--- /dev/null
+From e9eb47d199f56aa893dff7ffe8194fce632b4131 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Nov 2020 16:33:07 +0000
+Subject: afs: Fix incorrect freeing of the ACL passed to the YFS ACL store op
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit f4c79144edd8a49ffca8fa737a31d606be742a34 ]
+
+The cleanup for the yfs_store_opaque_acl2_operation calls the wrong
+function to destroy the ACL content buffer. It's an afs_acl struct, not
+a yfs_acl struct - and the free function for latter may pass invalid
+pointers to kfree().
+
+Fix this by using the afs_acl_put() function. The yfs_acl_put()
+function is then no longer used and can be removed.
+
+ general protection fault, probably for non-canonical address 0x7ebde00000000: 0000 [#1] SMP PTI
+ ...
+ RIP: 0010:compound_head+0x0/0x11
+ ...
+ Call Trace:
+ virt_to_cache+0x8/0x51
+ kfree+0x5d/0x79
+ yfs_free_opaque_acl+0x16/0x29
+ afs_put_operation+0x60/0x114
+ __vfs_setxattr+0x67/0x72
+ __vfs_setxattr_noperm+0x66/0xe9
+ vfs_setxattr+0x67/0xce
+ setxattr+0x14e/0x184
+ __do_sys_fsetxattr+0x66/0x8f
+ do_syscall_64+0x2d/0x3a
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: e49c7b2f6de7 ("afs: Build an abstraction around an "operation" concept")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/xattr.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+diff --git a/fs/afs/xattr.c b/fs/afs/xattr.c
+index 38884d6c57cdc..95c573dcda116 100644
+--- a/fs/afs/xattr.c
++++ b/fs/afs/xattr.c
+@@ -148,11 +148,6 @@ static const struct xattr_handler afs_xattr_afs_acl_handler = {
+ .set = afs_xattr_set_acl,
+ };
+
+-static void yfs_acl_put(struct afs_operation *op)
+-{
+- yfs_free_opaque_acl(op->yacl);
+-}
+-
+ static const struct afs_operation_ops yfs_fetch_opaque_acl_operation = {
+ .issue_yfs_rpc = yfs_fs_fetch_opaque_acl,
+ .success = afs_acl_success,
+@@ -246,7 +241,7 @@ error:
+ static const struct afs_operation_ops yfs_store_opaque_acl2_operation = {
+ .issue_yfs_rpc = yfs_fs_store_opaque_acl2,
+ .success = afs_acl_success,
+- .put = yfs_acl_put,
++ .put = afs_acl_put,
+ };
+
+ /*
+--
+2.27.0
+
--- /dev/null
+From 0dc642a8ddb13c450c95d681e2001a090abd9b2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Nov 2020 16:32:58 +0000
+Subject: afs: Fix warning due to unadvanced marshalling pointer
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit c80afa1d9c3603d5eddeb8d63368823b1982f3f0 ]
+
+When using the afs.yfs.acl xattr to change an AuriStor ACL, a warning
+can be generated when the request is marshalled because the buffer
+pointer isn't increased after adding the last element, thereby
+triggering the check at the end if the ACL wasn't empty. This just
+causes something like the following warning, but doesn't stop the call
+from happening successfully:
+
+ kAFS: YFS.StoreOpaqueACL2: Request buffer underflow (36<108)
+
+Fix this simply by increasing the count prior to the check.
+
+Fixes: f5e4546347bc ("afs: Implement YFS ACL setting")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/yfsclient.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/afs/yfsclient.c b/fs/afs/yfsclient.c
+index 3b1239b7e90d8..bd787e71a657f 100644
+--- a/fs/afs/yfsclient.c
++++ b/fs/afs/yfsclient.c
+@@ -1990,6 +1990,7 @@ void yfs_fs_store_opaque_acl2(struct afs_operation *op)
+ memcpy(bp, acl->data, acl->size);
+ if (acl->size != size)
+ memset((void *)bp + acl->size, 0, size - acl->size);
++ bp += size / sizeof(__be32);
+ yfs_check_req(call, bp);
+
+ trace_afs_make_fs_call(call, &vp->fid);
+--
+2.27.0
+
--- /dev/null
+From 0149302a30bc1010922510e171470f9e07683d36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Nov 2020 13:18:07 +0300
+Subject: ALSA: hda: prevent undefined shift in snd_hdac_ext_bus_get_link()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 158e1886b6262c1d1c96a18c85fac5219b8bf804 ]
+
+This is harmless, but the "addr" comes from the user and it could lead
+to a negative shift or to shift wrapping if it's too high.
+
+Fixes: 0b00a5615dc4 ("ALSA: hdac_ext: add hdac extended controller")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/20201103101807.GC1127762@mwanda
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/hda/ext/hdac_ext_controller.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/hda/ext/hdac_ext_controller.c b/sound/hda/ext/hdac_ext_controller.c
+index 4d060d5b1db6d..b0c0ef824d7d9 100644
+--- a/sound/hda/ext/hdac_ext_controller.c
++++ b/sound/hda/ext/hdac_ext_controller.c
+@@ -148,6 +148,8 @@ struct hdac_ext_link *snd_hdac_ext_bus_get_link(struct hdac_bus *bus,
+ return NULL;
+ if (bus->idx != bus_idx)
+ return NULL;
++ if (addr < 0 || addr > 31)
++ return NULL;
+
+ list_for_each_entry(hlink, &bus->hlink_list, list) {
+ for (i = 0; i < HDA_MAX_CODECS; i++) {
+--
+2.27.0
+
--- /dev/null
+From f153716d460e7163a3a99b1592515fedabc2a1d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Oct 2020 15:43:40 +0000
+Subject: ASoC: codecs: wcd9335: Set digital gain range correctly
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+[ Upstream commit 6d6bc54ab4f2404d46078abc04bf4dee4db01def ]
+
+digital gain range is -84dB min to 40dB max, however this was not
+correctly specified in the range.
+
+Fix this by with correct range!
+
+Fixes: 8c4f021d806a ("ASoC: wcd9335: add basic controls")
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20201028154340.17090-2-srinivas.kandagatla@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/wcd9335.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/wcd9335.c b/sound/soc/codecs/wcd9335.c
+index f2d9d52ee171b..4d2b1ec7c03bb 100644
+--- a/sound/soc/codecs/wcd9335.c
++++ b/sound/soc/codecs/wcd9335.c
+@@ -618,7 +618,7 @@ static const char * const sb_tx8_mux_text[] = {
+ "ZERO", "RX_MIX_TX8", "DEC8", "DEC8_192"
+ };
+
+-static const DECLARE_TLV_DB_SCALE(digital_gain, 0, 1, 0);
++static const DECLARE_TLV_DB_SCALE(digital_gain, -8400, 100, -8400);
+ static const DECLARE_TLV_DB_SCALE(line_gain, 0, 7, 1);
+ static const DECLARE_TLV_DB_SCALE(analog_gain, 0, 25, 1);
+ static const DECLARE_TLV_DB_SCALE(ear_pa_gain, 0, 150, 0);
+--
+2.27.0
+
--- /dev/null
+From 20fa86e74ab809216024bdcc16ee84e2eb77adfd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Oct 2020 15:43:39 +0000
+Subject: ASoC: codecs: wcd934x: Set digital gain range correctly
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+[ Upstream commit fc0522bbe02fa4beb95c0514ace66b585616f111 ]
+
+digital gain range is -84dB min to 40dB max, however this was not
+correctly specified in the range.
+
+Fix this by with correct range!
+
+Fixes: 1cde8b822332 ("ASoC: wcd934x: add basic controls")
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20201028154340.17090-1-srinivas.kandagatla@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/wcd934x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/wcd934x.c b/sound/soc/codecs/wcd934x.c
+index 35697b072367a..40f682f5dab8b 100644
+--- a/sound/soc/codecs/wcd934x.c
++++ b/sound/soc/codecs/wcd934x.c
+@@ -551,7 +551,7 @@ struct wcd_iir_filter_ctl {
+ struct soc_bytes_ext bytes_ext;
+ };
+
+-static const DECLARE_TLV_DB_SCALE(digital_gain, 0, 1, 0);
++static const DECLARE_TLV_DB_SCALE(digital_gain, -8400, 100, -8400);
+ static const DECLARE_TLV_DB_SCALE(line_gain, 0, 7, 1);
+ static const DECLARE_TLV_DB_SCALE(analog_gain, 0, 25, 1);
+ static const DECLARE_TLV_DB_SCALE(ear_pa_gain, 0, 150, 0);
+--
+2.27.0
+
--- /dev/null
+From ce14b5717cde677ab9006043a9f6a6f07a2fcfa3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Oct 2020 14:05:18 +0100
+Subject: ASoC: codecs: wsa881x: add missing stream rates and format
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+[ Upstream commit f47d0742515748162d3fc35f04331c5b81c0ed47 ]
+
+Add missing supported rates and formats for the stream, without
+which attempt to do playback will fail to find any matching rates/format.
+
+Fixes: a0aab9e1404a ("ASoC: codecs: add wsa881x amplifier support")
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20201022130518.31723-1-srinivas.kandagatla@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/wsa881x.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/soc/codecs/wsa881x.c b/sound/soc/codecs/wsa881x.c
+index d39d479e23786..5456124457a7c 100644
+--- a/sound/soc/codecs/wsa881x.c
++++ b/sound/soc/codecs/wsa881x.c
+@@ -1026,6 +1026,8 @@ static struct snd_soc_dai_driver wsa881x_dais[] = {
+ .id = 0,
+ .playback = {
+ .stream_name = "SPKR Playback",
++ .rates = SNDRV_PCM_RATE_48000,
++ .formats = SNDRV_PCM_FMTBIT_S16_LE,
+ .rate_max = 48000,
+ .rate_min = 48000,
+ .channels_min = 1,
+--
+2.27.0
+
--- /dev/null
+From f4cde55b1fbee0ed2dd3f352464b0dff920b6bce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Oct 2020 14:16:24 +0000
+Subject: ASoC: Intel: kbl_rt5663_max98927: Fix kabylake_ssp_fixup function
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tomasz Figa <tfiga@chromium.org>
+
+[ Upstream commit 9fe9efd6924c9a62ebb759025bb8927e398f51f7 ]
+
+This is a copy of commit 5c5f1baee85a ("ASoC: Intel:
+kbl_rt5663_rt5514_max98927: Fix kabylake_ssp_fixup function") applied to
+the kbl_rt5663_max98927 board file.
+
+Original explanation of the change:
+
+kabylake_ssp_fixup function uses snd_soc_dpcm to identify the
+codecs DAIs. The HW parameters are changed based on the codec DAI of the
+stream. The earlier approach to get snd_soc_dpcm was using container_of()
+macro on snd_pcm_hw_params.
+
+The structures have been modified over time and snd_soc_dpcm does not have
+snd_pcm_hw_params as a reference but as a copy. This causes the current
+driver to crash when used.
+
+This patch changes the way snd_soc_dpcm is extracted. snd_soc_pcm_runtime
+holds 2 dpcm instances (one for playback and one for capture). 2 codecs
+on the SSP are dmic (capture) and speakers (playback). Based on the
+stream direction, snd_soc_dpcm is extracted from snd_soc_pcm_runtime.
+
+Fixes a boot crash on a HP Chromebook x2:
+
+[ 16.582225] BUG: kernel NULL pointer dereference, address: 0000000000000050
+[ 16.582231] #PF: supervisor read access in kernel mode
+[ 16.582233] #PF: error_code(0x0000) - not-present page
+[ 16.582234] PGD 0 P4D 0
+[ 16.582238] Oops: 0000 [#1] PREEMPT SMP PTI
+[ 16.582241] CPU: 0 PID: 1980 Comm: cras Tainted: G C 5.4.58 #1
+[ 16.582243] Hardware name: HP Soraka/Soraka, BIOS Google_Soraka.10431.75.0 08/30/2018
+[ 16.582247] RIP: 0010:kabylake_ssp_fixup+0x19/0xbb [snd_soc_kbl_rt5663_max98927]
+[ 16.582250] Code: c6 6f c5 80 c0 44 89 f2 31 c0 e8 3e c9 4c d6 eb de 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 53 48 89 f3 48 8b 46 c8 48 8b 4e d0 <48> 8b 49 10 4c 8b 78 10 4c 8b 31 4c 89 f7 48 c7 c6 4b c2 80 c0 e8
+[ 16.582252] RSP: 0000:ffffaf7e81e0b958 EFLAGS: 00010282
+[ 16.582254] RAX: ffffffff96f13e0d RBX: ffffaf7e81e0ba00 RCX: 0000000000000040
+[ 16.582256] RDX: ffffaf7e81e0ba00 RSI: ffffaf7e81e0ba00 RDI: ffffa3b208558028
+[ 16.582258] RBP: ffffaf7e81e0b970 R08: ffffa3b203b54160 R09: ffffaf7e81e0ba00
+[ 16.582259] R10: 0000000000000000 R11: ffffffffc080b345 R12: ffffa3b209fb6e00
+[ 16.582261] R13: ffffa3b1b1a47838 R14: ffffa3b1e6197f28 R15: ffffaf7e81e0ba00
+[ 16.582263] FS: 00007eb3f25aaf80(0000) GS:ffffa3b236a00000(0000) knlGS:0000000000000000
+[ 16.582265] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 16.582267] CR2: 0000000000000050 CR3: 0000000246bc8006 CR4: 00000000003606f0
+[ 16.582269] Call Trace:
+[ 16.582275] snd_soc_link_be_hw_params_fixup+0x21/0x68
+[ 16.582278] snd_soc_dai_hw_params+0x25/0x94
+[ 16.582282] soc_pcm_hw_params+0x2d8/0x583
+[ 16.582288] dpcm_be_dai_hw_params+0x172/0x29e
+[ 16.582291] dpcm_fe_dai_hw_params+0x9f/0x12f
+[ 16.582295] snd_pcm_hw_params+0x137/0x41c
+[ 16.582298] snd_pcm_hw_params_user+0x3c/0x71
+[ 16.582301] snd_pcm_common_ioctl+0x2c6/0x565
+[ 16.582304] snd_pcm_ioctl+0x32/0x36
+[ 16.582307] do_vfs_ioctl+0x506/0x783
+[ 16.582311] ksys_ioctl+0x58/0x83
+[ 16.582313] __x64_sys_ioctl+0x1a/0x1e
+[ 16.582316] do_syscall_64+0x54/0x7e
+[ 16.582319] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 16.582322] RIP: 0033:0x7eb3f1886157
+[ 16.582324] Code: 8a 66 90 48 8b 05 11 dd 2b 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e1 dc 2b 00 f7 d8 64 89 01 48
+[ 16.582326] RSP: 002b:00007ffff7559818 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+[ 16.582329] RAX: ffffffffffffffda RBX: 00005acc9188b140 RCX: 00007eb3f1886157
+[ 16.582330] RDX: 00007ffff7559940 RSI: 00000000c2604111 RDI: 000000000000001e
+[ 16.582332] RBP: 00007ffff7559840 R08: 0000000000000004 R09: 0000000000000000
+[ 16.582333] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000bb80
+[ 16.582335] R13: 00005acc91702e80 R14: 00007ffff7559940 R15: 00005acc91702e80
+[ 16.582337] Modules linked in: rfcomm cmac algif_hash algif_skcipher af_alg uinput hid_google_hammer snd_soc_kbl_rt5663_max98927 snd_soc_hdac_hdmi snd_soc_dmic snd_soc_skl_ssp_clk snd_soc_skl snd_soc_sst_ipc snd_soc_sst_dsp snd_soc_hdac_hda snd_soc_acpi_intel_match snd_soc_acpi snd_hda_ext_core snd_intel_dspcfg snd_hda_codec snd_hwdep snd_hda_core ipu3_cio2 ipu3_imgu(C) videobuf2_v4l2 videobuf2_common videobuf2_dma_sg videobuf2_memops snd_soc_rt5663 snd_soc_max98927 snd_soc_rl6231 ov5670 ov13858 acpi_als v4l2_fwnode dw9714 fuse xt_MASQUERADE iio_trig_sysfs cros_ec_light_prox cros_ec_sensors cros_ec_sensors_core cros_ec_sensors_ring industrialio_triggered_buffer kfifo_buf industrialio cros_ec_sensorhub cdc_ether usbnet btusb btrtl btintel btbcm bluetooth ecdh_generic ecc lzo_rle lzo_compress iwlmvm zram iwl7000_mac80211 r8152 mii iwlwifi cfg80211 joydev
+[ 16.584243] gsmi: Log Shutdown Reason 0x03
+[ 16.584246] CR2: 0000000000000050
+[ 16.584248] ---[ end trace c8511d090c11edff ]---
+
+Suggested-by: Łukasz Majczak <lmajczak@google.com>
+Fixes: 2e5894d73789e ("ASoC: pcm: Add support for DAI multicodec")
+Signed-off-by: Tomasz Figa <tfiga@chromium.org>
+Acked-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://lore.kernel.org/r/20201014141624.4143453-1-tfiga@chromium.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/boards/kbl_rt5663_max98927.c | 39 ++++++++++++++++----
+ 1 file changed, 31 insertions(+), 8 deletions(-)
+
+diff --git a/sound/soc/intel/boards/kbl_rt5663_max98927.c b/sound/soc/intel/boards/kbl_rt5663_max98927.c
+index 3ea4602dfb3ee..9a4b3d0973f65 100644
+--- a/sound/soc/intel/boards/kbl_rt5663_max98927.c
++++ b/sound/soc/intel/boards/kbl_rt5663_max98927.c
+@@ -401,17 +401,40 @@ static int kabylake_ssp_fixup(struct snd_soc_pcm_runtime *rtd,
+ struct snd_interval *chan = hw_param_interval(params,
+ SNDRV_PCM_HW_PARAM_CHANNELS);
+ struct snd_mask *fmt = hw_param_mask(params, SNDRV_PCM_HW_PARAM_FORMAT);
+- struct snd_soc_dpcm *dpcm = container_of(
+- params, struct snd_soc_dpcm, hw_params);
+- struct snd_soc_dai_link *fe_dai_link = dpcm->fe->dai_link;
+- struct snd_soc_dai_link *be_dai_link = dpcm->be->dai_link;
++ struct snd_soc_dpcm *dpcm, *rtd_dpcm = NULL;
++
++ /*
++ * The following loop will be called only for playback stream
++ * In this platform, there is only one playback device on every SSP
++ */
++ for_each_dpcm_fe(rtd, SNDRV_PCM_STREAM_PLAYBACK, dpcm) {
++ rtd_dpcm = dpcm;
++ break;
++ }
++
++ /*
++ * This following loop will be called only for capture stream
++ * In this platform, there is only one capture device on every SSP
++ */
++ for_each_dpcm_fe(rtd, SNDRV_PCM_STREAM_CAPTURE, dpcm) {
++ rtd_dpcm = dpcm;
++ break;
++ }
++
++ if (!rtd_dpcm)
++ return -EINVAL;
++
++ /*
++ * The above 2 loops are mutually exclusive based on the stream direction,
++ * thus rtd_dpcm variable will never be overwritten
++ */
+
+ /*
+ * The ADSP will convert the FE rate to 48k, stereo, 24 bit
+ */
+- if (!strcmp(fe_dai_link->name, "Kbl Audio Port") ||
+- !strcmp(fe_dai_link->name, "Kbl Audio Headset Playback") ||
+- !strcmp(fe_dai_link->name, "Kbl Audio Capture Port")) {
++ if (!strcmp(rtd_dpcm->fe->dai_link->name, "Kbl Audio Port") ||
++ !strcmp(rtd_dpcm->fe->dai_link->name, "Kbl Audio Headset Playback") ||
++ !strcmp(rtd_dpcm->fe->dai_link->name, "Kbl Audio Capture Port")) {
+ rate->min = rate->max = 48000;
+ chan->min = chan->max = 2;
+ snd_mask_none(fmt);
+@@ -421,7 +444,7 @@ static int kabylake_ssp_fixup(struct snd_soc_pcm_runtime *rtd,
+ * The speaker on the SSP0 supports S16_LE and not S24_LE.
+ * thus changing the mask here
+ */
+- if (!strcmp(be_dai_link->name, "SSP0-Codec"))
++ if (!strcmp(rtd_dpcm->be->dai_link->name, "SSP0-Codec"))
+ snd_mask_set_format(fmt, SNDRV_PCM_FORMAT_S16_LE);
+
+ return 0;
+--
+2.27.0
+
--- /dev/null
+From 569c1356bc39fee1ebf16f4f58734451a7fb795f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Dec 2019 09:39:02 +0100
+Subject: can: can_create_echo_skb(): fix echo skb generation: always use
+ skb_clone()
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+[ Upstream commit 286228d382ba6320f04fa2e7c6fc8d4d92e428f4 ]
+
+All user space generated SKBs are owned by a socket (unless injected into the
+key via AF_PACKET). If a socket is closed, all associated skbs will be cleaned
+up.
+
+This leads to a problem when a CAN driver calls can_put_echo_skb() on a
+unshared SKB. If the socket is closed prior to the TX complete handler,
+can_get_echo_skb() and the subsequent delivering of the echo SKB to all
+registered callbacks, a SKB with a refcount of 0 is delivered.
+
+To avoid the problem, in can_get_echo_skb() the original SKB is now always
+cloned, regardless of shared SKB or not. If the process exists it can now
+safely discard its SKBs, without disturbing the delivery of the echo SKB.
+
+The problem shows up in the j1939 stack, when it clones the incoming skb, which
+detects the already 0 refcount.
+
+We can easily reproduce this with following example:
+
+testj1939 -B -r can0: &
+cansend can0 1823ff40#0123
+
+WARNING: CPU: 0 PID: 293 at lib/refcount.c:25 refcount_warn_saturate+0x108/0x174
+refcount_t: addition on 0; use-after-free.
+Modules linked in: coda_vpu imx_vdoa videobuf2_vmalloc dw_hdmi_ahb_audio vcan
+CPU: 0 PID: 293 Comm: cansend Not tainted 5.5.0-rc6-00376-g9e20dcb7040d #1
+Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
+Backtrace:
+[<c010f570>] (dump_backtrace) from [<c010f90c>] (show_stack+0x20/0x24)
+[<c010f8ec>] (show_stack) from [<c0c3e1a4>] (dump_stack+0x8c/0xa0)
+[<c0c3e118>] (dump_stack) from [<c0127fec>] (__warn+0xe0/0x108)
+[<c0127f0c>] (__warn) from [<c01283c8>] (warn_slowpath_fmt+0xa8/0xcc)
+[<c0128324>] (warn_slowpath_fmt) from [<c0539c0c>] (refcount_warn_saturate+0x108/0x174)
+[<c0539b04>] (refcount_warn_saturate) from [<c0ad2cac>] (j1939_can_recv+0x20c/0x210)
+[<c0ad2aa0>] (j1939_can_recv) from [<c0ac9dc8>] (can_rcv_filter+0xb4/0x268)
+[<c0ac9d14>] (can_rcv_filter) from [<c0aca2cc>] (can_receive+0xb0/0xe4)
+[<c0aca21c>] (can_receive) from [<c0aca348>] (can_rcv+0x48/0x98)
+[<c0aca300>] (can_rcv) from [<c09b1fdc>] (__netif_receive_skb_one_core+0x64/0x88)
+[<c09b1f78>] (__netif_receive_skb_one_core) from [<c09b2070>] (__netif_receive_skb+0x38/0x94)
+[<c09b2038>] (__netif_receive_skb) from [<c09b2130>] (netif_receive_skb_internal+0x64/0xf8)
+[<c09b20cc>] (netif_receive_skb_internal) from [<c09b21f8>] (netif_receive_skb+0x34/0x19c)
+[<c09b21c4>] (netif_receive_skb) from [<c0791278>] (can_rx_offload_napi_poll+0x58/0xb4)
+
+Fixes: 0ae89beb283a ("can: add destructor for self generated skbs")
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Link: http://lore.kernel.org/r/20200124132656.22156-1-o.rempel@pengutronix.de
+Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/can/skb.h | 20 ++++++++------------
+ 1 file changed, 8 insertions(+), 12 deletions(-)
+
+diff --git a/include/linux/can/skb.h b/include/linux/can/skb.h
+index 900b9f4e06054..fc61cf4eff1c9 100644
+--- a/include/linux/can/skb.h
++++ b/include/linux/can/skb.h
+@@ -61,21 +61,17 @@ static inline void can_skb_set_owner(struct sk_buff *skb, struct sock *sk)
+ */
+ static inline struct sk_buff *can_create_echo_skb(struct sk_buff *skb)
+ {
+- if (skb_shared(skb)) {
+- struct sk_buff *nskb = skb_clone(skb, GFP_ATOMIC);
++ struct sk_buff *nskb;
+
+- if (likely(nskb)) {
+- can_skb_set_owner(nskb, skb->sk);
+- consume_skb(skb);
+- return nskb;
+- } else {
+- kfree_skb(skb);
+- return NULL;
+- }
++ nskb = skb_clone(skb, GFP_ATOMIC);
++ if (unlikely(!nskb)) {
++ kfree_skb(skb);
++ return NULL;
+ }
+
+- /* we can assume to have an unshared skb with proper owner */
+- return skb;
++ can_skb_set_owner(nskb, skb->sk);
++ consume_skb(skb);
++ return nskb;
+ }
+
+ #endif /* !_CAN_SKB_H */
+--
+2.27.0
+
--- /dev/null
+From 852196da891535003d3192dfbf57584c046a6f3c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Oct 2020 08:44:43 +0200
+Subject: can: dev: __can_get_echo_skb(): fix real payload length return value
+ for RTR frames
+
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+
+[ Upstream commit ed3320cec279407a86bc4c72edc4a39eb49165ec ]
+
+The can_get_echo_skb() function returns the number of received bytes to
+be used for netdev statistics. In the case of RTR frames we get a valid
+(potential non-zero) data length value which has to be passed for further
+operations. But on the wire RTR frames have no payload length. Therefore
+the value to be used in the statistics has to be zero for RTR frames.
+
+Reported-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Link: https://lore.kernel.org/r/20201020064443.80164-1-socketcan@hartkopp.net
+Fixes: cf5046b309b3 ("can: dev: let can_get_echo_skb() return dlc of CAN frame")
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/dev.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c
+index e291fda395a0f..d5e52ffc7ed25 100644
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -486,9 +486,13 @@ __can_get_echo_skb(struct net_device *dev, unsigned int idx, u8 *len_ptr)
+ */
+ struct sk_buff *skb = priv->echo_skb[idx];
+ struct canfd_frame *cf = (struct canfd_frame *)skb->data;
+- u8 len = cf->len;
+
+- *len_ptr = len;
++ /* get the real payload length for netdev statistics */
++ if (cf->can_id & CAN_RTR_FLAG)
++ *len_ptr = 0;
++ else
++ *len_ptr = cf->len;
++
+ priv->echo_skb[idx] = NULL;
+
+ return skb;
+--
+2.27.0
+
--- /dev/null
+From c94de5b05217edda78d390cbd1b411e088adf8d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 3 Oct 2020 00:41:45 +0900
+Subject: can: dev: can_get_echo_skb(): prevent call to kfree_skb() in hard IRQ
+ context
+
+From: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+
+[ Upstream commit 2283f79b22684d2812e5c76fc2280aae00390365 ]
+
+If a driver calls can_get_echo_skb() during a hardware IRQ (which is often, but
+not always, the case), the 'WARN_ON(in_irq)' in
+net/core/skbuff.c#skb_release_head_state() might be triggered, under network
+congestion circumstances, together with the potential risk of a NULL pointer
+dereference.
+
+The root cause of this issue is the call to kfree_skb() instead of
+dev_kfree_skb_irq() in net/core/dev.c#enqueue_to_backlog().
+
+This patch prevents the skb to be freed within the call to netif_rx() by
+incrementing its reference count with skb_get(). The skb is finally freed by
+one of the in-irq-context safe functions: dev_consume_skb_any() or
+dev_kfree_skb_any(). The "any" version is used because some drivers might call
+can_get_echo_skb() in a normal context.
+
+The reason for this issue to occur is that initially, in the core network
+stack, loopback skb were not supposed to be received in hardware IRQ context.
+The CAN stack is an exeption.
+
+This bug was previously reported back in 2017 in [1] but the proposed patch
+never got accepted.
+
+While [1] directly modifies net/core/dev.c, we try to propose here a
+smoother modification local to CAN network stack (the assumption
+behind is that only CAN devices are affected by this issue).
+
+[1] http://lore.kernel.org/r/57a3ffb6-3309-3ad5-5a34-e93c3fe3614d@cetitec.com
+
+Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+Link: https://lore.kernel.org/r/20201002154219.4887-2-mailhol.vincent@wanadoo.fr
+Fixes: 39549eef3587 ("can: CAN Network device driver and Netlink interface")
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/dev.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c
+index 68834a2853c9d..e291fda395a0f 100644
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -512,7 +512,11 @@ unsigned int can_get_echo_skb(struct net_device *dev, unsigned int idx)
+ if (!skb)
+ return 0;
+
+- netif_rx(skb);
++ skb_get(skb);
++ if (netif_rx(skb) == NET_RX_SUCCESS)
++ dev_consume_skb_any(skb);
++ else
++ dev_kfree_skb_any(skb);
+
+ return len;
+ }
+--
+2.27.0
+
--- /dev/null
+From 8ea425f85d44db83e6aad6821baeb0d91a959046 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Oct 2020 02:45:27 +0800
+Subject: can: flexcan: flexcan_remove(): disable wakeup completely
+
+From: Joakim Zhang <qiangqing.zhang@nxp.com>
+
+[ Upstream commit ab07ff1c92fa60f29438e655a1b4abab860ed0b6 ]
+
+With below sequence, we can see wakeup default is enabled after re-load module,
+if it was enabled before, so we need disable wakeup in flexcan_remove().
+
+| # cat /sys/bus/platform/drivers/flexcan/5a8e0000.can/power/wakeup
+| disabled
+| # echo enabled > /sys/bus/platform/drivers/flexcan/5a8e0000.can/power/wakeup
+| # cat /sys/bus/platform/drivers/flexcan/5a8e0000.can/power/wakeup
+| enabled
+| # rmmod flexcan
+| # modprobe flexcan
+| # cat /sys/bus/platform/drivers/flexcan/5a8e0000.can/power/wakeup
+| enabled
+
+Fixes: de3578c198c6 ("can: flexcan: add self wakeup support")
+Fixes: 915f9666421c ("can: flexcan: add support for DT property 'wakeup-source'")
+Signed-off-by: Joakim Zhang <qiangqing.zhang@nxp.com>
+Link: https://lore.kernel.org/r/20201020184527.8190-1-qiangqing.zhang@nxp.com
+[mkl: streamlined commit message]
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/flexcan.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c
+index bc504e09f2259..a330d6c56242e 100644
+--- a/drivers/net/can/flexcan.c
++++ b/drivers/net/can/flexcan.c
+@@ -1695,6 +1695,8 @@ static int flexcan_remove(struct platform_device *pdev)
+ {
+ struct net_device *dev = platform_get_drvdata(pdev);
+
++ device_set_wakeup_enable(&pdev->dev, false);
++ device_set_wakeup_capable(&pdev->dev, false);
+ unregister_flexcandev(dev);
+ pm_runtime_disable(&pdev->dev);
+ free_candev(dev);
+--
+2.27.0
+
--- /dev/null
+From d4c641dae7d15e5f0dc7425aa18b2d6e35c81d07 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Oct 2020 23:53:55 +0800
+Subject: can: flexcan: remove FLEXCAN_QUIRK_DISABLE_MECR quirk for LS1021A
+
+From: Joakim Zhang <qiangqing.zhang@nxp.com>
+
+[ Upstream commit 018799649071a1638c0c130526af36747df4355a ]
+
+After double check with Layerscape CAN owner (Pankaj Bansal), confirm that
+LS1021A doesn't support ECC feature, so remove FLEXCAN_QUIRK_DISABLE_MECR
+quirk.
