--- /dev/null
+From b70518dbc896ec859f8ff0ee5fc14596fd9de0de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Aug 2020 10:15:12 +0100
+Subject: afs: Fix NULL deref in afs_dynroot_depopulate()
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 5e0b17b026eb7c6de9baa9b0d45a51b05f05abe1 ]
+
+If an error occurs during the construction of an afs superblock, it's
+possible that an error occurs after a superblock is created, but before
+we've created the root dentry. If the superblock has a dynamic root
+(ie. what's normally mounted on /afs), the afs_kill_super() will call
+afs_dynroot_depopulate() to unpin any created dentries - but this will
+oops if the root hasn't been created yet.
+
+Fix this by skipping that bit of code if there is no root dentry.
+
+This leads to an oops looking like:
+
+ general protection fault, ...
+ KASAN: null-ptr-deref in range [0x0000000000000068-0x000000000000006f]
+ ...
+ RIP: 0010:afs_dynroot_depopulate+0x25f/0x529 fs/afs/dynroot.c:385
+ ...
+ Call Trace:
+ afs_kill_super+0x13b/0x180 fs/afs/super.c:535
+ deactivate_locked_super+0x94/0x160 fs/super.c:335
+ afs_get_tree+0x1124/0x1460 fs/afs/super.c:598
+ vfs_get_tree+0x89/0x2f0 fs/super.c:1547
+ do_new_mount fs/namespace.c:2875 [inline]
+ path_mount+0x1387/0x2070 fs/namespace.c:3192
+ do_mount fs/namespace.c:3205 [inline]
+ __do_sys_mount fs/namespace.c:3413 [inline]
+ __se_sys_mount fs/namespace.c:3390 [inline]
+ __x64_sys_mount+0x27f/0x300 fs/namespace.c:3390
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+which is oopsing on this line:
+
+ inode_lock(root->d_inode);
+
+presumably because sb->s_root was NULL.
+
+Fixes: 0da0b7fd73e4 ("afs: Display manually added cells in dynamic root mount")
+Reported-by: syzbot+c1eff8205244ae7e11a6@syzkaller.appspotmail.com
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/dynroot.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/fs/afs/dynroot.c b/fs/afs/dynroot.c
+index 7503899c0a1b5..f07e53ab808e3 100644
+--- a/fs/afs/dynroot.c
++++ b/fs/afs/dynroot.c
+@@ -289,15 +289,17 @@ void afs_dynroot_depopulate(struct super_block *sb)
+ net->dynroot_sb = NULL;
+ mutex_unlock(&net->proc_cells_lock);
+
+- inode_lock(root->d_inode);
+-
+- /* Remove all the pins for dirs created for manually added cells */
+- list_for_each_entry_safe(subdir, tmp, &root->d_subdirs, d_child) {
+- if (subdir->d_fsdata) {
+- subdir->d_fsdata = NULL;
+- dput(subdir);
++ if (root) {
++ inode_lock(root->d_inode);
++
++ /* Remove all the pins for dirs created for manually added cells */
++ list_for_each_entry_safe(subdir, tmp, &root->d_subdirs, d_child) {
++ if (subdir->d_fsdata) {
++ subdir->d_fsdata = NULL;
++ dput(subdir);
++ }
+ }
+- }
+
+- inode_unlock(root->d_inode);
++ inode_unlock(root->d_inode);
++ }
+ }
+--
+2.25.1
+
--- /dev/null
+From 6aa7548eb9256d2c2f604911685af018608e0e6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Aug 2020 18:49:50 -0700
+Subject: ARM64: vdso32: Install vdso32 from vdso_install
+
+From: Stephen Boyd <swboyd@chromium.org>
+
+[ Upstream commit 8d75785a814241587802655cc33e384230744f0c ]
+
+Add the 32-bit vdso Makefile to the vdso_install rule so that 'make
+vdso_install' installs the 32-bit compat vdso when it is compiled.
+
+Fixes: a7f71a2c8903 ("arm64: compat: Add vDSO")
+Signed-off-by: Stephen Boyd <swboyd@chromium.org>
+Reviewed-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
+Acked-by: Will Deacon <will@kernel.org>
+Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
+Link: https://lore.kernel.org/r/20200818014950.42492-1-swboyd@chromium.org
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/Makefile | 1 +
+ arch/arm64/kernel/vdso32/Makefile | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile
+index d65aef47ece3b..11a7d6208087f 100644
+--- a/arch/arm64/Makefile
++++ b/arch/arm64/Makefile
+@@ -146,6 +146,7 @@ zinstall install:
+ PHONY += vdso_install
+ vdso_install:
+ $(Q)$(MAKE) $(build)=arch/arm64/kernel/vdso $@
++ $(Q)$(MAKE) $(build)=arch/arm64/kernel/vdso32 $@
+
+ # We use MRPROPER_FILES and CLEAN_FILES now
+ archclean:
+diff --git a/arch/arm64/kernel/vdso32/Makefile b/arch/arm64/kernel/vdso32/Makefile
+index 76b327f88fbb1..40dffe60b8454 100644
+--- a/arch/arm64/kernel/vdso32/Makefile
++++ b/arch/arm64/kernel/vdso32/Makefile
+@@ -190,7 +190,7 @@ quiet_cmd_vdsosym = VDSOSYM $@
+ cmd_vdsosym = $(NM) $< | $(gen-vdsosym) | LC_ALL=C sort > $@
+
+ # Install commands for the unstripped file
+-quiet_cmd_vdso_install = INSTALL $@
++quiet_cmd_vdso_install = INSTALL32 $@
+ cmd_vdso_install = cp $(obj)/$@.dbg $(MODLIB)/vdso/vdso32.so
+
+ vdso.so: $(obj)/vdso.so.dbg
+--
+2.25.1
+
--- /dev/null
+From 210b5e78ef8bfce032fea472ac6b70f5875b66f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Aug 2020 16:41:10 +0800
+Subject: ASoC: intel: Fix memleak in sst_media_open
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit 062fa09f44f4fb3776a23184d5d296b0c8872eb9 ]
+
+When power_up_sst() fails, stream needs to be freed
+just like when try_module_get() fails. However, current
+code is returning directly and ends up leaking memory.
+
+Fixes: 0121327c1a68b ("ASoC: Intel: mfld-pcm: add control for powering up/down dsp")
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Acked-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://lore.kernel.org/r/20200813084112.26205-1-dinghao.liu@zju.edu.cn
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/atom/sst-mfld-platform-pcm.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/intel/atom/sst-mfld-platform-pcm.c b/sound/soc/intel/atom/sst-mfld-platform-pcm.c
+index 8cc3cc363eb03..31f1dd6541aa1 100644
+--- a/sound/soc/intel/atom/sst-mfld-platform-pcm.c
++++ b/sound/soc/intel/atom/sst-mfld-platform-pcm.c
+@@ -331,7 +331,7 @@ static int sst_media_open(struct snd_pcm_substream *substream,
+
+ ret_val = power_up_sst(stream);
+ if (ret_val < 0)
+- return ret_val;
++ goto out_power_up;
+
+ /* Make sure, that the period size is always even */
+ snd_pcm_hw_constraint_step(substream->runtime, 0,
+@@ -340,8 +340,9 @@ static int sst_media_open(struct snd_pcm_substream *substream,
+ return snd_pcm_hw_constraint_integer(runtime,
+ SNDRV_PCM_HW_PARAM_PERIODS);
+ out_ops:
+- kfree(stream);
+ mutex_unlock(&sst_lock);
++out_power_up:
++ kfree(stream);
+ return ret_val;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From a931ff0a3d7819bf2c2a45d41e560f28861a3f07 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Aug 2020 11:34:52 +0100
+Subject: ASoC: msm8916-wcd-analog: fix register Interrupt offset
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+[ Upstream commit ff69c97ef84c9f7795adb49e9f07c9adcdd0c288 ]
+
+For some reason interrupt set and clear register offsets are
+not set correctly.
+This patch corrects them!
+
+Fixes: 585e881e5b9e ("ASoC: codecs: Add msm8916-wcd analog codec")
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Tested-by: Stephan Gerhold <stephan@gerhold.net>
+Reviewed-by: Stephan Gerhold <stephan@gerhold.net>
+Link: https://lore.kernel.org/r/20200811103452.20448-1-srinivas.kandagatla@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/msm8916-wcd-analog.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/msm8916-wcd-analog.c b/sound/soc/codecs/msm8916-wcd-analog.c
+index 84289ebeae872..337bddb7c2a49 100644
+--- a/sound/soc/codecs/msm8916-wcd-analog.c
++++ b/sound/soc/codecs/msm8916-wcd-analog.c
+@@ -19,8 +19,8 @@
+
+ #define CDC_D_REVISION1 (0xf000)
+ #define CDC_D_PERPH_SUBTYPE (0xf005)
+-#define CDC_D_INT_EN_SET (0x015)
+-#define CDC_D_INT_EN_CLR (0x016)
++#define CDC_D_INT_EN_SET (0xf015)
++#define CDC_D_INT_EN_CLR (0xf016)
+ #define MBHC_SWITCH_INT BIT(7)
+ #define MBHC_MIC_ELECTRICAL_INS_REM_DET BIT(6)
+ #define MBHC_BUTTON_PRESS_DET BIT(5)
+--
+2.25.1
+
--- /dev/null
+From d1d0db36d99af3f3e038122dd83a0e50257e61da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Aug 2020 13:02:04 +0100
+Subject: ASoC: q6afe-dai: mark all widgets registers as SND_SOC_NOPM
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+[ Upstream commit 56235e4bc5ae58cb8fcd9314dba4e9ab077ddda8 ]
+
+Looks like the q6afe-dai dapm widget registers are set as "0",
+which is a not correct.
+
+As this registers will be read by ASoC core during startup
+which will throw up errors, Fix this by making the registers
+as SND_SOC_NOPM as these should be never used.
+
+With recent changes to ASoC core, every register read/write
+failures are reported very verbosely. Prior to this fails to reads
+are totally ignored, so we never saw any error messages.
+
+Fixes: 24c4cbcfac09 ("ASoC: qdsp6: q6afe: Add q6afe dai driver")
+Reported-by: John Stultz <john.stultz@linaro.org>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20200811120205.21805-1-srinivas.kandagatla@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/qcom/qdsp6/q6afe-dai.c | 210 +++++++++++++++----------------
+ 1 file changed, 105 insertions(+), 105 deletions(-)
+
+diff --git a/sound/soc/qcom/qdsp6/q6afe-dai.c b/sound/soc/qcom/qdsp6/q6afe-dai.c
+index 2a5302f1db98a..0168af8492727 100644
+--- a/sound/soc/qcom/qdsp6/q6afe-dai.c
++++ b/sound/soc/qcom/qdsp6/q6afe-dai.c
+@@ -1150,206 +1150,206 @@ static int q6afe_of_xlate_dai_name(struct snd_soc_component *component,
+ }
+
+ static const struct snd_soc_dapm_widget q6afe_dai_widgets[] = {
+- SND_SOC_DAPM_AIF_IN("HDMI_RX", NULL, 0, 0, 0, 0),
+- SND_SOC_DAPM_AIF_IN("SLIMBUS_0_RX", NULL, 0, 0, 0, 0),
+- SND_SOC_DAPM_AIF_IN("SLIMBUS_1_RX", NULL, 0, 0, 0, 0),
+- SND_SOC_DAPM_AIF_IN("SLIMBUS_2_RX", NULL, 0, 0, 0, 0),
+- SND_SOC_DAPM_AIF_IN("SLIMBUS_3_RX", NULL, 0, 0, 0, 0),
+- SND_SOC_DAPM_AIF_IN("SLIMBUS_4_RX", NULL, 0, 0, 0, 0),
+- SND_SOC_DAPM_AIF_IN("SLIMBUS_5_RX", NULL, 0, 0, 0, 0),
+- SND_SOC_DAPM_AIF_IN("SLIMBUS_6_RX", NULL, 0, 0, 0, 0),
+- SND_SOC_DAPM_AIF_OUT("SLIMBUS_0_TX", NULL, 0, 0, 0, 0),
+- SND_SOC_DAPM_AIF_OUT("SLIMBUS_1_TX", NULL, 0, 0, 0, 0),
+- SND_SOC_DAPM_AIF_OUT("SLIMBUS_2_TX", NULL, 0, 0, 0, 0),
+- SND_SOC_DAPM_AIF_OUT("SLIMBUS_3_TX", NULL, 0, 0, 0, 0),
+- SND_SOC_DAPM_AIF_OUT("SLIMBUS_4_TX", NULL, 0, 0, 0, 0),
+- SND_SOC_DAPM_AIF_OUT("SLIMBUS_5_TX", NULL, 0, 0, 0, 0),
+- SND_SOC_DAPM_AIF_OUT("SLIMBUS_6_TX", NULL, 0, 0, 0, 0),
++ SND_SOC_DAPM_AIF_IN("HDMI_RX", NULL, 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_IN("SLIMBUS_0_RX", NULL, 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_IN("SLIMBUS_1_RX", NULL, 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_IN("SLIMBUS_2_RX", NULL, 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_IN("SLIMBUS_3_RX", NULL, 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_IN("SLIMBUS_4_RX", NULL, 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_IN("SLIMBUS_5_RX", NULL, 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_IN("SLIMBUS_6_RX", NULL, 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_OUT("SLIMBUS_0_TX", NULL, 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_OUT("SLIMBUS_1_TX", NULL, 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_OUT("SLIMBUS_2_TX", NULL, 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_OUT("SLIMBUS_3_TX", NULL, 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_OUT("SLIMBUS_4_TX", NULL, 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_OUT("SLIMBUS_5_TX", NULL, 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_OUT("SLIMBUS_6_TX", NULL, 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("QUAT_MI2S_RX", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUAT_MI2S_TX", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("TERT_MI2S_RX", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("TERT_MI2S_TX", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("SEC_MI2S_RX", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("SEC_MI2S_TX", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("SEC_MI2S_RX_SD1",
+ "Secondary MI2S Playback SD1",
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("PRI_MI2S_RX", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("PRI_MI2S_TX", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+
+ SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_0", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_1", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_2", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_3", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_4", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_5", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_6", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("PRIMARY_TDM_RX_7", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_0", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_1", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_2", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_3", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_4", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_5", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_6", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("PRIMARY_TDM_TX_7", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+
+ SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_0", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_1", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_2", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_3", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_4", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_5", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_6", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("SEC_TDM_RX_7", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_0", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_1", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_2", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_3", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_4", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_5", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_6", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("SEC_TDM_TX_7", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+
+ SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_0", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_1", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_2", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_3", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_4", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_5", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_6", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("TERT_TDM_RX_7", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_0", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_1", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_2", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_3", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_4", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_5", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_6", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("TERT_TDM_TX_7", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+
+ SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_0", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_1", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_2", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_3", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_4", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_5", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_6", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("QUAT_TDM_RX_7", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_0", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_1", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_2", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_3", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_4", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_5", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_6", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUAT_TDM_TX_7", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+
+ SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_0", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_1", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_2", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_3", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_4", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_5", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_6", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_IN("QUIN_TDM_RX_7", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_0", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_1", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_2", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_3", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_4", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_5", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_6", NULL,
+- 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
+ SND_SOC_DAPM_AIF_OUT("QUIN_TDM_TX_7", NULL,
+- 0, 0, 0, 0),
+- SND_SOC_DAPM_AIF_OUT("DISPLAY_PORT_RX", "NULL", 0, 0, 0, 0),
++ 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_OUT("DISPLAY_PORT_RX", "NULL", 0, SND_SOC_NOPM, 0, 0),
+ };
+
+ static const struct snd_soc_component_driver q6afe_dai_component = {
+--
+2.25.1
+
--- /dev/null
+From a85057d2ec76c54adcf11bdc1d962d552cf4127b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Aug 2020 13:02:05 +0100
+Subject: ASoC: q6routing: add dummy register read/write function
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+[ Upstream commit 796a58fe2b8c9b6668db00d92512ec84be663027 ]
+
+Most of the DAPM widgets for DSP ASoC components reuse reg field
+of the widgets for its internal calculations, however these are not
+real registers. So read/writes to these numbers are not really
+valid. However ASoC core will read these registers to get default
+state during startup.
