--- /dev/null
+From bcce23e407ee6dd94409e5bd99687d8dd5dfc6fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 21 Mar 2021 11:38:38 -0400
+Subject: ALSA: hdsp: don't disable if not enabled
+
+From: Tong Zhang <ztong0001@gmail.com>
+
+[ Upstream commit 507cdb9adba006a7798c358456426e1aea3d9c4f ]
+
+hdsp wants to disable a not enabled pci device, which makes kernel
+throw a warning. Make sure the device is enabled before calling disable.
+
+[ 1.758292] snd_hdsp 0000:00:03.0: disabling already-disabled device
+[ 1.758327] WARNING: CPU: 0 PID: 180 at drivers/pci/pci.c:2146 pci_disable_device+0x91/0xb0
+[ 1.766985] Call Trace:
+[ 1.767121] snd_hdsp_card_free+0x94/0xf0 [snd_hdsp]
+[ 1.767388] release_card_device+0x4b/0x80 [snd]
+[ 1.767639] device_release+0x3b/0xa0
+[ 1.767838] kobject_put+0x94/0x1b0
+[ 1.768027] put_device+0x13/0x20
+[ 1.768207] snd_card_free+0x61/0x90 [snd]
+[ 1.768430] snd_hdsp_probe+0x524/0x5e0 [snd_hdsp]
+
+Suggested-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Tong Zhang <ztong0001@gmail.com>
+Link: https://lore.kernel.org/r/20210321153840.378226-2-ztong0001@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/rme9652/hdsp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sound/pci/rme9652/hdsp.c b/sound/pci/rme9652/hdsp.c
+index e41bb4100306..edd359772f1f 100644
+--- a/sound/pci/rme9652/hdsp.c
++++ b/sound/pci/rme9652/hdsp.c
+@@ -5343,7 +5343,8 @@ static int snd_hdsp_free(struct hdsp *hdsp)
+ if (hdsp->port)
+ pci_release_regions(hdsp->pci);
+
+- pci_disable_device(hdsp->pci);
++ if (pci_is_enabled(hdsp->pci))
++ pci_disable_device(hdsp->pci);
+ return 0;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 13988ac8a6cd23edf5e928e963ba75423cddb9a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 21 Mar 2021 11:38:39 -0400
+Subject: ALSA: hdspm: don't disable if not enabled
+
+From: Tong Zhang <ztong0001@gmail.com>
+
+[ Upstream commit 790f5719b85e12e10c41753b864e74249585ed08 ]
+
+hdspm wants to disable a not enabled pci device, which makes kernel
+throw a warning. Make sure the device is enabled before calling disable.
+
+[ 1.786391] snd_hdspm 0000:00:03.0: disabling already-disabled device
+[ 1.786400] WARNING: CPU: 0 PID: 182 at drivers/pci/pci.c:2146 pci_disable_device+0x91/0xb0
+[ 1.795181] Call Trace:
+[ 1.795320] snd_hdspm_card_free+0x58/0xa0 [snd_hdspm]
+[ 1.795595] release_card_device+0x4b/0x80 [snd]
+[ 1.795860] device_release+0x3b/0xa0
+[ 1.796072] kobject_put+0x94/0x1b0
+[ 1.796260] put_device+0x13/0x20
+[ 1.796438] snd_card_free+0x61/0x90 [snd]
+[ 1.796659] snd_hdspm_probe+0x97b/0x1440 [snd_hdspm]
+
+Suggested-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Tong Zhang <ztong0001@gmail.com>
+Link: https://lore.kernel.org/r/20210321153840.378226-3-ztong0001@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/rme9652/hdspm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sound/pci/rme9652/hdspm.c b/sound/pci/rme9652/hdspm.c
+index 343f533906ba..5bbbbba0817b 100644
+--- a/sound/pci/rme9652/hdspm.c
++++ b/sound/pci/rme9652/hdspm.c
+@@ -6913,7 +6913,8 @@ static int snd_hdspm_free(struct hdspm * hdspm)
+ if (hdspm->port)
+ pci_release_regions(hdspm->pci);
+
+- pci_disable_device(hdspm->pci);
++ if (pci_is_enabled(hdspm->pci))
++ pci_disable_device(hdspm->pci);
+ return 0;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From cbfdfbcd9cc9e221e02a2e1234a672694f289faf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 21 Mar 2021 11:38:40 -0400
+Subject: ALSA: rme9652: don't disable if not enabled
+
+From: Tong Zhang <ztong0001@gmail.com>
+
+[ Upstream commit f57a741874bb6995089020e97a1dcdf9b165dcbe ]
+
+rme9652 wants to disable a not enabled pci device, which makes kernel
+throw a warning. Make sure the device is enabled before calling disable.
+
+[ 1.751595] snd_rme9652 0000:00:03.0: disabling already-disabled device
+[ 1.751605] WARNING: CPU: 0 PID: 174 at drivers/pci/pci.c:2146 pci_disable_device+0x91/0xb0
+[ 1.759968] Call Trace:
+[ 1.760145] snd_rme9652_card_free+0x76/0xa0 [snd_rme9652]
+[ 1.760434] release_card_device+0x4b/0x80 [snd]
+[ 1.760679] device_release+0x3b/0xa0
+[ 1.760874] kobject_put+0x94/0x1b0
+[ 1.761059] put_device+0x13/0x20
+[ 1.761235] snd_card_free+0x61/0x90 [snd]
+[ 1.761454] snd_rme9652_probe+0x3be/0x700 [snd_rme9652]
+
+Suggested-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Tong Zhang <ztong0001@gmail.com>
+Link: https://lore.kernel.org/r/20210321153840.378226-4-ztong0001@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/rme9652/rme9652.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sound/pci/rme9652/rme9652.c b/sound/pci/rme9652/rme9652.c
+index edd765e22377..f82fa5be7d33 100644
+--- a/sound/pci/rme9652/rme9652.c
++++ b/sound/pci/rme9652/rme9652.c
+@@ -1761,7 +1761,8 @@ static int snd_rme9652_free(struct snd_rme9652 *rme9652)
+ if (rme9652->port)
+ pci_release_regions(rme9652->pci);
+
+- pci_disable_device(rme9652->pci);
++ if (pci_is_enabled(rme9652->pci))
++ pci_disable_device(rme9652->pci);
+ return 0;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From a6b92d732500aa8603cb7521f85f84ccab0c2f6d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Feb 2021 03:00:05 +0100
+Subject: ARM: 9064/1: hw_breakpoint: Do not directly check the event's
+ overflow_handler hook
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit a506bd5756290821a4314f502b4bafc2afcf5260 ]
+
+The commit 1879445dfa7b ("perf/core: Set event's default
+::overflow_handler()") set a default event->overflow_handler in
+perf_event_alloc(), and replace the check event->overflow_handler with
+is_default_overflow_handler(), but one is missing.
+
+Currently, the bp->overflow_handler can not be NULL. As a result,
+enable_single_step() is always not invoked.
+
+Comments from Zhen Lei:
+
+ https://patchwork.kernel.org/project/linux-arm-kernel/patch/20210207105934.2001-1-thunder.leizhen@huawei.com/
+
+Fixes: 1879445dfa7b ("perf/core: Set event's default ::overflow_handler()")
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Cc: Wang Nan <wangnan0@huawei.com>
+Acked-by: Will Deacon <will@kernel.org>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/kernel/hw_breakpoint.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/kernel/hw_breakpoint.c b/arch/arm/kernel/hw_breakpoint.c
+index e61697fb7efe..a8783964ebde 100644
+--- a/arch/arm/kernel/hw_breakpoint.c
++++ b/arch/arm/kernel/hw_breakpoint.c
+@@ -891,7 +891,7 @@ static void breakpoint_handler(unsigned long unknown, struct pt_regs *regs)
+ info->trigger = addr;
+ pr_debug("breakpoint fired: address = 0x%x\n", addr);
+ perf_bp_event(bp, regs);
+- if (!bp->overflow_handler)
++ if (is_default_overflow_handler(bp))
+ enable_single_step(bp, addr);
+ goto unlock;
+ }
+--
+2.30.2
+
--- /dev/null
+From 159a53d8cacc0057348cc264dc5d0e0657e749eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Apr 2021 09:46:58 -0400
+Subject: ASoC: rt286: Generalize support for ALC3263 codec
+
+From: David Ward <david.ward@gatech.edu>
+
+[ Upstream commit aa2f9c12821e6a4ba1df4fb34a3dbc6a2a1ee7fe ]
+
+The ALC3263 codec on the XPS 13 9343 is also found on the Latitude 13 7350
+and Venue 11 Pro 7140. They require the same handling for the combo jack to
+work with a headset: GPIO pin 6 must be set.
+
+The HDA driver always sets this pin on the ALC3263, which it distinguishes
+by the codec vendor/device ID 0x10ec0288 and PCI subsystem vendor ID 0x1028
+(Dell). The ASoC driver does not use PCI, so adapt this check to use DMI to
+determine if Dell is the system vendor.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=150601
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=205961
+Signed-off-by: David Ward <david.ward@gatech.edu>
+Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://lore.kernel.org/r/20210418134658.4333-6-david.ward@gatech.edu
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/rt286.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/sound/soc/codecs/rt286.c b/sound/soc/codecs/rt286.c
+index af6325c78292..17a66b4a46a2 100644
+--- a/sound/soc/codecs/rt286.c
++++ b/sound/soc/codecs/rt286.c
+@@ -1119,12 +1119,11 @@ static const struct dmi_system_id force_combo_jack_table[] = {
+ { }
+ };
+
+-static const struct dmi_system_id dmi_dell_dino[] = {
++static const struct dmi_system_id dmi_dell[] = {
+ {
+- .ident = "Dell Dino",
++ .ident = "Dell",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
+- DMI_MATCH(DMI_PRODUCT_NAME, "XPS 13 9343")
+ }
+ },
+ { }
+@@ -1135,7 +1134,7 @@ static int rt286_i2c_probe(struct i2c_client *i2c,
+ {
+ struct rt286_platform_data *pdata = dev_get_platdata(&i2c->dev);
+ struct rt286_priv *rt286;
+- int i, ret, val;
++ int i, ret, vendor_id;
+
+ rt286 = devm_kzalloc(&i2c->dev, sizeof(*rt286),
+ GFP_KERNEL);
+@@ -1151,14 +1150,15 @@ static int rt286_i2c_probe(struct i2c_client *i2c,
+ }
+
+ ret = regmap_read(rt286->regmap,
+- RT286_GET_PARAM(AC_NODE_ROOT, AC_PAR_VENDOR_ID), &val);
++ RT286_GET_PARAM(AC_NODE_ROOT, AC_PAR_VENDOR_ID), &vendor_id);
+ if (ret != 0) {
+ dev_err(&i2c->dev, "I2C error %d\n", ret);
+ return ret;
+ }
+- if (val != RT286_VENDOR_ID && val != RT288_VENDOR_ID) {
++ if (vendor_id != RT286_VENDOR_ID && vendor_id != RT288_VENDOR_ID) {
+ dev_err(&i2c->dev,
+- "Device with ID register %#x is not rt286\n", val);
++ "Device with ID register %#x is not rt286\n",
++ vendor_id);
+ return -ENODEV;
+ }
+
+@@ -1182,8 +1182,8 @@ static int rt286_i2c_probe(struct i2c_client *i2c,
+ if (pdata)
+ rt286->pdata = *pdata;
+
+- if (dmi_check_system(force_combo_jack_table) ||
+- dmi_check_system(dmi_dell_dino))
++ if ((vendor_id == RT288_VENDOR_ID && dmi_check_system(dmi_dell)) ||
++ dmi_check_system(force_combo_jack_table))
+ rt286->pdata.cbj_en = true;
+
+ regmap_write(rt286->regmap, RT286_SET_AUDIO_POWER, AC_PWRST_D3);
+@@ -1222,7 +1222,7 @@ static int rt286_i2c_probe(struct i2c_client *i2c,
+ regmap_update_bits(rt286->regmap, RT286_DEPOP_CTRL3, 0xf777, 0x4737);
+ regmap_update_bits(rt286->regmap, RT286_DEPOP_CTRL4, 0x00ff, 0x003f);
+
+- if (dmi_check_system(dmi_dell_dino)) {
++ if (vendor_id == RT288_VENDOR_ID && dmi_check_system(dmi_dell)) {
+ regmap_update_bits(rt286->regmap,
+ RT286_SET_GPIO_MASK, 0x40, 0x40);
+ regmap_update_bits(rt286->regmap,
+--
+2.30.2
+
--- /dev/null
+From c2d25bf542717c5deba67722e05d6975f120cf18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Apr 2021 09:46:57 -0400
+Subject: ASoC: rt286: Make RT286_SET_GPIO_* readable and writable
+
+From: David Ward <david.ward@gatech.edu>
+
+[ Upstream commit cd8499d5c03ba260e3191e90236d0e5f6b147563 ]
+
+The GPIO configuration cannot be applied if the registers are inaccessible.
