--- /dev/null
+From 1ec8a972ab71c69cb7cd35d970dd15e06b51fa90 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 May 2021 15:28:08 -0700
+Subject: ACPICA: Clean up context mutex during object deletion
+
+From: Erik Kaneda <erik.kaneda@intel.com>
+
+[ Upstream commit e4dfe108371214500ee10c2cf19268f53acaa803 ]
+
+ACPICA commit bc43c878fd4ff27ba75b1d111b97ee90d4a82707
+
+Fixes: c27f3d011b08 ("Fix race in GenericSerialBus (I2C) and GPIO OpRegion parameter handling")
+Link: https://github.com/acpica/acpica/commit/bc43c878
+Reported-by: John Garry <john.garry@huawei.com>
+Reported-by: Xiang Chen <chenxiang66@hisilicon.com>
+Tested-by: Xiang Chen <chenxiang66@hisilicon.com>
+Signed-off-by: Erik Kaneda <erik.kaneda@intel.com>
+Signed-off-by: Bob Moore <robert.moore@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpica/utdelete.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/acpi/acpica/utdelete.c b/drivers/acpi/acpica/utdelete.c
+index 4c0d4e434196..72d2c0b65633 100644
+--- a/drivers/acpi/acpica/utdelete.c
++++ b/drivers/acpi/acpica/utdelete.c
+@@ -285,6 +285,14 @@ static void acpi_ut_delete_internal_obj(union acpi_operand_object *object)
+ }
+ break;
+
++ case ACPI_TYPE_LOCAL_ADDRESS_HANDLER:
++
++ ACPI_DEBUG_PRINT((ACPI_DB_ALLOCATIONS,
++ "***** Address handler %p\n", object));
++
++ acpi_os_delete_mutex(object->address_space.context_mutex);
++ break;
++
+ default:
+
+ break;
+--
+2.30.2
+
--- /dev/null
+From dd01496b6923c88f3a6e33886bb4760ceba13a08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 May 2021 09:16:31 +0000
+Subject: bpf, lockdown, audit: Fix buggy SELinux lockdown permission checks
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit ff40e51043af63715ab413995ff46996ecf9583f ]
+
+Commit 59438b46471a ("security,lockdown,selinux: implement SELinux lockdown")
+added an implementation of the locked_down LSM hook to SELinux, with the aim
+to restrict which domains are allowed to perform operations that would breach
+lockdown. This is indirectly also getting audit subsystem involved to report
+events. The latter is problematic, as reported by Ondrej and Serhei, since it
+can bring down the whole system via audit:
+
+ 1) The audit events that are triggered due to calls to security_locked_down()
+ can OOM kill a machine, see below details [0].
+
+ 2) It also seems to be causing a deadlock via avc_has_perm()/slow_avc_audit()
+ when trying to wake up kauditd, for example, when using trace_sched_switch()
+ tracepoint, see details in [1]. Triggering this was not via some hypothetical
+ corner case, but with existing tools like runqlat & runqslower from bcc, for
+ example, which make use of this tracepoint. Rough call sequence goes like:
+
+ rq_lock(rq) -> -------------------------+
+ trace_sched_switch() -> |
+ bpf_prog_xyz() -> +-> deadlock
+ selinux_lockdown() -> |
+ audit_log_end() -> |
+ wake_up_interruptible() -> |
+ try_to_wake_up() -> |
+ rq_lock(rq) --------------+
+
+What's worse is that the intention of 59438b46471a to further restrict lockdown
+settings for specific applications in respect to the global lockdown policy is
+completely broken for BPF. The SELinux policy rule for the current lockdown check
+looks something like this:
+
+ allow <who> <who> : lockdown { <reason> };
+
+However, this doesn't match with the 'current' task where the security_locked_down()
+is executed, example: httpd does a syscall. There is a tracing program attached
+to the syscall which triggers a BPF program to run, which ends up doing a
+bpf_probe_read_kernel{,_str}() helper call. The selinux_lockdown() hook does
+the permission check against 'current', that is, httpd in this example. httpd
+has literally zero relation to this tracing program, and it would be nonsensical
+having to write an SELinux policy rule against httpd to let the tracing helper
+pass. The policy in this case needs to be against the entity that is installing
+the BPF program. For example, if bpftrace would generate a histogram of syscall
+counts by user space application:
+
+ bpftrace -e 'tracepoint:raw_syscalls:sys_enter { @[comm] = count(); }'
+
+bpftrace would then go and generate a BPF program from this internally. One way
+of doing it [for the sake of the example] could be to call bpf_get_current_task()
+helper and then access current->comm via one of bpf_probe_read_kernel{,_str}()
+helpers. So the program itself has nothing to do with httpd or any other random
+app doing a syscall here. The BPF program _explicitly initiated_ the lockdown
+check. The allow/deny policy belongs in the context of bpftrace: meaning, you
+want to grant bpftrace access to use these helpers, but other tracers on the
+system like my_random_tracer _not_.
+
+Therefore fix all three issues at the same time by taking a completely different
+approach for the security_locked_down() hook, that is, move the check into the
+program verification phase where we actually retrieve the BPF func proto. This
+also reliably gets the task (current) that is trying to install the BPF tracing
+program, e.g. bpftrace/bcc/perf/systemtap/etc, and it also fixes the OOM since
+we're moving this out of the BPF helper's fast-path which can be called several
+millions of times per second.
+
+The check is then also in line with other security_locked_down() hooks in the
+system where the enforcement is performed at open/load time, for example,
+open_kcore() for /proc/kcore access or module_sig_check() for module signatures
+just to pick few random ones. What's out of scope in the fix as well as in
+other security_locked_down() hook locations /outside/ of BPF subsystem is that
+if the lockdown policy changes on the fly there is no retrospective action.
+This requires a different discussion, potentially complex infrastructure, and
+it's also not clear whether this can be solved generically. Either way, it is
+out of scope for a suitable stable fix which this one is targeting. Note that
+the breakage is specifically on 59438b46471a where it started to rely on 'current'
+as UAPI behavior, and _not_ earlier infrastructure such as 9d1f8be5cf42 ("bpf:
+Restrict bpf when kernel lockdown is in confidentiality mode").
+
+[0] https://bugzilla.redhat.com/show_bug.cgi?id=1955585, Jakub Hrozek says:
+
+ I starting seeing this with F-34. When I run a container that is traced with
+ BPF to record the syscalls it is doing, auditd is flooded with messages like:
+
+ type=AVC msg=audit(1619784520.593:282387): avc: denied { confidentiality }
+ for pid=476 comm="auditd" lockdown_reason="use of bpf to read kernel RAM"
+ scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:system_r:auditd_t:s0
+ tclass=lockdown permissive=0
+
+ This seems to be leading to auditd running out of space in the backlog buffer
+ and eventually OOMs the machine.
+
+ [...]
+ auditd running at 99% CPU presumably processing all the messages, eventually I get:
+ Apr 30 12:20:42 fedora kernel: audit: backlog limit exceeded
+ Apr 30 12:20:42 fedora kernel: audit: backlog limit exceeded
+ Apr 30 12:20:42 fedora kernel: audit: audit_backlog=2152579 > audit_backlog_limit=64
+ Apr 30 12:20:42 fedora kernel: audit: audit_backlog=2152626 > audit_backlog_limit=64
+ Apr 30 12:20:42 fedora kernel: audit: audit_backlog=2152694 > audit_backlog_limit=64
+ Apr 30 12:20:42 fedora kernel: audit: audit_lost=6878426 audit_rate_limit=0 audit_backlog_limit=64
+ Apr 30 12:20:45 fedora kernel: oci-seccomp-bpf invoked oom-killer: gfp_mask=0x100cca(GFP_HIGHUSER_MOVABLE), order=0, oom_score_adj=-1000
+ Apr 30 12:20:45 fedora kernel: CPU: 0 PID: 13284 Comm: oci-seccomp-bpf Not tainted 5.11.12-300.fc34.x86_64 #1
+ Apr 30 12:20:45 fedora kernel: Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-2.fc32 04/01/2014
+ [...]
+
+[1] https://lore.kernel.org/linux-audit/CANYvDQN7H5tVp47fbYcRasv4XF07eUbsDwT_eDCHXJUj43J7jQ@mail.gmail.com/,
+ Serhei Makarov says:
+
+ Upstream kernel 5.11.0-rc7 and later was found to deadlock during a
+ bpf_probe_read_compat() call within a sched_switch tracepoint. The problem
+ is reproducible with the reg_alloc3 testcase from SystemTap's BPF backend
+ testsuite on x86_64 as well as the runqlat, runqslower tools from bcc on
+ ppc64le. Example stack trace:
+
+ [...]
+ [ 730.868702] stack backtrace:
+ [ 730.869590] CPU: 1 PID: 701 Comm: in:imjournal Not tainted, 5.12.0-0.rc2.20210309git144c79ef3353.166.fc35.x86_64 #1
+ [ 730.871605] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014
+ [ 730.873278] Call Trace:
+ [ 730.873770] dump_stack+0x7f/0xa1
+ [ 730.874433] check_noncircular+0xdf/0x100
+ [ 730.875232] __lock_acquire+0x1202/0x1e10
+ [ 730.876031] ? __lock_acquire+0xfc0/0x1e10
+ [ 730.876844] lock_acquire+0xc2/0x3a0
+ [ 730.877551] ? __wake_up_common_lock+0x52/0x90
+ [ 730.878434] ? lock_acquire+0xc2/0x3a0
+ [ 730.879186] ? lock_is_held_type+0xa7/0x120
+ [ 730.880044] ? skb_queue_tail+0x1b/0x50
+ [ 730.880800] _raw_spin_lock_irqsave+0x4d/0x90
+ [ 730.881656] ? __wake_up_common_lock+0x52/0x90
+ [ 730.882532] __wake_up_common_lock+0x52/0x90
+ [ 730.883375] audit_log_end+0x5b/0x100
+ [ 730.884104] slow_avc_audit+0x69/0x90
+ [ 730.884836] avc_has_perm+0x8b/0xb0
+ [ 730.885532] selinux_lockdown+0xa5/0xd0
+ [ 730.886297] security_locked_down+0x20/0x40
+ [ 730.887133] bpf_probe_read_compat+0x66/0xd0
+ [ 730.887983] bpf_prog_250599c5469ac7b5+0x10f/0x820
+ [ 730.888917] trace_call_bpf+0xe9/0x240
+ [ 730.889672] perf_trace_run_bpf_submit+0x4d/0xc0
+ [ 730.890579] perf_trace_sched_switch+0x142/0x180
+ [ 730.891485] ? __schedule+0x6d8/0xb20
+ [ 730.892209] __schedule+0x6d8/0xb20
+ [ 730.892899] schedule+0x5b/0xc0
+ [ 730.893522] exit_to_user_mode_prepare+0x11d/0x240
+ [ 730.894457] syscall_exit_to_user_mode+0x27/0x70
+ [ 730.895361] entry_SYSCALL_64_after_hwframe+0x44/0xae
+ [...]
+
+Fixes: 59438b46471a ("security,lockdown,selinux: implement SELinux lockdown")
+Reported-by: Ondrej Mosnacek <omosnace@redhat.com>
+Reported-by: Jakub Hrozek <jhrozek@redhat.com>
+Reported-by: Serhei Makarov <smakarov@redhat.com>
+Reported-by: Jiri Olsa <jolsa@redhat.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+Tested-by: Jiri Olsa <jolsa@redhat.com>
+Cc: Paul Moore <paul@paul-moore.com>
+Cc: James Morris <jamorris@linux.microsoft.com>
+Cc: Jerome Marchand <jmarchan@redhat.com>
+Cc: Frank Eigler <fche@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Link: https://lore.kernel.org/bpf/01135120-8bf7-df2e-cff0-1d73f1f841c3@iogearbox.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/helpers.c | 7 +++++--
+ kernel/trace/bpf_trace.c | 32 ++++++++++++--------------------
+ 2 files changed, 17 insertions(+), 22 deletions(-)
+
+diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
+index d0fc091d2ab4..f7e99bb8c3b6 100644
+--- a/kernel/bpf/helpers.c
++++ b/kernel/bpf/helpers.c
+@@ -14,6 +14,7 @@
+ #include <linux/jiffies.h>
+ #include <linux/pid_namespace.h>
+ #include <linux/proc_ns.h>
++#include <linux/security.h>
+
+ #include "../../lib/kstrtox.h"
+
+@@ -728,11 +729,13 @@ bpf_base_func_proto(enum bpf_func_id func_id)
+ case BPF_FUNC_probe_read_user:
+ return &bpf_probe_read_user_proto;
+ case BPF_FUNC_probe_read_kernel:
+- return &bpf_probe_read_kernel_proto;
++ return security_locked_down(LOCKDOWN_BPF_READ) < 0 ?
++ NULL : &bpf_probe_read_kernel_proto;
+ case BPF_FUNC_probe_read_user_str:
+ return &bpf_probe_read_user_str_proto;
+ case BPF_FUNC_probe_read_kernel_str:
+- return &bpf_probe_read_kernel_str_proto;
++ return security_locked_down(LOCKDOWN_BPF_READ) < 0 ?
++ NULL : &bpf_probe_read_kernel_str_proto;
+ case BPF_FUNC_snprintf_btf:
+ return &bpf_snprintf_btf_proto;
+ default:
+diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
+index fcbfc9564996..01710831fd02 100644
+--- a/kernel/trace/bpf_trace.c
++++ b/kernel/trace/bpf_trace.c
+@@ -212,16 +212,11 @@ const struct bpf_func_proto bpf_probe_read_user_str_proto = {
+ static __always_inline int
+ bpf_probe_read_kernel_common(void *dst, u32 size, const void *unsafe_ptr)
+ {
+- int ret = security_locked_down(LOCKDOWN_BPF_READ);
++ int ret;
+
+- if (unlikely(ret < 0))
+- goto fail;
+ ret = copy_from_kernel_nofault(dst, unsafe_ptr, size);
+ if (unlikely(ret < 0))
+- goto fail;
+- return ret;
+-fail:
+- memset(dst, 0, size);
++ memset(dst, 0, size);
+ return ret;
+ }
+
+@@ -243,10 +238,7 @@ const struct bpf_func_proto bpf_probe_read_kernel_proto = {
+ static __always_inline int
+ bpf_probe_read_kernel_str_common(void *dst, u32 size, const void *unsafe_ptr)
+ {
+- int ret = security_locked_down(LOCKDOWN_BPF_READ);
+-
+- if (unlikely(ret < 0))
+- goto fail;
++ int ret;
+
+ /*
+ * The strncpy_from_kernel_nofault() call will likely not fill the
+@@ -259,11 +251,7 @@ bpf_probe_read_kernel_str_common(void *dst, u32 size, const void *unsafe_ptr)
+ */
+ ret = strncpy_from_kernel_nofault(dst, unsafe_ptr, size);
+ if (unlikely(ret < 0))
+- goto fail;
+-
+- return ret;
+-fail:
+- memset(dst, 0, size);
++ memset(dst, 0, size);
+ return ret;
+ }
+
+@@ -1293,16 +1281,20 @@ bpf_tracing_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
+ case BPF_FUNC_probe_read_user:
+ return &bpf_probe_read_user_proto;
+ case BPF_FUNC_probe_read_kernel:
+- return &bpf_probe_read_kernel_proto;
++ return security_locked_down(LOCKDOWN_BPF_READ) < 0 ?
++ NULL : &bpf_probe_read_kernel_proto;
+ case BPF_FUNC_probe_read_user_str:
+ return &bpf_probe_read_user_str_proto;
+ case BPF_FUNC_probe_read_kernel_str:
+- return &bpf_probe_read_kernel_str_proto;
++ return security_locked_down(LOCKDOWN_BPF_READ) < 0 ?
++ NULL : &bpf_probe_read_kernel_str_proto;
+ #ifdef CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE
+ case BPF_FUNC_probe_read:
+- return &bpf_probe_read_compat_proto;
++ return security_locked_down(LOCKDOWN_BPF_READ) < 0 ?
++ NULL : &bpf_probe_read_compat_proto;
+ case BPF_FUNC_probe_read_str:
+- return &bpf_probe_read_compat_str_proto;
++ return security_locked_down(LOCKDOWN_BPF_READ) < 0 ?
++ NULL : &bpf_probe_read_compat_str_proto;
+ #endif
+ #ifdef CONFIG_CGROUPS
+ case BPF_FUNC_get_current_cgroup_id:
+--
+2.30.2
+
--- /dev/null
+From 5c9e06134f6ca8e4d2ebd5f390ad10211cf0b691 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Jan 2021 18:46:15 +0100
+Subject: bpf: Simplify cases in bpf_base_func_proto
+
+From: Tobias Klauser <tklauser@distanz.ch>
+
+[ Upstream commit 61ca36c8c4eb3bae35a285b1ae18c514cde65439 ]
+
+!perfmon_capable() is checked before the last switch(func_id) in
+bpf_base_func_proto. Thus, the cases BPF_FUNC_trace_printk and
+BPF_FUNC_snprintf_btf can be moved to that last switch(func_id) to omit
+the inline !perfmon_capable() checks.
+
+Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20210127174615.3038-1-tklauser@distanz.ch
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/helpers.c | 12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
+index c489430cac78..d0fc091d2ab4 100644
+--- a/kernel/bpf/helpers.c
++++ b/kernel/bpf/helpers.c
+@@ -707,14 +707,6 @@ bpf_base_func_proto(enum bpf_func_id func_id)
+ return &bpf_spin_lock_proto;
+ case BPF_FUNC_spin_unlock:
+ return &bpf_spin_unlock_proto;
+- case BPF_FUNC_trace_printk:
+- if (!perfmon_capable())
+- return NULL;
+- return bpf_get_trace_printk_proto();
+- case BPF_FUNC_snprintf_btf:
+- if (!perfmon_capable())
+- return NULL;
+- return &bpf_snprintf_btf_proto;
+ case BPF_FUNC_jiffies64:
+ return &bpf_jiffies64_proto;
+ case BPF_FUNC_per_cpu_ptr:
+@@ -729,6 +721,8 @@ bpf_base_func_proto(enum bpf_func_id func_id)
+ return NULL;
+
+ switch (func_id) {
++ case BPF_FUNC_trace_printk:
++ return bpf_get_trace_printk_proto();
+ case BPF_FUNC_get_current_task:
+ return &bpf_get_current_task_proto;
+ case BPF_FUNC_probe_read_user:
+@@ -739,6 +733,8 @@ bpf_base_func_proto(enum bpf_func_id func_id)
+ return &bpf_probe_read_user_str_proto;
+ case BPF_FUNC_probe_read_kernel_str:
+ return &bpf_probe_read_kernel_str_proto;
++ case BPF_FUNC_snprintf_btf:
++ return &bpf_snprintf_btf_proto;
+ default:
+ return NULL;
+ }
+--
+2.30.2
+
--- /dev/null
+From 5569cb02350548ec789b47d371b653e69b2e2d18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jun 2021 16:48:18 +0530
+Subject: cxgb4: avoid link re-train during TC-MQPRIO configuration
+
+From: Rahul Lakkireddy <rahul.lakkireddy@chelsio.com>
+
+[ Upstream commit 3822d0670c9d4342794d73e0d0e615322b40438e ]
+
+When configuring TC-MQPRIO offload, only turn off netdev carrier and
+don't bring physical link down in hardware. Otherwise, when the
+physical link is brought up again after configuration, it gets
+re-trained and stalls ongoing traffic.
+
+Also, when firmware is no longer accessible or crashed, avoid sending
+FLOWC and waiting for reply that will never come.
+
+Fix following hung_task_timeout_secs trace seen in these cases.
+
+INFO: task tc:20807 blocked for more than 122 seconds.
+ Tainted: G S 5.13.0-rc3+ #122
+"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+task:tc state:D stack:14768 pid:20807 ppid: 19366 flags:0x00000000
+Call Trace:
+ __schedule+0x27b/0x6a0
+ schedule+0x37/0xa0
+ schedule_preempt_disabled+0x5/0x10
+ __mutex_lock.isra.14+0x2a0/0x4a0
+ ? netlink_lookup+0x120/0x1a0
+ ? rtnl_fill_ifinfo+0x10f0/0x10f0
+ __netlink_dump_start+0x70/0x250
+ rtnetlink_rcv_msg+0x28b/0x380
+ ? rtnl_fill_ifinfo+0x10f0/0x10f0
+ ? rtnl_calcit.isra.42+0x120/0x120
+ netlink_rcv_skb+0x4b/0xf0
+ netlink_unicast+0x1a0/0x280
+ netlink_sendmsg+0x216/0x440
+ sock_sendmsg+0x56/0x60
+ __sys_sendto+0xe9/0x150
+ ? handle_mm_fault+0x6d/0x1b0
+ ? do_user_addr_fault+0x1c5/0x620
+ __x64_sys_sendto+0x1f/0x30
+ do_syscall_64+0x3c/0x80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+RIP: 0033:0x7f7f73218321
+RSP: 002b:00007ffd19626208 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+RAX: ffffffffffffffda RBX: 000055b7c0a8b240 RCX: 00007f7f73218321
+RDX: 0000000000000028 RSI: 00007ffd19626210 RDI: 0000000000000003
+RBP: 000055b7c08680ff R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 000055b7c085f5f6
+R13: 000055b7c085f60a R14: 00007ffd19636470 R15: 00007ffd196262a0
+
+Fixes: b1396c2bd675 ("cxgb4: parse and configure TC-MQPRIO offload")
+Signed-off-by: Rahul Lakkireddy <rahul.lakkireddy@chelsio.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4.h | 2 --
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 4 ++--
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_mqprio.c | 9 ++++++---
+ drivers/net/ethernet/chelsio/cxgb4/sge.c | 6 ++++++
+ 4 files changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4.h b/drivers/net/ethernet/chelsio/cxgb4/cxgb4.h
+index 27308600da15..2dd486915629 100644
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4.h
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4.h
+@@ -2177,8 +2177,6 @@ int cxgb4_update_mac_filt(struct port_info *pi, unsigned int viid,
+ bool persistent, u8 *smt_idx);
+ int cxgb4_get_msix_idx_from_bmap(struct adapter *adap);
+ void cxgb4_free_msix_idx_in_bmap(struct adapter *adap, u32 msix_idx);
+-int cxgb_open(struct net_device *dev);
+-int cxgb_close(struct net_device *dev);
+ void cxgb4_enable_rx(struct adapter *adap, struct sge_rspq *q);
+ void cxgb4_quiesce_rx(struct sge_rspq *q);
+ int cxgb4_port_mirror_alloc(struct net_device *dev);
+diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
+index 23c13f34a572..04dcb5e4b316 100644
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
+@@ -2834,7 +2834,7 @@ static void cxgb_down(struct adapter *adapter)
+ /*
+ * net_device operations
+ */
+-int cxgb_open(struct net_device *dev)
++static int cxgb_open(struct net_device *dev)
+ {
+ struct port_info *pi = netdev_priv(dev);
+ struct adapter *adapter = pi->adapter;
+@@ -2882,7 +2882,7 @@ out_unlock:
+ return err;
+ }
+
+-int cxgb_close(struct net_device *dev)
++static int cxgb_close(struct net_device *dev)
+ {
+ struct port_info *pi = netdev_priv(dev);
+ struct adapter *adapter = pi->adapter;
+diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_mqprio.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_mqprio.c
+index 6c259de96f96..338b04f339b3 100644
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_mqprio.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_mqprio.c
+@@ -589,7 +589,8 @@ int cxgb4_setup_tc_mqprio(struct net_device *dev,
+ * down before configuring tc params.
