--- /dev/null
+From 4cfba0856280f5ded3296a1efc9720178d4f3c67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Jul 2021 18:09:27 +0100
+Subject: ASoC: cs42l42: Correct definition of ADC Volume control
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit ee86f680ff4c9b406d49d4e22ddf10805b8a2137 ]
+
+The ADC volume is a signed 8-bit number with range -97 to +12,
+with -97 being mute. Use a SOC_SINGLE_S8_TLV() to define this
+and fix the DECLARE_TLV_DB_SCALE() to have the correct start and
+mute flag.
+
+Fixes: 2c394ca79604 ("ASoC: Add support for CS42L42 codec")
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Link: https://lore.kernel.org/r/20210729170929.6589-1-rf@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/cs42l42.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/sound/soc/codecs/cs42l42.c b/sound/soc/codecs/cs42l42.c
+index 7c6b10bc0b8c..64e8831e7b8a 100644
+--- a/sound/soc/codecs/cs42l42.c
++++ b/sound/soc/codecs/cs42l42.c
+@@ -403,7 +403,7 @@ static const struct regmap_config cs42l42_regmap = {
+ .use_single_write = true,
+ };
+
+-static DECLARE_TLV_DB_SCALE(adc_tlv, -9600, 100, false);
++static DECLARE_TLV_DB_SCALE(adc_tlv, -9700, 100, true);
+ static DECLARE_TLV_DB_SCALE(mixer_tlv, -6300, 100, true);
+
+ static const char * const cs42l42_hpf_freq_text[] = {
+@@ -442,8 +442,7 @@ static const struct snd_kcontrol_new cs42l42_snd_controls[] = {
+ CS42L42_ADC_INV_SHIFT, true, false),
+ SOC_SINGLE("ADC Boost Switch", CS42L42_ADC_CTL,
+ CS42L42_ADC_DIG_BOOST_SHIFT, true, false),
+- SOC_SINGLE_SX_TLV("ADC Volume", CS42L42_ADC_VOLUME,
+- CS42L42_ADC_VOL_SHIFT, 0xA0, 0x6C, adc_tlv),
++ SOC_SINGLE_S8_TLV("ADC Volume", CS42L42_ADC_VOLUME, -97, 12, adc_tlv),
+ SOC_SINGLE("ADC WNF Switch", CS42L42_ADC_WNF_HPF_CTL,
+ CS42L42_ADC_WNF_EN_SHIFT, true, false),
+ SOC_SINGLE("ADC HPF Switch", CS42L42_ADC_WNF_HPF_CTL,
+--
+2.30.2
+
--- /dev/null
+From 3d999c3ba013d39c7846f2e8c1a7230c0c9f52df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Jul 2021 18:09:28 +0100
+Subject: ASoC: cs42l42: Don't allow SND_SOC_DAIFMT_LEFT_J
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit 64324bac750b84ca54711fb7d332132fcdb87293 ]
+
+The driver has no support for left-justified protocol so it should
+not have been allowing this to be passed to cs42l42_set_dai_fmt().
+
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Fixes: 2c394ca79604 ("ASoC: Add support for CS42L42 codec")
+Link: https://lore.kernel.org/r/20210729170929.6589-2-rf@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/cs42l42.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/sound/soc/codecs/cs42l42.c b/sound/soc/codecs/cs42l42.c
+index 64e8831e7b8a..9269b7003b31 100644
+--- a/sound/soc/codecs/cs42l42.c
++++ b/sound/soc/codecs/cs42l42.c
+@@ -772,7 +772,6 @@ static int cs42l42_set_dai_fmt(struct snd_soc_dai *codec_dai, unsigned int fmt)
+ /* interface format */
+ switch (fmt & SND_SOC_DAIFMT_FORMAT_MASK) {
+ case SND_SOC_DAIFMT_I2S:
+- case SND_SOC_DAIFMT_LEFT_J:
+ break;
+ default:
+ return -EINVAL;
+--
+2.30.2
+
--- /dev/null
+From 17cb1e55c844a25ca692a4c9f6d781cf65dd937d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Aug 2021 17:08:33 +0100
+Subject: ASoC: cs42l42: Fix inversion of ADC Notch Switch control
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit 30615bd21b4cc3c3bb5ae8bd70e2a915cc5f75c7 ]
+
+The underlying register field has inverted sense (0 = enabled) so
+the control definition must be marked as inverted.
+
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Fixes: 2c394ca79604 ("ASoC: Add support for CS42L42 codec")
+Link: https://lore.kernel.org/r/20210803160834.9005-1-rf@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/cs42l42.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/cs42l42.c b/sound/soc/codecs/cs42l42.c
+index 9269b7003b31..298354d4ab8d 100644
+--- a/sound/soc/codecs/cs42l42.c
++++ b/sound/soc/codecs/cs42l42.c
+@@ -435,7 +435,7 @@ static SOC_ENUM_SINGLE_DECL(cs42l42_wnf05_freq_enum, CS42L42_ADC_WNF_HPF_CTL,
+ static const struct snd_kcontrol_new cs42l42_snd_controls[] = {
+ /* ADC Volume and Filter Controls */
+ SOC_SINGLE("ADC Notch Switch", CS42L42_ADC_CTL,
+- CS42L42_ADC_NOTCH_DIS_SHIFT, true, false),
++ CS42L42_ADC_NOTCH_DIS_SHIFT, true, true),
+ SOC_SINGLE("ADC Weak Force Switch", CS42L42_ADC_CTL,
+ CS42L42_ADC_FORCE_WEAK_VCM_SHIFT, true, false),
+ SOC_SINGLE("ADC Invert Switch", CS42L42_ADC_CTL,
+--
+2.30.2
+
--- /dev/null
+From 3e5fb4e82e04d4ba23b38304576125bf42d72f9c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Aug 2021 17:11:05 +0100
+Subject: ASoC: cs42l42: Fix LRCLK frame start edge
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit 0c2f2ad4f16a58879463d0979a54293f8f296d6f ]
+
+An I2S frame starts on the falling edge of LRCLK so ASP_STP must
+be 0.
+
+At the same time, move other format settings in the same register
+from cs42l42_pll_config() to cs42l42_set_dai_fmt() where you'd
+expect to find them, and merge into a single write.
+
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Fixes: 2c394ca79604 ("ASoC: Add support for CS42L42 codec")
+Link: https://lore.kernel.org/r/20210805161111.10410-2-rf@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/cs42l42.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/sound/soc/codecs/cs42l42.c b/sound/soc/codecs/cs42l42.c
+index ab6f89032ea0..828dc78202e8 100644
+--- a/sound/soc/codecs/cs42l42.c
++++ b/sound/soc/codecs/cs42l42.c
+@@ -658,15 +658,6 @@ static int cs42l42_pll_config(struct snd_soc_component *component)
+ CS42L42_FSYNC_PULSE_WIDTH_MASK,
+ CS42L42_FRAC1_VAL(fsync - 1) <<
+ CS42L42_FSYNC_PULSE_WIDTH_SHIFT);
+- snd_soc_component_update_bits(component,
+- CS42L42_ASP_FRM_CFG,
+- CS42L42_ASP_5050_MASK,
+- CS42L42_ASP_5050_MASK);
+- /* Set the frame delay to 1.0 SCLK clocks */
+- snd_soc_component_update_bits(component, CS42L42_ASP_FRM_CFG,
+- CS42L42_ASP_FSD_MASK,
+- CS42L42_ASP_FSD_1_0 <<
+- CS42L42_ASP_FSD_SHIFT);
+ /* Set the sample rates (96k or lower) */
+ snd_soc_component_update_bits(component, CS42L42_FS_RATE_EN,
+ CS42L42_FS_EN_MASK,
+@@ -762,6 +753,18 @@ static int cs42l42_set_dai_fmt(struct snd_soc_dai *codec_dai, unsigned int fmt)
+ /* interface format */
+ switch (fmt & SND_SOC_DAIFMT_FORMAT_MASK) {
+ case SND_SOC_DAIFMT_I2S:
++ /*
++ * 5050 mode, frame starts on falling edge of LRCLK,
++ * frame delayed by 1.0 SCLKs
++ */
++ snd_soc_component_update_bits(component,
++ CS42L42_ASP_FRM_CFG,
++ CS42L42_ASP_STP_MASK |
++ CS42L42_ASP_5050_MASK |
++ CS42L42_ASP_FSD_MASK,
++ CS42L42_ASP_5050_MASK |
++ (CS42L42_ASP_FSD_1_0 <<
++ CS42L42_ASP_FSD_SHIFT));
+ break;
+ default:
+ return -EINVAL;
+--
+2.30.2
+
--- /dev/null
+From 2c697c2e75ac0e017bcd159a5378038e727dbf27 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Aug 2021 17:08:34 +0100
+Subject: ASoC: cs42l42: Remove duplicate control for WNF filter frequency
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit 8b353bbeae20e2214c9d9d88bcb2fda4ba145d83 ]
+
+The driver was defining two ALSA controls that both change the same
+register field for the wind noise filter corner frequency. The filter
+response has two corners, at different frequencies, and the duplicate
+controls most likely were an attempt to be able to set the value using
+either of the frequencies.
+
+However, having two controls changing the same field can be problematic
+and it is unnecessary. Both frequencies are related to each other so
+setting one implies exactly what the other would be.
+
+Removing a control affects user-side code, but there is currently no
+known use of the removed control so it would be best to remove it now
+before it becomes a problem.
+
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Fixes: 2c394ca79604 ("ASoC: Add support for CS42L42 codec")
+Link: https://lore.kernel.org/r/20210803160834.9005-2-rf@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/cs42l42.c | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+diff --git a/sound/soc/codecs/cs42l42.c b/sound/soc/codecs/cs42l42.c
+index 298354d4ab8d..ab6f89032ea0 100644
+--- a/sound/soc/codecs/cs42l42.c
++++ b/sound/soc/codecs/cs42l42.c
+@@ -423,15 +423,6 @@ static SOC_ENUM_SINGLE_DECL(cs42l42_wnf3_freq_enum, CS42L42_ADC_WNF_HPF_CTL,
+ CS42L42_ADC_WNF_CF_SHIFT,
+ cs42l42_wnf3_freq_text);
+
+-static const char * const cs42l42_wnf05_freq_text[] = {
+- "280Hz", "315Hz", "350Hz", "385Hz",
+- "420Hz", "455Hz", "490Hz", "525Hz"
+-};
+-
+-static SOC_ENUM_SINGLE_DECL(cs42l42_wnf05_freq_enum, CS42L42_ADC_WNF_HPF_CTL,
+- CS42L42_ADC_WNF_CF_SHIFT,
+- cs42l42_wnf05_freq_text);
+-
+ static const struct snd_kcontrol_new cs42l42_snd_controls[] = {
+ /* ADC Volume and Filter Controls */
+ SOC_SINGLE("ADC Notch Switch", CS42L42_ADC_CTL,
+@@ -449,7 +440,6 @@ static const struct snd_kcontrol_new cs42l42_snd_controls[] = {
+ CS42L42_ADC_HPF_EN_SHIFT, true, false),
+ SOC_ENUM("HPF Corner Freq", cs42l42_hpf_freq_enum),
+ SOC_ENUM("WNF 3dB Freq", cs42l42_wnf3_freq_enum),
+- SOC_ENUM("WNF 05dB Freq", cs42l42_wnf05_freq_enum),
+
+ /* DAC Volume and Filter Controls */
+ SOC_SINGLE("DACA Invert Switch", CS42L42_DAC_CTL1,
+--
+2.30.2
+
--- /dev/null
+From 8553794bf9c43c4daf3d27c009985ca298f548ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Aug 2021 10:17:49 -0500
+Subject: ASoC: SOF: Intel: hda-ipc: fix reply size checking
+
+From: Guennadi Liakhovetski <guennadi.liakhovetski@linux.intel.com>
+
+[ Upstream commit 973b393fdf073a4ebd8d82ef6edea99fedc74af9 ]
+
+Checking that two values don't have common bits makes no sense,
+strict equality is meant.
+
+Fixes: f3b433e4699f ("ASoC: SOF: Implement Probe IPC API")
+Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+Signed-off-by: Guennadi Liakhovetski <guennadi.liakhovetski@linux.intel.com>
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://lore.kernel.org/r/20210802151749.15417-1-pierre-louis.bossart@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sof/intel/hda-ipc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/sof/intel/hda-ipc.c b/sound/soc/sof/intel/hda-ipc.c
+index c91aa951df22..acfeca42604c 100644
+--- a/sound/soc/sof/intel/hda-ipc.c
++++ b/sound/soc/sof/intel/hda-ipc.c
+@@ -107,8 +107,8 @@ void hda_dsp_ipc_get_reply(struct snd_sof_dev *sdev)
+ } else {
+ /* reply correct size ? */
+ if (reply.hdr.size != msg->reply_size &&
+- /* getter payload is never known upfront */
+- !(reply.hdr.cmd & SOF_IPC_GLB_PROBE)) {
++ /* getter payload is never known upfront */
++ ((reply.hdr.cmd & SOF_GLB_TYPE_MASK) != SOF_IPC_GLB_PROBE)) {
+ dev_err(sdev->dev, "error: reply expected %zu got %u bytes\n",
+ msg->reply_size, reply.hdr.size);
+ ret = -EINVAL;
+--
+2.30.2
+
--- /dev/null
+From 52ee6b38c43afd43526e40d6495140b8a575bd35 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Aug 2021 17:52:06 +0200
+Subject: bareudp: Fix invalid read beyond skb's linear data
+
+From: Guillaume Nault <gnault@redhat.com>
+
+[ Upstream commit 143a8526ab5fd4f8a0c4fe2a9cb28c181dc5a95f ]
+
+Data beyond the UDP header might not be part of the skb's linear data.
+Use skb_copy_bits() instead of direct access to skb->data+X, so that
+we read the correct bytes even on a fragmented skb.
+
+Fixes: 4b5f67232d95 ("net: Special handling for IP & MPLS.")
+Signed-off-by: Guillaume Nault <gnault@redhat.com>
+Link: https://lore.kernel.org/r/7741c46545c6ef02e70c80a9b32814b22d9616b3.1628264975.git.gnault@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bareudp.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/bareudp.c b/drivers/net/bareudp.c
+index 59c1724bcd0e..39b128205f25 100644
+--- a/drivers/net/bareudp.c
++++ b/drivers/net/bareudp.c
+@@ -71,12 +71,18 @@ static int bareudp_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
+ family = AF_INET6;
+
+ if (bareudp->ethertype == htons(ETH_P_IP)) {
+- struct iphdr *iphdr;
++ __u8 ipversion;
+
+- iphdr = (struct iphdr *)(skb->data + BAREUDP_BASE_HLEN);
+- if (iphdr->version == 4) {
+- proto = bareudp->ethertype;
+- } else if (bareudp->multi_proto_mode && (iphdr->version == 6)) {
++ if (skb_copy_bits(skb, BAREUDP_BASE_HLEN, &ipversion,
++ sizeof(ipversion))) {
++ bareudp->dev->stats.rx_dropped++;
++ goto drop;
++ }
++ ipversion >>= 4;
++
++ if (ipversion == 4) {
++ proto = htons(ETH_P_IP);
++ } else if (ipversion == 6 && bareudp->multi_proto_mode) {
+ proto = htons(ETH_P_IPV6);
+ } else {
+ bareudp->dev->stats.rx_dropped++;
+--
+2.30.2
+
--- /dev/null
+From e6ec13b9c41d05a66b4469b06401a97ba3a8f3ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Aug 2021 00:04:18 +0900
+Subject: bpf: Fix integer overflow involving bucket_size
+
+From: Tatsuhiko Yasumatsu <th.yasumatsu@gmail.com>
+
+[ Upstream commit c4eb1f403243fc7bbb7de644db8587c03de36da6 ]
+
+In __htab_map_lookup_and_delete_batch(), hash buckets are iterated
+over to count the number of elements in each bucket (bucket_size).
+If bucket_size is large enough, the multiplication to calculate
+kvmalloc() size could overflow, resulting in out-of-bounds write
+as reported by KASAN:
+
+ [...]
+ [ 104.986052] BUG: KASAN: vmalloc-out-of-bounds in __htab_map_lookup_and_delete_batch+0x5ce/0xb60
+ [ 104.986489] Write of size 4194224 at addr ffffc9010503be70 by task crash/112
+ [ 104.986889]
+ [ 104.987193] CPU: 0 PID: 112 Comm: crash Not tainted 5.14.0-rc4 #13
+ [ 104.987552] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
+ [ 104.988104] Call Trace:
+ [ 104.988410] dump_stack_lvl+0x34/0x44
+ [ 104.988706] print_address_description.constprop.0+0x21/0x140
+ [ 104.988991] ? __htab_map_lookup_and_delete_batch+0x5ce/0xb60
+ [ 104.989327] ? __htab_map_lookup_and_delete_batch+0x5ce/0xb60
+ [ 104.989622] kasan_report.cold+0x7f/0x11b
+ [ 104.989881] ? __htab_map_lookup_and_delete_batch+0x5ce/0xb60
+ [ 104.990239] kasan_check_range+0x17c/0x1e0
+ [ 104.990467] memcpy+0x39/0x60
+ [ 104.990670] __htab_map_lookup_and_delete_batch+0x5ce/0xb60
+ [ 104.990982] ? __wake_up_common+0x4d/0x230
+ [ 104.991256] ? htab_of_map_free+0x130/0x130
+ [ 104.991541] bpf_map_do_batch+0x1fb/0x220
+ [...]
+
+In hashtable, if the elements' keys have the same jhash() value, the
+elements will be put into the same bucket. By putting a lot of elements
+into a single bucket, the value of bucket_size can be increased to
+trigger the integer overflow.
+
+Triggering the overflow is possible for both callers with CAP_SYS_ADMIN
+and callers without CAP_SYS_ADMIN.
+
+It will be trivial for a caller with CAP_SYS_ADMIN to intentionally
+reach this overflow by enabling BPF_F_ZERO_SEED. As this flag will set
+the random seed passed to jhash() to 0, it will be easy for the caller
+to prepare keys which will be hashed into the same value, and thus put
+all the elements into the same bucket.
+
+If the caller does not have CAP_SYS_ADMIN, BPF_F_ZERO_SEED cannot be
+used. However, it will be still technically possible to trigger the
+overflow, by guessing the random seed value passed to jhash() (32bit)
+and repeating the attempt to trigger the overflow. In this case,
+the probability to trigger the overflow will be low and will take
+a very long time.
+
+Fix the integer overflow by calling kvmalloc_array() instead of
+kvmalloc() to allocate memory.
+
+Fixes: 057996380a42 ("bpf: Add batch ops to all htab bpf map")
+Signed-off-by: Tatsuhiko Yasumatsu <th.yasumatsu@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20210806150419.109658-1-th.yasumatsu@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/hashtab.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c
+index 1fccba6e88c4..6c444e815406 100644
+--- a/kernel/bpf/hashtab.c
++++ b/kernel/bpf/hashtab.c
+@@ -1425,8 +1425,8 @@ alloc:
+ /* We cannot do copy_from_user or copy_to_user inside
+ * the rcu_read_lock. Allocate enough space here.
+ */
+- keys = kvmalloc(key_size * bucket_size, GFP_USER | __GFP_NOWARN);
+- values = kvmalloc(value_size * bucket_size, GFP_USER | __GFP_NOWARN);
++ keys = kvmalloc_array(key_size, bucket_size, GFP_USER | __GFP_NOWARN);
++ values = kvmalloc_array(value_size, bucket_size, GFP_USER | __GFP_NOWARN);
+ if (!keys || !values) {
+ ret = -ENOMEM;
+ goto after_loop;
+--
+2.30.2
+
--- /dev/null
+From 9729174b490ee8cfee2a4873a4a95ac40f0b563f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Aug 2021 10:41:30 -0700
+Subject: drm/i915: Only access SFC_DONE when media domain is not fused off
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matt Roper <matthew.d.roper@intel.com>
+
+[ Upstream commit 24d032e2359e3abc926b3d423f49a7c33e0b7836 ]
+
+The SFC_DONE register lives within the corresponding VD0/VD2/VD4/VD6
+forcewake domain and is not accessible if the vdbox in that domain is
+fused off and the forcewake is not initialized.
