--- /dev/null
+From 6a1cdf298ca7e03f036321ffc8debb13eacdc317 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Nov 2020 16:32:58 +0000
+Subject: afs: Fix warning due to unadvanced marshalling pointer
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit c80afa1d9c3603d5eddeb8d63368823b1982f3f0 ]
+
+When using the afs.yfs.acl xattr to change an AuriStor ACL, a warning
+can be generated when the request is marshalled because the buffer
+pointer isn't increased after adding the last element, thereby
+triggering the check at the end if the ACL wasn't empty. This just
+causes something like the following warning, but doesn't stop the call
+from happening successfully:
+
+ kAFS: YFS.StoreOpaqueACL2: Request buffer underflow (36<108)
+
+Fix this simply by increasing the count prior to the check.
+
+Fixes: f5e4546347bc ("afs: Implement YFS ACL setting")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/yfsclient.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/afs/yfsclient.c b/fs/afs/yfsclient.c
+index d21cf61d86b9f..3b19b009452a2 100644
+--- a/fs/afs/yfsclient.c
++++ b/fs/afs/yfsclient.c
+@@ -2162,6 +2162,7 @@ int yfs_fs_store_opaque_acl2(struct afs_fs_cursor *fc, const struct afs_acl *acl
+ memcpy(bp, acl->data, acl->size);
+ if (acl->size != size)
+ memset((void *)bp + acl->size, 0, size - acl->size);
++ bp += size / sizeof(__be32);
+ yfs_check_req(call, bp);
+
+ trace_afs_make_fs_call(call, &vnode->fid);
+--
+2.27.0
+
--- /dev/null
+From 8d908395c4e841f09230599e2946d9e5ab668c19 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Nov 2020 13:18:07 +0300
+Subject: ALSA: hda: prevent undefined shift in snd_hdac_ext_bus_get_link()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 158e1886b6262c1d1c96a18c85fac5219b8bf804 ]
+
+This is harmless, but the "addr" comes from the user and it could lead
+to a negative shift or to shift wrapping if it's too high.
+
+Fixes: 0b00a5615dc4 ("ALSA: hdac_ext: add hdac extended controller")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/20201103101807.GC1127762@mwanda
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/hda/ext/hdac_ext_controller.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/hda/ext/hdac_ext_controller.c b/sound/hda/ext/hdac_ext_controller.c
+index 09ff209df4a30..c87187f635733 100644
+--- a/sound/hda/ext/hdac_ext_controller.c
++++ b/sound/hda/ext/hdac_ext_controller.c
+@@ -148,6 +148,8 @@ struct hdac_ext_link *snd_hdac_ext_bus_get_link(struct hdac_bus *bus,
+ return NULL;
+ if (bus->idx != bus_idx)
+ return NULL;
++ if (addr < 0 || addr > 31)
++ return NULL;
+
+ list_for_each_entry(hlink, &bus->hlink_list, list) {
+ for (i = 0; i < HDA_MAX_CODECS; i++) {
+--
+2.27.0
+
--- /dev/null
+From 9d17cc8dd6ef8128d7bbe2986a11d4bfd00eba10 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Oct 2020 15:43:40 +0000
+Subject: ASoC: codecs: wcd9335: Set digital gain range correctly
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+[ Upstream commit 6d6bc54ab4f2404d46078abc04bf4dee4db01def ]
+
+digital gain range is -84dB min to 40dB max, however this was not
+correctly specified in the range.
+
+Fix this by with correct range!
+
+Fixes: 8c4f021d806a ("ASoC: wcd9335: add basic controls")
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20201028154340.17090-2-srinivas.kandagatla@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/wcd9335.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/wcd9335.c b/sound/soc/codecs/wcd9335.c
+index f318403133e96..81906c25e4a87 100644
+--- a/sound/soc/codecs/wcd9335.c
++++ b/sound/soc/codecs/wcd9335.c
+@@ -618,7 +618,7 @@ static const char * const sb_tx8_mux_text[] = {
+ "ZERO", "RX_MIX_TX8", "DEC8", "DEC8_192"
+ };
+
+-static const DECLARE_TLV_DB_SCALE(digital_gain, 0, 1, 0);
++static const DECLARE_TLV_DB_SCALE(digital_gain, -8400, 100, -8400);
+ static const DECLARE_TLV_DB_SCALE(line_gain, 0, 7, 1);
+ static const DECLARE_TLV_DB_SCALE(analog_gain, 0, 25, 1);
+ static const DECLARE_TLV_DB_SCALE(ear_pa_gain, 0, 150, 0);
+--
+2.27.0
+
--- /dev/null
+From 60de5283b79e12af7c8f072af34f14ee2aa08ec1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Oct 2020 14:16:24 +0000
+Subject: ASoC: Intel: kbl_rt5663_max98927: Fix kabylake_ssp_fixup function
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tomasz Figa <tfiga@chromium.org>
+
+[ Upstream commit 9fe9efd6924c9a62ebb759025bb8927e398f51f7 ]
+
+This is a copy of commit 5c5f1baee85a ("ASoC: Intel:
+kbl_rt5663_rt5514_max98927: Fix kabylake_ssp_fixup function") applied to
+the kbl_rt5663_max98927 board file.
+
+Original explanation of the change:
+
+kabylake_ssp_fixup function uses snd_soc_dpcm to identify the
+codecs DAIs. The HW parameters are changed based on the codec DAI of the
+stream. The earlier approach to get snd_soc_dpcm was using container_of()
+macro on snd_pcm_hw_params.
+
+The structures have been modified over time and snd_soc_dpcm does not have
+snd_pcm_hw_params as a reference but as a copy. This causes the current
+driver to crash when used.
+
+This patch changes the way snd_soc_dpcm is extracted. snd_soc_pcm_runtime
+holds 2 dpcm instances (one for playback and one for capture). 2 codecs
+on the SSP are dmic (capture) and speakers (playback). Based on the
+stream direction, snd_soc_dpcm is extracted from snd_soc_pcm_runtime.
+
+Fixes a boot crash on a HP Chromebook x2:
+
+[ 16.582225] BUG: kernel NULL pointer dereference, address: 0000000000000050
+[ 16.582231] #PF: supervisor read access in kernel mode
+[ 16.582233] #PF: error_code(0x0000) - not-present page
+[ 16.582234] PGD 0 P4D 0
+[ 16.582238] Oops: 0000 [#1] PREEMPT SMP PTI
+[ 16.582241] CPU: 0 PID: 1980 Comm: cras Tainted: G C 5.4.58 #1
+[ 16.582243] Hardware name: HP Soraka/Soraka, BIOS Google_Soraka.10431.75.0 08/30/2018
+[ 16.582247] RIP: 0010:kabylake_ssp_fixup+0x19/0xbb [snd_soc_kbl_rt5663_max98927]
+[ 16.582250] Code: c6 6f c5 80 c0 44 89 f2 31 c0 e8 3e c9 4c d6 eb de 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 53 48 89 f3 48 8b 46 c8 48 8b 4e d0 <48> 8b 49 10 4c 8b 78 10 4c 8b 31 4c 89 f7 48 c7 c6 4b c2 80 c0 e8
+[ 16.582252] RSP: 0000:ffffaf7e81e0b958 EFLAGS: 00010282
+[ 16.582254] RAX: ffffffff96f13e0d RBX: ffffaf7e81e0ba00 RCX: 0000000000000040
+[ 16.582256] RDX: ffffaf7e81e0ba00 RSI: ffffaf7e81e0ba00 RDI: ffffa3b208558028
+[ 16.582258] RBP: ffffaf7e81e0b970 R08: ffffa3b203b54160 R09: ffffaf7e81e0ba00
+[ 16.582259] R10: 0000000000000000 R11: ffffffffc080b345 R12: ffffa3b209fb6e00
+[ 16.582261] R13: ffffa3b1b1a47838 R14: ffffa3b1e6197f28 R15: ffffaf7e81e0ba00
+[ 16.582263] FS: 00007eb3f25aaf80(0000) GS:ffffa3b236a00000(0000) knlGS:0000000000000000
+[ 16.582265] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 16.582267] CR2: 0000000000000050 CR3: 0000000246bc8006 CR4: 00000000003606f0
+[ 16.582269] Call Trace:
+[ 16.582275] snd_soc_link_be_hw_params_fixup+0x21/0x68
+[ 16.582278] snd_soc_dai_hw_params+0x25/0x94
+[ 16.582282] soc_pcm_hw_params+0x2d8/0x583
+[ 16.582288] dpcm_be_dai_hw_params+0x172/0x29e
+[ 16.582291] dpcm_fe_dai_hw_params+0x9f/0x12f
+[ 16.582295] snd_pcm_hw_params+0x137/0x41c
+[ 16.582298] snd_pcm_hw_params_user+0x3c/0x71
+[ 16.582301] snd_pcm_common_ioctl+0x2c6/0x565
+[ 16.582304] snd_pcm_ioctl+0x32/0x36
+[ 16.582307] do_vfs_ioctl+0x506/0x783
+[ 16.582311] ksys_ioctl+0x58/0x83
+[ 16.582313] __x64_sys_ioctl+0x1a/0x1e
+[ 16.582316] do_syscall_64+0x54/0x7e
+[ 16.582319] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 16.582322] RIP: 0033:0x7eb3f1886157
+[ 16.582324] Code: 8a 66 90 48 8b 05 11 dd 2b 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 dc 2b 00 f7 d8 64 89 01 48
+[ 16.582326] RSP: 002b:00007ffff7559818 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+[ 16.582329] RAX: ffffffffffffffda RBX: 00005acc9188b140 RCX: 00007eb3f1886157
+[ 16.582330] RDX: 00007ffff7559940 RSI: 00000000c2604111 RDI: 000000000000001e
+[ 16.582332] RBP: 00007ffff7559840 R08: 0000000000000004 R09: 0000000000000000
+[ 16.582333] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000bb80
+[ 16.582335] R13: 00005acc91702e80 R14: 00007ffff7559940 R15: 00005acc91702e80
+[ 16.582337] Modules linked in: rfcomm cmac algif_hash algif_skcipher af_alg uinput hid_google_hammer snd_soc_kbl_rt5663_max98927 snd_soc_hdac_hdmi snd_soc_dmic snd_soc_skl_ssp_clk snd_soc_skl snd_soc_sst_ipc snd_soc_sst_dsp snd_soc_hdac_hda snd_soc_acpi_intel_match snd_soc_acpi snd_hda_ext_core snd_intel_dspcfg snd_hda_codec snd_hwdep snd_hda_core ipu3_cio2 ipu3_imgu(C) videobuf2_v4l2 videobuf2_common videobuf2_dma_sg videobuf2_memops snd_soc_rt5663 snd_soc_max98927 snd_soc_rl6231 ov5670 ov13858 acpi_als v4l2_fwnode dw9714 fuse xt_MASQUERADE iio_trig_sysfs cros_ec_light_prox cros_ec_sensors cros_ec_sensors_core cros_ec_sensors_ring industrialio_triggered_buffer kfifo_buf industrialio cros_ec_sensorhub cdc_ether usbnet btusb btrtl btintel btbcm bluetooth ecdh_generic ecc lzo_rle lzo_compress iwlmvm zram iwl7000_mac80211 r8152 mii iwlwifi cfg80211 joydev
+[ 16.584243] gsmi: Log Shutdown Reason 0x03
+[ 16.584246] CR2: 0000000000000050
+[ 16.584248] ---[ end trace c8511d090c11edff ]---
+
+Suggested-by: Åukasz Majczak <lmajczak@google.com>
+Fixes: 2e5894d73789e ("ASoC: pcm: Add support for DAI multicodec")
+Signed-off-by: Tomasz Figa <tfiga@chromium.org>
+Acked-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://lore.kernel.org/r/20201014141624.4143453-1-tfiga@chromium.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/boards/kbl_rt5663_max98927.c | 39 ++++++++++++++++----
+ 1 file changed, 31 insertions(+), 8 deletions(-)
+
+diff --git a/sound/soc/intel/boards/kbl_rt5663_max98927.c b/sound/soc/intel/boards/kbl_rt5663_max98927.c
+index 7cefda341fbf8..a540a2dad80c3 100644
+--- a/sound/soc/intel/boards/kbl_rt5663_max98927.c
++++ b/sound/soc/intel/boards/kbl_rt5663_max98927.c
+@@ -401,17 +401,40 @@ static int kabylake_ssp_fixup(struct snd_soc_pcm_runtime *rtd,
+ struct snd_interval *channels = hw_param_interval(params,
+ SNDRV_PCM_HW_PARAM_CHANNELS);
+ struct snd_mask *fmt = hw_param_mask(params, SNDRV_PCM_HW_PARAM_FORMAT);
+- struct snd_soc_dpcm *dpcm = container_of(
+- params, struct snd_soc_dpcm, hw_params);
+- struct snd_soc_dai_link *fe_dai_link = dpcm->fe->dai_link;
+- struct snd_soc_dai_link *be_dai_link = dpcm->be->dai_link;
++ struct snd_soc_dpcm *dpcm, *rtd_dpcm = NULL;
++
++ /*
++ * The following loop will be called only for playback stream
++ * In this platform, there is only one playback device on every SSP
++ */
++ for_each_dpcm_fe(rtd, SNDRV_PCM_STREAM_PLAYBACK, dpcm) {
++ rtd_dpcm = dpcm;
++ break;
++ }
++
++ /*
++ * This following loop will be called only for capture stream
++ * In this platform, there is only one capture device on every SSP
++ */
++ for_each_dpcm_fe(rtd, SNDRV_PCM_STREAM_CAPTURE, dpcm) {
++ rtd_dpcm = dpcm;
++ break;
++ }
++
++ if (!rtd_dpcm)
++ return -EINVAL;
++
++ /*
++ * The above 2 loops are mutually exclusive based on the stream direction,
++ * thus rtd_dpcm variable will never be overwritten
++ */
+
+ /*
+ * The ADSP will convert the FE rate to 48k, stereo, 24 bit
+ */
+- if (!strcmp(fe_dai_link->name, "Kbl Audio Port") ||
+- !strcmp(fe_dai_link->name, "Kbl Audio Headset Playback") ||
+- !strcmp(fe_dai_link->name, "Kbl Audio Capture Port")) {
++ if (!strcmp(rtd_dpcm->fe->dai_link->name, "Kbl Audio Port") ||
++ !strcmp(rtd_dpcm->fe->dai_link->name, "Kbl Audio Headset Playback") ||
++ !strcmp(rtd_dpcm->fe->dai_link->name, "Kbl Audio Capture Port")) {
+ rate->min = rate->max = 48000;
+ channels->min = channels->max = 2;
+ snd_mask_none(fmt);
+@@ -421,7 +444,7 @@ static int kabylake_ssp_fixup(struct snd_soc_pcm_runtime *rtd,
+ * The speaker on the SSP0 supports S16_LE and not S24_LE.
+ * thus changing the mask here
+ */
+- if (!strcmp(be_dai_link->name, "SSP0-Codec"))
++ if (!strcmp(rtd_dpcm->be->dai_link->name, "SSP0-Codec"))
+ snd_mask_set_format(fmt, SNDRV_PCM_FORMAT_S16_LE);
+
+ return 0;
+--
+2.27.0
+
--- /dev/null
+From a534dd68c9f8de231e6a25033d47c91ca524038a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Sep 2020 17:27:29 +0900
+Subject: btrfs: reschedule when cloning lots of extents
+
+From: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+
+[ Upstream commit 6b613cc97f0ace77f92f7bc112b8f6ad3f52baf8 ]
+
+We have several occurrences of a soft lockup from fstest's generic/175
+testcase, which look more or less like this one:
+
+ watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [xfs_io:10030]
+ Kernel panic - not syncing: softlockup: hung tasks
+ CPU: 0 PID: 10030 Comm: xfs_io Tainted: G L 5.9.0-rc5+ #768
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4-rebuilt.opensuse.org 04/01/2014
+ Call Trace:
+ <IRQ>
+ dump_stack+0x77/0xa0
+ panic+0xfa/0x2cb
+ watchdog_timer_fn.cold+0x85/0xa5
+ ? lockup_detector_update_enable+0x50/0x50
+ __hrtimer_run_queues+0x99/0x4c0
+ ? recalibrate_cpu_khz+0x10/0x10
+ hrtimer_run_queues+0x9f/0xb0
+ update_process_times+0x28/0x80
+ tick_handle_periodic+0x1b/0x60
+ __sysvec_apic_timer_interrupt+0x76/0x210
+ asm_call_on_stack+0x12/0x20
+ </IRQ>
+ sysvec_apic_timer_interrupt+0x7f/0x90
+ asm_sysvec_apic_timer_interrupt+0x12/0x20
+ RIP: 0010:btrfs_tree_unlock+0x91/0x1a0 [btrfs]
+ RSP: 0018:ffffc90007123a58 EFLAGS: 00000282
+ RAX: ffff8881cea2fbe0 RBX: ffff8881cea2fbe0 RCX: 0000000000000000
+ RDX: ffff8881d23fd200 RSI: ffffffff82045220 RDI: ffff8881cea2fba0
+ RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000032
+ R10: 0000160000000000 R11: 0000000000001000 R12: 0000000000001000
+ R13: ffff8882357fd5b0 R14: ffff88816fa76e70 R15: ffff8881cea2fad0
+ ? btrfs_tree_unlock+0x15b/0x1a0 [btrfs]
+ btrfs_release_path+0x67/0x80 [btrfs]
+ btrfs_insert_replace_extent+0x177/0x2c0 [btrfs]
+ btrfs_replace_file_extents+0x472/0x7c0 [btrfs]
+ btrfs_clone+0x9ba/0xbd0 [btrfs]
+ btrfs_clone_files.isra.0+0xeb/0x140 [btrfs]
+ ? file_update_time+0xcd/0x120
+ btrfs_remap_file_range+0x322/0x3b0 [btrfs]
+ do_clone_file_range+0xb7/0x1e0
+ vfs_clone_file_range+0x30/0xa0
+ ioctl_file_clone+0x8a/0xc0
+ do_vfs_ioctl+0x5b2/0x6f0
+ __x64_sys_ioctl+0x37/0xa0
+ do_syscall_64+0x33/0x40
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+ RIP: 0033:0x7f87977fc247
+ RSP: 002b:00007ffd51a2f6d8 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
+ RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f87977fc247
+ RDX: 00007ffd51a2f710 RSI: 000000004020940d RDI: 0000000000000003
+ RBP: 0000000000000004 R08: 00007ffd51a79080 R09: 0000000000000000
+ R10: 00005621f11352f2 R11: 0000000000000206 R12: 0000000000000000
+ R13: 0000000000000000 R14: 00005621f128b958 R15: 0000000080000000
+ Kernel Offset: disabled
+ ---[ end Kernel panic - not syncing: softlockup: hung tasks ]---
+
+All of these lockup reports have the call chain btrfs_clone_files() ->
+btrfs_clone() in common. btrfs_clone_files() calls btrfs_clone() with
+both source and destination extents locked and loops over the source
+extent to create the clones.
+
+Conditionally reschedule in the btrfs_clone() loop, to give some time back
+to other processes.
