--- /dev/null
+From e5f13b283754ea047cb9eeeace00b602ebff15ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 13:06:09 +0200
+Subject: bpftool: Check malloc return value in mount_bpffs_for_pin
+
+From: Tobias Klauser <tklauser@distanz.ch>
+
+[ Upstream commit d444b06e40855219ef38b5e9286db16d435f06dc ]
+
+Fix and add a missing NULL check for the prior malloc() call.
+
+Fixes: 49a086c201a9 ("bpftool: implement prog load command")
+Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Quentin Monnet <quentin@isovalent.com>
+Acked-by: Roman Gushchin <guro@fb.com>
+Link: https://lore.kernel.org/bpf/20210715110609.29364-1-tklauser@distanz.ch
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/bpf/bpftool/common.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/tools/bpf/bpftool/common.c b/tools/bpf/bpftool/common.c
+index 158469f57461..7faf24ef3c80 100644
+--- a/tools/bpf/bpftool/common.c
++++ b/tools/bpf/bpftool/common.c
+@@ -182,6 +182,11 @@ int do_pin_fd(int fd, const char *name)
+ goto out;
+
+ file = malloc(strlen(name) + 1);
++ if (!file) {
++ p_err("mem alloc failed");
++ return -1;
++ }
++
+ strcpy(file, name);
+ dir = dirname(file);
+
+--
+2.30.2
+
--- /dev/null
+From b77190df5d1cd2391e0ba9938cc4b8fc3c8845ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Jul 2021 15:45:23 +0200
+Subject: drm/panel: raspberrypi-touchscreen: Prevent double-free
+
+From: Maxime Ripard <maxime@cerno.tech>
+
+[ Upstream commit 7bbcb919e32d776ca8ddce08abb391ab92eef6a9 ]
+
+The mipi_dsi_device allocated by mipi_dsi_device_register_full() is
+already free'd on release.
+
+Fixes: 2f733d6194bd ("drm/panel: Add support for the Raspberry Pi 7" Touchscreen.")
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Reviewed-by: Sam Ravnborg <sam@ravnborg.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210720134525.563936-9-maxime@cerno.tech
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/panel/panel-raspberrypi-touchscreen.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/panel/panel-raspberrypi-touchscreen.c b/drivers/gpu/drm/panel/panel-raspberrypi-touchscreen.c
+index aab6a70ece7f..06bd03915973 100644
+--- a/drivers/gpu/drm/panel/panel-raspberrypi-touchscreen.c
++++ b/drivers/gpu/drm/panel/panel-raspberrypi-touchscreen.c
+@@ -454,7 +454,6 @@ static int rpi_touchscreen_remove(struct i2c_client *i2c)
+ drm_panel_remove(&ts->base);
+
+ mipi_dsi_device_unregister(ts->dsi);
+- kfree(ts->dsi);
+
+ return 0;
+ }
+--
+2.30.2
+
--- /dev/null
+From a2e834c03a418cd8f75230bd100d7d92a88c5391 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 07:05:53 +0200
+Subject: e1000e: Fix an error handling path in 'e1000_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 4589075608420bc49fcef6e98279324bf2bb91ae ]
+
+If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it
+must be undone by a corresponding 'pci_disable_pcie_error_reporting()'
+call, as already done in the remove function.
+
+Fixes: 111b9dc5c981 ("e1000e: add aer support")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Acked-by: Sasha Neftin <sasha.neftin@intel.com>
+Tested-by: Dvora Fuxbrumer <dvorax.fuxbrumer@linux.intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/e1000e/netdev.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c
+index 6bbe7afdf30c..398f5951d11c 100644
+--- a/drivers/net/ethernet/intel/e1000e/netdev.c
++++ b/drivers/net/ethernet/intel/e1000e/netdev.c
+@@ -7369,6 +7369,7 @@ err_flashmap:
+ err_ioremap:
+ free_netdev(netdev);
+ err_alloc_etherdev:
++ pci_disable_pcie_error_reporting(pdev);
+ pci_release_mem_regions(pdev);
+ err_pci_reg:
+ err_dma:
+--
+2.30.2
+
--- /dev/null
+From a31e0cd458f7a4dd2a29c151a941c25e24886bdf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 07:00:36 +0200
+Subject: fm10k: Fix an error handling path in 'fm10k_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit e85e14d68f517ef12a5fb8123fff65526b35b6cd ]
+
+If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it
+must be undone by a corresponding 'pci_disable_pcie_error_reporting()'
+call, as already done in the remove function.
+
+Fixes: 19ae1b3fb99c ("fm10k: Add support for PCI power management and error handling")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/fm10k/fm10k_pci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/fm10k/fm10k_pci.c b/drivers/net/ethernet/intel/fm10k/fm10k_pci.c
+index c859ababeed5..6e888874010e 100644
+--- a/drivers/net/ethernet/intel/fm10k/fm10k_pci.c
++++ b/drivers/net/ethernet/intel/fm10k/fm10k_pci.c
+@@ -2228,6 +2228,7 @@ err_sw_init:
+ err_ioremap:
+ free_netdev(netdev);
+ err_alloc_netdev:
++ pci_disable_pcie_error_reporting(pdev);
+ pci_release_mem_regions(pdev);
+ err_pci_reg:
+ err_dma:
+--
+2.30.2
+
--- /dev/null
+From 17bed2ab8fea21c3dcdd642b4a312c03911d4dec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 07:53:02 +0200
+Subject: iavf: Fix an error handling path in 'iavf_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit af30cbd2f4d6d66a9b6094e0aa32420bc8b20e08 ]
+
+If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it
+must be undone by a corresponding 'pci_disable_pcie_error_reporting()'
+call, as already done in the remove function.
+
+Fixes: 5eae00c57f5e ("i40evf: main driver core")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40evf/i40evf_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/i40evf/i40evf_main.c b/drivers/net/ethernet/intel/i40evf/i40evf_main.c
+index f50c19b83368..ac5709624c7a 100644
+--- a/drivers/net/ethernet/intel/i40evf/i40evf_main.c
++++ b/drivers/net/ethernet/intel/i40evf/i40evf_main.c
+@@ -3735,6 +3735,7 @@ static int i40evf_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ err_ioremap:
+ free_netdev(netdev);
+ err_alloc_etherdev:
++ pci_disable_pcie_error_reporting(pdev);
+ pci_release_regions(pdev);
+ err_pci_reg:
+ err_dma:
+--
+2.30.2
+
--- /dev/null
+From cc025d23575797ee96008d4c80fbab5bccc7f017 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Apr 2021 10:19:23 +0000
+Subject: igb: Check if num of q_vectors is smaller than max before array
+ access
+
+From: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+
+[ Upstream commit 6c19d772618fea40d9681f259368f284a330fd90 ]
+
+Ensure that the adapter->q_vector[MAX_Q_VECTORS] array isn't accessed
+beyond its size. It was fixed by using a local variable num_q_vectors
+as a limit for loop index, and ensure that num_q_vectors is not bigger
+than MAX_Q_VECTORS.
+
+Fixes: 047e0030f1e6 ("igb: add new data structure for handling interrupts and NAPI")
+Signed-off-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Reviewed-by: Grzegorz Siwik <grzegorz.siwik@intel.com>
+Reviewed-by: Arkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
+Reviewed-by: Slawomir Laba <slawomirx.laba@intel.com>
+Reviewed-by: Sylwester Dziedziuch <sylwesterx.dziedziuch@intel.com>
+Reviewed-by: Mateusz Palczewski <mateusz.placzewski@intel.com>
+Tested-by: Tony Brelinski <tonyx.brelinski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index 8558d2e4ec18..243e304c35cd 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -938,6 +938,7 @@ static void igb_configure_msix(struct igb_adapter *adapter)
+ **/
+ static int igb_request_msix(struct igb_adapter *adapter)
+ {
++ unsigned int num_q_vectors = adapter->num_q_vectors;
+ struct net_device *netdev = adapter->netdev;
+ int i, err = 0, vector = 0, free_vector = 0;
+
+@@ -946,7 +947,13 @@ static int igb_request_msix(struct igb_adapter *adapter)
+ if (err)
+ goto err_out;
+
+- for (i = 0; i < adapter->num_q_vectors; i++) {
++ if (num_q_vectors > MAX_Q_VECTORS) {
++ num_q_vectors = MAX_Q_VECTORS;
++ dev_warn(&adapter->pdev->dev,
++ "The number of queue vectors (%d) is higher than max allowed (%d)\n",
++ adapter->num_q_vectors, MAX_Q_VECTORS);
++ }
++ for (i = 0; i < num_q_vectors; i++) {
+ struct igb_q_vector *q_vector = adapter->q_vector[i];
+
+ vector++;
+--
+2.30.2
+
--- /dev/null
+From c1001bb86518525a356e4dc03b96a97366ae2e97 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Jun 2021 22:08:33 +0200
+Subject: igb: Fix an error handling path in 'igb_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit fea03b1cebd653cd095f2e9a58cfe1c85661c363 ]
+
+If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it
+must be undone by a corresponding 'pci_disable_pcie_error_reporting()'
+call, as already done in the remove function.
+
+Fixes: 40a914fa72ab ("igb: Add support for pci-e Advanced Error Reporting")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Tested-by: Tony Brelinski <tonyx.brelinski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index cee5baa6d646..8558d2e4ec18 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -3495,6 +3495,7 @@ err_sw_init:
+ err_ioremap:
+ free_netdev(netdev);
+ err_alloc_etherdev:
++ pci_disable_pcie_error_reporting(pdev);
+ pci_release_mem_regions(pdev);
+ err_pci_reg:
+ err_dma:
+--
+2.30.2
+
--- /dev/null
+From 526ed6628da6682cb061d173d3c07c491d8343f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Jun 2021 22:42:17 +0000
+Subject: igb: Fix position of assignment to *ring
+
+From: Jedrzej Jagielski <jedrzej.jagielski@intel.com>
+
+[ Upstream commit 382a7c20d9253bcd5715789b8179528d0f3de72c ]
+
+Assignment to *ring should be done after correctness check of the
+argument queue.
+
+Fixes: 91db364236c8 ("igb: Refactor igb_configure_cbs()")
+Signed-off-by: Jedrzej Jagielski <jedrzej.jagielski@intel.com>
+Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Tested-by: Tony Brelinski <tonyx.brelinski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index 243e304c35cd..6221dafc76b9 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -1692,14 +1692,15 @@ static bool is_any_txtime_enabled(struct igb_adapter *adapter)
+ **/
+ static void igb_config_tx_modes(struct igb_adapter *adapter, int queue)
+ {
+- struct igb_ring *ring = adapter->tx_ring[queue];
+ struct net_device *netdev = adapter->netdev;
+ struct e1000_hw *hw = &adapter->hw;
++ struct igb_ring *ring;
+ u32 tqavcc, tqavctrl;
+ u16 value;
+
+ WARN_ON(hw->mac.type != e1000_i210);
+ WARN_ON(queue < 0 || queue > 1);
++ ring = adapter->tx_ring[queue];
+
+ /* If any of the Qav features is enabled, configure queues as SR and
+ * with HIGH PRIO. If none is, then configure them with LOW PRIO and
+--
+2.30.2
+
--- /dev/null
+From f9e6dc7c36bdf14f294d5ee0d4f44c5094cf046d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 May 2021 17:31:04 -0700
+Subject: igb: Fix use-after-free error during reset
+
+From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+
+[ Upstream commit 7b292608db23ccbbfbfa50cdb155d01725d7a52e ]
+
+Cleans the next descriptor to watch (next_to_watch) when cleaning the
+TX ring.