+
+This mistake went unnoticed because until recently we were using the
+wrong register offset for the SFC_DONE register; once the register
+offset was corrected, we started hitting errors like
+
+ <4> [544.989065] i915 0000:cc:00.0: Uninitialized forcewake domain(s) 0x80 accessed at 0x1ce000
+
+on parts with fused-off vdbox engines.
+
+Fixes: e50dbdbfd9fb ("drm/i915/tgl: Add SFC instdone to error state")
+Fixes: 9c9c6d0ab08a ("drm/i915: Correct SFC_DONE register offset")
+Cc: Daniele Ceraolo Spurio <daniele.ceraolospurio@intel.com>
+Cc: Mika Kuoppala <mika.kuoppala@linux.intel.com>
+Signed-off-by: Matt Roper <matthew.d.roper@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210806174130.1058960-1-matthew.d.roper@intel.com
+Reviewed-by: José Roberto de Souza <jose.souza@intel.com>
+(cherry picked from commit c5589bb5dccb0c5cb74910da93663f489589f3ce)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+[Changed Fixes tag to match the cherry-picked 82929a2140eb]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/i915_gpu_error.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/i915/i915_gpu_error.c b/drivers/gpu/drm/i915/i915_gpu_error.c
+index cf6e47adfde6..9ce8f043ad7f 100644
+--- a/drivers/gpu/drm/i915/i915_gpu_error.c
++++ b/drivers/gpu/drm/i915/i915_gpu_error.c
+@@ -727,9 +727,18 @@ static void err_print_gt(struct drm_i915_error_state_buf *m,
+ if (INTEL_GEN(m->i915) >= 12) {
+ int i;
+
+- for (i = 0; i < GEN12_SFC_DONE_MAX; i++)
++ for (i = 0; i < GEN12_SFC_DONE_MAX; i++) {
++ /*
++ * SFC_DONE resides in the VD forcewake domain, so it
++ * only exists if the corresponding VCS engine is
++ * present.
++ */
++ if (!HAS_ENGINE(gt->_gt, _VCS(i * 2)))
++ continue;
++
+ err_printf(m, " SFC_DONE[%d]: 0x%08x\n", i,
+ gt->sfc_done[i]);
++ }
+
+ err_printf(m, " GAM_DONE: 0x%08x\n", gt->gam_done);
+ }
+@@ -1594,6 +1603,14 @@ static void gt_record_regs(struct intel_gt_coredump *gt)
+
+ if (INTEL_GEN(i915) >= 12) {
+ for (i = 0; i < GEN12_SFC_DONE_MAX; i++) {
++ /*
++ * SFC_DONE resides in the VD forcewake domain, so it
++ * only exists if the corresponding VCS engine is
++ * present.
++ */
++ if (!HAS_ENGINE(gt->_gt, _VCS(i * 2)))
++ continue;
++
+ gt->sfc_done[i] =
+ intel_uncore_read(uncore, GEN12_SFC_DONE(i));
+ }
+--
+2.30.2
+
--- /dev/null
+From a6a7d5172e2ad770816c3fc48d1e6ef52fdeced3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Aug 2021 09:40:05 +0000
+Subject: drm/meson: fix colour distortion from HDR set during vendor u-boot
+
+From: Christian Hewitt <christianshewitt@gmail.com>
+
+[ Upstream commit bf33677a3c394bb8fddd48d3bbc97adf0262e045 ]
+
+Add support for the OSD1 HDR registers so meson DRM can handle the HDR
+properties set by Amlogic u-boot on G12A and newer devices which result
+in blue/green/pink colour distortion to display output.
+
+This takes the original patch submissions from Mathias [0] and [1] with
+corrections for formatting and the missing description and attribution
+needed for merge.
+
+[0] https://lore.kernel.org/linux-amlogic/59dfd7e6-fc91-3d61-04c4-94e078a3188c@baylibre.com/T/
+[1] https://lore.kernel.org/linux-amlogic/CAOKfEHBx_fboUqkENEMd-OC-NSrf46nto+vDLgvgttzPe99kXg@mail.gmail.com/T/#u
+
+Fixes: 728883948b0d ("drm/meson: Add G12A Support for VIU setup")
+Suggested-by: Mathias Steiger <mathias.steiger@googlemail.com>
+Signed-off-by: Christian Hewitt <christianshewitt@gmail.com>
+Tested-by: Neil Armstrong <narmstrong@baylibre.com>
+Tested-by: Philip Milev <milev.philip@gmail.com>
+[narmsrong: adding missing space on second tested-by tag]
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210806094005.7136-1-christianshewitt@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/meson/meson_registers.h | 5 +++++
+ drivers/gpu/drm/meson/meson_viu.c | 7 ++++++-
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/meson/meson_registers.h b/drivers/gpu/drm/meson/meson_registers.h
+index 446e7961da48..0f3cafab8860 100644
+--- a/drivers/gpu/drm/meson/meson_registers.h
++++ b/drivers/gpu/drm/meson/meson_registers.h
+@@ -634,6 +634,11 @@
+ #define VPP_WRAP_OSD3_MATRIX_PRE_OFFSET2 0x3dbc
+ #define VPP_WRAP_OSD3_MATRIX_EN_CTRL 0x3dbd
+
++/* osd1 HDR */
++#define OSD1_HDR2_CTRL 0x38a0
++#define OSD1_HDR2_CTRL_VDIN0_HDR2_TOP_EN BIT(13)
++#define OSD1_HDR2_CTRL_REG_ONLY_MAT BIT(16)
++
+ /* osd2 scaler */
+ #define OSD2_VSC_PHASE_STEP 0x3d00
+ #define OSD2_VSC_INI_PHASE 0x3d01
+diff --git a/drivers/gpu/drm/meson/meson_viu.c b/drivers/gpu/drm/meson/meson_viu.c
+index aede0c67a57f..259f3e6bec90 100644
+--- a/drivers/gpu/drm/meson/meson_viu.c
++++ b/drivers/gpu/drm/meson/meson_viu.c
+@@ -425,9 +425,14 @@ void meson_viu_init(struct meson_drm *priv)
+ if (meson_vpu_is_compatible(priv, VPU_COMPATIBLE_GXM) ||
+ meson_vpu_is_compatible(priv, VPU_COMPATIBLE_GXL))
+ meson_viu_load_matrix(priv);
+- else if (meson_vpu_is_compatible(priv, VPU_COMPATIBLE_G12A))
++ else if (meson_vpu_is_compatible(priv, VPU_COMPATIBLE_G12A)) {
+ meson_viu_set_g12a_osd1_matrix(priv, RGB709_to_YUV709l_coeff,
+ true);
++ /* fix green/pink color distortion from vendor u-boot */
++ writel_bits_relaxed(OSD1_HDR2_CTRL_REG_ONLY_MAT |
++ OSD1_HDR2_CTRL_VDIN0_HDR2_TOP_EN, 0,
++ priv->io_base + _REG(OSD1_HDR2_CTRL));
++ }
+
+ /* Initialize OSD1 fifo control register */
+ reg = VIU_OSD_DDR_PRIORITY_URGENT |
+--
+2.30.2
+
--- /dev/null
+From 3612dde11890173918a89d52dbd2f9288144df38 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jun 2021 09:53:33 -0700
+Subject: iavf: Set RSS LUT and key in reset handle path
+
+From: Md Fahad Iqbal Polash <md.fahad.iqbal.polash@intel.com>
+
+[ Upstream commit a7550f8b1c9712894f9e98d6caf5f49451ebd058 ]
+
+iavf driver should set RSS LUT and key unconditionally in reset
+path. Currently, the driver does not do that. This patch fixes
+this issue.
+
+Fixes: 2c86ac3c7079 ("i40evf: create a generic config RSS function")
+Signed-off-by: Md Fahad Iqbal Polash <md.fahad.iqbal.polash@intel.com>
+Tested-by: Konrad Jankowski <konrad0.jankowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index f3caf5eab8d4..c4ec9a91c7c5 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -1489,11 +1489,6 @@ static int iavf_reinit_interrupt_scheme(struct iavf_adapter *adapter)
+ set_bit(__IAVF_VSI_DOWN, adapter->vsi.state);
+
+ iavf_map_rings_to_vectors(adapter);
+-
+- if (RSS_AQ(adapter))
+- adapter->aq_required |= IAVF_FLAG_AQ_CONFIGURE_RSS;
+- else
+- err = iavf_init_rss(adapter);
+ err:
+ return err;
+ }
+@@ -2167,6 +2162,14 @@ continue_reset:
+ goto reset_err;
+ }
+
++ if (RSS_AQ(adapter)) {
++ adapter->aq_required |= IAVF_FLAG_AQ_CONFIGURE_RSS;
++ } else {
++ err = iavf_init_rss(adapter);
++ if (err)
++ goto reset_err;
++ }
++
+ adapter->aq_required |= IAVF_FLAG_AQ_GET_CONFIG;
+ adapter->aq_required |= IAVF_FLAG_AQ_MAP_VECTORS;
+
+--
+2.30.2
+
--- /dev/null
+From d8c6ee7726668828873e710c40621695cd7038aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Aug 2021 09:51:27 -0700
+Subject: ice: don't remove netdev->dev_addr from uc sync list
+
+From: Brett Creeley <brett.creeley@intel.com>
+
+[ Upstream commit 3ba7f53f8bf1fb862e36c7f74434ac3aceb60158 ]
+
+In some circumstances, such as with bridging, it's possible that the
+stack will add the device's own MAC address to its unicast address list.
+
+If, later, the stack deletes this address, the driver will receive a
+request to remove this address.
+
+The driver stores its current MAC address as part of the VSI MAC filter
+list instead of separately. So, this causes a problem when the device's
+MAC address is deleted unexpectedly, which results in traffic failure in
+some cases.
+
+The following configuration steps will reproduce the previously
+mentioned problem:
+
+> ip link set eth0 up
+> ip link add dev br0 type bridge
+> ip link set br0 up
+> ip addr flush dev eth0
+> ip link set eth0 master br0
+> echo 1 > /sys/class/net/br0/bridge/vlan_filtering
+> modprobe -r veth
+> modprobe -r bridge
+> ip addr add 192.168.1.100/24 dev eth0
+
+The following ping command fails due to the netdev->dev_addr being
+deleted when removing the bridge module.
+> ping <link partner>
+
+Fix this by making sure to not delete the netdev->dev_addr during MAC
+address sync. After fixing this issue it was noticed that the
+netdev_warn() in .set_mac was overly verbose, so make it at
+netdev_dbg().
+
+Also, there is a possibility of a race condition between .set_mac and
+.set_rx_mode. Fix this by calling netif_addr_lock_bh() and
+netif_addr_unlock_bh() on the device's netdev when the netdev->dev_addr
+is going to be updated in .set_mac.
+
+Fixes: e94d44786693 ("ice: Implement filter sync, NDO operations and bump version")
+Signed-off-by: Brett Creeley <brett.creeley@intel.com>
+Tested-by: Liang Li <liali@redhat.com>
+Tested-by: Gurucharan G <gurucharanx.g@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_main.c | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c
+index 6421e9fd69a2..a46780570cd9 100644
+--- a/drivers/net/ethernet/intel/ice/ice_main.c
++++ b/drivers/net/ethernet/intel/ice/ice_main.c
+@@ -189,6 +189,14 @@ static int ice_add_mac_to_unsync_list(struct net_device *netdev, const u8 *addr)
+ struct ice_netdev_priv *np = netdev_priv(netdev);
+ struct ice_vsi *vsi = np->vsi;
+
++ /* Under some circumstances, we might receive a request to delete our
++ * own device address from our uc list. Because we store the device
++ * address in the VSI's MAC filter list, we need to ignore such
++ * requests and not delete our device address from this list.
++ */
++ if (ether_addr_equal(addr, netdev->dev_addr))
++ return 0;
++
+ if (ice_fltr_add_mac_to_list(vsi, &vsi->tmp_unsync_list, addr,
+ ICE_FWD_TO_VSI))
+ return -EINVAL;
+@@ -4881,7 +4889,7 @@ static int ice_set_mac_address(struct net_device *netdev, void *pi)
+ return -EADDRNOTAVAIL;
+
+ if (ether_addr_equal(netdev->dev_addr, mac)) {
+- netdev_warn(netdev, "already using mac %pM\n", mac);
++ netdev_dbg(netdev, "already using mac %pM\n", mac);
+ return 0;
+ }
+
+@@ -4892,6 +4900,7 @@ static int ice_set_mac_address(struct net_device *netdev, void *pi)
+ return -EBUSY;
+ }
+
++ netif_addr_lock_bh(netdev);
+ /* Clean up old MAC filter. Not an error if old filter doesn't exist */
+ status = ice_fltr_remove_mac(vsi, netdev->dev_addr, ICE_FWD_TO_VSI);
+ if (status && status != ICE_ERR_DOES_NOT_EXIST) {
+@@ -4901,30 +4910,28 @@ static int ice_set_mac_address(struct net_device *netdev, void *pi)
+
+ /* Add filter for new MAC. If filter exists, return success */
+ status = ice_fltr_add_mac(vsi, mac, ICE_FWD_TO_VSI);
+- if (status == ICE_ERR_ALREADY_EXISTS) {
++ if (status == ICE_ERR_ALREADY_EXISTS)
+ /* Although this MAC filter is already present in hardware it's
+ * possible in some cases (e.g. bonding) that dev_addr was
+ * modified outside of the driver and needs to be restored back
+ * to this value.
+ */
+- memcpy(netdev->dev_addr, mac, netdev->addr_len);
+ netdev_dbg(netdev, "filter for MAC %pM already exists\n", mac);
+- return 0;
+- }
+-
+- /* error if the new filter addition failed */
+- if (status)
++ else if (status)
++ /* error if the new filter addition failed */
+ err = -EADDRNOTAVAIL;
+
+ err_update_filters:
+ if (err) {
+ netdev_err(netdev, "can't set MAC %pM. filter update failed\n",
+ mac);
++ netif_addr_unlock_bh(netdev);
+ return err;
+ }
+
+ /* change the netdev's MAC address */
+ memcpy(netdev->dev_addr, mac, netdev->addr_len);
++ netif_addr_unlock_bh(netdev);
+ netdev_dbg(vsi->netdev, "updated MAC address to %pM\n",
+ netdev->dev_addr);
+
+--
+2.30.2
+
--- /dev/null
+From 726d391eea80f58213dd1cc5716c68497d134b68 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Jul 2021 12:39:10 -0700
+Subject: ice: Prevent probing virtual functions
+
+From: Anirudh Venkataramanan <anirudh.venkataramanan@intel.com>
+
+[ Upstream commit 50ac7479846053ca8054be833c1594e64de496bb ]
+
+The userspace utility "driverctl" can be used to change/override the
+system's default driver choices. This is useful in some situations
+(buggy driver, old driver missing a device ID, trying a workaround,
+etc.) where the user needs to load a different driver.
+
+However, this is also prone to user error, where a driver is mapped
+to a device it's not designed to drive. For example, if the ice driver
+is mapped to driver iavf devices, the ice driver crashes.
+
+Add a check to return an error if the ice driver is being used to
+probe a virtual function.
+
+Fixes: 837f08fdecbe ("ice: Add basic driver framework for Intel(R) E800 Series")
+Signed-off-by: Anirudh Venkataramanan <anirudh.venkataramanan@intel.com>
+Tested-by: Gurucharan G <gurucharanx.g@intel.com>
+Tested-by: Konrad Jankowski <konrad0.jankowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c
+index 1567ddd4c5b8..6421e9fd69a2 100644
+--- a/drivers/net/ethernet/intel/ice/ice_main.c
++++ b/drivers/net/ethernet/intel/ice/ice_main.c
+@@ -3991,6 +3991,11 @@ ice_probe(struct pci_dev *pdev, const struct pci_device_id __always_unused *ent)
+ struct ice_hw *hw;
+ int i, err;
+
++ if (pdev->is_virtfn) {
++ dev_err(dev, "can't probe a virtual function\n");
++ return -EINVAL;
++ }
++
+ /* this driver uses devres, see
+ * Documentation/driver-api/driver-model/devres.rst
+ */
+--
+2.30.2
+
--- /dev/null
+From 1689d71783cb2112ca3206ca9aa5d6715f28993f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Jul 2021 23:56:32 +0800
+Subject: ieee802154: hwsim: fix GPF in hwsim_new_edge_nl
+
+From: Dongliang Mu <mudongliangabcd@gmail.com>
+
+[ Upstream commit 889d0e7dc68314a273627d89cbb60c09e1cc1c25 ]
+
+Both MAC802154_HWSIM_ATTR_RADIO_ID and MAC802154_HWSIM_ATTR_RADIO_EDGE
+must be present to fix GPF.
+
+Fixes: f25da51fdc38 ("ieee802154: hwsim: add replacement for fakelb")
+Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
+Acked-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20210707155633.1486603-1-mudongliangabcd@gmail.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ieee802154/mac802154_hwsim.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ieee802154/mac802154_hwsim.c b/drivers/net/ieee802154/mac802154_hwsim.c
+index 43f389540bba..080b15fc0060 100644
+--- a/drivers/net/ieee802154/mac802154_hwsim.c
++++ b/drivers/net/ieee802154/mac802154_hwsim.c
+@@ -418,7 +418,7 @@ static int hwsim_new_edge_nl(struct sk_buff *msg, struct genl_info *info)
+ struct hwsim_edge *e;
+ u32 v0, v1;
+
+- if (!info->attrs[MAC802154_HWSIM_ATTR_RADIO_ID] &&
++ if (!info->attrs[MAC802154_HWSIM_ATTR_RADIO_ID] ||
+ !info->attrs[MAC802154_HWSIM_ATTR_RADIO_EDGE])
+ return -EINVAL;
+
+--
+2.30.2
+
--- /dev/null
+From 8468debbc5782c5ac9518e214c661a6b83d9b8fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Jul 2021 21:13:20 +0800
+Subject: ieee802154: hwsim: fix GPF in hwsim_set_edge_lqi
+
+From: Dongliang Mu <mudongliangabcd@gmail.com>
+
+[ Upstream commit e9faf53c5a5d01f6f2a09ae28ec63a3bbd6f64fd ]
+
+Both MAC802154_HWSIM_ATTR_RADIO_ID and MAC802154_HWSIM_ATTR_RADIO_EDGE,
+MAC802154_HWSIM_EDGE_ATTR_ENDPOINT_ID and MAC802154_HWSIM_EDGE_ATTR_LQI
+must be present to fix GPF.
+
+Fixes: f25da51fdc38 ("ieee802154: hwsim: add replacement for fakelb")
+Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
+Acked-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20210705131321.217111-1-mudongliangabcd@gmail.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ieee802154/mac802154_hwsim.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ieee802154/mac802154_hwsim.c b/drivers/net/ieee802154/mac802154_hwsim.c
+index 626e1ce817fc..43f389540bba 100644
+--- a/drivers/net/ieee802154/mac802154_hwsim.c
++++ b/drivers/net/ieee802154/mac802154_hwsim.c
+@@ -528,14 +528,14 @@ static int hwsim_set_edge_lqi(struct sk_buff *msg, struct genl_info *info)
+ u32 v0, v1;
+ u8 lqi;
+
+- if (!info->attrs[MAC802154_HWSIM_ATTR_RADIO_ID] &&
++ if (!info->attrs[MAC802154_HWSIM_ATTR_RADIO_ID] ||
+ !info->attrs[MAC802154_HWSIM_ATTR_RADIO_EDGE])
+ return -EINVAL;
+
+ if (nla_parse_nested_deprecated(edge_attrs, MAC802154_HWSIM_EDGE_ATTR_MAX, info->attrs[MAC802154_HWSIM_ATTR_RADIO_EDGE], hwsim_edge_policy, NULL))
+ return -EINVAL;
+
+- if (!edge_attrs[MAC802154_HWSIM_EDGE_ATTR_ENDPOINT_ID] &&
++ if (!edge_attrs[MAC802154_HWSIM_EDGE_ATTR_ENDPOINT_ID] ||
+ !edge_attrs[MAC802154_HWSIM_EDGE_ATTR_LQI])
+ return -EINVAL;
+
+--
+2.30.2
+
--- /dev/null
+From 36874ac60c095178afa0616db16ee70f61c61d11 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jul 2021 10:54:32 -0700
+Subject: interconnect: qcom: icc-rpmh: Add BCMs to commit list in
+ pre_aggregate
+
+From: Mike Tipton <mdtipton@codeaurora.org>
+
+[ Upstream commit f84f5b6f72e68bbaeb850b58ac167e4a3a47532a ]
+
+We're only adding BCMs to the commit list in aggregate(), but there are
+cases where pre_aggregate() is called without subsequently calling
+aggregate(). In particular, in icc_sync_state() when a node with initial
+BW has zero requests. Since BCMs aren't added to the commit list in
+these cases, we don't actually send the zero BW request to HW. So the
+resources remain on unnecessarily.
