VALIAS
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 7f34b43e07cb512b28543fdcb9f35d1fbfda9ebc ]
+
+The newly introduced TRAMP_VALIAS definition causes a build warning
+with clang-14:
+
+arch/arm64/include/asm/vectors.h:66:31: error: arithmetic on a null pointer treated as a cast from integer to pointer is a GNU extension [-Werror,-Wnull-pointer-arithmetic]
+                return (char *)TRAMP_VALIAS + SZ_2K * slot;
+
+Change the addition to something clang does not complain about.
+
+Fixes: bd09128d16fa ("arm64: Add percpu vectors for EL1")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: James Morse <james.morse@arm.com>
+Link: https://lore.kernel.org/r/20220316183833.1563139-1-arnd@kernel.org
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/asm/vectors.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/include/asm/vectors.h b/arch/arm64/include/asm/vectors.h
+index f64613a96d53..bc9a2145f419 100644
+--- a/arch/arm64/include/asm/vectors.h
++++ b/arch/arm64/include/asm/vectors.h
+@@ -56,14 +56,14 @@ enum arm64_bp_harden_el1_vectors {
+ DECLARE_PER_CPU_READ_MOSTLY(const char *, this_cpu_vector);
+ 
+ #ifndef CONFIG_UNMAP_KERNEL_AT_EL0
+-#define TRAMP_VALIAS  0
++#define TRAMP_VALIAS  0ul
+ #endif
+ 
+ static inline const char *
+ arm64_get_bp_hardening_vector(enum arm64_bp_harden_el1_vectors slot)
+ {
+       if (arm64_kernel_unmapped_at_el0())
+-              return (char *)TRAMP_VALIAS + SZ_2K * slot;
++              return (char *)(TRAMP_VALIAS + SZ_2K * slot);
+ 
+       WARN_ON_ONCE(slot == EL1_VECTOR_KPTI);
+ 
+-- 
+2.34.1
+

diff --git a/queue-5.10/atm-eni-add-check-for-dma_map_single.patch b/queue-5.10/atm-eni-add-check-for-dma_map_single.patch
new file mode 100644 (file)
index 0000000..01e6683
--- /dev/null
+++ b/queue-5.10/atm-eni-add-check-for-dma_map_single.patch
@@ -0,0 +1,37 @@
+From a5ceb4f4ace756010779b5649c5b3f43ce5d39d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Mar 2022 09:34:48 +0800
+Subject: atm: eni: Add check for dma_map_single
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit 0f74b29a4f53627376cf5a5fb7b0b3fa748a0b2b ]
+
+As the potential failure of the dma_map_single(),
+it should be better to check it and return error
+if fails.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/atm/eni.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/atm/eni.c b/drivers/atm/eni.c
+index b574cce98dc3..9fcc49be499f 100644
+--- a/drivers/atm/eni.c
++++ b/drivers/atm/eni.c
+@@ -1112,6 +1112,8 @@ DPRINTK("iovcnt = %d\n",skb_shinfo(skb)->nr_frags);
+       skb_data3 = skb->data[3];
+       paddr = dma_map_single(&eni_dev->pci_dev->dev,skb->data,skb->len,
+                              DMA_TO_DEVICE);
++      if (dma_mapping_error(&eni_dev->pci_dev->dev, paddr))
++              return enq_next;
+       ENI_PRV_PADDR(skb) = paddr;
+       /* prepare DMA queue entries */
+       j = 0;
+-- 
+2.34.1
+

