5.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 30 May 2021 14:20:50 +0000 (16:20 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 30 May 2021 14:20:50 +0000 (16:20 +0200)
added patches:
bluetooth-cmtp-fix-file-refcount-when-cmtp_attach_device-fails.patch
drm-meson-fix-shutdown-crash-when-component-not-probed.patch
fs-nfs-use-fatal_signal_pending-instead-of-signal_pending.patch
net-mlx4-fix-eeprom-dump-support.patch
net-mlx5-set-reformat-action-when-needed-for-termination-rules.patch
net-mlx5-set-term-table-as-an-unmanaged-flow-table.patch
net-mlx5e-fix-error-path-of-updating-netdev-queues.patch
net-mlx5e-fix-multipath-lag-activation.patch
net-mlx5e-fix-null-deref-accessing-lag-dev.patch
net-mlx5e-fix-nullptr-in-add_vlan_push_action.patch
net-mlx5e-reset-xps-on-error-flow-if-netdev-isn-t-registered-yet.patch
net-vdpa-mlx5-configure-interface-mac-into-mpfs-l2-table.patch
nfs-don-t-corrupt-the-value-of-pg_bytes_written-in-nfs_do_recoalesce.patch
nfs-fix-an-incorrect-limit-in-filelayout_decode_layout.patch
nfs-fix-an-oopsable-condition-in-__nfs_pageio_add_request.patch
nfsv4-fix-v4.0-v4.1-seek_data-return-enotsupp-when-set-nfs_v4_2-config.patch
revert-net-tipc-fix-a-double-free-in-tipc_sk_mcast_rcv.patch
spi-spi-fsl-dspi-fix-a-resource-leak-in-an-error-handling-path.patch
sunrpc-in-case-of-backlog-hand-free-slots-directly-to-waiting-task.patch
tipc-skb_linearize-the-head-skb-when-reassembling-msgs.patch
tipc-wait-and-exit-until-all-work-queues-are-done.patch

22 files changed:
queue-5.10/bluetooth-cmtp-fix-file-refcount-when-cmtp_attach_device-fails.patch [new file with mode: 0644]
queue-5.10/drm-meson-fix-shutdown-crash-when-component-not-probed.patch [new file with mode: 0644]
queue-5.10/fs-nfs-use-fatal_signal_pending-instead-of-signal_pending.patch [new file with mode: 0644]
queue-5.10/net-mlx4-fix-eeprom-dump-support.patch [new file with mode: 0644]
queue-5.10/net-mlx5-set-reformat-action-when-needed-for-termination-rules.patch [new file with mode: 0644]
queue-5.10/net-mlx5-set-term-table-as-an-unmanaged-flow-table.patch [new file with mode: 0644]
queue-5.10/net-mlx5e-fix-error-path-of-updating-netdev-queues.patch [new file with mode: 0644]
queue-5.10/net-mlx5e-fix-multipath-lag-activation.patch [new file with mode: 0644]
queue-5.10/net-mlx5e-fix-null-deref-accessing-lag-dev.patch [new file with mode: 0644]
queue-5.10/net-mlx5e-fix-nullptr-in-add_vlan_push_action.patch [new file with mode: 0644]
queue-5.10/net-mlx5e-reset-xps-on-error-flow-if-netdev-isn-t-registered-yet.patch [new file with mode: 0644]
queue-5.10/net-vdpa-mlx5-configure-interface-mac-into-mpfs-l2-table.patch [new file with mode: 0644]
queue-5.10/nfs-don-t-corrupt-the-value-of-pg_bytes_written-in-nfs_do_recoalesce.patch [new file with mode: 0644]
queue-5.10/nfs-fix-an-incorrect-limit-in-filelayout_decode_layout.patch [new file with mode: 0644]
queue-5.10/nfs-fix-an-oopsable-condition-in-__nfs_pageio_add_request.patch [new file with mode: 0644]
queue-5.10/nfsv4-fix-v4.0-v4.1-seek_data-return-enotsupp-when-set-nfs_v4_2-config.patch [new file with mode: 0644]
queue-5.10/revert-net-tipc-fix-a-double-free-in-tipc_sk_mcast_rcv.patch [new file with mode: 0644]
queue-5.10/series
queue-5.10/spi-spi-fsl-dspi-fix-a-resource-leak-in-an-error-handling-path.patch [new file with mode: 0644]
queue-5.10/sunrpc-in-case-of-backlog-hand-free-slots-directly-to-waiting-task.patch [new file with mode: 0644]
queue-5.10/tipc-skb_linearize-the-head-skb-when-reassembling-msgs.patch [new file with mode: 0644]
queue-5.10/tipc-wait-and-exit-until-all-work-queues-are-done.patch [new file with mode: 0644]

diff --git a/queue-5.10/bluetooth-cmtp-fix-file-refcount-when-cmtp_attach_device-fails.patch b/queue-5.10/bluetooth-cmtp-fix-file-refcount-when-cmtp_attach_device-fails.patch
new file mode 100644 (file)
index 0000000..8a07839
--- /dev/null
@@ -0,0 +1,40 @@
+From 8da3a0b87f4f1c3a3bbc4bfb78cf68476e97d183 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Date: Tue, 13 Apr 2021 13:21:03 -0300
+Subject: Bluetooth: cmtp: fix file refcount when cmtp_attach_device fails
+
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+
+commit 8da3a0b87f4f1c3a3bbc4bfb78cf68476e97d183 upstream.
+
+When cmtp_attach_device fails, cmtp_add_connection returns the error value
+which leads to the caller to doing fput through sockfd_put. But
+cmtp_session kthread, which is stopped in this path will also call fput,
+leading to a potential refcount underflow or a use-after-free.
+
+Add a refcount before we signal the kthread to stop. The kthread will try
+to grab the cmtp_session_sem mutex before doing the fput, which is held
+when get_file is called, so there should be no races there.
+
+Reported-by: Ryota Shiga
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/cmtp/core.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/bluetooth/cmtp/core.c
++++ b/net/bluetooth/cmtp/core.c
+@@ -392,6 +392,11 @@ int cmtp_add_connection(struct cmtp_conn
+       if (!(session->flags & BIT(CMTP_LOOPBACK))) {
+               err = cmtp_attach_device(session);
+               if (err < 0) {
++                      /* Caller will call fput in case of failure, and so
++                       * will cmtp_session kthread.
++                       */
++                      get_file(session->sock->file);
++
+                       atomic_inc(&session->terminate);
+                       wake_up_interruptible(sk_sleep(session->sock->sk));
+                       up_write(&cmtp_session_sem);
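Review bot: The new comment above `get_file(session->sock->file)` explains the double fput but not why taking the extra reference at this point cannot race with the kthread. The commit message says the kthread takes cmtp_session_sem before its fput and that the semaphore is held here, which matches the `up_write(&cmtp_session_sem)` a few lines below. I would carry that into the code, e.g. `/* Taken under cmtp_session_sem, which the kthread acquires before its fput. */`, so that a later reordering of the get_file and the up_write is recognisably unsafe. cmtp_add_connection() starts and ends outside this hunk, so the caller's sockfd_put path is not visible here.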
diff --git a/queue-5.10/drm-meson-fix-shutdown-crash-when-component-not-probed.patch b/queue-5.10/drm-meson-fix-shutdown-crash-when-component-not-probed.patch
new file mode 100644 (file)
index 0000000..5931eda
--- /dev/null
@@ -0,0 +1,59 @@
+From 7cfc4ea78fc103ea51ecbacd9236abb5b1c490d2 Mon Sep 17 00:00:00 2001
+From: Neil Armstrong <narmstrong@baylibre.com>
+Date: Fri, 30 Apr 2021 10:27:44 +0200
+Subject: drm/meson: fix shutdown crash when component not probed
+
+From: Neil Armstrong <narmstrong@baylibre.com>
+
+commit 7cfc4ea78fc103ea51ecbacd9236abb5b1c490d2 upstream.
+
+When main component is not probed, by example when the dw-hdmi module is
+not loaded yet or in probe defer, the following crash appears on shutdown:
+
+Unable to handle kernel NULL pointer dereference at virtual address 0000000000000038
+...
+pc : meson_drv_shutdown+0x24/0x50
+lr : platform_drv_shutdown+0x20/0x30
+...
+Call trace:
+meson_drv_shutdown+0x24/0x50
+platform_drv_shutdown+0x20/0x30
+device_shutdown+0x158/0x360
+kernel_restart_prepare+0x38/0x48
+kernel_restart+0x18/0x68
+__do_sys_reboot+0x224/0x250
+__arm64_sys_reboot+0x24/0x30
+...
+
+Simply check if the priv struct has been allocated before using it.
+
+Fixes: fa0c16caf3d7 ("drm: meson_drv add shutdown function")
+Reported-by: Stefan Agner <stefan@agner.ch>
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+Tested-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Reviewed-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210430082744.3638743-1-narmstrong@baylibre.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/meson/meson_drv.c |    9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/meson/meson_drv.c
++++ b/drivers/gpu/drm/meson/meson_drv.c
+@@ -485,11 +485,12 @@ static int meson_probe_remote(struct pla
+ static void meson_drv_shutdown(struct platform_device *pdev)
+ {
+       struct meson_drm *priv = dev_get_drvdata(&pdev->dev);
+-      struct drm_device *drm = priv->drm;
+-      DRM_DEBUG_DRIVER("\n");
+-      drm_kms_helper_poll_fini(drm);
+-      drm_atomic_helper_shutdown(drm);
++      if (!priv)
++              return;
++
++      drm_kms_helper_poll_fini(priv->drm);
++      drm_atomic_helper_shutdown(priv->drm);
+ }
+ static int meson_drv_probe(struct platform_device *pdev)
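Review bot: The added `if (!priv) return;` in meson_drv_shutdown() only covers the case where drvdata was never set; `priv->drm` is still dereferenced unconditionally afterwards. Whether drvdata is cleared again when a bind fails or is undone is not visible in this hunk, so it is worth confirming that no path leaves a non-NULL but stale priv behind. A short comment such as `/* priv is NULL when the master component never bound */` above the check would record why it exists.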
diff --git a/queue-5.10/fs-nfs-use-fatal_signal_pending-instead-of-signal_pending.patch b/queue-5.10/fs-nfs-use-fatal_signal_pending-instead-of-signal_pending.patch
new file mode 100644 (file)
index 0000000..4c05f71
--- /dev/null
@@ -0,0 +1,41 @@
+From bb002388901151fe35b6697ab116f6ed0721a9ed Mon Sep 17 00:00:00 2001
+From: zhouchuangao <zhouchuangao@vivo.com>
+Date: Sun, 9 May 2021 19:34:37 -0700
+Subject: fs/nfs: Use fatal_signal_pending instead of signal_pending
+
+From: zhouchuangao <zhouchuangao@vivo.com>
+
+commit bb002388901151fe35b6697ab116f6ed0721a9ed upstream.
+
+We set the state of the current process to TASK_KILLABLE via
+prepare_to_wait(). Should we use fatal_signal_pending() to detect
+the signal here?
+
+Fixes: b4868b44c562 ("NFSv4: Wait for stateid updates after CLOSE/OPEN_DOWNGRADE")
+Signed-off-by: zhouchuangao <zhouchuangao@vivo.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/nfs4proc.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -1688,7 +1688,7 @@ static void nfs_set_open_stateid_locked(
+               rcu_read_unlock();
+               trace_nfs4_open_stateid_update_wait(state->inode, stateid, 0);
+-              if (!signal_pending(current)) {
++              if (!fatal_signal_pending(current)) {
+                       if (schedule_timeout(5*HZ) == 0)
+                               status = -EAGAIN;
+                       else
+@@ -3463,7 +3463,7 @@ static bool nfs4_refresh_open_old_statei
+               write_sequnlock(&state->seqlock);
+               trace_nfs4_close_stateid_update_wait(state->inode, dst, 0);
+-              if (signal_pending(current))
++              if (fatal_signal_pending(current))
+                       status = -EINTR;
+               else
+                       if (schedule_timeout(5*HZ) != 0)
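Review bot: Neither changed test carries a comment saying why only fatal signals are checked, and the commit message itself is phrased as a question. According to the message the task state is set to TASK_KILLABLE by prepare_to_wait(), which is outside both hunks, so a comment like `/* sleeping TASK_KILLABLE: only a fatal signal can end the wait */` above `if (!fatal_signal_pending(current))` and `if (fatal_signal_pending(current))` would tie the check to the sleep state. Both enclosing functions start and end outside the hunks.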
diff --git a/queue-5.10/net-mlx4-fix-eeprom-dump-support.patch b/queue-5.10/net-mlx4-fix-eeprom-dump-support.patch
new file mode 100644 (file)
index 0000000..d1ed2e4
--- /dev/null
@@ -0,0 +1,198 @@
+From db825feefc6868896fed5e361787ba3bee2fd906 Mon Sep 17 00:00:00 2001
+From: Vladyslav Tarasiuk <vladyslavt@nvidia.com>
+Date: Sun, 9 May 2021 09:43:18 +0300
+Subject: net/mlx4: Fix EEPROM dump support
+
+From: Vladyslav Tarasiuk <vladyslavt@nvidia.com>
+
+commit db825feefc6868896fed5e361787ba3bee2fd906 upstream.
+
+Fix SFP and QSFP* EEPROM queries by setting i2c_address, offset and page
+number correctly. For SFP set the following params:
+- I2C address for offsets 0-255 is 0x50. For 256-511 - 0x51.
+- Page number is zero.
+- Offset is 0-255.
+
+At the same time, QSFP* parameters are different:
+- I2C address is always 0x50.
+- Page number is not limited to zero.
+- Offset is 0-255 for page zero and 128-255 for others.
+
+To set parameters accordingly to cable used, implement function to query
+module ID and implement respective helper functions to set parameters
+correctly.
+
+Fixes: 135dd9594f12 ("net/mlx4_en: ethtool, Remove unsupported SFP EEPROM high pages query")
+Signed-off-by: Vladyslav Tarasiuk <vladyslavt@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/en_ethtool.c |    4 
+ drivers/net/ethernet/mellanox/mlx4/port.c       |  107 +++++++++++++++++++++++-
+ 2 files changed, 104 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
+@@ -2027,8 +2027,6 @@ static int mlx4_en_set_tunable(struct ne
+       return ret;
+ }
+-#define MLX4_EEPROM_PAGE_LEN 256
+-
+ static int mlx4_en_get_module_info(struct net_device *dev,
+                                  struct ethtool_modinfo *modinfo)
+ {
+@@ -2063,7 +2061,7 @@ static int mlx4_en_get_module_info(struc
+               break;
+       case MLX4_MODULE_ID_SFP:
+               modinfo->type = ETH_MODULE_SFF_8472;
+-              modinfo->eeprom_len = MLX4_EEPROM_PAGE_LEN;
++              modinfo->eeprom_len = ETH_MODULE_SFF_8472_LEN;
+               break;
+       default:
+               return -EINVAL;
+--- a/drivers/net/ethernet/mellanox/mlx4/port.c
++++ b/drivers/net/ethernet/mellanox/mlx4/port.c
+@@ -1973,6 +1973,7 @@ EXPORT_SYMBOL(mlx4_get_roce_gid_from_sla
+ #define I2C_ADDR_LOW  0x50
+ #define I2C_ADDR_HIGH 0x51
+ #define I2C_PAGE_SIZE 256
++#define I2C_HIGH_PAGE_SIZE 128
+ /* Module Info Data */
+ struct mlx4_cable_info {
+@@ -2026,6 +2027,88 @@ static inline const char *cable_info_mad
+       return "Unknown Error";
+ }
++static int mlx4_get_module_id(struct mlx4_dev *dev, u8 port, u8 *module_id)
++{
++      struct mlx4_cmd_mailbox *inbox, *outbox;
++      struct mlx4_mad_ifc *inmad, *outmad;
++      struct mlx4_cable_info *cable_info;
++      int ret;
++
++      inbox = mlx4_alloc_cmd_mailbox(dev);
++      if (IS_ERR(inbox))
++              return PTR_ERR(inbox);
++
++      outbox = mlx4_alloc_cmd_mailbox(dev);
++      if (IS_ERR(outbox)) {
++              mlx4_free_cmd_mailbox(dev, inbox);
++              return PTR_ERR(outbox);
++      }
++
++      inmad = (struct mlx4_mad_ifc *)(inbox->buf);
++      outmad = (struct mlx4_mad_ifc *)(outbox->buf);
++
++      inmad->method = 0x1; /* Get */
++      inmad->class_version = 0x1;
++      inmad->mgmt_class = 0x1;
++      inmad->base_version = 0x1;
++      inmad->attr_id = cpu_to_be16(0xFF60); /* Module Info */
++
++      cable_info = (struct mlx4_cable_info *)inmad->data;
++      cable_info->dev_mem_address = 0;
++      cable_info->page_num = 0;
++      cable_info->i2c_addr = I2C_ADDR_LOW;
++      cable_info->size = cpu_to_be16(1);
++
++      ret = mlx4_cmd_box(dev, inbox->dma, outbox->dma, port, 3,
++                         MLX4_CMD_MAD_IFC, MLX4_CMD_TIME_CLASS_C,
++                         MLX4_CMD_NATIVE);
++      if (ret)
++              goto out;
++
++      if (be16_to_cpu(outmad->status)) {
++              /* Mad returned with bad status */
++              ret = be16_to_cpu(outmad->status);
++              mlx4_warn(dev,
++                        "MLX4_CMD_MAD_IFC Get Module ID attr(%x) port(%d) i2c_addr(%x) offset(%d) size(%d): Response Mad Status(%x) - %s\n",
++                        0xFF60, port, I2C_ADDR_LOW, 0, 1, ret,
++                        cable_info_mad_err_str(ret));
++              ret = -ret;
++              goto out;
++      }
++      cable_info = (struct mlx4_cable_info *)outmad->data;
++      *module_id = cable_info->data[0];
++out:
++      mlx4_free_cmd_mailbox(dev, inbox);
++      mlx4_free_cmd_mailbox(dev, outbox);
++      return ret;
++}
++
++static void mlx4_sfp_eeprom_params_set(u8 *i2c_addr, u8 *page_num, u16 *offset)
++{
++      *i2c_addr = I2C_ADDR_LOW;
++      *page_num = 0;
++
++      if (*offset < I2C_PAGE_SIZE)
++              return;
++
++      *i2c_addr = I2C_ADDR_HIGH;
++      *offset -= I2C_PAGE_SIZE;
++}
++
++static void mlx4_qsfp_eeprom_params_set(u8 *i2c_addr, u8 *page_num, u16 *offset)
++{
++      /* Offsets 0-255 belong to page 0.
++       * Offsets 256-639 belong to pages 01, 02, 03.
++       * For example, offset 400 is page 02: 1 + (400 - 256) / 128 = 2
++       */
++      if (*offset < I2C_PAGE_SIZE)
++              *page_num = 0;
++      else
++              *page_num = 1 + (*offset - I2C_PAGE_SIZE) / I2C_HIGH_PAGE_SIZE;
++      *i2c_addr = I2C_ADDR_LOW;
++      *offset -= *page_num * I2C_HIGH_PAGE_SIZE;
++}
++
+ /**
+  * mlx4_get_module_info - Read cable module eeprom data
+  * @dev: mlx4_dev.
+@@ -2045,12 +2128,30 @@ int mlx4_get_module_info(struct mlx4_dev
+       struct mlx4_cmd_mailbox *inbox, *outbox;
+       struct mlx4_mad_ifc *inmad, *outmad;
+       struct mlx4_cable_info *cable_info;
+-      u16 i2c_addr;
++      u8 module_id, i2c_addr, page_num;
+       int ret;
+       if (size > MODULE_INFO_MAX_READ)
+               size = MODULE_INFO_MAX_READ;
++      ret = mlx4_get_module_id(dev, port, &module_id);
++      if (ret)
++              return ret;
++
++      switch (module_id) {
++      case MLX4_MODULE_ID_SFP:
++              mlx4_sfp_eeprom_params_set(&i2c_addr, &page_num, &offset);
++              break;
++      case MLX4_MODULE_ID_QSFP:
++      case MLX4_MODULE_ID_QSFP_PLUS:
++      case MLX4_MODULE_ID_QSFP28:
++              mlx4_qsfp_eeprom_params_set(&i2c_addr, &page_num, &offset);
++              break;
++      default:
++              mlx4_err(dev, "Module ID not recognized: %#x\n", module_id);
++              return -EINVAL;
++      }
++
+       inbox = mlx4_alloc_cmd_mailbox(dev);
+       if (IS_ERR(inbox))
+               return PTR_ERR(inbox);
+@@ -2076,11 +2177,9 @@ int mlx4_get_module_info(struct mlx4_dev
+                */
+               size -= offset + size - I2C_PAGE_SIZE;
+-      i2c_addr = I2C_ADDR_LOW;
+-
+       cable_info = (struct mlx4_cable_info *)inmad->data;
+       cable_info->dev_mem_address = cpu_to_be16(offset);
+-      cable_info->page_num = 0;
++      cable_info->page_num = page_num;
+       cable_info->i2c_addr = i2c_addr;
+       cable_info->size = cpu_to_be16(size);
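Review bot: mlx4_qsfp_eeprom_params_set() puts no upper bound on `*offset`: its comment says offsets 256-639 map to pages 01-03, but `*page_num = 1 + (*offset - I2C_PAGE_SIZE) / I2C_HIGH_PAGE_SIZE` is stored in a u8 and silently truncates for large u16 offsets, after which `*offset -= *page_num * I2C_HIGH_PAGE_SIZE` uses the truncated page. mlx4_sfp_eeprom_params_set() likewise accepts offsets of 512 and above and then leaves `*offset` at 256 or more together with I2C_ADDR_HIGH. The caller may already limit the offset to the reported eeprom_len, but that is not visible here; having both helpers return an int and fail with -EINVAL for offsets outside the ranges the commit message documents would make mlx4_get_module_info() safe on its own. mlx4_get_module_info() starts and ends outside the hunks shown.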
diff --git a/queue-5.10/net-mlx5-set-reformat-action-when-needed-for-termination-rules.patch b/queue-5.10/net-mlx5-set-reformat-action-when-needed-for-termination-rules.patch
new file mode 100644 (file)
index 0000000..2013b4f
--- /dev/null
@@ -0,0 +1,84 @@
+From 442b3d7b671bcb779ebdad46edd08051eb8b28d9 Mon Sep 17 00:00:00 2001
+From: Jianbo Liu <jianbol@nvidia.com>
+Date: Fri, 30 Apr 2021 06:58:29 +0000
+Subject: net/mlx5: Set reformat action when needed for termination rules
+
+From: Jianbo Liu <jianbol@nvidia.com>
+
+commit 442b3d7b671bcb779ebdad46edd08051eb8b28d9 upstream.
+
+For remote mirroring, after the tunnel packets are received, they are
+decapsulated and sent to representor, then re-encapsulated and sent
+out over another tunnel. So reformat action is set only when the
+destination is required to do encapsulation.
+
+Fixes: 249ccc3c95bd ("net/mlx5e: Add support for offloading traffic from uplink to uplink")
+Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
+Reviewed-by: Ariel Levkovich <lariel@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c |   31 +++-------
+ 1 file changed, 10 insertions(+), 21 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c
+@@ -171,19 +171,6 @@ mlx5_eswitch_termtbl_put(struct mlx5_esw
+       }
+ }
+-static bool mlx5_eswitch_termtbl_is_encap_reformat(struct mlx5_pkt_reformat *rt)
+-{
+-      switch (rt->reformat_type) {
+-      case MLX5_REFORMAT_TYPE_L2_TO_VXLAN:
+-      case MLX5_REFORMAT_TYPE_L2_TO_NVGRE:
+-      case MLX5_REFORMAT_TYPE_L2_TO_L2_TUNNEL:
+-      case MLX5_REFORMAT_TYPE_L2_TO_L3_TUNNEL:
+-              return true;
+-      default:
+-              return false;
+-      }
+-}
+-
+ static void
+ mlx5_eswitch_termtbl_actions_move(struct mlx5_flow_act *src,
+                                 struct mlx5_flow_act *dst)
+@@ -201,14 +188,6 @@ mlx5_eswitch_termtbl_actions_move(struct
+                       memset(&src->vlan[1], 0, sizeof(src->vlan[1]));
+               }
+       }
+-
+-      if (src->action & MLX5_FLOW_CONTEXT_ACTION_PACKET_REFORMAT &&
+-          mlx5_eswitch_termtbl_is_encap_reformat(src->pkt_reformat)) {
+-              src->action &= ~MLX5_FLOW_CONTEXT_ACTION_PACKET_REFORMAT;
+-              dst->action |= MLX5_FLOW_CONTEXT_ACTION_PACKET_REFORMAT;
+-              dst->pkt_reformat = src->pkt_reformat;
+-              src->pkt_reformat = NULL;
+-      }
+ }
+ static bool mlx5_eswitch_offload_is_uplink_port(const struct mlx5_eswitch *esw,
+@@ -278,6 +257,14 @@ mlx5_eswitch_add_termtbl_rule(struct mlx
+               if (dest[i].type != MLX5_FLOW_DESTINATION_TYPE_VPORT)
+                       continue;
++              if (attr->dests[num_vport_dests].flags & MLX5_ESW_DEST_ENCAP) {
++                      term_tbl_act.action |= MLX5_FLOW_CONTEXT_ACTION_PACKET_REFORMAT;
++                      term_tbl_act.pkt_reformat = attr->dests[num_vport_dests].pkt_reformat;
++              } else {
++                      term_tbl_act.action &= ~MLX5_FLOW_CONTEXT_ACTION_PACKET_REFORMAT;
++                      term_tbl_act.pkt_reformat = NULL;
++              }
++
+               /* get the terminating table for the action list */
+               tt = mlx5_eswitch_termtbl_get_create(esw, &term_tbl_act,
+                                                    &dest[i], attr);
+@@ -299,6 +286,8 @@ mlx5_eswitch_add_termtbl_rule(struct mlx
+               goto revert_changes;
+       /* create the FTE */
++      flow_act->action &= ~MLX5_FLOW_CONTEXT_ACTION_PACKET_REFORMAT;
++      flow_act->pkt_reformat = NULL;
+       rule = mlx5_add_flow_rules(fdb, spec, flow_act, dest, num_dest);
+       if (IS_ERR(rule))
+               goto revert_changes;
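Review bot: The added `flow_act->action &= ~MLX5_FLOW_CONTEXT_ACTION_PACKET_REFORMAT;` and `flow_act->pkt_reformat = NULL;` modify the caller's flow_act right before `mlx5_add_flow_rules()`, and the failure branch jumps to `revert_changes`. This patch also removes the reformat handling from mlx5_eswitch_termtbl_actions_move(), so if the revert path relies on that helper (its body is outside the hunk) the original reformat action and pointer are not restored when rule creation fails. Saving the two fields in locals before clearing them and writing them back under `revert_changes` would keep the fallback rule identical to what the caller passed in. Separately, `attr->dests[num_vport_dests]` is indexed by a counter other than the loop's `i`; the increment and the array bound are outside the hunk and worth checking.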
diff --git a/queue-5.10/net-mlx5-set-term-table-as-an-unmanaged-flow-table.patch b/queue-5.10/net-mlx5-set-term-table-as-an-unmanaged-flow-table.patch
new file mode 100644 (file)
index 0000000..80afb71
--- /dev/null
@@ -0,0 +1,61 @@
+From 6ff51ab8aa8fcbcddeeefce8ca705b575805d12b Mon Sep 17 00:00:00 2001
+From: Ariel Levkovich <lariel@nvidia.com>
+Date: Wed, 31 Mar 2021 10:09:02 +0300
+Subject: net/mlx5: Set term table as an unmanaged flow table
+
+From: Ariel Levkovich <lariel@nvidia.com>
+
+commit 6ff51ab8aa8fcbcddeeefce8ca705b575805d12b upstream.
+
+Termination tables are restricted to have the default miss action and
+cannot be set to forward to another table in case of a miss.
+If the fs prio of the termination table is not the last one in the
+list, fs_core will attempt to attach it to another table.
+
+Set the unmanaged ft flag when creating the termination table ft
+and select the tc offload prio for it to prevent fs_core from selecting
+the forwarding to next ft miss action and use the default one.
+
+In addition, set the flow that forwards to the termination table to
+ignore ft level restrictions since the ft level is not set by fs_core
+for unamanged fts.
+
+Fixes: 249ccc3c95bd ("net/mlx5e: Add support for offloading traffic from uplink to uplink")
+Signed-off-by: Ariel Levkovich <lariel@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c
+@@ -76,10 +76,11 @@ mlx5_eswitch_termtbl_create(struct mlx5_
+       /* As this is the terminating action then the termination table is the
+        * same prio as the slow path
+        */
+-      ft_attr.flags = MLX5_FLOW_TABLE_TERMINATION |
++      ft_attr.flags = MLX5_FLOW_TABLE_TERMINATION | MLX5_FLOW_TABLE_UNMANAGED |
+                       MLX5_FLOW_TABLE_TUNNEL_EN_REFORMAT;
+-      ft_attr.prio = FDB_SLOW_PATH;
++      ft_attr.prio = FDB_TC_OFFLOAD;
+       ft_attr.max_fte = 1;
++      ft_attr.level = 1;
+       ft_attr.autogroup.max_num_groups = 1;
+       tt->termtbl = mlx5_create_auto_grouped_flow_table(root_ns, &ft_attr);
+       if (IS_ERR(tt->termtbl)) {
+@@ -216,6 +217,7 @@ mlx5_eswitch_termtbl_required(struct mlx
+       int i;
+       if (!MLX5_CAP_ESW_FLOWTABLE_FDB(esw->dev, termination_table) ||
++          !MLX5_CAP_ESW_FLOWTABLE_FDB(esw->dev, ignore_flow_level) ||
+           attr->flags & MLX5_ESW_ATTR_FLAG_SLOW_PATH ||
+           !mlx5_eswitch_offload_is_uplink_port(esw, spec))
+               return false;
+@@ -288,6 +290,7 @@ mlx5_eswitch_add_termtbl_rule(struct mlx
+       /* create the FTE */
+       flow_act->action &= ~MLX5_FLOW_CONTEXT_ACTION_PACKET_REFORMAT;
+       flow_act->pkt_reformat = NULL;
++      flow_act->flags |= FLOW_ACT_IGNORE_FLOW_LEVEL;
+       rule = mlx5_add_flow_rules(fdb, spec, flow_act, dest, num_dest);
+       if (IS_ERR(rule))
+               goto revert_changes;
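Review bot: The context comment in mlx5_eswitch_termtbl_create() still says the termination table "is the same prio as the slow path", but the new code sets `ft_attr.prio = FDB_TC_OFFLOAD;`, so the comment now contradicts the line below it. I would replace it with something like `/* Unmanaged table in the TC offload prio, so fs_core keeps the default miss action */`, which is the reason the commit message gives. The new `ft_attr.level = 1;` has no explanation either; a short comment on why level 1 is chosen would help, since the message notes that fs_core does not set the level for unmanaged tables.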
diff --git a/queue-5.10/net-mlx5e-fix-error-path-of-updating-netdev-queues.patch b/queue-5.10/net-mlx5e-fix-error-path-of-updating-netdev-queues.patch
new file mode 100644 (file)
index 0000000..f383306
--- /dev/null
@@ -0,0 +1,33 @@
+From 5e7923acbd86d0ff29269688d8a9c47ad091dd46 Mon Sep 17 00:00:00 2001
+From: Aya Levin <ayal@nvidia.com>
+Date: Wed, 21 Apr 2021 14:26:31 +0300
+Subject: net/mlx5e: Fix error path of updating netdev queues
+
+From: Aya Levin <ayal@nvidia.com>
+
+commit 5e7923acbd86d0ff29269688d8a9c47ad091dd46 upstream.
+
+Avoid division by zero in the error flow. In the driver TC number can be
+either 1 or 8. When TC count is set to 1, driver zero netdev->num_tc.
+Hence, need to convert it back from 0 to 1 in the error flow.
+
+Fixes: fa3748775b92 ("net/mlx5e: Handle errors from netif_set_real_num_{tx,rx}_queues")
+Signed-off-by: Aya Levin <ayal@nvidia.com>
+Reviewed-by: Maxim Mikityanskiy <maximmi@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -2920,7 +2920,7 @@ static int mlx5e_update_netdev_queues(st
+       int err;
+       old_num_txqs = netdev->real_num_tx_queues;
+-      old_ntc = netdev->num_tc;
++      old_ntc = netdev->num_tc ? : 1;
+       nch = priv->channels.params.num_channels;
+       ntc = priv->channels.params.num_tc;
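Review bot: `old_ntc = netdev->num_tc ? : 1;` relies on the reader knowing that a zero num_tc means one traffic class, which only the commit message states. A comment such as `/* num_tc is 0 when a single TC is configured; keep the divisor non-zero for the error path */` above the assignment would make the intent visible. The division itself is in the part of mlx5e_update_netdev_queues() outside this hunk.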
diff --git a/queue-5.10/net-mlx5e-fix-multipath-lag-activation.patch b/queue-5.10/net-mlx5e-fix-multipath-lag-activation.patch
new file mode 100644 (file)
index 0000000..88f53ca
--- /dev/null
@@ -0,0 +1,51 @@
+From 97817fcc684ed01497bd19d0cd4dea699665b9cf Mon Sep 17 00:00:00 2001
+From: Dima Chumak <dchumak@nvidia.com>
+Date: Tue, 13 Apr 2021 22:43:08 +0300
+Subject: net/mlx5e: Fix multipath lag activation
+
+From: Dima Chumak <dchumak@nvidia.com>
+
+commit 97817fcc684ed01497bd19d0cd4dea699665b9cf upstream.
+
+When handling FIB_EVENT_ENTRY_REPLACE event for a new multipath route,
+lag activation can be missed if a stale (struct lag_mp)->mfi pointer
+exists, which was associated with an older multipath route that had been
+removed.
+
+Normally, when a route is removed, it triggers mlx5_lag_fib_event(),
+which handles FIB_EVENT_ENTRY_DEL and clears mfi pointer. But, if
+mlx5_lag_check_prereq() condition isn't met, for example when eswitch is
+in legacy mode, the fib event is skipped and mfi pointer becomes stale.
+
+Fix by resetting mfi pointer to NULL every time mlx5_lag_mp_init() is
+called.
+
+Fixes: 544fe7c2e654 ("net/mlx5e: Activate HW multipath and handle port affinity based on FIB events")
+Signed-off-by: Dima Chumak <dchumak@nvidia.com>
+Reviewed-by: Roi Dayan <roid@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/lag_mp.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/lag_mp.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/lag_mp.c
+@@ -307,6 +307,11 @@ int mlx5_lag_mp_init(struct mlx5_lag *ld
+       struct lag_mp *mp = &ldev->lag_mp;
+       int err;
++      /* always clear mfi, as it might become stale when a route delete event
++       * has been missed
++       */
++      mp->mfi = NULL;
++
+       if (mp->fib_nb.notifier_call)
+               return 0;
+@@ -335,4 +340,5 @@ void mlx5_lag_mp_cleanup(struct mlx5_lag
+       unregister_fib_notifier(&init_net, &mp->fib_nb);
+       destroy_workqueue(mp->wq);
+       mp->fib_nb.notifier_call = NULL;
++      mp->mfi = NULL;
+ }
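Review bot: In mlx5_lag_mp_init() the new `mp->mfi = NULL;` sits before the `if (mp->fib_nb.notifier_call) return 0;` early return, so it also runs when the FIB notifier is already registered. In that state queued FIB work could presumably read or write `mp->mfi` concurrently, and no lock is visible around the store; the event handler is outside the hunk, so this needs confirming against it. In mlx5_lag_mp_cleanup() the reset is placed after `destroy_workqueue(mp->wq)`, which looks safe. If the init-time store has to stay ahead of the early return, a comment stating what serialises it against the work items would be useful.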
diff --git a/queue-5.10/net-mlx5e-fix-null-deref-accessing-lag-dev.patch b/queue-5.10/net-mlx5e-fix-null-deref-accessing-lag-dev.patch
new file mode 100644 (file)
index 0000000..76c91c4
--- /dev/null
@@ -0,0 +1,35 @@
+From 83026d83186bc48bb41ee4872f339b83f31dfc55 Mon Sep 17 00:00:00 2001
+From: Roi Dayan <roid@nvidia.com>
+Date: Mon, 3 May 2021 18:01:02 +0300
+Subject: net/mlx5e: Fix null deref accessing lag dev
+
+From: Roi Dayan <roid@nvidia.com>
+
+commit 83026d83186bc48bb41ee4872f339b83f31dfc55 upstream.
+
+It could be the lag dev is null so stop processing the event.
+In bond_enslave() the active/backup slave being set before setting the
+upper dev so first event is without an upper dev.
+After setting the upper dev with bond_master_upper_dev_link() there is
+a second event and in that event we have an upper dev.
+
+Fixes: 7e51891a237f ("net/mlx5e: Use netdev events to set/del egress acl forward-to-vport rule")
+Signed-off-by: Roi Dayan <roid@nvidia.com>
+Reviewed-by: Maor Dickman <maord@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en/rep/bond.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/rep/bond.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/rep/bond.c
+@@ -223,6 +223,8 @@ static void mlx5e_rep_changelowerstate_e
+       rpriv = priv->ppriv;
+       fwd_vport_num = rpriv->rep->vport;
+       lag_dev = netdev_master_upper_dev_get(netdev);
++      if (!lag_dev)
++              return;
+       netdev_dbg(netdev, "lag_dev(%s)'s slave vport(%d) is txable(%d)\n",
+                  lag_dev->name, fwd_vport_num, net_lag_port_dev_txable(netdev));
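Review bot: The new `if (!lag_dev) return;` has no comment, and the reason a NULL master is expected is given only in the commit message. Something like `/* first lower-state event from bond_enslave() arrives before the upper dev is linked */` above the check would keep it from being mistaken for dead code. The netdev_dbg() call that follows dereferences `lag_dev->name`, so the check has to stay ahead of it; the rest of the function is outside the hunk.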
diff --git a/queue-5.10/net-mlx5e-fix-nullptr-in-add_vlan_push_action.patch b/queue-5.10/net-mlx5e-fix-nullptr-in-add_vlan_push_action.patch
new file mode 100644 (file)
index 0000000..5a07bbd
--- /dev/null
@@ -0,0 +1,51 @@
+From dca59f4a791960ec73fa15803faa0abe0f92ece2 Mon Sep 17 00:00:00 2001
+From: Dima Chumak <dchumak@nvidia.com>
+Date: Mon, 26 Apr 2021 15:16:26 +0300
+Subject: net/mlx5e: Fix nullptr in add_vlan_push_action()
+
+From: Dima Chumak <dchumak@nvidia.com>
+
+commit dca59f4a791960ec73fa15803faa0abe0f92ece2 upstream.
+
+The result of dev_get_by_index_rcu() is not checked for NULL and then
+gets dereferenced immediately.
+
+Also, the RCU lock must be held by the caller of dev_get_by_index_rcu(),
+which isn't satisfied by the call stack.
+
+Fix by handling nullptr return value when iflink device is not found.
+Add RCU locking around dev_get_by_index_rcu() to avoid possible adverse
+effects while iterating over the net_device's hlist.
+
+It is safe not to increment reference count of the net_device pointer in
+case of a successful lookup, because it's already handled by VLAN code
+during VLAN device registration (see register_vlan_dev and
+netdev_upper_dev_link).
+
+Fixes: 278748a95aa3 ("net/mlx5e: Offload TC e-switch rules with egress VLAN device")
+Addresses-Coverity: ("Dereference null return value")
+Signed-off-by: Dima Chumak <dchumak@nvidia.com>
+Reviewed-by: Vlad Buslov <vladbu@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_tc.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+@@ -4025,8 +4025,12 @@ static int add_vlan_push_action(struct m
+       if (err)
+               return err;
+-      *out_dev = dev_get_by_index_rcu(dev_net(vlan_dev),
+-                                      dev_get_iflink(vlan_dev));
++      rcu_read_lock();
++      *out_dev = dev_get_by_index_rcu(dev_net(vlan_dev), dev_get_iflink(vlan_dev));
++      rcu_read_unlock();
++      if (!*out_dev)
++              return -ENODEV;
++
+       if (is_vlan_dev(*out_dev))
+               err = add_vlan_push_action(priv, attr, out_dev, action);
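Review bot: `*out_dev` is used after `rcu_read_unlock()` without a reference being taken, both in `is_vlan_dev(*out_dev)` and in the recursive call. The commit message argues this is safe because the VLAN code already pins the lower device through register_vlan_dev and netdev_upper_dev_link, but nothing in the code records that. I would add `/* no dev_hold(): the lower dev is pinned by the VLAN upper-dev link */` next to the unlock so the invariant is visible to whoever changes this lookup next. add_vlan_push_action() starts and ends outside the hunk.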
diff --git a/queue-5.10/net-mlx5e-reset-xps-on-error-flow-if-netdev-isn-t-registered-yet.patch b/queue-5.10/net-mlx5e-reset-xps-on-error-flow-if-netdev-isn-t-registered-yet.patch
new file mode 100644 (file)
index 0000000..1e2b9e1
--- /dev/null
@@ -0,0 +1,67 @@
+From 77ecd10d0a8aaa6e4871d8c63626e4c9fc5e47db Mon Sep 17 00:00:00 2001
+From: Saeed Mahameed <saeedm@nvidia.com>
+Date: Thu, 25 Feb 2021 11:20:00 -0800
+Subject: net/mlx5e: reset XPS on error flow if netdev isn't registered yet
+
+From: Saeed Mahameed <saeedm@nvidia.com>
+
+commit 77ecd10d0a8aaa6e4871d8c63626e4c9fc5e47db upstream.
+
+mlx5e_attach_netdev can be called prior to registering the netdevice:
+Example stack:
+
+ipoib_new_child_link ->
+ipoib_intf_init->
+rdma_init_netdev->
+mlx5_rdma_setup_rn->
+
+mlx5e_attach_netdev->
+mlx5e_num_channels_changed ->
+mlx5e_set_default_xps_cpumasks ->
+netif_set_xps_queue ->
+__netif_set_xps_queue -> kmalloc
+
+If any later stage fails at any point after mlx5e_num_channels_changed()
+returns, XPS allocated maps will never be freed as they
+are only freed during netdev unregistration, which will never happen for
+yet to be registered netdevs.
+
+Fixes: 3909a12e7913 ("net/mlx5e: Fix configuration of XPS cpumasks and netdev queues in corner cases")
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Aya Levin <ayal@nvidia.com>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -5385,6 +5385,11 @@ err_free_netdev:
+       return NULL;
+ }
++static void mlx5e_reset_channels(struct net_device *netdev)
++{
++      netdev_reset_tc(netdev);
++}
++
+ int mlx5e_attach_netdev(struct mlx5e_priv *priv)
+ {
+       const bool take_rtnl = priv->netdev->reg_state == NETREG_REGISTERED;
+@@ -5438,6 +5443,7 @@ err_cleanup_tx:
+       profile->cleanup_tx(priv);
+ out:
++      mlx5e_reset_channels(priv->netdev);
+       set_bit(MLX5E_STATE_DESTROYING, &priv->state);
+       cancel_work_sync(&priv->update_stats_work);
+       return err;
+@@ -5455,6 +5461,7 @@ void mlx5e_detach_netdev(struct mlx5e_pr
+       profile->cleanup_rx(priv);
+       profile->cleanup_tx(priv);
++      mlx5e_reset_channels(priv->netdev);
+       cancel_work_sync(&priv->update_stats_work);
+ }
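Review bot: `mlx5e_reset_channels()` is a one-line wrapper around `netdev_reset_tc()`, and nothing in the code says that this call is what releases the XPS maps the description is about. A reader of the `out:` label in `mlx5e_attach_netdev()` or of `mlx5e_detach_netdev()` sees a TC reset, not a leak fix. I would add a comment above the helper, e.g. `/* netdev_reset_tc() also frees the XPS maps set up via netif_set_xps_queue(); needed when the netdev never gets registered */`. Both callers start and end outside the hunks shown.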
diff --git a/queue-5.10/net-vdpa-mlx5-configure-interface-mac-into-mpfs-l2-table.patch b/queue-5.10/net-vdpa-mlx5-configure-interface-mac-into-mpfs-l2-table.patch
new file mode 100644 (file)
index 0000000..5c0e261
--- /dev/null
@@ -0,0 +1,186 @@
+From 7c9f131f366ab414691907fa0407124ea2b2f3bc Mon Sep 17 00:00:00 2001
+From: Eli Cohen <elic@nvidia.com>
+Date: Thu, 22 Apr 2021 15:48:10 +0300
+Subject: {net,vdpa}/mlx5: Configure interface MAC into mpfs L2 table
+
+From: Eli Cohen <elic@nvidia.com>
+
+commit 7c9f131f366ab414691907fa0407124ea2b2f3bc upstream.
+
+net/mlx5: Expose MPFS configuration API
+
+MPFS is the multi physical function switch that bridges traffic between
+the physical port and any physical functions associated with it. The
+driver is required to add or remove MAC entries to properly forward
+incoming traffic to the correct physical function.
+
+We export the API to control MPFS so that other drivers, such as
+mlx5_vdpa are able to add MAC addresses of their network interfaces.
+
+The MAC address of the vdpa interface must be configured into the MPFS L2
+address. Failing to do so could cause, in some NIC configurations, failure
+to forward packets to the vdpa network device instance.
+
+Fix this by adding calls to update the MPFS table.
+
+CC: <mst@redhat.com>
+CC: <jasowang@redhat.com>
+CC: <virtualization@lists.linux-foundation.org>
+Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5 devices")
+Signed-off-by: Eli Cohen <elic@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_fs.c    |    1 +
+ drivers/net/ethernet/mellanox/mlx5/core/eswitch.c  |    1 +
+ drivers/net/ethernet/mellanox/mlx5/core/lib/mpfs.c |    3 +++
+ drivers/net/ethernet/mellanox/mlx5/core/lib/mpfs.h |    5 +----
+ drivers/vdpa/mlx5/net/mlx5_vnet.c                  |   19 ++++++++++++++++++-
+ include/linux/mlx5/mpfs.h                          |   18 ++++++++++++++++++
+ 6 files changed, 42 insertions(+), 5 deletions(-)
+ create mode 100644 include/linux/mlx5/mpfs.h
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c
+@@ -35,6 +35,7 @@
+ #include <linux/ipv6.h>
+ #include <linux/tcp.h>
+ #include <linux/mlx5/fs.h>
++#include <linux/mlx5/mpfs.h>
+ #include "en.h"
+ #include "lib/mpfs.h"
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+@@ -35,6 +35,7 @@
+ #include <linux/mlx5/mlx5_ifc.h>
+ #include <linux/mlx5/vport.h>
+ #include <linux/mlx5/fs.h>
++#include <linux/mlx5/mpfs.h>
+ #include "esw/acl/lgcy.h"
+ #include "mlx5_core.h"
+ #include "lib/eq.h"
+--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/mpfs.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/mpfs.c
+@@ -33,6 +33,7 @@
+ #include <linux/etherdevice.h>
+ #include <linux/mlx5/driver.h>
+ #include <linux/mlx5/mlx5_ifc.h>
++#include <linux/mlx5/mpfs.h>
+ #include <linux/mlx5/eswitch.h>
+ #include "mlx5_core.h"
+ #include "lib/mpfs.h"
+@@ -175,6 +176,7 @@ out:
+       mutex_unlock(&mpfs->lock);
+       return err;
+ }
++EXPORT_SYMBOL(mlx5_mpfs_add_mac);
+ int mlx5_mpfs_del_mac(struct mlx5_core_dev *dev, u8 *mac)
+ {
+@@ -206,3 +208,4 @@ unlock:
+       mutex_unlock(&mpfs->lock);
+       return err;
+ }
++EXPORT_SYMBOL(mlx5_mpfs_del_mac);
+--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/mpfs.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/mpfs.h
+@@ -84,12 +84,9 @@ struct l2addr_node {
+ #ifdef CONFIG_MLX5_MPFS
+ int  mlx5_mpfs_init(struct mlx5_core_dev *dev);
+ void mlx5_mpfs_cleanup(struct mlx5_core_dev *dev);
+-int  mlx5_mpfs_add_mac(struct mlx5_core_dev *dev, u8 *mac);
+-int  mlx5_mpfs_del_mac(struct mlx5_core_dev *dev, u8 *mac);
+ #else /* #ifndef CONFIG_MLX5_MPFS */
+ static inline int  mlx5_mpfs_init(struct mlx5_core_dev *dev) { return 0; }
+ static inline void mlx5_mpfs_cleanup(struct mlx5_core_dev *dev) {}
+-static inline int  mlx5_mpfs_add_mac(struct mlx5_core_dev *dev, u8 *mac) { return 0; }
+-static inline int  mlx5_mpfs_del_mac(struct mlx5_core_dev *dev, u8 *mac) { return 0; }
+ #endif
++
+ #endif
+--- a/drivers/vdpa/mlx5/net/mlx5_vnet.c
++++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c
+@@ -9,6 +9,7 @@
+ #include <linux/mlx5/vport.h>
+ #include <linux/mlx5/fs.h>
+ #include <linux/mlx5/device.h>
++#include <linux/mlx5/mpfs.h>
+ #include "mlx5_vnet.h"
+ #include "mlx5_vdpa_ifc.h"
+ #include "mlx5_vdpa.h"
+@@ -1839,11 +1840,16 @@ static int mlx5_vdpa_set_map(struct vdpa
+ static void mlx5_vdpa_free(struct vdpa_device *vdev)
+ {
+       struct mlx5_vdpa_dev *mvdev = to_mvdev(vdev);
++      struct mlx5_core_dev *pfmdev;
+       struct mlx5_vdpa_net *ndev;
+       ndev = to_mlx5_vdpa_ndev(mvdev);
+       free_resources(ndev);
++      if (!is_zero_ether_addr(ndev->config.mac)) {
++              pfmdev = pci_get_drvdata(pci_physfn(mvdev->mdev->pdev));
++              mlx5_mpfs_del_mac(pfmdev, ndev->config.mac);
++      }
+       mlx5_vdpa_free_resources(&ndev->mvdev);
+       mutex_destroy(&ndev->reslock);
+ }
+@@ -1962,6 +1968,7 @@ static void init_mvqs(struct mlx5_vdpa_n
+ void *mlx5_vdpa_add_dev(struct mlx5_core_dev *mdev)
+ {
+       struct virtio_net_config *config;
++      struct mlx5_core_dev *pfmdev;
+       struct mlx5_vdpa_dev *mvdev;
+       struct mlx5_vdpa_net *ndev;
+       u32 max_vqs;
+@@ -1990,10 +1997,17 @@ void *mlx5_vdpa_add_dev(struct mlx5_core
+       if (err)
+               goto err_mtu;
++      if (!is_zero_ether_addr(config->mac)) {
++              pfmdev = pci_get_drvdata(pci_physfn(mdev->pdev));
++              err = mlx5_mpfs_add_mac(pfmdev, config->mac);
++              if (err)
++                      goto err_mtu;
++      }
++
+       mvdev->vdev.dma_dev = mdev->device;
+       err = mlx5_vdpa_alloc_resources(&ndev->mvdev);
+       if (err)
+-              goto err_mtu;
++              goto err_mpfs;
+       err = alloc_resources(ndev);
+       if (err)
+@@ -2009,6 +2023,9 @@ err_reg:
+       free_resources(ndev);
+ err_res:
+       mlx5_vdpa_free_resources(&ndev->mvdev);
++err_mpfs:
++      if (!is_zero_ether_addr(config->mac))
++              mlx5_mpfs_del_mac(pfmdev, config->mac);
+ err_mtu:
+       mutex_destroy(&ndev->reslock);
+       put_device(&mvdev->vdev.dev);
+--- /dev/null
++++ b/include/linux/mlx5/mpfs.h
+@@ -0,0 +1,18 @@
++/* SPDX-License-Identifier: GPL-2.0 OR Linux-OpenIB
++ * Copyright (c) 2021 Mellanox Technologies Ltd.
++ */
++
++#ifndef _MLX5_MPFS_
++#define _MLX5_MPFS_
++
++struct mlx5_core_dev;
++
++#ifdef CONFIG_MLX5_MPFS
++int  mlx5_mpfs_add_mac(struct mlx5_core_dev *dev, u8 *mac);
++int  mlx5_mpfs_del_mac(struct mlx5_core_dev *dev, u8 *mac);
++#else /* #ifndef CONFIG_MLX5_MPFS */
++static inline int  mlx5_mpfs_add_mac(struct mlx5_core_dev *dev, u8 *mac) { return 0; }
++static inline int  mlx5_mpfs_del_mac(struct mlx5_core_dev *dev, u8 *mac) { return 0; }
++#endif
++
++#endif
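Review bot: In `mlx5_vdpa_add_dev()` and `mlx5_vdpa_free()`, `pfmdev = pci_get_drvdata(pci_physfn(...))` is passed to `mlx5_mpfs_add_mac()` / `mlx5_mpfs_del_mac()` without a NULL check. `pci_get_drvdata()` returns NULL when no driver data is set on the physical function, and this patch does not show whether the mpfs helpers tolerate a NULL `dev`, so this may be a NULL dereference if the PF is not bound to the core driver. A guard such as `if (!pfmdev) { err = -ENODEV; goto err_mtu; }` in the add path, and skipping the delete when `pfmdev` is NULL, would make the assumption explicit. Separately, with `CONFIG_MLX5_MPFS` disabled the stubs in `include/linux/mlx5/mpfs.h` return 0, so the vdpa driver proceeds as if the MAC had been programmed; a comment on the stubs saying so would help.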
diff --git a/queue-5.10/nfs-don-t-corrupt-the-value-of-pg_bytes_written-in-nfs_do_recoalesce.patch b/queue-5.10/nfs-don-t-corrupt-the-value-of-pg_bytes_written-in-nfs_do_recoalesce.patch
new file mode 100644 (file)
index 0000000..d49d5ef
--- /dev/null
@@ -0,0 +1,52 @@
+From 0d0ea309357dea0d85a82815f02157eb7fcda39f Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Tue, 25 May 2021 10:40:12 -0400
+Subject: NFS: Don't corrupt the value of pg_bytes_written in nfs_do_recoalesce()
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit 0d0ea309357dea0d85a82815f02157eb7fcda39f upstream.
+
+The value of mirror->pg_bytes_written should only be updated after a
+successful attempt to flush out the requests on the list.
+
+Fixes: a7d42ddb3099 ("nfs: add mirroring support to pgio layer")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/pagelist.c |   12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+--- a/fs/nfs/pagelist.c
++++ b/fs/nfs/pagelist.c
+@@ -1128,17 +1128,16 @@ static void nfs_pageio_doio(struct nfs_p
+ {
+       struct nfs_pgio_mirror *mirror = nfs_pgio_current_mirror(desc);
+-
+       if (!list_empty(&mirror->pg_list)) {
+               int error = desc->pg_ops->pg_doio(desc);
+               if (error < 0)
+                       desc->pg_error = error;
+-              else
++              if (list_empty(&mirror->pg_list)) {
+                       mirror->pg_bytes_written += mirror->pg_count;
+-      }
+-      if (list_empty(&mirror->pg_list)) {
+-              mirror->pg_count = 0;
+-              mirror->pg_base = 0;
++                      mirror->pg_count = 0;
++                      mirror->pg_base = 0;
++                      mirror->pg_recoalesce = 0;
++              }
+       }
+ }
+@@ -1228,7 +1227,6 @@ static int nfs_do_recoalesce(struct nfs_
+       do {
+               list_splice_init(&mirror->pg_list, &head);
+-              mirror->pg_bytes_written -= mirror->pg_count;
+               mirror->pg_count = 0;
+               mirror->pg_base = 0;
+               mirror->pg_recoalesce = 0;
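Review bot: In `nfs_pageio_doio()` the `else` is gone, so `mirror->pg_bytes_written += mirror->pg_count` now runs whenever `pg_list` is empty after `pg_doio()`, including when `error < 0`. The description says the counter should only move after a successful flush, so the code treats an empty list, not the return value, as the success signal. If `pg_doio()` can drain the list and still fail, the counter advances on an error. If it cannot, a comment such as `/* pg_list is only empty here when every request was handed off */` would record the invariant the new check relies on.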
diff --git a/queue-5.10/nfs-fix-an-incorrect-limit-in-filelayout_decode_layout.patch b/queue-5.10/nfs-fix-an-incorrect-limit-in-filelayout_decode_layout.patch
new file mode 100644 (file)
index 0000000..05fc89e
--- /dev/null
@@ -0,0 +1,34 @@
+From 769b01ea68b6c49dc3cde6adf7e53927dacbd3a8 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 11 May 2021 11:49:42 +0300
+Subject: NFS: fix an incorrect limit in filelayout_decode_layout()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 769b01ea68b6c49dc3cde6adf7e53927dacbd3a8 upstream.
+
+The "sizeof(struct nfs_fh)" is two bytes too large and could lead to
+memory corruption.  It should be NFS_MAXFHSIZE because that's the size
+of the ->data[] buffer.
+
+I reversed the size of the arguments to put the variable on the left.
+
+Fixes: 16b374ca439f ("NFSv4.1: pnfs: filelayout: add driver's LAYOUTGET and GETDEVICEINFO infrastructure")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/filelayout/filelayout.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/filelayout/filelayout.c
++++ b/fs/nfs/filelayout/filelayout.c
+@@ -718,7 +718,7 @@ filelayout_decode_layout(struct pnfs_lay
+               if (unlikely(!p))
+                       goto out_err;
+               fl->fh_array[i]->size = be32_to_cpup(p++);
+-              if (sizeof(struct nfs_fh) < fl->fh_array[i]->size) {
++              if (fl->fh_array[i]->size > NFS_MAXFHSIZE) {
+                       printk(KERN_ERR "NFS: Too big fh %d received %d\n",
+                              i, fl->fh_array[i]->size);
+                       goto out_err;
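Review bot: The new bound is applied to `fl->fh_array[i]->size` only after the 32-bit wire value from `be32_to_cpup(p++)` has been stored in it. If `size` is a 16-bit field, which the "two bytes too large" in the description suggests, an oversized length received from the server is truncated before the comparison and may pass the check as a small value. Validating the raw value first avoids that: read it into a local `u32 len = be32_to_cpup(p++);`, reject `len > NFS_MAXFHSIZE`, then assign `fl->fh_array[i]->size = len;`. The `printk` also formats the size with `%d` although it is presumably unsigned, so `%u` would match. The loop body continues outside the hunk.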
diff --git a/queue-5.10/nfs-fix-an-oopsable-condition-in-__nfs_pageio_add_request.patch b/queue-5.10/nfs-fix-an-oopsable-condition-in-__nfs_pageio_add_request.patch
new file mode 100644 (file)
index 0000000..045152e
--- /dev/null
@@ -0,0 +1,45 @@
+From 56517ab958b7c11030e626250c00b9b1a24b41eb Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Tue, 25 May 2021 10:23:05 -0400
+Subject: NFS: Fix an Oopsable condition in __nfs_pageio_add_request()
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit 56517ab958b7c11030e626250c00b9b1a24b41eb upstream.
+
+Ensure that nfs_pageio_error_cleanup() resets the mirror array contents,
+so that the structure reflects the fact that it is now empty.
+Also change the test in nfs_pageio_do_add_request() to be more robust by
+checking whether or not the list is empty rather than relying on the
+value of pg_count.
+
+Fixes: a7d42ddb3099 ("nfs: add mirroring support to pgio layer")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/pagelist.c |    9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/fs/nfs/pagelist.c
++++ b/fs/nfs/pagelist.c
+@@ -1094,15 +1094,16 @@ nfs_pageio_do_add_request(struct nfs_pag
+       struct nfs_page *prev = NULL;
+       unsigned int size;
+-      if (mirror->pg_count != 0) {
+-              prev = nfs_list_entry(mirror->pg_list.prev);
+-      } else {
++      if (list_empty(&mirror->pg_list)) {
+               if (desc->pg_ops->pg_init)
+                       desc->pg_ops->pg_init(desc, req);
+               if (desc->pg_error < 0)
+                       return 0;
+               mirror->pg_base = req->wb_pgbase;
+-      }
++              mirror->pg_count = 0;
++              mirror->pg_recoalesce = 0;
++      } else
++              prev = nfs_list_entry(mirror->pg_list.prev);
+       if (desc->pg_maxretrans && req->wb_nio > desc->pg_maxretrans) {
+               if (NFS_SERVER(desc->pg_inode)->flags & NFS_MOUNT_SOFTERR)
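Review bot: The description says `nfs_pageio_error_cleanup()` is changed to reset the mirror array contents, but the only hunk in this patch is in `nfs_pageio_do_add_request()`, which matches the diffstat of 5 insertions and 4 deletions. Either that cleanup is already covered in the 5.10 tree or it was left out of the backport, and the patch does not say which. A bracketed backport note in the description explaining why that part is absent would let a reader confirm the Oops fix is complete on this branch. As a style point, the new `} else` leaves the `else` branch unbraced while the `if` branch is braced; kernel style braces both.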
diff --git a/queue-5.10/nfsv4-fix-v4.0-v4.1-seek_data-return-enotsupp-when-set-nfs_v4_2-config.patch b/queue-5.10/nfsv4-fix-v4.0-v4.1-seek_data-return-enotsupp-when-set-nfs_v4_2-config.patch
new file mode 100644 (file)
index 0000000..2949ed0
--- /dev/null
@@ -0,0 +1,36 @@
+From e67afa7ee4a59584d7253e45d7f63b9528819a13 Mon Sep 17 00:00:00 2001
+From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+Date: Tue, 25 May 2021 23:32:35 -0400
+Subject: NFSv4: Fix v4.0/v4.1 SEEK_DATA return -ENOTSUPP when set NFS_V4_2 config
+
+From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+
+commit e67afa7ee4a59584d7253e45d7f63b9528819a13 upstream.
+
+Since commit bdcc2cd14e4e ("NFSv4.2: handle NFS-specific llseek errors"),
+nfs42_proc_llseek would return -EOPNOTSUPP rather than -ENOTSUPP when
+SEEK_DATA on NFSv4.0/v4.1.
+
+This will lead xfstests generic/285 not run on NFSv4.0/v4.1 when set the
+CONFIG_NFS_V4_2, rather than run failed.
+
+Fixes: bdcc2cd14e4e ("NFSv4.2: handle NFS-specific llseek errors")
+Cc: <stable.vger.kernel.org> # 4.2
+Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/nfs4file.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/nfs4file.c
++++ b/fs/nfs/nfs4file.c
+@@ -211,7 +211,7 @@ static loff_t nfs4_file_llseek(struct fi
+       case SEEK_HOLE:
+       case SEEK_DATA:
+               ret = nfs42_proc_llseek(filep, offset, whence);
+-              if (ret != -ENOTSUPP)
++              if (ret != -EOPNOTSUPP)
+                       return ret;
+               fallthrough;
+       default:
diff --git a/queue-5.10/revert-net-tipc-fix-a-double-free-in-tipc_sk_mcast_rcv.patch b/queue-5.10/revert-net-tipc-fix-a-double-free-in-tipc_sk_mcast_rcv.patch
new file mode 100644 (file)
index 0000000..a3ea98a
--- /dev/null
@@ -0,0 +1,36 @@
+From 75016891357a628d2b8acc09e2b9b2576c18d318 Mon Sep 17 00:00:00 2001
+From: Hoang Le <hoang.h.le@dektech.com.au>
+Date: Fri, 14 May 2021 08:23:03 +0700
+Subject: Revert "net:tipc: Fix a double free in tipc_sk_mcast_rcv"
+
+From: Hoang Le <hoang.h.le@dektech.com.au>
+
+commit 75016891357a628d2b8acc09e2b9b2576c18d318 upstream.
+
+This reverts commit 6bf24dc0cc0cc43b29ba344b66d78590e687e046.
+Above fix is not correct and caused memory leak issue.
+
+Fixes: 6bf24dc0cc0c ("net:tipc: Fix a double free in tipc_sk_mcast_rcv")
+Acked-by: Jon Maloy <jmaloy@redhat.com>
+Acked-by: Tung Nguyen <tung.q.nguyen@dektech.com.au>
+Signed-off-by: Hoang Le <hoang.h.le@dektech.com.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/socket.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -1244,7 +1244,10 @@ void tipc_sk_mcast_rcv(struct net *net,
+               spin_lock_bh(&inputq->lock);
+               if (skb_peek(arrvq) == skb) {
+                       skb_queue_splice_tail_init(&tmpq, inputq);
+-                      __skb_dequeue(arrvq);
++                      /* Decrease the skb's refcnt as increasing in the
++                       * function tipc_skb_peek
++                       */
++                      kfree_skb(__skb_dequeue(arrvq));
+               }
+               spin_unlock_bh(&inputq->lock);
+               __skb_queue_purge(&tmpq);
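Review bot: The restored `kfree_skb(__skb_dequeue(arrvq))` in `tipc_sk_mcast_rcv()` is justified only by a comment that is hard to parse, and the description does not explain why the double free claimed by the reverted commit cannot occur. Since this line has now been changed twice, the comment should name the reference being dropped, e.g. `/* Drop the reference taken by tipc_skb_peek() when skb was picked from arrvq */`. Where that reference is taken is outside the hunk, so the wording needs confirming against the caller's peek.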
index 3afe00afd7178e24395d93625c56018c00edec79..d05db1bbfea028755fa06a211987f025af467193 100644 (file)
@@ -87,3 +87,24 @@ usb-dwc3-gadget-properly-track-pending-and-queued-sg.patch
 usb-gadget-udc-renesas_usb3-fix-a-race-in-usb3_start_pipen.patch
 usb-typec-mux-fix-matching-with-typec_altmode_desc.patch
 net-usb-fix-memory-leak-in-smsc75xx_bind.patch
+bluetooth-cmtp-fix-file-refcount-when-cmtp_attach_device-fails.patch
+fs-nfs-use-fatal_signal_pending-instead-of-signal_pending.patch
+nfs-fix-an-incorrect-limit-in-filelayout_decode_layout.patch
+nfs-fix-an-oopsable-condition-in-__nfs_pageio_add_request.patch
+nfs-don-t-corrupt-the-value-of-pg_bytes_written-in-nfs_do_recoalesce.patch
+nfsv4-fix-v4.0-v4.1-seek_data-return-enotsupp-when-set-nfs_v4_2-config.patch
+drm-meson-fix-shutdown-crash-when-component-not-probed.patch
+net-mlx5e-reset-xps-on-error-flow-if-netdev-isn-t-registered-yet.patch
+net-mlx5e-fix-multipath-lag-activation.patch
+net-mlx5e-fix-error-path-of-updating-netdev-queues.patch
+net-vdpa-mlx5-configure-interface-mac-into-mpfs-l2-table.patch
+net-mlx5e-fix-nullptr-in-add_vlan_push_action.patch
+net-mlx5-set-reformat-action-when-needed-for-termination-rules.patch
+net-mlx5e-fix-null-deref-accessing-lag-dev.patch
+net-mlx4-fix-eeprom-dump-support.patch
+net-mlx5-set-term-table-as-an-unmanaged-flow-table.patch
+sunrpc-in-case-of-backlog-hand-free-slots-directly-to-waiting-task.patch
+revert-net-tipc-fix-a-double-free-in-tipc_sk_mcast_rcv.patch
+tipc-wait-and-exit-until-all-work-queues-are-done.patch
+tipc-skb_linearize-the-head-skb-when-reassembling-msgs.patch
+spi-spi-fsl-dspi-fix-a-resource-leak-in-an-error-handling-path.patch
diff --git a/queue-5.10/spi-spi-fsl-dspi-fix-a-resource-leak-in-an-error-handling-path.patch b/queue-5.10/spi-spi-fsl-dspi-fix-a-resource-leak-in-an-error-handling-path.patch
new file mode 100644 (file)
index 0000000..3a9a9ee
--- /dev/null
@@ -0,0 +1,40 @@
+From 680ec0549a055eb464dce6ffb4bfb736ef87236e Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Sun, 9 May 2021 21:12:27 +0200
+Subject: spi: spi-fsl-dspi: Fix a resource leak in an error handling path
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+commit 680ec0549a055eb464dce6ffb4bfb736ef87236e upstream.
+
+'dspi_request_dma()' should be undone by a 'dspi_release_dma()' call in the
+error handling path of the probe function, as already done in the remove
+function
+
+Fixes: 90ba37033cb9 ("spi: spi-fsl-dspi: Add DMA support for Vybrid")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
+Link: https://lore.kernel.org/r/d51caaac747277a1099ba8dea07acd85435b857e.1620587472.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-fsl-dspi.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-fsl-dspi.c
++++ b/drivers/spi/spi-fsl-dspi.c
+@@ -1375,11 +1375,13 @@ poll_mode:
+       ret = spi_register_controller(ctlr);
+       if (ret != 0) {
+               dev_err(&pdev->dev, "Problem registering DSPI ctlr\n");
+-              goto out_free_irq;
++              goto out_release_dma;
+       }
+       return ret;
++out_release_dma:
++      dspi_release_dma(dspi);
+ out_free_irq:
+       if (dspi->irq)
+               free_irq(dspi->irq, dspi);
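Review bot: `out_release_dma:` calls `dspi_release_dma(dspi)` unconditionally, yet the failing `spi_register_controller()` sits after the `poll_mode:` label, so this path is presumably also reached when `dspi_request_dma()` was never called. The description cites the remove function as precedent, which suggests the helper copes with that case, but this is not visible here. A comment on the label, e.g. `/* no-op unless dspi_request_dma() succeeded */`, or an explicit guard on the transfer mode, would make the error path self-explanatory. The probe function starts and ends outside the hunk.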
diff --git a/queue-5.10/sunrpc-in-case-of-backlog-hand-free-slots-directly-to-waiting-task.patch b/queue-5.10/sunrpc-in-case-of-backlog-hand-free-slots-directly-to-waiting-task.patch
new file mode 100644 (file)
index 0000000..d3912d0
--- /dev/null
@@ -0,0 +1,182 @@
+From e877a88d1f069edced4160792f42c2a8e2dba942 Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.de>
+Date: Mon, 17 May 2021 09:59:10 +1000
+Subject: SUNRPC in case of backlog, hand free slots directly to waiting task
+
+From: NeilBrown <neilb@suse.de>
+
+commit e877a88d1f069edced4160792f42c2a8e2dba942 upstream.
+
+If sunrpc.tcp_max_slot_table_entries is small and there are tasks
+on the backlog queue, then when a request completes it is freed and the
+first task on the queue is woken.  The expectation is that it will wake
+and claim that request.  However if it was a sync task and the waiting
+process was killed at just that moment, it will wake and NOT claim the
+request.
+
+As long as TASK_CONGESTED remains set, requests can only be claimed by
+tasks woken from the backlog, and they are woken only as requests are
+freed, so when a task doesn't claim a request, no other task can ever
+get that request until TASK_CONGESTED is cleared.  Each time this
+happens the number of available requests is decreased by one.
+
+With a sufficiently high workload and sufficiently low setting of
+max_slot (16 in the case where this was seen), TASK_CONGESTED can remain
+set for an extended period, and the above scenario (of a process being
+killed just as its task was woken) can repeat until no requests can be
+allocated.  Then traffic stops.
+
+This patch addresses the problem by introducing a positive handover of a
+request from a completing task to a backlog task - the request is never
+freed when there is a backlog.
+
+When a task is woken it might not already have a request attached in
+which case it is *not* freed (as with current code) but is initialised
+(if needed) and used.  If it isn't used it will eventually be freed by
+rpc_exit_task().  xprt_release() is enhanced to be able to correctly
+release an uninitialised request.
+
+Fixes: ba60eb25ff6b ("SUNRPC: Fix a livelock problem in the xprt->backlog queue")
+Signed-off-by: NeilBrown <neilb@suse.de>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sunrpc/clnt.c |    7 -----
+ net/sunrpc/xprt.c |   68 +++++++++++++++++++++++++++++++++++++-----------------
+ 2 files changed, 47 insertions(+), 28 deletions(-)
+
+--- a/net/sunrpc/clnt.c
++++ b/net/sunrpc/clnt.c
+@@ -1680,13 +1680,6 @@ call_reserveresult(struct rpc_task *task
+               return;
+       }
+-      /*
+-       * Even though there was an error, we may have acquired
+-       * a request slot somehow.  Make sure not to leak it.
+-       */
+-      if (task->tk_rqstp)
+-              xprt_release(task);
+-
+       switch (status) {
+       case -ENOMEM:
+               rpc_delay(task, HZ >> 2);
+--- a/net/sunrpc/xprt.c
++++ b/net/sunrpc/xprt.c
+@@ -70,6 +70,7 @@
+ static void    xprt_init(struct rpc_xprt *xprt, struct net *net);
+ static __be32 xprt_alloc_xid(struct rpc_xprt *xprt);
+ static void    xprt_destroy(struct rpc_xprt *xprt);
++static void    xprt_request_init(struct rpc_task *task);
+ static DEFINE_SPINLOCK(xprt_list_lock);
+ static LIST_HEAD(xprt_list);
+@@ -1580,10 +1581,26 @@ static void xprt_add_backlog(struct rpc_
+       rpc_sleep_on(&xprt->backlog, task, NULL);
+ }
+-static void xprt_wake_up_backlog(struct rpc_xprt *xprt)
++static bool __xprt_set_rq(struct rpc_task *task, void *data)
+ {
+-      if (rpc_wake_up_next(&xprt->backlog) == NULL)
++      struct rpc_rqst *req = data;
++
++      if (task->tk_rqstp == NULL) {
++              memset(req, 0, sizeof(*req));   /* mark unused */
++              task->tk_status = -EAGAIN;
++              task->tk_rqstp = req;
++              return true;
++      }
++      return false;
++}
++
++static bool xprt_wake_up_backlog(struct rpc_xprt *xprt, struct rpc_rqst *req)
++{
++      if (rpc_wake_up_first(&xprt->backlog, __xprt_set_rq, req) == NULL) {
+               clear_bit(XPRT_CONGESTED, &xprt->state);
++              return false;
++      }
++      return true;
+ }
+ static bool xprt_throttle_congested(struct rpc_xprt *xprt, struct rpc_task *task)
+@@ -1671,11 +1688,11 @@ EXPORT_SYMBOL_GPL(xprt_alloc_slot);
+ void xprt_free_slot(struct rpc_xprt *xprt, struct rpc_rqst *req)
+ {
+       spin_lock(&xprt->reserve_lock);
+-      if (!xprt_dynamic_free_slot(xprt, req)) {
++      if (!xprt_wake_up_backlog(xprt, req) &&
++          !xprt_dynamic_free_slot(xprt, req)) {
+               memset(req, 0, sizeof(*req));   /* mark unused */
+               list_add(&req->rq_list, &xprt->free);
+       }
+-      xprt_wake_up_backlog(xprt);
+       spin_unlock(&xprt->reserve_lock);
+ }
+ EXPORT_SYMBOL_GPL(xprt_free_slot);
+@@ -1763,6 +1780,10 @@ xprt_request_init(struct rpc_task *task)
+       struct rpc_xprt *xprt = task->tk_xprt;
+       struct rpc_rqst *req = task->tk_rqstp;
++      if (req->rq_task)
++              /* Already initialized */
++              return;
++
+       req->rq_task    = task;
+       req->rq_xprt    = xprt;
+       req->rq_buffer  = NULL;
+@@ -1823,8 +1844,10 @@ void xprt_retry_reserve(struct rpc_task
+       struct rpc_xprt *xprt = task->tk_xprt;
+       task->tk_status = 0;
+-      if (task->tk_rqstp != NULL)
++      if (task->tk_rqstp != NULL) {
++              xprt_request_init(task);
+               return;
++      }
+       task->tk_status = -EAGAIN;
+       xprt_do_reserve(xprt, task);
+@@ -1849,23 +1872,26 @@ void xprt_release(struct rpc_task *task)
+       }
+       xprt = req->rq_xprt;
+-      xprt_request_dequeue_xprt(task);
+-      spin_lock(&xprt->transport_lock);
+-      xprt->ops->release_xprt(xprt, task);
+-      if (xprt->ops->release_request)
+-              xprt->ops->release_request(task);
+-      xprt_schedule_autodisconnect(xprt);
+-      spin_unlock(&xprt->transport_lock);
+-      if (req->rq_buffer)
+-              xprt->ops->buf_free(task);
+-      xdr_free_bvec(&req->rq_rcv_buf);
+-      xdr_free_bvec(&req->rq_snd_buf);
+-      if (req->rq_cred != NULL)
+-              put_rpccred(req->rq_cred);
+-      task->tk_rqstp = NULL;
+-      if (req->rq_release_snd_buf)
+-              req->rq_release_snd_buf(req);
++      if (xprt) {
++              xprt_request_dequeue_xprt(task);
++              spin_lock(&xprt->transport_lock);
++              xprt->ops->release_xprt(xprt, task);
++              if (xprt->ops->release_request)
++                      xprt->ops->release_request(task);
++              xprt_schedule_autodisconnect(xprt);
++              spin_unlock(&xprt->transport_lock);
++              if (req->rq_buffer)
++                      xprt->ops->buf_free(task);
++              xdr_free_bvec(&req->rq_rcv_buf);
++              xdr_free_bvec(&req->rq_snd_buf);
++              if (req->rq_cred != NULL)
++                      put_rpccred(req->rq_cred);
++              if (req->rq_release_snd_buf)
++                      req->rq_release_snd_buf(req);
++      } else
++              xprt = task->tk_xprt;
++      task->tk_rqstp = NULL;
+       if (likely(!bc_prealloc(req)))
+               xprt->ops->free_slot(xprt, req);
+       else
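Review bot: The hand-over of a slot to a backlog task is implemented only inside `xprt_free_slot()`, while `xprt_release()` frees through `xprt->ops->free_slot(xprt, req)`. A transport that installs its own `free_slot` would not reach the new `xprt_wake_up_backlog(xprt, req)`, which is `static` and so cannot be called from it. Combined with the removal of the `xprt_release()` call in `call_reserveresult()`, slot accounting for such transports deserves a check. No such transport is visible in this patch, so this is a question for the backport rather than a confirmed defect. Also, an unused slot is detected via `req->rq_task` in `xprt_request_init()` but via `req->rq_xprt` in `xprt_release()`; a comment next to the `memset` in `__xprt_set_rq()` saying that both fields being zero mark an uninitialised request would tie the three places together.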
diff --git a/queue-5.10/tipc-skb_linearize-the-head-skb-when-reassembling-msgs.patch b/queue-5.10/tipc-skb_linearize-the-head-skb-when-reassembling-msgs.patch
new file mode 100644 (file)
index 0000000..e5d7964
--- /dev/null
@@ -0,0 +1,95 @@
+From b7df21cf1b79ab7026f545e7bf837bd5750ac026 Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sat, 8 May 2021 03:57:03 +0800
+Subject: tipc: skb_linearize the head skb when reassembling msgs
+
+From: Xin Long <lucien.xin@gmail.com>
+
+commit b7df21cf1b79ab7026f545e7bf837bd5750ac026 upstream.
+
+It's not a good idea to append the frag skb to a skb's frag_list if
+the frag_list already has skbs from elsewhere, such as this skb was
+created by pskb_copy() where the frag_list was cloned (all the skbs
+in it were skb_get'ed) and shared by multiple skbs.
+
+However, the new appended frag skb should have been only seen by the
+current skb. Otherwise, it will cause use after free crashes as this
+appended frag skb are seen by multiple skbs but it only got skb_get
+called once.
+
+The same thing happens with a skb updated by pskb_may_pull() with a
+skb_cloned skb. Li Shuang has reported quite a few crashes caused
+by this when doing testing over macvlan devices:
+
+  [] kernel BUG at net/core/skbuff.c:1970!
+  [] Call Trace:
+  []  skb_clone+0x4d/0xb0
+  []  macvlan_broadcast+0xd8/0x160 [macvlan]
+  []  macvlan_process_broadcast+0x148/0x150 [macvlan]
+  []  process_one_work+0x1a7/0x360
+  []  worker_thread+0x30/0x390
+
+  [] kernel BUG at mm/usercopy.c:102!
+  [] Call Trace:
+  []  __check_heap_object+0xd3/0x100
+  []  __check_object_size+0xff/0x16b
+  []  simple_copy_to_iter+0x1c/0x30
+  []  __skb_datagram_iter+0x7d/0x310
+  []  __skb_datagram_iter+0x2a5/0x310
+  []  skb_copy_datagram_iter+0x3b/0x90
+  []  tipc_recvmsg+0x14a/0x3a0 [tipc]
+  []  ____sys_recvmsg+0x91/0x150
+  []  ___sys_recvmsg+0x7b/0xc0
+
+  [] kernel BUG at mm/slub.c:305!
+  [] Call Trace:
+  []  <IRQ>
+  []  kmem_cache_free+0x3ff/0x400
+  []  __netif_receive_skb_core+0x12c/0xc40
+  []  ? kmem_cache_alloc+0x12e/0x270
+  []  netif_receive_skb_internal+0x3d/0xb0
+  []  ? get_rx_page_info+0x8e/0xa0 [be2net]
+  []  be_poll+0x6ef/0xd00 [be2net]
+  []  ? irq_exit+0x4f/0x100
+  []  net_rx_action+0x149/0x3b0
+
+  ...
+
+This patch is to fix it by linearizing the head skb if it has frag_list
+set in tipc_buf_append(). Note that we choose to do this before calling
+skb_unshare(), as __skb_linearize() will avoid skb_copy(). Also, we can
+not just drop the frag_list either as the early time.
+
+Fixes: 45c8b7b175ce ("tipc: allow non-linear first fragment buffer")
+Reported-by: Li Shuang <shuali@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/msg.c |    9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+--- a/net/tipc/msg.c
++++ b/net/tipc/msg.c
+@@ -151,18 +151,13 @@ int tipc_buf_append(struct sk_buff **hea
+               if (unlikely(head))
+                       goto err;
+               *buf = NULL;
++              if (skb_has_frag_list(frag) && __skb_linearize(frag))
++                      goto err;
+               frag = skb_unshare(frag, GFP_ATOMIC);
+               if (unlikely(!frag))
+                       goto err;
+               head = *headbuf = frag;
+               TIPC_SKB_CB(head)->tail = NULL;
+-              if (skb_is_nonlinear(head)) {
+-                      skb_walk_frags(head, tail) {
+-                              TIPC_SKB_CB(head)->tail = tail;
+-                      }
+-              } else {
+-                      skb_frag_list_init(head);
+-              }
+               return 0;
+       }
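Review bot: The ordering of `__skb_linearize(frag)` before `skb_unshare(frag, GFP_ATOMIC)` in `tipc_buf_append()` is deliberate according to the description, but the code carries no comment and the two calls look freely reorderable. I would add above the new check something like `/* Linearize before unsharing: a frag_list shared with other skbs must never be appended to */`. With the `skb_walk_frags()` block removed, `TIPC_SKB_CB(head)->tail` is always NULL for a first fragment, which presumably holds only because the head no longer has a frag_list at that point; the comment could state that as well. The function continues outside the hunk.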
diff --git a/queue-5.10/tipc-wait-and-exit-until-all-work-queues-are-done.patch b/queue-5.10/tipc-wait-and-exit-until-all-work-queues-are-done.patch
new file mode 100644 (file)
index 0000000..570f6f3
--- /dev/null
@@ -0,0 +1,88 @@
+From 04c26faa51d1e2fe71cf13c45791f5174c37f986 Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 17 May 2021 02:28:58 +0800
+Subject: tipc: wait and exit until all work queues are done
+
+From: Xin Long <lucien.xin@gmail.com>
+
+commit 04c26faa51d1e2fe71cf13c45791f5174c37f986 upstream.
+
+On some host, a crash could be triggered simply by repeating these
+commands several times:
+
+  # modprobe tipc
+  # tipc bearer enable media udp name UDP1 localip 127.0.0.1
+  # rmmod tipc
+
+  [] BUG: unable to handle kernel paging request at ffffffffc096bb00
+  [] Workqueue: events 0xffffffffc096bb00
+  [] Call Trace:
+  []  ? process_one_work+0x1a7/0x360
+  []  ? worker_thread+0x30/0x390
+  []  ? create_worker+0x1a0/0x1a0
+  []  ? kthread+0x116/0x130
+  []  ? kthread_flush_work_fn+0x10/0x10
+  []  ? ret_from_fork+0x35/0x40
+
+When removing the TIPC module, the UDP tunnel sock will be delayed to
+release in a work queue as sock_release() can't be done in rtnl_lock().
+If the work queue is schedule to run after the TIPC module is removed,
+kernel will crash as the work queue function cleanup_beareri() code no
+longer exists when trying to invoke it.
+
+To fix it, this patch introduce a member wq_count in tipc_net to track
+the numbers of work queues in schedule, and  wait and exit until all
+work queues are done in tipc_exit_net().
+
+Fixes: d0f91938bede ("tipc: add ip/udp media type")
+Reported-by: Shuang Li <shuali@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/core.c      |    2 ++
+ net/tipc/core.h      |    2 ++
+ net/tipc/udp_media.c |    2 ++
+ 3 files changed, 6 insertions(+)
+
+--- a/net/tipc/core.c
++++ b/net/tipc/core.c
+@@ -121,6 +121,8 @@ static void __net_exit tipc_exit_net(str
+ #ifdef CONFIG_TIPC_CRYPTO
+       tipc_crypto_stop(&tipc_net(net)->crypto_tx);
+ #endif
++      while (atomic_read(&tn->wq_count))
++              cond_resched();
+ }
+ static void __net_exit tipc_pernet_pre_exit(struct net *net)
+--- a/net/tipc/core.h
++++ b/net/tipc/core.h
+@@ -151,6 +151,8 @@ struct tipc_net {
+ #endif
+       /* Work item for net finalize */
+       struct tipc_net_work final_work;
++      /* The numbers of work queues in schedule */
++      atomic_t wq_count;
+ };
+ static inline struct tipc_net *tipc_net(struct net *net)
+--- a/net/tipc/udp_media.c
++++ b/net/tipc/udp_media.c
+@@ -806,6 +806,7 @@ static void cleanup_bearer(struct work_s
+               kfree_rcu(rcast, rcu);
+       }
++      atomic_dec(&tipc_net(sock_net(ub->ubsock->sk))->wq_count);
+       dst_cache_destroy(&ub->rcast.dst_cache);
+       udp_tunnel_sock_release(ub->ubsock);
+       synchronize_net();
+@@ -826,6 +827,7 @@ static void tipc_udp_disable(struct tipc
+       RCU_INIT_POINTER(ub->bearer, NULL);
+       /* sock_release need to be done outside of rtnl lock */
++      atomic_inc(&tipc_net(sock_net(ub->ubsock->sk))->wq_count);
+       INIT_WORK(&ub->work, cleanup_bearer);
+       schedule_work(&ub->work);
+ }
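Review bot: In the cleanup_bearer() hunk of net/tipc/udp_media.c the `atomic_dec()` on wq_count runs before `dst_cache_destroy()`, `udp_tunnel_sock_release()` and `synchronize_net()`, so the polling loop added to tipc_exit_net() can see the counter reach zero while the work function is still executing. Module unload can then proceed while cleanup_bearer() is mid-body, which leaves a narrower version of the same "work item runs code that no longer exists" crash the patch describes. I would read the per-net pointer once while the socket is still valid, `struct tipc_net *tn = tipc_net(sock_net(ub->ubsock->sk));`, and make `atomic_dec(&tn->wq_count);` the final statement of the function, since `ub->ubsock->sk` cannot be dereferenced after the release call. The end of cleanup_bearer() is outside the hunk, so whatever follows `synchronize_net()` needs checking before the decrement is moved.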