+This prevented the headset mic from working on the Dell XPS 13 9343.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=114171
+Signed-off-by: David Ward <david.ward@gatech.edu>
+Link: https://lore.kernel.org/r/20210418134658.4333-5-david.ward@gatech.edu
+Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/rt286.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/soc/codecs/rt286.c b/sound/soc/codecs/rt286.c
+index 17a66b4a46a2..ce3865a8ddc2 100644
+--- a/sound/soc/codecs/rt286.c
++++ b/sound/soc/codecs/rt286.c
+@@ -174,6 +174,9 @@ static bool rt286_readable_register(struct device *dev, unsigned int reg)
+ case RT286_PROC_COEF:
+ case RT286_SET_AMP_GAIN_ADC_IN1:
+ case RT286_SET_AMP_GAIN_ADC_IN2:
++ case RT286_SET_GPIO_MASK:
++ case RT286_SET_GPIO_DIRECTION:
++ case RT286_SET_GPIO_DATA:
+ case RT286_SET_POWER(RT286_DAC_OUT1):
+ case RT286_SET_POWER(RT286_DAC_OUT2):
+ case RT286_SET_POWER(RT286_ADC_IN1):
+--
+2.30.2
+
--- /dev/null
+From c943e445442139f51d519edcb94bf6fa30f7910c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Mar 2021 16:32:20 +0800
+Subject: Bluetooth: check for zapped sk before connecting
+
+From: Archie Pusaka <apusaka@chromium.org>
+
+[ Upstream commit 3af70b39fa2d415dc86c370e5b24ddb9fdacbd6f ]
+
+There is a possibility of receiving a zapped sock on
+l2cap_sock_connect(). This could lead to interesting crashes, one
+such case is tearing down an already tore l2cap_sock as is happened
+with this call trace:
+
+__dump_stack lib/dump_stack.c:15 [inline]
+dump_stack+0xc4/0x118 lib/dump_stack.c:56
+register_lock_class kernel/locking/lockdep.c:792 [inline]
+register_lock_class+0x239/0x6f6 kernel/locking/lockdep.c:742
+__lock_acquire+0x209/0x1e27 kernel/locking/lockdep.c:3105
+lock_acquire+0x29c/0x2fb kernel/locking/lockdep.c:3599
+__raw_spin_lock_bh include/linux/spinlock_api_smp.h:137 [inline]
+_raw_spin_lock_bh+0x38/0x47 kernel/locking/spinlock.c:175
+spin_lock_bh include/linux/spinlock.h:307 [inline]
+lock_sock_nested+0x44/0xfa net/core/sock.c:2518
+l2cap_sock_teardown_cb+0x88/0x2fb net/bluetooth/l2cap_sock.c:1345
+l2cap_chan_del+0xa3/0x383 net/bluetooth/l2cap_core.c:598
+l2cap_chan_close+0x537/0x5dd net/bluetooth/l2cap_core.c:756
+l2cap_chan_timeout+0x104/0x17e net/bluetooth/l2cap_core.c:429
+process_one_work+0x7e3/0xcb0 kernel/workqueue.c:2064
+worker_thread+0x5a5/0x773 kernel/workqueue.c:2196
+kthread+0x291/0x2a6 kernel/kthread.c:211
+ret_from_fork+0x4e/0x80 arch/x86/entry/entry_64.S:604
+
+Signed-off-by: Archie Pusaka <apusaka@chromium.org>
+Reported-by: syzbot+abfc0f5e668d4099af73@syzkaller.appspotmail.com
+Reviewed-by: Alain Michaud <alainm@chromium.org>
+Reviewed-by: Abhishek Pandit-Subedi <abhishekpandit@chromium.org>
+Reviewed-by: Guenter Roeck <groeck@chromium.org>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_sock.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
+index f94b14beba2b..3905af1d300f 100644
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -179,9 +179,17 @@ static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
+ struct l2cap_chan *chan = l2cap_pi(sk)->chan;
+ struct sockaddr_l2 la;
+ int len, err = 0;
++ bool zapped;
+
+ BT_DBG("sk %p", sk);
+
++ lock_sock(sk);
++ zapped = sock_flag(sk, SOCK_ZAPPED);
++ release_sock(sk);
++
++ if (zapped)
++ return -EINVAL;
++
+ if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
+ addr->sa_family != AF_BLUETOOTH)
+ return -EINVAL;
+--
+2.30.2
+
--- /dev/null
+From 21ba978882f0da73809f1d154a718a6df6537ad3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Mar 2021 07:52:07 +0900
+Subject: Bluetooth: initialize skb_queue_head at l2cap_chan_create()
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+[ Upstream commit be8597239379f0f53c9710dd6ab551bbf535bec6 ]
+
+syzbot is hitting "INFO: trying to register non-static key." message [1],
+for "struct l2cap_chan"->tx_q.lock spinlock is not yet initialized when
+l2cap_chan_del() is called due to e.g. timeout.
+
+Since "struct l2cap_chan"->lock mutex is initialized at l2cap_chan_create()
+immediately after "struct l2cap_chan" is allocated using kzalloc(), let's
+as well initialize "struct l2cap_chan"->{tx_q,srej_q}.lock spinlocks there.
+
+[1] https://syzkaller.appspot.com/bug?extid=fadfba6a911f6bf71842
+
+Reported-and-tested-by: syzbot <syzbot+fadfba6a911f6bf71842@syzkaller.appspotmail.com>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index b5a7d04066ec..460401349255 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -445,6 +445,8 @@ struct l2cap_chan *l2cap_chan_create(void)
+ if (!chan)
+ return NULL;
+
++ skb_queue_head_init(&chan->tx_q);
++ skb_queue_head_init(&chan->srej_q);
+ mutex_init(&chan->lock);
+
+ /* Set default lock nesting level */
+--
+2.30.2
+
--- /dev/null
+From 46f51a88d0ec87cd8c35e348a03683b7592dc5a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Mar 2021 14:02:15 +0800
+Subject: Bluetooth: Set CONF_NOT_COMPLETE as l2cap_chan default
+
+From: Archie Pusaka <apusaka@chromium.org>
+
+[ Upstream commit 3a9d54b1947ecea8eea9a902c0b7eb58a98add8a ]
+
+Currently l2cap_chan_set_defaults() reset chan->conf_state to zero.
+However, there is a flag CONF_NOT_COMPLETE which is set when
+creating the l2cap_chan. It is suggested that the flag should be
+cleared when l2cap_chan is ready, but when l2cap_chan_set_defaults()
+is called, l2cap_chan is not yet ready. Therefore, we must set this
+flag as the default.
+
+Example crash call trace:
+__dump_stack lib/dump_stack.c:15 [inline]
+dump_stack+0xc4/0x118 lib/dump_stack.c:56
+panic+0x1c6/0x38b kernel/panic.c:117
+__warn+0x170/0x1b9 kernel/panic.c:471
+warn_slowpath_fmt+0xc7/0xf8 kernel/panic.c:494
+debug_print_object+0x175/0x193 lib/debugobjects.c:260
+debug_object_assert_init+0x171/0x1bf lib/debugobjects.c:614
+debug_timer_assert_init kernel/time/timer.c:629 [inline]
+debug_assert_init kernel/time/timer.c:677 [inline]
+del_timer+0x7c/0x179 kernel/time/timer.c:1034
+try_to_grab_pending+0x81/0x2e5 kernel/workqueue.c:1230
+cancel_delayed_work+0x7c/0x1c4 kernel/workqueue.c:2929
+l2cap_clear_timer+0x1e/0x41 include/net/bluetooth/l2cap.h:834
+l2cap_chan_del+0x2d8/0x37e net/bluetooth/l2cap_core.c:640
+l2cap_chan_close+0x532/0x5d8 net/bluetooth/l2cap_core.c:756
+l2cap_sock_shutdown+0x806/0x969 net/bluetooth/l2cap_sock.c:1174
+l2cap_sock_release+0x64/0x14d net/bluetooth/l2cap_sock.c:1217
+__sock_release+0xda/0x217 net/socket.c:580
+sock_close+0x1b/0x1f net/socket.c:1039
+__fput+0x322/0x55c fs/file_table.c:208
+____fput+0x17/0x19 fs/file_table.c:244
+task_work_run+0x19b/0x1d3 kernel/task_work.c:115
+exit_task_work include/linux/task_work.h:21 [inline]
+do_exit+0xe4c/0x204a kernel/exit.c:766
+do_group_exit+0x291/0x291 kernel/exit.c:891
+get_signal+0x749/0x1093 kernel/signal.c:2396
+do_signal+0xa5/0xcdb arch/x86/kernel/signal.c:737
+exit_to_usermode_loop arch/x86/entry/common.c:243 [inline]
+prepare_exit_to_usermode+0xed/0x235 arch/x86/entry/common.c:277
+syscall_return_slowpath+0x3a7/0x3b3 arch/x86/entry/common.c:348
+int_ret_from_sys_call+0x25/0xa3
+
+Signed-off-by: Archie Pusaka <apusaka@chromium.org>
+Reported-by: syzbot+338f014a98367a08a114@syzkaller.appspotmail.com
+Reviewed-by: Alain Michaud <alainm@chromium.org>
+Reviewed-by: Abhishek Pandit-Subedi <abhishekpandit@chromium.org>
+Reviewed-by: Guenter Roeck <groeck@chromium.org>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index df8cc639c46d..b5a7d04066ec 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -510,7 +510,9 @@ void l2cap_chan_set_defaults(struct l2cap_chan *chan)
+ chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
+ chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
+ chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
++
+ chan->conf_state = 0;
++ set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
+
+ set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
+ }
+--
+2.30.2
+
--- /dev/null
+From 6ec09afb30337594fb223a1b3f3922384634bf7e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Apr 2021 10:40:58 +0200
+Subject: cuse: prevent clone
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+[ Upstream commit 8217673d07256b22881127bf50dce874d0e51653 ]
+
+For cloned connections cuse_channel_release() will be called more than
+once, resulting in use after free.
+
+Prevent device cloning for CUSE, which does not make sense at this point,
+and highly unlikely to be used in real life.
+
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/fuse/cuse.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/fuse/cuse.c b/fs/fuse/cuse.c
+index 55db06c7c587..b15eaa9e6cd7 100644
+--- a/fs/fuse/cuse.c
++++ b/fs/fuse/cuse.c
+@@ -616,6 +616,8 @@ static int __init cuse_init(void)
+ cuse_channel_fops.owner = THIS_MODULE;
+ cuse_channel_fops.open = cuse_channel_open;
+ cuse_channel_fops.release = cuse_channel_release;
++ /* CUSE is not prepared for FUSE_DEV_IOC_CLONE */
++ cuse_channel_fops.unlocked_ioctl = NULL;
+
+ cuse_class = class_create(THIS_MODULE, "cuse");
+ if (IS_ERR(cuse_class))
+--
+2.30.2
+
--- /dev/null
+From 3dd8ea59f21703b86afe521f5a4d50233399f907 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 2 May 2021 22:06:07 -0700
+Subject: drm/radeon: Fix off-by-one power_state index heap overwrite
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 5bbf219328849e83878bddb7c226d8d42e84affc ]
+
+An out of bounds write happens when setting the default power state.
+KASAN sees this as:
+
+[drm] radeon: 512M of GTT memory ready.
+[drm] GART: num cpu pages 131072, num gpu pages 131072
+==================================================================
+BUG: KASAN: slab-out-of-bounds in
+radeon_atombios_parse_power_table_1_3+0x1837/0x1998 [radeon]
+Write of size 4 at addr ffff88810178d858 by task systemd-udevd/157
+
+CPU: 0 PID: 157 Comm: systemd-udevd Not tainted 5.12.0-E620 #50
+Hardware name: eMachines eMachines E620 /Nile , BIOS V1.03 09/30/2008
+Call Trace:
+ dump_stack+0xa5/0xe6
+ print_address_description.constprop.0+0x18/0x239
+ kasan_report+0x170/0x1a8
+ radeon_atombios_parse_power_table_1_3+0x1837/0x1998 [radeon]
+ radeon_atombios_get_power_modes+0x144/0x1888 [radeon]
+ radeon_pm_init+0x1019/0x1904 [radeon]
+ rs690_init+0x76e/0x84a [radeon]
+ radeon_device_init+0x1c1a/0x21e5 [radeon]
+ radeon_driver_load_kms+0xf5/0x30b [radeon]
+ drm_dev_register+0x255/0x4a0 [drm]
+ radeon_pci_probe+0x246/0x2f6 [radeon]
+ pci_device_probe+0x1aa/0x294
+ really_probe+0x30e/0x850
+ driver_probe_device+0xe6/0x135
+ device_driver_attach+0xc1/0xf8
+ __driver_attach+0x13f/0x146
+ bus_for_each_dev+0xfa/0x146
+ bus_add_driver+0x2b3/0x447
+ driver_register+0x242/0x2c1
+ do_one_initcall+0x149/0x2fd
+ do_init_module+0x1ae/0x573
+ load_module+0x4dee/0x5cca
+ __do_sys_finit_module+0xf1/0x140
+ do_syscall_64+0x33/0x40
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Without KASAN, this will manifest later when the kernel attempts to
+allocate memory that was stomped, since it collides with the inline slab
+freelist pointer:
+
+invalid opcode: 0000 [#1] SMP NOPTI
+CPU: 0 PID: 781 Comm: openrc-run.sh Tainted: G W 5.10.12-gentoo-E620 #2
+Hardware name: eMachines eMachines E620 /Nile , BIOS V1.03 09/30/2008
+RIP: 0010:kfree+0x115/0x230
+Code: 89 c5 e8 75 ea ff ff 48 8b 00 0f ba e0 09 72 63 e8 1f f4 ff ff 41 89 c4 48 8b 45 00 0f ba e0 10 72 0a 48 8b 45 08 a8 01 75 02 <0f> 0b 44 89 e1 48 c7 c2 00 f0 ff ff be 06 00 00 00 48 d3 e2 48 c7
+RSP: 0018:ffffb42f40267e10 EFLAGS: 00010246
+RAX: ffffd61280ee8d88 RBX: 0000000000000004 RCX: 000000008010000d
+RDX: 4000000000000000 RSI: ffffffffba1360b0 RDI: ffffd61280ee8d80
+RBP: ffffd61280ee8d80 R08: ffffffffb91bebdf R09: 0000000000000000
+R10: ffff8fe2c1047ac8 R11: 0000000000000000 R12: 0000000000000000
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000100
+FS: 00007fe80eff6b68(0000) GS:ffff8fe339c00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007fe80eec7bc0 CR3: 0000000038012000 CR4: 00000000000006f0
+Call Trace:
+ __free_fdtable+0x16/0x1f
+ put_files_struct+0x81/0x9b
+ do_exit+0x433/0x94d
+ do_group_exit+0xa6/0xa6
+ __x64_sys_exit_group+0xf/0xf
+ do_syscall_64+0x33/0x40
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x7fe80ef64bea
+Code: Unable to access opcode bytes at RIP 0x7fe80ef64bc0.
+RSP: 002b:00007ffdb1c47528 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fe80ef64bea
+RDX: 00007fe80ef64f60 RSI: 0000000000000000 RDI: 0000000000000000
+RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
+R10: 00007fe80ee2c620 R11: 0000000000000246 R12: 00007fe80eff41e0
+R13: 00000000ffffffff R14: 0000000000000024 R15: 00007fe80edf9cd0
+Modules linked in: radeon(+) ath5k(+) snd_hda_codec_realtek ...
+
+Use a valid power_state index when initializing the "flags" and "misc"
+and "misc2" fields.