diff --git a/queue-5.10/bnx2x-fix-built-in-kernel-driver-load-failure.patch b/queue-5.10/bnx2x-fix-built-in-kernel-driver-load-failure.patch
new file mode 100644 (file)
index 0000000..094e433
--- /dev/null
+++ b/queue-5.10/bnx2x-fix-built-in-kernel-driver-load-failure.patch
@@ -0,0 +1,160 @@
+From 32d85dbf7fe20bba98ad0964ba9b1054c61e4f9f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Mar 2022 14:46:13 -0700
+Subject: bnx2x: fix built-in kernel driver load failure
+
+From: Manish Chopra <manishc@marvell.com>
+
+[ Upstream commit 424e7834e293936a54fcf05173f2884171adc5a3 ]
+
+Commit b7a49f73059f ("bnx2x: Utilize firmware 7.13.21.0")
+added request_firmware() logic in probe() which caused
+load failure when firmware file is not present in initrd (below),
+as access to firmware file is not feasible during probe.
+
+  Direct firmware load for bnx2x/bnx2x-e2-7.13.15.0.fw failed with error -2
+  Direct firmware load for bnx2x/bnx2x-e2-7.13.21.0.fw failed with error -2
+
+This patch fixes this issue by -
+
+1. Removing request_firmware() logic from the probe()
+   such that .ndo_open() handle it as it used to handle
+   it earlier
+
+2. Given request_firmware() is removed from probe(), so
+   driver has to relax FW version comparisons a bit against
+   the already loaded FW version (by some other PFs of same
+   adapter) to allow different compatible/close enough FWs with which
+   multiple PFs may run with (in different environments), as the
+   given PF who is in probe flow has no idea now with which firmware
+   file version it is going to initialize the device in ndo_open()
+
+Link: https://lore.kernel.org/all/46f2d9d9-ae7f-b332-ddeb-b59802be2bab@molgen.mpg.de/
+Reported-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Tested-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Fixes: b7a49f73059f ("bnx2x: Utilize firmware 7.13.21.0")
+Signed-off-by: Manish Chopra <manishc@marvell.com>
+Signed-off-by: Ariel Elior <aelior@marvell.com>
+Link: https://lore.kernel.org/r/20220316214613.6884-1-manishc@marvell.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x.h   |  2 --
+ .../net/ethernet/broadcom/bnx2x/bnx2x_cmn.c   | 28 +++++++++++--------
+ .../net/ethernet/broadcom/bnx2x/bnx2x_main.c  | 15 ++--------
+ 3 files changed, 19 insertions(+), 26 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x.h
+index bb3ba614fb17..2a61229d3f97 100644
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x.h
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x.h
+@@ -2534,6 +2534,4 @@ void bnx2x_register_phc(struct bnx2x *bp);
+  * Meant for implicit re-load flows.
+  */
+ int bnx2x_vlan_reconfigure_vid(struct bnx2x *bp);
+-int bnx2x_init_firmware(struct bnx2x *bp);
+-void bnx2x_release_firmware(struct bnx2x *bp);
+ #endif /* bnx2x.h */
+diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+index 41ebbb2c7d3a..198e041d8410 100644
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+@@ -2363,24 +2363,30 @@ int bnx2x_compare_fw_ver(struct bnx2x *bp, u32 load_code, bool print_err)
+       /* is another pf loaded on this engine? */
+       if (load_code != FW_MSG_CODE_DRV_LOAD_COMMON_CHIP &&
+           load_code != FW_MSG_CODE_DRV_LOAD_COMMON) {
+-              /* build my FW version dword */
+-              u32 my_fw = (bp->fw_major) + (bp->fw_minor << 8) +
+-                              (bp->fw_rev << 16) + (bp->fw_eng << 24);
++              u8 loaded_fw_major, loaded_fw_minor, loaded_fw_rev, loaded_fw_eng;
++              u32 loaded_fw;
+ 
+               /* read loaded FW from chip */
+-              u32 loaded_fw = REG_RD(bp, XSEM_REG_PRAM);
++              loaded_fw = REG_RD(bp, XSEM_REG_PRAM);
+ 
+-              DP(BNX2X_MSG_SP, "loaded fw %x, my fw %x\n",
+-                 loaded_fw, my_fw);
++              loaded_fw_major = loaded_fw & 0xff;
++              loaded_fw_minor = (loaded_fw >> 8) & 0xff;
++              loaded_fw_rev = (loaded_fw >> 16) & 0xff;
++              loaded_fw_eng = (loaded_fw >> 24) & 0xff;
++
++              DP(BNX2X_MSG_SP, "loaded fw 0x%x major 0x%x minor 0x%x rev 0x%x eng 0x%x\n",
++                 loaded_fw, loaded_fw_major, loaded_fw_minor, loaded_fw_rev, loaded_fw_eng);
+ 
+               /* abort nic load if version mismatch */
+-              if (my_fw != loaded_fw) {
++              if (loaded_fw_major != BCM_5710_FW_MAJOR_VERSION ||
++                  loaded_fw_minor != BCM_5710_FW_MINOR_VERSION ||
++                  loaded_fw_eng != BCM_5710_FW_ENGINEERING_VERSION ||
++                  loaded_fw_rev < BCM_5710_FW_REVISION_VERSION_V15) {
+                       if (print_err)
+-                              BNX2X_ERR("bnx2x with FW %x was already loaded which mismatches my %x FW. Aborting\n",
+-                                        loaded_fw, my_fw);
++                              BNX2X_ERR("loaded FW incompatible. Aborting\n");
+                       else
+-                              BNX2X_DEV_INFO("bnx2x with FW %x was already loaded which mismatches my %x FW, possibly due to MF UNDI\n",
+-                                             loaded_fw, my_fw);
++                              BNX2X_DEV_INFO("loaded FW incompatible, possibly due to MF UNDI\n");
++
+                       return -EBUSY;
+               }
+       }
+diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
+index 7fa271db41b0..6333471916be 100644
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
+@@ -12366,15 +12366,6 @@ static int bnx2x_init_bp(struct bnx2x *bp)
+ 
+       bnx2x_read_fwinfo(bp);
+ 
+-      if (IS_PF(bp)) {
+-              rc = bnx2x_init_firmware(bp);
+-
+-              if (rc) {
+-                      bnx2x_free_mem_bp(bp);
+-                      return rc;
+-              }
+-      }
+-
+       func = BP_FUNC(bp);
+ 
+       /* need to reset chip if undi was active */
+@@ -12387,7 +12378,6 @@ static int bnx2x_init_bp(struct bnx2x *bp)
+ 
+               rc = bnx2x_prev_unload(bp);
+               if (rc) {
+-                      bnx2x_release_firmware(bp);
+                       bnx2x_free_mem_bp(bp);
+                       return rc;
+               }
+@@ -13469,7 +13459,7 @@ do {                                                                   \
+            (u8 *)bp->arr, len);                                       \
+ } while (0)
+ 
+-int bnx2x_init_firmware(struct bnx2x *bp)
++static int bnx2x_init_firmware(struct bnx2x *bp)
+ {
+       const char *fw_file_name, *fw_file_name_v15;
+       struct bnx2x_fw_file_hdr *fw_hdr;
+@@ -13569,7 +13559,7 @@ int bnx2x_init_firmware(struct bnx2x *bp)
+       return rc;
+ }
+ 
+-void bnx2x_release_firmware(struct bnx2x *bp)
++static void bnx2x_release_firmware(struct bnx2x *bp)
+ {
+       kfree(bp->init_ops_offsets);
+       kfree(bp->init_ops);
+@@ -14086,7 +14076,6 @@ static int bnx2x_init_one(struct pci_dev *pdev,
+       return 0;
+ 
+ init_one_freemem:
+-      bnx2x_release_firmware(bp);
+       bnx2x_free_mem_bp(bp);
+ 
+ init_one_exit:
+-- 
+2.34.1
+

diff --git a/queue-5.10/drm-imx-parallel-display-remove-bus-flags-check-in-i.patch b/queue-5.10/drm-imx-parallel-display-remove-bus-flags-check-in-i.patch
new file mode 100644 (file)
index 0000000..66bade2
--- /dev/null
+++ b/queue-5.10/drm-imx-parallel-display-remove-bus-flags-check-in-i.patch
@@ -0,0 +1,69 @@
+From 0df6eb8b0ad04a1a9216e1a96c683738d9806f9d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Feb 2022 12:36:43 +0100
+Subject: drm/imx: parallel-display: Remove bus flags check in
+ imx_pd_bridge_atomic_check()
+
+From: Christoph Niedermaier <cniedermaier@dh-electronics.com>
+
+[ Upstream commit 6061806a863e8b65b109eb06a280041cc7525442 ]
+
+If display timings were read from the devicetree using
+of_get_display_timing() and pixelclk-active is defined
+there, the flag DISPLAY_FLAGS_SYNC_POSEDGE/NEGEDGE is
+automatically generated. Through the function
+drm_bus_flags_from_videomode() e.g. called in the
+panel-simple driver this flag got into the bus flags,
+but then in imx_pd_bridge_atomic_check() the bus flag
+check failed and will not initialize the display. The
+original commit fe141cedc433 does not explain why this
+check was introduced. So remove the bus flags check,
+because it stops the initialization of the display with
+valid bus flags.
+
+Fixes: fe141cedc433 ("drm/imx: pd: Use bus format/flags provided by the bridge when available")
+Signed-off-by: Christoph Niedermaier <cniedermaier@dh-electronics.com>
+Cc: Marek Vasut <marex@denx.de>
+Cc: Boris Brezillon <boris.brezillon@collabora.com>
+Cc: Philipp Zabel <p.zabel@pengutronix.de>
+Cc: David Airlie <airlied@linux.ie>
+Cc: Daniel Vetter <daniel@ffwll.ch>
+Cc: Shawn Guo <shawnguo@kernel.org>
+Cc: Sascha Hauer <s.hauer@pengutronix.de>
+Cc: Pengutronix Kernel Team <kernel@pengutronix.de>
+Cc: Fabio Estevam <festevam@gmail.com>
+Cc: NXP Linux Team <linux-imx@nxp.com>
+Cc: linux-arm-kernel@lists.infradead.org
+To: dri-devel@lists.freedesktop.org
+Tested-by: Max Krummenacher <max.krummenacher@toradex.com>
+Acked-by: Boris Brezillon <boris.brezillon@collabora.com>
+Signed-off-by: Marek Vasut <marex@denx.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220201113643.4638-1-cniedermaier@dh-electronics.com
+Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/imx/parallel-display.c | 8 --------
+ 1 file changed, 8 deletions(-)
+
+diff --git a/drivers/gpu/drm/imx/parallel-display.c b/drivers/gpu/drm/imx/parallel-display.c
+index 2eb8df4697df..605ac8825a59 100644
+--- a/drivers/gpu/drm/imx/parallel-display.c
++++ b/drivers/gpu/drm/imx/parallel-display.c
+@@ -212,14 +212,6 @@ static int imx_pd_bridge_atomic_check(struct drm_bridge *bridge,
+       if (!imx_pd_format_supported(bus_fmt))
+               return -EINVAL;
+ 
+-      if (bus_flags &
+-          ~(DRM_BUS_FLAG_DE_LOW | DRM_BUS_FLAG_DE_HIGH |
+-            DRM_BUS_FLAG_PIXDATA_DRIVE_POSEDGE |
+-            DRM_BUS_FLAG_PIXDATA_DRIVE_NEGEDGE)) {
+-              dev_warn(imxpd->dev, "invalid bus_flags (%x)\n", bus_flags);
+-              return -EINVAL;
+-      }
+-
+       bridge_state->output_bus_cfg.flags = bus_flags;
+       bridge_state->input_bus_cfg.flags = bus_flags;
+       imx_crtc_state->bus_flags = bus_flags;
+-- 
+2.34.1
+

