Fixes for 4.9
authorSasha Levin <sashal@kernel.org>
Sat, 15 May 2021 02:13:38 +0000 (22:13 -0400)
committerSasha Levin <sashal@kernel.org>
Sat, 15 May 2021 02:13:38 +0000 (22:13 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
36 files changed:
queue-4.9/alsa-hdsp-don-t-disable-if-not-enabled.patch [new file with mode: 0644]
queue-4.9/alsa-hdspm-don-t-disable-if-not-enabled.patch [new file with mode: 0644]
queue-4.9/alsa-rme9652-don-t-disable-if-not-enabled.patch [new file with mode: 0644]
queue-4.9/arm-9064-1-hw_breakpoint-do-not-directly-check-the-e.patch [new file with mode: 0644]
queue-4.9/asoc-rt286-generalize-support-for-alc3263-codec.patch [new file with mode: 0644]
queue-4.9/asoc-rt286-make-rt286_set_gpio_-readable-and-writabl.patch [new file with mode: 0644]
queue-4.9/bluetooth-initialize-skb_queue_head-at-l2cap_chan_cr.patch [new file with mode: 0644]
queue-4.9/bluetooth-set-conf_not_complete-as-l2cap_chan-defaul.patch [new file with mode: 0644]
queue-4.9/cuse-prevent-clone.patch [new file with mode: 0644]
queue-4.9/drm-radeon-fix-off-by-one-power_state-index-heap-ove.patch [new file with mode: 0644]
queue-4.9/f2fs-fix-a-redundant-call-to-f2fs_balance_fs-if-an-e.patch [new file with mode: 0644]
queue-4.9/fs-dlm-fix-debugfs-dump.patch [new file with mode: 0644]
queue-4.9/ip6_vti-proper-dev_-hold-put-in-ndo_-un-init-methods.patch [new file with mode: 0644]
queue-4.9/kconfig-nconf-stop-endless-search-loops.patch [new file with mode: 0644]
queue-4.9/kernel-kexec_file-fix-error-return-code-of-kexec_cal.patch [new file with mode: 0644]
queue-4.9/khugepaged-fix-wrong-result-value-for-trace_mm_colla.patch [new file with mode: 0644]
queue-4.9/ksm-fix-potential-missing-rmap_item-for-stable_node.patch [new file with mode: 0644]
queue-4.9/mac80211-clear-the-beacon-s-crc-after-channel-switch.patch [new file with mode: 0644]
queue-4.9/mm-hugeltb-handle-the-error-case-in-hugetlb_fix_rese.patch [new file with mode: 0644]
queue-4.9/net-ethernet-mtk_eth_soc-fix-rx-vlan-offload.patch [new file with mode: 0644]
queue-4.9/net-stmmac-set-fifo-sizes-for-ipq806x.patch [new file with mode: 0644]
queue-4.9/nfs-deal-correctly-with-attribute-generation-counter.patch [new file with mode: 0644]
queue-4.9/nfsv4.2-always-flush-out-writes-in-nfs42_proc_falloc.patch [new file with mode: 0644]
queue-4.9/nfsv4.2-fix-handling-of-sr_eof-in-seek-s-reply.patch [new file with mode: 0644]
queue-4.9/pci-release-of-node-in-pci_scan_device-s-error-path.patch [new file with mode: 0644]
queue-4.9/pnfs-flexfiles-fix-incorrect-size-check-in-decode_nf.patch [new file with mode: 0644]
queue-4.9/powerpc-iommu-annotate-nested-lock-for-lockdep.patch [new file with mode: 0644]
queue-4.9/powerpc-pseries-stop-calling-printk-in-rtas_stop_sel.patch [new file with mode: 0644]
queue-4.9/samples-bpf-fix-broken-tracex1-due-to-kprobe-argumen.patch [new file with mode: 0644]
queue-4.9/sctp-fix-a-sctp_mib_currestab-leak-in-sctp_sf_do_dup.patch [new file with mode: 0644]
queue-4.9/sctp-fix-out-of-bounds-warning-in-sctp_process_ascon.patch [new file with mode: 0644]
queue-4.9/selftests-set-cc-to-clang-in-lib.mk-if-llvm-is-set.patch [new file with mode: 0644]
queue-4.9/series
queue-4.9/tipc-convert-dest-node-s-address-to-network-order.patch [new file with mode: 0644]
queue-4.9/wl3501_cs-fix-out-of-bounds-warnings-in-wl3501_mgmt_.patch [new file with mode: 0644]
queue-4.9/wl3501_cs-fix-out-of-bounds-warnings-in-wl3501_send_.patch [new file with mode: 0644]

diff --git a/queue-4.9/alsa-hdsp-don-t-disable-if-not-enabled.patch b/queue-4.9/alsa-hdsp-don-t-disable-if-not-enabled.patch
new file mode 100644 (file)
index 0000000..c00bc11
--- /dev/null
@@ -0,0 +1,49 @@
+From 1d5b83d7ff25c1c2ad9dbf55ebaba51285024cca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 21 Mar 2021 11:38:38 -0400
+Subject: ALSA: hdsp: don't disable if not enabled
+
+From: Tong Zhang <ztong0001@gmail.com>
+
+[ Upstream commit 507cdb9adba006a7798c358456426e1aea3d9c4f ]
+
+hdsp wants to disable a not enabled pci device, which makes kernel
+throw a warning. Make sure the device is enabled before calling disable.
+
+[    1.758292] snd_hdsp 0000:00:03.0: disabling already-disabled device
+[    1.758327] WARNING: CPU: 0 PID: 180 at drivers/pci/pci.c:2146 pci_disable_device+0x91/0xb0
+[    1.766985] Call Trace:
+[    1.767121]  snd_hdsp_card_free+0x94/0xf0 [snd_hdsp]
+[    1.767388]  release_card_device+0x4b/0x80 [snd]
+[    1.767639]  device_release+0x3b/0xa0
+[    1.767838]  kobject_put+0x94/0x1b0
+[    1.768027]  put_device+0x13/0x20
+[    1.768207]  snd_card_free+0x61/0x90 [snd]
+[    1.768430]  snd_hdsp_probe+0x524/0x5e0 [snd_hdsp]
+
+Suggested-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Tong Zhang <ztong0001@gmail.com>
+Link: https://lore.kernel.org/r/20210321153840.378226-2-ztong0001@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/rme9652/hdsp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sound/pci/rme9652/hdsp.c b/sound/pci/rme9652/hdsp.c
+index b044dea3c815..9843954698f4 100644
+--- a/sound/pci/rme9652/hdsp.c
++++ b/sound/pci/rme9652/hdsp.c
+@@ -5314,7 +5314,8 @@ static int snd_hdsp_free(struct hdsp *hdsp)
+       if (hdsp->port)
+               pci_release_regions(hdsp->pci);
+-      pci_disable_device(hdsp->pci);
++      if (pci_is_enabled(hdsp->pci))
++              pci_disable_device(hdsp->pci);
+       return 0;
+ }
+-- 
+2.30.2
+
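Review bot: The new `pci_is_enabled()` guard in snd_hdsp_free carries no comment saying why the device can already be disabled at this point, which the call trace in the description explains (snd_hdsp_probe failing and calling snd_card_free before pci_enable_device() succeeded). A one-liner above the check, `/* probe may fail before the device is enabled; avoid the "disabling already-disabled device" warning */`, would spare the next reader a trip to the commit log. The same applies to the hdspm and rme9652 hunks below, which add the identical guard. snd_hdsp_free's body starts before the hunk.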
diff --git a/queue-4.9/alsa-hdspm-don-t-disable-if-not-enabled.patch b/queue-4.9/alsa-hdspm-don-t-disable-if-not-enabled.patch
new file mode 100644 (file)
index 0000000..47ef530
--- /dev/null
@@ -0,0 +1,49 @@
+From b975d391a3363420871d3f405d835105da3c3940 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 21 Mar 2021 11:38:39 -0400
+Subject: ALSA: hdspm: don't disable if not enabled
+
+From: Tong Zhang <ztong0001@gmail.com>
+
+[ Upstream commit 790f5719b85e12e10c41753b864e74249585ed08 ]
+
+hdspm wants to disable a not enabled pci device, which makes kernel
+throw a warning. Make sure the device is enabled before calling disable.
+
+[    1.786391] snd_hdspm 0000:00:03.0: disabling already-disabled device
+[    1.786400] WARNING: CPU: 0 PID: 182 at drivers/pci/pci.c:2146 pci_disable_device+0x91/0xb0
+[    1.795181] Call Trace:
+[    1.795320]  snd_hdspm_card_free+0x58/0xa0 [snd_hdspm]
+[    1.795595]  release_card_device+0x4b/0x80 [snd]
+[    1.795860]  device_release+0x3b/0xa0
+[    1.796072]  kobject_put+0x94/0x1b0
+[    1.796260]  put_device+0x13/0x20
+[    1.796438]  snd_card_free+0x61/0x90 [snd]
+[    1.796659]  snd_hdspm_probe+0x97b/0x1440 [snd_hdspm]
+
+Suggested-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Tong Zhang <ztong0001@gmail.com>
+Link: https://lore.kernel.org/r/20210321153840.378226-3-ztong0001@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/rme9652/hdspm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sound/pci/rme9652/hdspm.c b/sound/pci/rme9652/hdspm.c
+index 9899ef4c7efa..a88a81fc638a 100644
+--- a/sound/pci/rme9652/hdspm.c
++++ b/sound/pci/rme9652/hdspm.c
+@@ -6912,7 +6912,8 @@ static int snd_hdspm_free(struct hdspm * hdspm)
+       if (hdspm->port)
+               pci_release_regions(hdspm->pci);
+-      pci_disable_device(hdspm->pci);
++      if (pci_is_enabled(hdspm->pci))
++              pci_disable_device(hdspm->pci);
+       return 0;
+ }
+-- 
+2.30.2
+
diff --git a/queue-4.9/alsa-rme9652-don-t-disable-if-not-enabled.patch b/queue-4.9/alsa-rme9652-don-t-disable-if-not-enabled.patch
new file mode 100644 (file)
index 0000000..5f18d91
--- /dev/null
@@ -0,0 +1,49 @@
+From 4c69e63ce08c63c06e4553b9e6f742c43bca36cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 21 Mar 2021 11:38:40 -0400
+Subject: ALSA: rme9652: don't disable if not enabled
+
+From: Tong Zhang <ztong0001@gmail.com>
+
+[ Upstream commit f57a741874bb6995089020e97a1dcdf9b165dcbe ]
+
+rme9652 wants to disable a not enabled pci device, which makes kernel
+throw a warning. Make sure the device is enabled before calling disable.
+
+[    1.751595] snd_rme9652 0000:00:03.0: disabling already-disabled device
+[    1.751605] WARNING: CPU: 0 PID: 174 at drivers/pci/pci.c:2146 pci_disable_device+0x91/0xb0
+[    1.759968] Call Trace:
+[    1.760145]  snd_rme9652_card_free+0x76/0xa0 [snd_rme9652]
+[    1.760434]  release_card_device+0x4b/0x80 [snd]
+[    1.760679]  device_release+0x3b/0xa0
+[    1.760874]  kobject_put+0x94/0x1b0
+[    1.761059]  put_device+0x13/0x20
+[    1.761235]  snd_card_free+0x61/0x90 [snd]
+[    1.761454]  snd_rme9652_probe+0x3be/0x700 [snd_rme9652]
+
+Suggested-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Tong Zhang <ztong0001@gmail.com>
+Link: https://lore.kernel.org/r/20210321153840.378226-4-ztong0001@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/rme9652/rme9652.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sound/pci/rme9652/rme9652.c b/sound/pci/rme9652/rme9652.c
+index a76b1f147660..67bd75fbdc7e 100644
+--- a/sound/pci/rme9652/rme9652.c
++++ b/sound/pci/rme9652/rme9652.c
+@@ -1761,7 +1761,8 @@ static int snd_rme9652_free(struct snd_rme9652 *rme9652)
+       if (rme9652->port)
+               pci_release_regions(rme9652->pci);
+-      pci_disable_device(rme9652->pci);
++      if (pci_is_enabled(rme9652->pci))
++              pci_disable_device(rme9652->pci);
+       return 0;
+ }
+-- 
+2.30.2
+
diff --git a/queue-4.9/arm-9064-1-hw_breakpoint-do-not-directly-check-the-e.patch b/queue-4.9/arm-9064-1-hw_breakpoint-do-not-directly-check-the-e.patch
new file mode 100644 (file)
index 0000000..614121e
--- /dev/null
@@ -0,0 +1,48 @@
+From e053d7d8084fc914349d878445a28327b16a7deb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Feb 2021 03:00:05 +0100
+Subject: ARM: 9064/1: hw_breakpoint: Do not directly check the event's
+ overflow_handler hook
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit a506bd5756290821a4314f502b4bafc2afcf5260 ]
+
+The commit 1879445dfa7b ("perf/core: Set event's default
+::overflow_handler()") set a default event->overflow_handler in
+perf_event_alloc(), and replace the check event->overflow_handler with
+is_default_overflow_handler(), but one is missing.
+
+Currently, the bp->overflow_handler can not be NULL. As a result,
+enable_single_step() is always not invoked.
+
+Comments from Zhen Lei:
+
+ https://patchwork.kernel.org/project/linux-arm-kernel/patch/20210207105934.2001-1-thunder.leizhen@huawei.com/
+
+Fixes: 1879445dfa7b ("perf/core: Set event's default ::overflow_handler()")
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Cc: Wang Nan <wangnan0@huawei.com>
+Acked-by: Will Deacon <will@kernel.org>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/kernel/hw_breakpoint.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/kernel/hw_breakpoint.c b/arch/arm/kernel/hw_breakpoint.c
+index 671dbc28e5d4..59e04e2d9d9d 100644
+--- a/arch/arm/kernel/hw_breakpoint.c
++++ b/arch/arm/kernel/hw_breakpoint.c
+@@ -891,7 +891,7 @@ static void breakpoint_handler(unsigned long unknown, struct pt_regs *regs)
+                       info->trigger = addr;
+                       pr_debug("breakpoint fired: address = 0x%x\n", addr);
+                       perf_bp_event(bp, regs);
+-                      if (!bp->overflow_handler)
++                      if (is_default_overflow_handler(bp))
+                               enable_single_step(bp, addr);
+                       goto unlock;
+               }
+-- 
+2.30.2
+
diff --git a/queue-4.9/asoc-rt286-generalize-support-for-alc3263-codec.patch b/queue-4.9/asoc-rt286-generalize-support-for-alc3263-codec.patch
new file mode 100644 (file)
index 0000000..1f39e35
--- /dev/null
@@ -0,0 +1,99 @@
+From 598db3c08eed9253e29bdb38ffc7452ba01ee93b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Apr 2021 09:46:58 -0400
+Subject: ASoC: rt286: Generalize support for ALC3263 codec
+
+From: David Ward <david.ward@gatech.edu>
+
+[ Upstream commit aa2f9c12821e6a4ba1df4fb34a3dbc6a2a1ee7fe ]
+
+The ALC3263 codec on the XPS 13 9343 is also found on the Latitude 13 7350
+and Venue 11 Pro 7140. They require the same handling for the combo jack to
+work with a headset: GPIO pin 6 must be set.
+
+The HDA driver always sets this pin on the ALC3263, which it distinguishes
+by the codec vendor/device ID 0x10ec0288 and PCI subsystem vendor ID 0x1028
+(Dell). The ASoC driver does not use PCI, so adapt this check to use DMI to
+determine if Dell is the system vendor.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=150601
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=205961
+Signed-off-by: David Ward <david.ward@gatech.edu>
+Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://lore.kernel.org/r/20210418134658.4333-6-david.ward@gatech.edu
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/rt286.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/sound/soc/codecs/rt286.c b/sound/soc/codecs/rt286.c
+index 7899a2cdeb42..4a0ab620983d 100644
+--- a/sound/soc/codecs/rt286.c
++++ b/sound/soc/codecs/rt286.c
+@@ -1119,12 +1119,11 @@ static const struct dmi_system_id force_combo_jack_table[] = {
+       { }
+ };
+-static const struct dmi_system_id dmi_dell_dino[] = {
++static const struct dmi_system_id dmi_dell[] = {
+       {
+-              .ident = "Dell Dino",
++              .ident = "Dell",
+               .matches = {
+                       DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
+-                      DMI_MATCH(DMI_PRODUCT_NAME, "XPS 13 9343")
+               }
+       },
+       { }
+@@ -1135,7 +1134,7 @@ static int rt286_i2c_probe(struct i2c_client *i2c,
+ {
+       struct rt286_platform_data *pdata = dev_get_platdata(&i2c->dev);
+       struct rt286_priv *rt286;
+-      int i, ret, val;
++      int i, ret, vendor_id;
+       rt286 = devm_kzalloc(&i2c->dev, sizeof(*rt286),
+                               GFP_KERNEL);
+@@ -1151,14 +1150,15 @@ static int rt286_i2c_probe(struct i2c_client *i2c,
+       }
+       ret = regmap_read(rt286->regmap,
+-              RT286_GET_PARAM(AC_NODE_ROOT, AC_PAR_VENDOR_ID), &val);
++              RT286_GET_PARAM(AC_NODE_ROOT, AC_PAR_VENDOR_ID), &vendor_id);
+       if (ret != 0) {
+               dev_err(&i2c->dev, "I2C error %d\n", ret);
+               return ret;
+       }
+-      if (val != RT286_VENDOR_ID && val != RT288_VENDOR_ID) {
++      if (vendor_id != RT286_VENDOR_ID && vendor_id != RT288_VENDOR_ID) {
+               dev_err(&i2c->dev,
+-                      "Device with ID register %#x is not rt286\n", val);
++                      "Device with ID register %#x is not rt286\n",
++                      vendor_id);
+               return -ENODEV;
+       }
+@@ -1182,8 +1182,8 @@ static int rt286_i2c_probe(struct i2c_client *i2c,
+       if (pdata)
+               rt286->pdata = *pdata;
+-      if (dmi_check_system(force_combo_jack_table) ||
+-              dmi_check_system(dmi_dell_dino))
++      if ((vendor_id == RT288_VENDOR_ID && dmi_check_system(dmi_dell)) ||
++              dmi_check_system(force_combo_jack_table))
+               rt286->pdata.cbj_en = true;
+       regmap_write(rt286->regmap, RT286_SET_AUDIO_POWER, AC_PWRST_D3);
+@@ -1222,7 +1222,7 @@ static int rt286_i2c_probe(struct i2c_client *i2c,
+       regmap_update_bits(rt286->regmap, RT286_DEPOP_CTRL3, 0xf777, 0x4737);
+       regmap_update_bits(rt286->regmap, RT286_DEPOP_CTRL4, 0x00ff, 0x003f);
+-      if (dmi_check_system(dmi_dell_dino)) {
++      if (vendor_id == RT288_VENDOR_ID && dmi_check_system(dmi_dell)) {
+               regmap_update_bits(rt286->regmap,
+                       RT286_SET_GPIO_MASK, 0x40, 0x40);
+               regmap_update_bits(rt286->regmap,
+-- 
+2.30.2
+
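Review bot: The condition `vendor_id == RT288_VENDOR_ID && dmi_check_system(dmi_dell)` is now written out twice in rt286_i2c_probe, once when selecting `cbj_en` and again before the GPIO register writes in the last hunk; a single local such as `bool dell_alc3263 = vendor_id == RT288_VENDOR_ID && dmi_check_system(dmi_dell);` computed right after the vendor-ID check would keep both sites in agreement if the match ever changes. This is a style point only, and staying byte-identical to the upstream commit is a fair reason to leave the backport as is. rt286_i2c_probe starts before the second hunk and continues past the last one.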
diff --git a/queue-4.9/asoc-rt286-make-rt286_set_gpio_-readable-and-writabl.patch b/queue-4.9/asoc-rt286-make-rt286_set_gpio_-readable-and-writabl.patch
new file mode 100644 (file)
index 0000000..7df600d
--- /dev/null
@@ -0,0 +1,39 @@
+From 8e37432dadd90046cc0d1b66bd77d090938b74fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Apr 2021 09:46:57 -0400
+Subject: ASoC: rt286: Make RT286_SET_GPIO_* readable and writable
+
+From: David Ward <david.ward@gatech.edu>
+
+[ Upstream commit cd8499d5c03ba260e3191e90236d0e5f6b147563 ]
+
+The GPIO configuration cannot be applied if the registers are inaccessible.
+This prevented the headset mic from working on the Dell XPS 13 9343.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=114171
+Signed-off-by: David Ward <david.ward@gatech.edu>
+Link: https://lore.kernel.org/r/20210418134658.4333-5-david.ward@gatech.edu
+Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/rt286.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/soc/codecs/rt286.c b/sound/soc/codecs/rt286.c
+index 4a0ab620983d..a41dd9d1eb82 100644
+--- a/sound/soc/codecs/rt286.c
++++ b/sound/soc/codecs/rt286.c
+@@ -174,6 +174,9 @@ static bool rt286_readable_register(struct device *dev, unsigned int reg)
+       case RT286_PROC_COEF:
+       case RT286_SET_AMP_GAIN_ADC_IN1:
+       case RT286_SET_AMP_GAIN_ADC_IN2:
++      case RT286_SET_GPIO_MASK:
++      case RT286_SET_GPIO_DIRECTION:
++      case RT286_SET_GPIO_DATA:
+       case RT286_SET_POWER(RT286_DAC_OUT1):
+       case RT286_SET_POWER(RT286_DAC_OUT2):
+       case RT286_SET_POWER(RT286_ADC_IN1):
+-- 
+2.30.2
+
diff --git a/queue-4.9/bluetooth-initialize-skb_queue_head-at-l2cap_chan_cr.patch b/queue-4.9/bluetooth-initialize-skb_queue_head-at-l2cap_chan_cr.patch
new file mode 100644 (file)
index 0000000..ff4fa4b
--- /dev/null
@@ -0,0 +1,43 @@
+From f041d42d6fbb75eb2941845060680eb732cf122a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Mar 2021 07:52:07 +0900
+Subject: Bluetooth: initialize skb_queue_head at l2cap_chan_create()
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+[ Upstream commit be8597239379f0f53c9710dd6ab551bbf535bec6 ]
+
+syzbot is hitting "INFO: trying to register non-static key." message [1],
+for "struct l2cap_chan"->tx_q.lock spinlock is not yet initialized when
+l2cap_chan_del() is called due to e.g. timeout.
+
+Since "struct l2cap_chan"->lock mutex is initialized at l2cap_chan_create()
+immediately after "struct l2cap_chan" is allocated using kzalloc(), let's
+as well initialize "struct l2cap_chan"->{tx_q,srej_q}.lock spinlocks there.
+
+[1] https://syzkaller.appspot.com/bug?extid=fadfba6a911f6bf71842
+
+Reported-and-tested-by: syzbot <syzbot+fadfba6a911f6bf71842@syzkaller.appspotmail.com>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index d586caaa3af4..204b6ebd2a24 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -445,6 +445,8 @@ struct l2cap_chan *l2cap_chan_create(void)
+       if (!chan)
+               return NULL;
++      skb_queue_head_init(&chan->tx_q);
++      skb_queue_head_init(&chan->srej_q);
+       mutex_init(&chan->lock);
+       /* Set default lock nesting level */
+-- 
+2.30.2
+
diff --git a/queue-4.9/bluetooth-set-conf_not_complete-as-l2cap_chan-defaul.patch b/queue-4.9/bluetooth-set-conf_not_complete-as-l2cap_chan-defaul.patch
new file mode 100644 (file)
index 0000000..57be70b
--- /dev/null
@@ -0,0 +1,77 @@
+From 23e5d2ca09f3fd3562b5b94a9b773098c079c91b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Mar 2021 14:02:15 +0800
+Subject: Bluetooth: Set CONF_NOT_COMPLETE as l2cap_chan default
+
+From: Archie Pusaka <apusaka@chromium.org>
+
+[ Upstream commit 3a9d54b1947ecea8eea9a902c0b7eb58a98add8a ]
+
+Currently l2cap_chan_set_defaults() reset chan->conf_state to zero.
+However, there is a flag CONF_NOT_COMPLETE which is set when
+creating the l2cap_chan. It is suggested that the flag should be
+cleared when l2cap_chan is ready, but when l2cap_chan_set_defaults()
+is called, l2cap_chan is not yet ready. Therefore, we must set this
+flag as the default.
+
+Example crash call trace:
+__dump_stack lib/dump_stack.c:15 [inline]
+dump_stack+0xc4/0x118 lib/dump_stack.c:56
+panic+0x1c6/0x38b kernel/panic.c:117
+__warn+0x170/0x1b9 kernel/panic.c:471
+warn_slowpath_fmt+0xc7/0xf8 kernel/panic.c:494
+debug_print_object+0x175/0x193 lib/debugobjects.c:260
+debug_object_assert_init+0x171/0x1bf lib/debugobjects.c:614
+debug_timer_assert_init kernel/time/timer.c:629 [inline]
+debug_assert_init kernel/time/timer.c:677 [inline]
+del_timer+0x7c/0x179 kernel/time/timer.c:1034
+try_to_grab_pending+0x81/0x2e5 kernel/workqueue.c:1230
+cancel_delayed_work+0x7c/0x1c4 kernel/workqueue.c:2929
+l2cap_clear_timer+0x1e/0x41 include/net/bluetooth/l2cap.h:834
+l2cap_chan_del+0x2d8/0x37e net/bluetooth/l2cap_core.c:640
+l2cap_chan_close+0x532/0x5d8 net/bluetooth/l2cap_core.c:756
+l2cap_sock_shutdown+0x806/0x969 net/bluetooth/l2cap_sock.c:1174
+l2cap_sock_release+0x64/0x14d net/bluetooth/l2cap_sock.c:1217
+__sock_release+0xda/0x217 net/socket.c:580
+sock_close+0x1b/0x1f net/socket.c:1039
+__fput+0x322/0x55c fs/file_table.c:208
+____fput+0x17/0x19 fs/file_table.c:244
+task_work_run+0x19b/0x1d3 kernel/task_work.c:115
+exit_task_work include/linux/task_work.h:21 [inline]
+do_exit+0xe4c/0x204a kernel/exit.c:766
+do_group_exit+0x291/0x291 kernel/exit.c:891
+get_signal+0x749/0x1093 kernel/signal.c:2396
+do_signal+0xa5/0xcdb arch/x86/kernel/signal.c:737
+exit_to_usermode_loop arch/x86/entry/common.c:243 [inline]
+prepare_exit_to_usermode+0xed/0x235 arch/x86/entry/common.c:277
+syscall_return_slowpath+0x3a7/0x3b3 arch/x86/entry/common.c:348
+int_ret_from_sys_call+0x25/0xa3
+
+Signed-off-by: Archie Pusaka <apusaka@chromium.org>
+Reported-by: syzbot+338f014a98367a08a114@syzkaller.appspotmail.com
+Reviewed-by: Alain Michaud <alainm@chromium.org>
+Reviewed-by: Abhishek Pandit-Subedi <abhishekpandit@chromium.org>
+Reviewed-by: Guenter Roeck <groeck@chromium.org>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index b96818cda12d..d586caaa3af4 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -510,7 +510,9 @@ void l2cap_chan_set_defaults(struct l2cap_chan *chan)
+       chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
+       chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
+       chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
++
+       chan->conf_state = 0;
++      set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
+       set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
+ }
+-- 
+2.30.2
+
diff --git a/queue-4.9/cuse-prevent-clone.patch b/queue-4.9/cuse-prevent-clone.patch
new file mode 100644 (file)
index 0000000..154a205
--- /dev/null
@@ -0,0 +1,37 @@
+From c7b66c1f62d31f84b9f847535b21f40c95140e48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Apr 2021 10:40:58 +0200
+Subject: cuse: prevent clone
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+[ Upstream commit 8217673d07256b22881127bf50dce874d0e51653 ]
+
+For cloned connections cuse_channel_release() will be called more than
+once, resulting in use after free.
+
+Prevent device cloning for CUSE, which does not make sense at this point,
+and highly unlikely to be used in real life.
+
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/fuse/cuse.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/fuse/cuse.c b/fs/fuse/cuse.c
+index d9aba9700726..b83367300f48 100644
+--- a/fs/fuse/cuse.c
++++ b/fs/fuse/cuse.c
+@@ -616,6 +616,8 @@ static int __init cuse_init(void)
+       cuse_channel_fops.owner         = THIS_MODULE;
+       cuse_channel_fops.open          = cuse_channel_open;
+       cuse_channel_fops.release       = cuse_channel_release;
++      /* CUSE is not prepared for FUSE_DEV_IOC_CLONE */
++      cuse_channel_fops.unlocked_ioctl        = NULL;
+       cuse_class = class_create(THIS_MODULE, "cuse");
+       if (IS_ERR(cuse_class))
+-- 
+2.30.2
+
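Review bot: Clearing only `unlocked_ioctl` may leave the clone ioctl reachable through the compat entry point on this branch. `cuse_channel_fops` is a copy of `fuse_dev_operations`, and kernels before the compat_ptr_ioctl conversion set `.compat_ioctl` to `fuse_dev_ioctl` directly rather than to `compat_ptr_ioctl` (which returns -ENOIOCTLCMD when `unlocked_ioctl` is NULL); if that is the case in this tree (inferred, please confirm against fs/fuse/dev.c), a compat caller could still reach FUSE_DEV_IOC_CLONE on a CUSE channel and trigger the repeated cuse_channel_release() the commit is closing. Consider adding `cuse_channel_fops.compat_ioctl = NULL;` next to the new line, under the same comment. cuse_init's body starts before and continues past the hunk.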
diff --git a/queue-4.9/drm-radeon-fix-off-by-one-power_state-index-heap-ove.patch b/queue-4.9/drm-radeon-fix-off-by-one-power_state-index-heap-ove.patch
new file mode 100644 (file)
index 0000000..27e16f9
--- /dev/null
@@ -0,0 +1,119 @@
+From 9bb940eac638d938e83bc7e60ac4ddde42513a02 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 2 May 2021 22:06:07 -0700
+Subject: drm/radeon: Fix off-by-one power_state index heap overwrite
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 5bbf219328849e83878bddb7c226d8d42e84affc ]
+
+An out of bounds write happens when setting the default power state.
+KASAN sees this as:
+
+[drm] radeon: 512M of GTT memory ready.
+[drm] GART: num cpu pages 131072, num gpu pages 131072
+==================================================================
+BUG: KASAN: slab-out-of-bounds in
+radeon_atombios_parse_power_table_1_3+0x1837/0x1998 [radeon]
+Write of size 4 at addr ffff88810178d858 by task systemd-udevd/157
+
+CPU: 0 PID: 157 Comm: systemd-udevd Not tainted 5.12.0-E620 #50
+Hardware name: eMachines        eMachines E620  /Nile       , BIOS V1.03 09/30/2008
+Call Trace:
+ dump_stack+0xa5/0xe6
+ print_address_description.constprop.0+0x18/0x239
+ kasan_report+0x170/0x1a8
+ radeon_atombios_parse_power_table_1_3+0x1837/0x1998 [radeon]
+ radeon_atombios_get_power_modes+0x144/0x1888 [radeon]
+ radeon_pm_init+0x1019/0x1904 [radeon]
+ rs690_init+0x76e/0x84a [radeon]
+ radeon_device_init+0x1c1a/0x21e5 [radeon]
+ radeon_driver_load_kms+0xf5/0x30b [radeon]
+ drm_dev_register+0x255/0x4a0 [drm]
+ radeon_pci_probe+0x246/0x2f6 [radeon]
+ pci_device_probe+0x1aa/0x294
+ really_probe+0x30e/0x850
+ driver_probe_device+0xe6/0x135
+ device_driver_attach+0xc1/0xf8
+ __driver_attach+0x13f/0x146
+ bus_for_each_dev+0xfa/0x146
+ bus_add_driver+0x2b3/0x447
+ driver_register+0x242/0x2c1
+ do_one_initcall+0x149/0x2fd
+ do_init_module+0x1ae/0x573
+ load_module+0x4dee/0x5cca
+ __do_sys_finit_module+0xf1/0x140
+ do_syscall_64+0x33/0x40
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Without KASAN, this will manifest later when the kernel attempts to
+allocate memory that was stomped, since it collides with the inline slab
+freelist pointer:
+
+invalid opcode: 0000 [#1] SMP NOPTI
+CPU: 0 PID: 781 Comm: openrc-run.sh Tainted: G        W 5.10.12-gentoo-E620 #2
+Hardware name: eMachines        eMachines E620  /Nile , BIOS V1.03       09/30/2008
+RIP: 0010:kfree+0x115/0x230
+Code: 89 c5 e8 75 ea ff ff 48 8b 00 0f ba e0 09 72 63 e8 1f f4 ff ff 41 89 c4 48 8b 45 00 0f ba e0 10 72 0a 48 8b 45 08 a8 01 75 02 <0f> 0b 44 89 e1 48 c7 c2 00 f0 ff ff be 06 00 00 00 48 d3 e2 48 c7
+RSP: 0018:ffffb42f40267e10 EFLAGS: 00010246
+RAX: ffffd61280ee8d88 RBX: 0000000000000004 RCX: 000000008010000d
+RDX: 4000000000000000 RSI: ffffffffba1360b0 RDI: ffffd61280ee8d80
+RBP: ffffd61280ee8d80 R08: ffffffffb91bebdf R09: 0000000000000000
+R10: ffff8fe2c1047ac8 R11: 0000000000000000 R12: 0000000000000000
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000100
+FS:  00007fe80eff6b68(0000) GS:ffff8fe339c00000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007fe80eec7bc0 CR3: 0000000038012000 CR4: 00000000000006f0
+Call Trace:
+ __free_fdtable+0x16/0x1f
+ put_files_struct+0x81/0x9b
+ do_exit+0x433/0x94d
+ do_group_exit+0xa6/0xa6
+ __x64_sys_exit_group+0xf/0xf
+ do_syscall_64+0x33/0x40
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x7fe80ef64bea
+Code: Unable to access opcode bytes at RIP 0x7fe80ef64bc0.
+RSP: 002b:00007ffdb1c47528 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fe80ef64bea
+RDX: 00007fe80ef64f60 RSI: 0000000000000000 RDI: 0000000000000000
+RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
+R10: 00007fe80ee2c620 R11: 0000000000000246 R12: 00007fe80eff41e0
+R13: 00000000ffffffff R14: 0000000000000024 R15: 00007fe80edf9cd0
+Modules linked in: radeon(+) ath5k(+) snd_hda_codec_realtek ...
+
+Use a valid power_state index when initializing the "flags" and "misc"
+and "misc2" fields.
+
+Bug: https://bugzilla.kernel.org/show_bug.cgi?id=211537
+Reported-by: Erhard F. <erhard_f@mailbox.org>
+Fixes: a48b9b4edb8b ("drm/radeon/kms/pm: add asic specific callbacks for getting power state (v2)")
+Fixes: 79daedc94281 ("drm/radeon/kms: minor pm cleanups")
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/radeon/radeon_atombios.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/radeon/radeon_atombios.c b/drivers/gpu/drm/radeon/radeon_atombios.c
+index 5df3ec73021b..0bfbced3862e 100644
+--- a/drivers/gpu/drm/radeon/radeon_atombios.c
++++ b/drivers/gpu/drm/radeon/radeon_atombios.c
+@@ -2259,10 +2259,10 @@ static int radeon_atombios_parse_power_table_1_3(struct radeon_device *rdev)
+               rdev->pm.default_power_state_index = state_index - 1;
+               rdev->pm.power_state[state_index - 1].default_clock_mode =
+                       &rdev->pm.power_state[state_index - 1].clock_info[0];
+-              rdev->pm.power_state[state_index].flags &=
++              rdev->pm.power_state[state_index - 1].flags &=
+                       ~RADEON_PM_STATE_SINGLE_DISPLAY_ONLY;
+-              rdev->pm.power_state[state_index].misc = 0;
+-              rdev->pm.power_state[state_index].misc2 = 0;
++              rdev->pm.power_state[state_index - 1].misc = 0;
++              rdev->pm.power_state[state_index - 1].misc2 = 0;
+       }
+       return state_index;
+ }
+-- 
+2.30.2
+
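Review bot: The corrected block now spells `rdev->pm.power_state[state_index - 1]` five times in a row; a local such as `struct radeon_power_state *ps = &rdev->pm.power_state[state_index - 1];` declared at the top of the `if` body would make the relationship to `default_power_state_index` on the first line obvious and leave one place to get the index right. This is a style point only, and upstream parity is a reasonable argument for leaving the backport untouched. radeon_atombios_parse_power_table_1_3 starts before the hunk.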
diff --git a/queue-4.9/f2fs-fix-a-redundant-call-to-f2fs_balance_fs-if-an-e.patch b/queue-4.9/f2fs-fix-a-redundant-call-to-f2fs_balance_fs-if-an-e.patch
new file mode 100644 (file)
index 0000000..a523dcf
--- /dev/null
@@ -0,0 +1,45 @@
+From cc4cee2f358d3235264971e1c02379d63433a4a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Mar 2021 09:21:18 +0000
+Subject: f2fs: fix a redundant call to f2fs_balance_fs if an error occurs
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 28e18ee636ba28532dbe425540af06245a0bbecb ]
+
+The  uninitialized variable dn.node_changed does not get set when a
+call to f2fs_get_node_page fails.  This uninitialized value gets used
+in the call to f2fs_balance_fs() that may or not may not balances
+dirty node and dentry pages depending on the uninitialized state of
+the variable. Fix this by only calling f2fs_balance_fs if err is
+not set.
+
+Thanks to Jaegeuk Kim for suggesting an appropriate fix.
+
+Addresses-Coverity: ("Uninitialized scalar variable")
+Fixes: 2a3407607028 ("f2fs: call f2fs_balance_fs only when node was changed")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Reviewed-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/inline.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/inline.c b/fs/f2fs/inline.c
+index 482888ee8942..481fae63f163 100644
+--- a/fs/f2fs/inline.c
++++ b/fs/f2fs/inline.c
+@@ -196,7 +196,8 @@ out:
+       f2fs_put_page(page, 1);
+-      f2fs_balance_fs(sbi, dn.node_changed);
++      if (!err)
++              f2fs_balance_fs(sbi, dn.node_changed);
+       return err;
+ }
+-- 
+2.30.2
+
diff --git a/queue-4.9/fs-dlm-fix-debugfs-dump.patch b/queue-4.9/fs-dlm-fix-debugfs-dump.patch
new file mode 100644 (file)
index 0000000..625656f
--- /dev/null
@@ -0,0 +1,40 @@
+From f243746808e4c961e7c6c7a0150f8859caa78cf2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Mar 2021 17:05:08 -0500
+Subject: fs: dlm: fix debugfs dump
+
+From: Alexander Aring <aahringo@redhat.com>
+
+[ Upstream commit 92c48950b43f4a767388cf87709d8687151a641f ]
+
+This patch fixes the following message which randomly pops up during
+glocktop call:
+
+seq_file: buggy .next function table_seq_next did not update position index
+
+The issue is that seq_read_iter() in fs/seq_file.c also needs an
+increment of the index in an non next record case as well which this
+patch fixes otherwise seq_read_iter() will print out the above message.
+
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/dlm/debug_fs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/dlm/debug_fs.c b/fs/dlm/debug_fs.c
+index 466f7d60edc2..fabce23fdbac 100644
+--- a/fs/dlm/debug_fs.c
++++ b/fs/dlm/debug_fs.c
+@@ -545,6 +545,7 @@ static void *table_seq_next(struct seq_file *seq, void *iter_ptr, loff_t *pos)
+               if (bucket >= ls->ls_rsbtbl_size) {
+                       kfree(ri);
++                      ++*pos;
+                       return NULL;
+               }
+               tree = toss ? &ls->ls_rsbtbl[bucket].toss : &ls->ls_rsbtbl[bucket].keep;
+-- 
+2.30.2
+
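Review bot: The added `++*pos` on the no-more-buckets path carries no comment, and the reason it is needed (the seq_file core warns when ->next returns NULL without moving the index) lives only in the commit message. Suggest `/* seq_read_iter() requires ->next() to advance *pos even when there is no next record */` above the increment. table_seq_next() begins and ends outside the hunk, so whether other early-return paths in it have the same gap is not visible here.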
diff --git a/queue-4.9/ip6_vti-proper-dev_-hold-put-in-ndo_-un-init-methods.patch b/queue-4.9/ip6_vti-proper-dev_-hold-put-in-ndo_-un-init-methods.patch
new file mode 100644 (file)
index 0000000..004ea99
--- /dev/null
@@ -0,0 +1,98 @@
+From 7f446a10d3f131e734a8f55c8c19696abea183ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Mar 2021 12:12:54 -0700
+Subject: ip6_vti: proper dev_{hold|put} in ndo_[un]init methods
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 40cb881b5aaa0b69a7d93dec8440d5c62dae299f ]
+
+After adopting CONFIG_PCPU_DEV_REFCNT=n option, syzbot was able to trigger
+a warning [1]
+
+Issue here is that:
+
+- all dev_put() should be paired with a corresponding prior dev_hold().
+
+- A driver doing a dev_put() in its ndo_uninit() MUST also
+  do a dev_hold() in its ndo_init(), only when ndo_init()
+  is returning 0.
+
+Otherwise, register_netdevice() would call ndo_uninit()
+in its error path and release a refcount too soon.
+
+Therefore, we need to move dev_hold() call from
+vti6_tnl_create2() to vti6_dev_init_gen()
+
+[1]
+WARNING: CPU: 0 PID: 15951 at lib/refcount.c:31 refcount_warn_saturate+0xbf/0x1e0 lib/refcount.c:31
+Modules linked in:
+CPU: 0 PID: 15951 Comm: syz-executor.3 Not tainted 5.12.0-rc4-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:refcount_warn_saturate+0xbf/0x1e0 lib/refcount.c:31
+Code: 1d 6a 5a e8 09 31 ff 89 de e8 8d 1a ab fd 84 db 75 e0 e8 d4 13 ab fd 48 c7 c7 a0 e1 c1 89 c6 05 4a 5a e8 09 01 e8 2e 36 fb 04 <0f> 0b eb c4 e8 b8 13 ab fd 0f b6 1d 39 5a e8 09 31 ff 89 de e8 58
+RSP: 0018:ffffc90001eaef28 EFLAGS: 00010282
+RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
+RDX: 0000000000040000 RSI: ffffffff815c51f5 RDI: fffff520003d5dd7
+RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000
+R10: ffffffff815bdf8e R11: 0000000000000000 R12: ffff88801bb1c568
+R13: ffff88801f69e800 R14: 00000000ffffffff R15: ffff888050889d40
+FS:  00007fc79314e700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f1c1ff47108 CR3: 0000000020fd5000 CR4: 00000000001506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ __refcount_dec include/linux/refcount.h:344 [inline]
+ refcount_dec include/linux/refcount.h:359 [inline]
+ dev_put include/linux/netdevice.h:4135 [inline]
+ vti6_dev_uninit+0x31a/0x360 net/ipv6/ip6_vti.c:297
+ register_netdevice+0xadf/0x1500 net/core/dev.c:10308
+ vti6_tnl_create2+0x1b5/0x400 net/ipv6/ip6_vti.c:190
+ vti6_newlink+0x9d/0xd0 net/ipv6/ip6_vti.c:1020
+ __rtnl_newlink+0x1062/0x1710 net/core/rtnetlink.c:3443
+ rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3491
+ rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5553
+ netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502
+ netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
+ netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
+ netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
+ sock_sendmsg_nosec net/socket.c:654 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:674
+ ____sys_sendmsg+0x331/0x810 net/socket.c:2350
+ ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
+ __sys_sendmmsg+0x195/0x470 net/socket.c:2490
+ __do_sys_sendmmsg net/socket.c:2519 [inline]
+ __se_sys_sendmmsg net/socket.c:2516 [inline]
+ __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2516
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ip6_vti.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
+index b9f5155a77ef..d20ea696ecaa 100644
+--- a/net/ipv6/ip6_vti.c
++++ b/net/ipv6/ip6_vti.c
+@@ -196,7 +196,6 @@ static int vti6_tnl_create2(struct net_device *dev)
+       strcpy(t->parms.name, dev->name);
+-      dev_hold(dev);
+       vti6_tnl_link(ip6n, t);
+       return 0;
+@@ -914,6 +913,7 @@ static inline int vti6_dev_init_gen(struct net_device *dev)
+       dev->tstats = netdev_alloc_pcpu_stats(struct pcpu_sw_netstats);
+       if (!dev->tstats)
+               return -ENOMEM;
++      dev_hold(dev);
+       return 0;
+ }
+-- 
+2.30.2
+
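Review bot: The `dev_hold(dev)` added in vti6_dev_init_gen() is the counterpart of the dev_put() in vti6_dev_uninit() shown in the trace, but nothing at the call site records that pairing or that it must stay after the last failure return. Suggest a comment on the new line: `/* paired with dev_put() in vti6_dev_uninit(); take it only once init can no longer fail */`. Both enclosing functions extend beyond the hunks, so any failure return added after this line later would re-introduce the early-release problem the commit fixes.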
diff --git a/queue-4.9/kconfig-nconf-stop-endless-search-loops.patch b/queue-4.9/kconfig-nconf-stop-endless-search-loops.patch
new file mode 100644 (file)
index 0000000..895856c
--- /dev/null
@@ -0,0 +1,62 @@
+From 3318e8071ee29233ce62ff0367860f6073ca788b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Apr 2021 09:28:03 +0200
+Subject: kconfig: nconf: stop endless search loops
+
+From: Mihai Moldovan <ionic@ionic.de>
+
+[ Upstream commit 8c94b430b9f6213dec84e309bb480a71778c4213 ]
+
+If the user selects the very first entry in a page and performs a
+search-up operation, or selects the very last entry in a page and
+performs a search-down operation that will not succeed (e.g., via
+[/]asdfzzz[Up Arrow]), nconf will never terminate searching the page.
+
+The reason is that in this case, the starting point will be set to -1
+or n, which is then translated into (n - 1) (i.e., the last entry of
+the page) or 0 (i.e., the first entry of the page) and finally the
+search begins. This continues to work fine until the index reaches 0 or
+(n - 1), at which point it will be decremented to -1 or incremented to
+n, but not checked against the starting point right away. Instead, it's
+wrapped around to the bottom or top again, after which the starting
+point check occurs... and naturally fails.
+
+My original implementation added another check for -1 before wrapping
+the running index variable around, but Masahiro Yamada pointed out that
+the actual issue is that the comparison point (starting point) exceeds
+bounds (i.e., the [0,n-1] interval) in the first place and that,
+instead, the starting point should be fixed.
+
+This has the welcome side-effect of also fixing the case where the
+starting point was n while searching down, which also lead to an
+infinite loop.
+
+OTOH, this code is now essentially all his work.
+
+Amazingly, nobody seems to have been hit by this for 11 years - or at
+the very least nobody bothered to debug and fix this.
+
+Signed-off-by: Mihai Moldovan <ionic@ionic.de>
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/kconfig/nconf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/kconfig/nconf.c b/scripts/kconfig/nconf.c
+index f7049e288e93..c58a46904861 100644
+--- a/scripts/kconfig/nconf.c
++++ b/scripts/kconfig/nconf.c
+@@ -502,8 +502,8 @@ static int get_mext_match(const char *match_str, match_f flag)
+       else if (flag == FIND_NEXT_MATCH_UP)
+               --match_start;
++      match_start = (match_start + items_num) % items_num;
+       index = match_start;
+-      index = (index + items_num) % items_num;
+       while (true) {
+               char *str = k_menu_items[index].str;
+               if (strcasestr(str, match_str) != 0)
+-- 
+2.30.2
+
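Review bot: `match_start = (match_start + items_num) % items_num;` and the loop below still assume `items_num > 0`; if get_mext_match() can be reached with an empty page the new line divides by zero, as the replaced line did. The function's prologue is outside the hunk, so whether that case is excluded earlier is not visible — if it is not, an early return of the function's no-match value before the normalization would close it. With that aside, normalizing the comparison point rather than the running index is what makes the wrap-around check terminate.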
diff --git a/queue-4.9/kernel-kexec_file-fix-error-return-code-of-kexec_cal.patch b/queue-4.9/kernel-kexec_file-fix-error-return-code-of-kexec_cal.patch
new file mode 100644 (file)
index 0000000..31d0b93
--- /dev/null
@@ -0,0 +1,45 @@
+From 015655a19375e12e57b1e71fd946c00637912865 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 May 2021 18:04:38 -0700
+Subject: kernel: kexec_file: fix error return code of
+ kexec_calculate_store_digests()
+
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+
+[ Upstream commit 31d82c2c787d5cf65fedd35ebbc0c1bd95c1a679 ]
+
+When vzalloc() returns NULL to sha_regions, no error return code of
+kexec_calculate_store_digests() is assigned.  To fix this bug, ret is
+assigned with -ENOMEM in this case.
+
+Link: https://lkml.kernel.org/r/20210309083904.24321-1-baijiaju1990@gmail.com
+Fixes: a43cac0d9dc2 ("kexec: split kexec_file syscall code to kexec_file.c")
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
+Acked-by: Baoquan He <bhe@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/kexec_file.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
+index 037c321c5618..2edaed6803ff 100644
+--- a/kernel/kexec_file.c
++++ b/kernel/kexec_file.c
+@@ -528,8 +528,10 @@ static int kexec_calculate_store_digests(struct kimage *image)
+       sha_region_sz = KEXEC_SEGMENT_MAX * sizeof(struct kexec_sha_region);
+       sha_regions = vzalloc(sha_region_sz);
+-      if (!sha_regions)
++      if (!sha_regions) {
++              ret = -ENOMEM;
+               goto out_free_desc;
++      }
+       desc->tfm   = tfm;
+       desc->flags = 0;
+-- 
+2.30.2
+
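Review bot: `ret = -ENOMEM` is the right code here, but the other failure points in kexec_calculate_store_digests() that precede this hunk (presumably where `tfm` and `desc` are obtained) are not visible, so whether they already set `ret` consistently should be confirmed rather than assumed. A brief comment above the check such as `/* ret may still be 0 from earlier steps; set it before bailing out */` would document why this path needs more than a plain `goto`. The enclosing function starts and ends outside the hunk.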
diff --git a/queue-4.9/khugepaged-fix-wrong-result-value-for-trace_mm_colla.patch b/queue-4.9/khugepaged-fix-wrong-result-value-for-trace_mm_colla.patch
new file mode 100644 (file)
index 0000000..6c601fc
--- /dev/null
@@ -0,0 +1,63 @@
+From 1d555eb89fd6631d1ea5a62c907f8e13e0187d0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 May 2021 18:33:46 -0700
+Subject: khugepaged: fix wrong result value for
+ trace_mm_collapse_huge_page_isolate()
+
+From: Miaohe Lin <linmiaohe@huawei.com>
+
+[ Upstream commit 74e579bf231a337ab3786d59e64bc94f45ca7b3f ]
+
+In writable and !referenced case, the result value should be
+SCAN_LACK_REFERENCED_PAGE for trace_mm_collapse_huge_page_isolate()
+instead of default 0 (SCAN_FAIL) here.
+
+Link: https://lkml.kernel.org/r/20210306032947.35921-5-linmiaohe@huawei.com
+Fixes: 7d2eba0557c1 ("mm: add tracepoint for scanning pages")
+Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
+Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Ebru Akagunduz <ebru.akagunduz@gmail.com>
+Cc: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: Rik van Riel <riel@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/khugepaged.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/mm/khugepaged.c b/mm/khugepaged.c
+index 753b0e2fef36..0f1bdbae45e2 100644
+--- a/mm/khugepaged.c
++++ b/mm/khugepaged.c
+@@ -596,17 +596,17 @@ static int __collapse_huge_page_isolate(struct vm_area_struct *vma,
+                   mmu_notifier_test_young(vma->vm_mm, address))
+                       referenced++;
+       }
+-      if (likely(writable)) {
+-              if (likely(referenced)) {
+-                      result = SCAN_SUCCEED;
+-                      trace_mm_collapse_huge_page_isolate(page, none_or_zero,
+-                                                          referenced, writable, result);
+-                      return 1;
+-              }
+-      } else {
++
++      if (unlikely(!writable)) {
+               result = SCAN_PAGE_RO;
++      } else if (unlikely(!referenced)) {
++              result = SCAN_LACK_REFERENCED_PAGE;
++      } else {
++              result = SCAN_SUCCEED;
++              trace_mm_collapse_huge_page_isolate(page, none_or_zero,
++                                                  referenced, writable, result);
++              return 1;
+       }
+-
+ out:
+       release_pte_pages(pte, _pte);
+       trace_mm_collapse_huge_page_isolate(page, none_or_zero,
+-- 
+2.30.2
+
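Review bot: The new `SCAN_PAGE_RO` and `SCAN_LACK_REFERENCED_PAGE` branches rely on falling through to `out:`, where release_pte_pages() and the tracepoint report `result`, while only the success branch returns early; that asymmetry is easy to miss when reading the if/else chain. Suggest a comment after the chain: `/* failure results fall through to out: for cleanup and tracing */`. The function continues past the hunk, so the trace call at `out:` is only partly visible.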
diff --git a/queue-4.9/ksm-fix-potential-missing-rmap_item-for-stable_node.patch b/queue-4.9/ksm-fix-potential-missing-rmap_item-for-stable_node.patch
new file mode 100644 (file)
index 0000000..b56eb45
--- /dev/null
@@ -0,0 +1,57 @@
+From e1500290509d3b14f8843867403458f6f847747e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 May 2021 18:37:45 -0700
+Subject: ksm: fix potential missing rmap_item for stable_node
+
+From: Miaohe Lin <linmiaohe@huawei.com>
+
+[ Upstream commit c89a384e2551c692a9fe60d093fd7080f50afc51 ]
+
+When removing rmap_item from stable tree, STABLE_FLAG of rmap_item is
+cleared with head reserved.  So the following scenario might happen: For
+ksm page with rmap_item1:
+
+cmp_and_merge_page
+  stable_node->head = &migrate_nodes;
+  remove_rmap_item_from_tree, but head still equal to stable_node;
+  try_to_merge_with_ksm_page failed;
+  return;
+
+For the same ksm page with rmap_item2, stable node migration succeed this
+time.  The stable_node->head does not equal to migrate_nodes now.  For ksm
+page with rmap_item1 again:
+
+cmp_and_merge_page
+ stable_node->head != &migrate_nodes && rmap_item->head == stable_node
+ return;
+
+We would miss the rmap_item for stable_node and might result in failed
+rmap_walk_ksm().  Fix this by set rmap_item->head to NULL when rmap_item
+is removed from stable tree.
+
+Link: https://lkml.kernel.org/r/20210330140228.45635-5-linmiaohe@huawei.com
+Fixes: 4146d2d673e8 ("ksm: make !merge_across_nodes migration safe")
+Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
+Cc: Hugh Dickins <hughd@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/ksm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/mm/ksm.c b/mm/ksm.c
+index d6c81a5076a7..27ff68050d85 100644
+--- a/mm/ksm.c
++++ b/mm/ksm.c
+@@ -629,6 +629,7 @@ static void remove_rmap_item_from_tree(struct rmap_item *rmap_item)
+                       ksm_pages_shared--;
+               put_anon_vma(rmap_item->anon_vma);
++              rmap_item->head = NULL;
+               rmap_item->address &= PAGE_MASK;
+       } else if (rmap_item->address & UNSTABLE_FLAG) {
+-- 
+2.30.2
+
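Review bot: `rmap_item->head = NULL;` is the whole fix, but the reason it matters — cmp_and_merge_page() keying on `rmap_item->head == stable_node` for an item that was already detached — is only in the commit message. Suggest `/* detach from the stable node so a later cmp_and_merge_page() does not skip this item */` beside the assignment. remove_rmap_item_from_tree() continues outside the hunk; whether the unstable branch below needs a matching reset is not visible here.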
diff --git a/queue-4.9/mac80211-clear-the-beacon-s-crc-after-channel-switch.patch b/queue-4.9/mac80211-clear-the-beacon-s-crc-after-channel-switch.patch
new file mode 100644 (file)
index 0000000..1584a2c
--- /dev/null
@@ -0,0 +1,52 @@
+From c1fd069ee79a172bd05c9237cc58c3ed1f99f967 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Apr 2021 14:31:25 +0200
+Subject: mac80211: clear the beacon's CRC after channel switch
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+[ Upstream commit d6843d1ee283137723b4a8c76244607ce6db1951 ]
+
+After channel switch, we should consider any beacon with a
+CSA IE as a new switch. If the CSA IE is a leftover from
+before the switch that the AP forgot to remove, we'll get
+a CSA-to-Self.
+
+This caused issues in iwlwifi where the firmware saw a beacon
+with a CSA-to-Self with mode = 1 on the new channel after a
+switch. The firmware considered this a new switch and closed
+its queues. Since the beacon didn't change between before and
+after the switch, we wouldn't handle it (the CRC is the same)
+and we wouldn't let the firmware open its queues again or
+disconnect if the CSA IE stays for too long.
+
+Clear the CRC valid state after we switch to make sure that
+we handle the beacon and handle the CSA IE as required.
+
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Link: https://lore.kernel.org/r/20210408143124.b9e68aa98304.I465afb55ca2c7d59f7bf610c6046a1fd732b4c28@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mlme.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
+index 58b80270e58c..3217c98f2b5a 100644
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -1101,6 +1101,11 @@ static void ieee80211_chswitch_post_beacon(struct ieee80211_sub_if_data *sdata)
+       sdata->vif.csa_active = false;
+       ifmgd->csa_waiting_bcn = false;
++      /*
++       * If the CSA IE is still present on the beacon after the switch,
++       * we need to consider it as a new CSA (possibly to self).
++       */
++      ifmgd->beacon_crc_valid = false;
+       ret = drv_post_channel_switch(sdata);
+       if (ret) {
+-- 
+2.30.2
+
diff --git a/queue-4.9/mm-hugeltb-handle-the-error-case-in-hugetlb_fix_rese.patch b/queue-4.9/mm-hugeltb-handle-the-error-case-in-hugetlb_fix_rese.patch
new file mode 100644 (file)
index 0000000..2863a3f
--- /dev/null
@@ -0,0 +1,57 @@
+From f576ff5fdf3027ea9d845ff1b39ee76f061c7e10 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 May 2021 18:34:38 -0700
+Subject: mm/hugeltb: handle the error case in hugetlb_fix_reserve_counts()
+
+From: Miaohe Lin <linmiaohe@huawei.com>
+
+[ Upstream commit da56388c4397878a65b74f7fe97760f5aa7d316b ]
+
+A rare out of memory error would prevent removal of the reserve map region
+for a page.  hugetlb_fix_reserve_counts() handles this rare case to avoid
+dangling with incorrect counts.  Unfortunately, hugepage_subpool_get_pages
+and hugetlb_acct_memory could possibly fail too.  We should correctly
+handle these cases.
+
+Link: https://lkml.kernel.org/r/20210410072348.20437-5-linmiaohe@huawei.com
+Fixes: b5cec28d36f5 ("hugetlbfs: truncate_hugepages() takes a range of pages")
+Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
+Cc: Feilong Lin <linfeilong@huawei.com>
+Cc: Mike Kravetz <mike.kravetz@oracle.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/hugetlb.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/mm/hugetlb.c b/mm/hugetlb.c
+index e2b5e38e7a4b..9049e8613237 100644
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -586,13 +586,20 @@ void hugetlb_fix_reserve_counts(struct inode *inode)
+ {
+       struct hugepage_subpool *spool = subpool_inode(inode);
+       long rsv_adjust;
++      bool reserved = false;
+       rsv_adjust = hugepage_subpool_get_pages(spool, 1);
+-      if (rsv_adjust) {
++      if (rsv_adjust > 0) {
+               struct hstate *h = hstate_inode(inode);
+-              hugetlb_acct_memory(h, 1);
++              if (!hugetlb_acct_memory(h, 1))
++                      reserved = true;
++      } else if (!rsv_adjust) {
++              reserved = true;
+       }
++
++      if (!reserved)
++              pr_warn("hugetlb: Huge Page Reserved count may go negative.\n");
+ }
+ /*
+-- 
+2.30.2
+
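Review bot: A negative return from hugepage_subpool_get_pages() is handled only implicitly: neither the `> 0` nor the `== 0` branch matches, so `reserved` stays false and the warning fires, which is correct but not obvious from the branches. Suggest `/* rsv_adjust < 0: subpool reservation failed, fall through to the warning */` above `if (!reserved)`. If this path can be hit repeatedly under memory pressure, `pr_warn_once` may be preferable to avoid log flooding, but that depends on the callers, which are outside the hunk.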
diff --git a/queue-4.9/net-ethernet-mtk_eth_soc-fix-rx-vlan-offload.patch b/queue-4.9/net-ethernet-mtk_eth_soc-fix-rx-vlan-offload.patch
new file mode 100644 (file)
index 0000000..f1aff8d
--- /dev/null
@@ -0,0 +1,50 @@
+From 44febb910ecf769fe10cc28cdbfbe5c1c1cfa308 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Apr 2021 22:20:54 -0700
+Subject: net: ethernet: mtk_eth_soc: fix RX VLAN offload
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit 3f57d8c40fea9b20543cab4da12f4680d2ef182c ]
+
+The VLAN ID in the rx descriptor is only valid if the RX_DMA_VTAG bit is
+set. Fixes frames wrongly marked with VLAN tags.
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+[Ilya: fix commit message]
+Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mediatek/mtk_eth_soc.c | 2 +-
+ drivers/net/ethernet/mediatek/mtk_eth_soc.h | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+index d10c8a8156bc..5b072bf80783 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+@@ -964,7 +964,7 @@ static int mtk_poll_rx(struct napi_struct *napi, int budget,
+               skb->protocol = eth_type_trans(skb, netdev);
+               if (netdev->features & NETIF_F_HW_VLAN_CTAG_RX &&
+-                  RX_DMA_VID(trxd.rxd3))
++                  (trxd.rxd2 & RX_DMA_VTAG))
+                       __vlan_hwaccel_put_tag(skb, htons(ETH_P_8021Q),
+                                              RX_DMA_VID(trxd.rxd3));
+               napi_gro_receive(napi, skb);
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.h b/drivers/net/ethernet/mediatek/mtk_eth_soc.h
+index 99b1c8e9f16f..2e7ccd8261c3 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.h
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.h
+@@ -272,6 +272,7 @@
+ #define RX_DMA_DONE           BIT(31)
+ #define RX_DMA_PLEN0(_x)      (((_x) & 0x3fff) << 16)
+ #define RX_DMA_GET_PLEN0(_x)  (((_x) >> 16) & 0x3fff)
++#define RX_DMA_VTAG           BIT(15)
+ /* QDMA descriptor rxd3 */
+ #define RX_DMA_VID(_x)                ((_x) & 0xfff)
+-- 
+2.30.2
+
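Review bot: The new condition writes `(trxd.rxd2 & RX_DMA_VTAG)` with parentheses while the preceding `netdev->features & NETIF_F_HW_VLAN_CTAG_RX` operand has none; both are correct by precedence, but the asymmetry invites a second look, so `(netdev->features & NETIF_F_HW_VLAN_CTAG_RX) &&` would match. The new `RX_DMA_VTAG` define sits among the rxd2 field macros but carries no description; a trailing `/* VLAN tag in rxd3 is valid */` would tie it to the RX_DMA_VID() it guards. The mtk_poll_rx() body extends beyond the hunk.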
diff --git a/queue-4.9/net-stmmac-set-fifo-sizes-for-ipq806x.patch b/queue-4.9/net-stmmac-set-fifo-sizes-for-ipq806x.patch
new file mode 100644 (file)
index 0000000..970c9c7
--- /dev/null
@@ -0,0 +1,44 @@
+From 79089d500ffc949aee960b697f508bbb1f8de55b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 13 Mar 2021 13:18:26 +0000
+Subject: net: stmmac: Set FIFO sizes for ipq806x
+
+From: Jonathan McDowell <noodles@earth.li>
+
+[ Upstream commit e127906b68b49ddb3ecba39ffa36a329c48197d3 ]
+
+Commit eaf4fac47807 ("net: stmmac: Do not accept invalid MTU values")
+started using the TX FIFO size to verify what counts as a valid MTU
+request for the stmmac driver.  This is unset for the ipq806x variant.
+Looking at older patches for this it seems the RX + TXs buffers can be
+up to 8k, so set appropriately.
+
+(I sent this as an RFC patch in June last year, but received no replies.
+I've been running with this on my hardware (a MikroTik RB3011) since
+then with larger MTUs to support both the internal qca8k switch and
+VLANs with no problems. Without the patch it's impossible to set the
+larger MTU required to support this.)
+
+Signed-off-by: Jonathan McDowell <noodles@earth.li>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c
+index 1924788d28da..f4ff43a1b5ba 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c
+@@ -363,6 +363,8 @@ static int ipq806x_gmac_probe(struct platform_device *pdev)
+       plat_dat->bsp_priv = gmac;
+       plat_dat->fix_mac_speed = ipq806x_gmac_fix_mac_speed;
+       plat_dat->multicast_filter_bins = 0;
++      plat_dat->tx_fifo_size = 8192;
++      plat_dat->rx_fifo_size = 8192;
+       err = stmmac_dvr_probe(&pdev->dev, plat_dat, &stmmac_res);
+       if (err)
+-- 
+2.30.2
+
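Review bot: `8192` appears twice as a bare literal for the TX and RX FIFO sizes; a named constant alongside the file's other ipq806x definitions (name chosen to match the file's conventions) would document that the two sizes are intentionally equal and where the value comes from. The commit message says the value was taken from older patches rather than a datasheet figure, so a comment at the definition pointing at that origin would help a future reviewer. The probe function continues outside the hunk.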
diff --git a/queue-4.9/nfs-deal-correctly-with-attribute-generation-counter.patch b/queue-4.9/nfs-deal-correctly-with-attribute-generation-counter.patch
new file mode 100644 (file)
index 0000000..4d35d5e
--- /dev/null
@@ -0,0 +1,49 @@
+From 818a34d1a0774094d76b1dfa13693b85a2d324c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Mar 2021 16:46:05 -0400
+Subject: NFS: Deal correctly with attribute generation counter overflow
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit 9fdbfad1777cb4638f489eeb62d85432010c0031 ]
+
+We need to use unsigned long subtraction and then convert to signed in
+order to deal correcly with C overflow rules.
+
+Fixes: f5062003465c ("NFS: Set an attribute barrier on all updates")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/inode.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
+index 6c0035761d17..7a94f5a5f8c8 100644
+--- a/fs/nfs/inode.c
++++ b/fs/nfs/inode.c
+@@ -1469,10 +1469,10 @@ EXPORT_SYMBOL_GPL(_nfs_display_fhandle);
+  */
+ static int nfs_inode_attrs_need_update(const struct inode *inode, const struct nfs_fattr *fattr)
+ {
+-      const struct nfs_inode *nfsi = NFS_I(inode);
++      unsigned long attr_gencount = NFS_I(inode)->attr_gencount;
+-      return ((long)fattr->gencount - (long)nfsi->attr_gencount) > 0 ||
+-              ((long)nfsi->attr_gencount - (long)nfs_read_attr_generation_counter() > 0);
++      return (long)(fattr->gencount - attr_gencount) > 0 ||
++             (long)(attr_gencount - nfs_read_attr_generation_counter()) > 0;
+ }
+ static int nfs_refresh_inode_locked(struct inode *inode, struct nfs_fattr *fattr)
+@@ -1882,7 +1882,7 @@ static int nfs_update_inode(struct inode *inode, struct nfs_fattr *fattr)
+                       nfsi->attrtimeo_timestamp = now;
+               }
+               /* Set the barrier to be more recent than this fattr */
+-              if ((long)fattr->gencount - (long)nfsi->attr_gencount > 0)
++              if ((long)(fattr->gencount - nfsi->attr_gencount) > 0)
+                       nfsi->attr_gencount = fattr->gencount;
+       }
+-- 
+2.30.2
+
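Review bot: The fix depends on `fattr->gencount`, `attr_gencount` and the return of nfs_read_attr_generation_counter() all being `unsigned long` so that the subtraction wraps before the cast to `long`; only the local `attr_gencount` type is visible in the hunk, so the other two should be confirmed, since a narrower operand would promote differently and lose the wrap-around. A comment at the first comparison would capture the intent: `/* unsigned subtraction wraps; the cast to long yields the signed distance between counters */`. The same idiom is used in the second hunk in nfs_update_inode(), whose body extends beyond it.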
diff --git a/queue-4.9/nfsv4.2-always-flush-out-writes-in-nfs42_proc_falloc.patch b/queue-4.9/nfsv4.2-always-flush-out-writes-in-nfs42_proc_falloc.patch
new file mode 100644 (file)
index 0000000..3e1b196
--- /dev/null
@@ -0,0 +1,78 @@
+From 76c648e62713252323a1dcc89858d00882a85387 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 Mar 2021 18:17:14 -0400
+Subject: NFSv4.2: Always flush out writes in nfs42_proc_fallocate()
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit 99f23783224355e7022ceea9b8d9f62c0fd01bd8 ]
+
+Whether we're allocating or delallocating space, we should flush out the
+pending writes in order to avoid races with attribute updates.
+
+Fixes: 1e564d3dbd68 ("NFSv4.2: Fix a race in nfs42_proc_deallocate()")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs42proc.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/fs/nfs/nfs42proc.c b/fs/nfs/nfs42proc.c
+index 5cda392028ce..7e9fb1119bcf 100644
+--- a/fs/nfs/nfs42proc.c
++++ b/fs/nfs/nfs42proc.c
+@@ -56,7 +56,8 @@ static int _nfs42_proc_fallocate(struct rpc_message *msg, struct file *filep,
+ static int nfs42_proc_fallocate(struct rpc_message *msg, struct file *filep,
+                               loff_t offset, loff_t len)
+ {
+-      struct nfs_server *server = NFS_SERVER(file_inode(filep));
++      struct inode *inode = file_inode(filep);
++      struct nfs_server *server = NFS_SERVER(inode);
+       struct nfs4_exception exception = { };
+       struct nfs_lock_context *lock;
+       int err;
+@@ -65,9 +66,13 @@ static int nfs42_proc_fallocate(struct rpc_message *msg, struct file *filep,
+       if (IS_ERR(lock))
+               return PTR_ERR(lock);
+-      exception.inode = file_inode(filep);
++      exception.inode = inode;
+       exception.state = lock->open_context->state;
++      err = nfs_sync_inode(inode);
++      if (err)
++              goto out;
++
+       do {
+               err = _nfs42_proc_fallocate(msg, filep, lock, offset, len);
+               if (err == -ENOTSUPP) {
+@@ -76,7 +81,7 @@ static int nfs42_proc_fallocate(struct rpc_message *msg, struct file *filep,
+               }
+               err = nfs4_handle_exception(server, err, &exception);
+       } while (exception.retry);
+-
++out:
+       nfs_put_lock_context(lock);
+       return err;
+ }
+@@ -114,16 +119,13 @@ int nfs42_proc_deallocate(struct file *filep, loff_t offset, loff_t len)
+               return -EOPNOTSUPP;
+       inode_lock(inode);
+-      err = nfs_sync_inode(inode);
+-      if (err)
+-              goto out_unlock;
+       err = nfs42_proc_fallocate(&msg, filep, offset, len);
+       if (err == 0)
+               truncate_pagecache_range(inode, offset, (offset + len) -1);
+       if (err == -EOPNOTSUPP)
+               NFS_SERVER(inode)->caps &= ~NFS_CAP_DEALLOCATE;
+-out_unlock:
++
+       inode_unlock(inode);
+       return err;
+ }
+-- 
+2.30.2
+
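Review bot: nfs_sync_inode() now runs inside nfs42_proc_fallocate() for every caller, but only nfs42_proc_deallocate() is visible holding `inode_lock()` around the call; whether the allocate path takes the same lock is outside the hunk and worth confirming, since the flush is meant to close a race with attribute updates. A comment before the new call would record the contract: `/* flush pending writes before changing the file's extents so attribute updates cannot race */`. The `out:` label now also covers the sync failure, which correctly drops the lock context.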
diff --git a/queue-4.9/nfsv4.2-fix-handling-of-sr_eof-in-seek-s-reply.patch b/queue-4.9/nfsv4.2-fix-handling-of-sr_eof-in-seek-s-reply.patch
new file mode 100644 (file)
index 0000000..7a2c06a
--- /dev/null
@@ -0,0 +1,43 @@
+From 46fcf3eae107e8b17e50b5876112aa483b1c9458 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Mar 2021 15:30:25 -0400
+Subject: NFSv4.2 fix handling of sr_eof in SEEK's reply
+
+From: Olga Kornievskaia <kolga@netapp.com>
+
+[ Upstream commit 73f5c88f521a630ea1628beb9c2d48a2e777a419 ]
+
+Currently the client ignores the value of the sr_eof of the SEEK
+operation. According to the spec, if the server didn't find the
+requested extent and reached the end of the file, the server
+would return sr_eof=true. In case the request for DATA and no
+data was found (ie in the middle of the hole), then the lseek
+expects that ENXIO would be returned.
+
+Fixes: 1c6dcbe5ceff8 ("NFS: Implement SEEK")
+Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs42proc.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fs/nfs/nfs42proc.c b/fs/nfs/nfs42proc.c
+index 7e9fb1119bcf..7efb9e0e9f25 100644
+--- a/fs/nfs/nfs42proc.c
++++ b/fs/nfs/nfs42proc.c
+@@ -294,7 +294,10 @@ static loff_t _nfs42_proc_llseek(struct file *filep,
+       if (status)
+               return status;
+-      return vfs_setpos(filep, res.sr_offset, inode->i_sb->s_maxbytes);
++      if (whence == SEEK_DATA && res.sr_eof)
++              return -NFS4ERR_NXIO;
++      else
++              return vfs_setpos(filep, res.sr_offset, inode->i_sb->s_maxbytes);
+ }
+ loff_t nfs42_proc_llseek(struct file *filep, loff_t offset, int whence)
+-- 
+2.30.2
+
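Review bot: The `else` after `return -NFS4ERR_NXIO;` is redundant; `if (whence == SEEK_DATA && res.sr_eof)` followed by an unconditional `return vfs_setpos(...)` reads more simply. The value returned is an NFS4ERR_* protocol code rather than `-ENXIO`, so this relies on the caller (nfs42_proc_llseek, whose signature appears at the end of the hunk) translating it through the exception-handling path before it reaches lseek(); that mapping is not visible here and should be confirmed. _nfs42_proc_llseek() starts outside the hunk.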
diff --git a/queue-4.9/pci-release-of-node-in-pci_scan_device-s-error-path.patch b/queue-4.9/pci-release-of-node-in-pci_scan_device-s-error-path.patch
new file mode 100644 (file)
index 0000000..19aa07d
--- /dev/null
@@ -0,0 +1,38 @@
+From 6e6268adc5ad490783c9f8f019a9f540bb9a76ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Jan 2021 02:28:26 +0300
+Subject: PCI: Release OF node in pci_scan_device()'s error path
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit c99e755a4a4c165cad6effb39faffd0f3377c02d ]
+
+In pci_scan_device(), if pci_setup_device() fails for any reason, the code
+will not release device's of_node by calling pci_release_of_node().  Fix
+that by calling the release function.
+
+Fixes: 98d9f30c820d ("pci/of: Match PCI devices to OF nodes dynamically")
+Link: https://lore.kernel.org/r/20210124232826.1879-1-dmitry.baryshkov@linaro.org
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/probe.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
+index 19658873b4c1..ddf5ba63b195 100644
+--- a/drivers/pci/probe.c
++++ b/drivers/pci/probe.c
+@@ -1694,6 +1694,7 @@ static struct pci_dev *pci_scan_device(struct pci_bus *bus, int devfn)
+       pci_set_of_node(dev);
+       if (pci_setup_device(dev)) {
++              pci_release_of_node(dev);
+               pci_bus_put(dev->bus);
+               kfree(dev);
+               return NULL;
+-- 
+2.30.2
+
diff --git a/queue-4.9/pnfs-flexfiles-fix-incorrect-size-check-in-decode_nf.patch b/queue-4.9/pnfs-flexfiles-fix-incorrect-size-check-in-decode_nf.patch
new file mode 100644 (file)
index 0000000..a0c51f7
--- /dev/null
@@ -0,0 +1,52 @@
+From b66ef274db402e866511cc91860a15929112b53f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Mar 2021 11:56:49 +0300
+Subject: pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()
+
+From: Nikola Livic <nlivic@gmail.com>
+
+[ Upstream commit ed34695e15aba74f45247f1ee2cf7e09d449f925 ]
+
+We (adam zabrocki, alexander matrosov, alexander tereshkin, maksym
+bazalii) observed the check:
+
+       if (fh->size > sizeof(struct nfs_fh))
+
+should not use the size of the nfs_fh struct which includes an extra two
+bytes from the size field.
+
+struct nfs_fh {
+       unsigned short         size;
+       unsigned char          data[NFS_MAXFHSIZE];
+}
+
+but should determine the size from data[NFS_MAXFHSIZE] so the memcpy
+will not write 2 bytes beyond destination.  The proposed fix is to
+compare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs
+code base.
+
+Fixes: d67ae825a59d ("pnfs/flexfiles: Add the FlexFile Layout Driver")
+Signed-off-by: Nikola Livic <nlivic@gmail.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/flexfilelayout/flexfilelayout.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/nfs/flexfilelayout/flexfilelayout.c b/fs/nfs/flexfilelayout/flexfilelayout.c
+index 83149cbae093..ee1225369700 100644
+--- a/fs/nfs/flexfilelayout/flexfilelayout.c
++++ b/fs/nfs/flexfilelayout/flexfilelayout.c
+@@ -93,7 +93,7 @@ static int decode_nfs_fh(struct xdr_stream *xdr, struct nfs_fh *fh)
+       if (unlikely(!p))
+               return -ENOBUFS;
+       fh->size = be32_to_cpup(p++);
+-      if (fh->size > sizeof(struct nfs_fh)) {
++      if (fh->size > NFS_MAXFHSIZE) {
+               printk(KERN_ERR "NFS flexfiles: Too big fh received %d\n",
+                      fh->size);
+               return -EOVERFLOW;
+-- 
+2.30.2
+
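Review bot: The new bound is right, but it is applied after the wire length has already been truncated into `fh->size` (an `unsigned short` per the struct shown in the commit message), so a 32-bit length such as 0x10010 is checked and copied as 0x10, and the error message can print a value that never came off the wire. Decoding into a local first keeps the check on what was actually received: `u32 size = be32_to_cpup(p++); if (size > NFS_MAXFHSIZE) { printk(...); return -EOVERFLOW; } fh->size = size;`. Since this length comes from a layout returned by the server, it is untrusted network input and the overflow this closes was remotely triggerable, which is worth calling out in the stable changelog. The memcpy this bound protects follows outside the hunk.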
diff --git a/queue-4.9/powerpc-iommu-annotate-nested-lock-for-lockdep.patch b/queue-4.9/powerpc-iommu-annotate-nested-lock-for-lockdep.patch
new file mode 100644 (file)
index 0000000..3a3287e
--- /dev/null
@@ -0,0 +1,70 @@
+From 6bd3455c2ccc281467336c9d6609c5802b526900 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Mar 2021 17:36:53 +1100
+Subject: powerpc/iommu: Annotate nested lock for lockdep
+
+From: Alexey Kardashevskiy <aik@ozlabs.ru>
+
+[ Upstream commit cc7130bf119add37f36238343a593b71ef6ecc1e ]
+
+The IOMMU table is divided into pools for concurrent mappings and each
+pool has a separate spinlock. When taking the ownership of an IOMMU group
+to pass through a device to a VM, we lock these spinlocks which triggers
+a false negative warning in lockdep (below).
+
+This fixes it by annotating the large pool's spinlock as a nest lock
+which makes lockdep not complaining when locking nested locks if
+the nest lock is locked already.
+
+===
+WARNING: possible recursive locking detected
+5.11.0-le_syzkaller_a+fstn1 #100 Not tainted
+--------------------------------------------
+qemu-system-ppc/4129 is trying to acquire lock:
+c0000000119bddb0 (&(p->lock)/1){....}-{2:2}, at: iommu_take_ownership+0xac/0x1e0
+
+but task is already holding lock:
+c0000000119bdd30 (&(p->lock)/1){....}-{2:2}, at: iommu_take_ownership+0xac/0x1e0
+
+other info that might help us debug this:
+ Possible unsafe locking scenario:
+
+       CPU0
+       ----
+  lock(&(p->lock)/1);
+  lock(&(p->lock)/1);
+===
+
+Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20210301063653.51003-1-aik@ozlabs.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/iommu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/kernel/iommu.c b/arch/powerpc/kernel/iommu.c
+index 9bfdd2510fd5..2cf900d16527 100644
+--- a/arch/powerpc/kernel/iommu.c
++++ b/arch/powerpc/kernel/iommu.c
+@@ -1021,7 +1021,7 @@ int iommu_take_ownership(struct iommu_table *tbl)
+       spin_lock_irqsave(&tbl->large_pool.lock, flags);
+       for (i = 0; i < tbl->nr_pools; i++)
+-              spin_lock(&tbl->pools[i].lock);
++              spin_lock_nest_lock(&tbl->pools[i].lock, &tbl->large_pool.lock);
+       if (tbl->it_offset == 0)
+               clear_bit(0, tbl->it_map);
+@@ -1050,7 +1050,7 @@ void iommu_release_ownership(struct iommu_table *tbl)
+       spin_lock_irqsave(&tbl->large_pool.lock, flags);
+       for (i = 0; i < tbl->nr_pools; i++)
+-              spin_lock(&tbl->pools[i].lock);
++              spin_lock_nest_lock(&tbl->pools[i].lock, &tbl->large_pool.lock);
+       memset(tbl->it_map, 0, sz);
+-- 
+2.30.2
+
diff --git a/queue-4.9/powerpc-pseries-stop-calling-printk-in-rtas_stop_sel.patch b/queue-4.9/powerpc-pseries-stop-calling-printk-in-rtas_stop_sel.patch
new file mode 100644 (file)
index 0000000..478db4b
--- /dev/null
@@ -0,0 +1,72 @@
+From 814fd56deb570901ffeab99dd1cc6131e593c659 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Apr 2021 23:54:13 +1000
+Subject: powerpc/pseries: Stop calling printk in rtas_stop_self()
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+[ Upstream commit ed8029d7b472369a010a1901358567ca3b6dbb0d ]
+
+RCU complains about us calling printk() from an offline CPU:
+
+  =============================
+  WARNING: suspicious RCU usage
+  5.12.0-rc7-02874-g7cf90e481cb8 #1 Not tainted
+  -----------------------------
+  kernel/locking/lockdep.c:3568 RCU-list traversed in non-reader section!!
+
+  other info that might help us debug this:
+
+  RCU used illegally from offline CPU!
+  rcu_scheduler_active = 2, debug_locks = 1
+  no locks held by swapper/0/0.
+
+  stack backtrace:
+  CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.12.0-rc7-02874-g7cf90e481cb8 #1
+  Call Trace:
+    dump_stack+0xec/0x144 (unreliable)
+    lockdep_rcu_suspicious+0x124/0x144
+    __lock_acquire+0x1098/0x28b0
+    lock_acquire+0x128/0x600
+    _raw_spin_lock_irqsave+0x6c/0xc0
+    down_trylock+0x2c/0x70
+    __down_trylock_console_sem+0x60/0x140
+    vprintk_emit+0x1a8/0x4b0
+    vprintk_func+0xcc/0x200
+    printk+0x40/0x54
+    pseries_cpu_offline_self+0xc0/0x120
+    arch_cpu_idle_dead+0x54/0x70
+    do_idle+0x174/0x4a0
+    cpu_startup_entry+0x38/0x40
+    rest_init+0x268/0x388
+    start_kernel+0x748/0x790
+    start_here_common+0x1c/0x614
+
+Which happens because by the time we get to rtas_stop_self() we are
+already offline. In addition the message can be spammy, and is not that
+helpful for users, so remove it.
+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20210418135413.1204031-1-mpe@ellerman.id.au
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/pseries/hotplug-cpu.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/arch/powerpc/platforms/pseries/hotplug-cpu.c b/arch/powerpc/platforms/pseries/hotplug-cpu.c
+index 7a2beedb9740..a7d9dd029850 100644
+--- a/arch/powerpc/platforms/pseries/hotplug-cpu.c
++++ b/arch/powerpc/platforms/pseries/hotplug-cpu.c
+@@ -92,9 +92,6 @@ static void rtas_stop_self(void)
+       BUG_ON(rtas_stop_self_token == RTAS_UNKNOWN_SERVICE);
+-      printk("cpu %u (hwid %u) Ready to die...\n",
+-             smp_processor_id(), hard_smp_processor_id());
+-
+       rtas_call_unlocked(&args, rtas_stop_self_token, 0, 1, NULL);
+       panic("Alas, I survived.\n");
+-- 
+2.30.2
+
diff --git a/queue-4.9/samples-bpf-fix-broken-tracex1-due-to-kprobe-argumen.patch b/queue-4.9/samples-bpf-fix-broken-tracex1-due-to-kprobe-argumen.patch
new file mode 100644 (file)
index 0000000..42f64d7
--- /dev/null
@@ -0,0 +1,49 @@
+From b35277a5a3665feff3f226ae4c3a10f26e242e69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Apr 2021 23:48:03 +0800
+Subject: samples/bpf: Fix broken tracex1 due to kprobe argument change
+
+From: Yaqi Chen <chendotjs@gmail.com>
+
+[ Upstream commit 137733d08f4ab14a354dacaa9a8fc35217747605 ]
+
+>From commit c0bbbdc32feb ("__netif_receive_skb_core: pass skb by
+reference"), the first argument passed into __netif_receive_skb_core
+has changed to reference of a skb pointer.
+
+This commit fixes by using bpf_probe_read_kernel.
+
+Signed-off-by: Yaqi Chen <chendotjs@gmail.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Yonghong Song <yhs@fb.com>
+Link: https://lore.kernel.org/bpf/20210416154803.37157-1-chendotjs@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ samples/bpf/tracex1_kern.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/samples/bpf/tracex1_kern.c b/samples/bpf/tracex1_kern.c
+index 107da148820f..9c74b45c5720 100644
+--- a/samples/bpf/tracex1_kern.c
++++ b/samples/bpf/tracex1_kern.c
+@@ -20,7 +20,7 @@
+ SEC("kprobe/__netif_receive_skb_core")
+ int bpf_prog1(struct pt_regs *ctx)
+ {
+-      /* attaches to kprobe netif_receive_skb,
++      /* attaches to kprobe __netif_receive_skb_core,
+        * looks for packets on loobpack device and prints them
+        */
+       char devname[IFNAMSIZ];
+@@ -29,7 +29,7 @@ int bpf_prog1(struct pt_regs *ctx)
+       int len;
+       /* non-portable! works for the given kernel only */
+-      skb = (struct sk_buff *) PT_REGS_PARM1(ctx);
++      bpf_probe_read_kernel(&skb, sizeof(skb), (void *)PT_REGS_PARM1(ctx));
+       dev = _(skb->dev);
+       len = _(skb->len);
+-- 
+2.30.2
+
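Review bot: The return value of bpf_probe_read_kernel() is ignored, so on a failed read `skb` stays uninitialized and is dereferenced through `_()` on the very next line; `if (bpf_probe_read_kernel(&skb, sizeof(skb), (void *)PT_REGS_PARM1(ctx))) return 0;` makes the failure explicit. More importantly for a 4.9 backport, the change exists because commit c0bbbdc32feb turned the first argument into a pointer to the skb pointer; that commit is not in this series, and if 4.9's __netif_receive_skb_core() still takes `struct sk_buff *` directly, this sample now reads the first eight bytes of the skb as a pointer, and older samples/bpf/bpf_helpers.h may not even declare bpf_probe_read_kernel. Both are worth confirming before queuing; the rest of bpf_prog1 continues outside the hunk.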
diff --git a/queue-4.9/sctp-fix-a-sctp_mib_currestab-leak-in-sctp_sf_do_dup.patch b/queue-4.9/sctp-fix-a-sctp_mib_currestab-leak-in-sctp_sf_do_dup.patch
new file mode 100644 (file)
index 0000000..dfaa063
--- /dev/null
@@ -0,0 +1,52 @@
+From 38c22978c7c3d469012e6e1b08dc0bccb0b0997c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 May 2021 04:41:20 +0800
+Subject: sctp: fix a SCTP_MIB_CURRESTAB leak in sctp_sf_do_dupcook_b
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit f282df0391267fb2b263da1cc3233aa6fb81defc ]
+
+Normally SCTP_MIB_CURRESTAB is always incremented once asoc enter into
+ESTABLISHED from the state < ESTABLISHED and decremented when the asoc
+is being deleted.
+
+However, in sctp_sf_do_dupcook_b(), the asoc's state can be changed to
+ESTABLISHED from the state >= ESTABLISHED where it shouldn't increment
+SCTP_MIB_CURRESTAB. Otherwise, one asoc may increment MIB_CURRESTAB
+multiple times but only decrement once at the end.
+
+I was able to reproduce it by using scapy to do the 4-way shakehands,
+after that I replayed the COOKIE-ECHO chunk with 'peer_vtag' field
+changed to different values, and SCTP_MIB_CURRESTAB was incremented
+multiple times and never went back to 0 even when the asoc was freed.
+
+This patch is to fix it by only incrementing SCTP_MIB_CURRESTAB when
+the state < ESTABLISHED in sctp_sf_do_dupcook_b().
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/sm_statefuns.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
+index 146b568962e0..9045f6bcb34c 100644
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -1851,7 +1851,8 @@ static sctp_disposition_t sctp_sf_do_dupcook_b(struct net *net,
+       sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
+       sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
+                       SCTP_STATE(SCTP_STATE_ESTABLISHED));
+-      SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
++      if (asoc->state < SCTP_STATE_ESTABLISHED)
++              SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
+       sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
+       repl = sctp_make_cookie_ack(new_asoc, chunk);
+-- 
+2.30.2
+
diff --git a/queue-4.9/sctp-fix-out-of-bounds-warning-in-sctp_process_ascon.patch b/queue-4.9/sctp-fix-out-of-bounds-warning-in-sctp_process_ascon.patch
new file mode 100644 (file)
index 0000000..efec5d4
--- /dev/null
@@ -0,0 +1,44 @@
+From 1113d99301f8037652562eaedc8a36a5c16aea01 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Apr 2021 14:12:36 -0500
+Subject: sctp: Fix out-of-bounds warning in sctp_process_asconf_param()
+
+From: Gustavo A. R. Silva <gustavoars@kernel.org>
+
+[ Upstream commit e5272ad4aab347dde5610c0aedb786219e3ff793 ]
+
+Fix the following out-of-bounds warning:
+
+net/sctp/sm_make_chunk.c:3150:4: warning: 'memcpy' offset [17, 28] from the object at 'addr' is out of the bounds of referenced subobject 'v4' with type 'struct sockaddr_in' at offset 0 [-Warray-bounds]
+
+This helps with the ongoing efforts to globally enable -Warray-bounds
+and get us closer to being able to tighten the FORTIFY_SOURCE routines
+on memcpy().
+
+Link: https://github.com/KSPP/linux/issues/109
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/sm_make_chunk.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
+index acb0c2631c79..0c5aff3bb539 100644
+--- a/net/sctp/sm_make_chunk.c
++++ b/net/sctp/sm_make_chunk.c
+@@ -3129,7 +3129,7 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc,
+                * primary.
+                */
+               if (af->is_any(&addr))
+-                      memcpy(&addr.v4, sctp_source(asconf), sizeof(addr));
++                      memcpy(&addr, sctp_source(asconf), sizeof(addr));
+               peer = sctp_assoc_lookup_paddr(asoc, &addr);
+               if (!peer)
+-- 
+2.30.2
+
diff --git a/queue-4.9/selftests-set-cc-to-clang-in-lib.mk-if-llvm-is-set.patch b/queue-4.9/selftests-set-cc-to-clang-in-lib.mk-if-llvm-is-set.patch
new file mode 100644 (file)
index 0000000..a0d1c3e
--- /dev/null
@@ -0,0 +1,42 @@
+From 110540dbb944d89db043bf10dfb70a31a2f72cef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Apr 2021 08:34:13 -0700
+Subject: selftests: Set CC to clang in lib.mk if LLVM is set
+
+From: Yonghong Song <yhs@fb.com>
+
+[ Upstream commit 26e6dd1072763cd5696b75994c03982dde952ad9 ]
+
+selftests/bpf/Makefile includes lib.mk. With the following command
+  make -j60 LLVM=1 LLVM_IAS=1  <=== compile kernel
+  make -j60 -C tools/testing/selftests/bpf LLVM=1 LLVM_IAS=1 V=1
+some files are still compiled with gcc. This patch
+fixed lib.mk issue which sets CC to gcc in all cases.
+
+Signed-off-by: Yonghong Song <yhs@fb.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20210413153413.3027426-1-yhs@fb.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/lib.mk | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/tools/testing/selftests/lib.mk b/tools/testing/selftests/lib.mk
+index 50a93f5f13d6..d8fa6c72b7ca 100644
+--- a/tools/testing/selftests/lib.mk
++++ b/tools/testing/selftests/lib.mk
+@@ -1,6 +1,10 @@
+ # This mimics the top-level Makefile. We do it explicitly here so that this
+ # Makefile can operate with or without the kbuild infrastructure.
++ifneq ($(LLVM),)
++CC := clang
++else
+ CC := $(CROSS_COMPILE)gcc
++endif
+ define RUN_TESTS
+       @for TEST in $(TEST_PROGS); do \
+-- 
+2.30.2
+
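Review bot: `CC := clang` drops `$(CROSS_COMPILE)` entirely, so a cross build that sets both LLVM=1 and CROSS_COMPILE now compiles the selftests for the host. The top-level Makefile presumably pairs clang with a target derived from CROSS_COMPILE; lib.mk would need the same, for example `CLANG_FLAGS += --target=$(notdir $(CROSS_COMPILE:%-=%))` guarded by `ifneq ($(CROSS_COMPILE),)`, or a comment stating that LLVM=1 is native-only here. The RUN_TESTS definition and the rest of lib.mk continue outside the hunk.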
index f8c13ab633ac4f9b30c69178992c1e56bfc23df9..5171d425d9051c067aa725395455aee8ed4a30e8 100644 (file)
@@ -167,3 +167,38 @@ revert-net-sctp-fix-race-condition-in-sctp_destroy_sock.patch
 sctp-delay-auto_asconf-init-until-binding-the-first-addr.patch
 revert-of-fdt-make-sure-no-map-does-not-remove-already-reserved-regions.patch
 revert-fdt-properly-handle-no-map-field-in-the-memory-region.patch
+fs-dlm-fix-debugfs-dump.patch
+tipc-convert-dest-node-s-address-to-network-order.patch
+net-stmmac-set-fifo-sizes-for-ipq806x.patch
+alsa-hdsp-don-t-disable-if-not-enabled.patch
+alsa-hdspm-don-t-disable-if-not-enabled.patch
+alsa-rme9652-don-t-disable-if-not-enabled.patch
+bluetooth-set-conf_not_complete-as-l2cap_chan-defaul.patch
+bluetooth-initialize-skb_queue_head-at-l2cap_chan_cr.patch
+ip6_vti-proper-dev_-hold-put-in-ndo_-un-init-methods.patch
+mac80211-clear-the-beacon-s-crc-after-channel-switch.patch
+cuse-prevent-clone.patch
+selftests-set-cc-to-clang-in-lib.mk-if-llvm-is-set.patch
+kconfig-nconf-stop-endless-search-loops.patch
+sctp-fix-out-of-bounds-warning-in-sctp_process_ascon.patch
+asoc-rt286-generalize-support-for-alc3263-codec.patch
+samples-bpf-fix-broken-tracex1-due-to-kprobe-argumen.patch
+powerpc-pseries-stop-calling-printk-in-rtas_stop_sel.patch
+wl3501_cs-fix-out-of-bounds-warnings-in-wl3501_send_.patch
+wl3501_cs-fix-out-of-bounds-warnings-in-wl3501_mgmt_.patch
+powerpc-iommu-annotate-nested-lock-for-lockdep.patch
+net-ethernet-mtk_eth_soc-fix-rx-vlan-offload.patch
+asoc-rt286-make-rt286_set_gpio_-readable-and-writabl.patch
+f2fs-fix-a-redundant-call-to-f2fs_balance_fs-if-an-e.patch
+pci-release-of-node-in-pci_scan_device-s-error-path.patch
+arm-9064-1-hw_breakpoint-do-not-directly-check-the-e.patch
+nfsv4.2-always-flush-out-writes-in-nfs42_proc_falloc.patch
+nfs-deal-correctly-with-attribute-generation-counter.patch
+pnfs-flexfiles-fix-incorrect-size-check-in-decode_nf.patch
+nfsv4.2-fix-handling-of-sr_eof-in-seek-s-reply.patch
+sctp-fix-a-sctp_mib_currestab-leak-in-sctp_sf_do_dup.patch
+drm-radeon-fix-off-by-one-power_state-index-heap-ove.patch
+khugepaged-fix-wrong-result-value-for-trace_mm_colla.patch
+mm-hugeltb-handle-the-error-case-in-hugetlb_fix_rese.patch
+ksm-fix-potential-missing-rmap_item-for-stable_node.patch
+kernel-kexec_file-fix-error-return-code-of-kexec_cal.patch
diff --git a/queue-4.9/tipc-convert-dest-node-s-address-to-network-order.patch b/queue-4.9/tipc-convert-dest-node-s-address-to-network-order.patch
new file mode 100644 (file)
index 0000000..b846418
--- /dev/null
@@ -0,0 +1,41 @@
+From 73befa6dc9f9f9aa0bd19158551fce46c9da622a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Mar 2021 10:33:22 +0700
+Subject: tipc: convert dest node's address to network order
+
+From: Hoang Le <hoang.h.le@dektech.com.au>
+
+[ Upstream commit 1980d37565061ab44bdc2f9e4da477d3b9752e81 ]
+
+(struct tipc_link_info)->dest is in network order (__be32), so we must
+convert the value to network order before assigning. The problem detected
+by sparse:
+
+net/tipc/netlink_compat.c:699:24: warning: incorrect type in assignment (different base types)
+net/tipc/netlink_compat.c:699:24:    expected restricted __be32 [usertype] dest
+net/tipc/netlink_compat.c:699:24:    got int
+
+Acked-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Hoang Le <hoang.h.le@dektech.com.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/netlink_compat.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
+index 403be9bfd8d1..69151de9657c 100644
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -662,7 +662,7 @@ static int tipc_nl_compat_link_dump(struct tipc_nl_compat_msg *msg,
+       if (err)
+               return err;
+-      link_info.dest = nla_get_flag(link[TIPC_NLA_LINK_DEST]);
++      link_info.dest = htonl(nla_get_flag(link[TIPC_NLA_LINK_DEST]));
+       link_info.up = htonl(nla_get_flag(link[TIPC_NLA_LINK_UP]));
+       nla_strlcpy(link_info.str, link[TIPC_NLA_LINK_NAME],
+                   TIPC_MAX_LINK_NAME);
+-- 
+2.30.2
+
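Review bot: The byte-order conversion silences sparse, but `nla_get_flag()` only reports attribute presence (it returns a bool), so `link_info.dest` still ends up as htonl(0 or 1) rather than the destination node address its name implies. If TIPC_NLA_LINK_DEST carries a u32 address on the put side, as the name suggests, the line should read `link_info.dest = htonl(nla_get_u32(link[TIPC_NLA_LINK_DEST]));`; the `up` field on the following line is a genuine flag and is fine as written. Worth checking the attribute's policy before changing.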
diff --git a/queue-4.9/wl3501_cs-fix-out-of-bounds-warnings-in-wl3501_mgmt_.patch b/queue-4.9/wl3501_cs-fix-out-of-bounds-warnings-in-wl3501_mgmt_.patch
new file mode 100644 (file)
index 0000000..c862609
--- /dev/null
@@ -0,0 +1,286 @@
+From dfb6cdb2ae8f08f87f7e07501a46b129cc1f874b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Apr 2021 18:45:15 -0500
+Subject: wl3501_cs: Fix out-of-bounds warnings in wl3501_mgmt_join
+
+From: Gustavo A. R. Silva <gustavoars@kernel.org>
+
+[ Upstream commit bb43e5718d8f1b46e7a77e7b39be3c691f293050 ]
+
+Fix the following out-of-bounds warnings by adding a new structure
+wl3501_req instead of duplicating the same members in structure
+wl3501_join_req and wl3501_scan_confirm:
+
+arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [39, 108] from the object at 'sig' is out of the bounds of referenced subobject 'beacon_period' with type 'short unsigned int' at offset 36 [-Warray-bounds]
+arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [25, 95] from the object at 'sig' is out of the bounds of referenced subobject 'beacon_period' with type 'short unsigned int' at offset 22 [-Warray-bounds]
+
+Refactor the code, accordingly:
+
+$ pahole -C wl3501_req drivers/net/wireless/wl3501_cs.o
+struct wl3501_req {
+        u16                        beacon_period;        /*     0     2 */
+        u16                        dtim_period;          /*     2     2 */
+        u16                        cap_info;             /*     4     2 */
+        u8                         bss_type;             /*     6     1 */
+        u8                         bssid[6];             /*     7     6 */
+        struct iw_mgmt_essid_pset  ssid;                 /*    13    34 */
+        struct iw_mgmt_ds_pset     ds_pset;              /*    47     3 */
+        struct iw_mgmt_cf_pset     cf_pset;              /*    50     8 */
+        struct iw_mgmt_ibss_pset   ibss_pset;            /*    58     4 */
+        struct iw_mgmt_data_rset   bss_basic_rset;       /*    62    10 */
+
+        /* size: 72, cachelines: 2, members: 10 */
+        /* last cacheline: 8 bytes */
+};
+
+$ pahole -C wl3501_join_req drivers/net/wireless/wl3501_cs.o
+struct wl3501_join_req {
+        u16                        next_blk;             /*     0     2 */
+        u8                         sig_id;               /*     2     1 */
+        u8                         reserved;             /*     3     1 */
+        struct iw_mgmt_data_rset   operational_rset;     /*     4    10 */
+        u16                        reserved2;            /*    14     2 */
+        u16                        timeout;              /*    16     2 */
+        u16                        probe_delay;          /*    18     2 */
+        u8                         timestamp[8];         /*    20     8 */
+        u8                         local_time[8];        /*    28     8 */
+        struct wl3501_req          req;                  /*    36    72 */
+
+        /* size: 108, cachelines: 2, members: 10 */
+        /* last cacheline: 44 bytes */
+};
+
+$ pahole -C wl3501_scan_confirm drivers/net/wireless/wl3501_cs.o
+struct wl3501_scan_confirm {
+        u16                        next_blk;             /*     0     2 */
+        u8                         sig_id;               /*     2     1 */
+        u8                         reserved;             /*     3     1 */
+        u16                        status;               /*     4     2 */
+        char                       timestamp[8];         /*     6     8 */
+        char                       localtime[8];         /*    14     8 */
+        struct wl3501_req          req;                  /*    22    72 */
+        /* --- cacheline 1 boundary (64 bytes) was 30 bytes ago --- */
+        u8                         rssi;                 /*    94     1 */
+
+        /* size: 96, cachelines: 2, members: 8 */
+        /* padding: 1 */
+        /* last cacheline: 32 bytes */
+};
+
+The problem is that the original code is trying to copy data into a
+bunch of struct members adjacent to each other in a single call to
+memcpy(). Now that a new struct wl3501_req enclosing all those adjacent
+members is introduced, memcpy() doesn't overrun the length of
+&sig.beacon_period and &this->bss_set[i].beacon_period, because the
+address of the new struct object _req_ is used as the destination,
+instead.
+
+This helps with the ongoing efforts to globally enable -Warray-bounds
+and get us closer to being able to tighten the FORTIFY_SOURCE routines
+on memcpy().
+
+Link: https://github.com/KSPP/linux/issues/109
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/1fbaf516da763b50edac47d792a9145aa4482e29.1618442265.git.gustavoars@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/wl3501.h    | 35 +++++++++++--------------
+ drivers/net/wireless/wl3501_cs.c | 44 +++++++++++++++++---------------
+ 2 files changed, 38 insertions(+), 41 deletions(-)
+
+diff --git a/drivers/net/wireless/wl3501.h b/drivers/net/wireless/wl3501.h
+index ba2a36cfb1c8..ca2021bcac14 100644
+--- a/drivers/net/wireless/wl3501.h
++++ b/drivers/net/wireless/wl3501.h
+@@ -378,16 +378,7 @@ struct wl3501_get_confirm {
+       u8      mib_value[100];
+ };
+-struct wl3501_join_req {
+-      u16                         next_blk;
+-      u8                          sig_id;
+-      u8                          reserved;
+-      struct iw_mgmt_data_rset    operational_rset;
+-      u16                         reserved2;
+-      u16                         timeout;
+-      u16                         probe_delay;
+-      u8                          timestamp[8];
+-      u8                          local_time[8];
++struct wl3501_req {
+       u16                         beacon_period;
+       u16                         dtim_period;
+       u16                         cap_info;
+@@ -400,6 +391,19 @@ struct wl3501_join_req {
+       struct iw_mgmt_data_rset    bss_basic_rset;
+ };
++struct wl3501_join_req {
++      u16                         next_blk;
++      u8                          sig_id;
++      u8                          reserved;
++      struct iw_mgmt_data_rset    operational_rset;
++      u16                         reserved2;
++      u16                         timeout;
++      u16                         probe_delay;
++      u8                          timestamp[8];
++      u8                          local_time[8];
++      struct wl3501_req           req;
++};
++
+ struct wl3501_join_confirm {
+       u16     next_blk;
+       u8      sig_id;
+@@ -442,16 +446,7 @@ struct wl3501_scan_confirm {
+       u16                         status;
+       char                        timestamp[8];
+       char                        localtime[8];
+-      u16                         beacon_period;
+-      u16                         dtim_period;
+-      u16                         cap_info;
+-      u8                          bss_type;
+-      u8                          bssid[ETH_ALEN];
+-      struct iw_mgmt_essid_pset   ssid;
+-      struct iw_mgmt_ds_pset      ds_pset;
+-      struct iw_mgmt_cf_pset      cf_pset;
+-      struct iw_mgmt_ibss_pset    ibss_pset;
+-      struct iw_mgmt_data_rset    bss_basic_rset;
++      struct wl3501_req           req;
+       u8                          rssi;
+ };
+diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c
+index f49a44581ede..959844a10861 100644
+--- a/drivers/net/wireless/wl3501_cs.c
++++ b/drivers/net/wireless/wl3501_cs.c
+@@ -589,7 +589,7 @@ static int wl3501_mgmt_join(struct wl3501_card *this, u16 stas)
+       struct wl3501_join_req sig = {
+               .sig_id           = WL3501_SIG_JOIN_REQ,
+               .timeout          = 10,
+-              .ds_pset = {
++              .req.ds_pset = {
+                       .el = {
+                               .id  = IW_MGMT_INFO_ELEMENT_DS_PARAMETER_SET,
+                               .len = 1,
+@@ -598,7 +598,7 @@ static int wl3501_mgmt_join(struct wl3501_card *this, u16 stas)
+               },
+       };
+-      memcpy(&sig.beacon_period, &this->bss_set[stas].beacon_period, 72);
++      memcpy(&sig.req, &this->bss_set[stas].req, sizeof(sig.req));
+       return wl3501_esbq_exec(this, &sig, sizeof(sig));
+ }
+@@ -666,35 +666,37 @@ static void wl3501_mgmt_scan_confirm(struct wl3501_card *this, u16 addr)
+       if (sig.status == WL3501_STATUS_SUCCESS) {
+               pr_debug("success");
+               if ((this->net_type == IW_MODE_INFRA &&
+-                   (sig.cap_info & WL3501_MGMT_CAPABILITY_ESS)) ||
++                   (sig.req.cap_info & WL3501_MGMT_CAPABILITY_ESS)) ||
+                   (this->net_type == IW_MODE_ADHOC &&
+-                   (sig.cap_info & WL3501_MGMT_CAPABILITY_IBSS)) ||
++                   (sig.req.cap_info & WL3501_MGMT_CAPABILITY_IBSS)) ||
+                   this->net_type == IW_MODE_AUTO) {
+                       if (!this->essid.el.len)
+                               matchflag = 1;
+                       else if (this->essid.el.len == 3 &&
+                                !memcmp(this->essid.essid, "ANY", 3))
+                               matchflag = 1;
+-                      else if (this->essid.el.len != sig.ssid.el.len)
++                      else if (this->essid.el.len != sig.req.ssid.el.len)
+                               matchflag = 0;
+-                      else if (memcmp(this->essid.essid, sig.ssid.essid,
++                      else if (memcmp(this->essid.essid, sig.req.ssid.essid,
+                                       this->essid.el.len))
+                               matchflag = 0;
+                       else
+                               matchflag = 1;
+                       if (matchflag) {
+                               for (i = 0; i < this->bss_cnt; i++) {
+-                                      if (ether_addr_equal_unaligned(this->bss_set[i].bssid, sig.bssid)) {
++                                      if (ether_addr_equal_unaligned(this->bss_set[i].req.bssid,
++                                                                     sig.req.bssid)) {
+                                               matchflag = 0;
+                                               break;
+                                       }
+                               }
+                       }
+                       if (matchflag && (i < 20)) {
+-                              memcpy(&this->bss_set[i].beacon_period,
+-                                     &sig.beacon_period, 73);
++                              memcpy(&this->bss_set[i].req,
++                                     &sig.req, sizeof(sig.req));
+                               this->bss_cnt++;
+                               this->rssi = sig.rssi;
++                              this->bss_set[i].rssi = sig.rssi;
+                       }
+               }
+       } else if (sig.status == WL3501_STATUS_TIMEOUT) {
+@@ -886,19 +888,19 @@ static void wl3501_mgmt_join_confirm(struct net_device *dev, u16 addr)
+                       if (this->join_sta_bss < this->bss_cnt) {
+                               const int i = this->join_sta_bss;
+                               memcpy(this->bssid,
+-                                     this->bss_set[i].bssid, ETH_ALEN);
+-                              this->chan = this->bss_set[i].ds_pset.chan;
++                                     this->bss_set[i].req.bssid, ETH_ALEN);
++                              this->chan = this->bss_set[i].req.ds_pset.chan;
+                               iw_copy_mgmt_info_element(&this->keep_essid.el,
+-                                                   &this->bss_set[i].ssid.el);
++                                                   &this->bss_set[i].req.ssid.el);
+                               wl3501_mgmt_auth(this);
+                       }
+               } else {
+                       const int i = this->join_sta_bss;
+-                      memcpy(&this->bssid, &this->bss_set[i].bssid, ETH_ALEN);
+-                      this->chan = this->bss_set[i].ds_pset.chan;
++                      memcpy(&this->bssid, &this->bss_set[i].req.bssid, ETH_ALEN);
++                      this->chan = this->bss_set[i].req.ds_pset.chan;
+                       iw_copy_mgmt_info_element(&this->keep_essid.el,
+-                                                &this->bss_set[i].ssid.el);
++                                                &this->bss_set[i].req.ssid.el);
+                       wl3501_online(dev);
+               }
+       } else {
+@@ -1576,30 +1578,30 @@ static int wl3501_get_scan(struct net_device *dev, struct iw_request_info *info,
+       for (i = 0; i < this->bss_cnt; ++i) {
+               iwe.cmd                 = SIOCGIWAP;
+               iwe.u.ap_addr.sa_family = ARPHRD_ETHER;
+-              memcpy(iwe.u.ap_addr.sa_data, this->bss_set[i].bssid, ETH_ALEN);
++              memcpy(iwe.u.ap_addr.sa_data, this->bss_set[i].req.bssid, ETH_ALEN);
+               current_ev = iwe_stream_add_event(info, current_ev,
+                                                 extra + IW_SCAN_MAX_DATA,
+                                                 &iwe, IW_EV_ADDR_LEN);
+               iwe.cmd           = SIOCGIWESSID;
+               iwe.u.data.flags  = 1;
+-              iwe.u.data.length = this->bss_set[i].ssid.el.len;
++              iwe.u.data.length = this->bss_set[i].req.ssid.el.len;
+               current_ev = iwe_stream_add_point(info, current_ev,
+                                                 extra + IW_SCAN_MAX_DATA,
+                                                 &iwe,
+-                                                this->bss_set[i].ssid.essid);
++                                                this->bss_set[i].req.ssid.essid);
+               iwe.cmd    = SIOCGIWMODE;
+-              iwe.u.mode = this->bss_set[i].bss_type;
++              iwe.u.mode = this->bss_set[i].req.bss_type;
+               current_ev = iwe_stream_add_event(info, current_ev,
+                                                 extra + IW_SCAN_MAX_DATA,
+                                                 &iwe, IW_EV_UINT_LEN);
+               iwe.cmd = SIOCGIWFREQ;
+-              iwe.u.freq.m = this->bss_set[i].ds_pset.chan;
++              iwe.u.freq.m = this->bss_set[i].req.ds_pset.chan;
+               iwe.u.freq.e = 0;
+               current_ev = iwe_stream_add_event(info, current_ev,
+                                                 extra + IW_SCAN_MAX_DATA,
+                                                 &iwe, IW_EV_FREQ_LEN);
+               iwe.cmd = SIOCGIWENCODE;
+-              if (this->bss_set[i].cap_info & WL3501_MGMT_CAPABILITY_PRIVACY)
++              if (this->bss_set[i].req.cap_info & WL3501_MGMT_CAPABILITY_PRIVACY)
+                       iwe.u.data.flags = IW_ENCODE_ENABLED | IW_ENCODE_NOKEY;
+               else
+                       iwe.u.data.flags = IW_ENCODE_DISABLED;
+-- 
+2.30.2
+
diff --git a/queue-4.9/wl3501_cs-fix-out-of-bounds-warnings-in-wl3501_send_.patch b/queue-4.9/wl3501_cs-fix-out-of-bounds-warnings-in-wl3501_send_.patch
new file mode 100644 (file)
index 0000000..dc16325
--- /dev/null
@@ -0,0 +1,147 @@
+From 894e8c47f7a96713308239603b84579fd57cd02e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Apr 2021 18:43:19 -0500
+Subject: wl3501_cs: Fix out-of-bounds warnings in wl3501_send_pkt
+
+From: Gustavo A. R. Silva <gustavoars@kernel.org>
+
+[ Upstream commit 820aa37638a252b57967bdf4038a514b1ab85d45 ]
+
+Fix the following out-of-bounds warnings by enclosing structure members
+daddr and saddr into new struct addr, in structures wl3501_md_req and
+wl3501_md_ind:
+
+arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [18, 23] from the object at 'sig' is out of the bounds of referenced subobject 'daddr' with type 'u8[6]' {aka 'unsigned char[6]'} at offset 11 [-Warray-bounds]
+arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [18, 23] from the object at 'sig' is out of the bounds of referenced subobject 'daddr' with type 'u8[6]' {aka 'unsigned char[6]'} at offset 11 [-Warray-bounds]
+
+Refactor the code, accordingly:
+
+$ pahole -C wl3501_md_req drivers/net/wireless/wl3501_cs.o
+struct wl3501_md_req {
+       u16                        next_blk;             /*     0     2 */
+       u8                         sig_id;               /*     2     1 */
+       u8                         routing;              /*     3     1 */
+       u16                        data;                 /*     4     2 */
+       u16                        size;                 /*     6     2 */
+       u8                         pri;                  /*     8     1 */
+       u8                         service_class;        /*     9     1 */
+       struct {
+               u8                 daddr[6];             /*    10     6 */
+               u8                 saddr[6];             /*    16     6 */
+       } addr;                                          /*    10    12 */
+
+       /* size: 22, cachelines: 1, members: 8 */
+       /* last cacheline: 22 bytes */
+};
+
+$ pahole -C wl3501_md_ind drivers/net/wireless/wl3501_cs.o
+struct wl3501_md_ind {
+       u16                        next_blk;             /*     0     2 */
+       u8                         sig_id;               /*     2     1 */
+       u8                         routing;              /*     3     1 */
+       u16                        data;                 /*     4     2 */
+       u16                        size;                 /*     6     2 */
+       u8                         reception;            /*     8     1 */
+       u8                         pri;                  /*     9     1 */
+       u8                         service_class;        /*    10     1 */
+       struct {
+               u8                 daddr[6];             /*    11     6 */
+               u8                 saddr[6];             /*    17     6 */
+       } addr;                                          /*    11    12 */
+
+       /* size: 24, cachelines: 1, members: 9 */
+       /* padding: 1 */
+       /* last cacheline: 24 bytes */
+};
+
+The problem is that the original code is trying to copy data into a
+couple of arrays adjacent to each other in a single call to memcpy().
+Now that a new struct _addr_ enclosing those two adjacent arrays
+is introduced, memcpy() doesn't overrun the length of &sig.daddr[0]
+and &sig.daddr, because the address of the new struct object _addr_
+is used, instead.
+
+This helps with the ongoing efforts to globally enable -Warray-bounds
+and get us closer to being able to tighten the FORTIFY_SOURCE routines
+on memcpy().
+
+Link: https://github.com/KSPP/linux/issues/109
+Reported-by: kernel test robot <lkp@intel.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/d260fe56aed7112bff2be5b4d152d03ad7b78e78.1618442265.git.gustavoars@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/wl3501.h    | 12 ++++++++----
+ drivers/net/wireless/wl3501_cs.c | 10 ++++++----
+ 2 files changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/wireless/wl3501.h b/drivers/net/wireless/wl3501.h
+index 3fbfd19818f1..ba2a36cfb1c8 100644
+--- a/drivers/net/wireless/wl3501.h
++++ b/drivers/net/wireless/wl3501.h
+@@ -470,8 +470,10 @@ struct wl3501_md_req {
+       u16     size;
+       u8      pri;
+       u8      service_class;
+-      u8      daddr[ETH_ALEN];
+-      u8      saddr[ETH_ALEN];
++      struct {
++              u8      daddr[ETH_ALEN];
++              u8      saddr[ETH_ALEN];
++      } addr;
+ };
+ struct wl3501_md_ind {
+@@ -483,8 +485,10 @@ struct wl3501_md_ind {
+       u8      reception;
+       u8      pri;
+       u8      service_class;
+-      u8      daddr[ETH_ALEN];
+-      u8      saddr[ETH_ALEN];
++      struct {
++              u8      daddr[ETH_ALEN];
++              u8      saddr[ETH_ALEN];
++      } addr;
+ };
+ struct wl3501_md_confirm {
+diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c
+index 932f3f81e8cf..f49a44581ede 100644
+--- a/drivers/net/wireless/wl3501_cs.c
++++ b/drivers/net/wireless/wl3501_cs.c
+@@ -468,6 +468,7 @@ static int wl3501_send_pkt(struct wl3501_card *this, u8 *data, u16 len)
+       struct wl3501_md_req sig = {
+               .sig_id = WL3501_SIG_MD_REQ,
+       };
++      size_t sig_addr_len = sizeof(sig.addr);
+       u8 *pdata = (char *)data;
+       int rc = -EIO;
+@@ -483,9 +484,9 @@ static int wl3501_send_pkt(struct wl3501_card *this, u8 *data, u16 len)
+                       goto out;
+               }
+               rc = 0;
+-              memcpy(&sig.daddr[0], pdata, 12);
+-              pktlen = len - 12;
+-              pdata += 12;
++              memcpy(&sig.addr, pdata, sig_addr_len);
++              pktlen = len - sig_addr_len;
++              pdata += sig_addr_len;
+               sig.data = bf;
+               if (((*pdata) * 256 + (*(pdata + 1))) > 1500) {
+                       u8 addr4[ETH_ALEN] = {
+@@ -979,7 +980,8 @@ static inline void wl3501_md_ind_interrupt(struct net_device *dev,
+       } else {
+               skb->dev = dev;
+               skb_reserve(skb, 2); /* IP headers on 16 bytes boundaries */
+-              skb_copy_to_linear_data(skb, (unsigned char *)&sig.daddr, 12);
++              skb_copy_to_linear_data(skb, (unsigned char *)&sig.addr,
++                                      sizeof(sig.addr));
+               wl3501_receive(this, skb->data, pkt_len);
+               skb_put(skb, pkt_len);
+               skb->protocol   = eth_type_trans(skb, dev);
+-- 
+2.30.2
+
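Review bot: `pktlen = len - sig_addr_len;` in the wl3501_send_pkt hunk now subtracts a size_t from the u16 `len` with no check, visible in the hunk, that `len >= sig_addr_len`, so a frame shorter than the two addresses wraps to a huge value before it is stored into pktlen. The old `len - 12` had the same arithmetic, so the commit does not make it worse, but now that the length is a named quantity a guard such as `if (len < sig_addr_len) { rc = -EINVAL; goto out; }` placed before the memcpy would make the frame-length assumption explicit (the rest of wl3501_send_pkt, including how pktlen is declared and whether the caller bounds len, is outside this hunk). The wl3501.h hunk would also benefit from a one-line comment on each new `addr` struct, `/* daddr and saddr are copied as one block; keep them adjacent */`, so a later field reordering does not silently break the sizeof(sig.addr) copies in wl3501_send_pkt and wl3501_md_ind_interrupt. Minor: `sig_addr_len` is never reassigned and could be declared `const size_t`.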