+
+Failure to do so can cause invalid memory accesses. If igb_poll() runs
+while the controller is reset this can lead to the driver try to free
+a skb that was already freed.
+
+(The crash is harder to reproduce with the igb driver, but the same
+potential problem exists as the code is identical to igc)
+
+Fixes: 7cc6fd4c60f2 ("igb: Don't bother clearing Tx buffer_info in igb_clean_tx_ring")
+Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Reported-by: Erez Geva <erez.geva.ext@siemens.com>
+Tested-by: Tony Brelinski <tonyx.brelinski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index d85eb80d8249..cee5baa6d646 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -4684,6 +4684,8 @@ static void igb_clean_tx_ring(struct igb_ring *tx_ring)
+ DMA_TO_DEVICE);
+ }
+
++ tx_buffer->next_to_watch = NULL;
++
+ /* move us one more past the eop_desc for start of next pkt */
+ tx_buffer++;
+ i++;
+--
+2.30.2
+
--- /dev/null
+From ca54356ddbb695d8e7c085248ca6dfb5ff0be9eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Jul 2021 11:13:35 +0200
+Subject: ipv6: fix 'disable_policy' for fwd packets
+
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+
+[ Upstream commit ccd27f05ae7b8ebc40af5b004e94517a919aa862 ]
+
+The goal of commit df789fe75206 ("ipv6: Provide ipv6 version of
+"disable_policy" sysctl") was to have the disable_policy from ipv4
+available on ipv6.
+However, it's not exactly the same mechanism. On IPv4, all packets coming
+from an interface, which has disable_policy set, bypass the policy check.
+For ipv6, this is done only for local packets, ie for packets destinated to
+an address configured on the incoming interface.
+
+Let's align ipv6 with ipv4 so that the 'disable_policy' sysctl has the same
+effect for both protocols.
+
+My first approach was to create a new kind of route cache entries, to be
+able to set DST_NOPOLICY without modifying routes. This would have added a
+lot of code. Because the local delivery path is already handled, I choose
+to focus on the forwarding path to minimize code churn.
+
+Fixes: df789fe75206 ("ipv6: Provide ipv6 version of "disable_policy" sysctl")
+Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ip6_output.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+index aa8f19f852cc..fc36f3b0dceb 100644
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -459,7 +459,9 @@ int ip6_forward(struct sk_buff *skb)
+ if (skb_warn_if_lro(skb))
+ goto drop;
+
+- if (!xfrm6_policy_check(NULL, XFRM_POLICY_FWD, skb)) {
++ if (!net->ipv6.devconf_all->disable_policy &&
++ !idev->cnf.disable_policy &&
++ !xfrm6_policy_check(NULL, XFRM_POLICY_FWD, skb)) {
+ __IP6_INC_STATS(net, idev, IPSTATS_MIB_INDISCARDS);
+ goto drop;
+ }
+--
+2.30.2
+
--- /dev/null
+From 047a5d9d41bf07ea426fd68998771a4e0990361e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Jun 2021 15:46:09 +0200
+Subject: ixgbe: Fix an error handling path in 'ixgbe_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit dd2aefcd5e37989ae5f90afdae44bbbf3a2990da ]
+
+If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it
+must be undone by a corresponding 'pci_disable_pcie_error_reporting()'
+call, as already done in the remove function.
+
+Fixes: 6fabd715e6d8 ("ixgbe: Implement PCIe AER support")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Tested-by: Tony Brelinski <tonyx.brelinski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+index 8fcd3ffb43e0..4d9d97e0b6c4 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+@@ -10925,6 +10925,7 @@ err_ioremap:
+ disable_dev = !test_and_set_bit(__IXGBE_DISABLED, &adapter->state);
+ free_netdev(netdev);
+ err_alloc_etherdev:
++ pci_disable_pcie_error_reporting(pdev);
+ pci_release_mem_regions(pdev);
+ err_pci_reg:
+ err_dma:
+--
+2.30.2
+
--- /dev/null
+From 17b8dd5d9404fa42c949a627d874fdbdf47ad8cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jul 2021 12:43:10 +1000
+Subject: KVM: PPC: Fix kvm_arch_vcpu_ioctl vcpu_load leak
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+[ Upstream commit bc4188a2f56e821ea057aca6bf444e138d06c252 ]
+
+vcpu_put is not called if the user copy fails. This can result in preempt
+notifier corruption and crashes, among other issues.
+
+Fixes: b3cebfe8c1ca ("KVM: PPC: Move vcpu_load/vcpu_put down to each ioctl case in kvm_arch_vcpu_ioctl")
+Reported-by: Alexey Kardashevskiy <aik@ozlabs.ru>
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20210716024310.164448-2-npiggin@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kvm/powerpc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/kvm/powerpc.c b/arch/powerpc/kvm/powerpc.c
+index 7c8354dfe80e..ad5a871a6cbf 100644
+--- a/arch/powerpc/kvm/powerpc.c
++++ b/arch/powerpc/kvm/powerpc.c
+@@ -1995,9 +1995,9 @@ long kvm_arch_vcpu_ioctl(struct file *filp,
+ {
+ struct kvm_enable_cap cap;
+ r = -EFAULT;
+- vcpu_load(vcpu);
+ if (copy_from_user(&cap, argp, sizeof(cap)))
+ goto out;
++ vcpu_load(vcpu);
+ r = kvm_vcpu_ioctl_enable_cap(vcpu, &cap);
+ vcpu_put(vcpu);
+ break;
+@@ -2021,9 +2021,9 @@ long kvm_arch_vcpu_ioctl(struct file *filp,
+ case KVM_DIRTY_TLB: {
+ struct kvm_dirty_tlb dirty;
+ r = -EFAULT;
+- vcpu_load(vcpu);
+ if (copy_from_user(&dirty, argp, sizeof(dirty)))
+ goto out;
++ vcpu_load(vcpu);
+ r = kvm_vcpu_ioctl_dirty_tlb(vcpu, &dirty);
+ vcpu_put(vcpu);
+ break;
+--
+2.30.2
+
--- /dev/null
+From efcc096758cf5b01ac8a647416ca6b589d1e33c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jul 2021 16:23:43 +0100
+Subject: liquidio: Fix unintentional sign extension issue on left shift of u16
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit e7efc2ce3d0789cd7c21b70ff00cd7838d382639 ]
+
+Shifting the u16 integer oct->pcie_port by CN23XX_PKT_INPUT_CTL_MAC_NUM_POS
+(29) bits will be promoted to a 32 bit signed int and then sign-extended
+to a u64. In the cases where oct->pcie_port where bit 2 is set (e.g. 3..7)
+the shifted value will be sign extended and the top 32 bits of the result
+will be set.
+
+Fix this by casting the u16 values to a u64 before the 29 bit left shift.
+
+Addresses-Coverity: ("Unintended sign extension")
+
+Fixes: 3451b97cce2d ("liquidio: CN23XX register setup")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c b/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c
+index 55fe80ca10d3..9e447983d0aa 100644
+--- a/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c
++++ b/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c
+@@ -420,7 +420,7 @@ static int cn23xx_pf_setup_global_input_regs(struct octeon_device *oct)
+ * bits 32:47 indicate the PVF num.
+ */
+ for (q_no = 0; q_no < ern; q_no++) {
+- reg_val = oct->pcie_port << CN23XX_PKT_INPUT_CTL_MAC_NUM_POS;
++ reg_val = (u64)oct->pcie_port << CN23XX_PKT_INPUT_CTL_MAC_NUM_POS;
+
+ /* for VF assigned queues. */
+ if (q_no < oct->sriov_info.pf_srn) {
+--
+2.30.2
+
--- /dev/null
+From 7bf48961bf86b202963e0f51b60c1730e85b86d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jul 2021 17:13:20 +0800
+Subject: net: decnet: Fix sleeping inside in af_decnet
+
+From: Yajun Deng <yajun.deng@linux.dev>
+
+[ Upstream commit 5f119ba1d5771bbf46d57cff7417dcd84d3084ba ]
+
+The release_sock() is blocking function, it would change the state
+after sleeping. use wait_woken() instead.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Yajun Deng <yajun.deng@linux.dev>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/decnet/af_decnet.c | 27 ++++++++++++---------------
+ 1 file changed, 12 insertions(+), 15 deletions(-)
+
+diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
+index 0e6f32defd67..cc7077105969 100644
+--- a/net/decnet/af_decnet.c
++++ b/net/decnet/af_decnet.c
+@@ -823,7 +823,7 @@ static int dn_auto_bind(struct socket *sock)
+ static int dn_confirm_accept(struct sock *sk, long *timeo, gfp_t allocation)
+ {
+ struct dn_scp *scp = DN_SK(sk);
+- DEFINE_WAIT(wait);
++ DEFINE_WAIT_FUNC(wait, woken_wake_function);
+ int err;
+
+ if (scp->state != DN_CR)
+@@ -833,11 +833,11 @@ static int dn_confirm_accept(struct sock *sk, long *timeo, gfp_t allocation)
+ scp->segsize_loc = dst_metric_advmss(__sk_dst_get(sk));
+ dn_send_conn_conf(sk, allocation);
+
+- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
++ add_wait_queue(sk_sleep(sk), &wait);
+ for(;;) {
+ release_sock(sk);
+ if (scp->state == DN_CC)
+- *timeo = schedule_timeout(*timeo);
++ *timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, *timeo);
+ lock_sock(sk);
+ err = 0;
+ if (scp->state == DN_RUN)
+@@ -851,9 +851,8 @@ static int dn_confirm_accept(struct sock *sk, long *timeo, gfp_t allocation)
+ err = -EAGAIN;
+ if (!*timeo)
+ break;
+- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
+ }
+- finish_wait(sk_sleep(sk), &wait);
++ remove_wait_queue(sk_sleep(sk), &wait);
+ if (err == 0) {
+ sk->sk_socket->state = SS_CONNECTED;
+ } else if (scp->state != DN_CC) {
+@@ -865,7 +864,7 @@ static int dn_confirm_accept(struct sock *sk, long *timeo, gfp_t allocation)
+ static int dn_wait_run(struct sock *sk, long *timeo)
+ {
+ struct dn_scp *scp = DN_SK(sk);
+- DEFINE_WAIT(wait);
++ DEFINE_WAIT_FUNC(wait, woken_wake_function);
+ int err = 0;
+
+ if (scp->state == DN_RUN)
+@@ -874,11 +873,11 @@ static int dn_wait_run(struct sock *sk, long *timeo)
+ if (!*timeo)
+ return -EALREADY;
+
+- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
++ add_wait_queue(sk_sleep(sk), &wait);
+ for(;;) {
+ release_sock(sk);
+ if (scp->state == DN_CI || scp->state == DN_CC)
+- *timeo = schedule_timeout(*timeo);
++ *timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, *timeo);
+ lock_sock(sk);
+ err = 0;
+ if (scp->state == DN_RUN)
+@@ -892,9 +891,8 @@ static int dn_wait_run(struct sock *sk, long *timeo)
+ err = -ETIMEDOUT;
+ if (!*timeo)
+ break;
+- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
+ }
+- finish_wait(sk_sleep(sk), &wait);
++ remove_wait_queue(sk_sleep(sk), &wait);
+ out:
+ if (err == 0) {
+ sk->sk_socket->state = SS_CONNECTED;
+@@ -1039,16 +1037,16 @@ static void dn_user_copy(struct sk_buff *skb, struct optdata_dn *opt)
+
+ static struct sk_buff *dn_wait_for_connect(struct sock *sk, long *timeo)
+ {
+- DEFINE_WAIT(wait);
++ DEFINE_WAIT_FUNC(wait, woken_wake_function);
+ struct sk_buff *skb = NULL;
+ int err = 0;
+
+- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
++ add_wait_queue(sk_sleep(sk), &wait);
+ for(;;) {
+ release_sock(sk);
+ skb = skb_dequeue(&sk->sk_receive_queue);
+ if (skb == NULL) {
+- *timeo = schedule_timeout(*timeo);
++ *timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, *timeo);
+ skb = skb_dequeue(&sk->sk_receive_queue);
+ }
+ lock_sock(sk);
+@@ -1063,9 +1061,8 @@ static struct sk_buff *dn_wait_for_connect(struct sock *sk, long *timeo)
+ err = -EAGAIN;
+ if (!*timeo)
+ break;
+- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
+ }
+- finish_wait(sk_sleep(sk), &wait);
++ remove_wait_queue(sk_sleep(sk), &wait);
+
+ return skb == NULL ? ERR_PTR(err) : skb;
+ }
+--
+2.30.2
+
--- /dev/null
+From f035cff6794e736190d6e08ec652b6237f1aa361 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 20:22:04 +0800
+Subject: net: fix uninit-value in caif_seqpkt_sendmsg
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+[ Upstream commit 991e634360f2622a683b48dfe44fe6d9cb765a09 ]
+
+When nr_segs equal to zero in iovec_from_user, the object
+msg->msg_iter.iov is uninit stack memory in caif_seqpkt_sendmsg
+which is defined in ___sys_sendmsg. So we cann't just judge
+msg->msg_iter.iov->base directlly. We can use nr_segs to judge
+msg in caif_seqpkt_sendmsg whether has data buffers.
