--- /dev/null
+From d9ed57fcb3d5aab70b64446839f83232d6aefc70 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 11:26:01 +0200
+Subject: ACPI: Kconfig: Fix table override from built-in initrd
+
+From: Robert Richter <rrichter@amd.com>
+
+[ Upstream commit d2cbbf1fe503c07e466c62f83aa1926d74d15821 ]
+
+During a rework of initramfs code the INITRAMFS_COMPRESSION config
+option was removed in commit 65e00e04e5ae. A leftover as a dependency
+broke the config option ACPI_TABLE_OVERRIDE_VIA_ BUILTIN_INITRD that
+is used to enable the overriding of ACPI tables from built-in initrd.
+Fixing the dependency.
+
+Fixes: 65e00e04e5ae ("initramfs: refactor the initramfs build rules")
+Signed-off-by: Robert Richter <rrichter@amd.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/Kconfig b/drivers/acpi/Kconfig
+index eedec61e3476..226f849fe7dc 100644
+--- a/drivers/acpi/Kconfig
++++ b/drivers/acpi/Kconfig
+@@ -370,7 +370,7 @@ config ACPI_TABLE_UPGRADE
+ config ACPI_TABLE_OVERRIDE_VIA_BUILTIN_INITRD
+ bool "Override ACPI tables from built-in initrd"
+ depends on ACPI_TABLE_UPGRADE
+- depends on INITRAMFS_SOURCE!="" && INITRAMFS_COMPRESSION=""
++ depends on INITRAMFS_SOURCE!="" && INITRAMFS_COMPRESSION_NONE
+ help
+ This option provides functionality to override arbitrary ACPI tables
+ from built-in uncompressed initrd.
+--
+2.30.2
+
--- /dev/null
+From 9b33ed3a4be3985e11c6bc81e5789262794164b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jul 2021 21:21:21 +0300
+Subject: ACPI: utils: Fix reference counting in for_each_acpi_dev_match()
+
+From: Andy Shevchenko <andy.shevchenko@gmail.com>
+
+[ Upstream commit 71f6428332844f38c7cb10461d9f29e9c9b983a0 ]
+
+Currently it's possible to iterate over the dangling pointer in case the device
+suddenly disappears. This may happen becase callers put it at the end of a loop.
+
+Instead, let's move that call inside acpi_dev_get_next_match_dev().
+
+Fixes: 803abec64ef9 ("media: ipu3-cio2: Add cio2-bridge to ipu3-cio2 driver")
+Fixes: bf263f64e804 ("media: ACPI / bus: Add acpi_dev_get_next_match_dev() and helper macro")
+Fixes: edbd1bc4951e ("efi/dev-path-parser: Switch to use for_each_acpi_dev_match()")
+Signed-off-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Reviewed-by: Daniel Scally <djrscally@gmail.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/utils.c | 7 +++----
+ drivers/firmware/efi/dev-path-parser.c | 1 -
+ drivers/media/pci/intel/ipu3/cio2-bridge.c | 6 ++----
+ include/acpi/acpi_bus.h | 5 -----
+ 4 files changed, 5 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/acpi/utils.c b/drivers/acpi/utils.c
+index 3b54b8fd7396..27ec9d57f3b8 100644
+--- a/drivers/acpi/utils.c
++++ b/drivers/acpi/utils.c
+@@ -846,11 +846,9 @@ EXPORT_SYMBOL(acpi_dev_present);
+ * Return the next match of ACPI device if another matching device was present
+ * at the moment of invocation, or NULL otherwise.
+ *
+- * FIXME: The function does not tolerate the sudden disappearance of @adev, e.g.
+- * in the case of a hotplug event. That said, the caller should ensure that
+- * this will never happen.
+- *
+ * The caller is responsible for invoking acpi_dev_put() on the returned device.
++ * On the other hand the function invokes acpi_dev_put() on the given @adev
++ * assuming that its reference counter had been increased beforehand.
+ *
+ * See additional information in acpi_dev_present() as well.
+ */
+@@ -866,6 +864,7 @@ acpi_dev_get_next_match_dev(struct acpi_device *adev, const char *hid, const cha
+ match.hrv = hrv;
+
+ dev = bus_find_device(&acpi_bus_type, start, &match, acpi_dev_match_cb);
++ acpi_dev_put(adev);
+ return dev ? to_acpi_device(dev) : NULL;
+ }
+ EXPORT_SYMBOL(acpi_dev_get_next_match_dev);
+diff --git a/drivers/firmware/efi/dev-path-parser.c b/drivers/firmware/efi/dev-path-parser.c
+index 10d4457417a4..eb9c65f97841 100644
+--- a/drivers/firmware/efi/dev-path-parser.c
++++ b/drivers/firmware/efi/dev-path-parser.c
+@@ -34,7 +34,6 @@ static long __init parse_acpi_path(const struct efi_dev_path *node,
+ break;
+ if (!adev->pnp.unique_id && node->acpi.uid == 0)
+ break;
+- acpi_dev_put(adev);
+ }
+ if (!adev)
+ return -ENODEV;
+diff --git a/drivers/media/pci/intel/ipu3/cio2-bridge.c b/drivers/media/pci/intel/ipu3/cio2-bridge.c
+index 4657e99df033..59a36f922675 100644
+--- a/drivers/media/pci/intel/ipu3/cio2-bridge.c
++++ b/drivers/media/pci/intel/ipu3/cio2-bridge.c
+@@ -173,10 +173,8 @@ static int cio2_bridge_connect_sensor(const struct cio2_sensor_config *cfg,
+ int ret;
+
+ for_each_acpi_dev_match(adev, cfg->hid, NULL, -1) {
+- if (!adev->status.enabled) {
+- acpi_dev_put(adev);
++ if (!adev->status.enabled)
+ continue;
+- }
+
+ if (bridge->n_sensors >= CIO2_NUM_PORTS) {
+ acpi_dev_put(adev);
+@@ -185,7 +183,6 @@ static int cio2_bridge_connect_sensor(const struct cio2_sensor_config *cfg,
+ }
+
+ sensor = &bridge->sensors[bridge->n_sensors];
+- sensor->adev = adev;
+ strscpy(sensor->name, cfg->hid, sizeof(sensor->name));
+
+ ret = cio2_bridge_read_acpi_buffer(adev, "SSDB",
+@@ -215,6 +212,7 @@ static int cio2_bridge_connect_sensor(const struct cio2_sensor_config *cfg,
+ goto err_free_swnodes;
+ }
+
++ sensor->adev = acpi_dev_get(adev);
+ adev->fwnode.secondary = fwnode;
+
+ dev_info(&cio2->dev, "Found supported sensor %s\n",
+diff --git a/include/acpi/acpi_bus.h b/include/acpi/acpi_bus.h
+index 3a82faac5767..bff6a11bb21f 100644
+--- a/include/acpi/acpi_bus.h
++++ b/include/acpi/acpi_bus.h
+@@ -698,11 +698,6 @@ acpi_dev_get_first_match_dev(const char *hid, const char *uid, s64 hrv);
+ * @hrv: Hardware Revision of the device, pass -1 to not check _HRV
+ *
+ * The caller is responsible for invoking acpi_dev_put() on the returned device.
+- *
+- * FIXME: Due to above requirement there is a window that may invalidate @adev
+- * and next iteration will use a dangling pointer, e.g. in the case of a
+- * hotplug event. That said, the caller should ensure that this will never
+- * happen.
+ */
+ #define for_each_acpi_dev_match(adev, hid, uid, hrv) \
+ for (adev = acpi_dev_get_first_match_dev(hid, uid, hrv); \
+--
+2.30.2
+
--- /dev/null
+From ded551fd7f2c606ad13903a8d9fb0d2bb182d821 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Apr 2021 08:50:31 -0700
+Subject: afs: check function return
+
+From: Tom Rix <trix@redhat.com>
+
+[ Upstream commit afe6949862f77bcc14fa16ad7938a04e84586d6a ]
+
+Static analysis reports this problem
+
+write.c:773:29: warning: Assigned value is garbage or undefined
+ mapping->writeback_index = next;
+ ^ ~~~~
+The call to afs_writepages_region() can return without setting
+next. So check the function return before using next.
+
+Changes:
+ ver #2:
+ - Need to fix the range_cyclic case also[1].
+
+Fixes: e87b03f5830e ("afs: Prepare for use of THPs")
+Signed-off-by: Tom Rix <trix@redhat.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Marc Dionne <marc.dionne@auristor.com>
+cc: linux-afs@lists.infradead.org
+Link: https://lore.kernel.org/r/20210430155031.3287870-1-trix@redhat.com
+Link: https://lore.kernel.org/r/CAB9dFdvHsLsw7CMnB+4cgciWDSqVjuij4mH3TaXnHQB8sz5rHw@mail.gmail.com/ [1]
+Link: https://lore.kernel.org/r/162609464716.3133237.10354897554363093252.stgit@warthog.procyon.org.uk/ # v1
+Link: https://lore.kernel.org/r/162610727640.3408253.8687445613469681311.stgit@warthog.procyon.org.uk/ # v2
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/write.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/fs/afs/write.c b/fs/afs/write.c
+index 3104b62c2082..1ed62e0ccfe5 100644
+--- a/fs/afs/write.c
++++ b/fs/afs/write.c
+@@ -771,13 +771,19 @@ int afs_writepages(struct address_space *mapping,
+ if (wbc->range_cyclic) {
+ start = mapping->writeback_index * PAGE_SIZE;
+ ret = afs_writepages_region(mapping, wbc, start, LLONG_MAX, &next);
+- if (start > 0 && wbc->nr_to_write > 0 && ret == 0)
+- ret = afs_writepages_region(mapping, wbc, 0, start,
+- &next);
+- mapping->writeback_index = next / PAGE_SIZE;
++ if (ret == 0) {
++ mapping->writeback_index = next / PAGE_SIZE;
++ if (start > 0 && wbc->nr_to_write > 0) {
++ ret = afs_writepages_region(mapping, wbc, 0,
++ start, &next);
++ if (ret == 0)
++ mapping->writeback_index =
++ next / PAGE_SIZE;
++ }
++ }
+ } else if (wbc->range_start == 0 && wbc->range_end == LLONG_MAX) {
+ ret = afs_writepages_region(mapping, wbc, 0, LLONG_MAX, &next);
+- if (wbc->nr_to_write > 0)
++ if (wbc->nr_to_write > 0 && ret == 0)
+ mapping->writeback_index = next;
+ } else {
+ ret = afs_writepages_region(mapping, wbc,
+--
+2.30.2
+
--- /dev/null
+From a990dead298b7aebcf47069a8a44342b5ae57555 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jul 2021 17:04:47 +0100
+Subject: afs: Fix setting of writeback_index
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 5a972474cf685bf99ca430979657095bda3a15c8 ]
+
+Fix afs_writepages() to always set mapping->writeback_index to a page index
+and not a byte position[1].
+
+Fixes: 31143d5d515e ("AFS: implement basic file write support")
+Reported-by: Marc Dionne <marc.dionne@auristor.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Marc Dionne <marc.dionne@auristor.com>
+cc: linux-afs@lists.infradead.org
+Link: https://lore.kernel.org/r/CAB9dFdvHsLsw7CMnB+4cgciWDSqVjuij4mH3TaXnHQB8sz5rHw@mail.gmail.com/ [1]
+Link: https://lore.kernel.org/r/162610728339.3408253.4604750166391496546.stgit@warthog.procyon.org.uk/ # v2 (no v1)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/write.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/afs/write.c b/fs/afs/write.c
+index 1ed62e0ccfe5..c0534697268e 100644
+--- a/fs/afs/write.c
++++ b/fs/afs/write.c
+@@ -784,7 +784,7 @@ int afs_writepages(struct address_space *mapping,
+ } else if (wbc->range_start == 0 && wbc->range_end == LLONG_MAX) {
+ ret = afs_writepages_region(mapping, wbc, 0, LLONG_MAX, &next);
+ if (wbc->nr_to_write > 0 && ret == 0)
+- mapping->writeback_index = next;
++ mapping->writeback_index = next / PAGE_SIZE;
+ } else {
+ ret = afs_writepages_region(mapping, wbc,
+ wbc->range_start, wbc->range_end, &next);
+--
+2.30.2
+
--- /dev/null
+From 5ea6a4f4aef5c3b796659c564943431e3f2ef134 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jun 2021 11:57:26 +0100
+Subject: afs: Fix tracepoint string placement with built-in AFS
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 6c881ca0b3040f3e724eae513117ba4ddef86057 ]
+
+To quote Alexey[1]:
+
+ I was adding custom tracepoint to the kernel, grabbed full F34 kernel
+ .config, disabled modules and booted whole shebang as VM kernel.
+
+ Then did
+
+ perf record -a -e ...
+
+ It crashed:
+
+ general protection fault, probably for non-canonical address 0x435f5346592e4243: 0000 [#1] SMP PTI
+ CPU: 1 PID: 842 Comm: cat Not tainted 5.12.6+ #26
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014
+ RIP: 0010:t_show+0x22/0xd0
+
+ Then reproducer was narrowed to
+
+ # cat /sys/kernel/tracing/printk_formats
+
+ Original F34 kernel with modules didn't crash.
+
+ So I started to disable options and after disabling AFS everything
+ started working again.
+
+ The root cause is that AFS was placing char arrays content into a
+ section full of _pointers_ to strings with predictable consequences.
+
+ Non canonical address 435f5346592e4243 is "CB.YFS_" which came from
+ CM_NAME macro.
+
+ Steps to reproduce:
+
+ CONFIG_AFS=y
+ CONFIG_TRACING=y
+
+ # cat /sys/kernel/tracing/printk_formats
+
+Fix this by the following means:
+
+ (1) Add enum->string translation tables in the event header with the AFS
+ and YFS cache/callback manager operations listed by RPC operation ID.
+
+ (2) Modify the afs_cb_call tracepoint to print the string from the
+ translation table rather than using the string at the afs_call name
+ pointer.
+
+ (3) Switch translation table depending on the service we're being accessed
+ as (AFS or YFS) in the tracepoint print clause. Will this cause
+ problems to userspace utilities?
+
+ Note that the symbolic representation of the YFS service ID isn't
+ available to this header, so I've put it in as a number. I'm not sure
+ if this is the best way to do this.
+
+ (4) Remove the name wrangling (CM_NAME) macro and put the names directly
+ into the afs_call_type structs in cmservice.c.
+
+Fixes: 8e8d7f13b6d5a9 ("afs: Add some tracepoints")
+Reported-by: Alexey Dobriyan (SK hynix) <adobriyan@gmail.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Reviewed-by: Marc Dionne <marc.dionne@auristor.com>
+cc: Andrew Morton <akpm@linux-foundation.org>
+cc: linux-afs@lists.infradead.org
+Link: https://lore.kernel.org/r/YLAXfvZ+rObEOdc%2F@localhost.localdomain/ [1]
+Link: https://lore.kernel.org/r/643721.1623754699@warthog.procyon.org.uk/
+Link: https://lore.kernel.org/r/162430903582.2896199.6098150063997983353.stgit@warthog.procyon.org.uk/ # v1
+Link: https://lore.kernel.org/r/162609463957.3133237.15916579353149746363.stgit@warthog.procyon.org.uk/ # v1 (repost)
+Link: https://lore.kernel.org/r/162610726860.3408253.445207609466288531.stgit@warthog.procyon.org.uk/ # v2
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/cmservice.c | 25 ++++----------
+ include/trace/events/afs.h | 67 +++++++++++++++++++++++++++++++++++---
+ 2 files changed, 69 insertions(+), 23 deletions(-)
+
+diff --git a/fs/afs/cmservice.c b/fs/afs/cmservice.c
+index d3c6bb22c5f4..a3f5de28be79 100644
+--- a/fs/afs/cmservice.c
++++ b/fs/afs/cmservice.c
+@@ -29,16 +29,11 @@ static void SRXAFSCB_TellMeAboutYourself(struct work_struct *);
+
+ static int afs_deliver_yfs_cb_callback(struct afs_call *);
+
+-#define CM_NAME(name) \
+- char afs_SRXCB##name##_name[] __tracepoint_string = \
+- "CB." #name
+-
+ /*
+ * CB.CallBack operation type
+ */
+-static CM_NAME(CallBack);
+ static const struct afs_call_type afs_SRXCBCallBack = {
+- .name = afs_SRXCBCallBack_name,
++ .name = "CB.CallBack",
+ .deliver = afs_deliver_cb_callback,
+ .destructor = afs_cm_destructor,
+ .work = SRXAFSCB_CallBack,
+@@ -47,9 +42,8 @@ static const struct afs_call_type afs_SRXCBCallBack = {
+ /*
+ * CB.InitCallBackState operation type
+ */
+-static CM_NAME(InitCallBackState);
+ static const struct afs_call_type afs_SRXCBInitCallBackState = {
+- .name = afs_SRXCBInitCallBackState_name,
++ .name = "CB.InitCallBackState",
+ .deliver = afs_deliver_cb_init_call_back_state,
+ .destructor = afs_cm_destructor,
+ .work = SRXAFSCB_InitCallBackState,
+@@ -58,9 +52,8 @@ static const struct afs_call_type afs_SRXCBInitCallBackState = {
+ /*
+ * CB.InitCallBackState3 operation type
+ */
+-static CM_NAME(InitCallBackState3);
+ static const struct afs_call_type afs_SRXCBInitCallBackState3 = {
+- .name = afs_SRXCBInitCallBackState3_name,
++ .name = "CB.InitCallBackState3",
+ .deliver = afs_deliver_cb_init_call_back_state3,
+ .destructor = afs_cm_destructor,
+ .work = SRXAFSCB_InitCallBackState,
+@@ -69,9 +62,8 @@ static const struct afs_call_type afs_SRXCBInitCallBackState3 = {
+ /*
+ * CB.Probe operation type
+ */
+-static CM_NAME(Probe);
+ static const struct afs_call_type afs_SRXCBProbe = {
+- .name = afs_SRXCBProbe_name,
++ .name = "CB.Probe",
+ .deliver = afs_deliver_cb_probe,
+ .destructor = afs_cm_destructor,
+ .work = SRXAFSCB_Probe,
+@@ -80,9 +72,8 @@ static const struct afs_call_type afs_SRXCBProbe = {
+ /*
+ * CB.ProbeUuid operation type
+ */
+-static CM_NAME(ProbeUuid);
+ static const struct afs_call_type afs_SRXCBProbeUuid = {
+- .name = afs_SRXCBProbeUuid_name,
++ .name = "CB.ProbeUuid",
+ .deliver = afs_deliver_cb_probe_uuid,
+ .destructor = afs_cm_destructor,
+ .work = SRXAFSCB_ProbeUuid,
+@@ -91,9 +82,8 @@ static const struct afs_call_type afs_SRXCBProbeUuid = {
+ /*
+ * CB.TellMeAboutYourself operation type
+ */
+-static CM_NAME(TellMeAboutYourself);
+ static const struct afs_call_type afs_SRXCBTellMeAboutYourself = {
+- .name = afs_SRXCBTellMeAboutYourself_name,
++ .name = "CB.TellMeAboutYourself",
+ .deliver = afs_deliver_cb_tell_me_about_yourself,
+ .destructor = afs_cm_destructor,
+ .work = SRXAFSCB_TellMeAboutYourself,
+@@ -102,9 +92,8 @@ static const struct afs_call_type afs_SRXCBTellMeAboutYourself = {
+ /*
+ * YFS CB.CallBack operation type
+ */
+-static CM_NAME(YFS_CallBack);
+ static const struct afs_call_type afs_SRXYFSCB_CallBack = {
+- .name = afs_SRXCBYFS_CallBack_name,
++ .name = "YFSCB.CallBack",
+ .deliver = afs_deliver_yfs_cb_callback,
+ .destructor = afs_cm_destructor,
+ .work = SRXAFSCB_CallBack,
+diff --git a/include/trace/events/afs.h b/include/trace/events/afs.h
+index 3ccf591b2374..9f73ed2cf061 100644
+--- a/include/trace/events/afs.h
++++ b/include/trace/events/afs.h
+@@ -174,6 +174,34 @@ enum afs_vl_operation {
+ afs_VL_GetCapabilities = 65537, /* AFS Get VL server capabilities */
+ };
+
++enum afs_cm_operation {
++ afs_CB_CallBack = 204, /* AFS break callback promises */
++ afs_CB_InitCallBackState = 205, /* AFS initialise callback state */
++ afs_CB_Probe = 206, /* AFS probe client */
++ afs_CB_GetLock = 207, /* AFS get contents of CM lock table */
++ afs_CB_GetCE = 208, /* AFS get cache file description */
++ afs_CB_GetXStatsVersion = 209, /* AFS get version of extended statistics */
++ afs_CB_GetXStats = 210, /* AFS get contents of extended statistics data */
++ afs_CB_InitCallBackState3 = 213, /* AFS initialise callback state, version 3 */
++ afs_CB_ProbeUuid = 214, /* AFS check the client hasn't rebooted */
++};
++
++enum yfs_cm_operation {
++ yfs_CB_Probe = 206, /* YFS probe client */
++ yfs_CB_GetLock = 207, /* YFS get contents of CM lock table */
++ yfs_CB_XStatsVersion = 209, /* YFS get version of extended statistics */
++ yfs_CB_GetXStats = 210, /* YFS get contents of extended statistics data */
++ yfs_CB_InitCallBackState3 = 213, /* YFS initialise callback state, version 3 */
++ yfs_CB_ProbeUuid = 214, /* YFS check the client hasn't rebooted */
++ yfs_CB_GetServerPrefs = 215,
++ yfs_CB_GetCellServDV = 216,
++ yfs_CB_GetLocalCell = 217,
++ yfs_CB_GetCacheConfig = 218,
++ yfs_CB_GetCellByNum = 65537,
++ yfs_CB_TellMeAboutYourself = 65538, /* get client capabilities */
++ yfs_CB_CallBack = 64204,
++};
++
+ enum afs_edit_dir_op {
+ afs_edit_dir_create,
+ afs_edit_dir_create_error,
+@@ -436,6 +464,32 @@ enum afs_cb_break_reason {
+ EM(afs_YFSVL_GetCellName, "YFSVL.GetCellName") \
+ E_(afs_VL_GetCapabilities, "VL.GetCapabilities")
+
++#define afs_cm_operations \
++ EM(afs_CB_CallBack, "CB.CallBack") \
++ EM(afs_CB_InitCallBackState, "CB.InitCallBackState") \
++ EM(afs_CB_Probe, "CB.Probe") \
++ EM(afs_CB_GetLock, "CB.GetLock") \
++ EM(afs_CB_GetCE, "CB.GetCE") \
++ EM(afs_CB_GetXStatsVersion, "CB.GetXStatsVersion") \
++ EM(afs_CB_GetXStats, "CB.GetXStats") \
++ EM(afs_CB_InitCallBackState3, "CB.InitCallBackState3") \
++ E_(afs_CB_ProbeUuid, "CB.ProbeUuid")
++
++#define yfs_cm_operations \
++ EM(yfs_CB_Probe, "YFSCB.Probe") \
++ EM(yfs_CB_GetLock, "YFSCB.GetLock") \
++ EM(yfs_CB_XStatsVersion, "YFSCB.XStatsVersion") \
++ EM(yfs_CB_GetXStats, "YFSCB.GetXStats") \
++ EM(yfs_CB_InitCallBackState3, "YFSCB.InitCallBackState3") \
++ EM(yfs_CB_ProbeUuid, "YFSCB.ProbeUuid") \
++ EM(yfs_CB_GetServerPrefs, "YFSCB.GetServerPrefs") \
++ EM(yfs_CB_GetCellServDV, "YFSCB.GetCellServDV") \
++ EM(yfs_CB_GetLocalCell, "YFSCB.GetLocalCell") \
++ EM(yfs_CB_GetCacheConfig, "YFSCB.GetCacheConfig") \
++ EM(yfs_CB_GetCellByNum, "YFSCB.GetCellByNum") \
++ EM(yfs_CB_TellMeAboutYourself, "YFSCB.TellMeAboutYourself") \
++ E_(yfs_CB_CallBack, "YFSCB.CallBack")
++
+ #define afs_edit_dir_ops \
+ EM(afs_edit_dir_create, "create") \
+ EM(afs_edit_dir_create_error, "c_fail") \
+@@ -569,6 +623,8 @@ afs_server_traces;
+ afs_cell_traces;
+ afs_fs_operations;
+ afs_vl_operations;
++afs_cm_operations;
++yfs_cm_operations;
+ afs_edit_dir_ops;
+ afs_edit_dir_reasons;
+ afs_eproto_causes;
+@@ -649,20 +705,21 @@ TRACE_EVENT(afs_cb_call,
+
+ TP_STRUCT__entry(
+ __field(unsigned int, call )
+- __field(const char *, name )
+ __field(u32, op )
++ __field(u16, service_id )
+ ),
+
+ TP_fast_assign(
+ __entry->call = call->debug_id;
+- __entry->name = call->type->name;
+ __entry->op = call->operation_ID;
++ __entry->service_id = call->service_id;
+ ),
+
+- TP_printk("c=%08x %s o=%u",
++ TP_printk("c=%08x %s",
+ __entry->call,
+- __entry->name,
+- __entry->op)
++ __entry->service_id == 2501 ?
++ __print_symbolic(__entry->op, yfs_cm_operations) :
++ __print_symbolic(__entry->op, afs_cm_operations))
+ );
+
+ TRACE_EVENT(afs_call,
+--
+2.30.2
+
--- /dev/null
+From 4161552d7b8d12edf1d6df4865d1593f546d394c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Jul 2021 18:17:46 -0500
+Subject: ALSA: hda: intel-dsp-cfg: add missing ElkhartLake PCI ID
+
+From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+
+[ Upstream commit 114613f62f42e7cbc1242c4e82076a0153043761 ]
+
+We missed the fact that ElkhartLake platforms have two different PCI
+IDs. We only added one so the SOF driver is never selected by the
+autodetection logic for the missing configuration.
+
+BugLink: https://github.com/thesofproject/linux/issues/2990
+Fixes: cc8f81c7e625 ('ALSA: hda: fix intel DSP config')
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://lore.kernel.org/r/20210719231746.557325-1-pierre-louis.bossart@linux.intel.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/hda/intel-dsp-config.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/sound/hda/intel-dsp-config.c b/sound/hda/intel-dsp-config.c
+index d8be146793ee..c9d0ba353463 100644
+--- a/sound/hda/intel-dsp-config.c
++++ b/sound/hda/intel-dsp-config.c
+@@ -319,6 +319,10 @@ static const struct config_entry config_table[] = {
+ .flags = FLAG_SOF | FLAG_SOF_ONLY_IF_DMIC,
+ .device = 0x4b55,
+ },
++ {
++ .flags = FLAG_SOF | FLAG_SOF_ONLY_IF_DMIC,
++ .device = 0x4b58,
++ },
+ #endif
+
+ /* Alder Lake */
+--
+2.30.2
+
--- /dev/null
+From b273a6e683bc23bf65737f830a7933d3492b60c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Apr 2021 02:51:13 -0500
+Subject: ARM: dts: aspeed: Update e3c246d4i vuart properties
+
+From: Zev Weiss <zev@bewilderbeest.net>
+
+[ Upstream commit 812bae32e5d50914f75a6e036d3bde39ca86b0c3 ]
+
+This device-tree was merged with a provisional vuart IRQ-polarity
+property that was still under review and ended up taking a somewhat
+different form. This patch updates it to match the final form of the
+new vuart properties, which additionally allow specifying the SIRQ
+number and LPC address.
+
+Signed-off-by: Zev Weiss <zev@bewilderbeest.net>
+Reviewed-by: Andrew Jeffery <andrew@aj.id.au>
+Fixes: ca03042f0f12 ("serial: 8250_aspeed_vuart: add aspeed, lpc-io-reg and aspeed, lpc-interrupts DT properties")
+Reviewed-by: Joel Stanley <joel@jms.id.au>
+Link: https://lore.kernel.org/r/20210416075113.18047-1-zev@bewilderbeest.net
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/aspeed-bmc-asrock-e3c246d4i.dts | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/aspeed-bmc-asrock-e3c246d4i.dts b/arch/arm/boot/dts/aspeed-bmc-asrock-e3c246d4i.dts
+index dcab6e78dfa4..8be40c8283af 100644
+--- a/arch/arm/boot/dts/aspeed-bmc-asrock-e3c246d4i.dts
++++ b/arch/arm/boot/dts/aspeed-bmc-asrock-e3c246d4i.dts
+@@ -4,6 +4,7 @@
+ #include "aspeed-g5.dtsi"
+ #include <dt-bindings/gpio/aspeed-gpio.h>
+ #include <dt-bindings/i2c/i2c.h>
++#include <dt-bindings/interrupt-controller/irq.h>
+
+ /{
+ model = "ASRock E3C246D4I BMC";
+@@ -73,7 +74,8 @@
+
+ &vuart {
+ status = "okay";
+- aspeed,sirq-active-high;
++ aspeed,lpc-io-reg = <0x2f8>;
++ aspeed,lpc-interrupts = <3 IRQ_TYPE_LEVEL_HIGH>;
+ };
+
+ &mac0 {
+--
+2.30.2
+
--- /dev/null
+From 2b1ec6ffa87f73f4262093136a20066a4b74e637 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jul 2021 15:38:41 +0100
+Subject: arm64: mte: fix restoration of GCR_EL1 from suspend
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+[ Upstream commit 59f44069e0527523f27948da7b77599a73dab157 ]
+
+Since commit:
+
+ bad1e1c663e0a72f ("arm64: mte: switch GCR_EL1 in kernel entry and exit")
+
+we saved/restored the user GCR_EL1 value at exception boundaries, and
+update_gcr_el1_excl() is no longer used for this. However it is used to
+restore the kernel's GCR_EL1 value when returning from a suspend state.
+Thus, the comment is misleading (and an ISB is necessary).
+
+When restoring the kernel's GCR value, we need an ISB to ensure this is
+used by subsequent instructions. We don't necessarily get an ISB by
+other means (e.g. if the kernel is built without support for pointer
+authentication). As __cpu_setup() initialised GCR_EL1.Exclude to 0xffff,
+until a context synchronization event, allocation tag 0 may be used
+rather than the desired set of tags.
+
+This patch drops the misleading comment, adds the missing ISB, and for
+clarity folds update_gcr_el1_excl() into its only user.
+
+Fixes: bad1e1c663e0 ("arm64: mte: switch GCR_EL1 in kernel entry and exit")
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Cc: Andrey Konovalov <andreyknvl@gmail.com>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
+Cc: Will Deacon <will@kernel.org>
+Link: https://lore.kernel.org/r/20210714143843.56537-2-mark.rutland@arm.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/mte.c | 15 ++-------------
+ 1 file changed, 2 insertions(+), 13 deletions(-)
+
+diff --git a/arch/arm64/kernel/mte.c b/arch/arm64/kernel/mte.c
+index 125a10e413e9..23e9879a6e78 100644
+--- a/arch/arm64/kernel/mte.c
++++ b/arch/arm64/kernel/mte.c
+@@ -185,18 +185,6 @@ void mte_check_tfsr_el1(void)
+ }
+ #endif
+
+-static void update_gcr_el1_excl(u64 excl)
+-{
+-
+- /*
+- * Note that the mask controlled by the user via prctl() is an
+- * include while GCR_EL1 accepts an exclude mask.
+- * No need for ISB since this only affects EL0 currently, implicit
+- * with ERET.
+- */
+- sysreg_clear_set_s(SYS_GCR_EL1, SYS_GCR_EL1_EXCL_MASK, excl);
+-}
+-
+ static void set_gcr_el1_excl(u64 excl)
+ {
+ current->thread.gcr_user_excl = excl;
+@@ -257,7 +245,8 @@ void mte_suspend_exit(void)
+ if (!system_supports_mte())
+ return;
+
+- update_gcr_el1_excl(gcr_kernel_excl);
++ sysreg_clear_set_s(SYS_GCR_EL1, SYS_GCR_EL1_EXCL_MASK, gcr_kernel_excl);
++ isb();
+ }
+
+ long set_mte_ctrl(struct task_struct *task, unsigned long arg)
+--
+2.30.2
+
--- /dev/null
+From 353e309753c5fc5c85cf50b0627d8857e7c7575b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jul 2021 03:50:11 +0300
+Subject: ASoC: rt5631: Fix regcache sync errors on resume
+
+From: Maxim Schwalm <maxim.schwalm@gmail.com>
+
+[ Upstream commit c71f78a662611fe2c67f3155da19b0eff0f29762 ]
+
+The ALC5631 does not like multi-write accesses, avoid them. This fixes:
+
+rt5631 4-001a: Unable to sync registers 0x3a-0x3c. -121
+
+errors on resume from suspend (and all registers after the registers in
+the error not being synced).
+
+Inspired by commit 2d30e9494f1e ("ASoC: rt5651: Fix regcache sync errors
+on resume") from Hans de Geode, which fixed the same errors on ALC5651.
+
+Signed-off-by: Maxim Schwalm <maxim.schwalm@gmail.com>
+Link: https://lore.kernel.org/r/20210712005011.28536-1-digetx@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/rt5631.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/soc/codecs/rt5631.c b/sound/soc/codecs/rt5631.c
+index 3000bc128b5b..38356ea2bd6e 100644
+--- a/sound/soc/codecs/rt5631.c
++++ b/sound/soc/codecs/rt5631.c
+@@ -1695,6 +1695,8 @@ static const struct regmap_config rt5631_regmap_config = {
+ .reg_defaults = rt5631_reg,
+ .num_reg_defaults = ARRAY_SIZE(rt5631_reg),
+ .cache_type = REGCACHE_RBTREE,
++ .use_single_read = true,
++ .use_single_write = true,
+ };
+
+ static int rt5631_i2c_probe(struct i2c_client *i2c,
+--
+2.30.2
+
--- /dev/null
+From e1ee1d875f24ebb9fc43706e2198c08e65d14179 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jul 2021 18:00:12 +0530
+Subject: ASoC: soc-pcm: add a flag to reverse the stop sequence
+
+From: Vijendar Mukunda <vijendar.mukunda@amd.com>
+
+[ Upstream commit 59dd33f82dc0975c55d3d46801e7ca45532d7673 ]
+
+On stream stop, currently CPU DAI stop sequence invoked first
+followed by DMA. For Few platforms, it is required to stop the
+DMA first before stopping CPU DAI.
+
+Introduced new flag in dai_link structure for reordering stop sequence.
+Based on flag check, ASoC core will re-order the stop sequence.
+
+Fixes: 4378f1fbe92405 ("ASoC: soc-pcm: Use different sequence for start/stop trigger")
+Signed-off-by: Vijendar Mukunda <Vijendar.Mukunda@amd.com>
+Link: https://lore.kernel.org/r/20210716123015.15697-1-vijendar.mukunda@amd.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/sound/soc.h | 6 ++++++
+ sound/soc/soc-pcm.c | 22 ++++++++++++++++------
+ 2 files changed, 22 insertions(+), 6 deletions(-)
+
+diff --git a/include/sound/soc.h b/include/sound/soc.h
+index e746da996351..723eeb1c3f78 100644
+--- a/include/sound/soc.h
++++ b/include/sound/soc.h
+@@ -712,6 +712,12 @@ struct snd_soc_dai_link {
+ /* Do not create a PCM for this DAI link (Backend link) */
+ unsigned int ignore:1;
+
++ /* This flag will reorder stop sequence. By enabling this flag
++ * DMA controller stop sequence will be invoked first followed by
++ * CPU DAI driver stop sequence
++ */
++ unsigned int stop_dma_first:1;
++
+ #ifdef CONFIG_SND_SOC_TOPOLOGY
+ struct snd_soc_dobj dobj; /* For topology */
+ #endif
+diff --git a/sound/soc/soc-pcm.c b/sound/soc/soc-pcm.c
+index 46513bb97904..d1c570ca21ea 100644
+--- a/sound/soc/soc-pcm.c
++++ b/sound/soc/soc-pcm.c
+@@ -1015,6 +1015,7 @@ out:
+
+ static int soc_pcm_trigger(struct snd_pcm_substream *substream, int cmd)
+ {
++ struct snd_soc_pcm_runtime *rtd = asoc_substream_to_rtd(substream);
+ int ret = -EINVAL, _ret = 0;
+ int rollback = 0;
+
+@@ -1055,14 +1056,23 @@ start_err:
+ case SNDRV_PCM_TRIGGER_STOP:
+ case SNDRV_PCM_TRIGGER_SUSPEND:
+ case SNDRV_PCM_TRIGGER_PAUSE_PUSH:
+- ret = snd_soc_pcm_dai_trigger(substream, cmd, rollback);
+- if (ret < 0)
+- break;
++ if (rtd->dai_link->stop_dma_first) {
++ ret = snd_soc_pcm_component_trigger(substream, cmd, rollback);
++ if (ret < 0)
++ break;
+
+- ret = snd_soc_pcm_component_trigger(substream, cmd, rollback);
+- if (ret < 0)
+- break;
++ ret = snd_soc_pcm_dai_trigger(substream, cmd, rollback);
++ if (ret < 0)
++ break;
++ } else {
++ ret = snd_soc_pcm_dai_trigger(substream, cmd, rollback);
++ if (ret < 0)
++ break;
+
++ ret = snd_soc_pcm_component_trigger(substream, cmd, rollback);
++ if (ret < 0)
++ break;
++ }
+ ret = snd_soc_link_trigger(substream, cmd, rollback);
+ break;
+ }
+--
+2.30.2
+
--- /dev/null
+From 71a80379545a0be377e4f5a588de5c48ca3c3d06 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jul 2021 15:16:20 -0500
+Subject: ASoC: SOF: Intel: Update ADL descriptor to use ACPI power states
+
+From: Sathya Prakash M R <sathya.prakash.m.r@intel.com>
+
+[ Upstream commit aa21548e34c19c12e924c736f3fd9e6a4d0f5419 ]
+
+The ADL descriptor was missing an ACPI power setting, causing the DSP
+to enter D3 even with a D0i1-compatible wake-on-voice/hotwording
+capture stream.
+
+Fixes: 4ad03f894b3c ('ASoC: SOF: Intel: Update ADL P to use its own descriptor')
+Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+Signed-off-by: Sathya Prakash M R <sathya.prakash.m.r@intel.com>
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://lore.kernel.org/r/20210712201620.44311-1-pierre-louis.bossart@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sof/intel/pci-tgl.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/sof/intel/pci-tgl.c b/sound/soc/sof/intel/pci-tgl.c
+index 88c3bf404dd7..d1fd0a330554 100644
+--- a/sound/soc/sof/intel/pci-tgl.c
++++ b/sound/soc/sof/intel/pci-tgl.c
+@@ -89,6 +89,7 @@ static const struct sof_dev_desc adls_desc = {
+ static const struct sof_dev_desc adl_desc = {
+ .machines = snd_soc_acpi_intel_adl_machines,
+ .alt_machines = snd_soc_acpi_intel_adl_sdw_machines,
++ .use_acpi_target_states = true,
+ .resindex_lpe_base = 0,
+ .resindex_pcicfg_base = -1,
+ .resindex_imr_base = -1,
+--
+2.30.2
+
--- /dev/null
+From 013e69950319145e4fd7febf9bbd76538670cb78 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Jun 2021 16:59:39 +0100
+Subject: ASoC: wm_adsp: Correct wm_coeff_tlv_get handling
+
+From: Charles Keepax <ckeepax@opensource.cirrus.com>
+
+[ Upstream commit dd6fb8ff2210f74b056bf9234d0605e8c26a8ac0 ]
+
+When wm_coeff_tlv_get was updated it was accidentally switch to the _raw
+version of the helper causing it to ignore the current DSP state it
+should be checking. Switch the code back to the correct helper so that
+users can't read the controls when they arn't available.
+
+Fixes: 73ecf1a673d3 ("ASoC: wm_adsp: Correct cache handling of new kernel control API")
+Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Link: https://lore.kernel.org/r/20210626155941.12251-1-ckeepax@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/wm_adsp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/wm_adsp.c b/sound/soc/codecs/wm_adsp.c
+index 3dc119daf2f6..cef05d81c39b 100644
+--- a/sound/soc/codecs/wm_adsp.c
++++ b/sound/soc/codecs/wm_adsp.c
+@@ -1213,7 +1213,7 @@ static int wm_coeff_tlv_get(struct snd_kcontrol *kctl,
+
+ mutex_lock(&ctl->dsp->pwr_lock);
+
+- ret = wm_coeff_read_ctrl_raw(ctl, ctl->cache, size);
++ ret = wm_coeff_read_ctrl(ctl, ctl->cache, size);
+
+ if (!ret && copy_to_user(bytes, ctl->cache, size))
+ ret = -EFAULT;
+--
+2.30.2
+
--- /dev/null
+From c132b0ec59ddda39ebb214441260a2e61b5f08e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Jul 2021 15:36:28 -0400
+Subject: bnxt_en: Add missing check for BNXT_STATE_ABORT_ERR in
+ bnxt_fw_rset_task()
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+[ Upstream commit 6cd657cb3ee6f4de57e635b126ffbe0e51d00f1a ]
+
+In the BNXT_FW_RESET_STATE_POLL_VF state in bnxt_fw_reset_task() after all
+VFs have unregistered, we need to check for BNXT_STATE_ABORT_ERR after
+we acquire the rtnl_lock. If the flag is set, we need to abort.
+
+Fixes: 230d1f0de754 ("bnxt_en: Handle firmware reset.")
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index d57fb1613cfc..07efab5bad95 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -11882,6 +11882,10 @@ static void bnxt_fw_reset_task(struct work_struct *work)
+ }
+ bp->fw_reset_timestamp = jiffies;
+ rtnl_lock();
++ if (test_bit(BNXT_STATE_ABORT_ERR, &bp->state)) {
++ rtnl_unlock();
++ goto fw_reset_abort;
++ }
+ bnxt_fw_reset_close(bp);
+ if (bp->fw_cap & BNXT_FW_CAP_ERR_RECOVER_RELOAD) {
+ bp->fw_reset_state = BNXT_FW_RESET_STATE_POLL_FW_DOWN;
+--
+2.30.2
+
--- /dev/null
+From e7a1a60f7338b929e244ff5242fd868dee3f321a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Jul 2021 15:36:31 -0400
+Subject: bnxt_en: Check abort error state in bnxt_half_open_nic()
+
+From: Somnath Kotur <somnath.kotur@broadcom.com>
+
+[ Upstream commit 11a39259ff79b74bc99f8b7c44075a2d6d5e7ab1 ]
+
+bnxt_half_open_nic() is called during during ethtool self test and is
+protected by rtnl_lock. Firmware reset can be happening at the same
+time. Only critical portions of the entire firmware reset sequence
+are protected by the rtnl_lock. It is possible that bnxt_half_open_nic()
+can be called when the firmware reset sequence is aborting. In that
+case, bnxt_half_open_nic() needs to check if the ABORT_ERR flag is set
+and abort if it is. The ethtool self test will fail but the NIC will be
+brought to a consistent IF_DOWN state.
+
+Without this patch, if bnxt_half_open_nic() were to continue in this
+error state, it may crash like this:
+
+ bnxt_en 0000:82:00.1 enp130s0f1np1: FW reset in progress during close, FW reset will be aborted
+ Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
+ ...
+ Process ethtool (pid: 333327, stack limit = 0x0000000046476577)
+ Call trace:
+ bnxt_alloc_mem+0x444/0xef0 [bnxt_en]
+ bnxt_half_open_nic+0x24/0xb8 [bnxt_en]
+ bnxt_self_test+0x2dc/0x390 [bnxt_en]
+ ethtool_self_test+0xe0/0x1f8
+ dev_ethtool+0x1744/0x22d0
+ dev_ioctl+0x190/0x3e0
+ sock_ioctl+0x238/0x480
+ do_vfs_ioctl+0xc4/0x758
+ ksys_ioctl+0x84/0xb8
+ __arm64_sys_ioctl+0x28/0x38
+ el0_svc_handler+0xb0/0x180
+ el0_svc+0x8/0xc
+
+Fixes: a1301f08c5ac ("bnxt_en: Check abort error state in bnxt_open_nic().")
+Signed-off-by: Somnath Kotur <somnath.kotur@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index be36dee65f90..3c3aa9467310 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -10104,6 +10104,12 @@ int bnxt_half_open_nic(struct bnxt *bp)
+ {
+ int rc = 0;
+
++ if (test_bit(BNXT_STATE_ABORT_ERR, &bp->state)) {
++ netdev_err(bp->dev, "A previous firmware reset has not completed, aborting half open\n");
++ rc = -ENODEV;
++ goto half_open_err;
++ }
++
+ rc = bnxt_alloc_mem(bp, false);
+ if (rc) {
+ netdev_err(bp->dev, "bnxt_alloc_mem err: %x\n", rc);
+--
+2.30.2
+
--- /dev/null
+From d0ed45ba2be9a100f83b3b362722227b8f7e26f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Jul 2021 15:36:25 -0400
+Subject: bnxt_en: don't disable an already disabled PCI device
+
+From: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+
+[ Upstream commit c81cfb6256d90ea5ba4a6fb280ea3b171be4e05c ]
+
+If device is already disabled in reset path and PCI io error is
+detected before the device could be enabled, driver could
+call pci_disable_device() for already disabled device. Fix this
+problem by calling pci_disable_device() only if the device is already
+enabled.
+
+Fixes: 6316ea6db93d ("bnxt_en: Enable AER support.")
+Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index aef3fccc27a9..d57fb1613cfc 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -13315,7 +13315,8 @@ static pci_ers_result_t bnxt_io_error_detected(struct pci_dev *pdev,
+ if (netif_running(netdev))
+ bnxt_close(netdev);
+
+- pci_disable_device(pdev);
++ if (pci_is_enabled(pdev))
++ pci_disable_device(pdev);
+ bnxt_free_ctx_mem(bp);
+ kfree(bp->ctx);
+ bp->ctx = NULL;
+--
+2.30.2
+
--- /dev/null
+From add722806a610b335b57e16f26f75ffb7d6ea904 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Jul 2021 15:36:29 -0400
+Subject: bnxt_en: fix error path of FW reset
+
+From: Somnath Kotur <somnath.kotur@broadcom.com>
+
+[ Upstream commit 3958b1da725a477b4a222183d16a14d85445d4b6 ]
+
+When bnxt_open() fails in the firmware reset path, the driver needs to
+gracefully abort, but it is executing code that should be invoked only
+in the success path. Define a function to abort FW reset and
+consolidate all error paths to call this new function.
+
+Fixes: dab62e7c2de7 ("bnxt_en: Implement faster recovery for firmware fatal error.")
+Signed-off-by: Somnath Kotur <somnath.kotur@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 31 +++++++++++++++--------
+ 1 file changed, 21 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index 07efab5bad95..49aca3289c00 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -11849,10 +11849,21 @@ static bool bnxt_fw_reset_timeout(struct bnxt *bp)
+ (bp->fw_reset_max_dsecs * HZ / 10));
+ }
+
++static void bnxt_fw_reset_abort(struct bnxt *bp, int rc)
++{
++ clear_bit(BNXT_STATE_IN_FW_RESET, &bp->state);
++ if (bp->fw_reset_state != BNXT_FW_RESET_STATE_POLL_VF) {
++ bnxt_ulp_start(bp, rc);
++ bnxt_dl_health_status_update(bp, false);
++ }
++ bp->fw_reset_state = 0;
++ dev_close(bp->dev);
++}
++
+ static void bnxt_fw_reset_task(struct work_struct *work)
+ {
+ struct bnxt *bp = container_of(work, struct bnxt, fw_reset_task.work);
+- int rc;
++ int rc = 0;
+
+ if (!test_bit(BNXT_STATE_IN_FW_RESET, &bp->state)) {
+ netdev_err(bp->dev, "bnxt_fw_reset_task() called when not in fw reset mode!\n");
+@@ -11883,8 +11894,9 @@ static void bnxt_fw_reset_task(struct work_struct *work)
+ bp->fw_reset_timestamp = jiffies;
+ rtnl_lock();
+ if (test_bit(BNXT_STATE_ABORT_ERR, &bp->state)) {
++ bnxt_fw_reset_abort(bp, rc);
+ rtnl_unlock();
+- goto fw_reset_abort;
++ return;
+ }
+ bnxt_fw_reset_close(bp);
+ if (bp->fw_cap & BNXT_FW_CAP_ERR_RECOVER_RELOAD) {
+@@ -11933,6 +11945,7 @@ static void bnxt_fw_reset_task(struct work_struct *work)
+ if (val == 0xffff) {
+ if (bnxt_fw_reset_timeout(bp)) {
+ netdev_err(bp->dev, "Firmware reset aborted, PCI config space invalid\n");
++ rc = -ETIMEDOUT;
+ goto fw_reset_abort;
+ }
+ bnxt_queue_fw_reset_work(bp, HZ / 1000);
+@@ -11942,6 +11955,7 @@ static void bnxt_fw_reset_task(struct work_struct *work)
+ clear_bit(BNXT_STATE_FW_FATAL_COND, &bp->state);
+ if (pci_enable_device(bp->pdev)) {
+ netdev_err(bp->dev, "Cannot re-enable PCI device\n");
++ rc = -ENODEV;
+ goto fw_reset_abort;
+ }
+ pci_set_master(bp->pdev);
+@@ -11968,9 +11982,10 @@ static void bnxt_fw_reset_task(struct work_struct *work)
+ }
+ rc = bnxt_open(bp->dev);
+ if (rc) {
+- netdev_err(bp->dev, "bnxt_open_nic() failed\n");
+- clear_bit(BNXT_STATE_IN_FW_RESET, &bp->state);
+- dev_close(bp->dev);
++ netdev_err(bp->dev, "bnxt_open() failed during FW reset\n");
++ bnxt_fw_reset_abort(bp, rc);
++ rtnl_unlock();
++ return;
+ }
+
+ bp->fw_reset_state = 0;
+@@ -11997,12 +12012,8 @@ fw_reset_abort_status:
+ netdev_err(bp->dev, "fw_health_status 0x%x\n", sts);
+ }
+ fw_reset_abort:
+- clear_bit(BNXT_STATE_IN_FW_RESET, &bp->state);
+- if (bp->fw_reset_state != BNXT_FW_RESET_STATE_POLL_VF)
+- bnxt_dl_health_status_update(bp, false);
+- bp->fw_reset_state = 0;
+ rtnl_lock();
+- dev_close(bp->dev);
++ bnxt_fw_reset_abort(bp, rc);
+ rtnl_unlock();
+ }
+
+--
+2.30.2
+
--- /dev/null
+From deefc285ac44c458554d81e47f71b4a28bf0e06a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Jul 2021 15:36:27 -0400
+Subject: bnxt_en: Refresh RoCE capabilities in bnxt_ulp_probe()
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+[ Upstream commit 2c9f046bc377efd1f5e26e74817d5f96e9506c86 ]
+
+The capabilities can change after firmware upgrade/downgrade, so we
+should get the up-to-date RoCE capabilities everytime bnxt_ulp_probe()
+is called.
+
+Fixes: 2151fe0830fd ("bnxt_en: Handle RESET_NOTIFY async event from firmware.")
+Reviewed-by: Somnath Kotur <somnath.kotur@broadcom.com>
+Reviewed-by: Edwin Peer <edwin.peer@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c
+index a918e374f3c5..187ff643ad2a 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c
+@@ -479,16 +479,17 @@ struct bnxt_en_dev *bnxt_ulp_probe(struct net_device *dev)
+ if (!edev)
+ return ERR_PTR(-ENOMEM);
+ edev->en_ops = &bnxt_en_ops_tbl;
+- if (bp->flags & BNXT_FLAG_ROCEV1_CAP)
+- edev->flags |= BNXT_EN_FLAG_ROCEV1_CAP;
+- if (bp->flags & BNXT_FLAG_ROCEV2_CAP)
+- edev->flags |= BNXT_EN_FLAG_ROCEV2_CAP;
+ edev->net = dev;
+ edev->pdev = bp->pdev;
+ edev->l2_db_size = bp->db_size;
+ edev->l2_db_size_nc = bp->db_size;
+ bp->edev = edev;
+ }
++ edev->flags &= ~BNXT_EN_FLAG_ROCE_CAP;
++ if (bp->flags & BNXT_FLAG_ROCEV1_CAP)
++ edev->flags |= BNXT_EN_FLAG_ROCEV1_CAP;
++ if (bp->flags & BNXT_FLAG_ROCEV2_CAP)
++ edev->flags |= BNXT_EN_FLAG_ROCEV2_CAP;
+ return bp->edev;
+ }
+ EXPORT_SYMBOL(bnxt_ulp_probe);
+--
+2.30.2
+
--- /dev/null
+From 6ab90ea4a4c377f3ea00282ded5d551866fc7d06 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Jul 2021 15:36:30 -0400
+Subject: bnxt_en: Validate vlan protocol ID on RX packets
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+[ Upstream commit 96bdd4b9ea7ef9a12db8fdd0ce90e37dffbd3703 ]
+
+Only pass supported VLAN protocol IDs for stripped VLAN tags to the
+stack. The stack will hit WARN() if the protocol ID is unsupported.
+
+Existing firmware sets up the chip to strip 0x8100, 0x88a8, 0x9100.
+Only the 1st two protocols are supported by the kernel.
+
+Fixes: a196e96bb68f ("bnxt_en: clean up VLAN feature bit handling")
+Reviewed-by: Somnath Kotur <somnath.kotur@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index 49aca3289c00..be36dee65f90 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -1640,11 +1640,16 @@ static inline struct sk_buff *bnxt_tpa_end(struct bnxt *bp,
+
+ if ((tpa_info->flags2 & RX_CMP_FLAGS2_META_FORMAT_VLAN) &&
+ (skb->dev->features & BNXT_HW_FEATURE_VLAN_ALL_RX)) {
+- u16 vlan_proto = tpa_info->metadata >>
+- RX_CMP_FLAGS2_METADATA_TPID_SFT;
++ __be16 vlan_proto = htons(tpa_info->metadata >>
++ RX_CMP_FLAGS2_METADATA_TPID_SFT);
+ u16 vtag = tpa_info->metadata & RX_CMP_FLAGS2_METADATA_TCI_MASK;
+
+- __vlan_hwaccel_put_tag(skb, htons(vlan_proto), vtag);
++ if (eth_type_vlan(vlan_proto)) {
++ __vlan_hwaccel_put_tag(skb, vlan_proto, vtag);
++ } else {
++ dev_kfree_skb(skb);
++ return NULL;
++ }
+ }
+
+ skb_checksum_none_assert(skb);
+@@ -1865,9 +1870,15 @@ static int bnxt_rx_pkt(struct bnxt *bp, struct bnxt_cp_ring_info *cpr,
+ (skb->dev->features & BNXT_HW_FEATURE_VLAN_ALL_RX)) {
+ u32 meta_data = le32_to_cpu(rxcmp1->rx_cmp_meta_data);
+ u16 vtag = meta_data & RX_CMP_FLAGS2_METADATA_TCI_MASK;
+- u16 vlan_proto = meta_data >> RX_CMP_FLAGS2_METADATA_TPID_SFT;
++ __be16 vlan_proto = htons(meta_data >>
++ RX_CMP_FLAGS2_METADATA_TPID_SFT);
+
+- __vlan_hwaccel_put_tag(skb, htons(vlan_proto), vtag);
++ if (eth_type_vlan(vlan_proto)) {
++ __vlan_hwaccel_put_tag(skb, vlan_proto, vtag);
++ } else {
++ dev_kfree_skb(skb);
++ goto next_rx;
++ }
+ }
+
+ skb_checksum_none_assert(skb);
+--
+2.30.2
+
--- /dev/null
+From 7f73ad149ebc700705833f47a650d85987afb409 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Jul 2021 15:38:12 +0000
+Subject: bonding: Add struct bond_ipesc to manage SA
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit 9a5605505d9c7dbfdb89cc29a8f5fc5cf9fd2334 ]
+
+bonding has been supporting ipsec offload.
