--- /dev/null
+From 2904aafd568efa954cef61c4dc168bb52a94cd6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 May 2021 14:53:36 +0800
+Subject: atm: iphase: fix possible use-after-free in ia_module_exit()
+
+From: Zou Wei <zou_wei@huawei.com>
+
+[ Upstream commit 1c72e6ab66b9598cac741ed397438a52065a8f1f ]
+
+This module's remove path calls del_timer(). However, that function
+does not wait until the timer handler finishes. This means that the
+timer handler may still be running after the driver's remove function
+has finished, which would result in a use-after-free.
+
+Fix by calling del_timer_sync(), which makes sure the timer handler
+has finished, and unable to re-schedule itself.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zou Wei <zou_wei@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/atm/iphase.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/atm/iphase.c b/drivers/atm/iphase.c
+index fe47c924dc64..a1427cb9b9ed 100644
+--- a/drivers/atm/iphase.c
++++ b/drivers/atm/iphase.c
+@@ -3301,7 +3301,7 @@ static void __exit ia_module_exit(void)
+ {
+ pci_unregister_driver(&ia_driver);
+
+- del_timer(&ia_timer);
++ del_timer_sync(&ia_timer);
+ }
+
+ module_init(ia_module_init);
+--
+2.30.2
+
--- /dev/null
+From 571de5365d893da0a987a6678961d26fecbbef80 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 May 2021 15:00:24 +0800
+Subject: atm: nicstar: Fix possible use-after-free in nicstar_cleanup()
+
+From: Zou Wei <zou_wei@huawei.com>
+
+[ Upstream commit 34e7434ba4e97f4b85c1423a59b2922ba7dff2ea ]
+
+This module's remove path calls del_timer(). However, that function
+does not wait until the timer handler finishes. This means that the
+timer handler may still be running after the driver's remove function
+has finished, which would result in a use-after-free.
+
+Fix by calling del_timer_sync(), which makes sure the timer handler
+has finished, and unable to re-schedule itself.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zou Wei <zou_wei@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/atm/nicstar.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/atm/nicstar.c b/drivers/atm/nicstar.c
+index 8bcd09fb0feb..b2bae94ffe4d 100644
+--- a/drivers/atm/nicstar.c
++++ b/drivers/atm/nicstar.c
+@@ -298,7 +298,7 @@ static void __exit nicstar_cleanup(void)
+ {
+ XPRINTK("nicstar: nicstar_cleanup() called.\n");
+
+- del_timer(&ns_timer);
++ del_timer_sync(&ns_timer);
+
+ pci_unregister_driver(&nicstar_driver);
+
+--
+2.30.2
+
--- /dev/null
+From 80688792a19272400d8d8a84193e41311b6b465d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 20 Jun 2021 15:24:15 +0000
+Subject: atm: nicstar: register the interrupt handler in the right place
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+[ Upstream commit 70b639dc41ad499384e41e106fce72e36805c9f2 ]
+
+Because the error handling is sequential, the application of resources
+should be carried out in the order of error handling, so the operation
+of registering the interrupt handler should be put in front, so as not
+to free the unregistered interrupt handler during error handling.
