--- /dev/null
+From 74ccba322cbe8af60f76d4ce9236d0e1a4797f6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Jul 2021 18:09:27 +0100
+Subject: ASoC: cs42l42: Correct definition of ADC Volume control
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit ee86f680ff4c9b406d49d4e22ddf10805b8a2137 ]
+
+The ADC volume is a signed 8-bit number with range -97 to +12,
+with -97 being mute. Use a SOC_SINGLE_S8_TLV() to define this
+and fix the DECLARE_TLV_DB_SCALE() to have the correct start and
+mute flag.
+
+Fixes: 2c394ca79604 ("ASoC: Add support for CS42L42 codec")
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Link: https://lore.kernel.org/r/20210729170929.6589-1-rf@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/cs42l42.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/sound/soc/codecs/cs42l42.c b/sound/soc/codecs/cs42l42.c
+index 8434c48354f1..3956912e23ac 100644
+--- a/sound/soc/codecs/cs42l42.c
++++ b/sound/soc/codecs/cs42l42.c
+@@ -404,7 +404,7 @@ static const struct regmap_config cs42l42_regmap = {
+ .use_single_write = true,
+ };
+
+-static DECLARE_TLV_DB_SCALE(adc_tlv, -9600, 100, false);
++static DECLARE_TLV_DB_SCALE(adc_tlv, -9700, 100, true);
+ static DECLARE_TLV_DB_SCALE(mixer_tlv, -6300, 100, true);
+
+ static const char * const cs42l42_hpf_freq_text[] = {
+@@ -443,8 +443,7 @@ static const struct snd_kcontrol_new cs42l42_snd_controls[] = {
+ CS42L42_ADC_INV_SHIFT, true, false),
+ SOC_SINGLE("ADC Boost Switch", CS42L42_ADC_CTL,
+ CS42L42_ADC_DIG_BOOST_SHIFT, true, false),
+- SOC_SINGLE_SX_TLV("ADC Volume", CS42L42_ADC_VOLUME,
+- CS42L42_ADC_VOL_SHIFT, 0xA0, 0x6C, adc_tlv),
++ SOC_SINGLE_S8_TLV("ADC Volume", CS42L42_ADC_VOLUME, -97, 12, adc_tlv),
+ SOC_SINGLE("ADC WNF Switch", CS42L42_ADC_WNF_HPF_CTL,
+ CS42L42_ADC_WNF_EN_SHIFT, true, false),
+ SOC_SINGLE("ADC HPF Switch", CS42L42_ADC_WNF_HPF_CTL,
+--
+2.30.2
+
--- /dev/null
+From 4bf42c273db938f5f265a51465f2fffc75d6d194 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Jul 2021 18:09:28 +0100
+Subject: ASoC: cs42l42: Don't allow SND_SOC_DAIFMT_LEFT_J
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit 64324bac750b84ca54711fb7d332132fcdb87293 ]
+
+The driver has no support for left-justified protocol so it should
+not have been allowing this to be passed to cs42l42_set_dai_fmt().
+
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Fixes: 2c394ca79604 ("ASoC: Add support for CS42L42 codec")
+Link: https://lore.kernel.org/r/20210729170929.6589-2-rf@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/cs42l42.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/sound/soc/codecs/cs42l42.c b/sound/soc/codecs/cs42l42.c
+index 3956912e23ac..0d31c84b0445 100644
+--- a/sound/soc/codecs/cs42l42.c
++++ b/sound/soc/codecs/cs42l42.c
+@@ -778,7 +778,6 @@ static int cs42l42_set_dai_fmt(struct snd_soc_dai *codec_dai, unsigned int fmt)
+ /* interface format */
+ switch (fmt & SND_SOC_DAIFMT_FORMAT_MASK) {
+ case SND_SOC_DAIFMT_I2S:
+- case SND_SOC_DAIFMT_LEFT_J:
+ break;
+ default:
+ return -EINVAL;
+--
+2.30.2
+
--- /dev/null
+From ae72638fd15ae9008743194ef6543acbf4322316 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Jul 2021 18:09:29 +0100
+Subject: ASoC: cs42l42: Fix bclk calculation for mono
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit 926ef1a4c245c093acc07807e466ad2ef0ff6ccb ]
+
+An I2S frame always has a left and right channel slot even if mono
+data is being sent. So if channels==1 the actual bitclock frequency
+is 2 * snd_soc_params_to_bclk(params).
+
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Fixes: 2cdba9b045c7 ("ASoC: cs42l42: Use bclk from hw_params if set_sysclk was not called")
+Link: https://lore.kernel.org/r/20210729170929.6589-3-rf@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/cs42l42.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/sound/soc/codecs/cs42l42.c b/sound/soc/codecs/cs42l42.c
+index 0d31c84b0445..fe73a5c70bdd 100644
+--- a/sound/soc/codecs/cs42l42.c
++++ b/sound/soc/codecs/cs42l42.c
+@@ -820,6 +820,10 @@ static int cs42l42_pcm_hw_params(struct snd_pcm_substream *substream,
+ cs42l42->srate = params_rate(params);
+ cs42l42->bclk = snd_soc_params_to_bclk(params);
+
++ /* I2S frame always has 2 channels even for mono audio */
++ if (channels == 1)
++ cs42l42->bclk *= 2;
++
+ switch(substream->stream) {
+ case SNDRV_PCM_STREAM_CAPTURE:
+ if (channels == 2) {
+--
+2.30.2
+
--- /dev/null
+From 49eab353c3714485fc1e832c756ac189bd008731 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Aug 2021 17:08:33 +0100
+Subject: ASoC: cs42l42: Fix inversion of ADC Notch Switch control
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit 30615bd21b4cc3c3bb5ae8bd70e2a915cc5f75c7 ]
+
+The underlying register field has inverted sense (0 = enabled) so
+the control definition must be marked as inverted.
+
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Fixes: 2c394ca79604 ("ASoC: Add support for CS42L42 codec")
+Link: https://lore.kernel.org/r/20210803160834.9005-1-rf@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/cs42l42.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/cs42l42.c b/sound/soc/codecs/cs42l42.c
+index fe73a5c70bdd..c7fb33a89224 100644
+--- a/sound/soc/codecs/cs42l42.c
++++ b/sound/soc/codecs/cs42l42.c
+@@ -436,7 +436,7 @@ static SOC_ENUM_SINGLE_DECL(cs42l42_wnf05_freq_enum, CS42L42_ADC_WNF_HPF_CTL,
+ static const struct snd_kcontrol_new cs42l42_snd_controls[] = {
+ /* ADC Volume and Filter Controls */
+ SOC_SINGLE("ADC Notch Switch", CS42L42_ADC_CTL,
+- CS42L42_ADC_NOTCH_DIS_SHIFT, true, false),
++ CS42L42_ADC_NOTCH_DIS_SHIFT, true, true),
+ SOC_SINGLE("ADC Weak Force Switch", CS42L42_ADC_CTL,
+ CS42L42_ADC_FORCE_WEAK_VCM_SHIFT, true, false),
+ SOC_SINGLE("ADC Invert Switch", CS42L42_ADC_CTL,
+--
+2.30.2
+
--- /dev/null
+From 7674273adf9ff4e5c03791f14d858e53cba214cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Aug 2021 17:11:05 +0100
+Subject: ASoC: cs42l42: Fix LRCLK frame start edge
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit 0c2f2ad4f16a58879463d0979a54293f8f296d6f ]
+
+An I2S frame starts on the falling edge of LRCLK so ASP_STP must
+be 0.
+
+At the same time, move other format settings in the same register
+from cs42l42_pll_config() to cs42l42_set_dai_fmt() where you'd
+expect to find them, and merge into a single write.
+
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Fixes: 2c394ca79604 ("ASoC: Add support for CS42L42 codec")
+Link: https://lore.kernel.org/r/20210805161111.10410-2-rf@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/cs42l42.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/sound/soc/codecs/cs42l42.c b/sound/soc/codecs/cs42l42.c
+index 7b102a05a1b6..0c8cdfe78d96 100644
+--- a/sound/soc/codecs/cs42l42.c
++++ b/sound/soc/codecs/cs42l42.c
+@@ -657,15 +657,6 @@ static int cs42l42_pll_config(struct snd_soc_component *component)
+ CS42L42_FSYNC_PULSE_WIDTH_MASK,
+ CS42L42_FRAC1_VAL(fsync - 1) <<
+ CS42L42_FSYNC_PULSE_WIDTH_SHIFT);
+- snd_soc_component_update_bits(component,
+- CS42L42_ASP_FRM_CFG,
+- CS42L42_ASP_5050_MASK,
+- CS42L42_ASP_5050_MASK);
+- /* Set the frame delay to 1.0 SCLK clocks */
+- snd_soc_component_update_bits(component, CS42L42_ASP_FRM_CFG,
+- CS42L42_ASP_FSD_MASK,
+- CS42L42_ASP_FSD_1_0 <<
+- CS42L42_ASP_FSD_SHIFT);
+ /* Set the sample rates (96k or lower) */
+ snd_soc_component_update_bits(component, CS42L42_FS_RATE_EN,
+ CS42L42_FS_EN_MASK,
+@@ -765,6 +756,18 @@ static int cs42l42_set_dai_fmt(struct snd_soc_dai *codec_dai, unsigned int fmt)
+ /* interface format */
+ switch (fmt & SND_SOC_DAIFMT_FORMAT_MASK) {
+ case SND_SOC_DAIFMT_I2S:
++ /*
++ * 5050 mode, frame starts on falling edge of LRCLK,
++ * frame delayed by 1.0 SCLKs
++ */
++ snd_soc_component_update_bits(component,
++ CS42L42_ASP_FRM_CFG,
++ CS42L42_ASP_STP_MASK |
++ CS42L42_ASP_5050_MASK |
++ CS42L42_ASP_FSD_MASK,
++ CS42L42_ASP_5050_MASK |
++ (CS42L42_ASP_FSD_1_0 <<
++ CS42L42_ASP_FSD_SHIFT));
+ break;
+ default:
+ return -EINVAL;
+--
+2.30.2
+
--- /dev/null
+From 59ff6dc638c28760af85d2825d5d3cad59b01439 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Aug 2021 17:11:07 +0100
+Subject: ASoC: cs42l42: Fix mono playback
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit e5ada3f6787a4d6234adc6f2f3ae35c6d5b71ba0 ]
+
+I2S always has two LRCLK phases and both CH1 and CH2 of the RX
+must be enabled (corresponding to the low and high phases of LRCLK.)
+The selection of the valid data channels is done by setting the DAC
+CHA_SEL and CHB_SEL. CHA_SEL is always the first (left) channel,
+CHB_SEL depends on the number of active channels.
+
+Previously for mono ASP CH2 was not enabled, the result was playing
+mono data would not produce any audio output.
+
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Fixes: 621d65f3b868 ("ASoC: cs42l42: Provide finer control on playback path")
+Link: https://lore.kernel.org/r/20210805161111.10410-4-rf@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/cs42l42.c | 15 +++++++++++++--
+ sound/soc/codecs/cs42l42.h | 2 ++
+ 2 files changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/cs42l42.c b/sound/soc/codecs/cs42l42.c
+index 0c8cdfe78d96..e0a524f8e16c 100644
+--- a/sound/soc/codecs/cs42l42.c
++++ b/sound/soc/codecs/cs42l42.c
+@@ -459,8 +459,8 @@ static const struct snd_soc_dapm_widget cs42l42_dapm_widgets[] = {
+ SND_SOC_DAPM_OUTPUT("HP"),
+ SND_SOC_DAPM_DAC("DAC", NULL, CS42L42_PWR_CTL1, CS42L42_HP_PDN_SHIFT, 1),
+ SND_SOC_DAPM_MIXER("MIXER", CS42L42_PWR_CTL1, CS42L42_MIXER_PDN_SHIFT, 1, NULL, 0),
+- SND_SOC_DAPM_AIF_IN("SDIN1", NULL, 0, CS42L42_ASP_RX_DAI0_EN, CS42L42_ASP_RX0_CH1_SHIFT, 0),
+- SND_SOC_DAPM_AIF_IN("SDIN2", NULL, 1, CS42L42_ASP_RX_DAI0_EN, CS42L42_ASP_RX0_CH2_SHIFT, 0),
++ SND_SOC_DAPM_AIF_IN("SDIN1", NULL, 0, SND_SOC_NOPM, 0, 0),
++ SND_SOC_DAPM_AIF_IN("SDIN2", NULL, 1, SND_SOC_NOPM, 0, 0),
+
+ /* Playback Requirements */
+ SND_SOC_DAPM_SUPPLY("ASP DAI0", CS42L42_PWR_CTL1, CS42L42_ASP_DAI_PDN_SHIFT, 1, NULL, 0),
+@@ -837,6 +837,17 @@ static int cs42l42_pcm_hw_params(struct snd_pcm_substream *substream,
+ snd_soc_component_update_bits(component, CS42L42_ASP_RX_DAI0_CH2_AP_RES,
+ CS42L42_ASP_RX_CH_AP_MASK |
+ CS42L42_ASP_RX_CH_RES_MASK, val);
++
++ /* Channel B comes from the last active channel */
++ snd_soc_component_update_bits(component, CS42L42_SP_RX_CH_SEL,
++ CS42L42_SP_RX_CHB_SEL_MASK,
++ (channels - 1) << CS42L42_SP_RX_CHB_SEL_SHIFT);
++
++ /* Both LRCLK slots must be enabled */
++ snd_soc_component_update_bits(component, CS42L42_ASP_RX_DAI0_EN,
++ CS42L42_ASP_RX0_CH_EN_MASK,
++ BIT(CS42L42_ASP_RX0_CH1_SHIFT) |
++ BIT(CS42L42_ASP_RX0_CH2_SHIFT));
+ break;
+ default:
+ break;
+diff --git a/sound/soc/codecs/cs42l42.h b/sound/soc/codecs/cs42l42.h
+index 38fd91a168ae..10cf2e4c8ead 100644
+--- a/sound/soc/codecs/cs42l42.h
++++ b/sound/soc/codecs/cs42l42.h
+@@ -653,6 +653,8 @@
+
+ /* Page 0x25 Audio Port Registers */
+ #define CS42L42_SP_RX_CH_SEL (CS42L42_PAGE_25 + 0x01)
++#define CS42L42_SP_RX_CHB_SEL_SHIFT 2
++#define CS42L42_SP_RX_CHB_SEL_MASK (3 << CS42L42_SP_RX_CHB_SEL_SHIFT)
+
+ #define CS42L42_SP_RX_ISOC_CTL (CS42L42_PAGE_25 + 0x02)
+ #define CS42L42_SP_RX_RSYNC_SHIFT 6
+--
+2.30.2
+
--- /dev/null
+From 56dec09d5e7e7d11645eec87b6ab237a79b7ecbe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Aug 2021 17:11:04 +0100
+Subject: ASoC: cs42l42: PLL must be running when changing MCLK_SRC_SEL
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit f1040e86f83b0f7d5f45724500a6a441731ff4b7 ]
+
+Both SCLK and PLL clocks must be running to drive the glitch-free mux
+behind MCLK_SRC_SEL and complete the switchover.
+
+This patch moves the writing of MCLK_SRC_SEL to when the PLL is started
+and stopped, so that it only transitions while the PLL is running.
+The unconditional write MCLK_SRC_SEL=0 in cs42l42_mute_stream() is safe
+because if the PLL is not running MCLK_SRC_SEL is already 0.
+
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Fixes: 43fc357199f9 ("ASoC: cs42l42: Set clock source for both ways of stream")
+Link: https://lore.kernel.org/r/20210805161111.10410-1-rf@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/cs42l42.c | 25 ++++++++++++++++++-------
+ sound/soc/codecs/cs42l42.h | 1 +
+ 2 files changed, 19 insertions(+), 7 deletions(-)
+
+diff --git a/sound/soc/codecs/cs42l42.c b/sound/soc/codecs/cs42l42.c
+index 22d8c8d03308..7b102a05a1b6 100644
+--- a/sound/soc/codecs/cs42l42.c
++++ b/sound/soc/codecs/cs42l42.c
+@@ -609,6 +609,8 @@ static int cs42l42_pll_config(struct snd_soc_component *component)
+
+ for (i = 0; i < ARRAY_SIZE(pll_ratio_table); i++) {
+ if (pll_ratio_table[i].sclk == clk) {
++ cs42l42->pll_config = i;
++
+ /* Configure the internal sample rate */
+ snd_soc_component_update_bits(component, CS42L42_MCLK_CTL,
+ CS42L42_INTERNAL_FS_MASK,
+@@ -617,14 +619,9 @@ static int cs42l42_pll_config(struct snd_soc_component *component)
+ (pll_ratio_table[i].mclk_int !=
+ 24000000)) <<
+ CS42L42_INTERNAL_FS_SHIFT);
+- /* Set the MCLK src (PLL or SCLK) and the divide
+- * ratio
+- */
++
+ snd_soc_component_update_bits(component, CS42L42_MCLK_SRC_SEL,
+- CS42L42_MCLK_SRC_SEL_MASK |
+ CS42L42_MCLKDIV_MASK,
+- (pll_ratio_table[i].mclk_src_sel
+- << CS42L42_MCLK_SRC_SEL_SHIFT) |
+ (pll_ratio_table[i].mclk_div <<
+ CS42L42_MCLKDIV_SHIFT));
+ /* Set up the LRCLK */
+@@ -882,13 +879,21 @@ static int cs42l42_mute_stream(struct snd_soc_dai *dai, int mute, int stream)
+ */
+ regmap_multi_reg_write(cs42l42->regmap, cs42l42_to_osc_seq,
+ ARRAY_SIZE(cs42l42_to_osc_seq));
++
++ /* Must disconnect PLL before stopping it */
++ snd_soc_component_update_bits(component,
++ CS42L42_MCLK_SRC_SEL,
++ CS42L42_MCLK_SRC_SEL_MASK,
++ 0);
++ usleep_range(100, 200);
++
+ snd_soc_component_update_bits(component, CS42L42_PLL_CTL1,
+ CS42L42_PLL_START_MASK, 0);
+ }
+ } else {
+ if (!cs42l42->stream_use) {
+ /* SCLK must be running before codec unmute */
+- if ((cs42l42->bclk < 11289600) && (cs42l42->sclk < 11289600)) {
++ if (pll_ratio_table[cs42l42->pll_config].mclk_src_sel) {
+ snd_soc_component_update_bits(component, CS42L42_PLL_CTL1,
+ CS42L42_PLL_START_MASK, 1);
+
+@@ -909,6 +914,12 @@ static int cs42l42_mute_stream(struct snd_soc_dai *dai, int mute, int stream)
+ CS42L42_PLL_LOCK_TIMEOUT_US);
+ if (ret < 0)
+ dev_warn(component->dev, "PLL failed to lock: %d\n", ret);
++
++ /* PLL must be running to drive glitchless switch logic */
++ snd_soc_component_update_bits(component,
++ CS42L42_MCLK_SRC_SEL,
++ CS42L42_MCLK_SRC_SEL_MASK,
++ CS42L42_MCLK_SRC_SEL_MASK);
+ }
+
+ /* Mark SCLK as present, turn off internal oscillator */
+diff --git a/sound/soc/codecs/cs42l42.h b/sound/soc/codecs/cs42l42.h
+index 5384105afe50..38fd91a168ae 100644
+--- a/sound/soc/codecs/cs42l42.h
++++ b/sound/soc/codecs/cs42l42.h
+@@ -775,6 +775,7 @@ struct cs42l42_private {
+ struct gpio_desc *reset_gpio;
+ struct completion pdn_done;
+ struct snd_soc_jack jack;
++ int pll_config;
+ int bclk;
+ u32 sclk;
+ u32 srate;
+--
+2.30.2
+
--- /dev/null
+From 5389c11cb4ff541c03a45a3628c18ad8d1d04949 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Aug 2021 17:08:34 +0100
+Subject: ASoC: cs42l42: Remove duplicate control for WNF filter frequency
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit 8b353bbeae20e2214c9d9d88bcb2fda4ba145d83 ]
+
+The driver was defining two ALSA controls that both change the same
+register field for the wind noise filter corner frequency. The filter
+response has two corners, at different frequencies, and the duplicate
+controls most likely were an attempt to be able to set the value using
+either of the frequencies.
+
+However, having two controls changing the same field can be problematic
+and it is unnecessary. Both frequencies are related to each other so
+setting one implies exactly what the other would be.
+
+Removing a control affects user-side code, but there is currently no
+known use of the removed control so it would be best to remove it now
+before it becomes a problem.
+
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Fixes: 2c394ca79604 ("ASoC: Add support for CS42L42 codec")
+Link: https://lore.kernel.org/r/20210803160834.9005-2-rf@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/cs42l42.c | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+diff --git a/sound/soc/codecs/cs42l42.c b/sound/soc/codecs/cs42l42.c
+index c7fb33a89224..22d8c8d03308 100644
+--- a/sound/soc/codecs/cs42l42.c
++++ b/sound/soc/codecs/cs42l42.c
+@@ -424,15 +424,6 @@ static SOC_ENUM_SINGLE_DECL(cs42l42_wnf3_freq_enum, CS42L42_ADC_WNF_HPF_CTL,
+ CS42L42_ADC_WNF_CF_SHIFT,
+ cs42l42_wnf3_freq_text);
+
+-static const char * const cs42l42_wnf05_freq_text[] = {
+- "280Hz", "315Hz", "350Hz", "385Hz",
+- "420Hz", "455Hz", "490Hz", "525Hz"
+-};
+-
+-static SOC_ENUM_SINGLE_DECL(cs42l42_wnf05_freq_enum, CS42L42_ADC_WNF_HPF_CTL,
+- CS42L42_ADC_WNF_CF_SHIFT,
+- cs42l42_wnf05_freq_text);
+-
+ static const struct snd_kcontrol_new cs42l42_snd_controls[] = {
+ /* ADC Volume and Filter Controls */
+ SOC_SINGLE("ADC Notch Switch", CS42L42_ADC_CTL,
+@@ -450,7 +441,6 @@ static const struct snd_kcontrol_new cs42l42_snd_controls[] = {
+ CS42L42_ADC_HPF_EN_SHIFT, true, false),
+ SOC_ENUM("HPF Corner Freq", cs42l42_hpf_freq_enum),
+ SOC_ENUM("WNF 3dB Freq", cs42l42_wnf3_freq_enum),
+- SOC_ENUM("WNF 05dB Freq", cs42l42_wnf05_freq_enum),
+
+ /* DAC Volume and Filter Controls */
+ SOC_SINGLE("DACA Invert Switch", CS42L42_DAC_CTL1,
+--
+2.30.2
+
--- /dev/null
+From cc5d9962fabd537d324d418b7bdad41b1e895c21 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Aug 2021 10:17:49 -0500
+Subject: ASoC: SOF: Intel: hda-ipc: fix reply size checking
+
+From: Guennadi Liakhovetski <guennadi.liakhovetski@linux.intel.com>
+
+[ Upstream commit 973b393fdf073a4ebd8d82ef6edea99fedc74af9 ]
+
+Checking that two values don't have common bits makes no sense,
+strict equality is meant.
+
+Fixes: f3b433e4699f ("ASoC: SOF: Implement Probe IPC API")
+Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+Signed-off-by: Guennadi Liakhovetski <guennadi.liakhovetski@linux.intel.com>
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://lore.kernel.org/r/20210802151749.15417-1-pierre-louis.bossart@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sof/intel/hda-ipc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/sof/intel/hda-ipc.c b/sound/soc/sof/intel/hda-ipc.c
+index c91aa951df22..acfeca42604c 100644
+--- a/sound/soc/sof/intel/hda-ipc.c
++++ b/sound/soc/sof/intel/hda-ipc.c
+@@ -107,8 +107,8 @@ void hda_dsp_ipc_get_reply(struct snd_sof_dev *sdev)
+ } else {
+ /* reply correct size ? */
+ if (reply.hdr.size != msg->reply_size &&
+- /* getter payload is never known upfront */
+- !(reply.hdr.cmd & SOF_IPC_GLB_PROBE)) {
++ /* getter payload is never known upfront */
++ ((reply.hdr.cmd & SOF_GLB_TYPE_MASK) != SOF_IPC_GLB_PROBE)) {
+ dev_err(sdev->dev, "error: reply expected %zu got %u bytes\n",
+ msg->reply_size, reply.hdr.size);
+ ret = -EINVAL;
+--
+2.30.2
+
--- /dev/null
+From 9b93d434b42a5ee3d55b56eea383cc635dff9750 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Aug 2021 10:16:28 -0500
+Subject: ASoC: SOF: Intel: Kconfig: fix SoundWire dependencies
+
+From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+
+[ Upstream commit 6b994c554ebc4c065427f510db333081cbd7228d ]
+
+The previous Kconfig cleanup added simplifications but also introduced
+a new one by moving a boolean to a tristate. This leads to randconfig
+problems.
+
+This patch moves the select operations in the SOUNDWIRE_LINK_BASELINE
+option. The INTEL_SOUNDWIRE config remains a tristate for backwards
+compatibility with older configurations but is essentially an on/off
+switch.
+
+Fixes: cf5807f5f814f ('ASoC: SOF: Intel: SoundWire: simplify Kconfig')
+Reported-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Reviewed-by: Rander Wang <rander.wang@intel.com>
+Reviewed-by: Bard Liao <bard.liao@intel.com>
+Tested-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20210802151628.15291-1-pierre-louis.bossart@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sof/intel/Kconfig | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/sof/intel/Kconfig b/sound/soc/sof/intel/Kconfig
+index 4bce89b5ea40..4447f515e8b1 100644
+--- a/sound/soc/sof/intel/Kconfig
++++ b/sound/soc/sof/intel/Kconfig
+@@ -278,6 +278,8 @@ config SND_SOC_SOF_HDA
+
+ config SND_SOC_SOF_INTEL_SOUNDWIRE_LINK_BASELINE
+ tristate
++ select SOUNDWIRE_INTEL if SND_SOC_SOF_INTEL_SOUNDWIRE
++ select SND_INTEL_SOUNDWIRE_ACPI if SND_SOC_SOF_INTEL_SOUNDWIRE
+
+ config SND_SOC_SOF_INTEL_SOUNDWIRE
+ tristate "SOF support for SoundWire"
+@@ -285,8 +287,6 @@ config SND_SOC_SOF_INTEL_SOUNDWIRE
+ depends on SND_SOC_SOF_INTEL_SOUNDWIRE_LINK_BASELINE
+ depends on ACPI && SOUNDWIRE
+ depends on !(SOUNDWIRE=m && SND_SOC_SOF_INTEL_SOUNDWIRE_LINK_BASELINE=y)
+- select SOUNDWIRE_INTEL
+- select SND_INTEL_SOUNDWIRE_ACPI
+ help
+ This adds support for SoundWire with Sound Open Firmware
+ for Intel(R) platforms.
+--
+2.30.2
+
--- /dev/null
+From 1475d385586e021d23e0fe3849c3f18c429ba003 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Aug 2021 17:52:06 +0200
+Subject: bareudp: Fix invalid read beyond skb's linear data
+
+From: Guillaume Nault <gnault@redhat.com>
+
+[ Upstream commit 143a8526ab5fd4f8a0c4fe2a9cb28c181dc5a95f ]
+
+Data beyond the UDP header might not be part of the skb's linear data.
+Use skb_copy_bits() instead of direct access to skb->data+X, so that
+we read the correct bytes even on a fragmented skb.
+
+Fixes: 4b5f67232d95 ("net: Special handling for IP & MPLS.")
+Signed-off-by: Guillaume Nault <gnault@redhat.com>
+Link: https://lore.kernel.org/r/7741c46545c6ef02e70c80a9b32814b22d9616b3.1628264975.git.gnault@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bareudp.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/bareudp.c b/drivers/net/bareudp.c
+index edfad93e7b68..22e26458a86e 100644
+--- a/drivers/net/bareudp.c
++++ b/drivers/net/bareudp.c
+@@ -71,12 +71,18 @@ static int bareudp_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
+ family = AF_INET6;
+
+ if (bareudp->ethertype == htons(ETH_P_IP)) {
+- struct iphdr *iphdr;
++ __u8 ipversion;
+
+- iphdr = (struct iphdr *)(skb->data + BAREUDP_BASE_HLEN);
+- if (iphdr->version == 4) {
+- proto = bareudp->ethertype;
+- } else if (bareudp->multi_proto_mode && (iphdr->version == 6)) {
++ if (skb_copy_bits(skb, BAREUDP_BASE_HLEN, &ipversion,
++ sizeof(ipversion))) {
++ bareudp->dev->stats.rx_dropped++;
++ goto drop;
++ }
++ ipversion >>= 4;
++
++ if (ipversion == 4) {
++ proto = htons(ETH_P_IP);
++ } else if (ipversion == 6 && bareudp->multi_proto_mode) {
+ proto = htons(ETH_P_IPV6);
+ } else {
+ bareudp->dev->stats.rx_dropped++;
+--
+2.30.2
+
--- /dev/null
+From 11715ad872972cb378221fe64e01f764b9bfa385 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Aug 2021 00:04:18 +0900
+Subject: bpf: Fix integer overflow involving bucket_size
+
+From: Tatsuhiko Yasumatsu <th.yasumatsu@gmail.com>
+
+[ Upstream commit c4eb1f403243fc7bbb7de644db8587c03de36da6 ]
+
+In __htab_map_lookup_and_delete_batch(), hash buckets are iterated
+over to count the number of elements in each bucket (bucket_size).
+If bucket_size is large enough, the multiplication to calculate
+kvmalloc() size could overflow, resulting in out-of-bounds write
+as reported by KASAN:
+
+ [...]
+ [ 104.986052] BUG: KASAN: vmalloc-out-of-bounds in __htab_map_lookup_and_delete_batch+0x5ce/0xb60
+ [ 104.986489] Write of size 4194224 at addr ffffc9010503be70 by task crash/112
+ [ 104.986889]
+ [ 104.987193] CPU: 0 PID: 112 Comm: crash Not tainted 5.14.0-rc4 #13
+ [ 104.987552] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
+ [ 104.988104] Call Trace:
+ [ 104.988410] dump_stack_lvl+0x34/0x44
+ [ 104.988706] print_address_description.constprop.0+0x21/0x140
+ [ 104.988991] ? __htab_map_lookup_and_delete_batch+0x5ce/0xb60
+ [ 104.989327] ? __htab_map_lookup_and_delete_batch+0x5ce/0xb60
+ [ 104.989622] kasan_report.cold+0x7f/0x11b
+ [ 104.989881] ? __htab_map_lookup_and_delete_batch+0x5ce/0xb60
+ [ 104.990239] kasan_check_range+0x17c/0x1e0
+ [ 104.990467] memcpy+0x39/0x60
+ [ 104.990670] __htab_map_lookup_and_delete_batch+0x5ce/0xb60
+ [ 104.990982] ? __wake_up_common+0x4d/0x230
+ [ 104.991256] ? htab_of_map_free+0x130/0x130
+ [ 104.991541] bpf_map_do_batch+0x1fb/0x220
+ [...]
+
+In hashtable, if the elements' keys have the same jhash() value, the
+elements will be put into the same bucket. By putting a lot of elements
+into a single bucket, the value of bucket_size can be increased to
+trigger the integer overflow.
+
+Triggering the overflow is possible for both callers with CAP_SYS_ADMIN
+and callers without CAP_SYS_ADMIN.
+
+It will be trivial for a caller with CAP_SYS_ADMIN to intentionally
+reach this overflow by enabling BPF_F_ZERO_SEED. As this flag will set
+the random seed passed to jhash() to 0, it will be easy for the caller
+to prepare keys which will be hashed into the same value, and thus put
+all the elements into the same bucket.
+
+If the caller does not have CAP_SYS_ADMIN, BPF_F_ZERO_SEED cannot be
+used. However, it will be still technically possible to trigger the
+overflow, by guessing the random seed value passed to jhash() (32bit)
+and repeating the attempt to trigger the overflow. In this case,
+the probability to trigger the overflow will be low and will take
+a very long time.
