--- /dev/null
+From 4d5f5fe656e0d8fbdff7a9558a45ff92a56ee41f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Sep 2021 16:05:31 +0800
+Subject: drm/amdgpu: fix gart.bo pin_count leak
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Leslie Shi <Yuliang.Shi@amd.com>
+
+[ Upstream commit 66805763a97f8f7bdf742fc0851d85c02ed9411f ]
+
+gmc_v{9,10}_0_gart_disable() isn't called matched with
+correspoding gart_enbale function in SRIOV case. This will
+lead to gart.bo pin_count leak on driver unload.
+
+Cc: Hawking Zhang <Hawking.Zhang@amd.com>
+Signed-off-by: Leslie Shi <Yuliang.Shi@amd.com>
+Signed-off-by: Guchun Chen <guchun.chen@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/gmc_v10_0.c | 3 ++-
+ drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/gmc_v10_0.c b/drivers/gpu/drm/amd/amdgpu/gmc_v10_0.c
+index f642e066e67a..85ee0e849647 100644
+--- a/drivers/gpu/drm/amd/amdgpu/gmc_v10_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v10_0.c
+@@ -903,6 +903,8 @@ static int gmc_v10_0_hw_fini(void *handle)
+ {
+ struct amdgpu_device *adev = (struct amdgpu_device *)handle;
+
++ gmc_v10_0_gart_disable(adev);
++
+ if (amdgpu_sriov_vf(adev)) {
+ /* full access mode, so don't touch any GMC register */
+ DRM_DEBUG("For SRIOV client, shouldn't do anything.\n");
+@@ -910,7 +912,6 @@ static int gmc_v10_0_hw_fini(void *handle)
+ }
+
+ amdgpu_irq_put(adev, &adev->gmc.vm_fault, 0);
+- gmc_v10_0_gart_disable(adev);
+
+ return 0;
+ }
+diff --git a/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c b/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c
+index 688111ef814d..63205de4a565 100644
+--- a/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c
+@@ -1526,6 +1526,8 @@ static int gmc_v9_0_hw_fini(void *handle)
+ {
+ struct amdgpu_device *adev = (struct amdgpu_device *)handle;
+
++ gmc_v9_0_gart_disable(adev);
++
+ if (amdgpu_sriov_vf(adev)) {
+ /* full access mode, so don't touch any GMC register */
+ DRM_DEBUG("For SRIOV client, shouldn't do anything.\n");
+@@ -1534,7 +1536,6 @@ static int gmc_v9_0_hw_fini(void *handle)
+
+ amdgpu_irq_put(adev, &adev->gmc.ecc_irq, 0);
+ amdgpu_irq_put(adev, &adev->gmc.vm_fault, 0);
+- gmc_v9_0_gart_disable(adev);
+
+ return 0;
+ }
+--
+2.33.0
+
--- /dev/null
+From 8c18877ce624459842b59b834c0568509f1932ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jul 2021 20:20:22 +0800
+Subject: ext4: correct the error path of ext4_write_inline_data_end()
+
+From: Zhang Yi <yi.zhang@huawei.com>
+
+[ Upstream commit 55ce2f649b9e88111270333a8127e23f4f8f42d7 ]
+
+Current error path of ext4_write_inline_data_end() is not correct.
+
+Firstly, it should pass out the error value if ext4_get_inode_loc()
+return fail, or else it could trigger infinite loop if we inject error
+here. And then it's better to add inode to orphan list if it return fail
+in ext4_journal_stop(), otherwise we could not restore inline xattr
+entry after power failure. Finally, we need to reset the 'ret' value if
+ext4_write_inline_data_end() return success in ext4_write_end() and
+ext4_journalled_write_end(), otherwise we could not get the error return
+value of ext4_journal_stop().
+
+Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Link: https://lore.kernel.org/r/20210716122024.1105856-3-yi.zhang@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/inline.c | 15 +++++----------
+ fs/ext4/inode.c | 7 +++++--
+ 2 files changed, 10 insertions(+), 12 deletions(-)
+
+diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
+index 46151bda6236..cdb10e9fded6 100644
+--- a/fs/ext4/inline.c
++++ b/fs/ext4/inline.c
+@@ -733,18 +733,13 @@ int ext4_write_inline_data_end(struct inode *inode, loff_t pos, unsigned len,
+ void *kaddr;
+ struct ext4_iloc iloc;
+
+- if (unlikely(copied < len)) {
+- if (!PageUptodate(page)) {
+- copied = 0;
+- goto out;
+- }
+- }
++ if (unlikely(copied < len) && !PageUptodate(page))
++ return 0;
+
+ ret = ext4_get_inode_loc(inode, &iloc);
+ if (ret) {
+ ext4_std_error(inode->i_sb, ret);
+- copied = 0;
+- goto out;
++ return ret;
+ }
+
+ ext4_write_lock_xattr(inode, &no_expand);
+@@ -757,7 +752,7 @@ int ext4_write_inline_data_end(struct inode *inode, loff_t pos, unsigned len,
+ (void) ext4_find_inline_data_nolock(inode);
+
+ kaddr = kmap_atomic(page);
+- ext4_write_inline_data(inode, &iloc, kaddr, pos, len);
++ ext4_write_inline_data(inode, &iloc, kaddr, pos, copied);
+ kunmap_atomic(kaddr);
+ SetPageUptodate(page);
+ /* clear page dirty so that writepages wouldn't work for us. */
+@@ -766,7 +761,7 @@ int ext4_write_inline_data_end(struct inode *inode, loff_t pos, unsigned len,
+ ext4_write_unlock_xattr(inode, &no_expand);
+ brelse(iloc.bh);
+ mark_inode_dirty(inode);
+-out:
++
+ return copied;
+ }
+
+diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
+index 48b467353f6f..dcbd8ac8d471 100644
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -1439,6 +1439,7 @@ static int ext4_write_end(struct file *file,
+ goto errout;
+ }
+ copied = ret;
++ ret = 0;
+ } else
+ copied = block_write_end(file, mapping, pos,
+ len, copied, page, fsdata);
+@@ -1465,13 +1466,14 @@ static int ext4_write_end(struct file *file,
+ if (i_size_changed || inline_data)
+ ext4_mark_inode_dirty(handle, inode);
+
++errout:
+ if (pos + len > inode->i_size && !verity && ext4_can_truncate(inode))
+ /* if we have allocated more blocks and copied
+ * less. We will have blocks allocated outside
+ * inode->i_size. So truncate them
+ */
+ ext4_orphan_add(handle, inode);
+-errout:
++
+ ret2 = ext4_journal_stop(handle);
+ if (!ret)
+ ret = ret2;
+@@ -1554,6 +1556,7 @@ static int ext4_journalled_write_end(struct file *file,
+ goto errout;
+ }
+ copied = ret;
++ ret = 0;
+ } else if (unlikely(copied < len) && !PageUptodate(page)) {
+ copied = 0;
+ ext4_journalled_zero_new_buffers(handle, page, from, to);
+@@ -1583,6 +1586,7 @@ static int ext4_journalled_write_end(struct file *file,
+ ret = ret2;
+ }
+
++errout:
+ if (pos + len > inode->i_size && !verity && ext4_can_truncate(inode))
+ /* if we have allocated more blocks and copied
+ * less. We will have blocks allocated outside
+@@ -1590,7 +1594,6 @@ static int ext4_journalled_write_end(struct file *file,
+ */
+ ext4_orphan_add(handle, inode);
+
+-errout:
+ ret2 = ext4_journal_stop(handle);
+ if (!ret)
+ ret = ret2;
+--
+2.33.0
+
--- /dev/null
+From dd19180ca7482668952b8c51499e0676f825189b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Aug 2021 10:49:27 -0400
+Subject: ext4: enforce buffer head state assertion in ext4_da_map_blocks
+
+From: Eric Whitney <enwlinux@gmail.com>
+
+[ Upstream commit 948ca5f30e1df0c11eb5b0f410b9ceb97fa77ad9 ]
+
+Remove the code that re-initializes a buffer head with an invalid block
+number and BH_New and BH_Delay bits when a matching delayed and
+unwritten block has been found in the extent status cache. Replace it
+with assertions that verify the buffer head already has this state
+correctly set. The current code masked an inline data truncation bug
+that left stale entries in the extent status cache. With this change,
+generic/130 can be used to reproduce and detect that bug.