+
+This log reveals it:
+
+[ 3.438724] Trying to free already-free IRQ 23
+[ 3.439060] WARNING: CPU: 5 PID: 1 at kernel/irq/manage.c:1825 free_irq+0xfb/0x480
+[ 3.440039] Modules linked in:
+[ 3.440257] CPU: 5 PID: 1 Comm: swapper/0 Not tainted 5.12.4-g70e7f0549188-dirty #142
+[ 3.440793] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
+[ 3.441561] RIP: 0010:free_irq+0xfb/0x480
+[ 3.441845] Code: 6e 08 74 6f 4d 89 f4 e8 c3 78 09 00 4d 8b 74 24 18 4d 85 f6 75 e3 e8 b4 78 09 00 8b 75 c8 48 c7 c7 a0 ac d5 85 e8 95 d7 f5 ff <0f> 0b 48 8b 75 c0 4c 89 ff e8 87 c5 90 03 48 8b 43 40 4c 8b a0 80
+[ 3.443121] RSP: 0000:ffffc90000017b50 EFLAGS: 00010086
+[ 3.443483] RAX: 0000000000000000 RBX: ffff888107c6f000 RCX: 0000000000000000
+[ 3.443972] RDX: 0000000000000000 RSI: ffffffff8123f301 RDI: 00000000ffffffff
+[ 3.444462] RBP: ffffc90000017b90 R08: 0000000000000001 R09: 0000000000000003
+[ 3.444950] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
+[ 3.444994] R13: ffff888107dc0000 R14: ffff888104f6bf00 R15: ffff888107c6f0a8
+[ 3.444994] FS: 0000000000000000(0000) GS:ffff88817bd40000(0000) knlGS:0000000000000000
+[ 3.444994] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 3.444994] CR2: 0000000000000000 CR3: 000000000642e000 CR4: 00000000000006e0
+[ 3.444994] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 3.444994] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 3.444994] Call Trace:
+[ 3.444994] ns_init_card_error+0x18e/0x250
+[ 3.444994] nicstar_init_one+0x10d2/0x1130
+[ 3.444994] local_pci_probe+0x4a/0xb0
+[ 3.444994] pci_device_probe+0x126/0x1d0
+[ 3.444994] ? pci_device_remove+0x100/0x100
+[ 3.444994] really_probe+0x27e/0x650
+[ 3.444994] driver_probe_device+0x84/0x1d0
+[ 3.444994] ? mutex_lock_nested+0x16/0x20
+[ 3.444994] device_driver_attach+0x63/0x70
+[ 3.444994] __driver_attach+0x117/0x1a0
+[ 3.444994] ? device_driver_attach+0x70/0x70
+[ 3.444994] bus_for_each_dev+0xb6/0x110
+[ 3.444994] ? rdinit_setup+0x40/0x40
+[ 3.444994] driver_attach+0x22/0x30
+[ 3.444994] bus_add_driver+0x1e6/0x2a0
+[ 3.444994] driver_register+0xa4/0x180
+[ 3.444994] __pci_register_driver+0x77/0x80
+[ 3.444994] ? uPD98402_module_init+0xd/0xd
+[ 3.444994] nicstar_init+0x1f/0x75
+[ 3.444994] do_one_initcall+0x7a/0x3d0
+[ 3.444994] ? rdinit_setup+0x40/0x40
+[ 3.444994] ? rcu_read_lock_sched_held+0x4a/0x70
+[ 3.444994] kernel_init_freeable+0x2a7/0x2f9
+[ 3.444994] ? rest_init+0x2c0/0x2c0
+[ 3.444994] kernel_init+0x13/0x180
+[ 3.444994] ? rest_init+0x2c0/0x2c0
+[ 3.444994] ? rest_init+0x2c0/0x2c0
+[ 3.444994] ret_from_fork+0x1f/0x30
+[ 3.444994] Kernel panic - not syncing: panic_on_warn set ...
+[ 3.444994] CPU: 5 PID: 1 Comm: swapper/0 Not tainted 5.12.4-g70e7f0549188-dirty #142
+[ 3.444994] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
+[ 3.444994] Call Trace:
+[ 3.444994] dump_stack+0xba/0xf5
+[ 3.444994] ? free_irq+0xfb/0x480
+[ 3.444994] panic+0x155/0x3ed
+[ 3.444994] ? __warn+0xed/0x150
+[ 3.444994] ? free_irq+0xfb/0x480
+[ 3.444994] __warn+0x103/0x150
+[ 3.444994] ? free_irq+0xfb/0x480
+[ 3.444994] report_bug+0x119/0x1c0
+[ 3.444994] handle_bug+0x3b/0x80
+[ 3.444994] exc_invalid_op+0x18/0x70
+[ 3.444994] asm_exc_invalid_op+0x12/0x20
+[ 3.444994] RIP: 0010:free_irq+0xfb/0x480
+[ 3.444994] Code: 6e 08 74 6f 4d 89 f4 e8 c3 78 09 00 4d 8b 74 24 18 4d 85 f6 75 e3 e8 b4 78 09 00 8b 75 c8 48 c7 c7 a0 ac d5 85 e8 95 d7 f5 ff <0f> 0b 48 8b 75 c0 4c 89 ff e8 87 c5 90 03 48 8b 43 40 4c 8b a0 80
+[ 3.444994] RSP: 0000:ffffc90000017b50 EFLAGS: 00010086
+[ 3.444994] RAX: 0000000000000000 RBX: ffff888107c6f000 RCX: 0000000000000000
