--- /dev/null
+From b72c4bf779e51b5482dc16143cd5ce783e04e1ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 21 Mar 2021 12:28:31 +0900
+Subject: ALSA: bebob: enable to deliver MIDI messages for multiple ports
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+[ Upstream commit d2b6f15bc18ac8fbce25398290774c21f5b2cd44 ]
+
+Current implementation of bebob driver doesn't correctly handle the case
+that the device has multiple MIDI ports. The cause is the number of MIDI
+conformant data channels is passed to AM824 data block processing layer.
+
+This commit fixes the bug.
+
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Link: https://lore.kernel.org/r/20210321032831.340278-4-o-takashi@sakamocchi.jp
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/firewire/bebob/bebob_stream.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/sound/firewire/bebob/bebob_stream.c b/sound/firewire/bebob/bebob_stream.c
+index ce07ea0d4e71..3935e90c8e8f 100644
+--- a/sound/firewire/bebob/bebob_stream.c
++++ b/sound/firewire/bebob/bebob_stream.c
+@@ -534,20 +534,22 @@ int snd_bebob_stream_init_duplex(struct snd_bebob *bebob)
+ static int keep_resources(struct snd_bebob *bebob, struct amdtp_stream *stream,
+ unsigned int rate, unsigned int index)
+ {
+- struct snd_bebob_stream_formation *formation;
++ unsigned int pcm_channels;
++ unsigned int midi_ports;
+ struct cmp_connection *conn;
+ int err;
+
+ if (stream == &bebob->tx_stream) {
+- formation = bebob->tx_stream_formations + index;
++ pcm_channels = bebob->tx_stream_formations[index].pcm;
++ midi_ports = bebob->midi_input_ports;
+ conn = &bebob->out_conn;
+ } else {
+- formation = bebob->rx_stream_formations + index;
++ pcm_channels = bebob->rx_stream_formations[index].pcm;
++ midi_ports = bebob->midi_output_ports;
+ conn = &bebob->in_conn;
+ }
+
+- err = amdtp_am824_set_parameters(stream, rate, formation->pcm,
+- formation->midi, false);
++ err = amdtp_am824_set_parameters(stream, rate, pcm_channels, midi_ports, false);
+ if (err < 0)
+ return err;
+
+--
+2.30.2
+
--- /dev/null
+From a177b61a0c001a6b038451c491765001d0bf69a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Apr 2021 16:11:57 +0300
+Subject: ALSA: hda/hdmi: fix race in handling acomp ELD notification at resume
+
+From: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+
+[ Upstream commit 0c37e2eb6b83e375e8a654d01598292d5591fc65 ]
+
+When snd-hda-codec-hdmi is used with ASoC HDA controller like SOF (acomp
+used for ELD notifications), display connection change done during suspend,
+can be lost due to following sequence of events:
+
+ 1. system in S3 suspend
+ 2. DP/HDMI receiver connected
+ 3. system resumed
+ 4. HDA controller resumed, but card->deferred_resume_work not complete
+ 5. acomp eld_notify callback
+ 6. eld_notify ignored as power state is not CTL_POWER_D0
+ 7. HDA resume deferred work completed, power state set to CTL_POWER_D0
+
+This results in losing the notification, and the jack state reported to
+user-space is not correct.
+
+The check on step 6 was added in commit 8ae743e82f0b ("ALSA: hda - Skip
+ELD notification during system suspend"). It would seem with the deferred
+resume logic in ASoC core, this check is not safe.
+
+Fix the issue by modifying the check to use "dev.power.power_state.event"
+instead of ALSA specific card power state variable.
+
+BugLink: https://github.com/thesofproject/linux/issues/2825
+Suggested-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+Link: https://lore.kernel.org/r/20210416131157.1881366-1-kai.vehmanen@linux.intel.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_hdmi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c
+index ce38b5d4670d..f620b402b309 100644
+--- a/sound/pci/hda/patch_hdmi.c
++++ b/sound/pci/hda/patch_hdmi.c
+@@ -2567,7 +2567,7 @@ static void generic_acomp_pin_eld_notify(void *audio_ptr, int port, int dev_id)
+ /* skip notification during system suspend (but not in runtime PM);
+ * the state will be updated at resume
+ */
+- if (snd_power_get_state(codec->card) != SNDRV_CTL_POWER_D0)
++ if (codec->core.dev.power.power_state.event == PM_EVENT_SUSPEND)
+ return;
+ /* ditto during suspend/resume process itself */
+ if (snd_hdac_is_in_pm(&codec->core))
+@@ -2772,7 +2772,7 @@ static void intel_pin_eld_notify(void *audio_ptr, int port, int pipe)
+ /* skip notification during system suspend (but not in runtime PM);
+ * the state will be updated at resume
+ */
+- if (snd_power_get_state(codec->card) != SNDRV_CTL_POWER_D0)
++ if (codec->core.dev.power.power_state.event == PM_EVENT_SUSPEND)
+ return;
+ /* ditto during suspend/resume process itself */
+ if (snd_hdac_is_in_pm(&codec->core))
+--
+2.30.2
+
--- /dev/null
+From 28d44bf81f9e3d36f6008d6c737b75828c7e6185 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 21 Mar 2021 11:38:38 -0400
+Subject: ALSA: hdsp: don't disable if not enabled
+
+From: Tong Zhang <ztong0001@gmail.com>
+
+[ Upstream commit 507cdb9adba006a7798c358456426e1aea3d9c4f ]
+
+hdsp wants to disable a not enabled pci device, which makes kernel
+throw a warning. Make sure the device is enabled before calling disable.
+
+[ 1.758292] snd_hdsp 0000:00:03.0: disabling already-disabled device
+[ 1.758327] WARNING: CPU: 0 PID: 180 at drivers/pci/pci.c:2146 pci_disable_device+0x91/0xb0
+[ 1.766985] Call Trace:
+[ 1.767121] snd_hdsp_card_free+0x94/0xf0 [snd_hdsp]
+[ 1.767388] release_card_device+0x4b/0x80 [snd]
+[ 1.767639] device_release+0x3b/0xa0
+[ 1.767838] kobject_put+0x94/0x1b0
+[ 1.768027] put_device+0x13/0x20
+[ 1.768207] snd_card_free+0x61/0x90 [snd]
+[ 1.768430] snd_hdsp_probe+0x524/0x5e0 [snd_hdsp]
+
+Suggested-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Tong Zhang <ztong0001@gmail.com>
+Link: https://lore.kernel.org/r/20210321153840.378226-2-ztong0001@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/rme9652/hdsp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sound/pci/rme9652/hdsp.c b/sound/pci/rme9652/hdsp.c
+index 5cbdc9be9c7e..c7b3e76ea2d2 100644
+--- a/sound/pci/rme9652/hdsp.c
++++ b/sound/pci/rme9652/hdsp.c
+@@ -5326,7 +5326,8 @@ static int snd_hdsp_free(struct hdsp *hdsp)
+ if (hdsp->port)
+ pci_release_regions(hdsp->pci);
+
+- pci_disable_device(hdsp->pci);
++ if (pci_is_enabled(hdsp->pci))
++ pci_disable_device(hdsp->pci);
+ return 0;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From a9eb160962730309fd9ebb7f9c1bc1024c8747ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 21 Mar 2021 11:38:39 -0400
+Subject: ALSA: hdspm: don't disable if not enabled
+
+From: Tong Zhang <ztong0001@gmail.com>
+
+[ Upstream commit 790f5719b85e12e10c41753b864e74249585ed08 ]
+
+hdspm wants to disable a not enabled pci device, which makes kernel
+throw a warning. Make sure the device is enabled before calling disable.
+
+[ 1.786391] snd_hdspm 0000:00:03.0: disabling already-disabled device
+[ 1.786400] WARNING: CPU: 0 PID: 182 at drivers/pci/pci.c:2146 pci_disable_device+0x91/0xb0
+[ 1.795181] Call Trace:
+[ 1.795320] snd_hdspm_card_free+0x58/0xa0 [snd_hdspm]
+[ 1.795595] release_card_device+0x4b/0x80 [snd]
+[ 1.795860] device_release+0x3b/0xa0
+[ 1.796072] kobject_put+0x94/0x1b0
+[ 1.796260] put_device+0x13/0x20
+[ 1.796438] snd_card_free+0x61/0x90 [snd]
+[ 1.796659] snd_hdspm_probe+0x97b/0x1440 [snd_hdspm]
+
+Suggested-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Tong Zhang <ztong0001@gmail.com>
+Link: https://lore.kernel.org/r/20210321153840.378226-3-ztong0001@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/rme9652/hdspm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sound/pci/rme9652/hdspm.c b/sound/pci/rme9652/hdspm.c
+index 81a6f4b2bd3c..e34f07c9ff47 100644
+--- a/sound/pci/rme9652/hdspm.c
++++ b/sound/pci/rme9652/hdspm.c
+@@ -6889,7 +6889,8 @@ static int snd_hdspm_free(struct hdspm * hdspm)
+ if (hdspm->port)
+ pci_release_regions(hdspm->pci);
+
+- pci_disable_device(hdspm->pci);
++ if (pci_is_enabled(hdspm->pci))
++ pci_disable_device(hdspm->pci);
+ return 0;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 62bface8e7ce05575b97cb40d31cb7be9f56725b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 21 Mar 2021 11:38:40 -0400
+Subject: ALSA: rme9652: don't disable if not enabled
+
+From: Tong Zhang <ztong0001@gmail.com>
+
+[ Upstream commit f57a741874bb6995089020e97a1dcdf9b165dcbe ]
+
+rme9652 wants to disable a not enabled pci device, which makes kernel
+throw a warning. Make sure the device is enabled before calling disable.
+
+[ 1.751595] snd_rme9652 0000:00:03.0: disabling already-disabled device
+[ 1.751605] WARNING: CPU: 0 PID: 174 at drivers/pci/pci.c:2146 pci_disable_device+0x91/0xb0
+[ 1.759968] Call Trace:
+[ 1.760145] snd_rme9652_card_free+0x76/0xa0 [snd_rme9652]
+[ 1.760434] release_card_device+0x4b/0x80 [snd]
+[ 1.760679] device_release+0x3b/0xa0
+[ 1.760874] kobject_put+0x94/0x1b0
+[ 1.761059] put_device+0x13/0x20
+[ 1.761235] snd_card_free+0x61/0x90 [snd]
+[ 1.761454] snd_rme9652_probe+0x3be/0x700 [snd_rme9652]
+
+Suggested-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Tong Zhang <ztong0001@gmail.com>
+Link: https://lore.kernel.org/r/20210321153840.378226-4-ztong0001@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/rme9652/rme9652.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sound/pci/rme9652/rme9652.c b/sound/pci/rme9652/rme9652.c
+index 4c851f8dcaf8..73ad6e74aac9 100644
+--- a/sound/pci/rme9652/rme9652.c
++++ b/sound/pci/rme9652/rme9652.c
+@@ -1745,7 +1745,8 @@ static int snd_rme9652_free(struct snd_rme9652 *rme9652)
+ if (rme9652->port)
+ pci_release_regions(rme9652->pci);
+
+- pci_disable_device(rme9652->pci);
++ if (pci_is_enabled(rme9652->pci))
++ pci_disable_device(rme9652->pci);
+ return 0;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 9959f5b56d246b8dcd46fbf971b146b0bb027292 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Feb 2021 03:00:05 +0100
+Subject: ARM: 9064/1: hw_breakpoint: Do not directly check the event's
+ overflow_handler hook
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit a506bd5756290821a4314f502b4bafc2afcf5260 ]
+
+The commit 1879445dfa7b ("perf/core: Set event's default
+::overflow_handler()") set a default event->overflow_handler in
+perf_event_alloc(), and replace the check event->overflow_handler with
+is_default_overflow_handler(), but one is missing.
+
+Currently, the bp->overflow_handler can not be NULL. As a result,
+enable_single_step() is always not invoked.
+
+Comments from Zhen Lei:
+
+ https://patchwork.kernel.org/project/linux-arm-kernel/patch/20210207105934.2001-1-thunder.leizhen@huawei.com/
+
+Fixes: 1879445dfa7b ("perf/core: Set event's default ::overflow_handler()")
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Cc: Wang Nan <wangnan0@huawei.com>
+Acked-by: Will Deacon <will@kernel.org>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/kernel/hw_breakpoint.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/kernel/hw_breakpoint.c b/arch/arm/kernel/hw_breakpoint.c
+index 7021ef0b4e71..b06d9ea07c84 100644
+--- a/arch/arm/kernel/hw_breakpoint.c
++++ b/arch/arm/kernel/hw_breakpoint.c
+@@ -883,7 +883,7 @@ static void breakpoint_handler(unsigned long unknown, struct pt_regs *regs)
+ info->trigger = addr;
+ pr_debug("breakpoint fired: address = 0x%x\n", addr);
+ perf_bp_event(bp, regs);
+- if (!bp->overflow_handler)
++ if (is_default_overflow_handler(bp))
+ enable_single_step(bp, addr);
+ goto unlock;
+ }
+--
+2.30.2
+
--- /dev/null
+From c300ad619349520f02d9fd7502333ff38f2a7cf9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Mar 2021 23:10:54 +0100
+Subject: ASoC: Intel: bytcr_rt5640: Add quirk for the Chuwi Hi8 tablet
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 875c40eadf6ac6644c0f71842a4f30dd9968d281 ]
+
+The Chuwi Hi8 tablet is using an analog mic on IN1 and has its
+jack-detect connected to JD2_IN4N, instead of using the default
+IN3 for its internal mic and JD1_IN4P for jack-detect.
+
+It also only has 1 speaker.
+
+Add a quirk applying the correct settings for this configuration.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20210325221054.22714-1-hdegoede@redhat.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/boards/bytcr_rt5640.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/sound/soc/intel/boards/bytcr_rt5640.c b/sound/soc/intel/boards/bytcr_rt5640.c
+index 006cf1e8b602..46a81d4f0b2d 100644
+--- a/sound/soc/intel/boards/bytcr_rt5640.c
++++ b/sound/soc/intel/boards/bytcr_rt5640.c
+@@ -512,6 +512,23 @@ static const struct dmi_system_id byt_rt5640_quirk_table[] = {
+ BYT_RT5640_SSP0_AIF1 |
+ BYT_RT5640_MCLK_EN),
+ },
++ {
++ /* Chuwi Hi8 (CWI509) */
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "Hampoo"),
++ DMI_MATCH(DMI_BOARD_NAME, "BYT-PA03C"),
++ DMI_MATCH(DMI_SYS_VENDOR, "ilife"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "S806"),
++ },
++ .driver_data = (void *)(BYT_RT5640_IN1_MAP |
++ BYT_RT5640_JD_SRC_JD2_IN4N |
++ BYT_RT5640_OVCD_TH_2000UA |
++ BYT_RT5640_OVCD_SF_0P75 |
++ BYT_RT5640_MONO_SPEAKER |
++ BYT_RT5640_DIFF_MIC |
++ BYT_RT5640_SSP0_AIF1 |
++ BYT_RT5640_MCLK_EN),
++ },
+ {
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Circuitco"),
+--
+2.30.2
+
--- /dev/null
+From 5eefb238b2f889a97b2858b1daff4355a6ece588 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Mar 2021 12:48:50 +0100
+Subject: ASoC: Intel: bytcr_rt5640: Enable jack-detect support on Asus T100TAF
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit b7c7203a1f751348f35fc4bcb157572d303f7573 ]
+
+The Asus T100TAF uses the same jack-detect settings as the T100TA,
+this has been confirmed on actual hardware.
+
+Add these settings to the T100TAF quirks to enable jack-detect support
+on the T100TAF.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://lore.kernel.org/r/20210312114850.13832-1-hdegoede@redhat.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/boards/bytcr_rt5640.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/soc/intel/boards/bytcr_rt5640.c b/sound/soc/intel/boards/bytcr_rt5640.c
+index cfd307717473..006cf1e8b602 100644
+--- a/sound/soc/intel/boards/bytcr_rt5640.c
++++ b/sound/soc/intel/boards/bytcr_rt5640.c
+@@ -476,6 +476,9 @@ static const struct dmi_system_id byt_rt5640_quirk_table[] = {
+ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "T100TAF"),
+ },
+ .driver_data = (void *)(BYT_RT5640_IN1_MAP |
++ BYT_RT5640_JD_SRC_JD2_IN4N |
++ BYT_RT5640_OVCD_TH_2000UA |
++ BYT_RT5640_OVCD_SF_0P75 |
+ BYT_RT5640_MONO_SPEAKER |
+ BYT_RT5640_DIFF_MIC |
+ BYT_RT5640_SSP0_AIF2 |
+--
+2.30.2
+
--- /dev/null
+From 20d064bd92a3c2f0d2bc8dc03c1ea10d24e09cdc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Apr 2021 13:28:38 +0900
+Subject: ASoC: rsnd: call rsnd_ssi_master_clk_start() from rsnd_ssi_init()
+
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+
+[ Upstream commit a122a116fc6d8fcf2f202dcd185173a54268f239 ]
+
+Current rsnd needs to call .prepare (P) for clock settings,
+.trigger for playback start (S) and stop (E).
+It should be called as below from SSI point of view.
+
+ P -> S -> E -> P -> S -> E -> ...
+
+But, if you used MIXer, below case might happen
+
+ (2)
+ 1: P -> S ---> E -> ...
+ 2: P ----> S -> ...
+ (1) (3)
+
+P(1) setups clock, but E(2) resets it. and starts playback (3).
+In such case, it will reports "SSI parent/child should use same rate".
+
+rsnd_ssi_master_clk_start() which is the main function at (P)
+was called from rsnd_ssi_init() (= S) before,
+but was moved by below patch to rsnd_soc_dai_prepare() (= P) to avoid
+using clk_get_rate() which shouldn't be used under atomic context.
+
+ commit 4d230d1271064 ("ASoC: rsnd: fixup not to call clk_get/set
+ under non-atomic")
+
+Because of above patch, rsnd_ssi_master_clk_start() is now called at (P)
+which is for non atomic context. But (P) is assuming that spin lock is
+*not* used.
+One issue now is rsnd_ssi_master_clk_start() is checking ssi->xxx
+which should be protected by spin lock.
+
+After above patch, adg.c had below patch for other reasons.
+
+ commit 06e8f5c842f2d ("ASoC: rsnd: don't call clk_get_rate()
+ under atomic context")
+
+clk_get_rate() is used at probe() timing by this patch.
+In other words, rsnd_ssi_master_clk_start() is no longer using
+clk_get_rate() any more.
+
+This means we can call it from rsnd_ssi_init() (= S) again which is
+protected by spin lock.
+This patch re-move it to under spin lock, and solves
+1. checking ssi->xxx without spin lock issue.
+2. clk setting / device start / device stop race condition.
+
+Reported-by: Linh Phung T. Y. <linh.phung.jy@renesas.com>
+Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Link: https://lore.kernel.org/r/875z0x1jt5.wl-kuninori.morimoto.gx@renesas.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sh/rcar/ssi.c | 14 +++++---------
+ 1 file changed, 5 insertions(+), 9 deletions(-)
+
+diff --git a/sound/soc/sh/rcar/ssi.c b/sound/soc/sh/rcar/ssi.c
+index 47d5ddb526f2..8926dd69e8b8 100644
+--- a/sound/soc/sh/rcar/ssi.c
++++ b/sound/soc/sh/rcar/ssi.c
+@@ -507,10 +507,15 @@ static int rsnd_ssi_init(struct rsnd_mod *mod,
+ struct rsnd_priv *priv)
+ {
+ struct rsnd_ssi *ssi = rsnd_mod_to_ssi(mod);
++ int ret;
+
+ if (!rsnd_ssi_is_run_mods(mod, io))
+ return 0;
+
++ ret = rsnd_ssi_master_clk_start(mod, io);
++ if (ret < 0)
++ return ret;
++
+ ssi->usrcnt++;
+
+ rsnd_mod_power_on(mod);
+@@ -1060,13 +1065,6 @@ static int rsnd_ssi_pio_pointer(struct rsnd_mod *mod,
+ return 0;
+ }
+
+-static int rsnd_ssi_prepare(struct rsnd_mod *mod,
+- struct rsnd_dai_stream *io,
+- struct rsnd_priv *priv)
+-{
+- return rsnd_ssi_master_clk_start(mod, io);
+-}
+-
+ static struct rsnd_mod_ops rsnd_ssi_pio_ops = {
+ .name = SSI_NAME,
+ .probe = rsnd_ssi_common_probe,
+@@ -1079,7 +1077,6 @@ static struct rsnd_mod_ops rsnd_ssi_pio_ops = {
+ .pointer = rsnd_ssi_pio_pointer,
+ .pcm_new = rsnd_ssi_pcm_new,
+ .hw_params = rsnd_ssi_hw_params,
+- .prepare = rsnd_ssi_prepare,
+ .get_status = rsnd_ssi_get_status,
+ };
+
+@@ -1166,7 +1163,6 @@ static struct rsnd_mod_ops rsnd_ssi_dma_ops = {
+ .pcm_new = rsnd_ssi_pcm_new,
+ .fallback = rsnd_ssi_fallback,
+ .hw_params = rsnd_ssi_hw_params,
+- .prepare = rsnd_ssi_prepare,
+ .get_status = rsnd_ssi_get_status,
+ };
+
+--
+2.30.2
+
--- /dev/null
+From 367aef231ee1f49e1f5eeba2632fff4a3e69ad15 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Mar 2021 14:47:35 +1000
+Subject: ASoC: rsnd: core: Check convert rate in rsnd_hw_params
+
+From: Mikhail Durnev <mikhail_durnev@mentor.com>
+
+[ Upstream commit 19c6a63ced5e07e40f3a5255cb1f0fe0d3be7b14 ]
+
+snd_pcm_hw_params_set_rate_near can return incorrect sample rate in
+some cases, e.g. when the backend output rate is set to some value higher
+than 48000 Hz and the input rate is 8000 Hz. So passing the value returned
+by snd_pcm_hw_params_set_rate_near to snd_pcm_hw_params will result in
+"FSO/FSI ratio error" and playing no audio at all while the userland
+is not properly notified about the issue.
+
+If SRC is unable to convert the requested sample rate to the sample rate
+the backend is using, then the requested sample rate should be adjusted in
+rsnd_hw_params. The userland will be notified about that change in the
+returned hw_params structure.
+
+Signed-off-by: Mikhail Durnev <mikhail_durnev@mentor.com>
+Link: https://lore.kernel.org/r/1615870055-13954-1-git-send-email-mikhail_durnev@mentor.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sh/rcar/core.c | 69 +++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 68 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/sh/rcar/core.c b/sound/soc/sh/rcar/core.c
+index a6c1cf987e6e..df8d7b53b760 100644
+--- a/sound/soc/sh/rcar/core.c
++++ b/sound/soc/sh/rcar/core.c
+@@ -1426,8 +1426,75 @@ static int rsnd_hw_params(struct snd_pcm_substream *substream,
+ }
+ if (io->converted_chan)
+ dev_dbg(dev, "convert channels = %d\n", io->converted_chan);
+- if (io->converted_rate)
++ if (io->converted_rate) {
++ /*
++ * SRC supports convert rates from params_rate(hw_params)/k_down
++ * to params_rate(hw_params)*k_up, where k_up is always 6, and
++ * k_down depends on number of channels and SRC unit.
++ * So all SRC units can upsample audio up to 6 times regardless
++ * its number of channels. And all SRC units can downsample
++ * 2 channel audio up to 6 times too.
++ */
++ int k_up = 6;
++ int k_down = 6;
++ int channel;
++ struct rsnd_mod *src_mod = rsnd_io_to_mod_src(io);
++
+ dev_dbg(dev, "convert rate = %d\n", io->converted_rate);
++
++ channel = io->converted_chan ? io->converted_chan :
++ params_channels(hw_params);
++
++ switch (rsnd_mod_id(src_mod)) {
++ /*
++ * SRC0 can downsample 4, 6 and 8 channel audio up to 4 times.
++ * SRC1, SRC3 and SRC4 can downsample 4 channel audio
++ * up to 4 times.
++ * SRC1, SRC3 and SRC4 can downsample 6 and 8 channel audio
++ * no more than twice.
++ */
++ case 1:
++ case 3:
++ case 4:
++ if (channel > 4) {
++ k_down = 2;
++ break;
++ }
++ fallthrough;
++ case 0:
++ if (channel > 2)
++ k_down = 4;
++ break;
++
++ /* Other SRC units do not support more than 2 channels */
++ default:
++ if (channel > 2)
++ return -EINVAL;
++ }
++
++ if (params_rate(hw_params) > io->converted_rate * k_down) {
++ hw_param_interval(hw_params, SNDRV_PCM_HW_PARAM_RATE)->min =
++ io->converted_rate * k_down;
++ hw_param_interval(hw_params, SNDRV_PCM_HW_PARAM_RATE)->max =
++ io->converted_rate * k_down;
++ hw_params->cmask |= SNDRV_PCM_HW_PARAM_RATE;
++ } else if (params_rate(hw_params) * k_up < io->converted_rate) {
++ hw_param_interval(hw_params, SNDRV_PCM_HW_PARAM_RATE)->min =
++ (io->converted_rate + k_up - 1) / k_up;
++ hw_param_interval(hw_params, SNDRV_PCM_HW_PARAM_RATE)->max =
++ (io->converted_rate + k_up - 1) / k_up;
++ hw_params->cmask |= SNDRV_PCM_HW_PARAM_RATE;
++ }
++
++ /*
++ * TBD: Max SRC input and output rates also depend on number
++ * of channels and SRC unit:
++ * SRC1, SRC3 and SRC4 do not support more than 128kHz
++ * for 6 channel and 96kHz for 8 channel audio.
++ * Perhaps this function should return EINVAL if the input or
++ * the output rate exceeds the limitation.
++ */
++ }
+ }
+
+ ret = rsnd_dai_call(hw_params, io, substream, hw_params);
+--
+2.30.2
+
--- /dev/null
+From faf4bd1f8d83660f6c6057734302d61b34f6a516 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Apr 2021 09:46:58 -0400
+Subject: ASoC: rt286: Generalize support for ALC3263 codec
+
+From: David Ward <david.ward@gatech.edu>
+
+[ Upstream commit aa2f9c12821e6a4ba1df4fb34a3dbc6a2a1ee7fe ]
+
+The ALC3263 codec on the XPS 13 9343 is also found on the Latitude 13 7350
+and Venue 11 Pro 7140. They require the same handling for the combo jack to
+work with a headset: GPIO pin 6 must be set.
+
+The HDA driver always sets this pin on the ALC3263, which it distinguishes
+by the codec vendor/device ID 0x10ec0288 and PCI subsystem vendor ID 0x1028
+(Dell). The ASoC driver does not use PCI, so adapt this check to use DMI to
+determine if Dell is the system vendor.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=150601
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=205961
+Signed-off-by: David Ward <david.ward@gatech.edu>
+Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://lore.kernel.org/r/20210418134658.4333-6-david.ward@gatech.edu
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/rt286.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/sound/soc/codecs/rt286.c b/sound/soc/codecs/rt286.c
+index 9593a9a27bf8..03e3e0aa25a2 100644
+--- a/sound/soc/codecs/rt286.c
++++ b/sound/soc/codecs/rt286.c
+@@ -1115,12 +1115,11 @@ static const struct dmi_system_id force_combo_jack_table[] = {
+ { }
+ };
+
+-static const struct dmi_system_id dmi_dell_dino[] = {
++static const struct dmi_system_id dmi_dell[] = {
+ {
+- .ident = "Dell Dino",
++ .ident = "Dell",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
+- DMI_MATCH(DMI_PRODUCT_NAME, "XPS 13 9343")
+ }
+ },
+ { }
+@@ -1131,7 +1130,7 @@ static int rt286_i2c_probe(struct i2c_client *i2c,
+ {
+ struct rt286_platform_data *pdata = dev_get_platdata(&i2c->dev);
+ struct rt286_priv *rt286;
+- int i, ret, val;
++ int i, ret, vendor_id;
+
+ rt286 = devm_kzalloc(&i2c->dev, sizeof(*rt286),
+ GFP_KERNEL);
+@@ -1147,14 +1146,15 @@ static int rt286_i2c_probe(struct i2c_client *i2c,
+ }
+
+ ret = regmap_read(rt286->regmap,
+- RT286_GET_PARAM(AC_NODE_ROOT, AC_PAR_VENDOR_ID), &val);
++ RT286_GET_PARAM(AC_NODE_ROOT, AC_PAR_VENDOR_ID), &vendor_id);
+ if (ret != 0) {
+ dev_err(&i2c->dev, "I2C error %d\n", ret);
+ return ret;
+ }
+- if (val != RT286_VENDOR_ID && val != RT288_VENDOR_ID) {
++ if (vendor_id != RT286_VENDOR_ID && vendor_id != RT288_VENDOR_ID) {
+ dev_err(&i2c->dev,
+- "Device with ID register %#x is not rt286\n", val);
++ "Device with ID register %#x is not rt286\n",
++ vendor_id);
+ return -ENODEV;
+ }
+
+@@ -1178,8 +1178,8 @@ static int rt286_i2c_probe(struct i2c_client *i2c,
+ if (pdata)
+ rt286->pdata = *pdata;
+
+- if (dmi_check_system(force_combo_jack_table) ||
+- dmi_check_system(dmi_dell_dino))
++ if ((vendor_id == RT288_VENDOR_ID && dmi_check_system(dmi_dell)) ||
++ dmi_check_system(force_combo_jack_table))
+ rt286->pdata.cbj_en = true;
+
+ regmap_write(rt286->regmap, RT286_SET_AUDIO_POWER, AC_PWRST_D3);
+@@ -1218,7 +1218,7 @@ static int rt286_i2c_probe(struct i2c_client *i2c,
+ regmap_update_bits(rt286->regmap, RT286_DEPOP_CTRL3, 0xf777, 0x4737);
+ regmap_update_bits(rt286->regmap, RT286_DEPOP_CTRL4, 0x00ff, 0x003f);
+
+- if (dmi_check_system(dmi_dell_dino)) {
++ if (vendor_id == RT288_VENDOR_ID && dmi_check_system(dmi_dell)) {
+ regmap_update_bits(rt286->regmap,
+ RT286_SET_GPIO_MASK, 0x40, 0x40);
+ regmap_update_bits(rt286->regmap,
+--
+2.30.2
+
--- /dev/null
+From b0cb4cd1d77bd74127bd1514dda516c4ec9a4a3c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Apr 2021 09:46:57 -0400
+Subject: ASoC: rt286: Make RT286_SET_GPIO_* readable and writable
+
+From: David Ward <david.ward@gatech.edu>
+
+[ Upstream commit cd8499d5c03ba260e3191e90236d0e5f6b147563 ]
+
+The GPIO configuration cannot be applied if the registers are inaccessible.
