--- /dev/null
+From d0344cab11a2b5ee82ae6737d064f0c12a8d22af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Sep 2020 06:38:07 -0700
+Subject: bonding: set dev->needed_headroom in bond_setup_by_slave()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit f32f19339596b214c208c0dba716f4b6cc4f6958 ]
+
+syzbot managed to crash a host by creating a bond
+with a GRE device.
+
+For non Ethernet device, bonding calls bond_setup_by_slave()
+instead of ether_setup(), and unfortunately dev->needed_headroom
+was not copied from the new added member.
+
+[ 171.243095] skbuff: skb_under_panic: text:ffffffffa184b9ea len:116 put:20 head:ffff883f84012dc0 data:ffff883f84012dbc tail:0x70 end:0xd00 dev:bond0
+[ 171.243111] ------------[ cut here ]------------
+[ 171.243112] kernel BUG at net/core/skbuff.c:112!
+[ 171.243117] invalid opcode: 0000 [#1] SMP KASAN PTI
+[ 171.243469] gsmi: Log Shutdown Reason 0x03
+[ 171.243505] Call Trace:
+[ 171.243506] <IRQ>
+[ 171.243512] [<ffffffffa171be59>] skb_push+0x49/0x50
+[ 171.243516] [<ffffffffa184b9ea>] ipgre_header+0x2a/0xf0
+[ 171.243520] [<ffffffffa17452d7>] neigh_connected_output+0xb7/0x100
+[ 171.243524] [<ffffffffa186f1d3>] ip6_finish_output2+0x383/0x490
+[ 171.243528] [<ffffffffa186ede2>] __ip6_finish_output+0xa2/0x110
+[ 171.243531] [<ffffffffa186acbc>] ip6_finish_output+0x2c/0xa0
+[ 171.243534] [<ffffffffa186abe9>] ip6_output+0x69/0x110
+[ 171.243537] [<ffffffffa186ac90>] ? ip6_output+0x110/0x110
+[ 171.243541] [<ffffffffa189d952>] mld_sendpack+0x1b2/0x2d0
+[ 171.243544] [<ffffffffa189d290>] ? mld_send_report+0xf0/0xf0
+[ 171.243548] [<ffffffffa189c797>] mld_ifc_timer_expire+0x2d7/0x3b0
+[ 171.243551] [<ffffffffa189c4c0>] ? mld_gq_timer_expire+0x50/0x50
+[ 171.243556] [<ffffffffa0fea270>] call_timer_fn+0x30/0x130
+[ 171.243559] [<ffffffffa0fea17c>] expire_timers+0x4c/0x110
+[ 171.243563] [<ffffffffa0fea0e3>] __run_timers+0x213/0x260
+[ 171.243566] [<ffffffffa0fecb7d>] ? ktime_get+0x3d/0xa0
+[ 171.243570] [<ffffffffa0ff9c4e>] ? clockevents_program_event+0x7e/0xe0
+[ 171.243574] [<ffffffffa0f7e5d5>] ? sched_clock_cpu+0x15/0x190
+[ 171.243577] [<ffffffffa0fe973d>] run_timer_softirq+0x1d/0x40
+[ 171.243581] [<ffffffffa1c00152>] __do_softirq+0x152/0x2f0
+[ 171.243585] [<ffffffffa0f44e1f>] irq_exit+0x9f/0xb0
+[ 171.243588] [<ffffffffa1a02e1d>] smp_apic_timer_interrupt+0xfd/0x1a0
+[ 171.243591] [<ffffffffa1a01ea6>] apic_timer_interrupt+0x86/0x90
+
+Fixes: f5184d267c1a ("net: Allow netdevices to specify needed head/tailroom")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 0d7a173f8e61c..6862c2ef24424 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1148,6 +1148,7 @@ static void bond_setup_by_slave(struct net_device *bond_dev,
+
+ bond_dev->type = slave_dev->type;
+ bond_dev->hard_header_len = slave_dev->hard_header_len;
++ bond_dev->needed_headroom = slave_dev->needed_headroom;
+ bond_dev->addr_len = slave_dev->addr_len;
+
+ memcpy(bond_dev->broadcast, slave_dev->broadcast,
+--
+2.25.1
+
--- /dev/null
+From cc3a81f9e8cf3715aee1a9417fff87d8a0c1623d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Sep 2020 12:54:59 +0000
+Subject: iavf: Fix incorrect adapter get in iavf_resume
+
+From: Sylwester Dziedziuch <sylwesterx.dziedziuch@intel.com>
+
+[ Upstream commit 75598a8fc0e0dff2aa5d46c62531b36a595f1d4f ]
+
+When calling iavf_resume there was a crash because wrong
+function was used to get iavf_adapter and net_device pointers.
+Changed how iavf_resume is getting iavf_adapter and net_device
+pointers from pci_dev.
+
+Fixes: 5eae00c57f5e ("i40evf: main driver core")
+Signed-off-by: Sylwester Dziedziuch <sylwesterx.dziedziuch@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index bcb95b2ea792f..cd95d6af8fc1b 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -3813,8 +3813,8 @@ static int __maybe_unused iavf_suspend(struct device *dev_d)
+ static int __maybe_unused iavf_resume(struct device *dev_d)
+ {
+ struct pci_dev *pdev = to_pci_dev(dev_d);
+- struct iavf_adapter *adapter = pci_get_drvdata(pdev);
+- struct net_device *netdev = adapter->netdev;
++ struct net_device *netdev = pci_get_drvdata(pdev);
++ struct iavf_adapter *adapter = netdev_priv(netdev);
+ u32 err;
+
+ pci_set_master(pdev);
+--
+2.25.1
+
--- /dev/null
+From 7063761771cfe18d4fa83817475f2e62904c29f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jun 2020 14:59:39 +0530
+Subject: iavf: use generic power management
+
+From: Vaibhav Gupta <vaibhavgupta40@gmail.com>
+
+[ Upstream commit bc5cbd73eb493944b8665dc517f684c40eb18a4a ]
+
+With the support of generic PM callbacks, drivers no longer need to use
+legacy .suspend() and .resume() in which they had to maintain PCI states
+changes and device's power state themselves. The required operations are
+done by PCI core.
+
+PCI drivers are not expected to invoke PCI helper functions like
+pci_save/restore_state(), pci_enable/disable_device(),
+pci_set_power_state(), etc. Their tasks are completed by PCI core itself.
+
+Compile-tested only.
+
+Signed-off-by: Vaibhav Gupta <vaibhavgupta40@gmail.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 45 ++++++---------------
+ 1 file changed, 12 insertions(+), 33 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index 222ae76809aa1..bcb95b2ea792f 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -3773,7 +3773,6 @@ err_dma:
+ return err;
+ }
+
+-#ifdef CONFIG_PM
+ /**
+ * iavf_suspend - Power management suspend routine
+ * @pdev: PCI device information struct
+@@ -3781,11 +3780,10 @@ err_dma:
+ *
+ * Called when the system (VM) is entering sleep/suspend.
+ **/
+-static int iavf_suspend(struct pci_dev *pdev, pm_message_t state)
++static int __maybe_unused iavf_suspend(struct device *dev_d)
+ {
+- struct net_device *netdev = pci_get_drvdata(pdev);
++ struct net_device *netdev = dev_get_drvdata(dev_d);
+ struct iavf_adapter *adapter = netdev_priv(netdev);
+- int retval = 0;
+
+ netif_device_detach(netdev);
+
+@@ -3803,12 +3801,6 @@ static int iavf_suspend(struct pci_dev *pdev, pm_message_t state)
+
+ clear_bit(__IAVF_IN_CRITICAL_TASK, &adapter->crit_section);
+
+- retval = pci_save_state(pdev);
+- if (retval)
+- return retval;
+-
+- pci_disable_device(pdev);
+-
+ return 0;
+ }
+
+@@ -3818,24 +3810,13 @@ static int iavf_suspend(struct pci_dev *pdev, pm_message_t state)
+ *
+ * Called when the system (VM) is resumed from sleep/suspend.
+ **/
+-static int iavf_resume(struct pci_dev *pdev)
++static int __maybe_unused iavf_resume(struct device *dev_d)
+ {
++ struct pci_dev *pdev = to_pci_dev(dev_d);
+ struct iavf_adapter *adapter = pci_get_drvdata(pdev);
+ struct net_device *netdev = adapter->netdev;
+ u32 err;
+
+- pci_set_power_state(pdev, PCI_D0);
+- pci_restore_state(pdev);
+- /* pci_restore_state clears dev->state_saved so call
+- * pci_save_state to restore it.
+- */
+- pci_save_state(pdev);
+-
+- err = pci_enable_device_mem(pdev);
+- if (err) {
+- dev_err(&pdev->dev, "Cannot enable PCI device from suspend.\n");
+- return err;
+- }
+ pci_set_master(pdev);
+
+ rtnl_lock();
+@@ -3859,7 +3840,6 @@ static int iavf_resume(struct pci_dev *pdev)
+ return err;
+ }
+
+-#endif /* CONFIG_PM */
+ /**
+ * iavf_remove - Device Removal Routine
+ * @pdev: PCI device information struct
+@@ -3961,16 +3941,15 @@ static void iavf_remove(struct pci_dev *pdev)
+ pci_disable_device(pdev);
+ }
+
++static SIMPLE_DEV_PM_OPS(iavf_pm_ops, iavf_suspend, iavf_resume);
++
+ static struct pci_driver iavf_driver = {
+- .name = iavf_driver_name,
+- .id_table = iavf_pci_tbl,
+- .probe = iavf_probe,
+- .remove = iavf_remove,
+-#ifdef CONFIG_PM
+- .suspend = iavf_suspend,
+- .resume = iavf_resume,
+-#endif
+- .shutdown = iavf_shutdown,
++ .name = iavf_driver_name,
++ .id_table = iavf_pci_tbl,
++ .probe = iavf_probe,
++ .remove = iavf_remove,
++ .driver.pm = &iavf_pm_ops,
++ .shutdown = iavf_shutdown,
+ };
+
+ /**
+--
+2.25.1
+
--- /dev/null
+From d902934e24c4ed4d307e242274e822215266d866 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Sep 2020 21:33:43 -0700
+Subject: mdio: fix mdio-thunder.c dependency & build error
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 7dbbcf496f2a4b6d82cfc7810a0746e160b79762 ]
+
+Fix build error by selecting MDIO_DEVRES for MDIO_THUNDER.
+Fixes this build error:
+
+ld: drivers/net/phy/mdio-thunder.o: in function `thunder_mdiobus_pci_probe':
+drivers/net/phy/mdio-thunder.c:78: undefined reference to `devm_mdiobus_alloc_size'
+
+Fixes: 379d7ac7ca31 ("phy: mdio-thunder: Add driver for Cavium Thunder SoC MDIO buses.")