+[ 3.444994] RDX: 0000000000000000 RSI: ffffffff8123f301 RDI: 00000000ffffffff
+[ 3.444994] RBP: ffffc90000017b90 R08: 0000000000000001 R09: 0000000000000003
+[ 3.444994] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
+[ 3.444994] R13: ffff888107dc0000 R14: ffff888104f6bf00 R15: ffff888107c6f0a8
+[ 3.444994] ? vprintk_func+0x71/0x110
+[ 3.444994] ns_init_card_error+0x18e/0x250
+[ 3.444994] nicstar_init_one+0x10d2/0x1130
+[ 3.444994] local_pci_probe+0x4a/0xb0
+[ 3.444994] pci_device_probe+0x126/0x1d0
+[ 3.444994] ? pci_device_remove+0x100/0x100
+[ 3.444994] really_probe+0x27e/0x650
+[ 3.444994] driver_probe_device+0x84/0x1d0
+[ 3.444994] ? mutex_lock_nested+0x16/0x20
+[ 3.444994] device_driver_attach+0x63/0x70
+[ 3.444994] __driver_attach+0x117/0x1a0
+[ 3.444994] ? device_driver_attach+0x70/0x70
+[ 3.444994] bus_for_each_dev+0xb6/0x110
+[ 3.444994] ? rdinit_setup+0x40/0x40
+[ 3.444994] driver_attach+0x22/0x30
+[ 3.444994] bus_add_driver+0x1e6/0x2a0
+[ 3.444994] driver_register+0xa4/0x180
+[ 3.444994] __pci_register_driver+0x77/0x80
+[ 3.444994] ? uPD98402_module_init+0xd/0xd
+[ 3.444994] nicstar_init+0x1f/0x75
+[ 3.444994] do_one_initcall+0x7a/0x3d0
+[ 3.444994] ? rdinit_setup+0x40/0x40
+[ 3.444994] ? rcu_read_lock_sched_held+0x4a/0x70
+[ 3.444994] kernel_init_freeable+0x2a7/0x2f9
+[ 3.444994] ? rest_init+0x2c0/0x2c0
+[ 3.444994] kernel_init+0x13/0x180
+[ 3.444994] ? rest_init+0x2c0/0x2c0
+[ 3.444994] ? rest_init+0x2c0/0x2c0
+[ 3.444994] ret_from_fork+0x1f/0x30
+[ 3.444994] Dumping ftrace buffer:
+[ 3.444994] (ftrace buffer empty)
+[ 3.444994] Kernel Offset: disabled
+[ 3.444994] Rebooting in 1 seconds..
+
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/atm/nicstar.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/atm/nicstar.c b/drivers/atm/nicstar.c
+index 7c9544ac1849..8c675c4f6d54 100644
+--- a/drivers/atm/nicstar.c
++++ b/drivers/atm/nicstar.c
+@@ -526,6 +526,15 @@ static int ns_init_card(int i, struct pci_dev *pcidev)
+ /* Set the VPI/VCI MSb mask to zero so we can receive OAM cells */
+ writel(0x00000000, card->membase + VPM);
+
++ card->intcnt = 0;
++ if (request_irq
++ (pcidev->irq, &ns_irq_handler, IRQF_SHARED, "nicstar", card) != 0) {
++ pr_err("nicstar%d: can't allocate IRQ %d.\n", i, pcidev->irq);
++ error = 9;
++ ns_init_card_error(card, error);
++ return error;
++ }
++
+ /* Initialize TSQ */
+ card->tsq.org = dma_alloc_coherent(&card->pcidev->dev,
+ NS_TSQSIZE + NS_TSQ_ALIGNMENT,
+@@ -752,15 +761,6 @@ static int ns_init_card(int i, struct pci_dev *pcidev)
+
+ card->efbie = 1;
+
+- card->intcnt = 0;
+- if (request_irq
+- (pcidev->irq, &ns_irq_handler, IRQF_SHARED, "nicstar", card) != 0) {
+- printk("nicstar%d: can't allocate IRQ %d.\n", i, pcidev->irq);
+- error = 9;
+- ns_init_card_error(card, error);
+- return error;
+- }
+-
+ /* Register device */
+ card->atmdev = atm_dev_register("nicstar", &card->pcidev->dev, &atm_ops,
+ -1, NULL);
+--
+2.30.2
+
--- /dev/null
+From 9018985d8ab511f169ccc42f56766554fdc6d2ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 20 Jun 2021 15:24:14 +0000
+Subject: atm: nicstar: use 'dma_free_coherent' instead of 'kfree'
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+[ Upstream commit 6a1e5a4af17e440dd82a58a2c5f40ff17a82b722 ]
+
+When 'nicstar_init_one' fails, 'ns_init_card_error' will be executed for
+error handling, but the correct memory free function should be used,
+otherwise it will cause an error. Since 'card->rsq.org' and
+'card->tsq.org' are allocated using 'dma_alloc_coherent' function, they
+should be freed using 'dma_free_coherent'.