+
+CC: stable@vger.kernel.org # 4.4+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/ioctl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
+index 63394b450afcc..3fd6c9aed7191 100644
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -3752,6 +3752,8 @@ process_slot:
+ ret = -EINTR;
+ goto out;
+ }
++
++ cond_resched();
+ }
+ ret = 0;
+
+--
+2.27.0
+
--- /dev/null
+From cf7e4ad88d8cb110a445e430d5f97eff65a368fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Sep 2020 08:09:01 -0400
+Subject: btrfs: sysfs: init devices outside of the chunk_mutex
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+[ Upstream commit ca10845a56856fff4de3804c85e6424d0f6d0cde ]
+
+While running btrfs/061, btrfs/073, btrfs/078, or btrfs/178 we hit the
+following lockdep splat:
+
+ ======================================================
+ WARNING: possible circular locking dependency detected
+ 5.9.0-rc3+ #4 Not tainted
+ ------------------------------------------------------
+ kswapd0/100 is trying to acquire lock:
+ ffff96ecc22ef4a0 (&delayed_node->mutex){+.+.}-{3:3}, at: __btrfs_release_delayed_node.part.0+0x3f/0x330
+
+ but task is already holding lock:
+ ffffffff8dd74700 (fs_reclaim){+.+.}-{0:0}, at: __fs_reclaim_acquire+0x5/0x30
+
+ which lock already depends on the new lock.
+
+ the existing dependency chain (in reverse order) is:
+
+ -> #3 (fs_reclaim){+.+.}-{0:0}:
+ fs_reclaim_acquire+0x65/0x80
+ slab_pre_alloc_hook.constprop.0+0x20/0x200
+ kmem_cache_alloc+0x37/0x270
+ alloc_inode+0x82/0xb0
+ iget_locked+0x10d/0x2c0
+ kernfs_get_inode+0x1b/0x130
+ kernfs_get_tree+0x136/0x240
+ sysfs_get_tree+0x16/0x40
+ vfs_get_tree+0x28/0xc0
+ path_mount+0x434/0xc00
+ __x64_sys_mount+0xe3/0x120
+ do_syscall_64+0x33/0x40
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+ -> #2 (kernfs_mutex){+.+.}-{3:3}:
+ __mutex_lock+0x7e/0x7e0
+ kernfs_add_one+0x23/0x150
+ kernfs_create_link+0x63/0xa0
+ sysfs_do_create_link_sd+0x5e/0xd0
+ btrfs_sysfs_add_devices_dir+0x81/0x130
+ btrfs_init_new_device+0x67f/0x1250
+ btrfs_ioctl+0x1ef/0x2e20
+ __x64_sys_ioctl+0x83/0xb0
+ do_syscall_64+0x33/0x40
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+ -> #1 (&fs_info->chunk_mutex){+.+.}-{3:3}:
+ __mutex_lock+0x7e/0x7e0
+ btrfs_chunk_alloc+0x125/0x3a0
+ find_free_extent+0xdf6/0x1210
+ btrfs_reserve_extent+0xb3/0x1b0
+ btrfs_alloc_tree_block+0xb0/0x310
+ alloc_tree_block_no_bg_flush+0x4a/0x60
+ __btrfs_cow_block+0x11a/0x530
+ btrfs_cow_block+0x104/0x220
+ btrfs_search_slot+0x52e/0x9d0
+ btrfs_insert_empty_items+0x64/0xb0
+ btrfs_insert_delayed_items+0x90/0x4f0
+ btrfs_commit_inode_delayed_items+0x93/0x140
+ btrfs_log_inode+0x5de/0x2020
+ btrfs_log_inode_parent+0x429/0xc90
+ btrfs_log_new_name+0x95/0x9b
+ btrfs_rename2+0xbb9/0x1800
+ vfs_rename+0x64f/0x9f0
+ do_renameat2+0x320/0x4e0
+ __x64_sys_rename+0x1f/0x30
+ do_syscall_64+0x33/0x40
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+ -> #0 (&delayed_node->mutex){+.+.}-{3:3}:
+ __lock_acquire+0x119c/0x1fc0
+ lock_acquire+0xa7/0x3d0
+ __mutex_lock+0x7e/0x7e0
+ __btrfs_release_delayed_node.part.0+0x3f/0x330
+ btrfs_evict_inode+0x24c/0x500
+ evict+0xcf/0x1f0
+ dispose_list+0x48/0x70
+ prune_icache_sb+0x44/0x50
+ super_cache_scan+0x161/0x1e0
+ do_shrink_slab+0x178/0x3c0
+ shrink_slab+0x17c/0x290
+ shrink_node+0x2b2/0x6d0
+ balance_pgdat+0x30a/0x670
+ kswapd+0x213/0x4c0
+ kthread+0x138/0x160
+ ret_from_fork+0x1f/0x30
+
+ other info that might help us debug this:
+
+ Chain exists of:
+ &delayed_node->mutex --> kernfs_mutex --> fs_reclaim
+
+ Possible unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(fs_reclaim);
+ lock(kernfs_mutex);
+ lock(fs_reclaim);
+ lock(&delayed_node->mutex);
+
+ *** DEADLOCK ***
+
+ 3 locks held by kswapd0/100:
+ #0: ffffffff8dd74700 (fs_reclaim){+.+.}-{0:0}, at: __fs_reclaim_acquire+0x5/0x30
+ #1: ffffffff8dd65c50 (shrinker_rwsem){++++}-{3:3}, at: shrink_slab+0x115/0x290
+ #2: ffff96ed2ade30e0 (&type->s_umount_key#36){++++}-{3:3}, at: super_cache_scan+0x38/0x1e0
+
+ stack backtrace:
+ CPU: 0 PID: 100 Comm: kswapd0 Not tainted 5.9.0-rc3+ #4
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014
+ Call Trace:
+ dump_stack+0x8b/0xb8
+ check_noncircular+0x12d/0x150
+ __lock_acquire+0x119c/0x1fc0
+ lock_acquire+0xa7/0x3d0
+ ? __btrfs_release_delayed_node.part.0+0x3f/0x330
+ __mutex_lock+0x7e/0x7e0
+ ? __btrfs_release_delayed_node.part.0+0x3f/0x330
+ ? __btrfs_release_delayed_node.part.0+0x3f/0x330
+ ? lock_acquire+0xa7/0x3d0
+ ? find_held_lock+0x2b/0x80
+ __btrfs_release_delayed_node.part.0+0x3f/0x330
+ btrfs_evict_inode+0x24c/0x500
+ evict+0xcf/0x1f0
+ dispose_list+0x48/0x70
+ prune_icache_sb+0x44/0x50
+ super_cache_scan+0x161/0x1e0
+ do_shrink_slab+0x178/0x3c0
+ shrink_slab+0x17c/0x290
+ shrink_node+0x2b2/0x6d0
+ balance_pgdat+0x30a/0x670
+ kswapd+0x213/0x4c0
+ ? _raw_spin_unlock_irqrestore+0x41/0x50
+ ? add_wait_queue_exclusive+0x70/0x70
+ ? balance_pgdat+0x670/0x670
+ kthread+0x138/0x160
+ ? kthread_create_worker_on_cpu+0x40/0x40
+ ret_from_fork+0x1f/0x30
+
+This happens because we are holding the chunk_mutex at the time of
+adding in a new device. However we only need to hold the
+device_list_mutex, as we're going to iterate over the fs_devices
+devices. Move the sysfs init stuff outside of the chunk_mutex to get
+rid of this lockdep splat.
+
+CC: stable@vger.kernel.org # 4.4.x: f3cd2c58110dad14e: btrfs: sysfs, rename device_link add/remove functions
+CC: stable@vger.kernel.org # 4.4.x
+Reported-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/volumes.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
+index 58910a0a3e4a4..00e7816dc9a1e 100644
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -2728,9 +2728,6 @@ int btrfs_init_new_device(struct btrfs_fs_info *fs_info, const char *device_path
+ btrfs_set_super_num_devices(fs_info->super_copy,
+ orig_super_num_devices + 1);
+
+- /* add sysfs device entry */
+- btrfs_sysfs_add_device_link(fs_devices, device);
+-
+ /*
+ * we've got more storage, clear any full flags on the space
+ * infos
+@@ -2738,6 +2735,10 @@ int btrfs_init_new_device(struct btrfs_fs_info *fs_info, const char *device_path
+ btrfs_clear_space_info_full(fs_info);
+
+ mutex_unlock(&fs_info->chunk_mutex);
++
++ /* Add sysfs device entry */
++ btrfs_sysfs_add_device_link(fs_devices, device);
++
+ mutex_unlock(&fs_devices->device_list_mutex);
+
+ if (seeding_dev) {
+--
+2.27.0
+
--- /dev/null
+From 8774930cf30f217de1e57c6f2aff373ef5af9f55 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Jul 2020 09:42:49 +0800
+Subject: btrfs: tracepoints: output proper root owner for
+ trace_find_free_extent()
+
+From: Qu Wenruo <wqu@suse.com>
+
+The current trace event always output result like this:
+
+ find_free_extent: root=2(EXTENT_TREE) len=16384 empty_size=0 flags=4(METADATA)
+ find_free_extent: root=2(EXTENT_TREE) len=16384 empty_size=0 flags=4(METADATA)
+ find_free_extent: root=2(EXTENT_TREE) len=8192 empty_size=0 flags=1(DATA)
+ find_free_extent: root=2(EXTENT_TREE) len=8192 empty_size=0 flags=1(DATA)
+ find_free_extent: root=2(EXTENT_TREE) len=4096 empty_size=0 flags=1(DATA)
+ find_free_extent: root=2(EXTENT_TREE) len=4096 empty_size=0 flags=1(DATA)
+
+T's saying we're allocating data extent for EXTENT tree, which is not
+even possible.
+
+It's because we always use EXTENT tree as the owner for
+trace_find_free_extent() without using the @root from
+btrfs_reserve_extent().
+
+This patch will change the parameter to use proper @root for
+trace_find_free_extent():
+
+Now it looks much better:
+
+ find_free_extent: root=5(FS_TREE) len=16384 empty_size=0 flags=36(METADATA|DUP)
+ find_free_extent: root=5(FS_TREE) len=8192 empty_size=0 flags=1(DATA)
+ find_free_extent: root=5(FS_TREE) len=16384 empty_size=0 flags=1(DATA)
+ find_free_extent: root=5(FS_TREE) len=4096 empty_size=0 flags=1(DATA)
+ find_free_extent: root=5(FS_TREE) len=8192 empty_size=0 flags=1(DATA)
+ find_free_extent: root=5(FS_TREE) len=16384 empty_size=0 flags=36(METADATA|DUP)
+ find_free_extent: root=7(CSUM_TREE) len=16384 empty_size=0 flags=36(METADATA|DUP)
+ find_free_extent: root=2(EXTENT_TREE) len=16384 empty_size=0 flags=36(METADATA|DUP)
+ find_free_extent: root=1(ROOT_TREE) len=16384 empty_size=0 flags=36(METADATA|DUP)
+
+Reported-by: Hans van Kranenburg <hans@knorrie.org>
+CC: stable@vger.kernel.org # 5.4+
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+---
+ fs/btrfs/extent-tree.c | 7 ++++---
+ include/trace/events/btrfs.h | 10 ++++++----
+ 2 files changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
+index 388449101705e..c6d9e8c07c236 100644
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -3800,11 +3800,12 @@ static int find_free_extent_update_loop(struct btrfs_fs_info *fs_info,
+ * |- Push harder to find free extents
+ * |- If not found, re-iterate all block groups
+ */
+-static noinline int find_free_extent(struct btrfs_fs_info *fs_info,
++static noinline int find_free_extent(struct btrfs_root *root,
+ u64 ram_bytes, u64 num_bytes, u64 empty_size,
+ u64 hint_byte, struct btrfs_key *ins,
+ u64 flags, int delalloc)
+ {
++ struct btrfs_fs_info *fs_info = root->fs_info;
+ int ret = 0;
+ int cache_block_group_error = 0;
+ struct btrfs_free_cluster *last_ptr = NULL;
+@@ -3833,7 +3834,7 @@ static noinline int find_free_extent(struct btrfs_fs_info *fs_info,
+ ins->objectid = 0;
+ ins->offset = 0;
+
+- trace_find_free_extent(fs_info, num_bytes, empty_size, flags);
++ trace_find_free_extent(root, num_bytes, empty_size, flags);
+
+ space_info = btrfs_find_space_info(fs_info, flags);
+ if (!space_info) {
+@@ -4141,7 +4142,7 @@ int btrfs_reserve_extent(struct btrfs_root *root, u64 ram_bytes,
+ flags = get_alloc_profile_by_root(root, is_data);
+ again:
+ WARN_ON(num_bytes < fs_info->sectorsize);
+- ret = find_free_extent(fs_info, ram_bytes, num_bytes, empty_size,
++ ret = find_free_extent(root, ram_bytes, num_bytes, empty_size,
+ hint_byte, ins, flags, delalloc);
+ if (!ret && !is_data) {
+ btrfs_dec_block_group_reservations(fs_info, ins->objectid);
+diff --git a/include/trace/events/btrfs.h b/include/trace/events/btrfs.h
+index 75ae1899452b9..94a3adb65b8af 100644
+--- a/include/trace/events/btrfs.h
++++ b/include/trace/events/btrfs.h
+@@ -1159,25 +1159,27 @@ DEFINE_EVENT(btrfs__reserved_extent, btrfs_reserved_extent_free,
+
+ TRACE_EVENT(find_free_extent,
+
+- TP_PROTO(const struct btrfs_fs_info *fs_info, u64 num_bytes,
++ TP_PROTO(const struct btrfs_root *root, u64 num_bytes,
+ u64 empty_size, u64 data),
+
+- TP_ARGS(fs_info, num_bytes, empty_size, data),
++ TP_ARGS(root, num_bytes, empty_size, data),
+
+ TP_STRUCT__entry_btrfs(
++ __field( u64, root_objectid )
+ __field( u64, num_bytes )
+ __field( u64, empty_size )
+ __field( u64, data )
+ ),
+
+- TP_fast_assign_btrfs(fs_info,
++ TP_fast_assign_btrfs(root->fs_info,
++ __entry->root_objectid = root->root_key.objectid;
+ __entry->num_bytes = num_bytes;
+ __entry->empty_size = empty_size;
+ __entry->data = data;
+ ),
+
+ TP_printk_btrfs("root=%llu(%s) len=%llu empty_size=%llu flags=%llu(%s)",
+- show_root_type(BTRFS_EXTENT_TREE_OBJECTID),
++ show_root_type(__entry->root_objectid),
+ __entry->num_bytes, __entry->empty_size, __entry->data,
+ __print_flags((unsigned long)__entry->data, "|",
+ BTRFS_GROUP_FLAGS))
+--
+2.27.0
+
--- /dev/null
+From 83e11e8e47d80c66831394f786167de7a55a54f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Dec 2019 09:39:02 +0100
+Subject: can: can_create_echo_skb(): fix echo skb generation: always use
+ skb_clone()
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+[ Upstream commit 286228d382ba6320f04fa2e7c6fc8d4d92e428f4 ]
+
+All user space generated SKBs are owned by a socket (unless injected into the
+key via AF_PACKET). If a socket is closed, all associated skbs will be cleaned
+up.
+
+This leads to a problem when a CAN driver calls can_put_echo_skb() on a
+unshared SKB. If the socket is closed prior to the TX complete handler,
+can_get_echo_skb() and the subsequent delivering of the echo SKB to all
+registered callbacks, a SKB with a refcount of 0 is delivered.
+
+To avoid the problem, in can_get_echo_skb() the original SKB is now always
+cloned, regardless of shared SKB or not. If the process exists it can now
+safely discard its SKBs, without disturbing the delivery of the echo SKB.
+
+The problem shows up in the j1939 stack, when it clones the incoming skb, which
+detects the already 0 refcount.
+
+We can easily reproduce this with following example:
+
+testj1939 -B -r can0: &
+cansend can0 1823ff40#0123
+
+WARNING: CPU: 0 PID: 293 at lib/refcount.c:25 refcount_warn_saturate+0x108/0x174
+refcount_t: addition on 0; use-after-free.
+Modules linked in: coda_vpu imx_vdoa videobuf2_vmalloc dw_hdmi_ahb_audio vcan
+CPU: 0 PID: 293 Comm: cansend Not tainted 5.5.0-rc6-00376-g9e20dcb7040d #1
+Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
+Backtrace:
+[<c010f570>] (dump_backtrace) from [<c010f90c>] (show_stack+0x20/0x24)
+[<c010f8ec>] (show_stack) from [<c0c3e1a4>] (dump_stack+0x8c/0xa0)
+[<c0c3e118>] (dump_stack) from [<c0127fec>] (__warn+0xe0/0x108)
+[<c0127f0c>] (__warn) from [<c01283c8>] (warn_slowpath_fmt+0xa8/0xcc)
+[<c0128324>] (warn_slowpath_fmt) from [<c0539c0c>] (refcount_warn_saturate+0x108/0x174)
+[<c0539b04>] (refcount_warn_saturate) from [<c0ad2cac>] (j1939_can_recv+0x20c/0x210)
+[<c0ad2aa0>] (j1939_can_recv) from [<c0ac9dc8>] (can_rcv_filter+0xb4/0x268)
+[<c0ac9d14>] (can_rcv_filter) from [<c0aca2cc>] (can_receive+0xb0/0xe4)
+[<c0aca21c>] (can_receive) from [<c0aca348>] (can_rcv+0x48/0x98)
+[<c0aca300>] (can_rcv) from [<c09b1fdc>] (__netif_receive_skb_one_core+0x64/0x88)
+[<c09b1f78>] (__netif_receive_skb_one_core) from [<c09b2070>] (__netif_receive_skb+0x38/0x94)
+[<c09b2038>] (__netif_receive_skb) from [<c09b2130>] (netif_receive_skb_internal+0x64/0xf8)
+[<c09b20cc>] (netif_receive_skb_internal) from [<c09b21f8>] (netif_receive_skb+0x34/0x19c)
+[<c09b21c4>] (netif_receive_skb) from [<c0791278>] (can_rx_offload_napi_poll+0x58/0xb4)
+
+Fixes: 0ae89beb283a ("can: add destructor for self generated skbs")
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Link: http://lore.kernel.org/r/20200124132656.22156-1-o.rempel@pengutronix.de
+Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/can/skb.h | 20 ++++++++------------
+ 1 file changed, 8 insertions(+), 12 deletions(-)
+
+diff --git a/include/linux/can/skb.h b/include/linux/can/skb.h
+index a954def26c0dd..0783b0c6d9e2f 100644
+--- a/include/linux/can/skb.h
++++ b/include/linux/can/skb.h
+@@ -61,21 +61,17 @@ static inline void can_skb_set_owner(struct sk_buff *skb, struct sock *sk)
+ */
+ static inline struct sk_buff *can_create_echo_skb(struct sk_buff *skb)
+ {
+- if (skb_shared(skb)) {
+- struct sk_buff *nskb = skb_clone(skb, GFP_ATOMIC);
++ struct sk_buff *nskb;
+
+- if (likely(nskb)) {
+- can_skb_set_owner(nskb, skb->sk);
+- consume_skb(skb);
+- return nskb;
+- } else {
+- kfree_skb(skb);
+- return NULL;
+- }
++ nskb = skb_clone(skb, GFP_ATOMIC);
++ if (unlikely(!nskb)) {
++ kfree_skb(skb);
++ return NULL;
+ }
+
+- /* we can assume to have an unshared skb with proper owner */
+- return skb;
++ can_skb_set_owner(nskb, skb->sk);
++ consume_skb(skb);
++ return nskb;
+ }
+
+ #endif /* !_CAN_SKB_H */
+--
+2.27.0
+
--- /dev/null
+From 8c26159ce080a722710d017eb64ca79484173be4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Oct 2020 08:44:43 +0200
+Subject: can: dev: __can_get_echo_skb(): fix real payload length return value
+ for RTR frames
+
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+
+[ Upstream commit ed3320cec279407a86bc4c72edc4a39eb49165ec ]
+
+The can_get_echo_skb() function returns the number of received bytes to
+be used for netdev statistics. In the case of RTR frames we get a valid
+(potential non-zero) data length value which has to be passed for further
+operations. But on the wire RTR frames have no payload length. Therefore
+the value to be used in the statistics has to be zero for RTR frames.