+When SA is added, bonding just passes SA to its own active real interface.
+But it doesn't manage SA.
+So, when events(add/del real interface, active real interface change, etc)
+occur, bonding can't handle that well because It doesn't manage SA.
+So some problems(panic, UAF, refcnt leak)occur.
+
+In order to make it stable, it should manage SA.
+That's the reason why struct bond_ipsec is added.
+When a new SA is added to bonding interface, it is stored in the
+bond_ipsec list. And the SA is passed to a current active real interface.
+If events occur, it uses bond_ipsec data to handle these events.
+bond->ipsec_list is protected by bond->ipsec_lock.
+
+If a current active real interface is changed, the following logic works.
+1. delete all SAs from old active real interface
+2. Add all SAs to the new active real interface.
+3. If a new active real interface doesn't support ipsec offload or SA's
+option, it sets real_dev to NULL.
+
+Fixes: 18cb261afd7b ("bonding: support hardware encryption offload to slaves")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 139 +++++++++++++++++++++++++++-----
+ include/net/bonding.h | 9 ++-
+ 2 files changed, 127 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index d85a19c06c69..3f67b4b794ac 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -401,6 +401,7 @@ static int bond_vlan_rx_kill_vid(struct net_device *bond_dev,
+ static int bond_ipsec_add_sa(struct xfrm_state *xs)
+ {
+ struct net_device *bond_dev = xs->xso.dev;
++ struct bond_ipsec *ipsec;
+ struct bonding *bond;
+ struct slave *slave;
+ int err;
+@@ -416,9 +417,6 @@ static int bond_ipsec_add_sa(struct xfrm_state *xs)
+ return -ENODEV;
+ }
+
+- xs->xso.real_dev = slave->dev;
+- bond->xs = xs;
+-
+ if (!slave->dev->xfrmdev_ops ||
+ !slave->dev->xfrmdev_ops->xdo_dev_state_add ||
+ netif_is_bond_master(slave->dev)) {
+@@ -427,11 +425,63 @@ static int bond_ipsec_add_sa(struct xfrm_state *xs)
+ return -EINVAL;
+ }
+
++ ipsec = kmalloc(sizeof(*ipsec), GFP_ATOMIC);
++ if (!ipsec) {
++ rcu_read_unlock();
++ return -ENOMEM;
++ }
++ xs->xso.real_dev = slave->dev;
++
+ err = slave->dev->xfrmdev_ops->xdo_dev_state_add(xs);
++ if (!err) {
++ ipsec->xs = xs;
++ INIT_LIST_HEAD(&ipsec->list);
++ spin_lock_bh(&bond->ipsec_lock);
++ list_add(&ipsec->list, &bond->ipsec_list);
++ spin_unlock_bh(&bond->ipsec_lock);
++ } else {
++ kfree(ipsec);
++ }
+ rcu_read_unlock();
+ return err;
+ }
+
++static void bond_ipsec_add_sa_all(struct bonding *bond)
++{
++ struct net_device *bond_dev = bond->dev;
++ struct bond_ipsec *ipsec;
++ struct slave *slave;
++
++ rcu_read_lock();
++ slave = rcu_dereference(bond->curr_active_slave);
++ if (!slave)
++ goto out;
++
++ if (!slave->dev->xfrmdev_ops ||
++ !slave->dev->xfrmdev_ops->xdo_dev_state_add ||
++ netif_is_bond_master(slave->dev)) {
++ spin_lock_bh(&bond->ipsec_lock);
++ if (!list_empty(&bond->ipsec_list))
++ slave_warn(bond_dev, slave->dev,
++ "%s: no slave xdo_dev_state_add\n",
++ __func__);
++ spin_unlock_bh(&bond->ipsec_lock);
++ goto out;
++ }
++
++ spin_lock_bh(&bond->ipsec_lock);
++ list_for_each_entry(ipsec, &bond->ipsec_list, list) {
++ ipsec->xs->xso.real_dev = slave->dev;
++ if (slave->dev->xfrmdev_ops->xdo_dev_state_add(ipsec->xs)) {
++ slave_warn(bond_dev, slave->dev, "%s: failed to add SA\n", __func__);
++ ipsec->xs->xso.real_dev = NULL;
++ }
++ }
++ spin_unlock_bh(&bond->ipsec_lock);
++out:
++ rcu_read_unlock();
++}
++
+ /**
+ * bond_ipsec_del_sa - clear out this specific SA
+ * @xs: pointer to transformer state struct
+@@ -439,6 +489,7 @@ static int bond_ipsec_add_sa(struct xfrm_state *xs)
+ static void bond_ipsec_del_sa(struct xfrm_state *xs)
+ {
+ struct net_device *bond_dev = xs->xso.dev;
++ struct bond_ipsec *ipsec;
+ struct bonding *bond;
+ struct slave *slave;
+
+@@ -452,7 +503,10 @@ static void bond_ipsec_del_sa(struct xfrm_state *xs)
+ if (!slave)
+ goto out;
+
+- xs->xso.real_dev = slave->dev;
++ if (!xs->xso.real_dev)
++ goto out;
++
++ WARN_ON(xs->xso.real_dev != slave->dev);
+
+ if (!slave->dev->xfrmdev_ops ||
+ !slave->dev->xfrmdev_ops->xdo_dev_state_delete ||
+@@ -463,6 +517,48 @@ static void bond_ipsec_del_sa(struct xfrm_state *xs)
+
+ slave->dev->xfrmdev_ops->xdo_dev_state_delete(xs);
+ out:
++ spin_lock_bh(&bond->ipsec_lock);
++ list_for_each_entry(ipsec, &bond->ipsec_list, list) {
++ if (ipsec->xs == xs) {
++ list_del(&ipsec->list);
++ kfree(ipsec);
++ break;
++ }
++ }
++ spin_unlock_bh(&bond->ipsec_lock);
++ rcu_read_unlock();
++}
++
++static void bond_ipsec_del_sa_all(struct bonding *bond)
++{
++ struct net_device *bond_dev = bond->dev;
++ struct bond_ipsec *ipsec;
++ struct slave *slave;
++
++ rcu_read_lock();
++ slave = rcu_dereference(bond->curr_active_slave);
++ if (!slave) {
++ rcu_read_unlock();
++ return;
++ }
++
++ spin_lock_bh(&bond->ipsec_lock);
++ list_for_each_entry(ipsec, &bond->ipsec_list, list) {
++ if (!ipsec->xs->xso.real_dev)
++ continue;
++
++ if (!slave->dev->xfrmdev_ops ||
++ !slave->dev->xfrmdev_ops->xdo_dev_state_delete ||
++ netif_is_bond_master(slave->dev)) {
++ slave_warn(bond_dev, slave->dev,
++ "%s: no slave xdo_dev_state_delete\n",
++ __func__);
++ } else {
++ slave->dev->xfrmdev_ops->xdo_dev_state_delete(ipsec->xs);
++ }
++ ipsec->xs->xso.real_dev = NULL;
++ }
++ spin_unlock_bh(&bond->ipsec_lock);
+ rcu_read_unlock();
+ }
+
+@@ -474,22 +570,27 @@ out:
+ static bool bond_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs)
+ {
+ struct net_device *bond_dev = xs->xso.dev;
+- struct bonding *bond = netdev_priv(bond_dev);
+- struct slave *curr_active = rcu_dereference(bond->curr_active_slave);
+- struct net_device *slave_dev = curr_active->dev;
++ struct net_device *real_dev;
++ struct slave *curr_active;
++ struct bonding *bond;
++
++ bond = netdev_priv(bond_dev);
++ curr_active = rcu_dereference(bond->curr_active_slave);
++ real_dev = curr_active->dev;
+
+ if (BOND_MODE(bond) != BOND_MODE_ACTIVEBACKUP)
+ return true;
+
+- if (!slave_dev->xfrmdev_ops ||
+- !slave_dev->xfrmdev_ops->xdo_dev_offload_ok ||
+- netif_is_bond_master(slave_dev)) {
+- slave_warn(bond_dev, slave_dev, "%s: no slave xdo_dev_offload_ok\n", __func__);
++ if (!xs->xso.real_dev)
++ return false;
++
++ if (!real_dev->xfrmdev_ops ||
++ !real_dev->xfrmdev_ops->xdo_dev_offload_ok ||
++ netif_is_bond_master(real_dev)) {
+ return false;
+ }
+
+- xs->xso.real_dev = slave_dev;
+- return slave_dev->xfrmdev_ops->xdo_dev_offload_ok(skb, xs);
++ return real_dev->xfrmdev_ops->xdo_dev_offload_ok(skb, xs);
+ }
+
+ static const struct xfrmdev_ops bond_xfrmdev_ops = {
+@@ -1006,8 +1107,7 @@ void bond_change_active_slave(struct bonding *bond, struct slave *new_active)
+ return;
+
+ #ifdef CONFIG_XFRM_OFFLOAD
+- if (old_active && bond->xs)
+- bond_ipsec_del_sa(bond->xs);
++ bond_ipsec_del_sa_all(bond);
+ #endif /* CONFIG_XFRM_OFFLOAD */
+
+ if (new_active) {
+@@ -1083,10 +1183,7 @@ void bond_change_active_slave(struct bonding *bond, struct slave *new_active)
+ }
+
+ #ifdef CONFIG_XFRM_OFFLOAD
+- if (new_active && bond->xs) {
+- xfrm_dev_state_flush(dev_net(bond->dev), bond->dev, true);
+- bond_ipsec_add_sa(bond->xs);
+- }
++ bond_ipsec_add_sa_all(bond);
+ #endif /* CONFIG_XFRM_OFFLOAD */
+
+ /* resend IGMP joins since active slave has changed or
+@@ -3335,6 +3432,7 @@ static int bond_master_netdev_event(unsigned long event,
+ return bond_event_changename(event_bond);
+ case NETDEV_UNREGISTER:
+ bond_remove_proc_entry(event_bond);
++ xfrm_dev_state_flush(dev_net(bond_dev), bond_dev, true);
+ break;
+ case NETDEV_REGISTER:
+ bond_create_proc_entry(event_bond);
+@@ -4898,7 +4996,8 @@ void bond_setup(struct net_device *bond_dev)
+ #ifdef CONFIG_XFRM_OFFLOAD
+ /* set up xfrm device ops (only supported in active-backup right now) */
+ bond_dev->xfrmdev_ops = &bond_xfrmdev_ops;
+- bond->xs = NULL;
++ INIT_LIST_HEAD(&bond->ipsec_list);
++ spin_lock_init(&bond->ipsec_lock);
+ #endif /* CONFIG_XFRM_OFFLOAD */
+
+ /* don't acquire bond device's netif_tx_lock when transmitting */
+diff --git a/include/net/bonding.h b/include/net/bonding.h
+index 019e998d944a..a02b19843819 100644
+--- a/include/net/bonding.h
++++ b/include/net/bonding.h
+@@ -201,6 +201,11 @@ struct bond_up_slave {
+ */
+ #define BOND_LINK_NOCHANGE -1
+
++struct bond_ipsec {
++ struct list_head list;
++ struct xfrm_state *xs;
++};
++
+ /*
+ * Here are the locking policies for the two bonding locks:
+ * Get rcu_read_lock when reading or RTNL when writing slave list.
+@@ -249,7 +254,9 @@ struct bonding {
+ #endif /* CONFIG_DEBUG_FS */
+ struct rtnl_link_stats64 bond_stats;
+ #ifdef CONFIG_XFRM_OFFLOAD
+- struct xfrm_state *xs;
++ struct list_head ipsec_list;
++ /* protecting ipsec_list */
++ spinlock_t ipsec_lock;
+ #endif /* CONFIG_XFRM_OFFLOAD */
+ };
+
+--
+2.30.2
+
--- /dev/null
+From cb788b4d12704756371d156e3814b2baab4829dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Jul 2021 15:38:11 +0000
+Subject: bonding: disallow setting nested bonding + ipsec offload
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit b121693381b112b78c076dea171ee113e237c0e4 ]
+
+bonding interface can be nested and it supports ipsec offload.
+So, it allows setting the nested bonding + ipsec scenario.
+But code does not support this scenario.
+So, it should be disallowed.
+
+interface graph:
+bond2
+ |
+bond1
+ |
+eth0
+
+The nested bonding + ipsec offload may not a real usecase.
+So, disallowing this scenario is fine.
+
+Fixes: 18cb261afd7b ("bonding: support hardware encryption offload to slaves")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index a7b6550063b2..d85a19c06c69 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -419,8 +419,9 @@ static int bond_ipsec_add_sa(struct xfrm_state *xs)
+ xs->xso.real_dev = slave->dev;
+ bond->xs = xs;
+
+- if (!(slave->dev->xfrmdev_ops
+- && slave->dev->xfrmdev_ops->xdo_dev_state_add)) {
++ if (!slave->dev->xfrmdev_ops ||
++ !slave->dev->xfrmdev_ops->xdo_dev_state_add ||
++ netif_is_bond_master(slave->dev)) {
+ slave_warn(bond_dev, slave->dev, "Slave does not support ipsec offload\n");
+ rcu_read_unlock();
+ return -EINVAL;
+@@ -453,8 +454,9 @@ static void bond_ipsec_del_sa(struct xfrm_state *xs)
+
+ xs->xso.real_dev = slave->dev;
+
+- if (!(slave->dev->xfrmdev_ops
+- && slave->dev->xfrmdev_ops->xdo_dev_state_delete)) {
++ if (!slave->dev->xfrmdev_ops ||
++ !slave->dev->xfrmdev_ops->xdo_dev_state_delete ||
++ netif_is_bond_master(slave->dev)) {
+ slave_warn(bond_dev, slave->dev, "%s: no slave xdo_dev_state_delete\n", __func__);
+ goto out;
+ }
+@@ -479,8 +481,9 @@ static bool bond_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs)
+ if (BOND_MODE(bond) != BOND_MODE_ACTIVEBACKUP)
+ return true;
+
+- if (!(slave_dev->xfrmdev_ops
+- && slave_dev->xfrmdev_ops->xdo_dev_offload_ok)) {
++ if (!slave_dev->xfrmdev_ops ||
++ !slave_dev->xfrmdev_ops->xdo_dev_offload_ok ||
++ netif_is_bond_master(slave_dev)) {
+ slave_warn(bond_dev, slave_dev, "%s: no slave xdo_dev_offload_ok\n", __func__);
+ return false;
+ }
+--
+2.30.2
+
--- /dev/null
+From 7ff106b0c11d0a819199e34289f700efbddf8455 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Jul 2021 15:38:14 +0000
+Subject: bonding: fix incorrect return value of bond_ipsec_offload_ok()
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit 168e696a36792a4a3b2525a06249e7472ef90186 ]
+
+bond_ipsec_offload_ok() is called to check whether the interface supports
+ipsec offload or not.
+bonding interface support ipsec offload only in active-backup mode.
+So, if a bond interface is not in active-backup mode, it should return
+false but it returns true.
+
+Fixes: a3b658cfb664 ("bonding: allow xfrm offload setup post-module-load")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index d267791a06c0..bf8ade982940 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -581,7 +581,7 @@ static bool bond_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs)
+ real_dev = curr_active->dev;
+
+ if (BOND_MODE(bond) != BOND_MODE_ACTIVEBACKUP) {
+- err = true;
++ err = false;
+ goto out;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From e0a044a0cefe6e1a505451eee2b02296397ce768 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Jul 2021 15:38:07 +0000
+Subject: bonding: fix null dereference in bond_ipsec_add_sa()
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit 105cd17a866017b45f3c45901b394c711c97bf40 ]
+
+If bond doesn't have real device, bond->curr_active_slave is null.
+But bond_ipsec_add_sa() dereferences bond->curr_active_slave without
+null checking.
+So, null-ptr-deref would occur.
+
+Test commands:
+ ip link add bond0 type bond
+ ip link set bond0 up
+ ip x s add proto esp dst 14.1.1.1 src 15.1.1.1 spi \
+0x07 mode transport reqid 0x07 replay-window 32 aead 'rfc4106(gcm(aes))' \
+0x44434241343332312423222114131211f4f3f2f1 128 sel src 14.0.0.52/24 \
+dst 14.0.0.70/24 proto tcp offload dev bond0 dir in
+
+Splat looks like:
+KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+CPU: 4 PID: 680 Comm: ip Not tainted 5.13.0-rc3+ #1168
+RIP: 0010:bond_ipsec_add_sa+0xc4/0x2e0 [bonding]
+Code: 85 21 02 00 00 4d 8b a6 48 0c 00 00 e8 75 58 44 ce 85 c0 0f 85 14
+01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02
+00 0f 85 fc 01 00 00 48 8d bb e0 02 00 00 4d 8b 2c 24 48
+RSP: 0018:ffff88810946f508 EFLAGS: 00010246
+RAX: dffffc0000000000 RBX: ffff88810b4e8040 RCX: 0000000000000001
+RDX: 0000000000000000 RSI: ffffffff8fe34280 RDI: ffff888115abe100
+RBP: ffff88810946f528 R08: 0000000000000003 R09: fffffbfff2287e11
+R10: 0000000000000001 R11: ffff888115abe0c8 R12: 0000000000000000
+R13: ffffffffc0aea9a0 R14: ffff88800d7d2000 R15: ffff88810b4e8330
+FS: 00007efc5552e680(0000) GS:ffff888119c00000(0000)
+knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 000055c2530dbf40 CR3: 0000000103056004 CR4: 00000000003706e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ xfrm_dev_state_add+0x2a9/0x770
+ ? memcpy+0x38/0x60
+ xfrm_add_sa+0x2278/0x3b10 [xfrm_user]
+ ? xfrm_get_policy+0xaa0/0xaa0 [xfrm_user]
+ ? register_lock_class+0x1750/0x1750
+ xfrm_user_rcv_msg+0x331/0x660 [xfrm_user]
+ ? rcu_read_lock_sched_held+0x91/0xc0
+ ? xfrm_user_state_lookup.constprop.39+0x320/0x320 [xfrm_user]
+ ? find_held_lock+0x3a/0x1c0
+ ? mutex_lock_io_nested+0x1210/0x1210
+ ? sched_clock_cpu+0x18/0x170
+ netlink_rcv_skb+0x121/0x350
+ ? xfrm_user_state_lookup.constprop.39+0x320/0x320 [xfrm_user]
+ ? netlink_ack+0x9d0/0x9d0
+ ? netlink_deliver_tap+0x17c/0xa50
+ xfrm_netlink_rcv+0x68/0x80 [xfrm_user]
+ netlink_unicast+0x41c/0x610
+ ? netlink_attachskb+0x710/0x710
+ netlink_sendmsg+0x6b9/0xb70
+[ ...]
+
+Fixes: 18cb261afd7b ("bonding: support hardware encryption offload to slaves")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 026f4511bf7b..24b33118105a 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -411,6 +411,11 @@ static int bond_ipsec_add_sa(struct xfrm_state *xs)
+ rcu_read_lock();
+ bond = netdev_priv(bond_dev);
+ slave = rcu_dereference(bond->curr_active_slave);
++ if (!slave) {
++ rcu_read_unlock();
++ return -ENODEV;
++ }
++
+ xs->xso.real_dev = slave->dev;
+ bond->xs = xs;
+
+--
+2.30.2
+
--- /dev/null
+From 135a5999c3b5c8f350ee70a65c5fafe11930da2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Jul 2021 15:38:06 +0000
+Subject: bonding: fix suspicious RCU usage in bond_ipsec_add_sa()
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit b648eba4c69e5819880b4907e7fcb2bb576069ab ]
+
+To dereference bond->curr_active_slave, it uses rcu_dereference().
+But it and the caller doesn't acquire RCU so a warning occurs.
+So add rcu_read_lock().
+
+Test commands:
+ ip link add dummy0 type dummy
+ ip link add bond0 type bond
+ ip link set dummy0 master bond0
+ ip link set dummy0 up
+ ip link set bond0 up
+ ip x s add proto esp dst 14.1.1.1 src 15.1.1.1 spi 0x07 \
+ mode transport \
+ reqid 0x07 replay-window 32 aead 'rfc4106(gcm(aes))' \
+ 0x44434241343332312423222114131211f4f3f2f1 128 sel \
+ src 14.0.0.52/24 dst 14.0.0.70/24 proto tcp offload \
+ dev bond0 dir in
+
+Splat looks like:
+=============================
+WARNING: suspicious RCU usage
+5.13.0-rc3+ #1168 Not tainted
+-----------------------------
+drivers/net/bonding/bond_main.c:411 suspicious rcu_dereference_check() usage!
+
+other info that might help us debug this:
+
+rcu_scheduler_active = 2, debug_locks = 1
+1 lock held by ip/684:
+ #0: ffffffff9a2757c0 (&net->xfrm.xfrm_cfg_mutex){+.+.}-{3:3},
+at: xfrm_netlink_rcv+0x59/0x80 [xfrm_user]
+ 55.191733][ T684] stack backtrace:
+CPU: 0 PID: 684 Comm: ip Not tainted 5.13.0-rc3+ #1168
+Call Trace:
+ dump_stack+0xa4/0xe5
+ bond_ipsec_add_sa+0x18c/0x1f0 [bonding]
+ xfrm_dev_state_add+0x2a9/0x770
+ ? memcpy+0x38/0x60
+ xfrm_add_sa+0x2278/0x3b10 [xfrm_user]
+ ? xfrm_get_policy+0xaa0/0xaa0 [xfrm_user]
+ ? register_lock_class+0x1750/0x1750
+ xfrm_user_rcv_msg+0x331/0x660 [xfrm_user]
+ ? rcu_read_lock_sched_held+0x91/0xc0
+ ? xfrm_user_state_lookup.constprop.39+0x320/0x320 [xfrm_user]
+ ? find_held_lock+0x3a/0x1c0
+ ? mutex_lock_io_nested+0x1210/0x1210
+ ? sched_clock_cpu+0x18/0x170
+ netlink_rcv_skb+0x121/0x350
+ ? xfrm_user_state_lookup.constprop.39+0x320/0x320 [xfrm_user]
+ ? netlink_ack+0x9d0/0x9d0
+ ? netlink_deliver_tap+0x17c/0xa50
+ xfrm_netlink_rcv+0x68/0x80 [xfrm_user]
+ netlink_unicast+0x41c/0x610
+ ? netlink_attachskb+0x710/0x710
+ netlink_sendmsg+0x6b9/0xb70
+[ ... ]
+
+Fixes: 18cb261afd7b ("bonding: support hardware encryption offload to slaves")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index c5a646d06102..026f4511bf7b 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -403,10 +403,12 @@ static int bond_ipsec_add_sa(struct xfrm_state *xs)
+ struct net_device *bond_dev = xs->xso.dev;
+ struct bonding *bond;
+ struct slave *slave;
++ int err;
+
+ if (!bond_dev)
+ return -EINVAL;
+
++ rcu_read_lock();
+ bond = netdev_priv(bond_dev);
+ slave = rcu_dereference(bond->curr_active_slave);
+ xs->xso.real_dev = slave->dev;
+@@ -415,10 +417,13 @@ static int bond_ipsec_add_sa(struct xfrm_state *xs)
+ if (!(slave->dev->xfrmdev_ops
+ && slave->dev->xfrmdev_ops->xdo_dev_state_add)) {
+ slave_warn(bond_dev, slave->dev, "Slave does not support ipsec offload\n");
++ rcu_read_unlock();
+ return -EINVAL;
+ }
+
+- return slave->dev->xfrmdev_ops->xdo_dev_state_add(xs);
++ err = slave->dev->xfrmdev_ops->xdo_dev_state_add(xs);
++ rcu_read_unlock();
++ return err;
+ }
+
+ /**
+--
+2.30.2
+
--- /dev/null
+From f41062b5a4253e1453928bee2390321bfb4033bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Jul 2021 15:38:10 +0000
+Subject: bonding: fix suspicious RCU usage in bond_ipsec_del_sa()
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit a22c39b831a081da9b2c488bd970a4412d926f30 ]
+
+To dereference bond->curr_active_slave, it uses rcu_dereference().
+But it and the caller doesn't acquire RCU so a warning occurs.
+So add rcu_read_lock().
+
+Test commands:
+ ip netns add A
+ ip netns exec A bash
+ modprobe netdevsim
+ echo "1 1" > /sys/bus/netdevsim/new_device
+ ip link add bond0 type bond
+ ip link set eth0 master bond0
+ ip link set eth0 up
+ ip link set bond0 up
+ ip x s add proto esp dst 14.1.1.1 src 15.1.1.1 spi 0x07 mode \
+transport reqid 0x07 replay-window 32 aead 'rfc4106(gcm(aes))' \
+0x44434241343332312423222114131211f4f3f2f1 128 sel src 14.0.0.52/24 \
+dst 14.0.0.70/24 proto tcp offload dev bond0 dir in
+ ip x s f
+
+Splat looks like:
+=============================
+WARNING: suspicious RCU usage
+5.13.0-rc3+ #1168 Not tainted
+-----------------------------
+drivers/net/bonding/bond_main.c:448 suspicious rcu_dereference_check()
+usage!
+
+other info that might help us debug this:
+
+rcu_scheduler_active = 2, debug_locks = 1
+2 locks held by ip/705:
+ #0: ffff888106701780 (&net->xfrm.xfrm_cfg_mutex){+.+.}-{3:3},
+at: xfrm_netlink_rcv+0x59/0x80 [xfrm_user]
+ #1: ffff8880075b0098 (&x->lock){+.-.}-{2:2},
+at: xfrm_state_delete+0x16/0x30
+
+stack backtrace:
+CPU: 6 PID: 705 Comm: ip Not tainted 5.13.0-rc3+ #1168
+Call Trace:
+ dump_stack+0xa4/0xe5
+ bond_ipsec_del_sa+0x16a/0x1c0 [bonding]
+ __xfrm_state_delete+0x51f/0x730
+ xfrm_state_delete+0x1e/0x30
+ xfrm_state_flush+0x22f/0x390
+ xfrm_flush_sa+0xd8/0x260 [xfrm_user]
+ ? xfrm_flush_policy+0x290/0x290 [xfrm_user]
+ xfrm_user_rcv_msg+0x331/0x660 [xfrm_user]
+ ? rcu_read_lock_sched_held+0x91/0xc0
+ ? xfrm_user_state_lookup.constprop.39+0x320/0x320 [xfrm_user]
+ ? find_held_lock+0x3a/0x1c0
+ ? mutex_lock_io_nested+0x1210/0x1210
+ ? sched_clock_cpu+0x18/0x170
+ netlink_rcv_skb+0x121/0x350
+[ ... ]
+
+Fixes: 18cb261afd7b ("bonding: support hardware encryption offload to slaves")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 24b33118105a..a7b6550063b2 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -444,21 +444,24 @@ static void bond_ipsec_del_sa(struct xfrm_state *xs)
+ if (!bond_dev)
+ return;
+
++ rcu_read_lock();
+ bond = netdev_priv(bond_dev);
+ slave = rcu_dereference(bond->curr_active_slave);
+
+ if (!slave)
+- return;
++ goto out;
+
+ xs->xso.real_dev = slave->dev;
+
+ if (!(slave->dev->xfrmdev_ops
+ && slave->dev->xfrmdev_ops->xdo_dev_state_delete)) {
+ slave_warn(bond_dev, slave->dev, "%s: no slave xdo_dev_state_delete\n", __func__);
+- return;
++ goto out;
+ }
+
+ slave->dev->xfrmdev_ops->xdo_dev_state_delete(xs);
++out:
++ rcu_read_unlock();
+ }
+
+ /**
+--
+2.30.2
+
--- /dev/null
+From d7145013c4c46dcaf9fe414cafd3f531dbfa7166 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Jul 2021 15:38:13 +0000
+Subject: bonding: fix suspicious RCU usage in bond_ipsec_offload_ok()
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit 955b785ec6b3b2f9b91914d6eeac8ee66ee29239 ]
+
+To dereference bond->curr_active_slave, it uses rcu_dereference().
+But it and the caller doesn't acquire RCU so a warning occurs.
+So add rcu_read_lock().
+
+Splat looks like:
+WARNING: suspicious RCU usage
+5.13.0-rc6+ #1179 Not tainted
+drivers/net/bonding/bond_main.c:571 suspicious
+rcu_dereference_check() usage!
+
+other info that might help us debug this:
+
+rcu_scheduler_active = 2, debug_locks = 1
+1 lock held by ping/974:
+ #0: ffff888109e7db70 (sk_lock-AF_INET){+.+.}-{0:0},
+at: raw_sendmsg+0x1303/0x2cb0
+
+stack backtrace:
+CPU: 2 PID: 974 Comm: ping Not tainted 5.13.0-rc6+ #1179
+Call Trace:
+ dump_stack+0xa4/0xe5
+ bond_ipsec_offload_ok+0x1f4/0x260 [bonding]
+ xfrm_output+0x179/0x890
+ xfrm4_output+0xfa/0x410
+ ? __xfrm4_output+0x4b0/0x4b0
+ ? __ip_make_skb+0xecc/0x2030
+ ? xfrm4_udp_encap_rcv+0x800/0x800
+ ? ip_local_out+0x21/0x3a0
+ ip_send_skb+0x37/0xa0
+ raw_sendmsg+0x1bfd/0x2cb0
+
+Fixes: 18cb261afd7b ("bonding: support hardware encryption offload to slaves")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 22 ++++++++++++++++------
+ 1 file changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 3f67b4b794ac..d267791a06c0 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -573,24 +573,34 @@ static bool bond_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs)
+ struct net_device *real_dev;
+ struct slave *curr_active;
+ struct bonding *bond;
++ int err;
+
+ bond = netdev_priv(bond_dev);
++ rcu_read_lock();
+ curr_active = rcu_dereference(bond->curr_active_slave);
+ real_dev = curr_active->dev;
+
+- if (BOND_MODE(bond) != BOND_MODE_ACTIVEBACKUP)
+- return true;
++ if (BOND_MODE(bond) != BOND_MODE_ACTIVEBACKUP) {
++ err = true;
++ goto out;
++ }
+
+- if (!xs->xso.real_dev)
+- return false;
++ if (!xs->xso.real_dev) {
++ err = false;
++ goto out;
++ }
+
+ if (!real_dev->xfrmdev_ops ||
+ !real_dev->xfrmdev_ops->xdo_dev_offload_ok ||
+ netif_is_bond_master(real_dev)) {
+- return false;
++ err = false;
++ goto out;
+ }
+
+- return real_dev->xfrmdev_ops->xdo_dev_offload_ok(skb, xs);
++ err = real_dev->xfrmdev_ops->xdo_dev_offload_ok(skb, xs);
++out:
++ rcu_read_unlock();
++ return err;
+ }
+
+ static const struct xfrmdev_ops bond_xfrmdev_ops = {
+--
+2.30.2
+
--- /dev/null
+From b830546e1f87a341595762df9be000f2c4207e4f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jul 2021 22:57:35 +0200
+Subject: bpf: Fix tail_call_reachable rejection for interpreter when jit
+ failed
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit 5dd0a6b8582ffbfa88351949d50eccd5b6694ade ]
+
+During testing of f263a81451c1 ("bpf: Track subprog poke descriptors correctly
+and fix use-after-free") under various failure conditions, for example, when
+jit_subprogs() fails and tries to clean up the program to be run under the
+interpreter, we ran into the following freeze:
+
+ [...]
+ #127/8 tailcall_bpf2bpf_3:FAIL
+ [...]
+ [ 92.041251] BUG: KASAN: slab-out-of-bounds in ___bpf_prog_run+0x1b9d/0x2e20
+ [ 92.042408] Read of size 8 at addr ffff88800da67f68 by task test_progs/682
+ [ 92.043707]
+ [ 92.044030] CPU: 1 PID: 682 Comm: test_progs Tainted: G O 5.13.0-53301-ge6c08cb33a30-dirty #87
+ [ 92.045542] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014
+ [ 92.046785] Call Trace:
+ [ 92.047171] ? __bpf_prog_run_args64+0xc0/0xc0
+ [ 92.047773] ? __bpf_prog_run_args32+0x8b/0xb0
+ [ 92.048389] ? __bpf_prog_run_args64+0xc0/0xc0
+ [ 92.049019] ? ktime_get+0x117/0x130
+ [...] // few hundred [similar] lines more
+ [ 92.659025] ? ktime_get+0x117/0x130
+ [ 92.659845] ? __bpf_prog_run_args64+0xc0/0xc0
+ [ 92.660738] ? __bpf_prog_run_args32+0x8b/0xb0
+ [ 92.661528] ? __bpf_prog_run_args64+0xc0/0xc0
+ [ 92.662378] ? print_usage_bug+0x50/0x50
+ [ 92.663221] ? print_usage_bug+0x50/0x50
+ [ 92.664077] ? bpf_ksym_find+0x9c/0xe0
+ [ 92.664887] ? ktime_get+0x117/0x130
+ [ 92.665624] ? kernel_text_address+0xf5/0x100
+ [ 92.666529] ? __kernel_text_address+0xe/0x30
+ [ 92.667725] ? unwind_get_return_address+0x2f/0x50
+ [ 92.668854] ? ___bpf_prog_run+0x15d4/0x2e20
+ [ 92.670185] ? ktime_get+0x117/0x130
+ [ 92.671130] ? __bpf_prog_run_args64+0xc0/0xc0
+ [ 92.672020] ? __bpf_prog_run_args32+0x8b/0xb0
+ [ 92.672860] ? __bpf_prog_run_args64+0xc0/0xc0
+ [ 92.675159] ? ktime_get+0x117/0x130
+ [ 92.677074] ? lock_is_held_type+0xd5/0x130
+ [ 92.678662] ? ___bpf_prog_run+0x15d4/0x2e20
+ [ 92.680046] ? ktime_get+0x117/0x130
+ [ 92.681285] ? __bpf_prog_run32+0x6b/0x90
+ [ 92.682601] ? __bpf_prog_run64+0x90/0x90
+ [ 92.683636] ? lock_downgrade+0x370/0x370
+ [ 92.684647] ? mark_held_locks+0x44/0x90
+ [ 92.685652] ? ktime_get+0x117/0x130
+ [ 92.686752] ? lockdep_hardirqs_on+0x79/0x100
+ [ 92.688004] ? ktime_get+0x117/0x130
+ [ 92.688573] ? __cant_migrate+0x2b/0x80
+ [ 92.689192] ? bpf_test_run+0x2f4/0x510
+ [ 92.689869] ? bpf_test_timer_continue+0x1c0/0x1c0
+ [ 92.690856] ? rcu_read_lock_bh_held+0x90/0x90
+ [ 92.691506] ? __kasan_slab_alloc+0x61/0x80
+ [ 92.692128] ? eth_type_trans+0x128/0x240
+ [ 92.692737] ? __build_skb+0x46/0x50
+ [ 92.693252] ? bpf_prog_test_run_skb+0x65e/0xc50
+ [ 92.693954] ? bpf_prog_test_run_raw_tp+0x2d0/0x2d0
+ [ 92.694639] ? __fget_light+0xa1/0x100
+ [ 92.695162] ? bpf_prog_inc+0x23/0x30
+ [ 92.695685] ? __sys_bpf+0xb40/0x2c80
+ [ 92.696324] ? bpf_link_get_from_fd+0x90/0x90
+ [ 92.697150] ? mark_held_locks+0x24/0x90
+ [ 92.698007] ? lockdep_hardirqs_on_prepare+0x124/0x220
+ [ 92.699045] ? finish_task_switch+0xe6/0x370
+ [ 92.700072] ? lockdep_hardirqs_on+0x79/0x100
+ [ 92.701233] ? finish_task_switch+0x11d/0x370
+ [ 92.702264] ? __switch_to+0x2c0/0x740
+ [ 92.703148] ? mark_held_locks+0x24/0x90
+ [ 92.704155] ? __x64_sys_bpf+0x45/0x50
+ [ 92.705146] ? do_syscall_64+0x35/0x80
+ [ 92.706953] ? entry_SYSCALL_64_after_hwframe+0x44/0xae
+ [...]
+
+Turns out that the program rejection from e411901c0b77 ("bpf: allow for tailcalls
+in BPF subprograms for x64 JIT") is buggy since env->prog->aux->tail_call_reachable
+is never true. Commit ebf7d1f508a7 ("bpf, x64: rework pro/epilogue and tailcall
+handling in JIT") added a tracker into check_max_stack_depth() which propagates
+the tail_call_reachable condition throughout the subprograms. This info is then
+assigned to the subprogram's func[i]->aux->tail_call_reachable. However, in the
+case of the rejection check upon JIT failure, env->prog->aux->tail_call_reachable
+is used. func[0]->aux->tail_call_reachable which represents the main program's
+information did not propagate this to the outer env->prog->aux, though. Add this
+propagation into check_max_stack_depth() where it needs to belong so that the
+check can be done reliably.
+
+Fixes: ebf7d1f508a7 ("bpf, x64: rework pro/epilogue and tailcall handling in JIT")
+Fixes: e411901c0b77 ("bpf: allow for tailcalls in BPF subprograms for x64 JIT")
+Co-developed-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Link: https://lore.kernel.org/bpf/618c34e3163ad1a36b1e82377576a6081e182f25.1626123173.git.daniel@iogearbox.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index d8a6fcd28e39..e6db39a00de2 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -3675,6 +3675,8 @@ continue_func:
+ if (tail_call_reachable)
+ for (j = 0; j < frame; j++)
+ subprog[ret_prog[j]].tail_call_reachable = true;
++ if (subprog[0].tail_call_reachable)
++ env->prog->aux->tail_call_reachable = true;
+
+ /* end of for() loop means the last insn of the 'subprog'
+ * was reached. Doesn't matter whether it was JA or EXIT
+--
+2.30.2
+
--- /dev/null
+From 854b37b81b47443208c75ba7c3775fd49d335344 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Jun 2021 17:18:15 +0800
+Subject: bpf, samples: Fix xdpsock with '-M' parameter missing unload process
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit 2620e92ae6ed83260eb46d214554cd308ee35d92 ]
+
+Execute the following command and exit, then execute it again, the following
+error will be reported:
+
+ $ sudo ./samples/bpf/xdpsock -i ens4f2 -M
+ ^C
+ $ sudo ./samples/bpf/xdpsock -i ens4f2 -M
+ libbpf: elf: skipping unrecognized data section(16) .eh_frame
+ libbpf: elf: skipping relo section(17) .rel.eh_frame for section(16) .eh_frame
+ libbpf: Kernel error message: XDP program already attached
+ ERROR: link set xdp fd failed
+
+Commit c9d27c9e8dc7 ("samples: bpf: Do not unload prog within xdpsock") removed
+the unloading prog code because of the presence of bpf_link. This is fine if
+XDP_SHARED_UMEM is disabled, but if it is enabled, unloading the prog is still
+needed.
+
+Fixes: c9d27c9e8dc7 ("samples: bpf: Do not unload prog within xdpsock")
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Magnus Karlsson <magnus.karlsson@intel.com>
+Cc: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Link: https://lore.kernel.org/bpf/20210628091815.2373487-1-wanghai38@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ samples/bpf/xdpsock_user.c | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+diff --git a/samples/bpf/xdpsock_user.c b/samples/bpf/xdpsock_user.c
+index 53e300f860bb..33d0bdebbed8 100644
+--- a/samples/bpf/xdpsock_user.c
++++ b/samples/bpf/xdpsock_user.c
+@@ -96,6 +96,7 @@ static int opt_xsk_frame_size = XSK_UMEM__DEFAULT_FRAME_SIZE;
+ static int opt_timeout = 1000;
+ static bool opt_need_wakeup = true;
+ static u32 opt_num_xsks = 1;
++static u32 prog_id;
+ static bool opt_busy_poll;
+ static bool opt_reduced_cap;
+
+@@ -461,6 +462,23 @@ static void *poller(void *arg)
+ return NULL;
+ }
+
++static void remove_xdp_program(void)
++{
++ u32 curr_prog_id = 0;
++
++ if (bpf_get_link_xdp_id(opt_ifindex, &curr_prog_id, opt_xdp_flags)) {
++ printf("bpf_get_link_xdp_id failed\n");
++ exit(EXIT_FAILURE);
++ }
++
++ if (prog_id == curr_prog_id)
++ bpf_set_link_xdp_fd(opt_ifindex, -1, opt_xdp_flags);
++ else if (!curr_prog_id)
++ printf("couldn't find a prog id on a given interface\n");
++ else
++ printf("program on interface changed, not removing\n");
++}
++
+ static void int_exit(int sig)
+ {
+ benchmark_done = true;
+@@ -471,6 +489,9 @@ static void __exit_with_error(int error, const char *file, const char *func,
+ {
+ fprintf(stderr, "%s:%s:%i: errno: %d/\"%s\"\n", file, func,
+ line, error, strerror(error));
++
++ if (opt_num_xsks > 1)
++ remove_xdp_program();
+ exit(EXIT_FAILURE);
+ }
+
+@@ -490,6 +511,9 @@ static void xdpsock_cleanup(void)
+ if (write(sock, &cmd, sizeof(int)) < 0)
+ exit_with_error(errno);
+ }
++
++ if (opt_num_xsks > 1)
++ remove_xdp_program();
+ }
+
+ static void swap_mac_addresses(void *data)
+@@ -857,6 +881,10 @@ static struct xsk_socket_info *xsk_configure_socket(struct xsk_umem_info *umem,
+ if (ret)
+ exit_with_error(-ret);
+
++ ret = bpf_get_link_xdp_id(opt_ifindex, &prog_id, opt_xdp_flags);
++ if (ret)
++ exit_with_error(-ret);
++
+ xsk->app_stats.rx_empty_polls = 0;
+ xsk->app_stats.fill_fail_polls = 0;
+ xsk->app_stats.copy_tx_sendtos = 0;
+--
+2.30.2
+
--- /dev/null
+From 485b2e483d41e1673bb507e0a6549b821c9f7a22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jul 2021 12:55:45 -0700
+Subject: bpf, sockmap: Fix potential memory leak on unlikely error case
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+[ Upstream commit 7e6b27a69167f97c56b5437871d29e9722c3e470 ]
+
+If skb_linearize is needed and fails we could leak a msg on the error
+handling. To fix ensure we kfree the msg block before returning error.
+Found during code review.
+
+Fixes: 4363023d2668e ("bpf, sockmap: Avoid failures from skb_to_sgvec when skb has frag_list")
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Cong Wang <cong.wang@bytedance.com>
+Link: https://lore.kernel.org/bpf/20210712195546.423990-2-john.fastabend@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/skmsg.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/net/core/skmsg.c b/net/core/skmsg.c
+index 539c83a45665..b2410a1bfa23 100644
+--- a/net/core/skmsg.c
++++ b/net/core/skmsg.c
+@@ -531,10 +531,8 @@ static int sk_psock_skb_ingress_enqueue(struct sk_buff *skb,
+ if (skb_linearize(skb))
+ return -EAGAIN;
+ num_sge = skb_to_sgvec(skb, msg->sg.data, 0, skb->len);
+- if (unlikely(num_sge < 0)) {
+- kfree(msg);
++ if (unlikely(num_sge < 0))
+ return num_sge;
+- }
+
+ copied = skb->len;
+ msg->sg.start = 0;
+@@ -553,6 +551,7 @@ static int sk_psock_skb_ingress(struct sk_psock *psock, struct sk_buff *skb)
+ {
+ struct sock *sk = psock->sk;
+ struct sk_msg *msg;
++ int err;
+
+ /* If we are receiving on the same sock skb->sk is already assigned,
+ * skip memory accounting and owner transition seeing it already set
+@@ -571,7 +570,10 @@ static int sk_psock_skb_ingress(struct sk_psock *psock, struct sk_buff *skb)
+ * into user buffers.
+ */
+ skb_set_owner_r(skb, sk);
+- return sk_psock_skb_ingress_enqueue(skb, psock, sk, msg);
++ err = sk_psock_skb_ingress_enqueue(skb, psock, sk, msg);
++ if (err < 0)
++ kfree(msg);
++ return err;
+ }
+
+ /* Puts an skb on the ingress queue of the socket already assigned to the
+@@ -582,12 +584,16 @@ static int sk_psock_skb_ingress_self(struct sk_psock *psock, struct sk_buff *skb
+ {
+ struct sk_msg *msg = kzalloc(sizeof(*msg), __GFP_NOWARN | GFP_ATOMIC);
+ struct sock *sk = psock->sk;
++ int err;
+
+ if (unlikely(!msg))
+ return -EAGAIN;
+ sk_msg_init(msg);
+ skb_set_owner_r(skb, sk);
+- return sk_psock_skb_ingress_enqueue(skb, psock, sk, msg);
++ err = sk_psock_skb_ingress_enqueue(skb, psock, sk, msg);
++ if (err < 0)
++ kfree(msg);
++ return err;
+ }
+
+ static int sk_psock_handle_skb(struct sk_psock *psock, struct sk_buff *skb,
+--
+2.30.2
+
--- /dev/null
+From 5a33683654f4c64bd45012c99faa8eb364f6b134 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jul 2021 12:55:46 -0700
+Subject: bpf, sockmap, tcp: sk_prot needs inuse_idx set for proc stats
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+[ Upstream commit 228a4a7ba8e99bb9ef980b62f71e3be33f4aae69 ]
+
+The proc socket stats use sk_prot->inuse_idx value to record inuse sock
+stats. We currently do not set this correctly from sockmap side. The
+result is reading sock stats '/proc/net/sockstat' gives incorrect values.
+The socket counter is incremented correctly, but because we don't set the
+counter correctly when we replace sk_prot we may omit the decrement.
+
+To get the correct inuse_idx value move the core_initcall that initializes
+the TCP proto handlers to late_initcall. This way it is initialized after
+TCP has the chance to assign the inuse_idx value from the register protocol
+handler.
+
+Fixes: 604326b41a6fb ("bpf, sockmap: convert to generic sk_msg interface")
+Suggested-by: Jakub Sitnicki <jakub@cloudflare.com>
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Cong Wang <cong.wang@bytedance.com>
+Link: https://lore.kernel.org/bpf/20210712195546.423990-3-john.fastabend@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_bpf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c
+index ad9d17923fc5..b65201ba4d93 100644
+--- a/net/ipv4/tcp_bpf.c
++++ b/net/ipv4/tcp_bpf.c
+@@ -486,7 +486,7 @@ static int __init tcp_bpf_v4_build_proto(void)
+ tcp_bpf_rebuild_protos(tcp_bpf_prots[TCP_BPF_IPV4], &tcp_prot);
+ return 0;
+ }
+-core_initcall(tcp_bpf_v4_build_proto);
++late_initcall(tcp_bpf_v4_build_proto);
+
+ static int tcp_bpf_assert_proto_ops(struct proto *ops)
+ {
+--
+2.30.2
+
--- /dev/null
+From b042033226704e98bb329fc39a0fa76859e74dd5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jul 2021 17:47:50 +0200
+Subject: bpf, sockmap, udp: sk_prot needs inuse_idx set for proc stats
+
+From: Jakub Sitnicki <jakub@cloudflare.com>
+
+[ Upstream commit 54ea2f49fd9400dd698c25450be3352b5613b3b4 ]
+
+The proc socket stats use sk_prot->inuse_idx value to record inuse sock
+stats. We currently do not set this correctly from sockmap side. The
+result is reading sock stats '/proc/net/sockstat' gives incorrect values.
+The socket counter is incremented correctly, but because we don't set the
+counter correctly when we replace sk_prot we may omit the decrement.
+
+To get the correct inuse_idx value move the core_initcall that initializes
+the UDP proto handlers to late_initcall. This way it is initialized after
+UDP has the chance to assign the inuse_idx value from the register protocol
+handler.
+
+Fixes: edc6741cc660 ("bpf: Add sockmap hooks for UDP sockets")
+Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Cong Wang <cong.wang@bytedance.com>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Link: https://lore.kernel.org/bpf/20210714154750.528206-1-jakub@cloudflare.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/udp_bpf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/udp_bpf.c b/net/ipv4/udp_bpf.c
+index 954c4591a6fd..725b6df4b2a2 100644
+--- a/net/ipv4/udp_bpf.c
++++ b/net/ipv4/udp_bpf.c
+@@ -101,7 +101,7 @@ static int __init udp_bpf_v4_build_proto(void)
+ udp_bpf_rebuild_protos(&udp_bpf_prots[UDP_BPF_IPV4], &udp_prot);
+ return 0;
+ }
+-core_initcall(udp_bpf_v4_build_proto);
++late_initcall(udp_bpf_v4_build_proto);
+
+ int udp_bpf_update_proto(struct sock *sk, struct sk_psock *psock, bool restore)
+ {
+--
+2.30.2
+
--- /dev/null
+From 8164192e5497d59ca2481e657ff75310ee2b7f9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jul 2021 16:04:09 +0800
+Subject: bpf, test: fix NULL pointer dereference on invalid
+ expected_attach_type
+
+From: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
+
+[ Upstream commit 5e21bb4e812566aef86fbb77c96a4ec0782286e4 ]
+
+These two types of XDP progs (BPF_XDP_DEVMAP, BPF_XDP_CPUMAP) will not be
+executed directly in the driver, therefore we should also not directly
+run them from here. To run in these two situations, there must be further
+preparations done, otherwise these may cause a kernel panic.
+
+For more details, see also dev_xdp_attach().
+
+ [ 46.982479] BUG: kernel NULL pointer dereference, address: 0000000000000000
+ [ 46.984295] #PF: supervisor read access in kernel mode
+ [ 46.985777] #PF: error_code(0x0000) - not-present page
+ [ 46.987227] PGD 800000010dca4067 P4D 800000010dca4067 PUD 10dca6067 PMD 0
+ [ 46.989201] Oops: 0000 [#1] SMP PTI
+ [ 46.990304] CPU: 7 PID: 562 Comm: a.out Not tainted 5.13.0+ #44
+ [ 46.992001] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/24
+ [ 46.995113] RIP: 0010:___bpf_prog_run+0x17b/0x1710
+ [ 46.996586] Code: 49 03 14 cc e8 76 f6 fe ff e9 ad fe ff ff 0f b6 43 01 48 0f bf 4b 02 48 83 c3 08 89 c2 83 e0 0f c0 ea 04 02
+ [ 47.001562] RSP: 0018:ffffc900005afc58 EFLAGS: 00010246
+ [ 47.003115] RAX: 0000000000000000 RBX: ffffc9000023f068 RCX: 0000000000000000
+ [ 47.005163] RDX: 0000000000000000 RSI: 0000000000000079 RDI: ffffc900005afc98
+ [ 47.007135] RBP: 0000000000000000 R08: ffffc9000023f048 R09: c0000000ffffdfff
+ [ 47.009171] R10: 0000000000000001 R11: ffffc900005afb40 R12: ffffc900005afc98
+ [ 47.011172] R13: 0000000000000001 R14: 0000000000000001 R15: ffffffff825258a8
+ [ 47.013244] FS: 00007f04a5207580(0000) GS:ffff88842fdc0000(0000) knlGS:0000000000000000
+ [ 47.015705] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [ 47.017475] CR2: 0000000000000000 CR3: 0000000100182005 CR4: 0000000000770ee0
+ [ 47.019558] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ [ 47.021595] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ [ 47.023574] PKRU: 55555554
+ [ 47.024571] Call Trace:
+ [ 47.025424] __bpf_prog_run32+0x32/0x50
+ [ 47.026296] ? printk+0x53/0x6a
+ [ 47.027066] ? ktime_get+0x39/0x90
+ [ 47.027895] bpf_test_run.cold.28+0x23/0x123
+ [ 47.028866] ? printk+0x53/0x6a
+ [ 47.029630] bpf_prog_test_run_xdp+0x149/0x1d0
+ [ 47.030649] __sys_bpf+0x1305/0x23d0
+ [ 47.031482] __x64_sys_bpf+0x17/0x20
+ [ 47.032316] do_syscall_64+0x3a/0x80
+ [ 47.033165] entry_SYSCALL_64_after_hwframe+0x44/0xae
+ [ 47.034254] RIP: 0033:0x7f04a51364dd
+ [ 47.035133] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 48
+ [ 47.038768] RSP: 002b:00007fff8f9fc518 EFLAGS: 00000213 ORIG_RAX: 0000000000000141
+ [ 47.040344] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f04a51364dd
+ [ 47.041749] RDX: 0000000000000048 RSI: 0000000020002a80 RDI: 000000000000000a
+ [ 47.043171] RBP: 00007fff8f9fc530 R08: 0000000002049300 R09: 0000000020000100
+ [ 47.044626] R10: 0000000000000004 R11: 0000000000000213 R12: 0000000000401070
+ [ 47.046088] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+ [ 47.047579] Modules linked in:
+ [ 47.048318] CR2: 0000000000000000
+ [ 47.049120] ---[ end trace 7ad34443d5be719a ]---
+ [ 47.050273] RIP: 0010:___bpf_prog_run+0x17b/0x1710
+ [ 47.051343] Code: 49 03 14 cc e8 76 f6 fe ff e9 ad fe ff ff 0f b6 43 01 48 0f bf 4b 02 48 83 c3 08 89 c2 83 e0 0f c0 ea 04 02
+ [ 47.054943] RSP: 0018:ffffc900005afc58 EFLAGS: 00010246
+ [ 47.056068] RAX: 0000000000000000 RBX: ffffc9000023f068 RCX: 0000000000000000
+ [ 47.057522] RDX: 0000000000000000 RSI: 0000000000000079 RDI: ffffc900005afc98
+ [ 47.058961] RBP: 0000000000000000 R08: ffffc9000023f048 R09: c0000000ffffdfff
+ [ 47.060390] R10: 0000000000000001 R11: ffffc900005afb40 R12: ffffc900005afc98
+ [ 47.061803] R13: 0000000000000001 R14: 0000000000000001 R15: ffffffff825258a8
+ [ 47.063249] FS: 00007f04a5207580(0000) GS:ffff88842fdc0000(0000) knlGS:0000000000000000
+ [ 47.065070] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [ 47.066307] CR2: 0000000000000000 CR3: 0000000100182005 CR4: 0000000000770ee0
+ [ 47.067747] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ [ 47.069217] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ [ 47.070652] PKRU: 55555554
+ [ 47.071318] Kernel panic - not syncing: Fatal exception
+ [ 47.072854] Kernel Offset: disabled
+ [ 47.073683] ---[ end Kernel panic - not syncing: Fatal exception ]---
+
+Fixes: 9216477449f3 ("bpf: cpumap: Add the possibility to attach an eBPF program to cpumap")
+Fixes: fbee97feed9b ("bpf: Add support to attach bpf program to a devmap entry")
+Reported-by: Abaci <abaci@linux.alibaba.com>
+Signed-off-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Dust Li <dust.li@linux.alibaba.com>
+Acked-by: Jesper Dangaard Brouer <brouer@redhat.com>
+Acked-by: David Ahern <dsahern@kernel.org>
+Acked-by: Song Liu <songliubraving@fb.com>
+Link: https://lore.kernel.org/bpf/20210708080409.73525-1-xuanzhuo@linux.alibaba.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bpf/test_run.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
+index a5d72c48fb66..28ac3c96fa88 100644
+--- a/net/bpf/test_run.c
++++ b/net/bpf/test_run.c
+@@ -701,6 +701,9 @@ int bpf_prog_test_run_xdp(struct bpf_prog *prog, const union bpf_attr *kattr,
+ void *data;
+ int ret;
+
++ if (prog->expected_attach_type == BPF_XDP_DEVMAP ||
++ prog->expected_attach_type == BPF_XDP_CPUMAP)
++ return -EINVAL;
+ if (kattr->test.ctx_in || kattr->test.ctx_out)
+ return -EINVAL;
+
+--
+2.30.2
+
--- /dev/null
+From cb54a0b4c56ea4f82cb0c958b34a5806d2815a00 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 13:06:09 +0200
+Subject: bpftool: Check malloc return value in mount_bpffs_for_pin
+
+From: Tobias Klauser <tklauser@distanz.ch>
+
+[ Upstream commit d444b06e40855219ef38b5e9286db16d435f06dc ]
+
+Fix and add a missing NULL check for the prior malloc() call.