+This prevented the headset mic from working on the Dell XPS 13 9343.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=114171
+Signed-off-by: David Ward <david.ward@gatech.edu>
+Link: https://lore.kernel.org/r/20210418134658.4333-5-david.ward@gatech.edu
+Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/rt286.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/soc/codecs/rt286.c b/sound/soc/codecs/rt286.c
+index 03e3e0aa25a2..d8ab8af2c786 100644
+--- a/sound/soc/codecs/rt286.c
++++ b/sound/soc/codecs/rt286.c
+@@ -171,6 +171,9 @@ static bool rt286_readable_register(struct device *dev, unsigned int reg)
+ case RT286_PROC_COEF:
+ case RT286_SET_AMP_GAIN_ADC_IN1:
+ case RT286_SET_AMP_GAIN_ADC_IN2:
++ case RT286_SET_GPIO_MASK:
++ case RT286_SET_GPIO_DIRECTION:
++ case RT286_SET_GPIO_DATA:
+ case RT286_SET_POWER(RT286_DAC_OUT1):
+ case RT286_SET_POWER(RT286_DAC_OUT2):
+ case RT286_SET_POWER(RT286_ADC_IN1):
+--
+2.30.2
+
--- /dev/null
+From 2aee6bf051f68df8360c8da47ee93ae00a516561 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Mar 2021 16:32:20 +0800
+Subject: Bluetooth: check for zapped sk before connecting
+
+From: Archie Pusaka <apusaka@chromium.org>
+
+[ Upstream commit 3af70b39fa2d415dc86c370e5b24ddb9fdacbd6f ]
+
+There is a possibility of receiving a zapped sock on
+l2cap_sock_connect(). This could lead to interesting crashes, one
+such case is tearing down an already tore l2cap_sock as is happened
+with this call trace:
+
+__dump_stack lib/dump_stack.c:15 [inline]
+dump_stack+0xc4/0x118 lib/dump_stack.c:56
+register_lock_class kernel/locking/lockdep.c:792 [inline]
+register_lock_class+0x239/0x6f6 kernel/locking/lockdep.c:742
+__lock_acquire+0x209/0x1e27 kernel/locking/lockdep.c:3105
+lock_acquire+0x29c/0x2fb kernel/locking/lockdep.c:3599
+__raw_spin_lock_bh include/linux/spinlock_api_smp.h:137 [inline]
+_raw_spin_lock_bh+0x38/0x47 kernel/locking/spinlock.c:175
+spin_lock_bh include/linux/spinlock.h:307 [inline]
+lock_sock_nested+0x44/0xfa net/core/sock.c:2518
+l2cap_sock_teardown_cb+0x88/0x2fb net/bluetooth/l2cap_sock.c:1345
+l2cap_chan_del+0xa3/0x383 net/bluetooth/l2cap_core.c:598
+l2cap_chan_close+0x537/0x5dd net/bluetooth/l2cap_core.c:756
+l2cap_chan_timeout+0x104/0x17e net/bluetooth/l2cap_core.c:429
+process_one_work+0x7e3/0xcb0 kernel/workqueue.c:2064
+worker_thread+0x5a5/0x773 kernel/workqueue.c:2196
+kthread+0x291/0x2a6 kernel/kthread.c:211
+ret_from_fork+0x4e/0x80 arch/x86/entry/entry_64.S:604
+
+Signed-off-by: Archie Pusaka <apusaka@chromium.org>
+Reported-by: syzbot+abfc0f5e668d4099af73@syzkaller.appspotmail.com
+Reviewed-by: Alain Michaud <alainm@chromium.org>
+Reviewed-by: Abhishek Pandit-Subedi <abhishekpandit@chromium.org>
+Reviewed-by: Guenter Roeck <groeck@chromium.org>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_sock.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
+index 8648c5211ebe..e693fee08623 100644
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -179,9 +179,17 @@ static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
+ struct l2cap_chan *chan = l2cap_pi(sk)->chan;
+ struct sockaddr_l2 la;
+ int len, err = 0;
++ bool zapped;
+
+ BT_DBG("sk %p", sk);
+
++ lock_sock(sk);
++ zapped = sock_flag(sk, SOCK_ZAPPED);
++ release_sock(sk);
++
++ if (zapped)
++ return -EINVAL;
++
+ if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
+ addr->sa_family != AF_BLUETOOTH)
+ return -EINVAL;
+--
+2.30.2
+
--- /dev/null
+From 9722253c85a22b651596a562e32691c95224624d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Mar 2021 07:52:07 +0900
+Subject: Bluetooth: initialize skb_queue_head at l2cap_chan_create()
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+[ Upstream commit be8597239379f0f53c9710dd6ab551bbf535bec6 ]
+
+syzbot is hitting "INFO: trying to register non-static key." message [1],
+for "struct l2cap_chan"->tx_q.lock spinlock is not yet initialized when
+l2cap_chan_del() is called due to e.g. timeout.
+
+Since "struct l2cap_chan"->lock mutex is initialized at l2cap_chan_create()
+immediately after "struct l2cap_chan" is allocated using kzalloc(), let's
+as well initialize "struct l2cap_chan"->{tx_q,srej_q}.lock spinlocks there.
+
+[1] https://syzkaller.appspot.com/bug?extid=fadfba6a911f6bf71842
+
+Reported-and-tested-by: syzbot <syzbot+fadfba6a911f6bf71842@syzkaller.appspotmail.com>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index f5039700d927..959a16b13303 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -450,6 +450,8 @@ struct l2cap_chan *l2cap_chan_create(void)
+ if (!chan)
+ return NULL;
+
++ skb_queue_head_init(&chan->tx_q);
++ skb_queue_head_init(&chan->srej_q);
+ mutex_init(&chan->lock);
+
+ /* Set default lock nesting level */
+--
+2.30.2
+
--- /dev/null
+From 2354aafddc2a0ea286105c7f64bbad583345cb01 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Mar 2021 14:02:15 +0800
+Subject: Bluetooth: Set CONF_NOT_COMPLETE as l2cap_chan default
+
+From: Archie Pusaka <apusaka@chromium.org>
+
+[ Upstream commit 3a9d54b1947ecea8eea9a902c0b7eb58a98add8a ]
+
+Currently l2cap_chan_set_defaults() reset chan->conf_state to zero.
+However, there is a flag CONF_NOT_COMPLETE which is set when
+creating the l2cap_chan. It is suggested that the flag should be
+cleared when l2cap_chan is ready, but when l2cap_chan_set_defaults()
+is called, l2cap_chan is not yet ready. Therefore, we must set this
+flag as the default.
+
+Example crash call trace:
+__dump_stack lib/dump_stack.c:15 [inline]
+dump_stack+0xc4/0x118 lib/dump_stack.c:56
+panic+0x1c6/0x38b kernel/panic.c:117
+__warn+0x170/0x1b9 kernel/panic.c:471
+warn_slowpath_fmt+0xc7/0xf8 kernel/panic.c:494
+debug_print_object+0x175/0x193 lib/debugobjects.c:260
+debug_object_assert_init+0x171/0x1bf lib/debugobjects.c:614
+debug_timer_assert_init kernel/time/timer.c:629 [inline]
+debug_assert_init kernel/time/timer.c:677 [inline]
+del_timer+0x7c/0x179 kernel/time/timer.c:1034
+try_to_grab_pending+0x81/0x2e5 kernel/workqueue.c:1230
+cancel_delayed_work+0x7c/0x1c4 kernel/workqueue.c:2929
+l2cap_clear_timer+0x1e/0x41 include/net/bluetooth/l2cap.h:834
+l2cap_chan_del+0x2d8/0x37e net/bluetooth/l2cap_core.c:640
+l2cap_chan_close+0x532/0x5d8 net/bluetooth/l2cap_core.c:756
+l2cap_sock_shutdown+0x806/0x969 net/bluetooth/l2cap_sock.c:1174
+l2cap_sock_release+0x64/0x14d net/bluetooth/l2cap_sock.c:1217
+__sock_release+0xda/0x217 net/socket.c:580
+sock_close+0x1b/0x1f net/socket.c:1039
+__fput+0x322/0x55c fs/file_table.c:208
+____fput+0x17/0x19 fs/file_table.c:244
+task_work_run+0x19b/0x1d3 kernel/task_work.c:115
+exit_task_work include/linux/task_work.h:21 [inline]
+do_exit+0xe4c/0x204a kernel/exit.c:766
+do_group_exit+0x291/0x291 kernel/exit.c:891
+get_signal+0x749/0x1093 kernel/signal.c:2396
+do_signal+0xa5/0xcdb arch/x86/kernel/signal.c:737
+exit_to_usermode_loop arch/x86/entry/common.c:243 [inline]
+prepare_exit_to_usermode+0xed/0x235 arch/x86/entry/common.c:277
+syscall_return_slowpath+0x3a7/0x3b3 arch/x86/entry/common.c:348
+int_ret_from_sys_call+0x25/0xa3
+
+Signed-off-by: Archie Pusaka <apusaka@chromium.org>
+Reported-by: syzbot+338f014a98367a08a114@syzkaller.appspotmail.com
+Reviewed-by: Alain Michaud <alainm@chromium.org>
+Reviewed-by: Abhishek Pandit-Subedi <abhishekpandit@chromium.org>
+Reviewed-by: Guenter Roeck <groeck@chromium.org>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 3499bace25ec..f5039700d927 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -515,7 +515,9 @@ void l2cap_chan_set_defaults(struct l2cap_chan *chan)
+ chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
+ chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
+ chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
++
+ chan->conf_state = 0;
++ set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
+
+ set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
+ }
+--
+2.30.2
+
--- /dev/null
+From dd8aa0c10e05f573b8bfc076d15249a77fd4b0b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 25 Apr 2021 13:45:25 -0400
+Subject: bnxt_en: Add PCI IDs for Hyper-V VF devices.
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+[ Upstream commit 7fbf359bb2c19c824cbb1954020680824f6ee5a5 ]
+
+Support VF device IDs used by the Hyper-V hypervisor.
+
+Reviewed-by: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+Reviewed-by: Andy Gospodarek <gospo@broadcom.com>
+Signed-off-by: Edwin Peer <edwin.peer@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index 588389697cf9..106f2b2ce17f 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -125,7 +125,10 @@ enum board_idx {
+ NETXTREME_E_VF,
+ NETXTREME_C_VF,
+ NETXTREME_S_VF,
++ NETXTREME_C_VF_HV,
++ NETXTREME_E_VF_HV,
+ NETXTREME_E_P5_VF,
++ NETXTREME_E_P5_VF_HV,
+ };
+
+ /* indexed by enum above */
+@@ -173,7 +176,10 @@ static const struct {
+ [NETXTREME_E_VF] = { "Broadcom NetXtreme-E Ethernet Virtual Function" },
+ [NETXTREME_C_VF] = { "Broadcom NetXtreme-C Ethernet Virtual Function" },
+ [NETXTREME_S_VF] = { "Broadcom NetXtreme-S Ethernet Virtual Function" },
++ [NETXTREME_C_VF_HV] = { "Broadcom NetXtreme-C Virtual Function for Hyper-V" },
++ [NETXTREME_E_VF_HV] = { "Broadcom NetXtreme-E Virtual Function for Hyper-V" },
+ [NETXTREME_E_P5_VF] = { "Broadcom BCM5750X NetXtreme-E Ethernet Virtual Function" },
++ [NETXTREME_E_P5_VF_HV] = { "Broadcom BCM5750X NetXtreme-E Virtual Function for Hyper-V" },
+ };
+
+ static const struct pci_device_id bnxt_pci_tbl[] = {
+@@ -225,15 +231,25 @@ static const struct pci_device_id bnxt_pci_tbl[] = {
+ { PCI_VDEVICE(BROADCOM, 0xd804), .driver_data = BCM58804 },
+ #ifdef CONFIG_BNXT_SRIOV
+ { PCI_VDEVICE(BROADCOM, 0x1606), .driver_data = NETXTREME_E_VF },
++ { PCI_VDEVICE(BROADCOM, 0x1607), .driver_data = NETXTREME_E_VF_HV },
++ { PCI_VDEVICE(BROADCOM, 0x1608), .driver_data = NETXTREME_E_VF_HV },
+ { PCI_VDEVICE(BROADCOM, 0x1609), .driver_data = NETXTREME_E_VF },
++ { PCI_VDEVICE(BROADCOM, 0x16bd), .driver_data = NETXTREME_E_VF_HV },
+ { PCI_VDEVICE(BROADCOM, 0x16c1), .driver_data = NETXTREME_E_VF },
++ { PCI_VDEVICE(BROADCOM, 0x16c2), .driver_data = NETXTREME_C_VF_HV },
++ { PCI_VDEVICE(BROADCOM, 0x16c3), .driver_data = NETXTREME_C_VF_HV },
++ { PCI_VDEVICE(BROADCOM, 0x16c4), .driver_data = NETXTREME_E_VF_HV },
++ { PCI_VDEVICE(BROADCOM, 0x16c5), .driver_data = NETXTREME_E_VF_HV },
+ { PCI_VDEVICE(BROADCOM, 0x16cb), .driver_data = NETXTREME_C_VF },
+ { PCI_VDEVICE(BROADCOM, 0x16d3), .driver_data = NETXTREME_E_VF },
+ { PCI_VDEVICE(BROADCOM, 0x16dc), .driver_data = NETXTREME_E_VF },
+ { PCI_VDEVICE(BROADCOM, 0x16e1), .driver_data = NETXTREME_C_VF },
+ { PCI_VDEVICE(BROADCOM, 0x16e5), .driver_data = NETXTREME_C_VF },
++ { PCI_VDEVICE(BROADCOM, 0x16e6), .driver_data = NETXTREME_C_VF_HV },
+ { PCI_VDEVICE(BROADCOM, 0x1806), .driver_data = NETXTREME_E_P5_VF },
+ { PCI_VDEVICE(BROADCOM, 0x1807), .driver_data = NETXTREME_E_P5_VF },
++ { PCI_VDEVICE(BROADCOM, 0x1808), .driver_data = NETXTREME_E_P5_VF_HV },
++ { PCI_VDEVICE(BROADCOM, 0x1809), .driver_data = NETXTREME_E_P5_VF_HV },
+ { PCI_VDEVICE(BROADCOM, 0xd800), .driver_data = NETXTREME_S_VF },
+ #endif
+ { 0 }
+@@ -263,7 +279,8 @@ static struct workqueue_struct *bnxt_pf_wq;
+ static bool bnxt_vf_pciid(enum board_idx idx)
+ {
+ return (idx == NETXTREME_C_VF || idx == NETXTREME_E_VF ||
+- idx == NETXTREME_S_VF || idx == NETXTREME_E_P5_VF);
++ idx == NETXTREME_S_VF || idx == NETXTREME_C_VF_HV ||
++ idx == NETXTREME_E_VF_HV || idx == NETXTREME_E_P5_VF);
+ }
+
+ #define DB_CP_REARM_FLAGS (DB_KEY_CP | DB_IDX_VALID)
+--
+2.30.2
+
--- /dev/null
+From f43af97658deab842a62643884c73d990a1ea5f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 May 2021 13:32:27 +0200
+Subject: can: m_can: m_can_tx_work_queue(): fix tx_skb race condition
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+[ Upstream commit e04b2cfe61072c7966e1a5fb73dd1feb30c206ed ]
+
+The m_can_start_xmit() function checks if the cdev->tx_skb is NULL and
+returns with NETDEV_TX_BUSY in case tx_sbk is not NULL.
+
+There is a race condition in the m_can_tx_work_queue(), where first
+the skb is send to the driver and then the case tx_sbk is set to NULL.
+A TX complete IRQ might come in between and wake the queue, which
+results in tx_skb not being cleared yet.
+
+Fixes: f524f829b75a ("can: m_can: Create a m_can platform framework")
+Tested-by: Torin Cooper-Bennun <torin@maxiluxsystems.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/m_can/m_can.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/m_can/m_can.c b/drivers/net/can/m_can/m_can.c
+index b2224113987c..de275ccb4fd0 100644
+--- a/drivers/net/can/m_can/m_can.c
++++ b/drivers/net/can/m_can/m_can.c
+@@ -1418,6 +1418,8 @@ static netdev_tx_t m_can_tx_handler(struct m_can_classdev *cdev)
+ int i;
+ int putidx;
+
++ cdev->tx_skb = NULL;
++
+ /* Generate ID field for TX buffer Element */
+ /* Common to all supported M_CAN versions */
+ if (cf->can_id & CAN_EFF_FLAG) {
+@@ -1534,7 +1536,6 @@ static void m_can_tx_work_queue(struct work_struct *ws)
+ tx_work);
+
+ m_can_tx_handler(cdev);
+- cdev->tx_skb = NULL;
+ }
+
+ static netdev_tx_t m_can_start_xmit(struct sk_buff *skb,
+--
+2.30.2
+
--- /dev/null
+From c306f54a13a43e5eaa48c751b34c9c15f768ad03 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Mar 2021 09:21:53 -0400
+Subject: ceph: fix inode leak on getattr error in __fh_to_dentry
+
+From: Jeff Layton <jlayton@kernel.org>
+
+[ Upstream commit 1775c7ddacfcea29051c67409087578f8f4d751b ]
+
+Fixes: 878dabb64117 ("ceph: don't return -ESTALE if there's still an open file")
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: Xiubo Li <xiubli@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ceph/export.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ceph/export.c b/fs/ceph/export.c
+index e088843a7734..baa6368bece5 100644
+--- a/fs/ceph/export.c
++++ b/fs/ceph/export.c
+@@ -178,8 +178,10 @@ static struct dentry *__fh_to_dentry(struct super_block *sb, u64 ino)
+ return ERR_CAST(inode);
+ /* We need LINK caps to reliably check i_nlink */
+ err = ceph_do_getattr(inode, CEPH_CAP_LINK_SHARED, false);
+- if (err)
++ if (err) {
++ iput(inode);
+ return ERR_PTR(err);
++ }
+ /* -ESTALE if inode as been unlinked and no file is open */
+ if ((inode->i_nlink == 0) && (atomic_read(&inode->i_count) == 1)) {
+ iput(inode);
+--
+2.30.2
+
--- /dev/null
+From 816ae05bb13fd88f31c247fbaa88738f03b062b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Apr 2021 10:40:58 +0200
+Subject: cuse: prevent clone
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+[ Upstream commit 8217673d07256b22881127bf50dce874d0e51653 ]
+
+For cloned connections cuse_channel_release() will be called more than
+once, resulting in use after free.
+
+Prevent device cloning for CUSE, which does not make sense at this point,
+and highly unlikely to be used in real life.
+
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/fuse/cuse.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/fuse/cuse.c b/fs/fuse/cuse.c
+index 00015d851382..e51b7019e887 100644
+--- a/fs/fuse/cuse.c
++++ b/fs/fuse/cuse.c
+@@ -624,6 +624,8 @@ static int __init cuse_init(void)
+ cuse_channel_fops.owner = THIS_MODULE;
+ cuse_channel_fops.open = cuse_channel_open;
+ cuse_channel_fops.release = cuse_channel_release;
++ /* CUSE is not prepared for FUSE_DEV_IOC_CLONE */
++ cuse_channel_fops.unlocked_ioctl = NULL;
+
+ cuse_class = class_create(THIS_MODULE, "cuse");
+ if (IS_ERR(cuse_class))
+--
+2.30.2
+
--- /dev/null
+From 4a382354449447ae482b833a203ad9f0a185878c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Dec 2020 19:14:48 -0500
+Subject: drm/amd/display: fixed divide by zero kernel crash during dsc
+ enablement
+
+From: Robin Singh <robin.singh@amd.com>
+
+[ Upstream commit 19cc1f3829567e7dca21c1389ea6407b8f5efab4 ]
+
+[why]
+During dsc enable, a divide by zero condition triggered the
+kernel crash.
+
+[how]
+An IGT test, which enable the DSC, was crashing at the time of
+restore the default dsc status, becaue of h_totals value
+becoming 0. So add a check before divide condition. If h_total
+is zero, gracefully ignore and set the default value.
+
+kernel panic log:
+
+ [ 128.758827] divide error: 0000 [#1] PREEMPT SMP NOPTI
+ [ 128.762714] CPU: 5 PID: 4562 Comm: amd_dp_dsc Tainted: G W 5.4.19-android-x86_64 #1
+ [ 128.769728] Hardware name: ADVANCED MICRO DEVICES, INC. Mauna/Mauna, BIOS WMN0B13N Nov 11 2020
+ [ 128.777695] RIP: 0010:hubp2_vready_at_or_After_vsync+0x37/0x7a [amdgpu]
+ [ 128.785707] Code: 80 02 00 00 48 89 f3 48 8b 7f 08 b ......
+ [ 128.805696] RSP: 0018:ffffad8f82d43628 EFLAGS: 00010246
+ ......
+ [ 128.857707] CR2: 00007106d8465000 CR3: 0000000426530000 CR4: 0000000000140ee0
+ [ 128.865695] Call Trace:
+ [ 128.869712] hubp3_setup+0x1f/0x7f [amdgpu]
+ [ 128.873705] dcn20_update_dchubp_dpp+0xc8/0x54a [amdgpu]
+ [ 128.877706] dcn20_program_front_end_for_ctx+0x31d/0x463 [amdgpu]
+ [ 128.885706] dc_commit_state+0x3d2/0x658 [amdgpu]
+ [ 128.889707] amdgpu_dm_atomic_commit_tail+0x4b3/0x1e7c [amdgpu]
+ [ 128.897699] ? dm_read_reg_func+0x41/0xb5 [amdgpu]
+ [ 128.901707] ? dm_read_reg_func+0x41/0xb5 [amdgpu]
+ [ 128.905706] ? __is_insn_slot_addr+0x43/0x48
+ [ 128.909706] ? fill_plane_buffer_attributes+0x29e/0x3dc [amdgpu]
+ [ 128.917705] ? dm_plane_helper_prepare_fb+0x255/0x284 [amdgpu]
+ [ 128.921700] ? usleep_range+0x7c/0x7c
+ [ 128.925705] ? preempt_count_sub+0xf/0x18
+ [ 128.929706] ? _raw_spin_unlock_irq+0x13/0x24
+ [ 128.933732] ? __wait_for_common+0x11e/0x18f
+ [ 128.937705] ? _raw_spin_unlock_irq+0x13/0x24
+ [ 128.941706] ? __wait_for_common+0x11e/0x18f
+ [ 128.945705] commit_tail+0x8b/0xd2 [drm_kms_helper]
+ [ 128.949707] drm_atomic_helper_commit+0xd8/0xf5 [drm_kms_helper]
+ [ 128.957706] amdgpu_dm_atomic_commit+0x337/0x360 [amdgpu]
+ [ 128.961705] ? drm_atomic_check_only+0x543/0x68d [drm]
+ [ 128.969705] ? drm_atomic_set_property+0x760/0x7af [drm]
+ [ 128.973704] ? drm_mode_atomic_ioctl+0x6f3/0x85a [drm]
+ [ 128.977705] drm_mode_atomic_ioctl+0x6f3/0x85a [drm]
+ [ 128.985705] ? drm_atomic_set_property+0x7af/0x7af [drm]
+ [ 128.989706] drm_ioctl_kernel+0x82/0xda [drm]
+ [ 128.993706] drm_ioctl+0x225/0x319 [drm]
+ [ 128.997707] ? drm_atomic_set_property+0x7af/0x7af [drm]
+ [ 129.001706] ? preempt_count_sub+0xf/0x18
+ [ 129.005713] amdgpu_drm_ioctl+0x4b/0x76 [amdgpu]
+ [ 129.009705] vfs_ioctl+0x1d/0x2a
+ [ 129.013705] do_vfs_ioctl+0x419/0x43d
+ [ 129.017707] ksys_ioctl+0x52/0x71
+ [ 129.021707] __x64_sys_ioctl+0x16/0x19
+ [ 129.025706] do_syscall_64+0x78/0x85
+ [ 129.029705] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Signed-off-by: Robin Singh <robin.singh@amd.com>
+Reviewed-by: Harry Wentland <Harry.Wentland@amd.com>
+Reviewed-by: Robin Singh <Robin.Singh@amd.com>
+Acked-by: Aurabindo Pillai <aurabindo.pillai@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hubp.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hubp.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hubp.c
+index 69e2aae42394..b250ef75c163 100644
+--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hubp.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hubp.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright 2012-17 Advanced Micro Devices, Inc.
++ * Copyright 2012-2021 Advanced Micro Devices, Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+@@ -179,11 +179,14 @@ void hubp2_vready_at_or_After_vsync(struct hubp *hubp,
+ else
+ Set HUBP_VREADY_AT_OR_AFTER_VSYNC = 0
+ */
+- if ((pipe_dest->vstartup_start - (pipe_dest->vready_offset+pipe_dest->vupdate_width
+- + pipe_dest->vupdate_offset) / pipe_dest->htotal) <= pipe_dest->vblank_end) {
+- value = 1;
+- } else
+- value = 0;
++ if (pipe_dest->htotal != 0) {
++ if ((pipe_dest->vstartup_start - (pipe_dest->vready_offset+pipe_dest->vupdate_width
++ + pipe_dest->vupdate_offset) / pipe_dest->htotal) <= pipe_dest->vblank_end) {
++ value = 1;
++ } else
++ value = 0;
++ }
++
+ REG_UPDATE(DCHUBP_CNTL, HUBP_VREADY_AT_OR_AFTER_VSYNC, value);
+ }
+
+--
+2.30.2
+
--- /dev/null
+From cd92e20268dec8449b55df356d7e10218ac67cfb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Mar 2021 11:03:35 -0400
+Subject: drm/amd/display: Force vsync flip when reconfiguring MPCC
+
+From: Anthony Wang <anthony1.wang@amd.com>
+
+[ Upstream commit 56d63782af9bbd1271bff1422a6a013123eade4d ]
+
+[Why]
+Underflow observed when disabling PIP overlay in-game when
+vsync is disabled, due to OTC master lock not working with
+game pipe which is immediate flip.
+
+[How]
+When performing a full update, override flip_immediate value
+to false for all planes, so that flip occurs on vsync.
+
+Signed-off-by: Anthony Wang <anthony1.wang@amd.com>
+Acked-by: Bindu Ramamurthy <bindur12@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/core/dc.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c
+index 092db590087c..14dc1b8719a9 100644
+--- a/drivers/gpu/drm/amd/display/dc/core/dc.c
++++ b/drivers/gpu/drm/amd/display/dc/core/dc.c
+@@ -2050,6 +2050,10 @@ static void commit_planes_for_stream(struct dc *dc,
+ plane_state->triplebuffer_flips = true;
+ }
+ }
++ if (update_type == UPDATE_TYPE_FULL) {
++ /* force vsync flip when reconfiguring pipes to prevent underflow */
++ plane_state->flip_immediate = false;
++ }
+ }
+ }
+ #endif
+--
+2.30.2
+
--- /dev/null
+From e0cd1e3642b3e6563bbe7c01c8994c163cc11f36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 2 May 2021 22:06:08 -0700
+Subject: drm/radeon: Avoid power table parsing memory leaks
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit c69f27137a38d24301a6b659454a91ad85dff4aa ]
+
+Avoid leaving a hanging pre-allocated clock_info if last mode is
+invalid, and avoid heap corruption if no valid modes are found.
+
+Bug: https://bugzilla.kernel.org/show_bug.cgi?id=211537
+Fixes: 6991b8f2a319 ("drm/radeon/kms: fix segfault in pm rework")
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/radeon/radeon_atombios.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/radeon/radeon_atombios.c b/drivers/gpu/drm/radeon/radeon_atombios.c
+index 97703449e049..9e0aa357585f 100644
+--- a/drivers/gpu/drm/radeon/radeon_atombios.c
++++ b/drivers/gpu/drm/radeon/radeon_atombios.c
+@@ -2136,11 +2136,14 @@ static int radeon_atombios_parse_power_table_1_3(struct radeon_device *rdev)
+ return state_index;
+ /* last mode is usually default, array is low to high */
+ for (i = 0; i < num_modes; i++) {
+- rdev->pm.power_state[state_index].clock_info =
+- kcalloc(1, sizeof(struct radeon_pm_clock_info),
+- GFP_KERNEL);
++ /* avoid memory leaks from invalid modes or unknown frev. */
++ if (!rdev->pm.power_state[state_index].clock_info) {
++ rdev->pm.power_state[state_index].clock_info =
++ kzalloc(sizeof(struct radeon_pm_clock_info),
++ GFP_KERNEL);
++ }
+ if (!rdev->pm.power_state[state_index].clock_info)
+- return state_index;
++ goto out;
+ rdev->pm.power_state[state_index].num_clock_modes = 1;
+ rdev->pm.power_state[state_index].clock_info[0].voltage.type = VOLTAGE_NONE;
+ switch (frev) {
+@@ -2259,8 +2262,15 @@ static int radeon_atombios_parse_power_table_1_3(struct radeon_device *rdev)
+ break;
+ }
+ }
++out:
++ /* free any unused clock_info allocation. */
++ if (state_index && state_index < num_modes) {
++ kfree(rdev->pm.power_state[state_index].clock_info);
++ rdev->pm.power_state[state_index].clock_info = NULL;
++ }
++
+ /* last mode is usually default */
+- if (rdev->pm.default_power_state_index == -1) {
++ if (state_index && rdev->pm.default_power_state_index == -1) {
+ rdev->pm.power_state[state_index - 1].type =
+ POWER_STATE_TYPE_DEFAULT;
+ rdev->pm.default_power_state_index = state_index - 1;
+--
+2.30.2
+
--- /dev/null
+From c2e1d19b5c0b5704dee275c3ae917a733a0c53d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 2 May 2021 22:06:07 -0700
+Subject: drm/radeon: Fix off-by-one power_state index heap overwrite
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 5bbf219328849e83878bddb7c226d8d42e84affc ]
+
+An out of bounds write happens when setting the default power state.
