--- /dev/null
+From 70eacf42a93aff6589a8b91279bbfe5f73c4ca3d Mon Sep 17 00:00:00 2001
+From: Joakim Zhang <qiangqing.zhang@nxp.com>
+Date: Sat, 16 Jan 2021 16:44:28 +0800
+Subject: arm64: dts: imx8m: correct assigned clocks for FEC
+
+From: Joakim Zhang <qiangqing.zhang@nxp.com>
+
+commit 70eacf42a93aff6589a8b91279bbfe5f73c4ca3d upstream.
+
+CLK_ENET_TIMER assigned clocks twice, should be a typo, correct to
+CLK_ENET_PHY_REF clock.
+
+Signed-off-by: Joakim Zhang <qiangqing.zhang@nxp.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Cc: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mm.dtsi | 7 ++++---
+ arch/arm64/boot/dts/freescale/imx8mn.dtsi | 7 ++++---
+ arch/arm64/boot/dts/freescale/imx8mp.dtsi | 7 ++++---
+ 3 files changed, 12 insertions(+), 9 deletions(-)
+
+--- a/arch/arm64/boot/dts/freescale/imx8mm.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mm.dtsi
+@@ -866,11 +866,12 @@
+ assigned-clocks = <&clk IMX8MM_CLK_ENET_AXI>,
+ <&clk IMX8MM_CLK_ENET_TIMER>,
+ <&clk IMX8MM_CLK_ENET_REF>,
+- <&clk IMX8MM_CLK_ENET_TIMER>;
++ <&clk IMX8MM_CLK_ENET_PHY_REF>;
+ assigned-clock-parents = <&clk IMX8MM_SYS_PLL1_266M>,
+ <&clk IMX8MM_SYS_PLL2_100M>,
+- <&clk IMX8MM_SYS_PLL2_125M>;
+- assigned-clock-rates = <0>, <0>, <125000000>, <100000000>;
++ <&clk IMX8MM_SYS_PLL2_125M>,
++ <&clk IMX8MM_SYS_PLL2_50M>;
++ assigned-clock-rates = <0>, <100000000>, <125000000>, <0>;
+ fsl,num-tx-queues = <3>;
+ fsl,num-rx-queues = <3>;
+ status = "disabled";
+--- a/arch/arm64/boot/dts/freescale/imx8mn.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mn.dtsi
+@@ -753,11 +753,12 @@
+ assigned-clocks = <&clk IMX8MN_CLK_ENET_AXI>,
+ <&clk IMX8MN_CLK_ENET_TIMER>,
+ <&clk IMX8MN_CLK_ENET_REF>,
+- <&clk IMX8MN_CLK_ENET_TIMER>;
++ <&clk IMX8MN_CLK_ENET_PHY_REF>;
+ assigned-clock-parents = <&clk IMX8MN_SYS_PLL1_266M>,
+ <&clk IMX8MN_SYS_PLL2_100M>,
+- <&clk IMX8MN_SYS_PLL2_125M>;
+- assigned-clock-rates = <0>, <0>, <125000000>, <100000000>;
++ <&clk IMX8MN_SYS_PLL2_125M>,
++ <&clk IMX8MN_SYS_PLL2_50M>;
++ assigned-clock-rates = <0>, <100000000>, <125000000>, <0>;
+ fsl,num-tx-queues = <3>;
+ fsl,num-rx-queues = <3>;
+ status = "disabled";
+--- a/arch/arm64/boot/dts/freescale/imx8mp.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mp.dtsi
+@@ -725,11 +725,12 @@
+ assigned-clocks = <&clk IMX8MP_CLK_ENET_AXI>,
+ <&clk IMX8MP_CLK_ENET_TIMER>,
+ <&clk IMX8MP_CLK_ENET_REF>,
+- <&clk IMX8MP_CLK_ENET_TIMER>;
++ <&clk IMX8MP_CLK_ENET_PHY_REF>;
+ assigned-clock-parents = <&clk IMX8MP_SYS_PLL1_266M>,
+ <&clk IMX8MP_SYS_PLL2_100M>,
+- <&clk IMX8MP_SYS_PLL2_125M>;
+- assigned-clock-rates = <0>, <0>, <125000000>, <100000000>;
++ <&clk IMX8MP_SYS_PLL2_125M>,
++ <&clk IMX8MP_SYS_PLL2_50M>;
++ assigned-clock-rates = <0>, <100000000>, <125000000>, <0>;
+ fsl,num-tx-queues = <3>;
+ fsl,num-rx-queues = <3>;
+ status = "disabled";
--- /dev/null
+From 798a1807ab13a38e21c6fecd8d22a513d6786e2d Mon Sep 17 00:00:00 2001
+From: Fabio Estevam <festevam@gmail.com>
+Date: Thu, 18 Mar 2021 08:13:30 -0300
+Subject: arm64: dts: imx8mp-evk: Improve the Ethernet PHY description
+
+From: Fabio Estevam <festevam@gmail.com>
+
+commit 798a1807ab13a38e21c6fecd8d22a513d6786e2d upstream.