+
+=====================================================
+BUG: KMSAN: uninit-value in caif_seqpkt_sendmsg+0x693/0xf60 net/caif/caif_socket.c:542
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1c9/0x220 lib/dump_stack.c:118
+ kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
+ __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
+ caif_seqpkt_sendmsg+0x693/0xf60 net/caif/caif_socket.c:542
+ sock_sendmsg_nosec net/socket.c:652 [inline]
+ sock_sendmsg net/socket.c:672 [inline]
+ ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2343
+ ___sys_sendmsg net/socket.c:2397 [inline]
+ __sys_sendmmsg+0x808/0xc90 net/socket.c:2480
+ __compat_sys_sendmmsg net/compat.c:656 [inline]
+
+Reported-by: syzbot+09a5d591c1f98cf5efcb@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?id=1ace85e8fc9b0d5a45c08c2656c3e91762daa9b8
+Fixes: bece7b2398d0 ("caif: Rewritten socket implementation")
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/caif/caif_socket.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c
+index 4b31f0aaa96d..348b8cb0bc24 100644
+--- a/net/caif/caif_socket.c
++++ b/net/caif/caif_socket.c
+@@ -539,7 +539,8 @@ static int caif_seqpkt_sendmsg(struct socket *sock, struct msghdr *msg,
+ goto err;
+
+ ret = -EINVAL;
+- if (unlikely(msg->msg_iter.iov->iov_base == NULL))
++ if (unlikely(msg->msg_iter.nr_segs == 0) ||
++ unlikely(msg->msg_iter.iov->iov_base == NULL))
+ goto err;
+ noblock = msg->msg_flags & MSG_DONTWAIT;
+
+--
+2.30.2
+
--- /dev/null
+From 520a75f52bd6b3a13eb06e1aab7fec3a77cfc82a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Jul 2021 16:41:24 -0700
+Subject: net/sched: act_skbmod: Skip non-Ethernet packets
+
+From: Peilin Ye <peilin.ye@bytedance.com>
+
+[ Upstream commit 727d6a8b7ef3d25080fad228b2c4a1d4da5999c6 ]
+
+Currently tcf_skbmod_act() assumes that packets use Ethernet as their L2
+protocol, which is not always the case. As an example, for CAN devices:
+
+ $ ip link add dev vcan0 type vcan
+ $ ip link set up vcan0
+ $ tc qdisc add dev vcan0 root handle 1: htb
+ $ tc filter add dev vcan0 parent 1: protocol ip prio 10 \
+ matchall action skbmod swap mac
+
+Doing the above silently corrupts all the packets. Do not perform skbmod
+actions for non-Ethernet packets.
+
+Fixes: 86da71b57383 ("net_sched: Introduce skbmod action")
+Reviewed-by: Cong Wang <cong.wang@bytedance.com>
+Signed-off-by: Peilin Ye <peilin.ye@bytedance.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/act_skbmod.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/net/sched/act_skbmod.c b/net/sched/act_skbmod.c
+index 21d195296121..03a272af664a 100644
+--- a/net/sched/act_skbmod.c
++++ b/net/sched/act_skbmod.c
+@@ -10,6 +10,7 @@
+ */
+
+ #include <linux/module.h>
++#include <linux/if_arp.h>
+ #include <linux/init.h>
+ #include <linux/kernel.h>
+ #include <linux/skbuff.h>
+@@ -36,6 +37,13 @@ static int tcf_skbmod_act(struct sk_buff *skb, const struct tc_action *a,
+ tcf_lastuse_update(&d->tcf_tm);
+ bstats_cpu_update(this_cpu_ptr(d->common.cpu_bstats), skb);
+
++ action = READ_ONCE(d->tcf_action);
++ if (unlikely(action == TC_ACT_SHOT))
++ goto drop;
++
++ if (!skb->dev || skb->dev->type != ARPHRD_ETHER)
++ return action;
++
+ /* XXX: if you are going to edit more fields beyond ethernet header
+ * (example when you add IP header replacement or vlan swap)
+ * then MAX_EDIT_LEN needs to change appropriately
+@@ -44,10 +52,6 @@ static int tcf_skbmod_act(struct sk_buff *skb, const struct tc_action *a,
+ if (unlikely(err)) /* best policy is to drop on the floor */
+ goto drop;
+
+- action = READ_ONCE(d->tcf_action);
+- if (unlikely(action == TC_ACT_SHOT))
+- goto drop;
+-
+ p = rcu_dereference_bh(d->skbmod_p);
+ flags = p->flags;
+ if (flags & SKBMOD_F_DMAC)
+--
+2.30.2
+
--- /dev/null
+From 045a51feedc6b3ba8c3ab1312925e16437318c6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Jul 2021 11:23:43 +0800
+Subject: net: sched: cls_api: Fix the the wrong parameter
+
+From: Yajun Deng <yajun.deng@linux.dev>
+
+[ Upstream commit 9d85a6f44bd5585761947f40f7821c9cd78a1bbe ]
+
+The 4th parameter in tc_chain_notify() should be flags rather than seq.
+Let's change it back correctly.
+
+Fixes: 32a4f5ecd738 ("net: sched: introduce chain object to uapi")
+Signed-off-by: Yajun Deng <yajun.deng@linux.dev>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/cls_api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
+index 184c20b86393..4413aa8d4e82 100644
+--- a/net/sched/cls_api.c
++++ b/net/sched/cls_api.c
+@@ -1918,7 +1918,7 @@ replay:
+ break;
+ case RTM_GETCHAIN:
+ err = tc_chain_notify(chain, skb, n->nlmsg_seq,
+- n->nlmsg_seq, n->nlmsg_type, true);
++ n->nlmsg_flags, n->nlmsg_type, true);
+ if (err < 0)
+ NL_SET_ERR_MSG(extack, "Failed to send chain notify message");
+ break;
+--
+2.30.2
+
--- /dev/null
+From f1bc05176c14590a3e89eccc4d40ef8d06799d66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Jul 2021 02:12:18 -0700
+Subject: net/tcp_fastopen: fix data races around tfo_active_disable_stamp
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 6f20c8adb1813467ea52c1296d52c4e95978cb2f ]
+
+tfo_active_disable_stamp is read and written locklessly.
+We need to annotate these accesses appropriately.
+
+Then, we need to perform the atomic_inc(tfo_active_disable_times)
+after the timestamp has been updated, and thus add barriers
+to make sure tcp_fastopen_active_should_disable() wont read
+a stale timestamp.
+
+Fixes: cf1ef3f0719b ("net/tcp_fastopen: Disable active side TFO in certain scenarios")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Wei Wang <weiwan@google.com>
+Cc: Yuchung Cheng <ycheng@google.com>
+Cc: Neal Cardwell <ncardwell@google.com>
+Acked-by: Wei Wang <weiwan@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_fastopen.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c
+index 018a48477355..2ab371f55525 100644
+--- a/net/ipv4/tcp_fastopen.c
++++ b/net/ipv4/tcp_fastopen.c
+@@ -454,8 +454,15 @@ void tcp_fastopen_active_disable(struct sock *sk)
+ {
+ struct net *net = sock_net(sk);
+
++ /* Paired with READ_ONCE() in tcp_fastopen_active_should_disable() */
++ WRITE_ONCE(net->ipv4.tfo_active_disable_stamp, jiffies);
++
++ /* Paired with smp_rmb() in tcp_fastopen_active_should_disable().
++ * We want net->ipv4.tfo_active_disable_stamp to be updated first.
++ */
++ smp_mb__before_atomic();
+ atomic_inc(&net->ipv4.tfo_active_disable_times);
+- net->ipv4.tfo_active_disable_stamp = jiffies;
++
+ NET_INC_STATS(net, LINUX_MIB_TCPFASTOPENBLACKHOLE);
+ }
+
+@@ -473,10 +480,16 @@ bool tcp_fastopen_active_should_disable(struct sock *sk)
+ if (!tfo_da_times)
+ return false;
+
++ /* Paired with smp_mb__before_atomic() in tcp_fastopen_active_disable() */
++ smp_rmb();
++
+ /* Limit timout to max: 2^6 * initial timeout */
+ multiplier = 1 << min(tfo_da_times - 1, 6);
+- timeout = multiplier * tfo_bh_timeout * HZ;
+- if (time_before(jiffies, sock_net(sk)->ipv4.tfo_active_disable_stamp + timeout))
++
++ /* Paired with the WRITE_ONCE() in tcp_fastopen_active_disable(). */
++ timeout = READ_ONCE(sock_net(sk)->ipv4.tfo_active_disable_stamp) +
++ multiplier * tfo_bh_timeout * HZ;
++ if (time_before(jiffies, timeout))
+ return true;
+
+ /* Mark check bit so we can check for successful active TFO
+--
+2.30.2
+
--- /dev/null
+From 5403c267e82cc1041bdd89951f6c24d2908e8136 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Jul 2021 22:40:13 +0800
+Subject: netrom: Decrease sock refcount when sock timers expire
+
+From: Nguyen Dinh Phi <phind.uet@gmail.com>
+
+[ Upstream commit 517a16b1a88bdb6b530f48d5d153478b2552d9a8 ]
+
+Commit 63346650c1a9 ("netrom: switch to sock timer API") switched to use
+sock timer API. It replaces mod_timer() by sk_reset_timer(), and
+del_timer() by sk_stop_timer().