diff --git a/queue-5.10/drm-panel-simple-fix-innolux-g070y2-l01-bpp-settings.patch b/queue-5.10/drm-panel-simple-fix-innolux-g070y2-l01-bpp-settings.patch
new file mode 100644 (file)
index 0000000..aa757e3
--- /dev/null
+++ b/queue-5.10/drm-panel-simple-fix-innolux-g070y2-l01-bpp-settings.patch
@@ -0,0 +1,49 @@
+From 327c617ffe9a4c63a715c85d33f422178e3f8e65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 20 Feb 2022 05:07:18 +0100
+Subject: drm/panel: simple: Fix Innolux G070Y2-L01 BPP settings
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit fc1b6ef7bfb3d1d4df868b1c3e0480cacda6cd81 ]
+
+The Innolux G070Y2-L01 supports two modes of operation:
+1) FRC=Low/NC ... MEDIA_BUS_FMT_RGB666_1X7X3_SPWG ... BPP=6
+2) FRC=High ..... MEDIA_BUS_FMT_RGB888_1X7X4_SPWG ... BPP=8
+
+Currently the panel description mixes both, BPP from 1) and bus
+format from 2), which triggers a warning at panel-simple.c:615.
+
+Pick the later, set bpp=8, fix the warning.
+
+Fixes: a5d2ade627dca ("drm/panel: simple: Add support for Innolux G070Y2-L01")
+Signed-off-by: Marek Vasut <marex@denx.de>
+Cc: Christoph Fritz <chf.fritz@googlemail.com>
+Cc: Laurent Pinchart <Laurent.pinchart@ideasonboard.com>
+Cc: Maxime Ripard <maxime@cerno.tech>
+Cc: Sam Ravnborg <sam@ravnborg.org>
+Cc: Thomas Zimmermann <tzimmermann@suse.de>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220220040718.532866-1-marex@denx.de
+Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/panel/panel-simple.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c
+index 7ffd2a04ab23..959dcbd8a29c 100644
+--- a/drivers/gpu/drm/panel/panel-simple.c
++++ b/drivers/gpu/drm/panel/panel-simple.c
+@@ -2132,7 +2132,7 @@ static const struct display_timing innolux_g070y2_l01_timing = {
+ static const struct panel_desc innolux_g070y2_l01 = {
+       .timings = &innolux_g070y2_l01_timing,
+       .num_timings = 1,
+-      .bpc = 6,
++      .bpc = 8,
+       .size = {
+               .width = 152,
+               .height = 91,
+-- 
+2.34.1
+

diff --git a/queue-5.10/efi-fix-return-value-of-__setup-handlers.patch b/queue-5.10/efi-fix-return-value-of-__setup-handlers.patch
new file mode 100644 (file)
index 0000000..a9d2019
--- /dev/null
+++ b/queue-5.10/efi-fix-return-value-of-__setup-handlers.patch
@@ -0,0 +1,82 @@
+From 7ef2c6610da2b6ae837772e4379c505a76195a22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Feb 2022 20:18:51 -0800
+Subject: efi: fix return value of __setup handlers
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 9feaf8b387ee0ece9c1d7add308776b502a35d0c ]
+
+When "dump_apple_properties" is used on the kernel boot command line,
+it causes an Unknown parameter message and the string is added to init's
+argument strings:
+
+  Unknown kernel command line parameters "dump_apple_properties
+    BOOT_IMAGE=/boot/bzImage-517rc6 efivar_ssdt=newcpu_ssdt", will be
+    passed to user space.
+
+ Run /sbin/init as init process
+   with arguments:
+     /sbin/init
+     dump_apple_properties
+   with environment:
+     HOME=/
+     TERM=linux
+     BOOT_IMAGE=/boot/bzImage-517rc6
+     efivar_ssdt=newcpu_ssdt
+
+Similarly when "efivar_ssdt=somestring" is used, it is added to the
+Unknown parameter message and to init's environment strings, polluting
+them (see examples above).
+
+Change the return value of the __setup functions to 1 to indicate
+that the __setup options have been handled.
+
+Fixes: 58c5475aba67 ("x86/efi: Retrieve and assign Apple device properties")
+Fixes: 475fb4e8b2f4 ("efi / ACPI: load SSTDs from EFI variables")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reported-by: Igor Zhbanov <i.zhbanov@omprussia.ru>
+Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru
+Cc: Ard Biesheuvel <ardb@kernel.org>
+Cc: linux-efi@vger.kernel.org
+Cc: Lukas Wunner <lukas@wunner.de>
+Cc: Octavian Purdila <octavian.purdila@intel.com>
+Cc: "Rafael J. Wysocki" <rafael@kernel.org>
+Cc: Matt Fleming <matt@codeblueprint.co.uk>
+Link: https://lore.kernel.org/r/20220301041851.12459-1-rdunlap@infradead.org
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/apple-properties.c | 2 +-
+ drivers/firmware/efi/efi.c              | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/firmware/efi/apple-properties.c b/drivers/firmware/efi/apple-properties.c
+index e1926483ae2f..e51838d749e2 100644
+--- a/drivers/firmware/efi/apple-properties.c
++++ b/drivers/firmware/efi/apple-properties.c
+@@ -24,7 +24,7 @@ static bool dump_properties __initdata;
+ static int __init dump_properties_enable(char *arg)
+ {
+       dump_properties = true;
+-      return 0;
++      return 1;
+ }
+ 
+ __setup("dump_apple_properties", dump_properties_enable);
+diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
+index 9fa86288b78a..e3df82d5d37a 100644
+--- a/drivers/firmware/efi/efi.c
++++ b/drivers/firmware/efi/efi.c
+@@ -209,7 +209,7 @@ static int __init efivar_ssdt_setup(char *str)
+               memcpy(efivar_ssdt, str, strlen(str));
+       else
+               pr_warn("efivar_ssdt: name too long: %s\n", str);
+-      return 0;
++      return 1;
+ }
+ __setup("efivar_ssdt=", efivar_ssdt_setup);
+ 
+-- 
+2.34.1
+

