--- /dev/null
+From a177057a95f6a3f1e0e52a17eea2178c15073648 Mon Sep 17 00:00:00 2001
+From: Adam Ford <aford173@gmail.com>
+Date: Wed, 16 Oct 2019 08:51:47 -0500
+Subject: ARM: dts: logicpd-torpedo-37xx-devkit-28: Reference new DRM panel
+
+From: Adam Ford <aford173@gmail.com>
+
+commit a177057a95f6a3f1e0e52a17eea2178c15073648 upstream.
+
+With the removal of the panel-dpi from the omap drivers, the
+LCD no longer works. This patch points the device tree to
+a newly created panel named "logicpd,type28"
+
+Fixes: 8bf4b1621178 ("drm/omap: Remove panel-dpi driver")
+
+Signed-off-by: Adam Ford <aford173@gmail.com>
+Acked-by: Sam Ravnborg <sam@ravnborg.org>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/logicpd-torpedo-37xx-devkit-28.dts | 20 +------------------
+ 1 file changed, 2 insertions(+), 18 deletions(-)
+
+--- a/arch/arm/boot/dts/logicpd-torpedo-37xx-devkit-28.dts
++++ b/arch/arm/boot/dts/logicpd-torpedo-37xx-devkit-28.dts
+@@ -11,22 +11,6 @@
+ #include "logicpd-torpedo-37xx-devkit.dts"
+
+ &lcd0 {
+-
+- label = "28";
+-
+- panel-timing {
+- clock-frequency = <9000000>;
+- hactive = <480>;
+- vactive = <272>;
+- hfront-porch = <3>;
+- hback-porch = <2>;
+- hsync-len = <42>;
+- vback-porch = <3>;
+- vfront-porch = <2>;
+- vsync-len = <11>;
+- hsync-active = <1>;
+- vsync-active = <1>;
+- de-active = <1>;
+- pixelclk-active = <0>;
+- };
++ /* To make it work, set CONFIG_OMAP2_DSS_MIN_FCK_PER_PCK=4 */
++ compatible = "logicpd,type28";
+ };
--- /dev/null
+From 0b491904f053e41685162af5c5411b85b18c97a7 Mon Sep 17 00:00:00 2001
+From: Markus Elfring <elfring@users.sourceforge.net>
+Date: Sat, 9 Nov 2019 17:19:35 +0100
+Subject: ARM: OMAP2+: Add missing put_device() call in omapdss_init_of()
+
+From: Markus Elfring <elfring@users.sourceforge.net>
+
+commit 0b491904f053e41685162af5c5411b85b18c97a7 upstream.
+
+A coccicheck run provided information like the following.
+
+arch/arm/mach-omap2/display.c:268:2-8: ERROR: missing put_device;
+call of_find_device_by_node on line 258, but without a corresponding
+object release within this function.
+
+Generated by: scripts/coccinelle/free/put_device.cocci
+
+Thus add the missed function call to fix the exception handling for
+this function implementation.
+
+Fixes: e0c827aca0730b51f38081aa4e8ecf0912aab55f ("drm/omap: Populate DSS children in omapdss driver")
+Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-omap2/display.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm/mach-omap2/display.c
++++ b/arch/arm/mach-omap2/display.c
+@@ -265,6 +265,7 @@ static int __init omapdss_init_of(void)
+ r = of_platform_populate(node, NULL, NULL, &pdev->dev);
+ if (r) {
+ pr_err("Unable to populate DSS submodule devices\n");
++ put_device(&pdev->dev);
+ return r;
+ }
+
--- /dev/null
+From df786c9b947639aedbc7bb44b5dae2a7824af360 Mon Sep 17 00:00:00 2001
+From: Stanislav Fomichev <sdf@google.com>
+Date: Wed, 27 Nov 2019 14:57:59 -0800
+Subject: bpf: Force .BTF section start to zero when dumping from vmlinux
+
+From: Stanislav Fomichev <sdf@google.com>
+
+commit df786c9b947639aedbc7bb44b5dae2a7824af360 upstream.
+
+While trying to figure out why fentry_fexit selftest doesn't pass for me
+(old pahole, broken BTF), I found out that my latest patch can break vmlinux
+.BTF generation. objcopy preserves section start when doing --only-section,
+so there is a chance (depending on where pahole inserts .BTF section) to
+have leading empty zeroes. Let's explicitly force section offset to zero.
+
+Before:
+
+$ objcopy --set-section-flags .BTF=alloc -O binary \
+ --only-section=.BTF vmlinux .btf.vmlinux.bin
+$ xxd .btf.vmlinux.bin | head -n1
+00000000: 0000 0000 0000 0000 0000 0000 0000 0000 ................
+
+After:
+
+$ objcopy --change-section-address .BTF=0 \
+ --set-section-flags .BTF=alloc -O binary \
+ --only-section=.BTF vmlinux .btf.vmlinux.bin
+$ xxd .btf.vmlinux.bin | head -n1
+00000000: 9feb 0100 1800 0000 0000 0000 80e1 1c00 ................
+ ^BTF magic
+
+As part of this change, I'm also dropping '2>/dev/null' from objcopy
+invocation to be able to catch possible other issues (objcopy doesn't
+produce any warnings for me anymore, it did before with --dump-section).
+
+Fixes: da5fb18225b4 ("bpf: Support pre-2.25-binutils objcopy for vmlinux BTF")
+Signed-off-by: Stanislav Fomichev <sdf@google.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Cc: Andrii Nakryiko <andriin@fb.com>
+Link: https://lore.kernel.org/bpf/20191127225759.39923-1-sdf@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ scripts/link-vmlinux.sh | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/scripts/link-vmlinux.sh
++++ b/scripts/link-vmlinux.sh
+@@ -127,8 +127,9 @@ gen_btf()
+ cut -d, -f1 | cut -d' ' -f2)
+ bin_format=$(LANG=C ${OBJDUMP} -f ${1} | grep 'file format' | \
+ awk '{print $4}')
+- ${OBJCOPY} --set-section-flags .BTF=alloc -O binary \
+- --only-section=.BTF ${1} .btf.vmlinux.bin 2>/dev/null
++ ${OBJCOPY} --change-section-address .BTF=0 \
++ --set-section-flags .BTF=alloc -O binary \
++ --only-section=.BTF ${1} .btf.vmlinux.bin
+ ${OBJCOPY} -I binary -O ${bin_format} -B ${bin_arch} \
+ --rename-section .data=.BTF .btf.vmlinux.bin ${2}
+ }
--- /dev/null
+From 7787657d7ee55a9ecf4aea4907b46b87a44eda67 Mon Sep 17 00:00:00 2001
+From: Alain Volmat <alain.volmat@st.com>
+Date: Tue, 12 Nov 2019 09:19:44 +0100
+Subject: i2c: i2c-stm32f7: fix 10-bits check in slave free id search loop
+
+From: Alain Volmat <alain.volmat@st.com>
+
+commit 7787657d7ee55a9ecf4aea4907b46b87a44eda67 upstream.
+
+Fix a typo in the free slave id search loop. Instead of I2C_CLIENT_PEC,
+it should have been I2C_CLIENT_TEN. The slave id 1 can only handle 7-bit
+addresses and thus is not eligible in case of 10-bit addresses.
+As a matter of fact none of the slave id support I2C_CLIENT_PEC, overall
+check is performed at the beginning of the stm32f7_i2c_reg_slave function.
+
+Fixes: 60d609f30de2 ("i2c: i2c-stm32f7: Add slave support")
+Signed-off-by: Alain Volmat <alain.volmat@st.com>
+Reviewed-by: Pierre-Yves MORDRET <pierre-yves.mordret@st.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-stm32f7.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-stm32f7.c
++++ b/drivers/i2c/busses/i2c-stm32f7.c
+@@ -1268,7 +1268,7 @@ static int stm32f7_i2c_get_free_slave_id
+ * slave[1] supports 7-bit slave address only
+ */
+ for (i = STM32F7_I2C_MAX_SLAVE - 1; i >= 0; i--) {
+- if (i == 1 && (slave->flags & I2C_CLIENT_PEC))
++ if (i == 1 && (slave->flags & I2C_CLIENT_TEN))
+ continue;
+ if (!i2c_dev->slave[i]) {
+ *id = i;
--- /dev/null
+From 52d3be711e065a97a57c2f2ffba3098748855bd6 Mon Sep 17 00:00:00 2001
+From: Alain Volmat <alain.volmat@st.com>
+Date: Tue, 15 Oct 2019 15:03:09 +0200
+Subject: i2c: stm32f7: rework slave_id allocation
+
+From: Alain Volmat <alain.volmat@st.com>
+
+commit 52d3be711e065a97a57c2f2ffba3098748855bd6 upstream.
+
+The IP can handle two slave addresses. One address can either be
+7 bits or 10 bits while the other can only be 7 bits.
+In order to ensure that a 10 bits address can always be allocated
+(assuming there is only one 7 bits address already allocated),
+pick up the 7-bits only address slot in priority when performing a 7-bits
+address allocation.
+
+Fixes: 60d609f30de2 ("i2c: i2c-stm32f7: Add slave support")
+Signed-off-by: Alain Volmat <alain.volmat@st.com>
+Reviewed-by: Pierre-Yves MORDRET <pierre-yves.mordret@st.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-stm32f7.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-stm32f7.c
++++ b/drivers/i2c/busses/i2c-stm32f7.c
+@@ -1267,7 +1267,7 @@ static int stm32f7_i2c_get_free_slave_id
+ * slave[0] supports 7-bit and 10-bit slave address
+ * slave[1] supports 7-bit slave address only
+ */
+- for (i = 0; i < STM32F7_I2C_MAX_SLAVE; i++) {
++ for (i = STM32F7_I2C_MAX_SLAVE - 1; i >= 0; i--) {
+ if (i == 1 && (slave->flags & I2C_CLIENT_PEC))
+ continue;
+ if (!i2c_dev->slave[i]) {
--- /dev/null
+From 949375de945f7042df2b6488228a1a2b36e69f35 Mon Sep 17 00:00:00 2001
+From: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Date: Fri, 8 Nov 2019 06:23:21 -0800
+Subject: ice: fix stack leakage
+
+From: Jesse Brandeburg <jesse.brandeburg@intel.com>
+
+commit 949375de945f7042df2b6488228a1a2b36e69f35 upstream.
+
+In the case of an invalid virtchannel request the driver
+would return uninitialized data to the VF from the PF stack
+which is a bug. Fix by initializing the stack variable
+earlier in the function before any return paths can be taken.
+
+Fixes: 1071a8358a28 ("ice: Implement virtchnl commands for AVF support")
+Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c
+@@ -1873,8 +1873,8 @@ static int ice_vc_get_stats_msg(struct i
+ enum virtchnl_status_code v_ret = VIRTCHNL_STATUS_SUCCESS;
+ struct virtchnl_queue_select *vqs =
+ (struct virtchnl_queue_select *)msg;
++ struct ice_eth_stats stats = { 0 };
+ struct ice_pf *pf = vf->pf;
+- struct ice_eth_stats stats;
+ struct ice_vsi *vsi;
+
+ if (!test_bit(ICE_VF_STATE_ACTIVE, vf->vf_states)) {
+@@ -1893,7 +1893,6 @@ static int ice_vc_get_stats_msg(struct i
+ goto error_param;
+ }
+
+- memset(&stats, 0, sizeof(struct ice_eth_stats));
+ ice_update_eth_stats(vsi);
+
+ stats = vsi->eth_stats;
--- /dev/null
+From dd3ab126379ec040b3edab8559f9c72de6ef9d29 Mon Sep 17 00:00:00 2001
+From: Andrii Nakryiko <andriin@fb.com>
+Date: Wed, 6 Nov 2019 18:08:53 -0800
+Subject: libbpf: Fix another potential overflow issue in bpf_prog_linfo
+
+From: Andrii Nakryiko <andriin@fb.com>
+
+commit dd3ab126379ec040b3edab8559f9c72de6ef9d29 upstream.
+
+Fix few issues found by Coverity and LGTM.