+
+Add BCMs to the commit list in pre_aggregate() instead, which is always
+called even when there are no requests.
+
+Fixes: 976daac4a1c5 ("interconnect: qcom: Consolidate interconnect RPMh support")
+Signed-off-by: Mike Tipton <mdtipton@codeaurora.org>
+Link: https://lore.kernel.org/r/20210721175432.2119-5-mdtipton@codeaurora.org
+Signed-off-by: Georgi Djakov <djakov@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/interconnect/qcom/icc-rpmh.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/interconnect/qcom/icc-rpmh.c b/drivers/interconnect/qcom/icc-rpmh.c
+index f6fae64861ce..27cc5f03611c 100644
+--- a/drivers/interconnect/qcom/icc-rpmh.c
++++ b/drivers/interconnect/qcom/icc-rpmh.c
+@@ -20,13 +20,18 @@ void qcom_icc_pre_aggregate(struct icc_node *node)
+ {
+ size_t i;
+ struct qcom_icc_node *qn;
++ struct qcom_icc_provider *qp;
+
+ qn = node->data;
++ qp = to_qcom_provider(node->provider);
+
+ for (i = 0; i < QCOM_ICC_NUM_BUCKETS; i++) {
+ qn->sum_avg[i] = 0;
+ qn->max_peak[i] = 0;
+ }
++
++ for (i = 0; i < qn->num_bcms; i++)
++ qcom_icc_bcm_voter_add(qp->voter, qn->bcms[i]);
+ }
+ EXPORT_SYMBOL_GPL(qcom_icc_pre_aggregate);
+
+@@ -44,10 +49,8 @@ int qcom_icc_aggregate(struct icc_node *node, u32 tag, u32 avg_bw,
+ {
+ size_t i;
+ struct qcom_icc_node *qn;
+- struct qcom_icc_provider *qp;
+
+ qn = node->data;
+- qp = to_qcom_provider(node->provider);
+
+ if (!tag)
+ tag = QCOM_ICC_TAG_ALWAYS;
+@@ -67,9 +70,6 @@ int qcom_icc_aggregate(struct icc_node *node, u32 tag, u32 avg_bw,
+ *agg_avg += avg_bw;
+ *agg_peak = max_t(u32, *agg_peak, peak_bw);
+
+- for (i = 0; i < qn->num_bcms; i++)
+- qcom_icc_bcm_voter_add(qp->voter, qn->bcms[i]);
+-
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(qcom_icc_aggregate);
+--
+2.30.2
+
--- /dev/null
+From 3724486c41d61e3925cbdfe221ff9474f8031bca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Jul 2021 00:58:25 +0200
+Subject: libbpf: Fix probe for BPF_PROG_TYPE_CGROUP_SOCKOPT
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Robin Gögge <r.goegge@googlemail.com>
+
+[ Upstream commit 78d14bda861dd2729f15bb438fe355b48514bfe0 ]
+
+This patch fixes the probe for BPF_PROG_TYPE_CGROUP_SOCKOPT,
+so the probe reports accurate results when used by e.g.
+bpftool.
+
+Fixes: 4cdbfb59c44a ("libbpf: support sockopt hooks")
+Signed-off-by: Robin Gögge <r.goegge@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Quentin Monnet <quentin@isovalent.com>
+Link: https://lore.kernel.org/bpf/20210728225825.2357586-1-r.goegge@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/libbpf_probes.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/libbpf_probes.c b/tools/lib/bpf/libbpf_probes.c
+index 5482a9b7ae2d..d38284a3aaf0 100644
+--- a/tools/lib/bpf/libbpf_probes.c
++++ b/tools/lib/bpf/libbpf_probes.c
+@@ -75,6 +75,9 @@ probe_load(enum bpf_prog_type prog_type, const struct bpf_insn *insns,
+ case BPF_PROG_TYPE_CGROUP_SOCK_ADDR:
+ xattr.expected_attach_type = BPF_CGROUP_INET4_CONNECT;
+ break;
++ case BPF_PROG_TYPE_CGROUP_SOCKOPT:
++ xattr.expected_attach_type = BPF_CGROUP_GETSOCKOPT;
++ break;
+ case BPF_PROG_TYPE_SK_LOOKUP:
+ xattr.expected_attach_type = BPF_SK_LOOKUP;
+ break;
+@@ -104,7 +107,6 @@ probe_load(enum bpf_prog_type prog_type, const struct bpf_insn *insns,
+ case BPF_PROG_TYPE_SK_REUSEPORT:
+ case BPF_PROG_TYPE_FLOW_DISSECTOR:
+ case BPF_PROG_TYPE_CGROUP_SYSCTL:
+- case BPF_PROG_TYPE_CGROUP_SOCKOPT:
+ case BPF_PROG_TYPE_TRACING:
+ case BPF_PROG_TYPE_STRUCT_OPS:
+ case BPF_PROG_TYPE_EXT:
+--
+2.30.2
+
--- /dev/null
+From 7ae39894aa9ea8322770c5a097b6afb3104c2185 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Aug 2021 23:13:30 +0800
+Subject: nbd: Aovid double completion of a request
+
+From: Xie Yongji <xieyongji@bytedance.com>
+
+[ Upstream commit cddce01160582a5f52ada3da9626c052d852ec42 ]
+
+There is a race between iterating over requests in
+nbd_clear_que() and completing requests in recv_work(),
+which can lead to double completion of a request.
+
+To fix it, flush the recv worker before iterating over
+the requests and don't abort the completed request
+while iterating.
+
+Fixes: 96d97e17828f ("nbd: clear_sock on netlink disconnect")
+Reported-by: Jiang Yadong <jiangyadong@bytedance.com>
+Signed-off-by: Xie Yongji <xieyongji@bytedance.com>
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Link: https://lore.kernel.org/r/20210813151330.96-1-xieyongji@bytedance.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/nbd.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
+index 9a70eab7edbf..59c452fff835 100644
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -812,6 +812,10 @@ static bool nbd_clear_req(struct request *req, void *data, bool reserved)
+ {
+ struct nbd_cmd *cmd = blk_mq_rq_to_pdu(req);
+
++ /* don't abort one completed request */
++ if (blk_mq_request_completed(req))
++ return true;
++
+ mutex_lock(&cmd->lock);
+ cmd->status = BLK_STS_IOERR;
+ mutex_unlock(&cmd->lock);
+@@ -2024,15 +2028,19 @@ static void nbd_disconnect_and_put(struct nbd_device *nbd)
+ {
+ mutex_lock(&nbd->config_lock);
+ nbd_disconnect(nbd);
+- nbd_clear_sock(nbd);
+- mutex_unlock(&nbd->config_lock);
++ sock_shutdown(nbd);
+ /*
+ * Make sure recv thread has finished, so it does not drop the last
+ * config ref and try to destroy the workqueue from inside the work
+- * queue.
++ * queue. And this also ensure that we can safely call nbd_clear_que()
++ * to cancel the inflight I/Os.
+ */
+ if (nbd->recv_workq)
+ flush_workqueue(nbd->recv_workq);
++ nbd_clear_que(nbd);
++ nbd->task_setup = NULL;
++ mutex_unlock(&nbd->config_lock);
++
+ if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF,
+ &nbd->config->runtime_flags))
+ nbd_config_put(nbd);
+--
+2.30.2
+
--- /dev/null
+From 5fea272d5c5f7d933bd762d7a78865f0b83c2abc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 14:00:10 +0300
+Subject: net: bridge: fix flags interpretation for extern learn fdb entries
+
+From: Nikolay Aleksandrov <nikolay@nvidia.com>
+
+[ Upstream commit 45a687879b31caae4032abd1c2402e289d2b8083 ]
+
+Ignore fdb flags when adding port extern learn entries and always set
+BR_FDB_LOCAL flag when adding bridge extern learn entries. This is
+closest to the behaviour we had before and avoids breaking any use cases
+which were allowed.
+
+This patch fixes iproute2 calls which assume NUD_PERMANENT and were
+allowed before, example:
+$ bridge fdb add 00:11:22:33:44:55 dev swp1 extern_learn
+
+Extern learn entries are allowed to roam, but do not expire, so static
+or dynamic flags make no sense for them.
+
+Also add a comment for future reference.
+
+Fixes: eb100e0e24a2 ("net: bridge: allow to add externally learned entries from user-space")
+Fixes: 0541a6293298 ("net: bridge: validate the NUD_PERMANENT bit when adding an extern_learn FDB entry")
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Tested-by: Ido Schimmel <idosch@nvidia.com>
+Signed-off-by: Nikolay Aleksandrov <nikolay@nvidia.com>
+Reviewed-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Link: https://lore.kernel.org/r/20210810110010.43859-1-razor@blackwall.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/neighbour.h | 7 +++++--
+ net/bridge/br.c | 3 +--
+ net/bridge/br_fdb.c | 11 ++++-------
+ net/bridge/br_private.h | 2 +-
+ 4 files changed, 11 insertions(+), 12 deletions(-)
+
+diff --git a/include/uapi/linux/neighbour.h b/include/uapi/linux/neighbour.h
+index dc8b72201f6c..00a60695fa53 100644
+--- a/include/uapi/linux/neighbour.h
++++ b/include/uapi/linux/neighbour.h
+@@ -66,8 +66,11 @@ enum {
+ #define NUD_NONE 0x00
+
+ /* NUD_NOARP & NUD_PERMANENT are pseudostates, they never change
+- and make no address resolution or NUD.
+- NUD_PERMANENT also cannot be deleted by garbage collectors.
++ * and make no address resolution or NUD.
++ * NUD_PERMANENT also cannot be deleted by garbage collectors.
++ * When NTF_EXT_LEARNED is set for a bridge fdb entry the different cache entry
++ * states don't make sense and thus are ignored. Such entries don't age and
++ * can roam.
+ */
+
+ struct nda_cacheinfo {
+diff --git a/net/bridge/br.c b/net/bridge/br.c
+index a416b01ee773..1b169f8e7491 100644
+--- a/net/bridge/br.c
++++ b/net/bridge/br.c
+@@ -166,8 +166,7 @@ static int br_switchdev_event(struct notifier_block *unused,
+ case SWITCHDEV_FDB_ADD_TO_BRIDGE:
+ fdb_info = ptr;
+ err = br_fdb_external_learn_add(br, p, fdb_info->addr,
+- fdb_info->vid,
+- fdb_info->is_local, false);
++ fdb_info->vid, false);
+ if (err) {
+ err = notifier_from_errno(err);
+ break;
+diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
+index a729786e0f03..8a6470a21702 100644
+--- a/net/bridge/br_fdb.c
++++ b/net/bridge/br_fdb.c
+@@ -975,10 +975,7 @@ static int __br_fdb_add(struct ndmsg *ndm, struct net_bridge *br,
+ "FDB entry towards bridge must be permanent");
+ return -EINVAL;
+ }
+-
+- err = br_fdb_external_learn_add(br, p, addr, vid,
+- ndm->ndm_state & NUD_PERMANENT,
+- true);
++ err = br_fdb_external_learn_add(br, p, addr, vid, true);
+ } else {
+ spin_lock_bh(&br->hash_lock);
+ err = fdb_add_entry(br, p, addr, ndm, nlh_flags, vid, nfea_tb);
+@@ -1206,7 +1203,7 @@ void br_fdb_unsync_static(struct net_bridge *br, struct net_bridge_port *p)
+ }
+
+ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
+- const unsigned char *addr, u16 vid, bool is_local,
++ const unsigned char *addr, u16 vid,
+ bool swdev_notify)
+ {
+ struct net_bridge_fdb_entry *fdb;
+@@ -1224,7 +1221,7 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
+ if (swdev_notify)
+ flags |= BIT(BR_FDB_ADDED_BY_USER);
+
+- if (is_local)
++ if (!p)
+ flags |= BIT(BR_FDB_LOCAL);
+
+ fdb = fdb_create(br, p, addr, vid, flags);
+@@ -1253,7 +1250,7 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
+ if (swdev_notify)
+ set_bit(BR_FDB_ADDED_BY_USER, &fdb->flags);
+
+- if (is_local)
++ if (!p)
+ set_bit(BR_FDB_LOCAL, &fdb->flags);
+
+ if (modified)
+diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
+index 26f311b2cc11..5e5726048a1a 100644
+--- a/net/bridge/br_private.h
++++ b/net/bridge/br_private.h
+@@ -708,7 +708,7 @@ int br_fdb_get(struct sk_buff *skb, struct nlattr *tb[], struct net_device *dev,
+ int br_fdb_sync_static(struct net_bridge *br, struct net_bridge_port *p);
+ void br_fdb_unsync_static(struct net_bridge *br, struct net_bridge_port *p);
+ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
+- const unsigned char *addr, u16 vid, bool is_local,
++ const unsigned char *addr, u16 vid,
+ bool swdev_notify);
+ int br_fdb_external_learn_del(struct net_bridge *br, struct net_bridge_port *p,
+ const unsigned char *addr, u16 vid,
+--
+2.30.2
+
--- /dev/null
+From b3de964698d3be4e1ef6db625fa9c035a3681ed6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Aug 2021 21:20:23 +0800
+Subject: net: bridge: fix memleak in br_add_if()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 519133debcc19f5c834e7e28480b60bdc234fe02 ]
+
+I got a memleak report:
+
+BUG: memory leak
+unreferenced object 0x607ee521a658 (size 240):
+comm "syz-executor.0", pid 955, jiffies 4294780569 (age 16.449s)
+hex dump (first 32 bytes, cpu 1):
+00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+backtrace:
+[<00000000d830ea5a>] br_multicast_add_port+0x1c2/0x300 net/bridge/br_multicast.c:1693
+[<00000000274d9a71>] new_nbp net/bridge/br_if.c:435 [inline]
+[<00000000274d9a71>] br_add_if+0x670/0x1740 net/bridge/br_if.c:611
+[<0000000012ce888e>] do_set_master net/core/rtnetlink.c:2513 [inline]
+[<0000000012ce888e>] do_set_master+0x1aa/0x210 net/core/rtnetlink.c:2487
+[<0000000099d1cafc>] __rtnl_newlink+0x1095/0x13e0 net/core/rtnetlink.c:3457
+[<00000000a01facc0>] rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3488
+[<00000000acc9186c>] rtnetlink_rcv_msg+0x369/0xa10 net/core/rtnetlink.c:5550
+[<00000000d4aabb9c>] netlink_rcv_skb+0x134/0x3d0 net/netlink/af_netlink.c:2504
+[<00000000bc2e12a3>] netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]
+[<00000000bc2e12a3>] netlink_unicast+0x4a0/0x6a0 net/netlink/af_netlink.c:1340
+[<00000000e4dc2d0e>] netlink_sendmsg+0x789/0xc70 net/netlink/af_netlink.c:1929
+[<000000000d22c8b3>] sock_sendmsg_nosec net/socket.c:654 [inline]
+[<000000000d22c8b3>] sock_sendmsg+0x139/0x170 net/socket.c:674
+[<00000000e281417a>] ____sys_sendmsg+0x658/0x7d0 net/socket.c:2350
+[<00000000237aa2ab>] ___sys_sendmsg+0xf8/0x170 net/socket.c:2404
+[<000000004f2dc381>] __sys_sendmsg+0xd3/0x190 net/socket.c:2433
+[<0000000005feca6c>] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:47
+[<000000007304477d>] entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+On error path of br_add_if(), p->mcast_stats allocated in
+new_nbp() need be freed, or it will be leaked.
+
+Fixes: 1080ab95e3c7 ("net: bridge: add support for IGMP/MLD stats and export them via netlink")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Acked-by: Nikolay Aleksandrov <nikolay@nvidia.com>
+Link: https://lore.kernel.org/r/20210809132023.978546-1-yangyingliang@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_if.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c
+index 857a2c512ca3..1d87bf51f384 100644
+--- a/net/bridge/br_if.c
++++ b/net/bridge/br_if.c
+@@ -615,6 +615,7 @@ int br_add_if(struct net_bridge *br, struct net_device *dev,
+
+ err = dev_set_allmulti(dev, 1);
+ if (err) {
++ br_multicast_del_port(p);
+ kfree(p); /* kobject not yet init'd, manually free */
+ goto err1;
+ }
+@@ -728,6 +729,7 @@ err4:
+ err3:
+ sysfs_remove_link(br->ifobj, p->dev->name);
+ err2:
++ br_multicast_del_port(p);
+ kobject_put(&p->kobj);
+ dev_set_allmulti(dev, -1);
+ err1:
+--
+2.30.2
+
--- /dev/null
+From 5c3230552dacbe86157a399f361bf1549c9b49a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Aug 2021 02:17:30 +0300
+Subject: net: bridge: validate the NUD_PERMANENT bit when adding an
+ extern_learn FDB entry
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 0541a6293298fb52789de389dfb27ef54df81f73 ]
+
+Currently it is possible to add broken extern_learn FDB entries to the
+bridge in two ways:
+
+1. Entries pointing towards the bridge device that are not local/permanent:
+
+ip link add br0 type bridge
+bridge fdb add 00:01:02:03:04:05 dev br0 self extern_learn static
+
+2. Entries pointing towards the bridge device or towards a port that
+are marked as local/permanent, however the bridge does not process the
+'permanent' bit in any way, therefore they are recorded as though they
+aren't permanent:
+
+ip link add br0 type bridge
+bridge fdb add 00:01:02:03:04:05 dev br0 self extern_learn permanent
+
+Since commit 52e4bec15546 ("net: bridge: switchdev: treat local FDBs the
+same as entries towards the bridge"), these incorrect FDB entries can
+even trigger NULL pointer dereferences inside the kernel.
+
+This is because that commit made the assumption that all FDB entries
+that are not local/permanent have a valid destination port. For context,
+local / permanent FDB entries either have fdb->dst == NULL, and these
+point towards the bridge device and are therefore local and not to be
+used for forwarding, or have fdb->dst == a net_bridge_port structure
+(but are to be treated in the same way, i.e. not for forwarding).
+
+That assumption _is_ correct as long as things are working correctly in
+the bridge driver, i.e. we cannot logically have fdb->dst == NULL under
+any circumstance for FDB entries that are not local. However, the
+extern_learn code path where FDB entries are managed by a user space
+controller show that it is possible for the bridge kernel driver to
+misinterpret the NUD flags of an entry transmitted by user space, and
+end up having fdb->dst == NULL while not being a local entry. This is
+invalid and should be rejected.
+
+Before, the two commands listed above both crashed the kernel in this
+check from br_switchdev_fdb_notify:
+
+ struct net_device *dev = info.is_local ? br->dev : dst->dev;
+
+info.is_local == false, dst == NULL.
+
+After this patch, the invalid entry added by the first command is
+rejected:
+
+ip link add br0 type bridge && bridge fdb add 00:01:02:03:04:05 dev br0 self extern_learn static; ip link del br0
+Error: bridge: FDB entry towards bridge must be permanent.
