--- /dev/null
+From c4e95ecb9459cb981fb70bd2be4ac5e393e6e86f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Oct 2021 09:46:53 -0700
+Subject: ARM: dts: BCM5301X: Add interrupt properties to GPIO node
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit 40f7342f0587639e5ad625adaa15efdd3cffb18f ]
+
+The GPIO controller is also an interrupt controller provider and is
+currently missing the appropriate 'interrupt-controller' and
+'#interrupt-cells' properties to denote that.
+
+Fixes: fb026d3de33b ("ARM: BCM5301X: Add Broadcom's bus-axi to the DTS file")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/bcm5301x.dtsi | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm/boot/dts/bcm5301x.dtsi b/arch/arm/boot/dts/bcm5301x.dtsi
+index 51f20ded92f04..05d67f9769118 100644
+--- a/arch/arm/boot/dts/bcm5301x.dtsi
++++ b/arch/arm/boot/dts/bcm5301x.dtsi
+@@ -242,6 +242,8 @@ chipcommon: chipcommon@0 {
+
+ gpio-controller;
+ #gpio-cells = <2>;
++ interrupt-controller;
++ #interrupt-cells = <2>;
+ };
+
+ pcie0: pcie@12000 {
+--
+2.33.0
+
--- /dev/null
+From 37fb133afd91ec5fe3a86709e62f92b0895d790d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Oct 2021 12:37:29 -0700
+Subject: ARM: dts: BCM5301X: Fix I2C controller interrupt
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit 754c4050a00e802e122690112fc2c3a6abafa7e2 ]
+
+The I2C interrupt controller line is off by 32 because the datasheet
+describes interrupt inputs into the GIC which are for Shared Peripheral
+Interrupts and are starting at offset 32. The ARM GIC binding expects
+the SPI interrupts to be numbered from 0 relative to the SPI base.
+
+Fixes: bb097e3e0045 ("ARM: dts: BCM5301X: Add I2C support to the DT")
+Tested-by: Christian Lamparter <chunkeey@gmail.com>
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/bcm5301x.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/bcm5301x.dtsi b/arch/arm/boot/dts/bcm5301x.dtsi
+index 9711170649b69..51f20ded92f04 100644
+--- a/arch/arm/boot/dts/bcm5301x.dtsi
++++ b/arch/arm/boot/dts/bcm5301x.dtsi
+@@ -387,7 +387,7 @@ usb3_dmp: syscon@18105000 {
+ i2c0: i2c@18009000 {
+ compatible = "brcm,iproc-i2c";
+ reg = <0x18009000 0x50>;
+- interrupts = <GIC_SPI 121 IRQ_TYPE_LEVEL_HIGH>;
++ interrupts = <GIC_SPI 89 IRQ_TYPE_LEVEL_HIGH>;
+ #address-cells = <1>;
+ #size-cells = <0>;
+ clock-frequency = <100000>;
+--
+2.33.0
+
--- /dev/null
+From d98e9ea834c6d0b9a285cfb47f9c66515d5a963f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Nov 2021 15:25:08 +0100
+Subject: ARM: socfpga: Fix crash with CONFIG_FORTIRY_SOURCE
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 187bea472600dcc8d2eb714335053264dd437172 ]
+
+When CONFIG_FORTIFY_SOURCE is set, memcpy() checks the potential
+buffer overflow and panics. The code in sofcpga bootstrapping
+contains the memcpy() calls are mistakenly translated as the shorter
+size, hence it triggers a panic as if it were overflowing.
+
+This patch changes the secondary_trampoline and *_end definitions
+to arrays for avoiding the false-positive crash above.
+
+Fixes: 9c4566a117a6 ("ARM: socfpga: Enable SMP for socfpga")
+Suggested-by: Kees Cook <keescook@chromium.org>
+Buglink: https://bugzilla.suse.com/show_bug.cgi?id=1192473
+Link: https://lore.kernel.org/r/20211117193244.31162-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-socfpga/core.h | 2 +-
+ arch/arm/mach-socfpga/platsmp.c | 8 ++++----
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arm/mach-socfpga/core.h b/arch/arm/mach-socfpga/core.h
+index fc2608b18a0d0..18f01190dcfd4 100644
+--- a/arch/arm/mach-socfpga/core.h
++++ b/arch/arm/mach-socfpga/core.h
+@@ -33,7 +33,7 @@ extern void __iomem *sdr_ctl_base_addr;
+ u32 socfpga_sdram_self_refresh(u32 sdr_base);
+ extern unsigned int socfpga_sdram_self_refresh_sz;
+
+-extern char secondary_trampoline, secondary_trampoline_end;
++extern char secondary_trampoline[], secondary_trampoline_end[];
+
+ extern unsigned long socfpga_cpu1start_addr;
+
+diff --git a/arch/arm/mach-socfpga/platsmp.c b/arch/arm/mach-socfpga/platsmp.c
+index fbb80b883e5dd..201191cf68f32 100644
+--- a/arch/arm/mach-socfpga/platsmp.c
++++ b/arch/arm/mach-socfpga/platsmp.c
+@@ -20,14 +20,14 @@
+
+ static int socfpga_boot_secondary(unsigned int cpu, struct task_struct *idle)
+ {
+- int trampoline_size = &secondary_trampoline_end - &secondary_trampoline;
++ int trampoline_size = secondary_trampoline_end - secondary_trampoline;
+
+ if (socfpga_cpu1start_addr) {
+ /* This will put CPU #1 into reset. */
+ writel(RSTMGR_MPUMODRST_CPU1,
+ rst_manager_base_addr + SOCFPGA_RSTMGR_MODMPURST);
+
+- memcpy(phys_to_virt(0), &secondary_trampoline, trampoline_size);
++ memcpy(phys_to_virt(0), secondary_trampoline, trampoline_size);
+
+ writel(__pa_symbol(secondary_startup),
+ sys_manager_base_addr + (socfpga_cpu1start_addr & 0x000000ff));
+@@ -45,12 +45,12 @@ static int socfpga_boot_secondary(unsigned int cpu, struct task_struct *idle)
+
+ static int socfpga_a10_boot_secondary(unsigned int cpu, struct task_struct *idle)
+ {
+- int trampoline_size = &secondary_trampoline_end - &secondary_trampoline;
++ int trampoline_size = secondary_trampoline_end - secondary_trampoline;
+
+ if (socfpga_cpu1start_addr) {
+ writel(RSTMGR_MPUMODRST_CPU1, rst_manager_base_addr +
+ SOCFPGA_A10_RSTMGR_MODMPURST);
+- memcpy(phys_to_virt(0), &secondary_trampoline, trampoline_size);
++ memcpy(phys_to_virt(0), secondary_trampoline, trampoline_size);
+
+ writel(__pa_symbol(secondary_startup),
+ sys_manager_base_addr + (socfpga_cpu1start_addr & 0x00000fff));
+--
+2.33.0
+
--- /dev/null
+From 05bc15775442ff963791d0d136da80137e92b9ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Nov 2021 11:47:18 +0000
+Subject: ASoC: qdsp6: q6routing: Conditionally reset FrontEnd Mixer
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+[ Upstream commit 861afeac7990587588d057b2c0b3222331c3da29 ]
+
+Stream IDs are reused across multiple BackEnd mixers, do not reset the
+stream mixers if they are not already set for that particular FrontEnd.
+
+Ex:
+amixer cset iface=MIXER,name='SLIMBUS_0_RX Audio Mixer MultiMedia1' 1
+
+would set the MultiMedia1 steam for SLIMBUS_0_RX, however doing below
+command will reset previously setup MultiMedia1 stream, because both of them
+are using MultiMedia1 PCM stream.
+
+amixer cset iface=MIXER,name='SLIMBUS_2_RX Audio Mixer MultiMedia1' 0
+
+reset the FrontEnd Mixers conditionally to fix this issue.
+
+This is more noticeable in desktop setup, where in alsactl tries to restore
+the alsa state and overwriting the previous mixer settings.
+
+Fixes: e3a33673e845 ("ASoC: qdsp6: q6routing: Add q6routing driver")
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20211116114721.12517-3-srinivas.kandagatla@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/qcom/qdsp6/q6routing.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/qcom/qdsp6/q6routing.c b/sound/soc/qcom/qdsp6/q6routing.c
+index 745cc9dd14f38..16f26dd2d59ed 100644
+--- a/sound/soc/qcom/qdsp6/q6routing.c
++++ b/sound/soc/qcom/qdsp6/q6routing.c
+@@ -443,7 +443,11 @@ static int msm_routing_put_audio_mixer(struct snd_kcontrol *kcontrol,
+ session->port_id = be_id;
+ snd_soc_dapm_mixer_update_power(dapm, kcontrol, 1, update);
+ } else {
+- session->port_id = -1;
++ if (session->port_id == be_id) {
++ session->port_id = -1;
++ return 0;
++ }
++
+ snd_soc_dapm_mixer_update_power(dapm, kcontrol, 0, update);
+ }
+
+--
+2.33.0
+
--- /dev/null
+From 12ce94016eeea3a2e8070f92bb4774ab1d96fda0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Nov 2021 08:18:12 +0100
+Subject: ASoC: topology: Add missing rwsem around snd_ctl_remove() calls
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 7e567b5ae06315ef2d70666b149962e2bb4b97af ]
+
+snd_ctl_remove() has to be called with card->controls_rwsem held (when
+called after the card instantiation). This patch add the missing
+rwsem calls around it.