+
+Signed-off-by: Eric Whitney <enwlinux@gmail.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Link: https://lore.kernel.org/r/20210819144927.25163-3-enwlinux@gmail.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/inode.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
+index dcbd8ac8d471..af594b5e4f9f 100644
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -1869,13 +1869,16 @@ static int ext4_da_map_blocks(struct inode *inode, sector_t iblock,
+ }
+
+ /*
+- * Delayed extent could be allocated by fallocate.
+- * So we need to check it.
++ * the buffer head associated with a delayed and not unwritten
++ * block found in the extent status cache must contain an
++ * invalid block number and have its BH_New and BH_Delay bits
++ * set, reflecting the state assigned when the block was
++ * initially delayed allocated
+ */
+- if (ext4_es_is_delayed(&es) && !ext4_es_is_unwritten(&es)) {
+- map_bh(bh, inode->i_sb, invalid_block);
+- set_buffer_new(bh);
+- set_buffer_delay(bh);
++ if (ext4_es_is_delonly(&es)) {
++ BUG_ON(bh->b_blocknr != invalid_block);
++ BUG_ON(!buffer_new(bh));
++ BUG_ON(!buffer_delay(bh));
+ return 0;
+ }
+
+--
+2.33.0
+
--- /dev/null
+From 63f41f1b2a64b3095f379397e5ba8924e7ac242e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Jul 2021 20:03:25 +0900
+Subject: HID: apple: Fix logical maximum and usage maximum of Magic Keyboard
+ JIS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mizuho Mori <morimolymoly@gmail.com>
+
+[ Upstream commit 67fd71ba16a37c663d139f5ba5296f344d80d072 ]
+
+Apple Magic Keyboard(JIS)'s Logical Maximum and Usage Maximum are wrong.
+
+Below is a report descriptor.
+
+0x05, 0x01, /* Usage Page (Desktop), */
+0x09, 0x06, /* Usage (Keyboard), */
+0xA1, 0x01, /* Collection (Application), */
+0x85, 0x01, /* Report ID (1), */
+0x05, 0x07, /* Usage Page (Keyboard), */
+0x15, 0x00, /* Logical Minimum (0), */
+0x25, 0x01, /* Logical Maximum (1), */
+0x19, 0xE0, /* Usage Minimum (KB Leftcontrol), */
+0x29, 0xE7, /* Usage Maximum (KB Right GUI), */
+0x75, 0x01, /* Report Size (1), */
+0x95, 0x08, /* Report Count (8), */
+0x81, 0x02, /* Input (Variable), */
+0x95, 0x05, /* Report Count (5), */
+0x75, 0x01, /* Report Size (1), */
+0x05, 0x08, /* Usage Page (LED), */
+0x19, 0x01, /* Usage Minimum (01h), */
+0x29, 0x05, /* Usage Maximum (05h), */
+0x91, 0x02, /* Output (Variable), */
+0x95, 0x01, /* Report Count (1), */
+0x75, 0x03, /* Report Size (3), */
+0x91, 0x03, /* Output (Constant, Variable), */
+0x95, 0x08, /* Report Count (8), */
+0x75, 0x01, /* Report Size (1), */
+0x15, 0x00, /* Logical Minimum (0), */
+0x25, 0x01, /* Logical Maximum (1), */
+
+here is a report descriptor which is parsed one in kernel.
+see sys/kernel/debug/hid/<dev>/rdesc
+
+05 01 09 06 a1 01 85 01 05 07
+15 00 25 01 19 e0 29 e7 75 01
+95 08 81 02 95 05 75 01 05 08
+19 01 29 05 91 02 95 01 75 03
+91 03 95 08 75 01 15 00 25 01
+06 00 ff 09 03 81 03 95 06 75
+08 15 00 25 [65] 05 07 19 00 29
+[65] 81 00 95 01 75 01 15 00 25
+01 05 0c 09 b8 81 02 95 01 75
+01 06 01 ff 09 03 81 02 95 01
+75 06 81 03 06 02 ff 09 55 85
+55 15 00 26 ff 00 75 08 95 40
+b1 a2 c0 06 00 ff 09 14 a1 01
+85 90 05 84 75 01 95 03 15 00
+25 01 09 61 05 85 09 44 09 46
+81 02 95 05 81 01 75 08 95 01
+15 00 26 ff 00 09 65 81 02 c0
+00
+
+Position 64(Logical Maximum) and 70(Usage Maximum) are 101.
+Both should be 0xE7 to support JIS specific keys(ろ, Eisu, Kana, |) support.
+position 117 is also 101 but not related(it is Usage 65h).
+
+There are no difference of product id between JIS and ANSI.
+They are same 0x0267.