+
+Fix this by using 'dma_free_coherent' instead of 'kfree'
+
+This log reveals it:
+
+[ 3.440294] kernel BUG at mm/slub.c:4206!
+[ 3.441059] invalid opcode: 0000 [#1] PREEMPT SMP PTI
+[ 3.441430] CPU: 2 PID: 1 Comm: swapper/0 Not tainted 5.12.4-g70e7f0549188-dirty #141
+[ 3.441986] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
+[ 3.442780] RIP: 0010:kfree+0x26a/0x300
+[ 3.443065] Code: e8 3a c3 b9 ff e9 d6 fd ff ff 49 8b 45 00 31 db a9 00 00 01 00 75 4d 49 8b 45 00 a9 00 00 01 00 75 0a 49 8b 45 08 a8 01 75 02 <0f> 0b 89 d9 b8 00 10 00 00 be 06 00 00 00 48 d3 e0 f7 d8 48 63 d0
+[ 3.443396] RSP: 0000:ffffc90000017b70 EFLAGS: 00010246
+[ 3.443396] RAX: dead000000000100 RBX: 0000000000000000 RCX: 0000000000000000
+[ 3.443396] RDX: 0000000000000000 RSI: ffffffff85d3df94 RDI: ffffffff85df38e6
+[ 3.443396] RBP: ffffc90000017b90 R08: 0000000000000001 R09: 0000000000000001
+[ 3.443396] R10: 0000000000000000 R11: 0000000000000001 R12: ffff888107dc0000
+[ 3.443396] R13: ffffea00001f0100 R14: ffff888101a8bf00 R15: ffff888107dc0160
+[ 3.443396] FS: 0000000000000000(0000) GS:ffff88817bc80000(0000) knlGS:0000000000000000
+[ 3.443396] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 3.443396] CR2: 0000000000000000 CR3: 000000000642e000 CR4: 00000000000006e0
+[ 3.443396] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 3.443396] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 3.443396] Call Trace:
+[ 3.443396] ns_init_card_error+0x12c/0x220
+[ 3.443396] nicstar_init_one+0x10d2/0x1130
+[ 3.443396] local_pci_probe+0x4a/0xb0
+[ 3.443396] pci_device_probe+0x126/0x1d0
+[ 3.443396] ? pci_device_remove+0x100/0x100
+[ 3.443396] really_probe+0x27e/0x650
+[ 3.443396] driver_probe_device+0x84/0x1d0
+[ 3.443396] ? mutex_lock_nested+0x16/0x20
+[ 3.443396] device_driver_attach+0x63/0x70
+[ 3.443396] __driver_attach+0x117/0x1a0
+[ 3.443396] ? device_driver_attach+0x70/0x70
+[ 3.443396] bus_for_each_dev+0xb6/0x110
+[ 3.443396] ? rdinit_setup+0x40/0x40
+[ 3.443396] driver_attach+0x22/0x30
+[ 3.443396] bus_add_driver+0x1e6/0x2a0
+[ 3.443396] driver_register+0xa4/0x180
+[ 3.443396] __pci_register_driver+0x77/0x80
+[ 3.443396] ? uPD98402_module_init+0xd/0xd
+[ 3.443396] nicstar_init+0x1f/0x75
+[ 3.443396] do_one_initcall+0x7a/0x3d0
+[ 3.443396] ? rdinit_setup+0x40/0x40
+[ 3.443396] ? rcu_read_lock_sched_held+0x4a/0x70
+[ 3.443396] kernel_init_freeable+0x2a7/0x2f9
+[ 3.443396] ? rest_init+0x2c0/0x2c0
+[ 3.443396] kernel_init+0x13/0x180
+[ 3.443396] ? rest_init+0x2c0/0x2c0
+[ 3.443396] ? rest_init+0x2c0/0x2c0
+[ 3.443396] ret_from_fork+0x1f/0x30
+[ 3.443396] Modules linked in:
+[ 3.443396] Dumping ftrace buffer:
+[ 3.443396] (ftrace buffer empty)
+[ 3.458593] ---[ end trace 3c6f8f0d8ef59bcd ]---
+[ 3.458922] RIP: 0010:kfree+0x26a/0x300
+[ 3.459198] Code: e8 3a c3 b9 ff e9 d6 fd ff ff 49 8b 45 00 31 db a9 00 00 01 00 75 4d 49 8b 45 00 a9 00 00 01 00 75 0a 49 8b 45 08 a8 01 75 02 <0f> 0b 89 d9 b8 00 10 00 00 be 06 00 00 00 48 d3 e0 f7 d8 48 63 d0
+[ 3.460499] RSP: 0000:ffffc90000017b70 EFLAGS: 00010246
+[ 3.460870] RAX: dead000000000100 RBX: 0000000000000000 RCX: 0000000000000000
+[ 3.461371] RDX: 0000000000000000 RSI: ffffffff85d3df94 RDI: ffffffff85df38e6
+[ 3.461873] RBP: ffffc90000017b90 R08: 0000000000000001 R09: 0000000000000001
+[ 3.462372] R10: 0000000000000000 R11: 0000000000000001 R12: ffff888107dc0000
+[ 3.462871] R13: ffffea00001f0100 R14: ffff888101a8bf00 R15: ffff888107dc0160
+[ 3.463368] FS: 0000000000000000(0000) GS:ffff88817bc80000(0000) knlGS:0000000000000000
+[ 3.463949] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 3.464356] CR2: 0000000000000000 CR3: 000000000642e000 CR4: 00000000000006e0
+[ 3.464856] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 3.465356] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 3.465860] Kernel panic - not syncing: Fatal exception
+[ 3.466370] Dumping ftrace buffer:
+[ 3.466616] (ftrace buffer empty)
+[ 3.466871] Kernel Offset: disabled
+[ 3.467122] Rebooting in 1 seconds..
+
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/atm/nicstar.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/atm/nicstar.c b/drivers/atm/nicstar.c
+index b2bae94ffe4d..7c9544ac1849 100644
+--- a/drivers/atm/nicstar.c
++++ b/drivers/atm/nicstar.c
+@@ -838,10 +838,12 @@ static void ns_init_card_error(ns_dev *card, int error)
+ dev_kfree_skb_any(hb);
+ }
+ if (error >= 12) {
+- kfree(card->rsq.org);
++ dma_free_coherent(&card->pcidev->dev, NS_RSQSIZE + NS_RSQ_ALIGNMENT,
++ card->rsq.org, card->rsq.dma);
+ }
+ if (error >= 11) {
+- kfree(card->tsq.org);
++ dma_free_coherent(&card->pcidev->dev, NS_TSQSIZE + NS_TSQ_ALIGNMENT,
++ card->tsq.org, card->tsq.dma);
+ }
+ if (error >= 10) {
+ free_irq(card->pcidev->irq, card);
+--
+2.30.2
+
--- /dev/null
+From dc13246f32631c1f36622e4ce09b7f9ebf160039 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jun 2021 17:57:10 +0800
+Subject: Bluetooth: btusb: fix bt fiwmare downloading failure issue for qca
+ btsoc.
+
+From: Tim Jiang <tjiang@codeaurora.org>
+
+[ Upstream commit 4f00bfb372674d586c4a261bfc595cbce101fbb6 ]
+
+This is btsoc timing issue, after host start to downloading bt firmware,
+ep2 need time to switch from function acl to function dfu, so host add
+20ms delay as workaround.