+
+Fix the integer overflow by calling kvmalloc_array() instead of
+kvmalloc() to allocate memory.
+
+Fixes: 057996380a42 ("bpf: Add batch ops to all htab bpf map")
+Signed-off-by: Tatsuhiko Yasumatsu <th.yasumatsu@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20210806150419.109658-1-th.yasumatsu@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/hashtab.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c
+index d7ebb12ffffc..49857e8cd6ce 100644
+--- a/kernel/bpf/hashtab.c
++++ b/kernel/bpf/hashtab.c
+@@ -1464,8 +1464,8 @@ alloc:
+ /* We cannot do copy_from_user or copy_to_user inside
+ * the rcu_read_lock. Allocate enough space here.
+ */
+- keys = kvmalloc(key_size * bucket_size, GFP_USER | __GFP_NOWARN);
+- values = kvmalloc(value_size * bucket_size, GFP_USER | __GFP_NOWARN);
++ keys = kvmalloc_array(key_size, bucket_size, GFP_USER | __GFP_NOWARN);
++ values = kvmalloc_array(value_size, bucket_size, GFP_USER | __GFP_NOWARN);
+ if (!keys || !values) {
+ ret = -ENOMEM;
+ goto after_loop;
+--
+2.30.2
+
--- /dev/null
+From 12a653781ca0b5f94a9c0db1bb61e18d4d3a7fc1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Aug 2021 18:04:13 -0700
+Subject: bpf: Fix potentially incorrect results with bpf_get_local_storage()
+
+From: Yonghong Song <yhs@fb.com>
+
+[ Upstream commit a2baf4e8bb0f306fbed7b5e6197c02896a638ab5 ]
+
+Commit b910eaaaa4b8 ("bpf: Fix NULL pointer dereference in bpf_get_local_storage()
+helper") fixed a bug for bpf_get_local_storage() helper so different tasks
+won't mess up with each other's percpu local storage.
+
+The percpu data contains 8 slots so it can hold up to 8 contexts (same or
+different tasks), for 8 different program runs, at the same time. This in
+general is sufficient. But our internal testing showed the following warning
+multiple times:
+
+ [...]
+ warning: WARNING: CPU: 13 PID: 41661 at include/linux/bpf-cgroup.h:193
+ __cgroup_bpf_run_filter_sock_ops+0x13e/0x180
+ RIP: 0010:__cgroup_bpf_run_filter_sock_ops+0x13e/0x180
+ <IRQ>
+ tcp_call_bpf.constprop.99+0x93/0xc0
+ tcp_conn_request+0x41e/0xa50
+ ? tcp_rcv_state_process+0x203/0xe00
+ tcp_rcv_state_process+0x203/0xe00
+ ? sk_filter_trim_cap+0xbc/0x210
+ ? tcp_v6_inbound_md5_hash.constprop.41+0x44/0x160
+ tcp_v6_do_rcv+0x181/0x3e0
+ tcp_v6_rcv+0xc65/0xcb0
+ ip6_protocol_deliver_rcu+0xbd/0x450
+ ip6_input_finish+0x11/0x20
+ ip6_input+0xb5/0xc0
+ ip6_sublist_rcv_finish+0x37/0x50
+ ip6_sublist_rcv+0x1dc/0x270
+ ipv6_list_rcv+0x113/0x140
+ __netif_receive_skb_list_core+0x1a0/0x210
+ netif_receive_skb_list_internal+0x186/0x2a0
+ gro_normal_list.part.170+0x19/0x40
+ napi_complete_done+0x65/0x150
+ mlx5e_napi_poll+0x1ae/0x680
+ __napi_poll+0x25/0x120
+ net_rx_action+0x11e/0x280
+ __do_softirq+0xbb/0x271
+ irq_exit_rcu+0x97/0xa0
+ common_interrupt+0x7f/0xa0
+ </IRQ>
+ asm_common_interrupt+0x1e/0x40
+ RIP: 0010:bpf_prog_1835a9241238291a_tw_egress+0x5/0xbac
+ ? __cgroup_bpf_run_filter_skb+0x378/0x4e0
+ ? do_softirq+0x34/0x70
+ ? ip6_finish_output2+0x266/0x590
+ ? ip6_finish_output+0x66/0xa0
+ ? ip6_output+0x6c/0x130
+ ? ip6_xmit+0x279/0x550
+ ? ip6_dst_check+0x61/0xd0
+ [...]
+
+Using drgn [0] to dump the percpu buffer contents showed that on this CPU
+slot 0 is still available, but slots 1-7 are occupied and those tasks in
+slots 1-7 mostly don't exist any more. So we might have issues in
+bpf_cgroup_storage_unset().
+
+Further debugging confirmed that there is a bug in bpf_cgroup_storage_unset().
+Currently, it tries to unset "current" slot with searching from the start.
+So the following sequence is possible:
+
+ 1. A task is running and claims slot 0
+ 2. Running BPF program is done, and it checked slot 0 has the "task"
+ and ready to reset it to NULL (not yet).
+ 3. An interrupt happens, another BPF program runs and it claims slot 1
+ with the *same* task.
+ 4. The unset() in interrupt context releases slot 0 since it matches "task".
+ 5. Interrupt is done, the task in process context reset slot 0.
+
+At the end, slot 1 is not reset and the same process can continue to occupy
+slots 2-7 and finally, when the above step 1-5 is repeated again, step 3 BPF
+program won't be able to claim an empty slot and a warning will be issued.
+
+To fix the issue, for unset() function, we should traverse from the last slot
+to the first. This way, the above issue can be avoided.
+
+The same reverse traversal should also be done in bpf_get_local_storage() helper
+itself. Otherwise, incorrect local storage may be returned to BPF program.
+
+ [0] https://github.com/osandov/drgn
+
+Fixes: b910eaaaa4b8 ("bpf: Fix NULL pointer dereference in bpf_get_local_storage() helper")
+Signed-off-by: Yonghong Song <yhs@fb.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20210810010413.1976277-1-yhs@fb.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/bpf-cgroup.h | 4 ++--
+ kernel/bpf/helpers.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/include/linux/bpf-cgroup.h b/include/linux/bpf-cgroup.h
+index 8b77d08d4b47..6c9b10d82c80 100644
+--- a/include/linux/bpf-cgroup.h
++++ b/include/linux/bpf-cgroup.h
+@@ -201,8 +201,8 @@ static inline void bpf_cgroup_storage_unset(void)
+ {
+ int i;
+
+- for (i = 0; i < BPF_CGROUP_STORAGE_NEST_MAX; i++) {
+- if (unlikely(this_cpu_read(bpf_cgroup_storage_info[i].task) != current))
++ for (i = BPF_CGROUP_STORAGE_NEST_MAX - 1; i >= 0; i--) {
++ if (likely(this_cpu_read(bpf_cgroup_storage_info[i].task) != current))
+ continue;
+
+ this_cpu_write(bpf_cgroup_storage_info[i].task, NULL);
+diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
+index a2f1f15ce432..728f1a0fb442 100644
+--- a/kernel/bpf/helpers.c
++++ b/kernel/bpf/helpers.c
+@@ -397,8 +397,8 @@ BPF_CALL_2(bpf_get_local_storage, struct bpf_map *, map, u64, flags)
+ void *ptr;
+ int i;
+
+- for (i = 0; i < BPF_CGROUP_STORAGE_NEST_MAX; i++) {
+- if (unlikely(this_cpu_read(bpf_cgroup_storage_info[i].task) != current))
++ for (i = BPF_CGROUP_STORAGE_NEST_MAX - 1; i >= 0; i--) {
++ if (likely(this_cpu_read(bpf_cgroup_storage_info[i].task) != current))
+ continue;
+
+ storage = this_cpu_read(bpf_cgroup_storage_info[i].storage[stype]);
+--
+2.30.2
+
--- /dev/null
+From 7ef268b071cbbeb19522166565a9bd1adedd8805 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Aug 2021 20:37:14 +0200
+Subject: drm/amd/pm: Fix a memory leak in an error handling path in
+ 'vangogh_tables_init()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 5126da7d99cf6396c929f3b577ba3aed1e74acd7 ]
+
+'watermarks_table' must be freed instead 'clocks_table', because
+'clocks_table' is known to be NULL at this point and 'watermarks_table' is
+never freed if the last kzalloc fails.
+
+Fixes: c98ee89736b8 ("drm/amd/pm: add the fine grain tuning function for vangogh")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c
+index 77f532a49e37..bacef9120b8d 100644
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c
+@@ -242,7 +242,7 @@ static int vangogh_tables_init(struct smu_context *smu)
+ return 0;
+
+ err3_out:
+- kfree(smu_table->clocks_table);
++ kfree(smu_table->watermarks_table);
+ err2_out:
+ kfree(smu_table->gpu_metrics_table);
+ err1_out:
+--
+2.30.2
+
--- /dev/null
+From 2b1b55dabb656a9427acd20c64238acb3dd18a84 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Aug 2021 10:41:30 -0700
+Subject: drm/i915: Only access SFC_DONE when media domain is not fused off
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matt Roper <matthew.d.roper@intel.com>
+
+[ Upstream commit 24d032e2359e3abc926b3d423f49a7c33e0b7836 ]
+
+The SFC_DONE register lives within the corresponding VD0/VD2/VD4/VD6
+forcewake domain and is not accessible if the vdbox in that domain is
+fused off and the forcewake is not initialized.
+
+This mistake went unnoticed because until recently we were using the
+wrong register offset for the SFC_DONE register; once the register
+offset was corrected, we started hitting errors like
+
+ <4> [544.989065] i915 0000:cc:00.0: Uninitialized forcewake domain(s) 0x80 accessed at 0x1ce000
+
+on parts with fused-off vdbox engines.
+
+Fixes: e50dbdbfd9fb ("drm/i915/tgl: Add SFC instdone to error state")
+Fixes: 9c9c6d0ab08a ("drm/i915: Correct SFC_DONE register offset")
+Cc: Daniele Ceraolo Spurio <daniele.ceraolospurio@intel.com>
+Cc: Mika Kuoppala <mika.kuoppala@linux.intel.com>
+Signed-off-by: Matt Roper <matthew.d.roper@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210806174130.1058960-1-matthew.d.roper@intel.com
+Reviewed-by: José Roberto de Souza <jose.souza@intel.com>
+(cherry picked from commit c5589bb5dccb0c5cb74910da93663f489589f3ce)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+[Changed Fixes tag to match the cherry-picked 82929a2140eb]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/i915_gpu_error.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/i915/i915_gpu_error.c b/drivers/gpu/drm/i915/i915_gpu_error.c
+index bb181fe5d47e..725f241a428c 100644
+--- a/drivers/gpu/drm/i915/i915_gpu_error.c
++++ b/drivers/gpu/drm/i915/i915_gpu_error.c
+@@ -728,9 +728,18 @@ static void err_print_gt(struct drm_i915_error_state_buf *m,
+ if (INTEL_GEN(m->i915) >= 12) {
+ int i;
+
+- for (i = 0; i < GEN12_SFC_DONE_MAX; i++)
++ for (i = 0; i < GEN12_SFC_DONE_MAX; i++) {
++ /*
++ * SFC_DONE resides in the VD forcewake domain, so it
++ * only exists if the corresponding VCS engine is
++ * present.
++ */
++ if (!HAS_ENGINE(gt->_gt, _VCS(i * 2)))
++ continue;
++
+ err_printf(m, " SFC_DONE[%d]: 0x%08x\n", i,
+ gt->sfc_done[i]);
++ }
+
+ err_printf(m, " GAM_DONE: 0x%08x\n", gt->gam_done);
+ }
+@@ -1586,6 +1595,14 @@ static void gt_record_regs(struct intel_gt_coredump *gt)
+
+ if (INTEL_GEN(i915) >= 12) {
+ for (i = 0; i < GEN12_SFC_DONE_MAX; i++) {
++ /*
++ * SFC_DONE resides in the VD forcewake domain, so it
++ * only exists if the corresponding VCS engine is
++ * present.
++ */
++ if (!HAS_ENGINE(gt->_gt, _VCS(i * 2)))
++ continue;
++
+ gt->sfc_done[i] =
+ intel_uncore_read(uncore, GEN12_SFC_DONE(i));
+ }
+--
+2.30.2
+
--- /dev/null
+From 5d5c74a385739f831e34778cd2f296e32605f5a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Jul 2021 09:47:43 +0800
+Subject: drm/mediatek: Fix cursor plane no update
+
+From: jason-jh.lin <jason-jh.lin@mediatek.com>
+
+[ Upstream commit 1a64a7aff8da352c9419de3d5c34343682916411 ]
+
+The cursor plane should use the current plane state in atomic_async_update
+because it would not be the new plane state in the global atomic state
+since _swap_state happened when those hook are run.
+
+Fix cursor plane issue by below modification:
+1. Remove plane_helper_funcs->atomic_update(plane, state) in
+ mtk_drm_crtc_async_update.
+2. Add mtk_drm_update_new_state in to mtk_plane_atomic_async_update to
+ update the cursor plane by current plane state hook and update
+ others plane by the new_state.
+
+Fixes: 37418bf14c13 ("drm: Use state helper instead of the plane state pointer")
+Signed-off-by: jason-jh.lin <jason-jh.lin@mediatek.com>
+Tested-by: Enric Balletbo i Serra <enric.balletbo@collabora.com>
+Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/mediatek/mtk_drm_crtc.c | 3 --
+ drivers/gpu/drm/mediatek/mtk_drm_plane.c | 60 ++++++++++++++----------
+ 2 files changed, 34 insertions(+), 29 deletions(-)
+
+diff --git a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c
+index 474efb844249..735efe79f075 100644
+--- a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c
++++ b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c
+@@ -532,13 +532,10 @@ void mtk_drm_crtc_async_update(struct drm_crtc *crtc, struct drm_plane *plane,
+ struct drm_atomic_state *state)
+ {
+ struct mtk_drm_crtc *mtk_crtc = to_mtk_crtc(crtc);
+- const struct drm_plane_helper_funcs *plane_helper_funcs =
+- plane->helper_private;
+
+ if (!mtk_crtc->enabled)
+ return;
+
+- plane_helper_funcs->atomic_update(plane, state);
+ mtk_drm_crtc_update_config(mtk_crtc, false);
+ }
+
+diff --git a/drivers/gpu/drm/mediatek/mtk_drm_plane.c b/drivers/gpu/drm/mediatek/mtk_drm_plane.c
+index b5582dcf564c..e6dcb34d3052 100644
+--- a/drivers/gpu/drm/mediatek/mtk_drm_plane.c
++++ b/drivers/gpu/drm/mediatek/mtk_drm_plane.c
+@@ -110,6 +110,35 @@ static int mtk_plane_atomic_async_check(struct drm_plane *plane,
+ true, true);
+ }
+
++static void mtk_plane_update_new_state(struct drm_plane_state *new_state,
++ struct mtk_plane_state *mtk_plane_state)
++{
++ struct drm_framebuffer *fb = new_state->fb;
++ struct drm_gem_object *gem;
++ struct mtk_drm_gem_obj *mtk_gem;
++ unsigned int pitch, format;
++ dma_addr_t addr;
++
++ gem = fb->obj[0];
++ mtk_gem = to_mtk_gem_obj(gem);
++ addr = mtk_gem->dma_addr;
++ pitch = fb->pitches[0];
++ format = fb->format->format;
++
++ addr += (new_state->src.x1 >> 16) * fb->format->cpp[0];
++ addr += (new_state->src.y1 >> 16) * pitch;
++
++ mtk_plane_state->pending.enable = true;
++ mtk_plane_state->pending.pitch = pitch;
++ mtk_plane_state->pending.format = format;
++ mtk_plane_state->pending.addr = addr;
++ mtk_plane_state->pending.x = new_state->dst.x1;
++ mtk_plane_state->pending.y = new_state->dst.y1;
++ mtk_plane_state->pending.width = drm_rect_width(&new_state->dst);
++ mtk_plane_state->pending.height = drm_rect_height(&new_state->dst);
++ mtk_plane_state->pending.rotation = new_state->rotation;
++}
++
+ static void mtk_plane_atomic_async_update(struct drm_plane *plane,
+ struct drm_atomic_state *state)
+ {
+@@ -126,8 +155,10 @@ static void mtk_plane_atomic_async_update(struct drm_plane *plane,
+ plane->state->src_h = new_state->src_h;
+ plane->state->src_w = new_state->src_w;
+ swap(plane->state->fb, new_state->fb);
+- new_plane_state->pending.async_dirty = true;
+
++ mtk_plane_update_new_state(new_state, new_plane_state);
++ wmb(); /* Make sure the above parameters are set before update */
++ new_plane_state->pending.async_dirty = true;
+ mtk_drm_crtc_async_update(new_state->crtc, plane, state);
+ }
+
+@@ -189,14 +220,8 @@ static void mtk_plane_atomic_update(struct drm_plane *plane,
+ struct drm_plane_state *new_state = drm_atomic_get_new_plane_state(state,
+ plane);
+ struct mtk_plane_state *mtk_plane_state = to_mtk_plane_state(new_state);
+- struct drm_crtc *crtc = new_state->crtc;
+- struct drm_framebuffer *fb = new_state->fb;
+- struct drm_gem_object *gem;
+- struct mtk_drm_gem_obj *mtk_gem;
+- unsigned int pitch, format;
+- dma_addr_t addr;
+
+- if (!crtc || WARN_ON(!fb))
++ if (!new_state->crtc || WARN_ON(!new_state->fb))
+ return;
+
+ if (!new_state->visible) {
+@@ -204,24 +229,7 @@ static void mtk_plane_atomic_update(struct drm_plane *plane,
+ return;
+ }
+
+- gem = fb->obj[0];
+- mtk_gem = to_mtk_gem_obj(gem);
+- addr = mtk_gem->dma_addr;
+- pitch = fb->pitches[0];
+- format = fb->format->format;
+-
+- addr += (new_state->src.x1 >> 16) * fb->format->cpp[0];
+- addr += (new_state->src.y1 >> 16) * pitch;
+-
+- mtk_plane_state->pending.enable = true;
+- mtk_plane_state->pending.pitch = pitch;
+- mtk_plane_state->pending.format = format;
+- mtk_plane_state->pending.addr = addr;
+- mtk_plane_state->pending.x = new_state->dst.x1;
+- mtk_plane_state->pending.y = new_state->dst.y1;
+- mtk_plane_state->pending.width = drm_rect_width(&new_state->dst);
+- mtk_plane_state->pending.height = drm_rect_height(&new_state->dst);
+- mtk_plane_state->pending.rotation = new_state->rotation;
++ mtk_plane_update_new_state(new_state, mtk_plane_state);
+ wmb(); /* Make sure the above parameters are set before update */
+ mtk_plane_state->pending.dirty = true;
+ }
+--
+2.30.2
+
--- /dev/null
+From d5df5762393fe476bc8a95c01e2562da17378218 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Aug 2021 09:40:05 +0000
+Subject: drm/meson: fix colour distortion from HDR set during vendor u-boot
+
+From: Christian Hewitt <christianshewitt@gmail.com>
+
+[ Upstream commit bf33677a3c394bb8fddd48d3bbc97adf0262e045 ]
+
+Add support for the OSD1 HDR registers so meson DRM can handle the HDR
+properties set by Amlogic u-boot on G12A and newer devices which result
+in blue/green/pink colour distortion to display output.
+
+This takes the original patch submissions from Mathias [0] and [1] with
+corrections for formatting and the missing description and attribution
+needed for merge.
+
+[0] https://lore.kernel.org/linux-amlogic/59dfd7e6-fc91-3d61-04c4-94e078a3188c@baylibre.com/T/
+[1] https://lore.kernel.org/linux-amlogic/CAOKfEHBx_fboUqkENEMd-OC-NSrf46nto+vDLgvgttzPe99kXg@mail.gmail.com/T/#u
+
+Fixes: 728883948b0d ("drm/meson: Add G12A Support for VIU setup")
+Suggested-by: Mathias Steiger <mathias.steiger@googlemail.com>
+Signed-off-by: Christian Hewitt <christianshewitt@gmail.com>
+Tested-by: Neil Armstrong <narmstrong@baylibre.com>
+Tested-by: Philip Milev <milev.philip@gmail.com>
+[narmsrong: adding missing space on second tested-by tag]
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210806094005.7136-1-christianshewitt@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/meson/meson_registers.h | 5 +++++
+ drivers/gpu/drm/meson/meson_viu.c | 7 ++++++-
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/meson/meson_registers.h b/drivers/gpu/drm/meson/meson_registers.h
+index 446e7961da48..0f3cafab8860 100644
+--- a/drivers/gpu/drm/meson/meson_registers.h
++++ b/drivers/gpu/drm/meson/meson_registers.h
+@@ -634,6 +634,11 @@
+ #define VPP_WRAP_OSD3_MATRIX_PRE_OFFSET2 0x3dbc
+ #define VPP_WRAP_OSD3_MATRIX_EN_CTRL 0x3dbd
+
++/* osd1 HDR */
++#define OSD1_HDR2_CTRL 0x38a0
++#define OSD1_HDR2_CTRL_VDIN0_HDR2_TOP_EN BIT(13)
++#define OSD1_HDR2_CTRL_REG_ONLY_MAT BIT(16)
++
+ /* osd2 scaler */
+ #define OSD2_VSC_PHASE_STEP 0x3d00
+ #define OSD2_VSC_INI_PHASE 0x3d01
+diff --git a/drivers/gpu/drm/meson/meson_viu.c b/drivers/gpu/drm/meson/meson_viu.c
+index aede0c67a57f..259f3e6bec90 100644
+--- a/drivers/gpu/drm/meson/meson_viu.c
++++ b/drivers/gpu/drm/meson/meson_viu.c
+@@ -425,9 +425,14 @@ void meson_viu_init(struct meson_drm *priv)
+ if (meson_vpu_is_compatible(priv, VPU_COMPATIBLE_GXM) ||
+ meson_vpu_is_compatible(priv, VPU_COMPATIBLE_GXL))
+ meson_viu_load_matrix(priv);
+- else if (meson_vpu_is_compatible(priv, VPU_COMPATIBLE_G12A))
++ else if (meson_vpu_is_compatible(priv, VPU_COMPATIBLE_G12A)) {
+ meson_viu_set_g12a_osd1_matrix(priv, RGB709_to_YUV709l_coeff,
+ true);
++ /* fix green/pink color distortion from vendor u-boot */
++ writel_bits_relaxed(OSD1_HDR2_CTRL_REG_ONLY_MAT |
++ OSD1_HDR2_CTRL_VDIN0_HDR2_TOP_EN, 0,
++ priv->io_base + _REG(OSD1_HDR2_CTRL));
++ }
+
+ /* Initialize OSD1 fifo control register */
+ reg = VIU_OSD_DDR_PRIORITY_URGENT |
+--
+2.30.2
+
--- /dev/null
+From 76a82685251402eaca0c50417971112543cc3f43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jun 2021 09:53:33 -0700
+Subject: iavf: Set RSS LUT and key in reset handle path
+
+From: Md Fahad Iqbal Polash <md.fahad.iqbal.polash@intel.com>
+
+[ Upstream commit a7550f8b1c9712894f9e98d6caf5f49451ebd058 ]
+
+iavf driver should set RSS LUT and key unconditionally in reset
+path. Currently, the driver does not do that. This patch fixes
+this issue.
+
+Fixes: 2c86ac3c7079 ("i40evf: create a generic config RSS function")
+Signed-off-by: Md Fahad Iqbal Polash <md.fahad.iqbal.polash@intel.com>
+Tested-by: Konrad Jankowski <konrad0.jankowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index 44bafedd09f2..244ec74ceca7 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -1506,11 +1506,6 @@ static int iavf_reinit_interrupt_scheme(struct iavf_adapter *adapter)
+ set_bit(__IAVF_VSI_DOWN, adapter->vsi.state);
+
+ iavf_map_rings_to_vectors(adapter);
+-
+- if (RSS_AQ(adapter))
+- adapter->aq_required |= IAVF_FLAG_AQ_CONFIGURE_RSS;
+- else
+- err = iavf_init_rss(adapter);
+ err:
+ return err;
+ }
+@@ -2200,6 +2195,14 @@ continue_reset:
+ goto reset_err;
+ }
+
++ if (RSS_AQ(adapter)) {
++ adapter->aq_required |= IAVF_FLAG_AQ_CONFIGURE_RSS;
++ } else {
++ err = iavf_init_rss(adapter);
++ if (err)
++ goto reset_err;
++ }
++
+ adapter->aq_required |= IAVF_FLAG_AQ_GET_CONFIG;
+ adapter->aq_required |= IAVF_FLAG_AQ_MAP_VECTORS;
+
+--
+2.30.2
+
--- /dev/null
+From 1cc022e434b881b52255bf1c16a534f1e9ad76e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Aug 2021 09:51:27 -0700
+Subject: ice: don't remove netdev->dev_addr from uc sync list
+
+From: Brett Creeley <brett.creeley@intel.com>
+
+[ Upstream commit 3ba7f53f8bf1fb862e36c7f74434ac3aceb60158 ]
+
+In some circumstances, such as with bridging, it's possible that the
+stack will add the device's own MAC address to its unicast address list.
+
+If, later, the stack deletes this address, the driver will receive a
+request to remove this address.
+
+The driver stores its current MAC address as part of the VSI MAC filter
+list instead of separately. So, this causes a problem when the device's
+MAC address is deleted unexpectedly, which results in traffic failure in
+some cases.
+
+The following configuration steps will reproduce the previously
+mentioned problem:
+
+> ip link set eth0 up
+> ip link add dev br0 type bridge
+> ip link set br0 up
+> ip addr flush dev eth0
+> ip link set eth0 master br0
+> echo 1 > /sys/class/net/br0/bridge/vlan_filtering
+> modprobe -r veth
+> modprobe -r bridge
+> ip addr add 192.168.1.100/24 dev eth0
+
+The following ping command fails due to the netdev->dev_addr being
+deleted when removing the bridge module.
+> ping <link partner>
+
+Fix this by making sure to not delete the netdev->dev_addr during MAC
+address sync. After fixing this issue it was noticed that the
+netdev_warn() in .set_mac was overly verbose, so make it at
+netdev_dbg().
+
+Also, there is a possibility of a race condition between .set_mac and
+.set_rx_mode. Fix this by calling netif_addr_lock_bh() and
+netif_addr_unlock_bh() on the device's netdev when the netdev->dev_addr
+is going to be updated in .set_mac.
+
+Fixes: e94d44786693 ("ice: Implement filter sync, NDO operations and bump version")
+Signed-off-by: Brett Creeley <brett.creeley@intel.com>
+Tested-by: Liang Li <liali@redhat.com>
+Tested-by: Gurucharan G <gurucharanx.g@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_main.c | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c
+index 6a72a3b93037..a7f2f5c490e3 100644
+--- a/drivers/net/ethernet/intel/ice/ice_main.c
++++ b/drivers/net/ethernet/intel/ice/ice_main.c
+@@ -183,6 +183,14 @@ static int ice_add_mac_to_unsync_list(struct net_device *netdev, const u8 *addr)
+ struct ice_netdev_priv *np = netdev_priv(netdev);
+ struct ice_vsi *vsi = np->vsi;
+
++ /* Under some circumstances, we might receive a request to delete our
++ * own device address from our uc list. Because we store the device
++ * address in the VSI's MAC filter list, we need to ignore such
++ * requests and not delete our device address from this list.
++ */
++ if (ether_addr_equal(addr, netdev->dev_addr))
++ return 0;
++
+ if (ice_fltr_add_mac_to_list(vsi, &vsi->tmp_unsync_list, addr,
+ ICE_FWD_TO_VSI))
+ return -EINVAL;
+@@ -4913,7 +4921,7 @@ static int ice_set_mac_address(struct net_device *netdev, void *pi)
+ return -EADDRNOTAVAIL;
+
+ if (ether_addr_equal(netdev->dev_addr, mac)) {
+- netdev_warn(netdev, "already using mac %pM\n", mac);
++ netdev_dbg(netdev, "already using mac %pM\n", mac);
+ return 0;
+ }
+
+@@ -4924,6 +4932,7 @@ static int ice_set_mac_address(struct net_device *netdev, void *pi)
+ return -EBUSY;
+ }
+
++ netif_addr_lock_bh(netdev);
+ /* Clean up old MAC filter. Not an error if old filter doesn't exist */
+ status = ice_fltr_remove_mac(vsi, netdev->dev_addr, ICE_FWD_TO_VSI);
+ if (status && status != ICE_ERR_DOES_NOT_EXIST) {
+@@ -4933,30 +4942,28 @@ static int ice_set_mac_address(struct net_device *netdev, void *pi)
+
+ /* Add filter for new MAC. If filter exists, return success */
+ status = ice_fltr_add_mac(vsi, mac, ICE_FWD_TO_VSI);
+- if (status == ICE_ERR_ALREADY_EXISTS) {
++ if (status == ICE_ERR_ALREADY_EXISTS)
+ /* Although this MAC filter is already present in hardware it's
+ * possible in some cases (e.g. bonding) that dev_addr was
+ * modified outside of the driver and needs to be restored back
+ * to this value.
+ */
+- memcpy(netdev->dev_addr, mac, netdev->addr_len);
+ netdev_dbg(netdev, "filter for MAC %pM already exists\n", mac);
+- return 0;
+- }
+-
+- /* error if the new filter addition failed */
+- if (status)
++ else if (status)
++ /* error if the new filter addition failed */
+ err = -EADDRNOTAVAIL;
+
+ err_update_filters:
+ if (err) {
+ netdev_err(netdev, "can't set MAC %pM. filter update failed\n",
+ mac);
++ netif_addr_unlock_bh(netdev);
+ return err;
+ }
+
+ /* change the netdev's MAC address */
+ memcpy(netdev->dev_addr, mac, netdev->addr_len);
++ netif_addr_unlock_bh(netdev);
+ netdev_dbg(vsi->netdev, "updated MAC address to %pM\n",
+ netdev->dev_addr);
+
+--
+2.30.2
+
--- /dev/null
+From d998c46420ba2ac2382e0dc13ba8bb88b53024d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Jul 2021 12:39:10 -0700
+Subject: ice: Prevent probing virtual functions
+
+From: Anirudh Venkataramanan <anirudh.venkataramanan@intel.com>
+
+[ Upstream commit 50ac7479846053ca8054be833c1594e64de496bb ]
+
+The userspace utility "driverctl" can be used to change/override the
+system's default driver choices. This is useful in some situations
+(buggy driver, old driver missing a device ID, trying a workaround,
+etc.) where the user needs to load a different driver.
+
+However, this is also prone to user error, where a driver is mapped
+to a device it's not designed to drive. For example, if the ice driver
+is mapped to driver iavf devices, the ice driver crashes.
+
+Add a check to return an error if the ice driver is being used to
+probe a virtual function.
+
+Fixes: 837f08fdecbe ("ice: Add basic driver framework for Intel(R) E800 Series")
+Signed-off-by: Anirudh Venkataramanan <anirudh.venkataramanan@intel.com>
+Tested-by: Gurucharan G <gurucharanx.g@intel.com>
+Tested-by: Konrad Jankowski <konrad0.jankowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c
+index 0eb2307325d3..6a72a3b93037 100644
+--- a/drivers/net/ethernet/intel/ice/ice_main.c
++++ b/drivers/net/ethernet/intel/ice/ice_main.c
+@@ -4014,6 +4014,11 @@ ice_probe(struct pci_dev *pdev, const struct pci_device_id __always_unused *ent)
+ struct ice_hw *hw;
+ int i, err;
+
++ if (pdev->is_virtfn) {
++ dev_err(dev, "can't probe a virtual function\n");
++ return -EINVAL;
++ }
++
+ /* this driver uses devres, see
+ * Documentation/driver-api/driver-model/devres.rst
+ */
+--
+2.30.2
+
--- /dev/null
+From 7a1fc6034a93450f0bb3447268122a905afe8262 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Aug 2021 12:12:42 -0700
+Subject: ice: Stop processing VF messages during teardown
+
+From: Anirudh Venkataramanan <anirudh.venkataramanan@intel.com>
+
+[ Upstream commit c503e63200c679e362afca7aca9d3dc63a0f45ed ]
+
+When VFs are setup and torn down in quick succession, it is possible
+that a VF is torn down by the PF while the VF's virtchnl requests are
+still in the PF's mailbox ring. Processing the VF's virtchnl request
+when the VF itself doesn't exist results in undefined behavior. Fix
+this by adding a check to stop processing virtchnl requests when VF
+teardown is in progress.
