--- /dev/null
+From 655e436dbe24dc3ef3c0fee9f28a5f8675fde7e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jun 2020 19:17:37 +0530
+Subject: ALSA: compress: fix partial_drain completion state
+
+From: Vinod Koul <vkoul@kernel.org>
+
+[ Upstream commit f79a732a8325dfbd570d87f1435019d7e5501c6d ]
+
+On partial_drain completion we should be in SNDRV_PCM_STATE_RUNNING
+state, so set that for partially draining streams in
+snd_compr_drain_notify() and use a flag for partially draining streams
+
+While at it, add locks for stream state change in
+snd_compr_drain_notify() as well.
+
+Fixes: f44f2a5417b2 ("ALSA: compress: fix drain calls blocking other compress functions (v6)")
+Reviewed-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Tested-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Reviewed-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Tested-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Link: https://lore.kernel.org/r/20200629134737.105993-4-vkoul@kernel.org
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/sound/compress_driver.h | 10 +++++++++-
+ sound/core/compress_offload.c | 4 ++++
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/include/sound/compress_driver.h b/include/sound/compress_driver.h
+index bc88d6f964da9..006f019224399 100644
+--- a/include/sound/compress_driver.h
++++ b/include/sound/compress_driver.h
+@@ -59,6 +59,7 @@ struct snd_compr_runtime {
+ * @direction: stream direction, playback/recording
+ * @metadata_set: metadata set flag, true when set
+ * @next_track: has userspace signal next track transition, true when set
++ * @partial_drain: undergoing partial_drain for stream, true when set
+ * @private_data: pointer to DSP private data
+ */
+ struct snd_compr_stream {
+@@ -70,6 +71,7 @@ struct snd_compr_stream {
+ enum snd_compr_direction direction;
+ bool metadata_set;
+ bool next_track;
++ bool partial_drain;
+ void *private_data;
+ };
+
+@@ -173,7 +175,13 @@ static inline void snd_compr_drain_notify(struct snd_compr_stream *stream)
+ if (snd_BUG_ON(!stream))
+ return;
+
+- stream->runtime->state = SNDRV_PCM_STATE_SETUP;
++ /* for partial_drain case we are back to running state on success */
++ if (stream->partial_drain) {
++ stream->runtime->state = SNDRV_PCM_STATE_RUNNING;
++ stream->partial_drain = false; /* clear this flag as well */
++ } else {
++ stream->runtime->state = SNDRV_PCM_STATE_SETUP;
++ }
+
+ wake_up(&stream->runtime->sleep);
+ }
+diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
+index f34ce564d92c4..1afa06b80f06c 100644
+--- a/sound/core/compress_offload.c
++++ b/sound/core/compress_offload.c
+@@ -722,6 +722,9 @@ static int snd_compr_stop(struct snd_compr_stream *stream)
+
+ retval = stream->ops->trigger(stream, SNDRV_PCM_TRIGGER_STOP);
+ if (!retval) {
++ /* clear flags and stop any drain wait */
++ stream->partial_drain = false;
++ stream->metadata_set = false;
+ snd_compr_drain_notify(stream);
+ stream->runtime->total_bytes_available = 0;
+ stream->runtime->total_bytes_transferred = 0;
+@@ -879,6 +882,7 @@ static int snd_compr_partial_drain(struct snd_compr_stream *stream)
+ if (stream->next_track == false)
+ return -EPERM;
+
++ stream->partial_drain = true;
+ retval = stream->ops->trigger(stream, SND_COMPR_TRIGGER_PARTIAL_DRAIN);
+ if (retval) {
+ pr_debug("Partial drain returned failure\n");
+--
+2.25.1
+
--- /dev/null
+From bb2d40739b734e74f5bd0c1f31af170c676c8e76 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 10 May 2020 05:41:56 +0800
+Subject: arm64: kgdb: Fix single-step exception handling oops
+
+From: Wei Li <liwei391@huawei.com>
+
+[ Upstream commit 8523c006264df65aac7d77284cc69aac46a6f842 ]
+
+After entering kdb due to breakpoint, when we execute 'ss' or 'go' (will
+delay installing breakpoints, do single-step first), it won't work
+correctly, and it will enter kdb due to oops.
+
+It's because the reason gotten in kdb_stub() is not as expected, and it
+seems that the ex_vector for single-step should be 0, like what arch
+powerpc/sh/parisc has implemented.
+
+Before the patch:
+Entering kdb (current=0xffff8000119e2dc0, pid 0) on processor 0 due to Keyboard Entry
+[0]kdb> bp printk
+Instruction(i) BP #0 at 0xffff8000101486cc (printk)
+ is enabled addr at ffff8000101486cc, hardtype=0 installed=0
+
+[0]kdb> g
+
+/ # echo h > /proc/sysrq-trigger
+
+Entering kdb (current=0xffff0000fa878040, pid 266) on processor 3 due to Breakpoint @ 0xffff8000101486cc
+[3]kdb> ss
+
+Entering kdb (current=0xffff0000fa878040, pid 266) on processor 3 Oops: (null)
+due to oops @ 0xffff800010082ab8
+CPU: 3 PID: 266 Comm: sh Not tainted 5.7.0-rc4-13839-gf0e5ad491718 #6
+Hardware name: linux,dummy-virt (DT)
+pstate: 00000085 (nzcv daIf -PAN -UAO)
+pc : el1_irq+0x78/0x180
+lr : __handle_sysrq+0x80/0x190
+sp : ffff800015003bf0
+x29: ffff800015003d20 x28: ffff0000fa878040
+x27: 0000000000000000 x26: ffff80001126b1f0
+x25: ffff800011b6a0d8 x24: 0000000000000000
+x23: 0000000080200005 x22: ffff8000101486cc
+x21: ffff800015003d30 x20: 0000ffffffffffff
+x19: ffff8000119f2000 x18: 0000000000000000
+x17: 0000000000000000 x16: 0000000000000000
+x15: 0000000000000000 x14: 0000000000000000
+x13: 0000000000000000 x12: 0000000000000000
+x11: 0000000000000000 x10: 0000000000000000
+x9 : 0000000000000000 x8 : ffff800015003e50
+x7 : 0000000000000002 x6 : 00000000380b9990
+x5 : ffff8000106e99e8 x4 : ffff0000fadd83c0
+x3 : 0000ffffffffffff x2 : ffff800011b6a0d8
+x1 : ffff800011b6a000 x0 : ffff80001130c9d8
+Call trace:
+ el1_irq+0x78/0x180
+ printk+0x0/0x84
+ write_sysrq_trigger+0xb0/0x118
+ proc_reg_write+0xb4/0xe0
+ __vfs_write+0x18/0x40
+ vfs_write+0xb0/0x1b8
+ ksys_write+0x64/0xf0
+ __arm64_sys_write+0x14/0x20
+ el0_svc_common.constprop.2+0xb0/0x168
+ do_el0_svc+0x20/0x98
+ el0_sync_handler+0xec/0x1a8
+ el0_sync+0x140/0x180
+
+[3]kdb>
+
+After the patch:
+Entering kdb (current=0xffff8000119e2dc0, pid 0) on processor 0 due to Keyboard Entry
+[0]kdb> bp printk
+Instruction(i) BP #0 at 0xffff8000101486cc (printk)
+ is enabled addr at ffff8000101486cc, hardtype=0 installed=0
+
+[0]kdb> g
+
+/ # echo h > /proc/sysrq-trigger
+
+Entering kdb (current=0xffff0000fa852bc0, pid 268) on processor 0 due to Breakpoint @ 0xffff8000101486cc
+[0]kdb> g
+
+Entering kdb (current=0xffff0000fa852bc0, pid 268) on processor 0 due to Breakpoint @ 0xffff8000101486cc
+[0]kdb> ss
+
+Entering kdb (current=0xffff0000fa852bc0, pid 268) on processor 0 due to SS trap @ 0xffff800010082ab8
+[0]kdb>
+
+Fixes: 44679a4f142b ("arm64: KGDB: Add step debugging support")
+Signed-off-by: Wei Li <liwei391@huawei.com>
+Tested-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Link: https://lore.kernel.org/r/20200509214159.19680-2-liwei391@huawei.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/kgdb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/kernel/kgdb.c b/arch/arm64/kernel/kgdb.c
+index 43119922341f8..1a157ca33262d 100644
+--- a/arch/arm64/kernel/kgdb.c
++++ b/arch/arm64/kernel/kgdb.c
+@@ -252,7 +252,7 @@ static int kgdb_step_brk_fn(struct pt_regs *regs, unsigned int esr)
+ if (!kgdb_single_step)
+ return DBG_HOOK_ERROR;
+
+- kgdb_handle_exception(1, SIGTRAP, 0, regs);
++ kgdb_handle_exception(0, SIGTRAP, 0, regs);
+ return DBG_HOOK_HANDLED;
+ }
+ NOKPROBE_SYMBOL(kgdb_step_brk_fn);
+--
+2.25.1
+
--- /dev/null
+From 6d445589bf6350b845584d0f654909de93456b9c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Jul 2020 12:55:08 +0200
+Subject: bnxt_en: fix NULL dereference in case SR-IOV configuration fails
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+[ Upstream commit c8b1d7436045d3599bae56aef1682813ecccaad7 ]
+
+we need to set 'active_vfs' back to 0, if something goes wrong during the
+allocation of SR-IOV resources: otherwise, further VF configurations will
+wrongly assume that bp->pf.vf[x] are valid memory locations, and commands
+like the ones in the following sequence:
+
+ # echo 2 >/sys/bus/pci/devices/${ADDR}/sriov_numvfs
+ # ip link set dev ens1f0np0 up
+ # ip link set dev ens1f0np0 vf 0 trust on
+
+will cause a kernel crash similar to this:
+
+ bnxt_en 0000:3b:00.0: not enough MMIO resources for SR-IOV
+ BUG: kernel NULL pointer dereference, address: 0000000000000014
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: 0000 [#1] SMP PTI
+ CPU: 43 PID: 2059 Comm: ip Tainted: G I 5.8.0-rc2.upstream+ #871
+ Hardware name: Dell Inc. PowerEdge R740/08D89F, BIOS 2.2.11 06/13/2019
+ RIP: 0010:bnxt_set_vf_trust+0x5b/0x110 [bnxt_en]
+ Code: 44 24 58 31 c0 e8 f5 fb ff ff 85 c0 0f 85 b6 00 00 00 48 8d 1c 5b 41 89 c6 b9 0b 00 00 00 48 c1 e3 04 49 03 9c 24 f0 0e 00 00 <8b> 43 14 89 c2 83 c8 10 83 e2 ef 45 84 ed 49 89 e5 0f 44 c2 4c 89
+ RSP: 0018:ffffac6246a1f570 EFLAGS: 00010246
+ RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000000b
+ RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff98b28f538900
+ RBP: ffff98b28f538900 R08: 0000000000000000 R09: 0000000000000008
+ R10: ffffffffb9515be0 R11: ffffac6246a1f678 R12: ffff98b28f538000
+ R13: 0000000000000001 R14: 0000000000000000 R15: ffffffffc05451e0
+ FS: 00007fde0f688800(0000) GS:ffff98baffd40000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000014 CR3: 000000104bb0a003 CR4: 00000000007606e0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ PKRU: 55555554
+ Call Trace:
+ do_setlink+0x994/0xfe0
+ __rtnl_newlink+0x544/0x8d0
+ rtnl_newlink+0x47/0x70
+ rtnetlink_rcv_msg+0x29f/0x350
+ netlink_rcv_skb+0x4a/0x110
+ netlink_unicast+0x21d/0x300
+ netlink_sendmsg+0x329/0x450
+ sock_sendmsg+0x5b/0x60
+ ____sys_sendmsg+0x204/0x280
+ ___sys_sendmsg+0x88/0xd0
+ __sys_sendmsg+0x5e/0xa0
+ do_syscall_64+0x47/0x80
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: c0c050c58d840 ("bnxt_en: New Broadcom ethernet driver.")
+Reported-by: Fei Liu <feliu@redhat.com>
+CC: Jonathan Toppins <jtoppins@redhat.com>
+CC: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Reviewed-by: Michael Chan <michael.chan@broadcom.com>
+Acked-by: Jonathan Toppins <jtoppins@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c
+index 1046b22220a30..452be9749827a 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c
+@@ -398,6 +398,7 @@ static void bnxt_free_vf_resources(struct bnxt *bp)
+ }
+ }
+
++ bp->pf.active_vfs = 0;
+ kfree(bp->pf.vf);
+ bp->pf.vf = NULL;
+ }
+@@ -833,7 +834,6 @@ void bnxt_sriov_disable(struct bnxt *bp)
+
+ bnxt_free_vf_resources(bp);
+
+- bp->pf.active_vfs = 0;
+ /* Reclaim all resources for the PF. */
+ rtnl_lock();
+ bnxt_restore_pf_fw_resources(bp);
+--
+2.25.1
+
--- /dev/null
+From 9b2b73fff3f99320a0b7423ddfbf9edabbe69b2e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Jun 2020 16:13:18 -0700
+Subject: bpf, sockmap: RCU dereferenced psock may be used outside RCU block
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+[ Upstream commit 8025751d4d55a2f32be6bdf825b6a80c299875f5 ]
+
+If an ingress verdict program specifies message sizes greater than
+skb->len and there is an ENOMEM error due to memory pressure we
+may call the rcv_msg handler outside the strp_data_ready() caller
+context. This is because on an ENOMEM error the strparser will
+retry from a workqueue. The caller currently protects the use of
+psock by calling the strp_data_ready() inside a rcu_read_lock/unlock
+block.
+
+But, in above workqueue error case the psock is accessed outside
+the read_lock/unlock block of the caller. So instead of using
+psock directly we must do a look up against the sk again to
+ensure the psock is available.
+
+There is an an ugly piece here where we must handle
+the case where we paused the strp and removed the psock. On
+psock removal we first pause the strparser and then remove
+the psock. If the strparser is paused while an skb is
+scheduled on the workqueue the skb will be dropped on the
+flow and kfree_skb() is called. If the workqueue manages
+to get called before we pause the strparser but runs the rcvmsg
+callback after the psock is removed we will hit the unlikely
+case where we run the sockmap rcvmsg handler but do not have
+a psock. For now we will follow strparser logic and drop the
+skb on the floor with skb_kfree(). This is ugly because the
+data is dropped. To date this has not caused problems in practice
+because either the application controlling the sockmap is
+coordinating with the datapath so that skbs are "flushed"
+before removal or we simply wait for the sock to be closed before
+removing it.
+
+This patch fixes the describe RCU bug and dropping the skb doesn't
+make things worse. Future patches will improve this by allowing
+the normal case where skbs are not merged to skip the strparser
+altogether. In practice many (most?) use cases have no need to
+merge skbs so its both a code complexity hit as seen above and
+a performance issue. For example, in the Cilium case we always
+set the strparser up to return sbks 1:1 without any merging and
+have avoided above issues.