+
+According to the datasheet RTL8211, it must be asserted low for at least
+10ms and at least 72ms "for internal circuits settling time" before
+accessing the PHY registers.
+
+Add properties to describe such requirements.
+
+Reported-by: Joakim Zhang <qiangqing.zhang@nxp.com>
+Signed-off-by: Fabio Estevam <festevam@gmail.com>
+Tested-by: Joakim Zhang <qiangqing.zhang@nxp.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Cc: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mp-evk.dts | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm64/boot/dts/freescale/imx8mp-evk.dts
++++ b/arch/arm64/boot/dts/freescale/imx8mp-evk.dts
+@@ -62,6 +62,8 @@
+ reg = <1>;
+ eee-broken-1000t;
+ reset-gpios = <&gpio4 2 GPIO_ACTIVE_LOW>;
++ reset-assert-us = <10000>;
++ reset-deassert-us = <80000>;
+ };
+ };
+ };
--- /dev/null
+From f4b3ee3c85551d2d343a3ba159304066523f730f Mon Sep 17 00:00:00 2001
+From: Paul Moore <paul@paul-moore.com>
+Date: Thu, 9 Dec 2021 11:46:07 -0500
+Subject: audit: improve robustness of the audit queue handling
+
+From: Paul Moore <paul@paul-moore.com>
+
+commit f4b3ee3c85551d2d343a3ba159304066523f730f upstream.
+
+If the audit daemon were ever to get stuck in a stopped state the
+kernel's kauditd_thread() could get blocked attempting to send audit
+records to the userspace audit daemon. With the kernel thread
+blocked it is possible that the audit queue could grow unbounded as
+certain audit record generating events must be exempt from the queue
+limits else the system enter a deadlock state.
+
+This patch resolves this problem by lowering the kernel thread's
+socket sending timeout from MAX_SCHEDULE_TIMEOUT to HZ/10 and tweaks
+the kauditd_send_queue() function to better manage the various audit
+queues when connection problems occur between the kernel and the
+audit daemon. With this patch, the backlog may temporarily grow
+beyond the defined limits when the audit daemon is stopped and the
+system is under heavy audit pressure, but kauditd_thread() will
+continue to make progress and drain the queues as it would for other
+connection problems. For example, with the audit daemon put into a
+stopped state and the system configured to audit every syscall it
+was still possible to shutdown the system without a kernel panic,
+deadlock, etc.; granted, the system was slow to shutdown but that is
+to be expected given the extreme pressure of recording every syscall.
+
+The timeout value of HZ/10 was chosen primarily through
+experimentation and this developer's "gut feeling". There is likely
+no one perfect value, but as this scenario is limited in scope (root
+privileges would be needed to send SIGSTOP to the audit daemon), it
+is likely not worth exposing this as a tunable at present. This can
+always be done at a later date if it proves necessary.