+KASAN sees this as:
+
+[drm] radeon: 512M of GTT memory ready.
+[drm] GART: num cpu pages 131072, num gpu pages 131072
+==================================================================
+BUG: KASAN: slab-out-of-bounds in
+radeon_atombios_parse_power_table_1_3+0x1837/0x1998 [radeon]
+Write of size 4 at addr ffff88810178d858 by task systemd-udevd/157
+
+CPU: 0 PID: 157 Comm: systemd-udevd Not tainted 5.12.0-E620 #50
+Hardware name: eMachines eMachines E620 /Nile , BIOS V1.03 09/30/2008
+Call Trace:
+ dump_stack+0xa5/0xe6
+ print_address_description.constprop.0+0x18/0x239
+ kasan_report+0x170/0x1a8
+ radeon_atombios_parse_power_table_1_3+0x1837/0x1998 [radeon]
+ radeon_atombios_get_power_modes+0x144/0x1888 [radeon]
+ radeon_pm_init+0x1019/0x1904 [radeon]
+ rs690_init+0x76e/0x84a [radeon]
+ radeon_device_init+0x1c1a/0x21e5 [radeon]
+ radeon_driver_load_kms+0xf5/0x30b [radeon]
+ drm_dev_register+0x255/0x4a0 [drm]
+ radeon_pci_probe+0x246/0x2f6 [radeon]
+ pci_device_probe+0x1aa/0x294
+ really_probe+0x30e/0x850
+ driver_probe_device+0xe6/0x135
+ device_driver_attach+0xc1/0xf8
+ __driver_attach+0x13f/0x146
+ bus_for_each_dev+0xfa/0x146
+ bus_add_driver+0x2b3/0x447
+ driver_register+0x242/0x2c1
+ do_one_initcall+0x149/0x2fd
+ do_init_module+0x1ae/0x573
+ load_module+0x4dee/0x5cca
+ __do_sys_finit_module+0xf1/0x140
+ do_syscall_64+0x33/0x40
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Without KASAN, this will manifest later when the kernel attempts to
+allocate memory that was stomped, since it collides with the inline slab
+freelist pointer:
+
+invalid opcode: 0000 [#1] SMP NOPTI
+CPU: 0 PID: 781 Comm: openrc-run.sh Tainted: G W 5.10.12-gentoo-E620 #2
+Hardware name: eMachines eMachines E620 /Nile , BIOS V1.03 09/30/2008
+RIP: 0010:kfree+0x115/0x230
+Code: 89 c5 e8 75 ea ff ff 48 8b 00 0f ba e0 09 72 63 e8 1f f4 ff ff 41 89 c4 48 8b 45 00 0f ba e0 10 72 0a 48 8b 45 08 a8 01 75 02 <0f> 0b 44 89 e1 48 c7 c2 00 f0 ff ff be 06 00 00 00 48 d3 e2 48 c7
+RSP: 0018:ffffb42f40267e10 EFLAGS: 00010246
+RAX: ffffd61280ee8d88 RBX: 0000000000000004 RCX: 000000008010000d
+RDX: 4000000000000000 RSI: ffffffffba1360b0 RDI: ffffd61280ee8d80
+RBP: ffffd61280ee8d80 R08: ffffffffb91bebdf R09: 0000000000000000
+R10: ffff8fe2c1047ac8 R11: 0000000000000000 R12: 0000000000000000
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000100
+FS: 00007fe80eff6b68(0000) GS:ffff8fe339c00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007fe80eec7bc0 CR3: 0000000038012000 CR4: 00000000000006f0
+Call Trace:
+ __free_fdtable+0x16/0x1f
+ put_files_struct+0x81/0x9b
+ do_exit+0x433/0x94d
+ do_group_exit+0xa6/0xa6
+ __x64_sys_exit_group+0xf/0xf
+ do_syscall_64+0x33/0x40
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x7fe80ef64bea
+Code: Unable to access opcode bytes at RIP 0x7fe80ef64bc0.
+RSP: 002b:00007ffdb1c47528 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fe80ef64bea
+RDX: 00007fe80ef64f60 RSI: 0000000000000000 RDI: 0000000000000000
+RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
+R10: 00007fe80ee2c620 R11: 0000000000000246 R12: 00007fe80eff41e0
+R13: 00000000ffffffff R14: 0000000000000024 R15: 00007fe80edf9cd0
+Modules linked in: radeon(+) ath5k(+) snd_hda_codec_realtek ...
+
+Use a valid power_state index when initializing the "flags" and "misc"
+and "misc2" fields.
+
+Bug: https://bugzilla.kernel.org/show_bug.cgi?id=211537
+Reported-by: Erhard F. <erhard_f@mailbox.org>
+Fixes: a48b9b4edb8b ("drm/radeon/kms/pm: add asic specific callbacks for getting power state (v2)")
+Fixes: 79daedc94281 ("drm/radeon/kms: minor pm cleanups")
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/radeon/radeon_atombios.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/radeon/radeon_atombios.c b/drivers/gpu/drm/radeon/radeon_atombios.c
+index 226a7bf0eb7a..97703449e049 100644
+--- a/drivers/gpu/drm/radeon/radeon_atombios.c
++++ b/drivers/gpu/drm/radeon/radeon_atombios.c
+@@ -2266,10 +2266,10 @@ static int radeon_atombios_parse_power_table_1_3(struct radeon_device *rdev)
+ rdev->pm.default_power_state_index = state_index - 1;
+ rdev->pm.power_state[state_index - 1].default_clock_mode =
+ &rdev->pm.power_state[state_index - 1].clock_info[0];
+- rdev->pm.power_state[state_index].flags &=
++ rdev->pm.power_state[state_index - 1].flags &=
+ ~RADEON_PM_STATE_SINGLE_DISPLAY_ONLY;
+- rdev->pm.power_state[state_index].misc = 0;
+- rdev->pm.power_state[state_index].misc2 = 0;
++ rdev->pm.power_state[state_index - 1].misc = 0;
++ rdev->pm.power_state[state_index - 1].misc2 = 0;
+ }
+ return state_index;
+ }
+--
+2.30.2
+
--- /dev/null
+From 15fea053dcf75a98bc52096dfc30c12b18dc9ba4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 2 May 2021 04:58:18 -0700
+Subject: ethernet:enic: Fix a use after free bug in enic_hard_start_xmit
+
+From: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+
+[ Upstream commit 643001b47adc844ae33510c4bb93c236667008a3 ]
+
+In enic_hard_start_xmit, it calls enic_queue_wq_skb(). Inside
+enic_queue_wq_skb, if some error happens, the skb will be freed
+by dev_kfree_skb(skb). But the freed skb is still used in
+skb_tx_timestamp(skb).
+
+My patch makes enic_queue_wq_skb() return error and goto spin_unlock()
+incase of error. The solution is provided by Govind.
+See https://lkml.org/lkml/2021/4/30/961.
+
+Fixes: fb7516d42478e ("enic: add sw timestamp support")
+Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+Acked-by: Govindarajulu Varadarajan <gvaradar@cisco.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cisco/enic/enic_main.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/cisco/enic/enic_main.c b/drivers/net/ethernet/cisco/enic/enic_main.c
+index 8314102002b0..03c8af58050c 100644
+--- a/drivers/net/ethernet/cisco/enic/enic_main.c
++++ b/drivers/net/ethernet/cisco/enic/enic_main.c
+@@ -803,7 +803,7 @@ static inline int enic_queue_wq_skb_encap(struct enic *enic, struct vnic_wq *wq,
+ return err;
+ }
+
+-static inline void enic_queue_wq_skb(struct enic *enic,
++static inline int enic_queue_wq_skb(struct enic *enic,
+ struct vnic_wq *wq, struct sk_buff *skb)
+ {
+ unsigned int mss = skb_shinfo(skb)->gso_size;
+@@ -849,6 +849,7 @@ static inline void enic_queue_wq_skb(struct enic *enic,
+ wq->to_use = buf->next;
+ dev_kfree_skb(skb);
+ }
++ return err;
+ }
+
+ /* netif_tx_lock held, process context with BHs disabled, or BH */
+@@ -892,7 +893,8 @@ static netdev_tx_t enic_hard_start_xmit(struct sk_buff *skb,
+ return NETDEV_TX_BUSY;
+ }
+
+- enic_queue_wq_skb(enic, wq, skb);
++ if (enic_queue_wq_skb(enic, wq, skb))
++ goto error;
+
+ if (vnic_wq_desc_avail(wq) < MAX_SKB_FRAGS + ENIC_DESC_MAX_SPLITS)
+ netif_tx_stop_queue(txq);
+@@ -900,6 +902,7 @@ static netdev_tx_t enic_hard_start_xmit(struct sk_buff *skb,
+ if (!netdev_xmit_more() || netif_xmit_stopped(txq))
+ vnic_wq_doorbell(wq);
+
++error:
+ spin_unlock(&enic->wq_lock[txq_map]);
+
+ return NETDEV_TX_OK;
+--
+2.30.2
+
--- /dev/null
+From 523da41101a8ca2703cba67b70b5292fd722a7a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Apr 2021 15:15:40 -0500
+Subject: ethtool: ioctl: Fix out-of-bounds warning in
+ store_link_ksettings_for_user()
+
+From: Gustavo A. R. Silva <gustavoars@kernel.org>
+
+[ Upstream commit c1d9e34e11281a8ba1a1c54e4db554232a461488 ]
+
+Fix the following out-of-bounds warning:
+
+net/ethtool/ioctl.c:492:2: warning: 'memcpy' offset [49, 84] from the object at 'link_usettings' is out of the bounds of referenced subobject 'base' with type 'struct ethtool_link_settings' at offset 0 [-Warray-bounds]
+
+The problem is that the original code is trying to copy data into a
+some struct members adjacent to each other in a single call to
+memcpy(). This causes a legitimate compiler warning because memcpy()
+overruns the length of &link_usettings.base. Fix this by directly
+using &link_usettings and _from_ as destination and source addresses,
+instead.
+
+This helps with the ongoing efforts to globally enable -Warray-bounds
+and get us closer to being able to tighten the FORTIFY_SOURCE routines
+on memcpy().
+
+Link: https://github.com/KSPP/linux/issues/109
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/ethtool.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/core/ethtool.c b/net/core/ethtool.c
+index cd9bc67381b2..76506975d59a 100644
+--- a/net/core/ethtool.c
++++ b/net/core/ethtool.c
+@@ -589,7 +589,7 @@ store_link_ksettings_for_user(void __user *to,
+ {
+ struct ethtool_link_usettings link_usettings;
+
+- memcpy(&link_usettings.base, &from->base, sizeof(link_usettings));
++ memcpy(&link_usettings, from, sizeof(link_usettings));
+ bitmap_to_arr32(link_usettings.link_modes.supported,
+ from->link_modes.supported,
+ __ETHTOOL_LINK_MODE_MASK_NBITS);
+--
+2.30.2
+
--- /dev/null
+From 0731c8002d896ea62e96a7e1e275369ca218d7dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Mar 2021 09:21:18 +0000
+Subject: f2fs: fix a redundant call to f2fs_balance_fs if an error occurs
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 28e18ee636ba28532dbe425540af06245a0bbecb ]
+
+The uninitialized variable dn.node_changed does not get set when a
+call to f2fs_get_node_page fails. This uninitialized value gets used
+in the call to f2fs_balance_fs() that may or not may not balances
+dirty node and dentry pages depending on the uninitialized state of
+the variable. Fix this by only calling f2fs_balance_fs if err is
+not set.
+
+Thanks to Jaegeuk Kim for suggesting an appropriate fix.
+
+Addresses-Coverity: ("Uninitialized scalar variable")
+Fixes: 2a3407607028 ("f2fs: call f2fs_balance_fs only when node was changed")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/inline.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/inline.c b/fs/f2fs/inline.c
+index cbd17e4ff920..c6bd669f4b4e 100644
+--- a/fs/f2fs/inline.c
++++ b/fs/f2fs/inline.c
+@@ -216,7 +216,8 @@ out:
+
+ f2fs_put_page(page, 1);
+
+- f2fs_balance_fs(sbi, dn.node_changed);
++ if (!err)
++ f2fs_balance_fs(sbi, dn.node_changed);
+
+ return err;
+ }
+--
+2.30.2
+
--- /dev/null
+From a6327ddf8d500228e05c4ed2397b2f80978d897c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Apr 2021 14:31:51 -0500
+Subject: flow_dissector: Fix out-of-bounds warning in
+ __skb_flow_bpf_to_target()
+
+From: Gustavo A. R. Silva <gustavoars@kernel.org>
+
+[ Upstream commit 1e3d976dbb23b3fce544752b434bdc32ce64aabc ]
+
+Fix the following out-of-bounds warning:
+
+net/core/flow_dissector.c:835:3: warning: 'memcpy' offset [33, 48] from the object at 'flow_keys' is out of the bounds of referenced subobject 'ipv6_src' with type '__u32[4]' {aka 'unsigned int[4]'} at offset 16 [-Warray-bounds]
+
+The problem is that the original code is trying to copy data into a
+couple of struct members adjacent to each other in a single call to
+memcpy(). So, the compiler legitimately complains about it. As these
+are just a couple of members, fix this by copying each one of them in
+separate calls to memcpy().
+
+This helps with the ongoing efforts to globally enable -Warray-bounds
+and get us closer to being able to tighten the FORTIFY_SOURCE routines
+on memcpy().
+
+Link: https://github.com/KSPP/linux/issues/109
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/flow_dissector.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
+index da86c0e1b677..96957a7c732f 100644
+--- a/net/core/flow_dissector.c
++++ b/net/core/flow_dissector.c
+@@ -811,8 +811,10 @@ static void __skb_flow_bpf_to_target(const struct bpf_flow_keys *flow_keys,
+ key_addrs = skb_flow_dissector_target(flow_dissector,
+ FLOW_DISSECTOR_KEY_IPV6_ADDRS,
+ target_container);
+- memcpy(&key_addrs->v6addrs, &flow_keys->ipv6_src,
+- sizeof(key_addrs->v6addrs));
++ memcpy(&key_addrs->v6addrs.src, &flow_keys->ipv6_src,
++ sizeof(key_addrs->v6addrs.src));
++ memcpy(&key_addrs->v6addrs.dst, &flow_keys->ipv6_dst,
++ sizeof(key_addrs->v6addrs.dst));
+ key_control->addr_type = FLOW_DISSECTOR_KEY_IPV6_ADDRS;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 466b84d5605089449ef2fcdd405959ef92ff7868 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Mar 2021 17:05:08 -0500
+Subject: fs: dlm: fix debugfs dump
+
+From: Alexander Aring <aahringo@redhat.com>
+
+[ Upstream commit 92c48950b43f4a767388cf87709d8687151a641f ]
+
+This patch fixes the following message which randomly pops up during
+glocktop call:
+
+seq_file: buggy .next function table_seq_next did not update position index
+
+The issue is that seq_read_iter() in fs/seq_file.c also needs an
+increment of the index in an non next record case as well which this
+patch fixes otherwise seq_read_iter() will print out the above message.
+
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/dlm/debug_fs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/dlm/debug_fs.c b/fs/dlm/debug_fs.c
+index d6bbccb0ed15..d5bd990bcab8 100644
+--- a/fs/dlm/debug_fs.c
++++ b/fs/dlm/debug_fs.c
+@@ -542,6 +542,7 @@ static void *table_seq_next(struct seq_file *seq, void *iter_ptr, loff_t *pos)
+
+ if (bucket >= ls->ls_rsbtbl_size) {
+ kfree(ri);
++ ++*pos;
+ return NULL;
+ }
+ tree = toss ? &ls->ls_rsbtbl[bucket].toss : &ls->ls_rsbtbl[bucket].keep;
+--
+2.30.2
+
--- /dev/null
+From 2a420995d1143d7d5d96b76cee7d05e6a4454ef5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Mar 2021 19:19:20 +0000
+Subject: i2c: Add I2C_AQ_NO_REP_START adapter quirk
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Bence Csókás <bence98@sch.bme.hu>
+
+[ Upstream commit aca01415e076aa96cca0f801f4420ee5c10c660d ]
+
+This quirk signifies that the adapter cannot do a repeated
+START, it always issues a STOP condition after transfers.
+
+Suggested-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Bence Csókás <bence98@sch.bme.hu>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/i2c.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/linux/i2c.h b/include/linux/i2c.h
+index 1361637c369d..af2b799d7a66 100644
+--- a/include/linux/i2c.h
++++ b/include/linux/i2c.h
+@@ -677,6 +677,8 @@ struct i2c_adapter_quirks {
+ #define I2C_AQ_NO_ZERO_LEN_READ BIT(5)
+ #define I2C_AQ_NO_ZERO_LEN_WRITE BIT(6)
+ #define I2C_AQ_NO_ZERO_LEN (I2C_AQ_NO_ZERO_LEN_READ | I2C_AQ_NO_ZERO_LEN_WRITE)
++/* adapter cannot do repeated START */
++#define I2C_AQ_NO_REP_START BIT(7)
+
+ /*
+ * i2c_adapter is the structure used to identify a physical i2c bus along
+--
+2.30.2
+
--- /dev/null
+From 4062f635ee76a503ab7db0872173cd0b76464196 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Mar 2021 12:57:34 +0100
+Subject: i2c: bail out early when RDWR parameters are wrong
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit 71581562ee36032d2d574a9b23ad4af6d6a64cf7 ]
+
+The buggy parameters currently get caught later, but emit a noisy WARN.
+Userspace should not be able to trigger this, so add similar checks much
+earlier. Also avoids some unneeded code paths, of course. Apply kernel
+coding stlye to a comment while here.
+
+Reported-by: syzbot+ffb0b3ffa6cfbc7d7b3f@syzkaller.appspotmail.com
+Tested-by: syzbot+ffb0b3ffa6cfbc7d7b3f@syzkaller.appspotmail.com
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/i2c-dev.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
+index 94beacc41302..a3fec3df11b6 100644
+--- a/drivers/i2c/i2c-dev.c
++++ b/drivers/i2c/i2c-dev.c
+@@ -440,8 +440,13 @@ static long i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+ sizeof(rdwr_arg)))
+ return -EFAULT;
+
+- /* Put an arbitrary limit on the number of messages that can
+- * be sent at once */
++ if (!rdwr_arg.msgs || rdwr_arg.nmsgs == 0)
++ return -EINVAL;
++
++ /*
++ * Put an arbitrary limit on the number of messages that can
++ * be sent at once
++ */
+ if (rdwr_arg.nmsgs > I2C_RDWR_IOCTL_MAX_MSGS)
+ return -EINVAL;
+
+--
+2.30.2
+
--- /dev/null
+From e897565e7ce83328f4c5350409d4a13449a13efa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Apr 2021 14:43:07 +0000
+Subject: i40e: Fix PHY type identifiers for 2.5G and 5G adapters
+
+From: Mateusz Palczewski <mateusz.palczewski@intel.com>
+
+[ Upstream commit 15395ec4685bd45a43d1b54b8fd9846b87e2c621 ]
+
+Unlike other supported adapters, 2.5G and 5G use different
+PHY type identifiers for reading/writing PHY settings
+and for reading link status. This commit introduces
+separate PHY identifiers for these two operation types.
+
+Fixes: 2e45d3f4677a ("i40e: Add support for X710 B/P & SFP+ cards")
+Signed-off-by: Dawid Lukwinski <dawid.lukwinski@intel.com>
+Signed-off-by: Mateusz Palczewski <mateusz.palczewski@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Tested-by: Dave Switzer <david.switzer@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h | 6 ++++--
+ drivers/net/ethernet/intel/i40e/i40e_common.c | 4 ++--
+ drivers/net/ethernet/intel/i40e/i40e_ethtool.c | 4 ++--
+ drivers/net/ethernet/intel/i40e/i40e_type.h | 7 ++-----
+ 4 files changed, 10 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h b/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h
+index d7684ac2522e..57a8328e9b4f 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h
++++ b/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h
+@@ -1893,8 +1893,10 @@ enum i40e_aq_phy_type {
+ I40E_PHY_TYPE_25GBASE_LR = 0x22,
+ I40E_PHY_TYPE_25GBASE_AOC = 0x23,
+ I40E_PHY_TYPE_25GBASE_ACC = 0x24,
+- I40E_PHY_TYPE_2_5GBASE_T = 0x30,
+- I40E_PHY_TYPE_5GBASE_T = 0x31,
++ I40E_PHY_TYPE_2_5GBASE_T = 0x26,
++ I40E_PHY_TYPE_5GBASE_T = 0x27,
++ I40E_PHY_TYPE_2_5GBASE_T_LINK_STATUS = 0x30,
++ I40E_PHY_TYPE_5GBASE_T_LINK_STATUS = 0x31,
+ I40E_PHY_TYPE_MAX,
+ I40E_PHY_TYPE_NOT_SUPPORTED_HIGH_TEMP = 0xFD,
+ I40E_PHY_TYPE_EMPTY = 0xFE,
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_common.c b/drivers/net/ethernet/intel/i40e/i40e_common.c
+index 66f7deaf46ae..6475f78e85f6 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_common.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_common.c
+@@ -1156,8 +1156,8 @@ static enum i40e_media_type i40e_get_media_type(struct i40e_hw *hw)
+ break;
+ case I40E_PHY_TYPE_100BASE_TX:
+ case I40E_PHY_TYPE_1000BASE_T:
+- case I40E_PHY_TYPE_2_5GBASE_T:
+- case I40E_PHY_TYPE_5GBASE_T:
++ case I40E_PHY_TYPE_2_5GBASE_T_LINK_STATUS:
++ case I40E_PHY_TYPE_5GBASE_T_LINK_STATUS:
+ case I40E_PHY_TYPE_10GBASE_T:
+ media = I40E_MEDIA_TYPE_BASET;
+ break;
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
+index 502b4abc0aab..e4d0b7747e84 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
+@@ -839,8 +839,8 @@ static void i40e_get_settings_link_up(struct i40e_hw *hw,
+ 10000baseT_Full);
+ break;
+ case I40E_PHY_TYPE_10GBASE_T:
+- case I40E_PHY_TYPE_5GBASE_T:
+- case I40E_PHY_TYPE_2_5GBASE_T:
++ case I40E_PHY_TYPE_5GBASE_T_LINK_STATUS:
++ case I40E_PHY_TYPE_2_5GBASE_T_LINK_STATUS:
+ case I40E_PHY_TYPE_1000BASE_T:
+ case I40E_PHY_TYPE_100BASE_TX:
+ ethtool_link_ksettings_add_link_mode(ks, supported, Autoneg);
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_type.h b/drivers/net/ethernet/intel/i40e/i40e_type.h
+index b43ec94a0f29..666a251e8c72 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_type.h
++++ b/drivers/net/ethernet/intel/i40e/i40e_type.h
+@@ -253,11 +253,8 @@ struct i40e_phy_info {
+ #define I40E_CAP_PHY_TYPE_25GBASE_ACC BIT_ULL(I40E_PHY_TYPE_25GBASE_ACC + \
+ I40E_PHY_TYPE_OFFSET)
+ /* Offset for 2.5G/5G PHY Types value to bit number conversion */
+-#define I40E_PHY_TYPE_OFFSET2 (-10)
+-#define I40E_CAP_PHY_TYPE_2_5GBASE_T BIT_ULL(I40E_PHY_TYPE_2_5GBASE_T + \
+- I40E_PHY_TYPE_OFFSET2)
+-#define I40E_CAP_PHY_TYPE_5GBASE_T BIT_ULL(I40E_PHY_TYPE_5GBASE_T + \
+- I40E_PHY_TYPE_OFFSET2)
++#define I40E_CAP_PHY_TYPE_2_5GBASE_T BIT_ULL(I40E_PHY_TYPE_2_5GBASE_T)
++#define I40E_CAP_PHY_TYPE_5GBASE_T BIT_ULL(I40E_PHY_TYPE_5GBASE_T)
+ #define I40E_HW_CAP_MAX_GPIO 30
+ /* Capabilities of a PF or a VF or the whole device */
+ struct i40e_hw_capabilities {
+--
+2.30.2
+
--- /dev/null
+From f0f771e64d91368fdee36f4b5dacf1ef4a330b3c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Apr 2021 14:19:40 +0000
+Subject: i40e: fix the restart auto-negotiation after FEC modified
+
+From: Jaroslaw Gawin <jaroslawx.gawin@intel.com>
+
+[ Upstream commit 61343e6da7810de81d6b826698946ae4f9070819 ]
+
+When FEC mode was changed the link didn't know it because
+the link was not reset and new parameters were not negotiated.
+Set a flag 'I40E_AQ_PHY_ENABLE_ATOMIC_LINK' in 'abilities'
+to restart the link and make it run with the new settings.
+
+Fixes: 1d96340196f1 ("i40e: Add support FEC configuration for Fortville 25G")
+Signed-off-by: Jaroslaw Gawin <jaroslawx.gawin@intel.com>
+Signed-off-by: Mateusz Palczewski <mateusz.palczewski@intel.com>
+Tested-by: Dave Switzer <david.switzer@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_ethtool.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
+index b519e5af5ed9..502b4abc0aab 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
+@@ -1406,7 +1406,8 @@ static int i40e_set_fec_cfg(struct net_device *netdev, u8 fec_cfg)
+
+ memset(&config, 0, sizeof(config));
+ config.phy_type = abilities.phy_type;
+- config.abilities = abilities.abilities;
++ config.abilities = abilities.abilities |
++ I40E_AQ_PHY_ENABLE_ATOMIC_LINK;
+ config.phy_type_ext = abilities.phy_type_ext;
+ config.link_speed = abilities.link_speed;
+ config.eee_capability = abilities.eee_capability;
+--
+2.30.2
+
--- /dev/null
+From 0f7723f19304dc467b8833595f578566b7b95076 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Apr 2021 22:41:18 +0800
+Subject: i40e: Fix use-after-free in i40e_client_subtask()
+
+From: Yunjian Wang <wangyunjian@huawei.com>
+
+[ Upstream commit 38318f23a7ef86a8b1862e5e8078c4de121960c3 ]
+
+Currently the call to i40e_client_del_instance frees the object
+pf->cinst, however pf->cinst->lan_info is being accessed after
+the free. Fix this by adding the missing return.
+
+Addresses-Coverity: ("Read from pointer after free")
+Fixes: 7b0b1a6d0ac9 ("i40e: Disable iWARP VSI PETCP_ENA flag on netdev down events")
+Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_client.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_client.c b/drivers/net/ethernet/intel/i40e/i40e_client.c
+index e81530ca08d0..5706abb3c0ea 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_client.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_client.c
+@@ -377,6 +377,7 @@ void i40e_client_subtask(struct i40e_pf *pf)
+ clear_bit(__I40E_CLIENT_INSTANCE_OPENED,
+ &cdev->state);
+ i40e_client_del_instance(pf);
++ return;
+ }
+ }
+ }
+--
+2.30.2
+
--- /dev/null
+From 9239e421a3a8179eacd622754e7e7dde86465d97 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Apr 2021 22:53:48 -0700
+Subject: ia64: module: fix symbolizer crash on fdescr
+
+From: Sergei Trofimovich <slyfox@gentoo.org>
+
+[ Upstream commit 99e729bd40fb3272fa4b0140839d5e957b58588a ]
+
+Noticed failure as a crash on ia64 when tried to symbolize all backtraces
+collected by page_owner=on:
+
+ $ cat /sys/kernel/debug/page_owner
+ <oops>
+
+ CPU: 1 PID: 2074 Comm: cat Not tainted 5.12.0-rc4 #226
+ Hardware name: hp server rx3600, BIOS 04.03 04/08/2008
+ ip is at dereference_module_function_descriptor+0x41/0x100
+
+Crash happens at dereference_module_function_descriptor() due to
+use-after-free when dereferencing ".opd" section header.
+
+All section headers are already freed after module is laoded successfully.
+
+To keep symbolizer working the change stores ".opd" address and size after
+module is relocated to a new place and before section headers are
+discarded.
+
+To make similar errors less obscure module_finalize() now zeroes out all
+variables relevant to module loading only.