+
+and the valid entry added by the second command is properly treated as a
+local address and does not crash br_switchdev_fdb_notify anymore:
+
+ip link add br0 type bridge && bridge fdb add 00:01:02:03:04:05 dev br0 self extern_learn permanent; ip link del br0
+
+Fixes: eb100e0e24a2 ("net: bridge: allow to add externally learned entries from user-space")
+Reported-by: syzbot+9ba1174359adba5a5b7c@syzkaller.appspotmail.com
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Acked-by: Nikolay Aleksandrov <nikolay@nvidia.com>
+Link: https://lore.kernel.org/r/20210801231730.7493-1-vladimir.oltean@nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br.c | 3 ++-
+ net/bridge/br_fdb.c | 30 ++++++++++++++++++++++++------
+ net/bridge/br_private.h | 2 +-
+ 3 files changed, 27 insertions(+), 8 deletions(-)
+
+diff --git a/net/bridge/br.c b/net/bridge/br.c
+index 1b169f8e7491..a416b01ee773 100644
+--- a/net/bridge/br.c
++++ b/net/bridge/br.c
+@@ -166,7 +166,8 @@ static int br_switchdev_event(struct notifier_block *unused,
+ case SWITCHDEV_FDB_ADD_TO_BRIDGE:
+ fdb_info = ptr;
+ err = br_fdb_external_learn_add(br, p, fdb_info->addr,
+- fdb_info->vid, false);
++ fdb_info->vid,
++ fdb_info->is_local, false);
+ if (err) {
+ err = notifier_from_errno(err);
+ break;
+diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
+index 32ac8343b0ba..a729786e0f03 100644
+--- a/net/bridge/br_fdb.c
++++ b/net/bridge/br_fdb.c
+@@ -950,7 +950,8 @@ static int fdb_add_entry(struct net_bridge *br, struct net_bridge_port *source,
+
+ static int __br_fdb_add(struct ndmsg *ndm, struct net_bridge *br,
+ struct net_bridge_port *p, const unsigned char *addr,
+- u16 nlh_flags, u16 vid, struct nlattr *nfea_tb[])
++ u16 nlh_flags, u16 vid, struct nlattr *nfea_tb[],
++ struct netlink_ext_ack *extack)
+ {
+ int err = 0;
+
+@@ -969,7 +970,15 @@ static int __br_fdb_add(struct ndmsg *ndm, struct net_bridge *br,
+ rcu_read_unlock();
+ local_bh_enable();
+ } else if (ndm->ndm_flags & NTF_EXT_LEARNED) {
+- err = br_fdb_external_learn_add(br, p, addr, vid, true);
++ if (!p && !(ndm->ndm_state & NUD_PERMANENT)) {
++ NL_SET_ERR_MSG_MOD(extack,
++ "FDB entry towards bridge must be permanent");
++ return -EINVAL;
++ }
++
++ err = br_fdb_external_learn_add(br, p, addr, vid,
++ ndm->ndm_state & NUD_PERMANENT,
++ true);
+ } else {
+ spin_lock_bh(&br->hash_lock);
+ err = fdb_add_entry(br, p, addr, ndm, nlh_flags, vid, nfea_tb);
+@@ -1041,9 +1050,11 @@ int br_fdb_add(struct ndmsg *ndm, struct nlattr *tb[],
+ }
+
+ /* VID was specified, so use it. */
+- err = __br_fdb_add(ndm, br, p, addr, nlh_flags, vid, nfea_tb);
++ err = __br_fdb_add(ndm, br, p, addr, nlh_flags, vid, nfea_tb,
++ extack);
+ } else {
+- err = __br_fdb_add(ndm, br, p, addr, nlh_flags, 0, nfea_tb);
++ err = __br_fdb_add(ndm, br, p, addr, nlh_flags, 0, nfea_tb,
++ extack);
+ if (err || !vg || !vg->num_vlans)
+ goto out;
+
+@@ -1055,7 +1066,7 @@ int br_fdb_add(struct ndmsg *ndm, struct nlattr *tb[],
+ if (!br_vlan_should_use(v))
+ continue;
+ err = __br_fdb_add(ndm, br, p, addr, nlh_flags, v->vid,
+- nfea_tb);
++ nfea_tb, extack);
+ if (err)
+ goto out;
+ }
+@@ -1195,7 +1206,7 @@ void br_fdb_unsync_static(struct net_bridge *br, struct net_bridge_port *p)
+ }
+
+ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
+- const unsigned char *addr, u16 vid,
++ const unsigned char *addr, u16 vid, bool is_local,
+ bool swdev_notify)
+ {
+ struct net_bridge_fdb_entry *fdb;
+@@ -1212,6 +1223,10 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
+
+ if (swdev_notify)
+ flags |= BIT(BR_FDB_ADDED_BY_USER);
++
++ if (is_local)
++ flags |= BIT(BR_FDB_LOCAL);
++
+ fdb = fdb_create(br, p, addr, vid, flags);
+ if (!fdb) {
+ err = -ENOMEM;
+@@ -1238,6 +1253,9 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
+ if (swdev_notify)
+ set_bit(BR_FDB_ADDED_BY_USER, &fdb->flags);
+
++ if (is_local)
++ set_bit(BR_FDB_LOCAL, &fdb->flags);
++
+ if (modified)
+ fdb_notify(br, fdb, RTM_NEWNEIGH, swdev_notify);
+ }
+diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
+index 5e5726048a1a..26f311b2cc11 100644
+--- a/net/bridge/br_private.h
++++ b/net/bridge/br_private.h
+@@ -708,7 +708,7 @@ int br_fdb_get(struct sk_buff *skb, struct nlattr *tb[], struct net_device *dev,
+ int br_fdb_sync_static(struct net_bridge *br, struct net_bridge_port *p);
+ void br_fdb_unsync_static(struct net_bridge *br, struct net_bridge_port *p);
+ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
+- const unsigned char *addr, u16 vid,
++ const unsigned char *addr, u16 vid, bool is_local,
+ bool swdev_notify);
+ int br_fdb_external_learn_del(struct net_bridge *br, struct net_bridge_port *p,
+ const unsigned char *addr, u16 vid,
+--
+2.30.2
+
--- /dev/null
+From 5ec4306cf18cdc6d119475616fa140d3518e9b06 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 14:19:54 +0300
+Subject: net: dsa: lan9303: fix broken backpressure in .port_fdb_dump
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit ada2fee185d8145afb89056558bb59545b9dbdd0 ]
+
+rtnl_fdb_dump() has logic to split a dump of PF_BRIDGE neighbors into
+multiple netlink skbs if the buffer provided by user space is too small
+(one buffer will typically handle a few hundred FDB entries).
+
+When the current buffer becomes full, nlmsg_put() in
+dsa_slave_port_fdb_do_dump() returns -EMSGSIZE and DSA saves the index
+of the last dumped FDB entry, returns to rtnl_fdb_dump() up to that
+point, and then the dump resumes on the same port with a new skb, and
+FDB entries up to the saved index are simply skipped.
+
+Since dsa_slave_port_fdb_do_dump() is pointed to by the "cb" passed to
+drivers, then drivers must check for the -EMSGSIZE error code returned
+by it. Otherwise, when a netlink skb becomes full, DSA will no longer
+save newly dumped FDB entries to it, but the driver will continue
+dumping. So FDB entries will be missing from the dump.
+
+Fix the broken backpressure by propagating the "cb" return code and
+allow rtnl_fdb_dump() to restart the FDB dump with a new skb.
+
+Fixes: ab335349b852 ("net: dsa: lan9303: Add port_fast_age and port_fdb_dump methods")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/lan9303-core.c | 34 +++++++++++++++++++---------------
+ 1 file changed, 19 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/net/dsa/lan9303-core.c b/drivers/net/dsa/lan9303-core.c
+index aa1142d6a9f5..dcf1fc89451f 100644
+--- a/drivers/net/dsa/lan9303-core.c
++++ b/drivers/net/dsa/lan9303-core.c
+@@ -557,12 +557,12 @@ static int lan9303_alr_make_entry_raw(struct lan9303 *chip, u32 dat0, u32 dat1)
+ return 0;
+ }
+
+-typedef void alr_loop_cb_t(struct lan9303 *chip, u32 dat0, u32 dat1,
+- int portmap, void *ctx);
++typedef int alr_loop_cb_t(struct lan9303 *chip, u32 dat0, u32 dat1,
++ int portmap, void *ctx);
+
+-static void lan9303_alr_loop(struct lan9303 *chip, alr_loop_cb_t *cb, void *ctx)
++static int lan9303_alr_loop(struct lan9303 *chip, alr_loop_cb_t *cb, void *ctx)
+ {
+- int i;
++ int ret = 0, i;
+
+ mutex_lock(&chip->alr_mutex);
+ lan9303_write_switch_reg(chip, LAN9303_SWE_ALR_CMD,
+@@ -582,13 +582,17 @@ static void lan9303_alr_loop(struct lan9303 *chip, alr_loop_cb_t *cb, void *ctx)
+ LAN9303_ALR_DAT1_PORT_BITOFFS;
+ portmap = alrport_2_portmap[alrport];
+
+- cb(chip, dat0, dat1, portmap, ctx);
++ ret = cb(chip, dat0, dat1, portmap, ctx);
++ if (ret)
++ break;
+
+ lan9303_write_switch_reg(chip, LAN9303_SWE_ALR_CMD,
+ LAN9303_ALR_CMD_GET_NEXT);
+ lan9303_write_switch_reg(chip, LAN9303_SWE_ALR_CMD, 0);
+ }
+ mutex_unlock(&chip->alr_mutex);
++
++ return ret;
+ }
+
+ static void alr_reg_to_mac(u32 dat0, u32 dat1, u8 mac[6])
+@@ -606,18 +610,20 @@ struct del_port_learned_ctx {
+ };
+
+ /* Clear learned (non-static) entry on given port */
+-static void alr_loop_cb_del_port_learned(struct lan9303 *chip, u32 dat0,
+- u32 dat1, int portmap, void *ctx)
++static int alr_loop_cb_del_port_learned(struct lan9303 *chip, u32 dat0,
++ u32 dat1, int portmap, void *ctx)
+ {
+ struct del_port_learned_ctx *del_ctx = ctx;
+ int port = del_ctx->port;
+
+ if (((BIT(port) & portmap) == 0) || (dat1 & LAN9303_ALR_DAT1_STATIC))
+- return;
++ return 0;
+
+ /* learned entries has only one port, we can just delete */
+ dat1 &= ~LAN9303_ALR_DAT1_VALID; /* delete entry */
+ lan9303_alr_make_entry_raw(chip, dat0, dat1);
++
++ return 0;
+ }
+
+ struct port_fdb_dump_ctx {
+@@ -626,19 +632,19 @@ struct port_fdb_dump_ctx {
+ dsa_fdb_dump_cb_t *cb;
+ };
+
+-static void alr_loop_cb_fdb_port_dump(struct lan9303 *chip, u32 dat0,
+- u32 dat1, int portmap, void *ctx)
++static int alr_loop_cb_fdb_port_dump(struct lan9303 *chip, u32 dat0,
++ u32 dat1, int portmap, void *ctx)
+ {
+ struct port_fdb_dump_ctx *dump_ctx = ctx;
+ u8 mac[ETH_ALEN];
+ bool is_static;
+
+ if ((BIT(dump_ctx->port) & portmap) == 0)
+- return;
++ return 0;
+
+ alr_reg_to_mac(dat0, dat1, mac);
+ is_static = !!(dat1 & LAN9303_ALR_DAT1_STATIC);
+- dump_ctx->cb(mac, 0, is_static, dump_ctx->data);
++ return dump_ctx->cb(mac, 0, is_static, dump_ctx->data);
+ }
+
+ /* Set a static ALR entry. Delete entry if port_map is zero */
+@@ -1210,9 +1216,7 @@ static int lan9303_port_fdb_dump(struct dsa_switch *ds, int port,
+ };
+
+ dev_dbg(chip->dev, "%s(%d)\n", __func__, port);
+- lan9303_alr_loop(chip, alr_loop_cb_fdb_port_dump, &dump_ctx);
+-
+- return 0;
++ return lan9303_alr_loop(chip, alr_loop_cb_fdb_port_dump, &dump_ctx);
+ }
+
+ static int lan9303_port_mdb_prepare(struct dsa_switch *ds, int port,
+--
+2.30.2
+
--- /dev/null
+From 65df0fd07344353be4829cbb96a2c84b010a1808 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 14:19:55 +0300
+Subject: net: dsa: lantiq: fix broken backpressure in .port_fdb_dump
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 871a73a1c8f55da0a3db234e9dd816ea4fd546f2 ]
+
+rtnl_fdb_dump() has logic to split a dump of PF_BRIDGE neighbors into
+multiple netlink skbs if the buffer provided by user space is too small
+(one buffer will typically handle a few hundred FDB entries).
+
+When the current buffer becomes full, nlmsg_put() in
+dsa_slave_port_fdb_do_dump() returns -EMSGSIZE and DSA saves the index
+of the last dumped FDB entry, returns to rtnl_fdb_dump() up to that
+point, and then the dump resumes on the same port with a new skb, and
+FDB entries up to the saved index are simply skipped.
+
+Since dsa_slave_port_fdb_do_dump() is pointed to by the "cb" passed to
+drivers, then drivers must check for the -EMSGSIZE error code returned
+by it. Otherwise, when a netlink skb becomes full, DSA will no longer
+save newly dumped FDB entries to it, but the driver will continue
+dumping. So FDB entries will be missing from the dump.
+
+Fix the broken backpressure by propagating the "cb" return code and
+allow rtnl_fdb_dump() to restart the FDB dump with a new skb.
+
+Fixes: 58c59ef9e930 ("net: dsa: lantiq: Add Forwarding Database access")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/lantiq_gswip.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/dsa/lantiq_gswip.c b/drivers/net/dsa/lantiq_gswip.c
+index 93c7fa1fd4cb..a455534740cd 100644
+--- a/drivers/net/dsa/lantiq_gswip.c
++++ b/drivers/net/dsa/lantiq_gswip.c
+@@ -1416,11 +1416,17 @@ static int gswip_port_fdb_dump(struct dsa_switch *ds, int port,
+ addr[1] = mac_bridge.key[2] & 0xff;
+ addr[0] = (mac_bridge.key[2] >> 8) & 0xff;
+ if (mac_bridge.val[1] & GSWIP_TABLE_MAC_BRIDGE_STATIC) {
+- if (mac_bridge.val[0] & BIT(port))
+- cb(addr, 0, true, data);
++ if (mac_bridge.val[0] & BIT(port)) {
++ err = cb(addr, 0, true, data);
++ if (err)
++ return err;
++ }
+ } else {
+- if (((mac_bridge.val[0] & GENMASK(7, 4)) >> 4) == port)
+- cb(addr, 0, false, data);
++ if (((mac_bridge.val[0] & GENMASK(7, 4)) >> 4) == port) {
++ err = cb(addr, 0, false, data);
++ if (err)
++ return err;
++ }
+ }
+ }
+ return 0;
+--
+2.30.2
+
--- /dev/null
+From 357f4e4d19f0943930b1c0690341aef90eeda12e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 00:59:12 +0200
+Subject: net: dsa: microchip: Fix ksz_read64()
+
+From: Ben Hutchings <ben.hutchings@mind.be>
+
+[ Upstream commit c34f674c8875235725c3ef86147a627f165d23b4 ]
+
+ksz_read64() currently does some dubious byte-swapping on the two
+halves of a 64-bit register, and then only returns the high bits.
+Replace this with a straightforward expression.
+
+Fixes: e66f840c08a2 ("net: dsa: ksz: Add Microchip KSZ8795 DSA driver")
+Signed-off-by: Ben Hutchings <ben.hutchings@mind.be>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/microchip/ksz_common.h | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/dsa/microchip/ksz_common.h b/drivers/net/dsa/microchip/ksz_common.h
+index cf866e48ff66..a51c716ec920 100644
+--- a/drivers/net/dsa/microchip/ksz_common.h
++++ b/drivers/net/dsa/microchip/ksz_common.h
+@@ -210,12 +210,8 @@ static inline int ksz_read64(struct ksz_device *dev, u32 reg, u64 *val)
+ int ret;
+
+ ret = regmap_bulk_read(dev->regmap[2], reg, value, 2);
+- if (!ret) {
+- /* Ick! ToDo: Add 64bit R/W to regmap on 32bit systems */
+- value[0] = swab32(value[0]);
+- value[1] = swab32(value[1]);
+- *val = swab64((u64)*value);
+- }
++ if (!ret)
++ *val = (u64)value[0] << 32 | value[1];
+
+ return ret;
+ }
+--
+2.30.2
+
--- /dev/null
+From cb21f67b1b622c180b813016c31627b40ea8a979 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 01:00:06 +0200
+Subject: net: dsa: microchip: ksz8795: Fix VLAN filtering
+
+From: Ben Hutchings <ben.hutchings@mind.be>
+
+[ Upstream commit 164844135a3f215d3018ee9d6875336beb942413 ]
+
+Currently ksz8_port_vlan_filtering() sets or clears the VLAN Enable
+hardware flag. That controls discarding of packets with a VID that
+has not been enabled for any port on the switch.
+
+Since it is a global flag, set the dsa_switch::vlan_filtering_is_global
+flag so that the DSA core understands this can't be controlled per
+port.
+
+When VLAN filtering is enabled, the switch should also discard packets
+with a VID that's not enabled on the ingress port. Set or clear each
+external port's VLAN Ingress Filter flag in ksz8_port_vlan_filtering()
+to make that happen.
+
+Fixes: e66f840c08a2 ("net: dsa: ksz: Add Microchip KSZ8795 DSA driver")
+Signed-off-by: Ben Hutchings <ben.hutchings@mind.be>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/microchip/ksz8795.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/drivers/net/dsa/microchip/ksz8795.c b/drivers/net/dsa/microchip/ksz8795.c
+index 1e101ab56cea..108a14db1f1a 100644
+--- a/drivers/net/dsa/microchip/ksz8795.c
++++ b/drivers/net/dsa/microchip/ksz8795.c
+@@ -790,8 +790,14 @@ static int ksz8795_port_vlan_filtering(struct dsa_switch *ds, int port,
+ if (switchdev_trans_ph_prepare(trans))
+ return 0;
+
++ /* Discard packets with VID not enabled on the switch */
+ ksz_cfg(dev, S_MIRROR_CTRL, SW_VLAN_ENABLE, flag);
+
++ /* Discard packets with VID not enabled on the ingress port */
++ for (port = 0; port < dev->phy_port_cnt; ++port)
++ ksz_port_cfg(dev, port, REG_PORT_CTRL_2, PORT_INGRESS_FILTER,
++ flag);
++
+ return 0;
+ }
+
+@@ -1266,6 +1272,11 @@ static int ksz8795_switch_init(struct ksz_device *dev)
+ /* set the real number of ports */
+ dev->ds->num_ports = dev->port_cnt + 1;
+
++ /* VLAN filtering is partly controlled by the global VLAN
++ * Enable flag
++ */
++ dev->ds->vlan_filtering_is_global = true;
++
+ return 0;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 16c56d0508aa58c11aebd1ed15f9c96891432756 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Aug 2021 12:05:27 +0800
+Subject: net: dsa: mt7530: add the missing RxUnicast MIB counter
+
+From: DENG Qingfang <dqfext@gmail.com>
+
+[ Upstream commit aff51c5da3208bd164381e1488998667269c6cf4 ]
+
+Add the missing RxUnicast counter.
+
+Fixes: b8f126a8d543 ("net-next: dsa: add dsa support for Mediatek MT7530 switch")
+Signed-off-by: DENG Qingfang <dqfext@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/mt7530.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c
+index 190025a0a98e..3fa2f81c8b47 100644
+--- a/drivers/net/dsa/mt7530.c
++++ b/drivers/net/dsa/mt7530.c
+@@ -45,6 +45,7 @@ static const struct mt7530_mib_desc mt7530_mib[] = {
+ MIB_DESC(2, 0x48, "TxBytes"),
+ MIB_DESC(1, 0x60, "RxDrop"),
+ MIB_DESC(1, 0x64, "RxFiltering"),
++ MIB_DESC(1, 0x68, "RxUnicast"),
+ MIB_DESC(1, 0x6c, "RxMulticast"),
+ MIB_DESC(1, 0x70, "RxBroadcast"),
+ MIB_DESC(1, 0x74, "RxAlignErr"),
+--
+2.30.2
+
--- /dev/null
+From 98605c3e59dcff04e6388a3c0354027ef5270a67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 14:19:56 +0300
+Subject: net: dsa: sja1105: fix broken backpressure in .port_fdb_dump
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 21b52fed928e96d2f75d2f6aa9eac7a4b0b55d22 ]
+
+rtnl_fdb_dump() has logic to split a dump of PF_BRIDGE neighbors into
+multiple netlink skbs if the buffer provided by user space is too small
+(one buffer will typically handle a few hundred FDB entries).