+
+Fixes: 49a086c201a9 ("bpftool: implement prog load command")
+Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Quentin Monnet <quentin@isovalent.com>
+Acked-by: Roman Gushchin <guro@fb.com>
+Link: https://lore.kernel.org/bpf/20210715110609.29364-1-tklauser@distanz.ch
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/bpf/bpftool/common.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/tools/bpf/bpftool/common.c b/tools/bpf/bpftool/common.c
+index 1828bba19020..dc6daa193557 100644
+--- a/tools/bpf/bpftool/common.c
++++ b/tools/bpf/bpftool/common.c
+@@ -222,6 +222,11 @@ int mount_bpffs_for_pin(const char *name)
+ int err = 0;
+
+ file = malloc(strlen(name) + 1);
++ if (!file) {
++ p_err("mem alloc failed");
++ return -1;
++ }
++
+ strcpy(file, name);
+ dir = dirname(file);
+
+--
+2.30.2
+
--- /dev/null
+From d1b58f35cce20485e1ff1521ecc0a6f710f55e9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 14:40:39 +0100
+Subject: ceph: don't WARN if we're still opening a session to an MDS
+
+From: Luis Henriques <lhenriques@suse.de>
+
+[ Upstream commit cdb330f4b41ab55feb35487729e883c9e08b8a54 ]
+
+If MDSs aren't available while mounting a filesystem, the session state
+will transition from SESSION_OPENING to SESSION_CLOSING. And in that
+scenario check_session_state() will be called from delayed_work() and
+trigger this WARN.
+
+Avoid this by only WARNing after a session has already been established
+(i.e., the s_ttl will be different from 0).
+
+Fixes: 62575e270f66 ("ceph: check session state after bumping session->s_seq")
+Signed-off-by: Luis Henriques <lhenriques@suse.de>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ceph/mds_client.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
+index e5af591d3bd4..86f09b1110a2 100644
+--- a/fs/ceph/mds_client.c
++++ b/fs/ceph/mds_client.c
+@@ -4468,7 +4468,7 @@ bool check_session_state(struct ceph_mds_session *s)
+ break;
+ case CEPH_MDS_SESSION_CLOSING:
+ /* Should never reach this when we're unmounting */
+- WARN_ON_ONCE(true);
++ WARN_ON_ONCE(s->s_ttl);
+ fallthrough;
+ case CEPH_MDS_SESSION_NEW:
+ case CEPH_MDS_SESSION_RESTARTING:
+--
+2.30.2
+
--- /dev/null
+From fbd932a6124b49cb6d8fc4554f883d3b0af04760 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Jul 2021 11:21:24 +1000
+Subject: cifs: fix fallocate when trying to allocate a hole.
+
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+
+[ Upstream commit 488968a8945c119859d91bb6a8dc13bf50002f15 ]
+
+Remove the conditional checking for out_data_len and skipping the fallocate
+if it is 0. This is wrong will actually change any legitimate the fallocate
+where the entire region is unallocated into a no-op.
+
+Additionally, before allocating the range, if FALLOC_FL_KEEP_SIZE is set then
+we need to clamp the length of the fallocate region as to not extend the size of the file.
+
+Fixes: 966a3cb7c7db ("cifs: improve fallocate emulation")
+Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/smb2ops.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
+index cc253bbff696..64cad843ce72 100644
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -3663,11 +3663,6 @@ static int smb3_simple_fallocate_range(unsigned int xid,
+ (char **)&out_data, &out_data_len);
+ if (rc)
+ goto out;
+- /*
+- * It is already all allocated
+- */
+- if (out_data_len == 0)
+- goto out;
+
+ buf = kzalloc(1024 * 1024, GFP_KERNEL);
+ if (buf == NULL) {
+@@ -3790,6 +3785,24 @@ static long smb3_simple_falloc(struct file *file, struct cifs_tcon *tcon,
+ goto out;
+ }
+
++ if (keep_size == true) {
++ /*
++ * We can not preallocate pages beyond the end of the file
++ * in SMB2
++ */
++ if (off >= i_size_read(inode)) {
++ rc = 0;
++ goto out;
++ }
++ /*
++ * For fallocates that are partially beyond the end of file,
++ * clamp len so we only fallocate up to the end of file.
++ */
++ if (off + len > i_size_read(inode)) {
++ len = i_size_read(inode) - off;
++ }
++ }
++
+ if ((keep_size == true) || (i_size_read(inode) >= off + len)) {
+ /*
+ * At this point, we are trying to fallocate an internal
+--
+2.30.2
+
--- /dev/null
+From b3076ea07ec752c1bd23dad1bed21d444ecf2244 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Jul 2021 14:53:32 +1000
+Subject: cifs: only write 64kb at a time when fallocating a small region of a
+ file
+
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+
+[ Upstream commit 2485bd7557a7edb4520b4072af464f0a08c8efe0 ]
+
+We only allow sending single credit writes through the SMB2_write() synchronous
+api so split this into smaller chunks.
+
+Fixes: 966a3cb7c7db ("cifs: improve fallocate emulation")
+
+Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Reported-by: Namjae Jeon <namjae.jeon@samsung.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/smb2ops.c | 26 +++++++++++++++++++-------
+ 1 file changed, 19 insertions(+), 7 deletions(-)
+
+diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
+index 903de7449aa3..cc253bbff696 100644
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -3613,7 +3613,7 @@ static int smb3_simple_fallocate_write_range(unsigned int xid,
+ char *buf)
+ {
+ struct cifs_io_parms io_parms = {0};
+- int nbytes;
++ int rc, nbytes;
+ struct kvec iov[2];
+
+ io_parms.netfid = cfile->fid.netfid;
+@@ -3621,13 +3621,25 @@ static int smb3_simple_fallocate_write_range(unsigned int xid,
+ io_parms.tcon = tcon;
+ io_parms.persistent_fid = cfile->fid.persistent_fid;
+ io_parms.volatile_fid = cfile->fid.volatile_fid;
+- io_parms.offset = off;
+- io_parms.length = len;
+
+- /* iov[0] is reserved for smb header */
+- iov[1].iov_base = buf;
+- iov[1].iov_len = io_parms.length;
+- return SMB2_write(xid, &io_parms, &nbytes, iov, 1);
++ while (len) {
++ io_parms.offset = off;
++ io_parms.length = len;
++ if (io_parms.length > SMB2_MAX_BUFFER_SIZE)
++ io_parms.length = SMB2_MAX_BUFFER_SIZE;
++ /* iov[0] is reserved for smb header */
++ iov[1].iov_base = buf;
++ iov[1].iov_len = io_parms.length;
++ rc = SMB2_write(xid, &io_parms, &nbytes, iov, 1);
++ if (rc)
++ break;
++ if (nbytes > len)
++ return -EINVAL;
++ buf += nbytes;
++ off += nbytes;
++ len -= nbytes;
++ }
++ return rc;
+ }
+
+ static int smb3_simple_fallocate_range(unsigned int xid,
+--
+2.30.2
+
--- /dev/null
+From 16bba1557e2761fef53f030204d29d65d39fa2af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jul 2021 21:51:56 +0530
+Subject: cxgb4: fix IRQ free race during driver unload
+
+From: Shahjada Abul Husain <shahjada@chelsio.com>
+
+[ Upstream commit 015fe6fd29c4b9ac0f61b8c4455ef88e6018b9cc ]
+
+IRQs are requested during driver's ndo_open() and then later
+freed up in disable_interrupts() during driver unload.
+A race exists where driver can set the CXGB4_FULL_INIT_DONE
+flag in ndo_open() after the disable_interrupts() in driver
+unload path checks it, and hence misses calling free_irq().
+
+Fix by unregistering netdevice first and sync with driver's
+ndo_open(). This ensures disable_interrupts() checks the flag
+correctly and frees up the IRQs properly.
+
+Fixes: b37987e8db5f ("cxgb4: Disable interrupts and napi before unregistering netdev")
+Signed-off-by: Shahjada Abul Husain <shahjada@chelsio.com>
+Signed-off-by: Raju Rangoju <rajur@chelsio.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/chelsio/cxgb4/cxgb4_main.c | 18 ++++++++++--------
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c | 3 +++
+ 2 files changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
+index 762113a04dde..9f62ffe64781 100644
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
+@@ -2643,6 +2643,9 @@ static void detach_ulds(struct adapter *adap)
+ {
+ unsigned int i;
+
++ if (!is_uld(adap))
++ return;
++
+ mutex_lock(&uld_mutex);
+ list_del(&adap->list_node);
+
+@@ -7141,10 +7144,13 @@ static void remove_one(struct pci_dev *pdev)
+ */
+ destroy_workqueue(adapter->workq);
+
+- if (is_uld(adapter)) {
+- detach_ulds(adapter);
+- t4_uld_clean_up(adapter);
+- }
++ detach_ulds(adapter);
++
++ for_each_port(adapter, i)
++ if (adapter->port[i]->reg_state == NETREG_REGISTERED)
++ unregister_netdev(adapter->port[i]);
++
++ t4_uld_clean_up(adapter);
+
+ adap_free_hma_mem(adapter);
+
+@@ -7152,10 +7158,6 @@ static void remove_one(struct pci_dev *pdev)
+
+ cxgb4_free_mps_ref_entries(adapter);
+
+- for_each_port(adapter, i)
+- if (adapter->port[i]->reg_state == NETREG_REGISTERED)
+- unregister_netdev(adapter->port[i]);
+-
+ debugfs_remove_recursive(adapter->debugfs_root);
+
+ if (!is_t4(adapter->params.chip))
+diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c
+index 743af9e654aa..17faac715882 100644
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c
+@@ -581,6 +581,9 @@ void t4_uld_clean_up(struct adapter *adap)
+ {
+ unsigned int i;
+
++ if (!is_uld(adap))
++ return;
++
+ mutex_lock(&uld_mutex);
+ for (i = 0; i < CXGB4_ULD_MAX; i++) {
+ if (!adap->uld[i].handle)
+--
+2.30.2
+
--- /dev/null
+From 9e8824e82babdc8a5675975caae203777afcb982 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jul 2021 11:39:34 +0300
+Subject: dma-mapping: handle vmalloc addresses in
+ dma_common_{mmap,get_sgtable}
+
+From: Roman Skakun <Roman_Skakun@epam.com>
+
+[ Upstream commit 40ac971eab89330d6153e7721e88acd2d98833f9 ]
+
+xen-swiotlb can use vmalloc backed addresses for dma coherent allocations
+and uses the common helpers. Properly handle them to unbreak Xen on
+ARM platforms.
+
+Fixes: 1b65c4e5a9af ("swiotlb-xen: use xen_alloc/free_coherent_pages")
+Signed-off-by: Roman Skakun <roman_skakun@epam.com>
+Reviewed-by: Andrii Anisov <andrii_anisov@epam.com>
+[hch: split the patch, renamed the helpers]
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/dma/ops_helpers.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/dma/ops_helpers.c b/kernel/dma/ops_helpers.c
+index 910ae69cae77..af4a6ef48ce0 100644
+--- a/kernel/dma/ops_helpers.c
++++ b/kernel/dma/ops_helpers.c
+@@ -5,6 +5,13 @@
+ */
+ #include <linux/dma-map-ops.h>
+
++static struct page *dma_common_vaddr_to_page(void *cpu_addr)
++{
++ if (is_vmalloc_addr(cpu_addr))
++ return vmalloc_to_page(cpu_addr);
++ return virt_to_page(cpu_addr);
++}
++
+ /*
+ * Create scatter-list for the already allocated DMA buffer.
+ */
+@@ -12,7 +19,7 @@ int dma_common_get_sgtable(struct device *dev, struct sg_table *sgt,
+ void *cpu_addr, dma_addr_t dma_addr, size_t size,
+ unsigned long attrs)
+ {
+- struct page *page = virt_to_page(cpu_addr);
++ struct page *page = dma_common_vaddr_to_page(cpu_addr);
+ int ret;
+
+ ret = sg_alloc_table(sgt, 1, GFP_KERNEL);
+@@ -32,6 +39,7 @@ int dma_common_mmap(struct device *dev, struct vm_area_struct *vma,
+ unsigned long user_count = vma_pages(vma);
+ unsigned long count = PAGE_ALIGN(size) >> PAGE_SHIFT;
+ unsigned long off = vma->vm_pgoff;
++ struct page *page = dma_common_vaddr_to_page(cpu_addr);
+ int ret = -ENXIO;
+
+ vma->vm_page_prot = dma_pgprot(dev, vma->vm_page_prot, attrs);
+@@ -43,7 +51,7 @@ int dma_common_mmap(struct device *dev, struct vm_area_struct *vma,
+ return -ENXIO;
+
+ return remap_pfn_range(vma, vma->vm_start,
+- page_to_pfn(virt_to_page(cpu_addr)) + vma->vm_pgoff,
++ page_to_pfn(page) + vma->vm_pgoff,
+ user_count << PAGE_SHIFT, vma->vm_page_prot);
+ #else
+ return -ENXIO;
+--
+2.30.2
+
--- /dev/null
+From b895e1a06489b8dd8f2742024ceb36589fbd1b12 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Jul 2021 15:15:51 +0300
+Subject: dpaa2-switch: seed the buffer pool after allocating the swp
+
+From: Ioana Ciornei <ioana.ciornei@nxp.com>
+
+[ Upstream commit 7aaa0f311e2df2704fa8ddb8ed681a3b5841d0bf ]
+
+Any interraction with the buffer pool (seeding a buffer, acquire one) is
+made through a software portal (SWP, a DPIO object).
+There are circumstances where the dpaa2-switch driver probes on a DPSW
+before any DPIO devices have been probed. In this case, seeding of the
+buffer pool will lead to a panic since no SWPs are initialized.
+
+To fix this, seed the buffer pool after making sure that the software
+portals have been probed and are ready to be used.
+
+Fixes: 0b1b71370458 ("staging: dpaa2-switch: handle Rx path on control interface")
+Signed-off-by: Ioana Ciornei <ioana.ciornei@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/freescale/dpaa2/dpaa2-switch.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
+index 05de37c3b64c..87321b7239cf 100644
+--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c
+@@ -2770,32 +2770,32 @@ static int dpaa2_switch_ctrl_if_setup(struct ethsw_core *ethsw)
+ if (err)
+ return err;
+
+- err = dpaa2_switch_seed_bp(ethsw);
+- if (err)
+- goto err_free_dpbp;
+-
+ err = dpaa2_switch_alloc_rings(ethsw);
+ if (err)
+- goto err_drain_dpbp;
++ goto err_free_dpbp;
+
+ err = dpaa2_switch_setup_dpio(ethsw);
+ if (err)
+ goto err_destroy_rings;
+
++ err = dpaa2_switch_seed_bp(ethsw);
++ if (err)
++ goto err_deregister_dpio;
++
+ err = dpsw_ctrl_if_enable(ethsw->mc_io, 0, ethsw->dpsw_handle);
+ if (err) {
+ dev_err(ethsw->dev, "dpsw_ctrl_if_enable err %d\n", err);
+- goto err_deregister_dpio;
++ goto err_drain_dpbp;
+ }
+
+ return 0;
+
++err_drain_dpbp:
++ dpaa2_switch_drain_bp(ethsw);
+ err_deregister_dpio:
+ dpaa2_switch_free_dpio(ethsw);
+ err_destroy_rings:
+ dpaa2_switch_destroy_rings(ethsw);
+-err_drain_dpbp:
+- dpaa2_switch_drain_bp(ethsw);
+ err_free_dpbp:
+ dpaa2_switch_free_dpbp(ethsw);
+
+--
+2.30.2
+
--- /dev/null
+From 285bf918fe4464a0a33a37b6cd7901a5919d4d10 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Jul 2021 15:45:23 +0200
+Subject: drm/panel: raspberrypi-touchscreen: Prevent double-free
+
+From: Maxime Ripard <maxime@cerno.tech>
+
+[ Upstream commit 7bbcb919e32d776ca8ddce08abb391ab92eef6a9 ]
+
+The mipi_dsi_device allocated by mipi_dsi_device_register_full() is
+already free'd on release.
+
+Fixes: 2f733d6194bd ("drm/panel: Add support for the Raspberry Pi 7" Touchscreen.")
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Reviewed-by: Sam Ravnborg <sam@ravnborg.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210720134525.563936-9-maxime@cerno.tech
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/panel/panel-raspberrypi-touchscreen.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/panel/panel-raspberrypi-touchscreen.c b/drivers/gpu/drm/panel/panel-raspberrypi-touchscreen.c
+index 5e9ccefb88f6..bbdd086be7f5 100644
+--- a/drivers/gpu/drm/panel/panel-raspberrypi-touchscreen.c
++++ b/drivers/gpu/drm/panel/panel-raspberrypi-touchscreen.c
+@@ -447,7 +447,6 @@ static int rpi_touchscreen_remove(struct i2c_client *i2c)
+ drm_panel_remove(&ts->base);
+
+ mipi_dsi_device_unregister(ts->dsi);
+- kfree(ts->dsi);
+
+ return 0;
+ }
+--
+2.30.2
+
--- /dev/null
+From 51a4cac7e1b6932191e4a17bc3ef046e82558907 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Jul 2021 13:13:55 -0500
+Subject: drm/ttm: Force re-init if ttm_global_init() fails
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jason Ekstrand <jason@jlekstrand.net>
+
+[ Upstream commit 235c3610d5f02ee91244239b43cd9ae8b4859dff ]
+
+If we have a failure, decrement the reference count so that the next
+call to ttm_global_init() will actually do something instead of assume
+everything is all set up.
+
+Signed-off-by: Jason Ekstrand <jason@jlekstrand.net>
+Fixes: 62b53b37e4b1 ("drm/ttm: use a static ttm_bo_global instance")
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210720181357.2760720-5-jason@jlekstrand.net
+Signed-off-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/ttm/ttm_device.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/ttm/ttm_device.c b/drivers/gpu/drm/ttm/ttm_device.c
+index 3d9c62b93e29..ef6e0c042bb1 100644
+--- a/drivers/gpu/drm/ttm/ttm_device.c
++++ b/drivers/gpu/drm/ttm/ttm_device.c
+@@ -100,6 +100,8 @@ static int ttm_global_init(void)
+ debugfs_create_atomic_t("buffer_objects", 0444, ttm_debugfs_root,
+ &glob->bo_count);
+ out:
++ if (ret)
++ --ttm_glob_use_count;
+ mutex_unlock(&ttm_global_mutex);
+ return ret;
+ }
+--
+2.30.2
+
--- /dev/null
+From 57d3edaddb8132977dd5bfe585a6d8d823a8e7f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Jul 2021 11:51:10 +0200
+Subject: drm/vc4: hdmi: Drop devm interrupt handler for CEC interrupts
+
+From: Maxime Ripard <maxime@cerno.tech>
+
+[ Upstream commit 32a19de21ae40f0601f48575b610dde4f518ccc6 ]
+
+The CEC interrupt handlers are registered through the
+devm_request_threaded_irq function. However, while free_irq is indeed
+called properly when the device is unbound or bind fails, it's called
+after unbind or bind is done.
+
+In our particular case, it means that on failure it creates a window
+where our interrupt handler can be called, but we're freeing every
+resource (CEC adapter, DRM objects, etc.) it might need.
+
+In order to address this, let's switch to the non-devm variant to
+control better when the handler will be unregistered and allow us to
+make it safe.
+
+Fixes: 15b4511a4af6 ("drm/vc4: add HDMI CEC support")
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Reviewed-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210707095112.1469670-2-maxime@cerno.tech
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_hdmi.c | 49 +++++++++++++++++++++++-----------
+ 1 file changed, 33 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c
+index 188b74c9e9ff..edee565334d8 100644
+--- a/drivers/gpu/drm/vc4/vc4_hdmi.c
++++ b/drivers/gpu/drm/vc4/vc4_hdmi.c
+@@ -1690,38 +1690,46 @@ static int vc4_hdmi_cec_init(struct vc4_hdmi *vc4_hdmi)
+ vc4_hdmi_cec_update_clk_div(vc4_hdmi);
+
+ if (vc4_hdmi->variant->external_irq_controller) {
+- ret = devm_request_threaded_irq(&pdev->dev,
+- platform_get_irq_byname(pdev, "cec-rx"),
+- vc4_cec_irq_handler_rx_bare,
+- vc4_cec_irq_handler_rx_thread, 0,
+- "vc4 hdmi cec rx", vc4_hdmi);
++ ret = request_threaded_irq(platform_get_irq_byname(pdev, "cec-rx"),
++ vc4_cec_irq_handler_rx_bare,
++ vc4_cec_irq_handler_rx_thread, 0,
++ "vc4 hdmi cec rx", vc4_hdmi);
+ if (ret)
+ goto err_delete_cec_adap;
+
+- ret = devm_request_threaded_irq(&pdev->dev,
+- platform_get_irq_byname(pdev, "cec-tx"),
+- vc4_cec_irq_handler_tx_bare,
+- vc4_cec_irq_handler_tx_thread, 0,
+- "vc4 hdmi cec tx", vc4_hdmi);
++ ret = request_threaded_irq(platform_get_irq_byname(pdev, "cec-tx"),
++ vc4_cec_irq_handler_tx_bare,
++ vc4_cec_irq_handler_tx_thread, 0,
++ "vc4 hdmi cec tx", vc4_hdmi);
+ if (ret)
+- goto err_delete_cec_adap;
++ goto err_remove_cec_rx_handler;
+ } else {
+ HDMI_WRITE(HDMI_CEC_CPU_MASK_SET, 0xffffffff);
+
+- ret = devm_request_threaded_irq(&pdev->dev, platform_get_irq(pdev, 0),
+- vc4_cec_irq_handler,
+- vc4_cec_irq_handler_thread, 0,
+- "vc4 hdmi cec", vc4_hdmi);
++ ret = request_threaded_irq(platform_get_irq(pdev, 0),
++ vc4_cec_irq_handler,
++ vc4_cec_irq_handler_thread, 0,
++ "vc4 hdmi cec", vc4_hdmi);
+ if (ret)
+ goto err_delete_cec_adap;
+ }
+
+ ret = cec_register_adapter(vc4_hdmi->cec_adap, &pdev->dev);
+ if (ret < 0)
+- goto err_delete_cec_adap;
++ goto err_remove_handlers;
+
+ return 0;
+
++err_remove_handlers:
++ if (vc4_hdmi->variant->external_irq_controller)
++ free_irq(platform_get_irq_byname(pdev, "cec-tx"), vc4_hdmi);
++ else
++ free_irq(platform_get_irq(pdev, 0), vc4_hdmi);
++
++err_remove_cec_rx_handler:
++ if (vc4_hdmi->variant->external_irq_controller)
++ free_irq(platform_get_irq_byname(pdev, "cec-rx"), vc4_hdmi);
++
+ err_delete_cec_adap:
+ cec_delete_adapter(vc4_hdmi->cec_adap);
+
+@@ -1730,6 +1738,15 @@ err_delete_cec_adap:
+
+ static void vc4_hdmi_cec_exit(struct vc4_hdmi *vc4_hdmi)
+ {
++ struct platform_device *pdev = vc4_hdmi->pdev;
++
++ if (vc4_hdmi->variant->external_irq_controller) {
++ free_irq(platform_get_irq_byname(pdev, "cec-rx"), vc4_hdmi);
++ free_irq(platform_get_irq_byname(pdev, "cec-tx"), vc4_hdmi);
++ } else {
++ free_irq(platform_get_irq(pdev, 0), vc4_hdmi);
++ }
++
+ cec_unregister_adapter(vc4_hdmi->cec_adap);
+ }
+ #else
+--
+2.30.2
+
--- /dev/null
+From 8a5a7788fbe31aa1f76f413029b33c1775b29ea6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jun 2021 14:23:35 -0400
+Subject: drm/vmwgfx: Fix a bad merge in otable batch takedown
+
+From: Zack Rusin <zackr@vmware.com>
+
+[ Upstream commit 34bd46bcf3de72cbffcdc42d3fa67e543d1c869b ]
+
+Change
+2ef4fb92363c ("drm/vmwgfx: Make sure bo's are unpinned before putting them back")
+caused a conflict in one of the drm trees and the merge commit
+68a32ba14177 ("Merge tag 'drm-next-2021-04-28' of git://anongit.freedesktop.org/drm/drm")
+accidently re-added code that the original change was removing.
+Fixed by removing the incorrect buffer unpin - it has already been unpinned
+two lines above.
+
+Fixes: 68a32ba14177 ("Merge tag 'drm-next-2021-04-28' of git://anongit.freedesktop.org/drm/drm")
+Signed-off-by: Zack Rusin <zackr@vmware.com>
+Reviewed-by: Martin Krastev <krastevm@vmware.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210615182336.995192-4-zackr@vmware.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_mob.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_mob.c b/drivers/gpu/drm/vmwgfx/vmwgfx_mob.c
+index 5648664f71bc..f2d625415458 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_mob.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_mob.c
+@@ -354,7 +354,6 @@ static void vmw_otable_batch_takedown(struct vmw_private *dev_priv,
+ ttm_bo_unpin(bo);
+ ttm_bo_unreserve(bo);
+
+- ttm_bo_unpin(batch->otable_bo);
+ ttm_bo_put(batch->otable_bo);
+ batch->otable_bo = NULL;
+ }
+--
+2.30.2
+
--- /dev/null
+From 86f7e714e37301896d425fa8b8fb5dcd88e4f7a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 07:05:53 +0200
+Subject: e1000e: Fix an error handling path in 'e1000_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 4589075608420bc49fcef6e98279324bf2bb91ae ]
+
+If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it
+must be undone by a corresponding 'pci_disable_pcie_error_reporting()'
+call, as already done in the remove function.
+
+Fixes: 111b9dc5c981 ("e1000e: add aer support")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Acked-by: Sasha Neftin <sasha.neftin@intel.com>
+Tested-by: Dvora Fuxbrumer <dvorax.fuxbrumer@linux.intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/e1000e/netdev.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c
+index dc0ded7e5e61..86b7778dc9b4 100644
+--- a/drivers/net/ethernet/intel/e1000e/netdev.c
++++ b/drivers/net/ethernet/intel/e1000e/netdev.c
+@@ -7664,6 +7664,7 @@ err_flashmap:
+ err_ioremap:
+ free_netdev(netdev);
+ err_alloc_etherdev:
++ pci_disable_pcie_error_reporting(pdev);
+ pci_release_mem_regions(pdev);
+ err_pci_reg:
+ err_dma:
+--
+2.30.2
+
--- /dev/null
+From fb0431072f6b6dbac7fb5944cebe2a4ad2df3eb5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Apr 2021 21:12:16 +0300
+Subject: efi/dev-path-parser: Switch to use for_each_acpi_dev_match()
+
+From: Andy Shevchenko <andy.shevchenko@gmail.com>
+
+[ Upstream commit edbd1bc4951eff8da65732dbe0d381e555054428 ]
+
+Switch to use for_each_acpi_dev_match() instead of home grown analogue.
+No functional change intended.
+
+Signed-off-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/dev-path-parser.c | 49 ++++++++++----------------
+ 1 file changed, 18 insertions(+), 31 deletions(-)
+
+diff --git a/drivers/firmware/efi/dev-path-parser.c b/drivers/firmware/efi/dev-path-parser.c
+index 5c9625e552f4..10d4457417a4 100644
+--- a/drivers/firmware/efi/dev-path-parser.c
++++ b/drivers/firmware/efi/dev-path-parser.c
+@@ -12,52 +12,39 @@
+ #include <linux/efi.h>
+ #include <linux/pci.h>
+
+-struct acpi_hid_uid {
+- struct acpi_device_id hid[2];
+- char uid[11]; /* UINT_MAX + null byte */
+-};
+-
+-static int __init match_acpi_dev(struct device *dev, const void *data)
+-{
+- struct acpi_hid_uid hid_uid = *(const struct acpi_hid_uid *)data;
+- struct acpi_device *adev = to_acpi_device(dev);
+-
+- if (acpi_match_device_ids(adev, hid_uid.hid))
+- return 0;
+-
+- if (adev->pnp.unique_id)
+- return !strcmp(adev->pnp.unique_id, hid_uid.uid);
+- else
+- return !strcmp("0", hid_uid.uid);
+-}
+-
+ static long __init parse_acpi_path(const struct efi_dev_path *node,
+ struct device *parent, struct device **child)
+ {
+- struct acpi_hid_uid hid_uid = {};
++ char hid[ACPI_ID_LEN], uid[11]; /* UINT_MAX + null byte */
++ struct acpi_device *adev;
+ struct device *phys_dev;
+
+ if (node->header.length != 12)
+ return -EINVAL;
+
+- sprintf(hid_uid.hid[0].id, "%c%c%c%04X",
++ sprintf(hid, "%c%c%c%04X",
+ 'A' + ((node->acpi.hid >> 10) & 0x1f) - 1,
+ 'A' + ((node->acpi.hid >> 5) & 0x1f) - 1,
+ 'A' + ((node->acpi.hid >> 0) & 0x1f) - 1,
+ node->acpi.hid >> 16);
+- sprintf(hid_uid.uid, "%u", node->acpi.uid);
+-
+- *child = bus_find_device(&acpi_bus_type, NULL, &hid_uid,
+- match_acpi_dev);
+- if (!*child)
++ sprintf(uid, "%u", node->acpi.uid);
++
++ for_each_acpi_dev_match(adev, hid, NULL, -1) {
++ if (adev->pnp.unique_id && !strcmp(adev->pnp.unique_id, uid))
++ break;
++ if (!adev->pnp.unique_id && node->acpi.uid == 0)
++ break;
++ acpi_dev_put(adev);
++ }
++ if (!adev)
+ return -ENODEV;
+
+- phys_dev = acpi_get_first_physical_node(to_acpi_device(*child));
++ phys_dev = acpi_get_first_physical_node(adev);
+ if (phys_dev) {
+- get_device(phys_dev);
+- put_device(*child);
+- *child = phys_dev;
+- }
++ *child = get_device(phys_dev);
++ acpi_dev_put(adev);
++ } else
++ *child = &adev->dev;
+
+ return 0;
+ }
+--
+2.30.2
+
--- /dev/null
+From bd84dafb9d267b0bc0f6b955bbd467996204d715 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jul 2021 11:46:54 +0200
+Subject: efi/tpm: Differentiate missing and invalid final event log table.
+
+From: Michal Suchanek <msuchanek@suse.de>
+
+[ Upstream commit 674a9f1f6815849bfb5bf385e7da8fc198aaaba9 ]
+
+Missing TPM final event log table is not a firmware bug.
+
+Clearly if providing event log in the old format makes the final event
+log invalid it should not be provided at least in that case.
+
+Fixes: b4f1874c6216 ("tpm: check event log version before reading final events")
+Signed-off-by: Michal Suchanek <msuchanek@suse.de>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/tpm.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/firmware/efi/tpm.c b/drivers/firmware/efi/tpm.c
+index c1955d320fec..8f665678e9e3 100644
+--- a/drivers/firmware/efi/tpm.c
++++ b/drivers/firmware/efi/tpm.c
+@@ -62,9 +62,11 @@ int __init efi_tpm_eventlog_init(void)
+ tbl_size = sizeof(*log_tbl) + log_tbl->size;
+ memblock_reserve(efi.tpm_log, tbl_size);
+
+- if (efi.tpm_final_log == EFI_INVALID_TABLE_ADDR ||
+- log_tbl->version != EFI_TCG2_EVENT_LOG_FORMAT_TCG_2) {
+- pr_warn(FW_BUG "TPM Final Events table missing or invalid\n");
++ if (efi.tpm_final_log == EFI_INVALID_TABLE_ADDR) {
++ pr_info("TPM Final Events table not present\n");
++ goto out;
++ } else if (log_tbl->version != EFI_TCG2_EVENT_LOG_FORMAT_TCG_2) {
++ pr_warn(FW_BUG "TPM Final Events table invalid\n");
+ goto out;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From e80803ef5bee71ed04ad65f8055cb724e1a7a04e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Jun 2021 10:50:59 +0100
+Subject: firmware: arm_scmi: Ensure drivers provide a probe function
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sudeep Holla <sudeep.holla@arm.com>
+
+[ Upstream commit 5e469dac326555d2038d199a6329458cc82a34e5 ]
+
+The bus probe callback calls the driver callback without further
+checking. Better be safe than sorry and refuse registration of a driver
+without a probe function to prevent a NULL pointer exception.
+
+Link: https://lore.kernel.org/r/20210624095059.4010157-2-sudeep.holla@arm.com
+Fixes: 933c504424a2 ("firmware: arm_scmi: add scmi protocol bus to enumerate protocol devices")
+Reported-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Tested-by: Cristian Marussi <cristian.marussi@arm.com>
+Reviewed-by: Cristian Marussi <cristian.marussi@arm.com>
+Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/arm_scmi/bus.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/firmware/arm_scmi/bus.c b/drivers/firmware/arm_scmi/bus.c
+index 784cf0027da3..9184a0d5acbe 100644
+--- a/drivers/firmware/arm_scmi/bus.c
++++ b/drivers/firmware/arm_scmi/bus.c
+@@ -139,6 +139,9 @@ int scmi_driver_register(struct scmi_driver *driver, struct module *owner,
+ {
+ int retval;
+
++ if (!driver->probe)
++ return -EINVAL;
++
+ retval = scmi_protocol_device_request(driver->id_table);
+ if (retval)
+ return retval;
+--
+2.30.2
+
--- /dev/null
+From 02c18bb10279a1fe46803aad46f08b5d0f2f3ede Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 07:00:36 +0200
+Subject: fm10k: Fix an error handling path in 'fm10k_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit e85e14d68f517ef12a5fb8123fff65526b35b6cd ]
+
+If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it
+must be undone by a corresponding 'pci_disable_pcie_error_reporting()'
+call, as already done in the remove function.
+
+Fixes: 19ae1b3fb99c ("fm10k: Add support for PCI power management and error handling")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/fm10k/fm10k_pci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/fm10k/fm10k_pci.c b/drivers/net/ethernet/intel/fm10k/fm10k_pci.c
+index 9e3103fae723..caedf24c24c1 100644
+--- a/drivers/net/ethernet/intel/fm10k/fm10k_pci.c
++++ b/drivers/net/ethernet/intel/fm10k/fm10k_pci.c
+@@ -2227,6 +2227,7 @@ err_sw_init:
+ err_ioremap:
+ free_netdev(netdev);
+ err_alloc_netdev:
++ pci_disable_pcie_error_reporting(pdev);
+ pci_release_mem_regions(pdev);
+ err_pci_reg:
+ err_dma:
+--
+2.30.2
+
--- /dev/null
+From fd6ac0f1393630582fa6c5d48bfcb9569b0569cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Jul 2021 22:18:24 +0200
+Subject: gve: Fix an error handling path in 'gve_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 2342ae10d1272d411a468a85a67647dd115b344f ]
+
+If the 'register_netdev() call fails, we must release the resources
+allocated by the previous 'gve_init_priv()' call, as already done in the
+remove function.
+
+Add a new label and the missing 'gve_teardown_priv_resources()' in the
+error handling path.
+
+Fixes: 893ce44df565 ("gve: Add basic driver framework for Compute Engine Virtual NIC")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Catherine Sullivan <csully@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/google/gve/gve_main.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/google/gve/gve_main.c b/drivers/net/ethernet/google/gve/gve_main.c
+index 79cefe85a799..b43c6ff07614 100644
+--- a/drivers/net/ethernet/google/gve/gve_main.c
++++ b/drivers/net/ethernet/google/gve/gve_main.c
+@@ -1349,13 +1349,16 @@ static int gve_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+
+ err = register_netdev(dev);
+ if (err)
+- goto abort_with_wq;
++ goto abort_with_gve_init;
+
+ dev_info(&pdev->dev, "GVE version %s\n", gve_version_str);
+ gve_clear_probe_in_progress(priv);
+ queue_work(priv->gve_wq, &priv->service_task);
+ return 0;
+
++abort_with_gve_init:
++ gve_teardown_priv_resources(priv);
++
+ abort_with_wq:
+ destroy_workqueue(priv->gve_wq);
+
+--
+2.30.2
+
--- /dev/null
+From f8f913a456d059ab6943704eb2e823b3381d931b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jul 2021 08:58:32 +1200
+Subject: i2c: mpc: Poll for MCF
+
+From: Chris Packham <chris.packham@alliedtelesis.co.nz>
+
+[ Upstream commit 4a8ac5e45cdaa88884b4ce05303e304cbabeb367 ]
+
+During some transfers the bus can still be busy when an interrupt is
+received. Commit 763778cd7926 ("i2c: mpc: Restore reread of I2C status
+register") attempted to address this by re-reading MPC_I2C_SR once but
+that just made it less likely to happen without actually preventing it.
+Instead of a single re-read, poll with a timeout so that the bus is given
+enough time to settle but a genuine stuck SCL is still noticed.
+
+Fixes: 1538d82f4647 ("i2c: mpc: Interrupt driven transfer")
+Signed-off-by: Chris Packham <chris.packham@alliedtelesis.co.nz>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-mpc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/i2c/busses/i2c-mpc.c b/drivers/i2c/busses/i2c-mpc.c
+index 6d5014ebaab5..a6ea1eb1394e 100644
+--- a/drivers/i2c/busses/i2c-mpc.c
++++ b/drivers/i2c/busses/i2c-mpc.c
+@@ -635,8 +635,8 @@ static irqreturn_t mpc_i2c_isr(int irq, void *dev_id)
+
+ status = readb(i2c->base + MPC_I2C_SR);
+ if (status & CSR_MIF) {
+- /* Read again to allow register to stabilise */
+- status = readb(i2c->base + MPC_I2C_SR);
++ /* Wait up to 100us for transfer to properly complete */
++ readb_poll_timeout(i2c->base + MPC_I2C_SR, status, !(status & CSR_MCF), 0, 100);
+ writeb(0, i2c->base + MPC_I2C_SR);
+ mpc_i2c_do_intr(i2c, status);
+ return IRQ_HANDLED;
+--
+2.30.2
+
--- /dev/null
+From ac89c382a94330d0f7d6df6bcb5916bfa3ecd716 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 07:53:02 +0200
+Subject: iavf: Fix an error handling path in 'iavf_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit af30cbd2f4d6d66a9b6094e0aa32420bc8b20e08 ]
+
+If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it
+must be undone by a corresponding 'pci_disable_pcie_error_reporting()'
+call, as already done in the remove function.
+
+Fixes: 5eae00c57f5e ("i40evf: main driver core")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index e612c24fa384..44bafedd09f2 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -3798,6 +3798,7 @@ static int iavf_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ err_ioremap:
+ free_netdev(netdev);
+ err_alloc_etherdev:
++ pci_disable_pcie_error_reporting(pdev);
+ pci_release_regions(pdev);
+ err_pci_reg:
+ err_dma:
+--
+2.30.2
+
--- /dev/null
+From 817278298dabcd9930a62c1d7b1bd72008dce4cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Jul 2021 19:34:39 -0700
+Subject: ibmvnic: Remove the proper scrq flush
+
+From: Sukadev Bhattiprolu <sukadev@linux.ibm.com>
+
+[ Upstream commit bb55362bd6976631b662ca712779b6532d8de0a6 ]
+
+Commit 65d6470d139a ("ibmvnic: clean pending indirect buffs during reset")
+intended to remove the call to ibmvnic_tx_scrq_flush() when the
+->resetting flag is true and was tested that way. But during the final
+rebase to net-next, the hunk got applied to a block few lines below
+(which happened to have the same diff context) and the wrong call to
+ibmvnic_tx_scrq_flush() got removed.
+
+Fix that by removing the correct ibmvnic_tx_scrq_flush() and restoring
+the one that was incorrectly removed.
+
+Fixes: 65d6470d139a ("ibmvnic: clean pending indirect buffs during reset")
+Reported-by: Dany Madden <drt@linux.ibm.com>
+Signed-off-by: Sukadev Bhattiprolu <sukadev@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ibm/ibmvnic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c
+index efc98903c0b7..5b4a7ef7dffa 100644
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -1707,7 +1707,6 @@ static netdev_tx_t ibmvnic_xmit(struct sk_buff *skb, struct net_device *netdev)
+ tx_send_failed++;
+ tx_dropped++;
+ ret = NETDEV_TX_OK;
+- ibmvnic_tx_scrq_flush(adapter, tx_scrq);
+ goto out;
+ }
+
+@@ -1729,6 +1728,7 @@ static netdev_tx_t ibmvnic_xmit(struct sk_buff *skb, struct net_device *netdev)
+ dev_kfree_skb_any(skb);
+ tx_send_failed++;
+ tx_dropped++;
++ ibmvnic_tx_scrq_flush(adapter, tx_scrq);
+ ret = NETDEV_TX_OK;
+ goto out;
+ }
+--
+2.30.2
+
--- /dev/null
+From 9625a5ce2e87d6acaaf4618e14414055906bbb1d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Apr 2021 10:19:23 +0000
+Subject: igb: Check if num of q_vectors is smaller than max before array
+ access
+
+From: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+
+[ Upstream commit 6c19d772618fea40d9681f259368f284a330fd90 ]
+
+Ensure that the adapter->q_vector[MAX_Q_VECTORS] array isn't accessed
+beyond its size. It was fixed by using a local variable num_q_vectors
+as a limit for loop index, and ensure that num_q_vectors is not bigger
+than MAX_Q_VECTORS.
+
+Fixes: 047e0030f1e6 ("igb: add new data structure for handling interrupts and NAPI")
+Signed-off-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Reviewed-by: Grzegorz Siwik <grzegorz.siwik@intel.com>
+Reviewed-by: Arkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
+Reviewed-by: Slawomir Laba <slawomirx.laba@intel.com>
+Reviewed-by: Sylwester Dziedziuch <sylwesterx.dziedziuch@intel.com>
+Reviewed-by: Mateusz Palczewski <mateusz.placzewski@intel.com>
+Tested-by: Tony Brelinski <tonyx.brelinski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index a371c51a3fe8..9f83ff55394c 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -931,6 +931,7 @@ static void igb_configure_msix(struct igb_adapter *adapter)
+ **/
+ static int igb_request_msix(struct igb_adapter *adapter)
+ {
++ unsigned int num_q_vectors = adapter->num_q_vectors;
+ struct net_device *netdev = adapter->netdev;
+ int i, err = 0, vector = 0, free_vector = 0;
+
+@@ -939,7 +940,13 @@ static int igb_request_msix(struct igb_adapter *adapter)
+ if (err)
+ goto err_out;
+
+- for (i = 0; i < adapter->num_q_vectors; i++) {
++ if (num_q_vectors > MAX_Q_VECTORS) {
++ num_q_vectors = MAX_Q_VECTORS;
++ dev_warn(&adapter->pdev->dev,
++ "The number of queue vectors (%d) is higher than max allowed (%d)\n",
++ adapter->num_q_vectors, MAX_Q_VECTORS);
++ }
++ for (i = 0; i < num_q_vectors; i++) {
+ struct igb_q_vector *q_vector = adapter->q_vector[i];
+
+ vector++;
+--
+2.30.2
+
--- /dev/null
+From 8dafe304b023f9359f2b0ad4d17d02096fda8b62 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Jun 2021 22:08:33 +0200
+Subject: igb: Fix an error handling path in 'igb_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit fea03b1cebd653cd095f2e9a58cfe1c85661c363 ]
+
+If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it
+must be undone by a corresponding 'pci_disable_pcie_error_reporting()'
+call, as already done in the remove function.
+
+Fixes: 40a914fa72ab ("igb: Add support for pci-e Advanced Error Reporting")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Tested-by: Tony Brelinski <tonyx.brelinski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index ed7ec27df8c2..a371c51a3fe8 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -3615,6 +3615,7 @@ err_sw_init:
+ err_ioremap:
+ free_netdev(netdev);
+ err_alloc_etherdev:
++ pci_disable_pcie_error_reporting(pdev);
+ pci_release_mem_regions(pdev);
+ err_pci_reg:
+ err_dma:
+--
+2.30.2
+
--- /dev/null
+From 07a3f5750217f99952b7fb4e63ab2b33689800f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Jun 2021 22:42:17 +0000
+Subject: igb: Fix position of assignment to *ring
+
+From: Jedrzej Jagielski <jedrzej.jagielski@intel.com>
+
+[ Upstream commit 382a7c20d9253bcd5715789b8179528d0f3de72c ]
+
+Assignment to *ring should be done after correctness check of the
+argument queue.
+
+Fixes: 91db364236c8 ("igb: Refactor igb_configure_cbs()")
+Signed-off-by: Jedrzej Jagielski <jedrzej.jagielski@intel.com>
+Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Tested-by: Tony Brelinski <tonyx.brelinski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index 9f83ff55394c..b0e900d1eae2 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -1685,14 +1685,15 @@ static bool is_any_txtime_enabled(struct igb_adapter *adapter)
+ **/
+ static void igb_config_tx_modes(struct igb_adapter *adapter, int queue)
+ {
+- struct igb_ring *ring = adapter->tx_ring[queue];
+ struct net_device *netdev = adapter->netdev;
+ struct e1000_hw *hw = &adapter->hw;
++ struct igb_ring *ring;
+ u32 tqavcc, tqavctrl;
+ u16 value;
+
+ WARN_ON(hw->mac.type != e1000_i210);
+ WARN_ON(queue < 0 || queue > 1);
++ ring = adapter->tx_ring[queue];
+
+ /* If any of the Qav features is enabled, configure queues as SR and
+ * with HIGH PRIO. If none is, then configure them with LOW PRIO and
+--
+2.30.2
+
--- /dev/null
+From 68e373c948875a472b20dbde5773acf5ecebdfc5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 May 2021 17:31:04 -0700
+Subject: igb: Fix use-after-free error during reset
+
+From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+
+[ Upstream commit 7b292608db23ccbbfbfa50cdb155d01725d7a52e ]
+
+Cleans the next descriptor to watch (next_to_watch) when cleaning the
+TX ring.
+
+Failure to do so can cause invalid memory accesses. If igb_poll() runs
+while the controller is reset this can lead to the driver try to free
+a skb that was already freed.
+
+(The crash is harder to reproduce with the igb driver, but the same
+potential problem exists as the code is identical to igc)
+
+Fixes: 7cc6fd4c60f2 ("igb: Don't bother clearing Tx buffer_info in igb_clean_tx_ring")
+Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Reported-by: Erez Geva <erez.geva.ext@siemens.com>
+Tested-by: Tony Brelinski <tonyx.brelinski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index 7b1885f9ce03..ed7ec27df8c2 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -4835,6 +4835,8 @@ static void igb_clean_tx_ring(struct igb_ring *tx_ring)
+ DMA_TO_DEVICE);
+ }
+
++ tx_buffer->next_to_watch = NULL;
++
+ /* move us one more past the eop_desc for start of next pkt */
+ tx_buffer++;
+ i++;
+--
+2.30.2
+
--- /dev/null
+From ef6841dc5c7c8d3bbfd8b6c8c901d664fed8635e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 May 2021 12:50:19 -0700
+Subject: igc: change default return of igc_read_phy_reg()
+
+From: Tom Rix <trix@redhat.com>
+
+[ Upstream commit 05682a0a61b6cbecd97a0f37f743b2cbfd516977 ]
+
+Static analysis reports this problem
+
+igc_main.c:4944:20: warning: The left operand of '&'
+ is a garbage value
+ if (!(phy_data & SR_1000T_REMOTE_RX_STATUS) &&
+ ~~~~~~~~ ^
+
+phy_data is set by the call to igc_read_phy_reg() only if
+there is a read_reg() op, else it is unset and a 0 is
+returned. Change the return to -EOPNOTSUPP.
+
+Fixes: 208983f099d9 ("igc: Add watchdog")
+Signed-off-by: Tom Rix <trix@redhat.com>
+Tested-by: Dvora Fuxbrumer <dvorax.fuxbrumer@linux.intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc.h b/drivers/net/ethernet/intel/igc/igc.h
+index 25871351730b..58e842cbf6ef 100644
+--- a/drivers/net/ethernet/intel/igc/igc.h
++++ b/drivers/net/ethernet/intel/igc/igc.h
+@@ -560,7 +560,7 @@ static inline s32 igc_read_phy_reg(struct igc_hw *hw, u32 offset, u16 *data)
+ if (hw->phy.ops.read_reg)
+ return hw->phy.ops.read_reg(hw, offset, data);
+
+- return 0;
++ return -EOPNOTSUPP;
+ }
+
+ void igc_reinit_locked(struct igc_adapter *);
+--
+2.30.2
+
--- /dev/null
+From 106a0b76122cc8b34046e038b734356a99819d83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Jun 2021 22:00:05 +0200
+Subject: igc: Fix an error handling path in 'igc_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit c6bc9e5ce5d37cb3e6b552f41b92a193db1806ab ]
+
+If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it
+must be undone by a corresponding 'pci_disable_pcie_error_reporting()'
+call, as already done in the remove function.
+
+Fixes: c9a11c23ceb6 ("igc: Add netdev")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Tested-by: Dvora Fuxbrumer <dvorax.fuxbrumer@linux.intel.com>
+Acked-by: Sasha Neftin <sasha.neftin@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index 9cac1e74a2ba..a8d5f196fdbd 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -5596,6 +5596,7 @@ err_sw_init:
+ err_ioremap:
+ free_netdev(netdev);
+ err_alloc_etherdev:
++ pci_disable_pcie_error_reporting(pdev);
+ pci_release_mem_regions(pdev);
+ err_pci_reg:
+ err_dma:
+--
+2.30.2
+
--- /dev/null
+From 31a0da16501566341ff4393309bcc802e0e6d7c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 May 2021 17:31:03 -0700
+Subject: igc: Fix use-after-free error during reset
+
+From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+
+[ Upstream commit 56ea7ed103b46970e171eb1c95916f393d64eeff ]
+
+Cleans the next descriptor to watch (next_to_watch) when cleaning the
+TX ring.
+
+Failure to do so can cause invalid memory accesses. If igc_poll() runs
+while the controller is being reset this can lead to the driver try to
+free a skb that was already freed.
+
+Log message:
+
+ [ 101.525242] refcount_t: underflow; use-after-free.