diff --git a/queue-5.10/esp6-fix-check-on-ipv6_skip_exthdr-s-return-value.patch b/queue-5.10/esp6-fix-check-on-ipv6_skip_exthdr-s-return-value.patch
new file mode 100644 (file)
index 0000000..0cde861
--- /dev/null
+++ b/queue-5.10/esp6-fix-check-on-ipv6_skip_exthdr-s-return-value.patch
@@ -0,0 +1,57 @@
+From f5cb4b9e61a1ea76df0d9200d32c94b849c28c0a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Mar 2022 11:49:00 +0100
+Subject: esp6: fix check on ipv6_skip_exthdr's return value
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit 4db4075f92af2b28f415fc979ab626e6b37d67b6 ]
+
+Commit 5f9c55c8066b ("ipv6: check return value of ipv6_skip_exthdr")
+introduced an incorrect check, which leads to all ESP packets over
+either TCPv6 or UDPv6 encapsulation being dropped. In this particular
+case, offset is negative, since skb->data points to the ESP header in
+the following chain of headers, while skb->network_header points to
+the IPv6 header:
+
+    IPv6 | ext | ... | ext | UDP | ESP | ...
+
+That doesn't seem to be a problem, especially considering that if we
+reach esp6_input_done2, we're guaranteed to have a full set of headers
+available (otherwise the packet would have been dropped earlier in the
+stack). However, it means that the return value will (intentionally)
+be negative. We can make the test more specific, as the expected
+return value of ipv6_skip_exthdr will be the (negated) size of either
+a UDP header, or a TCP header with possible options.
+
+In the future, we should probably either make ipv6_skip_exthdr
+explicitly accept negative offsets (and adjust its return value for
+error cases), or make ipv6_skip_exthdr only take non-negative
+offsets (and audit all callers).
+
+Fixes: 5f9c55c8066b ("ipv6: check return value of ipv6_skip_exthdr")
+Reported-by: Xiumei Mu <xmu@redhat.com>
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/esp6.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
+index fc8acb15dcfb..5ce8b6c344b8 100644
+--- a/net/ipv6/esp6.c
++++ b/net/ipv6/esp6.c
+@@ -808,8 +808,7 @@ int esp6_input_done2(struct sk_buff *skb, int err)
+               struct tcphdr *th;
+ 
+               offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
+-
+-              if (offset < 0) {
++              if (offset == -1) {
+                       err = -EINVAL;
+                       goto out;
+               }
+-- 
+2.34.1
+

diff --git a/queue-5.10/hv_netvsc-add-check-for-kvmalloc_array.patch b/queue-5.10/hv_netvsc-add-check-for-kvmalloc_array.patch
new file mode 100644 (file)
index 0000000..79aa703
--- /dev/null
+++ b/queue-5.10/hv_netvsc-add-check-for-kvmalloc_array.patch
@@ -0,0 +1,40 @@
+From 7939c7c7db69e30c5039ecb08d0e78862b244577 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Mar 2022 10:01:25 +0800
+Subject: hv_netvsc: Add check for kvmalloc_array
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit 886e44c9298a6b428ae046e2fa092ca52e822e6a ]
+
+As the potential failure of the kvmalloc_array(),
+it should be better to check and restore the 'data'
+if fails in order to avoid the dereference of the
+NULL pointer.
+
+Fixes: 6ae746711263 ("hv_netvsc: Add per-cpu ethtool stats for netvsc")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Link: https://lore.kernel.org/r/20220314020125.2365084-1-jiasheng@iscas.ac.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/hyperv/netvsc_drv.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c
+index 261e6e55a907..e3676386d0ee 100644
+--- a/drivers/net/hyperv/netvsc_drv.c
++++ b/drivers/net/hyperv/netvsc_drv.c
+@@ -1562,6 +1562,9 @@ static void netvsc_get_ethtool_stats(struct net_device *dev,
+       pcpu_sum = kvmalloc_array(num_possible_cpus(),
+                                 sizeof(struct netvsc_ethtool_pcpu_stats),
+                                 GFP_KERNEL);
++      if (!pcpu_sum)
++              return;
++
+       netvsc_get_pcpu_stats(dev, pcpu_sum);
+       for_each_present_cpu(cpu) {
+               struct netvsc_ethtool_pcpu_stats *this_sum = &pcpu_sum[cpu];
+-- 
+2.34.1
+

diff --git a/queue-5.10/net-bcmgenet-skip-invalid-partial-checksums.patch b/queue-5.10/net-bcmgenet-skip-invalid-partial-checksums.patch
new file mode 100644 (file)
index 0000000..3735055
--- /dev/null
+++ b/queue-5.10/net-bcmgenet-skip-invalid-partial-checksums.patch
@@ -0,0 +1,45 @@
+From 886dbe34714fbe18a252c20b55e1dd15721e7cef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Mar 2022 18:28:12 -0700
+Subject: net: bcmgenet: skip invalid partial checksums
+
+From: Doug Berger <opendmb@gmail.com>
+
+[ Upstream commit 0f643c88c8d240eba0ea25c2e095a46515ff46e9 ]
+
+The RXCHK block will return a partial checksum of 0 if it encounters
+a problem while receiving a packet. Since a 1's complement sum can
+only produce this result if no bits are set in the received data
+stream it is fair to treat it as an invalid partial checksum and
+not pass it up the stack.
+
+Fixes: 810155397890 ("net: bcmgenet: use CHECKSUM_COMPLETE for NETIF_F_RXCSUM")
+Signed-off-by: Doug Berger <opendmb@gmail.com>
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+Link: https://lore.kernel.org/r/20220317012812.1313196-1-opendmb@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+index e19cf020e5ae..a2062144d7ca 100644
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -2239,8 +2239,10 @@ static unsigned int bcmgenet_desc_rx(struct bcmgenet_rx_ring *ring,
+               dma_length_status = status->length_status;
+               if (dev->features & NETIF_F_RXCSUM) {
+                       rx_csum = (__force __be16)(status->rx_csum & 0xffff);
+-                      skb->csum = (__force __wsum)ntohs(rx_csum);
+-                      skb->ip_summed = CHECKSUM_COMPLETE;
++                      if (rx_csum) {
++                              skb->csum = (__force __wsum)ntohs(rx_csum);
++                              skb->ip_summed = CHECKSUM_COMPLETE;
++                      }
+               }
+ 
+               /* DMA flags and length are still valid no matter how
+-- 
+2.34.1
+