+
+Reported-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Link: https://lore.kernel.org/r/20201020064443.80164-1-socketcan@hartkopp.net
+Fixes: cf5046b309b3 ("can: dev: let can_get_echo_skb() return dlc of CAN frame")
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/dev.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c
+index de3c589b1ae0e..448d1548cca39 100644
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -486,9 +486,13 @@ __can_get_echo_skb(struct net_device *dev, unsigned int idx, u8 *len_ptr)
+ */
+ struct sk_buff *skb = priv->echo_skb[idx];
+ struct canfd_frame *cf = (struct canfd_frame *)skb->data;
+- u8 len = cf->len;
+
+- *len_ptr = len;
++ /* get the real payload length for netdev statistics */
++ if (cf->can_id & CAN_RTR_FLAG)
++ *len_ptr = 0;
++ else
++ *len_ptr = cf->len;
++
+ priv->echo_skb[idx] = NULL;
+
+ return skb;
+--
+2.27.0
+
--- /dev/null
+From 075eb6332098d6a8b0d01af1ae5a99487b8b71ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 3 Oct 2020 00:41:45 +0900
+Subject: can: dev: can_get_echo_skb(): prevent call to kfree_skb() in hard IRQ
+ context
+
+From: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+
+[ Upstream commit 2283f79b22684d2812e5c76fc2280aae00390365 ]
+
+If a driver calls can_get_echo_skb() during a hardware IRQ (which is often, but
+not always, the case), the 'WARN_ON(in_irq)' in
+net/core/skbuff.c#skb_release_head_state() might be triggered, under network
+congestion circumstances, together with the potential risk of a NULL pointer
+dereference.
+
+The root cause of this issue is the call to kfree_skb() instead of
+dev_kfree_skb_irq() in net/core/dev.c#enqueue_to_backlog().
+
+This patch prevents the skb to be freed within the call to netif_rx() by
+incrementing its reference count with skb_get(). The skb is finally freed by
+one of the in-irq-context safe functions: dev_consume_skb_any() or
+dev_kfree_skb_any(). The "any" version is used because some drivers might call
+can_get_echo_skb() in a normal context.
+
+The reason for this issue to occur is that initially, in the core network
+stack, loopback skb were not supposed to be received in hardware IRQ context.
+The CAN stack is an exeption.
+
+This bug was previously reported back in 2017 in [1] but the proposed patch
+never got accepted.
+
+While [1] directly modifies net/core/dev.c, we try to propose here a
+smoother modification local to CAN network stack (the assumption
+behind is that only CAN devices are affected by this issue).
+
+[1] http://lore.kernel.org/r/57a3ffb6-3309-3ad5-5a34-e93c3fe3614d@cetitec.com
+
+Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+Link: https://lore.kernel.org/r/20201002154219.4887-2-mailhol.vincent@wanadoo.fr
+Fixes: 39549eef3587 ("can: CAN Network device driver and Netlink interface")
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/dev.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c
+index 3a33fb5034005..de3c589b1ae0e 100644
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -512,7 +512,11 @@ unsigned int can_get_echo_skb(struct net_device *dev, unsigned int idx)
+ if (!skb)
+ return 0;
+
+- netif_rx(skb);
++ skb_get(skb);
++ if (netif_rx(skb) == NET_RX_SUCCESS)
++ dev_consume_skb_any(skb);
++ else
++ dev_kfree_skb_any(skb);
+
+ return len;
+ }
+--
+2.27.0
+
--- /dev/null
+From eba5c632e77d47a792a00a8fc29b2525d909148c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Oct 2020 02:45:27 +0800
+Subject: can: flexcan: flexcan_remove(): disable wakeup completely
+
+From: Joakim Zhang <qiangqing.zhang@nxp.com>
+
+[ Upstream commit ab07ff1c92fa60f29438e655a1b4abab860ed0b6 ]
+
+With below sequence, we can see wakeup default is enabled after re-load module,
+if it was enabled before, so we need disable wakeup in flexcan_remove().
+
+| # cat /sys/bus/platform/drivers/flexcan/5a8e0000.can/power/wakeup
+| disabled
+| # echo enabled > /sys/bus/platform/drivers/flexcan/5a8e0000.can/power/wakeup
+| # cat /sys/bus/platform/drivers/flexcan/5a8e0000.can/power/wakeup
+| enabled
+| # rmmod flexcan
+| # modprobe flexcan
+| # cat /sys/bus/platform/drivers/flexcan/5a8e0000.can/power/wakeup
+| enabled
+
+Fixes: de3578c198c6 ("can: flexcan: add self wakeup support")
+Fixes: 915f9666421c ("can: flexcan: add support for DT property 'wakeup-source'")
+Signed-off-by: Joakim Zhang <qiangqing.zhang@nxp.com>
+Link: https://lore.kernel.org/r/20201020184527.8190-1-qiangqing.zhang@nxp.com
+[mkl: streamlined commit message]
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/flexcan.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c
+index fbf812cf4f5da..130f3022d3396 100644
+--- a/drivers/net/can/flexcan.c
++++ b/drivers/net/can/flexcan.c
+@@ -1676,6 +1676,8 @@ static int flexcan_remove(struct platform_device *pdev)
+ {
+ struct net_device *dev = platform_get_drvdata(pdev);
+
++ device_set_wakeup_enable(&pdev->dev, false);
++ device_set_wakeup_capable(&pdev->dev, false);
+ unregister_flexcandev(dev);
+ pm_runtime_disable(&pdev->dev);
+ free_candev(dev);
+--
+2.27.0
+
--- /dev/null
+From b9ce406423461f726c3c05f2e09faf987a4bdb77 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Oct 2020 23:53:55 +0800
+Subject: can: flexcan: remove FLEXCAN_QUIRK_DISABLE_MECR quirk for LS1021A
+
+From: Joakim Zhang <qiangqing.zhang@nxp.com>
+
+[ Upstream commit 018799649071a1638c0c130526af36747df4355a ]
+
+After double check with Layerscape CAN owner (Pankaj Bansal), confirm that
+LS1021A doesn't support ECC feature, so remove FLEXCAN_QUIRK_DISABLE_MECR
+quirk.
+
+Fixes: 99b7668c04b27 ("can: flexcan: adding platform specific details for LS1021A")
+Cc: Pankaj Bansal <pankaj.bansal@nxp.com>
+Signed-off-by: Joakim Zhang <qiangqing.zhang@nxp.com>
+Link: https://lore.kernel.org/r/20201020155402.30318-4-qiangqing.zhang@nxp.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/flexcan.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c
+index d59c6c87164f4..fbf812cf4f5da 100644
+--- a/drivers/net/can/flexcan.c
++++ b/drivers/net/can/flexcan.c
+@@ -321,8 +321,7 @@ static const struct flexcan_devtype_data fsl_vf610_devtype_data = {
+
+ static const struct flexcan_devtype_data fsl_ls1021a_r2_devtype_data = {
+ .quirks = FLEXCAN_QUIRK_DISABLE_RXFG | FLEXCAN_QUIRK_ENABLE_EACEN_RRS |
+- FLEXCAN_QUIRK_DISABLE_MECR | FLEXCAN_QUIRK_BROKEN_PERR_STATE |
+- FLEXCAN_QUIRK_USE_OFF_TIMESTAMP,
++ FLEXCAN_QUIRK_BROKEN_PERR_STATE | FLEXCAN_QUIRK_USE_OFF_TIMESTAMP,
+ };
+
+ static const struct can_bittiming_const flexcan_bittiming_const = {
+--
+2.27.0
+
--- /dev/null
+From c0f3f01e29cf2a07bf7fd78c441100782c31a8be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Sep 2020 14:31:48 +0800
+Subject: can: j1939: j1939_sk_bind(): return failure if netdev is down
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit 08c487d8d807535f509ed80c6a10ad90e6872139 ]
+
+When a netdev down event occurs after a successful call to
+j1939_sk_bind(), j1939_netdev_notify() can handle it correctly.
+
+But if the netdev already in down state before calling j1939_sk_bind(),
+j1939_sk_release() will stay in wait_event_interruptible() blocked
+forever. Because in this case, j1939_netdev_notify() won't be called and
+j1939_tp_txtimer() won't call j1939_session_cancel() or other function
+to clear session for ENETDOWN error, this lead to mismatch of
+j1939_session_get/put() and jsk->skb_pending will never decrease to
+zero.
+
+To reproduce it use following commands:
+1. ip link add dev vcan0 type vcan
+2. j1939acd -r 100,80-120 1122334455667788 vcan0
+3. presses ctrl-c and thread will be blocked forever
+
+This patch adds check for ndev->flags in j1939_sk_bind() to avoid this
+kind of situation and return with -ENETDOWN.
+
+Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Link: https://lore.kernel.org/r/1599460308-18770-1-git-send-email-zhangchangzhong@huawei.com
+Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/can/j1939/socket.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/can/j1939/socket.c b/net/can/j1939/socket.c
+index bf9fd6ee88fe0..0470909605392 100644
+--- a/net/can/j1939/socket.c
++++ b/net/can/j1939/socket.c
+@@ -475,6 +475,12 @@ static int j1939_sk_bind(struct socket *sock, struct sockaddr *uaddr, int len)
+ goto out_release_sock;
+ }
+
++ if (!(ndev->flags & IFF_UP)) {
++ dev_put(ndev);
++ ret = -ENETDOWN;
++ goto out_release_sock;
++ }
++
+ priv = j1939_netdev_start(ndev);
+ dev_put(ndev);
+ if (IS_ERR(priv)) {
+--
+2.27.0
+
--- /dev/null
+From b2dd0f142b6623109f07a346632f1de8470ce607 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Oct 2020 10:37:08 +0200
+Subject: can: j1939: swap addr and pgn in the send example
+
+From: Yegor Yefremov <yegorslists@googlemail.com>
+
+[ Upstream commit ea780d39b1888ed5afc243c29b23d9bdb3828c7a ]
+
+The address was wrongly assigned to the PGN field and vice versa.
+
+Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
+Link: https://lore.kernel.org/r/20201022083708.8755-1-yegorslists@googlemail.com
+Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/networking/j1939.rst | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Documentation/networking/j1939.rst b/Documentation/networking/j1939.rst
+index f5be243d250a4..4b0db514b2010 100644
+--- a/Documentation/networking/j1939.rst
++++ b/Documentation/networking/j1939.rst
+@@ -414,8 +414,8 @@ Send:
+ .can_family = AF_CAN,
+ .can_addr.j1939 = {
+ .name = J1939_NO_NAME;
+- .pgn = 0x30,
+- .addr = 0x12300,
++ .addr = 0x30,
++ .pgn = 0x12300,
+ },
+ };
+
+--
+2.27.0
+
--- /dev/null
+From 42385733e016a884c740e7822becee60a070ed87 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Oct 2020 17:39:47 +0200
+Subject: can: peak_canfd: pucan_handle_can_rx(): fix echo management when
+ loopback is on
+
+From: Stephane Grosjean <s.grosjean@peak-system.com>
+
+[ Upstream commit 93ef65e5a6357cc7381f85fcec9283fe29970045 ]
+
+Echo management is driven by PUCAN_MSG_LOOPED_BACK bit, while loopback
+frames are identified with PUCAN_MSG_SELF_RECEIVE bit. Those bits are set
+for each outgoing frame written to the IP core so that a copy of each one
+will be placed into the rx path. Thus,
+
+- when PUCAN_MSG_LOOPED_BACK is set then the rx frame is an echo of a
+ previously sent frame,
+- when PUCAN_MSG_LOOPED_BACK+PUCAN_MSG_SELF_RECEIVE are set, then the rx
+ frame is an echo AND a loopback frame. Therefore, this frame must be
+ put into the socket rx path too.
+
+This patch fixes how CAN frames are handled when these are sent while the
+can interface is configured in "loopback on" mode.
+
+Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com>
+Link: https://lore.kernel.org/r/20201013153947.28012-1-s.grosjean@peak-system.com
+Fixes: 8ac8321e4a79 ("can: peak: add support for PEAK PCAN-PCIe FD CAN-FD boards")
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/peak_canfd/peak_canfd.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/can/peak_canfd/peak_canfd.c b/drivers/net/can/peak_canfd/peak_canfd.c
+index 6b0c6a99fc8d6..91b156b2123a3 100644
+--- a/drivers/net/can/peak_canfd/peak_canfd.c
++++ b/drivers/net/can/peak_canfd/peak_canfd.c
+@@ -248,8 +248,7 @@ static int pucan_handle_can_rx(struct peak_canfd_priv *priv,
+ cf_len = get_can_dlc(pucan_msg_get_dlc(msg));
+
+ /* if this frame is an echo, */
+- if ((rx_msg_flags & PUCAN_MSG_LOOPED_BACK) &&
+- !(rx_msg_flags & PUCAN_MSG_SELF_RECEIVE)) {
++ if (rx_msg_flags & PUCAN_MSG_LOOPED_BACK) {
+ unsigned long flags;
+
+ spin_lock_irqsave(&priv->echo_lock, flags);
+@@ -263,7 +262,13 @@ static int pucan_handle_can_rx(struct peak_canfd_priv *priv,
+ netif_wake_queue(priv->ndev);
+
+ spin_unlock_irqrestore(&priv->echo_lock, flags);
+- return 0;
++
++ /* if this frame is only an echo, stop here. Otherwise,
++ * continue to push this application self-received frame into
++ * its own rx queue.
++ */
++ if (!(rx_msg_flags & PUCAN_MSG_SELF_RECEIVE))
++ return 0;
+ }
+
+ /* otherwise, it should be pushed into rx fifo */
+--
+2.27.0
+
--- /dev/null
+From 8302d2990a1172bb218bd6a598050d831c161225 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Aug 2020 17:06:04 +0300
+Subject: can: peak_usb: add range checking in decode operations
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit a6921dd524fe31d1f460c161d3526a407533b6db ]
+
+These values come from skb->data so Smatch considers them untrusted. I
+believe Smatch is correct but I don't have a way to test this.
+
+The usb_if->dev[] array has 2 elements but the index is in the 0-15
+range without checks. The cfd->len can be up to 255 but the maximum
+valid size is CANFD_MAX_DLEN (64) so that could lead to memory
+corruption.
+
+Fixes: 0a25e1f4f185 ("can: peak_usb: add support for PEAK new CANFD USB adapters")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/20200813140604.GA456946@mwanda
+Acked-by: Stephane Grosjean <s.grosjean@peak-system.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/usb/peak_usb/pcan_usb_fd.c | 48 +++++++++++++++++-----
+ 1 file changed, 37 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
+index 47cc1ff5b88e8..dee3e689b54da 100644
+--- a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
+@@ -468,12 +468,18 @@ static int pcan_usb_fd_decode_canmsg(struct pcan_usb_fd_if *usb_if,
+ struct pucan_msg *rx_msg)
+ {
+ struct pucan_rx_msg *rm = (struct pucan_rx_msg *)rx_msg;
+- struct peak_usb_device *dev = usb_if->dev[pucan_msg_get_channel(rm)];
+- struct net_device *netdev = dev->netdev;
++ struct peak_usb_device *dev;
++ struct net_device *netdev;
+ struct canfd_frame *cfd;
+ struct sk_buff *skb;
+ const u16 rx_msg_flags = le16_to_cpu(rm->flags);
+
++ if (pucan_msg_get_channel(rm) >= ARRAY_SIZE(usb_if->dev))
++ return -ENOMEM;
++
++ dev = usb_if->dev[pucan_msg_get_channel(rm)];
++ netdev = dev->netdev;
++
+ if (rx_msg_flags & PUCAN_MSG_EXT_DATA_LEN) {
+ /* CANFD frame case */
+ skb = alloc_canfd_skb(netdev, &cfd);
+@@ -519,15 +525,21 @@ static int pcan_usb_fd_decode_status(struct pcan_usb_fd_if *usb_if,
+ struct pucan_msg *rx_msg)
+ {
+ struct pucan_status_msg *sm = (struct pucan_status_msg *)rx_msg;
+- struct peak_usb_device *dev = usb_if->dev[pucan_stmsg_get_channel(sm)];
+- struct pcan_usb_fd_device *pdev =
+- container_of(dev, struct pcan_usb_fd_device, dev);
++ struct pcan_usb_fd_device *pdev;
+ enum can_state new_state = CAN_STATE_ERROR_ACTIVE;
+ enum can_state rx_state, tx_state;
+- struct net_device *netdev = dev->netdev;
++ struct peak_usb_device *dev;
++ struct net_device *netdev;
+ struct can_frame *cf;
+ struct sk_buff *skb;
+
++ if (pucan_stmsg_get_channel(sm) >= ARRAY_SIZE(usb_if->dev))
++ return -ENOMEM;
++
++ dev = usb_if->dev[pucan_stmsg_get_channel(sm)];
++ pdev = container_of(dev, struct pcan_usb_fd_device, dev);
++ netdev = dev->netdev;
++
+ /* nothing should be sent while in BUS_OFF state */
+ if (dev->can.state == CAN_STATE_BUS_OFF)
+ return 0;
+@@ -579,9 +591,14 @@ static int pcan_usb_fd_decode_error(struct pcan_usb_fd_if *usb_if,
+ struct pucan_msg *rx_msg)
+ {
+ struct pucan_error_msg *er = (struct pucan_error_msg *)rx_msg;
+- struct peak_usb_device *dev = usb_if->dev[pucan_ermsg_get_channel(er)];
+- struct pcan_usb_fd_device *pdev =
+- container_of(dev, struct pcan_usb_fd_device, dev);
++ struct pcan_usb_fd_device *pdev;
++ struct peak_usb_device *dev;
++
++ if (pucan_ermsg_get_channel(er) >= ARRAY_SIZE(usb_if->dev))
++ return -EINVAL;
++
++ dev = usb_if->dev[pucan_ermsg_get_channel(er)];
++ pdev = container_of(dev, struct pcan_usb_fd_device, dev);
+
+ /* keep a trace of tx and rx error counters for later use */
+ pdev->bec.txerr = er->tx_err_cnt;
+@@ -595,11 +612,17 @@ static int pcan_usb_fd_decode_overrun(struct pcan_usb_fd_if *usb_if,
+ struct pucan_msg *rx_msg)
+ {
+ struct pcan_ufd_ovr_msg *ov = (struct pcan_ufd_ovr_msg *)rx_msg;
+- struct peak_usb_device *dev = usb_if->dev[pufd_omsg_get_channel(ov)];
+- struct net_device *netdev = dev->netdev;
++ struct peak_usb_device *dev;
++ struct net_device *netdev;
+ struct can_frame *cf;
+ struct sk_buff *skb;
+
++ if (pufd_omsg_get_channel(ov) >= ARRAY_SIZE(usb_if->dev))
++ return -EINVAL;
++
++ dev = usb_if->dev[pufd_omsg_get_channel(ov)];
++ netdev = dev->netdev;
++
+ /* allocate an skb to store the error frame */
+ skb = alloc_can_err_skb(netdev, &cf);
+ if (!skb)
+@@ -716,6 +739,9 @@ static int pcan_usb_fd_encode_msg(struct peak_usb_device *dev,
+ u16 tx_msg_size, tx_msg_flags;
+ u8 can_dlc;
+
++ if (cfd->len > CANFD_MAX_DLEN)
++ return -EINVAL;
++
+ tx_msg_size = ALIGN(sizeof(struct pucan_tx_msg) + cfd->len, 4);
+ tx_msg->size = cpu_to_le16(tx_msg_size);
+ tx_msg->type = cpu_to_le16(PUCAN_MSG_CAN_TX);
+--
+2.27.0
+
--- /dev/null
+From 0da98b96d8b2cf72fe72e7602749b85ff4e8d817 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Oct 2020 10:56:31 +0200
+Subject: can: peak_usb: peak_usb_get_ts_time(): fix timestamp wrapping
+
+From: Stephane Grosjean <s.grosjean@peak-system.com>
+
+[ Upstream commit ecc7b4187dd388549544195fb13a11b4ea8e6a84 ]
+
+Fabian Inostroza <fabianinostrozap@gmail.com> has discovered a potential
+problem in the hardware timestamp reporting from the PCAN-USB USB CAN interface
+(only), related to the fact that a timestamp of an event may precede the
+timestamp used for synchronization when both records are part of the same USB
+packet. However, this case was used to detect the wrapping of the time counter.