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Cc: Andrew Lunn <andrew@lunn.ch>
+Cc: Heiner Kallweit <hkallweit1@gmail.com>
+Cc: netdev@vger.kernel.org
+Cc: David Daney <david.daney@cavium.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/phy/Kconfig b/drivers/net/phy/Kconfig
+index fe602648b99f5..dcf2051ef2c04 100644
+--- a/drivers/net/phy/Kconfig
++++ b/drivers/net/phy/Kconfig
+@@ -193,6 +193,7 @@ config MDIO_THUNDER
+ depends on 64BIT
+ depends on PCI
+ select MDIO_CAVIUM
++ select MDIO_DEVRES
+ help
+ This driver supports the MDIO interfaces found on Cavium
+ ThunderX SoCs when the MDIO bus device appears as a PCI
+--
+2.25.1
+
--- /dev/null
+From 5340445dddba8017547c048acd4da032ff270ddb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 27 Sep 2020 09:42:11 +0300
+Subject: mlxsw: spectrum_acl: Fix mlxsw_sp_acl_tcam_group_add()'s error path
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+[ Upstream commit 72865028582a678be1e05240e55d452e5c258eca ]
+
+If mlxsw_sp_acl_tcam_group_id_get() fails, the mutex initialized earlier
+is not destroyed.
+
+Fix this by initializing the mutex after calling the function. This is
+symmetric to mlxsw_sp_acl_tcam_group_del().
+
+Fixes: 5ec2ee28d27b ("mlxsw: spectrum_acl: Introduce a mutex to guard region list updates")
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c
+index 295b27112d367..ec0d5a4a60a98 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c
+@@ -290,13 +290,14 @@ mlxsw_sp_acl_tcam_group_add(struct mlxsw_sp_acl_tcam *tcam,
+ int err;
+
+ group->tcam = tcam;
+- mutex_init(&group->lock);
+ INIT_LIST_HEAD(&group->region_list);
+
+ err = mlxsw_sp_acl_tcam_group_id_get(tcam, &group->id);
+ if (err)
+ return err;
+
++ mutex_init(&group->lock);
++
+ return 0;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From b639a8e20348dd68435035d6fff9c7bdc6d424bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Oct 2020 09:38:52 +0800
+Subject: mmc: core: don't set limits.discard_granularity as 0
+
+From: Coly Li <colyli@suse.de>
+
+[ Upstream commit 4243219141b67d7c2fdb2d8073c17c539b9263eb ]
+
+In mmc_queue_setup_discard() the mmc driver queue's discard_granularity
+might be set as 0 (when card->pref_erase > max_discard) while the mmc
+device still declares to support discard operation. This is buggy and
+triggered the following kernel warning message,
+
+WARNING: CPU: 0 PID: 135 at __blkdev_issue_discard+0x200/0x294
+CPU: 0 PID: 135 Comm: f2fs_discard-17 Not tainted 5.9.0-rc6 #1
+Hardware name: Google Kevin (DT)
+pstate: 00000005 (nzcv daif -PAN -UAO BTYPE=--)
+pc : __blkdev_issue_discard+0x200/0x294
+lr : __blkdev_issue_discard+0x54/0x294
+sp : ffff800011dd3b10
+x29: ffff800011dd3b10 x28: 0000000000000000 x27: ffff800011dd3cc4 x26: ffff800011dd3e18 x25: 000000000004e69b x24: 0000000000000c40 x23: ffff0000f1deaaf0 x22: ffff0000f2849200 x21: 00000000002734d8 x20: 0000000000000008 x19: 0000000000000000 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000394 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 00000000000008b0 x9 : ffff800011dd3cb0 x8 : 000000000004e69b x7 : 0000000000000000 x6 : ffff0000f1926400 x5 : ffff0000f1940800 x4 : 0000000000000000 x3 : 0000000000000c40 x2 : 0000000000000008 x1 : 00000000002734d8 x0 : 0000000000000000 Call trace:
+__blkdev_issue_discard+0x200/0x294
+__submit_discard_cmd+0x128/0x374
+__issue_discard_cmd_orderly+0x188/0x244
+__issue_discard_cmd+0x2e8/0x33c
+issue_discard_thread+0xe8/0x2f0
+kthread+0x11c/0x120
+ret_from_fork+0x10/0x1c
+---[ end trace e4c8023d33dfe77a ]---
+
+This patch fixes the issue by setting discard_granularity as SECTOR_SIZE
+instead of 0 when (card->pref_erase > max_discard) is true. Now no more
+complain from __blkdev_issue_discard() for the improper value of discard
+granularity.
+
+This issue is exposed after commit b35fd7422c2f ("block: check queue's
+limits.discard_granularity in __blkdev_issue_discard()"), a "Fixes:" tag
+is also added for the commit to make sure people won't miss this patch
+after applying the change of __blkdev_issue_discard().
+
+Fixes: e056a1b5b67b ("mmc: queue: let host controllers specify maximum discard timeout")
+Fixes: b35fd7422c2f ("block: check queue's limits.discard_granularity in __blkdev_issue_discard()").
+Reported-and-tested-by: Vicente Bergas <vicencb@gmail.com>
+Signed-off-by: Coly Li <colyli@suse.de>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Ulf Hansson <ulf.hansson@linaro.org>
+Link: https://lore.kernel.org/r/20201002013852.51968-1-colyli@suse.de
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/core/queue.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mmc/core/queue.c b/drivers/mmc/core/queue.c
+index 9c0ccb3744c28..81b8d5ede484e 100644
+--- a/drivers/mmc/core/queue.c
++++ b/drivers/mmc/core/queue.c
+@@ -184,7 +184,7 @@ static void mmc_queue_setup_discard(struct request_queue *q,
+ q->limits.discard_granularity = card->pref_erase << 9;
+ /* granularity must not be greater than max. discard */
+ if (card->pref_erase > max_discard)
+- q->limits.discard_granularity = 0;
++ q->limits.discard_granularity = SECTOR_SIZE;
+ if (mmc_can_secure_erase_trim(card))
+ blk_queue_flag_set(QUEUE_FLAG_SECERASE, q);
+ }
+--
+2.25.1
+
--- /dev/null
+From cd1098b34cadf6c739fd24c88e18cb95e7a6838d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Sep 2020 15:44:39 +0300
+Subject: net: ethernet: cavium: octeon_mgmt: use phy_start and phy_stop
+
+From: Ivan Khoronzhuk <ivan.khoronzhuk@gmail.com>
+
+[ Upstream commit 4663ff60257aec4ee1e2e969a7c046f0aff35ab8 ]
+
+To start also "phy state machine", with UP state as it should be,
+the phy_start() has to be used, in another case machine even is not
+triggered. After this change negotiation is supposed to be triggered
+by SM workqueue.
+
+It's not correct usage, but it appears after the following patch,
+so add it as a fix.
+
+Fixes: 74a992b3598a ("net: phy: add phy_check_link_status")
+Signed-off-by: Ivan Khoronzhuk <ikhoronz@cisco.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cavium/octeon/octeon_mgmt.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/cavium/octeon/octeon_mgmt.c b/drivers/net/ethernet/cavium/octeon/octeon_mgmt.c
+index d375e438d8054..4fa9d485e2096 100644
+--- a/drivers/net/ethernet/cavium/octeon/octeon_mgmt.c
++++ b/drivers/net/ethernet/cavium/octeon/octeon_mgmt.c
+@@ -1222,7 +1222,7 @@ static int octeon_mgmt_open(struct net_device *netdev)
+ */
+ if (netdev->phydev) {
+ netif_carrier_off(netdev);
+- phy_start_aneg(netdev->phydev);
++ phy_start(netdev->phydev);
+ }
+
+ netif_wake_queue(netdev);
+@@ -1250,8 +1250,10 @@ static int octeon_mgmt_stop(struct net_device *netdev)
+ napi_disable(&p->napi);
+ netif_stop_queue(netdev);
+
+- if (netdev->phydev)
++ if (netdev->phydev) {
++ phy_stop(netdev->phydev);
+ phy_disconnect(netdev->phydev);
++ }
+
+ netif_carrier_off(netdev);
+
+--
+2.25.1
+
--- /dev/null
+From a6d6ca10c490986fad330be9cdd4bf6910463137 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Aug 2020 10:40:21 +0300
+Subject: net/mlx5: Avoid possible free of command entry while timeout comp
+ handler
+
+From: Eran Ben Elisha <eranbe@mellanox.com>
+
+[ Upstream commit 50b2412b7e7862c5af0cbf4b10d93bc5c712d021 ]
+
+Upon command completion timeout, driver simulates a forced command
+completion. In a rare case where real interrupt for that command arrives
+simultaneously, it might release the command entry while the forced
+handler might still access it.
+
+Fix that by adding an entry refcount, to track current amount of allowed
+handlers. Command entry to be released only when this refcount is
+decremented to zero.
+
+Command refcount is always initialized to one. For callback commands,
+command completion handler is the symmetric flow to decrement it. For
+non-callback commands, it is wait_func().
+
+Before ringing the doorbell, increment the refcount for the real completion
+handler. Once the real completion handler is called, it will decrement it.
+
+For callback commands, once the delayed work is scheduled, increment the
+refcount. Upon callback command completion handler, we will try to cancel
+the timeout callback. In case of success, we need to decrement the callback
+refcount as it will never run.
+
+In addition, gather the entry index free and the entry free into a one
+flow for all command types release.