+ */
+ if (netif_running(dev)) {
+- cxgb_close(dev);
++ netif_tx_stop_all_queues(dev);
++ netif_carrier_off(dev);
+ needs_bring_up = true;
+ }
+
+@@ -615,8 +616,10 @@ int cxgb4_setup_tc_mqprio(struct net_device *dev,
+ }
+
+ out:
+- if (needs_bring_up)
+- cxgb_open(dev);
++ if (needs_bring_up) {
++ netif_tx_start_all_queues(dev);
++ netif_carrier_on(dev);
++ }
+
+ mutex_unlock(&adap->tc_mqprio->mqprio_mutex);
+ return ret;
+diff --git a/drivers/net/ethernet/chelsio/cxgb4/sge.c b/drivers/net/ethernet/chelsio/cxgb4/sge.c
+index 546301272271..ccb6bd002b20 100644
+--- a/drivers/net/ethernet/chelsio/cxgb4/sge.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/sge.c
+@@ -2552,6 +2552,12 @@ int cxgb4_ethofld_send_flowc(struct net_device *dev, u32 eotid, u32 tc)
+ if (!eosw_txq)
+ return -ENOMEM;
+
++ if (!(adap->flags & CXGB4_FW_OK)) {
++ /* Don't stall caller when access to FW is lost */
++ complete(&eosw_txq->completion);
++ return -EIO;
++ }
++
+ skb = alloc_skb(len, GFP_KERNEL);
+ if (!skb)
+ return -ENOMEM;
+--
+2.30.2
+
--- /dev/null
+From e246bb4f038b1c41a20b8399863536b91d5c80c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jun 2021 19:38:59 +0530
+Subject: cxgb4: fix regression with HASH tc prio value update
+
+From: Rahul Lakkireddy <rahul.lakkireddy@chelsio.com>
+
+[ Upstream commit a27fb314cba8cb84cd6456a4699c3330a83c326d ]
+
+commit db43b30cd89c ("cxgb4: add ethtool n-tuple filter deletion")
+has moved searching for next highest priority HASH filter rule to
+cxgb4_flow_rule_destroy(), which searches the rhashtable before the
+the rule is removed from it and hence always finds at least 1 entry.
+Fix by removing the rule from rhashtable first before calling
+cxgb4_flow_rule_destroy() and hence avoid fetching stale info.
+
+Fixes: db43b30cd89c ("cxgb4: add ethtool n-tuple filter deletion")
+Signed-off-by: Rahul Lakkireddy <rahul.lakkireddy@chelsio.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c | 14 +++++---------
+ 1 file changed, 5 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c
+index 1b88bd1c2dbe..dd9be229819a 100644
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c
+@@ -997,20 +997,16 @@ int cxgb4_tc_flower_destroy(struct net_device *dev,
+ if (!ch_flower)
+ return -ENOENT;
+
++ rhashtable_remove_fast(&adap->flower_tbl, &ch_flower->node,
++ adap->flower_ht_params);
++
+ ret = cxgb4_flow_rule_destroy(dev, ch_flower->fs.tc_prio,
+ &ch_flower->fs, ch_flower->filter_id);
+ if (ret)
+- goto err;
++ netdev_err(dev, "Flow rule destroy failed for tid: %u, ret: %d",
++ ch_flower->filter_id, ret);
+
+- ret = rhashtable_remove_fast(&adap->flower_tbl, &ch_flower->node,
+- adap->flower_ht_params);
+- if (ret) {
+- netdev_err(dev, "Flow remove from rhashtable failed");
+- goto err;
+- }
+ kfree_rcu(ch_flower, rcu);
+-
+-err:
+ return ret;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 421c7b220cb3e6c1e33648e992c0e4f7033733f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 May 2021 23:00:27 +0300
+Subject: devlink: Correct VIRTUAL port to not have phys_port attributes
+
+From: Parav Pandit <parav@nvidia.com>
+
+[ Upstream commit b28d8f0c25a9b0355116cace5f53ea52bd4020c8 ]
+
+Physical port name, port number attributes do not belong to virtual port
+flavour. When VF or SF virtual ports are registered they incorrectly
+append "np0" string in the netdevice name of the VF/SF.
+
+Before this fix, VF netdevice name were ens2f0np0v0, ens2f0np0v1 for VF
+0 and 1 respectively.
+
+After the fix, they are ens2f0v0, ens2f0v1.
+
+With this fix, reading /sys/class/net/ens2f0v0/phys_port_name returns
+-EOPNOTSUPP.
+
+Also devlink port show example for 2 VFs on one PF to ensure that any
+physical port attributes are not exposed.
+
+$ devlink port show
+pci/0000:06:00.0/65535: type eth netdev ens2f0np0 flavour physical port 0 splittable false
+pci/0000:06:00.3/196608: type eth netdev ens2f0v0 flavour virtual splittable false
+pci/0000:06:00.4/262144: type eth netdev ens2f0v1 flavour virtual splittable false
+
+This change introduces a netdevice name change on systemd/udev
+version 245 and higher which honors phys_port_name sysfs file for
+generation of netdevice name.
+
+This also aligns to phys_port_name usage which is limited to switchdev
+ports as described in [1].
+
+[1] https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/tree/Documentation/networking/switchdev.rst
+
+Fixes: acf1ee44ca5d ("devlink: Introduce devlink port flavour virtual")
+Signed-off-by: Parav Pandit <parav@nvidia.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Link: https://lore.kernel.org/r/20210526200027.14008-1-parav@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/devlink.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/core/devlink.c b/net/core/devlink.c
+index 5d397838bceb..90badb6f7227 100644
+--- a/net/core/devlink.c
++++ b/net/core/devlink.c
+@@ -693,7 +693,6 @@ static int devlink_nl_port_attrs_put(struct sk_buff *msg,
+ case DEVLINK_PORT_FLAVOUR_PHYSICAL:
+ case DEVLINK_PORT_FLAVOUR_CPU:
+ case DEVLINK_PORT_FLAVOUR_DSA:
+- case DEVLINK_PORT_FLAVOUR_VIRTUAL:
+ if (nla_put_u32(msg, DEVLINK_ATTR_PORT_NUMBER,
+ attrs->phys.port_number))
+ return -EMSGSIZE;
+@@ -8376,7 +8375,6 @@ static int __devlink_port_phys_port_name_get(struct devlink_port *devlink_port,
+
+ switch (attrs->flavour) {
+ case DEVLINK_PORT_FLAVOUR_PHYSICAL:
+- case DEVLINK_PORT_FLAVOUR_VIRTUAL:
+ if (!attrs->split)
+ n = snprintf(name, len, "p%u", attrs->phys.port_number);
+ else
+@@ -8413,6 +8411,8 @@ static int __devlink_port_phys_port_name_get(struct devlink_port *devlink_port,
+ n = snprintf(name, len, "pf%uvf%u",
+ attrs->pci_vf.pf, attrs->pci_vf.vf);
+ break;
++ case DEVLINK_PORT_FLAVOUR_VIRTUAL:
++ return -EOPNOTSUPP;
+ }
+
+ if (n >= len)
+--
+2.30.2
+
--- /dev/null
+From 42af7186839cd6e04d05a7eb9157ca5bf00e9196 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jun 2021 09:19:35 +0000
+Subject: drm/i915/selftests: Fix return value check in
+ live_breadcrumbs_smoketest()
+
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+
+[ Upstream commit 10c1f0cbcea93beec5d3bdc02b1a3b577b4985e7 ]
+
+In case of error, the function live_context() returns ERR_PTR() and never
+returns NULL. The NULL test in the return value check should be replaced
+with IS_ERR().
+
+Fixes: 52c0fdb25c7c ("drm/i915: Replace global breadcrumbs with per-context interrupt tracking")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/33c46ef24cd547d0ad21dc106441491a@intel.com
+[tursulin: Wrap commit text, fix Fixes: tag.]
+Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+(cherry picked from commit 8f4caef8d5401b42c6367d46c23da5e0e8111516)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/selftests/i915_request.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/selftests/i915_request.c b/drivers/gpu/drm/i915/selftests/i915_request.c
+index e424a6d1a68c..7a72faf29f27 100644
+--- a/drivers/gpu/drm/i915/selftests/i915_request.c
++++ b/drivers/gpu/drm/i915/selftests/i915_request.c
+@@ -1391,8 +1391,8 @@ static int live_breadcrumbs_smoketest(void *arg)
+
+ for (n = 0; n < smoke[0].ncontexts; n++) {
+ smoke[0].contexts[n] = live_context(i915, file);
+- if (!smoke[0].contexts[n]) {
+- ret = -ENOMEM;
++ if (IS_ERR(smoke[0].contexts[n])) {
++ ret = PTR_ERR(smoke[0].contexts[n]);
+ goto out_contexts;
+ }
+ }
+--
+2.30.2
+
--- /dev/null
+From 496e4668f394016c668e93941905fef623b4dca1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Apr 2021 16:22:51 +0200
+Subject: efi: Allow EFI_MEMORY_XP and EFI_MEMORY_RO both to be cleared
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+[ Upstream commit 45add3cc99feaaf57d4b6f01d52d532c16a1caee ]
+
+UEFI spec 2.9, p.108, table 4-1 lists the scenario that both attributes
+are cleared with the description "No memory access protection is
+possible for Entry". So we can have valid entries where both attributes
+are cleared, so remove the check.
+
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Fixes: 10f0d2f577053 ("efi: Implement generic support for the Memory Attributes table")
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/memattr.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/drivers/firmware/efi/memattr.c b/drivers/firmware/efi/memattr.c
+index 5737cb0fcd44..0a9aba5f9cef 100644
+--- a/drivers/firmware/efi/memattr.c
++++ b/drivers/firmware/efi/memattr.c
+@@ -67,11 +67,6 @@ static bool entry_is_valid(const efi_memory_desc_t *in, efi_memory_desc_t *out)
+ return false;
+ }
+
+- if (!(in->attribute & (EFI_MEMORY_RO | EFI_MEMORY_XP))) {
+- pr_warn("Entry attributes invalid: RO and XP bits both cleared\n");
+- return false;
+- }
+-
+ if (PAGE_SIZE > EFI_PAGE_SIZE &&
+ (!PAGE_ALIGNED(in->phys_addr) ||
+ !PAGE_ALIGNED(in->num_pages << EFI_PAGE_SHIFT))) {
+--
+2.30.2
+
--- /dev/null
+From 7bd9212a4f93f184feb4c7ebcb6e5acadd4f5086 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Apr 2021 21:46:36 +0200
+Subject: efi: cper: fix snprintf() use in cper_dimm_err_location()
+
+From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+
+[ Upstream commit 942859d969de7f6f7f2659a79237a758b42782da ]
+
+snprintf() should be given the full buffer size, not one less. And it
+guarantees nul-termination, so doing it manually afterwards is
+pointless.
+
+It's even potentially harmful (though probably not in practice because
+CPER_REC_LEN is 256), due to the "return how much would have been
+written had the buffer been big enough" semantics. I.e., if the bank
+and/or device strings are long enough that the "DIMM location ..."
+output gets truncated, writing to msg[n] is a buffer overflow.
+
+Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Fixes: 3760cd20402d4 ("CPER: Adjust code flow of some functions")
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/cper.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/firmware/efi/cper.c b/drivers/firmware/efi/cper.c
+index e15d484b6a5a..ea7ca74fc173 100644
+--- a/drivers/firmware/efi/cper.c
++++ b/drivers/firmware/efi/cper.c
+@@ -276,8 +276,7 @@ static int cper_dimm_err_location(struct cper_mem_err_compact *mem, char *msg)
+ if (!msg || !(mem->validation_bits & CPER_MEM_VALID_MODULE_HANDLE))
+ return 0;
+
+- n = 0;
+- len = CPER_REC_LEN - 1;
++ len = CPER_REC_LEN;
+ dmi_memdev_name(mem->mem_dev_handle, &bank, &device);
+ if (bank && device)
+ n = snprintf(msg, len, "DIMM location: %s %s ", bank, device);
+@@ -286,7 +285,6 @@ static int cper_dimm_err_location(struct cper_mem_err_compact *mem, char *msg)
+ "DIMM location: not present. DMI handle: 0x%.4x ",
+ mem->mem_dev_handle);
+
+- msg[n] = '\0';
+ return n;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 112a96c6772786bd30c58ee62d6a02abfc705416 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Mar 2021 22:54:35 +0800
+Subject: efi/fdt: fix panic when no valid fdt found
+
+From: Changbin Du <changbin.du@gmail.com>
+
+[ Upstream commit 668a84c1bfb2b3fd5a10847825a854d63fac7baa ]
+
+setup_arch() would invoke efi_init()->efi_get_fdt_params(). If no
+valid fdt found then initial_boot_params will be null. So we
+should stop further fdt processing here. I encountered this
+issue on risc-v.
+
+Signed-off-by: Changbin Du <changbin.du@gmail.com>
+Fixes: b91540d52a08b ("RISC-V: Add EFI runtime services")
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/fdtparams.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/firmware/efi/fdtparams.c b/drivers/firmware/efi/fdtparams.c
+index bb042ab7c2be..e901f8564ca0 100644
+--- a/drivers/firmware/efi/fdtparams.c
++++ b/drivers/firmware/efi/fdtparams.c
+@@ -98,6 +98,9 @@ u64 __init efi_get_fdt_params(struct efi_memory_map_data *mm)
+ BUILD_BUG_ON(ARRAY_SIZE(target) != ARRAY_SIZE(name));
+ BUILD_BUG_ON(ARRAY_SIZE(target) != ARRAY_SIZE(dt_params[0].params));
+
++ if (!fdt)
++ return 0;
++
+ for (i = 0; i < ARRAY_SIZE(dt_params); i++) {
+ node = fdt_path_offset(fdt, dt_params[i].path);
+ if (node < 0)
+--
+2.30.2
+
--- /dev/null
+From 96c57a4c19b895aefff2557b0a7dd8f168c0dd9c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Apr 2021 14:48:31 +0300
+Subject: efi/libstub: prevent read overflow in find_file_option()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit c4039b29fe9637e1135912813f830994af4c867f ]
+
+If the buffer has slashes up to the end then this will read past the end
+of the array. I don't anticipate that this is an issue for many people
+in real life, but it's the right thing to do and it makes static
+checkers happy.
+
+Fixes: 7a88a6227dc7 ("efi/libstub: Fix path separator regression")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/libstub/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/firmware/efi/libstub/file.c b/drivers/firmware/efi/libstub/file.c
+index 4e81c6077188..dd95f330fe6e 100644
+--- a/drivers/firmware/efi/libstub/file.c
++++ b/drivers/firmware/efi/libstub/file.c
+@@ -103,7 +103,7 @@ static int find_file_option(const efi_char16_t *cmdline, int cmdline_len,
+ return 0;
+
+ /* Skip any leading slashes */
+- while (cmdline[i] == L'/' || cmdline[i] == L'\\')
++ while (i < cmdline_len && (cmdline[i] == L'/' || cmdline[i] == L'\\'))
+ i++;
+
+ while (--result_len > 0 && i < cmdline_len) {
+--
+2.30.2
+
--- /dev/null
+From 2c9292b6ab3cb59cc47e2c9f6200deeae4ec88ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 May 2021 15:58:50 +0200
+Subject: HID: i2c-hid: fix format string mismatch
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit dc5f9f55502e13ba05731d5046a14620aa2ff456 ]
+
+clang doesn't like printing a 32-bit integer using %hX format string:
+
+drivers/hid/i2c-hid/i2c-hid-core.c:994:18: error: format specifies type 'unsigned short' but the argument has type '__u32' (aka 'unsigned int') [-Werror,-Wformat]
+ client->name, hid->vendor, hid->product);
+ ^~~~~~~~~~~
+drivers/hid/i2c-hid/i2c-hid-core.c:994:31: error: format specifies type 'unsigned short' but the argument has type '__u32' (aka 'unsigned int') [-Werror,-Wformat]
+ client->name, hid->vendor, hid->product);
+ ^~~~~~~~~~~~
+
+Use an explicit cast to truncate it to the low 16 bits instead.
+
+Fixes: 9ee3e06610fd ("HID: i2c-hid: override HID descriptors for certain devices")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/i2c-hid/i2c-hid-core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hid/i2c-hid/i2c-hid-core.c b/drivers/hid/i2c-hid/i2c-hid-core.c
+index cb7758d59014..13bc59ed1d9e 100644
+--- a/drivers/hid/i2c-hid/i2c-hid-core.c
++++ b/drivers/hid/i2c-hid/i2c-hid-core.c
+@@ -1131,8 +1131,8 @@ static int i2c_hid_probe(struct i2c_client *client,
+ hid->vendor = le16_to_cpu(ihid->hdesc.wVendorID);
+ hid->product = le16_to_cpu(ihid->hdesc.wProductID);
+
+- snprintf(hid->name, sizeof(hid->name), "%s %04hX:%04hX",
+- client->name, hid->vendor, hid->product);
++ snprintf(hid->name, sizeof(hid->name), "%s %04X:%04X",
++ client->name, (u16)hid->vendor, (u16)hid->product);
+ strlcpy(hid->phys, dev_name(&client->dev), sizeof(hid->phys));
+
+ ihid->quirks = i2c_hid_lookup_quirk(hid->vendor, hid->product);
+--
+2.30.2
+
--- /dev/null
+From 0c21415b6229a6a78206a7bde198135e1aacca2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 May 2021 12:18:19 -0700
+Subject: HID: logitech-hidpp: initialize level variable
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tom Rix <trix@redhat.com>
+
+[ Upstream commit 81c8bf9170477d453b24a6bc3300d201d641e645 ]
+
+Static analysis reports this representative problem
+
+hid-logitech-hidpp.c:1356:23: warning: Assigned value is
+ garbage or undefined
+ hidpp->battery.level = level;
+ ^ ~~~~~
+
+In some cases, 'level' is never set in hidpp20_battery_map_status_voltage()
+Since level is not available on all hw, initialize level to unknown.
+
+Fixes: be281368f297 ("hid-logitech-hidpp: read battery voltage from newer devices")
+Signed-off-by: Tom Rix <trix@redhat.com>
+Reviewed-by: Filipe LaÃns <lains@riseup.net>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-logitech-hidpp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c
+index 74ebfb12c360..66b105162039 100644
+--- a/drivers/hid/hid-logitech-hidpp.c
++++ b/drivers/hid/hid-logitech-hidpp.c
+@@ -1259,6 +1259,7 @@ static int hidpp20_battery_map_status_voltage(u8 data[3], int *voltage,
+ int status;
+
+ long flags = (long) data[2];
++ *level = POWER_SUPPLY_CAPACITY_LEVEL_UNKNOWN;
+
+ if (flags & 0x80)
+ switch (flags & 0x07) {
+--
+2.30.2
+
--- /dev/null
+From a339ae58939aead141d09cd3eae8cfffbf471223 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 8 May 2021 10:47:37 +0800
+Subject: HID: pidff: fix error return code in hid_pidff_init()
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit 3dd653c077efda8152f4dd395359617d577a54cd ]
+
+Fix to return a negative error code from the error handling
+case instead of 0, as done elsewhere in this function.
+
+Fixes: 224ee88fe395 ("Input: add force feedback driver for PID devices")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/usbhid/hid-pidff.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
+index fddac7c72f64..07a9fe97d2e0 100644
+--- a/drivers/hid/usbhid/hid-pidff.c
++++ b/drivers/hid/usbhid/hid-pidff.c
+@@ -1292,6 +1292,7 @@ int hid_pidff_init(struct hid_device *hid)
+
+ if (pidff->pool[PID_DEVICE_MANAGED_POOL].value &&
+ pidff->pool[PID_DEVICE_MANAGED_POOL].value[0] == 0) {
++ error = -EPERM;
+ hid_notice(hid,
+ "device does not support device managed pool\n");
+ goto fail;
+--
+2.30.2
+
--- /dev/null
+From 6f051a3c7e1a1d4d9d40e657d36d0ad6bea61298 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 May 2021 17:45:46 +0200
+Subject: hwmon: (dell-smm-hwmon) Fix index values
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Armin Wolf <W_Armin@gmx.de>
+
+[ Upstream commit 35d470b5fbc9f82feb77b56bb0d5d0b5cd73e9da ]
+
+When support for up to 10 temp sensors and for disabling automatic BIOS
+fan control was added, noone updated the index values used for
+disallowing fan support and fan type calls.
+Fix those values.