+ [ 101.525251] WARNING: CPU: 1 PID: 646 at lib/refcount.c:28 refcount_warn_saturate+0xab/0xf0
+ [ 101.525259] Modules linked in: sch_etf(E) sch_mqprio(E) rfkill(E) intel_rapl_msr(E) intel_rapl_common(E)
+ x86_pkg_temp_thermal(E) intel_powerclamp(E) coretemp(E) binfmt_misc(E) kvm_intel(E) kvm(E) irqbypass(E) crc32_pclmul(E)
+ ghash_clmulni_intel(E) aesni_intel(E) mei_wdt(E) libaes(E) crypto_simd(E) cryptd(E) glue_helper(E) snd_hda_codec_hdmi(E)
+ rapl(E) intel_cstate(E) snd_hda_intel(E) snd_intel_dspcfg(E) sg(E) soundwire_intel(E) intel_uncore(E) at24(E)
+ soundwire_generic_allocation(E) iTCO_wdt(E) soundwire_cadence(E) intel_pmc_bxt(E) serio_raw(E) snd_hda_codec(E)
+ iTCO_vendor_support(E) watchdog(E) snd_hda_core(E) snd_hwdep(E) snd_soc_core(E) snd_compress(E) snd_pcsp(E)
+ soundwire_bus(E) snd_pcm(E) evdev(E) snd_timer(E) mei_me(E) snd(E) soundcore(E) mei(E) configfs(E) ip_tables(E) x_tables(E)
+ autofs4(E) ext4(E) crc32c_generic(E) crc16(E) mbcache(E) jbd2(E) sd_mod(E) t10_pi(E) crc_t10dif(E) crct10dif_generic(E)
+ i915(E) ahci(E) libahci(E) ehci_pci(E) igb(E) xhci_pci(E) ehci_hcd(E)
+ [ 101.525303] drm_kms_helper(E) dca(E) xhci_hcd(E) libata(E) crct10dif_pclmul(E) cec(E) crct10dif_common(E) tsn(E) igc(E)
+ e1000e(E) ptp(E) i2c_i801(E) crc32c_intel(E) psmouse(E) i2c_algo_bit(E) i2c_smbus(E) scsi_mod(E) lpc_ich(E) pps_core(E)
+ usbcore(E) drm(E) button(E) video(E)
+ [ 101.525318] CPU: 1 PID: 646 Comm: irq/37-enp7s0-T Tainted: G E 5.10.30-rt37-tsn1-rt-ipipe #ipipe
+ [ 101.525320] Hardware name: SIEMENS AG SIMATIC IPC427D/A5E31233588, BIOS V17.02.09 03/31/2017
+ [ 101.525322] RIP: 0010:refcount_warn_saturate+0xab/0xf0
+ [ 101.525325] Code: 05 31 48 44 01 01 e8 f0 c6 42 00 0f 0b c3 80 3d 1f 48 44 01 00 75 90 48 c7 c7 78 a8 f3 a6 c6 05 0f 48
+ 44 01 01 e8 d1 c6 42 00 <0f> 0b c3 80 3d fe 47 44 01 00 0f 85 6d ff ff ff 48 c7 c7 d0 a8 f3
+ [ 101.525327] RSP: 0018:ffffbdedc0917cb8 EFLAGS: 00010286
+ [ 101.525329] RAX: 0000000000000000 RBX: ffff98fd6becbf40 RCX: 0000000000000001
+ [ 101.525330] RDX: 0000000000000001 RSI: ffffffffa6f2700c RDI: 00000000ffffffff
+ [ 101.525332] RBP: ffff98fd6becc14c R08: ffffffffa7463d00 R09: ffffbdedc0917c50
+ [ 101.525333] R10: ffffffffa74c3578 R11: 0000000000000034 R12: 00000000ffffff00
+ [ 101.525335] R13: ffff98fd6b0b1000 R14: 0000000000000039 R15: ffff98fd6be35c40
+ [ 101.525337] FS: 0000000000000000(0000) GS:ffff98fd6e240000(0000) knlGS:0000000000000000
+ [ 101.525339] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [ 101.525341] CR2: 00007f34135a3a70 CR3: 0000000150210003 CR4: 00000000001706e0
+ [ 101.525343] Call Trace:
+ [ 101.525346] sock_wfree+0x9c/0xa0
+ [ 101.525353] unix_destruct_scm+0x7b/0xa0
+ [ 101.525358] skb_release_head_state+0x40/0x90
+ [ 101.525362] skb_release_all+0xe/0x30
+ [ 101.525364] napi_consume_skb+0x57/0x160
+ [ 101.525367] igc_poll+0xb7/0xc80 [igc]
+ [ 101.525376] ? sched_clock+0x5/0x10
+ [ 101.525381] ? sched_clock_cpu+0xe/0x100
+ [ 101.525385] net_rx_action+0x14c/0x410
+ [ 101.525388] __do_softirq+0xe9/0x2f4
+ [ 101.525391] __local_bh_enable_ip+0xe3/0x110
+ [ 101.525395] ? irq_finalize_oneshot.part.47+0xe0/0xe0
+ [ 101.525398] irq_forced_thread_fn+0x6a/0x80
+ [ 101.525401] irq_thread+0xe8/0x180
+ [ 101.525403] ? wake_threads_waitq+0x30/0x30
+ [ 101.525406] ? irq_thread_check_affinity+0xd0/0xd0
+ [ 101.525408] kthread+0x183/0x1a0
+ [ 101.525412] ? kthread_park+0x80/0x80
+ [ 101.525415] ret_from_fork+0x22/0x30
+
+Fixes: 13b5b7fd6a4a ("igc: Add support for Tx/Rx rings")
+Reported-by: Erez Geva <erez.geva.ext@siemens.com>
+Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Tested-by: Dvora Fuxbrumer <dvorax.fuxbrumer@linux.intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index f1adf154ec4a..9cac1e74a2ba 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -217,6 +217,8 @@ static void igc_clean_tx_ring(struct igc_ring *tx_ring)
+ DMA_TO_DEVICE);
+ }
+
++ tx_buffer->next_to_watch = NULL;
++
+ /* move us one more past the eop_desc for start of next pkt */
+ tx_buffer++;
+ i++;
+--
+2.30.2
+
--- /dev/null
+From c3fc1f8d3c2f07f557c33f940349651959fcb753 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Jul 2021 16:38:05 +0800
+Subject: io_uring: fix memleak in io_init_wq_offload()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 362a9e65289284f36403058eea2462d0330c1f24 ]
+
+I got memory leak report when doing fuzz test:
+
+BUG: memory leak
+unreferenced object 0xffff888107310a80 (size 96):
+comm "syz-executor.6", pid 4610, jiffies 4295140240 (age 20.135s)
+hex dump (first 32 bytes):
+01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N..........
+backtrace:
+[<000000001974933b>] kmalloc include/linux/slab.h:591 [inline]
+[<000000001974933b>] kzalloc include/linux/slab.h:721 [inline]
+[<000000001974933b>] io_init_wq_offload fs/io_uring.c:7920 [inline]
+[<000000001974933b>] io_uring_alloc_task_context+0x466/0x640 fs/io_uring.c:7955
+[<0000000039d0800d>] __io_uring_add_tctx_node+0x256/0x360 fs/io_uring.c:9016
+[<000000008482e78c>] io_uring_add_tctx_node fs/io_uring.c:9052 [inline]
+[<000000008482e78c>] __do_sys_io_uring_enter fs/io_uring.c:9354 [inline]
+[<000000008482e78c>] __se_sys_io_uring_enter fs/io_uring.c:9301 [inline]
+[<000000008482e78c>] __x64_sys_io_uring_enter+0xabc/0xc20 fs/io_uring.c:9301
+[<00000000b875f18f>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+[<00000000b875f18f>] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
+[<000000006b0a8484>] entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+CPU0 CPU1
+io_uring_enter io_uring_enter
+io_uring_add_tctx_node io_uring_add_tctx_node
+__io_uring_add_tctx_node __io_uring_add_tctx_node
+io_uring_alloc_task_context io_uring_alloc_task_context
+io_init_wq_offload io_init_wq_offload
+hash = kzalloc hash = kzalloc
+ctx->hash_map = hash ctx->hash_map = hash <- one of the hash is leaked
+
+When calling io_uring_enter() in parallel, the 'hash_map' will be leaked,
+add uring_lock to protect 'hash_map'.
+
+Fixes: e941894eae31 ("io-wq: make buffered file write hashed work map per-ctx")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Pavel Begunkov <asml.silence@gmail.com>
+Link: https://lore.kernel.org/r/20210720083805.3030730-1-yangyingliang@huawei.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/io_uring.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/fs/io_uring.c b/fs/io_uring.c
+index eeea6b8c8bee..8843f48ace27 100644
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -7859,15 +7859,19 @@ static struct io_wq *io_init_wq_offload(struct io_ring_ctx *ctx,
+ struct io_wq_data data;
+ unsigned int concurrency;
+
++ mutex_lock(&ctx->uring_lock);
+ hash = ctx->hash_map;
+ if (!hash) {
+ hash = kzalloc(sizeof(*hash), GFP_KERNEL);
+- if (!hash)
++ if (!hash) {
++ mutex_unlock(&ctx->uring_lock);
+ return ERR_PTR(-ENOMEM);
++ }
+ refcount_set(&hash->refs, 1);
+ init_waitqueue_head(&hash->wait);
+ ctx->hash_map = hash;
+ }
++ mutex_unlock(&ctx->uring_lock);
+
+ data.hash = hash;
+ data.task = task;
+--
+2.30.2
+
--- /dev/null
+From a4305c656837721339166821f687e517a1773012 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Jul 2021 15:08:40 +0200
+Subject: ipv6: fix another slab-out-of-bounds in fib6_nh_flush_exceptions
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit 8fb4792f091e608a0a1d353dfdf07ef55a719db5 ]
+
+While running the self-tests on a KASAN enabled kernel, I observed a
+slab-out-of-bounds splat very similar to the one reported in
+commit 821bbf79fe46 ("ipv6: Fix KASAN: slab-out-of-bounds Read in
+ fib6_nh_flush_exceptions").
+
+We additionally need to take care of fib6_metrics initialization
+failure when the caller provides an nh.
+
+The fix is similar, explicitly free the route instead of calling
+fib6_info_release on a half-initialized object.
+
+Fixes: f88d8ea67fbdb ("ipv6: Plumb support for nexthop object in a fib6_info")
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/route.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index d417e514bd52..09e84161b731 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -3642,7 +3642,7 @@ static struct fib6_info *ip6_route_info_create(struct fib6_config *cfg,
+ err = PTR_ERR(rt->fib6_metrics);
+ /* Do not leave garbage there. */
+ rt->fib6_metrics = (struct dst_metrics *)&dst_default_metrics;
+- goto out;
++ goto out_free;
+ }
+
+ if (cfg->fc_flags & RTF_ADDRCONF)
+--
+2.30.2
+
--- /dev/null
+From e0622e1971e0b3143e7ab8fc9653379d16fd981a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Jul 2021 11:13:35 +0200
+Subject: ipv6: fix 'disable_policy' for fwd packets
+
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+
+[ Upstream commit ccd27f05ae7b8ebc40af5b004e94517a919aa862 ]
+
+The goal of commit df789fe75206 ("ipv6: Provide ipv6 version of
+"disable_policy" sysctl") was to have the disable_policy from ipv4
+available on ipv6.
+However, it's not exactly the same mechanism. On IPv4, all packets coming
+from an interface, which has disable_policy set, bypass the policy check.
+For ipv6, this is done only for local packets, ie for packets destinated to
+an address configured on the incoming interface.
+
+Let's align ipv6 with ipv4 so that the 'disable_policy' sysctl has the same
+effect for both protocols.
+
+My first approach was to create a new kind of route cache entries, to be
+able to set DST_NOPOLICY without modifying routes. This would have added a
+lot of code. Because the local delivery path is already handled, I choose
+to focus on the forwarding path to minimize code churn.
+
+Fixes: df789fe75206 ("ipv6: Provide ipv6 version of "disable_policy" sysctl")
+Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ip6_output.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+index 497974b4372a..b7ffb4f227a4 100644
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -479,7 +479,9 @@ int ip6_forward(struct sk_buff *skb)
+ if (skb_warn_if_lro(skb))
+ goto drop;
+
+- if (!xfrm6_policy_check(NULL, XFRM_POLICY_FWD, skb)) {
++ if (!net->ipv6.devconf_all->disable_policy &&
++ !idev->cnf.disable_policy &&
++ !xfrm6_policy_check(NULL, XFRM_POLICY_FWD, skb)) {
+ __IP6_INC_STATS(net, idev, IPSTATS_MIB_INDISCARDS);
+ goto drop;
+ }
+--
+2.30.2
+
--- /dev/null
+From 2288de7f6413d33a114cc2a269aa11b53225959f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Jun 2021 15:46:09 +0200
+Subject: ixgbe: Fix an error handling path in 'ixgbe_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit dd2aefcd5e37989ae5f90afdae44bbbf3a2990da ]
+
+If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it
+must be undone by a corresponding 'pci_disable_pcie_error_reporting()'
+call, as already done in the remove function.
+
+Fixes: 6fabd715e6d8 ("ixgbe: Implement PCIe AER support")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Tested-by: Tony Brelinski <tonyx.brelinski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+index 2ac5b82676f3..39fdc46f34f9 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+@@ -11069,6 +11069,7 @@ err_ioremap:
+ disable_dev = !test_and_set_bit(__IXGBE_DISABLED, &adapter->state);
+ free_netdev(netdev);
+ err_alloc_etherdev:
++ pci_disable_pcie_error_reporting(pdev);
+ pci_release_mem_regions(pdev);
+ err_pci_reg:
+ err_dma:
+--
+2.30.2
+
--- /dev/null
+From 0ee73e7624e98dee3e86d02e36841a144d2b7653 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Jul 2021 15:38:09 +0000
+Subject: ixgbevf: use xso.real_dev instead of xso.dev in callback functions of
+ struct xfrmdev_ops
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit 2de7e4f67599affc97132bd07e30e3bd59d0b777 ]
+
+There are two pointers in struct xfrm_state_offload, *dev, *real_dev.
+These are used in callback functions of struct xfrmdev_ops.
+The *dev points whether bonding interface or real interface.
+If bonding ipsec offload is used, it points bonding interface If not,
+it points real interface.
+And real_dev always points real interface.
+So, ixgbevf should always use real_dev instead of dev.
+Of course, real_dev always not be null.
+
+Test commands:
+ ip link add bond0 type bond
+ #eth0 is ixgbevf interface
+ ip link set eth0 master bond0
+ ip link set bond0 up
+ ip x s add proto esp dst 14.1.1.1 src 15.1.1.1 spi 0x07 mode \
+transport reqid 0x07 replay-window 32 aead 'rfc4106(gcm(aes))' \
+0x44434241343332312423222114131211f4f3f2f1 128 sel src 14.0.0.52/24 \
+dst 14.0.0.70/24 proto tcp offload dev bond0 dir in
+
+Splat looks like:
+KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+CPU: 6 PID: 688 Comm: ip Not tainted 5.13.0-rc3+ #1168
+RIP: 0010:ixgbevf_ipsec_find_empty_idx+0x28/0x1b0 [ixgbevf]
+Code: 00 00 0f 1f 44 00 00 55 53 48 89 fb 48 83 ec 08 40 84 f6 0f 84 9c
+00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02
+84 c0 74 08 3c 01 0f 8e 4c 01 00 00 66 81 3b 00 04 0f
+RSP: 0018:ffff8880089af390 EFLAGS: 00010246
+RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000001
+RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
+RBP: ffff8880089af4f8 R08: 0000000000000003 R09: fffffbfff4287e11
+R10: 0000000000000001 R11: ffff888005de8908 R12: 0000000000000000
+R13: ffff88810936a000 R14: ffff88810936a000 R15: ffff888004d78040
+FS: 00007fdf9883a680(0000) GS:ffff88811a400000(0000)
+knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 000055bc14adbf40 CR3: 000000000b87c005 CR4: 00000000003706e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ ixgbevf_ipsec_add_sa+0x1bf/0x9c0 [ixgbevf]
+ ? rcu_read_lock_sched_held+0x91/0xc0
+ ? ixgbevf_ipsec_parse_proto_keys.isra.9+0x280/0x280 [ixgbevf]
+ ? lock_acquire+0x191/0x720
+ ? bond_ipsec_add_sa+0x48/0x350 [bonding]
+ ? lockdep_hardirqs_on_prepare+0x3e0/0x3e0
+ ? rcu_read_lock_held+0x91/0xa0
+ ? rcu_read_lock_sched_held+0xc0/0xc0
+ bond_ipsec_add_sa+0x193/0x350 [bonding]
+ xfrm_dev_state_add+0x2a9/0x770
+ ? memcpy+0x38/0x60
+ xfrm_add_sa+0x2278/0x3b10 [xfrm_user]
+ ? xfrm_get_policy+0xaa0/0xaa0 [xfrm_user]
+ ? register_lock_class+0x1750/0x1750
+ xfrm_user_rcv_msg+0x331/0x660 [xfrm_user]
+ ? rcu_read_lock_sched_held+0x91/0xc0
+ ? xfrm_user_state_lookup.constprop.39+0x320/0x320 [xfrm_user]
+ ? find_held_lock+0x3a/0x1c0
+ ? mutex_lock_io_nested+0x1210/0x1210
+ ? sched_clock_cpu+0x18/0x170
+ netlink_rcv_skb+0x121/0x350
+[ ... ]
+
+Fixes: 272c2330adc9 ("xfrm: bail early on slave pass over skb")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbevf/ipsec.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbevf/ipsec.c b/drivers/net/ethernet/intel/ixgbevf/ipsec.c
+index caaea2c920a6..e3e4676af9e4 100644
+--- a/drivers/net/ethernet/intel/ixgbevf/ipsec.c
++++ b/drivers/net/ethernet/intel/ixgbevf/ipsec.c
+@@ -211,7 +211,7 @@ struct xfrm_state *ixgbevf_ipsec_find_rx_state(struct ixgbevf_ipsec *ipsec,
+ static int ixgbevf_ipsec_parse_proto_keys(struct xfrm_state *xs,
+ u32 *mykey, u32 *mysalt)
+ {
+- struct net_device *dev = xs->xso.dev;
++ struct net_device *dev = xs->xso.real_dev;
+ unsigned char *key_data;
+ char *alg_name = NULL;
+ int key_len;
+@@ -260,12 +260,15 @@ static int ixgbevf_ipsec_parse_proto_keys(struct xfrm_state *xs,
+ **/
+ static int ixgbevf_ipsec_add_sa(struct xfrm_state *xs)
+ {
+- struct net_device *dev = xs->xso.dev;
+- struct ixgbevf_adapter *adapter = netdev_priv(dev);
+- struct ixgbevf_ipsec *ipsec = adapter->ipsec;
++ struct net_device *dev = xs->xso.real_dev;
++ struct ixgbevf_adapter *adapter;
++ struct ixgbevf_ipsec *ipsec;
+ u16 sa_idx;
+ int ret;
+
++ adapter = netdev_priv(dev);
++ ipsec = adapter->ipsec;
++
+ if (xs->id.proto != IPPROTO_ESP && xs->id.proto != IPPROTO_AH) {
+ netdev_err(dev, "Unsupported protocol 0x%04x for IPsec offload\n",
+ xs->id.proto);
+@@ -383,11 +386,14 @@ static int ixgbevf_ipsec_add_sa(struct xfrm_state *xs)
+ **/
+ static void ixgbevf_ipsec_del_sa(struct xfrm_state *xs)
+ {
+- struct net_device *dev = xs->xso.dev;
+- struct ixgbevf_adapter *adapter = netdev_priv(dev);
+- struct ixgbevf_ipsec *ipsec = adapter->ipsec;
++ struct net_device *dev = xs->xso.real_dev;
++ struct ixgbevf_adapter *adapter;
++ struct ixgbevf_ipsec *ipsec;
+ u16 sa_idx;
+
++ adapter = netdev_priv(dev);
++ ipsec = adapter->ipsec;
++
+ if (xs->xso.flags & XFRM_OFFLOAD_INBOUND) {
+ sa_idx = xs->xso.offload_handle - IXGBE_IPSEC_BASE_RX_INDEX;
+
+--
+2.30.2
+
--- /dev/null
+From 8266618ca2aa08c19836f2c97967de55bfa098c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 15:37:16 +0800
+Subject: Kbuild: lto: fix module versionings mismatch in GNU make 3.X
+
+From: Lecopzer Chen <lecopzer.chen@mediatek.com>
+
+[ Upstream commit 1d11053dc63094075bf9e4809fffd3bb5e72f9a6 ]
+
+When building modules(CONFIG_...=m), I found some of module versions
+are incorrect and set to 0.
+This can be found in build log for first clean build which shows
+
+WARNING: EXPORT symbol "XXXX" [drivers/XXX/XXX.ko] version generation failed,
+symbol will not be versioned.
+
+But in second build(incremental build), the WARNING disappeared and the
+module version becomes valid CRC and make someone who want to change
+modules without updating kernel image can't insert their modules.
+
+The problematic code is
++ $(foreach n, $(filter-out FORCE,$^), \
++ $(if $(wildcard $(n).symversions), \
++ ; cat $(n).symversions >> $@.symversions))
+
+For example:
+ rm -f fs/notify/built-in.a.symversions ; rm -f fs/notify/built-in.a; \
+llvm-ar cDPrST fs/notify/built-in.a fs/notify/fsnotify.o \
+fs/notify/notification.o fs/notify/group.o ...
+
+`foreach n` shows nothing to `cat` into $(n).symversions because
+`if $(wildcard $(n).symversions)` return nothing, but actually
+they do exist during this line was executed.
+
+-rw-r--r-- 1 root root 168580 Jun 13 19:10 fs/notify/fsnotify.o
+-rw-r--r-- 1 root root 111 Jun 13 19:10 fs/notify/fsnotify.o.symversions
+
+The reason is the $(n).symversions are generated at runtime, but
+Makefile wildcard function expends and checks the file exist or not
+during parsing the Makefile.
+
+Thus fix this by use `test` shell command to check the file
+existence in runtime.
+
+Rebase from both:
+1. [https://lore.kernel.org/lkml/20210616080252.32046-1-lecopzer.chen@mediatek.com/]
+2. [https://lore.kernel.org/lkml/20210702032943.7865-1-lecopzer.chen@mediatek.com/]
+
+Fixes: 38e891849003 ("kbuild: lto: fix module versioning")
+Co-developed-by: Sami Tolvanen <samitolvanen@google.com>
+Signed-off-by: Lecopzer Chen <lecopzer.chen@mediatek.com>
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/Makefile.build | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/Makefile.build b/scripts/Makefile.build
+index 34d257653fb4..c6bd62f518ff 100644
+--- a/scripts/Makefile.build
++++ b/scripts/Makefile.build
+@@ -388,7 +388,7 @@ ifeq ($(CONFIG_LTO_CLANG) $(CONFIG_MODVERSIONS),y y)
+ cmd_update_lto_symversions = \
+ rm -f $@.symversions \
+ $(foreach n, $(filter-out FORCE,$^), \
+- $(if $(wildcard $(n).symversions), \
++ $(if $(shell test -s $(n).symversions && echo y), \
+ ; cat $(n).symversions >> $@.symversions))
+ else
+ cmd_update_lto_symversions = echo >/dev/null
+--
+2.30.2
+
--- /dev/null
+From ae3915adb5e544247519546df1411b596e8d6556 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jul 2021 12:43:09 +1000
+Subject: KVM: PPC: Book3S: Fix CONFIG_TRANSACTIONAL_MEM=n crash
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+[ Upstream commit bd31ecf44b8e18ccb1e5f6b50f85de6922a60de3 ]
+
+When running CPU_FTR_P9_TM_HV_ASSIST, HFSCR[TM] is set for the guest
+even if the host has CONFIG_TRANSACTIONAL_MEM=n, which causes it to be
+unprepared to handle guest exits while transactional.
+
+Normal guests don't have a problem because the HTM capability will not
+be advertised, but a rogue or buggy one could crash the host.
+
+Fixes: 4bb3c7a0208f ("KVM: PPC: Book3S HV: Work around transactional memory bugs in POWER9")
+Reported-by: Alexey Kardashevskiy <aik@ozlabs.ru>
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20210716024310.164448-1-npiggin@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kvm/book3s_hv.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c
+index 67cc164c4ac1..395f98158e81 100644
+--- a/arch/powerpc/kvm/book3s_hv.c
++++ b/arch/powerpc/kvm/book3s_hv.c
+@@ -2445,8 +2445,10 @@ static int kvmppc_core_vcpu_create_hv(struct kvm_vcpu *vcpu)
+ HFSCR_DSCR | HFSCR_VECVSX | HFSCR_FP | HFSCR_PREFIX;
+ if (cpu_has_feature(CPU_FTR_HVMODE)) {
+ vcpu->arch.hfscr &= mfspr(SPRN_HFSCR);
++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
+ if (cpu_has_feature(CPU_FTR_P9_TM_HV_ASSIST))
+ vcpu->arch.hfscr |= HFSCR_TM;
++#endif
+ }
+ if (cpu_has_feature(CPU_FTR_TM_COMP))
+ vcpu->arch.hfscr |= HFSCR_TM;
+--
+2.30.2
+
--- /dev/null
+From 6906cdef6d72b58c7850b14d5dc45eaaf0b4f41c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jul 2021 12:43:10 +1000
+Subject: KVM: PPC: Fix kvm_arch_vcpu_ioctl vcpu_load leak
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+[ Upstream commit bc4188a2f56e821ea057aca6bf444e138d06c252 ]
+
+vcpu_put is not called if the user copy fails. This can result in preempt
+notifier corruption and crashes, among other issues.
+
+Fixes: b3cebfe8c1ca ("KVM: PPC: Move vcpu_load/vcpu_put down to each ioctl case in kvm_arch_vcpu_ioctl")
+Reported-by: Alexey Kardashevskiy <aik@ozlabs.ru>
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20210716024310.164448-2-npiggin@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kvm/powerpc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/kvm/powerpc.c b/arch/powerpc/kvm/powerpc.c
+index a2a68a958fa0..6e4f03c02a0a 100644
+--- a/arch/powerpc/kvm/powerpc.c
++++ b/arch/powerpc/kvm/powerpc.c
+@@ -2045,9 +2045,9 @@ long kvm_arch_vcpu_ioctl(struct file *filp,
+ {
+ struct kvm_enable_cap cap;
+ r = -EFAULT;
+- vcpu_load(vcpu);
+ if (copy_from_user(&cap, argp, sizeof(cap)))
+ goto out;
++ vcpu_load(vcpu);
+ r = kvm_vcpu_ioctl_enable_cap(vcpu, &cap);
+ vcpu_put(vcpu);
+ break;
+@@ -2071,9 +2071,9 @@ long kvm_arch_vcpu_ioctl(struct file *filp,
+ case KVM_DIRTY_TLB: {
+ struct kvm_dirty_tlb dirty;
+ r = -EFAULT;
+- vcpu_load(vcpu);
+ if (copy_from_user(&dirty, argp, sizeof(dirty)))
+ goto out;
++ vcpu_load(vcpu);
+ r = kvm_vcpu_ioctl_dirty_tlb(vcpu, &dirty);
+ vcpu_put(vcpu);
+ break;
+--
+2.30.2
+
--- /dev/null
+From 75e0cd354b91b3344d8a9b19045e5865dfa89d88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 May 2021 10:58:26 -0700
+Subject: KVM: SVM: Fix sev_pin_memory() error checks in SEV migration
+ utilities
+
+From: Sean Christopherson <seanjc@google.com>
+
+[ Upstream commit c7a1b2b678c54ac19320daf525038d0e2e43ca7c ]
+
+Use IS_ERR() instead of checking for a NULL pointer when querying for
+sev_pin_memory() failures. sev_pin_memory() always returns an error code
+cast to a pointer, or a valid pointer; it never returns NULL.
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Steve Rutherford <srutherford@google.com>
+Cc: Brijesh Singh <brijesh.singh@amd.com>
+Cc: Ashish Kalra <ashish.kalra@amd.com>
+Fixes: d3d1af85e2c7 ("KVM: SVM: Add KVM_SEND_UPDATE_DATA command")
+Fixes: 15fb7de1a7f5 ("KVM: SVM: Add KVM_SEV_RECEIVE_UPDATE_DATA command")
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Message-Id: <20210506175826.2166383-3-seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/svm/sev.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
+index 3dc3e2897804..02d60d7f903d 100644
+--- a/arch/x86/kvm/svm/sev.c
++++ b/arch/x86/kvm/svm/sev.c
+@@ -1271,8 +1271,8 @@ static int sev_send_update_data(struct kvm *kvm, struct kvm_sev_cmd *argp)
+ /* Pin guest memory */
+ guest_page = sev_pin_memory(kvm, params.guest_uaddr & PAGE_MASK,
+ PAGE_SIZE, &n, 0);
+- if (!guest_page)
+- return -EFAULT;
++ if (IS_ERR(guest_page))
++ return PTR_ERR(guest_page);
+
+ /* allocate memory for header and transport buffer */
+ ret = -ENOMEM;
+@@ -1463,11 +1463,12 @@ static int sev_receive_update_data(struct kvm *kvm, struct kvm_sev_cmd *argp)
+ data.trans_len = params.trans_len;
+
+ /* Pin guest memory */
+- ret = -EFAULT;
+ guest_page = sev_pin_memory(kvm, params.guest_uaddr & PAGE_MASK,
+ PAGE_SIZE, &n, 0);
+- if (!guest_page)
++ if (IS_ERR(guest_page)) {
++ ret = PTR_ERR(guest_page);
+ goto e_free_trans;
++ }
+
+ /* The RECEIVE_UPDATE_DATA command requires C-bit to be always set. */
+ data.guest_address = (page_to_pfn(guest_page[0]) << PAGE_SHIFT) + offset;
+--
+2.30.2
+
--- /dev/null
+From b43a089c497e506ba3b8c957d51a4df87c8938dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 May 2021 10:58:25 -0700
+Subject: KVM: SVM: Return -EFAULT if copy_to_user() for SEV mig packet header
+ fails
+
+From: Sean Christopherson <seanjc@google.com>
+
+[ Upstream commit b4a693924aab93f3747465b2261add46c82c3220 ]
+
+Return -EFAULT if copy_to_user() fails; if accessing user memory faults,
+copy_to_user() returns the number of bytes remaining, not an error code.
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Steve Rutherford <srutherford@google.com>
+Cc: Brijesh Singh <brijesh.singh@amd.com>
+Cc: Ashish Kalra <ashish.kalra@amd.com>
+Fixes: d3d1af85e2c7 ("KVM: SVM: Add KVM_SEND_UPDATE_DATA command")
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Message-Id: <20210506175826.2166383-2-seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/svm/sev.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kvm/svm/sev.c b/arch/x86/kvm/svm/sev.c
+index 8d36f0c73071..3dc3e2897804 100644
+--- a/arch/x86/kvm/svm/sev.c
++++ b/arch/x86/kvm/svm/sev.c
+@@ -1309,8 +1309,9 @@ static int sev_send_update_data(struct kvm *kvm, struct kvm_sev_cmd *argp)
+ }
+
+ /* Copy packet header to userspace. */
+- ret = copy_to_user((void __user *)(uintptr_t)params.hdr_uaddr, hdr,
+- params.hdr_len);
++ if (copy_to_user((void __user *)(uintptr_t)params.hdr_uaddr, hdr,
++ params.hdr_len))
++ ret = -EFAULT;
+
+ e_free_trans_data:
+ kfree(trans_data);
+--
+2.30.2
+
--- /dev/null
+From 48483717b4e3f3dea5dd69d9472aeec3516918f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Jun 2021 15:43:54 +0800
+Subject: KVM: x86/pmu: Clear anythread deprecated bit when 0xa leaf is
+ unsupported on the SVM
+
+From: Like Xu <like.xu.linux@gmail.com>
+
+[ Upstream commit 7234c362ccb3c2228f06f19f93b132de9cfa7ae4 ]
+
+The AMD platform does not support the functions Ah CPUID leaf. The returned
+results for this entry should all remain zero just like the native does:
+
+AMD host:
+ 0x0000000a 0x00: eax=0x00000000 ebx=0x00000000 ecx=0x00000000 edx=0x00000000
+(uncanny) AMD guest:
+ 0x0000000a 0x00: eax=0x00000000 ebx=0x00000000 ecx=0x00000000 edx=0x00008000
+
+Fixes: cadbaa039b99 ("perf/x86/intel: Make anythread filter support conditional")
+Signed-off-by: Like Xu <likexu@tencent.com>
+Message-Id: <20210628074354.33848-1-likexu@tencent.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/cpuid.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
+index ca7866d63e98..739be5da3bca 100644
+--- a/arch/x86/kvm/cpuid.c
++++ b/arch/x86/kvm/cpuid.c
+@@ -765,7 +765,8 @@ static inline int __do_cpuid_func(struct kvm_cpuid_array *array, u32 function)
+
+ edx.split.num_counters_fixed = min(cap.num_counters_fixed, MAX_FIXED_COUNTERS);
+ edx.split.bit_width_fixed = cap.bit_width_fixed;
+- edx.split.anythread_deprecated = 1;
++ if (cap.version)
++ edx.split.anythread_deprecated = 1;
+ edx.split.reserved1 = 0;
+ edx.split.reserved2 = 0;
+
+--
+2.30.2
+
--- /dev/null
+From cac23668a7c35be066cd8f93fb373c95e41ac3d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jul 2021 16:23:43 +0100
+Subject: liquidio: Fix unintentional sign extension issue on left shift of u16
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit e7efc2ce3d0789cd7c21b70ff00cd7838d382639 ]
+
+Shifting the u16 integer oct->pcie_port by CN23XX_PKT_INPUT_CTL_MAC_NUM_POS
+(29) bits will be promoted to a 32 bit signed int and then sign-extended
+to a u64. In the cases where oct->pcie_port where bit 2 is set (e.g. 3..7)
+the shifted value will be sign extended and the top 32 bits of the result
+will be set.
+
+Fix this by casting the u16 values to a u64 before the 29 bit left shift.
+
+Addresses-Coverity: ("Unintended sign extension")
+
+Fixes: 3451b97cce2d ("liquidio: CN23XX register setup")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c b/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c
+index 4cddd628d41b..9ed3d1ab2ca5 100644
+--- a/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c
++++ b/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c
+@@ -420,7 +420,7 @@ static int cn23xx_pf_setup_global_input_regs(struct octeon_device *oct)
+ * bits 32:47 indicate the PVF num.
+ */
+ for (q_no = 0; q_no < ern; q_no++) {
+- reg_val = oct->pcie_port << CN23XX_PKT_INPUT_CTL_MAC_NUM_POS;
++ reg_val = (u64)oct->pcie_port << CN23XX_PKT_INPUT_CTL_MAC_NUM_POS;
+
+ /* for VF assigned queues. */
+ if (q_no < oct->sriov_info.pf_srn) {
+--
+2.30.2
+
--- /dev/null
+From f6a62e5ab9da159ac1e154dcb49326a50b8c959a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jun 2021 16:46:12 -0700
+Subject: mptcp: add sk parameter for mptcp_get_options
+
+From: Geliang Tang <geliangtang@gmail.com>
+
+[ Upstream commit c863225b79426459feca2ef5b0cc2f07e8e68771 ]
+
+This patch added a new parameter name sk in mptcp_get_options().
+
+Acked-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Geliang Tang <geliangtang@gmail.com>
+Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mptcp/options.c | 5 +++--
+ net/mptcp/protocol.h | 3 ++-
+ net/mptcp/subflow.c | 10 +++++-----
+ 3 files changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/net/mptcp/options.c b/net/mptcp/options.c
+index b87e46f515fb..72b1067d5aa2 100644
+--- a/net/mptcp/options.c
++++ b/net/mptcp/options.c
+@@ -323,7 +323,8 @@ static void mptcp_parse_option(const struct sk_buff *skb,
+ }
+ }
+
+-void mptcp_get_options(const struct sk_buff *skb,
++void mptcp_get_options(const struct sock *sk,
++ const struct sk_buff *skb,
+ struct mptcp_options_received *mp_opt)
+ {
+ const struct tcphdr *th = tcp_hdr(skb);
+@@ -1010,7 +1011,7 @@ void mptcp_incoming_options(struct sock *sk, struct sk_buff *skb)
+ return;
+ }
+
+- mptcp_get_options(skb, &mp_opt);
++ mptcp_get_options(sk, skb, &mp_opt);
+ if (!check_fully_established(msk, sk, subflow, skb, &mp_opt))
+ return;
+
+diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h
+index 7b634568f49c..f74258377c05 100644
+--- a/net/mptcp/protocol.h
++++ b/net/mptcp/protocol.h
+@@ -576,7 +576,8 @@ int __init mptcp_proto_v6_init(void);
+ struct sock *mptcp_sk_clone(const struct sock *sk,
+ const struct mptcp_options_received *mp_opt,
+ struct request_sock *req);
+-void mptcp_get_options(const struct sk_buff *skb,
++void mptcp_get_options(const struct sock *sk,
++ const struct sk_buff *skb,
+ struct mptcp_options_received *mp_opt);
+
+ void mptcp_finish_connect(struct sock *sk);
+diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c
+index 5221cfce5390..78e787ef8fff 100644
+--- a/net/mptcp/subflow.c
++++ b/net/mptcp/subflow.c
+@@ -150,7 +150,7 @@ static int subflow_check_req(struct request_sock *req,
+ return -EINVAL;
+ #endif
+
+- mptcp_get_options(skb, &mp_opt);
++ mptcp_get_options(sk_listener, skb, &mp_opt);
+
+ if (mp_opt.mp_capable) {
+ SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_MPCAPABLEPASSIVE);
+@@ -244,7 +244,7 @@ int mptcp_subflow_init_cookie_req(struct request_sock *req,
+ int err;
+
+ subflow_init_req(req, sk_listener);
+- mptcp_get_options(skb, &mp_opt);
++ mptcp_get_options(sk_listener, skb, &mp_opt);
+
+ if (mp_opt.mp_capable && mp_opt.mp_join)
+ return -EINVAL;
+@@ -403,7 +403,7 @@ static void subflow_finish_connect(struct sock *sk, const struct sk_buff *skb)
+ subflow->ssn_offset = TCP_SKB_CB(skb)->seq;
+ pr_debug("subflow=%p synack seq=%x", subflow, subflow->ssn_offset);
+
+- mptcp_get_options(skb, &mp_opt);
++ mptcp_get_options(sk, skb, &mp_opt);
+ if (subflow->request_mptcp) {
+ if (!mp_opt.mp_capable) {
+ MPTCP_INC_STATS(sock_net(sk),
+@@ -650,7 +650,7 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk,
+ * reordered MPC will cause fallback, but we don't have other
+ * options.
+ */
+- mptcp_get_options(skb, &mp_opt);
++ mptcp_get_options(sk, skb, &mp_opt);
+ if (!mp_opt.mp_capable) {
+ fallback = true;
+ goto create_child;
+@@ -660,7 +660,7 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk,
+ if (!new_msk)
+ fallback = true;
+ } else if (subflow_req->mp_join) {
+- mptcp_get_options(skb, &mp_opt);
++ mptcp_get_options(sk, skb, &mp_opt);
+ if (!mp_opt.mp_join || !subflow_hmac_valid(req, &mp_opt) ||
+ !mptcp_can_accept_new_subflow(subflow_req->msk)) {
+ SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_JOINACKMAC);
+--
+2.30.2
+
--- /dev/null
+From abc2f2567f1620aed353c12a6a7e3faf31b92b4e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Jul 2021 17:20:49 -0700
+Subject: mptcp: avoid processing packet if a subflow reset
+
+From: Jianguo Wu <wujianguo@chinatelecom.cn>
+
+[ Upstream commit 6787b7e350d3552651a3422d3d8980fbc8d65368 ]
+
+If check_fully_established() causes a subflow reset, it should not
+continue to process the packet in tcp_data_queue().
+Add a return value to mptcp_incoming_options(), and return false if a
+subflow has been reset, else return true. Then drop the packet in
+tcp_data_queue()/tcp_rcv_state_process() if mptcp_incoming_options()
+return false.
+
+Fixes: d582484726c4 ("mptcp: fix fallback for MP_JOIN subflows")
+Signed-off-by: Jianguo Wu <wujianguo@chinatelecom.cn>
+Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/mptcp.h | 5 +++--
+ net/ipv4/tcp_input.c | 19 +++++++++++++++----
+ net/mptcp/options.c | 19 +++++++++++++------
+ 3 files changed, 31 insertions(+), 12 deletions(-)
+
+diff --git a/include/net/mptcp.h b/include/net/mptcp.h
+index 83f23774b908..f1d798ff29e9 100644
+--- a/include/net/mptcp.h
++++ b/include/net/mptcp.h
+@@ -101,7 +101,7 @@ bool mptcp_synack_options(const struct request_sock *req, unsigned int *size,
+ bool mptcp_established_options(struct sock *sk, struct sk_buff *skb,
+ unsigned int *size, unsigned int remaining,
+ struct mptcp_out_options *opts);
+-void mptcp_incoming_options(struct sock *sk, struct sk_buff *skb);
++bool mptcp_incoming_options(struct sock *sk, struct sk_buff *skb);
+
+ void mptcp_write_options(__be32 *ptr, const struct tcp_sock *tp,
+ struct mptcp_out_options *opts);
+@@ -223,9 +223,10 @@ static inline bool mptcp_established_options(struct sock *sk,
+ return false;
+ }
+
+-static inline void mptcp_incoming_options(struct sock *sk,
++static inline bool mptcp_incoming_options(struct sock *sk,
+ struct sk_buff *skb)
+ {
++ return true;
+ }
+
+ static inline void mptcp_skb_ext_move(struct sk_buff *to,
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index 6bd628f08ded..0f1b4bfddfd4 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -4247,6 +4247,9 @@ void tcp_reset(struct sock *sk, struct sk_buff *skb)
+ {
+ trace_tcp_receive_reset(sk);
+
++ /* mptcp can't tell us to ignore reset pkts,
++ * so just ignore the return value of mptcp_incoming_options().
++ */
+ if (sk_is_mptcp(sk))
+ mptcp_incoming_options(sk, skb);
+
+@@ -4941,8 +4944,13 @@ static void tcp_data_queue(struct sock *sk, struct sk_buff *skb)
+ bool fragstolen;
+ int eaten;
+
+- if (sk_is_mptcp(sk))
+- mptcp_incoming_options(sk, skb);
++ /* If a subflow has been reset, the packet should not continue
++ * to be processed, drop the packet.
++ */
++ if (sk_is_mptcp(sk) && !mptcp_incoming_options(sk, skb)) {
++ __kfree_skb(skb);
++ return;
++ }
+
+ if (TCP_SKB_CB(skb)->seq == TCP_SKB_CB(skb)->end_seq) {
+ __kfree_skb(skb);
+@@ -6522,8 +6530,11 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb)
+ case TCP_CLOSING:
+ case TCP_LAST_ACK:
+ if (!before(TCP_SKB_CB(skb)->seq, tp->rcv_nxt)) {
+- if (sk_is_mptcp(sk))
+- mptcp_incoming_options(sk, skb);
++ /* If a subflow has been reset, the packet should not
++ * continue to be processed, drop the packet.
++ */
++ if (sk_is_mptcp(sk) && !mptcp_incoming_options(sk, skb))
++ goto discard;
+ break;
+ }
+ fallthrough;
+diff --git a/net/mptcp/options.c b/net/mptcp/options.c
+index 72b1067d5aa2..4f08e04e1ab7 100644
+--- a/net/mptcp/options.c
++++ b/net/mptcp/options.c
+@@ -990,7 +990,8 @@ static bool add_addr_hmac_valid(struct mptcp_sock *msk,
+ return hmac == mp_opt->ahmac;
+ }
+
+-void mptcp_incoming_options(struct sock *sk, struct sk_buff *skb)
++/* Return false if a subflow has been reset, else return true */
++bool mptcp_incoming_options(struct sock *sk, struct sk_buff *skb)
+ {
+ struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(sk);
+ struct mptcp_sock *msk = mptcp_sk(subflow->conn);
+@@ -1008,12 +1009,16 @@ void mptcp_incoming_options(struct sock *sk, struct sk_buff *skb)
+ __mptcp_check_push(subflow->conn, sk);
+ __mptcp_data_acked(subflow->conn);
+ mptcp_data_unlock(subflow->conn);
+- return;
++ return true;
+ }
+
+ mptcp_get_options(sk, skb, &mp_opt);
++
++ /* The subflow can be in close state only if check_fully_established()
++ * just sent a reset. If so, tell the caller to ignore the current packet.
++ */
+ if (!check_fully_established(msk, sk, subflow, skb, &mp_opt))
+- return;
++ return sk->sk_state != TCP_CLOSE;
+
+ if (mp_opt.fastclose &&
+ msk->local_key == mp_opt.rcvr_key) {
+@@ -1055,7 +1060,7 @@ void mptcp_incoming_options(struct sock *sk, struct sk_buff *skb)
+ }
+
+ if (!mp_opt.dss)
+- return;
++ return true;
+
+ /* we can't wait for recvmsg() to update the ack_seq, otherwise
+ * monodirectional flows will stuck
+@@ -1074,12 +1079,12 @@ void mptcp_incoming_options(struct sock *sk, struct sk_buff *skb)
+ schedule_work(&msk->work))
+ sock_hold(subflow->conn);
+
+- return;
++ return true;
+ }
+
+ mpext = skb_ext_add(skb, SKB_EXT_MPTCP);
+ if (!mpext)
+- return;
++ return true;
+
+ memset(mpext, 0, sizeof(*mpext));
+
+@@ -1104,6 +1109,8 @@ void mptcp_incoming_options(struct sock *sk, struct sk_buff *skb)
+ mpext->data_len = mp_opt.data_len;
+ mpext->use_map = 1;
+ }
++
++ return true;
+ }
+
+ static void mptcp_set_rwin(const struct tcp_sock *tp)
+--
+2.30.2
+
--- /dev/null
+From 4a6674ff37b902fe4e5dbbe5f5de1638cd8df3d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Jul 2021 17:20:48 -0700
+Subject: mptcp: fix syncookie process if mptcp can not_accept new subflow
+
+From: Jianguo Wu <wujianguo@chinatelecom.cn>
+
+[ Upstream commit 8547ea5f52dd8ef19b69c25c41b1415481b3503b ]
+
+Lots of "TCP: tcp_fin: Impossible, sk->sk_state=7" in client side
+when doing stress testing using wrk and webfsd.
+
+There are at least two cases may trigger this warning:
+1.mptcp is in syncookie, and server recv MP_JOIN SYN request,
+ in subflow_check_req(), the mptcp_can_accept_new_subflow()
+ return false, so subflow_init_req_cookie_join_save() isn't
+ called, i.e. not store the data present in the MP_JOIN syn
+ request and the random nonce in hash table - join_entries[],
+ but still send synack. When recv 3rd-ack,
+ mptcp_token_join_cookie_init_state() will return false, and
+ 3rd-ack is dropped, then if mptcp conn is closed by client,
+ client will send a DATA_FIN and a MPTCP FIN, the DATA_FIN
+ doesn't have MP_CAPABLE or MP_JOIN,
+ so mptcp_subflow_init_cookie_req() will return 0, and pass
+ the cookie check, MP_JOIN request is fallback to normal TCP.
+ Server will send a TCP FIN if closed, in client side,
+ when process TCP FIN, it will do reset, the code path is:
+ tcp_data_queue()->mptcp_incoming_options()
+ ->check_fully_established()->mptcp_subflow_reset().
+ mptcp_subflow_reset() will set sock state to TCP_CLOSE,
+ so tcp_fin will hit TCP_CLOSE, and print the warning.
+
+2.mptcp is in syncookie, and server recv 3rd-ack, in
+ mptcp_subflow_init_cookie_req(), mptcp_can_accept_new_subflow()
+ return false, and subflow_req->mp_join is not set to 1,
+ so in subflow_syn_recv_sock() will not reset the MP_JOIN
+ subflow, but fallback to normal TCP, and then the same thing
+ happens when server will send a TCP FIN if closed.
+
+For case1, subflow_check_req() return -EPERM,
+then tcp_conn_request() will drop MP_JOIN SYN.
+
+For case2, let subflow_syn_recv_sock() call
+mptcp_can_accept_new_subflow(), and do fatal fallback, send reset.
+
+Fixes: 9466a1ccebbe ("mptcp: enable JOIN requests even if cookies are in use")
+Signed-off-by: Jianguo Wu <wujianguo@chinatelecom.cn>
+Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mptcp/subflow.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c
+index 5493c851ca6c..5221cfce5390 100644
+--- a/net/mptcp/subflow.c
++++ b/net/mptcp/subflow.c
+@@ -223,6 +223,8 @@ again:
+ if (unlikely(req->syncookie)) {
+ if (mptcp_can_accept_new_subflow(subflow_req->msk))
+ subflow_init_req_cookie_join_save(subflow_req, skb);
++ else
++ return -EPERM;
+ }
+
+ pr_debug("token=%u, remote_nonce=%u msk=%p", subflow_req->token,
+@@ -262,9 +264,7 @@ int mptcp_subflow_init_cookie_req(struct request_sock *req,
+ if (!mptcp_token_join_cookie_init_state(subflow_req, skb))
+ return -EINVAL;
+
+- if (mptcp_can_accept_new_subflow(subflow_req->msk))
+- subflow_req->mp_join = 1;
+-
++ subflow_req->mp_join = 1;
+ subflow_req->ssn_offset = TCP_SKB_CB(skb)->seq - 1;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 8a8a0a058235860ad7a0be9a3e25ef032c7bf63b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Jul 2021 17:20:46 -0700
+Subject: mptcp: fix warning in __skb_flow_dissect() when do syn cookie for
+ subflow join
+
+From: Jianguo Wu <wujianguo@chinatelecom.cn>
+
+[ Upstream commit 0c71929b5893e410e0efbe1bbeca6f19a5f19956 ]
+
+I did stress test with wrk[1] and webfsd[2] with the assistance of
+mptcp-tools[3]:
+
+ Server side:
+ ./use_mptcp.sh webfsd -4 -R /tmp/ -p 8099
+ Client side:
+ ./use_mptcp.sh wrk -c 200 -d 30 -t 4 http://192.168.174.129:8099/
+
+and got the following warning message:
+
+[ 55.552626] TCP: request_sock_subflow: Possible SYN flooding on port 8099. Sending cookies. Check SNMP counters.
+[ 55.553024] ------------[ cut here ]------------
+[ 55.553027] WARNING: CPU: 0 PID: 10 at net/core/flow_dissector.c:984 __skb_flow_dissect+0x280/0x1650
+...
+[ 55.553117] CPU: 0 PID: 10 Comm: ksoftirqd/0 Not tainted 5.12.0+ #18
+[ 55.553121] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 02/27/2020
+[ 55.553124] RIP: 0010:__skb_flow_dissect+0x280/0x1650
+...
+[ 55.553133] RSP: 0018:ffffb79580087770 EFLAGS: 00010246
+[ 55.553137] RAX: 0000000000000000 RBX: ffffffff8ddb58e0 RCX: ffffb79580087888
+[ 55.553139] RDX: ffffffff8ddb58e0 RSI: ffff8f7e4652b600 RDI: 0000000000000000
+[ 55.553141] RBP: ffffb79580087858 R08: 0000000000000000 R09: 0000000000000008
+[ 55.553143] R10: 000000008c622965 R11: 00000000d3313a5b R12: ffff8f7e4652b600
+[ 55.553146] R13: ffff8f7e465c9062 R14: 0000000000000000 R15: ffffb79580087888
+[ 55.553149] FS: 0000000000000000(0000) GS:ffff8f7f75e00000(0000) knlGS:0000000000000000
+[ 55.553152] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 55.553154] CR2: 00007f73d1d19000 CR3: 0000000135e10004 CR4: 00000000003706f0
+[ 55.553160] Call Trace:
+[ 55.553166] ? __sha256_final+0x67/0xd0
+[ 55.553173] ? sha256+0x7e/0xa0
+[ 55.553177] __skb_get_hash+0x57/0x210
+[ 55.553182] subflow_init_req_cookie_join_save+0xac/0xc0
+[ 55.553189] subflow_check_req+0x474/0x550
+[ 55.553195] ? ip_route_output_key_hash+0x67/0x90
+[ 55.553200] ? xfrm_lookup_route+0x1d/0xa0
+[ 55.553207] subflow_v4_route_req+0x8e/0xd0
+[ 55.553212] tcp_conn_request+0x31e/0xab0
+[ 55.553218] ? selinux_socket_sock_rcv_skb+0x116/0x210
+[ 55.553224] ? tcp_rcv_state_process+0x179/0x6d0
+[ 55.553229] tcp_rcv_state_process+0x179/0x6d0
+[ 55.553235] tcp_v4_do_rcv+0xaf/0x220
+[ 55.553239] tcp_v4_rcv+0xce4/0xd80
+[ 55.553243] ? ip_route_input_rcu+0x246/0x260
+[ 55.553248] ip_protocol_deliver_rcu+0x35/0x1b0
+[ 55.553253] ip_local_deliver_finish+0x44/0x50
+[ 55.553258] ip_local_deliver+0x6c/0x110
+[ 55.553262] ? ip_rcv_finish_core.isra.19+0x5a/0x400
+[ 55.553267] ip_rcv+0xd1/0xe0
+...
+
+After debugging, I found in __skb_flow_dissect(), skb->dev and skb->sk
+are both NULL, then net is NULL, and trigger WARN_ON_ONCE(!net),
+actually net is always NULL in this code path, as skb->dev is set to
+NULL in tcp_v4_rcv(), and skb->sk is never set.
+
+Code snippet in __skb_flow_dissect() that trigger warning:
+ 975 if (skb) {
+ 976 if (!net) {
+ 977 if (skb->dev)
+ 978 net = dev_net(skb->dev);
+ 979 else if (skb->sk)
+ 980 net = sock_net(skb->sk);
+ 981 }
+ 982 }
+ 983
+ 984 WARN_ON_ONCE(!net);
+
+So, using seq and transport header derived hash.
+
+[1] https://github.com/wg/wrk
+[2] https://github.com/ourway/webfsd
+[3] https://github.com/pabeni/mptcp-tools
+
+Fixes: 9466a1ccebbe ("mptcp: enable JOIN requests even if cookies are in use")
+Suggested-by: Paolo Abeni <pabeni@redhat.com>
+Suggested-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Jianguo Wu <wujianguo@chinatelecom.cn>
+Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mptcp/syncookies.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/net/mptcp/syncookies.c b/net/mptcp/syncookies.c
+index abe0fd099746..37127781aee9 100644
+--- a/net/mptcp/syncookies.c
++++ b/net/mptcp/syncookies.c
+@@ -37,7 +37,21 @@ static spinlock_t join_entry_locks[COOKIE_JOIN_SLOTS] __cacheline_aligned_in_smp
+
+ static u32 mptcp_join_entry_hash(struct sk_buff *skb, struct net *net)
+ {
+- u32 i = skb_get_hash(skb) ^ net_hash_mix(net);
++ static u32 mptcp_join_hash_secret __read_mostly;
++ struct tcphdr *th = tcp_hdr(skb);
++ u32 seq, i;
++
++ net_get_random_once(&mptcp_join_hash_secret,
++ sizeof(mptcp_join_hash_secret));
++
++ if (th->syn)
++ seq = TCP_SKB_CB(skb)->seq;
++ else
++ seq = TCP_SKB_CB(skb)->seq - 1;
++
++ i = jhash_3words(seq, net_hash_mix(net),
++ (__force __u32)th->source << 16 | (__force __u32)th->dest,
++ mptcp_join_hash_secret);
+
+ return i % ARRAY_SIZE(join_entries);
+ }
+--
+2.30.2
+
--- /dev/null
+From ea1f17d1c56fe3cfab272ce7760bb31df09bc042 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Jul 2021 17:20:51 -0700
+Subject: mptcp: properly account bulk freed memory
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit ce599c516386f09ca30848a1a4eb93d3fffbe187 ]
+
+After commit 879526030c8b ("mptcp: protect the rx path with
+the msk socket spinlock") the rmem currently used by a given
+msk is really sk_rmem_alloc - rmem_released.
+
+The safety check in mptcp_data_ready() does not take the above
+in due account, as a result legit incoming data is kept in
+subflow receive queue with no reason, delaying or blocking
+MPTCP-level ack generation.
+
+This change addresses the issue introducing a new helper to fetch
+the rmem memory and using it as needed. Additionally add a MIB
+counter for the exceptional event described above - the peer is
+misbehaving.
+
+Finally, introduce the required annotation when rmem_released is
+updated.