+
+Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
+Signed-off-by: Eran Ben Elisha <eranbe@mellanox.com>
+Reviewed-by: Moshe Shemesh <moshe@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 109 ++++++++++++------
+ include/linux/mlx5/driver.h | 2 +
+ 2 files changed, 73 insertions(+), 38 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+index b6a3370068f1c..7089ffcc4e512 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+@@ -69,12 +69,10 @@ enum {
+ MLX5_CMD_DELIVERY_STAT_CMD_DESCR_ERR = 0x10,
+ };
+
+-static struct mlx5_cmd_work_ent *alloc_cmd(struct mlx5_cmd *cmd,
+- struct mlx5_cmd_msg *in,
+- struct mlx5_cmd_msg *out,
+- void *uout, int uout_size,
+- mlx5_cmd_cbk_t cbk,
+- void *context, int page_queue)
++static struct mlx5_cmd_work_ent *
++cmd_alloc_ent(struct mlx5_cmd *cmd, struct mlx5_cmd_msg *in,
++ struct mlx5_cmd_msg *out, void *uout, int uout_size,
++ mlx5_cmd_cbk_t cbk, void *context, int page_queue)
+ {
+ gfp_t alloc_flags = cbk ? GFP_ATOMIC : GFP_KERNEL;
+ struct mlx5_cmd_work_ent *ent;
+@@ -83,6 +81,7 @@ static struct mlx5_cmd_work_ent *alloc_cmd(struct mlx5_cmd *cmd,
+ if (!ent)
+ return ERR_PTR(-ENOMEM);
+
++ ent->idx = -EINVAL;
+ ent->in = in;
+ ent->out = out;
+ ent->uout = uout;
+@@ -91,10 +90,16 @@ static struct mlx5_cmd_work_ent *alloc_cmd(struct mlx5_cmd *cmd,
+ ent->context = context;
+ ent->cmd = cmd;
+ ent->page_queue = page_queue;
++ refcount_set(&ent->refcnt, 1);
+
+ return ent;
+ }
+
++static void cmd_free_ent(struct mlx5_cmd_work_ent *ent)
++{
++ kfree(ent);
++}
++
+ static u8 alloc_token(struct mlx5_cmd *cmd)
+ {
+ u8 token;
+@@ -109,7 +114,7 @@ static u8 alloc_token(struct mlx5_cmd *cmd)
+ return token;
+ }
+
+-static int alloc_ent(struct mlx5_cmd *cmd)
++static int cmd_alloc_index(struct mlx5_cmd *cmd)
+ {
+ unsigned long flags;
+ int ret;
+@@ -123,7 +128,7 @@ static int alloc_ent(struct mlx5_cmd *cmd)
+ return ret < cmd->max_reg_cmds ? ret : -ENOMEM;
+ }
+
+-static void free_ent(struct mlx5_cmd *cmd, int idx)
++static void cmd_free_index(struct mlx5_cmd *cmd, int idx)
+ {
+ unsigned long flags;
+
+@@ -132,6 +137,22 @@ static void free_ent(struct mlx5_cmd *cmd, int idx)
+ spin_unlock_irqrestore(&cmd->alloc_lock, flags);
+ }
+
++static void cmd_ent_get(struct mlx5_cmd_work_ent *ent)
++{
++ refcount_inc(&ent->refcnt);
++}
++
++static void cmd_ent_put(struct mlx5_cmd_work_ent *ent)
++{
++ if (!refcount_dec_and_test(&ent->refcnt))
++ return;
++
++ if (ent->idx >= 0)
++ cmd_free_index(ent->cmd, ent->idx);
++
++ cmd_free_ent(ent);
++}
++
+ static struct mlx5_cmd_layout *get_inst(struct mlx5_cmd *cmd, int idx)
+ {
+ return cmd->cmd_buf + (idx << cmd->log_stride);
+@@ -219,11 +240,6 @@ static void poll_timeout(struct mlx5_cmd_work_ent *ent)
+ ent->ret = -ETIMEDOUT;
+ }
+
+-static void free_cmd(struct mlx5_cmd_work_ent *ent)
+-{
+- kfree(ent);
+-}
+-
+ static int verify_signature(struct mlx5_cmd_work_ent *ent)
+ {
+ struct mlx5_cmd_mailbox *next = ent->out->next;
+@@ -842,6 +858,7 @@ static void cb_timeout_handler(struct work_struct *work)
+ mlx5_command_str(msg_to_opcode(ent->in)),
+ msg_to_opcode(ent->in));
+ mlx5_cmd_comp_handler(dev, 1UL << ent->idx, true);
++ cmd_ent_put(ent); /* for the cmd_ent_get() took on schedule delayed work */
+ }
+
+ static void free_msg(struct mlx5_core_dev *dev, struct mlx5_cmd_msg *msg);
+@@ -865,14 +882,14 @@ static void cmd_work_handler(struct work_struct *work)
+ sem = ent->page_queue ? &cmd->pages_sem : &cmd->sem;
+ down(sem);
+ if (!ent->page_queue) {
+- alloc_ret = alloc_ent(cmd);
++ alloc_ret = cmd_alloc_index(cmd);
+ if (alloc_ret < 0) {
+ mlx5_core_err(dev, "failed to allocate command entry\n");
+ if (ent->callback) {
+ ent->callback(-EAGAIN, ent->context);
+ mlx5_free_cmd_msg(dev, ent->out);
+ free_msg(dev, ent->in);
+- free_cmd(ent);
++ cmd_ent_put(ent);
+ } else {
+ ent->ret = -EAGAIN;
+ complete(&ent->done);
+@@ -908,8 +925,8 @@ static void cmd_work_handler(struct work_struct *work)
+ ent->ts1 = ktime_get_ns();
+ cmd_mode = cmd->mode;
+
+- if (ent->callback)
+- schedule_delayed_work(&ent->cb_timeout_work, cb_timeout);
++ if (ent->callback && schedule_delayed_work(&ent->cb_timeout_work, cb_timeout))
++ cmd_ent_get(ent);
+ set_bit(MLX5_CMD_ENT_STATE_PENDING_COMP, &ent->state);
+
+ /* Skip sending command to fw if internal error */
+@@ -923,13 +940,10 @@ static void cmd_work_handler(struct work_struct *work)
+ MLX5_SET(mbox_out, ent->out, syndrome, drv_synd);
+
+ mlx5_cmd_comp_handler(dev, 1UL << ent->idx, true);
+- /* no doorbell, no need to keep the entry */
+- free_ent(cmd, ent->idx);
+- if (ent->callback)
+- free_cmd(ent);
+ return;
+ }
+
++ cmd_ent_get(ent); /* for the _real_ FW event on completion */
+ /* ring doorbell after the descriptor is valid */
+ mlx5_core_dbg(dev, "writing 0x%x to command doorbell\n", 1 << ent->idx);
+ wmb();
+@@ -1029,11 +1043,16 @@ static int mlx5_cmd_invoke(struct mlx5_core_dev *dev, struct mlx5_cmd_msg *in,
+ if (callback && page_queue)
+ return -EINVAL;
+
+- ent = alloc_cmd(cmd, in, out, uout, uout_size, callback, context,
+- page_queue);
++ ent = cmd_alloc_ent(cmd, in, out, uout, uout_size,
++ callback, context, page_queue);
+ if (IS_ERR(ent))
+ return PTR_ERR(ent);
+
++ /* put for this ent is when consumed, depending on the use case
++ * 1) (!callback) blocking flow: by caller after wait_func completes
++ * 2) (callback) flow: by mlx5_cmd_comp_handler() when ent is handled
++ */
++
+ ent->token = token;
+ ent->polling = force_polling;
+
+@@ -1052,12 +1071,10 @@ static int mlx5_cmd_invoke(struct mlx5_core_dev *dev, struct mlx5_cmd_msg *in,
+ }
+
+ if (callback)
+- goto out;
++ goto out; /* mlx5_cmd_comp_handler() will put(ent) */
+
+ err = wait_func(dev, ent);
+- if (err == -ETIMEDOUT)
+- goto out;
+- if (err == -ECANCELED)
++ if (err == -ETIMEDOUT || err == -ECANCELED)
+ goto out_free;
+
+ ds = ent->ts2 - ent->ts1;
+@@ -1075,7 +1092,7 @@ static int mlx5_cmd_invoke(struct mlx5_core_dev *dev, struct mlx5_cmd_msg *in,
+ *status = ent->status;
+
+ out_free:
+- free_cmd(ent);
++ cmd_ent_put(ent);
+ out:
+ return err;
+ }
+@@ -1490,14 +1507,19 @@ static void mlx5_cmd_comp_handler(struct mlx5_core_dev *dev, u64 vec, bool force
+ if (!forced) {
+ mlx5_core_err(dev, "Command completion arrived after timeout (entry idx = %d).\n",
+ ent->idx);
+- free_ent(cmd, ent->idx);
+- free_cmd(ent);
++ cmd_ent_put(ent);
+ }
+ continue;
+ }
+
+- if (ent->callback)
+- cancel_delayed_work(&ent->cb_timeout_work);
++ if (ent->callback && cancel_delayed_work(&ent->cb_timeout_work))
++ cmd_ent_put(ent); /* timeout work was canceled */
++
++ if (!forced || /* Real FW completion */
++ pci_channel_offline(dev->pdev) || /* FW is inaccessible */
++ dev->state == MLX5_DEVICE_STATE_INTERNAL_ERROR)
++ cmd_ent_put(ent);
++
+ if (ent->page_queue)
+ sem = &cmd->pages_sem;
+ else
+@@ -1519,10 +1541,6 @@ static void mlx5_cmd_comp_handler(struct mlx5_core_dev *dev, u64 vec, bool force
+ ent->ret, deliv_status_to_str(ent->status), ent->status);
+ }
+
+- /* only real completion will free the entry slot */
+- if (!forced)
+- free_ent(cmd, ent->idx);
+-
+ if (ent->callback) {
+ ds = ent->ts2 - ent->ts1;
+ if (ent->op < ARRAY_SIZE(cmd->stats)) {
+@@ -1550,10 +1568,13 @@ static void mlx5_cmd_comp_handler(struct mlx5_core_dev *dev, u64 vec, bool force
+ free_msg(dev, ent->in);
+
+ err = err ? err : ent->status;
+- if (!forced)
+- free_cmd(ent);
++ /* final consumer is done, release ent */
++ cmd_ent_put(ent);
+ callback(err, context);
+ } else {
++ /* release wait_func() so mlx5_cmd_invoke()
++ * can make the final ent_put()
++ */
+ complete(&ent->done);
+ }
+ up(sem);
+@@ -1563,8 +1584,11 @@ static void mlx5_cmd_comp_handler(struct mlx5_core_dev *dev, u64 vec, bool force
+
+ void mlx5_cmd_trigger_completions(struct mlx5_core_dev *dev)
+ {
++ struct mlx5_cmd *cmd = &dev->cmd;
++ unsigned long bitmask;
+ unsigned long flags;
+ u64 vector;
++ int i;
+
+ /* wait for pending handlers to complete */
+ mlx5_eq_synchronize_cmd_irq(dev);
+@@ -1573,11 +1597,20 @@ void mlx5_cmd_trigger_completions(struct mlx5_core_dev *dev)
+ if (!vector)
+ goto no_trig;
+
++ bitmask = vector;
++ /* we must increment the allocated entries refcount before triggering the completions
++ * to guarantee pending commands will not get freed in the meanwhile.
++ * For that reason, it also has to be done inside the alloc_lock.