+
+Fixes: b053b439b72a ("bpf: libbpf: bpftool: Print bpf_line_info during prog dump")
+Signed-off-by: Andrii Nakryiko <andriin@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20191107020855.3834758-4-andriin@fb.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/lib/bpf/bpf_prog_linfo.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/tools/lib/bpf/bpf_prog_linfo.c
++++ b/tools/lib/bpf/bpf_prog_linfo.c
+@@ -101,6 +101,7 @@ struct bpf_prog_linfo *bpf_prog_linfo__n
+ {
+ struct bpf_prog_linfo *prog_linfo;
+ __u32 nr_linfo, nr_jited_func;
++ __u64 data_sz;
+
+ nr_linfo = info->nr_line_info;
+
+@@ -122,11 +123,11 @@ struct bpf_prog_linfo *bpf_prog_linfo__n
+ /* Copy xlated line_info */
+ prog_linfo->nr_linfo = nr_linfo;
+ prog_linfo->rec_size = info->line_info_rec_size;
+- prog_linfo->raw_linfo = malloc(nr_linfo * prog_linfo->rec_size);
++ data_sz = (__u64)nr_linfo * prog_linfo->rec_size;
++ prog_linfo->raw_linfo = malloc(data_sz);
+ if (!prog_linfo->raw_linfo)
+ goto err_free;
+- memcpy(prog_linfo->raw_linfo, (void *)(long)info->line_info,
+- nr_linfo * prog_linfo->rec_size);
++ memcpy(prog_linfo->raw_linfo, (void *)(long)info->line_info, data_sz);
+
+ nr_jited_func = info->nr_jited_ksyms;
+ if (!nr_jited_func ||
+@@ -142,13 +143,12 @@ struct bpf_prog_linfo *bpf_prog_linfo__n
+ /* Copy jited_line_info */
+ prog_linfo->nr_jited_func = nr_jited_func;
+ prog_linfo->jited_rec_size = info->jited_line_info_rec_size;
+- prog_linfo->raw_jited_linfo = malloc(nr_linfo *
+- prog_linfo->jited_rec_size);
++ data_sz = (__u64)nr_linfo * prog_linfo->jited_rec_size;
++ prog_linfo->raw_jited_linfo = malloc(data_sz);
+ if (!prog_linfo->raw_jited_linfo)
+ goto err_free;
+ memcpy(prog_linfo->raw_jited_linfo,
+- (void *)(long)info->jited_line_info,
+- nr_linfo * prog_linfo->jited_rec_size);
++ (void *)(long)info->jited_line_info, data_sz);
+
+ /* Number of jited_line_info per jited func */
+ prog_linfo->nr_jited_linfo_per_func = malloc(nr_jited_func *
--- /dev/null
+From a0d7da26ce86a25e97ae191cb90574ada6daea98 Mon Sep 17 00:00:00 2001
+From: Andrii Nakryiko <andriin@fb.com>
+Date: Tue, 19 Nov 2019 14:44:47 -0800
+Subject: libbpf: Fix call relocation offset calculation bug
+
+From: Andrii Nakryiko <andriin@fb.com>
+
+commit a0d7da26ce86a25e97ae191cb90574ada6daea98 upstream.
+
+When relocating subprogram call, libbpf doesn't take into account
+relo->text_off, which comes from symbol's value. This generally works fine for
+subprograms implemented as static functions, but breaks for global functions.
+
+Taking a simplified test_pkt_access.c as an example:
+
+__attribute__ ((noinline))
+static int test_pkt_access_subprog1(volatile struct __sk_buff *skb)
+{
+ return skb->len * 2;
+}
+
+__attribute__ ((noinline))
+static int test_pkt_access_subprog2(int val, volatile struct __sk_buff *skb)
+{
+ return skb->len + val;
+}
+
+SEC("classifier/test_pkt_access")
+int test_pkt_access(struct __sk_buff *skb)
+{
+ if (test_pkt_access_subprog1(skb) != skb->len * 2)
+ return TC_ACT_SHOT;
+ if (test_pkt_access_subprog2(2, skb) != skb->len + 2)
+ return TC_ACT_SHOT;
+ return TC_ACT_UNSPEC;
+}
+
+When compiled, we get two relocations, pointing to '.text' symbol. .text has
+st_value set to 0 (it points to the beginning of .text section):
+
+0000000000000008 000000050000000a R_BPF_64_32 0000000000000000 .text
+0000000000000040 000000050000000a R_BPF_64_32 0000000000000000 .text
+
+test_pkt_access_subprog1 and test_pkt_access_subprog2 offsets (targets of two
+calls) are encoded within call instruction's imm32 part as -1 and 2,
+respectively:
+
+0000000000000000 test_pkt_access_subprog1:
+ 0: 61 10 00 00 00 00 00 00 r0 = *(u32 *)(r1 + 0)
+ 1: 64 00 00 00 01 00 00 00 w0 <<= 1
+ 2: 95 00 00 00 00 00 00 00 exit
+
+0000000000000018 test_pkt_access_subprog2:
+ 3: 61 10 00 00 00 00 00 00 r0 = *(u32 *)(r1 + 0)
+ 4: 04 00 00 00 02 00 00 00 w0 += 2
+ 5: 95 00 00 00 00 00 00 00 exit
+
+0000000000000000 test_pkt_access:
+ 0: bf 16 00 00 00 00 00 00 r6 = r1
+===> 1: 85 10 00 00 ff ff ff ff call -1
+ 2: bc 01 00 00 00 00 00 00 w1 = w0
+ 3: b4 00 00 00 02 00 00 00 w0 = 2
+ 4: 61 62 00 00 00 00 00 00 r2 = *(u32 *)(r6 + 0)
+ 5: 64 02 00 00 01 00 00 00 w2 <<= 1
+ 6: 5e 21 08 00 00 00 00 00 if w1 != w2 goto +8 <LBB0_3>
+ 7: bf 61 00 00 00 00 00 00 r1 = r6
+===> 8: 85 10 00 00 02 00 00 00 call 2
+ 9: bc 01 00 00 00 00 00 00 w1 = w0
+ 10: 61 62 00 00 00 00 00 00 r2 = *(u32 *)(r6 + 0)
+ 11: 04 02 00 00 02 00 00 00 w2 += 2
+ 12: b4 00 00 00 ff ff ff ff w0 = -1
+ 13: 1e 21 01 00 00 00 00 00 if w1 == w2 goto +1 <LBB0_3>
+ 14: b4 00 00 00 02 00 00 00 w0 = 2
+0000000000000078 LBB0_3:
+ 15: 95 00 00 00 00 00 00 00 exit
+
+Now, if we compile example with global functions, the setup changes.
+Relocations are now against specifically test_pkt_access_subprog1 and
+test_pkt_access_subprog2 symbols, with test_pkt_access_subprog2 pointing 24
+bytes into its respective section (.text), i.e., 3 instructions in:
+
+0000000000000008 000000070000000a R_BPF_64_32 0000000000000000 test_pkt_access_subprog1
+0000000000000048 000000080000000a R_BPF_64_32 0000000000000018 test_pkt_access_subprog2
+
+Calls instructions now encode offsets relative to function symbols and are both
+set ot -1:
+
+0000000000000000 test_pkt_access_subprog1:
+ 0: 61 10 00 00 00 00 00 00 r0 = *(u32 *)(r1 + 0)
+ 1: 64 00 00 00 01 00 00 00 w0 <<= 1
+ 2: 95 00 00 00 00 00 00 00 exit
+
+0000000000000018 test_pkt_access_subprog2:
+ 3: 61 20 00 00 00 00 00 00 r0 = *(u32 *)(r2 + 0)
+ 4: 0c 10 00 00 00 00 00 00 w0 += w1
+ 5: 95 00 00 00 00 00 00 00 exit
+
+0000000000000000 test_pkt_access:
+ 0: bf 16 00 00 00 00 00 00 r6 = r1
+===> 1: 85 10 00 00 ff ff ff ff call -1
+ 2: bc 01 00 00 00 00 00 00 w1 = w0
+ 3: b4 00 00 00 02 00 00 00 w0 = 2
+ 4: 61 62 00 00 00 00 00 00 r2 = *(u32 *)(r6 + 0)
+ 5: 64 02 00 00 01 00 00 00 w2 <<= 1
+ 6: 5e 21 09 00 00 00 00 00 if w1 != w2 goto +9 <LBB2_3>
+ 7: b4 01 00 00 02 00 00 00 w1 = 2
+ 8: bf 62 00 00 00 00 00 00 r2 = r6
+===> 9: 85 10 00 00 ff ff ff ff call -1
+ 10: bc 01 00 00 00 00 00 00 w1 = w0
+ 11: 61 62 00 00 00 00 00 00 r2 = *(u32 *)(r6 + 0)
+ 12: 04 02 00 00 02 00 00 00 w2 += 2
+ 13: b4 00 00 00 ff ff ff ff w0 = -1
+ 14: 1e 21 01 00 00 00 00 00 if w1 == w2 goto +1 <LBB2_3>
+ 15: b4 00 00 00 02 00 00 00 w0 = 2
+0000000000000080 LBB2_3:
+ 16: 95 00 00 00 00 00 00 00 exit
+
+Thus the right formula to calculate target call offset after relocation should
+take into account relocation's target symbol value (offset within section),
+call instruction's imm32 offset, and (subtracting, to get relative instruction
+offset) instruction index of call instruction itself. All that is shifted by
+number of instructions in main program, given all sub-programs are copied over
+after main program.
+
+Convert few selftests relying on bpf-to-bpf calls to use global functions
+instead of static ones.
+
+Fixes: 48cca7e44f9f ("libbpf: add support for bpf_call")
+Reported-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Andrii Nakryiko <andriin@fb.com>
+Acked-by: Yonghong Song <yhs@fb.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Link: https://lore.kernel.org/bpf/20191119224447.3781271-1-andriin@fb.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/lib/bpf/libbpf.c | 8 ++++++--
+ tools/testing/selftests/bpf/progs/test_btf_haskv.c | 4 ++--
+ tools/testing/selftests/bpf/progs/test_btf_newkv.c | 4 ++--
+ tools/testing/selftests/bpf/progs/test_btf_nokv.c | 4 ++--
+ 4 files changed, 12 insertions(+), 8 deletions(-)
+
+--- a/tools/lib/bpf/libbpf.c
++++ b/tools/lib/bpf/libbpf.c
+@@ -1791,9 +1791,13 @@ bpf_program__collect_reloc(struct bpf_pr
+ pr_warning("incorrect bpf_call opcode\n");
+ return -LIBBPF_ERRNO__RELOC;
+ }
++ if (sym.st_value % 8) {
++ pr_warn("bad call relo offset: %lu\n", sym.st_value);
++ return -LIBBPF_ERRNO__RELOC;
++ }
+ prog->reloc_desc[i].type = RELO_CALL;
+ prog->reloc_desc[i].insn_idx = insn_idx;
+- prog->reloc_desc[i].text_off = sym.st_value;
++ prog->reloc_desc[i].text_off = sym.st_value / 8;
+ obj->has_pseudo_calls = true;
+ continue;
+ }
+@@ -3239,7 +3243,7 @@ bpf_program__reloc_text(struct bpf_progr
+ prog->section_name);
+ }
+ insn = &prog->insns[relo->insn_idx];
+- insn->imm += prog->main_prog_cnt - relo->insn_idx;
++ insn->imm += relo->text_off + prog->main_prog_cnt - relo->insn_idx;
+ return 0;
+ }
+
+--- a/tools/testing/selftests/bpf/progs/test_btf_haskv.c
++++ b/tools/testing/selftests/bpf/progs/test_btf_haskv.c
+@@ -25,7 +25,7 @@ struct dummy_tracepoint_args {
+ };
+
+ __attribute__((noinline))
+-static int test_long_fname_2(struct dummy_tracepoint_args *arg)
++int test_long_fname_2(struct dummy_tracepoint_args *arg)
+ {
+ struct ipv_counts *counts;
+ int key = 0;
+@@ -43,7 +43,7 @@ static int test_long_fname_2(struct dumm
+ }
+
+ __attribute__((noinline))
+-static int test_long_fname_1(struct dummy_tracepoint_args *arg)
++int test_long_fname_1(struct dummy_tracepoint_args *arg)
+ {
+ return test_long_fname_2(arg);
+ }
+--- a/tools/testing/selftests/bpf/progs/test_btf_newkv.c
++++ b/tools/testing/selftests/bpf/progs/test_btf_newkv.c
+@@ -33,7 +33,7 @@ struct dummy_tracepoint_args {
+ };
+
+ __attribute__((noinline))
+-static int test_long_fname_2(struct dummy_tracepoint_args *arg)
++int test_long_fname_2(struct dummy_tracepoint_args *arg)
+ {
+ struct ipv_counts *counts;
+ int key = 0;
+@@ -56,7 +56,7 @@ static int test_long_fname_2(struct dumm
+ }
+
+ __attribute__((noinline))
+-static int test_long_fname_1(struct dummy_tracepoint_args *arg)
++int test_long_fname_1(struct dummy_tracepoint_args *arg)
+ {
+ return test_long_fname_2(arg);
+ }
+--- a/tools/testing/selftests/bpf/progs/test_btf_nokv.c
++++ b/tools/testing/selftests/bpf/progs/test_btf_nokv.c
+@@ -23,7 +23,7 @@ struct dummy_tracepoint_args {
+ };
+
+ __attribute__((noinline))
+-static int test_long_fname_2(struct dummy_tracepoint_args *arg)
++int test_long_fname_2(struct dummy_tracepoint_args *arg)
+ {
+ struct ipv_counts *counts;
+ int key = 0;
+@@ -41,7 +41,7 @@ static int test_long_fname_2(struct dumm
+ }
+
+ __attribute__((noinline))
+-static int test_long_fname_1(struct dummy_tracepoint_args *arg)
++int test_long_fname_1(struct dummy_tracepoint_args *arg)
+ {
+ return test_long_fname_2(arg);
+ }
--- /dev/null
+From 94ff9ebb49a546b7f009ed840bafa235c96d4c4b Mon Sep 17 00:00:00 2001
+From: Magnus Karlsson <magnus.karlsson@intel.com>
+Date: Fri, 25 Oct 2019 11:17:15 +0200
+Subject: libbpf: Fix compatibility for kernels without need_wakeup
+
+From: Magnus Karlsson <magnus.karlsson@intel.com>
+
+commit 94ff9ebb49a546b7f009ed840bafa235c96d4c4b upstream.
+
+When the need_wakeup flag was added to AF_XDP, the format of the
+XDP_MMAP_OFFSETS getsockopt was extended. Code was added to the
+kernel to take care of compatibility issues arrising from running
+applications using any of the two formats. However, libbpf was
+not extended to take care of the case when the application/libbpf
+uses the new format but the kernel only supports the old
+format. This patch adds support in libbpf for parsing the old
+format, before the need_wakeup flag was added, and emulating a
+set of static need_wakeup flags that will always work for the
+application.