+
+Link: https://lkml.kernel.org/r/20210403074803.3309096-1-slyfox@gentoo.org
+Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/ia64/include/asm/module.h | 6 +++++-
+ arch/ia64/kernel/module.c | 29 +++++++++++++++++++++++++----
+ 2 files changed, 30 insertions(+), 5 deletions(-)
+
+diff --git a/arch/ia64/include/asm/module.h b/arch/ia64/include/asm/module.h
+index f319144260ce..9fbf32e6e881 100644
+--- a/arch/ia64/include/asm/module.h
++++ b/arch/ia64/include/asm/module.h
+@@ -14,16 +14,20 @@
+ struct elf64_shdr; /* forward declration */
+
+ struct mod_arch_specific {
++ /* Used only at module load time. */
+ struct elf64_shdr *core_plt; /* core PLT section */
+ struct elf64_shdr *init_plt; /* init PLT section */
+ struct elf64_shdr *got; /* global offset table */
+ struct elf64_shdr *opd; /* official procedure descriptors */
+ struct elf64_shdr *unwind; /* unwind-table section */
+ unsigned long gp; /* global-pointer for module */
++ unsigned int next_got_entry; /* index of next available got entry */
+
++ /* Used at module run and cleanup time. */
+ void *core_unw_table; /* core unwind-table cookie returned by unwinder */
+ void *init_unw_table; /* init unwind-table cookie returned by unwinder */
+- unsigned int next_got_entry; /* index of next available got entry */
++ void *opd_addr; /* symbolize uses .opd to get to actual function */
++ unsigned long opd_size;
+ };
+
+ #define MODULE_PROC_FAMILY "ia64"
+diff --git a/arch/ia64/kernel/module.c b/arch/ia64/kernel/module.c
+index 1a42ba885188..ee693c8cec49 100644
+--- a/arch/ia64/kernel/module.c
++++ b/arch/ia64/kernel/module.c
+@@ -905,9 +905,31 @@ register_unwind_table (struct module *mod)
+ int
+ module_finalize (const Elf_Ehdr *hdr, const Elf_Shdr *sechdrs, struct module *mod)
+ {
++ struct mod_arch_specific *mas = &mod->arch;
++
+ DEBUGP("%s: init: entry=%p\n", __func__, mod->init);
+- if (mod->arch.unwind)
++ if (mas->unwind)
+ register_unwind_table(mod);
++
++ /*
++ * ".opd" was already relocated to the final destination. Store
++ * it's address for use in symbolizer.
++ */
++ mas->opd_addr = (void *)mas->opd->sh_addr;
++ mas->opd_size = mas->opd->sh_size;
++
++ /*
++ * Module relocation was already done at this point. Section
++ * headers are about to be deleted. Wipe out load-time context.
++ */
++ mas->core_plt = NULL;
++ mas->init_plt = NULL;
++ mas->got = NULL;
++ mas->opd = NULL;
++ mas->unwind = NULL;
++ mas->gp = 0;
++ mas->next_got_entry = 0;
++
+ return 0;
+ }
+
+@@ -926,10 +948,9 @@ module_arch_cleanup (struct module *mod)
+
+ void *dereference_module_function_descriptor(struct module *mod, void *ptr)
+ {
+- Elf64_Shdr *opd = mod->arch.opd;
++ struct mod_arch_specific *mas = &mod->arch;
+
+- if (ptr < (void *)opd->sh_addr ||
+- ptr >= (void *)(opd->sh_addr + opd->sh_size))
++ if (ptr < mas->opd_addr || ptr >= mas->opd_addr + mas->opd_size)
+ return ptr;
+
+ return dereference_function_descriptor(ptr);
+--
+2.30.2
+
--- /dev/null
+From e5b68342b224c05ee01b07d847ab528d8d0acccb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Mar 2021 15:41:42 +0100
+Subject: iavf: remove duplicate free resources calls
+
+From: Stefan Assmann <sassmann@kpanic.de>
+
+[ Upstream commit 1a0e880b028f97478dc689e2900b312741d0d772 ]
+
+Both iavf_free_all_tx_resources() and iavf_free_all_rx_resources() have
+already been called in the very same function.
+Remove the duplicate calls.
+
+Signed-off-by: Stefan Assmann <sassmann@kpanic.de>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index cffc8c1044f2..a97e1f9ca1ed 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -3906,8 +3906,6 @@ static void iavf_remove(struct pci_dev *pdev)
+
+ iounmap(hw->hw_addr);
+ pci_release_regions(pdev);
+- iavf_free_all_tx_resources(adapter);
+- iavf_free_all_rx_resources(adapter);
+ iavf_free_queues(adapter);
+ kfree(adapter->vf_res);
+ spin_lock_bh(&adapter->mac_vlan_list_lock);
+--
+2.30.2
+
--- /dev/null
+From 47d00c8e3e813ecc6a93f1d88975b2078e56fdfe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Apr 2021 03:58:48 -0500
+Subject: iommu/amd: Remove performance counter pre-initialization test
+
+From: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+
+[ Upstream commit 994d6608efe4a4c8834bdc5014c86f4bc6aceea6 ]
+
+In early AMD desktop/mobile platforms (during 2013), when the IOMMU
+Performance Counter (PMC) support was first introduced in
+commit 30861ddc9cca ("perf/x86/amd: Add IOMMU Performance Counter
+resource management"), there was a HW bug where the counters could not
+be accessed. The result was reading of the counter always return zero.
+
+At the time, the suggested workaround was to add a test logic prior
+to initializing the PMC feature to check if the counters can be programmed
+and read back the same value. This has been working fine until the more
+recent desktop/mobile platforms start enabling power gating for the PMC,
+which prevents access to the counters. This results in the PMC support
+being disabled unnecesarily.
+
+Unfortunatly, there is no documentation of since which generation
+of hardware the original PMC HW bug was fixed. Although, it was fixed
+soon after the first introduction of the PMC. Base on this, we assume
+that the buggy platforms are less likely to be in used, and it should
+be relatively safe to remove this legacy logic.
+
+Link: https://lore.kernel.org/linux-iommu/alpine.LNX.3.20.13.2006030935570.3181@monopod.intra.ispras.ru/
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=201753
+Cc: Tj (Elloe Linux) <ml.linux@elloe.vision>
+Cc: Shuah Khan <skhan@linuxfoundation.org>
+Cc: Alexander Monakov <amonakov@ispras.ru>
+Cc: David Coe <david.coe@live.co.uk>
+Cc: Paul Menzel <pmenzel@molgen.mpg.de>
+Signed-off-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+Tested-by: Shuah Khan <skhan@linuxfoundation.org>
+Link: https://lore.kernel.org/r/20210409085848.3908-3-suravee.suthikulpanit@amd.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/amd_iommu_init.c | 24 +-----------------------
+ 1 file changed, 1 insertion(+), 23 deletions(-)
+
+diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c
+index 31d7e2d4f304..692401e941a7 100644
+--- a/drivers/iommu/amd_iommu_init.c
++++ b/drivers/iommu/amd_iommu_init.c
+@@ -1672,33 +1672,16 @@ static int __init init_iommu_all(struct acpi_table_header *table)
+ return 0;
+ }
+
+-static int iommu_pc_get_set_reg(struct amd_iommu *iommu, u8 bank, u8 cntr,
+- u8 fxn, u64 *value, bool is_write);
+-
+ static void init_iommu_perf_ctr(struct amd_iommu *iommu)
+ {
++ u64 val;
+ struct pci_dev *pdev = iommu->dev;
+- u64 val = 0xabcd, val2 = 0, save_reg = 0;
+
+ if (!iommu_feature(iommu, FEATURE_PC))
+ return;
+
+ amd_iommu_pc_present = true;
+
+- /* save the value to restore, if writable */
+- if (iommu_pc_get_set_reg(iommu, 0, 0, 0, &save_reg, false))
+- goto pc_false;
+-
+- /* Check if the performance counters can be written to */
+- if ((iommu_pc_get_set_reg(iommu, 0, 0, 0, &val, true)) ||
+- (iommu_pc_get_set_reg(iommu, 0, 0, 0, &val2, false)) ||
+- (val != val2))
+- goto pc_false;
+-
+- /* restore */
+- if (iommu_pc_get_set_reg(iommu, 0, 0, 0, &save_reg, true))
+- goto pc_false;
+-
+ pci_info(pdev, "IOMMU performance counters supported\n");
+
+ val = readl(iommu->mmio_base + MMIO_CNTR_CONF_OFFSET);
+@@ -1706,11 +1689,6 @@ static void init_iommu_perf_ctr(struct amd_iommu *iommu)
+ iommu->max_counters = (u8) ((val >> 7) & 0xf);
+
+ return;
+-
+-pc_false:
+- pci_err(pdev, "Unable to read/write to IOMMU perf counter.\n");
+- amd_iommu_pc_present = false;
+- return;
+ }
+
+ static ssize_t amd_iommu_show_cap(struct device *dev,
+--
+2.30.2
+
--- /dev/null
+From 47af251fe18d41bf25afd7d88f66be76929921f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Mar 2021 12:12:54 -0700
+Subject: ip6_vti: proper dev_{hold|put} in ndo_[un]init methods
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 40cb881b5aaa0b69a7d93dec8440d5c62dae299f ]
+
+After adopting CONFIG_PCPU_DEV_REFCNT=n option, syzbot was able to trigger
+a warning [1]
+
+Issue here is that:
+
+- all dev_put() should be paired with a corresponding prior dev_hold().
+
+- A driver doing a dev_put() in its ndo_uninit() MUST also
+ do a dev_hold() in its ndo_init(), only when ndo_init()
+ is returning 0.
+
+Otherwise, register_netdevice() would call ndo_uninit()
+in its error path and release a refcount too soon.
+
+Therefore, we need to move dev_hold() call from
+vti6_tnl_create2() to vti6_dev_init_gen()
+
+[1]
+WARNING: CPU: 0 PID: 15951 at lib/refcount.c:31 refcount_warn_saturate+0xbf/0x1e0 lib/refcount.c:31
+Modules linked in:
+CPU: 0 PID: 15951 Comm: syz-executor.3 Not tainted 5.12.0-rc4-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:refcount_warn_saturate+0xbf/0x1e0 lib/refcount.c:31
+Code: 1d 6a 5a e8 09 31 ff 89 de e8 8d 1a ab fd 84 db 75 e0 e8 d4 13 ab fd 48 c7 c7 a0 e1 c1 89 c6 05 4a 5a e8 09 01 e8 2e 36 fb 04 <0f> 0b eb c4 e8 b8 13 ab fd 0f b6 1d 39 5a e8 09 31 ff 89 de e8 58
+RSP: 0018:ffffc90001eaef28 EFLAGS: 00010282
+RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
+RDX: 0000000000040000 RSI: ffffffff815c51f5 RDI: fffff520003d5dd7
+RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000
+R10: ffffffff815bdf8e R11: 0000000000000000 R12: ffff88801bb1c568
+R13: ffff88801f69e800 R14: 00000000ffffffff R15: ffff888050889d40
+FS: 00007fc79314e700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f1c1ff47108 CR3: 0000000020fd5000 CR4: 00000000001506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ __refcount_dec include/linux/refcount.h:344 [inline]
+ refcount_dec include/linux/refcount.h:359 [inline]
+ dev_put include/linux/netdevice.h:4135 [inline]
+ vti6_dev_uninit+0x31a/0x360 net/ipv6/ip6_vti.c:297
+ register_netdevice+0xadf/0x1500 net/core/dev.c:10308
+ vti6_tnl_create2+0x1b5/0x400 net/ipv6/ip6_vti.c:190
+ vti6_newlink+0x9d/0xd0 net/ipv6/ip6_vti.c:1020
+ __rtnl_newlink+0x1062/0x1710 net/core/rtnetlink.c:3443
+ rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3491
+ rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5553
+ netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502
+ netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
+ netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
+ netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
+ sock_sendmsg_nosec net/socket.c:654 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:674
+ ____sys_sendmsg+0x331/0x810 net/socket.c:2350
+ ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
+ __sys_sendmmsg+0x195/0x470 net/socket.c:2490
+ __do_sys_sendmmsg net/socket.c:2519 [inline]
+ __se_sys_sendmmsg net/socket.c:2516 [inline]
+ __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2516
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ip6_vti.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
+index cc6180e08a4f..01ddb0f70c57 100644
+--- a/net/ipv6/ip6_vti.c
++++ b/net/ipv6/ip6_vti.c
+@@ -192,7 +192,6 @@ static int vti6_tnl_create2(struct net_device *dev)
+
+ strcpy(t->parms.name, dev->name);
+
+- dev_hold(dev);
+ vti6_tnl_link(ip6n, t);
+
+ return 0;
+@@ -921,6 +920,7 @@ static inline int vti6_dev_init_gen(struct net_device *dev)
+ dev->tstats = netdev_alloc_pcpu_stats(struct pcpu_sw_netstats);
+ if (!dev->tstats)
+ return -ENOMEM;
++ dev_hold(dev);
+ return 0;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From afddb4e00db22da9406f659789f4868a6e5a58b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Apr 2021 09:28:03 +0200
+Subject: kconfig: nconf: stop endless search loops
+
+From: Mihai Moldovan <ionic@ionic.de>
+
+[ Upstream commit 8c94b430b9f6213dec84e309bb480a71778c4213 ]
+
+If the user selects the very first entry in a page and performs a
+search-up operation, or selects the very last entry in a page and
+performs a search-down operation that will not succeed (e.g., via
+[/]asdfzzz[Up Arrow]), nconf will never terminate searching the page.
+
+The reason is that in this case, the starting point will be set to -1
+or n, which is then translated into (n - 1) (i.e., the last entry of
+the page) or 0 (i.e., the first entry of the page) and finally the
+search begins. This continues to work fine until the index reaches 0 or
+(n - 1), at which point it will be decremented to -1 or incremented to
+n, but not checked against the starting point right away. Instead, it's
+wrapped around to the bottom or top again, after which the starting
+point check occurs... and naturally fails.
+
+My original implementation added another check for -1 before wrapping
+the running index variable around, but Masahiro Yamada pointed out that
+the actual issue is that the comparison point (starting point) exceeds
+bounds (i.e., the [0,n-1] interval) in the first place and that,
+instead, the starting point should be fixed.
+
+This has the welcome side-effect of also fixing the case where the
+starting point was n while searching down, which also lead to an
+infinite loop.
+
+OTOH, this code is now essentially all his work.
+
+Amazingly, nobody seems to have been hit by this for 11 years - or at
+the very least nobody bothered to debug and fix this.
+
+Signed-off-by: Mihai Moldovan <ionic@ionic.de>
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/kconfig/nconf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/kconfig/nconf.c b/scripts/kconfig/nconf.c
+index b7c1ef757178..331b2cc917ec 100644
+--- a/scripts/kconfig/nconf.c
++++ b/scripts/kconfig/nconf.c
+@@ -503,8 +503,8 @@ static int get_mext_match(const char *match_str, match_f flag)
+ else if (flag == FIND_NEXT_MATCH_UP)
+ --match_start;
+
++ match_start = (match_start + items_num) % items_num;
+ index = match_start;
+- index = (index + items_num) % items_num;
+ while (true) {
+ char *str = k_menu_items[index].str;
+ if (strcasestr(str, match_str) != NULL)
+--
+2.30.2
+
--- /dev/null
+From b8bc0ff81cd0b99675183b3e84142f1bdc8c36f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 May 2021 18:04:38 -0700
+Subject: kernel: kexec_file: fix error return code of
+ kexec_calculate_store_digests()
+
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+
+[ Upstream commit 31d82c2c787d5cf65fedd35ebbc0c1bd95c1a679 ]
+
+When vzalloc() returns NULL to sha_regions, no error return code of
+kexec_calculate_store_digests() is assigned. To fix this bug, ret is
+assigned with -ENOMEM in this case.
+
+Link: https://lkml.kernel.org/r/20210309083904.24321-1-baijiaju1990@gmail.com
+Fixes: a43cac0d9dc2 ("kexec: split kexec_file syscall code to kexec_file.c")
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
+Acked-by: Baoquan He <bhe@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/kexec_file.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
+index 4e74db89bd23..b17998fa03f1 100644
+--- a/kernel/kexec_file.c
++++ b/kernel/kexec_file.c
+@@ -740,8 +740,10 @@ static int kexec_calculate_store_digests(struct kimage *image)
+
+ sha_region_sz = KEXEC_SEGMENT_MAX * sizeof(struct kexec_sha_region);
+ sha_regions = vzalloc(sha_region_sz);
+- if (!sha_regions)
++ if (!sha_regions) {
++ ret = -ENOMEM;
+ goto out_free_desc;
++ }
+
+ desc->tfm = tfm;
+
+--
+2.30.2
+
--- /dev/null
+From 5fe5b7d9b8c1b40c30593cbfe396d8f09f407158 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 May 2021 18:33:46 -0700
+Subject: khugepaged: fix wrong result value for
+ trace_mm_collapse_huge_page_isolate()
+
+From: Miaohe Lin <linmiaohe@huawei.com>
+
+[ Upstream commit 74e579bf231a337ab3786d59e64bc94f45ca7b3f ]
+
+In writable and !referenced case, the result value should be
+SCAN_LACK_REFERENCED_PAGE for trace_mm_collapse_huge_page_isolate()
+instead of default 0 (SCAN_FAIL) here.
+
+Link: https://lkml.kernel.org/r/20210306032947.35921-5-linmiaohe@huawei.com
+Fixes: 7d2eba0557c1 ("mm: add tracepoint for scanning pages")
+Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
+Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Ebru Akagunduz <ebru.akagunduz@gmail.com>
+Cc: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: Rik van Riel <riel@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/khugepaged.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/mm/khugepaged.c b/mm/khugepaged.c
+index f0d7e6483ba3..3c2326568193 100644
+--- a/mm/khugepaged.c
++++ b/mm/khugepaged.c
+@@ -628,17 +628,17 @@ static int __collapse_huge_page_isolate(struct vm_area_struct *vma,
+ mmu_notifier_test_young(vma->vm_mm, address))
+ referenced++;
+ }
+- if (likely(writable)) {
+- if (likely(referenced)) {
+- result = SCAN_SUCCEED;
+- trace_mm_collapse_huge_page_isolate(page, none_or_zero,
+- referenced, writable, result);
+- return 1;
+- }
+- } else {
++
++ if (unlikely(!writable)) {
+ result = SCAN_PAGE_RO;
++ } else if (unlikely(!referenced)) {
++ result = SCAN_LACK_REFERENCED_PAGE;
++ } else {
++ result = SCAN_SUCCEED;
++ trace_mm_collapse_huge_page_isolate(page, none_or_zero,
++ referenced, writable, result);
++ return 1;
+ }
+-
+ out:
+ release_pte_pages(pte, _pte);
+ trace_mm_collapse_huge_page_isolate(page, none_or_zero,
+--
+2.30.2
+
--- /dev/null
+From e28c898151d9147e12ea13ba3b75d0eec90d9182 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 May 2021 18:37:45 -0700
+Subject: ksm: fix potential missing rmap_item for stable_node
+
+From: Miaohe Lin <linmiaohe@huawei.com>
+
+[ Upstream commit c89a384e2551c692a9fe60d093fd7080f50afc51 ]
+
+When removing rmap_item from stable tree, STABLE_FLAG of rmap_item is
+cleared with head reserved. So the following scenario might happen: For
+ksm page with rmap_item1:
+
+cmp_and_merge_page
+ stable_node->head = &migrate_nodes;
+ remove_rmap_item_from_tree, but head still equal to stable_node;
+ try_to_merge_with_ksm_page failed;
+ return;
+
+For the same ksm page with rmap_item2, stable node migration succeed this
+time. The stable_node->head does not equal to migrate_nodes now. For ksm
+page with rmap_item1 again:
+
+cmp_and_merge_page
+ stable_node->head != &migrate_nodes && rmap_item->head == stable_node
+ return;
+
+We would miss the rmap_item for stable_node and might result in failed
+rmap_walk_ksm(). Fix this by set rmap_item->head to NULL when rmap_item
+is removed from stable tree.
+
+Link: https://lkml.kernel.org/r/20210330140228.45635-5-linmiaohe@huawei.com
+Fixes: 4146d2d673e8 ("ksm: make !merge_across_nodes migration safe")
+Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
+Cc: Hugh Dickins <hughd@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/ksm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/mm/ksm.c b/mm/ksm.c
+index e486c54d921b..0bbae78aaaa0 100644
+--- a/mm/ksm.c
++++ b/mm/ksm.c
+@@ -793,6 +793,7 @@ static void remove_rmap_item_from_tree(struct rmap_item *rmap_item)
+ stable_node->rmap_hlist_len--;
+
+ put_anon_vma(rmap_item->anon_vma);
++ rmap_item->head = NULL;
+ rmap_item->address &= PAGE_MASK;
+
+ } else if (rmap_item->address & UNSTABLE_FLAG) {
+--
+2.30.2
+
--- /dev/null
+From f616e94ae8570b9c5287fd88db696ccf670a073c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Apr 2021 14:31:25 +0200
+Subject: mac80211: clear the beacon's CRC after channel switch
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+[ Upstream commit d6843d1ee283137723b4a8c76244607ce6db1951 ]
+
+After channel switch, we should consider any beacon with a
+CSA IE as a new switch. If the CSA IE is a leftover from
+before the switch that the AP forgot to remove, we'll get
+a CSA-to-Self.
+
+This caused issues in iwlwifi where the firmware saw a beacon
+with a CSA-to-Self with mode = 1 on the new channel after a
+switch. The firmware considered this a new switch and closed
+its queues. Since the beacon didn't change between before and
+after the switch, we wouldn't handle it (the CRC is the same)
+and we wouldn't let the firmware open its queues again or
+disconnect if the CSA IE stays for too long.
+
+Clear the CRC valid state after we switch to make sure that
+we handle the beacon and handle the CSA IE as required.
+
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Link: https://lore.kernel.org/r/20210408143124.b9e68aa98304.I465afb55ca2c7d59f7bf610c6046a1fd732b4c28@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mlme.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
+index 17a3a1c938be..44fd922cc32a 100644
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -1215,6 +1215,11 @@ static void ieee80211_chswitch_post_beacon(struct ieee80211_sub_if_data *sdata)
+
+ sdata->vif.csa_active = false;
+ ifmgd->csa_waiting_bcn = false;
++ /*
++ * If the CSA IE is still present on the beacon after the switch,
++ * we need to consider it as a new CSA (possibly to self).
++ */
++ ifmgd->beacon_crc_valid = false;
+
+ ret = drv_post_channel_switch(sdata);
+ if (ret) {
+--
+2.30.2
+
--- /dev/null
+From 796a0bac0c65e8f772bb8433b9f819ba8ba70454 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 May 2021 18:34:38 -0700
+Subject: mm/hugeltb: handle the error case in hugetlb_fix_reserve_counts()
+
+From: Miaohe Lin <linmiaohe@huawei.com>
+
+[ Upstream commit da56388c4397878a65b74f7fe97760f5aa7d316b ]
+
+A rare out of memory error would prevent removal of the reserve map region
+for a page. hugetlb_fix_reserve_counts() handles this rare case to avoid
+dangling with incorrect counts. Unfortunately, hugepage_subpool_get_pages
+and hugetlb_acct_memory could possibly fail too. We should correctly
+handle these cases.
+
+Link: https://lkml.kernel.org/r/20210410072348.20437-5-linmiaohe@huawei.com
+Fixes: b5cec28d36f5 ("hugetlbfs: truncate_hugepages() takes a range of pages")
+Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
+Cc: Feilong Lin <linfeilong@huawei.com>
+Cc: Mike Kravetz <mike.kravetz@oracle.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/hugetlb.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/mm/hugetlb.c b/mm/hugetlb.c
+index 5253c67acb1d..3b08e34a775d 100644
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -591,13 +591,20 @@ void hugetlb_fix_reserve_counts(struct inode *inode)
+ {
+ struct hugepage_subpool *spool = subpool_inode(inode);
+ long rsv_adjust;
++ bool reserved = false;
+
+ rsv_adjust = hugepage_subpool_get_pages(spool, 1);
+- if (rsv_adjust) {
++ if (rsv_adjust > 0) {
+ struct hstate *h = hstate_inode(inode);
+
+- hugetlb_acct_memory(h, 1);
++ if (!hugetlb_acct_memory(h, 1))
++ reserved = true;
++ } else if (!rsv_adjust) {
++ reserved = true;
+ }
++
++ if (!reserved)
++ pr_warn("hugetlb: Huge Page Reserved count may go negative.\n");
+ }
+
+ /*
+--
+2.30.2
+
--- /dev/null
+From fd077acbad2a7c26bf5f2ea00b5b977085501b01 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 May 2021 18:37:10 -0700
+Subject: mm/migrate.c: fix potential indeterminate pte entry in
+ migrate_vma_insert_page()
+
+From: Miaohe Lin <linmiaohe@huawei.com>
+
+[ Upstream commit 34f5e9b9d1990d286199084efa752530ee3d8297 ]
+
+If the zone device page does not belong to un-addressable device memory,
+the variable entry will be uninitialized and lead to indeterminate pte
+entry ultimately. Fix this unexpected case and warn about it.
+
+Link: https://lkml.kernel.org/r/20210325131524.48181-4-linmiaohe@huawei.com
+Fixes: df6ad69838fc ("mm/device-public-memory: device memory cache coherent with CPU")
+Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Cc: Alistair Popple <apopple@nvidia.com>
+Cc: Jerome Glisse <jglisse@redhat.com>
+Cc: Rafael Aquini <aquini@redhat.com>
+Cc: Yang Shi <shy828301@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/migrate.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/mm/migrate.c b/mm/migrate.c
+index c4c313e47f12..00bbe57c1ce2 100644
+--- a/mm/migrate.c
++++ b/mm/migrate.c
+@@ -2771,6 +2771,13 @@ static void migrate_vma_insert_page(struct migrate_vma *migrate,
+
+ swp_entry = make_device_private_entry(page, vma->vm_flags & VM_WRITE);
+ entry = swp_entry_to_pte(swp_entry);
++ } else {
++ /*
++ * For now we only support migrating to un-addressable
++ * device memory.
++ */
++ pr_warn_once("Unsupported ZONE_DEVICE page type.\n");
++ goto abort;
+ }
+ } else {
+ entry = mk_pte(page, vma->vm_page_prot);
+--
+2.30.2
+
--- /dev/null
+From 7420989f460b1ec186013270dbad1be17a8d5533 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 7 Feb 2021 16:09:17 +0100
+Subject: mt76: mt76x0: disable GTK offloading
+
+From: David Bauer <mail@david-bauer.net>
+
+[ Upstream commit 4b36cc6b390f18dbc59a45fb4141f90d7dfe2b23 ]
+
+When operating two VAP on a MT7610 with encryption (PSK2, SAE, OWE),
+only the first one to be created will transmit properly encrypteded
+frames.
+
+All subsequently created VAPs will sent out frames with the payload left
+unencrypted, breaking multicast traffic (ICMP6 NDP) and potentially
+disclosing information to a third party.
+
+Disable GTK offloading and encrypt these frames in software to
+circumvent this issue. THis only seems to be necessary on MT7610 chips,
+as MT7612 is not affected from our testing.
+
+Signed-off-by: David Bauer <mail@david-bauer.net>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt76x02_util.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt76x02_util.c b/drivers/net/wireless/mediatek/mt76/mt76x02_util.c
+index de0d6f21c621..075871f52bad 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt76x02_util.c
++++ b/drivers/net/wireless/mediatek/mt76/mt76x02_util.c
+@@ -450,6 +450,10 @@ int mt76x02_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
+ !(key->flags & IEEE80211_KEY_FLAG_PAIRWISE))
+ return -EOPNOTSUPP;
+
++ /* MT76x0 GTK offloading does not work with more than one VIF */
++ if (is_mt76x0(dev) && !(key->flags & IEEE80211_KEY_FLAG_PAIRWISE))
++ return -EOPNOTSUPP;
++
+ msta = sta ? (struct mt76x02_sta *)sta->drv_priv : NULL;
+ wcid = msta ? &msta->wcid : &mvif->group_wcid;
+
+--
+2.30.2
+
--- /dev/null
+From 5b52e4dcb98bed52995375e164663d6daa8fa0d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Mar 2021 17:45:27 +0200
+Subject: net: bridge: when suppression is enabled exclude RARP packets
+
+From: Nikolay Aleksandrov <nikolay@nvidia.com>
+
+[ Upstream commit 0353b4a96b7a9f60fe20d1b3ebd4931a4085f91c ]
+
+Recently we had an interop issue where RARP packets got suppressed with
+bridge neigh suppression enabled, but the check in the code was meant to
+suppress GARP. Exclude RARP packets from it which would allow some VMWare
+setups to work, to quote the report:
+"Those RARP packets usually get generated by vMware to notify physical
+switches when vMotion occurs. vMware may use random sip/tip or just use
+sip=tip=0. So the RARP packet sometimes get properly flooded by the vtep
+and other times get dropped by the logic"
+
+Reported-by: Amer Abdalamer <amer@nvidia.com>
+Signed-off-by: Nikolay Aleksandrov <nikolay@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_arp_nd_proxy.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/bridge/br_arp_nd_proxy.c b/net/bridge/br_arp_nd_proxy.c
+index b18cdf03edb3..c4e0f4777df5 100644
+--- a/net/bridge/br_arp_nd_proxy.c
++++ b/net/bridge/br_arp_nd_proxy.c
+@@ -155,7 +155,9 @@ void br_do_proxy_suppress_arp(struct sk_buff *skb, struct net_bridge *br,
+ if (br_opt_get(br, BROPT_NEIGH_SUPPRESS_ENABLED)) {
+ if (p && (p->flags & BR_NEIGH_SUPPRESS))
+ return;
+- if (ipv4_is_zeronet(sip) || sip == tip) {
++ if (parp->ar_op != htons(ARPOP_RREQUEST) &&
++ parp->ar_op != htons(ARPOP_RREPLY) &&
++ (ipv4_is_zeronet(sip) || sip == tip)) {
+ /* prevent flooding to neigh suppress ports */
+ BR_INPUT_SKB_CB(skb)->proxyarp_replied = 1;
+ return;
+--
+2.30.2
+
--- /dev/null
+From 8df4156e8c3f9da29919e34db2de7dfc9c7b9eb1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Apr 2021 22:20:54 -0700
+Subject: net: ethernet: mtk_eth_soc: fix RX VLAN offload
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit 3f57d8c40fea9b20543cab4da12f4680d2ef182c ]
+
+The VLAN ID in the rx descriptor is only valid if the RX_DMA_VTAG bit is
+set. Fixes frames wrongly marked with VLAN tags.
