--- /dev/null
+From 3ccfb3d50b5bec53dc73a378e504e92dd598d1bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Jul 2021 09:51:34 +0100
+Subject: bpf: Fix OOB read when printing XDP link fdinfo
+
+From: Lorenz Bauer <lmb@cloudflare.com>
+
+[ Upstream commit d6371c76e20d7d3f61b05fd67b596af4d14a8886 ]
+
+We got the following UBSAN report on one of our testing machines:
+
+ ================================================================================
+ UBSAN: array-index-out-of-bounds in kernel/bpf/syscall.c:2389:24
+ index 6 is out of range for type 'char *[6]'
+ CPU: 43 PID: 930921 Comm: systemd-coredum Tainted: G O 5.10.48-cloudflare-kasan-2021.7.0 #1
+ Hardware name: <snip>
+ Call Trace:
+ dump_stack+0x7d/0xa3
+ ubsan_epilogue+0x5/0x40
+ __ubsan_handle_out_of_bounds.cold+0x43/0x48
+ ? seq_printf+0x17d/0x250
+ bpf_link_show_fdinfo+0x329/0x380
+ ? bpf_map_value_size+0xe0/0xe0
+ ? put_files_struct+0x20/0x2d0
+ ? __kasan_kmalloc.constprop.0+0xc2/0xd0
+ seq_show+0x3f7/0x540
+ seq_read_iter+0x3f8/0x1040
+ seq_read+0x329/0x500
+ ? seq_read_iter+0x1040/0x1040
+ ? __fsnotify_parent+0x80/0x820
+ ? __fsnotify_update_child_dentry_flags+0x380/0x380
+ vfs_read+0x123/0x460
+ ksys_read+0xed/0x1c0
+ ? __x64_sys_pwrite64+0x1f0/0x1f0
+ do_syscall_64+0x33/0x40
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+ <snip>
+ ================================================================================
+ ================================================================================
+ UBSAN: object-size-mismatch in kernel/bpf/syscall.c:2384:2
+
+From the report, we can infer that some array access in bpf_link_show_fdinfo at index 6
+is out of bounds. The obvious candidate is bpf_link_type_strs[BPF_LINK_TYPE_XDP] with
+BPF_LINK_TYPE_XDP == 6. It turns out that BPF_LINK_TYPE_XDP is missing from bpf_types.h
+and therefore doesn't have an entry in bpf_link_type_strs:
+
+ pos: 0
+ flags: 02000000
+ mnt_id: 13
+ link_type: (null)
+ link_id: 4
+ prog_tag: bcf7977d3b93787c
+ prog_id: 4
+ ifindex: 1
+
+Fixes: aa8d3a716b59 ("bpf, xdp: Add bpf_link-based XDP attachment API")
+Signed-off-by: Lorenz Bauer <lmb@cloudflare.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20210719085134.43325-2-lmb@cloudflare.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/bpf_types.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/linux/bpf_types.h b/include/linux/bpf_types.h
+index 2e6f568377f1..a8137bb6dd3c 100644
+--- a/include/linux/bpf_types.h
++++ b/include/linux/bpf_types.h
+@@ -133,4 +133,5 @@ BPF_LINK_TYPE(BPF_LINK_TYPE_CGROUP, cgroup)
+ BPF_LINK_TYPE(BPF_LINK_TYPE_ITER, iter)
+ #ifdef CONFIG_NET
+ BPF_LINK_TYPE(BPF_LINK_TYPE_NETNS, netns)
++BPF_LINK_TYPE(BPF_LINK_TYPE_XDP, xdp)
+ #endif
+--
+2.30.2
+
--- /dev/null
+From 9a3bc639f96b98b7787e5a495a0be61bcb046b1b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Jul 2021 17:12:46 +0300
+Subject: can: hi311x: fix a signedness bug in hi3110_cmd()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit f6b3c7848e66e9046c8a79a5b88fd03461cc252b ]
+
+The hi3110_cmd() is supposed to return zero on success and negative
+error codes on failure, but it was accidentally declared as a u8 when
+it needs to be an int type.
+
+Fixes: 57e83fb9b746 ("can: hi311x: Add Holt HI-311x CAN driver")
+Link: https://lore.kernel.org/r/20210729141246.GA1267@kili
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/spi/hi311x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/spi/hi311x.c b/drivers/net/can/spi/hi311x.c
+index 73d48c3b8ded..7d2315c8cacb 100644
+--- a/drivers/net/can/spi/hi311x.c
++++ b/drivers/net/can/spi/hi311x.c
+@@ -218,7 +218,7 @@ static int hi3110_spi_trans(struct spi_device *spi, int len)
+ return ret;
+ }
+
+-static u8 hi3110_cmd(struct spi_device *spi, u8 command)
++static int hi3110_cmd(struct spi_device *spi, u8 command)
+ {
+ struct hi3110_priv *priv = spi_get_drvdata(spi);
+
+--
+2.30.2
+
--- /dev/null
+From 3243fe42fe87da66708c71559a91641af70c1e63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jul 2021 19:44:34 -0700
+Subject: drm/msm/dp: Initialize the INTF_CONFIG register
+
+From: Bjorn Andersson <bjorn.andersson@linaro.org>
+
+[ Upstream commit f9a39932fa54b6421e751ada7a285da809146421 ]
+
+Some bootloaders set the widebus enable bit in the INTF_CONFIG register,
+but configuration of widebus isn't yet supported ensure that the
+register has a known value, with widebus disabled.
+
+Fixes: c943b4948b58 ("drm/msm/dp: add displayPort driver support")
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Reviewed-by: Stephen Boyd <swboyd@chromium.org>
+Link: https://lore.kernel.org/r/20210722024434.3313167-1-bjorn.andersson@linaro.org
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/dp/dp_catalog.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/msm/dp/dp_catalog.c b/drivers/gpu/drm/msm/dp/dp_catalog.c
+index 4963bfe6a472..aeca8b2ac5c6 100644
+--- a/drivers/gpu/drm/msm/dp/dp_catalog.c
++++ b/drivers/gpu/drm/msm/dp/dp_catalog.c
+@@ -740,6 +740,7 @@ int dp_catalog_panel_timing_cfg(struct dp_catalog *dp_catalog)
+ dp_write_link(catalog, REG_DP_HSYNC_VSYNC_WIDTH_POLARITY,
+ dp_catalog->width_blanking);
+ dp_write_link(catalog, REG_DP_ACTIVE_HOR_VER, dp_catalog->dp_active);
++ dp_write_p0(catalog, MMSS_DP_INTF_CONFIG, 0);
+ return 0;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From e135157775e8382283c8ebe8f7ece5bdcfa4d621 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Jun 2021 10:50:33 +0200
+Subject: drm/msm/dpu: Fix sm8250_mdp register length
+
+From: Robert Foss <robert.foss@linaro.org>
+
+[ Upstream commit b910a0206b59eb90ea8ff76d146f4c3156da61e9 ]
+
+The downstream dts lists this value as 0x494, and not
+0x45c.
+
+Fixes: af776a3e1c30 ("drm/msm/dpu: add SM8250 to hw catalog")
+Signed-off-by: Robert Foss <robert.foss@linaro.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@somainline.org>
+Link: https://lore.kernel.org/r/20210628085033.9905-1-robert.foss@linaro.org
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c
+index 60b304b72b7c..b39980b9db1d 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_catalog.c
+@@ -168,7 +168,7 @@ static const struct dpu_mdp_cfg sc7180_mdp[] = {
+ static const struct dpu_mdp_cfg sm8250_mdp[] = {
+ {
+ .name = "top_0", .id = MDP_TOP,
+- .base = 0x0, .len = 0x45C,
++ .base = 0x0, .len = 0x494,
+ .features = 0,
+ .highest_bank_bit = 0x3, /* TODO: 2 for LP_DDR4 */
+ .clk_ctrls[DPU_CLK_CTRL_VIG0] = {
+--
+2.30.2
+
--- /dev/null
+From f8216f0663d566cde91b3b05c654f2a6f040fe85 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 May 2021 18:41:26 +0200
+Subject: i40e: Fix firmware LLDP agent related warning
+
+From: Arkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
+
+[ Upstream commit 71d6fdba4b2d82fdd883fec31dee77fbcf59773a ]
+
+Make warning meaningful for the user.
+
+Previously the trace:
+"Starting FW LLDP agent failed: error: I40E_ERR_ADMIN_QUEUE_ERROR, I40E_AQ_RC_EAGAIN"
+was produced when user tried to start Firmware LLDP agent,
+just after it was stopped with sequence:
+ethtool --set-priv-flags <dev> disable-fw-lldp on
+ethtool --set-priv-flags <dev> disable-fw-lldp off
+(without any delay between the commands)
+At that point the firmware is still processing stop command, the behavior
+is expected.
+
+Fixes: c1041d070437 ("i40e: Missing response checks in driver when starting/stopping FW LLDP")
+Signed-off-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Arkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
+Tested-by: Imam Hassan Reza Biswas <imam.hassan.reza.biswas@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_ethtool.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
+index 874073f7f024..a952ae07d253 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
+@@ -5106,6 +5106,10 @@ flags_complete:
+ dev_warn(&pf->pdev->dev,
+ "Device configuration forbids SW from starting the LLDP agent.\n");
+ return -EINVAL;
++ case I40E_AQ_RC_EAGAIN:
++ dev_warn(&pf->pdev->dev,
++ "Stop FW LLDP agent command is still being processed, please try again in a second.\n");
++ return -EBUSY;
+ default:
+ dev_warn(&pf->pdev->dev,
+ "Starting FW LLDP agent failed: error: %s, %s\n",
+--
+2.30.2
+
--- /dev/null
+From 955a21b4fc4e6e41093568d35e97545bff481aac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jun 2021 08:49:49 +0000
+Subject: i40e: Fix log TC creation failure when max num of queues is exceeded
+
+From: Jedrzej Jagielski <jedrzej.jagielski@intel.com>
+
+[ Upstream commit ea52faae1d17cd3048681d86d2e8641f44de484d ]
+
+Fix missing failed message if driver does not have enough queues to
+complete TC command. Without this fix no message is displayed in dmesg.
+
+Fixes: a9ce82f744dc ("i40e: Enable 'channel' mode in mqprio for TC configs")
+Signed-off-by: Grzegorz Szczurek <grzegorzx.szczurek@intel.com>
+Signed-off-by: Jedrzej Jagielski <jedrzej.jagielski@intel.com>
+Tested-by: Imam Hassan Reza Biswas <imam.hassan.reza.biswas@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index b3a9dec414a5..bc648ce0743c 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -6933,6 +6933,8 @@ static int i40e_validate_mqprio_qopt(struct i40e_vsi *vsi,
+ }
+ if (vsi->num_queue_pairs <
+ (mqprio_qopt->qopt.offset[i] + mqprio_qopt->qopt.count[i])) {
++ dev_err(&vsi->back->pdev->dev,
++ "Failed to create traffic channel, insufficient number of queues.\n");
+ return -EINVAL;
+ }
+ if (sum_max_rate > i40e_get_link_speed(vsi)) {
+--
+2.30.2
+
--- /dev/null
+From 1952ef82b04313dd812cca7514047a23338077c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Apr 2021 19:49:47 +0200
+Subject: i40e: Fix logic of disabling queues
+
+From: Arkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
+
+[ Upstream commit 65662a8dcdd01342b71ee44234bcfd0162e195af ]
+
+Correct the message flow between driver and firmware when disabling
+queues.