+
+Fixes: e91de6afa81c1 ("bpf: Fix running sk_skb program types with ktls")
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Martin KaFai Lau <kafai@fb.com>
+Link: https://lore.kernel.org/bpf/159312679888.18340.15248924071966273998.stgit@john-XPS-13-9370
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/skmsg.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/net/core/skmsg.c b/net/core/skmsg.c
+index 70ea352e3a3b6..118cf1ace43a6 100644
+--- a/net/core/skmsg.c
++++ b/net/core/skmsg.c
+@@ -785,11 +785,18 @@ static void sk_psock_verdict_apply(struct sk_psock *psock,
+
+ static void sk_psock_strp_read(struct strparser *strp, struct sk_buff *skb)
+ {
+- struct sk_psock *psock = sk_psock_from_strp(strp);
++ struct sk_psock *psock;
+ struct bpf_prog *prog;
+ int ret = __SK_DROP;
++ struct sock *sk;
+
+ rcu_read_lock();
++ sk = strp->sk;
++ psock = sk_psock(sk);
++ if (unlikely(!psock)) {
++ kfree_skb(skb);
++ goto out;
++ }
+ prog = READ_ONCE(psock->progs.skb_verdict);
+ if (likely(prog)) {
+ skb_orphan(skb);
+@@ -798,6 +805,7 @@ static void sk_psock_strp_read(struct strparser *strp, struct sk_buff *skb)
+ ret = sk_psock_map_verd(ret, tcp_skb_bpf_redirect_fetch(skb));
+ }
+ sk_psock_verdict_apply(psock, skb, ret);
++out:
+ rcu_read_unlock();
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 6ef1ba2a95b84876ca1f687ba23b121aa619e75a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Jun 2020 16:12:59 -0700
+Subject: bpf, sockmap: RCU splat with redirect and strparser error or TLS
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+[ Upstream commit 93dd5f185916b05e931cffae636596f21f98546e ]
+
+There are two paths to generate the below RCU splat the first and
+most obvious is the result of the BPF verdict program issuing a
+redirect on a TLS socket (This is the splat shown below). Unlike
+the non-TLS case the caller of the *strp_read() hooks does not
+wrap the call in a rcu_read_lock/unlock. Then if the BPF program
+issues a redirect action we hit the RCU splat.
+
+However, in the non-TLS socket case the splat appears to be
+relatively rare, because the skmsg caller into the strp_data_ready()
+is wrapped in a rcu_read_lock/unlock. Shown here,
+
+ static void sk_psock_strp_data_ready(struct sock *sk)
+ {
+ struct sk_psock *psock;
+
+ rcu_read_lock();
+ psock = sk_psock(sk);
+ if (likely(psock)) {
+ if (tls_sw_has_ctx_rx(sk)) {
+ psock->parser.saved_data_ready(sk);
+ } else {
+ write_lock_bh(&sk->sk_callback_lock);
+ strp_data_ready(&psock->parser.strp);
+ write_unlock_bh(&sk->sk_callback_lock);
+ }
+ }
+ rcu_read_unlock();
+ }
+
+If the above was the only way to run the verdict program we
+would be safe. But, there is a case where the strparser may throw an
+ENOMEM error while parsing the skb. This is a result of a failed
+skb_clone, or alloc_skb_for_msg while building a new merged skb when
+the msg length needed spans multiple skbs. This will in turn put the
+skb on the strp_wrk workqueue in the strparser code. The skb will
+later be dequeued and verdict programs run, but now from a
+different context without the rcu_read_lock()/unlock() critical
+section in sk_psock_strp_data_ready() shown above. In practice
+I have not seen this yet, because as far as I know most users of the
+verdict programs are also only working on single skbs. In this case no
+merge happens which could trigger the above ENOMEM errors. In addition
+the system would need to be under memory pressure. For example, we
+can't hit the above case in selftests because we missed having tests
+to merge skbs. (Added in later patch)
+
+To fix the below splat extend the rcu_read_lock/unnlock block to
+include the call to sk_psock_tls_verdict_apply(). This will fix both
+TLS redirect case and non-TLS redirect+error case. Also remove
+psock from the sk_psock_tls_verdict_apply() function signature its
+not used there.
+
+[ 1095.937597] WARNING: suspicious RCU usage
+[ 1095.940964] 5.7.0-rc7-02911-g463bac5f1ca79 #1 Tainted: G W
+[ 1095.944363] -----------------------------
+[ 1095.947384] include/linux/skmsg.h:284 suspicious rcu_dereference_check() usage!
+[ 1095.950866]
+[ 1095.950866] other info that might help us debug this:
+[ 1095.950866]
+[ 1095.957146]
+[ 1095.957146] rcu_scheduler_active = 2, debug_locks = 1
+[ 1095.961482] 1 lock held by test_sockmap/15970:
+[ 1095.964501] #0: ffff9ea6b25de660 (sk_lock-AF_INET){+.+.}-{0:0}, at: tls_sw_recvmsg+0x13a/0x840 [tls]
+[ 1095.968568]
+[ 1095.968568] stack backtrace:
+[ 1095.975001] CPU: 1 PID: 15970 Comm: test_sockmap Tainted: G W 5.7.0-rc7-02911-g463bac5f1ca79 #1
+[ 1095.977883] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
+[ 1095.980519] Call Trace:
+[ 1095.982191] dump_stack+0x8f/0xd0
+[ 1095.984040] sk_psock_skb_redirect+0xa6/0xf0
+[ 1095.986073] sk_psock_tls_strp_read+0x1d8/0x250
+[ 1095.988095] tls_sw_recvmsg+0x714/0x840 [tls]
+
+v2: Improve commit message to identify non-TLS redirect plus error case
+ condition as well as more common TLS case. In the process I decided
+ doing the rcu_read_unlock followed by the lock/unlock inside branches
+ was unnecessarily complex. We can just extend the current rcu block
+ and get the same effeective without the shuffling and branching.
+ Thanks Martin!
+
+Fixes: e91de6afa81c1 ("bpf: Fix running sk_skb program types with ktls")
+Reported-by: Jakub Sitnicki <jakub@cloudflare.com>
+Reported-by: kernel test robot <rong.a.chen@intel.com>
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Martin KaFai Lau <kafai@fb.com>
+Acked-by: Jakub Sitnicki <jakub@cloudflare.com>
+Link: https://lore.kernel.org/bpf/159312677907.18340.11064813152758406626.stgit@john-XPS-13-9370
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/skmsg.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/net/core/skmsg.c b/net/core/skmsg.c
+index 0536ea9298e4c..70ea352e3a3b6 100644
+--- a/net/core/skmsg.c
++++ b/net/core/skmsg.c
+@@ -687,7 +687,7 @@ static struct sk_psock *sk_psock_from_strp(struct strparser *strp)
+ return container_of(parser, struct sk_psock, parser);
+ }
+
+-static void sk_psock_skb_redirect(struct sk_psock *psock, struct sk_buff *skb)
++static void sk_psock_skb_redirect(struct sk_buff *skb)
+ {
+ struct sk_psock *psock_other;
+ struct sock *sk_other;
+@@ -719,12 +719,11 @@ static void sk_psock_skb_redirect(struct sk_psock *psock, struct sk_buff *skb)
+ }
+ }
+
+-static void sk_psock_tls_verdict_apply(struct sk_psock *psock,
+- struct sk_buff *skb, int verdict)
++static void sk_psock_tls_verdict_apply(struct sk_buff *skb, int verdict)
+ {
+ switch (verdict) {
+ case __SK_REDIRECT:
+- sk_psock_skb_redirect(psock, skb);
++ sk_psock_skb_redirect(skb);
+ break;
+ case __SK_PASS:
+ case __SK_DROP:
+@@ -745,8 +744,8 @@ int sk_psock_tls_strp_read(struct sk_psock *psock, struct sk_buff *skb)
+ ret = sk_psock_bpf_run(psock, prog, skb);
+ ret = sk_psock_map_verd(ret, tcp_skb_bpf_redirect_fetch(skb));
+ }
++ sk_psock_tls_verdict_apply(skb, ret);
+ rcu_read_unlock();
+- sk_psock_tls_verdict_apply(psock, skb, ret);
+ return ret;
+ }
+ EXPORT_SYMBOL_GPL(sk_psock_tls_strp_read);
+@@ -774,7 +773,7 @@ static void sk_psock_verdict_apply(struct sk_psock *psock,
+ }
+ goto out_free;
+ case __SK_REDIRECT:
+- sk_psock_skb_redirect(psock, skb);
++ sk_psock_skb_redirect(skb);
+ break;
+ case __SK_DROP:
+ /* fall-through */
+@@ -798,8 +797,8 @@ static void sk_psock_strp_read(struct strparser *strp, struct sk_buff *skb)
+ ret = sk_psock_bpf_run(psock, prog, skb);
+ ret = sk_psock_map_verd(ret, tcp_skb_bpf_redirect_fetch(skb));
+ }
+- rcu_read_unlock();
+ sk_psock_verdict_apply(psock, skb, ret);
++ rcu_read_unlock();
+ }
+
+ static int sk_psock_strp_read_done(struct strparser *strp, int err)
+--
+2.25.1
+
--- /dev/null
+From a24cff2f0071faab09b5f4e353ed5db58e85d852 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Jul 2020 03:14:27 +0530
+Subject: cxgb4: fix all-mask IP address comparison
+
+From: Rahul Lakkireddy <rahul.lakkireddy@chelsio.com>
+
+[ Upstream commit 76c4d85c9260c3d741cbd194c30c61983d0a4303 ]
+
+Convert all-mask IP address to Big Endian, instead, for comparison.
+
+Fixes: f286dd8eaad5 ("cxgb4: use correct type for all-mask IP address comparison")
+Signed-off-by: Rahul Lakkireddy <rahul.lakkireddy@chelsio.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c
+index 375e1be6a2d8d..f459313357c78 100644
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c
+@@ -839,16 +839,16 @@ static bool is_addr_all_mask(u8 *ipmask, int family)
+ struct in_addr *addr;
+
+ addr = (struct in_addr *)ipmask;
+- if (ntohl(addr->s_addr) == 0xffffffff)
++ if (addr->s_addr == htonl(0xffffffff))
+ return true;
+ } else if (family == AF_INET6) {
+ struct in6_addr *addr6;
+
+ addr6 = (struct in6_addr *)ipmask;
+- if (ntohl(addr6->s6_addr32[0]) == 0xffffffff &&
+- ntohl(addr6->s6_addr32[1]) == 0xffffffff &&
+- ntohl(addr6->s6_addr32[2]) == 0xffffffff &&
+- ntohl(addr6->s6_addr32[3]) == 0xffffffff)
++ if (addr6->s6_addr32[0] == htonl(0xffffffff) &&
++ addr6->s6_addr32[1] == htonl(0xffffffff) &&
++ addr6->s6_addr32[2] == htonl(0xffffffff) &&
++ addr6->s6_addr32[3] == htonl(0xffffffff))
+ return true;
+ }
+ return false;
+--
+2.25.1
+
--- /dev/null
+From 443da6a16d58831dec80c66e2069612f9cba6d31 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jun 2020 23:57:53 +0800
+Subject: drm/mediatek: Check plane visibility in atomic_update
+
+From: Hsin-Yi Wang <hsinyi@chromium.org>
+
+[ Upstream commit c0b8892e2461b5fa740e47efbb1269a487b04020 ]
+
+Disable the plane if it's not visible. Otherwise mtk_ovl_layer_config()
+would proceed with invalid plane and we may see vblank timeout.
+
+Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.")
+Signed-off-by: Hsin-Yi Wang <hsinyi@chromium.org>
+Reviewed-by: Tomasz Figa <tfiga@chromium.org>
+Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/mediatek/mtk_drm_plane.c | 25 ++++++++++++++----------
+ 1 file changed, 15 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/gpu/drm/mediatek/mtk_drm_plane.c b/drivers/gpu/drm/mediatek/mtk_drm_plane.c
+index 584a9ecadce62..b7592b16ea940 100644
+--- a/drivers/gpu/drm/mediatek/mtk_drm_plane.c
++++ b/drivers/gpu/drm/mediatek/mtk_drm_plane.c
+@@ -101,6 +101,16 @@ static int mtk_plane_atomic_check(struct drm_plane *plane,
+ true, true);
+ }
+
++static void mtk_plane_atomic_disable(struct drm_plane *plane,
++ struct drm_plane_state *old_state)
++{
++ struct mtk_plane_state *state = to_mtk_plane_state(plane->state);
++
++ state->pending.enable = false;
++ wmb(); /* Make sure the above parameter is set before update */
++ state->pending.dirty = true;
++}
++
+ static void mtk_plane_atomic_update(struct drm_plane *plane,
+ struct drm_plane_state *old_state)
+ {
+@@ -115,6 +125,11 @@ static void mtk_plane_atomic_update(struct drm_plane *plane,
+ if (!crtc || WARN_ON(!fb))
+ return;
+
++ if (!plane->state->visible) {
++ mtk_plane_atomic_disable(plane, old_state);
++ return;
++ }
++
+ gem = fb->obj[0];
+ mtk_gem = to_mtk_gem_obj(gem);
+ addr = mtk_gem->dma_addr;
+@@ -136,16 +151,6 @@ static void mtk_plane_atomic_update(struct drm_plane *plane,
+ state->pending.dirty = true;
+ }
+
+-static void mtk_plane_atomic_disable(struct drm_plane *plane,
+- struct drm_plane_state *old_state)
+-{
+- struct mtk_plane_state *state = to_mtk_plane_state(plane->state);
+-
+- state->pending.enable = false;
+- wmb(); /* Make sure the above parameter is set before update */
+- state->pending.dirty = true;
+-}
+-
+ static const struct drm_plane_helper_funcs mtk_plane_helper_funcs = {
+ .prepare_fb = drm_gem_fb_prepare_fb,
+ .atomic_check = mtk_plane_atomic_check,
+--
+2.25.1
+
--- /dev/null
+From 50fa90bfce515c9bad5c05a0cfa05765a82c37b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Jun 2020 14:49:06 +0300
+Subject: gpio: pca953x: Fix GPIO resource leak on Intel Galileo Gen 2
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 5d8913504ccfeea6120df5ae1c6f4479ff09b931 ]
+
+When adding a quirk for IRQ on Intel Galileo Gen 2 the commit ba8c90c61847
+("gpio: pca953x: Override IRQ for one of the expanders on Galileo Gen 2")
+missed GPIO resource release. We can safely do this in the same quirk, since
+IRQ will be locked by GPIO framework when requested and unlocked on freeing.
+
+Fixes: ba8c90c61847 ("gpio: pca953x: Override IRQ for one of the expanders on Galileo Gen 2")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: Mika Westerberg <mika.westerberg@linux.intel.com>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-pca953x.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpio/gpio-pca953x.c b/drivers/gpio/gpio-pca953x.c
+index c935019c0257c..81f5103dccb6f 100644
+--- a/drivers/gpio/gpio-pca953x.c
++++ b/drivers/gpio/gpio-pca953x.c
+@@ -176,7 +176,12 @@ static int pca953x_acpi_get_irq(struct device *dev)
+ if (ret)
+ return ret;
+
+- return gpio_to_irq(pin);
++ ret = gpio_to_irq(pin);
++
++ /* When pin is used as an IRQ, no need to keep it requested */
++ gpio_free(pin);
++
++ return ret;
+ }
+ #endif
+
+--
+2.25.1
+
--- /dev/null
+From d933f2a08dc7bd313220dfeb093f03d1b664f0de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Jun 2020 16:40:34 +0300
+Subject: gpio: pca953x: Override IRQ for one of the expanders on Galileo Gen 2
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit ba8c90c6184784b397807b72403656085ac2f8c1 ]
+
+ACPI table on Intel Galileo Gen 2 has wrong pin number for IRQ resource
+of one of the I²C GPIO expanders. Since we know what that number is and
+luckily have GPIO bases fixed for SoC's controllers, we may use a simple
+DMI quirk to match the platform and retrieve GpioInt() pin on it for
+the expander in question.