+
+When the current buffer becomes full, nlmsg_put() in
+dsa_slave_port_fdb_do_dump() returns -EMSGSIZE and DSA saves the index
+of the last dumped FDB entry, returns to rtnl_fdb_dump() up to that
+point, and then the dump resumes on the same port with a new skb, and
+FDB entries up to the saved index are simply skipped.
+
+Since dsa_slave_port_fdb_do_dump() is pointed to by the "cb" passed to
+drivers, then drivers must check for the -EMSGSIZE error code returned
+by it. Otherwise, when a netlink skb becomes full, DSA will no longer
+save newly dumped FDB entries to it, but the driver will continue
+dumping. So FDB entries will be missing from the dump.
+
+Fix the broken backpressure by propagating the "cb" return code and
+allow rtnl_fdb_dump() to restart the FDB dump with a new skb.
+
+Fixes: 291d1e72b756 ("net: dsa: sja1105: Add support for FDB and MDB management")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/sja1105/sja1105_main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c
+index 855371fcbf85..c03d76c10868 100644
+--- a/drivers/net/dsa/sja1105/sja1105_main.c
++++ b/drivers/net/dsa/sja1105/sja1105_main.c
+@@ -1566,7 +1566,9 @@ static int sja1105_fdb_dump(struct dsa_switch *ds, int port,
+ /* We need to hide the dsa_8021q VLANs from the user. */
+ if (priv->vlan_state == SJA1105_VLAN_UNAWARE)
+ l2_lookup.vlanid = 0;
+- cb(macaddr, l2_lookup.vlanid, l2_lookup.lockeds, data);
++ rc = cb(macaddr, l2_lookup.vlanid, l2_lookup.lockeds, data);
++ if (rc)
++ return rc;
+ }
+ return 0;
+ }
+--
+2.30.2
+
--- /dev/null
+From 555e64eca1648d22a08e5fb2b334bfec9b39af9d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Aug 2021 16:54:14 +0900
+Subject: net: Fix memory leak in ieee802154_raw_deliver
+
+From: Takeshi Misawa <jeliantsurux@gmail.com>
+
+[ Upstream commit 1090340f7ee53e824fd4eef66a4855d548110c5b ]
+
+If IEEE-802.15.4-RAW is closed before receive skb, skb is leaked.
+Fix this, by freeing sk_receive_queue in sk->sk_destruct().
+
+syzbot report:
+BUG: memory leak
+unreferenced object 0xffff88810f644600 (size 232):
+ comm "softirq", pid 0, jiffies 4294967032 (age 81.270s)
+ hex dump (first 32 bytes):
+ 10 7d 4b 12 81 88 ff ff 10 7d 4b 12 81 88 ff ff .}K......}K.....
+ 00 00 00 00 00 00 00 00 40 7c 4b 12 81 88 ff ff ........@|K.....
+ backtrace:
+ [<ffffffff83651d4a>] skb_clone+0xaa/0x2b0 net/core/skbuff.c:1496
+ [<ffffffff83fe1b80>] ieee802154_raw_deliver net/ieee802154/socket.c:369 [inline]
+ [<ffffffff83fe1b80>] ieee802154_rcv+0x100/0x340 net/ieee802154/socket.c:1070
+ [<ffffffff8367cc7a>] __netif_receive_skb_one_core+0x6a/0xa0 net/core/dev.c:5384
+ [<ffffffff8367cd07>] __netif_receive_skb+0x27/0xa0 net/core/dev.c:5498
+ [<ffffffff8367cdd9>] netif_receive_skb_internal net/core/dev.c:5603 [inline]
+ [<ffffffff8367cdd9>] netif_receive_skb+0x59/0x260 net/core/dev.c:5662
+ [<ffffffff83fe6302>] ieee802154_deliver_skb net/mac802154/rx.c:29 [inline]
+ [<ffffffff83fe6302>] ieee802154_subif_frame net/mac802154/rx.c:102 [inline]
+ [<ffffffff83fe6302>] __ieee802154_rx_handle_packet net/mac802154/rx.c:212 [inline]
+ [<ffffffff83fe6302>] ieee802154_rx+0x612/0x620 net/mac802154/rx.c:284
+ [<ffffffff83fe59a6>] ieee802154_tasklet_handler+0x86/0xa0 net/mac802154/main.c:35
+ [<ffffffff81232aab>] tasklet_action_common.constprop.0+0x5b/0x100 kernel/softirq.c:557
+ [<ffffffff846000bf>] __do_softirq+0xbf/0x2ab kernel/softirq.c:345
+ [<ffffffff81232f4c>] do_softirq kernel/softirq.c:248 [inline]
+ [<ffffffff81232f4c>] do_softirq+0x5c/0x80 kernel/softirq.c:235
+ [<ffffffff81232fc1>] __local_bh_enable_ip+0x51/0x60 kernel/softirq.c:198
+ [<ffffffff8367a9a4>] local_bh_enable include/linux/bottom_half.h:32 [inline]
+ [<ffffffff8367a9a4>] rcu_read_unlock_bh include/linux/rcupdate.h:745 [inline]
+ [<ffffffff8367a9a4>] __dev_queue_xmit+0x7f4/0xf60 net/core/dev.c:4221
+ [<ffffffff83fe2db4>] raw_sendmsg+0x1f4/0x2b0 net/ieee802154/socket.c:295
+ [<ffffffff8363af16>] sock_sendmsg_nosec net/socket.c:654 [inline]
+ [<ffffffff8363af16>] sock_sendmsg+0x56/0x80 net/socket.c:674
+ [<ffffffff8363deec>] __sys_sendto+0x15c/0x200 net/socket.c:1977
+ [<ffffffff8363dfb6>] __do_sys_sendto net/socket.c:1989 [inline]
+ [<ffffffff8363dfb6>] __se_sys_sendto net/socket.c:1985 [inline]
+ [<ffffffff8363dfb6>] __x64_sys_sendto+0x26/0x30 net/socket.c:1985
+
+Fixes: 9ec767160357 ("net: add IEEE 802.15.4 socket family implementation")
+Reported-and-tested-by: syzbot+1f68113fa907bf0695a8@syzkaller.appspotmail.com
+Signed-off-by: Takeshi Misawa <jeliantsurux@gmail.com>
+Acked-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20210805075414.GA15796@DESKTOP
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ieee802154/socket.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c
+index a45a0401adc5..c25f7617770c 100644
+--- a/net/ieee802154/socket.c
++++ b/net/ieee802154/socket.c
+@@ -984,6 +984,11 @@ static const struct proto_ops ieee802154_dgram_ops = {
+ .sendpage = sock_no_sendpage,
+ };
+
++static void ieee802154_sock_destruct(struct sock *sk)
++{
++ skb_queue_purge(&sk->sk_receive_queue);
++}
++
+ /* Create a socket. Initialise the socket, blank the addresses
+ * set the state.
+ */
+@@ -1024,7 +1029,7 @@ static int ieee802154_create(struct net *net, struct socket *sock,
+ sock->ops = ops;
+
+ sock_init_data(sock, sk);
+- /* FIXME: sk->sk_destruct */
++ sk->sk_destruct = ieee802154_sock_destruct;
+ sk->sk_family = PF_IEEE802154;
+
+ /* Checksums on by default */
+--
+2.30.2
+
--- /dev/null
+From 5e38479fb03e4a46174173abe02c06fc6f35b461 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 02:45:47 -0700
+Subject: net: igmp: fix data-race in igmp_ifc_timer_expire()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 4a2b285e7e103d4d6c6ed3e5052a0ff74a5d7f15 ]
+
+Fix the data-race reported by syzbot [1]
+Issue here is that igmp_ifc_timer_expire() can update in_dev->mr_ifc_count
+while another change just occured from another context.
+
+in_dev->mr_ifc_count is only 8bit wide, so the race had little
+consequences.
+
+[1]
+BUG: KCSAN: data-race in igmp_ifc_event / igmp_ifc_timer_expire
+
+write to 0xffff8881051e3062 of 1 bytes by task 12547 on cpu 0:
+ igmp_ifc_event+0x1d5/0x290 net/ipv4/igmp.c:821
+ igmp_group_added+0x462/0x490 net/ipv4/igmp.c:1356
+ ____ip_mc_inc_group+0x3ff/0x500 net/ipv4/igmp.c:1461
+ __ip_mc_join_group+0x24d/0x2c0 net/ipv4/igmp.c:2199
+ ip_mc_join_group_ssm+0x20/0x30 net/ipv4/igmp.c:2218
+ do_ip_setsockopt net/ipv4/ip_sockglue.c:1285 [inline]
+ ip_setsockopt+0x1827/0x2a80 net/ipv4/ip_sockglue.c:1423
+ tcp_setsockopt+0x8c/0xa0 net/ipv4/tcp.c:3657
+ sock_common_setsockopt+0x5d/0x70 net/core/sock.c:3362
+ __sys_setsockopt+0x18f/0x200 net/socket.c:2159
+ __do_sys_setsockopt net/socket.c:2170 [inline]
+ __se_sys_setsockopt net/socket.c:2167 [inline]
+ __x64_sys_setsockopt+0x62/0x70 net/socket.c:2167
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+read to 0xffff8881051e3062 of 1 bytes by interrupt on cpu 1:
+ igmp_ifc_timer_expire+0x706/0xa30 net/ipv4/igmp.c:808
+ call_timer_fn+0x2e/0x1d0 kernel/time/timer.c:1419
+ expire_timers+0x135/0x250 kernel/time/timer.c:1464
+ __run_timers+0x358/0x420 kernel/time/timer.c:1732
+ run_timer_softirq+0x19/0x30 kernel/time/timer.c:1745
+ __do_softirq+0x12c/0x26e kernel/softirq.c:558
+ invoke_softirq kernel/softirq.c:432 [inline]
+ __irq_exit_rcu+0x9a/0xb0 kernel/softirq.c:636
+ sysvec_apic_timer_interrupt+0x69/0x80 arch/x86/kernel/apic/apic.c:1100
+ asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638
+ console_unlock+0x8e8/0xb30 kernel/printk/printk.c:2646
+ vprintk_emit+0x125/0x3d0 kernel/printk/printk.c:2174
+ vprintk_default+0x22/0x30 kernel/printk/printk.c:2185
+ vprintk+0x15a/0x170 kernel/printk/printk_safe.c:392
+ printk+0x62/0x87 kernel/printk/printk.c:2216
+ selinux_netlink_send+0x399/0x400 security/selinux/hooks.c:6041
+ security_netlink_send+0x42/0x90 security/security.c:2070
+ netlink_sendmsg+0x59e/0x7c0 net/netlink/af_netlink.c:1919
+ sock_sendmsg_nosec net/socket.c:703 [inline]
+ sock_sendmsg net/socket.c:723 [inline]
+ ____sys_sendmsg+0x360/0x4d0 net/socket.c:2392
+ ___sys_sendmsg net/socket.c:2446 [inline]
+ __sys_sendmsg+0x1ed/0x270 net/socket.c:2475
+ __do_sys_sendmsg net/socket.c:2484 [inline]
+ __se_sys_sendmsg net/socket.c:2482 [inline]
+ __x64_sys_sendmsg+0x42/0x50 net/socket.c:2482
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+value changed: 0x01 -> 0x02
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 12539 Comm: syz-executor.1 Not tainted 5.14.0-rc4-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/igmp.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
+index 6b3c558a4f23..a51360087b19 100644
+--- a/net/ipv4/igmp.c
++++ b/net/ipv4/igmp.c
+@@ -803,10 +803,17 @@ static void igmp_gq_timer_expire(struct timer_list *t)
+ static void igmp_ifc_timer_expire(struct timer_list *t)
+ {
+ struct in_device *in_dev = from_timer(in_dev, t, mr_ifc_timer);
++ u8 mr_ifc_count;
+
+ igmpv3_send_cr(in_dev);
+- if (in_dev->mr_ifc_count) {
+- in_dev->mr_ifc_count--;
++restart:
++ mr_ifc_count = READ_ONCE(in_dev->mr_ifc_count);
++
++ if (mr_ifc_count) {
++ if (cmpxchg(&in_dev->mr_ifc_count,
++ mr_ifc_count,
++ mr_ifc_count - 1) != mr_ifc_count)
++ goto restart;
+ igmp_ifc_start_timer(in_dev,
+ unsolicited_report_interval(in_dev));
+ }
+@@ -818,7 +825,7 @@ static void igmp_ifc_event(struct in_device *in_dev)
+ struct net *net = dev_net(in_dev->dev);
+ if (IGMP_V1_SEEN(in_dev) || IGMP_V2_SEEN(in_dev))
+ return;
+- in_dev->mr_ifc_count = in_dev->mr_qrv ?: net->ipv4.sysctl_igmp_qrv;
++ WRITE_ONCE(in_dev->mr_ifc_count, in_dev->mr_qrv ?: net->ipv4.sysctl_igmp_qrv);
+ igmp_ifc_start_timer(in_dev, 1);
+ }
+
+@@ -957,7 +964,7 @@ static bool igmp_heard_query(struct in_device *in_dev, struct sk_buff *skb,
+ in_dev->mr_qri;
+ }
+ /* cancel the interface change timer */
+- in_dev->mr_ifc_count = 0;
++ WRITE_ONCE(in_dev->mr_ifc_count, 0);
+ if (del_timer(&in_dev->mr_ifc_timer))
+ __in_dev_put(in_dev);
+ /* clear deleted report items */
+@@ -1724,7 +1731,7 @@ void ip_mc_down(struct in_device *in_dev)
+ igmp_group_dropped(pmc);
+
+ #ifdef CONFIG_IP_MULTICAST
+- in_dev->mr_ifc_count = 0;
++ WRITE_ONCE(in_dev->mr_ifc_count, 0);
+ if (del_timer(&in_dev->mr_ifc_timer))
+ __in_dev_put(in_dev);
+ in_dev->mr_gq_running = 0;
+@@ -1941,7 +1948,7 @@ static int ip_mc_del_src(struct in_device *in_dev, __be32 *pmca, int sfmode,
+ pmc->sfmode = MCAST_INCLUDE;
+ #ifdef CONFIG_IP_MULTICAST
+ pmc->crcount = in_dev->mr_qrv ?: net->ipv4.sysctl_igmp_qrv;
+- in_dev->mr_ifc_count = pmc->crcount;
++ WRITE_ONCE(in_dev->mr_ifc_count, pmc->crcount);
+ for (psf = pmc->sources; psf; psf = psf->sf_next)
+ psf->sf_crcount = 0;
+ igmp_ifc_event(pmc->interface);
+@@ -2120,7 +2127,7 @@ static int ip_mc_add_src(struct in_device *in_dev, __be32 *pmca, int sfmode,
+ /* else no filters; keep old mode for reports */
+
+ pmc->crcount = in_dev->mr_qrv ?: net->ipv4.sysctl_igmp_qrv;
+- in_dev->mr_ifc_count = pmc->crcount;
++ WRITE_ONCE(in_dev->mr_ifc_count, pmc->crcount);
+ for (psf = pmc->sources; psf; psf = psf->sf_next)
+ psf->sf_crcount = 0;
+ igmp_ifc_event(in_dev);
+--
+2.30.2
+
--- /dev/null
+From 91734d19af98551ef5fe93b3bafe3f8016285325 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Aug 2021 12:57:15 -0700
+Subject: net: igmp: increase size of mr_ifc_count
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit b69dd5b3780a7298bd893816a09da751bc0636f7 ]
+
+Some arches support cmpxchg() on 4-byte and 8-byte only.
+Increase mr_ifc_count width to 32bit to fix this problem.
+
+Fixes: 4a2b285e7e10 ("net: igmp: fix data-race in igmp_ifc_timer_expire()")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20210811195715.3684218-1-eric.dumazet@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/inetdevice.h | 2 +-
+ net/ipv4/igmp.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/inetdevice.h b/include/linux/inetdevice.h
+index 3515ca64e638..b68fca08be27 100644
+--- a/include/linux/inetdevice.h
++++ b/include/linux/inetdevice.h
+@@ -41,7 +41,7 @@ struct in_device {
+ unsigned long mr_qri; /* Query Response Interval */
+ unsigned char mr_qrv; /* Query Robustness Variable */
+ unsigned char mr_gq_running;
+- unsigned char mr_ifc_count;
++ u32 mr_ifc_count;
+ struct timer_list mr_gq_timer; /* general query timer */
+ struct timer_list mr_ifc_timer; /* interface change timer */
+
+diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
+index a51360087b19..00576bae183d 100644
+--- a/net/ipv4/igmp.c
++++ b/net/ipv4/igmp.c
+@@ -803,7 +803,7 @@ static void igmp_gq_timer_expire(struct timer_list *t)
+ static void igmp_ifc_timer_expire(struct timer_list *t)
+ {
+ struct in_device *in_dev = from_timer(in_dev, t, mr_ifc_timer);
+- u8 mr_ifc_count;
++ u32 mr_ifc_count;
+
+ igmpv3_send_cr(in_dev);
+ restart:
+--
+2.30.2
+
--- /dev/null
+From 5a072844789db0e56362ac312bd135584706f212 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Aug 2021 18:06:28 +0200
+Subject: net: linkwatch: fix failure to restore device state across
+ suspend/resume
+
+From: Willy Tarreau <w@1wt.eu>
+
+[ Upstream commit 6922110d152e56d7569616b45a1f02876cf3eb9f ]
+
+After migrating my laptop from 4.19-LTS to 5.4-LTS a while ago I noticed
+that my Ethernet port to which a bond and a VLAN interface are attached
+appeared to remain up after resuming from suspend with the cable unplugged
+(and that problem still persists with 5.10-LTS).
+
+It happens that the following happens:
+
+ - the network driver (e1000e here) prepares to suspend, calls e1000e_down()
+ which calls netif_carrier_off() to signal that the link is going down.
+ - netif_carrier_off() adds a link_watch event to the list of events for
+ this device
+ - the device is completely stopped.
+ - the machine suspends
+ - the cable is unplugged and the machine brought to another location
+ - the machine is resumed
+ - the queued linkwatch events are processed for the device
+ - the device doesn't yet have the __LINK_STATE_PRESENT bit and its events
+ are silently dropped
+ - the device is resumed with its link down
+ - the upper VLAN and bond interfaces are never notified that the link had
+ been turned down and remain up
+ - the only way to provoke a change is to physically connect the machine
+ to a port and possibly unplug it.
+
+The state after resume looks like this:
+ $ ip -br li | egrep 'bond|eth'
+ bond0 UP e8:6a:64:64:64:64 <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP>
+ eth0 DOWN e8:6a:64:64:64:64 <NO-CARRIER,BROADCAST,MULTICAST,SLAVE,UP>
+ eth0.2@eth0 UP e8:6a:64:64:64:64 <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP>
+
+Placing an explicit call to netdev_state_change() either in the suspend
+or the resume code in the NIC driver worked around this but the solution
+is not satisfying.
+
+The issue in fact really is in link_watch that loses events while it
+ought not to. It happens that the test for the device being present was
+added by commit 124eee3f6955 ("net: linkwatch: add check for netdevice
+being present to linkwatch_do_dev") in 4.20 to avoid an access to
+devices that are not present.
+
+Instead of dropping events, this patch proceeds slightly differently by
+postponing their handling so that they happen after the device is fully
+resumed.