+
+Fixes: ddf30f7ff840 ("ice: Add handler to configure SR-IOV")
+Signed-off-by: Anirudh Venkataramanan <anirudh.venkataramanan@intel.com>
+Tested-by: Konrad Jankowski <konrad0.jankowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice.h | 1 +
+ drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c | 7 +++++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice.h b/drivers/net/ethernet/intel/ice/ice.h
+index 2924c67567b8..13ffa3f6a521 100644
+--- a/drivers/net/ethernet/intel/ice/ice.h
++++ b/drivers/net/ethernet/intel/ice/ice.h
+@@ -226,6 +226,7 @@ enum ice_pf_state {
+ ICE_VFLR_EVENT_PENDING,
+ ICE_FLTR_OVERFLOW_PROMISC,
+ ICE_VF_DIS,
++ ICE_VF_DEINIT_IN_PROGRESS,
+ ICE_CFG_BUSY,
+ ICE_SERVICE_SCHED,
+ ICE_SERVICE_DIS,
+diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c
+index 97a46c616aca..671902d9fc35 100644
+--- a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c
+@@ -615,6 +615,8 @@ void ice_free_vfs(struct ice_pf *pf)
+ struct ice_hw *hw = &pf->hw;
+ unsigned int tmp, i;
+
++ set_bit(ICE_VF_DEINIT_IN_PROGRESS, pf->state);
++
+ if (!pf->vf)
+ return;
+
+@@ -680,6 +682,7 @@ void ice_free_vfs(struct ice_pf *pf)
+ i);
+
+ clear_bit(ICE_VF_DIS, pf->state);
++ clear_bit(ICE_VF_DEINIT_IN_PROGRESS, pf->state);
+ clear_bit(ICE_FLAG_SRIOV_ENA, pf->flags);
+ }
+
+@@ -4292,6 +4295,10 @@ void ice_vc_process_vf_msg(struct ice_pf *pf, struct ice_rq_event_info *event)
+ struct device *dev;
+ int err = 0;
+
++ /* if de-init is underway, don't process messages from VF */
++ if (test_bit(ICE_VF_DEINIT_IN_PROGRESS, pf->state))
++ return;
++
+ dev = ice_pf_to_dev(pf);
+ if (ice_validate_vf_id(pf, vf_id)) {
+ err = -EINVAL;
+--
+2.30.2
+
--- /dev/null
+From 108b763c7abd701c6d26cdb8b08dfe67912c336c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Jul 2021 23:56:32 +0800
+Subject: ieee802154: hwsim: fix GPF in hwsim_new_edge_nl
+
+From: Dongliang Mu <mudongliangabcd@gmail.com>
+
+[ Upstream commit 889d0e7dc68314a273627d89cbb60c09e1cc1c25 ]
+
+Both MAC802154_HWSIM_ATTR_RADIO_ID and MAC802154_HWSIM_ATTR_RADIO_EDGE
+must be present to fix GPF.
+
+Fixes: f25da51fdc38 ("ieee802154: hwsim: add replacement for fakelb")
+Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
+Acked-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20210707155633.1486603-1-mudongliangabcd@gmail.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ieee802154/mac802154_hwsim.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ieee802154/mac802154_hwsim.c b/drivers/net/ieee802154/mac802154_hwsim.c
+index cae52bfb871e..8caa61ec718f 100644
+--- a/drivers/net/ieee802154/mac802154_hwsim.c
++++ b/drivers/net/ieee802154/mac802154_hwsim.c
+@@ -418,7 +418,7 @@ static int hwsim_new_edge_nl(struct sk_buff *msg, struct genl_info *info)
+ struct hwsim_edge *e;
+ u32 v0, v1;
+
+- if (!info->attrs[MAC802154_HWSIM_ATTR_RADIO_ID] &&
++ if (!info->attrs[MAC802154_HWSIM_ATTR_RADIO_ID] ||
+ !info->attrs[MAC802154_HWSIM_ATTR_RADIO_EDGE])
+ return -EINVAL;
+
+--
+2.30.2
+
--- /dev/null
+From 27518ad9ffce249baf110dc1d3faf797db592f21 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Jul 2021 21:13:20 +0800
+Subject: ieee802154: hwsim: fix GPF in hwsim_set_edge_lqi
+
+From: Dongliang Mu <mudongliangabcd@gmail.com>
+
+[ Upstream commit e9faf53c5a5d01f6f2a09ae28ec63a3bbd6f64fd ]
+
+Both MAC802154_HWSIM_ATTR_RADIO_ID and MAC802154_HWSIM_ATTR_RADIO_EDGE,
+MAC802154_HWSIM_EDGE_ATTR_ENDPOINT_ID and MAC802154_HWSIM_EDGE_ATTR_LQI
+must be present to fix GPF.
+
+Fixes: f25da51fdc38 ("ieee802154: hwsim: add replacement for fakelb")
+Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
+Acked-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20210705131321.217111-1-mudongliangabcd@gmail.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ieee802154/mac802154_hwsim.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ieee802154/mac802154_hwsim.c b/drivers/net/ieee802154/mac802154_hwsim.c
+index ebc976b7fcc2..cae52bfb871e 100644
+--- a/drivers/net/ieee802154/mac802154_hwsim.c
++++ b/drivers/net/ieee802154/mac802154_hwsim.c
+@@ -528,14 +528,14 @@ static int hwsim_set_edge_lqi(struct sk_buff *msg, struct genl_info *info)
+ u32 v0, v1;
+ u8 lqi;
+
+- if (!info->attrs[MAC802154_HWSIM_ATTR_RADIO_ID] &&
++ if (!info->attrs[MAC802154_HWSIM_ATTR_RADIO_ID] ||
+ !info->attrs[MAC802154_HWSIM_ATTR_RADIO_EDGE])
+ return -EINVAL;
+
+ if (nla_parse_nested_deprecated(edge_attrs, MAC802154_HWSIM_EDGE_ATTR_MAX, info->attrs[MAC802154_HWSIM_ATTR_RADIO_EDGE], hwsim_edge_policy, NULL))
+ return -EINVAL;
+
+- if (!edge_attrs[MAC802154_HWSIM_EDGE_ATTR_ENDPOINT_ID] &&
++ if (!edge_attrs[MAC802154_HWSIM_EDGE_ATTR_ENDPOINT_ID] ||
+ !edge_attrs[MAC802154_HWSIM_EDGE_ATTR_LQI])
+ return -EINVAL;
+
+--
+2.30.2
+
--- /dev/null
+From 76e19213bc5fb535ef72a6f70e9a43cf2b5d9c72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jul 2021 10:54:32 -0700
+Subject: interconnect: qcom: icc-rpmh: Add BCMs to commit list in
+ pre_aggregate
+
+From: Mike Tipton <mdtipton@codeaurora.org>
+
+[ Upstream commit f84f5b6f72e68bbaeb850b58ac167e4a3a47532a ]
+
+We're only adding BCMs to the commit list in aggregate(), but there are
+cases where pre_aggregate() is called without subsequently calling
+aggregate(). In particular, in icc_sync_state() when a node with initial
+BW has zero requests. Since BCMs aren't added to the commit list in
+these cases, we don't actually send the zero BW request to HW. So the
+resources remain on unnecessarily.
+
+Add BCMs to the commit list in pre_aggregate() instead, which is always
+called even when there are no requests.
+
+Fixes: 976daac4a1c5 ("interconnect: qcom: Consolidate interconnect RPMh support")
+Signed-off-by: Mike Tipton <mdtipton@codeaurora.org>
+Link: https://lore.kernel.org/r/20210721175432.2119-5-mdtipton@codeaurora.org
+Signed-off-by: Georgi Djakov <djakov@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/interconnect/qcom/icc-rpmh.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/interconnect/qcom/icc-rpmh.c b/drivers/interconnect/qcom/icc-rpmh.c
+index f6fae64861ce..27cc5f03611c 100644
+--- a/drivers/interconnect/qcom/icc-rpmh.c
++++ b/drivers/interconnect/qcom/icc-rpmh.c
+@@ -20,13 +20,18 @@ void qcom_icc_pre_aggregate(struct icc_node *node)
+ {
+ size_t i;
+ struct qcom_icc_node *qn;
++ struct qcom_icc_provider *qp;
+
+ qn = node->data;
++ qp = to_qcom_provider(node->provider);
+
+ for (i = 0; i < QCOM_ICC_NUM_BUCKETS; i++) {
+ qn->sum_avg[i] = 0;
+ qn->max_peak[i] = 0;
+ }
++
++ for (i = 0; i < qn->num_bcms; i++)
++ qcom_icc_bcm_voter_add(qp->voter, qn->bcms[i]);
+ }
+ EXPORT_SYMBOL_GPL(qcom_icc_pre_aggregate);
+
+@@ -44,10 +49,8 @@ int qcom_icc_aggregate(struct icc_node *node, u32 tag, u32 avg_bw,
+ {
+ size_t i;
+ struct qcom_icc_node *qn;
+- struct qcom_icc_provider *qp;
+
+ qn = node->data;
+- qp = to_qcom_provider(node->provider);
+
+ if (!tag)
+ tag = QCOM_ICC_TAG_ALWAYS;
+@@ -67,9 +70,6 @@ int qcom_icc_aggregate(struct icc_node *node, u32 tag, u32 avg_bw,
+ *agg_avg += avg_bw;
+ *agg_peak = max_t(u32, *agg_peak, peak_bw);
+
+- for (i = 0; i < qn->num_bcms; i++)
+- qcom_icc_bcm_voter_add(qp->voter, qn->bcms[i]);
+-
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(qcom_icc_aggregate);
+--
+2.30.2
+
--- /dev/null
+From 45b408299e5be21e8c08a752360f0bc101bfa99a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Aug 2021 21:54:33 +0800
+Subject: io-wq: fix bug of creating io-wokers unconditionally
+
+From: Hao Xu <haoxu@linux.alibaba.com>
+
+[ Upstream commit 49e7f0c789add1330b111af0b7caeb0e87df063e ]
+
+The former patch to add check between nr_workers and max_workers has a
+bug, which will cause unconditionally creating io-workers. That's
+because the result of the check doesn't affect the call of
+create_io_worker(), fix it by bringing in a boolean value for it.
+
+Fixes: 21698274da5b ("io-wq: fix lack of acct->nr_workers < acct->max_workers judgement")
+Signed-off-by: Hao Xu <haoxu@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20210808135434.68667-2-haoxu@linux.alibaba.com
+[axboe: drop hunk that isn't strictly needed]
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/io-wq.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/fs/io-wq.c b/fs/io-wq.c
+index 77026d42cb79..2c8a9a394884 100644
+--- a/fs/io-wq.c
++++ b/fs/io-wq.c
+@@ -283,16 +283,24 @@ static void create_worker_cb(struct callback_head *cb)
+ struct io_wq *wq;
+ struct io_wqe *wqe;
+ struct io_wqe_acct *acct;
++ bool do_create = false;
+
+ cwd = container_of(cb, struct create_worker_data, work);
+ wqe = cwd->wqe;
+ wq = wqe->wq;
+ acct = &wqe->acct[cwd->index];
+ raw_spin_lock_irq(&wqe->lock);
+- if (acct->nr_workers < acct->max_workers)
++ if (acct->nr_workers < acct->max_workers) {
+ acct->nr_workers++;
++ do_create = true;
++ }
+ raw_spin_unlock_irq(&wqe->lock);
+- create_io_worker(wq, cwd->wqe, cwd->index);
++ if (do_create) {
++ create_io_worker(wq, cwd->wqe, cwd->index);
++ } else {
++ atomic_dec(&acct->nr_running);
++ io_worker_ref_put(wq);
++ }
+ kfree(cwd);
+ }
+
+--
+2.30.2
+
--- /dev/null
+From c30b2e989f186b88c165581e19bdc308794ebd1a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Aug 2021 21:54:34 +0800
+Subject: io-wq: fix IO_WORKER_F_FIXED issue in create_io_worker()
+
+From: Hao Xu <haoxu@linux.alibaba.com>
+
+[ Upstream commit 47cae0c71f7a126903f930191e6e9f103674aca1 ]
+
+There may be cases like:
+ A B
+spin_lock(wqe->lock)
+nr_workers is 0
+nr_workers++
+spin_unlock(wqe->lock)
+ spin_lock(wqe->lock)
+ nr_wokers is 1
+ nr_workers++
+ spin_unlock(wqe->lock)
+create_io_worker()
+ acct->worker is 1
+ create_io_worker()
+ acct->worker is 1
+
+There should be one worker marked IO_WORKER_F_FIXED, but no one is.
+Fix this by introduce a new agrument for create_io_worker() to indicate
+if it is the first worker.
+
+Fixes: 3d4e4face9c1 ("io-wq: fix no lock protection of acct->nr_worker")
+Signed-off-by: Hao Xu <haoxu@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20210808135434.68667-3-haoxu@linux.alibaba.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/io-wq.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/fs/io-wq.c b/fs/io-wq.c
+index 2c8a9a394884..91b0d1fb90eb 100644
+--- a/fs/io-wq.c
++++ b/fs/io-wq.c
+@@ -130,7 +130,7 @@ struct io_cb_cancel_data {
+ bool cancel_all;
+ };
+
+-static void create_io_worker(struct io_wq *wq, struct io_wqe *wqe, int index);
++static void create_io_worker(struct io_wq *wq, struct io_wqe *wqe, int index, bool first);
+ static void io_wqe_dec_running(struct io_worker *worker);
+
+ static bool io_worker_get(struct io_worker *worker)
+@@ -249,18 +249,20 @@ static void io_wqe_wake_worker(struct io_wqe *wqe, struct io_wqe_acct *acct)
+ rcu_read_unlock();
+
+ if (!ret) {
+- bool do_create = false;
++ bool do_create = false, first = false;
+
+ raw_spin_lock_irq(&wqe->lock);
+ if (acct->nr_workers < acct->max_workers) {
+ atomic_inc(&acct->nr_running);
+ atomic_inc(&wqe->wq->worker_refs);
++ if (!acct->nr_workers)
++ first = true;
+ acct->nr_workers++;
+ do_create = true;
+ }
+ raw_spin_unlock_irq(&wqe->lock);
+ if (do_create)
+- create_io_worker(wqe->wq, wqe, acct->index);
++ create_io_worker(wqe->wq, wqe, acct->index, first);
+ }
+ }
+
+@@ -283,7 +285,7 @@ static void create_worker_cb(struct callback_head *cb)
+ struct io_wq *wq;
+ struct io_wqe *wqe;
+ struct io_wqe_acct *acct;
+- bool do_create = false;
++ bool do_create = false, first = false;
+
+ cwd = container_of(cb, struct create_worker_data, work);
+ wqe = cwd->wqe;
+@@ -291,12 +293,14 @@ static void create_worker_cb(struct callback_head *cb)
+ acct = &wqe->acct[cwd->index];
+ raw_spin_lock_irq(&wqe->lock);
+ if (acct->nr_workers < acct->max_workers) {
++ if (!acct->nr_workers)
++ first = true;
+ acct->nr_workers++;
+ do_create = true;
+ }
+ raw_spin_unlock_irq(&wqe->lock);
+ if (do_create) {
+- create_io_worker(wq, cwd->wqe, cwd->index);
++ create_io_worker(wq, wqe, cwd->index, first);
+ } else {
+ atomic_dec(&acct->nr_running);
+ io_worker_ref_put(wq);
+@@ -642,7 +646,7 @@ void io_wq_worker_sleeping(struct task_struct *tsk)
+ raw_spin_unlock_irq(&worker->wqe->lock);
+ }
+
+-static void create_io_worker(struct io_wq *wq, struct io_wqe *wqe, int index)
++static void create_io_worker(struct io_wq *wq, struct io_wqe *wqe, int index, bool first)
+ {
+ struct io_wqe_acct *acct = &wqe->acct[index];
+ struct io_worker *worker;
+@@ -683,7 +687,7 @@ fail:
+ worker->flags |= IO_WORKER_F_FREE;
+ if (index == IO_WQ_ACCT_BOUND)
+ worker->flags |= IO_WORKER_F_BOUND;
+- if ((acct->nr_workers == 1) && (worker->flags & IO_WORKER_F_BOUND))
++ if (first && (worker->flags & IO_WORKER_F_BOUND))
+ worker->flags |= IO_WORKER_F_FIXED;
+ raw_spin_unlock_irq(&wqe->lock);
+ wake_up_new_task(tsk);
+--
+2.30.2
+
--- /dev/null
+From 3bd1d80318a9736f4809128ded5bdbb849b058c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Aug 2021 17:13:41 -0700
+Subject: io_uring: clear TIF_NOTIFY_SIGNAL when running task work
+
+From: Nadav Amit <namit@vmware.com>
+
+[ Upstream commit ef98eb0409c31c39ab55ff46b2721c3b4f84c122 ]
+
+When using SQPOLL, the submission queue polling thread calls
+task_work_run() to run queued work. However, when work is added with
+TWA_SIGNAL - as done by io_uring itself - the TIF_NOTIFY_SIGNAL remains
+set afterwards and is never cleared.
+
+Consequently, when the submission queue polling thread checks whether
+signal_pending(), it may always find a pending signal, if
+task_work_add() was ever called before.
+
+The impact of this bug might be different on different kernel versions.
+It appears that on 5.14 it would only cause unnecessary calculation and
+prevent the polling thread from sleeping. On 5.13, where the bug was
+found, it stops the polling thread from finding newly submitted work.
+
+Instead of task_work_run(), use tracehook_notify_signal() that clears
+TIF_NOTIFY_SIGNAL. Test for TIF_NOTIFY_SIGNAL in addition to
+current->task_works to avoid a race in which task_works is cleared but
+the TIF_NOTIFY_SIGNAL is set.
+
+Fixes: 685fe7feedb96 ("io-wq: eliminate the need for a manager thread")
+Cc: Jens Axboe <axboe@kernel.dk>
+Cc: Pavel Begunkov <asml.silence@gmail.com>
+Signed-off-by: Nadav Amit <namit@vmware.com>
+Link: https://lore.kernel.org/r/20210808001342.964634-2-namit@vmware.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/io_uring.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/fs/io_uring.c b/fs/io_uring.c
+index 32f3df13a812..8a8507cab580 100644
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -78,6 +78,7 @@
+ #include <linux/task_work.h>
+ #include <linux/pagemap.h>
+ #include <linux/io_uring.h>
++#include <linux/tracehook.h>
+
+ #define CREATE_TRACE_POINTS
+ #include <trace/events/io_uring.h>
+@@ -2250,9 +2251,9 @@ static inline unsigned int io_put_rw_kbuf(struct io_kiocb *req)
+
+ static inline bool io_run_task_work(void)
+ {
+- if (current->task_works) {
++ if (test_thread_flag(TIF_NOTIFY_SIGNAL) || current->task_works) {
+ __set_current_state(TASK_RUNNING);
+- task_work_run();
++ tracehook_notify_signal();
+ return true;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 83c7009971a1fbd8115dcaf3300a648218a6189d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Jul 2021 16:09:21 -0700
+Subject: libbpf: Do not close un-owned FD 0 on errors
+
+From: Daniel Xu <dxu@dxuuu.xyz>
+
+[ Upstream commit c34c338a40e4f3b6f80889cd17fd9281784d1c32 ]
+
+Before this patch, btf_new() was liable to close an arbitrary FD 0 if
+BTF parsing failed. This was because:
+
+* btf->fd was initialized to 0 through the calloc()
+* btf__free() (in the `done` label) closed any FDs >= 0
+* btf->fd is left at 0 if parsing fails
+
+This issue was discovered on a system using libbpf v0.3 (without
+BTF_KIND_FLOAT support) but with a kernel that had BTF_KIND_FLOAT types
+in BTF. Thus, parsing fails.
+
+While this patch technically doesn't fix any issues b/c upstream libbpf
+has BTF_KIND_FLOAT support, it'll help prevent issues in the future if
+more BTF types are added. It also allow the fix to be backported to
+older libbpf's.
+
+Fixes: 3289959b97ca ("libbpf: Support BTF loading and raw data output in both endianness")
+Signed-off-by: Daniel Xu <dxu@dxuuu.xyz>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Yonghong Song <yhs@fb.com>
+Link: https://lore.kernel.org/bpf/5969bb991adedb03c6ae93e051fd2a00d293cf25.1627513670.git.dxu@dxuuu.xyz
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/btf.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/tools/lib/bpf/btf.c b/tools/lib/bpf/btf.c
+index d57e13a13798..1d9e5b35524c 100644
+--- a/tools/lib/bpf/btf.c
++++ b/tools/lib/bpf/btf.c
+@@ -805,6 +805,7 @@ static struct btf *btf_new(const void *data, __u32 size, struct btf *base_btf)
+ btf->nr_types = 0;
+ btf->start_id = 1;
+ btf->start_str_off = 0;
++ btf->fd = -1;
+
+ if (base_btf) {
+ btf->base_btf = base_btf;
+@@ -833,8 +834,6 @@ static struct btf *btf_new(const void *data, __u32 size, struct btf *base_btf)
+ if (err)
+ goto done;
+
+- btf->fd = -1;
+-
+ done:
+ if (err) {
+ btf__free(btf);
+--
+2.30.2
+
--- /dev/null
+From 19618fe1b0c496835c9b5add0e750c9366f546cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Jul 2021 00:58:25 +0200
+Subject: libbpf: Fix probe for BPF_PROG_TYPE_CGROUP_SOCKOPT
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Robin Gögge <r.goegge@googlemail.com>
+
+[ Upstream commit 78d14bda861dd2729f15bb438fe355b48514bfe0 ]
+
+This patch fixes the probe for BPF_PROG_TYPE_CGROUP_SOCKOPT,
+so the probe reports accurate results when used by e.g.
+bpftool.
+
+Fixes: 4cdbfb59c44a ("libbpf: support sockopt hooks")
+Signed-off-by: Robin Gögge <r.goegge@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Quentin Monnet <quentin@isovalent.com>
+Link: https://lore.kernel.org/bpf/20210728225825.2357586-1-r.goegge@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/libbpf_probes.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/libbpf_probes.c b/tools/lib/bpf/libbpf_probes.c
+index ecaae2927ab8..cd8c703dde71 100644
+--- a/tools/lib/bpf/libbpf_probes.c
++++ b/tools/lib/bpf/libbpf_probes.c
+@@ -75,6 +75,9 @@ probe_load(enum bpf_prog_type prog_type, const struct bpf_insn *insns,
+ case BPF_PROG_TYPE_CGROUP_SOCK_ADDR:
+ xattr.expected_attach_type = BPF_CGROUP_INET4_CONNECT;
+ break;
++ case BPF_PROG_TYPE_CGROUP_SOCKOPT:
++ xattr.expected_attach_type = BPF_CGROUP_GETSOCKOPT;
++ break;
+ case BPF_PROG_TYPE_SK_LOOKUP:
+ xattr.expected_attach_type = BPF_SK_LOOKUP;
+ break;
+@@ -104,7 +107,6 @@ probe_load(enum bpf_prog_type prog_type, const struct bpf_insn *insns,
+ case BPF_PROG_TYPE_SK_REUSEPORT:
+ case BPF_PROG_TYPE_FLOW_DISSECTOR:
+ case BPF_PROG_TYPE_CGROUP_SYSCTL:
+- case BPF_PROG_TYPE_CGROUP_SOCKOPT:
+ case BPF_PROG_TYPE_TRACING:
+ case BPF_PROG_TYPE_STRUCT_OPS:
+ case BPF_PROG_TYPE_EXT:
+--
+2.30.2
+
--- /dev/null
+From 3b4339a7b6e6475341cee98d5aa12de6b0024481 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Aug 2021 23:13:30 +0800
+Subject: nbd: Aovid double completion of a request
+
+From: Xie Yongji <xieyongji@bytedance.com>
+
+[ Upstream commit cddce01160582a5f52ada3da9626c052d852ec42 ]
+
+There is a race between iterating over requests in
+nbd_clear_que() and completing requests in recv_work(),
+which can lead to double completion of a request.
+
+To fix it, flush the recv worker before iterating over
+the requests and don't abort the completed request
+while iterating.
+
+Fixes: 96d97e17828f ("nbd: clear_sock on netlink disconnect")
+Reported-by: Jiang Yadong <jiangyadong@bytedance.com>
+Signed-off-by: Xie Yongji <xieyongji@bytedance.com>
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Link: https://lore.kernel.org/r/20210813151330.96-1-xieyongji@bytedance.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/nbd.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
+index 45d2c28c8fc8..1061894a55df 100644
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -805,6 +805,10 @@ static bool nbd_clear_req(struct request *req, void *data, bool reserved)
+ {
+ struct nbd_cmd *cmd = blk_mq_rq_to_pdu(req);
+
++ /* don't abort one completed request */
++ if (blk_mq_request_completed(req))
++ return true;
++
+ mutex_lock(&cmd->lock);
+ cmd->status = BLK_STS_IOERR;
+ mutex_unlock(&cmd->lock);
+@@ -1973,15 +1977,19 @@ static void nbd_disconnect_and_put(struct nbd_device *nbd)
+ {
+ mutex_lock(&nbd->config_lock);
+ nbd_disconnect(nbd);
+- nbd_clear_sock(nbd);
+- mutex_unlock(&nbd->config_lock);
++ sock_shutdown(nbd);
+ /*
+ * Make sure recv thread has finished, so it does not drop the last
+ * config ref and try to destroy the workqueue from inside the work
+- * queue.
++ * queue. And this also ensure that we can safely call nbd_clear_que()
++ * to cancel the inflight I/Os.
+ */
+ if (nbd->recv_workq)
+ flush_workqueue(nbd->recv_workq);
++ nbd_clear_que(nbd);
++ nbd->task_setup = NULL;
++ mutex_unlock(&nbd->config_lock);
++
+ if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF,
+ &nbd->config->runtime_flags))
+ nbd_config_put(nbd);
+--
+2.30.2
+
--- /dev/null
+From 28c39d51b518546d24e4b7d47cef632756e36905 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 14:00:10 +0300
+Subject: net: bridge: fix flags interpretation for extern learn fdb entries
+
+From: Nikolay Aleksandrov <nikolay@nvidia.com>
+
+[ Upstream commit 45a687879b31caae4032abd1c2402e289d2b8083 ]
+
+Ignore fdb flags when adding port extern learn entries and always set
+BR_FDB_LOCAL flag when adding bridge extern learn entries. This is
+closest to the behaviour we had before and avoids breaking any use cases
+which were allowed.
+
+This patch fixes iproute2 calls which assume NUD_PERMANENT and were
+allowed before, example:
+$ bridge fdb add 00:11:22:33:44:55 dev swp1 extern_learn
+
+Extern learn entries are allowed to roam, but do not expire, so static
+or dynamic flags make no sense for them.
+
+Also add a comment for future reference.
+
+Fixes: eb100e0e24a2 ("net: bridge: allow to add externally learned entries from user-space")
+Fixes: 0541a6293298 ("net: bridge: validate the NUD_PERMANENT bit when adding an extern_learn FDB entry")
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Tested-by: Ido Schimmel <idosch@nvidia.com>
+Signed-off-by: Nikolay Aleksandrov <nikolay@nvidia.com>
+Reviewed-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Link: https://lore.kernel.org/r/20210810110010.43859-1-razor@blackwall.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/neighbour.h | 7 +++++--
+ net/bridge/br.c | 3 +--
+ net/bridge/br_fdb.c | 11 ++++-------
+ net/bridge/br_private.h | 2 +-
+ 4 files changed, 11 insertions(+), 12 deletions(-)
+
+diff --git a/include/uapi/linux/neighbour.h b/include/uapi/linux/neighbour.h
+index dc8b72201f6c..00a60695fa53 100644
+--- a/include/uapi/linux/neighbour.h
++++ b/include/uapi/linux/neighbour.h
+@@ -66,8 +66,11 @@ enum {
+ #define NUD_NONE 0x00
+
+ /* NUD_NOARP & NUD_PERMANENT are pseudostates, they never change
+- and make no address resolution or NUD.
+- NUD_PERMANENT also cannot be deleted by garbage collectors.
++ * and make no address resolution or NUD.
++ * NUD_PERMANENT also cannot be deleted by garbage collectors.
++ * When NTF_EXT_LEARNED is set for a bridge fdb entry the different cache entry
++ * states don't make sense and thus are ignored. Such entries don't age and
++ * can roam.