+
+Signed-off-by: Armin Wolf <W_Armin@gmx.de>
+Reviewed-by: Pali Rohár <pali@kernel.org>
+Link: https://lore.kernel.org/r/20210513154546.12430-1-W_Armin@gmx.de
+Fixes: 1bb46a20e73b ("hwmon: (dell-smm) Support up to 10 temp sensors")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/dell-smm-hwmon.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hwmon/dell-smm-hwmon.c b/drivers/hwmon/dell-smm-hwmon.c
+index 73b9db9e3aab..63b74e781c5d 100644
+--- a/drivers/hwmon/dell-smm-hwmon.c
++++ b/drivers/hwmon/dell-smm-hwmon.c
+@@ -838,10 +838,10 @@ static struct attribute *i8k_attrs[] = {
+ static umode_t i8k_is_visible(struct kobject *kobj, struct attribute *attr,
+ int index)
+ {
+- if (disallow_fan_support && index >= 8)
++ if (disallow_fan_support && index >= 20)
+ return 0;
+ if (disallow_fan_type_call &&
+- (index == 9 || index == 12 || index == 15))
++ (index == 21 || index == 25 || index == 28))
+ return 0;
+ if (index >= 0 && index <= 1 &&
+ !(i8k_hwmon_flags & I8K_HWMON_HAVE_TEMP1))
+--
+2.30.2
+
--- /dev/null
+From 9db5ca8653a607cc418ed6ea1dfc2b17caaed99a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 May 2021 16:19:55 -0500
+Subject: hwmon: (pmbus/isl68137) remove READ_TEMPERATURE_3 for RAA228228
+
+From: Grant Peltier <grantpeltier93@gmail.com>
+
+[ Upstream commit 2a29db088c7ae7121801a0d7a60740ed2d18c4f3 ]
+
+The initial version of the RAA228228 datasheet claimed that the device
+supported READ_TEMPERATURE_3 but not READ_TEMPERATURE_1. It has since been
+discovered that the datasheet was incorrect. The RAA228228 does support
+READ_TEMPERATURE_1 but does not support READ_TEMPERATURE_3.
+
+Signed-off-by: Grant Peltier <grantpeltier93@gmail.com>
+Fixes: 51fb91ed5a6f ("hwmon: (pmbus/isl68137) remove READ_TEMPERATURE_1 telemetry for RAA228228")
+Link: https://lore.kernel.org/r/20210514211954.GA24646@raspberrypi
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/pmbus/isl68137.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hwmon/pmbus/isl68137.c b/drivers/hwmon/pmbus/isl68137.c
+index 7cad76e07f70..3f1b826dac8a 100644
+--- a/drivers/hwmon/pmbus/isl68137.c
++++ b/drivers/hwmon/pmbus/isl68137.c
+@@ -244,8 +244,8 @@ static int isl68137_probe(struct i2c_client *client)
+ info->read_word_data = raa_dmpvr2_read_word_data;
+ break;
+ case raa_dmpvr2_2rail_nontc:
+- info->func[0] &= ~PMBUS_HAVE_TEMP;
+- info->func[1] &= ~PMBUS_HAVE_TEMP;
++ info->func[0] &= ~PMBUS_HAVE_TEMP3;
++ info->func[1] &= ~PMBUS_HAVE_TEMP3;
+ fallthrough;
+ case raa_dmpvr2_2rail:
+ info->pages = 2;
+--
+2.30.2
+
--- /dev/null
+From 12f6f81d4a27556fa133caf397617f5def96a094 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 May 2021 18:40:50 +0530
+Subject: i2c: qcom-geni: Add shutdown callback for i2c
+
+From: Roja Rani Yarubandi <rojay@codeaurora.org>
+
+[ Upstream commit 9f78c607600ce4f2a952560de26534715236f612 ]
+
+If the hardware is still accessing memory after SMMU translation
+is disabled (as part of smmu shutdown callback), then the
+IOVAs (I/O virtual address) which it was using will go on the bus
+as the physical addresses which will result in unknown crashes
+like NoC/interconnect errors.
+
+So, implement shutdown callback for i2c driver to suspend the bus
+during system "reboot" or "shutdown".
+
+Fixes: 37692de5d523 ("i2c: i2c-qcom-geni: Add bus driver for the Qualcomm GENI I2C controller")
+Signed-off-by: Roja Rani Yarubandi <rojay@codeaurora.org>
+Reviewed-by: Stephen Boyd <swboyd@chromium.org>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-qcom-geni.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/i2c/busses/i2c-qcom-geni.c b/drivers/i2c/busses/i2c-qcom-geni.c
+index 4a6dd05d6dbf..899ad2c7d67d 100644
+--- a/drivers/i2c/busses/i2c-qcom-geni.c
++++ b/drivers/i2c/busses/i2c-qcom-geni.c
+@@ -654,6 +654,14 @@ static int geni_i2c_remove(struct platform_device *pdev)
+ return 0;
+ }
+
++static void geni_i2c_shutdown(struct platform_device *pdev)
++{
++ struct geni_i2c_dev *gi2c = platform_get_drvdata(pdev);
++
++ /* Make client i2c transfers start failing */
++ i2c_mark_adapter_suspended(&gi2c->adap);
++}
++
+ static int __maybe_unused geni_i2c_runtime_suspend(struct device *dev)
+ {
+ int ret;
+@@ -718,6 +726,7 @@ MODULE_DEVICE_TABLE(of, geni_i2c_dt_match);
+ static struct platform_driver geni_i2c_driver = {
+ .probe = geni_i2c_probe,
+ .remove = geni_i2c_remove,
++ .shutdown = geni_i2c_shutdown,
+ .driver = {
+ .name = "geni_i2c",
+ .pm = &geni_i2c_pm_ops,
+--
+2.30.2
+
--- /dev/null
+From d5c03fed779e1f5e37ac7f4e90400b50fc4cd322 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 May 2021 11:38:49 +0200
+Subject: i40e: add correct exception tracing for XDP
+
+From: Magnus Karlsson <magnus.karlsson@intel.com>
+
+[ Upstream commit f6c10b48f8c8da44adaff730d8e700b6272add2b ]
+
+Add missing exception tracing to XDP when a number of different errors
+can occur. The support was only partial. Several errors where not
+logged which would confuse the user quite a lot not knowing where and
+why the packets disappeared.
+
+Fixes: 74608d17fe29 ("i40e: add support for XDP_TX action")
+Fixes: 0a714186d3c0 ("i40e: add AF_XDP zero-copy Rx support")
+Reported-by: Jesper Dangaard Brouer <brouer@redhat.com>
+Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com>
+Tested-by: Kiran Bhandare <kiranx.bhandare@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_txrx.c | 7 ++++++-
+ drivers/net/ethernet/intel/i40e/i40e_xsk.c | 8 ++++++--
+ 2 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.c b/drivers/net/ethernet/intel/i40e/i40e_txrx.c
+index 011f484606a3..c40ac82db863 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.c
+@@ -2205,15 +2205,20 @@ static int i40e_run_xdp(struct i40e_ring *rx_ring, struct xdp_buff *xdp)
+ case XDP_TX:
+ xdp_ring = rx_ring->vsi->xdp_rings[rx_ring->queue_index];
+ result = i40e_xmit_xdp_tx_ring(xdp, xdp_ring);
++ if (result == I40E_XDP_CONSUMED)
++ goto out_failure;
+ break;
+ case XDP_REDIRECT:
+ err = xdp_do_redirect(rx_ring->netdev, xdp, xdp_prog);
+- result = !err ? I40E_XDP_REDIR : I40E_XDP_CONSUMED;
++ if (err)
++ goto out_failure;
++ result = I40E_XDP_REDIR;
+ break;
+ default:
+ bpf_warn_invalid_xdp_action(act);
+ fallthrough;
+ case XDP_ABORTED:
++out_failure:
+ trace_xdp_exception(rx_ring->netdev, xdp_prog, act);
+ fallthrough; /* handle aborts by dropping packet */
+ case XDP_DROP:
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_xsk.c b/drivers/net/ethernet/intel/i40e/i40e_xsk.c
+index 18e8d4e456d6..86c79f71c685 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_xsk.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_xsk.c
+@@ -161,9 +161,10 @@ static int i40e_run_xdp_zc(struct i40e_ring *rx_ring, struct xdp_buff *xdp)
+
+ if (likely(act == XDP_REDIRECT)) {
+ err = xdp_do_redirect(rx_ring->netdev, xdp, xdp_prog);
+- result = !err ? I40E_XDP_REDIR : I40E_XDP_CONSUMED;
++ if (err)
++ goto out_failure;
+ rcu_read_unlock();
+- return result;
++ return I40E_XDP_REDIR;
+ }
+
+ switch (act) {
+@@ -172,11 +173,14 @@ static int i40e_run_xdp_zc(struct i40e_ring *rx_ring, struct xdp_buff *xdp)
+ case XDP_TX:
+ xdp_ring = rx_ring->vsi->xdp_rings[rx_ring->queue_index];
+ result = i40e_xmit_xdp_tx_ring(xdp, xdp_ring);
++ if (result == I40E_XDP_CONSUMED)
++ goto out_failure;
+ break;
+ default:
+ bpf_warn_invalid_xdp_action(act);
+ fallthrough;
+ case XDP_ABORTED:
++out_failure:
+ trace_xdp_exception(rx_ring->netdev, xdp_prog, act);
+ fallthrough; /* handle aborts by dropping packet */
+ case XDP_DROP:
+--
+2.30.2
+
--- /dev/null
+From 7d0bccde6ae41e381e5e83b73872c36ec3d066c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Dec 2020 16:07:22 +0100
+Subject: i40e: optimize for XDP_REDIRECT in xsk path
+
+From: Magnus Karlsson <magnus.karlsson@intel.com>
+
+[ Upstream commit 346497c78d15cdd5bdc3b642a895009359e5457f ]
+
+Optimize i40e_run_xdp_zc() for the XDP program verdict being
+XDP_REDIRECT in the xsk zero-copy path. This path is only used when
+having AF_XDP zero-copy on and in that case most packets will be
+directed to user space. This provides a little over 100k extra packets
+in throughput on my server when running l2fwd in xdpsock.
+
+Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com>
+Tested-by: George Kuruvinakunnel <george.kuruvinakunnel@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_xsk.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_xsk.c b/drivers/net/ethernet/intel/i40e/i40e_xsk.c
+index 8557807b4171..18e8d4e456d6 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_xsk.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_xsk.c
+@@ -159,6 +159,13 @@ static int i40e_run_xdp_zc(struct i40e_ring *rx_ring, struct xdp_buff *xdp)
+ xdp_prog = READ_ONCE(rx_ring->xdp_prog);
+ act = bpf_prog_run_xdp(xdp_prog, xdp);
+
++ if (likely(act == XDP_REDIRECT)) {
++ err = xdp_do_redirect(rx_ring->netdev, xdp, xdp_prog);
++ result = !err ? I40E_XDP_REDIR : I40E_XDP_CONSUMED;
++ rcu_read_unlock();
++ return result;
++ }
++
+ switch (act) {
+ case XDP_PASS:
+ break;
+@@ -166,10 +173,6 @@ static int i40e_run_xdp_zc(struct i40e_ring *rx_ring, struct xdp_buff *xdp)
+ xdp_ring = rx_ring->vsi->xdp_rings[rx_ring->queue_index];
+ result = i40e_xmit_xdp_tx_ring(xdp, xdp_ring);
+ break;
+- case XDP_REDIRECT:
+- err = xdp_do_redirect(rx_ring->netdev, xdp, xdp_prog);
+- result = !err ? I40E_XDP_REDIR : I40E_XDP_CONSUMED;
+- break;
+ default:
+ bpf_warn_invalid_xdp_action(act);
+ fallthrough;
+--
+2.30.2
+
--- /dev/null
+From 0760242a954452b2bdb5b234bc939f3ec52c1b85 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 May 2021 11:38:50 +0200
+Subject: ice: add correct exception tracing for XDP
+
+From: Magnus Karlsson <magnus.karlsson@intel.com>
+
+[ Upstream commit 89d65df024c59988291f643b4e45d1528c51aef9 ]
+
+Add missing exception tracing to XDP when a number of different
+errors can occur. The support was only partial. Several errors
+where not logged which would confuse the user quite a lot not
+knowing where and why the packets disappeared.
+
+Fixes: efc2214b6047 ("ice: Add support for XDP")
+Fixes: 2d4238f55697 ("ice: Add support for AF_XDP")
+Reported-by: Jesper Dangaard Brouer <brouer@redhat.com>
+Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com>
+Tested-by: Kiran Bhandare <kiranx.bhandare@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_txrx.c | 12 +++++++++---
+ drivers/net/ethernet/intel/ice/ice_xsk.c | 8 ++++++--
+ 2 files changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_txrx.c b/drivers/net/ethernet/intel/ice/ice_txrx.c
+index 5cc2854a5d48..442a9bcbf60a 100644
+--- a/drivers/net/ethernet/intel/ice/ice_txrx.c
++++ b/drivers/net/ethernet/intel/ice/ice_txrx.c
+@@ -538,7 +538,7 @@ ice_run_xdp(struct ice_ring *rx_ring, struct xdp_buff *xdp,
+ struct bpf_prog *xdp_prog)
+ {
+ struct ice_ring *xdp_ring;
+- int err;
++ int err, result;
+ u32 act;
+
+ act = bpf_prog_run_xdp(xdp_prog, xdp);
+@@ -547,14 +547,20 @@ ice_run_xdp(struct ice_ring *rx_ring, struct xdp_buff *xdp,
+ return ICE_XDP_PASS;
+ case XDP_TX:
+ xdp_ring = rx_ring->vsi->xdp_rings[smp_processor_id()];
+- return ice_xmit_xdp_buff(xdp, xdp_ring);
++ result = ice_xmit_xdp_buff(xdp, xdp_ring);
++ if (result == ICE_XDP_CONSUMED)
++ goto out_failure;
++ return result;
+ case XDP_REDIRECT:
+ err = xdp_do_redirect(rx_ring->netdev, xdp, xdp_prog);
+- return !err ? ICE_XDP_REDIR : ICE_XDP_CONSUMED;
++ if (err)
++ goto out_failure;
++ return ICE_XDP_REDIR;
+ default:
+ bpf_warn_invalid_xdp_action(act);
+ fallthrough;
+ case XDP_ABORTED:
++out_failure:
+ trace_xdp_exception(rx_ring->netdev, xdp_prog, act);
+ fallthrough;
+ case XDP_DROP:
+diff --git a/drivers/net/ethernet/intel/ice/ice_xsk.c b/drivers/net/ethernet/intel/ice/ice_xsk.c
+index 952148eede30..9f36f8d7a985 100644
+--- a/drivers/net/ethernet/intel/ice/ice_xsk.c
++++ b/drivers/net/ethernet/intel/ice/ice_xsk.c
+@@ -527,9 +527,10 @@ ice_run_xdp_zc(struct ice_ring *rx_ring, struct xdp_buff *xdp)
+
+ if (likely(act == XDP_REDIRECT)) {
+ err = xdp_do_redirect(rx_ring->netdev, xdp, xdp_prog);
+- result = !err ? ICE_XDP_REDIR : ICE_XDP_CONSUMED;
++ if (err)
++ goto out_failure;
+ rcu_read_unlock();
+- return result;
++ return ICE_XDP_REDIR;
+ }
+
+ switch (act) {
+@@ -538,11 +539,14 @@ ice_run_xdp_zc(struct ice_ring *rx_ring, struct xdp_buff *xdp)
+ case XDP_TX:
+ xdp_ring = rx_ring->vsi->xdp_rings[rx_ring->q_index];
+ result = ice_xmit_xdp_buff(xdp, xdp_ring);
++ if (result == ICE_XDP_CONSUMED)
++ goto out_failure;
+ break;
+ default:
+ bpf_warn_invalid_xdp_action(act);
+ fallthrough;
+ case XDP_ABORTED:
++out_failure:
+ trace_xdp_exception(rx_ring->netdev, xdp_prog, act);
+ fallthrough;
+ case XDP_DROP:
+--
+2.30.2
+
--- /dev/null
+From 077b950fff8b6c4b0f552ac0160fcbd80391bd8b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 May 2021 14:17:59 -0700
+Subject: ice: Allow all LLDP packets from PF to Tx
+
+From: Dave Ertman <david.m.ertman@intel.com>
+
+[ Upstream commit f9f83202b7263ac371d616d6894a2c9ed79158ef ]
+
+Currently in the ice driver, the check whether to
+allow a LLDP packet to egress the interface from the
+PF_VSI is being based on the SKB's priority field.
+It checks to see if the packets priority is equal to
+TC_PRIO_CONTROL. Injected LLDP packets do not always
+meet this condition.
+
+SCAPY defaults to a sk_buff->protocol value of ETH_P_ALL
+(0x0003) and does not set the priority field. There will
+be other injection methods (even ones used by end users)
+that will not correctly configure the socket so that
+SKB fields are correctly populated.
+
+Then ethernet header has to have to correct value for
+the protocol though.
+
+Add a check to also allow packets whose ethhdr->h_proto
+matches ETH_P_LLDP (0x88CC).
+
+Fixes: 0c3a6101ff2d ("ice: Allow egress control packets from PF_VSI")
+Signed-off-by: Dave Ertman <david.m.ertman@intel.com>
+Tested-by: Tony Brelinski <tonyx.brelinski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_txrx.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_txrx.c b/drivers/net/ethernet/intel/ice/ice_txrx.c
+index 0f2544c420ac..1510091a63e8 100644
+--- a/drivers/net/ethernet/intel/ice/ice_txrx.c
++++ b/drivers/net/ethernet/intel/ice/ice_txrx.c
+@@ -2373,6 +2373,7 @@ ice_xmit_frame_ring(struct sk_buff *skb, struct ice_ring *tx_ring)
+ struct ice_tx_offload_params offload = { 0 };
+ struct ice_vsi *vsi = tx_ring->vsi;
+ struct ice_tx_buf *first;
++ struct ethhdr *eth;
+ unsigned int count;
+ int tso, csum;
+
+@@ -2419,7 +2420,9 @@ ice_xmit_frame_ring(struct sk_buff *skb, struct ice_ring *tx_ring)
+ goto out_drop;
+
+ /* allow CONTROL frames egress from main VSI if FW LLDP disabled */
+- if (unlikely(skb->priority == TC_PRIO_CONTROL &&
++ eth = (struct ethhdr *)skb_mac_header(skb);
++ if (unlikely((skb->priority == TC_PRIO_CONTROL ||
++ eth->h_proto == htons(ETH_P_LLDP)) &&
+ vsi->type == ICE_VSI_PF &&
+ vsi->port_info->qos_cfg.is_sw_lldp))
+ offload.cd_qw1 |= (u64)(ICE_TX_DESC_DTYPE_CTX |
+--
+2.30.2
+
--- /dev/null
+From d8b6c7e6508d450f877bb6b39edd180cade3401c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Feb 2021 13:19:20 -0800
+Subject: ice: Fix allowing VF to request more/less queues via virtchnl
+
+From: Brett Creeley <brett.creeley@intel.com>
+
+[ Upstream commit f0457690af56673cb0c47af6e25430389a149225 ]
+
+Commit 12bb018c538c ("ice: Refactor VF reset") caused a regression
+that removes the ability for a VF to request a different amount of
+queues via VIRTCHNL_OP_REQUEST_QUEUES. This prevents VF drivers to
+either increase or decrease the number of queue pairs they are
+allocated. Fix this by using the variable vf->num_req_qs when
+determining the vf->num_vf_qs during VF VSI creation.
+
+Fixes: 12bb018c538c ("ice: Refactor VF reset")
+Signed-off-by: Brett Creeley <brett.creeley@intel.com>
+Tested-by: Konrad Jankowski <konrad0.jankowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_lib.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c
+index e1384503dd4d..fb20c6971f4c 100644
+--- a/drivers/net/ethernet/intel/ice/ice_lib.c
++++ b/drivers/net/ethernet/intel/ice/ice_lib.c
+@@ -192,6 +192,8 @@ static void ice_vsi_set_num_qs(struct ice_vsi *vsi, u16 vf_id)
+ break;
+ case ICE_VSI_VF:
+ vf = &pf->vf[vsi->vf_id];
++ if (vf->num_req_qs)
++ vf->num_vf_qs = vf->num_req_qs;
+ vsi->alloc_txq = vf->num_vf_qs;
+ vsi->alloc_rxq = vf->num_vf_qs;
+ /* pf->num_msix_per_vf includes (VF miscellaneous vector +
+--
+2.30.2
+
--- /dev/null
+From 2398985480ee16b7d441089850502c37d6d2b526 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Feb 2021 13:19:21 -0800
+Subject: ice: Fix VFR issues for AVF drivers that expect ATQLEN cleared
+
+From: Brett Creeley <brett.creeley@intel.com>
+
+[ Upstream commit 8679f07a9922068b9b6be81b632f52cac45d1b91 ]
+
+Some AVF drivers expect the VF_MBX_ATQLEN register to be cleared for any
+type of VFR/VFLR. Fix this by clearing the VF_MBX_ATQLEN register at the
+same time as VF_MBX_ARQLEN.