+
+Function sk_reset_timer() will increase the refcount of sock if it is
+called on an inactive timer, hence, in case the timer expires, we need to
+decrease the refcount ourselves in the handler, otherwise, the sock
+refcount will be unbalanced and the sock will never be freed.
+
+Signed-off-by: Nguyen Dinh Phi <phind.uet@gmail.com>
+Reported-by: syzbot+10f1194569953b72f1ae@syzkaller.appspotmail.com
+Fixes: 63346650c1a9 ("netrom: switch to sock timer API")
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netrom/nr_timer.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/net/netrom/nr_timer.c b/net/netrom/nr_timer.c
+index 908e53ab47a4..426d49609524 100644
+--- a/net/netrom/nr_timer.c
++++ b/net/netrom/nr_timer.c
+@@ -124,11 +124,9 @@ static void nr_heartbeat_expiry(struct timer_list *t)
+ is accepted() it isn't 'dead' so doesn't get removed. */
+ if (sock_flag(sk, SOCK_DESTROY) ||
+ (sk->sk_state == TCP_LISTEN && sock_flag(sk, SOCK_DEAD))) {
+- sock_hold(sk);
+ bh_unlock_sock(sk);
+ nr_destroy_socket(sk);
+- sock_put(sk);
+- return;
++ goto out;
+ }
+ break;
+
+@@ -149,6 +147,8 @@ static void nr_heartbeat_expiry(struct timer_list *t)
+
+ nr_start_heartbeat(sk);
+ bh_unlock_sock(sk);
++out:
++ sock_put(sk);
+ }
+
+ static void nr_t2timer_expiry(struct timer_list *t)
+@@ -162,6 +162,7 @@ static void nr_t2timer_expiry(struct timer_list *t)
+ nr_enquiry_response(sk);
+ }
+ bh_unlock_sock(sk);
++ sock_put(sk);
+ }
+
+ static void nr_t4timer_expiry(struct timer_list *t)
+@@ -172,6 +173,7 @@ static void nr_t4timer_expiry(struct timer_list *t)
+ bh_lock_sock(sk);
+ nr_sk(sk)->condition &= ~NR_COND_PEER_RX_BUSY;
+ bh_unlock_sock(sk);
++ sock_put(sk);
+ }
+
+ static void nr_idletimer_expiry(struct timer_list *t)
+@@ -200,6 +202,7 @@ static void nr_idletimer_expiry(struct timer_list *t)
+ sock_set_flag(sk, SOCK_DEAD);
+ }
+ bh_unlock_sock(sk);
++ sock_put(sk);
+ }
+
+ static void nr_t1timer_expiry(struct timer_list *t)
+@@ -212,8 +215,7 @@ static void nr_t1timer_expiry(struct timer_list *t)
+ case NR_STATE_1:
+ if (nr->n2count == nr->n2) {
+ nr_disconnect(sk, ETIMEDOUT);
+- bh_unlock_sock(sk);
+- return;
++ goto out;
+ } else {
+ nr->n2count++;
+ nr_write_internal(sk, NR_CONNREQ);
+@@ -223,8 +225,7 @@ static void nr_t1timer_expiry(struct timer_list *t)
+ case NR_STATE_2:
+ if (nr->n2count == nr->n2) {
+ nr_disconnect(sk, ETIMEDOUT);
+- bh_unlock_sock(sk);
+- return;
++ goto out;
+ } else {
+ nr->n2count++;
+ nr_write_internal(sk, NR_DISCREQ);
+@@ -234,8 +235,7 @@ static void nr_t1timer_expiry(struct timer_list *t)
+ case NR_STATE_3:
+ if (nr->n2count == nr->n2) {
+ nr_disconnect(sk, ETIMEDOUT);
+- bh_unlock_sock(sk);
+- return;
++ goto out;
+ } else {
+ nr->n2count++;
+ nr_requeue_frames(sk);
+@@ -244,5 +244,7 @@ static void nr_t1timer_expiry(struct timer_list *t)
+ }
+
+ nr_start_t1timer(sk);
++out:
+ bh_unlock_sock(sk);
++ sock_put(sk);
+ }
+--
+2.30.2
+
--- /dev/null
+From d8159921fac2af5273e20e17cb14abadca1a9754 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Jul 2021 14:14:32 -0700
+Subject: nvme-pci: do not call nvme_dev_remove_admin from nvme_remove
+
+From: Casey Chen <cachen@purestorage.com>
+
+[ Upstream commit 251ef6f71be2adfd09546a26643426fe62585173 ]
+
+nvme_dev_remove_admin could free dev->admin_q and the admin_tagset
+while they are being accessed by nvme_dev_disable(), which can be called
+by nvme_reset_work via nvme_remove_dead_ctrl.
+
+Commit cb4bfda62afa ("nvme-pci: fix hot removal during error handling")
+intended to avoid requests being stuck on a removed controller by killing
+the admin queue. But the later fix c8e9e9b7646e ("nvme-pci: unquiesce
+admin queue on shutdown"), together with nvme_dev_disable(dev, true)
+right before nvme_dev_remove_admin() could help dispatch requests and
+fail them early, so we don't need nvme_dev_remove_admin() any more.
+
+Fixes: cb4bfda62afa ("nvme-pci: fix hot removal during error handling")
+Signed-off-by: Casey Chen <cachen@purestorage.com>
+Reviewed-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index 82d87d2e280c..8f1f10fa0dd6 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -2605,7 +2605,6 @@ static void nvme_remove(struct pci_dev *pdev)
+ if (!pci_device_is_present(pdev)) {
+ nvme_change_ctrl_state(&dev->ctrl, NVME_CTRL_DEAD);
+ nvme_dev_disable(dev, true);
+- nvme_dev_remove_admin(dev);
+ }
+
+ flush_work(&dev->ctrl.reset_work);
+--
+2.30.2
+
--- /dev/null
+From 0f8fde288fb955b5b98d3550d792d5641b73dc17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Jul 2021 21:38:29 +0800
+Subject: nvme-pci: don't WARN_ON in nvme_reset_work if ctrl.state is not
+ RESETTING
+
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+
+[ Upstream commit 7764656b108cd308c39e9a8554353b8f9ca232a3 ]
+
+Followling process:
+nvme_probe
+ nvme_reset_ctrl
+ nvme_change_ctrl_state(ctrl, NVME_CTRL_RESETTING)
+ queue_work(nvme_reset_wq, &ctrl->reset_work)
+
+--------------> nvme_remove
+ nvme_change_ctrl_state(&dev->ctrl, NVME_CTRL_DELETING)
+worker_thread
+ process_one_work
+ nvme_reset_work
+ WARN_ON(dev->ctrl.state != NVME_CTRL_RESETTING)
+
+, which will trigger WARN_ON in nvme_reset_work():
+[ 127.534298] WARNING: CPU: 0 PID: 139 at drivers/nvme/host/pci.c:2594
+[ 127.536161] CPU: 0 PID: 139 Comm: kworker/u8:7 Not tainted 5.13.0
+[ 127.552518] Call Trace:
+[ 127.552840] ? kvm_sched_clock_read+0x25/0x40
+[ 127.553936] ? native_send_call_func_single_ipi+0x1c/0x30
+[ 127.555117] ? send_call_function_single_ipi+0x9b/0x130
+[ 127.556263] ? __smp_call_single_queue+0x48/0x60
+[ 127.557278] ? ttwu_queue_wakelist+0xfa/0x1c0
+[ 127.558231] ? try_to_wake_up+0x265/0x9d0
+[ 127.559120] ? ext4_end_io_rsv_work+0x160/0x290
+[ 127.560118] process_one_work+0x28c/0x640
+[ 127.561002] worker_thread+0x39a/0x700
+[ 127.561833] ? rescuer_thread+0x580/0x580
+[ 127.562714] kthread+0x18c/0x1e0
+[ 127.563444] ? set_kthread_struct+0x70/0x70
+[ 127.564347] ret_from_fork+0x1f/0x30
+
+The preceding problem can be easily reproduced by executing following
+script (based on blktests suite):
+test() {
+ pdev="$(_get_pci_dev_from_blkdev)"
+ sysfs="/sys/bus/pci/devices/${pdev}"
+ for ((i = 0; i < 10; i++)); do
+ echo 1 > "$sysfs/remove"
+ echo 1 > /sys/bus/pci/rescan
+ done
+}
+
+Since the device ctrl could be updated as an non-RESETTING state by
+repeating probe/remove in userspace (which is a normal situation), we
+can replace stack dumping WARN_ON with a warnning message.
+
+Fixes: 82b057caefaff ("nvme-pci: fix multiple ctrl removal schedulin")
+Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index 8f1f10fa0dd6..d7cf3202cdd3 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -2273,7 +2273,9 @@ static void nvme_reset_work(struct work_struct *work)
+ int result;
+ enum nvme_ctrl_state new_state = NVME_CTRL_LIVE;
+
+- if (WARN_ON(dev->ctrl.state != NVME_CTRL_RESETTING)) {
++ if (dev->ctrl.state != NVME_CTRL_RESETTING) {
++ dev_warn(dev->ctrl.device, "ctrl state %d is not RESETTING\n",
++ dev->ctrl.state);
+ result = -ENODEV;
+ goto out;
+ }
+--
+2.30.2
+
--- /dev/null
+From 1c12dcd6715446aaa9cc565ae70c809a046bc5c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 18:07:11 +0200
+Subject: perf dso: Fix memory leak in dso__new_map()
+
+From: Riccardo Mancini <rickyman7@gmail.com>
+
+[ Upstream commit 581e295a0f6b5c2931d280259fbbfff56959faa9 ]
+
+ASan reports a memory leak when running:
+
+ # perf test "65: maps__merge_in".
+
+The causes of the leaks are two, this patch addresses only the first
+one, which is related to dso__new_map().
+
+The bug is that dso__new_map() creates a new dso but never decreases the
+refcount it gets from creating it.
+
+This patch adds the missing dso__put().
+
+Signed-off-by: Riccardo Mancini <rickyman7@gmail.com>
+Fixes: d3a7c489c7fd2463 ("perf tools: Reference count struct dso")
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lore.kernel.org/lkml/60bfe0cd06e89e2ca33646eb8468d7f5de2ee597.1626343282.git.rickyman7@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/dso.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/dso.c b/tools/perf/util/dso.c
+index 56f86317694d..1231f3181041 100644
+--- a/tools/perf/util/dso.c
++++ b/tools/perf/util/dso.c
+@@ -1025,8 +1025,10 @@ struct map *dso__new_map(const char *name)
+ struct map *map = NULL;
+ struct dso *dso = dso__new(name);
+
+- if (dso)
++ if (dso) {
+ map = map__new2(0, dso);
++ dso__put(dso);
++ }
+
+ return map;
+ }
+--
+2.30.2
+
--- /dev/null
+From 6244f544c63f5073db63f6debe21a4b881e88be4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 18:07:19 +0200
+Subject: perf lzma: Close lzma stream on exit
+
+From: Riccardo Mancini <rickyman7@gmail.com>
+
+[ Upstream commit f8cbb0f926ae1e1fb5f9e51614e5437560ed4039 ]
+
+ASan reports memory leaks when running:
+
+ # perf test "88: Check open filename arg using perf trace + vfs_getname"
+
+One of these is caused by the lzma stream never being closed inside
+lzma_decompress_to_file().