diff --git a/queue-5.10/net-dsa-add-missing-of_node_put-in-dsa_port_parse_of.patch b/queue-5.10/net-dsa-add-missing-of_node_put-in-dsa_port_parse_of.patch
new file mode 100644 (file)
index 0000000..7c1418c
--- /dev/null
+++ b/queue-5.10/net-dsa-add-missing-of_node_put-in-dsa_port_parse_of.patch
@@ -0,0 +1,36 @@
+From f1ec2ae9b25ad9c01f5b5de27a4145576c034925 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Mar 2022 08:26:02 +0000
+Subject: net: dsa: Add missing of_node_put() in dsa_port_parse_of
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit cb0b430b4e3acc88c85e0ad2e25f2a25a5765262 ]
+
+The device_node pointer is returned by of_parse_phandle()  with refcount
+incremented. We should use of_node_put() on it when done.
+
+Fixes: 6d4e5c570c2d ("net: dsa: get port type at parse time")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Link: https://lore.kernel.org/r/20220316082602.10785-1-linmq006@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/dsa/dsa2.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/dsa/dsa2.c b/net/dsa/dsa2.c
+index 71c8ef7d4087..f543fca6dfcb 100644
+--- a/net/dsa/dsa2.c
++++ b/net/dsa/dsa2.c
+@@ -766,6 +766,7 @@ static int dsa_port_parse_of(struct dsa_port *dp, struct device_node *dn)
+               struct net_device *master;
+ 
+               master = of_find_net_device_by_node(ethernet);
++              of_node_put(ethernet);
+               if (!master)
+                       return -EPROBE_DEFER;
+ 
+-- 
+2.34.1
+

diff --git a/queue-5.10/net-handle-arphrd_pimreg-in-dev_is_mac_header_xmit.patch b/queue-5.10/net-handle-arphrd_pimreg-in-dev_is_mac_header_xmit.patch
new file mode 100644 (file)
index 0000000..a41b05f
--- /dev/null
+++ b/queue-5.10/net-handle-arphrd_pimreg-in-dev_is_mac_header_xmit.patch
@@ -0,0 +1,36 @@
+From 9ce895a393e9ba5626c07b2ed764ea8730db1544 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Mar 2022 10:20:08 +0100
+Subject: net: handle ARPHRD_PIMREG in dev_is_mac_header_xmit()
+
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+
+[ Upstream commit 4ee06de7729d795773145692e246a06448b1eb7a ]
+
+This kind of interface doesn't have a mac header. This patch fixes
+bpf_redirect() to a PIM interface.
+
+Fixes: 27b29f63058d ("bpf: add bpf_redirect() helper")
+Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Link: https://lore.kernel.org/r/20220315092008.31423-1-nicolas.dichtel@6wind.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/if_arp.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/linux/if_arp.h b/include/linux/if_arp.h
+index bf5c5f32c65e..e147ea679467 100644
+--- a/include/linux/if_arp.h
++++ b/include/linux/if_arp.h
+@@ -51,6 +51,7 @@ static inline bool dev_is_mac_header_xmit(const struct net_device *dev)
+       case ARPHRD_VOID:
+       case ARPHRD_NONE:
+       case ARPHRD_RAWIP:
++      case ARPHRD_PIMREG:
+               return false;
+       default:
+               return true;
+-- 
+2.34.1
+

diff --git a/queue-5.10/net-mscc-ocelot-fix-backwards-compatibility-with-sin.patch b/queue-5.10/net-mscc-ocelot-fix-backwards-compatibility-with-sin.patch
new file mode 100644 (file)
index 0000000..9f14e2f
--- /dev/null
+++ b/queue-5.10/net-mscc-ocelot-fix-backwards-compatibility-with-sin.patch
@@ -0,0 +1,82 @@
+From 5b10918ab846edb29dc9de2df82064299f00e31d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Mar 2022 21:21:17 +0200
+Subject: net: mscc: ocelot: fix backwards compatibility with single-chain
+ tc-flower offload
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 8e0341aefcc9133f3f48683873284b169581315b ]
+
+ACL rules can be offloaded to VCAP IS2 either through chain 0, or, since
+the blamed commit, through a chain index whose number encodes a specific
+PAG (Policy Action Group) and lookup number.
+
+The chain number is translated through ocelot_chain_to_pag() into a PAG,
+and through ocelot_chain_to_lookup() into a lookup number.
+
+The problem with the blamed commit is that the above 2 functions don't
+have special treatment for chain 0. So ocelot_chain_to_pag(0) returns
+filter->pag = 224, which is in fact -32, but the "pag" field is an u8.
+
+So we end up programming the hardware with VCAP IS2 entries having a PAG
+of 224. But the way in which the PAG works is that it defines a subset
+of VCAP IS2 filters which should match on a packet. The default PAG is
+0, and previous VCAP IS1 rules (which we offload using 'goto') can
+modify it. So basically, we are installing filters with a PAG on which
+no packet will ever match. This is the hardware equivalent of adding
+filters to a chain which has no 'goto' to it.
+
+Restore the previous functionality by making ACL filters offloaded to
+chain 0 go to PAG 0 and lookup number 0. The choice of PAG is clearly
+correct, but the choice of lookup number isn't "as before" (which was to
+leave the lookup a "don't care"). However, lookup 0 should be fine,
+since even though there are ACL actions (policers) which have a
+requirement to be used in a specific lookup, that lookup is 0.
+
+Fixes: 226e9cd82a96 ("net: mscc: ocelot: only install TCAM entries into a specific lookup and PAG")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Link: https://lore.kernel.org/r/20220316192117.2568261-1-vladimir.oltean@nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mscc/ocelot_flower.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mscc/ocelot_flower.c b/drivers/net/ethernet/mscc/ocelot_flower.c
+index 217e8333de6c..c4c4649b2088 100644
+--- a/drivers/net/ethernet/mscc/ocelot_flower.c
++++ b/drivers/net/ethernet/mscc/ocelot_flower.c
+@@ -54,6 +54,12 @@ static int ocelot_chain_to_block(int chain, bool ingress)
+  */
+ static int ocelot_chain_to_lookup(int chain)
+ {
++      /* Backwards compatibility with older, single-chain tc-flower
++       * offload support in Ocelot
++       */
++      if (chain == 0)
++              return 0;
++
+       return (chain / VCAP_LOOKUP) % 10;
+ }
+ 
+@@ -62,7 +68,15 @@ static int ocelot_chain_to_lookup(int chain)
+  */
+ static int ocelot_chain_to_pag(int chain)
+ {
+-      int lookup = ocelot_chain_to_lookup(chain);
++      int lookup;
++
++      /* Backwards compatibility with older, single-chain tc-flower
++       * offload support in Ocelot
++       */
++      if (chain == 0)
++              return 0;
++
++      lookup = ocelot_chain_to_lookup(chain);
+ 
+       /* calculate PAG value as chain index relative to the first PAG */
+       return chain - VCAP_IS2_CHAIN(lookup, 0);
+-- 
+2.34.1
+