+ */
+
+ struct nda_cacheinfo {
+diff --git a/net/bridge/br.c b/net/bridge/br.c
+index bbab9984f24e..ef743f94254d 100644
+--- a/net/bridge/br.c
++++ b/net/bridge/br.c
+@@ -166,8 +166,7 @@ static int br_switchdev_event(struct notifier_block *unused,
+ case SWITCHDEV_FDB_ADD_TO_BRIDGE:
+ fdb_info = ptr;
+ err = br_fdb_external_learn_add(br, p, fdb_info->addr,
+- fdb_info->vid,
+- fdb_info->is_local, false);
++ fdb_info->vid, false);
+ if (err) {
+ err = notifier_from_errno(err);
+ break;
+diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
+index 87ce52bba649..3451c888ff79 100644
+--- a/net/bridge/br_fdb.c
++++ b/net/bridge/br_fdb.c
+@@ -1026,10 +1026,7 @@ static int __br_fdb_add(struct ndmsg *ndm, struct net_bridge *br,
+ "FDB entry towards bridge must be permanent");
+ return -EINVAL;
+ }
+-
+- err = br_fdb_external_learn_add(br, p, addr, vid,
+- ndm->ndm_state & NUD_PERMANENT,
+- true);
++ err = br_fdb_external_learn_add(br, p, addr, vid, true);
+ } else {
+ spin_lock_bh(&br->hash_lock);
+ err = fdb_add_entry(br, p, addr, ndm, nlh_flags, vid, nfea_tb);
+@@ -1257,7 +1254,7 @@ void br_fdb_unsync_static(struct net_bridge *br, struct net_bridge_port *p)
+ }
+
+ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
+- const unsigned char *addr, u16 vid, bool is_local,
++ const unsigned char *addr, u16 vid,
+ bool swdev_notify)
+ {
+ struct net_bridge_fdb_entry *fdb;
+@@ -1275,7 +1272,7 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
+ if (swdev_notify)
+ flags |= BIT(BR_FDB_ADDED_BY_USER);
+
+- if (is_local)
++ if (!p)
+ flags |= BIT(BR_FDB_LOCAL);
+
+ fdb = fdb_create(br, p, addr, vid, flags);
+@@ -1304,7 +1301,7 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
+ if (swdev_notify)
+ set_bit(BR_FDB_ADDED_BY_USER, &fdb->flags);
+
+- if (is_local)
++ if (!p)
+ set_bit(BR_FDB_LOCAL, &fdb->flags);
+
+ if (modified)
+diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
+index 4e3d26e0a2d1..e013d33f1c7c 100644
+--- a/net/bridge/br_private.h
++++ b/net/bridge/br_private.h
+@@ -707,7 +707,7 @@ int br_fdb_get(struct sk_buff *skb, struct nlattr *tb[], struct net_device *dev,
+ int br_fdb_sync_static(struct net_bridge *br, struct net_bridge_port *p);
+ void br_fdb_unsync_static(struct net_bridge *br, struct net_bridge_port *p);
+ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
+- const unsigned char *addr, u16 vid, bool is_local,
++ const unsigned char *addr, u16 vid,
+ bool swdev_notify);
+ int br_fdb_external_learn_del(struct net_bridge *br, struct net_bridge_port *p,
+ const unsigned char *addr, u16 vid,
+--
+2.30.2
+
--- /dev/null
+From 2a0cc0e38638d3e0c481bf8c542c9aa484477c98 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Aug 2021 21:20:23 +0800
+Subject: net: bridge: fix memleak in br_add_if()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 519133debcc19f5c834e7e28480b60bdc234fe02 ]
+
+I got a memleak report:
+
+BUG: memory leak
+unreferenced object 0x607ee521a658 (size 240):
+comm "syz-executor.0", pid 955, jiffies 4294780569 (age 16.449s)
+hex dump (first 32 bytes, cpu 1):
+00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+backtrace:
+[<00000000d830ea5a>] br_multicast_add_port+0x1c2/0x300 net/bridge/br_multicast.c:1693
+[<00000000274d9a71>] new_nbp net/bridge/br_if.c:435 [inline]
+[<00000000274d9a71>] br_add_if+0x670/0x1740 net/bridge/br_if.c:611
+[<0000000012ce888e>] do_set_master net/core/rtnetlink.c:2513 [inline]
+[<0000000012ce888e>] do_set_master+0x1aa/0x210 net/core/rtnetlink.c:2487
+[<0000000099d1cafc>] __rtnl_newlink+0x1095/0x13e0 net/core/rtnetlink.c:3457
+[<00000000a01facc0>] rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3488
+[<00000000acc9186c>] rtnetlink_rcv_msg+0x369/0xa10 net/core/rtnetlink.c:5550
+[<00000000d4aabb9c>] netlink_rcv_skb+0x134/0x3d0 net/netlink/af_netlink.c:2504
+[<00000000bc2e12a3>] netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]
+[<00000000bc2e12a3>] netlink_unicast+0x4a0/0x6a0 net/netlink/af_netlink.c:1340
+[<00000000e4dc2d0e>] netlink_sendmsg+0x789/0xc70 net/netlink/af_netlink.c:1929
+[<000000000d22c8b3>] sock_sendmsg_nosec net/socket.c:654 [inline]
+[<000000000d22c8b3>] sock_sendmsg+0x139/0x170 net/socket.c:674
+[<00000000e281417a>] ____sys_sendmsg+0x658/0x7d0 net/socket.c:2350
+[<00000000237aa2ab>] ___sys_sendmsg+0xf8/0x170 net/socket.c:2404
+[<000000004f2dc381>] __sys_sendmsg+0xd3/0x190 net/socket.c:2433
+[<0000000005feca6c>] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:47
+[<000000007304477d>] entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+On error path of br_add_if(), p->mcast_stats allocated in
+new_nbp() need be freed, or it will be leaked.
+
+Fixes: 1080ab95e3c7 ("net: bridge: add support for IGMP/MLD stats and export them via netlink")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Acked-by: Nikolay Aleksandrov <nikolay@nvidia.com>
+Link: https://lore.kernel.org/r/20210809132023.978546-1-yangyingliang@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_if.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c
+index 6e4a32354a13..14cd6ef96111 100644
+--- a/net/bridge/br_if.c
++++ b/net/bridge/br_if.c
+@@ -616,6 +616,7 @@ int br_add_if(struct net_bridge *br, struct net_device *dev,
+
+ err = dev_set_allmulti(dev, 1);
+ if (err) {
++ br_multicast_del_port(p);
+ kfree(p); /* kobject not yet init'd, manually free */
+ goto err1;
+ }
+@@ -729,6 +730,7 @@ err4:
+ err3:
+ sysfs_remove_link(br->ifobj, p->dev->name);
+ err2:
++ br_multicast_del_port(p);
+ kobject_put(&p->kobj);
+ dev_set_allmulti(dev, -1);
+ err1:
+--
+2.30.2
+
--- /dev/null
+From a35a88b94fea9d50ec2a1b3c42025a3959bead90 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 14:19:53 +0300
+Subject: net: dsa: hellcreek: fix broken backpressure in .port_fdb_dump
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit cd391280bf4693ceddca8f19042cff42f98c1a89 ]
+
+rtnl_fdb_dump() has logic to split a dump of PF_BRIDGE neighbors into
+multiple netlink skbs if the buffer provided by user space is too small
+(one buffer will typically handle a few hundred FDB entries).
+
+When the current buffer becomes full, nlmsg_put() in
+dsa_slave_port_fdb_do_dump() returns -EMSGSIZE and DSA saves the index
+of the last dumped FDB entry, returns to rtnl_fdb_dump() up to that
+point, and then the dump resumes on the same port with a new skb, and
+FDB entries up to the saved index are simply skipped.
+
+Since dsa_slave_port_fdb_do_dump() is pointed to by the "cb" passed to
+drivers, then drivers must check for the -EMSGSIZE error code returned
+by it. Otherwise, when a netlink skb becomes full, DSA will no longer
+save newly dumped FDB entries to it, but the driver will continue
+dumping. So FDB entries will be missing from the dump.
+
+Fix the broken backpressure by propagating the "cb" return code and
+allow rtnl_fdb_dump() to restart the FDB dump with a new skb.
+
+Fixes: e4b27ebc780f ("net: dsa: Add DSA driver for Hirschmann Hellcreek switches")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Acked-by: Kurt Kanzenbach <kurt@linutronix.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/hirschmann/hellcreek.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/dsa/hirschmann/hellcreek.c b/drivers/net/dsa/hirschmann/hellcreek.c
+index 4d78219da253..50109218baad 100644
+--- a/drivers/net/dsa/hirschmann/hellcreek.c
++++ b/drivers/net/dsa/hirschmann/hellcreek.c
+@@ -912,6 +912,7 @@ static int hellcreek_fdb_dump(struct dsa_switch *ds, int port,
+ {
+ struct hellcreek *hellcreek = ds->priv;
+ u16 entries;
++ int ret = 0;
+ size_t i;
+
+ mutex_lock(&hellcreek->reg_lock);
+@@ -944,12 +945,14 @@ static int hellcreek_fdb_dump(struct dsa_switch *ds, int port,
+ if (!(entry.portmask & BIT(port)))
+ continue;
+
+- cb(entry.mac, 0, entry.is_static, data);
++ ret = cb(entry.mac, 0, entry.is_static, data);
++ if (ret)
++ break;
+ }
+
+ mutex_unlock(&hellcreek->reg_lock);
+
+- return 0;
++ return ret;
+ }
+
+ static int hellcreek_vlan_filtering(struct dsa_switch *ds, int port,
+--
+2.30.2
+
--- /dev/null
+From 70050b5d9a505471726a0d4c6d770077a48ccb89 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 14:19:54 +0300
+Subject: net: dsa: lan9303: fix broken backpressure in .port_fdb_dump
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit ada2fee185d8145afb89056558bb59545b9dbdd0 ]
+
+rtnl_fdb_dump() has logic to split a dump of PF_BRIDGE neighbors into
+multiple netlink skbs if the buffer provided by user space is too small
+(one buffer will typically handle a few hundred FDB entries).
+
+When the current buffer becomes full, nlmsg_put() in
+dsa_slave_port_fdb_do_dump() returns -EMSGSIZE and DSA saves the index
+of the last dumped FDB entry, returns to rtnl_fdb_dump() up to that
+point, and then the dump resumes on the same port with a new skb, and
+FDB entries up to the saved index are simply skipped.
+
+Since dsa_slave_port_fdb_do_dump() is pointed to by the "cb" passed to
+drivers, then drivers must check for the -EMSGSIZE error code returned
+by it. Otherwise, when a netlink skb becomes full, DSA will no longer
+save newly dumped FDB entries to it, but the driver will continue
+dumping. So FDB entries will be missing from the dump.
+
+Fix the broken backpressure by propagating the "cb" return code and
+allow rtnl_fdb_dump() to restart the FDB dump with a new skb.
+
+Fixes: ab335349b852 ("net: dsa: lan9303: Add port_fast_age and port_fdb_dump methods")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/lan9303-core.c | 34 +++++++++++++++++++---------------
+ 1 file changed, 19 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/net/dsa/lan9303-core.c b/drivers/net/dsa/lan9303-core.c
+index 344374025426..d7ce281570b5 100644
+--- a/drivers/net/dsa/lan9303-core.c
++++ b/drivers/net/dsa/lan9303-core.c
+@@ -557,12 +557,12 @@ static int lan9303_alr_make_entry_raw(struct lan9303 *chip, u32 dat0, u32 dat1)
+ return 0;
+ }
+
+-typedef void alr_loop_cb_t(struct lan9303 *chip, u32 dat0, u32 dat1,
+- int portmap, void *ctx);
++typedef int alr_loop_cb_t(struct lan9303 *chip, u32 dat0, u32 dat1,
++ int portmap, void *ctx);
+
+-static void lan9303_alr_loop(struct lan9303 *chip, alr_loop_cb_t *cb, void *ctx)
++static int lan9303_alr_loop(struct lan9303 *chip, alr_loop_cb_t *cb, void *ctx)
+ {
+- int i;
++ int ret = 0, i;
+
+ mutex_lock(&chip->alr_mutex);
+ lan9303_write_switch_reg(chip, LAN9303_SWE_ALR_CMD,
+@@ -582,13 +582,17 @@ static void lan9303_alr_loop(struct lan9303 *chip, alr_loop_cb_t *cb, void *ctx)
+ LAN9303_ALR_DAT1_PORT_BITOFFS;
+ portmap = alrport_2_portmap[alrport];
+
+- cb(chip, dat0, dat1, portmap, ctx);
++ ret = cb(chip, dat0, dat1, portmap, ctx);
++ if (ret)
++ break;
+
+ lan9303_write_switch_reg(chip, LAN9303_SWE_ALR_CMD,
+ LAN9303_ALR_CMD_GET_NEXT);
+ lan9303_write_switch_reg(chip, LAN9303_SWE_ALR_CMD, 0);
+ }
+ mutex_unlock(&chip->alr_mutex);
++
++ return ret;
+ }
+
+ static void alr_reg_to_mac(u32 dat0, u32 dat1, u8 mac[6])
+@@ -606,18 +610,20 @@ struct del_port_learned_ctx {
+ };
+
+ /* Clear learned (non-static) entry on given port */
+-static void alr_loop_cb_del_port_learned(struct lan9303 *chip, u32 dat0,
+- u32 dat1, int portmap, void *ctx)
++static int alr_loop_cb_del_port_learned(struct lan9303 *chip, u32 dat0,
++ u32 dat1, int portmap, void *ctx)
+ {
+ struct del_port_learned_ctx *del_ctx = ctx;
+ int port = del_ctx->port;
+
+ if (((BIT(port) & portmap) == 0) || (dat1 & LAN9303_ALR_DAT1_STATIC))
+- return;
++ return 0;
+
+ /* learned entries has only one port, we can just delete */
+ dat1 &= ~LAN9303_ALR_DAT1_VALID; /* delete entry */
+ lan9303_alr_make_entry_raw(chip, dat0, dat1);
++
++ return 0;
+ }
+
+ struct port_fdb_dump_ctx {
+@@ -626,19 +632,19 @@ struct port_fdb_dump_ctx {
+ dsa_fdb_dump_cb_t *cb;
+ };
+
+-static void alr_loop_cb_fdb_port_dump(struct lan9303 *chip, u32 dat0,
+- u32 dat1, int portmap, void *ctx)
++static int alr_loop_cb_fdb_port_dump(struct lan9303 *chip, u32 dat0,
++ u32 dat1, int portmap, void *ctx)
+ {
+ struct port_fdb_dump_ctx *dump_ctx = ctx;
+ u8 mac[ETH_ALEN];
+ bool is_static;
+
+ if ((BIT(dump_ctx->port) & portmap) == 0)
+- return;
++ return 0;
+
+ alr_reg_to_mac(dat0, dat1, mac);
+ is_static = !!(dat1 & LAN9303_ALR_DAT1_STATIC);
+- dump_ctx->cb(mac, 0, is_static, dump_ctx->data);
++ return dump_ctx->cb(mac, 0, is_static, dump_ctx->data);
+ }
+
+ /* Set a static ALR entry. Delete entry if port_map is zero */
+@@ -1210,9 +1216,7 @@ static int lan9303_port_fdb_dump(struct dsa_switch *ds, int port,
+ };
+
+ dev_dbg(chip->dev, "%s(%d)\n", __func__, port);
+- lan9303_alr_loop(chip, alr_loop_cb_fdb_port_dump, &dump_ctx);
+-
+- return 0;
++ return lan9303_alr_loop(chip, alr_loop_cb_fdb_port_dump, &dump_ctx);
+ }
+
+ static int lan9303_port_mdb_prepare(struct dsa_switch *ds, int port,
+--
+2.30.2
+
--- /dev/null
+From b443b08b892fc2493c8d555d8574e4d5d07e2942 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 14:19:55 +0300
+Subject: net: dsa: lantiq: fix broken backpressure in .port_fdb_dump
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 871a73a1c8f55da0a3db234e9dd816ea4fd546f2 ]
+
+rtnl_fdb_dump() has logic to split a dump of PF_BRIDGE neighbors into
+multiple netlink skbs if the buffer provided by user space is too small
+(one buffer will typically handle a few hundred FDB entries).
+
+When the current buffer becomes full, nlmsg_put() in
+dsa_slave_port_fdb_do_dump() returns -EMSGSIZE and DSA saves the index
+of the last dumped FDB entry, returns to rtnl_fdb_dump() up to that
+point, and then the dump resumes on the same port with a new skb, and
+FDB entries up to the saved index are simply skipped.
+
+Since dsa_slave_port_fdb_do_dump() is pointed to by the "cb" passed to
+drivers, then drivers must check for the -EMSGSIZE error code returned
+by it. Otherwise, when a netlink skb becomes full, DSA will no longer
+save newly dumped FDB entries to it, but the driver will continue
+dumping. So FDB entries will be missing from the dump.
+
+Fix the broken backpressure by propagating the "cb" return code and
+allow rtnl_fdb_dump() to restart the FDB dump with a new skb.
+
+Fixes: 58c59ef9e930 ("net: dsa: lantiq: Add Forwarding Database access")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/lantiq_gswip.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/dsa/lantiq_gswip.c b/drivers/net/dsa/lantiq_gswip.c
+index 314ae78bbdd6..e78026ef6d8c 100644
+--- a/drivers/net/dsa/lantiq_gswip.c
++++ b/drivers/net/dsa/lantiq_gswip.c
+@@ -1404,11 +1404,17 @@ static int gswip_port_fdb_dump(struct dsa_switch *ds, int port,
+ addr[1] = mac_bridge.key[2] & 0xff;
+ addr[0] = (mac_bridge.key[2] >> 8) & 0xff;
+ if (mac_bridge.val[1] & GSWIP_TABLE_MAC_BRIDGE_STATIC) {
+- if (mac_bridge.val[0] & BIT(port))
+- cb(addr, 0, true, data);
++ if (mac_bridge.val[0] & BIT(port)) {
++ err = cb(addr, 0, true, data);
++ if (err)
++ return err;
++ }
+ } else {
+- if (((mac_bridge.val[0] & GENMASK(7, 4)) >> 4) == port)
+- cb(addr, 0, false, data);
++ if (((mac_bridge.val[0] & GENMASK(7, 4)) >> 4) == port) {
++ err = cb(addr, 0, false, data);
++ if (err)
++ return err;
++ }
+ }
+ }
+ return 0;
+--
+2.30.2
+
--- /dev/null
+From 798f43afe941204031a9d4b8a8d0be00a36e13ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 00:59:12 +0200
+Subject: net: dsa: microchip: Fix ksz_read64()
+
+From: Ben Hutchings <ben.hutchings@mind.be>
+
+[ Upstream commit c34f674c8875235725c3ef86147a627f165d23b4 ]
+
+ksz_read64() currently does some dubious byte-swapping on the two
+halves of a 64-bit register, and then only returns the high bits.
+Replace this with a straightforward expression.
+
+Fixes: e66f840c08a2 ("net: dsa: ksz: Add Microchip KSZ8795 DSA driver")
+Signed-off-by: Ben Hutchings <ben.hutchings@mind.be>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/microchip/ksz_common.h | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/dsa/microchip/ksz_common.h b/drivers/net/dsa/microchip/ksz_common.h
+index 2e6bfd333f50..6afbb41ad39e 100644
+--- a/drivers/net/dsa/microchip/ksz_common.h
++++ b/drivers/net/dsa/microchip/ksz_common.h
+@@ -205,12 +205,8 @@ static inline int ksz_read64(struct ksz_device *dev, u32 reg, u64 *val)
+ int ret;
+
+ ret = regmap_bulk_read(dev->regmap[2], reg, value, 2);
+- if (!ret) {
+- /* Ick! ToDo: Add 64bit R/W to regmap on 32bit systems */
+- value[0] = swab32(value[0]);
+- value[1] = swab32(value[1]);
+- *val = swab64((u64)*value);
+- }
++ if (!ret)
++ *val = (u64)value[0] << 32 | value[1];
+
+ return ret;
+ }
+--
+2.30.2
+
--- /dev/null
+From 68fc3dc67e0fcd6d810f04d28dbcc8148f588d81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 01:00:15 +0200
+Subject: net: dsa: microchip: ksz8795: Don't use phy_port_cnt in VLAN table
+ lookup
+
+From: Ben Hutchings <ben.hutchings@mind.be>
+
+[ Upstream commit 411d466d94a6b16a20c8b552e403b7e8ce2397a2 ]
+
+The magic number 4 in VLAN table lookup was the number of entries we
+can read and write at once. Using phy_port_cnt here doesn't make
+sense and presumably broke VLAN filtering for 3-port switches. Change
+it back to 4.
+
+Fixes: 4ce2a984abd8 ("net: dsa: microchip: ksz8795: use phy_port_cnt ...")
+Signed-off-by: Ben Hutchings <ben.hutchings@mind.be>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/microchip/ksz8795.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/dsa/microchip/ksz8795.c b/drivers/net/dsa/microchip/ksz8795.c
+index 8e2a8103d590..8eb9a45c98cf 100644
+--- a/drivers/net/dsa/microchip/ksz8795.c
++++ b/drivers/net/dsa/microchip/ksz8795.c
+@@ -684,8 +684,8 @@ static void ksz8_r_vlan_entries(struct ksz_device *dev, u16 addr)
+ shifts = ksz8->shifts;
+
+ ksz8_r_table(dev, TABLE_VLAN, addr, &data);
+- addr *= dev->phy_port_cnt;
+- for (i = 0; i < dev->phy_port_cnt; i++) {
++ addr *= 4;
++ for (i = 0; i < 4; i++) {
+ dev->vlan_cache[addr + i].table[0] = (u16)data;
+ data >>= shifts[VLAN_TABLE];
+ }
+@@ -699,7 +699,7 @@ static void ksz8_r_vlan_table(struct ksz_device *dev, u16 vid, u16 *vlan)
+ u64 buf;
+
+ data = (u16 *)&buf;
+- addr = vid / dev->phy_port_cnt;
++ addr = vid / 4;
+ index = vid & 3;
+ ksz8_r_table(dev, TABLE_VLAN, addr, &buf);
+ *vlan = data[index];
+@@ -713,7 +713,7 @@ static void ksz8_w_vlan_table(struct ksz_device *dev, u16 vid, u16 vlan)
+ u64 buf;
+
+ data = (u16 *)&buf;
+- addr = vid / dev->phy_port_cnt;
++ addr = vid / 4;
+ index = vid & 3;
+ ksz8_r_table(dev, TABLE_VLAN, addr, &buf);
+ data[index] = vlan;
+--
+2.30.2
+
--- /dev/null
+From ff35a439ddd5053c51479d6d6e4e27461972ead6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 00:59:28 +0200
+Subject: net: dsa: microchip: ksz8795: Fix PVID tag insertion
+
+From: Ben Hutchings <ben.hutchings@mind.be>
+
+[ Upstream commit ef3b02a1d79b691f9a354c4903cf1e6917e315f9 ]
+
+ksz8795 has never actually enabled PVID tag insertion, and it also
+programmed the PVID incorrectly. To fix this:
+
+* Allow tag insertion to be controlled per ingress port. On most
+ chips, set bit 2 in Global Control 19. On KSZ88x3 this control
+ flag doesn't exist.
+
+* When adding a PVID:
+ - Set the appropriate register bits to enable tag insertion on
+ egress at every other port if this was the packet's ingress port.
+ - Mask *out* the VID from the default tag, before or-ing in the new
+ PVID.
+
+* When removing a PVID:
+ - Clear the same control bits to disable tag insertion.
+ - Don't update the default tag. This wasn't doing anything useful.
+
+Fixes: e66f840c08a2 ("net: dsa: ksz: Add Microchip KSZ8795 DSA driver")
+Signed-off-by: Ben Hutchings <ben.hutchings@mind.be>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/microchip/ksz8795.c | 26 ++++++++++++++++++-------
+ drivers/net/dsa/microchip/ksz8795_reg.h | 4 ++++
+ 2 files changed, 23 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/dsa/microchip/ksz8795.c b/drivers/net/dsa/microchip/ksz8795.c
+index ad509a57a945..bc9ca2b0e091 100644
+--- a/drivers/net/dsa/microchip/ksz8795.c
++++ b/drivers/net/dsa/microchip/ksz8795.c
+@@ -1083,6 +1083,16 @@ static int ksz8_port_vlan_filtering(struct dsa_switch *ds, int port, bool flag,
+ return 0;
+ }
+
++static void ksz8_port_enable_pvid(struct ksz_device *dev, int port, bool state)
++{
++ if (ksz_is_ksz88x3(dev)) {
++ ksz_cfg(dev, REG_SW_INSERT_SRC_PVID,
++ 0x03 << (4 - 2 * port), state);
++ } else {
++ ksz_pwrite8(dev, port, REG_PORT_CTRL_12, state ? 0x0f : 0x00);
++ }
++}
++
+ static int ksz8_port_vlan_add(struct dsa_switch *ds, int port,
+ const struct switchdev_obj_port_vlan *vlan,
+ struct netlink_ext_ack *extack)
+@@ -1119,9 +1129,11 @@ static int ksz8_port_vlan_add(struct dsa_switch *ds, int port,
+ u16 vid;
+
+ ksz_pread16(dev, port, REG_PORT_CTRL_VID, &vid);
+- vid &= 0xfff;
++ vid &= ~VLAN_VID_MASK;
+ vid |= new_pvid;
+ ksz_pwrite16(dev, port, REG_PORT_CTRL_VID, vid);
++
++ ksz8_port_enable_pvid(dev, port, true);
+ }
+
+ return 0;
+@@ -1132,7 +1144,7 @@ static int ksz8_port_vlan_del(struct dsa_switch *ds, int port,
+ {
+ bool untagged = vlan->flags & BRIDGE_VLAN_INFO_UNTAGGED;
+ struct ksz_device *dev = ds->priv;
+- u16 data, pvid, new_pvid = 0;
++ u16 data, pvid;
+ u8 fid, member, valid;
+
+ if (ksz_is_ksz88x3(dev))
+@@ -1154,14 +1166,11 @@ static int ksz8_port_vlan_del(struct dsa_switch *ds, int port,
+ valid = 0;
+ }
+
+- if (pvid == vlan->vid)
+- new_pvid = 1;
+-
+ ksz8_to_vlan(dev, fid, member, valid, &data);
+ ksz8_w_vlan_table(dev, vlan->vid, data);
+
+- if (new_pvid != pvid)
+- ksz_pwrite16(dev, port, REG_PORT_CTRL_VID, pvid);
++ if (pvid == vlan->vid)
++ ksz8_port_enable_pvid(dev, port, false);
+
+ return 0;
+ }
+@@ -1394,6 +1403,9 @@ static int ksz8_setup(struct dsa_switch *ds)
+
+ ksz_cfg(dev, S_MIRROR_CTRL, SW_MIRROR_RX_TX, false);
+
++ if (!ksz_is_ksz88x3(dev))
++ ksz_cfg(dev, REG_SW_CTRL_19, SW_INS_TAG_ENABLE, true);
++
+ /* set broadcast storm protection 10% rate */
+ regmap_update_bits(dev->regmap[1], S_REPLACE_VID_CTRL,
+ BROADCAST_STORM_RATE,
+diff --git a/drivers/net/dsa/microchip/ksz8795_reg.h b/drivers/net/dsa/microchip/ksz8795_reg.h
+index c2e52c40a54c..383ba7a90f9c 100644
+--- a/drivers/net/dsa/microchip/ksz8795_reg.h
++++ b/drivers/net/dsa/microchip/ksz8795_reg.h
+@@ -631,6 +631,10 @@
+ #define REG_PORT_4_OUT_RATE_3 0xEE
+ #define REG_PORT_5_OUT_RATE_3 0xFE
+
++/* 88x3 specific */
++
++#define REG_SW_INSERT_SRC_PVID 0xC2
++
+ /* PME */
+
+ #define SW_PME_OUTPUT_ENABLE BIT(1)
+--
+2.30.2
+
--- /dev/null
+From eef245cc3d841bd07f186cd0ccc0a837545c2768 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 01:00:06 +0200
+Subject: net: dsa: microchip: ksz8795: Fix VLAN filtering
+
+From: Ben Hutchings <ben.hutchings@mind.be>
+
+[ Upstream commit 164844135a3f215d3018ee9d6875336beb942413 ]
+
+Currently ksz8_port_vlan_filtering() sets or clears the VLAN Enable
+hardware flag. That controls discarding of packets with a VID that
+has not been enabled for any port on the switch.
+
+Since it is a global flag, set the dsa_switch::vlan_filtering_is_global
+flag so that the DSA core understands this can't be controlled per
+port.
+
+When VLAN filtering is enabled, the switch should also discard packets
+with a VID that's not enabled on the ingress port. Set or clear each
+external port's VLAN Ingress Filter flag in ksz8_port_vlan_filtering()
+to make that happen.
+
+Fixes: e66f840c08a2 ("net: dsa: ksz: Add Microchip KSZ8795 DSA driver")
+Signed-off-by: Ben Hutchings <ben.hutchings@mind.be>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/microchip/ksz8795.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/drivers/net/dsa/microchip/ksz8795.c b/drivers/net/dsa/microchip/ksz8795.c
+index 4bd735c5183c..8e2a8103d590 100644
+--- a/drivers/net/dsa/microchip/ksz8795.c
++++ b/drivers/net/dsa/microchip/ksz8795.c
+@@ -1078,8 +1078,14 @@ static int ksz8_port_vlan_filtering(struct dsa_switch *ds, int port, bool flag,
+ if (ksz_is_ksz88x3(dev))
+ return -ENOTSUPP;
+
++ /* Discard packets with VID not enabled on the switch */
+ ksz_cfg(dev, S_MIRROR_CTRL, SW_VLAN_ENABLE, flag);
+
++ /* Discard packets with VID not enabled on the ingress port */
++ for (port = 0; port < dev->phy_port_cnt; ++port)
++ ksz_port_cfg(dev, port, REG_PORT_CTRL_2, PORT_INGRESS_FILTER,
++ flag);
++
+ return 0;
+ }
+
+@@ -1662,6 +1668,11 @@ static int ksz8_switch_init(struct ksz_device *dev)
+ */
+ dev->ds->untag_bridge_pvid = true;
+
++ /* VLAN filtering is partly controlled by the global VLAN
++ * Enable flag
++ */
++ dev->ds->vlan_filtering_is_global = true;
++
+ return 0;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 94a79daff5aa7484a50cce3121f98e6e2d0e8b88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 00:59:47 +0200
+Subject: net: dsa: microchip: ksz8795: Fix VLAN untagged flag change on
+ deletion
+
+From: Ben Hutchings <ben.hutchings@mind.be>
+
+[ Upstream commit af01754f9e3c553a2ee63b4693c79a3956e230ab ]
+
+When a VLAN is deleted from a port, the flags in struct
+switchdev_obj_port_vlan are always 0. ksz8_port_vlan_del() copies the
+BRIDGE_VLAN_INFO_UNTAGGED flag to the port's Tag Removal flag, and
+therefore always clears it.
+
+In case there are multiple VLANs configured as untagged on this port -
+which seems useless, but is allowed - deleting one of them changes the
+remaining VLANs to be tagged.
+
+It's only ever necessary to change this flag when a VLAN is added to
+the port, so leave it unchanged in ksz8_port_vlan_del().
+
+Fixes: e66f840c08a2 ("net: dsa: ksz: Add Microchip KSZ8795 DSA driver")
+Signed-off-by: Ben Hutchings <ben.hutchings@mind.be>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/microchip/ksz8795.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/net/dsa/microchip/ksz8795.c b/drivers/net/dsa/microchip/ksz8795.c
+index c20fb6edd420..46ef5bc79cbd 100644
+--- a/drivers/net/dsa/microchip/ksz8795.c
++++ b/drivers/net/dsa/microchip/ksz8795.c
+@@ -1167,7 +1167,6 @@ static int ksz8_port_vlan_add(struct dsa_switch *ds, int port,
+ static int ksz8_port_vlan_del(struct dsa_switch *ds, int port,
+ const struct switchdev_obj_port_vlan *vlan)
+ {
+- bool untagged = vlan->flags & BRIDGE_VLAN_INFO_UNTAGGED;
+ struct ksz_device *dev = ds->priv;
+ u16 data, pvid;
+ u8 fid, member, valid;
+@@ -1178,8 +1177,6 @@ static int ksz8_port_vlan_del(struct dsa_switch *ds, int port,
+ ksz_pread16(dev, port, REG_PORT_CTRL_VID, &pvid);
+ pvid = pvid & 0xFFF;
+
+- ksz_port_cfg(dev, port, P_TAG_CTRL, PORT_REMOVE_TAG, untagged);
+-
+ ksz8_r_vlan_table(dev, vlan->vid, &data);
+ ksz8_from_vlan(dev, data, &fid, &member, &valid);
+
+--
+2.30.2
+
--- /dev/null
+From 187e251019f545878b53ab2b55babb03a7056570 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 00:59:37 +0200
+Subject: net: dsa: microchip: ksz8795: Reject unsupported VLAN configuration
+
+From: Ben Hutchings <ben.hutchings@mind.be>
+
+[ Upstream commit 8f4f58f88fe0d9bd591f21f53de7dbd42baeb3fa ]
+
+The switches supported by ksz8795 only have a per-port flag for Tag
+Removal. This means it is not possible to support both tagged and
+untagged VLANs on the same port. Reject attempts to add a VLAN that
+requires the flag to be changed, unless there are no VLANs currently
+configured.
+
+VID 0 is excluded from this check since it is untagged regardless of
+the state of the flag.
+
+On the CPU port we could support tagged and untagged VLANs at the same
+time. This will be enabled by a later patch.
+
+Fixes: e66f840c08a2 ("net: dsa: ksz: Add Microchip KSZ8795 DSA driver")
+Signed-off-by: Ben Hutchings <ben.hutchings@mind.be>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/microchip/ksz8795.c | 27 +++++++++++++++++++++++++-
+ drivers/net/dsa/microchip/ksz_common.h | 1 +
+ 2 files changed, 27 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/dsa/microchip/ksz8795.c b/drivers/net/dsa/microchip/ksz8795.c
+index bc9ca2b0e091..c20fb6edd420 100644
+--- a/drivers/net/dsa/microchip/ksz8795.c
++++ b/drivers/net/dsa/microchip/ksz8795.c
+@@ -1099,13 +1099,38 @@ static int ksz8_port_vlan_add(struct dsa_switch *ds, int port,
+ {
+ bool untagged = vlan->flags & BRIDGE_VLAN_INFO_UNTAGGED;
+ struct ksz_device *dev = ds->priv;
++ struct ksz_port *p = &dev->ports[port];
+ u16 data, new_pvid = 0;
+ u8 fid, member, valid;
+
+ if (ksz_is_ksz88x3(dev))
+ return -ENOTSUPP;
+
+- ksz_port_cfg(dev, port, P_TAG_CTRL, PORT_REMOVE_TAG, untagged);
++ /* If a VLAN is added with untagged flag different from the
++ * port's Remove Tag flag, we need to change the latter.