+
+Fixes: 82ba01282cf8 ("ice: clear VF ARQLEN register on reset")
+Signed-off-by: Brett Creeley <brett.creeley@intel.com>
+Tested-by: Konrad Jankowski <konrad0.jankowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_hw_autogen.h | 1 +
+ drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c | 12 +++++++-----
+ 2 files changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_hw_autogen.h b/drivers/net/ethernet/intel/ice/ice_hw_autogen.h
+index 90abc8612a6a..406dd6bd97a7 100644
+--- a/drivers/net/ethernet/intel/ice/ice_hw_autogen.h
++++ b/drivers/net/ethernet/intel/ice/ice_hw_autogen.h
+@@ -31,6 +31,7 @@
+ #define PF_FW_ATQLEN_ATQOVFL_M BIT(29)
+ #define PF_FW_ATQLEN_ATQCRIT_M BIT(30)
+ #define VF_MBX_ARQLEN(_VF) (0x0022BC00 + ((_VF) * 4))
++#define VF_MBX_ATQLEN(_VF) (0x0022A800 + ((_VF) * 4))
+ #define PF_FW_ATQLEN_ATQENABLE_M BIT(31)
+ #define PF_FW_ATQT 0x00080400
+ #define PF_MBX_ARQBAH 0x0022E400
+diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c
+index b3161c5def46..374ccce2a784 100644
+--- a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c
+@@ -435,13 +435,15 @@ static void ice_trigger_vf_reset(struct ice_vf *vf, bool is_vflr, bool is_pfr)
+ */
+ clear_bit(ICE_VF_STATE_INIT, vf->vf_states);
+
+- /* VF_MBX_ARQLEN is cleared by PFR, so the driver needs to clear it
+- * in the case of VFR. If this is done for PFR, it can mess up VF
+- * resets because the VF driver may already have started cleanup
+- * by the time we get here.
++ /* VF_MBX_ARQLEN and VF_MBX_ATQLEN are cleared by PFR, so the driver
++ * needs to clear them in the case of VFR/VFLR. If this is done for
++ * PFR, it can mess up VF resets because the VF driver may already
++ * have started cleanup by the time we get here.
+ */
+- if (!is_pfr)
++ if (!is_pfr) {
+ wr32(hw, VF_MBX_ARQLEN(vf->vf_id), 0);
++ wr32(hw, VF_MBX_ATQLEN(vf->vf_id), 0);
++ }
+
+ /* In the case of a VFLR, the HW has already reset the VF and we
+ * just need to clean up, so don't hit the VFRTRIG register.
+--
+2.30.2
+
--- /dev/null
+From 321064fd632b36e24c82c09a223920904e45d964 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Feb 2021 13:19:31 -0800
+Subject: ice: handle the VF VSI rebuild failure
+
+From: Haiyue Wang <haiyue.wang@intel.com>
+
+[ Upstream commit c7ee6ce1cf60b7fcdbdd2354d377d00bae3fa2d2 ]
+
+VSI rebuild can be failed for LAN queue config, then the VF's VSI will
+be NULL, the VF reset should be stopped with the VF entering into the
+disable state.
+
+Fixes: 12bb018c538c ("ice: Refactor VF reset")
+Signed-off-by: Haiyue Wang <haiyue.wang@intel.com>
+Tested-by: Konrad Jankowski <konrad0.jankowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c
+index 374ccce2a784..c9f82fd3cf48 100644
+--- a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c
+@@ -1341,7 +1341,12 @@ bool ice_reset_vf(struct ice_vf *vf, bool is_vflr)
+ }
+
+ ice_vf_pre_vsi_rebuild(vf);
+- ice_vf_rebuild_vsi_with_release(vf);
++
++ if (ice_vf_rebuild_vsi_with_release(vf)) {
++ dev_err(dev, "Failed to release and setup the VF%u's VSI\n", vf->vf_id);
++ return false;
++ }
++
+ ice_vf_post_vsi_rebuild(vf);
+
+ return true;
+--
+2.30.2
+
--- /dev/null
+From ee8a6150909454313ddd35141da8a5858f2b74ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Dec 2020 16:07:24 +0100
+Subject: ice: optimize for XDP_REDIRECT in xsk path
+
+From: Magnus Karlsson <magnus.karlsson@intel.com>
+
+[ Upstream commit bb52073645a618ab4d93c8d932fb8faf114c55bc ]
+
+Optimize ice_run_xdp_zc() for the XDP program verdict being
+XDP_REDIRECT in the xsk zero-copy path. This path is only used when
+having AF_XDP zero-copy on and in that case most packets will be
+directed to user space. This provides a little over 100k extra packets
+in throughput on my server when running l2fwd in xdpsock.
+
+Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com>
+Tested-by: George Kuruvinakunnel <george.kuruvinakunnel@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_xsk.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_xsk.c b/drivers/net/ethernet/intel/ice/ice_xsk.c
+index 98101a8e2952..952148eede30 100644
+--- a/drivers/net/ethernet/intel/ice/ice_xsk.c
++++ b/drivers/net/ethernet/intel/ice/ice_xsk.c
+@@ -524,6 +524,14 @@ ice_run_xdp_zc(struct ice_ring *rx_ring, struct xdp_buff *xdp)
+ }
+
+ act = bpf_prog_run_xdp(xdp_prog, xdp);
++
++ if (likely(act == XDP_REDIRECT)) {
++ err = xdp_do_redirect(rx_ring->netdev, xdp, xdp_prog);
++ result = !err ? ICE_XDP_REDIR : ICE_XDP_CONSUMED;
++ rcu_read_unlock();
++ return result;
++ }
++
+ switch (act) {
+ case XDP_PASS:
+ break;
+@@ -531,10 +539,6 @@ ice_run_xdp_zc(struct ice_ring *rx_ring, struct xdp_buff *xdp)
+ xdp_ring = rx_ring->vsi->xdp_rings[rx_ring->q_index];
+ result = ice_xmit_xdp_buff(xdp, xdp_ring);
+ break;
+- case XDP_REDIRECT:
+- err = xdp_do_redirect(rx_ring->netdev, xdp, xdp_prog);
+- result = !err ? ICE_XDP_REDIR : ICE_XDP_CONSUMED;
+- break;
+ default:
+ bpf_warn_invalid_xdp_action(act);
+ fallthrough;
+--
+2.30.2
+
--- /dev/null
+From b63c2a4f3b58e89b98d8c5827ed06cacbef7bb52 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 May 2021 14:17:58 -0700
+Subject: ice: report supported and advertised autoneg using PHY capabilities
+
+From: Paul Greenwalt <paul.greenwalt@intel.com>
+
+[ Upstream commit 5cd349c349d6ec52862e550d3576893d35ab8ac2 ]
+
+Ethtool incorrectly reported supported and advertised auto-negotiation
+settings for a backplane PHY image which did not support auto-negotiation.
+This can occur when using media or PHY type for reporting ethtool
+supported and advertised auto-negotiation settings.
+
+Remove setting supported and advertised auto-negotiation settings based
+on PHY type in ice_phy_type_to_ethtool(), and MAC type in
+ice_get_link_ksettings().
+
+Ethtool supported and advertised auto-negotiation settings should be
+based on the PHY image using the AQ command get PHY capabilities with
+media. Add setting supported and advertised auto-negotiation settings
+based get PHY capabilities with media in ice_get_link_ksettings().
+
+Fixes: 48cb27f2fd18 ("ice: Implement handlers for ethtool PHY/link operations")
+Signed-off-by: Paul Greenwalt <paul.greenwalt@intel.com>
+Tested-by: Tony Brelinski <tonyx.brelinski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_ethtool.c | 51 +++-----------------
+ 1 file changed, 6 insertions(+), 45 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_ethtool.c b/drivers/net/ethernet/intel/ice/ice_ethtool.c
+index d70573f5072c..a7975afecf70 100644
+--- a/drivers/net/ethernet/intel/ice/ice_ethtool.c
++++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c
+@@ -1797,49 +1797,6 @@ ice_phy_type_to_ethtool(struct net_device *netdev,
+ ice_ethtool_advertise_link_mode(ICE_AQ_LINK_SPEED_100GB,
+ 100000baseKR4_Full);
+ }
+-
+- /* Autoneg PHY types */
+- if (phy_types_low & ICE_PHY_TYPE_LOW_100BASE_TX ||
+- phy_types_low & ICE_PHY_TYPE_LOW_1000BASE_T ||
+- phy_types_low & ICE_PHY_TYPE_LOW_1000BASE_KX ||
+- phy_types_low & ICE_PHY_TYPE_LOW_2500BASE_T ||
+- phy_types_low & ICE_PHY_TYPE_LOW_2500BASE_KX ||
+- phy_types_low & ICE_PHY_TYPE_LOW_5GBASE_T ||
+- phy_types_low & ICE_PHY_TYPE_LOW_5GBASE_KR ||
+- phy_types_low & ICE_PHY_TYPE_LOW_10GBASE_T ||
+- phy_types_low & ICE_PHY_TYPE_LOW_10GBASE_KR_CR1 ||
+- phy_types_low & ICE_PHY_TYPE_LOW_25GBASE_T ||
+- phy_types_low & ICE_PHY_TYPE_LOW_25GBASE_CR ||
+- phy_types_low & ICE_PHY_TYPE_LOW_25GBASE_CR_S ||
+- phy_types_low & ICE_PHY_TYPE_LOW_25GBASE_CR1 ||
+- phy_types_low & ICE_PHY_TYPE_LOW_25GBASE_KR ||
+- phy_types_low & ICE_PHY_TYPE_LOW_25GBASE_KR_S ||
+- phy_types_low & ICE_PHY_TYPE_LOW_25GBASE_KR1 ||
+- phy_types_low & ICE_PHY_TYPE_LOW_40GBASE_CR4 ||
+- phy_types_low & ICE_PHY_TYPE_LOW_40GBASE_KR4) {
+- ethtool_link_ksettings_add_link_mode(ks, supported,
+- Autoneg);
+- ethtool_link_ksettings_add_link_mode(ks, advertising,
+- Autoneg);
+- }
+- if (phy_types_low & ICE_PHY_TYPE_LOW_50GBASE_CR2 ||
+- phy_types_low & ICE_PHY_TYPE_LOW_50GBASE_KR2 ||
+- phy_types_low & ICE_PHY_TYPE_LOW_50GBASE_CP ||
+- phy_types_low & ICE_PHY_TYPE_LOW_50GBASE_KR_PAM4) {
+- ethtool_link_ksettings_add_link_mode(ks, supported,
+- Autoneg);
+- ethtool_link_ksettings_add_link_mode(ks, advertising,
+- Autoneg);
+- }
+- if (phy_types_low & ICE_PHY_TYPE_LOW_100GBASE_CR4 ||
+- phy_types_low & ICE_PHY_TYPE_LOW_100GBASE_KR4 ||
+- phy_types_low & ICE_PHY_TYPE_LOW_100GBASE_KR_PAM4 ||
+- phy_types_low & ICE_PHY_TYPE_LOW_100GBASE_CP2) {
+- ethtool_link_ksettings_add_link_mode(ks, supported,
+- Autoneg);
+- ethtool_link_ksettings_add_link_mode(ks, advertising,
+- Autoneg);
+- }
+ }
+
+ #define TEST_SET_BITS_TIMEOUT 50
+@@ -1996,9 +1953,7 @@ ice_get_link_ksettings(struct net_device *netdev,
+ ks->base.port = PORT_TP;
+ break;
+ case ICE_MEDIA_BACKPLANE:
+- ethtool_link_ksettings_add_link_mode(ks, supported, Autoneg);
+ ethtool_link_ksettings_add_link_mode(ks, supported, Backplane);
+- ethtool_link_ksettings_add_link_mode(ks, advertising, Autoneg);
+ ethtool_link_ksettings_add_link_mode(ks, advertising,
+ Backplane);
+ ks->base.port = PORT_NONE;
+@@ -2073,6 +2028,12 @@ ice_get_link_ksettings(struct net_device *netdev,
+ if (caps->link_fec_options & ICE_AQC_PHY_FEC_25G_RS_CLAUSE91_EN)
+ ethtool_link_ksettings_add_link_mode(ks, supported, FEC_RS);
+
++ /* Set supported and advertised autoneg */
++ if (ice_is_phy_caps_an_enabled(caps)) {
++ ethtool_link_ksettings_add_link_mode(ks, supported, Autoneg);
++ ethtool_link_ksettings_add_link_mode(ks, advertising, Autoneg);
++ }
++
+ done:
+ kfree(caps);
+ return err;
+--
+2.30.2
+
--- /dev/null
+From 93d7a63fc01401f7166ca1751adaf969e8bded3e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Jan 2021 16:13:11 +0100
+Subject: ice: simplify ice_run_xdp
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+
+[ Upstream commit 59c97d1b51b119eace6b1e61a6f820701f5a8299 ]
+
+There's no need for 'result' variable, we can directly return the
+internal status based on action returned by xdp prog.
+
+Reviewed-by: Björn Töpel <bjorn.topel@intel.com>
+Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Tested-by: Kiran Bhandare <kiranx.bhandare@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_txrx.c | 15 +++++----------
+ 1 file changed, 5 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_txrx.c b/drivers/net/ethernet/intel/ice/ice_txrx.c
+index 1510091a63e8..5cc2854a5d48 100644
+--- a/drivers/net/ethernet/intel/ice/ice_txrx.c
++++ b/drivers/net/ethernet/intel/ice/ice_txrx.c
+@@ -537,22 +537,20 @@ static int
+ ice_run_xdp(struct ice_ring *rx_ring, struct xdp_buff *xdp,
+ struct bpf_prog *xdp_prog)
+ {
+- int err, result = ICE_XDP_PASS;
+ struct ice_ring *xdp_ring;
++ int err;
+ u32 act;
+
+ act = bpf_prog_run_xdp(xdp_prog, xdp);
+ switch (act) {
+ case XDP_PASS:
+- break;
++ return ICE_XDP_PASS;
+ case XDP_TX:
+ xdp_ring = rx_ring->vsi->xdp_rings[smp_processor_id()];
+- result = ice_xmit_xdp_buff(xdp, xdp_ring);
+- break;
++ return ice_xmit_xdp_buff(xdp, xdp_ring);
+ case XDP_REDIRECT:
+ err = xdp_do_redirect(rx_ring->netdev, xdp, xdp_prog);
+- result = !err ? ICE_XDP_REDIR : ICE_XDP_CONSUMED;
+- break;
++ return !err ? ICE_XDP_REDIR : ICE_XDP_CONSUMED;
+ default:
+ bpf_warn_invalid_xdp_action(act);
+ fallthrough;
+@@ -560,11 +558,8 @@ ice_run_xdp(struct ice_ring *rx_ring, struct xdp_buff *xdp,
+ trace_xdp_exception(rx_ring->netdev, xdp_prog, act);
+ fallthrough;
+ case XDP_DROP:
+- result = ICE_XDP_CONSUMED;
+- break;
++ return ICE_XDP_CONSUMED;
+ }
+-
+- return result;
+ }
+
+ /**
+--
+2.30.2
+
--- /dev/null
+From 8672738995d4b360434033f3419c2d1dc11fc843 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 8 May 2021 14:25:17 +0800
+Subject: ieee802154: fix error return code in ieee802154_add_iface()
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit 79c6b8ed30e54b401c873dbad2511f2a1c525fd5 ]
+
+Fix to return a negative error code from the error handling
+case instead of 0, as done elsewhere in this function.
+
+Fixes: be51da0f3e34 ("ieee802154: Stop using NLA_PUT*().")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Link: https://lore.kernel.org/r/20210508062517.2574-1-thunder.leizhen@huawei.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ieee802154/nl-phy.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/ieee802154/nl-phy.c b/net/ieee802154/nl-phy.c
+index 2cdc7e63fe17..88215b5c93aa 100644
+--- a/net/ieee802154/nl-phy.c
++++ b/net/ieee802154/nl-phy.c
+@@ -241,8 +241,10 @@ int ieee802154_add_iface(struct sk_buff *skb, struct genl_info *info)
+ }
+
+ if (nla_put_string(msg, IEEE802154_ATTR_PHY_NAME, wpan_phy_name(phy)) ||
+- nla_put_string(msg, IEEE802154_ATTR_DEV_NAME, dev->name))
++ nla_put_string(msg, IEEE802154_ATTR_DEV_NAME, dev->name)) {
++ rc = -EMSGSIZE;
+ goto nla_put_failure;
++ }
+ dev_put(dev);
+
+ wpan_phy_put(phy);
+--
+2.30.2
+
--- /dev/null
+From 76ed37a58532b6886221a1ffa9a7c718c0b028ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 May 2021 14:16:14 +0000
+Subject: ieee802154: fix error return code in ieee802154_llsec_getparams()
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit 373e864cf52403b0974c2f23ca8faf9104234555 ]
+
+Fix to return negative error code -ENOBUFS from the error handling
+case instead of 0, as done elsewhere in this function.
+
+Fixes: 3e9c156e2c21 ("ieee802154: add netlink interfaces for llsec")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Link: https://lore.kernel.org/r/20210519141614.3040055-1-weiyongjun1@huawei.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ieee802154/nl-mac.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/ieee802154/nl-mac.c b/net/ieee802154/nl-mac.c
+index d19c40c684e8..71be75112321 100644
+--- a/net/ieee802154/nl-mac.c
++++ b/net/ieee802154/nl-mac.c
+@@ -680,8 +680,10 @@ int ieee802154_llsec_getparams(struct sk_buff *skb, struct genl_info *info)
+ nla_put_u8(msg, IEEE802154_ATTR_LLSEC_SECLEVEL, params.out_level) ||
+ nla_put_u32(msg, IEEE802154_ATTR_LLSEC_FRAME_COUNTER,
+ be32_to_cpu(params.frame_counter)) ||
+- ieee802154_llsec_fill_key_id(msg, ¶ms.out_key))
++ ieee802154_llsec_fill_key_id(msg, ¶ms.out_key)) {
++ rc = -ENOBUFS;
+ goto out_free;
++ }
+
+ dev_put(dev);
+
+--
+2.30.2
+
--- /dev/null
+From fbf9b20420008be04b287df5da5eff332afef580 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 May 2021 11:38:52 +0200
+Subject: igb: add correct exception tracing for XDP
+
+From: Magnus Karlsson <magnus.karlsson@intel.com>
+
+[ Upstream commit 74431c40b9c5fa673fff83ec157a76a69efd5c72 ]
+
+Add missing exception tracing to XDP when a number of different
+errors can occur. The support was only partial. Several errors
+where not logged which would confuse the user quite a lot not
+knowing where and why the packets disappeared.
+
+Fixes: 9cbc948b5a20 ("igb: add XDP support")
+Reported-by: Jesper Dangaard Brouer <brouer@redhat.com>
+Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com>
+Tested-by: Vishakha Jambekar <vishakha.jambekar@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index 368f0aac5e1d..5c87c0a7ce3d 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -8419,18 +8419,20 @@ static struct sk_buff *igb_run_xdp(struct igb_adapter *adapter,
+ break;
+ case XDP_TX:
+ result = igb_xdp_xmit_back(adapter, xdp);
++ if (result == IGB_XDP_CONSUMED)
++ goto out_failure;
+ break;
+ case XDP_REDIRECT:
+ err = xdp_do_redirect(adapter->netdev, xdp, xdp_prog);
+- if (!err)
+- result = IGB_XDP_REDIR;
+- else
+- result = IGB_XDP_CONSUMED;
++ if (err)
++ goto out_failure;
++ result = IGB_XDP_REDIR;
+ break;
+ default:
+ bpf_warn_invalid_xdp_action(act);
+ fallthrough;
+ case XDP_ABORTED:
++out_failure:
+ trace_xdp_exception(rx_ring->netdev, xdp_prog, act);
+ fallthrough;
+ case XDP_DROP:
+--
+2.30.2
+
--- /dev/null
+From e432f9654bc58d7436637523a873858bfad488f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jun 2021 07:32:58 +0000
+Subject: ipv6: Fix KASAN: slab-out-of-bounds Read in fib6_nh_flush_exceptions
+
+From: Coco Li <lixiaoyan@google.com>
+
+[ Upstream commit 821bbf79fe46a8b1d18aa456e8ed0a3c208c3754 ]
+
+Reported by syzbot:
+HEAD commit: 90c911ad Merge tag 'fixes' of git://git.kernel.org/pub/scm..