+
+Previously in case of PF reset (due to required reinit after reconfig),
+the error like: "VSI seid 397 Tx ring 60 disable timeout" could show up
+occasionally. The error was not a real issue of hardware or firmware,
+it was caused by wrong sequence of messages invoked by the driver.
+
+Fixes: 41c445ff0f48 ("i40e: main driver core")
+Signed-off-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Arkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
+Tested-by: Tony Brelinski <tonyx.brelinski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 58 ++++++++++++---------
+ 1 file changed, 34 insertions(+), 24 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index 52e31f712a54..112a18dd13c4 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -4425,11 +4425,10 @@ int i40e_control_wait_tx_q(int seid, struct i40e_pf *pf, int pf_q,
+ }
+
+ /**
+- * i40e_vsi_control_tx - Start or stop a VSI's rings
++ * i40e_vsi_enable_tx - Start a VSI's rings
+ * @vsi: the VSI being configured
+- * @enable: start or stop the rings
+ **/
+-static int i40e_vsi_control_tx(struct i40e_vsi *vsi, bool enable)
++static int i40e_vsi_enable_tx(struct i40e_vsi *vsi)
+ {
+ struct i40e_pf *pf = vsi->back;
+ int i, pf_q, ret = 0;
+@@ -4438,7 +4437,7 @@ static int i40e_vsi_control_tx(struct i40e_vsi *vsi, bool enable)
+ for (i = 0; i < vsi->num_queue_pairs; i++, pf_q++) {
+ ret = i40e_control_wait_tx_q(vsi->seid, pf,
+ pf_q,
+- false /*is xdp*/, enable);
++ false /*is xdp*/, true);
+ if (ret)
+ break;
+
+@@ -4447,7 +4446,7 @@ static int i40e_vsi_control_tx(struct i40e_vsi *vsi, bool enable)
+
+ ret = i40e_control_wait_tx_q(vsi->seid, pf,
+ pf_q + vsi->alloc_queue_pairs,
+- true /*is xdp*/, enable);
++ true /*is xdp*/, true);
+ if (ret)
+ break;
+ }
+@@ -4545,32 +4544,25 @@ int i40e_control_wait_rx_q(struct i40e_pf *pf, int pf_q, bool enable)
+ }
+
+ /**
+- * i40e_vsi_control_rx - Start or stop a VSI's rings
++ * i40e_vsi_enable_rx - Start a VSI's rings
+ * @vsi: the VSI being configured
+- * @enable: start or stop the rings
+ **/
+-static int i40e_vsi_control_rx(struct i40e_vsi *vsi, bool enable)
++static int i40e_vsi_enable_rx(struct i40e_vsi *vsi)
+ {
+ struct i40e_pf *pf = vsi->back;
+ int i, pf_q, ret = 0;
+
+ pf_q = vsi->base_queue;
+ for (i = 0; i < vsi->num_queue_pairs; i++, pf_q++) {
+- ret = i40e_control_wait_rx_q(pf, pf_q, enable);
++ ret = i40e_control_wait_rx_q(pf, pf_q, true);
+ if (ret) {
+ dev_info(&pf->pdev->dev,
+- "VSI seid %d Rx ring %d %sable timeout\n",
+- vsi->seid, pf_q, (enable ? "en" : "dis"));
++ "VSI seid %d Rx ring %d enable timeout\n",
++ vsi->seid, pf_q);
+ break;
+ }
+ }
+
+- /* Due to HW errata, on Rx disable only, the register can indicate done
+- * before it really is. Needs 50ms to be sure
+- */
+- if (!enable)
+- mdelay(50);
+-
+ return ret;
+ }
+
+@@ -4583,29 +4575,47 @@ int i40e_vsi_start_rings(struct i40e_vsi *vsi)
+ int ret = 0;
+
+ /* do rx first for enable and last for disable */
+- ret = i40e_vsi_control_rx(vsi, true);
++ ret = i40e_vsi_enable_rx(vsi);
+ if (ret)
+ return ret;
+- ret = i40e_vsi_control_tx(vsi, true);
++ ret = i40e_vsi_enable_tx(vsi);
+
+ return ret;
+ }
+
++#define I40E_DISABLE_TX_GAP_MSEC 50
++
+ /**
+ * i40e_vsi_stop_rings - Stop a VSI's rings
+ * @vsi: the VSI being configured
+ **/
+ void i40e_vsi_stop_rings(struct i40e_vsi *vsi)
+ {
++ struct i40e_pf *pf = vsi->back;
++ int pf_q, err, q_end;
++
+ /* When port TX is suspended, don't wait */
+ if (test_bit(__I40E_PORT_SUSPENDED, vsi->back->state))
+ return i40e_vsi_stop_rings_no_wait(vsi);
+
+- /* do rx first for enable and last for disable
+- * Ignore return value, we need to shutdown whatever we can
+- */
+- i40e_vsi_control_tx(vsi, false);
+- i40e_vsi_control_rx(vsi, false);
++ q_end = vsi->base_queue + vsi->num_queue_pairs;
++ for (pf_q = vsi->base_queue; pf_q < q_end; pf_q++)
++ i40e_pre_tx_queue_cfg(&pf->hw, (u32)pf_q, false);
++
++ for (pf_q = vsi->base_queue; pf_q < q_end; pf_q++) {
++ err = i40e_control_wait_rx_q(pf, pf_q, false);
++ if (err)
++ dev_info(&pf->pdev->dev,
++ "VSI seid %d Rx ring %d dissable timeout\n",
++ vsi->seid, pf_q);
++ }
++
++ msleep(I40E_DISABLE_TX_GAP_MSEC);
++ pf_q = vsi->base_queue;
++ for (pf_q = vsi->base_queue; pf_q < q_end; pf_q++)
++ wr32(&pf->hw, I40E_QTX_ENA(pf_q), 0);
++
++ i40e_vsi_wait_queues_disabled(vsi);
+ }
+
+ /**
+--
+2.30.2
+
--- /dev/null
+From 54925b281319b53e825ddeb4c52d6cba91ed65e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jun 2021 00:47:03 +0000
+Subject: i40e: Fix queue-to-TC mapping on Tx
+
+From: Jedrzej Jagielski <jedrzej.jagielski@intel.com>
+
+[ Upstream commit 89ec1f0886c127c7e41ac61a6b6d539f4fb2510b ]
+
+In SW DCB mode the packets sent receive incorrect UP tags. They are
+constructed correctly and put into tx_ring, but UP is later remapped by
+HW on the basis of TCTUPR register contents according to Tx queue
+selected, and BW used is consistent with the new UP values. This is
+caused by Tx queue selection in kernel not taking into account DCB
+configuration. This patch fixes the issue by implementing the
+ndo_select_queue NDO callback.
+
+Fixes: fd0a05ce74ef ("i40e: transmit, receive, and NAPI")
+Signed-off-by: Arkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
+Signed-off-by: Jedrzej Jagielski <jedrzej.jagielski@intel.com>
+Tested-by: Imam Hassan Reza Biswas <imam.hassan.reza.biswas@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 1 +
+ drivers/net/ethernet/intel/i40e/i40e_txrx.c | 50 +++++++++++++++++++++
+ drivers/net/ethernet/intel/i40e/i40e_txrx.h | 2 +
+ 3 files changed, 53 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index 112a18dd13c4..b3a9dec414a5 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -12809,6 +12809,7 @@ static const struct net_device_ops i40e_netdev_ops = {
+ .ndo_poll_controller = i40e_netpoll,
+ #endif
+ .ndo_setup_tc = __i40e_setup_tc,
++ .ndo_select_queue = i40e_lan_select_queue,
+ .ndo_set_features = i40e_set_features,
+ .ndo_set_vf_mac = i40e_ndo_set_vf_mac,
+ .ndo_set_vf_vlan = i40e_ndo_set_vf_port_vlan,
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.c b/drivers/net/ethernet/intel/i40e/i40e_txrx.c
+index c40ac82db863..615802b07521 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.c
+@@ -3524,6 +3524,56 @@ dma_error:
+ return -1;
+ }
+
++static u16 i40e_swdcb_skb_tx_hash(struct net_device *dev,
++ const struct sk_buff *skb,
++ u16 num_tx_queues)
++{
++ u32 jhash_initval_salt = 0xd631614b;
++ u32 hash;
++
++ if (skb->sk && skb->sk->sk_hash)
++ hash = skb->sk->sk_hash;
++ else
++ hash = (__force u16)skb->protocol ^ skb->hash;
++
++ hash = jhash_1word(hash, jhash_initval_salt);
++
++ return (u16)(((u64)hash * num_tx_queues) >> 32);
++}
++
++u16 i40e_lan_select_queue(struct net_device *netdev,
++ struct sk_buff *skb,
++ struct net_device __always_unused *sb_dev)
++{
++ struct i40e_netdev_priv *np = netdev_priv(netdev);
++ struct i40e_vsi *vsi = np->vsi;
++ struct i40e_hw *hw;
++ u16 qoffset;
++ u16 qcount;
++ u8 tclass;
++ u16 hash;
++ u8 prio;
++
++ /* is DCB enabled at all? */
++ if (vsi->tc_config.numtc == 1)
++ return i40e_swdcb_skb_tx_hash(netdev, skb,
++ netdev->real_num_tx_queues);
++
++ prio = skb->priority;
++ hw = &vsi->back->hw;
++ tclass = hw->local_dcbx_config.etscfg.prioritytable[prio];
++ /* sanity check */
++ if (unlikely(!(vsi->tc_config.enabled_tc & BIT(tclass))))
++ tclass = 0;
++
++ /* select a queue assigned for the given TC */
++ qcount = vsi->tc_config.tc_info[tclass].qcount;
++ hash = i40e_swdcb_skb_tx_hash(netdev, skb, qcount);
++
++ qoffset = vsi->tc_config.tc_info[tclass].qoffset;
++ return qoffset + hash;
++}
++
+ /**
+ * i40e_xmit_xdp_ring - transmits an XDP buffer to an XDP Tx ring
+ * @xdpf: data to transmit
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.h b/drivers/net/ethernet/intel/i40e/i40e_txrx.h
+index 2feed920ef8a..93ac201f68b8 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.h
++++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.h
+@@ -449,6 +449,8 @@ static inline unsigned int i40e_rx_pg_order(struct i40e_ring *ring)
+
+ bool i40e_alloc_rx_buffers(struct i40e_ring *rxr, u16 cleaned_count);
+ netdev_tx_t i40e_lan_xmit_frame(struct sk_buff *skb, struct net_device *netdev);
++u16 i40e_lan_select_queue(struct net_device *netdev, struct sk_buff *skb,
++ struct net_device *sb_dev);
+ void i40e_clean_tx_ring(struct i40e_ring *tx_ring);
+ void i40e_clean_rx_ring(struct i40e_ring *rx_ring);
+ int i40e_setup_tx_descriptors(struct i40e_ring *tx_ring);
+--
+2.30.2
+
--- /dev/null
+From 0e304fceb36b8b5d61e86428b98d0c0796ad0680 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Jul 2021 11:02:49 -0700
+Subject: ionic: count csum_none when offload enabled
+
+From: Shannon Nelson <snelson@pensando.io>
+
+[ Upstream commit f07f9815b7046e25cc32bf8542c9c0bbc5eb6e0e ]
+
+Be sure to count the csum_none cases when csum offload is
+enabled.
