Fixes for 5.12
authorSasha Levin <sashal@kernel.org>
Sat, 26 Jun 2021 01:30:25 +0000 (21:30 -0400)
committerSasha Levin <sashal@kernel.org>
Sat, 26 Jun 2021 01:30:25 +0000 (21:30 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
50 files changed:
queue-5.12/bpf-selftests-adjust-few-selftest-outcomes-wrt-unrea.patch [new file with mode: 0644]
queue-5.12/cfg80211-call-cfg80211_leave_ocb-when-switching-away.patch [new file with mode: 0644]
queue-5.12/dmaengine-idxd-fix-missing-error-code-in-idxd_cdev_o.patch [new file with mode: 0644]
queue-5.12/dmaengine-mediatek-do-not-issue-a-new-desc-if-one-is.patch [new file with mode: 0644]
queue-5.12/dmaengine-mediatek-free-the-proper-desc-in-desc_free.patch [new file with mode: 0644]
queue-5.12/dmaengine-mediatek-use-gfp_nowait-instead-of-gfp_ato.patch [new file with mode: 0644]
queue-5.12/dmaengine-rcar-dmac-fix-pm-reference-leak-in-rcar_dm.patch [new file with mode: 0644]
queue-5.12/dmaengine-stm32-mdma-fix-pm-reference-leak-in-stm32_.patch [new file with mode: 0644]
queue-5.12/dmaengine-xilinx-dpdma-add-missing-dependencies-to-k.patch [new file with mode: 0644]
queue-5.12/dmaengine-xilinx-dpdma-limit-descriptor-ids-to-16-bi.patch [new file with mode: 0644]
queue-5.12/dmaengine-zynqmp_dma-fix-pm-reference-leak-in-zynqmp.patch [new file with mode: 0644]
queue-5.12/drm-kmb-fix-error-return-code-in-kmb_hw_init.patch [new file with mode: 0644]
queue-5.12/drm-vc4-hdmi-make-sure-the-controller-is-powered-in-.patch [new file with mode: 0644]
queue-5.12/drm-vc4-hdmi-move-the-hsm-clock-enable-to-runtime_pm.patch [new file with mode: 0644]
queue-5.12/inet-annotate-data-race-in-inet_send_prepare-and-ine.patch [new file with mode: 0644]
queue-5.12/inet-annotate-date-races-around-sk-sk_txhash.patch [new file with mode: 0644]
queue-5.12/kvm-selftests-fix-kvm_check_cap-assertion.patch [new file with mode: 0644]
queue-5.12/locking-lockdep-improve-noinstr-vs-errors.patch [new file with mode: 0644]
queue-5.12/mac80211-drop-multicast-fragments.patch [new file with mode: 0644]
queue-5.12/mac80211-handle-various-extensible-elements-correctl.patch [new file with mode: 0644]
queue-5.12/mac80211-remove-warning-in-ieee80211_get_sband.patch [new file with mode: 0644]
queue-5.12/mac80211-reset-profile_periodicity-ema_ap.patch [new file with mode: 0644]
queue-5.12/mac80211_hwsim-drop-pending-frames-on-stop.patch [new file with mode: 0644]
queue-5.12/net-annotate-data-race-in-sock_error.patch [new file with mode: 0644]
queue-5.12/net-caif-fix-memory-leak-in-ldisc_open.patch [new file with mode: 0644]
queue-5.12/net-ethtool-clear-heap-allocations-for-ethtool-funct.patch [new file with mode: 0644]
queue-5.12/net-ipv4-remove-unneed-bug-function.patch [new file with mode: 0644]
queue-5.12/net-ll_temac-add-memory-barriers-for-tx-bd-access.patch [new file with mode: 0644]
queue-5.12/net-ll_temac-avoid-ndo_start_xmit-returning-netdev_t.patch [new file with mode: 0644]
queue-5.12/net-packet-annotate-accesses-to-po-bind.patch [new file with mode: 0644]
queue-5.12/net-packet-annotate-accesses-to-po-ifindex.patch [new file with mode: 0644]
queue-5.12/net-packet-annotate-data-race-in-packet_sendmsg.patch [new file with mode: 0644]
queue-5.12/net-phy-dp83867-perform-soft-reset-and-retain-establ.patch [new file with mode: 0644]
queue-5.12/net-qed-fix-memcpy-overflow-of-qed_dcbx_params.patch [new file with mode: 0644]
queue-5.12/pci-add-amd-rs690-quirk-to-enable-64-bit-dma.patch [new file with mode: 0644]
queue-5.12/perf-x86-intel-lbr-zero-the-xstate-buffer-on-allocat.patch [new file with mode: 0644]
queue-5.12/perf-x86-lbr-remove-cpuc-lbr_xsave-allocation-from-a.patch [new file with mode: 0644]
queue-5.12/perf-x86-track-pmu-in-per-cpu-cpu_hw_events.patch [new file with mode: 0644]
queue-5.12/ping-check-return-value-of-function-ping_queue_rcv_s.patch [new file with mode: 0644]
queue-5.12/qmi_wwan-do-not-call-netif_rx-from-rx_fixup.patch [new file with mode: 0644]
queue-5.12/r8152-avoid-memcpy-over-reading-of-eth_ss_stats.patch [new file with mode: 0644]
queue-5.12/r8169-avoid-memcpy-over-reading-of-eth_ss_stats.patch [new file with mode: 0644]
queue-5.12/recordmcount-correct-st_shndx-handling.patch [new file with mode: 0644]
queue-5.12/riscv-dts-fu740-fix-cache-controller-interrupts.patch [new file with mode: 0644]
queue-5.12/riscv32-use-medany-c-model-for-modules.patch [new file with mode: 0644]
queue-5.12/series
queue-5.12/sh_eth-avoid-memcpy-over-reading-of-eth_ss_stats.patch [new file with mode: 0644]
queue-5.12/x86-entry-fix-noinstr-fail-in-__do_fast_syscall_32.patch [new file with mode: 0644]
queue-5.12/x86-xen-fix-noinstr-fail-in-exc_xen_unknown_trap.patch [new file with mode: 0644]
queue-5.12/x86-xen-fix-noinstr-fail-in-xen_pv_evtchn_do_upcall.patch [new file with mode: 0644]

diff --git a/queue-5.12/bpf-selftests-adjust-few-selftest-outcomes-wrt-unrea.patch b/queue-5.12/bpf-selftests-adjust-few-selftest-outcomes-wrt-unrea.patch
new file mode 100644 (file)
index 0000000..63054c2
--- /dev/null
@@ -0,0 +1,330 @@
+From a7c52f2e0bf8b32345733cdb40603443ebc05a4a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 May 2021 12:34:24 +0000
+Subject: bpf, selftests: Adjust few selftest outcomes wrt unreachable code
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit 973377ffe8148180b2651825b92ae91988141b05 ]
+
+In almost all cases from test_verifier that have been changed in here, we've
+had an unreachable path with a load from a register which has an invalid
+address on purpose. This was basically to make sure that we never walk this
+path and to have the verifier complain if it would otherwise. Change it to
+match on the right error for unprivileged given we now test these paths
+under speculative execution.
+
+There's one case where we match on exact # of insns_processed. Due to the
+extra path, this will of course mismatch on unprivileged. Thus, restrict the
+test->insn_processed check to privileged-only.
+
+In one other case, we result in a 'pointer comparison prohibited' error. This
+is similarly due to verifying an 'invalid' branch where we end up with a value
+pointer on one side of the comparison.
+
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: John Fastabend <john.fastabend@gmail.com>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/test_verifier.c   |  2 +-
+ tools/testing/selftests/bpf/verifier/and.c    |  2 ++
+ tools/testing/selftests/bpf/verifier/bounds.c | 14 ++++++++++++
+ .../selftests/bpf/verifier/dead_code.c        |  2 ++
+ tools/testing/selftests/bpf/verifier/jmp32.c  | 22 +++++++++++++++++++
+ tools/testing/selftests/bpf/verifier/jset.c   | 10 +++++----
+ tools/testing/selftests/bpf/verifier/unpriv.c |  2 ++
+ .../selftests/bpf/verifier/value_ptr_arith.c  |  7 +++---
+ 8 files changed, 53 insertions(+), 8 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c
+index 58b5a349d3ba..ea3158b0d551 100644
+--- a/tools/testing/selftests/bpf/test_verifier.c
++++ b/tools/testing/selftests/bpf/test_verifier.c
+@@ -1147,7 +1147,7 @@ static void do_test_single(struct bpf_test *test, bool unpriv,
+               }
+       }
+-      if (test->insn_processed) {
++      if (!unpriv && test->insn_processed) {
+               uint32_t insn_processed;
+               char *proc;
+diff --git a/tools/testing/selftests/bpf/verifier/and.c b/tools/testing/selftests/bpf/verifier/and.c
+index ca8fdb1b3f01..7d7ebee5cc7a 100644
+--- a/tools/testing/selftests/bpf/verifier/and.c
++++ b/tools/testing/selftests/bpf/verifier/and.c
+@@ -61,6 +61,8 @@
+       BPF_MOV64_IMM(BPF_REG_0, 0),
+       BPF_EXIT_INSN(),
+       },
++      .errstr_unpriv = "R1 !read_ok",
++      .result_unpriv = REJECT,
+       .result = ACCEPT,
+       .retval = 0
+ },
+diff --git a/tools/testing/selftests/bpf/verifier/bounds.c b/tools/testing/selftests/bpf/verifier/bounds.c
+index 8a1caf46ffbc..e061e8799ce2 100644
+--- a/tools/testing/selftests/bpf/verifier/bounds.c
++++ b/tools/testing/selftests/bpf/verifier/bounds.c
+@@ -508,6 +508,8 @@
+       BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, -1),
+       BPF_EXIT_INSN(),
+       },
++      .errstr_unpriv = "R0 invalid mem access 'inv'",
++      .result_unpriv = REJECT,
+       .result = ACCEPT
+ },
+ {
+@@ -528,6 +530,8 @@
+       BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, -1),
+       BPF_EXIT_INSN(),
+       },
++      .errstr_unpriv = "R0 invalid mem access 'inv'",
++      .result_unpriv = REJECT,
+       .result = ACCEPT
+ },
+ {
+@@ -569,6 +573,8 @@
+       BPF_MOV64_IMM(BPF_REG_0, 0),
+       BPF_EXIT_INSN(),
+       },
++      .errstr_unpriv = "R0 min value is outside of the allowed memory range",
++      .result_unpriv = REJECT,
+       .fixup_map_hash_8b = { 3 },
+       .result = ACCEPT,
+ },
+@@ -589,6 +595,8 @@
+       BPF_MOV64_IMM(BPF_REG_0, 0),
+       BPF_EXIT_INSN(),
+       },
++      .errstr_unpriv = "R0 min value is outside of the allowed memory range",
++      .result_unpriv = REJECT,
+       .fixup_map_hash_8b = { 3 },
+       .result = ACCEPT,
+ },
+@@ -609,6 +617,8 @@
+       BPF_MOV64_IMM(BPF_REG_0, 0),
+       BPF_EXIT_INSN(),
+       },
++      .errstr_unpriv = "R0 min value is outside of the allowed memory range",
++      .result_unpriv = REJECT,
+       .fixup_map_hash_8b = { 3 },
+       .result = ACCEPT,
+ },
+@@ -674,6 +684,8 @@
+       BPF_MOV64_IMM(BPF_REG_0, 0),
+       BPF_EXIT_INSN(),
+       },
++      .errstr_unpriv = "R0 min value is outside of the allowed memory range",
++      .result_unpriv = REJECT,
+       .fixup_map_hash_8b = { 3 },
+       .result = ACCEPT,
+ },
+@@ -695,6 +707,8 @@
+       BPF_MOV64_IMM(BPF_REG_0, 0),
+       BPF_EXIT_INSN(),
+       },
++      .errstr_unpriv = "R0 min value is outside of the allowed memory range",
++      .result_unpriv = REJECT,
+       .fixup_map_hash_8b = { 3 },
+       .result = ACCEPT,
+ },
+diff --git a/tools/testing/selftests/bpf/verifier/dead_code.c b/tools/testing/selftests/bpf/verifier/dead_code.c
+index 5cf361d8eb1c..721ec9391be5 100644
+--- a/tools/testing/selftests/bpf/verifier/dead_code.c
++++ b/tools/testing/selftests/bpf/verifier/dead_code.c
+@@ -8,6 +8,8 @@
+       BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 10, -4),
+       BPF_EXIT_INSN(),
+       },
++      .errstr_unpriv = "R9 !read_ok",
++      .result_unpriv = REJECT,
+       .result = ACCEPT,
+       .retval = 7,
+ },
+diff --git a/tools/testing/selftests/bpf/verifier/jmp32.c b/tools/testing/selftests/bpf/verifier/jmp32.c
+index bd5cae4a7f73..1c857b2fbdf0 100644
+--- a/tools/testing/selftests/bpf/verifier/jmp32.c
++++ b/tools/testing/selftests/bpf/verifier/jmp32.c
+@@ -87,6 +87,8 @@
+       BPF_LDX_MEM(BPF_B, BPF_REG_8, BPF_REG_9, 0),
+       BPF_EXIT_INSN(),
+       },
++      .errstr_unpriv = "R9 !read_ok",
++      .result_unpriv = REJECT,
+       .result = ACCEPT,
+ },
+ {
+@@ -150,6 +152,8 @@
+       BPF_LDX_MEM(BPF_B, BPF_REG_8, BPF_REG_9, 0),
+       BPF_EXIT_INSN(),
+       },
++      .errstr_unpriv = "R9 !read_ok",
++      .result_unpriv = REJECT,
+       .result = ACCEPT,
+ },
+ {
+@@ -213,6 +217,8 @@
+       BPF_LDX_MEM(BPF_B, BPF_REG_8, BPF_REG_9, 0),
+       BPF_EXIT_INSN(),
+       },
++      .errstr_unpriv = "R9 !read_ok",
++      .result_unpriv = REJECT,
+       .result = ACCEPT,
+ },
+ {
+@@ -280,6 +286,8 @@
+       BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
+       BPF_EXIT_INSN(),
+       },
++      .errstr_unpriv = "R0 invalid mem access 'inv'",
++      .result_unpriv = REJECT,
+       .result = ACCEPT,
+       .retval = 2,
+ },
+@@ -348,6 +356,8 @@
+       BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
+       BPF_EXIT_INSN(),
+       },
++      .errstr_unpriv = "R0 invalid mem access 'inv'",
++      .result_unpriv = REJECT,
+       .result = ACCEPT,
+       .retval = 2,
+ },
+@@ -416,6 +426,8 @@
+       BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
+       BPF_EXIT_INSN(),
+       },
++      .errstr_unpriv = "R0 invalid mem access 'inv'",
++      .result_unpriv = REJECT,
+       .result = ACCEPT,
+       .retval = 2,
+ },
+@@ -484,6 +496,8 @@
+       BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
+       BPF_EXIT_INSN(),
+       },
++      .errstr_unpriv = "R0 invalid mem access 'inv'",
++      .result_unpriv = REJECT,
+       .result = ACCEPT,
+       .retval = 2,
+ },
+@@ -552,6 +566,8 @@
+       BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
+       BPF_EXIT_INSN(),
+       },
++      .errstr_unpriv = "R0 invalid mem access 'inv'",
++      .result_unpriv = REJECT,
+       .result = ACCEPT,
+       .retval = 2,
+ },
+@@ -620,6 +636,8 @@
+       BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
+       BPF_EXIT_INSN(),
+       },
++      .errstr_unpriv = "R0 invalid mem access 'inv'",
++      .result_unpriv = REJECT,
+       .result = ACCEPT,
+       .retval = 2,
+ },
+@@ -688,6 +706,8 @@
+       BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
+       BPF_EXIT_INSN(),
+       },
++      .errstr_unpriv = "R0 invalid mem access 'inv'",
++      .result_unpriv = REJECT,
+       .result = ACCEPT,
+       .retval = 2,
+ },
+@@ -756,6 +776,8 @@
+       BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
+       BPF_EXIT_INSN(),
+       },
++      .errstr_unpriv = "R0 invalid mem access 'inv'",
++      .result_unpriv = REJECT,
+       .result = ACCEPT,
+       .retval = 2,
+ },
+diff --git a/tools/testing/selftests/bpf/verifier/jset.c b/tools/testing/selftests/bpf/verifier/jset.c
+index 8dcd4e0383d5..11fc68da735e 100644
+--- a/tools/testing/selftests/bpf/verifier/jset.c
++++ b/tools/testing/selftests/bpf/verifier/jset.c
+@@ -82,8 +82,8 @@
+       BPF_EXIT_INSN(),
+       },
+       .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
+-      .retval_unpriv = 1,
+-      .result_unpriv = ACCEPT,
++      .errstr_unpriv = "R9 !read_ok",
++      .result_unpriv = REJECT,
+       .retval = 1,
+       .result = ACCEPT,
+ },
+@@ -141,7 +141,8 @@
+       BPF_EXIT_INSN(),
+       },
+       .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
+-      .result_unpriv = ACCEPT,
++      .errstr_unpriv = "R9 !read_ok",
++      .result_unpriv = REJECT,
+       .result = ACCEPT,
+ },
+ {
+@@ -162,6 +163,7 @@
+       BPF_EXIT_INSN(),
+       },
+       .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
+-      .result_unpriv = ACCEPT,
++      .errstr_unpriv = "R9 !read_ok",
++      .result_unpriv = REJECT,
+       .result = ACCEPT,
+ },
+diff --git a/tools/testing/selftests/bpf/verifier/unpriv.c b/tools/testing/selftests/bpf/verifier/unpriv.c
+index bd436df5cc32..111801aea5e3 100644
+--- a/tools/testing/selftests/bpf/verifier/unpriv.c
++++ b/tools/testing/selftests/bpf/verifier/unpriv.c
+@@ -420,6 +420,8 @@
+       BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
+       BPF_EXIT_INSN(),
+       },
++      .errstr_unpriv = "R7 invalid mem access 'inv'",
++      .result_unpriv = REJECT,
+       .result = ACCEPT,
+       .retval = 0,
+ },
+diff --git a/tools/testing/selftests/bpf/verifier/value_ptr_arith.c b/tools/testing/selftests/bpf/verifier/value_ptr_arith.c
+index 7ae2859d495c..a3e593ddfafc 100644
+--- a/tools/testing/selftests/bpf/verifier/value_ptr_arith.c
++++ b/tools/testing/selftests/bpf/verifier/value_ptr_arith.c
+@@ -120,7 +120,7 @@
+       .fixup_map_array_48b = { 1 },
+       .result = ACCEPT,
+       .result_unpriv = REJECT,
+-      .errstr_unpriv = "R2 tried to add from different maps, paths or scalars",
++      .errstr_unpriv = "R2 pointer comparison prohibited",
+       .retval = 0,
+ },
+ {
+@@ -159,7 +159,8 @@
+       BPF_MOV64_IMM(BPF_REG_0, 0),
+       BPF_EXIT_INSN(),
+       // fake-dead code; targeted from branch A to
+-      // prevent dead code sanitization
++      // prevent dead code sanitization, rejected
++      // via branch B however
+       BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
+       BPF_MOV64_IMM(BPF_REG_0, 0),
+       BPF_EXIT_INSN(),
+@@ -167,7 +168,7 @@
+       .fixup_map_array_48b = { 1 },
+       .result = ACCEPT,
+       .result_unpriv = REJECT,
+-      .errstr_unpriv = "R2 tried to add from different maps, paths or scalars",
++      .errstr_unpriv = "R0 invalid mem access 'inv'",
+       .retval = 0,
+ },
+ {
+-- 
+2.30.2
+
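Review bot: The new `!unpriv &&` guard in do_test_single() silently skips the insn_processed check for unprivileged runs, and nothing at the site says why. A short comment above the `if`, such as `/* unpriv also verifies speculative paths, so the processed-insn count differs */`, would keep a later reader from removing the guard as an oversight. The `.errstr_unpriv` / `.result_unpriv = REJECT` expectations added across the verifier tests presumably only hold when the verifier change that walks these paths for unprivileged loads is in the same tree, so the queue should carry both together; the series file contents are not visible in this section. do_test_single()'s body continues outside the inner hunk.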
diff --git a/queue-5.12/cfg80211-call-cfg80211_leave_ocb-when-switching-away.patch b/queue-5.12/cfg80211-call-cfg80211_leave_ocb-when-switching-away.patch
new file mode 100644 (file)
index 0000000..7a03a47
--- /dev/null
@@ -0,0 +1,62 @@
+From 5bd56516c81e70fb46d7d24e526fab68895b714c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Apr 2021 14:39:41 +0800
+Subject: cfg80211: call cfg80211_leave_ocb when switching away from OCB
+
+From: Du Cheng <ducheng2@gmail.com>
+
+[ Upstream commit a64b6a25dd9f984ed05fade603a00e2eae787d2f ]
+
+If the userland switches back-and-forth between NL80211_IFTYPE_OCB and
+NL80211_IFTYPE_ADHOC via send_msg(NL80211_CMD_SET_INTERFACE), there is a
+chance where the cleanup cfg80211_leave_ocb() is not called. This leads
+to initialization of in-use memory (e.g. init u.ibss while in-use by
+u.ocb) due to a shared struct/union within ieee80211_sub_if_data:
+
+struct ieee80211_sub_if_data {
+    ...
+    union {
+        struct ieee80211_if_ap ap;
+        struct ieee80211_if_vlan vlan;
+        struct ieee80211_if_managed mgd;
+        struct ieee80211_if_ibss ibss; // <- shares address
+        struct ieee80211_if_mesh mesh;
+        struct ieee80211_if_ocb ocb; // <- shares address
+        struct ieee80211_if_mntr mntr;
+        struct ieee80211_if_nan nan;
+    } u;
+    ...
+}
+
+Therefore add handling of otype == NL80211_IFTYPE_OCB, during
+cfg80211_change_iface() to perform cleanup when leaving OCB mode.
+
+link to syzkaller bug:
+https://syzkaller.appspot.com/bug?id=0612dbfa595bf4b9b680ff7b4948257b8e3732d5
+
+Reported-by: syzbot+105896fac213f26056f9@syzkaller.appspotmail.com
+Signed-off-by: Du Cheng <ducheng2@gmail.com>
+Link: https://lore.kernel.org/r/20210428063941.105161-1-ducheng2@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/util.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/wireless/util.c b/net/wireless/util.c
+index f342b6147675..726e7d2342bd 100644
+--- a/net/wireless/util.c
++++ b/net/wireless/util.c
+@@ -1059,6 +1059,9 @@ int cfg80211_change_iface(struct cfg80211_registered_device *rdev,
+               case NL80211_IFTYPE_MESH_POINT:
+                       /* mesh should be handled? */
+                       break;
++              case NL80211_IFTYPE_OCB:
++                      cfg80211_leave_ocb(rdev, dev);
++                      break;
+               default:
+                       break;
+               }
+-- 
+2.30.2
+
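Review bot: The added `case NL80211_IFTYPE_OCB:` closes the OCB path, but the `NL80211_IFTYPE_MESH_POINT` case directly above it still only carries `/* mesh should be handled? */` and breaks without any cleanup. The description attributes the bug to `ibss` and `ocb` sharing the `u` union in ieee80211_sub_if_data, and `mesh` sits in that same union, so the same stale-state question seems to apply there and is worth resolving or documenting. The result of `cfg80211_leave_ocb(rdev, dev)` is also not checked; if that is deliberate, a comment such as `/* best effort: the interface type changes regardless */` would say so. The switch and cfg80211_change_iface() both continue outside the hunk.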
diff --git a/queue-5.12/dmaengine-idxd-fix-missing-error-code-in-idxd_cdev_o.patch b/queue-5.12/dmaengine-idxd-fix-missing-error-code-in-idxd_cdev_o.patch
new file mode 100644 (file)
index 0000000..dbbbc20
--- /dev/null
@@ -0,0 +1,42 @@
+From 71546332846dcad43f334c0ba12e0c339c48575c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jun 2021 18:07:26 +0800
+Subject: dmaengine: idxd: Fix missing error code in idxd_cdev_open()
+
+From: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
+
+[ Upstream commit 99b18e88a1cf737ae924123d63b46d9a3d17b1af ]
+
+The error code is missing in this code scenario, add the error code
+'-EINVAL' to the return value 'rc'.
+
+Eliminate the follow smatch warning:
+
+drivers/dma/idxd/cdev.c:113 idxd_cdev_open() warn: missing error code
+'rc'.
+
+Reported-by: Abaci Robot <abaci@linux.alibaba.com>
+Signed-off-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
+Acked-by: Dave Jiang <dave.jiang@intel.com>
+Link: https://lore.kernel.org/r/1622628446-87909-1-git-send-email-jiapeng.chong@linux.alibaba.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/idxd/cdev.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/dma/idxd/cdev.c b/drivers/dma/idxd/cdev.c
+index 1d8a3876b745..5ba8e8bc609f 100644
+--- a/drivers/dma/idxd/cdev.c
++++ b/drivers/dma/idxd/cdev.c
+@@ -110,6 +110,7 @@ static int idxd_cdev_open(struct inode *inode, struct file *filp)
+               pasid = iommu_sva_get_pasid(sva);
+               if (pasid == IOMMU_PASID_INVALID) {
+                       iommu_sva_unbind_device(sva);
++                      rc = -EINVAL;
+                       goto failed;
+               }
+-- 
+2.30.2
+
diff --git a/queue-5.12/dmaengine-mediatek-do-not-issue-a-new-desc-if-one-is.patch b/queue-5.12/dmaengine-mediatek-do-not-issue-a-new-desc-if-one-is.patch
new file mode 100644 (file)
index 0000000..8a2645c
--- /dev/null
@@ -0,0 +1,80 @@
+From 2ec03dbfcd2517841c9fcfeff42fbfeb35d3836d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 May 2021 21:26:41 +0200
+Subject: dmaengine: mediatek: do not issue a new desc if one is still current
+
+From: Guillaume Ranquet <granquet@baylibre.com>
+
+[ Upstream commit 2537b40b0a4f61d2c83900744fe89b09076be9c6 ]
+
+Avoid issuing a new desc if one is still being processed as this can
+lead to some desc never being marked as completed.
+
+Signed-off-by: Guillaume Ranquet <granquet@baylibre.com>
+
+Link: https://lore.kernel.org/r/20210513192642.29446-3-granquet@baylibre.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/mediatek/mtk-uart-apdma.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/dma/mediatek/mtk-uart-apdma.c b/drivers/dma/mediatek/mtk-uart-apdma.c
+index e38b67fc0c0c..a09ab2dd3b46 100644
+--- a/drivers/dma/mediatek/mtk-uart-apdma.c
++++ b/drivers/dma/mediatek/mtk-uart-apdma.c
+@@ -204,14 +204,9 @@ static void mtk_uart_apdma_start_rx(struct mtk_chan *c)
+ static void mtk_uart_apdma_tx_handler(struct mtk_chan *c)
+ {
+-      struct mtk_uart_apdma_desc *d = c->desc;
+-
+       mtk_uart_apdma_write(c, VFF_INT_FLAG, VFF_TX_INT_CLR_B);
+       mtk_uart_apdma_write(c, VFF_INT_EN, VFF_INT_EN_CLR_B);
+       mtk_uart_apdma_write(c, VFF_EN, VFF_EN_CLR_B);
+-
+-      list_del(&d->vd.node);
+-      vchan_cookie_complete(&d->vd);
+ }
+ static void mtk_uart_apdma_rx_handler(struct mtk_chan *c)
+@@ -242,9 +237,17 @@ static void mtk_uart_apdma_rx_handler(struct mtk_chan *c)
+       c->rx_status = d->avail_len - cnt;
+       mtk_uart_apdma_write(c, VFF_RPT, wg);
++}
+-      list_del(&d->vd.node);
+-      vchan_cookie_complete(&d->vd);
++static void mtk_uart_apdma_chan_complete_handler(struct mtk_chan *c)
++{
++      struct mtk_uart_apdma_desc *d = c->desc;
++
++      if (d) {
++              list_del(&d->vd.node);
++              vchan_cookie_complete(&d->vd);
++              c->desc = NULL;
++      }
+ }
+ static irqreturn_t mtk_uart_apdma_irq_handler(int irq, void *dev_id)
+@@ -258,6 +261,7 @@ static irqreturn_t mtk_uart_apdma_irq_handler(int irq, void *dev_id)
+               mtk_uart_apdma_rx_handler(c);
+       else if (c->dir == DMA_MEM_TO_DEV)
+               mtk_uart_apdma_tx_handler(c);
++      mtk_uart_apdma_chan_complete_handler(c);
+       spin_unlock_irqrestore(&c->vc.lock, flags);
+       return IRQ_HANDLED;
+@@ -363,7 +367,7 @@ static void mtk_uart_apdma_issue_pending(struct dma_chan *chan)
+       unsigned long flags;
+       spin_lock_irqsave(&c->vc.lock, flags);
+-      if (vchan_issue_pending(&c->vc)) {
++      if (vchan_issue_pending(&c->vc) && !c->desc) {
+               vd = vchan_next_desc(&c->vc);
+               c->desc = to_mtk_uart_apdma_desc(&vd->tx);
+-- 
+2.30.2
+
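Review bot: mtk_uart_apdma_chan_complete_handler() is now called from the IRQ handler after either direction handler regardless of how that handler exited. Any early return inside mtk_uart_apdma_rx_handler() (its top is outside the hunk) would therefore still complete the current descriptor, where before completion only happened at the end of the handler. If that is intended it deserves a comment at the call site, e.g. `/* complete c->desc even if the handler bailed out early */`; if not, completion should stay conditional on the handler having finished. The new handler also clears `c->desc` without looking at the issued list, while mtk_uart_apdma_issue_pending() now refuses to start anything when `c->desc` is set. From the visible hunks a descriptor issued during a transfer waits for a later issue_pending call, and that client requirement is worth documenting next to `c->desc = NULL;`.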
diff --git a/queue-5.12/dmaengine-mediatek-free-the-proper-desc-in-desc_free.patch b/queue-5.12/dmaengine-mediatek-free-the-proper-desc-in-desc_free.patch
new file mode 100644 (file)
index 0000000..04d6d86
--- /dev/null
@@ -0,0 +1,95 @@
+From 81a92666b27db9625650b9b3599381a6ffd375aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 May 2021 21:26:40 +0200
+Subject: dmaengine: mediatek: free the proper desc in desc_free handler
+
+From: Guillaume Ranquet <granquet@baylibre.com>
+
+[ Upstream commit 0a2ff58f9f8f95526ecb0ccd7517fefceb96f661 ]
+
+The desc_free handler assumed that the desc we want to free was always
+ the current one associated with the channel.
+
+This is seldom the case and this is causing use after free crashes in
+ multiple places (tx/rx/terminate...).
+
+  BUG: KASAN: use-after-free in mtk_uart_apdma_rx_handler+0x120/0x304
+
+  Call trace:
+   dump_backtrace+0x0/0x1b0
+   show_stack+0x24/0x34
+   dump_stack+0xe0/0x150
+   print_address_description+0x8c/0x55c
+   __kasan_report+0x1b8/0x218
+   kasan_report+0x14/0x20
+   __asan_load4+0x98/0x9c
+   mtk_uart_apdma_rx_handler+0x120/0x304
+   mtk_uart_apdma_irq_handler+0x50/0x80
+   __handle_irq_event_percpu+0xe0/0x210
+   handle_irq_event+0x8c/0x184
+   handle_fasteoi_irq+0x1d8/0x3ac
+   __handle_domain_irq+0xb0/0x110
+   gic_handle_irq+0x50/0xb8
+   el0_irq_naked+0x60/0x6c
+
+  Allocated by task 3541:
+   __kasan_kmalloc+0xf0/0x1b0
+   kasan_kmalloc+0x10/0x1c
+   kmem_cache_alloc_trace+0x90/0x2dc
+   mtk_uart_apdma_prep_slave_sg+0x6c/0x1a0
+   mtk8250_dma_rx_complete+0x220/0x2e4
+   vchan_complete+0x290/0x340
+   tasklet_action_common+0x220/0x298
+   tasklet_action+0x28/0x34
+   __do_softirq+0x158/0x35c
+
+  Freed by task 3541:
+   __kasan_slab_free+0x154/0x224
+   kasan_slab_free+0x14/0x24
+   slab_free_freelist_hook+0xf8/0x15c
+   kfree+0xb4/0x278
+   mtk_uart_apdma_desc_free+0x34/0x44
+   vchan_complete+0x1bc/0x340
+   tasklet_action_common+0x220/0x298
+   tasklet_action+0x28/0x34
+   __do_softirq+0x158/0x35c
+
+  The buggy address belongs to the object at ffff000063606800
+   which belongs to the cache kmalloc-256 of size 256
+  The buggy address is located 176 bytes inside of
+   256-byte region [ffff000063606800, ffff000063606900)
+  The buggy address belongs to the page:
+  page:fffffe00016d8180 refcount:1 mapcount:0 mapping:ffff00000302f600 index:0x0 compound_mapcount: 0
+  flags: 0xffff00000010200(slab|head)
+  raw: 0ffff00000010200 dead000000000100 dead000000000122 ffff00000302f600
+  raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
+  page dumped because: kasan: bad access detected
+
+Signed-off-by: Guillaume Ranquet <granquet@baylibre.com>
+
+Link: https://lore.kernel.org/r/20210513192642.29446-2-granquet@baylibre.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/mediatek/mtk-uart-apdma.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/dma/mediatek/mtk-uart-apdma.c b/drivers/dma/mediatek/mtk-uart-apdma.c
+index 27c07350971d..e38b67fc0c0c 100644
+--- a/drivers/dma/mediatek/mtk-uart-apdma.c
++++ b/drivers/dma/mediatek/mtk-uart-apdma.c
+@@ -131,10 +131,7 @@ static unsigned int mtk_uart_apdma_read(struct mtk_chan *c, unsigned int reg)
+ static void mtk_uart_apdma_desc_free(struct virt_dma_desc *vd)
+ {
+-      struct dma_chan *chan = vd->tx.chan;
+-      struct mtk_chan *c = to_mtk_uart_apdma_chan(chan);
+-
+-      kfree(c->desc);
++      kfree(container_of(vd, struct mtk_uart_apdma_desc, vd));
+ }
+ static void mtk_uart_apdma_start_tx(struct mtk_chan *c)
+-- 
+2.30.2
+
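Review bot: Freeing `container_of(vd, struct mtk_uart_apdma_desc, vd)` fixes which object is freed, but nothing in this hunk clears `c->desc`, so when the freed descriptor is the channel's current one the pointer is left dangling. The KASAN report in the description shows mtk_uart_apdma_rx_handler() reading a descriptor already freed through mtk_uart_apdma_desc_free(), which is that pattern. The companion patch in this queue that sets `c->desc = NULL;` on completion appears to close it, so the two should be applied together and in order. A one-line comment on the function, e.g. `/* vd may not be c->desc; free the descriptor that owns vd */`, would record why the channel pointer is no longer consulted.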
diff --git a/queue-5.12/dmaengine-mediatek-use-gfp_nowait-instead-of-gfp_ato.patch b/queue-5.12/dmaengine-mediatek-use-gfp_nowait-instead-of-gfp_ato.patch
new file mode 100644 (file)
index 0000000..1d6b7db
--- /dev/null
@@ -0,0 +1,39 @@
+From 9e48686e4511832b374f879669609ae48db10573 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 May 2021 21:26:42 +0200
+Subject: dmaengine: mediatek: use GFP_NOWAIT instead of GFP_ATOMIC in prep_dma
+
+From: Guillaume Ranquet <granquet@baylibre.com>
+
+[ Upstream commit 9041575348b21ade1fb74d790f1aac85d68198c7 ]
+
+As recommended by the doc in:
+Documentation/drivers-api/dmaengine/provider.rst
+
+Use GFP_NOWAIT to not deplete the emergency pool.
+
+Signed-off-by: Guillaume Ranquet <granquet@baylibre.com>
+
+Link: https://lore.kernel.org/r/20210513192642.29446-4-granquet@baylibre.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/mediatek/mtk-uart-apdma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/dma/mediatek/mtk-uart-apdma.c b/drivers/dma/mediatek/mtk-uart-apdma.c
+index a09ab2dd3b46..375e7e647df6 100644
+--- a/drivers/dma/mediatek/mtk-uart-apdma.c
++++ b/drivers/dma/mediatek/mtk-uart-apdma.c
+@@ -349,7 +349,7 @@ static struct dma_async_tx_descriptor *mtk_uart_apdma_prep_slave_sg
+               return NULL;
+       /* Now allocate and setup the descriptor */
+-      d = kzalloc(sizeof(*d), GFP_ATOMIC);
++      d = kzalloc(sizeof(*d), GFP_NOWAIT);
+       if (!d)
+               return NULL;
+-- 
+2.30.2
+
diff --git a/queue-5.12/dmaengine-rcar-dmac-fix-pm-reference-leak-in-rcar_dm.patch b/queue-5.12/dmaengine-rcar-dmac-fix-pm-reference-leak-in-rcar_dm.patch
new file mode 100644 (file)
index 0000000..5cd3947
--- /dev/null
@@ -0,0 +1,41 @@
+From 12cb300119b988398bf75812e3cc39ca14a0bff2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 May 2021 14:36:03 +0800
+Subject: dmaengine: rcar-dmac: Fix PM reference leak in rcar_dmac_probe()
+
+From: Zou Wei <zou_wei@huawei.com>
+
+[ Upstream commit dea8464ddf553803382efb753b6727dbf3931d06 ]
+
+pm_runtime_get_sync will increment pm usage counter even it failed.
+Forgetting to putting operation will result in reference leak here.
+Fix it by replacing it with pm_runtime_resume_and_get to keep usage
+counter balanced.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zou Wei <zou_wei@huawei.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/1622442963-54095-1-git-send-email-zou_wei@huawei.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/sh/rcar-dmac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/dma/sh/rcar-dmac.c b/drivers/dma/sh/rcar-dmac.c
+index d530c1bf11d9..6885b3dcd7a9 100644
+--- a/drivers/dma/sh/rcar-dmac.c
++++ b/drivers/dma/sh/rcar-dmac.c
+@@ -1913,7 +1913,7 @@ static int rcar_dmac_probe(struct platform_device *pdev)
+       /* Enable runtime PM and initialize the device. */
+       pm_runtime_enable(&pdev->dev);
+-      ret = pm_runtime_get_sync(&pdev->dev);
++      ret = pm_runtime_resume_and_get(&pdev->dev);
+       if (ret < 0) {
+               dev_err(&pdev->dev, "runtime PM get sync failed (%d)\n", ret);
+               return ret;
+-- 
+2.30.2
+
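Review bot: The failure branch after `pm_runtime_resume_and_get()` returns directly, leaving runtime PM enabled by the `pm_runtime_enable(&pdev->dev)` call two lines earlier. The usage counter is now balanced, but the enable is not undone on this path; adding `pm_runtime_disable(&pdev->dev);` before `return ret;` would complete the cleanup. The log text `"runtime PM get sync failed (%d)\n"` also still names the old call. rcar_dmac_probe() continues outside the hunk, so later error paths may already handle the disable.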
diff --git a/queue-5.12/dmaengine-stm32-mdma-fix-pm-reference-leak-in-stm32_.patch b/queue-5.12/dmaengine-stm32-mdma-fix-pm-reference-leak-in-stm32_.patch
new file mode 100644 (file)
index 0000000..e768773
--- /dev/null
@@ -0,0 +1,49 @@
+From 95e3d155d26496eb6f1f7b78805f7e96a6b69955 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 May 2021 16:18:24 +0800
+Subject: dmaengine: stm32-mdma: fix PM reference leak in
+ stm32_mdma_alloc_chan_resourc()
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit 83eb4868d325b86e18509d0874e911497667cb54 ]
+
+pm_runtime_get_sync will increment pm usage counter even it failed.
+Forgetting to putting operation will result in reference leak here.
+Fix it by replacing it with pm_runtime_resume_and_get to keep usage
+counter balanced.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Link: https://lore.kernel.org/r/20210517081826.1564698-2-yukuai3@huawei.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/stm32-mdma.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/dma/stm32-mdma.c b/drivers/dma/stm32-mdma.c
+index 36ba8b43e78d..18cbd1e43c2e 100644
+--- a/drivers/dma/stm32-mdma.c
++++ b/drivers/dma/stm32-mdma.c
+@@ -1452,7 +1452,7 @@ static int stm32_mdma_alloc_chan_resources(struct dma_chan *c)
+               return -ENOMEM;
+       }
+-      ret = pm_runtime_get_sync(dmadev->ddev.dev);
++      ret = pm_runtime_resume_and_get(dmadev->ddev.dev);
+       if (ret < 0)
+               return ret;
+@@ -1718,7 +1718,7 @@ static int stm32_mdma_pm_suspend(struct device *dev)
+       u32 ccr, id;
+       int ret;
+-      ret = pm_runtime_get_sync(dev);
++      ret = pm_runtime_resume_and_get(dev);
+       if (ret < 0)
+               return ret;
+-- 
+2.30.2
+
diff --git a/queue-5.12/dmaengine-xilinx-dpdma-add-missing-dependencies-to-k.patch b/queue-5.12/dmaengine-xilinx-dpdma-add-missing-dependencies-to-k.patch
new file mode 100644 (file)
index 0000000..240a5e0
--- /dev/null
@@ -0,0 +1,39 @@
+From 17154ddfdbc7b694a5324c1abe91996f89f93a37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 May 2021 18:24:17 +0300
+Subject: dmaengine: xilinx: dpdma: Add missing dependencies to Kconfig
+
+From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+
+[ Upstream commit 32828b82fb875b06511918b139d3a3cd93d34262 ]
+
+The driver depends on both OF and IOMEM support, express those
+dependencies in Kconfig. This fixes a build failure on S390 reported by
+the 0day bot.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Tested-by: Jianqiang Chen <jianqiang.chen@xilinx.com>
+Reviewed-by: Jianqiang Chen <jianqiang.chen@xilinx.com>
+Link: https://lore.kernel.org/r/20210520152420.23986-2-laurent.pinchart@ideasonboard.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/dma/Kconfig b/drivers/dma/Kconfig
+index 03b1b0334947..c42b17b76640 100644
+--- a/drivers/dma/Kconfig
++++ b/drivers/dma/Kconfig
+@@ -690,6 +690,7 @@ config XILINX_ZYNQMP_DMA
+ config XILINX_ZYNQMP_DPDMA
+       tristate "Xilinx DPDMA Engine"
++      depends on HAS_IOMEM && OF
+       select DMA_ENGINE
+       select DMA_VIRTUAL_CHANNELS
+       help
+-- 
+2.30.2
+
diff --git a/queue-5.12/dmaengine-xilinx-dpdma-limit-descriptor-ids-to-16-bi.patch b/queue-5.12/dmaengine-xilinx-dpdma-limit-descriptor-ids-to-16-bi.patch
new file mode 100644 (file)
index 0000000..06b2aaf
--- /dev/null
@@ -0,0 +1,60 @@
+From 0fb2b339201c5e544d8c728ea73f65bdcf1e1cb6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 May 2021 18:24:20 +0300
+Subject: dmaengine: xilinx: dpdma: Limit descriptor IDs to 16 bits
+
+From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+
+[ Upstream commit 9f007e7b6643799e2a6538a5fe04f51c371c6657 ]
+
+While the descriptor ID is stored in a 32-bit field in the hardware
+descriptor, only 16 bits are used by the hardware and are reported
+through the XILINX_DPDMA_CH_DESC_ID register. Failure to handle the
+wrap-around results in a descriptor ID mismatch after 65536 frames. Fix
+it.
+
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Tested-by: Jianqiang Chen <jianqiang.chen@xilinx.com>
+Reviewed-by: Jianqiang Chen <jianqiang.chen@xilinx.com>
+Link: https://lore.kernel.org/r/20210520152420.23986-5-laurent.pinchart@ideasonboard.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/xilinx/xilinx_dpdma.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/dma/xilinx/xilinx_dpdma.c b/drivers/dma/xilinx/xilinx_dpdma.c
+index ff7dfb3fdeb4..6c709803203a 100644
+--- a/drivers/dma/xilinx/xilinx_dpdma.c
++++ b/drivers/dma/xilinx/xilinx_dpdma.c
+@@ -113,6 +113,7 @@
+ #define XILINX_DPDMA_CH_VDO                           0x020
+ #define XILINX_DPDMA_CH_PYLD_SZ                               0x024
+ #define XILINX_DPDMA_CH_DESC_ID                               0x028
++#define XILINX_DPDMA_CH_DESC_ID_MASK                  GENMASK(15, 0)
+ /* DPDMA descriptor fields */
+ #define XILINX_DPDMA_DESC_CONTROL_PREEMBLE            0xa5
+@@ -866,7 +867,8 @@ static void xilinx_dpdma_chan_queue_transfer(struct xilinx_dpdma_chan *chan)
+        * will be used, but it should be enough.
+        */
+       list_for_each_entry(sw_desc, &desc->descriptors, node)
+-              sw_desc->hw.desc_id = desc->vdesc.tx.cookie;
++              sw_desc->hw.desc_id = desc->vdesc.tx.cookie
++                                  & XILINX_DPDMA_CH_DESC_ID_MASK;
+       sw_desc = list_first_entry(&desc->descriptors,
+                                  struct xilinx_dpdma_sw_desc, node);
+@@ -1086,7 +1088,8 @@ static void xilinx_dpdma_chan_vsync_irq(struct  xilinx_dpdma_chan *chan)
+       if (!chan->running || !pending)
+               goto out;
+-      desc_id = dpdma_read(chan->reg, XILINX_DPDMA_CH_DESC_ID);
++      desc_id = dpdma_read(chan->reg, XILINX_DPDMA_CH_DESC_ID)
++              & XILINX_DPDMA_CH_DESC_ID_MASK;
+       /* If the retrigger raced with vsync, retry at the next frame. */
+       sw_desc = list_first_entry(&pending->descriptors,
+-- 
+2.30.2
+
diff --git a/queue-5.12/dmaengine-zynqmp_dma-fix-pm-reference-leak-in-zynqmp.patch b/queue-5.12/dmaengine-zynqmp_dma-fix-pm-reference-leak-in-zynqmp.patch
new file mode 100644 (file)
index 0000000..999d871
--- /dev/null
@@ -0,0 +1,40 @@
+From 758d23caf0165bfaefd781e7e0977cfa994ed6db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 May 2021 16:18:26 +0800
+Subject: dmaengine: zynqmp_dma: Fix PM reference leak in
+ zynqmp_dma_alloc_chan_resourc()
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit 8982d48af36d2562c0f904736b0fc80efc9f2532 ]
+
+pm_runtime_get_sync will increment pm usage counter even it failed.
+Forgetting to putting operation will result in reference leak here.
+Fix it by replacing it with pm_runtime_resume_and_get to keep usage
+counter balanced.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Link: https://lore.kernel.org/r/20210517081826.1564698-4-yukuai3@huawei.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/xilinx/zynqmp_dma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/dma/xilinx/zynqmp_dma.c b/drivers/dma/xilinx/zynqmp_dma.c
+index d8419565b92c..5fecf5aa6e85 100644
+--- a/drivers/dma/xilinx/zynqmp_dma.c
++++ b/drivers/dma/xilinx/zynqmp_dma.c
+@@ -468,7 +468,7 @@ static int zynqmp_dma_alloc_chan_resources(struct dma_chan *dchan)
+       struct zynqmp_dma_desc_sw *desc;
+       int i, ret;
+-      ret = pm_runtime_get_sync(chan->dev);
++      ret = pm_runtime_resume_and_get(chan->dev);
+       if (ret < 0)
+               return ret;
+-- 
+2.30.2
+
diff --git a/queue-5.12/drm-kmb-fix-error-return-code-in-kmb_hw_init.patch b/queue-5.12/drm-kmb-fix-error-return-code-in-kmb_hw_init.patch
new file mode 100644 (file)
index 0000000..a7511ed
--- /dev/null
@@ -0,0 +1,39 @@
+From fca9f5687ed65382cc3bf95ed1a1b60e2875db17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 May 2021 21:46:38 +0800
+Subject: drm/kmb: Fix error return code in kmb_hw_init()
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit 6fd8f323b3e4e5290d02174559308669507c00dd ]
+
+When the call to platform_get_irq() to obtain the IRQ of the lcd fails, the
+returned error code should be propagated. However, we currently do not
+explicitly assign this error code to 'ret'. As a result, 0 was incorrectly
+returned.
+
+Fixes: 7f7b96a8a0a1 ("drm/kmb: Add support for KeemBay Display")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Signed-off-by: Anitha Chrisanthus <anitha.chrisanthus@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210513134639.6541-1-thunder.leizhen@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/kmb/kmb_drv.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/kmb/kmb_drv.c b/drivers/gpu/drm/kmb/kmb_drv.c
+index f64e06e1067d..96ea1a2c11dd 100644
+--- a/drivers/gpu/drm/kmb/kmb_drv.c
++++ b/drivers/gpu/drm/kmb/kmb_drv.c
+@@ -137,6 +137,7 @@ static int kmb_hw_init(struct drm_device *drm, unsigned long flags)
+       /* Allocate LCD interrupt resources */
+       irq_lcd = platform_get_irq(pdev, 0);
+       if (irq_lcd < 0) {
++              ret = irq_lcd;
+               drm_err(&kmb->drm, "irq_lcd not found");
+               goto setup_fail;
+       }
+-- 
+2.30.2
+
diff --git a/queue-5.12/drm-vc4-hdmi-make-sure-the-controller-is-powered-in-.patch b/queue-5.12/drm-vc4-hdmi-make-sure-the-controller-is-powered-in-.patch
new file mode 100644 (file)
index 0000000..02669e7
--- /dev/null
@@ -0,0 +1,53 @@
+From 955d4445d923c48b8cdd0263a6998f4d767dd84f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 May 2021 11:10:59 +0200
+Subject: drm/vc4: hdmi: Make sure the controller is powered in detect
+
+From: Maxime Ripard <maxime@cerno.tech>
+
+[ Upstream commit 9984d6664ce9dcbbc713962539eaf7636ea246c2 ]
+
+If the HPD GPIO is not available and drm_probe_ddc fails, we end up
+reading the HDMI_HOTPLUG register, but the controller might be powered
+off resulting in a CPU hang. Make sure we have the power domain and the
+HSM clock powered during the detect cycle to prevent the hang from
+happening.
+
+Fixes: 4f6e3d66ac52 ("drm/vc4: Add runtime PM support to the HDMI encoder driver")
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Reviewed-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210525091059.234116-4-maxime@cerno.tech
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_hdmi.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c
+index 84e218365045..8106b5634fe1 100644
+--- a/drivers/gpu/drm/vc4/vc4_hdmi.c
++++ b/drivers/gpu/drm/vc4/vc4_hdmi.c
+@@ -159,6 +159,8 @@ vc4_hdmi_connector_detect(struct drm_connector *connector, bool force)
+       struct vc4_hdmi *vc4_hdmi = connector_to_vc4_hdmi(connector);
+       bool connected = false;
++      WARN_ON(pm_runtime_resume_and_get(&vc4_hdmi->pdev->dev));
++
+       if (vc4_hdmi->hpd_gpio) {
+               if (gpio_get_value_cansleep(vc4_hdmi->hpd_gpio) ^
+                   vc4_hdmi->hpd_active_low)
+@@ -180,10 +182,12 @@ vc4_hdmi_connector_detect(struct drm_connector *connector, bool force)
+                       }
+               }
++              pm_runtime_put(&vc4_hdmi->pdev->dev);
+               return connector_status_connected;
+       }
+       cec_phys_addr_invalidate(vc4_hdmi->cec_adap);
++      pm_runtime_put(&vc4_hdmi->pdev->dev);
+       return connector_status_disconnected;
+ }
+-- 
+2.30.2
+
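Review bot: When pm_runtime_resume_and_get() fails in vc4_hdmi_connector_detect(), the `WARN_ON(...)` only logs and the function carries on as if the controller were powered. According to the commit message, that is the state in which the HDMI_HOTPLUG read hangs the CPU, so the failure path still reaches the access the patch is meant to protect. Both exit paths then call pm_runtime_put() for a reference that was already dropped on failure, which can unbalance the usage count. Returning early avoids both problems: `if (pm_runtime_resume_and_get(&vc4_hdmi->pdev->dev)) return connector_status_unknown;`. With panic_on_warn set, the WARN_ON would also turn a resume failure into a panic; the middle of the function lies between the two hunks and is not visible here.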
diff --git a/queue-5.12/drm-vc4-hdmi-move-the-hsm-clock-enable-to-runtime_pm.patch b/queue-5.12/drm-vc4-hdmi-move-the-hsm-clock-enable-to-runtime_pm.patch
new file mode 100644 (file)
index 0000000..39cb8aa
--- /dev/null
@@ -0,0 +1,120 @@
+From 41e781e1b46a43c689df872771ef5bc8e217532b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 May 2021 11:10:58 +0200
+Subject: drm/vc4: hdmi: Move the HSM clock enable to runtime_pm
+
+From: Maxime Ripard <maxime@cerno.tech>
+
+[ Upstream commit 411efa18e4b03840553ff58ad9b4621b82a30c04 ]
+
+In order to access the HDMI controller, we need to make sure the HSM
+clock is enabled. If we were to access it with the clock disabled, the
+CPU would completely hang, resulting in an hard crash.
+
+Since we have different code path that would require it, let's move that
+clock enable / disable to runtime_pm that will take care of the
+reference counting for us.
+
+Fixes: 4f6e3d66ac52 ("drm/vc4: Add runtime PM support to the HDMI encoder driver")
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Reviewed-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210525091059.234116-3-maxime@cerno.tech
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_hdmi.c | 40 +++++++++++++++++++++++++---------
+ 1 file changed, 30 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c
+index 1fda574579af..84e218365045 100644
+--- a/drivers/gpu/drm/vc4/vc4_hdmi.c
++++ b/drivers/gpu/drm/vc4/vc4_hdmi.c
+@@ -473,7 +473,6 @@ static void vc4_hdmi_encoder_post_crtc_powerdown(struct drm_encoder *encoder,
+                  HDMI_READ(HDMI_VID_CTL) & ~VC4_HD_VID_CTL_ENABLE);
+       clk_disable_unprepare(vc4_hdmi->pixel_bvb_clock);
+-      clk_disable_unprepare(vc4_hdmi->hsm_clock);
+       clk_disable_unprepare(vc4_hdmi->pixel_clock);
+       ret = pm_runtime_put(&vc4_hdmi->pdev->dev);
+@@ -784,13 +783,6 @@ static void vc4_hdmi_encoder_pre_crtc_configure(struct drm_encoder *encoder,
+               return;
+       }
+-      ret = clk_prepare_enable(vc4_hdmi->hsm_clock);
+-      if (ret) {
+-              DRM_ERROR("Failed to turn on HSM clock: %d\n", ret);
+-              clk_disable_unprepare(vc4_hdmi->pixel_clock);
+-              return;
+-      }
+-
+       vc4_hdmi_cec_update_clk_div(vc4_hdmi);
+       /*
+@@ -801,7 +793,6 @@ static void vc4_hdmi_encoder_pre_crtc_configure(struct drm_encoder *encoder,
+                              (hsm_rate > VC4_HSM_MID_CLOCK ? 150000000 : 75000000));
+       if (ret) {
+               DRM_ERROR("Failed to set pixel bvb clock rate: %d\n", ret);
+-              clk_disable_unprepare(vc4_hdmi->hsm_clock);
+               clk_disable_unprepare(vc4_hdmi->pixel_clock);
+               return;
+       }
+@@ -809,7 +800,6 @@ static void vc4_hdmi_encoder_pre_crtc_configure(struct drm_encoder *encoder,
+       ret = clk_prepare_enable(vc4_hdmi->pixel_bvb_clock);
+       if (ret) {
+               DRM_ERROR("Failed to turn on pixel bvb clock: %d\n", ret);
+-              clk_disable_unprepare(vc4_hdmi->hsm_clock);
+               clk_disable_unprepare(vc4_hdmi->pixel_clock);
+               return;
+       }
+@@ -1929,6 +1919,29 @@ static int vc5_hdmi_init_resources(struct vc4_hdmi *vc4_hdmi)
+       return 0;
+ }
++#ifdef CONFIG_PM
++static int vc4_hdmi_runtime_suspend(struct device *dev)
++{
++      struct vc4_hdmi *vc4_hdmi = dev_get_drvdata(dev);
++
++      clk_disable_unprepare(vc4_hdmi->hsm_clock);
++
++      return 0;
++}
++
++static int vc4_hdmi_runtime_resume(struct device *dev)
++{
++      struct vc4_hdmi *vc4_hdmi = dev_get_drvdata(dev);
++      int ret;
++
++      ret = clk_prepare_enable(vc4_hdmi->hsm_clock);
++      if (ret)
++              return ret;
++
++      return 0;
++}
++#endif
++
+ static int vc4_hdmi_bind(struct device *dev, struct device *master, void *data)
+ {
+       const struct vc4_hdmi_variant *variant = of_device_get_match_data(dev);
+@@ -2165,11 +2178,18 @@ static const struct of_device_id vc4_hdmi_dt_match[] = {
+       {}
+ };
++static const struct dev_pm_ops vc4_hdmi_pm_ops = {
++      SET_RUNTIME_PM_OPS(vc4_hdmi_runtime_suspend,
++                         vc4_hdmi_runtime_resume,
++                         NULL)
++};
++
+ struct platform_driver vc4_hdmi_driver = {
+       .probe = vc4_hdmi_dev_probe,
+       .remove = vc4_hdmi_dev_remove,
+       .driver = {
+               .name = "vc4_hdmi",
+               .of_match_table = vc4_hdmi_dt_match,
++              .pm = &vc4_hdmi_pm_ops,
+       },
+ };
+-- 
+2.30.2
+
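Review bot: With CONFIG_PM disabled nothing visible in this patch enables the HSM clock any more. The explicit `clk_prepare_enable(vc4_hdmi->hsm_clock)` is removed from vc4_hdmi_encoder_pre_crtc_configure(), and the callbacks that replace it sit under `#ifdef CONFIG_PM`, so on such a build the register accesses the commit message warns about would run with the clock off. Whether the driver's Kconfig entry already requires PM cannot be seen from here; if it does not, it should gain `depends on PM`, or the bind path should enable the clock when runtime PM is unavailable. As a smaller point of style, vc4_hdmi_runtime_resume() can be reduced to `return clk_prepare_enable(vc4_hdmi->hsm_clock);`.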
diff --git a/queue-5.12/inet-annotate-data-race-in-inet_send_prepare-and-ine.patch b/queue-5.12/inet-annotate-data-race-in-inet_send_prepare-and-ine.patch
new file mode 100644 (file)
index 0000000..44a27c2
--- /dev/null
@@ -0,0 +1,88 @@
+From 779a7cf2a6951fe8944f09141a7e0445c12081f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jun 2021 00:59:45 -0700
+Subject: inet: annotate data race in inet_send_prepare() and
+ inet_dgram_connect()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit dcd01eeac14486b56a790f5cce9b823440ba5b34 ]
+
+Both functions are known to be racy when reading inet_num
+as we do not want to grab locks for the common case the socket
+has been bound already. The race is resolved in inet_autobind()
+by reading again inet_num under the socket lock.
+
+syzbot reported:
+BUG: KCSAN: data-race in inet_send_prepare / udp_lib_get_port
+
+write to 0xffff88812cba150e of 2 bytes by task 24135 on cpu 0:
+ udp_lib_get_port+0x4b2/0xe20 net/ipv4/udp.c:308
+ udp_v6_get_port+0x5e/0x70 net/ipv6/udp.c:89
+ inet_autobind net/ipv4/af_inet.c:183 [inline]
+ inet_send_prepare+0xd0/0x210 net/ipv4/af_inet.c:807
+ inet6_sendmsg+0x29/0x80 net/ipv6/af_inet6.c:639
+ sock_sendmsg_nosec net/socket.c:654 [inline]
+ sock_sendmsg net/socket.c:674 [inline]
+ ____sys_sendmsg+0x360/0x4d0 net/socket.c:2350
+ ___sys_sendmsg net/socket.c:2404 [inline]
+ __sys_sendmmsg+0x315/0x4b0 net/socket.c:2490
+ __do_sys_sendmmsg net/socket.c:2519 [inline]
+ __se_sys_sendmmsg net/socket.c:2516 [inline]
+ __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2516
+ do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+read to 0xffff88812cba150e of 2 bytes by task 24132 on cpu 1:
+ inet_send_prepare+0x21/0x210 net/ipv4/af_inet.c:806
+ inet6_sendmsg+0x29/0x80 net/ipv6/af_inet6.c:639
+ sock_sendmsg_nosec net/socket.c:654 [inline]
+ sock_sendmsg net/socket.c:674 [inline]
+ ____sys_sendmsg+0x360/0x4d0 net/socket.c:2350
+ ___sys_sendmsg net/socket.c:2404 [inline]
+ __sys_sendmmsg+0x315/0x4b0 net/socket.c:2490
+ __do_sys_sendmmsg net/socket.c:2519 [inline]
+ __se_sys_sendmmsg net/socket.c:2516 [inline]
+ __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2516
+ do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+value changed: 0x0000 -> 0x9db4
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 24132 Comm: syz-executor.2 Not tainted 5.13.0-rc4-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/af_inet.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
+index 1355e6c0d567..faa7856c7fb0 100644
+--- a/net/ipv4/af_inet.c
++++ b/net/ipv4/af_inet.c
+@@ -575,7 +575,7 @@ int inet_dgram_connect(struct socket *sock, struct sockaddr *uaddr,
+                       return err;
+       }
+-      if (!inet_sk(sk)->inet_num && inet_autobind(sk))
++      if (data_race(!inet_sk(sk)->inet_num) && inet_autobind(sk))
+               return -EAGAIN;
+       return sk->sk_prot->connect(sk, uaddr, addr_len);
+ }
+@@ -803,7 +803,7 @@ int inet_send_prepare(struct sock *sk)
+       sock_rps_record_flow(sk);
+       /* We may need to bind the socket. */
+-      if (!inet_sk(sk)->inet_num && !sk->sk_prot->no_autobind &&
++      if (data_race(!inet_sk(sk)->inet_num) && !sk->sk_prot->no_autobind &&
+           inet_autobind(sk))
+               return -EAGAIN;
+-- 
+2.30.2
+
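Review bot: The data_race() added in inet_dgram_connect() carries no comment saying why the unlocked read of inet_num is acceptable, so the justification exists only in the commit message. Add a line above the test, `/* Lockless read; inet_autobind() rechecks inet_num under the socket lock. */`, and extend the existing "We may need to bind the socket." comment in inet_send_prepare() the same way. As a point of style, wrapping only the load, `!data_race(inet_sk(sk)->inet_num)`, keeps the annotation on the racy access rather than on the negated expression. Both functions begin outside their hunks.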
diff --git a/queue-5.12/inet-annotate-date-races-around-sk-sk_txhash.patch b/queue-5.12/inet-annotate-date-races-around-sk-sk_txhash.patch
new file mode 100644 (file)
index 0000000..eb005dd
--- /dev/null
@@ -0,0 +1,97 @@
+From 1299a1d3e5988c33bc1bdbbc0a2121f27f744d02 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jun 2021 07:44:11 -0700
+Subject: inet: annotate date races around sk->sk_txhash
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit b71eaed8c04f72a919a9c44e83e4ee254e69e7f3 ]
+
+UDP sendmsg() path can be lockless, it is possible for another
+thread to re-connect an change sk->sk_txhash under us.
+
+There is no serious impact, but we can use READ_ONCE()/WRITE_ONCE()
+pair to document the race.
+
+BUG: KCSAN: data-race in __ip4_datagram_connect / skb_set_owner_w
+
+write to 0xffff88813397920c of 4 bytes by task 30997 on cpu 1:
+ sk_set_txhash include/net/sock.h:1937 [inline]
+ __ip4_datagram_connect+0x69e/0x710 net/ipv4/datagram.c:75
+ __ip6_datagram_connect+0x551/0x840 net/ipv6/datagram.c:189
+ ip6_datagram_connect+0x2a/0x40 net/ipv6/datagram.c:272
+ inet_dgram_connect+0xfd/0x180 net/ipv4/af_inet.c:580
+ __sys_connect_file net/socket.c:1837 [inline]
+ __sys_connect+0x245/0x280 net/socket.c:1854
+ __do_sys_connect net/socket.c:1864 [inline]
+ __se_sys_connect net/socket.c:1861 [inline]
+ __x64_sys_connect+0x3d/0x50 net/socket.c:1861
+ do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+read to 0xffff88813397920c of 4 bytes by task 31039 on cpu 0:
+ skb_set_hash_from_sk include/net/sock.h:2211 [inline]
+ skb_set_owner_w+0x118/0x220 net/core/sock.c:2101
+ sock_alloc_send_pskb+0x452/0x4e0 net/core/sock.c:2359
+ sock_alloc_send_skb+0x2d/0x40 net/core/sock.c:2373
+ __ip6_append_data+0x1743/0x21a0 net/ipv6/ip6_output.c:1621
+ ip6_make_skb+0x258/0x420 net/ipv6/ip6_output.c:1983
+ udpv6_sendmsg+0x160a/0x16b0 net/ipv6/udp.c:1527
+ inet6_sendmsg+0x5f/0x80 net/ipv6/af_inet6.c:642
+ sock_sendmsg_nosec net/socket.c:654 [inline]
+ sock_sendmsg net/socket.c:674 [inline]
+ ____sys_sendmsg+0x360/0x4d0 net/socket.c:2350
+ ___sys_sendmsg net/socket.c:2404 [inline]
+ __sys_sendmmsg+0x315/0x4b0 net/socket.c:2490
+ __do_sys_sendmmsg net/socket.c:2519 [inline]
+ __se_sys_sendmmsg net/socket.c:2516 [inline]
+ __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2516
+ do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+value changed: 0xbca3c43d -> 0xfdb309e0
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 31039 Comm: syz-executor.2 Not tainted 5.13.0-rc3-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sock.h | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index b98c80a7c7ae..b9bdeca1d784 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -1928,7 +1928,8 @@ static inline u32 net_tx_rndhash(void)
+ static inline void sk_set_txhash(struct sock *sk)
+ {
+-      sk->sk_txhash = net_tx_rndhash();
++      /* This pairs with READ_ONCE() in skb_set_hash_from_sk() */
++      WRITE_ONCE(sk->sk_txhash, net_tx_rndhash());
+ }
+ static inline bool sk_rethink_txhash(struct sock *sk)
+@@ -2200,9 +2201,12 @@ static inline void sock_poll_wait(struct file *filp, struct socket *sock,
+ static inline void skb_set_hash_from_sk(struct sk_buff *skb, struct sock *sk)
+ {
+-      if (sk->sk_txhash) {
++      /* This pairs with WRITE_ONCE() in sk_set_txhash() */
++      u32 txhash = READ_ONCE(sk->sk_txhash);
++
++      if (txhash) {
+               skb->l4_hash = 1;
+-              skb->hash = sk->sk_txhash;
++              skb->hash = txhash;
+       }
+ }
+-- 
+2.30.2
+
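Review bot: Only sk_set_txhash() and skb_set_hash_from_sk() are paired here, and the hunks do not show whether the remaining accesses to sk->sk_txhash in sock.h are annotated. sk_rethink_txhash() appears only as the trailing context line of the first hunk, with its body outside it. If that helper, or any other one, tests or clears the field on a path that can run without the socket lock, it needs the same treatment, for example `if (READ_ONCE(sk->sk_txhash))` for a test and `WRITE_ONCE(sk->sk_txhash, 0)` for a clear. Otherwise the same KCSAN report can recur on a different pair of functions.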
diff --git a/queue-5.12/kvm-selftests-fix-kvm_check_cap-assertion.patch b/queue-5.12/kvm-selftests-fix-kvm_check_cap-assertion.patch
new file mode 100644 (file)
index 0000000..f9af1bb
--- /dev/null
@@ -0,0 +1,36 @@
+From 59ff635bb62ecef5c821f7ab21e7217a79de3791 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jun 2021 16:04:43 +0100
+Subject: KVM: selftests: Fix kvm_check_cap() assertion
+
+From: Fuad Tabba <tabba@google.com>
+
+[ Upstream commit d8ac05ea13d789d5491a5920d70a05659015441d ]
+
+KVM_CHECK_EXTENSION ioctl can return any negative value on error,
+and not necessarily -1. Change the assertion to reflect that.
+
+Signed-off-by: Fuad Tabba <tabba@google.com>
+Message-Id: <20210615150443.1183365-1-tabba@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/kvm/lib/kvm_util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/kvm/lib/kvm_util.c b/tools/testing/selftests/kvm/lib/kvm_util.c
+index 2f0e4365f61b..8b90256bca96 100644
+--- a/tools/testing/selftests/kvm/lib/kvm_util.c
++++ b/tools/testing/selftests/kvm/lib/kvm_util.c
+@@ -58,7 +58,7 @@ int kvm_check_cap(long cap)
+               exit(KSFT_SKIP);
+       ret = ioctl(kvm_fd, KVM_CHECK_EXTENSION, cap);
+-      TEST_ASSERT(ret != -1, "KVM_CHECK_EXTENSION IOCTL failed,\n"
++      TEST_ASSERT(ret >= 0, "KVM_CHECK_EXTENSION IOCTL failed,\n"
+               "  rc: %i errno: %i", ret, errno);
+       close(kvm_fd);
+-- 
+2.30.2
+
diff --git a/queue-5.12/locking-lockdep-improve-noinstr-vs-errors.patch b/queue-5.12/locking-lockdep-improve-noinstr-vs-errors.patch
new file mode 100644 (file)
index 0000000..1a40d1c
--- /dev/null
@@ -0,0 +1,89 @@
+From eb68ed122d6c4ff90d1084734af3684d700e1135 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jun 2021 13:12:38 +0200
+Subject: locking/lockdep: Improve noinstr vs errors
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit 49faa77759b211fff344898edc23bb780707fff5 ]
+
+Better handle the failure paths.
+
+  vmlinux.o: warning: objtool: debug_locks_off()+0x23: call to console_verbose() leaves .noinstr.text section
+  vmlinux.o: warning: objtool: debug_locks_off()+0x19: call to __kasan_check_write() leaves .noinstr.text section
+
+  debug_locks_off+0x19/0x40:
+  instrument_atomic_write at include/linux/instrumented.h:86
+  (inlined by) __debug_locks_off at include/linux/debug_locks.h:17
+  (inlined by) debug_locks_off at lib/debug_locks.c:41
+
+Fixes: 6eebad1ad303 ("lockdep: __always_inline more for noinstr")
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Link: https://lore.kernel.org/r/20210621120120.784404944@infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/debug_locks.h | 2 ++
+ kernel/locking/lockdep.c    | 4 +++-
+ lib/debug_locks.c           | 2 +-
+ 3 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/debug_locks.h b/include/linux/debug_locks.h
+index 2915f56ad421..edb5c186b0b7 100644
+--- a/include/linux/debug_locks.h
++++ b/include/linux/debug_locks.h
+@@ -27,8 +27,10 @@ extern int debug_locks_off(void);
+       int __ret = 0;                                                  \
+                                                                       \
+       if (!oops_in_progress && unlikely(c)) {                         \
++              instrumentation_begin();                                \
+               if (debug_locks_off() && !debug_locks_silent)           \
+                       WARN(1, "DEBUG_LOCKS_WARN_ON(%s)", #c);         \
++              instrumentation_end();                                  \
+               __ret = 1;                                              \
+       }                                                               \
+       __ret;                                                          \
+diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c
+index f39c383c7180..5bf6b1659215 100644
+--- a/kernel/locking/lockdep.c
++++ b/kernel/locking/lockdep.c
+@@ -842,7 +842,7 @@ static int count_matching_names(struct lock_class *new_class)
+ }
+ /* used from NMI context -- must be lockless */
+-static __always_inline struct lock_class *
++static noinstr struct lock_class *
+ look_up_lock_class(const struct lockdep_map *lock, unsigned int subclass)
+ {
+       struct lockdep_subclass_key *key;
+@@ -850,12 +850,14 @@ look_up_lock_class(const struct lockdep_map *lock, unsigned int subclass)
+       struct lock_class *class;
+       if (unlikely(subclass >= MAX_LOCKDEP_SUBCLASSES)) {
++              instrumentation_begin();
+               debug_locks_off();
+               printk(KERN_ERR
+                       "BUG: looking up invalid subclass: %u\n", subclass);
+               printk(KERN_ERR
+                       "turning off the locking correctness validator.\n");
+               dump_stack();
++              instrumentation_end();
+               return NULL;
+       }
+diff --git a/lib/debug_locks.c b/lib/debug_locks.c
+index 06d3135bd184..a75ee30b77cb 100644
+--- a/lib/debug_locks.c
++++ b/lib/debug_locks.c
+@@ -36,7 +36,7 @@ EXPORT_SYMBOL_GPL(debug_locks_silent);
+ /*
+  * Generic 'turn off all lock debugging' function:
+  */
+-noinstr int debug_locks_off(void)
++int debug_locks_off(void)
+ {
+       if (debug_locks && __debug_locks_off()) {
+               if (!debug_locks_silent) {
+-- 
+2.30.2
+
diff --git a/queue-5.12/mac80211-drop-multicast-fragments.patch b/queue-5.12/mac80211-drop-multicast-fragments.patch
new file mode 100644 (file)
index 0000000..4986038
--- /dev/null
@@ -0,0 +1,54 @@
+From 80721b8d4adc1f0bf02855b5957aca15063fcb5f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jun 2021 16:13:06 +0200
+Subject: mac80211: drop multicast fragments
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit a9799541ca34652d9996e45f80e8e03144c12949 ]
+
+These are not permitted by the spec, just drop them.
+
+Link: https://lore.kernel.org/r/20210609161305.23def022b750.Ibd6dd3cdce573dae262fcdc47f8ac52b883a9c50@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/rx.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
+index 59de7a86599d..cb5cbf02dbac 100644
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -2239,17 +2239,15 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
+       sc = le16_to_cpu(hdr->seq_ctrl);
+       frag = sc & IEEE80211_SCTL_FRAG;
+-      if (is_multicast_ether_addr(hdr->addr1)) {
+-              I802_DEBUG_INC(rx->local->dot11MulticastReceivedFrameCount);
+-              goto out_no_led;
+-      }
+-
+       if (rx->sta)
+               cache = &rx->sta->frags;
+       if (likely(!ieee80211_has_morefrags(fc) && frag == 0))
+               goto out;
++      if (is_multicast_ether_addr(hdr->addr1))
++              return RX_DROP_MONITOR;
++
+       I802_DEBUG_INC(rx->local->rx_handlers_fragments);
+       if (skb_linearize(rx->skb))
+@@ -2375,7 +2373,6 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
+  out:
+       ieee80211_led_rx(rx->local);
+- out_no_led:
+       if (rx->sta)
+               rx->sta->rx_stats.packets++;
+       return RX_CONTINUE;
+-- 
+2.30.2
+
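Review bot: The debug counter dot11MulticastReceivedFrameCount loses its only visible increment in ieee80211_rx_h_defragment(), and the commit message does not mention it. Unfragmented multicast frames now leave through `out` instead of the removed `out_no_led` label, so they also trigger ieee80211_led_rx(), which they skipped before. If the counter is still reported and is not incremented elsewhere, keep it ahead of the fast path with `if (is_multicast_ether_addr(hdr->addr1)) I802_DEBUG_INC(rx->local->dot11MulticastReceivedFrameCount);`. A comment on the new drop, `/* group-addressed frames must never be fragmented */`, would record why RX_DROP_MONITOR is returned. The function starts before the first hunk and the code between the two hunks is not shown.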
diff --git a/queue-5.12/mac80211-handle-various-extensible-elements-correctl.patch b/queue-5.12/mac80211-handle-various-extensible-elements-correctl.patch
new file mode 100644 (file)
index 0000000..6f442a8
--- /dev/null
@@ -0,0 +1,128 @@
+From ad246669d35daff30c2a96ebeadba7f6c56d3868 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jun 2021 13:41:45 +0300
+Subject: mac80211: handle various extensible elements correctly
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 652e8363bbc7d149fa194a5cbf30b1001c0274b0 ]
+
+Various elements are parsed with a requirement to have an
+exact size, when really we should only check that they have
+the minimum size that we need. Check only that and therefore
+ignore any additional data that they might carry.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Link: https://lore.kernel.org/r/iwlwifi.20210618133832.cd101f8040a4.Iadf0e9b37b100c6c6e79c7b298cc657c2be9151a@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/util.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/net/mac80211/util.c b/net/mac80211/util.c
+index 53755a05f73b..06342693799e 100644
+--- a/net/mac80211/util.c
++++ b/net/mac80211/util.c
+@@ -955,7 +955,7 @@ static void ieee80211_parse_extension_element(u32 *crc,
+       switch (elem->data[0]) {
+       case WLAN_EID_EXT_HE_MU_EDCA:
+-              if (len == sizeof(*elems->mu_edca_param_set)) {
++              if (len >= sizeof(*elems->mu_edca_param_set)) {
+                       elems->mu_edca_param_set = data;
+                       if (crc)
+                               *crc = crc32_be(*crc, (void *)elem,
+@@ -976,7 +976,7 @@ static void ieee80211_parse_extension_element(u32 *crc,
+               }
+               break;
+       case WLAN_EID_EXT_UORA:
+-              if (len == 1)
++              if (len >= 1)
+                       elems->uora_element = data;
+               break;
+       case WLAN_EID_EXT_MAX_CHANNEL_SWITCH_TIME:
+@@ -984,7 +984,7 @@ static void ieee80211_parse_extension_element(u32 *crc,
+                       elems->max_channel_switch_time = data;
+               break;
+       case WLAN_EID_EXT_MULTIPLE_BSSID_CONFIGURATION:
+-              if (len == sizeof(*elems->mbssid_config_ie))
++              if (len >= sizeof(*elems->mbssid_config_ie))
+                       elems->mbssid_config_ie = data;
+               break;
+       case WLAN_EID_EXT_HE_SPR:
+@@ -993,7 +993,7 @@ static void ieee80211_parse_extension_element(u32 *crc,
+                       elems->he_spr = data;
+               break;
+       case WLAN_EID_EXT_HE_6GHZ_CAPA:
+-              if (len == sizeof(*elems->he_6ghz_capa))
++              if (len >= sizeof(*elems->he_6ghz_capa))
+                       elems->he_6ghz_capa = data;
+               break;
+       }
+@@ -1082,14 +1082,14 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
+               switch (id) {
+               case WLAN_EID_LINK_ID:
+-                      if (elen + 2 != sizeof(struct ieee80211_tdls_lnkie)) {
++                      if (elen + 2 < sizeof(struct ieee80211_tdls_lnkie)) {
+                               elem_parse_failed = true;
+                               break;
+                       }
+                       elems->lnk_id = (void *)(pos - 2);
+                       break;
+               case WLAN_EID_CHAN_SWITCH_TIMING:
+-                      if (elen != sizeof(struct ieee80211_ch_switch_timing)) {
++                      if (elen < sizeof(struct ieee80211_ch_switch_timing)) {
+                               elem_parse_failed = true;
+                               break;
+                       }
+@@ -1252,7 +1252,7 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
+                       elems->sec_chan_offs = (void *)pos;
+                       break;
+               case WLAN_EID_CHAN_SWITCH_PARAM:
+-                      if (elen !=
++                      if (elen <
+                           sizeof(*elems->mesh_chansw_params_ie)) {
+                               elem_parse_failed = true;
+                               break;
+@@ -1261,7 +1261,7 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
+                       break;
+               case WLAN_EID_WIDE_BW_CHANNEL_SWITCH:
+                       if (!action ||
+-                          elen != sizeof(*elems->wide_bw_chansw_ie)) {
++                          elen < sizeof(*elems->wide_bw_chansw_ie)) {
+                               elem_parse_failed = true;
+                               break;
+                       }
+@@ -1280,7 +1280,7 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
+                       ie = cfg80211_find_ie(WLAN_EID_WIDE_BW_CHANNEL_SWITCH,
+                                             pos, elen);
+                       if (ie) {
+-                              if (ie[1] == sizeof(*elems->wide_bw_chansw_ie))
++                              if (ie[1] >= sizeof(*elems->wide_bw_chansw_ie))
+                                       elems->wide_bw_chansw_ie =
+                                               (void *)(ie + 2);
+                               else
+@@ -1324,7 +1324,7 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
+                       elems->cisco_dtpc_elem = pos;
+                       break;
+               case WLAN_EID_ADDBA_EXT:
+-                      if (elen != sizeof(struct ieee80211_addba_ext_ie)) {
++                      if (elen < sizeof(struct ieee80211_addba_ext_ie)) {
+                               elem_parse_failed = true;
+                               break;
+                       }
+@@ -1350,7 +1350,7 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
+                                                         elem, elems);
+                       break;
+               case WLAN_EID_S1G_CAPABILITIES:
+-                      if (elen == sizeof(*elems->s1g_capab))
++                      if (elen >= sizeof(*elems->s1g_capab))
+                               elems->s1g_capab = (void *)pos;
+                       else
+                               elem_parse_failed = true;
+-- 
+2.30.2
+
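Review bot: With every check in util.c relaxed from an exact match to a lower bound, the minimum-size test is now the only thing bounding later reads through the stored `elems->...` pointers, and nothing on the new side says that trailing bytes are deliberately ignored. A comment at the top of each switch, for example `/* elements may be extended: require only the minimum size we parse, ignore the rest */`, would keep a later cleanup from tightening or dropping a check. The `crc32_be()` call for WLAN_EID_EXT_HE_MU_EDCA is cut off by the hunk; if its length argument follows the element length rather than the struct size, the extra bytes now feed the CRC, which is worth confirming. The bounds are also spelled three ways (`sizeof(struct ...)`, `sizeof(*elems->...)` and a bare `1` for WLAN_EID_EXT_UORA); one form throughout would make the checks easier to audit.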
diff --git a/queue-5.12/mac80211-remove-warning-in-ieee80211_get_sband.patch b/queue-5.12/mac80211-remove-warning-in-ieee80211_get_sband.patch
new file mode 100644 (file)
index 0000000..70a1a9a
--- /dev/null
@@ -0,0 +1,39 @@
+From 2a4caf6201c9a31e32b3b3e2040a575879ea5bd3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 May 2021 16:47:17 +0200
+Subject: mac80211: remove warning in ieee80211_get_sband()
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 0ee4d55534f82a0624701d0bb9fc2304d4529086 ]
+
+Syzbot reports that it's possible to hit this from userspace,
+by trying to add a station before any other connection setup
+has been done. Instead of trying to catch this in some other
+way simply remove the warning, that will appropriately reject
+the call from userspace.
+
+Reported-by: syzbot+7716dbc401d9a437890d@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/20210517164715.f537da276d17.Id05f40ec8761d6a8cc2df87f1aa09c651988a586@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/ieee80211_i.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
+index 02e818d740f6..5ec437e8e713 100644
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -1442,7 +1442,7 @@ ieee80211_get_sband(struct ieee80211_sub_if_data *sdata)
+       rcu_read_lock();
+       chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
+-      if (WARN_ON_ONCE(!chanctx_conf)) {
++      if (!chanctx_conf) {
+               rcu_read_unlock();
+               return NULL;
+       }
+-- 
+2.30.2
+
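Review bot: The new `if (!chanctx_conf)` branch in ieee80211_get_sband() carries no explanation of why a missing channel context is an ordinary condition here, so a later change could easily reinstate the warning. Per the commit message the path is reachable from userspace by adding a station before any connection setup, which matters on systems configured to treat kernel warnings as fatal. A comment above the test such as `/* reachable from userspace (station added before any connection setup): return NULL without warning */` would record that. The NULL return is now silent, so the callers, which are outside this hunk, have to check it themselves; the function body also continues past the hunk.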
diff --git a/queue-5.12/mac80211-reset-profile_periodicity-ema_ap.patch b/queue-5.12/mac80211-reset-profile_periodicity-ema_ap.patch
new file mode 100644 (file)
index 0000000..8f852b3
--- /dev/null
@@ -0,0 +1,61 @@
+From dffee9d13446cea7679b160471d097494e76df26 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jun 2021 13:41:49 +0300
+Subject: mac80211: reset profile_periodicity/ema_ap
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit bbc6f03ff26e7b71d6135a7b78ce40e7dee3d86a ]
+
+Apparently we never clear these values, so they'll remain set
+since the setting of them is conditional. Clear the values in
+the relevant other cases.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Link: https://lore.kernel.org/r/iwlwifi.20210618133832.316e32d136a9.I2a12e51814258e1e1b526103894f4b9f19a91c8d@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mlme.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
+index 0fe91dc9817e..437d88822d8f 100644
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -4062,10 +4062,14 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
+               if (elems.mbssid_config_ie)
+                       bss_conf->profile_periodicity =
+                               elems.mbssid_config_ie->profile_periodicity;
++              else
++                      bss_conf->profile_periodicity = 0;
+               if (elems.ext_capab_len >= 11 &&
+                   (elems.ext_capab[10] & WLAN_EXT_CAPA11_EMA_SUPPORT))
+                       bss_conf->ema_ap = true;
++              else
++                      bss_conf->ema_ap = false;
+               /* continue assoc process */
+               ifmgd->assoc_data->timeout = jiffies;
+@@ -5802,12 +5806,16 @@ int ieee80211_mgd_assoc(struct ieee80211_sub_if_data *sdata,
+                                             beacon_ies->data, beacon_ies->len);
+               if (elem && elem->datalen >= 3)
+                       sdata->vif.bss_conf.profile_periodicity = elem->data[2];
++              else
++                      sdata->vif.bss_conf.profile_periodicity = 0;
+               elem = cfg80211_find_elem(WLAN_EID_EXT_CAPABILITY,
+                                         beacon_ies->data, beacon_ies->len);
+               if (elem && elem->datalen >= 11 &&
+                   (elem->data[10] & WLAN_EXT_CAPA11_EMA_SUPPORT))
+                       sdata->vif.bss_conf.ema_ap = true;
++              else
++                      sdata->vif.bss_conf.ema_ap = false;
+       } else {
+               assoc_data->timeout = jiffies;
+               assoc_data->timeout_started = true;
+-- 
+2.30.2
+
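Review bot: The four added `else` branches in mlme.c could be plain assignments, which removes the if/else shape that let these fields go stale in the first place. For the flag in ieee80211_rx_mgmt_beacon() that is `bss_conf->ema_ap = elems.ext_capab_len >= 11 && (elems.ext_capab[10] & WLAN_EXT_CAPA11_EMA_SUPPORT);`, and likewise for `sdata->vif.bss_conf.ema_ap` in ieee80211_mgd_assoc(). The same parsing now exists in both functions, so whichever form is kept should match in the two places. Both function bodies extend beyond the hunks shown.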
diff --git a/queue-5.12/mac80211_hwsim-drop-pending-frames-on-stop.patch b/queue-5.12/mac80211_hwsim-drop-pending-frames-on-stop.patch
new file mode 100644 (file)
index 0000000..32d2b70
--- /dev/null
@@ -0,0 +1,47 @@
+From 08d56e619dbfa4c98af169caa9acd43367a11826 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 May 2021 17:04:31 +0200
+Subject: mac80211_hwsim: drop pending frames on stop
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit bd18de517923903a177508fc8813f44e717b1c00 ]
+
+Syzbot reports that we may be able to get into a situation where
+mac80211 has pending ACK frames on shutdown with hwsim. It appears
+that the reason for this is that syzbot uses the wmediumd hooks to
+intercept/injection frames, and may shut down hwsim, removing the
+radio(s), while frames are pending in the air simulation.
+
+Clean out the pending queue when the interface is stopped, after
+this the frames can't be reported back to mac80211 properly anyway.
+
+Reported-by: syzbot+a063bbf0b15737362592@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/20210517170429.b0f85ab0eda1.Ie42a6ec6b940c971f3441286aeaaae2fe368e29a@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mac80211_hwsim.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
+index fa7d4c20dc13..30b39cb4056a 100644
+--- a/drivers/net/wireless/mac80211_hwsim.c
++++ b/drivers/net/wireless/mac80211_hwsim.c
+@@ -1693,8 +1693,13 @@ static int mac80211_hwsim_start(struct ieee80211_hw *hw)
+ static void mac80211_hwsim_stop(struct ieee80211_hw *hw)
+ {
+       struct mac80211_hwsim_data *data = hw->priv;
++
+       data->started = false;
+       hrtimer_cancel(&data->beacon_timer);
++
++      while (!skb_queue_empty(&data->pending))
++              ieee80211_free_txskb(hw, skb_dequeue(&data->pending));
++
+       wiphy_dbg(hw->wiphy, "%s\n", __func__);
+ }
+-- 
+2.30.2
+
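Review bot: The drain loop added to mac80211_hwsim_stop() tests `skb_queue_empty()` and then calls `skb_dequeue()` as two separate steps. If any other context can still take frames off `data->pending` (not visible in this hunk), `skb_dequeue()` may return NULL and that NULL is handed to `ieee80211_free_txskb()`. Looping on the dequeue result closes the window: declare `struct sk_buff *skb;` and use `while ((skb = skb_dequeue(&data->pending)))` with `ieee80211_free_txskb(hw, skb);` as the body. skb_queue_purge() would be shorter, but it frees with kfree_skb() and would bypass the mac80211 TX-status handling, so the explicit loop is the right shape here.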
diff --git a/queue-5.12/net-annotate-data-race-in-sock_error.patch b/queue-5.12/net-annotate-data-race-in-sock_error.patch
new file mode 100644 (file)
index 0000000..f502c80
--- /dev/null
@@ -0,0 +1,95 @@
+From 43a9954288fc64cde8371c171cc8d8ef5a0dc04e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jun 2021 07:27:37 -0700
+Subject: net: annotate data race in sock_error()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit f13ef10059ccf5f4ed201cd050176df62ec25bb8 ]
+
+sock_error() is known to be racy. The code avoids
+an atomic operation is sk_err is zero, and this field
+could be changed under us, this is fine.
+
+Sysbot reported:
+
+BUG: KCSAN: data-race in sock_alloc_send_pskb / unix_release_sock
+
+write to 0xffff888131855630 of 4 bytes by task 9365 on cpu 1:
+ unix_release_sock+0x2e9/0x6e0 net/unix/af_unix.c:550
+ unix_release+0x2f/0x50 net/unix/af_unix.c:859
+ __sock_release net/socket.c:599 [inline]
+ sock_close+0x6c/0x150 net/socket.c:1258
+ __fput+0x25b/0x4e0 fs/file_table.c:280
+ ____fput+0x11/0x20 fs/file_table.c:313
+ task_work_run+0xae/0x130 kernel/task_work.c:164
+ tracehook_notify_resume include/linux/tracehook.h:189 [inline]
+ exit_to_user_mode_loop kernel/entry/common.c:174 [inline]
+ exit_to_user_mode_prepare+0x156/0x190 kernel/entry/common.c:208
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline]
+ syscall_exit_to_user_mode+0x20/0x40 kernel/entry/common.c:301
+ do_syscall_64+0x56/0x90 arch/x86/entry/common.c:57
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+read to 0xffff888131855630 of 4 bytes by task 9385 on cpu 0:
+ sock_error include/net/sock.h:2269 [inline]
+ sock_alloc_send_pskb+0xe4/0x4e0 net/core/sock.c:2336
+ unix_dgram_sendmsg+0x478/0x1610 net/unix/af_unix.c:1671
+ unix_seqpacket_sendmsg+0xc2/0x100 net/unix/af_unix.c:2055
+ sock_sendmsg_nosec net/socket.c:654 [inline]
+ sock_sendmsg net/socket.c:674 [inline]
+ ____sys_sendmsg+0x360/0x4d0 net/socket.c:2350
+ __sys_sendmsg_sock+0x25/0x30 net/socket.c:2416
+ io_sendmsg fs/io_uring.c:4367 [inline]
+ io_issue_sqe+0x231a/0x6750 fs/io_uring.c:6135
+ __io_queue_sqe+0xe9/0x360 fs/io_uring.c:6414
+ __io_req_task_submit fs/io_uring.c:2039 [inline]
+ io_async_task_func+0x312/0x590 fs/io_uring.c:5074
+ __tctx_task_work fs/io_uring.c:1910 [inline]
+ tctx_task_work+0x1d4/0x3d0 fs/io_uring.c:1924
+ task_work_run+0xae/0x130 kernel/task_work.c:164
+ tracehook_notify_signal include/linux/tracehook.h:212 [inline]
+ handle_signal_work kernel/entry/common.c:145 [inline]
+ exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
+ exit_to_user_mode_prepare+0xf8/0x190 kernel/entry/common.c:208
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline]
+ syscall_exit_to_user_mode+0x20/0x40 kernel/entry/common.c:301
+ do_syscall_64+0x56/0x90 arch/x86/entry/common.c:57
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+value changed: 0x00000000 -> 0x00000068
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 9385 Comm: syz-executor.3 Not tainted 5.13.0-rc4-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sock.h | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index 62e3811e95a7..b98c80a7c7ae 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -2260,8 +2260,13 @@ struct sk_buff *sock_dequeue_err_skb(struct sock *sk);
+ static inline int sock_error(struct sock *sk)
+ {
+       int err;
+-      if (likely(!sk->sk_err))
++
++      /* Avoid an atomic operation for the common case.
++       * This is racy since another cpu/thread can change sk_err under us.
++       */
++      if (likely(data_race(!sk->sk_err)))
+               return 0;
++
+       err = xchg(&sk->sk_err, 0);
+       return -err;
+ }
+-- 
+2.30.2
+
diff --git a/queue-5.12/net-caif-fix-memory-leak-in-ldisc_open.patch b/queue-5.12/net-caif-fix-memory-leak-in-ldisc_open.patch
new file mode 100644 (file)
index 0000000..05f88ba
--- /dev/null
@@ -0,0 +1,53 @@
+From 0d59c91dae8f8567fcac85f4a7897497e0c1ff20 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Jun 2021 17:51:22 +0300
+Subject: net: caif: fix memory leak in ldisc_open
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit 58af3d3d54e87bfc1f936e16c04ade3369d34011 ]
+
+Syzbot reported memory leak in tty_init_dev().
+The problem was in unputted tty in ldisc_open()
+
+static int ldisc_open(struct tty_struct *tty)
+{
+...
+       ser->tty = tty_kref_get(tty);
+...
+       result = register_netdevice(dev);
+       if (result) {
+               rtnl_unlock();
+               free_netdev(dev);
+               return -ENODEV;
+       }
+...
+}
+
+Ser pointer is netdev private_data, so after free_netdev()
+this pointer goes away with unputted tty reference. So, fix
+it by adding tty_kref_put() before freeing netdev.
+
+Reported-and-tested-by: syzbot+f303e045423e617d2cad@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/caif/caif_serial.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c
+index 9f30748da4ab..8c38f224becb 100644
+--- a/drivers/net/caif/caif_serial.c
++++ b/drivers/net/caif/caif_serial.c
+@@ -350,6 +350,7 @@ static int ldisc_open(struct tty_struct *tty)
+       rtnl_lock();
+       result = register_netdevice(dev);
+       if (result) {
++              tty_kref_put(tty);
+               rtnl_unlock();
+               free_netdev(dev);
+               return -ENODEV;
+-- 
+2.30.2
+
diff --git a/queue-5.12/net-ethtool-clear-heap-allocations-for-ethtool-funct.patch b/queue-5.12/net-ethtool-clear-heap-allocations-for-ethtool-funct.patch
new file mode 100644 (file)
index 0000000..0e4a3e9
--- /dev/null
@@ -0,0 +1,72 @@
+From 96840b77ee533a8b39c52f435788d021beb52812 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jun 2021 03:34:25 +0100
+Subject: net: ethtool: clear heap allocations for ethtool function
+
+From: Austin Kim <austindh.kim@gmail.com>
+
+[ Upstream commit 80ec82e3d2c1fab42eeb730aaa7985494a963d3f ]
+
+Several ethtool functions leave heap uncleared (potentially) by
+drivers. This will leave the unused portion of heap unchanged and
+might copy the full contents back to userspace.
+
+Signed-off-by: Austin Kim <austindh.kim@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ethtool/ioctl.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/net/ethtool/ioctl.c b/net/ethtool/ioctl.c
+index 2603966da904..e910890a868c 100644
+--- a/net/ethtool/ioctl.c
++++ b/net/ethtool/ioctl.c
+@@ -1421,7 +1421,7 @@ static int ethtool_get_any_eeprom(struct net_device *dev, void __user *useraddr,
+       if (eeprom.offset + eeprom.len > total_len)
+               return -EINVAL;
+-      data = kmalloc(PAGE_SIZE, GFP_USER);
++      data = kzalloc(PAGE_SIZE, GFP_USER);
+       if (!data)
+               return -ENOMEM;
+@@ -1486,7 +1486,7 @@ static int ethtool_set_eeprom(struct net_device *dev, void __user *useraddr)
+       if (eeprom.offset + eeprom.len > ops->get_eeprom_len(dev))
+               return -EINVAL;
+-      data = kmalloc(PAGE_SIZE, GFP_USER);
++      data = kzalloc(PAGE_SIZE, GFP_USER);
+       if (!data)
+               return -ENOMEM;
+@@ -1765,7 +1765,7 @@ static int ethtool_self_test(struct net_device *dev, char __user *useraddr)
+               return -EFAULT;
+       test.len = test_len;
+-      data = kmalloc_array(test_len, sizeof(u64), GFP_USER);
++      data = kcalloc(test_len, sizeof(u64), GFP_USER);
+       if (!data)
+               return -ENOMEM;
+@@ -2281,7 +2281,7 @@ static int ethtool_get_tunable(struct net_device *dev, void __user *useraddr)
+       ret = ethtool_tunable_valid(&tuna);
+       if (ret)
+               return ret;
+-      data = kmalloc(tuna.len, GFP_USER);
++      data = kzalloc(tuna.len, GFP_USER);
+       if (!data)
+               return -ENOMEM;
+       ret = ops->get_tunable(dev, &tuna, data);
+@@ -2473,7 +2473,7 @@ static int get_phy_tunable(struct net_device *dev, void __user *useraddr)
+       ret = ethtool_phy_tunable_valid(&tuna);
+       if (ret)
+               return ret;
+-      data = kmalloc(tuna.len, GFP_USER);
++      data = kzalloc(tuna.len, GFP_USER);
+       if (!data)
+               return -ENOMEM;
+       if (phy_drv_tunable) {
+-- 
+2.30.2
+
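Review bot: None of the five allocations switched to `kzalloc()`/`kcalloc()` in ioctl.c says why zeroing is required, so the change reads like a style preference and is easy to undo later as an optimisation. The reason given in the commit message is that a driver may fill only part of the buffer before it is copied back to userspace; a short comment at each site, e.g. `/* zeroed: the driver may not fill the whole buffer that is copied to userspace */`, would keep that visible. Zeroing only hides stale heap contents. Whether the length copied back is bounded by what the driver actually wrote is decided outside these hunks and should be checked in the same pass. All five functions start and end outside the hunks.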
diff --git a/queue-5.12/net-ipv4-remove-unneed-bug-function.patch b/queue-5.12/net-ipv4-remove-unneed-bug-function.patch
new file mode 100644 (file)
index 0000000..c905277
--- /dev/null
@@ -0,0 +1,49 @@
+From 452243244eefef1a0acfe8a61b90b6ab01d0980e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jun 2021 09:53:15 +0800
+Subject: net: ipv4: Remove unneed BUG() function
+
+From: Zheng Yongjun <zhengyongjun3@huawei.com>
+
+[ Upstream commit 5ac6b198d7e312bd10ebe7d58c64690dc59cc49a ]
+
+When 'nla_parse_nested_deprecated' failed, it's no need to
+BUG() here, return -EINVAL is ok.
+
+Signed-off-by: Zheng Yongjun <zhengyongjun3@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/devinet.c  | 2 +-
+ net/ipv6/addrconf.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
+index 2e35f68da40a..1c6429c353a9 100644
+--- a/net/ipv4/devinet.c
++++ b/net/ipv4/devinet.c
+@@ -1989,7 +1989,7 @@ static int inet_set_link_af(struct net_device *dev, const struct nlattr *nla,
+               return -EAFNOSUPPORT;
+       if (nla_parse_nested_deprecated(tb, IFLA_INET_MAX, nla, NULL, NULL) < 0)
+-              BUG();
++              return -EINVAL;
+       if (tb[IFLA_INET_CONF]) {
+               nla_for_each_nested(a, tb[IFLA_INET_CONF], rem)
+diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
+index a9e53f5942fa..eab0a46983c0 100644
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -5822,7 +5822,7 @@ static int inet6_set_link_af(struct net_device *dev, const struct nlattr *nla,
+               return -EAFNOSUPPORT;
+       if (nla_parse_nested_deprecated(tb, IFLA_INET6_MAX, nla, NULL, NULL) < 0)
+-              BUG();
++              return -EINVAL;
+       if (tb[IFLA_INET6_TOKEN]) {
+               err = inet6_set_iftoken(idev, nla_data(tb[IFLA_INET6_TOKEN]),
+-- 
+2.30.2
+
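Review bot: Both replacements for `BUG()` return a fixed `-EINVAL` and discard the value that nla_parse_nested_deprecated() reported, in inet_set_link_af() and again in inet6_set_link_af(). Propagating it keeps the real cause visible to the netlink caller: `err = nla_parse_nested_deprecated(tb, IFLA_INET6_MAX, nla, NULL, NULL);` followed by `if (err < 0) return err;`. An `err` local is visible in the IPv6 function; the IPv4 one would need one if it has none. Neither hunk shows the whole function, so whether the attribute was already validated before this point cannot be confirmed from here.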
diff --git a/queue-5.12/net-ll_temac-add-memory-barriers-for-tx-bd-access.patch b/queue-5.12/net-ll_temac-add-memory-barriers-for-tx-bd-access.patch
new file mode 100644 (file)
index 0000000..b7766fb
--- /dev/null
@@ -0,0 +1,76 @@
+From 57b344acdcfbf41e4008672ebd00e340fc4c7582 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jun 2021 12:52:28 +0200
+Subject: net: ll_temac: Add memory-barriers for TX BD access
+
+From: Esben Haabendal <esben@geanix.com>
+
+[ Upstream commit 28d9fab458b16bcd83f9dd07ede3d585c3e1a69e ]
+
+Add a couple of memory-barriers to ensure correct ordering of read/write
+access to TX BDs.
+
+In xmit_done, we should ensure that reading the additional BD fields are
+only done after STS_CTRL_APP0_CMPLT bit is set.
+
+When xmit_done marks the BD as free by setting APP0=0, we need to ensure
+that the other BD fields are reset first, so we avoid racing with the xmit
+path, which writes to the same fields.
+
+Finally, making sure to read APP0 of next BD after the current BD, ensures
+that we see all available buffers.
+
+Signed-off-by: Esben Haabendal <esben@geanix.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/xilinx/ll_temac_main.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/xilinx/ll_temac_main.c b/drivers/net/ethernet/xilinx/ll_temac_main.c
+index 01bb36e7cff0..b105e1d35d15 100644
+--- a/drivers/net/ethernet/xilinx/ll_temac_main.c
++++ b/drivers/net/ethernet/xilinx/ll_temac_main.c
+@@ -774,12 +774,15 @@ static void temac_start_xmit_done(struct net_device *ndev)
+       stat = be32_to_cpu(cur_p->app0);
+       while (stat & STS_CTRL_APP0_CMPLT) {
++              /* Make sure that the other fields are read after bd is
++               * released by dma
++               */
++              rmb();
+               dma_unmap_single(ndev->dev.parent, be32_to_cpu(cur_p->phys),
+                                be32_to_cpu(cur_p->len), DMA_TO_DEVICE);
+               skb = (struct sk_buff *)ptr_from_txbd(cur_p);
+               if (skb)
+                       dev_consume_skb_irq(skb);
+-              cur_p->app0 = 0;
+               cur_p->app1 = 0;
+               cur_p->app2 = 0;
+               cur_p->app3 = 0;
+@@ -788,6 +791,12 @@ static void temac_start_xmit_done(struct net_device *ndev)
+               ndev->stats.tx_packets++;
+               ndev->stats.tx_bytes += be32_to_cpu(cur_p->len);
++              /* app0 must be visible last, as it is used to flag
++               * availability of the bd
++               */
++              smp_mb();
++              cur_p->app0 = 0;
++
+               lp->tx_bd_ci++;
+               if (lp->tx_bd_ci >= lp->tx_bd_num)
+                       lp->tx_bd_ci = 0;
+@@ -814,6 +823,9 @@ static inline int temac_check_tx_bd_space(struct temac_local *lp, int num_frag)
+               if (cur_p->app0)
+                       return NETDEV_TX_BUSY;
++              /* Make sure to read next bd app0 after this one */
++              rmb();
++
+               tail++;
+               if (tail >= lp->tx_bd_num)
+                       tail = 0;
+-- 
+2.30.2
+
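Review bot: The `smp_mb()` before `cur_p->app0 = 0` in temac_start_xmit_done() does not name the barrier it pairs with. The only reader-side barrier in this patch, the `rmb()` in temac_check_tx_bd_space(), orders one `app0` read against the next, not the `app0` read against later writes to the same descriptor. Those writes are in the transmit path outside these hunks, so the ordering may already be covered there, but the comment should say so, for example `/* pairs with <reader-side barrier> in temac_start_xmit() */` with the real barrier named. `cur_p->app0` is also read with a plain load in the check loop; `READ_ONCE(cur_p->app0)` would keep the compiler from merging or repeating that read. Both functions continue beyond the hunks.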
diff --git a/queue-5.12/net-ll_temac-avoid-ndo_start_xmit-returning-netdev_t.patch b/queue-5.12/net-ll_temac-avoid-ndo_start_xmit-returning-netdev_t.patch
new file mode 100644 (file)
index 0000000..afb2803
--- /dev/null
@@ -0,0 +1,40 @@
+From eacf94d15e7a94edc571556e08af37ec460c4b0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jun 2021 12:52:38 +0200
+Subject: net: ll_temac: Avoid ndo_start_xmit returning NETDEV_TX_BUSY
+
+From: Esben Haabendal <esben@geanix.com>
+
+[ Upstream commit f6396341194234e9b01cd7538bc2c6ac4501ab14 ]
+
+As documented in Documentation/networking/driver.rst, the ndo_start_xmit
+method must not return NETDEV_TX_BUSY under any normal circumstances, and
+as recommended, we simply stop the tx queue in advance, when there is a
+risk that the next xmit would cause a NETDEV_TX_BUSY return.
+
+Signed-off-by: Esben Haabendal <esben@geanix.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/xilinx/ll_temac_main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/xilinx/ll_temac_main.c b/drivers/net/ethernet/xilinx/ll_temac_main.c
+index b105e1d35d15..6bd3a389d389 100644
+--- a/drivers/net/ethernet/xilinx/ll_temac_main.c
++++ b/drivers/net/ethernet/xilinx/ll_temac_main.c
+@@ -942,6 +942,11 @@ temac_start_xmit(struct sk_buff *skb, struct net_device *ndev)
+       wmb();
+       lp->dma_out(lp, TX_TAILDESC_PTR, tail_p); /* DMA start */
++      if (temac_check_tx_bd_space(lp, MAX_SKB_FRAGS + 1)) {
++              netdev_info(ndev, "%s -> netif_stop_queue\n", __func__);
++              netif_stop_queue(ndev);
++      }
++
+       return NETDEV_TX_OK;
+ }
+-- 
+2.30.2
+
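Review bot: The space check and `netif_stop_queue()` added at the end of temac_start_xmit() are not atomic with respect to TX completion. If the completion handler frees descriptors between the two calls, the queue is stopped with space available and stays stopped unless something later wakes it (the wake side is outside this hunk). The usual shape is to stop first, issue a full barrier, re-check, and wake the queue again if space has appeared. The `netdev_info()` call also logs at info level every time the ring fills, which can flood the log under sustained load; it is dropped in the version below, and `netdev_dbg()` would be the alternative. The start of temac_start_xmit() is outside the hunk.

```c
	lp->dma_out(lp, TX_TAILDESC_PTR, tail_p); /* DMA start */

	if (temac_check_tx_bd_space(lp, MAX_SKB_FRAGS + 1)) {
		netif_stop_queue(ndev);
		/* Re-check after stopping: a completion may have freed
		 * descriptors between the check above and the stop.
		 */
		smp_mb();
		if (!temac_check_tx_bd_space(lp, MAX_SKB_FRAGS + 1))
			netif_wake_queue(ndev);
	}
```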
diff --git a/queue-5.12/net-packet-annotate-accesses-to-po-bind.patch b/queue-5.12/net-packet-annotate-accesses-to-po-bind.patch
new file mode 100644 (file)
index 0000000..2f18da7
--- /dev/null
@@ -0,0 +1,135 @@
+From 5a01dca0ec6da666340412d0978fdcd01864b0aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 06:42:01 -0700
+Subject: net/packet: annotate accesses to po->bind
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit c7d2ef5dd4b03ed0ee1d13bc0c55f9cf62d49bd6 ]
+
+tpacket_snd(), packet_snd(), packet_getname() and packet_seq_show()
+can read po->num without holding a lock. This means other threads
+can change po->num at the same time.
+
+KCSAN complained about this known fact [1]
+Add READ_ONCE()/WRITE_ONCE() to address the issue.
+
+[1] BUG: KCSAN: data-race in packet_do_bind / packet_sendmsg
+
+write to 0xffff888131a0dcc0 of 2 bytes by task 24714 on cpu 0:
+ packet_do_bind+0x3ab/0x7e0 net/packet/af_packet.c:3181
+ packet_bind+0xc3/0xd0 net/packet/af_packet.c:3255
+ __sys_bind+0x200/0x290 net/socket.c:1637
+ __do_sys_bind net/socket.c:1648 [inline]
+ __se_sys_bind net/socket.c:1646 [inline]
+ __x64_sys_bind+0x3d/0x50 net/socket.c:1646
+ do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+read to 0xffff888131a0dcc0 of 2 bytes by task 24719 on cpu 1:
+ packet_snd net/packet/af_packet.c:2899 [inline]
+ packet_sendmsg+0x317/0x3570 net/packet/af_packet.c:3040
+ sock_sendmsg_nosec net/socket.c:654 [inline]
+ sock_sendmsg net/socket.c:674 [inline]
+ ____sys_sendmsg+0x360/0x4d0 net/socket.c:2350
+ ___sys_sendmsg net/socket.c:2404 [inline]
+ __sys_sendmsg+0x1ed/0x270 net/socket.c:2433
+ __do_sys_sendmsg net/socket.c:2442 [inline]
+ __se_sys_sendmsg net/socket.c:2440 [inline]
+ __x64_sys_sendmsg+0x42/0x50 net/socket.c:2440
+ do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+value changed: 0x0000 -> 0x1200
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 24719 Comm: syz-executor.5 Not tainted 5.13.0-rc4-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/packet/af_packet.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 84d8921391c3..8e07341a98af 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2683,7 +2683,7 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
+       }
+       if (likely(saddr == NULL)) {
+               dev     = packet_cached_dev_get(po);
+-              proto   = po->num;
++              proto   = READ_ONCE(po->num);
+       } else {
+               err = -EINVAL;
+               if (msg->msg_namelen < sizeof(struct sockaddr_ll))
+@@ -2896,7 +2896,7 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
+       if (likely(saddr == NULL)) {
+               dev     = packet_cached_dev_get(po);
+-              proto   = po->num;
++              proto   = READ_ONCE(po->num);
+       } else {
+               err = -EINVAL;
+               if (msg->msg_namelen < sizeof(struct sockaddr_ll))
+@@ -3171,7 +3171,7 @@ static int packet_do_bind(struct sock *sk, const char *name, int ifindex,
+                       /* prevents packet_notifier() from calling
+                        * register_prot_hook()
+                        */
+-                      po->num = 0;
++                      WRITE_ONCE(po->num, 0);
+                       __unregister_prot_hook(sk, true);
+                       rcu_read_lock();
+                       dev_curr = po->prot_hook.dev;
+@@ -3181,7 +3181,7 @@ static int packet_do_bind(struct sock *sk, const char *name, int ifindex,
+               }
+               BUG_ON(po->running);
+-              po->num = proto;
++              WRITE_ONCE(po->num, proto);
+               po->prot_hook.type = proto;
+               if (unlikely(unlisted)) {
+@@ -3526,7 +3526,7 @@ static int packet_getname(struct socket *sock, struct sockaddr *uaddr,
+       sll->sll_family = AF_PACKET;
+       sll->sll_ifindex = po->ifindex;
+-      sll->sll_protocol = po->num;
++      sll->sll_protocol = READ_ONCE(po->num);
+       sll->sll_pkttype = 0;
+       rcu_read_lock();
+       dev = dev_get_by_index_rcu(sock_net(sk), po->ifindex);
+@@ -4414,7 +4414,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
+       was_running = po->running;
+       num = po->num;
+       if (was_running) {
+-              po->num = 0;
++              WRITE_ONCE(po->num, 0);
+               __unregister_prot_hook(sk, false);
+       }
+       spin_unlock(&po->bind_lock);
+@@ -4449,7 +4449,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
+       spin_lock(&po->bind_lock);
+       if (was_running) {
+-              po->num = num;
++              WRITE_ONCE(po->num, num);
+               register_prot_hook(sk);
+       }
+       spin_unlock(&po->bind_lock);
+@@ -4619,7 +4619,7 @@ static int packet_seq_show(struct seq_file *seq, void *v)
+                          s,
+                          refcount_read(&s->sk_refcnt),
+                          s->sk_type,
+-                         ntohs(po->num),
++                         ntohs(READ_ONCE(po->num)),
+                          po->ifindex,
+                          po->running,
+                          atomic_read(&s->sk_rmem_alloc),
+-- 
+2.30.2
+
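Review bot: In packet_seq_show() only `po->num` gains `READ_ONCE()`, while `po->running` two arguments later in the same `seq_printf()` call is still a plain read. The hunk does not show that function taking `po->bind_lock`, and if it does not, `po->running` is open to the same kind of report this patch answers for `po->num`. `po->ifindex` on the line between them is the subject of the next patch in the queue. Separately, the subject line names `po->bind`, but every changed line touches `po->num`, which makes the commit harder to find when searching history by field name.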
diff --git a/queue-5.12/net-packet-annotate-accesses-to-po-ifindex.patch b/queue-5.12/net-packet-annotate-accesses-to-po-ifindex.patch
new file mode 100644 (file)
index 0000000..1c81e17
--- /dev/null
@@ -0,0 +1,119 @@
+From a8cc79598fd4ef55c5fce488ac847a4116350d14 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 06:42:02 -0700
+Subject: net/packet: annotate accesses to po->ifindex
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit e032f7c9c7cefffcfb79b9fc16c53011d2d9d11f ]
+
+Like prior patch, we need to annotate lockless accesses to po->ifindex
+For instance, packet_getname() is reading po->ifindex (twice) while
+another thread is able to change po->ifindex.
+
+KCSAN reported:
+
+BUG: KCSAN: data-race in packet_do_bind / packet_getname
+
+write to 0xffff888143ce3cbc of 4 bytes by task 25573 on cpu 1:
+ packet_do_bind+0x420/0x7e0 net/packet/af_packet.c:3191
+ packet_bind+0xc3/0xd0 net/packet/af_packet.c:3255
+ __sys_bind+0x200/0x290 net/socket.c:1637
+ __do_sys_bind net/socket.c:1648 [inline]
+ __se_sys_bind net/socket.c:1646 [inline]
+ __x64_sys_bind+0x3d/0x50 net/socket.c:1646
+ do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+read to 0xffff888143ce3cbc of 4 bytes by task 25578 on cpu 0:
+ packet_getname+0x5b/0x1a0 net/packet/af_packet.c:3525
+ __sys_getsockname+0x10e/0x1a0 net/socket.c:1887
+ __do_sys_getsockname net/socket.c:1902 [inline]
+ __se_sys_getsockname net/socket.c:1899 [inline]
+ __x64_sys_getsockname+0x3e/0x50 net/socket.c:1899
+ do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+value changed: 0x00000000 -> 0x00000001
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 25578 Comm: syz-executor.5 Not tainted 5.13.0-rc6-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/packet/af_packet.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 8e07341a98af..68a4dd251242 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3187,11 +3187,11 @@ static int packet_do_bind(struct sock *sk, const char *name, int ifindex,
+               if (unlikely(unlisted)) {
+                       dev_put(dev);
+                       po->prot_hook.dev = NULL;
+-                      po->ifindex = -1;
++                      WRITE_ONCE(po->ifindex, -1);
+                       packet_cached_dev_reset(po);
+               } else {
+                       po->prot_hook.dev = dev;
+-                      po->ifindex = dev ? dev->ifindex : 0;
++                      WRITE_ONCE(po->ifindex, dev ? dev->ifindex : 0);
+                       packet_cached_dev_assign(po, dev);
+               }
+       }
+@@ -3505,7 +3505,7 @@ static int packet_getname_spkt(struct socket *sock, struct sockaddr *uaddr,
+       uaddr->sa_family = AF_PACKET;
+       memset(uaddr->sa_data, 0, sizeof(uaddr->sa_data));
+       rcu_read_lock();
+-      dev = dev_get_by_index_rcu(sock_net(sk), pkt_sk(sk)->ifindex);
++      dev = dev_get_by_index_rcu(sock_net(sk), READ_ONCE(pkt_sk(sk)->ifindex));
+       if (dev)
+               strlcpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data));
+       rcu_read_unlock();
+@@ -3520,16 +3520,18 @@ static int packet_getname(struct socket *sock, struct sockaddr *uaddr,
+       struct sock *sk = sock->sk;
+       struct packet_sock *po = pkt_sk(sk);
+       DECLARE_SOCKADDR(struct sockaddr_ll *, sll, uaddr);
++      int ifindex;
+       if (peer)
+               return -EOPNOTSUPP;
++      ifindex = READ_ONCE(po->ifindex);
+       sll->sll_family = AF_PACKET;
+-      sll->sll_ifindex = po->ifindex;
++      sll->sll_ifindex = ifindex;
+       sll->sll_protocol = READ_ONCE(po->num);
+       sll->sll_pkttype = 0;
+       rcu_read_lock();
+-      dev = dev_get_by_index_rcu(sock_net(sk), po->ifindex);
++      dev = dev_get_by_index_rcu(sock_net(sk), ifindex);
+       if (dev) {
+               sll->sll_hatype = dev->type;
+               sll->sll_halen = dev->addr_len;
+@@ -4108,7 +4110,7 @@ static int packet_notifier(struct notifier_block *this,
+                               }
+                               if (msg == NETDEV_UNREGISTER) {
+                                       packet_cached_dev_reset(po);
+-                                      po->ifindex = -1;
++                                      WRITE_ONCE(po->ifindex, -1);
+                                       if (po->prot_hook.dev)
+                                               dev_put(po->prot_hook.dev);
+                                       po->prot_hook.dev = NULL;
+@@ -4620,7 +4622,7 @@ static int packet_seq_show(struct seq_file *seq, void *v)
+                          refcount_read(&s->sk_refcnt),
+                          s->sk_type,
+                          ntohs(READ_ONCE(po->num)),
+-                         po->ifindex,
++                         READ_ONCE(po->ifindex),
+                          po->running,
+                          atomic_read(&s->sk_rmem_alloc),
+                          from_kuid_munged(seq_user_ns(seq), sock_i_uid(s)),
+-- 
+2.30.2
+
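Review bot: In packet_getname(), `ifindex` and `po->num` are still sampled by two independent READ_ONCE() calls, so the sockaddr_ll handed back can pair an interface index from before a concurrent packet_do_bind() with a protocol from after it, or the reverse. The annotations prevent torn loads and KCSAN reports, but they do not make the pair consistent. If that is acceptable for getsockname(), say so next to the snapshot, e.g. `/* Lockless snapshot: ifindex and num are read separately and may straddle a concurrent bind. */`. The hunk shows only part of packet_getname(), so any locking outside it is not visible here.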
diff --git a/queue-5.12/net-packet-annotate-data-race-in-packet_sendmsg.patch b/queue-5.12/net-packet-annotate-data-race-in-packet_sendmsg.patch
new file mode 100644 (file)
index 0000000..94c18e9
--- /dev/null
@@ -0,0 +1,46 @@
+From 3330f6df0f4ee6e7f378e2b5c9a6988b4885335d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jun 2021 09:00:12 -0700
+Subject: net/packet: annotate data race in packet_sendmsg()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit d1b5bee4c8be01585033be9b3a8878789285285f ]
+
+There is a known race in packet_sendmsg(), addressed
+in commit 32d3182cd2cd ("net/packet: fix race in tpacket_snd()")
+
+Now we have data_race(), we can use it to avoid a future KCSAN warning,
+as syzbot loves stressing af_packet sockets :)
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/packet/af_packet.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index c52557ec7fb3..84d8921391c3 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3034,10 +3034,13 @@ static int packet_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
+       struct sock *sk = sock->sk;
+       struct packet_sock *po = pkt_sk(sk);
+-      if (po->tx_ring.pg_vec)
++      /* Reading tx_ring.pg_vec without holding pg_vec_lock is racy.
++       * tpacket_snd() will redo the check safely.
++       */
++      if (data_race(po->tx_ring.pg_vec))
+               return tpacket_snd(po, msg);
+-      else
+-              return packet_snd(sock, msg, len);
++
++      return packet_snd(sock, msg, len);
+ }
+ /*
+-- 
+2.30.2
+
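Review bot: The new comment in packet_sendmsg() covers only the case where the racy read sees a non-NULL `pg_vec` and tpacket_snd() rechecks it. It says nothing about the opposite outcome, where the read sees NULL while a TX ring is being installed and the message goes through packet_snd() instead. If that direction is harmless, the comment should say why, for example `* A stale NULL only routes this one message through packet_snd().`. That packet_snd() never touches the ring is an assumption to confirm, since its body is not part of this hunk.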
diff --git a/queue-5.12/net-phy-dp83867-perform-soft-reset-and-retain-establ.patch b/queue-5.12/net-phy-dp83867-perform-soft-reset-and-retain-establ.patch
new file mode 100644 (file)
index 0000000..1e1e420
--- /dev/null
@@ -0,0 +1,53 @@
+From 94dcc202ec1de6e7b526d513d34193b6ee4a4755 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jun 2021 19:43:42 -0500
+Subject: net: phy: dp83867: perform soft reset and retain established link
+
+From: Praneeth Bajjuri <praneeth@ti.com>
+
+[ Upstream commit da9ef50f545f86ffe6ff786174d26500c4db737a ]
+
+Current logic is performing hard reset and causing the programmed
+registers to be wiped out.
+
+as per datasheet: https://www.ti.com/lit/ds/symlink/dp83867cr.pdf
+8.6.26 Control Register (CTRL)
+
+do SW_RESTART to perform a reset not including the registers,
+If performed when link is already present,
+it will drop the link and trigger re-auto negotiation.
+
+Signed-off-by: Praneeth Bajjuri <praneeth@ti.com>
+Signed-off-by: Geet Modi <geet.modi@ti.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/dp83867.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/drivers/net/phy/dp83867.c b/drivers/net/phy/dp83867.c
+index 9bd9a5c0b1db..6bbc81ad295f 100644
+--- a/drivers/net/phy/dp83867.c
++++ b/drivers/net/phy/dp83867.c
+@@ -826,16 +826,12 @@ static int dp83867_phy_reset(struct phy_device *phydev)
+ {
+       int err;
+-      err = phy_write(phydev, DP83867_CTRL, DP83867_SW_RESET);
++      err = phy_write(phydev, DP83867_CTRL, DP83867_SW_RESTART);
+       if (err < 0)
+               return err;
+       usleep_range(10, 20);
+-      /* After reset FORCE_LINK_GOOD bit is set. Although the
+-       * default value should be unset. Disable FORCE_LINK_GOOD
+-       * for the phy to work properly.
+-       */
+       return phy_modify(phydev, MII_DP83867_PHYCTRL,
+                        DP83867_PHYCR_FORCE_LINK_GOOD, 0);
+ }
+-- 
+2.30.2
+
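Review bot: The patch deletes the comment that explained why FORCE_LINK_GOOD is cleared but keeps the `phy_modify()` call, so the last statement of dp83867_phy_reset() now has no stated reason. The commit message says SW_RESTART resets the PHY without touching the registers, which leaves it unclear whether the bit can still come back set. Either keep a one-line comment such as `/* Clear FORCE_LINK_GOOD in case it was left set; SW_RESTART keeps register contents. */` or explain in the changelog why the call stays. The unchanged `usleep_range(10, 20)` predates the switch to SW_RESTART and is worth checking against the datasheet section the commit cites.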
diff --git a/queue-5.12/net-qed-fix-memcpy-overflow-of-qed_dcbx_params.patch b/queue-5.12/net-qed-fix-memcpy-overflow-of-qed_dcbx_params.patch
new file mode 100644 (file)
index 0000000..8676d17
--- /dev/null
@@ -0,0 +1,50 @@
+From 8f6f89928e90bab6bf606a3c10b5116cfe4a6941 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jun 2021 10:09:53 -0700
+Subject: net: qed: Fix memcpy() overflow of qed_dcbx_params()
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 1c200f832e14420fa770193f9871f4ce2df00d07 ]
+
+The source (&dcbx_info->operational.params) and dest
+(&p_hwfn->p_dcbx_info->set.config.params) are both struct qed_dcbx_params
+(560 bytes), not struct qed_dcbx_admin_params (564 bytes), which is used
+as the memcpy() size.
+
+However it seems that struct qed_dcbx_operational_params
+(dcbx_info->operational)'s layout matches struct qed_dcbx_admin_params
+(p_hwfn->p_dcbx_info->set.config)'s 4 byte difference (3 padding, 1 byte
+for "valid").
+
+On the assumption that the size is wrong (rather than the source structure
+type), adjust the memcpy() size argument to be 4 bytes smaller and add
+a BUILD_BUG_ON() to validate any changes to the structure sizes.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_dcbx.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_dcbx.c b/drivers/net/ethernet/qlogic/qed/qed_dcbx.c
+index 17d5b649eb36..e81dd34a3cac 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_dcbx.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_dcbx.c
+@@ -1266,9 +1266,11 @@ int qed_dcbx_get_config_params(struct qed_hwfn *p_hwfn,
+               p_hwfn->p_dcbx_info->set.ver_num |= DCBX_CONFIG_VERSION_STATIC;
+       p_hwfn->p_dcbx_info->set.enabled = dcbx_info->operational.enabled;
++      BUILD_BUG_ON(sizeof(dcbx_info->operational.params) !=
++                   sizeof(p_hwfn->p_dcbx_info->set.config.params));
+       memcpy(&p_hwfn->p_dcbx_info->set.config.params,
+              &dcbx_info->operational.params,
+-             sizeof(struct qed_dcbx_admin_params));
++             sizeof(p_hwfn->p_dcbx_info->set.config.params));
+       p_hwfn->p_dcbx_info->set.config.valid = true;
+       memcpy(params, &p_hwfn->p_dcbx_info->set, sizeof(struct qed_dcbx_set));
+-- 
+2.30.2
+
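Review bot: The copy in qed_dcbx_get_config_params() could be a plain struct assignment, which lets the compiler enforce that source and destination have the same type instead of checking only their sizes: `p_hwfn->p_dcbx_info->set.config.params = dcbx_info->operational.params;`. The commit message states that both members are struct qed_dcbx_params, so this should compile as is and would make the BUILD_BUG_ON() unnecessary; equal sizes alone would not catch two different layouts of the same length. The following `memcpy(params, &p_hwfn->p_dcbx_info->set, sizeof(struct qed_dcbx_set))` still sizes the copy by a type name rather than by the destination object. The declaration of `params` is outside the hunk, so that call deserves the same check.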
diff --git a/queue-5.12/pci-add-amd-rs690-quirk-to-enable-64-bit-dma.patch b/queue-5.12/pci-add-amd-rs690-quirk-to-enable-64-bit-dma.patch
new file mode 100644 (file)
index 0000000..99281ef
--- /dev/null
@@ -0,0 +1,96 @@
+From 9a45ae5504b7201332735adaa07439ef2e8598d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Jun 2021 17:48:23 -0400
+Subject: PCI: Add AMD RS690 quirk to enable 64-bit DMA
+
+From: Mikel Rychliski <mikel@mikelr.com>
+
+[ Upstream commit cacf994a91d3a55c0c2f853d6429cd7b86113915 ]
+
+Although the AMD RS690 chipset has 64-bit DMA support, BIOS implementations
+sometimes fail to configure the memory limit registers correctly.
+
+The Acer F690GVM mainboard uses this chipset and a Marvell 88E8056 NIC. The
+sky2 driver programs the NIC to use 64-bit DMA, which will not work:
+
+  sky2 0000:02:00.0: error interrupt status=0x8
+  sky2 0000:02:00.0 eth0: tx timeout
+  sky2 0000:02:00.0 eth0: transmit ring 0 .. 22 report=0 done=0
+
+Other drivers required by this mainboard either don't support 64-bit DMA,
+or have it disabled using driver specific quirks. For example, the ahci
+driver has quirks to enable or disable 64-bit DMA depending on the BIOS
+version (see ahci_sb600_enable_64bit() in ahci.c). This ahci quirk matches
+against the SB600 SATA controller, but the real issue is almost certainly
+with the RS690 PCI host that it was commonly attached to.
+
+To avoid this issue in all drivers with 64-bit DMA support, fix the
+configuration of the PCI host. If the kernel is aware of physical memory
+above 4GB, but the BIOS never configured the PCI host with this
+information, update the registers with our values.
+
+[bhelgaas: drop PCI_DEVICE_ID_ATI_RS690 definition]
+Link: https://lore.kernel.org/r/20210611214823.4898-1-mikel@mikelr.com
+Signed-off-by: Mikel Rychliski <mikel@mikelr.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/pci/fixup.c | 44 ++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 44 insertions(+)
+
+diff --git a/arch/x86/pci/fixup.c b/arch/x86/pci/fixup.c
+index 0a0e168be1cb..9b0e771302ce 100644
+--- a/arch/x86/pci/fixup.c
++++ b/arch/x86/pci/fixup.c
+@@ -779,4 +779,48 @@ DECLARE_PCI_FIXUP_RESUME(PCI_VENDOR_ID_AMD, 0x1571, pci_amd_enable_64bit_bar);
+ DECLARE_PCI_FIXUP_RESUME(PCI_VENDOR_ID_AMD, 0x15b1, pci_amd_enable_64bit_bar);
+ DECLARE_PCI_FIXUP_RESUME(PCI_VENDOR_ID_AMD, 0x1601, pci_amd_enable_64bit_bar);
++#define RS690_LOWER_TOP_OF_DRAM2      0x30
++#define RS690_LOWER_TOP_OF_DRAM2_VALID        0x1
++#define RS690_UPPER_TOP_OF_DRAM2      0x31
++#define RS690_HTIU_NB_INDEX           0xA8
++#define RS690_HTIU_NB_INDEX_WR_ENABLE 0x100
++#define RS690_HTIU_NB_DATA            0xAC
++
++/*
++ * Some BIOS implementations support RAM above 4GB, but do not configure the
++ * PCI host to respond to bus master accesses for these addresses. These
++ * implementations set the TOP_OF_DRAM_SLOT1 register correctly, so PCI DMA
++ * works as expected for addresses below 4GB.
++ *
++ * Reference: "AMD RS690 ASIC Family Register Reference Guide" (pg. 2-57)
++ * https://www.amd.com/system/files/TechDocs/43372_rs690_rrg_3.00o.pdf
++ */
++static void rs690_fix_64bit_dma(struct pci_dev *pdev)
++{
++      u32 val = 0;
++      phys_addr_t top_of_dram = __pa(high_memory - 1) + 1;
++
++      if (top_of_dram <= (1ULL << 32))
++              return;
++
++      pci_write_config_dword(pdev, RS690_HTIU_NB_INDEX,
++                              RS690_LOWER_TOP_OF_DRAM2);
++      pci_read_config_dword(pdev, RS690_HTIU_NB_DATA, &val);
++
++      if (val)
++              return;
++
++      pci_info(pdev, "Adjusting top of DRAM to %pa for 64-bit DMA support\n", &top_of_dram);
++
++      pci_write_config_dword(pdev, RS690_HTIU_NB_INDEX,
++              RS690_UPPER_TOP_OF_DRAM2 | RS690_HTIU_NB_INDEX_WR_ENABLE);
++      pci_write_config_dword(pdev, RS690_HTIU_NB_DATA, top_of_dram >> 32);
++
++      pci_write_config_dword(pdev, RS690_HTIU_NB_INDEX,
++              RS690_LOWER_TOP_OF_DRAM2 | RS690_HTIU_NB_INDEX_WR_ENABLE);
++      pci_write_config_dword(pdev, RS690_HTIU_NB_DATA,
++              top_of_dram | RS690_LOWER_TOP_OF_DRAM2_VALID);
++}
++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, 0x7910, rs690_fix_64bit_dma);
++
+ #endif
+-- 
+2.30.2
+
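Review bot: rs690_fix_64bit_dma() ignores the return value of `pci_read_config_dword()` and initialises `val` to 0, so a read that fails without storing anything looks the same as an unprogrammed register, and the function then rewrites the host bridge's top-of-DRAM registers. Checking the call, `if (pci_read_config_dword(pdev, RS690_HTIU_NB_DATA, &val) || val) return;`, keeps the quirk from acting on a value it never read. The two data writes also pass a `phys_addr_t` where a 32-bit value is expected. Using `upper_32_bits(top_of_dram)` and `lower_32_bits(top_of_dram) | RS690_LOWER_TOP_OF_DRAM2_VALID` makes the split explicit and avoids a shift by 32 on builds where phys_addr_t is 32 bits wide. Whether this code is compiled on such builds depends on the `#if` that the trailing `#endif` closes, which is outside the hunk.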
diff --git a/queue-5.12/perf-x86-intel-lbr-zero-the-xstate-buffer-on-allocat.patch b/queue-5.12/perf-x86-intel-lbr-zero-the-xstate-buffer-on-allocat.patch
new file mode 100644 (file)
index 0000000..8a3d6af
--- /dev/null
@@ -0,0 +1,50 @@
+From a93e366bb5cfbd583df26297563d6256d7f6c32d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Jun 2021 15:03:16 +0200
+Subject: perf/x86/intel/lbr: Zero the xstate buffer on allocation
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+[ Upstream commit 7f049fbdd57f6ea71dc741d903c19c73b2f70950 ]
+
+XRSTORS requires a valid xstate buffer to work correctly. XSAVES does not
+guarantee to write a fully valid buffer according to the SDM:
+
+  "XSAVES does not write to any parts of the XSAVE header other than the
+   XSTATE_BV and XCOMP_BV fields."
+
+XRSTORS triggers a #GP:
+
+  "If bytes 63:16 of the XSAVE header are not all zero."
+
+It's dubious at best how this can work at all when the buffer is not zeroed
+before use.
+
+Allocate the buffers with __GFP_ZERO to prevent XRSTORS failure.
+
+Fixes: ce711ea3cab9 ("perf/x86/intel/lbr: Support XSAVES/XRSTORS for LBR context switch")
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Link: https://lore.kernel.org/r/87wnr0wo2z.ffs@nanos.tec.linutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/intel/lbr.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/events/intel/lbr.c b/arch/x86/events/intel/lbr.c
+index 22d0e40a1920..991715886246 100644
+--- a/arch/x86/events/intel/lbr.c
++++ b/arch/x86/events/intel/lbr.c
+@@ -730,7 +730,8 @@ void reserve_lbr_buffers(void)
+               if (!kmem_cache || cpuc->lbr_xsave)
+                       continue;
+-              cpuc->lbr_xsave = kmem_cache_alloc_node(kmem_cache, GFP_KERNEL,
++              cpuc->lbr_xsave = kmem_cache_alloc_node(kmem_cache,
++                                                      GFP_KERNEL | __GFP_ZERO,
+                                                       cpu_to_node(cpu));
+       }
+ }
+-- 
+2.30.2
+
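Review bot: The reason for `__GFP_ZERO` in reserve_lbr_buffers() is recorded only in the commit message, so the flag looks like something a later cleanup could drop. A short comment above the allocation would preserve it: `/* XRSTORS raises #GP unless XSAVE header bytes 63:16 are zero, and XSAVES never writes them. */`. The result of kmem_cache_alloc_node() is not checked in this hunk either, so a failed allocation leaves `cpuc->lbr_xsave` NULL. The users of that pointer are outside the hunk and presumably test it, which should be confirmed.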
diff --git a/queue-5.12/perf-x86-lbr-remove-cpuc-lbr_xsave-allocation-from-a.patch b/queue-5.12/perf-x86-lbr-remove-cpuc-lbr_xsave-allocation-from-a.patch
new file mode 100644 (file)
index 0000000..9b0f7fa
--- /dev/null
@@ -0,0 +1,132 @@
+From f41f6a8c6117b281f5c3a781e5d30515d4fb9c80 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Apr 2021 13:22:47 +0800
+Subject: perf/x86/lbr: Remove cpuc->lbr_xsave allocation from atomic context
+
+From: Like Xu <like.xu@linux.intel.com>
+
+[ Upstream commit 488e13a489e9707a7e81e1991fdd1f20c0f04689 ]
+
+If the kernel is compiled with the CONFIG_LOCKDEP option, the conditional
+might_sleep_if() deep in kmem_cache_alloc() will generate the following
+trace, and potentially cause a deadlock when another LBR event is added:
+
+  [] BUG: sleeping function called from invalid context at include/linux/sched/mm.h:196
+  [] Call Trace:
+  []  kmem_cache_alloc+0x36/0x250
+  []  intel_pmu_lbr_add+0x152/0x170
+  []  x86_pmu_add+0x83/0xd0
+
+Make it symmetric with the release_lbr_buffers() call and mirror the
+existing DS buffers.
+
+Fixes: c085fb8774 ("perf/x86/intel/lbr: Support XSAVES for arch LBR read")
+Signed-off-by: Like Xu <like.xu@linux.intel.com>
+[peterz: simplified]
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Tested-by: Kan Liang <kan.liang@linux.intel.com>
+Link: https://lkml.kernel.org/r/20210430052247.3079672-2-like.xu@linux.intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/core.c       |  6 ++++--
+ arch/x86/events/intel/lbr.c  | 26 ++++++++++++++++++++------
+ arch/x86/events/perf_event.h |  6 ++++++
+ 3 files changed, 30 insertions(+), 8 deletions(-)
+
+diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c
+index 18df17129695..10cadd73a8ac 100644
+--- a/arch/x86/events/core.c
++++ b/arch/x86/events/core.c
+@@ -380,10 +380,12 @@ int x86_reserve_hardware(void)
+       if (!atomic_inc_not_zero(&pmc_refcount)) {
+               mutex_lock(&pmc_reserve_mutex);
+               if (atomic_read(&pmc_refcount) == 0) {
+-                      if (!reserve_pmc_hardware())
++                      if (!reserve_pmc_hardware()) {
+                               err = -EBUSY;
+-                      else
++                      } else {
+                               reserve_ds_buffers();
++                              reserve_lbr_buffers();
++                      }
+               }
+               if (!err)
+                       atomic_inc(&pmc_refcount);
+diff --git a/arch/x86/events/intel/lbr.c b/arch/x86/events/intel/lbr.c
+index 21890dacfcfe..22d0e40a1920 100644
+--- a/arch/x86/events/intel/lbr.c
++++ b/arch/x86/events/intel/lbr.c
+@@ -658,7 +658,6 @@ static inline bool branch_user_callstack(unsigned br_sel)
+ void intel_pmu_lbr_add(struct perf_event *event)
+ {
+-      struct kmem_cache *kmem_cache = event->pmu->task_ctx_cache;
+       struct cpu_hw_events *cpuc = this_cpu_ptr(&cpu_hw_events);
+       if (!x86_pmu.lbr_nr)
+@@ -696,11 +695,6 @@ void intel_pmu_lbr_add(struct perf_event *event)
+       perf_sched_cb_inc(event->ctx->pmu);
+       if (!cpuc->lbr_users++ && !event->total_time_running)
+               intel_pmu_lbr_reset();
+-
+-      if (static_cpu_has(X86_FEATURE_ARCH_LBR) &&
+-          kmem_cache && !cpuc->lbr_xsave &&
+-          (cpuc->lbr_users != cpuc->lbr_pebs_users))
+-              cpuc->lbr_xsave = kmem_cache_alloc(kmem_cache, GFP_KERNEL);
+ }
+ void release_lbr_buffers(void)
+@@ -721,6 +715,26 @@ void release_lbr_buffers(void)
+       }
+ }
++void reserve_lbr_buffers(void)
++{
++      struct kmem_cache *kmem_cache;
++      struct cpu_hw_events *cpuc;
++      int cpu;
++
++      if (!static_cpu_has(X86_FEATURE_ARCH_LBR))
++              return;
++
++      for_each_possible_cpu(cpu) {
++              cpuc = per_cpu_ptr(&cpu_hw_events, cpu);
++              kmem_cache = x86_get_pmu(cpu)->task_ctx_cache;
++              if (!kmem_cache || cpuc->lbr_xsave)
++                      continue;
++
++              cpuc->lbr_xsave = kmem_cache_alloc_node(kmem_cache, GFP_KERNEL,
++                                                      cpu_to_node(cpu));
++      }
++}
++
+ void intel_pmu_lbr_del(struct perf_event *event)
+ {
+       struct cpu_hw_events *cpuc = this_cpu_ptr(&cpu_hw_events);
+diff --git a/arch/x86/events/perf_event.h b/arch/x86/events/perf_event.h
+index 53b2b5fc23bc..7888266c76cd 100644
+--- a/arch/x86/events/perf_event.h
++++ b/arch/x86/events/perf_event.h
+@@ -1135,6 +1135,8 @@ void reserve_ds_buffers(void);
+ void release_lbr_buffers(void);
++void reserve_lbr_buffers(void);
++
+ extern struct event_constraint bts_constraint;
+ extern struct event_constraint vlbr_constraint;
+@@ -1282,6 +1284,10 @@ static inline void release_lbr_buffers(void)
+ {
+ }
++static inline void reserve_lbr_buffers(void)
++{
++}
++
+ static inline int intel_pmu_init(void)
+ {
+       return 0;
+-- 
+2.30.2
+
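Review bot: The new reserve_lbr_buffers() calls `x86_get_pmu(cpu)`, but judging by the index lines, the queue patch that changes the prototype from `x86_get_pmu(void)` to `x86_get_pmu(unsigned int cpu)` (perf-x86-track-pmu-in-per-cpu-cpu_hw_events.patch) applies on top of this one. If the series is applied in that order, the tree does not build between the two patches, which breaks bisection; the prototype change should come first in the series. Separately, the allocation result is not checked. If the users outside this hunk really do tolerate a NULL `cpuc->lbr_xsave`, document that, e.g. `/* Best effort: lbr_xsave stays NULL on failure. */`.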
diff --git a/queue-5.12/perf-x86-track-pmu-in-per-cpu-cpu_hw_events.patch b/queue-5.12/perf-x86-track-pmu-in-per-cpu-cpu_hw_events.patch
new file mode 100644 (file)
index 0000000..9dc724c
--- /dev/null
@@ -0,0 +1,192 @@
+From 7f6244d0c2091bcbf2080d8ee7794a3e0049462c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Apr 2021 07:30:43 -0700
+Subject: perf/x86: Track pmu in per-CPU cpu_hw_events
+
+From: Kan Liang <kan.liang@linux.intel.com>
+
+[ Upstream commit 61e76d53c39bb768ad264d379837cfc56b9e35b4 ]
+
+Some platforms, e.g. Alder Lake, have hybrid architecture. In the same
+package, there may be more than one type of CPU. The PMU capabilities
+are different among different types of CPU. Perf will register a
+dedicated PMU for each type of CPU.
+
+Add a 'pmu' variable in the struct cpu_hw_events to track the dedicated
+PMU of the current CPU.
+
+Current x86_get_pmu() use the global 'pmu', which will be broken on a
+hybrid platform. Modify it to apply the 'pmu' of the specific CPU.
+
+Initialize the per-CPU 'pmu' variable with the global 'pmu'. There is
+nothing changed for the non-hybrid platforms.
+
+The is_x86_event() will be updated in the later patch ("perf/x86:
+Register hybrid PMUs") for hybrid platforms. For the non-hybrid
+platforms, nothing is changed here.
+
+Suggested-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/1618237865-33448-4-git-send-email-kan.liang@linux.intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/core.c       | 17 +++++++++++++----
+ arch/x86/events/intel/core.c |  2 +-
+ arch/x86/events/intel/ds.c   |  4 ++--
+ arch/x86/events/intel/lbr.c  |  9 +++++----
+ arch/x86/events/perf_event.h |  4 +++-
+ 5 files changed, 24 insertions(+), 12 deletions(-)
+
+diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c
+index 10cadd73a8ac..7050a9ebd73f 100644
+--- a/arch/x86/events/core.c
++++ b/arch/x86/events/core.c
+@@ -45,9 +45,11 @@
+ #include "perf_event.h"
+ struct x86_pmu x86_pmu __read_mostly;
++static struct pmu pmu;
+ DEFINE_PER_CPU(struct cpu_hw_events, cpu_hw_events) = {
+       .enabled = 1,
++      .pmu = &pmu,
+ };
+ DEFINE_STATIC_KEY_FALSE(rdpmc_never_available_key);
+@@ -726,16 +728,23 @@ void x86_pmu_enable_all(int added)
+       }
+ }
+-static struct pmu pmu;
+-
+ static inline int is_x86_event(struct perf_event *event)
+ {
+       return event->pmu == &pmu;
+ }
+-struct pmu *x86_get_pmu(void)
++struct pmu *x86_get_pmu(unsigned int cpu)
+ {
+-      return &pmu;
++      struct cpu_hw_events *cpuc = &per_cpu(cpu_hw_events, cpu);
++
++      /*
++       * All CPUs of the hybrid type have been offline.
++       * The x86_get_pmu() should not be invoked.
++       */
++      if (WARN_ON_ONCE(!cpuc->pmu))
++              return &pmu;
++
++      return cpuc->pmu;
+ }
+ /*
+  * Event scheduler state:
+diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c
+index 4c18e7fb58f5..77fe4fece679 100644
+--- a/arch/x86/events/intel/core.c
++++ b/arch/x86/events/intel/core.c
+@@ -4879,7 +4879,7 @@ static void update_tfa_sched(void *ignored)
+        * and if so force schedule out for all event types all contexts
+        */
+       if (test_bit(3, cpuc->active_mask))
+-              perf_pmu_resched(x86_get_pmu());
++              perf_pmu_resched(x86_get_pmu(smp_processor_id()));
+ }
+ static ssize_t show_sysctl_tfa(struct device *cdev,
+diff --git a/arch/x86/events/intel/ds.c b/arch/x86/events/intel/ds.c
+index d32b302719fe..72df2f392c86 100644
+--- a/arch/x86/events/intel/ds.c
++++ b/arch/x86/events/intel/ds.c
+@@ -2192,7 +2192,7 @@ void __init intel_ds_init(void)
+                                       PERF_SAMPLE_TIME;
+                               x86_pmu.flags |= PMU_FL_PEBS_ALL;
+                               pebs_qual = "-baseline";
+-                              x86_get_pmu()->capabilities |= PERF_PMU_CAP_EXTENDED_REGS;
++                              x86_get_pmu(smp_processor_id())->capabilities |= PERF_PMU_CAP_EXTENDED_REGS;
+                       } else {
+                               /* Only basic record supported */
+                               x86_pmu.large_pebs_flags &=
+@@ -2207,7 +2207,7 @@ void __init intel_ds_init(void)
+                       if (x86_pmu.intel_cap.pebs_output_pt_available) {
+                               pr_cont("PEBS-via-PT, ");
+-                              x86_get_pmu()->capabilities |= PERF_PMU_CAP_AUX_OUTPUT;
++                              x86_get_pmu(smp_processor_id())->capabilities |= PERF_PMU_CAP_AUX_OUTPUT;
+                       }
+                       break;
+diff --git a/arch/x86/events/intel/lbr.c b/arch/x86/events/intel/lbr.c
+index 991715886246..c9cd6ce0fa2a 100644
+--- a/arch/x86/events/intel/lbr.c
++++ b/arch/x86/events/intel/lbr.c
+@@ -699,7 +699,7 @@ void intel_pmu_lbr_add(struct perf_event *event)
+ void release_lbr_buffers(void)
+ {
+-      struct kmem_cache *kmem_cache = x86_get_pmu()->task_ctx_cache;
++      struct kmem_cache *kmem_cache;
+       struct cpu_hw_events *cpuc;
+       int cpu;
+@@ -708,6 +708,7 @@ void release_lbr_buffers(void)
+       for_each_possible_cpu(cpu) {
+               cpuc = per_cpu_ptr(&cpu_hw_events, cpu);
++              kmem_cache = x86_get_pmu(cpu)->task_ctx_cache;
+               if (kmem_cache && cpuc->lbr_xsave) {
+                       kmem_cache_free(kmem_cache, cpuc->lbr_xsave);
+                       cpuc->lbr_xsave = NULL;
+@@ -1624,7 +1625,7 @@ void intel_pmu_lbr_init_hsw(void)
+       x86_pmu.lbr_sel_mask = LBR_SEL_MASK;
+       x86_pmu.lbr_sel_map  = hsw_lbr_sel_map;
+-      x86_get_pmu()->task_ctx_cache = create_lbr_kmem_cache(size, 0);
++      x86_get_pmu(smp_processor_id())->task_ctx_cache = create_lbr_kmem_cache(size, 0);
+       if (lbr_from_signext_quirk_needed())
+               static_branch_enable(&lbr_from_quirk_key);
+@@ -1644,7 +1645,7 @@ __init void intel_pmu_lbr_init_skl(void)
+       x86_pmu.lbr_sel_mask = LBR_SEL_MASK;
+       x86_pmu.lbr_sel_map  = hsw_lbr_sel_map;
+-      x86_get_pmu()->task_ctx_cache = create_lbr_kmem_cache(size, 0);
++      x86_get_pmu(smp_processor_id())->task_ctx_cache = create_lbr_kmem_cache(size, 0);
+       /*
+        * SW branch filter usage:
+@@ -1741,7 +1742,7 @@ static bool is_arch_lbr_xsave_available(void)
+ void __init intel_pmu_arch_lbr_init(void)
+ {
+-      struct pmu *pmu = x86_get_pmu();
++      struct pmu *pmu = x86_get_pmu(smp_processor_id());
+       union cpuid28_eax eax;
+       union cpuid28_ebx ebx;
+       union cpuid28_ecx ecx;
+diff --git a/arch/x86/events/perf_event.h b/arch/x86/events/perf_event.h
+index 7888266c76cd..35cdece5644f 100644
+--- a/arch/x86/events/perf_event.h
++++ b/arch/x86/events/perf_event.h
+@@ -327,6 +327,8 @@ struct cpu_hw_events {
+       int                             n_pair; /* Large increment events */
+       void                            *kfree_on_online[X86_PERF_KFREE_MAX];
++
++      struct pmu                      *pmu;
+ };
+ #define __EVENT_CONSTRAINT_RANGE(c, e, n, m, w, o, f) {       \
+@@ -905,7 +907,7 @@ static struct perf_pmu_events_ht_attr event_attr_##v = {           \
+       .event_str_ht   = ht,                                           \
+ }
+-struct pmu *x86_get_pmu(void);
++struct pmu *x86_get_pmu(unsigned int cpu);
+ extern struct x86_pmu x86_pmu __read_mostly;
+ static __always_inline struct x86_perf_task_context_opt *task_context_opt(void *ctx)
+-- 
+2.30.2
+
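Review bot: The fallback in x86_get_pmu() looks unreachable in this patch: every per-CPU `cpu_hw_events` is initialised with `.pmu = &pmu` and nothing in these hunks stores NULL, so the `WARN_ON_ONCE(!cpuc->pmu)` branch appears to prepare for the later hybrid-PMU patch the commit message mentions. The comment above it should say so, for instance `/* cpuc->pmu is expected to be NULL only after hybrid PMUs are registered and all CPUs of a type are offline; warn and fall back to the global pmu. */`. The converted callers pass `smp_processor_id()`, and the hunks do not show whether all of them run with preemption disabled. intel_pmu_lbr_init_hsw() in particular is not marked __init like its neighbours, so that is worth confirming.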
diff --git a/queue-5.12/ping-check-return-value-of-function-ping_queue_rcv_s.patch b/queue-5.12/ping-check-return-value-of-function-ping_queue_rcv_s.patch
new file mode 100644 (file)
index 0000000..2813a5c
--- /dev/null
@@ -0,0 +1,56 @@
+From aff098ddff139a0df605400a4f8fe048a292bd86 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jun 2021 09:41:36 +0800
+Subject: ping: Check return value of function 'ping_queue_rcv_skb'
+
+From: Zheng Yongjun <zhengyongjun3@huawei.com>
+
+[ Upstream commit 9d44fa3e50cc91691896934d106c86e4027e61ca ]
+
+Function 'ping_queue_rcv_skb' not always return success, which will
+also return fail. If not check the wrong return value of it, lead to function
+`ping_rcv` return success.
+
+Signed-off-by: Zheng Yongjun <zhengyongjun3@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/ping.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
+index 8b943f85fff9..ea22768f76b8 100644
+--- a/net/ipv4/ping.c
++++ b/net/ipv4/ping.c
+@@ -952,6 +952,7 @@ bool ping_rcv(struct sk_buff *skb)
+       struct sock *sk;
+       struct net *net = dev_net(skb->dev);
+       struct icmphdr *icmph = icmp_hdr(skb);
++      bool rc = false;
+       /* We assume the packet has already been checked by icmp_rcv */
+@@ -966,14 +967,15 @@ bool ping_rcv(struct sk_buff *skb)
+               struct sk_buff *skb2 = skb_clone(skb, GFP_ATOMIC);
+               pr_debug("rcv on socket %p\n", sk);
+-              if (skb2)
+-                      ping_queue_rcv_skb(sk, skb2);
++              if (skb2 && !ping_queue_rcv_skb(sk, skb2))
++                      rc = true;
+               sock_put(sk);
+-              return true;
+       }
+-      pr_debug("no socket, dropping\n");
+-      return false;
++      if (!rc)
++              pr_debug("no socket, dropping\n");
++
++      return rc;
+ }
+ EXPORT_SYMBOL_GPL(ping_rcv);
+-- 
+2.30.2
+
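Review bot: After this change the `pr_debug("no socket, dropping\n")` at the end of ping_rcv() also fires when a socket was found but skb_clone() returned NULL or ping_queue_rcv_skb() failed, because it is now keyed on `rc` instead of on the lookup result. The message then names the wrong cause. Moving it into an `else` of the socket check and logging the failure separately before `sock_put(sk)`, e.g. `pr_debug("queueing to socket %p failed\n", sk);`, keeps the debug output accurate. The socket lookup and the opening of the `if` block are outside the hunk.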
diff --git a/queue-5.12/qmi_wwan-do-not-call-netif_rx-from-rx_fixup.patch b/queue-5.12/qmi_wwan-do-not-call-netif_rx-from-rx_fixup.patch
new file mode 100644 (file)
index 0000000..f6b1e84
--- /dev/null
@@ -0,0 +1,47 @@
+From 1c8b1cad219f6a92497835e76f99048bcd42dda0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jun 2021 12:01:51 +0200
+Subject: qmi_wwan: Do not call netif_rx from rx_fixup
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kristian Evensen <kristian.evensen@gmail.com>
+
+[ Upstream commit 057d49334c02a79af81c30a8d240e641bd6f1741 ]
+
+When the QMI_WWAN_FLAG_PASS_THROUGH is set, netif_rx() is called from
+qmi_wwan_rx_fixup(). When the call to netif_rx() is successful (which is
+most of the time), usbnet_skb_return() is called (from rx_process()).
+usbnet_skb_return() will then call netif_rx() a second time for the same
+skb.
+
+Simplify the code and avoid the redundant netif_rx() call by changing
+qmi_wwan_rx_fixup() to always return 1 when QMI_WWAN_FLAG_PASS_THROUGH
+is set. We then leave it up to the existing infrastructure to call
+netif_rx().
+
+Suggested-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/qmi_wwan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
+index 6700f1970b24..bc55ec739af9 100644
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -575,7 +575,7 @@ static int qmi_wwan_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
+       if (info->flags & QMI_WWAN_FLAG_PASS_THROUGH) {
+               skb->protocol = htons(ETH_P_MAP);
+-              return (netif_rx(skb) == NET_RX_SUCCESS);
++              return 1;
+       }
+       switch (skb->data[0] & 0xf0) {
+-- 
+2.30.2
+
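Review bot: The bare `return 1;` in the QMI_WWAN_FLAG_PASS_THROUGH branch of qmi_wwan_rx_fixup gives no hint of why the skb must not be delivered here, and the removed line shows how easily a second `netif_rx()` on the same skb creeps in. A short comment above the return would record the contract described in the commit message: `/* usbnet delivers the skb via usbnet_skb_return(); calling netif_rx() here would queue it twice */`. The rest of qmi_wwan_rx_fixup lies outside the hunk.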
diff --git a/queue-5.12/r8152-avoid-memcpy-over-reading-of-eth_ss_stats.patch b/queue-5.12/r8152-avoid-memcpy-over-reading-of-eth_ss_stats.patch
new file mode 100644 (file)
index 0000000..9ada93a
--- /dev/null
@@ -0,0 +1,40 @@
+From 986d8d851151077db48a0a712018a6d41da2f72c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 12:53:03 -0700
+Subject: r8152: Avoid memcpy() over-reading of ETH_SS_STATS
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 99718abdc00e86e4f286dd836408e2834886c16e ]
+
+In preparation for FORTIFY_SOURCE performing compile-time and run-time
+field bounds checking for memcpy(), memmove(), and memset(), avoid
+intentionally reading across neighboring array fields.
+
+The memcpy() is copying the entire structure, not just the first array.
+Adjust the source argument so the compiler can do appropriate bounds
+checking.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/r8152.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
+index 20fb5638ac65..23fae943a119 100644
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -6078,7 +6078,7 @@ static void rtl8152_get_strings(struct net_device *dev, u32 stringset, u8 *data)
+ {
+       switch (stringset) {
+       case ETH_SS_STATS:
+-              memcpy(data, *rtl8152_gstrings, sizeof(rtl8152_gstrings));
++              memcpy(data, rtl8152_gstrings, sizeof(rtl8152_gstrings));
+               break;
+       }
+ }
+-- 
+2.30.2
+
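Review bot: The length in `memcpy(data, rtl8152_gstrings, sizeof(rtl8152_gstrings));` still comes from the source table alone, while `data` arrives as a bare `u8 *` with no size, so the write stays in bounds only if the caller sized the buffer from the same table. That sizing happens outside this hunk, presumably through the driver's get_sset_count callback. A comment tying the two together would make the invariant reviewable: `/* data is sized by the ethtool core as get_sset_count(ETH_SS_STATS) * ETH_GSTRING_LEN */`. The same applies to the r8169 (`rtl8169_get_strings`) and sh_eth (`sh_eth_get_strings`) hunks on this page.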
diff --git a/queue-5.12/r8169-avoid-memcpy-over-reading-of-eth_ss_stats.patch b/queue-5.12/r8169-avoid-memcpy-over-reading-of-eth_ss_stats.patch
new file mode 100644 (file)
index 0000000..3427671
--- /dev/null
@@ -0,0 +1,40 @@
+From d9aade58c9c392d8cda3bc8dae06922a159c8058 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 12:53:59 -0700
+Subject: r8169: Avoid memcpy() over-reading of ETH_SS_STATS
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit da5ac772cfe2a03058b0accfac03fad60c46c24d ]
+
+In preparation for FORTIFY_SOURCE performing compile-time and run-time
+field bounds checking for memcpy(), memmove(), and memset(), avoid
+intentionally reading across neighboring array fields.
+
+The memcpy() is copying the entire structure, not just the first array.
+Adjust the source argument so the compiler can do appropriate bounds
+checking.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/realtek/r8169_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c
+index 1df2c002c9f6..f7a56e05ec8a 100644
+--- a/drivers/net/ethernet/realtek/r8169_main.c
++++ b/drivers/net/ethernet/realtek/r8169_main.c
+@@ -1673,7 +1673,7 @@ static void rtl8169_get_strings(struct net_device *dev, u32 stringset, u8 *data)
+ {
+       switch(stringset) {
+       case ETH_SS_STATS:
+-              memcpy(data, *rtl8169_gstrings, sizeof(rtl8169_gstrings));
++              memcpy(data, rtl8169_gstrings, sizeof(rtl8169_gstrings));
+               break;
+       }
+ }
+-- 
+2.30.2
+
diff --git a/queue-5.12/recordmcount-correct-st_shndx-handling.patch b/queue-5.12/recordmcount-correct-st_shndx-handling.patch
new file mode 100644 (file)
index 0000000..ecc9151
--- /dev/null
@@ -0,0 +1,61 @@
+From 7e6a3d256fae82c9748d1c22b993a72f3cac5315 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 23:41:26 +0800
+Subject: recordmcount: Correct st_shndx handling
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit fb780761e7bd9f2e94f5b9a296ead6b35b944206 ]
+
+One should only use st_shndx when >SHN_UNDEF and <SHN_LORESERVE. When
+SHN_XINDEX, then use .symtab_shndx. Otherwise use 0.
+
+This handles the case: st_shndx >= SHN_LORESERVE && st_shndx != SHN_XINDEX.
+
+Link: https://lore.kernel.org/lkml/20210607023839.26387-1-mark-pk.tsai@mediatek.com/
+Link: https://lkml.kernel.org/r/20210616154126.2794-1-mark-pk.tsai@mediatek.com
+
+Reported-by: Mark-PK Tsai <mark-pk.tsai@mediatek.com>
+Tested-by: Mark-PK Tsai <mark-pk.tsai@mediatek.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+[handle endianness of sym->st_shndx]
+Signed-off-by: Mark-PK Tsai <mark-pk.tsai@mediatek.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/recordmcount.h | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/scripts/recordmcount.h b/scripts/recordmcount.h
+index f9b19524da11..1e9baa5c4fc6 100644
+--- a/scripts/recordmcount.h
++++ b/scripts/recordmcount.h
+@@ -192,15 +192,20 @@ static unsigned int get_symindex(Elf_Sym const *sym, Elf32_Word const *symtab,
+                                Elf32_Word const *symtab_shndx)
+ {
+       unsigned long offset;
++      unsigned short shndx = w2(sym->st_shndx);
+       int index;
+-      if (sym->st_shndx != SHN_XINDEX)
+-              return w2(sym->st_shndx);
++      if (shndx > SHN_UNDEF && shndx < SHN_LORESERVE)
++              return shndx;
+-      offset = (unsigned long)sym - (unsigned long)symtab;
+-      index = offset / sizeof(*sym);
++      if (shndx == SHN_XINDEX) {
++              offset = (unsigned long)sym - (unsigned long)symtab;
++              index = offset / sizeof(*sym);
+-      return w(symtab_shndx[index]);
++              return w(symtab_shndx[index]);
++      }
++
++      return 0;
+ }
+ static unsigned int get_shnum(Elf_Ehdr const *ehdr, Elf_Shdr const *shdr0)
+-- 
+2.30.2
+
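Review bot: In the new `shndx == SHN_XINDEX` branch of get_symindex, `symtab_shndx[index]` is read without checking that a .symtab_shndx table was found or that `index` falls inside it. Whether the caller can pass a NULL `symtab_shndx` is not visible in this hunk, but an object file whose symbol claims SHN_XINDEX without carrying that section would then crash the tool rather than take the new `return 0` fallback. Guarding the branch with `if (shndx == SHN_XINDEX && symtab_shndx) {` keeps the fallback reachable for that input. `index` is also an `int` derived from an `unsigned long` offset, so making it `unsigned long` would avoid a sign surprise on large symbol tables.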
diff --git a/queue-5.12/riscv-dts-fu740-fix-cache-controller-interrupts.patch b/queue-5.12/riscv-dts-fu740-fix-cache-controller-interrupts.patch
new file mode 100644 (file)
index 0000000..0d759bf
--- /dev/null
@@ -0,0 +1,42 @@
+From 88108a67f70e5a37ed107c7e12902f53b2fe7286 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Jun 2021 17:43:57 -0700
+Subject: riscv: dts: fu740: fix cache-controller interrupts
+
+From: David Abdurachmanov <david.abdurachmanov@sifive.com>
+
+[ Upstream commit 7ede12b01b59dc67bef2e2035297dd2da5bfe427 ]
+
+The order of interrupt numbers is incorrect.
+
+The order for FU740 is: DirError, DataError, DataFail, DirFail
+
+From SiFive FU740-C000 Manual:
+19 - L2 Cache DirError
+20 - L2 Cache DirFail
+21 - L2 Cache DataError
+22 - L2 Cache DataFail
+
+Signed-off-by: David Abdurachmanov <david.abdurachmanov@sifive.com>
+Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/boot/dts/sifive/fu740-c000.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/riscv/boot/dts/sifive/fu740-c000.dtsi b/arch/riscv/boot/dts/sifive/fu740-c000.dtsi
+index eeb4f8c3e0e7..d0d206cdb999 100644
+--- a/arch/riscv/boot/dts/sifive/fu740-c000.dtsi
++++ b/arch/riscv/boot/dts/sifive/fu740-c000.dtsi
+@@ -272,7 +272,7 @@ ccache: cache-controller@2010000 {
+                       cache-size = <2097152>;
+                       cache-unified;
+                       interrupt-parent = <&plic0>;
+-                      interrupts = <19 20 21 22>;
++                      interrupts = <19 21 22 20>;
+                       reg = <0x0 0x2010000 0x0 0x1000>;
+               };
+               gpio: gpio@10060000 {
+-- 
+2.30.2
+
diff --git a/queue-5.12/riscv32-use-medany-c-model-for-modules.patch b/queue-5.12/riscv32-use-medany-c-model-for-modules.patch
new file mode 100644 (file)
index 0000000..6510d30
--- /dev/null
@@ -0,0 +1,39 @@
+From c3ae5941e43847c16eba763586051770b648c410 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Jun 2021 15:09:40 -0700
+Subject: riscv32: Use medany C model for modules
+
+From: Khem Raj <raj.khem@gmail.com>
+
+[ Upstream commit 5d2388dbf84adebeb6d9742164be8d32728e4269 ]
+
+When CONFIG_CMODEL_MEDLOW is used it ends up generating riscv_hi20_rela
+relocations in modules which are not resolved during runtime and
+following errors would be seen
+
+[    4.802714] virtio_input: target 00000000c1539090 can not be addressed by the 32-bit offset from PC = 39148b7b
+[    4.854800] virtio_input: target 00000000c1539090 can not be addressed by the 32-bit offset from PC = 9774456d
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/riscv/Makefile b/arch/riscv/Makefile
+index 5243bf2327c0..a5ee34117321 100644
+--- a/arch/riscv/Makefile
++++ b/arch/riscv/Makefile
+@@ -16,7 +16,7 @@ ifeq ($(CONFIG_DYNAMIC_FTRACE),y)
+       CC_FLAGS_FTRACE := -fpatchable-function-entry=8
+ endif
+-ifeq ($(CONFIG_64BIT)$(CONFIG_CMODEL_MEDLOW),yy)
++ifeq ($(CONFIG_CMODEL_MEDLOW),y)
+ KBUILD_CFLAGS_MODULE += -mcmodel=medany
+ endif
+-- 
+2.30.2
+
index 705e7a660a69ff76546cf5153e4bcaa6be1a5a1f..ffec29c423c7bede5faec265353ceeb1519eab81 100644 (file)
@@ -10,3 +10,52 @@ mmc-meson-gx-use-memcpy_to-fromio-for-dram-access-quirk.patch
 psi-fix-psi-state-corruption-when-schedule-races-with-cgroup-move.patch
 spi-spi-nxp-fspi-move-the-register-operation-after-t.patch
 revert-pci-pm-do-not-read-power-state-in-pci_enable_.patch
+drm-vc4-hdmi-move-the-hsm-clock-enable-to-runtime_pm.patch
+drm-vc4-hdmi-make-sure-the-controller-is-powered-in-.patch
+x86-entry-fix-noinstr-fail-in-__do_fast_syscall_32.patch
+x86-xen-fix-noinstr-fail-in-xen_pv_evtchn_do_upcall.patch
+x86-xen-fix-noinstr-fail-in-exc_xen_unknown_trap.patch
+locking-lockdep-improve-noinstr-vs-errors.patch
+drm-kmb-fix-error-return-code-in-kmb_hw_init.patch
+perf-x86-lbr-remove-cpuc-lbr_xsave-allocation-from-a.patch
+perf-x86-intel-lbr-zero-the-xstate-buffer-on-allocat.patch
+dmaengine-zynqmp_dma-fix-pm-reference-leak-in-zynqmp.patch
+dmaengine-stm32-mdma-fix-pm-reference-leak-in-stm32_.patch
+dmaengine-xilinx-dpdma-add-missing-dependencies-to-k.patch
+dmaengine-xilinx-dpdma-limit-descriptor-ids-to-16-bi.patch
+mac80211-remove-warning-in-ieee80211_get_sband.patch
+mac80211_hwsim-drop-pending-frames-on-stop.patch
+cfg80211-call-cfg80211_leave_ocb-when-switching-away.patch
+dmaengine-idxd-fix-missing-error-code-in-idxd_cdev_o.patch
+dmaengine-rcar-dmac-fix-pm-reference-leak-in-rcar_dm.patch
+dmaengine-mediatek-free-the-proper-desc-in-desc_free.patch
+dmaengine-mediatek-do-not-issue-a-new-desc-if-one-is.patch
+dmaengine-mediatek-use-gfp_nowait-instead-of-gfp_ato.patch
+net-ipv4-remove-unneed-bug-function.patch
+mac80211-drop-multicast-fragments.patch
+net-ethtool-clear-heap-allocations-for-ethtool-funct.patch
+inet-annotate-data-race-in-inet_send_prepare-and-ine.patch
+ping-check-return-value-of-function-ping_queue_rcv_s.patch
+net-annotate-data-race-in-sock_error.patch
+inet-annotate-date-races-around-sk-sk_txhash.patch
+net-packet-annotate-data-race-in-packet_sendmsg.patch
+net-phy-dp83867-perform-soft-reset-and-retain-establ.patch
+riscv32-use-medany-c-model-for-modules.patch
+net-caif-fix-memory-leak-in-ldisc_open.patch
+bpf-selftests-adjust-few-selftest-outcomes-wrt-unrea.patch
+qmi_wwan-do-not-call-netif_rx-from-rx_fixup.patch
+net-packet-annotate-accesses-to-po-bind.patch
+net-packet-annotate-accesses-to-po-ifindex.patch
+r8152-avoid-memcpy-over-reading-of-eth_ss_stats.patch
+sh_eth-avoid-memcpy-over-reading-of-eth_ss_stats.patch
+r8169-avoid-memcpy-over-reading-of-eth_ss_stats.patch
+kvm-selftests-fix-kvm_check_cap-assertion.patch
+net-qed-fix-memcpy-overflow-of-qed_dcbx_params.patch
+mac80211-reset-profile_periodicity-ema_ap.patch
+mac80211-handle-various-extensible-elements-correctl.patch
+recordmcount-correct-st_shndx-handling.patch
+pci-add-amd-rs690-quirk-to-enable-64-bit-dma.patch
+net-ll_temac-add-memory-barriers-for-tx-bd-access.patch
+net-ll_temac-avoid-ndo_start_xmit-returning-netdev_t.patch
+riscv-dts-fu740-fix-cache-controller-interrupts.patch
+perf-x86-track-pmu-in-per-cpu-cpu_hw_events.patch
diff --git a/queue-5.12/sh_eth-avoid-memcpy-over-reading-of-eth_ss_stats.patch b/queue-5.12/sh_eth-avoid-memcpy-over-reading-of-eth_ss_stats.patch
new file mode 100644 (file)
index 0000000..8877121
--- /dev/null
@@ -0,0 +1,40 @@
+From 13d464baae121ccaedd2a81002bef0c08cfa6353 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 12:53:33 -0700
+Subject: sh_eth: Avoid memcpy() over-reading of ETH_SS_STATS
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 224004fbb033600715dbd626bceec10bfd9c58bc ]
+
+In preparation for FORTIFY_SOURCE performing compile-time and run-time
+field bounds checking for memcpy(), memmove(), and memset(), avoid
+intentionally reading across neighboring array fields.
+
+The memcpy() is copying the entire structure, not just the first array.
+Adjust the source argument so the compiler can do appropriate bounds
+checking.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/renesas/sh_eth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c
+index f029c7c03804..393cf99856ed 100644
+--- a/drivers/net/ethernet/renesas/sh_eth.c
++++ b/drivers/net/ethernet/renesas/sh_eth.c
+@@ -2287,7 +2287,7 @@ static void sh_eth_get_strings(struct net_device *ndev, u32 stringset, u8 *data)
+ {
+       switch (stringset) {
+       case ETH_SS_STATS:
+-              memcpy(data, *sh_eth_gstrings_stats,
++              memcpy(data, sh_eth_gstrings_stats,
+                      sizeof(sh_eth_gstrings_stats));
+               break;
+       }
+-- 
+2.30.2
+
diff --git a/queue-5.12/x86-entry-fix-noinstr-fail-in-__do_fast_syscall_32.patch b/queue-5.12/x86-entry-fix-noinstr-fail-in-__do_fast_syscall_32.patch
new file mode 100644 (file)
index 0000000..577caf4
--- /dev/null
@@ -0,0 +1,39 @@
+From f94f91870d129dd82d05f6fd4aa3344cf3397142 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jun 2021 13:12:34 +0200
+Subject: x86/entry: Fix noinstr fail in __do_fast_syscall_32()
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit 240001d4e3041832e8a2654adc3ccf1683132b92 ]
+
+Fix:
+
+  vmlinux.o: warning: objtool: __do_fast_syscall_32()+0xf5: call to trace_hardirqs_off() leaves .noinstr.text section
+
+Fixes: 5d5675df792f ("x86/entry: Fix entry/exit mismatch on failed fast 32-bit syscalls")
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Link: https://lore.kernel.org/r/20210621120120.467898710@infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/entry/common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c
+index 4efd39aacb9f..cbe19c87e6be 100644
+--- a/arch/x86/entry/common.c
++++ b/arch/x86/entry/common.c
+@@ -127,8 +127,8 @@ static noinstr bool __do_fast_syscall_32(struct pt_regs *regs)
+               /* User code screwed up. */
+               regs->ax = -EFAULT;
+-              instrumentation_end();
+               local_irq_disable();
++              instrumentation_end();
+               irqentry_exit_to_user_mode(regs);
+               return false;
+       }
+-- 
+2.30.2
+
diff --git a/queue-5.12/x86-xen-fix-noinstr-fail-in-exc_xen_unknown_trap.patch b/queue-5.12/x86-xen-fix-noinstr-fail-in-exc_xen_unknown_trap.patch
new file mode 100644 (file)
index 0000000..b5d9eaa
--- /dev/null
@@ -0,0 +1,40 @@
+From 2e835d816494c32f1ec2d25d01ba06bc957dcce4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jun 2021 13:12:36 +0200
+Subject: x86/xen: Fix noinstr fail in exc_xen_unknown_trap()
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit 4c9c26f1e67648f41f28f8c997c5c9467a3dbbe4 ]
+
+Fix:
+
+  vmlinux.o: warning: objtool: exc_xen_unknown_trap()+0x7: call to printk() leaves .noinstr.text section
+
+Fixes: 2e92493637a0 ("x86/xen: avoid warning in Xen pv guest with CONFIG_AMD_MEM_ENCRYPT enabled")
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Link: https://lore.kernel.org/r/20210621120120.606560778@infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/xen/enlighten_pv.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/x86/xen/enlighten_pv.c b/arch/x86/xen/enlighten_pv.c
+index 8183ddb3700c..64db5852432e 100644
+--- a/arch/x86/xen/enlighten_pv.c
++++ b/arch/x86/xen/enlighten_pv.c
+@@ -592,8 +592,10 @@ DEFINE_IDTENTRY_RAW(xenpv_exc_debug)
+ DEFINE_IDTENTRY_RAW(exc_xen_unknown_trap)
+ {
+       /* This should never happen and there is no way to handle it. */
++      instrumentation_begin();
+       pr_err("Unknown trap in Xen PV mode.");
+       BUG();
++      instrumentation_end();
+ }
+ #ifdef CONFIG_X86_MCE
+-- 
+2.30.2
+
diff --git a/queue-5.12/x86-xen-fix-noinstr-fail-in-xen_pv_evtchn_do_upcall.patch b/queue-5.12/x86-xen-fix-noinstr-fail-in-xen_pv_evtchn_do_upcall.patch
new file mode 100644 (file)
index 0000000..05b1e8c
--- /dev/null
@@ -0,0 +1,47 @@
+From e3cc00c50618d188dcc71157f9e96d5a7c7ec50f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jun 2021 13:12:35 +0200
+Subject: x86/xen: Fix noinstr fail in xen_pv_evtchn_do_upcall()
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit 84e60065df9ef03759115a7e48c04bbc0d292165 ]
+
+Fix:
+
+  vmlinux.o: warning: objtool: xen_pv_evtchn_do_upcall()+0x23: call to irq_enter_rcu() leaves .noinstr.text section
+
+Fixes: 359f01d1816f ("x86/entry: Use run_sysvec_on_irqstack_cond() for XEN upcall")
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Link: https://lore.kernel.org/r/20210621120120.532960208@infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/entry/common.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c
+index cbe19c87e6be..8767dc53b569 100644
+--- a/arch/x86/entry/common.c
++++ b/arch/x86/entry/common.c
+@@ -266,15 +266,16 @@ __visible noinstr void xen_pv_evtchn_do_upcall(struct pt_regs *regs)
+       irqentry_state_t state = irqentry_enter(regs);
+       bool inhcall;
++      instrumentation_begin();
+       run_sysvec_on_irqstack_cond(__xen_pv_evtchn_do_upcall, regs);
+       inhcall = get_and_clear_inhcall();
+       if (inhcall && !WARN_ON_ONCE(state.exit_rcu)) {
+-              instrumentation_begin();
+               irqentry_exit_cond_resched();
+               instrumentation_end();
+               restore_inhcall(inhcall);
+       } else {
++              instrumentation_end();
+               irqentry_exit(regs, state);
+       }
+ }
+-- 
+2.30.2
+