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+[Ilya: fix commit message]
+Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mediatek/mtk_eth_soc.c | 2 +-
+ drivers/net/ethernet/mediatek/mtk_eth_soc.h | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+index d01b3a1b40f4..7e3806fd70b2 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+@@ -1315,7 +1315,7 @@ static int mtk_poll_rx(struct napi_struct *napi, int budget,
+ skb->protocol = eth_type_trans(skb, netdev);
+
+ if (netdev->features & NETIF_F_HW_VLAN_CTAG_RX &&
+- RX_DMA_VID(trxd.rxd3))
++ (trxd.rxd2 & RX_DMA_VTAG))
+ __vlan_hwaccel_put_tag(skb, htons(ETH_P_8021Q),
+ RX_DMA_VID(trxd.rxd3));
+ skb_record_rx_queue(skb, 0);
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.h b/drivers/net/ethernet/mediatek/mtk_eth_soc.h
+index 1e787f3577aa..1e9202b34d35 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.h
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.h
+@@ -293,6 +293,7 @@
+ #define RX_DMA_LSO BIT(30)
+ #define RX_DMA_PLEN0(_x) (((_x) & 0x3fff) << 16)
+ #define RX_DMA_GET_PLEN0(_x) (((_x) >> 16) & 0x3fff)
++#define RX_DMA_VTAG BIT(15)
+
+ /* QDMA descriptor rxd3 */
+ #define RX_DMA_VID(_x) ((_x) & 0xfff)
+--
+2.30.2
+
--- /dev/null
+From 5d771e011662e189efaae5b992c2535a7e90f873 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 May 2021 09:58:31 -0700
+Subject: net: fix nla_strcmp to handle more then one trailing null character
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Żenczykowski <maze@google.com>
+
+[ Upstream commit 2c16db6c92b0ee4aa61e88366df82169e83c3f7e ]
+
+Android userspace has been using TCA_KIND with a char[IFNAMESIZ]
+many-null-terminated buffer containing the string 'bpf'.
+
+This works on 4.19 and ceases to work on 5.10.
+
+I'm not entirely sure what fixes tag to use, but I think the issue
+was likely introduced in the below mentioned 5.4 commit.
+
+Reported-by: Nucca Chen <nuccachen@google.com>
+Cc: Cong Wang <xiyou.wangcong@gmail.com>
+Cc: David Ahern <dsahern@gmail.com>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Jakub Kicinski <jakub.kicinski@netronome.com>
+Cc: Jamal Hadi Salim <jhs@mojatatu.com>
+Cc: Jiri Pirko <jiri@mellanox.com>
+Cc: Jiri Pirko <jiri@resnulli.us>
+Fixes: 62794fc4fbf5 ("net_sched: add max len check for TCA_KIND")
+Change-Id: I66dc281f165a2858fc29a44869a270a2d698a82b
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/nlattr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/nlattr.c b/lib/nlattr.c
+index cace9b307781..0d84f79cb4b5 100644
+--- a/lib/nlattr.c
++++ b/lib/nlattr.c
+@@ -609,7 +609,7 @@ int nla_strcmp(const struct nlattr *nla, const char *str)
+ int attrlen = nla_len(nla);
+ int d;
+
+- if (attrlen > 0 && buf[attrlen - 1] == '\0')
++ while (attrlen > 0 && buf[attrlen - 1] == '\0')
+ attrlen--;
+
+ d = attrlen - len;
+--
+2.30.2
+
--- /dev/null
+From a9058614bc76ea428711b937e9643582d37310cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Apr 2021 16:34:52 +0800
+Subject: net: hns3: add check for HNS3_NIC_STATE_INITED in
+ hns3_reset_notify_up_enet()
+
+From: Jian Shen <shenjian15@huawei.com>
+
+[ Upstream commit b4047aac4ec1066bab6c71950623746d7bcf7154 ]
+
+In some cases, the device is not initialized because reset failed.
+If another task calls hns3_reset_notify_up_enet() before reset
+retry, it will cause an error since uninitialized pointer access.
+So add check for HNS3_NIC_STATE_INITED before calling
+hns3_nic_net_open() in hns3_reset_notify_up_enet().
+
+Fixes: bb6b94a896d4 ("net: hns3: Add reset interface implementation in client")
+Signed-off-by: Jian Shen <shenjian15@huawei.com>
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+index 696f21543aa7..6b43cbf4f909 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+@@ -4280,6 +4280,11 @@ static int hns3_reset_notify_up_enet(struct hnae3_handle *handle)
+ struct hns3_nic_priv *priv = netdev_priv(kinfo->netdev);
+ int ret = 0;
+
++ if (!test_bit(HNS3_NIC_STATE_INITED, &priv->state)) {
++ netdev_err(kinfo->netdev, "device is not initialized yet\n");
++ return -EFAULT;
++ }
++
+ clear_bit(HNS3_NIC_STATE_RESETTING, &priv->state);
+
+ if (netif_running(kinfo->netdev)) {
+--
+2.30.2
+
--- /dev/null
+From 99c80d9ef740a05897da79d58938c639ddb1fe61 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Apr 2021 17:06:22 +0800
+Subject: net: hns3: disable phy loopback setting in hclge_mac_start_phy
+
+From: Yufeng Mo <moyufeng@huawei.com>
+
+[ Upstream commit 472497d0bdae890a896013332a0b673f9acdf2bf ]
+
+If selftest and reset are performed at the same time, the phy
+loopback setting may be still in enable state after the reset,
+and device cannot link up. So fix this issue by disabling phy
+loopback before phy_start().
+
+Fixes: 256727da7395 ("net: hns3: Add MDIO support to HNS3 Ethernet driver for hip08 SoC")
+Signed-off-by: Yufeng Mo <moyufeng@huawei.com>
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
+index dc4dfd4602ab..c8f979c55fec 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
+@@ -255,6 +255,8 @@ void hclge_mac_start_phy(struct hclge_dev *hdev)
+ if (!phydev)
+ return;
+
++ phy_loopback(phydev, false);
++
+ phy_start(phydev);
+ }
+
+--
+2.30.2
+
--- /dev/null
+From af1088e43dfadd1cfc71e696a136024ff72f906d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Apr 2021 17:06:19 +0800
+Subject: net: hns3: fix for vxlan gpe tx checksum bug
+
+From: Hao Chen <chenhao288@hisilicon.com>
+
+[ Upstream commit 905416f18fe74bdd4de91bf94ef5a790a36e4b99 ]
+
+When skb->ip_summed is CHECKSUM_PARTIAL, for non-tunnel udp packet,
+which has a dest port as the IANA assigned, the hardware is expected
+to do the checksum offload, but the hardware whose version is below
+V3 will not do the checksum offload when udp dest port is 4790.
+
+So fixes it by doing the checksum in software for this case.
+
+Fixes: 76ad4f0ee747 ("net: hns3: Add support of HNS3 Ethernet Driver for hip08 SoC")
+Signed-off-by: Hao Chen <chenhao288@hisilicon.com>
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+index 6b43cbf4f909..3dd3b8047968 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+@@ -796,7 +796,7 @@ static int hns3_get_l4_protocol(struct sk_buff *skb, u8 *ol4_proto,
+ * and it is udp packet, which has a dest port as the IANA assigned.
+ * the hardware is expected to do the checksum offload, but the
+ * hardware will not do the checksum offload when udp dest port is
+- * 4789 or 6081.
++ * 4789, 4790 or 6081.
+ */
+ static bool hns3_tunnel_csum_bug(struct sk_buff *skb)
+ {
+@@ -806,7 +806,8 @@ static bool hns3_tunnel_csum_bug(struct sk_buff *skb)
+
+ if (!(!skb->encapsulation &&
+ (l4.udp->dest == htons(IANA_VXLAN_UDP_PORT) ||
+- l4.udp->dest == htons(GENEVE_UDP_PORT))))
++ l4.udp->dest == htons(GENEVE_UDP_PORT) ||
++ l4.udp->dest == htons(4790))))
+ return false;
+
+ skb_checksum_help(skb);
+--
+2.30.2
+
--- /dev/null
+From 3a495d3fbeec8d7cf4c1140bc57a368e1901c1f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Apr 2021 16:34:50 +0800
+Subject: net: hns3: fix incorrect configuration for igu_egu_hw_err
+
+From: Yufeng Mo <moyufeng@huawei.com>
+
+[ Upstream commit 2867298dd49ee84214b8721521dc7a5a6382520c ]
+
+According to the UM, the type and enable status of igu_egu_hw_err
+should be configured separately. Currently, the type field is
+incorrect when disable this error. So fix it by configuring these
+two fields separately.
+
+Fixes: bf1faf9415dd ("net: hns3: Add enable and process hw errors from IGU, EGU and NCSI")
+Signed-off-by: Yufeng Mo <moyufeng@huawei.com>
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_err.c | 3 ++-
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_err.h | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_err.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_err.c
+index 87dece0e745d..53fd6e4d9e2d 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_err.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_err.c
+@@ -753,8 +753,9 @@ static int hclge_config_igu_egu_hw_err_int(struct hclge_dev *hdev, bool en)
+
+ /* configure IGU,EGU error interrupts */
+ hclge_cmd_setup_basic_desc(&desc, HCLGE_IGU_COMMON_INT_EN, false);
++ desc.data[0] = cpu_to_le32(HCLGE_IGU_ERR_INT_TYPE);
+ if (en)
+- desc.data[0] = cpu_to_le32(HCLGE_IGU_ERR_INT_EN);
++ desc.data[0] |= cpu_to_le32(HCLGE_IGU_ERR_INT_EN);
+
+ desc.data[1] = cpu_to_le32(HCLGE_IGU_ERR_INT_EN_MASK);
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_err.h b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_err.h
+index 876fd81ad2f1..8eccdb651a3c 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_err.h
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_err.h
+@@ -33,7 +33,8 @@
+ #define HCLGE_TQP_ECC_ERR_INT_EN_MASK 0x0FFF
+ #define HCLGE_MSIX_SRAM_ECC_ERR_INT_EN_MASK 0x0F000000
+ #define HCLGE_MSIX_SRAM_ECC_ERR_INT_EN 0x0F000000
+-#define HCLGE_IGU_ERR_INT_EN 0x0000066F
++#define HCLGE_IGU_ERR_INT_EN 0x0000000F
++#define HCLGE_IGU_ERR_INT_TYPE 0x00000660
+ #define HCLGE_IGU_ERR_INT_EN_MASK 0x000F
+ #define HCLGE_IGU_TNL_ERR_INT_EN 0x0002AABF
+ #define HCLGE_IGU_TNL_ERR_INT_EN_MASK 0x003F
+--
+2.30.2
+
--- /dev/null
+From 126a3b752007578d11528c1a98a649025a8160ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Apr 2021 16:34:51 +0800
+Subject: net: hns3: initialize the message content in hclge_get_link_mode()
+
+From: Yufeng Mo <moyufeng@huawei.com>
+
+[ Upstream commit 568a54bdf70b143f3e0befa298e22ad469ffc732 ]
+
+The message sent to VF should be initialized, otherwise random
+value of some contents may cause improper processing by the target.
+So add a initialization to message in hclge_get_link_mode().
+
+Fixes: 9194d18b0577 ("net: hns3: fix the problem that the supported port is empty")
+Signed-off-by: Yufeng Mo <moyufeng@huawei.com>
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
+index f5da28a60d00..23a706a1765a 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
+@@ -455,7 +455,7 @@ static void hclge_get_link_mode(struct hclge_vport *vport,
+ unsigned long advertising;
+ unsigned long supported;
+ unsigned long send_data;
+- u8 msg_data[10];
++ u8 msg_data[10] = {};
+ u8 dest_vfid;
+
+ advertising = hdev->hw.mac.advertising[0];
+--
+2.30.2
+
--- /dev/null
+From 797eb5a6e468b3b08e8f8893bf79d10c7b252190 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Apr 2021 17:06:20 +0800
+Subject: net: hns3: use netif_tx_disable to stop the transmit queue
+
+From: Peng Li <lipeng321@huawei.com>
+
+[ Upstream commit b416e872be06fdace3c36cf5210130509d0f0e72 ]
+
+Currently, netif_tx_stop_all_queues() is used to ensure that
+the xmit is not running, but for the concurrent case it will
+not take effect, since netif_tx_stop_all_queues() just sets
+a flag without locking to indicate that the xmit queue(s)
+should not be run.
+
+So use netif_tx_disable() to replace netif_tx_stop_all_queues(),
+it takes the xmit queue lock while marking the queue stopped.
+
+Fixes: 76ad4f0ee747 ("net: hns3: Add support of HNS3 Ethernet Driver for hip08 SoC")
+Signed-off-by: Peng Li <lipeng321@huawei.com>
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+index 3dd3b8047968..5f2948bafff2 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+@@ -539,8 +539,8 @@ static int hns3_nic_net_stop(struct net_device *netdev)
+ if (h->ae_algo->ops->set_timer_task)
+ h->ae_algo->ops->set_timer_task(priv->ae_handle, false);
+
+- netif_tx_stop_all_queues(netdev);
+ netif_carrier_off(netdev);
++ netif_tx_disable(netdev);
+
+ hns3_nic_net_down(netdev);
+
+--
+2.30.2
+
--- /dev/null
+From f530a071e859062f81b80b6b733b60a5276d925b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Apr 2021 07:30:46 +0800
+Subject: net: sched: tapr: prevent cycle_time == 0 in parse_taprio_schedule
+
+From: Du Cheng <ducheng2@gmail.com>
+
+[ Upstream commit ed8157f1ebf1ae81a8fa2653e3f20d2076fad1c9 ]
+
+There is a reproducible sequence from the userland that will trigger a WARN_ON()
+condition in taprio_get_start_time, which causes kernel to panic if configured
+as "panic_on_warn". Catch this condition in parse_taprio_schedule to
+prevent this condition.
+
+Reported as bug on syzkaller:
+https://syzkaller.appspot.com/bug?extid=d50710fd0873a9c6b40c
+
+Reported-by: syzbot+d50710fd0873a9c6b40c@syzkaller.appspotmail.com
+Signed-off-by: Du Cheng <ducheng2@gmail.com>
+Acked-by: Cong Wang <cong.wang@bytedance.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_taprio.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c
+index 09116be99511..a4de4853c79d 100644
+--- a/net/sched/sch_taprio.c
++++ b/net/sched/sch_taprio.c
+@@ -900,6 +900,12 @@ static int parse_taprio_schedule(struct taprio_sched *q, struct nlattr **tb,
+
+ list_for_each_entry(entry, &new->entries, list)
+ cycle = ktime_add_ns(cycle, entry->interval);
++
++ if (!cycle) {
++ NL_SET_ERR_MSG(extack, "'cycle_time' can never be 0");
++ return -EINVAL;
++ }
++
+ new->cycle_time = cycle;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From bb751db08a6b53ef8999217d2384705e3573c69b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 13 Mar 2021 13:18:26 +0000
+Subject: net: stmmac: Set FIFO sizes for ipq806x
+
+From: Jonathan McDowell <noodles@earth.li>
+
+[ Upstream commit e127906b68b49ddb3ecba39ffa36a329c48197d3 ]
+
+Commit eaf4fac47807 ("net: stmmac: Do not accept invalid MTU values")
+started using the TX FIFO size to verify what counts as a valid MTU
+request for the stmmac driver. This is unset for the ipq806x variant.
+Looking at older patches for this it seems the RX + TXs buffers can be
+up to 8k, so set appropriately.
+
+(I sent this as an RFC patch in June last year, but received no replies.
+I've been running with this on my hardware (a MikroTik RB3011) since
+then with larger MTUs to support both the internal qca8k switch and
+VLANs with no problems. Without the patch it's impossible to set the
+larger MTU required to support this.)
+
+Signed-off-by: Jonathan McDowell <noodles@earth.li>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c
+index 826626e870d5..0f56f8e33691 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c
+@@ -351,6 +351,8 @@ static int ipq806x_gmac_probe(struct platform_device *pdev)
+ plat_dat->bsp_priv = gmac;
+ plat_dat->fix_mac_speed = ipq806x_gmac_fix_mac_speed;
+ plat_dat->multicast_filter_bins = 0;
++ plat_dat->tx_fifo_size = 8192;
++ plat_dat->rx_fifo_size = 8192;
+
+ err = stmmac_dvr_probe(&pdev->dev, plat_dat, &stmmac_res);
+ if (err)
+--
+2.30.2
+
--- /dev/null
+From 40eeda763b1d2b93f50eb7c6e3fd1d869c01aac3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 May 2021 22:25:24 +0200
+Subject: netfilter: nfnetlink_osf: Fix a missing skb_header_pointer() NULL
+ check
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 5e024c325406470d1165a09c6feaf8ec897936be ]
+
+Do not assume that the tcph->doff field is correct when parsing for TCP
+options, skb_header_pointer() might fail to fetch these bits.
+
+Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nfnetlink_osf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
+index 916a3c7f9eaf..79fbf37291f3 100644
+--- a/net/netfilter/nfnetlink_osf.c
++++ b/net/netfilter/nfnetlink_osf.c
+@@ -186,6 +186,8 @@ static const struct tcphdr *nf_osf_hdr_ctx_init(struct nf_osf_hdr_ctx *ctx,
+
+ ctx->optp = skb_header_pointer(skb, ip_hdrlen(skb) +
+ sizeof(struct tcphdr), ctx->optsize, opts);
++ if (!ctx->optp)
++ return NULL;
+ }
+
+ return tcp;
+--
+2.30.2
+
--- /dev/null
+From 4e57c68959475e742df34dd83dbde97bea445fb6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 May 2021 05:53:23 -0700
+Subject: netfilter: nftables: avoid overflows in nft_hash_buckets()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit a54754ec9891830ba548e2010c889e3c8146e449 ]
+
+Number of buckets being stored in 32bit variables, we have to
+ensure that no overflows occur in nft_hash_buckets()
+
+syzbot injected a size == 0x40000000 and reported:
+
+UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13
+shift exponent 64 is too large for 64-bit type 'long unsigned int'
+CPU: 1 PID: 29539 Comm: syz-executor.4 Not tainted 5.12.0-rc7-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:79 [inline]
+ dump_stack+0x141/0x1d7 lib/dump_stack.c:120
+ ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
+ __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:327
+ __roundup_pow_of_two include/linux/log2.h:57 [inline]
+ nft_hash_buckets net/netfilter/nft_set_hash.c:411 [inline]
+ nft_hash_estimate.cold+0x19/0x1e net/netfilter/nft_set_hash.c:652
+ nft_select_set_ops net/netfilter/nf_tables_api.c:3586 [inline]
+ nf_tables_newset+0xe62/0x3110 net/netfilter/nf_tables_api.c:4322
+ nfnetlink_rcv_batch+0xa09/0x24b0 net/netfilter/nfnetlink.c:488
+ nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:612 [inline]
+ nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:630
+ netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
+ netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
+ netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
+ sock_sendmsg_nosec net/socket.c:654 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:674
+ ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
+ ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
+ __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+
+Fixes: 0ed6389c483d ("netfilter: nf_tables: rename set implementations")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_set_hash.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c
+index b331a3c9a3a8..9de0eb20e954 100644
+--- a/net/netfilter/nft_set_hash.c
++++ b/net/netfilter/nft_set_hash.c
+@@ -393,9 +393,17 @@ static void nft_rhash_destroy(const struct nft_set *set)
+ (void *)set);
+ }
+
++/* Number of buckets is stored in u32, so cap our result to 1U<<31 */
++#define NFT_MAX_BUCKETS (1U << 31)
++
+ static u32 nft_hash_buckets(u32 size)
+ {
+- return roundup_pow_of_two(size * 4 / 3);
++ u64 val = div_u64((u64)size * 4, 3);
++
++ if (val >= NFT_MAX_BUCKETS)
++ return NFT_MAX_BUCKETS;
++
++ return roundup_pow_of_two(val);
+ }
+
+ static bool nft_rhash_estimate(const struct nft_set_desc *desc, u32 features,
+--
+2.30.2
+
--- /dev/null
+From 83628f7da7c583b55d0ba19ee895bf9acfcf0b5a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Apr 2021 14:00:13 +0200
+Subject: netfilter: xt_SECMARK: add new revision to fix structure layout
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit c7d13358b6a2f49f81a34aa323a2d0878a0532a2 ]
+
+This extension breaks when trying to delete rules, add a new revision to
+fix this.
+
+Fixes: 5e6874cdb8de ("[SECMARK]: Add xtables SECMARK target")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/netfilter/xt_SECMARK.h | 6 ++
+ net/netfilter/xt_SECMARK.c | 88 ++++++++++++++++++-----
+ 2 files changed, 75 insertions(+), 19 deletions(-)
+
+diff --git a/include/uapi/linux/netfilter/xt_SECMARK.h b/include/uapi/linux/netfilter/xt_SECMARK.h
+index 1f2a708413f5..beb2cadba8a9 100644
+--- a/include/uapi/linux/netfilter/xt_SECMARK.h
++++ b/include/uapi/linux/netfilter/xt_SECMARK.h
+@@ -20,4 +20,10 @@ struct xt_secmark_target_info {
+ char secctx[SECMARK_SECCTX_MAX];
+ };
+
++struct xt_secmark_target_info_v1 {
++ __u8 mode;
++ char secctx[SECMARK_SECCTX_MAX];
++ __u32 secid;
++};
++
+ #endif /*_XT_SECMARK_H_target */
+diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
+index 2317721f3ecb..ea7aeea19b3b 100644
+--- a/net/netfilter/xt_SECMARK.c
++++ b/net/netfilter/xt_SECMARK.c
+@@ -26,10 +26,9 @@ MODULE_ALIAS("ip6t_SECMARK");
+ static u8 mode;
+
+ static unsigned int
+-secmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
++secmark_tg(struct sk_buff *skb, const struct xt_secmark_target_info_v1 *info)
+ {
+ u32 secmark = 0;
+- const struct xt_secmark_target_info *info = par->targinfo;
+
+ switch (mode) {
+ case SECMARK_MODE_SEL:
+@@ -43,7 +42,7 @@ secmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
+ return XT_CONTINUE;
+ }
+
+-static int checkentry_lsm(struct xt_secmark_target_info *info)
++static int checkentry_lsm(struct xt_secmark_target_info_v1 *info)
+ {
+ int err;
+
+@@ -75,15 +74,15 @@ static int checkentry_lsm(struct xt_secmark_target_info *info)
+ return 0;
+ }
+
+-static int secmark_tg_check(const struct xt_tgchk_param *par)
++static int
++secmark_tg_check(const char *table, struct xt_secmark_target_info_v1 *info)
+ {
+- struct xt_secmark_target_info *info = par->targinfo;
+ int err;
+
+- if (strcmp(par->table, "mangle") != 0 &&
+- strcmp(par->table, "security") != 0) {
++ if (strcmp(table, "mangle") != 0 &&
++ strcmp(table, "security") != 0) {
+ pr_info_ratelimited("only valid in \'mangle\' or \'security\' table, not \'%s\'\n",
+- par->table);
++ table);
+ return -EINVAL;
+ }
+
+@@ -118,25 +117,76 @@ static void secmark_tg_destroy(const struct xt_tgdtor_param *par)
+ }
+ }
+
+-static struct xt_target secmark_tg_reg __read_mostly = {
+- .name = "SECMARK",
+- .revision = 0,
+- .family = NFPROTO_UNSPEC,
+- .checkentry = secmark_tg_check,
+- .destroy = secmark_tg_destroy,
+- .target = secmark_tg,
+- .targetsize = sizeof(struct xt_secmark_target_info),
+- .me = THIS_MODULE,
++static int secmark_tg_check_v0(const struct xt_tgchk_param *par)
++{
++ struct xt_secmark_target_info *info = par->targinfo;
++ struct xt_secmark_target_info_v1 newinfo = {
++ .mode = info->mode,
++ };
++ int ret;
++
++ memcpy(newinfo.secctx, info->secctx, SECMARK_SECCTX_MAX);
++
++ ret = secmark_tg_check(par->table, &newinfo);
++ info->secid = newinfo.secid;
++
++ return ret;
++}
++
++static unsigned int
++secmark_tg_v0(struct sk_buff *skb, const struct xt_action_param *par)
++{
++ const struct xt_secmark_target_info *info = par->targinfo;
++ struct xt_secmark_target_info_v1 newinfo = {
++ .secid = info->secid,
++ };
++
++ return secmark_tg(skb, &newinfo);
++}
++
++static int secmark_tg_check_v1(const struct xt_tgchk_param *par)
++{
++ return secmark_tg_check(par->table, par->targinfo);
++}
++
++static unsigned int
++secmark_tg_v1(struct sk_buff *skb, const struct xt_action_param *par)
++{
++ return secmark_tg(skb, par->targinfo);
++}
++
++static struct xt_target secmark_tg_reg[] __read_mostly = {
++ {
++ .name = "SECMARK",
++ .revision = 0,
++ .family = NFPROTO_UNSPEC,
++ .checkentry = secmark_tg_check_v0,
++ .destroy = secmark_tg_destroy,
++ .target = secmark_tg_v0,
++ .targetsize = sizeof(struct xt_secmark_target_info),
++ .me = THIS_MODULE,
++ },
++ {
++ .name = "SECMARK",
++ .revision = 1,
++ .family = NFPROTO_UNSPEC,
++ .checkentry = secmark_tg_check_v1,
++ .destroy = secmark_tg_destroy,
++ .target = secmark_tg_v1,
++ .targetsize = sizeof(struct xt_secmark_target_info_v1),
++ .usersize = offsetof(struct xt_secmark_target_info_v1, secid),
++ .me = THIS_MODULE,
++ },
+ };
+
+ static int __init secmark_tg_init(void)
+ {
+- return xt_register_target(&secmark_tg_reg);
++ return xt_register_targets(secmark_tg_reg, ARRAY_SIZE(secmark_tg_reg));
+ }
+
+ static void __exit secmark_tg_exit(void)
+ {
+- xt_unregister_target(&secmark_tg_reg);
++ xt_unregister_targets(secmark_tg_reg, ARRAY_SIZE(secmark_tg_reg));
+ }
+
+ module_init(secmark_tg_init);
+--
+2.30.2
+
--- /dev/null
+From e5d0f7a2547c8d3a20cb7da31dde1587c2364281 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Mar 2021 16:46:05 -0400
+Subject: NFS: Deal correctly with attribute generation counter overflow
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit 9fdbfad1777cb4638f489eeb62d85432010c0031 ]
+
+We need to use unsigned long subtraction and then convert to signed in
+order to deal correcly with C overflow rules.
+
+Fixes: f5062003465c ("NFS: Set an attribute barrier on all updates")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/inode.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
+index 53604cc090ca..8c0f916380c4 100644
+--- a/fs/nfs/inode.c
++++ b/fs/nfs/inode.c
+@@ -1618,10 +1618,10 @@ EXPORT_SYMBOL_GPL(_nfs_display_fhandle);
+ */
+ static int nfs_inode_attrs_need_update(const struct inode *inode, const struct nfs_fattr *fattr)
+ {
+- const struct nfs_inode *nfsi = NFS_I(inode);
++ unsigned long attr_gencount = NFS_I(inode)->attr_gencount;
+
+- return ((long)fattr->gencount - (long)nfsi->attr_gencount) > 0 ||
+- ((long)nfsi->attr_gencount - (long)nfs_read_attr_generation_counter() > 0);
++ return (long)(fattr->gencount - attr_gencount) > 0 ||
++ (long)(attr_gencount - nfs_read_attr_generation_counter()) > 0;
+ }
+
+ static int nfs_refresh_inode_locked(struct inode *inode, struct nfs_fattr *fattr)
+@@ -2049,7 +2049,7 @@ static int nfs_update_inode(struct inode *inode, struct nfs_fattr *fattr)
+ nfsi->attrtimeo_timestamp = now;
+ }
+ /* Set the barrier to be more recent than this fattr */
+- if ((long)fattr->gencount - (long)nfsi->attr_gencount > 0)
++ if ((long)(fattr->gencount - nfsi->attr_gencount) > 0)
+ nfsi->attr_gencount = fattr->gencount;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From ec1e148c3cbb584ab38ab6802887da9dbccd6973 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 Mar 2021 18:17:14 -0400
+Subject: NFSv4.2: Always flush out writes in nfs42_proc_fallocate()
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit 99f23783224355e7022ceea9b8d9f62c0fd01bd8 ]
+
+Whether we're allocating or delallocating space, we should flush out the
+pending writes in order to avoid races with attribute updates.