+
+This patch details and fixes the two identified cases where this problem can
+occur.
+
+Reported-by: Fabian Inostroza <fabianinostrozap@gmail.com>
+Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com>
+Link: https://lore.kernel.org/r/20201014085631.15128-1-s.grosjean@peak-system.com
+Fixes: bb4785551f64 ("can: usb: PEAK-System Technik USB adapters driver core")
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/usb/peak_usb/pcan_usb_core.c | 51 ++++++++++++++++++--
+ 1 file changed, 46 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_core.c b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
+index 0b7766b715fd2..c844c6abe5fcd 100644
+--- a/drivers/net/can/usb/peak_usb/pcan_usb_core.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
+@@ -130,14 +130,55 @@ void peak_usb_get_ts_time(struct peak_time_ref *time_ref, u32 ts, ktime_t *time)
+ /* protect from getting time before setting now */
+ if (ktime_to_ns(time_ref->tv_host)) {
+ u64 delta_us;
++ s64 delta_ts = 0;
++
++ /* General case: dev_ts_1 < dev_ts_2 < ts, with:
++ *
++ * - dev_ts_1 = previous sync timestamp
++ * - dev_ts_2 = last sync timestamp
++ * - ts = event timestamp
++ * - ts_period = known sync period (theoretical)
++ * ~ dev_ts2 - dev_ts1
++ * *but*:
++ *
++ * - time counters wrap (see adapter->ts_used_bits)
++ * - sometimes, dev_ts_1 < ts < dev_ts2
++ *
++ * "normal" case (sync time counters increase):
++ * must take into account case when ts wraps (tsw)
++ *
++ * < ts_period > < >
++ * | | |
++ * ---+--------+----+-------0-+--+-->
++ * ts_dev_1 | ts_dev_2 |
++ * ts tsw
++ */
++ if (time_ref->ts_dev_1 < time_ref->ts_dev_2) {
++ /* case when event time (tsw) wraps */
++ if (ts < time_ref->ts_dev_1)
++ delta_ts = 1 << time_ref->adapter->ts_used_bits;
++
++ /* Otherwise, sync time counter (ts_dev_2) has wrapped:
++ * handle case when event time (tsn) hasn't.
++ *
++ * < ts_period > < >
++ * | | |
++ * ---+--------+--0-+---------+--+-->
++ * ts_dev_1 | ts_dev_2 |
++ * tsn ts
++ */
++ } else if (time_ref->ts_dev_1 < ts) {
++ delta_ts = -(1 << time_ref->adapter->ts_used_bits);
++ }
+
+- delta_us = ts - time_ref->ts_dev_2;
+- if (ts < time_ref->ts_dev_2)
+- delta_us &= (1 << time_ref->adapter->ts_used_bits) - 1;
++ /* add delay between last sync and event timestamps */
++ delta_ts += (signed int)(ts - time_ref->ts_dev_2);
+
+- delta_us += time_ref->ts_total;
++ /* add time from beginning to last sync */
++ delta_ts += time_ref->ts_total;
+
+- delta_us *= time_ref->adapter->us_per_ts_scale;
++ /* convert ticks number into microseconds */
++ delta_us = delta_ts * time_ref->adapter->us_per_ts_scale;
+ delta_us >>= time_ref->adapter->us_per_ts_shift;
+
+ *time = ktime_add_us(time_ref->tv_host_0, delta_us);
+--
+2.27.0
+
--- /dev/null
+From 5acd31695b9af7125529ba547a63b187295db049 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Jun 2020 12:47:06 +0200
+Subject: can: rx-offload: don't call kfree_skb() from IRQ context
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+[ Upstream commit 2ddd6bfe7bdbb6c661835c3ff9cab8e0769940a6 ]
+
+A CAN driver, using the rx-offload infrastructure, is reading CAN frames
+(usually in IRQ context) from the hardware and placing it into the rx-offload
+queue to be delivered to the networking stack via NAPI.
+
+In case the rx-offload queue is full, trying to add more skbs results in the
+skbs being dropped using kfree_skb(). If done from hard-IRQ context this
+results in the following warning:
+
+[ 682.552693] ------------[ cut here ]------------
+[ 682.557360] WARNING: CPU: 0 PID: 3057 at net/core/skbuff.c:650 skb_release_head_state+0x74/0x84
+[ 682.566075] Modules linked in: can_raw can coda_vpu flexcan dw_hdmi_ahb_audio v4l2_jpeg imx_vdoa can_dev
+[ 682.575597] CPU: 0 PID: 3057 Comm: cansend Tainted: G W 5.7.0+ #18
+[ 682.583098] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
+[ 682.589657] [<c0112628>] (unwind_backtrace) from [<c010c1c4>] (show_stack+0x10/0x14)
+[ 682.597423] [<c010c1c4>] (show_stack) from [<c06c481c>] (dump_stack+0xe0/0x114)
+[ 682.604759] [<c06c481c>] (dump_stack) from [<c0128f10>] (__warn+0xc0/0x10c)
+[ 682.611742] [<c0128f10>] (__warn) from [<c0129314>] (warn_slowpath_fmt+0x5c/0xc0)
+[ 682.619248] [<c0129314>] (warn_slowpath_fmt) from [<c0b95dec>] (skb_release_head_state+0x74/0x84)
+[ 682.628143] [<c0b95dec>] (skb_release_head_state) from [<c0b95e08>] (skb_release_all+0xc/0x24)
+[ 682.636774] [<c0b95e08>] (skb_release_all) from [<c0b95eac>] (kfree_skb+0x74/0x1c8)
+[ 682.644479] [<c0b95eac>] (kfree_skb) from [<bf001d1c>] (can_rx_offload_queue_sorted+0xe0/0xe8 [can_dev])
+[ 682.654051] [<bf001d1c>] (can_rx_offload_queue_sorted [can_dev]) from [<bf001d6c>] (can_rx_offload_get_echo_skb+0x48/0x94 [can_dev])
+[ 682.666007] [<bf001d6c>] (can_rx_offload_get_echo_skb [can_dev]) from [<bf01efe4>] (flexcan_irq+0x194/0x5dc [flexcan])
+[ 682.676734] [<bf01efe4>] (flexcan_irq [flexcan]) from [<c019c1ec>] (__handle_irq_event_percpu+0x4c/0x3ec)
+[ 682.686322] [<c019c1ec>] (__handle_irq_event_percpu) from [<c019c5b8>] (handle_irq_event_percpu+0x2c/0x88)
+[ 682.695993] [<c019c5b8>] (handle_irq_event_percpu) from [<c019c64c>] (handle_irq_event+0x38/0x5c)
+[ 682.704887] [<c019c64c>] (handle_irq_event) from [<c01a1058>] (handle_fasteoi_irq+0xc8/0x180)
+[ 682.713432] [<c01a1058>] (handle_fasteoi_irq) from [<c019b2c0>] (generic_handle_irq+0x30/0x44)
+[ 682.722063] [<c019b2c0>] (generic_handle_irq) from [<c019b8f8>] (__handle_domain_irq+0x64/0xdc)
+[ 682.730783] [<c019b8f8>] (__handle_domain_irq) from [<c06df4a4>] (gic_handle_irq+0x48/0x9c)
+[ 682.739158] [<c06df4a4>] (gic_handle_irq) from [<c0100b30>] (__irq_svc+0x70/0x98)
+[ 682.746656] Exception stack(0xe80e9dd8 to 0xe80e9e20)
+[ 682.751725] 9dc0: 00000001 e80e8000
+[ 682.759922] 9de0: e820cf80 00000000 ffffe000 00000000 eaf08fe4 00000000 600d0013 00000000
+[ 682.768117] 9e00: c1732e3c c16093a8 e820d4c0 e80e9e28 c018a57c c018b870 600d0013 ffffffff
+[ 682.776315] [<c0100b30>] (__irq_svc) from [<c018b870>] (lock_acquire+0x108/0x4e8)
+[ 682.783821] [<c018b870>] (lock_acquire) from [<c0e938e4>] (down_write+0x48/0xa8)
+[ 682.791242] [<c0e938e4>] (down_write) from [<c02818dc>] (unlink_file_vma+0x24/0x40)
+[ 682.798922] [<c02818dc>] (unlink_file_vma) from [<c027a258>] (free_pgtables+0x34/0xb8)
+[ 682.806858] [<c027a258>] (free_pgtables) from [<c02835a4>] (exit_mmap+0xe4/0x170)
+[ 682.814361] [<c02835a4>] (exit_mmap) from [<c01248e0>] (mmput+0x5c/0x110)
+[ 682.821171] [<c01248e0>] (mmput) from [<c012e910>] (do_exit+0x374/0xbe4)
+[ 682.827892] [<c012e910>] (do_exit) from [<c0130888>] (do_group_exit+0x38/0xb4)
+[ 682.835132] [<c0130888>] (do_group_exit) from [<c0130914>] (__wake_up_parent+0x0/0x14)
+[ 682.843063] irq event stamp: 1936
+[ 682.846399] hardirqs last enabled at (1935): [<c02938b0>] rmqueue+0xf4/0xc64
+[ 682.853553] hardirqs last disabled at (1936): [<c0100b20>] __irq_svc+0x60/0x98
+[ 682.860799] softirqs last enabled at (1878): [<bf04cdcc>] raw_release+0x108/0x1f0 [can_raw]
+[ 682.869256] softirqs last disabled at (1876): [<c0b8f478>] release_sock+0x18/0x98
+[ 682.876753] ---[ end trace 7bca4751ce44c444 ]---
+
+This patch fixes the problem by replacing the kfree_skb() by
+dev_kfree_skb_any(), as rx-offload might be called from threaded IRQ handlers
+as well.
+
+Fixes: ca913f1ac024 ("can: rx-offload: can_rx_offload_queue_sorted(): fix error handling, avoid skb mem leak")
+Fixes: 6caf8a6d6586 ("can: rx-offload: can_rx_offload_queue_tail(): fix error handling, avoid skb mem leak")
+Link: http://lore.kernel.org/r/20201019190524.1285319-3-mkl@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/rx-offload.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/can/rx-offload.c b/drivers/net/can/rx-offload.c
+index 84cae167e42f6..7e75a87a8a6a9 100644
+--- a/drivers/net/can/rx-offload.c
++++ b/drivers/net/can/rx-offload.c
+@@ -272,7 +272,7 @@ int can_rx_offload_queue_sorted(struct can_rx_offload *offload,
+
+ if (skb_queue_len(&offload->skb_queue) >
+ offload->skb_queue_len_max) {
+- kfree_skb(skb);
++ dev_kfree_skb_any(skb);
+ return -ENOBUFS;
+ }
+
+@@ -317,7 +317,7 @@ int can_rx_offload_queue_tail(struct can_rx_offload *offload,
+ {
+ if (skb_queue_len(&offload->skb_queue) >
+ offload->skb_queue_len_max) {
+- kfree_skb(skb);
++ dev_kfree_skb_any(skb);
+ return -ENOBUFS;
+ }
+
+--
+2.27.0
+
--- /dev/null
+From 0ccab5e0d9b824e2df387c27a3be9178d23a19d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Jul 2020 16:04:39 +0800
+Subject: can: ti_hecc: ti_hecc_probe(): add missed clk_disable_unprepare() in
+ error path
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit e002103b36a695f7cb6048b96da73e66c86ddffb ]
+
+The driver forgets to call clk_disable_unprepare() in error path after
+a success calling for clk_prepare_enable().
+
+Fix it by adding a clk_disable_unprepare() in error path.
+
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Link: https://lore.kernel.org/r/1594973079-27743-1-git-send-email-zhangchangzhong@huawei.com
+Fixes: befa60113ce7 ("can: ti_hecc: add missing prepare and unprepare of the clock")
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/ti_hecc.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/can/ti_hecc.c b/drivers/net/can/ti_hecc.c
+index 31ad364a89bbe..d3a7631eecaf2 100644
+--- a/drivers/net/can/ti_hecc.c
++++ b/drivers/net/can/ti_hecc.c
+@@ -936,7 +936,7 @@ static int ti_hecc_probe(struct platform_device *pdev)
+ err = clk_prepare_enable(priv->clk);
+ if (err) {
+ dev_err(&pdev->dev, "clk_prepare_enable() failed\n");
+- goto probe_exit_clk;
++ goto probe_exit_release_clk;
+ }
+
+ priv->offload.mailbox_read = ti_hecc_mailbox_read;
+@@ -945,7 +945,7 @@ static int ti_hecc_probe(struct platform_device *pdev)
+ err = can_rx_offload_add_timestamp(ndev, &priv->offload);
+ if (err) {
+ dev_err(&pdev->dev, "can_rx_offload_add_timestamp() failed\n");
+- goto probe_exit_clk;
++ goto probe_exit_disable_clk;
+ }
+
+ err = register_candev(ndev);
+@@ -963,7 +963,9 @@ static int ti_hecc_probe(struct platform_device *pdev)
+
+ probe_exit_offload:
+ can_rx_offload_del(&priv->offload);
+-probe_exit_clk:
++probe_exit_disable_clk:
++ clk_disable_unprepare(priv->clk);
++probe_exit_release_clk:
+ clk_put(priv->clk);
+ probe_exit_candev:
+ free_candev(ndev);
+--
+2.27.0
+
--- /dev/null
+From b5e82439a905b750ab50899c8635836f6d42facc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Jun 2020 22:32:39 -0500
+Subject: can: xilinx_can: handle failure cases of pm_runtime_get_sync
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+[ Upstream commit 79c43333bdd5a7026a5aab606b53053b643585e7 ]
+
+Calling pm_runtime_get_sync increments the counter even in case of
+failure, causing incorrect ref count. Call pm_runtime_put if
+pm_runtime_get_sync fails.
+
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Link: https://lore.kernel.org/r/20200605033239.60664-1-navid.emamdoost@gmail.com
+Fixes: 4716620d1b62 ("can: xilinx: Convert to runtime_pm")
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/xilinx_can.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/can/xilinx_can.c b/drivers/net/can/xilinx_can.c
+index 2be846ee627d1..0de39ebb35662 100644
+--- a/drivers/net/can/xilinx_can.c
++++ b/drivers/net/can/xilinx_can.c
+@@ -1384,7 +1384,7 @@ static int xcan_open(struct net_device *ndev)
+ if (ret < 0) {
+ netdev_err(ndev, "%s: pm_runtime_get failed(%d)\n",
+ __func__, ret);
+- return ret;
++ goto err;
+ }
+
+ ret = request_irq(ndev->irq, xcan_interrupt, priv->irq_flags,
+@@ -1468,6 +1468,7 @@ static int xcan_get_berr_counter(const struct net_device *ndev,
+ if (ret < 0) {
+ netdev_err(ndev, "%s: pm_runtime_get failed(%d)\n",
+ __func__, ret);
++ pm_runtime_put(priv->dev);
+ return ret;
+ }
+
+@@ -1783,7 +1784,7 @@ static int xcan_probe(struct platform_device *pdev)
+ if (ret < 0) {
+ netdev_err(ndev, "%s: pm_runtime_get failed(%d)\n",
+ __func__, ret);
+- goto err_pmdisable;
++ goto err_disableclks;
+ }
+
+ if (priv->read_reg(priv, XCAN_SR_OFFSET) != XCAN_SR_CONFIG_MASK) {
+@@ -1818,7 +1819,6 @@ static int xcan_probe(struct platform_device *pdev)
+
+ err_disableclks:
+ pm_runtime_put(priv->dev);
+-err_pmdisable:
+ pm_runtime_disable(&pdev->dev);
+ err_free:
+ free_candev(ndev);
+--
+2.27.0
+
--- /dev/null
+From 3ab5d0d953229c59c52f8ed94bc9b1a85c5bcf6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Sep 2020 13:14:52 -0400
+Subject: dm raid: fix discard limits for raid1 and raid10
+
+From: Mike Snitzer <snitzer@redhat.com>
+
+[ Upstream commit e0910c8e4f87bb9f767e61a778b0d9271c4dc512 ]
+
+Block core warned that discard_granularity was 0 for dm-raid with
+personality of raid1. Reason is that raid_io_hints() was incorrectly
+special-casing raid1 rather than raid0.
+
+But since commit 29efc390b9462 ("md/md0: optimize raid0 discard
+handling") even raid0 properly handles large discards.
+
+Fix raid_io_hints() by removing discard limits settings for raid1.
+Also, fix limits for raid10 by properly stacking underlying limits as
+done in blk_stack_limits().