+
+Bug: https://bugzilla.kernel.org/show_bug.cgi?id=211537
+Reported-by: Erhard F. <erhard_f@mailbox.org>
+Fixes: a48b9b4edb8b ("drm/radeon/kms/pm: add asic specific callbacks for getting power state (v2)")
+Fixes: 79daedc94281 ("drm/radeon/kms: minor pm cleanups")
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/radeon/radeon_atombios.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/radeon/radeon_atombios.c b/drivers/gpu/drm/radeon/radeon_atombios.c
+index 4134759a6823..368ca6a5dbdd 100644
+--- a/drivers/gpu/drm/radeon/radeon_atombios.c
++++ b/drivers/gpu/drm/radeon/radeon_atombios.c
+@@ -2260,10 +2260,10 @@ static int radeon_atombios_parse_power_table_1_3(struct radeon_device *rdev)
+ rdev->pm.default_power_state_index = state_index - 1;
+ rdev->pm.power_state[state_index - 1].default_clock_mode =
+ &rdev->pm.power_state[state_index - 1].clock_info[0];
+- rdev->pm.power_state[state_index].flags &=
++ rdev->pm.power_state[state_index - 1].flags &=
+ ~RADEON_PM_STATE_SINGLE_DISPLAY_ONLY;
+- rdev->pm.power_state[state_index].misc = 0;
+- rdev->pm.power_state[state_index].misc2 = 0;
++ rdev->pm.power_state[state_index - 1].misc = 0;
++ rdev->pm.power_state[state_index - 1].misc2 = 0;
+ }
+ return state_index;
+ }
+--
+2.30.2
+
--- /dev/null
+From 747b597bb7742e87ef6e77bac3b8f3d6859a283d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Mar 2021 09:21:18 +0000
+Subject: f2fs: fix a redundant call to f2fs_balance_fs if an error occurs
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 28e18ee636ba28532dbe425540af06245a0bbecb ]
+
+The uninitialized variable dn.node_changed does not get set when a
+call to f2fs_get_node_page fails. This uninitialized value gets used
+in the call to f2fs_balance_fs() that may or not may not balances
+dirty node and dentry pages depending on the uninitialized state of
+the variable. Fix this by only calling f2fs_balance_fs if err is
+not set.
+
+Thanks to Jaegeuk Kim for suggesting an appropriate fix.
+
+Addresses-Coverity: ("Uninitialized scalar variable")
+Fixes: 2a3407607028 ("f2fs: call f2fs_balance_fs only when node was changed")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/inline.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/inline.c b/fs/f2fs/inline.c
+index 8906f6381b1a..74bc861bab39 100644
+--- a/fs/f2fs/inline.c
++++ b/fs/f2fs/inline.c
+@@ -203,7 +203,8 @@ out:
+
+ f2fs_put_page(page, 1);
+
+- f2fs_balance_fs(sbi, dn.node_changed);
++ if (!err)
++ f2fs_balance_fs(sbi, dn.node_changed);
+
+ return err;
+ }
+--
+2.30.2
+
--- /dev/null
+From 22f3c5511541a5e57a2b61a9b9f3130b77693684 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Mar 2021 17:05:08 -0500
+Subject: fs: dlm: fix debugfs dump
+
+From: Alexander Aring <aahringo@redhat.com>
+
+[ Upstream commit 92c48950b43f4a767388cf87709d8687151a641f ]
+
+This patch fixes the following message which randomly pops up during
+glocktop call:
+
+seq_file: buggy .next function table_seq_next did not update position index
+
+The issue is that seq_read_iter() in fs/seq_file.c also needs an
+increment of the index in an non next record case as well which this
+patch fixes otherwise seq_read_iter() will print out the above message.
+
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/dlm/debug_fs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/dlm/debug_fs.c b/fs/dlm/debug_fs.c
+index fa08448e35dd..bb87dad03cd4 100644
+--- a/fs/dlm/debug_fs.c
++++ b/fs/dlm/debug_fs.c
+@@ -544,6 +544,7 @@ static void *table_seq_next(struct seq_file *seq, void *iter_ptr, loff_t *pos)
+
+ if (bucket >= ls->ls_rsbtbl_size) {
+ kfree(ri);
++ ++*pos;
+ return NULL;
+ }
+ tree = toss ? &ls->ls_rsbtbl[bucket].toss : &ls->ls_rsbtbl[bucket].keep;
+--
+2.30.2
+
--- /dev/null
+From 87913a50c1e436a898140443bb5bfdc02d736be1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Mar 2021 12:12:54 -0700
+Subject: ip6_vti: proper dev_{hold|put} in ndo_[un]init methods
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 40cb881b5aaa0b69a7d93dec8440d5c62dae299f ]
+
+After adopting CONFIG_PCPU_DEV_REFCNT=n option, syzbot was able to trigger
+a warning [1]
+
+Issue here is that:
+
+- all dev_put() should be paired with a corresponding prior dev_hold().
+
+- A driver doing a dev_put() in its ndo_uninit() MUST also
+ do a dev_hold() in its ndo_init(), only when ndo_init()
+ is returning 0.
+
+Otherwise, register_netdevice() would call ndo_uninit()
+in its error path and release a refcount too soon.
+
+Therefore, we need to move dev_hold() call from
+vti6_tnl_create2() to vti6_dev_init_gen()
+
+[1]
+WARNING: CPU: 0 PID: 15951 at lib/refcount.c:31 refcount_warn_saturate+0xbf/0x1e0 lib/refcount.c:31
+Modules linked in:
+CPU: 0 PID: 15951 Comm: syz-executor.3 Not tainted 5.12.0-rc4-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:refcount_warn_saturate+0xbf/0x1e0 lib/refcount.c:31
+Code: 1d 6a 5a e8 09 31 ff 89 de e8 8d 1a ab fd 84 db 75 e0 e8 d4 13 ab fd 48 c7 c7 a0 e1 c1 89 c6 05 4a 5a e8 09 01 e8 2e 36 fb 04 <0f> 0b eb c4 e8 b8 13 ab fd 0f b6 1d 39 5a e8 09 31 ff 89 de e8 58
+RSP: 0018:ffffc90001eaef28 EFLAGS: 00010282
+RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
+RDX: 0000000000040000 RSI: ffffffff815c51f5 RDI: fffff520003d5dd7
+RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000
+R10: ffffffff815bdf8e R11: 0000000000000000 R12: ffff88801bb1c568
+R13: ffff88801f69e800 R14: 00000000ffffffff R15: ffff888050889d40
+FS: 00007fc79314e700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f1c1ff47108 CR3: 0000000020fd5000 CR4: 00000000001506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ __refcount_dec include/linux/refcount.h:344 [inline]
+ refcount_dec include/linux/refcount.h:359 [inline]
+ dev_put include/linux/netdevice.h:4135 [inline]
+ vti6_dev_uninit+0x31a/0x360 net/ipv6/ip6_vti.c:297
+ register_netdevice+0xadf/0x1500 net/core/dev.c:10308
+ vti6_tnl_create2+0x1b5/0x400 net/ipv6/ip6_vti.c:190
+ vti6_newlink+0x9d/0xd0 net/ipv6/ip6_vti.c:1020
+ __rtnl_newlink+0x1062/0x1710 net/core/rtnetlink.c:3443
+ rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3491
+ rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5553
+ netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502
+ netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
+ netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
+ netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
+ sock_sendmsg_nosec net/socket.c:654 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:674
+ ____sys_sendmsg+0x331/0x810 net/socket.c:2350
+ ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
+ __sys_sendmmsg+0x195/0x470 net/socket.c:2490
+ __do_sys_sendmmsg net/socket.c:2519 [inline]
+ __se_sys_sendmmsg net/socket.c:2516 [inline]
+ __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2516
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ip6_vti.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
+index 207bf342e995..72f51504cfc8 100644
+--- a/net/ipv6/ip6_vti.c
++++ b/net/ipv6/ip6_vti.c
+@@ -196,7 +196,6 @@ static int vti6_tnl_create2(struct net_device *dev)
+
+ strcpy(t->parms.name, dev->name);
+
+- dev_hold(dev);
+ vti6_tnl_link(ip6n, t);
+
+ return 0;
+@@ -903,6 +902,7 @@ static inline int vti6_dev_init_gen(struct net_device *dev)
+ dev->tstats = netdev_alloc_pcpu_stats(struct pcpu_sw_netstats);
+ if (!dev->tstats)
+ return -ENOMEM;
++ dev_hold(dev);
+ return 0;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 9165994d85eb552891c0d9694385ed1de22811b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Apr 2021 09:28:03 +0200
+Subject: kconfig: nconf: stop endless search loops
+
+From: Mihai Moldovan <ionic@ionic.de>
+
+[ Upstream commit 8c94b430b9f6213dec84e309bb480a71778c4213 ]
+
+If the user selects the very first entry in a page and performs a
+search-up operation, or selects the very last entry in a page and
+performs a search-down operation that will not succeed (e.g., via
+[/]asdfzzz[Up Arrow]), nconf will never terminate searching the page.
+
+The reason is that in this case, the starting point will be set to -1
+or n, which is then translated into (n - 1) (i.e., the last entry of
+the page) or 0 (i.e., the first entry of the page) and finally the
+search begins. This continues to work fine until the index reaches 0 or
+(n - 1), at which point it will be decremented to -1 or incremented to
+n, but not checked against the starting point right away. Instead, it's
+wrapped around to the bottom or top again, after which the starting
+point check occurs... and naturally fails.
+
+My original implementation added another check for -1 before wrapping
+the running index variable around, but Masahiro Yamada pointed out that
+the actual issue is that the comparison point (starting point) exceeds
+bounds (i.e., the [0,n-1] interval) in the first place and that,
+instead, the starting point should be fixed.
+
+This has the welcome side-effect of also fixing the case where the
+starting point was n while searching down, which also lead to an
+infinite loop.
+
+OTOH, this code is now essentially all his work.
+
+Amazingly, nobody seems to have been hit by this for 11 years - or at
+the very least nobody bothered to debug and fix this.
+
+Signed-off-by: Mihai Moldovan <ionic@ionic.de>
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/kconfig/nconf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/kconfig/nconf.c b/scripts/kconfig/nconf.c
+index e8e1944fa09b..7be47bf8e3d2 100644
+--- a/scripts/kconfig/nconf.c
++++ b/scripts/kconfig/nconf.c
+@@ -504,8 +504,8 @@ static int get_mext_match(const char *match_str, match_f flag)
+ else if (flag == FIND_NEXT_MATCH_UP)
+ --match_start;
+
++ match_start = (match_start + items_num) % items_num;
+ index = match_start;
+- index = (index + items_num) % items_num;
+ while (true) {
+ char *str = k_menu_items[index].str;
+ if (strcasestr(str, match_str) != NULL)
+--
+2.30.2
+
--- /dev/null
+From 3d76250a6ddca0ea4c87046552ade2dd5179ef02 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 May 2021 18:04:38 -0700
+Subject: kernel: kexec_file: fix error return code of
+ kexec_calculate_store_digests()
+
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+
+[ Upstream commit 31d82c2c787d5cf65fedd35ebbc0c1bd95c1a679 ]
+
+When vzalloc() returns NULL to sha_regions, no error return code of
+kexec_calculate_store_digests() is assigned. To fix this bug, ret is
+assigned with -ENOMEM in this case.
+
+Link: https://lkml.kernel.org/r/20210309083904.24321-1-baijiaju1990@gmail.com
+Fixes: a43cac0d9dc2 ("kexec: split kexec_file syscall code to kexec_file.c")
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
+Acked-by: Baoquan He <bhe@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/kexec_file.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
+index 6d0bdedb2e20..9d979b2954ef 100644
+--- a/kernel/kexec_file.c
++++ b/kernel/kexec_file.c
+@@ -554,8 +554,10 @@ static int kexec_calculate_store_digests(struct kimage *image)
+
+ sha_region_sz = KEXEC_SEGMENT_MAX * sizeof(struct kexec_sha_region);
+ sha_regions = vzalloc(sha_region_sz);
+- if (!sha_regions)
++ if (!sha_regions) {
++ ret = -ENOMEM;
+ goto out_free_desc;
++ }
+
+ desc->tfm = tfm;
+ desc->flags = 0;
+--
+2.30.2
+
--- /dev/null
+From 3f228bf189439b2985364895bced70dc4935c90d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 May 2021 18:33:46 -0700
+Subject: khugepaged: fix wrong result value for
+ trace_mm_collapse_huge_page_isolate()
+
+From: Miaohe Lin <linmiaohe@huawei.com>
+
+[ Upstream commit 74e579bf231a337ab3786d59e64bc94f45ca7b3f ]
+
+In writable and !referenced case, the result value should be
+SCAN_LACK_REFERENCED_PAGE for trace_mm_collapse_huge_page_isolate()
+instead of default 0 (SCAN_FAIL) here.
+
+Link: https://lkml.kernel.org/r/20210306032947.35921-5-linmiaohe@huawei.com
+Fixes: 7d2eba0557c1 ("mm: add tracepoint for scanning pages")
+Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
+Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Ebru Akagunduz <ebru.akagunduz@gmail.com>
+Cc: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: Rik van Riel <riel@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/khugepaged.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/mm/khugepaged.c b/mm/khugepaged.c
+index 349b4782d9f4..f426d42d629d 100644
+--- a/mm/khugepaged.c
++++ b/mm/khugepaged.c
+@@ -597,17 +597,17 @@ static int __collapse_huge_page_isolate(struct vm_area_struct *vma,
+ mmu_notifier_test_young(vma->vm_mm, address))
+ referenced++;
+ }
+- if (likely(writable)) {
+- if (likely(referenced)) {
+- result = SCAN_SUCCEED;
+- trace_mm_collapse_huge_page_isolate(page, none_or_zero,
+- referenced, writable, result);
+- return 1;
+- }
+- } else {
++
++ if (unlikely(!writable)) {
+ result = SCAN_PAGE_RO;
++ } else if (unlikely(!referenced)) {
++ result = SCAN_LACK_REFERENCED_PAGE;
++ } else {
++ result = SCAN_SUCCEED;
++ trace_mm_collapse_huge_page_isolate(page, none_or_zero,
++ referenced, writable, result);
++ return 1;
+ }
+-
+ out:
+ release_pte_pages(pte, _pte);
+ trace_mm_collapse_huge_page_isolate(page, none_or_zero,
+--
+2.30.2
+
--- /dev/null
+From 0e1c201efded93cbb5360351bc5ddd13304ee826 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 May 2021 18:37:45 -0700
+Subject: ksm: fix potential missing rmap_item for stable_node
+
+From: Miaohe Lin <linmiaohe@huawei.com>
+
+[ Upstream commit c89a384e2551c692a9fe60d093fd7080f50afc51 ]
+
+When removing rmap_item from stable tree, STABLE_FLAG of rmap_item is
+cleared with head reserved. So the following scenario might happen: For
+ksm page with rmap_item1:
+
+cmp_and_merge_page
+ stable_node->head = &migrate_nodes;
+ remove_rmap_item_from_tree, but head still equal to stable_node;
+ try_to_merge_with_ksm_page failed;
+ return;
+
+For the same ksm page with rmap_item2, stable node migration succeed this
+time. The stable_node->head does not equal to migrate_nodes now. For ksm
+page with rmap_item1 again:
+
+cmp_and_merge_page
+ stable_node->head != &migrate_nodes && rmap_item->head == stable_node
+ return;
+
+We would miss the rmap_item for stable_node and might result in failed
+rmap_walk_ksm(). Fix this by set rmap_item->head to NULL when rmap_item
+is removed from stable tree.