+
+Fixes: 124eee3f6955 ("net: linkwatch: add check for netdevice being present to linkwatch_do_dev")
+Link: https://lists.openwall.net/netdev/2018/03/15/62
+Cc: Heiner Kallweit <hkallweit1@gmail.com>
+Cc: Geert Uytterhoeven <geert+renesas@glider.be>
+Cc: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+Link: https://lore.kernel.org/r/20210809160628.22623-1-w@1wt.eu
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/link_watch.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/core/link_watch.c b/net/core/link_watch.c
+index 75431ca9300f..1a455847da54 100644
+--- a/net/core/link_watch.c
++++ b/net/core/link_watch.c
+@@ -158,7 +158,7 @@ static void linkwatch_do_dev(struct net_device *dev)
+ clear_bit(__LINK_STATE_LINKWATCH_PENDING, &dev->state);
+
+ rfc2863_policy(dev);
+- if (dev->flags & IFF_UP && netif_device_present(dev)) {
++ if (dev->flags & IFF_UP) {
+ if (netif_carrier_ok(dev))
+ dev_activate(dev);
+ else
+@@ -204,7 +204,8 @@ static void __linkwatch_run_queue(int urgent_only)
+ dev = list_first_entry(&wrk, struct net_device, link_watch_list);
+ list_del_init(&dev->link_watch_list);
+
+- if (urgent_only && !linkwatch_urgent_event(dev)) {
++ if (!netif_device_present(dev) ||
++ (urgent_only && !linkwatch_urgent_event(dev))) {
+ list_add_tail(&dev->link_watch_list, &lweventlist);
+ continue;
+ }
+--
+2.30.2
+
--- /dev/null
+From 2e3209d8713730a3794211365c19e00c1acfc30d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jun 2021 16:38:30 +0300
+Subject: net/mlx5: Fix return value from tracer initialization
+
+From: Aya Levin <ayal@nvidia.com>
+
+[ Upstream commit bd37c2888ccaa5ceb9895718f6909b247cc372e0 ]
+
+Check return value of mlx5_fw_tracer_start(), set error path and fix
+return value of mlx5_fw_tracer_init() accordingly.
+
+Fixes: c71ad41ccb0c ("net/mlx5: FW tracer, events handling")
+Signed-off-by: Aya Levin <ayal@nvidia.com>
+Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
+index 2eb022ad7fd0..3dfcb20e97c6 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
+@@ -1019,12 +1019,19 @@ int mlx5_fw_tracer_init(struct mlx5_fw_tracer *tracer)
+ MLX5_NB_INIT(&tracer->nb, fw_tracer_event, DEVICE_TRACER);
+ mlx5_eq_notifier_register(dev, &tracer->nb);
+
+- mlx5_fw_tracer_start(tracer);
+-
++ err = mlx5_fw_tracer_start(tracer);
++ if (err) {
++ mlx5_core_warn(dev, "FWTracer: Failed to start tracer %d\n", err);
++ goto err_notifier_unregister;
++ }
+ return 0;
+
++err_notifier_unregister:
++ mlx5_eq_notifier_unregister(dev, &tracer->nb);
++ mlx5_core_destroy_mkey(dev, &tracer->buff.mkey);
+ err_dealloc_pd:
+ mlx5_core_dealloc_pd(dev, tracer->buff.pdn);
++ cancel_work_sync(&tracer->read_fw_strings_work);
+ return err;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From d995f6780118f1dfd066a1f1a4fe33e16ae132f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 11 Apr 2021 15:32:55 +0300
+Subject: net/mlx5: Synchronize correct IRQ when destroying CQ
+
+From: Shay Drory <shayd@nvidia.com>
+
+[ Upstream commit 563476ae0c5e48a028cbfa38fa9d2fc0418eb88f ]
+
+The CQ destroy is performed based on the IRQ number that is stored in
+cq->irqn. That number wasn't set explicitly during CQ creation and as
+expected some of the API users of mlx5_core_create_cq() forgot to update
+it.
+
+This caused to wrong synchronization call of the wrong IRQ with a number
+0 instead of the real one.
+
+As a fix, set the IRQ number directly in the mlx5_core_create_cq() and
+update all users accordingly.
+
+Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5 devices")
+Fixes: ef1659ade359 ("IB/mlx5: Add DEVX support for CQ events")
+Signed-off-by: Shay Drory <shayd@nvidia.com>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/cq.c | 4 +---
+ drivers/infiniband/hw/mlx5/devx.c | 3 +--
+ drivers/net/ethernet/mellanox/mlx5/core/cq.c | 1 +
+ .../net/ethernet/mellanox/mlx5/core/en_main.c | 13 ++----------
+ drivers/net/ethernet/mellanox/mlx5/core/eq.c | 20 +++++++++++++++----
+ .../ethernet/mellanox/mlx5/core/fpga/conn.c | 4 +---
+ .../net/ethernet/mellanox/mlx5/core/lib/eq.h | 2 ++
+ .../mellanox/mlx5/core/steering/dr_send.c | 4 +---
+ drivers/vdpa/mlx5/net/mlx5_vnet.c | 3 +--
+ include/linux/mlx5/driver.h | 3 +--
+ 10 files changed, 27 insertions(+), 30 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/cq.c b/drivers/infiniband/hw/mlx5/cq.c
+index 372adb7ceb74..74644b6ea0ff 100644
+--- a/drivers/infiniband/hw/mlx5/cq.c
++++ b/drivers/infiniband/hw/mlx5/cq.c
+@@ -930,7 +930,6 @@ int mlx5_ib_create_cq(struct ib_cq *ibcq, const struct ib_cq_init_attr *attr,
+ u32 *cqb = NULL;
+ void *cqc;
+ int cqe_size;
+- unsigned int irqn;
+ int eqn;
+ int err;
+
+@@ -969,7 +968,7 @@ int mlx5_ib_create_cq(struct ib_cq *ibcq, const struct ib_cq_init_attr *attr,
+ INIT_WORK(&cq->notify_work, notify_soft_wc_handler);
+ }
+
+- err = mlx5_vector2eqn(dev->mdev, vector, &eqn, &irqn);
++ err = mlx5_vector2eqn(dev->mdev, vector, &eqn);
+ if (err)
+ goto err_cqb;
+
+@@ -992,7 +991,6 @@ int mlx5_ib_create_cq(struct ib_cq *ibcq, const struct ib_cq_init_attr *attr,
+ goto err_cqb;
+
+ mlx5_ib_dbg(dev, "cqn 0x%x\n", cq->mcq.cqn);
+- cq->mcq.irqn = irqn;
+ if (udata)
+ cq->mcq.tasklet_ctx.comp = mlx5_ib_cq_comp;
+ else
+diff --git a/drivers/infiniband/hw/mlx5/devx.c b/drivers/infiniband/hw/mlx5/devx.c
+index 06a873257619..343e6709d9fc 100644
+--- a/drivers/infiniband/hw/mlx5/devx.c
++++ b/drivers/infiniband/hw/mlx5/devx.c
+@@ -904,7 +904,6 @@ static int UVERBS_HANDLER(MLX5_IB_METHOD_DEVX_QUERY_EQN)(
+ struct mlx5_ib_dev *dev;
+ int user_vector;
+ int dev_eqn;
+- unsigned int irqn;
+ int err;
+
+ if (uverbs_copy_from(&user_vector, attrs,
+@@ -916,7 +915,7 @@ static int UVERBS_HANDLER(MLX5_IB_METHOD_DEVX_QUERY_EQN)(
+ return PTR_ERR(c);
+ dev = to_mdev(c->ibucontext.device);
+
+- err = mlx5_vector2eqn(dev->mdev, user_vector, &dev_eqn, &irqn);
++ err = mlx5_vector2eqn(dev->mdev, user_vector, &dev_eqn);
+ if (err < 0)
+ return err;
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cq.c b/drivers/net/ethernet/mellanox/mlx5/core/cq.c
+index df3e4938ecdd..360e093874d4 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cq.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cq.c
+@@ -134,6 +134,7 @@ int mlx5_core_create_cq(struct mlx5_core_dev *dev, struct mlx5_core_cq *cq,
+ cq->cqn);
+
+ cq->uar = dev->priv.uar;
++ cq->irqn = eq->core.irqn;
+
+ return 0;
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index d81fa8e56199..6b4a3d90c9f7 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -1547,15 +1547,9 @@ static int mlx5e_alloc_cq_common(struct mlx5_core_dev *mdev,
+ struct mlx5e_cq *cq)
+ {
+ struct mlx5_core_cq *mcq = &cq->mcq;
+- int eqn_not_used;
+- unsigned int irqn;
+ int err;
+ u32 i;
+
+- err = mlx5_vector2eqn(mdev, param->eq_ix, &eqn_not_used, &irqn);
+- if (err)
+- return err;
+-
+ err = mlx5_cqwq_create(mdev, ¶m->wq, param->cqc, &cq->wq,
+ &cq->wq_ctrl);
+ if (err)
+@@ -1569,7 +1563,6 @@ static int mlx5e_alloc_cq_common(struct mlx5_core_dev *mdev,
+ mcq->vector = param->eq_ix;
+ mcq->comp = mlx5e_completion_event;
+ mcq->event = mlx5e_cq_error_event;
+- mcq->irqn = irqn;
+
+ for (i = 0; i < mlx5_cqwq_get_size(&cq->wq); i++) {
+ struct mlx5_cqe64 *cqe = mlx5_cqwq_get_wqe(&cq->wq, i);
+@@ -1615,11 +1608,10 @@ static int mlx5e_create_cq(struct mlx5e_cq *cq, struct mlx5e_cq_param *param)
+ void *in;
+ void *cqc;
+ int inlen;
+- unsigned int irqn_not_used;
+ int eqn;
+ int err;
+
+- err = mlx5_vector2eqn(mdev, param->eq_ix, &eqn, &irqn_not_used);
++ err = mlx5_vector2eqn(mdev, param->eq_ix, &eqn);
+ if (err)
+ return err;
+
+@@ -1977,9 +1969,8 @@ static int mlx5e_open_channel(struct mlx5e_priv *priv, int ix,
+ struct mlx5e_channel *c;
+ unsigned int irq;
+ int err;
+- int eqn;
+
+- err = mlx5_vector2eqn(priv->mdev, ix, &eqn, &irq);
++ err = mlx5_vector2irqn(priv->mdev, ix, &irq);
+ if (err)
+ return err;
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eq.c b/drivers/net/ethernet/mellanox/mlx5/core/eq.c
+index ccd53a7a2b80..4f4f79ca37a8 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eq.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eq.c
+@@ -859,8 +859,8 @@ clean:
+ return err;
+ }
+
+-int mlx5_vector2eqn(struct mlx5_core_dev *dev, int vector, int *eqn,
+- unsigned int *irqn)
++static int vector2eqnirqn(struct mlx5_core_dev *dev, int vector, int *eqn,
++ unsigned int *irqn)
+ {
+ struct mlx5_eq_table *table = dev->priv.eq_table;
+ struct mlx5_eq_comp *eq, *n;
+@@ -869,8 +869,10 @@ int mlx5_vector2eqn(struct mlx5_core_dev *dev, int vector, int *eqn,
+
+ list_for_each_entry_safe(eq, n, &table->comp_eqs_list, list) {
+ if (i++ == vector) {
+- *eqn = eq->core.eqn;
+- *irqn = eq->core.irqn;
++ if (irqn)
++ *irqn = eq->core.irqn;
++ if (eqn)
++ *eqn = eq->core.eqn;
+ err = 0;
+ break;
+ }
+@@ -878,8 +880,18 @@ int mlx5_vector2eqn(struct mlx5_core_dev *dev, int vector, int *eqn,
+
+ return err;
+ }
++
++int mlx5_vector2eqn(struct mlx5_core_dev *dev, int vector, int *eqn)
++{
++ return vector2eqnirqn(dev, vector, eqn, NULL);
++}
+ EXPORT_SYMBOL(mlx5_vector2eqn);
+
++int mlx5_vector2irqn(struct mlx5_core_dev *dev, int vector, unsigned int *irqn)
++{
++ return vector2eqnirqn(dev, vector, NULL, irqn);
++}
++
+ unsigned int mlx5_comp_vectors_count(struct mlx5_core_dev *dev)
+ {
+ return dev->priv.eq_table->num_comp_eqs;
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c b/drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c
+index 80da50e12915..a42bd493293a 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c
+@@ -417,7 +417,6 @@ static int mlx5_fpga_conn_create_cq(struct mlx5_fpga_conn *conn, int cq_size)
+ struct mlx5_wq_param wqp;
+ struct mlx5_cqe64 *cqe;
+ int inlen, err, eqn;
+- unsigned int irqn;
+ void *cqc, *in;
+ __be64 *pas;
+ u32 i;
+@@ -446,7 +445,7 @@ static int mlx5_fpga_conn_create_cq(struct mlx5_fpga_conn *conn, int cq_size)
+ goto err_cqwq;
+ }
+
+- err = mlx5_vector2eqn(mdev, smp_processor_id(), &eqn, &irqn);
++ err = mlx5_vector2eqn(mdev, smp_processor_id(), &eqn);
+ if (err) {
+ kvfree(in);
+ goto err_cqwq;
+@@ -476,7 +475,6 @@ static int mlx5_fpga_conn_create_cq(struct mlx5_fpga_conn *conn, int cq_size)
+ *conn->cq.mcq.arm_db = 0;
+ conn->cq.mcq.vector = 0;
+ conn->cq.mcq.comp = mlx5_fpga_conn_cq_complete;
+- conn->cq.mcq.irqn = irqn;
+ conn->cq.mcq.uar = fdev->conn_res.uar;
+ tasklet_setup(&conn->cq.tasklet, mlx5_fpga_conn_cq_tasklet);
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/eq.h b/drivers/net/ethernet/mellanox/mlx5/core/lib/eq.h
+index 81f2cc4ca1da..fa79e6e6a98a 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/eq.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/eq.h
+@@ -98,4 +98,6 @@ void mlx5_core_eq_free_irqs(struct mlx5_core_dev *dev);
+ struct cpu_rmap *mlx5_eq_table_get_rmap(struct mlx5_core_dev *dev);
+ #endif
+
++int mlx5_vector2irqn(struct mlx5_core_dev *dev, int vector, unsigned int *irqn);
++
+ #endif
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_send.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_send.c
+index 24dede1b0a20..ea3c6cf27db4 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_send.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_send.c
+@@ -711,7 +711,6 @@ static struct mlx5dr_cq *dr_create_cq(struct mlx5_core_dev *mdev,
+ struct mlx5_cqe64 *cqe;
+ struct mlx5dr_cq *cq;
+ int inlen, err, eqn;
+- unsigned int irqn;
+ void *cqc, *in;
+ __be64 *pas;
+ int vector;
+@@ -744,7 +743,7 @@ static struct mlx5dr_cq *dr_create_cq(struct mlx5_core_dev *mdev,
+ goto err_cqwq;
+
+ vector = raw_smp_processor_id() % mlx5_comp_vectors_count(mdev);
+- err = mlx5_vector2eqn(mdev, vector, &eqn, &irqn);
++ err = mlx5_vector2eqn(mdev, vector, &eqn);
+ if (err) {
+ kvfree(in);
+ goto err_cqwq;
+@@ -780,7 +779,6 @@ static struct mlx5dr_cq *dr_create_cq(struct mlx5_core_dev *mdev,
+ *cq->mcq.arm_db = cpu_to_be32(2 << 28);
+
+ cq->mcq.vector = 0;
+- cq->mcq.irqn = irqn;
+ cq->mcq.uar = uar;
+
+ return cq;
+diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c b/drivers/vdpa/mlx5/net/mlx5_vnet.c
+index fe7ed3212473..fbdc9468818d 100644
+--- a/drivers/vdpa/mlx5/net/mlx5_vnet.c
++++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c
+@@ -511,7 +511,6 @@ static int cq_create(struct mlx5_vdpa_net *ndev, u16 idx, u32 num_ent)
+ void __iomem *uar_page = ndev->mvdev.res.uar->map;
+ u32 out[MLX5_ST_SZ_DW(create_cq_out)];
+ struct mlx5_vdpa_cq *vcq = &mvq->cq;
+- unsigned int irqn;
+ __be64 *pas;
+ int inlen;
+ void *cqc;
+@@ -551,7 +550,7 @@ static int cq_create(struct mlx5_vdpa_net *ndev, u16 idx, u32 num_ent)
+ /* Use vector 0 by default. Consider adding code to choose least used
+ * vector.
+ */
+- err = mlx5_vector2eqn(mdev, 0, &eqn, &irqn);
++ err = mlx5_vector2eqn(mdev, 0, &eqn);
+ if (err)
+ goto err_vec;
+
+diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h
+index add85094f9a5..41fbb4793394 100644
+--- a/include/linux/mlx5/driver.h
++++ b/include/linux/mlx5/driver.h
+@@ -981,8 +981,7 @@ void mlx5_unregister_debugfs(void);
+ void mlx5_fill_page_array(struct mlx5_frag_buf *buf, __be64 *pas);
+ void mlx5_fill_page_frag_array_perm(struct mlx5_frag_buf *buf, __be64 *pas, u8 perm);
+ void mlx5_fill_page_frag_array(struct mlx5_frag_buf *frag_buf, __be64 *pas);
+-int mlx5_vector2eqn(struct mlx5_core_dev *dev, int vector, int *eqn,
+- unsigned int *irqn);
++int mlx5_vector2eqn(struct mlx5_core_dev *dev, int vector, int *eqn);
+ int mlx5_core_attach_mcg(struct mlx5_core_dev *dev, union ib_gid *mgid, u32 qpn);
+ int mlx5_core_detach_mcg(struct mlx5_core_dev *dev, union ib_gid *mgid, u32 qpn);
+
+--
+2.30.2
+
--- /dev/null
+From be61583556543c7fc1e8d53986e0f6a2f216e717 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Aug 2021 23:53:30 -0700
+Subject: net: mvvp2: fix short frame size on s390
+
+From: John Hubbard <jhubbard@nvidia.com>
+
+[ Upstream commit 704e624f7b3e8a4fc1ce43fb564746d1d07b20c0 ]
+
+On s390, the following build warning occurs:
+
+drivers/net/ethernet/marvell/mvpp2/mvpp2.h:844:2: warning: overflow in
+conversion from 'long unsigned int' to 'int' changes value from
+'18446744073709551584' to '-32' [-Woverflow]
+844 | ((total_size) - MVPP2_SKB_HEADROOM - MVPP2_SKB_SHINFO_SIZE)
+
+This happens because MVPP2_SKB_SHINFO_SIZE, which is 320 bytes (which is
+already 64-byte aligned) on some architectures, actually gets ALIGN'd up
+to 512 bytes in the s390 case.
+
+So then, when this is invoked:
+
+ MVPP2_RX_MAX_PKT_SIZE(MVPP2_BM_SHORT_FRAME_SIZE)
+
+...that turns into:
+
+ 704 - 224 - 512 == -32
+
+...which is not a good frame size to end up with! The warning above is a
+bit lucky: it notices a signed/unsigned bad behavior here, which leads
+to the real problem of a frame that is too short for its contents.
+
+Increase MVPP2_BM_SHORT_FRAME_SIZE by 32 (from 704 to 736), which is
+just exactly big enough. (The other values can't readily be changed
+without causing a lot of other problems.)
+
+Fixes: 07dd0a7aae7f ("mvpp2: add basic XDP support")
+Cc: Sven Auhagen <sven.auhagen@voleatech.de>
+Cc: Matteo Croce <mcroce@microsoft.com>
+Cc: David S. Miller <davem@davemloft.net>
+Signed-off-by: John Hubbard <jhubbard@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2.h b/drivers/net/ethernet/marvell/mvpp2/mvpp2.h
+index a1aefce55e65..d825eb021b22 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2.h
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2.h
+@@ -854,7 +854,7 @@ enum mvpp22_ptp_packet_format {
+ #define MVPP2_BM_COOKIE_POOL_OFFS 8
+ #define MVPP2_BM_COOKIE_CPU_OFFS 24
+
+-#define MVPP2_BM_SHORT_FRAME_SIZE 704 /* frame size 128 */
++#define MVPP2_BM_SHORT_FRAME_SIZE 736 /* frame size 128 */
+ #define MVPP2_BM_LONG_FRAME_SIZE 2240 /* frame size 1664 */
+ #define MVPP2_BM_JUMBO_FRAME_SIZE 10432 /* frame size 9856 */
+ /* BM short pool packet size
+--
+2.30.2
+
--- /dev/null
+From 965ef8b2adabce2f3a51d3faeb3eb7cc785032d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Aug 2021 02:06:18 +0200
+Subject: net: phy: micrel: Fix link detection on ksz87xx switch"
+
+From: Ben Hutchings <ben.hutchings@mind.be>
+
+[ Upstream commit 2383cb9497d113360137a2be308b390faa80632d ]
+
+Commit a5e63c7d38d5 "net: phy: micrel: Fix detection of ksz87xx
+switch" broke link detection on the external ports of the KSZ8795.