+
+v2 -> v3:
+* Incorporated code improvements suggested by Jonathan Lemon
+
+v1 -> v2:
+* Rebased to bpf-next
+* Rewrote the code as the previous version made you blind
+
+Fixes: a4500432c2587cb2a ("libbpf: add support for need_wakeup flag in AF_XDP part")
+Reported-by: Eloy Degen <degeneloy@gmail.com>
+Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Jonathan Lemon <jonathan.lemon@gmail.com>
+Link: https://lore.kernel.org/bpf/1571995035-21889-1-git-send-email-magnus.karlsson@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/lib/bpf/xsk.c | 83 ++++++++++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 71 insertions(+), 12 deletions(-)
+
+--- a/tools/lib/bpf/xsk.c
++++ b/tools/lib/bpf/xsk.c
+@@ -73,6 +73,21 @@ struct xsk_nl_info {
+ int fd;
+ };
+
++/* Up until and including Linux 5.3 */
++struct xdp_ring_offset_v1 {
++ __u64 producer;
++ __u64 consumer;
++ __u64 desc;
++};
++
++/* Up until and including Linux 5.3 */
++struct xdp_mmap_offsets_v1 {
++ struct xdp_ring_offset_v1 rx;
++ struct xdp_ring_offset_v1 tx;
++ struct xdp_ring_offset_v1 fr;
++ struct xdp_ring_offset_v1 cr;
++};
++
+ int xsk_umem__fd(const struct xsk_umem *umem)
+ {
+ return umem ? umem->fd : -EINVAL;
+@@ -133,6 +148,58 @@ static int xsk_set_xdp_socket_config(str
+ return 0;
+ }
+
++static void xsk_mmap_offsets_v1(struct xdp_mmap_offsets *off)
++{
++ struct xdp_mmap_offsets_v1 off_v1;
++
++ /* getsockopt on a kernel <= 5.3 has no flags fields.
++ * Copy over the offsets to the correct places in the >=5.4 format
++ * and put the flags where they would have been on that kernel.
++ */
++ memcpy(&off_v1, off, sizeof(off_v1));
++
++ off->rx.producer = off_v1.rx.producer;
++ off->rx.consumer = off_v1.rx.consumer;
++ off->rx.desc = off_v1.rx.desc;
++ off->rx.flags = off_v1.rx.consumer + sizeof(u32);
++
++ off->tx.producer = off_v1.tx.producer;
++ off->tx.consumer = off_v1.tx.consumer;
++ off->tx.desc = off_v1.tx.desc;
++ off->tx.flags = off_v1.tx.consumer + sizeof(u32);
++
++ off->fr.producer = off_v1.fr.producer;
++ off->fr.consumer = off_v1.fr.consumer;
++ off->fr.desc = off_v1.fr.desc;
++ off->fr.flags = off_v1.fr.consumer + sizeof(u32);
++
++ off->cr.producer = off_v1.cr.producer;
++ off->cr.consumer = off_v1.cr.consumer;
++ off->cr.desc = off_v1.cr.desc;
++ off->cr.flags = off_v1.cr.consumer + sizeof(u32);
++}
++
++static int xsk_get_mmap_offsets(int fd, struct xdp_mmap_offsets *off)
++{
++ socklen_t optlen;
++ int err;
++
++ optlen = sizeof(*off);
++ err = getsockopt(fd, SOL_XDP, XDP_MMAP_OFFSETS, off, &optlen);
++ if (err)
++ return err;
++
++ if (optlen == sizeof(*off))
++ return 0;
++
++ if (optlen == sizeof(struct xdp_mmap_offsets_v1)) {
++ xsk_mmap_offsets_v1(off);
++ return 0;
++ }
++
++ return -EINVAL;
++}
++
+ int xsk_umem__create_v0_0_4(struct xsk_umem **umem_ptr, void *umem_area,
+ __u64 size, struct xsk_ring_prod *fill,
+ struct xsk_ring_cons *comp,
+@@ -141,7 +208,6 @@ int xsk_umem__create_v0_0_4(struct xsk_u
+ struct xdp_mmap_offsets off;
+ struct xdp_umem_reg mr;
+ struct xsk_umem *umem;
+- socklen_t optlen;
+ void *map;
+ int err;
+
+@@ -190,8 +256,7 @@ int xsk_umem__create_v0_0_4(struct xsk_u
+ goto out_socket;
+ }
+
+- optlen = sizeof(off);
+- err = getsockopt(umem->fd, SOL_XDP, XDP_MMAP_OFFSETS, &off, &optlen);
++ err = xsk_get_mmap_offsets(umem->fd, &off);
+ if (err) {
+ err = -errno;
+ goto out_socket;
+@@ -499,7 +564,6 @@ int xsk_socket__create(struct xsk_socket
+ struct sockaddr_xdp sxdp = {};
+ struct xdp_mmap_offsets off;
+ struct xsk_socket *xsk;
+- socklen_t optlen;
+ int err;
+
+ if (!umem || !xsk_ptr || !rx || !tx)
+@@ -558,8 +622,7 @@ int xsk_socket__create(struct xsk_socket
+ }
+ }
+
+- optlen = sizeof(off);
+- err = getsockopt(xsk->fd, SOL_XDP, XDP_MMAP_OFFSETS, &off, &optlen);
++ err = xsk_get_mmap_offsets(xsk->fd, &off);
+ if (err) {
+ err = -errno;
+ goto out_socket;
+@@ -645,7 +708,6 @@ out_xsk_alloc:
+ int xsk_umem__delete(struct xsk_umem *umem)
+ {
+ struct xdp_mmap_offsets off;
+- socklen_t optlen;
+ int err;
+
+ if (!umem)
+@@ -654,8 +716,7 @@ int xsk_umem__delete(struct xsk_umem *um
+ if (umem->refcount)
+ return -EBUSY;
+
+- optlen = sizeof(off);
+- err = getsockopt(umem->fd, SOL_XDP, XDP_MMAP_OFFSETS, &off, &optlen);
++ err = xsk_get_mmap_offsets(umem->fd, &off);
+ if (!err) {
+ munmap(umem->fill->ring - off.fr.desc,
+ off.fr.desc + umem->config.fill_size * sizeof(__u64));
+@@ -673,7 +734,6 @@ void xsk_socket__delete(struct xsk_socke
+ {
+ size_t desc_sz = sizeof(struct xdp_desc);
+ struct xdp_mmap_offsets off;
+- socklen_t optlen;
+ int err;
+
+ if (!xsk)
+@@ -684,8 +744,7 @@ void xsk_socket__delete(struct xsk_socke
+ close(xsk->prog_fd);
+ }
+
+- optlen = sizeof(off);
+- err = getsockopt(xsk->fd, SOL_XDP, XDP_MMAP_OFFSETS, &off, &optlen);
++ err = xsk_get_mmap_offsets(xsk->fd, &off);
+ if (!err) {
+ if (xsk->rx) {
+ munmap(xsk->rx->ring - off.rx.desc,
--- /dev/null
+From 3dc5e059821376974177cc801d377e3fcdac6712 Mon Sep 17 00:00:00 2001
+From: Andrii Nakryiko <andriin@fb.com>
+Date: Wed, 6 Nov 2019 18:08:51 -0800
+Subject: libbpf: Fix memory leak/double free issue
+
+From: Andrii Nakryiko <andriin@fb.com>
+
+commit 3dc5e059821376974177cc801d377e3fcdac6712 upstream.
+
+Coverity scan against Github libbpf code found the issue of not freeing memory and
+leaving already freed memory still referenced from bpf_program. Fix it by
+re-assigning successfully reallocated memory sooner.
+
+Fixes: 2993e0515bb4 ("tools/bpf: add support to read .BTF.ext sections")
+Signed-off-by: Andrii Nakryiko <andriin@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20191107020855.3834758-2-andriin@fb.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/lib/bpf/libbpf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/lib/bpf/libbpf.c
++++ b/tools/lib/bpf/libbpf.c
+@@ -3220,6 +3220,7 @@ bpf_program__reloc_text(struct bpf_progr
+ pr_warning("oom in prog realloc\n");
+ return -ENOMEM;
+ }
++ prog->insns = new_insn;
+
+ if (obj->btf_ext) {
+ err = bpf_program_reloc_btf_ext(prog, obj,
+@@ -3231,7 +3232,6 @@ bpf_program__reloc_text(struct bpf_progr
+
+ memcpy(new_insn + prog->insns_cnt, text->insns,
+ text->insns_cnt * sizeof(*insn));
+- prog->insns = new_insn;
+ prog->main_prog_cnt = prog->insns_cnt;
+ prog->insns_cnt = new_cnt;
+ pr_debug("added %zd insn from %s to prog %s\n",
--- /dev/null
+From 4ee1135615713387b869dfd099ffdf8656be6784 Mon Sep 17 00:00:00 2001
+From: Andrii Nakryiko <andriin@fb.com>
+Date: Wed, 6 Nov 2019 18:08:52 -0800
+Subject: libbpf: Fix potential overflow issue
+
+From: Andrii Nakryiko <andriin@fb.com>
+
+commit 4ee1135615713387b869dfd099ffdf8656be6784 upstream.
+
+Fix a potential overflow issue found by LGTM analysis, based on Github libbpf
+source code.
+
+Fixes: 3d65014146c6 ("bpf: libbpf: Add btf_line_info support to libbpf")
+Signed-off-by: Andrii Nakryiko <andriin@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20191107020855.3834758-3-andriin@fb.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/lib/bpf/bpf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/lib/bpf/bpf.c
++++ b/tools/lib/bpf/bpf.c
+@@ -189,7 +189,7 @@ static void *
+ alloc_zero_tailing_info(const void *orecord, __u32 cnt,
+ __u32 actual_rec_size, __u32 expected_rec_size)
+ {
+- __u64 info_len = actual_rec_size * cnt;
++ __u64 info_len = (__u64)actual_rec_size * cnt;
+ void *info, *nrecord;
+ int i;
+
--- /dev/null
+From 994021a7e08477f7e51285920aac99fc967fae8a Mon Sep 17 00:00:00 2001
+From: Andrii Nakryiko <andriin@fb.com>
+Date: Wed, 6 Nov 2019 18:08:54 -0800
+Subject: libbpf: Make btf__resolve_size logic always check size error condition
+
+From: Andrii Nakryiko <andriin@fb.com>
+
+commit 994021a7e08477f7e51285920aac99fc967fae8a upstream.
+
+Perform size check always in btf__resolve_size. Makes the logic a bit more
+robust against corrupted BTF and silences LGTM/Coverity complaining about
+always true (size < 0) check.
+
+Fixes: 69eaab04c675 ("btf: extract BTF type size calculation")
+Signed-off-by: Andrii Nakryiko <andriin@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20191107020855.3834758-5-andriin@fb.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/lib/bpf/btf.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/tools/lib/bpf/btf.c
++++ b/tools/lib/bpf/btf.c
+@@ -269,10 +269,9 @@ __s64 btf__resolve_size(const struct btf
+ t = btf__type_by_id(btf, type_id);
+ }
+
++done:
+ if (size < 0)
+ return -EINVAL;
+-
+-done:
+ if (nelems && size > UINT32_MAX / nelems)
+ return -E2BIG;
+
--- /dev/null
+From 3f31bc67e4dc6a555341dffefe328ddd58e8b431 Mon Sep 17 00:00:00 2001
+From: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+Date: Wed, 4 Sep 2019 08:56:25 +0300
+Subject: mfd: intel-lpss: Add default I2C device properties for Gemini Lake
+
+From: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+
+commit 3f31bc67e4dc6a555341dffefe328ddd58e8b431 upstream.
+
+It turned out Intel Gemini Lake doesn't use the same I2C timing
+parameters as Broxton.
+
+I got confirmation from the Windows team that Gemini Lake systems should
+use updated timing parameters that differ from those used in Broxton
+based systems.