+
+Fixes: 8a9782346dcc ("ASoC: topology: Add topology core")
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Link: https://lore.kernel.org/r/20211116071812.18109-1-tiwai@suse.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-topology.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/soc/soc-topology.c b/sound/soc/soc-topology.c
+index c367609433bfc..21f859e56b700 100644
+--- a/sound/soc/soc-topology.c
++++ b/sound/soc/soc-topology.c
+@@ -2777,6 +2777,7 @@ EXPORT_SYMBOL_GPL(snd_soc_tplg_widget_remove_all);
+ /* remove dynamic controls from the component driver */
+ int snd_soc_tplg_component_remove(struct snd_soc_component *comp, u32 index)
+ {
++ struct snd_card *card = comp->card->snd_card;
+ struct snd_soc_dobj *dobj, *next_dobj;
+ int pass = SOC_TPLG_PASS_END;
+
+@@ -2784,6 +2785,7 @@ int snd_soc_tplg_component_remove(struct snd_soc_component *comp, u32 index)
+ while (pass >= SOC_TPLG_PASS_START) {
+
+ /* remove mixer controls */
++ down_write(&card->controls_rwsem);
+ list_for_each_entry_safe(dobj, next_dobj, &comp->dobj_list,
+ list) {
+
+@@ -2827,6 +2829,7 @@ int snd_soc_tplg_component_remove(struct snd_soc_component *comp, u32 index)
+ break;
+ }
+ }
++ up_write(&card->controls_rwsem);
+ pass--;
+ }
+
+--
+2.33.0
+
--- /dev/null
+From 4a9737cc1a76d98e413d040123dae342e29f945d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Nov 2021 14:14:16 +0300
+Subject: drm/vc4: fix error code in vc4_create_object()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 96c5f82ef0a145d3e56e5b26f2bf6dcd2ffeae1c ]
+
+The ->gem_create_object() functions are supposed to return NULL if there
+is an error. None of the callers expect error pointers so returing one
+will lead to an Oops. See drm_gem_vram_create(), for example.
+
+Fixes: c826a6e10644 ("drm/vc4: Add a BO cache.")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Link: https://patchwork.freedesktop.org/patch/msgid/20211118111416.GC1147@kili
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_bo.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_bo.c b/drivers/gpu/drm/vc4/vc4_bo.c
+index 72d30d90b856c..0af246a5609ca 100644
+--- a/drivers/gpu/drm/vc4/vc4_bo.c
++++ b/drivers/gpu/drm/vc4/vc4_bo.c
+@@ -389,7 +389,7 @@ struct drm_gem_object *vc4_create_object(struct drm_device *dev, size_t size)
+
+ bo = kzalloc(sizeof(*bo), GFP_KERNEL);
+ if (!bo)
+- return ERR_PTR(-ENOMEM);
++ return NULL;
+
+ bo->madv = VC4_MADV_WILLNEED;
+ refcount_set(&bo->usecnt, 0);
+--
+2.33.0
+
--- /dev/null
+From e7a5cc331698f6f735fa5d8b4349e1e098d665f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Nov 2021 14:42:27 +0800
+Subject: firmware: arm_scmi: pm: Propagate return value to caller
+
+From: Peng Fan <peng.fan@nxp.com>
+
+[ Upstream commit 1446fc6c678e8d8b31606a4b877abe205f344b38 ]
+
+of_genpd_add_provider_onecell may return error, so let's propagate
+its return value to caller
+
+Link: https://lore.kernel.org/r/20211116064227.20571-1-peng.fan@oss.nxp.com
+Fixes: 898216c97ed2 ("firmware: arm_scmi: add device power domain support using genpd")
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/arm_scmi/scmi_pm_domain.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/firmware/arm_scmi/scmi_pm_domain.c b/drivers/firmware/arm_scmi/scmi_pm_domain.c
+index 041f8152272bf..177874adccf0d 100644
+--- a/drivers/firmware/arm_scmi/scmi_pm_domain.c
++++ b/drivers/firmware/arm_scmi/scmi_pm_domain.c
+@@ -106,9 +106,7 @@ static int scmi_pm_domain_probe(struct scmi_device *sdev)
+ scmi_pd_data->domains = domains;
+ scmi_pd_data->num_domains = num_domains;
+
+- of_genpd_add_provider_onecell(np, scmi_pd_data);
+-
+- return 0;
++ return of_genpd_add_provider_onecell(np, scmi_pd_data);
+ }
+
+ static const struct scmi_device_id scmi_id_table[] = {
+--
+2.33.0
+
--- /dev/null
+From 747fae648927f41ae5dd7b249c6fdeae12f6c270 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jun 2021 09:53:31 -0700
+Subject: iavf: Prevent changing static ITR values if adaptive moderation is on
+
+From: Nitesh B Venkatesh <nitesh.b.venkatesh@intel.com>
+
+[ Upstream commit e792779e6b639c182df91b46ac1e5803460b0b15 ]
+
+Resolve being able to change static values on VF when adaptive interrupt
+moderation is enabled.
+
+This problem is fixed by checking the interrupt settings is not
+a combination of change of static value while adaptive interrupt
+moderation is turned on.
+
+Without this fix, the user would be able to change static values
+on VF with adaptive moderation enabled.
+
+Fixes: 65e87c0398f5 ("i40evf: support queue-specific settings for interrupt moderation")
+Signed-off-by: Nitesh B Venkatesh <nitesh.b.venkatesh@intel.com>
+Tested-by: George Kuruvinakunnel <george.kuruvinakunnel@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/intel/iavf/iavf_ethtool.c | 30 ++++++++++++++++---
+ 1 file changed, 26 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c
+index ad1e796e5544a..4e0e1b02d615e 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c
+@@ -719,12 +719,31 @@ static int iavf_get_per_queue_coalesce(struct net_device *netdev, u32 queue,
+ *
+ * Change the ITR settings for a specific queue.
+ **/
+-static void iavf_set_itr_per_queue(struct iavf_adapter *adapter,
+- struct ethtool_coalesce *ec, int queue)
++static int iavf_set_itr_per_queue(struct iavf_adapter *adapter,
++ struct ethtool_coalesce *ec, int queue)
+ {
+ struct iavf_ring *rx_ring = &adapter->rx_rings[queue];
+ struct iavf_ring *tx_ring = &adapter->tx_rings[queue];
+ struct iavf_q_vector *q_vector;
++ u16 itr_setting;
++
++ itr_setting = rx_ring->itr_setting & ~IAVF_ITR_DYNAMIC;
++
++ if (ec->rx_coalesce_usecs != itr_setting &&
++ ec->use_adaptive_rx_coalesce) {
++ netif_info(adapter, drv, adapter->netdev,
++ "Rx interrupt throttling cannot be changed if adaptive-rx is enabled\n");
++ return -EINVAL;
++ }
++
++ itr_setting = tx_ring->itr_setting & ~IAVF_ITR_DYNAMIC;
++
++ if (ec->tx_coalesce_usecs != itr_setting &&
++ ec->use_adaptive_tx_coalesce) {
++ netif_info(adapter, drv, adapter->netdev,
++ "Tx interrupt throttling cannot be changed if adaptive-tx is enabled\n");
++ return -EINVAL;
++ }
+
+ rx_ring->itr_setting = ITR_REG_ALIGN(ec->rx_coalesce_usecs);
+ tx_ring->itr_setting = ITR_REG_ALIGN(ec->tx_coalesce_usecs);
+@@ -747,6 +766,7 @@ static void iavf_set_itr_per_queue(struct iavf_adapter *adapter,
+ * the Tx and Rx ITR values based on the values we have entered
+ * into the q_vector, no need to write the values now.
+ */
++ return 0;
+ }
+
+ /**
+@@ -788,9 +808,11 @@ static int __iavf_set_coalesce(struct net_device *netdev,
+ */
+ if (queue < 0) {
+ for (i = 0; i < adapter->num_active_queues; i++)
+- iavf_set_itr_per_queue(adapter, ec, i);
++ if (iavf_set_itr_per_queue(adapter, ec, i))
++ return -EINVAL;
+ } else if (queue < adapter->num_active_queues) {
+- iavf_set_itr_per_queue(adapter, ec, queue);
++ if (iavf_set_itr_per_queue(adapter, ec, queue))
++ return -EINVAL;
+ } else {
+ netif_info(adapter, drv, netdev, "Invalid queue value, queue range is 0 - %d\n",
+ adapter->num_active_queues - 1);
+--
+2.33.0
+
--- /dev/null
+From 1e3c1c2e38ff09aae90734231c7b0b206c7d36f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Nov 2021 12:40:00 -0800
+Subject: igb: fix netpoll exit with traffic
+
+From: Jesse Brandeburg <jesse.brandeburg@intel.com>
+
+[ Upstream commit eaeace60778e524a2820d0c0ad60bf80289e292c ]
+
+Oleksandr brought a bug report where netpoll causes trace
+messages in the log on igb.
+
+Danielle brought this back up as still occurring, so we'll try
+again.
+
+[22038.710800] ------------[ cut here ]------------
+[22038.710801] igb_poll+0x0/0x1440 [igb] exceeded budget in poll
+[22038.710802] WARNING: CPU: 12 PID: 40362 at net/core/netpoll.c:155 netpoll_poll_dev+0x18a/0x1a0
+
+As Alex suggested, change the driver to return work_done at the
+exit of napi_poll, which should be safe to do in this driver
+because it is not polling multiple queues in this single napi
+context (multiple queues attached to one MSI-X vector). Several
+other drivers contain the same simple sequence, so I hope
+this will not create new problems.