+
+Mika suggested the way to avoid a quirk in the GPIO ACPI library and
+here is the second, almost rewritten version of it.
+
+Fixes: f32517bf1ae0 ("gpio: pca953x: support ACPI devices found on Galileo Gen2")
+Depends-on: 25e3ef894eef ("gpio: acpi: Split out acpi_gpio_get_irq_resource() helper")
+Suggested-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-pca953x.c | 79 +++++++++++++++++++++++++++++++++++++
+ 1 file changed, 79 insertions(+)
+
+diff --git a/drivers/gpio/gpio-pca953x.c b/drivers/gpio/gpio-pca953x.c
+index 29ba26742c8f5..c935019c0257c 100644
+--- a/drivers/gpio/gpio-pca953x.c
++++ b/drivers/gpio/gpio-pca953x.c
+@@ -107,6 +107,79 @@ static const struct i2c_device_id pca953x_id[] = {
+ };
+ MODULE_DEVICE_TABLE(i2c, pca953x_id);
+
++#ifdef CONFIG_GPIO_PCA953X_IRQ
++
++#include <linux/dmi.h>
++#include <linux/gpio.h>
++#include <linux/list.h>
++
++static const struct dmi_system_id pca953x_dmi_acpi_irq_info[] = {
++ {
++ /*
++ * On Intel Galileo Gen 2 board the IRQ pin of one of
++ * the I²C GPIO expanders, which has GpioInt() resource,
++ * is provided as an absolute number instead of being
++ * relative. Since first controller (gpio-sch.c) and
++ * second (gpio-dwapb.c) are at the fixed bases, we may
++ * safely refer to the number in the global space to get
++ * an IRQ out of it.
++ */
++ .matches = {
++ DMI_EXACT_MATCH(DMI_BOARD_NAME, "GalileoGen2"),
++ },
++ },
++ {}
++};
++
++#ifdef CONFIG_ACPI
++static int pca953x_acpi_get_pin(struct acpi_resource *ares, void *data)
++{
++ struct acpi_resource_gpio *agpio;
++ int *pin = data;
++
++ if (acpi_gpio_get_irq_resource(ares, &agpio))
++ *pin = agpio->pin_table[0];
++ return 1;
++}
++
++static int pca953x_acpi_find_pin(struct device *dev)
++{
++ struct acpi_device *adev = ACPI_COMPANION(dev);
++ int pin = -ENOENT, ret;
++ LIST_HEAD(r);
++
++ ret = acpi_dev_get_resources(adev, &r, pca953x_acpi_get_pin, &pin);
++ acpi_dev_free_resource_list(&r);
++ if (ret < 0)
++ return ret;
++
++ return pin;
++}
++#else
++static inline int pca953x_acpi_find_pin(struct device *dev) { return -ENXIO; }
++#endif
++
++static int pca953x_acpi_get_irq(struct device *dev)
++{
++ int pin, ret;
++
++ pin = pca953x_acpi_find_pin(dev);
++ if (pin < 0)
++ return pin;
++
++ dev_info(dev, "Applying ACPI interrupt quirk (GPIO %d)\n", pin);
++
++ if (!gpio_is_valid(pin))
++ return -EINVAL;
++
++ ret = gpio_request(pin, "pca953x interrupt");
++ if (ret)
++ return ret;
++
++ return gpio_to_irq(pin);
++}
++#endif
++
+ static const struct acpi_device_id pca953x_acpi_ids[] = {
+ { "INT3491", 16 | PCA953X_TYPE | PCA_LATCH_INT, },
+ { }
+@@ -772,6 +845,12 @@ static int pca953x_irq_setup(struct pca953x_chip *chip,
+ u8 reg_direction[MAX_BANK];
+ int ret, i;
+
++ if (dmi_first_match(pca953x_dmi_acpi_irq_info)) {
++ ret = pca953x_acpi_get_irq(&client->dev);
++ if (ret > 0)
++ client->irq = ret;
++ }
++
+ if (!client->irq)
+ return 0;
+
+--
+2.25.1
+
--- /dev/null
+From 402bf4bc412b8a674186c822672b926c562c0a18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Jul 2020 14:06:11 +0300
+Subject: IB/mlx5: Fix 50G per lane indication
+
+From: Aya Levin <ayal@mellanox.com>
+
+[ Upstream commit 530c8632b547ff72f11ff83654b22462a73f1f7b ]
+
+Some released FW versions mistakenly don't set the capability that 50G per
+lane link-modes are supported for VFs (ptys_extended_ethernet capability
+bit).
+
+Use PTYS.ext_eth_proto_capability instead, as this indication is always
+accurate. If PTYS.ext_eth_proto_capability is valid
+(has a non-zero value) conclude that the HCA supports 50G per lane.
+
+Otherwise, conclude that the HCA doesn't support 50G per lane.
+
+Fixes: 08e8676f1607 ("IB/mlx5: Add support for 50Gbps per lane link modes")
+Link: https://lore.kernel.org/r/20200707110612.882962-3-leon@kernel.org
+Signed-off-by: Aya Levin <ayal@mellanox.com>
+Reviewed-by: Eran Ben Elisha <eranbe@mellanox.com>
+Reviewed-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c
+index 4f44a731a48e1..b781ad74e6de4 100644
+--- a/drivers/infiniband/hw/mlx5/main.c
++++ b/drivers/infiniband/hw/mlx5/main.c
+@@ -517,7 +517,7 @@ static int mlx5_query_port_roce(struct ib_device *device, u8 port_num,
+ mdev_port_num);
+ if (err)
+ goto out;
+- ext = MLX5_CAP_PCAM_FEATURE(dev->mdev, ptys_extended_ethernet);
++ ext = !!MLX5_GET_ETH_PROTO(ptys_reg, out, true, eth_proto_capability);
+ eth_prot_oper = MLX5_GET_ETH_PROTO(ptys_reg, out, ext, eth_proto_oper);
+
+ props->active_width = IB_WIDTH_4X;
+--
+2.25.1
+
--- /dev/null
+From 6ef115ce959caf0df3a7f83b7c7d5e63caa4ff19 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Jun 2020 19:13:09 -0700
+Subject: IB/sa: Resolv use-after-free in ib_nl_make_request()
+
+From: Divya Indi <divya.indi@oracle.com>
+
+[ Upstream commit f427f4d6214c183c474eeb46212d38e6c7223d6a ]
+
+There is a race condition where ib_nl_make_request() inserts the request
+data into the linked list but the timer in ib_nl_request_timeout() can see
+it and destroy it before ib_nl_send_msg() is done touching it. This could
+happen, for instance, if there is a long delay allocating memory during
+nlmsg_new()
+
+This causes a use-after-free in the send_mad() thread:
+
+ [<ffffffffa02f43cb>] ? ib_pack+0x17b/0x240 [ib_core]
+ [ <ffffffffa032aef1>] ib_sa_path_rec_get+0x181/0x200 [ib_sa]
+ [<ffffffffa0379db0>] rdma_resolve_route+0x3c0/0x8d0 [rdma_cm]
+ [<ffffffffa0374450>] ? cma_bind_port+0xa0/0xa0 [rdma_cm]
+ [<ffffffffa040f850>] ? rds_rdma_cm_event_handler_cmn+0x850/0x850 [rds_rdma]
+ [<ffffffffa040f22c>] rds_rdma_cm_event_handler_cmn+0x22c/0x850 [rds_rdma]
+ [<ffffffffa040f860>] rds_rdma_cm_event_handler+0x10/0x20 [rds_rdma]
+ [<ffffffffa037778e>] addr_handler+0x9e/0x140 [rdma_cm]
+ [<ffffffffa026cdb4>] process_req+0x134/0x190 [ib_addr]
+ [<ffffffff810a02f9>] process_one_work+0x169/0x4a0
+ [<ffffffff810a0b2b>] worker_thread+0x5b/0x560
+ [<ffffffff810a0ad0>] ? flush_delayed_work+0x50/0x50
+ [<ffffffff810a68fb>] kthread+0xcb/0xf0
+ [<ffffffff816ec49a>] ? __schedule+0x24a/0x810
+ [<ffffffff816ec49a>] ? __schedule+0x24a/0x810
+ [<ffffffff810a6830>] ? kthread_create_on_node+0x180/0x180
+ [<ffffffff816f25a7>] ret_from_fork+0x47/0x90
+ [<ffffffff810a6830>] ? kthread_create_on_node+0x180/0x180
+
+The ownership rule is once the request is on the list, ownership transfers
+to the list and the local thread can't touch it any more, just like for
+the normal MAD case in send_mad().
+
+Thus, instead of adding before send and then trying to delete after on
+errors, move the entire thing under the spinlock so that the send and
+update of the lists are atomic to the conurrent threads. Lightly reoganize
+things so spinlock safe memory allocations are done in the final NL send
+path and the rest of the setup work is done before and outside the lock.
+
+Fixes: 3ebd2fd0d011 ("IB/sa: Put netlink request into the request list before sending")
+Link: https://lore.kernel.org/r/1592964789-14533-1-git-send-email-divya.indi@oracle.com
+Signed-off-by: Divya Indi <divya.indi@oracle.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/sa_query.c | 38 +++++++++++++-----------------
+ 1 file changed, 17 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/infiniband/core/sa_query.c b/drivers/infiniband/core/sa_query.c
+index bddb5434fbed2..d2d70c89193ff 100644
+--- a/drivers/infiniband/core/sa_query.c
++++ b/drivers/infiniband/core/sa_query.c
+@@ -829,13 +829,20 @@ static int ib_nl_get_path_rec_attrs_len(ib_sa_comp_mask comp_mask)
+ return len;
+ }
+
+-static int ib_nl_send_msg(struct ib_sa_query *query, gfp_t gfp_mask)
++static int ib_nl_make_request(struct ib_sa_query *query, gfp_t gfp_mask)
+ {
+ struct sk_buff *skb = NULL;
+ struct nlmsghdr *nlh;
+ void *data;
+ struct ib_sa_mad *mad;
+ int len;
++ unsigned long flags;
++ unsigned long delay;
++ gfp_t gfp_flag;
++ int ret;
++
++ INIT_LIST_HEAD(&query->list);
++ query->seq = (u32)atomic_inc_return(&ib_nl_sa_request_seq);
+
+ mad = query->mad_buf->mad;
+ len = ib_nl_get_path_rec_attrs_len(mad->sa_hdr.comp_mask);
+@@ -860,36 +867,25 @@ static int ib_nl_send_msg(struct ib_sa_query *query, gfp_t gfp_mask)
+ /* Repair the nlmsg header length */
+ nlmsg_end(skb, nlh);
+
+- return rdma_nl_multicast(&init_net, skb, RDMA_NL_GROUP_LS, gfp_mask);
+-}
++ gfp_flag = ((gfp_mask & GFP_ATOMIC) == GFP_ATOMIC) ? GFP_ATOMIC :
++ GFP_NOWAIT;
+
+-static int ib_nl_make_request(struct ib_sa_query *query, gfp_t gfp_mask)
+-{
+- unsigned long flags;
+- unsigned long delay;
+- int ret;
++ spin_lock_irqsave(&ib_nl_request_lock, flags);
++ ret = rdma_nl_multicast(&init_net, skb, RDMA_NL_GROUP_LS, gfp_flag);
+
+- INIT_LIST_HEAD(&query->list);
+- query->seq = (u32)atomic_inc_return(&ib_nl_sa_request_seq);
++ if (ret)
++ goto out;
+
+- /* Put the request on the list first.*/
+- spin_lock_irqsave(&ib_nl_request_lock, flags);
++ /* Put the request on the list.*/
+ delay = msecs_to_jiffies(sa_local_svc_timeout_ms);
+ query->timeout = delay + jiffies;
+ list_add_tail(&query->list, &ib_nl_request_list);
+ /* Start the timeout if this is the only request */
+ if (ib_nl_request_list.next == &query->list)
+ queue_delayed_work(ib_nl_wq, &ib_nl_timed_work, delay);
+- spin_unlock_irqrestore(&ib_nl_request_lock, flags);
+
+- ret = ib_nl_send_msg(query, gfp_mask);
+- if (ret) {
+- ret = -EIO;
+- /* Remove the request */
+- spin_lock_irqsave(&ib_nl_request_lock, flags);
+- list_del(&query->list);
+- spin_unlock_irqrestore(&ib_nl_request_lock, flags);
+- }
++out:
++ spin_unlock_irqrestore(&ib_nl_request_lock, flags);
+
+ return ret;
+ }
+--
+2.25.1
+
--- /dev/null
+From ee7a762c5ffda299f228b85544545489cc30e3fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Jul 2020 16:41:39 +0300
+Subject: mlxsw: pci: Fix use-after-free in case of failed devlink reload
+
+From: Ido Schimmel <idosch@mellanox.com>
+
+[ Upstream commit c4317b11675b99af6641662ebcbd3c6010600e64 ]
+
+In case devlink reload failed, it is possible to trigger a
+use-after-free when querying the kernel for device info via 'devlink dev
+info' [1].
+
+This happens because as part of the reload error path the PCI command
+interface is de-initialized and its mailboxes are freed. When the
+devlink '->info_get()' callback is invoked the device is queried via the
+command interface and the freed mailboxes are accessed.
+
+Fix this by initializing the command interface once during probe and not
+during every reload.
+
+This is consistent with the other bus used by mlxsw (i.e., 'mlxsw_i2c')
+and also allows user space to query the running firmware version (for
+example) from the device after a failed reload.