+
+Fixes: f80e78aa11ad ("mfd: intel-lpss: Add Intel Gemini Lake PCI IDs")
+Tested-by: Chris Chiu <chiu@endlessm.com>
+Signed-off-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+Acked-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mfd/intel-lpss-pci.c | 28 ++++++++++++++++++++--------
+ 1 file changed, 20 insertions(+), 8 deletions(-)
+
+--- a/drivers/mfd/intel-lpss-pci.c
++++ b/drivers/mfd/intel-lpss-pci.c
+@@ -122,6 +122,18 @@ static const struct intel_lpss_platform_
+ .properties = apl_i2c_properties,
+ };
+
++static struct property_entry glk_i2c_properties[] = {
++ PROPERTY_ENTRY_U32("i2c-sda-hold-time-ns", 313),
++ PROPERTY_ENTRY_U32("i2c-sda-falling-time-ns", 171),
++ PROPERTY_ENTRY_U32("i2c-scl-falling-time-ns", 290),
++ { },
++};
++
++static const struct intel_lpss_platform_info glk_i2c_info = {
++ .clk_rate = 133000000,
++ .properties = glk_i2c_properties,
++};
++
+ static const struct intel_lpss_platform_info cnl_i2c_info = {
+ .clk_rate = 216000000,
+ .properties = spt_i2c_properties,
+@@ -174,14 +186,14 @@ static const struct pci_device_id intel_
+ { PCI_VDEVICE(INTEL, 0x1ac6), (kernel_ulong_t)&bxt_info },
+ { PCI_VDEVICE(INTEL, 0x1aee), (kernel_ulong_t)&bxt_uart_info },
+ /* GLK */
+- { PCI_VDEVICE(INTEL, 0x31ac), (kernel_ulong_t)&bxt_i2c_info },
+- { PCI_VDEVICE(INTEL, 0x31ae), (kernel_ulong_t)&bxt_i2c_info },
+- { PCI_VDEVICE(INTEL, 0x31b0), (kernel_ulong_t)&bxt_i2c_info },
+- { PCI_VDEVICE(INTEL, 0x31b2), (kernel_ulong_t)&bxt_i2c_info },
+- { PCI_VDEVICE(INTEL, 0x31b4), (kernel_ulong_t)&bxt_i2c_info },
+- { PCI_VDEVICE(INTEL, 0x31b6), (kernel_ulong_t)&bxt_i2c_info },
+- { PCI_VDEVICE(INTEL, 0x31b8), (kernel_ulong_t)&bxt_i2c_info },
+- { PCI_VDEVICE(INTEL, 0x31ba), (kernel_ulong_t)&bxt_i2c_info },
++ { PCI_VDEVICE(INTEL, 0x31ac), (kernel_ulong_t)&glk_i2c_info },
++ { PCI_VDEVICE(INTEL, 0x31ae), (kernel_ulong_t)&glk_i2c_info },
++ { PCI_VDEVICE(INTEL, 0x31b0), (kernel_ulong_t)&glk_i2c_info },
++ { PCI_VDEVICE(INTEL, 0x31b2), (kernel_ulong_t)&glk_i2c_info },
++ { PCI_VDEVICE(INTEL, 0x31b4), (kernel_ulong_t)&glk_i2c_info },
++ { PCI_VDEVICE(INTEL, 0x31b6), (kernel_ulong_t)&glk_i2c_info },
++ { PCI_VDEVICE(INTEL, 0x31b8), (kernel_ulong_t)&glk_i2c_info },
++ { PCI_VDEVICE(INTEL, 0x31ba), (kernel_ulong_t)&glk_i2c_info },
+ { PCI_VDEVICE(INTEL, 0x31bc), (kernel_ulong_t)&bxt_uart_info },
+ { PCI_VDEVICE(INTEL, 0x31be), (kernel_ulong_t)&bxt_uart_info },
+ { PCI_VDEVICE(INTEL, 0x31c0), (kernel_ulong_t)&bxt_uart_info },
--- /dev/null
+From 23cb16d2ccb5f819d7acff602e5a153157bf2884 Mon Sep 17 00:00:00 2001
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+Date: Sun, 17 Nov 2019 14:26:14 +0200
+Subject: mt76: mt76u: fix endpoint definition order
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+commit 23cb16d2ccb5f819d7acff602e5a153157bf2884 upstream.
+
+Even if they are not currently used fix BK/BE endpoint definition order.
+
+Fixes: b40b15e1521f ("mt76: add usb support to mt76 layer")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mediatek/mt76/mt76.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/mediatek/mt76/mt76.h
++++ b/drivers/net/wireless/mediatek/mt76/mt76.h
+@@ -367,8 +367,8 @@ enum mt76u_in_ep {
+
+ enum mt76u_out_ep {
+ MT_EP_OUT_INBAND_CMD,
+- MT_EP_OUT_AC_BK,
+ MT_EP_OUT_AC_BE,
++ MT_EP_OUT_AC_BK,
+ MT_EP_OUT_AC_VI,
+ MT_EP_OUT_AC_VO,
+ MT_EP_OUT_HCCA,
--- /dev/null
+From 15e14f76f85f4f0eab3b8146e1cd3c58ce272823 Mon Sep 17 00:00:00 2001
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+Date: Sat, 21 Sep 2019 10:44:01 +0200
+Subject: mt7601u: fix bbp version check in mt7601u_wait_bbp_ready
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+commit 15e14f76f85f4f0eab3b8146e1cd3c58ce272823 upstream.
+
+Fix bbp ready check in mt7601u_wait_bbp_ready. The issue is reported by
+coverity with the following error:
+
+Logical vs. bitwise operator
+The expression's value does not depend on the operands; inadvertent use
+of the wrong operator is a likely logic error.
+
+Addresses-Coverity-ID: 1309441 ("Logical vs. bitwise operator")
+Fixes: c869f77d6abb ("add mt7601u driver")
+Acked-by: Jakub Kicinski <kubakici@wp.pl>
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mediatek/mt7601u/phy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/mediatek/mt7601u/phy.c
++++ b/drivers/net/wireless/mediatek/mt7601u/phy.c
+@@ -213,7 +213,7 @@ int mt7601u_wait_bbp_ready(struct mt7601
+
+ do {
+ val = mt7601u_bbp_rr(dev, MT_BBP_REG_VERSION);
+- if (val && ~val)
++ if (val && val != 0xff)
+ break;
+ } while (--i);
+
--- /dev/null
+From eb252c3a24fc5856fa62140c2f8269ddce6ce4e5 Mon Sep 17 00:00:00 2001
+From: Roi Dayan <roid@mellanox.com>
+Date: Mon, 2 Dec 2019 19:19:47 +0200
+Subject: net/mlx5e: Fix free peer_flow when refcount is 0
+
+From: Roi Dayan <roid@mellanox.com>
+
+commit eb252c3a24fc5856fa62140c2f8269ddce6ce4e5 upstream.
+
+It could be neigh update flow took a refcount on peer flow so
+sometimes we cannot release peer flow even if parent flow is
+being freed now.
+
+Fixes: 5a7e5bcb663d ("net/mlx5e: Extend tc flow struct with reference counter")
+Signed-off-by: Roi Dayan <roid@mellanox.com>
+Reviewed-by: Eli Britstein <elibr@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+@@ -1615,8 +1615,11 @@ static void __mlx5e_tc_del_fdb_peer_flow
+
+ flow_flag_clear(flow, DUP);
+
+- mlx5e_tc_del_fdb_flow(flow->peer_flow->priv, flow->peer_flow);
+- kfree(flow->peer_flow);
++ if (refcount_dec_and_test(&flow->peer_flow->refcnt)) {
++ mlx5e_tc_del_fdb_flow(flow->peer_flow->priv, flow->peer_flow);
++ kfree(flow->peer_flow);
++ }
++
+ flow->peer_flow = NULL;
+ }
+
--- /dev/null
+From fea7fda7f50a6059220f83251e70709e45cc8040 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Thu, 3 Oct 2019 11:43:51 -0700
+Subject: net: phy: broadcom: Fix RGMII delays configuration for BCM54210E
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+commit fea7fda7f50a6059220f83251e70709e45cc8040 upstream.
+
+Commit 0fc9ae107669 ("net: phy: broadcom: add support for
+BCM54210E") added support for BCM54210E but also unconditionally cleared
+the RXC to RXD skew and the TXD to TXC skew, thus only making
+PHY_INTERFACE_MODE_RGMII a possible configuration. Use
+bcm54xx_config_clock_delay() which correctly sets the registers
+depending on the 4 possible PHY interface values that exist for RGMII.
+
+Fixes: 0fc9ae107669 ("net: phy: broadcom: add support for BCM54210E")
+Reported-by: Manasa Mudireddy <manasa.mudireddy@broadcom.com>
+Reported-by: Ray Jui <ray.jui@broadcom.com>
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/phy/broadcom.c | 11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/phy/broadcom.c
++++ b/drivers/net/phy/broadcom.c
+@@ -26,18 +26,13 @@ MODULE_DESCRIPTION("Broadcom PHY driver"
+ MODULE_AUTHOR("Maciej W. Rozycki");
+ MODULE_LICENSE("GPL");
+
++static int bcm54xx_config_clock_delay(struct phy_device *phydev);
++
+ static int bcm54210e_config_init(struct phy_device *phydev)
+ {
+ int val;
+
+- val = bcm54xx_auxctl_read(phydev, MII_BCM54XX_AUXCTL_SHDWSEL_MISC);
+- val &= ~MII_BCM54XX_AUXCTL_SHDWSEL_MISC_RGMII_SKEW_EN;
+- val |= MII_BCM54XX_AUXCTL_MISC_WREN;
+- bcm54xx_auxctl_write(phydev, MII_BCM54XX_AUXCTL_SHDWSEL_MISC, val);
+-
+- val = bcm_phy_read_shadow(phydev, BCM54810_SHD_CLK_CTL);
+- val &= ~BCM54810_SHD_CLK_CTL_GTXCLK_EN;
+- bcm_phy_write_shadow(phydev, BCM54810_SHD_CLK_CTL, val);
++ bcm54xx_config_clock_delay(phydev);
+
+ if (phydev->dev_flags & PHY_BRCM_EN_MASTER_MODE) {
+ val = phy_read(phydev, MII_CTRL1000);
--- /dev/null
+From 82b5d164415549e74cfa1f9156ffd4463d0a76e2 Mon Sep 17 00:00:00 2001
+From: Wei Yongjun <weiyongjun1@huawei.com>
+Date: Wed, 4 Sep 2019 11:40:14 +0000
+Subject: phy: lantiq: vrx200-pcie: fix error return code in ltq_vrx200_pcie_phy_power_on()
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+commit 82b5d164415549e74cfa1f9156ffd4463d0a76e2 upstream.
+
+Fix to return a negative error code from the error handling
+case instead of 0, as done elsewhere in this function.
+
+Fixes: e52a632195bf ("phy: lantiq: vrx200-pcie: add a driver for the Lantiq VRX200 PCIe PHY")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Reviewed-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/phy/lantiq/phy-lantiq-vrx200-pcie.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/phy/lantiq/phy-lantiq-vrx200-pcie.c
++++ b/drivers/phy/lantiq/phy-lantiq-vrx200-pcie.c
+@@ -323,7 +323,8 @@ static int ltq_vrx200_pcie_phy_power_on(
+ goto err_disable_pdi_clk;
+
+ /* Check if we are in "startup ready" status */
+- if (ltq_vrx200_pcie_phy_wait_for_pll(phy) != 0)
++ ret = ltq_vrx200_pcie_phy_wait_for_pll(phy);
++ if (ret)
+ goto err_disable_phy_clk;
+
+ ltq_vrx200_pcie_phy_apply_workarounds(phy);
--- /dev/null
+From 316b429459066215abb50060873ec0832efc4044 Mon Sep 17 00:00:00 2001
+From: Grygorii Strashko <grygorii.strashko@ti.com>
+Date: Wed, 23 Oct 2019 17:47:44 +0300
+Subject: phy: ti: gmii-sel: fix mac tx internal delay for rgmii-rxid
+
+From: Grygorii Strashko <grygorii.strashko@ti.com>
+
+commit 316b429459066215abb50060873ec0832efc4044 upstream.
+
+Now phy-gmii-sel will disable MAC TX internal delay for PHY interface mode
+"rgmii-rxid" which is incorrect.
+Hence, fix it by enabling MAC TX internal delay in the case of "rgmii-rxid"
+mode.
+
+Fixes: 92b58b34741f ("phy: ti: introduce phy-gmii-sel driver")
+Signed-off-by: Grygorii Strashko <grygorii.strashko@ti.com>
+Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/phy/ti/phy-gmii-sel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/phy/ti/phy-gmii-sel.c
++++ b/drivers/phy/ti/phy-gmii-sel.c
+@@ -69,11 +69,11 @@ static int phy_gmii_sel_mode(struct phy
+ break;
+
+ case PHY_INTERFACE_MODE_RGMII:
++ case PHY_INTERFACE_MODE_RGMII_RXID:
+ gmii_sel_mode = AM33XX_GMII_SEL_MODE_RGMII;
+ break;
+
+ case PHY_INTERFACE_MODE_RGMII_ID:
+- case PHY_INTERFACE_MODE_RGMII_RXID:
+ case PHY_INTERFACE_MODE_RGMII_TXID:
+ gmii_sel_mode = AM33XX_GMII_SEL_MODE_RGMII;
+ rgmii_id = 1;
--- /dev/null
+From b6afd1234cf93aa0d71b4be4788c47534905f0be Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ardb@kernel.org>
+Date: Wed, 4 Dec 2019 11:50:15 +0000
+Subject: powerpc/archrandom: fix arch_get_random_seed_int()
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+commit b6afd1234cf93aa0d71b4be4788c47534905f0be upstream.
+
+Commit 01c9348c7620ec65
+
+ powerpc: Use hardware RNG for arch_get_random_seed_* not arch_get_random_*
+
+updated arch_get_random_[int|long]() to be NOPs, and moved the hardware
+RNG backing to arch_get_random_seed_[int|long]() instead. However, it
+failed to take into account that arch_get_random_int() was implemented
+in terms of arch_get_random_long(), and so we ended up with a version
+of the former that is essentially a NOP as well.
+
+Fix this by calling arch_get_random_seed_long() from
+arch_get_random_seed_int() instead.