+
+Fixes: 99b7668c04b27 ("can: flexcan: adding platform specific details for LS1021A")
+Cc: Pankaj Bansal <pankaj.bansal@nxp.com>
+Signed-off-by: Joakim Zhang <qiangqing.zhang@nxp.com>
+Link: https://lore.kernel.org/r/20201020155402.30318-4-qiangqing.zhang@nxp.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/flexcan.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/can/flexcan.c b/drivers/net/can/flexcan.c
+index bc21a82cf3a76..bc504e09f2259 100644
+--- a/drivers/net/can/flexcan.c
++++ b/drivers/net/can/flexcan.c
+@@ -321,8 +321,7 @@ static const struct flexcan_devtype_data fsl_vf610_devtype_data = {
+
+ static const struct flexcan_devtype_data fsl_ls1021a_r2_devtype_data = {
+ .quirks = FLEXCAN_QUIRK_DISABLE_RXFG | FLEXCAN_QUIRK_ENABLE_EACEN_RRS |
+- FLEXCAN_QUIRK_DISABLE_MECR | FLEXCAN_QUIRK_BROKEN_PERR_STATE |
+- FLEXCAN_QUIRK_USE_OFF_TIMESTAMP,
++ FLEXCAN_QUIRK_BROKEN_PERR_STATE | FLEXCAN_QUIRK_USE_OFF_TIMESTAMP,
+ };
+
+ static const struct can_bittiming_const flexcan_bittiming_const = {
+--
+2.27.0
+
--- /dev/null
+From eae4ba757e4d408654ab56aa86354eeb90eefcf9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Sep 2020 14:31:48 +0800
+Subject: can: j1939: j1939_sk_bind(): return failure if netdev is down
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit 08c487d8d807535f509ed80c6a10ad90e6872139 ]
+
+When a netdev down event occurs after a successful call to
+j1939_sk_bind(), j1939_netdev_notify() can handle it correctly.
+
+But if the netdev already in down state before calling j1939_sk_bind(),
+j1939_sk_release() will stay in wait_event_interruptible() blocked
+forever. Because in this case, j1939_netdev_notify() won't be called and
+j1939_tp_txtimer() won't call j1939_session_cancel() or other function
+to clear session for ENETDOWN error, this lead to mismatch of
+j1939_session_get/put() and jsk->skb_pending will never decrease to
+zero.
+
+To reproduce it use following commands:
+1. ip link add dev vcan0 type vcan
+2. j1939acd -r 100,80-120 1122334455667788 vcan0
+3. presses ctrl-c and thread will be blocked forever
+
+This patch adds check for ndev->flags in j1939_sk_bind() to avoid this
+kind of situation and return with -ENETDOWN.
+
+Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Link: https://lore.kernel.org/r/1599460308-18770-1-git-send-email-zhangchangzhong@huawei.com
+Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/can/j1939/socket.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/can/j1939/socket.c b/net/can/j1939/socket.c
+index 1be4c898b2fa8..f23966526a885 100644
+--- a/net/can/j1939/socket.c
++++ b/net/can/j1939/socket.c
+@@ -475,6 +475,12 @@ static int j1939_sk_bind(struct socket *sock, struct sockaddr *uaddr, int len)
+ goto out_release_sock;
+ }
+
++ if (!(ndev->flags & IFF_UP)) {
++ dev_put(ndev);
++ ret = -ENETDOWN;
++ goto out_release_sock;
++ }
++
+ priv = j1939_netdev_start(ndev);
+ dev_put(ndev);
+ if (IS_ERR(priv)) {
+--
+2.27.0
+
--- /dev/null
+From 3502972a770226abf7ccb42324c7755ee1da8a13 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Oct 2020 10:37:08 +0200
+Subject: can: j1939: swap addr and pgn in the send example
+
+From: Yegor Yefremov <yegorslists@googlemail.com>
+
+[ Upstream commit ea780d39b1888ed5afc243c29b23d9bdb3828c7a ]
+
+The address was wrongly assigned to the PGN field and vice versa.
+
+Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
+Link: https://lore.kernel.org/r/20201022083708.8755-1-yegorslists@googlemail.com
+Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/networking/j1939.rst | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Documentation/networking/j1939.rst b/Documentation/networking/j1939.rst
+index f5be243d250a4..4b0db514b2010 100644
+--- a/Documentation/networking/j1939.rst
++++ b/Documentation/networking/j1939.rst
+@@ -414,8 +414,8 @@ Send:
+ .can_family = AF_CAN,
+ .can_addr.j1939 = {
+ .name = J1939_NO_NAME;
+- .pgn = 0x30,
+- .addr = 0x12300,
++ .addr = 0x30,
++ .pgn = 0x12300,
+ },
+ };
+
+--
+2.27.0
+
--- /dev/null
+From 403a89e2f717c3540f88ffb933a9ad942331ffe9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Oct 2020 17:39:47 +0200
+Subject: can: peak_canfd: pucan_handle_can_rx(): fix echo management when
+ loopback is on
+
+From: Stephane Grosjean <s.grosjean@peak-system.com>
+
+[ Upstream commit 93ef65e5a6357cc7381f85fcec9283fe29970045 ]
+
+Echo management is driven by PUCAN_MSG_LOOPED_BACK bit, while loopback
+frames are identified with PUCAN_MSG_SELF_RECEIVE bit. Those bits are set
+for each outgoing frame written to the IP core so that a copy of each one
+will be placed into the rx path. Thus,
+
+- when PUCAN_MSG_LOOPED_BACK is set then the rx frame is an echo of a
+ previously sent frame,
+- when PUCAN_MSG_LOOPED_BACK+PUCAN_MSG_SELF_RECEIVE are set, then the rx
+ frame is an echo AND a loopback frame. Therefore, this frame must be
+ put into the socket rx path too.
+
+This patch fixes how CAN frames are handled when these are sent while the
+can interface is configured in "loopback on" mode.
+
+Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com>
+Link: https://lore.kernel.org/r/20201013153947.28012-1-s.grosjean@peak-system.com
+Fixes: 8ac8321e4a79 ("can: peak: add support for PEAK PCAN-PCIe FD CAN-FD boards")
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/peak_canfd/peak_canfd.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/can/peak_canfd/peak_canfd.c b/drivers/net/can/peak_canfd/peak_canfd.c
+index 10aa3e457c33d..40c33b8a5fda3 100644
+--- a/drivers/net/can/peak_canfd/peak_canfd.c
++++ b/drivers/net/can/peak_canfd/peak_canfd.c
+@@ -262,8 +262,7 @@ static int pucan_handle_can_rx(struct peak_canfd_priv *priv,
+ cf_len = get_can_dlc(pucan_msg_get_dlc(msg));
+
+ /* if this frame is an echo, */
+- if ((rx_msg_flags & PUCAN_MSG_LOOPED_BACK) &&
+- !(rx_msg_flags & PUCAN_MSG_SELF_RECEIVE)) {
++ if (rx_msg_flags & PUCAN_MSG_LOOPED_BACK) {
+ unsigned long flags;
+
+ spin_lock_irqsave(&priv->echo_lock, flags);
+@@ -277,7 +276,13 @@ static int pucan_handle_can_rx(struct peak_canfd_priv *priv,
+ netif_wake_queue(priv->ndev);
+
+ spin_unlock_irqrestore(&priv->echo_lock, flags);
+- return 0;
++
++ /* if this frame is only an echo, stop here. Otherwise,
++ * continue to push this application self-received frame into
++ * its own rx queue.
++ */
++ if (!(rx_msg_flags & PUCAN_MSG_SELF_RECEIVE))
++ return 0;
+ }
+
+ /* otherwise, it should be pushed into rx fifo */
+--
+2.27.0
+
--- /dev/null
+From 3123c58a778c43d5d161b3c3d3e5755f1cc14e59 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Aug 2020 17:06:04 +0300
+Subject: can: peak_usb: add range checking in decode operations
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit a6921dd524fe31d1f460c161d3526a407533b6db ]
+
+These values come from skb->data so Smatch considers them untrusted. I
+believe Smatch is correct but I don't have a way to test this.
+
+The usb_if->dev[] array has 2 elements but the index is in the 0-15
+range without checks. The cfd->len can be up to 255 but the maximum
+valid size is CANFD_MAX_DLEN (64) so that could lead to memory
+corruption.
+
+Fixes: 0a25e1f4f185 ("can: peak_usb: add support for PEAK new CANFD USB adapters")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/20200813140604.GA456946@mwanda
+Acked-by: Stephane Grosjean <s.grosjean@peak-system.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/usb/peak_usb/pcan_usb_fd.c | 48 +++++++++++++++++-----
+ 1 file changed, 37 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
+index 47cc1ff5b88e8..dee3e689b54da 100644
+--- a/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb_fd.c
+@@ -468,12 +468,18 @@ static int pcan_usb_fd_decode_canmsg(struct pcan_usb_fd_if *usb_if,
+ struct pucan_msg *rx_msg)
+ {
+ struct pucan_rx_msg *rm = (struct pucan_rx_msg *)rx_msg;
+- struct peak_usb_device *dev = usb_if->dev[pucan_msg_get_channel(rm)];
+- struct net_device *netdev = dev->netdev;
++ struct peak_usb_device *dev;
++ struct net_device *netdev;
+ struct canfd_frame *cfd;
+ struct sk_buff *skb;
+ const u16 rx_msg_flags = le16_to_cpu(rm->flags);
+
++ if (pucan_msg_get_channel(rm) >= ARRAY_SIZE(usb_if->dev))
++ return -ENOMEM;
++
++ dev = usb_if->dev[pucan_msg_get_channel(rm)];
++ netdev = dev->netdev;
++
+ if (rx_msg_flags & PUCAN_MSG_EXT_DATA_LEN) {
+ /* CANFD frame case */
+ skb = alloc_canfd_skb(netdev, &cfd);
+@@ -519,15 +525,21 @@ static int pcan_usb_fd_decode_status(struct pcan_usb_fd_if *usb_if,
+ struct pucan_msg *rx_msg)
+ {
+ struct pucan_status_msg *sm = (struct pucan_status_msg *)rx_msg;
+- struct peak_usb_device *dev = usb_if->dev[pucan_stmsg_get_channel(sm)];
+- struct pcan_usb_fd_device *pdev =
+- container_of(dev, struct pcan_usb_fd_device, dev);
++ struct pcan_usb_fd_device *pdev;
+ enum can_state new_state = CAN_STATE_ERROR_ACTIVE;
+ enum can_state rx_state, tx_state;
+- struct net_device *netdev = dev->netdev;
++ struct peak_usb_device *dev;
++ struct net_device *netdev;
+ struct can_frame *cf;
+ struct sk_buff *skb;
+
++ if (pucan_stmsg_get_channel(sm) >= ARRAY_SIZE(usb_if->dev))
++ return -ENOMEM;
++
++ dev = usb_if->dev[pucan_stmsg_get_channel(sm)];
++ pdev = container_of(dev, struct pcan_usb_fd_device, dev);
++ netdev = dev->netdev;
++
+ /* nothing should be sent while in BUS_OFF state */
+ if (dev->can.state == CAN_STATE_BUS_OFF)
+ return 0;
+@@ -579,9 +591,14 @@ static int pcan_usb_fd_decode_error(struct pcan_usb_fd_if *usb_if,
+ struct pucan_msg *rx_msg)
+ {
+ struct pucan_error_msg *er = (struct pucan_error_msg *)rx_msg;
+- struct peak_usb_device *dev = usb_if->dev[pucan_ermsg_get_channel(er)];
+- struct pcan_usb_fd_device *pdev =
+- container_of(dev, struct pcan_usb_fd_device, dev);
++ struct pcan_usb_fd_device *pdev;
++ struct peak_usb_device *dev;
++
++ if (pucan_ermsg_get_channel(er) >= ARRAY_SIZE(usb_if->dev))
++ return -EINVAL;
++
++ dev = usb_if->dev[pucan_ermsg_get_channel(er)];
++ pdev = container_of(dev, struct pcan_usb_fd_device, dev);
+
+ /* keep a trace of tx and rx error counters for later use */
+ pdev->bec.txerr = er->tx_err_cnt;
+@@ -595,11 +612,17 @@ static int pcan_usb_fd_decode_overrun(struct pcan_usb_fd_if *usb_if,
+ struct pucan_msg *rx_msg)
+ {
+ struct pcan_ufd_ovr_msg *ov = (struct pcan_ufd_ovr_msg *)rx_msg;
+- struct peak_usb_device *dev = usb_if->dev[pufd_omsg_get_channel(ov)];
+- struct net_device *netdev = dev->netdev;
++ struct peak_usb_device *dev;
++ struct net_device *netdev;
+ struct can_frame *cf;
+ struct sk_buff *skb;
+
++ if (pufd_omsg_get_channel(ov) >= ARRAY_SIZE(usb_if->dev))
++ return -EINVAL;
++
++ dev = usb_if->dev[pufd_omsg_get_channel(ov)];
++ netdev = dev->netdev;
++
+ /* allocate an skb to store the error frame */
+ skb = alloc_can_err_skb(netdev, &cf);
+ if (!skb)
+@@ -716,6 +739,9 @@ static int pcan_usb_fd_encode_msg(struct peak_usb_device *dev,
+ u16 tx_msg_size, tx_msg_flags;
+ u8 can_dlc;
+
++ if (cfd->len > CANFD_MAX_DLEN)
++ return -EINVAL;
++
+ tx_msg_size = ALIGN(sizeof(struct pucan_tx_msg) + cfd->len, 4);
+ tx_msg->size = cpu_to_le16(tx_msg_size);
+ tx_msg->type = cpu_to_le16(PUCAN_MSG_CAN_TX);
+--
+2.27.0
+
--- /dev/null
+From 5a1e9ceca163ffd944ea01f6efbade9c33f353f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Oct 2020 10:56:31 +0200
+Subject: can: peak_usb: peak_usb_get_ts_time(): fix timestamp wrapping
+
+From: Stephane Grosjean <s.grosjean@peak-system.com>
+
+[ Upstream commit ecc7b4187dd388549544195fb13a11b4ea8e6a84 ]
+
+Fabian Inostroza <fabianinostrozap@gmail.com> has discovered a potential
+problem in the hardware timestamp reporting from the PCAN-USB USB CAN interface
+(only), related to the fact that a timestamp of an event may precede the
+timestamp used for synchronization when both records are part of the same USB
+packet. However, this case was used to detect the wrapping of the time counter.
+
+This patch details and fixes the two identified cases where this problem can
+occur.
+
+Reported-by: Fabian Inostroza <fabianinostrozap@gmail.com>
+Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com>
+Link: https://lore.kernel.org/r/20201014085631.15128-1-s.grosjean@peak-system.com
+Fixes: bb4785551f64 ("can: usb: PEAK-System Technik USB adapters driver core")
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/usb/peak_usb/pcan_usb_core.c | 51 ++++++++++++++++++--
+ 1 file changed, 46 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_core.c b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
+index d91df34e7fa88..c2764799f9efb 100644
+--- a/drivers/net/can/usb/peak_usb/pcan_usb_core.c
++++ b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
+@@ -130,14 +130,55 @@ void peak_usb_get_ts_time(struct peak_time_ref *time_ref, u32 ts, ktime_t *time)
+ /* protect from getting time before setting now */
+ if (ktime_to_ns(time_ref->tv_host)) {
+ u64 delta_us;
++ s64 delta_ts = 0;
++
++ /* General case: dev_ts_1 < dev_ts_2 < ts, with:
++ *
++ * - dev_ts_1 = previous sync timestamp
++ * - dev_ts_2 = last sync timestamp
++ * - ts = event timestamp
++ * - ts_period = known sync period (theoretical)
++ * ~ dev_ts2 - dev_ts1
++ * *but*:
++ *
++ * - time counters wrap (see adapter->ts_used_bits)
++ * - sometimes, dev_ts_1 < ts < dev_ts2
++ *
++ * "normal" case (sync time counters increase):
++ * must take into account case when ts wraps (tsw)
++ *
++ * < ts_period > < >
++ * | | |
++ * ---+--------+----+-------0-+--+-->
++ * ts_dev_1 | ts_dev_2 |
++ * ts tsw
++ */
++ if (time_ref->ts_dev_1 < time_ref->ts_dev_2) {
++ /* case when event time (tsw) wraps */
++ if (ts < time_ref->ts_dev_1)
++ delta_ts = 1 << time_ref->adapter->ts_used_bits;
++
++ /* Otherwise, sync time counter (ts_dev_2) has wrapped:
++ * handle case when event time (tsn) hasn't.
++ *
++ * < ts_period > < >
++ * | | |
++ * ---+--------+--0-+---------+--+-->
++ * ts_dev_1 | ts_dev_2 |
++ * tsn ts
++ */
++ } else if (time_ref->ts_dev_1 < ts) {
++ delta_ts = -(1 << time_ref->adapter->ts_used_bits);
++ }
+
+- delta_us = ts - time_ref->ts_dev_2;
+- if (ts < time_ref->ts_dev_2)
+- delta_us &= (1 << time_ref->adapter->ts_used_bits) - 1;
++ /* add delay between last sync and event timestamps */
++ delta_ts += (signed int)(ts - time_ref->ts_dev_2);
+
+- delta_us += time_ref->ts_total;
++ /* add time from beginning to last sync */
++ delta_ts += time_ref->ts_total;
+
+- delta_us *= time_ref->adapter->us_per_ts_scale;
++ /* convert ticks number into microseconds */
++ delta_us = delta_ts * time_ref->adapter->us_per_ts_scale;
+ delta_us >>= time_ref->adapter->us_per_ts_shift;
+
+ *time = ktime_add_us(time_ref->tv_host_0, delta_us);
+--
+2.27.0
+
--- /dev/null
+From 91a796aa525b3cd36419526bd7385b4e40b6815a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Jun 2020 12:47:06 +0200
+Subject: can: rx-offload: don't call kfree_skb() from IRQ context
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+[ Upstream commit 2ddd6bfe7bdbb6c661835c3ff9cab8e0769940a6 ]
+
+A CAN driver, using the rx-offload infrastructure, is reading CAN frames
+(usually in IRQ context) from the hardware and placing it into the rx-offload
+queue to be delivered to the networking stack via NAPI.
+
+In case the rx-offload queue is full, trying to add more skbs results in the
+skbs being dropped using kfree_skb(). If done from hard-IRQ context this
+results in the following warning:
+
+[ 682.552693] ------------[ cut here ]------------
+[ 682.557360] WARNING: CPU: 0 PID: 3057 at net/core/skbuff.c:650 skb_release_head_state+0x74/0x84
+[ 682.566075] Modules linked in: can_raw can coda_vpu flexcan dw_hdmi_ahb_audio v4l2_jpeg imx_vdoa can_dev
+[ 682.575597] CPU: 0 PID: 3057 Comm: cansend Tainted: G W 5.7.0+ #18
+[ 682.583098] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
+[ 682.589657] [<c0112628>] (unwind_backtrace) from [<c010c1c4>] (show_stack+0x10/0x14)
+[ 682.597423] [<c010c1c4>] (show_stack) from [<c06c481c>] (dump_stack+0xe0/0x114)
+[ 682.604759] [<c06c481c>] (dump_stack) from [<c0128f10>] (__warn+0xc0/0x10c)
+[ 682.611742] [<c0128f10>] (__warn) from [<c0129314>] (warn_slowpath_fmt+0x5c/0xc0)
+[ 682.619248] [<c0129314>] (warn_slowpath_fmt) from [<c0b95dec>] (skb_release_head_state+0x74/0x84)
+[ 682.628143] [<c0b95dec>] (skb_release_head_state) from [<c0b95e08>] (skb_release_all+0xc/0x24)
+[ 682.636774] [<c0b95e08>] (skb_release_all) from [<c0b95eac>] (kfree_skb+0x74/0x1c8)
+[ 682.644479] [<c0b95eac>] (kfree_skb) from [<bf001d1c>] (can_rx_offload_queue_sorted+0xe0/0xe8 [can_dev])
+[ 682.654051] [<bf001d1c>] (can_rx_offload_queue_sorted [can_dev]) from [<bf001d6c>] (can_rx_offload_get_echo_skb+0x48/0x94 [can_dev])
+[ 682.666007] [<bf001d6c>] (can_rx_offload_get_echo_skb [can_dev]) from [<bf01efe4>] (flexcan_irq+0x194/0x5dc [flexcan])
+[ 682.676734] [<bf01efe4>] (flexcan_irq [flexcan]) from [<c019c1ec>] (__handle_irq_event_percpu+0x4c/0x3ec)
+[ 682.686322] [<c019c1ec>] (__handle_irq_event_percpu) from [<c019c5b8>] (handle_irq_event_percpu+0x2c/0x88)
+[ 682.695993] [<c019c5b8>] (handle_irq_event_percpu) from [<c019c64c>] (handle_irq_event+0x38/0x5c)
+[ 682.704887] [<c019c64c>] (handle_irq_event) from [<c01a1058>] (handle_fasteoi_irq+0xc8/0x180)
+[ 682.713432] [<c01a1058>] (handle_fasteoi_irq) from [<c019b2c0>] (generic_handle_irq+0x30/0x44)
+[ 682.722063] [<c019b2c0>] (generic_handle_irq) from [<c019b8f8>] (__handle_domain_irq+0x64/0xdc)
+[ 682.730783] [<c019b8f8>] (__handle_domain_irq) from [<c06df4a4>] (gic_handle_irq+0x48/0x9c)
+[ 682.739158] [<c06df4a4>] (gic_handle_irq) from [<c0100b30>] (__irq_svc+0x70/0x98)
+[ 682.746656] Exception stack(0xe80e9dd8 to 0xe80e9e20)
+[ 682.751725] 9dc0: 00000001 e80e8000
+[ 682.759922] 9de0: e820cf80 00000000 ffffe000 00000000 eaf08fe4 00000000 600d0013 00000000
+[ 682.768117] 9e00: c1732e3c c16093a8 e820d4c0 e80e9e28 c018a57c c018b870 600d0013 ffffffff
+[ 682.776315] [<c0100b30>] (__irq_svc) from [<c018b870>] (lock_acquire+0x108/0x4e8)
+[ 682.783821] [<c018b870>] (lock_acquire) from [<c0e938e4>] (down_write+0x48/0xa8)
+[ 682.791242] [<c0e938e4>] (down_write) from [<c02818dc>] (unlink_file_vma+0x24/0x40)
+[ 682.798922] [<c02818dc>] (unlink_file_vma) from [<c027a258>] (free_pgtables+0x34/0xb8)
+[ 682.806858] [<c027a258>] (free_pgtables) from [<c02835a4>] (exit_mmap+0xe4/0x170)
+[ 682.814361] [<c02835a4>] (exit_mmap) from [<c01248e0>] (mmput+0x5c/0x110)
+[ 682.821171] [<c01248e0>] (mmput) from [<c012e910>] (do_exit+0x374/0xbe4)
+[ 682.827892] [<c012e910>] (do_exit) from [<c0130888>] (do_group_exit+0x38/0xb4)
+[ 682.835132] [<c0130888>] (do_group_exit) from [<c0130914>] (__wake_up_parent+0x0/0x14)
+[ 682.843063] irq event stamp: 1936
+[ 682.846399] hardirqs last enabled at (1935): [<c02938b0>] rmqueue+0xf4/0xc64
+[ 682.853553] hardirqs last disabled at (1936): [<c0100b20>] __irq_svc+0x60/0x98
+[ 682.860799] softirqs last enabled at (1878): [<bf04cdcc>] raw_release+0x108/0x1f0 [can_raw]
+[ 682.869256] softirqs last disabled at (1876): [<c0b8f478>] release_sock+0x18/0x98
+[ 682.876753] ---[ end trace 7bca4751ce44c444 ]---
+
+This patch fixes the problem by replacing the kfree_skb() by
+dev_kfree_skb_any(), as rx-offload might be called from threaded IRQ handlers
+as well.
+
+Fixes: ca913f1ac024 ("can: rx-offload: can_rx_offload_queue_sorted(): fix error handling, avoid skb mem leak")
+Fixes: 6caf8a6d6586 ("can: rx-offload: can_rx_offload_queue_tail(): fix error handling, avoid skb mem leak")
+Link: http://lore.kernel.org/r/20201019190524.1285319-3-mkl@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/rx-offload.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/can/rx-offload.c b/drivers/net/can/rx-offload.c
+index e8328910a2349..0283b5cad746a 100644
+--- a/drivers/net/can/rx-offload.c
++++ b/drivers/net/can/rx-offload.c
+@@ -245,7 +245,7 @@ int can_rx_offload_queue_sorted(struct can_rx_offload *offload,
+
+ if (skb_queue_len(&offload->skb_queue) >
+ offload->skb_queue_len_max) {
+- kfree_skb(skb);
++ dev_kfree_skb_any(skb);
+ return -ENOBUFS;
+ }
+
+@@ -290,7 +290,7 @@ int can_rx_offload_queue_tail(struct can_rx_offload *offload,
+ {
+ if (skb_queue_len(&offload->skb_queue) >
+ offload->skb_queue_len_max) {
+- kfree_skb(skb);
++ dev_kfree_skb_any(skb);
+ return -ENOBUFS;
+ }
+
+--
+2.27.0
+
--- /dev/null
+From 64e42151eb0cdfe0e71d89c906b52775f46b8140 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Jul 2020 16:04:39 +0800
+Subject: can: ti_hecc: ti_hecc_probe(): add missed clk_disable_unprepare() in
+ error path
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit e002103b36a695f7cb6048b96da73e66c86ddffb ]
+
+The driver forgets to call clk_disable_unprepare() in error path after
+a success calling for clk_prepare_enable().
+
+Fix it by adding a clk_disable_unprepare() in error path.
+
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Link: https://lore.kernel.org/r/1594973079-27743-1-git-send-email-zhangchangzhong@huawei.com
+Fixes: befa60113ce7 ("can: ti_hecc: add missing prepare and unprepare of the clock")
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/ti_hecc.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/can/ti_hecc.c b/drivers/net/can/ti_hecc.c
+index 94b1491b569f3..228ecd45ca6c1 100644
+--- a/drivers/net/can/ti_hecc.c
++++ b/drivers/net/can/ti_hecc.c
+@@ -950,7 +950,7 @@ static int ti_hecc_probe(struct platform_device *pdev)
+ err = clk_prepare_enable(priv->clk);
+ if (err) {
+ dev_err(&pdev->dev, "clk_prepare_enable() failed\n");
+- goto probe_exit_clk;
++ goto probe_exit_release_clk;
+ }
+
+ priv->offload.mailbox_read = ti_hecc_mailbox_read;
+@@ -959,7 +959,7 @@ static int ti_hecc_probe(struct platform_device *pdev)
+ err = can_rx_offload_add_timestamp(ndev, &priv->offload);
+ if (err) {
+ dev_err(&pdev->dev, "can_rx_offload_add_timestamp() failed\n");
+- goto probe_exit_clk;
++ goto probe_exit_disable_clk;
+ }
+
+ err = register_candev(ndev);
+@@ -977,7 +977,9 @@ static int ti_hecc_probe(struct platform_device *pdev)
+
+ probe_exit_offload:
+ can_rx_offload_del(&priv->offload);
+-probe_exit_clk:
++probe_exit_disable_clk:
++ clk_disable_unprepare(priv->clk);
++probe_exit_release_clk:
+ clk_put(priv->clk);
+ probe_exit_candev:
+ free_candev(ndev);
+--
+2.27.0
+
--- /dev/null
+From 2ca6b2767c36bc9ee62a79cb26cae7231b896c0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Jun 2020 22:32:39 -0500
+Subject: can: xilinx_can: handle failure cases of pm_runtime_get_sync
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+[ Upstream commit 79c43333bdd5a7026a5aab606b53053b643585e7 ]
+
+Calling pm_runtime_get_sync increments the counter even in case of
+failure, causing incorrect ref count. Call pm_runtime_put if
+pm_runtime_get_sync fails.
+
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Link: https://lore.kernel.org/r/20200605033239.60664-1-navid.emamdoost@gmail.com
+Fixes: 4716620d1b62 ("can: xilinx: Convert to runtime_pm")
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/xilinx_can.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/can/xilinx_can.c b/drivers/net/can/xilinx_can.c
+index c1dbab8c896d5..748ff70f6a7bf 100644
+--- a/drivers/net/can/xilinx_can.c
++++ b/drivers/net/can/xilinx_can.c
+@@ -1391,7 +1391,7 @@ static int xcan_open(struct net_device *ndev)
+ if (ret < 0) {
+ netdev_err(ndev, "%s: pm_runtime_get failed(%d)\n",
+ __func__, ret);
+- return ret;
++ goto err;
+ }
+
+ ret = request_irq(ndev->irq, xcan_interrupt, priv->irq_flags,
+@@ -1475,6 +1475,7 @@ static int xcan_get_berr_counter(const struct net_device *ndev,
+ if (ret < 0) {
+ netdev_err(ndev, "%s: pm_runtime_get failed(%d)\n",
+ __func__, ret);
++ pm_runtime_put(priv->dev);
+ return ret;
+ }
+
+@@ -1789,7 +1790,7 @@ static int xcan_probe(struct platform_device *pdev)
+ if (ret < 0) {
+ netdev_err(ndev, "%s: pm_runtime_get failed(%d)\n",
+ __func__, ret);
+- goto err_pmdisable;
++ goto err_disableclks;
+ }
+
+ if (priv->read_reg(priv, XCAN_SR_OFFSET) != XCAN_SR_CONFIG_MASK) {
+@@ -1824,7 +1825,6 @@ static int xcan_probe(struct platform_device *pdev)
+
+ err_disableclks:
+ pm_runtime_put(priv->dev);
+-err_pmdisable:
+ pm_runtime_disable(&pdev->dev);
+ err_free:
+ free_candev(ndev);
+--
+2.27.0
+
--- /dev/null
+From 137b1125848af6a44ce33ca52c9c684998b3d99b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Oct 2020 09:39:06 -0400
+Subject: ceph: check session state after bumping session->s_seq
+
+From: Jeff Layton <jlayton@kernel.org>
+
+[ Upstream commit 62575e270f661aba64778cbc5f354511cf9abb21 ]
+
+Some messages sent by the MDS entail a session sequence number
+increment, and the MDS will drop certain types of requests on the floor
+when the sequence numbers don't match.
+
+In particular, a REQUEST_CLOSE message can cross with one of the
+sequence morphing messages from the MDS which can cause the client to
+stall, waiting for a response that will never come.
+
+Originally, this meant an up to 5s delay before the recurring workqueue
+job kicked in and resent the request, but a recent change made it so
+that the client would never resend, causing a 60s stall unmounting and
+sometimes a blockisting event.
+
+Add a new helper for incrementing the session sequence and then testing
+to see whether a REQUEST_CLOSE needs to be resent, and move the handling
+of CEPH_MDS_SESSION_CLOSING into that function. Change all of the
+bare sequence counter increments to use the new helper.
+
+Reorganize check_session_state with a switch statement. It should no
+longer be called when the session is CLOSING, so throw a warning if it
+ever is (but still handle that case sanely).