+
+Fixes: 16eb8815c235 ("igb: Refactor clean_rx_irq to reduce overhead and improve performance")
+Reported-by: Oleksandr Natalenko <oleksandr@natalenko.name>
+Reported-by: Danielle Ratson <danieller@nvidia.com>
+Suggested-by: Alexander Duyck <alexander.duyck@gmail.com>
+Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Tested-by: Oleksandr Natalenko <oleksandr@natalenko.name>
+Tested-by: Danielle Ratson <danieller@nvidia.com>
+Link: https://lore.kernel.org/r/20211123204000.1597971-1-jesse.brandeburg@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index 158feb0ab2739..c11244a9b7e69 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -7752,7 +7752,7 @@ static int igb_poll(struct napi_struct *napi, int budget)
+ if (likely(napi_complete_done(napi, work_done)))
+ igb_ring_irq_enable(q_vector);
+
+- return min(work_done, budget - 1);
++ return work_done;
+ }
+
+ /**
+--
+2.33.0
+
--- /dev/null
+From e9ce54689ebb5a7192b9e5a02bd79254b8c1da3f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Nov 2021 17:37:58 -0800
+Subject: ipv6: fix typos in __ip6_finish_output()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 19d36c5f294879949c9d6f57cb61d39cc4c48553 ]
+
+We deal with IPv6 packets, so we need to use IP6CB(skb)->flags and
+IP6SKB_REROUTED, instead of IPCB(skb)->flags and IPSKB_REROUTED
+
+Found by code inspection, please double check that fixing this bug
+does not surface other bugs.
+
+Fixes: 09ee9dba9611 ("ipv6: Reinject IPv6 packets if IPsec policy matches after SNAT")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Tobias Brunner <tobias@strongswan.org>
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Cc: David Ahern <dsahern@kernel.org>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Tested-by: Tobias Brunner <tobias@strongswan.org>
+Acked-by: Tobias Brunner <tobias@strongswan.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ip6_output.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+index fc913f09606db..d847aa32628da 100644
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -192,7 +192,7 @@ static int __ip6_finish_output(struct net *net, struct sock *sk, struct sk_buff
+ #if defined(CONFIG_NETFILTER) && defined(CONFIG_XFRM)
+ /* Policy lookup after SNAT yielded a new policy */
+ if (skb_dst(skb)->xfrm) {
+- IPCB(skb)->flags |= IPSKB_REROUTED;
++ IP6CB(skb)->flags |= IP6SKB_REROUTED;
+ return dst_output(net, sk, skb);
+ }
+ #endif
+--
+2.33.0
+
--- /dev/null
+From 951199bddc70f4a342c13155c9462a98d7b21262 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Nov 2021 18:59:48 +0800
+Subject: MIPS: use 3-level pgtable for 64KB page size on MIPS_VA_BITS_48
+
+From: Huang Pei <huangpei@loongson.cn>
+
+[ Upstream commit 41ce097f714401e6ad8f3f5eb30d7f91b0b5e495 ]
+
+It hangup when booting Loongson 3A1000 with BOTH
+CONFIG_PAGE_SIZE_64KB and CONFIG_MIPS_VA_BITS_48, that it turn
+out to use 2-level pgtable instead of 3-level. 64KB page size
+with 2-level pgtable only cover 42 bits VA, use 3-level pgtable
+to cover all 48 bits VA(55 bits)
+
+Fixes: 1e321fa917fb ("MIPS64: Support of at least 48 bits of SEGBITS)
+Signed-off-by: Huang Pei <huangpei@loongson.cn>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig
+index 9749818eed6d6..2811ecc1f3c71 100644
+--- a/arch/mips/Kconfig
++++ b/arch/mips/Kconfig
+@@ -3059,7 +3059,7 @@ config STACKTRACE_SUPPORT
+ config PGTABLE_LEVELS
+ int
+ default 4 if PAGE_SIZE_4KB && MIPS_VA_BITS_48
+- default 3 if 64BIT && !PAGE_SIZE_64KB
++ default 3 if 64BIT && (!PAGE_SIZE_64KB || MIPS_VA_BITS_48)
+ default 2
+
+ config MIPS_AUTO_PFN_OFFSET
+--
+2.33.0
+
--- /dev/null
+From 5754372ab0acd03fb853be8219524ece6b602027 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Nov 2021 20:03:15 +0800
+Subject: net: hns3: fix VF RSS failed problem after PF enable multi-TCs
+
+From: Guangbin Huang <huangguangbin2@huawei.com>
+
+[ Upstream commit 8d2ad993aa05c0768f00c886c9d369cd97a337ac ]
+
+When PF is set to multi-TCs and configured mapping relationship between
+priorities and TCs, the hardware will active these settings for this PF
+and its VFs.
+
+In this case when VF just uses one TC and its rx packets contain priority,
+and if the priority is not mapped to TC0, as other TCs of VF is not valid,
+hardware always put this kind of packets to the queue 0. It cause this kind
+of packets of VF can not be used RSS function.
+
+To fix this problem, set tc mode of all unused TCs of VF to the setting of
+TC0, then rx packet with priority which map to unused TC will be direct to
+TC0.
+
+Fixes: e2cb1dec9779 ("net: hns3: Add HNS3 VF HCL(Hardware Compatibility Layer) Support")
+Signed-off-by: Guangbin Huang <huangguangbin2@huawei.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+index db2e9dd5681eb..ce6a4e1965e1d 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+@@ -644,9 +644,9 @@ static int hclgevf_set_rss_tc_mode(struct hclgevf_dev *hdev, u16 rss_size)
+ roundup_size = ilog2(roundup_size);
+
+ for (i = 0; i < HCLGEVF_MAX_TC_NUM; i++) {
+- tc_valid[i] = !!(hdev->hw_tc_map & BIT(i));
++ tc_valid[i] = 1;
+ tc_size[i] = roundup_size;
+- tc_offset[i] = rss_size * i;
++ tc_offset[i] = (hdev->hw_tc_map & BIT(i)) ? rss_size * i : 0;
+ }
+
+ hclgevf_cmd_setup_basic_desc(&desc, HCLGEVF_OPC_RSS_TC_MODE, false);
+--
+2.33.0
+
--- /dev/null
+From 130cd6753a34549a9faa67ede12e70bc1eacea9f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Nov 2021 22:09:16 -0500
+Subject: net: ieee802154: handle iftypes as u32
+
+From: Alexander Aring <aahringo@redhat.com>
+
+[ Upstream commit 451dc48c806a7ce9fbec5e7a24ccf4b2c936e834 ]
+
+This patch fixes an issue that an u32 netlink value is handled as a
+signed enum value which doesn't fit into the range of u32 netlink type.
+If it's handled as -1 value some BIT() evaluation ends in a
+shift-out-of-bounds issue. To solve the issue we set the to u32 max which
+is s32 "-1" value to keep backwards compatibility and let the followed enum
+values start counting at 0. This brings the compiler to never handle the
+enum as signed and a check if the value is above NL802154_IFTYPE_MAX should
+filter -1 out.
+
+Fixes: f3ea5e44231a ("ieee802154: add new interface command")
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20211112030916.685793-1-aahringo@redhat.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/nl802154.h | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/include/net/nl802154.h b/include/net/nl802154.h
+index ddcee128f5d9a..145acb8f25095 100644
+--- a/include/net/nl802154.h
++++ b/include/net/nl802154.h
+@@ -19,6 +19,8 @@
+ *
+ */
+
++#include <linux/types.h>
++
+ #define NL802154_GENL_NAME "nl802154"
+
+ enum nl802154_commands {
+@@ -150,10 +152,9 @@ enum nl802154_attrs {
+ };
+
+ enum nl802154_iftype {
+- /* for backwards compatibility TODO */
+- NL802154_IFTYPE_UNSPEC = -1,
++ NL802154_IFTYPE_UNSPEC = (~(__u32)0),
+
+- NL802154_IFTYPE_NODE,
++ NL802154_IFTYPE_NODE = 0,
+ NL802154_IFTYPE_MONITOR,
+ NL802154_IFTYPE_COORD,
+
+--
+2.33.0
+
--- /dev/null
+From ed44417675304016b611b0efac3bf3dac95cd2c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Nov 2021 17:15:12 +0200
+Subject: net: ipv6: add fib6_nh_release_dsts stub
+
+From: Nikolay Aleksandrov <nikolay@nvidia.com>
+
+[ Upstream commit 8837cbbf854246f5f4d565f21e6baa945d37aded ]
+
+We need a way to release a fib6_nh's per-cpu dsts when replacing
+nexthops otherwise we can end up with stale per-cpu dsts which hold net
+device references, so add a new IPv6 stub called fib6_nh_release_dsts.
+It must be used after an RCU grace period, so no new dsts can be created
+through a group's nexthop entry.
+Similar to fib6_nh_release it shouldn't be used if fib6_nh_init has failed
+so it doesn't need a dummy stub when IPv6 is not enabled.