+
+Fixes: 01c9348c7620ec65 ("powerpc: Use hardware RNG for arch_get_random_seed_* not arch_get_random_*")
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20191204115015.18015-1-ardb@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/archrandom.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/include/asm/archrandom.h
++++ b/arch/powerpc/include/asm/archrandom.h
+@@ -28,7 +28,7 @@ static inline int arch_get_random_seed_i
+ unsigned long val;
+ int rc;
+
+- rc = arch_get_random_long(&val);
++ rc = arch_get_random_seed_long(&val);
+ if (rc)
+ *v = val;
+
--- /dev/null
+From 71eb40fc53371bc247c8066ae76ad9e22ae1e18d Mon Sep 17 00:00:00 2001
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+Date: Fri, 29 Nov 2019 14:26:41 +0000
+Subject: powerpc/kasan: Fix boot failure with RELOCATABLE && FSL_BOOKE
+
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+
+commit 71eb40fc53371bc247c8066ae76ad9e22ae1e18d upstream.
+
+When enabling CONFIG_RELOCATABLE and CONFIG_KASAN on FSL_BOOKE,
+the kernel doesn't boot.
+
+relocate_init() requires KASAN early shadow area to be set up because
+it needs access to the device tree through generic functions.
+
+Call kasan_early_init() before calling relocate_init()
+
+Reported-by: Lexi Shao <shaolexi@huawei.com>
+Fixes: 2edb16efc899 ("powerpc/32: Add KASAN support")
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/b58426f1664a4b344ff696d18cacf3b3e8962111.1575036985.git.christophe.leroy@c-s.fr
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/head_fsl_booke.S | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/powerpc/kernel/head_fsl_booke.S
++++ b/arch/powerpc/kernel/head_fsl_booke.S
+@@ -238,6 +238,9 @@ set_ivor:
+
+ bl early_init
+
++#ifdef CONFIG_KASAN
++ bl kasan_early_init
++#endif
+ #ifdef CONFIG_RELOCATABLE
+ mr r3,r30
+ mr r4,r31
+@@ -264,9 +267,6 @@ set_ivor:
+ /*
+ * Decide what sort of machine this is and initialize the MMU.
+ */
+-#ifdef CONFIG_KASAN
+- bl kasan_early_init
+-#endif
+ mr r3,r30
+ mr r4,r31
+ bl machine_init
--- /dev/null
+From 0a87ccd3699983645f54cafd2258514a716b20b8 Mon Sep 17 00:00:00 2001
+From: Tyrel Datwyler <tyreld@linux.ibm.com>
+Date: Sun, 10 Nov 2019 23:21:37 -0600
+Subject: powerpc/pseries: Enable support for ibm,drc-info property
+
+From: Tyrel Datwyler <tyreld@linux.ibm.com>
+
+commit 0a87ccd3699983645f54cafd2258514a716b20b8 upstream.
+
+Advertise client support for the PAPR architected ibm,drc-info device
+tree property during CAS handshake.
+
+Fixes: c7a3275e0f9e ("powerpc/pseries: Revert support for ibm,drc-info devtree property")
+Signed-off-by: Tyrel Datwyler <tyreld@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/1573449697-5448-11-git-send-email-tyreld@linux.ibm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kernel/prom_init.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/prom_init.c
++++ b/arch/powerpc/kernel/prom_init.c
+@@ -1053,7 +1053,7 @@ static const struct ibm_arch_vec ibm_arc
+ .reserved2 = 0,
+ .reserved3 = 0,
+ .subprocessors = 1,
+- .byte22 = OV5_FEAT(OV5_DRMEM_V2),
++ .byte22 = OV5_FEAT(OV5_DRMEM_V2) | OV5_FEAT(OV5_DRC_INFO),
+ .intarch = 0,
+ .mmu = 0,
+ .hash_ext = 0,
--- /dev/null
+From 3b05a1e517e1a8cfda4866ec31d28b2bc4fee4c4 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Mon, 21 Oct 2019 16:23:09 +0200
+Subject: powerpc/security: Fix debugfs data leak on 32-bit
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+commit 3b05a1e517e1a8cfda4866ec31d28b2bc4fee4c4 upstream.
+
+"powerpc_security_features" is "unsigned long", i.e. 32-bit or 64-bit,
+depending on the platform (PPC_FSL_BOOK3E or PPC_BOOK3S_64). Hence
+casting its address to "u64 *", and calling debugfs_create_x64() is
+wrong, and leaks 32-bit of nearby data to userspace on 32-bit platforms.
+
+While all currently defined SEC_FTR_* security feature flags fit in
+32-bit, they all have "ULL" suffixes to make them 64-bit constants.
+Hence fix the leak by changing the type of "powerpc_security_features"
+(and the parameter types of its accessors) to "u64". This also allows
+to drop the cast.
+
+Fixes: 398af571128fe75f ("powerpc/security: Show powerpc_security_features in debugfs")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20191021142309.28105-1-geert+renesas@glider.be
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/include/asm/security_features.h | 8 ++++----
+ arch/powerpc/kernel/security.c | 4 ++--
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/arch/powerpc/include/asm/security_features.h
++++ b/arch/powerpc/include/asm/security_features.h
+@@ -9,7 +9,7 @@
+ #define _ASM_POWERPC_SECURITY_FEATURES_H
+
+
+-extern unsigned long powerpc_security_features;
++extern u64 powerpc_security_features;
+ extern bool rfi_flush;
+
+ /* These are bit flags */
+@@ -24,17 +24,17 @@ void setup_stf_barrier(void);
+ void do_stf_barrier_fixups(enum stf_barrier_type types);
+ void setup_count_cache_flush(void);
+
+-static inline void security_ftr_set(unsigned long feature)
++static inline void security_ftr_set(u64 feature)
+ {
+ powerpc_security_features |= feature;
+ }
+
+-static inline void security_ftr_clear(unsigned long feature)
++static inline void security_ftr_clear(u64 feature)
+ {
+ powerpc_security_features &= ~feature;
+ }
+
+-static inline bool security_ftr_enabled(unsigned long feature)
++static inline bool security_ftr_enabled(u64 feature)
+ {
+ return !!(powerpc_security_features & feature);
+ }
+--- a/arch/powerpc/kernel/security.c
++++ b/arch/powerpc/kernel/security.c
+@@ -16,7 +16,7 @@
+ #include <asm/setup.h>
+
+
+-unsigned long powerpc_security_features __read_mostly = SEC_FTR_DEFAULT;
++u64 powerpc_security_features __read_mostly = SEC_FTR_DEFAULT;
+
+ enum count_cache_flush_type {
+ COUNT_CACHE_FLUSH_NONE = 0x1,
+@@ -109,7 +109,7 @@ device_initcall(barrier_nospec_debugfs_i
+ static __init int security_feature_debugfs_init(void)
+ {
+ debugfs_create_x64("security_features", 0400, powerpc_debugfs_root,
+- (u64 *)&powerpc_security_features);
++ &powerpc_security_features);
+ return 0;
+ }
+ device_initcall(security_feature_debugfs_init);
--- /dev/null
+From edbca120a8cdfa5a5793707e33497aa5185875ca Mon Sep 17 00:00:00 2001
+From: Jesper Dangaard Brouer <brouer@redhat.com>
+Date: Mon, 2 Dec 2019 13:37:31 +0100
+Subject: samples/bpf: Fix broken xdp_rxq_info due to map order assumptions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jesper Dangaard Brouer <brouer@redhat.com>
+
+commit edbca120a8cdfa5a5793707e33497aa5185875ca upstream.
+
+In the days of using bpf_load.c the order in which the 'maps' sections
+were defines in BPF side (*_kern.c) file, were used by userspace side
+to identify the map via using the map order as an index. In effect the
+order-index is created based on the order the maps sections are stored
+in the ELF-object file, by the LLVM compiler.
+
+This have also carried over in libbpf via API bpf_map__next(NULL, obj)
+to extract maps in the order libbpf parsed the ELF-object file.
+
+When BTF based maps were introduced a new section type ".maps" were
+created. I found that the LLVM compiler doesn't create the ".maps"
+sections in the order they are defined in the C-file. The order in the
+ELF file is based on the order the map pointer is referenced in the code.
+
+This combination of changes lead to xdp_rxq_info mixing up the map
+file-descriptors in userspace, resulting in very broken behaviour, but
+without warning the user.
+
+This patch fix issue by instead using bpf_object__find_map_by_name()
+to find maps via their names. (Note, this is the ELF name, which can
+be longer than the name the kernel retains).
+
+Fixes: be5bca44aa6b ("samples: bpf: convert some XDP samples from bpf_load to libbpf")
+Fixes: 451d1dc886b5 ("samples: bpf: update map definition to new syntax BTF-defined map")
+Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Acked-by: Andrii Nakryiko <andriin@fb.com>
+Link: https://lore.kernel.org/bpf/157529025128.29832.5953245340679936909.stgit@firesoul
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ samples/bpf/xdp_rxq_info_user.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/samples/bpf/xdp_rxq_info_user.c
++++ b/samples/bpf/xdp_rxq_info_user.c
+@@ -489,9 +489,9 @@ int main(int argc, char **argv)
+ if (bpf_prog_load_xattr(&prog_load_attr, &obj, &prog_fd))
+ return EXIT_FAIL;
+
+- map = bpf_map__next(NULL, obj);
+- stats_global_map = bpf_map__next(map, obj);
+- rx_queue_index_map = bpf_map__next(stats_global_map, obj);
++ map = bpf_object__find_map_by_name(obj, "config_map");
++ stats_global_map = bpf_object__find_map_by_name(obj, "stats_global_map");
++ rx_queue_index_map = bpf_object__find_map_by_name(obj, "rx_queue_index_map");
+ if (!map || !stats_global_map || !rx_queue_index_map) {
+ printf("finding a map in obj file failed\n");
+ return EXIT_FAIL;
--- /dev/null
+From 451d1dc886b548d6e18c933adca326c1307023c9 Mon Sep 17 00:00:00 2001
+From: "Daniel T. Lee" <danieltimlee@gmail.com>
+Date: Thu, 7 Nov 2019 09:51:53 +0900
+Subject: samples: bpf: update map definition to new syntax BTF-defined map
+
+From: Daniel T. Lee <danieltimlee@gmail.com>
+
+commit 451d1dc886b548d6e18c933adca326c1307023c9 upstream.
+
+Since, the new syntax of BTF-defined map has been introduced,
+the syntax for using maps under samples directory are mixed up.
+For example, some are already using the new syntax, and some are using
+existing syntax by calling them as 'legacy'.
+
+As stated at commit abd29c931459 ("libbpf: allow specifying map
+definitions using BTF"), the BTF-defined map has more compatablility
+with extending supported map definition features.
+
+The commit doesn't replace all of the map to new BTF-defined map,
+because some of the samples still use bpf_load instead of libbpf, which
+can't properly create BTF-defined map.