+
+Signed-off-by: Mizuho Mori <morimolymoly@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-apple.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/hid/hid-apple.c b/drivers/hid/hid-apple.c
+index 6909c045fece..07df64daf7da 100644
+--- a/drivers/hid/hid-apple.c
++++ b/drivers/hid/hid-apple.c
+@@ -301,12 +301,19 @@ static int apple_event(struct hid_device *hdev, struct hid_field *field,
+
+ /*
+ * MacBook JIS keyboard has wrong logical maximum
++ * Magic Keyboard JIS has wrong logical maximum
+ */
+ static __u8 *apple_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+ unsigned int *rsize)
+ {
+ struct apple_sc *asc = hid_get_drvdata(hdev);
+
++ if(*rsize >=71 && rdesc[70] == 0x65 && rdesc[64] == 0x65) {
++ hid_info(hdev,
++ "fixing up Magic Keyboard JIS report descriptor\n");
++ rdesc[64] = rdesc[70] = 0xe7;
++ }
++
+ if ((asc->quirks & APPLE_RDESC_JIS) && *rsize >= 60 &&
+ rdesc[53] == 0x65 && rdesc[59] == 0x65) {
+ hid_info(hdev,
+--
+2.33.0
+
--- /dev/null
+From b5d277e9a836d3f30b541952c5bf80f0bf4b7a7c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Sep 2021 13:28:25 -0400
+Subject: HID: wacom: Add new Intuos BT (CTL-4100WL/CTL-6100WL) device IDs
+
+From: Joshua-Dickens <Joshua@Joshua-Dickens.com>
+
+[ Upstream commit 0c8fbaa553077630e8eae45bd9676cfc01836aeb ]
+
+Add the new PIDs to wacom_wac.c to support the new models in the Intuos series.
+
+[jkosina@suse.cz: fix changelog]
+Signed-off-by: Joshua Dickens <joshua.dickens@wacom.com>
+Reviewed-by: Ping Cheng <ping.cheng@wacom.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/wacom_wac.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c
+index d5425bc1ad61..f6be2e70a496 100644
+--- a/drivers/hid/wacom_wac.c
++++ b/drivers/hid/wacom_wac.c
+@@ -4715,6 +4715,12 @@ static const struct wacom_features wacom_features_0x393 =
+ { "Wacom Intuos Pro S", 31920, 19950, 8191, 63,
+ INTUOSP2S_BT, WACOM_INTUOS3_RES, WACOM_INTUOS3_RES, 7,
+ .touch_max = 10 };
++static const struct wacom_features wacom_features_0x3c6 =
++ { "Wacom Intuos BT S", 15200, 9500, 4095, 63,
++ INTUOSHT3_BT, WACOM_INTUOS_RES, WACOM_INTUOS_RES, 4 };
++static const struct wacom_features wacom_features_0x3c8 =
++ { "Wacom Intuos BT M", 21600, 13500, 4095, 63,
++ INTUOSHT3_BT, WACOM_INTUOS_RES, WACOM_INTUOS_RES, 4 };
+
+ static const struct wacom_features wacom_features_HID_ANY_ID =
+ { "Wacom HID", .type = HID_GENERIC, .oVid = HID_ANY_ID, .oPid = HID_ANY_ID };
+@@ -4888,6 +4894,8 @@ const struct hid_device_id wacom_ids[] = {
+ { USB_DEVICE_WACOM(0x37A) },
+ { USB_DEVICE_WACOM(0x37B) },
+ { BT_DEVICE_WACOM(0x393) },
++ { BT_DEVICE_WACOM(0x3c6) },
++ { BT_DEVICE_WACOM(0x3c8) },
+ { USB_DEVICE_WACOM(0x4001) },
+ { USB_DEVICE_WACOM(0x4004) },
+ { USB_DEVICE_WACOM(0x5000) },
+--
+2.33.0
+
--- /dev/null
+From 9317cb69478454b478f015cfff32164e2e76fdf2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 25 Jul 2021 17:19:00 +0000
+Subject: m68k: Handle arrivals of multiple signals correctly
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit 4bb0bd81ce5e97092dfda6a106d414b703ec0ee8 ]
+
+When we have several pending signals, have entered with the kernel
+with large exception frame *and* have already built at least one
+sigframe, regs->stkadj is going to be non-zero and regs->format/sr/pc
+are going to be junk - the real values are in shifted exception stack
+frame we'd built when putting together the first sigframe.
+
+If that happens, subsequent sigframes are going to be garbage.
+Not hard to fix - just need to find the "adjusted" frame first
+and look for format/vector/sr/pc in it.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Tested-by: Michael Schmitz <schmitzmic@gmail.com>
+Reviewed-by: Michael Schmitz <schmitzmic@gmail.com>
+Tested-by: Finn Thain <fthain@linux-m68k.org>
+Link: https://lore.kernel.org/r/YP2dBIAPTaVvHiZ6@zeniv-ca.linux.org.uk
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/kernel/signal.c | 88 +++++++++++++++++++--------------------
+ 1 file changed, 42 insertions(+), 46 deletions(-)
+
+diff --git a/arch/m68k/kernel/signal.c b/arch/m68k/kernel/signal.c
+index 05610e6924c1..f7121b775e5f 100644
+--- a/arch/m68k/kernel/signal.c
++++ b/arch/m68k/kernel/signal.c
+@@ -448,7 +448,7 @@ static inline void save_fpu_state(struct sigcontext *sc, struct pt_regs *regs)
+
+ if (CPU_IS_060 ? sc->sc_fpstate[2] : sc->sc_fpstate[0]) {
+ fpu_version = sc->sc_fpstate[0];
+- if (CPU_IS_020_OR_030 &&
++ if (CPU_IS_020_OR_030 && !regs->stkadj &&
+ regs->vector >= (VEC_FPBRUC * 4) &&
+ regs->vector <= (VEC_FPNAN * 4)) {
+ /* Clear pending exception in 68882 idle frame */
+@@ -511,7 +511,7 @@ static inline int rt_save_fpu_state(struct ucontext __user *uc, struct pt_regs *
+ if (!(CPU_IS_060 || CPU_IS_COLDFIRE))
+ context_size = fpstate[1];
+ fpu_version = fpstate[0];
+- if (CPU_IS_020_OR_030 &&
++ if (CPU_IS_020_OR_030 && !regs->stkadj &&
+ regs->vector >= (VEC_FPBRUC * 4) &&
+ regs->vector <= (VEC_FPNAN * 4)) {
+ /* Clear pending exception in 68882 idle frame */
+@@ -829,18 +829,24 @@ badframe:
+ return 0;
+ }
+
++static inline struct pt_regs *rte_regs(struct pt_regs *regs)
++{
++ return (void *)regs + regs->stkadj;
++}
++
+ static void setup_sigcontext(struct sigcontext *sc, struct pt_regs *regs,
+ unsigned long mask)
+ {
++ struct pt_regs *tregs = rte_regs(regs);
+ sc->sc_mask = mask;
+ sc->sc_usp = rdusp();
+ sc->sc_d0 = regs->d0;
+ sc->sc_d1 = regs->d1;