++ */
++ for_each_set_bit(i, &bitmask, (1 << cmd->log_sz))
++ cmd_ent_get(cmd->ent_arr[i]);
+ vector |= MLX5_TRIGGERED_CMD_COMP;
+ spin_unlock_irqrestore(&dev->cmd.alloc_lock, flags);
+
+ mlx5_core_dbg(dev, "vector 0x%llx\n", vector);
+ mlx5_cmd_comp_handler(dev, vector, true);
++ for_each_set_bit(i, &bitmask, (1 << cmd->log_sz))
++ cmd_ent_put(cmd->ent_arr[i]);
+ return;
+
+ no_trig:
+diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h
+index 897829651204b..6b4f86dfca382 100644
+--- a/include/linux/mlx5/driver.h
++++ b/include/linux/mlx5/driver.h
+@@ -769,6 +769,8 @@ struct mlx5_cmd_work_ent {
+ u64 ts2;
+ u16 op;
+ bool polling;
++ /* Track the max comp handlers */
++ refcount_t refcnt;
+ };
+
+ struct mlx5_pas {
+--
+2.25.1
+
--- /dev/null
+From 6fe832bede36e40431d79c0ba29ae8712b76b88e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 Aug 2020 21:37:31 +0300
+Subject: net/mlx5: Fix request_irqs error flow
+
+From: Maor Gottlieb <maorg@nvidia.com>
+
+[ Upstream commit 732ebfab7fe96b7ac9a3df3208f14752a4bb6db3 ]
+
+Fix error flow handling in request_irqs which try to free irq
+that we failed to request.
+It fixes the below trace.
+
+WARNING: CPU: 1 PID: 7587 at kernel/irq/manage.c:1684 free_irq+0x4d/0x60
+CPU: 1 PID: 7587 Comm: bash Tainted: G W OE 4.15.15-1.el7MELLANOXsmp-x86_64 #1
+Hardware name: Advantech SKY-6200/SKY-6200, BIOS F2.00 08/06/2020
+RIP: 0010:free_irq+0x4d/0x60
+RSP: 0018:ffffc9000ef47af0 EFLAGS: 00010282
+RAX: ffff88001476ae00 RBX: 0000000000000655 RCX: 0000000000000000
+RDX: ffff88001476ae00 RSI: ffffc9000ef47ab8 RDI: ffff8800398bb478
+RBP: ffff88001476a838 R08: ffff88001476ae00 R09: 000000000000156d
+R10: 0000000000000000 R11: 0000000000000004 R12: ffff88001476a838
+R13: 0000000000000006 R14: ffff88001476a888 R15: 00000000ffffffe4
+FS: 00007efeadd32740(0000) GS:ffff88047fc40000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007fc9cc010008 CR3: 00000001a2380004 CR4: 00000000007606e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+PKRU: 55555554
+Call Trace:
+ mlx5_irq_table_create+0x38d/0x400 [mlx5_core]
+ ? atomic_notifier_chain_register+0x50/0x60
+ mlx5_load_one+0x7ee/0x1130 [mlx5_core]
+ init_one+0x4c9/0x650 [mlx5_core]
+ pci_device_probe+0xb8/0x120
+ driver_probe_device+0x2a1/0x470
+ ? driver_allows_async_probing+0x30/0x30
+ bus_for_each_drv+0x54/0x80
+ __device_attach+0xa3/0x100
+ pci_bus_add_device+0x4a/0x90
+ pci_iov_add_virtfn+0x2dc/0x2f0
+ pci_enable_sriov+0x32e/0x420
+ mlx5_core_sriov_configure+0x61/0x1b0 [mlx5_core]
+ ? kstrtoll+0x22/0x70
+ num_vf_store+0x4b/0x70 [mlx5_core]
+ kernfs_fop_write+0x102/0x180
+ __vfs_write+0x26/0x140
+ ? rcu_all_qs+0x5/0x80
+ ? _cond_resched+0x15/0x30
+ ? __sb_start_write+0x41/0x80
+ vfs_write+0xad/0x1a0
+ SyS_write+0x42/0x90
+ do_syscall_64+0x60/0x110
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+
+Fixes: 24163189da48 ("net/mlx5: Separate IRQ request/free from EQ life cycle")
+Signed-off-by: Maor Gottlieb <maorg@nvidia.com>
+Reviewed-by: Eran Ben Elisha <eranbe@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c b/drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c
+index 373981a659c7c..6fd9749203944 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c
+@@ -115,7 +115,7 @@ static int request_irqs(struct mlx5_core_dev *dev, int nvec)
+ return 0;
+
+ err_request_irq:
+- for (; i >= 0; i--) {
++ while (i--) {
+ struct mlx5_irq *irq = mlx5_irq_get(dev, i);
+ int irqn = pci_irq_vector(dev->pdev, i);
+
+--
+2.25.1
+
--- /dev/null
+From 18cc0f9662d871b469c0e7ea6605bb62ec2097fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Jul 2020 16:53:18 +0300
+Subject: net/mlx5e: Add resiliency in Striding RQ mode for packets larger than
+ MTU
+
+From: Aya Levin <ayal@mellanox.com>
+
+[ Upstream commit c3c9402373fe20e2d08c04f437ce4dcd252cffb2 ]
+
+Prior to this fix, in Striding RQ mode the driver was vulnerable when
+receiving packets in the range (stride size - headroom, stride size].
+Where stride size is calculated by mtu+headroom+tailroom aligned to the
+closest power of 2.
+Usually, this filtering is performed by the HW, except for a few cases:
+- Between 2 VFs over the same PF with different MTUs
+- On bluefield, when the host physical function sets a larger MTU than
+ the ARM has configured on its representor and uplink representor.
+
+When the HW filtering is not present, packets that are larger than MTU
+might be harmful for the RQ's integrity, in the following impacts:
+1) Overflow from one WQE to the next, causing a memory corruption that
+in most cases is unharmful: as the write happens to the headroom of next
+packet, which will be overwritten by build_skb(). In very rare cases,
+high stress/load, this is harmful. When the next WQE is not yet reposted
+and points to existing SKB head.
+2) Each oversize packet overflows to the headroom of the next WQE. On
+the last WQE of the WQ, where addresses wrap-around, the address of the
+remainder headroom does not belong to the next WQE, but it is out of the
+memory region range. This results in a HW CQE error that moves the RQ
+into an error state.
+
+Solution:
+Add a page buffer at the end of each WQE to absorb the leak. Actually
+the maximal overflow size is headroom but since all memory units must be
+of the same size, we use page size to comply with UMR WQEs. The increase
+in memory consumption is of a single page per RQ. Initialize the mkey
+with all MTTs pointing to a default page. When the channels are
+activated, UMR WQEs will redirect the RX WQEs to the actual memory from
+the RQ's pool, while the overflow MTTs remain mapped to the default page.
+
+Fixes: 73281b78a37a ("net/mlx5e: Derive Striding RQ size from MTU")
+Signed-off-by: Aya Levin <ayal@mellanox.com>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en.h | 8 ++-
+ .../net/ethernet/mellanox/mlx5/core/en_main.c | 55 +++++++++++++++++--
+ 2 files changed, 58 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en.h b/drivers/net/ethernet/mellanox/mlx5/core/en.h
+index 98304c42e4952..b5c8afe8cd10d 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en.h
+@@ -92,7 +92,12 @@ struct page_pool;
+ #define MLX5_MPWRQ_PAGES_PER_WQE BIT(MLX5_MPWRQ_WQE_PAGE_ORDER)
+
+ #define MLX5_MTT_OCTW(npages) (ALIGN(npages, 8) / 2)
+-#define MLX5E_REQUIRED_WQE_MTTS (ALIGN(MLX5_MPWRQ_PAGES_PER_WQE, 8))
++/* Add another page to MLX5E_REQUIRED_WQE_MTTS as a buffer between
++ * WQEs, This page will absorb write overflow by the hardware, when
++ * receiving packets larger than MTU. These oversize packets are
++ * dropped by the driver at a later stage.
++ */
++#define MLX5E_REQUIRED_WQE_MTTS (ALIGN(MLX5_MPWRQ_PAGES_PER_WQE + 1, 8))
+ #define MLX5E_LOG_ALIGNED_MPWQE_PPW (ilog2(MLX5E_REQUIRED_WQE_MTTS))
+ #define MLX5E_REQUIRED_MTTS(wqes) (wqes * MLX5E_REQUIRED_WQE_MTTS)
+ #define MLX5E_MAX_RQ_NUM_MTTS \
+@@ -694,6 +699,7 @@ struct mlx5e_rq {
+ u32 rqn;
+ struct mlx5_core_dev *mdev;
+ struct mlx5_core_mkey umr_mkey;
++ struct mlx5e_dma_info wqe_overflow;
+
+ /* XDP read-mostly */
+ struct xdp_rxq_info xdp_rxq;
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index ee0d78f801af5..fc710648d2ef3 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -266,12 +266,17 @@ static int mlx5e_rq_alloc_mpwqe_info(struct mlx5e_rq *rq,
+
+ static int mlx5e_create_umr_mkey(struct mlx5_core_dev *mdev,
+ u64 npages, u8 page_shift,
+- struct mlx5_core_mkey *umr_mkey)
++ struct mlx5_core_mkey *umr_mkey,
++ dma_addr_t filler_addr)
+ {
+- int inlen = MLX5_ST_SZ_BYTES(create_mkey_in);
++ struct mlx5_mtt *mtt;
++ int inlen;
+ void *mkc;
+ u32 *in;
+ int err;
++ int i;
++
++ inlen = MLX5_ST_SZ_BYTES(create_mkey_in) + sizeof(*mtt) * npages;
+
+ in = kvzalloc(inlen, GFP_KERNEL);
+ if (!in)
+@@ -291,6 +296,18 @@ static int mlx5e_create_umr_mkey(struct mlx5_core_dev *mdev,
+ MLX5_SET(mkc, mkc, translations_octword_size,
+ MLX5_MTT_OCTW(npages));
+ MLX5_SET(mkc, mkc, log_page_size, page_shift);
++ MLX5_SET(create_mkey_in, in, translations_octword_actual_size,
++ MLX5_MTT_OCTW(npages));
++
++ /* Initialize the mkey with all MTTs pointing to a default
++ * page (filler_addr). When the channels are activated, UMR
++ * WQEs will redirect the RX WQEs to the actual memory from
++ * the RQ's pool, while the gaps (wqe_overflow) remain mapped
++ * to the default page.