+
+Fixes: 1e564d3dbd68 ("NFSv4.2: Fix a race in nfs42_proc_deallocate()")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs42proc.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/fs/nfs/nfs42proc.c b/fs/nfs/nfs42proc.c
+index 9b61c80a93e9..5c84e5b8c0d6 100644
+--- a/fs/nfs/nfs42proc.c
++++ b/fs/nfs/nfs42proc.c
+@@ -59,7 +59,8 @@ static int _nfs42_proc_fallocate(struct rpc_message *msg, struct file *filep,
+ static int nfs42_proc_fallocate(struct rpc_message *msg, struct file *filep,
+ loff_t offset, loff_t len)
+ {
+- struct nfs_server *server = NFS_SERVER(file_inode(filep));
++ struct inode *inode = file_inode(filep);
++ struct nfs_server *server = NFS_SERVER(inode);
+ struct nfs4_exception exception = { };
+ struct nfs_lock_context *lock;
+ int err;
+@@ -68,9 +69,13 @@ static int nfs42_proc_fallocate(struct rpc_message *msg, struct file *filep,
+ if (IS_ERR(lock))
+ return PTR_ERR(lock);
+
+- exception.inode = file_inode(filep);
++ exception.inode = inode;
+ exception.state = lock->open_context->state;
+
++ err = nfs_sync_inode(inode);
++ if (err)
++ goto out;
++
+ do {
+ err = _nfs42_proc_fallocate(msg, filep, lock, offset, len);
+ if (err == -ENOTSUPP) {
+@@ -79,7 +84,7 @@ static int nfs42_proc_fallocate(struct rpc_message *msg, struct file *filep,
+ }
+ err = nfs4_handle_exception(server, err, &exception);
+ } while (exception.retry);
+-
++out:
+ nfs_put_lock_context(lock);
+ return err;
+ }
+@@ -117,16 +122,13 @@ int nfs42_proc_deallocate(struct file *filep, loff_t offset, loff_t len)
+ return -EOPNOTSUPP;
+
+ inode_lock(inode);
+- err = nfs_sync_inode(inode);
+- if (err)
+- goto out_unlock;
+
+ err = nfs42_proc_fallocate(&msg, filep, offset, len);
+ if (err == 0)
+ truncate_pagecache_range(inode, offset, (offset + len) -1);
+ if (err == -EOPNOTSUPP)
+ NFS_SERVER(inode)->caps &= ~NFS_CAP_DEALLOCATE;
+-out_unlock:
++
+ inode_unlock(inode);
+ return err;
+ }
+--
+2.30.2
+
--- /dev/null
+From ddf42ef4d762adfcd64413002d87aa96c1374e71 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Mar 2021 15:30:25 -0400
+Subject: NFSv4.2 fix handling of sr_eof in SEEK's reply
+
+From: Olga Kornievskaia <kolga@netapp.com>
+
+[ Upstream commit 73f5c88f521a630ea1628beb9c2d48a2e777a419 ]
+
+Currently the client ignores the value of the sr_eof of the SEEK
+operation. According to the spec, if the server didn't find the
+requested extent and reached the end of the file, the server
+would return sr_eof=true. In case the request for DATA and no
+data was found (ie in the middle of the hole), then the lseek
+expects that ENXIO would be returned.
+
+Fixes: 1c6dcbe5ceff8 ("NFS: Implement SEEK")
+Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs42proc.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fs/nfs/nfs42proc.c b/fs/nfs/nfs42proc.c
+index 5c84e5b8c0d6..6b7c926824ae 100644
+--- a/fs/nfs/nfs42proc.c
++++ b/fs/nfs/nfs42proc.c
+@@ -500,7 +500,10 @@ static loff_t _nfs42_proc_llseek(struct file *filep,
+ if (status)
+ return status;
+
+- return vfs_setpos(filep, res.sr_offset, inode->i_sb->s_maxbytes);
++ if (whence == SEEK_DATA && res.sr_eof)
++ return -NFS4ERR_NXIO;
++ else
++ return vfs_setpos(filep, res.sr_offset, inode->i_sb->s_maxbytes);
+ }
+
+ loff_t nfs42_proc_llseek(struct file *filep, loff_t offset, int whence)
+--
+2.30.2
+
--- /dev/null
+From 3feba5c5f22ff872cefb0919d8d2e2e82259e3aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Mar 2021 16:40:12 +0800
+Subject: PCI: endpoint: Fix missing destroy_workqueue()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit acaef7981a218813e3617edb9c01837808de063c ]
+
+Add the missing destroy_workqueue() before return from
+pci_epf_test_init() in the error handling case and add
+destroy_workqueue() in pci_epf_test_exit().
+
+Link: https://lore.kernel.org/r/20210331084012.2091010-1-yangyingliang@huawei.com
+Fixes: 349e7a85b25fa ("PCI: endpoint: functions: Add an EP function to test PCI")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/endpoint/functions/pci-epf-test.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/pci/endpoint/functions/pci-epf-test.c b/drivers/pci/endpoint/functions/pci-epf-test.c
+index 1cfe3687a211..6dcee39b364a 100644
+--- a/drivers/pci/endpoint/functions/pci-epf-test.c
++++ b/drivers/pci/endpoint/functions/pci-epf-test.c
+@@ -604,6 +604,7 @@ static int __init pci_epf_test_init(void)
+
+ ret = pci_epf_register_driver(&test_driver);
+ if (ret) {
++ destroy_workqueue(kpcitest_workqueue);
+ pr_err("Failed to register pci epf test driver --> %d\n", ret);
+ return ret;
+ }
+@@ -614,6 +615,8 @@ module_init(pci_epf_test_init);
+
+ static void __exit pci_epf_test_exit(void)
+ {
++ if (kpcitest_workqueue)
++ destroy_workqueue(kpcitest_workqueue);
+ pci_epf_unregister_driver(&test_driver);
+ }
+ module_exit(pci_epf_test_exit);
+--
+2.30.2
+
--- /dev/null
+From 05f87d12f33b9d75e6e37a85d1c9f1d9ec2bcbc0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Mar 2021 15:22:02 +0100
+Subject: PCI: iproc: Fix return value of iproc_msi_irq_domain_alloc()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit 1e83130f01b04c16579ed5a5e03d729bcffc4c5d ]
+
+IRQ domain alloc function should return zero on success. Non-zero value
+indicates failure.
+
+Link: https://lore.kernel.org/r/20210303142202.25780-1-pali@kernel.org
+Fixes: fc54bae28818 ("PCI: iproc: Allow allocation of multiple MSIs")
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Reviewed-by: Krzysztof Wilczyński <kw@linux.com>
+Acked-by: Ray Jui <ray.jui@broadcom.com>
+Acked-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pcie-iproc-msi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pci/controller/pcie-iproc-msi.c b/drivers/pci/controller/pcie-iproc-msi.c
+index a1298f6784ac..f40d17b285c5 100644
+--- a/drivers/pci/controller/pcie-iproc-msi.c
++++ b/drivers/pci/controller/pcie-iproc-msi.c
+@@ -271,7 +271,7 @@ static int iproc_msi_irq_domain_alloc(struct irq_domain *domain,
+ NULL, NULL);
+ }
+
+- return hwirq;
++ return 0;
+ }
+
+ static void iproc_msi_irq_domain_free(struct irq_domain *domain,
+--
+2.30.2
+
--- /dev/null
+From a8a102b1ba95e2da155c35ebc745809cad8225a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Jan 2021 02:28:26 +0300
+Subject: PCI: Release OF node in pci_scan_device()'s error path
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit c99e755a4a4c165cad6effb39faffd0f3377c02d ]
+
+In pci_scan_device(), if pci_setup_device() fails for any reason, the code
+will not release device's of_node by calling pci_release_of_node(). Fix
+that by calling the release function.
+
+Fixes: 98d9f30c820d ("pci/of: Match PCI devices to OF nodes dynamically")
+Link: https://lore.kernel.org/r/20210124232826.1879-1-dmitry.baryshkov@linaro.org
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/probe.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
+index 8fa13486f2f1..f28213b62527 100644
+--- a/drivers/pci/probe.c
++++ b/drivers/pci/probe.c
+@@ -2299,6 +2299,7 @@ static struct pci_dev *pci_scan_device(struct pci_bus *bus, int devfn)
+ pci_set_of_node(dev);
+
+ if (pci_setup_device(dev)) {
++ pci_release_of_node(dev);
+ pci_bus_put(dev->bus);
+ kfree(dev);
+ return NULL;
+--
+2.30.2
+
--- /dev/null
+From 18421af93d689471d22952745fa5064c931849c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Apr 2021 21:50:29 +0200
+Subject: pinctrl: samsung: use 'int' for register masks in Exynos
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+
+[ Upstream commit fa0c10a5f3a49130dd11281aa27e7e1c8654abc7 ]
+
+The Special Function Registers on all Exynos SoC, including ARM64, are
+32-bit wide, so entire driver uses matching functions like readl() or
+writel(). On 64-bit ARM using unsigned long for register masks:
+1. makes little sense as immediately after bitwise operation it will be
+ cast to 32-bit value when calling writel(),
+2. is actually error-prone because it might promote other operands to
+ 64-bit.
+
+Addresses-Coverity: Unintentional integer overflow
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Reviewed-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Link: https://lore.kernel.org/r/20210408195029.69974-1-krzysztof.kozlowski@canonical.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/samsung/pinctrl-exynos.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/pinctrl/samsung/pinctrl-exynos.c b/drivers/pinctrl/samsung/pinctrl-exynos.c
+index 84501c785473..1cf31fe2674d 100644
+--- a/drivers/pinctrl/samsung/pinctrl-exynos.c
++++ b/drivers/pinctrl/samsung/pinctrl-exynos.c
+@@ -55,7 +55,7 @@ static void exynos_irq_mask(struct irq_data *irqd)
+ struct exynos_irq_chip *our_chip = to_exynos_irq_chip(chip);
+ struct samsung_pin_bank *bank = irq_data_get_irq_chip_data(irqd);
+ unsigned long reg_mask = our_chip->eint_mask + bank->eint_offset;
+- unsigned long mask;
++ unsigned int mask;
+ unsigned long flags;
+
+ spin_lock_irqsave(&bank->slock, flags);
+@@ -83,7 +83,7 @@ static void exynos_irq_unmask(struct irq_data *irqd)
+ struct exynos_irq_chip *our_chip = to_exynos_irq_chip(chip);
+ struct samsung_pin_bank *bank = irq_data_get_irq_chip_data(irqd);
+ unsigned long reg_mask = our_chip->eint_mask + bank->eint_offset;
+- unsigned long mask;
++ unsigned int mask;
+ unsigned long flags;
+
+ /*
+@@ -474,7 +474,7 @@ static void exynos_irq_eint0_15(struct irq_desc *desc)
+ chained_irq_exit(chip, desc);
+ }
+
+-static inline void exynos_irq_demux_eint(unsigned long pend,
++static inline void exynos_irq_demux_eint(unsigned int pend,
+ struct irq_domain *domain)
+ {
+ unsigned int irq;
+@@ -491,8 +491,8 @@ static void exynos_irq_demux_eint16_31(struct irq_desc *desc)
+ {
+ struct irq_chip *chip = irq_desc_get_chip(desc);
+ struct exynos_muxed_weint_data *eintd = irq_desc_get_handler_data(desc);
+- unsigned long pend;
+- unsigned long mask;
++ unsigned int pend;
++ unsigned int mask;
+ int i;
+
+ chained_irq_enter(chip, desc);
+--
+2.30.2
+
--- /dev/null
+From 89e29ef2c0c7c5645a29298ac7b63110fd894809 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Mar 2021 11:56:49 +0300
+Subject: pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()
+
+From: Nikola Livic <nlivic@gmail.com>
+
+[ Upstream commit ed34695e15aba74f45247f1ee2cf7e09d449f925 ]
+
+We (adam zabrocki, alexander matrosov, alexander tereshkin, maksym
+bazalii) observed the check:
+
+ if (fh->size > sizeof(struct nfs_fh))
+
+should not use the size of the nfs_fh struct which includes an extra two
+bytes from the size field.
+
+struct nfs_fh {
+ unsigned short size;
+ unsigned char data[NFS_MAXFHSIZE];
+}
+
+but should determine the size from data[NFS_MAXFHSIZE] so the memcpy
+will not write 2 bytes beyond destination. The proposed fix is to
+compare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs
+code base.
+
+Fixes: d67ae825a59d ("pnfs/flexfiles: Add the FlexFile Layout Driver")
+Signed-off-by: Nikola Livic <nlivic@gmail.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/flexfilelayout/flexfilelayout.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/nfs/flexfilelayout/flexfilelayout.c b/fs/nfs/flexfilelayout/flexfilelayout.c
+index 1741d902b0d8..fa1c920afb49 100644
+--- a/fs/nfs/flexfilelayout/flexfilelayout.c
++++ b/fs/nfs/flexfilelayout/flexfilelayout.c
+@@ -103,7 +103,7 @@ static int decode_nfs_fh(struct xdr_stream *xdr, struct nfs_fh *fh)
+ if (unlikely(!p))
+ return -ENOBUFS;
+ fh->size = be32_to_cpup(p++);
+- if (fh->size > sizeof(struct nfs_fh)) {
++ if (fh->size > NFS_MAXFHSIZE) {
+ printk(KERN_ERR "NFS flexfiles: Too big fh received %d\n",
+ fh->size);
+ return -EOVERFLOW;
+--
+2.30.2
+
--- /dev/null
+From 16385a1edc2c7d0fd441bbf8ceebc0642c40fd52 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Mar 2021 17:36:53 +1100
+Subject: powerpc/iommu: Annotate nested lock for lockdep
+
+From: Alexey Kardashevskiy <aik@ozlabs.ru>
+
+[ Upstream commit cc7130bf119add37f36238343a593b71ef6ecc1e ]
+
+The IOMMU table is divided into pools for concurrent mappings and each
+pool has a separate spinlock. When taking the ownership of an IOMMU group
+to pass through a device to a VM, we lock these spinlocks which triggers
+a false negative warning in lockdep (below).
+
+This fixes it by annotating the large pool's spinlock as a nest lock
+which makes lockdep not complaining when locking nested locks if
+the nest lock is locked already.
+
+===
+WARNING: possible recursive locking detected
+5.11.0-le_syzkaller_a+fstn1 #100 Not tainted
+--------------------------------------------
+qemu-system-ppc/4129 is trying to acquire lock:
+c0000000119bddb0 (&(p->lock)/1){....}-{2:2}, at: iommu_take_ownership+0xac/0x1e0
+
+but task is already holding lock:
+c0000000119bdd30 (&(p->lock)/1){....}-{2:2}, at: iommu_take_ownership+0xac/0x1e0
+
+other info that might help us debug this:
+ Possible unsafe locking scenario:
+
+ CPU0
+ ----
+ lock(&(p->lock)/1);
+ lock(&(p->lock)/1);
+===
+
+Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20210301063653.51003-1-aik@ozlabs.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/iommu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/kernel/iommu.c b/arch/powerpc/kernel/iommu.c
+index 9704f3f76e63..d7d42bd448c4 100644
+--- a/arch/powerpc/kernel/iommu.c
++++ b/arch/powerpc/kernel/iommu.c
+@@ -1057,7 +1057,7 @@ int iommu_take_ownership(struct iommu_table *tbl)
+
+ spin_lock_irqsave(&tbl->large_pool.lock, flags);
+ for (i = 0; i < tbl->nr_pools; i++)
+- spin_lock(&tbl->pools[i].lock);
++ spin_lock_nest_lock(&tbl->pools[i].lock, &tbl->large_pool.lock);
+
+ iommu_table_release_pages(tbl);
+
+@@ -1085,7 +1085,7 @@ void iommu_release_ownership(struct iommu_table *tbl)
+
+ spin_lock_irqsave(&tbl->large_pool.lock, flags);
+ for (i = 0; i < tbl->nr_pools; i++)
+- spin_lock(&tbl->pools[i].lock);
++ spin_lock_nest_lock(&tbl->pools[i].lock, &tbl->large_pool.lock);
+
+ memset(tbl->it_map, 0, sz);
+
+--
+2.30.2
+
--- /dev/null
+From 6df44e208325344966657ca7e345feccf6c619ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Apr 2021 23:54:13 +1000
+Subject: powerpc/pseries: Stop calling printk in rtas_stop_self()
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+[ Upstream commit ed8029d7b472369a010a1901358567ca3b6dbb0d ]
+
+RCU complains about us calling printk() from an offline CPU:
+
+ =============================
+ WARNING: suspicious RCU usage
+ 5.12.0-rc7-02874-g7cf90e481cb8 #1 Not tainted
+ -----------------------------
+ kernel/locking/lockdep.c:3568 RCU-list traversed in non-reader section!!
+
+ other info that might help us debug this:
+
+ RCU used illegally from offline CPU!
+ rcu_scheduler_active = 2, debug_locks = 1
+ no locks held by swapper/0/0.
+
+ stack backtrace:
+ CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.12.0-rc7-02874-g7cf90e481cb8 #1
+ Call Trace:
+ dump_stack+0xec/0x144 (unreliable)
+ lockdep_rcu_suspicious+0x124/0x144
+ __lock_acquire+0x1098/0x28b0
+ lock_acquire+0x128/0x600
+ _raw_spin_lock_irqsave+0x6c/0xc0
+ down_trylock+0x2c/0x70
+ __down_trylock_console_sem+0x60/0x140
+ vprintk_emit+0x1a8/0x4b0
+ vprintk_func+0xcc/0x200
+ printk+0x40/0x54
+ pseries_cpu_offline_self+0xc0/0x120
+ arch_cpu_idle_dead+0x54/0x70
+ do_idle+0x174/0x4a0
+ cpu_startup_entry+0x38/0x40
+ rest_init+0x268/0x388
+ start_kernel+0x748/0x790
+ start_here_common+0x1c/0x614
+
+Which happens because by the time we get to rtas_stop_self() we are
+already offline. In addition the message can be spammy, and is not that
+helpful for users, so remove it.
+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20210418135413.1204031-1-mpe@ellerman.id.au
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/pseries/hotplug-cpu.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/arch/powerpc/platforms/pseries/hotplug-cpu.c b/arch/powerpc/platforms/pseries/hotplug-cpu.c
+index bbda646b63b5..210e6f563eb4 100644
+--- a/arch/powerpc/platforms/pseries/hotplug-cpu.c
++++ b/arch/powerpc/platforms/pseries/hotplug-cpu.c
+@@ -91,9 +91,6 @@ static void rtas_stop_self(void)
+
+ BUG_ON(rtas_stop_self_token == RTAS_UNKNOWN_SERVICE);
+
+- printk("cpu %u (hwid %u) Ready to die...\n",
+- smp_processor_id(), hard_smp_processor_id());
+-
+ rtas_call_unlocked(&args, rtas_stop_self_token, 0, 1, NULL);
+
+ panic("Alas, I survived.\n");
+--
+2.30.2
+
--- /dev/null
+From 5796db6681edab74c1e365b7cdbe3ceb5dbefe92 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Apr 2021 21:12:00 +0530
+Subject: powerpc/smp: Set numa node before updating mask
+
+From: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+
+[ Upstream commit 6980d13f0dd189846887bbbfa43793d9a41768d3 ]
+
+Geethika reported a trace when doing a dlpar CPU add.
+
+------------[ cut here ]------------
+WARNING: CPU: 152 PID: 1134 at kernel/sched/topology.c:2057
+CPU: 152 PID: 1134 Comm: kworker/152:1 Not tainted 5.12.0-rc5-master #5
+Workqueue: events cpuset_hotplug_workfn
+NIP: c0000000001cfc14 LR: c0000000001cfc10 CTR: c0000000007e3420
+REGS: c0000034a08eb260 TRAP: 0700 Not tainted (5.12.0-rc5-master+)
+MSR: 8000000000029033 <SF,EE,ME,IR,DR,RI,LE> CR: 28828422 XER: 00000020
+CFAR: c0000000001fd888 IRQMASK: 0 #012GPR00: c0000000001cfc10
+c0000034a08eb500 c000000001f35400 0000000000000027 #012GPR04:
+c0000035abaa8010 c0000035abb30a00 0000000000000027 c0000035abaa8018
+#012GPR08: 0000000000000023 c0000035abaaef48 00000035aa540000
+c0000035a49dffe8 #012GPR12: 0000000028828424 c0000035bf1a1c80
+0000000000000497 0000000000000004 #012GPR16: c00000000347a258
+0000000000000140 c00000000203d468 c000000001a1a490 #012GPR20:
+c000000001f9c160 c0000034adf70920 c0000034aec9fd20 0000000100087bd3
+#012GPR24: 0000000100087bd3 c0000035b3de09f8 0000000000000030
+c0000035b3de09f8 #012GPR28: 0000000000000028 c00000000347a280
+c0000034aefe0b00 c0000000010a2a68
+NIP [c0000000001cfc14] build_sched_domains+0x6a4/0x1500
+LR [c0000000001cfc10] build_sched_domains+0x6a0/0x1500
+Call Trace:
+[c0000034a08eb500] [c0000000001cfc10] build_sched_domains+0x6a0/0x1500 (unreliable)
+[c0000034a08eb640] [c0000000001d1e6c] partition_sched_domains_locked+0x3ec/0x530
+[c0000034a08eb6e0] [c0000000002936d4] rebuild_sched_domains_locked+0x524/0xbf0
+[c0000034a08eb7e0] [c000000000296bb0] rebuild_sched_domains+0x40/0x70
+[c0000034a08eb810] [c000000000296e74] cpuset_hotplug_workfn+0x294/0xe20
+[c0000034a08ebc30] [c000000000178dd0] process_one_work+0x300/0x670
+[c0000034a08ebd10] [c0000000001791b8] worker_thread+0x78/0x520
+[c0000034a08ebda0] [c000000000185090] kthread+0x1a0/0x1b0
+[c0000034a08ebe10] [c00000000000ccec] ret_from_kernel_thread+0x5c/0x70
+Instruction dump:
+7d2903a6 4e800421 e8410018 7f67db78 7fe6fb78 7f45d378 7f84e378 7c681b78
+3c62ff1a 3863c6f8 4802dc35 60000000 <0fe00000> 3920fff4 f9210070 e86100a0
+---[ end trace 532d9066d3d4d7ec ]---
+
+Some of the per-CPU masks use cpu_cpu_mask as a filter to limit the search
+for related CPUs. On a dlpar add of a CPU, update cpu_cpu_mask before
+updating the per-CPU masks. This will ensure the cpu_cpu_mask is updated
+correctly before its used in setting the masks. Setting the numa_node will
+ensure that when cpu_cpu_mask() gets called, the correct node number is
+used. This code movement helped fix the above call trace.
+
+Reported-by: Geetika Moolchandani <Geetika.Moolchandani1@ibm.com>
+Signed-off-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+Reviewed-by: Nathan Lynch <nathanl@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20210401154200.150077-1-srikar@linux.vnet.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/smp.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/powerpc/kernel/smp.c b/arch/powerpc/kernel/smp.c
+index ea6adbf6a221..b24d860bbab9 100644
+--- a/arch/powerpc/kernel/smp.c
++++ b/arch/powerpc/kernel/smp.c
+@@ -1254,6 +1254,9 @@ void start_secondary(void *unused)
+
+ vdso_getcpu_init();
+ #endif
++ set_numa_node(numa_cpu_lookup_table[cpu]);
++ set_numa_mem(local_memory_node(numa_cpu_lookup_table[cpu]));
++
+ /* Update topology CPU masks */
+ add_cpu_to_masks(cpu);
+
+@@ -1266,9 +1269,6 @@ void start_secondary(void *unused)
+ if (!cpumask_equal(cpu_l2_cache_mask(cpu), sibling_mask(cpu)))
+ shared_caches = true;
+
+- set_numa_node(numa_cpu_lookup_table[cpu]);
+- set_numa_mem(local_memory_node(numa_cpu_lookup_table[cpu]));
+-
+ smp_wmb();
+ notify_cpu_starting(cpu);
+ set_cpu_online(cpu, true);
+--
+2.30.2
+
--- /dev/null
+From 1cf894f9a3b51001dcb41ff5326ac9218e3d9e7e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Apr 2021 15:58:42 +0100
+Subject: qtnfmac: Fix possible buffer overflow in
+ qtnf_event_handle_external_auth
+
+From: Lee Gibson <leegib@gmail.com>
+
+[ Upstream commit 130f634da1af649205f4a3dd86cbe5c126b57914 ]
+
+Function qtnf_event_handle_external_auth calls memcpy without
+checking the length.
+A user could control that length and trigger a buffer overflow.
+Fix by checking the length is within the maximum allowed size.
+
+Signed-off-by: Lee Gibson <leegib@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210419145842.345787-1-leegib@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/quantenna/qtnfmac/event.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/quantenna/qtnfmac/event.c b/drivers/net/wireless/quantenna/qtnfmac/event.c
+index 7846383c8828..3f24dbdae8d0 100644
+--- a/drivers/net/wireless/quantenna/qtnfmac/event.c
++++ b/drivers/net/wireless/quantenna/qtnfmac/event.c
+@@ -599,8 +599,10 @@ qtnf_event_handle_external_auth(struct qtnf_vif *vif,
+ return 0;
+
+ if (ev->ssid_len) {
+- memcpy(auth.ssid.ssid, ev->ssid, ev->ssid_len);
+- auth.ssid.ssid_len = ev->ssid_len;
++ int len = clamp_val(ev->ssid_len, 0, IEEE80211_MAX_SSID_LEN);
++
++ memcpy(auth.ssid.ssid, ev->ssid, len);
++ auth.ssid.ssid_len = len;
+ }
+
+ auth.key_mgmt_suite = le32_to_cpu(ev->akm_suite);
+--
+2.30.2
+
--- /dev/null
+From e09503cfea00127df2eb5f1277d67638baff7bc0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Apr 2021 03:58:47 -0500
+Subject: Revert "iommu/amd: Fix performance counter initialization"
+
+From: Paul Menzel <pmenzel@molgen.mpg.de>
+
+[ Upstream commit 715601e4e36903a653cd4294dfd3ed0019101991 ]
+
+This reverts commit 6778ff5b21bd8e78c8bd547fd66437cf2657fd9b.
+
+The original commit tries to address an issue, where PMC power-gating
+causing the IOMMU PMC pre-init test to fail on certain desktop/mobile
+platforms where the power-gating is normally enabled.
+
+There have been several reports that the workaround still does not
+guarantee to work, and can add up to 100 ms (on the worst case)
+to the boot process on certain platforms such as the MSI B350M MORTAR
+with AMD Ryzen 3 2200G.
+
+Therefore, revert this commit as a prelude to removing the pre-init
+test.
+
+Link: https://lore.kernel.org/linux-iommu/alpine.LNX.3.20.13.2006030935570.3181@monopod.intra.ispras.ru/
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=201753
+Cc: Tj (Elloe Linux) <ml.linux@elloe.vision>
+Cc: Shuah Khan <skhan@linuxfoundation.org>
+Cc: Alexander Monakov <amonakov@ispras.ru>
+Cc: David Coe <david.coe@live.co.uk>
+Signed-off-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Signed-off-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+Link: https://lore.kernel.org/r/20210409085848.3908-2-suravee.suthikulpanit@amd.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/amd_iommu_init.c | 45 +++++++++-------------------------
+ 1 file changed, 11 insertions(+), 34 deletions(-)
+
+diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c
+index ad714ff375f8..31d7e2d4f304 100644
+--- a/drivers/iommu/amd_iommu_init.c
++++ b/drivers/iommu/amd_iommu_init.c
+@@ -12,7 +12,6 @@
+ #include <linux/acpi.h>
+ #include <linux/list.h>
+ #include <linux/bitmap.h>
+-#include <linux/delay.h>
+ #include <linux/slab.h>
+ #include <linux/syscore_ops.h>
+ #include <linux/interrupt.h>
+@@ -254,8 +253,6 @@ static enum iommu_init_state init_state = IOMMU_START_STATE;
+ static int amd_iommu_enable_interrupts(void);
+ static int __init iommu_go_to_state(enum iommu_init_state state);
+ static void init_device_table_dma(void);
+-static int iommu_pc_get_set_reg(struct amd_iommu *iommu, u8 bank, u8 cntr,
+- u8 fxn, u64 *value, bool is_write);
+
+ static bool amd_iommu_pre_enabled = true;
+
+@@ -1675,11 +1672,13 @@ static int __init init_iommu_all(struct acpi_table_header *table)
+ return 0;
+ }
+
+-static void __init init_iommu_perf_ctr(struct amd_iommu *iommu)
++static int iommu_pc_get_set_reg(struct amd_iommu *iommu, u8 bank, u8 cntr,
++ u8 fxn, u64 *value, bool is_write);
++
++static void init_iommu_perf_ctr(struct amd_iommu *iommu)
+ {
+- int retry;
+ struct pci_dev *pdev = iommu->dev;
+- u64 val = 0xabcd, val2 = 0, save_reg, save_src;
++ u64 val = 0xabcd, val2 = 0, save_reg = 0;
+
+ if (!iommu_feature(iommu, FEATURE_PC))
+ return;
+@@ -1687,39 +1686,17 @@ static void __init init_iommu_perf_ctr(struct amd_iommu *iommu)
+ amd_iommu_pc_present = true;
+
+ /* save the value to restore, if writable */
+- if (iommu_pc_get_set_reg(iommu, 0, 0, 0, &save_reg, false) ||
+- iommu_pc_get_set_reg(iommu, 0, 0, 8, &save_src, false))
+- goto pc_false;
+-
+- /*
+- * Disable power gating by programing the performance counter
+- * source to 20 (i.e. counts the reads and writes from/to IOMMU
+- * Reserved Register [MMIO Offset 1FF8h] that are ignored.),
+- * which never get incremented during this init phase.
+- * (Note: The event is also deprecated.)