+
+With recent changes to ASoC core, every register read/write
+failures are reported very verbosely. Prior to this fails to reads
+are totally ignored, so we never saw any error messages.
+
+To fix this add dummy read/write function to return default value.
+
+Fixes: e3a33673e845 ("ASoC: qdsp6: q6routing: Add q6routing driver")
+Reported-by: John Stultz <john.stultz@linaro.org>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20200811120205.21805-2-srinivas.kandagatla@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/qcom/qdsp6/q6routing.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/sound/soc/qcom/qdsp6/q6routing.c b/sound/soc/qcom/qdsp6/q6routing.c
+index ddcd9978cf57b..745cc9dd14f38 100644
+--- a/sound/soc/qcom/qdsp6/q6routing.c
++++ b/sound/soc/qcom/qdsp6/q6routing.c
+@@ -996,6 +996,20 @@ static int msm_routing_probe(struct snd_soc_component *c)
+ return 0;
+ }
+
++static unsigned int q6routing_reg_read(struct snd_soc_component *component,
++ unsigned int reg)
++{
++ /* default value */
++ return 0;
++}
++
++static int q6routing_reg_write(struct snd_soc_component *component,
++ unsigned int reg, unsigned int val)
++{
++ /* dummy */
++ return 0;
++}
++
+ static const struct snd_soc_component_driver msm_soc_routing_component = {
+ .ops = &q6pcm_routing_ops,
+ .probe = msm_routing_probe,
+@@ -1004,6 +1018,8 @@ static const struct snd_soc_component_driver msm_soc_routing_component = {
+ .num_dapm_widgets = ARRAY_SIZE(msm_qdsp6_widgets),
+ .dapm_routes = intercon,
+ .num_dapm_routes = ARRAY_SIZE(intercon),
++ .read = q6routing_reg_read,
++ .write = q6routing_reg_write,
+ };
+
+ static int q6pcm_routing_probe(struct platform_device *pdev)
+--
+2.25.1
+
--- /dev/null
+From e7ba46f4914d3fc2e1ce31d8ca914bab918ad6e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Aug 2020 20:05:58 -0700
+Subject: bonding: fix a potential double-unregister
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit 832707021666411d04795c564a4adea5d6b94f17 ]
+
+When we tear down a network namespace, we unregister all
+the netdevices within it. So we may queue a slave device
+and a bonding device together in the same unregister queue.
+
+If the only slave device is non-ethernet, it would
+automatically unregister the bonding device as well. Thus,
+we may end up unregistering the bonding device twice.
+
+Workaround this special case by checking reg_state.
+
+Fixes: 9b5e383c11b0 ("net: Introduce unregister_netdevice_many()")
+Reported-by: syzbot+af23e7f3e0a7e10c8b67@syzkaller.appspotmail.com
+Cc: Eric Dumazet <eric.dumazet@gmail.com>
+Cc: Andy Gospodarek <andy@greyhouse.net>
+Cc: Jay Vosburgh <j.vosburgh@gmail.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 11c014586d466..ce829a7a92101 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -2037,7 +2037,8 @@ static int bond_release_and_destroy(struct net_device *bond_dev,
+ int ret;
+
+ ret = __bond_release_one(bond_dev, slave_dev, false, true);
+- if (ret == 0 && !bond_has_slaves(bond)) {
++ if (ret == 0 && !bond_has_slaves(bond) &&
++ bond_dev->reg_state != NETREG_UNREGISTERING) {
+ bond_dev->priv_flags |= IFF_DISABLE_NETPOLL;
+ netdev_info(bond_dev, "Destroying bond\n");
+ bond_remove_proc_entry(bond);
+--
+2.25.1
+
--- /dev/null
+From 8facc6fcb6e1094e2de3bf05821d46eb8bd11ccd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 16 Aug 2020 20:52:44 +0200
+Subject: bonding: fix active-backup failover for current ARP slave
+
+From: Jiri Wiesner <jwiesner@suse.com>
+
+[ Upstream commit 0410d07190961ac526f05085765a8d04d926545b ]
+
+When the ARP monitor is used for link detection, ARP replies are
+validated for all slaves (arp_validate=3) and fail_over_mac is set to
+active, two slaves of an active-backup bond may get stuck in a state
+where both of them are active and pass packets that they receive to
+the bond. This state makes IPv6 duplicate address detection fail. The
+state is reached thus:
+1. The current active slave goes down because the ARP target
+ is not reachable.
+2. The current ARP slave is chosen and made active.
+3. A new slave is enslaved. This new slave becomes the current active
+ slave and can reach the ARP target.
+As a result, the current ARP slave stays active after the enslave
+action has finished and the log is littered with "PROBE BAD" messages:
+> bond0: PROBE: c_arp ens10 && cas ens11 BAD
+The workaround is to remove the slave with "going back" status from
+the bond and re-enslave it. This issue was encountered when DPDK PMD
+interfaces were being enslaved to an active-backup bond.
+
+I would be possible to fix the issue in bond_enslave() or
+bond_change_active_slave() but the ARP monitor was fixed instead to
+keep most of the actions changing the current ARP slave in the ARP
+monitor code. The current ARP slave is set as inactive and backup
+during the commit phase. A new state, BOND_LINK_FAIL, has been
+introduced for slaves in the context of the ARP monitor. This allows
+administrators to see how slaves are rotated for sending ARP requests
+and attempts are made to find a new active slave.
+
+Fixes: b2220cad583c9 ("bonding: refactor ARP active-backup monitor")
+Signed-off-by: Jiri Wiesner <jwiesner@suse.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index ce829a7a92101..0d7a173f8e61c 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -2778,6 +2778,9 @@ static int bond_ab_arp_inspect(struct bonding *bond)
+ if (bond_time_in_interval(bond, last_rx, 1)) {
+ bond_propose_link_state(slave, BOND_LINK_UP);
+ commit++;
++ } else if (slave->link == BOND_LINK_BACK) {
++ bond_propose_link_state(slave, BOND_LINK_FAIL);
++ commit++;
+ }
+ continue;
+ }
+@@ -2886,6 +2889,19 @@ static void bond_ab_arp_commit(struct bonding *bond)
+
+ continue;
+
++ case BOND_LINK_FAIL:
++ bond_set_slave_link_state(slave, BOND_LINK_FAIL,
++ BOND_SLAVE_NOTIFY_NOW);
++ bond_set_slave_inactive_flags(slave,
++ BOND_SLAVE_NOTIFY_NOW);
++
++ /* A slave has just been enslaved and has become
++ * the current active slave.
++ */
++ if (rtnl_dereference(bond->curr_active_slave))
++ RCU_INIT_POINTER(bond->current_arp_slave, NULL);
++ continue;
++
+ default:
+ slave_err(bond->dev, slave->dev,
+ "impossible: link_new_state %d on slave\n",
+@@ -2936,8 +2952,6 @@ static bool bond_ab_arp_probe(struct bonding *bond)
+ return should_notify_rtnl;
+ }
+
+- bond_set_slave_inactive_flags(curr_arp_slave, BOND_SLAVE_NOTIFY_LATER);
+-
+ bond_for_each_slave_rcu(bond, slave, iter) {
+ if (!found && !before && bond_slave_is_up(slave))
+ before = slave;
+--
+2.25.1
+
--- /dev/null
+From 40c4ba6b9f269c1dd89858593928a4126620ced5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Aug 2020 10:09:00 -0400
+Subject: bonding: show saner speed for broadcast mode
+
+From: Jarod Wilson <jarod@redhat.com>
+
+[ Upstream commit 4ca0d9ac3fd8f9f90b72a15d8da2aca3ffb58418 ]
+
+Broadcast mode bonds transmit a copy of all traffic simultaneously out of
+all interfaces, so the "speed" of the bond isn't really the aggregate of
+all interfaces, but rather, the speed of the slowest active interface.
+
+Also, the type of the speed field is u32, not unsigned long, so adjust
+that accordingly, as required to make min() function here without
+complaining about mismatching types.
+
+Fixes: bb5b052f751b ("bond: add support to read speed and duplex via ethtool")
+CC: Jay Vosburgh <j.vosburgh@gmail.com>
+CC: Veaceslav Falico <vfalico@gmail.com>
+CC: Andy Gospodarek <andy@greyhouse.net>
+CC: "David S. Miller" <davem@davemloft.net>
+CC: netdev@vger.kernel.org
+Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
+Signed-off-by: Jarod Wilson <jarod@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 499845c32b1bc..11c014586d466 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -4246,13 +4246,23 @@ static netdev_tx_t bond_start_xmit(struct sk_buff *skb, struct net_device *dev)
+ return ret;
+ }
+
++static u32 bond_mode_bcast_speed(struct slave *slave, u32 speed)
++{
++ if (speed == 0 || speed == SPEED_UNKNOWN)
++ speed = slave->speed;
++ else
++ speed = min(speed, slave->speed);
++
++ return speed;
++}
++
+ static int bond_ethtool_get_link_ksettings(struct net_device *bond_dev,
+ struct ethtool_link_ksettings *cmd)
+ {
+ struct bonding *bond = netdev_priv(bond_dev);
+- unsigned long speed = 0;
+ struct list_head *iter;
+ struct slave *slave;
++ u32 speed = 0;
+
+ cmd->base.duplex = DUPLEX_UNKNOWN;
+ cmd->base.port = PORT_OTHER;
+@@ -4264,8 +4274,13 @@ static int bond_ethtool_get_link_ksettings(struct net_device *bond_dev,
+ */
+ bond_for_each_slave(bond, slave, iter) {
+ if (bond_slave_can_tx(slave)) {
+- if (slave->speed != SPEED_UNKNOWN)
+- speed += slave->speed;
++ if (slave->speed != SPEED_UNKNOWN) {
++ if (BOND_MODE(bond) == BOND_MODE_BROADCAST)
++ speed = bond_mode_bcast_speed(slave,
++ speed);
++ else
++ speed += slave->speed;
++ }
+ if (cmd->base.duplex == DUPLEX_UNKNOWN &&
+ slave->duplex != DUPLEX_UNKNOWN)
+ cmd->base.duplex = slave->duplex;
+--
+2.25.1
+
--- /dev/null
+From ffb7a4171351a1c43c71084d7c830d1ca21b8eba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Aug 2020 15:04:56 -0700
+Subject: bpf: sock_ops sk access may stomp registers when dst_reg = src_reg
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+[ Upstream commit 84f44df664e9f0e261157e16ee1acd77cc1bb78d ]
+
+Similar to patch ("bpf: sock_ops ctx access may stomp registers") if the
+src_reg = dst_reg when reading the sk field of a sock_ops struct we
+generate xlated code,
+
+ 53: (61) r9 = *(u32 *)(r9 +28)
+ 54: (15) if r9 == 0x0 goto pc+3
+ 56: (79) r9 = *(u64 *)(r9 +0)
+
+This stomps on the r9 reg to do the sk_fullsock check and then when
+reading the skops->sk field instead of the sk pointer we get the
+sk_fullsock. To fix use similar pattern noted in the previous fix
+and use the temp field to save/restore a register used to do
+sk_fullsock check.
+
+After the fix the generated xlated code reads,
+
+ 52: (7b) *(u64 *)(r9 +32) = r8
+ 53: (61) r8 = *(u32 *)(r9 +28)
+ 54: (15) if r9 == 0x0 goto pc+3
+ 55: (79) r8 = *(u64 *)(r9 +32)
+ 56: (79) r9 = *(u64 *)(r9 +0)
+ 57: (05) goto pc+1
+ 58: (79) r8 = *(u64 *)(r9 +32)
+
+Here r9 register was in-use so r8 is chosen as the temporary register.
+In line 52 r8 is saved in temp variable and at line 54 restored in case
+fullsock != 0. Finally we handle fullsock == 0 case by restoring at
+line 58.
+
+This adds a new macro SOCK_OPS_GET_SK it is almost possible to merge
+this with SOCK_OPS_GET_FIELD, but I found the extra branch logic a
+bit more confusing than just adding a new macro despite a bit of
+duplicating code.