diff --git a/queue-5.10/net-packet-fix-slab-out-of-bounds-access-in-packet_r.patch b/queue-5.10/net-packet-fix-slab-out-of-bounds-access-in-packet_r.patch
new file mode 100644 (file)
index 0000000..80eb7b6
--- /dev/null
+++ b/queue-5.10/net-packet-fix-slab-out-of-bounds-access-in-packet_r.patch
@@ -0,0 +1,119 @@
+From 119f956cf807df45f775df3a0afb96166a6290e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Mar 2022 15:29:58 -0800
+Subject: net/packet: fix slab-out-of-bounds access in packet_recvmsg()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit c700525fcc06b05adfea78039de02628af79e07a ]
+
+syzbot found that when an AF_PACKET socket is using PACKET_COPY_THRESH
+and mmap operations, tpacket_rcv() is queueing skbs with
+garbage in skb->cb[], triggering a too big copy [1]
+
+Presumably, users of af_packet using mmap() already gets correct
+metadata from the mapped buffer, we can simply make sure
+to clear 12 bytes that might be copied to user space later.
+
+BUG: KASAN: stack-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline]
+BUG: KASAN: stack-out-of-bounds in packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489
+Write of size 165 at addr ffffc9000385fb78 by task syz-executor233/3631
+
+CPU: 0 PID: 3631 Comm: syz-executor233 Not tainted 5.17.0-rc7-syzkaller-02396-g0b3660695e80 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
+ print_address_description.constprop.0.cold+0xf/0x336 mm/kasan/report.c:255
+ __kasan_report mm/kasan/report.c:442 [inline]
+ kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
+ check_region_inline mm/kasan/generic.c:183 [inline]
+ kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
+ memcpy+0x39/0x60 mm/kasan/shadow.c:66
+ memcpy include/linux/fortify-string.h:225 [inline]
+ packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489
+ sock_recvmsg_nosec net/socket.c:948 [inline]
+ sock_recvmsg net/socket.c:966 [inline]
+ sock_recvmsg net/socket.c:962 [inline]
+ ____sys_recvmsg+0x2c4/0x600 net/socket.c:2632
+ ___sys_recvmsg+0x127/0x200 net/socket.c:2674
+ __sys_recvmsg+0xe2/0x1a0 net/socket.c:2704
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+RIP: 0033:0x7fdfd5954c29
+Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007ffcf8e71e48 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdfd5954c29
+RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000005
+RBP: 0000000000000000 R08: 000000000000000d R09: 000000000000000d
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffcf8e71e60
+R13: 00000000000f4240 R14: 000000000000c1ff R15: 00007ffcf8e71e54
+ </TASK>
+
+addr ffffc9000385fb78 is located in stack of task syz-executor233/3631 at offset 32 in frame:
+ ____sys_recvmsg+0x0/0x600 include/linux/uio.h:246
+
+this frame has 1 object:
+ [32, 160) 'addr'
+
+Memory state around the buggy address:
+ ffffc9000385fa80: 00 04 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00
+ ffffc9000385fb00: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00
+>ffffc9000385fb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f3
+                                                                ^
+ ffffc9000385fc00: f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 f1
+ ffffc9000385fc80: f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 00 00 00 00 00
+==================================================================
+
+Fixes: 0fb375fb9b93 ("[AF_PACKET]: Allow for > 8 byte hardware addresses.")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Link: https://lore.kernel.org/r/20220312232958.3535620-1-eric.dumazet@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/packet/af_packet.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index a31334b92be7..d0c95d7dd292 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2278,8 +2278,11 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
+                                       copy_skb = skb_get(skb);
+                                       skb_head = skb->data;
+                               }
+-                              if (copy_skb)
++                              if (copy_skb) {
++                                      memset(&PACKET_SKB_CB(copy_skb)->sa.ll, 0,
++                                             sizeof(PACKET_SKB_CB(copy_skb)->sa.ll));
+                                       skb_set_owner_r(copy_skb, sk);
++                              }
+                       }
+                       snaplen = po->rx_ring.frame_size - macoff;
+                       if ((int)snaplen < 0) {
+@@ -3434,6 +3437,8 @@ static int packet_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
+       sock_recv_ts_and_drops(msg, sk, skb);
+ 
+       if (msg->msg_name) {
++              const size_t max_len = min(sizeof(skb->cb),
++                                         sizeof(struct sockaddr_storage));
+               int copy_len;
+ 
+               /* If the address length field is there to be filled
+@@ -3456,6 +3461,10 @@ static int packet_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
+                               msg->msg_namelen = sizeof(struct sockaddr_ll);
+                       }
+               }
++              if (WARN_ON_ONCE(copy_len > max_len)) {
++                      copy_len = max_len;
++                      msg->msg_namelen = copy_len;
++              }
+               memcpy(msg->msg_name, &PACKET_SKB_CB(skb)->sa, copy_len);
+       }
+ 
+-- 
+2.34.1
+