+- */
+- val = 20;
+- if (iommu_pc_get_set_reg(iommu, 0, 0, 8, &val, true))
++ if (iommu_pc_get_set_reg(iommu, 0, 0, 0, &save_reg, false))
+ goto pc_false;
+
+ /* Check if the performance counters can be written to */
+- val = 0xabcd;
+- for (retry = 5; retry; retry--) {
+- if (iommu_pc_get_set_reg(iommu, 0, 0, 0, &val, true) ||
+- iommu_pc_get_set_reg(iommu, 0, 0, 0, &val2, false) ||
+- val2)
+- break;
+-
+- /* Wait about 20 msec for power gating to disable and retry. */
+- msleep(20);
+- }
+-
+- /* restore */
+- if (iommu_pc_get_set_reg(iommu, 0, 0, 0, &save_reg, true) ||
+- iommu_pc_get_set_reg(iommu, 0, 0, 8, &save_src, true))
++ if ((iommu_pc_get_set_reg(iommu, 0, 0, 0, &val, true)) ||
++ (iommu_pc_get_set_reg(iommu, 0, 0, 0, &val2, false)) ||
++ (val != val2))
+ goto pc_false;
+
+- if (val != val2)
++ /* restore */
++ if (iommu_pc_get_set_reg(iommu, 0, 0, 0, &save_reg, true))
+ goto pc_false;
+
+ pci_info(pdev, "IOMMU performance counters supported\n");
+--
+2.30.2
+
--- /dev/null
+From f73ec2d38e1cd858aebda08b4f32c0f7aafba66a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Apr 2021 14:25:22 +0530
+Subject: RISC-V: Fix error code returned by riscv_hartid_to_cpuid()
+
+From: Anup Patel <anup.patel@wdc.com>
+
+[ Upstream commit 533b4f3a789d49574e7ae0f6ececed153f651f97 ]
+
+We should return a negative error code upon failure in
+riscv_hartid_to_cpuid() instead of NR_CPUS. This is also
+aligned with all uses of riscv_hartid_to_cpuid() which
+expect negative error code upon failure.
+
+Fixes: 6825c7a80f18 ("RISC-V: Add logical CPU indexing for RISC-V")
+Fixes: f99fb607fb2b ("RISC-V: Use Linux logical CPU number instead of hartid")
+Signed-off-by: Anup Patel <anup.patel@wdc.com>
+Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/kernel/smp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/riscv/kernel/smp.c b/arch/riscv/kernel/smp.c
+index 5c9ec78422c2..098c04adbaaf 100644
+--- a/arch/riscv/kernel/smp.c
++++ b/arch/riscv/kernel/smp.c
+@@ -51,7 +51,7 @@ int riscv_hartid_to_cpuid(int hartid)
+ return i;
+
+ pr_err("Couldn't find cpu id for hartid [%d]\n", hartid);
+- return i;
++ return -ENOENT;
+ }
+
+ void riscv_cpuid_to_hartid_mask(const struct cpumask *in, struct cpumask *out)
+--
+2.30.2
+
--- /dev/null
+From 22329bf8dd856c67fbb7517cf5eb1f325e16e98b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 6 Mar 2021 05:36:24 -0800
+Subject: rpmsg: qcom_glink_native: fix error return code of
+ qcom_glink_rx_data()
+
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+
+[ Upstream commit 26594c6bbb60c6bc87e3762a86ceece57d164c66 ]
+
+When idr_find() returns NULL to intent, no error return code of
+qcom_glink_rx_data() is assigned.
+To fix this bug, ret is assigned with -ENOENT in this case.
+
+Fixes: 64f95f87920d ("rpmsg: glink: Use the local intents when receiving data")
+Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Link: https://lore.kernel.org/r/20210306133624.17237-1-baijiaju1990@gmail.com
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rpmsg/qcom_glink_native.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c
+index d5114abcde19..0f10b3f84705 100644
+--- a/drivers/rpmsg/qcom_glink_native.c
++++ b/drivers/rpmsg/qcom_glink_native.c
+@@ -857,6 +857,7 @@ static int qcom_glink_rx_data(struct qcom_glink *glink, size_t avail)
+ dev_err(glink->dev,
+ "no intent found for channel %s intent %d",
+ channel->name, liid);
++ ret = -ENOENT;
+ goto advance_rx;
+ }
+ }
+--
+2.30.2
+
--- /dev/null
+From 502dd1b5babbc3a74c1182a29c7ce7c2f7ae24fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Apr 2021 11:39:17 +0900
+Subject: rtc: ds1307: Fix wday settings for rx8130
+
+From: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
+
+[ Upstream commit 204756f016726a380bafe619438ed979088bd04a ]
+
+rx8130 wday specifies the bit position, not BCD.
+
+Fixes: ee0981be7704 ("rtc: ds1307: Add support for Epson RX8130CE")
+Signed-off-by: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Link: https://lore.kernel.org/r/20210420023917.1949066-1-nobuhiro1.iwamatsu@toshiba.co.jp
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-ds1307.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/rtc/rtc-ds1307.c b/drivers/rtc/rtc-ds1307.c
+index 1f7e8aefc1eb..99b93f56a2d5 100644
+--- a/drivers/rtc/rtc-ds1307.c
++++ b/drivers/rtc/rtc-ds1307.c
+@@ -265,7 +265,11 @@ static int ds1307_get_time(struct device *dev, struct rtc_time *t)
+ t->tm_min = bcd2bin(regs[DS1307_REG_MIN] & 0x7f);
+ tmp = regs[DS1307_REG_HOUR] & 0x3f;
+ t->tm_hour = bcd2bin(tmp);
+- t->tm_wday = bcd2bin(regs[DS1307_REG_WDAY] & 0x07) - 1;
++ /* rx8130 is bit position, not BCD */
++ if (ds1307->type == rx_8130)
++ t->tm_wday = fls(regs[DS1307_REG_WDAY] & 0x7f);
++ else
++ t->tm_wday = bcd2bin(regs[DS1307_REG_WDAY] & 0x07) - 1;
+ t->tm_mday = bcd2bin(regs[DS1307_REG_MDAY] & 0x3f);
+ tmp = regs[DS1307_REG_MONTH] & 0x1f;
+ t->tm_mon = bcd2bin(tmp) - 1;
+@@ -312,7 +316,11 @@ static int ds1307_set_time(struct device *dev, struct rtc_time *t)
+ regs[DS1307_REG_SECS] = bin2bcd(t->tm_sec);
+ regs[DS1307_REG_MIN] = bin2bcd(t->tm_min);
+ regs[DS1307_REG_HOUR] = bin2bcd(t->tm_hour);
+- regs[DS1307_REG_WDAY] = bin2bcd(t->tm_wday + 1);
++ /* rx8130 is bit position, not BCD */
++ if (ds1307->type == rx_8130)
++ regs[DS1307_REG_WDAY] = 1 << t->tm_wday;
++ else
++ regs[DS1307_REG_WDAY] = bin2bcd(t->tm_wday + 1);
+ regs[DS1307_REG_MDAY] = bin2bcd(t->tm_mday);
+ regs[DS1307_REG_MONTH] = bin2bcd(t->tm_mon + 1);
+
+--
+2.30.2
+
--- /dev/null
+From 1026edd6f1f9b79f7b753f7d6cbc9250df954353 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Apr 2021 10:40:06 +0200
+Subject: rtc: fsl-ftm-alarm: add MODULE_TABLE()
+
+From: Michael Walle <michael@walle.cc>
+
+[ Upstream commit 7fcb86185978661c9188397d474f90364745b8d9 ]
+
+The module doesn't load automatically. Fix it by adding the missing
+MODULE_TABLE().
+
+Fixes: 7b0b551dbc1e ("rtc: fsl-ftm-alarm: add FTM alarm driver")
+Signed-off-by: Michael Walle <michael@walle.cc>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Link: https://lore.kernel.org/r/20210414084006.17933-1-michael@walle.cc
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-fsl-ftm-alarm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/rtc/rtc-fsl-ftm-alarm.c b/drivers/rtc/rtc-fsl-ftm-alarm.c
+index 8df2075af9a2..835695bedaac 100644
+--- a/drivers/rtc/rtc-fsl-ftm-alarm.c
++++ b/drivers/rtc/rtc-fsl-ftm-alarm.c
+@@ -316,6 +316,7 @@ static const struct of_device_id ftm_rtc_match[] = {
+ { .compatible = "fsl,lx2160a-ftm-alarm", },
+ { },
+ };
++MODULE_DEVICE_TABLE(of, ftm_rtc_match);
+
+ static struct platform_driver ftm_rtc_driver = {
+ .probe = ftm_rtc_probe,
+--
+2.30.2
+
--- /dev/null
+From 30aec8ab097b785f9a58d0b56e47eb1ccbf37fdb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Apr 2021 23:48:03 +0800
+Subject: samples/bpf: Fix broken tracex1 due to kprobe argument change
+
+From: Yaqi Chen <chendotjs@gmail.com>
+
+[ Upstream commit 137733d08f4ab14a354dacaa9a8fc35217747605 ]
+
+>From commit c0bbbdc32feb ("__netif_receive_skb_core: pass skb by
+reference"), the first argument passed into __netif_receive_skb_core
+has changed to reference of a skb pointer.
+
+This commit fixes by using bpf_probe_read_kernel.
+
+Signed-off-by: Yaqi Chen <chendotjs@gmail.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Yonghong Song <yhs@fb.com>
+Link: https://lore.kernel.org/bpf/20210416154803.37157-1-chendotjs@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ samples/bpf/tracex1_kern.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/samples/bpf/tracex1_kern.c b/samples/bpf/tracex1_kern.c
+index 107da148820f..9c74b45c5720 100644
+--- a/samples/bpf/tracex1_kern.c
++++ b/samples/bpf/tracex1_kern.c
+@@ -20,7 +20,7 @@
+ SEC("kprobe/__netif_receive_skb_core")
+ int bpf_prog1(struct pt_regs *ctx)
+ {
+- /* attaches to kprobe netif_receive_skb,
++ /* attaches to kprobe __netif_receive_skb_core,
+ * looks for packets on loobpack device and prints them
+ */
+ char devname[IFNAMSIZ];
+@@ -29,7 +29,7 @@ int bpf_prog1(struct pt_regs *ctx)
+ int len;
+
+ /* non-portable! works for the given kernel only */
+- skb = (struct sk_buff *) PT_REGS_PARM1(ctx);
++ bpf_probe_read_kernel(&skb, sizeof(skb), (void *)PT_REGS_PARM1(ctx));
+ dev = _(skb->dev);
+ len = _(skb->len);
+
+--
+2.30.2
+
--- /dev/null
+From da1264ebef092b01974c4ca214928bdfb67b8ef2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 May 2021 16:19:50 +0200
+Subject: sched/fair: Fix unfairness caused by missing load decay
+
+From: Odin Ugedal <odin@uged.al>
+
+[ Upstream commit 0258bdfaff5bd13c4d2383150b7097aecd6b6d82 ]
+
+This fixes an issue where old load on a cfs_rq is not properly decayed,
+resulting in strange behavior where fairness can decrease drastically.
+Real workloads with equally weighted control groups have ended up
+getting a respective 99% and 1%(!!) of cpu time.
+
+When an idle task is attached to a cfs_rq by attaching a pid to a cgroup,
+the old load of the task is attached to the new cfs_rq and sched_entity by
+attach_entity_cfs_rq. If the task is then moved to another cpu (and
+therefore cfs_rq) before being enqueued/woken up, the load will be moved
+to cfs_rq->removed from the sched_entity. Such a move will happen when
+enforcing a cpuset on the task (eg. via a cgroup) that force it to move.
+
+The load will however not be removed from the task_group itself, making
+it look like there is a constant load on that cfs_rq. This causes the
+vruntime of tasks on other sibling cfs_rq's to increase faster than they
+are supposed to; causing severe fairness issues. If no other task is
+started on the given cfs_rq, and due to the cpuset it would not happen,
+this load would never be properly unloaded. With this patch the load
+will be properly removed inside update_blocked_averages. This also
+applies to tasks moved to the fair scheduling class and moved to another
+cpu, and this path will also fix that. For fork, the entity is queued
+right away, so this problem does not affect that.
+
+This applies to cases where the new process is the first in the cfs_rq,
+issue introduced 3d30544f0212 ("sched/fair: Apply more PELT fixes"), and
+when there has previously been load on the cgroup but the cgroup was
+removed from the leaflist due to having null PELT load, indroduced
+in 039ae8bcf7a5 ("sched/fair: Fix O(nr_cgroups) in the load balancing
+path").
+
+For a simple cgroup hierarchy (as seen below) with two equally weighted
+groups, that in theory should get 50/50 of cpu time each, it often leads
+to a load of 60/40 or 70/30.
+
+parent/
+ cg-1/
+ cpu.weight: 100
+ cpuset.cpus: 1
+ cg-2/
+ cpu.weight: 100
+ cpuset.cpus: 1
+
+If the hierarchy is deeper (as seen below), while keeping cg-1 and cg-2
+equally weighted, they should still get a 50/50 balance of cpu time.
+This however sometimes results in a balance of 10/90 or 1/99(!!) between
+the task groups.
+
+$ ps u -C stress
+USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
+root 18568 1.1 0.0 3684 100 pts/12 R+ 13:36 0:00 stress --cpu 1
+root 18580 99.3 0.0 3684 100 pts/12 R+ 13:36 0:09 stress --cpu 1
+
+parent/
+ cg-1/
+ cpu.weight: 100
+ sub-group/
+ cpu.weight: 1
+ cpuset.cpus: 1
+ cg-2/
+ cpu.weight: 100
+ sub-group/
+ cpu.weight: 10000
+ cpuset.cpus: 1
+
+This can be reproduced by attaching an idle process to a cgroup and
+moving it to a given cpuset before it wakes up. The issue is evident in
+many (if not most) container runtimes, and has been reproduced
+with both crun and runc (and therefore docker and all its "derivatives"),
+and with both cgroup v1 and v2.
+
+Fixes: 3d30544f0212 ("sched/fair: Apply more PELT fixes")
+Fixes: 039ae8bcf7a5 ("sched/fair: Fix O(nr_cgroups) in the load balancing path")
+Signed-off-by: Odin Ugedal <odin@uged.al>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Vincent Guittot <vincent.guittot@linaro.org>
+Link: https://lkml.kernel.org/r/20210501141950.23622-2-odin@uged.al
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/fair.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
+index 93ab546b6e16..092aa5e47251 100644
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -10146,16 +10146,22 @@ static void propagate_entity_cfs_rq(struct sched_entity *se)
+ {
+ struct cfs_rq *cfs_rq;
+
++ list_add_leaf_cfs_rq(cfs_rq_of(se));
++
+ /* Start to propagate at parent */
+ se = se->parent;
+
+ for_each_sched_entity(se) {
+ cfs_rq = cfs_rq_of(se);
+
+- if (cfs_rq_throttled(cfs_rq))
+- break;
++ if (!cfs_rq_throttled(cfs_rq)){
++ update_load_avg(cfs_rq, se, UPDATE_TG);
++ list_add_leaf_cfs_rq(cfs_rq);
++ continue;
++ }
+
+- update_load_avg(cfs_rq, se, UPDATE_TG);
++ if (list_add_leaf_cfs_rq(cfs_rq))
++ break;
+ }
+ }
+ #else
+--
+2.30.2
+
--- /dev/null
+From fb3df8439e4a5c561ba0e751e5127f86522e2faf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Apr 2021 15:14:12 +0000
+Subject: sched: Fix out-of-bound access in uclamp
+
+From: Quentin Perret <qperret@google.com>
+
+[ Upstream commit 6d2f8909a5fabb73fe2a63918117943986c39b6c ]
+
+Util-clamp places tasks in different buckets based on their clamp values
+for performance reasons. However, the size of buckets is currently
+computed using a rounding division, which can lead to an off-by-one
+error in some configurations.
+
+For instance, with 20 buckets, the bucket size will be 1024/20=51. A
+task with a clamp of 1024 will be mapped to bucket id 1024/51=20. Sadly,
+correct indexes are in range [0,19], hence leading to an out of bound
+memory access.
+
+Clamp the bucket id to fix the issue.
+
+Fixes: 69842cba9ace ("sched/uclamp: Add CPU's clamp buckets refcounting")
+Suggested-by: Qais Yousef <qais.yousef@arm.com>
+Signed-off-by: Quentin Perret <qperret@google.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Vincent Guittot <vincent.guittot@linaro.org>
+Reviewed-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
+Link: https://lkml.kernel.org/r/20210430151412.160913-1-qperret@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index 2ce61018e33b..a3e95d7779e1 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -820,7 +820,7 @@ DEFINE_STATIC_KEY_FALSE(sched_uclamp_used);
+
+ static inline unsigned int uclamp_bucket_id(unsigned int clamp_value)
+ {
+- return clamp_value / UCLAMP_BUCKET_DELTA;
++ return min_t(unsigned int, clamp_value / UCLAMP_BUCKET_DELTA, UCLAMP_BUCKETS - 1);
+ }
+
+ static inline unsigned int uclamp_bucket_base_value(unsigned int clamp_value)
+--
+2.30.2
+
--- /dev/null
+From fdd6355f9a7e15de948b5a0dbe7f751cbae76e6f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 May 2021 04:02:58 +0800
+Subject: sctp: do asoc update earlier in sctp_sf_do_dupcook_a
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 35b4f24415c854cd718ccdf38dbea6297f010aae ]
+
+There's a panic that occurs in a few of envs, the call trace is as below:
+
+ [] general protection fault, ... 0x29acd70f1000a: 0000 [#1] SMP PTI
+ [] RIP: 0010:sctp_ulpevent_notify_peer_addr_change+0x4b/0x1fa [sctp]
+ [] sctp_assoc_control_transport+0x1b9/0x210 [sctp]
+ [] sctp_do_8_2_transport_strike.isra.16+0x15c/0x220 [sctp]
+ [] sctp_cmd_interpreter.isra.21+0x1231/0x1a10 [sctp]
+ [] sctp_do_sm+0xc3/0x2a0 [sctp]
+ [] sctp_generate_timeout_event+0x81/0xf0 [sctp]
+
+This is caused by a transport use-after-free issue. When processing a
+duplicate COOKIE-ECHO chunk in sctp_sf_do_dupcook_a(), both COOKIE-ACK
+and SHUTDOWN chunks are allocated with the transort from the new asoc.
+However, later in the sideeffect machine, the old asoc is used to send
+them out and old asoc's shutdown_last_sent_to is set to the transport
+that SHUTDOWN chunk attached to in sctp_cmd_setup_t2(), which actually
+belongs to the new asoc. After the new_asoc is freed and the old asoc
+T2 timeout, the old asoc's shutdown_last_sent_to that is already freed
+would be accessed in sctp_sf_t2_timer_expire().
+
+Thanks Alexander and Jere for helping dig into this issue.
+
+To fix it, this patch is to do the asoc update first, then allocate
+the COOKIE-ACK and SHUTDOWN chunks with the 'updated' old asoc. This
+would make more sense, as a chunk from an asoc shouldn't be sent out
+with another asoc. We had fixed quite a few issues caused by this.
+
+Fixes: 145cb2f7177d ("sctp: Fix bundling of SHUTDOWN with COOKIE-ACK")
+Reported-by: Alexander Sverdlin <alexander.sverdlin@nokia.com>
+Reported-by: syzbot+bbe538efd1046586f587@syzkaller.appspotmail.com
+Reported-by: Michal Tesar <mtesar@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/sm_statefuns.c | 25 ++++++++++++++++++++-----
+ 1 file changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
+index 84138a07e936..72e4eaffacdb 100644
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -1841,20 +1841,35 @@ static enum sctp_disposition sctp_sf_do_dupcook_a(
+ SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
+ sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_ASCONF_QUEUE, SCTP_NULL());
+
+- repl = sctp_make_cookie_ack(new_asoc, chunk);
++ /* Update the content of current association. */
++ if (sctp_assoc_update((struct sctp_association *)asoc, new_asoc)) {
++ struct sctp_chunk *abort;
++
++ abort = sctp_make_abort(asoc, NULL, sizeof(struct sctp_errhdr));
++ if (abort) {
++ sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0);
++ sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
++ }
++ sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNABORTED));
++ sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
++ SCTP_PERR(SCTP_ERROR_RSRC_LOW));
++ SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
++ SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
++ goto nomem;
++ }
++
++ repl = sctp_make_cookie_ack(asoc, chunk);
+ if (!repl)
+ goto nomem;
+
+ /* Report association restart to upper layer. */
+ ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0,
+- new_asoc->c.sinit_num_ostreams,
+- new_asoc->c.sinit_max_instreams,
++ asoc->c.sinit_num_ostreams,
++ asoc->c.sinit_max_instreams,
+ NULL, GFP_ATOMIC);
+ if (!ev)
+ goto nomem_ev;
+
+- /* Update the content of current association. */
+- sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
+ sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
+ if ((sctp_state(asoc, SHUTDOWN_PENDING) ||
+ sctp_state(asoc, SHUTDOWN_SENT)) &&
+--
+2.30.2
+
--- /dev/null
+From d16f5b23e2de79cb7a01041e31479871790efbd0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 May 2021 04:41:20 +0800
+Subject: sctp: fix a SCTP_MIB_CURRESTAB leak in sctp_sf_do_dupcook_b
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit f282df0391267fb2b263da1cc3233aa6fb81defc ]
+
+Normally SCTP_MIB_CURRESTAB is always incremented once asoc enter into
+ESTABLISHED from the state < ESTABLISHED and decremented when the asoc
+is being deleted.
+
+However, in sctp_sf_do_dupcook_b(), the asoc's state can be changed to
+ESTABLISHED from the state >= ESTABLISHED where it shouldn't increment
+SCTP_MIB_CURRESTAB. Otherwise, one asoc may increment MIB_CURRESTAB
+multiple times but only decrement once at the end.
+
+I was able to reproduce it by using scapy to do the 4-way shakehands,
+after that I replayed the COOKIE-ECHO chunk with 'peer_vtag' field
+changed to different values, and SCTP_MIB_CURRESTAB was incremented
+multiple times and never went back to 0 even when the asoc was freed.
+
+This patch is to fix it by only incrementing SCTP_MIB_CURRESTAB when
+the state < ESTABLISHED in sctp_sf_do_dupcook_b().
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/sm_statefuns.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
+index 72e4eaffacdb..82a202d71a31 100644
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -1933,7 +1933,8 @@ static enum sctp_disposition sctp_sf_do_dupcook_b(
+ sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
+ sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
+ SCTP_STATE(SCTP_STATE_ESTABLISHED));
+- SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
++ if (asoc->state < SCTP_STATE_ESTABLISHED)
++ SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
+ sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
+
+ repl = sctp_make_cookie_ack(new_asoc, chunk);
+--
+2.30.2
+
--- /dev/null
+From 2d5218f2f21cdb988f0bef2c2260260dcf3e8e00 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Apr 2021 14:12:36 -0500
+Subject: sctp: Fix out-of-bounds warning in sctp_process_asconf_param()
+
+From: Gustavo A. R. Silva <gustavoars@kernel.org>
+
+[ Upstream commit e5272ad4aab347dde5610c0aedb786219e3ff793 ]
+
+Fix the following out-of-bounds warning:
+
+net/sctp/sm_make_chunk.c:3150:4: warning: 'memcpy' offset [17, 28] from the object at 'addr' is out of the bounds of referenced subobject 'v4' with type 'struct sockaddr_in' at offset 0 [-Warray-bounds]
+
+This helps with the ongoing efforts to globally enable -Warray-bounds
+and get us closer to being able to tighten the FORTIFY_SOURCE routines
+on memcpy().
+
+Link: https://github.com/KSPP/linux/issues/109
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/sm_make_chunk.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
+index d5eda966a706..4ffb9116b6f2 100644
+--- a/net/sctp/sm_make_chunk.c
++++ b/net/sctp/sm_make_chunk.c
+@@ -3134,7 +3134,7 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc,
+ * primary.
+ */
+ if (af->is_any(&addr))
+- memcpy(&addr.v4, sctp_source(asconf), sizeof(addr));
++ memcpy(&addr, sctp_source(asconf), sizeof(addr));
+
+ if (security_sctp_bind_connect(asoc->ep->base.sk,
+ SCTP_PARAM_SET_PRIMARY,
+--
+2.30.2
+
--- /dev/null
+From 84c1a804b3023ff91163b1e7414c21b77841d71e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Apr 2021 08:34:13 -0700
+Subject: selftests: Set CC to clang in lib.mk if LLVM is set
+
+From: Yonghong Song <yhs@fb.com>
+
+[ Upstream commit 26e6dd1072763cd5696b75994c03982dde952ad9 ]
+
+selftests/bpf/Makefile includes lib.mk. With the following command
+ make -j60 LLVM=1 LLVM_IAS=1 <=== compile kernel
+ make -j60 -C tools/testing/selftests/bpf LLVM=1 LLVM_IAS=1 V=1
+some files are still compiled with gcc. This patch
+fixed lib.mk issue which sets CC to gcc in all cases.
+
+Signed-off-by: Yonghong Song <yhs@fb.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20210413153413.3027426-1-yhs@fb.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/lib.mk | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/tools/testing/selftests/lib.mk b/tools/testing/selftests/lib.mk
+index 3ed0134a764d..67386aa3f31d 100644
+--- a/tools/testing/selftests/lib.mk
++++ b/tools/testing/selftests/lib.mk
+@@ -1,6 +1,10 @@
+ # This mimics the top-level Makefile. We do it explicitly here so that this
+ # Makefile can operate with or without the kbuild infrastructure.
++ifneq ($(LLVM),)
++CC := clang
++else
+ CC := $(CROSS_COMPILE)gcc
++endif
+
+ ifeq (0,$(MAKELEVEL))
+ ifeq ($(OUTPUT),)
+--
+2.30.2
+
tpm-tpm_tis-reserve-locality-in-tpm_tis_resume.patch
kvm-x86-mmu-remove-the-defunct-update_pte-paging-hook.patch
pm-runtime-fix-unpaired-parent-child_count-for-force_resume.patch
+fs-dlm-fix-debugfs-dump.patch
+tipc-convert-dest-node-s-address-to-network-order.patch
+asoc-intel-bytcr_rt5640-enable-jack-detect-support-o.patch
+net-stmmac-set-fifo-sizes-for-ipq806x.patch
+asoc-rsnd-core-check-convert-rate-in-rsnd_hw_params.patch
+i2c-bail-out-early-when-rdwr-parameters-are-wrong.patch
+alsa-hdsp-don-t-disable-if-not-enabled.patch
+alsa-hdspm-don-t-disable-if-not-enabled.patch
+alsa-rme9652-don-t-disable-if-not-enabled.patch
+alsa-bebob-enable-to-deliver-midi-messages-for-multi.patch
+bluetooth-set-conf_not_complete-as-l2cap_chan-defaul.patch
+bluetooth-initialize-skb_queue_head-at-l2cap_chan_cr.patch
+net-bridge-when-suppression-is-enabled-exclude-rarp-.patch
+bluetooth-check-for-zapped-sk-before-connecting.patch
+ip6_vti-proper-dev_-hold-put-in-ndo_-un-init-methods.patch
+asoc-intel-bytcr_rt5640-add-quirk-for-the-chuwi-hi8-.patch
+i2c-add-i2c_aq_no_rep_start-adapter-quirk.patch
+mac80211-clear-the-beacon-s-crc-after-channel-switch.patch
+pinctrl-samsung-use-int-for-register-masks-in-exynos.patch
+mt76-mt76x0-disable-gtk-offloading.patch
+cuse-prevent-clone.patch
+asoc-rsnd-call-rsnd_ssi_master_clk_start-from-rsnd_s.patch
+revert-iommu-amd-fix-performance-counter-initializat.patch
+iommu-amd-remove-performance-counter-pre-initializat.patch
+drm-amd-display-force-vsync-flip-when-reconfiguring-.patch
+selftests-set-cc-to-clang-in-lib.mk-if-llvm-is-set.patch
+kconfig-nconf-stop-endless-search-loops.patch
+alsa-hda-hdmi-fix-race-in-handling-acomp-eld-notific.patch
+sctp-fix-out-of-bounds-warning-in-sctp_process_ascon.patch
+flow_dissector-fix-out-of-bounds-warning-in-__skb_fl.patch
+powerpc-smp-set-numa-node-before-updating-mask.patch
+asoc-rt286-generalize-support-for-alc3263-codec.patch
+ethtool-ioctl-fix-out-of-bounds-warning-in-store_lin.patch
+net-sched-tapr-prevent-cycle_time-0-in-parse_taprio_.patch
+samples-bpf-fix-broken-tracex1-due-to-kprobe-argumen.patch
+powerpc-pseries-stop-calling-printk-in-rtas_stop_sel.patch
+drm-amd-display-fixed-divide-by-zero-kernel-crash-du.patch
+wl3501_cs-fix-out-of-bounds-warnings-in-wl3501_send_.patch
+wl3501_cs-fix-out-of-bounds-warnings-in-wl3501_mgmt_.patch
+qtnfmac-fix-possible-buffer-overflow-in-qtnf_event_h.patch
+powerpc-iommu-annotate-nested-lock-for-lockdep.patch
+iavf-remove-duplicate-free-resources-calls.patch
+net-ethernet-mtk_eth_soc-fix-rx-vlan-offload.patch
+bnxt_en-add-pci-ids-for-hyper-v-vf-devices.patch
+ia64-module-fix-symbolizer-crash-on-fdescr.patch
+asoc-rt286-make-rt286_set_gpio_-readable-and-writabl.patch
+thermal-thermal_of-fix-error-return-code-of-thermal_.patch
+f2fs-fix-a-redundant-call-to-f2fs_balance_fs-if-an-e.patch
+pci-iproc-fix-return-value-of-iproc_msi_irq_domain_a.patch
+pci-release-of-node-in-pci_scan_device-s-error-path.patch
+arm-9064-1-hw_breakpoint-do-not-directly-check-the-e.patch
+rpmsg-qcom_glink_native-fix-error-return-code-of-qco.patch
+nfsv4.2-always-flush-out-writes-in-nfs42_proc_falloc.patch
+nfs-deal-correctly-with-attribute-generation-counter.patch
+pci-endpoint-fix-missing-destroy_workqueue.patch
+pnfs-flexfiles-fix-incorrect-size-check-in-decode_nf.patch
+nfsv4.2-fix-handling-of-sr_eof-in-seek-s-reply.patch
+rtc-fsl-ftm-alarm-add-module_table.patch
+ceph-fix-inode-leak-on-getattr-error-in-__fh_to_dent.patch
+rtc-ds1307-fix-wday-settings-for-rx8130.patch
+net-hns3-fix-incorrect-configuration-for-igu_egu_hw_.patch
+net-hns3-initialize-the-message-content-in-hclge_get.patch
+net-hns3-add-check-for-hns3_nic_state_inited-in-hns3.patch
+net-hns3-fix-for-vxlan-gpe-tx-checksum-bug.patch
+net-hns3-use-netif_tx_disable-to-stop-the-transmit-q.patch
+net-hns3-disable-phy-loopback-setting-in-hclge_mac_s.patch
+sctp-do-asoc-update-earlier-in-sctp_sf_do_dupcook_a.patch
+risc-v-fix-error-code-returned-by-riscv_hartid_to_cp.patch
+sunrpc-fix-misplaced-barrier-in-call_decode.patch
+ethernet-enic-fix-a-use-after-free-bug-in-enic_hard_.patch
+sctp-fix-a-sctp_mib_currestab-leak-in-sctp_sf_do_dup.patch
+netfilter-xt_secmark-add-new-revision-to-fix-structu.patch
+drm-radeon-fix-off-by-one-power_state-index-heap-ove.patch
+drm-radeon-avoid-power-table-parsing-memory-leaks.patch
+khugepaged-fix-wrong-result-value-for-trace_mm_colla.patch
+mm-hugeltb-handle-the-error-case-in-hugetlb_fix_rese.patch
+mm-migrate.c-fix-potential-indeterminate-pte-entry-i.patch
+ksm-fix-potential-missing-rmap_item-for-stable_node.patch
+net-fix-nla_strcmp-to-handle-more-then-one-trailing-.patch
+smc-disallow-tcp_ulp-in-smc_setsockopt.patch
+netfilter-nfnetlink_osf-fix-a-missing-skb_header_poi.patch
+can-m_can-m_can_tx_work_queue-fix-tx_skb-race-condit.patch
+sched-fix-out-of-bound-access-in-uclamp.patch
+sched-fair-fix-unfairness-caused-by-missing-load-dec.patch
+kernel-kexec_file-fix-error-return-code-of-kexec_cal.patch
+netfilter-nftables-avoid-overflows-in-nft_hash_bucke.patch
+i40e-fix-use-after-free-in-i40e_client_subtask.patch
+i40e-fix-the-restart-auto-negotiation-after-fec-modi.patch
+i40e-fix-phy-type-identifiers-for-2.5g-and-5g-adapte.patch
--- /dev/null
+From e3625a14ce2c8c8d324e72c1bb9151a7708d461c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 May 2021 12:40:48 -0700
+Subject: smc: disallow TCP_ULP in smc_setsockopt()
+
+From: Cong Wang <cong.wang@bytedance.com>
+
+[ Upstream commit 8621436671f3a4bba5db57482e1ee604708bf1eb ]
+
+syzbot is able to setup kTLS on an SMC socket which coincidentally
+uses sk_user_data too. Later, kTLS treats it as psock so triggers a
+refcnt warning. The root cause is that smc_setsockopt() simply calls
+TCP setsockopt() which includes TCP_ULP. I do not think it makes
+sense to setup kTLS on top of SMC sockets, so we should just disallow
+this setup.