+
+[1]
+BUG: KASAN: use-after-free in memcpy include/linux/string.h:406 [inline]
+BUG: KASAN: use-after-free in mlxsw_pci_cmd_exec+0x177/0xa60 drivers/net/ethernet/mellanox/mlxsw/pci.c:1675
+Write of size 4096 at addr ffff88810ae32000 by task syz-executor.1/2355
+
+CPU: 1 PID: 2355 Comm: syz-executor.1 Not tainted 5.8.0-rc2+ #29
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xf6/0x16e lib/dump_stack.c:118
+ print_address_description.constprop.0+0x1c/0x250 mm/kasan/report.c:383
+ __kasan_report mm/kasan/report.c:513 [inline]
+ kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
+ check_memory_region_inline mm/kasan/generic.c:186 [inline]
+ check_memory_region+0x14e/0x1b0 mm/kasan/generic.c:192
+ memcpy+0x39/0x60 mm/kasan/common.c:106
+ memcpy include/linux/string.h:406 [inline]
+ mlxsw_pci_cmd_exec+0x177/0xa60 drivers/net/ethernet/mellanox/mlxsw/pci.c:1675
+ mlxsw_cmd_exec+0x249/0x550 drivers/net/ethernet/mellanox/mlxsw/core.c:2335
+ mlxsw_cmd_access_reg drivers/net/ethernet/mellanox/mlxsw/cmd.h:859 [inline]
+ mlxsw_core_reg_access_cmd drivers/net/ethernet/mellanox/mlxsw/core.c:1938 [inline]
+ mlxsw_core_reg_access+0x2f6/0x540 drivers/net/ethernet/mellanox/mlxsw/core.c:1985
+ mlxsw_reg_query drivers/net/ethernet/mellanox/mlxsw/core.c:2000 [inline]
+ mlxsw_devlink_info_get+0x17f/0x6e0 drivers/net/ethernet/mellanox/mlxsw/core.c:1090
+ devlink_nl_info_fill.constprop.0+0x13c/0x2d0 net/core/devlink.c:4588
+ devlink_nl_cmd_info_get_dumpit+0x246/0x460 net/core/devlink.c:4648
+ genl_lock_dumpit+0x85/0xc0 net/netlink/genetlink.c:575
+ netlink_dump+0x515/0xe50 net/netlink/af_netlink.c:2245
+ __netlink_dump_start+0x53d/0x830 net/netlink/af_netlink.c:2353
+ genl_family_rcv_msg_dumpit.isra.0+0x296/0x300 net/netlink/genetlink.c:638
+ genl_family_rcv_msg net/netlink/genetlink.c:733 [inline]
+ genl_rcv_msg+0x78d/0x9d0 net/netlink/genetlink.c:753
+ netlink_rcv_skb+0x152/0x440 net/netlink/af_netlink.c:2469
+ genl_rcv+0x24/0x40 net/netlink/genetlink.c:764
+ netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
+ netlink_unicast+0x53a/0x750 net/netlink/af_netlink.c:1329
+ netlink_sendmsg+0x850/0xd90 net/netlink/af_netlink.c:1918
+ sock_sendmsg_nosec net/socket.c:652 [inline]
+ sock_sendmsg+0x150/0x190 net/socket.c:672
+ ____sys_sendmsg+0x6d8/0x840 net/socket.c:2363
+ ___sys_sendmsg+0xff/0x170 net/socket.c:2417
+ __sys_sendmsg+0xe5/0x1b0 net/socket.c:2450
+ do_syscall_64+0x56/0xa0 arch/x86/entry/common.c:359
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: a9c8336f6544 ("mlxsw: core: Add support for devlink info command")
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Reviewed-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/pci.c | 54 ++++++++++++++++-------
+ 1 file changed, 38 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/pci.c b/drivers/net/ethernet/mellanox/mlxsw/pci.c
+index f3d1f9411d104..aa4fef7890841 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/pci.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/pci.c
+@@ -1401,23 +1401,12 @@ static int mlxsw_pci_init(void *bus_priv, struct mlxsw_core *mlxsw_core,
+ u16 num_pages;
+ int err;
+
+- mutex_init(&mlxsw_pci->cmd.lock);
+- init_waitqueue_head(&mlxsw_pci->cmd.wait);
+-
+ mlxsw_pci->core = mlxsw_core;
+
+ mbox = mlxsw_cmd_mbox_alloc();
+ if (!mbox)
+ return -ENOMEM;
+
+- err = mlxsw_pci_mbox_alloc(mlxsw_pci, &mlxsw_pci->cmd.in_mbox);
+- if (err)
+- goto mbox_put;
+-
+- err = mlxsw_pci_mbox_alloc(mlxsw_pci, &mlxsw_pci->cmd.out_mbox);
+- if (err)
+- goto err_out_mbox_alloc;
+-
+ err = mlxsw_pci_sw_reset(mlxsw_pci, mlxsw_pci->id);
+ if (err)
+ goto err_sw_reset;
+@@ -1524,9 +1513,6 @@ static int mlxsw_pci_init(void *bus_priv, struct mlxsw_core *mlxsw_core,
+ mlxsw_pci_free_irq_vectors(mlxsw_pci);
+ err_alloc_irq:
+ err_sw_reset:
+- mlxsw_pci_mbox_free(mlxsw_pci, &mlxsw_pci->cmd.out_mbox);
+-err_out_mbox_alloc:
+- mlxsw_pci_mbox_free(mlxsw_pci, &mlxsw_pci->cmd.in_mbox);
+ mbox_put:
+ mlxsw_cmd_mbox_free(mbox);
+ return err;
+@@ -1540,8 +1526,6 @@ static void mlxsw_pci_fini(void *bus_priv)
+ mlxsw_pci_aqs_fini(mlxsw_pci);
+ mlxsw_pci_fw_area_fini(mlxsw_pci);
+ mlxsw_pci_free_irq_vectors(mlxsw_pci);
+- mlxsw_pci_mbox_free(mlxsw_pci, &mlxsw_pci->cmd.out_mbox);
+- mlxsw_pci_mbox_free(mlxsw_pci, &mlxsw_pci->cmd.in_mbox);
+ }
+
+ static struct mlxsw_pci_queue *
+@@ -1755,6 +1739,37 @@ static const struct mlxsw_bus mlxsw_pci_bus = {
+ .features = MLXSW_BUS_F_TXRX | MLXSW_BUS_F_RESET,
+ };
+
++static int mlxsw_pci_cmd_init(struct mlxsw_pci *mlxsw_pci)
++{
++ int err;
++
++ mutex_init(&mlxsw_pci->cmd.lock);
++ init_waitqueue_head(&mlxsw_pci->cmd.wait);
++
++ err = mlxsw_pci_mbox_alloc(mlxsw_pci, &mlxsw_pci->cmd.in_mbox);
++ if (err)
++ goto err_in_mbox_alloc;
++
++ err = mlxsw_pci_mbox_alloc(mlxsw_pci, &mlxsw_pci->cmd.out_mbox);
++ if (err)
++ goto err_out_mbox_alloc;
++
++ return 0;
++
++err_out_mbox_alloc:
++ mlxsw_pci_mbox_free(mlxsw_pci, &mlxsw_pci->cmd.in_mbox);
++err_in_mbox_alloc:
++ mutex_destroy(&mlxsw_pci->cmd.lock);
++ return err;
++}
++
++static void mlxsw_pci_cmd_fini(struct mlxsw_pci *mlxsw_pci)
++{
++ mlxsw_pci_mbox_free(mlxsw_pci, &mlxsw_pci->cmd.out_mbox);
++ mlxsw_pci_mbox_free(mlxsw_pci, &mlxsw_pci->cmd.in_mbox);
++ mutex_destroy(&mlxsw_pci->cmd.lock);
++}
++
+ static int mlxsw_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+ {
+ const char *driver_name = pdev->driver->name;
+@@ -1810,6 +1825,10 @@ static int mlxsw_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+ mlxsw_pci->pdev = pdev;
+ pci_set_drvdata(pdev, mlxsw_pci);
+
++ err = mlxsw_pci_cmd_init(mlxsw_pci);
++ if (err)
++ goto err_pci_cmd_init;
++
+ mlxsw_pci->bus_info.device_kind = driver_name;
+ mlxsw_pci->bus_info.device_name = pci_name(mlxsw_pci->pdev);
+ mlxsw_pci->bus_info.dev = &pdev->dev;
+@@ -1827,6 +1846,8 @@ static int mlxsw_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+ return 0;
+
+ err_bus_device_register:
++ mlxsw_pci_cmd_fini(mlxsw_pci);
++err_pci_cmd_init:
+ iounmap(mlxsw_pci->hw_addr);
+ err_ioremap:
+ err_pci_resource_len_check:
+@@ -1844,6 +1865,7 @@ static void mlxsw_pci_remove(struct pci_dev *pdev)
+ struct mlxsw_pci *mlxsw_pci = pci_get_drvdata(pdev);
+
+ mlxsw_core_bus_device_unregister(mlxsw_pci->core, false);
++ mlxsw_pci_cmd_fini(mlxsw_pci);
+ iounmap(mlxsw_pci->hw_addr);
+ pci_release_regions(mlxsw_pci->pdev);
+ pci_disable_device(mlxsw_pci->pdev);
+--
+2.25.1
+
--- /dev/null
+From 89b332022aea7a0ff40a2ed07886e4f7faf56cfd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Jul 2020 16:41:38 +0300
+Subject: mlxsw: spectrum_router: Remove inappropriate usage of WARN_ON()
+
+From: Ido Schimmel <idosch@mellanox.com>
+
+[ Upstream commit d9d5420273997664a1c09151ca86ac993f2f89c1 ]
+
+We should not trigger a warning when a memory allocation fails. Remove
+the WARN_ON().
+
+The warning is constantly triggered by syzkaller when it is injecting
+faults:
+
+[ 2230.758664] FAULT_INJECTION: forcing a failure.
+[ 2230.758664] name failslab, interval 1, probability 0, space 0, times 0
+[ 2230.762329] CPU: 3 PID: 1407 Comm: syz-executor.0 Not tainted 5.8.0-rc2+ #28
+...
+[ 2230.898175] WARNING: CPU: 3 PID: 1407 at drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:6265 mlxsw_sp_router_fib_event+0xfad/0x13e0
+[ 2230.898179] Kernel panic - not syncing: panic_on_warn set ...
+[ 2230.898183] CPU: 3 PID: 1407 Comm: syz-executor.0 Not tainted 5.8.0-rc2+ #28
+[ 2230.898190] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
+
+Fixes: 3057224e014c ("mlxsw: spectrum_router: Implement FIB offload in deferred work")
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Reviewed-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
+index efdf8cb5114c2..2f013fc716985 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
+@@ -6287,7 +6287,7 @@ static int mlxsw_sp_router_fib_event(struct notifier_block *nb,
+ }
+
+ fib_work = kzalloc(sizeof(*fib_work), GFP_ATOMIC);
+- if (WARN_ON(!fib_work))
++ if (!fib_work)
+ return NOTIFY_BAD;
+
+ fib_work->mlxsw_sp = router->mlxsw_sp;
+--
+2.25.1
+
--- /dev/null
+From 51f99126bd309daf8e405d708e4f6e7a37b6c9f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jun 2020 09:23:49 +0800
+Subject: nbd: Fix memory leak in nbd_add_socket
+
+From: Zheng Bin <zhengbin13@huawei.com>
+
+[ Upstream commit 579dd91ab3a5446b148e7f179b6596b270dace46 ]
+
+When adding first socket to nbd, if nsock's allocation failed, the data
+structure member "config->socks" was reallocated, but the data structure
+member "config->num_connections" was not updated. A memory leak will occur
+then because the function "nbd_config_put" will free "config->socks" only
+when "config->num_connections" is not zero.
+
+Fixes: 03bf73c315ed ("nbd: prevent memory leak")
+Reported-by: syzbot+934037347002901b8d2a@syzkaller.appspotmail.com
+Signed-off-by: Zheng Bin <zhengbin13@huawei.com>
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/nbd.c | 25 +++++++++++++++----------
+ 1 file changed, 15 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
+index 78181908f0df6..7b61d53ba050e 100644
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -1022,25 +1022,26 @@ static int nbd_add_socket(struct nbd_device *nbd, unsigned long arg,
+ test_bit(NBD_RT_BOUND, &config->runtime_flags))) {
+ dev_err(disk_to_dev(nbd->disk),
+ "Device being setup by another task");
+- sockfd_put(sock);
+- return -EBUSY;
++ err = -EBUSY;
++ goto put_socket;
++ }
++
++ nsock = kzalloc(sizeof(*nsock), GFP_KERNEL);
++ if (!nsock) {
++ err = -ENOMEM;
++ goto put_socket;
+ }
+
+ socks = krealloc(config->socks, (config->num_connections + 1) *
+ sizeof(struct nbd_sock *), GFP_KERNEL);
+ if (!socks) {
+- sockfd_put(sock);
+- return -ENOMEM;
++ kfree(nsock);
++ err = -ENOMEM;
++ goto put_socket;
+ }
+
+ config->socks = socks;
+
+- nsock = kzalloc(sizeof(struct nbd_sock), GFP_KERNEL);
+- if (!nsock) {
+- sockfd_put(sock);
+- return -ENOMEM;
+- }
+-
+ nsock->fallback_index = -1;
+ nsock->dead = false;
+ mutex_init(&nsock->tx_lock);
+@@ -1052,6 +1053,10 @@ static int nbd_add_socket(struct nbd_device *nbd, unsigned long arg,
+ atomic_inc(&config->live_connections);
+
+ return 0;
++
++put_socket:
++ sockfd_put(sock);
++ return err;
+ }
+
+ static int nbd_reconnect_socket(struct nbd_device *nbd, unsigned long arg)
+--
+2.25.1
+
--- /dev/null
+From 64e3ef8427b06c4e3721b3d503ff1903dd10e0f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jun 2020 18:49:51 +0800
+Subject: net: cxgb4: fix return error value in t4_prep_fw
+
+From: Li Heng <liheng40@huawei.com>
+
+[ Upstream commit 8a259e6b73ad8181b0b2ef338b35043433db1075 ]
+
+t4_prep_fw goto bye tag with positive return value when something
+bad happened and which can not free resource in adap_init0.
+so fix it to return negative value.
+
+Fixes: 16e47624e76b ("cxgb4: Add new scheme to update T4/T5 firmware")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Li Heng <liheng40@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/chelsio/cxgb4/t4_hw.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c
+index 31fcfc58e3373..588b63473c473 100644
+--- a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c
+@@ -3499,7 +3499,7 @@ int t4_prep_fw(struct adapter *adap, struct fw_info *fw_info,
+ drv_fw = &fw_info->fw_hdr;
+
+ /* Read the header of the firmware on the card */
+- ret = -t4_read_flash(adap, FLASH_FW_START,
++ ret = t4_read_flash(adap, FLASH_FW_START,
+ sizeof(*card_fw) / sizeof(uint32_t),
+ (uint32_t *)card_fw, 1);
+ if (ret == 0) {
+@@ -3528,8 +3528,8 @@ int t4_prep_fw(struct adapter *adap, struct fw_info *fw_info,
+ should_install_fs_fw(adap, card_fw_usable,
+ be32_to_cpu(fs_fw->fw_ver),
+ be32_to_cpu(card_fw->fw_ver))) {
+- ret = -t4_fw_upgrade(adap, adap->mbox, fw_data,
+- fw_size, 0);
++ ret = t4_fw_upgrade(adap, adap->mbox, fw_data,
++ fw_size, 0);
+ if (ret != 0) {
+ dev_err(adap->pdev_dev,
+ "failed to install firmware: %d\n", ret);
+@@ -3560,7 +3560,7 @@ int t4_prep_fw(struct adapter *adap, struct fw_info *fw_info,
+ FW_HDR_FW_VER_MICRO_G(c), FW_HDR_FW_VER_BUILD_G(c),
+ FW_HDR_FW_VER_MAJOR_G(k), FW_HDR_FW_VER_MINOR_G(k),
+ FW_HDR_FW_VER_MICRO_G(k), FW_HDR_FW_VER_BUILD_G(k));
+- ret = EINVAL;
++ ret = -EINVAL;
+ goto bye;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 6c1ad72626a3b11e3f18c7c0685ccb92f6d750dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Jul 2020 12:44:50 +0300
+Subject: net: dsa: microchip: set the correct number of ports
+
+From: Codrin Ciubotariu <codrin.ciubotariu@microchip.com>
+
+[ Upstream commit af199a1a9cb02ec0194804bd46c174b6db262075 ]
+
+The number of ports is incorrectly set to the maximum available for a DSA
+switch. Even if the extra ports are not used, this causes some functions
+to be called later, like port_disable() and port_stp_state_set(). If the
+driver doesn't check the port index, it will end up modifying unknown
+registers.