+ sc->sc_a0 = regs->a0;
+ sc->sc_a1 = regs->a1;
+- sc->sc_sr = regs->sr;
+- sc->sc_pc = regs->pc;
+- sc->sc_formatvec = regs->format << 12 | regs->vector;
++ sc->sc_sr = tregs->sr;
++ sc->sc_pc = tregs->pc;
++ sc->sc_formatvec = tregs->format << 12 | tregs->vector;
+ save_a5_state(sc, regs);
+ save_fpu_state(sc, regs);
+ }
+@@ -848,6 +854,7 @@ static void setup_sigcontext(struct sigcontext *sc, struct pt_regs *regs,
+ static inline int rt_setup_ucontext(struct ucontext __user *uc, struct pt_regs *regs)
+ {
+ struct switch_stack *sw = (struct switch_stack *)regs - 1;
++ struct pt_regs *tregs = rte_regs(regs);
+ greg_t __user *gregs = uc->uc_mcontext.gregs;
+ int err = 0;
+
+@@ -868,9 +875,9 @@ static inline int rt_setup_ucontext(struct ucontext __user *uc, struct pt_regs *
+ err |= __put_user(sw->a5, &gregs[13]);
+ err |= __put_user(sw->a6, &gregs[14]);
+ err |= __put_user(rdusp(), &gregs[15]);
+- err |= __put_user(regs->pc, &gregs[16]);
+- err |= __put_user(regs->sr, &gregs[17]);
+- err |= __put_user((regs->format << 12) | regs->vector, &uc->uc_formatvec);
++ err |= __put_user(tregs->pc, &gregs[16]);
++ err |= __put_user(tregs->sr, &gregs[17]);
++ err |= __put_user((tregs->format << 12) | tregs->vector, &uc->uc_formatvec);
+ err |= rt_save_fpu_state(uc, regs);
+ return err;
+ }
+@@ -887,13 +894,14 @@ static int setup_frame(struct ksignal *ksig, sigset_t *set,
+ struct pt_regs *regs)
+ {
+ struct sigframe __user *frame;
+- int fsize = frame_extra_sizes(regs->format);
++ struct pt_regs *tregs = rte_regs(regs);
++ int fsize = frame_extra_sizes(tregs->format);
+ struct sigcontext context;
+ int err = 0, sig = ksig->sig;
+
+ if (fsize < 0) {
+ pr_debug("setup_frame: Unknown frame format %#x\n",
+- regs->format);
++ tregs->format);
+ return -EFAULT;
+ }
+
+@@ -904,7 +912,7 @@ static int setup_frame(struct ksignal *ksig, sigset_t *set,
+
+ err |= __put_user(sig, &frame->sig);
+
+- err |= __put_user(regs->vector, &frame->code);
++ err |= __put_user(tregs->vector, &frame->code);
+ err |= __put_user(&frame->sc, &frame->psc);
+
+ if (_NSIG_WORDS > 1)
+@@ -929,34 +937,28 @@ static int setup_frame(struct ksignal *ksig, sigset_t *set,
+
+ push_cache ((unsigned long) &frame->retcode);
+
+- /*
+- * Set up registers for signal handler. All the state we are about
+- * to destroy is successfully copied to sigframe.
+- */
+- wrusp ((unsigned long) frame);
+- regs->pc = (unsigned long) ksig->ka.sa.sa_handler;
+- adjustformat(regs);
+-
+ /*
+ * This is subtle; if we build more than one sigframe, all but the
+ * first one will see frame format 0 and have fsize == 0, so we won't
+ * screw stkadj.
+ */
+- if (fsize)
++ if (fsize) {
+ regs->stkadj = fsize;
+-
+- /* Prepare to skip over the extra stuff in the exception frame. */
+- if (regs->stkadj) {
+- struct pt_regs *tregs =
+- (struct pt_regs *)((ulong)regs + regs->stkadj);
++ tregs = rte_regs(regs);
+ pr_debug("Performing stackadjust=%04lx\n", regs->stkadj);
+- /* This must be copied with decreasing addresses to
+- handle overlaps. */
+ tregs->vector = 0;
+ tregs->format = 0;
+- tregs->pc = regs->pc;
+ tregs->sr = regs->sr;
+ }
++
++ /*
++ * Set up registers for signal handler. All the state we are about
++ * to destroy is successfully copied to sigframe.
++ */
++ wrusp ((unsigned long) frame);
++ tregs->pc = (unsigned long) ksig->ka.sa.sa_handler;
++ adjustformat(regs);
++
+ return 0;
+ }
+
+@@ -964,7 +966,8 @@ static int setup_rt_frame(struct ksignal *ksig, sigset_t *set,
+ struct pt_regs *regs)
+ {
+ struct rt_sigframe __user *frame;
+- int fsize = frame_extra_sizes(regs->format);
++ struct pt_regs *tregs = rte_regs(regs);
++ int fsize = frame_extra_sizes(tregs->format);
+ int err = 0, sig = ksig->sig;
+
+ if (fsize < 0) {
+@@ -1013,34 +1016,27 @@ static int setup_rt_frame(struct ksignal *ksig, sigset_t *set,
+
+ push_cache ((unsigned long) &frame->retcode);
+
+- /*
+- * Set up registers for signal handler. All the state we are about
+- * to destroy is successfully copied to sigframe.
+- */
+- wrusp ((unsigned long) frame);
+- regs->pc = (unsigned long) ksig->ka.sa.sa_handler;
+- adjustformat(regs);
+-
+ /*
+ * This is subtle; if we build more than one sigframe, all but the
+ * first one will see frame format 0 and have fsize == 0, so we won't
+ * screw stkadj.
+ */
+- if (fsize)
++ if (fsize) {
+ regs->stkadj = fsize;
+-
+- /* Prepare to skip over the extra stuff in the exception frame. */
+- if (regs->stkadj) {
+- struct pt_regs *tregs =
+- (struct pt_regs *)((ulong)regs + regs->stkadj);
++ tregs = rte_regs(regs);
+ pr_debug("Performing stackadjust=%04lx\n", regs->stkadj);
+- /* This must be copied with decreasing addresses to
+- handle overlaps. */
+ tregs->vector = 0;
+ tregs->format = 0;
+- tregs->pc = regs->pc;
+ tregs->sr = regs->sr;
+ }
++
++ /*
++ * Set up registers for signal handler. All the state we are about
++ * to destroy is successfully copied to sigframe.
++ */
++ wrusp ((unsigned long) frame);
++ tregs->pc = (unsigned long) ksig->ka.sa.sa_handler;
++ adjustformat(regs);
+ return 0;
+ }
+
+--
+2.33.0
+
--- /dev/null
+From cd3735b9d90aa26ceaa8c66026693db594dc1790 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Sep 2021 03:34:57 +0000
+Subject: mac80211: check return value of rhashtable_init
+
+From: MichelleJin <shjy180909@gmail.com>
+
+[ Upstream commit 111461d573741c17eafad029ac93474fa9adcce0 ]
+
+When rhashtable_init() fails, it returns -EINVAL.