diff --git a/queue-5.10/net-phy-marvell-fix-invalid-comparison-in-the-resume.patch b/queue-5.10/net-phy-marvell-fix-invalid-comparison-in-the-resume.patch
new file mode 100644 (file)
index 0000000..0fa785d
--- /dev/null
+++ b/queue-5.10/net-phy-marvell-fix-invalid-comparison-in-the-resume.patch
@@ -0,0 +1,54 @@
+From 083ed42db391399ac8816e851b2f222520ddae89 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Mar 2022 15:15:13 -0500
+Subject: net: phy: marvell: Fix invalid comparison in the resume and suspend
+ functions
+
+From: Kurt Cancemi <kurt@x64architecture.com>
+
+[ Upstream commit 837d9e49402eaf030db55a49f96fc51d73b4b441 ]
+
+This bug resulted in only the current mode being resumed and suspended when
+the PHY supported both fiber and copper modes and when the PHY only supported
+copper mode the fiber mode would incorrectly be attempted to be resumed and
+suspended.
+
+Fixes: 3758be3dc162 ("Marvell phy: add functions to suspend and resume both interfaces: fiber and copper links.")
+Signed-off-by: Kurt Cancemi <kurt@x64architecture.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://lore.kernel.org/r/20220312201512.326047-1-kurt@x64architecture.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/marvell.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/phy/marvell.c b/drivers/net/phy/marvell.c
+index cb9d1852a75c..54786712a991 100644
+--- a/drivers/net/phy/marvell.c
++++ b/drivers/net/phy/marvell.c
+@@ -1536,8 +1536,8 @@ static int marvell_suspend(struct phy_device *phydev)
+       int err;
+ 
+       /* Suspend the fiber mode first */
+-      if (!linkmode_test_bit(ETHTOOL_LINK_MODE_FIBRE_BIT,
+-                             phydev->supported)) {
++      if (linkmode_test_bit(ETHTOOL_LINK_MODE_FIBRE_BIT,
++                            phydev->supported)) {
+               err = marvell_set_page(phydev, MII_MARVELL_FIBER_PAGE);
+               if (err < 0)
+                       goto error;
+@@ -1571,8 +1571,8 @@ static int marvell_resume(struct phy_device *phydev)
+       int err;
+ 
+       /* Resume the fiber mode first */
+-      if (!linkmode_test_bit(ETHTOOL_LINK_MODE_FIBRE_BIT,
+-                             phydev->supported)) {
++      if (linkmode_test_bit(ETHTOOL_LINK_MODE_FIBRE_BIT,
++                            phydev->supported)) {
+               err = marvell_set_page(phydev, MII_MARVELL_FIBER_PAGE);
+               if (err < 0)
+                       goto error;
+-- 
+2.34.1
+

diff --git a/queue-5.10/net-phy-mscc-add-module_firmware-macros.patch b/queue-5.10/net-phy-mscc-add-module_firmware-macros.patch
new file mode 100644 (file)
index 0000000..1b32570
--- /dev/null
+++ b/queue-5.10/net-phy-mscc-add-module_firmware-macros.patch
@@ -0,0 +1,35 @@
+From 8ab29551df108781ec1ca64b19ff5370e991b140 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Mar 2022 16:18:35 +0100
+Subject: net: phy: mscc: Add MODULE_FIRMWARE macros
+
+From: Juerg Haefliger <juerg.haefliger@canonical.com>
+
+[ Upstream commit f1858c277ba40172005b76a31e6bb931bfc19d9c ]
+
+The driver requires firmware so define MODULE_FIRMWARE so that modinfo
+provides the details.
+
+Fixes: fa164e40c53b ("net: phy: mscc: split the driver into separate files")
+Signed-off-by: Juerg Haefliger <juergh@canonical.com>
+Link: https://lore.kernel.org/r/20220316151835.88765-1-juergh@canonical.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/mscc/mscc_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/phy/mscc/mscc_main.c b/drivers/net/phy/mscc/mscc_main.c
+index 41a410124437..e14fa72791b0 100644
+--- a/drivers/net/phy/mscc/mscc_main.c
++++ b/drivers/net/phy/mscc/mscc_main.c
+@@ -2584,3 +2584,6 @@ MODULE_DEVICE_TABLE(mdio, vsc85xx_tbl);
+ MODULE_DESCRIPTION("Microsemi VSC85xx PHY driver");
+ MODULE_AUTHOR("Nagaraju Lakkaraju");
+ MODULE_LICENSE("Dual MIT/GPL");
++
++MODULE_FIRMWARE(MSCC_VSC8584_REVB_INT8051_FW);
++MODULE_FIRMWARE(MSCC_VSC8574_REVB_INT8051_FW);
+-- 
+2.34.1
+

diff --git a/queue-5.10/series b/queue-5.10/series
index 3842268d570d9c3837f612ac3c0bf943416c0ae9..2f3eb651575cac19383c75f348e8d0cd123e010f 100644 (file)
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -1,3 +1,19 @@
 crypto-qcom-rng-ensure-buffer-for-generate-is-completely-filled.patch
 ocfs2-fix-crash-when-initialize-filecheck-kobj-fails.patch
 mm-swap-get-rid-of-livelock-in-swapin-readahead.patch
+efi-fix-return-value-of-__setup-handlers.patch
+vsock-each-transport-cycles-only-on-its-own-sockets.patch
+esp6-fix-check-on-ipv6_skip_exthdr-s-return-value.patch
+net-phy-marvell-fix-invalid-comparison-in-the-resume.patch
+net-packet-fix-slab-out-of-bounds-access-in-packet_r.patch
+atm-eni-add-check-for-dma_map_single.patch
+hv_netvsc-add-check-for-kvmalloc_array.patch
+drm-imx-parallel-display-remove-bus-flags-check-in-i.patch
+drm-panel-simple-fix-innolux-g070y2-l01-bpp-settings.patch
+net-handle-arphrd_pimreg-in-dev_is_mac_header_xmit.patch
+net-dsa-add-missing-of_node_put-in-dsa_port_parse_of.patch
+net-phy-mscc-add-module_firmware-macros.patch
+bnx2x-fix-built-in-kernel-driver-load-failure.patch
+net-bcmgenet-skip-invalid-partial-checksums.patch
+net-mscc-ocelot-fix-backwards-compatibility-with-sin.patch
+arm64-fix-clang-warning-about-tramp_valias.patch