+
+This patch adds the missing lzma_end().
+
+Signed-off-by: Riccardo Mancini <rickyman7@gmail.com>
+Fixes: 80a32e5b498a7547 ("perf tools: Add lzma decompression support for kernel module")
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lore.kernel.org/lkml/aaf50bdce7afe996cfc06e1bbb36e4a2a9b9db93.1626343282.git.rickyman7@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/lzma.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/tools/perf/util/lzma.c b/tools/perf/util/lzma.c
+index b1dd29a9d915..6c844110fc25 100644
+--- a/tools/perf/util/lzma.c
++++ b/tools/perf/util/lzma.c
+@@ -68,7 +68,7 @@ int lzma_decompress_to_file(const char *input, int output_fd)
+
+ if (ferror(infile)) {
+ pr_err("lzma: read error: %s\n", strerror(errno));
+- goto err_fclose;
++ goto err_lzma_end;
+ }
+
+ if (feof(infile))
+@@ -82,7 +82,7 @@ int lzma_decompress_to_file(const char *input, int output_fd)
+
+ if (writen(output_fd, buf_out, write_size) != write_size) {
+ pr_err("lzma: write error: %s\n", strerror(errno));
+- goto err_fclose;
++ goto err_lzma_end;
+ }
+
+ strm.next_out = buf_out;
+@@ -94,11 +94,13 @@ int lzma_decompress_to_file(const char *input, int output_fd)
+ break;
+
+ pr_err("lzma: failed %s\n", lzma_strerror(ret));
+- goto err_fclose;
++ goto err_lzma_end;
+ }
+ }
+
+ err = 0;
++err_lzma_end:
++ lzma_end(&strm);
+ err_fclose:
+ fclose(infile);
+ return err;
+--
+2.30.2
+
--- /dev/null
+From 1fb1e147340bfc55d4ad273d65aaabf0061a4057 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 18:07:06 +0200
+Subject: perf map: Fix dso->nsinfo refcounting
+
+From: Riccardo Mancini <rickyman7@gmail.com>
+
+[ Upstream commit 2d6b74baa7147251c30a46c4996e8cc224aa2dc5 ]
+
+ASan reports a memory leak of nsinfo during the execution of
+
+ # perf test "31: Lookup mmap thread"
+
+The leak is caused by a refcounted variable being replaced without
+dropping the refcount.
+
+This patch makes sure that the refcnt of nsinfo is decreased whenever a
+refcounted variable is replaced with a new value.
+
+Signed-off-by: Riccardo Mancini <rickyman7@gmail.com>
+Fixes: bf2e710b3cb8445c ("perf maps: Lookup maps in both intitial mountns and inner mountns.")
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Krister Johansen <kjlx@templeofstupid.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lore.kernel.org/lkml/55223bc8821b34ccb01f92ef1401c02b6a32e61f.1626343282.git.rickyman7@gmail.com
+[ Split from a larger patch ]
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/map.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/perf/util/map.c b/tools/perf/util/map.c
+index 769d11575a7b..603086692290 100644
+--- a/tools/perf/util/map.c
++++ b/tools/perf/util/map.c
+@@ -209,6 +209,8 @@ struct map *map__new(struct machine *machine, u64 start, u64 len,
+ if (!(prot & PROT_EXEC))
+ dso__set_loaded(dso);
+ }
++
++ nsinfo__put(dso->nsinfo);
+ dso->nsinfo = nsi;
+ dso__put(dso);
+ }
+--
+2.30.2
+
--- /dev/null
+From 007a4796bdf2e8b726af4adf059d8cfccdc6c502 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 18:07:25 +0200
+Subject: perf probe-file: Delete namelist in del_events() on the error path
+
+From: Riccardo Mancini <rickyman7@gmail.com>
+
+[ Upstream commit e0fa7ab42232e742dcb3de9f3c1f6127b5adc019 ]
+
+ASan reports some memory leaks when running:
+
+ # perf test "42: BPF filter"
+
+This second leak is caused by a strlist not being dellocated on error
+inside probe_file__del_events.
+
+This patch adds a goto label before the deallocation and makes the error
+path jump to it.
+
+Signed-off-by: Riccardo Mancini <rickyman7@gmail.com>
+Fixes: e7895e422e4da63d ("perf probe: Split del_perf_probe_events()")
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lore.kernel.org/lkml/174963c587ae77fa108af794669998e4ae558338.1626343282.git.rickyman7@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/probe-file.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/util/probe-file.c b/tools/perf/util/probe-file.c
+index 6a6548890d5a..b67ae3b8d996 100644
+--- a/tools/perf/util/probe-file.c
++++ b/tools/perf/util/probe-file.c
+@@ -342,11 +342,11 @@ int probe_file__del_events(int fd, struct strfilter *filter)
+
+ ret = probe_file__get_events(fd, filter, namelist);
+ if (ret < 0)
+- return ret;
++ goto out;
+
+ ret = probe_file__del_strlist(fd, namelist);
++out:
+ strlist__delete(namelist);
+-
+ return ret;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 6c6242b07f507b3f5444f8e95b3b931d1221afb7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 18:07:06 +0200
+Subject: perf probe: Fix dso->nsinfo refcounting
+
+From: Riccardo Mancini <rickyman7@gmail.com>
+
+[ Upstream commit dedeb4be203b382ba7245d13079bc3b0f6d40c65 ]
+
+ASan reports a memory leak of nsinfo during the execution of:
+
+ # perf test "31: Lookup mmap thread".
+
+The leak is caused by a refcounted variable being replaced without
+dropping the refcount.
+
+This patch makes sure that the refcnt of nsinfo is decreased whenever
+a refcounted variable is replaced with a new value.
+
+Signed-off-by: Riccardo Mancini <rickyman7@gmail.com>
+Fixes: 544abd44c7064c8a ("perf probe: Allow placing uprobes in alternate namespaces.")
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Krister Johansen <kjlx@templeofstupid.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lore.kernel.org/lkml/55223bc8821b34ccb01f92ef1401c02b6a32e61f.1626343282.git.rickyman7@gmail.com
+[ Split from a larger patch ]
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/probe-event.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/probe-event.c b/tools/perf/util/probe-event.c
+index 4ac3c89bfac8..633fa5425fd9 100644
+--- a/tools/perf/util/probe-event.c
++++ b/tools/perf/util/probe-event.c
+@@ -184,8 +184,10 @@ struct map *get_target_map(const char *target, struct nsinfo *nsi, bool user)
+ struct map *map;
+
+ map = dso__new_map(target);
+- if (map && map->dso)
++ if (map && map->dso) {
++ nsinfo__put(map->dso->nsinfo);
+ map->dso->nsinfo = nsinfo__get(nsi);
++ }
+ return map;
+ } else {
+ return kernel_get_module_map(target);
+--
+2.30.2
+
--- /dev/null
+From 7acf0058cce8d835d61faa2be62da52e43fed751 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 18:07:18 +0200
+Subject: perf script: Fix memory 'threads' and 'cpus' leaks on exit
+
+From: Riccardo Mancini <rickyman7@gmail.com>
+
+[ Upstream commit faf3ac305d61341c74e5cdd9e41daecce7f67bfe ]
+
+ASan reports several memory leaks while running:
+
+ # perf test "82: Use vfs_getname probe to get syscall args filenames"
+
+Two of these are caused by some refcounts not being decreased on
+perf-script exit, namely script.threads and script.cpus.
+
+This patch adds the missing __put calls in a new perf_script__exit
+function, which is called at the end of cmd_script.
+
+This patch concludes the fixes of all remaining memory leaks in perf
+test "82: Use vfs_getname probe to get syscall args filenames".
+
+Signed-off-by: Riccardo Mancini <rickyman7@gmail.com>
+Fixes: cfc8874a48599249 ("perf script: Process cpu/threads maps")
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lore.kernel.org/lkml/5ee73b19791c6fa9d24c4d57f4ac1a23609400d7.1626343282.git.rickyman7@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-script.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/tools/perf/builtin-script.c b/tools/perf/builtin-script.c
+index 1200973c77cb..5f369d4b08f7 100644
+--- a/tools/perf/builtin-script.c
++++ b/tools/perf/builtin-script.c
+@@ -2207,6 +2207,12 @@ static void perf_script__exit_per_event_dump_stats(struct perf_script *script)
+ }
+ }
+
++static void perf_script__exit(struct perf_script *script)
++{
++ perf_thread_map__put(script->threads);
++ perf_cpu_map__put(script->cpus);
++}
++
+ static int __cmd_script(struct perf_script *script)
+ {
+ int ret;
+@@ -3534,6 +3540,7 @@ out_delete:
+
+ perf_evlist__free_stats(session->evlist);
+ perf_session__delete(session);
++ perf_script__exit(&script);
+
+ if (script_started)
+ cleanup_scripting();
+--
+2.30.2
+
--- /dev/null
+From 05dc5096c61999a8815260420879a6124e3e1457 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 18:07:24 +0200
+Subject: perf test bpf: Free obj_buf
+
+From: Riccardo Mancini <rickyman7@gmail.com>
+
+[ Upstream commit 937654ce497fb6e977a8c52baee5f7d9616302d9 ]
+
+ASan reports some memory leaks when running:
+
+ # perf test "42: BPF filter"
+
+The first of these leaks is caused by obj_buf never being deallocated in
+__test__bpf.
+
+This patch adds the missing free.
+
+Signed-off-by: Riccardo Mancini <rickyman7@gmail.com>
+Fixes: ba1fae431e74bb42 ("perf test: Add 'perf test BPF'")
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Wang Nan <wangnan0@huawei.com>
+Link: http://lore.kernel.org/lkml/60f3ca935fe6672e7e866276ce6264c9e26e4c87.1626343282.git.rickyman7@gmail.com
+[ Added missing stdlib.h include ]
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/tests/bpf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/perf/tests/bpf.c b/tools/perf/tests/bpf.c
+index 79b54f8ddebf..df478f67b6b6 100644
+--- a/tools/perf/tests/bpf.c
++++ b/tools/perf/tests/bpf.c
+@@ -1,5 +1,6 @@
+ #include <errno.h>
+ #include <stdio.h>
++#include <stdlib.h>
+ #include <sys/epoll.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
+@@ -277,6 +278,7 @@ static int __test__bpf(int idx)
+ }
+
+ out:
++ free(obj_buf);
+ bpf__clear();
+ return ret;
+ }
+--
+2.30.2
+
--- /dev/null
+From 6df97b58f5d003c3451f5531e650fb73dc11971a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 18:07:08 +0200
+Subject: perf test session_topology: Delete session->evlist
+
+From: Riccardo Mancini <rickyman7@gmail.com>
+
+[ Upstream commit 233f2dc1c284337286f9a64c0152236779a42f6c ]
+
+ASan reports a memory leak related to session->evlist while running:
+
+ # perf test "41: Session topology".