+
+[ idryomov: whitespace, pr_err() call fixup ]
+
+URL: https://tracker.ceph.com/issues/47563
+Fixes: fa9967734227 ("ceph: fix potential mdsc use-after-free crash")
+Reported-by: Patrick Donnelly <pdonnell@redhat.com>
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Reviewed-by: Xiubo Li <xiubli@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ceph/caps.c | 2 +-
+ fs/ceph/mds_client.c | 50 +++++++++++++++++++++++++++++++-------------
+ fs/ceph/mds_client.h | 1 +
+ fs/ceph/quota.c | 2 +-
+ fs/ceph/snap.c | 2 +-
+ 5 files changed, 39 insertions(+), 18 deletions(-)
+
+diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c
+index 034b3f4fdd3a7..64a64a29f5c79 100644
+--- a/fs/ceph/caps.c
++++ b/fs/ceph/caps.c
+@@ -4064,7 +4064,7 @@ void ceph_handle_caps(struct ceph_mds_session *session,
+ vino.snap, inode);
+
+ mutex_lock(&session->s_mutex);
+- session->s_seq++;
++ inc_session_sequence(session);
+ dout(" mds%d seq %lld cap seq %u\n", session->s_mds, session->s_seq,
+ (unsigned)seq);
+
+diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
+index 76d8d9495d1d4..b2214679baf4e 100644
+--- a/fs/ceph/mds_client.c
++++ b/fs/ceph/mds_client.c
+@@ -4227,7 +4227,7 @@ static void handle_lease(struct ceph_mds_client *mdsc,
+ dname.len, dname.name);
+
+ mutex_lock(&session->s_mutex);
+- session->s_seq++;
++ inc_session_sequence(session);
+
+ if (!inode) {
+ dout("handle_lease no inode %llx\n", vino.ino);
+@@ -4381,28 +4381,48 @@ static void maybe_recover_session(struct ceph_mds_client *mdsc)
+
+ bool check_session_state(struct ceph_mds_session *s)
+ {
+- if (s->s_state == CEPH_MDS_SESSION_CLOSING) {
+- dout("resending session close request for mds%d\n",
+- s->s_mds);
+- request_close_session(s);
+- return false;
+- }
+- if (s->s_ttl && time_after(jiffies, s->s_ttl)) {
+- if (s->s_state == CEPH_MDS_SESSION_OPEN) {
++ switch (s->s_state) {
++ case CEPH_MDS_SESSION_OPEN:
++ if (s->s_ttl && time_after(jiffies, s->s_ttl)) {
+ s->s_state = CEPH_MDS_SESSION_HUNG;
+ pr_info("mds%d hung\n", s->s_mds);
+ }
+- }
+- if (s->s_state == CEPH_MDS_SESSION_NEW ||
+- s->s_state == CEPH_MDS_SESSION_RESTARTING ||
+- s->s_state == CEPH_MDS_SESSION_CLOSED ||
+- s->s_state == CEPH_MDS_SESSION_REJECTED)
+- /* this mds is failed or recovering, just wait */
++ break;
++ case CEPH_MDS_SESSION_CLOSING:
++ /* Should never reach this when we're unmounting */
++ WARN_ON_ONCE(true);
++ fallthrough;
++ case CEPH_MDS_SESSION_NEW:
++ case CEPH_MDS_SESSION_RESTARTING:
++ case CEPH_MDS_SESSION_CLOSED:
++ case CEPH_MDS_SESSION_REJECTED:
+ return false;
++ }
+
+ return true;
+ }
+
++/*
++ * If the sequence is incremented while we're waiting on a REQUEST_CLOSE reply,
++ * then we need to retransmit that request.
++ */
++void inc_session_sequence(struct ceph_mds_session *s)
++{
++ lockdep_assert_held(&s->s_mutex);
++
++ s->s_seq++;
++
++ if (s->s_state == CEPH_MDS_SESSION_CLOSING) {
++ int ret;
++
++ dout("resending session close request for mds%d\n", s->s_mds);
++ ret = request_close_session(s);
++ if (ret < 0)
++ pr_err("unable to close session to mds%d: %d\n",
++ s->s_mds, ret);
++ }
++}
++
+ /*
+ * delayed work -- periodically trim expired leases, renew caps with mds
+ */
+diff --git a/fs/ceph/mds_client.h b/fs/ceph/mds_client.h
+index 658800605bfb4..11f20a4d36bc5 100644
+--- a/fs/ceph/mds_client.h
++++ b/fs/ceph/mds_client.h
+@@ -480,6 +480,7 @@ struct ceph_mds_client {
+ extern const char *ceph_mds_op_name(int op);
+
+ extern bool check_session_state(struct ceph_mds_session *s);
++void inc_session_sequence(struct ceph_mds_session *s);
+
+ extern struct ceph_mds_session *
+ __ceph_lookup_mds_session(struct ceph_mds_client *, int mds);
+diff --git a/fs/ceph/quota.c b/fs/ceph/quota.c
+index cc2c4d40b0222..2b213f864c564 100644
+--- a/fs/ceph/quota.c
++++ b/fs/ceph/quota.c
+@@ -53,7 +53,7 @@ void ceph_handle_quota(struct ceph_mds_client *mdsc,
+
+ /* increment msg sequence number */
+ mutex_lock(&session->s_mutex);
+- session->s_seq++;
++ inc_session_sequence(session);
+ mutex_unlock(&session->s_mutex);
+
+ /* lookup inode */
+diff --git a/fs/ceph/snap.c b/fs/ceph/snap.c
+index 923be9399b21c..cc9a9bfc790a3 100644
+--- a/fs/ceph/snap.c
++++ b/fs/ceph/snap.c
+@@ -873,7 +873,7 @@ void ceph_handle_snap(struct ceph_mds_client *mdsc,
+ ceph_snap_op_name(op), split, trace_len);
+
+ mutex_lock(&session->s_mutex);
+- session->s_seq++;
++ inc_session_sequence(session);
+ mutex_unlock(&session->s_mutex);
+
+ down_write(&mdsc->snap_rwsem);
+--
+2.27.0
+
--- /dev/null
+From ba4db06d47008d44d789bd54bf849665577a6468 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Sep 2020 13:14:52 -0400
+Subject: dm raid: fix discard limits for raid1 and raid10
+
+From: Mike Snitzer <snitzer@redhat.com>
+
+[ Upstream commit e0910c8e4f87bb9f767e61a778b0d9271c4dc512 ]
+
+Block core warned that discard_granularity was 0 for dm-raid with
+personality of raid1. Reason is that raid_io_hints() was incorrectly
+special-casing raid1 rather than raid0.
+
+But since commit 29efc390b9462 ("md/md0: optimize raid0 discard
+handling") even raid0 properly handles large discards.
+
+Fix raid_io_hints() by removing discard limits settings for raid1.
+Also, fix limits for raid10 by properly stacking underlying limits as
+done in blk_stack_limits().
+
+Depends-on: 29efc390b9462 ("md/md0: optimize raid0 discard handling")
+Fixes: 61697a6abd24a ("dm: eliminate 'split_discard_bios' flag from DM target interface")
+Cc: stable@vger.kernel.org
+Reported-by: Zdenek Kabelac <zkabelac@redhat.com>
+Reported-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm-raid.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/md/dm-raid.c b/drivers/md/dm-raid.c
+index 8d2b835d7a108..b45232f9b5c6c 100644
+--- a/drivers/md/dm-raid.c
++++ b/drivers/md/dm-raid.c
+@@ -3730,12 +3730,14 @@ static void raid_io_hints(struct dm_target *ti, struct queue_limits *limits)
+ blk_limits_io_opt(limits, chunk_size_bytes * mddev_data_stripes(rs));
+
+ /*
+- * RAID1 and RAID10 personalities require bio splitting,
+- * RAID0/4/5/6 don't and process large discard bios properly.
++ * RAID10 personality requires bio splitting,
++ * RAID0/1/4/5/6 don't and process large discard bios properly.
+ */
+- if (rs_is_raid1(rs) || rs_is_raid10(rs)) {
+- limits->discard_granularity = chunk_size_bytes;
+- limits->max_discard_sectors = rs->md.chunk_sectors;
++ if (rs_is_raid10(rs)) {
++ limits->discard_granularity = max(chunk_size_bytes,
++ limits->discard_granularity);
++ limits->max_discard_sectors = min_not_zero(rs->md.chunk_sectors,
++ limits->max_discard_sectors);
+ }
+ }
+
+--
+2.27.0
+
--- /dev/null
+From 796f969672c3ccafe78d092aef05be6de0fac156 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Oct 2020 21:38:25 +0100
+Subject: drm/i915/gem: Flush coherency domains on first set-domain-ioctl
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Chris Wilson <chris@chris-wilson.co.uk>
+
+[ Upstream commit 59dd13ad310793757e34afa489dd6fc8544fc3da ]
+
+Avoid skipping what appears to be a no-op set-domain-ioctl if the cache
+coherency state is inconsistent with our target domain. This also has
+the utility of using the population of the pages to validate the backing
+store.
+
+The danger in skipping the first set-domain is leaving the cache
+inconsistent and submitting stale data, or worse leaving the clean data
+in the cache and not flushing it to the GPU. The impact should be small
+as it requires a no-op set-domain as the very first ioctl in a
+particular sequence not found in typical userspace.
+
+Reported-by: Zbigniew Kempczyński <zbigniew.kempczynski@intel.com>
+Fixes: 754a25442705 ("drm/i915: Skip object locking around a no-op set-domain ioctl")
+Testcase: igt/gem_mmap_offset/blt-coherency
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Cc: Matthew Auld <matthew.william.auld@gmail.com>
+Cc: Zbigniew Kempczyński <zbigniew.kempczynski@intel.com>
+Cc: <stable@vger.kernel.org> # v5.2+
+Reviewed-by: Matthew Auld <matthew.auld@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20201019203825.10966-1-chris@chris-wilson.co.uk
+(cherry picked from commit 44c2200afcd59f441b43f27829b4003397cc495d)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gem/i915_gem_domain.c | 28 ++++++++++------------
+ 1 file changed, 13 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/gem/i915_gem_domain.c b/drivers/gpu/drm/i915/gem/i915_gem_domain.c
+index 7f76fc68f498a..ba8758011e297 100644
+--- a/drivers/gpu/drm/i915/gem/i915_gem_domain.c
++++ b/drivers/gpu/drm/i915/gem/i915_gem_domain.c
+@@ -484,21 +484,6 @@ i915_gem_set_domain_ioctl(struct drm_device *dev, void *data,
+ if (!obj)
+ return -ENOENT;
+
+- /*
+- * Already in the desired write domain? Nothing for us to do!
+- *
+- * We apply a little bit of cunning here to catch a broader set of
+- * no-ops. If obj->write_domain is set, we must be in the same
+- * obj->read_domains, and only that domain. Therefore, if that
+- * obj->write_domain matches the request read_domains, we are
+- * already in the same read/write domain and can skip the operation,
+- * without having to further check the requested write_domain.
+- */
+- if (READ_ONCE(obj->write_domain) == read_domains) {
+- err = 0;
+- goto out;
+- }
+-
+ /*
+ * Try to flush the object off the GPU without holding the lock.
+ * We will repeat the flush holding the lock in the normal manner
+@@ -536,6 +521,19 @@ i915_gem_set_domain_ioctl(struct drm_device *dev, void *data,
+ if (err)
+ goto out;
+
++ /*
++ * Already in the desired write domain? Nothing for us to do!
++ *
++ * We apply a little bit of cunning here to catch a broader set of
++ * no-ops. If obj->write_domain is set, we must be in the same
++ * obj->read_domains, and only that domain. Therefore, if that
++ * obj->write_domain matches the request read_domains, we are
++ * already in the same read/write domain and can skip the operation,
++ * without having to further check the requested write_domain.
++ */
++ if (READ_ONCE(obj->write_domain) == read_domains)
++ goto out_unpin;
++
+ err = i915_gem_object_lock_interruptible(obj);
+ if (err)
+ goto out_unpin;
+--
+2.27.0
+
--- /dev/null
+From 933bb75072aac04a8d2c6eb8b870c89e5eebcc84 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Nov 2020 16:19:31 +0000
+Subject: drm/i915: Hold onto an explicit ref to i915_vma_work.pinned
+
+From: Chris Wilson <chris@chris-wilson.co.uk>
+
+[ Upstream commit 537457a979a02a410b555fab289dcb28b588f33b ]
+
+Since __vma_release is run by a kworker after the fence has been
+signaled, it is no longer protected by the active reference on the vma,
+and so the alias of vw->pinned to vma->obj is also not protected by a
+reference on the object. Add an explicit reference for vw->pinned so it
+will always be safe.
+
+Found by inspection.
+
+Fixes: 54d7195f8c64 ("drm/i915: Unpin vma->obj on early error")
+Reported-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+Cc: <stable@vger.kernel.org> # v5.6+
+Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20201102161931.30031-1-chris@chris-wilson.co.uk
+(cherry picked from commit bc73e5d33048b7ab5f12b11b5d923700467a8e1d)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/i915_vma.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/i915_vma.c b/drivers/gpu/drm/i915/i915_vma.c
+index bc64f773dcdb4..034d0a8d24c8c 100644
+--- a/drivers/gpu/drm/i915/i915_vma.c
++++ b/drivers/gpu/drm/i915/i915_vma.c
+@@ -315,8 +315,10 @@ static void __vma_release(struct dma_fence_work *work)
+ {
+ struct i915_vma_work *vw = container_of(work, typeof(*vw), base);
+
+- if (vw->pinned)
++ if (vw->pinned) {
+ __i915_gem_object_unpin_pages(vw->pinned);
++ i915_gem_object_put(vw->pinned);
++ }
+ }
+
+ static const struct dma_fence_work_ops bind_ops = {
+@@ -430,7 +432,7 @@ int i915_vma_bind(struct i915_vma *vma,
+
+ if (vma->obj) {
+ __i915_gem_object_pin_pages(vma->obj);
+- work->pinned = vma->obj;
++ work->pinned = i915_gem_object_get(vma->obj);
+ }
+ } else {
+ ret = vma->ops->bind_vma(vma->vm, vma, cache_level, bind_flags);
+--
+2.27.0
+
--- /dev/null
+From 04412c80432c7d657050cc38e488089690229778 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Oct 2020 14:58:33 +0000
+Subject: drm/panfrost: Fix module unload
+
+From: Steven Price <steven.price@arm.com>
+
+[ Upstream commit 876b15d2c88d8c005f1aebeaa23f1e448d834757 ]
+
+When unloading the call to pm_runtime_put_sync_suspend() will attempt to
+turn the GPU cores off, however panfrost_device_fini() will have turned
+the clocks off. This leads to the hardware locking up.
+
+Instead don't call pm_runtime_put_sync_suspend() and instead simply mark
+the device as suspended using pm_runtime_set_suspended(). And also
+include this on the error path in panfrost_probe().
+
+Fixes: aebe8c22a912 ("drm/panfrost: Fix possible suspend in panfrost_remove")
+Signed-off-by: Steven Price <steven.price@arm.com>
+Reviewed-by: Tomeu Vizoso <tomeu.vizoso@collabora.com>
+Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20201030145833.29006-1-steven.price@arm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/panfrost/panfrost_drv.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/panfrost/panfrost_drv.c b/drivers/gpu/drm/panfrost/panfrost_drv.c
+index f2dd259f28995..5d95917f923a1 100644
+--- a/drivers/gpu/drm/panfrost/panfrost_drv.c
++++ b/drivers/gpu/drm/panfrost/panfrost_drv.c
+@@ -626,6 +626,7 @@ static int panfrost_probe(struct platform_device *pdev)
+ err_out1:
+ pm_runtime_disable(pfdev->dev);
+ panfrost_device_fini(pfdev);
++ pm_runtime_set_suspended(pfdev->dev);
+ err_out0:
+ drm_dev_put(ddev);
+ return err;
+@@ -640,9 +641,9 @@ static int panfrost_remove(struct platform_device *pdev)
+ panfrost_gem_shrinker_cleanup(ddev);
+
+ pm_runtime_get_sync(pfdev->dev);
+- panfrost_device_fini(pfdev);
+- pm_runtime_put_sync_suspend(pfdev->dev);
+ pm_runtime_disable(pfdev->dev);
++ panfrost_device_fini(pfdev);
++ pm_runtime_set_suspended(pfdev->dev);
+
+ drm_dev_put(ddev);
+ return 0;
+--
+2.27.0
+
--- /dev/null
+From 6ad41a41c6f760cc18a411a3ce534e177d895c09 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Jul 2020 11:54:03 +0200
+Subject: drm/panfrost: move devfreq_init()/fini() in device
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Clément Péron <peron.clem@gmail.com>
+
+[ Upstream commit 25e247bbf85af3ad721dfeb2e2caf405f43b7e66 ]
+
+Later we will introduce devfreq probing regulator if they
+are present. As regulator should be probe only one time we
+need to get this logic in the device_init().
+
+panfrost_device is already taking care of devfreq_resume()
+and devfreq_suspend(), so it's not totally illogic to move
+the devfreq_init() and devfreq_fini() here.
+
+Reviewed-by: Alyssa Rosenzweig <alyssa.rosenzweig@collabora.com>
+Reviewed-by: Steven Price <steven.price@arm.com>
+Signed-off-by: Clément Péron <peron.clem@gmail.com>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200710095409.407087-9-peron.clem@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/panfrost/panfrost_device.c | 12 +++++++++++-
+ drivers/gpu/drm/panfrost/panfrost_drv.c | 15 ++-------------
+ 2 files changed, 13 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/gpu/drm/panfrost/panfrost_device.c b/drivers/gpu/drm/panfrost/panfrost_device.c
+index 9f89984f652a6..36b5c8fea3eba 100644
+--- a/drivers/gpu/drm/panfrost/panfrost_device.c
++++ b/drivers/gpu/drm/panfrost/panfrost_device.c
+@@ -214,9 +214,16 @@ int panfrost_device_init(struct panfrost_device *pfdev)
+ return err;
+ }
+
++ err = panfrost_devfreq_init(pfdev);
++ if (err) {
++ if (err != -EPROBE_DEFER)
++ dev_err(pfdev->dev, "devfreq init failed %d\n", err);
++ goto out_clk;
++ }
++
+ err = panfrost_regulator_init(pfdev);
+ if (err)
+- goto out_clk;
++ goto out_devfreq;
+
+ err = panfrost_reset_init(pfdev);
+ if (err) {
+@@ -265,6 +272,8 @@ out_reset:
+ panfrost_reset_fini(pfdev);
+ out_regulator:
+ panfrost_regulator_fini(pfdev);
++out_devfreq:
++ panfrost_devfreq_fini(pfdev);
+ out_clk:
+ panfrost_clk_fini(pfdev);
+ return err;
+@@ -278,6 +287,7 @@ void panfrost_device_fini(struct panfrost_device *pfdev)
+ panfrost_gpu_fini(pfdev);
+ panfrost_pm_domain_fini(pfdev);
+ panfrost_reset_fini(pfdev);
++ panfrost_devfreq_fini(pfdev);
+ panfrost_regulator_fini(pfdev);
+ panfrost_clk_fini(pfdev);
+ }
+diff --git a/drivers/gpu/drm/panfrost/panfrost_drv.c b/drivers/gpu/drm/panfrost/panfrost_drv.c
+index f6d5d03201fad..f2dd259f28995 100644
+--- a/drivers/gpu/drm/panfrost/panfrost_drv.c
++++ b/drivers/gpu/drm/panfrost/panfrost_drv.c
+@@ -14,7 +14,6 @@
+ #include <drm/drm_utils.h>
+
+ #include "panfrost_device.h"
+-#include "panfrost_devfreq.h"
+ #include "panfrost_gem.h"
+ #include "panfrost_mmu.h"
+ #include "panfrost_job.h"
+@@ -606,13 +605,6 @@ static int panfrost_probe(struct platform_device *pdev)
+ goto err_out0;
+ }
+
+- err = panfrost_devfreq_init(pfdev);
+- if (err) {
+- if (err != -EPROBE_DEFER)
+- dev_err(&pdev->dev, "Fatal error during devfreq init\n");
+- goto err_out1;
+- }
+-
+ pm_runtime_set_active(pfdev->dev);
+ pm_runtime_mark_last_busy(pfdev->dev);
+ pm_runtime_enable(pfdev->dev);
+@@ -625,16 +617,14 @@ static int panfrost_probe(struct platform_device *pdev)
+ */
+ err = drm_dev_register(ddev, 0);
+ if (err < 0)
+- goto err_out2;
++ goto err_out1;
+
+ panfrost_gem_shrinker_init(ddev);
+
+ return 0;
+
+-err_out2:
+- pm_runtime_disable(pfdev->dev);
+- panfrost_devfreq_fini(pfdev);
+ err_out1:
++ pm_runtime_disable(pfdev->dev);
+ panfrost_device_fini(pfdev);
+ err_out0:
+ drm_dev_put(ddev);
+@@ -650,7 +640,6 @@ static int panfrost_remove(struct platform_device *pdev)
+ panfrost_gem_shrinker_cleanup(ddev);
+
+ pm_runtime_get_sync(pfdev->dev);
+- panfrost_devfreq_fini(pfdev);
+ panfrost_device_fini(pfdev);
+ pm_runtime_put_sync_suspend(pfdev->dev);
+ pm_runtime_disable(pfdev->dev);
+--
+2.27.0
+
--- /dev/null
+From 0dc5248217e94653466fe3a4bb23fa8bf76f3f7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Jul 2020 11:54:02 +0200
+Subject: drm/panfrost: rename error labels in device_init
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Clément Péron <peron.clem@gmail.com>
+
+[ Upstream commit d3c335da0200be9287cdf5755d19f62ce1670a8d ]
+
+Rename goto labels in device_init it will be easier to maintain.
+
+Reviewed-by: Alyssa Rosenzweig <alyssa.rosenzweig@collabora.com>
+Reviewed-by: Steven Price <steven.price@arm.com>
+Signed-off-by: Clément Péron <peron.clem@gmail.com>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200710095409.407087-8-peron.clem@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/panfrost/panfrost_device.c | 30 +++++++++++-----------
+ 1 file changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/gpu/drm/panfrost/panfrost_device.c b/drivers/gpu/drm/panfrost/panfrost_device.c
+index b172087eee6ae..9f89984f652a6 100644
+--- a/drivers/gpu/drm/panfrost/panfrost_device.c
++++ b/drivers/gpu/drm/panfrost/panfrost_device.c
+@@ -216,56 +216,56 @@ int panfrost_device_init(struct panfrost_device *pfdev)
+
+ err = panfrost_regulator_init(pfdev);
+ if (err)
+- goto err_out0;
++ goto out_clk;
+
+ err = panfrost_reset_init(pfdev);
+ if (err) {
+ dev_err(pfdev->dev, "reset init failed %d\n", err);
+- goto err_out1;
++ goto out_regulator;
+ }
+
+ err = panfrost_pm_domain_init(pfdev);
+ if (err)
+- goto err_out2;
++ goto out_reset;
+
+ res = platform_get_resource(pfdev->pdev, IORESOURCE_MEM, 0);
+ pfdev->iomem = devm_ioremap_resource(pfdev->dev, res);
+ if (IS_ERR(pfdev->iomem)) {
+ dev_err(pfdev->dev, "failed to ioremap iomem\n");
+ err = PTR_ERR(pfdev->iomem);
+- goto err_out3;
++ goto out_pm_domain;
+ }
+
+ err = panfrost_gpu_init(pfdev);
+ if (err)
+- goto err_out3;
++ goto out_pm_domain;
+
+ err = panfrost_mmu_init(pfdev);
+ if (err)
+- goto err_out4;
++ goto out_gpu;
+
+ err = panfrost_job_init(pfdev);
+ if (err)
+- goto err_out5;
++ goto out_mmu;
+
+ err = panfrost_perfcnt_init(pfdev);
+ if (err)
+- goto err_out6;
++ goto out_job;
+
+ return 0;
+-err_out6:
++out_job:
+ panfrost_job_fini(pfdev);
+-err_out5:
++out_mmu:
+ panfrost_mmu_fini(pfdev);
+-err_out4:
++out_gpu:
+ panfrost_gpu_fini(pfdev);
+-err_out3:
++out_pm_domain:
+ panfrost_pm_domain_fini(pfdev);
+-err_out2:
++out_reset:
+ panfrost_reset_fini(pfdev);
+-err_out1:
++out_regulator:
+ panfrost_regulator_fini(pfdev);
+-err_out0:
++out_clk:
+ panfrost_clk_fini(pfdev);
+ return err;
+ }
+--
+2.27.0
+
--- /dev/null
+From 7e21d1e98be880d8552099b0f0b7c7332843a7a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Oct 2020 20:00:59 +0100
+Subject: drm/vc4: bo: Add a managed action to cleanup the cache
+
+From: Maxime Ripard <maxime@cerno.tech>
+
+[ Upstream commit 1c80be48c70a2198f7cf04a546b3805b92293ac6 ]
+
+The BO cache needs to be cleaned up using vc4_bo_cache_destroy, but it's
+not used consistently (vc4_drv's bind calls it in its error path, but
+doesn't in unbind), and we can make that automatic through a managed
+action. Let's remove the requirement to call vc4_bo_cache_destroy.
+
+Fixes: c826a6e10644 ("drm/vc4: Add a BO cache.")
+Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Link: https://patchwork.freedesktop.org/patch/msgid/20201029190104.2181730-1-maxime@cerno.tech
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_bo.c | 5 +++--
+ drivers/gpu/drm/vc4/vc4_drv.c | 1 -
+ drivers/gpu/drm/vc4/vc4_drv.h | 2 +-
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_bo.c b/drivers/gpu/drm/vc4/vc4_bo.c
+index 74ceebd62fbce..073b528f33337 100644
+--- a/drivers/gpu/drm/vc4/vc4_bo.c
++++ b/drivers/gpu/drm/vc4/vc4_bo.c
+@@ -1005,6 +1005,7 @@ int vc4_get_tiling_ioctl(struct drm_device *dev, void *data,
+ return 0;
+ }
+
++static void vc4_bo_cache_destroy(struct drm_device *dev, void *unused);
+ int vc4_bo_cache_init(struct drm_device *dev)
+ {
+ struct vc4_dev *vc4 = to_vc4_dev(dev);
+@@ -1033,10 +1034,10 @@ int vc4_bo_cache_init(struct drm_device *dev)
+ INIT_WORK(&vc4->bo_cache.time_work, vc4_bo_cache_time_work);
+ timer_setup(&vc4->bo_cache.time_timer, vc4_bo_cache_time_timer, 0);
+
+- return 0;
++ return drmm_add_action_or_reset(dev, vc4_bo_cache_destroy, NULL);
+ }
+
+-void vc4_bo_cache_destroy(struct drm_device *dev)
++static void vc4_bo_cache_destroy(struct drm_device *dev, void *unused)
+ {
+ struct vc4_dev *vc4 = to_vc4_dev(dev);
+ int i;
+diff --git a/drivers/gpu/drm/vc4/vc4_drv.c b/drivers/gpu/drm/vc4/vc4_drv.c
+index f6995e7f6eb6e..c7aeaba3fabe8 100644
+--- a/drivers/gpu/drm/vc4/vc4_drv.c
++++ b/drivers/gpu/drm/vc4/vc4_drv.c
+@@ -311,7 +311,6 @@ unbind_all:
+ gem_destroy:
+ vc4_gem_destroy(drm);
+ drm_mode_config_cleanup(drm);
+- vc4_bo_cache_destroy(drm);
+ dev_put:
+ drm_dev_put(drm);
+ return ret;
+diff --git a/drivers/gpu/drm/vc4/vc4_drv.h b/drivers/gpu/drm/vc4/vc4_drv.h
+index fa19160c801f8..528c28895a8e0 100644
+--- a/drivers/gpu/drm/vc4/vc4_drv.h
++++ b/drivers/gpu/drm/vc4/vc4_drv.h
+@@ -14,6 +14,7 @@
+ #include <drm/drm_device.h>
+ #include <drm/drm_encoder.h>
+ #include <drm/drm_gem_cma_helper.h>
++#include <drm/drm_managed.h>
+ #include <drm/drm_mm.h>
+ #include <drm/drm_modeset_lock.h>
+
+@@ -786,7 +787,6 @@ struct drm_gem_object *vc4_prime_import_sg_table(struct drm_device *dev,
+ struct sg_table *sgt);
+ void *vc4_prime_vmap(struct drm_gem_object *obj);
+ int vc4_bo_cache_init(struct drm_device *dev);
+-void vc4_bo_cache_destroy(struct drm_device *dev);
+ int vc4_bo_inc_usecnt(struct vc4_bo *bo);
+ void vc4_bo_dec_usecnt(struct vc4_bo *bo);
+ void vc4_bo_add_to_purgeable_pool(struct vc4_bo *bo);
+--
+2.27.0
+
--- /dev/null
+From 422eb8bc1382ef82fb9bd7acc415e825583e041e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Oct 2020 21:41:44 +0100
+Subject: genirq: Let GENERIC_IRQ_IPI select IRQ_DOMAIN_HIERARCHY
+
+From: Marc Zyngier <maz@kernel.org>
+
+[ Upstream commit 151a535171be6ff824a0a3875553ea38570f4c05 ]
+
+kernel/irq/ipi.c otherwise fails to compile if nothing else
+selects it.
+
+Fixes: 379b656446a3 ("genirq: Add GENERIC_IRQ_IPI Kconfig symbol")
+Reported-by: Pavel Machek <pavel@ucw.cz>
+Tested-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20201015101222.GA32747@amd
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/irq/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/irq/Kconfig b/kernel/irq/Kconfig
+index 10a5aff4eecc8..164a031cfdb66 100644
+--- a/kernel/irq/Kconfig
++++ b/kernel/irq/Kconfig
+@@ -82,6 +82,7 @@ config IRQ_FASTEOI_HIERARCHY_HANDLERS
+ # Generic IRQ IPI support
+ config GENERIC_IRQ_IPI
+ bool
++ select IRQ_DOMAIN_HIERARCHY
+
+ # Generic MSI interrupt support
+ config GENERIC_MSI_IRQ
+--
+2.27.0
+
--- /dev/null
+From 2b7944f307e1f27b334f656ab15277d741f2cb6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Oct 2020 09:12:15 +0200
+Subject: hv_balloon: disable warning when floor reached
+
+From: Olaf Hering <olaf@aepfle.de>
+
+[ Upstream commit 2c3bd2a5c86fe744e8377733c5e511a5ca1e14f5 ]
+
+It is not an error if the host requests to balloon down, but the VM
+refuses to do so. Without this change a warning is logged in dmesg
+every five minutes.
+
+Fixes: b3bb97b8a49f3 ("Drivers: hv: balloon: Add logging for dynamic memory operations")
+
+Signed-off-by: Olaf Hering <olaf@aepfle.de>
+Reviewed-by: Michael Kelley <mikelley@microsoft.com>
+Link: https://lore.kernel.org/r/20201008071216.16554-1-olaf@aepfle.de
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hv/hv_balloon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hv/hv_balloon.c b/drivers/hv/hv_balloon.c
+index 32e3bc0aa665a..0f50295d02149 100644
+--- a/drivers/hv/hv_balloon.c
++++ b/drivers/hv/hv_balloon.c
+@@ -1275,7 +1275,7 @@ static void balloon_up(struct work_struct *dummy)
+
+ /* Refuse to balloon below the floor. */
+ if (avail_pages < num_pages || avail_pages - num_pages < floor) {
+- pr_warn("Balloon request will be partially fulfilled. %s\n",
++ pr_info("Balloon request will be partially fulfilled. %s\n",
+ avail_pages < num_pages ? "Not enough memory." :
+ "Balloon floor reached.");
+
+--
+2.27.0
+
--- /dev/null
+From 6a24226663e79dcf79a0035b3cb02ba9030f8862 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Oct 2020 08:50:51 +0200
+Subject: IB/srpt: Fix memory leak in srpt_add_one
+
+From: Maor Gottlieb <maorg@nvidia.com>
+
+[ Upstream commit 372a1786283e50e7cb437ab7fdb1b95597310ad7 ]
+
+Failure in srpt_refresh_port() for the second port will leave MAD
+registered for the first one, however, the srpt_add_one() will be marked
+as "failed" and SRPT will leak resources for that registered but not used
+and released first port.
+
+Unregister the MAD agent for all ports in case of failure.