+
+Fixes: 7bf4796dd099 ("nexthops: add support for replace")
+Signed-off-by: Nikolay Aleksandrov <nikolay@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/ip6_fib.h | 1 +
+ include/net/ipv6_stubs.h | 1 +
+ net/ipv6/af_inet6.c | 1 +
+ net/ipv6/route.c | 19 +++++++++++++++++++
+ 4 files changed, 22 insertions(+)
+
+diff --git a/include/net/ip6_fib.h b/include/net/ip6_fib.h
+index bd0f1595bdc71..05ecaefeb6322 100644
+--- a/include/net/ip6_fib.h
++++ b/include/net/ip6_fib.h
+@@ -451,6 +451,7 @@ int fib6_nh_init(struct net *net, struct fib6_nh *fib6_nh,
+ struct fib6_config *cfg, gfp_t gfp_flags,
+ struct netlink_ext_ack *extack);
+ void fib6_nh_release(struct fib6_nh *fib6_nh);
++void fib6_nh_release_dsts(struct fib6_nh *fib6_nh);
+
+ int call_fib6_entry_notifiers(struct net *net,
+ enum fib_event_type event_type,
+diff --git a/include/net/ipv6_stubs.h b/include/net/ipv6_stubs.h
+index 3e7d2c0e79ca1..af9e127779adf 100644
+--- a/include/net/ipv6_stubs.h
++++ b/include/net/ipv6_stubs.h
+@@ -47,6 +47,7 @@ struct ipv6_stub {
+ struct fib6_config *cfg, gfp_t gfp_flags,
+ struct netlink_ext_ack *extack);
+ void (*fib6_nh_release)(struct fib6_nh *fib6_nh);
++ void (*fib6_nh_release_dsts)(struct fib6_nh *fib6_nh);
+ void (*fib6_update_sernum)(struct net *net, struct fib6_info *rt);
+ int (*ip6_del_rt)(struct net *net, struct fib6_info *rt);
+ void (*fib6_rt_update)(struct net *net, struct fib6_info *rt,
+diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
+index 14ac1d9112877..942da168f18fb 100644
+--- a/net/ipv6/af_inet6.c
++++ b/net/ipv6/af_inet6.c
+@@ -955,6 +955,7 @@ static const struct ipv6_stub ipv6_stub_impl = {
+ .ip6_mtu_from_fib6 = ip6_mtu_from_fib6,
+ .fib6_nh_init = fib6_nh_init,
+ .fib6_nh_release = fib6_nh_release,
++ .fib6_nh_release_dsts = fib6_nh_release_dsts,
+ .fib6_update_sernum = fib6_update_sernum_stub,
+ .fib6_rt_update = fib6_rt_update,
+ .ip6_del_rt = ip6_del_rt,
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index daa876c6ae8db..f36db3dd97346 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -3585,6 +3585,25 @@ void fib6_nh_release(struct fib6_nh *fib6_nh)
+ fib_nh_common_release(&fib6_nh->nh_common);
+ }
+
++void fib6_nh_release_dsts(struct fib6_nh *fib6_nh)
++{
++ int cpu;
++
++ if (!fib6_nh->rt6i_pcpu)
++ return;
++
++ for_each_possible_cpu(cpu) {
++ struct rt6_info *pcpu_rt, **ppcpu_rt;
++
++ ppcpu_rt = per_cpu_ptr(fib6_nh->rt6i_pcpu, cpu);
++ pcpu_rt = xchg(ppcpu_rt, NULL);
++ if (pcpu_rt) {
++ dst_dev_put(&pcpu_rt->dst);
++ dst_release(&pcpu_rt->dst);
++ }
++ }
++}
++
+ static struct fib6_info *ip6_route_info_create(struct fib6_config *cfg,
+ gfp_t gfp_flags,
+ struct netlink_ext_ack *extack)
+--
+2.33.0
+
--- /dev/null
+From b47da71786f310d64755f3770585ca17bf7a0bf4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Nov 2021 19:28:45 +0200
+Subject: net: mscc: ocelot: correctly report the timestamping RX filters in
+ ethtool
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit c49a35eedfef08bffd46b53c25dbf9d6016a86ff ]
+
+The driver doesn't support RX timestamping for non-PTP packets, but it
+declares that it does. Restrict the reported RX filters to PTP v2 over
+L2 and over L4.
+
+Fixes: 4e3b0468e6d7 ("net: mscc: PTP Hardware Clock (PHC) support")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mscc/ocelot.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mscc/ocelot.c b/drivers/net/ethernet/mscc/ocelot.c
+index 3f83647c5802e..bf7832b34a000 100644
+--- a/drivers/net/ethernet/mscc/ocelot.c
++++ b/drivers/net/ethernet/mscc/ocelot.c
+@@ -1183,7 +1183,10 @@ static int ocelot_get_ts_info(struct net_device *dev,
+ SOF_TIMESTAMPING_RAW_HARDWARE;
+ info->tx_types = BIT(HWTSTAMP_TX_OFF) | BIT(HWTSTAMP_TX_ON) |
+ BIT(HWTSTAMP_TX_ONESTEP_SYNC);
+- info->rx_filters = BIT(HWTSTAMP_FILTER_NONE) | BIT(HWTSTAMP_FILTER_ALL);
++ info->rx_filters = BIT(HWTSTAMP_FILTER_NONE) |
++ BIT(HWTSTAMP_FILTER_PTP_V2_EVENT) |
++ BIT(HWTSTAMP_FILTER_PTP_V2_L2_EVENT) |
++ BIT(HWTSTAMP_FILTER_PTP_V2_L4_EVENT);
+
+ return 0;
+ }
+--
+2.33.0
+
--- /dev/null
+From 33a7090349ca7ca97e93e0721a3fb80d72e41465 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Nov 2021 19:28:41 +0200
+Subject: net: mscc: ocelot: don't downgrade timestamping RX filters in
+ SIOCSHWTSTAMP
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 8a075464d1e9317ffae0973dfe538a7511291a06 ]
+
+The ocelot driver, when asked to timestamp all receiving packets, 1588
+v1 or NTP, says "nah, here's 1588 v2 for you".
+
+According to this discussion:
+https://patchwork.kernel.org/project/netdevbpf/patch/20211104133204.19757-8-martin.kaistra@linutronix.de/#24577647
+drivers that downgrade from a wider request to a narrower response (or
+even a response where the intersection with the request is empty) are
+buggy, and should return -ERANGE instead. This patch fixes that.
+
+Fixes: 4e3b0468e6d7 ("net: mscc: PTP Hardware Clock (PHC) support")
+Suggested-by: Richard Cochran <richardcochran@gmail.com>
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Acked-by: Richard Cochran <richardcochran@gmail.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mscc/ocelot.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/mscc/ocelot.c b/drivers/net/ethernet/mscc/ocelot.c
+index 6030c90d50ccb..3f83647c5802e 100644
+--- a/drivers/net/ethernet/mscc/ocelot.c
++++ b/drivers/net/ethernet/mscc/ocelot.c
+@@ -1024,12 +1024,6 @@ static int ocelot_hwstamp_set(struct ocelot_port *port, struct ifreq *ifr)
+ switch (cfg.rx_filter) {
+ case HWTSTAMP_FILTER_NONE:
+ break;
+- case HWTSTAMP_FILTER_ALL:
+- case HWTSTAMP_FILTER_SOME:
+- case HWTSTAMP_FILTER_PTP_V1_L4_EVENT:
+- case HWTSTAMP_FILTER_PTP_V1_L4_SYNC:
+- case HWTSTAMP_FILTER_PTP_V1_L4_DELAY_REQ:
+- case HWTSTAMP_FILTER_NTP_ALL:
+ case HWTSTAMP_FILTER_PTP_V2_L4_EVENT:
+ case HWTSTAMP_FILTER_PTP_V2_L4_SYNC:
+ case HWTSTAMP_FILTER_PTP_V2_L4_DELAY_REQ:
+--
+2.33.0
+
--- /dev/null
+From 4764d03f22bdcb3c0935da0e822c7c473c47b268 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Nov 2021 22:08:18 +0530
+Subject: net/ncsi : Add payload to be 32-bit aligned to fix dropped packets
+
+From: Kumar Thangavel <kumarthangavel.hcl@gmail.com>
+
+[ Upstream commit ac132852147ad303a938dda318970dd1bbdfda4e ]
+
+Update NC-SI command handler (both standard and OEM) to take into
+account of payload paddings in allocating skb (in case of payload
+size is not 32-bit aligned).
+
+The checksum field follows payload field, without taking payload
+padding into account can cause checksum being truncated, leading to
+dropped packets.
+
+Fixes: fb4ee67529ff ("net/ncsi: Add NCSI OEM command support")
+Signed-off-by: Kumar Thangavel <thangavel.k@hcl.com>
+Acked-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ncsi/ncsi-cmd.c | 24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/net/ncsi/ncsi-cmd.c b/net/ncsi/ncsi-cmd.c
+index 0187e65176c05..114ef47db76d3 100644
+--- a/net/ncsi/ncsi-cmd.c
++++ b/net/ncsi/ncsi-cmd.c
+@@ -18,6 +18,8 @@
+ #include "internal.h"
+ #include "ncsi-pkt.h"
+
++static const int padding_bytes = 26;
++
+ u32 ncsi_calculate_checksum(unsigned char *data, int len)
+ {
+ u32 checksum = 0;
+@@ -213,12 +215,17 @@ static int ncsi_cmd_handler_oem(struct sk_buff *skb,
+ {
+ struct ncsi_cmd_oem_pkt *cmd;
+ unsigned int len;
++ int payload;
++ /* NC-SI spec DSP_0222_1.2.0, section 8.2.2.2
++ * requires payload to be padded with 0 to
++ * 32-bit boundary before the checksum field.
++ * Ensure the padding bytes are accounted for in
++ * skb allocation
++ */
+
++ payload = ALIGN(nca->payload, 4);
+ len = sizeof(struct ncsi_cmd_pkt_hdr) + 4;
+- if (nca->payload < 26)
+- len += 26;
+- else
+- len += nca->payload;
++ len += max(payload, padding_bytes);
+
+ cmd = skb_put_zero(skb, len);
+ memcpy(&cmd->mfr_id, nca->data, nca->payload);
+@@ -272,6 +279,7 @@ static struct ncsi_request *ncsi_alloc_command(struct ncsi_cmd_arg *nca)
+ struct net_device *dev = nd->dev;
+ int hlen = LL_RESERVED_SPACE(dev);
+ int tlen = dev->needed_tailroom;
++ int payload;
+ int len = hlen + tlen;
+ struct sk_buff *skb;
+ struct ncsi_request *nr;
+@@ -281,14 +289,14 @@ static struct ncsi_request *ncsi_alloc_command(struct ncsi_cmd_arg *nca)
+ return NULL;
+
+ /* NCSI command packet has 16-bytes header, payload, 4 bytes checksum.
++ * Payload needs padding so that the checksum field following payload is
++ * aligned to 32-bit boundary.
+ * The packet needs padding if its payload is less than 26 bytes to
+ * meet 64 bytes minimal ethernet frame length.