+
+When perf_data is in write mode, session->evlist is owned by the caller,
+which should also take care of deleting it.
+
+This patch adds the missing evlist__delete().
+
+Signed-off-by: Riccardo Mancini <rickyman7@gmail.com>
+Fixes: c84974ed9fb67293 ("perf test: Add entry to test cpu topology")
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Kan Liang <kan.liang@intel.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lore.kernel.org/lkml/822f741f06eb25250fb60686cf30a35f447e9e91.1626343282.git.rickyman7@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/tests/topology.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/perf/tests/topology.c b/tools/perf/tests/topology.c
+index 9497d02f69e6..bed53ed82af7 100644
+--- a/tools/perf/tests/topology.c
++++ b/tools/perf/tests/topology.c
+@@ -52,6 +52,7 @@ static int session_write_header(char *path)
+ TEST_ASSERT_VAL("failed to write header",
+ !perf_session__write_header(session, session->evlist, data.file.fd, true));
+
++ evlist__delete(session->evlist);
+ perf_session__delete(session);
+
+ return 0;
+--
+2.30.2
+
--- /dev/null
+From b996b1b8420756280eaa8501cfffbdc525aa7ce4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Jun 2021 18:54:38 -0700
+Subject: proc: Avoid mixing integer types in mem_rw()
+
+From: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
+
+[ Upstream commit d238692b4b9f2c36e35af4c6e6f6da36184aeb3e ]
+
+Use size_t when capping the count argument received by mem_rw(). Since
+count is size_t, using min_t(int, ...) can lead to a negative value
+that will later be passed to access_remote_vm(), which can cause
+unexpected behavior.
+
+Since we are capping the value to at maximum PAGE_SIZE, the conversion
+from size_t to int when passing it to access_remote_vm() as "len"
+shouldn't be a problem.
+
+Link: https://lkml.kernel.org/r/20210512125215.3348316-1-marcelo.cerri@canonical.com
+Reviewed-by: David Disseldorp <ddiss@suse.de>
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: Souza Cascardo <cascardo@canonical.com>
+Cc: Christian Brauner <christian.brauner@ubuntu.com>
+Cc: Michel Lespinasse <walken@google.com>
+Cc: Helge Deller <deller@gmx.de>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Lorenzo Stoakes <lstoakes@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/proc/base.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/proc/base.c b/fs/proc/base.c
+index 317a0762fc5f..e3f10c110b74 100644
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -835,7 +835,7 @@ static ssize_t mem_rw(struct file *file, char __user *buf,
+ flags = FOLL_FORCE | (write ? FOLL_WRITE : 0);
+
+ while (count > 0) {
+- int this_len = min_t(int, count, PAGE_SIZE);
++ size_t this_len = min_t(size_t, count, PAGE_SIZE);
+
+ if (write && copy_from_user(page, buf, this_len)) {
+ copied = -EFAULT;
+--
+2.30.2
+
--- /dev/null
+From 8b7487b4b0a561596f4e269c5ee708b91f34a2ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jul 2021 11:25:16 +0200
+Subject: Revert "USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE
+ modem"
+
+From: Vincent Palatin <vpalatin@chromium.org>
+
+[ Upstream commit f3a1a937f7b240be623d989c8553a6d01465d04f ]
+
+This reverts commit 0bd860493f81eb2a46173f6f5e44cc38331c8dbd.
+
+While the patch was working as stated,ie preventing the L850-GL LTE modem
+from crashing on some U3 wake-ups due to a race condition between the
+host wake-up and the modem-side wake-up, when using the MBIM interface,
+this would force disabling the USB runtime PM on the device.
+
+The increased power consumption is significant for LTE laptops,
+and given that with decently recent modem firmwares, when the modem hits
+the bug, it automatically recovers (ie it drops from the bus, but
+automatically re-enumerates after less than half a second, rather than being
+stuck until a power cycle as it was doing with ancient firmware), for
+most people, the trade-off now seems in favor of re-enabling it by
+default.
+
+For people with access to the platform code, the bug can also be worked-around
+successfully by changing the USB3 LFPM polling off-time for the XHCI
+controller in the BIOS code.
+
+Signed-off-by: Vincent Palatin <vpalatin@chromium.org>
+Link: https://lore.kernel.org/r/20210721092516.2775971-1-vpalatin@chromium.org
+Fixes: 0bd860493f81 ("USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE modem")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/core/quirks.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c
+index f6a6c54cba35..d97544fd339b 100644
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -502,10 +502,6 @@ static const struct usb_device_id usb_quirk_list[] = {
+ /* DJI CineSSD */
+ { USB_DEVICE(0x2ca3, 0x0031), .driver_info = USB_QUIRK_NO_LPM },
+
+- /* Fibocom L850-GL LTE Modem */
+- { USB_DEVICE(0x2cb7, 0x0007), .driver_info =
+- USB_QUIRK_IGNORE_REMOTE_WAKEUP },
+-
+ /* INTEL VALUE SSD */
+ { USB_DEVICE(0x8086, 0xf1a5), .driver_info = USB_QUIRK_RESET_RESUME },
+
+--
+2.30.2
+
--- /dev/null
+From 30e18b4fb29739e154448a4e754e2bb4184861d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 13:57:12 +0100
+Subject: s390/bpf: Perform r1 range checking before accessing
+ jit->seen_reg[r1]
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 91091656252f5d6d8c476e0c92776ce9fae7b445 ]
+
+Currently array jit->seen_reg[r1] is being accessed before the range
+checking of index r1. The range changing on r1 should be performed
+first since it will avoid any potential out-of-range accesses on the
+array seen_reg[] and also it is more optimal to perform checks on r1
+before fetching data from the array. Fix this by swapping the order
+of the checks before the array access.
+
+Fixes: 054623105728 ("s390/bpf: Add s390x eBPF JIT compiler backend")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Link: https://lore.kernel.org/bpf/20210715125712.24690-1-colin.king@canonical.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/net/bpf_jit_comp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c
+index 2617e426c792..e42354b15e0b 100644
+--- a/arch/s390/net/bpf_jit_comp.c
++++ b/arch/s390/net/bpf_jit_comp.c
+@@ -113,7 +113,7 @@ static inline void reg_set_seen(struct bpf_jit *jit, u32 b1)
+ {
+ u32 r1 = reg2hex[b1];
+
+- if (!jit->seen_reg[r1] && r1 >= 6 && r1 <= 15)
++ if (r1 >= 6 && r1 <= 15 && !jit->seen_reg[r1])
+ jit->seen_reg[r1] = 1;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 8266ddf25b4291ba130967a88a04304f4d06a0a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Jun 2021 19:25:59 -0500
+Subject: scsi: iscsi: Fix iface sysfs attr detection
+
+From: Mike Christie <michael.christie@oracle.com>
+
+[ Upstream commit e746f3451ec7f91dcc9fd67a631239c715850a34 ]
+
+A ISCSI_IFACE_PARAM can have the same value as a ISCSI_NET_PARAM so when
+iscsi_iface_attr_is_visible tries to figure out the type by just checking
+the value, we can collide and return the wrong type. When we call into the
+driver we might not match and return that we don't want attr visible in
+sysfs. The patch fixes this by setting the type when we figure out what the
+param is.
+
+Link: https://lore.kernel.org/r/20210701002559.89533-1-michael.christie@oracle.com
+Fixes: 3e0f65b34cc9 ("[SCSI] iscsi_transport: Additional parameters for network settings")
+Signed-off-by: Mike Christie <michael.christie@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi_transport_iscsi.c | 90 +++++++++++------------------
+ 1 file changed, 34 insertions(+), 56 deletions(-)
+
+diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
+index 2aaa5a2bd613..20e69052161e 100644
+--- a/drivers/scsi/scsi_transport_iscsi.c
++++ b/drivers/scsi/scsi_transport_iscsi.c
+@@ -427,39 +427,10 @@ static umode_t iscsi_iface_attr_is_visible(struct kobject *kobj,
+ struct device *dev = container_of(kobj, struct device, kobj);
+ struct iscsi_iface *iface = iscsi_dev_to_iface(dev);
+ struct iscsi_transport *t = iface->transport;
+- int param;
+- int param_type;
++ int param = -1;
+
+ if (attr == &dev_attr_iface_enabled.attr)
+ param = ISCSI_NET_PARAM_IFACE_ENABLE;
+- else if (attr == &dev_attr_iface_vlan_id.attr)
+- param = ISCSI_NET_PARAM_VLAN_ID;
+- else if (attr == &dev_attr_iface_vlan_priority.attr)
+- param = ISCSI_NET_PARAM_VLAN_PRIORITY;
+- else if (attr == &dev_attr_iface_vlan_enabled.attr)
+- param = ISCSI_NET_PARAM_VLAN_ENABLED;
+- else if (attr == &dev_attr_iface_mtu.attr)
+- param = ISCSI_NET_PARAM_MTU;
+- else if (attr == &dev_attr_iface_port.attr)
+- param = ISCSI_NET_PARAM_PORT;
+- else if (attr == &dev_attr_iface_ipaddress_state.attr)
+- param = ISCSI_NET_PARAM_IPADDR_STATE;
+- else if (attr == &dev_attr_iface_delayed_ack_en.attr)
+- param = ISCSI_NET_PARAM_DELAYED_ACK_EN;
+- else if (attr == &dev_attr_iface_tcp_nagle_disable.attr)
+- param = ISCSI_NET_PARAM_TCP_NAGLE_DISABLE;
+- else if (attr == &dev_attr_iface_tcp_wsf_disable.attr)
+- param = ISCSI_NET_PARAM_TCP_WSF_DISABLE;
+- else if (attr == &dev_attr_iface_tcp_wsf.attr)
+- param = ISCSI_NET_PARAM_TCP_WSF;
+- else if (attr == &dev_attr_iface_tcp_timer_scale.attr)
+- param = ISCSI_NET_PARAM_TCP_TIMER_SCALE;
+- else if (attr == &dev_attr_iface_tcp_timestamp_en.attr)
+- param = ISCSI_NET_PARAM_TCP_TIMESTAMP_EN;
+- else if (attr == &dev_attr_iface_cache_id.attr)
+- param = ISCSI_NET_PARAM_CACHE_ID;
+- else if (attr == &dev_attr_iface_redirect_en.attr)
+- param = ISCSI_NET_PARAM_REDIRECT_EN;
+ else if (attr == &dev_attr_iface_def_taskmgmt_tmo.attr)
+ param = ISCSI_IFACE_PARAM_DEF_TASKMGMT_TMO;
+ else if (attr == &dev_attr_iface_header_digest.attr)
+@@ -496,6 +467,38 @@ static umode_t iscsi_iface_attr_is_visible(struct kobject *kobj,
+ param = ISCSI_IFACE_PARAM_STRICT_LOGIN_COMP_EN;
+ else if (attr == &dev_attr_iface_initiator_name.attr)
+ param = ISCSI_IFACE_PARAM_INITIATOR_NAME;
++
++ if (param != -1)
++ return t->attr_is_visible(ISCSI_IFACE_PARAM, param);
++
++ if (attr == &dev_attr_iface_vlan_id.attr)
++ param = ISCSI_NET_PARAM_VLAN_ID;