+
+Depends-on: 29efc390b9462 ("md/md0: optimize raid0 discard handling")
+Fixes: 61697a6abd24a ("dm: eliminate 'split_discard_bios' flag from DM target interface")
+Cc: stable@vger.kernel.org
+Reported-by: Zdenek Kabelac <zkabelac@redhat.com>
+Reported-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm-raid.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/md/dm-raid.c b/drivers/md/dm-raid.c
+index b0aa595e4375d..2f41e38e06475 100644
+--- a/drivers/md/dm-raid.c
++++ b/drivers/md/dm-raid.c
+@@ -3744,12 +3744,14 @@ static void raid_io_hints(struct dm_target *ti, struct queue_limits *limits)
+ blk_limits_io_opt(limits, chunk_size_bytes * mddev_data_stripes(rs));
+
+ /*
+- * RAID1 and RAID10 personalities require bio splitting,
+- * RAID0/4/5/6 don't and process large discard bios properly.
++ * RAID10 personality requires bio splitting,
++ * RAID0/1/4/5/6 don't and process large discard bios properly.
+ */
+- if (rs_is_raid1(rs) || rs_is_raid10(rs)) {
+- limits->discard_granularity = chunk_size_bytes;
+- limits->max_discard_sectors = rs->md.chunk_sectors;
++ if (rs_is_raid10(rs)) {
++ limits->discard_granularity = max(chunk_size_bytes,
++ limits->discard_granularity);
++ limits->max_discard_sectors = min_not_zero(rs->md.chunk_sectors,
++ limits->max_discard_sectors);
+ }
+ }
+
+--
+2.27.0
+
--- /dev/null
+From 842a88888277085ed518b314ab018fea6fc9213d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Oct 2020 21:38:25 +0100
+Subject: drm/i915/gem: Flush coherency domains on first set-domain-ioctl
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Chris Wilson <chris@chris-wilson.co.uk>
+
+[ Upstream commit 59dd13ad310793757e34afa489dd6fc8544fc3da ]
+
+Avoid skipping what appears to be a no-op set-domain-ioctl if the cache
+coherency state is inconsistent with our target domain. This also has
+the utility of using the population of the pages to validate the backing
+store.
+
+The danger in skipping the first set-domain is leaving the cache
+inconsistent and submitting stale data, or worse leaving the clean data
+in the cache and not flushing it to the GPU. The impact should be small
+as it requires a no-op set-domain as the very first ioctl in a
+particular sequence not found in typical userspace.
+
+Reported-by: Zbigniew KempczyÅski <zbigniew.kempczynski@intel.com>
+Fixes: 754a25442705 ("drm/i915: Skip object locking around a no-op set-domain ioctl")
+Testcase: igt/gem_mmap_offset/blt-coherency
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Cc: Matthew Auld <matthew.william.auld@gmail.com>
+Cc: Zbigniew KempczyÅski <zbigniew.kempczynski@intel.com>
+Cc: <stable@vger.kernel.org> # v5.2+
+Reviewed-by: Matthew Auld <matthew.auld@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20201019203825.10966-1-chris@chris-wilson.co.uk
+(cherry picked from commit 44c2200afcd59f441b43f27829b4003397cc495d)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gem/i915_gem_domain.c | 28 ++++++++++------------
+ 1 file changed, 13 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/gem/i915_gem_domain.c b/drivers/gpu/drm/i915/gem/i915_gem_domain.c
+index 9c58e8fac1d97..a4b48c9abeacd 100644
+--- a/drivers/gpu/drm/i915/gem/i915_gem_domain.c
++++ b/drivers/gpu/drm/i915/gem/i915_gem_domain.c
+@@ -605,21 +605,6 @@ i915_gem_set_domain_ioctl(struct drm_device *dev, void *data,
+ if (!obj)
+ return -ENOENT;
+
+- /*
+- * Already in the desired write domain? Nothing for us to do!
+- *
+- * We apply a little bit of cunning here to catch a broader set of
+- * no-ops. If obj->write_domain is set, we must be in the same
+- * obj->read_domains, and only that domain. Therefore, if that
+- * obj->write_domain matches the request read_domains, we are
+- * already in the same read/write domain and can skip the operation,
+- * without having to further check the requested write_domain.
+- */
+- if (READ_ONCE(obj->write_domain) == read_domains) {
+- err = 0;
+- goto out;
+- }
+-
+ /*
+ * Try to flush the object off the GPU without holding the lock.
+ * We will repeat the flush holding the lock in the normal manner
+@@ -657,6 +642,19 @@ i915_gem_set_domain_ioctl(struct drm_device *dev, void *data,
+ if (err)
+ goto out;
+
++ /*
++ * Already in the desired write domain? Nothing for us to do!
++ *
++ * We apply a little bit of cunning here to catch a broader set of
++ * no-ops. If obj->write_domain is set, we must be in the same
++ * obj->read_domains, and only that domain. Therefore, if that
++ * obj->write_domain matches the request read_domains, we are
++ * already in the same read/write domain and can skip the operation,
++ * without having to further check the requested write_domain.
++ */
++ if (READ_ONCE(obj->write_domain) == read_domains)
++ goto out_unpin;
++
+ err = i915_gem_object_lock_interruptible(obj);
+ if (err)
+ goto out_unpin;
+--
+2.27.0
+
--- /dev/null
+From 0032092e457da4d7161feeb9b84309b7c1829386 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Oct 2020 21:41:44 +0100
+Subject: genirq: Let GENERIC_IRQ_IPI select IRQ_DOMAIN_HIERARCHY
+
+From: Marc Zyngier <maz@kernel.org>
+
+[ Upstream commit 151a535171be6ff824a0a3875553ea38570f4c05 ]
+
+kernel/irq/ipi.c otherwise fails to compile if nothing else
+selects it.
+
+Fixes: 379b656446a3 ("genirq: Add GENERIC_IRQ_IPI Kconfig symbol")
+Reported-by: Pavel Machek <pavel@ucw.cz>
+Tested-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20201015101222.GA32747@amd
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/irq/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/irq/Kconfig b/kernel/irq/Kconfig
+index f92d9a6873720..4e11120265c74 100644
+--- a/kernel/irq/Kconfig
++++ b/kernel/irq/Kconfig
+@@ -81,6 +81,7 @@ config IRQ_FASTEOI_HIERARCHY_HANDLERS
+ # Generic IRQ IPI support
+ config GENERIC_IRQ_IPI
+ bool
++ select IRQ_DOMAIN_HIERARCHY
+
+ # Generic MSI interrupt support
+ config GENERIC_MSI_IRQ
+--
+2.27.0
+
--- /dev/null
+From bcb84dfd166196016ec4fb751d7ce9e535296803 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Oct 2020 09:12:15 +0200
+Subject: hv_balloon: disable warning when floor reached
+
+From: Olaf Hering <olaf@aepfle.de>
+
+[ Upstream commit 2c3bd2a5c86fe744e8377733c5e511a5ca1e14f5 ]
+
+It is not an error if the host requests to balloon down, but the VM
+refuses to do so. Without this change a warning is logged in dmesg
+every five minutes.
+
+Fixes: b3bb97b8a49f3 ("Drivers: hv: balloon: Add logging for dynamic memory operations")
+
+Signed-off-by: Olaf Hering <olaf@aepfle.de>
+Reviewed-by: Michael Kelley <mikelley@microsoft.com>
+Link: https://lore.kernel.org/r/20201008071216.16554-1-olaf@aepfle.de
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hv/hv_balloon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hv/hv_balloon.c b/drivers/hv/hv_balloon.c
+index 930674117533e..bd4e72f6dfd49 100644
+--- a/drivers/hv/hv_balloon.c
++++ b/drivers/hv/hv_balloon.c
+@@ -1277,7 +1277,7 @@ static void balloon_up(struct work_struct *dummy)
+
+ /* Refuse to balloon below the floor. */
+ if (avail_pages < num_pages || avail_pages - num_pages < floor) {
+- pr_warn("Balloon request will be partially fulfilled. %s\n",
++ pr_info("Balloon request will be partially fulfilled. %s\n",
+ avail_pages < num_pages ? "Not enough memory." :
+ "Balloon floor reached.");
+
+--
+2.27.0
+
--- /dev/null
+From 60c4f423ad0cbe03a285a5c0b6be04ce26e87a26 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Oct 2020 10:37:24 +0800
+Subject: iommu/vt-d: Fix a bug for PDP check in prq_event_thread
+
+From: Liu, Yi L <yi.l.liu@intel.com>
+
+[ Upstream commit 71cd8e2d16703a9df5c86a9e19f4cba99316cc53 ]
+
+In prq_event_thread(), the QI_PGRP_PDP is wrongly set by
+'req->pasid_present' which should be replaced to
+'req->priv_data_present'.
+
+Fixes: 5b438f4ba315 ("iommu/vt-d: Support page request in scalable mode")
+Signed-off-by: Liu, Yi L <yi.l.liu@intel.com>
+Signed-off-by: Yi Sun <yi.y.sun@linux.intel.com>
+Acked-by: Lu Baolu <baolu.lu@linux.intel.com>
+Link: https://lore.kernel.org/r/1604025444-6954-3-git-send-email-yi.y.sun@linux.intel.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/intel-svm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/intel-svm.c b/drivers/iommu/intel-svm.c
+index 1d3816cd65d57..ec69a99b99bab 100644
+--- a/drivers/iommu/intel-svm.c
++++ b/drivers/iommu/intel-svm.c
+@@ -646,7 +646,7 @@ static irqreturn_t prq_event_thread(int irq, void *d)
+ resp.qw0 = QI_PGRP_PASID(req->pasid) |
+ QI_PGRP_DID(req->rid) |
+ QI_PGRP_PASID_P(req->pasid_present) |
+- QI_PGRP_PDP(req->pasid_present) |
++ QI_PGRP_PDP(req->priv_data_present) |
+ QI_PGRP_RESP_CODE(result) |
+ QI_PGRP_RESP_TYPE;
+ resp.qw1 = QI_PGRP_IDX(req->prg_index) |
+--
+2.27.0
+
--- /dev/null
+From 0a9202aa2e43c69b0f2e02a3363f64010361932b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Oct 2020 16:54:07 +0530
+Subject: KVM: arm64: Force PTE mapping on fault resulting in a device mapping
+
+From: Santosh Shukla <sashukla@nvidia.com>
+
+[ Upstream commit 91a2c34b7d6fadc9c5d9433c620ea4c32ee7cae8 ]
+
+VFIO allows a device driver to resolve a fault by mapping a MMIO
+range. This can be subsequently result in user_mem_abort() to
+try and compute a huge mapping based on the MMIO pfn, which is
+a sure recipe for things to go wrong.
+
+Instead, force a PTE mapping when the pfn faulted in has a device
+mapping.
+
+Fixes: 6d674e28f642 ("KVM: arm/arm64: Properly handle faulting of device mappings")
+Suggested-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Santosh Shukla <sashukla@nvidia.com>
+[maz: rewritten commit message]
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Reviewed-by: Gavin Shan <gshan@redhat.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/1603711447-11998-2-git-send-email-sashukla@nvidia.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ virt/kvm/arm/mmu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/virt/kvm/arm/mmu.c b/virt/kvm/arm/mmu.c
+index 8700402f3000d..03a586ab6d27b 100644
+--- a/virt/kvm/arm/mmu.c
++++ b/virt/kvm/arm/mmu.c
+@@ -1756,6 +1756,7 @@ static int user_mem_abort(struct kvm_vcpu *vcpu, phys_addr_t fault_ipa,
+ if (kvm_is_device_pfn(pfn)) {
+ mem_type = PAGE_S2_DEVICE;
+ flags |= KVM_S2PTE_FLAG_IS_IOMAP;
++ force_pte = true;
+ } else if (logging_active) {
+ /*
+ * Faults on pages in a memslot with logging enabled
+--
+2.27.0
+
--- /dev/null
+From ce99de2d056efce2b5937e16173f5f10067a7980 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Oct 2020 15:24:34 +0800
+Subject: nbd: don't update block size after device is started
+
+From: Ming Lei <ming.lei@redhat.com>
+
+[ Upstream commit b40813ddcd6bf9f01d020804e4cb8febc480b9e4 ]
+
+Mounted NBD device can be resized, one use case is rbd-nbd.
+
+Fix the issue by setting up default block size, then not touch it
+in nbd_size_update() any more. This kind of usage is aligned with loop
+which has same use case too.
+
+Cc: stable@vger.kernel.org
+Fixes: c8a83a6b54d0 ("nbd: Use set_blocksize() to set device blocksize")
+Reported-by: lining <lining2020x@163.com>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Cc: Josef Bacik <josef@toxicpanda.com>
+Cc: Jan Kara <jack@suse.cz>
+Tested-by: lining <lining2020x@163.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/nbd.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
+index 742f8160b6e28..62a873718b5bb 100644
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -296,7 +296,7 @@ static void nbd_size_clear(struct nbd_device *nbd)
+ }
+ }
+
+-static void nbd_size_update(struct nbd_device *nbd)
++static void nbd_size_update(struct nbd_device *nbd, bool start)
+ {
+ struct nbd_config *config = nbd->config;
+ struct block_device *bdev = bdget_disk(nbd->disk, 0);
+@@ -312,7 +312,8 @@ static void nbd_size_update(struct nbd_device *nbd)
+ if (bdev) {
+ if (bdev->bd_disk) {
+ bd_set_size(bdev, config->bytesize);
+- set_blocksize(bdev, config->blksize);
++ if (start)
++ set_blocksize(bdev, config->blksize);
+ } else
+ bdev->bd_invalidated = 1;
+ bdput(bdev);
+@@ -327,7 +328,7 @@ static void nbd_size_set(struct nbd_device *nbd, loff_t blocksize,
+ config->blksize = blocksize;
+ config->bytesize = blocksize * nr_blocks;
+ if (nbd->task_recv != NULL)
+- nbd_size_update(nbd);
++ nbd_size_update(nbd, false);
+ }
+
+ static void nbd_complete_rq(struct request *req)
+@@ -1293,7 +1294,7 @@ static int nbd_start_device(struct nbd_device *nbd)
+ args->index = i;
+ queue_work(nbd->recv_workq, &args->work);
+ }
+- nbd_size_update(nbd);
++ nbd_size_update(nbd, true);
+ return error;
+ }
+
+--
+2.27.0
+
--- /dev/null
+From ffac45d361075df325a71fde4c1d8052f4267c7c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Oct 2020 09:05:35 +0200
+Subject: net: xfrm: fix a race condition during allocing spi
+
+From: zhuoliang zhang <zhuoliang.zhang@mediatek.com>
+
+[ Upstream commit a779d91314ca7208b7feb3ad817b62904397c56d ]
+
+we found that the following race condition exists in
+xfrm_alloc_userspi flow:
+
+user thread state_hash_work thread
+---- ----
+xfrm_alloc_userspi()
+ __find_acq_core()
+ /*alloc new xfrm_state:x*/
+ xfrm_state_alloc()
+ /*schedule state_hash_work thread*/
+ xfrm_hash_grow_check() xfrm_hash_resize()
+ xfrm_alloc_spi /*hold lock*/
+ x->id.spi = htonl(spi) spin_lock_bh(&net->xfrm.xfrm_state_lock)
+ /*waiting lock release*/ xfrm_hash_transfer()
+ spin_lock_bh(&net->xfrm.xfrm_state_lock) /*add x into hlist:net->xfrm.state_byspi*/
+ hlist_add_head_rcu(&x->byspi)
+ spin_unlock_bh(&net->xfrm.xfrm_state_lock)
+
+ /*add x into hlist:net->xfrm.state_byspi 2 times*/
+ hlist_add_head_rcu(&x->byspi)
+
+1. a new state x is alloced in xfrm_state_alloc() and added into the bydst hlist
+in __find_acq_core() on the LHS;
+2. on the RHS, state_hash_work thread travels the old bydst and tranfers every xfrm_state
+(include x) into the new bydst hlist and new byspi hlist;
+3. user thread on the LHS gets the lock and adds x into the new byspi hlist again.
+
+So the same xfrm_state (x) is added into the same list_hash
+(net->xfrm.state_byspi) 2 times that makes the list_hash become
+an inifite loop.
+
+To fix the race, x->id.spi = htonl(spi) in the xfrm_alloc_spi() is moved
+to the back of spin_lock_bh, sothat state_hash_work thread no longer add x
+which id.spi is zero into the hash_list.
+
+Fixes: f034b5d4efdf ("[XFRM]: Dynamic xfrm_state hash table sizing.")
+Signed-off-by: zhuoliang zhang <zhuoliang.zhang@mediatek.com>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_state.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
+index aaea8cb7459d8..61fd0569d3934 100644
+--- a/net/xfrm/xfrm_state.c
++++ b/net/xfrm/xfrm_state.c
+@@ -2001,6 +2001,7 @@ int xfrm_alloc_spi(struct xfrm_state *x, u32 low, u32 high)
+ int err = -ENOENT;
+ __be32 minspi = htonl(low);
+ __be32 maxspi = htonl(high);
++ __be32 newspi = 0;
+ u32 mark = x->mark.v & x->mark.m;
+
+ spin_lock_bh(&x->lock);
+@@ -2019,21 +2020,22 @@ int xfrm_alloc_spi(struct xfrm_state *x, u32 low, u32 high)
+ xfrm_state_put(x0);
+ goto unlock;
+ }
+- x->id.spi = minspi;
++ newspi = minspi;
+ } else {
+ u32 spi = 0;
+ for (h = 0; h < high-low+1; h++) {
+ spi = low + prandom_u32()%(high-low+1);
+ x0 = xfrm_state_lookup(net, mark, &x->id.daddr, htonl(spi), x->id.proto, x->props.family);
+ if (x0 == NULL) {
+- x->id.spi = htonl(spi);
++ newspi = htonl(spi);
+ break;
+ }
+ xfrm_state_put(x0);
+ }
+ }
+- if (x->id.spi) {
++ if (newspi) {
+ spin_lock_bh(&net->xfrm.xfrm_state_lock);
++ x->id.spi = newspi;
+ h = xfrm_spi_hash(net, &x->id.daddr, x->id.spi, x->id.proto, x->props.family);
+ hlist_add_head_rcu(&x->byspi, net->xfrm.state_byspi + h);
+ spin_unlock_bh(&net->xfrm.xfrm_state_lock);
+--
+2.27.0
+
--- /dev/null
+From 57a78d3d928c7e5fc23bf388dff3e33386359d5c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Oct 2020 16:39:46 +0100
+Subject: netfilter: ipset: Update byte and packet counters regardless of
+ whether they match
+
+From: Stefano Brivio <sbrivio@redhat.com>
+
+[ Upstream commit 7d10e62c2ff8e084c136c94d32d9a94de4d31248 ]
+
+In ip_set_match_extensions(), for sets with counters, we take care of
+updating counters themselves by calling ip_set_update_counter(), and of
+checking if the given comparison and values match, by calling
+ip_set_match_counter() if needed.
+
+However, if a given comparison on counters doesn't match the configured
+values, that doesn't mean the set entry itself isn't matching.
+
+This fix restores the behaviour we had before commit 4750005a85f7
+("netfilter: ipset: Fix "don't update counters" mode when counters used
+at the matching"), without reintroducing the issue fixed there: back
+then, mtype_data_match() first updated counters in any case, and then
+took care of matching on counters.