++ */
++ mtt = MLX5_ADDR_OF(create_mkey_in, in, klm_pas_mtt);
++ for (i = 0 ; i < npages ; i++)
++ mtt[i].ptag = cpu_to_be64(filler_addr);
+
+ err = mlx5_core_create_mkey(mdev, umr_mkey, in, inlen);
+
+@@ -302,7 +319,8 @@ static int mlx5e_create_rq_umr_mkey(struct mlx5_core_dev *mdev, struct mlx5e_rq
+ {
+ u64 num_mtts = MLX5E_REQUIRED_MTTS(mlx5_wq_ll_get_size(&rq->mpwqe.wq));
+
+- return mlx5e_create_umr_mkey(mdev, num_mtts, PAGE_SHIFT, &rq->umr_mkey);
++ return mlx5e_create_umr_mkey(mdev, num_mtts, PAGE_SHIFT, &rq->umr_mkey,
++ rq->wqe_overflow.addr);
+ }
+
+ static inline u64 mlx5e_get_mpwqe_offset(struct mlx5e_rq *rq, u16 wqe_ix)
+@@ -370,6 +388,28 @@ static void mlx5e_rq_err_cqe_work(struct work_struct *recover_work)
+ mlx5e_reporter_rq_cqe_err(rq);
+ }
+
++static int mlx5e_alloc_mpwqe_rq_drop_page(struct mlx5e_rq *rq)
++{
++ rq->wqe_overflow.page = alloc_page(GFP_KERNEL);
++ if (!rq->wqe_overflow.page)
++ return -ENOMEM;
++
++ rq->wqe_overflow.addr = dma_map_page(rq->pdev, rq->wqe_overflow.page, 0,
++ PAGE_SIZE, rq->buff.map_dir);
++ if (dma_mapping_error(rq->pdev, rq->wqe_overflow.addr)) {
++ __free_page(rq->wqe_overflow.page);
++ return -ENOMEM;
++ }
++ return 0;
++}
++
++static void mlx5e_free_mpwqe_rq_drop_page(struct mlx5e_rq *rq)
++{
++ dma_unmap_page(rq->pdev, rq->wqe_overflow.addr, PAGE_SIZE,
++ rq->buff.map_dir);
++ __free_page(rq->wqe_overflow.page);
++}
++
+ static int mlx5e_alloc_rq(struct mlx5e_channel *c,
+ struct mlx5e_params *params,
+ struct mlx5e_xsk_param *xsk,
+@@ -434,6 +474,10 @@ static int mlx5e_alloc_rq(struct mlx5e_channel *c,
+ if (err)
+ goto err_rq_wq_destroy;
+
++ err = mlx5e_alloc_mpwqe_rq_drop_page(rq);
++ if (err)
++ goto err_rq_wq_destroy;
++
+ rq->mpwqe.wq.db = &rq->mpwqe.wq.db[MLX5_RCV_DBR];
+
+ wq_sz = mlx5_wq_ll_get_size(&rq->mpwqe.wq);
+@@ -474,7 +518,7 @@ static int mlx5e_alloc_rq(struct mlx5e_channel *c,
+
+ err = mlx5e_create_rq_umr_mkey(mdev, rq);
+ if (err)
+- goto err_rq_wq_destroy;
++ goto err_rq_drop_page;
+ rq->mkey_be = cpu_to_be32(rq->umr_mkey.key);
+
+ err = mlx5e_rq_alloc_mpwqe_info(rq, c);
+@@ -622,6 +666,8 @@ err_free:
+ case MLX5_WQ_TYPE_LINKED_LIST_STRIDING_RQ:
+ kvfree(rq->mpwqe.info);
+ mlx5_core_destroy_mkey(mdev, &rq->umr_mkey);
++err_rq_drop_page:
++ mlx5e_free_mpwqe_rq_drop_page(rq);
+ break;
+ default: /* MLX5_WQ_TYPE_CYCLIC */
+ kvfree(rq->wqe.frags);
+@@ -649,6 +695,7 @@ static void mlx5e_free_rq(struct mlx5e_rq *rq)
+ case MLX5_WQ_TYPE_LINKED_LIST_STRIDING_RQ:
+ kvfree(rq->mpwqe.info);
+ mlx5_core_destroy_mkey(rq->mdev, &rq->umr_mkey);
++ mlx5e_free_mpwqe_rq_drop_page(rq);
+ break;
+ default: /* MLX5_WQ_TYPE_CYCLIC */
+ kvfree(rq->wqe.frags);
+--
+2.25.1
+
--- /dev/null
+From 9c165c4d9a1dd1371666faa3ced60140d9b0a899 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Sep 2020 17:57:23 +0300
+Subject: net/mlx5e: Fix VLAN cleanup flow
+
+From: Aya Levin <ayal@nvidia.com>
+
+[ Upstream commit 8c7353b6f716436ad0bfda2b5c5524ab2dde5894 ]
+
+Prior to this patch unloading an interface in promiscuous mode with RX
+VLAN filtering feature turned off - resulted in a warning. This is due
+to a wrong condition in the VLAN rules cleanup flow, which left the
+any-vid rules in the VLAN steering table. These rules prevented
+destroying the flow group and the flow table.
+
+The any-vid rules are removed in 2 flows, but none of them remove it in
+case both promiscuous is set and VLAN filtering is off. Fix the issue by
+changing the condition of the VLAN table cleanup flow to clean also in
+case of promiscuous mode.
+
+mlx5_core 0000:00:08.0: mlx5_destroy_flow_group:2123:(pid 28729): Flow group 20 wasn't destroyed, refcount > 1
+mlx5_core 0000:00:08.0: mlx5_destroy_flow_group:2123:(pid 28729): Flow group 19 wasn't destroyed, refcount > 1
+mlx5_core 0000:00:08.0: mlx5_destroy_flow_table:2112:(pid 28729): Flow table 262149 wasn't destroyed, refcount > 1
+...
+...
+------------[ cut here ]------------
+FW pages counter is 11560 after reclaiming all pages
+WARNING: CPU: 1 PID: 28729 at
+drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c:660
+mlx5_reclaim_startup_pages+0x178/0x230 [mlx5_core]
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
+rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
+Call Trace:
+ mlx5_function_teardown+0x2f/0x90 [mlx5_core]
+ mlx5_unload_one+0x71/0x110 [mlx5_core]
+ remove_one+0x44/0x80 [mlx5_core]
+ pci_device_remove+0x3e/0xc0
+ device_release_driver_internal+0xfb/0x1c0
+ device_release_driver+0x12/0x20
+ pci_stop_bus_device+0x68/0x90
+ pci_stop_and_remove_bus_device+0x12/0x20
+ hv_eject_device_work+0x6f/0x170 [pci_hyperv]
+ ? __schedule+0x349/0x790
+ process_one_work+0x206/0x400
+ worker_thread+0x34/0x3f0
+ ? process_one_work+0x400/0x400
+ kthread+0x126/0x140
+ ? kthread_park+0x90/0x90
+ ret_from_fork+0x22/0x30
+ ---[ end trace 6283bde8d26170dc ]---
+
+Fixes: 9df30601c843 ("net/mlx5e: Restore vlan filter after seamless reset")
+Signed-off-by: Aya Levin <ayal@nvidia.com>
+Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_fs.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c b/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c
+index 73d3dc07331f1..c5be0cdfaf0fa 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c
+@@ -415,8 +415,12 @@ static void mlx5e_del_vlan_rules(struct mlx5e_priv *priv)
+ for_each_set_bit(i, priv->fs.vlan.active_svlans, VLAN_N_VID)
+ mlx5e_del_vlan_rule(priv, MLX5E_VLAN_RULE_TYPE_MATCH_STAG_VID, i);
+
+- if (priv->fs.vlan.cvlan_filter_disabled &&
+- !(priv->netdev->flags & IFF_PROMISC))
++ WARN_ON_ONCE(!(test_bit(MLX5E_STATE_DESTROYING, &priv->state)));
++
++ /* must be called after DESTROY bit is set and
++ * set_rx_mode is called and flushed
++ */
++ if (priv->fs.vlan.cvlan_filter_disabled)
+ mlx5e_del_any_vid_rules(priv);
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 49d4353e393b9158195c8d270fd814be57e9c3a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Sep 2020 18:05:40 +0300
+Subject: net/mlx5e: Fix VLAN create flow
+
+From: Aya Levin <ayal@nvidia.com>
+
+[ Upstream commit d4a16052bccdd695982f89d815ca075825115821 ]
+
+When interface is attached while in promiscuous mode and with VLAN
+filtering turned off, both configurations are not respected and VLAN
+filtering is performed.
+There are 2 flows which add the any-vid rules during interface attach:
+VLAN creation table and set rx mode. Each is relaying on the other to
+add any-vid rules, eventually non of them does.
+
+Fix this by adding any-vid rules on VLAN creation regardless of
+promiscuous mode.
+
+Fixes: 9df30601c843 ("net/mlx5e: Restore vlan filter after seamless reset")
+Signed-off-by: Aya Levin <ayal@nvidia.com>
+Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_fs.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c b/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c
+index c5be0cdfaf0fa..713dc210f710c 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c
+@@ -217,6 +217,9 @@ static int __mlx5e_add_vlan_rule(struct mlx5e_priv *priv,
+ break;
+ }
+
++ if (WARN_ONCE(*rule_p, "VLAN rule already exists type %d", rule_type))
++ return 0;
++
+ *rule_p = mlx5_add_flow_rules(ft, spec, &flow_act, &dest, 1);
+
+ if (IS_ERR(*rule_p)) {
+@@ -397,8 +400,7 @@ static void mlx5e_add_vlan_rules(struct mlx5e_priv *priv)
+ for_each_set_bit(i, priv->fs.vlan.active_svlans, VLAN_N_VID)
+ mlx5e_add_vlan_rule(priv, MLX5E_VLAN_RULE_TYPE_MATCH_STAG_VID, i);
+
+- if (priv->fs.vlan.cvlan_filter_disabled &&
+- !(priv->netdev->flags & IFF_PROMISC))
++ if (priv->fs.vlan.cvlan_filter_disabled)
+ mlx5e_add_any_vid_rules(priv);
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 9b6fb670f840e832e3f7df42a03c20fc887e8e96 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Sep 2020 16:56:14 +0800
+Subject: net: stmmac: removed enabling eee in EEE set callback
+
+From: Voon Weifeng <weifeng.voon@intel.com>
+
+[ Upstream commit 7241c5a697479c7d0c5a96595822cdab750d41ae ]
+
+EEE should be only be enabled during stmmac_mac_link_up() when the
+link are up and being set up properly. set_eee should only do settings
+configuration and disabling the eee.
+
+Without this fix, turning on EEE using ethtool will return
+"Operation not supported". This is due to the driver is in a dead loop
+waiting for eee to be advertised in the for eee to be activated but the
+driver will only configure the EEE advertisement after the eee is
+activated.
+
+Ethtool should only return "Operation not supported" if there is no EEE
+capbility in the MAC controller.