+
+The previously unused phy_driver structure for these devices specifies
+config_aneg and read_status functions that appear to be designed for a
+fixed link and do not work with the embedded PHYs in the KSZ8795.
+
+Delete the use of these functions in favour of the generic PHY
+implementations which were used previously.
+
+Fixes: a5e63c7d38d5 ("net: phy: micrel: Fix detection of ksz87xx switch")
+Signed-off-by: Ben Hutchings <ben.hutchings@mind.be>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/micrel.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/net/phy/micrel.c b/drivers/net/phy/micrel.c
+index 9a566c5b36a6..69b20a466c61 100644
+--- a/drivers/net/phy/micrel.c
++++ b/drivers/net/phy/micrel.c
+@@ -1374,8 +1374,6 @@ static struct phy_driver ksphy_driver[] = {
+ .name = "Micrel KSZ87XX Switch",
+ /* PHY_BASIC_FEATURES */
+ .config_init = kszphy_config_init,
+- .config_aneg = ksz8873mll_config_aneg,
+- .read_status = ksz8873mll_read_status,
+ .match_phy_device = ksz8795_match_phy_device,
+ .suspend = genphy_suspend,
+ .resume = genphy_resume,
+--
+2.30.2
+
--- /dev/null
+From 3e723986d758e3123b0297b300886d27b327fa95 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Aug 2021 15:04:55 +0800
+Subject: net: sched: act_mirred: Reset ct info when mirror/redirect skb
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit d09c548dbf3b31cb07bba562e0f452edfa01efe3 ]
+
+When mirror/redirect a skb to a different port, the ct info should be reset
+for reclassification. Or the pkts will match unexpected rules. For example,
+with following topology and commands:
+
+ -----------
+ |
+ veth0 -+-------
+ |
+ veth1 -+-------
+ |
+ ------------
+
+ tc qdisc add dev veth0 clsact
+ # The same with "action mirred egress mirror dev veth1" or "action mirred ingress redirect dev veth1"
+ tc filter add dev veth0 egress chain 1 protocol ip flower ct_state +trk action mirred ingress mirror dev veth1
+ tc filter add dev veth0 egress chain 0 protocol ip flower ct_state -inv action ct commit action goto chain 1
+ tc qdisc add dev veth1 clsact
+ tc filter add dev veth1 ingress chain 0 protocol ip flower ct_state +trk action drop
+
+ ping <remove ip via veth0> &
+ tc -s filter show dev veth1 ingress
+
+With command 'tc -s filter show', we can find the pkts were dropped on
+veth1.
+
+Fixes: b57dc7c13ea9 ("net/sched: Introduce action ct")
+Signed-off-by: Roi Dayan <roid@nvidia.com>
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/act_mirred.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c
+index e24b7e2331cd..0b0eb18919c0 100644
+--- a/net/sched/act_mirred.c
++++ b/net/sched/act_mirred.c
+@@ -261,6 +261,9 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a,
+ goto out;
+ }
+
++ /* All mirred/redirected skbs should clear previous ct info */
++ nf_reset_ct(skb2);
++
+ want_ingress = tcf_mirred_act_wants_ingress(m_eaction);
+
+ expects_nh = want_ingress || !m_mac_header_xmit;
+--
+2.30.2
+
--- /dev/null
+From bb0468a979493436e47e925d6e87905950aca1c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Aug 2021 11:05:56 +0200
+Subject: net/smc: fix wait on already cleared link
+
+From: Karsten Graul <kgraul@linux.ibm.com>
+
+[ Upstream commit 8f3d65c166797746455553f4eaf74a5f89f996d4 ]
+
+There can be a race between the waiters for a tx work request buffer
+and the link down processing that finally clears the link. Although
+all waiters are woken up before the link is cleared there might be
+waiters which did not yet get back control and are still waiting.
+This results in an access to a cleared wait queue head.
+
+Fix this by introducing atomic reference counting around the wait calls,
+and wait with the link clear processing until all waiters have finished.
+Move the work request layer related calls into smc_wr.c and set the
+link state to INACTIVE before calling smcr_link_clear() in
+smc_llc_srv_add_link().
+
+Fixes: 15e1b99aadfb ("net/smc: no WR buffer wait for terminating link group")
+Signed-off-by: Karsten Graul <kgraul@linux.ibm.com>
+Signed-off-by: Guvenc Gulce <guvenc@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/smc_core.h | 2 ++
+ net/smc/smc_llc.c | 10 ++++------
+ net/smc/smc_tx.c | 18 +++++++++++++++++-
+ net/smc/smc_wr.c | 10 ++++++++++
+ 4 files changed, 33 insertions(+), 7 deletions(-)
+
+diff --git a/net/smc/smc_core.h b/net/smc/smc_core.h
+index f1e867ce2e63..4745a9a5a28f 100644
+--- a/net/smc/smc_core.h
++++ b/net/smc/smc_core.h
+@@ -94,6 +94,7 @@ struct smc_link {
+ unsigned long *wr_tx_mask; /* bit mask of used indexes */
+ u32 wr_tx_cnt; /* number of WR send buffers */
+ wait_queue_head_t wr_tx_wait; /* wait for free WR send buf */
++ atomic_t wr_tx_refcnt; /* tx refs to link */
+
+ struct smc_wr_buf *wr_rx_bufs; /* WR recv payload buffers */
+ struct ib_recv_wr *wr_rx_ibs; /* WR recv meta data */
+@@ -106,6 +107,7 @@ struct smc_link {
+
+ struct ib_reg_wr wr_reg; /* WR register memory region */
+ wait_queue_head_t wr_reg_wait; /* wait for wr_reg result */
++ atomic_t wr_reg_refcnt; /* reg refs to link */
+ enum smc_wr_reg_state wr_reg_state; /* state of wr_reg request */
+
+ u8 gid[SMC_GID_SIZE];/* gid matching used vlan id*/
+diff --git a/net/smc/smc_llc.c b/net/smc/smc_llc.c
+index 273eaf1bfe49..2e7560eba981 100644
+--- a/net/smc/smc_llc.c
++++ b/net/smc/smc_llc.c
+@@ -888,6 +888,7 @@ int smc_llc_cli_add_link(struct smc_link *link, struct smc_llc_qentry *qentry)
+ if (!rc)
+ goto out;
+ out_clear_lnk:
++ lnk_new->state = SMC_LNK_INACTIVE;
+ smcr_link_clear(lnk_new, false);
+ out_reject:
+ smc_llc_cli_add_link_reject(qentry);
+@@ -1184,6 +1185,7 @@ int smc_llc_srv_add_link(struct smc_link *link)
+ goto out_err;
+ return 0;
+ out_err:
++ link_new->state = SMC_LNK_INACTIVE;
+ smcr_link_clear(link_new, false);
+ return rc;
+ }
+@@ -1286,10 +1288,8 @@ static void smc_llc_process_cli_delete_link(struct smc_link_group *lgr)
+ del_llc->reason = 0;
+ smc_llc_send_message(lnk, &qentry->msg); /* response */
+
+- if (smc_link_downing(&lnk_del->state)) {
+- if (smc_switch_conns(lgr, lnk_del, false))
+- smc_wr_tx_wait_no_pending_sends(lnk_del);
+- }
++ if (smc_link_downing(&lnk_del->state))
++ smc_switch_conns(lgr, lnk_del, false);
+ smcr_link_clear(lnk_del, true);
+
+ active_links = smc_llc_active_link_count(lgr);
+@@ -1805,8 +1805,6 @@ void smc_llc_link_clear(struct smc_link *link, bool log)
+ link->smcibdev->ibdev->name, link->ibport);
+ complete(&link->llc_testlink_resp);
+ cancel_delayed_work_sync(&link->llc_testlink_wrk);
+- smc_wr_wakeup_reg_wait(link);
+- smc_wr_wakeup_tx_wait(link);
+ }
+
+ /* register a new rtoken at the remote peer (for all links) */
+diff --git a/net/smc/smc_tx.c b/net/smc/smc_tx.c
+index 4532c16bf85e..ff02952b3d03 100644
+--- a/net/smc/smc_tx.c
++++ b/net/smc/smc_tx.c
+@@ -479,7 +479,7 @@ static int smc_tx_rdma_writes(struct smc_connection *conn,
+ /* Wakeup sndbuf consumers from any context (IRQ or process)
+ * since there is more data to transmit; usable snd_wnd as max transmit
+ */
+-static int smcr_tx_sndbuf_nonempty(struct smc_connection *conn)
++static int _smcr_tx_sndbuf_nonempty(struct smc_connection *conn)
+ {
+ struct smc_cdc_producer_flags *pflags = &conn->local_tx_ctrl.prod_flags;
+ struct smc_link *link = conn->lnk;
+@@ -533,6 +533,22 @@ out_unlock:
+ return rc;
+ }
+
++static int smcr_tx_sndbuf_nonempty(struct smc_connection *conn)
++{
++ struct smc_link *link = conn->lnk;
++ int rc = -ENOLINK;
++
++ if (!link)
++ return rc;
++
++ atomic_inc(&link->wr_tx_refcnt);
++ if (smc_link_usable(link))
++ rc = _smcr_tx_sndbuf_nonempty(conn);
++ if (atomic_dec_and_test(&link->wr_tx_refcnt))
++ wake_up_all(&link->wr_tx_wait);
++ return rc;
++}
++
+ static int smcd_tx_sndbuf_nonempty(struct smc_connection *conn)
+ {
+ struct smc_cdc_producer_flags *pflags = &conn->local_tx_ctrl.prod_flags;
+diff --git a/net/smc/smc_wr.c b/net/smc/smc_wr.c
+index 1e23cdd41eb1..9dbe4804853e 100644
+--- a/net/smc/smc_wr.c
++++ b/net/smc/smc_wr.c
+@@ -322,9 +322,12 @@ int smc_wr_reg_send(struct smc_link *link, struct ib_mr *mr)
+ if (rc)
+ return rc;
+
++ atomic_inc(&link->wr_reg_refcnt);
+ rc = wait_event_interruptible_timeout(link->wr_reg_wait,
+ (link->wr_reg_state != POSTED),
+ SMC_WR_REG_MR_WAIT_TIME);
++ if (atomic_dec_and_test(&link->wr_reg_refcnt))
++ wake_up_all(&link->wr_reg_wait);
+ if (!rc) {
+ /* timeout - terminate link */
+ smcr_link_down_cond_sched(link);
+@@ -566,10 +569,15 @@ void smc_wr_free_link(struct smc_link *lnk)
+ return;
+ ibdev = lnk->smcibdev->ibdev;
+
++ smc_wr_wakeup_reg_wait(lnk);
++ smc_wr_wakeup_tx_wait(lnk);
++
+ if (smc_wr_tx_wait_no_pending_sends(lnk))
+ memset(lnk->wr_tx_mask, 0,
+ BITS_TO_LONGS(SMC_WR_BUF_CNT) *
+ sizeof(*lnk->wr_tx_mask));
++ wait_event(lnk->wr_reg_wait, (!atomic_read(&lnk->wr_reg_refcnt)));
++ wait_event(lnk->wr_tx_wait, (!atomic_read(&lnk->wr_tx_refcnt)));
+
+ if (lnk->wr_rx_dma_addr) {
+ ib_dma_unmap_single(ibdev, lnk->wr_rx_dma_addr,
+@@ -730,7 +738,9 @@ int smc_wr_create_link(struct smc_link *lnk)
+ memset(lnk->wr_tx_mask, 0,
+ BITS_TO_LONGS(SMC_WR_BUF_CNT) * sizeof(*lnk->wr_tx_mask));
+ init_waitqueue_head(&lnk->wr_tx_wait);
++ atomic_set(&lnk->wr_tx_refcnt, 0);
+ init_waitqueue_head(&lnk->wr_reg_wait);
++ atomic_set(&lnk->wr_reg_refcnt, 0);
+ return rc;
+
+ dma_unmap:
+--
+2.30.2
+
--- /dev/null
+From b8a0c4586a2d90926351aefe20a00f4926e1aa40 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Jul 2021 16:20:21 +0800
+Subject: netfilter: nf_conntrack_bridge: Fix memory leak when error
+
+From: Yajun Deng <yajun.deng@linux.dev>
+
+[ Upstream commit 38ea9def5b62f9193f6bad96c5d108e2830ecbde ]
+
+It should be added kfree_skb_list() when err is not equal to zero
+in nf_br_ip_fragment().
+
+v2: keep this aligned with IPv6.
+v3: modify iter.frag_list to iter.frag.
+
+Fixes: 3c171f496ef5 ("netfilter: bridge: add connection tracking system")
+Signed-off-by: Yajun Deng <yajun.deng@linux.dev>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/netfilter/nf_conntrack_bridge.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/bridge/netfilter/nf_conntrack_bridge.c b/net/bridge/netfilter/nf_conntrack_bridge.c
+index 8d033a75a766..fdbed3158555 100644
+--- a/net/bridge/netfilter/nf_conntrack_bridge.c
++++ b/net/bridge/netfilter/nf_conntrack_bridge.c
+@@ -88,6 +88,12 @@ static int nf_br_ip_fragment(struct net *net, struct sock *sk,
+
+ skb = ip_fraglist_next(&iter);
+ }
++
++ if (!err)
++ return 0;
++
++ kfree_skb_list(iter.frag);
++
+ return err;
+ }
+ slow_path:
+--
+2.30.2
+
--- /dev/null
+From d30449f2afe75f1f35f51a044e90294abc2ffdf1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Jul 2021 16:09:55 +0800
+Subject: pinctrl: mediatek: Fix fallback behavior for bias_set_combo
+
+From: Hsin-Yi Wang <hsinyi@chromium.org>
+
+[ Upstream commit 798a315fc359aa6dbe48e09d802aa59b7e158ffc ]
+
+Some pin doesn't support PUPD register, if it fails and fallbacks with
+bias_set_combo case, it will call mtk_pinconf_bias_set_pupd_r1_r0() to
+modify the PUPD pin again.
+
+Since the general bias set are either PU/PD or PULLSEL/PULLEN, try
+bias_set or bias_set_rev1 for the other fallback case. If the pin
+doesn't support neither PU/PD nor PULLSEL/PULLEN, it will return
+-ENOTSUPP.
+
+Fixes: 81bd1579b43e ("pinctrl: mediatek: Fix fallback call path")
+Signed-off-by: Hsin-Yi Wang <hsinyi@chromium.org>
+Reviewed-by: Chen-Yu Tsai <wenst@chromium.org>
+Reviewed-by: Zhiyong Tao <zhiyong.tao@mediatek.com>
+Link: https://lore.kernel.org/r/20210701080955.2660294-1-hsinyi@chromium.org
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c b/drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c
+index 7815426e7aea..10002b8497fe 100644
+--- a/drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c
++++ b/drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c
+@@ -926,12 +926,10 @@ int mtk_pinconf_adv_pull_set(struct mtk_pinctrl *hw,
+ err = hw->soc->bias_set(hw, desc, pullup);
+ if (err)
+ return err;
+- } else if (hw->soc->bias_set_combo) {
+- err = hw->soc->bias_set_combo(hw, desc, pullup, arg);
+- if (err)
+- return err;
+ } else {
+- return -ENOTSUPP;
++ err = mtk_pinconf_bias_set_rev1(hw, desc, pullup);
++ if (err)
++ err = mtk_pinconf_bias_set(hw, desc, pullup);
+ }
+ }
+
+--
+2.30.2
+
--- /dev/null
+From f088bf5351615e87b4cd29662098fa6e9d03996b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Aug 2021 14:21:41 +0300
+Subject: pinctrl: tigerlake: Fix GPIO mapping for newer version of software
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 2f658f7a3953f6d70bab90e117aff8d0ad44e200 ]
+
+The software mapping for GPIO, which initially comes from Microsoft,
+is subject to change by respective Windows and firmware developers.
+Due to the above the driver had been written and published way ahead
+of the schedule, and thus the numbering schema used in it is outdated.
+
+Fix the numbering schema in accordance with the real products on market.
+
+Fixes: 653d96455e1e ("pinctrl: tigerlake: Add support for Tiger Lake-H")
+Reported-and-tested-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Reported-by: Riccardo Mori <patacca@autistici.org>
+Reported-and-tested-by: Lovesh <lovesh.bond@gmail.com>
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=213463
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=213579
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=213857
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/intel/pinctrl-tigerlake.c | 26 +++++++++++------------
+ 1 file changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/pinctrl/intel/pinctrl-tigerlake.c b/drivers/pinctrl/intel/pinctrl-tigerlake.c
+index 3e354e02f408..bed769d99b8b 100644
+--- a/drivers/pinctrl/intel/pinctrl-tigerlake.c
++++ b/drivers/pinctrl/intel/pinctrl-tigerlake.c
+@@ -701,32 +701,32 @@ static const struct pinctrl_pin_desc tglh_pins[] = {
+
+ static const struct intel_padgroup tglh_community0_gpps[] = {
+ TGL_GPP(0, 0, 24, 0), /* GPP_A */
+- TGL_GPP(1, 25, 44, 128), /* GPP_R */
+- TGL_GPP(2, 45, 70, 32), /* GPP_B */
+- TGL_GPP(3, 71, 78, INTEL_GPIO_BASE_NOMAP), /* vGPIO_0 */
++ TGL_GPP(1, 25, 44, 32), /* GPP_R */
++ TGL_GPP(2, 45, 70, 64), /* GPP_B */
++ TGL_GPP(3, 71, 78, 96), /* vGPIO_0 */
+ };
+
+ static const struct intel_padgroup tglh_community1_gpps[] = {
+- TGL_GPP(0, 79, 104, 96), /* GPP_D */
+- TGL_GPP(1, 105, 128, 64), /* GPP_C */
+- TGL_GPP(2, 129, 136, 160), /* GPP_S */
+- TGL_GPP(3, 137, 153, 192), /* GPP_G */
+- TGL_GPP(4, 154, 180, 224), /* vGPIO */
++ TGL_GPP(0, 79, 104, 128), /* GPP_D */
++ TGL_GPP(1, 105, 128, 160), /* GPP_C */
++ TGL_GPP(2, 129, 136, 192), /* GPP_S */
++ TGL_GPP(3, 137, 153, 224), /* GPP_G */
++ TGL_GPP(4, 154, 180, 256), /* vGPIO */
+ };
+
+ static const struct intel_padgroup tglh_community3_gpps[] = {
+- TGL_GPP(0, 181, 193, 256), /* GPP_E */
+- TGL_GPP(1, 194, 217, 288), /* GPP_F */
++ TGL_GPP(0, 181, 193, 288), /* GPP_E */
++ TGL_GPP(1, 194, 217, 320), /* GPP_F */
+ };
+
+ static const struct intel_padgroup tglh_community4_gpps[] = {
+- TGL_GPP(0, 218, 241, 320), /* GPP_H */
++ TGL_GPP(0, 218, 241, 352), /* GPP_H */
+ TGL_GPP(1, 242, 251, 384), /* GPP_J */
+- TGL_GPP(2, 252, 266, 352), /* GPP_K */
++ TGL_GPP(2, 252, 266, 416), /* GPP_K */
+ };
+
+ static const struct intel_padgroup tglh_community5_gpps[] = {
+- TGL_GPP(0, 267, 281, 416), /* GPP_I */
++ TGL_GPP(0, 267, 281, 448), /* GPP_I */
+ TGL_GPP(1, 282, 290, INTEL_GPIO_BASE_NOMAP), /* JTAG */
+ };
+
+--
+2.30.2
+
--- /dev/null
+From fc76311915393bd2bf4bb3d3b1761838e5c8e1bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Aug 2021 13:55:15 +0200
+Subject: platform/x86: pcengines-apuv2: Add missing terminating entries to
+ gpio-lookup tables
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 9d7b132e62e41b7d49bf157aeaf9147c27492e0f ]
+
+The gpiod_lookup_table.table passed to gpiod_add_lookup_table() must
+be terminated with an empty entry, add this.