+
+Fixes: 0f3154e6bcb3 ("ionic: Add Tx and Rx handling")
+Signed-off-by: Shannon Nelson <snelson@pensando.io>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/pensando/ionic/ionic_txrx.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/pensando/ionic/ionic_txrx.c b/drivers/net/ethernet/pensando/ionic/ionic_txrx.c
+index 52213fee054d..46dbb49f837c 100644
+--- a/drivers/net/ethernet/pensando/ionic/ionic_txrx.c
++++ b/drivers/net/ethernet/pensando/ionic/ionic_txrx.c
+@@ -197,12 +197,11 @@ static void ionic_rx_clean(struct ionic_queue *q,
+ }
+ }
+
+- if (likely(netdev->features & NETIF_F_RXCSUM)) {
+- if (comp->csum_flags & IONIC_RXQ_COMP_CSUM_F_CALC) {
+- skb->ip_summed = CHECKSUM_COMPLETE;
+- skb->csum = (__force __wsum)le16_to_cpu(comp->csum);
+- stats->csum_complete++;
+- }
++ if (likely(netdev->features & NETIF_F_RXCSUM) &&
++ (comp->csum_flags & IONIC_RXQ_COMP_CSUM_F_CALC)) {
++ skb->ip_summed = CHECKSUM_COMPLETE;
++ skb->csum = (__force __wsum)le16_to_cpu(comp->csum);
++ stats->csum_complete++;
+ } else {
+ stats->csum_none++;
+ }
+--
+2.30.2
+
--- /dev/null
+From 2accb06fc228cc427be58f69bb49b9f6b5a8eb5f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Jul 2021 11:02:48 -0700
+Subject: ionic: fix up dim accounting for tx and rx
+
+From: Shannon Nelson <snelson@pensando.io>
+
+[ Upstream commit 76ed8a4a00b484dcccef819ef2618bcf8e46f560 ]
+
+We need to count the correct Tx and/or Rx packets for dynamic
+interrupt moderation, depending on which we're processing on
+the queue interrupt.
+
+Fixes: 04a834592bf5 ("ionic: dynamic interrupt moderation")
+Signed-off-by: Shannon Nelson <snelson@pensando.io>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/pensando/ionic/ionic_txrx.c | 28 ++++++++++++++-----
+ 1 file changed, 21 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/ethernet/pensando/ionic/ionic_txrx.c b/drivers/net/ethernet/pensando/ionic/ionic_txrx.c
+index ec064327c998..52213fee054d 100644
+--- a/drivers/net/ethernet/pensando/ionic/ionic_txrx.c
++++ b/drivers/net/ethernet/pensando/ionic/ionic_txrx.c
+@@ -417,11 +417,12 @@ void ionic_rx_empty(struct ionic_queue *q)
+ }
+ }
+
+-static void ionic_dim_update(struct ionic_qcq *qcq)
++static void ionic_dim_update(struct ionic_qcq *qcq, int napi_mode)
+ {
+ struct dim_sample dim_sample;
+ struct ionic_lif *lif;
+ unsigned int qi;
++ u64 pkts, bytes;
+
+ if (!qcq->intr.dim_coal_hw)
+ return;
+@@ -429,10 +430,23 @@ static void ionic_dim_update(struct ionic_qcq *qcq)
+ lif = qcq->q.lif;
+ qi = qcq->cq.bound_q->index;
+
++ switch (napi_mode) {
++ case IONIC_LIF_F_TX_DIM_INTR:
++ pkts = lif->txqstats[qi].pkts;
++ bytes = lif->txqstats[qi].bytes;
++ break;
++ case IONIC_LIF_F_RX_DIM_INTR:
++ pkts = lif->rxqstats[qi].pkts;
++ bytes = lif->rxqstats[qi].bytes;
++ break;
++ default:
++ pkts = lif->txqstats[qi].pkts + lif->rxqstats[qi].pkts;
++ bytes = lif->txqstats[qi].bytes + lif->rxqstats[qi].bytes;
++ break;
++ }
++
+ dim_update_sample(qcq->cq.bound_intr->rearm_count,
+- lif->txqstats[qi].pkts,
+- lif->txqstats[qi].bytes,
+- &dim_sample);
++ pkts, bytes, &dim_sample);
+
+ net_dim(&qcq->dim, dim_sample);
+ }
+@@ -453,7 +467,7 @@ int ionic_tx_napi(struct napi_struct *napi, int budget)
+ ionic_tx_service, NULL, NULL);
+
+ if (work_done < budget && napi_complete_done(napi, work_done)) {
+- ionic_dim_update(qcq);
++ ionic_dim_update(qcq, IONIC_LIF_F_TX_DIM_INTR);
+ flags |= IONIC_INTR_CRED_UNMASK;
+ cq->bound_intr->rearm_count++;
+ }
+@@ -489,7 +503,7 @@ int ionic_rx_napi(struct napi_struct *napi, int budget)
+ ionic_rx_fill(cq->bound_q);
+
+ if (work_done < budget && napi_complete_done(napi, work_done)) {
+- ionic_dim_update(qcq);
++ ionic_dim_update(qcq, IONIC_LIF_F_RX_DIM_INTR);
+ flags |= IONIC_INTR_CRED_UNMASK;
+ cq->bound_intr->rearm_count++;
+ }
+@@ -531,7 +545,7 @@ int ionic_txrx_napi(struct napi_struct *napi, int budget)
+ ionic_rx_fill_cb(rxcq->bound_q);
+
+ if (rx_work_done < budget && napi_complete_done(napi, rx_work_done)) {
+- ionic_dim_update(qcq);
++ ionic_dim_update(qcq, 0);
+ flags |= IONIC_INTR_CRED_UNMASK;
+ rxcq->bound_intr->rearm_count++;
+ }
+--
+2.30.2
+
--- /dev/null
+From ca9cc8937b7ff02d5cabf48df05f9a8f687d0b76 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Jul 2021 11:02:47 -0700
+Subject: ionic: remove intr coalesce update from napi
+
+From: Shannon Nelson <snelson@pensando.io>
+
+[ Upstream commit a6ff85e0a2d9d074a4b4c291ba9ec1e5b0aba22b ]
+
+Move the interrupt coalesce value update out of the napi
+thread and into the dim_work thread and set it only when it
+has actually changed.
+
+Fixes: 04a834592bf5 ("ionic: dynamic interrupt moderation")
+Signed-off-by: Shannon Nelson <snelson@pensando.io>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/pensando/ionic/ionic_lif.c | 14 +++++++++++++-
+ drivers/net/ethernet/pensando/ionic/ionic_txrx.c | 4 ----
+ 2 files changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/pensando/ionic/ionic_lif.c b/drivers/net/ethernet/pensando/ionic/ionic_lif.c
+index d0ae1cf43592..6dc7ce649448 100644
+--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c
++++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c
+@@ -52,7 +52,19 @@ static void ionic_dim_work(struct work_struct *work)
+ cur_moder = net_dim_get_rx_moderation(dim->mode, dim->profile_ix);
+ qcq = container_of(dim, struct ionic_qcq, dim);
+ new_coal = ionic_coal_usec_to_hw(qcq->q.lif->ionic, cur_moder.usec);
+- qcq->intr.dim_coal_hw = new_coal ? new_coal : 1;
++ new_coal = new_coal ? new_coal : 1;
++
++ if (qcq->intr.dim_coal_hw != new_coal) {
++ unsigned int qi = qcq->cq.bound_q->index;
++ struct ionic_lif *lif = qcq->q.lif;
++
++ qcq->intr.dim_coal_hw = new_coal;
++
++ ionic_intr_coal_init(lif->ionic->idev.intr_ctrl,
++ lif->rxqcqs[qi]->intr.index,
++ qcq->intr.dim_coal_hw);
++ }
++
+ dim->state = DIM_START_MEASURE;
+ }
+
+diff --git a/drivers/net/ethernet/pensando/ionic/ionic_txrx.c b/drivers/net/ethernet/pensando/ionic/ionic_txrx.c
+index 909eca14f647..ec064327c998 100644
+--- a/drivers/net/ethernet/pensando/ionic/ionic_txrx.c
++++ b/drivers/net/ethernet/pensando/ionic/ionic_txrx.c
+@@ -429,10 +429,6 @@ static void ionic_dim_update(struct ionic_qcq *qcq)
+ lif = qcq->q.lif;
+ qi = qcq->cq.bound_q->index;
+
+- ionic_intr_coal_init(lif->ionic->idev.intr_ctrl,
+- lif->rxqcqs[qi]->intr.index,
+- qcq->intr.dim_coal_hw);
+-
+ dim_update_sample(qcq->cq.bound_intr->rearm_count,
+ lif->txqstats[qi].pkts,
+ lif->txqstats[qi].bytes,
+--
+2.30.2
+
--- /dev/null
+From 63b73d649fe0f9fc9d9b3caaf39976a4c433ae4e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Jul 2021 14:30:18 +0200
+Subject: KVM: x86: Check the right feature bit for MSR_KVM_ASYNC_PF_ACK access
+
+From: Vitaly Kuznetsov <vkuznets@redhat.com>
+
+[ Upstream commit 0a31df6823232516f61f174907e444f710941dfe ]
+
+MSR_KVM_ASYNC_PF_ACK MSR is part of interrupt based asynchronous page fault
+interface and not the original (deprecated) KVM_FEATURE_ASYNC_PF. This is
+stated in Documentation/virt/kvm/msr.rst.