+
+Fixes: 8a7493e58ad6 ("net: stmmac: Fix a race in EEE enable callback")
+Signed-off-by: Voon Weifeng <weifeng.voon@intel.com>
+Acked-by: Mark Gross <mgross@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/stmicro/stmmac/stmmac_ethtool.c | 15 ++++-----------
+ 1 file changed, 4 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
+index 1a768837ca728..ce1346c14b05a 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
+@@ -662,23 +662,16 @@ static int stmmac_ethtool_op_set_eee(struct net_device *dev,
+ struct stmmac_priv *priv = netdev_priv(dev);
+ int ret;
+
+- if (!edata->eee_enabled) {
++ if (!priv->dma_cap.eee)
++ return -EOPNOTSUPP;
++
++ if (!edata->eee_enabled)
+ stmmac_disable_eee_mode(priv);
+- } else {
+- /* We are asking for enabling the EEE but it is safe
+- * to verify all by invoking the eee_init function.
+- * In case of failure it will return an error.
+- */
+- edata->eee_enabled = stmmac_eee_init(priv);
+- if (!edata->eee_enabled)
+- return -EOPNOTSUPP;
+- }
+
+ ret = phylink_ethtool_set_eee(priv->phylink, edata);
+ if (ret)
+ return ret;
+
+- priv->eee_enabled = edata->eee_enabled;
+ priv->tx_lpi_timer = edata->tx_lpi_timer;
+ return 0;
+ }
+--
+2.25.1
+
--- /dev/null
+From cf2ff975222d9d98611bf59d39b301ea8cf9b69a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Sep 2020 11:01:04 +0200
+Subject: net: usb: ax88179_178a: fix missing stop entry in driver_info
+
+From: Wilken Gottwalt <wilken.gottwalt@mailbox.org>
+
+[ Upstream commit 9666ea66a74adfe295cb3a8760c76e1ef70f9caf ]
+
+Adds the missing .stop entry in the Belkin driver_info structure.
+
+Fixes: e20bd60bf62a ("net: usb: asix88179_178a: Add support for the Belkin B2B128")
+Signed-off-by: Wilken Gottwalt <wilken.gottwalt@mailbox.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/ax88179_178a.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/usb/ax88179_178a.c b/drivers/net/usb/ax88179_178a.c
+index df2f7cc6dc03a..8e37e1f58c4b9 100644
+--- a/drivers/net/usb/ax88179_178a.c
++++ b/drivers/net/usb/ax88179_178a.c
+@@ -1719,6 +1719,7 @@ static const struct driver_info belkin_info = {
+ .status = ax88179_status,
+ .link_reset = ax88179_link_reset,
+ .reset = ax88179_reset,
++ .stop = ax88179_stop,
+ .flags = FLAG_ETHER | FLAG_FRAMING_AX,
+ .rx_fixup = ax88179_rx_fixup,
+ .tx_fixup = ax88179_tx_fixup,
+--
+2.25.1
+
--- /dev/null
+From 57ff29b6f941afda4aeb55ee95b0bf1273cc1fe8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Aug 2020 12:17:32 +0530
+Subject: perf: Fix task_function_call() error handling
+
+From: Kajol Jain <kjain@linux.ibm.com>
+
+[ Upstream commit 6d6b8b9f4fceab7266ca03d194f60ec72bd4b654 ]
+
+The error handling introduced by commit:
+
+ 2ed6edd33a21 ("perf: Add cond_resched() to task_function_call()")
+
+looses any return value from smp_call_function_single() that is not
+{0, -EINVAL}. This is a problem because it will return -EXNIO when the
+target CPU is offline. Worse, in that case it'll turn into an infinite
+loop.
+
+Fixes: 2ed6edd33a21 ("perf: Add cond_resched() to task_function_call()")
+Reported-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+Signed-off-by: Kajol Jain <kjain@linux.ibm.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Reviewed-by: Barret Rhoden <brho@google.com>
+Tested-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+Link: https://lkml.kernel.org/r/20200827064732.20860-1-kjain@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/events/core.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index 47646050efa0c..09e1cc22221fe 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -97,7 +97,7 @@ static void remote_function(void *data)
+ * retry due to any failures in smp_call_function_single(), such as if the
+ * task_cpu() goes offline concurrently.
+ *
+- * returns @func return value or -ESRCH when the process isn't running
++ * returns @func return value or -ESRCH or -ENXIO when the process isn't running
+ */
+ static int
+ task_function_call(struct task_struct *p, remote_function_f func, void *info)
+@@ -113,7 +113,8 @@ task_function_call(struct task_struct *p, remote_function_f func, void *info)
+ for (;;) {
+ ret = smp_call_function_single(task_cpu(p), remote_function,
+ &data, 1);
+- ret = !ret ? data.ret : -EAGAIN;
++ if (!ret)
++ ret = data.ret;
+
+ if (ret != -EAGAIN)
+ break;
+--
+2.25.1
+
--- /dev/null
+From 599f63e279fd37af9c6b13ef20fb7a672fb65c41 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Sep 2020 19:16:53 +0300
+Subject: platform/x86: fix kconfig dependency warning for FUJITSU_LAPTOP
+
+From: Necip Fazil Yildiran <fazilyildiran@gmail.com>
+
+[ Upstream commit afdd1ebb72051e8b6b83c4d7dc542a9be0e1352d ]
+
+When FUJITSU_LAPTOP is enabled and NEW_LEDS is disabled, it results in the
+following Kbuild warning:
+
+WARNING: unmet direct dependencies detected for LEDS_CLASS
+ Depends on [n]: NEW_LEDS [=n]
+ Selected by [y]:
+ - FUJITSU_LAPTOP [=y] && X86 [=y] && X86_PLATFORM_DEVICES [=y] && ACPI [=y] && INPUT [=y] && BACKLIGHT_CLASS_DEVICE [=y] && (ACPI_VIDEO [=n] || ACPI_VIDEO [=n]=n)
+
+The reason is that FUJITSU_LAPTOP selects LEDS_CLASS without depending on
+or selecting NEW_LEDS while LEDS_CLASS is subordinate to NEW_LEDS.
+
+Honor the kconfig menu hierarchy to remove kconfig dependency warnings.
+
+Reported-by: Hans de Goede <hdegoede@redhat.com>
+Fixes: d89bcc83e709 ("platform/x86: fujitsu-laptop: select LEDS_CLASS")
+Signed-off-by: Necip Fazil Yildiran <fazilyildiran@gmail.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/platform/x86/Kconfig b/drivers/platform/x86/Kconfig
+index 1cab993205142..000d5693fae74 100644
+--- a/drivers/platform/x86/Kconfig
++++ b/drivers/platform/x86/Kconfig
+@@ -269,6 +269,7 @@ config FUJITSU_LAPTOP
+ depends on BACKLIGHT_CLASS_DEVICE
+ depends on ACPI_VIDEO || ACPI_VIDEO = n
+ select INPUT_SPARSEKMAP
++ select NEW_LEDS
+ select LEDS_CLASS
+ ---help---
+ This is a driver for laptops built by Fujitsu:
+--
+2.25.1
+
--- /dev/null
+From f010fdb11c6ed4fe0a5dde8b90ac778887e07629 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 27 Sep 2020 19:44:29 +0200
+Subject: r8169: fix RTL8168f/RTL8411 EPHY config
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+[ Upstream commit 709a16be0593c08190982cfbdca6df95e6d5823b ]
+
+Mistakenly bit 2 was set instead of bit 3 as in the vendor driver.
+
+Fixes: a7a92cf81589 ("r8169: sync PCIe PHY init with vendor driver 8.047.01")
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/realtek/r8169_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c
+index 903212ad9bb2f..66c97049f52b7 100644
+--- a/drivers/net/ethernet/realtek/r8169_main.c
++++ b/drivers/net/ethernet/realtek/r8169_main.c
+@@ -4701,7 +4701,7 @@ static void rtl_hw_start_8168f_1(struct rtl8169_private *tp)
+ { 0x08, 0x0001, 0x0002 },
+ { 0x09, 0x0000, 0x0080 },
+ { 0x19, 0x0000, 0x0224 },
+- { 0x00, 0x0000, 0x0004 },
++ { 0x00, 0x0000, 0x0008 },
+ { 0x0c, 0x3df0, 0x0200 },
+ };
+
+@@ -4718,7 +4718,7 @@ static void rtl_hw_start_8411(struct rtl8169_private *tp)
+ { 0x06, 0x00c0, 0x0020 },
+ { 0x0f, 0xffff, 0x5200 },
+ { 0x19, 0x0000, 0x0224 },
+- { 0x00, 0x0000, 0x0004 },
++ { 0x00, 0x0000, 0x0008 },
+ { 0x0c, 0x3df0, 0x0200 },
+ };
+
+--
+2.25.1
+
--- /dev/null
+From e69359a0e7af35cdcaf94984a7e29967da149e0e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Sep 2020 22:09:04 +0100
+Subject: rxrpc: Downgrade the BUG() for unsupported token type in rxrpc_read()
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 9a059cd5ca7d9c5c4ca5a6e755cf72f230176b6a ]
+
+If rxrpc_read() (which allows KEYCTL_READ to read a key), sees a token of a
+type it doesn't recognise, it can BUG in a couple of places, which is
+unnecessary as it can easily get back to userspace.
+
+Fix this to print an error message instead.
+
+Fixes: 99455153d067 ("RxRPC: Parse security index 5 keys (Kerberos 5)")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rxrpc/key.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c
+index d77e89766406a..32f46edcf7c67 100644
+--- a/net/rxrpc/key.c
++++ b/net/rxrpc/key.c
+@@ -1108,7 +1108,8 @@ static long rxrpc_read(const struct key *key,
+ break;
+
+ default: /* we have a ticket we can't encode */
+- BUG();
++ pr_err("Unsupported key token type (%u)\n",
++ token->security_index);
+ continue;
+ }
+
+@@ -1224,7 +1225,6 @@ static long rxrpc_read(const struct key *key,
+ break;
+
+ default:
+- BUG();
+ break;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 8ada0b56a41a542a864dc87fb456d393684bce07 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Sep 2020 14:01:24 -0300
+Subject: rxrpc: Fix rxkad token xdr encoding
+
+From: Marc Dionne <marc.dionne@auristor.com>
+
+[ Upstream commit 56305118e05b2db8d0395bba640ac9a3aee92624 ]
+
+The session key should be encoded with just the 8 data bytes and
+no length; ENCODE_DATA precedes it with a 4 byte length, which
+confuses some existing tools that try to parse this format.
+
+Add an ENCODE_BYTES macro that does not include a length, and use
+it for the key. Also adjust the expected length.
+
+Note that commit 774521f353e1d ("rxrpc: Fix an assertion in
+rxrpc_read()") had fixed a BUG by changing the length rather than
+fixing the encoding. The original length was correct.