+
+Fixes: b987e98e50ab ("dsa: add DSA switch driver for Microchip KSZ9477")
+Signed-off-by: Codrin Ciubotariu <codrin.ciubotariu@microchip.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/microchip/ksz8795.c | 3 +++
+ drivers/net/dsa/microchip/ksz9477.c | 3 +++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/drivers/net/dsa/microchip/ksz8795.c b/drivers/net/dsa/microchip/ksz8795.c
+index 24a5e99f7fd5b..84c4319e3b31f 100644
+--- a/drivers/net/dsa/microchip/ksz8795.c
++++ b/drivers/net/dsa/microchip/ksz8795.c
+@@ -1267,6 +1267,9 @@ static int ksz8795_switch_init(struct ksz_device *dev)
+ return -ENOMEM;
+ }
+
++ /* set the real number of ports */
++ dev->ds->num_ports = dev->port_cnt;
++
+ return 0;
+ }
+
+diff --git a/drivers/net/dsa/microchip/ksz9477.c b/drivers/net/dsa/microchip/ksz9477.c
+index 50ffc63d62319..3afb596d8e43f 100644
+--- a/drivers/net/dsa/microchip/ksz9477.c
++++ b/drivers/net/dsa/microchip/ksz9477.c
+@@ -1587,6 +1587,9 @@ static int ksz9477_switch_init(struct ksz_device *dev)
+ return -ENOMEM;
+ }
+
++ /* set the real number of ports */
++ dev->ds->num_ports = dev->port_cnt;
++
+ return 0;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 8001aa02cc7a196942c88cb13db11614db923f9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Jul 2020 19:26:01 +0800
+Subject: net: hns3: add a missing uninit debugfs when unload driver
+
+From: Huazhong Tan <tanhuazhong@huawei.com>
+
+[ Upstream commit e22b5e728bbb179b912d3a3cd5c25894a89a26a2 ]
+
+When unloading driver, if flag HNS3_NIC_STATE_INITED has been
+already cleared, the debugfs will not be uninitialized, so fix it.
+
+Fixes: b2292360bb2a ("net: hns3: Add debugfs framework registration")
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+index 403e0f089f2af..37537c3020806 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+@@ -3993,9 +3993,8 @@ static void hns3_client_uninit(struct hnae3_handle *handle, bool reset)
+
+ hns3_put_ring_config(priv);
+
+- hns3_dbg_uninit(handle);
+-
+ out_netdev_free:
++ hns3_dbg_uninit(handle);
+ free_netdev(netdev);
+ }
+
+--
+2.25.1
+
--- /dev/null
+From fce83a8539e82a370658a408066e991222540994 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Jul 2020 19:26:02 +0800
+Subject: net: hns3: fix use-after-free when doing self test
+
+From: Yonglong Liu <liuyonglong@huawei.com>
+
+[ Upstream commit a06656211304fec653c1931c2ca6d644013b5bbb ]
+
+Enable promisc mode of PF, set VF link state to enable, and
+run iperf of the VF, then do self test of the PF. The self test
+will fail with a low frequency, and may cause a use-after-free
+problem.
+
+[ 87.142126] selftest:000004a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+[ 87.159722] ==================================================================
+[ 87.174187] BUG: KASAN: use-after-free in hex_dump_to_buffer+0x140/0x608
+[ 87.187600] Read of size 1 at addr ffff003b22828000 by task ethtool/1186
+[ 87.201012]
+[ 87.203978] CPU: 7 PID: 1186 Comm: ethtool Not tainted 5.5.0-rc4-gfd51c473-dirty #4
+[ 87.219306] Hardware name: Huawei TaiShan 2280 V2/BC82AMDA, BIOS TA BIOS 2280-A CS V2.B160.01 01/15/2020
+[ 87.238292] Call trace:
+[ 87.243173] dump_backtrace+0x0/0x280
+[ 87.250491] show_stack+0x24/0x30
+[ 87.257114] dump_stack+0xe8/0x140
+[ 87.263911] print_address_description.isra.8+0x70/0x380
+[ 87.274538] __kasan_report+0x12c/0x230
+[ 87.282203] kasan_report+0xc/0x18
+[ 87.288999] __asan_load1+0x60/0x68
+[ 87.295969] hex_dump_to_buffer+0x140/0x608
+[ 87.304332] print_hex_dump+0x140/0x1e0
+[ 87.312000] hns3_lb_check_skb_data+0x168/0x170
+[ 87.321060] hns3_clean_rx_ring+0xa94/0xfe0
+[ 87.329422] hns3_self_test+0x708/0x8c0
+
+The length of packet sent by the selftest process is only
+128 + 14 bytes, and the min buffer size of a BD is 256 bytes,
+and the receive process will make sure the packet sent by
+the selftest process is in the linear part, so only check
+the linear part in hns3_lb_check_skb_data().
+
+So fix this use-after-free by using skb_headlen() to dump
+skb->data instead of skb->len.
+
+Fixes: c39c4d98dc65 ("net: hns3: Add mac loopback selftest support in hns3 driver")
+Signed-off-by: Yonglong Liu <liuyonglong@huawei.com>
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c
+index 52c9d204fe3d9..34e5448d59f6f 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c
+@@ -174,18 +174,21 @@ static void hns3_lb_check_skb_data(struct hns3_enet_ring *ring,
+ {
+ struct hns3_enet_tqp_vector *tqp_vector = ring->tqp_vector;
+ unsigned char *packet = skb->data;
++ u32 len = skb_headlen(skb);
+ u32 i;
+
+- for (i = 0; i < skb->len; i++)
++ len = min_t(u32, len, HNS3_NIC_LB_TEST_PACKET_SIZE);
++
++ for (i = 0; i < len; i++)
+ if (packet[i] != (unsigned char)(i & 0xff))
+ break;
+
+ /* The packet is correctly received */
+- if (i == skb->len)
++ if (i == HNS3_NIC_LB_TEST_PACKET_SIZE)
+ tqp_vector->rx_group.total_packets++;
+ else
+ print_hex_dump(KERN_ERR, "selftest:", DUMP_PREFIX_OFFSET, 16, 1,
+- skb->data, skb->len, true);
++ skb->data, len, true);
+
+ dev_kfree_skb_any(skb);
+ }
+--
+2.25.1
+
--- /dev/null
+From 1ec2cfedee4c0001903e98e21555cbf7f73f2586 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Jul 2020 14:46:45 +0200
+Subject: net: macb: fix call to pm_runtime in the suspend/resume functions
+
+From: Nicolas Ferre <nicolas.ferre@microchip.com>
+
+[ Upstream commit 6c8f85cac98a4c6b767c4c4f6af7283724c32b47 ]
+
+The calls to pm_runtime_force_suspend/resume() functions are only
+relevant if the device is not configured to act as a WoL wakeup source.
+Add the device_may_wakeup() test before calling them.
+
+Fixes: 3e2a5e153906 ("net: macb: add wake-on-lan support via magic packet")
+Cc: Claudiu Beznea <claudiu.beznea@microchip.com>
+Cc: Harini Katakam <harini.katakam@xilinx.com>
+Cc: Sergio Prado <sergio.prado@e-labworks.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
+index e7fafe2fcae5d..01ed4d4296db2 100644
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -4453,7 +4453,8 @@ static int __maybe_unused macb_suspend(struct device *dev)
+ netif_carrier_off(netdev);
+ if (bp->ptp_info)
+ bp->ptp_info->ptp_remove(netdev);
+- pm_runtime_force_suspend(dev);
++ if (!device_may_wakeup(dev))
++ pm_runtime_force_suspend(dev);
+
+ return 0;
+ }
+@@ -4468,7 +4469,8 @@ static int __maybe_unused macb_resume(struct device *dev)
+ if (!netif_running(netdev))
+ return 0;
+
+- pm_runtime_force_resume(dev);
++ if (!device_may_wakeup(dev))
++ pm_runtime_force_resume(dev);
+
+ if (bp->wol & MACB_WOL_ENABLED) {
+ macb_writel(bp, IDR, MACB_BIT(WOL));
+--
+2.25.1
+
--- /dev/null
+From 274904ecd58aab3112fb64740aa8eb5938c7be19 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Jul 2020 14:46:41 +0200
+Subject: net: macb: fix wakeup test in runtime suspend/resume routines
+
+From: Nicolas Ferre <nicolas.ferre@microchip.com>
+
+[ Upstream commit 515a10a701d570e26dfbe6ee373f77c8bf11053f ]
+
+Use the proper struct device pointer to check if the wakeup flag
+and wakeup source are positioned.
+Use the one passed by function call which is equivalent to
+&bp->dev->dev.parent.
+
+It's preventing the trigger of a spurious interrupt in case the
+Wake-on-Lan feature is used.
+
+Fixes: d54f89af6cc4 ("net: macb: Add pm runtime support")
+Cc: Claudiu Beznea <claudiu.beznea@microchip.com>
+Cc: Harini Katakam <harini.katakam@xilinx.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
+index 1ec19d9fab00c..16f5c62ba6dfe 100644
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -4507,7 +4507,7 @@ static int __maybe_unused macb_runtime_suspend(struct device *dev)
+ struct net_device *netdev = dev_get_drvdata(dev);
+ struct macb *bp = netdev_priv(netdev);
+
+- if (!(device_may_wakeup(&bp->dev->dev))) {
++ if (!(device_may_wakeup(dev))) {
+ clk_disable_unprepare(bp->tx_clk);
+ clk_disable_unprepare(bp->hclk);
+ clk_disable_unprepare(bp->pclk);
+@@ -4523,7 +4523,7 @@ static int __maybe_unused macb_runtime_resume(struct device *dev)
+ struct net_device *netdev = dev_get_drvdata(dev);
+ struct macb *bp = netdev_priv(netdev);
+
+- if (!(device_may_wakeup(&bp->dev->dev))) {
++ if (!(device_may_wakeup(dev))) {
+ clk_prepare_enable(bp->pclk);
+ clk_prepare_enable(bp->hclk);
+ clk_prepare_enable(bp->tx_clk);
+--
+2.25.1
+
--- /dev/null
+From b408db556d537a85a29a7ed52e55a77b03b50040 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Jul 2020 14:46:42 +0200
+Subject: net: macb: mark device wake capable when "magic-packet" property
+ present
+
+From: Nicolas Ferre <nicolas.ferre@microchip.com>
+
+[ Upstream commit ced4799d06375929e013eea04ba6908207afabbe ]
+
+Change the way the "magic-packet" DT property is handled in the
+macb_probe() function, matching DT binding documentation.
+Now we mark the device as "wakeup capable" instead of calling the
+device_init_wakeup() function that would enable the wakeup source.
+
+For Ethernet WoL, enabling the wakeup_source is done by
+using ethtool and associated macb_set_wol() function that
+already calls device_set_wakeup_enable() for this purpose.
+
+That would reduce power consumption by cutting more clocks if
+"magic-packet" property is set but WoL is not configured by ethtool.
+
+Fixes: 3e2a5e153906 ("net: macb: add wake-on-lan support via magic packet")
+Cc: Claudiu Beznea <claudiu.beznea@microchip.com>
+Cc: Harini Katakam <harini.katakam@xilinx.com>
+Cc: Sergio Prado <sergio.prado@e-labworks.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
+index 16f5c62ba6dfe..e7fafe2fcae5d 100644
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -4260,7 +4260,7 @@ static int macb_probe(struct platform_device *pdev)
+ bp->wol = 0;
+ if (of_get_property(np, "magic-packet", NULL))
+ bp->wol |= MACB_WOL_HAS_MAGIC_PACKET;
+- device_init_wakeup(&pdev->dev, bp->wol & MACB_WOL_HAS_MAGIC_PACKET);
++ device_set_wakeup_capable(&pdev->dev, bp->wol & MACB_WOL_HAS_MAGIC_PACKET);
+
+ spin_lock_init(&bp->lock);
+
+--
+2.25.1
+
--- /dev/null
+From e3a57a771f7b79f8de4ed299a8d91f545d001930 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Jun 2020 17:31:26 +0300
+Subject: net/mlx5: Fix eeprom support for SFP module
+
+From: Eran Ben Elisha <eranbe@mellanox.com>
+
+[ Upstream commit 47afbdd2fa4c5775c383ba376a3d1da7d7f694dc ]
+
+Fix eeprom SFP query support by setting i2c_addr, offset and page number
+correctly. Unlike QSFP modules, SFP eeprom params are as follow:
+- i2c_addr is 0x50 for offset 0 - 255 and 0x51 for offset 256 - 511.
+- Page number is always zero.
+- Page offset is always relative to zero.
+
+As part of eeprom query, query the module ID (SFP / QSFP*) via helper
+function to set the params accordingly.
+
+In addition, change mlx5_qsfp_eeprom_page() input type to be u16 to avoid
+unnecessary casting.