+However, since error return value of rhashtable_init is not checked,
+it can cause use of uninitialized pointers.
+So, fix unhandled errors of rhashtable_init.
+
+Signed-off-by: MichelleJin <shjy180909@gmail.com>
+Link: https://lore.kernel.org/r/20210927033457.1020967-4-shjy180909@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mesh_pathtbl.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c
+index 1708b64d4109..d7ae7415d54d 100644
+--- a/net/mac80211/mesh_pathtbl.c
++++ b/net/mac80211/mesh_pathtbl.c
+@@ -60,7 +60,10 @@ static struct mesh_table *mesh_table_alloc(void)
+ atomic_set(&newtbl->entries, 0);
+ spin_lock_init(&newtbl->gates_lock);
+ spin_lock_init(&newtbl->walk_lock);
+- rhashtable_init(&newtbl->rhead, &mesh_rht_params);
++ if (rhashtable_init(&newtbl->rhead, &mesh_rht_params)) {
++ kfree(newtbl);
++ return NULL;
++ }
+
+ return newtbl;
+ }
+--
+2.33.0
+
--- /dev/null
+From 2f5c33275abb54e6ab904bcdec7365056b599bc1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Aug 2021 22:42:30 +0800
+Subject: mac80211: Drop frames from invalid MAC address in ad-hoc mode
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit a6555f844549cd190eb060daef595f94d3de1582 ]
+
+WARNING: CPU: 1 PID: 9 at net/mac80211/sta_info.c:554
+sta_info_insert_rcu+0x121/0x12a0
+Modules linked in:
+CPU: 1 PID: 9 Comm: kworker/u8:1 Not tainted 5.14.0-rc7+ #253
+Workqueue: phy3 ieee80211_iface_work
+RIP: 0010:sta_info_insert_rcu+0x121/0x12a0
+...
+Call Trace:
+ ieee80211_ibss_finish_sta+0xbc/0x170
+ ieee80211_ibss_work+0x13f/0x7d0
+ ieee80211_iface_work+0x37a/0x500
+ process_one_work+0x357/0x850
+ worker_thread+0x41/0x4d0
+
+If an Ad-Hoc node receives packets with invalid source MAC address,
+it hits a WARN_ON in sta_info_insert_check(), this can spam the log.
+
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Link: https://lore.kernel.org/r/20210827144230.39944-1-yuehaibing@huawei.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/rx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
+index 670d84e54db7..c7e6bf7c22c7 100644
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -3952,7 +3952,8 @@ static bool ieee80211_accept_frame(struct ieee80211_rx_data *rx)
+ if (!bssid)
+ return false;
+ if (ether_addr_equal(sdata->vif.addr, hdr->addr2) ||
+- ether_addr_equal(sdata->u.ibss.bssid, hdr->addr2))
++ ether_addr_equal(sdata->u.ibss.bssid, hdr->addr2) ||
++ !is_valid_ether_addr(hdr->addr2))
+ return false;
+ if (ieee80211_is_beacon(hdr->frame_control))
+ return true;
+--
+2.33.0
+
--- /dev/null
+From c5a62d2db2e1bcf118c0c8dbd0559f63b6ff9dfa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Sep 2021 10:35:58 +0800
+Subject: net: prevent user from passing illegal stab size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: 王贇 <yun.wang@linux.alibaba.com>
+
+[ Upstream commit b193e15ac69d56f35e1d8e2b5d16cbd47764d053 ]
+
+We observed below report when playing with netlink sock:
+
+ UBSAN: shift-out-of-bounds in net/sched/sch_api.c:580:10
+ shift exponent 249 is too large for 32-bit type
+ CPU: 0 PID: 685 Comm: a.out Not tainted
+ Call Trace:
+ dump_stack_lvl+0x8d/0xcf
+ ubsan_epilogue+0xa/0x4e
+ __ubsan_handle_shift_out_of_bounds+0x161/0x182
+ __qdisc_calculate_pkt_len+0xf0/0x190
+ __dev_queue_xmit+0x2ed/0x15b0
+
+it seems like kernel won't check the stab log value passing from
+user, and will use the insane value later to calculate pkt_len.
+
+This patch just add a check on the size/cell_log to avoid insane
+calculation.
+
+Reported-by: Abaci <abaci@linux.alibaba.com>
+Signed-off-by: Michael Wang <yun.wang@linux.alibaba.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/pkt_sched.h | 1 +
+ net/sched/sch_api.c | 6 ++++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/include/net/pkt_sched.h b/include/net/pkt_sched.h
+index b16f9236de14..d1585b54fb0b 100644
+--- a/include/net/pkt_sched.h
++++ b/include/net/pkt_sched.h
+@@ -11,6 +11,7 @@
+ #include <uapi/linux/pkt_sched.h>
+
+ #define DEFAULT_TX_QUEUE_LEN 1000
++#define STAB_SIZE_LOG_MAX 30
+
+ struct qdisc_walker {
+ int stop;
+diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
+index 3b1b5ee52137..e70f99033408 100644
+--- a/net/sched/sch_api.c
++++ b/net/sched/sch_api.c
+@@ -510,6 +510,12 @@ static struct qdisc_size_table *qdisc_get_stab(struct nlattr *opt,
+ return stab;
+ }
+
++ if (s->size_log > STAB_SIZE_LOG_MAX ||
++ s->cell_log > STAB_SIZE_LOG_MAX) {
++ NL_SET_ERR_MSG(extack, "Invalid logarithmic size of size table");
++ return ERR_PTR(-EINVAL);
++ }
++
+ stab = kmalloc(sizeof(*stab) + tsize * sizeof(u16), GFP_KERNEL);
+ if (!stab)
+ return ERR_PTR(-ENOMEM);
+--
+2.33.0
+
--- /dev/null
+From 87ab5886ae811526c63eab8251baa83065e45945 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Sep 2021 14:48:23 -0700
+Subject: net: sun: SUNVNET_COMMON should depend on INET
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 103bde372f084206c6972be543ecc247ebbff9f3 ]
+
+When CONFIG_INET is not set, there are failing references to IPv4
+functions, so make this driver depend on INET.