++ * Ignore VID 0, which is always untagged.
++ */
++ if (untagged != p->remove_tag && vlan->vid != 0) {
++ unsigned int vid;
++
++ /* Reject attempts to add a VLAN that requires the
++ * Remove Tag flag to be changed, unless there are no
++ * other VLANs currently configured.
++ */
++ for (vid = 1; vid < dev->num_vlans; ++vid) {
++ /* Skip the VID we are going to add or reconfigure */
++ if (vid == vlan->vid)
++ continue;
++
++ ksz8_from_vlan(dev, dev->vlan_cache[vid].table[0],
++ &fid, &member, &valid);
++ if (valid && (member & BIT(port)))
++ return -EINVAL;
++ }
++
++ ksz_port_cfg(dev, port, P_TAG_CTRL, PORT_REMOVE_TAG, untagged);
++ p->remove_tag = untagged;
++ }
+
+ ksz8_r_vlan_table(dev, vlan->vid, &data);
+ ksz8_from_vlan(dev, data, &fid, &member, &valid);
+diff --git a/drivers/net/dsa/microchip/ksz_common.h b/drivers/net/dsa/microchip/ksz_common.h
+index 6afbb41ad39e..1597c63988b4 100644
+--- a/drivers/net/dsa/microchip/ksz_common.h
++++ b/drivers/net/dsa/microchip/ksz_common.h
+@@ -27,6 +27,7 @@ struct ksz_port_mib {
+ struct ksz_port {
+ u16 member;
+ u16 vid_member;
++ bool remove_tag; /* Remove Tag flag set, for ksz8795 only */
+ int stp_state;
+ struct phy_device phydev;
+
+--
+2.30.2
+
--- /dev/null
+From cfdb858e8ba4005eb752ef353a303170cc322971 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 00:59:57 +0200
+Subject: net: dsa: microchip: ksz8795: Use software untagging on CPU port
+
+From: Ben Hutchings <ben.hutchings@mind.be>
+
+[ Upstream commit 9130c2d30c17846287b803a9803106318cbe5266 ]
+
+On the CPU port, we can support both tagged and untagged VLANs at the
+same time by doing any necessary untagging in software rather than
+hardware. To enable that, keep the CPU port's Remove Tag flag cleared
+and set the dsa_switch::untag_bridge_pvid flag.
+
+Fixes: e66f840c08a2 ("net: dsa: ksz: Add Microchip KSZ8795 DSA driver")
+Signed-off-by: Ben Hutchings <ben.hutchings@mind.be>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/microchip/ksz8795.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/dsa/microchip/ksz8795.c b/drivers/net/dsa/microchip/ksz8795.c
+index 46ef5bc79cbd..4bd735c5183c 100644
+--- a/drivers/net/dsa/microchip/ksz8795.c
++++ b/drivers/net/dsa/microchip/ksz8795.c
+@@ -1109,8 +1109,10 @@ static int ksz8_port_vlan_add(struct dsa_switch *ds, int port,
+ /* If a VLAN is added with untagged flag different from the
+ * port's Remove Tag flag, we need to change the latter.
+ * Ignore VID 0, which is always untagged.
++ * Ignore CPU port, which will always be tagged.
+ */
+- if (untagged != p->remove_tag && vlan->vid != 0) {
++ if (untagged != p->remove_tag && vlan->vid != 0 &&
++ port != dev->cpu_port) {
+ unsigned int vid;
+
+ /* Reject attempts to add a VLAN that requires the
+@@ -1655,6 +1657,11 @@ static int ksz8_switch_init(struct ksz_device *dev)
+ /* set the real number of ports */
+ dev->ds->num_ports = dev->port_cnt;
+
++ /* We rely on software untagging on the CPU port, so that we
++ * can support both tagged and untagged VLANs
++ */
++ dev->ds->untag_bridge_pvid = true;
++
+ return 0;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 324adf6f18b9ad29630f5e11ba163fb5f0b8d405 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Aug 2021 12:05:27 +0800
+Subject: net: dsa: mt7530: add the missing RxUnicast MIB counter
+
+From: DENG Qingfang <dqfext@gmail.com>
+
+[ Upstream commit aff51c5da3208bd164381e1488998667269c6cf4 ]
+
+Add the missing RxUnicast counter.
+
+Fixes: b8f126a8d543 ("net-next: dsa: add dsa support for Mediatek MT7530 switch")
+Signed-off-by: DENG Qingfang <dqfext@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/mt7530.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c
+index 9b90f3d3a8f5..167c599a81a5 100644
+--- a/drivers/net/dsa/mt7530.c
++++ b/drivers/net/dsa/mt7530.c
+@@ -46,6 +46,7 @@ static const struct mt7530_mib_desc mt7530_mib[] = {
+ MIB_DESC(2, 0x48, "TxBytes"),
+ MIB_DESC(1, 0x60, "RxDrop"),
+ MIB_DESC(1, 0x64, "RxFiltering"),
++ MIB_DESC(1, 0x68, "RxUnicast"),
+ MIB_DESC(1, 0x6c, "RxMulticast"),
+ MIB_DESC(1, 0x70, "RxBroadcast"),
+ MIB_DESC(1, 0x74, "RxAlignErr"),
+--
+2.30.2
+
--- /dev/null
+From 3a648d479689c03bde42ba327bfe49b4000647d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Aug 2021 11:47:23 +0200
+Subject: net: dsa: qca: ar9331: make proper initial port defaults
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+[ Upstream commit 47fac45600aafc5939d9620055c3c46f7135d316 ]
+
+Make sure that all external port are actually isolated from each other,
+so no packets are leaked.
+
+Fixes: ec6698c272de ("net: dsa: add support for Atheros AR9331 built-in switch")
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/qca/ar9331.c | 73 +++++++++++++++++++++++++++++++++++-
+ 1 file changed, 72 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/dsa/qca/ar9331.c b/drivers/net/dsa/qca/ar9331.c
+index 6686192e1883..563d8a279030 100644
+--- a/drivers/net/dsa/qca/ar9331.c
++++ b/drivers/net/dsa/qca/ar9331.c
+@@ -101,6 +101,23 @@
+ AR9331_SW_PORT_STATUS_RX_FLOW_EN | AR9331_SW_PORT_STATUS_TX_FLOW_EN | \
+ AR9331_SW_PORT_STATUS_SPEED_M)
+
++#define AR9331_SW_REG_PORT_CTRL(_port) (0x104 + (_port) * 0x100)
++#define AR9331_SW_PORT_CTRL_HEAD_EN BIT(11)
++#define AR9331_SW_PORT_CTRL_PORT_STATE GENMASK(2, 0)
++#define AR9331_SW_PORT_CTRL_PORT_STATE_DISABLED 0
++#define AR9331_SW_PORT_CTRL_PORT_STATE_BLOCKING 1
++#define AR9331_SW_PORT_CTRL_PORT_STATE_LISTENING 2
++#define AR9331_SW_PORT_CTRL_PORT_STATE_LEARNING 3
++#define AR9331_SW_PORT_CTRL_PORT_STATE_FORWARD 4
++
++#define AR9331_SW_REG_PORT_VLAN(_port) (0x108 + (_port) * 0x100)
++#define AR9331_SW_PORT_VLAN_8021Q_MODE GENMASK(31, 30)
++#define AR9331_SW_8021Q_MODE_SECURE 3
++#define AR9331_SW_8021Q_MODE_CHECK 2
++#define AR9331_SW_8021Q_MODE_FALLBACK 1
++#define AR9331_SW_8021Q_MODE_NONE 0
++#define AR9331_SW_PORT_VLAN_PORT_VID_MEMBER GENMASK(25, 16)
++
+ /* MIB registers */
+ #define AR9331_MIB_COUNTER(x) (0x20000 + ((x) * 0x100))
+
+@@ -371,12 +388,60 @@ static int ar9331_sw_mbus_init(struct ar9331_sw_priv *priv)
+ return 0;
+ }
+
+-static int ar9331_sw_setup(struct dsa_switch *ds)
++static int ar9331_sw_setup_port(struct dsa_switch *ds, int port)
+ {
+ struct ar9331_sw_priv *priv = (struct ar9331_sw_priv *)ds->priv;
+ struct regmap *regmap = priv->regmap;
++ u32 port_mask, port_ctrl, val;
+ int ret;
+
++ /* Generate default port settings */
++ port_ctrl = FIELD_PREP(AR9331_SW_PORT_CTRL_PORT_STATE,
++ AR9331_SW_PORT_CTRL_PORT_STATE_FORWARD);
++
++ if (dsa_is_cpu_port(ds, port)) {
++ /* CPU port should be allowed to communicate with all user
++ * ports.
++ */
++ port_mask = dsa_user_ports(ds);
++ /* Enable Atheros header on CPU port. This will allow us
++ * communicate with each port separately
++ */
++ port_ctrl |= AR9331_SW_PORT_CTRL_HEAD_EN;
++ } else if (dsa_is_user_port(ds, port)) {
++ /* User ports should communicate only with the CPU port.
++ */
++ port_mask = BIT(dsa_upstream_port(ds, port));
++ } else {
++ /* Other ports do not need to communicate at all */
++ port_mask = 0;
++ }
++
++ val = FIELD_PREP(AR9331_SW_PORT_VLAN_8021Q_MODE,
++ AR9331_SW_8021Q_MODE_NONE) |
++ FIELD_PREP(AR9331_SW_PORT_VLAN_PORT_VID_MEMBER, port_mask);
++
++ ret = regmap_write(regmap, AR9331_SW_REG_PORT_VLAN(port), val);
++ if (ret)
++ goto error;
++
++ ret = regmap_write(regmap, AR9331_SW_REG_PORT_CTRL(port), port_ctrl);
++ if (ret)
++ goto error;
++
++ return 0;
++error:
++ dev_err(priv->dev, "%s: error: %i\n", __func__, ret);
++
++ return ret;
++}
++
++static int ar9331_sw_setup(struct dsa_switch *ds)
++{
++ struct ar9331_sw_priv *priv = (struct ar9331_sw_priv *)ds->priv;
++ struct regmap *regmap = priv->regmap;
++ int ret, i;
++
+ ret = ar9331_sw_reset(priv);
+ if (ret)
+ return ret;
+@@ -402,6 +467,12 @@ static int ar9331_sw_setup(struct dsa_switch *ds)
+ if (ret)
+ goto error;
+
++ for (i = 0; i < ds->num_ports; i++) {
++ ret = ar9331_sw_setup_port(ds, i);
++ if (ret)
++ goto error;
++ }
++
+ ds->configure_vlan_while_not_filtering = false;
+
+ return 0;
+--
+2.30.2
+
--- /dev/null
+From 7c804a67609201ab1c7f984126c6881e2de9b01d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 14:19:56 +0300
+Subject: net: dsa: sja1105: fix broken backpressure in .port_fdb_dump
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 21b52fed928e96d2f75d2f6aa9eac7a4b0b55d22 ]
+
+rtnl_fdb_dump() has logic to split a dump of PF_BRIDGE neighbors into
+multiple netlink skbs if the buffer provided by user space is too small
+(one buffer will typically handle a few hundred FDB entries).
+
+When the current buffer becomes full, nlmsg_put() in
+dsa_slave_port_fdb_do_dump() returns -EMSGSIZE and DSA saves the index
+of the last dumped FDB entry, returns to rtnl_fdb_dump() up to that
+point, and then the dump resumes on the same port with a new skb, and
+FDB entries up to the saved index are simply skipped.
+
+Since dsa_slave_port_fdb_do_dump() is pointed to by the "cb" passed to
+drivers, then drivers must check for the -EMSGSIZE error code returned
+by it. Otherwise, when a netlink skb becomes full, DSA will no longer
+save newly dumped FDB entries to it, but the driver will continue
+dumping. So FDB entries will be missing from the dump.
+
+Fix the broken backpressure by propagating the "cb" return code and
+allow rtnl_fdb_dump() to restart the FDB dump with a new skb.
+
+Fixes: 291d1e72b756 ("net: dsa: sja1105: Add support for FDB and MDB management")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/sja1105/sja1105_main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c
+index 4b05a2424623..0aaf599119cd 100644
+--- a/drivers/net/dsa/sja1105/sja1105_main.c
++++ b/drivers/net/dsa/sja1105/sja1105_main.c
+@@ -1625,7 +1625,9 @@ static int sja1105_fdb_dump(struct dsa_switch *ds, int port,
+ /* We need to hide the dsa_8021q VLANs from the user. */
+ if (priv->vlan_state == SJA1105_VLAN_UNAWARE)
+ l2_lookup.vlanid = 0;
+- cb(macaddr, l2_lookup.vlanid, l2_lookup.lockeds, data);
++ rc = cb(macaddr, l2_lookup.vlanid, l2_lookup.lockeds, data);
++ if (rc)
++ return rc;
+ }
+ return 0;
+ }
+--
+2.30.2
+
--- /dev/null
+From 4abe485d7738a98261aca1a086b06b96e982c6e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Aug 2021 16:54:14 +0900
+Subject: net: Fix memory leak in ieee802154_raw_deliver
+
+From: Takeshi Misawa <jeliantsurux@gmail.com>
+
+[ Upstream commit 1090340f7ee53e824fd4eef66a4855d548110c5b ]
+
+If IEEE-802.15.4-RAW is closed before receive skb, skb is leaked.
+Fix this, by freeing sk_receive_queue in sk->sk_destruct().
+
+syzbot report:
+BUG: memory leak
+unreferenced object 0xffff88810f644600 (size 232):
+ comm "softirq", pid 0, jiffies 4294967032 (age 81.270s)
+ hex dump (first 32 bytes):
+ 10 7d 4b 12 81 88 ff ff 10 7d 4b 12 81 88 ff ff .}K......}K.....
+ 00 00 00 00 00 00 00 00 40 7c 4b 12 81 88 ff ff ........@|K.....
+ backtrace:
+ [<ffffffff83651d4a>] skb_clone+0xaa/0x2b0 net/core/skbuff.c:1496
+ [<ffffffff83fe1b80>] ieee802154_raw_deliver net/ieee802154/socket.c:369 [inline]
+ [<ffffffff83fe1b80>] ieee802154_rcv+0x100/0x340 net/ieee802154/socket.c:1070
+ [<ffffffff8367cc7a>] __netif_receive_skb_one_core+0x6a/0xa0 net/core/dev.c:5384
+ [<ffffffff8367cd07>] __netif_receive_skb+0x27/0xa0 net/core/dev.c:5498
+ [<ffffffff8367cdd9>] netif_receive_skb_internal net/core/dev.c:5603 [inline]
+ [<ffffffff8367cdd9>] netif_receive_skb+0x59/0x260 net/core/dev.c:5662
+ [<ffffffff83fe6302>] ieee802154_deliver_skb net/mac802154/rx.c:29 [inline]
+ [<ffffffff83fe6302>] ieee802154_subif_frame net/mac802154/rx.c:102 [inline]
+ [<ffffffff83fe6302>] __ieee802154_rx_handle_packet net/mac802154/rx.c:212 [inline]
+ [<ffffffff83fe6302>] ieee802154_rx+0x612/0x620 net/mac802154/rx.c:284
+ [<ffffffff83fe59a6>] ieee802154_tasklet_handler+0x86/0xa0 net/mac802154/main.c:35
+ [<ffffffff81232aab>] tasklet_action_common.constprop.0+0x5b/0x100 kernel/softirq.c:557
+ [<ffffffff846000bf>] __do_softirq+0xbf/0x2ab kernel/softirq.c:345
+ [<ffffffff81232f4c>] do_softirq kernel/softirq.c:248 [inline]
+ [<ffffffff81232f4c>] do_softirq+0x5c/0x80 kernel/softirq.c:235
+ [<ffffffff81232fc1>] __local_bh_enable_ip+0x51/0x60 kernel/softirq.c:198
+ [<ffffffff8367a9a4>] local_bh_enable include/linux/bottom_half.h:32 [inline]
+ [<ffffffff8367a9a4>] rcu_read_unlock_bh include/linux/rcupdate.h:745 [inline]
+ [<ffffffff8367a9a4>] __dev_queue_xmit+0x7f4/0xf60 net/core/dev.c:4221
+ [<ffffffff83fe2db4>] raw_sendmsg+0x1f4/0x2b0 net/ieee802154/socket.c:295
+ [<ffffffff8363af16>] sock_sendmsg_nosec net/socket.c:654 [inline]
+ [<ffffffff8363af16>] sock_sendmsg+0x56/0x80 net/socket.c:674
+ [<ffffffff8363deec>] __sys_sendto+0x15c/0x200 net/socket.c:1977
+ [<ffffffff8363dfb6>] __do_sys_sendto net/socket.c:1989 [inline]
+ [<ffffffff8363dfb6>] __se_sys_sendto net/socket.c:1985 [inline]
+ [<ffffffff8363dfb6>] __x64_sys_sendto+0x26/0x30 net/socket.c:1985
+
+Fixes: 9ec767160357 ("net: add IEEE 802.15.4 socket family implementation")
+Reported-and-tested-by: syzbot+1f68113fa907bf0695a8@syzkaller.appspotmail.com
+Signed-off-by: Takeshi Misawa <jeliantsurux@gmail.com>
+Acked-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20210805075414.GA15796@DESKTOP
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ieee802154/socket.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c
+index a45a0401adc5..c25f7617770c 100644
+--- a/net/ieee802154/socket.c
++++ b/net/ieee802154/socket.c
+@@ -984,6 +984,11 @@ static const struct proto_ops ieee802154_dgram_ops = {
+ .sendpage = sock_no_sendpage,
+ };
+
++static void ieee802154_sock_destruct(struct sock *sk)
++{
++ skb_queue_purge(&sk->sk_receive_queue);
++}
++
+ /* Create a socket. Initialise the socket, blank the addresses
+ * set the state.
+ */
+@@ -1024,7 +1029,7 @@ static int ieee802154_create(struct net *net, struct socket *sock,
+ sock->ops = ops;
+
+ sock_init_data(sock, sk);
+- /* FIXME: sk->sk_destruct */
++ sk->sk_destruct = ieee802154_sock_destruct;
+ sk->sk_family = PF_IEEE802154;
+
+ /* Checksums on by default */
+--
+2.30.2
+
--- /dev/null
+From ce437080648ddf0e13523ea66d6ab1b24d3ac401 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 02:45:47 -0700
+Subject: net: igmp: fix data-race in igmp_ifc_timer_expire()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 4a2b285e7e103d4d6c6ed3e5052a0ff74a5d7f15 ]
+
+Fix the data-race reported by syzbot [1]
+Issue here is that igmp_ifc_timer_expire() can update in_dev->mr_ifc_count
+while another change just occured from another context.
+
+in_dev->mr_ifc_count is only 8bit wide, so the race had little
+consequences.
+
+[1]
+BUG: KCSAN: data-race in igmp_ifc_event / igmp_ifc_timer_expire
+
+write to 0xffff8881051e3062 of 1 bytes by task 12547 on cpu 0:
+ igmp_ifc_event+0x1d5/0x290 net/ipv4/igmp.c:821
+ igmp_group_added+0x462/0x490 net/ipv4/igmp.c:1356
+ ____ip_mc_inc_group+0x3ff/0x500 net/ipv4/igmp.c:1461
+ __ip_mc_join_group+0x24d/0x2c0 net/ipv4/igmp.c:2199
+ ip_mc_join_group_ssm+0x20/0x30 net/ipv4/igmp.c:2218
+ do_ip_setsockopt net/ipv4/ip_sockglue.c:1285 [inline]
+ ip_setsockopt+0x1827/0x2a80 net/ipv4/ip_sockglue.c:1423
+ tcp_setsockopt+0x8c/0xa0 net/ipv4/tcp.c:3657
+ sock_common_setsockopt+0x5d/0x70 net/core/sock.c:3362
+ __sys_setsockopt+0x18f/0x200 net/socket.c:2159
+ __do_sys_setsockopt net/socket.c:2170 [inline]
+ __se_sys_setsockopt net/socket.c:2167 [inline]
+ __x64_sys_setsockopt+0x62/0x70 net/socket.c:2167
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+read to 0xffff8881051e3062 of 1 bytes by interrupt on cpu 1:
+ igmp_ifc_timer_expire+0x706/0xa30 net/ipv4/igmp.c:808
+ call_timer_fn+0x2e/0x1d0 kernel/time/timer.c:1419
+ expire_timers+0x135/0x250 kernel/time/timer.c:1464
+ __run_timers+0x358/0x420 kernel/time/timer.c:1732
+ run_timer_softirq+0x19/0x30 kernel/time/timer.c:1745
+ __do_softirq+0x12c/0x26e kernel/softirq.c:558
+ invoke_softirq kernel/softirq.c:432 [inline]
+ __irq_exit_rcu+0x9a/0xb0 kernel/softirq.c:636
+ sysvec_apic_timer_interrupt+0x69/0x80 arch/x86/kernel/apic/apic.c:1100
+ asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638
+ console_unlock+0x8e8/0xb30 kernel/printk/printk.c:2646
+ vprintk_emit+0x125/0x3d0 kernel/printk/printk.c:2174
+ vprintk_default+0x22/0x30 kernel/printk/printk.c:2185
+ vprintk+0x15a/0x170 kernel/printk/printk_safe.c:392
+ printk+0x62/0x87 kernel/printk/printk.c:2216
+ selinux_netlink_send+0x399/0x400 security/selinux/hooks.c:6041
+ security_netlink_send+0x42/0x90 security/security.c:2070
+ netlink_sendmsg+0x59e/0x7c0 net/netlink/af_netlink.c:1919
+ sock_sendmsg_nosec net/socket.c:703 [inline]
+ sock_sendmsg net/socket.c:723 [inline]
+ ____sys_sendmsg+0x360/0x4d0 net/socket.c:2392
+ ___sys_sendmsg net/socket.c:2446 [inline]
+ __sys_sendmsg+0x1ed/0x270 net/socket.c:2475
+ __do_sys_sendmsg net/socket.c:2484 [inline]
+ __se_sys_sendmsg net/socket.c:2482 [inline]
+ __x64_sys_sendmsg+0x42/0x50 net/socket.c:2482
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+value changed: 0x01 -> 0x02
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 12539 Comm: syz-executor.1 Not tainted 5.14.0-rc4-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/igmp.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
+index 6b3c558a4f23..a51360087b19 100644
+--- a/net/ipv4/igmp.c
++++ b/net/ipv4/igmp.c
+@@ -803,10 +803,17 @@ static void igmp_gq_timer_expire(struct timer_list *t)
+ static void igmp_ifc_timer_expire(struct timer_list *t)
+ {
+ struct in_device *in_dev = from_timer(in_dev, t, mr_ifc_timer);
++ u8 mr_ifc_count;
+
+ igmpv3_send_cr(in_dev);
+- if (in_dev->mr_ifc_count) {
+- in_dev->mr_ifc_count--;
++restart:
++ mr_ifc_count = READ_ONCE(in_dev->mr_ifc_count);
++
++ if (mr_ifc_count) {
++ if (cmpxchg(&in_dev->mr_ifc_count,
++ mr_ifc_count,
++ mr_ifc_count - 1) != mr_ifc_count)
++ goto restart;
+ igmp_ifc_start_timer(in_dev,
+ unsolicited_report_interval(in_dev));
+ }
+@@ -818,7 +825,7 @@ static void igmp_ifc_event(struct in_device *in_dev)
+ struct net *net = dev_net(in_dev->dev);
+ if (IGMP_V1_SEEN(in_dev) || IGMP_V2_SEEN(in_dev))
+ return;
+- in_dev->mr_ifc_count = in_dev->mr_qrv ?: net->ipv4.sysctl_igmp_qrv;
++ WRITE_ONCE(in_dev->mr_ifc_count, in_dev->mr_qrv ?: net->ipv4.sysctl_igmp_qrv);
+ igmp_ifc_start_timer(in_dev, 1);
+ }
+
+@@ -957,7 +964,7 @@ static bool igmp_heard_query(struct in_device *in_dev, struct sk_buff *skb,
+ in_dev->mr_qri;
+ }
+ /* cancel the interface change timer */
+- in_dev->mr_ifc_count = 0;
++ WRITE_ONCE(in_dev->mr_ifc_count, 0);
+ if (del_timer(&in_dev->mr_ifc_timer))
+ __in_dev_put(in_dev);
+ /* clear deleted report items */
+@@ -1724,7 +1731,7 @@ void ip_mc_down(struct in_device *in_dev)
+ igmp_group_dropped(pmc);
+
+ #ifdef CONFIG_IP_MULTICAST
+- in_dev->mr_ifc_count = 0;
++ WRITE_ONCE(in_dev->mr_ifc_count, 0);
+ if (del_timer(&in_dev->mr_ifc_timer))
+ __in_dev_put(in_dev);
+ in_dev->mr_gq_running = 0;
+@@ -1941,7 +1948,7 @@ static int ip_mc_del_src(struct in_device *in_dev, __be32 *pmca, int sfmode,
+ pmc->sfmode = MCAST_INCLUDE;
+ #ifdef CONFIG_IP_MULTICAST
+ pmc->crcount = in_dev->mr_qrv ?: net->ipv4.sysctl_igmp_qrv;
+- in_dev->mr_ifc_count = pmc->crcount;
++ WRITE_ONCE(in_dev->mr_ifc_count, pmc->crcount);
+ for (psf = pmc->sources; psf; psf = psf->sf_next)
+ psf->sf_crcount = 0;
+ igmp_ifc_event(pmc->interface);
+@@ -2120,7 +2127,7 @@ static int ip_mc_add_src(struct in_device *in_dev, __be32 *pmca, int sfmode,
+ /* else no filters; keep old mode for reports */
+
+ pmc->crcount = in_dev->mr_qrv ?: net->ipv4.sysctl_igmp_qrv;
+- in_dev->mr_ifc_count = pmc->crcount;
++ WRITE_ONCE(in_dev->mr_ifc_count, pmc->crcount);
+ for (psf = pmc->sources; psf; psf = psf->sf_next)
+ psf->sf_crcount = 0;
+ igmp_ifc_event(in_dev);
+--
+2.30.2
+
--- /dev/null
+From 89a9a0991afde6807ae2f6bc041d1e4dcfae07ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Aug 2021 12:57:15 -0700
+Subject: net: igmp: increase size of mr_ifc_count
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit b69dd5b3780a7298bd893816a09da751bc0636f7 ]
+
+Some arches support cmpxchg() on 4-byte and 8-byte only.
+Increase mr_ifc_count width to 32bit to fix this problem.
+
+Fixes: 4a2b285e7e10 ("net: igmp: fix data-race in igmp_ifc_timer_expire()")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20210811195715.3684218-1-eric.dumazet@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/inetdevice.h | 2 +-
+ net/ipv4/igmp.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/inetdevice.h b/include/linux/inetdevice.h
+index 53aa0343bf69..aaf4f1b4c277 100644
+--- a/include/linux/inetdevice.h
++++ b/include/linux/inetdevice.h
+@@ -41,7 +41,7 @@ struct in_device {
+ unsigned long mr_qri; /* Query Response Interval */
+ unsigned char mr_qrv; /* Query Robustness Variable */
+ unsigned char mr_gq_running;
+- unsigned char mr_ifc_count;
++ u32 mr_ifc_count;
+ struct timer_list mr_gq_timer; /* general query timer */
+ struct timer_list mr_ifc_timer; /* interface change timer */
+
+diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
+index a51360087b19..00576bae183d 100644
+--- a/net/ipv4/igmp.c
++++ b/net/ipv4/igmp.c
+@@ -803,7 +803,7 @@ static void igmp_gq_timer_expire(struct timer_list *t)
+ static void igmp_ifc_timer_expire(struct timer_list *t)
+ {
+ struct in_device *in_dev = from_timer(in_dev, t, mr_ifc_timer);
+- u8 mr_ifc_count;
++ u32 mr_ifc_count;
+
+ igmpv3_send_cr(in_dev);
+ restart:
+--
+2.30.2
+
--- /dev/null
+From 326746a84f563b5ca79f8e09df23c3d88418cd9c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Aug 2021 18:06:28 +0200
+Subject: net: linkwatch: fix failure to restore device state across
+ suspend/resume
+
+From: Willy Tarreau <w@1wt.eu>
+
+[ Upstream commit 6922110d152e56d7569616b45a1f02876cf3eb9f ]
+
+After migrating my laptop from 4.19-LTS to 5.4-LTS a while ago I noticed
+that my Ethernet port to which a bond and a VLAN interface are attached
+appeared to remain up after resuming from suspend with the cable unplugged
+(and that problem still persists with 5.10-LTS).
+
+It happens that the following happens:
+
+ - the network driver (e1000e here) prepares to suspend, calls e1000e_down()
+ which calls netif_carrier_off() to signal that the link is going down.
+ - netif_carrier_off() adds a link_watch event to the list of events for
+ this device
+ - the device is completely stopped.
+ - the machine suspends
+ - the cable is unplugged and the machine brought to another location
+ - the machine is resumed
+ - the queued linkwatch events are processed for the device
+ - the device doesn't yet have the __LINK_STATE_PRESENT bit and its events
+ are silently dropped
+ - the device is resumed with its link down
+ - the upper VLAN and bond interfaces are never notified that the link had
+ been turned down and remain up
+ - the only way to provoke a change is to physically connect the machine
+ to a port and possibly unplug it.
+
+The state after resume looks like this:
+ $ ip -br li | egrep 'bond|eth'
+ bond0 UP e8:6a:64:64:64:64 <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP>
+ eth0 DOWN e8:6a:64:64:64:64 <NO-CARRIER,BROADCAST,MULTICAST,SLAVE,UP>
+ eth0.2@eth0 UP e8:6a:64:64:64:64 <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP>
+
+Placing an explicit call to netdev_state_change() either in the suspend
+or the resume code in the NIC driver worked around this but the solution
+is not satisfying.
+
+The issue in fact really is in link_watch that loses events while it
+ought not to. It happens that the test for the device being present was
+added by commit 124eee3f6955 ("net: linkwatch: add check for netdevice
+being present to linkwatch_do_dev") in 4.20 to avoid an access to
+devices that are not present.
+
+Instead of dropping events, this patch proceeds slightly differently by
+postponing their handling so that they happen after the device is fully
+resumed.
+
+Fixes: 124eee3f6955 ("net: linkwatch: add check for netdevice being present to linkwatch_do_dev")
+Link: https://lists.openwall.net/netdev/2018/03/15/62
+Cc: Heiner Kallweit <hkallweit1@gmail.com>
+Cc: Geert Uytterhoeven <geert+renesas@glider.be>
+Cc: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+Link: https://lore.kernel.org/r/20210809160628.22623-1-w@1wt.eu
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/link_watch.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/core/link_watch.c b/net/core/link_watch.c
+index 75431ca9300f..1a455847da54 100644
+--- a/net/core/link_watch.c
++++ b/net/core/link_watch.c
+@@ -158,7 +158,7 @@ static void linkwatch_do_dev(struct net_device *dev)
+ clear_bit(__LINK_STATE_LINKWATCH_PENDING, &dev->state);
+
+ rfc2863_policy(dev);
+- if (dev->flags & IFF_UP && netif_device_present(dev)) {
++ if (dev->flags & IFF_UP) {
+ if (netif_carrier_ok(dev))
+ dev_activate(dev);
+ else
+@@ -204,7 +204,8 @@ static void __linkwatch_run_queue(int urgent_only)
+ dev = list_first_entry(&wrk, struct net_device, link_watch_list);
+ list_del_init(&dev->link_watch_list);
+
+- if (urgent_only && !linkwatch_urgent_event(dev)) {
++ if (!netif_device_present(dev) ||
++ (urgent_only && !linkwatch_urgent_event(dev))) {
+ list_add_tail(&dev->link_watch_list, &lweventlist);
+ continue;
+ }
+--
+2.30.2
+
--- /dev/null
+From ab2ef338ca66fcec67a7ef5337e175e4b181932d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Jul 2021 18:18:59 +0300
+Subject: net/mlx5: Block switchdev mode while devlink traps are active
+
+From: Aya Levin <ayal@nvidia.com>
+
+[ Upstream commit c85a6b8feb16c0cdbbc8d9f581c7861c4a9ac351 ]
+
+Since switchdev mode can't support devlink traps, verify there are
+no active devlink traps before moving eswitch to switchdev mode. If
+there are active traps, prevent the switchdev mode configuration.
