Fixes for 4.19
authorSasha Levin <sashal@kernel.org>
Sun, 15 Aug 2021 12:52:58 +0000 (08:52 -0400)
committerSasha Levin <sashal@kernel.org>
Sun, 15 Aug 2021 12:52:58 +0000 (08:52 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
19 files changed:
queue-4.19/asoc-cs42l42-correct-definition-of-adc-volume-contro.patch [new file with mode: 0644]
queue-4.19/asoc-cs42l42-don-t-allow-snd_soc_daifmt_left_j.patch [new file with mode: 0644]
queue-4.19/asoc-cs42l42-fix-inversion-of-adc-notch-switch-contr.patch [new file with mode: 0644]
queue-4.19/asoc-cs42l42-fix-lrclk-frame-start-edge.patch [new file with mode: 0644]
queue-4.19/asoc-cs42l42-remove-duplicate-control-for-wnf-filter.patch [new file with mode: 0644]
queue-4.19/ieee802154-hwsim-fix-gpf-in-hwsim_new_edge_nl.patch [new file with mode: 0644]
queue-4.19/ieee802154-hwsim-fix-gpf-in-hwsim_set_edge_lqi.patch [new file with mode: 0644]
queue-4.19/net-bridge-fix-memleak-in-br_add_if.patch [new file with mode: 0644]
queue-4.19/net-dsa-lan9303-fix-broken-backpressure-in-.port_fdb.patch [new file with mode: 0644]
queue-4.19/net-dsa-mt7530-add-the-missing-rxunicast-mib-counter.patch [new file with mode: 0644]
queue-4.19/net-fix-memory-leak-in-ieee802154_raw_deliver.patch [new file with mode: 0644]
queue-4.19/net-igmp-fix-data-race-in-igmp_ifc_timer_expire.patch [new file with mode: 0644]
queue-4.19/net-igmp-increase-size-of-mr_ifc_count.patch [new file with mode: 0644]
queue-4.19/ppp-fix-generating-ifname-when-empty-ifla_ifname-is-.patch [new file with mode: 0644]
queue-4.19/psample-add-a-fwd-declaration-for-skbuff.patch [new file with mode: 0644]
queue-4.19/series
queue-4.19/tcp_bbr-fix-u32-wrap-bug-in-round-logic-if-bbr_init-.patch [new file with mode: 0644]
queue-4.19/vsock-virtio-avoid-potential-deadlock-when-vsock-dev.patch [new file with mode: 0644]
queue-4.19/xen-events-fix-race-in-set_evtchn_to_irq.patch [new file with mode: 0644]

diff --git a/queue-4.19/asoc-cs42l42-correct-definition-of-adc-volume-contro.patch b/queue-4.19/asoc-cs42l42-correct-definition-of-adc-volume-contro.patch
new file mode 100644 (file)
index 0000000..8bb568b
--- /dev/null
@@ -0,0 +1,49 @@
+From c574aa9e0050510e99089c581f7400d21ac36109 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Jul 2021 18:09:27 +0100
+Subject: ASoC: cs42l42: Correct definition of ADC Volume control
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit ee86f680ff4c9b406d49d4e22ddf10805b8a2137 ]
+
+The ADC volume is a signed 8-bit number with range -97 to +12,
+with -97 being mute. Use a SOC_SINGLE_S8_TLV() to define this
+and fix the DECLARE_TLV_DB_SCALE() to have the correct start and
+mute flag.
+
+Fixes: 2c394ca79604 ("ASoC: Add support for CS42L42 codec")
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Link: https://lore.kernel.org/r/20210729170929.6589-1-rf@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/cs42l42.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/sound/soc/codecs/cs42l42.c b/sound/soc/codecs/cs42l42.c
+index fddfd227a9c0..6a58c666776a 100644
+--- a/sound/soc/codecs/cs42l42.c
++++ b/sound/soc/codecs/cs42l42.c
+@@ -404,7 +404,7 @@ static const struct regmap_config cs42l42_regmap = {
+       .cache_type = REGCACHE_RBTREE,
+ };
+-static DECLARE_TLV_DB_SCALE(adc_tlv, -9600, 100, false);
++static DECLARE_TLV_DB_SCALE(adc_tlv, -9700, 100, true);
+ static DECLARE_TLV_DB_SCALE(mixer_tlv, -6300, 100, true);
+ static const char * const cs42l42_hpf_freq_text[] = {
+@@ -443,8 +443,7 @@ static const struct snd_kcontrol_new cs42l42_snd_controls[] = {
+                               CS42L42_ADC_INV_SHIFT, true, false),
+       SOC_SINGLE("ADC Boost Switch", CS42L42_ADC_CTL,
+                               CS42L42_ADC_DIG_BOOST_SHIFT, true, false),
+-      SOC_SINGLE_SX_TLV("ADC Volume", CS42L42_ADC_VOLUME,
+-                              CS42L42_ADC_VOL_SHIFT, 0xA0, 0x6C, adc_tlv),
++      SOC_SINGLE_S8_TLV("ADC Volume", CS42L42_ADC_VOLUME, -97, 12, adc_tlv),
+       SOC_SINGLE("ADC WNF Switch", CS42L42_ADC_WNF_HPF_CTL,
+                               CS42L42_ADC_WNF_EN_SHIFT, true, false),
+       SOC_SINGLE("ADC HPF Switch", CS42L42_ADC_WNF_HPF_CTL,
+-- 
+2.30.2
+
diff --git a/queue-4.19/asoc-cs42l42-don-t-allow-snd_soc_daifmt_left_j.patch b/queue-4.19/asoc-cs42l42-don-t-allow-snd_soc_daifmt_left_j.patch
new file mode 100644 (file)
index 0000000..d9e1d27
--- /dev/null
@@ -0,0 +1,36 @@
+From 59b838e9e1cc1e57d95dabdc4517f06fcfc16841 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Jul 2021 18:09:28 +0100
+Subject: ASoC: cs42l42: Don't allow SND_SOC_DAIFMT_LEFT_J
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit 64324bac750b84ca54711fb7d332132fcdb87293 ]
+
+The driver has no support for left-justified protocol so it should
+not have been allowing this to be passed to cs42l42_set_dai_fmt().
+
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Fixes: 2c394ca79604 ("ASoC: Add support for CS42L42 codec")
+Link: https://lore.kernel.org/r/20210729170929.6589-2-rf@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/cs42l42.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/sound/soc/codecs/cs42l42.c b/sound/soc/codecs/cs42l42.c
+index 6a58c666776a..ca6541ac59e1 100644
+--- a/sound/soc/codecs/cs42l42.c
++++ b/sound/soc/codecs/cs42l42.c
+@@ -773,7 +773,6 @@ static int cs42l42_set_dai_fmt(struct snd_soc_dai *codec_dai, unsigned int fmt)
+       /* interface format */
+       switch (fmt & SND_SOC_DAIFMT_FORMAT_MASK) {
+       case SND_SOC_DAIFMT_I2S:
+-      case SND_SOC_DAIFMT_LEFT_J:
+               break;
+       default:
+               return -EINVAL;
+-- 
+2.30.2
+
diff --git a/queue-4.19/asoc-cs42l42-fix-inversion-of-adc-notch-switch-contr.patch b/queue-4.19/asoc-cs42l42-fix-inversion-of-adc-notch-switch-contr.patch
new file mode 100644 (file)
index 0000000..59a3720
--- /dev/null
@@ -0,0 +1,37 @@
+From 73c42d2ce9ecf13105915d6fe05a8e84a9251a5c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Aug 2021 17:08:33 +0100
+Subject: ASoC: cs42l42: Fix inversion of ADC Notch Switch control
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit 30615bd21b4cc3c3bb5ae8bd70e2a915cc5f75c7 ]
+
+The underlying register field has inverted sense (0 = enabled) so
+the control definition must be marked as inverted.
+
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Fixes: 2c394ca79604 ("ASoC: Add support for CS42L42 codec")
+Link: https://lore.kernel.org/r/20210803160834.9005-1-rf@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/cs42l42.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/cs42l42.c b/sound/soc/codecs/cs42l42.c
+index ca6541ac59e1..c11e60e9fe4e 100644
+--- a/sound/soc/codecs/cs42l42.c
++++ b/sound/soc/codecs/cs42l42.c
+@@ -436,7 +436,7 @@ static SOC_ENUM_SINGLE_DECL(cs42l42_wnf05_freq_enum, CS42L42_ADC_WNF_HPF_CTL,
+ static const struct snd_kcontrol_new cs42l42_snd_controls[] = {
+       /* ADC Volume and Filter Controls */
+       SOC_SINGLE("ADC Notch Switch", CS42L42_ADC_CTL,
+-                              CS42L42_ADC_NOTCH_DIS_SHIFT, true, false),
++                              CS42L42_ADC_NOTCH_DIS_SHIFT, true, true),
+       SOC_SINGLE("ADC Weak Force Switch", CS42L42_ADC_CTL,
+                               CS42L42_ADC_FORCE_WEAK_VCM_SHIFT, true, false),
+       SOC_SINGLE("ADC Invert Switch", CS42L42_ADC_CTL,
+-- 
+2.30.2
+
diff --git a/queue-4.19/asoc-cs42l42-fix-lrclk-frame-start-edge.patch b/queue-4.19/asoc-cs42l42-fix-lrclk-frame-start-edge.patch
new file mode 100644 (file)
index 0000000..52b247e
--- /dev/null
@@ -0,0 +1,67 @@
+From 448f6ce48e63190d3e5fe2f459612bba92107ed8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Aug 2021 17:11:05 +0100
+Subject: ASoC: cs42l42: Fix LRCLK frame start edge
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit 0c2f2ad4f16a58879463d0979a54293f8f296d6f ]
+
+An I2S frame starts on the falling edge of LRCLK so ASP_STP must
+be 0.
+
+At the same time, move other format settings in the same register
+from cs42l42_pll_config() to cs42l42_set_dai_fmt() where you'd
+expect to find them, and merge into a single write.
+
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Fixes: 2c394ca79604 ("ASoC: Add support for CS42L42 codec")
+Link: https://lore.kernel.org/r/20210805161111.10410-2-rf@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/cs42l42.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/sound/soc/codecs/cs42l42.c b/sound/soc/codecs/cs42l42.c
+index fb12fcf88878..4cb3e11c66af 100644
+--- a/sound/soc/codecs/cs42l42.c
++++ b/sound/soc/codecs/cs42l42.c
+@@ -659,15 +659,6 @@ static int cs42l42_pll_config(struct snd_soc_component *component)
+                                       CS42L42_FSYNC_PULSE_WIDTH_MASK,
+                                       CS42L42_FRAC1_VAL(fsync - 1) <<
+                                       CS42L42_FSYNC_PULSE_WIDTH_SHIFT);
+-                      snd_soc_component_update_bits(component,
+-                                      CS42L42_ASP_FRM_CFG,
+-                                      CS42L42_ASP_5050_MASK,
+-                                      CS42L42_ASP_5050_MASK);
+-                      /* Set the frame delay to 1.0 SCLK clocks */
+-                      snd_soc_component_update_bits(component, CS42L42_ASP_FRM_CFG,
+-                                      CS42L42_ASP_FSD_MASK,
+-                                      CS42L42_ASP_FSD_1_0 <<
+-                                      CS42L42_ASP_FSD_SHIFT);
+                       /* Set the sample rates (96k or lower) */
+                       snd_soc_component_update_bits(component, CS42L42_FS_RATE_EN,
+                                       CS42L42_FS_EN_MASK,
+@@ -763,6 +754,18 @@ static int cs42l42_set_dai_fmt(struct snd_soc_dai *codec_dai, unsigned int fmt)
+       /* interface format */
+       switch (fmt & SND_SOC_DAIFMT_FORMAT_MASK) {
+       case SND_SOC_DAIFMT_I2S:
++              /*
++               * 5050 mode, frame starts on falling edge of LRCLK,
++               * frame delayed by 1.0 SCLKs
++               */
++              snd_soc_component_update_bits(component,
++                                            CS42L42_ASP_FRM_CFG,
++                                            CS42L42_ASP_STP_MASK |
++                                            CS42L42_ASP_5050_MASK |
++                                            CS42L42_ASP_FSD_MASK,
++                                            CS42L42_ASP_5050_MASK |
++                                            (CS42L42_ASP_FSD_1_0 <<
++                                              CS42L42_ASP_FSD_SHIFT));
+               break;
+       default:
+               return -EINVAL;
+-- 
+2.30.2
+
diff --git a/queue-4.19/asoc-cs42l42-remove-duplicate-control-for-wnf-filter.patch b/queue-4.19/asoc-cs42l42-remove-duplicate-control-for-wnf-filter.patch
new file mode 100644 (file)
index 0000000..16ea30b
--- /dev/null
@@ -0,0 +1,63 @@
+From 76c19b7557e8ffcc2d69da9b8247dc95c7b7f0e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Aug 2021 17:08:34 +0100
+Subject: ASoC: cs42l42: Remove duplicate control for WNF filter frequency
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit 8b353bbeae20e2214c9d9d88bcb2fda4ba145d83 ]
+
+The driver was defining two ALSA controls that both change the same
+register field for the wind noise filter corner frequency. The filter
+response has two corners, at different frequencies, and the duplicate
+controls most likely were an attempt to be able to set the value using
+either of the frequencies.
+
+However, having two controls changing the same field can be problematic
+and it is unnecessary. Both frequencies are related to each other so
+setting one implies exactly what the other would be.
+
+Removing a control affects user-side code, but there is currently no
+known use of the removed control so it would be best to remove it now
+before it becomes a problem.
+
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Fixes: 2c394ca79604 ("ASoC: Add support for CS42L42 codec")
+Link: https://lore.kernel.org/r/20210803160834.9005-2-rf@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/cs42l42.c | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+diff --git a/sound/soc/codecs/cs42l42.c b/sound/soc/codecs/cs42l42.c
+index c11e60e9fe4e..fb12fcf88878 100644
+--- a/sound/soc/codecs/cs42l42.c
++++ b/sound/soc/codecs/cs42l42.c
+@@ -424,15 +424,6 @@ static SOC_ENUM_SINGLE_DECL(cs42l42_wnf3_freq_enum, CS42L42_ADC_WNF_HPF_CTL,
+                           CS42L42_ADC_WNF_CF_SHIFT,
+                           cs42l42_wnf3_freq_text);
+-static const char * const cs42l42_wnf05_freq_text[] = {
+-      "280Hz", "315Hz", "350Hz", "385Hz",
+-      "420Hz", "455Hz", "490Hz", "525Hz"
+-};
+-
+-static SOC_ENUM_SINGLE_DECL(cs42l42_wnf05_freq_enum, CS42L42_ADC_WNF_HPF_CTL,
+-                          CS42L42_ADC_WNF_CF_SHIFT,
+-                          cs42l42_wnf05_freq_text);
+-
+ static const struct snd_kcontrol_new cs42l42_snd_controls[] = {
+       /* ADC Volume and Filter Controls */
+       SOC_SINGLE("ADC Notch Switch", CS42L42_ADC_CTL,
+@@ -450,7 +441,6 @@ static const struct snd_kcontrol_new cs42l42_snd_controls[] = {
+                               CS42L42_ADC_HPF_EN_SHIFT, true, false),
+       SOC_ENUM("HPF Corner Freq", cs42l42_hpf_freq_enum),
+       SOC_ENUM("WNF 3dB Freq", cs42l42_wnf3_freq_enum),
+-      SOC_ENUM("WNF 05dB Freq", cs42l42_wnf05_freq_enum),
+       /* DAC Volume and Filter Controls */
+       SOC_SINGLE("DACA Invert Switch", CS42L42_DAC_CTL1,
+-- 
+2.30.2
+
diff --git a/queue-4.19/ieee802154-hwsim-fix-gpf-in-hwsim_new_edge_nl.patch b/queue-4.19/ieee802154-hwsim-fix-gpf-in-hwsim_new_edge_nl.patch
new file mode 100644 (file)
index 0000000..b2d0122
--- /dev/null
@@ -0,0 +1,38 @@
+From ee09949f5fa9ab39786dd0fcc6ff9ecab130ca79 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Jul 2021 23:56:32 +0800
+Subject: ieee802154: hwsim: fix GPF in hwsim_new_edge_nl
+
+From: Dongliang Mu <mudongliangabcd@gmail.com>
+
+[ Upstream commit 889d0e7dc68314a273627d89cbb60c09e1cc1c25 ]
+
+Both MAC802154_HWSIM_ATTR_RADIO_ID and MAC802154_HWSIM_ATTR_RADIO_EDGE
+must be present to fix GPF.
+
+Fixes: f25da51fdc38 ("ieee802154: hwsim: add replacement for fakelb")
+Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
+Acked-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20210707155633.1486603-1-mudongliangabcd@gmail.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ieee802154/mac802154_hwsim.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ieee802154/mac802154_hwsim.c b/drivers/net/ieee802154/mac802154_hwsim.c
+index 82f3fbda7dfe..ed60e691cc2b 100644
+--- a/drivers/net/ieee802154/mac802154_hwsim.c
++++ b/drivers/net/ieee802154/mac802154_hwsim.c
+@@ -432,7 +432,7 @@ static int hwsim_new_edge_nl(struct sk_buff *msg, struct genl_info *info)
+       struct hwsim_edge *e;
+       u32 v0, v1;
+-      if (!info->attrs[MAC802154_HWSIM_ATTR_RADIO_ID] &&
++      if (!info->attrs[MAC802154_HWSIM_ATTR_RADIO_ID] ||
+           !info->attrs[MAC802154_HWSIM_ATTR_RADIO_EDGE])
+               return -EINVAL;
+-- 
+2.30.2
+
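Review bot: The corrected presence check in hwsim_new_edge_nl() has no comment saying that both attributes are read further down, which is how a request omitting only one of them got past the old `&&` form and hit the fault named in the subject. A line above it such as `/* both attributes are read below; reject the request if either is missing */` would keep the condition from being rewritten back. The same `&&` to `||` correction is made twice in hwsim_set_edge_lqi() in the next patch of this queue, so any other genl handler in mac802154_hwsim.c that tests this attribute pair is worth reading for the same pattern; none is visible here. The function body continues outside the hunk and the permission flags of the genl operation are not shown, so who can send such a request cannot be judged from this page.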
diff --git a/queue-4.19/ieee802154-hwsim-fix-gpf-in-hwsim_set_edge_lqi.patch b/queue-4.19/ieee802154-hwsim-fix-gpf-in-hwsim_set_edge_lqi.patch
new file mode 100644 (file)
index 0000000..159456e
--- /dev/null
@@ -0,0 +1,48 @@
+From 982943039c9c930730fe566235f454932b479860 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Jul 2021 21:13:20 +0800
+Subject: ieee802154: hwsim: fix GPF in hwsim_set_edge_lqi
+
+From: Dongliang Mu <mudongliangabcd@gmail.com>
+
+[ Upstream commit e9faf53c5a5d01f6f2a09ae28ec63a3bbd6f64fd ]
+
+Both MAC802154_HWSIM_ATTR_RADIO_ID and MAC802154_HWSIM_ATTR_RADIO_EDGE,
+MAC802154_HWSIM_EDGE_ATTR_ENDPOINT_ID and MAC802154_HWSIM_EDGE_ATTR_LQI
+must be present to fix GPF.
+
+Fixes: f25da51fdc38 ("ieee802154: hwsim: add replacement for fakelb")
+Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
+Acked-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20210705131321.217111-1-mudongliangabcd@gmail.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ieee802154/mac802154_hwsim.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ieee802154/mac802154_hwsim.c b/drivers/net/ieee802154/mac802154_hwsim.c
+index 06aadebc2d5b..82f3fbda7dfe 100644
+--- a/drivers/net/ieee802154/mac802154_hwsim.c
++++ b/drivers/net/ieee802154/mac802154_hwsim.c
+@@ -546,7 +546,7 @@ static int hwsim_set_edge_lqi(struct sk_buff *msg, struct genl_info *info)
+       u32 v0, v1;
+       u8 lqi;
+-      if (!info->attrs[MAC802154_HWSIM_ATTR_RADIO_ID] &&
++      if (!info->attrs[MAC802154_HWSIM_ATTR_RADIO_ID] ||
+           !info->attrs[MAC802154_HWSIM_ATTR_RADIO_EDGE])
+               return -EINVAL;
+@@ -555,7 +555,7 @@ static int hwsim_set_edge_lqi(struct sk_buff *msg, struct genl_info *info)
+                            hwsim_edge_policy, NULL))
+               return -EINVAL;
+-      if (!edge_attrs[MAC802154_HWSIM_EDGE_ATTR_ENDPOINT_ID] &&
++      if (!edge_attrs[MAC802154_HWSIM_EDGE_ATTR_ENDPOINT_ID] ||
+           !edge_attrs[MAC802154_HWSIM_EDGE_ATTR_LQI])
+               return -EINVAL;
+-- 
+2.30.2
+
diff --git a/queue-4.19/net-bridge-fix-memleak-in-br_add_if.patch b/queue-4.19/net-bridge-fix-memleak-in-br_add_if.patch
new file mode 100644 (file)
index 0000000..1f88c05
--- /dev/null
@@ -0,0 +1,75 @@
+From ef91f307e4d74eb835ef96b3fae1ad4096d107f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Aug 2021 21:20:23 +0800
+Subject: net: bridge: fix memleak in br_add_if()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 519133debcc19f5c834e7e28480b60bdc234fe02 ]
+
+I got a memleak report:
+
+BUG: memory leak
+unreferenced object 0x607ee521a658 (size 240):
+comm "syz-executor.0", pid 955, jiffies 4294780569 (age 16.449s)
+hex dump (first 32 bytes, cpu 1):
+00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+backtrace:
+[<00000000d830ea5a>] br_multicast_add_port+0x1c2/0x300 net/bridge/br_multicast.c:1693
+[<00000000274d9a71>] new_nbp net/bridge/br_if.c:435 [inline]
+[<00000000274d9a71>] br_add_if+0x670/0x1740 net/bridge/br_if.c:611
+[<0000000012ce888e>] do_set_master net/core/rtnetlink.c:2513 [inline]
+[<0000000012ce888e>] do_set_master+0x1aa/0x210 net/core/rtnetlink.c:2487
+[<0000000099d1cafc>] __rtnl_newlink+0x1095/0x13e0 net/core/rtnetlink.c:3457
+[<00000000a01facc0>] rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3488
+[<00000000acc9186c>] rtnetlink_rcv_msg+0x369/0xa10 net/core/rtnetlink.c:5550
+[<00000000d4aabb9c>] netlink_rcv_skb+0x134/0x3d0 net/netlink/af_netlink.c:2504
+[<00000000bc2e12a3>] netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]
+[<00000000bc2e12a3>] netlink_unicast+0x4a0/0x6a0 net/netlink/af_netlink.c:1340
+[<00000000e4dc2d0e>] netlink_sendmsg+0x789/0xc70 net/netlink/af_netlink.c:1929
+[<000000000d22c8b3>] sock_sendmsg_nosec net/socket.c:654 [inline]
+[<000000000d22c8b3>] sock_sendmsg+0x139/0x170 net/socket.c:674
+[<00000000e281417a>] ____sys_sendmsg+0x658/0x7d0 net/socket.c:2350
+[<00000000237aa2ab>] ___sys_sendmsg+0xf8/0x170 net/socket.c:2404
+[<000000004f2dc381>] __sys_sendmsg+0xd3/0x190 net/socket.c:2433
+[<0000000005feca6c>] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:47
+[<000000007304477d>] entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+On error path of br_add_if(), p->mcast_stats allocated in
+new_nbp() need be freed, or it will be leaked.
+
+Fixes: 1080ab95e3c7 ("net: bridge: add support for IGMP/MLD stats and export them via netlink")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Acked-by: Nikolay Aleksandrov <nikolay@nvidia.com>
+Link: https://lore.kernel.org/r/20210809132023.978546-1-yangyingliang@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_if.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c
+index 5aa508a08a69..b5fb2b682e19 100644
+--- a/net/bridge/br_if.c
++++ b/net/bridge/br_if.c
+@@ -604,6 +604,7 @@ int br_add_if(struct net_bridge *br, struct net_device *dev,
+       err = dev_set_allmulti(dev, 1);
+       if (err) {
++              br_multicast_del_port(p);
+               kfree(p);       /* kobject not yet init'd, manually free */
+               goto err1;
+       }
+@@ -708,6 +709,7 @@ err4:
+ err3:
+       sysfs_remove_link(br->ifobj, p->dev->name);
+ err2:
++      br_multicast_del_port(p);
+       kobject_put(&p->kobj);
+       dev_set_allmulti(dev, -1);
+ err1:
+-- 
+2.30.2
+
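Review bot: br_multicast_del_port(p) is now called by hand in two separate error exits of br_add_if(), the dev_set_allmulti() failure branch and the err2 label, and neither says what it undoes. Per the commit message it releases p->mcast_stats allocated in new_nbp(); a comment at err2 such as `/* undo br_multicast_add_port() done in new_nbp() */` would make the pairing visible to whoever adds the next error label. The backtrace shows the leaking allocation being reached from rtnetlink by a fuzzer process, so before this change each failed attempt on that path left one object behind. Both ends of br_add_if() are outside the hunks, so whether every later failure path funnels through err2 cannot be confirmed from here.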
diff --git a/queue-4.19/net-dsa-lan9303-fix-broken-backpressure-in-.port_fdb.patch b/queue-4.19/net-dsa-lan9303-fix-broken-backpressure-in-.port_fdb.patch
new file mode 100644 (file)
index 0000000..ede1932
--- /dev/null
@@ -0,0 +1,138 @@
+From 2ae75971544c6d34f6f2ffe154761a08501848ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 14:19:54 +0300
+Subject: net: dsa: lan9303: fix broken backpressure in .port_fdb_dump
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit ada2fee185d8145afb89056558bb59545b9dbdd0 ]
+
+rtnl_fdb_dump() has logic to split a dump of PF_BRIDGE neighbors into
+multiple netlink skbs if the buffer provided by user space is too small
+(one buffer will typically handle a few hundred FDB entries).
+
+When the current buffer becomes full, nlmsg_put() in
+dsa_slave_port_fdb_do_dump() returns -EMSGSIZE and DSA saves the index
+of the last dumped FDB entry, returns to rtnl_fdb_dump() up to that
+point, and then the dump resumes on the same port with a new skb, and
+FDB entries up to the saved index are simply skipped.
+
+Since dsa_slave_port_fdb_do_dump() is pointed to by the "cb" passed to
+drivers, then drivers must check for the -EMSGSIZE error code returned
+by it. Otherwise, when a netlink skb becomes full, DSA will no longer
+save newly dumped FDB entries to it, but the driver will continue
+dumping. So FDB entries will be missing from the dump.
+
+Fix the broken backpressure by propagating the "cb" return code and
+allow rtnl_fdb_dump() to restart the FDB dump with a new skb.
+
+Fixes: ab335349b852 ("net: dsa: lan9303: Add port_fast_age and port_fdb_dump methods")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/lan9303-core.c | 34 +++++++++++++++++++---------------
+ 1 file changed, 19 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/net/dsa/lan9303-core.c b/drivers/net/dsa/lan9303-core.c
+index b4f6e1a67dd9..b89c474e6b6b 100644
+--- a/drivers/net/dsa/lan9303-core.c
++++ b/drivers/net/dsa/lan9303-core.c
+@@ -566,12 +566,12 @@ static int lan9303_alr_make_entry_raw(struct lan9303 *chip, u32 dat0, u32 dat1)
+       return 0;
+ }
+-typedef void alr_loop_cb_t(struct lan9303 *chip, u32 dat0, u32 dat1,
+-                         int portmap, void *ctx);
++typedef int alr_loop_cb_t(struct lan9303 *chip, u32 dat0, u32 dat1,
++                        int portmap, void *ctx);
+-static void lan9303_alr_loop(struct lan9303 *chip, alr_loop_cb_t *cb, void *ctx)
++static int lan9303_alr_loop(struct lan9303 *chip, alr_loop_cb_t *cb, void *ctx)
+ {
+-      int i;
++      int ret = 0, i;
+       mutex_lock(&chip->alr_mutex);
+       lan9303_write_switch_reg(chip, LAN9303_SWE_ALR_CMD,
+@@ -591,13 +591,17 @@ static void lan9303_alr_loop(struct lan9303 *chip, alr_loop_cb_t *cb, void *ctx)
+                                               LAN9303_ALR_DAT1_PORT_BITOFFS;
+               portmap = alrport_2_portmap[alrport];
+-              cb(chip, dat0, dat1, portmap, ctx);
++              ret = cb(chip, dat0, dat1, portmap, ctx);
++              if (ret)
++                      break;
+               lan9303_write_switch_reg(chip, LAN9303_SWE_ALR_CMD,
+                                        LAN9303_ALR_CMD_GET_NEXT);
+               lan9303_write_switch_reg(chip, LAN9303_SWE_ALR_CMD, 0);
+       }
+       mutex_unlock(&chip->alr_mutex);
++
++      return ret;
+ }
+ static void alr_reg_to_mac(u32 dat0, u32 dat1, u8 mac[6])
+@@ -615,18 +619,20 @@ struct del_port_learned_ctx {
+ };
+ /* Clear learned (non-static) entry on given port */
+-static void alr_loop_cb_del_port_learned(struct lan9303 *chip, u32 dat0,
+-                                       u32 dat1, int portmap, void *ctx)
++static int alr_loop_cb_del_port_learned(struct lan9303 *chip, u32 dat0,
++                                      u32 dat1, int portmap, void *ctx)
+ {
+       struct del_port_learned_ctx *del_ctx = ctx;
+       int port = del_ctx->port;
+       if (((BIT(port) & portmap) == 0) || (dat1 & LAN9303_ALR_DAT1_STATIC))
+-              return;
++              return 0;
+       /* learned entries has only one port, we can just delete */
+       dat1 &= ~LAN9303_ALR_DAT1_VALID; /* delete entry */
+       lan9303_alr_make_entry_raw(chip, dat0, dat1);
++
++      return 0;
+ }
+ struct port_fdb_dump_ctx {
+@@ -635,19 +641,19 @@ struct port_fdb_dump_ctx {
+       dsa_fdb_dump_cb_t *cb;
+ };
+-static void alr_loop_cb_fdb_port_dump(struct lan9303 *chip, u32 dat0,
+-                                    u32 dat1, int portmap, void *ctx)
++static int alr_loop_cb_fdb_port_dump(struct lan9303 *chip, u32 dat0,
++                                   u32 dat1, int portmap, void *ctx)
+ {
+       struct port_fdb_dump_ctx *dump_ctx = ctx;
+       u8 mac[ETH_ALEN];
+       bool is_static;
+       if ((BIT(dump_ctx->port) & portmap) == 0)
+-              return;
++              return 0;
+       alr_reg_to_mac(dat0, dat1, mac);
+       is_static = !!(dat1 & LAN9303_ALR_DAT1_STATIC);
+-      dump_ctx->cb(mac, 0, is_static, dump_ctx->data);
++      return dump_ctx->cb(mac, 0, is_static, dump_ctx->data);
+ }
+ /* Set a static ALR entry. Delete entry if port_map is zero */
+@@ -1214,9 +1220,7 @@ static int lan9303_port_fdb_dump(struct dsa_switch *ds, int port,
+       };
+       dev_dbg(chip->dev, "%s(%d)\n", __func__, port);
+-      lan9303_alr_loop(chip, alr_loop_cb_fdb_port_dump, &dump_ctx);
+-
+-      return 0;
++      return lan9303_alr_loop(chip, alr_loop_cb_fdb_port_dump, &dump_ctx);
+ }
+ static int lan9303_port_mdb_prepare(struct dsa_switch *ds, int port,
+-- 
+2.30.2
+
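Review bot: alr_loop_cb_del_port_learned() still discards the result of lan9303_alr_make_entry_raw() and returns 0 unconditionally, although the callback type now returns int and lan9303_alr_loop() stops on a non-zero value. If lan9303_alr_make_entry_raw() can fail (only its final `return 0;` is visible here), the last two statements could become `return lan9303_alr_make_entry_raw(chip, dat0, dat1);`; if aborting a fast-age pass on the first error is not wanted, a comment saying the result is ignored on purpose would do. The early `break` in lan9303_alr_loop() leaves the loop before mutex_unlock(), so the lock is still released on the error path. Callers of lan9303_alr_loop() other than lan9303_port_fdb_dump() are outside the hunks and may now be ignoring an int return.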
diff --git a/queue-4.19/net-dsa-mt7530-add-the-missing-rxunicast-mib-counter.patch b/queue-4.19/net-dsa-mt7530-add-the-missing-rxunicast-mib-counter.patch
new file mode 100644 (file)
index 0000000..45b2b71
--- /dev/null
@@ -0,0 +1,34 @@
+From 9f68304486fe5eba5054feb6b00394bc2171a840 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Aug 2021 12:05:27 +0800
+Subject: net: dsa: mt7530: add the missing RxUnicast MIB counter
+
+From: DENG Qingfang <dqfext@gmail.com>
+
+[ Upstream commit aff51c5da3208bd164381e1488998667269c6cf4 ]
+
+Add the missing RxUnicast counter.
+
+Fixes: b8f126a8d543 ("net-next: dsa: add dsa support for Mediatek MT7530 switch")
+Signed-off-by: DENG Qingfang <dqfext@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/mt7530.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c
+index 6335c4ea0957..2ff6a0be97de 100644
+--- a/drivers/net/dsa/mt7530.c
++++ b/drivers/net/dsa/mt7530.c
+@@ -54,6 +54,7 @@ static const struct mt7530_mib_desc mt7530_mib[] = {
+       MIB_DESC(2, 0x48, "TxBytes"),
+       MIB_DESC(1, 0x60, "RxDrop"),
+       MIB_DESC(1, 0x64, "RxFiltering"),
++      MIB_DESC(1, 0x68, "RxUnicast"),
+       MIB_DESC(1, 0x6c, "RxMulticast"),
+       MIB_DESC(1, 0x70, "RxBroadcast"),
+       MIB_DESC(1, 0x74, "RxAlignErr"),
+-- 
+2.30.2
+
diff --git a/queue-4.19/net-fix-memory-leak-in-ieee802154_raw_deliver.patch b/queue-4.19/net-fix-memory-leak-in-ieee802154_raw_deliver.patch
new file mode 100644 (file)
index 0000000..f9d9fcc
--- /dev/null
@@ -0,0 +1,87 @@
+From 97f9c5d3dfe783982b5d6d19ed9fcdaf439033e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Aug 2021 16:54:14 +0900
+Subject: net: Fix memory leak in ieee802154_raw_deliver
+
+From: Takeshi Misawa <jeliantsurux@gmail.com>
+
+[ Upstream commit 1090340f7ee53e824fd4eef66a4855d548110c5b ]
+
+If IEEE-802.15.4-RAW is closed before receive skb, skb is leaked.
+Fix this, by freeing sk_receive_queue in sk->sk_destruct().
+
+syzbot report:
+BUG: memory leak
+unreferenced object 0xffff88810f644600 (size 232):
+  comm "softirq", pid 0, jiffies 4294967032 (age 81.270s)
+  hex dump (first 32 bytes):
+    10 7d 4b 12 81 88 ff ff 10 7d 4b 12 81 88 ff ff  .}K......}K.....
+    00 00 00 00 00 00 00 00 40 7c 4b 12 81 88 ff ff  ........@|K.....
+  backtrace:
+    [<ffffffff83651d4a>] skb_clone+0xaa/0x2b0 net/core/skbuff.c:1496
+    [<ffffffff83fe1b80>] ieee802154_raw_deliver net/ieee802154/socket.c:369 [inline]
+    [<ffffffff83fe1b80>] ieee802154_rcv+0x100/0x340 net/ieee802154/socket.c:1070
+    [<ffffffff8367cc7a>] __netif_receive_skb_one_core+0x6a/0xa0 net/core/dev.c:5384
+    [<ffffffff8367cd07>] __netif_receive_skb+0x27/0xa0 net/core/dev.c:5498
+    [<ffffffff8367cdd9>] netif_receive_skb_internal net/core/dev.c:5603 [inline]
+    [<ffffffff8367cdd9>] netif_receive_skb+0x59/0x260 net/core/dev.c:5662
+    [<ffffffff83fe6302>] ieee802154_deliver_skb net/mac802154/rx.c:29 [inline]
+    [<ffffffff83fe6302>] ieee802154_subif_frame net/mac802154/rx.c:102 [inline]
+    [<ffffffff83fe6302>] __ieee802154_rx_handle_packet net/mac802154/rx.c:212 [inline]
+    [<ffffffff83fe6302>] ieee802154_rx+0x612/0x620 net/mac802154/rx.c:284
+    [<ffffffff83fe59a6>] ieee802154_tasklet_handler+0x86/0xa0 net/mac802154/main.c:35
+    [<ffffffff81232aab>] tasklet_action_common.constprop.0+0x5b/0x100 kernel/softirq.c:557
+    [<ffffffff846000bf>] __do_softirq+0xbf/0x2ab kernel/softirq.c:345
+    [<ffffffff81232f4c>] do_softirq kernel/softirq.c:248 [inline]
+    [<ffffffff81232f4c>] do_softirq+0x5c/0x80 kernel/softirq.c:235
+    [<ffffffff81232fc1>] __local_bh_enable_ip+0x51/0x60 kernel/softirq.c:198
+    [<ffffffff8367a9a4>] local_bh_enable include/linux/bottom_half.h:32 [inline]
+    [<ffffffff8367a9a4>] rcu_read_unlock_bh include/linux/rcupdate.h:745 [inline]
+    [<ffffffff8367a9a4>] __dev_queue_xmit+0x7f4/0xf60 net/core/dev.c:4221
+    [<ffffffff83fe2db4>] raw_sendmsg+0x1f4/0x2b0 net/ieee802154/socket.c:295
+    [<ffffffff8363af16>] sock_sendmsg_nosec net/socket.c:654 [inline]
+    [<ffffffff8363af16>] sock_sendmsg+0x56/0x80 net/socket.c:674
+    [<ffffffff8363deec>] __sys_sendto+0x15c/0x200 net/socket.c:1977
+    [<ffffffff8363dfb6>] __do_sys_sendto net/socket.c:1989 [inline]
+    [<ffffffff8363dfb6>] __se_sys_sendto net/socket.c:1985 [inline]
+    [<ffffffff8363dfb6>] __x64_sys_sendto+0x26/0x30 net/socket.c:1985
+
+Fixes: 9ec767160357 ("net: add IEEE 802.15.4 socket family implementation")
+Reported-and-tested-by: syzbot+1f68113fa907bf0695a8@syzkaller.appspotmail.com
+Signed-off-by: Takeshi Misawa <jeliantsurux@gmail.com>
+Acked-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20210805075414.GA15796@DESKTOP
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ieee802154/socket.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c
+index 89819745e482..14c6fac039f9 100644
+--- a/net/ieee802154/socket.c
++++ b/net/ieee802154/socket.c
+@@ -1002,6 +1002,11 @@ static const struct proto_ops ieee802154_dgram_ops = {
+ #endif
+ };
++static void ieee802154_sock_destruct(struct sock *sk)
++{
++      skb_queue_purge(&sk->sk_receive_queue);
++}
++
+ /* Create a socket. Initialise the socket, blank the addresses
+  * set the state.
+  */
+@@ -1042,7 +1047,7 @@ static int ieee802154_create(struct net *net, struct socket *sock,
+       sock->ops = ops;
+       sock_init_data(sock, sk);
+-      /* FIXME: sk->sk_destruct */
++      sk->sk_destruct = ieee802154_sock_destruct;
+       sk->sk_family = PF_IEEE802154;
+       /* Checksums on by default */
+-- 
+2.30.2
+
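Review bot: The new ieee802154_sock_destruct() has no comment and purges only sk->sk_receive_queue; a line above it such as `/* free skbs still sitting in the receive queue when the socket goes away */` would record why the destructor exists now that the FIXME is gone. It is installed in ieee802154_create(), which assigns `sock->ops = ops` just above, so it presumably runs for every socket type of this family and not only the raw sockets named in the subject. Whether these sockets can also hold skbs on another queue (for example sk_error_queue) is not visible in the hunks; if they can, the destructor should purge that queue too. ieee802154_create() starts and ends outside the hunk.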
diff --git a/queue-4.19/net-igmp-fix-data-race-in-igmp_ifc_timer_expire.patch b/queue-4.19/net-igmp-fix-data-race-in-igmp_ifc_timer_expire.patch
new file mode 100644 (file)
index 0000000..b60f17f
--- /dev/null
@@ -0,0 +1,155 @@
+From 65941fca42f454d5bc885ed5949d8bd32b9a59e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 02:45:47 -0700
+Subject: net: igmp: fix data-race in igmp_ifc_timer_expire()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 4a2b285e7e103d4d6c6ed3e5052a0ff74a5d7f15 ]
+
+Fix the data-race reported by syzbot [1]
+Issue here is that igmp_ifc_timer_expire() can update in_dev->mr_ifc_count
+while another change just occured from another context.
+
+in_dev->mr_ifc_count is only 8bit wide, so the race had little
+consequences.
+
+[1]
+BUG: KCSAN: data-race in igmp_ifc_event / igmp_ifc_timer_expire
+
+write to 0xffff8881051e3062 of 1 bytes by task 12547 on cpu 0:
+ igmp_ifc_event+0x1d5/0x290 net/ipv4/igmp.c:821
+ igmp_group_added+0x462/0x490 net/ipv4/igmp.c:1356
+ ____ip_mc_inc_group+0x3ff/0x500 net/ipv4/igmp.c:1461
+ __ip_mc_join_group+0x24d/0x2c0 net/ipv4/igmp.c:2199
+ ip_mc_join_group_ssm+0x20/0x30 net/ipv4/igmp.c:2218
+ do_ip_setsockopt net/ipv4/ip_sockglue.c:1285 [inline]
+ ip_setsockopt+0x1827/0x2a80 net/ipv4/ip_sockglue.c:1423
+ tcp_setsockopt+0x8c/0xa0 net/ipv4/tcp.c:3657
+ sock_common_setsockopt+0x5d/0x70 net/core/sock.c:3362
+ __sys_setsockopt+0x18f/0x200 net/socket.c:2159
+ __do_sys_setsockopt net/socket.c:2170 [inline]
+ __se_sys_setsockopt net/socket.c:2167 [inline]
+ __x64_sys_setsockopt+0x62/0x70 net/socket.c:2167
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+read to 0xffff8881051e3062 of 1 bytes by interrupt on cpu 1:
+ igmp_ifc_timer_expire+0x706/0xa30 net/ipv4/igmp.c:808
+ call_timer_fn+0x2e/0x1d0 kernel/time/timer.c:1419
+ expire_timers+0x135/0x250 kernel/time/timer.c:1464
+ __run_timers+0x358/0x420 kernel/time/timer.c:1732
+ run_timer_softirq+0x19/0x30 kernel/time/timer.c:1745
+ __do_softirq+0x12c/0x26e kernel/softirq.c:558
+ invoke_softirq kernel/softirq.c:432 [inline]
+ __irq_exit_rcu+0x9a/0xb0 kernel/softirq.c:636
+ sysvec_apic_timer_interrupt+0x69/0x80 arch/x86/kernel/apic/apic.c:1100
+ asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638
+ console_unlock+0x8e8/0xb30 kernel/printk/printk.c:2646
+ vprintk_emit+0x125/0x3d0 kernel/printk/printk.c:2174
+ vprintk_default+0x22/0x30 kernel/printk/printk.c:2185
+ vprintk+0x15a/0x170 kernel/printk/printk_safe.c:392
+ printk+0x62/0x87 kernel/printk/printk.c:2216
+ selinux_netlink_send+0x399/0x400 security/selinux/hooks.c:6041
+ security_netlink_send+0x42/0x90 security/security.c:2070
+ netlink_sendmsg+0x59e/0x7c0 net/netlink/af_netlink.c:1919
+ sock_sendmsg_nosec net/socket.c:703 [inline]
+ sock_sendmsg net/socket.c:723 [inline]
+ ____sys_sendmsg+0x360/0x4d0 net/socket.c:2392
+ ___sys_sendmsg net/socket.c:2446 [inline]
+ __sys_sendmsg+0x1ed/0x270 net/socket.c:2475
+ __do_sys_sendmsg net/socket.c:2484 [inline]
+ __se_sys_sendmsg net/socket.c:2482 [inline]
+ __x64_sys_sendmsg+0x42/0x50 net/socket.c:2482
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+value changed: 0x01 -> 0x02
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 12539 Comm: syz-executor.1 Not tainted 5.14.0-rc4-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/igmp.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
+index ffa847fc9619..95ec3923083f 100644
+--- a/net/ipv4/igmp.c
++++ b/net/ipv4/igmp.c
+@@ -807,10 +807,17 @@ static void igmp_gq_timer_expire(struct timer_list *t)
+ static void igmp_ifc_timer_expire(struct timer_list *t)
+ {
+       struct in_device *in_dev = from_timer(in_dev, t, mr_ifc_timer);
++      u8 mr_ifc_count;
+       igmpv3_send_cr(in_dev);
+-      if (in_dev->mr_ifc_count) {
+-              in_dev->mr_ifc_count--;
++restart:
++      mr_ifc_count = READ_ONCE(in_dev->mr_ifc_count);
++
++      if (mr_ifc_count) {
++              if (cmpxchg(&in_dev->mr_ifc_count,
++                          mr_ifc_count,
++                          mr_ifc_count - 1) != mr_ifc_count)
++                      goto restart;
+               igmp_ifc_start_timer(in_dev,
+                                    unsolicited_report_interval(in_dev));
+       }
+@@ -822,7 +829,7 @@ static void igmp_ifc_event(struct in_device *in_dev)
+       struct net *net = dev_net(in_dev->dev);
+       if (IGMP_V1_SEEN(in_dev) || IGMP_V2_SEEN(in_dev))
+               return;
+-      in_dev->mr_ifc_count = in_dev->mr_qrv ?: net->ipv4.sysctl_igmp_qrv;
++      WRITE_ONCE(in_dev->mr_ifc_count, in_dev->mr_qrv ?: net->ipv4.sysctl_igmp_qrv);
+       igmp_ifc_start_timer(in_dev, 1);
+ }
+@@ -961,7 +968,7 @@ static bool igmp_heard_query(struct in_device *in_dev, struct sk_buff *skb,
+                               in_dev->mr_qri;
+               }
+               /* cancel the interface change timer */
+-              in_dev->mr_ifc_count = 0;
++              WRITE_ONCE(in_dev->mr_ifc_count, 0);
+               if (del_timer(&in_dev->mr_ifc_timer))
+                       __in_dev_put(in_dev);
+               /* clear deleted report items */
+@@ -1739,7 +1746,7 @@ void ip_mc_down(struct in_device *in_dev)
+               igmp_group_dropped(pmc);
+ #ifdef CONFIG_IP_MULTICAST
+-      in_dev->mr_ifc_count = 0;
++      WRITE_ONCE(in_dev->mr_ifc_count, 0);
+       if (del_timer(&in_dev->mr_ifc_timer))
+               __in_dev_put(in_dev);
+       in_dev->mr_gq_running = 0;
+@@ -1956,7 +1963,7 @@ static int ip_mc_del_src(struct in_device *in_dev, __be32 *pmca, int sfmode,
+               pmc->sfmode = MCAST_INCLUDE;
+ #ifdef CONFIG_IP_MULTICAST
+               pmc->crcount = in_dev->mr_qrv ?: net->ipv4.sysctl_igmp_qrv;
+-              in_dev->mr_ifc_count = pmc->crcount;
++              WRITE_ONCE(in_dev->mr_ifc_count, pmc->crcount);
+               for (psf = pmc->sources; psf; psf = psf->sf_next)
+                       psf->sf_crcount = 0;
+               igmp_ifc_event(pmc->interface);
+@@ -2135,7 +2142,7 @@ static int ip_mc_add_src(struct in_device *in_dev, __be32 *pmca, int sfmode,
+               /* else no filters; keep old mode for reports */
+               pmc->crcount = in_dev->mr_qrv ?: net->ipv4.sysctl_igmp_qrv;
+-              in_dev->mr_ifc_count = pmc->crcount;
++              WRITE_ONCE(in_dev->mr_ifc_count, pmc->crcount);
+               for (psf = pmc->sources; psf; psf = psf->sf_next)
+                       psf->sf_crcount = 0;
+               igmp_ifc_event(in_dev);
+-- 
+2.30.2
+
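Review bot: The `cmpxchg(&in_dev->mr_ifc_count, ...)` added in igmp_ifc_timer_expire() operates on a one-byte field (the local is `u8` and the message calls the counter 8 bits wide), and cmpxchg() is not available at that width on every architecture. The queue does carry the fix, net-igmp-increase-size-of-mr_ifc_count.patch, but series lists it with three unrelated patches in between. A tree stopped between the two would presumably not build on those architectures. Placing the widening patch directly after this one in series would keep the queue bisectable.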
diff --git a/queue-4.19/net-igmp-increase-size-of-mr_ifc_count.patch b/queue-4.19/net-igmp-increase-size-of-mr_ifc_count.patch
new file mode 100644 (file)
index 0000000..afc30ec
--- /dev/null
@@ -0,0 +1,52 @@
+From 8f67557c6edfb1524728397474a5ab2bcb94af6d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Aug 2021 12:57:15 -0700
+Subject: net: igmp: increase size of mr_ifc_count
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit b69dd5b3780a7298bd893816a09da751bc0636f7 ]
+
+Some arches support cmpxchg() on 4-byte and 8-byte only.
+Increase mr_ifc_count width to 32bit to fix this problem.
+
+Fixes: 4a2b285e7e10 ("net: igmp: fix data-race in igmp_ifc_timer_expire()")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20210811195715.3684218-1-eric.dumazet@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/inetdevice.h | 2 +-
+ net/ipv4/igmp.c            | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/inetdevice.h b/include/linux/inetdevice.h
+index a64f21a97369..131f93f8d587 100644
+--- a/include/linux/inetdevice.h
++++ b/include/linux/inetdevice.h
+@@ -41,7 +41,7 @@ struct in_device {
+       unsigned long           mr_qri;         /* Query Response Interval */
+       unsigned char           mr_qrv;         /* Query Robustness Variable */
+       unsigned char           mr_gq_running;
+-      unsigned char           mr_ifc_count;
++      u32                     mr_ifc_count;
+       struct timer_list       mr_gq_timer;    /* general query timer */
+       struct timer_list       mr_ifc_timer;   /* interface change timer */
+diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
+index 95ec3923083f..dca7fe0ae24a 100644
+--- a/net/ipv4/igmp.c
++++ b/net/ipv4/igmp.c
+@@ -807,7 +807,7 @@ static void igmp_gq_timer_expire(struct timer_list *t)
+ static void igmp_ifc_timer_expire(struct timer_list *t)
+ {
+       struct in_device *in_dev = from_timer(in_dev, t, mr_ifc_timer);
+-      u8 mr_ifc_count;
++      u32 mr_ifc_count;
+       igmpv3_send_cr(in_dev);
+ restart:
+-- 
+2.30.2
+
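Review bot: The widened `u32 mr_ifc_count;` in struct in_device has no comment, unlike `mr_qri` and `mr_qrv` just above it, so nothing at the declaration explains why a counter that used to be one byte now takes four. A trailing comment would keep a later cleanup from shrinking it again: `u32 mr_ifc_count; /* u32: updated with cmpxchg(), which some arches support only on 4/8-byte objects */`. The struct definition starts and ends outside the hunk.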
diff --git a/queue-4.19/ppp-fix-generating-ifname-when-empty-ifla_ifname-is-.patch b/queue-4.19/ppp-fix-generating-ifname-when-empty-ifla_ifname-is-.patch
new file mode 100644 (file)
index 0000000..469340e
--- /dev/null
@@ -0,0 +1,58 @@
+From 0510ce16187ca776f0222da4eb56afc69257600a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Aug 2021 15:27:03 +0200
+Subject: ppp: Fix generating ifname when empty IFLA_IFNAME is specified
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit 2459dcb96bcba94c08d6861f8a050185ff301672 ]
+
+IFLA_IFNAME is nul-term string which means that IFLA_IFNAME buffer can be
+larger than length of string which contains.
+
+Function __rtnl_newlink() generates new own ifname if either IFLA_IFNAME
+was not specified at all or userspace passed empty nul-term string.
+
+It is expected that if userspace does not specify ifname for new ppp netdev
+then kernel generates one in format "ppp<id>" where id matches to the ppp
+unit id which can be later obtained by PPPIOCGUNIT ioctl.
+
+And it works in this way if IFLA_IFNAME is not specified at all. But it
+does not work when IFLA_IFNAME is specified with empty string.
+
+So fix this logic also for empty IFLA_IFNAME in ppp_nl_newlink() function
+and correctly generates ifname based on ppp unit identifier if userspace
+did not provided preferred ifname.
+
+Without this patch when IFLA_IFNAME was specified with empty string then
+kernel created a new ppp interface in format "ppp<id>" but id did not
+match ppp unit id returned by PPPIOCGUNIT ioctl. In this case id was some
+number generated by __rtnl_newlink() function.
+
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Fixes: bb8082f69138 ("ppp: build ifname using unit identifier for rtnl based devices")
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ppp/ppp_generic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
+index 1af47aaa7ba5..dc9de8731c56 100644
+--- a/drivers/net/ppp/ppp_generic.c
++++ b/drivers/net/ppp/ppp_generic.c
+@@ -1125,7 +1125,7 @@ static int ppp_nl_newlink(struct net *src_net, struct net_device *dev,
+        * the PPP unit identifer as suffix (i.e. ppp<unit_id>). This allows
+        * userspace to infer the device name using to the PPPIOCGUNIT ioctl.
+        */
+-      if (!tb[IFLA_IFNAME])
++      if (!tb[IFLA_IFNAME] || !nla_len(tb[IFLA_IFNAME]) || !*(char *)nla_data(tb[IFLA_IFNAME]))
+               conf.ifname_is_set = false;
+       err = ppp_dev_configure(src_net, dev, &conf);
+-- 
+2.30.2
+
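Review bot: The widened test on `tb[IFLA_IFNAME]` in ppp_nl_newlink() depends on evaluation order: `nla_len()` has to be checked before `*(char *)nla_data(...)` so that a zero-length attribute payload is never read. The visible part of the comment above it (which starts outside the hunk) does not mention the empty-string case. I would add a line to that comment, e.g. `* A zero-length or empty-string IFLA_IFNAME counts as unset; nla_len() is tested first so the payload is only read when present.` The condition also runs well past 80 columns; breaking it after each `||` would make the order easier to see.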
diff --git a/queue-4.19/psample-add-a-fwd-declaration-for-skbuff.patch b/queue-4.19/psample-add-a-fwd-declaration-for-skbuff.patch
new file mode 100644 (file)
index 0000000..52a13fb
--- /dev/null
@@ -0,0 +1,37 @@
+From 443e366b721a40c317e45a50926b304bbcb39e76 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Aug 2021 09:52:42 +0300
+Subject: psample: Add a fwd declaration for skbuff
+
+From: Roi Dayan <roid@nvidia.com>
+
+[ Upstream commit beb7f2de5728b0bd2140a652fa51f6ad85d159f7 ]
+
+Without this there is a warning if source files include psample.h
+before skbuff.h or doesn't include it at all.
+
+Fixes: 6ae0a6286171 ("net: Introduce psample, a new genetlink channel for packet sampling")
+Signed-off-by: Roi Dayan <roid@nvidia.com>
+Link: https://lore.kernel.org/r/20210808065242.1522535-1-roid@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/psample.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/net/psample.h b/include/net/psample.h
+index 94cb37a7bf75..796f01e5635d 100644
+--- a/include/net/psample.h
++++ b/include/net/psample.h
+@@ -18,6 +18,8 @@ struct psample_group {
+ struct psample_group *psample_group_get(struct net *net, u32 group_num);
+ void psample_group_put(struct psample_group *group);
++struct sk_buff;
++
+ #if IS_ENABLED(CONFIG_PSAMPLE)
+ void psample_sample_packet(struct psample_group *group, struct sk_buff *skb,
+-- 
+2.30.2
+
index 32232e3d574b1bd3f1f86c39b8636664b748871f..6c18dce135ba29b5c177b57cd7224ae2ab88ccba 100644 (file)
@@ -3,3 +3,21 @@ iio-adc-fix-incorrect-exit-of-for-loop.patch
 asoc-intel-atom-fix-reference-to-pcm-buffer-address.patch
 i2c-dev-zero-out-array-used-for-i2c-reads-from-userspace.patch
 acpi-nfit-fix-support-for-virtual-spa-ranges.patch
+ieee802154-hwsim-fix-gpf-in-hwsim_set_edge_lqi.patch
+ieee802154-hwsim-fix-gpf-in-hwsim_new_edge_nl.patch
+asoc-cs42l42-correct-definition-of-adc-volume-contro.patch
+asoc-cs42l42-don-t-allow-snd_soc_daifmt_left_j.patch
+asoc-cs42l42-fix-inversion-of-adc-notch-switch-contr.patch
+asoc-cs42l42-remove-duplicate-control-for-wnf-filter.patch
+asoc-cs42l42-fix-lrclk-frame-start-edge.patch
+net-dsa-mt7530-add-the-missing-rxunicast-mib-counter.patch
+ppp-fix-generating-ifname-when-empty-ifla_ifname-is-.patch
+psample-add-a-fwd-declaration-for-skbuff.patch
+net-fix-memory-leak-in-ieee802154_raw_deliver.patch
+net-igmp-fix-data-race-in-igmp_ifc_timer_expire.patch
+net-dsa-lan9303-fix-broken-backpressure-in-.port_fdb.patch
+net-bridge-fix-memleak-in-br_add_if.patch
+tcp_bbr-fix-u32-wrap-bug-in-round-logic-if-bbr_init-.patch
+net-igmp-increase-size-of-mr_ifc_count.patch
+xen-events-fix-race-in-set_evtchn_to_irq.patch
+vsock-virtio-avoid-potential-deadlock-when-vsock-dev.patch
diff --git a/queue-4.19/tcp_bbr-fix-u32-wrap-bug-in-round-logic-if-bbr_init-.patch b/queue-4.19/tcp_bbr-fix-u32-wrap-bug-in-round-logic-if-bbr_init-.patch
new file mode 100644 (file)
index 0000000..dcac3b6
--- /dev/null
@@ -0,0 +1,67 @@
+From 449e2b26d342595326e1d90405d7b1125e103c0a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 22:40:56 -0400
+Subject: tcp_bbr: fix u32 wrap bug in round logic if bbr_init() called after
+ 2B packets
+
+From: Neal Cardwell <ncardwell@google.com>
+
+[ Upstream commit 6de035fec045f8ae5ee5f3a02373a18b939e91fb ]
+
+Currently if BBR congestion control is initialized after more than 2B
+packets have been delivered, depending on the phase of the
+tp->delivered counter the tracking of BBR round trips can get stuck.
+
+The bug arises because if tp->delivered is between 2^31 and 2^32 at
+the time the BBR congestion control module is initialized, then the
+initialization of bbr->next_rtt_delivered to 0 will cause the logic to
+believe that the end of the round trip is still billions of packets in
+the future. More specifically, the following check will fail
+repeatedly:
+
+  !before(rs->prior_delivered, bbr->next_rtt_delivered)
+
+and thus the connection will take up to 2B packets delivered before
+that check will pass and the connection will set:
+
+  bbr->round_start = 1;
+
+This could cause many mechanisms in BBR to fail to trigger, for
+example bbr_check_full_bw_reached() would likely never exit STARTUP.
+
+This bug is 5 years old and has not been observed, and as a practical
+matter this would likely rarely trigger, since it would require
+transferring at least 2B packets, or likely more than 3 terabytes of
+data, before switching congestion control algorithms to BBR.
+
+This patch is a stable candidate for kernels as far back as v4.9,
+when tcp_bbr.c was added.
+
+Fixes: 0f8782ea1497 ("tcp_bbr: add BBR congestion control")
+Signed-off-by: Neal Cardwell <ncardwell@google.com>
+Reviewed-by: Yuchung Cheng <ycheng@google.com>
+Reviewed-by: Kevin Yang <yyd@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20210811024056.235161-1-ncardwell@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_bbr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp_bbr.c b/net/ipv4/tcp_bbr.c
+index b70c9365e131..1740de053072 100644
+--- a/net/ipv4/tcp_bbr.c
++++ b/net/ipv4/tcp_bbr.c
+@@ -985,7 +985,7 @@ static void bbr_init(struct sock *sk)
+       bbr->prior_cwnd = 0;
+       tp->snd_ssthresh = TCP_INFINITE_SSTHRESH;
+       bbr->rtt_cnt = 0;
+-      bbr->next_rtt_delivered = 0;
++      bbr->next_rtt_delivered = tp->delivered;
+       bbr->prev_ca_state = TCP_CA_Open;
+       bbr->packet_conservation = 0;
+-- 
+2.30.2
+
diff --git a/queue-4.19/vsock-virtio-avoid-potential-deadlock-when-vsock-dev.patch b/queue-4.19/vsock-virtio-avoid-potential-deadlock-when-vsock-dev.patch
new file mode 100644 (file)
index 0000000..7242b2c
--- /dev/null
@@ -0,0 +1,77 @@
+From 99d88e931648e95d676a6f93fce224eb245d2075 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Aug 2021 13:30:56 +0800
+Subject: vsock/virtio: avoid potential deadlock when vsock device remove
+
+From: Longpeng(Mike) <longpeng2@huawei.com>
+
+[ Upstream commit 49b0b6ffe20c5344f4173f3436298782a08da4f2 ]
+
+There's a potential deadlock case when remove the vsock device or
+process the RESET event:
+
+  vsock_for_each_connected_socket:
+      spin_lock_bh(&vsock_table_lock) ----------- (1)
+      ...
+          virtio_vsock_reset_sock:
+              lock_sock(sk) --------------------- (2)
+      ...
+      spin_unlock_bh(&vsock_table_lock)
+
+lock_sock() may do initiative schedule when the 'sk' is owned by
+other thread at the same time, we would receivce a warning message
+that "scheduling while atomic".
+
+Even worse, if the next task (selected by the scheduler) try to
+release a 'sk', it need to request vsock_table_lock and the deadlock
+occur, cause the system into softlockup state.
+  Call trace:
+   queued_spin_lock_slowpath
+   vsock_remove_bound
+   vsock_remove_sock
+   virtio_transport_release
+   __vsock_release
+   vsock_release
+   __sock_release
+   sock_close
+   __fput
+   ____fput
+
+So we should not require sk_lock in this case, just like the behavior
+in vhost_vsock or vmci.
+
+Fixes: 0ea9e1d3a9e3 ("VSOCK: Introduce virtio_transport.ko")
+Cc: Stefan Hajnoczi <stefanha@redhat.com>
+Signed-off-by: Longpeng(Mike) <longpeng2@huawei.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Link: https://lore.kernel.org/r/20210812053056.1699-1-longpeng2@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/vmw_vsock/virtio_transport.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/net/vmw_vsock/virtio_transport.c b/net/vmw_vsock/virtio_transport.c
+index cc70d651d13e..e34979fcefd2 100644
+--- a/net/vmw_vsock/virtio_transport.c
++++ b/net/vmw_vsock/virtio_transport.c
+@@ -373,11 +373,14 @@ static void virtio_vsock_event_fill(struct virtio_vsock *vsock)
+ static void virtio_vsock_reset_sock(struct sock *sk)
+ {
+-      lock_sock(sk);
++      /* vmci_transport.c doesn't take sk_lock here either.  At least we're
++       * under vsock_table_lock so the sock cannot disappear while we're
++       * executing.
++       */
++
+       sk->sk_state = TCP_CLOSE;
+       sk->sk_err = ECONNRESET;
+       sk->sk_error_report(sk);
+-      release_sock(sk);
+ }
+ static void virtio_vsock_update_guest_cid(struct virtio_vsock *vsock)
+-- 
+2.30.2
+
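Review bot: With `lock_sock()` gone, the stores `sk->sk_state = TCP_CLOSE;` and `sk->sk_err = ECONNRESET;` in virtio_vsock_reset_sock() can run while another thread owns the socket, which is the situation the commit message describes, yet the new comment covers only the socket's lifetime. The comment should also say that the function runs under vsock_table_lock with bottom halves disabled, so nothing here, including the `sk_error_report` callback, may sleep, and that the two stores are deliberately unlocked. Something like `/* Called under vsock_table_lock (BH off): must not sleep; sk_state/sk_err are written without sk_lock on purpose. */` would do. The blank line left between the comment and the first store can go.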
diff --git a/queue-4.19/xen-events-fix-race-in-set_evtchn_to_irq.patch b/queue-4.19/xen-events-fix-race-in-set_evtchn_to_irq.patch
new file mode 100644 (file)
index 0000000..a01ae60
--- /dev/null
@@ -0,0 +1,127 @@
+From 669cc8bebc8b468010857c8a4b0bc0d57ad32c2a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Aug 2021 13:09:27 +0000
+Subject: xen/events: Fix race in set_evtchn_to_irq
+
+From: Maximilian Heyne <mheyne@amazon.de>
+
+[ Upstream commit 88ca2521bd5b4e8b83743c01a2d4cb09325b51e9 ]
+
+There is a TOCTOU issue in set_evtchn_to_irq. Rows in the evtchn_to_irq
+mapping are lazily allocated in this function. The check whether the row
+is already present and the row initialization is not synchronized. Two
+threads can at the same time allocate a new row for evtchn_to_irq and
+add the irq mapping to the their newly allocated row. One thread will
+overwrite what the other has set for evtchn_to_irq[row] and therefore
+the irq mapping is lost. This will trigger a BUG_ON later in
+bind_evtchn_to_cpu:
+
+  INFO: pci 0000:1a:15.4: [1d0f:8061] type 00 class 0x010802
+  INFO: nvme 0000:1a:12.1: enabling device (0000 -> 0002)
+  INFO: nvme nvme77: 1/0/0 default/read/poll queues
+  CRIT: kernel BUG at drivers/xen/events/events_base.c:427!
+  WARN: invalid opcode: 0000 [#1] SMP NOPTI
+  WARN: Workqueue: nvme-reset-wq nvme_reset_work [nvme]
+  WARN: RIP: e030:bind_evtchn_to_cpu+0xc2/0xd0
+  WARN: Call Trace:
+  WARN:  set_affinity_irq+0x121/0x150
+  WARN:  irq_do_set_affinity+0x37/0xe0
+  WARN:  irq_setup_affinity+0xf6/0x170
+  WARN:  irq_startup+0x64/0xe0
+  WARN:  __setup_irq+0x69e/0x740
+  WARN:  ? request_threaded_irq+0xad/0x160
+  WARN:  request_threaded_irq+0xf5/0x160
+  WARN:  ? nvme_timeout+0x2f0/0x2f0 [nvme]
+  WARN:  pci_request_irq+0xa9/0xf0
+  WARN:  ? pci_alloc_irq_vectors_affinity+0xbb/0x130
+  WARN:  queue_request_irq+0x4c/0x70 [nvme]
+  WARN:  nvme_reset_work+0x82d/0x1550 [nvme]
+  WARN:  ? check_preempt_wakeup+0x14f/0x230
+  WARN:  ? check_preempt_curr+0x29/0x80
+  WARN:  ? nvme_irq_check+0x30/0x30 [nvme]
+  WARN:  process_one_work+0x18e/0x3c0
+  WARN:  worker_thread+0x30/0x3a0
+  WARN:  ? process_one_work+0x3c0/0x3c0
+  WARN:  kthread+0x113/0x130
+  WARN:  ? kthread_park+0x90/0x90
+  WARN:  ret_from_fork+0x3a/0x50
+
+This patch sets evtchn_to_irq rows via a cmpxchg operation so that they
+will be set only once. The row is now cleared before writing it to
+evtchn_to_irq in order to not create a race once the row is visible for
+other threads.
+
+While at it, do not require the page to be zeroed, because it will be
+overwritten with -1's in clear_evtchn_to_irq_row anyway.
+
+Signed-off-by: Maximilian Heyne <mheyne@amazon.de>
+Fixes: d0b075ffeede ("xen/events: Refactor evtchn_to_irq array to be dynamically allocated")
+Link: https://lore.kernel.org/r/20210812130930.127134-1-mheyne@amazon.de
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/xen/events/events_base.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c
+index a2f8130e18fe..d138027034fd 100644
+--- a/drivers/xen/events/events_base.c
++++ b/drivers/xen/events/events_base.c
+@@ -133,12 +133,12 @@ static void disable_dynirq(struct irq_data *data);
+ static DEFINE_PER_CPU(unsigned int, irq_epoch);
+-static void clear_evtchn_to_irq_row(unsigned row)
++static void clear_evtchn_to_irq_row(int *evtchn_row)
+ {
+       unsigned col;
+       for (col = 0; col < EVTCHN_PER_ROW; col++)
+-              WRITE_ONCE(evtchn_to_irq[row][col], -1);
++              WRITE_ONCE(evtchn_row[col], -1);
+ }
+ static void clear_evtchn_to_irq_all(void)
+@@ -148,7 +148,7 @@ static void clear_evtchn_to_irq_all(void)
+       for (row = 0; row < EVTCHN_ROW(xen_evtchn_max_channels()); row++) {
+               if (evtchn_to_irq[row] == NULL)
+                       continue;
+-              clear_evtchn_to_irq_row(row);
++              clear_evtchn_to_irq_row(evtchn_to_irq[row]);
+       }
+ }
+@@ -156,6 +156,7 @@ static int set_evtchn_to_irq(unsigned evtchn, unsigned irq)
+ {
+       unsigned row;
+       unsigned col;
++      int *evtchn_row;
+       if (evtchn >= xen_evtchn_max_channels())
+               return -EINVAL;
+@@ -168,11 +169,18 @@ static int set_evtchn_to_irq(unsigned evtchn, unsigned irq)
+               if (irq == -1)
+                       return 0;
+-              evtchn_to_irq[row] = (int *)get_zeroed_page(GFP_KERNEL);
+-              if (evtchn_to_irq[row] == NULL)
++              evtchn_row = (int *) __get_free_pages(GFP_KERNEL, 0);
++              if (evtchn_row == NULL)
+                       return -ENOMEM;
+-              clear_evtchn_to_irq_row(row);
++              clear_evtchn_to_irq_row(evtchn_row);
++
++              /*
++               * We've prepared an empty row for the mapping. If a different
++               * thread was faster inserting it, we can drop ours.
++               */
++              if (cmpxchg(&evtchn_to_irq[row], NULL, evtchn_row) != NULL)
++                      free_page((unsigned long) evtchn_row);
+       }
+       WRITE_ONCE(evtchn_to_irq[row][col], irq);
+-- 
+2.30.2
+
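Review bot: In set_evtchn_to_irq() the row is now allocated with `__get_free_pages(GFP_KERNEL, 0)` but released with `free_page()` on the losing side of the cmpxchg; `__get_free_page(GFP_KERNEL)` is the matching single-page form and reads more naturally next to it. The cast is also written `(int *) __get_free_pages(...)` with a space that kernel style normally omits. Separately, the added comment says the row is "empty" but not that the order is what makes the change safe, so I would extend it with `* The row must be filled with -1 before the cmpxchg() makes it visible to other CPUs.` The enclosing `if` that tests `evtchn_to_irq[row]` starts outside the hunk.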