+
+Fixes: a708fb7b1f8d ("net/mlx5e: ethtool, Add support for EEPROM high pages query")
+Signed-off-by: Eran Ben Elisha <eranbe@mellanox.com>
+Signed-off-by: Huy Nguyen <huyn@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/mellanox/mlx5/core/port.c | 93 +++++++++++++++----
+ 1 file changed, 77 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/port.c b/drivers/net/ethernet/mellanox/mlx5/core/port.c
+index cc262b30aed53..dc589322940c5 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/port.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/port.c
+@@ -293,7 +293,40 @@ static int mlx5_query_module_num(struct mlx5_core_dev *dev, int *module_num)
+ return 0;
+ }
+
+-static int mlx5_eeprom_page(int offset)
++static int mlx5_query_module_id(struct mlx5_core_dev *dev, int module_num,
++ u8 *module_id)
++{
++ u32 in[MLX5_ST_SZ_DW(mcia_reg)] = {};
++ u32 out[MLX5_ST_SZ_DW(mcia_reg)];
++ int err, status;
++ u8 *ptr;
++
++ MLX5_SET(mcia_reg, in, i2c_device_address, MLX5_I2C_ADDR_LOW);
++ MLX5_SET(mcia_reg, in, module, module_num);
++ MLX5_SET(mcia_reg, in, device_address, 0);
++ MLX5_SET(mcia_reg, in, page_number, 0);
++ MLX5_SET(mcia_reg, in, size, 1);
++ MLX5_SET(mcia_reg, in, l, 0);
++
++ err = mlx5_core_access_reg(dev, in, sizeof(in), out,
++ sizeof(out), MLX5_REG_MCIA, 0, 0);
++ if (err)
++ return err;
++
++ status = MLX5_GET(mcia_reg, out, status);
++ if (status) {
++ mlx5_core_err(dev, "query_mcia_reg failed: status: 0x%x\n",
++ status);
++ return -EIO;
++ }
++ ptr = MLX5_ADDR_OF(mcia_reg, out, dword_0);
++
++ *module_id = ptr[0];
++
++ return 0;
++}
++
++static int mlx5_qsfp_eeprom_page(u16 offset)
+ {
+ if (offset < MLX5_EEPROM_PAGE_LENGTH)
+ /* Addresses between 0-255 - page 00 */
+@@ -307,7 +340,7 @@ static int mlx5_eeprom_page(int offset)
+ MLX5_EEPROM_HIGH_PAGE_LENGTH);
+ }
+
+-static int mlx5_eeprom_high_page_offset(int page_num)
++static int mlx5_qsfp_eeprom_high_page_offset(int page_num)
+ {
+ if (!page_num) /* Page 0 always start from low page */
+ return 0;
+@@ -316,35 +349,62 @@ static int mlx5_eeprom_high_page_offset(int page_num)
+ return page_num * MLX5_EEPROM_HIGH_PAGE_LENGTH;
+ }
+
++static void mlx5_qsfp_eeprom_params_set(u16 *i2c_addr, int *page_num, u16 *offset)
++{
++ *i2c_addr = MLX5_I2C_ADDR_LOW;
++ *page_num = mlx5_qsfp_eeprom_page(*offset);
++ *offset -= mlx5_qsfp_eeprom_high_page_offset(*page_num);
++}
++
++static void mlx5_sfp_eeprom_params_set(u16 *i2c_addr, int *page_num, u16 *offset)
++{
++ *i2c_addr = MLX5_I2C_ADDR_LOW;
++ *page_num = 0;
++
++ if (*offset < MLX5_EEPROM_PAGE_LENGTH)
++ return;
++
++ *i2c_addr = MLX5_I2C_ADDR_HIGH;
++ *offset -= MLX5_EEPROM_PAGE_LENGTH;
++}
++
+ int mlx5_query_module_eeprom(struct mlx5_core_dev *dev,
+ u16 offset, u16 size, u8 *data)
+ {
+- int module_num, page_num, status, err;
++ int module_num, status, err, page_num = 0;
++ u32 in[MLX5_ST_SZ_DW(mcia_reg)] = {};
+ u32 out[MLX5_ST_SZ_DW(mcia_reg)];
+- u32 in[MLX5_ST_SZ_DW(mcia_reg)];
+- u16 i2c_addr;
+- void *ptr = MLX5_ADDR_OF(mcia_reg, out, dword_0);
++ u16 i2c_addr = 0;
++ u8 module_id;
++ void *ptr;
+
+ err = mlx5_query_module_num(dev, &module_num);
+ if (err)
+ return err;
+
+- memset(in, 0, sizeof(in));
+- size = min_t(int, size, MLX5_EEPROM_MAX_BYTES);
+-
+- /* Get the page number related to the given offset */
+- page_num = mlx5_eeprom_page(offset);
++ err = mlx5_query_module_id(dev, module_num, &module_id);
++ if (err)
++ return err;
+
+- /* Set the right offset according to the page number,
+- * For page_num > 0, relative offset is always >= 128 (high page).
+- */
+- offset -= mlx5_eeprom_high_page_offset(page_num);
++ switch (module_id) {
++ case MLX5_MODULE_ID_SFP:
++ mlx5_sfp_eeprom_params_set(&i2c_addr, &page_num, &offset);
++ break;
++ case MLX5_MODULE_ID_QSFP:
++ case MLX5_MODULE_ID_QSFP_PLUS:
++ case MLX5_MODULE_ID_QSFP28:
++ mlx5_qsfp_eeprom_params_set(&i2c_addr, &page_num, &offset);
++ break;
++ default:
++ mlx5_core_err(dev, "Module ID not recognized: 0x%x\n", module_id);
++ return -EINVAL;
++ }
+
+ if (offset + size > MLX5_EEPROM_PAGE_LENGTH)
+ /* Cross pages read, read until offset 256 in low page */
+ size -= offset + size - MLX5_EEPROM_PAGE_LENGTH;
+
+- i2c_addr = MLX5_I2C_ADDR_LOW;
++ size = min_t(int, size, MLX5_EEPROM_MAX_BYTES);
+
+ MLX5_SET(mcia_reg, in, l, 0);
+ MLX5_SET(mcia_reg, in, module, module_num);
+@@ -365,6 +425,7 @@ int mlx5_query_module_eeprom(struct mlx5_core_dev *dev,
+ return -EIO;
+ }
+
++ ptr = MLX5_ADDR_OF(mcia_reg, out, dword_0);
+ memcpy(data, ptr, size);
+
+ return size;
+--
+2.25.1
+
--- /dev/null
+From 21acdcac664d9f4b7c3dafbfddd41ed8f69873cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Jun 2020 12:48:47 +0300
+Subject: net/mlx5e: Fix 50G per lane indication
+
+From: Aya Levin <ayal@mellanox.com>
+
+[ Upstream commit 6a1cf4e443a3b0a4d690d3c93b84b1e9cbfcb1bd ]
+
+Some released FW versions mistakenly don't set the capability that 50G
+per lane link-modes are supported for VFs (ptys_extended_ethernet
+capability bit). When the capability is unset, read
+PTYS.ext_eth_proto_capability (always reliable).
+If PTYS.ext_eth_proto_capability is valid (has a non-zero value)
+conclude that the HCA supports 50G per lane. Otherwise, conclude that
+the HCA doesn't support 50G per lane.
+
+Fixes: a08b4ed1373d ("net/mlx5: Add support to ext_* fields introduced in Port Type and Speed register")
+Signed-off-by: Aya Levin <ayal@mellanox.com>
+Reviewed-by: Eran Ben Elisha <eranbe@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/mellanox/mlx5/core/en/port.c | 21 ++++++++++++++++---
+ .../net/ethernet/mellanox/mlx5/core/en/port.h | 2 +-
+ .../ethernet/mellanox/mlx5/core/en_ethtool.c | 8 +++----
+ 3 files changed, 23 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/port.c b/drivers/net/ethernet/mellanox/mlx5/core/en/port.c
+index fce6eccdcf8b2..fa81a97f6ba9e 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/port.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/port.c
+@@ -78,11 +78,26 @@ static const u32 mlx5e_ext_link_speed[MLX5E_EXT_LINK_MODES_NUMBER] = {
+ [MLX5E_400GAUI_8] = 400000,
+ };
+
++bool mlx5e_ptys_ext_supported(struct mlx5_core_dev *mdev)
++{
++ struct mlx5e_port_eth_proto eproto;
++ int err;
++
++ if (MLX5_CAP_PCAM_FEATURE(mdev, ptys_extended_ethernet))
++ return true;
++
++ err = mlx5_port_query_eth_proto(mdev, 1, true, &eproto);
++ if (err)
++ return false;
++
++ return !!eproto.cap;
++}
++
+ static void mlx5e_port_get_speed_arr(struct mlx5_core_dev *mdev,
+ const u32 **arr, u32 *size,
+ bool force_legacy)
+ {
+- bool ext = force_legacy ? false : MLX5_CAP_PCAM_FEATURE(mdev, ptys_extended_ethernet);
++ bool ext = force_legacy ? false : mlx5e_ptys_ext_supported(mdev);
+
+ *size = ext ? ARRAY_SIZE(mlx5e_ext_link_speed) :
+ ARRAY_SIZE(mlx5e_link_speed);
+@@ -177,7 +192,7 @@ int mlx5e_port_linkspeed(struct mlx5_core_dev *mdev, u32 *speed)
+ bool ext;
+ int err;
+
+- ext = MLX5_CAP_PCAM_FEATURE(mdev, ptys_extended_ethernet);
++ ext = mlx5e_ptys_ext_supported(mdev);
+ err = mlx5_port_query_eth_proto(mdev, 1, ext, &eproto);
+ if (err)
+ goto out;
+@@ -205,7 +220,7 @@ int mlx5e_port_max_linkspeed(struct mlx5_core_dev *mdev, u32 *speed)
+ int err;
+ int i;
+
+- ext = MLX5_CAP_PCAM_FEATURE(mdev, ptys_extended_ethernet);
++ ext = mlx5e_ptys_ext_supported(mdev);
+ err = mlx5_port_query_eth_proto(mdev, 1, ext, &eproto);
+ if (err)
+ return err;
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/port.h b/drivers/net/ethernet/mellanox/mlx5/core/en/port.h
+index 4a7f4497692bc..e196888f7056b 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/port.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/port.h
+@@ -54,7 +54,7 @@ int mlx5e_port_linkspeed(struct mlx5_core_dev *mdev, u32 *speed);
+ int mlx5e_port_max_linkspeed(struct mlx5_core_dev *mdev, u32 *speed);
+ u32 mlx5e_port_speed2linkmodes(struct mlx5_core_dev *mdev, u32 speed,
+ bool force_legacy);
+-
++bool mlx5e_ptys_ext_supported(struct mlx5_core_dev *mdev);
+ int mlx5e_port_query_pbmc(struct mlx5_core_dev *mdev, void *out);
+ int mlx5e_port_set_pbmc(struct mlx5_core_dev *mdev, void *in);
+ int mlx5e_port_query_priority2buffer(struct mlx5_core_dev *mdev, u8 *buffer);
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
+index 39ee32518b106..8cd529556b214 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
+@@ -200,7 +200,7 @@ static void mlx5e_ethtool_get_speed_arr(struct mlx5_core_dev *mdev,
+ struct ptys2ethtool_config **arr,
+ u32 *size)
+ {
+- bool ext = MLX5_CAP_PCAM_FEATURE(mdev, ptys_extended_ethernet);
++ bool ext = mlx5e_ptys_ext_supported(mdev);
+
+ *arr = ext ? ptys2ext_ethtool_table : ptys2legacy_ethtool_table;
+ *size = ext ? ARRAY_SIZE(ptys2ext_ethtool_table) :
+@@ -871,7 +871,7 @@ static void get_lp_advertising(struct mlx5_core_dev *mdev, u32 eth_proto_lp,
+ struct ethtool_link_ksettings *link_ksettings)
+ {
+ unsigned long *lp_advertising = link_ksettings->link_modes.lp_advertising;
+- bool ext = MLX5_CAP_PCAM_FEATURE(mdev, ptys_extended_ethernet);
++ bool ext = mlx5e_ptys_ext_supported(mdev);
+
+ ptys2ethtool_adver_link(lp_advertising, eth_proto_lp, ext);
+ }
+@@ -900,7 +900,7 @@ int mlx5e_ethtool_get_link_ksettings(struct mlx5e_priv *priv,
+ __func__, err);
+ goto err_query_regs;
+ }
+- ext = MLX5_CAP_PCAM_FEATURE(mdev, ptys_extended_ethernet);
++ ext = !!MLX5_GET_ETH_PROTO(ptys_reg, out, true, eth_proto_capability);
+ eth_proto_cap = MLX5_GET_ETH_PROTO(ptys_reg, out, ext,
+ eth_proto_capability);
+ eth_proto_admin = MLX5_GET_ETH_PROTO(ptys_reg, out, ext,
+@@ -1052,7 +1052,7 @@ int mlx5e_ethtool_set_link_ksettings(struct mlx5e_priv *priv,
+ autoneg = link_ksettings->base.autoneg;
+ speed = link_ksettings->base.speed;
+
+- ext_supported = MLX5_CAP_PCAM_FEATURE(mdev, ptys_extended_ethernet);
++ ext_supported = mlx5e_ptys_ext_supported(mdev);
+ ext = ext_requested(autoneg, adver, ext_supported);
+ if (!ext_supported && ext)
+ return -EOPNOTSUPP;
+--
+2.25.1
+
--- /dev/null
+From 65470ea7d6aa1d9f2a1fc31ae9da66c441c393d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Jun 2020 11:04:40 +0100
+Subject: net: mvneta: fix use of state->speed
+
+From: Russell King <rmk+kernel@armlinux.org.uk>
+
+[ Upstream commit f2ca673d2cd5df9a76247b670e9ffd4d63682b3f ]
+
+When support for short preambles was added, it incorrectly keyed its
+decision off state->speed instead of state->interface. state->speed
+is not guaranteed to be correct for in-band modes, which can lead to
+short preambles being unexpectedly disabled.
+
+Fix this by keying off the interface mode, which is the only way that
+mvneta can operate at 2.5Gbps.
+
+Fixes: da58a931f248 ("net: mvneta: Add support for 2500Mbps SGMII")
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mvneta.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c
+index 9799253948281..ffdb7b113f172 100644
+--- a/drivers/net/ethernet/marvell/mvneta.c
++++ b/drivers/net/ethernet/marvell/mvneta.c
+@@ -3594,7 +3594,7 @@ static void mvneta_mac_config(struct phylink_config *config, unsigned int mode,
+ /* When at 2.5G, the link partner can send frames with shortened
+ * preambles.
+ */
+- if (state->speed == SPEED_2500)
++ if (state->interface == PHY_INTERFACE_MODE_2500BASEX)
+ new_ctrl4 |= MVNETA_GMAC4_SHORT_PREAMBLE_ENABLE;
+
+ if (pp->phy_interface != state->interface) {
+--
+2.25.1
+
--- /dev/null
+From 2b62181ade0918942d061e6fd6db0b7f4ed929ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Jul 2020 13:17:40 +0200
+Subject: netfilter: conntrack: refetch conntrack after nf_conntrack_update()
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit d005fbb855d3b5660d62ee5a6bd2d99c13ff8cf3 ]
+
+__nf_conntrack_update() might refresh the conntrack object that is
+attached to the skbuff. Otherwise, this triggers UAF.