+
+Fixes: a42d985bd5b2 ("ib_srpt: Initial SRP Target merge for v3.3-rc1")
+Link: https://lore.kernel.org/r/20201028065051.112430-1-leon@kernel.org
+Signed-off-by: Maor Gottlieb <maorg@nvidia.com>
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/ulp/srpt/ib_srpt.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c b/drivers/infiniband/ulp/srpt/ib_srpt.c
+index 0065eb17ae36b..1b096305de1a4 100644
+--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
+@@ -622,10 +622,11 @@ static int srpt_refresh_port(struct srpt_port *sport)
+ /**
+ * srpt_unregister_mad_agent - unregister MAD callback functions
+ * @sdev: SRPT HCA pointer.
++ * #port_cnt: number of ports with registered MAD
+ *
+ * Note: It is safe to call this function more than once for the same device.
+ */
+-static void srpt_unregister_mad_agent(struct srpt_device *sdev)
++static void srpt_unregister_mad_agent(struct srpt_device *sdev, int port_cnt)
+ {
+ struct ib_port_modify port_modify = {
+ .clr_port_cap_mask = IB_PORT_DEVICE_MGMT_SUP,
+@@ -633,7 +634,7 @@ static void srpt_unregister_mad_agent(struct srpt_device *sdev)
+ struct srpt_port *sport;
+ int i;
+
+- for (i = 1; i <= sdev->device->phys_port_cnt; i++) {
++ for (i = 1; i <= port_cnt; i++) {
+ sport = &sdev->port[i - 1];
+ WARN_ON(sport->port != i);
+ if (sport->mad_agent) {
+@@ -3185,7 +3186,8 @@ static int srpt_add_one(struct ib_device *device)
+ if (ret) {
+ pr_err("MAD registration failed for %s-%d.\n",
+ dev_name(&sdev->device->dev), i);
+- goto err_event;
++ i--;
++ goto err_port;
+ }
+ }
+
+@@ -3197,7 +3199,8 @@ static int srpt_add_one(struct ib_device *device)
+ pr_debug("added %s.\n", dev_name(&device->dev));
+ return 0;
+
+-err_event:
++err_port:
++ srpt_unregister_mad_agent(sdev, i);
+ ib_unregister_event_handler(&sdev->event_handler);
+ err_cm:
+ if (sdev->cm_id)
+@@ -3221,7 +3224,7 @@ static void srpt_remove_one(struct ib_device *device, void *client_data)
+ struct srpt_device *sdev = client_data;
+ int i;
+
+- srpt_unregister_mad_agent(sdev);
++ srpt_unregister_mad_agent(sdev, sdev->device->phys_port_cnt);
+
+ ib_unregister_event_handler(&sdev->event_handler);
+
+--
+2.27.0
+
--- /dev/null
+From be8046cd68b521f8e5e2744b4e226e4ab10854b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Nov 2020 10:39:05 -0700
+Subject: io_uring: ensure consistent view of original task ->mm from SQPOLL
+
+From: Jens Axboe <axboe@kernel.dk>
+
+[ Upstream commit 4b70cf9dea4cd239b425f3282fa56ce19e234c8a ]
+
+Ensure we get a valid view of the task mm, by using task_lock() when
+attempting to grab the original task mm.
+
+Reported-by: syzbot+b57abf7ee60829090495@syzkaller.appspotmail.com
+Fixes: 2aede0e417db ("io_uring: stash ctx task reference for SQPOLL")
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/io_uring.c | 27 ++++++++++++++++++++-------
+ 1 file changed, 20 insertions(+), 7 deletions(-)
+
+diff --git a/fs/io_uring.c b/fs/io_uring.c
+index 1033e0e18f24f..2d5ca9476814d 100644
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -952,20 +952,33 @@ static void io_sq_thread_drop_mm(void)
+ if (mm) {
+ kthread_unuse_mm(mm);
+ mmput(mm);
++ current->mm = NULL;
+ }
+ }
+
+ static int __io_sq_thread_acquire_mm(struct io_ring_ctx *ctx)
+ {
+- if (!current->mm) {
+- if (unlikely(!(ctx->flags & IORING_SETUP_SQPOLL) ||
+- !ctx->sqo_task->mm ||
+- !mmget_not_zero(ctx->sqo_task->mm)))
+- return -EFAULT;
+- kthread_use_mm(ctx->sqo_task->mm);
++ struct mm_struct *mm;
++
++ if (current->mm)
++ return 0;
++
++ /* Should never happen */
++ if (unlikely(!(ctx->flags & IORING_SETUP_SQPOLL)))
++ return -EFAULT;
++
++ task_lock(ctx->sqo_task);
++ mm = ctx->sqo_task->mm;
++ if (unlikely(!mm || !mmget_not_zero(mm)))
++ mm = NULL;
++ task_unlock(ctx->sqo_task);
++
++ if (mm) {
++ kthread_use_mm(mm);
++ return 0;
+ }
+
+- return 0;
++ return -EFAULT;
+ }
+
+ static int io_sq_thread_acquire_mm(struct io_ring_ctx *ctx,
+--
+2.27.0
+
--- /dev/null
+From b0aaf97350602138d182daa076a416b4c324caa7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Oct 2020 10:37:24 +0800
+Subject: iommu/vt-d: Fix a bug for PDP check in prq_event_thread
+
+From: Liu, Yi L <yi.l.liu@intel.com>
+
+[ Upstream commit 71cd8e2d16703a9df5c86a9e19f4cba99316cc53 ]
+
+In prq_event_thread(), the QI_PGRP_PDP is wrongly set by
+'req->pasid_present' which should be replaced to
+'req->priv_data_present'.
+
+Fixes: 5b438f4ba315 ("iommu/vt-d: Support page request in scalable mode")
+Signed-off-by: Liu, Yi L <yi.l.liu@intel.com>
+Signed-off-by: Yi Sun <yi.y.sun@linux.intel.com>
+Acked-by: Lu Baolu <baolu.lu@linux.intel.com>
+Link: https://lore.kernel.org/r/1604025444-6954-3-git-send-email-yi.y.sun@linux.intel.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/intel/svm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/intel/svm.c b/drivers/iommu/intel/svm.c
+index a71fbbddaa66e..20fa8c7fcd8e7 100644
+--- a/drivers/iommu/intel/svm.c
++++ b/drivers/iommu/intel/svm.c
+@@ -1001,7 +1001,7 @@ no_pasid:
+ resp.qw0 = QI_PGRP_PASID(req->pasid) |
+ QI_PGRP_DID(req->rid) |
+ QI_PGRP_PASID_P(req->pasid_present) |
+- QI_PGRP_PDP(req->pasid_present) |
++ QI_PGRP_PDP(req->priv_data_present) |
+ QI_PGRP_RESP_CODE(result) |
+ QI_PGRP_RESP_TYPE;
+ resp.qw1 = QI_PGRP_IDX(req->prg_index) |
+--
+2.27.0
+
--- /dev/null
+From 7f11f1c050fab9d379f8e2f23bb5af51e651b0b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Oct 2020 10:37:23 +0800
+Subject: iommu/vt-d: Fix sid not set issue in intel_svm_bind_gpasid()
+
+From: Liu Yi L <yi.l.liu@intel.com>
+
+[ Upstream commit eea4e29ab8bef254b228d6e1e3de188087b2c7d0 ]
+
+Should get correct sid and set it into sdev. Because we execute
+'sdev->sid != req->rid' in the loop of prq_event_thread().
+
+Fixes: eb8d93ea3c1d ("iommu/vt-d: Report page request faults for guest SVA")
+Signed-off-by: Liu Yi L <yi.l.liu@intel.com>
+Signed-off-by: Yi Sun <yi.y.sun@linux.intel.com>
+Acked-by: Lu Baolu <baolu.lu@linux.intel.com>
+Link: https://lore.kernel.org/r/1604025444-6954-2-git-send-email-yi.y.sun@linux.intel.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/intel/svm.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/iommu/intel/svm.c b/drivers/iommu/intel/svm.c
+index 95c3164a2302f..a71fbbddaa66e 100644
+--- a/drivers/iommu/intel/svm.c
++++ b/drivers/iommu/intel/svm.c
+@@ -278,6 +278,7 @@ int intel_svm_bind_gpasid(struct iommu_domain *domain, struct device *dev,
+ struct intel_iommu *iommu = device_to_iommu(dev, NULL, NULL);
+ struct intel_svm_dev *sdev = NULL;
+ struct dmar_domain *dmar_domain;
++ struct device_domain_info *info;
+ struct intel_svm *svm = NULL;
+ int ret = 0;
+
+@@ -302,6 +303,10 @@ int intel_svm_bind_gpasid(struct iommu_domain *domain, struct device *dev,
+ if (data->hpasid <= 0 || data->hpasid >= PASID_MAX)
+ return -EINVAL;
+
++ info = get_domain_info(dev);
++ if (!info)
++ return -EINVAL;
++
+ dmar_domain = to_dmar_domain(domain);
+
+ mutex_lock(&pasid_mutex);
+@@ -349,6 +354,7 @@ int intel_svm_bind_gpasid(struct iommu_domain *domain, struct device *dev,
+ goto out;
+ }
+ sdev->dev = dev;
++ sdev->sid = PCI_DEVID(info->bus, info->devfn);
+
+ /* Only count users if device has aux domains */
+ if (iommu_dev_feature_enabled(dev, IOMMU_DEV_FEAT_AUX))
+--
+2.27.0
+
--- /dev/null
+From f4a8ef6867bf285e1c0a26f11388a90f7b958f49 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Oct 2020 16:15:32 +0800
+Subject: irqchip/sifive-plic: Fix broken irq_set_affinity() callback
+
+From: Greentime Hu <greentime.hu@sifive.com>
+
+[ Upstream commit a7480c5d725c4ecfc627e70960f249c34f5d13e8 ]
+
+An interrupt submitted to an affinity change will always be left enabled
+after plic_set_affinity() has been called, while the expectation is that
+it should stay in whatever state it was before the call.
+
+Preserving the configuration fixes a PWM hang issue on the Unleashed
+board.
+
+[ 919.015783] rcu: INFO: rcu_sched detected stalls on CPUs/tasks:
+[ 919.020922] rcu: 0-...0: (0 ticks this GP)
+idle=7d2/1/0x4000000000000002 softirq=1424/1424 fqs=105807
+[ 919.030295] (detected by 1, t=225825 jiffies, g=1561, q=3496)
+[ 919.036109] Task dump for CPU 0:
+[ 919.039321] kworker/0:1 R running task 0 30 2 0x00000008
+[ 919.046359] Workqueue: events set_brightness_delayed
+[ 919.051302] Call Trace:
+[ 919.053738] [<ffffffe000930d92>] __schedule+0x194/0x4de
+[ 982.035783] rcu: INFO: rcu_sched detected stalls on CPUs/tasks:
+[ 982.040923] rcu: 0-...0: (0 ticks this GP)
+idle=7d2/1/0x4000000000000002 softirq=1424/1424 fqs=113325
+[ 982.050294] (detected by 1, t=241580 jiffies, g=1561, q=3509)
+[ 982.056108] Task dump for CPU 0:
+[ 982.059321] kworker/0:1 R running task 0 30 2 0x00000008
+[ 982.066359] Workqueue: events set_brightness_delayed
+[ 982.071302] Call Trace:
+[ 982.073739] [<ffffffe000930d92>] __schedule+0x194/0x4de
+[..]
+
+Fixes: bb0fed1c60cc ("irqchip/sifive-plic: Switch to fasteoi flow")
+Signed-off-by: Greentime Hu <greentime.hu@sifive.com>
+[maz: tidy-up commit message]
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Reviewed-by: Anup Patel <anup@brainfault.org>
+Link: https://lore.kernel.org/r/20201020081532.2377-1-greentime.hu@sifive.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-sifive-plic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/irqchip/irq-sifive-plic.c b/drivers/irqchip/irq-sifive-plic.c
+index eaa3e9fe54e91..4048657ece0ac 100644
+--- a/drivers/irqchip/irq-sifive-plic.c
++++ b/drivers/irqchip/irq-sifive-plic.c
+@@ -151,7 +151,7 @@ static int plic_set_affinity(struct irq_data *d,
+ return -EINVAL;
+
+ plic_irq_toggle(&priv->lmask, d, 0);
+- plic_irq_toggle(cpumask_of(cpu), d, 1);
++ plic_irq_toggle(cpumask_of(cpu), d, !irqd_irq_masked(d));
+
+ irq_data_update_effective_affinity(d, cpumask_of(cpu));
+
+--
+2.27.0
+
--- /dev/null
+From c10f2dab0f055acbb1e163d207859a47f600f811 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Oct 2020 10:37:38 +0800
+Subject: irqchip/sifive-plic: Fix chip_data access within a hierarchy
+
+From: Greentime Hu <greentime.hu@sifive.com>
+
+[ Upstream commit f9ac7bbd6e4540dcc6df621b9c9b6eb2e26ded1d ]
+
+The plic driver crashes in plic_irq_unmask() when the interrupt is within a
+hierarchy, as it picks the top-level chip_data instead of its local one.
+
+Using irq_data_get_irq_chip_data() instead of irq_get_chip_data() solves
+the issue for good.
+
+Fixes: f1ad1133b18f ("irqchip/sifive-plic: Add support for multiple PLICs")
+Signed-off-by: Greentime Hu <greentime.hu@sifive.com>
+[maz: rewrote commit message]
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Reviewed-by: Anup Patel <anup@brainfault.org>
+Reviewed-by: Atish Patra <atish.patra@wdc.com>
+Link: https://lore.kernel.org/r/20201029023738.127472-1-greentime.hu@sifive.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-sifive-plic.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/irqchip/irq-sifive-plic.c b/drivers/irqchip/irq-sifive-plic.c
+index 4048657ece0ac..6f432d2a5cebd 100644
+--- a/drivers/irqchip/irq-sifive-plic.c
++++ b/drivers/irqchip/irq-sifive-plic.c
+@@ -99,7 +99,7 @@ static inline void plic_irq_toggle(const struct cpumask *mask,
+ struct irq_data *d, int enable)
+ {
+ int cpu;
+- struct plic_priv *priv = irq_get_chip_data(d->irq);
++ struct plic_priv *priv = irq_data_get_irq_chip_data(d);
+
+ writel(enable, priv->regs + PRIORITY_BASE + d->hwirq * PRIORITY_PER_ID);
+ for_each_cpu(cpu, mask) {
+@@ -115,7 +115,7 @@ static void plic_irq_unmask(struct irq_data *d)
+ {
+ struct cpumask amask;
+ unsigned int cpu;
+- struct plic_priv *priv = irq_get_chip_data(d->irq);
++ struct plic_priv *priv = irq_data_get_irq_chip_data(d);
+
+ cpumask_and(&amask, &priv->lmask, cpu_online_mask);
+ cpu = cpumask_any_and(irq_data_get_affinity_mask(d),
+@@ -127,7 +127,7 @@ static void plic_irq_unmask(struct irq_data *d)
+
+ static void plic_irq_mask(struct irq_data *d)
+ {
+- struct plic_priv *priv = irq_get_chip_data(d->irq);
++ struct plic_priv *priv = irq_data_get_irq_chip_data(d);
+
+ plic_irq_toggle(&priv->lmask, d, 0);
+ }
+@@ -138,7 +138,7 @@ static int plic_set_affinity(struct irq_data *d,
+ {
+ unsigned int cpu;
+ struct cpumask amask;
+- struct plic_priv *priv = irq_get_chip_data(d->irq);
++ struct plic_priv *priv = irq_data_get_irq_chip_data(d);
+
+ cpumask_and(&amask, &priv->lmask, mask_val);
+
+--
+2.27.0
+
--- /dev/null
+From c64a75c279af31423368be8bbbfb3d0423efbd0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Sep 2020 16:21:40 -0700
+Subject: kbuild: explicitly specify the build id style
+
+From: Bill Wendling <morbo@google.com>
+
+[ Upstream commit a968433723310f35898b4a2f635a7991aeef66b1 ]
+
+ld's --build-id defaults to "sha1" style, while lld defaults to "fast".
+The build IDs are very different between the two, which may confuse
+programs that reference them.
+
+Signed-off-by: Bill Wendling <morbo@google.com>
+Acked-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Makefile | 4 ++--
+ arch/arm/vdso/Makefile | 2 +-
+ arch/arm64/kernel/vdso/Makefile | 2 +-
+ arch/arm64/kernel/vdso32/Makefile | 2 +-
+ arch/mips/vdso/Makefile | 2 +-
+ arch/riscv/kernel/vdso/Makefile | 2 +-
+ arch/s390/kernel/vdso64/Makefile | 2 +-
+ arch/sparc/vdso/Makefile | 2 +-
+ arch/x86/entry/vdso/Makefile | 2 +-
+ tools/testing/selftests/bpf/Makefile | 2 +-
+ 10 files changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 035d86a0d291d..245c66fa8be17 100644
+--- a/Makefile
++++ b/Makefile
+@@ -973,8 +973,8 @@ KBUILD_CPPFLAGS += $(KCPPFLAGS)
+ KBUILD_AFLAGS += $(KAFLAGS)
+ KBUILD_CFLAGS += $(KCFLAGS)
+
+-KBUILD_LDFLAGS_MODULE += --build-id
+-LDFLAGS_vmlinux += --build-id
++KBUILD_LDFLAGS_MODULE += --build-id=sha1
++LDFLAGS_vmlinux += --build-id=sha1
+
+ ifeq ($(CONFIG_STRIP_ASM_SYMS),y)
+ LDFLAGS_vmlinux += $(call ld-option, -X,)
+diff --git a/arch/arm/vdso/Makefile b/arch/arm/vdso/Makefile
+index a54f70731d9f1..150ce6e6a5d31 100644
+--- a/arch/arm/vdso/Makefile
++++ b/arch/arm/vdso/Makefile
+@@ -19,7 +19,7 @@ ccflags-y += -DDISABLE_BRANCH_PROFILING -DBUILD_VDSO32
+ ldflags-$(CONFIG_CPU_ENDIAN_BE8) := --be8
+ ldflags-y := -Bsymbolic --no-undefined -soname=linux-vdso.so.1 \
+ -z max-page-size=4096 -nostdlib -shared $(ldflags-y) \
+- --hash-style=sysv --build-id \
++ --hash-style=sysv --build-id=sha1 \
+ -T
+
+ obj-$(CONFIG_VDSO) += vdso.o
+diff --git a/arch/arm64/kernel/vdso/Makefile b/arch/arm64/kernel/vdso/Makefile
+index 45d5cfe464290..871915097f9d1 100644
+--- a/arch/arm64/kernel/vdso/Makefile
++++ b/arch/arm64/kernel/vdso/Makefile
+@@ -24,7 +24,7 @@ btildflags-$(CONFIG_ARM64_BTI_KERNEL) += -z force-bti
+ # routines, as x86 does (see 6f121e548f83 ("x86, vdso: Reimplement vdso.so
+ # preparation in build-time C")).
+ ldflags-y := -shared -nostdlib -soname=linux-vdso.so.1 --hash-style=sysv \
+- -Bsymbolic $(call ld-option, --no-eh-frame-hdr) --build-id -n \
++ -Bsymbolic $(call ld-option, --no-eh-frame-hdr) --build-id=sha1 -n \
+ $(btildflags-y) -T
+
+ ccflags-y := -fno-common -fno-builtin -fno-stack-protector -ffixed-x18
+diff --git a/arch/arm64/kernel/vdso32/Makefile b/arch/arm64/kernel/vdso32/Makefile
+index d6adb4677c25f..4fa4b3fe8efb7 100644
+--- a/arch/arm64/kernel/vdso32/Makefile
++++ b/arch/arm64/kernel/vdso32/Makefile
+@@ -128,7 +128,7 @@ VDSO_LDFLAGS += -Wl,-Bsymbolic -Wl,--no-undefined -Wl,-soname=linux-vdso.so.1
+ VDSO_LDFLAGS += -Wl,-z,max-page-size=4096 -Wl,-z,common-page-size=4096
+ VDSO_LDFLAGS += -nostdlib -shared -mfloat-abi=soft
+ VDSO_LDFLAGS += -Wl,--hash-style=sysv
+-VDSO_LDFLAGS += -Wl,--build-id
++VDSO_LDFLAGS += -Wl,--build-id=sha1
+ VDSO_LDFLAGS += $(call cc32-ldoption,-fuse-ld=bfd)
+
+
+diff --git a/arch/mips/vdso/Makefile b/arch/mips/vdso/Makefile
+index 57fe832352819..5810cc12bc1d9 100644
+--- a/arch/mips/vdso/Makefile
++++ b/arch/mips/vdso/Makefile
+@@ -61,7 +61,7 @@ endif
+ # VDSO linker flags.
+ ldflags-y := -Bsymbolic --no-undefined -soname=linux-vdso.so.1 \
+ $(filter -E%,$(KBUILD_CFLAGS)) -nostdlib -shared \
+- -G 0 --eh-frame-hdr --hash-style=sysv --build-id -T
++ -G 0 --eh-frame-hdr --hash-style=sysv --build-id=sha1 -T
+
+ CFLAGS_REMOVE_vdso.o = -pg
+
+diff --git a/arch/riscv/kernel/vdso/Makefile b/arch/riscv/kernel/vdso/Makefile
+index 478e7338ddc10..7d6a94d45ec94 100644
+--- a/arch/riscv/kernel/vdso/Makefile
++++ b/arch/riscv/kernel/vdso/Makefile
+@@ -49,7 +49,7 @@ $(obj)/vdso.so.dbg: $(src)/vdso.lds $(obj-vdso) FORCE
+ # refer to these symbols in the kernel code rather than hand-coded addresses.
+
+ SYSCFLAGS_vdso.so.dbg = -shared -s -Wl,-soname=linux-vdso.so.1 \
+- -Wl,--build-id -Wl,--hash-style=both
++ -Wl,--build-id=sha1 -Wl,--hash-style=both
+ $(obj)/vdso-dummy.o: $(src)/vdso.lds $(obj)/rt_sigreturn.o FORCE
+ $(call if_changed,vdsold)
+
+diff --git a/arch/s390/kernel/vdso64/Makefile b/arch/s390/kernel/vdso64/Makefile
+index 4a66a1cb919b1..edc473b32e420 100644
+--- a/arch/s390/kernel/vdso64/Makefile
++++ b/arch/s390/kernel/vdso64/Makefile
+@@ -19,7 +19,7 @@ KBUILD_AFLAGS_64 += -m64 -s
+ KBUILD_CFLAGS_64 := $(filter-out -m64,$(KBUILD_CFLAGS))
+ KBUILD_CFLAGS_64 += -m64 -fPIC -shared -fno-common -fno-builtin
+ ldflags-y := -fPIC -shared -nostdlib -soname=linux-vdso64.so.1 \
+- --hash-style=both --build-id -T
++ --hash-style=both --build-id=sha1 -T
+
+ $(targets:%=$(obj)/%.dbg): KBUILD_CFLAGS = $(KBUILD_CFLAGS_64)
+ $(targets:%=$(obj)/%.dbg): KBUILD_AFLAGS = $(KBUILD_AFLAGS_64)
+diff --git a/arch/sparc/vdso/Makefile b/arch/sparc/vdso/Makefile
+index f44355e46f31f..469dd23887abb 100644
+--- a/arch/sparc/vdso/Makefile
++++ b/arch/sparc/vdso/Makefile
+@@ -115,7 +115,7 @@ quiet_cmd_vdso = VDSO $@
+ -T $(filter %.lds,$^) $(filter %.o,$^) && \
+ sh $(srctree)/$(src)/checkundef.sh '$(OBJDUMP)' '$@'
+
+-VDSO_LDFLAGS = -shared --hash-style=both --build-id -Bsymbolic
++VDSO_LDFLAGS = -shared --hash-style=both --build-id=sha1 -Bsymbolic
+ GCOV_PROFILE := n
+
+ #
+diff --git a/arch/x86/entry/vdso/Makefile b/arch/x86/entry/vdso/Makefile
+index 215376d975a29..ebba25ed9a386 100644
+--- a/arch/x86/entry/vdso/Makefile
++++ b/arch/x86/entry/vdso/Makefile
+@@ -176,7 +176,7 @@ quiet_cmd_vdso = VDSO $@
+ -T $(filter %.lds,$^) $(filter %.o,$^) && \
+ sh $(srctree)/$(src)/checkundef.sh '$(NM)' '$@'
+
+-VDSO_LDFLAGS = -shared --hash-style=both --build-id \
++VDSO_LDFLAGS = -shared --hash-style=both --build-id=sha1 \
+ $(call ld-option, --eh-frame-hdr) -Bsymbolic
+ GCOV_PROFILE := n
+
+diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile
+index fc946b7ac288d..daf186f88a636 100644
+--- a/tools/testing/selftests/bpf/Makefile
++++ b/tools/testing/selftests/bpf/Makefile
+@@ -133,7 +133,7 @@ $(OUTPUT)/%:%.c
+
+ $(OUTPUT)/urandom_read: urandom_read.c
+ $(call msg,BINARY,,$@)
+- $(Q)$(CC) $(LDFLAGS) -o $@ $< $(LDLIBS) -Wl,--build-id
++ $(Q)$(CC) $(LDFLAGS) -o $@ $< $(LDLIBS) -Wl,--build-id=sha1
+
+ $(OUTPUT)/test_stub.o: test_stub.c $(BPFOBJ)
+ $(call msg,CC,,$@)
+--
+2.27.0
+
--- /dev/null
+From c6267c8d4eaae58ccc94a9beb113d17438b39d6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Oct 2020 19:28:17 +0300
+Subject: kunit: Don't fail test suites if one of them is empty
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 3fc48259d5250f7a3ee021ad0492b604c428c564 ]
+
+Empty test suite is okay test suite.
+
+Don't fail the rest of the test suites if one of them is empty.
+
+Fixes: 6ebf5866f2e8 ("kunit: tool: add Python wrappers for running KUnit tests")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reviewed-by: Brendan Higgins <brendanhiggins@google.com>
+Tested-by: Brendan Higgins <brendanhiggins@google.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/kunit/kunit_parser.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/kunit/kunit_parser.py b/tools/testing/kunit/kunit_parser.py
+index 62a0848699671..91036d5d51cf6 100644
+--- a/tools/testing/kunit/kunit_parser.py
++++ b/tools/testing/kunit/kunit_parser.py
+@@ -232,7 +232,7 @@ def parse_test_suite(lines: List[str]) -> TestSuite:
+ return None
+ test_suite.name = name
+ expected_test_case_num = parse_subtest_plan(lines)
+- if not expected_test_case_num:
++ if expected_test_case_num is None:
+ return None
+ while expected_test_case_num > 0:
+ test_case = parse_test_case(lines)
+--
+2.27.0
+
--- /dev/null
+From c30ba428ac8ffcf752527d283f2beb484a11eef1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Oct 2020 20:04:55 -0700
+Subject: kunit: Fix kunit.py --raw_output option
+
+From: David Gow <davidgow@google.com>
+
+[ Upstream commit 3023d8ff3fc60e5d32dc1d05f99ad6ffa12b0033 ]
+
+Due to the raw_output() function on kunit_parser.py actually being a
+generator, it only runs if something reads the lines it returns. Since
+we no-longer do that (parsing doesn't actually happen if raw_output is
+enabled), it was not printing anything.
+
+Fixes: 45ba7a893ad8 ("kunit: kunit_tool: Separate out config/build/exec/parse")
+Signed-off-by: David Gow <davidgow@google.com>
+Reviewed-by: Brendan Higgins <brendanhiggins@google.com>
+Tested-by: Brendan Higgins <brendanhiggins@google.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/kunit/kunit_parser.py | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/tools/testing/kunit/kunit_parser.py b/tools/testing/kunit/kunit_parser.py
+index f13e0c0d66639..62a0848699671 100644
+--- a/tools/testing/kunit/kunit_parser.py
++++ b/tools/testing/kunit/kunit_parser.py
+@@ -65,7 +65,6 @@ def isolate_kunit_output(kernel_output):
+ def raw_output(kernel_output):
+ for line in kernel_output:
+ print(line)
+- yield line
+
+ DIVIDER = '=' * 60
+
+--
+2.27.0
+
--- /dev/null
+From 9839f6b9a91436708dc4912c681327bc1a7d5427 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Oct 2020 16:54:07 +0530
+Subject: KVM: arm64: Force PTE mapping on fault resulting in a device mapping
+
+From: Santosh Shukla <sashukla@nvidia.com>
+
+[ Upstream commit 91a2c34b7d6fadc9c5d9433c620ea4c32ee7cae8 ]
+
+VFIO allows a device driver to resolve a fault by mapping a MMIO
+range. This can be subsequently result in user_mem_abort() to
+try and compute a huge mapping based on the MMIO pfn, which is
+a sure recipe for things to go wrong.
+
+Instead, force a PTE mapping when the pfn faulted in has a device
+mapping.
+
+Fixes: 6d674e28f642 ("KVM: arm/arm64: Properly handle faulting of device mappings")
+Suggested-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Santosh Shukla <sashukla@nvidia.com>
+[maz: rewritten commit message]
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Reviewed-by: Gavin Shan <gshan@redhat.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/1603711447-11998-2-git-send-email-sashukla@nvidia.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kvm/mmu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/kvm/mmu.c b/arch/arm64/kvm/mmu.c
+index 3d26b47a13430..7a4ad984d54e0 100644
+--- a/arch/arm64/kvm/mmu.c
++++ b/arch/arm64/kvm/mmu.c
+@@ -1920,6 +1920,7 @@ static int user_mem_abort(struct kvm_vcpu *vcpu, phys_addr_t fault_ipa,
+ if (kvm_is_device_pfn(pfn)) {
+ mem_type = PAGE_S2_DEVICE;
+ flags |= KVM_S2PTE_FLAG_IS_IOMAP;
++ force_pte = true;
+ } else if (logging_active) {
+ /*
+ * Faults on pages in a memslot with logging enabled
+--
+2.27.0
+
--- /dev/null
+From 6db73e4b05335fe318b2d00d97b6291ee17532e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Oct 2020 14:01:57 +0200
+Subject: mac80211: don't require VHT elements for HE on 2.4 GHz
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit c2f46814521113f6699a74e0a0424cbc5b305479 ]
+
+After the previous similar bugfix there was another bug here,
+if no VHT elements were found we also disabled HE. Fix this to
+disable HE only on the 5 GHz band; on 6 GHz it was already not
+disabled, and on 2.4 GHz there need (should) not be any VHT.