+
+It is hard to find a commit to blame, but we can apply this patch
+since the beginning of TCP_ULP.
+
+Reported-and-tested-by: syzbot+b54a1ce86ba4a623b7f0@syzkaller.appspotmail.com
+Fixes: 734942cc4ea6 ("tcp: ULP infrastructure")
+Cc: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Karsten Graul <kgraul@linux.ibm.com>
+Signed-off-by: Cong Wang <cong.wang@bytedance.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/af_smc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
+index dc09a72f8110..51986f7ead81 100644
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -1709,6 +1709,9 @@ static int smc_setsockopt(struct socket *sock, int level, int optname,
+ struct smc_sock *smc;
+ int val, rc;
+
++ if (level == SOL_TCP && optname == TCP_ULP)
++ return -EOPNOTSUPP;
++
+ smc = smc_sk(sk);
+
+ /* generic setsockopts reaching us here always apply to the
+@@ -1730,7 +1733,6 @@ static int smc_setsockopt(struct socket *sock, int level, int optname,
+ if (rc || smc->use_fallback)
+ goto out;
+ switch (optname) {
+- case TCP_ULP:
+ case TCP_FASTOPEN:
+ case TCP_FASTOPEN_CONNECT:
+ case TCP_FASTOPEN_KEY:
+--
+2.30.2
+
--- /dev/null
+From d34390948374f5671720d840b14d29a0e98fe209 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 May 2021 14:10:51 +1000
+Subject: sunrpc: Fix misplaced barrier in call_decode
+
+From: Baptiste Lepers <baptiste.lepers@gmail.com>
+
+[ Upstream commit f8f7e0fb22b2e75be55f2f0c13e229e75b0eac07 ]
+
+Fix a misplaced barrier in call_decode. The struct rpc_rqst is modified
+as follows by xprt_complete_rqst:
+
+req->rq_private_buf.len = copied;
+/* Ensure all writes are done before we update */
+/* req->rq_reply_bytes_recvd */
+smp_wmb();
+req->rq_reply_bytes_recvd = copied;
+
+And currently read as follows by call_decode:
+
+smp_rmb(); // misplaced
+if (!req->rq_reply_bytes_recvd)
+ goto out;
+req->rq_rcv_buf.len = req->rq_private_buf.len;
+
+This patch places the smp_rmb after the if to ensure that
+rq_reply_bytes_recvd and rq_private_buf.len are read in order.
+
+Fixes: 9ba828861c56a ("SUNRPC: Don't try to parse incomplete RPC messages")
+Signed-off-by: Baptiste Lepers <baptiste.lepers@gmail.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sunrpc/clnt.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c
+index f1088ca39d44..b6039642df67 100644
+--- a/net/sunrpc/clnt.c
++++ b/net/sunrpc/clnt.c
+@@ -2505,12 +2505,6 @@ call_decode(struct rpc_task *task)
+ task->tk_flags &= ~RPC_CALL_MAJORSEEN;
+ }
+
+- /*
+- * Ensure that we see all writes made by xprt_complete_rqst()
+- * before it changed req->rq_reply_bytes_recvd.
+- */
+- smp_rmb();
+-
+ /*
+ * Did we ever call xprt_complete_rqst()? If not, we should assume
+ * the message is incomplete.
+@@ -2519,6 +2513,11 @@ call_decode(struct rpc_task *task)
+ if (!req->rq_reply_bytes_recvd)
+ goto out;
+
++ /* Ensure that we see all writes made by xprt_complete_rqst()
++ * before it changed req->rq_reply_bytes_recvd.
++ */
++ smp_rmb();
++
+ req->rq_rcv_buf.len = req->rq_private_buf.len;
+
+ /* Check that the softirq receive buffer is valid */
+--
+2.30.2
+
--- /dev/null
+From 255918129d51c48f7d36f963a0c23dfc6a6adbd2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Mar 2021 04:24:23 -0800
+Subject: thermal: thermal_of: Fix error return code of
+ thermal_of_populate_bind_params()
+
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+
+[ Upstream commit 45c7eaeb29d67224db4ba935deb575586a1fda09 ]
+
+When kcalloc() returns NULL to __tcbp or of_count_phandle_with_args()
+returns zero or -ENOENT to count, no error return code of
+thermal_of_populate_bind_params() is assigned.
+To fix these bugs, ret is assigned with -ENOMEM and -ENOENT in these
+cases, respectively.
+
+Fixes: a92bab8919e3 ("of: thermal: Allow multiple devices to share cooling map")
+Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Link: https://lore.kernel.org/r/20210310122423.3266-1-baijiaju1990@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/of-thermal.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/thermal/of-thermal.c b/drivers/thermal/of-thermal.c
+index dc5093be553e..68d0c181ec7b 100644
+--- a/drivers/thermal/of-thermal.c
++++ b/drivers/thermal/of-thermal.c
+@@ -712,14 +712,17 @@ static int thermal_of_populate_bind_params(struct device_node *np,
+
+ count = of_count_phandle_with_args(np, "cooling-device",
+ "#cooling-cells");
+- if (!count) {
++ if (count <= 0) {
+ pr_err("Add a cooling_device property with at least one device\n");
++ ret = -ENOENT;
+ goto end;
+ }
+
+ __tcbp = kcalloc(count, sizeof(*__tcbp), GFP_KERNEL);
+- if (!__tcbp)
++ if (!__tcbp) {
++ ret = -ENOMEM;
+ goto end;
++ }
+
+ for (i = 0; i < count; i++) {
+ ret = of_parse_phandle_with_args(np, "cooling-device",
+--
+2.30.2
+
--- /dev/null
+From 1ea2ce82b5c70ca7311f960e13967845495658d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Mar 2021 10:33:22 +0700
+Subject: tipc: convert dest node's address to network order
+
+From: Hoang Le <hoang.h.le@dektech.com.au>
+
+[ Upstream commit 1980d37565061ab44bdc2f9e4da477d3b9752e81 ]
+
+(struct tipc_link_info)->dest is in network order (__be32), so we must
+convert the value to network order before assigning. The problem detected
+by sparse:
+
+net/tipc/netlink_compat.c:699:24: warning: incorrect type in assignment (different base types)
+net/tipc/netlink_compat.c:699:24: expected restricted __be32 [usertype] dest
+net/tipc/netlink_compat.c:699:24: got int
+
+Acked-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Hoang Le <hoang.h.le@dektech.com.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/netlink_compat.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
+index 11be9a84f8de..561ea834f732 100644
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -673,7 +673,7 @@ static int tipc_nl_compat_link_dump(struct tipc_nl_compat_msg *msg,
+ if (err)
+ return err;
+
+- link_info.dest = nla_get_flag(link[TIPC_NLA_LINK_DEST]);
++ link_info.dest = htonl(nla_get_flag(link[TIPC_NLA_LINK_DEST]));
+ link_info.up = htonl(nla_get_flag(link[TIPC_NLA_LINK_UP]));
+ nla_strlcpy(link_info.str, link[TIPC_NLA_LINK_NAME],
+ TIPC_MAX_LINK_NAME);
+--
+2.30.2
+
--- /dev/null
+From f6990f8069e6214c1b94fdd042572cc11258f531 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Apr 2021 18:45:15 -0500
+Subject: wl3501_cs: Fix out-of-bounds warnings in wl3501_mgmt_join
+
+From: Gustavo A. R. Silva <gustavoars@kernel.org>
+
+[ Upstream commit bb43e5718d8f1b46e7a77e7b39be3c691f293050 ]
+
+Fix the following out-of-bounds warnings by adding a new structure
+wl3501_req instead of duplicating the same members in structure
+wl3501_join_req and wl3501_scan_confirm:
+
+arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [39, 108] from the object at 'sig' is out of the bounds of referenced subobject 'beacon_period' with type 'short unsigned int' at offset 36 [-Warray-bounds]
+arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [25, 95] from the object at 'sig' is out of the bounds of referenced subobject 'beacon_period' with type 'short unsigned int' at offset 22 [-Warray-bounds]
+
+Refactor the code, accordingly:
+
+$ pahole -C wl3501_req drivers/net/wireless/wl3501_cs.o
+struct wl3501_req {
+ u16 beacon_period; /* 0 2 */
+ u16 dtim_period; /* 2 2 */
+ u16 cap_info; /* 4 2 */
+ u8 bss_type; /* 6 1 */
+ u8 bssid[6]; /* 7 6 */
+ struct iw_mgmt_essid_pset ssid; /* 13 34 */
+ struct iw_mgmt_ds_pset ds_pset; /* 47 3 */
+ struct iw_mgmt_cf_pset cf_pset; /* 50 8 */
+ struct iw_mgmt_ibss_pset ibss_pset; /* 58 4 */
+ struct iw_mgmt_data_rset bss_basic_rset; /* 62 10 */
+
+ /* size: 72, cachelines: 2, members: 10 */
+ /* last cacheline: 8 bytes */
+};
+
+$ pahole -C wl3501_join_req drivers/net/wireless/wl3501_cs.o
+struct wl3501_join_req {
+ u16 next_blk; /* 0 2 */
+ u8 sig_id; /* 2 1 */
+ u8 reserved; /* 3 1 */
+ struct iw_mgmt_data_rset operational_rset; /* 4 10 */
+ u16 reserved2; /* 14 2 */
+ u16 timeout; /* 16 2 */
+ u16 probe_delay; /* 18 2 */
+ u8 timestamp[8]; /* 20 8 */
+ u8 local_time[8]; /* 28 8 */
+ struct wl3501_req req; /* 36 72 */
+
+ /* size: 108, cachelines: 2, members: 10 */
+ /* last cacheline: 44 bytes */
+};
+
+$ pahole -C wl3501_scan_confirm drivers/net/wireless/wl3501_cs.o
+struct wl3501_scan_confirm {
+ u16 next_blk; /* 0 2 */
+ u8 sig_id; /* 2 1 */
+ u8 reserved; /* 3 1 */
+ u16 status; /* 4 2 */
+ char timestamp[8]; /* 6 8 */
+ char localtime[8]; /* 14 8 */
+ struct wl3501_req req; /* 22 72 */
+ /* --- cacheline 1 boundary (64 bytes) was 30 bytes ago --- */
+ u8 rssi; /* 94 1 */
+
+ /* size: 96, cachelines: 2, members: 8 */
+ /* padding: 1 */
+ /* last cacheline: 32 bytes */
+};
+
+The problem is that the original code is trying to copy data into a
+bunch of struct members adjacent to each other in a single call to
+memcpy(). Now that a new struct wl3501_req enclosing all those adjacent
+members is introduced, memcpy() doesn't overrun the length of
+&sig.beacon_period and &this->bss_set[i].beacon_period, because the
+address of the new struct object _req_ is used as the destination,
+instead.
+
+This helps with the ongoing efforts to globally enable -Warray-bounds
+and get us closer to being able to tighten the FORTIFY_SOURCE routines
+on memcpy().
+
+Link: https://github.com/KSPP/linux/issues/109
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/1fbaf516da763b50edac47d792a9145aa4482e29.1618442265.git.gustavoars@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/wl3501.h | 35 +++++++++++--------------
+ drivers/net/wireless/wl3501_cs.c | 44 +++++++++++++++++---------------
+ 2 files changed, 38 insertions(+), 41 deletions(-)
+
+diff --git a/drivers/net/wireless/wl3501.h b/drivers/net/wireless/wl3501.h
+index 077a934ae3b5..a10ee5a68012 100644
+--- a/drivers/net/wireless/wl3501.h
++++ b/drivers/net/wireless/wl3501.h
+@@ -379,16 +379,7 @@ struct wl3501_get_confirm {
+ u8 mib_value[100];
+ };
+
+-struct wl3501_join_req {
+- u16 next_blk;
+- u8 sig_id;
+- u8 reserved;
+- struct iw_mgmt_data_rset operational_rset;
+- u16 reserved2;
+- u16 timeout;
+- u16 probe_delay;
+- u8 timestamp[8];
+- u8 local_time[8];
++struct wl3501_req {
+ u16 beacon_period;
+ u16 dtim_period;
+ u16 cap_info;
+@@ -401,6 +392,19 @@ struct wl3501_join_req {
+ struct iw_mgmt_data_rset bss_basic_rset;
+ };
+
++struct wl3501_join_req {
++ u16 next_blk;
++ u8 sig_id;
++ u8 reserved;
++ struct iw_mgmt_data_rset operational_rset;
++ u16 reserved2;
++ u16 timeout;
++ u16 probe_delay;
++ u8 timestamp[8];
++ u8 local_time[8];
++ struct wl3501_req req;
++};
++
+ struct wl3501_join_confirm {
+ u16 next_blk;
+ u8 sig_id;
+@@ -443,16 +447,7 @@ struct wl3501_scan_confirm {
+ u16 status;
+ char timestamp[8];
+ char localtime[8];
+- u16 beacon_period;
+- u16 dtim_period;
+- u16 cap_info;
+- u8 bss_type;
+- u8 bssid[ETH_ALEN];
+- struct iw_mgmt_essid_pset ssid;
+- struct iw_mgmt_ds_pset ds_pset;
+- struct iw_mgmt_cf_pset cf_pset;
+- struct iw_mgmt_ibss_pset ibss_pset;
+- struct iw_mgmt_data_rset bss_basic_rset;
++ struct wl3501_req req;
+ u8 rssi;
+ };
+
+diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c
+index 96eb69678855..122d36439319 100644
+--- a/drivers/net/wireless/wl3501_cs.c
++++ b/drivers/net/wireless/wl3501_cs.c
+@@ -590,7 +590,7 @@ static int wl3501_mgmt_join(struct wl3501_card *this, u16 stas)
+ struct wl3501_join_req sig = {
+ .sig_id = WL3501_SIG_JOIN_REQ,
+ .timeout = 10,
+- .ds_pset = {
++ .req.ds_pset = {
+ .el = {
+ .id = IW_MGMT_INFO_ELEMENT_DS_PARAMETER_SET,
+ .len = 1,
+@@ -599,7 +599,7 @@ static int wl3501_mgmt_join(struct wl3501_card *this, u16 stas)
+ },
+ };
+
+- memcpy(&sig.beacon_period, &this->bss_set[stas].beacon_period, 72);
++ memcpy(&sig.req, &this->bss_set[stas].req, sizeof(sig.req));
+ return wl3501_esbq_exec(this, &sig, sizeof(sig));
+ }
+
+@@ -667,35 +667,37 @@ static void wl3501_mgmt_scan_confirm(struct wl3501_card *this, u16 addr)
+ if (sig.status == WL3501_STATUS_SUCCESS) {
+ pr_debug("success");
+ if ((this->net_type == IW_MODE_INFRA &&
+- (sig.cap_info & WL3501_MGMT_CAPABILITY_ESS)) ||
++ (sig.req.cap_info & WL3501_MGMT_CAPABILITY_ESS)) ||
+ (this->net_type == IW_MODE_ADHOC &&
+- (sig.cap_info & WL3501_MGMT_CAPABILITY_IBSS)) ||
++ (sig.req.cap_info & WL3501_MGMT_CAPABILITY_IBSS)) ||
+ this->net_type == IW_MODE_AUTO) {
+ if (!this->essid.el.len)
+ matchflag = 1;
+ else if (this->essid.el.len == 3 &&
+ !memcmp(this->essid.essid, "ANY", 3))
+ matchflag = 1;
+- else if (this->essid.el.len != sig.ssid.el.len)
++ else if (this->essid.el.len != sig.req.ssid.el.len)
+ matchflag = 0;
+- else if (memcmp(this->essid.essid, sig.ssid.essid,
++ else if (memcmp(this->essid.essid, sig.req.ssid.essid,
+ this->essid.el.len))
+ matchflag = 0;
+ else
+ matchflag = 1;
+ if (matchflag) {
+ for (i = 0; i < this->bss_cnt; i++) {
+- if (ether_addr_equal_unaligned(this->bss_set[i].bssid, sig.bssid)) {
++ if (ether_addr_equal_unaligned(this->bss_set[i].req.bssid,
++ sig.req.bssid)) {
+ matchflag = 0;
+ break;
+ }
+ }
+ }
+ if (matchflag && (i < 20)) {
+- memcpy(&this->bss_set[i].beacon_period,
+- &sig.beacon_period, 73);
++ memcpy(&this->bss_set[i].req,
++ &sig.req, sizeof(sig.req));
+ this->bss_cnt++;
+ this->rssi = sig.rssi;
++ this->bss_set[i].rssi = sig.rssi;
+ }
+ }
+ } else if (sig.status == WL3501_STATUS_TIMEOUT) {
+@@ -887,19 +889,19 @@ static void wl3501_mgmt_join_confirm(struct net_device *dev, u16 addr)
+ if (this->join_sta_bss < this->bss_cnt) {
+ const int i = this->join_sta_bss;
+ memcpy(this->bssid,
+- this->bss_set[i].bssid, ETH_ALEN);
+- this->chan = this->bss_set[i].ds_pset.chan;
++ this->bss_set[i].req.bssid, ETH_ALEN);
++ this->chan = this->bss_set[i].req.ds_pset.chan;
+ iw_copy_mgmt_info_element(&this->keep_essid.el,
+- &this->bss_set[i].ssid.el);
++ &this->bss_set[i].req.ssid.el);
+ wl3501_mgmt_auth(this);
+ }
+ } else {
+ const int i = this->join_sta_bss;
+
+- memcpy(&this->bssid, &this->bss_set[i].bssid, ETH_ALEN);
+- this->chan = this->bss_set[i].ds_pset.chan;
++ memcpy(&this->bssid, &this->bss_set[i].req.bssid, ETH_ALEN);
++ this->chan = this->bss_set[i].req.ds_pset.chan;
+ iw_copy_mgmt_info_element(&this->keep_essid.el,
+- &this->bss_set[i].ssid.el);
++ &this->bss_set[i].req.ssid.el);
+ wl3501_online(dev);
+ }
+ } else {
+@@ -1575,30 +1577,30 @@ static int wl3501_get_scan(struct net_device *dev, struct iw_request_info *info,
+ for (i = 0; i < this->bss_cnt; ++i) {
+ iwe.cmd = SIOCGIWAP;
+ iwe.u.ap_addr.sa_family = ARPHRD_ETHER;
+- memcpy(iwe.u.ap_addr.sa_data, this->bss_set[i].bssid, ETH_ALEN);
++ memcpy(iwe.u.ap_addr.sa_data, this->bss_set[i].req.bssid, ETH_ALEN);
+ current_ev = iwe_stream_add_event(info, current_ev,
+ extra + IW_SCAN_MAX_DATA,
+ &iwe, IW_EV_ADDR_LEN);
+ iwe.cmd = SIOCGIWESSID;
+ iwe.u.data.flags = 1;
+- iwe.u.data.length = this->bss_set[i].ssid.el.len;
++ iwe.u.data.length = this->bss_set[i].req.ssid.el.len;
+ current_ev = iwe_stream_add_point(info, current_ev,
+ extra + IW_SCAN_MAX_DATA,
+ &iwe,
+- this->bss_set[i].ssid.essid);
++ this->bss_set[i].req.ssid.essid);
+ iwe.cmd = SIOCGIWMODE;
+- iwe.u.mode = this->bss_set[i].bss_type;
++ iwe.u.mode = this->bss_set[i].req.bss_type;
+ current_ev = iwe_stream_add_event(info, current_ev,
+ extra + IW_SCAN_MAX_DATA,
+ &iwe, IW_EV_UINT_LEN);
+ iwe.cmd = SIOCGIWFREQ;
+- iwe.u.freq.m = this->bss_set[i].ds_pset.chan;
++ iwe.u.freq.m = this->bss_set[i].req.ds_pset.chan;
+ iwe.u.freq.e = 0;
+ current_ev = iwe_stream_add_event(info, current_ev,
+ extra + IW_SCAN_MAX_DATA,
+ &iwe, IW_EV_FREQ_LEN);
+ iwe.cmd = SIOCGIWENCODE;
+- if (this->bss_set[i].cap_info & WL3501_MGMT_CAPABILITY_PRIVACY)
++ if (this->bss_set[i].req.cap_info & WL3501_MGMT_CAPABILITY_PRIVACY)
+ iwe.u.data.flags = IW_ENCODE_ENABLED | IW_ENCODE_NOKEY;
+ else
+ iwe.u.data.flags = IW_ENCODE_DISABLED;
+--
+2.30.2
+
--- /dev/null
+From adfde0528333101ad267b6ec8b5e059c33476d00 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Apr 2021 18:43:19 -0500
+Subject: wl3501_cs: Fix out-of-bounds warnings in wl3501_send_pkt
+
+From: Gustavo A. R. Silva <gustavoars@kernel.org>
+
+[ Upstream commit 820aa37638a252b57967bdf4038a514b1ab85d45 ]
+
+Fix the following out-of-bounds warnings by enclosing structure members
+daddr and saddr into new struct addr, in structures wl3501_md_req and
+wl3501_md_ind:
+
+arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [18, 23] from the object at 'sig' is out of the bounds of referenced subobject 'daddr' with type 'u8[6]' {aka 'unsigned char[6]'} at offset 11 [-Warray-bounds]
+arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [18, 23] from the object at 'sig' is out of the bounds of referenced subobject 'daddr' with type 'u8[6]' {aka 'unsigned char[6]'} at offset 11 [-Warray-bounds]
+
+Refactor the code, accordingly:
+
+$ pahole -C wl3501_md_req drivers/net/wireless/wl3501_cs.o
+struct wl3501_md_req {
+ u16 next_blk; /* 0 2 */
+ u8 sig_id; /* 2 1 */
+ u8 routing; /* 3 1 */
+ u16 data; /* 4 2 */
+ u16 size; /* 6 2 */
+ u8 pri; /* 8 1 */
+ u8 service_class; /* 9 1 */
+ struct {
+ u8 daddr[6]; /* 10 6 */
+ u8 saddr[6]; /* 16 6 */
+ } addr; /* 10 12 */
+
+ /* size: 22, cachelines: 1, members: 8 */
+ /* last cacheline: 22 bytes */
+};
+
+$ pahole -C wl3501_md_ind drivers/net/wireless/wl3501_cs.o
+struct wl3501_md_ind {
+ u16 next_blk; /* 0 2 */
+ u8 sig_id; /* 2 1 */
+ u8 routing; /* 3 1 */
+ u16 data; /* 4 2 */
+ u16 size; /* 6 2 */
+ u8 reception; /* 8 1 */
+ u8 pri; /* 9 1 */
+ u8 service_class; /* 10 1 */
+ struct {
+ u8 daddr[6]; /* 11 6 */
+ u8 saddr[6]; /* 17 6 */
+ } addr; /* 11 12 */
+
+ /* size: 24, cachelines: 1, members: 9 */
+ /* padding: 1 */
+ /* last cacheline: 24 bytes */
+};
+
+The problem is that the original code is trying to copy data into a
+couple of arrays adjacent to each other in a single call to memcpy().
+Now that a new struct _addr_ enclosing those two adjacent arrays
+is introduced, memcpy() doesn't overrun the length of &sig.daddr[0]
+and &sig.daddr, because the address of the new struct object _addr_
+is used, instead.
+
+This helps with the ongoing efforts to globally enable -Warray-bounds
+and get us closer to being able to tighten the FORTIFY_SOURCE routines
+on memcpy().
+
+Link: https://github.com/KSPP/linux/issues/109
+Reported-by: kernel test robot <lkp@intel.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/d260fe56aed7112bff2be5b4d152d03ad7b78e78.1618442265.git.gustavoars@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/wl3501.h | 12 ++++++++----
+ drivers/net/wireless/wl3501_cs.c | 10 ++++++----
+ 2 files changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/wireless/wl3501.h b/drivers/net/wireless/wl3501.h
+index efdce9ae36ea..077a934ae3b5 100644
+--- a/drivers/net/wireless/wl3501.h
++++ b/drivers/net/wireless/wl3501.h
+@@ -471,8 +471,10 @@ struct wl3501_md_req {
+ u16 size;
+ u8 pri;
+ u8 service_class;
+- u8 daddr[ETH_ALEN];
+- u8 saddr[ETH_ALEN];
++ struct {
++ u8 daddr[ETH_ALEN];
++ u8 saddr[ETH_ALEN];
++ } addr;
+ };
+
+ struct wl3501_md_ind {
+@@ -484,8 +486,10 @@ struct wl3501_md_ind {
+ u8 reception;
+ u8 pri;
+ u8 service_class;
+- u8 daddr[ETH_ALEN];
+- u8 saddr[ETH_ALEN];
++ struct {
++ u8 daddr[ETH_ALEN];
++ u8 saddr[ETH_ALEN];
++ } addr;
+ };
+
+ struct wl3501_md_confirm {
+diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c
+index 007bf6803293..96eb69678855 100644
+--- a/drivers/net/wireless/wl3501_cs.c
++++ b/drivers/net/wireless/wl3501_cs.c
+@@ -469,6 +469,7 @@ static int wl3501_send_pkt(struct wl3501_card *this, u8 *data, u16 len)
+ struct wl3501_md_req sig = {
+ .sig_id = WL3501_SIG_MD_REQ,
+ };
++ size_t sig_addr_len = sizeof(sig.addr);
+ u8 *pdata = (char *)data;
+ int rc = -EIO;
+
+@@ -484,9 +485,9 @@ static int wl3501_send_pkt(struct wl3501_card *this, u8 *data, u16 len)
+ goto out;
+ }
+ rc = 0;
+- memcpy(&sig.daddr[0], pdata, 12);
+- pktlen = len - 12;
+- pdata += 12;
++ memcpy(&sig.addr, pdata, sig_addr_len);
++ pktlen = len - sig_addr_len;
++ pdata += sig_addr_len;
+ sig.data = bf;
+ if (((*pdata) * 256 + (*(pdata + 1))) > 1500) {
+ u8 addr4[ETH_ALEN] = {
+@@ -980,7 +981,8 @@ static inline void wl3501_md_ind_interrupt(struct net_device *dev,
+ } else {
+ skb->dev = dev;
+ skb_reserve(skb, 2); /* IP headers on 16 bytes boundaries */
+- skb_copy_to_linear_data(skb, (unsigned char *)&sig.daddr, 12);
++ skb_copy_to_linear_data(skb, (unsigned char *)&sig.addr,
++ sizeof(sig.addr));
+ wl3501_receive(this, skb->data, pkt_len);
+ skb_put(skb, pkt_len);
+ skb->protocol = eth_type_trans(skb, dev);
+--
+2.30.2
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