+
+This will only updates the samples which uses libbpf API for loading bpf
+program. (ex. bpf_prog_load_xattr)
+
+Signed-off-by: Daniel T. Lee <danieltimlee@gmail.com>
+Acked-by: Andrii Nakryiko <andriin@fb.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ samples/bpf/sockex1_kern.c | 12 ++--
+ samples/bpf/sockex2_kern.c | 12 ++--
+ samples/bpf/xdp1_kern.c | 12 ++--
+ samples/bpf/xdp2_kern.c | 12 ++--
+ samples/bpf/xdp_adjust_tail_kern.c | 12 ++--
+ samples/bpf/xdp_fwd_kern.c | 13 ++--
+ samples/bpf/xdp_redirect_cpu_kern.c | 108 ++++++++++++++++++------------------
+ samples/bpf/xdp_redirect_kern.c | 24 ++++----
+ samples/bpf/xdp_redirect_map_kern.c | 24 ++++----
+ samples/bpf/xdp_router_ipv4_kern.c | 64 ++++++++++-----------
+ samples/bpf/xdp_rxq_info_kern.c | 37 ++++++------
+ samples/bpf/xdp_tx_iptunnel_kern.c | 24 ++++----
+ 12 files changed, 177 insertions(+), 177 deletions(-)
+
+--- a/samples/bpf/sockex1_kern.c
++++ b/samples/bpf/sockex1_kern.c
+@@ -4,12 +4,12 @@
+ #include <uapi/linux/ip.h>
+ #include "bpf_helpers.h"
+
+-struct bpf_map_def SEC("maps") my_map = {
+- .type = BPF_MAP_TYPE_ARRAY,
+- .key_size = sizeof(u32),
+- .value_size = sizeof(long),
+- .max_entries = 256,
+-};
++struct {
++ __uint(type, BPF_MAP_TYPE_ARRAY);
++ __type(key, u32);
++ __type(value, long);
++ __uint(max_entries, 256);
++} my_map SEC(".maps");
+
+ SEC("socket1")
+ int bpf_prog1(struct __sk_buff *skb)
+--- a/samples/bpf/sockex2_kern.c
++++ b/samples/bpf/sockex2_kern.c
+@@ -189,12 +189,12 @@ struct pair {
+ long bytes;
+ };
+
+-struct bpf_map_def SEC("maps") hash_map = {
+- .type = BPF_MAP_TYPE_HASH,
+- .key_size = sizeof(__be32),
+- .value_size = sizeof(struct pair),
+- .max_entries = 1024,
+-};
++struct {
++ __uint(type, BPF_MAP_TYPE_HASH);
++ __type(key, __be32);
++ __type(value, struct pair);
++ __uint(max_entries, 1024);
++} hash_map SEC(".maps");
+
+ SEC("socket2")
+ int bpf_prog2(struct __sk_buff *skb)
+--- a/samples/bpf/xdp1_kern.c
++++ b/samples/bpf/xdp1_kern.c
+@@ -14,12 +14,12 @@
+ #include <linux/ipv6.h>
+ #include "bpf_helpers.h"
+
+-struct bpf_map_def SEC("maps") rxcnt = {
+- .type = BPF_MAP_TYPE_PERCPU_ARRAY,
+- .key_size = sizeof(u32),
+- .value_size = sizeof(long),
+- .max_entries = 256,
+-};
++struct {
++ __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
++ __type(key, u32);
++ __type(value, long);
++ __uint(max_entries, 256);
++} rxcnt SEC(".maps");
+
+ static int parse_ipv4(void *data, u64 nh_off, void *data_end)
+ {
+--- a/samples/bpf/xdp2_kern.c
++++ b/samples/bpf/xdp2_kern.c
+@@ -14,12 +14,12 @@
+ #include <linux/ipv6.h>
+ #include "bpf_helpers.h"
+
+-struct bpf_map_def SEC("maps") rxcnt = {
+- .type = BPF_MAP_TYPE_PERCPU_ARRAY,
+- .key_size = sizeof(u32),
+- .value_size = sizeof(long),
+- .max_entries = 256,
+-};
++struct {
++ __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
++ __type(key, u32);
++ __type(value, long);
++ __uint(max_entries, 256);
++} rxcnt SEC(".maps");
+
+ static void swap_src_dst_mac(void *data)
+ {
+--- a/samples/bpf/xdp_adjust_tail_kern.c
++++ b/samples/bpf/xdp_adjust_tail_kern.c
+@@ -25,12 +25,12 @@
+ #define ICMP_TOOBIG_SIZE 98
+ #define ICMP_TOOBIG_PAYLOAD_SIZE 92
+
+-struct bpf_map_def SEC("maps") icmpcnt = {
+- .type = BPF_MAP_TYPE_ARRAY,
+- .key_size = sizeof(__u32),
+- .value_size = sizeof(__u64),
+- .max_entries = 1,
+-};
++struct {
++ __uint(type, BPF_MAP_TYPE_ARRAY);
++ __type(key, __u32);
++ __type(value, __u64);
++ __uint(max_entries, 1);
++} icmpcnt SEC(".maps");
+
+ static __always_inline void count_icmp(void)
+ {
+--- a/samples/bpf/xdp_fwd_kern.c
++++ b/samples/bpf/xdp_fwd_kern.c
+@@ -23,13 +23,12 @@
+
+ #define IPV6_FLOWINFO_MASK cpu_to_be32(0x0FFFFFFF)
+
+-/* For TX-traffic redirect requires net_device ifindex to be in this devmap */
+-struct bpf_map_def SEC("maps") xdp_tx_ports = {
+- .type = BPF_MAP_TYPE_DEVMAP,
+- .key_size = sizeof(int),
+- .value_size = sizeof(int),
+- .max_entries = 64,
+-};
++struct {
++ __uint(type, BPF_MAP_TYPE_DEVMAP);
++ __uint(key_size, sizeof(int));
++ __uint(value_size, sizeof(int));
++ __uint(max_entries, 64);
++} xdp_tx_ports SEC(".maps");
+
+ /* from include/net/ip.h */
+ static __always_inline int ip_decrease_ttl(struct iphdr *iph)
+--- a/samples/bpf/xdp_redirect_cpu_kern.c
++++ b/samples/bpf/xdp_redirect_cpu_kern.c
+@@ -18,12 +18,12 @@
+ #define MAX_CPUS 64 /* WARNING - sync with _user.c */
+
+ /* Special map type that can XDP_REDIRECT frames to another CPU */
+-struct bpf_map_def SEC("maps") cpu_map = {
+- .type = BPF_MAP_TYPE_CPUMAP,
+- .key_size = sizeof(u32),
+- .value_size = sizeof(u32),
+- .max_entries = MAX_CPUS,
+-};
++struct {
++ __uint(type, BPF_MAP_TYPE_CPUMAP);
++ __uint(key_size, sizeof(u32));
++ __uint(value_size, sizeof(u32));
++ __uint(max_entries, MAX_CPUS);
++} cpu_map SEC(".maps");
+
+ /* Common stats data record to keep userspace more simple */
+ struct datarec {
+@@ -35,67 +35,67 @@ struct datarec {
+ /* Count RX packets, as XDP bpf_prog doesn't get direct TX-success
+ * feedback. Redirect TX errors can be caught via a tracepoint.
+ */
+-struct bpf_map_def SEC("maps") rx_cnt = {
+- .type = BPF_MAP_TYPE_PERCPU_ARRAY,
+- .key_size = sizeof(u32),
+- .value_size = sizeof(struct datarec),
+- .max_entries = 1,
+-};
++struct {
++ __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
++ __type(key, u32);
++ __type(value, struct datarec);
++ __uint(max_entries, 1);
++} rx_cnt SEC(".maps");
+
+ /* Used by trace point */
+-struct bpf_map_def SEC("maps") redirect_err_cnt = {
+- .type = BPF_MAP_TYPE_PERCPU_ARRAY,
+- .key_size = sizeof(u32),
+- .value_size = sizeof(struct datarec),
+- .max_entries = 2,
++struct {
++ __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
++ __type(key, u32);
++ __type(value, struct datarec);
++ __uint(max_entries, 2);
+ /* TODO: have entries for all possible errno's */
+-};
++} redirect_err_cnt SEC(".maps");
+
+ /* Used by trace point */
+-struct bpf_map_def SEC("maps") cpumap_enqueue_cnt = {
+- .type = BPF_MAP_TYPE_PERCPU_ARRAY,
+- .key_size = sizeof(u32),
+- .value_size = sizeof(struct datarec),
+- .max_entries = MAX_CPUS,
+-};
++struct {
++ __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
++ __type(key, u32);
++ __type(value, struct datarec);
++ __uint(max_entries, MAX_CPUS);
++} cpumap_enqueue_cnt SEC(".maps");
+
+ /* Used by trace point */
+-struct bpf_map_def SEC("maps") cpumap_kthread_cnt = {
+- .type = BPF_MAP_TYPE_PERCPU_ARRAY,
+- .key_size = sizeof(u32),
+- .value_size = sizeof(struct datarec),
+- .max_entries = 1,
+-};
++struct {
++ __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
++ __type(key, u32);
++ __type(value, struct datarec);
++ __uint(max_entries, 1);
++} cpumap_kthread_cnt SEC(".maps");
+
+ /* Set of maps controlling available CPU, and for iterating through
+ * selectable redirect CPUs.
+ */
+-struct bpf_map_def SEC("maps") cpus_available = {
+- .type = BPF_MAP_TYPE_ARRAY,
+- .key_size = sizeof(u32),
+- .value_size = sizeof(u32),
+- .max_entries = MAX_CPUS,
+-};
+-struct bpf_map_def SEC("maps") cpus_count = {
+- .type = BPF_MAP_TYPE_ARRAY,
+- .key_size = sizeof(u32),
+- .value_size = sizeof(u32),
+- .max_entries = 1,
+-};
+-struct bpf_map_def SEC("maps") cpus_iterator = {
+- .type = BPF_MAP_TYPE_PERCPU_ARRAY,
+- .key_size = sizeof(u32),
+- .value_size = sizeof(u32),
+- .max_entries = 1,
+-};
++struct {
++ __uint(type, BPF_MAP_TYPE_ARRAY);
++ __type(key, u32);
++ __type(value, u32);
++ __uint(max_entries, MAX_CPUS);
++} cpus_available SEC(".maps");
++struct {
++ __uint(type, BPF_MAP_TYPE_ARRAY);
++ __type(key, u32);
++ __type(value, u32);
++ __uint(max_entries, 1);
++} cpus_count SEC(".maps");
++struct {
++ __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
++ __type(key, u32);
++ __type(value, u32);
++ __uint(max_entries, 1);
++} cpus_iterator SEC(".maps");
+
+ /* Used by trace point */
+-struct bpf_map_def SEC("maps") exception_cnt = {
+- .type = BPF_MAP_TYPE_PERCPU_ARRAY,
+- .key_size = sizeof(u32),
+- .value_size = sizeof(struct datarec),
+- .max_entries = 1,
+-};
++struct {
++ __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
++ __type(key, u32);
++ __type(value, struct datarec);
++ __uint(max_entries, 1);
++} exception_cnt SEC(".maps");
+
+ /* Helper parse functions */
+
+--- a/samples/bpf/xdp_redirect_kern.c
++++ b/samples/bpf/xdp_redirect_kern.c
+@@ -19,22 +19,22 @@
+ #include <linux/ipv6.h>
+ #include "bpf_helpers.h"
+
+-struct bpf_map_def SEC("maps") tx_port = {
+- .type = BPF_MAP_TYPE_ARRAY,
+- .key_size = sizeof(int),
+- .value_size = sizeof(int),
+- .max_entries = 1,
+-};
++struct {
++ __uint(type, BPF_MAP_TYPE_ARRAY);
++ __type(key, int);
++ __type(value, int);
++ __uint(max_entries, 1);
++} tx_port SEC(".maps");
+
+ /* Count RX packets, as XDP bpf_prog doesn't get direct TX-success
+ * feedback. Redirect TX errors can be caught via a tracepoint.
+ */
+-struct bpf_map_def SEC("maps") rxcnt = {
+- .type = BPF_MAP_TYPE_PERCPU_ARRAY,
+- .key_size = sizeof(u32),
+- .value_size = sizeof(long),
+- .max_entries = 1,
+-};
++struct {
++ __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
++ __type(key, u32);
++ __type(value, long);
++ __uint(max_entries, 1);
++} rxcnt SEC(".maps");
+
+ static void swap_src_dst_mac(void *data)
+ {
+--- a/samples/bpf/xdp_redirect_map_kern.c
++++ b/samples/bpf/xdp_redirect_map_kern.c
+@@ -19,22 +19,22 @@
+ #include <linux/ipv6.h>
+ #include "bpf_helpers.h"
+
+-struct bpf_map_def SEC("maps") tx_port = {
+- .type = BPF_MAP_TYPE_DEVMAP,
+- .key_size = sizeof(int),
+- .value_size = sizeof(int),
+- .max_entries = 100,
+-};
++struct {
++ __uint(type, BPF_MAP_TYPE_DEVMAP);
++ __uint(key_size, sizeof(int));
++ __uint(value_size, sizeof(int));
++ __uint(max_entries, 100);
++} tx_port SEC(".maps");
+
+ /* Count RX packets, as XDP bpf_prog doesn't get direct TX-success
+ * feedback. Redirect TX errors can be caught via a tracepoint.