+
+[ 633.200434] ==================================================================
+[ 633.200472] BUG: KASAN: use-after-free in nf_conntrack_update+0x34e/0x770 [nf_conntrack]
+[ 633.200478] Read of size 1 at addr ffff888370804c00 by task nfqnl_test/6769
+
+[ 633.200487] CPU: 1 PID: 6769 Comm: nfqnl_test Not tainted 5.8.0-rc2+ #388
+[ 633.200490] Hardware name: LENOVO 23259H1/23259H1, BIOS G2ET32WW (1.12 ) 05/30/2012
+[ 633.200491] Call Trace:
+[ 633.200499] dump_stack+0x7c/0xb0
+[ 633.200526] ? nf_conntrack_update+0x34e/0x770 [nf_conntrack]
+[ 633.200532] print_address_description.constprop.6+0x1a/0x200
+[ 633.200539] ? _raw_write_lock_irqsave+0xc0/0xc0
+[ 633.200568] ? nf_conntrack_update+0x34e/0x770 [nf_conntrack]
+[ 633.200594] ? nf_conntrack_update+0x34e/0x770 [nf_conntrack]
+[ 633.200598] kasan_report.cold.9+0x1f/0x42
+[ 633.200604] ? call_rcu+0x2c0/0x390
+[ 633.200633] ? nf_conntrack_update+0x34e/0x770 [nf_conntrack]
+[ 633.200659] nf_conntrack_update+0x34e/0x770 [nf_conntrack]
+[ 633.200687] ? nf_conntrack_find_get+0x30/0x30 [nf_conntrack]
+
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1436
+Fixes: ee04805ff54a ("netfilter: conntrack: make conntrack userspace helpers work again")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
+index 48db4aec02dea..200cdad3ff3ab 100644
+--- a/net/netfilter/nf_conntrack_core.c
++++ b/net/netfilter/nf_conntrack_core.c
+@@ -2012,6 +2012,8 @@ static int nf_conntrack_update(struct net *net, struct sk_buff *skb)
+ err = __nf_conntrack_update(net, skb, ct, ctinfo);
+ if (err < 0)
+ return err;
++
++ ct = nf_ct_get(skb, &ctinfo);
+ }
+
+ return nf_confirm_cthelper(skb, ct, ctinfo);
+--
+2.25.1
+
--- /dev/null
+From da2a16f86295dc24f69af2e439426ead5a463408 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jun 2020 17:04:17 -0700
+Subject: netfilter: ipset: call ip_set_free() instead of kfree()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit c4e8fa9074ad94f80e5c0dcaa16b313e50e958c5 ]
+
+Whenever ip_set_alloc() is used, allocated memory can either
+use kmalloc() or vmalloc(). We should call kvfree() or
+ip_set_free()
+
+invalid opcode: 0000 [#1] PREEMPT SMP KASAN
+CPU: 0 PID: 21935 Comm: syz-executor.3 Not tainted 5.8.0-rc2-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:__phys_addr+0xa7/0x110 arch/x86/mm/physaddr.c:28
+Code: 1d 7a 09 4c 89 e3 31 ff 48 d3 eb 48 89 de e8 d0 58 3f 00 48 85 db 75 0d e8 26 5c 3f 00 4c 89 e0 5b 5d 41 5c c3 e8 19 5c 3f 00 <0f> 0b e8 12 5c 3f 00 48 c7 c0 10 10 a8 89 48 ba 00 00 00 00 00 fc
+RSP: 0000:ffffc900018572c0 EFLAGS: 00010046
+RAX: 0000000000040000 RBX: 0000000000000001 RCX: ffffc9000fac3000
+RDX: 0000000000040000 RSI: ffffffff8133f437 RDI: 0000000000000007
+RBP: ffffc90098aff000 R08: 0000000000000000 R09: ffff8880ae636cdb
+R10: 0000000000000000 R11: 0000000000000000 R12: 0000408018aff000
+R13: 0000000000080000 R14: 000000000000001d R15: ffffc900018573d8
+FS: 00007fc540c66700(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007fc9dcd67200 CR3: 0000000059411000 CR4: 00000000001406f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ virt_to_head_page include/linux/mm.h:841 [inline]
+ virt_to_cache mm/slab.h:474 [inline]
+ kfree+0x77/0x2c0 mm/slab.c:3749
+ hash_net_create+0xbb2/0xd70 net/netfilter/ipset/ip_set_hash_gen.h:1536
+ ip_set_create+0x6a2/0x13c0 net/netfilter/ipset/ip_set_core.c:1128
+ nfnetlink_rcv_msg+0xbe8/0xea0 net/netfilter/nfnetlink.c:230
+ netlink_rcv_skb+0x15a/0x430 net/netlink/af_netlink.c:2469
+ nfnetlink_rcv+0x1ac/0x420 net/netfilter/nfnetlink.c:564
+ netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
+ netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1329
+ netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1918
+ sock_sendmsg_nosec net/socket.c:652 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:672
+ ____sys_sendmsg+0x6e8/0x810 net/socket.c:2352
+ ___sys_sendmsg+0xf3/0x170 net/socket.c:2406
+ __sys_sendmsg+0xe5/0x1b0 net/socket.c:2439
+ do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:359
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x45cb19
+Code: Bad RIP value.
+RSP: 002b:00007fc540c65c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 00000000004fed80 RCX: 000000000045cb19
+RDX: 0000000000000000 RSI: 0000000020001080 RDI: 0000000000000003
+RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 000000000000095e R14: 00000000004cc295 R15: 00007fc540c666d4
+
+Fixes: f66ee0410b1c ("netfilter: ipset: Fix "INFO: rcu detected stall in hash_xxx" reports")
+Fixes: 03c8b234e61a ("netfilter: ipset: Generalize extensions support")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/ipset/ip_set_bitmap_ip.c | 2 +-
+ net/netfilter/ipset/ip_set_bitmap_ipmac.c | 2 +-
+ net/netfilter/ipset/ip_set_bitmap_port.c | 2 +-
+ net/netfilter/ipset/ip_set_hash_gen.h | 4 ++--
+ 4 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/net/netfilter/ipset/ip_set_bitmap_ip.c b/net/netfilter/ipset/ip_set_bitmap_ip.c
+index d934384f31ad6..6e3cf4d19ce88 100644
+--- a/net/netfilter/ipset/ip_set_bitmap_ip.c
++++ b/net/netfilter/ipset/ip_set_bitmap_ip.c
+@@ -314,7 +314,7 @@ bitmap_ip_create(struct net *net, struct ip_set *set, struct nlattr *tb[],
+ set->variant = &bitmap_ip;
+ if (!init_map_ip(set, map, first_ip, last_ip,
+ elements, hosts, netmask)) {
+- kfree(map);
++ ip_set_free(map);
+ return -ENOMEM;
+ }
+ if (tb[IPSET_ATTR_TIMEOUT]) {
+diff --git a/net/netfilter/ipset/ip_set_bitmap_ipmac.c b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
+index e8532783b43aa..ae7cdc0d0f29a 100644
+--- a/net/netfilter/ipset/ip_set_bitmap_ipmac.c
++++ b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
+@@ -363,7 +363,7 @@ bitmap_ipmac_create(struct net *net, struct ip_set *set, struct nlattr *tb[],
+ map->memsize = BITS_TO_LONGS(elements) * sizeof(unsigned long);
+ set->variant = &bitmap_ipmac;
+ if (!init_map_ipmac(set, map, first_ip, last_ip, elements)) {
+- kfree(map);
++ ip_set_free(map);
+ return -ENOMEM;
+ }
+ if (tb[IPSET_ATTR_TIMEOUT]) {
+diff --git a/net/netfilter/ipset/ip_set_bitmap_port.c b/net/netfilter/ipset/ip_set_bitmap_port.c
+index e3ac914fff1a5..d4a14750f5c42 100644
+--- a/net/netfilter/ipset/ip_set_bitmap_port.c
++++ b/net/netfilter/ipset/ip_set_bitmap_port.c
+@@ -247,7 +247,7 @@ bitmap_port_create(struct net *net, struct ip_set *set, struct nlattr *tb[],
+ map->memsize = BITS_TO_LONGS(elements) * sizeof(unsigned long);
+ set->variant = &bitmap_port;
+ if (!init_map_port(set, map, first_port, last_port)) {
+- kfree(map);
++ ip_set_free(map);
+ return -ENOMEM;
+ }
+ if (tb[IPSET_ATTR_TIMEOUT]) {
+diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h
+index 2389c9f89e481..a7a982a3e6761 100644
+--- a/net/netfilter/ipset/ip_set_hash_gen.h
++++ b/net/netfilter/ipset/ip_set_hash_gen.h
+@@ -682,7 +682,7 @@ mtype_resize(struct ip_set *set, bool retried)
+ }
+ t->hregion = ip_set_alloc(ahash_sizeof_regions(htable_bits));
+ if (!t->hregion) {
+- kfree(t);
++ ip_set_free(t);
+ ret = -ENOMEM;
+ goto out;
+ }
+@@ -1533,7 +1533,7 @@ IPSET_TOKEN(HTYPE, _create)(struct net *net, struct ip_set *set,
+ }
+ t->hregion = ip_set_alloc(ahash_sizeof_regions(hbits));
+ if (!t->hregion) {
+- kfree(t);
++ ip_set_free(t);
+ kfree(h);
+ return -ENOMEM;
+ }
+--
+2.25.1
+
--- /dev/null
+From d93cd81f6fbe38c48be355c0cc0d390af4c38f20 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Jun 2020 12:49:39 +0300
+Subject: nl80211: don't return err unconditionally in nl80211_start_ap()
+
+From: Luca Coelho <luciano.coelho@intel.com>
+
+[ Upstream commit bc7a39b4272b9672d806d422b6850e8c1a09914c ]
+
+When a memory leak was fixed, a return err was changed to goto err,
+but, accidentally, the if (err) was removed, so now we always exit at
+this point.
+
+Fix it by adding if (err) back.
+
+Fixes: 9951ebfcdf2b ("nl80211: fix potential leak in AP start")
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Link: https://lore.kernel.org/r/iwlwifi.20200626124931.871ba5b31eee.I97340172d92164ee92f3c803fe20a8a6e97714e1@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/nl80211.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index b65180e874fb9..a34bbca80f498 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -4798,7 +4798,8 @@ static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
+ err = nl80211_parse_he_obss_pd(
+ info->attrs[NL80211_ATTR_HE_OBSS_PD],
+ ¶ms.he_obss_pd);
+- goto out;
++ if (err)
++ goto out;
+ }
+
+ nl80211_calculate_ap_params(¶ms);
+--
+2.25.1
+
--- /dev/null
+From 3f152efcfda2d822e6ff44bb78ce53644798db7f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Jun 2020 16:39:35 +0300
+Subject: perf intel-pt: Fix PEBS sample for XMM registers
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+[ Upstream commit 4c95ad261cfac120dd66238fcae222766754c219 ]
+
+The condition to add XMM registers was missing, the regs array needed to
+be in the outer scope, and the size of the regs array was too small.
+
+Fixes: 143d34a6b387b ("perf intel-pt: Add XMM registers to synthesized PEBS sample")
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Luwei Kang <luwei.kang@intel.com>
+Link: http://lore.kernel.org/lkml/20200630133935.11150-4-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/intel-pt.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/util/intel-pt.c b/tools/perf/util/intel-pt.c
+index a1c9eb6d4f40d..c5cce3a60476b 100644
+--- a/tools/perf/util/intel-pt.c
++++ b/tools/perf/util/intel-pt.c
+@@ -1707,6 +1707,7 @@ static int intel_pt_synth_pebs_sample(struct intel_pt_queue *ptq)
+ u64 sample_type = evsel->core.attr.sample_type;
+ u64 id = evsel->core.id[0];
+ u8 cpumode;
++ u64 regs[8 * sizeof(sample.intr_regs.mask)];
+
+ if (intel_pt_skip_event(pt))
+ return 0;
+@@ -1756,8 +1757,8 @@ static int intel_pt_synth_pebs_sample(struct intel_pt_queue *ptq)
+ }
+
+ if (sample_type & PERF_SAMPLE_REGS_INTR &&
+- items->mask[INTEL_PT_GP_REGS_POS]) {
+- u64 regs[sizeof(sample.intr_regs.mask)];
++ (items->mask[INTEL_PT_GP_REGS_POS] ||
++ items->mask[INTEL_PT_XMM_POS])) {
+ u64 regs_mask = evsel->core.attr.sample_regs_intr;
+ u64 *pos;
+
+--
+2.25.1
+
--- /dev/null
+From 9897085e038de72c48a3f39318eaabb757bfc641 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Jun 2020 16:39:33 +0300
+Subject: perf intel-pt: Fix recording PEBS-via-PT with registers
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+[ Upstream commit 75bcb8776dc987538f267ba4ba05ca43fc2b1676 ]
+
+When recording PEBS-via-PT, the kernel will not accept the intel_pt
+event with register sampling e.g.
+
+ # perf record --kcore -c 10000 -e '{intel_pt/branch=0/,branch-loads/aux-output/ppp}' -I -- ls -l
+ Error:
+ intel_pt/branch=0/: PMU Hardware doesn't support sampling/overflow-interrupts. Try 'perf stat'
+
+Fix by suppressing register sampling on the intel_pt evsel.
+
+Committer notes:
+
+Adrian informed that this is only available from Tremont onwards, so on
+older processors the error continues the same as before.
+
+Fixes: 9e64cefe4335b ("perf intel-pt: Process options for PEBS event synthesis")
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Luwei Kang <luwei.kang@intel.com>
+Link: http://lore.kernel.org/lkml/20200630133935.11150-2-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/arch/x86/util/intel-pt.c | 1 +
+ tools/perf/util/evsel.c | 4 ++--
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/arch/x86/util/intel-pt.c b/tools/perf/arch/x86/util/intel-pt.c
+index d43f9dec69980..e768c02ef2ab9 100644
+--- a/tools/perf/arch/x86/util/intel-pt.c
++++ b/tools/perf/arch/x86/util/intel-pt.c
+@@ -596,6 +596,7 @@ static int intel_pt_recording_options(struct auxtrace_record *itr,
+ }
+ evsel->core.attr.freq = 0;
+ evsel->core.attr.sample_period = 1;
++ evsel->no_aux_samples = true;
+ intel_pt_evsel = evsel;
+ opts->full_auxtrace = true;
+ }
+diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c
+index abc7fda4a0fe1..a844715a352d8 100644
+--- a/tools/perf/util/evsel.c
++++ b/tools/perf/util/evsel.c
+@@ -1028,12 +1028,12 @@ void perf_evsel__config(struct evsel *evsel, struct record_opts *opts,
+ if (callchain && callchain->enabled && !evsel->no_aux_samples)
+ perf_evsel__config_callchain(evsel, opts, callchain);
+
+- if (opts->sample_intr_regs) {
++ if (opts->sample_intr_regs && !evsel->no_aux_samples) {
+ attr->sample_regs_intr = opts->sample_intr_regs;
+ perf_evsel__set_sample_bit(evsel, REGS_INTR);
+ }
+
+- if (opts->sample_user_regs) {
++ if (opts->sample_user_regs && !evsel->no_aux_samples) {
+ attr->sample_regs_user |= opts->sample_user_regs;
+ perf_evsel__set_sample_bit(evsel, REGS_USER);
+ }
+--
+2.25.1
+
--- /dev/null
+From d3da71065dd81f9169074f2347ab99266d8cc0f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Jun 2020 17:43:22 +0800
+Subject: perf report TUI: Fix segmentation fault in perf_evsel__hists_browse()
+
+From: Wei Li <liwei391@huawei.com>
+
+[ Upstream commit d61cbb859b45fdb6b4997f2d51834fae41af0e94 ]
+
+The segmentation fault can be reproduced as following steps:
+
+1) Executing perf report in tui.
+
+2) Typing '/xxxxx' to filter the symbol to get nothing matched.
+
+3) Pressing enter with no entry selected.
+
+Then it will report a segmentation fault.
+
+It is caused by the lack of check of browser->he_selection when
+accessing it's member res_samples in perf_evsel__hists_browse().
+
+These processes are meaningful for specified samples, so we can skip
+these when nothing is selected.