diff --git a/queue-5.10/vsock-each-transport-cycles-only-on-its-own-sockets.patch b/queue-5.10/vsock-each-transport-cycles-only-on-its-own-sockets.patch
new file mode 100644 (file)
index 0000000..14381b0
--- /dev/null
+++ b/queue-5.10/vsock-each-transport-cycles-only-on-its-own-sockets.patch
@@ -0,0 +1,156 @@
+From 689fac66b41c187feff19a7384ce1f14591b5b4e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Mar 2022 11:00:16 +0900
+Subject: vsock: each transport cycles only on its own sockets
+
+From: Jiyong Park <jiyong@google.com>
+
+[ Upstream commit 8e6ed963763fe21429eabfc76c69ce2b0163a3dd ]
+
+When iterating over sockets using vsock_for_each_connected_socket, make
+sure that a transport filters out sockets that don't belong to the
+transport.
+
+There actually was an issue caused by this; in a nested VM
+configuration, destroying the nested VM (which often involves the
+closing of /dev/vhost-vsock if there was h2g connections to the nested
+VM) kills not only the h2g connections, but also all existing g2h
+connections to the (outmost) host which are totally unrelated.
+
+Tested: Executed the following steps on Cuttlefish (Android running on a
+VM) [1]: (1) Enter into an `adb shell` session - to have a g2h
+connection inside the VM, (2) open and then close /dev/vhost-vsock by
+`exec 3< /dev/vhost-vsock && exec 3<&-`, (3) observe that the adb
+session is not reset.
+
+[1] https://android.googlesource.com/device/google/cuttlefish/
+
+Fixes: c0cfa2d8a788 ("vsock: add multi-transports support")
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Jiyong Park <jiyong@google.com>
+Link: https://lore.kernel.org/r/20220311020017.1509316-1-jiyong@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vhost/vsock.c            | 3 ++-
+ include/net/af_vsock.h           | 3 ++-
+ net/vmw_vsock/af_vsock.c         | 9 +++++++--
+ net/vmw_vsock/virtio_transport.c | 7 +++++--
+ net/vmw_vsock/vmci_transport.c   | 5 ++++-
+ 5 files changed, 20 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c
+index c282fc0d04bd..5d2d6ce7ff41 100644
+--- a/drivers/vhost/vsock.c
++++ b/drivers/vhost/vsock.c
+@@ -697,7 +697,8 @@ static int vhost_vsock_dev_release(struct inode *inode, struct file *file)
+ 
+       /* Iterating over all connections for all CIDs to find orphans is
+        * inefficient.  Room for improvement here. */
+-      vsock_for_each_connected_socket(vhost_vsock_reset_orphans);
++      vsock_for_each_connected_socket(&vhost_transport.transport,
++                                      vhost_vsock_reset_orphans);
+ 
+       /* Don't check the owner, because we are in the release path, so we
+        * need to stop the vsock device in any case.
+diff --git a/include/net/af_vsock.h b/include/net/af_vsock.h
+index b1c717286993..4d8589244dc7 100644
+--- a/include/net/af_vsock.h
++++ b/include/net/af_vsock.h
+@@ -197,7 +197,8 @@ struct sock *vsock_find_bound_socket(struct sockaddr_vm *addr);
+ struct sock *vsock_find_connected_socket(struct sockaddr_vm *src,
+                                        struct sockaddr_vm *dst);
+ void vsock_remove_sock(struct vsock_sock *vsk);
+-void vsock_for_each_connected_socket(void (*fn)(struct sock *sk));
++void vsock_for_each_connected_socket(struct vsock_transport *transport,
++                                   void (*fn)(struct sock *sk));
+ int vsock_assign_transport(struct vsock_sock *vsk, struct vsock_sock *psk);
+ bool vsock_find_cid(unsigned int cid);
+ 
+diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
+index 005aa701f4d5..c59806253a65 100644
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -333,7 +333,8 @@ void vsock_remove_sock(struct vsock_sock *vsk)
+ }
+ EXPORT_SYMBOL_GPL(vsock_remove_sock);
+ 
+-void vsock_for_each_connected_socket(void (*fn)(struct sock *sk))
++void vsock_for_each_connected_socket(struct vsock_transport *transport,
++                                   void (*fn)(struct sock *sk))
+ {
+       int i;
+ 
+@@ -342,8 +343,12 @@ void vsock_for_each_connected_socket(void (*fn)(struct sock *sk))
+       for (i = 0; i < ARRAY_SIZE(vsock_connected_table); i++) {
+               struct vsock_sock *vsk;
+               list_for_each_entry(vsk, &vsock_connected_table[i],
+-                                  connected_table)
++                                  connected_table) {
++                      if (vsk->transport != transport)
++                              continue;
++
+                       fn(sk_vsock(vsk));
++              }
+       }
+ 
+       spin_unlock_bh(&vsock_table_lock);
+diff --git a/net/vmw_vsock/virtio_transport.c b/net/vmw_vsock/virtio_transport.c
+index 3a056f8affd1..e131121533ad 100644
+--- a/net/vmw_vsock/virtio_transport.c
++++ b/net/vmw_vsock/virtio_transport.c
+@@ -24,6 +24,7 @@
+ static struct workqueue_struct *virtio_vsock_workqueue;
+ static struct virtio_vsock __rcu *the_virtio_vsock;
+ static DEFINE_MUTEX(the_virtio_vsock_mutex); /* protects the_virtio_vsock */
++static struct virtio_transport virtio_transport; /* forward declaration */
+ 
+ struct virtio_vsock {
+       struct virtio_device *vdev;
+@@ -383,7 +384,8 @@ static void virtio_vsock_event_handle(struct virtio_vsock *vsock,
+       switch (le32_to_cpu(event->id)) {
+       case VIRTIO_VSOCK_EVENT_TRANSPORT_RESET:
+               virtio_vsock_update_guest_cid(vsock);
+-              vsock_for_each_connected_socket(virtio_vsock_reset_sock);
++              vsock_for_each_connected_socket(&virtio_transport.transport,
++                                              virtio_vsock_reset_sock);
+               break;
+       }
+ }
+@@ -635,7 +637,8 @@ static void virtio_vsock_remove(struct virtio_device *vdev)
+       synchronize_rcu();
+ 
+       /* Reset all connected sockets when the device disappear */
+-      vsock_for_each_connected_socket(virtio_vsock_reset_sock);
++      vsock_for_each_connected_socket(&virtio_transport.transport,
++                                      virtio_vsock_reset_sock);
+ 
+       /* Stop all work handlers to make sure no one is accessing the device,
+        * so we can safely call vdev->config->reset().
+diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c
+index 1c9ecb18b8e6..a9ca95a0fcdd 100644
+--- a/net/vmw_vsock/vmci_transport.c
++++ b/net/vmw_vsock/vmci_transport.c
+@@ -75,6 +75,8 @@ static u32 vmci_transport_qp_resumed_sub_id = VMCI_INVALID_ID;
+ 
+ static int PROTOCOL_OVERRIDE = -1;
+ 
++static struct vsock_transport vmci_transport; /* forward declaration */
++
+ /* Helper function to convert from a VMCI error code to a VSock error code. */
+ 
+ static s32 vmci_transport_error_to_vsock_error(s32 vmci_error)
+@@ -882,7 +884,8 @@ static void vmci_transport_qp_resumed_cb(u32 sub_id,
+                                        const struct vmci_event_data *e_data,
+                                        void *client_data)
+ {
+-      vsock_for_each_connected_socket(vmci_transport_handle_detach);
++      vsock_for_each_connected_socket(&vmci_transport,
++                                      vmci_transport_handle_detach);
+ }
+ 
+ static void vmci_transport_recv_pkt_work(struct work_struct *work)
+-- 
+2.34.1
+