+
+Fixes: 879526030c8b ("mptcp: protect the rx path with the msk socket spinlock")
+Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/211
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mptcp/mib.c | 1 +
+ net/mptcp/mib.h | 1 +
+ net/mptcp/protocol.c | 12 +++++++-----
+ net/mptcp/protocol.h | 10 +++++++++-
+ 4 files changed, 18 insertions(+), 6 deletions(-)
+
+diff --git a/net/mptcp/mib.c b/net/mptcp/mib.c
+index eb2dc6dbe212..c8f4823cd79f 100644
+--- a/net/mptcp/mib.c
++++ b/net/mptcp/mib.c
+@@ -42,6 +42,7 @@ static const struct snmp_mib mptcp_snmp_list[] = {
+ SNMP_MIB_ITEM("RmSubflow", MPTCP_MIB_RMSUBFLOW),
+ SNMP_MIB_ITEM("MPPrioTx", MPTCP_MIB_MPPRIOTX),
+ SNMP_MIB_ITEM("MPPrioRx", MPTCP_MIB_MPPRIORX),
++ SNMP_MIB_ITEM("RcvPruned", MPTCP_MIB_RCVPRUNED),
+ SNMP_MIB_SENTINEL
+ };
+
+diff --git a/net/mptcp/mib.h b/net/mptcp/mib.h
+index f0da4f060fe1..93fa7c95e206 100644
+--- a/net/mptcp/mib.h
++++ b/net/mptcp/mib.h
+@@ -35,6 +35,7 @@ enum linux_mptcp_mib_field {
+ MPTCP_MIB_RMSUBFLOW, /* Remove a subflow */
+ MPTCP_MIB_MPPRIOTX, /* Transmit a MP_PRIO */
+ MPTCP_MIB_MPPRIORX, /* Received a MP_PRIO */
++ MPTCP_MIB_RCVPRUNED, /* Incoming packet dropped due to memory limit */
+ __MPTCP_MIB_MAX
+ };
+
+diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
+index 18f152bdb66f..94b707a39bc3 100644
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -465,7 +465,7 @@ static void mptcp_cleanup_rbuf(struct mptcp_sock *msk)
+ bool cleanup, rx_empty;
+
+ cleanup = (space > 0) && (space >= (old_space << 1));
+- rx_empty = !atomic_read(&sk->sk_rmem_alloc);
++ rx_empty = !__mptcp_rmem(sk);
+
+ mptcp_for_each_subflow(msk, subflow) {
+ struct sock *ssk = mptcp_subflow_tcp_sock(subflow);
+@@ -714,8 +714,10 @@ void mptcp_data_ready(struct sock *sk, struct sock *ssk)
+ sk_rbuf = ssk_rbuf;
+
+ /* over limit? can't append more skbs to msk, Also, no need to wake-up*/
+- if (atomic_read(&sk->sk_rmem_alloc) > sk_rbuf)
++ if (__mptcp_rmem(sk) > sk_rbuf) {
++ MPTCP_INC_STATS(sock_net(sk), MPTCP_MIB_RCVPRUNED);
+ return;
++ }
+
+ /* Wake-up the reader only for in-sequence data */
+ mptcp_data_lock(sk);
+@@ -1799,7 +1801,7 @@ static int __mptcp_recvmsg_mskq(struct mptcp_sock *msk,
+ if (!(flags & MSG_PEEK)) {
+ /* we will bulk release the skb memory later */
+ skb->destructor = NULL;
+- msk->rmem_released += skb->truesize;
++ WRITE_ONCE(msk->rmem_released, msk->rmem_released + skb->truesize);
+ __skb_unlink(skb, &msk->receive_queue);
+ __kfree_skb(skb);
+ }
+@@ -1918,7 +1920,7 @@ static void __mptcp_update_rmem(struct sock *sk)
+
+ atomic_sub(msk->rmem_released, &sk->sk_rmem_alloc);
+ sk_mem_uncharge(sk, msk->rmem_released);
+- msk->rmem_released = 0;
++ WRITE_ONCE(msk->rmem_released, 0);
+ }
+
+ static void __mptcp_splice_receive_queue(struct sock *sk)
+@@ -2420,7 +2422,7 @@ static int __mptcp_init_sock(struct sock *sk)
+ msk->out_of_order_queue = RB_ROOT;
+ msk->first_pending = NULL;
+ msk->wmem_reserved = 0;
+- msk->rmem_released = 0;
++ WRITE_ONCE(msk->rmem_released, 0);
+ msk->tx_pending_data = 0;
+ msk->size_goal_cache = TCP_BASE_MSS;
+
+diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h
+index f842c832f6b0..dc5b71de0a9a 100644
+--- a/net/mptcp/protocol.h
++++ b/net/mptcp/protocol.h
+@@ -290,9 +290,17 @@ static inline struct mptcp_sock *mptcp_sk(const struct sock *sk)
+ return (struct mptcp_sock *)sk;
+ }
+
++/* the msk socket don't use the backlog, also account for the bulk
++ * free memory
++ */
++static inline int __mptcp_rmem(const struct sock *sk)
++{
++ return atomic_read(&sk->sk_rmem_alloc) - READ_ONCE(mptcp_sk(sk)->rmem_released);
++}
++
+ static inline int __mptcp_space(const struct sock *sk)
+ {
+- return tcp_space(sk) + READ_ONCE(mptcp_sk(sk)->rmem_released);
++ return tcp_win_from_space(sk, READ_ONCE(sk->sk_rcvbuf) - __mptcp_rmem(sk));
+ }
+
+ static inline struct mptcp_data_frag *mptcp_send_head(const struct sock *sk)
+--
+2.30.2
+
--- /dev/null
+From d593d14d946f59aab07b1c121ec377196ce39cb9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Jun 2021 12:25:23 -0700
+Subject: mptcp: refine mptcp_cleanup_rbuf
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit fde56eea01f96b664eb63033990be0fd2a945da5 ]
+
+The current cleanup rbuf tries a bit too hard to avoid acquiring
+the subflow socket lock. We may end-up delaying the needed ack,
+or skip acking a blocked subflow.
+
+Address the above extending the conditions used to trigger the cleanup
+to reflect more closely what TCP does and invoking tcp_cleanup_rbuf()
+on all the active subflows.
+
+Note that we can't replicate the exact tests implemented in
+tcp_cleanup_rbuf(), as MPTCP lacks some of the required info - e.g.
+ping-pong mode.
+
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mptcp/protocol.c | 56 ++++++++++++++++++--------------------------
+ net/mptcp/protocol.h | 1 -
+ 2 files changed, 23 insertions(+), 34 deletions(-)
+
+diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
+index 0f36fefcc77e..18f152bdb66f 100644
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -433,49 +433,46 @@ static void mptcp_send_ack(struct mptcp_sock *msk)
+ }
+ }
+
+-static bool mptcp_subflow_cleanup_rbuf(struct sock *ssk)
++static void mptcp_subflow_cleanup_rbuf(struct sock *ssk)
+ {
+ bool slow;
+- int ret;
+
+ slow = lock_sock_fast(ssk);
+- ret = tcp_can_send_ack(ssk);
+- if (ret)
++ if (tcp_can_send_ack(ssk))
+ tcp_cleanup_rbuf(ssk, 1);
+ unlock_sock_fast(ssk, slow);
+- return ret;
++}
++
++static bool mptcp_subflow_could_cleanup(const struct sock *ssk, bool rx_empty)
++{
++ const struct inet_connection_sock *icsk = inet_csk(ssk);
++ bool ack_pending = READ_ONCE(icsk->icsk_ack.pending);
++ const struct tcp_sock *tp = tcp_sk(ssk);
++
++ return (ack_pending & ICSK_ACK_SCHED) &&
++ ((READ_ONCE(tp->rcv_nxt) - READ_ONCE(tp->rcv_wup) >
++ READ_ONCE(icsk->icsk_ack.rcv_mss)) ||
++ (rx_empty && ack_pending &
++ (ICSK_ACK_PUSHED2 | ICSK_ACK_PUSHED)));
+ }
+
+ static void mptcp_cleanup_rbuf(struct mptcp_sock *msk)
+ {
+- struct sock *ack_hint = READ_ONCE(msk->ack_hint);
+ int old_space = READ_ONCE(msk->old_wspace);
+ struct mptcp_subflow_context *subflow;
+ struct sock *sk = (struct sock *)msk;
+- bool cleanup;
++ int space = __mptcp_space(sk);
++ bool cleanup, rx_empty;
+
+- /* this is a simple superset of what tcp_cleanup_rbuf() implements
+- * so that we don't have to acquire the ssk socket lock most of the time
+- * to do actually nothing
+- */
+- cleanup = __mptcp_space(sk) - old_space >= max(0, old_space);
+- if (!cleanup)
+- return;
++ cleanup = (space > 0) && (space >= (old_space << 1));
++ rx_empty = !atomic_read(&sk->sk_rmem_alloc);
+
+- /* if the hinted ssk is still active, try to use it */
+- if (likely(ack_hint)) {
+- mptcp_for_each_subflow(msk, subflow) {
+- struct sock *ssk = mptcp_subflow_tcp_sock(subflow);
++ mptcp_for_each_subflow(msk, subflow) {
++ struct sock *ssk = mptcp_subflow_tcp_sock(subflow);
+
+- if (ack_hint == ssk && mptcp_subflow_cleanup_rbuf(ssk))
+- return;
+- }
++ if (cleanup || mptcp_subflow_could_cleanup(ssk, rx_empty))
++ mptcp_subflow_cleanup_rbuf(ssk);
+ }
+-
+- /* otherwise pick the first active subflow */
+- mptcp_for_each_subflow(msk, subflow)
+- if (mptcp_subflow_cleanup_rbuf(mptcp_subflow_tcp_sock(subflow)))
+- return;
+ }
+
+ static bool mptcp_check_data_fin(struct sock *sk)
+@@ -620,7 +617,6 @@ static bool __mptcp_move_skbs_from_subflow(struct mptcp_sock *msk,
+ break;
+ }
+ } while (more_data_avail);
+- WRITE_ONCE(msk->ack_hint, ssk);
+
+ *bytes += moved;
+ return done;
+@@ -1955,7 +1951,6 @@ static bool __mptcp_move_skbs(struct mptcp_sock *msk)
+ __mptcp_update_rmem(sk);
+ done = __mptcp_move_skbs_from_subflow(msk, ssk, &moved);
+ mptcp_data_unlock(sk);
+- tcp_cleanup_rbuf(ssk, moved);
+
+ if (unlikely(ssk->sk_err))
+ __mptcp_error_report(sk);
+@@ -1971,7 +1966,6 @@ static bool __mptcp_move_skbs(struct mptcp_sock *msk)
+ ret |= __mptcp_ofo_queue(msk);
+ __mptcp_splice_receive_queue(sk);
+ mptcp_data_unlock(sk);
+- mptcp_cleanup_rbuf(msk);
+ }
+ if (ret)
+ mptcp_check_data_fin((struct sock *)msk);
+@@ -2216,9 +2210,6 @@ static void __mptcp_close_ssk(struct sock *sk, struct sock *ssk,
+ if (ssk == msk->last_snd)
+ msk->last_snd = NULL;
+
+- if (ssk == msk->ack_hint)
+- msk->ack_hint = NULL;
+-
+ if (ssk == msk->first)
+ msk->first = NULL;
+
+@@ -2433,7 +2424,6 @@ static int __mptcp_init_sock(struct sock *sk)
+ msk->tx_pending_data = 0;
+ msk->size_goal_cache = TCP_BASE_MSS;
+
+- msk->ack_hint = NULL;
+ msk->first = NULL;
+ inet_csk(sk)->icsk_sync_mss = mptcp_sync_mss;
+
+diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h
+index f74258377c05..f842c832f6b0 100644
+--- a/net/mptcp/protocol.h
++++ b/net/mptcp/protocol.h
+@@ -236,7 +236,6 @@ struct mptcp_sock {
+ bool rcv_fastclose;
+ bool use_64bit_ack; /* Set when we received a 64-bit DSN */
+ spinlock_t join_list_lock;
+- struct sock *ack_hint;
+ struct work_struct work;
+ struct sk_buff *ooo_last_skb;
+ struct rb_root out_of_order_queue;
+--
+2.30.2
+
--- /dev/null
+From 3e03e81c2dfd3661089f67a0a981b09e8a628982 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Jul 2021 17:20:47 -0700
+Subject: mptcp: remove redundant req destruct in subflow_check_req()
+
+From: Jianguo Wu <wujianguo@chinatelecom.cn>
+
+[ Upstream commit 030d37bd1cd2443a1f21db47eb301899bfa45a2a ]
+
+In subflow_check_req(), if subflow sport is mismatch, will put msk,
+destroy token, and destruct req, then return -EPERM, which can be
+done by subflow_req_destructor() via:
+
+ tcp_conn_request()
+ |--__reqsk_free()
+ |--subflow_req_destructor()
+
+So we should remove these redundant code, otherwise will call
+tcp_v4_reqsk_destructor() twice, and may double free
+inet_rsk(req)->ireq_opt.
+
+Fixes: 5bc56388c74f ("mptcp: add port number check for MP_JOIN")
+Signed-off-by: Jianguo Wu <wujianguo@chinatelecom.cn>
+Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mptcp/subflow.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c
+index cbc452d0901e..5493c851ca6c 100644
+--- a/net/mptcp/subflow.c
++++ b/net/mptcp/subflow.c
+@@ -212,11 +212,6 @@ again:
+ ntohs(inet_sk(sk_listener)->inet_sport),
+ ntohs(inet_sk((struct sock *)subflow_req->msk)->inet_sport));
+ if (!mptcp_pm_sport_in_anno_list(subflow_req->msk, sk_listener)) {
+- sock_put((struct sock *)subflow_req->msk);
+- mptcp_token_destroy_request(req);
+- tcp_request_sock_ops.destructor(req);
+- subflow_req->msk = NULL;
+- subflow_req->mp_join = 0;
+ SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_MISMATCHPORTSYNRX);
+ return -EPERM;
+ }
+--
+2.30.2
+
--- /dev/null
+From d35c64c47e2e29662d3d18a400ee8a33ee74b617 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jun 2021 15:54:34 -0700
+Subject: mptcp: use fast lock for subflows when possible
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit 75e908c33615999abe1f3a8429d25dea30d28e4e ]
+
+There are a bunch of callsite where the ssk socket
+lock is acquired using the full-blown version eligible for
+the fast variant. Let's move to the latter.
+
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mptcp/pm_netlink.c | 10 ++++++----
+ net/mptcp/protocol.c | 15 +++++++++------
+ 2 files changed, 15 insertions(+), 10 deletions(-)
+
+diff --git a/net/mptcp/pm_netlink.c b/net/mptcp/pm_netlink.c
+index 3f5d90a20235..fce1d057d19e 100644
+--- a/net/mptcp/pm_netlink.c
++++ b/net/mptcp/pm_netlink.c
+@@ -540,6 +540,7 @@ void mptcp_pm_nl_addr_send_ack(struct mptcp_sock *msk)
+ subflow = list_first_entry_or_null(&msk->conn_list, typeof(*subflow), node);
+ if (subflow) {
+ struct sock *ssk = mptcp_subflow_tcp_sock(subflow);
++ bool slow;
+
+ spin_unlock_bh(&msk->pm.lock);
+ pr_debug("send ack for %s%s%s",
+@@ -547,9 +548,9 @@ void mptcp_pm_nl_addr_send_ack(struct mptcp_sock *msk)
+ mptcp_pm_should_add_signal_ipv6(msk) ? " [ipv6]" : "",
+ mptcp_pm_should_add_signal_port(msk) ? " [port]" : "");
+
+- lock_sock(ssk);
++ slow = lock_sock_fast(ssk);
+ tcp_send_ack(ssk);
+- release_sock(ssk);
++ unlock_sock_fast(ssk, slow);
+ spin_lock_bh(&msk->pm.lock);
+ }
+ }
+@@ -566,6 +567,7 @@ int mptcp_pm_nl_mp_prio_send_ack(struct mptcp_sock *msk,
+ struct sock *ssk = mptcp_subflow_tcp_sock(subflow);
+ struct sock *sk = (struct sock *)msk;
+ struct mptcp_addr_info local;
++ bool slow;
+
+ local_address((struct sock_common *)ssk, &local);
+ if (!addresses_equal(&local, addr, addr->port))
+@@ -578,9 +580,9 @@ int mptcp_pm_nl_mp_prio_send_ack(struct mptcp_sock *msk,
+
+ spin_unlock_bh(&msk->pm.lock);
+ pr_debug("send ack for mp_prio");
+- lock_sock(ssk);
++ slow = lock_sock_fast(ssk);
+ tcp_send_ack(ssk);
+- release_sock(ssk);
++ unlock_sock_fast(ssk, slow);
+ spin_lock_bh(&msk->pm.lock);
+
+ return 0;
+diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
+index 8ead550df8b1..0f36fefcc77e 100644
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -424,23 +424,25 @@ static void mptcp_send_ack(struct mptcp_sock *msk)
+
+ mptcp_for_each_subflow(msk, subflow) {
+ struct sock *ssk = mptcp_subflow_tcp_sock(subflow);
++ bool slow;
+
+- lock_sock(ssk);
++ slow = lock_sock_fast(ssk);
+ if (tcp_can_send_ack(ssk))
+ tcp_send_ack(ssk);
+- release_sock(ssk);
++ unlock_sock_fast(ssk, slow);
+ }
+ }
+
+ static bool mptcp_subflow_cleanup_rbuf(struct sock *ssk)
+ {
++ bool slow;
+ int ret;
+
+- lock_sock(ssk);
++ slow = lock_sock_fast(ssk);
+ ret = tcp_can_send_ack(ssk);
+ if (ret)
+ tcp_cleanup_rbuf(ssk, 1);
+- release_sock(ssk);
++ unlock_sock_fast(ssk, slow);
+ return ret;
+ }
+
+@@ -2288,13 +2290,14 @@ static void mptcp_check_fastclose(struct mptcp_sock *msk)
+
+ list_for_each_entry_safe(subflow, tmp, &msk->conn_list, node) {
+ struct sock *tcp_sk = mptcp_subflow_tcp_sock(subflow);
++ bool slow;
+
+- lock_sock(tcp_sk);
++ slow = lock_sock_fast(tcp_sk);
+ if (tcp_sk->sk_state != TCP_CLOSE) {
+ tcp_send_active_reset(tcp_sk, GFP_ATOMIC);
+ tcp_set_state(tcp_sk, TCP_CLOSE);
+ }
+- release_sock(tcp_sk);
++ unlock_sock_fast(tcp_sk, slow);
+ }
+
+ inet_sk_state_store(sk, TCP_CLOSE);
+--
+2.30.2
+
--- /dev/null
+From e06c26f449e7a7b7a0ac82108d4bf3686a30e129 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jul 2021 17:13:20 +0800
+Subject: net: decnet: Fix sleeping inside in af_decnet
+
+From: Yajun Deng <yajun.deng@linux.dev>
+
+[ Upstream commit 5f119ba1d5771bbf46d57cff7417dcd84d3084ba ]
+
+The release_sock() is blocking function, it would change the state
+after sleeping. use wait_woken() instead.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Yajun Deng <yajun.deng@linux.dev>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/decnet/af_decnet.c | 27 ++++++++++++---------------
+ 1 file changed, 12 insertions(+), 15 deletions(-)
+
+diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
+index 5dbd45dc35ad..dc92a67baea3 100644
+--- a/net/decnet/af_decnet.c
++++ b/net/decnet/af_decnet.c
+@@ -816,7 +816,7 @@ static int dn_auto_bind(struct socket *sock)
+ static int dn_confirm_accept(struct sock *sk, long *timeo, gfp_t allocation)
+ {
+ struct dn_scp *scp = DN_SK(sk);
+- DEFINE_WAIT(wait);
++ DEFINE_WAIT_FUNC(wait, woken_wake_function);
+ int err;
+
+ if (scp->state != DN_CR)
+@@ -826,11 +826,11 @@ static int dn_confirm_accept(struct sock *sk, long *timeo, gfp_t allocation)
+ scp->segsize_loc = dst_metric_advmss(__sk_dst_get(sk));
+ dn_send_conn_conf(sk, allocation);
+
+- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
++ add_wait_queue(sk_sleep(sk), &wait);
+ for(;;) {
+ release_sock(sk);
+ if (scp->state == DN_CC)
+- *timeo = schedule_timeout(*timeo);
++ *timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, *timeo);
+ lock_sock(sk);
+ err = 0;
+ if (scp->state == DN_RUN)
+@@ -844,9 +844,8 @@ static int dn_confirm_accept(struct sock *sk, long *timeo, gfp_t allocation)
+ err = -EAGAIN;
+ if (!*timeo)
+ break;
+- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
+ }
+- finish_wait(sk_sleep(sk), &wait);
++ remove_wait_queue(sk_sleep(sk), &wait);
+ if (err == 0) {
+ sk->sk_socket->state = SS_CONNECTED;
+ } else if (scp->state != DN_CC) {
+@@ -858,7 +857,7 @@ static int dn_confirm_accept(struct sock *sk, long *timeo, gfp_t allocation)
+ static int dn_wait_run(struct sock *sk, long *timeo)
+ {
+ struct dn_scp *scp = DN_SK(sk);
+- DEFINE_WAIT(wait);
++ DEFINE_WAIT_FUNC(wait, woken_wake_function);
+ int err = 0;
+
+ if (scp->state == DN_RUN)
+@@ -867,11 +866,11 @@ static int dn_wait_run(struct sock *sk, long *timeo)
+ if (!*timeo)
+ return -EALREADY;
+
+- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
++ add_wait_queue(sk_sleep(sk), &wait);
+ for(;;) {
+ release_sock(sk);
+ if (scp->state == DN_CI || scp->state == DN_CC)
+- *timeo = schedule_timeout(*timeo);
++ *timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, *timeo);
+ lock_sock(sk);
+ err = 0;
+ if (scp->state == DN_RUN)
+@@ -885,9 +884,8 @@ static int dn_wait_run(struct sock *sk, long *timeo)
+ err = -ETIMEDOUT;
+ if (!*timeo)
+ break;
+- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
+ }
+- finish_wait(sk_sleep(sk), &wait);
++ remove_wait_queue(sk_sleep(sk), &wait);
+ out:
+ if (err == 0) {
+ sk->sk_socket->state = SS_CONNECTED;
+@@ -1032,16 +1030,16 @@ static void dn_user_copy(struct sk_buff *skb, struct optdata_dn *opt)
+
+ static struct sk_buff *dn_wait_for_connect(struct sock *sk, long *timeo)
+ {
+- DEFINE_WAIT(wait);
++ DEFINE_WAIT_FUNC(wait, woken_wake_function);
+ struct sk_buff *skb = NULL;
+ int err = 0;
+
+- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
++ add_wait_queue(sk_sleep(sk), &wait);
+ for(;;) {
+ release_sock(sk);
+ skb = skb_dequeue(&sk->sk_receive_queue);
+ if (skb == NULL) {
+- *timeo = schedule_timeout(*timeo);
++ *timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, *timeo);
+ skb = skb_dequeue(&sk->sk_receive_queue);
+ }
+ lock_sock(sk);
+@@ -1056,9 +1054,8 @@ static struct sk_buff *dn_wait_for_connect(struct sock *sk, long *timeo)
+ err = -EAGAIN;
+ if (!*timeo)
+ break;
+- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
+ }
+- finish_wait(sk_sleep(sk), &wait);
++ remove_wait_queue(sk_sleep(sk), &wait);
+
+ return skb == NULL ? ERR_PTR(err) : skb;
+ }
+--
+2.30.2
+
--- /dev/null
+From 3198103a756821b310008b12b8b12c637854aef0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jul 2021 11:58:12 +0200
+Subject: net: dsa: mv88e6xxx: NET_DSA_MV88E6XXX_PTP should depend on
+ NET_DSA_MV88E6XXX
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 99bb2ebab953435852340cdb198c5abbf0bb5dd3 ]
+
+Making global2 support mandatory removed the Kconfig symbol
+NET_DSA_MV88E6XXX_GLOBAL2. This symbol also served as an intermediate
+symbol to make NET_DSA_MV88E6XXX_PTP depend on NET_DSA_MV88E6XXX. With
+the symbol removed, the user is always asked about PTP support for
+Marvell 88E6xxx switches, even if the latter support is not enabled.
+
+Fix this by reinstating the dependency.
+
+Fixes: 63368a7416df144b ("net: dsa: mv88e6xxx: Make global2 support mandatory")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/mv88e6xxx/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/dsa/mv88e6xxx/Kconfig b/drivers/net/dsa/mv88e6xxx/Kconfig
+index 05af632b0f59..634a48e6616b 100644
+--- a/drivers/net/dsa/mv88e6xxx/Kconfig
++++ b/drivers/net/dsa/mv88e6xxx/Kconfig
+@@ -12,7 +12,7 @@ config NET_DSA_MV88E6XXX
+ config NET_DSA_MV88E6XXX_PTP
+ bool "PTP support for Marvell 88E6xxx"
+ default n
+- depends on PTP_1588_CLOCK
++ depends on NET_DSA_MV88E6XXX && PTP_1588_CLOCK
+ help
+ Say Y to enable PTP hardware timestamping on Marvell 88E6xxx switch
+ chips that support it.
+--
+2.30.2
+
--- /dev/null
+From 2ce1a71e4b702f549b39b2de4f7791581a894cbb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jul 2021 15:37:59 +0300
+Subject: net: dsa: sja1105: make VID 4095 a bridge VLAN too
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit e40cba9490bab1414d45c2d62defc0ad4f6e4136 ]
+
+This simple series of commands:
+
+ip link add br0 type bridge vlan_filtering 1
+ip link set swp0 master br0
+
+fails on sja1105 with the following error:
+[ 33.439103] sja1105 spi0.1: vlan-lookup-table needs to have at least the default untagged VLAN
+[ 33.447710] sja1105 spi0.1: Invalid config, cannot upload
+Warning: sja1105: Failed to change VLAN Ethertype.
+
+For context, sja1105 has 3 operating modes:
+- SJA1105_VLAN_UNAWARE: the dsa_8021q_vlans are committed to hardware
+- SJA1105_VLAN_FILTERING_FULL: the bridge_vlans are committed to hardware
+- SJA1105_VLAN_FILTERING_BEST_EFFORT: both the dsa_8021q_vlans and the
+ bridge_vlans are committed to hardware
+
+Swapping out a VLAN list and another in happens in
+sja1105_build_vlan_table(), which performs a delta update procedure.
+That function is called from a few places, notably from
+sja1105_vlan_filtering() which is called from the
+SWITCHDEV_ATTR_ID_BRIDGE_VLAN_FILTERING handler.
+
+The above set of 2 commands fails when run on a kernel pre-commit
+8841f6e63f2c ("net: dsa: sja1105: make devlink property
+best_effort_vlan_filtering true by default"). So the priv->vlan_state
+transition that takes place is between VLAN-unaware and full VLAN
+filtering. So the dsa_8021q_vlans are swapped out and the bridge_vlans
+are swapped in.
+
+So why does it fail?
+
+Well, the bridge driver, through nbp_vlan_init(), first sets up the
+SWITCHDEV_ATTR_ID_BRIDGE_VLAN_FILTERING attribute, and only then
+proceeds to call nbp_vlan_add for the default_pvid.
+
+So when we swap out the dsa_8021q_vlans and swap in the bridge_vlans in
+the SWITCHDEV_ATTR_ID_BRIDGE_VLAN_FILTERING handler, there are no bridge
+VLANs (yet). So we have wiped the VLAN table clean, and the low-level
+static config checker complains of an invalid configuration. We _will_
+add the bridge VLANs using the dynamic config interface, albeit later,
+when nbp_vlan_add() calls us. So it is natural that it fails.
+
+So why did it ever work?
+
+Surprisingly, it looks like I only tested this configuration with 2
+things set up in a particular way:
+- a network manager that brings all ports up
+- a kernel with CONFIG_VLAN_8021Q=y
+
+It is widely known that commit ad1afb003939 ("vlan_dev: VLAN 0 should be
+treated as "no vlan tag" (802.1p packet)") installs VID 0 to every net
+device that comes up. DSA treats these VLANs as bridge VLANs, and
+therefore, in my testing, the list of bridge_vlans was never empty.
+
+However, if CONFIG_VLAN_8021Q is not enabled, or the port is not up when
+it joins a VLAN-aware bridge, the bridge_vlans list will be temporarily
+empty, and the sja1105_static_config_reload() call from
+sja1105_vlan_filtering() will fail.
+
+To fix this, the simplest thing is to keep VID 4095, the one used for
+CPU-injected control packets since commit ed040abca4c1 ("net: dsa:
+sja1105: use 4095 as the private VLAN for untagged traffic"), in the
+list of bridge VLANs too, not just the list of tag_8021q VLANs. This
+ensures that the list of bridge VLANs will never be empty.
+
+Fixes: ec5ae61076d0 ("net: dsa: sja1105: save/restore VLANs using a delta commit method")
+Reported-by: Radu Pirea (NXP OSS) <radu-nicolae.pirea@oss.nxp.com>
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/sja1105/sja1105_main.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c
+index ebe4d33cda27..6e5dbe9f3892 100644
+--- a/drivers/net/dsa/sja1105/sja1105_main.c
++++ b/drivers/net/dsa/sja1105/sja1105_main.c
+@@ -378,6 +378,12 @@ static int sja1105_init_static_vlan(struct sja1105_private *priv)
+ if (dsa_is_cpu_port(ds, port))
+ v->pvid = true;
+ list_add(&v->list, &priv->dsa_8021q_vlans);
++
++ v = kmemdup(v, sizeof(*v), GFP_KERNEL);
++ if (!v)
++ return -ENOMEM;
++
++ list_add(&v->list, &priv->bridge_vlans);
+ }
+
+ ((struct sja1105_vlan_lookup_entry *)table->entries)[0] = pvid;
+--
+2.30.2
+
--- /dev/null
+From 8e6e76aec9dfc1d7313302c7cc170ee44d648178 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 20:22:04 +0800
+Subject: net: fix uninit-value in caif_seqpkt_sendmsg
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+[ Upstream commit 991e634360f2622a683b48dfe44fe6d9cb765a09 ]
+
+When nr_segs equal to zero in iovec_from_user, the object
+msg->msg_iter.iov is uninit stack memory in caif_seqpkt_sendmsg
+which is defined in ___sys_sendmsg. So we cann't just judge
+msg->msg_iter.iov->base directlly. We can use nr_segs to judge
+msg in caif_seqpkt_sendmsg whether has data buffers.
+
+=====================================================
+BUG: KMSAN: uninit-value in caif_seqpkt_sendmsg+0x693/0xf60 net/caif/caif_socket.c:542
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1c9/0x220 lib/dump_stack.c:118
+ kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
+ __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
+ caif_seqpkt_sendmsg+0x693/0xf60 net/caif/caif_socket.c:542
+ sock_sendmsg_nosec net/socket.c:652 [inline]
+ sock_sendmsg net/socket.c:672 [inline]
+ ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2343
+ ___sys_sendmsg net/socket.c:2397 [inline]
+ __sys_sendmmsg+0x808/0xc90 net/socket.c:2480
+ __compat_sys_sendmmsg net/compat.c:656 [inline]
+
+Reported-by: syzbot+09a5d591c1f98cf5efcb@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?id=1ace85e8fc9b0d5a45c08c2656c3e91762daa9b8
+Fixes: bece7b2398d0 ("caif: Rewritten socket implementation")
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/caif/caif_socket.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c
+index 3ad0a1df6712..9d26c5e9da05 100644
+--- a/net/caif/caif_socket.c
++++ b/net/caif/caif_socket.c
+@@ -539,7 +539,8 @@ static int caif_seqpkt_sendmsg(struct socket *sock, struct msghdr *msg,
+ goto err;
+
+ ret = -EINVAL;
+- if (unlikely(msg->msg_iter.iov->iov_base == NULL))
++ if (unlikely(msg->msg_iter.nr_segs == 0) ||
++ unlikely(msg->msg_iter.iov->iov_base == NULL))
+ goto err;
+ noblock = msg->msg_flags & MSG_DONTWAIT;
+
+--
+2.30.2
+
--- /dev/null
+From 5a1813dbcef53a4db8b30ff3745d3feb08de5694 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Jul 2021 13:38:34 -0700
+Subject: net: hisilicon: rename CACHE_LINE_MASK to avoid redefinition
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit b16f3299ae1aa3c327e1fb742d0379ae4d6e86f2 ]
+
+Building on ARCH=arc causes a "redefined" warning, so rename this
+driver's CACHE_LINE_MASK to avoid the warning.
+
+../drivers/net/ethernet/hisilicon/hip04_eth.c:134: warning: "CACHE_LINE_MASK" redefined
+ 134 | #define CACHE_LINE_MASK 0x3F
+In file included from ../include/linux/cache.h:6,
+ from ../include/linux/printk.h:9,
+ from ../include/linux/kernel.h:19,
+ from ../include/linux/list.h:9,
+ from ../include/linux/module.h:12,
+ from ../drivers/net/ethernet/hisilicon/hip04_eth.c:7:
+../arch/arc/include/asm/cache.h:17: note: this is the location of the previous definition
+ 17 | #define CACHE_LINE_MASK (~(L1_CACHE_BYTES - 1))
+
+Fixes: d413779cdd93 ("net: hisilicon: Add an tx_desc to adapt HI13X1_GMAC")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Vineet Gupta <vgupta@synopsys.com>
+Cc: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hip04_eth.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hip04_eth.c b/drivers/net/ethernet/hisilicon/hip04_eth.c
+index 12f6c2442a7a..e53512f6878a 100644
+--- a/drivers/net/ethernet/hisilicon/hip04_eth.c
++++ b/drivers/net/ethernet/hisilicon/hip04_eth.c
+@@ -131,7 +131,7 @@
+ /* buf unit size is cache_line_size, which is 64, so the shift is 6 */
+ #define PPE_BUF_SIZE_SHIFT 6
+ #define PPE_TX_BUF_HOLD BIT(31)
+-#define CACHE_LINE_MASK 0x3F
++#define SOC_CACHE_LINE_MASK 0x3F
+ #else
+ #define PPE_CFG_QOS_VMID_GRP_SHIFT 8
+ #define PPE_CFG_RX_CTRL_ALIGN_SHIFT 11
+@@ -531,8 +531,8 @@ hip04_mac_start_xmit(struct sk_buff *skb, struct net_device *ndev)
+ #if defined(CONFIG_HI13X1_GMAC)
+ desc->cfg = (__force u32)cpu_to_be32(TX_CLEAR_WB | TX_FINISH_CACHE_INV
+ | TX_RELEASE_TO_PPE | priv->port << TX_POOL_SHIFT);
+- desc->data_offset = (__force u32)cpu_to_be32(phys & CACHE_LINE_MASK);
+- desc->send_addr = (__force u32)cpu_to_be32(phys & ~CACHE_LINE_MASK);
++ desc->data_offset = (__force u32)cpu_to_be32(phys & SOC_CACHE_LINE_MASK);
++ desc->send_addr = (__force u32)cpu_to_be32(phys & ~SOC_CACHE_LINE_MASK);
+ #else
+ desc->cfg = (__force u32)cpu_to_be32(TX_CLEAR_WB | TX_FINISH_CACHE_INV);
+ desc->send_addr = (__force u32)cpu_to_be32(phys);
+--
+2.30.2
+
--- /dev/null
+From 9703afa7b479d08ac472e38cf7683d83d1844ea2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Jul 2021 17:13:05 +0800
+Subject: net: hns3: fix possible mismatches resp of mailbox
+
+From: Chengwen Feng <fengchengwen@huawei.com>
+
+[ Upstream commit 1b713d14dc3c077ec45e65dab4ea01a8bc41b8c1 ]
+
+Currently, the mailbox synchronous communication between VF and PF use
+the following fields to maintain communication:
+1. Origin_mbx_msg which was combined by message code and subcode, used
+to match request and response.
+2. Received_resp which means whether received response.
+
+There may possible mismatches of the following situation:
+1. VF sends message A with code=1 subcode=1.
+2. PF was blocked about 500ms when processing the message A.
+3. VF will detect message A timeout because it can't get the response
+within 500ms.
+4. VF sends message B with code=1 subcode=1 which equal message A.
+5. PF processes the first message A and send the response message to
+VF.
+6. VF will identify the response matched the message B because the
+code/subcode is the same. This will lead to mismatch of request and
+response.
+
+To fix the above bug, we use the following scheme:
+1. The message sent from VF was labelled with match_id which was a
+unique 16-bit non-zero value.
+2. The response sent from PF will label with match_id which got from
+the request.
+3. The VF uses the match_id to match request and response message.
+
+As for PF driver, it only needs to copy the match_id from request to
+response.
+
+Fixes: dde1a86e93ca ("net: hns3: Add mailbox support to PF driver")
+Signed-off-by: Chengwen Feng <fengchengwen@huawei.com>
+Signed-off-by: Guangbin Huang <huangguangbin2@huawei.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hclge_mbx.h | 6 ++++--
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c | 1 +
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hclge_mbx.h b/drivers/net/ethernet/hisilicon/hns3/hclge_mbx.h
+index a2c17af57fde..d283beec9f66 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hclge_mbx.h
++++ b/drivers/net/ethernet/hisilicon/hns3/hclge_mbx.h
+@@ -135,7 +135,8 @@ struct hclge_mbx_vf_to_pf_cmd {
+ u8 mbx_need_resp;
+ u8 rsv1[1];
+ u8 msg_len;
+- u8 rsv2[3];
++ u8 rsv2;
++ u16 match_id;
+ struct hclge_vf_to_pf_msg msg;
+ };
+
+@@ -145,7 +146,8 @@ struct hclge_mbx_pf_to_vf_cmd {
+ u8 dest_vfid;
+ u8 rsv[3];
+ u8 msg_len;
+- u8 rsv1[3];
++ u8 rsv1;
++ u16 match_id;
+ struct hclge_pf_to_vf_msg msg;
+ };
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
+index f1c9f4ada348..38b601031db4 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
+@@ -47,6 +47,7 @@ static int hclge_gen_resp_to_vf(struct hclge_vport *vport,
+
+ resp_pf_to_vf->dest_vfid = vf_to_pf_req->mbx_src_vfid;
+ resp_pf_to_vf->msg_len = vf_to_pf_req->msg_len;
++ resp_pf_to_vf->match_id = vf_to_pf_req->match_id;
+
+ resp_pf_to_vf->msg.code = HCLGE_MBX_PF_VF_RESP;
+ resp_pf_to_vf->msg.vf_mbx_msg_code = vf_to_pf_req->msg.code;
+--
+2.30.2
+
--- /dev/null
+From 44d5336842732c60ce9b01337e2747ce7020b988 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Jul 2021 17:13:08 +0800
+Subject: net: hns3: fix rx VLAN offload state inconsistent issue
+
+From: Jian Shen <shenjian15@huawei.com>
+
+[ Upstream commit bbfd4506f962e7e6fff8f37f017154a3c3791264 ]
+
+Currently, VF doesn't enable rx VLAN offload when initializating,
+and PF does it for VFs. If user disable the rx VLAN offload for
+VF with ethtool -K, and reload the VF driver, it may cause the
+rx VLAN offload state being inconsistent between hardware and
+software.
+
+Fixes it by enabling rx VLAN offload when VF initializing.
+
+Fixes: e2cb1dec9779 ("net: hns3: Add HNS3 VF HCL(Hardware Compatibility Layer) Support")
+Signed-off-by: Jian Shen <shenjian15@huawei.com>
+Signed-off-by: Guangbin Huang <huangguangbin2@huawei.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+index 0db51ef15ef6..fe03c8419890 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+@@ -2621,6 +2621,16 @@ static int hclgevf_rss_init_hw(struct hclgevf_dev *hdev)
+
+ static int hclgevf_init_vlan_config(struct hclgevf_dev *hdev)
+ {
++ struct hnae3_handle *nic = &hdev->nic;
++ int ret;
++
++ ret = hclgevf_en_hw_strip_rxvtag(nic, true);
++ if (ret) {
++ dev_err(&hdev->pdev->dev,
++ "failed to enable rx vlan offload, ret = %d\n", ret);
++ return ret;
++ }
++
+ return hclgevf_set_vlan_filter(&hdev->nic, htons(ETH_P_8021Q), 0,
+ false);
+ }
+--
+2.30.2
+
--- /dev/null
+From cb8509f365a30c31fa03133b4dd95922e02cce5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jul 2021 12:33:50 +0300
+Subject: net: ocelot: fix switchdev objects synced for wrong netdev with LAG
+ offload
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit e56c6bbd98dc1cefb6f9c5d795fd29016e4f2fe7 ]
+
+The point with a *dev and a *brport_dev is that when we have a LAG net
+device that is a bridge port, *dev is an ocelot net device and
+*brport_dev is the bonding/team net device. The ocelot net device
+beneath the LAG does not exist from the bridge's perspective, so we need
+to sync the switchdev objects belonging to the brport_dev and not to the
+dev.
+
+Fixes: e4bd44e89dcf ("net: ocelot: replay switchdev events when joining bridge")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mscc/ocelot_net.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/mscc/ocelot_net.c b/drivers/net/ethernet/mscc/ocelot_net.c
+index aad33d22c33f..3dc577183a40 100644
+--- a/drivers/net/ethernet/mscc/ocelot_net.c
++++ b/drivers/net/ethernet/mscc/ocelot_net.c
+@@ -1287,6 +1287,7 @@ static int ocelot_netdevice_lag_leave(struct net_device *dev,
+ }
+
+ static int ocelot_netdevice_changeupper(struct net_device *dev,
++ struct net_device *brport_dev,
+ struct netdev_notifier_changeupper_info *info)
+ {
+ struct netlink_ext_ack *extack;
+@@ -1296,11 +1297,11 @@ static int ocelot_netdevice_changeupper(struct net_device *dev,
+
+ if (netif_is_bridge_master(info->upper_dev)) {
+ if (info->linking)
+- err = ocelot_netdevice_bridge_join(dev, dev,
++ err = ocelot_netdevice_bridge_join(dev, brport_dev,
+ info->upper_dev,
+ extack);
+ else
+- err = ocelot_netdevice_bridge_leave(dev, dev,
++ err = ocelot_netdevice_bridge_leave(dev, brport_dev,
+ info->upper_dev);
+ }
+ if (netif_is_lag_master(info->upper_dev)) {
+@@ -1335,7 +1336,7 @@ ocelot_netdevice_lag_changeupper(struct net_device *dev,
+ if (ocelot_port->bond != dev)
+ return NOTIFY_OK;
+
+- err = ocelot_netdevice_changeupper(lower, info);
++ err = ocelot_netdevice_changeupper(lower, dev, info);
+ if (err)
+ return notifier_from_errno(err);
+ }
+@@ -1374,7 +1375,7 @@ static int ocelot_netdevice_event(struct notifier_block *unused,
+ struct netdev_notifier_changeupper_info *info = ptr;
+
+ if (ocelot_netdevice_dev_check(dev))
+- return ocelot_netdevice_changeupper(dev, info);
++ return ocelot_netdevice_changeupper(dev, dev, info);
+
+ if (netif_is_lag_master(dev))
+ return ocelot_netdevice_lag_changeupper(dev, info);
+--
+2.30.2
+
--- /dev/null
+From dbe1079d0d2698e54884986a4a5d156ceef654cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 11 Jul 2021 18:38:15 +0200
+Subject: net: phy: marvell10g: fix differentiation of 88X3310 from 88X3340
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marek Behún <kabel@kernel.org>
+
+[ Upstream commit a5de4be0aaaa66a2fa98e8a33bdbed3bd0682804 ]
+
+It seems that we cannot differentiate 88X3310 from 88X3340 by simply
+looking at bit 3 of revision ID. This only works on revisions A0 and A1.
+On revision B0, this bit is always 1.
+
+Instead use the 3.d00d register for differentiation, since this register
+contains information about number of ports on the device.
+
+Fixes: 9885d016ffa9 ("net: phy: marvell10g: add separate structure for 88X3340")
+Signed-off-by: Marek Behún <kabel@kernel.org>
+Reported-by: Matteo Croce <mcroce@linux.microsoft.com>
+Tested-by: Matteo Croce <mcroce@microsoft.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/marvell10g.c | 40 +++++++++++++++++++++++++++++++-----
+ include/linux/marvell_phy.h | 6 +-----
+ 2 files changed, 36 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/phy/marvell10g.c b/drivers/net/phy/marvell10g.c
+index bbbc6ac8fa82..53a433442803 100644
+--- a/drivers/net/phy/marvell10g.c
++++ b/drivers/net/phy/marvell10g.c
+@@ -78,6 +78,11 @@ enum {
+ /* Temperature read register (88E2110 only) */
+ MV_PCS_TEMP = 0x8042,
+
++ /* Number of ports on the device */
++ MV_PCS_PORT_INFO = 0xd00d,
++ MV_PCS_PORT_INFO_NPORTS_MASK = 0x0380,
++ MV_PCS_PORT_INFO_NPORTS_SHIFT = 7,
++
+ /* These registers appear at 0x800X and 0xa00X - the 0xa00X control
+ * registers appear to set themselves to the 0x800X when AN is
+ * restarted, but status registers appear readable from either.
+@@ -966,6 +971,30 @@ static const struct mv3310_chip mv2111_type = {
+ #endif
+ };
+
++static int mv3310_get_number_of_ports(struct phy_device *phydev)
++{
++ int ret;
++
++ ret = phy_read_mmd(phydev, MDIO_MMD_PCS, MV_PCS_PORT_INFO);
++ if (ret < 0)
++ return ret;
++
++ ret &= MV_PCS_PORT_INFO_NPORTS_MASK;
++ ret >>= MV_PCS_PORT_INFO_NPORTS_SHIFT;
++
++ return ret + 1;
++}
++
++static int mv3310_match_phy_device(struct phy_device *phydev)
++{
++ return mv3310_get_number_of_ports(phydev) == 1;
++}
++
++static int mv3340_match_phy_device(struct phy_device *phydev)
++{
++ return mv3310_get_number_of_ports(phydev) == 4;
++}
++
+ static int mv211x_match_phy_device(struct phy_device *phydev, bool has_5g)
+ {
+ int val;
+@@ -994,7 +1023,8 @@ static int mv2111_match_phy_device(struct phy_device *phydev)
+ static struct phy_driver mv3310_drivers[] = {
+ {
+ .phy_id = MARVELL_PHY_ID_88X3310,
+- .phy_id_mask = MARVELL_PHY_ID_88X33X0_MASK,
++ .phy_id_mask = MARVELL_PHY_ID_MASK,
++ .match_phy_device = mv3310_match_phy_device,
+ .name = "mv88x3310",
+ .driver_data = &mv3310_type,
+ .get_features = mv3310_get_features,
+@@ -1011,8 +1041,9 @@ static struct phy_driver mv3310_drivers[] = {
+ .set_loopback = genphy_c45_loopback,
+ },
+ {
+- .phy_id = MARVELL_PHY_ID_88X3340,
+- .phy_id_mask = MARVELL_PHY_ID_88X33X0_MASK,
++ .phy_id = MARVELL_PHY_ID_88X3310,
++ .phy_id_mask = MARVELL_PHY_ID_MASK,
++ .match_phy_device = mv3340_match_phy_device,
+ .name = "mv88x3340",
+ .driver_data = &mv3340_type,
+ .get_features = mv3310_get_features,
+@@ -1069,8 +1100,7 @@ static struct phy_driver mv3310_drivers[] = {
+ module_phy_driver(mv3310_drivers);
+
+ static struct mdio_device_id __maybe_unused mv3310_tbl[] = {
+- { MARVELL_PHY_ID_88X3310, MARVELL_PHY_ID_88X33X0_MASK },
+- { MARVELL_PHY_ID_88X3340, MARVELL_PHY_ID_88X33X0_MASK },
++ { MARVELL_PHY_ID_88X3310, MARVELL_PHY_ID_MASK },
+ { MARVELL_PHY_ID_88E2110, MARVELL_PHY_ID_MASK },
+ { },
+ };
+diff --git a/include/linux/marvell_phy.h b/include/linux/marvell_phy.h
+index acee44b9db26..0f06c2287b52 100644
+--- a/include/linux/marvell_phy.h
++++ b/include/linux/marvell_phy.h
+@@ -22,14 +22,10 @@
+ #define MARVELL_PHY_ID_88E1545 0x01410ea0
+ #define MARVELL_PHY_ID_88E1548P 0x01410ec0
+ #define MARVELL_PHY_ID_88E3016 0x01410e60
++#define MARVELL_PHY_ID_88X3310 0x002b09a0
+ #define MARVELL_PHY_ID_88E2110 0x002b09b0
+ #define MARVELL_PHY_ID_88X2222 0x01410f10
+
+-/* PHY IDs and mask for Alaska 10G PHYs */
+-#define MARVELL_PHY_ID_88X33X0_MASK 0xfffffff8
+-#define MARVELL_PHY_ID_88X3310 0x002b09a0
+-#define MARVELL_PHY_ID_88X3340 0x002b09a8
+-
+ /* Marvel 88E1111 in Finisar SFP module with modified PHY ID */
+ #define MARVELL_PHY_ID_88E1111_FINISAR 0x01ff0cc0
+
+--
+2.30.2
+
--- /dev/null
+From 5c04a1c8f4da7661eb294b8800266537bcf9f359 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Jul 2021 16:41:24 -0700
+Subject: net/sched: act_skbmod: Skip non-Ethernet packets
+
+From: Peilin Ye <peilin.ye@bytedance.com>
+
+[ Upstream commit 727d6a8b7ef3d25080fad228b2c4a1d4da5999c6 ]
+
+Currently tcf_skbmod_act() assumes that packets use Ethernet as their L2
+protocol, which is not always the case. As an example, for CAN devices:
+
+ $ ip link add dev vcan0 type vcan
+ $ ip link set up vcan0
+ $ tc qdisc add dev vcan0 root handle 1: htb
+ $ tc filter add dev vcan0 parent 1: protocol ip prio 10 \
+ matchall action skbmod swap mac
+
+Doing the above silently corrupts all the packets. Do not perform skbmod
+actions for non-Ethernet packets.
+
+Fixes: 86da71b57383 ("net_sched: Introduce skbmod action")
+Reviewed-by: Cong Wang <cong.wang@bytedance.com>
+Signed-off-by: Peilin Ye <peilin.ye@bytedance.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/act_skbmod.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/net/sched/act_skbmod.c b/net/sched/act_skbmod.c
+index 81a1c67335be..8d17a543cc9f 100644
+--- a/net/sched/act_skbmod.c
++++ b/net/sched/act_skbmod.c
+@@ -6,6 +6,7 @@
+ */
+
+ #include <linux/module.h>
++#include <linux/if_arp.h>
+ #include <linux/init.h>
+ #include <linux/kernel.h>
+ #include <linux/skbuff.h>
+@@ -33,6 +34,13 @@ static int tcf_skbmod_act(struct sk_buff *skb, const struct tc_action *a,
+ tcf_lastuse_update(&d->tcf_tm);
+ bstats_cpu_update(this_cpu_ptr(d->common.cpu_bstats), skb);
+
++ action = READ_ONCE(d->tcf_action);
++ if (unlikely(action == TC_ACT_SHOT))
++ goto drop;
++
++ if (!skb->dev || skb->dev->type != ARPHRD_ETHER)
++ return action;
++
+ /* XXX: if you are going to edit more fields beyond ethernet header
+ * (example when you add IP header replacement or vlan swap)
+ * then MAX_EDIT_LEN needs to change appropriately
+@@ -41,10 +49,6 @@ static int tcf_skbmod_act(struct sk_buff *skb, const struct tc_action *a,
+ if (unlikely(err)) /* best policy is to drop on the floor */
+ goto drop;
+
+- action = READ_ONCE(d->tcf_action);
+- if (unlikely(action == TC_ACT_SHOT))
+- goto drop;
+-
+ p = rcu_dereference_bh(d->skbmod_p);
+ flags = p->flags;
+ if (flags & SKBMOD_F_DMAC)
+--
+2.30.2
+
--- /dev/null
+From 5d15445b146fcb6b672278d37478b6c6baa819c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Jul 2021 11:23:43 +0800
+Subject: net: sched: cls_api: Fix the the wrong parameter
+
+From: Yajun Deng <yajun.deng@linux.dev>
+
+[ Upstream commit 9d85a6f44bd5585761947f40f7821c9cd78a1bbe ]
+
+The 4th parameter in tc_chain_notify() should be flags rather than seq.
+Let's change it back correctly.
+
+Fixes: 32a4f5ecd738 ("net: sched: introduce chain object to uapi")
+Signed-off-by: Yajun Deng <yajun.deng@linux.dev>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/cls_api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
+index d73b5c5514a9..e3e79e9bd706 100644
+--- a/net/sched/cls_api.c
++++ b/net/sched/cls_api.c
+@@ -2904,7 +2904,7 @@ replay:
+ break;
+ case RTM_GETCHAIN:
+ err = tc_chain_notify(chain, skb, n->nlmsg_seq,
+- n->nlmsg_seq, n->nlmsg_type, true);
++ n->nlmsg_flags, n->nlmsg_type, true);
+ if (err < 0)
+ NL_SET_ERR_MSG(extack, "Failed to send chain notify message");
+ break;
+--
+2.30.2
+
--- /dev/null
+From 573a4767480bab63ac5b13e43f393ee79269e900 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Jul 2021 14:29:33 +0300
+Subject: net: sched: fix memory leak in tcindex_partial_destroy_work
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit f5051bcece50140abd1a11a2d36dc3ec5484fc32 ]
+
+Syzbot reported memory leak in tcindex_set_parms(). The problem was in
+non-freed perfect hash in tcindex_partial_destroy_work().
+
+In tcindex_set_parms() new tcindex_data is allocated and some fields from
+old one are copied to new one, but not the perfect hash. Since
+tcindex_partial_destroy_work() is the destroy function for old
+tcindex_data, we need to free perfect hash to avoid memory leak.
+
+Reported-and-tested-by: syzbot+f0bbb2287b8993d4fa74@syzkaller.appspotmail.com
+Fixes: 331b72922c5f ("net: sched: RCU cls_tcindex")
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/cls_tcindex.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/sched/cls_tcindex.c b/net/sched/cls_tcindex.c
+index 5b274534264c..e9a8a2c86bbd 100644
+--- a/net/sched/cls_tcindex.c
++++ b/net/sched/cls_tcindex.c
+@@ -278,6 +278,8 @@ static int tcindex_filter_result_init(struct tcindex_filter_result *r,
+ TCA_TCINDEX_POLICE);
+ }
+
++static void tcindex_free_perfect_hash(struct tcindex_data *cp);
++
+ static void tcindex_partial_destroy_work(struct work_struct *work)
+ {
+ struct tcindex_data *p = container_of(to_rcu_work(work),
+@@ -285,7 +287,8 @@ static void tcindex_partial_destroy_work(struct work_struct *work)
+ rwork);
+
+ rtnl_lock();
+- kfree(p->perfect);
++ if (p->perfect)
++ tcindex_free_perfect_hash(p);
+ kfree(p);
+ rtnl_unlock();
+ }
+--
+2.30.2
+
--- /dev/null
+From 1554660dae2c8fc91d61e926876bcaaa3327fb60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Jun 2021 17:59:35 +0800
+Subject: net: stmmac: Terminate FPE workqueue in suspend
+
+From: Mohammad Athari Bin Ismail <mohammad.athari.ismail@intel.com>
+
+[ Upstream commit 6b28a86d6c0bb02119f386ec2f56efde909e9bcb ]
+
+Add stmmac_fpe_stop_wq() in stmmac_suspend() to terminate FPE workqueue
+during suspend. So, in suspend mode, there will be no FPE workqueue
+available. Without this fix, new additional FPE workqueue will be created
+in every suspend->resume cycle.