+
+Link: https://lkml.kernel.org/r/20210330140228.45635-5-linmiaohe@huawei.com
+Fixes: 4146d2d673e8 ("ksm: make !merge_across_nodes migration safe")
+Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
+Cc: Hugh Dickins <hughd@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/ksm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/mm/ksm.c b/mm/ksm.c
+index 65d4bf52f543..6d3bc2723c9b 100644
+--- a/mm/ksm.c
++++ b/mm/ksm.c
+@@ -768,6 +768,7 @@ static void remove_rmap_item_from_tree(struct rmap_item *rmap_item)
+ stable_node->rmap_hlist_len--;
+
+ put_anon_vma(rmap_item->anon_vma);
++ rmap_item->head = NULL;
+ rmap_item->address &= PAGE_MASK;
+
+ } else if (rmap_item->address & UNSTABLE_FLAG) {
+--
+2.30.2
+
--- /dev/null
+From 61f231e7f2b653bac6abd4ec94d77a51df89c405 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Apr 2021 14:31:25 +0200
+Subject: mac80211: clear the beacon's CRC after channel switch
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+[ Upstream commit d6843d1ee283137723b4a8c76244607ce6db1951 ]
+
+After channel switch, we should consider any beacon with a
+CSA IE as a new switch. If the CSA IE is a leftover from
+before the switch that the AP forgot to remove, we'll get
+a CSA-to-Self.
+
+This caused issues in iwlwifi where the firmware saw a beacon
+with a CSA-to-Self with mode = 1 on the new channel after a
+switch. The firmware considered this a new switch and closed
+its queues. Since the beacon didn't change between before and
+after the switch, we wouldn't handle it (the CRC is the same)
+and we wouldn't let the firmware open its queues again or
+disconnect if the CSA IE stays for too long.
+
+Clear the CRC valid state after we switch to make sure that
+we handle the beacon and handle the CSA IE as required.
+
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Link: https://lore.kernel.org/r/20210408143124.b9e68aa98304.I465afb55ca2c7d59f7bf610c6046a1fd732b4c28@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mlme.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
+index ab26b8b95471..a3ec3b1bb324 100644
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -1100,6 +1100,11 @@ static void ieee80211_chswitch_post_beacon(struct ieee80211_sub_if_data *sdata)
+
+ sdata->vif.csa_active = false;
+ ifmgd->csa_waiting_bcn = false;
++ /*
++ * If the CSA IE is still present on the beacon after the switch,
++ * we need to consider it as a new CSA (possibly to self).
++ */
++ ifmgd->beacon_crc_valid = false;
+
+ ret = drv_post_channel_switch(sdata);
+ if (ret) {
+--
+2.30.2
+
--- /dev/null
+From 07268d7bf46b92fd6b68f99dba71ff2397fbc146 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 May 2021 18:34:38 -0700
+Subject: mm/hugeltb: handle the error case in hugetlb_fix_reserve_counts()
+
+From: Miaohe Lin <linmiaohe@huawei.com>
+
+[ Upstream commit da56388c4397878a65b74f7fe97760f5aa7d316b ]
+
+A rare out of memory error would prevent removal of the reserve map region
+for a page. hugetlb_fix_reserve_counts() handles this rare case to avoid
+dangling with incorrect counts. Unfortunately, hugepage_subpool_get_pages
+and hugetlb_acct_memory could possibly fail too. We should correctly
+handle these cases.
+
+Link: https://lkml.kernel.org/r/20210410072348.20437-5-linmiaohe@huawei.com
+Fixes: b5cec28d36f5 ("hugetlbfs: truncate_hugepages() takes a range of pages")
+Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
+Cc: Feilong Lin <linfeilong@huawei.com>
+Cc: Mike Kravetz <mike.kravetz@oracle.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/hugetlb.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/mm/hugetlb.c b/mm/hugetlb.c
+index 0f6959961f9a..777ad49dbd46 100644
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -589,13 +589,20 @@ void hugetlb_fix_reserve_counts(struct inode *inode)
+ {
+ struct hugepage_subpool *spool = subpool_inode(inode);
+ long rsv_adjust;
++ bool reserved = false;
+
+ rsv_adjust = hugepage_subpool_get_pages(spool, 1);
+- if (rsv_adjust) {
++ if (rsv_adjust > 0) {
+ struct hstate *h = hstate_inode(inode);
+
+- hugetlb_acct_memory(h, 1);
++ if (!hugetlb_acct_memory(h, 1))
++ reserved = true;
++ } else if (!rsv_adjust) {
++ reserved = true;
+ }
++
++ if (!reserved)
++ pr_warn("hugetlb: Huge Page Reserved count may go negative.\n");
+ }
+
+ /*
+--
+2.30.2
+
--- /dev/null
+From d53499c727ea9ac933f92cf2d50d14c417632c5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Apr 2021 22:20:54 -0700
+Subject: net: ethernet: mtk_eth_soc: fix RX VLAN offload
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit 3f57d8c40fea9b20543cab4da12f4680d2ef182c ]
+
+The VLAN ID in the rx descriptor is only valid if the RX_DMA_VTAG bit is
+set. Fixes frames wrongly marked with VLAN tags.
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+[Ilya: fix commit message]
+Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mediatek/mtk_eth_soc.c | 2 +-
+ drivers/net/ethernet/mediatek/mtk_eth_soc.h | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+index a52909db67f6..dbd16dd5aa04 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+@@ -1041,7 +1041,7 @@ static int mtk_poll_rx(struct napi_struct *napi, int budget,
+ skb->protocol = eth_type_trans(skb, netdev);
+
+ if (netdev->features & NETIF_F_HW_VLAN_CTAG_RX &&
+- RX_DMA_VID(trxd.rxd3))
++ (trxd.rxd2 & RX_DMA_VTAG))
+ __vlan_hwaccel_put_tag(skb, htons(ETH_P_8021Q),
+ RX_DMA_VID(trxd.rxd3));
+ skb_record_rx_queue(skb, 0);
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.h b/drivers/net/ethernet/mediatek/mtk_eth_soc.h
+index 3d3c24a28112..ef82a30b2a0d 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.h
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.h
+@@ -283,6 +283,7 @@
+ #define RX_DMA_DONE BIT(31)
+ #define RX_DMA_PLEN0(_x) (((_x) & 0x3fff) << 16)
+ #define RX_DMA_GET_PLEN0(_x) (((_x) >> 16) & 0x3fff)
++#define RX_DMA_VTAG BIT(15)
+
+ /* QDMA descriptor rxd3 */
+ #define RX_DMA_VID(_x) ((_x) & 0xfff)
+--
+2.30.2
+
--- /dev/null
+From c08ffdab2f0b6b175ba4ee8637023e2925d57b07 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 May 2021 09:58:31 -0700
+Subject: net: fix nla_strcmp to handle more then one trailing null character
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Żenczykowski <maze@google.com>
+
+[ Upstream commit 2c16db6c92b0ee4aa61e88366df82169e83c3f7e ]
+
+Android userspace has been using TCA_KIND with a char[IFNAMESIZ]
+many-null-terminated buffer containing the string 'bpf'.
+
+This works on 4.19 and ceases to work on 5.10.
+
+I'm not entirely sure what fixes tag to use, but I think the issue
+was likely introduced in the below mentioned 5.4 commit.
+
+Reported-by: Nucca Chen <nuccachen@google.com>
+Cc: Cong Wang <xiyou.wangcong@gmail.com>
+Cc: David Ahern <dsahern@gmail.com>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Jakub Kicinski <jakub.kicinski@netronome.com>
+Cc: Jamal Hadi Salim <jhs@mojatatu.com>
+Cc: Jiri Pirko <jiri@mellanox.com>
+Cc: Jiri Pirko <jiri@resnulli.us>
+Fixes: 62794fc4fbf5 ("net_sched: add max len check for TCA_KIND")
+Change-Id: I66dc281f165a2858fc29a44869a270a2d698a82b
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/nlattr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/nlattr.c b/lib/nlattr.c
+index 3d8295c85505..5cf179aeefe6 100644
+--- a/lib/nlattr.c
++++ b/lib/nlattr.c
+@@ -379,7 +379,7 @@ int nla_strcmp(const struct nlattr *nla, const char *str)
+ int attrlen = nla_len(nla);
+ int d;
+
+- if (attrlen > 0 && buf[attrlen - 1] == '\0')
++ while (attrlen > 0 && buf[attrlen - 1] == '\0')
+ attrlen--;
+
+ d = attrlen - len;
+--
+2.30.2
+
--- /dev/null
+From 2f50b79ee5f6f137b2ec46ab7f9aa56a8fbce3de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 13 Mar 2021 13:18:26 +0000
+Subject: net: stmmac: Set FIFO sizes for ipq806x
+
+From: Jonathan McDowell <noodles@earth.li>
+
+[ Upstream commit e127906b68b49ddb3ecba39ffa36a329c48197d3 ]
+
+Commit eaf4fac47807 ("net: stmmac: Do not accept invalid MTU values")
+started using the TX FIFO size to verify what counts as a valid MTU
+request for the stmmac driver. This is unset for the ipq806x variant.
+Looking at older patches for this it seems the RX + TXs buffers can be
+up to 8k, so set appropriately.
+
+(I sent this as an RFC patch in June last year, but received no replies.
+I've been running with this on my hardware (a MikroTik RB3011) since
+then with larger MTUs to support both the internal qca8k switch and
+VLANs with no problems. Without the patch it's impossible to set the
+larger MTU required to support this.)
+
+Signed-off-by: Jonathan McDowell <noodles@earth.li>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c
+index 1924788d28da..f4ff43a1b5ba 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c
+@@ -363,6 +363,8 @@ static int ipq806x_gmac_probe(struct platform_device *pdev)
+ plat_dat->bsp_priv = gmac;
+ plat_dat->fix_mac_speed = ipq806x_gmac_fix_mac_speed;
+ plat_dat->multicast_filter_bins = 0;
++ plat_dat->tx_fifo_size = 8192;
++ plat_dat->rx_fifo_size = 8192;
+
+ err = stmmac_dvr_probe(&pdev->dev, plat_dat, &stmmac_res);
+ if (err)
+--
+2.30.2
+
--- /dev/null
+From 02f11f4254177365e802b9b76d05975ce235c97d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 May 2021 05:53:23 -0700
+Subject: netfilter: nftables: avoid overflows in nft_hash_buckets()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit a54754ec9891830ba548e2010c889e3c8146e449 ]
+
+Number of buckets being stored in 32bit variables, we have to
+ensure that no overflows occur in nft_hash_buckets()
+
+syzbot injected a size == 0x40000000 and reported:
+
+UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13
+shift exponent 64 is too large for 64-bit type 'long unsigned int'
+CPU: 1 PID: 29539 Comm: syz-executor.4 Not tainted 5.12.0-rc7-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:79 [inline]
+ dump_stack+0x141/0x1d7 lib/dump_stack.c:120
+ ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
+ __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:327
+ __roundup_pow_of_two include/linux/log2.h:57 [inline]
+ nft_hash_buckets net/netfilter/nft_set_hash.c:411 [inline]
+ nft_hash_estimate.cold+0x19/0x1e net/netfilter/nft_set_hash.c:652
+ nft_select_set_ops net/netfilter/nf_tables_api.c:3586 [inline]
+ nf_tables_newset+0xe62/0x3110 net/netfilter/nf_tables_api.c:4322
+ nfnetlink_rcv_batch+0xa09/0x24b0 net/netfilter/nfnetlink.c:488
+ nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:612 [inline]
+ nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:630
+ netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
+ netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
+ netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
+ sock_sendmsg_nosec net/socket.c:654 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:674
+ ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
+ ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
+ __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+
+Fixes: 0ed6389c483d ("netfilter: nf_tables: rename set implementations")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_set_hash.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c
+index 73f8f99b1193..a8daa80143ef 100644
+--- a/net/netfilter/nft_set_hash.c
++++ b/net/netfilter/nft_set_hash.c
+@@ -364,9 +364,17 @@ static void nft_rhash_destroy(const struct nft_set *set)
+ (void *)set);
+ }
+
++/* Number of buckets is stored in u32, so cap our result to 1U<<31 */
++#define NFT_MAX_BUCKETS (1U << 31)
++
+ static u32 nft_hash_buckets(u32 size)
+ {
+- return roundup_pow_of_two(size * 4 / 3);
++ u64 val = div_u64((u64)size * 4, 3);
++
++ if (val >= NFT_MAX_BUCKETS)
++ return NFT_MAX_BUCKETS;
++
++ return roundup_pow_of_two(val);
+ }
+
+ static bool nft_rhash_estimate(const struct nft_set_desc *desc, u32 features,
+--
+2.30.2
+
--- /dev/null
+From 36510f697fc4dc2d6c9d01b6aeaf0ac10af4ded7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Mar 2021 16:46:05 -0400
+Subject: NFS: Deal correctly with attribute generation counter overflow
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit 9fdbfad1777cb4638f489eeb62d85432010c0031 ]
+
+We need to use unsigned long subtraction and then convert to signed in
+order to deal correcly with C overflow rules.