+
+Fixes: 57fa5e85d53c ("mac80211: determine chandef from HE 6 GHz operation")
+Link: https://lore.kernel.org/r/20201013140156.535a2fc6192f.Id6e5e525a60ac18d245d86f4015f1b271fce6ee6@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mlme.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
+index 2e400b0ff6961..0f30f50c46b1b 100644
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -5359,6 +5359,7 @@ int ieee80211_mgd_assoc(struct ieee80211_sub_if_data *sdata,
+ struct cfg80211_assoc_request *req)
+ {
+ bool is_6ghz = req->bss->channel->band == NL80211_BAND_6GHZ;
++ bool is_5ghz = req->bss->channel->band == NL80211_BAND_5GHZ;
+ struct ieee80211_local *local = sdata->local;
+ struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
+ struct ieee80211_bss *bss = (void *)req->bss->priv;
+@@ -5507,7 +5508,7 @@ int ieee80211_mgd_assoc(struct ieee80211_sub_if_data *sdata,
+ if (vht_ie && vht_ie[1] >= sizeof(struct ieee80211_vht_cap))
+ memcpy(&assoc_data->ap_vht_cap, vht_ie + 2,
+ sizeof(struct ieee80211_vht_cap));
+- else if (!is_6ghz)
++ else if (is_5ghz)
+ ifmgd->flags |= IEEE80211_STA_DISABLE_VHT |
+ IEEE80211_STA_DISABLE_HE;
+ rcu_read_unlock();
+--
+2.27.0
+
--- /dev/null
+From 77f999a460d1455d7f0513e20c01c52605b5577a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 1 Nov 2020 17:07:34 -0800
+Subject: mm: memcg: link page counters to root if use_hierarchy is false
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Roman Gushchin <guro@fb.com>
+
+[ Upstream commit 8de15e920dc85d1705ab9c202c95d56845bc2d48 ]
+
+Richard reported a warning which can be reproduced by running the LTP
+madvise6 test (cgroup v1 in the non-hierarchical mode should be used):
+
+ WARNING: CPU: 0 PID: 12 at mm/page_counter.c:57 page_counter_uncharge (mm/page_counter.c:57 mm/page_counter.c:50 mm/page_counter.c:156)
+ Modules linked in:
+ CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.9.0-rc7-22-default #77
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-48-gd9c812d-rebuilt.opensuse.org 04/01/2014
+ Workqueue: events drain_local_stock
+ RIP: 0010:page_counter_uncharge (mm/page_counter.c:57 mm/page_counter.c:50 mm/page_counter.c:156)
+ Call Trace:
+ __memcg_kmem_uncharge (mm/memcontrol.c:3022)
+ drain_obj_stock (./include/linux/rcupdate.h:689 mm/memcontrol.c:3114)
+ drain_local_stock (mm/memcontrol.c:2255)
+ process_one_work (./arch/x86/include/asm/jump_label.h:25 ./include/linux/jump_label.h:200 ./include/trace/events/workqueue.h:108 kernel/workqueue.c:2274)
+ worker_thread (./include/linux/list.h:282 kernel/workqueue.c:2416)
+ kthread (kernel/kthread.c:292)
+ ret_from_fork (arch/x86/entry/entry_64.S:300)
+
+The problem occurs because in the non-hierarchical mode non-root page
+counters are not linked to root page counters, so the charge is not
+propagated to the root memory cgroup.
+
+After the removal of the original memory cgroup and reparenting of the
+object cgroup, the root cgroup might be uncharged by draining a objcg
+stock, for example. It leads to an eventual underflow of the charge and
+triggers a warning.
+
+Fix it by linking all page counters to corresponding root page counters
+in the non-hierarchical mode.
+
+Please note, that in the non-hierarchical mode all objcgs are always
+reparented to the root memory cgroup, even if the hierarchy has more
+than 1 level. This patch doesn't change it.
+
+The patch also doesn't affect how the hierarchical mode is working,
+which is the only sane and truly supported mode now.
+
+Thanks to Richard for reporting, debugging and providing an alternative
+version of the fix!
+
+Fixes: bf4f059954dc ("mm: memcg/slab: obj_cgroup API")
+Reported-by: <ltp@lists.linux.it>
+Signed-off-by: Roman Gushchin <guro@fb.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Reviewed-by: Shakeel Butt <shakeelb@google.com>
+Reviewed-by: Michal Koutný <mkoutny@suse.com>
+Acked-by: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Michal Hocko <mhocko@kernel.org>
+Cc: <stable@vger.kernel.org>
+Link: https://lkml.kernel.org/r/20201026231326.3212225-1-guro@fb.com
+Debugged-by: Richard Palethorpe <rpalethorpe@suse.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/memcontrol.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/mm/memcontrol.c b/mm/memcontrol.c
+index 9eefdb9cc2303..de51787831728 100644
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -5298,7 +5298,13 @@ mem_cgroup_css_alloc(struct cgroup_subsys_state *parent_css)
+ memcg->swappiness = mem_cgroup_swappiness(parent);
+ memcg->oom_kill_disable = parent->oom_kill_disable;
+ }
+- if (parent && parent->use_hierarchy) {
++ if (!parent) {
++ page_counter_init(&memcg->memory, NULL);
++ page_counter_init(&memcg->swap, NULL);
++ page_counter_init(&memcg->memsw, NULL);
++ page_counter_init(&memcg->kmem, NULL);
++ page_counter_init(&memcg->tcpmem, NULL);
++ } else if (parent->use_hierarchy) {
+ memcg->use_hierarchy = true;
+ page_counter_init(&memcg->memory, &parent->memory);
+ page_counter_init(&memcg->swap, &parent->swap);
+@@ -5306,11 +5312,11 @@ mem_cgroup_css_alloc(struct cgroup_subsys_state *parent_css)
+ page_counter_init(&memcg->kmem, &parent->kmem);
+ page_counter_init(&memcg->tcpmem, &parent->tcpmem);
+ } else {
+- page_counter_init(&memcg->memory, NULL);
+- page_counter_init(&memcg->swap, NULL);
+- page_counter_init(&memcg->memsw, NULL);
+- page_counter_init(&memcg->kmem, NULL);
+- page_counter_init(&memcg->tcpmem, NULL);
++ page_counter_init(&memcg->memory, &root_mem_cgroup->memory);
++ page_counter_init(&memcg->swap, &root_mem_cgroup->swap);
++ page_counter_init(&memcg->memsw, &root_mem_cgroup->memsw);
++ page_counter_init(&memcg->kmem, &root_mem_cgroup->kmem);
++ page_counter_init(&memcg->tcpmem, &root_mem_cgroup->tcpmem);
+ /*
+ * Deeper hierachy with use_hierarchy == false doesn't make
+ * much sense so let cgroup subsystem know about this
+--
+2.27.0
+
--- /dev/null
+From d12f5cc12212b466bb5612e7a826a94bb12d1451 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 1 Nov 2020 17:07:30 -0800
+Subject: mm: memcontrol: correct the NR_ANON_THPS counter of hierarchical
+ memcg
+
+From: zhongjiang-ali <zhongjiang-ali@linux.alibaba.com>
+
+[ Upstream commit 7de2e9f195b9cb27583c5c64deaaf5e6afcc163e ]
+
+memcg_page_state will get the specified number in hierarchical memcg, It
+should multiply by HPAGE_PMD_NR rather than an page if the item is
+NR_ANON_THPS.
+
+[akpm@linux-foundation.org: fix printk warning]
+[akpm@linux-foundation.org: use u64 cast, per Michal]
+
+Fixes: 468c398233da ("mm: memcontrol: switch to native NR_ANON_THPS counter")
+Signed-off-by: zhongjiang-ali <zhongjiang-ali@linux.alibaba.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Acked-by: Johannes Weiner <hannes@cmpxchg.org>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Link: https://lkml.kernel.org/r/1603722395-72443-1-git-send-email-zhongjiang-ali@linux.alibaba.com
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/memcontrol.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/mm/memcontrol.c b/mm/memcontrol.c
+index de51787831728..51ce5d172855a 100644
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -4068,11 +4068,17 @@ static int memcg_stat_show(struct seq_file *m, void *v)
+ (u64)memsw * PAGE_SIZE);
+
+ for (i = 0; i < ARRAY_SIZE(memcg1_stats); i++) {
++ unsigned long nr;
++
+ if (memcg1_stats[i] == MEMCG_SWAP && !do_memsw_account())
+ continue;
++ nr = memcg_page_state(memcg, memcg1_stats[i]);
++#ifdef CONFIG_TRANSPARENT_HUGEPAGE
++ if (memcg1_stats[i] == NR_ANON_THPS)
++ nr *= HPAGE_PMD_NR;
++#endif
+ seq_printf(m, "total_%s %llu\n", memcg1_stat_names[i],
+- (u64)memcg_page_state(memcg, memcg1_stats[i]) *
+- PAGE_SIZE);
++ (u64)nr * PAGE_SIZE);
+ }
+
+ for (i = 0; i < ARRAY_SIZE(memcg1_events); i++)
+--
+2.27.0
+
--- /dev/null
+From 8438202b95b0fa25e2ed0f8eb044476494ee61a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Oct 2020 15:23:46 +0200
+Subject: mtd: spi-nor: Fix address width on flash chips > 16MB
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Bert Vermeulen <bert@biot.com>
+
+[ Upstream commit 324f78dfb442b82365548b657ec4e6974c677502 ]
+
+If a flash chip has more than 16MB capacity but its BFPT reports
+BFPT_DWORD1_ADDRESS_BYTES_3_OR_4, the spi-nor framework defaults to 3.
+
+The check in spi_nor_set_addr_width() doesn't catch it because addr_width
+did get set. This fixes that check.
+
+Fixes: f9acd7fa80be ("mtd: spi-nor: sfdp: default to addr_width of 3 for configurable widths")
+Signed-off-by: Bert Vermeulen <bert@biot.com>
+Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
+Reviewed-by: Tudor Ambarus <tudor.ambarus@microchip.com>
+Reviewed-by: Pratyush Yadav <p.yadav@ti.com>
+Reviewed-by: Joel Stanley <joel@jms.id.au>
+Reviewed-by: Cédric Le Goater <clg@kaod.org>
+Tested-by: Joel Stanley <joel@jms.id.au>
+Tested-by: Cédric Le Goater <clg@kaod.org>
+Link: https://lore.kernel.org/r/20201006132346.12652-1-bert@biot.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/spi-nor/core.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/mtd/spi-nor/core.c b/drivers/mtd/spi-nor/core.c
+index b37d6c1936de1..f0ae7a01703a1 100644
+--- a/drivers/mtd/spi-nor/core.c
++++ b/drivers/mtd/spi-nor/core.c
+@@ -3008,13 +3008,15 @@ static int spi_nor_set_addr_width(struct spi_nor *nor)
+ /* already configured from SFDP */
+ } else if (nor->info->addr_width) {
+ nor->addr_width = nor->info->addr_width;
+- } else if (nor->mtd.size > 0x1000000) {
+- /* enable 4-byte addressing if the device exceeds 16MiB */
+- nor->addr_width = 4;
+ } else {
+ nor->addr_width = 3;
+ }
+
++ if (nor->addr_width == 3 && nor->mtd.size > 0x1000000) {
++ /* enable 4-byte addressing if the device exceeds 16MiB */
++ nor->addr_width = 4;
++ }
++
+ if (nor->addr_width > SPI_NOR_MAX_ADDR_WIDTH) {
+ dev_dbg(nor->dev, "address width is too large: %u\n",
+ nor->addr_width);
+--
+2.27.0
+
--- /dev/null
+From 80d138ac02a0858d064a435d9e552a87c179d710 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Oct 2020 15:24:34 +0800
+Subject: nbd: don't update block size after device is started
+
+From: Ming Lei <ming.lei@redhat.com>
+
+[ Upstream commit b40813ddcd6bf9f01d020804e4cb8febc480b9e4 ]
+
+Mounted NBD device can be resized, one use case is rbd-nbd.
+
+Fix the issue by setting up default block size, then not touch it
+in nbd_size_update() any more. This kind of usage is aligned with loop
+which has same use case too.
+
+Cc: stable@vger.kernel.org
+Fixes: c8a83a6b54d0 ("nbd: Use set_blocksize() to set device blocksize")
+Reported-by: lining <lining2020x@163.com>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Cc: Josef Bacik <josef@toxicpanda.com>
+Cc: Jan Kara <jack@suse.cz>
+Tested-by: lining <lining2020x@163.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/nbd.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
+index f46e26c9d9b3c..d76fca629c143 100644
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -296,7 +296,7 @@ static void nbd_size_clear(struct nbd_device *nbd)
+ }
+ }
+
+-static void nbd_size_update(struct nbd_device *nbd)
++static void nbd_size_update(struct nbd_device *nbd, bool start)
+ {
+ struct nbd_config *config = nbd->config;
+ struct block_device *bdev = bdget_disk(nbd->disk, 0);
+@@ -312,7 +312,8 @@ static void nbd_size_update(struct nbd_device *nbd)
+ if (bdev) {
+ if (bdev->bd_disk) {
+ bd_set_size(bdev, config->bytesize);
+- set_blocksize(bdev, config->blksize);
++ if (start)
++ set_blocksize(bdev, config->blksize);
+ } else
+ bdev->bd_invalidated = 1;
+ bdput(bdev);
+@@ -327,7 +328,7 @@ static void nbd_size_set(struct nbd_device *nbd, loff_t blocksize,
+ config->blksize = blocksize;
+ config->bytesize = blocksize * nr_blocks;
+ if (nbd->task_recv != NULL)
+- nbd_size_update(nbd);
++ nbd_size_update(nbd, false);
+ }
+
+ static void nbd_complete_rq(struct request *req)
+@@ -1307,7 +1308,7 @@ static int nbd_start_device(struct nbd_device *nbd)
+ args->index = i;
+ queue_work(nbd->recv_workq, &args->work);
+ }
+- nbd_size_update(nbd);
++ nbd_size_update(nbd, true);
+ return error;
+ }
+
+--
+2.27.0
+
--- /dev/null
+From b542aa3f9477cb620eb6a301b92412cc96fdeca4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Oct 2020 09:05:35 +0200
+Subject: net: xfrm: fix a race condition during allocing spi
+
+From: zhuoliang zhang <zhuoliang.zhang@mediatek.com>
+
+[ Upstream commit a779d91314ca7208b7feb3ad817b62904397c56d ]
+
+we found that the following race condition exists in
+xfrm_alloc_userspi flow:
+
+user thread state_hash_work thread
+---- ----
+xfrm_alloc_userspi()
+ __find_acq_core()
+ /*alloc new xfrm_state:x*/
+ xfrm_state_alloc()
+ /*schedule state_hash_work thread*/
+ xfrm_hash_grow_check() xfrm_hash_resize()
+ xfrm_alloc_spi /*hold lock*/
+ x->id.spi = htonl(spi) spin_lock_bh(&net->xfrm.xfrm_state_lock)
+ /*waiting lock release*/ xfrm_hash_transfer()
+ spin_lock_bh(&net->xfrm.xfrm_state_lock) /*add x into hlist:net->xfrm.state_byspi*/
+ hlist_add_head_rcu(&x->byspi)
+ spin_unlock_bh(&net->xfrm.xfrm_state_lock)
+
+ /*add x into hlist:net->xfrm.state_byspi 2 times*/
+ hlist_add_head_rcu(&x->byspi)
+
+1. a new state x is alloced in xfrm_state_alloc() and added into the bydst hlist
+in __find_acq_core() on the LHS;
+2. on the RHS, state_hash_work thread travels the old bydst and tranfers every xfrm_state
+(include x) into the new bydst hlist and new byspi hlist;
+3. user thread on the LHS gets the lock and adds x into the new byspi hlist again.
+
+So the same xfrm_state (x) is added into the same list_hash
+(net->xfrm.state_byspi) 2 times that makes the list_hash become
+an inifite loop.
+
+To fix the race, x->id.spi = htonl(spi) in the xfrm_alloc_spi() is moved
+to the back of spin_lock_bh, sothat state_hash_work thread no longer add x
+which id.spi is zero into the hash_list.
+
+Fixes: f034b5d4efdf ("[XFRM]: Dynamic xfrm_state hash table sizing.")
+Signed-off-by: zhuoliang zhang <zhuoliang.zhang@mediatek.com>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_state.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
+index efc89a92961df..ee6ac32bb06d7 100644
+--- a/net/xfrm/xfrm_state.c
++++ b/net/xfrm/xfrm_state.c
+@@ -2004,6 +2004,7 @@ int xfrm_alloc_spi(struct xfrm_state *x, u32 low, u32 high)
+ int err = -ENOENT;
+ __be32 minspi = htonl(low);
+ __be32 maxspi = htonl(high);
++ __be32 newspi = 0;
+ u32 mark = x->mark.v & x->mark.m;
+
+ spin_lock_bh(&x->lock);
+@@ -2022,21 +2023,22 @@ int xfrm_alloc_spi(struct xfrm_state *x, u32 low, u32 high)
+ xfrm_state_put(x0);
+ goto unlock;
+ }
+- x->id.spi = minspi;
++ newspi = minspi;
+ } else {
+ u32 spi = 0;
+ for (h = 0; h < high-low+1; h++) {
+ spi = low + prandom_u32()%(high-low+1);
+ x0 = xfrm_state_lookup(net, mark, &x->id.daddr, htonl(spi), x->id.proto, x->props.family);
+ if (x0 == NULL) {
+- x->id.spi = htonl(spi);
++ newspi = htonl(spi);
+ break;
+ }
+ xfrm_state_put(x0);
+ }
+ }
+- if (x->id.spi) {
++ if (newspi) {
+ spin_lock_bh(&net->xfrm.xfrm_state_lock);
++ x->id.spi = newspi;
+ h = xfrm_spi_hash(net, &x->id.daddr, x->id.spi, x->id.proto, x->props.family);
+ hlist_add_head_rcu(&x->byspi, net->xfrm.state_byspi + h);
+ spin_unlock_bh(&net->xfrm.xfrm_state_lock);
+--
+2.27.0
+
--- /dev/null
+From 7dfaef808151e6a502d4fef8beb3a013f5bb2bf5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Oct 2020 16:39:46 +0100
+Subject: netfilter: ipset: Update byte and packet counters regardless of
+ whether they match
+
+From: Stefano Brivio <sbrivio@redhat.com>
+
+[ Upstream commit 7d10e62c2ff8e084c136c94d32d9a94de4d31248 ]
+
+In ip_set_match_extensions(), for sets with counters, we take care of
+updating counters themselves by calling ip_set_update_counter(), and of
+checking if the given comparison and values match, by calling
+ip_set_match_counter() if needed.
+
+However, if a given comparison on counters doesn't match the configured
+values, that doesn't mean the set entry itself isn't matching.
+
+This fix restores the behaviour we had before commit 4750005a85f7
+("netfilter: ipset: Fix "don't update counters" mode when counters used
+at the matching"), without reintroducing the issue fixed there: back
+then, mtype_data_match() first updated counters in any case, and then
+took care of matching on counters.
+
+Now, if the IPSET_FLAG_SKIP_COUNTER_UPDATE flag is set,
+ip_set_update_counter() will anyway skip counter updates if desired.
+
+The issue observed is illustrated by this reproducer:
+
+ ipset create c hash:ip counters
+ ipset add c 192.0.2.1
+ iptables -I INPUT -m set --match-set c src --bytes-gt 800 -j DROP
+
+if we now send packets from 192.0.2.1, bytes and packets counters
+for the entry as shown by 'ipset list' are always zero, and, no
+matter how many bytes we send, the rule will never match, because
+counters themselves are not updated.
+
+Reported-by: Mithil Mhatre <mmhatre@redhat.com>
+Fixes: 4750005a85f7 ("netfilter: ipset: Fix "don't update counters" mode when counters used at the matching")
+Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
+Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/ipset/ip_set_core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
+index 920b7c4331f0c..2643dc982eb4e 100644
+--- a/net/netfilter/ipset/ip_set_core.c
++++ b/net/netfilter/ipset/ip_set_core.c
+@@ -652,13 +652,14 @@ ip_set_match_extensions(struct ip_set *set, const struct ip_set_ext *ext,
+ if (SET_WITH_COUNTER(set)) {
+ struct ip_set_counter *counter = ext_counter(data, set);
+
++ ip_set_update_counter(counter, ext, flags);
++
+ if (flags & IPSET_FLAG_MATCH_COUNTERS &&
+ !(ip_set_match_counter(ip_set_get_packets(counter),
+ mext->packets, mext->packets_op) &&
+ ip_set_match_counter(ip_set_get_bytes(counter),
+ mext->bytes, mext->bytes_op)))
+ return false;
+- ip_set_update_counter(counter, ext, flags);
+ }
+ if (SET_WITH_SKBINFO(set))
+ ip_set_get_skbinfo(ext_skbinfo(data, set),
+--
+2.27.0
+
--- /dev/null
+From d6dad3d8cc56f69645aadd6204af0f1b39258f04 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Oct 2020 13:50:03 +0100
+Subject: netfilter: nf_tables: missing validation from the abort path
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit c0391b6ab810381df632677a1dcbbbbd63d05b6d ]
+
+If userspace does not include the trailing end of batch message, then
+nfnetlink aborts the transaction. This allows to check that ruleset
+updates trigger no errors.
+
+After this patch, invoking this command from the prerouting chain:
+
+ # nft -c add rule x y fib saddr . oif type local
+
+fails since oif is not supported there.
+
+This patch fixes the lack of rule validation from the abort/check path
+to catch configuration errors such as the one above.
+
+Fixes: a654de8fdc18 ("netfilter: nf_tables: fix chain dependency validation")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/netfilter/nfnetlink.h | 9 ++++++++-
+ net/netfilter/nf_tables_api.c | 15 ++++++++++-----
+ net/netfilter/nfnetlink.c | 22 ++++++++++++++++++----
+ 3 files changed, 36 insertions(+), 10 deletions(-)
+
+diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h
+index 89016d08f6a27..f6267e2883f26 100644
+--- a/include/linux/netfilter/nfnetlink.h
++++ b/include/linux/netfilter/nfnetlink.h
+@@ -24,6 +24,12 @@ struct nfnl_callback {
+ const u_int16_t attr_count; /* number of nlattr's */
+ };
+
++enum nfnl_abort_action {
++ NFNL_ABORT_NONE = 0,
++ NFNL_ABORT_AUTOLOAD,
++ NFNL_ABORT_VALIDATE,
++};
++
+ struct nfnetlink_subsystem {
+ const char *name;
+ __u8 subsys_id; /* nfnetlink subsystem ID */
+@@ -31,7 +37,8 @@ struct nfnetlink_subsystem {
+ const struct nfnl_callback *cb; /* callback for individual types */
+ struct module *owner;
+ int (*commit)(struct net *net, struct sk_buff *skb);
+- int (*abort)(struct net *net, struct sk_buff *skb, bool autoload);
++ int (*abort)(struct net *net, struct sk_buff *skb,
++ enum nfnl_abort_action action);
+ void (*cleanup)(struct net *net);
+ bool (*valid_genid)(struct net *net, u32 genid);
+ };
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 1c90bd1fce60c..4305d96334082 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -7992,12 +7992,16 @@ static void nf_tables_abort_release(struct nft_trans *trans)
+ kfree(trans);
+ }
+
+-static int __nf_tables_abort(struct net *net, bool autoload)
++static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
+ {
+ struct nft_trans *trans, *next;
+ struct nft_trans_elem *te;
+ struct nft_hook *hook;
+
++ if (action == NFNL_ABORT_VALIDATE &&
++ nf_tables_validate(net) < 0)
++ return -EAGAIN;
++
+ list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
+ list) {
+ switch (trans->msg_type) {
+@@ -8129,7 +8133,7 @@ static int __nf_tables_abort(struct net *net, bool autoload)
+ nf_tables_abort_release(trans);
+ }
+
+- if (autoload)
++ if (action == NFNL_ABORT_AUTOLOAD)
+ nf_tables_module_autoload(net);
+ else
+ nf_tables_module_autoload_cleanup(net);
+@@ -8142,9 +8146,10 @@ static void nf_tables_cleanup(struct net *net)
+ nft_validate_state_update(net, NFT_VALIDATE_SKIP);
+ }
+
+-static int nf_tables_abort(struct net *net, struct sk_buff *skb, bool autoload)
++static int nf_tables_abort(struct net *net, struct sk_buff *skb,
++ enum nfnl_abort_action action)
+ {
+- int ret = __nf_tables_abort(net, autoload);
++ int ret = __nf_tables_abort(net, action);
+
+ mutex_unlock(&net->nft.commit_mutex);
+
+@@ -8775,7 +8780,7 @@ static void __net_exit nf_tables_exit_net(struct net *net)
+ {
+ mutex_lock(&net->nft.commit_mutex);
+ if (!list_empty(&net->nft.commit_list))
+- __nf_tables_abort(net, false);
++ __nf_tables_abort(net, NFNL_ABORT_NONE);
+ __nft_release_tables(net);
+ mutex_unlock(&net->nft.commit_mutex);
+ WARN_ON_ONCE(!list_empty(&net->nft.tables));
+diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
+index 3a2e64e13b227..212c37f53f5f4 100644
+--- a/net/netfilter/nfnetlink.c
++++ b/net/netfilter/nfnetlink.c
+@@ -316,7 +316,7 @@ static void nfnetlink_rcv_batch(struct sk_buff *skb, struct nlmsghdr *nlh,
+ return netlink_ack(skb, nlh, -EINVAL, NULL);
+ replay:
+ status = 0;
+-
++replay_abort:
+ skb = netlink_skb_clone(oskb, GFP_KERNEL);
+ if (!skb)
+ return netlink_ack(oskb, nlh, -ENOMEM, NULL);
+@@ -482,7 +482,7 @@ ack:
+ }
+ done:
+ if (status & NFNL_BATCH_REPLAY) {
+- ss->abort(net, oskb, true);
++ ss->abort(net, oskb, NFNL_ABORT_AUTOLOAD);
+ nfnl_err_reset(&err_list);
+ kfree_skb(skb);
+ module_put(ss->owner);
+@@ -493,11 +493,25 @@ done:
+ status |= NFNL_BATCH_REPLAY;
+ goto done;
+ } else if (err) {
+- ss->abort(net, oskb, false);
++ ss->abort(net, oskb, NFNL_ABORT_NONE);
+ netlink_ack(oskb, nlmsg_hdr(oskb), err, NULL);
+ }
+ } else {
+- ss->abort(net, oskb, false);
++ enum nfnl_abort_action abort_action;
++
++ if (status & NFNL_BATCH_FAILURE)
++ abort_action = NFNL_ABORT_NONE;
++ else
++ abort_action = NFNL_ABORT_VALIDATE;
++
++ err = ss->abort(net, oskb, abort_action);
++ if (err == -EAGAIN) {
++ nfnl_err_reset(&err_list);
++ kfree_skb(skb);
++ module_put(ss->owner);
++ status |= NFNL_BATCH_FAILURE;
++ goto replay_abort;
++ }
+ }
+ if (ss->cleanup)
+ ss->cleanup(net);
+--
+2.27.0
+
--- /dev/null
+From a6576bc2267b0911403d3d2c2c5a480200ae80bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Oct 2020 22:17:49 +0200
+Subject: netfilter: nftables: fix netlink report logic in flowtable and genid
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit dceababac29d1c53cbc1f7ddf6f688d2df01da87 ]
+
+The netlink report should be sent regardless the available listeners.
+
+Fixes: 84d7fce69388 ("netfilter: nf_tables: export rule-set generation ID")
+Fixes: 3b49e2e94e6e ("netfilter: nf_tables: add flow table netlink frontend")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 72f3ee47e478f..1c90bd1fce60c 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -7076,7 +7076,7 @@ static void nf_tables_flowtable_notify(struct nft_ctx *ctx,
+ GFP_KERNEL);
+ kfree(buf);
+
+- if (ctx->report &&
++ if (!ctx->report &&
+ !nfnetlink_has_listeners(ctx->net, NFNLGRP_NFTABLES))
+ return;
+
+@@ -7198,7 +7198,7 @@ static void nf_tables_gen_notify(struct net *net, struct sk_buff *skb,
+ audit_log_nfcfg("?:0;?:0", 0, net->nft.base_seq,
+ AUDIT_NFT_OP_GEN_REGISTER, GFP_KERNEL);
+
+- if (nlmsg_report(nlh) &&
++ if (!nlmsg_report(nlh) &&
+ !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
+ return;
+
+--
+2.27.0
+
--- /dev/null
+From 83ee66e525b133e3c0b7a6beb0a373cbd7264fa3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Oct 2020 03:56:06 +0100
+Subject: netfilter: use actual socket sk rather than skb sk when routing
+ harder
+
+From: Jason A. Donenfeld <Jason@zx2c4.com>
+
+[ Upstream commit 46d6c5ae953cc0be38efd0e469284df7c4328cf8 ]
+
+If netfilter changes the packet mark when mangling, the packet is
+rerouted using the route_me_harder set of functions. Prior to this
+commit, there's one big difference between route_me_harder and the
+ordinary initial routing functions, described in the comment above
+__ip_queue_xmit():
+
+ /* Note: skb->sk can be different from sk, in case of tunnels */
+ int __ip_queue_xmit(struct sock *sk, struct sk_buff *skb, struct flowi *fl,
+
+That function goes on to correctly make use of sk->sk_bound_dev_if,
+rather than skb->sk->sk_bound_dev_if. And indeed the comment is true: a
+tunnel will receive a packet in ndo_start_xmit with an initial skb->sk.
+It will make some transformations to that packet, and then it will send
+the encapsulated packet out of a *new* socket. That new socket will
+basically always have a different sk_bound_dev_if (otherwise there'd be
+a routing loop). So for the purposes of routing the encapsulated packet,
+the routing information as it pertains to the socket should come from
+that socket's sk, rather than the packet's original skb->sk. For that
+reason __ip_queue_xmit() and related functions all do the right thing.
+
+One might argue that all tunnels should just call skb_orphan(skb) before
+transmitting the encapsulated packet into the new socket. But tunnels do
+*not* do this -- and this is wisely avoided in skb_scrub_packet() too --
+because features like TSQ rely on skb->destructor() being called when
+that buffer space is truely available again. Calling skb_orphan(skb) too
+early would result in buffers filling up unnecessarily and accounting
+info being all wrong. Instead, additional routing must take into account
+the new sk, just as __ip_queue_xmit() notes.
+
+So, this commit addresses the problem by fishing the correct sk out of
+state->sk -- it's already set properly in the call to nf_hook() in
+__ip_local_out(), which receives the sk as part of its normal
+functionality. So we make sure to plumb state->sk through the various
+route_me_harder functions, and then make correct use of it following the
+example of __ip_queue_xmit().