+
+Fixes: eb3862a0525d ("net/mlx5e: Enable traps according to link state")
+Signed-off-by: Aya Levin <ayal@nvidia.com>
+Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ethernet/mellanox/mlx5/core/eswitch_offloads.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+index b66e12753f37..d0e4daa55a4a 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+@@ -48,6 +48,7 @@
+ #include "lib/fs_chains.h"
+ #include "en_tc.h"
+ #include "en/mapping.h"
++#include "devlink.h"
+
+ #define mlx5_esw_for_each_rep(esw, i, rep) \
+ xa_for_each(&((esw)->offloads.vport_reps), i, rep)
+@@ -2984,12 +2985,19 @@ int mlx5_devlink_eswitch_mode_set(struct devlink *devlink, u16 mode,
+ if (cur_mlx5_mode == mlx5_mode)
+ goto unlock;
+
+- if (mode == DEVLINK_ESWITCH_MODE_SWITCHDEV)
++ if (mode == DEVLINK_ESWITCH_MODE_SWITCHDEV) {
++ if (mlx5_devlink_trap_get_num_active(esw->dev)) {
++ NL_SET_ERR_MSG_MOD(extack,
++ "Can't change mode while devlink traps are active");
++ err = -EOPNOTSUPP;
++ goto unlock;
++ }
+ err = esw_offloads_start(esw, extack);
+- else if (mode == DEVLINK_ESWITCH_MODE_LEGACY)
++ } else if (mode == DEVLINK_ESWITCH_MODE_LEGACY) {
+ err = esw_offloads_stop(esw, extack);
+- else
++ } else {
+ err = -EINVAL;
++ }
+
+ unlock:
+ mlx5_esw_unlock(esw);
+--
+2.30.2
+
--- /dev/null
+From 68d1b441f54858422f5a324ec96eef3561e2c24f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Aug 2021 16:39:54 +0300
+Subject: net/mlx5: Don't skip subfunction cleanup in case of error in module
+ init
+
+From: Leon Romanovsky <leonro@nvidia.com>
+
+[ Upstream commit c633e799641cf13960bd83189b4d5b1b2adb0d4e ]
+
+Clean SF resources if mlx5 eth failed to initialize.
+
+Fixes: 1958fc2f0712 ("net/mlx5: SF, Add auxiliary device driver")
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Reviewed-by: Parav Pandit <parav@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/main.c | 12 ++++--------
+ drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h | 5 +++++
+ 2 files changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+index 0d0f63a27aba..8c6d7f70e783 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+@@ -1781,16 +1781,14 @@ static int __init init(void)
+ if (err)
+ goto err_sf;
+
+-#ifdef CONFIG_MLX5_CORE_EN
+ err = mlx5e_init();
+- if (err) {
+- pci_unregister_driver(&mlx5_core_driver);
+- goto err_debug;
+- }
+-#endif
++ if (err)
++ goto err_en;
+
+ return 0;
+
++err_en:
++ mlx5_sf_driver_unregister();
+ err_sf:
+ pci_unregister_driver(&mlx5_core_driver);
+ err_debug:
+@@ -1800,9 +1798,7 @@ err_debug:
+
+ static void __exit cleanup(void)
+ {
+-#ifdef CONFIG_MLX5_CORE_EN
+ mlx5e_cleanup();
+-#endif
+ mlx5_sf_driver_unregister();
+ pci_unregister_driver(&mlx5_core_driver);
+ mlx5_unregister_debugfs();
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h b/drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h
+index a22b706eebd3..1824eb0b0e9a 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h
+@@ -223,8 +223,13 @@ int mlx5_firmware_flash(struct mlx5_core_dev *dev, const struct firmware *fw,
+ int mlx5_fw_version_query(struct mlx5_core_dev *dev,
+ u32 *running_ver, u32 *stored_ver);
+
++#ifdef CONFIG_MLX5_CORE_EN
+ int mlx5e_init(void);
+ void mlx5e_cleanup(void);
++#else
++static inline int mlx5e_init(void){ return 0; }
++static inline void mlx5e_cleanup(void){}
++#endif
+
+ static inline bool mlx5_sriov_is_enabled(struct mlx5_core_dev *dev)
+ {
+--
+2.30.2
+
--- /dev/null
+From d239e404ff6d083c71f3c413d3936036892e4f60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Jun 2021 16:51:58 +0300
+Subject: net/mlx5: DR, Add fail on error check on decap
+
+From: Alex Vesker <valex@nvidia.com>
+
+[ Upstream commit d3875924dae632d5edd908d285fffc5f07c835a3 ]
+
+While processing encapsulated packet on RX, one of the fields that is
+checked is the inner packet length. If the length as specified in the header
+doesn't match the actual inner packet length, the packet is invalid
+and should be dropped. However, such packet caused the NIC to hang.
+
+This patch turns on a 'fail_on_error' HW bit which allows HW to drop
+such an invalid packet while processing RX packet and trying to decap it.
+
+Fixes: ad17dc8cf910 ("net/mlx5: DR, Move STEv0 action apply logic")
+Signed-off-by: Alex Vesker <valex@nvidia.com>
+Signed-off-by: Yevgeny Kliteynik <kliteyn@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v0.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v0.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v0.c
+index 0757a4e8540e..42446e92aa38 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v0.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste_v0.c
+@@ -352,6 +352,7 @@ static void dr_ste_v0_set_rx_decap(u8 *hw_ste_p)
+ {
+ MLX5_SET(ste_rx_steering_mult, hw_ste_p, tunneling_action,
+ DR_STE_TUNL_ACTION_DECAP);
++ MLX5_SET(ste_rx_steering_mult, hw_ste_p, fail_on_error, 1);
+ }
+
+ static void dr_ste_v0_set_rx_pop_vlan(u8 *hw_ste_p)
+@@ -365,6 +366,7 @@ static void dr_ste_v0_set_rx_decap_l3(u8 *hw_ste_p, bool vlan)
+ MLX5_SET(ste_rx_steering_mult, hw_ste_p, tunneling_action,
+ DR_STE_TUNL_ACTION_L3_DECAP);
+ MLX5_SET(ste_modify_packet, hw_ste_p, action_description, vlan ? 1 : 0);
++ MLX5_SET(ste_rx_steering_mult, hw_ste_p, fail_on_error, 1);
+ }
+
+ static void dr_ste_v0_set_rewrite_actions(u8 *hw_ste_p, u16 num_of_actions,
+--
+2.30.2
+
--- /dev/null
+From fd4c3879d93b99658f348103e5ece7a2bba68957 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jun 2021 16:38:30 +0300
+Subject: net/mlx5: Fix return value from tracer initialization
+
+From: Aya Levin <ayal@nvidia.com>
+
+[ Upstream commit bd37c2888ccaa5ceb9895718f6909b247cc372e0 ]
+
+Check return value of mlx5_fw_tracer_start(), set error path and fix
+return value of mlx5_fw_tracer_init() accordingly.
+
+Fixes: c71ad41ccb0c ("net/mlx5: FW tracer, events handling")
+Signed-off-by: Aya Levin <ayal@nvidia.com>
+Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
+index 01a1d02dcf15..3f8a98093f8c 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
+@@ -1019,12 +1019,19 @@ int mlx5_fw_tracer_init(struct mlx5_fw_tracer *tracer)
+ MLX5_NB_INIT(&tracer->nb, fw_tracer_event, DEVICE_TRACER);
+ mlx5_eq_notifier_register(dev, &tracer->nb);
+
+- mlx5_fw_tracer_start(tracer);
+-
++ err = mlx5_fw_tracer_start(tracer);
++ if (err) {
++ mlx5_core_warn(dev, "FWTracer: Failed to start tracer %d\n", err);
++ goto err_notifier_unregister;
++ }
+ return 0;
+
++err_notifier_unregister:
++ mlx5_eq_notifier_unregister(dev, &tracer->nb);
++ mlx5_core_destroy_mkey(dev, &tracer->buff.mkey);
+ err_dealloc_pd:
+ mlx5_core_dealloc_pd(dev, tracer->buff.pdn);
++ cancel_work_sync(&tracer->read_fw_strings_work);
+ return err;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 9da1faf22b64975be399c0e2c05bb1352ccc75dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 11 Apr 2021 15:32:55 +0300
+Subject: net/mlx5: Synchronize correct IRQ when destroying CQ
+
+From: Shay Drory <shayd@nvidia.com>
+
+[ Upstream commit 563476ae0c5e48a028cbfa38fa9d2fc0418eb88f ]
+
+The CQ destroy is performed based on the IRQ number that is stored in
+cq->irqn. That number wasn't set explicitly during CQ creation and as
+expected some of the API users of mlx5_core_create_cq() forgot to update
+it.
+
+This caused to wrong synchronization call of the wrong IRQ with a number
+0 instead of the real one.
+
+As a fix, set the IRQ number directly in the mlx5_core_create_cq() and
+update all users accordingly.
+
+Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5 devices")
+Fixes: ef1659ade359 ("IB/mlx5: Add DEVX support for CQ events")
+Signed-off-by: Shay Drory <shayd@nvidia.com>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/cq.c | 4 +---
+ drivers/infiniband/hw/mlx5/devx.c | 3 +--
+ drivers/net/ethernet/mellanox/mlx5/core/cq.c | 1 +
+ .../net/ethernet/mellanox/mlx5/core/en_main.c | 13 ++----------
+ drivers/net/ethernet/mellanox/mlx5/core/eq.c | 20 +++++++++++++++----
+ .../ethernet/mellanox/mlx5/core/fpga/conn.c | 4 +---
+ .../net/ethernet/mellanox/mlx5/core/lib/eq.h | 2 ++
+ .../mellanox/mlx5/core/steering/dr_send.c | 4 +---
+ drivers/vdpa/mlx5/net/mlx5_vnet.c | 3 +--
+ include/linux/mlx5/driver.h | 3 +--
+ 10 files changed, 27 insertions(+), 30 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/cq.c b/drivers/infiniband/hw/mlx5/cq.c
+index 9ce01f729673..e14a14b634a5 100644
+--- a/drivers/infiniband/hw/mlx5/cq.c
++++ b/drivers/infiniband/hw/mlx5/cq.c
+@@ -941,7 +941,6 @@ int mlx5_ib_create_cq(struct ib_cq *ibcq, const struct ib_cq_init_attr *attr,
+ u32 *cqb = NULL;
+ void *cqc;
+ int cqe_size;
+- unsigned int irqn;
+ int eqn;
+ int err;
+
+@@ -980,7 +979,7 @@ int mlx5_ib_create_cq(struct ib_cq *ibcq, const struct ib_cq_init_attr *attr,
+ INIT_WORK(&cq->notify_work, notify_soft_wc_handler);
+ }
+
+- err = mlx5_vector2eqn(dev->mdev, vector, &eqn, &irqn);
++ err = mlx5_vector2eqn(dev->mdev, vector, &eqn);
+ if (err)
+ goto err_cqb;
+
+@@ -1003,7 +1002,6 @@ int mlx5_ib_create_cq(struct ib_cq *ibcq, const struct ib_cq_init_attr *attr,
+ goto err_cqb;
+
+ mlx5_ib_dbg(dev, "cqn 0x%x\n", cq->mcq.cqn);
+- cq->mcq.irqn = irqn;
+ if (udata)
+ cq->mcq.tasklet_ctx.comp = mlx5_ib_cq_comp;
+ else
+diff --git a/drivers/infiniband/hw/mlx5/devx.c b/drivers/infiniband/hw/mlx5/devx.c
+index eb9b0a2707f8..c869b2a91a28 100644
+--- a/drivers/infiniband/hw/mlx5/devx.c
++++ b/drivers/infiniband/hw/mlx5/devx.c
+@@ -975,7 +975,6 @@ static int UVERBS_HANDLER(MLX5_IB_METHOD_DEVX_QUERY_EQN)(
+ struct mlx5_ib_dev *dev;
+ int user_vector;
+ int dev_eqn;
+- unsigned int irqn;
+ int err;
+
+ if (uverbs_copy_from(&user_vector, attrs,
+@@ -987,7 +986,7 @@ static int UVERBS_HANDLER(MLX5_IB_METHOD_DEVX_QUERY_EQN)(
+ return PTR_ERR(c);
+ dev = to_mdev(c->ibucontext.device);
+
+- err = mlx5_vector2eqn(dev->mdev, user_vector, &dev_eqn, &irqn);
++ err = mlx5_vector2eqn(dev->mdev, user_vector, &dev_eqn);
+ if (err < 0)
+ return err;
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cq.c b/drivers/net/ethernet/mellanox/mlx5/core/cq.c
+index df3e4938ecdd..360e093874d4 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cq.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cq.c
+@@ -134,6 +134,7 @@ int mlx5_core_create_cq(struct mlx5_core_dev *dev, struct mlx5_core_cq *cq,
+ cq->cqn);
+
+ cq->uar = dev->priv.uar;
++ cq->irqn = eq->core.irqn;
+
+ return 0;
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index 3221a6a2f221..779a4abead01 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -1531,15 +1531,9 @@ static int mlx5e_alloc_cq_common(struct mlx5e_priv *priv,
+ {
+ struct mlx5_core_dev *mdev = priv->mdev;
+ struct mlx5_core_cq *mcq = &cq->mcq;
+- int eqn_not_used;
+- unsigned int irqn;
+ int err;
+ u32 i;
+
+- err = mlx5_vector2eqn(mdev, param->eq_ix, &eqn_not_used, &irqn);
+- if (err)
+- return err;
+-
+ err = mlx5_cqwq_create(mdev, ¶m->wq, param->cqc, &cq->wq,
+ &cq->wq_ctrl);
+ if (err)
+@@ -1553,7 +1547,6 @@ static int mlx5e_alloc_cq_common(struct mlx5e_priv *priv,
+ mcq->vector = param->eq_ix;
+ mcq->comp = mlx5e_completion_event;
+ mcq->event = mlx5e_cq_error_event;
+- mcq->irqn = irqn;
+
+ for (i = 0; i < mlx5_cqwq_get_size(&cq->wq); i++) {
+ struct mlx5_cqe64 *cqe = mlx5_cqwq_get_wqe(&cq->wq, i);
+@@ -1601,11 +1594,10 @@ static int mlx5e_create_cq(struct mlx5e_cq *cq, struct mlx5e_cq_param *param)
+ void *in;
+ void *cqc;
+ int inlen;
+- unsigned int irqn_not_used;
+ int eqn;
+ int err;
+
+- err = mlx5_vector2eqn(mdev, param->eq_ix, &eqn, &irqn_not_used);
++ err = mlx5_vector2eqn(mdev, param->eq_ix, &eqn);
+ if (err)
+ return err;
+
+@@ -1979,9 +1971,8 @@ static int mlx5e_open_channel(struct mlx5e_priv *priv, int ix,
+ struct mlx5e_channel *c;
+ unsigned int irq;
+ int err;
+- int eqn;
+
+- err = mlx5_vector2eqn(priv->mdev, ix, &eqn, &irq);
++ err = mlx5_vector2irqn(priv->mdev, ix, &irq);
+ if (err)
+ return err;
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eq.c b/drivers/net/ethernet/mellanox/mlx5/core/eq.c
+index 940333410267..0879551161d2 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eq.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eq.c
+@@ -871,8 +871,8 @@ clean:
+ return err;
+ }
+
+-int mlx5_vector2eqn(struct mlx5_core_dev *dev, int vector, int *eqn,
+- unsigned int *irqn)
++static int vector2eqnirqn(struct mlx5_core_dev *dev, int vector, int *eqn,
++ unsigned int *irqn)
+ {
+ struct mlx5_eq_table *table = dev->priv.eq_table;
+ struct mlx5_eq_comp *eq, *n;
+@@ -881,8 +881,10 @@ int mlx5_vector2eqn(struct mlx5_core_dev *dev, int vector, int *eqn,
+
+ list_for_each_entry_safe(eq, n, &table->comp_eqs_list, list) {
+ if (i++ == vector) {
+- *eqn = eq->core.eqn;
+- *irqn = eq->core.irqn;
++ if (irqn)
++ *irqn = eq->core.irqn;
++ if (eqn)
++ *eqn = eq->core.eqn;
+ err = 0;
+ break;
+ }
+@@ -890,8 +892,18 @@ int mlx5_vector2eqn(struct mlx5_core_dev *dev, int vector, int *eqn,
+
+ return err;
+ }
++
++int mlx5_vector2eqn(struct mlx5_core_dev *dev, int vector, int *eqn)
++{
++ return vector2eqnirqn(dev, vector, eqn, NULL);
++}
+ EXPORT_SYMBOL(mlx5_vector2eqn);
+
++int mlx5_vector2irqn(struct mlx5_core_dev *dev, int vector, unsigned int *irqn)
++{
++ return vector2eqnirqn(dev, vector, NULL, irqn);
++}
++
+ unsigned int mlx5_comp_vectors_count(struct mlx5_core_dev *dev)
+ {
+ return dev->priv.eq_table->num_comp_eqs;
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c b/drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c
+index bd66ab2af5b5..d5da4ab65766 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c
+@@ -417,7 +417,6 @@ static int mlx5_fpga_conn_create_cq(struct mlx5_fpga_conn *conn, int cq_size)
+ struct mlx5_wq_param wqp;
+ struct mlx5_cqe64 *cqe;
+ int inlen, err, eqn;
+- unsigned int irqn;
+ void *cqc, *in;
+ __be64 *pas;
+ u32 i;
+@@ -446,7 +445,7 @@ static int mlx5_fpga_conn_create_cq(struct mlx5_fpga_conn *conn, int cq_size)
+ goto err_cqwq;
+ }
+
+- err = mlx5_vector2eqn(mdev, smp_processor_id(), &eqn, &irqn);
++ err = mlx5_vector2eqn(mdev, smp_processor_id(), &eqn);
+ if (err) {
+ kvfree(in);
+ goto err_cqwq;
+@@ -476,7 +475,6 @@ static int mlx5_fpga_conn_create_cq(struct mlx5_fpga_conn *conn, int cq_size)
+ *conn->cq.mcq.arm_db = 0;
+ conn->cq.mcq.vector = 0;
+ conn->cq.mcq.comp = mlx5_fpga_conn_cq_complete;
+- conn->cq.mcq.irqn = irqn;
+ conn->cq.mcq.uar = fdev->conn_res.uar;
+ tasklet_setup(&conn->cq.tasklet, mlx5_fpga_conn_cq_tasklet);
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/eq.h b/drivers/net/ethernet/mellanox/mlx5/core/lib/eq.h
+index f607a3858ef5..bd3ed8660483 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/eq.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/eq.h
+@@ -103,4 +103,6 @@ void mlx5_core_eq_free_irqs(struct mlx5_core_dev *dev);
+ struct cpu_rmap *mlx5_eq_table_get_rmap(struct mlx5_core_dev *dev);
+ #endif
+
++int mlx5_vector2irqn(struct mlx5_core_dev *dev, int vector, unsigned int *irqn);
++
+ #endif
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_send.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_send.c
+index 12cf323a5943..9df0e73d1c35 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_send.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_send.c
+@@ -749,7 +749,6 @@ static struct mlx5dr_cq *dr_create_cq(struct mlx5_core_dev *mdev,
+ struct mlx5_cqe64 *cqe;
+ struct mlx5dr_cq *cq;
+ int inlen, err, eqn;
+- unsigned int irqn;
+ void *cqc, *in;
+ __be64 *pas;
+ int vector;
+@@ -782,7 +781,7 @@ static struct mlx5dr_cq *dr_create_cq(struct mlx5_core_dev *mdev,
+ goto err_cqwq;
+
+ vector = raw_smp_processor_id() % mlx5_comp_vectors_count(mdev);
+- err = mlx5_vector2eqn(mdev, vector, &eqn, &irqn);
++ err = mlx5_vector2eqn(mdev, vector, &eqn);
+ if (err) {
+ kvfree(in);
+ goto err_cqwq;
+@@ -818,7 +817,6 @@ static struct mlx5dr_cq *dr_create_cq(struct mlx5_core_dev *mdev,
+ *cq->mcq.arm_db = cpu_to_be32(2 << 28);
+
+ cq->mcq.vector = 0;
+- cq->mcq.irqn = irqn;
+ cq->mcq.uar = uar;
+
+ return cq;
+diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c b/drivers/vdpa/mlx5/net/mlx5_vnet.c
+index 32dd5ed712cb..f3495386698a 100644
+--- a/drivers/vdpa/mlx5/net/mlx5_vnet.c
++++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c
+@@ -526,7 +526,6 @@ static int cq_create(struct mlx5_vdpa_net *ndev, u16 idx, u32 num_ent)
+ void __iomem *uar_page = ndev->mvdev.res.uar->map;
+ u32 out[MLX5_ST_SZ_DW(create_cq_out)];
+ struct mlx5_vdpa_cq *vcq = &mvq->cq;
+- unsigned int irqn;
+ __be64 *pas;
+ int inlen;
+ void *cqc;
+@@ -566,7 +565,7 @@ static int cq_create(struct mlx5_vdpa_net *ndev, u16 idx, u32 num_ent)
+ /* Use vector 0 by default. Consider adding code to choose least used
+ * vector.
+ */
+- err = mlx5_vector2eqn(mdev, 0, &eqn, &irqn);
++ err = mlx5_vector2eqn(mdev, 0, &eqn);
+ if (err)
+ goto err_vec;
+
+diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h
+index f8902bcd91e2..58236808fdf4 100644
+--- a/include/linux/mlx5/driver.h
++++ b/include/linux/mlx5/driver.h
+@@ -1042,8 +1042,7 @@ void mlx5_unregister_debugfs(void);
+ void mlx5_fill_page_array(struct mlx5_frag_buf *buf, __be64 *pas);
+ void mlx5_fill_page_frag_array_perm(struct mlx5_frag_buf *buf, __be64 *pas, u8 perm);
+ void mlx5_fill_page_frag_array(struct mlx5_frag_buf *frag_buf, __be64 *pas);
+-int mlx5_vector2eqn(struct mlx5_core_dev *dev, int vector, int *eqn,
+- unsigned int *irqn);
++int mlx5_vector2eqn(struct mlx5_core_dev *dev, int vector, int *eqn);
+ int mlx5_core_attach_mcg(struct mlx5_core_dev *dev, union ib_gid *mgid, u32 qpn);
+ int mlx5_core_detach_mcg(struct mlx5_core_dev *dev, union ib_gid *mgid, u32 qpn);
+
+--
+2.30.2
+
--- /dev/null
+From 0528cca3d25e9e1cecf13174ec9d373c3a5652db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 1 Aug 2021 15:47:46 +0300
+Subject: net/mlx5e: Avoid creating tunnel headers for local route
+
+From: Roi Dayan <roid@nvidia.com>
+
+[ Upstream commit c623c95afa56bf4bf64e4f58742dc94616ef83db ]
+
+It could be local and remote are on the same machine and the route
+result will be a local route which will result in creating encap id
+with src/dst mac address of 0.
+
+Fixes: a54e20b4fcae ("net/mlx5e: Add basic TC tunnel set action for SRIOV offloads")
+Signed-off-by: Roi Dayan <roid@nvidia.com>
+Reviewed-by: Maor Dickman <maord@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c
+index 172e0474f2e6..3980a3905084 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c
+@@ -124,6 +124,11 @@ static int mlx5e_route_lookup_ipv4_get(struct mlx5e_priv *priv,
+ if (IS_ERR(rt))
+ return PTR_ERR(rt);
+
++ if (rt->rt_type != RTN_UNICAST) {
++ ret = -ENETUNREACH;
++ goto err_rt_release;
++ }
++
+ if (mlx5_lag_is_multipath(mdev) && rt->rt_gw_family != AF_INET) {
+ ret = -ENETUNREACH;
+ goto err_rt_release;
+--
+2.30.2
+
--- /dev/null
+From 555812ad75de658231fd2ace732c458771095013 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 May 2021 16:15:22 +0300
+Subject: net/mlx5e: Destroy page pool after XDP SQ to fix use-after-free
+
+From: Maxim Mikityanskiy <maximmi@nvidia.com>
+
+[ Upstream commit 8ba3e4c85825c8801a2c298dcadac650a40d7137 ]
+
+mlx5e_close_xdpsq does the cleanup: it calls mlx5e_free_xdpsq_descs to
+free the outstanding descriptors, which relies on
+mlx5e_page_release_dynamic and page_pool_release_page. However,
+page_pool_destroy is already called by this point, because
+mlx5e_close_rq runs before mlx5e_close_xdpsq.
+
+This commit fixes the use-after-free by swapping mlx5e_close_xdpsq and
+mlx5e_close_rq.
+
+The commit cited below started calling page_pool_destroy directly from
+the driver. Previously, the page pool was destroyed under a call_rcu
+from xdp_rxq_info_unreg_mem_model, which would defer the deallocation
+until after the XDPSQ is cleaned up.
+
+Fixes: 1da4bbeffe41 ("net: core: page_pool: add user refcnt and reintroduce page_pool_destroy")
+Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/mellanox/mlx5/core/en_main.c | 20 +++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index d0d9acb17253..3221a6a2f221 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -1887,30 +1887,30 @@ static int mlx5e_open_queues(struct mlx5e_channel *c,
+ if (err)
+ goto err_close_icosq;
+
++ err = mlx5e_open_rxq_rq(c, params, &cparam->rq);
++ if (err)
++ goto err_close_sqs;
++
+ if (c->xdp) {
+ err = mlx5e_open_xdpsq(c, params, &cparam->xdp_sq, NULL,
+ &c->rq_xdpsq, false);
+ if (err)
+- goto err_close_sqs;
++ goto err_close_rq;
+ }
+
+- err = mlx5e_open_rxq_rq(c, params, &cparam->rq);
+- if (err)
+- goto err_close_xdp_sq;
+-
+ err = mlx5e_open_xdpsq(c, params, &cparam->xdp_sq, NULL, &c->xdpsq, true);
+ if (err)
+- goto err_close_rq;
++ goto err_close_xdp_sq;
+
+ return 0;
+
+-err_close_rq:
+- mlx5e_close_rq(&c->rq);
+-
+ err_close_xdp_sq:
+ if (c->xdp)
+ mlx5e_close_xdpsq(&c->rq_xdpsq);
+
++err_close_rq:
++ mlx5e_close_rq(&c->rq);
++
+ err_close_sqs:
+ mlx5e_close_sqs(c);
+
+@@ -1945,9 +1945,9 @@ err_close_async_icosq_cq:
+ static void mlx5e_close_queues(struct mlx5e_channel *c)
+ {
+ mlx5e_close_xdpsq(&c->xdpsq);
+- mlx5e_close_rq(&c->rq);
+ if (c->xdp)
+ mlx5e_close_xdpsq(&c->rq_xdpsq);
++ mlx5e_close_rq(&c->rq);
+ mlx5e_close_sqs(c);
+ mlx5e_close_icosq(&c->icosq);
+ mlx5e_close_icosq(&c->async_icosq);
+--
+2.30.2
+
--- /dev/null
+From af869dd5267096512ecd07028995feed73eaaec7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 May 2021 11:40:34 +0800
+Subject: net/mlx5e: TC, Fix error handling memory leak
+
+From: Chris Mi <cmi@nvidia.com>
+
+[ Upstream commit 88bbd7b2369aca4598eb8f38c5f16be98c3bb5d4 ]
+
+Free the offload sample action on error.
+
+Fixes: f94d6389f6a8 ("net/mlx5e: TC, Add support to offload sample action")
+Signed-off-by: Chris Mi <cmi@nvidia.com>
+Reviewed-by: Oz Shlomo <ozsh@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/esw/sample.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/sample.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/sample.c
+index 794012c5c476..d3ad78aa9d45 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/sample.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/sample.c
+@@ -501,6 +501,7 @@ err_sampler:
+ err_offload_rule:
+ mlx5_esw_vporttbl_put(esw, &per_vport_tbl_attr);
+ err_default_tbl:
++ kfree(sample_flow);
+ return ERR_PTR(err);
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 6981715e1000453455de45d50805978d06cdc8f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Aug 2021 23:53:30 -0700
+Subject: net: mvvp2: fix short frame size on s390
+
+From: John Hubbard <jhubbard@nvidia.com>
+
+[ Upstream commit 704e624f7b3e8a4fc1ce43fb564746d1d07b20c0 ]
+
+On s390, the following build warning occurs:
+
+drivers/net/ethernet/marvell/mvpp2/mvpp2.h:844:2: warning: overflow in
+conversion from 'long unsigned int' to 'int' changes value from
+'18446744073709551584' to '-32' [-Woverflow]
+844 | ((total_size) - MVPP2_SKB_HEADROOM - MVPP2_SKB_SHINFO_SIZE)
+
+This happens because MVPP2_SKB_SHINFO_SIZE, which is 320 bytes (which is
+already 64-byte aligned) on some architectures, actually gets ALIGN'd up
+to 512 bytes in the s390 case.
+
+So then, when this is invoked:
+
+ MVPP2_RX_MAX_PKT_SIZE(MVPP2_BM_SHORT_FRAME_SIZE)
+
+...that turns into:
+
+ 704 - 224 - 512 == -32
+
+...which is not a good frame size to end up with! The warning above is a
+bit lucky: it notices a signed/unsigned bad behavior here, which leads
+to the real problem of a frame that is too short for its contents.
+
+Increase MVPP2_BM_SHORT_FRAME_SIZE by 32 (from 704 to 736), which is
+just exactly big enough. (The other values can't readily be changed
+without causing a lot of other problems.)
+
+Fixes: 07dd0a7aae7f ("mvpp2: add basic XDP support")
+Cc: Sven Auhagen <sven.auhagen@voleatech.de>
+Cc: Matteo Croce <mcroce@microsoft.com>
+Cc: David S. Miller <davem@davemloft.net>
+Signed-off-by: John Hubbard <jhubbard@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2.h b/drivers/net/ethernet/marvell/mvpp2/mvpp2.h
+index 4a61c90003b5..722209a14f53 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2.h
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2.h
+@@ -938,7 +938,7 @@ enum mvpp22_ptp_packet_format {
+ #define MVPP2_BM_COOKIE_POOL_OFFS 8
+ #define MVPP2_BM_COOKIE_CPU_OFFS 24
+
+-#define MVPP2_BM_SHORT_FRAME_SIZE 704 /* frame size 128 */
++#define MVPP2_BM_SHORT_FRAME_SIZE 736 /* frame size 128 */
+ #define MVPP2_BM_LONG_FRAME_SIZE 2240 /* frame size 1664 */
+ #define MVPP2_BM_JUMBO_FRAME_SIZE 10432 /* frame size 9856 */
+ /* BM short pool packet size
+--
+2.30.2
+
--- /dev/null
+From 2dd6499f31d37dae5ea98291ea7a4a6a2f588db1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Aug 2021 02:06:18 +0200
+Subject: net: phy: micrel: Fix link detection on ksz87xx switch"
+
+From: Ben Hutchings <ben.hutchings@mind.be>
+
+[ Upstream commit 2383cb9497d113360137a2be308b390faa80632d ]
+
+Commit a5e63c7d38d5 "net: phy: micrel: Fix detection of ksz87xx
+switch" broke link detection on the external ports of the KSZ8795.