+ */
+ len += sizeof(struct ncsi_cmd_pkt_hdr) + 4;
+- if (nca->payload < 26)
+- len += 26;
+- else
+- len += nca->payload;
++ payload = ALIGN(nca->payload, 4);
++ len += max(payload, padding_bytes);
+
+ /* Allocate skb */
+ skb = alloc_skb(len, GFP_ATOMIC);
+--
+2.33.0
+
--- /dev/null
+From 15aeda700c2d6d67593be734a979dc005a399cc4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Nov 2021 17:15:13 +0200
+Subject: net: nexthop: release IPv6 per-cpu dsts when replacing a nexthop
+ group
+
+From: Nikolay Aleksandrov <nikolay@nvidia.com>
+
+[ Upstream commit 1005f19b9357b81aa64e1decd08d6e332caaa284 ]
+
+When replacing a nexthop group, we must release the IPv6 per-cpu dsts of
+the removed nexthop entries after an RCU grace period because they
+contain references to the nexthop's net device and to the fib6 info.
+With specific series of events[1] we can reach net device refcount
+imbalance which is unrecoverable. IPv4 is not affected because dsts
+don't take a refcount on the route.
+
+[1]
+ $ ip nexthop list
+ id 200 via 2002:db8::2 dev bridge.10 scope link onlink
+ id 201 via 2002:db8::3 dev bridge scope link onlink
+ id 203 group 201/200
+ $ ip -6 route
+ 2001:db8::10 nhid 203 metric 1024 pref medium
+ nexthop via 2002:db8::3 dev bridge weight 1 onlink
+ nexthop via 2002:db8::2 dev bridge.10 weight 1 onlink
+
+Create rt6_info through one of the multipath legs, e.g.:
+ $ taskset -a -c 1 ./pkt_inj 24 bridge.10 2001:db8::10
+ (pkt_inj is just a custom packet generator, nothing special)
+
+Then remove that leg from the group by replace (let's assume it is id
+200 in this case):
+ $ ip nexthop replace id 203 group 201
+
+Now remove the IPv6 route:
+ $ ip -6 route del 2001:db8::10/128
+
+The route won't be really deleted due to the stale rt6_info holding 1
+refcnt in nexthop id 200.
+At this point we have the following reference count dependency:
+ (deleted) IPv6 route holds 1 reference over nhid 203
+ nh 203 holds 1 ref over id 201
+ nh 200 holds 1 ref over the net device and the route due to the stale
+ rt6_info
+
+Now to create circular dependency between nh 200 and the IPv6 route, and
+also to get a reference over nh 200, restore nhid 200 in the group:
+ $ ip nexthop replace id 203 group 201/200
+
+And now we have a permanent circular dependncy because nhid 203 holds a
+reference over nh 200 and 201, but the route holds a ref over nh 203 and
+is deleted.
+
+To trigger the bug just delete the group (nhid 203):
+ $ ip nexthop del id 203
+
+It won't really be deleted due to the IPv6 route dependency, and now we
+have 2 unlinked and deleted objects that reference each other: the group
+and the IPv6 route. Since the group drops the reference it holds over its
+entries at free time (i.e. its own refcount needs to drop to 0) that will
+never happen and we get a permanent ref on them, since one of the entries
+holds a reference over the IPv6 route it will also never be released.
+
+At this point the dependencies are:
+ (deleted, only unlinked) IPv6 route holds reference over group nh 203
+ (deleted, only unlinked) group nh 203 holds reference over nh 201 and 200
+ nh 200 holds 1 ref over the net device and the route due to the stale
+ rt6_info
+
+This is the last point where it can be fixed by running traffic through
+nh 200, and specifically through the same CPU so the rt6_info (dst) will
+get released due to the IPv6 genid, that in turn will free the IPv6
+route, which in turn will free the ref count over the group nh 203.
+
+If nh 200 is deleted at this point, it will never be released due to the
+ref from the unlinked group 203, it will only be unlinked:
+ $ ip nexthop del id 200
+ $ ip nexthop
+ $
+
+Now we can never release that stale rt6_info, we have IPv6 route with ref
+over group nh 203, group nh 203 with ref over nh 200 and 201, nh 200 with
+rt6_info (dst) with ref over the net device and the IPv6 route. All of
+these objects are only unlinked, and cannot be released, thus they can't
+release their ref counts.
+
+ Message from syslogd@dev at Nov 19 14:04:10 ...
+ kernel:[73501.828730] unregister_netdevice: waiting for bridge.10 to become free. Usage count = 3
+ Message from syslogd@dev at Nov 19 14:04:20 ...
+ kernel:[73512.068811] unregister_netdevice: waiting for bridge.10 to become free. Usage count = 3
+
+Fixes: 7bf4796dd099 ("nexthops: add support for replace")
+Signed-off-by: Nikolay Aleksandrov <nikolay@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/nexthop.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/nexthop.c b/net/ipv4/nexthop.c
+index 8bdffdf0502a1..4d69b3de980a6 100644
+--- a/net/ipv4/nexthop.c
++++ b/net/ipv4/nexthop.c
+@@ -839,15 +839,36 @@ static void remove_nexthop(struct net *net, struct nexthop *nh,
+ /* if any FIB entries reference this nexthop, any dst entries
+ * need to be regenerated
+ */
+-static void nh_rt_cache_flush(struct net *net, struct nexthop *nh)
++static void nh_rt_cache_flush(struct net *net, struct nexthop *nh,
++ struct nexthop *replaced_nh)
+ {
+ struct fib6_info *f6i;
++ struct nh_group *nhg;
++ int i;
+
+ if (!list_empty(&nh->fi_list))
+ rt_cache_flush(net);
+
+ list_for_each_entry(f6i, &nh->f6i_list, nh_list)
+ ipv6_stub->fib6_update_sernum(net, f6i);
++
++ /* if an IPv6 group was replaced, we have to release all old
++ * dsts to make sure all refcounts are released
++ */
++ if (!replaced_nh->is_group)
++ return;
++
++ /* new dsts must use only the new nexthop group */
++ synchronize_net();
++
++ nhg = rtnl_dereference(replaced_nh->nh_grp);
++ for (i = 0; i < nhg->num_nh; i++) {
++ struct nh_grp_entry *nhge = &nhg->nh_entries[i];
++ struct nh_info *nhi = rtnl_dereference(nhge->nh->nh_info);
++
++ if (nhi->family == AF_INET6)
++ ipv6_stub->fib6_nh_release_dsts(&nhi->fib6_nh);
++ }
+ }
+
+ static int replace_nexthop_grp(struct net *net, struct nexthop *old,
+@@ -994,7 +1015,7 @@ static int replace_nexthop(struct net *net, struct nexthop *old,
+ err = replace_nexthop_single(net, old, new, extack);
+
+ if (!err) {
+- nh_rt_cache_flush(net, old);
++ nh_rt_cache_flush(net, old, new);
+
+ __remove_nexthop(net, new, NULL);
+ nexthop_put(new);
+--
+2.33.0
+
--- /dev/null
+From aa4551060e2ae762a8cabb04d66850d95142e5a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Nov 2021 10:41:35 +0800
+Subject: net/smc: Don't call clcsock shutdown twice when smc shutdown
+
+From: Tony Lu <tonylu@linux.alibaba.com>
+
+[ Upstream commit bacb6c1e47691cda4a95056c21b5487fb7199fcc ]
+
+When applications call shutdown() with SHUT_RDWR in userspace,
+smc_close_active() calls kernel_sock_shutdown(), and it is called
+twice in smc_shutdown().
+
+This fixes this by checking sk_state before do clcsock shutdown, and
+avoids missing the application's call of smc_shutdown().
+
+Link: https://lore.kernel.org/linux-s390/1f67548e-cbf6-0dce-82b5-10288a4583bd@linux.ibm.com/
+Fixes: 606a63c9783a ("net/smc: Ensure the active closing peer first closes clcsock")
+Signed-off-by: Tony Lu <tonylu@linux.alibaba.com>
+Reviewed-by: Wen Gu <guwen@linux.alibaba.com>
+Acked-by: Karsten Graul <kgraul@linux.ibm.com>
+Link: https://lore.kernel.org/r/20211126024134.45693-1-tonylu@linux.alibaba.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/af_smc.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
+index 6b0f09c5b195f..5e1493f8deba7 100644
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -1658,8 +1658,10 @@ static __poll_t smc_poll(struct file *file, struct socket *sock,
+ static int smc_shutdown(struct socket *sock, int how)
+ {
+ struct sock *sk = sock->sk;
++ bool do_shutdown = true;
+ struct smc_sock *smc;
+ int rc = -EINVAL;
++ int old_state;
+ int rc1 = 0;
+
+ smc = smc_sk(sk);
+@@ -1686,7 +1688,11 @@ static int smc_shutdown(struct socket *sock, int how)
+ }
+ switch (how) {
+ case SHUT_RDWR: /* shutdown in both directions */
++ old_state = sk->sk_state;
+ rc = smc_close_active(smc);
++ if (old_state == SMC_ACTIVE &&
++ sk->sk_state == SMC_PEERCLOSEWAIT1)
++ do_shutdown = false;
+ break;
+ case SHUT_WR:
+ rc = smc_close_shutdown_write(smc);
+@@ -1696,7 +1702,7 @@ static int smc_shutdown(struct socket *sock, int how)
+ /* nothing more to do because peer is not involved */
+ break;
+ }
+- if (smc->clcsock)
++ if (do_shutdown && smc->clcsock)
+ rc1 = kernel_sock_shutdown(smc->clcsock, how);
+ /* map sock_shutdown_cmd constants to sk_shutdown value range */
+ sk->sk_shutdown |= how + 1;
+--
+2.33.0
+
--- /dev/null
+From 75bc39a9aeda4424fe0e9cb094d90d244cc161dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Nov 2021 16:25:18 +0800
+Subject: net/smc: Ensure the active closing peer first closes clcsock
+
+From: Tony Lu <tonylu@linux.alibaba.com>
+
+[ Upstream commit 606a63c9783a32a45bd2ef0eee393711d75b3284 ]
+
+The side that actively closed socket, it's clcsock doesn't enter
+TIME_WAIT state, but the passive side does it. It should show the same
+behavior as TCP sockets.