+
+Fixes: 1314ef561102e ("bpf: export bpf_sock for BPF_PROG_TYPE_SOCK_OPS prog type")
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Song Liu <songliubraving@fb.com>
+Acked-by: Martin KaFai Lau <kafai@fb.com>
+Link: https://lore.kernel.org/bpf/159718349653.4728.6559437186853473612.stgit@john-Precision-5820-Tower
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/filter.c | 49 ++++++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 38 insertions(+), 11 deletions(-)
+
+diff --git a/net/core/filter.c b/net/core/filter.c
+index bd1e46d61d8a1..5c490d473df1d 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -8010,6 +8010,43 @@ static u32 sock_ops_convert_ctx_access(enum bpf_access_type type,
+ offsetof(OBJ, OBJ_FIELD)); \
+ } while (0)
+
++#define SOCK_OPS_GET_SK() \
++ do { \
++ int fullsock_reg = si->dst_reg, reg = BPF_REG_9, jmp = 1; \
++ if (si->dst_reg == reg || si->src_reg == reg) \
++ reg--; \
++ if (si->dst_reg == reg || si->src_reg == reg) \
++ reg--; \
++ if (si->dst_reg == si->src_reg) { \
++ *insn++ = BPF_STX_MEM(BPF_DW, si->src_reg, reg, \
++ offsetof(struct bpf_sock_ops_kern, \
++ temp)); \
++ fullsock_reg = reg; \
++ jmp += 2; \
++ } \
++ *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF( \
++ struct bpf_sock_ops_kern, \
++ is_fullsock), \
++ fullsock_reg, si->src_reg, \
++ offsetof(struct bpf_sock_ops_kern, \
++ is_fullsock)); \
++ *insn++ = BPF_JMP_IMM(BPF_JEQ, fullsock_reg, 0, jmp); \
++ if (si->dst_reg == si->src_reg) \
++ *insn++ = BPF_LDX_MEM(BPF_DW, reg, si->src_reg, \
++ offsetof(struct bpf_sock_ops_kern, \
++ temp)); \
++ *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF( \
++ struct bpf_sock_ops_kern, sk),\
++ si->dst_reg, si->src_reg, \
++ offsetof(struct bpf_sock_ops_kern, sk));\
++ if (si->dst_reg == si->src_reg) { \
++ *insn++ = BPF_JMP_A(1); \
++ *insn++ = BPF_LDX_MEM(BPF_DW, reg, si->src_reg, \
++ offsetof(struct bpf_sock_ops_kern, \
++ temp)); \
++ } \
++ } while (0)
++
+ #define SOCK_OPS_GET_TCP_SOCK_FIELD(FIELD) \
+ SOCK_OPS_GET_FIELD(FIELD, FIELD, struct tcp_sock)
+
+@@ -8294,17 +8331,7 @@ static u32 sock_ops_convert_ctx_access(enum bpf_access_type type,
+ SOCK_OPS_GET_TCP_SOCK_FIELD(bytes_acked);
+ break;
+ case offsetof(struct bpf_sock_ops, sk):
+- *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(
+- struct bpf_sock_ops_kern,
+- is_fullsock),
+- si->dst_reg, si->src_reg,
+- offsetof(struct bpf_sock_ops_kern,
+- is_fullsock));
+- *insn++ = BPF_JMP_IMM(BPF_JEQ, si->dst_reg, 0, 1);
+- *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(
+- struct bpf_sock_ops_kern, sk),
+- si->dst_reg, si->src_reg,
+- offsetof(struct bpf_sock_ops_kern, sk));
++ SOCK_OPS_GET_SK();
+ break;
+ }
+ return insn - insn_buf;
+--
+2.25.1
+
--- /dev/null
+From 28e22a5d5313a2faa496a27c73f4e7fc2bdc4941 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Aug 2020 11:50:24 +0800
+Subject: can: j1939: abort multipacket broadcast session when timeout occurs
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit 2b8b2e31555cf55ba3680fb28e2b382e168d7ea1 ]
+
+If timeout occurs, j1939_tp_rxtimer() first calls hrtimer_start() to restart
+rxtimer, and then calls __j1939_session_cancel() to set session->state =
+J1939_SESSION_WAITING_ABORT. At next timeout expiration, because of the
+J1939_SESSION_WAITING_ABORT session state j1939_tp_rxtimer() will call
+j1939_session_deactivate_activate_next() to deactivate current session, and
+rxtimer won't be set.
+
+But for multipacket broadcast session, __j1939_session_cancel() don't set
+session->state = J1939_SESSION_WAITING_ABORT, thus current session won't be
+deactivate and hrtimer_start() is called to start new rxtimer again and again.
+
+So fix it by moving session->state = J1939_SESSION_WAITING_ABORT out of if
+(!j1939_cb_is_broadcast(&session->skcb)) statement.
+
+Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Link: https://lore.kernel.org/r/1596599425-5534-4-git-send-email-zhangchangzhong@huawei.com
+Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/can/j1939/transport.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c
+index d1a9adde677b0..e3167619b196f 100644
+--- a/net/can/j1939/transport.c
++++ b/net/can/j1939/transport.c
+@@ -1074,9 +1074,9 @@ static void __j1939_session_cancel(struct j1939_session *session,
+ lockdep_assert_held(&session->priv->active_session_list_lock);
+
+ session->err = j1939_xtp_abort_to_errno(priv, err);
++ session->state = J1939_SESSION_WAITING_ABORT;
+ /* do not send aborts on incoming broadcasts */
+ if (!j1939_cb_is_broadcast(&session->skcb)) {
+- session->state = J1939_SESSION_WAITING_ABORT;
+ j1939_xtp_tx_abort(priv, &session->skcb,
+ !session->transmission,
+ err, session->skcb.addr.pgn);
+--
+2.25.1
+
--- /dev/null
+From 1ad44c62fae16810c767e7ec4ed563b93fde7f9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Aug 2020 11:50:25 +0800
+Subject: can: j1939: add rxtimer for multipacket broadcast session
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit 0ae18a82686f9b9965a8ce0dd81371871b306ffe ]
+
+According to SAE J1939/21 (Chapter 5.12.3 and APPENDIX C), for transmit side
+the required time interval between packets of a multipacket broadcast message
+is 50 to 200 ms, the responder shall use a timeout of 250ms (provides margin
+allowing for the maximumm spacing of 200ms). For receive side a timeout will
+occur when a time of greater than 750 ms elapsed between two message packets
+when more packets were expected.
+
+So this patch fix and add rxtimer for multipacket broadcast session.
+
+Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Link: https://lore.kernel.org/r/1596599425-5534-5-git-send-email-zhangchangzhong@huawei.com
+Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/can/j1939/transport.c | 28 ++++++++++++++++++++--------
+ 1 file changed, 20 insertions(+), 8 deletions(-)
+
+diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c
+index e3167619b196f..dbd215cbc53d8 100644
+--- a/net/can/j1939/transport.c
++++ b/net/can/j1939/transport.c
+@@ -723,10 +723,12 @@ static int j1939_session_tx_rts(struct j1939_session *session)
+ return ret;
+
+ session->last_txcmd = dat[0];
+- if (dat[0] == J1939_TP_CMD_BAM)
++ if (dat[0] == J1939_TP_CMD_BAM) {
+ j1939_tp_schedule_txtimer(session, 50);
+-
+- j1939_tp_set_rxtimeout(session, 1250);
++ j1939_tp_set_rxtimeout(session, 250);
++ } else {
++ j1939_tp_set_rxtimeout(session, 1250);
++ }
+
+ netdev_dbg(session->priv->ndev, "%s: 0x%p\n", __func__, session);
+
+@@ -1687,11 +1689,15 @@ static void j1939_xtp_rx_rts(struct j1939_priv *priv, struct sk_buff *skb,
+ }
+ session->last_cmd = cmd;
+
+- j1939_tp_set_rxtimeout(session, 1250);
+-
+- if (cmd != J1939_TP_CMD_BAM && !session->transmission) {
+- j1939_session_txtimer_cancel(session);
+- j1939_tp_schedule_txtimer(session, 0);
++ if (cmd == J1939_TP_CMD_BAM) {
++ if (!session->transmission)
++ j1939_tp_set_rxtimeout(session, 750);
++ } else {
++ if (!session->transmission) {
++ j1939_session_txtimer_cancel(session);
++ j1939_tp_schedule_txtimer(session, 0);
++ }
++ j1939_tp_set_rxtimeout(session, 1250);
+ }
+
+ j1939_session_put(session);
+@@ -1742,6 +1748,7 @@ static void j1939_xtp_rx_dat_one(struct j1939_session *session,
+ int offset;
+ int nbytes;
+ bool final = false;
++ bool remain = false;
+ bool do_cts_eoma = false;
+ int packet;
+
+@@ -1804,6 +1811,8 @@ static void j1939_xtp_rx_dat_one(struct j1939_session *session,
+ j1939_cb_is_broadcast(&session->skcb)) {
+ if (session->pkt.rx >= session->pkt.total)
+ final = true;
++ else
++ remain = true;
+ } else {
+ /* never final, an EOMA must follow */
+ if (session->pkt.rx >= session->pkt.last)
+@@ -1813,6 +1822,9 @@ static void j1939_xtp_rx_dat_one(struct j1939_session *session,
+ if (final) {
+ j1939_session_timers_cancel(session);
+ j1939_session_completed(session);
++ } else if (remain) {
++ if (!session->transmission)
++ j1939_tp_set_rxtimeout(session, 750);
+ } else if (do_cts_eoma) {
+ j1939_tp_set_rxtimeout(session, 1250);
+ if (!session->transmission)
+--
+2.25.1
+
--- /dev/null
+From 027acd9def4c4438a90c174ca479bf80d71c9e57 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Aug 2020 11:50:23 +0800
+Subject: can: j1939: cancel rxtimer on multipacket broadcast session complete
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit e8b17653088f28a87c81845fa41a2d295a3b458c ]
+
+If j1939_xtp_rx_dat_one() receive last frame of multipacket broadcast message,
+j1939_session_timers_cancel() should be called to cancel rxtimer.
+
+Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Link: https://lore.kernel.org/r/1596599425-5534-3-git-send-email-zhangchangzhong@huawei.com
+Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/can/j1939/transport.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c
+index 67189b4c482c5..d1a9adde677b0 100644
+--- a/net/can/j1939/transport.c
++++ b/net/can/j1939/transport.c
+@@ -1811,6 +1811,7 @@ static void j1939_xtp_rx_dat_one(struct j1939_session *session,
+ }
+
+ if (final) {
++ j1939_session_timers_cancel(session);
+ j1939_session_completed(session);
+ } else if (do_cts_eoma) {
+ j1939_tp_set_rxtimeout(session, 1250);
+--
+2.25.1
+
--- /dev/null
+From 94450e7c92f567801c4d2a3e8d6615a1fc95fb79 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Aug 2020 09:18:34 -0700
+Subject: can: j1939: fix kernel-infoleak in j1939_sk_sock2sockaddr_can()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 38ba8b9241f5848a49b80fddac9ab5f4692e434e ]
+
+syzbot found that at least 2 bytes of kernel information
+were leaked during getsockname() on AF_CAN CAN_J1939 socket.
+
+Since struct sockaddr_can has in fact two holes, simply
+clear the whole area before filling it with useful data.
+
+BUG: KMSAN: kernel-infoleak in kmsan_copy_to_user+0x81/0x90 mm/kmsan/kmsan_hooks.c:253
+CPU: 0 PID: 8466 Comm: syz-executor511 Not tainted 5.8.0-rc5-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x21c/0x280 lib/dump_stack.c:118
+ kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121
+ kmsan_internal_check_memory+0x238/0x3d0 mm/kmsan/kmsan.c:423
+ kmsan_copy_to_user+0x81/0x90 mm/kmsan/kmsan_hooks.c:253
+ instrument_copy_to_user include/linux/instrumented.h:91 [inline]
+ _copy_to_user+0x18e/0x260 lib/usercopy.c:39
+ copy_to_user include/linux/uaccess.h:186 [inline]
+ move_addr_to_user+0x3de/0x670 net/socket.c:237
+ __sys_getsockname+0x407/0x5e0 net/socket.c:1909
+ __do_sys_getsockname net/socket.c:1920 [inline]
+ __se_sys_getsockname+0x91/0xb0 net/socket.c:1917
+ __x64_sys_getsockname+0x4a/0x70 net/socket.c:1917
+ do_syscall_64+0xad/0x160 arch/x86/entry/common.c:386
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x440219
+Code: Bad RIP value.
+RSP: 002b:00007ffe5ee150c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000033
+RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440219
+RDX: 0000000020000240 RSI: 0000000020000100 RDI: 0000000000000003
+RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a20
+R13: 0000000000401ab0 R14: 0000000000000000 R15: 0000000000000000
+
+Local variable ----address@__sys_getsockname created at:
+ __sys_getsockname+0x91/0x5e0 net/socket.c:1894
+ __sys_getsockname+0x91/0x5e0 net/socket.c:1894
+
+Bytes 2-3 of 24 are uninitialized
+Memory access of size 24 starts at ffff8880ba2c7de8
+Data copied to user address 0000000020000100
+
+Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Robin van der Gracht <robin@protonic.nl>
+Cc: Oleksij Rempel <o.rempel@pengutronix.de>
+Cc: Pengutronix Kernel Team <kernel@pengutronix.de>
+Cc: linux-can@vger.kernel.org
+Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Link: https://lore.kernel.org/r/20200813161834.4021638-1-edumazet@google.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/can/j1939/socket.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/can/j1939/socket.c b/net/can/j1939/socket.c
+index 11d566c70a944..1b7dc1a8547f3 100644
+--- a/net/can/j1939/socket.c
++++ b/net/can/j1939/socket.c
+@@ -561,6 +561,11 @@ static int j1939_sk_connect(struct socket *sock, struct sockaddr *uaddr,
+ static void j1939_sk_sock2sockaddr_can(struct sockaddr_can *addr,
+ const struct j1939_sock *jsk, int peer)
+ {
++ /* There are two holes (2 bytes and 3 bytes) to clear to avoid
++ * leaking kernel information to user space.