+
+Cc: stable@vger.kernel.org
+Fixes: 5b52330bbfe63 ("audit: fix auditd/kernel connection state tracking")
+Reported-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Tested-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/audit.c | 21 ++++++++++-----------
+ 1 file changed, 10 insertions(+), 11 deletions(-)
+
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -718,7 +718,7 @@ static int kauditd_send_queue(struct soc
+ {
+ int rc = 0;
+ struct sk_buff *skb;
+- static unsigned int failed = 0;
++ unsigned int failed = 0;
+
+ /* NOTE: kauditd_thread takes care of all our locking, we just use
+ * the netlink info passed to us (e.g. sk and portid) */
+@@ -735,32 +735,30 @@ static int kauditd_send_queue(struct soc
+ continue;
+ }
+
++retry:
+ /* grab an extra skb reference in case of error */
+ skb_get(skb);
+ rc = netlink_unicast(sk, skb, portid, 0);
+ if (rc < 0) {
+- /* fatal failure for our queue flush attempt? */
++ /* send failed - try a few times unless fatal error */
+ if (++failed >= retry_limit ||
+ rc == -ECONNREFUSED || rc == -EPERM) {
+- /* yes - error processing for the queue */
+ sk = NULL;
+ if (err_hook)
+ (*err_hook)(skb);
+- if (!skb_hook)
+- goto out;
+- /* keep processing with the skb_hook */
++ if (rc == -EAGAIN)
++ rc = 0;
++ /* continue to drain the queue */
+ continue;
+ } else
+- /* no - requeue to preserve ordering */
+- skb_queue_head(queue, skb);
++ goto retry;
+ } else {
+- /* it worked - drop the extra reference and continue */
++ /* skb sent - drop the extra reference and continue */
+ consume_skb(skb);
+ failed = 0;
+ }
+ }
+
+-out:
+ return (rc >= 0 ? 0 : rc);
+ }
+
+@@ -1609,7 +1607,8 @@ static int __net_init audit_net_init(str
+ audit_panic("cannot initialize netlink socket in namespace");
+ return -ENOMEM;
+ }
+- aunet->sk->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT;
++ /* limit the timeout in case auditd is blocked/stopped */
++ aunet->sk->sk_sndtimeo = HZ / 10;
+
+ return 0;
+ }
--- /dev/null
+From 3cf2b61eb06765e27fec6799292d9fb46d0b7e60 Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Wed, 15 Dec 2021 22:02:19 +0000
+Subject: bpf: Fix signed bounds propagation after mov32
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+commit 3cf2b61eb06765e27fec6799292d9fb46d0b7e60 upstream.
+
+For the case where both s32_{min,max}_value bounds are positive, the
+__reg_assign_32_into_64() directly propagates them to their 64 bit
+counterparts, otherwise it pessimises them into [0,u32_max] universe and
+tries to refine them later on by learning through the tnum as per comment
+in mentioned function. However, that does not always happen, for example,
+in mov32 operation we call zext_32_to_64(dst_reg) which invokes the
+__reg_assign_32_into_64() as is without subsequent bounds update as
+elsewhere thus no refinement based on tnum takes place.
+
+Thus, not calling into the __update_reg_bounds() / __reg_deduce_bounds() /
+__reg_bound_offset() triplet as we do, for example, in case of ALU ops via
+adjust_scalar_min_max_vals(), will lead to more pessimistic bounds when
+dumping the full register state:
+
+Before fix:
+
+ 0: (b4) w0 = -1
+ 1: R0_w=invP4294967295
+ (id=0,imm=ffffffff,
+ smin_value=4294967295,smax_value=4294967295,
+ umin_value=4294967295,umax_value=4294967295,
+ var_off=(0xffffffff; 0x0),
+ s32_min_value=-1,s32_max_value=-1,
+ u32_min_value=-1,u32_max_value=-1)
+
+ 1: (bc) w0 = w0
+ 2: R0_w=invP4294967295
+ (id=0,imm=ffffffff,
+ smin_value=0,smax_value=4294967295,
+ umin_value=4294967295,umax_value=4294967295,
+ var_off=(0xffffffff; 0x0),
+ s32_min_value=-1,s32_max_value=-1,
+ u32_min_value=-1,u32_max_value=-1)
+
+Technically, the smin_value=0 and smax_value=4294967295 bounds are not
+incorrect, but given the register is still a constant, they break assumptions
+about const scalars that smin_value == smax_value and umin_value == umax_value.
+
+After fix:
+
+ 0: (b4) w0 = -1
+ 1: R0_w=invP4294967295
+ (id=0,imm=ffffffff,
+ smin_value=4294967295,smax_value=4294967295,
+ umin_value=4294967295,umax_value=4294967295,
+ var_off=(0xffffffff; 0x0),
+ s32_min_value=-1,s32_max_value=-1,
+ u32_min_value=-1,u32_max_value=-1)
+
+ 1: (bc) w0 = w0
+ 2: R0_w=invP4294967295
+ (id=0,imm=ffffffff,
+ smin_value=4294967295,smax_value=4294967295,
+ umin_value=4294967295,umax_value=4294967295,
+ var_off=(0xffffffff; 0x0),
+ s32_min_value=-1,s32_max_value=-1,
+ u32_min_value=-1,u32_max_value=-1)
+
+Without the smin_value == smax_value and umin_value == umax_value invariant
+being intact for const scalars, it is possible to leak out kernel pointers
+from unprivileged user space if the latter is enabled. For example, when such
+registers are involved in pointer arithmtics, then adjust_ptr_min_max_vals()
+will taint the destination register into an unknown scalar, and the latter
+can be exported and stored e.g. into a BPF map value.