+
+Fixes: 66570e966dd9 ("kvm: x86: only provide PV features if enabled in guest's CPUID")
+Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Reviewed-by: Maxim Levitsky <mlevitsk@redhat.com>
+Reviewed-by: Oliver Upton <oupton@google.com>
+Message-Id: <20210722123018.260035-1-vkuznets@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/x86.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 3ad6f77ea1c4..27faa00fff71 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -3205,7 +3205,7 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
+ return 1;
+ break;
+ case MSR_KVM_ASYNC_PF_ACK:
+- if (!guest_pv_has(vcpu, KVM_FEATURE_ASYNC_PF))
++ if (!guest_pv_has(vcpu, KVM_FEATURE_ASYNC_PF_INT))
+ return 1;
+ if (data & 0x1) {
+ vcpu->arch.apf.pageready_pending = false;
+@@ -3534,7 +3534,7 @@ int kvm_get_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
+ msr_info->data = vcpu->arch.apf.msr_int_val;
+ break;
+ case MSR_KVM_ASYNC_PF_ACK:
+- if (!guest_pv_has(vcpu, KVM_FEATURE_ASYNC_PF))
++ if (!guest_pv_has(vcpu, KVM_FEATURE_ASYNC_PF_INT))
+ return 1;
+
+ msr_info->data = 0;
+--
+2.30.2
+
--- /dev/null
+From 7154b7330b6982cd980567b84e20272ba3b4ca5c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Jul 2021 07:01:11 +0200
+Subject: mac80211: fix enabling 4-address mode on a sta vif after assoc
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit a5d3cbdb09ff1f52cbe040932e06c8b9915c6dad ]
+
+Notify the driver about the 4-address mode change and also send a nulldata
+packet to the AP to notify it about the change
+
+Fixes: 1ff4e8f2dec8 ("mac80211: notify the driver when a sta uses 4-address mode")
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Link: https://lore.kernel.org/r/20210702050111.47546-1-nbd@nbd.name
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/cfg.c | 19 +++++++++++++++++++
+ net/mac80211/ieee80211_i.h | 2 ++
+ net/mac80211/mlme.c | 4 ++--
+ 3 files changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index 6a96deded763..e429dbb10df7 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -152,6 +152,8 @@ static int ieee80211_change_iface(struct wiphy *wiphy,
+ struct vif_params *params)
+ {
+ struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
++ struct ieee80211_local *local = sdata->local;
++ struct sta_info *sta;
+ int ret;
+
+ ret = ieee80211_if_change_type(sdata, type);
+@@ -162,7 +164,24 @@ static int ieee80211_change_iface(struct wiphy *wiphy,
+ RCU_INIT_POINTER(sdata->u.vlan.sta, NULL);
+ ieee80211_check_fast_rx_iface(sdata);
+ } else if (type == NL80211_IFTYPE_STATION && params->use_4addr >= 0) {
++ struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
++
++ if (params->use_4addr == ifmgd->use_4addr)
++ return 0;
++
+ sdata->u.mgd.use_4addr = params->use_4addr;
++ if (!ifmgd->associated)
++ return 0;
++
++ mutex_lock(&local->sta_mtx);
++ sta = sta_info_get(sdata, ifmgd->bssid);
++ if (sta)
++ drv_sta_set_4addr(local, sdata, &sta->sta,
++ params->use_4addr);
++ mutex_unlock(&local->sta_mtx);
++
++ if (params->use_4addr)
++ ieee80211_send_4addr_nullfunc(local, sdata);
+ }
+
+ if (sdata->vif.type == NL80211_IFTYPE_MONITOR) {
+diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
+index a83f0c2fcdf7..7f2be08b72a5 100644
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -2051,6 +2051,8 @@ void ieee80211_dynamic_ps_timer(struct timer_list *t);
+ void ieee80211_send_nullfunc(struct ieee80211_local *local,
+ struct ieee80211_sub_if_data *sdata,
+ bool powersave);
++void ieee80211_send_4addr_nullfunc(struct ieee80211_local *local,
++ struct ieee80211_sub_if_data *sdata);
+ void ieee80211_sta_tx_notify(struct ieee80211_sub_if_data *sdata,
+ struct ieee80211_hdr *hdr, bool ack, u16 tx_time);
+
+diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
+index 142bb28199c4..32bc30ec50ec 100644
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -1115,8 +1115,8 @@ void ieee80211_send_nullfunc(struct ieee80211_local *local,
+ ieee80211_tx_skb(sdata, skb);
+ }
+
+-static void ieee80211_send_4addr_nullfunc(struct ieee80211_local *local,
+- struct ieee80211_sub_if_data *sdata)
++void ieee80211_send_4addr_nullfunc(struct ieee80211_local *local,
++ struct ieee80211_sub_if_data *sdata)
+ {
+ struct sk_buff *skb;
+ struct ieee80211_hdr *nullfunc;
+--
+2.30.2
+
--- /dev/null
+From c5f2b99234e91052591656fb8823b0234eb53245 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Jul 2021 18:36:09 +0800
+Subject: mlx4: Fix missing error code in mlx4_load_one()
+
+From: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
+
+[ Upstream commit 7e4960b3d66d7248b23de3251118147812b42da2 ]
+
+The error code is missing in this code scenario, add the error code
+'-EINVAL' to the return value 'err'.
+
+Eliminate the follow smatch warning:
+
+drivers/net/ethernet/mellanox/mlx4/main.c:3538 mlx4_load_one() warn:
+missing error code 'err'.
+
+Reported-by: Abaci Robot <abaci@linux.alibaba.com>
+Fixes: 7ae0e400cd93 ("net/mlx4_core: Flexible (asymmetric) allocation of EQs and MSI-X vectors for PF/VFs")
+Signed-off-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx4/main.c b/drivers/net/ethernet/mellanox/mlx4/main.c
+index 00c84656b2e7..28ac4693da3c 100644
+--- a/drivers/net/ethernet/mellanox/mlx4/main.c
++++ b/drivers/net/ethernet/mellanox/mlx4/main.c
+@@ -3535,6 +3535,7 @@ slave_start:
+
+ if (!SRIOV_VALID_STATE(dev->flags)) {
+ mlx4_err(dev, "Invalid SRIOV state\n");
++ err = -EINVAL;
+ goto err_close;
+ }
+ }
+--
+2.30.2
+
--- /dev/null
+From ab507b0ca15ceff9d1438e04754c8b10724e6624 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 25 Jul 2021 00:11:59 +0300
+Subject: net: llc: fix skb_over_panic
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit c7c9d2102c9c098916ab9e0ab248006107d00d6c ]
+
+Syzbot reported skb_over_panic() in llc_pdu_init_as_xid_cmd(). The
+problem was in wrong LCC header manipulations.
+
+Syzbot's reproducer tries to send XID packet. llc_ui_sendmsg() is
+doing following steps:
+
+ 1. skb allocation with size = len + header size
+ len is passed from userpace and header size
+ is 3 since addr->sllc_xid is set.
+
+ 2. skb_reserve() for header_len = 3
+ 3. filling all other space with memcpy_from_msg()
+
+Ok, at this moment we have fully loaded skb, only headers needs to be
+filled.
+
+Then code comes to llc_sap_action_send_xid_c(). This function pushes 3
+bytes for LLC PDU header and initializes it. Then comes
+llc_pdu_init_as_xid_cmd(). It initalizes next 3 bytes *AFTER* LLC PDU
+header and call skb_push(skb, 3). This looks wrong for 2 reasons:
+
+ 1. Bytes rigth after LLC header are user data, so this function
+ was overwriting payload.
+
+ 2. skb_push(skb, 3) call can cause skb_over_panic() since
+ all free space was filled in llc_ui_sendmsg(). (This can
+ happen is user passed 686 len: 686 + 14 (eth header) + 3 (LLC
+ header) = 703. SKB_DATA_ALIGN(703) = 704)
+
+So, in this patch I added 2 new private constansts: LLC_PDU_TYPE_U_XID
+and LLC_PDU_LEN_U_XID. LLC_PDU_LEN_U_XID is used to correctly reserve
+header size to handle LLC + XID case. LLC_PDU_TYPE_U_XID is used by
+llc_pdu_header_init() function to push 6 bytes instead of 3. And finally
+I removed skb_push() call from llc_pdu_init_as_xid_cmd().
+
+This changes should not affect other parts of LLC, since after
+all steps we just transmit buffer.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-and-tested-by: syzbot+5e5a981ad7cc54c4b2b4@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/llc_pdu.h | 31 +++++++++++++++++++++++--------
+ net/llc/af_llc.c | 10 +++++++++-
+ net/llc/llc_s_ac.c | 2 +-
+ 3 files changed, 33 insertions(+), 10 deletions(-)
+
+diff --git a/include/net/llc_pdu.h b/include/net/llc_pdu.h
+index c0f0a13ed818..49aa79c7b278 100644
+--- a/include/net/llc_pdu.h
++++ b/include/net/llc_pdu.h
+@@ -15,9 +15,11 @@
+ #include <linux/if_ether.h>
+
+ /* Lengths of frame formats */
+-#define LLC_PDU_LEN_I 4 /* header and 2 control bytes */
+-#define LLC_PDU_LEN_S 4
+-#define LLC_PDU_LEN_U 3 /* header and 1 control byte */
++#define LLC_PDU_LEN_I 4 /* header and 2 control bytes */
++#define LLC_PDU_LEN_S 4
++#define LLC_PDU_LEN_U 3 /* header and 1 control byte */
++/* header and 1 control byte and XID info */
++#define LLC_PDU_LEN_U_XID (LLC_PDU_LEN_U + sizeof(struct llc_xid_info))
+ /* Known SAP addresses */
+ #define LLC_GLOBAL_SAP 0xFF
+ #define LLC_NULL_SAP 0x00 /* not network-layer visible */
+@@ -50,9 +52,10 @@
+ #define LLC_PDU_TYPE_U_MASK 0x03 /* 8-bit control field */
+ #define LLC_PDU_TYPE_MASK 0x03
+
+-#define LLC_PDU_TYPE_I 0 /* first bit */
+-#define LLC_PDU_TYPE_S 1 /* first two bits */
+-#define LLC_PDU_TYPE_U 3 /* first two bits */
++#define LLC_PDU_TYPE_I 0 /* first bit */
++#define LLC_PDU_TYPE_S 1 /* first two bits */
++#define LLC_PDU_TYPE_U 3 /* first two bits */
++#define LLC_PDU_TYPE_U_XID 4 /* private type for detecting XID commands */
+
+ #define LLC_PDU_TYPE_IS_I(pdu) \
+ ((!(pdu->ctrl_1 & LLC_PDU_TYPE_I_MASK)) ? 1 : 0)
+@@ -230,9 +233,18 @@ static inline struct llc_pdu_un *llc_pdu_un_hdr(struct sk_buff *skb)
+ static inline void llc_pdu_header_init(struct sk_buff *skb, u8 type,
+ u8 ssap, u8 dsap, u8 cr)
+ {
+- const int hlen = type == LLC_PDU_TYPE_U ? 3 : 4;
++ int hlen = 4; /* default value for I and S types */
+ struct llc_pdu_un *pdu;
+
++ switch (type) {
++ case LLC_PDU_TYPE_U:
++ hlen = 3;
++ break;
++ case LLC_PDU_TYPE_U_XID:
++ hlen = 6;
++ break;
++ }
++
+ skb_push(skb, hlen);
+ skb_reset_network_header(skb);
+ pdu = llc_pdu_un_hdr(skb);
+@@ -374,7 +386,10 @@ static inline void llc_pdu_init_as_xid_cmd(struct sk_buff *skb,
+ xid_info->fmt_id = LLC_XID_FMT_ID; /* 0x81 */
+ xid_info->type = svcs_supported;
+ xid_info->rw = rx_window << 1; /* size of receive window */
+- skb_put(skb, sizeof(struct llc_xid_info));
++
++ /* no need to push/put since llc_pdu_header_init() has already
++ * pushed 3 + 3 bytes
++ */
+ }
+
+ /**
+diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
+index 7180979114e4..ac5cadd02cfa 100644
+--- a/net/llc/af_llc.c
++++ b/net/llc/af_llc.c
+@@ -98,8 +98,16 @@ static inline u8 llc_ui_header_len(struct sock *sk, struct sockaddr_llc *addr)
+ {
+ u8 rc = LLC_PDU_LEN_U;
+
+- if (addr->sllc_test || addr->sllc_xid)
++ if (addr->sllc_test)
+ rc = LLC_PDU_LEN_U;
++ else if (addr->sllc_xid)
++ /* We need to expand header to sizeof(struct llc_xid_info)
++ * since llc_pdu_init_as_xid_cmd() sets 4,5,6 bytes of LLC header
++ * as XID PDU. In llc_ui_sendmsg() we reserved header size and then
++ * filled all other space with user data. If we won't reserve this
++ * bytes, llc_pdu_init_as_xid_cmd() will overwrite user data
++ */
++ rc = LLC_PDU_LEN_U_XID;
+ else if (sk->sk_type == SOCK_STREAM)
+ rc = LLC_PDU_LEN_I;
+ return rc;
+diff --git a/net/llc/llc_s_ac.c b/net/llc/llc_s_ac.c
+index 7ae4cc684d3a..9fa3342c7a82 100644
+--- a/net/llc/llc_s_ac.c
++++ b/net/llc/llc_s_ac.c
+@@ -79,7 +79,7 @@ int llc_sap_action_send_xid_c(struct llc_sap *sap, struct sk_buff *skb)
+ struct llc_sap_state_ev *ev = llc_sap_ev(skb);
+ int rc;
+
+- llc_pdu_header_init(skb, LLC_PDU_TYPE_U, ev->saddr.lsap,
++ llc_pdu_header_init(skb, LLC_PDU_TYPE_U_XID, ev->saddr.lsap,
+ ev->daddr.lsap, LLC_PDU_CMD);
+ llc_pdu_init_as_xid_cmd(skb, LLC_XID_NULL_CLASS_2, 0);
+ rc = llc_mac_hdr_init(skb, ev->saddr.mac, ev->daddr.mac);
+--
+2.30.2
+
--- /dev/null
+From dd163d8a8cf4935aaffd7cac49d55379daf56cca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Jul 2021 09:20:14 +0300
+Subject: net/mlx5: Fix flow table chaining
+
+From: Maor Gottlieb <maorg@nvidia.com>
+
+[ Upstream commit 8b54874ef1617185048029a3083d510569e93751 ]
+
+Fix a bug when flow table is created in priority that already
+has other flow tables as shown in the below diagram.