++ */
++ memset(addr, 0, J1939_MIN_NAMELEN);
++
+ addr->can_family = AF_CAN;
+ addr->can_ifindex = jsk->ifindex;
+ addr->can_addr.j1939.pgn = jsk->addr.pgn;
+--
+2.25.1
+
--- /dev/null
+From 14a0fcbf74c89dc134aa2c9c88fc328268f6d91a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Aug 2020 11:50:22 +0800
+Subject: can: j1939: fix support for multipacket broadcast message
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit f4fd77fd87e9b214c26bb2ebd4f90055eaea5ade ]
+
+Currently j1939_tp_im_involved_anydir() in j1939_tp_recv() check the previously
+set flags J1939_ECU_LOCAL_DST and J1939_ECU_LOCAL_SRC of incoming skb, thus
+multipacket broadcast message was aborted by receive side because it may come
+from remote ECUs and have no exact dst address. Similarly, j1939_tp_cmd_recv()
+and j1939_xtp_rx_dat() didn't process broadcast message.
+
+So fix it by checking and process broadcast message in j1939_tp_recv(),
+j1939_tp_cmd_recv() and j1939_xtp_rx_dat().
+
+Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Link: https://lore.kernel.org/r/1596599425-5534-2-git-send-email-zhangchangzhong@huawei.com
+Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/can/j1939/transport.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c
+index 90a2baac8a4aa..67189b4c482c5 100644
+--- a/net/can/j1939/transport.c
++++ b/net/can/j1939/transport.c
+@@ -1673,8 +1673,12 @@ static void j1939_xtp_rx_rts(struct j1939_priv *priv, struct sk_buff *skb,
+ return;
+ }
+ session = j1939_xtp_rx_rts_session_new(priv, skb);
+- if (!session)
++ if (!session) {
++ if (cmd == J1939_TP_CMD_BAM && j1939_sk_recv_match(priv, skcb))
++ netdev_info(priv->ndev, "%s: failed to create TP BAM session\n",
++ __func__);
+ return;
++ }
+ } else {
+ if (j1939_xtp_rx_rts_session_active(session, skb)) {
+ j1939_session_put(session);
+@@ -1852,6 +1856,13 @@ static void j1939_xtp_rx_dat(struct j1939_priv *priv, struct sk_buff *skb)
+ else
+ j1939_xtp_rx_dat_one(session, skb);
+ }
++
++ if (j1939_cb_is_broadcast(skcb)) {
++ session = j1939_session_get_by_addr(priv, &skcb->addr, false,
++ false);
++ if (session)
++ j1939_xtp_rx_dat_one(session, skb);
++ }
+ }
+
+ /* j1939 main intf */
+@@ -1943,7 +1954,7 @@ static void j1939_tp_cmd_recv(struct j1939_priv *priv, struct sk_buff *skb)
+ if (j1939_tp_im_transmitter(skcb))
+ j1939_xtp_rx_rts(priv, skb, true);
+
+- if (j1939_tp_im_receiver(skcb))
++ if (j1939_tp_im_receiver(skcb) || j1939_cb_is_broadcast(skcb))
+ j1939_xtp_rx_rts(priv, skb, false);
+
+ break;
+@@ -2007,7 +2018,7 @@ int j1939_tp_recv(struct j1939_priv *priv, struct sk_buff *skb)
+ {
+ struct j1939_sk_buff_cb *skcb = j1939_skb_to_cb(skb);
+
+- if (!j1939_tp_im_involved_anydir(skcb))
++ if (!j1939_tp_im_involved_anydir(skcb) && !j1939_cb_is_broadcast(skcb))
+ return 0;
+
+ switch (skcb->addr.pgn) {
+--
+2.25.1
+
--- /dev/null
+From b75fddf482cc41af6df251cb19bc390918c05833 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Aug 2020 12:51:59 +0200
+Subject: can: j1939: transport: add j1939_session_skb_find_by_offset()
+ function
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+[ Upstream commit 840835c9281215341d84966a8855f267a971e6a3 ]
+
+Sometimes it makes no sense to search the skb by pkt.dpo, since we need
+next the skb within the transaction block. This may happen if we have an
+ETP session with CTS set to less than 255 packets.
+
+After this patch, we will be able to work with ETP sessions where the
+block size (ETP.CM_CTS byte 2) is less than 255 packets.
+
+Reported-by: Henrique Figueira <henrislip@gmail.com>
+Reported-by: https://github.com/linux-can/can-utils/issues/228
+Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Link: https://lore.kernel.org/r/20200807105200.26441-5-o.rempel@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/can/j1939/transport.c | 22 +++++++++++++++-------
+ 1 file changed, 15 insertions(+), 7 deletions(-)
+
+diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c
+index 30957c9a8eb7a..90a2baac8a4aa 100644
+--- a/net/can/j1939/transport.c
++++ b/net/can/j1939/transport.c
+@@ -352,17 +352,16 @@ void j1939_session_skb_queue(struct j1939_session *session,
+ skb_queue_tail(&session->skb_queue, skb);
+ }
+
+-static struct sk_buff *j1939_session_skb_find(struct j1939_session *session)
++static struct
++sk_buff *j1939_session_skb_find_by_offset(struct j1939_session *session,
++ unsigned int offset_start)
+ {
+ struct j1939_priv *priv = session->priv;
++ struct j1939_sk_buff_cb *do_skcb;
+ struct sk_buff *skb = NULL;
+ struct sk_buff *do_skb;
+- struct j1939_sk_buff_cb *do_skcb;
+- unsigned int offset_start;
+ unsigned long flags;
+
+- offset_start = session->pkt.dpo * 7;
+-
+ spin_lock_irqsave(&session->skb_queue.lock, flags);
+ skb_queue_walk(&session->skb_queue, do_skb) {
+ do_skcb = j1939_skb_to_cb(do_skb);
+@@ -382,6 +381,14 @@ static struct sk_buff *j1939_session_skb_find(struct j1939_session *session)
+ return skb;
+ }
+
++static struct sk_buff *j1939_session_skb_find(struct j1939_session *session)
++{
++ unsigned int offset_start;
++
++ offset_start = session->pkt.dpo * 7;
++ return j1939_session_skb_find_by_offset(session, offset_start);
++}
++
+ /* see if we are receiver
+ * returns 0 for broadcasts, although we will receive them
+ */
+@@ -766,7 +773,7 @@ static int j1939_session_tx_dat(struct j1939_session *session)
+ int ret = 0;
+ u8 dat[8];
+
+- se_skb = j1939_session_skb_find(session);
++ se_skb = j1939_session_skb_find_by_offset(session, session->pkt.tx * 7);
+ if (!se_skb)
+ return -ENOBUFS;
+
+@@ -1765,7 +1772,8 @@ static void j1939_xtp_rx_dat_one(struct j1939_session *session,
+ __func__, session);
+ goto out_session_cancel;
+ }
+- se_skb = j1939_session_skb_find(session);
++
++ se_skb = j1939_session_skb_find_by_offset(session, packet * 7);
+ if (!se_skb) {
+ netdev_warn(priv->ndev, "%s: 0x%p: no skb found\n", __func__,
+ session);
+--
+2.25.1
+
--- /dev/null
+From 356afd0a5639f8e6a679768dfdc35af5bfa9f4fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Aug 2020 12:51:56 +0200
+Subject: can: j1939: transport: j1939_simple_recv(): ignore local J1939
+ messages send not by J1939 stack
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+[ Upstream commit b43e3a82bc432c1caaed8950e7662c143470c54c ]
+
+In current J1939 stack implementation, we process all locally send
+messages as own messages. Even if it was send by CAN_RAW socket.
+
+To reproduce it use following commands:
+testj1939 -P -r can0:0x80 &
+cansend can0 18238040#0123
+
+This step will trigger false positive not critical warning:
+j1939_simple_recv: Received already invalidated message
+
+With this patch we add additional check to make sure, related skb is own
+echo message.
+
+Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Link: https://lore.kernel.org/r/20200807105200.26441-2-o.rempel@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/can/j1939/socket.c | 1 +
+ net/can/j1939/transport.c | 4 ++++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/net/can/j1939/socket.c b/net/can/j1939/socket.c
+index 1b7dc1a8547f3..bf9fd6ee88fe0 100644
+--- a/net/can/j1939/socket.c
++++ b/net/can/j1939/socket.c
+@@ -398,6 +398,7 @@ static int j1939_sk_init(struct sock *sk)
+ spin_lock_init(&jsk->sk_session_queue_lock);
+ INIT_LIST_HEAD(&jsk->sk_session_queue);
+ sk->sk_destruct = j1939_sk_sock_destruct;
++ sk->sk_protocol = CAN_J1939;
+
+ return 0;
+ }
+diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c
+index 5bfe6bf15a999..30957c9a8eb7a 100644
+--- a/net/can/j1939/transport.c
++++ b/net/can/j1939/transport.c
+@@ -2032,6 +2032,10 @@ void j1939_simple_recv(struct j1939_priv *priv, struct sk_buff *skb)
+ if (!skb->sk)
+ return;
+
++ if (skb->sk->sk_family != AF_CAN ||
++ skb->sk->sk_protocol != CAN_J1939)
++ return;
++
+ j1939_session_list_lock(priv);
+ session = j1939_session_get_simple(priv, skb);
+ j1939_session_list_unlock(priv);
+--
+2.25.1
+
--- /dev/null
+From 772075486ec94b70c7af005a578d8ff42d5c04d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Jul 2020 16:16:51 +0200
+Subject: efi: avoid error message when booting under Xen
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit 6163a985e50cb19d5bdf73f98e45b8af91a77658 ]
+
+efifb_probe() will issue an error message in case the kernel is booted
+as Xen dom0 from UEFI as EFI_MEMMAP won't be set in this case. Avoid
+that message by calling efi_mem_desc_lookup() only if EFI_MEMMAP is set.
+
+Fixes: 38ac0287b7f4 ("fbdev/efifb: Honour UEFI memory map attributes when mapping the FB")
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Acked-by: Ard Biesheuvel <ardb@kernel.org>
+Acked-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/efifb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/video/fbdev/efifb.c b/drivers/video/fbdev/efifb.c
+index 51d97ec4f58f9..e0cbf5b3d2174 100644
+--- a/drivers/video/fbdev/efifb.c
++++ b/drivers/video/fbdev/efifb.c
+@@ -453,7 +453,7 @@ static int efifb_probe(struct platform_device *dev)
+ info->apertures->ranges[0].base = efifb_fix.smem_start;
+ info->apertures->ranges[0].size = size_remap;
+
+- if (efi_enabled(EFI_BOOT) &&
++ if (efi_enabled(EFI_MEMMAP) &&
+ !efi_mem_desc_lookup(efifb_fix.smem_start, &md)) {
+ if ((efifb_fix.smem_start + efifb_fix.smem_len) >
+ (md.phys_addr + (md.num_pages << EFI_PAGE_SHIFT))) {
+--
+2.25.1
+
--- /dev/null
+From 571f9bc3c02e91de326292c01929fcea601f2e82 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Jul 2020 15:04:33 +0200
+Subject: ext4: don't allow overlapping system zones
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit bf9a379d0980e7413d94cb18dac73db2bfc5f470 ]
+
+Currently, add_system_zone() just silently merges two added system zones
+that overlap. However the overlap should not happen and it generally
+suggests that some unrelated metadata overlap which indicates the fs is
+corrupted. We should have caught such problems earlier (e.g. in
+ext4_check_descriptors()) but add this check as another line of defense.
+In later patch we also use this for stricter checking of journal inode
+extent tree.
+
+Reviewed-by: Lukas Czerner <lczerner@redhat.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20200728130437.7804-3-jack@suse.cz
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/block_validity.c | 36 +++++++++++++-----------------------
+ 1 file changed, 13 insertions(+), 23 deletions(-)
+
+diff --git a/fs/ext4/block_validity.c b/fs/ext4/block_validity.c
+index ff8e1205127ee..ceb54ccc937e9 100644
+--- a/fs/ext4/block_validity.c
++++ b/fs/ext4/block_validity.c
+@@ -68,7 +68,7 @@ static int add_system_zone(struct ext4_system_blocks *system_blks,
+ ext4_fsblk_t start_blk,
+ unsigned int count)
+ {
+- struct ext4_system_zone *new_entry = NULL, *entry;
++ struct ext4_system_zone *new_entry, *entry;
+ struct rb_node **n = &system_blks->root.rb_node, *node;
+ struct rb_node *parent = NULL, *new_node = NULL;
+
+@@ -79,30 +79,20 @@ static int add_system_zone(struct ext4_system_blocks *system_blks,
+ n = &(*n)->rb_left;
+ else if (start_blk >= (entry->start_blk + entry->count))
+ n = &(*n)->rb_right;
+- else {
+- if (start_blk + count > (entry->start_blk +
+- entry->count))
+- entry->count = (start_blk + count -
+- entry->start_blk);
+- new_node = *n;
+- new_entry = rb_entry(new_node, struct ext4_system_zone,
+- node);
+- break;
+- }
++ else /* Unexpected overlap of system zones. */
++ return -EFSCORRUPTED;
+ }
+
+- if (!new_entry) {
+- new_entry = kmem_cache_alloc(ext4_system_zone_cachep,
+- GFP_KERNEL);
+- if (!new_entry)
+- return -ENOMEM;
+- new_entry->start_blk = start_blk;
+- new_entry->count = count;
+- new_node = &new_entry->node;
+-
+- rb_link_node(new_node, parent, n);
+- rb_insert_color(new_node, &system_blks->root);
+- }
++ new_entry = kmem_cache_alloc(ext4_system_zone_cachep,
++ GFP_KERNEL);
++ if (!new_entry)
++ return -ENOMEM;
++ new_entry->start_blk = start_blk;
++ new_entry->count = count;
++ new_node = &new_entry->node;
++
++ rb_link_node(new_node, parent, n);
++ rb_insert_color(new_node, &system_blks->root);
+
+ /* Can we merge to the left? */
+ node = rb_prev(new_node);
+--
+2.25.1
+
--- /dev/null
+From 638c679db31663428c232ef957655bfc74793c6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Jun 2020 14:19:04 -0500
+Subject: ext4: fix potential negative array index in do_split()
+
+From: Eric Sandeen <sandeen@redhat.com>
+
+[ Upstream commit 5872331b3d91820e14716632ebb56b1399b34fe1 ]
+
+If for any reason a directory passed to do_split() does not have enough
+active entries to exceed half the size of the block, we can end up
+iterating over all "count" entries without finding a split point.
+
+In this case, count == move, and split will be zero, and we will
+attempt a negative index into map[].
+
+Guard against this by detecting this case, and falling back to
+split-to-half-of-count instead; in this case we will still have
+plenty of space (> half blocksize) in each split block.