+
+Now, if the IPSET_FLAG_SKIP_COUNTER_UPDATE flag is set,
+ip_set_update_counter() will anyway skip counter updates if desired.
+
+The issue observed is illustrated by this reproducer:
+
+ ipset create c hash:ip counters
+ ipset add c 192.0.2.1
+ iptables -I INPUT -m set --match-set c src --bytes-gt 800 -j DROP
+
+if we now send packets from 192.0.2.1, bytes and packets counters
+for the entry as shown by 'ipset list' are always zero, and, no
+matter how many bytes we send, the rule will never match, because
+counters themselves are not updated.
+
+Reported-by: Mithil Mhatre <mmhatre@redhat.com>
+Fixes: 4750005a85f7 ("netfilter: ipset: Fix "don't update counters" mode when counters used at the matching")
+Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
+Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/ipset/ip_set_core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
+index 133a3f1b6f56c..3cc4daa856d6b 100644
+--- a/net/netfilter/ipset/ip_set_core.c
++++ b/net/netfilter/ipset/ip_set_core.c
+@@ -485,13 +485,14 @@ ip_set_match_extensions(struct ip_set *set, const struct ip_set_ext *ext,
+ if (SET_WITH_COUNTER(set)) {
+ struct ip_set_counter *counter = ext_counter(data, set);
+
++ ip_set_update_counter(counter, ext, flags);
++
+ if (flags & IPSET_FLAG_MATCH_COUNTERS &&
+ !(ip_set_match_counter(ip_set_get_packets(counter),
+ mext->packets, mext->packets_op) &&
+ ip_set_match_counter(ip_set_get_bytes(counter),
+ mext->bytes, mext->bytes_op)))
+ return false;
+- ip_set_update_counter(counter, ext, flags);
+ }
+ if (SET_WITH_SKBINFO(set))
+ ip_set_get_skbinfo(ext_skbinfo(data, set),
+--
+2.27.0
+
--- /dev/null
+From 7930377d1b249b4365c04a410c4ec520375ea7a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Oct 2020 13:50:03 +0100
+Subject: netfilter: nf_tables: missing validation from the abort path
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit c0391b6ab810381df632677a1dcbbbbd63d05b6d ]
+
+If userspace does not include the trailing end of batch message, then
+nfnetlink aborts the transaction. This allows to check that ruleset
+updates trigger no errors.
+
+After this patch, invoking this command from the prerouting chain:
+
+ # nft -c add rule x y fib saddr . oif type local
+
+fails since oif is not supported there.
+
+This patch fixes the lack of rule validation from the abort/check path
+to catch configuration errors such as the one above.
+
+Fixes: a654de8fdc18 ("netfilter: nf_tables: fix chain dependency validation")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/netfilter/nfnetlink.h | 9 ++++++++-
+ net/netfilter/nf_tables_api.c | 15 ++++++++++-----
+ net/netfilter/nfnetlink.c | 22 ++++++++++++++++++----
+ 3 files changed, 36 insertions(+), 10 deletions(-)
+
+diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h
+index 89016d08f6a27..f6267e2883f26 100644
+--- a/include/linux/netfilter/nfnetlink.h
++++ b/include/linux/netfilter/nfnetlink.h
+@@ -24,6 +24,12 @@ struct nfnl_callback {
+ const u_int16_t attr_count; /* number of nlattr's */
+ };
+
++enum nfnl_abort_action {
++ NFNL_ABORT_NONE = 0,
++ NFNL_ABORT_AUTOLOAD,
++ NFNL_ABORT_VALIDATE,
++};
++
+ struct nfnetlink_subsystem {
+ const char *name;
+ __u8 subsys_id; /* nfnetlink subsystem ID */
+@@ -31,7 +37,8 @@ struct nfnetlink_subsystem {
+ const struct nfnl_callback *cb; /* callback for individual types */
+ struct module *owner;
+ int (*commit)(struct net *net, struct sk_buff *skb);
+- int (*abort)(struct net *net, struct sk_buff *skb, bool autoload);
++ int (*abort)(struct net *net, struct sk_buff *skb,
++ enum nfnl_abort_action action);
+ void (*cleanup)(struct net *net);
+ bool (*valid_genid)(struct net *net, u32 genid);
+ };
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 5a77b7a177229..51391d5d22656 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -7010,11 +7010,15 @@ static void nf_tables_abort_release(struct nft_trans *trans)
+ kfree(trans);
+ }
+
+-static int __nf_tables_abort(struct net *net, bool autoload)
++static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
+ {
+ struct nft_trans *trans, *next;
+ struct nft_trans_elem *te;
+
++ if (action == NFNL_ABORT_VALIDATE &&
++ nf_tables_validate(net) < 0)
++ return -EAGAIN;
++
+ list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
+ list) {
+ switch (trans->msg_type) {
+@@ -7132,7 +7136,7 @@ static int __nf_tables_abort(struct net *net, bool autoload)
+ nf_tables_abort_release(trans);
+ }
+
+- if (autoload)
++ if (action == NFNL_ABORT_AUTOLOAD)
+ nf_tables_module_autoload(net);
+ else
+ nf_tables_module_autoload_cleanup(net);
+@@ -7145,9 +7149,10 @@ static void nf_tables_cleanup(struct net *net)
+ nft_validate_state_update(net, NFT_VALIDATE_SKIP);
+ }
+
+-static int nf_tables_abort(struct net *net, struct sk_buff *skb, bool autoload)
++static int nf_tables_abort(struct net *net, struct sk_buff *skb,
++ enum nfnl_abort_action action)
+ {
+- int ret = __nf_tables_abort(net, autoload);
++ int ret = __nf_tables_abort(net, action);
+
+ mutex_unlock(&net->nft.commit_mutex);
+
+@@ -7754,7 +7759,7 @@ static void __net_exit nf_tables_exit_net(struct net *net)
+ {
+ mutex_lock(&net->nft.commit_mutex);
+ if (!list_empty(&net->nft.commit_list))
+- __nf_tables_abort(net, false);
++ __nf_tables_abort(net, NFNL_ABORT_NONE);
+ __nft_release_tables(net);
+ mutex_unlock(&net->nft.commit_mutex);
+ WARN_ON_ONCE(!list_empty(&net->nft.tables));
+diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
+index 6d03b09096210..81c86a156c6c0 100644
+--- a/net/netfilter/nfnetlink.c
++++ b/net/netfilter/nfnetlink.c
+@@ -315,7 +315,7 @@ static void nfnetlink_rcv_batch(struct sk_buff *skb, struct nlmsghdr *nlh,
+ return netlink_ack(skb, nlh, -EINVAL, NULL);
+ replay:
+ status = 0;
+-
++replay_abort:
+ skb = netlink_skb_clone(oskb, GFP_KERNEL);
+ if (!skb)
+ return netlink_ack(oskb, nlh, -ENOMEM, NULL);
+@@ -481,7 +481,7 @@ ack:
+ }
+ done:
+ if (status & NFNL_BATCH_REPLAY) {
+- ss->abort(net, oskb, true);
++ ss->abort(net, oskb, NFNL_ABORT_AUTOLOAD);
+ nfnl_err_reset(&err_list);
+ kfree_skb(skb);
+ module_put(ss->owner);
+@@ -492,11 +492,25 @@ done:
+ status |= NFNL_BATCH_REPLAY;
+ goto done;
+ } else if (err) {
+- ss->abort(net, oskb, false);
++ ss->abort(net, oskb, NFNL_ABORT_NONE);
+ netlink_ack(oskb, nlmsg_hdr(oskb), err, NULL);
+ }
+ } else {
+- ss->abort(net, oskb, false);
++ enum nfnl_abort_action abort_action;
++
++ if (status & NFNL_BATCH_FAILURE)
++ abort_action = NFNL_ABORT_NONE;
++ else
++ abort_action = NFNL_ABORT_VALIDATE;
++
++ err = ss->abort(net, oskb, abort_action);
++ if (err == -EAGAIN) {
++ nfnl_err_reset(&err_list);
++ kfree_skb(skb);
++ module_put(ss->owner);
++ status |= NFNL_BATCH_FAILURE;
++ goto replay_abort;
++ }
+ }
+ if (ss->cleanup)
+ ss->cleanup(net);
+--
+2.27.0
+
--- /dev/null
+From 31116e2cc4380003461e8e9f6703e157b7bc79d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Oct 2020 03:56:06 +0100
+Subject: netfilter: use actual socket sk rather than skb sk when routing
+ harder
+
+From: Jason A. Donenfeld <Jason@zx2c4.com>
+
+[ Upstream commit 46d6c5ae953cc0be38efd0e469284df7c4328cf8 ]
+
+If netfilter changes the packet mark when mangling, the packet is
+rerouted using the route_me_harder set of functions. Prior to this
+commit, there's one big difference between route_me_harder and the
+ordinary initial routing functions, described in the comment above
+__ip_queue_xmit():
+
+ /* Note: skb->sk can be different from sk, in case of tunnels */
+ int __ip_queue_xmit(struct sock *sk, struct sk_buff *skb, struct flowi *fl,
+
+That function goes on to correctly make use of sk->sk_bound_dev_if,
+rather than skb->sk->sk_bound_dev_if. And indeed the comment is true: a
+tunnel will receive a packet in ndo_start_xmit with an initial skb->sk.
+It will make some transformations to that packet, and then it will send
+the encapsulated packet out of a *new* socket. That new socket will
+basically always have a different sk_bound_dev_if (otherwise there'd be
+a routing loop). So for the purposes of routing the encapsulated packet,
+the routing information as it pertains to the socket should come from
+that socket's sk, rather than the packet's original skb->sk. For that
+reason __ip_queue_xmit() and related functions all do the right thing.
+
+One might argue that all tunnels should just call skb_orphan(skb) before
+transmitting the encapsulated packet into the new socket. But tunnels do
+*not* do this -- and this is wisely avoided in skb_scrub_packet() too --
+because features like TSQ rely on skb->destructor() being called when
+that buffer space is truely available again. Calling skb_orphan(skb) too
+early would result in buffers filling up unnecessarily and accounting
+info being all wrong. Instead, additional routing must take into account
+the new sk, just as __ip_queue_xmit() notes.
+
+So, this commit addresses the problem by fishing the correct sk out of
+state->sk -- it's already set properly in the call to nf_hook() in
+__ip_local_out(), which receives the sk as part of its normal
+functionality. So we make sure to plumb state->sk through the various
+route_me_harder functions, and then make correct use of it following the
+example of __ip_queue_xmit().
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/netfilter_ipv4.h | 2 +-
+ include/linux/netfilter_ipv6.h | 10 +++++-----
+ net/ipv4/netfilter.c | 8 +++++---
+ net/ipv4/netfilter/iptable_mangle.c | 2 +-
+ net/ipv4/netfilter/nf_reject_ipv4.c | 2 +-
+ net/ipv6/netfilter.c | 6 +++---
+ net/ipv6/netfilter/ip6table_mangle.c | 2 +-
+ net/netfilter/ipvs/ip_vs_core.c | 4 ++--
+ net/netfilter/nf_nat_proto.c | 4 ++--
+ net/netfilter/nf_synproxy_core.c | 2 +-
+ net/netfilter/nft_chain_route.c | 4 ++--
+ net/netfilter/utils.c | 4 ++--
+ 12 files changed, 26 insertions(+), 24 deletions(-)
+
+diff --git a/include/linux/netfilter_ipv4.h b/include/linux/netfilter_ipv4.h
+index 082e2c41b7ff9..5b70ca868bb19 100644
+--- a/include/linux/netfilter_ipv4.h
++++ b/include/linux/netfilter_ipv4.h
+@@ -16,7 +16,7 @@ struct ip_rt_info {
+ u_int32_t mark;
+ };
+
+-int ip_route_me_harder(struct net *net, struct sk_buff *skb, unsigned addr_type);
++int ip_route_me_harder(struct net *net, struct sock *sk, struct sk_buff *skb, unsigned addr_type);
+
+ struct nf_queue_entry;
+
+diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
+index 9b67394471e1c..48314ade1506f 100644
+--- a/include/linux/netfilter_ipv6.h
++++ b/include/linux/netfilter_ipv6.h
+@@ -42,7 +42,7 @@ struct nf_ipv6_ops {
+ #if IS_MODULE(CONFIG_IPV6)
+ int (*chk_addr)(struct net *net, const struct in6_addr *addr,
+ const struct net_device *dev, int strict);
+- int (*route_me_harder)(struct net *net, struct sk_buff *skb);
++ int (*route_me_harder)(struct net *net, struct sock *sk, struct sk_buff *skb);
+ int (*dev_get_saddr)(struct net *net, const struct net_device *dev,
+ const struct in6_addr *daddr, unsigned int srcprefs,
+ struct in6_addr *saddr);
+@@ -143,9 +143,9 @@ static inline int nf_br_ip6_fragment(struct net *net, struct sock *sk,
+ #endif
+ }
+
+-int ip6_route_me_harder(struct net *net, struct sk_buff *skb);
++int ip6_route_me_harder(struct net *net, struct sock *sk, struct sk_buff *skb);
+
+-static inline int nf_ip6_route_me_harder(struct net *net, struct sk_buff *skb)
++static inline int nf_ip6_route_me_harder(struct net *net, struct sock *sk, struct sk_buff *skb)
+ {
+ #if IS_MODULE(CONFIG_IPV6)
+ const struct nf_ipv6_ops *v6_ops = nf_get_ipv6_ops();
+@@ -153,9 +153,9 @@ static inline int nf_ip6_route_me_harder(struct net *net, struct sk_buff *skb)
+ if (!v6_ops)
+ return -EHOSTUNREACH;
+
+- return v6_ops->route_me_harder(net, skb);
++ return v6_ops->route_me_harder(net, sk, skb);
+ #elif IS_BUILTIN(CONFIG_IPV6)
+- return ip6_route_me_harder(net, skb);
++ return ip6_route_me_harder(net, sk, skb);
+ #else
+ return -EHOSTUNREACH;
+ #endif
+diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
+index a058213b77a78..7c841037c5334 100644
+--- a/net/ipv4/netfilter.c
++++ b/net/ipv4/netfilter.c
+@@ -17,17 +17,19 @@
+ #include <net/netfilter/nf_queue.h>
+
+ /* route_me_harder function, used by iptable_nat, iptable_mangle + ip_queue */
+-int ip_route_me_harder(struct net *net, struct sk_buff *skb, unsigned int addr_type)
++int ip_route_me_harder(struct net *net, struct sock *sk, struct sk_buff *skb, unsigned int addr_type)
+ {
+ const struct iphdr *iph = ip_hdr(skb);
+ struct rtable *rt;
+ struct flowi4 fl4 = {};
+ __be32 saddr = iph->saddr;
+- const struct sock *sk = skb_to_full_sk(skb);
+- __u8 flags = sk ? inet_sk_flowi_flags(sk) : 0;
++ __u8 flags;
+ struct net_device *dev = skb_dst(skb)->dev;
+ unsigned int hh_len;
+
++ sk = sk_to_full_sk(sk);
++ flags = sk ? inet_sk_flowi_flags(sk) : 0;
++
+ if (addr_type == RTN_UNSPEC)
+ addr_type = inet_addr_type_dev_table(net, dev, saddr);
+ if (addr_type == RTN_LOCAL || addr_type == RTN_UNICAST)
+diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c
+index bb9266ea37858..ae45bcdd335ea 100644
+--- a/net/ipv4/netfilter/iptable_mangle.c
++++ b/net/ipv4/netfilter/iptable_mangle.c
+@@ -62,7 +62,7 @@ ipt_mangle_out(struct sk_buff *skb, const struct nf_hook_state *state)
+ iph->daddr != daddr ||
+ skb->mark != mark ||
+ iph->tos != tos) {
+- err = ip_route_me_harder(state->net, skb, RTN_UNSPEC);
++ err = ip_route_me_harder(state->net, state->sk, skb, RTN_UNSPEC);
+ if (err < 0)
+ ret = NF_DROP_ERR(err);
+ }
+diff --git a/net/ipv4/netfilter/nf_reject_ipv4.c b/net/ipv4/netfilter/nf_reject_ipv4.c
+index 2361fdac2c438..57817313a85c1 100644
+--- a/net/ipv4/netfilter/nf_reject_ipv4.c
++++ b/net/ipv4/netfilter/nf_reject_ipv4.c
+@@ -127,7 +127,7 @@ void nf_send_reset(struct net *net, struct sk_buff *oldskb, int hook)
+ ip4_dst_hoplimit(skb_dst(nskb)));
+ nf_reject_ip_tcphdr_put(nskb, oldskb, oth);
+
+- if (ip_route_me_harder(net, nskb, RTN_UNSPEC))
++ if (ip_route_me_harder(net, nskb->sk, nskb, RTN_UNSPEC))
+ goto free_nskb;
+
+ niph = ip_hdr(nskb);
+diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
+index 6d0e942d082d4..ab9a279dd6d47 100644
+--- a/net/ipv6/netfilter.c
++++ b/net/ipv6/netfilter.c
+@@ -20,10 +20,10 @@
+ #include <net/netfilter/ipv6/nf_defrag_ipv6.h>
+ #include "../bridge/br_private.h"
+
+-int ip6_route_me_harder(struct net *net, struct sk_buff *skb)
++int ip6_route_me_harder(struct net *net, struct sock *sk_partial, struct sk_buff *skb)
+ {
+ const struct ipv6hdr *iph = ipv6_hdr(skb);
+- struct sock *sk = sk_to_full_sk(skb->sk);
++ struct sock *sk = sk_to_full_sk(sk_partial);
+ unsigned int hh_len;
+ struct dst_entry *dst;
+ int strict = (ipv6_addr_type(&iph->daddr) &
+@@ -84,7 +84,7 @@ static int nf_ip6_reroute(struct sk_buff *skb,
+ if (!ipv6_addr_equal(&iph->daddr, &rt_info->daddr) ||
+ !ipv6_addr_equal(&iph->saddr, &rt_info->saddr) ||
+ skb->mark != rt_info->mark)
+- return ip6_route_me_harder(entry->state.net, skb);
++ return ip6_route_me_harder(entry->state.net, entry->state.sk, skb);
+ }
+ return 0;
+ }
+diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
+index 070afb97fa2ba..401e8dcb2c84b 100644
+--- a/net/ipv6/netfilter/ip6table_mangle.c
++++ b/net/ipv6/netfilter/ip6table_mangle.c
+@@ -57,7 +57,7 @@ ip6t_mangle_out(struct sk_buff *skb, const struct nf_hook_state *state)
+ skb->mark != mark ||
+ ipv6_hdr(skb)->hop_limit != hop_limit ||
+ flowlabel != *((u_int32_t *)ipv6_hdr(skb)))) {
+- err = ip6_route_me_harder(state->net, skb);
++ err = ip6_route_me_harder(state->net, state->sk, skb);
+ if (err < 0)
+ ret = NF_DROP_ERR(err);
+ }
+diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
+index 64a05906cc0e6..89aa1fc334b19 100644
+--- a/net/netfilter/ipvs/ip_vs_core.c
++++ b/net/netfilter/ipvs/ip_vs_core.c
+@@ -748,12 +748,12 @@ static int ip_vs_route_me_harder(struct netns_ipvs *ipvs, int af,
+ struct dst_entry *dst = skb_dst(skb);
+
+ if (dst->dev && !(dst->dev->flags & IFF_LOOPBACK) &&
+- ip6_route_me_harder(ipvs->net, skb) != 0)
++ ip6_route_me_harder(ipvs->net, skb->sk, skb) != 0)
+ return 1;
+ } else
+ #endif
+ if (!(skb_rtable(skb)->rt_flags & RTCF_LOCAL) &&
+- ip_route_me_harder(ipvs->net, skb, RTN_LOCAL) != 0)
++ ip_route_me_harder(ipvs->net, skb->sk, skb, RTN_LOCAL) != 0)
+ return 1;
+
+ return 0;
+diff --git a/net/netfilter/nf_nat_proto.c b/net/netfilter/nf_nat_proto.c
+index 59151dc07fdc1..e87b6bd6b3cdb 100644
+--- a/net/netfilter/nf_nat_proto.c
++++ b/net/netfilter/nf_nat_proto.c
+@@ -715,7 +715,7 @@ nf_nat_ipv4_local_fn(void *priv, struct sk_buff *skb,
+
+ if (ct->tuplehash[dir].tuple.dst.u3.ip !=
+ ct->tuplehash[!dir].tuple.src.u3.ip) {
+- err = ip_route_me_harder(state->net, skb, RTN_UNSPEC);
++ err = ip_route_me_harder(state->net, state->sk, skb, RTN_UNSPEC);
+ if (err < 0)
+ ret = NF_DROP_ERR(err);
+ }
+@@ -953,7 +953,7 @@ nf_nat_ipv6_local_fn(void *priv, struct sk_buff *skb,
+
+ if (!nf_inet_addr_cmp(&ct->tuplehash[dir].tuple.dst.u3,
+ &ct->tuplehash[!dir].tuple.src.u3)) {
+- err = nf_ip6_route_me_harder(state->net, skb);
++ err = nf_ip6_route_me_harder(state->net, state->sk, skb);
+ if (err < 0)
+ ret = NF_DROP_ERR(err);
+ }
+diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c
+index b9cbe1e2453e8..4bb4cfde28b47 100644
+--- a/net/netfilter/nf_synproxy_core.c
++++ b/net/netfilter/nf_synproxy_core.c
+@@ -446,7 +446,7 @@ synproxy_send_tcp(struct net *net,
+
+ skb_dst_set_noref(nskb, skb_dst(skb));
+ nskb->protocol = htons(ETH_P_IP);
+- if (ip_route_me_harder(net, nskb, RTN_UNSPEC))
++ if (ip_route_me_harder(net, nskb->sk, nskb, RTN_UNSPEC))
+ goto free_nskb;
+
+ if (nfct) {
+diff --git a/net/netfilter/nft_chain_route.c b/net/netfilter/nft_chain_route.c
+index 8826bbe71136c..edd02cda57fca 100644
+--- a/net/netfilter/nft_chain_route.c
++++ b/net/netfilter/nft_chain_route.c
+@@ -42,7 +42,7 @@ static unsigned int nf_route_table_hook4(void *priv,
+ iph->daddr != daddr ||
+ skb->mark != mark ||
+ iph->tos != tos) {
+- err = ip_route_me_harder(state->net, skb, RTN_UNSPEC);
++ err = ip_route_me_harder(state->net, state->sk, skb, RTN_UNSPEC);
+ if (err < 0)
+ ret = NF_DROP_ERR(err);
+ }
+@@ -92,7 +92,7 @@ static unsigned int nf_route_table_hook6(void *priv,
+ skb->mark != mark ||
+ ipv6_hdr(skb)->hop_limit != hop_limit ||
+ flowlabel != *((u32 *)ipv6_hdr(skb)))) {
+- err = nf_ip6_route_me_harder(state->net, skb);
++ err = nf_ip6_route_me_harder(state->net, state->sk, skb);
+ if (err < 0)
+ ret = NF_DROP_ERR(err);
+ }
+diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c
+index 51b454d8fa9c9..924195861faf7 100644
+--- a/net/netfilter/utils.c
++++ b/net/netfilter/utils.c
+@@ -191,8 +191,8 @@ static int nf_ip_reroute(struct sk_buff *skb, const struct nf_queue_entry *entry
+ skb->mark == rt_info->mark &&
+ iph->daddr == rt_info->daddr &&
+ iph->saddr == rt_info->saddr))
+- return ip_route_me_harder(entry->state.net, skb,
+- RTN_UNSPEC);
++ return ip_route_me_harder(entry->state.net, entry->state.sk,
++ skb, RTN_UNSPEC);
+ }
+ #endif
+ return 0;
+--
+2.27.0
+
--- /dev/null
+From 3dab0318bccd31f394f4a3a8561d3f062e7f6dd7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Sep 2020 14:49:54 +0200
+Subject: PCI: qcom: Make sure PCIe is reset before init for rev 2.1.0
+
+From: Ansuel Smith <ansuelsmth@gmail.com>
+
+[ Upstream commit d3d4d028afb785e52c55024d779089654f8302e7 ]
+
+Qsdk U-Boot can incorrectly leave the PCIe interface in an undefined
+state if bootm command is used instead of bootipq. This is caused by the
+not deinit of PCIe when bootm is called. Reset the PCIe before init
+anyway to fix this U-Boot bug.