+If the new flow table (FT-B) has the lowest level in the priority,
+we need to connect the flow tables from the previous priority (p0)
+to this new table. In addition when this flow table is destroyed
+(FT-B), we need to connect the flow tables from the previous
+priority (p0) to the next level flow table (FT-C) in the same
+priority of the destroyed table (if exists).
+
+ ---------
+ |root_ns|
+ ---------
+ |
+ --------------------------------
+ | | |
+ ---------- ---------- ---------
+ |p(prio)-x| | p-y | | p-n |
+ ---------- ---------- ---------
+ | |
+ ---------------- ------------------
+ |ns(e.g bypass)| |ns(e.g. kernel) |
+ ---------------- ------------------
+ | | |
+ ------- ------ ----
+ | p0 | | p1 | |p2|
+ ------- ------ ----
+ | | \
+ -------- ------- ------
+ | FT-A | |FT-B | |FT-C|
+ -------- ------- ------
+
+Fixes: f90edfd279f3 ("net/mlx5_core: Connect flow tables")
+Signed-off-by: Maor Gottlieb <maorg@nvidia.com>
+Reviewed-by: Mark Bloch <mbloch@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
+index 79fc5755735f..1d4b4e6f6fb4 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
+@@ -1024,17 +1024,19 @@ static int connect_fwd_rules(struct mlx5_core_dev *dev,
+ static int connect_flow_table(struct mlx5_core_dev *dev, struct mlx5_flow_table *ft,
+ struct fs_prio *prio)
+ {
+- struct mlx5_flow_table *next_ft;
++ struct mlx5_flow_table *next_ft, *first_ft;
+ int err = 0;
+
+ /* Connect_prev_fts and update_root_ft_create are mutually exclusive */
+
+- if (list_empty(&prio->node.children)) {
++ first_ft = list_first_entry_or_null(&prio->node.children,
++ struct mlx5_flow_table, node.list);
++ if (!first_ft || first_ft->level > ft->level) {
+ err = connect_prev_fts(dev, ft, prio);
+ if (err)
+ return err;
+
+- next_ft = find_next_chained_ft(prio);
++ next_ft = first_ft ? first_ft : find_next_chained_ft(prio);
+ err = connect_fwd_rules(dev, ft, next_ft);
+ if (err)
+ return err;
+@@ -2113,7 +2115,7 @@ static int disconnect_flow_table(struct mlx5_flow_table *ft)
+ node.list) == ft))
+ return 0;
+
+- next_ft = find_next_chained_ft(prio);
++ next_ft = find_next_ft(ft);
+ err = connect_fwd_rules(dev, next_ft, ft);
+ if (err)
+ return err;
+--
+2.30.2
+
--- /dev/null
+From 941b1a55997b0264195f4be6389934fe3bce10e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Apr 2021 15:16:26 +0300
+Subject: net/mlx5e: Fix nullptr in mlx5e_hairpin_get_mdev()
+
+From: Dima Chumak <dchumak@nvidia.com>
+
+[ Upstream commit b1c2f6312c5005c928a72e668bf305a589d828d4 ]
+
+The result of __dev_get_by_index() is not checked for NULL and then gets
+dereferenced immediately.
+
+Also, __dev_get_by_index() must be called while holding either RTNL lock
+or @dev_base_lock, which isn't satisfied by mlx5e_hairpin_get_mdev() or
+its callers. This makes the underlying hlist_for_each_entry() loop not
+safe, and can have adverse effects in itself.
+
+Fix by using dev_get_by_index() and handling nullptr return value when
+ifindex device is not found. Update mlx5e_hairpin_get_mdev() callers to
+check for possible PTR_ERR() result.
+
+Fixes: 77ab67b7f0f9 ("net/mlx5e: Basic setup of hairpin object")
+Addresses-Coverity: ("Dereference null return value")
+Signed-off-by: Dima Chumak <dchumak@nvidia.com>
+Reviewed-by: Vlad Buslov <vladbu@nvidia.com>
+Reviewed-by: Roi Dayan <roid@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/mellanox/mlx5/core/en_tc.c | 33 +++++++++++++++++--
+ 1 file changed, 31 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+index 59837af959d0..1ad1692a5b2d 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+@@ -481,12 +481,32 @@ static void mlx5e_detach_mod_hdr(struct mlx5e_priv *priv,
+ static
+ struct mlx5_core_dev *mlx5e_hairpin_get_mdev(struct net *net, int ifindex)
+ {
++ struct mlx5_core_dev *mdev;
+ struct net_device *netdev;
+ struct mlx5e_priv *priv;
+
+- netdev = __dev_get_by_index(net, ifindex);
++ netdev = dev_get_by_index(net, ifindex);
++ if (!netdev)
++ return ERR_PTR(-ENODEV);
++
+ priv = netdev_priv(netdev);
+- return priv->mdev;
++ mdev = priv->mdev;
++ dev_put(netdev);
++
++ /* Mirred tc action holds a refcount on the ifindex net_device (see
++ * net/sched/act_mirred.c:tcf_mirred_get_dev). So, it's okay to continue using mdev
++ * after dev_put(netdev), while we're in the context of adding a tc flow.
++ *
++ * The mdev pointer corresponds to the peer/out net_device of a hairpin. It is then
++ * stored in a hairpin object, which exists until all flows, that refer to it, get
++ * removed.
++ *
++ * On the other hand, after a hairpin object has been created, the peer net_device may
++ * be removed/unbound while there are still some hairpin flows that are using it. This
++ * case is handled by mlx5e_tc_hairpin_update_dead_peer, which is hooked to
++ * NETDEV_UNREGISTER event of the peer net_device.
++ */
++ return mdev;
+ }
+
+ static int mlx5e_hairpin_create_transport(struct mlx5e_hairpin *hp)
+@@ -685,6 +705,10 @@ mlx5e_hairpin_create(struct mlx5e_priv *priv, struct mlx5_hairpin_params *params
+
+ func_mdev = priv->mdev;
+ peer_mdev = mlx5e_hairpin_get_mdev(dev_net(priv->netdev), peer_ifindex);
++ if (IS_ERR(peer_mdev)) {
++ err = PTR_ERR(peer_mdev);
++ goto create_pair_err;
++ }
+
+ pair = mlx5_core_hairpin_create(func_mdev, peer_mdev, params);
+ if (IS_ERR(pair)) {
+@@ -823,6 +847,11 @@ static int mlx5e_hairpin_flow_add(struct mlx5e_priv *priv,
+ int err;
+
+ peer_mdev = mlx5e_hairpin_get_mdev(dev_net(priv->netdev), peer_ifindex);
++ if (IS_ERR(peer_mdev)) {
++ NL_SET_ERR_MSG_MOD(extack, "invalid ifindex of mirred device");
++ return PTR_ERR(peer_mdev);
++ }
++
+ if (!MLX5_CAP_GEN(priv->mdev, hairpin) || !MLX5_CAP_GEN(peer_mdev, hairpin)) {
+ NL_SET_ERR_MSG_MOD(extack, "hairpin is not supported");
+ return -EOPNOTSUPP;
+--
+2.30.2
+
--- /dev/null
+From 027bb2a05d06ac57b4ab1df636568121a83b62b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Jul 2021 18:31:32 +0300
+Subject: net: qrtr: fix memory leaks
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit 52f3456a96c06760b9bfae460e39596fec7af22e ]
+
+Syzbot reported memory leak in qrtr. The problem was in unputted
+struct sock. qrtr_local_enqueue() function calls qrtr_port_lookup()
+which takes sock reference if port was found. Then there is the following
+check:
+
+if (!ipc || &ipc->sk == skb->sk) {
+ ...
+ return -ENODEV;
+}
+
+Since we should drop the reference before returning from this function and
+ipc can be non-NULL inside this if, we should add qrtr_port_put() inside
+this if.
+
+The similar corner case is in qrtr_endpoint_post() as Manivannan
+reported. In case of sock_queue_rcv_skb() failure we need to put
+port reference to avoid leaking struct sock pointer.
+
+Fixes: e04df98adf7d ("net: qrtr: Remove receive worker")
+Fixes: bdabad3e363d ("net: Add Qualcomm IPC router")
+Reported-and-tested-by: syzbot+35a511c72ea7356cdcf3@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Reviewed-by: Manivannan Sadhasivam <mani@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/qrtr/qrtr.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/qrtr/qrtr.c b/net/qrtr/qrtr.c
+index 0d9baddb9cd4..6826558483f9 100644
+--- a/net/qrtr/qrtr.c
++++ b/net/qrtr/qrtr.c
+@@ -504,8 +504,10 @@ int qrtr_endpoint_post(struct qrtr_endpoint *ep, const void *data, size_t len)
+ if (!ipc)
+ goto err;
+
+- if (sock_queue_rcv_skb(&ipc->sk, skb))
++ if (sock_queue_rcv_skb(&ipc->sk, skb)) {
++ qrtr_port_put(ipc);
+ goto err;
++ }
+
+ qrtr_port_put(ipc);
+ }
+@@ -830,6 +832,8 @@ static int qrtr_local_enqueue(struct qrtr_node *node, struct sk_buff *skb,
+
+ ipc = qrtr_port_lookup(to->sq_port);
+ if (!ipc || &ipc->sk == skb->sk) { /* do not send to self */
++ if (ipc)
++ qrtr_port_put(ipc);
+ kfree_skb(skb);
+ return -ENODEV;
+ }
+--
+2.30.2
+
--- /dev/null
+From 5153f2fc5039e5ee4be6e07389639a457d4f2a8b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Jul 2021 20:01:28 +0300
+Subject: net: Set true network header for ECN decapsulation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Gilad Naaman <gnaaman@drivenets.com>
+
+[ Upstream commit 227adfb2b1dfbc53dfc53b9dd7a93a6298ff7c56 ]
+
+In cases where the header straight after the tunnel header was
+another ethernet header (TEB), instead of the network header,
+the ECN decapsulation code would treat the ethernet header as if
+it was an IP header, resulting in mishandling and possible
+wrong drops or corruption of the IP header.
+
+In this case, ECT(1) is sent, so IP_ECN_decapsulate tries to copy it to the
+inner IPv4 header, and correct its checksum.