+
+Signed-off-by: Tim Jiang <tjiang@codeaurora.org>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btusb.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index 4e3b24a0511f..30c09b9ddbf0 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -2508,6 +2508,11 @@ static int btusb_setup_qca_download_fw(struct hci_dev *hdev,
+ sent += size;
+ count -= size;
+
++ /* ep2 need time to switch from function acl to function dfu,
++ * so we add 20ms delay here.
++ */
++ msleep(20);
++
+ while (count) {
+ size = min_t(size_t, count, QCA_DFU_PACKET_LEN);
+
+--
+2.30.2
+
--- /dev/null
+From 1afaf5c3e8307e7cd118334ce2b58a1a37c9a52c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Apr 2021 16:53:30 -0700
+Subject: Bluetooth: Fix the HCI to MGMT status conversion table
+
+From: Yu Liu <yudiliu@google.com>
+
+[ Upstream commit 4ef36a52b0e47c80bbfd69c0cce61c7ae9f541ed ]
+
+0x2B, 0x31 and 0x33 are reserved for future use but were not present in
+the HCI to MGMT conversion table, this caused the conversion to be
+incorrect for the HCI status code greater than 0x2A.
+
+Reviewed-by: Miao-chen Chou <mcchou@chromium.org>
+Signed-off-by: Yu Liu <yudiliu@google.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/mgmt.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
+index fa9526712b0a..7aef6d23bc77 100644
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -219,12 +219,15 @@ static u8 mgmt_status_table[] = {
+ MGMT_STATUS_TIMEOUT, /* Instant Passed */
+ MGMT_STATUS_NOT_SUPPORTED, /* Pairing Not Supported */
+ MGMT_STATUS_FAILED, /* Transaction Collision */
++ MGMT_STATUS_FAILED, /* Reserved for future use */
+ MGMT_STATUS_INVALID_PARAMS, /* Unacceptable Parameter */
+ MGMT_STATUS_REJECTED, /* QoS Rejected */
+ MGMT_STATUS_NOT_SUPPORTED, /* Classification Not Supported */
+ MGMT_STATUS_REJECTED, /* Insufficient Security */
+ MGMT_STATUS_INVALID_PARAMS, /* Parameter Out Of Range */
++ MGMT_STATUS_FAILED, /* Reserved for future use */
+ MGMT_STATUS_BUSY, /* Role Switch Pending */
++ MGMT_STATUS_FAILED, /* Reserved for future use */
+ MGMT_STATUS_FAILED, /* Slot Violation */
+ MGMT_STATUS_FAILED, /* Role Switch Failed */
+ MGMT_STATUS_INVALID_PARAMS, /* EIR Too Large */
+--
+2.30.2
+
--- /dev/null
+From 53b2cb0953720831c942a4f5c29ca60657c3349f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 May 2021 15:14:52 +0800
+Subject: Bluetooth: Shutdown controller after workqueues are flushed or
+ cancelled
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+[ Upstream commit 0ea9fd001a14ebc294f112b0361a4e601551d508 ]
+
+Rfkill block and unblock Intel USB Bluetooth [8087:0026] may make it
+stops working:
+[ 509.691509] Bluetooth: hci0: HCI reset during shutdown failed
+[ 514.897584] Bluetooth: hci0: MSFT filter_enable is already on
+[ 530.044751] usb 3-10: reset full-speed USB device number 5 using xhci_hcd
+[ 545.660350] usb 3-10: device descriptor read/64, error -110
+[ 561.283530] usb 3-10: device descriptor read/64, error -110
+[ 561.519682] usb 3-10: reset full-speed USB device number 5 using xhci_hcd
+[ 566.686650] Bluetooth: hci0: unexpected event for opcode 0x0500
+[ 568.752452] Bluetooth: hci0: urb 0000000096cd309b failed to resubmit (113)