+
+Fixes: 3f50f132d840 ("bpf: Verifier, do explicit ALU32 bounds tracking")
+Reported-by: Kuee K1r0a <liulin063@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: John Fastabend <john.fastabend@gmail.com>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/verifier.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -7125,6 +7125,10 @@ static int check_alu_op(struct bpf_verif
+ insn->dst_reg);
+ }
+ zext_32_to_64(dst_reg);
++
++ __update_reg_bounds(dst_reg);
++ __reg_deduce_bounds(dst_reg);
++ __reg_bound_offset(dst_reg);
+ }
+ } else {
+ /* case: R = imm
--- /dev/null
+From e572ff80f05c33cd0cb4860f864f5c9c044280b6 Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Wed, 15 Dec 2021 22:28:48 +0000
+Subject: bpf: Make 32->64 bounds propagation slightly more robust
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+commit e572ff80f05c33cd0cb4860f864f5c9c044280b6 upstream.
+
+Make the bounds propagation in __reg_assign_32_into_64() slightly more
+robust and readable by aligning it similarly as we did back in the
+__reg_combine_64_into_32() counterpart. Meaning, only propagate or
+pessimize them as a smin/smax pair.
+
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: John Fastabend <john.fastabend@gmail.com>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/verifier.c | 24 +++++++++++++++---------
+ 1 file changed, 15 insertions(+), 9 deletions(-)
+
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -1249,22 +1249,28 @@ static void __reg_bound_offset(struct bp
+ reg->var_off = tnum_or(tnum_clear_subreg(var64_off), var32_off);
+ }
+
++static bool __reg32_bound_s64(s32 a)
++{
++ return a >= 0 && a <= S32_MAX;
++}
++
+ static void __reg_assign_32_into_64(struct bpf_reg_state *reg)
+ {
+ reg->umin_value = reg->u32_min_value;
+ reg->umax_value = reg->u32_max_value;
+- /* Attempt to pull 32-bit signed bounds into 64-bit bounds
+- * but must be positive otherwise set to worse case bounds
+- * and refine later from tnum.
++
++ /* Attempt to pull 32-bit signed bounds into 64-bit bounds but must
++ * be positive otherwise set to worse case bounds and refine later
++ * from tnum.
+ */
+- if (reg->s32_min_value >= 0 && reg->s32_max_value >= 0)
+- reg->smax_value = reg->s32_max_value;
+- else
+- reg->smax_value = U32_MAX;
+- if (reg->s32_min_value >= 0)
++ if (__reg32_bound_s64(reg->s32_min_value) &&
++ __reg32_bound_s64(reg->s32_max_value)) {
+ reg->smin_value = reg->s32_min_value;
+- else
++ reg->smax_value = reg->s32_max_value;
++ } else {
+ reg->smin_value = 0;
++ reg->smax_value = U32_MAX;
++ }
+ }
+
+ static void __reg_combine_32_into_64(struct bpf_reg_state *reg)
--- /dev/null
+From b1a7288dedc6caf9023f2676b4f5ed34cf0d4029 Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Wed, 15 Dec 2021 23:48:54 +0000
+Subject: bpf, selftests: Add test case trying to taint map value pointer
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+commit b1a7288dedc6caf9023f2676b4f5ed34cf0d4029 upstream.
+
+Add a test case which tries to taint map value pointer arithmetic into a
+unknown scalar with subsequent export through the map.
+
+Before fix:
+
+ # ./test_verifier 1186
+ #1186/u map access: trying to leak tained dst reg FAIL
+ Unexpected success to load!
+ verification time 24 usec
+ stack depth 8
+ processed 15 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 1
+ #1186/p map access: trying to leak tained dst reg FAIL
+ Unexpected success to load!