+
+Fixes: ef2b02d3e617 ("ext34: ensure do_split leaves enough free space in both blocks")
+Signed-off-by: Eric Sandeen <sandeen@redhat.com>
+Reviewed-by: Andreas Dilger <adilger@dilger.ca>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/f53e246b-647c-64bb-16ec-135383c70ad7@redhat.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/namei.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
+index 0218b1407abbb..36a81b57012a5 100644
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -1852,7 +1852,7 @@ static struct ext4_dir_entry_2 *do_split(handle_t *handle, struct inode *dir,
+ blocksize, hinfo, map);
+ map -= count;
+ dx_sort_map(map, count);
+- /* Split the existing block in the middle, size-wise */
++ /* Ensure that neither split block is over half full */
+ size = 0;
+ move = 0;
+ for (i = count-1; i >= 0; i--) {
+@@ -1862,8 +1862,18 @@ static struct ext4_dir_entry_2 *do_split(handle_t *handle, struct inode *dir,
+ size += map[i].size;
+ move++;
+ }
+- /* map index at which we will split */
+- split = count - move;
++ /*
++ * map index at which we will split
++ *
++ * If the sum of active entries didn't exceed half the block size, just
++ * split it in half by count; each resulting block will have at least
++ * half the space free.
++ */
++ if (i > 0)
++ split = count - move;
++ else
++ split = count/2;
++
+ hash2 = map[split].hash;
+ continued = hash2 == map[split - 1].hash;
+ dxtrace(printk(KERN_INFO "Split block %lu at %x, %i/%i\n",
+--
+2.25.1
+
--- /dev/null
+From 042bedd5a400f9be2d4bac2e1c54d536b787e0a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Aug 2020 06:30:47 +0200
+Subject: Fix build error when CONFIG_ACPI is not set/enabled:
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit ee87e1557c42dc9c2da11c38e11b87c311569853 ]
+
+../arch/x86/pci/xen.c: In function ‘pci_xen_init’:
+../arch/x86/pci/xen.c:410:2: error: implicit declaration of function ‘acpi_noirq_set’; did you mean ‘acpi_irq_get’? [-Werror=implicit-function-declaration]
+ acpi_noirq_set();
+
+Fixes: 88e9ca161c13 ("xen/pci: Use acpi_noirq_set() helper to avoid #ifdef")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: Bjorn Helgaas <bhelgaas@google.com>
+Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Cc: xen-devel@lists.xenproject.org
+Cc: linux-pci@vger.kernel.org
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/pci/xen.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/pci/xen.c b/arch/x86/pci/xen.c
+index 91220cc258547..5c11ae66b5d8e 100644
+--- a/arch/x86/pci/xen.c
++++ b/arch/x86/pci/xen.c
+@@ -26,6 +26,7 @@
+ #include <asm/xen/pci.h>
+ #include <asm/xen/cpuid.h>
+ #include <asm/apic.h>
++#include <asm/acpi.h>
+ #include <asm/i8259.h>
+
+ static int xen_pcifront_enable_irq(struct pci_dev *dev)
+--
+2.25.1
+
--- /dev/null
+From 2d6d99232580fe0427ce1e6665a7bf72211927f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Aug 2020 14:53:15 -0700
+Subject: hv_netvsc: Fix the queue_mapping in netvsc_vf_xmit()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Haiyang Zhang <haiyangz@microsoft.com>
+
+[ Upstream commit c3d897e01aef8ddc43149e4d661b86f823e3aae7 ]
+
+netvsc_vf_xmit() / dev_queue_xmit() will call VF NIC’s ndo_select_queue
+or netdev_pick_tx() again. They will use skb_get_rx_queue() to get the
+queue number, so the “skb->queue_mapping - 1” will be used. This may
+cause the last queue of VF not been used.
+
+Use skb_record_rx_queue() here, so that the skb_get_rx_queue() called
+later will get the correct queue number, and VF will be able to use
+all queues.
+
+Fixes: b3bf5666a510 ("hv_netvsc: defer queue selection to VF")
+Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/hyperv/netvsc_drv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c
+index 24bb721a12bc0..42eb7a7ecd96b 100644
+--- a/drivers/net/hyperv/netvsc_drv.c
++++ b/drivers/net/hyperv/netvsc_drv.c
+@@ -501,7 +501,7 @@ static int netvsc_vf_xmit(struct net_device *net, struct net_device *vf_netdev,
+ int rc;
+
+ skb->dev = vf_netdev;
+- skb->queue_mapping = qdisc_skb_cb(skb)->slave_dev_queue_mapping;
++ skb_record_rx_queue(skb, qdisc_skb_cb(skb)->slave_dev_queue_mapping);
+
+ rc = dev_queue_xmit(skb);
+ if (likely(rc == NET_XMIT_SUCCESS || rc == NET_XMIT_CN)) {
+--
+2.25.1
+
--- /dev/null
+From a5db4c1227481067d4a481d93671f09c173727cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Aug 2020 10:56:49 +0000
+Subject: i40e: Fix crash during removing i40e driver
+
+From: Grzegorz Szczurek <grzegorzx.szczurek@intel.com>
+
+[ Upstream commit 5b6d4a7f20b09c47ca598760f6dafd554af8b6d5 ]
+
+Fix the reason of crashing system by add waiting time to finish reset
+recovery process before starting remove driver procedure.
+Now VSI is releasing if VSI is not in reset recovery mode.
+Without this fix it was possible to start remove driver if other
+processing command need reset recovery procedure which resulted in
+null pointer dereference. VSI used by the ethtool process has been
+cleared by remove driver process.
+
+[ 6731.508665] BUG: kernel NULL pointer dereference, address: 0000000000000000
+[ 6731.508668] #PF: supervisor read access in kernel mode
+[ 6731.508670] #PF: error_code(0x0000) - not-present page
+[ 6731.508671] PGD 0 P4D 0
+[ 6731.508674] Oops: 0000 [#1] SMP PTI
+[ 6731.508679] Hardware name: Intel Corporation S2600WT2R/S2600WT2R, BIOS SE5C610.86B.01.01.0021.032120170601 03/21/2017
+[ 6731.508694] RIP: 0010:i40e_down+0x252/0x310 [i40e]
+[ 6731.508696] Code: c7 78 de fa c0 e8 61 02 3a c1 66 83 bb f6 0c 00 00 00 0f 84 bf 00 00 00 45 31 e4 45 31 ff eb 03 41 89 c7 48 8b 83 98 0c 00 00 <4a> 8b 3c 20 e8 a5 79 02 00 48 83 bb d0 0c 00 00 00 74 10 48 8b 83
+[ 6731.508698] RSP: 0018:ffffb75ac7b3faf0 EFLAGS: 00010246
+[ 6731.508700] RAX: 0000000000000000 RBX: ffff9c9874bd5000 RCX: 0000000000000007
+[ 6731.508701] RDX: 0000000000000000 RSI: 0000000000000096 RDI: ffff9c987f4d9780
+[ 6731.508703] RBP: ffffb75ac7b3fb30 R08: 0000000000005b60 R09: 0000000000000004
+[ 6731.508704] R10: ffffb75ac64fbd90 R11: 0000000000000001 R12: 0000000000000000
+[ 6731.508706] R13: ffff9c97a08e0000 R14: ffff9c97a08e0a68 R15: 0000000000000000
+[ 6731.508708] FS: 00007f2617cd2740(0000) GS:ffff9c987f4c0000(0000) knlGS:0000000000000000
+[ 6731.508710] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 6731.508711] CR2: 0000000000000000 CR3: 0000001e765c4006 CR4: 00000000003606e0
+[ 6731.508713] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 6731.508714] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 6731.508715] Call Trace:
+[ 6731.508734] i40e_vsi_close+0x84/0x90 [i40e]
+[ 6731.508742] i40e_quiesce_vsi.part.98+0x3c/0x40 [i40e]
+[ 6731.508749] i40e_pf_quiesce_all_vsi+0x55/0x60 [i40e]
+[ 6731.508757] i40e_prep_for_reset+0x59/0x130 [i40e]
+[ 6731.508765] i40e_reconfig_rss_queues+0x5a/0x120 [i40e]
+[ 6731.508774] i40e_set_channels+0xda/0x170 [i40e]
+[ 6731.508778] ethtool_set_channels+0xe9/0x150
+[ 6731.508781] dev_ethtool+0x1b94/0x2920
+[ 6731.508805] dev_ioctl+0xc2/0x590
+[ 6731.508811] sock_do_ioctl+0xae/0x150
+[ 6731.508813] sock_ioctl+0x34f/0x3c0
+[ 6731.508821] ksys_ioctl+0x98/0xb0
+[ 6731.508828] __x64_sys_ioctl+0x1a/0x20
+[ 6731.508831] do_syscall_64+0x57/0x1c0
+[ 6731.508835] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: 4b8164467b85 ("i40e: Add common function for finding VSI by type")
+Signed-off-by: Grzegorz Szczurek <grzegorzx.szczurek@intel.com>
+Signed-off-by: Arkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index 095ed81cc0ba4..b3c3911adfc2e 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -15342,6 +15342,9 @@ static void i40e_remove(struct pci_dev *pdev)
+ i40e_write_rx_ctl(hw, I40E_PFQF_HENA(0), 0);
+ i40e_write_rx_ctl(hw, I40E_PFQF_HENA(1), 0);
+
++ while (test_bit(__I40E_RESET_RECOVERY_PENDING, pf->state))
++ usleep_range(1000, 2000);
++
+ /* no more scheduling of any task */
+ set_bit(__I40E_SUSPENDED, pf->state);
+ set_bit(__I40E_DOWN, pf->state);
+--
+2.25.1
+
--- /dev/null
+From 973edf07e3606c0c41ba95f22664feed2795d726 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Aug 2020 13:40:59 +0000
+Subject: i40e: Set RX_ONLY mode for unicast promiscuous on VLAN
+
+From: Przemyslaw Patynowski <przemyslawx.patynowski@intel.com>
+
+[ Upstream commit 4bd5e02a2ed1575c2f65bd3c557a077dd399f0e8 ]
+
+Trusted VF with unicast promiscuous mode set, could listen to TX
+traffic of other VFs.
+Set unicast promiscuous mode to RX traffic, if VSI has port VLAN
+configured. Rename misleading I40E_AQC_SET_VSI_PROMISC_TX bit to
+I40E_AQC_SET_VSI_PROMISC_RX_ONLY. Aligned unicast promiscuous with
+VLAN to the one without VLAN.
+
+Fixes: 6c41a7606967 ("i40e: Add promiscuous on VLAN support")
+Fixes: 3b1200891b7f ("i40e: When in promisc mode apply promisc mode to Tx Traffic as well")
+Signed-off-by: Przemyslaw Patynowski <przemyslawx.patynowski@intel.com>
+Signed-off-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Arkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/intel/i40e/i40e_adminq_cmd.h | 2 +-
+ drivers/net/ethernet/intel/i40e/i40e_common.c | 35 ++++++++++++++-----
+ 2 files changed, 28 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h b/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h
+index 69a2daaca5c56..d7684ac2522ef 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h
++++ b/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h
+@@ -1211,7 +1211,7 @@ struct i40e_aqc_set_vsi_promiscuous_modes {
+ #define I40E_AQC_SET_VSI_PROMISC_BROADCAST 0x04
+ #define I40E_AQC_SET_VSI_DEFAULT 0x08
+ #define I40E_AQC_SET_VSI_PROMISC_VLAN 0x10
+-#define I40E_AQC_SET_VSI_PROMISC_TX 0x8000
++#define I40E_AQC_SET_VSI_PROMISC_RX_ONLY 0x8000
+ __le16 seid;
+ #define I40E_AQC_VSI_PROM_CMD_SEID_MASK 0x3FF
+ __le16 vlan_tag;
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_common.c b/drivers/net/ethernet/intel/i40e/i40e_common.c
+index 3160b5bbe6728..66f7deaf46ae2 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_common.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_common.c
+@@ -1949,6 +1949,21 @@ i40e_status i40e_aq_set_phy_debug(struct i40e_hw *hw, u8 cmd_flags,
+ return status;
+ }
+
++/**
++ * i40e_is_aq_api_ver_ge
++ * @aq: pointer to AdminQ info containing HW API version to compare
++ * @maj: API major value
++ * @min: API minor value
++ *
++ * Assert whether current HW API version is greater/equal than provided.