+
+Fixes: 5a5586112b92 ("net: stmmac: support FPE link partner hand-shaking procedure")
+Signed-off-by: Mohammad Athari Bin Ismail <mohammad.athari.ismail@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index 91cd5073ddb2..980a60477b02 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -7170,6 +7170,7 @@ int stmmac_suspend(struct device *dev)
+ priv->plat->rx_queues_to_use, false);
+
+ stmmac_fpe_handshake(priv, false);
++ stmmac_fpe_stop_wq(priv);
+ }
+
+ priv->speed = SPEED_UNKNOWN;
+--
+2.30.2
+
--- /dev/null
+From a1bbb421a282c3c5d1f7b647677e2132296a8c81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Jul 2021 02:12:18 -0700
+Subject: net/tcp_fastopen: fix data races around tfo_active_disable_stamp
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 6f20c8adb1813467ea52c1296d52c4e95978cb2f ]
+
+tfo_active_disable_stamp is read and written locklessly.
+We need to annotate these accesses appropriately.
+
+Then, we need to perform the atomic_inc(tfo_active_disable_times)
+after the timestamp has been updated, and thus add barriers
+to make sure tcp_fastopen_active_should_disable() wont read
+a stale timestamp.
+
+Fixes: cf1ef3f0719b ("net/tcp_fastopen: Disable active side TFO in certain scenarios")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Wei Wang <weiwan@google.com>
+Cc: Yuchung Cheng <ycheng@google.com>
+Cc: Neal Cardwell <ncardwell@google.com>
+Acked-by: Wei Wang <weiwan@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_fastopen.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c
+index af2814c9342a..08548ff23d83 100644
+--- a/net/ipv4/tcp_fastopen.c
++++ b/net/ipv4/tcp_fastopen.c
+@@ -507,8 +507,15 @@ void tcp_fastopen_active_disable(struct sock *sk)
+ {
+ struct net *net = sock_net(sk);
+
++ /* Paired with READ_ONCE() in tcp_fastopen_active_should_disable() */
++ WRITE_ONCE(net->ipv4.tfo_active_disable_stamp, jiffies);
++
++ /* Paired with smp_rmb() in tcp_fastopen_active_should_disable().
++ * We want net->ipv4.tfo_active_disable_stamp to be updated first.
++ */
++ smp_mb__before_atomic();
+ atomic_inc(&net->ipv4.tfo_active_disable_times);
+- net->ipv4.tfo_active_disable_stamp = jiffies;
++
+ NET_INC_STATS(net, LINUX_MIB_TCPFASTOPENBLACKHOLE);
+ }
+
+@@ -526,10 +533,16 @@ bool tcp_fastopen_active_should_disable(struct sock *sk)
+ if (!tfo_da_times)
+ return false;
+
++ /* Paired with smp_mb__before_atomic() in tcp_fastopen_active_disable() */
++ smp_rmb();
++
+ /* Limit timout to max: 2^6 * initial timeout */
+ multiplier = 1 << min(tfo_da_times - 1, 6);
+- timeout = multiplier * tfo_bh_timeout * HZ;
+- if (time_before(jiffies, sock_net(sk)->ipv4.tfo_active_disable_stamp + timeout))
++
++ /* Paired with the WRITE_ONCE() in tcp_fastopen_active_disable(). */
++ timeout = READ_ONCE(sock_net(sk)->ipv4.tfo_active_disable_stamp) +
++ multiplier * tfo_bh_timeout * HZ;
++ if (time_before(jiffies, timeout))
+ return true;
+
+ /* Mark check bit so we can check for successful active TFO
+--
+2.30.2
+
--- /dev/null
+From 52e99ce86ce4cc270042cc7b2ef53fd695749b9d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Jul 2021 22:40:13 +0800
+Subject: netrom: Decrease sock refcount when sock timers expire
+
+From: Nguyen Dinh Phi <phind.uet@gmail.com>
+
+[ Upstream commit 517a16b1a88bdb6b530f48d5d153478b2552d9a8 ]
+
+Commit 63346650c1a9 ("netrom: switch to sock timer API") switched to use
+sock timer API. It replaces mod_timer() by sk_reset_timer(), and
+del_timer() by sk_stop_timer().
+
+Function sk_reset_timer() will increase the refcount of sock if it is
+called on an inactive timer, hence, in case the timer expires, we need to
+decrease the refcount ourselves in the handler, otherwise, the sock
+refcount will be unbalanced and the sock will never be freed.
+
+Signed-off-by: Nguyen Dinh Phi <phind.uet@gmail.com>
+Reported-by: syzbot+10f1194569953b72f1ae@syzkaller.appspotmail.com
+Fixes: 63346650c1a9 ("netrom: switch to sock timer API")
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netrom/nr_timer.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/net/netrom/nr_timer.c b/net/netrom/nr_timer.c
+index 9115f8a7dd45..a8da88db7893 100644
+--- a/net/netrom/nr_timer.c
++++ b/net/netrom/nr_timer.c
+@@ -121,11 +121,9 @@ static void nr_heartbeat_expiry(struct timer_list *t)
+ is accepted() it isn't 'dead' so doesn't get removed. */
+ if (sock_flag(sk, SOCK_DESTROY) ||
+ (sk->sk_state == TCP_LISTEN && sock_flag(sk, SOCK_DEAD))) {
+- sock_hold(sk);
+ bh_unlock_sock(sk);
+ nr_destroy_socket(sk);
+- sock_put(sk);
+- return;
++ goto out;
+ }
+ break;
+
+@@ -146,6 +144,8 @@ static void nr_heartbeat_expiry(struct timer_list *t)
+
+ nr_start_heartbeat(sk);
+ bh_unlock_sock(sk);
++out:
++ sock_put(sk);
+ }
+
+ static void nr_t2timer_expiry(struct timer_list *t)
+@@ -159,6 +159,7 @@ static void nr_t2timer_expiry(struct timer_list *t)
+ nr_enquiry_response(sk);
+ }
+ bh_unlock_sock(sk);
++ sock_put(sk);
+ }
+
+ static void nr_t4timer_expiry(struct timer_list *t)
+@@ -169,6 +170,7 @@ static void nr_t4timer_expiry(struct timer_list *t)
+ bh_lock_sock(sk);
+ nr_sk(sk)->condition &= ~NR_COND_PEER_RX_BUSY;
+ bh_unlock_sock(sk);
++ sock_put(sk);
+ }
+
+ static void nr_idletimer_expiry(struct timer_list *t)
+@@ -197,6 +199,7 @@ static void nr_idletimer_expiry(struct timer_list *t)
+ sock_set_flag(sk, SOCK_DEAD);
+ }
+ bh_unlock_sock(sk);
++ sock_put(sk);
+ }
+
+ static void nr_t1timer_expiry(struct timer_list *t)
+@@ -209,8 +212,7 @@ static void nr_t1timer_expiry(struct timer_list *t)
+ case NR_STATE_1:
+ if (nr->n2count == nr->n2) {
+ nr_disconnect(sk, ETIMEDOUT);
+- bh_unlock_sock(sk);
+- return;
++ goto out;
+ } else {
+ nr->n2count++;
+ nr_write_internal(sk, NR_CONNREQ);
+@@ -220,8 +222,7 @@ static void nr_t1timer_expiry(struct timer_list *t)
+ case NR_STATE_2:
+ if (nr->n2count == nr->n2) {
+ nr_disconnect(sk, ETIMEDOUT);
+- bh_unlock_sock(sk);
+- return;
++ goto out;
+ } else {
+ nr->n2count++;
+ nr_write_internal(sk, NR_DISCREQ);
+@@ -231,8 +232,7 @@ static void nr_t1timer_expiry(struct timer_list *t)
+ case NR_STATE_3:
+ if (nr->n2count == nr->n2) {
+ nr_disconnect(sk, ETIMEDOUT);
+- bh_unlock_sock(sk);
+- return;
++ goto out;
+ } else {
+ nr->n2count++;
+ nr_requeue_frames(sk);
+@@ -241,5 +241,7 @@ static void nr_t1timer_expiry(struct timer_list *t)
+ }
+
+ nr_start_t1timer(sk);
++out:
+ bh_unlock_sock(sk);
++ sock_put(sk);
+ }
+--
+2.30.2
+
--- /dev/null
+From 307d10b1411f730070e56919d007e6aaf7c8fbdb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Jul 2021 14:14:32 -0700
+Subject: nvme-pci: do not call nvme_dev_remove_admin from nvme_remove
+
+From: Casey Chen <cachen@purestorage.com>
+
+[ Upstream commit 251ef6f71be2adfd09546a26643426fe62585173 ]
+
+nvme_dev_remove_admin could free dev->admin_q and the admin_tagset
+while they are being accessed by nvme_dev_disable(), which can be called
+by nvme_reset_work via nvme_remove_dead_ctrl.
+
+Commit cb4bfda62afa ("nvme-pci: fix hot removal during error handling")
+intended to avoid requests being stuck on a removed controller by killing
+the admin queue. But the later fix c8e9e9b7646e ("nvme-pci: unquiesce
+admin queue on shutdown"), together with nvme_dev_disable(dev, true)
+right before nvme_dev_remove_admin() could help dispatch requests and
+fail them early, so we don't need nvme_dev_remove_admin() any more.
+
+Fixes: cb4bfda62afa ("nvme-pci: fix hot removal during error handling")
+Signed-off-by: Casey Chen <cachen@purestorage.com>
+Reviewed-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index 42ad75ff1348..c625da463330 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -2998,7 +2998,6 @@ static void nvme_remove(struct pci_dev *pdev)
+ if (!pci_device_is_present(pdev)) {
+ nvme_change_ctrl_state(&dev->ctrl, NVME_CTRL_DEAD);
+ nvme_dev_disable(dev, true);
+- nvme_dev_remove_admin(dev);
+ }
+
+ flush_work(&dev->ctrl.reset_work);
+--
+2.30.2
+
--- /dev/null
+From 23b3efad451cd52b9ef3deda831707f741881984 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Jul 2021 21:38:29 +0800
+Subject: nvme-pci: don't WARN_ON in nvme_reset_work if ctrl.state is not
+ RESETTING
+
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+
+[ Upstream commit 7764656b108cd308c39e9a8554353b8f9ca232a3 ]
+
+Followling process:
+nvme_probe
+ nvme_reset_ctrl
+ nvme_change_ctrl_state(ctrl, NVME_CTRL_RESETTING)
+ queue_work(nvme_reset_wq, &ctrl->reset_work)
+
+--------------> nvme_remove
+ nvme_change_ctrl_state(&dev->ctrl, NVME_CTRL_DELETING)
+worker_thread
+ process_one_work
+ nvme_reset_work
+ WARN_ON(dev->ctrl.state != NVME_CTRL_RESETTING)
+
+, which will trigger WARN_ON in nvme_reset_work():
+[ 127.534298] WARNING: CPU: 0 PID: 139 at drivers/nvme/host/pci.c:2594
+[ 127.536161] CPU: 0 PID: 139 Comm: kworker/u8:7 Not tainted 5.13.0
+[ 127.552518] Call Trace:
+[ 127.552840] ? kvm_sched_clock_read+0x25/0x40
+[ 127.553936] ? native_send_call_func_single_ipi+0x1c/0x30
+[ 127.555117] ? send_call_function_single_ipi+0x9b/0x130
+[ 127.556263] ? __smp_call_single_queue+0x48/0x60
+[ 127.557278] ? ttwu_queue_wakelist+0xfa/0x1c0
+[ 127.558231] ? try_to_wake_up+0x265/0x9d0
+[ 127.559120] ? ext4_end_io_rsv_work+0x160/0x290
+[ 127.560118] process_one_work+0x28c/0x640
+[ 127.561002] worker_thread+0x39a/0x700
+[ 127.561833] ? rescuer_thread+0x580/0x580
+[ 127.562714] kthread+0x18c/0x1e0
+[ 127.563444] ? set_kthread_struct+0x70/0x70
+[ 127.564347] ret_from_fork+0x1f/0x30
+
+The preceding problem can be easily reproduced by executing following
+script (based on blktests suite):
+test() {
+ pdev="$(_get_pci_dev_from_blkdev)"
+ sysfs="/sys/bus/pci/devices/${pdev}"
+ for ((i = 0; i < 10; i++)); do
+ echo 1 > "$sysfs/remove"
+ echo 1 > /sys/bus/pci/rescan
+ done
+}
+
+Since the device ctrl could be updated as an non-RESETTING state by
+repeating probe/remove in userspace (which is a normal situation), we
+can replace stack dumping WARN_ON with a warnning message.
+
+Fixes: 82b057caefaff ("nvme-pci: fix multiple ctrl removal schedulin")
+Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index c625da463330..fb1c5ae0da39 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -2591,7 +2591,9 @@ static void nvme_reset_work(struct work_struct *work)
+ bool was_suspend = !!(dev->ctrl.ctrl_config & NVME_CC_SHN_NORMAL);
+ int result;
+
+- if (WARN_ON(dev->ctrl.state != NVME_CTRL_RESETTING)) {
++ if (dev->ctrl.state != NVME_CTRL_RESETTING) {
++ dev_warn(dev->ctrl.device, "ctrl state %d is not RESETTING\n",
++ dev->ctrl.state);
+ result = -ENODEV;
+ goto out;
+ }
+--
+2.30.2
+
--- /dev/null
+From e6f1ce812e6851424b83c26974d5aadf7d7868fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jul 2021 10:00:11 +0200
+Subject: nvme: set the PRACT bit when using Write Zeroes with T10 PI
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit aaeb7bb061be545251606f4d9c82d710ca2a7c8e ]
+
+When using Write Zeroes on a namespace that has protection
+information enabled they behavior without the PRACT bit
+counter-intuitive and will generally lead to validation failures
+when reading the written blocks. Fix this by always setting the
+PRACT bit that generates matching PI data on the fly.
+
+Fixes: 6e02318eaea5 ("nvme: add support for the Write Zeroes command")
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Keith Busch <kbusch@kernel.org>
+Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index 66973bb56305..148e756857a8 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -880,7 +880,10 @@ static inline blk_status_t nvme_setup_write_zeroes(struct nvme_ns *ns,
+ cpu_to_le64(nvme_sect_to_lba(ns, blk_rq_pos(req)));
+ cmnd->write_zeroes.length =
+ cpu_to_le16((blk_rq_bytes(req) >> ns->lba_shift) - 1);
+- cmnd->write_zeroes.control = 0;
++ if (nvme_ns_has_pi(ns))
++ cmnd->write_zeroes.control = cpu_to_le16(NVME_RW_PRINFO_PRACT);
++ else
++ cmnd->write_zeroes.control = 0;
+ return BLK_STS_OK;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From d18292b8d5ce67eb1b10f79776d7b112b2ec1bb1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jul 2021 16:11:20 +0200
+Subject: perf data: Close all files in close_dir()
+
+From: Riccardo Mancini <rickyman7@gmail.com>
+
+[ Upstream commit d4b3eedce151e63932ce4a00f1d0baa340a8b907 ]
+
+When using 'perf report' in directory mode, the first file is not closed
+on exit, causing a memory leak.
+
+The problem is caused by the iterating variable never reaching 0.
+
+Fixes: 145520631130bd64 ("perf data: Add perf_data__(create_dir|close_dir) functions")
+Signed-off-by: Riccardo Mancini <rickyman7@gmail.com>
+Acked-by: Namhyung Kim <namhyung@kernel.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Zhen Lei <thunder.leizhen@huawei.com>
+Link: http://lore.kernel.org/lkml/20210716141122.858082-1-rickyman7@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/data.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/data.c b/tools/perf/util/data.c
+index 8fca4779ae6a..70b91ce35178 100644
+--- a/tools/perf/util/data.c
++++ b/tools/perf/util/data.c
+@@ -20,7 +20,7 @@
+
+ static void close_dir(struct perf_data_file *files, int nr)
+ {
+- while (--nr >= 1) {
++ while (--nr >= 0) {
+ close(files[nr].fd);
+ zfree(&files[nr].path);
+ }
+--
+2.30.2
+
--- /dev/null
+From e5705303dd59fa99aae6351a0cbf5ed1261db681 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 18:07:11 +0200
+Subject: perf dso: Fix memory leak in dso__new_map()
+
+From: Riccardo Mancini <rickyman7@gmail.com>
+
+[ Upstream commit 581e295a0f6b5c2931d280259fbbfff56959faa9 ]
+
+ASan reports a memory leak when running:
+
+ # perf test "65: maps__merge_in".
+
+The causes of the leaks are two, this patch addresses only the first
+one, which is related to dso__new_map().
+
+The bug is that dso__new_map() creates a new dso but never decreases the
+refcount it gets from creating it.
+
+This patch adds the missing dso__put().
+
+Signed-off-by: Riccardo Mancini <rickyman7@gmail.com>
+Fixes: d3a7c489c7fd2463 ("perf tools: Reference count struct dso")
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lore.kernel.org/lkml/60bfe0cd06e89e2ca33646eb8468d7f5de2ee597.1626343282.git.rickyman7@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/dso.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/dso.c b/tools/perf/util/dso.c
+index d786cf6b0cfa..ee15db2be2f4 100644
+--- a/tools/perf/util/dso.c
++++ b/tools/perf/util/dso.c
+@@ -1154,8 +1154,10 @@ struct map *dso__new_map(const char *name)
+ struct map *map = NULL;
+ struct dso *dso = dso__new(name);
+
+- if (dso)
++ if (dso) {
+ map = map__new2(0, dso);
++ dso__put(dso);
++ }
+
+ return map;
+ }
+--
+2.30.2
+
--- /dev/null
+From b31d2996dfbd038cbf264b24eb3a5a5abca32145 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 18:07:13 +0200
+Subject: perf env: Fix memory leak of cpu_pmu_caps
+
+From: Riccardo Mancini <rickyman7@gmail.com>
+
+[ Upstream commit da6b7c6c0626901428245f65712385805e42eba6 ]
+
+ASan reports memory leaks while running:
+
+ # perf test "83: Zstd perf.data compression/decompression"
+
+The first of the leaks is caused by env->cpu_pmu_caps not being freed.
+
+This patch adds the missing (z)free inside perf_env__exit.
+
+Signed-off-by: Riccardo Mancini <rickyman7@gmail.com>
+Fixes: 6f91ea283a1ed23e ("perf header: Support CPU PMU capabilities")
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lore.kernel.org/lkml/6ba036a8220156ec1f3d6be3e5d25920f6145028.1626343282.git.rickyman7@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/env.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/perf/util/env.c b/tools/perf/util/env.c
+index f3b90412cc70..16a111b62cc3 100644
+--- a/tools/perf/util/env.c
++++ b/tools/perf/util/env.c
+@@ -191,6 +191,7 @@ void perf_env__exit(struct perf_env *env)
+ zfree(&env->sibling_threads);
+ zfree(&env->pmu_mappings);
+ zfree(&env->cpu);
++ zfree(&env->cpu_pmu_caps);
+ zfree(&env->numa_map);
+
+ for (i = 0; i < env->nr_numa_nodes; i++)
+--
+2.30.2
+
--- /dev/null
+From 85e6a9028253e29b3af7d1704d6398d008ba301d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 18:07:07 +0200
+Subject: perf env: Fix sibling_dies memory leak
+
+From: Riccardo Mancini <rickyman7@gmail.com>
+
+[ Upstream commit 42db3d9ded555f7148b5695109a7dc8d66f0dde4 ]
+
+ASan reports a memory leak in perf_env while running:
+
+ # perf test "41: Session topology"
+
+Caused by sibling_dies not being freed.
+
+This patch adds the required free.
+
+Fixes: acae8b36cded0ee6 ("perf header: Add die information in CPU topology")
+Signed-off-by: Riccardo Mancini <rickyman7@gmail.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lore.kernel.org/lkml/2140d0b57656e4eb9021ca9772250c24c032924b.1626343282.git.rickyman7@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/env.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/perf/util/env.c b/tools/perf/util/env.c
+index bc5e4f294e9e..f3b90412cc70 100644
+--- a/tools/perf/util/env.c
++++ b/tools/perf/util/env.c
+@@ -186,6 +186,7 @@ void perf_env__exit(struct perf_env *env)
+ zfree(&env->cpuid);
+ zfree(&env->cmdline);
+ zfree(&env->cmdline_argv);
++ zfree(&env->sibling_dies);
+ zfree(&env->sibling_cores);
+ zfree(&env->sibling_threads);
+ zfree(&env->pmu_mappings);
+--
+2.30.2
+
--- /dev/null
+From 487e8d6cfccb31f6a31771ee2c57b40ae24ae99e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 18:07:06 +0200
+Subject: perf inject: Fix dso->nsinfo refcounting
+
+From: Riccardo Mancini <rickyman7@gmail.com>
+
+[ Upstream commit 0967ebffe098157180a0bbd180ac90348c6e07d7 ]
+
+ASan reports a memory leak of nsinfo during the execution of:
+
+ # perf test "31: Lookup mmap thread"
+
+The leak is caused by a refcounted variable being replaced without
+dropping the refcount.
+
+This patch makes sure that the refcnt of nsinfo is decreased when a
+refcounted variable is replaced with a new value.
+
+Signed-off-by: Riccardo Mancini <rickyman7@gmail.com>
+Fixes: 27c9c3424fc217da ("perf inject: Add --buildid-all option")
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lore.kernel.org/lkml/55223bc8821b34ccb01f92ef1401c02b6a32e61f.1626343282.git.rickyman7@gmail.com
+[ Split from a larger patch ]
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-inject.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/builtin-inject.c b/tools/perf/builtin-inject.c
+index ddccc0eb7390..614e428e4ac5 100644
+--- a/tools/perf/builtin-inject.c
++++ b/tools/perf/builtin-inject.c
+@@ -358,9 +358,10 @@ static struct dso *findnew_dso(int pid, int tid, const char *filename,
+ dso = machine__findnew_dso_id(machine, filename, id);
+ }
+
+- if (dso)
++ if (dso) {
++ nsinfo__put(dso->nsinfo);
+ dso->nsinfo = nsi;
+- else
++ } else
+ nsinfo__put(nsi);
+
+ thread__put(thread);
+--
+2.30.2
+
--- /dev/null
+From 3035c719dfbeb0a0961d951d6e26a17436ad59be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 18:07:19 +0200
+Subject: perf lzma: Close lzma stream on exit
+
+From: Riccardo Mancini <rickyman7@gmail.com>
+
+[ Upstream commit f8cbb0f926ae1e1fb5f9e51614e5437560ed4039 ]
+
+ASan reports memory leaks when running:
+
+ # perf test "88: Check open filename arg using perf trace + vfs_getname"
+
+One of these is caused by the lzma stream never being closed inside
+lzma_decompress_to_file().
+
+This patch adds the missing lzma_end().
+
+Signed-off-by: Riccardo Mancini <rickyman7@gmail.com>
+Fixes: 80a32e5b498a7547 ("perf tools: Add lzma decompression support for kernel module")
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lore.kernel.org/lkml/aaf50bdce7afe996cfc06e1bbb36e4a2a9b9db93.1626343282.git.rickyman7@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/lzma.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/tools/perf/util/lzma.c b/tools/perf/util/lzma.c
+index 39062df02629..51424cdc3b68 100644
+--- a/tools/perf/util/lzma.c
++++ b/tools/perf/util/lzma.c
+@@ -69,7 +69,7 @@ int lzma_decompress_to_file(const char *input, int output_fd)
+
+ if (ferror(infile)) {
+ pr_err("lzma: read error: %s\n", strerror(errno));
+- goto err_fclose;
++ goto err_lzma_end;
+ }
+
+ if (feof(infile))
+@@ -83,7 +83,7 @@ int lzma_decompress_to_file(const char *input, int output_fd)
+
+ if (writen(output_fd, buf_out, write_size) != write_size) {
+ pr_err("lzma: write error: %s\n", strerror(errno));
+- goto err_fclose;
++ goto err_lzma_end;
+ }
+
+ strm.next_out = buf_out;
+@@ -95,11 +95,13 @@ int lzma_decompress_to_file(const char *input, int output_fd)
+ break;
+
+ pr_err("lzma: failed %s\n", lzma_strerror(ret));
+- goto err_fclose;
++ goto err_lzma_end;
+ }
+ }
+
+ err = 0;
++err_lzma_end:
++ lzma_end(&strm);
+ err_fclose:
+ fclose(infile);
+ return err;
+--
+2.30.2
+
--- /dev/null
+From 902b249e761ac06778d97ea01e29d49a36141dce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 18:07:06 +0200
+Subject: perf map: Fix dso->nsinfo refcounting
+
+From: Riccardo Mancini <rickyman7@gmail.com>
+
+[ Upstream commit 2d6b74baa7147251c30a46c4996e8cc224aa2dc5 ]
+
+ASan reports a memory leak of nsinfo during the execution of
+
+ # perf test "31: Lookup mmap thread"
+
+The leak is caused by a refcounted variable being replaced without
+dropping the refcount.
+
+This patch makes sure that the refcnt of nsinfo is decreased whenever a
+refcounted variable is replaced with a new value.
+
+Signed-off-by: Riccardo Mancini <rickyman7@gmail.com>
+Fixes: bf2e710b3cb8445c ("perf maps: Lookup maps in both intitial mountns and inner mountns.")
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Krister Johansen <kjlx@templeofstupid.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lore.kernel.org/lkml/55223bc8821b34ccb01f92ef1401c02b6a32e61f.1626343282.git.rickyman7@gmail.com
+[ Split from a larger patch ]
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/map.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/perf/util/map.c b/tools/perf/util/map.c
+index 8af693d9678c..72e7f3616157 100644
+--- a/tools/perf/util/map.c
++++ b/tools/perf/util/map.c
+@@ -192,6 +192,8 @@ struct map *map__new(struct machine *machine, u64 start, u64 len,
+ if (!(prot & PROT_EXEC))
+ dso__set_loaded(dso);
+ }
++
++ nsinfo__put(dso->nsinfo);
+ dso->nsinfo = nsi;
+
+ if (build_id__is_defined(bid))
+--
+2.30.2
+
--- /dev/null
+From f48c3cbd4b3a765cf75523307ffdc321de4a6742 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 18:07:25 +0200
+Subject: perf probe-file: Delete namelist in del_events() on the error path
+
+From: Riccardo Mancini <rickyman7@gmail.com>
+
+[ Upstream commit e0fa7ab42232e742dcb3de9f3c1f6127b5adc019 ]
+
+ASan reports some memory leaks when running:
+
+ # perf test "42: BPF filter"
+
+This second leak is caused by a strlist not being dellocated on error
+inside probe_file__del_events.
+
+This patch adds a goto label before the deallocation and makes the error
+path jump to it.
+
+Signed-off-by: Riccardo Mancini <rickyman7@gmail.com>
+Fixes: e7895e422e4da63d ("perf probe: Split del_perf_probe_events()")
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lore.kernel.org/lkml/174963c587ae77fa108af794669998e4ae558338.1626343282.git.rickyman7@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/probe-file.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/util/probe-file.c b/tools/perf/util/probe-file.c
+index 52273542e6ef..3f6de459ac2b 100644
+--- a/tools/perf/util/probe-file.c
++++ b/tools/perf/util/probe-file.c
+@@ -342,11 +342,11 @@ int probe_file__del_events(int fd, struct strfilter *filter)
+
+ ret = probe_file__get_events(fd, filter, namelist);
+ if (ret < 0)
+- return ret;
++ goto out;
+
+ ret = probe_file__del_strlist(fd, namelist);
++out:
+ strlist__delete(namelist);
+-
+ return ret;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 24e4b406552ebc851df64c8d27c0ea3124293b65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 18:07:06 +0200
+Subject: perf probe: Fix dso->nsinfo refcounting
+
+From: Riccardo Mancini <rickyman7@gmail.com>
+
+[ Upstream commit dedeb4be203b382ba7245d13079bc3b0f6d40c65 ]
+
+ASan reports a memory leak of nsinfo during the execution of:
+
+ # perf test "31: Lookup mmap thread".
+
+The leak is caused by a refcounted variable being replaced without
+dropping the refcount.
+
+This patch makes sure that the refcnt of nsinfo is decreased whenever
+a refcounted variable is replaced with a new value.
+
+Signed-off-by: Riccardo Mancini <rickyman7@gmail.com>
+Fixes: 544abd44c7064c8a ("perf probe: Allow placing uprobes in alternate namespaces.")
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Krister Johansen <kjlx@templeofstupid.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lore.kernel.org/lkml/55223bc8821b34ccb01f92ef1401c02b6a32e61f.1626343282.git.rickyman7@gmail.com
+[ Split from a larger patch ]
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/probe-event.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/probe-event.c b/tools/perf/util/probe-event.c
+index a78c8d59a555..9cc89a047b15 100644
+--- a/tools/perf/util/probe-event.c
++++ b/tools/perf/util/probe-event.c
+@@ -180,8 +180,10 @@ struct map *get_target_map(const char *target, struct nsinfo *nsi, bool user)
+ struct map *map;
+
+ map = dso__new_map(target);
+- if (map && map->dso)
++ if (map && map->dso) {
++ nsinfo__put(map->dso->nsinfo);
+ map->dso->nsinfo = nsinfo__get(nsi);
++ }
+ return map;
+ } else {
+ return kernel_get_module_map(target);
+--
+2.30.2
+
--- /dev/null
+From a2ecdfe2c248eeb6ca09add68392972fc758915b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 18:07:14 +0200
+Subject: perf report: Free generated help strings for sort option
+
+From: Riccardo Mancini <rickyman7@gmail.com>
+
+[ Upstream commit a37338aad8c4d8676173ead14e881d2ec308155c ]
+
+ASan reports the memory leak of the strings allocated by sort_help() when
+running perf report.
+
+This patch changes the returned pointer to char* (instead of const
+char*), saves it in a temporary variable, and finally deallocates it at
+function exit.
+
+Signed-off-by: Riccardo Mancini <rickyman7@gmail.com>
+Fixes: 702fb9b415e7c99b ("perf report: Show all sort keys in help output")
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lore.kernel.org/lkml/a38b13f02812a8a6759200b9063c6191337f44d4.1626343282.git.rickyman7@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-report.c | 33 ++++++++++++++++++++++-----------
+ tools/perf/util/sort.c | 2 +-
+ tools/perf/util/sort.h | 2 +-
+ 3 files changed, 24 insertions(+), 13 deletions(-)
+
+diff --git a/tools/perf/builtin-report.c b/tools/perf/builtin-report.c
+index 36f9ccfeb38a..ce420f910ff8 100644
+--- a/tools/perf/builtin-report.c
++++ b/tools/perf/builtin-report.c
+@@ -1167,6 +1167,8 @@ int cmd_report(int argc, const char **argv)
+ .annotation_opts = annotation__default_options,
+ .skip_empty = true,
+ };
++ char *sort_order_help = sort_help("sort by key(s):");
++ char *field_order_help = sort_help("output field(s): overhead period sample ");
+ const struct option options[] = {
+ OPT_STRING('i', "input", &input_name, "file",
+ "input file name"),
+@@ -1201,9 +1203,9 @@ int cmd_report(int argc, const char **argv)
+ OPT_BOOLEAN(0, "header-only", &report.header_only,
+ "Show only data header."),
+ OPT_STRING('s', "sort", &sort_order, "key[,key2...]",
+- sort_help("sort by key(s):")),
++ sort_order_help),
+ OPT_STRING('F', "fields", &field_order, "key[,keys...]",
+- sort_help("output field(s): overhead period sample ")),
++ field_order_help),
+ OPT_BOOLEAN(0, "show-cpu-utilization", &symbol_conf.show_cpu_utilization,
+ "Show sample percentage for different cpu modes"),
+ OPT_BOOLEAN_FLAG(0, "showcpuutilization", &symbol_conf.show_cpu_utilization,
+@@ -1336,11 +1338,11 @@ int cmd_report(int argc, const char **argv)
+ char sort_tmp[128];
+
+ if (ret < 0)
+- return ret;
++ goto exit;
+
+ ret = perf_config(report__config, &report);
+ if (ret)
+- return ret;
++ goto exit;
+
+ argc = parse_options(argc, argv, options, report_usage, 0);
+ if (argc) {
+@@ -1354,8 +1356,10 @@ int cmd_report(int argc, const char **argv)
+ report.symbol_filter_str = argv[0];
+ }
+
+- if (annotate_check_args(&report.annotation_opts) < 0)
+- return -EINVAL;
++ if (annotate_check_args(&report.annotation_opts) < 0) {
++ ret = -EINVAL;
++ goto exit;
++ }
+
+ if (report.mmaps_mode)
+ report.tasks_mode = true;
+@@ -1369,12 +1373,14 @@ int cmd_report(int argc, const char **argv)
+ if (symbol_conf.vmlinux_name &&
+ access(symbol_conf.vmlinux_name, R_OK)) {
+ pr_err("Invalid file: %s\n", symbol_conf.vmlinux_name);
+- return -EINVAL;
++ ret = -EINVAL;
++ goto exit;
+ }
+ if (symbol_conf.kallsyms_name &&
+ access(symbol_conf.kallsyms_name, R_OK)) {
+ pr_err("Invalid file: %s\n", symbol_conf.kallsyms_name);
+- return -EINVAL;
++ ret = -EINVAL;
++ goto exit;
+ }
+
+ if (report.inverted_callchain)
+@@ -1398,12 +1404,14 @@ int cmd_report(int argc, const char **argv)
+
+ repeat:
+ session = perf_session__new(&data, false, &report.tool);
+- if (IS_ERR(session))
+- return PTR_ERR(session);
++ if (IS_ERR(session)) {
++ ret = PTR_ERR(session);
++ goto exit;
++ }
+
+ ret = evswitch__init(&report.evswitch, session->evlist, stderr);
+ if (ret)
+- return ret;
++ goto exit;
+
+ if (zstd_init(&(session->zstd_data), 0) < 0)
+ pr_warning("Decompression initialization failed. Reported data may be incomplete.\n");
+@@ -1638,5 +1646,8 @@ error:
+
+ zstd_fini(&(session->zstd_data));
+ perf_session__delete(session);
++exit:
++ free(sort_order_help);
++ free(field_order_help);
+ return ret;
+ }
+diff --git a/tools/perf/util/sort.c b/tools/perf/util/sort.c
+index 88ce47f2547e..568a88c001c6 100644
+--- a/tools/perf/util/sort.c
++++ b/tools/perf/util/sort.c
+@@ -3370,7 +3370,7 @@ static void add_hpp_sort_string(struct strbuf *sb, struct hpp_dimension *s, int
+ add_key(sb, s[i].name, llen);
+ }
+
+-const char *sort_help(const char *prefix)
++char *sort_help(const char *prefix)
+ {
+ struct strbuf sb;
+ char *s;
+diff --git a/tools/perf/util/sort.h b/tools/perf/util/sort.h
+index 87a092645aa7..b67c469aba79 100644
+--- a/tools/perf/util/sort.h
++++ b/tools/perf/util/sort.h
+@@ -302,7 +302,7 @@ void reset_output_field(void);
+ void sort__setup_elide(FILE *fp);
+ void perf_hpp__set_elide(int idx, bool elide);
+
+-const char *sort_help(const char *prefix);
++char *sort_help(const char *prefix);
+
+ int report_parse_ignore_callees_opt(const struct option *opt, const char *arg, int unset);
+
+--
+2.30.2
+
--- /dev/null
+From 93e0db86dd4062835dbbb6da142ce0a25c941016 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jul 2021 19:23:58 +0800
+Subject: perf sched: Fix record failure when CONFIG_SCHEDSTATS is not set
+
+From: Yang Jihong <yangjihong1@huawei.com>
+
+[ Upstream commit b0f008551f0bf4d5f6db9b5f0e071b02790d6a2e ]
+
+The tracepoints trace_sched_stat_{wait, sleep, iowait} are not exposed to user
+if CONFIG_SCHEDSTATS is not set, "perf sched record" records the three events.
+As a result, the command fails.
+
+Before:
+
+ #perf sched record sleep 1
+ event syntax error: 'sched:sched_stat_wait'
+ \___ unknown tracepoint
+
+ Error: File /sys/kernel/tracing/events/sched/sched_stat_wait not found.
+ Hint: Perhaps this kernel misses some CONFIG_ setting to enable this feature?.
+
+ Run 'perf list' for a list of valid events
+
+ Usage: perf record [<options>] [<command>]
+ or: perf record [<options>] -- <command> [<options>]
+
+ -e, --event <event> event selector. use 'perf list' to list available events
+
+Solution:
+ Check whether schedstat tracepoints are exposed. If no, these events are not recorded.
+
+After:
+ # perf sched record sleep 1
+ [ perf record: Woken up 1 times to write data ]
+ [ perf record: Captured and wrote 0.163 MB perf.data (1091 samples) ]
+ # perf sched report
+ run measurement overhead: 4736 nsecs
+ sleep measurement overhead: 9059979 nsecs
+ the run test took 999854 nsecs
+ the sleep test took 8945271 nsecs
+ nr_run_events: 716
+ nr_sleep_events: 785
+ nr_wakeup_events: 0
+ ...
+ ------------------------------------------------------------
+
+Fixes: 2a09b5de235a6 ("sched/fair: do not expose some tracepoints to user if CONFIG_SCHEDSTATS is not set")
+Signed-off-by: Yang Jihong <yangjihong1@huawei.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Cc: Yafang Shao <laoar.shao@gmail.com>
+Link: http://lore.kernel.org/lkml/20210713112358.194693-1-yangjihong1@huawei.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-sched.c | 33 +++++++++++++++++++++++++++++----
+ 1 file changed, 29 insertions(+), 4 deletions(-)
+
+diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c
+index 954ce2f594e9..3e5b7faf0c16 100644
+--- a/tools/perf/builtin-sched.c
++++ b/tools/perf/builtin-sched.c
+@@ -3335,6 +3335,16 @@ static void setup_sorting(struct perf_sched *sched, const struct option *options
+ sort_dimension__add("pid", &sched->cmp_pid);
+ }
+
++static bool schedstat_events_exposed(void)
++{
++ /*
++ * Select "sched:sched_stat_wait" event to check
++ * whether schedstat tracepoints are exposed.
++ */
++ return IS_ERR(trace_event__tp_format("sched", "sched_stat_wait")) ?
++ false : true;
++}
++
+ static int __cmd_record(int argc, const char **argv)
+ {
+ unsigned int rec_argc, i, j;
+@@ -3346,21 +3356,33 @@ static int __cmd_record(int argc, const char **argv)
+ "-m", "1024",
+ "-c", "1",
+ "-e", "sched:sched_switch",
+- "-e", "sched:sched_stat_wait",
+- "-e", "sched:sched_stat_sleep",
+- "-e", "sched:sched_stat_iowait",
+ "-e", "sched:sched_stat_runtime",
+ "-e", "sched:sched_process_fork",
+ "-e", "sched:sched_wakeup_new",
+ "-e", "sched:sched_migrate_task",
+ };
++
++ /*
++ * The tracepoints trace_sched_stat_{wait, sleep, iowait}
++ * are not exposed to user if CONFIG_SCHEDSTATS is not set,
++ * to prevent "perf sched record" execution failure, determine
++ * whether to record schedstat events according to actual situation.
++ */
++ const char * const schedstat_args[] = {
++ "-e", "sched:sched_stat_wait",
++ "-e", "sched:sched_stat_sleep",
++ "-e", "sched:sched_stat_iowait",
++ };
++ unsigned int schedstat_argc = schedstat_events_exposed() ?
++ ARRAY_SIZE(schedstat_args) : 0;
++
+ struct tep_event *waking_event;
+
+ /*
+ * +2 for either "-e", "sched:sched_wakeup" or
+ * "-e", "sched:sched_waking"
+ */
+- rec_argc = ARRAY_SIZE(record_args) + 2 + argc - 1;
++ rec_argc = ARRAY_SIZE(record_args) + 2 + schedstat_argc + argc - 1;
+ rec_argv = calloc(rec_argc + 1, sizeof(char *));
+
+ if (rec_argv == NULL)
+@@ -3376,6 +3398,9 @@ static int __cmd_record(int argc, const char **argv)
+ else
+ rec_argv[i++] = strdup("sched:sched_wakeup");
+
++ for (j = 0; j < schedstat_argc; j++)
++ rec_argv[i++] = strdup(schedstat_args[j]);
++
+ for (j = 1; j < (unsigned int)argc; j++, i++)
+ rec_argv[i] = argv[j];
+
+--
+2.30.2
+
--- /dev/null
+From 647163832bf833cf7320cb62d1e33a4cb660fcc2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 18:07:18 +0200
+Subject: perf script: Fix memory 'threads' and 'cpus' leaks on exit
+
+From: Riccardo Mancini <rickyman7@gmail.com>
+
+[ Upstream commit faf3ac305d61341c74e5cdd9e41daecce7f67bfe ]
+
+ASan reports several memory leaks while running:
+
+ # perf test "82: Use vfs_getname probe to get syscall args filenames"
+
+Two of these are caused by some refcounts not being decreased on
+perf-script exit, namely script.threads and script.cpus.
+
+This patch adds the missing __put calls in a new perf_script__exit
+function, which is called at the end of cmd_script.
+
+This patch concludes the fixes of all remaining memory leaks in perf
+test "82: Use vfs_getname probe to get syscall args filenames".
+
+Signed-off-by: Riccardo Mancini <rickyman7@gmail.com>
+Fixes: cfc8874a48599249 ("perf script: Process cpu/threads maps")
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lore.kernel.org/lkml/5ee73b19791c6fa9d24c4d57f4ac1a23609400d7.1626343282.git.rickyman7@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-script.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/tools/perf/builtin-script.c b/tools/perf/builtin-script.c
+index 8a6656ab835b..c43c2963117d 100644
+--- a/tools/perf/builtin-script.c
++++ b/tools/perf/builtin-script.c
+@@ -2534,6 +2534,12 @@ static void perf_script__exit_per_event_dump_stats(struct perf_script *script)
+ }
+ }
+
++static void perf_script__exit(struct perf_script *script)
++{
++ perf_thread_map__put(script->threads);
++ perf_cpu_map__put(script->cpus);
++}
++
+ static int __cmd_script(struct perf_script *script)
+ {
+ int ret;
+@@ -3994,6 +4000,7 @@ out_delete:
+ zstd_fini(&(session->zstd_data));
+ evlist__free_stats(session->evlist);
+ perf_session__delete(session);
++ perf_script__exit(&script);
+
+ if (script_started)
+ cleanup_scripting();
+--
+2.30.2
+
--- /dev/null
+From c7af91b89950c0fe6ce26ebcdc936fcdb5aba993 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 18:07:17 +0200
+Subject: perf script: Release zstd data
+
+From: Riccardo Mancini <rickyman7@gmail.com>
+
+[ Upstream commit 1b1f57cf9e4c8eb16c8f6b2ce12cc5dd3517fc61 ]
+
+ASan reports several memory leak while running:
+
+ # perf test "82: Use vfs_getname probe to get syscall args filenames"
+
+One of the leaks is caused by zstd data not being released on exit in
+perf-script.
+
+This patch adds the missing zstd_fini().
+
+Signed-off-by: Riccardo Mancini <rickyman7@gmail.com>
+Fixes: b13b04d9382113f7 ("perf script: Initialize zstd_data")
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Milian Wolff <milian.wolff@kdab.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lore.kernel.org/lkml/39388e8cc2f85ca219ea18697a17b7bd8f74b693.1626343282.git.rickyman7@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-script.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/perf/builtin-script.c b/tools/perf/builtin-script.c
+index 1280cbfad4db..8a6656ab835b 100644
+--- a/tools/perf/builtin-script.c
++++ b/tools/perf/builtin-script.c
+@@ -3991,6 +3991,7 @@ out_delete:
+ zfree(&script.ptime_range);
+ }
+
++ zstd_fini(&(session->zstd_data));
+ evlist__free_stats(session->evlist);
+ perf_session__delete(session);
+
+--
+2.30.2
+
--- /dev/null
+From 5b3ecd812a8f546accd209ac0219522874a482fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 18:07:09 +0200
+Subject: perf test event_update: Fix memory leak of evlist
+
+From: Riccardo Mancini <rickyman7@gmail.com>
+
+[ Upstream commit fc56f54f6fcd5337634f4545af6459613129b432 ]
+
+ASan reports a memory leak when running:
+
+ # perf test "49: Synthesize attr update"
+
+Caused by evlist not being deleted.
+
+This patch adds the missing evlist__delete and removes the
+perf_cpu_map__put since it's already being deleted by evlist__delete.
+
+Signed-off-by: Riccardo Mancini <rickyman7@gmail.com>
+Fixes: a6e5281780d1da65 ("perf tools: Add event_update event unit type")
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lore.kernel.org/lkml/f7994ad63d248f7645f901132d208fadf9f2b7e4.1626343282.git.rickyman7@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/tests/event_update.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/tests/event_update.c b/tools/perf/tests/event_update.c
+index 656218179222..932ab0740d11 100644
+--- a/tools/perf/tests/event_update.c
++++ b/tools/perf/tests/event_update.c
+@@ -118,6 +118,6 @@ int test__event_update(struct test *test __maybe_unused, int subtest __maybe_unu
+ TEST_ASSERT_VAL("failed to synthesize attr update cpus",
+ !perf_event__synthesize_event_update_cpus(&tmp.tool, evsel, process_event_cpus));
+
+- perf_cpu_map__put(evsel->core.own_cpus);
++ evlist__delete(evlist);
+ return 0;
+ }
+--
+2.30.2
+
--- /dev/null
+From 1dc38f156ad7cbd5c4c2253c7367a5447e2fa75a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 18:07:10 +0200
+Subject: perf test event_update: Fix memory leak of unit
+
+From: Riccardo Mancini <rickyman7@gmail.com>
+
+[ Upstream commit dccfca926c351ba0893af4c8b481477bdb2881a4 ]
+
+ASan reports a memory leak while running:
+
+ # perf test "49: Synthesize attr update"
+
+Caused by a string being duplicated but never freed.
+
+This patch adds the missing free().
+
+Note that evsel->unit is not deallocated together with evsel since it is
+supposed to be a constant string.
+
+Signed-off-by: Riccardo Mancini <rickyman7@gmail.com>
+Fixes: a6e5281780d1da65 ("perf tools: Add event_update event unit type")
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lore.kernel.org/lkml/1fbc8158663fb0d4d5392e36bae564f6ad60be3c.1626343282.git.rickyman7@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/tests/event_update.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/tests/event_update.c b/tools/perf/tests/event_update.c
+index 932ab0740d11..44a50527f9d9 100644
+--- a/tools/perf/tests/event_update.c
++++ b/tools/perf/tests/event_update.c
+@@ -88,6 +88,7 @@ int test__event_update(struct test *test __maybe_unused, int subtest __maybe_unu
+ struct evsel *evsel;
+ struct event_name tmp;
+ struct evlist *evlist = evlist__new_default();
++ char *unit = strdup("KRAVA");
+
+ TEST_ASSERT_VAL("failed to get evlist", evlist);
+
+@@ -98,7 +99,7 @@ int test__event_update(struct test *test __maybe_unused, int subtest __maybe_unu
+
+ perf_evlist__id_add(&evlist->core, &evsel->core, 0, 0, 123);
+
+- evsel->unit = strdup("KRAVA");
++ evsel->unit = unit;
+
+ TEST_ASSERT_VAL("failed to synthesize attr update unit",
+ !perf_event__synthesize_event_update_unit(NULL, evsel, process_event_unit));
+@@ -118,6 +119,7 @@ int test__event_update(struct test *test __maybe_unused, int subtest __maybe_unu
+ TEST_ASSERT_VAL("failed to synthesize attr update cpus",
+ !perf_event__synthesize_event_update_cpus(&tmp.tool, evsel, process_event_cpus));
+
++ free(unit);
+ evlist__delete(evlist);
+ return 0;
+ }
+--
+2.30.2
+
--- /dev/null
+From 7e934c4ff7acf9c91e5291049f04ec89b2990e60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 18:07:12 +0200
+Subject: perf test maps__merge_in: Fix memory leak of maps
+
+From: Riccardo Mancini <rickyman7@gmail.com>
+
+[ Upstream commit 244d1797c8c8e850b8de7992af713aa5c70d5650 ]
+
+ASan reports a memory leak when running:
+
+ # perf test "65: maps__merge_in"
+
+This is the second and final patch addressing these memory leaks.
+
+This time, the problem is simply that the maps object is never
+destructed.
+
+This patch adds the missing maps__exit call.
+
+Signed-off-by: Riccardo Mancini <rickyman7@gmail.com>
+Fixes: 79b6bb73f888933c ("perf maps: Merge 'struct maps' with 'struct map_groups'")
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lore.kernel.org/lkml/a1a29b97a58738987d150e94d4ebfad0282fb038.1626343282.git.rickyman7@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/tests/maps.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/perf/tests/maps.c b/tools/perf/tests/maps.c
+index edcbc70ff9d6..1ac72919fa35 100644
+--- a/tools/perf/tests/maps.c
++++ b/tools/perf/tests/maps.c
+@@ -116,5 +116,7 @@ int test__maps__merge_in(struct test *t __maybe_unused, int subtest __maybe_unus
+
+ ret = check_maps(merged3, ARRAY_SIZE(merged3), &maps);
+ TEST_ASSERT_VAL("merge check failed", !ret);
++
++ maps__exit(&maps);
+ return TEST_OK;
+ }
+--
+2.30.2
+
--- /dev/null
+From 0f16ee3b21dc62324d2604f5484fe423e3bbb862 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 18:07:08 +0200
+Subject: perf test session_topology: Delete session->evlist
+
+From: Riccardo Mancini <rickyman7@gmail.com>
+
+[ Upstream commit 233f2dc1c284337286f9a64c0152236779a42f6c ]
+
+ASan reports a memory leak related to session->evlist while running:
+
+ # perf test "41: Session topology".
+
+When perf_data is in write mode, session->evlist is owned by the caller,
+which should also take care of deleting it.
+
+This patch adds the missing evlist__delete().
+
+Signed-off-by: Riccardo Mancini <rickyman7@gmail.com>
+Fixes: c84974ed9fb67293 ("perf test: Add entry to test cpu topology")
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Kan Liang <kan.liang@intel.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lore.kernel.org/lkml/822f741f06eb25250fb60686cf30a35f447e9e91.1626343282.git.rickyman7@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/tests/topology.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/perf/tests/topology.c b/tools/perf/tests/topology.c
+index ec4e3b21b831..b5efe675b321 100644
+--- a/tools/perf/tests/topology.c
++++ b/tools/perf/tests/topology.c
+@@ -61,6 +61,7 @@ static int session_write_header(char *path)
+ TEST_ASSERT_VAL("failed to write header",
+ !perf_session__write_header(session, session->evlist, data.file.fd, true));
+
++ evlist__delete(session->evlist);
+ perf_session__delete(session);
+
+ return 0;
+--
+2.30.2
+
--- /dev/null
+From 1894f079302d9e21e0d10206b2fe92eee4e44f22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Jun 2021 18:54:38 -0700
+Subject: proc: Avoid mixing integer types in mem_rw()
+
+From: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
+
+[ Upstream commit d238692b4b9f2c36e35af4c6e6f6da36184aeb3e ]
+
+Use size_t when capping the count argument received by mem_rw(). Since
+count is size_t, using min_t(int, ...) can lead to a negative value
+that will later be passed to access_remote_vm(), which can cause
+unexpected behavior.
+
+Since we are capping the value to at maximum PAGE_SIZE, the conversion
+from size_t to int when passing it to access_remote_vm() as "len"
+shouldn't be a problem.
+
+Link: https://lkml.kernel.org/r/20210512125215.3348316-1-marcelo.cerri@canonical.com
+Reviewed-by: David Disseldorp <ddiss@suse.de>
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: Souza Cascardo <cascardo@canonical.com>
+Cc: Christian Brauner <christian.brauner@ubuntu.com>
+Cc: Michel Lespinasse <walken@google.com>
+Cc: Helge Deller <deller@gmx.de>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Lorenzo Stoakes <lstoakes@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/proc/base.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/proc/base.c b/fs/proc/base.c
+index 9cbd915025ad..a0a2fc1c9da2 100644
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -854,7 +854,7 @@ static ssize_t mem_rw(struct file *file, char __user *buf,
+ flags = FOLL_FORCE | (write ? FOLL_WRITE : 0);
+
+ while (count > 0) {
+- int this_len = min_t(int, count, PAGE_SIZE);
++ size_t this_len = min_t(size_t, count, PAGE_SIZE);
+
+ if (write && copy_from_user(page, buf, this_len)) {
+ copied = -EFAULT;
+--
+2.30.2
+
--- /dev/null
+From 532d2b8d4eb9874ee48994367547ba1985cceb90 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Jul 2021 10:27:51 +0200
+Subject: pwm: sprd: Ensure configuring period and duty_cycle isn't wrongly
+ skipped
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit 65e2e6c1c20104ed19060a38f4edbf14e9f9a9a5 ]
+
+As the last call to sprd_pwm_apply() might have exited early if
+state->enabled was false, the values for period and duty_cycle stored in
+pwm->state might not have been written to hardware and it must be
+ensured that they are configured before enabling the PWM.
+
+Fixes: 8aae4b02e8a6 ("pwm: sprd: Add Spreadtrum PWM support")
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pwm/pwm-sprd.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/pwm/pwm-sprd.c b/drivers/pwm/pwm-sprd.c
+index 98c479dfae31..3041f0b3bbb6 100644
+--- a/drivers/pwm/pwm-sprd.c
++++ b/drivers/pwm/pwm-sprd.c
+@@ -183,13 +183,10 @@ static int sprd_pwm_apply(struct pwm_chip *chip, struct pwm_device *pwm,
+ }
+ }
+
+- if (state->period != cstate->period ||
+- state->duty_cycle != cstate->duty_cycle) {
+- ret = sprd_pwm_config(spc, pwm, state->duty_cycle,
+- state->period);
+- if (ret)
+- return ret;
+- }
++ ret = sprd_pwm_config(spc, pwm, state->duty_cycle,
++ state->period);
++ if (ret)
++ return ret;
+
+ sprd_pwm_write(spc, pwm->hwpwm, SPRD_PWM_ENABLE, 1);
+ } else if (cstate->enabled) {
+--
+2.30.2
+
--- /dev/null
+From 60062f6eb37fb568d4d9e58d3d8056683864d209 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Jul 2021 17:17:40 +0100
+Subject: r8169: Avoid duplicate sysfs entry creation error
+
+From: Sayanta Pattanayak <sayanta.pattanayak@arm.com>
+
+[ Upstream commit e9a72f874d5b95cef0765bafc56005a50f72c5fe ]
+
+When registering the MDIO bus for a r8169 device, we use the PCI
+bus/device specifier as a (seemingly) unique device identifier.
+However the very same BDF number can be used on another PCI segment,
+which makes the driver fail probing:
+
+[ 27.544136] r8169 0002:07:00.0: enabling device (0000 -> 0003)
+[ 27.559734] sysfs: cannot create duplicate filename '/class/mdio_bus/r8169-700'
+....