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/netfilter_ipv4.h | 2 +-
+ include/linux/netfilter_ipv6.h | 10 +++++-----
+ net/ipv4/netfilter.c | 8 +++++---
+ net/ipv4/netfilter/iptable_mangle.c | 2 +-
+ net/ipv4/netfilter/nf_reject_ipv4.c | 2 +-
+ net/ipv6/netfilter.c | 6 +++---
+ net/ipv6/netfilter/ip6table_mangle.c | 2 +-
+ net/netfilter/ipvs/ip_vs_core.c | 4 ++--
+ net/netfilter/nf_nat_proto.c | 4 ++--
+ net/netfilter/nf_synproxy_core.c | 2 +-
+ net/netfilter/nft_chain_route.c | 4 ++--
+ net/netfilter/utils.c | 4 ++--
+ 12 files changed, 26 insertions(+), 24 deletions(-)
+
+diff --git a/include/linux/netfilter_ipv4.h b/include/linux/netfilter_ipv4.h
+index 082e2c41b7ff9..5b70ca868bb19 100644
+--- a/include/linux/netfilter_ipv4.h
++++ b/include/linux/netfilter_ipv4.h
+@@ -16,7 +16,7 @@ struct ip_rt_info {
+ u_int32_t mark;
+ };
+
+-int ip_route_me_harder(struct net *net, struct sk_buff *skb, unsigned addr_type);
++int ip_route_me_harder(struct net *net, struct sock *sk, struct sk_buff *skb, unsigned addr_type);
+
+ struct nf_queue_entry;
+
+diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
+index 9b67394471e1c..48314ade1506f 100644
+--- a/include/linux/netfilter_ipv6.h
++++ b/include/linux/netfilter_ipv6.h
+@@ -42,7 +42,7 @@ struct nf_ipv6_ops {
+ #if IS_MODULE(CONFIG_IPV6)
+ int (*chk_addr)(struct net *net, const struct in6_addr *addr,
+ const struct net_device *dev, int strict);
+- int (*route_me_harder)(struct net *net, struct sk_buff *skb);
++ int (*route_me_harder)(struct net *net, struct sock *sk, struct sk_buff *skb);
+ int (*dev_get_saddr)(struct net *net, const struct net_device *dev,
+ const struct in6_addr *daddr, unsigned int srcprefs,
+ struct in6_addr *saddr);
+@@ -143,9 +143,9 @@ static inline int nf_br_ip6_fragment(struct net *net, struct sock *sk,
+ #endif
+ }
+
+-int ip6_route_me_harder(struct net *net, struct sk_buff *skb);
++int ip6_route_me_harder(struct net *net, struct sock *sk, struct sk_buff *skb);
+
+-static inline int nf_ip6_route_me_harder(struct net *net, struct sk_buff *skb)
++static inline int nf_ip6_route_me_harder(struct net *net, struct sock *sk, struct sk_buff *skb)
+ {
+ #if IS_MODULE(CONFIG_IPV6)
+ const struct nf_ipv6_ops *v6_ops = nf_get_ipv6_ops();
+@@ -153,9 +153,9 @@ static inline int nf_ip6_route_me_harder(struct net *net, struct sk_buff *skb)
+ if (!v6_ops)
+ return -EHOSTUNREACH;
+
+- return v6_ops->route_me_harder(net, skb);
++ return v6_ops->route_me_harder(net, sk, skb);
+ #elif IS_BUILTIN(CONFIG_IPV6)
+- return ip6_route_me_harder(net, skb);
++ return ip6_route_me_harder(net, sk, skb);
+ #else
+ return -EHOSTUNREACH;
+ #endif
+diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
+index a058213b77a78..7c841037c5334 100644
+--- a/net/ipv4/netfilter.c
++++ b/net/ipv4/netfilter.c
+@@ -17,17 +17,19 @@
+ #include <net/netfilter/nf_queue.h>
+
+ /* route_me_harder function, used by iptable_nat, iptable_mangle + ip_queue */
+-int ip_route_me_harder(struct net *net, struct sk_buff *skb, unsigned int addr_type)
++int ip_route_me_harder(struct net *net, struct sock *sk, struct sk_buff *skb, unsigned int addr_type)
+ {
+ const struct iphdr *iph = ip_hdr(skb);
+ struct rtable *rt;
+ struct flowi4 fl4 = {};
+ __be32 saddr = iph->saddr;
+- const struct sock *sk = skb_to_full_sk(skb);
+- __u8 flags = sk ? inet_sk_flowi_flags(sk) : 0;
++ __u8 flags;
+ struct net_device *dev = skb_dst(skb)->dev;
+ unsigned int hh_len;
+
++ sk = sk_to_full_sk(sk);
++ flags = sk ? inet_sk_flowi_flags(sk) : 0;
++
+ if (addr_type == RTN_UNSPEC)
+ addr_type = inet_addr_type_dev_table(net, dev, saddr);
+ if (addr_type == RTN_LOCAL || addr_type == RTN_UNICAST)
+diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c
+index f703a717ab1d2..8330795892730 100644
+--- a/net/ipv4/netfilter/iptable_mangle.c
++++ b/net/ipv4/netfilter/iptable_mangle.c
+@@ -62,7 +62,7 @@ ipt_mangle_out(struct sk_buff *skb, const struct nf_hook_state *state)
+ iph->daddr != daddr ||
+ skb->mark != mark ||
+ iph->tos != tos) {
+- err = ip_route_me_harder(state->net, skb, RTN_UNSPEC);
++ err = ip_route_me_harder(state->net, state->sk, skb, RTN_UNSPEC);
+ if (err < 0)
+ ret = NF_DROP_ERR(err);
+ }
+diff --git a/net/ipv4/netfilter/nf_reject_ipv4.c b/net/ipv4/netfilter/nf_reject_ipv4.c
+index 9dcfa4e461b65..93b07739807b2 100644
+--- a/net/ipv4/netfilter/nf_reject_ipv4.c
++++ b/net/ipv4/netfilter/nf_reject_ipv4.c
+@@ -145,7 +145,7 @@ void nf_send_reset(struct net *net, struct sk_buff *oldskb, int hook)
+ ip4_dst_hoplimit(skb_dst(nskb)));
+ nf_reject_ip_tcphdr_put(nskb, oldskb, oth);
+
+- if (ip_route_me_harder(net, nskb, RTN_UNSPEC))
++ if (ip_route_me_harder(net, nskb->sk, nskb, RTN_UNSPEC))
+ goto free_nskb;
+
+ niph = ip_hdr(nskb);
+diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
+index 6d0e942d082d4..ab9a279dd6d47 100644
+--- a/net/ipv6/netfilter.c
++++ b/net/ipv6/netfilter.c
+@@ -20,10 +20,10 @@
+ #include <net/netfilter/ipv6/nf_defrag_ipv6.h>
+ #include "../bridge/br_private.h"
+
+-int ip6_route_me_harder(struct net *net, struct sk_buff *skb)
++int ip6_route_me_harder(struct net *net, struct sock *sk_partial, struct sk_buff *skb)
+ {
+ const struct ipv6hdr *iph = ipv6_hdr(skb);
+- struct sock *sk = sk_to_full_sk(skb->sk);
++ struct sock *sk = sk_to_full_sk(sk_partial);
+ unsigned int hh_len;
+ struct dst_entry *dst;
+ int strict = (ipv6_addr_type(&iph->daddr) &
+@@ -84,7 +84,7 @@ static int nf_ip6_reroute(struct sk_buff *skb,
+ if (!ipv6_addr_equal(&iph->daddr, &rt_info->daddr) ||
+ !ipv6_addr_equal(&iph->saddr, &rt_info->saddr) ||
+ skb->mark != rt_info->mark)
+- return ip6_route_me_harder(entry->state.net, skb);
++ return ip6_route_me_harder(entry->state.net, entry->state.sk, skb);
+ }
+ return 0;
+ }
+diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
+index 1a2748611e003..cee74803d7a1c 100644
+--- a/net/ipv6/netfilter/ip6table_mangle.c
++++ b/net/ipv6/netfilter/ip6table_mangle.c
+@@ -57,7 +57,7 @@ ip6t_mangle_out(struct sk_buff *skb, const struct nf_hook_state *state)
+ skb->mark != mark ||
+ ipv6_hdr(skb)->hop_limit != hop_limit ||
+ flowlabel != *((u_int32_t *)ipv6_hdr(skb)))) {
+- err = ip6_route_me_harder(state->net, skb);
++ err = ip6_route_me_harder(state->net, state->sk, skb);
+ if (err < 0)
+ ret = NF_DROP_ERR(err);
+ }
+diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
+index e3668a6e54e47..570d8ef6fb8b6 100644
+--- a/net/netfilter/ipvs/ip_vs_core.c
++++ b/net/netfilter/ipvs/ip_vs_core.c
+@@ -742,12 +742,12 @@ static int ip_vs_route_me_harder(struct netns_ipvs *ipvs, int af,
+ struct dst_entry *dst = skb_dst(skb);
+
+ if (dst->dev && !(dst->dev->flags & IFF_LOOPBACK) &&
+- ip6_route_me_harder(ipvs->net, skb) != 0)
++ ip6_route_me_harder(ipvs->net, skb->sk, skb) != 0)
+ return 1;
+ } else
+ #endif
+ if (!(skb_rtable(skb)->rt_flags & RTCF_LOCAL) &&
+- ip_route_me_harder(ipvs->net, skb, RTN_LOCAL) != 0)
++ ip_route_me_harder(ipvs->net, skb->sk, skb, RTN_LOCAL) != 0)
+ return 1;
+
+ return 0;
+diff --git a/net/netfilter/nf_nat_proto.c b/net/netfilter/nf_nat_proto.c
+index 59151dc07fdc1..e87b6bd6b3cdb 100644
+--- a/net/netfilter/nf_nat_proto.c
++++ b/net/netfilter/nf_nat_proto.c
+@@ -715,7 +715,7 @@ nf_nat_ipv4_local_fn(void *priv, struct sk_buff *skb,
+
+ if (ct->tuplehash[dir].tuple.dst.u3.ip !=
+ ct->tuplehash[!dir].tuple.src.u3.ip) {
+- err = ip_route_me_harder(state->net, skb, RTN_UNSPEC);
++ err = ip_route_me_harder(state->net, state->sk, skb, RTN_UNSPEC);
+ if (err < 0)
+ ret = NF_DROP_ERR(err);
+ }
+@@ -953,7 +953,7 @@ nf_nat_ipv6_local_fn(void *priv, struct sk_buff *skb,
+
+ if (!nf_inet_addr_cmp(&ct->tuplehash[dir].tuple.dst.u3,
+ &ct->tuplehash[!dir].tuple.src.u3)) {
+- err = nf_ip6_route_me_harder(state->net, skb);
++ err = nf_ip6_route_me_harder(state->net, state->sk, skb);
+ if (err < 0)
+ ret = NF_DROP_ERR(err);
+ }
+diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c
+index 9cca35d229273..d7d34a62d3bf5 100644
+--- a/net/netfilter/nf_synproxy_core.c
++++ b/net/netfilter/nf_synproxy_core.c
+@@ -446,7 +446,7 @@ synproxy_send_tcp(struct net *net,
+
+ skb_dst_set_noref(nskb, skb_dst(skb));
+ nskb->protocol = htons(ETH_P_IP);
+- if (ip_route_me_harder(net, nskb, RTN_UNSPEC))
++ if (ip_route_me_harder(net, nskb->sk, nskb, RTN_UNSPEC))
+ goto free_nskb;
+
+ if (nfct) {
+diff --git a/net/netfilter/nft_chain_route.c b/net/netfilter/nft_chain_route.c
+index 8826bbe71136c..edd02cda57fca 100644
+--- a/net/netfilter/nft_chain_route.c
++++ b/net/netfilter/nft_chain_route.c
+@@ -42,7 +42,7 @@ static unsigned int nf_route_table_hook4(void *priv,
+ iph->daddr != daddr ||
+ skb->mark != mark ||
+ iph->tos != tos) {
+- err = ip_route_me_harder(state->net, skb, RTN_UNSPEC);
++ err = ip_route_me_harder(state->net, state->sk, skb, RTN_UNSPEC);
+ if (err < 0)
+ ret = NF_DROP_ERR(err);
+ }
+@@ -92,7 +92,7 @@ static unsigned int nf_route_table_hook6(void *priv,
+ skb->mark != mark ||
+ ipv6_hdr(skb)->hop_limit != hop_limit ||
+ flowlabel != *((u32 *)ipv6_hdr(skb)))) {
+- err = nf_ip6_route_me_harder(state->net, skb);
++ err = nf_ip6_route_me_harder(state->net, state->sk, skb);
+ if (err < 0)
+ ret = NF_DROP_ERR(err);
+ }
+diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c
+index cedf47ab3c6f9..2182d361e273f 100644
+--- a/net/netfilter/utils.c
++++ b/net/netfilter/utils.c
+@@ -191,8 +191,8 @@ static int nf_ip_reroute(struct sk_buff *skb, const struct nf_queue_entry *entry
+ skb->mark == rt_info->mark &&
+ iph->daddr == rt_info->daddr &&
+ iph->saddr == rt_info->saddr))
+- return ip_route_me_harder(entry->state.net, skb,
+- RTN_UNSPEC);
++ return ip_route_me_harder(entry->state.net, entry->state.sk,
++ skb, RTN_UNSPEC);
+ }
+ #endif
+ return 0;
+--
+2.27.0
+
--- /dev/null
+From 75e57ebf1fdc934806624492fbc27c2a2848baf3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Oct 2020 16:15:45 -0700
+Subject: PCI: Always enable ACS even if no ACS Capability
+
+From: Rajat Jain <rajatja@google.com>
+
+[ Upstream commit 462b58fb033996e999cc213ed0b430d4f22a28fe ]
+
+Some devices support ACS functionality even though they don't have a
+spec-compliant ACS Capability; pci_enable_acs() has a quirk mechanism to
+handle them.
+
+We want to enable ACS whenever possible, but 52fbf5bdeeef ("PCI: Cache ACS
+capability offset in device") inadvertently broke this by calling
+pci_enable_acs() only if we find an ACS Capability.
+
+This resulted in ACS not being enabled for these non-compliant devices,
+which means devices can't be separated into different IOMMU groups, which
+in turn means we may not be able to pass those devices through to VMs, as
+reported by Boris V:
+
+ https://lore.kernel.org/r/74aeea93-8a46-5f5a-343c-790d4c655da3@bstnet.org
+
+Fixes: 52fbf5bdeeef ("PCI: Cache ACS capability offset in device")
+Link: https://lore.kernel.org/r/20201028231545.4116866-1-rajatja@google.com
+Reported-by: Boris V <borisvk@bstnet.org>
+Signed-off-by: Rajat Jain <rajatja@google.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pci.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
+index e39c5499770ff..b2fed944903e2 100644
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -3503,8 +3503,13 @@ void pci_acs_init(struct pci_dev *dev)
+ {
+ dev->acs_cap = pci_find_ext_capability(dev, PCI_EXT_CAP_ID_ACS);
+
+- if (dev->acs_cap)
+- pci_enable_acs(dev);
++ /*
++ * Attempt to enable ACS regardless of capability because some Root
++ * Ports (e.g. those quirked with *_intel_pch_acs_*) do not have
++ * the standard ACS capability but still support ACS via those
++ * quirks.
++ */
++ pci_enable_acs(dev);
+ }
+
+ /**
+--
+2.27.0
+
--- /dev/null
+From 4877125f37ee1cfbab0066b38332b3667229cbee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Oct 2020 09:52:52 -0500
+Subject: PCI: mvebu: Fix duplicate resource requests
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rob Herring <robh@kernel.org>
+
+[ Upstream commit 832ea234277a2465ec6602fa6a4db5cd9ee87ae3 ]
+
+With commit 669cbc708122 ("PCI: Move DT resource setup into
+devm_pci_alloc_host_bridge()"), the DT 'ranges' is parsed and populated
+into resources when the host bridge is allocated. The resources are
+requested as well, but that happens a second time for the mvebu driver in
+mvebu_pcie_parse_request_resources(). We should only be requesting the
+additional resources added in mvebu_pcie_parse_request_resources(). These
+are not added by default because they use custom properties rather than
+standard DT address translation.
+
+Also, the bus ranges was also populated by default, so we can remove it
+from mvebu_pci_host_probe().
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=209729
+Fixes: 669cbc708122 ("PCI: Move DT resource setup into devm_pci_alloc_host_bridge()")
+Link: https://lore.kernel.org/r/20201023145252.2691779-1-robh@kernel.org
+Reported-by: vtolkm@googlemail.com
+Tested-by: Jan Kundrát <jan.kundrat@cesnet.cz>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Acked-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
+Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+Cc: Jason Cooper <jason@lakedaemon.net>
+Cc: Russell King <linux@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pci-mvebu.c | 23 ++++++++++-------------
+ 1 file changed, 10 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/pci/controller/pci-mvebu.c b/drivers/pci/controller/pci-mvebu.c
+index c39978b750ec6..653c0b3d29125 100644
+--- a/drivers/pci/controller/pci-mvebu.c
++++ b/drivers/pci/controller/pci-mvebu.c
+@@ -960,25 +960,16 @@ static void mvebu_pcie_powerdown(struct mvebu_pcie_port *port)
+ }
+
+ /*
+- * We can't use devm_of_pci_get_host_bridge_resources() because we
+- * need to parse our special DT properties encoding the MEM and IO
+- * apertures.
++ * devm_of_pci_get_host_bridge_resources() only sets up translateable resources,
++ * so we need extra resource setup parsing our special DT properties encoding
++ * the MEM and IO apertures.
+ */
+ static int mvebu_pcie_parse_request_resources(struct mvebu_pcie *pcie)
+ {
+ struct device *dev = &pcie->pdev->dev;
+- struct device_node *np = dev->of_node;
+ struct pci_host_bridge *bridge = pci_host_bridge_from_priv(pcie);
+ int ret;
+
+- /* Get the bus range */
+- ret = of_pci_parse_bus_range(np, &pcie->busn);
+- if (ret) {
+- dev_err(dev, "failed to parse bus-range property: %d\n", ret);
+- return ret;
+- }
+- pci_add_resource(&bridge->windows, &pcie->busn);
+-
+ /* Get the PCIe memory aperture */
+ mvebu_mbus_get_pcie_mem_aperture(&pcie->mem);
+ if (resource_size(&pcie->mem) == 0) {
+@@ -988,6 +979,9 @@ static int mvebu_pcie_parse_request_resources(struct mvebu_pcie *pcie)
+
+ pcie->mem.name = "PCI MEM";
+ pci_add_resource(&bridge->windows, &pcie->mem);
++ ret = devm_request_resource(dev, &iomem_resource, &pcie->mem);
++ if (ret)
++ return ret;
+
+ /* Get the PCIe IO aperture */
+ mvebu_mbus_get_pcie_io_aperture(&pcie->io);
+@@ -1001,9 +995,12 @@ static int mvebu_pcie_parse_request_resources(struct mvebu_pcie *pcie)
+ pcie->realio.name = "PCI I/O";
+
+ pci_add_resource(&bridge->windows, &pcie->realio);
++ ret = devm_request_resource(dev, &ioport_resource, &pcie->realio);
++ if (ret)
++ return ret;
+ }
+
+- return devm_request_pci_bus_resources(dev, &bridge->windows);
++ return 0;
+ }
+
+ /*
+--
+2.27.0
+
--- /dev/null
+From 77ecb2e3e0c0074fae6ea060b032dc3e4866b3cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Nov 2020 23:02:28 +0900
+Subject: perf tools: Add missing swap for cgroup events
+
+From: Namhyung Kim <namhyung@kernel.org>
+
+[ Upstream commit 2c589d933e54d183ee2a052971b730e423c62031 ]
+
+It was missed to add a swap function for PERF_RECORD_CGROUP.
+
+Fixes: ba78c1c5461c ("perf tools: Basic support for CGROUP event")
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Acked-by: Jiri Olsa <jolsa@redhat.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Stephane Eranian <eranian@google.com>
+Link: http://lore.kernel.org/lkml/20201102140228.303657-1-namhyung@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/session.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/tools/perf/util/session.c b/tools/perf/util/session.c
+index d20b16ee73772..098080287c687 100644
+--- a/tools/perf/util/session.c
++++ b/tools/perf/util/session.c
+@@ -711,6 +711,18 @@ static void perf_event__namespaces_swap(union perf_event *event,
+ swap_sample_id_all(event, &event->namespaces.link_info[i]);
+ }
+
++static void perf_event__cgroup_swap(union perf_event *event, bool sample_id_all)
++{
++ event->cgroup.id = bswap_64(event->cgroup.id);
++
++ if (sample_id_all) {
++ void *data = &event->cgroup.path;
++
++ data += PERF_ALIGN(strlen(data) + 1, sizeof(u64));
++ swap_sample_id_all(event, data);
++ }
++}
++
+ static u8 revbyte(u8 b)
+ {
+ int rev = (b >> 4) | ((b & 0xf) << 4);
+@@ -953,6 +965,7 @@ static perf_event__swap_op perf_event__swap_ops[] = {
+ [PERF_RECORD_SWITCH] = perf_event__switch_swap,
+ [PERF_RECORD_SWITCH_CPU_WIDE] = perf_event__switch_swap,
+ [PERF_RECORD_NAMESPACES] = perf_event__namespaces_swap,
++ [PERF_RECORD_CGROUP] = perf_event__cgroup_swap,
+ [PERF_RECORD_TEXT_POKE] = perf_event__text_poke_swap,
+ [PERF_RECORD_HEADER_ATTR] = perf_event__hdr_attr_swap,
+ [PERF_RECORD_HEADER_EVENT_TYPE] = perf_event__event_type_swap,
+--
+2.27.0
+
--- /dev/null
+From 633de747c6939e97205a83d2bf48316490394449 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Nov 2020 00:31:03 +0100
+Subject: perf tools: Add missing swap for ino_generation
+
+From: Jiri Olsa <jolsa@kernel.org>
+
+[ Upstream commit fe01adb72356a4e2f8735e4128af85921ca98fa1 ]
+
+We are missing swap for ino_generation field.
+
+Fixes: 5c5e854bc760 ("perf tools: Add attr->mmap2 support")
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Acked-by: Namhyung Kim <namhyung@kernel.org>
+Link: https://lore.kernel.org/r/20201101233103.3537427-2-jolsa@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/session.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/perf/util/session.c b/tools/perf/util/session.c
+index 7a5f03764702b..d20b16ee73772 100644
+--- a/tools/perf/util/session.c
++++ b/tools/perf/util/session.c
+@@ -595,6 +595,7 @@ static void perf_event__mmap2_swap(union perf_event *event,
+ event->mmap2.maj = bswap_32(event->mmap2.maj);
+ event->mmap2.min = bswap_32(event->mmap2.min);
+ event->mmap2.ino = bswap_64(event->mmap2.ino);
++ event->mmap2.ino_generation = bswap_64(event->mmap2.ino_generation);
+
+ if (sample_id_all) {
+ void *data = &event->mmap2.filename;
+--
+2.27.0
+
--- /dev/null
+From ce447a3b1adf6d52d377fc6b565ded78f4b31739 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Oct 2020 12:43:57 +0300
+Subject: perf trace: Fix segfault when trying to trace events by cgroup
+
+From: Stanislav Ivanichkin <sivanichkin@yandex-team.ru>
+
+[ Upstream commit a6293f36ac92ab513771a98efe486477be2f981f ]
+
+ # ./perf trace -e sched:sched_switch -G test -a sleep 1
+ perf: Segmentation fault
+ Obtained 11 stack frames.
+ ./perf(sighandler_dump_stack+0x43) [0x55cfdc636db3]
+ /lib/x86_64-linux-gnu/libc.so.6(+0x3efcf) [0x7fd23eecafcf]
+ ./perf(parse_cgroups+0x36) [0x55cfdc673f36]
+ ./perf(+0x3186ed) [0x55cfdc70d6ed]
+ ./perf(parse_options_subcommand+0x629) [0x55cfdc70e999]
+ ./perf(cmd_trace+0x9c2) [0x55cfdc5ad6d2]
+ ./perf(+0x1e8ae0) [0x55cfdc5ddae0]
+ ./perf(+0x1e8ded) [0x55cfdc5ddded]
+ ./perf(main+0x370) [0x55cfdc556f00]
+ /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xe6) [0x7fd23eeadb96]
+ ./perf(_start+0x29) [0x55cfdc557389]
+ Segmentation fault
+ #
+
+ It happens because "struct trace" in option->value is passed to the
+ parse_cgroups function instead of "struct evlist".
+
+Fixes: 9ea42ba4411ac ("perf trace: Support setting cgroups as targets")
+Signed-off-by: Stanislav Ivanichkin <sivanichkin@yandex-team.ru>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Acked-by: Namhyung Kim <namhyung@kernel.org>
+Cc: Dmitry Monakhov <dmtrmonakhov@yandex-team.ru>
+Link: http://lore.kernel.org/lkml/20201027094357.94881-1-sivanichkin@yandex-team.ru
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-trace.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c
+index 44a75f234db17..de80534473afa 100644
+--- a/tools/perf/builtin-trace.c
++++ b/tools/perf/builtin-trace.c
+@@ -4639,9 +4639,9 @@ do_concat:
+ err = 0;
+
+ if (lists[0]) {
+- struct option o = OPT_CALLBACK('e', "event", &trace->evlist, "event",
+- "event selector. use 'perf list' to list available events",
+- parse_events_option);
++ struct option o = {
++ .value = &trace->evlist,
++ };
+ err = parse_events_option(&o, lists[0], 0);
+ }
+ out:
+@@ -4655,9 +4655,12 @@ static int trace__parse_cgroups(const struct option *opt, const char *str, int u
+ {
+ struct trace *trace = opt->value;
+
+- if (!list_empty(&trace->evlist->core.entries))
+- return parse_cgroups(opt, str, unset);
+-
++ if (!list_empty(&trace->evlist->core.entries)) {
++ struct option o = {
++ .value = &trace->evlist,
++ };
++ return parse_cgroups(&o, str, unset);
++ }
+ trace->cgroup = evlist__findnew_cgroup(trace->evlist, str);
+
+ return 0;
+--
+2.27.0
+
--- /dev/null
+From 0311b13aa594f40bbc05ccadaac241fdec20726c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Oct 2020 11:27:17 -0400
+Subject: powerpc/eeh_cache: Fix a possible debugfs deadlock
+
+From: Qian Cai <cai@redhat.com>
+
+[ Upstream commit fd552e0542b4532483289cce48fdbd27b692984b ]
+
+Lockdep complains that a possible deadlock below in
+eeh_addr_cache_show() because it is acquiring a lock with IRQ enabled,
+but eeh_addr_cache_insert_dev() needs to acquire the same lock with IRQ
+disabled. Let's just make eeh_addr_cache_show() acquire the lock with
+IRQ disabled as well.
+
+ CPU0 CPU1
+ ---- ----
+ lock(&pci_io_addr_cache_root.piar_lock);
+ local_irq_disable();
+ lock(&tp->lock);
+ lock(&pci_io_addr_cache_root.piar_lock);
+ <Interrupt>
+ lock(&tp->lock);
+
+ *** DEADLOCK ***
+
+ lock_acquire+0x140/0x5f0
+ _raw_spin_lock_irqsave+0x64/0xb0
+ eeh_addr_cache_insert_dev+0x48/0x390
+ eeh_probe_device+0xb8/0x1a0
+ pnv_pcibios_bus_add_device+0x3c/0x80
+ pcibios_bus_add_device+0x118/0x290
+ pci_bus_add_device+0x28/0xe0
+ pci_bus_add_devices+0x54/0xb0
+ pcibios_init+0xc4/0x124
+ do_one_initcall+0xac/0x528
+ kernel_init_freeable+0x35c/0x3fc
+ kernel_init+0x24/0x148
+ ret_from_kernel_thread+0x5c/0x80
+
+ lock_acquire+0x140/0x5f0
+ _raw_spin_lock+0x4c/0x70
+ eeh_addr_cache_show+0x38/0x110
+ seq_read+0x1a0/0x660
+ vfs_read+0xc8/0x1f0
+ ksys_read+0x74/0x130
+ system_call_exception+0xf8/0x1d0
+ system_call_common+0xe8/0x218
+
+Fixes: 5ca85ae6318d ("powerpc/eeh_cache: Add a way to dump the EEH address cache")
+Signed-off-by: Qian Cai <cai@redhat.com>
+Reviewed-by: Oliver O'Halloran <oohall@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20201028152717.8967-1-cai@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/eeh_cache.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/kernel/eeh_cache.c b/arch/powerpc/kernel/eeh_cache.c
+index 6b50bf15d8c19..bf3270426d82d 100644
+--- a/arch/powerpc/kernel/eeh_cache.c
++++ b/arch/powerpc/kernel/eeh_cache.c
+@@ -264,8 +264,9 @@ static int eeh_addr_cache_show(struct seq_file *s, void *v)
+ {
+ struct pci_io_addr_range *piar;
+ struct rb_node *n;
++ unsigned long flags;
+
+- spin_lock(&pci_io_addr_cache_root.piar_lock);
++ spin_lock_irqsave(&pci_io_addr_cache_root.piar_lock, flags);
+ for (n = rb_first(&pci_io_addr_cache_root.rb_root); n; n = rb_next(n)) {
+ piar = rb_entry(n, struct pci_io_addr_range, rb_node);
+
+@@ -273,7 +274,7 @@ static int eeh_addr_cache_show(struct seq_file *s, void *v)
+ (piar->flags & IORESOURCE_IO) ? "i/o" : "mem",
+ &piar->addr_lo, &piar->addr_hi, pci_name(piar->pcidev));
+ }
+- spin_unlock(&pci_io_addr_cache_root.piar_lock);
++ spin_unlock_irqrestore(&pci_io_addr_cache_root.piar_lock, flags);
+
+ return 0;
+ }
+--
+2.27.0
+
--- /dev/null
+From 7cf00d16fe4cffcc645be7118f502d812d59d44a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Aug 2020 15:05:16 +0300
+Subject: RDMA/ucma: Fix error cases around ucma_alloc_ctx()
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+[ Upstream commit 620db1a1183d69cc49981ee59c9207e53befeae4 ]
+
+The store to ctx->cm_id was based on the idea that _ucma_find_context()
+would not return the ctx until it was fully setup.
+
+Without locking this doesn't work properly.
+
+Split things so that the xarray is allocated with NULL to reserve the ID
+and once everything is final set the cm_id and store.
+
+Along the way this shows that the error unwind in ucma_get_event() if a
+new ctx is created is wrong, fix it up.
+
+Link: https://lore.kernel.org/r/20200818120526.702120-5-leon@kernel.org
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/ucma.c | 68 +++++++++++++++++++++-------------
+ 1 file changed, 42 insertions(+), 26 deletions(-)
+
+diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
+index 6f42ff8f2ec57..45b3e9f76c3b2 100644
+--- a/drivers/infiniband/core/ucma.c
++++ b/drivers/infiniband/core/ucma.c
+@@ -130,6 +130,7 @@ static DEFINE_XARRAY_ALLOC(ctx_table);
+ static DEFINE_XARRAY_ALLOC(multicast_table);
+
+ static const struct file_operations ucma_fops;
++static int __destroy_id(struct ucma_context *ctx);
+
+ static inline struct ucma_context *_ucma_find_context(int id,
+ struct ucma_file *file)
+@@ -139,7 +140,7 @@ static inline struct ucma_context *_ucma_find_context(int id,
+ ctx = xa_load(&ctx_table, id);
+ if (!ctx)
+ ctx = ERR_PTR(-ENOENT);
+- else if (ctx->file != file || !ctx->cm_id)
++ else if (ctx->file != file)
+ ctx = ERR_PTR(-EINVAL);
+ return ctx;
+ }
+@@ -217,18 +218,23 @@ static struct ucma_context *ucma_alloc_ctx(struct ucma_file *file)
+ refcount_set(&ctx->ref, 1);
+ init_completion(&ctx->comp);
+ INIT_LIST_HEAD(&ctx->mc_list);
++ /* So list_del() will work if we don't do ucma_finish_ctx() */
++ INIT_LIST_HEAD(&ctx->list);
+ ctx->file = file;
+ mutex_init(&ctx->mutex);
+
+- if (xa_alloc(&ctx_table, &ctx->id, ctx, xa_limit_32b, GFP_KERNEL))
+- goto error;
+-
+- list_add_tail(&ctx->list, &file->ctx_list);
++ if (xa_alloc(&ctx_table, &ctx->id, NULL, xa_limit_32b, GFP_KERNEL)) {
++ kfree(ctx);
++ return NULL;
++ }
+ return ctx;
++}
+
+-error:
+- kfree(ctx);
+- return NULL;
++static void ucma_finish_ctx(struct ucma_context *ctx)
++{
++ lockdep_assert_held(&ctx->file->mut);
++ list_add_tail(&ctx->list, &ctx->file->ctx_list);
++ xa_store(&ctx_table, ctx->id, ctx, GFP_KERNEL);
+ }
+
+ static struct ucma_multicast* ucma_alloc_multicast(struct ucma_context *ctx)
+@@ -399,7 +405,7 @@ out:
+ static ssize_t ucma_get_event(struct ucma_file *file, const char __user *inbuf,
+ int in_len, int out_len)
+ {
+- struct ucma_context *ctx;
++ struct ucma_context *ctx = NULL;
+ struct rdma_ucm_get_event cmd;
+ struct ucma_event *uevent;
+ int ret = 0;
+@@ -429,33 +435,46 @@ static ssize_t ucma_get_event(struct ucma_file *file, const char __user *inbuf,
+ mutex_lock(&file->mut);
+ }
+
+- uevent = list_entry(file->event_list.next, struct ucma_event, list);
++ uevent = list_first_entry(&file->event_list, struct ucma_event, list);
+
+ if (uevent->resp.event == RDMA_CM_EVENT_CONNECT_REQUEST) {
+ ctx = ucma_alloc_ctx(file);
+ if (!ctx) {
+ ret = -ENOMEM;
+- goto done;
++ goto err_unlock;
+ }
+- uevent->ctx->backlog++;
+- ctx->cm_id = uevent->cm_id;
+- ctx->cm_id->context = ctx;
+ uevent->resp.id = ctx->id;
++ ctx->cm_id = uevent->cm_id;
+ }
+
+ if (copy_to_user(u64_to_user_ptr(cmd.response),
+ &uevent->resp,
+ min_t(size_t, out_len, sizeof(uevent->resp)))) {
+ ret = -EFAULT;
+- goto done;
++ goto err_ctx;
++ }
++
++ if (ctx) {
++ uevent->ctx->backlog++;
++ uevent->cm_id->context = ctx;
++ ucma_finish_ctx(ctx);
+ }
+
+ list_del(&uevent->list);
+ uevent->ctx->events_reported++;
+ if (uevent->mc)
+ uevent->mc->events_reported++;
++ mutex_unlock(&file->mut);
++
+ kfree(uevent);
+-done:
++ return 0;
++
++err_ctx:
++ if (ctx) {
++ xa_erase(&ctx_table, ctx->id);
++ kfree(ctx);
++ }
++err_unlock:
+ mutex_unlock(&file->mut);
+ return ret;
+ }
+@@ -498,9 +517,7 @@ static ssize_t ucma_create_id(struct ucma_file *file, const char __user *inbuf,
+ if (ret)
+ return ret;
+
+- mutex_lock(&file->mut);
+ ctx = ucma_alloc_ctx(file);
+- mutex_unlock(&file->mut);
+ if (!ctx)
+ return -ENOMEM;
+
+@@ -511,24 +528,23 @@ static ssize_t ucma_create_id(struct ucma_file *file, const char __user *inbuf,
+ ret = PTR_ERR(cm_id);
+ goto err1;
+ }
++ ctx->cm_id = cm_id;
+
+ resp.id = ctx->id;
+ if (copy_to_user(u64_to_user_ptr(cmd.response),
+ &resp, sizeof(resp))) {
+- ret = -EFAULT;
+- goto err2;
++ xa_erase(&ctx_table, ctx->id);
++ __destroy_id(ctx);
++ return -EFAULT;
+ }
+
+- ctx->cm_id = cm_id;
++ mutex_lock(&file->mut);
++ ucma_finish_ctx(ctx);
++ mutex_unlock(&file->mut);
+ return 0;
+
+-err2:
+- rdma_destroy_id(cm_id);
+ err1:
+ xa_erase(&ctx_table, ctx->id);
+- mutex_lock(&file->mut);
+- list_del(&ctx->list);
+- mutex_unlock(&file->mut);
+ kfree(ctx);
+ return ret;
+ }
+--
+2.27.0
+
--- /dev/null
+From 466d696117db97802e4c2b2745f7af9c259ac92a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Oct 2020 21:50:47 -0700
+Subject: RISC-V: Fix the VDSO symbol generaton for binutils-2.35+
+
+From: Palmer Dabbelt <palmerdabbelt@google.com>
+
+[ Upstream commit c2c81bb2f69138f902e1a58d3bef6ad97fb8a92c ]
+
+We were relying on GNU ld's ability to re-link executable files in order
+to extract our VDSO symbols. This behavior was deemed a bug as of
+binutils-2.35 (specifically the binutils-gdb commit a87e1817a4 ("Have
+the linker fail if any attempt to link in an executable is made."), but
+as that has been backported to at least Debian's binutils-2.34 in may
+manifest in other places.