++ **/
++static bool i40e_is_aq_api_ver_ge(struct i40e_adminq_info *aq, u16 maj,
++ u16 min)
++{
++ return (aq->api_maj_ver > maj ||
++ (aq->api_maj_ver == maj && aq->api_min_ver >= min));
++}
++
+ /**
+ * i40e_aq_add_vsi
+ * @hw: pointer to the hw struct
+@@ -2074,18 +2089,16 @@ i40e_status i40e_aq_set_vsi_unicast_promiscuous(struct i40e_hw *hw,
+
+ if (set) {
+ flags |= I40E_AQC_SET_VSI_PROMISC_UNICAST;
+- if (rx_only_promisc &&
+- (((hw->aq.api_maj_ver == 1) && (hw->aq.api_min_ver >= 5)) ||
+- (hw->aq.api_maj_ver > 1)))
+- flags |= I40E_AQC_SET_VSI_PROMISC_TX;
++ if (rx_only_promisc && i40e_is_aq_api_ver_ge(&hw->aq, 1, 5))
++ flags |= I40E_AQC_SET_VSI_PROMISC_RX_ONLY;
+ }
+
+ cmd->promiscuous_flags = cpu_to_le16(flags);
+
+ cmd->valid_flags = cpu_to_le16(I40E_AQC_SET_VSI_PROMISC_UNICAST);
+- if (((hw->aq.api_maj_ver >= 1) && (hw->aq.api_min_ver >= 5)) ||
+- (hw->aq.api_maj_ver > 1))
+- cmd->valid_flags |= cpu_to_le16(I40E_AQC_SET_VSI_PROMISC_TX);
++ if (i40e_is_aq_api_ver_ge(&hw->aq, 1, 5))
++ cmd->valid_flags |=
++ cpu_to_le16(I40E_AQC_SET_VSI_PROMISC_RX_ONLY);
+
+ cmd->seid = cpu_to_le16(seid);
+ status = i40e_asq_send_command(hw, &desc, NULL, 0, cmd_details);
+@@ -2182,11 +2195,17 @@ enum i40e_status_code i40e_aq_set_vsi_uc_promisc_on_vlan(struct i40e_hw *hw,
+ i40e_fill_default_direct_cmd_desc(&desc,
+ i40e_aqc_opc_set_vsi_promiscuous_modes);
+
+- if (enable)
++ if (enable) {
+ flags |= I40E_AQC_SET_VSI_PROMISC_UNICAST;
++ if (i40e_is_aq_api_ver_ge(&hw->aq, 1, 5))
++ flags |= I40E_AQC_SET_VSI_PROMISC_RX_ONLY;
++ }
+
+ cmd->promiscuous_flags = cpu_to_le16(flags);
+ cmd->valid_flags = cpu_to_le16(I40E_AQC_SET_VSI_PROMISC_UNICAST);
++ if (i40e_is_aq_api_ver_ge(&hw->aq, 1, 5))
++ cmd->valid_flags |=
++ cpu_to_le16(I40E_AQC_SET_VSI_PROMISC_RX_ONLY);
+ cmd->seid = cpu_to_le16(seid);
+ cmd->vlan_tag = cpu_to_le16(vid | I40E_AQC_SET_VSI_VLAN_VALID);
+
+--
+2.25.1
+
--- /dev/null
+From 7a60e86a3542c5bf2d6a6a9bca76958c4d8f281a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Aug 2020 18:19:08 +0900
+Subject: kconfig: qconf: do not limit the pop-up menu to the first row
+
+From: Masahiro Yamada <masahiroy@kernel.org>
+
+[ Upstream commit fa8de0a3bf3c02e6f00b7746e7e934db522cdda9 ]
+
+If you right-click the first row in the option tree, the pop-up menu
+shows up, but if you right-click the second row or below, the event
+is ignored due to the following check:
+
+ if (e->y() <= header()->geometry().bottom()) {
+
+Perhaps, the intention was to show the pop-menu only when the tree
+header was right-clicked, but this handler is not called in that case.
+
+Since the origin of e->y() starts from the bottom of the header,
+this check is odd.
+
+Going forward, you can right-click anywhere in the tree to get the
+pop-up menu.
+
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/kconfig/qconf.cc | 68 ++++++++++++++++++++--------------------
+ 1 file changed, 34 insertions(+), 34 deletions(-)
+
+diff --git a/scripts/kconfig/qconf.cc b/scripts/kconfig/qconf.cc
+index 0f8c77f847114..3e7fbfae798c2 100644
+--- a/scripts/kconfig/qconf.cc
++++ b/scripts/kconfig/qconf.cc
+@@ -869,40 +869,40 @@ void ConfigList::focusInEvent(QFocusEvent *e)
+
+ void ConfigList::contextMenuEvent(QContextMenuEvent *e)
+ {
+- if (e->y() <= header()->geometry().bottom()) {
+- if (!headerPopup) {
+- QAction *action;
+-
+- headerPopup = new QMenu(this);
+- action = new QAction("Show Name", this);
+- action->setCheckable(true);
+- connect(action, SIGNAL(toggled(bool)),
+- parent(), SLOT(setShowName(bool)));
+- connect(parent(), SIGNAL(showNameChanged(bool)),
+- action, SLOT(setOn(bool)));
+- action->setChecked(showName);
+- headerPopup->addAction(action);
+- action = new QAction("Show Range", this);
+- action->setCheckable(true);
+- connect(action, SIGNAL(toggled(bool)),
+- parent(), SLOT(setShowRange(bool)));
+- connect(parent(), SIGNAL(showRangeChanged(bool)),
+- action, SLOT(setOn(bool)));
+- action->setChecked(showRange);
+- headerPopup->addAction(action);
+- action = new QAction("Show Data", this);
+- action->setCheckable(true);
+- connect(action, SIGNAL(toggled(bool)),
+- parent(), SLOT(setShowData(bool)));
+- connect(parent(), SIGNAL(showDataChanged(bool)),
+- action, SLOT(setOn(bool)));
+- action->setChecked(showData);
+- headerPopup->addAction(action);
+- }
+- headerPopup->exec(e->globalPos());
+- e->accept();
+- } else
+- e->ignore();
++ if (!headerPopup) {
++ QAction *action;
++
++ headerPopup = new QMenu(this);
++ action = new QAction("Show Name", this);
++ action->setCheckable(true);
++ connect(action, SIGNAL(toggled(bool)),
++ parent(), SLOT(setShowName(bool)));
++ connect(parent(), SIGNAL(showNameChanged(bool)),
++ action, SLOT(setOn(bool)));
++ action->setChecked(showName);
++ headerPopup->addAction(action);
++
++ action = new QAction("Show Range", this);
++ action->setCheckable(true);
++ connect(action, SIGNAL(toggled(bool)),
++ parent(), SLOT(setShowRange(bool)));
++ connect(parent(), SIGNAL(showRangeChanged(bool)),
++ action, SLOT(setOn(bool)));
++ action->setChecked(showRange);
++ headerPopup->addAction(action);
++
++ action = new QAction("Show Data", this);
++ action->setCheckable(true);
++ connect(action, SIGNAL(toggled(bool)),
++ parent(), SLOT(setShowData(bool)));
++ connect(parent(), SIGNAL(showDataChanged(bool)),
++ action, SLOT(setOn(bool)));
++ action->setChecked(showData);
++ headerPopup->addAction(action);
++ }
++
++ headerPopup->exec(e->globalPos());
++ e->accept();
+ }
+
+ ConfigView*ConfigView::viewList;
+--
+2.25.1
+
--- /dev/null
+From 1c494622cacba48113c2e924f5d904a8e7e925cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Aug 2020 01:36:29 +0900
+Subject: kconfig: qconf: fix signal connection to invalid slots
+
+From: Masahiro Yamada <masahiroy@kernel.org>
+
+[ Upstream commit d85de3399f97467baa2026fbbbe587850d01ba8a ]
+
+If you right-click in the ConfigList window, you will see the following
+messages in the console:
+
+QObject::connect: No such slot QAction::setOn(bool) in scripts/kconfig/qconf.cc:888
+QObject::connect: (sender name: 'config')
+QObject::connect: No such slot QAction::setOn(bool) in scripts/kconfig/qconf.cc:897
+QObject::connect: (sender name: 'config')
+QObject::connect: No such slot QAction::setOn(bool) in scripts/kconfig/qconf.cc:906
+QObject::connect: (sender name: 'config')
+
+Right, there is no such slot in QAction. I think this is a typo of
+setChecked.
+
+Due to this bug, when you toggled the menu "Option->Show Name/Range/Data"
+the state of the context menu was not previously updated. Fix this.
+
+Fixes: d5d973c3f8a9 ("Port xconfig to Qt5 - Put back some of the old implementation(part 2)")
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/kconfig/qconf.cc | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/scripts/kconfig/qconf.cc b/scripts/kconfig/qconf.cc
+index 3e7fbfae798c2..a94909ad9a53a 100644
+--- a/scripts/kconfig/qconf.cc
++++ b/scripts/kconfig/qconf.cc
+@@ -878,7 +878,7 @@ void ConfigList::contextMenuEvent(QContextMenuEvent *e)
+ connect(action, SIGNAL(toggled(bool)),
+ parent(), SLOT(setShowName(bool)));
+ connect(parent(), SIGNAL(showNameChanged(bool)),
+- action, SLOT(setOn(bool)));
++ action, SLOT(setChecked(bool)));
+ action->setChecked(showName);
+ headerPopup->addAction(action);
+
+@@ -887,7 +887,7 @@ void ConfigList::contextMenuEvent(QContextMenuEvent *e)
+ connect(action, SIGNAL(toggled(bool)),
+ parent(), SLOT(setShowRange(bool)));
+ connect(parent(), SIGNAL(showRangeChanged(bool)),
+- action, SLOT(setOn(bool)));
++ action, SLOT(setChecked(bool)));
+ action->setChecked(showRange);
+ headerPopup->addAction(action);
+
+@@ -896,7 +896,7 @@ void ConfigList::contextMenuEvent(QContextMenuEvent *e)
+ connect(action, SIGNAL(toggled(bool)),
+ parent(), SLOT(setShowData(bool)));
+ connect(parent(), SIGNAL(showDataChanged(bool)),
+- action, SLOT(setOn(bool)));
++ action, SLOT(setChecked(bool)));
+ action->setChecked(showData);
+ headerPopup->addAction(action);
+ }
+@@ -1228,7 +1228,7 @@ QMenu* ConfigInfoView::createStandardContextMenu(const QPoint & pos)
+
+ action->setCheckable(true);
+ connect(action, SIGNAL(toggled(bool)), SLOT(setShowDebug(bool)));
+- connect(this, SIGNAL(showDebugChanged(bool)), action, SLOT(setOn(bool)));
++ connect(this, SIGNAL(showDebugChanged(bool)), action, SLOT(setChecked(bool)));
+ action->setChecked(showDebug());
+ popup->addSeparator();
+ popup->addAction(action);
+--
+2.25.1
+
--- /dev/null
+From bb2ce227b2a78431de635e7cb301320b36ba9c99 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Aug 2020 11:16:54 -0700
+Subject: kvm: x86: Toggling CR4.PKE does not load PDPTEs in PAE mode
+
+From: Jim Mattson <jmattson@google.com>
+
+[ Upstream commit cb957adb4ea422bd758568df5b2478ea3bb34f35 ]
+
+See the SDM, volume 3, section 4.4.1:
+
+If PAE paging would be in use following an execution of MOV to CR0 or
+MOV to CR4 (see Section 4.1.1) and the instruction is modifying any of
+CR0.CD, CR0.NW, CR0.PG, CR4.PAE, CR4.PGE, CR4.PSE, or CR4.SMEP; then
+the PDPTEs are loaded from the address in CR3.
+
+Fixes: b9baba8614890 ("KVM, pkeys: expose CPUID/CR4 to guest")
+Cc: Huaitong Han <huaitong.han@intel.com>
+Signed-off-by: Jim Mattson <jmattson@google.com>
+Reviewed-by: Peter Shier <pshier@google.com>
+Reviewed-by: Oliver Upton <oupton@google.com>
+Message-Id: <20200817181655.3716509-1-jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/x86.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 1721a8c8eb26c..8920ee7b28811 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -972,7 +972,7 @@ int kvm_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
+ {
+ unsigned long old_cr4 = kvm_read_cr4(vcpu);
+ unsigned long pdptr_bits = X86_CR4_PGE | X86_CR4_PSE | X86_CR4_PAE |
+- X86_CR4_SMEP | X86_CR4_PKE;
++ X86_CR4_SMEP;
+
+ if (kvm_valid_cr4(vcpu, cr4))
+ return 1;
+--
+2.25.1
+
--- /dev/null
+From 4eb66a1b8ffe7ac93e056e570aafb9a1a720e980 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Aug 2020 11:16:55 -0700
+Subject: kvm: x86: Toggling CR4.SMAP does not load PDPTEs in PAE mode
+
+From: Jim Mattson <jmattson@google.com>
+
+[ Upstream commit 427890aff8558eb4326e723835e0eae0e6fe3102 ]
+
+See the SDM, volume 3, section 4.4.1:
+
+If PAE paging would be in use following an execution of MOV to CR0 or
+MOV to CR4 (see Section 4.1.1) and the instruction is modifying any of
+CR0.CD, CR0.NW, CR0.PG, CR4.PAE, CR4.PGE, CR4.PSE, or CR4.SMEP; then
+the PDPTEs are loaded from the address in CR3.
+
+Fixes: 0be0226f07d14 ("KVM: MMU: fix SMAP virtualization")
+Cc: Xiao Guangrong <guangrong.xiao@linux.intel.com>
+Signed-off-by: Jim Mattson <jmattson@google.com>
+Reviewed-by: Peter Shier <pshier@google.com>
+Reviewed-by: Oliver Upton <oupton@google.com>
+Message-Id: <20200817181655.3716509-2-jmattson@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/x86.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 38b2df0e71096..1721a8c8eb26c 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -972,7 +972,7 @@ int kvm_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
+ {
+ unsigned long old_cr4 = kvm_read_cr4(vcpu);
+ unsigned long pdptr_bits = X86_CR4_PGE | X86_CR4_PSE | X86_CR4_PAE |
+- X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_PKE;
++ X86_CR4_SMEP | X86_CR4_PKE;
+
+ if (kvm_valid_cr4(vcpu, cr4))
+ return 1;
+--
+2.25.1
+
--- /dev/null
+From 0a7d169d6cdafeeac18ba004337dcaf1b7a80a0b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Aug 2020 06:56:00 -0700
+Subject: net: dsa: b53: check for timeout
+
+From: Tom Rix <trix@redhat.com>
+
+[ Upstream commit 774d977abfd024e6f73484544b9abe5a5cd62de7 ]
+
+clang static analysis reports this problem
+
+b53_common.c:1583:13: warning: The left expression of the compound
+ assignment is an uninitialized value. The computed value will
+ also be garbage
+ ent.port &= ~BIT(port);
+ ~~~~~~~~ ^
+
+ent is set by a successful call to b53_arl_read(). Unsuccessful
+calls are caught by an switch statement handling specific returns.
+b32_arl_read() calls b53_arl_op_wait() which fails with the
+unhandled -ETIMEDOUT.
+
+So add -ETIMEDOUT to the switch statement. Because
+b53_arl_op_wait() already prints out a message, do not add another
+one.
+
+Fixes: 1da6df85c6fb ("net: dsa: b53: Implement ARL add/del/dump operations")
+Signed-off-by: Tom Rix <trix@redhat.com>
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/b53/b53_common.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
+index 14850b7fe6d7f..4bd66ba72c03c 100644
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -1523,6 +1523,8 @@ static int b53_arl_op(struct b53_device *dev, int op, int port,
+ return ret;
+
+ switch (ret) {
++ case -ETIMEDOUT:
++ return ret;
+ case -ENOSPC:
+ dev_dbg(dev->dev, "{%pM,%.4d} no space left in ARL\n",
+ addr, vid);
+--
+2.25.1
+
--- /dev/null
+From e3a25a2b42850b050665ac44948a691ab349c670 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Aug 2020 20:28:36 +0300
+Subject: net: ena: Prevent reset after device destruction
+
+From: Shay Agroskin <shayagr@amazon.com>
+
+[ Upstream commit 63d4a4c145cca2e84dc6e62d2ef5cb990c9723c2 ]
+
+The reset work is scheduled by the timer routine whenever it
+detects that a device reset is required (e.g. when a keep_alive signal
+is missing).