+ verification time 8 usec
+ stack depth 8
+ processed 15 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 1
+ Summary: 0 PASSED, 0 SKIPPED, 2 FAILED
+
+After fix:
+
+ # ./test_verifier 1186
+ #1186/u map access: trying to leak tained dst reg OK
+ #1186/p map access: trying to leak tained dst reg OK
+ Summary: 2 PASSED, 0 SKIPPED, 0 FAILED
+
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: John Fastabend <john.fastabend@gmail.com>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/bpf/verifier/value_ptr_arith.c | 23 +++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+--- a/tools/testing/selftests/bpf/verifier/value_ptr_arith.c
++++ b/tools/testing/selftests/bpf/verifier/value_ptr_arith.c
+@@ -849,6 +849,29 @@
+ .errstr_unpriv = "R0 pointer -= pointer prohibited",
+ },
+ {
++ "map access: trying to leak tained dst reg",
++ .insns = {
++ BPF_MOV64_IMM(BPF_REG_0, 0),
++ BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
++ BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
++ BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
++ BPF_LD_MAP_FD(BPF_REG_1, 0),
++ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
++ BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
++ BPF_EXIT_INSN(),
++ BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
++ BPF_MOV32_IMM(BPF_REG_1, 0xFFFFFFFF),
++ BPF_MOV32_REG(BPF_REG_1, BPF_REG_1),
++ BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
++ BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
++ BPF_MOV64_IMM(BPF_REG_0, 0),
++ BPF_EXIT_INSN(),
++ },
++ .fixup_map_array_48b = { 4 },
++ .result = REJECT,
++ .errstr = "math between map_value pointer and 4294967295 is not allowed",
++},
++{
+ "32bit pkt_ptr -= scalar",
+ .insns = {
+ BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
--- /dev/null
+From 1b8d2789dad0005fd5e7d35dab26a8e1203fb6da Mon Sep 17 00:00:00 2001
+From: Joe Thornber <ejt@redhat.com>
+Date: Wed, 24 Nov 2021 12:07:39 -0500
+Subject: dm btree remove: fix use after free in rebalance_children()
+
+From: Joe Thornber <ejt@redhat.com>
+
+commit 1b8d2789dad0005fd5e7d35dab26a8e1203fb6da upstream.
+
+Move dm_tm_unlock() after dm_tm_dec().
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Joe Thornber <ejt@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/persistent-data/dm-btree-remove.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/persistent-data/dm-btree-remove.c
++++ b/drivers/md/persistent-data/dm-btree-remove.c
+@@ -423,9 +423,9 @@ static int rebalance_children(struct sha
+
+ memcpy(n, dm_block_data(child),
+ dm_bm_block_size(dm_tm_get_bm(info->tm)));
+- dm_tm_unlock(info->tm, child);
+
+ dm_tm_dec(info->tm, dm_block_location(child));
++ dm_tm_unlock(info->tm, child);
+ return 0;
+ }
+
--- /dev/null
+From 85bf17b28f97ca2749968d8786dc423db320d9c2 Mon Sep 17 00:00:00 2001
+From: Jerome Marchand <jmarchan@redhat.com>
+Date: Fri, 10 Dec 2021 10:38:27 +0100
+Subject: recordmcount.pl: look for jgnop instruction as well as bcrl on s390
+
+From: Jerome Marchand <jmarchan@redhat.com>
+
+commit 85bf17b28f97ca2749968d8786dc423db320d9c2 upstream.
+
+On s390, recordmcount.pl is looking for "bcrl 0,<xxx>" instructions in
+the objdump -d outpout. However since binutils 2.37, objdump -d
+display "jgnop <xxx>" for the same instruction. Update the
+mcount_regex so that it accepts both.
