--- /dev/null
+From 449052cfebf624b670faa040245d3feed770d22f Mon Sep 17 00:00:00 2001
+From: Joakim Zhang <qiangqing.zhang@nxp.com>
+Date: Thu, 18 Feb 2021 19:00:35 +0800
+Subject: can: flexcan: assert FRZ bit in flexcan_chip_freeze()
+
+From: Joakim Zhang <qiangqing.zhang@nxp.com>
+
+commit 449052cfebf624b670faa040245d3feed770d22f upstream.
+
+Assert HALT bit to enter freeze mode, there is a premise that FRZ bit is
+asserted. This patch asserts FRZ bit in flexcan_chip_freeze, although
+the reset value is 1b'1. This is a prepare patch, later patch will
+invoke flexcan_chip_freeze() to enter freeze mode, which polling freeze
+mode acknowledge.
+
+Fixes: b1aa1c7a2165b ("can: flexcan: fix transition from and to freeze mode in chip_{,un}freeze")
+Link: https://lore.kernel.org/r/20210218110037.16591-2-qiangqing.zhang@nxp.com
+Signed-off-by: Joakim Zhang <qiangqing.zhang@nxp.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/flexcan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/flexcan.c
++++ b/drivers/net/can/flexcan.c
+@@ -548,7 +548,7 @@ static int flexcan_chip_freeze(struct fl
+ u32 reg;
+
+ reg = priv->read(®s->mcr);
+- reg |= FLEXCAN_MCR_HALT;
++ reg |= FLEXCAN_MCR_FRZ | FLEXCAN_MCR_HALT;
+ priv->write(reg, ®s->mcr);
+
+ while (timeout-- && !(priv->read(®s->mcr) & FLEXCAN_MCR_FRZ_ACK))
--- /dev/null
+From ec15e27cc8904605846a354bb1f808ea1432f853 Mon Sep 17 00:00:00 2001
+From: Joakim Zhang <qiangqing.zhang@nxp.com>
+Date: Thu, 18 Feb 2021 19:00:36 +0800
+Subject: can: flexcan: enable RX FIFO after FRZ/HALT valid
+
+From: Joakim Zhang <qiangqing.zhang@nxp.com>
+
+commit ec15e27cc8904605846a354bb1f808ea1432f853 upstream.
+
+Enabling the RX FIFO can fail during a system reboot stress test:
+
+[ 0.303958] flexcan 5a8d0000.can: 5a8d0000.can supply xceiver not found, using dummy regulator
+[ 0.304281] flexcan 5a8d0000.can (unnamed net_device) (uninitialized): Could not enable RX FIFO, unsupported core
+[ 0.314640] flexcan 5a8d0000.can: registering netdev failed
+[ 0.320728] flexcan 5a8e0000.can: 5a8e0000.can supply xceiver not found, using dummy regulator
+[ 0.320991] flexcan 5a8e0000.can (unnamed net_device) (uninitialized): Could not enable RX FIFO, unsupported core
+[ 0.331360] flexcan 5a8e0000.can: registering netdev failed
+[ 0.337444] flexcan 5a8f0000.can: 5a8f0000.can supply xceiver not found, using dummy regulator
+[ 0.337716] flexcan 5a8f0000.can (unnamed net_device) (uninitialized): Could not enable RX FIFO, unsupported core
+[ 0.348117] flexcan 5a8f0000.can: registering netdev failed
+
+RX FIFO should be enabled after the FRZ/HALT are valid. But the current
+code enable RX FIFO and FRZ/HALT at the same time.
+
+Fixes: e955cead03117 ("CAN: Add Flexcan CAN controller driver")
+Link: https://lore.kernel.org/r/20210218110037.16591-3-qiangqing.zhang@nxp.com
+Signed-off-by: Joakim Zhang <qiangqing.zhang@nxp.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/flexcan.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/can/flexcan.c
++++ b/drivers/net/can/flexcan.c
+@@ -1432,10 +1432,14 @@ static int register_flexcandev(struct ne
+ if (err)
+ goto out_chip_disable;
+
+- /* set freeze, halt and activate FIFO, restrict register access */
++ /* set freeze, halt */
++ err = flexcan_chip_freeze(priv);
++ if (err)
++ goto out_chip_disable;
++
++ /* activate FIFO, restrict register access */
+ reg = priv->read(®s->mcr);
+- reg |= FLEXCAN_MCR_FRZ | FLEXCAN_MCR_HALT |
+- FLEXCAN_MCR_FEN | FLEXCAN_MCR_SUPV;
++ reg |= FLEXCAN_MCR_FEN | FLEXCAN_MCR_SUPV;
+ priv->write(reg, ®s->mcr);
+
+ /* Currently we only support newer versions of this core
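Review bot: The new `flexcan_chip_freeze()` failure path jumps to `out_chip_disable` without logging a reason, so a freeze timeout during probe would surface only as the generic "registering netdev failed" line shown in the commit message, unless flexcan_chip_freeze() logs on its own (its body is not in this hunk). A one-line message before the goto, for example `netdev_err(dev, "Could not enter freeze mode\n");` (assuming `dev` is the net_device in scope here, as the existing RX FIFO message suggests), would make this failure distinguishable from the RX FIFO one. The same applies to the identical call added to flexcan_chip_start() later in this series. register_flexcandev() starts and ends outside the hunk.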
--- /dev/null
+From c63820045e2000f05657467a08715c18c9f490d9 Mon Sep 17 00:00:00 2001
+From: Joakim Zhang <qiangqing.zhang@nxp.com>
+Date: Thu, 18 Feb 2021 19:00:37 +0800
+Subject: can: flexcan: invoke flexcan_chip_freeze() to enter freeze mode
+
+From: Joakim Zhang <qiangqing.zhang@nxp.com>
+
+commit c63820045e2000f05657467a08715c18c9f490d9 upstream.
+
+Invoke flexcan_chip_freeze() to enter freeze mode, since need poll
+freeze mode acknowledge.
+
+Fixes: e955cead03117 ("CAN: Add Flexcan CAN controller driver")
+Link: https://lore.kernel.org/r/20210218110037.16591-4-qiangqing.zhang@nxp.com
+Signed-off-by: Joakim Zhang <qiangqing.zhang@nxp.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/flexcan.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/can/flexcan.c
++++ b/drivers/net/can/flexcan.c
+@@ -1057,10 +1057,13 @@ static int flexcan_chip_start(struct net
+
+ flexcan_set_bittiming(dev);
+
++ /* set freeze, halt */
++ err = flexcan_chip_freeze(priv);
++ if (err)
++ goto out_chip_disable;
++
+ /* MCR
+ *
+- * enable freeze
+- * halt now
+ * only supervisor access
+ * enable warning int
+ * enable individual RX masking
+@@ -1069,9 +1072,8 @@ static int flexcan_chip_start(struct net
+ */
+ reg_mcr = priv->read(®s->mcr);
+ reg_mcr &= ~FLEXCAN_MCR_MAXMB(0xff);
+- reg_mcr |= FLEXCAN_MCR_FRZ | FLEXCAN_MCR_HALT | FLEXCAN_MCR_SUPV |
+- FLEXCAN_MCR_WRN_EN | FLEXCAN_MCR_IRMQ | FLEXCAN_MCR_IDAM_C |
+- FLEXCAN_MCR_MAXMB(priv->tx_mb_idx);
++ reg_mcr |= FLEXCAN_MCR_SUPV | FLEXCAN_MCR_WRN_EN | FLEXCAN_MCR_IRMQ |
++ FLEXCAN_MCR_IDAM_C | FLEXCAN_MCR_MAXMB(priv->tx_mb_idx);
+
+ /* MCR
+ *
--- /dev/null
+From e940e0895a82c6fbaa259f2615eb52b57ee91a7e Mon Sep 17 00:00:00 2001
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+Date: Fri, 26 Feb 2021 10:24:56 +0100
+Subject: can: skb: can_skb_set_owner(): fix ref counting if socket was closed before setting skb ownership
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+commit e940e0895a82c6fbaa259f2615eb52b57ee91a7e upstream.
+
+There are two ref count variables controlling the free()ing of a socket:
+- struct sock::sk_refcnt - which is changed by sock_hold()/sock_put()
+- struct sock::sk_wmem_alloc - which accounts the memory allocated by
+ the skbs in the send path.
+
+In case there are still TX skbs on the fly and the socket() is closed,
+the struct sock::sk_refcnt reaches 0. In the TX-path the CAN stack
+clones an "echo" skb, calls sock_hold() on the original socket and
+references it. This produces the following back trace:
+
+| WARNING: CPU: 0 PID: 280 at lib/refcount.c:25 refcount_warn_saturate+0x114/0x134
+| refcount_t: addition on 0; use-after-free.
+| Modules linked in: coda_vpu(E) v4l2_jpeg(E) videobuf2_vmalloc(E) imx_vdoa(E)
+| CPU: 0 PID: 280 Comm: test_can.sh Tainted: G E 5.11.0-04577-gf8ff6603c617 #203
+| Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
+| Backtrace:
+| [<80bafea4>] (dump_backtrace) from [<80bb0280>] (show_stack+0x20/0x24) r7:00000000 r6:600f0113 r5:00000000 r4:81441220
+| [<80bb0260>] (show_stack) from [<80bb593c>] (dump_stack+0xa0/0xc8)
+| [<80bb589c>] (dump_stack) from [<8012b268>] (__warn+0xd4/0x114) r9:00000019 r8:80f4a8c2 r7:83e4150c r6:00000000 r5:00000009 r4:80528f90
+| [<8012b194>] (__warn) from [<80bb09c4>] (warn_slowpath_fmt+0x88/0xc8) r9:83f26400 r8:80f4a8d1 r7:00000009 r6:80528f90 r5:00000019 r4:80f4a8c2
+| [<80bb0940>] (warn_slowpath_fmt) from [<80528f90>] (refcount_warn_saturate+0x114/0x134) r8:00000000 r7:00000000 r6:82b44000 r5:834e5600 r4:83f4d540
+| [<80528e7c>] (refcount_warn_saturate) from [<8079a4c8>] (__refcount_add.constprop.0+0x4c/0x50)
+| [<8079a47c>] (__refcount_add.constprop.0) from [<8079a57c>] (can_put_echo_skb+0xb0/0x13c)
+| [<8079a4cc>] (can_put_echo_skb) from [<8079ba98>] (flexcan_start_xmit+0x1c4/0x230) r9:00000010 r8:83f48610 r7:0fdc0000 r6:0c080000 r5:82b44000 r4:834e5600
+| [<8079b8d4>] (flexcan_start_xmit) from [<80969078>] (netdev_start_xmit+0x44/0x70) r9:814c0ba0 r8:80c8790c r7:00000000 r6:834e5600 r5:82b44000 r4:82ab1f00
+| [<80969034>] (netdev_start_xmit) from [<809725a4>] (dev_hard_start_xmit+0x19c/0x318) r9:814c0ba0 r8:00000000 r7:82ab1f00 r6:82b44000 r5:00000000 r4:834e5600
+| [<80972408>] (dev_hard_start_xmit) from [<809c6584>] (sch_direct_xmit+0xcc/0x264) r10:834e5600 r9:00000000 r8:00000000 r7:82b44000 r6:82ab1f00 r5:834e5600 r4:83f27400
+| [<809c64b8>] (sch_direct_xmit) from [<809c6c0c>] (__qdisc_run+0x4f0/0x534)
+
+To fix this problem, only set skb ownership to sockets which have still
+a ref count > 0.
+
+Fixes: 0ae89beb283a ("can: add destructor for self generated skbs")
+Cc: Oliver Hartkopp <socketcan@hartkopp.net>
+Cc: Andre Naujoks <nautsch2@gmail.com>
+Link: https://lore.kernel.org/r/20210226092456.27126-1-o.rempel@pengutronix.de
+Suggested-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Reviewed-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/can/skb.h | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/include/linux/can/skb.h
++++ b/include/linux/can/skb.h
+@@ -49,8 +49,12 @@ static inline void can_skb_reserve(struc
+
+ static inline void can_skb_set_owner(struct sk_buff *skb, struct sock *sk)
+ {
+- if (sk) {
+- sock_hold(sk);
++ /* If the socket has already been closed by user space, the
++ * refcount may already be 0 (and the socket will be freed
++ * after the last TX skb has been freed). So only increase
++ * socket refcount if the refcount is > 0.
++ */
++ if (sk && refcount_inc_not_zero(&sk->sk_refcnt)) {
+ skb->destructor = sock_efree;
+ skb->sk = sk;
+ }
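Review bot: The added comment explains why the refcount may already be 0 but not what the caller is left with: when `refcount_inc_not_zero()` fails, `skb->sk` and `skb->destructor` are not assigned and the function returns void, so the skb silently has no owner. Saying so in the comment would help, e.g. by appending `* Otherwise the skb is left without an owner (skb->sk is not set).` It is also worth confirming that callers which read `skb->sk` afterwards cope with an skb whose ownership was not set; those callers are outside this hunk. The function's closing brace is outside the hunk as well.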
--- /dev/null
+From 2712625200ed69c642b9abc3a403830c4643364c Mon Sep 17 00:00:00 2001
+From: Torin Cooper-Bennun <torin@maxiluxsystems.com>
+Date: Fri, 26 Feb 2021 16:34:41 +0000
+Subject: can: tcan4x5x: tcan4x5x_init(): fix initialization - clear MRAM before entering Normal Mode
+
+From: Torin Cooper-Bennun <torin@maxiluxsystems.com>
+
+commit 2712625200ed69c642b9abc3a403830c4643364c upstream.
+
+This patch prevents a potentially destructive race condition. The
+device is fully operational on the bus after entering Normal Mode, so
+zeroing the MRAM after entering this mode may lead to loss of
+information, e.g. new received messages.
+
+This patch fixes the problem by first initializing the MRAM, then
+bringing the device into Normal Mode.
+
+Fixes: 5443c226ba91 ("can: tcan4x5x: Add tcan4x5x driver to the kernel")
+Link: https://lore.kernel.org/r/20210226163440.313628-1-torin@maxiluxsystems.com
+Suggested-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Torin Cooper-Bennun <torin@maxiluxsystems.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/m_can/tcan4x5x.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/can/m_can/tcan4x5x.c
++++ b/drivers/net/can/m_can/tcan4x5x.c
+@@ -325,14 +325,14 @@ static int tcan4x5x_init(struct m_can_cl
+ if (ret)
+ return ret;
+
++ /* Zero out the MCAN buffers */
++ m_can_init_ram(cdev);
++
+ ret = regmap_update_bits(tcan4x5x->regmap, TCAN4X5X_CONFIG,
+ TCAN4X5X_MODE_SEL_MASK, TCAN4X5X_MODE_NORMAL);
+ if (ret)
+ return ret;
+
+- /* Zero out the MCAN buffers */
+- m_can_init_ram(cdev);
+-
+ return ret;
+ }
+
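Review bot: After the reordering, the tail of the function is `if (ret) return ret;` immediately followed by `return ret;`, so the check no longer guards anything. Returning the call directly, `return regmap_update_bits(tcan4x5x->regmap, TCAN4X5X_CONFIG, TCAN4X5X_MODE_SEL_MASK, TCAN4X5X_MODE_NORMAL);`, would be simpler. Since the ordering is now the whole point of the fix, the moved comment could also record it, e.g. `/* Zero out the MCAN buffers before entering Normal Mode; the device is live on the bus afterwards */`. tcan4x5x_init() starts outside the hunk.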
--- /dev/null
+From eb441337c7147514ab45036cadf09c3a71e4ce31 Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Thu, 25 Feb 2021 18:33:20 +0200
+Subject: gpio: pca953x: Set IRQ type when handle Intel Galileo Gen 2
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+commit eb441337c7147514ab45036cadf09c3a71e4ce31 upstream.
+
+The commit 0ea683931adb ("gpio: dwapb: Convert driver to using the
+GPIO-lib-based IRQ-chip") indeliberately made a regression on how
+IRQ line from GPIO I²C expander is handled. I.e. it reveals that
+the quirk for Intel Galileo Gen 2 misses the part of setting IRQ type
+which previously was predefined by gpio-dwapb driver. Now, we have to
+reorganize the approach to call necessary parts, which can be done via
+ACPI_GPIO_QUIRK_ABSOLUTE_NUMBER quirk.
+
+Without this fix and with above mentioned change the kernel hangs
+on the first IRQ event with:
+
+ gpio gpiochip3: Persistence not supported for GPIO 1
+ irq 32, desc: 62f8fb50, depth: 0, count: 0, unhandled: 0
+ ->handle_irq(): 41c7b0ab, handle_bad_irq+0x0/0x40
+ ->irq_data.chip(): e03f1e72, 0xc2539218
+ ->action(): 0ecc7e6f
+ ->action->handler(): 8a3db21e, irq_default_primary_handler+0x0/0x10
+ IRQ_NOPROBE set
+ unexpected IRQ trap at vector 20
+
+Fixes: ba8c90c61847 ("gpio: pca953x: Override IRQ for one of the expanders on Galileo Gen 2")
+Depends-on: 0ea683931adb ("gpio: dwapb: Convert driver to using the GPIO-lib-based IRQ-chip")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-pca953x.c | 78 ++++++++++++--------------------------------
+ 1 file changed, 23 insertions(+), 55 deletions(-)
+
+--- a/drivers/gpio/gpio-pca953x.c
++++ b/drivers/gpio/gpio-pca953x.c
+@@ -110,8 +110,29 @@ MODULE_DEVICE_TABLE(i2c, pca953x_id);
+ #ifdef CONFIG_GPIO_PCA953X_IRQ
+
+ #include <linux/dmi.h>
+-#include <linux/gpio.h>
+-#include <linux/list.h>
++
++static const struct acpi_gpio_params pca953x_irq_gpios = { 0, 0, true };
++
++static const struct acpi_gpio_mapping pca953x_acpi_irq_gpios[] = {
++ { "irq-gpios", &pca953x_irq_gpios, 1, ACPI_GPIO_QUIRK_ABSOLUTE_NUMBER },
++ { }
++};
++
++static int pca953x_acpi_get_irq(struct device *dev)
++{
++ int ret;
++
++ ret = devm_acpi_dev_add_driver_gpios(dev, pca953x_acpi_irq_gpios);
++ if (ret)
++ dev_warn(dev, "can't add GPIO ACPI mapping\n");
++
++ ret = acpi_dev_gpio_irq_get_by(ACPI_COMPANION(dev), "irq-gpios", 0);
++ if (ret < 0)
++ return ret;
++
++ dev_info(dev, "ACPI interrupt quirk (IRQ %d)\n", ret);
++ return ret;
++}
+
+ static const struct dmi_system_id pca953x_dmi_acpi_irq_info[] = {
+ {
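Review bot: In `pca953x_acpi_get_irq()` the result of `devm_acpi_dev_add_driver_gpios()` is only logged and then overwritten by the next assignment to `ret`, so a failed mapping registration still goes on to look up "irq-gpios". If that lookup cannot succeed without the mapping (the name appears to be defined only by `pca953x_acpi_irq_gpios`), returning the error right after the `dev_warn()` would be clearer; if continuing is intended, a comment such as `/* best effort: the lookup below reports the error if the mapping is missing */` would say so. Separately, `{ 0, 0, true }` for `pca953x_irq_gpios` relies on field order; designated initializers (`.crs_entry_index = 0, .line_index = 0, .active_low = true`) would be easier to review.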
+@@ -130,59 +151,6 @@ static const struct dmi_system_id pca953
+ },
+ {}
+ };
+-
+-#ifdef CONFIG_ACPI
+-static int pca953x_acpi_get_pin(struct acpi_resource *ares, void *data)
+-{
+- struct acpi_resource_gpio *agpio;
+- int *pin = data;
+-
+- if (acpi_gpio_get_irq_resource(ares, &agpio))
+- *pin = agpio->pin_table[0];
+- return 1;
+-}
+-
+-static int pca953x_acpi_find_pin(struct device *dev)
+-{
+- struct acpi_device *adev = ACPI_COMPANION(dev);
+- int pin = -ENOENT, ret;
+- LIST_HEAD(r);
+-
+- ret = acpi_dev_get_resources(adev, &r, pca953x_acpi_get_pin, &pin);
+- acpi_dev_free_resource_list(&r);
+- if (ret < 0)
+- return ret;
+-
+- return pin;
+-}
+-#else
+-static inline int pca953x_acpi_find_pin(struct device *dev) { return -ENXIO; }
+-#endif
+-
+-static int pca953x_acpi_get_irq(struct device *dev)
+-{
+- int pin, ret;
+-
+- pin = pca953x_acpi_find_pin(dev);
+- if (pin < 0)
+- return pin;
+-
+- dev_info(dev, "Applying ACPI interrupt quirk (GPIO %d)\n", pin);
+-
+- if (!gpio_is_valid(pin))
+- return -EINVAL;
+-
+- ret = gpio_request(pin, "pca953x interrupt");
+- if (ret)
+- return ret;
+-
+- ret = gpio_to_irq(pin);
+-
+- /* When pin is used as an IRQ, no need to keep it requested */
+- gpio_free(pin);
+-
+- return ret;
+-}
+ #endif
+
+ static const struct acpi_device_id pca953x_acpi_ids[] = {
--- /dev/null
+From 809390219fb9c2421239afe5c9eb862d73978ba0 Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Thu, 25 Feb 2021 18:33:19 +0200
+Subject: gpiolib: acpi: Allow to find GpioInt() resource by name and index
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+commit 809390219fb9c2421239afe5c9eb862d73978ba0 upstream.
+
+Currently only search by index is supported. However, in some cases
+we might need to pass the quirks to the acpi_dev_gpio_irq_get().
+
+For this, split out acpi_dev_gpio_irq_get_by() and replace
+acpi_dev_gpio_irq_get() by calling above with NULL for name parameter.
+
+Fixes: ba8c90c61847 ("gpio: pca953x: Override IRQ for one of the expanders on Galileo Gen 2")
+Depends-on: 0ea683931adb ("gpio: dwapb: Convert driver to using the GPIO-lib-based IRQ-chip")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Acked-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpiolib-acpi.c | 12 ++++++++----
+ include/linux/acpi.h | 10 ++++++++--
+ 2 files changed, 16 insertions(+), 6 deletions(-)
+
+--- a/drivers/gpio/gpiolib-acpi.c
++++ b/drivers/gpio/gpiolib-acpi.c
+@@ -904,8 +904,9 @@ struct gpio_desc *acpi_node_get_gpiod(st
+ }
+
+ /**
+- * acpi_dev_gpio_irq_get() - Find GpioInt and translate it to Linux IRQ number
++ * acpi_dev_gpio_irq_get_by() - Find GpioInt and translate it to Linux IRQ number
+ * @adev: pointer to a ACPI device to get IRQ from
++ * @name: optional name of GpioInt resource
+ * @index: index of GpioInt resource (starting from %0)
+ *
+ * If the device has one or more GpioInt resources, this function can be
+@@ -915,9 +916,12 @@ struct gpio_desc *acpi_node_get_gpiod(st
+ * The function is idempotent, though each time it runs it will configure GPIO
+ * pin direction according to the flags in GpioInt resource.
+ *
++ * The function takes optional @name parameter. If the resource has a property
++ * name, then only those will be taken into account.
++ *
+ * Return: Linux IRQ number (> %0) on success, negative errno on failure.
+ */
+-int acpi_dev_gpio_irq_get(struct acpi_device *adev, int index)
++int acpi_dev_gpio_irq_get_by(struct acpi_device *adev, const char *name, int index)
+ {
+ int idx, i;
+ unsigned int irq_flags;
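Review bot: The added kernel-doc sentence "If the resource has a property name, then only those will be taken into account" does not say what a NULL @name does, and "those" has no clear referent. Since the loop in the next hunk passes @name to `acpi_get_gpiod_by_index()` where NULL was hard-coded before, wording such as `* If @name is non-NULL, only GpioInt resources looked up under that name are considered; a NULL @name keeps the index-only lookup.` would be clearer. The inline `acpi_dev_gpio_irq_get()` wrapper added in include/linux/acpi.h also carries no comment now that this block documents the _by variant.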
+@@ -927,7 +931,7 @@ int acpi_dev_gpio_irq_get(struct acpi_de
+ struct acpi_gpio_info info;
+ struct gpio_desc *desc;
+
+- desc = acpi_get_gpiod_by_index(adev, NULL, i, &info);
++ desc = acpi_get_gpiod_by_index(adev, name, i, &info);
+
+ /* Ignore -EPROBE_DEFER, it only matters if idx matches */
+ if (IS_ERR(desc) && PTR_ERR(desc) != -EPROBE_DEFER)
+@@ -964,7 +968,7 @@ int acpi_dev_gpio_irq_get(struct acpi_de
+ }
+ return -ENOENT;
+ }
+-EXPORT_SYMBOL_GPL(acpi_dev_gpio_irq_get);
++EXPORT_SYMBOL_GPL(acpi_dev_gpio_irq_get_by);
+
+ static acpi_status
+ acpi_gpio_adr_space_handler(u32 function, acpi_physical_address address,
+--- a/include/linux/acpi.h
++++ b/include/linux/acpi.h
+@@ -1019,19 +1019,25 @@ void __acpi_handle_debug(struct _ddebug
+ #if defined(CONFIG_ACPI) && defined(CONFIG_GPIOLIB)
+ bool acpi_gpio_get_irq_resource(struct acpi_resource *ares,
+ struct acpi_resource_gpio **agpio);
+-int acpi_dev_gpio_irq_get(struct acpi_device *adev, int index);
++int acpi_dev_gpio_irq_get_by(struct acpi_device *adev, const char *name, int index);
+ #else
+ static inline bool acpi_gpio_get_irq_resource(struct acpi_resource *ares,
+ struct acpi_resource_gpio **agpio)
+ {
+ return false;
+ }
+-static inline int acpi_dev_gpio_irq_get(struct acpi_device *adev, int index)
++static inline int acpi_dev_gpio_irq_get_by(struct acpi_device *adev,
++ const char *name, int index)
+ {
+ return -ENXIO;
+ }
+ #endif
+
++static inline int acpi_dev_gpio_irq_get(struct acpi_device *adev, int index)
++{
++ return acpi_dev_gpio_irq_get_by(adev, NULL, index);
++}
++
+ /* Device properties */
+
+ #ifdef CONFIG_ACPI
--- /dev/null
+From 67eb211487f0c993d9f402d1c196ef159fd6a3b5 Mon Sep 17 00:00:00 2001
+From: Jiri Wiesner <jwiesner@suse.com>
+Date: Thu, 4 Mar 2021 17:18:28 +0100
+Subject: ibmvnic: always store valid MAC address
+
+From: Jiri Wiesner <jwiesner@suse.com>
+
+commit 67eb211487f0c993d9f402d1c196ef159fd6a3b5 upstream.
+
+The last change to ibmvnic_set_mac(), 8fc3672a8ad3, meant to prevent
+users from setting an invalid MAC address on an ibmvnic interface
+that has not been brought up yet. The change also prevented the
+requested MAC address from being stored by the adapter object for an
+ibmvnic interface when the state of the ibmvnic interface is
+VNIC_PROBED - that is after probing has finished but before the
+ibmvnic interface is brought up. The MAC address stored by the
+adapter object is used and sent to the hypervisor for checking when
+an ibmvnic interface is brought up.
+
+The ibmvnic driver ignoring the requested MAC address when in
+VNIC_PROBED state caused LACP bonds (bonds in 802.3ad mode) with more
+than one slave to malfunction. The bonding code must be able to
+change the MAC address of its slaves before they are brought up
+during enslaving. The inability of kernels with 8fc3672a8ad3 to set
+the MAC addresses of bonding slaves is observable in the output of
+"ip address show". The MAC addresses of the slaves are the same as
+the MAC address of the bond on a working system whereas the slaves
+retain their original MAC addresses on a system with a malfunctioning
+LACP bond.
+
+Fixes: 8fc3672a8ad3 ("ibmvnic: fix ibmvnic_set_mac")
+Signed-off-by: Jiri Wiesner <jwiesner@suse.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ibm/ibmvnic.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -1753,10 +1753,9 @@ static int ibmvnic_set_mac(struct net_de
+ if (!is_valid_ether_addr(addr->sa_data))
+ return -EADDRNOTAVAIL;
+
+- if (adapter->state != VNIC_PROBED) {
+- ether_addr_copy(adapter->mac_addr, addr->sa_data);
++ ether_addr_copy(adapter->mac_addr, addr->sa_data);
++ if (adapter->state != VNIC_PROBED)
+ rc = __ibmvnic_set_mac(netdev, addr->sa_data);
+- }
+
+ return rc;
+ }
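Review bot: Nothing in the new code says why the address is stored unconditionally while the call to `__ibmvnic_set_mac()` stays conditional, which is the distinction the earlier fix got wrong. A short comment above the copy would protect it, e.g. `/* Always store the address: in VNIC_PROBED it is sent to the hypervisor when the interface is brought up */`. Note also that when `__ibmvnic_set_mac()` returns an error, `adapter->mac_addr` already holds the rejected address unless that helper restores it; its body is not visible here. ibmvnic_set_mac() starts outside the hunk.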
--- /dev/null
+From d0bd52c591a1070c54dc428e926660eb4f981099 Mon Sep 17 00:00:00 2001
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+Date: Sun, 7 Feb 2021 12:48:31 +0100
+Subject: mt76: dma: do not report truncated frames to mac80211
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+commit d0bd52c591a1070c54dc428e926660eb4f981099 upstream.
+
+Commit b102f0c522cf6 ("mt76: fix array overflow on receiving too many
+fragments for a packet") fixes a possible OOB access but it introduces a
+memory leak since the pending frame is not released to page_frag_cache
+if the frag array of skb_shared_info is full. Commit 93a1d4791c10
+("mt76: dma: fix a possible memory leak in mt76_add_fragment()") fixes
+the issue but does not free the truncated skb that is forwarded to
+mac80211 layer. Fix the leftover issue discarding even truncated skbs.
+
+Fixes: 93a1d4791c10 ("mt76: dma: fix a possible memory leak in mt76_add_fragment()")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/a03166fcc8214644333c68674a781836e0f57576.1612697217.git.lorenzo@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mediatek/mt76/dma.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/mediatek/mt76/dma.c
++++ b/drivers/net/wireless/mediatek/mt76/dma.c
+@@ -454,13 +454,13 @@ mt76_add_fragment(struct mt76_dev *dev,
+ {
+ struct sk_buff *skb = q->rx_head;
+ struct skb_shared_info *shinfo = skb_shinfo(skb);
++ int nr_frags = shinfo->nr_frags;
+
+- if (shinfo->nr_frags < ARRAY_SIZE(shinfo->frags)) {
++ if (nr_frags < ARRAY_SIZE(shinfo->frags)) {
+ struct page *page = virt_to_head_page(data);
+ int offset = data - page_address(page) + q->buf_offset;
+
+- skb_add_rx_frag(skb, shinfo->nr_frags, page, offset, len,
+- q->buf_size);
++ skb_add_rx_frag(skb, nr_frags, page, offset, len, q->buf_size);
+ } else {
+ skb_free_frag(data);
+ }
+@@ -469,7 +469,10 @@ mt76_add_fragment(struct mt76_dev *dev,
+ return;
+
+ q->rx_head = NULL;
+- dev->drv->rx_skb(dev, q - dev->q_rx, skb);
++ if (nr_frags < ARRAY_SIZE(shinfo->frags))
++ dev->drv->rx_skb(dev, q - dev->q_rx, skb);
++ else
++ dev_kfree_skb(skb);
+ }
+
+ static int
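Review bot: The delivery decision in this hunk is only correct because `nr_frags` is the value sampled before `skb_add_rx_frag()` ran (declared in the previous hunk), and the same `nr_frags < ARRAY_SIZE(shinfo->frags)` test is written out twice. A comment on the else branch such as `/* frag array was full: frame is truncated, drop it */` would make the intent explicit, and hoisting the test into one local (`bool fits = nr_frags < ARRAY_SIZE(shinfo->frags);`) would remove the duplication. The drop is also silent; if the driver keeps an RX drop counter, incrementing it here would make truncated frames visible to monitoring. mt76_add_fragment() starts outside these hunks.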
--- /dev/null
+From 03a3ca37e4c6478e3a84f04c8429dd5889e107fd Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Wed, 24 Feb 2021 17:23:19 +0100
+Subject: netfilter: nf_nat: undo erroneous tcp edemux lookup
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 03a3ca37e4c6478e3a84f04c8429dd5889e107fd upstream.
+
+Under extremely rare conditions TCP early demux will retrieve the wrong
+socket.
+
+1. local machine establishes a connection to a remote server, S, on port
+ p.
+
+ This gives:
+ laddr:lport -> S:p
+ ... both in tcp and conntrack.
+
+2. local machine establishes a connection to host H, on port p2.
+ 2a. TCP stack choses same laddr:lport, so we have
+ laddr:lport -> H:p2 from TCP point of view.
+ 2b). There is a destination NAT rewrite in place, translating
+ H:p2 to S:p. This results in following conntrack entries:
+
+ I) laddr:lport -> S:p (origin) S:p -> laddr:lport (reply)
+ II) laddr:lport -> H:p2 (origin) S:p -> laddr:lport2 (reply)
+
+ NAT engine has rewritten laddr:lport to laddr:lport2 to map
+ the reply packet to the correct origin.
+
+ When server sends SYN/ACK to laddr:lport2, the PREROUTING hook
+ will undo-the SNAT transformation, rewriting IP header to
+ S:p -> laddr:lport
+
+ This causes TCP early demux to associate the skb with the TCP socket
+ of the first connection.
+
+ The INPUT hook will then reverse the DNAT transformation, rewriting
+ the IP header to H:p2 -> laddr:lport.
+
+Because packet ends up with the wrong socket, the new connection
+never completes: originator stays in SYN_SENT and conntrack entry
+remains in SYN_RECV until timeout, and responder retransmits SYN/ACK
+until it gives up.
+
+To resolve this, orphan the skb after the input rewrite:
+Because the source IP address changed, the socket must be incorrect.
+We can't move the DNAT undo to prerouting due to backwards
+compatibility, doing so will make iptables/nftables rules to no longer
+match the way they did.
+
+After orphan, the packet will be handed to the next protocol layer
+(tcp, udp, ...) and that will repeat the socket lookup just like as if
+early demux was disabled.
+
+Fixes: 41063e9dd1195 ("ipv4: Early TCP socket demux.")
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1427
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_nat_proto.c | 25 +++++++++++++++++++++----
+ 1 file changed, 21 insertions(+), 4 deletions(-)
+
+--- a/net/netfilter/nf_nat_proto.c
++++ b/net/netfilter/nf_nat_proto.c
+@@ -646,8 +646,8 @@ nf_nat_ipv4_fn(void *priv, struct sk_buf
+ }
+
+ static unsigned int
+-nf_nat_ipv4_in(void *priv, struct sk_buff *skb,
+- const struct nf_hook_state *state)
++nf_nat_ipv4_pre_routing(void *priv, struct sk_buff *skb,
++ const struct nf_hook_state *state)
+ {
+ unsigned int ret;
+ __be32 daddr = ip_hdr(skb)->daddr;
+@@ -660,6 +660,23 @@ nf_nat_ipv4_in(void *priv, struct sk_buf
+ }
+
+ static unsigned int
++nf_nat_ipv4_local_in(void *priv, struct sk_buff *skb,
++ const struct nf_hook_state *state)
++{
++ __be32 saddr = ip_hdr(skb)->saddr;
++ struct sock *sk = skb->sk;
++ unsigned int ret;
++
++ ret = nf_nat_ipv4_fn(priv, skb, state);
++
++ if (ret == NF_ACCEPT && sk && saddr != ip_hdr(skb)->saddr &&
++ !inet_sk_transparent(sk))
++ skb_orphan(skb); /* TCP edemux obtained wrong socket */
++
++ return ret;
++}
++
++static unsigned int
+ nf_nat_ipv4_out(void *priv, struct sk_buff *skb,
+ const struct nf_hook_state *state)
+ {
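Review bot: The orphan condition in `nf_nat_ipv4_local_in()` compares only the source address (`saddr != ip_hdr(skb)->saddr`), so a NAT undo that rewrites only the source port would leave the early-demuxed socket attached even though the tuple changed. Whether a port-only rewrite can reach this hook is not visible from the hunk; if it can, the check would need to cover the transport source port as well, and if it cannot, the comment next to `skb_orphan()` should state that assumption. The visible hunks also touch only the IPv4 hook table, so it is worth confirming whether the IPv6 path needs the same treatment.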
+@@ -736,7 +753,7 @@ nf_nat_ipv4_local_fn(void *priv, struct
+ static const struct nf_hook_ops nf_nat_ipv4_ops[] = {
+ /* Before packet filtering, change destination */
+ {
+- .hook = nf_nat_ipv4_in,
++ .hook = nf_nat_ipv4_pre_routing,
+ .pf = NFPROTO_IPV4,
+ .hooknum = NF_INET_PRE_ROUTING,
+ .priority = NF_IP_PRI_NAT_DST,
+@@ -757,7 +774,7 @@ static const struct nf_hook_ops nf_nat_i
+ },
+ /* After packet filtering, change source */
+ {
+- .hook = nf_nat_ipv4_fn,
++ .hook = nf_nat_ipv4_local_in,
+ .pf = NFPROTO_IPV4,
+ .hooknum = NF_INET_LOCAL_IN,
+ .priority = NF_IP_PRI_NAT_SRC,
--- /dev/null
+From 8e24edddad152b998b37a7f583175137ed2e04a5 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Sat, 27 Feb 2021 11:27:45 +0300
+Subject: netfilter: x_tables: gpf inside xt_find_revision()
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit 8e24edddad152b998b37a7f583175137ed2e04a5 upstream.
+
+nested target/match_revfn() calls work with xt[NFPROTO_UNSPEC] lists
+without taking xt[NFPROTO_UNSPEC].mutex. This can race with module unload
+and cause host to crash:
+
+general protection fault: 0000 [#1]
+Modules linked in: ... [last unloaded: xt_cluster]
+CPU: 0 PID: 542455 Comm: iptables
+RIP: 0010:[<ffffffff8ffbd518>] [<ffffffff8ffbd518>] strcmp+0x18/0x40
+RDX: 0000000000000003 RSI: ffff9a5a5d9abe10 RDI: dead000000000111
+R13: ffff9a5a5d9abe10 R14: ffff9a5a5d9abd8c R15: dead000000000100
+(VvS: %R15 -- &xt_match, %RDI -- &xt_match.name,
+xt_cluster unregister match in xt[NFPROTO_UNSPEC].match list)
+Call Trace:
+ [<ffffffff902ccf44>] match_revfn+0x54/0xc0
+ [<ffffffff902ccf9f>] match_revfn+0xaf/0xc0
+ [<ffffffff902cd01e>] xt_find_revision+0x6e/0xf0
+ [<ffffffffc05a5be0>] do_ipt_get_ctl+0x100/0x420 [ip_tables]
+ [<ffffffff902cc6bf>] nf_getsockopt+0x4f/0x70
+ [<ffffffff902dd99e>] ip_getsockopt+0xde/0x100
+ [<ffffffff903039b5>] raw_getsockopt+0x25/0x50
+ [<ffffffff9026c5da>] sock_common_getsockopt+0x1a/0x20
+ [<ffffffff9026b89d>] SyS_getsockopt+0x7d/0xf0
+ [<ffffffff903cbf92>] system_call_fastpath+0x25/0x2a
+
+Fixes: 656caff20e1 ("netfilter 04/09: x_tables: fix match/target revision lookup")
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/x_tables.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/netfilter/x_tables.c
++++ b/net/netfilter/x_tables.c
+@@ -330,6 +330,7 @@ static int match_revfn(u8 af, const char
+ const struct xt_match *m;
+ int have_rev = 0;
+
++ mutex_lock(&xt[af].mutex);
+ list_for_each_entry(m, &xt[af].match, list) {
+ if (strcmp(m->name, name) == 0) {
+ if (m->revision > *bestp)
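Review bot: The lock is now taken around each list walk instead of once in xt_find_revision(), but the code does not say why, and the reason is not obvious from this function alone: the NFPROTO_UNSPEC fallback (visible in the next hunk) walks a different list guarded by a different element of `xt[]`. A comment at the lock, e.g. `/* each family's list has its own mutex; it is dropped before the NFPROTO_UNSPEC fallback takes its own */`, would keep a later cleanup from hoisting the lock back into the caller. The same comment applies to the lock/unlock pair added to target_revfn() in the following hunks. match_revfn() starts and ends outside this hunk.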
+@@ -338,6 +339,7 @@ static int match_revfn(u8 af, const char
+ have_rev = 1;
+ }
+ }
++ mutex_unlock(&xt[af].mutex);
+
+ if (af != NFPROTO_UNSPEC && !have_rev)
+ return match_revfn(NFPROTO_UNSPEC, name, revision, bestp);
+@@ -350,6 +352,7 @@ static int target_revfn(u8 af, const cha
+ const struct xt_target *t;
+ int have_rev = 0;
+
++ mutex_lock(&xt[af].mutex);
+ list_for_each_entry(t, &xt[af].target, list) {
+ if (strcmp(t->name, name) == 0) {
+ if (t->revision > *bestp)
+@@ -358,6 +361,7 @@ static int target_revfn(u8 af, const cha
+ have_rev = 1;
+ }
+ }
++ mutex_unlock(&xt[af].mutex);
+
+ if (af != NFPROTO_UNSPEC && !have_rev)
+ return target_revfn(NFPROTO_UNSPEC, name, revision, bestp);
+@@ -371,12 +375,10 @@ int xt_find_revision(u8 af, const char *
+ {
+ int have_rev, best = -1;
+
+- mutex_lock(&xt[af].mutex);
+ if (target == 1)
+ have_rev = target_revfn(af, name, revision, &best);
+ else
+ have_rev = match_revfn(af, name, revision, &best);
+- mutex_unlock(&xt[af].mutex);
+
+ /* Nothing at all? Return 0 to try loading module. */
+ if (best == -1) {
--- /dev/null
+From 6bc6699881012b5bd5d49fa861a69a37fc01b49c Mon Sep 17 00:00:00 2001
+From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Date: Wed, 3 Mar 2021 19:56:35 +0100
+Subject: samples, bpf: Add missing munmap in xdpsock
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+
+commit 6bc6699881012b5bd5d49fa861a69a37fc01b49c upstream.
+
+We mmap the umem region, but we never munmap it.
+Add the missing call at the end of the cleanup.
+
+Fixes: 3945b37a975d ("samples/bpf: use hugepages in xdpsock app")
+Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Björn Töpel <bjorn.topel@intel.com>
+Link: https://lore.kernel.org/bpf/20210303185636.18070-3-maciej.fijalkowski@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ samples/bpf/xdpsock_user.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/samples/bpf/xdpsock_user.c
++++ b/samples/bpf/xdpsock_user.c
+@@ -783,5 +783,7 @@ int main(int argc, char **argv)
+ else
+ l2fwd_all();
+
++ munmap(bufs, NUM_FRAMES * opt_xsk_frame_size);
++
+ return 0;
+ }
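Review bot: The length passed to `munmap()` is recomputed as `NUM_FRAMES * opt_xsk_frame_size` instead of being taken from the mapping call, and the return value is dropped. The matching mmap() is outside this hunk, so whether both sides use the same expression and arithmetic type cannot be confirmed from here. Keeping the size in one local used by both calls would stop them drifting apart, and a failed unmap could be reported with `if (munmap(bufs, umem_len)) perror("munmap");`, where `umem_len` is a placeholder name. Only the tail of main() is visible, so earlier exit paths may still leave the region mapped.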
--- /dev/null
+From 6185266c5a853bb0f2a459e3ff594546f277609b Mon Sep 17 00:00:00 2001
+From: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>
+Date: Sun, 28 Feb 2021 12:30:17 +0200
+Subject: selftests/bpf: Mask bpf_csum_diff() return value to 16 bits in test_verifier
+
+From: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>
+
+commit 6185266c5a853bb0f2a459e3ff594546f277609b upstream.
+
+The verifier test labelled "valid read map access into a read-only array
+2" calls the bpf_csum_diff() helper and checks its return value. However,
+architecture implementations of csum_partial() (which is what the helper
+uses) differ in whether they fold the return value to 16 bit or not. For
+example, x86 version has ...
+
+ if (unlikely(odd)) {
+ result = from32to16(result);
+ result = ((result >> 8) & 0xff) | ((result & 0xff) << 8);
+ }
+
+... while generic lib/checksum.c does:
+
+ result = from32to16(result);
+ if (odd)
+ result = ((result >> 8) & 0xff) | ((result & 0xff) << 8);
+
+This makes the helper return different values on different architectures,
+breaking the test on non-x86. To fix this, add an additional instruction
+to always mask the return value to 16 bits, and update the expected return
+value accordingly.
+
+Fixes: fb2abb73e575 ("bpf, selftest: test {rd, wr}only flags and direct value access")
+Signed-off-by: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20210228103017.320240-1-yauheni.kaliuta@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/bpf/verifier/array_access.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/bpf/verifier/array_access.c
++++ b/tools/testing/selftests/bpf/verifier/array_access.c
+@@ -250,12 +250,13 @@
+ BPF_MOV64_IMM(BPF_REG_5, 0),
+ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+ BPF_FUNC_csum_diff),
++ BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff),
+ BPF_EXIT_INSN(),
+ },
+ .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+ .fixup_map_array_ro = { 3 },
+ .result = ACCEPT,
+- .retval = -29,
++ .retval = 65507,
+ },
+ {
+ "invalid write map access into a read-only array 1",
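Review bot: The new expected value `65507` is an unexplained magic number once the old `-29` is gone from the file. It is the previous result masked to 16 bits (65536 - 29), which follows from the added `BPF_AND` with `0xffff`. A trailing comment would keep the link visible, for example `.retval = 65507, /* -29 & 0xffff: csum_partial() folding differs per arch */`. A short comment on the `BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff)` line saying the mask exists for cross-architecture stability would also stop someone removing it as redundant.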
--- /dev/null
+From 557c223b643a35effec9654958d8edc62fd2603a Mon Sep 17 00:00:00 2001
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Wed, 24 Feb 2021 16:14:03 +0800
+Subject: selftests/bpf: No need to drop the packet when there is no geneve opt
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+commit 557c223b643a35effec9654958d8edc62fd2603a upstream.
+
+In bpf geneve tunnel test we set geneve option on tx side. On rx side we
+only call bpf_skb_get_tunnel_opt(). Since commit 9c2e14b48119 ("ip_tunnels:
+Set tunnel option flag when tunnel metadata is present") geneve_rx() will
+not add TUNNEL_GENEVE_OPT flag if there is no geneve option, which cause
+bpf_skb_get_tunnel_opt() return ENOENT and _geneve_get_tunnel() in
+test_tunnel_kern.c drop the packet.
+
+As it should be valid that bpf_skb_get_tunnel_opt() return error when
+there is not tunnel option, there is no need to drop the packet and
+break all geneve rx traffic. Just set opt_class to 0 in this test and
+keep returning TC_ACT_OK.
+
+Fixes: 933a741e3b82 ("selftests/bpf: bpf tunnel test.")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: William Tu <u9012063@gmail.com>
+Link: https://lore.kernel.org/bpf/20210224081403.1425474-1-liuhangbin@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/bpf/progs/test_tunnel_kern.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/tools/testing/selftests/bpf/progs/test_tunnel_kern.c
++++ b/tools/testing/selftests/bpf/progs/test_tunnel_kern.c
+@@ -446,10 +446,8 @@ int _geneve_get_tunnel(struct __sk_buff
+ }
+
+ ret = bpf_skb_get_tunnel_opt(skb, &gopt, sizeof(gopt));
+- if (ret < 0) {
+- ERROR(ret);
+- return TC_ACT_SHOT;
+- }
++ if (ret < 0)
++ gopt.opt_class = 0;
+
+ bpf_trace_printk(fmt, sizeof(fmt),
+ key.tunnel_id, key.remote_ipv4, gopt.opt_class);
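Review bot: The new `if (ret < 0)` branch treats every failure of bpf_skb_get_tunnel_opt() as "no option present", although the commit message justifies only the ENOENT case. Any other error is now silently turned into `opt_class = 0` and the test keeps returning TC_ACT_OK, so a real regression in the helper would no longer show up here. Consider limiting the fallback to the not-found code and keeping the `ERROR(ret)` and `TC_ACT_SHOT` path for the rest, provided the errno constant is available in this program. At minimum add a comment such as `/* no geneve option on rx is valid; report class 0 */`. The declaration of `gopt` is outside the hunk, so it is not visible whether its other fields are initialised on this path; only `opt_class` is read in the visible lines.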
net-fix-gro-aggregation-for-udp-encaps-with-zero-csum.patch
net-check-if-protocol-extracted-by-virtio_net_hdr_set_proto-is-correct.patch
net-avoid-infinite-loop-in-mpls_gso_segment-when-mpls_hlen-0.patch
+gpiolib-acpi-allow-to-find-gpioint-resource-by-name-and-index.patch
+can-skb-can_skb_set_owner-fix-ref-counting-if-socket-was-closed-before-setting-skb-ownership.patch
+gpio-pca953x-set-irq-type-when-handle-intel-galileo-gen-2.patch
+can-flexcan-assert-frz-bit-in-flexcan_chip_freeze.patch
+can-flexcan-enable-rx-fifo-after-frz-halt-valid.patch
+can-flexcan-invoke-flexcan_chip_freeze-to-enter-freeze-mode.patch
+can-tcan4x5x-tcan4x5x_init-fix-initialization-clear-mram-before-entering-normal-mode.patch
+tcp-add-sanity-tests-to-tcp_queue_seq.patch
+netfilter-nf_nat-undo-erroneous-tcp-edemux-lookup.patch
+netfilter-x_tables-gpf-inside-xt_find_revision.patch
+selftests-bpf-no-need-to-drop-the-packet-when-there-is-no-geneve-opt.patch
+selftests-bpf-mask-bpf_csum_diff-return-value-to-16-bits-in-test_verifier.patch
+samples-bpf-add-missing-munmap-in-xdpsock.patch
+ibmvnic-always-store-valid-mac-address.patch
+mt76-dma-do-not-report-truncated-frames-to-mac80211.patch
--- /dev/null
+From 8811f4a9836e31c14ecdf79d9f3cb7c5d463265d Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 1 Mar 2021 10:29:17 -0800
+Subject: tcp: add sanity tests to TCP_QUEUE_SEQ
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 8811f4a9836e31c14ecdf79d9f3cb7c5d463265d upstream.
+
+Qingyu Li reported a syzkaller bug where the repro
+changes RCV SEQ _after_ restoring data in the receive queue.
+
+mprotect(0x4aa000, 12288, PROT_READ) = 0
+mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
+mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
+mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
+socket(AF_INET6, SOCK_STREAM, IPPROTO_IP) = 3
+setsockopt(3, SOL_TCP, TCP_REPAIR, [1], 4) = 0
+connect(3, {sa_family=AF_INET6, sin6_port=htons(0), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}, 28) = 0
+setsockopt(3, SOL_TCP, TCP_REPAIR_QUEUE, [1], 4) = 0
+sendmsg(3, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="0x0000000000000003\0\0", iov_len=20}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 20
+setsockopt(3, SOL_TCP, TCP_REPAIR, [0], 4) = 0
+setsockopt(3, SOL_TCP, TCP_QUEUE_SEQ, [128], 4) = 0
+recvfrom(3, NULL, 20, 0, NULL, NULL) = -1 ECONNRESET (Connection reset by peer)
+
+syslog shows:
+[ 111.205099] TCP recvmsg seq # bug 2: copied 80, seq 0, rcvnxt 80, fl 0
+[ 111.207894] WARNING: CPU: 1 PID: 356 at net/ipv4/tcp.c:2343 tcp_recvmsg_locked+0x90e/0x29a0
+
+This should not be allowed. TCP_QUEUE_SEQ should only be used
+when queues are empty.
+
+This patch fixes this case, and the tx path as well.
+
+Fixes: ee9952831cfd ("tcp: Initial repair mode")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Pavel Emelyanov <xemul@parallels.com>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=212005
+Reported-by: Qingyu Li <ieatmuttonchuan@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp.c | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2957,16 +2957,23 @@ static int do_tcp_setsockopt(struct sock
+ break;
+
+ case TCP_QUEUE_SEQ:
+- if (sk->sk_state != TCP_CLOSE)
++ if (sk->sk_state != TCP_CLOSE) {
+ err = -EPERM;
+- else if (tp->repair_queue == TCP_SEND_QUEUE)
+- WRITE_ONCE(tp->write_seq, val);
+- else if (tp->repair_queue == TCP_RECV_QUEUE) {
+- WRITE_ONCE(tp->rcv_nxt, val);
+- WRITE_ONCE(tp->copied_seq, val);
+- }
+- else
++ } else if (tp->repair_queue == TCP_SEND_QUEUE) {
++ if (!tcp_rtx_queue_empty(sk))
++ err = -EPERM;
++ else
++ WRITE_ONCE(tp->write_seq, val);
++ } else if (tp->repair_queue == TCP_RECV_QUEUE) {
++ if (tp->rcv_nxt != tp->copied_seq) {
++ err = -EPERM;
++ } else {
++ WRITE_ONCE(tp->rcv_nxt, val);
++ WRITE_ONCE(tp->copied_seq, val);
++ }
++ } else {
+ err = -EINVAL;
++ }
+ break;
+
+ case TCP_REPAIR_OPTIONS:
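Review bot: The two new `-EPERM` branches under `case TCP_QUEUE_SEQ:` both mean "queue must be empty", but they express it in different ways and neither says so. The send side calls `tcp_rtx_queue_empty(sk)`, while the receive side compares `tp->rcv_nxt != tp->copied_seq`, which is not obviously an emptiness test. Comments would make the invariant explicit, for example `/* refuse to move write_seq while data is queued for retransmit */` and `/* unread data in the receive queue: rcv_nxt is ahead of copied_seq */`. The comparison reads both fields plainly while the stores use `WRITE_ONCE`. Presumably the socket lock is held at this point, but do_tcp_setsockopt() starts outside the hunk, so that should be confirmed or noted.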