+
+Fixes: f5062003465c ("NFS: Set an attribute barrier on all updates")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/inode.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
+index f0534b356f07..33cc69687792 100644
+--- a/fs/nfs/inode.c
++++ b/fs/nfs/inode.c
+@@ -1533,10 +1533,10 @@ EXPORT_SYMBOL_GPL(_nfs_display_fhandle);
+ */
+ static int nfs_inode_attrs_need_update(const struct inode *inode, const struct nfs_fattr *fattr)
+ {
+- const struct nfs_inode *nfsi = NFS_I(inode);
++ unsigned long attr_gencount = NFS_I(inode)->attr_gencount;
+
+- return ((long)fattr->gencount - (long)nfsi->attr_gencount) > 0 ||
+- ((long)nfsi->attr_gencount - (long)nfs_read_attr_generation_counter() > 0);
++ return (long)(fattr->gencount - attr_gencount) > 0 ||
++ (long)(attr_gencount - nfs_read_attr_generation_counter()) > 0;
+ }
+
+ static int nfs_refresh_inode_locked(struct inode *inode, struct nfs_fattr *fattr)
+@@ -1939,7 +1939,7 @@ static int nfs_update_inode(struct inode *inode, struct nfs_fattr *fattr)
+ nfsi->attrtimeo_timestamp = now;
+ }
+ /* Set the barrier to be more recent than this fattr */
+- if ((long)fattr->gencount - (long)nfsi->attr_gencount > 0)
++ if ((long)(fattr->gencount - nfsi->attr_gencount) > 0)
+ nfsi->attr_gencount = fattr->gencount;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From e78709ac4f1fdbcf1022f2d0725abeda5ed0d808 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 Mar 2021 18:17:14 -0400
+Subject: NFSv4.2: Always flush out writes in nfs42_proc_fallocate()
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit 99f23783224355e7022ceea9b8d9f62c0fd01bd8 ]
+
+Whether we're allocating or delallocating space, we should flush out the
+pending writes in order to avoid races with attribute updates.
+
+Fixes: 1e564d3dbd68 ("NFSv4.2: Fix a race in nfs42_proc_deallocate()")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs42proc.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/fs/nfs/nfs42proc.c b/fs/nfs/nfs42proc.c
+index 9c374441f660..1c4361aed415 100644
+--- a/fs/nfs/nfs42proc.c
++++ b/fs/nfs/nfs42proc.c
+@@ -58,7 +58,8 @@ static int _nfs42_proc_fallocate(struct rpc_message *msg, struct file *filep,
+ static int nfs42_proc_fallocate(struct rpc_message *msg, struct file *filep,
+ loff_t offset, loff_t len)
+ {
+- struct nfs_server *server = NFS_SERVER(file_inode(filep));
++ struct inode *inode = file_inode(filep);
++ struct nfs_server *server = NFS_SERVER(inode);
+ struct nfs4_exception exception = { };
+ struct nfs_lock_context *lock;
+ int err;
+@@ -67,9 +68,13 @@ static int nfs42_proc_fallocate(struct rpc_message *msg, struct file *filep,
+ if (IS_ERR(lock))
+ return PTR_ERR(lock);
+
+- exception.inode = file_inode(filep);
++ exception.inode = inode;
+ exception.state = lock->open_context->state;
+
++ err = nfs_sync_inode(inode);
++ if (err)
++ goto out;
++
+ do {
+ err = _nfs42_proc_fallocate(msg, filep, lock, offset, len);
+ if (err == -ENOTSUPP) {
+@@ -78,7 +83,7 @@ static int nfs42_proc_fallocate(struct rpc_message *msg, struct file *filep,
+ }
+ err = nfs4_handle_exception(server, err, &exception);
+ } while (exception.retry);
+-
++out:
+ nfs_put_lock_context(lock);
+ return err;
+ }
+@@ -116,16 +121,13 @@ int nfs42_proc_deallocate(struct file *filep, loff_t offset, loff_t len)
+ return -EOPNOTSUPP;
+
+ inode_lock(inode);
+- err = nfs_sync_inode(inode);
+- if (err)
+- goto out_unlock;
+
+ err = nfs42_proc_fallocate(&msg, filep, offset, len);
+ if (err == 0)
+ truncate_pagecache_range(inode, offset, (offset + len) -1);
+ if (err == -EOPNOTSUPP)
+ NFS_SERVER(inode)->caps &= ~NFS_CAP_DEALLOCATE;
+-out_unlock:
++
+ inode_unlock(inode);
+ return err;
+ }
+--
+2.30.2
+
--- /dev/null
+From c50f50e6a60b8ea86b9a227a52f972fced046a6e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Mar 2021 15:30:25 -0400
+Subject: NFSv4.2 fix handling of sr_eof in SEEK's reply
+
+From: Olga Kornievskaia <kolga@netapp.com>
+
+[ Upstream commit 73f5c88f521a630ea1628beb9c2d48a2e777a419 ]
+
+Currently the client ignores the value of the sr_eof of the SEEK
+operation. According to the spec, if the server didn't find the
+requested extent and reached the end of the file, the server
+would return sr_eof=true. In case the request for DATA and no
+data was found (ie in the middle of the hole), then the lseek
+expects that ENXIO would be returned.
+
+Fixes: 1c6dcbe5ceff8 ("NFS: Implement SEEK")
+Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs42proc.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fs/nfs/nfs42proc.c b/fs/nfs/nfs42proc.c
+index 1c4361aed415..a61792f777be 100644
+--- a/fs/nfs/nfs42proc.c
++++ b/fs/nfs/nfs42proc.c
+@@ -305,7 +305,10 @@ static loff_t _nfs42_proc_llseek(struct file *filep,
+ if (status)
+ return status;
+
+- return vfs_setpos(filep, res.sr_offset, inode->i_sb->s_maxbytes);
++ if (whence == SEEK_DATA && res.sr_eof)
++ return -NFS4ERR_NXIO;
++ else
++ return vfs_setpos(filep, res.sr_offset, inode->i_sb->s_maxbytes);
+ }
+
+ loff_t nfs42_proc_llseek(struct file *filep, loff_t offset, int whence)
+--
+2.30.2
+
--- /dev/null
+From 84ba8ecc9fc3ed6f07a6b294e6c864ee9ac1f112 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Jan 2021 02:28:26 +0300
+Subject: PCI: Release OF node in pci_scan_device()'s error path
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit c99e755a4a4c165cad6effb39faffd0f3377c02d ]
+
+In pci_scan_device(), if pci_setup_device() fails for any reason, the code
+will not release device's of_node by calling pci_release_of_node(). Fix
+that by calling the release function.
+
+Fixes: 98d9f30c820d ("pci/of: Match PCI devices to OF nodes dynamically")
+Link: https://lore.kernel.org/r/20210124232826.1879-1-dmitry.baryshkov@linaro.org
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/probe.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
+index 55ece07e584a..e716d8bba227 100644
+--- a/drivers/pci/probe.c
++++ b/drivers/pci/probe.c
+@@ -2014,6 +2014,7 @@ static struct pci_dev *pci_scan_device(struct pci_bus *bus, int devfn)
+ pci_set_of_node(dev);
+
+ if (pci_setup_device(dev)) {
++ pci_release_of_node(dev);
+ pci_bus_put(dev->bus);
+ kfree(dev);
+ return NULL;
+--
+2.30.2
+
--- /dev/null
+From 9d387816857cd7666d558e3f8615ac98c6023d3d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Apr 2021 21:50:29 +0200
+Subject: pinctrl: samsung: use 'int' for register masks in Exynos
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+
+[ Upstream commit fa0c10a5f3a49130dd11281aa27e7e1c8654abc7 ]
+
+The Special Function Registers on all Exynos SoC, including ARM64, are
+32-bit wide, so entire driver uses matching functions like readl() or
+writel(). On 64-bit ARM using unsigned long for register masks:
+1. makes little sense as immediately after bitwise operation it will be
+ cast to 32-bit value when calling writel(),
+2. is actually error-prone because it might promote other operands to
+ 64-bit.
+
+Addresses-Coverity: Unintentional integer overflow
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Reviewed-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Link: https://lore.kernel.org/r/20210408195029.69974-1-krzysztof.kozlowski@canonical.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/samsung/pinctrl-exynos.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/pinctrl/samsung/pinctrl-exynos.c b/drivers/pinctrl/samsung/pinctrl-exynos.c
+index 6925a3d969e2..13d6a50ca96c 100644
+--- a/drivers/pinctrl/samsung/pinctrl-exynos.c
++++ b/drivers/pinctrl/samsung/pinctrl-exynos.c
+@@ -55,7 +55,7 @@ static void exynos_irq_mask(struct irq_data *irqd)
+ struct exynos_irq_chip *our_chip = to_exynos_irq_chip(chip);
+ struct samsung_pin_bank *bank = irq_data_get_irq_chip_data(irqd);
+ unsigned long reg_mask = our_chip->eint_mask + bank->eint_offset;
+- unsigned long mask;
++ unsigned int mask;
+ unsigned long flags;
+
+ spin_lock_irqsave(&bank->slock, flags);
+@@ -83,7 +83,7 @@ static void exynos_irq_unmask(struct irq_data *irqd)
+ struct exynos_irq_chip *our_chip = to_exynos_irq_chip(chip);
+ struct samsung_pin_bank *bank = irq_data_get_irq_chip_data(irqd);
+ unsigned long reg_mask = our_chip->eint_mask + bank->eint_offset;
+- unsigned long mask;
++ unsigned int mask;
+ unsigned long flags;
+
+ /*
+@@ -409,7 +409,7 @@ static void exynos_irq_eint0_15(struct irq_desc *desc)
+ chained_irq_exit(chip, desc);
+ }
+
+-static inline void exynos_irq_demux_eint(unsigned long pend,
++static inline void exynos_irq_demux_eint(unsigned int pend,
+ struct irq_domain *domain)
+ {
+ unsigned int irq;
+@@ -426,8 +426,8 @@ static void exynos_irq_demux_eint16_31(struct irq_desc *desc)
+ {
+ struct irq_chip *chip = irq_desc_get_chip(desc);
+ struct exynos_muxed_weint_data *eintd = irq_desc_get_handler_data(desc);
+- unsigned long pend;
+- unsigned long mask;
++ unsigned int pend;
++ unsigned int mask;
+ int i;
+
+ chained_irq_enter(chip, desc);
+--
+2.30.2
+
--- /dev/null
+From 50993ccd3103ed14b5f3b164c9fc4e50d132fa36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Mar 2021 11:56:49 +0300
+Subject: pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()
+
+From: Nikola Livic <nlivic@gmail.com>
+
+[ Upstream commit ed34695e15aba74f45247f1ee2cf7e09d449f925 ]
+
+We (adam zabrocki, alexander matrosov, alexander tereshkin, maksym
+bazalii) observed the check:
+
+ if (fh->size > sizeof(struct nfs_fh))
+
+should not use the size of the nfs_fh struct which includes an extra two
+bytes from the size field.
+
+struct nfs_fh {
+ unsigned short size;
+ unsigned char data[NFS_MAXFHSIZE];
+}
+
+but should determine the size from data[NFS_MAXFHSIZE] so the memcpy
+will not write 2 bytes beyond destination. The proposed fix is to
+compare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs
+code base.
+
+Fixes: d67ae825a59d ("pnfs/flexfiles: Add the FlexFile Layout Driver")
+Signed-off-by: Nikola Livic <nlivic@gmail.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/flexfilelayout/flexfilelayout.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/nfs/flexfilelayout/flexfilelayout.c b/fs/nfs/flexfilelayout/flexfilelayout.c
+index 74f15498c9bf..9d99e19d98bd 100644
+--- a/fs/nfs/flexfilelayout/flexfilelayout.c
++++ b/fs/nfs/flexfilelayout/flexfilelayout.c
+@@ -101,7 +101,7 @@ static int decode_nfs_fh(struct xdr_stream *xdr, struct nfs_fh *fh)
+ if (unlikely(!p))
+ return -ENOBUFS;
+ fh->size = be32_to_cpup(p++);
+- if (fh->size > sizeof(struct nfs_fh)) {
++ if (fh->size > NFS_MAXFHSIZE) {
+ printk(KERN_ERR "NFS flexfiles: Too big fh received %d\n",
+ fh->size);
+ return -EOVERFLOW;
+--
+2.30.2
+
--- /dev/null
+From 242bf9dcc0d38abcdd84fcbdb92b39763d2997f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Mar 2021 17:36:53 +1100
+Subject: powerpc/iommu: Annotate nested lock for lockdep
+
+From: Alexey Kardashevskiy <aik@ozlabs.ru>
+
+[ Upstream commit cc7130bf119add37f36238343a593b71ef6ecc1e ]
+
+The IOMMU table is divided into pools for concurrent mappings and each
+pool has a separate spinlock. When taking the ownership of an IOMMU group
+to pass through a device to a VM, we lock these spinlocks which triggers
+a false negative warning in lockdep (below).
+
+This fixes it by annotating the large pool's spinlock as a nest lock
+which makes lockdep not complaining when locking nested locks if
+the nest lock is locked already.
+
+===
+WARNING: possible recursive locking detected
+5.11.0-le_syzkaller_a+fstn1 #100 Not tainted
+--------------------------------------------
+qemu-system-ppc/4129 is trying to acquire lock:
+c0000000119bddb0 (&(p->lock)/1){....}-{2:2}, at: iommu_take_ownership+0xac/0x1e0
+
+but task is already holding lock:
+c0000000119bdd30 (&(p->lock)/1){....}-{2:2}, at: iommu_take_ownership+0xac/0x1e0
+
+other info that might help us debug this:
+ Possible unsafe locking scenario:
+
+ CPU0
+ ----
+ lock(&(p->lock)/1);
+ lock(&(p->lock)/1);
+===
+
+Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20210301063653.51003-1-aik@ozlabs.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/iommu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/kernel/iommu.c b/arch/powerpc/kernel/iommu.c
+index 80b6caaa9b92..87af91937c8a 100644
+--- a/arch/powerpc/kernel/iommu.c
++++ b/arch/powerpc/kernel/iommu.c
+@@ -1055,7 +1055,7 @@ int iommu_take_ownership(struct iommu_table *tbl)
+
+ spin_lock_irqsave(&tbl->large_pool.lock, flags);
+ for (i = 0; i < tbl->nr_pools; i++)
+- spin_lock(&tbl->pools[i].lock);
++ spin_lock_nest_lock(&tbl->pools[i].lock, &tbl->large_pool.lock);
+
+ if (tbl->it_offset == 0)
+ clear_bit(0, tbl->it_map);
+@@ -1084,7 +1084,7 @@ void iommu_release_ownership(struct iommu_table *tbl)
+
+ spin_lock_irqsave(&tbl->large_pool.lock, flags);
+ for (i = 0; i < tbl->nr_pools; i++)
+- spin_lock(&tbl->pools[i].lock);
++ spin_lock_nest_lock(&tbl->pools[i].lock, &tbl->large_pool.lock);
+
+ memset(tbl->it_map, 0, sz);
+
+--
+2.30.2
+
--- /dev/null
+From 291909be1fb8f2d9987056aeb1ef04013dc6043d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Apr 2021 23:54:13 +1000
+Subject: powerpc/pseries: Stop calling printk in rtas_stop_self()
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+[ Upstream commit ed8029d7b472369a010a1901358567ca3b6dbb0d ]
+
+RCU complains about us calling printk() from an offline CPU:
+
+ =============================
+ WARNING: suspicious RCU usage
+ 5.12.0-rc7-02874-g7cf90e481cb8 #1 Not tainted
+ -----------------------------
+ kernel/locking/lockdep.c:3568 RCU-list traversed in non-reader section!!
