Fixes for 4.9
authorSasha Levin <sashal@kernel.org>
Sun, 10 Oct 2021 18:58:40 +0000 (14:58 -0400)
committerSasha Levin <sashal@kernel.org>
Sun, 10 Oct 2021 18:58:40 +0000 (14:58 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
13 files changed:
queue-4.9/arm-imx6-disable-the-gic-cpu-interface-before-callin.patch [new file with mode: 0644]
queue-4.9/bpf-fix-integer-overflow-in-prealloc_elems_and_freel.patch [new file with mode: 0644]
queue-4.9/drm-nouveau-debugfs-fix-file-release-memory-leak.patch [new file with mode: 0644]
queue-4.9/i40e-fix-endless-loop-under-rtnl.patch [new file with mode: 0644]
queue-4.9/net-bridge-use-nla_total_size_64bit-in-br_get_linkxs.patch [new file with mode: 0644]
queue-4.9/net_sched-fix-null-deref-in-fifo_set_limit.patch [new file with mode: 0644]
queue-4.9/netlink-annotate-data-races-around-nlk-bound.patch [new file with mode: 0644]
queue-4.9/phy-mdio-fix-memory-leak.patch [new file with mode: 0644]
queue-4.9/powerpc-fsl-dts-fix-phy-connection-type-for-fm1mac3.patch [new file with mode: 0644]
queue-4.9/ptp_pch-load-module-automatically-if-id-matches.patch [new file with mode: 0644]
queue-4.9/rtnetlink-fix-if_nlmsg_stats_size-under-estimation.patch [new file with mode: 0644]
queue-4.9/series
queue-4.9/xtensa-call-irqchip_init-only-when-config_use_of-is-.patch [new file with mode: 0644]

diff --git a/queue-4.9/arm-imx6-disable-the-gic-cpu-interface-before-callin.patch b/queue-4.9/arm-imx6-disable-the-gic-cpu-interface-before-callin.patch
new file mode 100644 (file)
index 0000000..4f957d1
--- /dev/null
@@ -0,0 +1,44 @@
+From efff1b01851d7c2bd1cc0d1fcacbdfe550c241a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Sep 2021 15:49:40 +0200
+Subject: ARM: imx6: disable the GIC CPU interface before calling stby-poweroff
+ sequence
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+[ Upstream commit 783f3db030563f7bcdfe2d26428af98ea1699a8e ]
+
+Any pending interrupt can prevent entering standby based power off state.
+To avoid it, disable the GIC CPU interface.
+
+Fixes: 8148d2136002 ("ARM: imx6: register pm_power_off handler if "fsl,pmic-stby-poweroff" is set")
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-imx/pm-imx6.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm/mach-imx/pm-imx6.c b/arch/arm/mach-imx/pm-imx6.c
+index 6da26692f2fd..950c9f2ffe00 100644
+--- a/arch/arm/mach-imx/pm-imx6.c
++++ b/arch/arm/mach-imx/pm-imx6.c
+@@ -15,6 +15,7 @@
+ #include <linux/io.h>
+ #include <linux/irq.h>
+ #include <linux/genalloc.h>
++#include <linux/irqchip/arm-gic.h>
+ #include <linux/mfd/syscon.h>
+ #include <linux/mfd/syscon/imx6q-iomuxc-gpr.h>
+ #include <linux/of.h>
+@@ -606,6 +607,7 @@ static void __init imx6_pm_common_init(const struct imx6_pm_socdata
+ static void imx6_pm_stby_poweroff(void)
+ {
++      gic_cpu_if_down(0);
+       imx6_set_lpm(STOP_POWER_OFF);
+       imx6q_suspend_finish(0);
+-- 
+2.33.0
+
diff --git a/queue-4.9/bpf-fix-integer-overflow-in-prealloc_elems_and_freel.patch b/queue-4.9/bpf-fix-integer-overflow-in-prealloc_elems_and_freel.patch
new file mode 100644 (file)
index 0000000..58f669a
--- /dev/null
@@ -0,0 +1,65 @@
+From 196c53db3b28fce112b3408edb4ea6a470e2e12a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Sep 2021 22:55:45 +0900
+Subject: bpf: Fix integer overflow in prealloc_elems_and_freelist()
+
+From: Tatsuhiko Yasumatsu <th.yasumatsu@gmail.com>
+
+[ Upstream commit 30e29a9a2bc6a4888335a6ede968b75cd329657a ]
+
+In prealloc_elems_and_freelist(), the multiplication to calculate the
+size passed to bpf_map_area_alloc() could lead to an integer overflow.
+As a result, out-of-bounds write could occur in pcpu_freelist_populate()
+as reported by KASAN:
+
+[...]
+[   16.968613] BUG: KASAN: slab-out-of-bounds in pcpu_freelist_populate+0xd9/0x100
+[   16.969408] Write of size 8 at addr ffff888104fc6ea0 by task crash/78
+[   16.970038]
+[   16.970195] CPU: 0 PID: 78 Comm: crash Not tainted 5.15.0-rc2+ #1
+[   16.970878] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
+[   16.972026] Call Trace:
+[   16.972306]  dump_stack_lvl+0x34/0x44
+[   16.972687]  print_address_description.constprop.0+0x21/0x140
+[   16.973297]  ? pcpu_freelist_populate+0xd9/0x100
+[   16.973777]  ? pcpu_freelist_populate+0xd9/0x100
+[   16.974257]  kasan_report.cold+0x7f/0x11b
+[   16.974681]  ? pcpu_freelist_populate+0xd9/0x100
+[   16.975190]  pcpu_freelist_populate+0xd9/0x100
+[   16.975669]  stack_map_alloc+0x209/0x2a0
+[   16.976106]  __sys_bpf+0xd83/0x2ce0
+[...]
+
+The possibility of this overflow was originally discussed in [0], but
+was overlooked.
+
+Fix the integer overflow by changing elem_size to u64 from u32.
+
+  [0] https://lore.kernel.org/bpf/728b238e-a481-eb50-98e9-b0f430ab01e7@gmail.com/
+
+Fixes: 557c0c6e7df8 ("bpf: convert stackmap to pre-allocation")
+Signed-off-by: Tatsuhiko Yasumatsu <th.yasumatsu@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20210930135545.173698-1-th.yasumatsu@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/stackmap.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c
+index 2fdf6f96f976..6f09728cd1dd 100644
+--- a/kernel/bpf/stackmap.c
++++ b/kernel/bpf/stackmap.c
+@@ -28,7 +28,8 @@ struct bpf_stack_map {
+ static int prealloc_elems_and_freelist(struct bpf_stack_map *smap)
+ {
+-      u32 elem_size = sizeof(struct stack_map_bucket) + smap->map.value_size;
++      u64 elem_size = sizeof(struct stack_map_bucket) +
++                      (u64)smap->map.value_size;
+       int err;
+       smap->elems = bpf_map_area_alloc(elem_size * smap->map.max_entries);
+-- 
+2.33.0
+
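Review bot: The widened `elem_size` is multiplied by `smap->map.max_entries` and handed straight to `bpf_map_area_alloc()` on the last hunk line, but nothing in the hunk bounds the u64 product before it is converted to the callee's parameter type; if that parameter is `size_t`, a 32-bit build narrows the value again and the overflow this patch closes can reappear at the call boundary. A visible guard such as `if (elem_size * smap->map.max_entries > SIZE_MAX) return -E2BIG;` before the call, or a comment stating that the caller already caps value_size and max_entries so the product fits, would make the invariant explicit in this function. The body of prealloc_elems_and_freelist() continues past the hunk and the caller-side limits are not shown here, so this may already be covered elsewhere.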
diff --git a/queue-4.9/drm-nouveau-debugfs-fix-file-release-memory-leak.patch b/queue-4.9/drm-nouveau-debugfs-fix-file-release-memory-leak.patch
new file mode 100644 (file)
index 0000000..857cac6
--- /dev/null
@@ -0,0 +1,39 @@
+From 63062c383b48d578411730129ef212dd0b9d0254 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 11 Sep 2021 15:50:23 +0800
+Subject: drm/nouveau/debugfs: fix file release memory leak
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit f5a8703a9c418c6fc54eb772712dfe7641e3991c ]
+
+When using single_open() for opening, single_release() should be
+called, otherwise the 'op' allocated in single_open() will be leaked.
+
+Fixes: 6e9fc177399f ("drm/nouveau/debugfs: add copy of sysfs pstate interface ported to debugfs")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Karol Herbst <kherbst@redhat.com>
+Signed-off-by: Karol Herbst <kherbst@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210911075023.3969054-2-yangyingliang@huawei.com
+Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/nouveau/nouveau_debugfs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/nouveau/nouveau_debugfs.c b/drivers/gpu/drm/nouveau/nouveau_debugfs.c
+index 411c12cdb249..bb516eb12421 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_debugfs.c
++++ b/drivers/gpu/drm/nouveau/nouveau_debugfs.c
+@@ -178,6 +178,7 @@ static const struct file_operations nouveau_pstate_fops = {
+       .open = nouveau_debugfs_pstate_open,
+       .read = seq_read,
+       .write = nouveau_debugfs_pstate_set,
++      .release = single_release,
+ };
+ static struct drm_info_list nouveau_debugfs_list[] = {
+-- 
+2.33.0
+
diff --git a/queue-4.9/i40e-fix-endless-loop-under-rtnl.patch b/queue-4.9/i40e-fix-endless-loop-under-rtnl.patch
new file mode 100644 (file)
index 0000000..9787b4f
--- /dev/null
@@ -0,0 +1,58 @@
+From 0b834fe1c4ae46fee835b9b8445ead377bfad77b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Sep 2021 10:54:42 +0200
+Subject: i40e: fix endless loop under rtnl
+
+From: Jiri Benc <jbenc@redhat.com>
+
+[ Upstream commit 857b6c6f665cca9828396d9743faf37fd09e9ac3 ]
+
+The loop in i40e_get_capabilities can never end. The problem is that
+although i40e_aq_discover_capabilities returns with an error if there's
+a firmware problem, the returned error is not checked. There is a check for
+pf->hw.aq.asq_last_status but that value is set to I40E_AQ_RC_OK on most
+firmware problems.
+
+When i40e_aq_discover_capabilities encounters a firmware problem, it will
+encounter the same problem on its next invocation. As the result, the loop
+becomes endless. We hit this with I40E_ERR_ADMIN_QUEUE_TIMEOUT but looking
+at the code, it can happen with a range of other firmware errors.
+
+I don't know what the correct behavior should be: whether the firmware
+should be retried a few times, or whether pf->hw.aq.asq_last_status should
+be always set to the encountered firmware error (but then it would be
+pointless and can be just replaced by the i40e_aq_discover_capabilities
+return value). However, the current behavior with an endless loop under the
+rtnl mutex(!) is unacceptable and Intel has not submitted a fix, although we
+explained the bug to them 7 months ago.
+
+This may not be the best possible fix but it's better than hanging the whole
+system on a firmware bug.
+
+Fixes: 56a62fc86895 ("i40e: init code and hardware support")
+Tested-by: Stefan Assmann <sassmann@redhat.com>
+Signed-off-by: Jiri Benc <jbenc@redhat.com>
+Reviewed-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Tested-by: Dave Switzer <david.switzer@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index 832fffed4a1f..e7585f6c4665 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -6646,7 +6646,7 @@ static int i40e_get_capabilities(struct i40e_pf *pf)
+               if (pf->hw.aq.asq_last_status == I40E_AQ_RC_ENOMEM) {
+                       /* retry with a larger buffer */
+                       buf_len = data_size;
+-              } else if (pf->hw.aq.asq_last_status != I40E_AQ_RC_OK) {
++              } else if (pf->hw.aq.asq_last_status != I40E_AQ_RC_OK || err) {
+                       dev_info(&pf->pdev->dev,
+                                "capability discovery failed, err %s aq_err %s\n",
+                                i40e_stat_str(&pf->hw, err),
+-- 
+2.33.0
+
diff --git a/queue-4.9/net-bridge-use-nla_total_size_64bit-in-br_get_linkxs.patch b/queue-4.9/net-bridge-use-nla_total_size_64bit-in-br_get_linkxs.patch
new file mode 100644 (file)
index 0000000..76d7e3b
--- /dev/null
@@ -0,0 +1,41 @@
+From a87de2323d1479183520eed83eefeb0ca9ebfc21 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Oct 2021 18:05:07 -0700
+Subject: net: bridge: use nla_total_size_64bit() in br_get_linkxstats_size()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit dbe0b88064494b7bb6a9b2aa7e085b14a3112d44 ]
+
+bridge_fill_linkxstats() is using nla_reserve_64bit().
+
+We must use nla_total_size_64bit() instead of nla_total_size()
+for corresponding data structure.
+
+Fixes: 1080ab95e3c7 ("net: bridge: add support for IGMP/MLD stats and export them via netlink")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Nikolay Aleksandrov <nikolay@nvidia.com>
+Cc: Vivien Didelot <vivien.didelot@gmail.com>
+Acked-by: Nikolay Aleksandrov <nikolay@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_netlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
+index 4f831225d34f..ca8757090ae3 100644
+--- a/net/bridge/br_netlink.c
++++ b/net/bridge/br_netlink.c
+@@ -1298,7 +1298,7 @@ static size_t br_get_linkxstats_size(const struct net_device *dev, int attr)
+       }
+       return numvls * nla_total_size(sizeof(struct bridge_vlan_xstats)) +
+-             nla_total_size(sizeof(struct br_mcast_stats)) +
++             nla_total_size_64bit(sizeof(struct br_mcast_stats)) +
+              nla_total_size(0);
+ }
+-- 
+2.33.0
+
diff --git a/queue-4.9/net_sched-fix-null-deref-in-fifo_set_limit.patch b/queue-4.9/net_sched-fix-null-deref-in-fifo_set_limit.patch
new file mode 100644 (file)
index 0000000..97c2f43
--- /dev/null
@@ -0,0 +1,87 @@
+From 65850ec18591025990ac4f5f2dff9eb3ea1663aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Sep 2021 14:22:39 -0700
+Subject: net_sched: fix NULL deref in fifo_set_limit()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 560ee196fe9e5037e5015e2cdb14b3aecb1cd7dc ]
+
+syzbot reported another NULL deref in fifo_set_limit() [1]
+
+I could repro the issue with :
+
+unshare -n
+tc qd add dev lo root handle 1:0 tbf limit 200000 burst 70000 rate 100Mbit
+tc qd replace dev lo parent 1:0 pfifo_fast
+tc qd change dev lo root handle 1:0 tbf limit 300000 burst 70000 rate 100Mbit
+
+pfifo_fast does not have a change() operation.
+Make fifo_set_limit() more robust about this.
+
+[1]
+BUG: kernel NULL pointer dereference, address: 0000000000000000
+PGD 1cf99067 P4D 1cf99067 PUD 7ca49067 PMD 0
+Oops: 0010 [#1] PREEMPT SMP KASAN
+CPU: 1 PID: 14443 Comm: syz-executor959 Not tainted 5.15.0-rc3-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:0x0
+Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
+RSP: 0018:ffffc9000e2f7310 EFLAGS: 00010246
+RAX: dffffc0000000000 RBX: ffffffff8d6ecc00 RCX: 0000000000000000
+RDX: 0000000000000000 RSI: ffff888024c27910 RDI: ffff888071e34000
+RBP: ffff888071e34000 R08: 0000000000000001 R09: ffffffff8fcfb947
+R10: 0000000000000001 R11: 0000000000000000 R12: ffff888024c27910
+R13: ffff888071e34018 R14: 0000000000000000 R15: ffff88801ef74800
+FS:  00007f321d897700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffffffffffffd6 CR3: 00000000722c3000 CR4: 00000000003506e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ fifo_set_limit net/sched/sch_fifo.c:242 [inline]
+ fifo_set_limit+0x198/0x210 net/sched/sch_fifo.c:227
+ tbf_change+0x6ec/0x16d0 net/sched/sch_tbf.c:418
+ qdisc_change net/sched/sch_api.c:1332 [inline]
+ tc_modify_qdisc+0xd9a/0x1a60 net/sched/sch_api.c:1634
+ rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5572
+ netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2504
+ netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]
+ netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1340
+ netlink_sendmsg+0x86d/0xdb0 net/netlink/af_netlink.c:1929
+ sock_sendmsg_nosec net/socket.c:704 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:724
+ ____sys_sendmsg+0x6e8/0x810 net/socket.c:2409
+ ___sys_sendmsg+0xf3/0x170 net/socket.c:2463
+ __sys_sendmsg+0xe5/0x1b0 net/socket.c:2492
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Fixes: fb0305ce1b03 ("net-sched: consolidate default fifo qdisc setup")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Link: https://lore.kernel.org/r/20210930212239.3430364-1-eric.dumazet@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_fifo.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/sched/sch_fifo.c b/net/sched/sch_fifo.c
+index 1e37247656f8..8b7110cbcce4 100644
+--- a/net/sched/sch_fifo.c
++++ b/net/sched/sch_fifo.c
+@@ -151,6 +151,9 @@ int fifo_set_limit(struct Qdisc *q, unsigned int limit)
+       if (strncmp(q->ops->id + 1, "fifo", 4) != 0)
+               return 0;
++      if (!q->ops->change)
++              return 0;
++
+       nla = kmalloc(nla_attr_size(sizeof(struct tc_fifo_qopt)), GFP_KERNEL);
+       if (nla) {
+               nla->nla_type = RTM_NEWQDISC;
+-- 
+2.33.0
+
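Review bot: The new early return at `if (!q->ops->change) return 0;` reports success to the caller even though no limit was applied to the child qdisc, and the hunk gives no comment saying that this is intentional. A one-line comment above it, e.g. `/* child qdisc (e.g. pfifo_fast) cannot take a limit; nothing to do */`, would keep a later reader from turning it into an error return, which would break the tbf change path the commit message describes. The preceding `strncmp()` check uses the same silent-success convention, so the comment could cover both. The rest of fifo_set_limit() continues outside the hunk.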
diff --git a/queue-4.9/netlink-annotate-data-races-around-nlk-bound.patch b/queue-4.9/netlink-annotate-data-races-around-nlk-bound.patch
new file mode 100644 (file)
index 0000000..03b7072
--- /dev/null
@@ -0,0 +1,111 @@
+From bb2533aacf7ad7668886361ef40e97224535c3e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Oct 2021 14:24:15 -0700
+Subject: netlink: annotate data races around nlk->bound
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 7707a4d01a648e4c655101a469c956cb11273655 ]
+
+While existing code is correct, KCSAN is reporting
+a data-race in netlink_insert / netlink_sendmsg [1]
+
+It is correct to read nlk->bound without a lock, as netlink_autobind()
+will acquire all needed locks.
+
+[1]
+BUG: KCSAN: data-race in netlink_insert / netlink_sendmsg
+
+write to 0xffff8881031c8b30 of 1 bytes by task 18752 on cpu 0:
+ netlink_insert+0x5cc/0x7f0 net/netlink/af_netlink.c:597
+ netlink_autobind+0xa9/0x150 net/netlink/af_netlink.c:842
+ netlink_sendmsg+0x479/0x7c0 net/netlink/af_netlink.c:1892
+ sock_sendmsg_nosec net/socket.c:703 [inline]
+ sock_sendmsg net/socket.c:723 [inline]
+ ____sys_sendmsg+0x360/0x4d0 net/socket.c:2392
+ ___sys_sendmsg net/socket.c:2446 [inline]
+ __sys_sendmsg+0x1ed/0x270 net/socket.c:2475
+ __do_sys_sendmsg net/socket.c:2484 [inline]
+ __se_sys_sendmsg net/socket.c:2482 [inline]
+ __x64_sys_sendmsg+0x42/0x50 net/socket.c:2482
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+read to 0xffff8881031c8b30 of 1 bytes by task 18751 on cpu 1:
+ netlink_sendmsg+0x270/0x7c0 net/netlink/af_netlink.c:1891
+ sock_sendmsg_nosec net/socket.c:703 [inline]
+ sock_sendmsg net/socket.c:723 [inline]
+ __sys_sendto+0x2a8/0x370 net/socket.c:2019
+ __do_sys_sendto net/socket.c:2031 [inline]
+ __se_sys_sendto net/socket.c:2027 [inline]
+ __x64_sys_sendto+0x74/0x90 net/socket.c:2027
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+value changed: 0x00 -> 0x01
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 18751 Comm: syz-executor.0 Not tainted 5.14.0-rc1-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Fixes: da314c9923fe ("netlink: Replace rhash_portid with bound")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netlink/af_netlink.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index 453b0efdc0d7..1b70de5898c4 100644
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -574,7 +574,10 @@ static int netlink_insert(struct sock *sk, u32 portid)
+       /* We need to ensure that the socket is hashed and visible. */
+       smp_wmb();
+-      nlk_sk(sk)->bound = portid;
++      /* Paired with lockless reads from netlink_bind(),
++       * netlink_connect() and netlink_sendmsg().
++       */
++      WRITE_ONCE(nlk_sk(sk)->bound, portid);
+ err:
+       release_sock(sk);
+@@ -993,7 +996,8 @@ static int netlink_bind(struct socket *sock, struct sockaddr *addr,
+       else if (nlk->ngroups < 8*sizeof(groups))
+               groups &= (1UL << nlk->ngroups) - 1;
+-      bound = nlk->bound;
++      /* Paired with WRITE_ONCE() in netlink_insert() */
++      bound = READ_ONCE(nlk->bound);
+       if (bound) {
+               /* Ensure nlk->portid is up-to-date. */
+               smp_rmb();
+@@ -1073,8 +1077,9 @@ static int netlink_connect(struct socket *sock, struct sockaddr *addr,
+       /* No need for barriers here as we return to user-space without
+        * using any of the bound attributes.
++       * Paired with WRITE_ONCE() in netlink_insert().
+        */
+-      if (!nlk->bound)
++      if (!READ_ONCE(nlk->bound))
+               err = netlink_autobind(sock);
+       if (err == 0) {
+@@ -1821,7 +1826,8 @@ static int netlink_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
+               dst_group = nlk->dst_group;
+       }
+-      if (!nlk->bound) {
++      /* Paired with WRITE_ONCE() in netlink_insert() */
++      if (!READ_ONCE(nlk->bound)) {
+               err = netlink_autobind(sock);
+               if (err)
+                       goto out;
+-- 
+2.33.0
+
diff --git a/queue-4.9/phy-mdio-fix-memory-leak.patch b/queue-4.9/phy-mdio-fix-memory-leak.patch
new file mode 100644 (file)
index 0000000..00cea6a
--- /dev/null
@@ -0,0 +1,58 @@
+From d25dd7a0590f991fdedb94556ae5002c5b91ca52 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Sep 2021 20:50:28 +0300
+Subject: phy: mdio: fix memory leak
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit ca6e11c337daf7925ff8a2aac8e84490a8691905 ]
+
+Syzbot reported memory leak in MDIO bus interface, the problem was in
+wrong state logic.
+
+MDIOBUS_ALLOCATED indicates 2 states:
+       1. Bus is only allocated
+       2. Bus allocated and __mdiobus_register() fails, but
+          device_register() was called
+
+In case of device_register() has been called we should call put_device()
+to correctly free the memory allocated for this device, but mdiobus_free()
+calls just kfree(dev) in case of MDIOBUS_ALLOCATED state
+
+To avoid this behaviour we need to set bus->state to MDIOBUS_UNREGISTERED
+_before_ calling device_register(), because put_device() should be
+called even in case of device_register() failure.
+
+Link: https://lore.kernel.org/netdev/YVMRWNDZDUOvQjHL@shell.armlinux.org.uk/
+Fixes: 46abc02175b3 ("phylib: give mdio buses a device tree presence")
+Reported-and-tested-by: syzbot+398e7dc692ddbbb4cfec@syzkaller.appspotmail.com
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Link: https://lore.kernel.org/r/eceae1429fbf8fa5c73dd2a0d39d525aa905074d.1633024062.git.paskripkin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/mdio_bus.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c
+index 8cc7563ab103..92fb664b56fb 100644
+--- a/drivers/net/phy/mdio_bus.c
++++ b/drivers/net/phy/mdio_bus.c
+@@ -316,6 +316,13 @@ int __mdiobus_register(struct mii_bus *bus, struct module *owner)
+       bus->dev.groups = NULL;
+       dev_set_name(&bus->dev, "%s", bus->id);
++      /* We need to set state to MDIOBUS_UNREGISTERED to correctly release
++       * the device in mdiobus_free()
++       *
++       * State will be updated later in this function in case of success
++       */
++      bus->state = MDIOBUS_UNREGISTERED;
++
+       err = device_register(&bus->dev);
+       if (err) {
+               pr_err("mii_bus %s failed to register\n", bus->id);
+-- 
+2.33.0
+
diff --git a/queue-4.9/powerpc-fsl-dts-fix-phy-connection-type-for-fm1mac3.patch b/queue-4.9/powerpc-fsl-dts-fix-phy-connection-type-for-fm1mac3.patch
new file mode 100644 (file)
index 0000000..8225889
--- /dev/null
@@ -0,0 +1,42 @@
+From 996729414b8e08b054dcf626594216c53b8bcb9c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 2 Oct 2021 11:04:09 +0200
+Subject: powerpc/fsl/dts: Fix phy-connection-type for fm1mac3
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit eed183abc0d3b8adb64fd1363b7cea7986cd58d6 ]
+
+Property phy-connection-type contains invalid value "sgmii-2500" per scheme
+defined in file ethernet-controller.yaml.
+
+Correct phy-connection-type value should be "2500base-x".
+
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Fixes: 84e0f1c13806 ("powerpc/mpc85xx: Add MDIO bus muxing support to the board device tree(s)")
+Acked-by: Scott Wood <oss@buserror.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/boot/dts/fsl/t1023rdb.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/boot/dts/fsl/t1023rdb.dts b/arch/powerpc/boot/dts/fsl/t1023rdb.dts
+index 29757623e5ba..f5f8f969dd58 100644
+--- a/arch/powerpc/boot/dts/fsl/t1023rdb.dts
++++ b/arch/powerpc/boot/dts/fsl/t1023rdb.dts
+@@ -125,7 +125,7 @@
+                       fm1mac3: ethernet@e4000 {
+                               phy-handle = <&sgmii_aqr_phy3>;
+-                              phy-connection-type = "sgmii-2500";
++                              phy-connection-type = "2500base-x";
+                               sleep = <&rcpm 0x20000000>;
+                       };
+-- 
+2.33.0
+
diff --git a/queue-4.9/ptp_pch-load-module-automatically-if-id-matches.patch b/queue-4.9/ptp_pch-load-module-automatically-if-id-matches.patch
new file mode 100644 (file)
index 0000000..faae687
--- /dev/null
@@ -0,0 +1,36 @@
+From 13424c189282ee59d93099efd46e5596b0c2c52f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Oct 2021 19:20:33 +0300
+Subject: ptp_pch: Load module automatically if ID matches
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 7cd8b1542a7ba0720c5a0a85ed414a122015228b ]
+
+The driver can't be loaded automatically because it misses
+module alias to be provided. Add corresponding MODULE_DEVICE_TABLE()
+call to the driver.
+
+Fixes: 863d08ece9bf ("supports eg20t ptp clock")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ptp/ptp_pch.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/ptp/ptp_pch.c b/drivers/ptp/ptp_pch.c
+index 3aa22ae4d94c..a911325fc0b4 100644
+--- a/drivers/ptp/ptp_pch.c
++++ b/drivers/ptp/ptp_pch.c
+@@ -698,6 +698,7 @@ static const struct pci_device_id pch_ieee1588_pcidev_id[] = {
+        },
+       {0}
+ };
++MODULE_DEVICE_TABLE(pci, pch_ieee1588_pcidev_id);
+ static struct pci_driver pch_driver = {
+       .name = KBUILD_MODNAME,
+-- 
+2.33.0
+
diff --git a/queue-4.9/rtnetlink-fix-if_nlmsg_stats_size-under-estimation.patch b/queue-4.9/rtnetlink-fix-if_nlmsg_stats_size-under-estimation.patch
new file mode 100644 (file)
index 0000000..0855d06
--- /dev/null
@@ -0,0 +1,45 @@
+From 8c12182633d5805d3bf9619804c556cc7f7fc534 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Oct 2021 14:04:17 -0700
+Subject: rtnetlink: fix if_nlmsg_stats_size() under estimation
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit d34367991933d28bd7331f67a759be9a8c474014 ]
+
+rtnl_fill_statsinfo() is filling skb with one mandatory if_stats_msg structure.
+
+nlmsg_put(skb, pid, seq, type, sizeof(struct if_stats_msg), flags);
+
+But if_nlmsg_stats_size() never considered the needed storage.
+
+This bug did not show up because alloc_skb(X) allocates skb with
+extra tailroom, because of added alignments. This could very well
+be changed in the future to have deterministic behavior.
+
+Fixes: 10c9ead9f3c6 ("rtnetlink: add new RTM_GETSTATS message to dump link stats")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Roopa Prabhu <roopa@nvidia.com>
+Acked-by: Roopa Prabhu <roopa@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/rtnetlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
+index 911752e8a3e6..012143f313a8 100644
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -3900,7 +3900,7 @@ nla_put_failure:
+ static size_t if_nlmsg_stats_size(const struct net_device *dev,
+                                 u32 filter_mask)
+ {
+-      size_t size = 0;
++      size_t size = NLMSG_ALIGN(sizeof(struct if_stats_msg));
+       if (stats_attr_valid(filter_mask, IFLA_STATS_LINK_64, 0))
+               size += nla_total_size_64bit(sizeof(struct rtnl_link_stats64));
+-- 
+2.33.0
+
index 38295e0999ebcde2dde7e4a2c0350b47f23bdaf9..a2c18c2f22375f9ae36ad32c80d561654e3715d3 100644 (file)
@@ -4,3 +4,15 @@ usb-cdc-acm-fix-break-reporting.patch
 ovl-fix-missing-negative-dentry-check-in-ovl_rename.patch
 nfsd4-handle-the-nfsv4-readdir-dircount-hint-being-zero.patch
 arm-dts-omap3430-sdp-fix-nand-device-node.patch
+xtensa-call-irqchip_init-only-when-config_use_of-is-.patch
+bpf-fix-integer-overflow-in-prealloc_elems_and_freel.patch
+phy-mdio-fix-memory-leak.patch
+net_sched-fix-null-deref-in-fifo_set_limit.patch
+powerpc-fsl-dts-fix-phy-connection-type-for-fm1mac3.patch
+ptp_pch-load-module-automatically-if-id-matches.patch
+arm-imx6-disable-the-gic-cpu-interface-before-callin.patch
+net-bridge-use-nla_total_size_64bit-in-br_get_linkxs.patch
+netlink-annotate-data-races-around-nlk-bound.patch
+drm-nouveau-debugfs-fix-file-release-memory-leak.patch
+rtnetlink-fix-if_nlmsg_stats_size-under-estimation.patch
+i40e-fix-endless-loop-under-rtnl.patch
diff --git a/queue-4.9/xtensa-call-irqchip_init-only-when-config_use_of-is-.patch b/queue-4.9/xtensa-call-irqchip_init-only-when-config_use_of-is-.patch
new file mode 100644 (file)
index 0000000..13e96c3
--- /dev/null
@@ -0,0 +1,65 @@
+From 1089eb7c1d42bdf2f0c9937b53da0971e16bdbe7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Sep 2021 09:46:33 -0700
+Subject: xtensa: call irqchip_init only when CONFIG_USE_OF is selected
+
+From: Max Filippov <jcmvbkbc@gmail.com>
+
+[ Upstream commit 6489f8d0e1d93a3603d8dad8125797559e4cf2a2 ]
+
+During boot time kernel configured with OF=y but USE_OF=n displays the
+following warnings and hangs shortly after starting userspace:
+
+------------[ cut here ]------------
+WARNING: CPU: 0 PID: 0 at kernel/irq/irqdomain.c:695 irq_create_mapping_affinity+0x29/0xc0
+irq_create_mapping_affinity(, 6) called with NULL domain
+CPU: 0 PID: 0 Comm: swapper Not tainted 5.15.0-rc3-00001-gd67ed2510d28 #30
+Call Trace:
+  __warn+0x69/0xc4
+  warn_slowpath_fmt+0x6c/0x94
+  irq_create_mapping_affinity+0x29/0xc0
+  local_timer_setup+0x40/0x88
+  time_init+0xb1/0xe8
+  start_kernel+0x31d/0x3f4
+  _startup+0x13b/0x13b
+---[ end trace 1e6630e1c5eda35b ]---
+------------[ cut here ]------------
+WARNING: CPU: 0 PID: 0 at arch/xtensa/kernel/time.c:141 local_timer_setup+0x58/0x88
+error: can't map timer irq
+CPU: 0 PID: 0 Comm: swapper Tainted: G        W         5.15.0-rc3-00001-gd67ed2510d28 #30
+Call Trace:
+  __warn+0x69/0xc4
+  warn_slowpath_fmt+0x6c/0x94
+  local_timer_setup+0x58/0x88
+  time_init+0xb1/0xe8
+  start_kernel+0x31d/0x3f4
+  _startup+0x13b/0x13b
+---[ end trace 1e6630e1c5eda35c ]---
+Failed to request irq 0 (timer)
+
+Fix that by calling irqchip_init only when CONFIG_USE_OF is selected and
+calling legacy interrupt controller init otherwise.
+
+Fixes: da844a81779e ("xtensa: add device trees support")
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/xtensa/kernel/irq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/xtensa/kernel/irq.c b/arch/xtensa/kernel/irq.c
+index 441694464b1e..fbbc24b914e3 100644
+--- a/arch/xtensa/kernel/irq.c
++++ b/arch/xtensa/kernel/irq.c
+@@ -144,7 +144,7 @@ unsigned xtensa_get_ext_irq_no(unsigned irq)
+ void __init init_IRQ(void)
+ {
+-#ifdef CONFIG_OF
++#ifdef CONFIG_USE_OF
+       irqchip_init();
+ #else
+ #ifdef CONFIG_HAVE_SMP
+-- 
+2.33.0
+