+When releasing device resources in ena_destroy_device() the driver
+cancels the scheduling of the timer routine without destroying the reset
+work explicitly.
+
+This creates the following bug:
+ The driver is suspended and the ena_suspend() function is called
+ -> This function calls ena_destroy_device() to free the net device
+ resources
+ -> The driver waits for the timer routine to finish
+ its execution and then cancels it, thus preventing from it
+ to be called again.
+
+ If, in its final execution, the timer routine schedules a reset,
+ the reset routine might be called afterwards,and a redundant call to
+ ena_restore_device() would be made.
+
+By changing the reset routine we allow it to read the device's state
+accurately.
+This is achieved by checking whether ENA_FLAG_TRIGGER_RESET flag is set
+before resetting the device and making both the destruction function and
+the flag check are under rtnl lock.
+The ENA_FLAG_TRIGGER_RESET is cleared at the end of the destruction
+routine. Also surround the flag check with 'likely' because
+we expect that the reset routine would be called only when
+ENA_FLAG_TRIGGER_RESET flag is set.
+
+The destruction of the timer and reset services in __ena_shutoff() have to
+stay, even though the timer routine is destroyed in ena_destroy_device().
+This is to avoid a case in which the reset routine is scheduled after
+free_netdev() in __ena_shutoff(), which would create an access to freed
+memory in adapter->flags.
+
+Fixes: 8c5c7abdeb2d ("net: ena: add power management ops to the ENA driver")
+Signed-off-by: Shay Agroskin <shayagr@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amazon/ena/ena_netdev.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/amazon/ena/ena_netdev.c b/drivers/net/ethernet/amazon/ena/ena_netdev.c
+index 26325f7b3c1fa..4d0d13d5d0998 100644
+--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c
++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c
+@@ -2835,16 +2835,14 @@ static void ena_fw_reset_device(struct work_struct *work)
+ {
+ struct ena_adapter *adapter =
+ container_of(work, struct ena_adapter, reset_task);
+- struct pci_dev *pdev = adapter->pdev;
+
+- if (unlikely(!test_bit(ENA_FLAG_TRIGGER_RESET, &adapter->flags))) {
+- dev_err(&pdev->dev,
+- "device reset schedule while reset bit is off\n");
+- return;
+- }
+ rtnl_lock();
+- ena_destroy_device(adapter, false);
+- ena_restore_device(adapter);
++
++ if (likely(test_bit(ENA_FLAG_TRIGGER_RESET, &adapter->flags))) {
++ ena_destroy_device(adapter, false);
++ ena_restore_device(adapter);
++ }
++
+ rtnl_unlock();
+ }
+
+@@ -3675,8 +3673,11 @@ static void __ena_shutoff(struct pci_dev *pdev, bool shutdown)
+ netdev->rx_cpu_rmap = NULL;
+ }
+ #endif /* CONFIG_RFS_ACCEL */
+- del_timer_sync(&adapter->timer_service);
+
++ /* Make sure timer and reset routine won't be called after
++ * freeing device resources.
++ */
++ del_timer_sync(&adapter->timer_service);
+ cancel_work_sync(&adapter->reset_task);
+
+ rtnl_lock(); /* lock released inside the below if-else block */
+--
+2.25.1
+
--- /dev/null
+From 0e4676690b5edebada566da2ea54768b0a92b6bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Aug 2020 15:13:14 +0800
+Subject: net: fec: correct the error path for regulator disable in probe
+
+From: Fugang Duan <fugang.duan@nxp.com>
+
+[ Upstream commit c6165cf0dbb82ded90163dce3ac183fc7a913dc4 ]
+
+Correct the error path for regulator disable.
+
+Fixes: 9269e5560b26 ("net: fec: add phy-reset-gpios PROBE_DEFER check")
+Signed-off-by: Fugang Duan <fugang.duan@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/fec_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
+index 39c112f1543c1..a0e4b12ac4ea2 100644
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -3707,11 +3707,11 @@ fec_probe(struct platform_device *pdev)
+ failed_irq:
+ failed_init:
+ fec_ptp_stop(pdev);
+- if (fep->reg_phy)
+- regulator_disable(fep->reg_phy);
+ failed_reset:
+ pm_runtime_put_noidle(&pdev->dev);
+ pm_runtime_disable(&pdev->dev);
++ if (fep->reg_phy)
++ regulator_disable(fep->reg_phy);
+ failed_regulator:
+ clk_disable_unprepare(fep->clk_ahb);
+ failed_clk_ahb:
+--
+2.25.1
+
--- /dev/null
+From 4ae4ba8d14a5836b7ad4cb2860f0992a6ecdc0c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Aug 2020 10:33:09 +0800
+Subject: net: gemini: Fix missing free_netdev() in error path of
+ gemini_ethernet_port_probe()
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit cf96d977381d4a23957bade2ddf1c420b74a26b6 ]
+
+Replace alloc_etherdev_mq with devm_alloc_etherdev_mqs. In this way,
+when probe fails, netdev can be freed automatically.
+
+Fixes: 4d5ae32f5e1e ("net: ethernet: Add a driver for Gemini gigabit ethernet")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cortina/gemini.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/cortina/gemini.c b/drivers/net/ethernet/cortina/gemini.c
+index 01ae113f122a0..28d4c54505f9a 100644
+--- a/drivers/net/ethernet/cortina/gemini.c
++++ b/drivers/net/ethernet/cortina/gemini.c
+@@ -2388,7 +2388,7 @@ static int gemini_ethernet_port_probe(struct platform_device *pdev)
+
+ dev_info(dev, "probe %s ID %d\n", dev_name(dev), id);
+
+- netdev = alloc_etherdev_mq(sizeof(*port), TX_QUEUE_NUM);
++ netdev = devm_alloc_etherdev_mqs(dev, sizeof(*port), TX_QUEUE_NUM, TX_QUEUE_NUM);
+ if (!netdev) {
+ dev_err(dev, "Can't allocate ethernet device #%d\n", id);
+ return -ENOMEM;
+@@ -2520,7 +2520,6 @@ static int gemini_ethernet_port_probe(struct platform_device *pdev)
+ }
+
+ port->netdev = NULL;
+- free_netdev(netdev);
+ return ret;
+ }
+
+@@ -2529,7 +2528,6 @@ static int gemini_ethernet_port_remove(struct platform_device *pdev)
+ struct gemini_ethernet_port *port = platform_get_drvdata(pdev);
+
+ gemini_port_remove(port);
+- free_netdev(port->netdev);
+ return 0;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 53878b376db3c0d02935fd172075859a753dc484 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Aug 2020 17:44:09 -0400
+Subject: netfilter: nf_tables: nft_exthdr: the presence return value should be
+ little-endian
+
+From: Stephen Suryaputra <ssuryaextr@gmail.com>
+
+[ Upstream commit b428336676dbca363262cc134b6218205df4f530 ]
+
+On big-endian machine, the returned register data when the exthdr is
+present is not being compared correctly because little-endian is
+assumed. The function nft_cmp_fast_mask(), called by nft_cmp_fast_eval()
+and nft_cmp_fast_init(), calls cpu_to_le32().
+
+The following dump also shows that little endian is assumed:
+
+$ nft --debug=netlink add rule ip recordroute forward ip option rr exists counter
+ip
+ [ exthdr load ipv4 1b @ 7 + 0 present => reg 1 ]
+ [ cmp eq reg 1 0x01000000 ]
+ [ counter pkts 0 bytes 0 ]
+
+Lastly, debug print in nft_cmp_fast_init() and nft_cmp_fast_eval() when
+RR option exists in the packet shows that the comparison fails because
+the assumption:
+
+nft_cmp_fast_init:189 priv->sreg=4 desc.len=8 mask=0xff000000 data.data[0]=0x10003e0
+nft_cmp_fast_eval:57 regs->data[priv->sreg=4]=0x1 mask=0xff000000 priv->data=0x1000000
+
+v2: use nft_reg_store8() instead (Florian Westphal). Also to avoid the
+ warnings reported by kernel test robot.
+
+Fixes: dbb5281a1f84 ("netfilter: nf_tables: add support for matching IPv4 options")
+Fixes: c078ca3b0c5b ("netfilter: nft_exthdr: Add support for existence check")
+Signed-off-by: Stephen Suryaputra <ssuryaextr@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_exthdr.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c
+index a5e8469859e39..427d77b111b17 100644
+--- a/net/netfilter/nft_exthdr.c
++++ b/net/netfilter/nft_exthdr.c
+@@ -44,7 +44,7 @@ static void nft_exthdr_ipv6_eval(const struct nft_expr *expr,
+
+ err = ipv6_find_hdr(pkt->skb, &offset, priv->type, NULL, NULL);
+ if (priv->flags & NFT_EXTHDR_F_PRESENT) {
+- *dest = (err >= 0);
++ nft_reg_store8(dest, err >= 0);
+ return;
+ } else if (err < 0) {
+ goto err;
+@@ -141,7 +141,7 @@ static void nft_exthdr_ipv4_eval(const struct nft_expr *expr,
+
+ err = ipv4_find_option(nft_net(pkt), skb, &offset, priv->type);
+ if (priv->flags & NFT_EXTHDR_F_PRESENT) {
+- *dest = (err >= 0);
++ nft_reg_store8(dest, err >= 0);
+ return;
+ } else if (err < 0) {
+ goto err;
+--
+2.25.1
+
--- /dev/null
+From 7a46d962d5cd429194615073a1e4353caa50edc1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Aug 2020 21:45:48 -0700
+Subject: RDMA/bnxt_re: Do not add user qps to flushlist
+
+From: Selvin Xavier <selvin.xavier@broadcom.com>
+
+[ Upstream commit a812f2d60a9fb7818f9c81f967180317b52545c0 ]
+
+Driver shall add only the kernel qps to the flush list for clean up.
+During async error events from the HW, driver is adding qps to this list
+without checking if the qp is kernel qp or not.
+
+Add a check to avoid user qp addition to the flush list.
+
+Fixes: 942c9b6ca8de ("RDMA/bnxt_re: Avoid Hard lockup during error CQE processing")
+Fixes: c50866e2853a ("bnxt_re: fix the regression due to changes in alloc_pbl")
+Link: https://lore.kernel.org/r/1596689148-4023-1-git-send-email-selvin.xavier@broadcom.com
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/main.c b/drivers/infiniband/hw/bnxt_re/main.c
+index 27e2df44d043d..cfe5f47d9890e 100644
+--- a/drivers/infiniband/hw/bnxt_re/main.c
++++ b/drivers/infiniband/hw/bnxt_re/main.c
+@@ -789,7 +789,8 @@ static int bnxt_re_handle_qp_async_event(struct creq_qp_event *qp_event,
+ struct ib_event event;
+ unsigned int flags;
+
+- if (qp->qplib_qp.state == CMDQ_MODIFY_QP_NEW_STATE_ERR) {
++ if (qp->qplib_qp.state == CMDQ_MODIFY_QP_NEW_STATE_ERR &&
++ rdma_is_kernel_res(&qp->ib_qp.res)) {
+ flags = bnxt_re_lock_cqs(qp);
+ bnxt_qplib_add_flush_qp(&qp->qplib_qp);
+ bnxt_re_unlock_cqs(qp, flags);
+--
+2.25.1
+
--- /dev/null
+From 3be40acea2eefde28bce91b43c7edac8ca11c157 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Aug 2020 04:10:14 -0700
+Subject: Revert "scsi: qla2xxx: Disable T10-DIF feature with FC-NVMe during
+ probe"
+
+From: Quinn Tran <qutran@marvell.com>
+
+[ Upstream commit dca93232b361d260413933903cd4bdbd92ebcc7f ]
+
+FCP T10-PI and NVMe features are independent of each other. This patch
+allows both features to co-exist.
+
+This reverts commit 5da05a26b8305a625bc9d537671b981795b46dab.
+
+Link: https://lore.kernel.org/r/20200806111014.28434-12-njavali@marvell.com
+Fixes: 5da05a26b830 ("scsi: qla2xxx: Disable T10-DIF feature with FC-NVMe during probe")
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Quinn Tran <qutran@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_os.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
+index d7ec4083a0911..d91c95d9981ac 100644
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -2804,10 +2804,6 @@ qla2x00_probe_one(struct pci_dev *pdev, const struct pci_device_id *id)
+ /* This may fail but that's ok */
+ pci_enable_pcie_error_reporting(pdev);
+
+- /* Turn off T10-DIF when FC-NVMe is enabled */
+- if (ql2xnvmeenable)
+- ql2xenabledif = 0;
+-
+ ha = kzalloc(sizeof(struct qla_hw_data), GFP_KERNEL);
+ if (!ha) {
+ ql_log_pci(ql_log_fatal, pdev, 0x0009,
+--
+2.25.1
+
--- /dev/null
+From aeb6de712776c4f8dddc66af27410cbd5f53c1b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Aug 2020 18:56:28 +0200
+Subject: s390/ptrace: fix storage key handling
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+[ Upstream commit fd78c59446b8d050ecf3e0897c5a486c7de7c595 ]
+
+The key member of the runtime instrumentation control block contains
+only the access key, not the complete storage key. Therefore the value
+must be shifted by four bits. Since existing user space does not
+necessarily query and set the access key correctly, just ignore the
+user space provided key and use the correct one.
+Note: this is only relevant for debugging purposes in case somebody
+compiles a kernel with a default storage access key set to a value not
+equal to zero.
+
+Fixes: 262832bc5acd ("s390/ptrace: add runtime instrumention register get/set")
+Reported-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/ptrace.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c
+index 5aa786063eb3e..c6aef2ecf2890 100644
+--- a/arch/s390/kernel/ptrace.c
++++ b/arch/s390/kernel/ptrace.c
+@@ -1283,7 +1283,6 @@ static bool is_ri_cb_valid(struct runtime_instr_cb *cb)
+ cb->pc == 1 &&
+ cb->qc == 0 &&
+ cb->reserved2 == 0 &&
+- cb->key == PAGE_DEFAULT_KEY &&
+ cb->reserved3 == 0 &&
+ cb->reserved4 == 0 &&
+ cb->reserved5 == 0 &&
+@@ -1347,7 +1346,11 @@ static int s390_runtime_instr_set(struct task_struct *target,
+ kfree(data);
+ return -EINVAL;
+ }
+-
++ /*
++ * Override access key in any case, since user space should
++ * not be able to set it, nor should it care about it.