+
+ other info that might help us debug this:
+
+ RCU used illegally from offline CPU!
+ rcu_scheduler_active = 2, debug_locks = 1
+ no locks held by swapper/0/0.
+
+ stack backtrace:
+ CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.12.0-rc7-02874-g7cf90e481cb8 #1
+ Call Trace:
+ dump_stack+0xec/0x144 (unreliable)
+ lockdep_rcu_suspicious+0x124/0x144
+ __lock_acquire+0x1098/0x28b0
+ lock_acquire+0x128/0x600
+ _raw_spin_lock_irqsave+0x6c/0xc0
+ down_trylock+0x2c/0x70
+ __down_trylock_console_sem+0x60/0x140
+ vprintk_emit+0x1a8/0x4b0
+ vprintk_func+0xcc/0x200
+ printk+0x40/0x54
+ pseries_cpu_offline_self+0xc0/0x120
+ arch_cpu_idle_dead+0x54/0x70
+ do_idle+0x174/0x4a0
+ cpu_startup_entry+0x38/0x40
+ rest_init+0x268/0x388
+ start_kernel+0x748/0x790
+ start_here_common+0x1c/0x614
+
+Which happens because by the time we get to rtas_stop_self() we are
+already offline. In addition the message can be spammy, and is not that
+helpful for users, so remove it.
+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20210418135413.1204031-1-mpe@ellerman.id.au
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/pseries/hotplug-cpu.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/arch/powerpc/platforms/pseries/hotplug-cpu.c b/arch/powerpc/platforms/pseries/hotplug-cpu.c
+index 0baaaa6b0929..73071c4339c5 100644
+--- a/arch/powerpc/platforms/pseries/hotplug-cpu.c
++++ b/arch/powerpc/platforms/pseries/hotplug-cpu.c
+@@ -95,9 +95,6 @@ static void rtas_stop_self(void)
+
+ BUG_ON(rtas_stop_self_token == RTAS_UNKNOWN_SERVICE);
+
+- printk("cpu %u (hwid %u) Ready to die...\n",
+- smp_processor_id(), hard_smp_processor_id());
+-
+ rtas_call_unlocked(&args, rtas_stop_self_token, 0, 1, NULL);
+
+ panic("Alas, I survived.\n");
+--
+2.30.2
+
--- /dev/null
+From 0883bbc1ceb450c62a2787afff4d7091c0ea2666 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Apr 2021 21:12:00 +0530
+Subject: powerpc/smp: Set numa node before updating mask
+
+From: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+
+[ Upstream commit 6980d13f0dd189846887bbbfa43793d9a41768d3 ]
+
+Geethika reported a trace when doing a dlpar CPU add.
+
+------------[ cut here ]------------
+WARNING: CPU: 152 PID: 1134 at kernel/sched/topology.c:2057
+CPU: 152 PID: 1134 Comm: kworker/152:1 Not tainted 5.12.0-rc5-master #5
+Workqueue: events cpuset_hotplug_workfn
+NIP: c0000000001cfc14 LR: c0000000001cfc10 CTR: c0000000007e3420
+REGS: c0000034a08eb260 TRAP: 0700 Not tainted (5.12.0-rc5-master+)
+MSR: 8000000000029033 <SF,EE,ME,IR,DR,RI,LE> CR: 28828422 XER: 00000020
+CFAR: c0000000001fd888 IRQMASK: 0 #012GPR00: c0000000001cfc10
+c0000034a08eb500 c000000001f35400 0000000000000027 #012GPR04:
+c0000035abaa8010 c0000035abb30a00 0000000000000027 c0000035abaa8018
+#012GPR08: 0000000000000023 c0000035abaaef48 00000035aa540000
+c0000035a49dffe8 #012GPR12: 0000000028828424 c0000035bf1a1c80
+0000000000000497 0000000000000004 #012GPR16: c00000000347a258
+0000000000000140 c00000000203d468 c000000001a1a490 #012GPR20:
+c000000001f9c160 c0000034adf70920 c0000034aec9fd20 0000000100087bd3
+#012GPR24: 0000000100087bd3 c0000035b3de09f8 0000000000000030
+c0000035b3de09f8 #012GPR28: 0000000000000028 c00000000347a280
+c0000034aefe0b00 c0000000010a2a68
+NIP [c0000000001cfc14] build_sched_domains+0x6a4/0x1500
+LR [c0000000001cfc10] build_sched_domains+0x6a0/0x1500
+Call Trace:
+[c0000034a08eb500] [c0000000001cfc10] build_sched_domains+0x6a0/0x1500 (unreliable)
+[c0000034a08eb640] [c0000000001d1e6c] partition_sched_domains_locked+0x3ec/0x530
+[c0000034a08eb6e0] [c0000000002936d4] rebuild_sched_domains_locked+0x524/0xbf0
+[c0000034a08eb7e0] [c000000000296bb0] rebuild_sched_domains+0x40/0x70
+[c0000034a08eb810] [c000000000296e74] cpuset_hotplug_workfn+0x294/0xe20
+[c0000034a08ebc30] [c000000000178dd0] process_one_work+0x300/0x670
+[c0000034a08ebd10] [c0000000001791b8] worker_thread+0x78/0x520
+[c0000034a08ebda0] [c000000000185090] kthread+0x1a0/0x1b0
+[c0000034a08ebe10] [c00000000000ccec] ret_from_kernel_thread+0x5c/0x70
+Instruction dump:
+7d2903a6 4e800421 e8410018 7f67db78 7fe6fb78 7f45d378 7f84e378 7c681b78
+3c62ff1a 3863c6f8 4802dc35 60000000 <0fe00000> 3920fff4 f9210070 e86100a0
+---[ end trace 532d9066d3d4d7ec ]---
+
+Some of the per-CPU masks use cpu_cpu_mask as a filter to limit the search
+for related CPUs. On a dlpar add of a CPU, update cpu_cpu_mask before
+updating the per-CPU masks. This will ensure the cpu_cpu_mask is updated
+correctly before its used in setting the masks. Setting the numa_node will
+ensure that when cpu_cpu_mask() gets called, the correct node number is
+used. This code movement helped fix the above call trace.
+
+Reported-by: Geetika Moolchandani <Geetika.Moolchandani1@ibm.com>
+Signed-off-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+Reviewed-by: Nathan Lynch <nathanl@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20210401154200.150077-1-srikar@linux.vnet.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/smp.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/powerpc/kernel/smp.c b/arch/powerpc/kernel/smp.c
+index e0a4c1f82e25..7c7aa7c98ba3 100644
+--- a/arch/powerpc/kernel/smp.c
++++ b/arch/powerpc/kernel/smp.c
+@@ -985,6 +985,9 @@ void start_secondary(void *unused)
+
+ vdso_getcpu_init();
+ #endif
++ set_numa_node(numa_cpu_lookup_table[cpu]);
++ set_numa_mem(local_memory_node(numa_cpu_lookup_table[cpu]));
++
+ /* Update topology CPU masks */
+ add_cpu_to_masks(cpu);
+
+@@ -995,9 +998,6 @@ void start_secondary(void *unused)
+ if (!cpumask_equal(cpu_l2_cache_mask(cpu), cpu_sibling_mask(cpu)))
+ shared_caches = true;
+
+- set_numa_node(numa_cpu_lookup_table[cpu]);
+- set_numa_mem(local_memory_node(numa_cpu_lookup_table[cpu]));
+-
+ smp_wmb();
+ notify_cpu_starting(cpu);
+ set_cpu_online(cpu, true);
+--
+2.30.2
+
--- /dev/null
+From cdbf0f18c316ff003d9d8f574bf081d91b78927a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 6 Mar 2021 05:36:24 -0800
+Subject: rpmsg: qcom_glink_native: fix error return code of
+ qcom_glink_rx_data()
+
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+
+[ Upstream commit 26594c6bbb60c6bc87e3762a86ceece57d164c66 ]
+
+When idr_find() returns NULL to intent, no error return code of
+qcom_glink_rx_data() is assigned.
+To fix this bug, ret is assigned with -ENOENT in this case.
+
+Fixes: 64f95f87920d ("rpmsg: glink: Use the local intents when receiving data")
+Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Link: https://lore.kernel.org/r/20210306133624.17237-1-baijiaju1990@gmail.com
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rpmsg/qcom_glink_native.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c
+index 7802663efe33..67711537d3ff 100644
+--- a/drivers/rpmsg/qcom_glink_native.c
++++ b/drivers/rpmsg/qcom_glink_native.c
+@@ -856,6 +856,7 @@ static int qcom_glink_rx_data(struct qcom_glink *glink, size_t avail)
+ dev_err(glink->dev,
+ "no intent found for channel %s intent %d",
+ channel->name, liid);
++ ret = -ENOENT;
+ goto advance_rx;
+ }
+ }
+--
+2.30.2
+
--- /dev/null
+From 0cc8733a13185a8602ccf0c6cb9331bf7238ba1f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Apr 2021 11:39:17 +0900
+Subject: rtc: ds1307: Fix wday settings for rx8130
+
+From: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
+
+[ Upstream commit 204756f016726a380bafe619438ed979088bd04a ]
+
+rx8130 wday specifies the bit position, not BCD.
+
+Fixes: ee0981be7704 ("rtc: ds1307: Add support for Epson RX8130CE")
+Signed-off-by: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Link: https://lore.kernel.org/r/20210420023917.1949066-1-nobuhiro1.iwamatsu@toshiba.co.jp
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-ds1307.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/rtc/rtc-ds1307.c b/drivers/rtc/rtc-ds1307.c
+index 8d45d93b1db6..19749ec87b24 100644
+--- a/drivers/rtc/rtc-ds1307.c
++++ b/drivers/rtc/rtc-ds1307.c
+@@ -417,7 +417,11 @@ static int ds1307_get_time(struct device *dev, struct rtc_time *t)
+ t->tm_min = bcd2bin(regs[DS1307_REG_MIN] & 0x7f);
+ tmp = regs[DS1307_REG_HOUR] & 0x3f;
+ t->tm_hour = bcd2bin(tmp);
+- t->tm_wday = bcd2bin(regs[DS1307_REG_WDAY] & 0x07) - 1;
++ /* rx8130 is bit position, not BCD */
++ if (ds1307->type == rx_8130)
++ t->tm_wday = fls(regs[DS1307_REG_WDAY] & 0x7f);
++ else
++ t->tm_wday = bcd2bin(regs[DS1307_REG_WDAY] & 0x07) - 1;
+ t->tm_mday = bcd2bin(regs[DS1307_REG_MDAY] & 0x3f);
+ tmp = regs[DS1307_REG_MONTH] & 0x1f;
+ t->tm_mon = bcd2bin(tmp) - 1;
+@@ -465,7 +469,11 @@ static int ds1307_set_time(struct device *dev, struct rtc_time *t)
+ regs[DS1307_REG_SECS] = bin2bcd(t->tm_sec);
+ regs[DS1307_REG_MIN] = bin2bcd(t->tm_min);
+ regs[DS1307_REG_HOUR] = bin2bcd(t->tm_hour);
+- regs[DS1307_REG_WDAY] = bin2bcd(t->tm_wday + 1);
++ /* rx8130 is bit position, not BCD */
++ if (ds1307->type == rx_8130)
++ regs[DS1307_REG_WDAY] = 1 << t->tm_wday;
++ else
++ regs[DS1307_REG_WDAY] = bin2bcd(t->tm_wday + 1);
+ regs[DS1307_REG_MDAY] = bin2bcd(t->tm_mday);
+ regs[DS1307_REG_MONTH] = bin2bcd(t->tm_mon + 1);
+
+--
+2.30.2
+
--- /dev/null
+From 998e2541339d52881e37e6e79f780bd601b5b917 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Apr 2021 23:48:03 +0800
+Subject: samples/bpf: Fix broken tracex1 due to kprobe argument change
+
+From: Yaqi Chen <chendotjs@gmail.com>
+
+[ Upstream commit 137733d08f4ab14a354dacaa9a8fc35217747605 ]
+
+>From commit c0bbbdc32feb ("__netif_receive_skb_core: pass skb by
+reference"), the first argument passed into __netif_receive_skb_core
+has changed to reference of a skb pointer.
+
+This commit fixes by using bpf_probe_read_kernel.
+
+Signed-off-by: Yaqi Chen <chendotjs@gmail.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Yonghong Song <yhs@fb.com>
+Link: https://lore.kernel.org/bpf/20210416154803.37157-1-chendotjs@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ samples/bpf/tracex1_kern.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/samples/bpf/tracex1_kern.c b/samples/bpf/tracex1_kern.c
+index 107da148820f..9c74b45c5720 100644
+--- a/samples/bpf/tracex1_kern.c
++++ b/samples/bpf/tracex1_kern.c
+@@ -20,7 +20,7 @@
+ SEC("kprobe/__netif_receive_skb_core")
+ int bpf_prog1(struct pt_regs *ctx)
+ {
+- /* attaches to kprobe netif_receive_skb,
++ /* attaches to kprobe __netif_receive_skb_core,
+ * looks for packets on loobpack device and prints them
+ */
+ char devname[IFNAMSIZ];
+@@ -29,7 +29,7 @@ int bpf_prog1(struct pt_regs *ctx)
+ int len;
+
+ /* non-portable! works for the given kernel only */
+- skb = (struct sk_buff *) PT_REGS_PARM1(ctx);
++ bpf_probe_read_kernel(&skb, sizeof(skb), (void *)PT_REGS_PARM1(ctx));
+ dev = _(skb->dev);
+ len = _(skb->len);
+
+--
+2.30.2
+
--- /dev/null
+From b50fae6504307ca77f88b98880f886cbb3a33729 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 May 2021 04:41:20 +0800
+Subject: sctp: fix a SCTP_MIB_CURRESTAB leak in sctp_sf_do_dupcook_b
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit f282df0391267fb2b263da1cc3233aa6fb81defc ]
+
+Normally SCTP_MIB_CURRESTAB is always incremented once asoc enter into
+ESTABLISHED from the state < ESTABLISHED and decremented when the asoc
+is being deleted.