+
+Fixes: 4968ac8fb7c3 ("perf report: Implement browsing of individual samples")
+Signed-off-by: Wei Li <liwei391@huawei.com>
+Acked-by: Jiri Olsa <jolsa@redhat.com>
+Acked-by: Namhyung Kim <namhyung@kernel.org>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Hanjun Guo <guohanjun@huawei.com>
+Cc: Jin Yao <yao.jin@linux.intel.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Link: http://lore.kernel.org/lkml/20200612094322.39565-1-liwei391@huawei.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/ui/browsers/hists.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/tools/perf/ui/browsers/hists.c b/tools/perf/ui/browsers/hists.c
+index 88c3df24b748c..514cef3a17b40 100644
+--- a/tools/perf/ui/browsers/hists.c
++++ b/tools/perf/ui/browsers/hists.c
+@@ -2224,6 +2224,11 @@ static struct thread *hist_browser__selected_thread(struct hist_browser *browser
+ return browser->he_selection->thread;
+ }
+
++static struct res_sample *hist_browser__selected_res_sample(struct hist_browser *browser)
++{
++ return browser->he_selection ? browser->he_selection->res_samples : NULL;
++}
++
+ /* Check whether the browser is for 'top' or 'report' */
+ static inline bool is_report_browser(void *timer)
+ {
+@@ -3170,16 +3175,16 @@ static int perf_evsel__hists_browse(struct evsel *evsel, int nr_events,
+ &options[nr_options], NULL, NULL, evsel);
+ nr_options += add_res_sample_opt(browser, &actions[nr_options],
+ &options[nr_options],
+- hist_browser__selected_entry(browser)->res_samples,
+- evsel, A_NORMAL);
++ hist_browser__selected_res_sample(browser),
++ evsel, A_NORMAL);
+ nr_options += add_res_sample_opt(browser, &actions[nr_options],
+ &options[nr_options],
+- hist_browser__selected_entry(browser)->res_samples,
+- evsel, A_ASM);
++ hist_browser__selected_res_sample(browser),
++ evsel, A_ASM);
+ nr_options += add_res_sample_opt(browser, &actions[nr_options],
+ &options[nr_options],
+- hist_browser__selected_entry(browser)->res_samples,
+- evsel, A_SOURCE);
++ hist_browser__selected_res_sample(browser),
++ evsel, A_SOURCE);
+ nr_options += add_switch_opt(browser, &actions[nr_options],
+ &options[nr_options]);
+ skip_scripting:
+--
+2.25.1
+
--- /dev/null
+From 53f37023c26c9e451cdf18ade628817eca47a6ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Jul 2020 20:14:29 -0700
+Subject: qed: Populate nvm-file attributes while reading nvm config partition.
+
+From: Sudarsana Reddy Kalluru <skalluru@marvell.com>
+
+[ Upstream commit 13cf8aab7425a253070433b5a55b4209ceac8b19 ]
+
+NVM config file address will be modified when the MBI image is upgraded.
+Driver would return stale config values if user reads the nvm-config
+(via ethtool -d) in this state. The fix is to re-populate nvm attribute
+info while reading the nvm config values/partition.
+
+Changes from previous version:
+-------------------------------
+v3: Corrected the formatting in 'Fixes' tag.
+v2: Added 'Fixes' tag.
+
+Fixes: 1ac4329a1cff ("qed: Add configuration information to register dump and debug data")
+Signed-off-by: Sudarsana Reddy Kalluru <skalluru@marvell.com>
+Signed-off-by: Igor Russkikh <irusskikh@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_debug.c | 4 ++++
+ drivers/net/ethernet/qlogic/qed/qed_dev.c | 12 +++---------
+ drivers/net/ethernet/qlogic/qed/qed_mcp.c | 7 +++++++
+ drivers/net/ethernet/qlogic/qed/qed_mcp.h | 7 +++++++
+ 4 files changed, 21 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_debug.c b/drivers/net/ethernet/qlogic/qed/qed_debug.c
+index 859caa6c1a1fb..8e7be214f9598 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_debug.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_debug.c
+@@ -8197,6 +8197,10 @@ int qed_dbg_all_data(struct qed_dev *cdev, void *buffer)
+ DP_ERR(cdev, "qed_dbg_mcp_trace failed. rc = %d\n", rc);
+ }
+
++ /* Re-populate nvm attribute info */
++ qed_mcp_nvm_info_free(p_hwfn);
++ qed_mcp_nvm_info_populate(p_hwfn);
++
+ /* nvm cfg1 */
+ rc = qed_dbg_nvm_image(cdev,
+ (u8 *)buffer + offset + REGDUMP_HEADER_SIZE,
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_dev.c b/drivers/net/ethernet/qlogic/qed/qed_dev.c
+index ecd14474a6031..638047b937c65 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_dev.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_dev.c
+@@ -4423,12 +4423,6 @@ static int qed_get_dev_info(struct qed_hwfn *p_hwfn, struct qed_ptt *p_ptt)
+ return 0;
+ }
+
+-static void qed_nvm_info_free(struct qed_hwfn *p_hwfn)
+-{
+- kfree(p_hwfn->nvm_info.image_att);
+- p_hwfn->nvm_info.image_att = NULL;
+-}
+-
+ static int qed_hw_prepare_single(struct qed_hwfn *p_hwfn,
+ void __iomem *p_regview,
+ void __iomem *p_doorbells,
+@@ -4513,7 +4507,7 @@ static int qed_hw_prepare_single(struct qed_hwfn *p_hwfn,
+ return rc;
+ err3:
+ if (IS_LEAD_HWFN(p_hwfn))
+- qed_nvm_info_free(p_hwfn);
++ qed_mcp_nvm_info_free(p_hwfn);
+ err2:
+ if (IS_LEAD_HWFN(p_hwfn))
+ qed_iov_free_hw_info(p_hwfn->cdev);
+@@ -4574,7 +4568,7 @@ int qed_hw_prepare(struct qed_dev *cdev,
+ if (rc) {
+ if (IS_PF(cdev)) {
+ qed_init_free(p_hwfn);
+- qed_nvm_info_free(p_hwfn);
++ qed_mcp_nvm_info_free(p_hwfn);
+ qed_mcp_free(p_hwfn);
+ qed_hw_hwfn_free(p_hwfn);
+ }
+@@ -4608,7 +4602,7 @@ void qed_hw_remove(struct qed_dev *cdev)
+
+ qed_iov_free_hw_info(cdev);
+
+- qed_nvm_info_free(p_hwfn);
++ qed_mcp_nvm_info_free(p_hwfn);
+ }
+
+ static void qed_chain_free_next_ptr(struct qed_dev *cdev,
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_mcp.c b/drivers/net/ethernet/qlogic/qed/qed_mcp.c
+index 36ddb89856a86..9401b49275f0a 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_mcp.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_mcp.c
+@@ -3149,6 +3149,13 @@ int qed_mcp_nvm_info_populate(struct qed_hwfn *p_hwfn)
+ return rc;
+ }
+
++void qed_mcp_nvm_info_free(struct qed_hwfn *p_hwfn)
++{
++ kfree(p_hwfn->nvm_info.image_att);
++ p_hwfn->nvm_info.image_att = NULL;
++ p_hwfn->nvm_info.valid = false;
++}
++
+ int
+ qed_mcp_get_nvm_image_att(struct qed_hwfn *p_hwfn,
+ enum qed_nvm_images image_id,
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_mcp.h b/drivers/net/ethernet/qlogic/qed/qed_mcp.h
+index 9c4c2763de8d7..e38297383b007 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_mcp.h
++++ b/drivers/net/ethernet/qlogic/qed/qed_mcp.h
+@@ -1192,6 +1192,13 @@ void qed_mcp_read_ufp_config(struct qed_hwfn *p_hwfn, struct qed_ptt *p_ptt);
+ */
+ int qed_mcp_nvm_info_populate(struct qed_hwfn *p_hwfn);
+
++/**
++ * @brief Delete nvm info shadow in the given hardware function
++ *
++ * @param p_hwfn
++ */
++void qed_mcp_nvm_info_free(struct qed_hwfn *p_hwfn);
++
+ /**
+ * @brief Get the engine affinity configuration.
+ *
+--
+2.25.1
+
--- /dev/null
+From cec8c02e6dac9acc156283a2aae48b36781e829f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Jul 2020 16:09:31 +0300
+Subject: RDMA/siw: Fix reporting vendor_part_id
+
+From: Kamal Heib <kamalheib1@gmail.com>
+
+[ Upstream commit 04340645f69ab7abb6f9052688a60f0213b3f79c ]
+
+Move the initialization of the vendor_part_id to be before calling
+ib_register_device(), this is needed because the query_device() callback
+is called from the context of ib_register_device() before initializing the
+vendor_part_id, so the reported value is wrong.
+
+Fixes: bdcf26bf9b3a ("rdma/siw: network and RDMA core interface")
+Link: https://lore.kernel.org/r/20200707130931.444724-1-kamalheib1@gmail.com
+Signed-off-by: Kamal Heib <kamalheib1@gmail.com>
+Reviewed-by: Bernard Metzler <bmt@zurich.ibm.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/siw/siw_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/sw/siw/siw_main.c b/drivers/infiniband/sw/siw/siw_main.c
+index 130b1e31b9780..fb66d67572787 100644
+--- a/drivers/infiniband/sw/siw/siw_main.c
++++ b/drivers/infiniband/sw/siw/siw_main.c
+@@ -66,12 +66,13 @@ static int siw_device_register(struct siw_device *sdev, const char *name)
+ static int dev_id = 1;
+ int rv;
+
++ sdev->vendor_part_id = dev_id++;
++
+ rv = ib_register_device(base_dev, name);
+ if (rv) {
+ pr_warn("siw: device registration error %d\n", rv);
+ return rv;
+ }
+- sdev->vendor_part_id = dev_id++;
+
+ siw_dbg(base_dev, "HWaddr=%pM\n", sdev->netdev->dev_addr);
+
+--
+2.25.1
+
nvme-rdma-assign-completion-vector-correctly.patch
x86-entry-increase-entry_stack-size-to-a-full-page.patch
sched-core-check-cpus_mask-not-cpus_ptr-in-__set_cpu.patch
+gpio-pca953x-override-irq-for-one-of-the-expanders-o.patch
+gpio-pca953x-fix-gpio-resource-leak-on-intel-galileo.patch
+nl80211-don-t-return-err-unconditionally-in-nl80211_.patch
+drm-mediatek-check-plane-visibility-in-atomic_update.patch
+bpf-sockmap-rcu-splat-with-redirect-and-strparser-er.patch
+bpf-sockmap-rcu-dereferenced-psock-may-be-used-outsi.patch
+netfilter-ipset-call-ip_set_free-instead-of-kfree.patch
+net-mvneta-fix-use-of-state-speed.patch
+net-cxgb4-fix-return-error-value-in-t4_prep_fw.patch
+ib-sa-resolv-use-after-free-in-ib_nl_make_request.patch
+net-dsa-microchip-set-the-correct-number-of-ports.patch
+netfilter-conntrack-refetch-conntrack-after-nf_connt.patch
+perf-report-tui-fix-segmentation-fault-in-perf_evsel.patch
+perf-intel-pt-fix-recording-pebs-via-pt-with-registe.patch
+perf-intel-pt-fix-pebs-sample-for-xmm-registers.patch
+smsc95xx-check-return-value-of-smsc95xx_reset.patch
+smsc95xx-avoid-memory-leak-in-smsc95xx_bind.patch
+net-hns3-add-a-missing-uninit-debugfs-when-unload-dr.patch
+net-hns3-fix-use-after-free-when-doing-self-test.patch
+alsa-compress-fix-partial_drain-completion-state.patch
+rdma-siw-fix-reporting-vendor_part_id.patch
+arm64-kgdb-fix-single-step-exception-handling-oops.patch
+nbd-fix-memory-leak-in-nbd_add_socket.patch
+cxgb4-fix-all-mask-ip-address-comparison.patch
+ib-mlx5-fix-50g-per-lane-indication.patch
+qed-populate-nvm-file-attributes-while-reading-nvm-c.patch
+net-mlx5-fix-eeprom-support-for-sfp-module.patch
+net-mlx5e-fix-50g-per-lane-indication.patch
+bnxt_en-fix-null-dereference-in-case-sr-iov-configur.patch
+net-macb-fix-wakeup-test-in-runtime-suspend-resume-r.patch
+net-macb-mark-device-wake-capable-when-magic-packet-.patch
+net-macb-fix-call-to-pm_runtime-in-the-suspend-resum.patch
+mlxsw-spectrum_router-remove-inappropriate-usage-of-.patch
+mlxsw-pci-fix-use-after-free-in-case-of-failed-devli.patch
--- /dev/null
+From 36e4709154c704cd9677d6586ef216d72c28d566 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Jul 2020 10:39:35 +0200
+Subject: smsc95xx: avoid memory leak in smsc95xx_bind
+
+From: Andre Edich <andre.edich@microchip.com>
+
+[ Upstream commit 3ed58f96a70b85ef646d5427258f677f1395b62f ]
+
+In a case where the ID_REV register read is failed, the memory for a
+private data structure has to be freed before returning error from the
+function smsc95xx_bind.
+
+Fixes: bbd9f9ee69242 ("smsc95xx: add wol support for more frame types")
+Signed-off-by: Andre Edich <andre.edich@microchip.com>
+Signed-off-by: Parthiban Veerasooran <Parthiban.Veerasooran@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/smsc95xx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c
+index eb404bb74e18e..bb4ccbda031ab 100644
+--- a/drivers/net/usb/smsc95xx.c
++++ b/drivers/net/usb/smsc95xx.c
+@@ -1293,7 +1293,8 @@ static int smsc95xx_bind(struct usbnet *dev, struct usb_interface *intf)
+ /* detect device revision as different features may be available */
+ ret = smsc95xx_read_reg(dev, ID_REV, &val);
+ if (ret < 0)
+- return ret;
++ goto free_pdata;
++
+ val >>= 16;
+ pdata->chip_id = val;
+ pdata->mdix_ctrl = get_mdix_status(dev->net);
+--
+2.25.1
+
--- /dev/null
+From 3ccb972cdbcd05d2c33034253285da10d68afb73 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Jul 2020 10:39:34 +0200
+Subject: smsc95xx: check return value of smsc95xx_reset
+
+From: Andre Edich <andre.edich@microchip.com>
+
+[ Upstream commit 7c8b1e855f94f88a0c569be6309fc8d5c8844cd1 ]
+
+The return value of the function smsc95xx_reset() must be checked
+to avoid returning false success from the function smsc95xx_bind().
+
+Fixes: 2f7ca802bdae2 ("net: Add SMSC LAN9500 USB2.0 10/100 ethernet adapter driver")
+Signed-off-by: Andre Edich <andre.edich@microchip.com>
+Signed-off-by: Parthiban Veerasooran <Parthiban.Veerasooran@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/smsc95xx.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c
+index 3cf4dc3433f91..eb404bb74e18e 100644
+--- a/drivers/net/usb/smsc95xx.c
++++ b/drivers/net/usb/smsc95xx.c
+@@ -1287,6 +1287,8 @@ static int smsc95xx_bind(struct usbnet *dev, struct usb_interface *intf)
+
+ /* Init all registers */
+ ret = smsc95xx_reset(dev);
++ if (ret)
++ goto free_pdata;
+
+ /* detect device revision as different features may be available */
+ ret = smsc95xx_read_reg(dev, ID_REV, &val);
+@@ -1317,6 +1319,10 @@ static int smsc95xx_bind(struct usbnet *dev, struct usb_interface *intf)
+ schedule_delayed_work(&pdata->carrier_check, CARRIER_CHECK_DELAY);
+
+ return 0;
++
++free_pdata:
++ kfree(pdata);
++ return ret;
+ }
+
+ static void smsc95xx_unbind(struct usbnet *dev, struct usb_interface *intf)
+--
+2.25.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