+
+Fixes: 99455153d067 ("RxRPC: Parse security index 5 keys (Kerberos 5)")
+Signed-off-by: Marc Dionne <marc.dionne@auristor.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rxrpc/key.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c
+index 0c98313dd7a8c..d77e89766406a 100644
+--- a/net/rxrpc/key.c
++++ b/net/rxrpc/key.c
+@@ -1073,7 +1073,7 @@ static long rxrpc_read(const struct key *key,
+
+ switch (token->security_index) {
+ case RXRPC_SECURITY_RXKAD:
+- toksize += 9 * 4; /* viceid, kvno, key*2 + len, begin,
++ toksize += 8 * 4; /* viceid, kvno, key*2, begin,
+ * end, primary, tktlen */
+ toksize += RND(token->kad->ticket_len);
+ break;
+@@ -1139,6 +1139,14 @@ static long rxrpc_read(const struct key *key,
+ memcpy((u8 *)xdr + _l, &zero, 4 - (_l & 3)); \
+ xdr += (_l + 3) >> 2; \
+ } while(0)
++#define ENCODE_BYTES(l, s) \
++ do { \
++ u32 _l = (l); \
++ memcpy(xdr, (s), _l); \
++ if (_l & 3) \
++ memcpy((u8 *)xdr + _l, &zero, 4 - (_l & 3)); \
++ xdr += (_l + 3) >> 2; \
++ } while(0)
+ #define ENCODE64(x) \
+ do { \
+ __be64 y = cpu_to_be64(x); \
+@@ -1166,7 +1174,7 @@ static long rxrpc_read(const struct key *key,
+ case RXRPC_SECURITY_RXKAD:
+ ENCODE(token->kad->vice_id);
+ ENCODE(token->kad->kvno);
+- ENCODE_DATA(8, token->kad->session_key);
++ ENCODE_BYTES(8, token->kad->session_key);
+ ENCODE(token->kad->start);
+ ENCODE(token->kad->expiry);
+ ENCODE(token->kad->primary_flag);
+--
+2.25.1
+
--- /dev/null
+From 4ccac4fb1ced957ffbb6e8191d66179994d7701f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Oct 2020 14:04:51 +0100
+Subject: rxrpc: Fix server keyring leak
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 38b1dc47a35ba14c3f4472138ea56d014c2d609b ]
+
+If someone calls setsockopt() twice to set a server key keyring, the first
+keyring is leaked.
+
+Fix it to return an error instead if the server key keyring is already set.
+
+Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rxrpc/key.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c
+index 64cbbd2f16944..85a9ff8cd236a 100644
+--- a/net/rxrpc/key.c
++++ b/net/rxrpc/key.c
+@@ -903,7 +903,7 @@ int rxrpc_request_key(struct rxrpc_sock *rx, char __user *optval, int optlen)
+
+ _enter("");
+
+- if (optlen <= 0 || optlen > PAGE_SIZE - 1)
++ if (optlen <= 0 || optlen > PAGE_SIZE - 1 || rx->securities)
+ return -EINVAL;
+
+ description = memdup_user_nul(optval, optlen);
+--
+2.25.1
+
--- /dev/null
+From 72e7806cb9459eb2a4d7b374d62d153f0db40d2a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Oct 2020 11:57:40 +0100
+Subject: rxrpc: Fix some missing _bh annotations on locking conn->state_lock
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit fa1d113a0f96f9ab7e4fe4f8825753ba1e34a9d3 ]
+
+conn->state_lock may be taken in softirq mode, but a previous patch
+replaced an outer lock in the response-packet event handling code, and lost
+the _bh from that when doing so.
+
+Fix this by applying the _bh annotation to the state_lock locking.
+
+Fixes: a1399f8bb033 ("rxrpc: Call channels should have separate call number spaces")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rxrpc/conn_event.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c
+index 06fcff2ebbba1..b5864683f200d 100644
+--- a/net/rxrpc/conn_event.c
++++ b/net/rxrpc/conn_event.c
+@@ -341,18 +341,18 @@ static int rxrpc_process_event(struct rxrpc_connection *conn,
+ return ret;
+
+ spin_lock(&conn->channel_lock);
+- spin_lock(&conn->state_lock);
++ spin_lock_bh(&conn->state_lock);
+
+ if (conn->state == RXRPC_CONN_SERVICE_CHALLENGING) {
+ conn->state = RXRPC_CONN_SERVICE;
+- spin_unlock(&conn->state_lock);
++ spin_unlock_bh(&conn->state_lock);
+ for (loop = 0; loop < RXRPC_MAXCALLS; loop++)
+ rxrpc_call_is_secure(
+ rcu_dereference_protected(
+ conn->channels[loop].call,
+ lockdep_is_held(&conn->channel_lock)));
+ } else {
+- spin_unlock(&conn->state_lock);
++ spin_unlock_bh(&conn->state_lock);
+ }
+
+ spin_unlock(&conn->channel_lock);
+--
+2.25.1
+
--- /dev/null
+From 095b25533f5e7fc776bcbcf057b57b6a3d46dc1a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Sep 2020 19:52:08 +0100
+Subject: rxrpc: The server keyring isn't network-namespaced
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit fea99111244bae44e7d82a973744d27ea1567814 ]
+
+The keyring containing the server's tokens isn't network-namespaced, so it
+shouldn't be looked up with a network namespace. It is expected to be
+owned specifically by the server, so namespacing is unnecessary.
+
+Fixes: a58946c158a0 ("keys: Pass the network namespace into request_key mechanism")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rxrpc/key.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c
+index 32f46edcf7c67..64cbbd2f16944 100644
+--- a/net/rxrpc/key.c
++++ b/net/rxrpc/key.c
+@@ -941,7 +941,7 @@ int rxrpc_server_keyring(struct rxrpc_sock *rx, char __user *optval,
+ if (IS_ERR(description))
+ return PTR_ERR(description);
+
+- key = request_key_net(&key_type_keyring, description, sock_net(&rx->sk), NULL);
++ key = request_key(&key_type_keyring, description, NULL);
+ if (IS_ERR(key)) {
+ kfree(description);
+ _leave(" = %ld", PTR_ERR(key));
+--
+2.25.1
+
openvswitch-handle-dnat-tuple-collision.patch
drm-amdgpu-prevent-double-kfree-ttm-sg.patch
iommu-vt-d-fix-lockdep-splat-in-iommu_flush_dev_iotl.patch
+xfrm-clone-xfrma_set_mark-in-xfrm_do_migrate.patch
+xfrm-clone-xfrma_replay_esn_val-in-xfrm_do_migrate.patch
+xfrm-clone-xfrma_sec_ctx-in-xfrm_do_migrate.patch
+xfrm-clone-whole-liftime_cur-structure-in-xfrm_do_mi.patch
+net-stmmac-removed-enabling-eee-in-eee-set-callback.patch
+platform-x86-fix-kconfig-dependency-warning-for-fuji.patch
+xfrm-use-correct-address-family-in-xfrm_state_find.patch
+iavf-use-generic-power-management.patch
+iavf-fix-incorrect-adapter-get-in-iavf_resume.patch
+net-ethernet-cavium-octeon_mgmt-use-phy_start-and-ph.patch
+bonding-set-dev-needed_headroom-in-bond_setup_by_sla.patch
+mdio-fix-mdio-thunder.c-dependency-build-error.patch
+mlxsw-spectrum_acl-fix-mlxsw_sp_acl_tcam_group_add-s.patch
+r8169-fix-rtl8168f-rtl8411-ephy-config.patch
+net-usb-ax88179_178a-fix-missing-stop-entry-in-drive.patch
+virtio-net-don-t-disable-guest-csum-when-disable-lro.patch
+net-mlx5-avoid-possible-free-of-command-entry-while-.patch
+net-mlx5-fix-request_irqs-error-flow.patch
+net-mlx5e-add-resiliency-in-striding-rq-mode-for-pac.patch
+net-mlx5e-fix-vlan-cleanup-flow.patch
+net-mlx5e-fix-vlan-create-flow.patch
+rxrpc-fix-rxkad-token-xdr-encoding.patch
+rxrpc-downgrade-the-bug-for-unsupported-token-type-i.patch
+rxrpc-fix-some-missing-_bh-annotations-on-locking-co.patch
+rxrpc-the-server-keyring-isn-t-network-namespaced.patch
+rxrpc-fix-server-keyring-leak.patch
+perf-fix-task_function_call-error-handling.patch
+mmc-core-don-t-set-limits.discard_granularity-as-0.patch
--- /dev/null
+From 2551e13ad0573461640c5d346089312bb8eb9295 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Sep 2020 09:58:06 +0800
+Subject: virtio-net: don't disable guest csum when disable LRO
+
+From: Tonghao Zhang <xiangxia.m.yue@gmail.com>
+
+[ Upstream commit 1a03b8a35a957f9f38ecb8a97443b7380bbf6a8b ]
+
+Open vSwitch and Linux bridge will disable LRO of the interface
+when this interface added to them. Now when disable the LRO, the
+virtio-net csum is disable too. That drops the forwarding performance.
+
+Fixes: a02e8964eaf9 ("virtio-net: ethtool configurable LRO")
+Cc: Michael S. Tsirkin <mst@redhat.com>
+Cc: Jason Wang <jasowang@redhat.com>
+Cc: Willem de Bruijn <willemb@google.com>
+Signed-off-by: Tonghao Zhang <xiangxia.m.yue@gmail.com>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/virtio_net.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
+index 030d30603c295..99e1a7bc06886 100644
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -63,6 +63,11 @@ static const unsigned long guest_offloads[] = {
+ VIRTIO_NET_F_GUEST_CSUM
+ };
+
++#define GUEST_OFFLOAD_LRO_MASK ((1ULL << VIRTIO_NET_F_GUEST_TSO4) | \
++ (1ULL << VIRTIO_NET_F_GUEST_TSO6) | \
++ (1ULL << VIRTIO_NET_F_GUEST_ECN) | \
++ (1ULL << VIRTIO_NET_F_GUEST_UFO))
++
+ struct virtnet_stat_desc {
+ char desc[ETH_GSTRING_LEN];
+ size_t offset;
+@@ -2572,7 +2577,8 @@ static int virtnet_set_features(struct net_device *dev,
+ if (features & NETIF_F_LRO)
+ offloads = vi->guest_offloads_capable;
+ else
+- offloads = 0;
++ offloads = vi->guest_offloads_capable &
++ ~GUEST_OFFLOAD_LRO_MASK;
+
+ err = virtnet_set_guest_offloads(vi, offloads);
+ if (err)
+--
+2.25.1
+
--- /dev/null
+From 183f4b7479af357e339d44ec4685f5d809c68376 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Sep 2020 08:50:29 +0200
+Subject: xfrm: clone whole liftime_cur structure in xfrm_do_migrate
+
+From: Antony Antony <antony.antony@secunet.com>
+
+[ Upstream commit 8366685b2883e523f91e9816d7be371eb1144749 ]
+
+When we clone state only add_time was cloned. It missed values like
+bytes, packets. Now clone the all members of the structure.