+
+Consider this, when client actively closes the socket, the clcsock in
+server enters TIME_WAIT state, which means the address is occupied and
+won't be reused before TIME_WAIT dismissing. If we restarted server, the
+service would be unavailable for a long time.
+
+To solve this issue, shutdown the clcsock in [A], perform the TCP active
+close progress first, before the passive closed side closing it. So that
+the actively closed side enters TIME_WAIT, not the passive one.
+
+Client | Server
+close() // client actively close |
+ smc_release() |
+ smc_close_active() // PEERCLOSEWAIT1 |
+ smc_close_final() // abort or closed = 1|
+ smc_cdc_get_slot_and_msg_send() |
+ [A] |
+ |smc_cdc_msg_recv_action() // ACTIVE
+ | queue_work(smc_close_wq, &conn->close_work)
+ | smc_close_passive_work() // PROCESSABORT or APPCLOSEWAIT1
+ | smc_close_passive_abort_received() // only in abort
+ |
+ |close() // server recv zero, close
+ | smc_release() // PROCESSABORT or APPCLOSEWAIT1
+ | smc_close_active()
+ | smc_close_abort() or smc_close_final() // CLOSED
+ | smc_cdc_get_slot_and_msg_send() // abort or closed = 1
+smc_cdc_msg_recv_action() | smc_clcsock_release()
+ queue_work(smc_close_wq, &conn->close_work) | sock_release(tcp) // actively close clc, enter TIME_WAIT
+ smc_close_passive_work() // PEERCLOSEWAIT1 | smc_conn_free()
+ smc_close_passive_abort_received() // CLOSED|
+ smc_conn_free() |
+ smc_clcsock_release() |
+ sock_release(tcp) // passive close clc |
+
+Link: https://www.spinics.net/lists/netdev/msg780407.html
+Fixes: b38d732477e4 ("smc: socket closing and linkgroup cleanup")
+Signed-off-by: Tony Lu <tonylu@linux.alibaba.com>
+Reviewed-by: Wen Gu <guwen@linux.alibaba.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/smc_close.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/smc/smc_close.c b/net/smc/smc_close.c
+index fc06720b53c14..2eabf39dee74d 100644
+--- a/net/smc/smc_close.c
++++ b/net/smc/smc_close.c
+@@ -218,6 +218,12 @@ int smc_close_active(struct smc_sock *smc)
+ if (rc)
+ break;
+ sk->sk_state = SMC_PEERCLOSEWAIT1;
++
++ /* actively shutdown clcsock before peer close it,
++ * prevent peer from entering TIME_WAIT state.
++ */
++ if (smc->clcsock && smc->clcsock->sk)
++ rc = kernel_sock_shutdown(smc->clcsock, SHUT_RDWR);
+ } else {
+ /* peer event has changed the state */
+ goto again;
+--
+2.33.0
+
--- /dev/null
+From cc1973f2487d11a1fae3f765298ddc7ad0fc21d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Nov 2021 09:59:42 +0800
+Subject: net: vlan: fix underflow for the real_dev refcnt
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+[ Upstream commit 01d9cc2dea3fde3bad6d27f464eff463496e2b00 ]
+
+Inject error before dev_hold(real_dev) in register_vlan_dev(),
+and execute the following testcase:
+
+ip link add dev dummy1 type dummy
+ip link add name dummy1.100 link dummy1 type vlan id 100
+ip link del dev dummy1
+
+When the dummy netdevice is removed, we will get a WARNING as following:
+
+=======================================================================
+refcount_t: decrement hit 0; leaking memory.
+WARNING: CPU: 2 PID: 0 at lib/refcount.c:31 refcount_warn_saturate+0xbf/0x1e0
+
+and an endless loop of:
+
+=======================================================================
+unregister_netdevice: waiting for dummy1 to become free. Usage count = -1073741824
+
+That is because dev_put(real_dev) in vlan_dev_free() be called without
+dev_hold(real_dev) in register_vlan_dev(). It makes the refcnt of real_dev
+underflow.
+
+Move the dev_hold(real_dev) to vlan_dev_init() which is the call-back of
+ndo_init(). That makes dev_hold() and dev_put() for vlan's real_dev
+symmetrical.
+
+Fixes: 563bcbae3ba2 ("net: vlan: fix a UAF in vlan_dev_real_dev()")
+Reported-by: Petr Machata <petrm@nvidia.com>
+Suggested-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Link: https://lore.kernel.org/r/20211126015942.2918542-1-william.xuanziyang@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/8021q/vlan.c | 3 ---
+ net/8021q/vlan_dev.c | 3 +++
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c
+index cd7c0429cddf8..796d95797ab40 100644
+--- a/net/8021q/vlan.c
++++ b/net/8021q/vlan.c
+@@ -177,9 +177,6 @@ int register_vlan_dev(struct net_device *dev, struct netlink_ext_ack *extack)
+ if (err)
+ goto out_unregister_netdev;
+
+- /* Account for reference in struct vlan_dev_priv */
+- dev_hold(real_dev);
+-
+ vlan_stacked_transfer_operstate(real_dev, dev, vlan);
+ linkwatch_fire_event(dev); /* _MUST_ call rfc2863_policy() */
+
+diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
+index 415a29d42cdf0..589615ec490bb 100644
+--- a/net/8021q/vlan_dev.c
++++ b/net/8021q/vlan_dev.c
+@@ -583,6 +583,9 @@ static int vlan_dev_init(struct net_device *dev)
+ if (!vlan->vlan_pcpu_stats)
+ return -ENOMEM;
+
++ /* Get vlan's reference to real_dev */
++ dev_hold(real_dev);
++
+ return 0;
+ }
+
+--
+2.33.0
+
--- /dev/null
+From be568549878136659abbc17de14429588e8e0a08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Nov 2021 03:10:29 +0100
+Subject: netfilter: ipvs: Fix reuse connection if RS weight is 0
+
+From: yangxingwu <xingwu.yang@gmail.com>
+
+[ Upstream commit c95c07836fa4c1767ed11d8eca0769c652760e32 ]
+
+We are changing expire_nodest_conn to work even for reused connections when
+conn_reuse_mode=0, just as what was done with commit dc7b3eb900aa ("ipvs:
+Fix reuse connection if real server is dead").
+
+For controlled and persistent connections, the new connection will get the
+needed real server depending on the rules in ip_vs_check_template().
+
+Fixes: d752c3645717 ("ipvs: allow rescheduling of new connections when port reuse is detected")
+Co-developed-by: Chuanqi Liu <legend050709@qq.com>
+Signed-off-by: Chuanqi Liu <legend050709@qq.com>
+Signed-off-by: yangxingwu <xingwu.yang@gmail.com>
+Acked-by: Simon Horman <horms@verge.net.au>
+Acked-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/networking/ipvs-sysctl.txt | 3 +--
+ net/netfilter/ipvs/ip_vs_core.c | 8 ++++----
+ 2 files changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/Documentation/networking/ipvs-sysctl.txt b/Documentation/networking/ipvs-sysctl.txt
+index 056898685d408..fc531c29a2e83 100644
+--- a/Documentation/networking/ipvs-sysctl.txt
++++ b/Documentation/networking/ipvs-sysctl.txt
+@@ -30,8 +30,7 @@ conn_reuse_mode - INTEGER
+
+ 0: disable any special handling on port reuse. The new
+ connection will be delivered to the same real server that was
+- servicing the previous connection. This will effectively
+- disable expire_nodest_conn.
++ servicing the previous connection.
+
+ bit 1: enable rescheduling of new connections when it is safe.
+ That is, whenever expire_nodest_conn and for TCP sockets, when
+diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
+index 89aa1fc334b19..ccd6af1440745 100644
+--- a/net/netfilter/ipvs/ip_vs_core.c
++++ b/net/netfilter/ipvs/ip_vs_core.c
+@@ -1982,7 +1982,6 @@ ip_vs_in(struct netns_ipvs *ipvs, unsigned int hooknum, struct sk_buff *skb, int
+ struct ip_vs_proto_data *pd;
+ struct ip_vs_conn *cp;
+ int ret, pkts;
+- int conn_reuse_mode;
+ struct sock *sk;
+
+ /* Already marked as IPVS request or reply? */
+@@ -2059,15 +2058,16 @@ ip_vs_in(struct netns_ipvs *ipvs, unsigned int hooknum, struct sk_buff *skb, int
+ cp = INDIRECT_CALL_1(pp->conn_in_get, ip_vs_conn_in_get_proto,
+ ipvs, af, skb, &iph);
+
+- conn_reuse_mode = sysctl_conn_reuse_mode(ipvs);
+- if (conn_reuse_mode && !iph.fragoffs && is_new_conn(skb, &iph) && cp) {
++ if (!iph.fragoffs && is_new_conn(skb, &iph) && cp) {
++ int conn_reuse_mode = sysctl_conn_reuse_mode(ipvs);
+ bool old_ct = false, resched = false;
+
+ if (unlikely(sysctl_expire_nodest_conn(ipvs)) && cp->dest &&
+ unlikely(!atomic_read(&cp->dest->weight))) {
+ resched = true;
+ old_ct = ip_vs_conn_uses_old_conntrack(cp, skb);
+- } else if (is_new_conn_expected(cp, conn_reuse_mode)) {
++ } else if (conn_reuse_mode &&
++ is_new_conn_expected(cp, conn_reuse_mode)) {
+ old_ct = ip_vs_conn_uses_old_conntrack(cp, skb);
+ if (!atomic_read(&cp->n_control)) {
+ resched = true;
+--
+2.33.0
+
--- /dev/null
+From df7bab6f2ab9e2a5fd4fd42d92c69d9add36b89a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Nov 2021 14:38:03 +0100
+Subject: nfp: checking parameter process for rx-usecs/tx-usecs is invalid
+
+From: Diana Wang <na.wang@corigine.com>
+
+[ Upstream commit 3bd6b2a838ba6a3b86d41b077f570b1b61174def ]
+
+Use nn->tlv_caps.me_freq_mhz instead of nn->me_freq_mhz to check whether
+rx-usecs/tx-usecs is valid.