+git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
+dashboard link: https://syzkaller.appspot.com/bug?extid=123aa35098fd3c000eb7
+compiler: Debian clang version 11.0.1-2
+
+==================================================================
+BUG: KASAN: slab-out-of-bounds in fib6_nh_get_excptn_bucket net/ipv6/route.c:1604 [inline]
+BUG: KASAN: slab-out-of-bounds in fib6_nh_flush_exceptions+0xbd/0x360 net/ipv6/route.c:1732
+Read of size 8 at addr ffff8880145c78f8 by task syz-executor.4/17760
+
+CPU: 0 PID: 17760 Comm: syz-executor.4 Not tainted 5.12.0-rc8-syzkaller #0
+Call Trace:
+ <IRQ>
+ __dump_stack lib/dump_stack.c:79 [inline]
+ dump_stack+0x202/0x31e lib/dump_stack.c:120
+ print_address_description+0x5f/0x3b0 mm/kasan/report.c:232
+ __kasan_report mm/kasan/report.c:399 [inline]
+ kasan_report+0x15c/0x200 mm/kasan/report.c:416
+ fib6_nh_get_excptn_bucket net/ipv6/route.c:1604 [inline]
+ fib6_nh_flush_exceptions+0xbd/0x360 net/ipv6/route.c:1732
+ fib6_nh_release+0x9a/0x430 net/ipv6/route.c:3536
+ fib6_info_destroy_rcu+0xcb/0x1c0 net/ipv6/ip6_fib.c:174
+ rcu_do_batch kernel/rcu/tree.c:2559 [inline]
+ rcu_core+0x8f6/0x1450 kernel/rcu/tree.c:2794
+ __do_softirq+0x372/0x7a6 kernel/softirq.c:345
+ invoke_softirq kernel/softirq.c:221 [inline]
+ __irq_exit_rcu+0x22c/0x260 kernel/softirq.c:422
+ irq_exit_rcu+0x5/0x20 kernel/softirq.c:434
+ sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1100
+ </IRQ>
+ asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:632
+RIP: 0010:lock_acquire+0x1f6/0x720 kernel/locking/lockdep.c:5515
+Code: f6 84 24 a1 00 00 00 02 0f 85 8d 02 00 00 f7 c3 00 02 00 00 49 bd 00 00 00 00 00 fc ff df 74 01 fb 48 c7 44 24 40 0e 36 e0 45 <4b> c7 44 3d 00 00 00 00 00 4b c7 44 3d 09 00 00 00 00 43 c7 44 3d
+RSP: 0018:ffffc90009e06560 EFLAGS: 00000206
+RAX: 1ffff920013c0cc0 RBX: 0000000000000246 RCX: dffffc0000000000
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
+RBP: ffffc90009e066e0 R08: dffffc0000000000 R09: fffffbfff1f992b1
+R10: fffffbfff1f992b1 R11: 0000000000000000 R12: 0000000000000000
+R13: dffffc0000000000 R14: 0000000000000000 R15: 1ffff920013c0cb4
+ rcu_lock_acquire+0x2a/0x30 include/linux/rcupdate.h:267
+ rcu_read_lock include/linux/rcupdate.h:656 [inline]
+ ext4_get_group_info+0xea/0x340 fs/ext4/ext4.h:3231
+ ext4_mb_prefetch+0x123/0x5d0 fs/ext4/mballoc.c:2212
+ ext4_mb_regular_allocator+0x8a5/0x28f0 fs/ext4/mballoc.c:2379
+ ext4_mb_new_blocks+0xc6e/0x24f0 fs/ext4/mballoc.c:4982
+ ext4_ext_map_blocks+0x2be3/0x7210 fs/ext4/extents.c:4238
+ ext4_map_blocks+0xab3/0x1cb0 fs/ext4/inode.c:638
+ ext4_getblk+0x187/0x6c0 fs/ext4/inode.c:848
+ ext4_bread+0x2a/0x1c0 fs/ext4/inode.c:900
+ ext4_append+0x1a4/0x360 fs/ext4/namei.c:67
+ ext4_init_new_dir+0x337/0xa10 fs/ext4/namei.c:2768
+ ext4_mkdir+0x4b8/0xc00 fs/ext4/namei.c:2814
+ vfs_mkdir+0x45b/0x640 fs/namei.c:3819
+ ovl_do_mkdir fs/overlayfs/overlayfs.h:161 [inline]
+ ovl_mkdir_real+0x53/0x1a0 fs/overlayfs/dir.c:146
+ ovl_create_real+0x280/0x490 fs/overlayfs/dir.c:193
+ ovl_workdir_create+0x425/0x600 fs/overlayfs/super.c:788
+ ovl_make_workdir+0xed/0x1140 fs/overlayfs/super.c:1355
+ ovl_get_workdir fs/overlayfs/super.c:1492 [inline]
+ ovl_fill_super+0x39ee/0x5370 fs/overlayfs/super.c:2035
+ mount_nodev+0x52/0xe0 fs/super.c:1413
+ legacy_get_tree+0xea/0x180 fs/fs_context.c:592
+ vfs_get_tree+0x86/0x270 fs/super.c:1497
+ do_new_mount fs/namespace.c:2903 [inline]
+ path_mount+0x196f/0x2be0 fs/namespace.c:3233
+ do_mount fs/namespace.c:3246 [inline]
+ __do_sys_mount fs/namespace.c:3454 [inline]
+ __se_sys_mount+0x2f9/0x3b0 fs/namespace.c:3431
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+RIP: 0033:0x4665f9
+Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f68f2b87188 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
+RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 00000000004665f9
+RDX: 00000000200000c0 RSI: 0000000020000000 RDI: 000000000040000a
+RBP: 00000000004bfbb9 R08: 0000000020000100 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf60
+R13: 00007ffe19002dff R14: 00007f68f2b87300 R15: 0000000000022000
+
+Allocated by task 17768:
+ kasan_save_stack mm/kasan/common.c:38 [inline]
+ kasan_set_track mm/kasan/common.c:46 [inline]
+ set_alloc_info mm/kasan/common.c:427 [inline]
+ ____kasan_kmalloc+0xc2/0xf0 mm/kasan/common.c:506
+ kasan_kmalloc include/linux/kasan.h:233 [inline]
+ __kmalloc+0xb4/0x380 mm/slub.c:4055
+ kmalloc include/linux/slab.h:559 [inline]
+ kzalloc include/linux/slab.h:684 [inline]
+ fib6_info_alloc+0x2c/0xd0 net/ipv6/ip6_fib.c:154
+ ip6_route_info_create+0x55d/0x1a10 net/ipv6/route.c:3638
+ ip6_route_add+0x22/0x120 net/ipv6/route.c:3728
+ inet6_rtm_newroute+0x2cd/0x2260 net/ipv6/route.c:5352
+ rtnetlink_rcv_msg+0xb34/0xe70 net/core/rtnetlink.c:5553
+ netlink_rcv_skb+0x1f0/0x460 net/netlink/af_netlink.c:2502
+ netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
+ netlink_unicast+0x7de/0x9b0 net/netlink/af_netlink.c:1338
+ netlink_sendmsg+0xaa6/0xe90 net/netlink/af_netlink.c:1927
+ sock_sendmsg_nosec net/socket.c:654 [inline]
+ sock_sendmsg net/socket.c:674 [inline]
+ ____sys_sendmsg+0x5a2/0x900 net/socket.c:2350
+ ___sys_sendmsg net/socket.c:2404 [inline]
+ __sys_sendmsg+0x319/0x400 net/socket.c:2433
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Last potentially related work creation:
+ kasan_save_stack+0x27/0x50 mm/kasan/common.c:38
+ kasan_record_aux_stack+0xee/0x120 mm/kasan/generic.c:345
+ __call_rcu kernel/rcu/tree.c:3039 [inline]
+ call_rcu+0x1b1/0xa30 kernel/rcu/tree.c:3114
+ fib6_info_release include/net/ip6_fib.h:337 [inline]
+ ip6_route_info_create+0x10c4/0x1a10 net/ipv6/route.c:3718
+ ip6_route_add+0x22/0x120 net/ipv6/route.c:3728
+ inet6_rtm_newroute+0x2cd/0x2260 net/ipv6/route.c:5352
+ rtnetlink_rcv_msg+0xb34/0xe70 net/core/rtnetlink.c:5553
+ netlink_rcv_skb+0x1f0/0x460 net/netlink/af_netlink.c:2502
+ netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
+ netlink_unicast+0x7de/0x9b0 net/netlink/af_netlink.c:1338
+ netlink_sendmsg+0xaa6/0xe90 net/netlink/af_netlink.c:1927
+ sock_sendmsg_nosec net/socket.c:654 [inline]
+ sock_sendmsg net/socket.c:674 [inline]
+ ____sys_sendmsg+0x5a2/0x900 net/socket.c:2350
+ ___sys_sendmsg net/socket.c:2404 [inline]
+ __sys_sendmsg+0x319/0x400 net/socket.c:2433
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Second to last potentially related work creation:
+ kasan_save_stack+0x27/0x50 mm/kasan/common.c:38
+ kasan_record_aux_stack+0xee/0x120 mm/kasan/generic.c:345
+ insert_work+0x54/0x400 kernel/workqueue.c:1331
+ __queue_work+0x981/0xcc0 kernel/workqueue.c:1497
+ queue_work_on+0x111/0x200 kernel/workqueue.c:1524
+ queue_work include/linux/workqueue.h:507 [inline]
+ call_usermodehelper_exec+0x283/0x470 kernel/umh.c:433
+ kobject_uevent_env+0x1349/0x1730 lib/kobject_uevent.c:617
+ kvm_uevent_notify_change+0x309/0x3b0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:4809
+ kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:877 [inline]
+ kvm_put_kvm+0x9c/0xd10 arch/x86/kvm/../../../virt/kvm/kvm_main.c:920
+ kvm_vcpu_release+0x53/0x60 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3120
+ __fput+0x352/0x7b0 fs/file_table.c:280
+ task_work_run+0x146/0x1c0 kernel/task_work.c:140
+ tracehook_notify_resume include/linux/tracehook.h:189 [inline]
+ exit_to_user_mode_loop kernel/entry/common.c:174 [inline]
+ exit_to_user_mode_prepare+0x10b/0x1e0 kernel/entry/common.c:208
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline]
+ syscall_exit_to_user_mode+0x26/0x70 kernel/entry/common.c:301
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+The buggy address belongs to the object at ffff8880145c7800
+ which belongs to the cache kmalloc-192 of size 192
+The buggy address is located 56 bytes to the right of
+ 192-byte region [ffff8880145c7800, ffff8880145c78c0)
+The buggy address belongs to the page:
+page:ffffea00005171c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x145c7
+flags: 0xfff00000000200(slab)
+raw: 00fff00000000200 ffffea00006474c0 0000000200000002 ffff888010c41a00
+raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8880145c7780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+ ffff8880145c7800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+>ffff8880145c7880: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
+ ^
+ ffff8880145c7900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff8880145c7980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+==================================================================
+
+In the ip6_route_info_create function, in the case that the nh pointer
+is not NULL, the fib6_nh in fib6_info has not been allocated.
+Therefore, when trying to free fib6_info in this error case using
+fib6_info_release, the function will call fib6_info_destroy_rcu,
+which it will access fib6_nh_release(f6i->fib6_nh);
+However, f6i->fib6_nh doesn't have any refcount yet given the lack of allocation
+causing the reported memory issue above.
+Therefore, releasing the empty pointer directly instead would be the solution.
+
+Fixes: f88d8ea67fbdb ("ipv6: Plumb support for nexthop object in a fib6_info")
+Fixes: 706ec91916462 ("ipv6: Fix nexthop refcnt leak when creating ipv6 route info")
+Signed-off-by: Coco Li <lixiaoyan@google.com>
+Cc: David Ahern <dsahern@kernel.org>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/route.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index 71e578ed8699..ccff4738313c 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -3671,11 +3671,11 @@ static struct fib6_info *ip6_route_info_create(struct fib6_config *cfg,
+ if (nh) {
+ if (rt->fib6_src.plen) {
+ NL_SET_ERR_MSG(extack, "Nexthops can not be used with source routing");
+- goto out;
++ goto out_free;
+ }
+ if (!nexthop_get(nh)) {
+ NL_SET_ERR_MSG(extack, "Nexthop has been deleted");
+- goto out;
++ goto out_free;
+ }
+ rt->nh = nh;
+ fib6_nh = nexthop_fib6_nh(rt->nh);
+@@ -3712,6 +3712,10 @@ static struct fib6_info *ip6_route_info_create(struct fib6_config *cfg,
+ out:
+ fib6_info_release(rt);
+ return ERR_PTR(err);
++out_free:
++ ip_fib_metrics_put(rt->fib6_metrics);
++ kfree(rt);
++ return ERR_PTR(err);
+ }
+
+ int ip6_route_add(struct fib6_config *cfg, gfp_t gfp_flags,
+--
+2.30.2
+
--- /dev/null
+From e7ebd91bdc59f4ab7d85ede5b0204ab3346f87ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 May 2021 22:54:57 +0300
+Subject: ipvs: ignore IP_VS_SVC_F_HASHED flag when adding service
+
+From: Julian Anastasov <ja@ssi.bg>
+
+[ Upstream commit 56e4ee82e850026d71223262c07df7d6af3bd872 ]
+
+syzbot reported memory leak [1] when adding service with
+HASHED flag. We should ignore this flag both from sockopt
+and netlink provided data, otherwise the service is not
+hashed and not visible while releasing resources.
+
+[1]
+BUG: memory leak
+unreferenced object 0xffff888115227800 (size 512):
+ comm "syz-executor263", pid 8658, jiffies 4294951882 (age 12.560s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<ffffffff83977188>] kmalloc include/linux/slab.h:556 [inline]
+ [<ffffffff83977188>] kzalloc include/linux/slab.h:686 [inline]
+ [<ffffffff83977188>] ip_vs_add_service+0x598/0x7c0 net/netfilter/ipvs/ip_vs_ctl.c:1343
+ [<ffffffff8397d770>] do_ip_vs_set_ctl+0x810/0xa40 net/netfilter/ipvs/ip_vs_ctl.c:2570
+ [<ffffffff838449a8>] nf_setsockopt+0x68/0xa0 net/netfilter/nf_sockopt.c:101
+ [<ffffffff839ae4e9>] ip_setsockopt+0x259/0x1ff0 net/ipv4/ip_sockglue.c:1435
+ [<ffffffff839fa03c>] raw_setsockopt+0x18c/0x1b0 net/ipv4/raw.c:857
+ [<ffffffff83691f20>] __sys_setsockopt+0x1b0/0x360 net/socket.c:2117
+ [<ffffffff836920f2>] __do_sys_setsockopt net/socket.c:2128 [inline]
+ [<ffffffff836920f2>] __se_sys_setsockopt net/socket.c:2125 [inline]
+ [<ffffffff836920f2>] __x64_sys_setsockopt+0x22/0x30 net/socket.c:2125
+ [<ffffffff84350efa>] do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47
+ [<ffffffff84400068>] entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Reported-and-tested-by: syzbot+e562383183e4b1766930@syzkaller.appspotmail.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Reviewed-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/ipvs/ip_vs_ctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
+index d45dbcba8b49..c25097092a06 100644
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -1367,7 +1367,7 @@ ip_vs_add_service(struct netns_ipvs *ipvs, struct ip_vs_service_user_kern *u,
+ ip_vs_addr_copy(svc->af, &svc->addr, &u->addr);
+ svc->port = u->port;
+ svc->fwmark = u->fwmark;
+- svc->flags = u->flags;
++ svc->flags = u->flags & ~IP_VS_SVC_F_HASHED;
+ svc->timeout = u->timeout * HZ;
+ svc->netmask = u->netmask;
+ svc->ipvs = ipvs;
+--
+2.30.2
+
--- /dev/null
+From 39fd8b86edc2aa4d7510b7b79bf4c79d8c1c6cbf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 May 2021 11:38:51 +0200
+Subject: ixgbe: add correct exception tracing for XDP
+
+From: Magnus Karlsson <magnus.karlsson@intel.com>
+
+[ Upstream commit 8281356b1cab1cccc71412eb4cf28b99d6bb2c19 ]
+
+Add missing exception tracing to XDP when a number of different
+errors can occur. The support was only partial. Several errors
+where not logged which would confuse the user quite a lot not
+knowing where and why the packets disappeared.
+
+Fixes: 33fdc82f0883 ("ixgbe: add support for XDP_TX action")
+Fixes: d0bcacd0a130 ("ixgbe: add AF_XDP zero-copy Rx support")
+Reported-by: Jesper Dangaard Brouer <brouer@redhat.com>
+Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com>
+Tested-by: Vishakha Jambekar <vishakha.jambekar@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 16 ++++++++--------
+ drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c | 14 ++++++++------
+ 2 files changed, 16 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+index 0b9fddbc5db4..1bfba87f1ff6 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+@@ -2218,23 +2218,23 @@ static struct sk_buff *ixgbe_run_xdp(struct ixgbe_adapter *adapter,
+ break;
+ case XDP_TX:
+ xdpf = xdp_convert_buff_to_frame(xdp);
+- if (unlikely(!xdpf)) {
+- result = IXGBE_XDP_CONSUMED;
+- break;
+- }
++ if (unlikely(!xdpf))
++ goto out_failure;
+ result = ixgbe_xmit_xdp_ring(adapter, xdpf);
++ if (result == IXGBE_XDP_CONSUMED)
++ goto out_failure;
+ break;
+ case XDP_REDIRECT:
+ err = xdp_do_redirect(adapter->netdev, xdp, xdp_prog);
+- if (!err)
+- result = IXGBE_XDP_REDIR;
+- else
+- result = IXGBE_XDP_CONSUMED;
++ if (err)
++ goto out_failure;
++ result = IXGBE_XDP_REDIR;
+ break;
+ default:
+ bpf_warn_invalid_xdp_action(act);
+ fallthrough;
+ case XDP_ABORTED:
++out_failure:
+ trace_xdp_exception(rx_ring->netdev, xdp_prog, act);
+ fallthrough; /* handle aborts by dropping packet */
+ case XDP_DROP:
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c
+index 91ad5b902673..f72d2978263b 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c
+@@ -106,9 +106,10 @@ static int ixgbe_run_xdp_zc(struct ixgbe_adapter *adapter,
+
+ if (likely(act == XDP_REDIRECT)) {
+ err = xdp_do_redirect(rx_ring->netdev, xdp, xdp_prog);
+- result = !err ? IXGBE_XDP_REDIR : IXGBE_XDP_CONSUMED;
++ if (err)
++ goto out_failure;
+ rcu_read_unlock();
+- return result;
++ return IXGBE_XDP_REDIR;
+ }
+
+ switch (act) {
+@@ -116,16 +117,17 @@ static int ixgbe_run_xdp_zc(struct ixgbe_adapter *adapter,
+ break;
+ case XDP_TX:
+ xdpf = xdp_convert_buff_to_frame(xdp);
+- if (unlikely(!xdpf)) {
+- result = IXGBE_XDP_CONSUMED;
+- break;
+- }
++ if (unlikely(!xdpf))
++ goto out_failure;
+ result = ixgbe_xmit_xdp_ring(adapter, xdpf);
++ if (result == IXGBE_XDP_CONSUMED)
++ goto out_failure;
+ break;
+ default:
+ bpf_warn_invalid_xdp_action(act);
+ fallthrough;
+ case XDP_ABORTED:
++out_failure:
+ trace_xdp_exception(rx_ring->netdev, xdp_prog, act);
+ fallthrough; /* handle aborts by dropping packet */
+ case XDP_DROP:
+--
+2.30.2
+
--- /dev/null
+From e57ce7faf3a83411b2ab99bfba46f85ed05e3186 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Dec 2020 16:07:23 +0100
+Subject: ixgbe: optimize for XDP_REDIRECT in xsk path
+
+From: Magnus Karlsson <magnus.karlsson@intel.com>
+
+[ Upstream commit 7d52fe2eaddfa3d7255d43c3e89ebf2748b7ea7a ]
+
+Optimize ixgbe_run_xdp_zc() for the XDP program verdict being
+XDP_REDIRECT in the xsk zero-copy path. This path is only used when
+having AF_XDP zero-copy on and in that case most packets will be
+directed to user space. This provides a little under 100k extra
+packets in throughput on my server when running l2fwd in xdpsock.
+
+Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com>
+Tested-by: Vishakha Jambekar <vishakha.jambekar@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c
+index 3771857cf887..91ad5b902673 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c
+@@ -104,6 +104,13 @@ static int ixgbe_run_xdp_zc(struct ixgbe_adapter *adapter,
+ xdp_prog = READ_ONCE(rx_ring->xdp_prog);
+ act = bpf_prog_run_xdp(xdp_prog, xdp);
+
++ if (likely(act == XDP_REDIRECT)) {
++ err = xdp_do_redirect(rx_ring->netdev, xdp, xdp_prog);
++ result = !err ? IXGBE_XDP_REDIR : IXGBE_XDP_CONSUMED;
++ rcu_read_unlock();
++ return result;
++ }
++
+ switch (act) {
+ case XDP_PASS:
+ break;
+@@ -115,10 +122,6 @@ static int ixgbe_run_xdp_zc(struct ixgbe_adapter *adapter,
+ }
+ result = ixgbe_xmit_xdp_ring(adapter, xdpf);
+ break;
+- case XDP_REDIRECT:
+- err = xdp_do_redirect(rx_ring->netdev, xdp, xdp_prog);
+- result = !err ? IXGBE_XDP_REDIR : IXGBE_XDP_CONSUMED;
+- break;
+ default:
+ bpf_warn_invalid_xdp_action(act);
+ fallthrough;
+--
+2.30.2
+
--- /dev/null
+From 18576c720ef8ee0cd235c37339ab1bb0ad326be6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 May 2021 11:38:53 +0200
+Subject: ixgbevf: add correct exception tracing for XDP
+
+From: Magnus Karlsson <magnus.karlsson@intel.com>
+
+[ Upstream commit faae81420d162551b6ef2d804aafc00f4cd68e0e ]
+
+Add missing exception tracing to XDP when a number of different
+errors can occur. The support was only partial. Several errors
+where not logged which would confuse the user quite a lot not
+knowing where and why the packets disappeared.
+
+Fixes: 21092e9ce8b1 ("ixgbevf: Add support for XDP_TX action")
+Reported-by: Jesper Dangaard Brouer <brouer@redhat.com>
+Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com>
+Tested-by: Vishakha Jambekar <vishakha.jambekar@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c
+index 82fce27f682b..a7d0a459969a 100644
+--- a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c
++++ b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c
+@@ -1072,11 +1072,14 @@ static struct sk_buff *ixgbevf_run_xdp(struct ixgbevf_adapter *adapter,
+ case XDP_TX:
+ xdp_ring = adapter->xdp_ring[rx_ring->queue_index];
+ result = ixgbevf_xmit_xdp_ring(xdp_ring, xdp);
++ if (result == IXGBEVF_XDP_CONSUMED)
++ goto out_failure;
+ break;
+ default:
+ bpf_warn_invalid_xdp_action(act);
+ fallthrough;
+ case XDP_ABORTED:
++out_failure:
+ trace_xdp_exception(rx_ring->netdev, xdp_prog, act);
+ fallthrough; /* handle aborts by dropping packet */
+ case XDP_DROP:
+--
+2.30.2
+
--- /dev/null
+From 71554605406924e548a635a1788c56dc9374905e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 May 2021 16:31:38 -0700
+Subject: mptcp: always parse mptcp options for MPC reqsk
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit 06f9a435b3aa12f4de6da91f11fdce8ce7b46205 ]
+
+In subflow_syn_recv_sock() we currently skip options parsing
+for OoO packet, given that such packets may not carry the relevant
+MPC option.
+
+If the peer generates an MPC+data TSO packet and some of the early
+segments are lost or get reorder, we server will ignore the peer key,
+causing transient, unexpected fallback to TCP.
+
+The solution is always parsing the incoming MPTCP options, and
+do the fallback only for in-order packets. This actually cleans
+the existing code a bit.