+ */
+-struct bpf_map_def SEC("maps") rxcnt = {
+- .type = BPF_MAP_TYPE_PERCPU_ARRAY,
+- .key_size = sizeof(u32),
+- .value_size = sizeof(long),
+- .max_entries = 1,
+-};
++struct {
++ __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
++ __type(key, u32);
++ __type(value, long);
++ __uint(max_entries, 1);
++} rxcnt SEC(".maps");
+
+ static void swap_src_dst_mac(void *data)
+ {
+--- a/samples/bpf/xdp_router_ipv4_kern.c
++++ b/samples/bpf/xdp_router_ipv4_kern.c
+@@ -42,44 +42,44 @@ struct direct_map {
+ };
+
+ /* Map for trie implementation*/
+-struct bpf_map_def SEC("maps") lpm_map = {
+- .type = BPF_MAP_TYPE_LPM_TRIE,
+- .key_size = 8,
+- .value_size = sizeof(struct trie_value),
+- .max_entries = 50,
+- .map_flags = BPF_F_NO_PREALLOC,
+-};
++struct {
++ __uint(type, BPF_MAP_TYPE_LPM_TRIE);
++ __uint(key_size, 8);
++ __uint(value_size, sizeof(struct trie_value));
++ __uint(max_entries, 50);
++ __uint(map_flags, BPF_F_NO_PREALLOC);
++} lpm_map SEC(".maps");
+
+ /* Map for counter*/
+-struct bpf_map_def SEC("maps") rxcnt = {
+- .type = BPF_MAP_TYPE_PERCPU_ARRAY,
+- .key_size = sizeof(u32),
+- .value_size = sizeof(u64),
+- .max_entries = 256,
+-};
++struct {
++ __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
++ __type(key, u32);
++ __type(value, u64);
++ __uint(max_entries, 256);
++} rxcnt SEC(".maps");
+
+ /* Map for ARP table*/
+-struct bpf_map_def SEC("maps") arp_table = {
+- .type = BPF_MAP_TYPE_HASH,
+- .key_size = sizeof(__be32),
+- .value_size = sizeof(__be64),
+- .max_entries = 50,
+-};
++struct {
++ __uint(type, BPF_MAP_TYPE_HASH);
++ __type(key, __be32);
++ __type(value, __be64);
++ __uint(max_entries, 50);
++} arp_table SEC(".maps");
+
+ /* Map to keep the exact match entries in the route table*/
+-struct bpf_map_def SEC("maps") exact_match = {
+- .type = BPF_MAP_TYPE_HASH,
+- .key_size = sizeof(__be32),
+- .value_size = sizeof(struct direct_map),
+- .max_entries = 50,
+-};
+-
+-struct bpf_map_def SEC("maps") tx_port = {
+- .type = BPF_MAP_TYPE_DEVMAP,
+- .key_size = sizeof(int),
+- .value_size = sizeof(int),
+- .max_entries = 100,
+-};
++struct {
++ __uint(type, BPF_MAP_TYPE_HASH);
++ __type(key, __be32);
++ __type(value, struct direct_map);
++ __uint(max_entries, 50);
++} exact_match SEC(".maps");
++
++struct {
++ __uint(type, BPF_MAP_TYPE_DEVMAP);
++ __uint(key_size, sizeof(int));
++ __uint(value_size, sizeof(int));
++ __uint(max_entries, 100);
++} tx_port SEC(".maps");
+
+ /* Function to set source and destination mac of the packet */
+ static inline void set_src_dst_mac(void *data, void *src, void *dst)
+--- a/samples/bpf/xdp_rxq_info_kern.c
++++ b/samples/bpf/xdp_rxq_info_kern.c
+@@ -23,12 +23,13 @@ enum cfg_options_flags {
+ READ_MEM = 0x1U,
+ SWAP_MAC = 0x2U,
+ };
+-struct bpf_map_def SEC("maps") config_map = {
+- .type = BPF_MAP_TYPE_ARRAY,
+- .key_size = sizeof(int),
+- .value_size = sizeof(struct config),
+- .max_entries = 1,
+-};
++
++struct {
++ __uint(type, BPF_MAP_TYPE_ARRAY);
++ __type(key, int);
++ __type(value, struct config);
++ __uint(max_entries, 1);
++} config_map SEC(".maps");
+
+ /* Common stats data record (shared with userspace) */
+ struct datarec {
+@@ -36,22 +37,22 @@ struct datarec {
+ __u64 issue;
+ };
+
+-struct bpf_map_def SEC("maps") stats_global_map = {
+- .type = BPF_MAP_TYPE_PERCPU_ARRAY,
+- .key_size = sizeof(u32),
+- .value_size = sizeof(struct datarec),
+- .max_entries = 1,
+-};
++struct {
++ __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
++ __type(key, u32);
++ __type(value, struct datarec);
++ __uint(max_entries, 1);
++} stats_global_map SEC(".maps");
+
+ #define MAX_RXQs 64
+
+ /* Stats per rx_queue_index (per CPU) */
+-struct bpf_map_def SEC("maps") rx_queue_index_map = {
+- .type = BPF_MAP_TYPE_PERCPU_ARRAY,
+- .key_size = sizeof(u32),
+- .value_size = sizeof(struct datarec),
+- .max_entries = MAX_RXQs + 1,
+-};
++struct {
++ __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
++ __type(key, u32);
++ __type(value, struct datarec);
++ __uint(max_entries, MAX_RXQs + 1);
++} rx_queue_index_map SEC(".maps");
+
+ static __always_inline
+ void swap_src_dst_mac(void *data)
+--- a/samples/bpf/xdp_tx_iptunnel_kern.c
++++ b/samples/bpf/xdp_tx_iptunnel_kern.c
+@@ -19,19 +19,19 @@
+ #include "bpf_helpers.h"
+ #include "xdp_tx_iptunnel_common.h"
+
+-struct bpf_map_def SEC("maps") rxcnt = {
+- .type = BPF_MAP_TYPE_PERCPU_ARRAY,
+- .key_size = sizeof(__u32),
+- .value_size = sizeof(__u64),
+- .max_entries = 256,
+-};
++struct {
++ __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
++ __type(key, __u32);
++ __type(value, __u64);
++ __uint(max_entries, 256);
++} rxcnt SEC(".maps");
+
+-struct bpf_map_def SEC("maps") vip2tnl = {
+- .type = BPF_MAP_TYPE_HASH,
+- .key_size = sizeof(struct vip),
+- .value_size = sizeof(struct iptnl_info),
+- .max_entries = MAX_IPTNL_ENTRIES,
+-};
++struct {
++ __uint(type, BPF_MAP_TYPE_HASH);
++ __type(key, struct vip);
++ __type(value, struct iptnl_info);
++ __uint(max_entries, MAX_IPTNL_ENTRIES);
++} vip2tnl SEC(".maps");
+
+ static __always_inline void count_tx(u32 protocol)
+ {
drm-i915-fix-pid-leak-with-banned-clients.patch
+libbpf-fix-compatibility-for-kernels-without-need_wakeup.patch
+libbpf-fix-memory-leak-double-free-issue.patch
+libbpf-fix-potential-overflow-issue.patch
+libbpf-fix-another-potential-overflow-issue-in-bpf_prog_linfo.patch
+libbpf-make-btf__resolve_size-logic-always-check-size-error-condition.patch
+libbpf-fix-call-relocation-offset-calculation-bug.patch
+bpf-force-.btf-section-start-to-zero-when-dumping-from-vmlinux.patch
+samples-bpf-update-map-definition-to-new-syntax-btf-defined-map.patch
+samples-bpf-fix-broken-xdp_rxq_info-due-to-map-order-assumptions.patch
+arm-dts-logicpd-torpedo-37xx-devkit-28-reference-new-drm-panel.patch
+arm-omap2-add-missing-put_device-call-in-omapdss_init_of.patch
+xfs-sanity-check-flags-of-q_xquotarm-call.patch
+i2c-stm32f7-rework-slave_id-allocation.patch
+i2c-i2c-stm32f7-fix-10-bits-check-in-slave-free-id-search-loop.patch
+mfd-intel-lpss-add-default-i2c-device-properties-for-gemini-lake.patch
+sunrpc-fix-svcauth_gss_proxy_init.patch
+sunrpc-fix-backchannel-latency-metrics.patch
+powerpc-security-fix-debugfs-data-leak-on-32-bit.patch
+powerpc-pseries-enable-support-for-ibm-drc-info-property.patch
+powerpc-kasan-fix-boot-failure-with-relocatable-fsl_booke.patch
+powerpc-archrandom-fix-arch_get_random_seed_int.patch
+tipc-reduce-sensitive-to-retransmit-failures.patch
+tipc-update-mon-s-self-addr-when-node-addr-generated.patch
+tipc-fix-potential-memory-leak-in-__tipc_sendmsg.patch
+tipc-fix-wrong-socket-reference-counter-after-tipc_sk_timeout-returns.patch
+tipc-fix-wrong-timeout-input-for-tipc_wait_for_cond.patch
+net-mlx5e-fix-free-peer_flow-when-refcount-is-0.patch
+phy-lantiq-vrx200-pcie-fix-error-return-code-in-ltq_vrx200_pcie_phy_power_on.patch
+net-phy-broadcom-fix-rgmii-delays-configuration-for-bcm54210e.patch
+phy-ti-gmii-sel-fix-mac-tx-internal-delay-for-rgmii-rxid.patch
+mt76-mt76u-fix-endpoint-definition-order.patch
+mt7601u-fix-bbp-version-check-in-mt7601u_wait_bbp_ready.patch
+ice-fix-stack-leakage.patch
--- /dev/null
+From 8729aaba74626c4ebce3abf1b9e96bb62d2958ca Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Wed, 20 Nov 2019 16:25:46 -0500
+Subject: SUNRPC: Fix backchannel latency metrics
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+commit 8729aaba74626c4ebce3abf1b9e96bb62d2958ca upstream.
+
+I noticed that for callback requests, the reported backlog latency
+is always zero, and the rtt value is crazy big. The problem was that
+rqst->rq_xtime is never set for backchannel requests.
+
+Fixes: 78215759e20d ("SUNRPC: Make RTT measurement more ... ")
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/xprtrdma/svc_rdma_backchannel.c | 1 +
+ net/sunrpc/xprtsock.c | 3 ++-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/sunrpc/xprtrdma/svc_rdma_backchannel.c
++++ b/net/sunrpc/xprtrdma/svc_rdma_backchannel.c
+@@ -195,6 +195,7 @@ rpcrdma_bc_send_request(struct svcxprt_r
+ pr_info("%s: %*ph\n", __func__, 64, rqst->rq_buffer);
+ #endif
+
++ rqst->rq_xtime = ktime_get();
+ rc = svc_rdma_bc_sendto(rdma, rqst, ctxt);
+ if (rc) {
+ svc_rdma_send_ctxt_put(rdma, ctxt);
+--- a/net/sunrpc/xprtsock.c
++++ b/net/sunrpc/xprtsock.c
+@@ -2659,6 +2659,8 @@ static int bc_sendto(struct rpc_rqst *re
+ .iov_len = sizeof(marker),
+ };
+
++ req->rq_xtime = ktime_get();
++
+ len = kernel_sendmsg(transport->sock, &msg, &iov, 1, iov.iov_len);
+ if (len != iov.iov_len)
+ return -EAGAIN;
+@@ -2684,7 +2686,6 @@ static int bc_send_request(struct rpc_rq
+ struct svc_xprt *xprt;
+ int len;
+
+- dprintk("sending request with xid: %08x\n", ntohl(req->rq_xid));
+ /*
+ * Get the server socket associated with this callback xprt
+ */
--- /dev/null
+From 5866efa8cbfbadf3905072798e96652faf02dbe8 Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Thu, 24 Oct 2019 09:34:16 -0400
+Subject: SUNRPC: Fix svcauth_gss_proxy_init()
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+commit 5866efa8cbfbadf3905072798e96652faf02dbe8 upstream.
+
+gss_read_proxy_verf() assumes things about the XDR buffer containing
+the RPC Call that are not true for buffers generated by
+svc_rdma_recv().
+
+RDMA's buffers look more like what the upper layer generates for
+sending: head is a kmalloc'd buffer; it does not point to a page
+whose contents are contiguous with the first page in the buffers'
+page array. The result is that ACCEPT_SEC_CONTEXT via RPC/RDMA has
+stopped working on Linux NFS servers that use gssproxy.
+
+This does not affect clients that use only TCP to send their
+ACCEPT_SEC_CONTEXT operation (that's all Linux clients). Other
+clients, like Solaris NFS clients, send ACCEPT_SEC_CONTEXT on the
+same transport as they send all other NFS operations. Such clients
+can send ACCEPT_SEC_CONTEXT via RPC/RDMA.
+
+I thought I had found every direct reference in the server RPC code
+to the rqstp->rq_pages field.
+
+Bug found at the 2019 Westford NFS bake-a-thon.
+
+Fixes: 3316f0631139 ("svcrdma: Persistently allocate and DMA- ... ")
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Tested-by: Bill Baker <bill.baker@oracle.com>
+Reviewed-by: Simo Sorce <simo@redhat.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/auth_gss/svcauth_gss.c | 84 ++++++++++++++++++++++++++++----------
+ 1 file changed, 63 insertions(+), 21 deletions(-)
+
+--- a/net/sunrpc/auth_gss/svcauth_gss.c
++++ b/net/sunrpc/auth_gss/svcauth_gss.c
+@@ -1075,24 +1075,32 @@ gss_read_verf(struct rpc_gss_wire_cred *
+ return 0;
+ }
+
+-/* Ok this is really heavily depending on a set of semantics in
+- * how rqstp is set up by svc_recv and pages laid down by the
+- * server when reading a request. We are basically guaranteed that
+- * the token lays all down linearly across a set of pages, starting
+- * at iov_base in rq_arg.head[0] which happens to be the first of a
+- * set of pages stored in rq_pages[].
+- * rq_arg.head[0].iov_base will provide us the page_base to pass
+- * to the upcall.