+
+Note we have likely been getting away with this not being present because
+the GPIO lookup code first matches on the dev_id, causing most lookups to
+skip checking the table and the lookups which do check the table will
+find a matching entry before reaching the end. With that said, terminating
+these tables properly still is obviously the correct thing to do.
+
+Fixes: f8eb0235f659 ("x86: pcengines apuv2 gpio/leds/keys platform driver")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20210806115515.12184-1-hdegoede@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/pcengines-apuv2.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/platform/x86/pcengines-apuv2.c b/drivers/platform/x86/pcengines-apuv2.c
+index c37349f97bb8..d063d91db9bc 100644
+--- a/drivers/platform/x86/pcengines-apuv2.c
++++ b/drivers/platform/x86/pcengines-apuv2.c
+@@ -94,6 +94,7 @@ static struct gpiod_lookup_table gpios_led_table = {
+ NULL, 1, GPIO_ACTIVE_LOW),
+ GPIO_LOOKUP_IDX(AMD_FCH_GPIO_DRIVER_NAME, APU2_GPIO_LINE_LED3,
+ NULL, 2, GPIO_ACTIVE_LOW),
++ {} /* Terminating entry */
+ }
+ };
+
+@@ -123,6 +124,7 @@ static struct gpiod_lookup_table gpios_key_table = {
+ .table = {
+ GPIO_LOOKUP_IDX(AMD_FCH_GPIO_DRIVER_NAME, APU2_GPIO_LINE_MODESW,
+ NULL, 0, GPIO_ACTIVE_LOW),
++ {} /* Terminating entry */
+ }
+ };
+
+--
+2.30.2
+
--- /dev/null
+From 70a334a96760579ba9fab179546fb11eb5ffba25 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Aug 2021 15:27:03 +0200
+Subject: ppp: Fix generating ifname when empty IFLA_IFNAME is specified
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit 2459dcb96bcba94c08d6861f8a050185ff301672 ]
+
+IFLA_IFNAME is nul-term string which means that IFLA_IFNAME buffer can be
+larger than length of string which contains.
+
+Function __rtnl_newlink() generates new own ifname if either IFLA_IFNAME
+was not specified at all or userspace passed empty nul-term string.
+
+It is expected that if userspace does not specify ifname for new ppp netdev
+then kernel generates one in format "ppp<id>" where id matches to the ppp
+unit id which can be later obtained by PPPIOCGUNIT ioctl.
+
+And it works in this way if IFLA_IFNAME is not specified at all. But it
+does not work when IFLA_IFNAME is specified with empty string.
+
+So fix this logic also for empty IFLA_IFNAME in ppp_nl_newlink() function
+and correctly generates ifname based on ppp unit identifier if userspace
+did not provided preferred ifname.
+
+Without this patch when IFLA_IFNAME was specified with empty string then
+kernel created a new ppp interface in format "ppp<id>" but id did not
+match ppp unit id returned by PPPIOCGUNIT ioctl. In this case id was some
+number generated by __rtnl_newlink() function.
+
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Fixes: bb8082f69138 ("ppp: build ifname using unit identifier for rtnl based devices")
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ppp/ppp_generic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
+index f7a13529e4ad..33b2e0fb68bb 100644
+--- a/drivers/net/ppp/ppp_generic.c
++++ b/drivers/net/ppp/ppp_generic.c
+@@ -1207,7 +1207,7 @@ static int ppp_nl_newlink(struct net *src_net, struct net_device *dev,
+ * the PPP unit identifer as suffix (i.e. ppp<unit_id>). This allows
+ * userspace to infer the device name using to the PPPIOCGUNIT ioctl.
+ */
+- if (!tb[IFLA_IFNAME])
++ if (!tb[IFLA_IFNAME] || !nla_len(tb[IFLA_IFNAME]) || !*(char *)nla_data(tb[IFLA_IFNAME]))
+ conf.ifname_is_set = false;
+
+ err = ppp_dev_configure(src_net, dev, &conf);
+--
+2.30.2
+
--- /dev/null
+From 9746793d4a387359ad98d17b189744272937c74f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Aug 2021 09:52:42 +0300
+Subject: psample: Add a fwd declaration for skbuff
+
+From: Roi Dayan <roid@nvidia.com>
+
+[ Upstream commit beb7f2de5728b0bd2140a652fa51f6ad85d159f7 ]
+
+Without this there is a warning if source files include psample.h
+before skbuff.h or doesn't include it at all.
+
+Fixes: 6ae0a6286171 ("net: Introduce psample, a new genetlink channel for packet sampling")
+Signed-off-by: Roi Dayan <roid@nvidia.com>
+Link: https://lore.kernel.org/r/20210808065242.1522535-1-roid@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/psample.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/net/psample.h b/include/net/psample.h
+index 68ae16bb0a4a..20a17551f790 100644
+--- a/include/net/psample.h
++++ b/include/net/psample.h
+@@ -18,6 +18,8 @@ struct psample_group *psample_group_get(struct net *net, u32 group_num);
+ void psample_group_take(struct psample_group *group);
+ void psample_group_put(struct psample_group *group);
+
++struct sk_buff;
++
+ #if IS_ENABLED(CONFIG_PSAMPLE)
+
+ void psample_sample_packet(struct psample_group *group, struct sk_buff *skb,
+--
+2.30.2
+
--- /dev/null
+ieee802154-hwsim-fix-gpf-in-hwsim_set_edge_lqi.patch
+ieee802154-hwsim-fix-gpf-in-hwsim_new_edge_nl.patch
+pinctrl-mediatek-fix-fallback-behavior-for-bias_set_.patch
+asoc-cs42l42-correct-definition-of-adc-volume-contro.patch
+asoc-cs42l42-don-t-allow-snd_soc_daifmt_left_j.patch
+interconnect-qcom-icc-rpmh-add-bcms-to-commit-list-i.patch
+asoc-sof-intel-hda-ipc-fix-reply-size-checking.patch
+asoc-cs42l42-fix-inversion-of-adc-notch-switch-contr.patch
+asoc-cs42l42-remove-duplicate-control-for-wnf-filter.patch
+netfilter-nf_conntrack_bridge-fix-memory-leak-when-e.patch
+pinctrl-tigerlake-fix-gpio-mapping-for-newer-version.patch
+asoc-cs42l42-fix-lrclk-frame-start-edge.patch
+net-dsa-mt7530-add-the-missing-rxunicast-mib-counter.patch
+net-mvvp2-fix-short-frame-size-on-s390.patch
+platform-x86-pcengines-apuv2-add-missing-terminating.patch
+libbpf-fix-probe-for-bpf_prog_type_cgroup_sockopt.patch
+bpf-fix-integer-overflow-involving-bucket_size.patch
+net-phy-micrel-fix-link-detection-on-ksz87xx-switch.patch
+ppp-fix-generating-ifname-when-empty-ifla_ifname-is-.patch
+net-smc-fix-wait-on-already-cleared-link.patch
+net-sched-act_mirred-reset-ct-info-when-mirror-redir.patch
+ice-prevent-probing-virtual-functions.patch
+ice-don-t-remove-netdev-dev_addr-from-uc-sync-list.patch
+iavf-set-rss-lut-and-key-in-reset-handle-path.patch
+psample-add-a-fwd-declaration-for-skbuff.patch
+bareudp-fix-invalid-read-beyond-skb-s-linear-data.patch
+net-mlx5-synchronize-correct-irq-when-destroying-cq.patch
+net-mlx5-fix-return-value-from-tracer-initialization.patch
+drm-meson-fix-colour-distortion-from-hdr-set-during-.patch
+net-dsa-microchip-fix-ksz_read64.patch
+net-dsa-microchip-ksz8795-fix-vlan-filtering.patch
+net-fix-memory-leak-in-ieee802154_raw_deliver.patch
+net-igmp-fix-data-race-in-igmp_ifc_timer_expire.patch
+net-dsa-lan9303-fix-broken-backpressure-in-.port_fdb.patch
+net-dsa-lantiq-fix-broken-backpressure-in-.port_fdb_.patch
+net-dsa-sja1105-fix-broken-backpressure-in-.port_fdb.patch
+net-bridge-validate-the-nud_permanent-bit-when-addin.patch
+net-bridge-fix-flags-interpretation-for-extern-learn.patch
+net-bridge-fix-memleak-in-br_add_if.patch
+net-linkwatch-fix-failure-to-restore-device-state-ac.patch
+tcp_bbr-fix-u32-wrap-bug-in-round-logic-if-bbr_init-.patch
+net-igmp-increase-size-of-mr_ifc_count.patch
+drm-i915-only-access-sfc_done-when-media-domain-is-n.patch
+xen-events-fix-race-in-set_evtchn_to_irq.patch
+vsock-virtio-avoid-potential-deadlock-when-vsock-dev.patch
+nbd-aovid-double-completion-of-a-request.patch
--- /dev/null
+From d6cea02c543e85782f85981f959e518e4afca161 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 22:40:56 -0400
+Subject: tcp_bbr: fix u32 wrap bug in round logic if bbr_init() called after
+ 2B packets
+
+From: Neal Cardwell <ncardwell@google.com>
+
+[ Upstream commit 6de035fec045f8ae5ee5f3a02373a18b939e91fb ]
+
+Currently if BBR congestion control is initialized after more than 2B
+packets have been delivered, depending on the phase of the
+tp->delivered counter the tracking of BBR round trips can get stuck.
+
+The bug arises because if tp->delivered is between 2^31 and 2^32 at
+the time the BBR congestion control module is initialized, then the
+initialization of bbr->next_rtt_delivered to 0 will cause the logic to
+believe that the end of the round trip is still billions of packets in
+the future. More specifically, the following check will fail
+repeatedly:
+
+ !before(rs->prior_delivered, bbr->next_rtt_delivered)
+
+and thus the connection will take up to 2B packets delivered before
+that check will pass and the connection will set:
+
+ bbr->round_start = 1;
+
+This could cause many mechanisms in BBR to fail to trigger, for
+example bbr_check_full_bw_reached() would likely never exit STARTUP.
+
+This bug is 5 years old and has not been observed, and as a practical
+matter this would likely rarely trigger, since it would require
+transferring at least 2B packets, or likely more than 3 terabytes of
+data, before switching congestion control algorithms to BBR.
+
+This patch is a stable candidate for kernels as far back as v4.9,
+when tcp_bbr.c was added.
+
+Fixes: 0f8782ea1497 ("tcp_bbr: add BBR congestion control")
+Signed-off-by: Neal Cardwell <ncardwell@google.com>
+Reviewed-by: Yuchung Cheng <ycheng@google.com>
+Reviewed-by: Kevin Yang <yyd@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20210811024056.235161-1-ncardwell@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_bbr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp_bbr.c b/net/ipv4/tcp_bbr.c
+index 6ea3dc2e4219..6274462b86b4 100644
+--- a/net/ipv4/tcp_bbr.c
++++ b/net/ipv4/tcp_bbr.c
+@@ -1041,7 +1041,7 @@ static void bbr_init(struct sock *sk)
+ bbr->prior_cwnd = 0;
+ tp->snd_ssthresh = TCP_INFINITE_SSTHRESH;
+ bbr->rtt_cnt = 0;
+- bbr->next_rtt_delivered = 0;
++ bbr->next_rtt_delivered = tp->delivered;
+ bbr->prev_ca_state = TCP_CA_Open;
+ bbr->packet_conservation = 0;
+
+--
+2.30.2
+
--- /dev/null
+From 2c2ca2b6a3b5cba3a1b86688315a02bc81c53a0d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Aug 2021 13:30:56 +0800
+Subject: vsock/virtio: avoid potential deadlock when vsock device remove
+
+From: Longpeng(Mike) <longpeng2@huawei.com>
+
+[ Upstream commit 49b0b6ffe20c5344f4173f3436298782a08da4f2 ]
+
+There's a potential deadlock case when remove the vsock device or
+process the RESET event:
+
+ vsock_for_each_connected_socket:
+ spin_lock_bh(&vsock_table_lock) ----------- (1)
+ ...
+ virtio_vsock_reset_sock:
+ lock_sock(sk) --------------------- (2)
+ ...
+ spin_unlock_bh(&vsock_table_lock)
+
+lock_sock() may do initiative schedule when the 'sk' is owned by
+other thread at the same time, we would receivce a warning message
+that "scheduling while atomic".
+
+Even worse, if the next task (selected by the scheduler) try to
+release a 'sk', it need to request vsock_table_lock and the deadlock
+occur, cause the system into softlockup state.
+ Call trace:
+ queued_spin_lock_slowpath
+ vsock_remove_bound
+ vsock_remove_sock
+ virtio_transport_release
+ __vsock_release
+ vsock_release
+ __sock_release
+ sock_close
+ __fput
+ ____fput
+
+So we should not require sk_lock in this case, just like the behavior
+in vhost_vsock or vmci.
+
+Fixes: 0ea9e1d3a9e3 ("VSOCK: Introduce virtio_transport.ko")
+Cc: Stefan Hajnoczi <stefanha@redhat.com>
+Signed-off-by: Longpeng(Mike) <longpeng2@huawei.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Link: https://lore.kernel.org/r/20210812053056.1699-1-longpeng2@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/vmw_vsock/virtio_transport.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/net/vmw_vsock/virtio_transport.c b/net/vmw_vsock/virtio_transport.c
+index 2700a63ab095..3a056f8affd1 100644
+--- a/net/vmw_vsock/virtio_transport.c
++++ b/net/vmw_vsock/virtio_transport.c
+@@ -356,11 +356,14 @@ static void virtio_vsock_event_fill(struct virtio_vsock *vsock)
+
+ static void virtio_vsock_reset_sock(struct sock *sk)
+ {
+- lock_sock(sk);
++ /* vmci_transport.c doesn't take sk_lock here either. At least we're
++ * under vsock_table_lock so the sock cannot disappear while we're
++ * executing.
++ */
++
+ sk->sk_state = TCP_CLOSE;
+ sk->sk_err = ECONNRESET;
+ sk->sk_error_report(sk);
+- release_sock(sk);
+ }
+
+ static void virtio_vsock_update_guest_cid(struct virtio_vsock *vsock)
+--
+2.30.2
+
--- /dev/null
+From 2915442f34a39458066b9e24424b88261b3fef1f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Aug 2021 13:09:27 +0000
+Subject: xen/events: Fix race in set_evtchn_to_irq
+
+From: Maximilian Heyne <mheyne@amazon.de>
+
+[ Upstream commit 88ca2521bd5b4e8b83743c01a2d4cb09325b51e9 ]
+
+There is a TOCTOU issue in set_evtchn_to_irq. Rows in the evtchn_to_irq
+mapping are lazily allocated in this function. The check whether the row
+is already present and the row initialization is not synchronized. Two
+threads can at the same time allocate a new row for evtchn_to_irq and
+add the irq mapping to the their newly allocated row. One thread will
+overwrite what the other has set for evtchn_to_irq[row] and therefore
+the irq mapping is lost. This will trigger a BUG_ON later in
+bind_evtchn_to_cpu:
+
+ INFO: pci 0000:1a:15.4: [1d0f:8061] type 00 class 0x010802
+ INFO: nvme 0000:1a:12.1: enabling device (0000 -> 0002)
+ INFO: nvme nvme77: 1/0/0 default/read/poll queues
+ CRIT: kernel BUG at drivers/xen/events/events_base.c:427!
+ WARN: invalid opcode: 0000 [#1] SMP NOPTI
+ WARN: Workqueue: nvme-reset-wq nvme_reset_work [nvme]
+ WARN: RIP: e030:bind_evtchn_to_cpu+0xc2/0xd0
+ WARN: Call Trace:
+ WARN: set_affinity_irq+0x121/0x150
+ WARN: irq_do_set_affinity+0x37/0xe0
+ WARN: irq_setup_affinity+0xf6/0x170
+ WARN: irq_startup+0x64/0xe0
+ WARN: __setup_irq+0x69e/0x740
+ WARN: ? request_threaded_irq+0xad/0x160
+ WARN: request_threaded_irq+0xf5/0x160
+ WARN: ? nvme_timeout+0x2f0/0x2f0 [nvme]
+ WARN: pci_request_irq+0xa9/0xf0
+ WARN: ? pci_alloc_irq_vectors_affinity+0xbb/0x130
+ WARN: queue_request_irq+0x4c/0x70 [nvme]
+ WARN: nvme_reset_work+0x82d/0x1550 [nvme]
+ WARN: ? check_preempt_wakeup+0x14f/0x230
+ WARN: ? check_preempt_curr+0x29/0x80
+ WARN: ? nvme_irq_check+0x30/0x30 [nvme]
+ WARN: process_one_work+0x18e/0x3c0
+ WARN: worker_thread+0x30/0x3a0
+ WARN: ? process_one_work+0x3c0/0x3c0
+ WARN: kthread+0x113/0x130
+ WARN: ? kthread_park+0x90/0x90
+ WARN: ret_from_fork+0x3a/0x50
+
+This patch sets evtchn_to_irq rows via a cmpxchg operation so that they
+will be set only once. The row is now cleared before writing it to
+evtchn_to_irq in order to not create a race once the row is visible for
+other threads.
+
+While at it, do not require the page to be zeroed, because it will be
+overwritten with -1's in clear_evtchn_to_irq_row anyway.
+
+Signed-off-by: Maximilian Heyne <mheyne@amazon.de>
+Fixes: d0b075ffeede ("xen/events: Refactor evtchn_to_irq array to be dynamically allocated")
+Link: https://lore.kernel.org/r/20210812130930.127134-1-mheyne@amazon.de
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/xen/events/events_base.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c
+index af0f6ad32522..fba78daee449 100644
+--- a/drivers/xen/events/events_base.c
++++ b/drivers/xen/events/events_base.c
+@@ -192,12 +192,12 @@ static void disable_dynirq(struct irq_data *data);
+
+ static DEFINE_PER_CPU(unsigned int, irq_epoch);
+
+-static void clear_evtchn_to_irq_row(unsigned row)
++static void clear_evtchn_to_irq_row(int *evtchn_row)
+ {
+ unsigned col;
+
+ for (col = 0; col < EVTCHN_PER_ROW; col++)
+- WRITE_ONCE(evtchn_to_irq[row][col], -1);
++ WRITE_ONCE(evtchn_row[col], -1);
+ }
+
+ static void clear_evtchn_to_irq_all(void)
+@@ -207,7 +207,7 @@ static void clear_evtchn_to_irq_all(void)
+ for (row = 0; row < EVTCHN_ROW(xen_evtchn_max_channels()); row++) {
+ if (evtchn_to_irq[row] == NULL)
+ continue;
+- clear_evtchn_to_irq_row(row);
++ clear_evtchn_to_irq_row(evtchn_to_irq[row]);
+ }
+ }
+
+@@ -215,6 +215,7 @@ static int set_evtchn_to_irq(evtchn_port_t evtchn, unsigned int irq)
+ {
+ unsigned row;
+ unsigned col;
++ int *evtchn_row;
+
+ if (evtchn >= xen_evtchn_max_channels())
+ return -EINVAL;
+@@ -227,11 +228,18 @@ static int set_evtchn_to_irq(evtchn_port_t evtchn, unsigned int irq)
+ if (irq == -1)
+ return 0;
+
+- evtchn_to_irq[row] = (int *)get_zeroed_page(GFP_KERNEL);
+- if (evtchn_to_irq[row] == NULL)
++ evtchn_row = (int *) __get_free_pages(GFP_KERNEL, 0);
++ if (evtchn_row == NULL)
+ return -ENOMEM;
+
+- clear_evtchn_to_irq_row(row);
++ clear_evtchn_to_irq_row(evtchn_row);
++
++ /*
++ * We've prepared an empty row for the mapping. If a different
++ * thread was faster inserting it, we can drop ours.
++ */
++ if (cmpxchg(&evtchn_to_irq[row], NULL, evtchn_row) != NULL)
++ free_page((unsigned long) evtchn_row);
+ }
+
+ WRITE_ONCE(evtchn_to_irq[row][col], irq);
+--
+2.30.2
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