+[ 578.797955] Bluetooth: hci0: Failed to read MSFT supported features (-110)
+[ 586.286565] Bluetooth: hci0: urb 00000000c522f633 failed to resubmit (113)
+[ 596.215302] Bluetooth: hci0: Failed to read MSFT supported features (-110)
+
+Or kernel panics because other workqueues already freed skb:
+[ 2048.663763] BUG: kernel NULL pointer dereference, address: 0000000000000000
+[ 2048.663775] #PF: supervisor read access in kernel mode
+[ 2048.663779] #PF: error_code(0x0000) - not-present page
+[ 2048.663782] PGD 0 P4D 0
+[ 2048.663787] Oops: 0000 [#1] SMP NOPTI
+[ 2048.663793] CPU: 3 PID: 4491 Comm: rfkill Tainted: G W 5.13.0-rc1-next-20210510+ #20
+[ 2048.663799] Hardware name: HP HP EliteBook 850 G8 Notebook PC/8846, BIOS T76 Ver. 01.01.04 12/02/2020
+[ 2048.663801] RIP: 0010:__skb_ext_put+0x6/0x50
+[ 2048.663814] Code: 8b 1b 48 85 db 75 db 5b 41 5c 5d c3 be 01 00 00 00 e8 de 13 c0 ff eb e7 be 02 00 00 00 e8 d2 13 c0 ff eb db 0f 1f 44 00 00 55 <8b> 07 48 89 e5 83 f8 01 74 14 b8 ff ff ff ff f0 0f c1
+07 83 f8 01
+[ 2048.663819] RSP: 0018:ffffc1d105b6fd80 EFLAGS: 00010286
+[ 2048.663824] RAX: 0000000000000000 RBX: ffff9d9ac5649000 RCX: 0000000000000000
+[ 2048.663827] RDX: ffffffffc0d1daf6 RSI: 0000000000000206 RDI: 0000000000000000
+[ 2048.663830] RBP: ffffc1d105b6fd98 R08: 0000000000000001 R09: ffff9d9ace8ceac0
+[ 2048.663834] R10: ffff9d9ace8ceac0 R11: 0000000000000001 R12: ffff9d9ac5649000
+[ 2048.663838] R13: 0000000000000000 R14: 00007ffe0354d650 R15: 0000000000000000
+[ 2048.663843] FS: 00007fe02ab19740(0000) GS:ffff9d9e5f8c0000(0000) knlGS:0000000000000000
+[ 2048.663849] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 2048.663853] CR2: 0000000000000000 CR3: 0000000111a52004 CR4: 0000000000770ee0
+[ 2048.663856] PKRU: 55555554
+[ 2048.663859] Call Trace:
+[ 2048.663865] ? skb_release_head_state+0x5e/0x80
+[ 2048.663873] kfree_skb+0x2f/0xb0
+[ 2048.663881] btusb_shutdown_intel_new+0x36/0x60 [btusb]
+[ 2048.663905] hci_dev_do_close+0x48c/0x5e0 [bluetooth]
+[ 2048.663954] ? __cond_resched+0x1a/0x50
+[ 2048.663962] hci_rfkill_set_block+0x56/0xa0 [bluetooth]
+[ 2048.664007] rfkill_set_block+0x98/0x170
+[ 2048.664016] rfkill_fop_write+0x136/0x1e0
+[ 2048.664022] vfs_write+0xc7/0x260
+[ 2048.664030] ksys_write+0xb1/0xe0
+[ 2048.664035] ? exit_to_user_mode_prepare+0x37/0x1c0
+[ 2048.664042] __x64_sys_write+0x1a/0x20
+[ 2048.664048] do_syscall_64+0x40/0xb0
+[ 2048.664055] entry_SYSCALL_64_after_hwframe+0x44/0xae
+[ 2048.664060] RIP: 0033:0x7fe02ac23c27
+[ 2048.664066] Code: 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24
+[ 2048.664070] RSP: 002b:00007ffe0354d638 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+[ 2048.664075] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fe02ac23c27
+[ 2048.664078] RDX: 0000000000000008 RSI: 00007ffe0354d650 RDI: 0000000000000003
+[ 2048.664081] RBP: 0000000000000000 R08: 0000559b05998440 R09: 0000559b05998440
+[ 2048.664084] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003
+[ 2048.664086] R13: 0000000000000000 R14: ffffffff00000000 R15: 00000000ffffffff
+
+So move the shutdown callback to a place where workqueues are either
+flushed or cancelled to resolve the issue.