++ else if (attr == &dev_attr_iface_vlan_priority.attr)
++ param = ISCSI_NET_PARAM_VLAN_PRIORITY;
++ else if (attr == &dev_attr_iface_vlan_enabled.attr)
++ param = ISCSI_NET_PARAM_VLAN_ENABLED;
++ else if (attr == &dev_attr_iface_mtu.attr)
++ param = ISCSI_NET_PARAM_MTU;
++ else if (attr == &dev_attr_iface_port.attr)
++ param = ISCSI_NET_PARAM_PORT;
++ else if (attr == &dev_attr_iface_ipaddress_state.attr)
++ param = ISCSI_NET_PARAM_IPADDR_STATE;
++ else if (attr == &dev_attr_iface_delayed_ack_en.attr)
++ param = ISCSI_NET_PARAM_DELAYED_ACK_EN;
++ else if (attr == &dev_attr_iface_tcp_nagle_disable.attr)
++ param = ISCSI_NET_PARAM_TCP_NAGLE_DISABLE;
++ else if (attr == &dev_attr_iface_tcp_wsf_disable.attr)
++ param = ISCSI_NET_PARAM_TCP_WSF_DISABLE;
++ else if (attr == &dev_attr_iface_tcp_wsf.attr)
++ param = ISCSI_NET_PARAM_TCP_WSF;
++ else if (attr == &dev_attr_iface_tcp_timer_scale.attr)
++ param = ISCSI_NET_PARAM_TCP_TIMER_SCALE;
++ else if (attr == &dev_attr_iface_tcp_timestamp_en.attr)
++ param = ISCSI_NET_PARAM_TCP_TIMESTAMP_EN;
++ else if (attr == &dev_attr_iface_cache_id.attr)
++ param = ISCSI_NET_PARAM_CACHE_ID;
++ else if (attr == &dev_attr_iface_redirect_en.attr)
++ param = ISCSI_NET_PARAM_REDIRECT_EN;
+ else if (iface->iface_type == ISCSI_IFACE_TYPE_IPV4) {
+ if (attr == &dev_attr_ipv4_iface_ipaddress.attr)
+ param = ISCSI_NET_PARAM_IPV4_ADDR;
+@@ -586,32 +589,7 @@ static umode_t iscsi_iface_attr_is_visible(struct kobject *kobj,
+ return 0;
+ }
+
+- switch (param) {
+- case ISCSI_IFACE_PARAM_DEF_TASKMGMT_TMO:
+- case ISCSI_IFACE_PARAM_HDRDGST_EN:
+- case ISCSI_IFACE_PARAM_DATADGST_EN:
+- case ISCSI_IFACE_PARAM_IMM_DATA_EN:
+- case ISCSI_IFACE_PARAM_INITIAL_R2T_EN:
+- case ISCSI_IFACE_PARAM_DATASEQ_INORDER_EN:
+- case ISCSI_IFACE_PARAM_PDU_INORDER_EN:
+- case ISCSI_IFACE_PARAM_ERL:
+- case ISCSI_IFACE_PARAM_MAX_RECV_DLENGTH:
+- case ISCSI_IFACE_PARAM_FIRST_BURST:
+- case ISCSI_IFACE_PARAM_MAX_R2T:
+- case ISCSI_IFACE_PARAM_MAX_BURST:
+- case ISCSI_IFACE_PARAM_CHAP_AUTH_EN:
+- case ISCSI_IFACE_PARAM_BIDI_CHAP_EN:
+- case ISCSI_IFACE_PARAM_DISCOVERY_AUTH_OPTIONAL:
+- case ISCSI_IFACE_PARAM_DISCOVERY_LOGOUT_EN:
+- case ISCSI_IFACE_PARAM_STRICT_LOGIN_COMP_EN:
+- case ISCSI_IFACE_PARAM_INITIATOR_NAME:
+- param_type = ISCSI_IFACE_PARAM;
+- break;
+- default:
+- param_type = ISCSI_NET_PARAM;
+- }
+-
+- return t->attr_is_visible(param_type, param);
++ return t->attr_is_visible(ISCSI_NET_PARAM, param);
+ }
+
+ static struct attribute *iscsi_iface_attrs[] = {
+--
+2.30.2
+
--- /dev/null
+From 9f53d40b1c9cdb7e67dba1f99d285dc9f90578bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Jul 2021 12:16:55 +0300
+Subject: scsi: target: Fix protect handling in WRITE SAME(32)
+
+From: Dmitry Bogdanov <d.bogdanov@yadro.com>
+
+[ Upstream commit 6d8e7e7c932162bccd06872362751b0e1d76f5af ]
+
+WRITE SAME(32) command handling reads WRPROTECT at the wrong offset in 1st
+byte instead of 10th byte.
+
+Link: https://lore.kernel.org/r/20210702091655.22818-1-d.bogdanov@yadro.com
+Fixes: afd73f1b60fc ("target: Perform PROTECT sanity checks for WRITE_SAME")
+Signed-off-by: Dmitry Bogdanov <d.bogdanov@yadro.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/target_core_sbc.c | 35 ++++++++++++++++----------------
+ 1 file changed, 17 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/target/target_core_sbc.c b/drivers/target/target_core_sbc.c
+index ebac2b49b9c6..af9b038da3ba 100644
+--- a/drivers/target/target_core_sbc.c
++++ b/drivers/target/target_core_sbc.c
+@@ -38,7 +38,7 @@
+ #include "target_core_alua.h"
+
+ static sense_reason_t
+-sbc_check_prot(struct se_device *, struct se_cmd *, unsigned char *, u32, bool);
++sbc_check_prot(struct se_device *, struct se_cmd *, unsigned char, u32, bool);
+ static sense_reason_t sbc_execute_unmap(struct se_cmd *cmd);
+
+ static sense_reason_t
+@@ -292,14 +292,14 @@ static inline unsigned long long transport_lba_64_ext(unsigned char *cdb)
+ }
+
+ static sense_reason_t
+-sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *ops)
++sbc_setup_write_same(struct se_cmd *cmd, unsigned char flags, struct sbc_ops *ops)
+ {
+ struct se_device *dev = cmd->se_dev;
+ sector_t end_lba = dev->transport->get_blocks(dev) + 1;
+ unsigned int sectors = sbc_get_write_same_sectors(cmd);
+ sense_reason_t ret;
+
+- if ((flags[0] & 0x04) || (flags[0] & 0x02)) {
++ if ((flags & 0x04) || (flags & 0x02)) {
+ pr_err("WRITE_SAME PBDATA and LBDATA"
+ " bits not supported for Block Discard"
+ " Emulation\n");
+@@ -321,7 +321,7 @@ sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *o
+ }
+
+ /* We always have ANC_SUP == 0 so setting ANCHOR is always an error */
+- if (flags[0] & 0x10) {
++ if (flags & 0x10) {
+ pr_warn("WRITE SAME with ANCHOR not supported\n");
+ return TCM_INVALID_CDB_FIELD;
+ }
+@@ -329,7 +329,7 @@ sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *o
+ * Special case for WRITE_SAME w/ UNMAP=1 that ends up getting
+ * translated into block discard requests within backend code.
+ */
+- if (flags[0] & 0x08) {
++ if (flags & 0x08) {
+ if (!ops->execute_unmap)
+ return TCM_UNSUPPORTED_SCSI_OPCODE;
+
+@@ -344,7 +344,7 @@ sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *o
+ if (!ops->execute_write_same)
+ return TCM_UNSUPPORTED_SCSI_OPCODE;
+
+- ret = sbc_check_prot(dev, cmd, &cmd->t_task_cdb[0], sectors, true);
++ ret = sbc_check_prot(dev, cmd, flags >> 5, sectors, true);
+ if (ret)
+ return ret;
+
+@@ -702,10 +702,9 @@ sbc_set_prot_op_checks(u8 protect, bool fabric_prot, enum target_prot_type prot_
+ }
+
+ static sense_reason_t
+-sbc_check_prot(struct se_device *dev, struct se_cmd *cmd, unsigned char *cdb,
++sbc_check_prot(struct se_device *dev, struct se_cmd *cmd, unsigned char protect,
+ u32 sectors, bool is_write)
+ {
+- u8 protect = cdb[1] >> 5;
+ int sp_ops = cmd->se_sess->sup_prot_ops;
+ int pi_prot_type = dev->dev_attrib.pi_prot_type;
+ bool fabric_prot = false;
+@@ -753,7 +752,7 @@ sbc_check_prot(struct se_device *dev, struct se_cmd *cmd, unsigned char *cdb,
+ /* Fallthrough */
+ default:
+ pr_err("Unable to determine pi_prot_type for CDB: 0x%02x "
+- "PROTECT: 0x%02x\n", cdb[0], protect);
++ "PROTECT: 0x%02x\n", cmd->t_task_cdb[0], protect);
+ return TCM_INVALID_CDB_FIELD;
+ }
+
+@@ -828,7 +827,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
+ if (sbc_check_dpofua(dev, cmd, cdb))
+ return TCM_INVALID_CDB_FIELD;
+
+- ret = sbc_check_prot(dev, cmd, cdb, sectors, false);
++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, false);
+ if (ret)
+ return ret;
+
+@@ -842,7 +841,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
+ if (sbc_check_dpofua(dev, cmd, cdb))
+ return TCM_INVALID_CDB_FIELD;
+
+- ret = sbc_check_prot(dev, cmd, cdb, sectors, false);
++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, false);
+ if (ret)
+ return ret;
+
+@@ -856,7 +855,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
+ if (sbc_check_dpofua(dev, cmd, cdb))
+ return TCM_INVALID_CDB_FIELD;
+
+- ret = sbc_check_prot(dev, cmd, cdb, sectors, false);
++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, false);
+ if (ret)
+ return ret;
+
+@@ -877,7 +876,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
+ if (sbc_check_dpofua(dev, cmd, cdb))
+ return TCM_INVALID_CDB_FIELD;
+
+- ret = sbc_check_prot(dev, cmd, cdb, sectors, true);
++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, true);
+ if (ret)
+ return ret;
+
+@@ -891,7 +890,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
+ if (sbc_check_dpofua(dev, cmd, cdb))
+ return TCM_INVALID_CDB_FIELD;
+
+- ret = sbc_check_prot(dev, cmd, cdb, sectors, true);
++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, true);
+ if (ret)
+ return ret;
+
+@@ -906,7 +905,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
+ if (sbc_check_dpofua(dev, cmd, cdb))
+ return TCM_INVALID_CDB_FIELD;
+
+- ret = sbc_check_prot(dev, cmd, cdb, sectors, true);
++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, true);
+ if (ret)
+ return ret;
+
+@@ -965,7 +964,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
+ size = sbc_get_size(cmd, 1);
+ cmd->t_task_lba = get_unaligned_be64(&cdb[12]);
+
+- ret = sbc_setup_write_same(cmd, &cdb[10], ops);
++ ret = sbc_setup_write_same(cmd, cdb[10], ops);
+ if (ret)
+ return ret;
+ break;
+@@ -1064,7 +1063,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
+ size = sbc_get_size(cmd, 1);
+ cmd->t_task_lba = get_unaligned_be64(&cdb[2]);
+
+- ret = sbc_setup_write_same(cmd, &cdb[1], ops);
++ ret = sbc_setup_write_same(cmd, cdb[1], ops);
+ if (ret)
+ return ret;
+ break;
+@@ -1082,7 +1081,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
+ * Follow sbcr26 with WRITE_SAME (10) and check for the existence
+ * of byte 1 bit 3 UNMAP instead of original reserved field
+ */
+- ret = sbc_setup_write_same(cmd, &cdb[1], ops);
++ ret = sbc_setup_write_same(cmd, cdb[1], ops);
+ if (ret)
+ return ret;
+ break;
+--
+2.30.2
+
--- /dev/null
+From ac9addef1d7f7594ee48f5926ee11ab7f8554dc0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Jul 2021 16:07:01 -0400
+Subject: sctp: update active_key for asoc when old key is being replaced
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 58acd10092268831e49de279446c314727101292 ]
+
+syzbot reported a call trace:
+
+ BUG: KASAN: use-after-free in sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112
+ Call Trace:
+ sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112
+ sctp_set_owner_w net/sctp/socket.c:131 [inline]
+ sctp_sendmsg_to_asoc+0x152e/0x2180 net/sctp/socket.c:1865
+ sctp_sendmsg+0x103b/0x1d30 net/sctp/socket.c:2027
+ inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:821
+ sock_sendmsg_nosec net/socket.c:703 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:723
+
+This is an use-after-free issue caused by not updating asoc->shkey after
+it was replaced in the key list asoc->endpoint_shared_keys, and the old
+key was freed.