+
+Fixes these build errors:
+
+sparc64-linux-ld: drivers/net/ethernet/sun/sunvnet_common.o: in function `sunvnet_start_xmit_common':
+sunvnet_common.c:(.text+0x1a68): undefined reference to `__icmp_send'
+sparc64-linux-ld: drivers/net/ethernet/sun/sunvnet_common.o: in function `sunvnet_poll_common':
+sunvnet_common.c:(.text+0x358c): undefined reference to `ip_send_check'
+
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: Aaron Young <aaron.young@oracle.com>
+Cc: Rashmi Narasimhan <rashmi.narasimhan@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/sun/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/sun/Kconfig b/drivers/net/ethernet/sun/Kconfig
+index 7b982e02ea3a..1080a2a3e13a 100644
+--- a/drivers/net/ethernet/sun/Kconfig
++++ b/drivers/net/ethernet/sun/Kconfig
+@@ -73,6 +73,7 @@ config CASSINI
+ config SUNVNET_COMMON
+ tristate "Common routines to support Sun Virtual Networking"
+ depends on SUN_LDOMS
++ depends on INET
+ default m
+
+ config SUNVNET
+--
+2.33.0
+
--- /dev/null
+From 839882ba8809184115ac328d645fa14fb7478ee3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Sep 2021 22:24:33 +0100
+Subject: netfilter: ip6_tables: zero-initialize fragment offset
+
+From: Jeremy Sowden <jeremy@azazel.net>
+
+[ Upstream commit 310e2d43c3ad429c1fba4b175806cf1f55ed73a6 ]
+
+ip6tables only sets the `IP6T_F_PROTO` flag on a rule if a protocol is
+specified (`-p tcp`, for example). However, if the flag is not set,
+`ip6_packet_match` doesn't call `ipv6_find_hdr` for the skb, in which
+case the fragment offset is left uninitialized and a garbage value is
+passed to each matcher.
+
+Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/netfilter/ip6_tables.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
+index 8bb543b0e775..41268612bdd4 100644
+--- a/net/ipv6/netfilter/ip6_tables.c
++++ b/net/ipv6/netfilter/ip6_tables.c
+@@ -273,6 +273,7 @@ ip6t_do_table(struct sk_buff *skb,
+ * things we don't know, ie. tcp syn flag or ports). If the
+ * rule is also a fragment-specific rule, non-fragments won't
+ * match it. */
++ acpar.fragoff = 0;
+ acpar.hotdrop = false;
+ acpar.state = state;
+
+--
+2.33.0
+
--- /dev/null
+From cb14d5dbfd8933bd6657be6e1d6956711e18d452 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Sep 2021 16:46:39 +0200
+Subject: netfilter: nf_nat_masquerade: defer conntrack walk to work queue
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 7970a19b71044bf4dc2c1becc200275bdf1884d4 ]
+
+The ipv4 and device notifiers are called with RTNL mutex held.
+The table walk can take some time, better not block other RTNL users.
+
+'ip a' has been reported to block for up to 20 seconds when conntrack table
+has many entries and device down events are frequent (e.g., PPP).
+
+Reported-and-tested-by: Martin Zaharinov <micron10@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_nat_masquerade.c | 50 +++++++++++++++----------------
+ 1 file changed, 24 insertions(+), 26 deletions(-)
+
+diff --git a/net/netfilter/nf_nat_masquerade.c b/net/netfilter/nf_nat_masquerade.c
+index 415919a6ac1a..acd73f717a08 100644
+--- a/net/netfilter/nf_nat_masquerade.c
++++ b/net/netfilter/nf_nat_masquerade.c
+@@ -131,13 +131,14 @@ static void nf_nat_masq_schedule(struct net *net, union nf_inet_addr *addr,
+ put_net(net);
+ }
+
+-static int device_cmp(struct nf_conn *i, void *ifindex)
++static int device_cmp(struct nf_conn *i, void *arg)
+ {
+ const struct nf_conn_nat *nat = nfct_nat(i);
++ const struct masq_dev_work *w = arg;
+
+ if (!nat)
+ return 0;
+- return nat->masq_index == (int)(long)ifindex;
++ return nat->masq_index == w->ifindex;
+ }
+
+ static int masq_device_event(struct notifier_block *this,
+@@ -153,8 +154,8 @@ static int masq_device_event(struct notifier_block *this,
+ * and forget them.
+ */
+
+- nf_ct_iterate_cleanup_net(net, device_cmp,
+- (void *)(long)dev->ifindex, 0, 0);
++ nf_nat_masq_schedule(net, NULL, dev->ifindex,
++ device_cmp, GFP_KERNEL);
+ }
+
+ return NOTIFY_DONE;
+@@ -162,35 +163,45 @@ static int masq_device_event(struct notifier_block *this,
+
+ static int inet_cmp(struct nf_conn *ct, void *ptr)
+ {
+- struct in_ifaddr *ifa = (struct in_ifaddr *)ptr;
+- struct net_device *dev = ifa->ifa_dev->dev;
+ struct nf_conntrack_tuple *tuple;
++ struct masq_dev_work *w = ptr;
+
+- if (!device_cmp(ct, (void *)(long)dev->ifindex))
++ if (!device_cmp(ct, ptr))
+ return 0;
+
+ tuple = &ct->tuplehash[IP_CT_DIR_REPLY].tuple;
+
+- return ifa->ifa_address == tuple->dst.u3.ip;
++ return nf_inet_addr_cmp(&w->addr, &tuple->dst.u3);
+ }
+
+ static int masq_inet_event(struct notifier_block *this,
+ unsigned long event,
+ void *ptr)
+ {
+- struct in_device *idev = ((struct in_ifaddr *)ptr)->ifa_dev;
+- struct net *net = dev_net(idev->dev);
++ const struct in_ifaddr *ifa = ptr;
++ const struct in_device *idev;
++ const struct net_device *dev;
++ union nf_inet_addr addr;
++
++ if (event != NETDEV_DOWN)
++ return NOTIFY_DONE;
+
+ /* The masq_dev_notifier will catch the case of the device going
+ * down. So if the inetdev is dead and being destroyed we have
+ * no work to do. Otherwise this is an individual address removal
+ * and we have to perform the flush.
+ */
++ idev = ifa->ifa_dev;
+ if (idev->dead)
+ return NOTIFY_DONE;
+
+- if (event == NETDEV_DOWN)
+- nf_ct_iterate_cleanup_net(net, inet_cmp, ptr, 0, 0);
++ memset(&addr, 0, sizeof(addr));
++
++ addr.ip = ifa->ifa_address;
++
++ dev = idev->dev;
++ nf_nat_masq_schedule(dev_net(idev->dev), &addr, dev->ifindex,
++ inet_cmp, GFP_KERNEL);
+
+ return NOTIFY_DONE;
+ }
+@@ -253,19 +264,6 @@ nf_nat_masquerade_ipv6(struct sk_buff *skb, const struct nf_nat_range2 *range,
+ }
+ EXPORT_SYMBOL_GPL(nf_nat_masquerade_ipv6);
+
+-static int inet6_cmp(struct nf_conn *ct, void *work)
+-{
+- struct masq_dev_work *w = (struct masq_dev_work *)work;
+- struct nf_conntrack_tuple *tuple;
+-
+- if (!device_cmp(ct, (void *)(long)w->ifindex))
+- return 0;
+-
+- tuple = &ct->tuplehash[IP_CT_DIR_REPLY].tuple;
+-
+- return nf_inet_addr_cmp(&w->addr, &tuple->dst.u3);
+-}
+-
+ /* atomic notifier; can't call nf_ct_iterate_cleanup_net (it can sleep).