+
+Link: https://lore.kernel.org/r/20200901124955.137-1-ansuelsmth@gmail.com
+Fixes: 82a823833f4e ("PCI: qcom: Add Qualcomm PCIe controller driver")
+Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Cc: stable@vger.kernel.org # v4.19+
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/dwc/pcie-qcom.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/drivers/pci/controller/dwc/pcie-qcom.c b/drivers/pci/controller/dwc/pcie-qcom.c
+index 374db5d59cf87..14196c0287a24 100644
+--- a/drivers/pci/controller/dwc/pcie-qcom.c
++++ b/drivers/pci/controller/dwc/pcie-qcom.c
+@@ -303,6 +303,9 @@ static void qcom_pcie_deinit_2_1_0(struct qcom_pcie *pcie)
+ clk_disable_unprepare(res->core_clk);
+ clk_disable_unprepare(res->aux_clk);
+ clk_disable_unprepare(res->ref_clk);
++
++ writel(1, pcie->parf + PCIE20_PARF_PHY_CTRL);
++
+ regulator_bulk_disable(ARRAY_SIZE(res->supplies), res->supplies);
+ }
+
+@@ -315,6 +318,16 @@ static int qcom_pcie_init_2_1_0(struct qcom_pcie *pcie)
+ u32 val;
+ int ret;
+
++ /* reset the PCIe interface as uboot can leave it undefined state */
++ reset_control_assert(res->pci_reset);
++ reset_control_assert(res->axi_reset);
++ reset_control_assert(res->ahb_reset);
++ reset_control_assert(res->por_reset);
++ reset_control_assert(res->ext_reset);
++ reset_control_assert(res->phy_reset);
++
++ writel(1, pcie->parf + PCIE20_PARF_PHY_CTRL);
++
+ ret = regulator_bulk_enable(ARRAY_SIZE(res->supplies), res->supplies);
+ if (ret < 0) {
+ dev_err(dev, "cannot enable regulators\n");
+--
+2.27.0
+
--- /dev/null
+From 8a5714cddb7cd14a2e44616afe62f2948e68771e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Nov 2020 00:31:03 +0100
+Subject: perf tools: Add missing swap for ino_generation
+
+From: Jiri Olsa <jolsa@kernel.org>
+
+[ Upstream commit fe01adb72356a4e2f8735e4128af85921ca98fa1 ]
+
+We are missing swap for ino_generation field.
+
+Fixes: 5c5e854bc760 ("perf tools: Add attr->mmap2 support")
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Acked-by: Namhyung Kim <namhyung@kernel.org>
+Link: https://lore.kernel.org/r/20201101233103.3537427-2-jolsa@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/session.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/perf/util/session.c b/tools/perf/util/session.c
+index 5c172845fa5ac..ff524a3fc5003 100644
+--- a/tools/perf/util/session.c
++++ b/tools/perf/util/session.c
+@@ -588,6 +588,7 @@ static void perf_event__mmap2_swap(union perf_event *event,
+ event->mmap2.maj = bswap_32(event->mmap2.maj);
+ event->mmap2.min = bswap_32(event->mmap2.min);
+ event->mmap2.ino = bswap_64(event->mmap2.ino);
++ event->mmap2.ino_generation = bswap_64(event->mmap2.ino_generation);
+
+ if (sample_id_all) {
+ void *data = &event->mmap2.filename;
+--
+2.27.0
+
--- /dev/null
+From 1eac0dd9995ad2cca4634e2e0de15821622baf5b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Oct 2020 12:43:57 +0300
+Subject: perf trace: Fix segfault when trying to trace events by cgroup
+
+From: Stanislav Ivanichkin <sivanichkin@yandex-team.ru>
+
+[ Upstream commit a6293f36ac92ab513771a98efe486477be2f981f ]
+
+ # ./perf trace -e sched:sched_switch -G test -a sleep 1
+ perf: Segmentation fault
+ Obtained 11 stack frames.
+ ./perf(sighandler_dump_stack+0x43) [0x55cfdc636db3]
+ /lib/x86_64-linux-gnu/libc.so.6(+0x3efcf) [0x7fd23eecafcf]
+ ./perf(parse_cgroups+0x36) [0x55cfdc673f36]
+ ./perf(+0x3186ed) [0x55cfdc70d6ed]
+ ./perf(parse_options_subcommand+0x629) [0x55cfdc70e999]
+ ./perf(cmd_trace+0x9c2) [0x55cfdc5ad6d2]
+ ./perf(+0x1e8ae0) [0x55cfdc5ddae0]
+ ./perf(+0x1e8ded) [0x55cfdc5ddded]
+ ./perf(main+0x370) [0x55cfdc556f00]
+ /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xe6) [0x7fd23eeadb96]
+ ./perf(_start+0x29) [0x55cfdc557389]
+ Segmentation fault
+ #
+
+ It happens because "struct trace" in option->value is passed to the
+ parse_cgroups function instead of "struct evlist".
+
+Fixes: 9ea42ba4411ac ("perf trace: Support setting cgroups as targets")
+Signed-off-by: Stanislav Ivanichkin <sivanichkin@yandex-team.ru>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Acked-by: Namhyung Kim <namhyung@kernel.org>
+Cc: Dmitry Monakhov <dmtrmonakhov@yandex-team.ru>
+Link: http://lore.kernel.org/lkml/20201027094357.94881-1-sivanichkin@yandex-team.ru
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-trace.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c
+index bb5130d021554..a5201de1a191d 100644
+--- a/tools/perf/builtin-trace.c
++++ b/tools/perf/builtin-trace.c
+@@ -3979,9 +3979,9 @@ do_concat:
+ err = 0;
+
+ if (lists[0]) {
+- struct option o = OPT_CALLBACK('e', "event", &trace->evlist, "event",
+- "event selector. use 'perf list' to list available events",
+- parse_events_option);
++ struct option o = {
++ .value = &trace->evlist,
++ };
+ err = parse_events_option(&o, lists[0], 0);
+ }
+ out:
+@@ -3995,9 +3995,12 @@ static int trace__parse_cgroups(const struct option *opt, const char *str, int u
+ {
+ struct trace *trace = opt->value;
+
+- if (!list_empty(&trace->evlist->core.entries))
+- return parse_cgroups(opt, str, unset);
+-
++ if (!list_empty(&trace->evlist->core.entries)) {
++ struct option o = {
++ .value = &trace->evlist,
++ };
++ return parse_cgroups(&o, str, unset);
++ }
+ trace->cgroup = evlist__findnew_cgroup(trace->evlist, str);
+
+ return 0;
+--
+2.27.0
+
--- /dev/null
+From cea09430544155f302f5044971eceac4f2a629a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Oct 2020 11:27:17 -0400
+Subject: powerpc/eeh_cache: Fix a possible debugfs deadlock
+
+From: Qian Cai <cai@redhat.com>
+
+[ Upstream commit fd552e0542b4532483289cce48fdbd27b692984b ]
+
+Lockdep complains that a possible deadlock below in
+eeh_addr_cache_show() because it is acquiring a lock with IRQ enabled,
+but eeh_addr_cache_insert_dev() needs to acquire the same lock with IRQ
+disabled. Let's just make eeh_addr_cache_show() acquire the lock with
+IRQ disabled as well.
+
+ CPU0 CPU1
+ ---- ----
+ lock(&pci_io_addr_cache_root.piar_lock);
+ local_irq_disable();
+ lock(&tp->lock);
+ lock(&pci_io_addr_cache_root.piar_lock);
+ <Interrupt>
+ lock(&tp->lock);
+
+ *** DEADLOCK ***
+
+ lock_acquire+0x140/0x5f0
+ _raw_spin_lock_irqsave+0x64/0xb0
+ eeh_addr_cache_insert_dev+0x48/0x390
+ eeh_probe_device+0xb8/0x1a0
+ pnv_pcibios_bus_add_device+0x3c/0x80
+ pcibios_bus_add_device+0x118/0x290
+ pci_bus_add_device+0x28/0xe0
+ pci_bus_add_devices+0x54/0xb0
+ pcibios_init+0xc4/0x124
+ do_one_initcall+0xac/0x528
+ kernel_init_freeable+0x35c/0x3fc
+ kernel_init+0x24/0x148
+ ret_from_kernel_thread+0x5c/0x80
+
+ lock_acquire+0x140/0x5f0
+ _raw_spin_lock+0x4c/0x70
+ eeh_addr_cache_show+0x38/0x110
+ seq_read+0x1a0/0x660
+ vfs_read+0xc8/0x1f0
+ ksys_read+0x74/0x130
+ system_call_exception+0xf8/0x1d0
+ system_call_common+0xe8/0x218
+
+Fixes: 5ca85ae6318d ("powerpc/eeh_cache: Add a way to dump the EEH address cache")
+Signed-off-by: Qian Cai <cai@redhat.com>
+Reviewed-by: Oliver O'Halloran <oohall@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20201028152717.8967-1-cai@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/eeh_cache.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/kernel/eeh_cache.c b/arch/powerpc/kernel/eeh_cache.c
+index cf11277ebd020..000ebb5a6fb3c 100644
+--- a/arch/powerpc/kernel/eeh_cache.c
++++ b/arch/powerpc/kernel/eeh_cache.c
+@@ -272,8 +272,9 @@ static int eeh_addr_cache_show(struct seq_file *s, void *v)
+ {
+ struct pci_io_addr_range *piar;
+ struct rb_node *n;
++ unsigned long flags;
+
+- spin_lock(&pci_io_addr_cache_root.piar_lock);
++ spin_lock_irqsave(&pci_io_addr_cache_root.piar_lock, flags);
+ for (n = rb_first(&pci_io_addr_cache_root.rb_root); n; n = rb_next(n)) {
+ piar = rb_entry(n, struct pci_io_addr_range, rb_node);
+
+@@ -281,7 +282,7 @@ static int eeh_addr_cache_show(struct seq_file *s, void *v)
+ (piar->flags & IORESOURCE_IO) ? "i/o" : "mem",
+ &piar->addr_lo, &piar->addr_hi, pci_name(piar->pcidev));
+ }
+- spin_unlock(&pci_io_addr_cache_root.piar_lock);
++ spin_unlock_irqrestore(&pci_io_addr_cache_root.piar_lock, flags);
+
+ return 0;
+ }
+--
+2.27.0
+
--- /dev/null
+drm-i915-gem-flush-coherency-domains-on-first-set-do.patch
+time-prevent-undefined-behaviour-in-timespec64_to_ns.patch
+nbd-don-t-update-block-size-after-device-is-started.patch
+kvm-arm64-force-pte-mapping-on-fault-resulting-in-a-.patch
+pci-qcom-make-sure-pcie-is-reset-before-init-for-rev.patch
+usb-dwc3-gadget-continue-to-process-pending-requests.patch
+usb-dwc3-gadget-reclaim-extra-trbs-after-request-com.patch
+dm-raid-fix-discard-limits-for-raid1-and-raid10.patch
+btrfs-tracepoints-output-proper-root-owner-for-trace.patch
+btrfs-sysfs-init-devices-outside-of-the-chunk_mutex.patch
+btrfs-reschedule-when-cloning-lots-of-extents.patch
+asoc-intel-kbl_rt5663_max98927-fix-kabylake_ssp_fixu.patch
+genirq-let-generic_irq_ipi-select-irq_domain_hierarc.patch
+hv_balloon-disable-warning-when-floor-reached.patch
+net-xfrm-fix-a-race-condition-during-allocing-spi.patch
+asoc-codecs-wcd9335-set-digital-gain-range-correctly.patch
+xfs-set-xefi_discard-when-creating-a-deferred-agfl-f.patch
+netfilter-use-actual-socket-sk-rather-than-skb-sk-wh.patch
+netfilter-nf_tables-missing-validation-from-the-abor.patch
+netfilter-ipset-update-byte-and-packet-counters-rega.patch
+powerpc-eeh_cache-fix-a-possible-debugfs-deadlock.patch
+perf-trace-fix-segfault-when-trying-to-trace-events-.patch
+perf-tools-add-missing-swap-for-ino_generation.patch
+alsa-hda-prevent-undefined-shift-in-snd_hdac_ext_bus.patch
+iommu-vt-d-fix-a-bug-for-pdp-check-in-prq_event_thre.patch
+afs-fix-warning-due-to-unadvanced-marshalling-pointe.patch
+can-rx-offload-don-t-call-kfree_skb-from-irq-context.patch
+can-dev-can_get_echo_skb-prevent-call-to-kfree_skb-i.patch
+can-dev-__can_get_echo_skb-fix-real-payload-length-r.patch
+can-can_create_echo_skb-fix-echo-skb-generation-alwa.patch
+can-j1939-swap-addr-and-pgn-in-the-send-example.patch
+can-j1939-j1939_sk_bind-return-failure-if-netdev-is-.patch
+can-ti_hecc-ti_hecc_probe-add-missed-clk_disable_unp.patch
+can-xilinx_can-handle-failure-cases-of-pm_runtime_ge.patch
+can-peak_usb-add-range-checking-in-decode-operations.patch
+can-peak_usb-peak_usb_get_ts_time-fix-timestamp-wrap.patch
+can-peak_canfd-pucan_handle_can_rx-fix-echo-manageme.patch
+can-flexcan-remove-flexcan_quirk_disable_mecr-quirk-.patch
+can-flexcan-flexcan_remove-disable-wakeup-completely.patch
+xfs-flush-new-eof-page-on-truncate-to-avoid-post-eof.patch
+xfs-fix-scrub-flagging-rtinherit-even-if-there-is-no.patch
+tpm-efi-don-t-create-binary_bios_measurements-file-f.patch
--- /dev/null
+From 1576034634512ab27c2c2fefccd454a66ef4b9c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Sep 2020 17:30:13 +0800
+Subject: time: Prevent undefined behaviour in timespec64_to_ns()
+
+From: Zeng Tao <prime.zeng@hisilicon.com>
+
+[ Upstream commit cb47755725da7b90fecbb2aa82ac3b24a7adb89b ]
+
+UBSAN reports:
+
+Undefined behaviour in ./include/linux/time64.h:127:27
+signed integer overflow:
+17179869187 * 1000000000 cannot be represented in type 'long long int'
+Call Trace:
+ timespec64_to_ns include/linux/time64.h:127 [inline]
+ set_cpu_itimer+0x65c/0x880 kernel/time/itimer.c:180
+ do_setitimer+0x8e/0x740 kernel/time/itimer.c:245
+ __x64_sys_setitimer+0x14c/0x2c0 kernel/time/itimer.c:336
+ do_syscall_64+0xa1/0x540 arch/x86/entry/common.c:295
+
+Commit bd40a175769d ("y2038: itimer: change implementation to timespec64")
+replaced the original conversion which handled time clamping correctly with
+timespec64_to_ns() which has no overflow protection.