+
+The offset of the ECT bits in an IPv4 header corresponds to the
+lower 2 bits of the second octet of the destination MAC address
+in the ethernet header.
+The IPv4 checksum corresponds to end of the source address.
+
+In order to reproduce:
+
+ $ ip netns add A
+ $ ip netns add B
+ $ ip -n A link add _v0 type veth peer name _v1 netns B
+ $ ip -n A link set _v0 up
+ $ ip -n A addr add dev _v0 10.254.3.1/24
+ $ ip -n A route add default dev _v0 scope global
+ $ ip -n B link set _v1 up
+ $ ip -n B addr add dev _v1 10.254.1.6/24
+ $ ip -n B route add default dev _v1 scope global
+ $ ip -n B link add gre1 type gretap local 10.254.1.6 remote 10.254.3.1 key 0x49000000
+ $ ip -n B link set gre1 up
+
+ # Now send an IPv4/GRE/Eth/IPv4 frame where the outer header has ECT(1),
+ # and the inner header has no ECT bits set:
+
+ $ cat send_pkt.py
+ #!/usr/bin/env python3
+ from scapy.all import *
+
+ pkt = IP(b'E\x01\x00\xa7\x00\x00\x00\x00@/`%\n\xfe\x03\x01\n\xfe\x01\x06 \x00eXI\x00'
+ b'\x00\x00\x18\xbe\x92\xa0\xee&\x18\xb0\x92\xa0l&\x08\x00E\x00\x00}\x8b\x85'
+ b'@\x00\x01\x01\xe4\xf2\x82\x82\x82\x01\x82\x82\x82\x02\x08\x00d\x11\xa6\xeb'
+ b'3\x1e\x1e\\xf3\\xf7`\x00\x00\x00\x00ZN\x00\x00\x00\x00\x00\x00\x10\x11\x12'
+ b'\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./01234'
+ b'56789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ')
+
+ send(pkt)
+ $ sudo ip netns exec B tcpdump -neqlllvi gre1 icmp & ; sleep 1
+ $ sudo ip netns exec A python3 send_pkt.py
+
+In the original packet, the source/destinatio MAC addresses are
+dst=18:be:92:a0:ee:26 src=18:b0:92:a0:6c:26
+
+In the received packet, they are
+dst=18:bd:92:a0:ee:26 src=18:b0:92:a0:6c:27
+
+Thanks to Lahav Schlesinger <lschlesinger@drivenets.com> and Isaac Garzon <isaac@speed.io>
+for helping me pinpoint the origin.
+
+Fixes: b723748750ec ("tunnel: Propagate ECT(1) when decapsulating as recommended by RFC6040")
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
+Cc: David Ahern <dsahern@kernel.org>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: Toke Høiland-Jørgensen <toke@redhat.com>
+Signed-off-by: Gilad Naaman <gnaaman@drivenets.com>
+Acked-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/ip_tunnel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
+index 0dca00745ac3..be75b409445c 100644
+--- a/net/ipv4/ip_tunnel.c
++++ b/net/ipv4/ip_tunnel.c
+@@ -390,7 +390,7 @@ int ip_tunnel_rcv(struct ip_tunnel *tunnel, struct sk_buff *skb,
+ tunnel->i_seqno = ntohl(tpi->seq) + 1;
+ }
+
+- skb_reset_network_header(skb);
++ skb_set_network_header(skb, (tunnel->dev->type == ARPHRD_ETHER) ? ETH_HLEN : 0);
+
+ err = IP_ECN_decapsulate(iph, skb);
+ if (unlikely(err)) {
+--
+2.30.2
+
--- /dev/null
+From 8685bd1e19781d36ec6b234e1fba3f07e0d78866 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Jul 2021 18:36:00 +0200
+Subject: netfilter: conntrack: adjust stop timestamp to real expiry value
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 30a56a2b881821625f79837d4d968c679852444e ]
+
+In case the entry is evicted via garbage collection there is
+delay between the timeout value and the eviction event.
+
+This adjusts the stop value based on how much time has passed.
+
+Fixes: b87a2f9199ea82 ("netfilter: conntrack: add gc worker to remove timed-out entries")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_core.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
+index ff0168736f6e..f9f2af26ccb3 100644
+--- a/net/netfilter/nf_conntrack_core.c
++++ b/net/netfilter/nf_conntrack_core.c
+@@ -661,8 +661,13 @@ bool nf_ct_delete(struct nf_conn *ct, u32 portid, int report)
+ return false;
+
+ tstamp = nf_conn_tstamp_find(ct);
+- if (tstamp && tstamp->stop == 0)
++ if (tstamp) {
++ s32 timeout = ct->timeout - nfct_time_stamp;
++
+ tstamp->stop = ktime_get_real_ns();
++ if (timeout < 0)
++ tstamp->stop -= jiffies_to_nsecs(-timeout);
++ }
+
+ if (nf_conntrack_event_report(IPCT_DESTROY, ct,
+ portid, report) < 0) {
+--
+2.30.2
+
--- /dev/null
+From cca5838a3c9ae1249b20deb1d724abe1193b0b21 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Jul 2021 18:22:50 +0200
+Subject: netfilter: nft_nat: allow to specify layer 4 protocol NAT only
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit a33f387ecd5aafae514095c2c4a8c24f7aea7e8b ]
+
+nft_nat reports a bogus EAFNOSUPPORT if no layer 3 information is specified.
+
+Fixes: d07db9884a5f ("netfilter: nf_tables: introduce nft_validate_register_load()")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_nat.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c
+index 4bcf33b049c4..ea53fd999f46 100644
+--- a/net/netfilter/nft_nat.c
++++ b/net/netfilter/nft_nat.c
+@@ -201,7 +201,9 @@ static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
+ alen = sizeof_field(struct nf_nat_range, min_addr.ip6);
+ break;
+ default:
+- return -EAFNOSUPPORT;
++ if (tb[NFTA_NAT_REG_ADDR_MIN])
++ return -EAFNOSUPPORT;
++ break;
+ }
+ priv->family = family;
+
+--
+2.30.2
+
--- /dev/null
+From aead170e18f1a3cf686d9fd6482d287ed9869187 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 25 Jul 2021 13:29:03 +0530
+Subject: octeontx2-pf: Fix interface down flag on error
+
+From: Geetha sowjanya <gakula@marvell.com>
+
+[ Upstream commit 69f0aeb13bb548e2d5710a350116e03f0273302e ]
+
+In the existing code while changing the number of TX/RX
+queues using ethtool the PF/VF interface resources are
+freed and reallocated (otx2_stop and otx2_open is called)
+if the device is in running state. If any resource allocation
+fails in otx2_open, driver free already allocated resources
+and return. But again, when the number of queues changes
+as the device state still running oxt2_stop is called.
+In which we try to free already freed resources leading
+to driver crash.
+This patch fixes the issue by setting the INTF_DOWN flag on
+error and free the resources in otx2_stop only if the flag is
+not set.
+
+Fixes: 50fe6c02e5ad ("octeontx2-pf: Register and handle link notifications")
+Signed-off-by: Geetha sowjanya <gakula@marvell.com>
+Signed-off-by: Sunil Kovvuri Goutham <Sunil.Goutham@cavium.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c | 7 +++----
+ drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c | 5 +++++
+ 2 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
+index 662fb80dbb9d..c6d408de0605 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
+@@ -230,15 +230,14 @@ static int otx2_set_channels(struct net_device *dev,
+ err = otx2_set_real_num_queues(dev, channel->tx_count,
+ channel->rx_count);
+ if (err)
+- goto fail;
++ return err;
+
+ pfvf->hw.rx_queues = channel->rx_count;
+ pfvf->hw.tx_queues = channel->tx_count;
+ pfvf->qset.cq_cnt = pfvf->hw.tx_queues + pfvf->hw.rx_queues;
+
+-fail:
+ if (if_up)
+- dev->netdev_ops->ndo_open(dev);
++ err = dev->netdev_ops->ndo_open(dev);
+
+ netdev_info(dev, "Setting num Tx rings to %d, Rx rings to %d success\n",
+ pfvf->hw.tx_queues, pfvf->hw.rx_queues);
+@@ -342,7 +341,7 @@ static int otx2_set_ringparam(struct net_device *netdev,
+ qs->rqe_cnt = rx_count;
+
+ if (if_up)
+- netdev->netdev_ops->ndo_open(netdev);
++ return netdev->netdev_ops->ndo_open(netdev);
+
+ return 0;
+ }
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c
+index 9fef9be015e5..044a5b1196ac 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c
+@@ -1592,6 +1592,7 @@ int otx2_open(struct net_device *netdev)
+ err_tx_stop_queues:
+ netif_tx_stop_all_queues(netdev);
+ netif_carrier_off(netdev);
++ pf->flags |= OTX2_FLAG_INTF_DOWN;
+ err_free_cints:
+ otx2_free_cints(pf, qidx);
+ vec = pci_irq_vector(pf->pdev,
+@@ -1619,6 +1620,10 @@ int otx2_stop(struct net_device *netdev)
+ struct otx2_rss_info *rss;
+ int qidx, vec, wrk;
+
++ /* If the DOWN flag is set resources are already freed */
++ if (pf->flags & OTX2_FLAG_INTF_DOWN)
++ return 0;
++
+ netif_carrier_off(netdev);
+ netif_tx_stop_all_queues(netdev);
+
+--
+2.30.2
+
--- /dev/null
+From 182ef70324f44d55a36744050a1088698af4eab1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 11 Jul 2021 06:31:36 -0700
+Subject: RDMA/bnxt_re: Fix stats counters
+
+From: Naresh Kumar PBS <nareshkumar.pbs@broadcom.com>
+
+[ Upstream commit 0c23af52ccd1605926480b5dfd1dd857ef604611 ]
+
+Statistical counters are not incrementing in some adapter versions with
+newer FW. This is due to the stats context length mismatch between FW and
+driver. Since the L2 driver updates the length correctly, use the stats
+length from L2 driver while allocating the DMA'able memory and creating
+the stats context.
+
+Fixes: 9d6b648c3112 ("bnxt_en: Update firmware interface spec to 1.10.1.65.")