+
+The previously unused phy_driver structure for these devices specifies
+config_aneg and read_status functions that appear to be designed for a
+fixed link and do not work with the embedded PHYs in the KSZ8795.
+
+Delete the use of these functions in favour of the generic PHY
+implementations which were used previously.
+
+Fixes: a5e63c7d38d5 ("net: phy: micrel: Fix detection of ksz87xx switch")
+Signed-off-by: Ben Hutchings <ben.hutchings@mind.be>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/micrel.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/net/phy/micrel.c b/drivers/net/phy/micrel.c
+index 7afd9edaf249..22ca29cc9ad7 100644
+--- a/drivers/net/phy/micrel.c
++++ b/drivers/net/phy/micrel.c
+@@ -1406,8 +1406,6 @@ static struct phy_driver ksphy_driver[] = {
+ .name = "Micrel KSZ87XX Switch",
+ /* PHY_BASIC_FEATURES */
+ .config_init = kszphy_config_init,
+- .config_aneg = ksz8873mll_config_aneg,
+- .read_status = ksz8873mll_read_status,
+ .match_phy_device = ksz8795_match_phy_device,
+ .suspend = genphy_suspend,
+ .resume = genphy_resume,
+--
+2.30.2
+
--- /dev/null
+From 8223def4179400e69d3e85c8b268306e0a4f1a66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Aug 2021 15:04:55 +0800
+Subject: net: sched: act_mirred: Reset ct info when mirror/redirect skb
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit d09c548dbf3b31cb07bba562e0f452edfa01efe3 ]
+
+When mirror/redirect a skb to a different port, the ct info should be reset
+for reclassification. Or the pkts will match unexpected rules. For example,
+with following topology and commands:
+
+ -----------
+ |
+ veth0 -+-------
+ |
+ veth1 -+-------
+ |
+ ------------
+
+ tc qdisc add dev veth0 clsact
+ # The same with "action mirred egress mirror dev veth1" or "action mirred ingress redirect dev veth1"
+ tc filter add dev veth0 egress chain 1 protocol ip flower ct_state +trk action mirred ingress mirror dev veth1
+ tc filter add dev veth0 egress chain 0 protocol ip flower ct_state -inv action ct commit action goto chain 1
+ tc qdisc add dev veth1 clsact
+ tc filter add dev veth1 ingress chain 0 protocol ip flower ct_state +trk action drop
+
+ ping <remove ip via veth0> &
+ tc -s filter show dev veth1 ingress
+
+With command 'tc -s filter show', we can find the pkts were dropped on
+veth1.
+
+Fixes: b57dc7c13ea9 ("net/sched: Introduce action ct")
+Signed-off-by: Roi Dayan <roid@nvidia.com>
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/act_mirred.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c
+index 7153c67f641e..2ef4cd2c848b 100644
+--- a/net/sched/act_mirred.c
++++ b/net/sched/act_mirred.c
+@@ -273,6 +273,9 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a,
+ goto out;
+ }
+
++ /* All mirred/redirected skbs should clear previous ct info */
++ nf_reset_ct(skb2);
++
+ want_ingress = tcf_mirred_act_wants_ingress(m_eaction);
+
+ expects_nh = want_ingress || !m_mac_header_xmit;
+--
+2.30.2
+
--- /dev/null
+From e8369a3205c360042f0a45fa2ed48fa7458bd9f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Aug 2021 11:05:57 +0200
+Subject: net/smc: Correct smc link connection counter in case of smc client
+
+From: Guvenc Gulce <guvenc@linux.ibm.com>
+
+[ Upstream commit 64513d269e8971aabb7e787955a1b320e3031306 ]
+
+SMC clients may be assigned to a different link after the initial
+connection between two peers was established. In such a case,
+the connection counter was not correctly set.
+
+Update the connection counter correctly when a smc client connection
+is assigned to a different smc link.
+
+Fixes: 07d51580ff65 ("net/smc: Add connection counters for links")
+Signed-off-by: Guvenc Gulce <guvenc@linux.ibm.com>
+Tested-by: Karsten Graul <kgraul@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/af_smc.c | 2 +-
+ net/smc/smc_core.c | 4 ++--
+ net/smc/smc_core.h | 2 ++
+ 3 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
+index 5eff7cccceff..66fbdc63f965 100644
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -757,7 +757,7 @@ static int smc_connect_rdma(struct smc_sock *smc,
+ reason_code = SMC_CLC_DECL_NOSRVLINK;
+ goto connect_abort;
+ }
+- smc->conn.lnk = link;
++ smc_switch_link_and_count(&smc->conn, link);
+ }
+
+ /* create send buffer and rmb */
+diff --git a/net/smc/smc_core.c b/net/smc/smc_core.c
+index 0df85a12651e..39b24f98eac5 100644
+--- a/net/smc/smc_core.c
++++ b/net/smc/smc_core.c
+@@ -916,8 +916,8 @@ static int smc_switch_cursor(struct smc_sock *smc, struct smc_cdc_tx_pend *pend,
+ return rc;
+ }
+
+-static void smc_switch_link_and_count(struct smc_connection *conn,
+- struct smc_link *to_lnk)
++void smc_switch_link_and_count(struct smc_connection *conn,
++ struct smc_link *to_lnk)
+ {
+ atomic_dec(&conn->lnk->conn_cnt);
+ conn->lnk = to_lnk;
+diff --git a/net/smc/smc_core.h b/net/smc/smc_core.h
+index 64d86298e4df..c043ecdca5c4 100644
+--- a/net/smc/smc_core.h
++++ b/net/smc/smc_core.h
+@@ -446,6 +446,8 @@ void smc_core_exit(void);
+ int smcr_link_init(struct smc_link_group *lgr, struct smc_link *lnk,
+ u8 link_idx, struct smc_init_info *ini);
+ void smcr_link_clear(struct smc_link *lnk, bool log);
++void smc_switch_link_and_count(struct smc_connection *conn,
++ struct smc_link *to_lnk);
+ int smcr_buf_map_lgr(struct smc_link *lnk);
+ int smcr_buf_reg_lgr(struct smc_link *lnk);
+ void smcr_lgr_set_type(struct smc_link_group *lgr, enum smc_lgr_type new_type);
+--
+2.30.2
+
--- /dev/null
+From 05d0d5bea984cefac0f5ab2a2078dab7451f1bdb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Aug 2021 11:05:56 +0200
+Subject: net/smc: fix wait on already cleared link
+
+From: Karsten Graul <kgraul@linux.ibm.com>
+
+[ Upstream commit 8f3d65c166797746455553f4eaf74a5f89f996d4 ]
+
+There can be a race between the waiters for a tx work request buffer
+and the link down processing that finally clears the link. Although
+all waiters are woken up before the link is cleared there might be
+waiters which did not yet get back control and are still waiting.
+This results in an access to a cleared wait queue head.
+
+Fix this by introducing atomic reference counting around the wait calls,
+and wait with the link clear processing until all waiters have finished.
+Move the work request layer related calls into smc_wr.c and set the
+link state to INACTIVE before calling smcr_link_clear() in
+smc_llc_srv_add_link().
+
+Fixes: 15e1b99aadfb ("net/smc: no WR buffer wait for terminating link group")
+Signed-off-by: Karsten Graul <kgraul@linux.ibm.com>
+Signed-off-by: Guvenc Gulce <guvenc@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/smc_core.h | 2 ++
+ net/smc/smc_llc.c | 10 ++++------
+ net/smc/smc_tx.c | 18 +++++++++++++++++-
+ net/smc/smc_wr.c | 10 ++++++++++
+ 4 files changed, 33 insertions(+), 7 deletions(-)
+
+diff --git a/net/smc/smc_core.h b/net/smc/smc_core.h
+index 6d6fd1397c87..64d86298e4df 100644
+--- a/net/smc/smc_core.h
++++ b/net/smc/smc_core.h
+@@ -97,6 +97,7 @@ struct smc_link {
+ unsigned long *wr_tx_mask; /* bit mask of used indexes */
+ u32 wr_tx_cnt; /* number of WR send buffers */
+ wait_queue_head_t wr_tx_wait; /* wait for free WR send buf */
++ atomic_t wr_tx_refcnt; /* tx refs to link */
+
+ struct smc_wr_buf *wr_rx_bufs; /* WR recv payload buffers */
+ struct ib_recv_wr *wr_rx_ibs; /* WR recv meta data */
+@@ -109,6 +110,7 @@ struct smc_link {
+
+ struct ib_reg_wr wr_reg; /* WR register memory region */
+ wait_queue_head_t wr_reg_wait; /* wait for wr_reg result */
++ atomic_t wr_reg_refcnt; /* reg refs to link */
+ enum smc_wr_reg_state wr_reg_state; /* state of wr_reg request */
+
+ u8 gid[SMC_GID_SIZE];/* gid matching used vlan id*/
+diff --git a/net/smc/smc_llc.c b/net/smc/smc_llc.c
+index 273eaf1bfe49..2e7560eba981 100644
+--- a/net/smc/smc_llc.c
++++ b/net/smc/smc_llc.c
+@@ -888,6 +888,7 @@ int smc_llc_cli_add_link(struct smc_link *link, struct smc_llc_qentry *qentry)
+ if (!rc)
+ goto out;
+ out_clear_lnk:
++ lnk_new->state = SMC_LNK_INACTIVE;
+ smcr_link_clear(lnk_new, false);
+ out_reject:
+ smc_llc_cli_add_link_reject(qentry);
+@@ -1184,6 +1185,7 @@ int smc_llc_srv_add_link(struct smc_link *link)
+ goto out_err;
+ return 0;
+ out_err:
++ link_new->state = SMC_LNK_INACTIVE;
+ smcr_link_clear(link_new, false);
+ return rc;
+ }
+@@ -1286,10 +1288,8 @@ static void smc_llc_process_cli_delete_link(struct smc_link_group *lgr)
+ del_llc->reason = 0;
+ smc_llc_send_message(lnk, &qentry->msg); /* response */
+
+- if (smc_link_downing(&lnk_del->state)) {
+- if (smc_switch_conns(lgr, lnk_del, false))
+- smc_wr_tx_wait_no_pending_sends(lnk_del);
+- }
++ if (smc_link_downing(&lnk_del->state))
++ smc_switch_conns(lgr, lnk_del, false);
+ smcr_link_clear(lnk_del, true);
+
+ active_links = smc_llc_active_link_count(lgr);
+@@ -1805,8 +1805,6 @@ void smc_llc_link_clear(struct smc_link *link, bool log)
+ link->smcibdev->ibdev->name, link->ibport);
+ complete(&link->llc_testlink_resp);
+ cancel_delayed_work_sync(&link->llc_testlink_wrk);
+- smc_wr_wakeup_reg_wait(link);
+- smc_wr_wakeup_tx_wait(link);
+ }
+
+ /* register a new rtoken at the remote peer (for all links) */
+diff --git a/net/smc/smc_tx.c b/net/smc/smc_tx.c
+index 4532c16bf85e..ff02952b3d03 100644
+--- a/net/smc/smc_tx.c
++++ b/net/smc/smc_tx.c
+@@ -479,7 +479,7 @@ static int smc_tx_rdma_writes(struct smc_connection *conn,
+ /* Wakeup sndbuf consumers from any context (IRQ or process)
+ * since there is more data to transmit; usable snd_wnd as max transmit
+ */
+-static int smcr_tx_sndbuf_nonempty(struct smc_connection *conn)
++static int _smcr_tx_sndbuf_nonempty(struct smc_connection *conn)
+ {
+ struct smc_cdc_producer_flags *pflags = &conn->local_tx_ctrl.prod_flags;
+ struct smc_link *link = conn->lnk;
+@@ -533,6 +533,22 @@ out_unlock:
+ return rc;
+ }
+
++static int smcr_tx_sndbuf_nonempty(struct smc_connection *conn)
++{
++ struct smc_link *link = conn->lnk;
++ int rc = -ENOLINK;
++
++ if (!link)
++ return rc;
++
++ atomic_inc(&link->wr_tx_refcnt);
++ if (smc_link_usable(link))
++ rc = _smcr_tx_sndbuf_nonempty(conn);
++ if (atomic_dec_and_test(&link->wr_tx_refcnt))
++ wake_up_all(&link->wr_tx_wait);
++ return rc;
++}
++
+ static int smcd_tx_sndbuf_nonempty(struct smc_connection *conn)
+ {
+ struct smc_cdc_producer_flags *pflags = &conn->local_tx_ctrl.prod_flags;
+diff --git a/net/smc/smc_wr.c b/net/smc/smc_wr.c
+index cbc73a7e4d59..a419e9af36b9 100644
+--- a/net/smc/smc_wr.c
++++ b/net/smc/smc_wr.c
+@@ -322,9 +322,12 @@ int smc_wr_reg_send(struct smc_link *link, struct ib_mr *mr)
+ if (rc)
+ return rc;
+
++ atomic_inc(&link->wr_reg_refcnt);
+ rc = wait_event_interruptible_timeout(link->wr_reg_wait,
+ (link->wr_reg_state != POSTED),
+ SMC_WR_REG_MR_WAIT_TIME);
++ if (atomic_dec_and_test(&link->wr_reg_refcnt))
++ wake_up_all(&link->wr_reg_wait);
+ if (!rc) {
+ /* timeout - terminate link */
+ smcr_link_down_cond_sched(link);
+@@ -566,10 +569,15 @@ void smc_wr_free_link(struct smc_link *lnk)
+ return;
+ ibdev = lnk->smcibdev->ibdev;
+
++ smc_wr_wakeup_reg_wait(lnk);
++ smc_wr_wakeup_tx_wait(lnk);
++
+ if (smc_wr_tx_wait_no_pending_sends(lnk))
+ memset(lnk->wr_tx_mask, 0,
+ BITS_TO_LONGS(SMC_WR_BUF_CNT) *
+ sizeof(*lnk->wr_tx_mask));
++ wait_event(lnk->wr_reg_wait, (!atomic_read(&lnk->wr_reg_refcnt)));
++ wait_event(lnk->wr_tx_wait, (!atomic_read(&lnk->wr_tx_refcnt)));
+
+ if (lnk->wr_rx_dma_addr) {
+ ib_dma_unmap_single(ibdev, lnk->wr_rx_dma_addr,
+@@ -728,7 +736,9 @@ int smc_wr_create_link(struct smc_link *lnk)
+ memset(lnk->wr_tx_mask, 0,
+ BITS_TO_LONGS(SMC_WR_BUF_CNT) * sizeof(*lnk->wr_tx_mask));
+ init_waitqueue_head(&lnk->wr_tx_wait);
++ atomic_set(&lnk->wr_tx_refcnt, 0);
+ init_waitqueue_head(&lnk->wr_reg_wait);
++ atomic_set(&lnk->wr_reg_refcnt, 0);
+ return rc;
+
+ dma_unmap:
+--
+2.30.2
+
--- /dev/null
+From 64fbc7cf542234e8a7712dad7e7ba2811b28f285 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Jul 2021 16:20:21 +0800
+Subject: netfilter: nf_conntrack_bridge: Fix memory leak when error
+
+From: Yajun Deng <yajun.deng@linux.dev>
+
+[ Upstream commit 38ea9def5b62f9193f6bad96c5d108e2830ecbde ]
+
+It should be added kfree_skb_list() when err is not equal to zero
+in nf_br_ip_fragment().
+
+v2: keep this aligned with IPv6.
+v3: modify iter.frag_list to iter.frag.
+
+Fixes: 3c171f496ef5 ("netfilter: bridge: add connection tracking system")
+Signed-off-by: Yajun Deng <yajun.deng@linux.dev>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/netfilter/nf_conntrack_bridge.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/bridge/netfilter/nf_conntrack_bridge.c b/net/bridge/netfilter/nf_conntrack_bridge.c
+index 8d033a75a766..fdbed3158555 100644
+--- a/net/bridge/netfilter/nf_conntrack_bridge.c
++++ b/net/bridge/netfilter/nf_conntrack_bridge.c
+@@ -88,6 +88,12 @@ static int nf_br_ip_fragment(struct net *net, struct sock *sk,
+
+ skb = ip_fraglist_next(&iter);
+ }
++
++ if (!err)
++ return 0;
++
++ kfree_skb_list(iter.frag);
++
+ return err;
+ }
+ slow_path:
+--
+2.30.2
+
--- /dev/null
+From 72177e693865df95b193ec9bed45028d2b8fca34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Jul 2021 10:38:43 +0200
+Subject: ovl: fix deadlock in splice write
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+[ Upstream commit 9b91b6b019fda817eb52f728eb9c79b3579760bc ]
+
+There's possibility of an ABBA deadlock in case of a splice write to an
+overlayfs file and a concurrent splice write to a corresponding real file.
+
+The call chain for splice to an overlay file:
+
+ -> do_splice [takes sb_writers on overlay file]
+ -> do_splice_from
+ -> iter_file_splice_write [takes pipe->mutex]
+ -> vfs_iter_write
+ ...
+ -> ovl_write_iter [takes sb_writers on real file]
+
+And the call chain for splice to a real file:
+
+ -> do_splice [takes sb_writers on real file]
+ -> do_splice_from
+ -> iter_file_splice_write [takes pipe->mutex]
+
+Syzbot successfully bisected this to commit 82a763e61e2b ("ovl: simplify
+file splice").
+
+Fix by reverting the write part of the above commit and by adding missing
+bits from ovl_write_iter() into ovl_splice_write().
+
+Fixes: 82a763e61e2b ("ovl: simplify file splice")
+Reported-and-tested-by: syzbot+579885d1a9a833336209@syzkaller.appspotmail.com
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/overlayfs/file.c | 47 ++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 46 insertions(+), 1 deletion(-)
+
+diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
+index 4d53d3b7e5fe..d081faa55e83 100644
+--- a/fs/overlayfs/file.c
++++ b/fs/overlayfs/file.c
+@@ -392,6 +392,51 @@ out_unlock:
+ return ret;
+ }
+
++/*
++ * Calling iter_file_splice_write() directly from overlay's f_op may deadlock
++ * due to lock order inversion between pipe->mutex in iter_file_splice_write()
++ * and file_start_write(real.file) in ovl_write_iter().
++ *
++ * So do everything ovl_write_iter() does and call iter_file_splice_write() on
++ * the real file.
++ */
++static ssize_t ovl_splice_write(struct pipe_inode_info *pipe, struct file *out,
++ loff_t *ppos, size_t len, unsigned int flags)
++{
++ struct fd real;
++ const struct cred *old_cred;
++ struct inode *inode = file_inode(out);
++ struct inode *realinode = ovl_inode_real(inode);
++ ssize_t ret;
++
++ inode_lock(inode);
++ /* Update mode */
++ ovl_copyattr(realinode, inode);
++ ret = file_remove_privs(out);
++ if (ret)
++ goto out_unlock;
++
++ ret = ovl_real_fdget(out, &real);
++ if (ret)
++ goto out_unlock;
++
++ old_cred = ovl_override_creds(inode->i_sb);
++ file_start_write(real.file);
++
++ ret = iter_file_splice_write(pipe, real.file, ppos, len, flags);
++
++ file_end_write(real.file);
++ /* Update size */
++ ovl_copyattr(realinode, inode);
++ revert_creds(old_cred);
++ fdput(real);
++
++out_unlock:
++ inode_unlock(inode);
++
++ return ret;
++}
++
+ static int ovl_fsync(struct file *file, loff_t start, loff_t end, int datasync)
+ {
+ struct fd real;
+@@ -603,7 +648,7 @@ const struct file_operations ovl_file_operations = {
+ .fadvise = ovl_fadvise,
+ .flush = ovl_flush,
+ .splice_read = generic_file_splice_read,
+- .splice_write = iter_file_splice_write,
++ .splice_write = ovl_splice_write,
+
+ .copy_file_range = ovl_copy_file_range,
+ .remap_file_range = ovl_remap_file_range,
+--
+2.30.2
+
--- /dev/null
+From 220779bf5bd4fdcb875ff91c9c32782a20d94808 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Aug 2021 06:25:28 -0700
+Subject: perf/x86/intel: Apply mid ACK for small core
+
+From: Kan Liang <kan.liang@linux.intel.com>
+
+[ Upstream commit acade6379930dfa7987f4bd9b26d1a701cc1b542 ]
+
+A warning as below may be occasionally triggered in an ADL machine when
+these conditions occur:
+
+ - Two perf record commands run one by one. Both record a PEBS event.
+ - Both runs on small cores.
+ - They have different adaptive PEBS configuration (PEBS_DATA_CFG).
+
+ [ ] WARNING: CPU: 4 PID: 9874 at arch/x86/events/intel/ds.c:1743 setup_pebs_adaptive_sample_data+0x55e/0x5b0
+ [ ] RIP: 0010:setup_pebs_adaptive_sample_data+0x55e/0x5b0
+ [ ] Call Trace:
+ [ ] <NMI>
+ [ ] intel_pmu_drain_pebs_icl+0x48b/0x810
+ [ ] perf_event_nmi_handler+0x41/0x80
+ [ ] </NMI>
+ [ ] __perf_event_task_sched_in+0x2c2/0x3a0
+
+Different from the big core, the small core requires the ACK right
+before re-enabling counters in the NMI handler, otherwise a stale PEBS
+record may be dumped into the later NMI handler, which trigger the
+warning.
+
+Add a new mid_ack flag to track the case. Add all PMI handler bits in
+the struct x86_hybrid_pmu to track the bits for different types of
+PMUs. Apply mid ACK for the small cores on an Alder Lake machine.
+
+The existing hybrid() macro has a compile error when taking address of
+a bit-field variable. Add a new macro hybrid_bit() to get the
+bit-field value of a given PMU.
+
+Fixes: f83d2f91d259 ("perf/x86/intel: Add Alder Lake Hybrid support")
+Reported-by: Ammy Yi <ammy.yi@intel.com>
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Andi Kleen <ak@linux.intel.com>
+Tested-by: Ammy Yi <ammy.yi@intel.com>
+Link: https://lkml.kernel.org/r/1627997128-57891-1-git-send-email-kan.liang@linux.intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/intel/core.c | 23 +++++++++++++++--------
+ arch/x86/events/perf_event.h | 15 +++++++++++++++
+ 2 files changed, 30 insertions(+), 8 deletions(-)
+
+diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c
+index d76be3bba11e..511d1f9a9bf8 100644
+--- a/arch/x86/events/intel/core.c
++++ b/arch/x86/events/intel/core.c
+@@ -2904,24 +2904,28 @@ static int handle_pmi_common(struct pt_regs *regs, u64 status)
+ */
+ static int intel_pmu_handle_irq(struct pt_regs *regs)
+ {
+- struct cpu_hw_events *cpuc;
++ struct cpu_hw_events *cpuc = this_cpu_ptr(&cpu_hw_events);
++ bool late_ack = hybrid_bit(cpuc->pmu, late_ack);
++ bool mid_ack = hybrid_bit(cpuc->pmu, mid_ack);
+ int loops;
+ u64 status;
+ int handled;
+ int pmu_enabled;
+
+- cpuc = this_cpu_ptr(&cpu_hw_events);
+-
+ /*
+ * Save the PMU state.
+ * It needs to be restored when leaving the handler.
+ */
+ pmu_enabled = cpuc->enabled;
+ /*
+- * No known reason to not always do late ACK,
+- * but just in case do it opt-in.
++ * In general, the early ACK is only applied for old platforms.
++ * For the big core starts from Haswell, the late ACK should be
++ * applied.
++ * For the small core after Tremont, we have to do the ACK right
++ * before re-enabling counters, which is in the middle of the
++ * NMI handler.
+ */
+- if (!x86_pmu.late_ack)
++ if (!late_ack && !mid_ack)
+ apic_write(APIC_LVTPC, APIC_DM_NMI);
+ intel_bts_disable_local();
+ cpuc->enabled = 0;
+@@ -2958,6 +2962,8 @@ again:
+ goto again;
+
+ done:
++ if (mid_ack)
++ apic_write(APIC_LVTPC, APIC_DM_NMI);
+ /* Only restore PMU state when it's active. See x86_pmu_disable(). */
+ cpuc->enabled = pmu_enabled;
+ if (pmu_enabled)
+@@ -2969,7 +2975,7 @@ done:
+ * have been reset. This avoids spurious NMIs on
+ * Haswell CPUs.
+ */
+- if (x86_pmu.late_ack)
++ if (late_ack)
+ apic_write(APIC_LVTPC, APIC_DM_NMI);
+ return handled;
+ }
+@@ -6123,7 +6129,6 @@ __init int intel_pmu_init(void)
+ static_branch_enable(&perf_is_hybrid);
+ x86_pmu.num_hybrid_pmus = X86_HYBRID_NUM_PMUS;
+
+- x86_pmu.late_ack = true;
+ x86_pmu.pebs_aliases = NULL;
+ x86_pmu.pebs_prec_dist = true;
+ x86_pmu.pebs_block = true;
+@@ -6161,6 +6166,7 @@ __init int intel_pmu_init(void)
+ pmu = &x86_pmu.hybrid_pmu[X86_HYBRID_PMU_CORE_IDX];
+ pmu->name = "cpu_core";
+ pmu->cpu_type = hybrid_big;
++ pmu->late_ack = true;
+ if (cpu_feature_enabled(X86_FEATURE_HYBRID_CPU)) {
+ pmu->num_counters = x86_pmu.num_counters + 2;
+ pmu->num_counters_fixed = x86_pmu.num_counters_fixed + 1;
+@@ -6186,6 +6192,7 @@ __init int intel_pmu_init(void)
+ pmu = &x86_pmu.hybrid_pmu[X86_HYBRID_PMU_ATOM_IDX];
+ pmu->name = "cpu_atom";
+ pmu->cpu_type = hybrid_small;
++ pmu->mid_ack = true;
+ pmu->num_counters = x86_pmu.num_counters;
+ pmu->num_counters_fixed = x86_pmu.num_counters_fixed;
+ pmu->max_pebs_events = x86_pmu.max_pebs_events;
+diff --git a/arch/x86/events/perf_event.h b/arch/x86/events/perf_event.h
+index 2938c902ffbe..e3ac05c97b5e 100644
+--- a/arch/x86/events/perf_event.h
++++ b/arch/x86/events/perf_event.h
+@@ -656,6 +656,10 @@ struct x86_hybrid_pmu {
+ struct event_constraint *event_constraints;
+ struct event_constraint *pebs_constraints;
+ struct extra_reg *extra_regs;
++
++ unsigned int late_ack :1,
++ mid_ack :1,
++ enabled_ack :1;
+ };
+
+ static __always_inline struct x86_hybrid_pmu *hybrid_pmu(struct pmu *pmu)
+@@ -686,6 +690,16 @@ extern struct static_key_false perf_is_hybrid;
+ __Fp; \
+ }))
+
++#define hybrid_bit(_pmu, _field) \
++({ \
++ bool __Fp = x86_pmu._field; \
++ \
++ if (is_hybrid() && (_pmu)) \
++ __Fp = hybrid_pmu(_pmu)->_field; \
++ \
++ __Fp; \
++})
++
+ enum hybrid_pmu_type {
+ hybrid_big = 0x40,
+ hybrid_small = 0x20,
+@@ -755,6 +769,7 @@ struct x86_pmu {
+
+ /* PMI handler bits */
+ unsigned int late_ack :1,
++ mid_ack :1,
+ enabled_ack :1;
+ /*
+ * sysfs attrs
+--
+2.30.2
+
--- /dev/null
+From 523b405d0a74d3b169e1f3b19bde9f1e7f0542b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Jul 2021 16:09:55 +0800
+Subject: pinctrl: mediatek: Fix fallback behavior for bias_set_combo
+
+From: Hsin-Yi Wang <hsinyi@chromium.org>
+
+[ Upstream commit 798a315fc359aa6dbe48e09d802aa59b7e158ffc ]
+
+Some pin doesn't support PUPD register, if it fails and fallbacks with
+bias_set_combo case, it will call mtk_pinconf_bias_set_pupd_r1_r0() to
+modify the PUPD pin again.
+
+Since the general bias set are either PU/PD or PULLSEL/PULLEN, try
+bias_set or bias_set_rev1 for the other fallback case. If the pin
+doesn't support neither PU/PD nor PULLSEL/PULLEN, it will return
+-ENOTSUPP.
+
+Fixes: 81bd1579b43e ("pinctrl: mediatek: Fix fallback call path")
+Signed-off-by: Hsin-Yi Wang <hsinyi@chromium.org>
+Reviewed-by: Chen-Yu Tsai <wenst@chromium.org>
+Reviewed-by: Zhiyong Tao <zhiyong.tao@mediatek.com>
+Link: https://lore.kernel.org/r/20210701080955.2660294-1-hsinyi@chromium.org
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c b/drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c
+index 5b3b048725cc..45ebdeba985a 100644
+--- a/drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c
++++ b/drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c
+@@ -925,12 +925,10 @@ int mtk_pinconf_adv_pull_set(struct mtk_pinctrl *hw,
+ err = hw->soc->bias_set(hw, desc, pullup);
+ if (err)
+ return err;
+- } else if (hw->soc->bias_set_combo) {
+- err = hw->soc->bias_set_combo(hw, desc, pullup, arg);
+- if (err)
+- return err;
+ } else {
+- return -ENOTSUPP;
++ err = mtk_pinconf_bias_set_rev1(hw, desc, pullup);
++ if (err)
++ err = mtk_pinconf_bias_set(hw, desc, pullup);
+ }
+ }
+
+--
+2.30.2
+
--- /dev/null
+From e41910a828ba96f0d027f9d11bfcc5bc96c851ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Jul 2021 14:25:48 +0100
+Subject: pinctrl: sunxi: Don't underestimate number of functions
+
+From: Andre Przywara <andre.przywara@arm.com>
+
+[ Upstream commit d1dee814168538eba166ae4150b37f0d88257884 ]
+
+When we are building all the various pinctrl structures for the
+Allwinner pinctrl devices, we do some estimation about the maximum
+number of distinct function (names) that we will need.
+
+So far we take the number of pins as an upper bound, even though we
+can actually have up to four special functions per pin. This wasn't a
+problem until now, since we indeed have typically far more pins than
+functions, and most pins share common functions.
+
+However the H616 "-r" pin controller has only two pins, but four
+functions, so we run over the end of the array when we are looking for
+a matching function name in sunxi_pinctrl_add_function - there is no
+NULL sentinel left that would terminate the loop:
+
+[ 8.200648] Unable to handle kernel paging request at virtual address fffdff7efbefaff5
+[ 8.209179] Mem abort info:
+....
+[ 8.368456] Call trace:
+[ 8.370925] __pi_strcmp+0x90/0xf0
+[ 8.374559] sun50i_h616_r_pinctrl_probe+0x1c/0x28
+[ 8.379557] platform_probe+0x68/0xd8
+
+Do an actual worst case allocation (4 functions per pin, three common
+functions and the sentinel) for the initial array allocation. This is
+now heavily overestimating the number of functions in the common case,
+but we will reallocate this array later with the actual number of
+functions, so it's only temporarily.
+
+Fixes: 561c1cf17c46 ("pinctrl: sunxi: Add support for the Allwinner H616-R pin controller")
+Signed-off-by: Andre Przywara <andre.przywara@arm.com>
+Acked-by: Maxime Ripard <maxime@cerno.tech>
+Link: https://lore.kernel.org/r/20210722132548.22121-1-andre.przywara@arm.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/sunxi/pinctrl-sunxi.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/pinctrl/sunxi/pinctrl-sunxi.c b/drivers/pinctrl/sunxi/pinctrl-sunxi.c
+index dc8d39ae045b..9c7679c06dca 100644
+--- a/drivers/pinctrl/sunxi/pinctrl-sunxi.c
++++ b/drivers/pinctrl/sunxi/pinctrl-sunxi.c
+@@ -1219,10 +1219,12 @@ static int sunxi_pinctrl_build_state(struct platform_device *pdev)
+ }
+
+ /*
+- * We suppose that we won't have any more functions than pins,
+- * we'll reallocate that later anyway
++ * Find an upper bound for the maximum number of functions: in
++ * the worst case we have gpio_in, gpio_out, irq and up to four
++ * special functions per pin, plus one entry for the sentinel.