+
+The previous version of this was a bit of a mess: we were linking a
+static executable version of the VDSO, containing only a subset of the
+input symbols, which we then linked into the kernel. This worked, but
+certainly wasn't a supported path through the toolchain. Instead this
+new version parses the textual output of nm to produce a symbol table.
+Both rely on near-zero addresses being linkable, but as we rely on weak
+undefined symbols being linkable elsewhere I don't view this as a major
+issue.
+
+Fixes: e2c0cdfba7f6 ("RISC-V: User-facing API")
+Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/kernel/vdso/.gitignore | 1 +
+ arch/riscv/kernel/vdso/Makefile | 18 +++++++++---------
+ arch/riscv/kernel/vdso/so2s.sh | 6 ++++++
+ 3 files changed, 16 insertions(+), 9 deletions(-)
+ create mode 100755 arch/riscv/kernel/vdso/so2s.sh
+
+diff --git a/arch/riscv/kernel/vdso/.gitignore b/arch/riscv/kernel/vdso/.gitignore
+index 11ebee9e4c1d6..3a19def868ecc 100644
+--- a/arch/riscv/kernel/vdso/.gitignore
++++ b/arch/riscv/kernel/vdso/.gitignore
+@@ -1,3 +1,4 @@
+ # SPDX-License-Identifier: GPL-2.0-only
+ vdso.lds
+ *.tmp
++vdso-syms.S
+diff --git a/arch/riscv/kernel/vdso/Makefile b/arch/riscv/kernel/vdso/Makefile
+index 7d6a94d45ec94..cb8f9e4cfcbf8 100644
+--- a/arch/riscv/kernel/vdso/Makefile
++++ b/arch/riscv/kernel/vdso/Makefile
+@@ -43,19 +43,14 @@ $(obj)/vdso.o: $(obj)/vdso.so
+ SYSCFLAGS_vdso.so.dbg = $(c_flags)
+ $(obj)/vdso.so.dbg: $(src)/vdso.lds $(obj-vdso) FORCE
+ $(call if_changed,vdsold)
++SYSCFLAGS_vdso.so.dbg = -shared -s -Wl,-soname=linux-vdso.so.1 \
++ -Wl,--build-id -Wl,--hash-style=both
+
+ # We also create a special relocatable object that should mirror the symbol
+ # table and layout of the linked DSO. With ld --just-symbols we can then
+ # refer to these symbols in the kernel code rather than hand-coded addresses.
+-
+-SYSCFLAGS_vdso.so.dbg = -shared -s -Wl,-soname=linux-vdso.so.1 \
+- -Wl,--build-id=sha1 -Wl,--hash-style=both
+-$(obj)/vdso-dummy.o: $(src)/vdso.lds $(obj)/rt_sigreturn.o FORCE
+- $(call if_changed,vdsold)
+-
+-LDFLAGS_vdso-syms.o := -r --just-symbols
+-$(obj)/vdso-syms.o: $(obj)/vdso-dummy.o FORCE
+- $(call if_changed,ld)
++$(obj)/vdso-syms.S: $(obj)/vdso.so FORCE
++ $(call if_changed,so2s)
+
+ # strip rule for the .so file
+ $(obj)/%.so: OBJCOPYFLAGS := -S
+@@ -73,6 +68,11 @@ quiet_cmd_vdsold = VDSOLD $@
+ $(patsubst %, -G __vdso_%, $(vdso-syms)) $@.tmp $@ && \
+ rm $@.tmp
+
++# Extracts symbol offsets from the VDSO, converting them into an assembly file
++# that contains the same symbols at the same offsets.
++quiet_cmd_so2s = SO2S $@
++ cmd_so2s = $(NM) -D $< | $(srctree)/$(src)/so2s.sh > $@
++
+ # install commands for the unstripped file
+ quiet_cmd_vdso_install = INSTALL $@
+ cmd_vdso_install = cp $(obj)/$@.dbg $(MODLIB)/vdso/$@
+diff --git a/arch/riscv/kernel/vdso/so2s.sh b/arch/riscv/kernel/vdso/so2s.sh
+new file mode 100755
+index 0000000000000..e64cb6d9440e7
+--- /dev/null
++++ b/arch/riscv/kernel/vdso/so2s.sh
+@@ -0,0 +1,6 @@
++#!/bin/sh
++# SPDX-License-Identifier: GPL-2.0+
++# Copyright 2020 Palmer Dabbelt <palmerdabbelt@google.com>
++
++sed 's!\([0-9a-f]*\) T \([a-z0-9_]*\)\(@@LINUX_4.15\)*!.global \2\n.set \2,0x\1!' \
++| grep '^\.'
+--
+2.27.0
+
--- /dev/null
+From 136e5e1c303e14f5b19bfa1093692f08e0166f34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Oct 2020 15:26:33 +0300
+Subject: selftests: binderfs: use SKIP instead of XFAIL
+
+From: Tommi Rantala <tommi.t.rantala@nokia.com>
+
+[ Upstream commit 7d764b685ee1bc73a9fa2b6cb4d42fa72b943145 ]
+
+XFAIL is gone since commit 9847d24af95c ("selftests/harness: Refactor XFAIL
+into SKIP"), use SKIP instead.
+
+Fixes: 9847d24af95c ("selftests/harness: Refactor XFAIL into SKIP")
+Signed-off-by: Tommi Rantala <tommi.t.rantala@nokia.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../selftests/filesystems/binderfs/binderfs_test.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/tools/testing/selftests/filesystems/binderfs/binderfs_test.c b/tools/testing/selftests/filesystems/binderfs/binderfs_test.c
+index 1d27f52c61e61..477cbb042f5ba 100644
+--- a/tools/testing/selftests/filesystems/binderfs/binderfs_test.c
++++ b/tools/testing/selftests/filesystems/binderfs/binderfs_test.c
+@@ -74,7 +74,7 @@ static int __do_binderfs_test(struct __test_metadata *_metadata)
+ ret = mount(NULL, binderfs_mntpt, "binder", 0, 0);
+ EXPECT_EQ(ret, 0) {
+ if (errno == ENODEV)
+- XFAIL(goto out, "binderfs missing");
++ SKIP(goto out, "binderfs missing");
+ TH_LOG("%s - Failed to mount binderfs", strerror(errno));
+ goto rmdir;
+ }
+@@ -475,10 +475,10 @@ TEST(binderfs_stress)
+ TEST(binderfs_test_privileged)
+ {
+ if (geteuid() != 0)
+- XFAIL(return, "Tests are not run as root. Skipping privileged tests");
++ SKIP(return, "Tests are not run as root. Skipping privileged tests");
+
+ if (__do_binderfs_test(_metadata))
+- XFAIL(return, "The Android binderfs filesystem is not available");
++ SKIP(return, "The Android binderfs filesystem is not available");
+ }
+
+ TEST(binderfs_test_unprivileged)
+@@ -511,7 +511,7 @@ TEST(binderfs_test_unprivileged)
+ ret = wait_for_pid(pid);
+ if (ret) {
+ if (ret == 2)
+- XFAIL(return, "The Android binderfs filesystem is not available");
++ SKIP(return, "The Android binderfs filesystem is not available");
+ ASSERT_EQ(ret, 0) {
+ TH_LOG("wait_for_pid() failed");
+ }
+--
+2.27.0
+
--- /dev/null
+From 88a10f8f8a2afb68a6aa4939d84b53b301194952 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Oct 2020 15:26:32 +0300
+Subject: selftests: clone3: use SKIP instead of XFAIL
+
+From: Tommi Rantala <tommi.t.rantala@nokia.com>
+
+[ Upstream commit afba8b0a2cc532b54eaf4254092f57bba5d7eb65 ]
+
+XFAIL is gone since commit 9847d24af95c ("selftests/harness: Refactor XFAIL
+into SKIP"), use SKIP instead.
+
+Fixes: 9847d24af95c ("selftests/harness: Refactor XFAIL into SKIP")
+Signed-off-by: Tommi Rantala <tommi.t.rantala@nokia.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/clone3/clone3_cap_checkpoint_restore.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/clone3/clone3_cap_checkpoint_restore.c b/tools/testing/selftests/clone3/clone3_cap_checkpoint_restore.c
+index 9562425aa0a90..614091de4c545 100644
+--- a/tools/testing/selftests/clone3/clone3_cap_checkpoint_restore.c
++++ b/tools/testing/selftests/clone3/clone3_cap_checkpoint_restore.c
+@@ -145,7 +145,7 @@ TEST(clone3_cap_checkpoint_restore)
+ test_clone3_supported();
+
+ EXPECT_EQ(getuid(), 0)
+- XFAIL(return, "Skipping all tests as non-root\n");
++ SKIP(return, "Skipping all tests as non-root");
+
+ memset(&set_tid, 0, sizeof(set_tid));
+
+--
+2.27.0
+
--- /dev/null
+From 46825b77cbae15b2f59d28e4a5b05d2a9ae4c989 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Oct 2020 15:26:31 +0300
+Subject: selftests: core: use SKIP instead of XFAIL in close_range_test.c
+
+From: Tommi Rantala <tommi.t.rantala@nokia.com>
+
+[ Upstream commit 1d44d0dd61b6121b49f25b731f2f7f605cb3c896 ]
+
+XFAIL is gone since commit 9847d24af95c ("selftests/harness: Refactor XFAIL
+into SKIP"), use SKIP instead.
+
+Fixes: 9847d24af95c ("selftests/harness: Refactor XFAIL into SKIP")
+Signed-off-by: Tommi Rantala <tommi.t.rantala@nokia.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/core/close_range_test.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/tools/testing/selftests/core/close_range_test.c b/tools/testing/selftests/core/close_range_test.c
+index c99b98b0d461f..575b391ddc78d 100644
+--- a/tools/testing/selftests/core/close_range_test.c
++++ b/tools/testing/selftests/core/close_range_test.c
+@@ -44,7 +44,7 @@ TEST(close_range)
+ fd = open("/dev/null", O_RDONLY | O_CLOEXEC);
+ ASSERT_GE(fd, 0) {
+ if (errno == ENOENT)
+- XFAIL(return, "Skipping test since /dev/null does not exist");
++ SKIP(return, "Skipping test since /dev/null does not exist");
+ }
+
+ open_fds[i] = fd;
+@@ -52,7 +52,7 @@ TEST(close_range)
+
+ EXPECT_EQ(-1, sys_close_range(open_fds[0], open_fds[100], -1)) {
+ if (errno == ENOSYS)
+- XFAIL(return, "close_range() syscall not supported");
++ SKIP(return, "close_range() syscall not supported");
+ }
+
+ EXPECT_EQ(0, sys_close_range(open_fds[0], open_fds[50], 0));
+@@ -108,7 +108,7 @@ TEST(close_range_unshare)
+ fd = open("/dev/null", O_RDONLY | O_CLOEXEC);
+ ASSERT_GE(fd, 0) {
+ if (errno == ENOENT)
+- XFAIL(return, "Skipping test since /dev/null does not exist");
++ SKIP(return, "Skipping test since /dev/null does not exist");
+ }
+
+ open_fds[i] = fd;
+@@ -197,7 +197,7 @@ TEST(close_range_unshare_capped)
+ fd = open("/dev/null", O_RDONLY | O_CLOEXEC);
+ ASSERT_GE(fd, 0) {
+ if (errno == ENOENT)
+- XFAIL(return, "Skipping test since /dev/null does not exist");
++ SKIP(return, "Skipping test since /dev/null does not exist");
+ }
+
+ open_fds[i] = fd;
+--
+2.27.0
+
--- /dev/null
+From 3892606be20bea6f1144b0c81836e9c555f0b53b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Oct 2020 15:26:21 +0300
+Subject: selftests: filter kselftest headers from command in lib.mk
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tommi Rantala <tommi.t.rantala@nokia.com>
+
+[ Upstream commit f825d3f7ed9305e7dd0a3e0a74673a4257d0cc53 ]
+
+Commit 1056d3d2c97e ("selftests: enforce local header dependency in
+lib.mk") added header dependency to the rule, but as the rule uses $^,
+the headers are added to the compiler command line.
+
+This can cause unexpected precompiled header files being generated when
+compilation fails:
+
+ $ echo { >> openat2_test.c
+
+ $ make
+ gcc -Wall -O2 -g -fsanitize=address -fsanitize=undefined openat2_test.c
+ tools/testing/selftests/kselftest_harness.h tools/testing/selftests/kselftest.h helpers.c
+ -o tools/testing/selftests/openat2/openat2_test
+ openat2_test.c:313:1: error: expected identifier or ‘(’ before ‘{’ token
+ 313 | {
+ | ^
+ make: *** [../lib.mk:140: tools/testing/selftests/openat2/openat2_test] Error 1
+
+ $ file openat2_test*
+ openat2_test: GCC precompiled header (version 014) for C
+ openat2_test.c: C source, ASCII text
+
+Fix it by filtering out the headers, so that we'll only pass the actual
+*.c files in the compiler command line.
+
+Fixes: 1056d3d2c97e ("selftests: enforce local header dependency in lib.mk")
+Signed-off-by: Tommi Rantala <tommi.t.rantala@nokia.com>
+Acked-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Christian Brauner <christian.brauner@ubuntu.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/lib.mk | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/lib.mk b/tools/testing/selftests/lib.mk
+index 7a17ea8157367..66f3317dc3654 100644
+--- a/tools/testing/selftests/lib.mk
++++ b/tools/testing/selftests/lib.mk
+@@ -137,7 +137,7 @@ endif
+ ifeq ($(OVERRIDE_TARGETS),)
+ LOCAL_HDRS := $(selfdir)/kselftest_harness.h $(selfdir)/kselftest.h
+ $(OUTPUT)/%:%.c $(LOCAL_HDRS)
+- $(LINK.c) $^ $(LDLIBS) -o $@
++ $(LINK.c) $(filter-out $(LOCAL_HDRS),$^) $(LDLIBS) -o $@
+
+ $(OUTPUT)/%.o:%.S
+ $(COMPILE.S) $^ -o $@
+--
+2.27.0
+
--- /dev/null
+drm-i915-hold-onto-an-explicit-ref-to-i915_vma_work..patch
+drm-i915-gem-flush-coherency-domains-on-first-set-do.patch
+mm-memcg-link-page-counters-to-root-if-use_hierarchy.patch
+rdma-ucma-fix-error-cases-around-ucma_alloc_ctx.patch
+nbd-don-t-update-block-size-after-device-is-started.patch
+kvm-arm64-force-pte-mapping-on-fault-resulting-in-a-.patch
+dm-raid-fix-discard-limits-for-raid1-and-raid10.patch
+xfrm-interface-fix-the-priorities-for-ipip-and-ipv6-.patch
+asoc-intel-kbl_rt5663_max98927-fix-kabylake_ssp_fixu.patch
+genirq-let-generic_irq_ipi-select-irq_domain_hierarc.patch
+hv_balloon-disable-warning-when-floor-reached.patch
+net-xfrm-fix-a-race-condition-during-allocing-spi.patch
+asoc-codecs-wsa881x-add-missing-stream-rates-and-for.patch
+spi-imx-fix-runtime-pm-support-for-config_pm.patch
+irqchip-sifive-plic-fix-broken-irq_set_affinity-call.patch
+kunit-fix-kunit.py-raw_output-option.patch
+kunit-don-t-fail-test-suites-if-one-of-them-is-empty.patch
+usb-gadget-fsl-fix-null-pointer-checking.patch
+selftests-filter-kselftest-headers-from-command-in-l.patch
+asoc-codecs-wcd934x-set-digital-gain-range-correctly.patch
+asoc-codecs-wcd9335-set-digital-gain-range-correctly.patch
+mtd-spi-nor-fix-address-width-on-flash-chips-16mb.patch
+xfs-set-xefi_discard-when-creating-a-deferred-agfl-f.patch
+mac80211-don-t-require-vht-elements-for-he-on-2.4-gh.patch
+netfilter-nftables-fix-netlink-report-logic-in-flowt.patch
+netfilter-use-actual-socket-sk-rather-than-skb-sk-wh.patch
+netfilter-nf_tables-missing-validation-from-the-abor.patch
+pci-always-enable-acs-even-if-no-acs-capability.patch
+netfilter-ipset-update-byte-and-packet-counters-rega.patch
+irqchip-sifive-plic-fix-chip_data-access-within-a-hi.patch
+powerpc-eeh_cache-fix-a-possible-debugfs-deadlock.patch
+drm-vc4-bo-add-a-managed-action-to-cleanup-the-cache.patch
+ib-srpt-fix-memory-leak-in-srpt_add_one.patch
+mm-memcontrol-correct-the-nr_anon_thps-counter-of-hi.patch
+drm-panfrost-rename-error-labels-in-device_init.patch
+drm-panfrost-move-devfreq_init-fini-in-device.patch
+drm-panfrost-fix-module-unload.patch
+perf-trace-fix-segfault-when-trying-to-trace-events-.patch
+perf-tools-add-missing-swap-for-ino_generation.patch
+perf-tools-add-missing-swap-for-cgroup-events.patch
+alsa-hda-prevent-undefined-shift-in-snd_hdac_ext_bus.patch
+iommu-vt-d-fix-sid-not-set-issue-in-intel_svm_bind_g.patch
+iommu-vt-d-fix-a-bug-for-pdp-check-in-prq_event_thre.patch
+afs-fix-warning-due-to-unadvanced-marshalling-pointe.patch
+afs-fix-incorrect-freeing-of-the-acl-passed-to-the-y.patch
+vfio-pci-implement-ioeventfd-thread-handler-for-cont.patch
+can-rx-offload-don-t-call-kfree_skb-from-irq-context.patch
+can-dev-can_get_echo_skb-prevent-call-to-kfree_skb-i.patch
+can-dev-__can_get_echo_skb-fix-real-payload-length-r.patch
+can-can_create_echo_skb-fix-echo-skb-generation-alwa.patch
+can-j1939-swap-addr-and-pgn-in-the-send-example.patch
+can-j1939-j1939_sk_bind-return-failure-if-netdev-is-.patch
+can-ti_hecc-ti_hecc_probe-add-missed-clk_disable_unp.patch
+can-xilinx_can-handle-failure-cases-of-pm_runtime_ge.patch
+can-peak_usb-add-range-checking-in-decode-operations.patch
+can-peak_usb-peak_usb_get_ts_time-fix-timestamp-wrap.patch
+can-peak_canfd-pucan_handle_can_rx-fix-echo-manageme.patch
+can-flexcan-remove-flexcan_quirk_disable_mecr-quirk-.patch
+can-flexcan-flexcan_remove-disable-wakeup-completely.patch
+xfs-flush-new-eof-page-on-truncate-to-avoid-post-eof.patch
+xfs-fix-missing-cow-blocks-writeback-conversion-retr.patch
+xfs-fix-scrub-flagging-rtinherit-even-if-there-is-no.patch
+io_uring-ensure-consistent-view-of-original-task-mm-.patch
+spi-fsl-dspi-fix-wrong-pointer-in-suspend-resume.patch
+pci-mvebu-fix-duplicate-resource-requests.patch
+ceph-check-session-state-after-bumping-session-s_seq.patch
+selftests-core-use-skip-instead-of-xfail-in-close_ra.patch
+selftests-clone3-use-skip-instead-of-xfail.patch
+selftests-binderfs-use-skip-instead-of-xfail.patch
+x86-speculation-allow-ibpb-to-be-conditionally-enabl.patch
+kbuild-explicitly-specify-the-build-id-style.patch
+risc-v-fix-the-vdso-symbol-generaton-for-binutils-2..patch
+usb-apple-mfi-fastcharge-fix-reference-leak-in-apple.patch
+tpm-efi-don-t-create-binary_bios_measurements-file-f.patch
--- /dev/null
+From 5a682944eeb3f1c606aa5c5b93da13f61d4602f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Nov 2020 10:05:46 +0800
+Subject: spi: fsl-dspi: fix wrong pointer in suspend/resume
+
+From: Zhao Qiang <qiang.zhao@nxp.com>
+
+[ Upstream commit 9bd77a9ce31dd242fece27219d14fbee5068dd85 ]
+
+Since commit 530b5affc675 ("spi: fsl-dspi: fix use-after-free in
+remove path"), this driver causes a "NULL pointer dereference"
+in dspi_suspend/resume.
+This is because since this commit, the drivers private data point to
+"dspi" instead of "ctlr", the codes in suspend and resume func were
+not modified correspondly.
+
+Fixes: 530b5affc675 ("spi: fsl-dspi: fix use-after-free in remove path")
+Signed-off-by: Zhao Qiang <qiang.zhao@nxp.com>
+Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
+Link: https://lore.kernel.org/r/20201103020546.1822-1-qiang.zhao@nxp.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-fsl-dspi.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/spi/spi-fsl-dspi.c b/drivers/spi/spi-fsl-dspi.c
+index 108a7d50d2c37..a96762ffb70b6 100644
+--- a/drivers/spi/spi-fsl-dspi.c
++++ b/drivers/spi/spi-fsl-dspi.c
+@@ -1106,12 +1106,11 @@ MODULE_DEVICE_TABLE(of, fsl_dspi_dt_ids);
+ #ifdef CONFIG_PM_SLEEP
+ static int dspi_suspend(struct device *dev)
+ {
+- struct spi_controller *ctlr = dev_get_drvdata(dev);
+- struct fsl_dspi *dspi = spi_controller_get_devdata(ctlr);
++ struct fsl_dspi *dspi = dev_get_drvdata(dev);
+
+ if (dspi->irq)
+ disable_irq(dspi->irq);
+- spi_controller_suspend(ctlr);
++ spi_controller_suspend(dspi->ctlr);
+ clk_disable_unprepare(dspi->clk);
+
+ pinctrl_pm_select_sleep_state(dev);
+@@ -1121,8 +1120,7 @@ static int dspi_suspend(struct device *dev)
+
+ static int dspi_resume(struct device *dev)
+ {
+- struct spi_controller *ctlr = dev_get_drvdata(dev);
+- struct fsl_dspi *dspi = spi_controller_get_devdata(ctlr);
++ struct fsl_dspi *dspi = dev_get_drvdata(dev);
+ int ret;
+
+ pinctrl_pm_select_default_state(dev);
+@@ -1130,7 +1128,7 @@ static int dspi_resume(struct device *dev)
+ ret = clk_prepare_enable(dspi->clk);
+ if (ret)
+ return ret;
+- spi_controller_resume(ctlr);
++ spi_controller_resume(dspi->ctlr);
+ if (dspi->irq)
+ enable_irq(dspi->irq);
+
+--
+2.27.0
+
--- /dev/null
+From ebf9fb3dbbbcf9b66cd578ab8da5cc2992fa15a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Oct 2020 12:45:13 +0200
+Subject: spi: imx: fix runtime pm support for !CONFIG_PM
+
+From: Sascha Hauer <s.hauer@pengutronix.de>
+
+[ Upstream commit 43b6bf406cd0319e522638f97c9086b7beebaeaa ]
+
+525c9e5a32bd introduced pm_runtime support for the i.MX SPI driver. With
+this pm_runtime is used to bring up the clocks initially. When CONFIG_PM
+is disabled the clocks are no longer enabled and the driver doesn't work
+anymore. Fix this by enabling the clocks in the probe function and
+telling pm_runtime that the device is active using
+pm_runtime_set_active().
+
+Fixes: 525c9e5a32bd spi: imx: enable runtime pm support
+Tested-by: Christian Eggers <ceggers@arri.de> [tested for !CONFIG_PM only]
+Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
+Link: https://lore.kernel.org/r/20201021104513.21560-1-s.hauer@pengutronix.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-imx.c | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c
+index e38e5ad3c7068..9aac515b718c8 100644
+--- a/drivers/spi/spi-imx.c
++++ b/drivers/spi/spi-imx.c
+@@ -1674,15 +1674,18 @@ static int spi_imx_probe(struct platform_device *pdev)
+ goto out_master_put;
+ }
+
+- pm_runtime_enable(spi_imx->dev);
++ ret = clk_prepare_enable(spi_imx->clk_per);
++ if (ret)
++ goto out_master_put;
++
++ ret = clk_prepare_enable(spi_imx->clk_ipg);
++ if (ret)
++ goto out_put_per;
++
+ pm_runtime_set_autosuspend_delay(spi_imx->dev, MXC_RPM_TIMEOUT);
+ pm_runtime_use_autosuspend(spi_imx->dev);
+-
+- ret = pm_runtime_get_sync(spi_imx->dev);
+- if (ret < 0) {
+- dev_err(spi_imx->dev, "failed to enable clock\n");
+- goto out_runtime_pm_put;
+- }
++ pm_runtime_set_active(spi_imx->dev);
++ pm_runtime_enable(spi_imx->dev);
+
+ spi_imx->spi_clk = clk_get_rate(spi_imx->clk_per);
+ /*
+@@ -1722,8 +1725,12 @@ out_bitbang_start:
+ spi_imx_sdma_exit(spi_imx);
+ out_runtime_pm_put:
+ pm_runtime_dont_use_autosuspend(spi_imx->dev);
+- pm_runtime_put_sync(spi_imx->dev);
++ pm_runtime_set_suspended(&pdev->dev);
+ pm_runtime_disable(spi_imx->dev);
++
++ clk_disable_unprepare(spi_imx->clk_ipg);
++out_put_per:
++ clk_disable_unprepare(spi_imx->clk_per);
+ out_master_put:
+ spi_master_put(master);
+
+--
+2.27.0
+
--- /dev/null
+From 558310d399b3b86e56aed221dd933dd4c799383f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Oct 2020 10:41:02 -0500
+Subject: tpm: efi: Don't create binary_bios_measurements file for an empty log
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tyler Hicks <tyhicks@linux.microsoft.com>
+
+[ Upstream commit 8ffd778aff45be760292225049e0141255d4ad6e ]
+
+Mimic the pre-existing ACPI and Device Tree event log behavior by not
+creating the binary_bios_measurements file when the EFI TPM event log is
+empty.
+
+This fixes the following NULL pointer dereference that can occur when
+reading /sys/kernel/security/tpm0/binary_bios_measurements after the
+kernel received an empty event log from the firmware:
+
+ BUG: kernel NULL pointer dereference, address: 000000000000002c
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: 0000 [#1] SMP PTI
+ CPU: 2 PID: 3932 Comm: fwupdtpmevlog Not tainted 5.9.0-00003-g629990edad62 #17
+ Hardware name: LENOVO 20LCS03L00/20LCS03L00, BIOS N27ET38W (1.24 ) 11/28/2019
+ RIP: 0010:tpm2_bios_measurements_start+0x3a/0x550
+ Code: 54 53 48 83 ec 68 48 8b 57 70 48 8b 1e 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 48 8b 82 c0 06 00 00 48 8b 8a c8 06 00 00 <44> 8b 60 1c 48 89 4d a0 4c 89 e2 49 83 c4 20 48 83 fb 00 75 2a 49
+ RSP: 0018:ffffa9c901203db0 EFLAGS: 00010246
+ RAX: 0000000000000010 RBX: 0000000000000000 RCX: 0000000000000010
+ RDX: ffff8ba1eb99c000 RSI: ffff8ba1e4ce8280 RDI: ffff8ba1e4ce8258
+ RBP: ffffa9c901203e40 R08: ffffa9c901203dd8 R09: ffff8ba1ec443300
+ R10: ffffa9c901203e50 R11: 0000000000000000 R12: ffff8ba1e4ce8280
+ R13: ffffa9c901203ef0 R14: ffffa9c901203ef0 R15: ffff8ba1e4ce8258
+ FS: 00007f6595460880(0000) GS:ffff8ba1ef880000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 000000000000002c CR3: 00000007d8d18003 CR4: 00000000003706e0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ Call Trace:
+ ? __kmalloc_node+0x113/0x320
+ ? kvmalloc_node+0x31/0x80
+ seq_read+0x94/0x420
+ vfs_read+0xa7/0x190
+ ksys_read+0xa7/0xe0
+ __x64_sys_read+0x1a/0x20
+ do_syscall_64+0x37/0x80
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+In this situation, the bios_event_log pointer in the tpm_bios_log struct
+was not NULL but was equal to the ZERO_SIZE_PTR (0x10) value. This was
+due to the following kmemdup() in tpm_read_log_efi():
+
+int tpm_read_log_efi(struct tpm_chip *chip)
+{
+...
+ /* malloc EventLog space */
+ log->bios_event_log = kmemdup(log_tbl->log, log_size, GFP_KERNEL);
+ if (!log->bios_event_log) {
+ ret = -ENOMEM;
+ goto out;
+ }
+...