+- */
+-static inline int
+-gss_read_proxy_verf(struct svc_rqst *rqstp,
+- struct rpc_gss_wire_cred *gc, __be32 *authp,
+- struct xdr_netobj *in_handle,
+- struct gssp_in_token *in_token)
++static void gss_free_in_token_pages(struct gssp_in_token *in_token)
+ {
+- struct kvec *argv = &rqstp->rq_arg.head[0];
+ u32 inlen;
+- int res;
++ int i;
++
++ i = 0;
++ inlen = in_token->page_len;
++ while (inlen) {
++ if (in_token->pages[i])
++ put_page(in_token->pages[i]);
++ inlen -= inlen > PAGE_SIZE ? PAGE_SIZE : inlen;
++ }
++
++ kfree(in_token->pages);
++ in_token->pages = NULL;
++}
++
++static int gss_read_proxy_verf(struct svc_rqst *rqstp,
++ struct rpc_gss_wire_cred *gc, __be32 *authp,
++ struct xdr_netobj *in_handle,
++ struct gssp_in_token *in_token)
++{
++ struct kvec *argv = &rqstp->rq_arg.head[0];
++ unsigned int page_base, length;
++ int pages, i, res;
++ size_t inlen;
+
+ res = gss_read_common_verf(gc, argv, authp, in_handle);
+ if (res)
+@@ -1102,10 +1110,36 @@ gss_read_proxy_verf(struct svc_rqst *rqs
+ if (inlen > (argv->iov_len + rqstp->rq_arg.page_len))
+ return SVC_DENIED;
+
+- in_token->pages = rqstp->rq_pages;
+- in_token->page_base = (ulong)argv->iov_base & ~PAGE_MASK;
++ pages = DIV_ROUND_UP(inlen, PAGE_SIZE);
++ in_token->pages = kcalloc(pages, sizeof(struct page *), GFP_KERNEL);
++ if (!in_token->pages)
++ return SVC_DENIED;
++ in_token->page_base = 0;
+ in_token->page_len = inlen;
++ for (i = 0; i < pages; i++) {
++ in_token->pages[i] = alloc_page(GFP_KERNEL);
++ if (!in_token->pages[i]) {
++ gss_free_in_token_pages(in_token);
++ return SVC_DENIED;
++ }
++ }
+
++ length = min_t(unsigned int, inlen, argv->iov_len);
++ memcpy(page_address(in_token->pages[0]), argv->iov_base, length);
++ inlen -= length;
++
++ i = 1;
++ page_base = rqstp->rq_arg.page_base;
++ while (inlen) {
++ length = min_t(unsigned int, inlen, PAGE_SIZE);
++ memcpy(page_address(in_token->pages[i]),
++ page_address(rqstp->rq_arg.pages[i]) + page_base,
++ length);
++
++ inlen -= length;
++ page_base = 0;
++ i++;
++ }
+ return 0;
+ }
+
+@@ -1280,8 +1314,11 @@ static int svcauth_gss_proxy_init(struct
+ break;
+ case GSS_S_COMPLETE:
+ status = gss_proxy_save_rsc(sn->rsc_cache, &ud, &handle);
+- if (status)
++ if (status) {
++ pr_info("%s: gss_proxy_save_rsc failed (%d)\n",
++ __func__, status);
+ goto out;
++ }
+ cli_handle.data = (u8 *)&handle;
+ cli_handle.len = sizeof(handle);
+ break;
+@@ -1292,15 +1329,20 @@ static int svcauth_gss_proxy_init(struct
+
+ /* Got an answer to the upcall; use it: */
+ if (gss_write_init_verf(sn->rsc_cache, rqstp,
+- &cli_handle, &ud.major_status))
++ &cli_handle, &ud.major_status)) {
++ pr_info("%s: gss_write_init_verf failed\n", __func__);
+ goto out;
++ }
+ if (gss_write_resv(resv, PAGE_SIZE,
+ &cli_handle, &ud.out_token,
+- ud.major_status, ud.minor_status))
++ ud.major_status, ud.minor_status)) {
++ pr_info("%s: gss_write_resv failed\n", __func__);
+ goto out;
++ }
+
+ ret = SVC_COMPLETE;
+ out:
++ gss_free_in_token_pages(&ud.in_token);
+ gssp_free_upcall_data(&ud);
+ return ret;
+ }
--- /dev/null
+From 2fe97a578d7bad3116a89dc8a6692a51e6fc1d9c Mon Sep 17 00:00:00 2001
+From: Tung Nguyen <tung.q.nguyen@dektech.com.au>
+Date: Thu, 28 Nov 2019 10:10:05 +0700
+Subject: tipc: fix potential memory leak in __tipc_sendmsg()
+
+From: Tung Nguyen <tung.q.nguyen@dektech.com.au>
+
+commit 2fe97a578d7bad3116a89dc8a6692a51e6fc1d9c upstream.
+
+When initiating a connection message to a server side, the connection
+message is cloned and added to the socket write queue. However, if the
+cloning is failed, only the socket write queue is purged. It causes
+memory leak because the original connection message is not freed.
+
+This commit fixes it by purging the list of connection message when
+it cannot be cloned.
+
+Fixes: 6787927475e5 ("tipc: buffer overflow handling in listener socket")
+Reported-by: Hoang Le <hoang.h.le@dektech.com.au>
+Signed-off-by: Tung Nguyen <tung.q.nguyen@dektech.com.au>
+Acked-by: Ying Xue <ying.xue@windriver.com>
+Acked-by: Jon Maloy <jon.maloy@ericsson.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/tipc/socket.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -1396,8 +1396,10 @@ static int __tipc_sendmsg(struct socket
+ rc = tipc_msg_build(hdr, m, 0, dlen, mtu, &pkts);
+ if (unlikely(rc != dlen))
+ return rc;
+- if (unlikely(syn && !tipc_msg_skb_clone(&pkts, &sk->sk_write_queue)))
++ if (unlikely(syn && !tipc_msg_skb_clone(&pkts, &sk->sk_write_queue))) {
++ __skb_queue_purge(&pkts);
+ return -ENOMEM;
++ }
+
+ trace_tipc_sk_sendmsg(sk, skb_peek(&pkts), TIPC_DUMP_SK_SNDQ, " ");
+ rc = tipc_node_xmit(net, &pkts, dnode, tsk->portid);
--- /dev/null
+From 91a4a3eb433e4d786420c41f3c08d1d16c605962 Mon Sep 17 00:00:00 2001
+From: Tung Nguyen <tung.q.nguyen@dektech.com.au>
+Date: Thu, 28 Nov 2019 10:10:06 +0700
+Subject: tipc: fix wrong socket reference counter after tipc_sk_timeout() returns
+
+From: Tung Nguyen <tung.q.nguyen@dektech.com.au>
+
+commit 91a4a3eb433e4d786420c41f3c08d1d16c605962 upstream.
+
+When tipc_sk_timeout() is executed but user space is grabbing
+ownership, this function rearms itself and returns. However, the
+socket reference counter is not reduced. This causes potential
+unexpected behavior.
+
+This commit fixes it by calling sock_put() before tipc_sk_timeout()
+returns in the above-mentioned case.
+
+Fixes: afe8792fec69 ("tipc: refactor function tipc_sk_timeout()")
+Signed-off-by: Tung Nguyen <tung.q.nguyen@dektech.com.au>
+Acked-by: Ying Xue <ying.xue@windriver.com>
+Acked-by: Jon Maloy <jon.maloy@ericsson.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/tipc/socket.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -2687,6 +2687,7 @@ static void tipc_sk_timeout(struct timer
+ if (sock_owned_by_user(sk)) {
+ sk_reset_timer(sk, &sk->sk_timer, jiffies + HZ / 20);
+ bh_unlock_sock(sk);
++ sock_put(sk);
+ return;
+ }
+
--- /dev/null
+From 12db3c8083fcab4270866a88191933f2d9f24f89 Mon Sep 17 00:00:00 2001
+From: Tung Nguyen <tung.q.nguyen@dektech.com.au>
+Date: Thu, 28 Nov 2019 10:10:07 +0700
+Subject: tipc: fix wrong timeout input for tipc_wait_for_cond()
+
+From: Tung Nguyen <tung.q.nguyen@dektech.com.au>
+
+commit 12db3c8083fcab4270866a88191933f2d9f24f89 upstream.
+
+In function __tipc_shutdown(), the timeout value passed to
+tipc_wait_for_cond() is not jiffies.
+
+This commit fixes it by converting that value from milliseconds
+to jiffies.
+
+Fixes: 365ad353c256 ("tipc: reduce risk of user starvation during link congestion")
+Signed-off-by: Tung Nguyen <tung.q.nguyen@dektech.com.au>
+Acked-by: Jon Maloy <jon.maloy@ericsson.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/tipc/socket.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -504,7 +504,7 @@ static void __tipc_shutdown(struct socke
+ struct sock *sk = sock->sk;
+ struct tipc_sock *tsk = tipc_sk(sk);
+ struct net *net = sock_net(sk);
+- long timeout = CONN_TIMEOUT_DEFAULT;
++ long timeout = msecs_to_jiffies(CONN_TIMEOUT_DEFAULT);
+ u32 dnode = tsk_peer_node(tsk);
+ struct sk_buff *skb;
+
--- /dev/null
+From 426071f1f3995d7e9603246bffdcbf344cd31719 Mon Sep 17 00:00:00 2001
+From: Hoang Le <hoang.h.le@dektech.com.au>
+Date: Wed, 6 Nov 2019 13:26:10 +0700
+Subject: tipc: reduce sensitive to retransmit failures
+
+From: Hoang Le <hoang.h.le@dektech.com.au>
+
+commit 426071f1f3995d7e9603246bffdcbf344cd31719 upstream.
+
+With huge cluster (e.g >200nodes), the amount of that flow:
+gap -> retransmit packet -> acked will take time in case of STATE_MSG
+dropped/delayed because a lot of traffic. This lead to 1.5 sec tolerance
+value criteria made link easy failure around 2nd, 3rd of failed
+retransmission attempts.
+
+Instead of re-introduced criteria of 99 faled retransmissions to fix the
+issue, we increase failure detection timer to ten times tolerance value.
+
+Fixes: 77cf8edbc0e7 ("tipc: simplify stale link failure criteria")
+Acked-by: Jon Maloy <jon.maloy@ericsson.com>
+Signed-off-by: Hoang Le <hoang.h.le@dektech.com.au>
+Acked-by: Jon
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/tipc/link.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/tipc/link.c
++++ b/net/tipc/link.c
+@@ -1084,7 +1084,7 @@ static bool link_retransmit_failure(stru
+ return false;
+
+ if (!time_after(jiffies, TIPC_SKB_CB(skb)->retr_stamp +
+- msecs_to_jiffies(r->tolerance)))
++ msecs_to_jiffies(r->tolerance * 10)))
+ return false;
+
+ hdr = buf_msg(skb);
--- /dev/null
+From 46cb01eeeb86fca6afe24dda1167b0cb95424e29 Mon Sep 17 00:00:00 2001
+From: Hoang Le <hoang.h.le@dektech.com.au>
+Date: Tue, 12 Nov 2019 07:40:04 +0700
+Subject: tipc: update mon's self addr when node addr generated
+
+From: Hoang Le <hoang.h.le@dektech.com.au>
+
+commit 46cb01eeeb86fca6afe24dda1167b0cb95424e29 upstream.
+
+In commit 25b0b9c4e835 ("tipc: handle collisions of 32-bit node address
+hash values"), the 32-bit node address only generated after one second
+trial period expired. However the self's addr in struct tipc_monitor do
+not update according to node address generated. This lead to it is
+always zero as initial value. As result, sorting algorithm using this
+value does not work as expected, neither neighbor monitoring framework.
+
+In this commit, we add a fix to update self's addr when 32-bit node
+address generated.
+
+Fixes: 25b0b9c4e835 ("tipc: handle collisions of 32-bit node address hash values")
+Acked-by: Jon Maloy <jon.maloy@ericsson.com>
+Signed-off-by: Hoang Le <hoang.h.le@dektech.com.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/tipc/monitor.c | 15 +++++++++++++++
+ net/tipc/monitor.h | 1 +
+ net/tipc/net.c | 2 ++
+ 3 files changed, 18 insertions(+)
+
+--- a/net/tipc/monitor.c
++++ b/net/tipc/monitor.c
+@@ -665,6 +665,21 @@ void tipc_mon_delete(struct net *net, in
+ kfree(mon);
+ }
+
++void tipc_mon_reinit_self(struct net *net)
++{
++ struct tipc_monitor *mon;
++ int bearer_id;
++
++ for (bearer_id = 0; bearer_id < MAX_BEARERS; bearer_id++) {
++ mon = tipc_monitor(net, bearer_id);
++ if (!mon)
++ continue;
++ write_lock_bh(&mon->lock);
++ mon->self->addr = tipc_own_addr(net);
++ write_unlock_bh(&mon->lock);
++ }
++}
++
+ int tipc_nl_monitor_set_threshold(struct net *net, u32 cluster_size)
+ {
+ struct tipc_net *tn = tipc_net(net);
+--- a/net/tipc/monitor.h
++++ b/net/tipc/monitor.h
+@@ -77,6 +77,7 @@ int __tipc_nl_add_monitor(struct net *ne
+ u32 bearer_id);
+ int tipc_nl_add_monitor_peer(struct net *net, struct tipc_nl_msg *msg,
+ u32 bearer_id, u32 *prev_node);
++void tipc_mon_reinit_self(struct net *net);
+
+ extern const int tipc_max_domain_size;
+ #endif
+--- a/net/tipc/net.c
++++ b/net/tipc/net.c
+@@ -42,6 +42,7 @@
+ #include "node.h"
+ #include "bcast.h"
+ #include "netlink.h"
++#include "monitor.h"
+
+ /*
+ * The TIPC locking policy is designed to ensure a very fine locking
+@@ -136,6 +137,7 @@ static void tipc_net_finalize(struct net
+ tipc_set_node_addr(net, addr);
+ tipc_named_reinit(net);
+ tipc_sk_reinit(net);
++ tipc_mon_reinit_self(net);
+ tipc_nametbl_publish(net, TIPC_CFG_SRV, addr, addr,
+ TIPC_CLUSTER_SCOPE, 0, addr);
+ }
--- /dev/null
+From 3dd4d40b420846dd35869ccc8f8627feef2cff32 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Wed, 23 Oct 2019 17:00:45 -0700
+Subject: xfs: Sanity check flags of Q_XQUOTARM call
+
+From: Jan Kara <jack@suse.cz>
+
+commit 3dd4d40b420846dd35869ccc8f8627feef2cff32 upstream.
+
+Flags passed to Q_XQUOTARM were not sanity checked for invalid values.
+Fix that.
+
+Fixes: 9da93f9b7cdf ("xfs: fix Q_XQUOTARM ioctl")
+Reported-by: Yang Xu <xuyang2018.jy@cn.fujitsu.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Eric Sandeen <sandeen@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/xfs/xfs_quotaops.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/xfs/xfs_quotaops.c
++++ b/fs/xfs/xfs_quotaops.c
+@@ -201,6 +201,9 @@ xfs_fs_rm_xquota(
+ if (XFS_IS_QUOTA_ON(mp))
+ return -EINVAL;
+
++ if (uflags & ~(FS_USER_QUOTA | FS_GROUP_QUOTA | FS_PROJ_QUOTA))
++ return -EINVAL;
++
+ if (uflags & FS_USER_QUOTA)
+ flags |= XFS_DQ_USER;
+ if (uflags & FS_GROUP_QUOTA)
projects / thirdparty / kernel / stable-queue.git / commitdiff