+
+Signed-off-by: Jerome Marchand <jmarchan@redhat.com>
+Reviewed-by: Miroslav Benes <mbenes@suse.cz>
+Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20211210093827.1623286-1-jmarchan@redhat.com
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ scripts/recordmcount.pl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/scripts/recordmcount.pl
++++ b/scripts/recordmcount.pl
+@@ -252,7 +252,7 @@ if ($arch eq "x86_64") {
+
+ } elsif ($arch eq "s390" && $bits == 64) {
+ if ($cc =~ /-DCC_USING_HOTPATCH/) {
+- $mcount_regex = "^\\s*([0-9a-fA-F]+):\\s*c0 04 00 00 00 00\\s*brcl\\s*0,[0-9a-f]+ <([^\+]*)>\$";
++ $mcount_regex = "^\\s*([0-9a-fA-F]+):\\s*c0 04 00 00 00 00\\s*(bcrl\\s*0,|jgnop\\s*)[0-9a-f]+ <([^\+]*)>\$";
+ $mcount_adjust = 0;
+ } else {
+ $mcount_regex = "^\\s*([0-9a-fA-F]+):\\s*R_390_(PC|PLT)32DBL\\s+_mcount\\+0x2\$";
mac80211-send-addba-requests-using-the-tid-queue-of-the-aggregation-session.patch
mac80211-validate-extended-element-id-is-present.patch
firmware-arm_scpi-fix-string-overflow-in-scpi-genpd-driver.patch
+bpf-fix-signed-bounds-propagation-after-mov32.patch
+bpf-make-32-64-bounds-propagation-slightly-more-robust.patch
+bpf-selftests-add-test-case-trying-to-taint-map-value-pointer.patch
+virtio_ring-fix-querying-of-maximum-dma-mapping-size-for-virtio-device.patch
+vdpa-check-that-offsets-are-within-bounds.patch
+recordmcount.pl-look-for-jgnop-instruction-as-well-as-bcrl-on-s390.patch
+dm-btree-remove-fix-use-after-free-in-rebalance_children.patch
+audit-improve-robustness-of-the-audit-queue-handling.patch
+arm64-dts-imx8m-correct-assigned-clocks-for-fec.patch
+arm64-dts-imx8mp-evk-improve-the-ethernet-phy-description.patch
--- /dev/null
+From 3ed21c1451a14d139e1ceb18f2fa70865ce3195a Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 8 Dec 2021 13:33:37 +0300
+Subject: vdpa: check that offsets are within bounds
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 3ed21c1451a14d139e1ceb18f2fa70865ce3195a upstream.
+
+In this function "c->off" is a u32 and "size" is a long. On 64bit systems
+if "c->off" is greater than "size" then "size - c->off" is a negative and
+we always return -E2BIG. But on 32bit systems the subtraction is type
+promoted to a high positive u32 value and basically any "c->len" is
+accepted.
+
+Fixes: 4c8cf31885f6 ("vhost: introduce vDPA-based backend")
+Reported-by: Xie Yongji <xieyongji@bytedance.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/20211208103337.GA4047@kili
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vhost/vdpa.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/vhost/vdpa.c
++++ b/drivers/vhost/vdpa.c
+@@ -196,7 +196,7 @@ static int vhost_vdpa_config_validate(st
+ break;
+ }
+
+- if (c->len == 0)
++ if (c->len == 0 || c->off > size)
+ return -EINVAL;
+
+ if (c->len > size - c->off)
--- /dev/null
+From 817fc978b5a29b039db0418a91072b31c9aab152 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will@kernel.org>
+Date: Wed, 1 Dec 2021 11:20:18 +0000
+Subject: virtio_ring: Fix querying of maximum DMA mapping size for virtio device
+
+From: Will Deacon <will@kernel.org>
+
+commit 817fc978b5a29b039db0418a91072b31c9aab152 upstream.
+
+virtio_max_dma_size() returns the maximum DMA mapping size of the virtio
+device by querying dma_max_mapping_size() for the device when the DMA
+API is in use for the vring. Unfortunately, the device passed is
+initialised by register_virtio_device() and does not inherit the DMA
+configuration from its parent, resulting in SWIOTLB errors when bouncing
+is enabled and the default 256K mapping limit (IO_TLB_SEGSIZE) is not
+respected:
+
+ | virtio-pci 0000:00:01.0: swiotlb buffer is full (sz: 294912 bytes), total 1024 (slots), used 725 (slots)
+
+Follow the pattern used elsewhere in the virtio_ring code when calling
+into the DMA layer and pass the parent device to dma_max_mapping_size()
+instead.
+
+Cc: Marc Zyngier <maz@kernel.org>
+Cc: Quentin Perret <qperret@google.com>
+Cc: "Michael S. Tsirkin" <mst@redhat.com>
+Cc: Jason Wang <jasowang@redhat.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Link: https://lore.kernel.org/r/20211201112018.25276-1-will@kernel.org
+Acked-by: Jason Wang <jasowang@redhat.com>
+Tested-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Fixes: e6d6dd6c875e ("virtio: Introduce virtio_max_dma_size()")
+Cc: Joerg Roedel <jroedel@suse.de>
+Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Steven Price <steven.price@arm.com>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/virtio/virtio_ring.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/virtio/virtio_ring.c
++++ b/drivers/virtio/virtio_ring.c
+@@ -263,7 +263,7 @@ size_t virtio_max_dma_size(struct virtio
+ size_t max_segment_size = SIZE_MAX;
+
+ if (vring_use_dma_api(vdev))
+- max_segment_size = dma_max_mapping_size(&vdev->dev);
++ max_segment_size = dma_max_mapping_size(vdev->dev.parent);
+
+ return max_segment_size;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