+[ 27.684858] libphy: mii_bus r8169-700 failed to register
+[ 27.695602] r8169: probe of 0002:07:00.0 failed with error -22
+
+Add the segment number to the device name to make it more unique.
+
+This fixes operation on ARM N1SDP boards, with two boards connected
+together to form an SMP system, and all on-board devices showing up
+twice, just on different PCI segments. A similar issue would occur on
+large systems with many PCI slots and multiple RTL8169 NICs.
+
+Fixes: f1e911d5d0dfd ("r8169: add basic phylib support")
+Signed-off-by: Sayanta Pattanayak <sayanta.pattanayak@arm.com>
+[Andre: expand commit message, use pci_domain_nr()]
+Signed-off-by: Andre Przywara <andre.przywara@arm.com>
+Acked-by: Heiner Kallweit <hkallweit1@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/realtek/r8169_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c
+index a0d4e052a79e..b8eb1b2a8de3 100644
+--- a/drivers/net/ethernet/realtek/r8169_main.c
++++ b/drivers/net/ethernet/realtek/r8169_main.c
+@@ -5085,7 +5085,8 @@ static int r8169_mdio_register(struct rtl8169_private *tp)
+ new_bus->priv = tp;
+ new_bus->parent = &pdev->dev;
+ new_bus->irq[0] = PHY_MAC_INTERRUPT;
+- snprintf(new_bus->id, MII_BUS_ID_SIZE, "r8169-%x", pci_dev_id(pdev));
++ snprintf(new_bus->id, MII_BUS_ID_SIZE, "r8169-%x-%x",
++ pci_domain_nr(pdev->bus), pci_dev_id(pdev));
+
+ new_bus->read = r8169_mdio_read_reg;
+ new_bus->write = r8169_mdio_write_reg;
+--
+2.30.2
+
--- /dev/null
+From 3f491eb12e467487a2fd113634cb158401b92041 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Jun 2021 17:59:59 +0800
+Subject: regulator: hi6421: Fix getting wrong drvdata
+
+From: Axel Lin <axel.lin@ingics.com>
+
+[ Upstream commit 1c73daee4bf30ccdff5e86dc400daa6f74735da5 ]
+
+Since config.dev = pdev->dev.parent in current code, so
+dev_get_drvdata(rdev->dev.parent) call in hi6421_regulator_enable
+returns the drvdata of the mfd device rather than the regulator. Fix it.
+
+This was broken while converting to use simplified DT parsing because the
+config.dev changed from pdev->dev to pdev->dev.parent for parsing the
+parent's of_node.
+
+Fixes: 29dc269a85ef ("regulator: hi6421: Convert to use simplified DT parsing")
+Signed-off-by: Axel Lin <axel.lin@ingics.com>
+Link: https://lore.kernel.org/r/20210630095959.2411543-1-axel.lin@ingics.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/hi6421-regulator.c | 22 +++++++++++++---------
+ 1 file changed, 13 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/regulator/hi6421-regulator.c b/drivers/regulator/hi6421-regulator.c
+index bff8c515dcde..d144a4bdb76d 100644
+--- a/drivers/regulator/hi6421-regulator.c
++++ b/drivers/regulator/hi6421-regulator.c
+@@ -366,9 +366,8 @@ static struct hi6421_regulator_info
+
+ static int hi6421_regulator_enable(struct regulator_dev *rdev)
+ {
+- struct hi6421_regulator_pdata *pdata;
++ struct hi6421_regulator_pdata *pdata = rdev_get_drvdata(rdev);
+
+- pdata = dev_get_drvdata(rdev->dev.parent);
+ /* hi6421 spec requires regulator enablement must be serialized:
+ * - Because when BUCK, LDO switching from off to on, it will have
+ * a huge instantaneous current; so you can not turn on two or
+@@ -385,9 +384,10 @@ static int hi6421_regulator_enable(struct regulator_dev *rdev)
+
+ static unsigned int hi6421_regulator_ldo_get_mode(struct regulator_dev *rdev)
+ {
+- struct hi6421_regulator_info *info = rdev_get_drvdata(rdev);
++ struct hi6421_regulator_info *info;
+ unsigned int reg_val;
+
++ info = container_of(rdev->desc, struct hi6421_regulator_info, desc);
+ regmap_read(rdev->regmap, rdev->desc->enable_reg, ®_val);
+ if (reg_val & info->mode_mask)
+ return REGULATOR_MODE_IDLE;
+@@ -397,9 +397,10 @@ static unsigned int hi6421_regulator_ldo_get_mode(struct regulator_dev *rdev)
+
+ static unsigned int hi6421_regulator_buck_get_mode(struct regulator_dev *rdev)
+ {
+- struct hi6421_regulator_info *info = rdev_get_drvdata(rdev);
++ struct hi6421_regulator_info *info;
+ unsigned int reg_val;
+
++ info = container_of(rdev->desc, struct hi6421_regulator_info, desc);
+ regmap_read(rdev->regmap, rdev->desc->enable_reg, ®_val);
+ if (reg_val & info->mode_mask)
+ return REGULATOR_MODE_STANDBY;
+@@ -410,9 +411,10 @@ static unsigned int hi6421_regulator_buck_get_mode(struct regulator_dev *rdev)
+ static int hi6421_regulator_ldo_set_mode(struct regulator_dev *rdev,
+ unsigned int mode)
+ {
+- struct hi6421_regulator_info *info = rdev_get_drvdata(rdev);
++ struct hi6421_regulator_info *info;
+ unsigned int new_mode;
+
++ info = container_of(rdev->desc, struct hi6421_regulator_info, desc);
+ switch (mode) {
+ case REGULATOR_MODE_NORMAL:
+ new_mode = 0;
+@@ -434,9 +436,10 @@ static int hi6421_regulator_ldo_set_mode(struct regulator_dev *rdev,
+ static int hi6421_regulator_buck_set_mode(struct regulator_dev *rdev,
+ unsigned int mode)
+ {
+- struct hi6421_regulator_info *info = rdev_get_drvdata(rdev);
++ struct hi6421_regulator_info *info;
+ unsigned int new_mode;
+
++ info = container_of(rdev->desc, struct hi6421_regulator_info, desc);
+ switch (mode) {
+ case REGULATOR_MODE_NORMAL:
+ new_mode = 0;
+@@ -459,7 +462,9 @@ static unsigned int
+ hi6421_regulator_ldo_get_optimum_mode(struct regulator_dev *rdev,
+ int input_uV, int output_uV, int load_uA)
+ {
+- struct hi6421_regulator_info *info = rdev_get_drvdata(rdev);
++ struct hi6421_regulator_info *info;
++
++ info = container_of(rdev->desc, struct hi6421_regulator_info, desc);
+
+ if (load_uA > info->eco_microamp)
+ return REGULATOR_MODE_NORMAL;
+@@ -543,14 +548,13 @@ static int hi6421_regulator_probe(struct platform_device *pdev)
+ if (!pdata)
+ return -ENOMEM;
+ mutex_init(&pdata->lock);
+- platform_set_drvdata(pdev, pdata);
+
+ for (i = 0; i < ARRAY_SIZE(hi6421_regulator_info); i++) {
+ /* assign per-regulator data */
+ info = &hi6421_regulator_info[i];
+
+ config.dev = pdev->dev.parent;
+- config.driver_data = info;
++ config.driver_data = pdata;
+ config.regmap = pmic->regmap;
+
+ rdev = devm_regulator_register(&pdev->dev, &info->desc,
+--
+2.30.2
+
--- /dev/null
+From 4ede73473ab44fef23dcebab32fa608aa6a463d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Jun 2021 20:41:33 +0800
+Subject: regulator: hi6421: Use correct variable type for regmap api val
+ argument
+
+From: Axel Lin <axel.lin@ingics.com>
+
+[ Upstream commit ae60e6a9d24e89a74e2512204ad04de94921bdd2 ]
+
+Use unsigned int instead of u32 for regmap_read/regmap_update_bits val
+argument.
+
+Signed-off-by: Axel Lin <axel.lin@ingics.com>
+Link: https://lore.kernel.org/r/20210619124133.4096683-1-axel.lin@ingics.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/hi6421-regulator.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/regulator/hi6421-regulator.c b/drivers/regulator/hi6421-regulator.c
+index dc631c1a46b4..bff8c515dcde 100644
+--- a/drivers/regulator/hi6421-regulator.c
++++ b/drivers/regulator/hi6421-regulator.c
+@@ -386,7 +386,7 @@ static int hi6421_regulator_enable(struct regulator_dev *rdev)
+ static unsigned int hi6421_regulator_ldo_get_mode(struct regulator_dev *rdev)
+ {
+ struct hi6421_regulator_info *info = rdev_get_drvdata(rdev);
+- u32 reg_val;
++ unsigned int reg_val;
+
+ regmap_read(rdev->regmap, rdev->desc->enable_reg, ®_val);
+ if (reg_val & info->mode_mask)
+@@ -398,7 +398,7 @@ static unsigned int hi6421_regulator_ldo_get_mode(struct regulator_dev *rdev)
+ static unsigned int hi6421_regulator_buck_get_mode(struct regulator_dev *rdev)
+ {
+ struct hi6421_regulator_info *info = rdev_get_drvdata(rdev);
+- u32 reg_val;
++ unsigned int reg_val;
+
+ regmap_read(rdev->regmap, rdev->desc->enable_reg, ®_val);
+ if (reg_val & info->mode_mask)
+@@ -411,7 +411,7 @@ static int hi6421_regulator_ldo_set_mode(struct regulator_dev *rdev,
+ unsigned int mode)
+ {
+ struct hi6421_regulator_info *info = rdev_get_drvdata(rdev);
+- u32 new_mode;
++ unsigned int new_mode;
+
+ switch (mode) {
+ case REGULATOR_MODE_NORMAL:
+@@ -435,7 +435,7 @@ static int hi6421_regulator_buck_set_mode(struct regulator_dev *rdev,
+ unsigned int mode)
+ {
+ struct hi6421_regulator_info *info = rdev_get_drvdata(rdev);
+- u32 new_mode;
++ unsigned int new_mode;
+
+ switch (mode) {
+ case REGULATOR_MODE_NORMAL:
+--
+2.30.2
+
--- /dev/null
+From 3eb6ea52bc28b00a79422675b42bfb8cf57362ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jul 2021 11:25:16 +0200
+Subject: Revert "USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE
+ modem"
+
+From: Vincent Palatin <vpalatin@chromium.org>
+
+[ Upstream commit f3a1a937f7b240be623d989c8553a6d01465d04f ]
+
+This reverts commit 0bd860493f81eb2a46173f6f5e44cc38331c8dbd.
+
+While the patch was working as stated,ie preventing the L850-GL LTE modem
+from crashing on some U3 wake-ups due to a race condition between the
+host wake-up and the modem-side wake-up, when using the MBIM interface,
+this would force disabling the USB runtime PM on the device.
+
+The increased power consumption is significant for LTE laptops,
+and given that with decently recent modem firmwares, when the modem hits
+the bug, it automatically recovers (ie it drops from the bus, but
+automatically re-enumerates after less than half a second, rather than being
+stuck until a power cycle as it was doing with ancient firmware), for
+most people, the trade-off now seems in favor of re-enabling it by
+default.
+
+For people with access to the platform code, the bug can also be worked-around
+successfully by changing the USB3 LFPM polling off-time for the XHCI
+controller in the BIOS code.
+
+Signed-off-by: Vincent Palatin <vpalatin@chromium.org>
+Link: https://lore.kernel.org/r/20210721092516.2775971-1-vpalatin@chromium.org
+Fixes: 0bd860493f81 ("USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE modem")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/core/quirks.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c
+index 21e7522655ac..a54a735b6384 100644
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -502,10 +502,6 @@ static const struct usb_device_id usb_quirk_list[] = {
+ /* DJI CineSSD */
+ { USB_DEVICE(0x2ca3, 0x0031), .driver_info = USB_QUIRK_NO_LPM },
+
+- /* Fibocom L850-GL LTE Modem */
+- { USB_DEVICE(0x2cb7, 0x0007), .driver_info =
+- USB_QUIRK_IGNORE_REMOTE_WAKEUP },
+-
+ /* INTEL VALUE SSD */
+ { USB_DEVICE(0x8086, 0xf1a5), .driver_info = USB_QUIRK_RESET_RESUME },
+
+--
+2.30.2
+
--- /dev/null
+From 466b30138b3e9cb57189bf8c86291241ae97f297 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Jun 2021 15:40:18 +0200
+Subject: RISC-V: load initrd wherever it fits into memory
+
+From: Heinrich Schuchardt <xypron.glpk@gmx.de>
+
+[ Upstream commit c79e89ecaa246c880292ba68cbe08c9c30db77e3 ]
+
+Requiring that initrd is loaded below RAM start + 256 MiB led to failure
+to boot SUSE Linux with GRUB on QEMU, cf.
+https://lists.gnu.org/archive/html/grub-devel/2021-06/msg00037.html
+
+Remove the constraint.
+
+Reported-by: Andreas Schwab <schwab@linux-m68k.org>
+Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
+Reviewed-by: Atish Patra <atish.patra@wdc.com>
+Acked-by: Ard Biesheuvel <ardb@kernel.org>
+Fixes: d7071743db31 ("RISC-V: Add EFI stub support.")
+Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/include/asm/efi.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/riscv/include/asm/efi.h b/arch/riscv/include/asm/efi.h
+index 6d98cd999680..7b3483ba2e84 100644
+--- a/arch/riscv/include/asm/efi.h
++++ b/arch/riscv/include/asm/efi.h
+@@ -27,10 +27,10 @@ int efi_set_mapping_permissions(struct mm_struct *mm, efi_memory_desc_t *md);
+
+ #define ARCH_EFI_IRQ_FLAGS_MASK (SR_IE | SR_SPIE)
+
+-/* Load initrd at enough distance from DRAM start */
++/* Load initrd anywhere in system RAM */
+ static inline unsigned long efi_get_max_initrd_addr(unsigned long image_addr)
+ {
+- return image_addr + SZ_256M;
++ return ULONG_MAX;
+ }
+
+ #define alloc_screen_info(x...) (&screen_info)
+--
+2.30.2
+
--- /dev/null
+From f754e1456505a7a04b3b949f50f12565f768a106 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 27 Jun 2021 21:51:17 +0800
+Subject: riscv: Fix 32-bit RISC-V boot failure
+
+From: Bin Meng <bmeng.cn@gmail.com>
+
+[ Upstream commit d0e4dae74470fb709fc0ab61862c317938f4cc4d ]
+
+Commit dd2d082b5760 ("riscv: Cleanup setup_bootmem()") adjusted
+the calling sequence in setup_bootmem(), which invalidates the fix
+commit de043da0b9e7 ("RISC-V: Fix usage of memblock_enforce_memory_limit")
+did for 32-bit RISC-V unfortunately.
+
+So now 32-bit RISC-V does not boot again when testing booting kernel
+on QEMU 'virt' with '-m 2G', which was exactly what the original
+commit de043da0b9e7 ("RISC-V: Fix usage of memblock_enforce_memory_limit")
+tried to fix.
+
+Fixes: dd2d082b5760 ("riscv: Cleanup setup_bootmem()")
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/mm/init.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/riscv/mm/init.c b/arch/riscv/mm/init.c
+index 4c4c92ce0bb8..9b23b95c50cf 100644
+--- a/arch/riscv/mm/init.c
++++ b/arch/riscv/mm/init.c
+@@ -123,7 +123,7 @@ void __init setup_bootmem(void)
+ {
+ phys_addr_t vmlinux_end = __pa_symbol(&_end);
+ phys_addr_t vmlinux_start = __pa_symbol(&_start);
+- phys_addr_t dram_end = memblock_end_of_DRAM();
++ phys_addr_t dram_end;
+ phys_addr_t max_mapped_addr = __pa(~(ulong)0);
+
+ #ifdef CONFIG_XIP_KERNEL
+@@ -146,6 +146,8 @@ void __init setup_bootmem(void)
+ #endif
+ memblock_reserve(vmlinux_start, vmlinux_end - vmlinux_start);
+
++ dram_end = memblock_end_of_DRAM();
++
+ /*
+ * memblock allocator is not aware of the fact that last 4K bytes of
+ * the addressable memory can not be mapped because of IS_ERR_VALUE
+--
+2.30.2
+
--- /dev/null
+From e8b00c95c9eb15a63fc60ab51b361640b6006594 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 13:57:12 +0100
+Subject: s390/bpf: Perform r1 range checking before accessing
+ jit->seen_reg[r1]
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 91091656252f5d6d8c476e0c92776ce9fae7b445 ]
+
+Currently array jit->seen_reg[r1] is being accessed before the range
+checking of index r1. The range changing on r1 should be performed
+first since it will avoid any potential out-of-range accesses on the
+array seen_reg[] and also it is more optimal to perform checks on r1
+before fetching data from the array. Fix this by swapping the order
+of the checks before the array access.
+
+Fixes: 054623105728 ("s390/bpf: Add s390x eBPF JIT compiler backend")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Link: https://lore.kernel.org/bpf/20210715125712.24690-1-colin.king@canonical.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/net/bpf_jit_comp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c
+index 63cae0476bb4..2ae419f5115a 100644
+--- a/arch/s390/net/bpf_jit_comp.c
++++ b/arch/s390/net/bpf_jit_comp.c
+@@ -112,7 +112,7 @@ static inline void reg_set_seen(struct bpf_jit *jit, u32 b1)
+ {
+ u32 r1 = reg2hex[b1];
+
+- if (!jit->seen_reg[r1] && r1 >= 6 && r1 <= 15)
++ if (r1 >= 6 && r1 <= 15 && !jit->seen_reg[r1])
+ jit->seen_reg[r1] = 1;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 1c8e4e209c84b84731ed68db1fc2947847f077e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Jun 2021 19:25:59 -0500
+Subject: scsi: iscsi: Fix iface sysfs attr detection
+
+From: Mike Christie <michael.christie@oracle.com>
+
+[ Upstream commit e746f3451ec7f91dcc9fd67a631239c715850a34 ]
+
+A ISCSI_IFACE_PARAM can have the same value as a ISCSI_NET_PARAM so when
+iscsi_iface_attr_is_visible tries to figure out the type by just checking
+the value, we can collide and return the wrong type. When we call into the
+driver we might not match and return that we don't want attr visible in
+sysfs. The patch fixes this by setting the type when we figure out what the
+param is.
+
+Link: https://lore.kernel.org/r/20210701002559.89533-1-michael.christie@oracle.com
+Fixes: 3e0f65b34cc9 ("[SCSI] iscsi_transport: Additional parameters for network settings")
+Signed-off-by: Mike Christie <michael.christie@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi_transport_iscsi.c | 90 +++++++++++------------------
+ 1 file changed, 34 insertions(+), 56 deletions(-)
+
+diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
+index b07105ae7c91..d8b05d8b5470 100644
+--- a/drivers/scsi/scsi_transport_iscsi.c
++++ b/drivers/scsi/scsi_transport_iscsi.c
+@@ -439,39 +439,10 @@ static umode_t iscsi_iface_attr_is_visible(struct kobject *kobj,
+ struct device *dev = container_of(kobj, struct device, kobj);
+ struct iscsi_iface *iface = iscsi_dev_to_iface(dev);
+ struct iscsi_transport *t = iface->transport;
+- int param;
+- int param_type;
++ int param = -1;
+
+ if (attr == &dev_attr_iface_enabled.attr)
+ param = ISCSI_NET_PARAM_IFACE_ENABLE;
+- else if (attr == &dev_attr_iface_vlan_id.attr)
+- param = ISCSI_NET_PARAM_VLAN_ID;
+- else if (attr == &dev_attr_iface_vlan_priority.attr)
+- param = ISCSI_NET_PARAM_VLAN_PRIORITY;
+- else if (attr == &dev_attr_iface_vlan_enabled.attr)
+- param = ISCSI_NET_PARAM_VLAN_ENABLED;
+- else if (attr == &dev_attr_iface_mtu.attr)
+- param = ISCSI_NET_PARAM_MTU;
+- else if (attr == &dev_attr_iface_port.attr)
+- param = ISCSI_NET_PARAM_PORT;
+- else if (attr == &dev_attr_iface_ipaddress_state.attr)
+- param = ISCSI_NET_PARAM_IPADDR_STATE;
+- else if (attr == &dev_attr_iface_delayed_ack_en.attr)
+- param = ISCSI_NET_PARAM_DELAYED_ACK_EN;
+- else if (attr == &dev_attr_iface_tcp_nagle_disable.attr)
+- param = ISCSI_NET_PARAM_TCP_NAGLE_DISABLE;
+- else if (attr == &dev_attr_iface_tcp_wsf_disable.attr)
+- param = ISCSI_NET_PARAM_TCP_WSF_DISABLE;
+- else if (attr == &dev_attr_iface_tcp_wsf.attr)
+- param = ISCSI_NET_PARAM_TCP_WSF;
+- else if (attr == &dev_attr_iface_tcp_timer_scale.attr)
+- param = ISCSI_NET_PARAM_TCP_TIMER_SCALE;
+- else if (attr == &dev_attr_iface_tcp_timestamp_en.attr)
+- param = ISCSI_NET_PARAM_TCP_TIMESTAMP_EN;
+- else if (attr == &dev_attr_iface_cache_id.attr)
+- param = ISCSI_NET_PARAM_CACHE_ID;
+- else if (attr == &dev_attr_iface_redirect_en.attr)
+- param = ISCSI_NET_PARAM_REDIRECT_EN;
+ else if (attr == &dev_attr_iface_def_taskmgmt_tmo.attr)
+ param = ISCSI_IFACE_PARAM_DEF_TASKMGMT_TMO;
+ else if (attr == &dev_attr_iface_header_digest.attr)
+@@ -508,6 +479,38 @@ static umode_t iscsi_iface_attr_is_visible(struct kobject *kobj,
+ param = ISCSI_IFACE_PARAM_STRICT_LOGIN_COMP_EN;
+ else if (attr == &dev_attr_iface_initiator_name.attr)
+ param = ISCSI_IFACE_PARAM_INITIATOR_NAME;
++
++ if (param != -1)
++ return t->attr_is_visible(ISCSI_IFACE_PARAM, param);
++
++ if (attr == &dev_attr_iface_vlan_id.attr)
++ param = ISCSI_NET_PARAM_VLAN_ID;
++ else if (attr == &dev_attr_iface_vlan_priority.attr)
++ param = ISCSI_NET_PARAM_VLAN_PRIORITY;
++ else if (attr == &dev_attr_iface_vlan_enabled.attr)
++ param = ISCSI_NET_PARAM_VLAN_ENABLED;
++ else if (attr == &dev_attr_iface_mtu.attr)
++ param = ISCSI_NET_PARAM_MTU;
++ else if (attr == &dev_attr_iface_port.attr)
++ param = ISCSI_NET_PARAM_PORT;
++ else if (attr == &dev_attr_iface_ipaddress_state.attr)
++ param = ISCSI_NET_PARAM_IPADDR_STATE;
++ else if (attr == &dev_attr_iface_delayed_ack_en.attr)
++ param = ISCSI_NET_PARAM_DELAYED_ACK_EN;
++ else if (attr == &dev_attr_iface_tcp_nagle_disable.attr)
++ param = ISCSI_NET_PARAM_TCP_NAGLE_DISABLE;
++ else if (attr == &dev_attr_iface_tcp_wsf_disable.attr)
++ param = ISCSI_NET_PARAM_TCP_WSF_DISABLE;
++ else if (attr == &dev_attr_iface_tcp_wsf.attr)
++ param = ISCSI_NET_PARAM_TCP_WSF;
++ else if (attr == &dev_attr_iface_tcp_timer_scale.attr)
++ param = ISCSI_NET_PARAM_TCP_TIMER_SCALE;
++ else if (attr == &dev_attr_iface_tcp_timestamp_en.attr)
++ param = ISCSI_NET_PARAM_TCP_TIMESTAMP_EN;
++ else if (attr == &dev_attr_iface_cache_id.attr)
++ param = ISCSI_NET_PARAM_CACHE_ID;
++ else if (attr == &dev_attr_iface_redirect_en.attr)
++ param = ISCSI_NET_PARAM_REDIRECT_EN;
+ else if (iface->iface_type == ISCSI_IFACE_TYPE_IPV4) {
+ if (attr == &dev_attr_ipv4_iface_ipaddress.attr)
+ param = ISCSI_NET_PARAM_IPV4_ADDR;
+@@ -598,32 +601,7 @@ static umode_t iscsi_iface_attr_is_visible(struct kobject *kobj,
+ return 0;
+ }
+
+- switch (param) {
+- case ISCSI_IFACE_PARAM_DEF_TASKMGMT_TMO:
+- case ISCSI_IFACE_PARAM_HDRDGST_EN:
+- case ISCSI_IFACE_PARAM_DATADGST_EN:
+- case ISCSI_IFACE_PARAM_IMM_DATA_EN:
+- case ISCSI_IFACE_PARAM_INITIAL_R2T_EN:
+- case ISCSI_IFACE_PARAM_DATASEQ_INORDER_EN:
+- case ISCSI_IFACE_PARAM_PDU_INORDER_EN:
+- case ISCSI_IFACE_PARAM_ERL:
+- case ISCSI_IFACE_PARAM_MAX_RECV_DLENGTH:
+- case ISCSI_IFACE_PARAM_FIRST_BURST:
+- case ISCSI_IFACE_PARAM_MAX_R2T:
+- case ISCSI_IFACE_PARAM_MAX_BURST:
+- case ISCSI_IFACE_PARAM_CHAP_AUTH_EN:
+- case ISCSI_IFACE_PARAM_BIDI_CHAP_EN:
+- case ISCSI_IFACE_PARAM_DISCOVERY_AUTH_OPTIONAL:
+- case ISCSI_IFACE_PARAM_DISCOVERY_LOGOUT_EN:
+- case ISCSI_IFACE_PARAM_STRICT_LOGIN_COMP_EN:
+- case ISCSI_IFACE_PARAM_INITIATOR_NAME:
+- param_type = ISCSI_IFACE_PARAM;
+- break;
+- default:
+- param_type = ISCSI_NET_PARAM;
+- }
+-
+- return t->attr_is_visible(param_type, param);
++ return t->attr_is_visible(ISCSI_NET_PARAM, param);
+ }
+
+ static struct attribute *iscsi_iface_attrs[] = {
+--
+2.30.2
+
--- /dev/null
+From e588e16f0f8644bda153699767cfe75ad72e98de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jul 2021 00:55:22 +0200
+Subject: scsi: target: Fix NULL dereference on XCOPY completion
+
+From: David Disseldorp <ddiss@suse.de>
+
+[ Upstream commit a47fa41381a09e5997afd762664db4f5f6657e03 ]
+
+CPU affinity control added with commit 39ae3edda325 ("scsi: target: core:
+Make completion affinity configurable") makes target_complete_cmd() queue
+work on a CPU based on se_tpg->se_tpg_wwn->cmd_compl_affinity state.
+
+LIO's EXTENDED COPY worker is a special case in that read/write cmds are
+dispatched using the global xcopy_pt_tpg, which carries a NULL se_tpg_wwn
+pointer following initialization in target_xcopy_setup_pt().
+
+The NULL xcopy_pt_tpg->se_tpg_wwn pointer is dereferenced on completion of
+any EXTENDED COPY initiated read/write cmds. E.g using the libiscsi
+SCSI.ExtendedCopy.Simple test:
+
+ BUG: kernel NULL pointer dereference, address: 00000000000001a8
+ RIP: 0010:target_complete_cmd+0x9d/0x130 [target_core_mod]
+ Call Trace:
+ fd_execute_rw+0x148/0x42a [target_core_file]
+ ? __dynamic_pr_debug+0xa7/0xe0
+ ? target_check_reservation+0x5b/0x940 [target_core_mod]
+ __target_execute_cmd+0x1e/0x90 [target_core_mod]
+ transport_generic_new_cmd+0x17c/0x330 [target_core_mod]
+ target_xcopy_issue_pt_cmd+0x9/0x60 [target_core_mod]
+ target_xcopy_read_source.isra.7+0x10b/0x1b0 [target_core_mod]
+ ? target_check_fua+0x40/0x40 [target_core_mod]
+ ? transport_complete_task_attr+0x130/0x130 [target_core_mod]
+ target_xcopy_do_work+0x61f/0xc00 [target_core_mod]
+
+This fix makes target_complete_cmd() queue work on se_cmd->cpuid if
+se_tpg_wwn is NULL.
+
+Link: https://lore.kernel.org/r/20210720225522.26291-1-ddiss@suse.de
+Fixes: 39ae3edda325 ("scsi: target: core: Make completion affinity configurable")
+Cc: Lee Duncan <lduncan@suse.com>
+Cc: Mike Christie <michael.christie@oracle.com>
+Reviewed-by: Mike Christie <michael.christie@oracle.com>
+Signed-off-by: David Disseldorp <ddiss@suse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/target_core_transport.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
+index 7e35eddd9eb7..26ceabe34de5 100644
+--- a/drivers/target/target_core_transport.c
++++ b/drivers/target/target_core_transport.c
+@@ -886,7 +886,7 @@ void target_complete_cmd(struct se_cmd *cmd, u8 scsi_status)
+ INIT_WORK(&cmd->work, success ? target_complete_ok_work :
+ target_complete_failure_work);
+
+- if (wwn->cmd_compl_affinity == SE_COMPL_AFFINITY_CPUID)
++ if (!wwn || wwn->cmd_compl_affinity == SE_COMPL_AFFINITY_CPUID)
+ cpu = cmd->cpuid;
+ else
+ cpu = wwn->cmd_compl_affinity;
+--
+2.30.2
+
--- /dev/null
+From 5568ae84761eef3be8d8ceb2c2e9ac61f864d065 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Jul 2021 12:16:55 +0300
+Subject: scsi: target: Fix protect handling in WRITE SAME(32)
+
+From: Dmitry Bogdanov <d.bogdanov@yadro.com>
+
+[ Upstream commit 6d8e7e7c932162bccd06872362751b0e1d76f5af ]
+
+WRITE SAME(32) command handling reads WRPROTECT at the wrong offset in 1st
+byte instead of 10th byte.
+
+Link: https://lore.kernel.org/r/20210702091655.22818-1-d.bogdanov@yadro.com
+Fixes: afd73f1b60fc ("target: Perform PROTECT sanity checks for WRITE_SAME")
+Signed-off-by: Dmitry Bogdanov <d.bogdanov@yadro.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/target_core_sbc.c | 35 ++++++++++++++++----------------
+ 1 file changed, 17 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/target/target_core_sbc.c b/drivers/target/target_core_sbc.c
+index 7b07e557dc8d..6594bb0b9df0 100644
+--- a/drivers/target/target_core_sbc.c
++++ b/drivers/target/target_core_sbc.c
+@@ -25,7 +25,7 @@
+ #include "target_core_alua.h"
+
+ static sense_reason_t
+-sbc_check_prot(struct se_device *, struct se_cmd *, unsigned char *, u32, bool);
++sbc_check_prot(struct se_device *, struct se_cmd *, unsigned char, u32, bool);
+ static sense_reason_t sbc_execute_unmap(struct se_cmd *cmd);
+
+ static sense_reason_t
+@@ -279,14 +279,14 @@ static inline unsigned long long transport_lba_64_ext(unsigned char *cdb)
+ }
+
+ static sense_reason_t
+-sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *ops)
++sbc_setup_write_same(struct se_cmd *cmd, unsigned char flags, struct sbc_ops *ops)
+ {
+ struct se_device *dev = cmd->se_dev;
+ sector_t end_lba = dev->transport->get_blocks(dev) + 1;
+ unsigned int sectors = sbc_get_write_same_sectors(cmd);
+ sense_reason_t ret;
+
+- if ((flags[0] & 0x04) || (flags[0] & 0x02)) {
++ if ((flags & 0x04) || (flags & 0x02)) {
+ pr_err("WRITE_SAME PBDATA and LBDATA"
+ " bits not supported for Block Discard"
+ " Emulation\n");
+@@ -308,7 +308,7 @@ sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *o
+ }
+
+ /* We always have ANC_SUP == 0 so setting ANCHOR is always an error */
+- if (flags[0] & 0x10) {
++ if (flags & 0x10) {
+ pr_warn("WRITE SAME with ANCHOR not supported\n");
+ return TCM_INVALID_CDB_FIELD;
+ }
+@@ -316,7 +316,7 @@ sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *o
+ * Special case for WRITE_SAME w/ UNMAP=1 that ends up getting
+ * translated into block discard requests within backend code.
+ */
+- if (flags[0] & 0x08) {
++ if (flags & 0x08) {
+ if (!ops->execute_unmap)
+ return TCM_UNSUPPORTED_SCSI_OPCODE;
+
+@@ -331,7 +331,7 @@ sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *o
+ if (!ops->execute_write_same)
+ return TCM_UNSUPPORTED_SCSI_OPCODE;
+
+- ret = sbc_check_prot(dev, cmd, &cmd->t_task_cdb[0], sectors, true);
++ ret = sbc_check_prot(dev, cmd, flags >> 5, sectors, true);
+ if (ret)
+ return ret;
+
+@@ -717,10 +717,9 @@ sbc_set_prot_op_checks(u8 protect, bool fabric_prot, enum target_prot_type prot_
+ }
+
+ static sense_reason_t
+-sbc_check_prot(struct se_device *dev, struct se_cmd *cmd, unsigned char *cdb,
++sbc_check_prot(struct se_device *dev, struct se_cmd *cmd, unsigned char protect,
+ u32 sectors, bool is_write)
+ {
+- u8 protect = cdb[1] >> 5;
+ int sp_ops = cmd->se_sess->sup_prot_ops;
+ int pi_prot_type = dev->dev_attrib.pi_prot_type;
+ bool fabric_prot = false;
+@@ -768,7 +767,7 @@ sbc_check_prot(struct se_device *dev, struct se_cmd *cmd, unsigned char *cdb,
+ fallthrough;
+ default:
+ pr_err("Unable to determine pi_prot_type for CDB: 0x%02x "
+- "PROTECT: 0x%02x\n", cdb[0], protect);
++ "PROTECT: 0x%02x\n", cmd->t_task_cdb[0], protect);
+ return TCM_INVALID_CDB_FIELD;
+ }
+
+@@ -843,7 +842,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
+ if (sbc_check_dpofua(dev, cmd, cdb))
+ return TCM_INVALID_CDB_FIELD;
+
+- ret = sbc_check_prot(dev, cmd, cdb, sectors, false);
++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, false);
+ if (ret)
+ return ret;
+
+@@ -857,7 +856,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
+ if (sbc_check_dpofua(dev, cmd, cdb))
+ return TCM_INVALID_CDB_FIELD;
+
+- ret = sbc_check_prot(dev, cmd, cdb, sectors, false);
++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, false);
+ if (ret)
+ return ret;
+
+@@ -871,7 +870,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
+ if (sbc_check_dpofua(dev, cmd, cdb))
+ return TCM_INVALID_CDB_FIELD;
+
+- ret = sbc_check_prot(dev, cmd, cdb, sectors, false);
++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, false);
+ if (ret)
+ return ret;
+
+@@ -892,7 +891,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
+ if (sbc_check_dpofua(dev, cmd, cdb))
+ return TCM_INVALID_CDB_FIELD;
+
+- ret = sbc_check_prot(dev, cmd, cdb, sectors, true);
++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, true);
+ if (ret)
+ return ret;
+
+@@ -906,7 +905,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
+ if (sbc_check_dpofua(dev, cmd, cdb))
+ return TCM_INVALID_CDB_FIELD;
+
+- ret = sbc_check_prot(dev, cmd, cdb, sectors, true);
++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, true);
+ if (ret)
+ return ret;
+
+@@ -921,7 +920,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
+ if (sbc_check_dpofua(dev, cmd, cdb))
+ return TCM_INVALID_CDB_FIELD;
+
+- ret = sbc_check_prot(dev, cmd, cdb, sectors, true);
++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, true);
+ if (ret)
+ return ret;
+
+@@ -980,7 +979,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
+ size = sbc_get_size(cmd, 1);
+ cmd->t_task_lba = get_unaligned_be64(&cdb[12]);
+
+- ret = sbc_setup_write_same(cmd, &cdb[10], ops);
++ ret = sbc_setup_write_same(cmd, cdb[10], ops);
+ if (ret)
+ return ret;
+ break;
+@@ -1079,7 +1078,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
+ size = sbc_get_size(cmd, 1);
+ cmd->t_task_lba = get_unaligned_be64(&cdb[2]);
+
+- ret = sbc_setup_write_same(cmd, &cdb[1], ops);
++ ret = sbc_setup_write_same(cmd, cdb[1], ops);
+ if (ret)
+ return ret;
+ break;
+@@ -1097,7 +1096,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
+ * Follow sbcr26 with WRITE_SAME (10) and check for the existence
+ * of byte 1 bit 3 UNMAP instead of original reserved field
+ */
+- ret = sbc_setup_write_same(cmd, &cdb[1], ops);
++ ret = sbc_setup_write_same(cmd, cdb[1], ops);
+ if (ret)
+ return ret;
+ break;
+--
+2.30.2
+
--- /dev/null
+From 567efd3b001b1d7a6a8d9d0388cfa750d8d59aae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Jul 2021 17:19:19 -0400
+Subject: sctp: trim optlen when it's a huge value in sctp_setsockopt
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 2f3fdd8d4805015fa964807e1c7f3d88f31bd389 ]
+
+After commit ca84bd058dae ("sctp: copy the optval from user space in
+sctp_setsockopt"), it does memory allocation in sctp_setsockopt with
+the optlen, and it would fail the allocation and return error if the
+optlen from user space is a huge value.
+
+This breaks some sockopts, like SCTP_HMAC_IDENT, SCTP_RESET_STREAMS and
+SCTP_AUTH_KEY, as when processing these sockopts before, optlen would
+be trimmed to a biggest value it needs when optlen is a huge value,
+instead of failing the allocation and returning error.
+
+This patch is to fix the allocation failure when it's a huge optlen from
+user space by trimming it to the biggest size sctp sockopt may need when
+necessary, and this biggest size is from sctp_setsockopt_reset_streams()
+for SCTP_RESET_STREAMS, which is bigger than those for SCTP_HMAC_IDENT
+and SCTP_AUTH_KEY.
+
+Fixes: ca84bd058dae ("sctp: copy the optval from user space in sctp_setsockopt")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/socket.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index a79d193ff872..dbd074f4d450 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -4521,6 +4521,10 @@ static int sctp_setsockopt(struct sock *sk, int level, int optname,
+ }
+
+ if (optlen > 0) {
++ /* Trim it to the biggest size sctp sockopt may need if necessary */
++ optlen = min_t(unsigned int, optlen,
++ PAGE_ALIGN(USHRT_MAX +
++ sizeof(__u16) * sizeof(struct sctp_reset_streams)));
+ kopt = memdup_sockptr(optval, optlen);
+ if (IS_ERR(kopt))
+ return PTR_ERR(kopt);
+--
+2.30.2
+
--- /dev/null
+From 3bb2712ad81c878bf0f568b01ff381cd7ef6c24e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Jul 2021 16:07:01 -0400
+Subject: sctp: update active_key for asoc when old key is being replaced
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 58acd10092268831e49de279446c314727101292 ]
+
+syzbot reported a call trace:
+
+ BUG: KASAN: use-after-free in sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112
+ Call Trace:
+ sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112
+ sctp_set_owner_w net/sctp/socket.c:131 [inline]
+ sctp_sendmsg_to_asoc+0x152e/0x2180 net/sctp/socket.c:1865
+ sctp_sendmsg+0x103b/0x1d30 net/sctp/socket.c:2027
+ inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:821
+ sock_sendmsg_nosec net/socket.c:703 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:723
+
+This is an use-after-free issue caused by not updating asoc->shkey after
+it was replaced in the key list asoc->endpoint_shared_keys, and the old
+key was freed.
+
+This patch is to fix by also updating active_key for asoc when old key is
+being replaced with a new one. Note that this issue doesn't exist in
+sctp_auth_del_key_id(), as it's not allowed to delete the active_key
+from the asoc.
+
+Fixes: 1b1e0bc99474 ("sctp: add refcnt support for sh_key")
+Reported-by: syzbot+b774577370208727d12b@syzkaller.appspotmail.com
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/auth.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/sctp/auth.c b/net/sctp/auth.c
+index 6f8319b828b0..fe74c5f95630 100644
+--- a/net/sctp/auth.c
++++ b/net/sctp/auth.c
+@@ -860,6 +860,8 @@ int sctp_auth_set_key(struct sctp_endpoint *ep,
+ if (replace) {
+ list_del_init(&shkey->key_list);
+ sctp_auth_shkey_release(shkey);
++ if (asoc && asoc->active_key_id == auth_key->sca_keynumber)
++ sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL);
+ }
+ list_add(&cur_key->key_list, sh_keys);
+
+--
+2.30.2
+
--- /dev/null
+From 18416bbbabf3f281e26fe9e62527d94a7d7da506 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Jul 2021 16:15:30 +0800
+Subject: selftests: icmp_redirect: IPv6 PMTU info should be cleared after
+ redirect
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 0e02bf5de46ae30074a2e1a8194a422a84482a1a ]
+
+After redirecting, it's already a new path. So the old PMTU info should
+be cleared. The IPv6 test "mtu exception plus redirect" should only
+has redirect info without old PMTU.
+
+The IPv4 test can not be changed because of legacy.
+
+Fixes: ec8105352869 ("selftests: Add redirect tests")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/icmp_redirect.sh | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/net/icmp_redirect.sh b/tools/testing/selftests/net/icmp_redirect.sh
+index bfcabee50155..104a7a5f13b1 100755
+--- a/tools/testing/selftests/net/icmp_redirect.sh
++++ b/tools/testing/selftests/net/icmp_redirect.sh
+@@ -309,9 +309,10 @@ check_exception()
+ fi
+ log_test $? 0 "IPv4: ${desc}"
+
+- if [ "$with_redirect" = "yes" ]; then
++ # No PMTU info for test "redirect" and "mtu exception plus redirect"
++ if [ "$with_redirect" = "yes" ] && [ "$desc" != "redirect exception plus mtu" ]; then
+ ip -netns h1 -6 ro get ${H1_VRF_ARG} ${H2_N2_IP6} | \
+- grep -q "${H2_N2_IP6} .*via ${R2_LLADDR} dev br0.*${mtu}"
++ grep -v "mtu" | grep -q "${H2_N2_IP6} .*via ${R2_LLADDR} dev br0"
+ elif [ -n "${mtu}" ]; then
+ ip -netns h1 -6 ro get ${H1_VRF_ARG} ${H2_N2_IP6} | \
+ grep -q "${mtu}"
+--
+2.30.2
+
--- /dev/null
+From bb941f960e0d2b65039af6f752036837fb3be0c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Jul 2021 16:15:29 +0800
+Subject: selftests: icmp_redirect: remove from checking for IPv6 route get
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 24b671aad4eae423e1abf5b7f08d9a5235458b8d ]
+
+If the kernel doesn't enable option CONFIG_IPV6_SUBTREES, the RTA_SRC
+info will not be exported to userspace in rt6_fill_node(). And ip cmd will
+not print "from ::" to the route output. So remove this check.
+
+Fixes: ec8105352869 ("selftests: Add redirect tests")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/icmp_redirect.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/icmp_redirect.sh b/tools/testing/selftests/net/icmp_redirect.sh
+index bf361f30d6ef..bfcabee50155 100755
+--- a/tools/testing/selftests/net/icmp_redirect.sh
++++ b/tools/testing/selftests/net/icmp_redirect.sh
+@@ -311,7 +311,7 @@ check_exception()
+
+ if [ "$with_redirect" = "yes" ]; then
+ ip -netns h1 -6 ro get ${H1_VRF_ARG} ${H2_N2_IP6} | \
+- grep -q "${H2_N2_IP6} from :: via ${R2_LLADDR} dev br0.*${mtu}"
++ grep -q "${H2_N2_IP6} .*via ${R2_LLADDR} dev br0.*${mtu}"
+ elif [ -n "${mtu}" ]; then
+ ip -netns h1 -6 ro get ${H1_VRF_ARG} ${H2_N2_IP6} | \
+ grep -q "${mtu}"
+--
+2.30.2
+
--- /dev/null
+From 1dc7f9b4af96d2370b1634517ed99f364351e330 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Jul 2021 17:20:50 -0700
+Subject: selftests: mptcp: fix case multiple subflows limited by server
+
+From: Jianguo Wu <wujianguo@chinatelecom.cn>
+
+[ Upstream commit a7da441621c7945fbfd43ed239c93b8073cda502 ]
+
+After patch "mptcp: fix syncookie process if mptcp can not_accept new
+subflow", if subflow is limited, MP_JOIN SYN is dropped, and no SYN/ACK
+will be replied.
+
+So in case "multiple subflows limited by server", the expected SYN/ACK
+number should be 1.
+
+Fixes: 00587187ad30 ("selftests: mptcp: add test cases for mptcp join tests with syn cookies")
+Reported-by: kernel test robot <oliver.sang@intel.com>
+Signed-off-by: Jianguo Wu <wujianguo@chinatelecom.cn>
+Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/mptcp/mptcp_join.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/mptcp/mptcp_join.sh b/tools/testing/selftests/net/mptcp/mptcp_join.sh
+index fd99485cf2a4..e8ac852c6ff6 100755
+--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
+@@ -1341,7 +1341,7 @@ syncookies_tests()
+ ip netns exec $ns2 ./pm_nl_ctl add 10.0.3.2 flags subflow
+ ip netns exec $ns2 ./pm_nl_ctl add 10.0.2.2 flags subflow
+ run_tests $ns1 $ns2 10.0.1.1
+- chk_join_nr "subflows limited by server w cookies" 2 2 1
++ chk_join_nr "subflows limited by server w cookies" 2 1 1
+
+ # test signal address with cookies
+ reset_with_cookies
+--
+2.30.2
+
--- /dev/null
+igc-fix-use-after-free-error-during-reset.patch
+igb-fix-use-after-free-error-during-reset.patch
+igc-change-default-return-of-igc_read_phy_reg.patch
+ixgbe-fix-an-error-handling-path-in-ixgbe_probe.patch
+igc-fix-an-error-handling-path-in-igc_probe.patch
+igb-fix-an-error-handling-path-in-igb_probe.patch
+fm10k-fix-an-error-handling-path-in-fm10k_probe.patch
+e1000e-fix-an-error-handling-path-in-e1000_probe.patch
+iavf-fix-an-error-handling-path-in-iavf_probe.patch
+igb-check-if-num-of-q_vectors-is-smaller-than-max-be.patch
+igb-fix-position-of-assignment-to-ring.patch
+net-stmmac-terminate-fpe-workqueue-in-suspend.patch
+gve-fix-an-error-handling-path-in-gve_probe.patch
+bpf-samples-fix-xdpsock-with-m-parameter-missing-unl.patch
+bonding-fix-suspicious-rcu-usage-in-bond_ipsec_add_s.patch
+bonding-fix-null-dereference-in-bond_ipsec_add_sa.patch
+ixgbevf-use-xso.real_dev-instead-of-xso.dev-in-callb.patch
+bonding-fix-suspicious-rcu-usage-in-bond_ipsec_del_s.patch
+bonding-disallow-setting-nested-bonding-ipsec-offloa.patch
+bonding-add-struct-bond_ipesc-to-manage-sa.patch
+bonding-fix-suspicious-rcu-usage-in-bond_ipsec_offlo.patch
+bonding-fix-incorrect-return-value-of-bond_ipsec_off.patch
+ipv6-fix-disable_policy-for-fwd-packets.patch
+stmmac-platform-fix-signedness-bug-in-stmmac_probe_c.patch
+selftests-icmp_redirect-remove-from-checking-for-ipv.patch
+selftests-icmp_redirect-ipv6-pmtu-info-should-be-cle.patch
+pwm-sprd-ensure-configuring-period-and-duty_cycle-is.patch
+cxgb4-fix-irq-free-race-during-driver-unload.patch
+drm-vmwgfx-fix-a-bad-merge-in-otable-batch-takedown.patch
+mptcp-fix-warning-in-__skb_flow_dissect-when-do-syn-.patch
+mptcp-remove-redundant-req-destruct-in-subflow_check.patch
+mptcp-fix-syncookie-process-if-mptcp-can-not_accept-.patch
+mptcp-add-sk-parameter-for-mptcp_get_options.patch
+mptcp-avoid-processing-packet-if-a-subflow-reset.patch
+selftests-mptcp-fix-case-multiple-subflows-limited-b.patch
+mptcp-use-fast-lock-for-subflows-when-possible.patch
+mptcp-refine-mptcp_cleanup_rbuf.patch
+mptcp-properly-account-bulk-freed-memory.patch
+net-phy-marvell10g-fix-differentiation-of-88x3310-fr.patch
+nvme-pci-do-not-call-nvme_dev_remove_admin-from-nvme.patch
+net-ocelot-fix-switchdev-objects-synced-for-wrong-ne.patch
+sfc-fix-lack-of-xdp-tx-queues-error-xdp-tx-failed-22.patch
+kvm-x86-pmu-clear-anythread-deprecated-bit-when-0xa-.patch
+kvm-svm-return-efault-if-copy_to_user-for-sev-mig-pa.patch
+kvm-svm-fix-sev_pin_memory-error-checks-in-sev-migra.patch
+arm64-mte-fix-restoration-of-gcr_el1-from-suspend.patch
+arm-dts-aspeed-update-e3c246d4i-vuart-properties.patch
+firmware-arm_scmi-ensure-drivers-provide-a-probe-fun.patch
+perf-inject-fix-dso-nsinfo-refcounting.patch
+perf-map-fix-dso-nsinfo-refcounting.patch
+perf-probe-fix-dso-nsinfo-refcounting.patch
+perf-env-fix-sibling_dies-memory-leak.patch
+perf-test-session_topology-delete-session-evlist.patch
+perf-test-event_update-fix-memory-leak-of-evlist.patch
+perf-test-event_update-fix-memory-leak-of-unit.patch
+perf-dso-fix-memory-leak-in-dso__new_map.patch
+perf-test-maps__merge_in-fix-memory-leak-of-maps.patch
+perf-env-fix-memory-leak-of-cpu_pmu_caps.patch
+perf-report-free-generated-help-strings-for-sort-opt.patch
+perf-script-release-zstd-data.patch
+perf-script-fix-memory-threads-and-cpus-leaks-on-exi.patch
+perf-lzma-close-lzma-stream-on-exit.patch
+perf-probe-file-delete-namelist-in-del_events-on-the.patch
+perf-data-close-all-files-in-close_dir.patch
+perf-sched-fix-record-failure-when-config_schedstats.patch
+kbuild-lto-fix-module-versionings-mismatch-in-gnu-ma.patch
+asoc-wm_adsp-correct-wm_coeff_tlv_get-handling.patch
+spi-imx-mx51-ecspi-reinstate-low-speed-configreg-del.patch
+spi-stm32-fixes-pm_runtime-calls-in-probe-remove.patch
+regulator-hi6421-use-correct-variable-type-for-regma.patch
+regulator-hi6421-fix-getting-wrong-drvdata.patch
+spi-mediatek-fix-fifo-rx-mode.patch
+asoc-rt5631-fix-regcache-sync-errors-on-resume.patch
+bpf-test-fix-null-pointer-dereference-on-invalid-exp.patch
+bpf-fix-tail_call_reachable-rejection-for-interprete.patch
+xdp-net-fix-use-after-free-in-bpf_xdp_link_release.patch
+asoc-sof-intel-update-adl-descriptor-to-use-acpi-pow.patch
+timers-fix-get_next_timer_interrupt-with-no-timers-p.patch
+drm-vc4-hdmi-drop-devm-interrupt-handler-for-cec-int.patch
+net-dsa-mv88e6xxx-net_dsa_mv88e6xxx_ptp-should-depen.patch
+liquidio-fix-unintentional-sign-extension-issue-on-l.patch
+s390-bpf-perform-r1-range-checking-before-accessing-.patch
+bpf-sockmap-fix-potential-memory-leak-on-unlikely-er.patch
+bpf-sockmap-tcp-sk_prot-needs-inuse_idx-set-for-proc.patch
+bpf-sockmap-udp-sk_prot-needs-inuse_idx-set-for-proc.patch
+bpftool-check-malloc-return-value-in-mount_bpffs_for.patch
+net-fix-uninit-value-in-caif_seqpkt_sendmsg.patch
+spi-spi-cadence-quadspi-fix-division-by-zero-warning.patch
+usb-hso-fix-error-handling-code-of-hso_create_net_de.patch
+dma-mapping-handle-vmalloc-addresses-in-dma_common_-.patch
+asoc-soc-pcm-add-a-flag-to-reverse-the-stop-sequence.patch
+efi-tpm-differentiate-missing-and-invalid-final-even.patch
+net-decnet-fix-sleeping-inside-in-af_decnet.patch
+kvm-ppc-book3s-fix-config_transactional_mem-n-crash.patch
+kvm-ppc-fix-kvm_arch_vcpu_ioctl-vcpu_load-leak.patch
+net-sched-fix-memory-leak-in-tcindex_partial_destroy.patch
+sctp-trim-optlen-when-it-s-a-huge-value-in-sctp_sets.patch
+netrom-decrease-sock-refcount-when-sock-timers-expir.patch
+scsi-iscsi-fix-iface-sysfs-attr-detection.patch
+scsi-target-fix-protect-handling-in-write-same-32.patch
+spi-cadence-correct-initialisation-of-runtime-pm-aga.patch
+acpi-kconfig-fix-table-override-from-built-in-initrd.patch
+efi-dev-path-parser-switch-to-use-for_each_acpi_dev_.patch
+acpi-utils-fix-reference-counting-in-for_each_acpi_d.patch
+bnxt_en-don-t-disable-an-already-disabled-pci-device.patch
+bnxt_en-refresh-roce-capabilities-in-bnxt_ulp_probe.patch
+bnxt_en-add-missing-check-for-bnxt_state_abort_err-i.patch
+bnxt_en-fix-error-path-of-fw-reset.patch
+bnxt_en-validate-vlan-protocol-id-on-rx-packets.patch
+bnxt_en-check-abort-error-state-in-bnxt_half_open_ni.patch
+net-hisilicon-rename-cache_line_mask-to-avoid-redefi.patch
+net-tcp_fastopen-fix-data-races-around-tfo_active_di.patch
+alsa-hda-intel-dsp-cfg-add-missing-elkhartlake-pci-i.patch
+net-hns3-fix-possible-mismatches-resp-of-mailbox.patch
+net-hns3-fix-rx-vlan-offload-state-inconsistent-issu.patch
+spi-spi-bcm2835-fix-deadlock.patch
+io_uring-fix-memleak-in-io_init_wq_offload.patch
+net-sched-act_skbmod-skip-non-ethernet-packets.patch
+ipv6-fix-another-slab-out-of-bounds-in-fib6_nh_flush.patch
+ceph-don-t-warn-if-we-re-still-opening-a-session-to-.patch
+i2c-mpc-poll-for-mcf.patch
+scsi-target-fix-null-dereference-on-xcopy-completion.patch
+drm-ttm-force-re-init-if-ttm_global_init-fails.patch
+nvme-pci-don-t-warn_on-in-nvme_reset_work-if-ctrl.st.patch
+revert-usb-quirks-ignore-remote-wake-up-on-fibocom-l.patch
+afs-fix-tracepoint-string-placement-with-built-in-af.patch
+afs-check-function-return.patch
+afs-fix-setting-of-writeback_index.patch
+r8169-avoid-duplicate-sysfs-entry-creation-error.patch
+nvme-set-the-pract-bit-when-using-write-zeroes-with-.patch
+sctp-update-active_key-for-asoc-when-old-key-is-bein.patch
+udp-check-encap-socket-in-__udp_lib_err.patch
+ibmvnic-remove-the-proper-scrq-flush.patch
+riscv-fix-32-bit-risc-v-boot-failure.patch
+tcp-disable-tfo-blackhole-logic-by-default.patch
+net-dsa-sja1105-make-vid-4095-a-bridge-vlan-too.patch
+risc-v-load-initrd-wherever-it-fits-into-memory.patch
+net-sched-cls_api-fix-the-the-wrong-parameter.patch
+drm-panel-raspberrypi-touchscreen-prevent-double-fre.patch
+dpaa2-switch-seed-the-buffer-pool-after-allocating-t.patch
+cifs-only-write-64kb-at-a-time-when-fallocating-a-sm.patch
+cifs-fix-fallocate-when-trying-to-allocate-a-hole.patch
+proc-avoid-mixing-integer-types-in-mem_rw.patch
--- /dev/null
+From 2a3f2e814fa0ed753ae56beb5c0c86caca9d52d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jul 2021 16:21:27 +0200
+Subject: sfc: fix lack of XDP TX queues - error XDP TX failed (-22)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Íñigo Huguet <ihuguet@redhat.com>
+
+[ Upstream commit f28100cb9c9645c07cbd22431278ac9492f6a01c ]
+
+Fixes: e26ca4b53582 sfc: reduce the number of requested xdp ev queues
+
+The buggy commit intended to allocate less channels for XDP in order to
+be more unlikely to reach the limit of 32 channels of the driver.