+
+This patch is to fix by also updating active_key for asoc when old key is
+being replaced with a new one. Note that this issue doesn't exist in
+sctp_auth_del_key_id(), as it's not allowed to delete the active_key
+from the asoc.
+
+Fixes: 1b1e0bc99474 ("sctp: add refcnt support for sh_key")
+Reported-by: syzbot+b774577370208727d12b@syzkaller.appspotmail.com
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/auth.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/sctp/auth.c b/net/sctp/auth.c
+index 2bd8c80bd85f..b2ca66c4a21d 100644
+--- a/net/sctp/auth.c
++++ b/net/sctp/auth.c
+@@ -883,6 +883,8 @@ int sctp_auth_set_key(struct sctp_endpoint *ep,
+ if (replace) {
+ list_del_init(&shkey->key_list);
+ sctp_auth_shkey_release(shkey);
++ if (asoc && asoc->active_key_id == auth_key->sca_keynumber)
++ sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL);
+ }
+ list_add(&cur_key->key_list, sh_keys);
+
+--
+2.30.2
+
bpftool-properly-close-va_list-ap-by-va_end-on-error.patch
udp-annotate-data-races-around-unix_sk-sk-gso_size.patch
net-ip_tunnel-fix-mtu-calculation-for-ether-tunnel-devices.patch
+igb-fix-use-after-free-error-during-reset.patch
+ixgbe-fix-an-error-handling-path-in-ixgbe_probe.patch
+igb-fix-an-error-handling-path-in-igb_probe.patch
+fm10k-fix-an-error-handling-path-in-fm10k_probe.patch
+e1000e-fix-an-error-handling-path-in-e1000_probe.patch
+iavf-fix-an-error-handling-path-in-iavf_probe.patch
+igb-check-if-num-of-q_vectors-is-smaller-than-max-be.patch
+igb-fix-position-of-assignment-to-ring.patch
+ipv6-fix-disable_policy-for-fwd-packets.patch
+nvme-pci-do-not-call-nvme_dev_remove_admin-from-nvme.patch
+perf-map-fix-dso-nsinfo-refcounting.patch
+perf-probe-fix-dso-nsinfo-refcounting.patch
+perf-test-session_topology-delete-session-evlist.patch
+perf-dso-fix-memory-leak-in-dso__new_map.patch
+perf-script-fix-memory-threads-and-cpus-leaks-on-exi.patch
+perf-lzma-close-lzma-stream-on-exit.patch
+perf-test-bpf-free-obj_buf.patch
+perf-probe-file-delete-namelist-in-del_events-on-the.patch
+spi-mediatek-fix-fifo-rx-mode.patch
+liquidio-fix-unintentional-sign-extension-issue-on-l.patch
+s390-bpf-perform-r1-range-checking-before-accessing-.patch
+bpftool-check-malloc-return-value-in-mount_bpffs_for.patch
+net-fix-uninit-value-in-caif_seqpkt_sendmsg.patch
+net-decnet-fix-sleeping-inside-in-af_decnet.patch
+kvm-ppc-fix-kvm_arch_vcpu_ioctl-vcpu_load-leak.patch
+netrom-decrease-sock-refcount-when-sock-timers-expir.patch
+scsi-iscsi-fix-iface-sysfs-attr-detection.patch
+scsi-target-fix-protect-handling-in-write-same-32.patch
+spi-cadence-correct-initialisation-of-runtime-pm-aga.patch
+net-tcp_fastopen-fix-data-races-around-tfo_active_di.patch
+net-sched-act_skbmod-skip-non-ethernet-packets.patch
+nvme-pci-don-t-warn_on-in-nvme_reset_work-if-ctrl.st.patch
+revert-usb-quirks-ignore-remote-wake-up-on-fibocom-l.patch
+sctp-update-active_key-for-asoc-when-old-key-is-bein.patch
+net-sched-cls_api-fix-the-the-wrong-parameter.patch
+drm-panel-raspberrypi-touchscreen-prevent-double-fre.patch
+proc-avoid-mixing-integer-types-in-mem_rw.patch
--- /dev/null
+From eb6077f9255d36cc88818158311b1434914367df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jul 2021 20:21:33 +0200
+Subject: spi: cadence: Correct initialisation of runtime PM again
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit 56912da7a68c8356df6a6740476237441b0b792a ]
+
+The original implementation of RPM handling in probe() was mostly
+correct, except it failed to call pm_runtime_get_*() to activate the
+hardware. The subsequent fix, 734882a8bf98 ("spi: cadence: Correct
+initialisation of runtime PM"), breaks the implementation further,
+to the point where the system using this hard IP on ZynqMP hangs on
+boot, because it accesses hardware which is gated off.
+
+Undo 734882a8bf98 ("spi: cadence: Correct initialisation of runtime
+PM") and instead add missing pm_runtime_get_noresume() and move the
+RPM disabling all the way to the end of probe(). That makes ZynqMP
+not hang on boot yet again.
+
+Fixes: 734882a8bf98 ("spi: cadence: Correct initialisation of runtime PM")
+Signed-off-by: Marek Vasut <marex@denx.de>
+Cc: Charles Keepax <ckeepax@opensource.cirrus.com>
+Cc: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20210716182133.218640-1-marex@denx.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-cadence.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/spi/spi-cadence.c b/drivers/spi/spi-cadence.c
+index f5055ceb7529..91f83683c15a 100644
+--- a/drivers/spi/spi-cadence.c
++++ b/drivers/spi/spi-cadence.c
+@@ -585,6 +585,12 @@ static int cdns_spi_probe(struct platform_device *pdev)
+ goto clk_dis_apb;
+ }
+
++ pm_runtime_use_autosuspend(&pdev->dev);
++ pm_runtime_set_autosuspend_delay(&pdev->dev, SPI_AUTOSUSPEND_TIMEOUT);
++ pm_runtime_get_noresume(&pdev->dev);
++ pm_runtime_set_active(&pdev->dev);
++ pm_runtime_enable(&pdev->dev);
++
+ ret = of_property_read_u32(pdev->dev.of_node, "num-cs", &num_cs);
+ if (ret < 0)
+ master->num_chipselect = CDNS_SPI_DEFAULT_NUM_CS;
+@@ -599,11 +605,6 @@ static int cdns_spi_probe(struct platform_device *pdev)
+ /* SPI controller initializations */
+ cdns_spi_init_hw(xspi);
+
+- pm_runtime_set_active(&pdev->dev);
+- pm_runtime_enable(&pdev->dev);
+- pm_runtime_use_autosuspend(&pdev->dev);
+- pm_runtime_set_autosuspend_delay(&pdev->dev, SPI_AUTOSUSPEND_TIMEOUT);
+-
+ irq = platform_get_irq(pdev, 0);
+ if (irq <= 0) {
+ ret = -ENXIO;
+@@ -636,6 +637,9 @@ static int cdns_spi_probe(struct platform_device *pdev)
+
+ master->bits_per_word_mask = SPI_BPW_MASK(8);
+
++ pm_runtime_mark_last_busy(&pdev->dev);
++ pm_runtime_put_autosuspend(&pdev->dev);
++
+ ret = spi_register_master(master);
+ if (ret) {
+ dev_err(&pdev->dev, "spi_register_master failed\n");
+--
+2.30.2
+
--- /dev/null
+From 132c36cfa0c2ea8edeb929b48d57698b38f87bb2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Jul 2021 14:16:09 +0200
+Subject: spi: mediatek: fix fifo rx mode
+
+From: Peter Hess <peter.hess@ph-home.de>
+
+[ Upstream commit 3a70dd2d050331ee4cf5ad9d5c0a32d83ead9a43 ]
+
+In FIFO mode were two problems:
+- RX mode was never handled and
+- in this case the tx_buf pointer was NULL and caused an exception
+
+fix this by handling RX mode in mtk_spi_fifo_transfer
+
+Fixes: a568231f4632 ("spi: mediatek: Add spi bus for Mediatek MT8173")
+Signed-off-by: Peter Hess <peter.hess@ph-home.de>
+Signed-off-by: Frank Wunderlich <frank-w@public-files.de>
+Link: https://lore.kernel.org/r/20210706121609.680534-1-linux@fw-web.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-mt65xx.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/spi/spi-mt65xx.c b/drivers/spi/spi-mt65xx.c
+index da28c52c9da1..e2b171057b3b 100644
+--- a/drivers/spi/spi-mt65xx.c
++++ b/drivers/spi/spi-mt65xx.c
+@@ -392,13 +392,23 @@ static int mtk_spi_fifo_transfer(struct spi_master *master,
+ mtk_spi_setup_packet(master);
+
+ cnt = xfer->len / 4;
+- iowrite32_rep(mdata->base + SPI_TX_DATA_REG, xfer->tx_buf, cnt);
++ if (xfer->tx_buf)
++ iowrite32_rep(mdata->base + SPI_TX_DATA_REG, xfer->tx_buf, cnt);
++
++ if (xfer->rx_buf)
++ ioread32_rep(mdata->base + SPI_RX_DATA_REG, xfer->rx_buf, cnt);
+
+ remainder = xfer->len % 4;
+ if (remainder > 0) {
+ reg_val = 0;
+- memcpy(®_val, xfer->tx_buf + (cnt * 4), remainder);
+- writel(reg_val, mdata->base + SPI_TX_DATA_REG);
++ if (xfer->tx_buf) {
++ memcpy(®_val, xfer->tx_buf + (cnt * 4), remainder);
++ writel(reg_val, mdata->base + SPI_TX_DATA_REG);
++ }
++ if (xfer->rx_buf) {
++ reg_val = readl(mdata->base + SPI_RX_DATA_REG);
++ memcpy(xfer->rx_buf + (cnt * 4), ®_val, remainder);
++ }
+ }
+
+ mtk_spi_enable_transfer(master);
+--
+2.30.2
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