++ * We'll reallocate that later anyway.
+ */
+- pctl->functions = kcalloc(pctl->ngroups,
++ pctl->functions = kcalloc(4 * pctl->ngroups + 4,
+ sizeof(*pctl->functions),
+ GFP_KERNEL);
+ if (!pctl->functions)
+--
+2.30.2
+
--- /dev/null
+From 16eb9e7ea361938884bbc4e5cdac79f9c10f564f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Aug 2021 14:21:41 +0300
+Subject: pinctrl: tigerlake: Fix GPIO mapping for newer version of software
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 2f658f7a3953f6d70bab90e117aff8d0ad44e200 ]
+
+The software mapping for GPIO, which initially comes from Microsoft,
+is subject to change by respective Windows and firmware developers.
+Due to the above the driver had been written and published way ahead
+of the schedule, and thus the numbering schema used in it is outdated.
+
+Fix the numbering schema in accordance with the real products on market.
+
+Fixes: 653d96455e1e ("pinctrl: tigerlake: Add support for Tiger Lake-H")
+Reported-and-tested-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Reported-by: Riccardo Mori <patacca@autistici.org>
+Reported-and-tested-by: Lovesh <lovesh.bond@gmail.com>
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=213463
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=213579
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=213857
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/intel/pinctrl-tigerlake.c | 26 +++++++++++------------
+ 1 file changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/pinctrl/intel/pinctrl-tigerlake.c b/drivers/pinctrl/intel/pinctrl-tigerlake.c
+index 75b6d66955bf..3ddaeffc0415 100644
+--- a/drivers/pinctrl/intel/pinctrl-tigerlake.c
++++ b/drivers/pinctrl/intel/pinctrl-tigerlake.c
+@@ -701,32 +701,32 @@ static const struct pinctrl_pin_desc tglh_pins[] = {
+
+ static const struct intel_padgroup tglh_community0_gpps[] = {
+ TGL_GPP(0, 0, 24, 0), /* GPP_A */
+- TGL_GPP(1, 25, 44, 128), /* GPP_R */
+- TGL_GPP(2, 45, 70, 32), /* GPP_B */
+- TGL_GPP(3, 71, 78, INTEL_GPIO_BASE_NOMAP), /* vGPIO_0 */
++ TGL_GPP(1, 25, 44, 32), /* GPP_R */
++ TGL_GPP(2, 45, 70, 64), /* GPP_B */
++ TGL_GPP(3, 71, 78, 96), /* vGPIO_0 */
+ };
+
+ static const struct intel_padgroup tglh_community1_gpps[] = {
+- TGL_GPP(0, 79, 104, 96), /* GPP_D */
+- TGL_GPP(1, 105, 128, 64), /* GPP_C */
+- TGL_GPP(2, 129, 136, 160), /* GPP_S */
+- TGL_GPP(3, 137, 153, 192), /* GPP_G */
+- TGL_GPP(4, 154, 180, 224), /* vGPIO */
++ TGL_GPP(0, 79, 104, 128), /* GPP_D */
++ TGL_GPP(1, 105, 128, 160), /* GPP_C */
++ TGL_GPP(2, 129, 136, 192), /* GPP_S */
++ TGL_GPP(3, 137, 153, 224), /* GPP_G */
++ TGL_GPP(4, 154, 180, 256), /* vGPIO */
+ };
+
+ static const struct intel_padgroup tglh_community3_gpps[] = {
+- TGL_GPP(0, 181, 193, 256), /* GPP_E */
+- TGL_GPP(1, 194, 217, 288), /* GPP_F */
++ TGL_GPP(0, 181, 193, 288), /* GPP_E */
++ TGL_GPP(1, 194, 217, 320), /* GPP_F */
+ };
+
+ static const struct intel_padgroup tglh_community4_gpps[] = {
+- TGL_GPP(0, 218, 241, 320), /* GPP_H */
++ TGL_GPP(0, 218, 241, 352), /* GPP_H */
+ TGL_GPP(1, 242, 251, 384), /* GPP_J */
+- TGL_GPP(2, 252, 266, 352), /* GPP_K */
++ TGL_GPP(2, 252, 266, 416), /* GPP_K */
+ };
+
+ static const struct intel_padgroup tglh_community5_gpps[] = {
+- TGL_GPP(0, 267, 281, 416), /* GPP_I */
++ TGL_GPP(0, 267, 281, 448), /* GPP_I */
+ TGL_GPP(1, 282, 290, INTEL_GPIO_BASE_NOMAP), /* JTAG */
+ };
+
+--
+2.30.2
+
--- /dev/null
+From 758970567985d29bcf971078faacf3fd8fa64a26 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Aug 2021 13:55:15 +0200
+Subject: platform/x86: pcengines-apuv2: Add missing terminating entries to
+ gpio-lookup tables
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 9d7b132e62e41b7d49bf157aeaf9147c27492e0f ]
+
+The gpiod_lookup_table.table passed to gpiod_add_lookup_table() must
+be terminated with an empty entry, add this.
+
+Note we have likely been getting away with this not being present because
+the GPIO lookup code first matches on the dev_id, causing most lookups to
+skip checking the table and the lookups which do check the table will
+find a matching entry before reaching the end. With that said, terminating
+these tables properly still is obviously the correct thing to do.
+
+Fixes: f8eb0235f659 ("x86: pcengines apuv2 gpio/leds/keys platform driver")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20210806115515.12184-1-hdegoede@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/pcengines-apuv2.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/platform/x86/pcengines-apuv2.c b/drivers/platform/x86/pcengines-apuv2.c
+index c37349f97bb8..d063d91db9bc 100644
+--- a/drivers/platform/x86/pcengines-apuv2.c
++++ b/drivers/platform/x86/pcengines-apuv2.c
+@@ -94,6 +94,7 @@ static struct gpiod_lookup_table gpios_led_table = {
+ NULL, 1, GPIO_ACTIVE_LOW),
+ GPIO_LOOKUP_IDX(AMD_FCH_GPIO_DRIVER_NAME, APU2_GPIO_LINE_LED3,
+ NULL, 2, GPIO_ACTIVE_LOW),
++ {} /* Terminating entry */
+ }
+ };
+
+@@ -123,6 +124,7 @@ static struct gpiod_lookup_table gpios_key_table = {
+ .table = {
+ GPIO_LOOKUP_IDX(AMD_FCH_GPIO_DRIVER_NAME, APU2_GPIO_LINE_MODESW,
+ NULL, 0, GPIO_ACTIVE_LOW),
++ {} /* Terminating entry */
+ }
+ };
+
+--
+2.30.2
+
--- /dev/null
+From 3a23e1c2a34563f6607b56a699ae62ea09811073 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Aug 2021 15:27:03 +0200
+Subject: ppp: Fix generating ifname when empty IFLA_IFNAME is specified
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit 2459dcb96bcba94c08d6861f8a050185ff301672 ]
+
+IFLA_IFNAME is nul-term string which means that IFLA_IFNAME buffer can be
+larger than length of string which contains.
+
+Function __rtnl_newlink() generates new own ifname if either IFLA_IFNAME
+was not specified at all or userspace passed empty nul-term string.
+
+It is expected that if userspace does not specify ifname for new ppp netdev
+then kernel generates one in format "ppp<id>" where id matches to the ppp
+unit id which can be later obtained by PPPIOCGUNIT ioctl.
+
+And it works in this way if IFLA_IFNAME is not specified at all. But it
+does not work when IFLA_IFNAME is specified with empty string.
+
+So fix this logic also for empty IFLA_IFNAME in ppp_nl_newlink() function
+and correctly generates ifname based on ppp unit identifier if userspace
+did not provided preferred ifname.
+
+Without this patch when IFLA_IFNAME was specified with empty string then
+kernel created a new ppp interface in format "ppp<id>" but id did not
+match ppp unit id returned by PPPIOCGUNIT ioctl. In this case id was some
+number generated by __rtnl_newlink() function.
+
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Fixes: bb8082f69138 ("ppp: build ifname using unit identifier for rtnl based devices")
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ppp/ppp_generic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
+index b9dd47bd597f..7a099c37527f 100644
+--- a/drivers/net/ppp/ppp_generic.c
++++ b/drivers/net/ppp/ppp_generic.c
+@@ -1317,7 +1317,7 @@ static int ppp_nl_newlink(struct net *src_net, struct net_device *dev,
+ * the PPP unit identifer as suffix (i.e. ppp<unit_id>). This allows
+ * userspace to infer the device name using to the PPPIOCGUNIT ioctl.
+ */
+- if (!tb[IFLA_IFNAME])
++ if (!tb[IFLA_IFNAME] || !nla_len(tb[IFLA_IFNAME]) || !*(char *)nla_data(tb[IFLA_IFNAME]))
+ conf.ifname_is_set = false;
+
+ err = ppp_dev_configure(src_net, dev, &conf);
+--
+2.30.2
+
--- /dev/null
+From 93b63069976bda21c768eb20a49f83d08a51e21b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Aug 2021 09:52:42 +0300
+Subject: psample: Add a fwd declaration for skbuff
+
+From: Roi Dayan <roid@nvidia.com>
+
+[ Upstream commit beb7f2de5728b0bd2140a652fa51f6ad85d159f7 ]
+
+Without this there is a warning if source files include psample.h
+before skbuff.h or doesn't include it at all.
+
+Fixes: 6ae0a6286171 ("net: Introduce psample, a new genetlink channel for packet sampling")
+Signed-off-by: Roi Dayan <roid@nvidia.com>
+Link: https://lore.kernel.org/r/20210808065242.1522535-1-roid@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/psample.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/net/psample.h b/include/net/psample.h
+index e328c5127757..0509d2d6be67 100644
+--- a/include/net/psample.h
++++ b/include/net/psample.h
+@@ -31,6 +31,8 @@ struct psample_group *psample_group_get(struct net *net, u32 group_num);
+ void psample_group_take(struct psample_group *group);
+ void psample_group_put(struct psample_group *group);
+
++struct sk_buff;
++
+ #if IS_ENABLED(CONFIG_PSAMPLE)
+
+ void psample_sample_packet(struct psample_group *group, struct sk_buff *skb,
+--
+2.30.2
+
--- /dev/null
+From af6336a636dc4103d27dd6baed3a98445accbc05 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Jul 2021 08:09:21 +0300
+Subject: selftests/sgx: Fix Q1 and Q2 calculation in sigstruct.c
+
+From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+
+[ Upstream commit 567c39047dbee341244fe3bf79fea24ee0897ff9 ]
+
+Q1 and Q2 are numbers with *maximum* length of 384 bytes. If the
+calculated length of Q1 and Q2 is less than 384 bytes, things will
+go wrong.
+
+E.g. if Q2 is 383 bytes, then
+
+1. The bytes of q2 are copied to sigstruct->q2 in calc_q1q2().
+2. The entire sigstruct->q2 is reversed, which results it being
+ 256 * Q2, given that the last byte of sigstruct->q2 is added
+ to before the bytes given by calc_q1q2().
+
+Either change in key or measurement can trigger the bug. E.g. an
+unmeasured heap could cause a devastating change in Q1 or Q2.
+
+Reverse exactly the bytes of Q1 and Q2 in calc_q1q2() before returning
+to the caller.
+
+Fixes: 2adcba79e69d ("selftests/x86: Add a selftest for SGX")
+Link: https://lore.kernel.org/linux-sgx/20210301051836.30738-1-tianjia.zhang@linux.alibaba.com/
+Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/sgx/sigstruct.c | 41 +++++++++++++------------
+ 1 file changed, 21 insertions(+), 20 deletions(-)
+
+diff --git a/tools/testing/selftests/sgx/sigstruct.c b/tools/testing/selftests/sgx/sigstruct.c
+index dee7a3d6c5a5..92bbc5a15c39 100644
+--- a/tools/testing/selftests/sgx/sigstruct.c
++++ b/tools/testing/selftests/sgx/sigstruct.c
+@@ -55,10 +55,27 @@ static bool alloc_q1q2_ctx(const uint8_t *s, const uint8_t *m,
+ return true;
+ }
+
++static void reverse_bytes(void *data, int length)
++{
++ int i = 0;
++ int j = length - 1;
++ uint8_t temp;
++ uint8_t *ptr = data;
++
++ while (i < j) {
++ temp = ptr[i];
++ ptr[i] = ptr[j];
++ ptr[j] = temp;
++ i++;
++ j--;
++ }
++}
++
+ static bool calc_q1q2(const uint8_t *s, const uint8_t *m, uint8_t *q1,
+ uint8_t *q2)
+ {
+ struct q1q2_ctx ctx;
++ int len;
+
+ if (!alloc_q1q2_ctx(s, m, &ctx)) {
+ fprintf(stderr, "Not enough memory for Q1Q2 calculation\n");
+@@ -89,8 +106,10 @@ static bool calc_q1q2(const uint8_t *s, const uint8_t *m, uint8_t *q1,
+ goto out;
+ }
+
+- BN_bn2bin(ctx.q1, q1);
+- BN_bn2bin(ctx.q2, q2);
++ len = BN_bn2bin(ctx.q1, q1);
++ reverse_bytes(q1, len);
++ len = BN_bn2bin(ctx.q2, q2);
++ reverse_bytes(q2, len);
+
+ free_q1q2_ctx(&ctx);
+ return true;
+@@ -152,22 +171,6 @@ static RSA *gen_sign_key(void)
+ return key;
+ }
+
+-static void reverse_bytes(void *data, int length)
+-{
+- int i = 0;
+- int j = length - 1;
+- uint8_t temp;
+- uint8_t *ptr = data;
+-
+- while (i < j) {
+- temp = ptr[i];
+- ptr[i] = ptr[j];
+- ptr[j] = temp;
+- i++;
+- j--;
+- }
+-}
+-
+ enum mrtags {
+ MRECREATE = 0x0045544145524345,
+ MREADD = 0x0000000044444145,
+@@ -367,8 +370,6 @@ bool encl_measure(struct encl *encl)
+ /* BE -> LE */
+ reverse_bytes(sigstruct->signature, SGX_MODULUS_SIZE);
+ reverse_bytes(sigstruct->modulus, SGX_MODULUS_SIZE);
+- reverse_bytes(sigstruct->q1, SGX_MODULUS_SIZE);
+- reverse_bytes(sigstruct->q2, SGX_MODULUS_SIZE);
+
+ EVP_MD_CTX_destroy(ctx);
+ RSA_free(key);
+--
+2.30.2
+
--- /dev/null
+ieee802154-hwsim-fix-gpf-in-hwsim_set_edge_lqi.patch
+ieee802154-hwsim-fix-gpf-in-hwsim_new_edge_nl.patch
+drm-mediatek-fix-cursor-plane-no-update.patch
+pinctrl-mediatek-fix-fallback-behavior-for-bias_set_.patch
+asoc-cs42l42-correct-definition-of-adc-volume-contro.patch
+asoc-cs42l42-don-t-allow-snd_soc_daifmt_left_j.patch
+asoc-cs42l42-fix-bclk-calculation-for-mono.patch
+interconnect-qcom-icc-rpmh-add-bcms-to-commit-list-i.patch
+selftests-sgx-fix-q1-and-q2-calculation-in-sigstruct.patch
+asoc-sof-intel-kconfig-fix-soundwire-dependencies.patch
+asoc-sof-intel-hda-ipc-fix-reply-size-checking.patch
+asoc-cs42l42-fix-inversion-of-adc-notch-switch-contr.patch
+asoc-cs42l42-remove-duplicate-control-for-wnf-filter.patch
+netfilter-nf_conntrack_bridge-fix-memory-leak-when-e.patch
+pinctrl-tigerlake-fix-gpio-mapping-for-newer-version.patch
+asoc-cs42l42-pll-must-be-running-when-changing-mclk_.patch
+asoc-cs42l42-fix-lrclk-frame-start-edge.patch
+asoc-cs42l42-fix-mono-playback.patch
+net-dsa-mt7530-add-the-missing-rxunicast-mib-counter.patch
+net-mvvp2-fix-short-frame-size-on-s390.patch
+platform-x86-pcengines-apuv2-add-missing-terminating.patch
+perf-x86-intel-apply-mid-ack-for-small-core.patch
+drm-amd-pm-fix-a-memory-leak-in-an-error-handling-pa.patch
+libbpf-fix-probe-for-bpf_prog_type_cgroup_sockopt.patch
+libbpf-do-not-close-un-owned-fd-0-on-errors.patch
+bpf-fix-integer-overflow-involving-bucket_size.patch
+net-dsa-qca-ar9331-make-proper-initial-port-defaults.patch
+net-phy-micrel-fix-link-detection-on-ksz87xx-switch.patch
+ppp-fix-generating-ifname-when-empty-ifla_ifname-is-.patch
+io_uring-clear-tif_notify_signal-when-running-task-w.patch
+net-smc-fix-wait-on-already-cleared-link.patch
+net-smc-correct-smc-link-connection-counter-in-case-.patch
+net-sched-act_mirred-reset-ct-info-when-mirror-redir.patch
+ice-prevent-probing-virtual-functions.patch
+ice-stop-processing-vf-messages-during-teardown.patch
+ice-don-t-remove-netdev-dev_addr-from-uc-sync-list.patch
+iavf-set-rss-lut-and-key-in-reset-handle-path.patch
+psample-add-a-fwd-declaration-for-skbuff.patch
+bareudp-fix-invalid-read-beyond-skb-s-linear-data.patch
+io-wq-fix-bug-of-creating-io-wokers-unconditionally.patch
+io-wq-fix-io_worker_f_fixed-issue-in-create_io_worke.patch
+net-mlx5-don-t-skip-subfunction-cleanup-in-case-of-e.patch
+net-mlx5-dr-add-fail-on-error-check-on-decap.patch
+net-mlx5e-avoid-creating-tunnel-headers-for-local-ro.patch
+net-mlx5e-destroy-page-pool-after-xdp-sq-to-fix-use-.patch
+net-mlx5-block-switchdev-mode-while-devlink-traps-ar.patch
+net-mlx5e-tc-fix-error-handling-memory-leak.patch
+net-mlx5-synchronize-correct-irq-when-destroying-cq.patch
+net-mlx5-fix-return-value-from-tracer-initialization.patch
+drm-meson-fix-colour-distortion-from-hdr-set-during-.patch
+ovl-fix-deadlock-in-splice-write.patch
+bpf-fix-potentially-incorrect-results-with-bpf_get_l.patch
+net-dsa-microchip-fix-ksz_read64.patch
+net-dsa-microchip-ksz8795-fix-pvid-tag-insertion.patch
+net-dsa-microchip-ksz8795-reject-unsupported-vlan-co.patch
+net-dsa-microchip-ksz8795-fix-vlan-untagged-flag-cha.patch
+net-dsa-microchip-ksz8795-use-software-untagging-on-.patch
+net-dsa-microchip-ksz8795-fix-vlan-filtering.patch
+net-dsa-microchip-ksz8795-don-t-use-phy_port_cnt-in-.patch
+net-fix-memory-leak-in-ieee802154_raw_deliver.patch
+net-igmp-fix-data-race-in-igmp_ifc_timer_expire.patch
+net-dsa-hellcreek-fix-broken-backpressure-in-.port_f.patch
+net-dsa-lan9303-fix-broken-backpressure-in-.port_fdb.patch
+net-dsa-lantiq-fix-broken-backpressure-in-.port_fdb_.patch
+net-dsa-sja1105-fix-broken-backpressure-in-.port_fdb.patch
+pinctrl-sunxi-don-t-underestimate-number-of-function.patch
+net-bridge-fix-flags-interpretation-for-extern-learn.patch
+net-bridge-fix-memleak-in-br_add_if.patch
+net-linkwatch-fix-failure-to-restore-device-state-ac.patch
+tcp_bbr-fix-u32-wrap-bug-in-round-logic-if-bbr_init-.patch
+net-igmp-increase-size-of-mr_ifc_count.patch
+drm-i915-only-access-sfc_done-when-media-domain-is-n.patch
+xen-events-fix-race-in-set_evtchn_to_irq.patch
+vsock-virtio-avoid-potential-deadlock-when-vsock-dev.patch
+nbd-aovid-double-completion-of-a-request.patch
--- /dev/null
+From 5eedda713860d86891a9e3090cbac0464b9b5054 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 22:40:56 -0400
+Subject: tcp_bbr: fix u32 wrap bug in round logic if bbr_init() called after
+ 2B packets
+
+From: Neal Cardwell <ncardwell@google.com>
+
+[ Upstream commit 6de035fec045f8ae5ee5f3a02373a18b939e91fb ]
+
+Currently if BBR congestion control is initialized after more than 2B
+packets have been delivered, depending on the phase of the
+tp->delivered counter the tracking of BBR round trips can get stuck.
+
+The bug arises because if tp->delivered is between 2^31 and 2^32 at
+the time the BBR congestion control module is initialized, then the
+initialization of bbr->next_rtt_delivered to 0 will cause the logic to
+believe that the end of the round trip is still billions of packets in
+the future. More specifically, the following check will fail
+repeatedly:
+
+ !before(rs->prior_delivered, bbr->next_rtt_delivered)
+
+and thus the connection will take up to 2B packets delivered before
+that check will pass and the connection will set:
+
+ bbr->round_start = 1;
+
+This could cause many mechanisms in BBR to fail to trigger, for
+example bbr_check_full_bw_reached() would likely never exit STARTUP.
+
+This bug is 5 years old and has not been observed, and as a practical
+matter this would likely rarely trigger, since it would require
+transferring at least 2B packets, or likely more than 3 terabytes of
+data, before switching congestion control algorithms to BBR.
+
+This patch is a stable candidate for kernels as far back as v4.9,
+when tcp_bbr.c was added.
+
+Fixes: 0f8782ea1497 ("tcp_bbr: add BBR congestion control")
+Signed-off-by: Neal Cardwell <ncardwell@google.com>
+Reviewed-by: Yuchung Cheng <ycheng@google.com>
+Reviewed-by: Kevin Yang <yyd@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20210811024056.235161-1-ncardwell@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_bbr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp_bbr.c b/net/ipv4/tcp_bbr.c
+index 6ea3dc2e4219..6274462b86b4 100644
+--- a/net/ipv4/tcp_bbr.c
++++ b/net/ipv4/tcp_bbr.c
+@@ -1041,7 +1041,7 @@ static void bbr_init(struct sock *sk)
+ bbr->prior_cwnd = 0;
+ tp->snd_ssthresh = TCP_INFINITE_SSTHRESH;
+ bbr->rtt_cnt = 0;
+- bbr->next_rtt_delivered = 0;
++ bbr->next_rtt_delivered = tp->delivered;
+ bbr->prev_ca_state = TCP_CA_Open;
+ bbr->packet_conservation = 0;
+
+--
+2.30.2
+
--- /dev/null
+From 31db097ff6f7c0b31568ce58982f6fc51dfbebe7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Aug 2021 13:30:56 +0800
+Subject: vsock/virtio: avoid potential deadlock when vsock device remove
+
+From: Longpeng(Mike) <longpeng2@huawei.com>
+
+[ Upstream commit 49b0b6ffe20c5344f4173f3436298782a08da4f2 ]
+
+There's a potential deadlock case when remove the vsock device or
+process the RESET event:
+
+ vsock_for_each_connected_socket:
+ spin_lock_bh(&vsock_table_lock) ----------- (1)
+ ...
+ virtio_vsock_reset_sock:
+ lock_sock(sk) --------------------- (2)
+ ...
+ spin_unlock_bh(&vsock_table_lock)
+
+lock_sock() may do initiative schedule when the 'sk' is owned by
+other thread at the same time, we would receivce a warning message
+that "scheduling while atomic".
+
+Even worse, if the next task (selected by the scheduler) try to
+release a 'sk', it need to request vsock_table_lock and the deadlock
+occur, cause the system into softlockup state.
+ Call trace:
+ queued_spin_lock_slowpath
+ vsock_remove_bound
+ vsock_remove_sock
+ virtio_transport_release
+ __vsock_release
+ vsock_release
+ __sock_release
+ sock_close
+ __fput
+ ____fput
+
+So we should not require sk_lock in this case, just like the behavior
+in vhost_vsock or vmci.
+
+Fixes: 0ea9e1d3a9e3 ("VSOCK: Introduce virtio_transport.ko")
+Cc: Stefan Hajnoczi <stefanha@redhat.com>
+Signed-off-by: Longpeng(Mike) <longpeng2@huawei.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Link: https://lore.kernel.org/r/20210812053056.1699-1-longpeng2@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/vmw_vsock/virtio_transport.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/net/vmw_vsock/virtio_transport.c b/net/vmw_vsock/virtio_transport.c
+index 2700a63ab095..3a056f8affd1 100644
+--- a/net/vmw_vsock/virtio_transport.c
++++ b/net/vmw_vsock/virtio_transport.c
+@@ -356,11 +356,14 @@ static void virtio_vsock_event_fill(struct virtio_vsock *vsock)
+
+ static void virtio_vsock_reset_sock(struct sock *sk)
+ {
+- lock_sock(sk);
++ /* vmci_transport.c doesn't take sk_lock here either. At least we're
++ * under vsock_table_lock so the sock cannot disappear while we're
++ * executing.
++ */
++
+ sk->sk_state = TCP_CLOSE;
+ sk->sk_err = ECONNRESET;
+ sk->sk_error_report(sk);
+- release_sock(sk);
+ }
+
+ static void virtio_vsock_update_guest_cid(struct virtio_vsock *vsock)
+--
+2.30.2
+
--- /dev/null
+From 8fb99778edb74b20342edcbad890ef0d6f0551e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Aug 2021 13:09:27 +0000
+Subject: xen/events: Fix race in set_evtchn_to_irq
+
+From: Maximilian Heyne <mheyne@amazon.de>
+
+[ Upstream commit 88ca2521bd5b4e8b83743c01a2d4cb09325b51e9 ]
+
+There is a TOCTOU issue in set_evtchn_to_irq. Rows in the evtchn_to_irq
+mapping are lazily allocated in this function. The check whether the row
+is already present and the row initialization is not synchronized. Two
+threads can at the same time allocate a new row for evtchn_to_irq and
+add the irq mapping to the their newly allocated row. One thread will
+overwrite what the other has set for evtchn_to_irq[row] and therefore
+the irq mapping is lost. This will trigger a BUG_ON later in
+bind_evtchn_to_cpu:
+
+ INFO: pci 0000:1a:15.4: [1d0f:8061] type 00 class 0x010802
+ INFO: nvme 0000:1a:12.1: enabling device (0000 -> 0002)
+ INFO: nvme nvme77: 1/0/0 default/read/poll queues
+ CRIT: kernel BUG at drivers/xen/events/events_base.c:427!
+ WARN: invalid opcode: 0000 [#1] SMP NOPTI
+ WARN: Workqueue: nvme-reset-wq nvme_reset_work [nvme]
+ WARN: RIP: e030:bind_evtchn_to_cpu+0xc2/0xd0
+ WARN: Call Trace:
+ WARN: set_affinity_irq+0x121/0x150
+ WARN: irq_do_set_affinity+0x37/0xe0
+ WARN: irq_setup_affinity+0xf6/0x170
+ WARN: irq_startup+0x64/0xe0
+ WARN: __setup_irq+0x69e/0x740
+ WARN: ? request_threaded_irq+0xad/0x160
+ WARN: request_threaded_irq+0xf5/0x160
+ WARN: ? nvme_timeout+0x2f0/0x2f0 [nvme]
+ WARN: pci_request_irq+0xa9/0xf0
+ WARN: ? pci_alloc_irq_vectors_affinity+0xbb/0x130
+ WARN: queue_request_irq+0x4c/0x70 [nvme]
+ WARN: nvme_reset_work+0x82d/0x1550 [nvme]
+ WARN: ? check_preempt_wakeup+0x14f/0x230
+ WARN: ? check_preempt_curr+0x29/0x80
+ WARN: ? nvme_irq_check+0x30/0x30 [nvme]
+ WARN: process_one_work+0x18e/0x3c0
+ WARN: worker_thread+0x30/0x3a0
+ WARN: ? process_one_work+0x3c0/0x3c0
+ WARN: kthread+0x113/0x130
+ WARN: ? kthread_park+0x90/0x90
+ WARN: ret_from_fork+0x3a/0x50
+
+This patch sets evtchn_to_irq rows via a cmpxchg operation so that they
+will be set only once. The row is now cleared before writing it to
+evtchn_to_irq in order to not create a race once the row is visible for
+other threads.
+
+While at it, do not require the page to be zeroed, because it will be
+overwritten with -1's in clear_evtchn_to_irq_row anyway.
+
+Signed-off-by: Maximilian Heyne <mheyne@amazon.de>
+Fixes: d0b075ffeede ("xen/events: Refactor evtchn_to_irq array to be dynamically allocated")
+Link: https://lore.kernel.org/r/20210812130930.127134-1-mheyne@amazon.de
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/xen/events/events_base.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c
+index d7e361fb0548..0e44098f3977 100644
+--- a/drivers/xen/events/events_base.c
++++ b/drivers/xen/events/events_base.c
+@@ -198,12 +198,12 @@ static void disable_dynirq(struct irq_data *data);
+
+ static DEFINE_PER_CPU(unsigned int, irq_epoch);
+
+-static void clear_evtchn_to_irq_row(unsigned row)
++static void clear_evtchn_to_irq_row(int *evtchn_row)
+ {
+ unsigned col;
+
+ for (col = 0; col < EVTCHN_PER_ROW; col++)
+- WRITE_ONCE(evtchn_to_irq[row][col], -1);
++ WRITE_ONCE(evtchn_row[col], -1);
+ }
+
+ static void clear_evtchn_to_irq_all(void)
+@@ -213,7 +213,7 @@ static void clear_evtchn_to_irq_all(void)
+ for (row = 0; row < EVTCHN_ROW(xen_evtchn_max_channels()); row++) {
+ if (evtchn_to_irq[row] == NULL)
+ continue;
+- clear_evtchn_to_irq_row(row);
++ clear_evtchn_to_irq_row(evtchn_to_irq[row]);
+ }
+ }
+
+@@ -221,6 +221,7 @@ static int set_evtchn_to_irq(evtchn_port_t evtchn, unsigned int irq)
+ {
+ unsigned row;
+ unsigned col;
++ int *evtchn_row;
+
+ if (evtchn >= xen_evtchn_max_channels())
+ return -EINVAL;
+@@ -233,11 +234,18 @@ static int set_evtchn_to_irq(evtchn_port_t evtchn, unsigned int irq)
+ if (irq == -1)
+ return 0;
+
+- evtchn_to_irq[row] = (int *)get_zeroed_page(GFP_KERNEL);
+- if (evtchn_to_irq[row] == NULL)
++ evtchn_row = (int *) __get_free_pages(GFP_KERNEL, 0);
++ if (evtchn_row == NULL)
+ return -ENOMEM;
+
+- clear_evtchn_to_irq_row(row);
++ clear_evtchn_to_irq_row(evtchn_row);
++
++ /*
++ * We've prepared an empty row for the mapping. If a different
++ * thread was faster inserting it, we can drop ours.
++ */
++ if (cmpxchg(&evtchn_to_irq[row], NULL, evtchn_row) != NULL)
++ free_page((unsigned long) evtchn_row);
+ }
+
+ WRITE_ONCE(evtchn_to_irq[row][col], irq);
+--
+2.30.2
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