+
+Fixes: d22f4988ffec ("mptcp: process MP_CAPABLE data option")
+Reported-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mptcp/subflow.c | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c
+index bdd6af38a9ae..96b6aca9d0ae 100644
+--- a/net/mptcp/subflow.c
++++ b/net/mptcp/subflow.c
+@@ -527,21 +527,20 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk,
+
+ /* if the sk is MP_CAPABLE, we try to fetch the client key */
+ if (subflow_req->mp_capable) {
+- if (TCP_SKB_CB(skb)->seq != subflow_req->ssn_offset + 1) {
+- /* here we can receive and accept an in-window,
+- * out-of-order pkt, which will not carry the MP_CAPABLE
+- * opt even on mptcp enabled paths
+- */
+- goto create_msk;
+- }
+-
++ /* we can receive and accept an in-window, out-of-order pkt,
++ * which may not carry the MP_CAPABLE opt even on mptcp enabled
++ * paths: always try to extract the peer key, and fallback
++ * for packets missing it.
++ * Even OoO DSS packets coming legitly after dropped or
++ * reordered MPC will cause fallback, but we don't have other
++ * options.
++ */
+ mptcp_get_options(skb, &mp_opt);
+ if (!mp_opt.mp_capable) {
+ fallback = true;
+ goto create_child;
+ }
+
+-create_msk:
+ new_msk = mptcp_sk_clone(listener->conn, &mp_opt, req);
+ if (!new_msk)
+ fallback = true;
+--
+2.30.2
+
--- /dev/null
+From 36d3502aceebd28e13b6465b9ca280dfc5aca573 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 May 2021 18:50:19 +0200
+Subject: mt76: mt76x0e: fix device hang during suspend/resume
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit 509559c35bcd23d5a046624b225cb3e99a9f1481 ]
+
+Similar to usb device, re-initialize mt76x0e device after resume in order
+to fix mt7630e hang during suspend/resume
+
+Reported-by: Luca Trombin <luca.trombin@gmail.com>
+Fixes: c2a4d9fbabfb9 ("mt76x0: inital split between pci and usb")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/4812f9611624b34053c1592fd9c175b67d4ffcb4.1620406022.git.lorenzo@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/mediatek/mt76/mt76x0/pci.c | 81 ++++++++++++++++++-
+ 1 file changed, 77 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt76x0/pci.c b/drivers/net/wireless/mediatek/mt76/mt76x0/pci.c
+index b87d8e136cb9..a594ae11b1f7 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt76x0/pci.c
++++ b/drivers/net/wireless/mediatek/mt76/mt76x0/pci.c
+@@ -87,7 +87,7 @@ static const struct ieee80211_ops mt76x0e_ops = {
+ .reconfig_complete = mt76x02_reconfig_complete,
+ };
+
+-static int mt76x0e_register_device(struct mt76x02_dev *dev)
++static int mt76x0e_init_hardware(struct mt76x02_dev *dev, bool resume)
+ {
+ int err;
+
+@@ -100,9 +100,11 @@ static int mt76x0e_register_device(struct mt76x02_dev *dev)
+ if (err < 0)
+ return err;
+
+- err = mt76x02_dma_init(dev);
+- if (err < 0)
+- return err;
++ if (!resume) {
++ err = mt76x02_dma_init(dev);
++ if (err < 0)
++ return err;
++ }
+
+ err = mt76x0_init_hardware(dev);
+ if (err < 0)
+@@ -123,6 +125,17 @@ static int mt76x0e_register_device(struct mt76x02_dev *dev)
+ mt76_clear(dev, 0x110, BIT(9));
+ mt76_set(dev, MT_MAX_LEN_CFG, BIT(13));
+
++ return 0;
++}
++
++static int mt76x0e_register_device(struct mt76x02_dev *dev)
++{
++ int err;
++
++ err = mt76x0e_init_hardware(dev, false);
++ if (err < 0)
++ return err;
++
+ err = mt76x0_register_device(dev);
+ if (err < 0)
+ return err;
+@@ -167,6 +180,8 @@ mt76x0e_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+ if (ret)
+ return ret;
+
++ mt76_pci_disable_aspm(pdev);
++
+ mdev = mt76_alloc_device(&pdev->dev, sizeof(*dev), &mt76x0e_ops,
+ &drv_ops);
+ if (!mdev)
+@@ -220,6 +235,60 @@ mt76x0e_remove(struct pci_dev *pdev)
+ mt76_free_device(mdev);
+ }
+
++#ifdef CONFIG_PM
++static int mt76x0e_suspend(struct pci_dev *pdev, pm_message_t state)
++{
++ struct mt76_dev *mdev = pci_get_drvdata(pdev);
++ struct mt76x02_dev *dev = container_of(mdev, struct mt76x02_dev, mt76);
++ int i;
++
++ mt76_worker_disable(&mdev->tx_worker);
++ for (i = 0; i < ARRAY_SIZE(mdev->phy.q_tx); i++)
++ mt76_queue_tx_cleanup(dev, mdev->phy.q_tx[i], true);
++ for (i = 0; i < ARRAY_SIZE(mdev->q_mcu); i++)
++ mt76_queue_tx_cleanup(dev, mdev->q_mcu[i], true);
++ napi_disable(&mdev->tx_napi);
++
++ mt76_for_each_q_rx(mdev, i)
++ napi_disable(&mdev->napi[i]);
++
++ mt76x02_dma_disable(dev);
++ mt76x02_mcu_cleanup(dev);
++ mt76x0_chip_onoff(dev, false, false);
++
++ pci_enable_wake(pdev, pci_choose_state(pdev, state), true);
++ pci_save_state(pdev);
++
++ return pci_set_power_state(pdev, pci_choose_state(pdev, state));
++}
++
++static int mt76x0e_resume(struct pci_dev *pdev)
++{
++ struct mt76_dev *mdev = pci_get_drvdata(pdev);
++ struct mt76x02_dev *dev = container_of(mdev, struct mt76x02_dev, mt76);
++ int err, i;
++
++ err = pci_set_power_state(pdev, PCI_D0);
++ if (err)
++ return err;
++
++ pci_restore_state(pdev);
++
++ mt76_worker_enable(&mdev->tx_worker);
++
++ mt76_for_each_q_rx(mdev, i) {
++ mt76_queue_rx_reset(dev, i);
++ napi_enable(&mdev->napi[i]);
++ napi_schedule(&mdev->napi[i]);
++ }
++
++ napi_enable(&mdev->tx_napi);
++ napi_schedule(&mdev->tx_napi);
++
++ return mt76x0e_init_hardware(dev, true);
++}
++#endif /* CONFIG_PM */
++
+ static const struct pci_device_id mt76x0e_device_table[] = {
+ { PCI_DEVICE(0x14c3, 0x7610) },
+ { PCI_DEVICE(0x14c3, 0x7630) },
+@@ -237,6 +306,10 @@ static struct pci_driver mt76x0e_driver = {
+ .id_table = mt76x0e_device_table,
+ .probe = mt76x0e_probe,
+ .remove = mt76x0e_remove,
++#ifdef CONFIG_PM
++ .suspend = mt76x0e_suspend,
++ .resume = mt76x0e_resume,
++#endif /* CONFIG_PM */
+ };
+
+ module_pci_driver(mt76x0e_driver);
+--
+2.30.2
+
--- /dev/null
+From 3b01206c633c1a9c4392fc2eb15ac184962194e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 May 2021 13:20:45 +0300
+Subject: net: dsa: tag_8021q: fix the VLAN IDs used for encoding sub-VLANs
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 4ef8d857b5f494e62bce9085031563fda35f9563 ]
+
+When using sub-VLANs in the range of 1-7, the resulting value from:
+
+ rx_vid = dsa_8021q_rx_vid_subvlan(ds, port, subvlan);
+
+is wrong according to the description from tag_8021q.c:
+
+ | 11 | 10 | 9 | 8 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
+ +-----------+-----+-----------------+-----------+-----------------------+
+ | DIR | SVL | SWITCH_ID | SUBVLAN | PORT |
+ +-----------+-----+-----------------+-----------+-----------------------+
+
+For example, when ds->index == 0, port == 3 and subvlan == 1,
+dsa_8021q_rx_vid_subvlan() returns 1027, same as it returns for
+subvlan == 0, but it should have returned 1043.
+
+This is because the low portion of the subvlan bits are not masked
+properly when writing into the 12-bit VLAN value. They are masked into
+bits 4:3, but they should be masked into bits 5:4.
+
+Fixes: 3eaae1d05f2b ("net: dsa: tag_8021q: support up to 8 VLANs per port using sub-VLANs")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/dsa/tag_8021q.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/dsa/tag_8021q.c b/net/dsa/tag_8021q.c
+index 8e3e8a5b8559..a00b513c22a1 100644
+--- a/net/dsa/tag_8021q.c
++++ b/net/dsa/tag_8021q.c
+@@ -64,7 +64,7 @@
+ #define DSA_8021Q_SUBVLAN_HI_SHIFT 9
+ #define DSA_8021Q_SUBVLAN_HI_MASK GENMASK(9, 9)
+ #define DSA_8021Q_SUBVLAN_LO_SHIFT 4
+-#define DSA_8021Q_SUBVLAN_LO_MASK GENMASK(4, 3)
++#define DSA_8021Q_SUBVLAN_LO_MASK GENMASK(5, 4)
+ #define DSA_8021Q_SUBVLAN_HI(x) (((x) & GENMASK(2, 2)) >> 2)
+ #define DSA_8021Q_SUBVLAN_LO(x) ((x) & GENMASK(1, 0))
+ #define DSA_8021Q_SUBVLAN(x) \
+--
+2.30.2
+
--- /dev/null
+From b8648d8f597799a581fafdaf1f8776c399628e60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Apr 2021 07:30:57 +0300
+Subject: net/mlx5: Check firmware sync reset requested is set before trying to
+ abort it
+
+From: Moshe Shemesh <moshe@nvidia.com>
+
+[ Upstream commit 5940e64281c09976ce2b560244217e610bf9d029 ]
+
+In case driver sent NACK to firmware on sync reset request, it will get
+sync reset abort event while it didn't set sync reset requested mode.
+Thus, on abort sync reset event handler, driver should check reset
+requested is set before trying to stop sync reset poll.
+
+Fixes: 7dd6df329d4c ("net/mlx5: Handle sync reset abort event")
+Signed-off-by: Moshe Shemesh <moshe@nvidia.com>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c b/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c
+index f9042e147c7f..ee710ce00795 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c
+@@ -354,6 +354,9 @@ static void mlx5_sync_reset_abort_event(struct work_struct *work)
+ reset_abort_work);
+ struct mlx5_core_dev *dev = fw_reset->dev;
+
++ if (!test_bit(MLX5_FW_RESET_FLAGS_RESET_REQUESTED, &fw_reset->reset_flags))
++ return;
++
+ mlx5_sync_reset_clear_reset_requested(dev, true);
+ mlx5_core_warn(dev, "PCI Sync FW Update Reset Aborted.\n");
+ }
+--
+2.30.2
+
--- /dev/null
+From 7665b6f2d7b7cd69ce7042fc61b5e7fea35f1f6e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Dec 2020 16:40:38 +0200
+Subject: net/mlx5: DR, Create multi-destination flow table with level less
+ than 64
+
+From: Yevgeny Kliteynik <kliteyn@nvidia.com>
+
+[ Upstream commit 216214c64a8c1cb9078c2c0aec7bb4a2f8e75397 ]
+
+Flow table that contains flow pointing to multiple flow tables or multiple
+TIRs must have a level lower than 64. In our case it applies to muli-
+destination flow table.
+Fix the level of the created table to comply with HW Spec definitions, and
+still make sure that its level lower than SW-owned tables, so that it
+would be possible to point from the multi-destination FW table to SW
+tables.
+
+Fixes: 34583beea4b7 ("net/mlx5: DR, Create multi-destination table for SW-steering use")
+Signed-off-by: Yevgeny Kliteynik <kliteyn@nvidia.com>
+Reviewed-by: Alex Vesker <valex@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/steering/dr_fw.c | 3 ++-
+ include/linux/mlx5/mlx5_ifc.h | 2 ++
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_fw.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_fw.c
+index 1fbcd012bb85..7ccfd40586ce 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_fw.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_fw.c
+@@ -112,7 +112,8 @@ int mlx5dr_fw_create_md_tbl(struct mlx5dr_domain *dmn,
+ int ret;
+
+ ft_attr.table_type = MLX5_FLOW_TABLE_TYPE_FDB;
+- ft_attr.level = dmn->info.caps.max_ft_level - 2;
++ ft_attr.level = min_t(int, dmn->info.caps.max_ft_level - 2,
++ MLX5_FT_MAX_MULTIPATH_LEVEL);
+ ft_attr.reformat_en = reformat_req;
+ ft_attr.decap_en = reformat_req;
+
+diff --git a/include/linux/mlx5/mlx5_ifc.h b/include/linux/mlx5/mlx5_ifc.h
+index cc9ee0776974..af8f4e2cf21d 100644
+--- a/include/linux/mlx5/mlx5_ifc.h
++++ b/include/linux/mlx5/mlx5_ifc.h
+@@ -1223,6 +1223,8 @@ enum mlx5_fc_bulk_alloc_bitmask {
+
+ #define MLX5_FC_BULK_NUM_FCS(fc_enum) (MLX5_FC_BULK_SIZE_FACTOR * (fc_enum))
+
++#define MLX5_FT_MAX_MULTIPATH_LEVEL 63
++
+ enum {
+ MLX5_STEERING_FORMAT_CONNECTX_5 = 0,
+ MLX5_STEERING_FORMAT_CONNECTX_6DX = 1,
+--
+2.30.2
+
--- /dev/null
+From 6fcf120eec7348050b5ee629c460863dd023eb1c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Apr 2021 14:35:22 +0300
+Subject: net/mlx5e: Check for needed capability for cvlan matching
+
+From: Roi Dayan <roid@nvidia.com>
+
+[ Upstream commit afe93f71b5d3cdae7209213ec8ef25210b837b93 ]
+
+If not supported show an error and return instead of trying to offload
+to the hardware and fail.
+
+Fixes: 699e96ddf47f ("net/mlx5e: Support offloading tc double vlan headers match")
+Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Roi Dayan <roid@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+index 1bdeb948f56d..80abdb0b47d7 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+@@ -2253,11 +2253,13 @@ static int __parse_cls_flower(struct mlx5e_priv *priv,
+ misc_parameters);
+ struct flow_rule *rule = flow_cls_offload_flow_rule(f);
+ struct flow_dissector *dissector = rule->match.dissector;
++ enum fs_flow_table_type fs_type;
+ u16 addr_type = 0;
+ u8 ip_proto = 0;
+ u8 *match_level;
+ int err;
+
++ fs_type = mlx5e_is_eswitch_flow(flow) ? FS_FT_FDB : FS_FT_NIC_RX;
+ match_level = outer_match_level;
+
+ if (dissector->used_keys &
+@@ -2382,6 +2384,13 @@ static int __parse_cls_flower(struct mlx5e_priv *priv,
+ if (match.mask->vlan_id ||
+ match.mask->vlan_priority ||
+ match.mask->vlan_tpid) {
++ if (!MLX5_CAP_FLOWTABLE_TYPE(priv->mdev, ft_field_support.outer_second_vid,
++ fs_type)) {
++ NL_SET_ERR_MSG_MOD(extack,
++ "Matching on CVLAN is not supported");
++ return -EOPNOTSUPP;
++ }
++
+ if (match.key->vlan_tpid == htons(ETH_P_8021AD)) {
+ MLX5_SET(fte_match_set_misc, misc_c,
+ outer_second_svlan_tag, 1);
+--
+2.30.2
+
--- /dev/null
+From b38d7b03f4a4afb858620d5b8a7e4551155b6c9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 May 2021 15:35:25 +0300
+Subject: net/mlx5e: Fix incompatible casting
+
+From: Aya Levin <ayal@nvidia.com>
+
+[ Upstream commit d8ec92005f806dfa7524e9171eca707c0bb1267e ]
+
+Device supports setting of a single fec mode at a time, enforce this
+by bitmap_weight == 1. Input from fec command is in u32, avoid cast to
+unsigned long and use bitmap_from_arr32 to populate bitmap safely.
+
+Fixes: 4bd9d5070b92 ("net/mlx5e: Enforce setting of a single FEC mode")
+Signed-off-by: Aya Levin <ayal@nvidia.com>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
+index 986f0d86e94d..bc7c1962f9e6 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
+@@ -1618,12 +1618,13 @@ static int mlx5e_set_fecparam(struct net_device *netdev,
+ {
+ struct mlx5e_priv *priv = netdev_priv(netdev);
+ struct mlx5_core_dev *mdev = priv->mdev;
++ unsigned long fec_bitmap;
+ u16 fec_policy = 0;
+ int mode;
+ int err;
+
+- if (bitmap_weight((unsigned long *)&fecparam->fec,
+- ETHTOOL_FEC_LLRS_BIT + 1) > 1)
++ bitmap_from_arr32(&fec_bitmap, &fecparam->fec, sizeof(fecparam->fec) * BITS_PER_BYTE);
++ if (bitmap_weight(&fec_bitmap, ETHTOOL_FEC_LLRS_BIT + 1) > 1)
+ return -EOPNOTSUPP;
+
+ for (mode = 0; mode < ARRAY_SIZE(pplm_fec_2_ethtool); mode++) {
+--
+2.30.2
+
--- /dev/null
+From f483361e9b3c1d77866291c95fb5f4c14c38656c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 May 2021 20:01:10 +0300
+Subject: net/sched: act_ct: Fix ct template allocation for zone 0
+
+From: Ariel Levkovich <lariel@nvidia.com>
+
+[ Upstream commit fb91702b743dec78d6507c53a2dec8a8883f509d ]
+
+Fix current behavior of skipping template allocation in case the
+ct action is in zone 0.
+
+Skipping the allocation may cause the datapath ct code to ignore the
+entire ct action with all its attributes (commit, nat) in case the ct
+action in zone 0 was preceded by a ct clear action.
+
+The ct clear action sets the ct_state to untracked and resets the
+skb->_nfct pointer. Under these conditions and without an allocated
+ct template, the skb->_nfct pointer will remain NULL which will
+cause the tc ct action handler to exit without handling commit and nat
+actions, if such exist.
+
+For example, the following rule in OVS dp:
+recirc_id(0x2),ct_state(+new-est-rel-rpl+trk),ct_label(0/0x1), \
+in_port(eth0),actions:ct_clear,ct(commit,nat(src=10.11.0.12)), \
+recirc(0x37a)
+
+Will result in act_ct skipping the commit and nat actions in zone 0.
+
+The change removes the skipping of template allocation for zone 0 and
+treats it the same as any other zone.
+
+Fixes: b57dc7c13ea9 ("net/sched: Introduce action ct")
+Signed-off-by: Ariel Levkovich <lariel@nvidia.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Link: https://lore.kernel.org/r/20210526170110.54864-1-lariel@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/act_ct.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
+index 6376b7b22325..315a5b2f3add 100644
+--- a/net/sched/act_ct.c
++++ b/net/sched/act_ct.c
+@@ -1199,9 +1199,6 @@ static int tcf_ct_fill_params(struct net *net,
+ sizeof(p->zone));
+ }
+
+- if (p->zone == NF_CT_DEFAULT_ZONE_ID)
+- return 0;
+-
+ nf_ct_zone_init(&zone, p->zone, NF_CT_DEFAULT_ZONE_DIR, 0);
+ tmpl = nf_ct_tmpl_alloc(net, &zone, GFP_KERNEL);
+ if (!tmpl) {
+--
+2.30.2
+
--- /dev/null
+From 9368ab08d4aa1d1689c5ee1893f341695afef4d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 May 2021 14:44:09 +0300
+Subject: net/sched: act_ct: Offload connections with commit action
+
+From: Paul Blakey <paulb@nvidia.com>
+
+[ Upstream commit 0cc254e5aa37cf05f65bcdcdc0ac5c58010feb33 ]
+
+Currently established connections are not offloaded if the filter has a
+"ct commit" action. This behavior will not offload connections of the
+following scenario:
+
+$ tc_filter add dev $DEV ingress protocol ip prio 1 flower \
+ ct_state -trk \
+ action ct commit action goto chain 1
+
+$ tc_filter add dev $DEV ingress protocol ip chain 1 prio 1 flower \
+ action mirred egress redirect dev $DEV2
+
+$ tc_filter add dev $DEV2 ingress protocol ip prio 1 flower \
+ action ct commit action goto chain 1
+
+$ tc_filter add dev $DEV2 ingress protocol ip prio 1 chain 1 flower \
+ ct_state +trk+est \
+ action mirred egress redirect dev $DEV
+
+Offload established connections, regardless of the commit flag.
+
+Fixes: 46475bb20f4b ("net/sched: act_ct: Software offload of established flows")
+Reviewed-by: Oz Shlomo <ozsh@nvidia.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: Paul Blakey <paulb@nvidia.com>
+Link: https://lore.kernel.org/r/1622029449-27060-1-git-send-email-paulb@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/act_ct.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
+index aba3cd85f284..6376b7b22325 100644
+--- a/net/sched/act_ct.c
++++ b/net/sched/act_ct.c
+@@ -979,7 +979,7 @@ static int tcf_ct_act(struct sk_buff *skb, const struct tc_action *a,
+ */
+ cached = tcf_ct_skb_nfct_cached(net, skb, p->zone, force);
+ if (!cached) {
+- if (!commit && tcf_ct_flow_table_lookup(p, skb, family)) {
++ if (tcf_ct_flow_table_lookup(p, skb, family)) {
+ skip_add = true;
+ goto do_nat;
+ }
+@@ -1019,10 +1019,11 @@ do_nat:
+ * even if the connection is already confirmed.