+
+However, in sctp_sf_do_dupcook_b(), the asoc's state can be changed to
+ESTABLISHED from the state >= ESTABLISHED where it shouldn't increment
+SCTP_MIB_CURRESTAB. Otherwise, one asoc may increment MIB_CURRESTAB
+multiple times but only decrement once at the end.
+
+I was able to reproduce it by using scapy to do the 4-way shakehands,
+after that I replayed the COOKIE-ECHO chunk with 'peer_vtag' field
+changed to different values, and SCTP_MIB_CURRESTAB was incremented
+multiple times and never went back to 0 even when the asoc was freed.
+
+This patch is to fix it by only incrementing SCTP_MIB_CURRESTAB when
+the state < ESTABLISHED in sctp_sf_do_dupcook_b().
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/sm_statefuns.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
+index 80b9f7f097fa..e943fb28f581 100644
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -1888,7 +1888,8 @@ static enum sctp_disposition sctp_sf_do_dupcook_b(
+ sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
+ sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
+ SCTP_STATE(SCTP_STATE_ESTABLISHED));
+- SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
++ if (asoc->state < SCTP_STATE_ESTABLISHED)
++ SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
+ sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
+
+ repl = sctp_make_cookie_ack(new_asoc, chunk);
+--
+2.30.2
+
--- /dev/null
+From ef3730ca115ec088e876ce8aa9a6dc57b320fc86 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Apr 2021 14:12:36 -0500
+Subject: sctp: Fix out-of-bounds warning in sctp_process_asconf_param()
+
+From: Gustavo A. R. Silva <gustavoars@kernel.org>
+
+[ Upstream commit e5272ad4aab347dde5610c0aedb786219e3ff793 ]
+
+Fix the following out-of-bounds warning:
+
+net/sctp/sm_make_chunk.c:3150:4: warning: 'memcpy' offset [17, 28] from the object at 'addr' is out of the bounds of referenced subobject 'v4' with type 'struct sockaddr_in' at offset 0 [-Warray-bounds]
+
+This helps with the ongoing efforts to globally enable -Warray-bounds
+and get us closer to being able to tighten the FORTIFY_SOURCE routines
+on memcpy().
+
+Link: https://github.com/KSPP/linux/issues/109
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/sm_make_chunk.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
+index e698edd56bd5..1cd22a38fe42 100644
+--- a/net/sctp/sm_make_chunk.c
++++ b/net/sctp/sm_make_chunk.c
+@@ -3128,7 +3128,7 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc,
+ * primary.
+ */
+ if (af->is_any(&addr))
+- memcpy(&addr.v4, sctp_source(asconf), sizeof(addr));
++ memcpy(&addr, sctp_source(asconf), sizeof(addr));
+
+ peer = sctp_assoc_lookup_paddr(asoc, &addr);
+ if (!peer)
+--
+2.30.2
+
--- /dev/null
+From eba897735059966e6429362ba90f284c22d7bf1b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Apr 2021 08:34:13 -0700
+Subject: selftests: Set CC to clang in lib.mk if LLVM is set
+
+From: Yonghong Song <yhs@fb.com>
+
+[ Upstream commit 26e6dd1072763cd5696b75994c03982dde952ad9 ]
+
+selftests/bpf/Makefile includes lib.mk. With the following command
+ make -j60 LLVM=1 LLVM_IAS=1 <=== compile kernel
+ make -j60 -C tools/testing/selftests/bpf LLVM=1 LLVM_IAS=1 V=1
+some files are still compiled with gcc. This patch
+fixed lib.mk issue which sets CC to gcc in all cases.
+
+Signed-off-by: Yonghong Song <yhs@fb.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20210413153413.3027426-1-yhs@fb.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/lib.mk | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/tools/testing/selftests/lib.mk b/tools/testing/selftests/lib.mk
+index c9be64dc681d..cd3034602ea5 100644
+--- a/tools/testing/selftests/lib.mk
++++ b/tools/testing/selftests/lib.mk
+@@ -1,6 +1,10 @@
+ # This mimics the top-level Makefile. We do it explicitly here so that this
+ # Makefile can operate with or without the kbuild infrastructure.
++ifneq ($(LLVM),)
++CC := clang
++else
+ CC := $(CROSS_COMPILE)gcc
++endif
+
+ ifeq (0,$(MAKELEVEL))
+ OUTPUT := $(shell pwd)
+--
+2.30.2
+
revert-of-fdt-make-sure-no-map-does-not-remove-already-reserved-regions.patch
revert-fdt-properly-handle-no-map-field-in-the-memory-region.patch
tpm-fix-error-return-code-in-tpm2_get_cc_attrs_tbl.patch
+fs-dlm-fix-debugfs-dump.patch
+tipc-convert-dest-node-s-address-to-network-order.patch
+net-stmmac-set-fifo-sizes-for-ipq806x.patch
+alsa-hdsp-don-t-disable-if-not-enabled.patch
+alsa-hdspm-don-t-disable-if-not-enabled.patch
+alsa-rme9652-don-t-disable-if-not-enabled.patch
+bluetooth-set-conf_not_complete-as-l2cap_chan-defaul.patch
+bluetooth-initialize-skb_queue_head-at-l2cap_chan_cr.patch
+bluetooth-check-for-zapped-sk-before-connecting.patch
+ip6_vti-proper-dev_-hold-put-in-ndo_-un-init-methods.patch
+mac80211-clear-the-beacon-s-crc-after-channel-switch.patch
+pinctrl-samsung-use-int-for-register-masks-in-exynos.patch
+cuse-prevent-clone.patch
+selftests-set-cc-to-clang-in-lib.mk-if-llvm-is-set.patch
+kconfig-nconf-stop-endless-search-loops.patch
+sctp-fix-out-of-bounds-warning-in-sctp_process_ascon.patch
+powerpc-smp-set-numa-node-before-updating-mask.patch
+asoc-rt286-generalize-support-for-alc3263-codec.patch
+samples-bpf-fix-broken-tracex1-due-to-kprobe-argumen.patch
+powerpc-pseries-stop-calling-printk-in-rtas_stop_sel.patch
+wl3501_cs-fix-out-of-bounds-warnings-in-wl3501_send_.patch
+wl3501_cs-fix-out-of-bounds-warnings-in-wl3501_mgmt_.patch
+powerpc-iommu-annotate-nested-lock-for-lockdep.patch
+net-ethernet-mtk_eth_soc-fix-rx-vlan-offload.patch
+asoc-rt286-make-rt286_set_gpio_-readable-and-writabl.patch
+f2fs-fix-a-redundant-call-to-f2fs_balance_fs-if-an-e.patch
+pci-release-of-node-in-pci_scan_device-s-error-path.patch
+arm-9064-1-hw_breakpoint-do-not-directly-check-the-e.patch
+rpmsg-qcom_glink_native-fix-error-return-code-of-qco.patch
+nfsv4.2-always-flush-out-writes-in-nfs42_proc_falloc.patch
+nfs-deal-correctly-with-attribute-generation-counter.patch
+pnfs-flexfiles-fix-incorrect-size-check-in-decode_nf.patch
+nfsv4.2-fix-handling-of-sr_eof-in-seek-s-reply.patch
+rtc-ds1307-fix-wday-settings-for-rx8130.patch
+sctp-fix-a-sctp_mib_currestab-leak-in-sctp_sf_do_dup.patch
+drm-radeon-fix-off-by-one-power_state-index-heap-ove.patch
+khugepaged-fix-wrong-result-value-for-trace_mm_colla.patch
+mm-hugeltb-handle-the-error-case-in-hugetlb_fix_rese.patch
+ksm-fix-potential-missing-rmap_item-for-stable_node.patch
+net-fix-nla_strcmp-to-handle-more-then-one-trailing-.patch
+kernel-kexec_file-fix-error-return-code-of-kexec_cal.patch
+netfilter-nftables-avoid-overflows-in-nft_hash_bucke.patch
--- /dev/null
+From 499d67cad4bb29f41a4dd7483b07916d85fabfc4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Mar 2021 10:33:22 +0700
+Subject: tipc: convert dest node's address to network order
+
+From: Hoang Le <hoang.h.le@dektech.com.au>
+
+[ Upstream commit 1980d37565061ab44bdc2f9e4da477d3b9752e81 ]
+
+(struct tipc_link_info)->dest is in network order (__be32), so we must
+convert the value to network order before assigning. The problem detected
+by sparse:
+
+net/tipc/netlink_compat.c:699:24: warning: incorrect type in assignment (different base types)
+net/tipc/netlink_compat.c:699:24: expected restricted __be32 [usertype] dest
+net/tipc/netlink_compat.c:699:24: got int
+
+Acked-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Hoang Le <hoang.h.le@dektech.com.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/netlink_compat.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
+index 99c69489bb44..9aa0d789d25e 100644
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -662,7 +662,7 @@ static int tipc_nl_compat_link_dump(struct tipc_nl_compat_msg *msg,
+ if (err)
+ return err;
+
+- link_info.dest = nla_get_flag(link[TIPC_NLA_LINK_DEST]);
++ link_info.dest = htonl(nla_get_flag(link[TIPC_NLA_LINK_DEST]));
+ link_info.up = htonl(nla_get_flag(link[TIPC_NLA_LINK_UP]));
+ nla_strlcpy(link_info.str, link[TIPC_NLA_LINK_NAME],
+ TIPC_MAX_LINK_NAME);
+--
+2.30.2
+
--- /dev/null
+From df64f0988746be822ff4441d4d4af0c154d807a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Apr 2021 18:45:15 -0500
+Subject: wl3501_cs: Fix out-of-bounds warnings in wl3501_mgmt_join
+
+From: Gustavo A. R. Silva <gustavoars@kernel.org>
+
+[ Upstream commit bb43e5718d8f1b46e7a77e7b39be3c691f293050 ]
+
+Fix the following out-of-bounds warnings by adding a new structure
+wl3501_req instead of duplicating the same members in structure
+wl3501_join_req and wl3501_scan_confirm:
+
+arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [39, 108] from the object at 'sig' is out of the bounds of referenced subobject 'beacon_period' with type 'short unsigned int' at offset 36 [-Warray-bounds]
+arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [25, 95] from the object at 'sig' is out of the bounds of referenced subobject 'beacon_period' with type 'short unsigned int' at offset 22 [-Warray-bounds]
+
+Refactor the code, accordingly:
+
+$ pahole -C wl3501_req drivers/net/wireless/wl3501_cs.o
+struct wl3501_req {
+ u16 beacon_period; /* 0 2 */
+ u16 dtim_period; /* 2 2 */
+ u16 cap_info; /* 4 2 */
+ u8 bss_type; /* 6 1 */
+ u8 bssid[6]; /* 7 6 */
+ struct iw_mgmt_essid_pset ssid; /* 13 34 */
+ struct iw_mgmt_ds_pset ds_pset; /* 47 3 */
+ struct iw_mgmt_cf_pset cf_pset; /* 50 8 */
+ struct iw_mgmt_ibss_pset ibss_pset; /* 58 4 */
+ struct iw_mgmt_data_rset bss_basic_rset; /* 62 10 */
+
+ /* size: 72, cachelines: 2, members: 10 */
+ /* last cacheline: 8 bytes */
+};
+
+$ pahole -C wl3501_join_req drivers/net/wireless/wl3501_cs.o
+struct wl3501_join_req {
+ u16 next_blk; /* 0 2 */
+ u8 sig_id; /* 2 1 */
+ u8 reserved; /* 3 1 */
+ struct iw_mgmt_data_rset operational_rset; /* 4 10 */
+ u16 reserved2; /* 14 2 */
+ u16 timeout; /* 16 2 */
+ u16 probe_delay; /* 18 2 */
+ u8 timestamp[8]; /* 20 8 */
+ u8 local_time[8]; /* 28 8 */
+ struct wl3501_req req; /* 36 72 */
+
+ /* size: 108, cachelines: 2, members: 10 */
+ /* last cacheline: 44 bytes */
+};
+
+$ pahole -C wl3501_scan_confirm drivers/net/wireless/wl3501_cs.o
+struct wl3501_scan_confirm {
+ u16 next_blk; /* 0 2 */
+ u8 sig_id; /* 2 1 */
+ u8 reserved; /* 3 1 */
+ u16 status; /* 4 2 */
+ char timestamp[8]; /* 6 8 */
+ char localtime[8]; /* 14 8 */
+ struct wl3501_req req; /* 22 72 */
+ /* --- cacheline 1 boundary (64 bytes) was 30 bytes ago --- */
+ u8 rssi; /* 94 1 */
+
+ /* size: 96, cachelines: 2, members: 8 */
+ /* padding: 1 */
+ /* last cacheline: 32 bytes */
+};
+
+The problem is that the original code is trying to copy data into a
+bunch of struct members adjacent to each other in a single call to
+memcpy(). Now that a new struct wl3501_req enclosing all those adjacent
+members is introduced, memcpy() doesn't overrun the length of
+&sig.beacon_period and &this->bss_set[i].beacon_period, because the
+address of the new struct object _req_ is used as the destination,
+instead.
+
+This helps with the ongoing efforts to globally enable -Warray-bounds
+and get us closer to being able to tighten the FORTIFY_SOURCE routines
+on memcpy().