+}
+
+When log_size is zero, due to an empty event log from firmware,
+ZERO_SIZE_PTR is returned from kmemdup(). Upon a read of the
+binary_bios_measurements file, the tpm2_bios_measurements_start()
+function does not perform a ZERO_OR_NULL_PTR() check on the
+bios_event_log pointer before dereferencing it.
+
+Rather than add a ZERO_OR_NULL_PTR() check in functions that make use of
+the bios_event_log pointer, simply avoid creating the
+binary_bios_measurements_file as is done in other event log retrieval
+backends.
+
+Explicitly ignore all of the events in the final event log when the main
+event log is empty. The list of events in the final event log cannot be
+accurately parsed without referring to the first event in the main event
+log (the event log header) so the final event log is useless in such a
+situation.
+
+Fixes: 58cc1e4faf10 ("tpm: parse TPM event logs based on EFI table")
+Link: https://lore.kernel.org/linux-integrity/E1FDCCCB-CA51-4AEE-AC83-9CDE995EAE52@canonical.com/
+Reported-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Reported-by: Kenneth R. Crudup <kenny@panix.com>
+Reported-by: Mimi Zohar <zohar@linux.ibm.com>
+Cc: Thiébaud Weksteen <tweek@google.com>
+Cc: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/tpm/eventlog/efi.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/char/tpm/eventlog/efi.c b/drivers/char/tpm/eventlog/efi.c
+index 6bb023de17f1f..35229e5143cac 100644
+--- a/drivers/char/tpm/eventlog/efi.c
++++ b/drivers/char/tpm/eventlog/efi.c
+@@ -41,6 +41,11 @@ int tpm_read_log_efi(struct tpm_chip *chip)
+ log_size = log_tbl->size;
+ memunmap(log_tbl);
+
++ if (!log_size) {
++ pr_warn("UEFI TPM log area empty\n");
++ return -EIO;
++ }
++
+ log_tbl = memremap(efi.tpm_log, sizeof(*log_tbl) + log_size,
+ MEMREMAP_WB);
+ if (!log_tbl) {
+--
+2.27.0
+
--- /dev/null
+From 6641a47aee2349af02dbc8501f62519b2de15ada Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Nov 2020 10:26:50 +0800
+Subject: USB: apple-mfi-fastcharge: fix reference leak in
+ apple_mfi_fc_set_property
+
+From: Zhang Qilong <zhangqilong3@huawei.com>
+
+[ Upstream commit 00bd6bca3fb1e98190a24eda2583062803c9e8b5 ]
+
+pm_runtime_get_sync() will increment pm usage at first and it
+will resume the device later. If runtime of the device has
+error or device is in inaccessible state(or other error state),
+resume operation will fail. If we do not call put operation to
+decrease the reference, the result is that this device cannot
+enter the idle state and always stay busy or other non-idle
+state.
+
+Fixes: 249fa8217b846 ("USB: Add driver to control USB fast charge for iOS devices")
+Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
+Link: https://lore.kernel.org/r/20201102022650.67115-1-zhangqilong3@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/misc/apple-mfi-fastcharge.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/misc/apple-mfi-fastcharge.c b/drivers/usb/misc/apple-mfi-fastcharge.c
+index 579d8c84de42c..9de0171b51776 100644
+--- a/drivers/usb/misc/apple-mfi-fastcharge.c
++++ b/drivers/usb/misc/apple-mfi-fastcharge.c
+@@ -120,8 +120,10 @@ static int apple_mfi_fc_set_property(struct power_supply *psy,
+ dev_dbg(&mfi->udev->dev, "prop: %d\n", psp);
+
+ ret = pm_runtime_get_sync(&mfi->udev->dev);
+- if (ret < 0)
++ if (ret < 0) {
++ pm_runtime_put_noidle(&mfi->udev->dev);
+ return ret;
++ }
+
+ switch (psp) {
+ case POWER_SUPPLY_PROP_CHARGE_TYPE:
+--
+2.27.0
+
--- /dev/null
+From 90648ddb3f7f59eb7dcbc1330221759cc8782258 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Oct 2020 12:33:26 +0800
+Subject: usb: gadget: fsl: fix null pointer checking
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ran Wang <ran.wang_1@nxp.com>
+
+[ Upstream commit 48e7bbbbb261b007fe78aa14ae62df01d236497e ]
+
+fsl_ep_fifo_status() should return error if _ep->desc is null.
+
+Fixes: 75eaa498c99e (“usb: gadget: Correct NULL pointer checking in fsl gadget”)
+Reviewed-by: Peter Chen <peter.chen@nxp.com>
+Signed-off-by: Ran Wang <ran.wang_1@nxp.com>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/fsl_udc_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/udc/fsl_udc_core.c b/drivers/usb/gadget/udc/fsl_udc_core.c
+index a6f7b2594c090..c0cb007b749ff 100644
+--- a/drivers/usb/gadget/udc/fsl_udc_core.c
++++ b/drivers/usb/gadget/udc/fsl_udc_core.c
+@@ -1051,7 +1051,7 @@ static int fsl_ep_fifo_status(struct usb_ep *_ep)
+ u32 bitmask;
+ struct ep_queue_head *qh;
+
+- if (!_ep || _ep->desc || !(_ep->desc->bEndpointAddress&0xF))
++ if (!_ep || !_ep->desc || !(_ep->desc->bEndpointAddress&0xF))
+ return -ENODEV;
+
+ ep = container_of(_ep, struct fsl_ep, ep);
+--
+2.27.0
+
--- /dev/null
+From ef3bbb2d3a2ef48c5d4280b619a63bf796d613f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Nov 2020 15:02:00 -0700
+Subject: vfio/pci: Implement ioeventfd thread handler for contended memory
+ lock
+
+From: Alex Williamson <alex.williamson@redhat.com>
+
+[ Upstream commit 38565c93c8a1306dc5f245572a545fbea908ac41 ]
+
+The ioeventfd is called under spinlock with interrupts disabled,
+therefore if the memory lock is contended defer code that might
+sleep to a thread context.
+
+Fixes: bc93b9ae0151 ("vfio-pci: Avoid recursive read-lock usage")
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=209253#c1
+Reported-by: Ian Pilcher <arequipeno@gmail.com>
+Tested-by: Ian Pilcher <arequipeno@gmail.com>
+Tested-by: Justin Gatzen <justin.gatzen@gmail.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/pci/vfio_pci_rdwr.c | 43 ++++++++++++++++++++++++++------
+ 1 file changed, 35 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/vfio/pci/vfio_pci_rdwr.c b/drivers/vfio/pci/vfio_pci_rdwr.c
+index 9e353c484ace2..a0b5fc8e46f4d 100644
+--- a/drivers/vfio/pci/vfio_pci_rdwr.c
++++ b/drivers/vfio/pci/vfio_pci_rdwr.c
+@@ -356,34 +356,60 @@ ssize_t vfio_pci_vga_rw(struct vfio_pci_device *vdev, char __user *buf,
+ return done;
+ }
+
+-static int vfio_pci_ioeventfd_handler(void *opaque, void *unused)
++static void vfio_pci_ioeventfd_do_write(struct vfio_pci_ioeventfd *ioeventfd,
++ bool test_mem)
+ {
+- struct vfio_pci_ioeventfd *ioeventfd = opaque;
+-
+ switch (ioeventfd->count) {
+ case 1:
+- vfio_pci_iowrite8(ioeventfd->vdev, ioeventfd->test_mem,
++ vfio_pci_iowrite8(ioeventfd->vdev, test_mem,
+ ioeventfd->data, ioeventfd->addr);
+ break;
+ case 2:
+- vfio_pci_iowrite16(ioeventfd->vdev, ioeventfd->test_mem,
++ vfio_pci_iowrite16(ioeventfd->vdev, test_mem,
+ ioeventfd->data, ioeventfd->addr);
+ break;
+ case 4:
+- vfio_pci_iowrite32(ioeventfd->vdev, ioeventfd->test_mem,
++ vfio_pci_iowrite32(ioeventfd->vdev, test_mem,
+ ioeventfd->data, ioeventfd->addr);
+ break;
+ #ifdef iowrite64
+ case 8:
+- vfio_pci_iowrite64(ioeventfd->vdev, ioeventfd->test_mem,
++ vfio_pci_iowrite64(ioeventfd->vdev, test_mem,
+ ioeventfd->data, ioeventfd->addr);
+ break;
+ #endif
+ }
++}
++
++static int vfio_pci_ioeventfd_handler(void *opaque, void *unused)
++{
++ struct vfio_pci_ioeventfd *ioeventfd = opaque;
++ struct vfio_pci_device *vdev = ioeventfd->vdev;
++
++ if (ioeventfd->test_mem) {
++ if (!down_read_trylock(&vdev->memory_lock))
++ return 1; /* Lock contended, use thread */
++ if (!__vfio_pci_memory_enabled(vdev)) {
++ up_read(&vdev->memory_lock);
++ return 0;
++ }
++ }
++
++ vfio_pci_ioeventfd_do_write(ioeventfd, false);
++
++ if (ioeventfd->test_mem)
++ up_read(&vdev->memory_lock);
+
+ return 0;
+ }
+
++static void vfio_pci_ioeventfd_thread(void *opaque, void *unused)
++{
++ struct vfio_pci_ioeventfd *ioeventfd = opaque;
++
++ vfio_pci_ioeventfd_do_write(ioeventfd, ioeventfd->test_mem);
++}
++
+ long vfio_pci_ioeventfd(struct vfio_pci_device *vdev, loff_t offset,
+ uint64_t data, int count, int fd)
+ {
+@@ -457,7 +483,8 @@ long vfio_pci_ioeventfd(struct vfio_pci_device *vdev, loff_t offset,
+ ioeventfd->test_mem = vdev->pdev->resource[bar].flags & IORESOURCE_MEM;
+
+ ret = vfio_virqfd_enable(ioeventfd, vfio_pci_ioeventfd_handler,
+- NULL, NULL, &ioeventfd->virqfd, fd);
++ vfio_pci_ioeventfd_thread, NULL,
++ &ioeventfd->virqfd, fd);
+ if (ret) {
+ kfree(ioeventfd);
+ goto out_unlock;
+--
+2.27.0
+
--- /dev/null
+From 9fa98c9d7b16c30f06d59f4a782052e49db8aec9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Nov 2020 16:33:04 +1100
+Subject: x86/speculation: Allow IBPB to be conditionally enabled on CPUs with
+ always-on STIBP
+
+From: Anand K Mistry <amistry@google.com>
+
+[ Upstream commit 1978b3a53a74e3230cd46932b149c6e62e832e9a ]
+
+On AMD CPUs which have the feature X86_FEATURE_AMD_STIBP_ALWAYS_ON,
+STIBP is set to on and
+
+ spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED
+
+At the same time, IBPB can be set to conditional.
+
+However, this leads to the case where it's impossible to turn on IBPB
+for a process because in the PR_SPEC_DISABLE case in ib_prctl_set() the
+
+ spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED
+
+condition leads to a return before the task flag is set. Similarly,
+ib_prctl_get() will return PR_SPEC_DISABLE even though IBPB is set to
+conditional.
+
+More generally, the following cases are possible:
+
+1. STIBP = conditional && IBPB = on for spectre_v2_user=seccomp,ibpb
+2. STIBP = on && IBPB = conditional for AMD CPUs with
+ X86_FEATURE_AMD_STIBP_ALWAYS_ON
+
+The first case functions correctly today, but only because
+spectre_v2_user_ibpb isn't updated to reflect the IBPB mode.
+
+At a high level, this change does one thing. If either STIBP or IBPB
+is set to conditional, allow the prctl to change the task flag.
+Also, reflect that capability when querying the state. This isn't
+perfect since it doesn't take into account if only STIBP or IBPB is
+unconditionally on. But it allows the conditional feature to work as
+expected, without affecting the unconditional one.
+
+ [ bp: Massage commit message and comment; space out statements for
+ better readability. ]
+
+Fixes: 21998a351512 ("x86/speculation: Avoid force-disabling IBPB based on STIBP and enhanced IBRS.")
+Signed-off-by: Anand K Mistry <amistry@google.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Acked-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Tom Lendacky <thomas.lendacky@amd.com>
+Link: https://lkml.kernel.org/r/20201105163246.v2.1.Ifd7243cd3e2c2206a893ad0a5b9a4f19549e22c6@changeid
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/bugs.c | 51 ++++++++++++++++++++++++--------------
+ 1 file changed, 33 insertions(+), 18 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
+index d3f0db463f96a..581fb7223ad0e 100644
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -1254,6 +1254,14 @@ static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl)
+ return 0;
+ }
+
++static bool is_spec_ib_user_controlled(void)
++{
++ return spectre_v2_user_ibpb == SPECTRE_V2_USER_PRCTL ||
++ spectre_v2_user_ibpb == SPECTRE_V2_USER_SECCOMP ||
++ spectre_v2_user_stibp == SPECTRE_V2_USER_PRCTL ||
++ spectre_v2_user_stibp == SPECTRE_V2_USER_SECCOMP;
++}
++
+ static int ib_prctl_set(struct task_struct *task, unsigned long ctrl)
+ {
+ switch (ctrl) {
+@@ -1261,16 +1269,26 @@ static int ib_prctl_set(struct task_struct *task, unsigned long ctrl)
+ if (spectre_v2_user_ibpb == SPECTRE_V2_USER_NONE &&
+ spectre_v2_user_stibp == SPECTRE_V2_USER_NONE)
+ return 0;
++
+ /*
+- * Indirect branch speculation is always disabled in strict
+- * mode. It can neither be enabled if it was force-disabled
+- * by a previous prctl call.
++ * With strict mode for both IBPB and STIBP, the instruction
++ * code paths avoid checking this task flag and instead,
++ * unconditionally run the instruction. However, STIBP and IBPB
++ * are independent and either can be set to conditionally
++ * enabled regardless of the mode of the other.
++ *
++ * If either is set to conditional, allow the task flag to be
++ * updated, unless it was force-disabled by a previous prctl
++ * call. Currently, this is possible on an AMD CPU which has the
++ * feature X86_FEATURE_AMD_STIBP_ALWAYS_ON. In this case, if the
++ * kernel is booted with 'spectre_v2_user=seccomp', then
++ * spectre_v2_user_ibpb == SPECTRE_V2_USER_SECCOMP and
++ * spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED.
+ */
+- if (spectre_v2_user_ibpb == SPECTRE_V2_USER_STRICT ||
+- spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT ||
+- spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED ||
++ if (!is_spec_ib_user_controlled() ||
+ task_spec_ib_force_disable(task))
+ return -EPERM;
++
+ task_clear_spec_ib_disable(task);
+ task_update_spec_tif(task);
+ break;
+@@ -1283,10 +1301,10 @@ static int ib_prctl_set(struct task_struct *task, unsigned long ctrl)
+ if (spectre_v2_user_ibpb == SPECTRE_V2_USER_NONE &&
+ spectre_v2_user_stibp == SPECTRE_V2_USER_NONE)
+ return -EPERM;
+- if (spectre_v2_user_ibpb == SPECTRE_V2_USER_STRICT ||
+- spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT ||
+- spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED)
++
++ if (!is_spec_ib_user_controlled())
+ return 0;
++
+ task_set_spec_ib_disable(task);
+ if (ctrl == PR_SPEC_FORCE_DISABLE)
+ task_set_spec_ib_force_disable(task);
+@@ -1351,20 +1369,17 @@ static int ib_prctl_get(struct task_struct *task)
+ if (spectre_v2_user_ibpb == SPECTRE_V2_USER_NONE &&
+ spectre_v2_user_stibp == SPECTRE_V2_USER_NONE)
+ return PR_SPEC_ENABLE;
+- else if (spectre_v2_user_ibpb == SPECTRE_V2_USER_STRICT ||
+- spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT ||
+- spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED)
+- return PR_SPEC_DISABLE;
+- else if (spectre_v2_user_ibpb == SPECTRE_V2_USER_PRCTL ||
+- spectre_v2_user_ibpb == SPECTRE_V2_USER_SECCOMP ||
+- spectre_v2_user_stibp == SPECTRE_V2_USER_PRCTL ||
+- spectre_v2_user_stibp == SPECTRE_V2_USER_SECCOMP) {
++ else if (is_spec_ib_user_controlled()) {
+ if (task_spec_ib_force_disable(task))
+ return PR_SPEC_PRCTL | PR_SPEC_FORCE_DISABLE;
+ if (task_spec_ib_disable(task))
+ return PR_SPEC_PRCTL | PR_SPEC_DISABLE;
+ return PR_SPEC_PRCTL | PR_SPEC_ENABLE;
+- } else
++ } else if (spectre_v2_user_ibpb == SPECTRE_V2_USER_STRICT ||
++ spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT ||
++ spectre_v2_user_stibp == SPECTRE_V2_USER_STRICT_PREFERRED)
++ return PR_SPEC_DISABLE;
++ else
+ return PR_SPEC_NOT_AFFECTED;
+ }
+
+--
+2.27.0
+
--- /dev/null
+From 8c18562e3e4a54a66866e3ac13bd111616864af2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Oct 2020 16:13:24 +0800
+Subject: xfrm: interface: fix the priorities for ipip and ipv6 tunnels
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 7fe94612dd4cfcd35fe0ec87745fb31ad2be71f8 ]
+
+As Nicolas noticed in his case, when xfrm_interface module is installed
+the standard IP tunnels will break in receiving packets.
+
+This is caused by the IP tunnel handlers with a higher priority in xfrm
+interface processing incoming packets by xfrm_input(), which would drop
+the packets and return 0 instead when anything wrong happens.
+
+Rather than changing xfrm_input(), this patch is to adjust the priority
+for the IP tunnel handlers in xfrm interface, so that the packets would
+go to xfrmi's later than the others', as the others' would not drop the
+packets when the handlers couldn't process them.
+
+Note that IPCOMP also defines its own IPIP tunnel handler and it calls
+xfrm_input() as well, so we must make its priority lower than xfrmi's,
+which means having xfrmi loaded would still break IPCOMP. We may seek
+another way to fix it in xfrm_input() in the future.
+
+Reported-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Tested-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Fixes: da9bbf0598c9 ("xfrm: interface: support IPIP and IPIP6 tunnels processing with .cb_handler")
+FIxes: d7b360c2869f ("xfrm: interface: support IP6IP6 and IP6IP tunnels processing with .cb_handler")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/xfrm4_tunnel.c | 4 ++--
+ net/ipv6/xfrm6_tunnel.c | 4 ++--
+ net/xfrm/xfrm_interface.c | 8 ++++----
+ 3 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/net/ipv4/xfrm4_tunnel.c b/net/ipv4/xfrm4_tunnel.c
+index dc19aff7c2e00..fb0648e7fb32f 100644
+--- a/net/ipv4/xfrm4_tunnel.c
++++ b/net/ipv4/xfrm4_tunnel.c
+@@ -64,14 +64,14 @@ static int xfrm_tunnel_err(struct sk_buff *skb, u32 info)
+ static struct xfrm_tunnel xfrm_tunnel_handler __read_mostly = {
+ .handler = xfrm_tunnel_rcv,
+ .err_handler = xfrm_tunnel_err,
+- .priority = 3,
++ .priority = 4,
+ };
+
+ #if IS_ENABLED(CONFIG_IPV6)
+ static struct xfrm_tunnel xfrm64_tunnel_handler __read_mostly = {
+ .handler = xfrm_tunnel_rcv,
+ .err_handler = xfrm_tunnel_err,
+- .priority = 2,
++ .priority = 3,
+ };
+ #endif
+
+diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c
+index 25b7ebda2fabf..f696d46e69100 100644
+--- a/net/ipv6/xfrm6_tunnel.c
++++ b/net/ipv6/xfrm6_tunnel.c
+@@ -303,13 +303,13 @@ static const struct xfrm_type xfrm6_tunnel_type = {
+ static struct xfrm6_tunnel xfrm6_tunnel_handler __read_mostly = {
+ .handler = xfrm6_tunnel_rcv,
+ .err_handler = xfrm6_tunnel_err,
+- .priority = 2,
++ .priority = 3,
+ };
+
+ static struct xfrm6_tunnel xfrm46_tunnel_handler __read_mostly = {
+ .handler = xfrm6_tunnel_rcv,
+ .err_handler = xfrm6_tunnel_err,
+- .priority = 2,
++ .priority = 3,
+ };
+
+ static int __net_init xfrm6_tunnel_net_init(struct net *net)
+diff --git a/net/xfrm/xfrm_interface.c b/net/xfrm/xfrm_interface.c
+index a8f66112c52b4..0bb7963b9f6bc 100644
+--- a/net/xfrm/xfrm_interface.c
++++ b/net/xfrm/xfrm_interface.c
+@@ -830,14 +830,14 @@ static struct xfrm6_tunnel xfrmi_ipv6_handler __read_mostly = {
+ .handler = xfrmi6_rcv_tunnel,
+ .cb_handler = xfrmi_rcv_cb,
+ .err_handler = xfrmi6_err,
+- .priority = -1,
++ .priority = 2,
+ };
+
+ static struct xfrm6_tunnel xfrmi_ip6ip_handler __read_mostly = {
+ .handler = xfrmi6_rcv_tunnel,
+ .cb_handler = xfrmi_rcv_cb,
+ .err_handler = xfrmi6_err,
+- .priority = -1,
++ .priority = 2,
+ };
+ #endif
+
+@@ -875,14 +875,14 @@ static struct xfrm_tunnel xfrmi_ipip_handler __read_mostly = {
+ .handler = xfrmi4_rcv_tunnel,
+ .cb_handler = xfrmi_rcv_cb,
+ .err_handler = xfrmi4_err,
+- .priority = -1,
++ .priority = 3,
+ };
+
+ static struct xfrm_tunnel xfrmi_ipip6_handler __read_mostly = {
+ .handler = xfrmi4_rcv_tunnel,
+ .cb_handler = xfrmi_rcv_cb,
+ .err_handler = xfrmi4_err,
+- .priority = -1,
++ .priority = 2,
+ };
+ #endif
+
+--
+2.27.0
+
--- /dev/null
+From 2eb13dd8159ae8a5ccdfbccb9c353f3920a9057a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Nov 2020 17:14:06 -0800
+Subject: xfs: fix missing CoW blocks writeback conversion retry
+
+From: Darrick J. Wong <darrick.wong@oracle.com>
+
+[ Upstream commit c2f09217a4305478c55adc9a98692488dd19cd32 ]
+
+In commit 7588cbeec6df, we tried to fix a race stemming from the lack of
+coordination between higher level code that wants to allocate and remap
+CoW fork extents into the data fork. Christoph cites as examples the
+always_cow mode, and a directio write completion racing with writeback.
+
+According to the comments before the goto retry, we want to restart the
+lookup to catch the extent in the data fork, but we don't actually reset
+whichfork or cow_fsb, which means the second try executes using stale
+information. Up until now I think we've gotten lucky that either
+there's something left in the CoW fork to cause cow_fsb to be reset, or
+either data/cow fork sequence numbers have advanced enough to force a
+fresh lookup from the data fork. However, if we reach the retry with an
+empty stable CoW fork and a stable data fork, neither of those things
+happens. The retry foolishly re-calls xfs_convert_blocks on the CoW
+fork which fails again. This time, we toss the write.
+
+I've recently been working on extending reflink to the realtime device.
+When the realtime extent size is larger than a single block, we have to
+force the page cache to CoW the entire rt extent if a write (or
+fallocate) are not aligned with the rt extent size. The strategy I've
+chosen to deal with this is derived from Dave's blocksize > pagesize
+series: dirtying around the write range, and ensuring that writeback
+always starts mapping on an rt extent boundary. This has brought this
+race front and center, since generic/522 blows up immediately.
+
+However, I'm pretty sure this is a bug outright, independent of that.
+
+Fixes: 7588cbeec6df ("xfs: retry COW fork delalloc conversion when no extent was found")
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/xfs/xfs_aops.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/xfs/xfs_aops.c b/fs/xfs/xfs_aops.c
+index b35611882ff9c..e4210779cd79e 100644
+--- a/fs/xfs/xfs_aops.c
++++ b/fs/xfs/xfs_aops.c
+@@ -346,8 +346,8 @@ xfs_map_blocks(
+ ssize_t count = i_blocksize(inode);
+ xfs_fileoff_t offset_fsb = XFS_B_TO_FSBT(mp, offset);
+ xfs_fileoff_t end_fsb = XFS_B_TO_FSB(mp, offset + count);
+- xfs_fileoff_t cow_fsb = NULLFILEOFF;
+- int whichfork = XFS_DATA_FORK;
++ xfs_fileoff_t cow_fsb;
++ int whichfork;
+ struct xfs_bmbt_irec imap;
+ struct xfs_iext_cursor icur;
+ int retries = 0;
+@@ -381,6 +381,8 @@ xfs_map_blocks(
+ * landed in a hole and we skip the block.
+ */
+ retry:
++ cow_fsb = NULLFILEOFF;
++ whichfork = XFS_DATA_FORK;
+ xfs_ilock(ip, XFS_ILOCK_SHARED);
+ ASSERT(ip->i_df.if_format != XFS_DINODE_FMT_BTREE ||
+ (ip->i_df.if_flags & XFS_IFEXTENTS));
+--
+2.27.0
+
--- /dev/null
+From 23097d9884840590461d8c241aa35e83c26f3254 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Nov 2020 17:14:07 -0800
+Subject: xfs: fix scrub flagging rtinherit even if there is no rt device
+
+From: Darrick J. Wong <darrick.wong@oracle.com>
+
+[ Upstream commit c1f6b1ac00756a7108e5fcb849a2f8230c0b62a5 ]
+
+The kernel has always allowed directories to have the rtinherit flag
+set, even if there is no rt device, so this check is wrong.
+
+Fixes: 80e4e1268802 ("xfs: scrub inodes")
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/xfs/scrub/inode.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/fs/xfs/scrub/inode.c b/fs/xfs/scrub/inode.c
+index 6d483ab29e639..1bea029b634a6 100644
+--- a/fs/xfs/scrub/inode.c
++++ b/fs/xfs/scrub/inode.c
+@@ -121,8 +121,7 @@ xchk_inode_flags(
+ goto bad;
+
+ /* rt flags require rt device */
+- if ((flags & (XFS_DIFLAG_REALTIME | XFS_DIFLAG_RTINHERIT)) &&
+- !mp->m_rtdev_targp)
++ if ((flags & XFS_DIFLAG_REALTIME) && !mp->m_rtdev_targp)
+ goto bad;
+
+ /* new rt bitmap flag only valid for rbmino */
+--
+2.27.0
+
--- /dev/null
+From 2a8a108c4f863fe03c8766595dd25627ef1c5f4b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Oct 2020 14:30:48 -0700
+Subject: xfs: flush new eof page on truncate to avoid post-eof corruption
+
+From: Brian Foster <bfoster@redhat.com>
+
+[ Upstream commit 869ae85dae64b5540e4362d7fe4cd520e10ec05c ]
+
+It is possible to expose non-zeroed post-EOF data in XFS if the new
+EOF page is dirty, backed by an unwritten block and the truncate
+happens to race with writeback. iomap_truncate_page() will not zero
+the post-EOF portion of the page if the underlying block is
+unwritten. The subsequent call to truncate_setsize() will, but
+doesn't dirty the page. Therefore, if writeback happens to complete
+after iomap_truncate_page() (so it still sees the unwritten block)
+but before truncate_setsize(), the cached page becomes inconsistent
+with the on-disk block. A mapped read after the associated page is
+reclaimed or invalidated exposes non-zero post-EOF data.
+
+For example, consider the following sequence when run on a kernel
+modified to explicitly flush the new EOF page within the race
+window:
+
+$ xfs_io -fc "falloc 0 4k" -c fsync /mnt/file
+$ xfs_io -c "pwrite 0 4k" -c "truncate 1k" /mnt/file
+ ...
+$ xfs_io -c "mmap 0 4k" -c "mread -v 1k 8" /mnt/file
+00000400: 00 00 00 00 00 00 00 00 ........
+$ umount /mnt/; mount <dev> /mnt/
+$ xfs_io -c "mmap 0 4k" -c "mread -v 1k 8" /mnt/file
+00000400: cd cd cd cd cd cd cd cd ........
+
+Update xfs_setattr_size() to explicitly flush the new EOF page prior
+to the page truncate to ensure iomap has the latest state of the
+underlying block.
+
+Fixes: 68a9f5e7007c ("xfs: implement iomap based buffered write path")
+Signed-off-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/xfs/xfs_iops.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c
+index 80a13c8561d85..bf93a7152181c 100644
+--- a/fs/xfs/xfs_iops.c
++++ b/fs/xfs/xfs_iops.c
+@@ -911,6 +911,16 @@ xfs_setattr_size(
+ error = iomap_zero_range(inode, oldsize, newsize - oldsize,
+ &did_zeroing, &xfs_buffered_write_iomap_ops);
+ } else {
++ /*
++ * iomap won't detect a dirty page over an unwritten block (or a
++ * cow block over a hole) and subsequently skips zeroing the
++ * newly post-EOF portion of the page. Flush the new EOF to
++ * convert the block before the pagecache truncate.
++ */
++ error = filemap_write_and_wait_range(inode->i_mapping, newsize,
++ newsize);
++ if (error)
++ return error;
+ error = iomap_truncate_page(inode, newsize, &did_zeroing,
+ &xfs_buffered_write_iomap_ops);
+ }
+--
+2.27.0
+
--- /dev/null
+From 7d092328e4b3c551753675b00f7c910c3636f577 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Oct 2020 15:19:38 -0700
+Subject: xfs: set xefi_discard when creating a deferred agfl free log intent
+ item
+
+From: Darrick J. Wong <darrick.wong@oracle.com>
+
+[ Upstream commit 2c334e12f957cd8c6bb66b4aa3f79848b7c33cab ]
+
+Make sure that we actually initialize xefi_discard when we're scheduling
+a deferred free of an AGFL block. This was (eventually) found by the
+UBSAN while I was banging on realtime rmap problems, but it exists in
+the upstream codebase. While we're at it, rearrange the structure to
+reduce the struct size from 64 to 56 bytes.
+
+Fixes: fcb762f5de2e ("xfs: add bmapi nodiscard flag")
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/xfs/libxfs/xfs_alloc.c | 1 +
+ fs/xfs/libxfs/xfs_bmap.h | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/xfs/libxfs/xfs_alloc.c b/fs/xfs/libxfs/xfs_alloc.c
+index 852b536551b53..15640015be9d2 100644
+--- a/fs/xfs/libxfs/xfs_alloc.c
++++ b/fs/xfs/libxfs/xfs_alloc.c
+@@ -2467,6 +2467,7 @@ xfs_defer_agfl_block(
+ new->xefi_startblock = XFS_AGB_TO_FSB(mp, agno, agbno);
+ new->xefi_blockcount = 1;
+ new->xefi_oinfo = *oinfo;
++ new->xefi_skip_discard = false;
+
+ trace_xfs_agfl_free_defer(mp, agno, 0, agbno, 1);
+
+diff --git a/fs/xfs/libxfs/xfs_bmap.h b/fs/xfs/libxfs/xfs_bmap.h
+index e1bd484e55485..6747e97a79490 100644
+--- a/fs/xfs/libxfs/xfs_bmap.h
++++ b/fs/xfs/libxfs/xfs_bmap.h
+@@ -52,9 +52,9 @@ struct xfs_extent_free_item
+ {
+ xfs_fsblock_t xefi_startblock;/* starting fs block number */
+ xfs_extlen_t xefi_blockcount;/* number of blocks in extent */
++ bool xefi_skip_discard;
+ struct list_head xefi_list;
+ struct xfs_owner_info xefi_oinfo; /* extent owner */
+- bool xefi_skip_discard;
+ };
+
+ #define XFS_BMAP_MAX_NMAP 4
+--
+2.27.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