+ */
+ nf_conntrack_confirm(skb);
+- } else if (!skip_add) {
+- tcf_ct_flow_table_process_conn(p->ct_ft, ct, ctinfo);
+ }
+
++ if (!skip_add)
++ tcf_ct_flow_table_process_conn(p->ct_ft, ct, ctinfo);
++
+ out_push:
+ skb_push_rcsum(skb, nh_ofs);
+
+--
+2.30.2
+
--- /dev/null
+From 2b02504dda48e9c31f0b485b97f34d9e99b4d602 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 May 2021 17:00:30 -0400
+Subject: net: sock: fix in-kernel mark setting
+
+From: Alexander Aring <aahringo@redhat.com>
+
+[ Upstream commit dd9082f4a9f94280fbbece641bf8fc0a25f71f7a ]
+
+This patch fixes the in-kernel mark setting by doing an additional
+sk_dst_reset() which was introduced by commit 50254256f382 ("sock: Reset
+dst when changing sk_mark via setsockopt"). The code is now shared to
+avoid any further suprises when changing the socket mark value.
+
+Fixes: 84d1c617402e ("net: sock: add sock_set_mark")
+Reported-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/sock.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index dee29f41beaf..7de51ea15cdf 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -807,10 +807,18 @@ void sock_set_rcvbuf(struct sock *sk, int val)
+ }
+ EXPORT_SYMBOL(sock_set_rcvbuf);
+
++static void __sock_set_mark(struct sock *sk, u32 val)
++{
++ if (val != sk->sk_mark) {
++ sk->sk_mark = val;
++ sk_dst_reset(sk);
++ }
++}
++
+ void sock_set_mark(struct sock *sk, u32 val)
+ {
+ lock_sock(sk);
+- sk->sk_mark = val;
++ __sock_set_mark(sk, val);
+ release_sock(sk);
+ }
+ EXPORT_SYMBOL(sock_set_mark);
+@@ -1118,10 +1126,10 @@ set_sndbuf:
+ case SO_MARK:
+ if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) {
+ ret = -EPERM;
+- } else if (val != sk->sk_mark) {
+- sk->sk_mark = val;
+- sk_dst_reset(sk);
++ break;
+ }
++
++ __sock_set_mark(sk, val);
+ break;
+
+ case SO_RXQ_OVFL:
+--
+2.30.2
+
--- /dev/null
+From 16acb513d314f7577127f38f9df7159941fab76d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jun 2021 15:08:00 +0300
+Subject: net/tls: Fix use-after-free after the TLS device goes down and up
+
+From: Maxim Mikityanskiy <maximmi@nvidia.com>
+
+[ Upstream commit c55dcdd435aa6c6ad6ccac0a4c636d010ee367a4 ]
+
+When a netdev with active TLS offload goes down, tls_device_down is
+called to stop the offload and tear down the TLS context. However, the
+socket stays alive, and it still points to the TLS context, which is now
+deallocated. If a netdev goes up, while the connection is still active,
+and the data flow resumes after a number of TCP retransmissions, it will
+lead to a use-after-free of the TLS context.
+
+This commit addresses this bug by keeping the context alive until its
+normal destruction, and implements the necessary fallbacks, so that the
+connection can resume in software (non-offloaded) kTLS mode.
+
+On the TX side tls_sw_fallback is used to encrypt all packets. The RX
+side already has all the necessary fallbacks, because receiving
+non-decrypted packets is supported. The thing needed on the RX side is
+to block resync requests, which are normally produced after receiving
+non-decrypted packets.
+
+The necessary synchronization is implemented for a graceful teardown:
+first the fallbacks are deployed, then the driver resources are released
+(it used to be possible to have a tls_dev_resync after tls_dev_del).
+
+A new flag called TLS_RX_DEV_DEGRADED is added to indicate the fallback
+mode. It's used to skip the RX resync logic completely, as it becomes
+useless, and some objects may be released (for example, resync_async,
+which is allocated and freed by the driver).
+
+Fixes: e8f69799810c ("net/tls: Add generic NIC offload infrastructure")
+Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/tls.h | 9 ++++++
+ net/tls/tls_device.c | 52 +++++++++++++++++++++++++++++++----
+ net/tls/tls_device_fallback.c | 7 +++++
+ net/tls/tls_main.c | 1 +
+ 4 files changed, 64 insertions(+), 5 deletions(-)
+
+diff --git a/include/net/tls.h b/include/net/tls.h
+index d32a06705587..43891b28fc48 100644
+--- a/include/net/tls.h
++++ b/include/net/tls.h
+@@ -193,6 +193,11 @@ struct tls_offload_context_tx {
+ (sizeof(struct tls_offload_context_tx) + TLS_DRIVER_STATE_SIZE_TX)
+
+ enum tls_context_flags {
++ /* tls_device_down was called after the netdev went down, device state
++ * was released, and kTLS works in software, even though rx_conf is
++ * still TLS_HW (needed for transition).
++ */
++ TLS_RX_DEV_DEGRADED = 0,
+ /* Unlike RX where resync is driven entirely by the core in TX only
+ * the driver knows when things went out of sync, so we need the flag
+ * to be atomic.
+@@ -264,6 +269,7 @@ struct tls_context {
+
+ /* cache cold stuff */
+ struct proto *sk_proto;
++ struct sock *sk;
+
+ void (*sk_destruct)(struct sock *sk);
+
+@@ -446,6 +452,9 @@ static inline u16 tls_user_config(struct tls_context *ctx, bool tx)
+ struct sk_buff *
+ tls_validate_xmit_skb(struct sock *sk, struct net_device *dev,
+ struct sk_buff *skb);
++struct sk_buff *
++tls_validate_xmit_skb_sw(struct sock *sk, struct net_device *dev,
++ struct sk_buff *skb);
+
+ static inline bool tls_is_sk_tx_device_offloaded(struct sock *sk)
+ {
+diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c
+index abc04045577d..f718c7346088 100644
+--- a/net/tls/tls_device.c
++++ b/net/tls/tls_device.c
+@@ -50,6 +50,7 @@ static void tls_device_gc_task(struct work_struct *work);
+ static DECLARE_WORK(tls_device_gc_work, tls_device_gc_task);
+ static LIST_HEAD(tls_device_gc_list);
+ static LIST_HEAD(tls_device_list);
++static LIST_HEAD(tls_device_down_list);
+ static DEFINE_SPINLOCK(tls_device_lock);
+
+ static void tls_device_free_ctx(struct tls_context *ctx)
+@@ -759,6 +760,8 @@ void tls_device_rx_resync_new_rec(struct sock *sk, u32 rcd_len, u32 seq)
+
+ if (tls_ctx->rx_conf != TLS_HW)
+ return;
++ if (unlikely(test_bit(TLS_RX_DEV_DEGRADED, &tls_ctx->flags)))
++ return;
+
+ prot = &tls_ctx->prot_info;
+ rx_ctx = tls_offload_ctx_rx(tls_ctx);
+@@ -961,6 +964,17 @@ int tls_device_decrypted(struct sock *sk, struct tls_context *tls_ctx,
+
+ ctx->sw.decrypted |= is_decrypted;
+
++ if (unlikely(test_bit(TLS_RX_DEV_DEGRADED, &tls_ctx->flags))) {
++ if (likely(is_encrypted || is_decrypted))
++ return 0;
++
++ /* After tls_device_down disables the offload, the next SKB will
++ * likely have initial fragments decrypted, and final ones not
++ * decrypted. We need to reencrypt that single SKB.
++ */
++ return tls_device_reencrypt(sk, skb);
++ }
++
+ /* Return immediately if the record is either entirely plaintext or
+ * entirely ciphertext. Otherwise handle reencrypt partially decrypted
+ * record.
+@@ -1288,6 +1302,26 @@ static int tls_device_down(struct net_device *netdev)
+ spin_unlock_irqrestore(&tls_device_lock, flags);
+
+ list_for_each_entry_safe(ctx, tmp, &list, list) {
++ /* Stop offloaded TX and switch to the fallback.
++ * tls_is_sk_tx_device_offloaded will return false.
++ */
++ WRITE_ONCE(ctx->sk->sk_validate_xmit_skb, tls_validate_xmit_skb_sw);
++
++ /* Stop the RX and TX resync.
++ * tls_dev_resync must not be called after tls_dev_del.
++ */
++ WRITE_ONCE(ctx->netdev, NULL);
++
++ /* Start skipping the RX resync logic completely. */
++ set_bit(TLS_RX_DEV_DEGRADED, &ctx->flags);
++
++ /* Sync with inflight packets. After this point:
++ * TX: no non-encrypted packets will be passed to the driver.
++ * RX: resync requests from the driver will be ignored.
++ */
++ synchronize_net();
++
++ /* Release the offload context on the driver side. */
+ if (ctx->tx_conf == TLS_HW)
+ netdev->tlsdev_ops->tls_dev_del(netdev, ctx,
+ TLS_OFFLOAD_CTX_DIR_TX);
+@@ -1295,13 +1329,21 @@ static int tls_device_down(struct net_device *netdev)
+ !test_bit(TLS_RX_DEV_CLOSED, &ctx->flags))
+ netdev->tlsdev_ops->tls_dev_del(netdev, ctx,
+ TLS_OFFLOAD_CTX_DIR_RX);
+- WRITE_ONCE(ctx->netdev, NULL);
+- synchronize_net();
++
+ dev_put(netdev);
+- list_del_init(&ctx->list);
+
+- if (refcount_dec_and_test(&ctx->refcount))
+- tls_device_free_ctx(ctx);
++ /* Move the context to a separate list for two reasons:
++ * 1. When the context is deallocated, list_del is called.
++ * 2. It's no longer an offloaded context, so we don't want to
++ * run offload-specific code on this context.
++ */
++ spin_lock_irqsave(&tls_device_lock, flags);
++ list_move_tail(&ctx->list, &tls_device_down_list);
++ spin_unlock_irqrestore(&tls_device_lock, flags);
++
++ /* Device contexts for RX and TX will be freed in on sk_destruct
++ * by tls_device_free_ctx. rx_conf and tx_conf stay in TLS_HW.
++ */
+ }
+
+ up_write(&device_offload_lock);
+diff --git a/net/tls/tls_device_fallback.c b/net/tls/tls_device_fallback.c
+index 28895333701e..0d40016bf69e 100644
+--- a/net/tls/tls_device_fallback.c
++++ b/net/tls/tls_device_fallback.c
+@@ -430,6 +430,13 @@ struct sk_buff *tls_validate_xmit_skb(struct sock *sk,
+ }
+ EXPORT_SYMBOL_GPL(tls_validate_xmit_skb);
+
++struct sk_buff *tls_validate_xmit_skb_sw(struct sock *sk,
++ struct net_device *dev,
++ struct sk_buff *skb)
++{
++ return tls_sw_fallback(sk, skb);
++}
++
+ struct sk_buff *tls_encrypt_skb(struct sk_buff *skb)
+ {
+ return tls_sw_fallback(skb->sk, skb);
+diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
+index 8d93cea99f2c..32a51b20509c 100644
+--- a/net/tls/tls_main.c
++++ b/net/tls/tls_main.c
+@@ -633,6 +633,7 @@ struct tls_context *tls_ctx_create(struct sock *sk)
+ mutex_init(&ctx->tx_lock);
+ rcu_assign_pointer(icsk->icsk_ulp_data, ctx);
+ ctx->sk_proto = READ_ONCE(sk->sk_prot);
++ ctx->sk = sk;
+ return ctx;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From c3c7cb093cd8c50e14ce4142c4d7250335784d9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jun 2021 15:07:59 +0300
+Subject: net/tls: Replace TLS_RX_SYNC_RUNNING with RCU
+
+From: Maxim Mikityanskiy <maximmi@nvidia.com>
+
+[ Upstream commit 05fc8b6cbd4f979a6f25759c4a17dd5f657f7ecd ]
+
+RCU synchronization is guaranteed to finish in finite time, unlike a
+busy loop that polls a flag. This patch is a preparation for the bugfix
+in the next patch, where the same synchronize_net() call will also be
+used to sync with the TX datapath.
+
+Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/tls.h | 1 -
+ net/tls/tls_device.c | 10 +++-------
+ 2 files changed, 3 insertions(+), 8 deletions(-)
+
+diff --git a/include/net/tls.h b/include/net/tls.h
+index 2bdd802212fe..d32a06705587 100644
+--- a/include/net/tls.h
++++ b/include/net/tls.h
+@@ -193,7 +193,6 @@ struct tls_offload_context_tx {
+ (sizeof(struct tls_offload_context_tx) + TLS_DRIVER_STATE_SIZE_TX)
+
+ enum tls_context_flags {
+- TLS_RX_SYNC_RUNNING = 0,
+ /* Unlike RX where resync is driven entirely by the core in TX only
+ * the driver knows when things went out of sync, so we need the flag
+ * to be atomic.
+diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c
+index a3ab2d3d4e4e..abc04045577d 100644
+--- a/net/tls/tls_device.c
++++ b/net/tls/tls_device.c
+@@ -680,15 +680,13 @@ static void tls_device_resync_rx(struct tls_context *tls_ctx,
+ struct tls_offload_context_rx *rx_ctx = tls_offload_ctx_rx(tls_ctx);
+ struct net_device *netdev;
+
+- if (WARN_ON(test_and_set_bit(TLS_RX_SYNC_RUNNING, &tls_ctx->flags)))
+- return;
+-
+ trace_tls_device_rx_resync_send(sk, seq, rcd_sn, rx_ctx->resync_type);
++ rcu_read_lock();
+ netdev = READ_ONCE(tls_ctx->netdev);
+ if (netdev)
+ netdev->tlsdev_ops->tls_dev_resync(netdev, sk, seq, rcd_sn,
+ TLS_OFFLOAD_CTX_DIR_RX);
+- clear_bit_unlock(TLS_RX_SYNC_RUNNING, &tls_ctx->flags);
++ rcu_read_unlock();
+ TLS_INC_STATS(sock_net(sk), LINUX_MIB_TLSRXDEVICERESYNC);
+ }
+
+@@ -1298,9 +1296,7 @@ static int tls_device_down(struct net_device *netdev)
+ netdev->tlsdev_ops->tls_dev_del(netdev, ctx,
+ TLS_OFFLOAD_CTX_DIR_RX);
+ WRITE_ONCE(ctx->netdev, NULL);
+- smp_mb__before_atomic(); /* pairs with test_and_set_bit() */
+- while (test_bit(TLS_RX_SYNC_RUNNING, &ctx->flags))
+- usleep_range(10, 200);
++ synchronize_net();
+ dev_put(netdev);
+ list_del_init(&ctx->list);
+
+--
+2.30.2
+
--- /dev/null
+From ee12f2f735ec6c12074620988b8f0926307be889 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 May 2021 16:40:00 +0200
+Subject: netfilter: conntrack: unregister ipv4 sockopts on error unwind
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 22cbdbcfb61acc78d5fc21ebb13ccc0d7e29f793 ]
+
+When ipv6 sockopt register fails, the ipv4 one needs to be removed.
+
+Fixes: a0ae2562c6c ("netfilter: conntrack: remove l3proto abstraction")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_proto.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
+index 47e9319d2cf3..71892822bbf5 100644
+--- a/net/netfilter/nf_conntrack_proto.c
++++ b/net/netfilter/nf_conntrack_proto.c
+@@ -660,7 +660,7 @@ int nf_conntrack_proto_init(void)
+
+ #if IS_ENABLED(CONFIG_IPV6)
+ cleanup_sockopt:
+- nf_unregister_sockopt(&so_getorigdst6);
++ nf_unregister_sockopt(&so_getorigdst);
+ #endif
+ return ret;
+ }
+--
+2.30.2
+
--- /dev/null
+From 6c9e9df7e1c85aa9a12ff05e6e098342d581256d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 May 2021 13:45:16 +0200
+Subject: netfilter: nfnetlink_cthelper: hit EBUSY on updates if size
+ mismatches
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 8971ee8b087750a23f3cd4dc55bff2d0303fd267 ]
+
+The private helper data size cannot be updated. However, updates that
+contain NFCTH_PRIV_DATA_LEN might bogusly hit EBUSY even if the size is
+the same.
+
+Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nfnetlink_cthelper.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c
+index 5b0d0a77379c..91afbf8ac8cf 100644
+--- a/net/netfilter/nfnetlink_cthelper.c
++++ b/net/netfilter/nfnetlink_cthelper.c
+@@ -380,10 +380,14 @@ static int
+ nfnl_cthelper_update(const struct nlattr * const tb[],
+ struct nf_conntrack_helper *helper)
+ {
++ u32 size;
+ int ret;
+
+- if (tb[NFCTH_PRIV_DATA_LEN])
+- return -EBUSY;
++ if (tb[NFCTH_PRIV_DATA_LEN]) {
++ size = ntohl(nla_get_be32(tb[NFCTH_PRIV_DATA_LEN]));
++ if (size != helper->data_len)
++ return -EBUSY;
++ }
+
+ if (tb[NFCTH_POLICY]) {
+ ret = nfnl_cthelper_update_policy(helper, tb[NFCTH_POLICY]);
+--
+2.30.2
+
--- /dev/null
+From 31071b9cb64ec9219a8f52654b12a50fc9a9bd37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 May 2021 21:54:42 +0200
+Subject: netfilter: nft_ct: skip expectations for confirmed conntrack
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 1710eb913bdcda3917f44d383c32de6bdabfc836 ]
+
+nft_ct_expect_obj_eval() calls nf_ct_ext_add() for a confirmed
+conntrack entry. However, nf_ct_ext_add() can only be called for
+!nf_ct_is_confirmed().
+
+[ 1825.349056] WARNING: CPU: 0 PID: 1279 at net/netfilter/nf_conntrack_extend.c:48 nf_ct_xt_add+0x18e/0x1a0 [nf_conntrack]
+[ 1825.351391] RIP: 0010:nf_ct_ext_add+0x18e/0x1a0 [nf_conntrack]
+[ 1825.351493] Code: 41 5c 41 5d 41 5e 41 5f c3 41 bc 0a 00 00 00 e9 15 ff ff ff ba 09 00 00 00 31 f6 4c 89 ff e8 69 6c 3d e9 eb 96 45 31 ed eb cd <0f> 0b e9 b1 fe ff ff e8 86 79 14 e9 eb bf 0f 1f 40 00 0f 1f 44 00
+[ 1825.351721] RSP: 0018:ffffc90002e1f1e8 EFLAGS: 00010202
+[ 1825.351790] RAX: 000000000000000e RBX: ffff88814f5783c0 RCX: ffffffffc0e4f887
+[ 1825.351881] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88814f578440
+[ 1825.351971] RBP: 0000000000000000 R08: 0000000000000000 R09: ffff88814f578447
+[ 1825.352060] R10: ffffed1029eaf088 R11: 0000000000000001 R12: ffff88814f578440
+[ 1825.352150] R13: ffff8882053f3a00 R14: 0000000000000000 R15: 0000000000000a20
+[ 1825.352240] FS: 00007f992261c900(0000) GS:ffff889faec00000(0000) knlGS:0000000000000000
+[ 1825.352343] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 1825.352417] CR2: 000056070a4d1158 CR3: 000000015efe0000 CR4: 0000000000350ee0
+[ 1825.352508] Call Trace:
+[ 1825.352544] nf_ct_helper_ext_add+0x10/0x60 [nf_conntrack]
+[ 1825.352641] nft_ct_expect_obj_eval+0x1b8/0x1e0 [nft_ct]
+[ 1825.352716] nft_do_chain+0x232/0x850 [nf_tables]
+
+Add the ct helper extension only for unconfirmed conntrack. Skip rule
+evaluation if the ct helper extension does not exist. Thus, you can
+only create expectations from the first packet.
+
+It should be possible to remove this limitation by adding a new action
+to attach a generic ct helper to the first packet. Then, use this ct
+helper extension from follow up packets to create the ct expectation.
+
+While at it, add a missing check to skip the template conntrack too
+and remove check for IPCT_UNTRACK which is implicit to !ct.
+
+Fixes: 857b46027d6f ("netfilter: nft_ct: add ct expectations support")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_ct.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
+index a1b0aac46e9e..70d46e0bbf06 100644
+--- a/net/netfilter/nft_ct.c
++++ b/net/netfilter/nft_ct.c
+@@ -1218,7 +1218,7 @@ static void nft_ct_expect_obj_eval(struct nft_object *obj,
+ struct nf_conn *ct;
+
+ ct = nf_ct_get(pkt->skb, &ctinfo);
+- if (!ct || ctinfo == IP_CT_UNTRACKED) {
++ if (!ct || nf_ct_is_confirmed(ct) || nf_ct_is_template(ct)) {
+ regs->verdict.code = NFT_BREAK;
+ return;
+ }
+--
+2.30.2
+
--- /dev/null
+From aba123b755cc5233cf48342bf96bfac4da46468f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 May 2021 18:16:38 -0700
+Subject: nvme-rdma: fix in-casule data send for chained sgls
+
+From: Sagi Grimberg <sagi@grimberg.me>
+
+[ Upstream commit 12b2aaadb6d5ef77434e8db21f469f46fe2d392e ]
+
+We have only 2 inline sg entries and we allow 4 sg entries for the send
+wr sge. Larger sgls entries will be chained. However when we build
+in-capsule send wr sge, we iterate without taking into account that the
+sgl may be chained and still fit in-capsule (which can happen if the sgl
+is bigger than 2, but lower-equal to 4).
+
+Fix in-capsule data mapping to correctly iterate chained sgls.
+
+Fixes: 38e1800275d3 ("nvme-rdma: Avoid preallocating big SGL for data")
+Reported-by: Walker, Benjamin <benjamin.walker@intel.com>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Max Gurtovoy <mgurtovoy@nvidia.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/rdma.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c
+index 8b326508a480..e6d58402b829 100644
+--- a/drivers/nvme/host/rdma.c
++++ b/drivers/nvme/host/rdma.c
+@@ -1327,16 +1327,17 @@ static int nvme_rdma_map_sg_inline(struct nvme_rdma_queue *queue,
+ int count)
+ {
+ struct nvme_sgl_desc *sg = &c->common.dptr.sgl;
+- struct scatterlist *sgl = req->data_sgl.sg_table.sgl;
+ struct ib_sge *sge = &req->sge[1];
++ struct scatterlist *sgl;
+ u32 len = 0;
+ int i;
+
+- for (i = 0; i < count; i++, sgl++, sge++) {
++ for_each_sg(req->data_sgl.sg_table.sgl, sgl, count, i) {
+ sge->addr = sg_dma_address(sgl);
+ sge->length = sg_dma_len(sgl);
+ sge->lkey = queue->device->pd->local_dma_lkey;
+ len += sge->length;
++ sge++;
+ }
+
+ sg->addr = cpu_to_le64(queue->ctrl->ctrl.icdoff);
+--
+2.30.2
+
--- /dev/null
+From 06bbeb80a12adc06c4400d2fa9ddcb6d9a9526f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jun 2021 19:22:05 +0300
+Subject: nvmet: fix freeing unallocated p2pmem
+
+From: Max Gurtovoy <mgurtovoy@nvidia.com>
+
+[ Upstream commit bcd9a0797d73eeff659582f23277e7ab6e5f18f3 ]
+
+In case p2p device was found but the p2p pool is empty, the nvme target
+is still trying to free the sgl from the p2p pool instead of the
+regular sgl pool and causing a crash (BUG() is called). Instead, assign
+the p2p_dev for the request only if it was allocated from p2p pool.