+ *
+ * Defer it to the system workqueue.
+@@ -289,7 +287,7 @@ static int masq_inet6_event(struct notifier_block *this,
+
+ addr.in6 = ifa->addr;
+
+- nf_nat_masq_schedule(dev_net(dev), &addr, dev->ifindex, inet6_cmp,
++ nf_nat_masq_schedule(dev_net(dev), &addr, dev->ifindex, inet_cmp,
+ GFP_ATOMIC);
+ return NOTIFY_DONE;
+ }
+--
+2.33.0
+
--- /dev/null
+From b93da75902221bfa226e187f44f72d7d9ce0370f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Sep 2021 16:46:38 +0200
+Subject: netfilter: nf_nat_masquerade: make async masq_inet6_event handling
+ generic
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 30db406923b9285a9bac06a6af5e74bd6d0f1d06 ]
+
+masq_inet6_event is called asynchronously from system work queue,
+because the inet6 notifier is atomic and nf_iterate_cleanup can sleep.
+
+The ipv4 and device notifiers call nf_iterate_cleanup directly.
+
+This is legal, but these notifiers are called with RTNL mutex held.
+A large conntrack table with many devices coming and going will have severe
+impact on the system usability, with 'ip a' blocking for several seconds.
+
+This change places the defer code into a helper and makes it more
+generic so ipv4 and ifdown notifiers can be converted to defer the
+cleanup walk as well in a follow patch.
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_nat_masquerade.c | 122 ++++++++++++++++++------------
+ 1 file changed, 75 insertions(+), 47 deletions(-)
+
+diff --git a/net/netfilter/nf_nat_masquerade.c b/net/netfilter/nf_nat_masquerade.c
+index 8e8a65d46345..415919a6ac1a 100644
+--- a/net/netfilter/nf_nat_masquerade.c
++++ b/net/netfilter/nf_nat_masquerade.c
+@@ -9,8 +9,19 @@
+
+ #include <net/netfilter/nf_nat_masquerade.h>
+
++struct masq_dev_work {
++ struct work_struct work;
++ struct net *net;
++ union nf_inet_addr addr;
++ int ifindex;
++ int (*iter)(struct nf_conn *i, void *data);
++};
++
++#define MAX_MASQ_WORKER_COUNT 16
++
+ static DEFINE_MUTEX(masq_mutex);
+ static unsigned int masq_refcnt __read_mostly;
++static atomic_t masq_worker_count __read_mostly;
+
+ unsigned int
+ nf_nat_masquerade_ipv4(struct sk_buff *skb, unsigned int hooknum,
+@@ -63,6 +74,63 @@ nf_nat_masquerade_ipv4(struct sk_buff *skb, unsigned int hooknum,
+ }
+ EXPORT_SYMBOL_GPL(nf_nat_masquerade_ipv4);
+
++static void iterate_cleanup_work(struct work_struct *work)
++{
++ struct masq_dev_work *w;
++
++ w = container_of(work, struct masq_dev_work, work);
++
++ nf_ct_iterate_cleanup_net(w->net, w->iter, (void *)w, 0, 0);
++
++ put_net(w->net);
++ kfree(w);
++ atomic_dec(&masq_worker_count);
++ module_put(THIS_MODULE);
++}
++
++/* Iterate conntrack table in the background and remove conntrack entries
++ * that use the device/address being removed.
++ *
++ * In case too many work items have been queued already or memory allocation
++ * fails iteration is skipped, conntrack entries will time out eventually.
++ */
++static void nf_nat_masq_schedule(struct net *net, union nf_inet_addr *addr,
++ int ifindex,
++ int (*iter)(struct nf_conn *i, void *data),
++ gfp_t gfp_flags)
++{
++ struct masq_dev_work *w;
++
++ if (atomic_read(&masq_worker_count) > MAX_MASQ_WORKER_COUNT)
++ return;
++
++ net = maybe_get_net(net);
++ if (!net)
++ return;
++
++ if (!try_module_get(THIS_MODULE))
++ goto err_module;
++
++ w = kzalloc(sizeof(*w), gfp_flags);
++ if (w) {
++ /* We can overshoot MAX_MASQ_WORKER_COUNT, no big deal */
++ atomic_inc(&masq_worker_count);
++
++ INIT_WORK(&w->work, iterate_cleanup_work);
++ w->ifindex = ifindex;
++ w->net = net;
++ w->iter = iter;
++ if (addr)
++ w->addr = *addr;
++ schedule_work(&w->work);
++ return;
++ }
++
++ module_put(THIS_MODULE);
++ err_module:
++ put_net(net);
++}
++
+ static int device_cmp(struct nf_conn *i, void *ifindex)
+ {
+ const struct nf_conn_nat *nat = nfct_nat(i);
+@@ -136,8 +204,6 @@ static struct notifier_block masq_inet_notifier = {
+ };
+
+ #if IS_ENABLED(CONFIG_IPV6)
+-static atomic_t v6_worker_count __read_mostly;
+-
+ static int
+ nat_ipv6_dev_get_saddr(struct net *net, const struct net_device *dev,
+ const struct in6_addr *daddr, unsigned int srcprefs,
+@@ -187,13 +253,6 @@ nf_nat_masquerade_ipv6(struct sk_buff *skb, const struct nf_nat_range2 *range,
+ }
+ EXPORT_SYMBOL_GPL(nf_nat_masquerade_ipv6);
+
+-struct masq_dev_work {
+- struct work_struct work;
+- struct net *net;
+- struct in6_addr addr;
+- int ifindex;
+-};
+-
+ static int inet6_cmp(struct nf_conn *ct, void *work)
+ {
+ struct masq_dev_work *w = (struct masq_dev_work *)work;
+@@ -204,21 +263,7 @@ static int inet6_cmp(struct nf_conn *ct, void *work)
+
+ tuple = &ct->tuplehash[IP_CT_DIR_REPLY].tuple;
+
+- return ipv6_addr_equal(&w->addr, &tuple->dst.u3.in6);
+-}
+-
+-static void iterate_cleanup_work(struct work_struct *work)
+-{
+- struct masq_dev_work *w;
+-
+- w = container_of(work, struct masq_dev_work, work);
+-
+- nf_ct_iterate_cleanup_net(w->net, inet6_cmp, (void *)w, 0, 0);
+-
+- put_net(w->net);
+- kfree(w);
+- atomic_dec(&v6_worker_count);
+- module_put(THIS_MODULE);
++ return nf_inet_addr_cmp(&w->addr, &tuple->dst.u3);
+ }
+
+ /* atomic notifier; can't call nf_ct_iterate_cleanup_net (it can sleep).