+
+Link: https://github.com/KSPP/linux/issues/109
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/1fbaf516da763b50edac47d792a9145aa4482e29.1618442265.git.gustavoars@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/wl3501.h | 35 +++++++++++--------------
+ drivers/net/wireless/wl3501_cs.c | 44 +++++++++++++++++---------------
+ 2 files changed, 38 insertions(+), 41 deletions(-)
+
+diff --git a/drivers/net/wireless/wl3501.h b/drivers/net/wireless/wl3501.h
+index 077a934ae3b5..a10ee5a68012 100644
+--- a/drivers/net/wireless/wl3501.h
++++ b/drivers/net/wireless/wl3501.h
+@@ -379,16 +379,7 @@ struct wl3501_get_confirm {
+ u8 mib_value[100];
+ };
+
+-struct wl3501_join_req {
+- u16 next_blk;
+- u8 sig_id;
+- u8 reserved;
+- struct iw_mgmt_data_rset operational_rset;
+- u16 reserved2;
+- u16 timeout;
+- u16 probe_delay;
+- u8 timestamp[8];
+- u8 local_time[8];
++struct wl3501_req {
+ u16 beacon_period;
+ u16 dtim_period;
+ u16 cap_info;
+@@ -401,6 +392,19 @@ struct wl3501_join_req {
+ struct iw_mgmt_data_rset bss_basic_rset;
+ };
+
++struct wl3501_join_req {
++ u16 next_blk;
++ u8 sig_id;
++ u8 reserved;
++ struct iw_mgmt_data_rset operational_rset;
++ u16 reserved2;
++ u16 timeout;
++ u16 probe_delay;
++ u8 timestamp[8];
++ u8 local_time[8];
++ struct wl3501_req req;
++};
++
+ struct wl3501_join_confirm {
+ u16 next_blk;
+ u8 sig_id;
+@@ -443,16 +447,7 @@ struct wl3501_scan_confirm {
+ u16 status;
+ char timestamp[8];
+ char localtime[8];
+- u16 beacon_period;
+- u16 dtim_period;
+- u16 cap_info;
+- u8 bss_type;
+- u8 bssid[ETH_ALEN];
+- struct iw_mgmt_essid_pset ssid;
+- struct iw_mgmt_ds_pset ds_pset;
+- struct iw_mgmt_cf_pset cf_pset;
+- struct iw_mgmt_ibss_pset ibss_pset;
+- struct iw_mgmt_data_rset bss_basic_rset;
++ struct wl3501_req req;
+ u8 rssi;
+ };
+
+diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c
+index 0019b01145ba..f33ece937047 100644
+--- a/drivers/net/wireless/wl3501_cs.c
++++ b/drivers/net/wireless/wl3501_cs.c
+@@ -589,7 +589,7 @@ static int wl3501_mgmt_join(struct wl3501_card *this, u16 stas)
+ struct wl3501_join_req sig = {
+ .sig_id = WL3501_SIG_JOIN_REQ,
+ .timeout = 10,
+- .ds_pset = {
++ .req.ds_pset = {
+ .el = {
+ .id = IW_MGMT_INFO_ELEMENT_DS_PARAMETER_SET,
+ .len = 1,
+@@ -598,7 +598,7 @@ static int wl3501_mgmt_join(struct wl3501_card *this, u16 stas)
+ },
+ };
+
+- memcpy(&sig.beacon_period, &this->bss_set[stas].beacon_period, 72);
++ memcpy(&sig.req, &this->bss_set[stas].req, sizeof(sig.req));
+ return wl3501_esbq_exec(this, &sig, sizeof(sig));
+ }
+
+@@ -666,35 +666,37 @@ static void wl3501_mgmt_scan_confirm(struct wl3501_card *this, u16 addr)
+ if (sig.status == WL3501_STATUS_SUCCESS) {
+ pr_debug("success");
+ if ((this->net_type == IW_MODE_INFRA &&
+- (sig.cap_info & WL3501_MGMT_CAPABILITY_ESS)) ||
++ (sig.req.cap_info & WL3501_MGMT_CAPABILITY_ESS)) ||
+ (this->net_type == IW_MODE_ADHOC &&
+- (sig.cap_info & WL3501_MGMT_CAPABILITY_IBSS)) ||
++ (sig.req.cap_info & WL3501_MGMT_CAPABILITY_IBSS)) ||
+ this->net_type == IW_MODE_AUTO) {
+ if (!this->essid.el.len)
+ matchflag = 1;
+ else if (this->essid.el.len == 3 &&
+ !memcmp(this->essid.essid, "ANY", 3))
+ matchflag = 1;
+- else if (this->essid.el.len != sig.ssid.el.len)
++ else if (this->essid.el.len != sig.req.ssid.el.len)
+ matchflag = 0;
+- else if (memcmp(this->essid.essid, sig.ssid.essid,
++ else if (memcmp(this->essid.essid, sig.req.ssid.essid,
+ this->essid.el.len))
+ matchflag = 0;
+ else
+ matchflag = 1;
+ if (matchflag) {
+ for (i = 0; i < this->bss_cnt; i++) {
+- if (ether_addr_equal_unaligned(this->bss_set[i].bssid, sig.bssid)) {
++ if (ether_addr_equal_unaligned(this->bss_set[i].req.bssid,
++ sig.req.bssid)) {
+ matchflag = 0;
+ break;
+ }
+ }
+ }
+ if (matchflag && (i < 20)) {
+- memcpy(&this->bss_set[i].beacon_period,
+- &sig.beacon_period, 73);
++ memcpy(&this->bss_set[i].req,
++ &sig.req, sizeof(sig.req));
+ this->bss_cnt++;
+ this->rssi = sig.rssi;
++ this->bss_set[i].rssi = sig.rssi;
+ }
+ }
+ } else if (sig.status == WL3501_STATUS_TIMEOUT) {
+@@ -886,19 +888,19 @@ static void wl3501_mgmt_join_confirm(struct net_device *dev, u16 addr)
+ if (this->join_sta_bss < this->bss_cnt) {
+ const int i = this->join_sta_bss;
+ memcpy(this->bssid,
+- this->bss_set[i].bssid, ETH_ALEN);
+- this->chan = this->bss_set[i].ds_pset.chan;
++ this->bss_set[i].req.bssid, ETH_ALEN);
++ this->chan = this->bss_set[i].req.ds_pset.chan;
+ iw_copy_mgmt_info_element(&this->keep_essid.el,
+- &this->bss_set[i].ssid.el);
++ &this->bss_set[i].req.ssid.el);
+ wl3501_mgmt_auth(this);
+ }
+ } else {
+ const int i = this->join_sta_bss;
+
+- memcpy(&this->bssid, &this->bss_set[i].bssid, ETH_ALEN);
+- this->chan = this->bss_set[i].ds_pset.chan;
++ memcpy(&this->bssid, &this->bss_set[i].req.bssid, ETH_ALEN);
++ this->chan = this->bss_set[i].req.ds_pset.chan;
+ iw_copy_mgmt_info_element(&this->keep_essid.el,
+- &this->bss_set[i].ssid.el);
++ &this->bss_set[i].req.ssid.el);
+ wl3501_online(dev);
+ }
+ } else {
+@@ -1576,30 +1578,30 @@ static int wl3501_get_scan(struct net_device *dev, struct iw_request_info *info,
+ for (i = 0; i < this->bss_cnt; ++i) {
+ iwe.cmd = SIOCGIWAP;
+ iwe.u.ap_addr.sa_family = ARPHRD_ETHER;
+- memcpy(iwe.u.ap_addr.sa_data, this->bss_set[i].bssid, ETH_ALEN);
++ memcpy(iwe.u.ap_addr.sa_data, this->bss_set[i].req.bssid, ETH_ALEN);
+ current_ev = iwe_stream_add_event(info, current_ev,
+ extra + IW_SCAN_MAX_DATA,
+ &iwe, IW_EV_ADDR_LEN);
+ iwe.cmd = SIOCGIWESSID;
+ iwe.u.data.flags = 1;
+- iwe.u.data.length = this->bss_set[i].ssid.el.len;
++ iwe.u.data.length = this->bss_set[i].req.ssid.el.len;
+ current_ev = iwe_stream_add_point(info, current_ev,
+ extra + IW_SCAN_MAX_DATA,
+ &iwe,
+- this->bss_set[i].ssid.essid);
++ this->bss_set[i].req.ssid.essid);
+ iwe.cmd = SIOCGIWMODE;
+- iwe.u.mode = this->bss_set[i].bss_type;
++ iwe.u.mode = this->bss_set[i].req.bss_type;
+ current_ev = iwe_stream_add_event(info, current_ev,
+ extra + IW_SCAN_MAX_DATA,
+ &iwe, IW_EV_UINT_LEN);
+ iwe.cmd = SIOCGIWFREQ;
+- iwe.u.freq.m = this->bss_set[i].ds_pset.chan;
++ iwe.u.freq.m = this->bss_set[i].req.ds_pset.chan;
+ iwe.u.freq.e = 0;
+ current_ev = iwe_stream_add_event(info, current_ev,
+ extra + IW_SCAN_MAX_DATA,
+ &iwe, IW_EV_FREQ_LEN);
+ iwe.cmd = SIOCGIWENCODE;
+- if (this->bss_set[i].cap_info & WL3501_MGMT_CAPABILITY_PRIVACY)
++ if (this->bss_set[i].req.cap_info & WL3501_MGMT_CAPABILITY_PRIVACY)
+ iwe.u.data.flags = IW_ENCODE_ENABLED | IW_ENCODE_NOKEY;
+ else
+ iwe.u.data.flags = IW_ENCODE_DISABLED;
+--
+2.30.2
+
--- /dev/null
+From 2f36e2f1c4913364f5268eff44b1e2f6abde6c6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Apr 2021 18:43:19 -0500
+Subject: wl3501_cs: Fix out-of-bounds warnings in wl3501_send_pkt
+
+From: Gustavo A. R. Silva <gustavoars@kernel.org>
+
+[ Upstream commit 820aa37638a252b57967bdf4038a514b1ab85d45 ]
+
+Fix the following out-of-bounds warnings by enclosing structure members
+daddr and saddr into new struct addr, in structures wl3501_md_req and
+wl3501_md_ind:
+
+arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [18, 23] from the object at 'sig' is out of the bounds of referenced subobject 'daddr' with type 'u8[6]' {aka 'unsigned char[6]'} at offset 11 [-Warray-bounds]
+arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [18, 23] from the object at 'sig' is out of the bounds of referenced subobject 'daddr' with type 'u8[6]' {aka 'unsigned char[6]'} at offset 11 [-Warray-bounds]
+
+Refactor the code, accordingly:
+
+$ pahole -C wl3501_md_req drivers/net/wireless/wl3501_cs.o
+struct wl3501_md_req {
+ u16 next_blk; /* 0 2 */
+ u8 sig_id; /* 2 1 */
+ u8 routing; /* 3 1 */
+ u16 data; /* 4 2 */
+ u16 size; /* 6 2 */
+ u8 pri; /* 8 1 */
+ u8 service_class; /* 9 1 */
+ struct {
+ u8 daddr[6]; /* 10 6 */
+ u8 saddr[6]; /* 16 6 */
+ } addr; /* 10 12 */
+
+ /* size: 22, cachelines: 1, members: 8 */
+ /* last cacheline: 22 bytes */
+};
+
+$ pahole -C wl3501_md_ind drivers/net/wireless/wl3501_cs.o
+struct wl3501_md_ind {
+ u16 next_blk; /* 0 2 */
+ u8 sig_id; /* 2 1 */
+ u8 routing; /* 3 1 */
+ u16 data; /* 4 2 */
+ u16 size; /* 6 2 */
+ u8 reception; /* 8 1 */
+ u8 pri; /* 9 1 */
+ u8 service_class; /* 10 1 */
+ struct {
+ u8 daddr[6]; /* 11 6 */
+ u8 saddr[6]; /* 17 6 */
+ } addr; /* 11 12 */
+
+ /* size: 24, cachelines: 1, members: 9 */
+ /* padding: 1 */
+ /* last cacheline: 24 bytes */
+};
+
+The problem is that the original code is trying to copy data into a
+couple of arrays adjacent to each other in a single call to memcpy().
+Now that a new struct _addr_ enclosing those two adjacent arrays
+is introduced, memcpy() doesn't overrun the length of &sig.daddr[0]
+and &sig.daddr, because the address of the new struct object _addr_
+is used, instead.
+
+This helps with the ongoing efforts to globally enable -Warray-bounds
+and get us closer to being able to tighten the FORTIFY_SOURCE routines
+on memcpy().
+
+Link: https://github.com/KSPP/linux/issues/109
+Reported-by: kernel test robot <lkp@intel.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/d260fe56aed7112bff2be5b4d152d03ad7b78e78.1618442265.git.gustavoars@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/wl3501.h | 12 ++++++++----
+ drivers/net/wireless/wl3501_cs.c | 10 ++++++----
+ 2 files changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/wireless/wl3501.h b/drivers/net/wireless/wl3501.h
+index efdce9ae36ea..077a934ae3b5 100644
+--- a/drivers/net/wireless/wl3501.h
++++ b/drivers/net/wireless/wl3501.h
+@@ -471,8 +471,10 @@ struct wl3501_md_req {
+ u16 size;
+ u8 pri;
+ u8 service_class;
+- u8 daddr[ETH_ALEN];
+- u8 saddr[ETH_ALEN];
++ struct {
++ u8 daddr[ETH_ALEN];
++ u8 saddr[ETH_ALEN];
++ } addr;
+ };
+
+ struct wl3501_md_ind {
+@@ -484,8 +486,10 @@ struct wl3501_md_ind {
+ u8 reception;
+ u8 pri;
+ u8 service_class;
+- u8 daddr[ETH_ALEN];
+- u8 saddr[ETH_ALEN];
++ struct {
++ u8 daddr[ETH_ALEN];
++ u8 saddr[ETH_ALEN];
++ } addr;
+ };
+
+ struct wl3501_md_confirm {
+diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c
+index da62220b9c01..0019b01145ba 100644
+--- a/drivers/net/wireless/wl3501_cs.c
++++ b/drivers/net/wireless/wl3501_cs.c
+@@ -468,6 +468,7 @@ static int wl3501_send_pkt(struct wl3501_card *this, u8 *data, u16 len)
+ struct wl3501_md_req sig = {
+ .sig_id = WL3501_SIG_MD_REQ,
+ };
++ size_t sig_addr_len = sizeof(sig.addr);
+ u8 *pdata = (char *)data;
+ int rc = -EIO;
+
+@@ -483,9 +484,9 @@ static int wl3501_send_pkt(struct wl3501_card *this, u8 *data, u16 len)
+ goto out;
+ }
+ rc = 0;
+- memcpy(&sig.daddr[0], pdata, 12);
+- pktlen = len - 12;
+- pdata += 12;
++ memcpy(&sig.addr, pdata, sig_addr_len);
++ pktlen = len - sig_addr_len;
++ pdata += sig_addr_len;
+ sig.data = bf;
+ if (((*pdata) * 256 + (*(pdata + 1))) > 1500) {
+ u8 addr4[ETH_ALEN] = {
+@@ -979,7 +980,8 @@ static inline void wl3501_md_ind_interrupt(struct net_device *dev,
+ } else {
+ skb->dev = dev;
+ skb_reserve(skb, 2); /* IP headers on 16 bytes boundaries */
+- skb_copy_to_linear_data(skb, (unsigned char *)&sig.daddr, 12);
++ skb_copy_to_linear_data(skb, (unsigned char *)&sig.addr,
++ sizeof(sig.addr));
+ wl3501_receive(this, skb->data, pkt_len);
+ skb_put(skb, pkt_len);
+ skb->protocol = eth_type_trans(skb, dev);
+--
+2.30.2
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