+
+This is the crash that was caused:
+
+[Sun May 30 19:13:53 2021] ------------[ cut here ]------------
+[Sun May 30 19:13:53 2021] kernel BUG at lib/genalloc.c:518!
+[Sun May 30 19:13:53 2021] invalid opcode: 0000 [#1] SMP PTI
+...
+[Sun May 30 19:13:53 2021] kernel BUG at lib/genalloc.c:518!
+...
+[Sun May 30 19:13:53 2021] RIP: 0010:gen_pool_free_owner+0xa8/0xb0
+...
+[Sun May 30 19:13:53 2021] Call Trace:
+[Sun May 30 19:13:53 2021] ------------[ cut here ]------------
+[Sun May 30 19:13:53 2021] pci_free_p2pmem+0x2b/0x70
+[Sun May 30 19:13:53 2021] pci_p2pmem_free_sgl+0x4f/0x80
+[Sun May 30 19:13:53 2021] nvmet_req_free_sgls+0x1e/0x80 [nvmet]
+[Sun May 30 19:13:53 2021] kernel BUG at lib/genalloc.c:518!
+[Sun May 30 19:13:53 2021] nvmet_rdma_release_rsp+0x4e/0x1f0 [nvmet_rdma]
+[Sun May 30 19:13:53 2021] nvmet_rdma_send_done+0x1c/0x60 [nvmet_rdma]
+
+Fixes: c6e3f1339812 ("nvmet: add metadata support for block devices")
+Reviewed-by: Israel Rukshin <israelr@nvidia.com>
+Signed-off-by: Max Gurtovoy <mgurtovoy@nvidia.com>
+Reviewed-by: Logan Gunthorpe <logang@deltatee.com>
+Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/core.c | 33 ++++++++++++++++-----------------
+ 1 file changed, 16 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c
+index 46e4f7ea34c8..8b939e9db470 100644
+--- a/drivers/nvme/target/core.c
++++ b/drivers/nvme/target/core.c
+@@ -988,19 +988,23 @@ static unsigned int nvmet_data_transfer_len(struct nvmet_req *req)
+ return req->transfer_len - req->metadata_len;
+ }
+
+-static int nvmet_req_alloc_p2pmem_sgls(struct nvmet_req *req)
++static int nvmet_req_alloc_p2pmem_sgls(struct pci_dev *p2p_dev,
++ struct nvmet_req *req)
+ {
+- req->sg = pci_p2pmem_alloc_sgl(req->p2p_dev, &req->sg_cnt,
++ req->sg = pci_p2pmem_alloc_sgl(p2p_dev, &req->sg_cnt,
+ nvmet_data_transfer_len(req));
+ if (!req->sg)
+ goto out_err;
+
+ if (req->metadata_len) {
+- req->metadata_sg = pci_p2pmem_alloc_sgl(req->p2p_dev,
++ req->metadata_sg = pci_p2pmem_alloc_sgl(p2p_dev,
+ &req->metadata_sg_cnt, req->metadata_len);
+ if (!req->metadata_sg)
+ goto out_free_sg;
+ }
++
++ req->p2p_dev = p2p_dev;
++
+ return 0;
+ out_free_sg:
+ pci_p2pmem_free_sgl(req->p2p_dev, req->sg);
+@@ -1008,25 +1012,19 @@ out_err:
+ return -ENOMEM;
+ }
+
+-static bool nvmet_req_find_p2p_dev(struct nvmet_req *req)
++static struct pci_dev *nvmet_req_find_p2p_dev(struct nvmet_req *req)
+ {
+- if (!IS_ENABLED(CONFIG_PCI_P2PDMA))
+- return false;
+-
+- if (req->sq->ctrl && req->sq->qid && req->ns) {
+- req->p2p_dev = radix_tree_lookup(&req->sq->ctrl->p2p_ns_map,
+- req->ns->nsid);
+- if (req->p2p_dev)
+- return true;
+- }
+-
+- req->p2p_dev = NULL;
+- return false;
++ if (!IS_ENABLED(CONFIG_PCI_P2PDMA) ||
++ !req->sq->ctrl || !req->sq->qid || !req->ns)
++ return NULL;
++ return radix_tree_lookup(&req->sq->ctrl->p2p_ns_map, req->ns->nsid);
+ }
+
+ int nvmet_req_alloc_sgls(struct nvmet_req *req)
+ {
+- if (nvmet_req_find_p2p_dev(req) && !nvmet_req_alloc_p2pmem_sgls(req))
++ struct pci_dev *p2p_dev = nvmet_req_find_p2p_dev(req);
++
++ if (p2p_dev && !nvmet_req_alloc_p2pmem_sgls(p2p_dev, req))
+ return 0;
+
+ req->sg = sgl_alloc(nvmet_data_transfer_len(req), GFP_KERNEL,
+@@ -1055,6 +1053,7 @@ void nvmet_req_free_sgls(struct nvmet_req *req)
+ pci_p2pmem_free_sgl(req->p2p_dev, req->sg);
+ if (req->metadata_sg)
+ pci_p2pmem_free_sgl(req->p2p_dev, req->metadata_sg);
++ req->p2p_dev = NULL;
+ } else {
+ sgl_free(req->sg);
+ if (req->metadata_sg)
+--
+2.30.2
+
--- /dev/null
+From 4be73d8991466323bfeb88ea5f6a00743d498648 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jun 2021 17:27:50 +0800
+Subject: perf probe: Fix NULL pointer dereference in
+ convert_variable_location()
+
+From: Li Huafei <lihuafei1@huawei.com>
+
+[ Upstream commit 3cb17cce1e76ccc5499915a4d7e095a1ad6bf7ff ]
+
+If we just check whether the variable can be converted, 'tvar' should be
+a null pointer. However, the null pointer check is missing in the
+'Constant value' execution path.
+
+The following cases can trigger this problem:
+
+ $ cat test.c
+ #include <stdio.h>
+
+ void main(void)
+ {
+ int a;
+ const int b = 1;
+
+ asm volatile("mov %1, %0" : "=r"(a): "i"(b));
+ printf("a: %d\n", a);
+ }
+
+ $ gcc test.c -o test -O -g
+ $ sudo ./perf probe -x ./test -L "main"
+ <main@/home/lhf/test.c:0>
+ 0 void main(void)
+ {
+ 2 int a;
+ const int b = 1;
+
+ asm volatile("mov %1, %0" : "=r"(a): "i"(b));
+ 6 printf("a: %d\n", a);
+ }
+
+ $ sudo ./perf probe -x ./test -V "main:6"
+ Segmentation fault
+
+The check on 'tvar' is added. If 'tavr' is a null pointer, we return 0
+to indicate that the variable can be converted. Now, we can successfully
+show the variables that can be accessed.
+
+ $ sudo ./perf probe -x ./test -V "main:6"
+ Available variables at main:6
+ @<main+13>
+ char* __fmt
+ int a
+ int b
+
+However, the variable 'b' cannot be tracked.
+
+ $ sudo ./perf probe -x ./test -D "main:6 b"
+ Failed to find the location of the 'b' variable at this address.
+ Perhaps it has been optimized out.
+ Use -V with the --range option to show 'b' location range.
+ Error: Failed to add events.
+
+This is because __die_find_variable_cb() did not successfully match
+variable 'b', which has the DW_AT_const_value attribute instead of
+DW_AT_location. We added support for DW_AT_const_value in
+__die_find_variable_cb(). With this modification, we can successfully
+track the variable 'b'.
+
+ $ sudo ./perf probe -x ./test -D "main:6 b"
+ p:probe_test/main_L6 /home/lhf/test:0x1156 b=\1:s32
+
+Fixes: 66f69b219716 ("perf probe: Support DW_AT_const_value constant value")
+Signed-off-by: Li Huafei <lihuafei1@huawei.com>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Frank Ch. Eigler <fche@redhat.com>
+Cc: Jianlin Lv <jianlin.lv@arm.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
+Cc: Yang Jihong <yangjihong1@huawei.com>
+Cc: Zhang Jinhao <zhangjinhao2@huawei.com>
+http://lore.kernel.org/lkml/20210601092750.169601-1-lihuafei1@huawei.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/dwarf-aux.c | 8 ++++++--
+ tools/perf/util/probe-finder.c | 3 +++
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/util/dwarf-aux.c b/tools/perf/util/dwarf-aux.c
+index 7b2d471a6419..4343356f3cf9 100644
+--- a/tools/perf/util/dwarf-aux.c
++++ b/tools/perf/util/dwarf-aux.c
+@@ -975,9 +975,13 @@ static int __die_find_variable_cb(Dwarf_Die *die_mem, void *data)
+ if ((tag == DW_TAG_formal_parameter ||
+ tag == DW_TAG_variable) &&
+ die_compare_name(die_mem, fvp->name) &&
+- /* Does the DIE have location information or external instance? */
++ /*
++ * Does the DIE have location information or const value
++ * or external instance?
++ */
+ (dwarf_attr(die_mem, DW_AT_external, &attr) ||
+- dwarf_attr(die_mem, DW_AT_location, &attr)))
++ dwarf_attr(die_mem, DW_AT_location, &attr) ||
++ dwarf_attr(die_mem, DW_AT_const_value, &attr)))
+ return DIE_FIND_CB_END;
+ if (dwarf_haspc(die_mem, fvp->addr))
+ return DIE_FIND_CB_CONTINUE;
+diff --git a/tools/perf/util/probe-finder.c b/tools/perf/util/probe-finder.c
+index 76dd349aa48d..fdafbfcef687 100644
+--- a/tools/perf/util/probe-finder.c
++++ b/tools/perf/util/probe-finder.c
+@@ -190,6 +190,9 @@ static int convert_variable_location(Dwarf_Die *vr_die, Dwarf_Addr addr,
+ immediate_value_is_supported()) {
+ Dwarf_Sword snum;
+
++ if (!tvar)
++ return 0;
++
+ dwarf_formsdata(&attr, &snum);
+ ret = asprintf(&tvar->value, "\\%ld", (long)snum);
+
+--
+2.30.2
+
--- /dev/null
+From 4ae6dad34346481f07849a0a18b3e9bf3e961477 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 May 2021 13:36:41 +0000
+Subject: samples: vfio-mdev: fix error handing in mdpy_fb_probe()
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit 752774ce7793a1f8baa55aae31f3b4caac49cbe4 ]
+
+Fix to return a negative error code from the framebuffer_alloc() error
+handling case instead of 0, also release regions in some error handing
+cases.
+
+Fixes: cacade1946a4 ("sample: vfio mdev display - guest driver")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Message-Id: <20210520133641.1421378-1-weiyongjun1@huawei.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ samples/vfio-mdev/mdpy-fb.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/samples/vfio-mdev/mdpy-fb.c b/samples/vfio-mdev/mdpy-fb.c
+index 21dbf63d6e41..9ec93d90e8a5 100644
+--- a/samples/vfio-mdev/mdpy-fb.c
++++ b/samples/vfio-mdev/mdpy-fb.c
+@@ -117,22 +117,27 @@ static int mdpy_fb_probe(struct pci_dev *pdev,
+ if (format != DRM_FORMAT_XRGB8888) {
+ pci_err(pdev, "format mismatch (0x%x != 0x%x)\n",
+ format, DRM_FORMAT_XRGB8888);
+- return -EINVAL;
++ ret = -EINVAL;
++ goto err_release_regions;
+ }
+ if (width < 100 || width > 10000) {
+ pci_err(pdev, "width (%d) out of range\n", width);
+- return -EINVAL;
++ ret = -EINVAL;
++ goto err_release_regions;
+ }
+ if (height < 100 || height > 10000) {
+ pci_err(pdev, "height (%d) out of range\n", height);
+- return -EINVAL;
++ ret = -EINVAL;
++ goto err_release_regions;
+ }
+ pci_info(pdev, "mdpy found: %dx%d framebuffer\n",
+ width, height);
+
+ info = framebuffer_alloc(sizeof(struct mdpy_fb_par), &pdev->dev);
+- if (!info)
++ if (!info) {
++ ret = -ENOMEM;
+ goto err_release_regions;
++ }
+ pci_set_drvdata(pdev, info);
+ par = info->par;
+
+--
+2.30.2
+
btrfs-tree-checker-do-not-error-out-if-extent-ref-ha.patch
net-usb-cdc_ncm-don-t-spew-notifications.patch
+mt76-mt76x0e-fix-device-hang-during-suspend-resume.patch
+hwmon-dell-smm-hwmon-fix-index-values.patch
+hwmon-pmbus-isl68137-remove-read_temperature_3-for-r.patch
+netfilter-conntrack-unregister-ipv4-sockopts-on-erro.patch
+efi-fdt-fix-panic-when-no-valid-fdt-found.patch
+efi-allow-efi_memory_xp-and-efi_memory_ro-both-to-be.patch
+efi-libstub-prevent-read-overflow-in-find_file_optio.patch
+efi-cper-fix-snprintf-use-in-cper_dimm_err_location.patch
+vfio-pci-fix-error-return-code-in-vfio_ecap_init.patch
+vfio-pci-zap_vma_ptes-needs-mmu.patch
+samples-vfio-mdev-fix-error-handing-in-mdpy_fb_probe.patch
+vfio-platform-fix-module_put-call-in-error-flow.patch
+ipvs-ignore-ip_vs_svc_f_hashed-flag-when-adding-serv.patch
+hid-logitech-hidpp-initialize-level-variable.patch
+hid-pidff-fix-error-return-code-in-hid_pidff_init.patch
+hid-i2c-hid-fix-format-string-mismatch.patch
+devlink-correct-virtual-port-to-not-have-phys_port-a.patch
+net-sched-act_ct-offload-connections-with-commit-act.patch
+net-sched-act_ct-fix-ct-template-allocation-for-zone.patch
+mptcp-always-parse-mptcp-options-for-mpc-reqsk.patch
+nvme-rdma-fix-in-casule-data-send-for-chained-sgls.patch
+acpica-clean-up-context-mutex-during-object-deletion.patch
+perf-probe-fix-null-pointer-dereference-in-convert_v.patch
+net-dsa-tag_8021q-fix-the-vlan-ids-used-for-encoding.patch
+net-sock-fix-in-kernel-mark-setting.patch
+net-tls-replace-tls_rx_sync_running-with-rcu.patch
+net-tls-fix-use-after-free-after-the-tls-device-goes.patch
+net-mlx5e-fix-incompatible-casting.patch
+net-mlx5-check-firmware-sync-reset-requested-is-set-.patch
+net-mlx5e-check-for-needed-capability-for-cvlan-matc.patch
+net-mlx5-dr-create-multi-destination-flow-table-with.patch
+nvmet-fix-freeing-unallocated-p2pmem.patch
+netfilter-nft_ct-skip-expectations-for-confirmed-con.patch
+netfilter-nfnetlink_cthelper-hit-ebusy-on-updates-if.patch
+drm-i915-selftests-fix-return-value-check-in-live_br.patch
+bpf-simplify-cases-in-bpf_base_func_proto.patch
+bpf-lockdown-audit-fix-buggy-selinux-lockdown-permis.patch
+ieee802154-fix-error-return-code-in-ieee802154_add_i.patch
+ieee802154-fix-error-return-code-in-ieee802154_llsec.patch
+igb-add-correct-exception-tracing-for-xdp.patch
+ixgbevf-add-correct-exception-tracing-for-xdp.patch
+cxgb4-fix-regression-with-hash-tc-prio-value-update.patch
+ipv6-fix-kasan-slab-out-of-bounds-read-in-fib6_nh_fl.patch
+ice-fix-allowing-vf-to-request-more-less-queues-via-.patch
+ice-fix-vfr-issues-for-avf-drivers-that-expect-atqle.patch
+ice-handle-the-vf-vsi-rebuild-failure.patch
+ice-report-supported-and-advertised-autoneg-using-ph.patch
+ice-allow-all-lldp-packets-from-pf-to-tx.patch
+i2c-qcom-geni-add-shutdown-callback-for-i2c.patch
+cxgb4-avoid-link-re-train-during-tc-mqprio-configura.patch
+i40e-optimize-for-xdp_redirect-in-xsk-path.patch
+i40e-add-correct-exception-tracing-for-xdp.patch
+ice-simplify-ice_run_xdp.patch
+ice-optimize-for-xdp_redirect-in-xsk-path.patch
+ice-add-correct-exception-tracing-for-xdp.patch
+ixgbe-optimize-for-xdp_redirect-in-xsk-path.patch
+ixgbe-add-correct-exception-tracing-for-xdp.patch
--- /dev/null
+From 7d05f79df7133d961f2c1558bb1ba0257530d869 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 15 May 2021 10:04:58 +0800
+Subject: vfio/pci: Fix error return code in vfio_ecap_init()
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit d1ce2c79156d3baf0830990ab06d296477b93c26 ]
+
+The error code returned from vfio_ext_cap_len() is stored in 'len', not
+in 'ret'.
+
+Fixes: 89e1f7d4c66d ("vfio: Add PCI device driver")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Reviewed-by: Max Gurtovoy <mgurtovoy@nvidia.com>
+Message-Id: <20210515020458.6771-1-thunder.leizhen@huawei.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/pci/vfio_pci_config.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c
+index a402adee8a21..47f21a6ca7fe 100644
+--- a/drivers/vfio/pci/vfio_pci_config.c
++++ b/drivers/vfio/pci/vfio_pci_config.c
+@@ -1581,7 +1581,7 @@ static int vfio_ecap_init(struct vfio_pci_device *vdev)
+ if (len == 0xFF) {
+ len = vfio_ext_cap_len(vdev, ecap, epos);
+ if (len < 0)
+- return ret;
++ return len;
+ }
+ }
+
+--
+2.30.2
+
--- /dev/null
+From acf42300cbc3b7db3af84ac07a1cab65fd274fbe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 15 May 2021 12:08:56 -0700
+Subject: vfio/pci: zap_vma_ptes() needs MMU
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 2a55ca37350171d9b43d561528f23d4130097255 ]
+
+zap_vma_ptes() is only available when CONFIG_MMU is set/enabled.
+Without CONFIG_MMU, vfio_pci.o has build errors, so make
+VFIO_PCI depend on MMU.
+
+riscv64-linux-ld: drivers/vfio/pci/vfio_pci.o: in function `vfio_pci_mmap_open':
+vfio_pci.c:(.text+0x1ec): undefined reference to `zap_vma_ptes'
+riscv64-linux-ld: drivers/vfio/pci/vfio_pci.o: in function `.L0 ':
+vfio_pci.c:(.text+0x165c): undefined reference to `zap_vma_ptes'
+
+Fixes: 11c4cd07ba11 ("vfio-pci: Fault mmaps to enable vma tracking")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reported-by: kernel test robot <lkp@intel.com>
+Cc: Alex Williamson <alex.williamson@redhat.com>
+Cc: Cornelia Huck <cohuck@redhat.com>
+Cc: kvm@vger.kernel.org
+Cc: Jason Gunthorpe <jgg@nvidia.com>
+Cc: Eric Auger <eric.auger@redhat.com>
+Message-Id: <20210515190856.2130-1-rdunlap@infradead.org>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/pci/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/vfio/pci/Kconfig b/drivers/vfio/pci/Kconfig
+index 0f28bf99efeb..4e1107767e29 100644
+--- a/drivers/vfio/pci/Kconfig
++++ b/drivers/vfio/pci/Kconfig
+@@ -2,6 +2,7 @@
+ config VFIO_PCI
+ tristate "VFIO support for PCI devices"
+ depends on VFIO && PCI && EVENTFD
++ depends on MMU
+ select VFIO_VIRQFD
+ select IRQ_BYPASS_MANAGER
+ help
+--
+2.30.2
+
--- /dev/null
+From ac7cd28f2deee4cf227ab341e981cbf226d35657 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 May 2021 22:21:31 +0300
+Subject: vfio/platform: fix module_put call in error flow
+
+From: Max Gurtovoy <mgurtovoy@nvidia.com>
+
+[ Upstream commit dc51ff91cf2d1e9a2d941da483602f71d4a51472 ]
+
+The ->parent_module is the one that use in try_module_get. It should
+also be the one the we use in module_put during vfio_platform_open().
+
+Fixes: 32a2d71c4e80 ("vfio: platform: introduce vfio-platform-base module")
+Signed-off-by: Max Gurtovoy <mgurtovoy@nvidia.com>
+Message-Id: <20210518192133.59195-1-mgurtovoy@nvidia.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/platform/vfio_platform_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/vfio/platform/vfio_platform_common.c b/drivers/vfio/platform/vfio_platform_common.c
+index fb4b385191f2..e83a7cd15c95 100644
+--- a/drivers/vfio/platform/vfio_platform_common.c
++++ b/drivers/vfio/platform/vfio_platform_common.c
+@@ -289,7 +289,7 @@ err_irq:
+ vfio_platform_regions_cleanup(vdev);
+ err_reg:
+ mutex_unlock(&driver_lock);
+- module_put(THIS_MODULE);
++ module_put(vdev->parent_module);
+ return ret;
+ }
+
+--
+2.30.2
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