+Link: https://lore.kernel.org/r/1626010296-6076-1-git-send-email-selvin.xavier@broadcom.com
+Signed-off-by: Naresh Kumar PBS <nareshkumar.pbs@broadcom.com>
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/main.c | 4 +++-
+ drivers/infiniband/hw/bnxt_re/qplib_res.c | 10 ++++------
+ drivers/infiniband/hw/bnxt_re/qplib_res.h | 1 +
+ 3 files changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/main.c b/drivers/infiniband/hw/bnxt_re/main.c
+index 04621ba8fa76..1fadca8af71a 100644
+--- a/drivers/infiniband/hw/bnxt_re/main.c
++++ b/drivers/infiniband/hw/bnxt_re/main.c
+@@ -119,6 +119,7 @@ static int bnxt_re_setup_chip_ctx(struct bnxt_re_dev *rdev, u8 wqe_mode)
+ if (!chip_ctx)
+ return -ENOMEM;
+ chip_ctx->chip_num = bp->chip_num;
++ chip_ctx->hw_stats_size = bp->hw_ring_stats_size;
+
+ rdev->chip_ctx = chip_ctx;
+ /* rest members to follow eventually */
+@@ -507,6 +508,7 @@ static int bnxt_re_net_stats_ctx_alloc(struct bnxt_re_dev *rdev,
+ dma_addr_t dma_map,
+ u32 *fw_stats_ctx_id)
+ {
++ struct bnxt_qplib_chip_ctx *chip_ctx = rdev->chip_ctx;
+ struct hwrm_stat_ctx_alloc_output resp = {0};
+ struct hwrm_stat_ctx_alloc_input req = {0};
+ struct bnxt_en_dev *en_dev = rdev->en_dev;
+@@ -523,7 +525,7 @@ static int bnxt_re_net_stats_ctx_alloc(struct bnxt_re_dev *rdev,
+ bnxt_re_init_hwrm_hdr(rdev, (void *)&req, HWRM_STAT_CTX_ALLOC, -1, -1);
+ req.update_period_ms = cpu_to_le32(1000);
+ req.stats_dma_addr = cpu_to_le64(dma_map);
+- req.stats_dma_length = cpu_to_le16(sizeof(struct ctx_hw_stats_ext));
++ req.stats_dma_length = cpu_to_le16(chip_ctx->hw_stats_size);
+ req.stat_ctx_flags = STAT_CTX_ALLOC_REQ_STAT_CTX_FLAGS_ROCE;
+ bnxt_re_fill_fw_msg(&fw_msg, (void *)&req, sizeof(req), (void *)&resp,
+ sizeof(resp), DFLT_HWRM_CMD_TIMEOUT);
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c
+index 3ca47004b752..754dcebeb4ca 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c
+@@ -56,6 +56,7 @@
+ static void bnxt_qplib_free_stats_ctx(struct pci_dev *pdev,
+ struct bnxt_qplib_stats *stats);
+ static int bnxt_qplib_alloc_stats_ctx(struct pci_dev *pdev,
++ struct bnxt_qplib_chip_ctx *cctx,
+ struct bnxt_qplib_stats *stats);
+
+ /* PBL */
+@@ -559,7 +560,7 @@ int bnxt_qplib_alloc_ctx(struct bnxt_qplib_res *res,
+ goto fail;
+ stats_alloc:
+ /* Stats */
+- rc = bnxt_qplib_alloc_stats_ctx(res->pdev, &ctx->stats);
++ rc = bnxt_qplib_alloc_stats_ctx(res->pdev, res->cctx, &ctx->stats);
+ if (rc)
+ goto fail;
+
+@@ -889,15 +890,12 @@ static void bnxt_qplib_free_stats_ctx(struct pci_dev *pdev,
+ }
+
+ static int bnxt_qplib_alloc_stats_ctx(struct pci_dev *pdev,
++ struct bnxt_qplib_chip_ctx *cctx,
+ struct bnxt_qplib_stats *stats)
+ {
+ memset(stats, 0, sizeof(*stats));
+ stats->fw_id = -1;
+- /* 128 byte aligned context memory is required only for 57500.
+- * However making this unconditional, it does not harm previous
+- * generation.
+- */
+- stats->size = ALIGN(sizeof(struct ctx_hw_stats), 128);
++ stats->size = cctx->hw_stats_size;
+ stats->dma = dma_alloc_coherent(&pdev->dev, stats->size,
+ &stats->dma_map, GFP_KERNEL);
+ if (!stats->dma) {
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.h b/drivers/infiniband/hw/bnxt_re/qplib_res.h
+index 7a1ab38b95da..58bad6f78456 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_res.h
++++ b/drivers/infiniband/hw/bnxt_re/qplib_res.h
+@@ -60,6 +60,7 @@ struct bnxt_qplib_chip_ctx {
+ u16 chip_num;
+ u8 chip_rev;
+ u8 chip_metal;
++ u16 hw_stats_size;
+ struct bnxt_qplib_drv_modes modes;
+ };
+
+--
+2.30.2
+
--- /dev/null
+From 64b50ed5db670ccfd3422e71ee00868ec3da8e06 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Jul 2021 23:40:54 -0300
+Subject: sctp: fix return value check in __sctp_rcv_asconf_lookup
+
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+
+[ Upstream commit 557fb5862c9272ad9b21407afe1da8acfd9b53eb ]
+
+As Ben Hutchings noticed, this check should have been inverted: the call
+returns true in case of success.
+
+Reported-by: Ben Hutchings <ben@decadent.org.uk>
+Fixes: 0c5dc070ff3d ("sctp: validate from_addr_param return")
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Reviewed-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/input.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sctp/input.c b/net/sctp/input.c
+index f72bff93745c..ddb5b5c2550e 100644
+--- a/net/sctp/input.c
++++ b/net/sctp/input.c
+@@ -1175,7 +1175,7 @@ static struct sctp_association *__sctp_rcv_asconf_lookup(
+ if (unlikely(!af))
+ return NULL;
+
+- if (af->from_addr_param(&paddr, param, peer_port, 0))
++ if (!af->from_addr_param(&paddr, param, peer_port, 0))
+ return NULL;
+
+ return __sctp_lookup_association(net, laddr, &paddr, transportp);
+--
+2.30.2
+
blk-iocost-fix-operation-ordering-in-iocg_wake_fn.patch
nfc-nfcsim-fix-use-after-free-during-module-unload.patch
cfg80211-fix-possible-memory-leak-in-function-cfg80211_bss_update.patch
+rdma-bnxt_re-fix-stats-counters.patch
+bpf-fix-oob-read-when-printing-xdp-link-fdinfo.patch
+mac80211-fix-enabling-4-address-mode-on-a-sta-vif-af.patch
+netfilter-conntrack-adjust-stop-timestamp-to-real-ex.patch
+netfilter-nft_nat-allow-to-specify-layer-4-protocol-.patch
+i40e-fix-logic-of-disabling-queues.patch
+i40e-fix-firmware-lldp-agent-related-warning.patch
+i40e-fix-queue-to-tc-mapping-on-tx.patch
+i40e-fix-log-tc-creation-failure-when-max-num-of-que.patch
+tipc-fix-implicit-connect-for-syn.patch
+tipc-fix-sleeping-in-tipc-accept-routine.patch
+net-set-true-network-header-for-ecn-decapsulation.patch
+net-qrtr-fix-memory-leaks.patch
+ionic-remove-intr-coalesce-update-from-napi.patch
+ionic-fix-up-dim-accounting-for-tx-and-rx.patch
+ionic-count-csum_none-when-offload-enabled.patch
+tipc-do-not-write-skb_shinfo-frags-when-doing-decryt.patch
+octeontx2-pf-fix-interface-down-flag-on-error.patch
+mlx4-fix-missing-error-code-in-mlx4_load_one.patch
+kvm-x86-check-the-right-feature-bit-for-msr_kvm_asyn.patch
+net-llc-fix-skb_over_panic.patch
+drm-msm-dpu-fix-sm8250_mdp-register-length.patch
+drm-msm-dp-initialize-the-intf_config-register.patch
+skmsg-make-sk_psock_destroy-static.patch
+net-mlx5-fix-flow-table-chaining.patch
+net-mlx5e-fix-nullptr-in-mlx5e_hairpin_get_mdev.patch
+sctp-fix-return-value-check-in-__sctp_rcv_asconf_loo.patch
+tulip-windbond-840-fix-missing-pci_disable_device-in.patch
+sis900-fix-missing-pci_disable_device-in-probe-and-r.patch
+can-hi311x-fix-a-signedness-bug-in-hi3110_cmd.patch
--- /dev/null
+From 1973cecf16580a2ae9079aacd691c89968e205c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Jul 2021 20:11:07 +0800
+Subject: sis900: Fix missing pci_disable_device() in probe and remove
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit 89fb62fde3b226f99b7015280cf132e2a7438edf ]
+
+Replace pci_enable_device() with pcim_enable_device(),
+pci_disable_device() and pci_release_regions() will be
+called in release automatically.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/sis/sis900.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/sis/sis900.c b/drivers/net/ethernet/sis/sis900.c
+index 620c26f71be8..e267b7ce3a45 100644
+--- a/drivers/net/ethernet/sis/sis900.c
++++ b/drivers/net/ethernet/sis/sis900.c
+@@ -443,7 +443,7 @@ static int sis900_probe(struct pci_dev *pci_dev,
+ #endif
+
+ /* setup various bits in PCI command register */
+- ret = pci_enable_device(pci_dev);
++ ret = pcim_enable_device(pci_dev);
+ if(ret) return ret;
+
+ i = dma_set_mask(&pci_dev->dev, DMA_BIT_MASK(32));
+@@ -469,7 +469,7 @@ static int sis900_probe(struct pci_dev *pci_dev,
+ ioaddr = pci_iomap(pci_dev, 0, 0);
+ if (!ioaddr) {
+ ret = -ENOMEM;
+- goto err_out_cleardev;
++ goto err_out;
+ }
+
+ sis_priv = netdev_priv(net_dev);
+@@ -581,8 +581,6 @@ err_unmap_tx:
+ sis_priv->tx_ring_dma);
+ err_out_unmap:
+ pci_iounmap(pci_dev, ioaddr);
+-err_out_cleardev:
+- pci_release_regions(pci_dev);
+ err_out:
+ free_netdev(net_dev);
+ return ret;
+@@ -2499,7 +2497,6 @@ static void sis900_remove(struct pci_dev *pci_dev)
+ sis_priv->tx_ring_dma);
+ pci_iounmap(pci_dev, sis_priv->ioaddr);
+ free_netdev(net_dev);
+- pci_release_regions(pci_dev);
+ }
+
+ static int __maybe_unused sis900_suspend(struct device *dev)
+--
+2.30.2
+
--- /dev/null
+From 83cff927615e38180967710de974e540a8d0ab44 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Jan 2021 14:15:01 -0800
+Subject: skmsg: Make sk_psock_destroy() static
+
+From: Cong Wang <cong.wang@bytedance.com>
+
+[ Upstream commit 8063e184e49011f6f3f34f6c358dc8a83890bb5b ]
+
+sk_psock_destroy() is a RCU callback, I can't see any reason why
+it could be used outside.
+
+Signed-off-by: Cong Wang <cong.wang@bytedance.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Cc: John Fastabend <john.fastabend@gmail.com>
+Cc: Jakub Sitnicki <jakub@cloudflare.com>
+Cc: Lorenz Bauer <lmb@cloudflare.com>
+Link: https://lore.kernel.org/bpf/20210127221501.46866-1-xiyou.wangcong@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/skmsg.h | 1 -
+ net/core/skmsg.c | 3 +--
+ 2 files changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/include/linux/skmsg.h b/include/linux/skmsg.h
+index 82126d529798..822c048934e3 100644
+--- a/include/linux/skmsg.h
++++ b/include/linux/skmsg.h
+@@ -395,7 +395,6 @@ static inline struct sk_psock *sk_psock_get(struct sock *sk)
+ }
+
+ void sk_psock_stop(struct sock *sk, struct sk_psock *psock);
+-void sk_psock_destroy(struct rcu_head *rcu);
+ void sk_psock_drop(struct sock *sk, struct sk_psock *psock);
+
+ static inline void sk_psock_put(struct sock *sk, struct sk_psock *psock)
+diff --git a/net/core/skmsg.c b/net/core/skmsg.c
+index c4c224a5b9de..5dd5569f89bf 100644
+--- a/net/core/skmsg.c
++++ b/net/core/skmsg.c
+@@ -676,14 +676,13 @@ static void sk_psock_destroy_deferred(struct work_struct *gc)
+ kfree(psock);
+ }
+
+-void sk_psock_destroy(struct rcu_head *rcu)
++static void sk_psock_destroy(struct rcu_head *rcu)
+ {
+ struct sk_psock *psock = container_of(rcu, struct sk_psock, rcu);
+
+ INIT_WORK(&psock->gc, sk_psock_destroy_deferred);
+ schedule_work(&psock->gc);
+ }
+-EXPORT_SYMBOL_GPL(sk_psock_destroy);
+
+ void sk_psock_drop(struct sock *sk, struct sk_psock *psock)
+ {
+--
+2.30.2
+
--- /dev/null
+From de8602f4b6801bf45ee7a61f20a14429e4684355 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Jul 2021 18:46:01 -0400
+Subject: tipc: do not write skb_shinfo frags when doing decrytion
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 3cf4375a090473d240281a0d2b04a3a5aaeac34b ]
+
+One skb's skb_shinfo frags are not writable, and they can be shared with
+other skbs' like by pskb_copy(). To write the frags may cause other skb's
+data crash.