+
+This is because nn->tlv_caps.me_freq_mhz represents the clock_freq (MHz) of
+the flow processing cores (FPC) on the NIC. While nn->me_freq_mhz is not
+be set.
+
+Fixes: ce991ab6662a ("nfp: read ME frequency from vNIC ctrl memory")
+Signed-off-by: Diana Wang <na.wang@corigine.com>
+Signed-off-by: Simon Horman <simon.horman@corigine.com>
+Reviewed-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/netronome/nfp/nfp_net.h | 3 ---
+ drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c | 2 +-
+ 2 files changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/netronome/nfp/nfp_net.h b/drivers/net/ethernet/netronome/nfp/nfp_net.h
+index 250f510b1d212..3dcb09f17b77f 100644
+--- a/drivers/net/ethernet/netronome/nfp/nfp_net.h
++++ b/drivers/net/ethernet/netronome/nfp/nfp_net.h
+@@ -557,7 +557,6 @@ struct nfp_net_dp {
+ * @exn_name: Name for Exception interrupt
+ * @shared_handler: Handler for shared interrupts
+ * @shared_name: Name for shared interrupt
+- * @me_freq_mhz: ME clock_freq (MHz)
+ * @reconfig_lock: Protects @reconfig_posted, @reconfig_timer_active,
+ * @reconfig_sync_present and HW reconfiguration request
+ * regs/machinery from async requests (sync must take
+@@ -639,8 +638,6 @@ struct nfp_net {
+ irq_handler_t shared_handler;
+ char shared_name[IFNAMSIZ + 8];
+
+- u32 me_freq_mhz;
+-
+ bool link_up;
+ spinlock_t link_status_lock;
+
+diff --git a/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c b/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c
+index 2354dec994184..89e578e25ff8f 100644
+--- a/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c
++++ b/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c
+@@ -1269,7 +1269,7 @@ static int nfp_net_set_coalesce(struct net_device *netdev,
+ * ME timestamp ticks. There are 16 ME clock cycles for each timestamp
+ * count.
+ */
+- factor = nn->me_freq_mhz / 16;
++ factor = nn->tlv_caps.me_freq_mhz / 16;
+
+ /* Each pair of (usecs, max_frames) fields specifies that interrupts
+ * should be coalesced until
+--
+2.33.0
+
--- /dev/null
+From 167e5df93884b184e2fdfa50fd7f5dc78c7a3fa5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Nov 2021 09:55:01 -0500
+Subject: NFSv42: Don't fail clone() unless the OP_CLONE operation failed
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit d3c45824ad65aebf765fcf51366d317a29538820 ]
+
+The failure to retrieve post-op attributes has no bearing on whether or
+not the clone operation itself was successful. We must therefore ignore
+the return value of decode_getfattr() when looking at the success or
+failure of nfs4_xdr_dec_clone().
+
+Fixes: 36022770de6c ("nfs42: add CLONE xdr functions")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs42xdr.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/fs/nfs/nfs42xdr.c b/fs/nfs/nfs42xdr.c
+index aed865a846296..2b78f7b8d5467 100644
+--- a/fs/nfs/nfs42xdr.c
++++ b/fs/nfs/nfs42xdr.c
+@@ -769,8 +769,7 @@ static int nfs4_xdr_dec_clone(struct rpc_rqst *rqstp,
+ status = decode_clone(xdr);
+ if (status)
+ goto out;
+- status = decode_getfattr(xdr, res->dst_fattr, res->server);
+-
++ decode_getfattr(xdr, res->dst_fattr, res->server);
+ out:
+ res->rpc_status = status;
+ return status;
+--
+2.33.0
+
--- /dev/null
+From 40b61b0d006e9f905f1718e535168fd82969c249 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Nov 2021 15:38:41 +0530
+Subject: nvmet-tcp: fix incomplete data digest send
+
+From: Varun Prakash <varun@chelsio.com>
+
+[ Upstream commit 102110efdff6beedece6ab9b51664c32ac01e2db ]
+
+Current nvmet_try_send_ddgst() code does not check whether
+all data digest bytes are transmitted, fix this by returning
+-EAGAIN if all data digest bytes are not transmitted.
+
+Fixes: 872d26a391da ("nvmet-tcp: add NVMe over TCP target driver")
+Signed-off-by: Varun Prakash <varun@chelsio.com>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/tcp.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c
+index fac1985870765..4341c72446628 100644
+--- a/drivers/nvme/target/tcp.c
++++ b/drivers/nvme/target/tcp.c
+@@ -631,10 +631,11 @@ static int nvmet_try_send_r2t(struct nvmet_tcp_cmd *cmd, bool last_in_batch)
+ static int nvmet_try_send_ddgst(struct nvmet_tcp_cmd *cmd)
+ {
+ struct nvmet_tcp_queue *queue = cmd->queue;
++ int left = NVME_TCP_DIGEST_LENGTH - cmd->offset;
+ struct msghdr msg = { .msg_flags = MSG_DONTWAIT };
+ struct kvec iov = {
+ .iov_base = (u8 *)&cmd->exp_ddgst + cmd->offset,
+- .iov_len = NVME_TCP_DIGEST_LENGTH - cmd->offset
++ .iov_len = left
+ };
+ int ret;
+
+@@ -643,6 +644,10 @@ static int nvmet_try_send_ddgst(struct nvmet_tcp_cmd *cmd)
+ return ret;
+
+ cmd->offset += ret;
++ left -= ret;
++
++ if (left)
++ return -EAGAIN;
+
+ if (queue->nvme_sq.sqhd_disabled) {
+ cmd->queue->snd_cmd = NULL;
+--
+2.33.0
+
--- /dev/null
+From fbdbcc4303b615c8f0934826f4646c748438c82b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Nov 2021 11:08:27 +0100
+Subject: nvmet: use IOCB_NOWAIT only if the filesystem supports it
+
+From: Maurizio Lombardi <mlombard@redhat.com>
+
+[ Upstream commit c024b226a417c4eb9353ff500b1c823165d4d508 ]
+
+Submit I/O requests with the IOCB_NOWAIT flag set only if
+the underlying filesystem supports it.
+
+Fixes: 50a909db36f2 ("nvmet: use IOCB_NOWAIT for file-ns buffered I/O")
+Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
+Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/io-cmd-file.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/target/io-cmd-file.c b/drivers/nvme/target/io-cmd-file.c
+index 6ca17a0babae2..1c8d16b0245b1 100644
+--- a/drivers/nvme/target/io-cmd-file.c
++++ b/drivers/nvme/target/io-cmd-file.c
+@@ -8,6 +8,7 @@
+ #include <linux/uio.h>
+ #include <linux/falloc.h>
+ #include <linux/file.h>
++#include <linux/fs.h>
+ #include "nvmet.h"
+
+ #define NVMET_MAX_MPOOL_BVEC 16
+@@ -254,7 +255,8 @@ static void nvmet_file_execute_rw(struct nvmet_req *req)
+
+ if (req->ns->buffered_io) {
+ if (likely(!req->f.mpool_alloc) &&
+- nvmet_file_execute_io(req, IOCB_NOWAIT))
++ (req->ns->file->f_mode & FMODE_NOWAIT) &&
++ nvmet_file_execute_io(req, IOCB_NOWAIT))
+ return;
+ nvmet_file_submit_buffered_io(req);
+ } else
+--
+2.33.0
+
--- /dev/null
+From f82efcdfafdb91fe838ca1e1824780565ca77933 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Nov 2021 20:18:43 +0100
+Subject: PM: hibernate: use correct mode for swsusp_close()
+
+From: Thomas Zeitlhofer <thomas.zeitlhofer+lkml@ze-it.at>
+
+[ Upstream commit cefcf24b4d351daf70ecd945324e200d3736821e ]
+
+Commit 39fbef4b0f77 ("PM: hibernate: Get block device exclusively in
+swsusp_check()") changed the opening mode of the block device to
+(FMODE_READ | FMODE_EXCL).
+
+In the corresponding calls to swsusp_close(), the mode is still just
+FMODE_READ which triggers the warning in blkdev_flush_mapping() on
+resume from hibernate.
+
+So, use the mode (FMODE_READ | FMODE_EXCL) also when closing the
+device.