+@@ -233,36 +278,19 @@ static int masq_inet6_event(struct notifier_block *this,
+ {
+ struct inet6_ifaddr *ifa = ptr;
+ const struct net_device *dev;
+- struct masq_dev_work *w;
+- struct net *net;
++ union nf_inet_addr addr;
+
+- if (event != NETDEV_DOWN || atomic_read(&v6_worker_count) >= 16)
++ if (event != NETDEV_DOWN)
+ return NOTIFY_DONE;
+
+ dev = ifa->idev->dev;
+- net = maybe_get_net(dev_net(dev));
+- if (!net)
+- return NOTIFY_DONE;
+
+- if (!try_module_get(THIS_MODULE))
+- goto err_module;
++ memset(&addr, 0, sizeof(addr));
+
+- w = kmalloc(sizeof(*w), GFP_ATOMIC);
+- if (w) {
+- atomic_inc(&v6_worker_count);
++ addr.in6 = ifa->addr;
+
+- INIT_WORK(&w->work, iterate_cleanup_work);
+- w->ifindex = dev->ifindex;
+- w->net = net;
+- w->addr = ifa->addr;
+- schedule_work(&w->work);
+-
+- return NOTIFY_DONE;
+- }
+-
+- module_put(THIS_MODULE);
+- err_module:
+- put_net(net);
++ nf_nat_masq_schedule(dev_net(dev), &addr, dev->ifindex, inet6_cmp,
++ GFP_ATOMIC);
+ return NOTIFY_DONE;
+ }
+
+--
+2.33.0
+
--- /dev/null
+From f5b8119688ff89e2b18aa6e01d16882a3424ca6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Sep 2021 15:31:11 +0200
+Subject: sched: Always inline is_percpu_thread()
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit 83d40a61046f73103b4e5d8f1310261487ff63b0 ]
+
+ vmlinux.o: warning: objtool: check_preemption_disabled()+0x81: call to is_percpu_thread() leaves .noinstr.text section
+
+Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/20210928084218.063371959@infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/sched.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/sched.h b/include/linux/sched.h
+index 5710b80f8050..afee5d5eb945 100644
+--- a/include/linux/sched.h
++++ b/include/linux/sched.h
+@@ -1500,7 +1500,7 @@ extern struct pid *cad_pid;
+ #define tsk_used_math(p) ((p)->flags & PF_USED_MATH)
+ #define used_math() tsk_used_math(current)
+
+-static inline bool is_percpu_thread(void)
++static __always_inline bool is_percpu_thread(void)
+ {
+ #ifdef CONFIG_SMP
+ return (current->flags & PF_NO_SETAFFINITY) &&
+--
+2.33.0
+
--- /dev/null
+From bf82bb488c3380eed1b6f74863e80571afa96015 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Sep 2021 17:51:53 +0800
+Subject: scsi: ses: Fix unsigned comparison with less than zero
+
+From: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
+
+[ Upstream commit dd689ed5aa905daf4ba4c99319a52aad6ea0a796 ]
+
+Fix the following coccicheck warning:
+
+./drivers/scsi/ses.c:137:10-16: WARNING: Unsigned expression compared
+with zero: result > 0.
+
+Link: https://lore.kernel.org/r/1632477113-90378-1-git-send-email-jiapeng.chong@linux.alibaba.com
+Reported-by: Abaci Robot <abaci@linux.alibaba.com>
+Signed-off-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ses.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c
+index 43e682297fd5..0a1734f34587 100644
+--- a/drivers/scsi/ses.c
++++ b/drivers/scsi/ses.c
+@@ -118,7 +118,7 @@ static int ses_recv_diag(struct scsi_device *sdev, int page_code,
+ static int ses_send_diag(struct scsi_device *sdev, int page_code,
+ void *buf, int bufflen)
+ {
+- u32 result;
++ int result;
+
+ unsigned char cmd[] = {
+ SEND_DIAGNOSTIC,
+--
+2.33.0
+
--- /dev/null
+From cee63eab61f92ed0894d47e9617e9f590363a6f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 25 Sep 2021 00:03:30 +0100
+Subject: scsi: virtio_scsi: Fix spelling mistake "Unsupport" -> "Unsupported"
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit cced4c0ec7c06f5230a2958907a409c849762293 ]
+
+There are a couple of spelling mistakes in pr_info and pr_err messages.
+Fix them.
+
+Link: https://lore.kernel.org/r/20210924230330.143785-1-colin.king@canonical.com
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/virtio_scsi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/virtio_scsi.c b/drivers/scsi/virtio_scsi.c
+index bfec84aacd90..cb833c5fb9ce 100644
+--- a/drivers/scsi/virtio_scsi.c
++++ b/drivers/scsi/virtio_scsi.c
+@@ -297,7 +297,7 @@ static void virtscsi_handle_transport_reset(struct virtio_scsi *vscsi,
+ }
+ break;
+ default:
+- pr_info("Unsupport virtio scsi event reason %x\n", event->reason);
++ pr_info("Unsupported virtio scsi event reason %x\n", event->reason);
+ }
+ }
+
+@@ -381,7 +381,7 @@ static void virtscsi_handle_event(struct work_struct *work)
+ virtscsi_handle_param_change(vscsi, event);
+ break;
+ default:
+- pr_err("Unsupport virtio scsi event %x\n", event->event);
++ pr_err("Unsupported virtio scsi event %x\n", event->event);
+ }
+ virtscsi_kick_event(vscsi, event_node);
+ }
+--
+2.33.0
+
net-phy-bcm7xxx-fixed-indirect-mmd-operations.patch
+ext4-correct-the-error-path-of-ext4_write_inline_dat.patch
+ext4-enforce-buffer-head-state-assertion-in-ext4_da_.patch
+hid-apple-fix-logical-maximum-and-usage-maximum-of-m.patch
+netfilter-ip6_tables-zero-initialize-fragment-offset.patch
+hid-wacom-add-new-intuos-bt-ctl-4100wl-ctl-6100wl-de.patch
+netfilter-nf_nat_masquerade-make-async-masq_inet6_ev.patch
+netfilter-nf_nat_masquerade-defer-conntrack-walk-to-.patch
+mac80211-drop-frames-from-invalid-mac-address-in-ad-.patch
+m68k-handle-arrivals-of-multiple-signals-correctly.patch
+net-prevent-user-from-passing-illegal-stab-size.patch
+mac80211-check-return-value-of-rhashtable_init.patch
+net-sun-sunvnet_common-should-depend-on-inet.patch
+drm-amdgpu-fix-gart.bo-pin_count-leak.patch
+scsi-ses-fix-unsigned-comparison-with-less-than-zero.patch
+scsi-virtio_scsi-fix-spelling-mistake-unsupport-unsu.patch
+sched-always-inline-is_percpu_thread.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