+
+v1->v3:
+ - use memcpy to copy the entire structure
+
+Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint address(es)")
+Signed-off-by: Antony Antony <antony.antony@secunet.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_state.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
+index fc1b391ba1554..8df460eaac275 100644
+--- a/net/xfrm/xfrm_state.c
++++ b/net/xfrm/xfrm_state.c
+@@ -1547,7 +1547,7 @@ static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig,
+ x->tfcpad = orig->tfcpad;
+ x->replay_maxdiff = orig->replay_maxdiff;
+ x->replay_maxage = orig->replay_maxage;
+- x->curlft.add_time = orig->curlft.add_time;
++ memcpy(&x->curlft, &orig->curlft, sizeof(x->curlft));
+ x->km.state = orig->km.state;
+ x->km.seq = orig->km.seq;
+ x->replay = orig->replay;
+--
+2.25.1
+
--- /dev/null
+From 324db4382c9cc627ed46fc5a9703cb18dac6abb8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Sep 2020 08:49:55 +0200
+Subject: xfrm: clone XFRMA_REPLAY_ESN_VAL in xfrm_do_migrate
+
+From: Antony Antony <antony.antony@secunet.com>
+
+[ Upstream commit 91a46c6d1b4fcbfa4773df9421b8ad3e58088101 ]
+
+XFRMA_REPLAY_ESN_VAL was not cloned completely from the old to the new.
+Migrate this attribute during XFRMA_MSG_MIGRATE
+
+v1->v2:
+ - move curleft cloning to a separate patch
+
+Fixes: af2f464e326e ("xfrm: Assign esn pointers when cloning a state")
+Signed-off-by: Antony Antony <antony.antony@secunet.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/xfrm.h | 16 ++++++----------
+ 1 file changed, 6 insertions(+), 10 deletions(-)
+
+diff --git a/include/net/xfrm.h b/include/net/xfrm.h
+index 12aa6e15e43f6..c00b9ae71ae40 100644
+--- a/include/net/xfrm.h
++++ b/include/net/xfrm.h
+@@ -1773,21 +1773,17 @@ static inline unsigned int xfrm_replay_state_esn_len(struct xfrm_replay_state_es
+ static inline int xfrm_replay_clone(struct xfrm_state *x,
+ struct xfrm_state *orig)
+ {
+- x->replay_esn = kzalloc(xfrm_replay_state_esn_len(orig->replay_esn),
++
++ x->replay_esn = kmemdup(orig->replay_esn,
++ xfrm_replay_state_esn_len(orig->replay_esn),
+ GFP_KERNEL);
+ if (!x->replay_esn)
+ return -ENOMEM;
+-
+- x->replay_esn->bmp_len = orig->replay_esn->bmp_len;
+- x->replay_esn->replay_window = orig->replay_esn->replay_window;
+-
+- x->preplay_esn = kmemdup(x->replay_esn,
+- xfrm_replay_state_esn_len(x->replay_esn),
++ x->preplay_esn = kmemdup(orig->preplay_esn,
++ xfrm_replay_state_esn_len(orig->preplay_esn),
+ GFP_KERNEL);
+- if (!x->preplay_esn) {
+- kfree(x->replay_esn);
++ if (!x->preplay_esn)
+ return -ENOMEM;
+- }
+
+ return 0;
+ }
+--
+2.25.1
+
--- /dev/null
+From 41bbccbb622dbc3c2764aa4ef84521f3bdc8bcab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Sep 2020 08:50:11 +0200
+Subject: xfrm: clone XFRMA_SEC_CTX in xfrm_do_migrate
+
+From: Antony Antony <antony.antony@secunet.com>
+
+[ Upstream commit 7aa05d304785204703a67a6aa7f1db402889a172 ]
+
+XFRMA_SEC_CTX was not cloned from the old to the new.
+Migrate this attribute during XFRMA_MSG_MIGRATE
+
+v1->v2:
+ - return -ENOMEM on error
+v2->v3:
+ - fix return type to int
+
+Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint address(es)")
+Signed-off-by: Antony Antony <antony.antony@secunet.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_state.c | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
+index 10d30f0338d72..fc1b391ba1554 100644
+--- a/net/xfrm/xfrm_state.c
++++ b/net/xfrm/xfrm_state.c
+@@ -1438,6 +1438,30 @@ out:
+ EXPORT_SYMBOL(xfrm_state_add);
+
+ #ifdef CONFIG_XFRM_MIGRATE
++static inline int clone_security(struct xfrm_state *x, struct xfrm_sec_ctx *security)
++{
++ struct xfrm_user_sec_ctx *uctx;
++ int size = sizeof(*uctx) + security->ctx_len;
++ int err;
++
++ uctx = kmalloc(size, GFP_KERNEL);
++ if (!uctx)
++ return -ENOMEM;
++
++ uctx->exttype = XFRMA_SEC_CTX;
++ uctx->len = size;
++ uctx->ctx_doi = security->ctx_doi;
++ uctx->ctx_alg = security->ctx_alg;
++ uctx->ctx_len = security->ctx_len;
++ memcpy(uctx + 1, security->ctx_str, security->ctx_len);
++ err = security_xfrm_state_alloc(x, uctx);
++ kfree(uctx);
++ if (err)
++ return err;
++
++ return 0;
++}
++
+ static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig,
+ struct xfrm_encap_tmpl *encap)
+ {
+@@ -1494,6 +1518,10 @@ static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig,
+ goto error;
+ }
+
++ if (orig->security)
++ if (clone_security(x, orig->security))
++ goto error;
++
+ if (orig->coaddr) {
+ x->coaddr = kmemdup(orig->coaddr, sizeof(*x->coaddr),
+ GFP_KERNEL);
+--
+2.25.1
+
--- /dev/null
+From 68b9e644eab0891de58787d1f67d37178ea7d7e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Sep 2020 08:49:38 +0200
+Subject: xfrm: clone XFRMA_SET_MARK in xfrm_do_migrate
+
+From: Antony Antony <antony.antony@secunet.com>
+
+[ Upstream commit 545e5c571662b1cd79d9588f9d3b6e36985b8007 ]
+
+XFRMA_SET_MARK and XFRMA_SET_MARK_MASK was not cloned from the old
+to the new. Migrate these two attributes during XFRMA_MSG_MIGRATE
+
+Fixes: 9b42c1f179a6 ("xfrm: Extend the output_mark to support input direction and masking.")
+Signed-off-by: Antony Antony <antony.antony@secunet.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_state.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
+index f3423562d9336..10d30f0338d72 100644
+--- a/net/xfrm/xfrm_state.c
++++ b/net/xfrm/xfrm_state.c
+@@ -1507,6 +1507,7 @@ static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig,
+ }
+
+ memcpy(&x->mark, &orig->mark, sizeof(x->mark));
++ memcpy(&x->props.smark, &orig->props.smark, sizeof(x->props.smark));
+
+ if (xfrm_init_state(x) < 0)
+ goto error;
+--
+2.25.1
+
--- /dev/null
+From 0e6a6e460eddd116adf83eb7340541b27224b603 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Sep 2020 14:42:56 +1000
+Subject: xfrm: Use correct address family in xfrm_state_find
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit e94ee171349db84c7cfdc5fefbebe414054d0924 ]
+
+The struct flowi must never be interpreted by itself as its size
+depends on the address family. Therefore it must always be grouped
+with its original family value.
+
+In this particular instance, the original family value is lost in
+the function xfrm_state_find. Therefore we get a bogus read when
+it's coupled with the wrong family which would occur with inter-
+family xfrm states.
+
+This patch fixes it by keeping the original family value.
+
+Note that the same bug could potentially occur in LSM through
+the xfrm_state_pol_flow_match hook. I checked the current code
+there and it seems to be safe for now as only secid is used which
+is part of struct flowi_common. But that API should be changed
+so that so that we don't get new bugs in the future. We could
+do that by replacing fl with just secid or adding a family field.
+
+Reported-by: syzbot+577fbac3145a6eb2e7a5@syzkaller.appspotmail.com
+Fixes: 48b8d78315bf ("[XFRM]: State selection update to use inner...")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_state.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
+index 8df460eaac275..aaea8cb7459d8 100644
+--- a/net/xfrm/xfrm_state.c
++++ b/net/xfrm/xfrm_state.c
+@@ -1016,7 +1016,8 @@ static void xfrm_state_look_at(struct xfrm_policy *pol, struct xfrm_state *x,
+ */
+ if (x->km.state == XFRM_STATE_VALID) {
+ if ((x->sel.family &&
+- !xfrm_selector_match(&x->sel, fl, x->sel.family)) ||
++ (x->sel.family != family ||
++ !xfrm_selector_match(&x->sel, fl, family))) ||
+ !security_xfrm_state_pol_flow_match(x, pol, fl))
+ return;
+
+@@ -1029,7 +1030,9 @@ static void xfrm_state_look_at(struct xfrm_policy *pol, struct xfrm_state *x,
+ *acq_in_progress = 1;
+ } else if (x->km.state == XFRM_STATE_ERROR ||
+ x->km.state == XFRM_STATE_EXPIRED) {
+- if (xfrm_selector_match(&x->sel, fl, x->sel.family) &&
++ if ((!x->sel.family ||
++ (x->sel.family == family &&
++ xfrm_selector_match(&x->sel, fl, family))) &&
+ security_xfrm_state_pol_flow_match(x, pol, fl))
+ *error = -ESRCH;
+ }
+@@ -1069,7 +1072,7 @@ xfrm_state_find(const xfrm_address_t *daddr, const xfrm_address_t *saddr,
+ tmpl->mode == x->props.mode &&
+ tmpl->id.proto == x->id.proto &&
+ (tmpl->id.spi == x->id.spi || !tmpl->id.spi))
+- xfrm_state_look_at(pol, x, fl, encap_family,
++ xfrm_state_look_at(pol, x, fl, family,
+ &best, &acquire_in_progress, &error);
+ }
+ if (best || acquire_in_progress)
+@@ -1086,7 +1089,7 @@ xfrm_state_find(const xfrm_address_t *daddr, const xfrm_address_t *saddr,
+ tmpl->mode == x->props.mode &&
+ tmpl->id.proto == x->id.proto &&
+ (tmpl->id.spi == x->id.spi || !tmpl->id.spi))
+- xfrm_state_look_at(pol, x, fl, encap_family,
++ xfrm_state_look_at(pol, x, fl, family,
+ &best, &acquire_in_progress, &error);
+ }
+
+--
+2.25.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