+
+Fixes: 39fbef4b0f77 ("PM: hibernate: Get block device exclusively in swsusp_check()")
+Signed-off-by: Thomas Zeitlhofer <thomas.zeitlhofer+lkml@ze-it.at>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/power/hibernate.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
+index 69c4cd472def3..6cafb2e910a11 100644
+--- a/kernel/power/hibernate.c
++++ b/kernel/power/hibernate.c
+@@ -676,7 +676,7 @@ static int load_image_and_restore(void)
+ goto Unlock;
+
+ error = swsusp_read(&flags);
+- swsusp_close(FMODE_READ);
++ swsusp_close(FMODE_READ | FMODE_EXCL);
+ if (!error)
+ hibernation_restore(flags & SF_PLATFORM_MODE);
+
+@@ -871,7 +871,7 @@ static int software_resume(void)
+ /* The snapshot device should not be opened while we're running */
+ if (!atomic_add_unless(&snapshot_device_available, -1, 0)) {
+ error = -EBUSY;
+- swsusp_close(FMODE_READ);
++ swsusp_close(FMODE_READ | FMODE_EXCL);
+ goto Unlock;
+ }
+
+@@ -907,7 +907,7 @@ static int software_resume(void)
+ pm_pr_dbg("Hibernation image not present or could not be loaded.\n");
+ return error;
+ Close_Finish:
+- swsusp_close(FMODE_READ);
++ swsusp_close(FMODE_READ | FMODE_EXCL);
+ goto Finish;
+ }
+
+--
+2.33.0
+
--- /dev/null
+From bbc493551cb9f6bcb099c4cffcbea27513f7a300 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 20 Nov 2021 10:49:17 -0600
+Subject: scsi: core: sysfs: Fix setting device state to SDEV_RUNNING
+
+From: Mike Christie <michael.christie@oracle.com>
+
+[ Upstream commit eb97545d6264b341b06ba7603f52ff6c0b2af6ea ]
+
+This fixes an issue added in commit 4edd8cd4e86d ("scsi: core: sysfs: Fix
+hang when device state is set via sysfs") where if userspace is requesting
+to set the device state to SDEV_RUNNING when the state is already
+SDEV_RUNNING, we return -EINVAL instead of count. The commmit above set ret
+to count for this case, when it should have set it to 0.
+
+Link: https://lore.kernel.org/r/20211120164917.4924-1-michael.christie@oracle.com
+Fixes: 4edd8cd4e86d ("scsi: core: sysfs: Fix hang when device state is set via sysfs")
+Reviewed-by: Lee Duncan <lduncan@suse.com>
+Signed-off-by: Mike Christie <michael.christie@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi_sysfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c
+index 16432d42a50aa..6faf1d6451b0c 100644
+--- a/drivers/scsi/scsi_sysfs.c
++++ b/drivers/scsi/scsi_sysfs.c
+@@ -796,7 +796,7 @@ store_state_field(struct device *dev, struct device_attribute *attr,
+
+ mutex_lock(&sdev->state_mutex);
+ if (sdev->sdev_state == SDEV_RUNNING && state == SDEV_RUNNING) {
+- ret = count;
++ ret = 0;
+ } else {
+ ret = scsi_device_set_state(sdev, state);
+ if (ret == 0 && state == SDEV_RUNNING)
+--
+2.33.0
+
--- /dev/null
+From 8106ef3128e24770f0323edbed4146539c2a6b19 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Nov 2021 16:19:09 +0530
+Subject: scsi: mpt3sas: Fix kernel panic during drive powercycle test
+
+From: Sreekanth Reddy <sreekanth.reddy@broadcom.com>
+
+[ Upstream commit 0ee4ba13e09c9d9c1cb6abb59da8295d9952328b ]
+
+While looping over shost's sdev list it is possible that one
+of the drives is getting removed and its sas_target object is
+freed but its sdev object remains intact.
+
+Consequently, a kernel panic can occur while the driver is trying to access
+the sas_address field of sas_target object without also checking the
+sas_target object for NULL.
+
+Link: https://lore.kernel.org/r/20211117104909.2069-1-sreekanth.reddy@broadcom.com
+Fixes: f92363d12359 ("[SCSI] mpt3sas: add new driver supporting 12GB SAS")
+Signed-off-by: Sreekanth Reddy <sreekanth.reddy@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/mpt3sas/mpt3sas_scsih.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+index 3654cfc4376fa..97c1f242ef0a3 100644
+--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+@@ -3387,7 +3387,7 @@ _scsih_ublock_io_device(struct MPT3SAS_ADAPTER *ioc, u64 sas_address)
+
+ shost_for_each_device(sdev, ioc->shost) {
+ sas_device_priv_data = sdev->hostdata;
+- if (!sas_device_priv_data)
++ if (!sas_device_priv_data || !sas_device_priv_data->sas_target)
+ continue;
+ if (sas_device_priv_data->sas_target->sas_address
+ != sas_address)
+--
+2.33.0
+
pinctrl-armada-37xx-correct-pwm-pins-definitions.patch
arm64-dts-marvell-armada-37xx-set-pcie_reset_pin-to-gpio-function.patch
proc-vmcore-fix-clearing-user-buffer-by-properly-using-clear_user.patch
+netfilter-ipvs-fix-reuse-connection-if-rs-weight-is-.patch
+arm-dts-bcm5301x-fix-i2c-controller-interrupt.patch
+arm-dts-bcm5301x-add-interrupt-properties-to-gpio-no.patch
+asoc-qdsp6-q6routing-conditionally-reset-frontend-mi.patch
+asoc-topology-add-missing-rwsem-around-snd_ctl_remov.patch
+net-ieee802154-handle-iftypes-as-u32.patch
+firmware-arm_scmi-pm-propagate-return-value-to-calle.patch
+nfsv42-don-t-fail-clone-unless-the-op_clone-operatio.patch
+arm-socfpga-fix-crash-with-config_fortiry_source.patch
+scsi-mpt3sas-fix-kernel-panic-during-drive-powercycl.patch
+drm-vc4-fix-error-code-in-vc4_create_object.patch
+iavf-prevent-changing-static-itr-values-if-adaptive-.patch
+ipv6-fix-typos-in-__ip6_finish_output.patch
+nfp-checking-parameter-process-for-rx-usecs-tx-usecs.patch
+net-ipv6-add-fib6_nh_release_dsts-stub.patch
+net-nexthop-release-ipv6-per-cpu-dsts-when-replacing.patch
+scsi-core-sysfs-fix-setting-device-state-to-sdev_run.patch
+net-smc-ensure-the-active-closing-peer-first-closes-.patch
+nvmet-tcp-fix-incomplete-data-digest-send.patch
+net-ncsi-add-payload-to-be-32-bit-aligned-to-fix-dro.patch
+pm-hibernate-use-correct-mode-for-swsusp_close.patch
+tcp_cubic-fix-spurious-hystart-ack-train-detections-.patch
+nvmet-use-iocb_nowait-only-if-the-filesystem-support.patch
+igb-fix-netpoll-exit-with-traffic.patch
+mips-use-3-level-pgtable-for-64kb-page-size-on-mips_.patch
+net-vlan-fix-underflow-for-the-real_dev-refcnt.patch
+net-smc-don-t-call-clcsock-shutdown-twice-when-smc-s.patch
+net-hns3-fix-vf-rss-failed-problem-after-pf-enable-m.patch
+net-mscc-ocelot-don-t-downgrade-timestamping-rx-filt.patch
+net-mscc-ocelot-correctly-report-the-timestamping-rx.patch
--- /dev/null
+From 4a334f4bc2da34998ccf9da1834661a39e769ed2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Nov 2021 12:25:35 -0800
+Subject: tcp_cubic: fix spurious Hystart ACK train detections for
+ not-cwnd-limited flows
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 4e1fddc98d2585ddd4792b5e44433dcee7ece001 ]
+
+While testing BIG TCP patch series, I was expecting that TCP_RR workloads
+with 80KB requests/answers would send one 80KB TSO packet,
+then being received as a single GRO packet.
+
+It turns out this was not happening, and the root cause was that
+cubic Hystart ACK train was triggering after a few (2 or 3) rounds of RPC.
+
+Hystart was wrongly setting CWND/SSTHRESH to 30, while my RPC
+needed a budget of ~20 segments.
+
+Ideally these TCP_RR flows should not exit slow start.
+
+Cubic Hystart should reset itself at each round, instead of assuming
+every TCP flow is a bulk one.
+
+Note that even after this patch, Hystart can still trigger, depending
+on scheduling artifacts, but at a higher CWND/SSTHRESH threshold,
+keeping optimal TSO packet sizes.
+
+Tested:
+
+ip link set dev eth0 gro_ipv6_max_size 131072 gso_ipv6_max_size 131072
+nstat -n; netperf -H ... -t TCP_RR -l 5 -- -r 80000,80000 -K cubic; nstat|egrep "Ip6InReceives|Hystart|Ip6OutRequests"
+
+Before:
+
+ 8605
+Ip6InReceives 87541 0.0
+Ip6OutRequests 129496 0.0
+TcpExtTCPHystartTrainDetect 1 0.0
+TcpExtTCPHystartTrainCwnd 30 0.0
+
+After:
+
+ 8760
+Ip6InReceives 88514 0.0
+Ip6OutRequests 87975 0.0
+
+Fixes: ae27e98a5152 ("[TCP] CUBIC v2.3")
+Co-developed-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Stephen Hemminger <stephen@networkplumber.org>
+Cc: Yuchung Cheng <ycheng@google.com>
+Cc: Soheil Hassas Yeganeh <soheil@google.com>
+Link: https://lore.kernel.org/r/20211123202535.1843771-1-eric.dumazet@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_cubic.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/tcp_cubic.c b/net/ipv4/tcp_cubic.c
+index ee6c38a73325d..44be7a5a13911 100644
+--- a/net/ipv4/tcp_cubic.c
++++ b/net/ipv4/tcp_cubic.c
+@@ -341,8 +341,6 @@ static void bictcp_cong_avoid(struct sock *sk, u32 ack, u32 acked)
+ return;
+
+ if (tcp_in_slow_start(tp)) {
+- if (hystart && after(ack, ca->end_seq))
+- bictcp_hystart_reset(sk);
+ acked = tcp_slow_start(tp, acked);
+ if (!acked)
+ return;
+@@ -384,6 +382,9 @@ static void hystart_update(struct sock *sk, u32 delay)
+ if (ca->found & hystart_detect)
+ return;
+
++ if (after(tp->snd_una, ca->end_seq))
++ bictcp_hystart_reset(sk);
++
+ if (hystart_detect & HYSTART_ACK_TRAIN) {
+ u32 now = bictcp_clock();
+
+--
+2.33.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