+
+So before doing en/decryption, skb_cow_data() should always be called for
+a cloned or nonlinear skb if req dst is using the same sg as req src.
+While at it, the likely branch can be removed, as it will be covered
+by skb_cow_data().
+
+Note that esp_input() has the same issue, and I will fix it in another
+patch. tipc_aead_encrypt() doesn't have this issue, as it only processes
+linear data in the unlikely branch.
+
+Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication")
+Reported-by: Shuang Li <shuali@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/crypto.c | 14 ++++----------
+ 1 file changed, 4 insertions(+), 10 deletions(-)
+
+diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c
+index 2301b66280de..f8e73c4a0093 100644
+--- a/net/tipc/crypto.c
++++ b/net/tipc/crypto.c
+@@ -891,16 +891,10 @@ static int tipc_aead_decrypt(struct net *net, struct tipc_aead *aead,
+ if (unlikely(!aead))
+ return -ENOKEY;
+
+- /* Cow skb data if needed */
+- if (likely(!skb_cloned(skb) &&
+- (!skb_is_nonlinear(skb) || !skb_has_frag_list(skb)))) {
+- nsg = 1 + skb_shinfo(skb)->nr_frags;
+- } else {
+- nsg = skb_cow_data(skb, 0, &unused);
+- if (unlikely(nsg < 0)) {
+- pr_err("RX: skb_cow_data() returned %d\n", nsg);
+- return nsg;
+- }
++ nsg = skb_cow_data(skb, 0, &unused);
++ if (unlikely(nsg < 0)) {
++ pr_err("RX: skb_cow_data() returned %d\n", nsg);
++ return nsg;
+ }
+
+ /* Allocate memory for the AEAD operation */
+--
+2.30.2
+
--- /dev/null
+From 34c0e3f43720e810af35a8e5a1b2dfd74e74726b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Jul 2021 12:05:41 -0400
+Subject: tipc: fix implicit-connect for SYN+
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit f8dd60de194817c86bf812700980762bb5a8d9a4 ]
+
+For implicit-connect, when it's either SYN- or SYN+, an ACK should
+be sent back to the client immediately. It's not appropriate for
+the client to enter established state only after receiving data
+from the server.
+
+On client side, after the SYN is sent out, tipc_wait_for_connect()
+should be called to wait for the ACK if timeout is set.
+
+This patch also restricts __tipc_sendstream() to call __sendmsg()
+only when it's in TIPC_OPEN state, so that the client can program
+in a single loop doing both connecting and data sending like:
+
+ for (...)
+ sendmsg(dest, buf);
+
+This makes the implicit-connect more implicit.
+
+Fixes: b97bf3fd8f6a ("[TIPC] Initial merge")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/socket.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/net/tipc/socket.c b/net/tipc/socket.c
+index 9f7cc9e1e4ef..694c432b9710 100644
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -148,6 +148,7 @@ static void tipc_sk_remove(struct tipc_sock *tsk);
+ static int __tipc_sendstream(struct socket *sock, struct msghdr *m, size_t dsz);
+ static int __tipc_sendmsg(struct socket *sock, struct msghdr *m, size_t dsz);
+ static void tipc_sk_push_backlog(struct tipc_sock *tsk, bool nagle_ack);
++static int tipc_wait_for_connect(struct socket *sock, long *timeo_p);
+
+ static const struct proto_ops packet_ops;
+ static const struct proto_ops stream_ops;
+@@ -1508,8 +1509,13 @@ static int __tipc_sendmsg(struct socket *sock, struct msghdr *m, size_t dlen)
+ rc = 0;
+ }
+
+- if (unlikely(syn && !rc))
++ if (unlikely(syn && !rc)) {
+ tipc_set_sk_state(sk, TIPC_CONNECTING);
++ if (timeout) {
++ timeout = msecs_to_jiffies(timeout);
++ tipc_wait_for_connect(sock, &timeout);
++ }
++ }
+
+ return rc ? rc : dlen;
+ }
+@@ -1557,7 +1563,7 @@ static int __tipc_sendstream(struct socket *sock, struct msghdr *m, size_t dlen)
+ return -EMSGSIZE;
+
+ /* Handle implicit connection setup */
+- if (unlikely(dest)) {
++ if (unlikely(dest && sk->sk_state == TIPC_OPEN)) {
+ rc = __tipc_sendmsg(sock, m, dlen);
+ if (dlen && dlen == rc) {
+ tsk->peer_caps = tipc_node_get_capabilities(net, dnode);
+@@ -2686,9 +2692,10 @@ static int tipc_accept(struct socket *sock, struct socket *new_sock, int flags,
+ bool kern)
+ {
+ struct sock *new_sk, *sk = sock->sk;
+- struct sk_buff *buf;
+ struct tipc_sock *new_tsock;
++ struct msghdr m = {NULL,};
+ struct tipc_msg *msg;
++ struct sk_buff *buf;
+ long timeo;
+ int res;
+
+@@ -2733,19 +2740,17 @@ static int tipc_accept(struct socket *sock, struct socket *new_sock, int flags,
+ }
+
+ /*
+- * Respond to 'SYN-' by discarding it & returning 'ACK'-.
+- * Respond to 'SYN+' by queuing it on new socket.
++ * Respond to 'SYN-' by discarding it & returning 'ACK'.
++ * Respond to 'SYN+' by queuing it on new socket & returning 'ACK'.
+ */
+ if (!msg_data_sz(msg)) {
+- struct msghdr m = {NULL,};
+-
+ tsk_advance_rx_queue(sk);
+- __tipc_sendstream(new_sock, &m, 0);
+ } else {
+ __skb_dequeue(&sk->sk_receive_queue);
+ __skb_queue_head(&new_sk->sk_receive_queue, buf);
+ skb_set_owner_r(buf, new_sk);
+ }
++ __tipc_sendstream(new_sock, &m, 0);
+ release_sock(new_sk);
+ exit:
+ release_sock(sk);
+--
+2.30.2
+
--- /dev/null
+From 7042669301766ade7e932f24a5656c4ef0a13376 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Jul 2021 09:25:34 +0700
+Subject: tipc: fix sleeping in tipc accept routine
+
+From: Hoang Le <hoang.h.le@dektech.com.au>
+
+[ Upstream commit d237a7f11719ff9320721be5818352e48071aab6 ]
+
+The release_sock() is blocking function, it would change the state
+after sleeping. In order to evaluate the stated condition outside
+the socket lock context, switch to use wait_woken() instead.
+
+Fixes: 6398e23cdb1d8 ("tipc: standardize accept routine")
+Acked-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Hoang Le <hoang.h.le@dektech.com.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/socket.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/net/tipc/socket.c b/net/tipc/socket.c
+index 694c432b9710..4f9bd95b4eee 100644
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -2650,7 +2650,7 @@ static int tipc_listen(struct socket *sock, int len)
+ static int tipc_wait_for_accept(struct socket *sock, long timeo)
+ {
+ struct sock *sk = sock->sk;
+- DEFINE_WAIT(wait);
++ DEFINE_WAIT_FUNC(wait, woken_wake_function);
+ int err;
+
+ /* True wake-one mechanism for incoming connections: only
+@@ -2659,12 +2659,12 @@ static int tipc_wait_for_accept(struct socket *sock, long timeo)
+ * anymore, the common case will execute the loop only once.
+ */
+ for (;;) {
+- prepare_to_wait_exclusive(sk_sleep(sk), &wait,
+- TASK_INTERRUPTIBLE);
+ if (timeo && skb_queue_empty(&sk->sk_receive_queue)) {
++ add_wait_queue(sk_sleep(sk), &wait);
+ release_sock(sk);
+- timeo = schedule_timeout(timeo);
++ timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
+ lock_sock(sk);
++ remove_wait_queue(sk_sleep(sk), &wait);
+ }
+ err = 0;
+ if (!skb_queue_empty(&sk->sk_receive_queue))
+@@ -2676,7 +2676,6 @@ static int tipc_wait_for_accept(struct socket *sock, long timeo)
+ if (signal_pending(current))
+ break;
+ }
+- finish_wait(sk_sleep(sk), &wait);
+ return err;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 61a224ec24e5ccb11255dfd917cceb125957e1b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Jul 2021 15:43:13 +0800
+Subject: tulip: windbond-840: Fix missing pci_disable_device() in probe and
+ remove
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit 76a16be07b209a3f507c72abe823bd3af1c8661a ]
+
+Replace pci_enable_device() with pcim_enable_device(),
+pci_disable_device() and pci_release_regions() will be
+called in release automatically.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/dec/tulip/winbond-840.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/dec/tulip/winbond-840.c b/drivers/net/ethernet/dec/tulip/winbond-840.c
+index 89cbdc1f4857..6161e1c604c0 100644
+--- a/drivers/net/ethernet/dec/tulip/winbond-840.c
++++ b/drivers/net/ethernet/dec/tulip/winbond-840.c
+@@ -357,7 +357,7 @@ static int w840_probe1(struct pci_dev *pdev, const struct pci_device_id *ent)
+ int i, option = find_cnt < MAX_UNITS ? options[find_cnt] : 0;
+ void __iomem *ioaddr;
+
+- i = pci_enable_device(pdev);
++ i = pcim_enable_device(pdev);
+ if (i) return i;
+
+ pci_set_master(pdev);
+@@ -379,7 +379,7 @@ static int w840_probe1(struct pci_dev *pdev, const struct pci_device_id *ent)
+
+ ioaddr = pci_iomap(pdev, TULIP_BAR, netdev_res_size);
+ if (!ioaddr)
+- goto err_out_free_res;
++ goto err_out_netdev;
+
+ for (i = 0; i < 3; i++)
+ ((__le16 *)dev->dev_addr)[i] = cpu_to_le16(eeprom_read(ioaddr, i));
+@@ -458,8 +458,6 @@ static int w840_probe1(struct pci_dev *pdev, const struct pci_device_id *ent)
+
+ err_out_cleardev:
+ pci_iounmap(pdev, ioaddr);
+-err_out_free_res:
+- pci_release_regions(pdev);
+ err_out_netdev:
+ free_netdev (dev);
+ return -ENODEV;
+@@ -1526,7 +1524,6 @@ static void w840_remove1(struct pci_dev *pdev)
+ if (dev) {
+ struct netdev_private *np = netdev_priv(dev);
+ unregister_netdev(dev);
+- pci_release_regions(pdev);
+ pci_iounmap(pdev, np->base_addr);
+ free_netdev(dev);
+ }
+--
+2.30.2
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