+
+Fix it in timespec64_to_ns() as this is not necessarily limited to the
+usage in itimers.
+
+[ tglx: Added comment and adjusted the fixes tag ]
+
+Fixes: 361a3bf00582 ("time64: Add time64.h header and define struct timespec64")
+Signed-off-by: Zeng Tao <prime.zeng@hisilicon.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Arnd Bergmann <arnd@arndb.de>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/1598952616-6416-1-git-send-email-prime.zeng@hisilicon.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/time64.h | 4 ++++
+ kernel/time/itimer.c | 4 ----
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/include/linux/time64.h b/include/linux/time64.h
+index 19125489ae948..5eab3f2635186 100644
+--- a/include/linux/time64.h
++++ b/include/linux/time64.h
+@@ -132,6 +132,10 @@ static inline bool timespec64_valid_settod(const struct timespec64 *ts)
+ */
+ static inline s64 timespec64_to_ns(const struct timespec64 *ts)
+ {
++ /* Prevent multiplication overflow */
++ if ((unsigned long long)ts->tv_sec >= KTIME_SEC_MAX)
++ return KTIME_MAX;
++
+ return ((s64) ts->tv_sec * NSEC_PER_SEC) + ts->tv_nsec;
+ }
+
+diff --git a/kernel/time/itimer.c b/kernel/time/itimer.c
+index 77f1e5635cc18..62dc9757118c6 100644
+--- a/kernel/time/itimer.c
++++ b/kernel/time/itimer.c
+@@ -147,10 +147,6 @@ static void set_cpu_itimer(struct task_struct *tsk, unsigned int clock_id,
+ u64 oval, nval, ointerval, ninterval;
+ struct cpu_itimer *it = &tsk->signal->it[clock_id];
+
+- /*
+- * Use the to_ktime conversion because that clamps the maximum
+- * value to KTIME_MAX and avoid multiplication overflows.
+- */
+ nval = ktime_to_ns(timeval_to_ktime(value->it_value));
+ ninterval = ktime_to_ns(timeval_to_ktime(value->it_interval));
+
+--
+2.27.0
+
--- /dev/null
+From 6bae50f8e1cd2fd5df15329ffe40984eea2153e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Oct 2020 10:41:02 -0500
+Subject: tpm: efi: Don't create binary_bios_measurements file for an empty log
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tyler Hicks <tyhicks@linux.microsoft.com>
+
+[ Upstream commit 8ffd778aff45be760292225049e0141255d4ad6e ]
+
+Mimic the pre-existing ACPI and Device Tree event log behavior by not
+creating the binary_bios_measurements file when the EFI TPM event log is
+empty.
+
+This fixes the following NULL pointer dereference that can occur when
+reading /sys/kernel/security/tpm0/binary_bios_measurements after the
+kernel received an empty event log from the firmware:
+
+ BUG: kernel NULL pointer dereference, address: 000000000000002c
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: 0000 [#1] SMP PTI
+ CPU: 2 PID: 3932 Comm: fwupdtpmevlog Not tainted 5.9.0-00003-g629990edad62 #17
+ Hardware name: LENOVO 20LCS03L00/20LCS03L00, BIOS N27ET38W (1.24 ) 11/28/2019
+ RIP: 0010:tpm2_bios_measurements_start+0x3a/0x550
+ Code: 54 53 48 83 ec 68 48 8b 57 70 48 8b 1e 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 48 8b 82 c0 06 00 00 48 8b 8a c8 06 00 00 <44> 8b 60 1c 48 89 4d a0 4c 89 e2 49 83 c4 20 48 83 fb 00 75 2a 49
+ RSP: 0018:ffffa9c901203db0 EFLAGS: 00010246
+ RAX: 0000000000000010 RBX: 0000000000000000 RCX: 0000000000000010
+ RDX: ffff8ba1eb99c000 RSI: ffff8ba1e4ce8280 RDI: ffff8ba1e4ce8258
+ RBP: ffffa9c901203e40 R08: ffffa9c901203dd8 R09: ffff8ba1ec443300
+ R10: ffffa9c901203e50 R11: 0000000000000000 R12: ffff8ba1e4ce8280
+ R13: ffffa9c901203ef0 R14: ffffa9c901203ef0 R15: ffff8ba1e4ce8258
+ FS: 00007f6595460880(0000) GS:ffff8ba1ef880000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 000000000000002c CR3: 00000007d8d18003 CR4: 00000000003706e0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ Call Trace:
+ ? __kmalloc_node+0x113/0x320
+ ? kvmalloc_node+0x31/0x80
+ seq_read+0x94/0x420
+ vfs_read+0xa7/0x190
+ ksys_read+0xa7/0xe0
+ __x64_sys_read+0x1a/0x20
+ do_syscall_64+0x37/0x80
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+In this situation, the bios_event_log pointer in the tpm_bios_log struct
+was not NULL but was equal to the ZERO_SIZE_PTR (0x10) value. This was
+due to the following kmemdup() in tpm_read_log_efi():
+
+int tpm_read_log_efi(struct tpm_chip *chip)
+{
+...
+ /* malloc EventLog space */
+ log->bios_event_log = kmemdup(log_tbl->log, log_size, GFP_KERNEL);
+ if (!log->bios_event_log) {
+ ret = -ENOMEM;
+ goto out;
+ }
+...
+}
+
+When log_size is zero, due to an empty event log from firmware,
+ZERO_SIZE_PTR is returned from kmemdup(). Upon a read of the
+binary_bios_measurements file, the tpm2_bios_measurements_start()
+function does not perform a ZERO_OR_NULL_PTR() check on the
+bios_event_log pointer before dereferencing it.
+
+Rather than add a ZERO_OR_NULL_PTR() check in functions that make use of
+the bios_event_log pointer, simply avoid creating the
+binary_bios_measurements_file as is done in other event log retrieval
+backends.
+
+Explicitly ignore all of the events in the final event log when the main
+event log is empty. The list of events in the final event log cannot be
+accurately parsed without referring to the first event in the main event
+log (the event log header) so the final event log is useless in such a
+situation.
+
+Fixes: 58cc1e4faf10 ("tpm: parse TPM event logs based on EFI table")
+Link: https://lore.kernel.org/linux-integrity/E1FDCCCB-CA51-4AEE-AC83-9CDE995EAE52@canonical.com/
+Reported-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Reported-by: Kenneth R. Crudup <kenny@panix.com>
+Reported-by: Mimi Zohar <zohar@linux.ibm.com>
+Cc: ThiƩbaud Weksteen <tweek@google.com>
+Cc: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/tpm/eventlog/efi.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/char/tpm/eventlog/efi.c b/drivers/char/tpm/eventlog/efi.c
+index 6bb023de17f1f..35229e5143cac 100644
+--- a/drivers/char/tpm/eventlog/efi.c
++++ b/drivers/char/tpm/eventlog/efi.c
+@@ -41,6 +41,11 @@ int tpm_read_log_efi(struct tpm_chip *chip)
+ log_size = log_tbl->size;
+ memunmap(log_tbl);
+
++ if (!log_size) {
++ pr_warn("UEFI TPM log area empty\n");
++ return -EIO;
++ }
++
+ log_tbl = memremap(efi.tpm_log, sizeof(*log_tbl) + log_size,
+ MEMREMAP_WB);
+ if (!log_tbl) {
+--
+2.27.0
+
--- /dev/null
+From de92803f50c2a5a42003f6314bad570e6961b678 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 31 Mar 2020 01:40:42 -0700
+Subject: usb: dwc3: gadget: Continue to process pending requests
+
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+
+[ Upstream commit d9feef974e0d8cb6842533c92476a1b32a41ba31 ]
+
+If there are still pending requests because no TRB was available,
+prepare more when started requests are completed.
+
+Introduce dwc3_gadget_ep_should_continue() to check for incomplete and
+pending requests to resume updating new TRBs to the controller's TRB
+cache.
+
+Signed-off-by: Thinh Nguyen <thinhn@synopsys.com>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc3/gadget.c | 24 +++++++++++++++++++++---
+ 1 file changed, 21 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
+index 1d65de84464d5..b6a454211329b 100644
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -2644,10 +2644,8 @@ static int dwc3_gadget_ep_cleanup_completed_request(struct dwc3_ep *dep,
+
+ req->request.actual = req->request.length - req->remaining;
+
+- if (!dwc3_gadget_ep_request_completed(req)) {
+- __dwc3_gadget_kick_transfer(dep);
++ if (!dwc3_gadget_ep_request_completed(req))
+ goto out;
+- }
+
+ dwc3_gadget_giveback(dep, req, status);
+
+@@ -2671,6 +2669,24 @@ static void dwc3_gadget_ep_cleanup_completed_requests(struct dwc3_ep *dep,
+ }
+ }
+
++static bool dwc3_gadget_ep_should_continue(struct dwc3_ep *dep)
++{
++ struct dwc3_request *req;
++
++ if (!list_empty(&dep->pending_list))
++ return true;
++
++ /*
++ * We only need to check the first entry of the started list. We can
++ * assume the completed requests are removed from the started list.
++ */
++ req = next_request(&dep->started_list);
++ if (!req)
++ return false;
++
++ return !dwc3_gadget_ep_request_completed(req);
++}
++
+ static void dwc3_gadget_endpoint_frame_from_event(struct dwc3_ep *dep,
+ const struct dwc3_event_depevt *event)
+ {
+@@ -2700,6 +2716,8 @@ static void dwc3_gadget_endpoint_transfer_in_progress(struct dwc3_ep *dep,
+
+ if (stop)
+ dwc3_stop_active_transfer(dep, true, true);
++ else if (dwc3_gadget_ep_should_continue(dep))
++ __dwc3_gadget_kick_transfer(dep);
+
+ /*
+ * WORKAROUND: This is the 2nd half of U1/U2 -> U0 workaround.
+--
+2.27.0
+
--- /dev/null
+From 875874ddf331f4a609adacc8da0b5f028e638e2c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Sep 2020 01:21:24 -0700
+Subject: usb: dwc3: gadget: Reclaim extra TRBs after request completion
+
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+
+[ Upstream commit 690e5c2dc29f8891fcfd30da67e0d5837c2c9df5 ]
+
+An SG request may be partially completed (due to no available TRBs).
+Don't reclaim extra TRBs and clear the needs_extra_trb flag until the
+request is fully completed. Otherwise, the driver will reclaim the wrong
+TRB.
+
+Cc: stable@vger.kernel.org
+Fixes: 1f512119a08c ("usb: dwc3: gadget: add remaining sg entries to ring")
+Signed-off-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc3/gadget.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
+index b6a454211329b..9269cda4c1831 100644
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -2627,6 +2627,11 @@ static int dwc3_gadget_ep_cleanup_completed_request(struct dwc3_ep *dep,
+ ret = dwc3_gadget_ep_reclaim_trb_linear(dep, req, event,
+ status);
+
++ req->request.actual = req->request.length - req->remaining;
++
++ if (!dwc3_gadget_ep_request_completed(req))
++ goto out;
++
+ if (req->needs_extra_trb) {
+ unsigned int maxp = usb_endpoint_maxp(dep->endpoint.desc);
+
+@@ -2642,11 +2647,6 @@ static int dwc3_gadget_ep_cleanup_completed_request(struct dwc3_ep *dep,
+ req->needs_extra_trb = false;
+ }
+
+- req->request.actual = req->request.length - req->remaining;
+-
+- if (!dwc3_gadget_ep_request_completed(req))
+- goto out;
+-
+ dwc3_gadget_giveback(dep, req, status);
+
+ out:
+--
+2.27.0
+
--- /dev/null
+From 5d94d239674b9dc20dfb18e358abb101b64bc8db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Nov 2020 17:14:07 -0800
+Subject: xfs: fix scrub flagging rtinherit even if there is no rt device
+
+From: Darrick J. Wong <darrick.wong@oracle.com>
+
+[ Upstream commit c1f6b1ac00756a7108e5fcb849a2f8230c0b62a5 ]
+
+The kernel has always allowed directories to have the rtinherit flag
+set, even if there is no rt device, so this check is wrong.
+
+Fixes: 80e4e1268802 ("xfs: scrub inodes")
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/xfs/scrub/inode.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/fs/xfs/scrub/inode.c b/fs/xfs/scrub/inode.c
+index 6d483ab29e639..1bea029b634a6 100644
+--- a/fs/xfs/scrub/inode.c
++++ b/fs/xfs/scrub/inode.c
+@@ -121,8 +121,7 @@ xchk_inode_flags(
+ goto bad;
+
+ /* rt flags require rt device */
+- if ((flags & (XFS_DIFLAG_REALTIME | XFS_DIFLAG_RTINHERIT)) &&
+- !mp->m_rtdev_targp)
++ if ((flags & XFS_DIFLAG_REALTIME) && !mp->m_rtdev_targp)
+ goto bad;
+
+ /* new rt bitmap flag only valid for rbmino */
+--
+2.27.0
+
--- /dev/null
+From bca5edaa0b8e8e351369f6d093fd02b23dfae0d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Oct 2020 14:30:48 -0700
+Subject: xfs: flush new eof page on truncate to avoid post-eof corruption
+
+From: Brian Foster <bfoster@redhat.com>
+
+[ Upstream commit 869ae85dae64b5540e4362d7fe4cd520e10ec05c ]
+
+It is possible to expose non-zeroed post-EOF data in XFS if the new
+EOF page is dirty, backed by an unwritten block and the truncate
+happens to race with writeback. iomap_truncate_page() will not zero
+the post-EOF portion of the page if the underlying block is
+unwritten. The subsequent call to truncate_setsize() will, but
+doesn't dirty the page. Therefore, if writeback happens to complete
+after iomap_truncate_page() (so it still sees the unwritten block)
+but before truncate_setsize(), the cached page becomes inconsistent
+with the on-disk block. A mapped read after the associated page is
+reclaimed or invalidated exposes non-zero post-EOF data.
+
+For example, consider the following sequence when run on a kernel
+modified to explicitly flush the new EOF page within the race
+window:
+
+$ xfs_io -fc "falloc 0 4k" -c fsync /mnt/file
+$ xfs_io -c "pwrite 0 4k" -c "truncate 1k" /mnt/file
+ ...
+$ xfs_io -c "mmap 0 4k" -c "mread -v 1k 8" /mnt/file
+00000400: 00 00 00 00 00 00 00 00 ........
+$ umount /mnt/; mount <dev> /mnt/
+$ xfs_io -c "mmap 0 4k" -c "mread -v 1k 8" /mnt/file
+00000400: cd cd cd cd cd cd cd cd ........
+
+Update xfs_setattr_size() to explicitly flush the new EOF page prior
+to the page truncate to ensure iomap has the latest state of the
+underlying block.
+
+Fixes: 68a9f5e7007c ("xfs: implement iomap based buffered write path")
+Signed-off-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/xfs/xfs_iops.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c
+index fe285d123d69f..dec511823fcbc 100644
+--- a/fs/xfs/xfs_iops.c
++++ b/fs/xfs/xfs_iops.c
+@@ -885,6 +885,16 @@ xfs_setattr_size(
+ error = iomap_zero_range(inode, oldsize, newsize - oldsize,
+ &did_zeroing, &xfs_iomap_ops);
+ } else {
++ /*
++ * iomap won't detect a dirty page over an unwritten block (or a
++ * cow block over a hole) and subsequently skips zeroing the
++ * newly post-EOF portion of the page. Flush the new EOF to
++ * convert the block before the pagecache truncate.
++ */
++ error = filemap_write_and_wait_range(inode->i_mapping, newsize,
++ newsize);
++ if (error)
++ return error;
+ error = iomap_truncate_page(inode, newsize, &did_zeroing,
+ &xfs_iomap_ops);
+ }
+--
+2.27.0
+
--- /dev/null
+From 123ac6b6a79bf52de8e118b0dfc15bde12f97368 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Oct 2020 15:19:38 -0700
+Subject: xfs: set xefi_discard when creating a deferred agfl free log intent
+ item
+
+From: Darrick J. Wong <darrick.wong@oracle.com>
+
+[ Upstream commit 2c334e12f957cd8c6bb66b4aa3f79848b7c33cab ]
+
+Make sure that we actually initialize xefi_discard when we're scheduling
+a deferred free of an AGFL block. This was (eventually) found by the
+UBSAN while I was banging on realtime rmap problems, but it exists in
+the upstream codebase. While we're at it, rearrange the structure to
+reduce the struct size from 64 to 56 bytes.
+
+Fixes: fcb762f5de2e ("xfs: add bmapi nodiscard flag")
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/xfs/libxfs/xfs_alloc.c | 1 +
+ fs/xfs/libxfs/xfs_bmap.h | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/xfs/libxfs/xfs_alloc.c b/fs/xfs/libxfs/xfs_alloc.c
+index 0a36f532cf86c..436f686a98918 100644
+--- a/fs/xfs/libxfs/xfs_alloc.c
++++ b/fs/xfs/libxfs/xfs_alloc.c
+@@ -2209,6 +2209,7 @@ xfs_defer_agfl_block(
+ new->xefi_startblock = XFS_AGB_TO_FSB(mp, agno, agbno);
+ new->xefi_blockcount = 1;
+ new->xefi_oinfo = *oinfo;
++ new->xefi_skip_discard = false;
+
+ trace_xfs_agfl_free_defer(mp, agno, 0, agbno, 1);
+
+diff --git a/fs/xfs/libxfs/xfs_bmap.h b/fs/xfs/libxfs/xfs_bmap.h
+index e2798c6f3a5f3..093716a074fb7 100644
+--- a/fs/xfs/libxfs/xfs_bmap.h
++++ b/fs/xfs/libxfs/xfs_bmap.h
+@@ -52,9 +52,9 @@ struct xfs_extent_free_item
+ {
+ xfs_fsblock_t xefi_startblock;/* starting fs block number */
+ xfs_extlen_t xefi_blockcount;/* number of blocks in extent */
++ bool xefi_skip_discard;
+ struct list_head xefi_list;
+ struct xfs_owner_info xefi_oinfo; /* extent owner */
+- bool xefi_skip_discard;
+ };
+
+ #define XFS_BMAP_MAX_NMAP 4
+--
+2.27.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