+
+The idea was to use each IRQ/eventqeue for more XDP TX queues than
+before, calculating which is the maximum number of TX queues that one
+event queue can handle. For example, in EF10 each event queue could
+handle up to 8 queues, better than the 4 they were handling before the
+change. This way, it would have to allocate half of channels than before
+for XDP TX.
+
+The problem is that the TX queues are also contained inside the channel
+structs, and there are only 4 queues per channel. Reducing the number of
+channels means also reducing the number of queues, resulting in not
+having the desired number of 1 queue per CPU.
+
+This leads to getting errors on XDP_TX and XDP_REDIRECT if they're
+executed from a high numbered CPU, because there only exist queues for
+the low half of CPUs, actually. If XDP_TX/REDIRECT is executed in a low
+numbered CPU, the error doesn't happen. This is the error in the logs
+(repeated many times, even rate limited):
+sfc 0000:5e:00.0 ens3f0np0: XDP TX failed (-22)
+
+This errors happens in function efx_xdp_tx_buffers, where it expects to
+have a dedicated XDP TX queue per CPU.
+
+Reverting the change makes again more likely to reach the limit of 32
+channels in machines with many CPUs. If this happen, no XDP_TX/REDIRECT
+will be possible at all, and we will have this log error messages:
+
+At interface probe:
+sfc 0000:5e:00.0: Insufficient resources for 12 XDP event queues (24 other channels, max 32)
+
+At every subsequent XDP_TX/REDIRECT failure, rate limited:
+sfc 0000:5e:00.0 ens3f0np0: XDP TX failed (-22)
+
+However, without reverting the change, it makes the user to think that
+everything is OK at probe time, but later it fails in an unpredictable
+way, depending on the CPU that handles the packet.
+
+It is better to restore the predictable behaviour. If the user sees the
+error message at probe time, he/she can try to configure the best way it
+fits his/her needs. At least, he/she will have 2 options:
+- Accept that XDP_TX/REDIRECT is not available (he/she may not need it)
+- Load sfc module with modparam 'rss_cpus' with a lower number, thus
+ creating less normal RX queues/channels, letting more free resources
+ for XDP, with some performance penalty.
+
+Anyway, let the calculation of maximum TX queues that can be handled by
+a single event queue, and use it only if it's less than the number of TX
+queues per channel. This doesn't happen in practice, but could happen if
+some constant values are tweaked in the future, such us
+EFX_MAX_TXQ_PER_CHANNEL, EFX_MAX_EVQ_SIZE or EFX_MAX_DMAQ_SIZE.
+
+Related mailing list thread:
+https://lore.kernel.org/bpf/20201215104327.2be76156@carbon/
+
+Signed-off-by: Íñigo Huguet <ihuguet@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/sfc/efx_channels.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/sfc/efx_channels.c b/drivers/net/ethernet/sfc/efx_channels.c
+index a3ca406a3561..5b71f8a03a6d 100644
+--- a/drivers/net/ethernet/sfc/efx_channels.c
++++ b/drivers/net/ethernet/sfc/efx_channels.c
+@@ -152,6 +152,7 @@ static int efx_allocate_msix_channels(struct efx_nic *efx,
+ * maximum size.
+ */
+ tx_per_ev = EFX_MAX_EVQ_SIZE / EFX_TXQ_MAX_ENT(efx);
++ tx_per_ev = min(tx_per_ev, EFX_MAX_TXQ_PER_CHANNEL);
+ n_xdp_tx = num_possible_cpus();
+ n_xdp_ev = DIV_ROUND_UP(n_xdp_tx, tx_per_ev);
+
+@@ -181,7 +182,7 @@ static int efx_allocate_msix_channels(struct efx_nic *efx,
+ efx->xdp_tx_queue_count = 0;
+ } else {
+ efx->n_xdp_channels = n_xdp_ev;
+- efx->xdp_tx_per_channel = EFX_MAX_TXQ_PER_CHANNEL;
++ efx->xdp_tx_per_channel = tx_per_ev;
+ efx->xdp_tx_queue_count = n_xdp_tx;
+ n_channels += n_xdp_ev;
+ netif_dbg(efx, drv, efx->net_dev,
+--
+2.30.2
+
--- /dev/null
+From 23ad06329184e13e239d4ab505784a043a881414 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jul 2021 20:21:33 +0200
+Subject: spi: cadence: Correct initialisation of runtime PM again
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit 56912da7a68c8356df6a6740476237441b0b792a ]
+
+The original implementation of RPM handling in probe() was mostly
+correct, except it failed to call pm_runtime_get_*() to activate the
+hardware. The subsequent fix, 734882a8bf98 ("spi: cadence: Correct
+initialisation of runtime PM"), breaks the implementation further,
+to the point where the system using this hard IP on ZynqMP hangs on
+boot, because it accesses hardware which is gated off.
+
+Undo 734882a8bf98 ("spi: cadence: Correct initialisation of runtime
+PM") and instead add missing pm_runtime_get_noresume() and move the
+RPM disabling all the way to the end of probe(). That makes ZynqMP
+not hang on boot yet again.
+
+Fixes: 734882a8bf98 ("spi: cadence: Correct initialisation of runtime PM")
+Signed-off-by: Marek Vasut <marex@denx.de>
+Cc: Charles Keepax <ckeepax@opensource.cirrus.com>
+Cc: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20210716182133.218640-1-marex@denx.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-cadence.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/spi/spi-cadence.c b/drivers/spi/spi-cadence.c
+index a3afd1b9ac56..ceb16e70d235 100644
+--- a/drivers/spi/spi-cadence.c
++++ b/drivers/spi/spi-cadence.c
+@@ -517,6 +517,12 @@ static int cdns_spi_probe(struct platform_device *pdev)
+ goto clk_dis_apb;
+ }
+
++ pm_runtime_use_autosuspend(&pdev->dev);
++ pm_runtime_set_autosuspend_delay(&pdev->dev, SPI_AUTOSUSPEND_TIMEOUT);
++ pm_runtime_get_noresume(&pdev->dev);
++ pm_runtime_set_active(&pdev->dev);
++ pm_runtime_enable(&pdev->dev);
++
+ ret = of_property_read_u32(pdev->dev.of_node, "num-cs", &num_cs);
+ if (ret < 0)
+ master->num_chipselect = CDNS_SPI_DEFAULT_NUM_CS;
+@@ -531,11 +537,6 @@ static int cdns_spi_probe(struct platform_device *pdev)
+ /* SPI controller initializations */
+ cdns_spi_init_hw(xspi);
+
+- pm_runtime_set_active(&pdev->dev);
+- pm_runtime_enable(&pdev->dev);
+- pm_runtime_use_autosuspend(&pdev->dev);
+- pm_runtime_set_autosuspend_delay(&pdev->dev, SPI_AUTOSUSPEND_TIMEOUT);
+-
+ irq = platform_get_irq(pdev, 0);
+ if (irq <= 0) {
+ ret = -ENXIO;
+@@ -566,6 +567,9 @@ static int cdns_spi_probe(struct platform_device *pdev)
+
+ master->bits_per_word_mask = SPI_BPW_MASK(8);
+
++ pm_runtime_mark_last_busy(&pdev->dev);
++ pm_runtime_put_autosuspend(&pdev->dev);
++
+ ret = spi_register_master(master);
+ if (ret) {
+ dev_err(&pdev->dev, "spi_register_master failed\n");
+--
+2.30.2
+
--- /dev/null
+From fb8623bcde96db8aed19abf7d473beba70b30c8d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 3 Jul 2021 04:23:00 +0200
+Subject: spi: imx: mx51-ecspi: Reinstate low-speed CONFIGREG delay
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit 135cbd378eab336da15de9c84bbb22bf743b38a5 ]
+
+Since 00b80ac935539 ("spi: imx: mx51-ecspi: Move some initialisation to
+prepare_message hook."), the MX51_ECSPI_CONFIG write no longer happens
+in prepare_transfer hook, but rather in prepare_message hook, however
+the MX51_ECSPI_CONFIG delay is still left in prepare_transfer hook and
+thus has no effect. This leads to low bus frequency operation problems
+described in 6fd8b8503a0dc ("spi: spi-imx: Fix out-of-order CS/SCLK
+operation at low speeds") again.
+
+Move the MX51_ECSPI_CONFIG write delay into the prepare_message hook
+as well, thus reinstating the low bus frequency fix.
+
+Fixes: 00b80ac935539 ("spi: imx: mx51-ecspi: Move some initialisation to prepare_message hook.")
+Signed-off-by: Marek Vasut <marex@denx.de>
+Cc: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Cc: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20210703022300.296114-1-marex@denx.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-imx.c | 38 +++++++++++++++++++-------------------
+ 1 file changed, 19 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c
+index 39dc02e366f4..4aee3db6d6df 100644
+--- a/drivers/spi/spi-imx.c
++++ b/drivers/spi/spi-imx.c
+@@ -506,7 +506,7 @@ static int mx51_ecspi_prepare_message(struct spi_imx_data *spi_imx,
+ {
+ struct spi_device *spi = msg->spi;
+ u32 ctrl = MX51_ECSPI_CTRL_ENABLE;
+- u32 testreg;
++ u32 testreg, delay;
+ u32 cfg = readl(spi_imx->base + MX51_ECSPI_CONFIG);
+
+ /* set Master or Slave mode */
+@@ -567,6 +567,23 @@ static int mx51_ecspi_prepare_message(struct spi_imx_data *spi_imx,
+
+ writel(cfg, spi_imx->base + MX51_ECSPI_CONFIG);
+
++ /*
++ * Wait until the changes in the configuration register CONFIGREG
++ * propagate into the hardware. It takes exactly one tick of the
++ * SCLK clock, but we will wait two SCLK clock just to be sure. The
++ * effect of the delay it takes for the hardware to apply changes
++ * is noticable if the SCLK clock run very slow. In such a case, if
++ * the polarity of SCLK should be inverted, the GPIO ChipSelect might
++ * be asserted before the SCLK polarity changes, which would disrupt
++ * the SPI communication as the device on the other end would consider
++ * the change of SCLK polarity as a clock tick already.
++ */
++ delay = (2 * 1000000) / spi_imx->spi_bus_clk;
++ if (likely(delay < 10)) /* SCLK is faster than 100 kHz */
++ udelay(delay);
++ else /* SCLK is _very_ slow */
++ usleep_range(delay, delay + 10);
++
+ return 0;
+ }
+
+@@ -574,7 +591,7 @@ static int mx51_ecspi_prepare_transfer(struct spi_imx_data *spi_imx,
+ struct spi_device *spi)
+ {
+ u32 ctrl = readl(spi_imx->base + MX51_ECSPI_CTRL);
+- u32 clk, delay;
++ u32 clk;
+
+ /* Clear BL field and set the right value */
+ ctrl &= ~MX51_ECSPI_CTRL_BL_MASK;
+@@ -596,23 +613,6 @@ static int mx51_ecspi_prepare_transfer(struct spi_imx_data *spi_imx,
+
+ writel(ctrl, spi_imx->base + MX51_ECSPI_CTRL);
+
+- /*
+- * Wait until the changes in the configuration register CONFIGREG
+- * propagate into the hardware. It takes exactly one tick of the
+- * SCLK clock, but we will wait two SCLK clock just to be sure. The
+- * effect of the delay it takes for the hardware to apply changes
+- * is noticable if the SCLK clock run very slow. In such a case, if
+- * the polarity of SCLK should be inverted, the GPIO ChipSelect might
+- * be asserted before the SCLK polarity changes, which would disrupt
+- * the SPI communication as the device on the other end would consider
+- * the change of SCLK polarity as a clock tick already.
+- */
+- delay = (2 * 1000000) / clk;
+- if (likely(delay < 10)) /* SCLK is faster than 100 kHz */
+- udelay(delay);
+- else /* SCLK is _very_ slow */
+- usleep_range(delay, delay + 10);
+-
+ return 0;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 5696fa7e864fe6011c3398d05225a5d55b50eb08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Jul 2021 14:16:09 +0200
+Subject: spi: mediatek: fix fifo rx mode
+
+From: Peter Hess <peter.hess@ph-home.de>
+
+[ Upstream commit 3a70dd2d050331ee4cf5ad9d5c0a32d83ead9a43 ]
+
+In FIFO mode were two problems:
+- RX mode was never handled and
+- in this case the tx_buf pointer was NULL and caused an exception
+
+fix this by handling RX mode in mtk_spi_fifo_transfer
+
+Fixes: a568231f4632 ("spi: mediatek: Add spi bus for Mediatek MT8173")
+Signed-off-by: Peter Hess <peter.hess@ph-home.de>
+Signed-off-by: Frank Wunderlich <frank-w@public-files.de>
+Link: https://lore.kernel.org/r/20210706121609.680534-1-linux@fw-web.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-mt65xx.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/spi/spi-mt65xx.c b/drivers/spi/spi-mt65xx.c
+index 976f73b9e299..8d5fa7f1e506 100644
+--- a/drivers/spi/spi-mt65xx.c
++++ b/drivers/spi/spi-mt65xx.c
+@@ -427,13 +427,23 @@ static int mtk_spi_fifo_transfer(struct spi_master *master,
+ mtk_spi_setup_packet(master);
+
+ cnt = xfer->len / 4;
+- iowrite32_rep(mdata->base + SPI_TX_DATA_REG, xfer->tx_buf, cnt);
++ if (xfer->tx_buf)
++ iowrite32_rep(mdata->base + SPI_TX_DATA_REG, xfer->tx_buf, cnt);
++
++ if (xfer->rx_buf)
++ ioread32_rep(mdata->base + SPI_RX_DATA_REG, xfer->rx_buf, cnt);
+
+ remainder = xfer->len % 4;
+ if (remainder > 0) {
+ reg_val = 0;
+- memcpy(®_val, xfer->tx_buf + (cnt * 4), remainder);
+- writel(reg_val, mdata->base + SPI_TX_DATA_REG);
++ if (xfer->tx_buf) {
++ memcpy(®_val, xfer->tx_buf + (cnt * 4), remainder);
++ writel(reg_val, mdata->base + SPI_TX_DATA_REG);
++ }
++ if (xfer->rx_buf) {
++ reg_val = readl(mdata->base + SPI_RX_DATA_REG);
++ memcpy(xfer->rx_buf + (cnt * 4), ®_val, remainder);
++ }
+ }
+
+ mtk_spi_enable_transfer(master);
+--
+2.30.2
+
--- /dev/null
+From 9d5a82d054d50789b520e60a01e4732acd064c5c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Jul 2021 00:02:45 +0300
+Subject: spi: spi-bcm2835: Fix deadlock
+
+From: Alexandru Tachici <alexandru.tachici@analog.com>
+
+[ Upstream commit c45c1e82bba130db4f19d9dbc1deefcf4ea994ed ]
+
+The bcm2835_spi_transfer_one function can create a deadlock
+if it is called while another thread already has the
+CCF lock.
+
+Signed-off-by: Alexandru Tachici <alexandru.tachici@analog.com>
+Fixes: f8043872e796 ("spi: add driver for BCM2835")
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Link: https://lore.kernel.org/r/20210716210245.13240-2-alexandru.tachici@analog.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-bcm2835.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/spi/spi-bcm2835.c b/drivers/spi/spi-bcm2835.c
+index fe40626e45aa..61cbcc7e2121 100644
+--- a/drivers/spi/spi-bcm2835.c
++++ b/drivers/spi/spi-bcm2835.c
+@@ -84,6 +84,7 @@ MODULE_PARM_DESC(polling_limit_us,
+ * struct bcm2835_spi - BCM2835 SPI controller
+ * @regs: base address of register map
+ * @clk: core clock, divided to calculate serial clock
++ * @clk_hz: core clock cached speed
+ * @irq: interrupt, signals TX FIFO empty or RX FIFO ¾ full
+ * @tfr: SPI transfer currently processed
+ * @ctlr: SPI controller reverse lookup
+@@ -124,6 +125,7 @@ MODULE_PARM_DESC(polling_limit_us,
+ struct bcm2835_spi {
+ void __iomem *regs;
+ struct clk *clk;
++ unsigned long clk_hz;
+ int irq;
+ struct spi_transfer *tfr;
+ struct spi_controller *ctlr;
+@@ -1082,19 +1084,18 @@ static int bcm2835_spi_transfer_one(struct spi_controller *ctlr,
+ struct spi_transfer *tfr)
+ {
+ struct bcm2835_spi *bs = spi_controller_get_devdata(ctlr);
+- unsigned long spi_hz, clk_hz, cdiv;
++ unsigned long spi_hz, cdiv;
+ unsigned long hz_per_byte, byte_limit;
+ u32 cs = bs->prepare_cs[spi->chip_select];
+
+ /* set clock */
+ spi_hz = tfr->speed_hz;
+- clk_hz = clk_get_rate(bs->clk);
+
+- if (spi_hz >= clk_hz / 2) {
++ if (spi_hz >= bs->clk_hz / 2) {
+ cdiv = 2; /* clk_hz/2 is the fastest we can go */
+ } else if (spi_hz) {
+ /* CDIV must be a multiple of two */
+- cdiv = DIV_ROUND_UP(clk_hz, spi_hz);
++ cdiv = DIV_ROUND_UP(bs->clk_hz, spi_hz);
+ cdiv += (cdiv % 2);
+
+ if (cdiv >= 65536)
+@@ -1102,7 +1103,7 @@ static int bcm2835_spi_transfer_one(struct spi_controller *ctlr,
+ } else {
+ cdiv = 0; /* 0 is the slowest we can go */
+ }
+- tfr->effective_speed_hz = cdiv ? (clk_hz / cdiv) : (clk_hz / 65536);
++ tfr->effective_speed_hz = cdiv ? (bs->clk_hz / cdiv) : (bs->clk_hz / 65536);
+ bcm2835_wr(bs, BCM2835_SPI_CLK, cdiv);
+
+ /* handle all the 3-wire mode */
+@@ -1320,6 +1321,7 @@ static int bcm2835_spi_probe(struct platform_device *pdev)
+ return bs->irq ? bs->irq : -ENODEV;
+
+ clk_prepare_enable(bs->clk);
++ bs->clk_hz = clk_get_rate(bs->clk);
+
+ err = bcm2835_dma_init(ctlr, &pdev->dev, bs);
+ if (err)
+--
+2.30.2
+
--- /dev/null
+From 8e7f9650f5d883bca7b0239529c1b704673abd38 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 16:21:32 +0000
+Subject: spi: spi-cadence-quadspi: Fix division by zero warning
+
+From: Yoshitaka Ikeda <ikeda@nskint.co.jp>
+
+[ Upstream commit 55cef88bbf12f3bfbe5c2379a8868a034707e755 ]
+
+Fix below division by zero warning:
+- Added an if statement because buswidth can be zero, resulting in division by zero.
+- The modified code was based on another driver (atmel-quadspi).
+
+[ 0.795337] Division by zero in kernel.
+ :
+[ 0.834051] [<807fd40c>] (__div0) from [<804e1acc>] (Ldiv0+0x8/0x10)
+[ 0.839097] [<805f0710>] (cqspi_exec_mem_op) from [<805edb4c>] (spi_mem_exec_op+0x3b0/0x3f8)
+
+Fixes: 7512eaf54190 ("spi: cadence-quadspi: Fix dummy cycle calculation when buswidth > 1")
+Signed-off-by: Yoshitaka Ikeda <ikeda@nskint.co.jp>
+Link: https://lore.kernel.org/r/ed989af6-da88-4e0b-9ed8-126db6cad2e4@nskint.co.jp
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-cadence-quadspi.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/spi/spi-cadence-quadspi.c b/drivers/spi/spi-cadence-quadspi.c
+index 7a00346ff9b9..13d1f0ce618e 100644
+--- a/drivers/spi/spi-cadence-quadspi.c
++++ b/drivers/spi/spi-cadence-quadspi.c
+@@ -307,11 +307,13 @@ static unsigned int cqspi_calc_rdreg(struct cqspi_flash_pdata *f_pdata)
+
+ static unsigned int cqspi_calc_dummy(const struct spi_mem_op *op, bool dtr)
+ {
+- unsigned int dummy_clk;
++ unsigned int dummy_clk = 0;
+
+- dummy_clk = op->dummy.nbytes * (8 / op->dummy.buswidth);
+- if (dtr)
+- dummy_clk /= 2;
++ if (op->dummy.buswidth && op->dummy.nbytes) {
++ dummy_clk = op->dummy.nbytes * (8 / op->dummy.buswidth);
++ if (dtr)
++ dummy_clk /= 2;
++ }
+
+ return dummy_clk;
+ }
+--
+2.30.2
+
--- /dev/null
+From 019bbd7dfba577f89af5e1e2edb05cb06a735245 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Jul 2021 10:27:00 +0200
+Subject: spi: stm32: fixes pm_runtime calls in probe/remove
+
+From: Alain Volmat <alain.volmat@foss.st.com>
+
+[ Upstream commit 7999d2555c9f879d006ea8469d74db9cdb038af0 ]
+
+Add pm_runtime calls in probe/probe error path and remove
+in order to be consistent in all places in ordering and
+ensure that pm_runtime is disabled prior to resources used
+by the SPI controller.
+
+This patch also fixes the 2 following warnings on driver remove:
+WARNING: CPU: 0 PID: 743 at drivers/clk/clk.c:594 clk_core_disable_lock+0x18/0x24
+WARNING: CPU: 0 PID: 743 at drivers/clk/clk.c:476 clk_unprepare+0x24/0x2c
+
+Fixes: 038ac869c9d2 ("spi: stm32: add runtime PM support")
+
+Signed-off-by: Amelie Delaunay <amelie.delaunay@foss.st.com>
+Signed-off-by: Alain Volmat <alain.volmat@foss.st.com>
+Link: https://lore.kernel.org/r/1625646426-5826-2-git-send-email-alain.volmat@foss.st.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-stm32.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-stm32.c b/drivers/spi/spi-stm32.c
+index 8ffcffbb8157..a92a28933edb 100644
+--- a/drivers/spi/spi-stm32.c
++++ b/drivers/spi/spi-stm32.c
+@@ -1925,6 +1925,7 @@ static int stm32_spi_probe(struct platform_device *pdev)
+ master->can_dma = stm32_spi_can_dma;
+
+ pm_runtime_set_active(&pdev->dev);
++ pm_runtime_get_noresume(&pdev->dev);
+ pm_runtime_enable(&pdev->dev);
+
+ ret = spi_register_master(master);
+@@ -1940,6 +1941,8 @@ static int stm32_spi_probe(struct platform_device *pdev)
+
+ err_pm_disable:
+ pm_runtime_disable(&pdev->dev);
++ pm_runtime_put_noidle(&pdev->dev);
++ pm_runtime_set_suspended(&pdev->dev);
+ err_dma_release:
+ if (spi->dma_tx)
+ dma_release_channel(spi->dma_tx);
+@@ -1956,9 +1959,14 @@ static int stm32_spi_remove(struct platform_device *pdev)
+ struct spi_master *master = platform_get_drvdata(pdev);
+ struct stm32_spi *spi = spi_master_get_devdata(master);
+
++ pm_runtime_get_sync(&pdev->dev);
++
+ spi_unregister_master(master);
+ spi->cfg->disable(spi);
+
++ pm_runtime_disable(&pdev->dev);
++ pm_runtime_put_noidle(&pdev->dev);
++ pm_runtime_set_suspended(&pdev->dev);
+ if (master->dma_tx)
+ dma_release_channel(master->dma_tx);
+ if (master->dma_rx)
+@@ -1966,7 +1974,6 @@ static int stm32_spi_remove(struct platform_device *pdev)
+
+ clk_disable_unprepare(spi->clk);
+
+- pm_runtime_disable(&pdev->dev);
+
+ pinctrl_pm_select_sleep_state(&pdev->dev);
+
+--
+2.30.2
+
--- /dev/null
+From cf2b18efc7f5047dd5e00043045e3ff97441a159 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Jul 2021 15:53:35 +0800
+Subject: stmmac: platform: Fix signedness bug in stmmac_probe_config_dt()
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit eca81f09145d765c21dd8fb1ba5d874ca255c32c ]
+
+The "plat->phy_interface" variable is an enum and in this context GCC
+will treat it as an unsigned int so the error handling is never
+triggered.
+
+Fixes: b9f0b2f634c0 ("net: stmmac: platform: fix probe for ACPI devices")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
+index a696ada013eb..cad9e466353f 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
+@@ -399,6 +399,7 @@ stmmac_probe_config_dt(struct platform_device *pdev, u8 *mac)
+ struct device_node *np = pdev->dev.of_node;
+ struct plat_stmmacenet_data *plat;
+ struct stmmac_dma_cfg *dma_cfg;
++ int phy_mode;
+ void *ret;
+ int rc;
+
+@@ -414,10 +415,11 @@ stmmac_probe_config_dt(struct platform_device *pdev, u8 *mac)
+ eth_zero_addr(mac);
+ }
+
+- plat->phy_interface = device_get_phy_mode(&pdev->dev);
+- if (plat->phy_interface < 0)
+- return ERR_PTR(plat->phy_interface);
++ phy_mode = device_get_phy_mode(&pdev->dev);
++ if (phy_mode < 0)
++ return ERR_PTR(phy_mode);
+
++ plat->phy_interface = phy_mode;
+ plat->interface = stmmac_of_get_mac_mode(np);
+ if (plat->interface < 0)
+ plat->interface = plat->phy_interface;
+--
+2.30.2
+
--- /dev/null
+From 417a2ba2f5e341cb7a842132e7685d187c251675 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jul 2021 10:27:38 -0700
+Subject: tcp: disable TFO blackhole logic by default
+
+From: Wei Wang <weiwan@google.com>
+
+[ Upstream commit 213ad73d06073b197a02476db3a4998e219ddb06 ]
+
+Multiple complaints have been raised from the TFO users on the internet
+stating that the TFO blackhole logic is too aggressive and gets falsely
+triggered too often.
+(e.g. https://blog.apnic.net/2021/07/05/tcp-fast-open-not-so-fast/)
+Considering that most middleboxes no longer drop TFO packets, we decide
+to disable the blackhole logic by setting
+/proc/sys/net/ipv4/tcp_fastopen_blackhole_timeout_set to 0 by default.
+
+Fixes: cf1ef3f0719b4 ("net/tcp_fastopen: Disable active side TFO in certain scenarios")
+Signed-off-by: Wei Wang <weiwan@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
+Acked-by: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/networking/ip-sysctl.rst | 2 +-
+ net/ipv4/tcp_fastopen.c | 9 ++++++++-
+ net/ipv4/tcp_ipv4.c | 2 +-
+ 3 files changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/Documentation/networking/ip-sysctl.rst b/Documentation/networking/ip-sysctl.rst
+index c2ecc9894fd0..9a57e972dae4 100644
+--- a/Documentation/networking/ip-sysctl.rst
++++ b/Documentation/networking/ip-sysctl.rst
+@@ -772,7 +772,7 @@ tcp_fastopen_blackhole_timeout_sec - INTEGER
+ initial value when the blackhole issue goes away.
+ 0 to disable the blackhole detection.
+
+- By default, it is set to 1hr.
++ By default, it is set to 0 (feature is disabled).
+
+ tcp_fastopen_key - list of comma separated 32-digit hexadecimal INTEGERs
+ The list consists of a primary key and an optional backup key. The
+diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c
+index 08548ff23d83..d49709ba8e16 100644
+--- a/net/ipv4/tcp_fastopen.c
++++ b/net/ipv4/tcp_fastopen.c
+@@ -507,6 +507,9 @@ void tcp_fastopen_active_disable(struct sock *sk)
+ {
+ struct net *net = sock_net(sk);
+
++ if (!sock_net(sk)->ipv4.sysctl_tcp_fastopen_blackhole_timeout)
++ return;
++
+ /* Paired with READ_ONCE() in tcp_fastopen_active_should_disable() */
+ WRITE_ONCE(net->ipv4.tfo_active_disable_stamp, jiffies);
+
+@@ -526,10 +529,14 @@ void tcp_fastopen_active_disable(struct sock *sk)
+ bool tcp_fastopen_active_should_disable(struct sock *sk)
+ {
+ unsigned int tfo_bh_timeout = sock_net(sk)->ipv4.sysctl_tcp_fastopen_blackhole_timeout;
+- int tfo_da_times = atomic_read(&sock_net(sk)->ipv4.tfo_active_disable_times);
+ unsigned long timeout;
++ int tfo_da_times;
+ int multiplier;
+
++ if (!tfo_bh_timeout)
++ return false;
++
++ tfo_da_times = atomic_read(&sock_net(sk)->ipv4.tfo_active_disable_times);
+ if (!tfo_da_times)
+ return false;
+
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index e409f2de5dc4..8bb5f7f51dae 100644
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -2954,7 +2954,7 @@ static int __net_init tcp_sk_init(struct net *net)
+ net->ipv4.sysctl_tcp_comp_sack_nr = 44;
+ net->ipv4.sysctl_tcp_fastopen = TFO_CLIENT_ENABLE;
+ spin_lock_init(&net->ipv4.tcp_fastopen_ctx_lock);
+- net->ipv4.sysctl_tcp_fastopen_blackhole_timeout = 60 * 60;
++ net->ipv4.sysctl_tcp_fastopen_blackhole_timeout = 0;
+ atomic_set(&net->ipv4.tfo_active_disable_times, 0);
+
+ /* Reno is always built in */
+--
+2.30.2
+
--- /dev/null
+From 41464c66dab40b71048a037f6be348272aa8d17d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Jul 2021 16:13:25 +0200
+Subject: timers: Fix get_next_timer_interrupt() with no timers pending
+
+From: Nicolas Saenz Julienne <nsaenzju@redhat.com>
+
+[ Upstream commit aebacb7f6ca1926918734faae14d1f0b6fae5cb7 ]
+
+31cd0e119d50 ("timers: Recalculate next timer interrupt only when
+necessary") subtly altered get_next_timer_interrupt()'s behaviour. The
+function no longer consistently returns KTIME_MAX with no timers
+pending.
+
+In order to decide if there are any timers pending we check whether the
+next expiry will happen NEXT_TIMER_MAX_DELTA jiffies from now.
+Unfortunately, the next expiry time and the timer base clock are no
+longer updated in unison. The former changes upon certain timer
+operations (enqueue, expire, detach), whereas the latter keeps track of
+jiffies as they move forward. Ultimately breaking the logic above.
+
+A simplified example:
+
+- Upon entering get_next_timer_interrupt() with:
+
+ jiffies = 1
+ base->clk = 0;
+ base->next_expiry = NEXT_TIMER_MAX_DELTA;
+
+ 'base->next_expiry == base->clk + NEXT_TIMER_MAX_DELTA', the function
+ returns KTIME_MAX.
+
+- 'base->clk' is updated to the jiffies value.
+
+- The next time we enter get_next_timer_interrupt(), taking into account
+ no timer operations happened:
+
+ base->clk = 1;
+ base->next_expiry = NEXT_TIMER_MAX_DELTA;
+
+ 'base->next_expiry != base->clk + NEXT_TIMER_MAX_DELTA', the function
+ returns a valid expire time, which is incorrect.
+
+This ultimately might unnecessarily rearm sched's timer on nohz_full
+setups, and add latency to the system[1].
+
+So, introduce 'base->timers_pending'[2], update it every time
+'base->next_expiry' changes, and use it in get_next_timer_interrupt().
+
+[1] See tick_nohz_stop_tick().
+[2] A quick pahole check on x86_64 and arm64 shows it doesn't make
+ 'struct timer_base' any bigger.
+
+Fixes: 31cd0e119d50 ("timers: Recalculate next timer interrupt only when necessary")
+Signed-off-by: Nicolas Saenz Julienne <nsaenzju@redhat.com>
+Signed-off-by: Frederic Weisbecker <frederic@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/time/timer.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/time/timer.c b/kernel/time/timer.c
+index d111adf4a0cb..99b97ccefdbd 100644
+--- a/kernel/time/timer.c
++++ b/kernel/time/timer.c
+@@ -207,6 +207,7 @@ struct timer_base {
+ unsigned int cpu;
+ bool next_expiry_recalc;
+ bool is_idle;
++ bool timers_pending;
+ DECLARE_BITMAP(pending_map, WHEEL_SIZE);
+ struct hlist_head vectors[WHEEL_SIZE];
+ } ____cacheline_aligned;
+@@ -595,6 +596,7 @@ static void enqueue_timer(struct timer_base *base, struct timer_list *timer,
+ * can reevaluate the wheel:
+ */
+ base->next_expiry = bucket_expiry;
++ base->timers_pending = true;
+ base->next_expiry_recalc = false;
+ trigger_dyntick_cpu(base, timer);
+ }
+@@ -1596,6 +1598,7 @@ static unsigned long __next_timer_interrupt(struct timer_base *base)
+ }
+
+ base->next_expiry_recalc = false;
++ base->timers_pending = !(next == base->clk + NEXT_TIMER_MAX_DELTA);
+
+ return next;
+ }
+@@ -1647,7 +1650,6 @@ u64 get_next_timer_interrupt(unsigned long basej, u64 basem)
+ struct timer_base *base = this_cpu_ptr(&timer_bases[BASE_STD]);
+ u64 expires = KTIME_MAX;
+ unsigned long nextevt;
+- bool is_max_delta;
+
+ /*
+ * Pretend that there is no timer pending if the cpu is offline.
+@@ -1660,7 +1662,6 @@ u64 get_next_timer_interrupt(unsigned long basej, u64 basem)
+ if (base->next_expiry_recalc)
+ base->next_expiry = __next_timer_interrupt(base);
+ nextevt = base->next_expiry;
+- is_max_delta = (nextevt == base->clk + NEXT_TIMER_MAX_DELTA);
+
+ /*
+ * We have a fresh next event. Check whether we can forward the
+@@ -1678,7 +1679,7 @@ u64 get_next_timer_interrupt(unsigned long basej, u64 basem)
+ expires = basem;
+ base->is_idle = false;
+ } else {
+- if (!is_max_delta)
++ if (base->timers_pending)
+ expires = basem + (u64)(nextevt - basej) * TICK_NSEC;
+ /*
+ * If we expect to sleep more than a tick, mark the base idle.
+@@ -1961,6 +1962,7 @@ int timers_prepare_cpu(unsigned int cpu)
+ base = per_cpu_ptr(&timer_bases[b], cpu);
+ base->clk = jiffies;
+ base->next_expiry = base->clk + NEXT_TIMER_MAX_DELTA;
++ base->timers_pending = false;
+ base->is_idle = false;
+ }
+ return 0;
+--
+2.30.2
+
--- /dev/null
+From 664797f4a5ddb9b2842a10b4e95a0a8a677dcd59 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Jul 2021 23:35:28 +0300
+Subject: udp: check encap socket in __udp_lib_err
+
+From: Vadim Fedorenko <vfedorenko@novek.ru>
+
+[ Upstream commit 9bfce73c8921c92a9565562e6e7d458d37b7ce80 ]
+
+Commit d26796ae5894 ("udp: check udp sock encap_type in __udp_lib_err")
+added checks for encapsulated sockets but it broke cases when there is
+no implementation of encap_err_lookup for encapsulation, i.e. ESP in
+UDP encapsulation. Fix it by calling encap_err_lookup only if socket
+implements this method otherwise treat it as legal socket.
+
+Fixes: d26796ae5894 ("udp: check udp sock encap_type in __udp_lib_err")
+Signed-off-by: Vadim Fedorenko <vfedorenko@novek.ru>
+Reviewed-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/udp.c | 25 +++++++++++++++++++------
+ net/ipv6/udp.c | 25 +++++++++++++++++++------
+ 2 files changed, 38 insertions(+), 12 deletions(-)
+
+diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
+index ca9cf1051b1e..568dc31a0467 100644
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -645,10 +645,12 @@ static struct sock *__udp4_lib_err_encap(struct net *net,
+ const struct iphdr *iph,
+ struct udphdr *uh,
+ struct udp_table *udptable,
++ struct sock *sk,
+ struct sk_buff *skb, u32 info)
+ {
++ int (*lookup)(struct sock *sk, struct sk_buff *skb);
+ int network_offset, transport_offset;
+- struct sock *sk;
++ struct udp_sock *up;
+
+ network_offset = skb_network_offset(skb);
+ transport_offset = skb_transport_offset(skb);
+@@ -659,18 +661,28 @@ static struct sock *__udp4_lib_err_encap(struct net *net,
+ /* Transport header needs to point to the UDP header */
+ skb_set_transport_header(skb, iph->ihl << 2);
+
++ if (sk) {
++ up = udp_sk(sk);
++
++ lookup = READ_ONCE(up->encap_err_lookup);
++ if (lookup && lookup(sk, skb))
++ sk = NULL;
++
++ goto out;
++ }
++
+ sk = __udp4_lib_lookup(net, iph->daddr, uh->source,
+ iph->saddr, uh->dest, skb->dev->ifindex, 0,
+ udptable, NULL);
+ if (sk) {
+- int (*lookup)(struct sock *sk, struct sk_buff *skb);
+- struct udp_sock *up = udp_sk(sk);
++ up = udp_sk(sk);
+
+ lookup = READ_ONCE(up->encap_err_lookup);
+ if (!lookup || lookup(sk, skb))
+ sk = NULL;
+ }
+
++out:
+ if (!sk)
+ sk = ERR_PTR(__udp4_lib_err_encap_no_sk(skb, info));
+
+@@ -707,15 +719,16 @@ int __udp4_lib_err(struct sk_buff *skb, u32 info, struct udp_table *udptable)
+ sk = __udp4_lib_lookup(net, iph->daddr, uh->dest,
+ iph->saddr, uh->source, skb->dev->ifindex,
+ inet_sdif(skb), udptable, NULL);
++
+ if (!sk || udp_sk(sk)->encap_type) {
+ /* No socket for error: try tunnels before discarding */
+- sk = ERR_PTR(-ENOENT);
+ if (static_branch_unlikely(&udp_encap_needed_key)) {
+- sk = __udp4_lib_err_encap(net, iph, uh, udptable, skb,
++ sk = __udp4_lib_err_encap(net, iph, uh, udptable, sk, skb,
+ info);
+ if (!sk)
+ return 0;
+- }
++ } else
++ sk = ERR_PTR(-ENOENT);
+
+ if (IS_ERR(sk)) {
+ __ICMP_INC_STATS(net, ICMP_MIB_INERRORS);
+diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
+index 6774e776228c..2d3bd4a9b0d0 100644
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -502,12 +502,14 @@ static struct sock *__udp6_lib_err_encap(struct net *net,
+ const struct ipv6hdr *hdr, int offset,
+ struct udphdr *uh,
+ struct udp_table *udptable,
++ struct sock *sk,
+ struct sk_buff *skb,
+ struct inet6_skb_parm *opt,
+ u8 type, u8 code, __be32 info)
+ {
++ int (*lookup)(struct sock *sk, struct sk_buff *skb);
+ int network_offset, transport_offset;
+- struct sock *sk;
++ struct udp_sock *up;
+
+ network_offset = skb_network_offset(skb);
+ transport_offset = skb_transport_offset(skb);
+@@ -518,18 +520,28 @@ static struct sock *__udp6_lib_err_encap(struct net *net,
+ /* Transport header needs to point to the UDP header */
+ skb_set_transport_header(skb, offset);
+
++ if (sk) {
++ up = udp_sk(sk);
++
++ lookup = READ_ONCE(up->encap_err_lookup);
++ if (lookup && lookup(sk, skb))
++ sk = NULL;
++
++ goto out;
++ }
++
+ sk = __udp6_lib_lookup(net, &hdr->daddr, uh->source,
+ &hdr->saddr, uh->dest,
+ inet6_iif(skb), 0, udptable, skb);
+ if (sk) {
+- int (*lookup)(struct sock *sk, struct sk_buff *skb);
+- struct udp_sock *up = udp_sk(sk);
++ up = udp_sk(sk);
+
+ lookup = READ_ONCE(up->encap_err_lookup);
+ if (!lookup || lookup(sk, skb))
+ sk = NULL;
+ }
+
++out:
+ if (!sk) {
+ sk = ERR_PTR(__udp6_lib_err_encap_no_sk(skb, opt, type, code,
+ offset, info));
+@@ -558,16 +570,17 @@ int __udp6_lib_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
+
+ sk = __udp6_lib_lookup(net, daddr, uh->dest, saddr, uh->source,
+ inet6_iif(skb), inet6_sdif(skb), udptable, NULL);
++
+ if (!sk || udp_sk(sk)->encap_type) {
+ /* No socket for error: try tunnels before discarding */
+- sk = ERR_PTR(-ENOENT);
+ if (static_branch_unlikely(&udpv6_encap_needed_key)) {
+ sk = __udp6_lib_err_encap(net, hdr, offset, uh,
+- udptable, skb,
++ udptable, sk, skb,
+ opt, type, code, info);
+ if (!sk)
+ return 0;
+- }
++ } else
++ sk = ERR_PTR(-ENOENT);
+
+ if (IS_ERR(sk)) {
+ __ICMP6_INC_STATS(net, __in6_dev_get(skb->dev),
+--
+2.30.2
+
--- /dev/null
+From b91519ff60db3fd5b20c000b9e89b6305185ef5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jul 2021 17:13:22 +0800
+Subject: usb: hso: fix error handling code of hso_create_net_device
+
+From: Dongliang Mu <mudongliangabcd@gmail.com>
+
+[ Upstream commit a6ecfb39ba9d7316057cea823b196b734f6b18ca ]
+
+The current error handling code of hso_create_net_device is
+hso_free_net_device, no matter which errors lead to. For example,
+WARNING in hso_free_net_device [1].
+
+Fix this by refactoring the error handling code of
+hso_create_net_device by handling different errors by different code.
+
+[1] https://syzkaller.appspot.com/bug?id=66eff8d49af1b28370ad342787413e35bbe76efe
+
+Reported-by: syzbot+44d53c7255bb1aea22d2@syzkaller.appspotmail.com
+Fixes: 5fcfb6d0bfcd ("hso: fix bailout in error case of probe")
+Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/hso.c | 33 +++++++++++++++++++++++----------
+ 1 file changed, 23 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
+index 5c779cc0ea11..28ebf4955b83 100644
+--- a/drivers/net/usb/hso.c
++++ b/drivers/net/usb/hso.c
+@@ -2496,7 +2496,7 @@ static struct hso_device *hso_create_net_device(struct usb_interface *interface,
+ hso_net_init);
+ if (!net) {
+ dev_err(&interface->dev, "Unable to create ethernet device\n");
+- goto exit;
++ goto err_hso_dev;
+ }
+
+ hso_net = netdev_priv(net);
+@@ -2509,13 +2509,13 @@ static struct hso_device *hso_create_net_device(struct usb_interface *interface,
+ USB_DIR_IN);
+ if (!hso_net->in_endp) {
+ dev_err(&interface->dev, "Can't find BULK IN endpoint\n");
+- goto exit;
++ goto err_net;
+ }
+ hso_net->out_endp = hso_get_ep(interface, USB_ENDPOINT_XFER_BULK,
+ USB_DIR_OUT);
+ if (!hso_net->out_endp) {
+ dev_err(&interface->dev, "Can't find BULK OUT endpoint\n");
+- goto exit;
++ goto err_net;
+ }
+ SET_NETDEV_DEV(net, &interface->dev);
+ SET_NETDEV_DEVTYPE(net, &hso_type);
+@@ -2524,18 +2524,18 @@ static struct hso_device *hso_create_net_device(struct usb_interface *interface,
+ for (i = 0; i < MUX_BULK_RX_BUF_COUNT; i++) {
+ hso_net->mux_bulk_rx_urb_pool[i] = usb_alloc_urb(0, GFP_KERNEL);
+ if (!hso_net->mux_bulk_rx_urb_pool[i])
+- goto exit;
++ goto err_mux_bulk_rx;
+ hso_net->mux_bulk_rx_buf_pool[i] = kzalloc(MUX_BULK_RX_BUF_SIZE,
+ GFP_KERNEL);
+ if (!hso_net->mux_bulk_rx_buf_pool[i])
+- goto exit;
++ goto err_mux_bulk_rx;
+ }
+ hso_net->mux_bulk_tx_urb = usb_alloc_urb(0, GFP_KERNEL);
+ if (!hso_net->mux_bulk_tx_urb)
+- goto exit;
++ goto err_mux_bulk_rx;
+ hso_net->mux_bulk_tx_buf = kzalloc(MUX_BULK_TX_BUF_SIZE, GFP_KERNEL);
+ if (!hso_net->mux_bulk_tx_buf)
+- goto exit;
++ goto err_free_tx_urb;
+
+ add_net_device(hso_dev);
+
+@@ -2543,7 +2543,7 @@ static struct hso_device *hso_create_net_device(struct usb_interface *interface,
+ result = register_netdev(net);
+ if (result) {
+ dev_err(&interface->dev, "Failed to register device\n");
+- goto exit;
++ goto err_free_tx_buf;
+ }
+
+ hso_log_port(hso_dev);
+@@ -2551,8 +2551,21 @@ static struct hso_device *hso_create_net_device(struct usb_interface *interface,
+ hso_create_rfkill(hso_dev, interface);
+
+ return hso_dev;
+-exit:
+- hso_free_net_device(hso_dev, true);
++
++err_free_tx_buf:
++ remove_net_device(hso_dev);
++ kfree(hso_net->mux_bulk_tx_buf);
++err_free_tx_urb:
++ usb_free_urb(hso_net->mux_bulk_tx_urb);
++err_mux_bulk_rx:
++ for (i = 0; i < MUX_BULK_RX_BUF_COUNT; i++) {
++ usb_free_urb(hso_net->mux_bulk_rx_urb_pool[i]);
++ kfree(hso_net->mux_bulk_rx_buf_pool[i]);
++ }
++err_net:
++ free_netdev(net);
++err_hso_dev:
++ kfree(hso_dev);
+ return NULL;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 12fd148b9e54b095dcf0338d501d8d8f62a6e7e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 Jul 2021 11:16:35 +0800
+Subject: xdp, net: Fix use-after-free in bpf_xdp_link_release
+
+From: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
+
+[ Upstream commit 5acc7d3e8d342858405fbbc671221f676b547ce7 ]
+
+The problem occurs between dev_get_by_index() and dev_xdp_attach_link().
+At this point, dev_xdp_uninstall() is called. Then xdp link will not be
+detached automatically when dev is released. But link->dev already
+points to dev, when xdp link is released, dev will still be accessed,
+but dev has been released.
+
+dev_get_by_index() |
+link->dev = dev |
+ | rtnl_lock()
+ | unregister_netdevice_many()
+ | dev_xdp_uninstall()
+ | rtnl_unlock()
+rtnl_lock(); |
+dev_xdp_attach_link() |
+rtnl_unlock(); |
+ | netdev_run_todo() // dev released
+bpf_xdp_link_release() |
+ /* access dev. |
+ use-after-free */ |
+
+[ 45.966867] BUG: KASAN: use-after-free in bpf_xdp_link_release+0x3b8/0x3d0
+[ 45.967619] Read of size 8 at addr ffff00000f9980c8 by task a.out/732
+[ 45.968297]
+[ 45.968502] CPU: 1 PID: 732 Comm: a.out Not tainted 5.13.0+ #22
+[ 45.969222] Hardware name: linux,dummy-virt (DT)
+[ 45.969795] Call trace:
+[ 45.970106] dump_backtrace+0x0/0x4c8
+[ 45.970564] show_stack+0x30/0x40
+[ 45.970981] dump_stack_lvl+0x120/0x18c
+[ 45.971470] print_address_description.constprop.0+0x74/0x30c
+[ 45.972182] kasan_report+0x1e8/0x200
+[ 45.972659] __asan_report_load8_noabort+0x2c/0x50
+[ 45.973273] bpf_xdp_link_release+0x3b8/0x3d0
+[ 45.973834] bpf_link_free+0xd0/0x188
+[ 45.974315] bpf_link_put+0x1d0/0x218
+[ 45.974790] bpf_link_release+0x3c/0x58
+[ 45.975291] __fput+0x20c/0x7e8
+[ 45.975706] ____fput+0x24/0x30
+[ 45.976117] task_work_run+0x104/0x258
+[ 45.976609] do_notify_resume+0x894/0xaf8
+[ 45.977121] work_pending+0xc/0x328
+[ 45.977575]
+[ 45.977775] The buggy address belongs to the page:
+[ 45.978369] page:fffffc00003e6600 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4f998
+[ 45.979522] flags: 0x7fffe0000000000(node=0|zone=0|lastcpupid=0x3ffff)
+[ 45.980349] raw: 07fffe0000000000 fffffc00003e6708 ffff0000dac3c010 0000000000000000
+[ 45.981309] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
+[ 45.982259] page dumped because: kasan: bad access detected
+[ 45.982948]
+[ 45.983153] Memory state around the buggy address:
+[ 45.983753] ffff00000f997f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 45.984645] ffff00000f998000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[ 45.985533] >ffff00000f998080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[ 45.986419] ^
+[ 45.987112] ffff00000f998100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[ 45.988006] ffff00000f998180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[ 45.988895] ==================================================================
+[ 45.989773] Disabling lock debugging due to kernel taint
+[ 45.990552] Kernel panic - not syncing: panic_on_warn set ...
+[ 45.991166] CPU: 1 PID: 732 Comm: a.out Tainted: G B 5.13.0+ #22
+[ 45.991929] Hardware name: linux,dummy-virt (DT)
+[ 45.992448] Call trace:
+[ 45.992753] dump_backtrace+0x0/0x4c8
+[ 45.993208] show_stack+0x30/0x40
+[ 45.993627] dump_stack_lvl+0x120/0x18c
+[ 45.994113] dump_stack+0x1c/0x34
+[ 45.994530] panic+0x3a4/0x7d8
+[ 45.994930] end_report+0x194/0x198
+[ 45.995380] kasan_report+0x134/0x200
+[ 45.995850] __asan_report_load8_noabort+0x2c/0x50
+[ 45.996453] bpf_xdp_link_release+0x3b8/0x3d0
+[ 45.997007] bpf_link_free+0xd0/0x188
+[ 45.997474] bpf_link_put+0x1d0/0x218
+[ 45.997942] bpf_link_release+0x3c/0x58
+[ 45.998429] __fput+0x20c/0x7e8
+[ 45.998833] ____fput+0x24/0x30
+[ 45.999247] task_work_run+0x104/0x258
+[ 45.999731] do_notify_resume+0x894/0xaf8
+[ 46.000236] work_pending+0xc/0x328
+[ 46.000697] SMP: stopping secondary CPUs
+[ 46.001226] Dumping ftrace buffer:
+[ 46.001663] (ftrace buffer empty)
+[ 46.002110] Kernel Offset: disabled
+[ 46.002545] CPU features: 0x00000001,23202c00
+[ 46.003080] Memory Limit: none
+
+Fixes: aa8d3a716b59db6c ("bpf, xdp: Add bpf_link-based XDP attachment API")
+Reported-by: Abaci <abaci@linux.alibaba.com>
+Signed-off-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Reviewed-by: Dust Li <dust.li@linux.alibaba.com>
+Acked-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20210710031635.41649-1-xuanzhuo@linux.alibaba.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/dev.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 4f29dde4ed0a..0dcedcdf6d7e 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -9659,14 +9659,17 @@ int bpf_xdp_link_attach(const union bpf_attr *attr, struct bpf_prog *prog)
+ struct net_device *dev;
+ int err, fd;
+
++ rtnl_lock();
+ dev = dev_get_by_index(net, attr->link_create.target_ifindex);
+- if (!dev)
++ if (!dev) {
++ rtnl_unlock();
+ return -EINVAL;
++ }
+
+ link = kzalloc(sizeof(*link), GFP_USER);
+ if (!link) {
+ err = -ENOMEM;
+- goto out_put_dev;
++ goto unlock;
+ }
+
+ bpf_link_init(&link->link, BPF_LINK_TYPE_XDP, &bpf_xdp_link_lops, prog);
+@@ -9676,14 +9679,14 @@ int bpf_xdp_link_attach(const union bpf_attr *attr, struct bpf_prog *prog)
+ err = bpf_link_prime(&link->link, &link_primer);
+ if (err) {
+ kfree(link);
+- goto out_put_dev;
++ goto unlock;
+ }
+
+- rtnl_lock();
+ err = dev_xdp_attach_link(dev, NULL, link);
+ rtnl_unlock();
+
+ if (err) {
++ link->dev = NULL;
+ bpf_link_cleanup(&link_primer);
+ goto out_put_dev;
+ }
+@@ -9693,6 +9696,9 @@ int bpf_xdp_link_attach(const union bpf_attr *attr, struct bpf_prog *prog)
+ dev_put(dev);
+ return fd;
+
++unlock:
++ rtnl_unlock();
++
+ out_put_dev:
+ dev_put(dev);
+ return err;
+--
+2.30.2
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