++ */
++ ri_cb.key = PAGE_DEFAULT_KEY >> 4;
+ preempt_disable();
+ if (!target->thread.ri_cb)
+ target->thread.ri_cb = data;
+--
+2.25.1
+
--- /dev/null
+From 32e04fef3ca6d98500104cacb6965566700cec17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Aug 2020 18:55:41 +0200
+Subject: s390/runtime_instrumentation: fix storage key handling
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+[ Upstream commit 9eaba29c7985236e16468f4e6a49cc18cf01443e ]
+
+The key member of the runtime instrumentation control block contains
+only the access key, not the complete storage key. Therefore the value
+must be shifted by four bits.
+Note: this is only relevant for debugging purposes in case somebody
+compiles a kernel with a default storage access key set to a value not
+equal to zero.
+
+Fixes: e4b8b3f33fca ("s390: add support for runtime instrumentation")
+Reported-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/runtime_instr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/s390/kernel/runtime_instr.c b/arch/s390/kernel/runtime_instr.c
+index 125c7f6e87150..1788a5454b6fc 100644
+--- a/arch/s390/kernel/runtime_instr.c
++++ b/arch/s390/kernel/runtime_instr.c
+@@ -57,7 +57,7 @@ static void init_runtime_instr_cb(struct runtime_instr_cb *cb)
+ cb->k = 1;
+ cb->ps = 1;
+ cb->pc = 1;
+- cb->key = PAGE_DEFAULT_KEY;
++ cb->key = PAGE_DEFAULT_KEY >> 4;
+ cb->v = 1;
+ }
+
+--
+2.25.1
+
xfs-fix-ubsan-null-ptr-deref-in-xfs_sysfs_init.patch
alpha-fix-annotation-of-io-read-write-16-32-be.patch
fs-signalfd.c-fix-inconsistent-return-codes-for-sign.patch
+ext4-fix-potential-negative-array-index-in-do_split.patch
+ext4-don-t-allow-overlapping-system-zones.patch
+netfilter-nf_tables-nft_exthdr-the-presence-return-v.patch
+spi-stm32-fixes-suspend-resume-management.patch
+asoc-q6afe-dai-mark-all-widgets-registers-as-snd_soc.patch
+asoc-q6routing-add-dummy-register-read-write-functio.patch
+bpf-sock_ops-sk-access-may-stomp-registers-when-dst_.patch
+can-j1939-fix-kernel-infoleak-in-j1939_sk_sock2socka.patch
+can-j1939-transport-j1939_simple_recv-ignore-local-j.patch
+can-j1939-transport-add-j1939_session_skb_find_by_of.patch
+i40e-set-rx_only-mode-for-unicast-promiscuous-on-vla.patch
+i40e-fix-crash-during-removing-i40e-driver.patch
+net-fec-correct-the-error-path-for-regulator-disable.patch
+bonding-show-saner-speed-for-broadcast-mode.patch
+can-j1939-fix-support-for-multipacket-broadcast-mess.patch
+can-j1939-cancel-rxtimer-on-multipacket-broadcast-se.patch
+can-j1939-abort-multipacket-broadcast-session-when-t.patch
+can-j1939-add-rxtimer-for-multipacket-broadcast-sess.patch
+bonding-fix-a-potential-double-unregister.patch
+s390-runtime_instrumentation-fix-storage-key-handlin.patch
+s390-ptrace-fix-storage-key-handling.patch
+asoc-msm8916-wcd-analog-fix-register-interrupt-offse.patch
+asoc-intel-fix-memleak-in-sst_media_open.patch
+vfio-type1-add-proper-error-unwind-for-vfio_iommu_re.patch
+kvm-x86-toggling-cr4.smap-does-not-load-pdptes-in-pa.patch
+kvm-x86-toggling-cr4.pke-does-not-load-pdptes-in-pae.patch
+revert-scsi-qla2xxx-disable-t10-dif-feature-with-fc-.patch
+kconfig-qconf-do-not-limit-the-pop-up-menu-to-the-fi.patch
+kconfig-qconf-fix-signal-connection-to-invalid-slots.patch
+efi-avoid-error-message-when-booting-under-xen.patch
+fix-build-error-when-config_acpi-is-not-set-enabled.patch
+rdma-bnxt_re-do-not-add-user-qps-to-flushlist.patch
+afs-fix-null-deref-in-afs_dynroot_depopulate.patch
+arm64-vdso32-install-vdso32-from-vdso_install.patch
+bonding-fix-active-backup-failover-for-current-arp-s.patch
+net-ena-prevent-reset-after-device-destruction.patch
+net-gemini-fix-missing-free_netdev-in-error-path-of-.patch
+hv_netvsc-fix-the-queue_mapping-in-netvsc_vf_xmit.patch
+net-dsa-b53-check-for-timeout.patch
--- /dev/null
+From 324c89ffd6f401357c2b7d02bef5e263cc63b86d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Aug 2020 09:12:37 +0200
+Subject: spi: stm32: fixes suspend/resume management
+
+From: Amelie Delaunay <amelie.delaunay@st.com>
+
+[ Upstream commit db96bf976a4fc65439be0b4524c0d41427d98814 ]
+
+This patch adds pinctrl power management, and reconfigure spi controller
+in case of resume.
+
+Fixes: 038ac869c9d2 ("spi: stm32: add runtime PM support")
+
+Signed-off-by: Amelie Delaunay <amelie.delaunay@st.com>
+Signed-off-by: Alain Volmat <alain.volmat@st.com>
+Link: https://lore.kernel.org/r/1597043558-29668-5-git-send-email-alain.volmat@st.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-stm32.c | 27 ++++++++++++++++++++++++---
+ 1 file changed, 24 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/spi/spi-stm32.c b/drivers/spi/spi-stm32.c
+index b222ce8d083ef..7e92ab0cc9920 100644
+--- a/drivers/spi/spi-stm32.c
++++ b/drivers/spi/spi-stm32.c
+@@ -14,6 +14,7 @@
+ #include <linux/iopoll.h>
+ #include <linux/module.h>
+ #include <linux/of_platform.h>
++#include <linux/pinctrl/consumer.h>
+ #include <linux/pm_runtime.h>
+ #include <linux/reset.h>
+ #include <linux/spi/spi.h>
+@@ -1986,6 +1987,8 @@ static int stm32_spi_remove(struct platform_device *pdev)
+
+ pm_runtime_disable(&pdev->dev);
+
++ pinctrl_pm_select_sleep_state(&pdev->dev);
++
+ return 0;
+ }
+
+@@ -1997,13 +2000,18 @@ static int stm32_spi_runtime_suspend(struct device *dev)
+
+ clk_disable_unprepare(spi->clk);
+
+- return 0;
++ return pinctrl_pm_select_sleep_state(dev);
+ }
+
+ static int stm32_spi_runtime_resume(struct device *dev)
+ {
+ struct spi_master *master = dev_get_drvdata(dev);
+ struct stm32_spi *spi = spi_master_get_devdata(master);
++ int ret;
++
++ ret = pinctrl_pm_select_default_state(dev);
++ if (ret)
++ return ret;
+
+ return clk_prepare_enable(spi->clk);
+ }
+@@ -2033,10 +2041,23 @@ static int stm32_spi_resume(struct device *dev)
+ return ret;
+
+ ret = spi_master_resume(master);
+- if (ret)
++ if (ret) {
+ clk_disable_unprepare(spi->clk);
++ return ret;
++ }
+
+- return ret;
++ ret = pm_runtime_get_sync(dev);
++ if (ret) {
++ dev_err(dev, "Unable to power device:%d\n", ret);
++ return ret;
++ }
++
++ spi->cfg->config(spi);
++
++ pm_runtime_mark_last_busy(dev);
++ pm_runtime_put_autosuspend(dev);
++
++ return 0;
+ }
+ #endif
+
+--
+2.25.1
+
--- /dev/null
+From a96c0c703378d132bdfe24e1d97fab310787e329 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Aug 2020 11:09:13 -0600
+Subject: vfio/type1: Add proper error unwind for vfio_iommu_replay()
+
+From: Alex Williamson <alex.williamson@redhat.com>
+
+[ Upstream commit aae7a75a821a793ed6b8ad502a5890fb8e8f172d ]
+
+The vfio_iommu_replay() function does not currently unwind on error,
+yet it does pin pages, perform IOMMU mapping, and modify the vfio_dma
+structure to indicate IOMMU mapping. The IOMMU mappings are torn down
+when the domain is destroyed, but the other actions go on to cause
+trouble later. For example, the iommu->domain_list can be empty if we
+only have a non-IOMMU backed mdev attached. We don't currently check
+if the list is empty before getting the first entry in the list, which
+leads to a bogus domain pointer. If a vfio_dma entry is erroneously
+marked as iommu_mapped, we'll attempt to use that bogus pointer to
+retrieve the existing physical page addresses.
+
+This is the scenario that uncovered this issue, attempting to hot-add
+a vfio-pci device to a container with an existing mdev device and DMA
+mappings, one of which could not be pinned, causing a failure adding
+the new group to the existing container and setting the conditions
+for a subsequent attempt to explode.
+
+To resolve this, we can first check if the domain_list is empty so
+that we can reject replay of a bogus domain, should we ever encounter
+this inconsistent state again in the future. The real fix though is
+to add the necessary unwind support, which means cleaning up the
+current pinning if an IOMMU mapping fails, then walking back through
+the r-b tree of DMA entries, reading from the IOMMU which ranges are
+mapped, and unmapping and unpinning those ranges. To be able to do
+this, we also defer marking the DMA entry as IOMMU mapped until all
+entries are processed, in order to allow the unwind to know the
+disposition of each entry.
+
+Fixes: a54eb55045ae ("vfio iommu type1: Add support for mediated devices")
+Reported-by: Zhiyi Guo <zhguo@redhat.com>
+Tested-by: Zhiyi Guo <zhguo@redhat.com>
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/vfio_iommu_type1.c | 71 ++++++++++++++++++++++++++++++---
+ 1 file changed, 66 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
+index 6cc47af1f06d3..ca8c10aa4a4bc 100644
+--- a/drivers/vfio/vfio_iommu_type1.c
++++ b/drivers/vfio/vfio_iommu_type1.c
+@@ -1187,13 +1187,16 @@ static int vfio_bus_type(struct device *dev, void *data)
+ static int vfio_iommu_replay(struct vfio_iommu *iommu,
+ struct vfio_domain *domain)
+ {
+- struct vfio_domain *d;
++ struct vfio_domain *d = NULL;
+ struct rb_node *n;
+ unsigned long limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
+ int ret;
+
+ /* Arbitrarily pick the first domain in the list for lookups */
+- d = list_first_entry(&iommu->domain_list, struct vfio_domain, next);
++ if (!list_empty(&iommu->domain_list))
++ d = list_first_entry(&iommu->domain_list,
++ struct vfio_domain, next);
++
+ n = rb_first(&iommu->dma_list);
+
+ for (; n; n = rb_next(n)) {
+@@ -1211,6 +1214,11 @@ static int vfio_iommu_replay(struct vfio_iommu *iommu,
+ phys_addr_t p;
+ dma_addr_t i;
+
++ if (WARN_ON(!d)) { /* mapped w/o a domain?! */
++ ret = -EINVAL;
++ goto unwind;
++ }
++
+ phys = iommu_iova_to_phys(d->domain, iova);
+
+ if (WARN_ON(!phys)) {
+@@ -1240,7 +1248,7 @@ static int vfio_iommu_replay(struct vfio_iommu *iommu,
+ if (npage <= 0) {
+ WARN_ON(!npage);
+ ret = (int)npage;
+- return ret;
++ goto unwind;
+ }
+
+ phys = pfn << PAGE_SHIFT;
+@@ -1249,14 +1257,67 @@ static int vfio_iommu_replay(struct vfio_iommu *iommu,
+
+ ret = iommu_map(domain->domain, iova, phys,
+ size, dma->prot | domain->prot);
+- if (ret)
+- return ret;
++ if (ret) {
++ if (!dma->iommu_mapped)
++ vfio_unpin_pages_remote(dma, iova,
++ phys >> PAGE_SHIFT,
++ size >> PAGE_SHIFT,
++ true);
++ goto unwind;
++ }
+
+ iova += size;
+ }
++ }
++
++ /* All dmas are now mapped, defer to second tree walk for unwind */
++ for (n = rb_first(&iommu->dma_list); n; n = rb_next(n)) {
++ struct vfio_dma *dma = rb_entry(n, struct vfio_dma, node);
++
+ dma->iommu_mapped = true;
+ }
++
+ return 0;
++
++unwind:
++ for (; n; n = rb_prev(n)) {
++ struct vfio_dma *dma = rb_entry(n, struct vfio_dma, node);
++ dma_addr_t iova;
++
++ if (dma->iommu_mapped) {
++ iommu_unmap(domain->domain, dma->iova, dma->size);
++ continue;
++ }
++
++ iova = dma->iova;
++ while (iova < dma->iova + dma->size) {
++ phys_addr_t phys, p;
++ size_t size;
++ dma_addr_t i;
++
++ phys = iommu_iova_to_phys(domain->domain, iova);
++ if (!phys) {
++ iova += PAGE_SIZE;
++ continue;
++ }
++
++ size = PAGE_SIZE;
++ p = phys + size;
++ i = iova + size;
++ while (i < dma->iova + dma->size &&
++ p == iommu_iova_to_phys(domain->domain, i)) {
++ size += PAGE_SIZE;
++ p += PAGE_SIZE;
++ i += PAGE_SIZE;
++ }
++
++ iommu_unmap(domain->domain, iova, size);
++ vfio_unpin_pages_remote(dma, iova, phys >> PAGE_SHIFT,
++ size >> PAGE_SHIFT, true);
++ }
++ }
++
++ return ret;
+ }
+
+ /*
+--
+2.25.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