+
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_core.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
+index 839c534bdcdb..50b9a0bbe5df 100644
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -1533,14 +1533,6 @@ int hci_dev_do_close(struct hci_dev *hdev)
+
+ BT_DBG("%s %p", hdev->name, hdev);
+
+- if (!hci_dev_test_flag(hdev, HCI_UNREGISTER) &&
+- !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
+- test_bit(HCI_UP, &hdev->flags)) {
+- /* Execute vendor specific shutdown routine */
+- if (hdev->shutdown)
+- hdev->shutdown(hdev);
+- }
+-
+ cancel_delayed_work(&hdev->power_off);
+
+ hci_request_cancel_all(hdev);
+@@ -1608,6 +1600,14 @@ int hci_dev_do_close(struct hci_dev *hdev)
+ clear_bit(HCI_INIT, &hdev->flags);
+ }
+
++ if (!hci_dev_test_flag(hdev, HCI_UNREGISTER) &&
++ !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
++ test_bit(HCI_UP, &hdev->flags)) {
++ /* Execute vendor specific shutdown routine */
++ if (hdev->shutdown)
++ hdev->shutdown(hdev);
++ }
++
+ /* flush cmd work */
+ flush_work(&hdev->cmd_work);
+
+--
+2.30.2
+
--- /dev/null
+From 0fe58d0cf8036169e2c778d19fb7d53b4cd7d25a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 16 May 2021 19:30:35 +0300
+Subject: clk: tegra: Ensure that PLLU configuration is applied properly
+
+From: Dmitry Osipenko <digetx@gmail.com>
+
+[ Upstream commit a7196048cd5168096c2c4f44a3939d7a6dcd06b9 ]
+
+The PLLU (USB) consists of the PLL configuration itself and configuration
+of the PLLU outputs. The PLLU programming is inconsistent on T30 vs T114,
+where T114 immediately bails out if PLLU is enabled and T30 re-enables
+a potentially already enabled PLL (left after bootloader) and then fully
+reprograms it, which could be unsafe to do. The correct way should be to
+skip enabling of the PLL if it's already enabled and then apply
+configuration to the outputs. This patch doesn't fix any known problems,
+it's a minor improvement.
+
+Acked-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/tegra/clk-pll.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/tegra/clk-pll.c b/drivers/clk/tegra/clk-pll.c
+index 1ab36a355daf..789efad791a3 100644
+--- a/drivers/clk/tegra/clk-pll.c
++++ b/drivers/clk/tegra/clk-pll.c
+@@ -1085,7 +1085,8 @@ static int clk_pllu_enable(struct clk_hw *hw)
+ if (pll->lock)
+ spin_lock_irqsave(pll->lock, flags);
+
+- _clk_pll_enable(hw);
++ if (!clk_pll_is_enabled(hw))
++ _clk_pll_enable(hw);
+
+ ret = clk_pll_wait_for_lock(pll);
+ if (ret < 0)
+@@ -1702,7 +1703,8 @@ static int clk_pllu_tegra114_enable(struct clk_hw *hw)
+ if (pll->lock)
+ spin_lock_irqsave(pll->lock, flags);
+
+- _clk_pll_enable(hw);
++ if (!clk_pll_is_enabled(hw))
++ _clk_pll_enable(hw);
+
+ ret = clk_pll_wait_for_lock(pll);
+ if (ret < 0)
+--
+2.30.2
+
--- /dev/null
+From 83b564853ca1f95fc9dd23bad63a5bd53e8c41ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 May 2021 11:05:14 +0800
+Subject: cw1200: add missing MODULE_DEVICE_TABLE
+
+From: Zou Wei <zou_wei@huawei.com>
+
+[ Upstream commit dd778f89225cd258e8f0fed2b7256124982c8bb5 ]
+
+This patch adds missing MODULE_DEVICE_TABLE definition which generates
+correct modalias for automatic loading of this driver when it is built
+as an external module.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zou Wei <zou_wei@huawei.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/1620788714-14300-1-git-send-email-zou_wei@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/st/cw1200/cw1200_sdio.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/st/cw1200/cw1200_sdio.c b/drivers/net/wireless/st/cw1200/cw1200_sdio.c
+index d3acc85932a5..de92107549ee 100644
+--- a/drivers/net/wireless/st/cw1200/cw1200_sdio.c
++++ b/drivers/net/wireless/st/cw1200/cw1200_sdio.c
+@@ -62,6 +62,7 @@ static const struct sdio_device_id cw1200_sdio_ids[] = {
+ { SDIO_DEVICE(SDIO_VENDOR_ID_STE, SDIO_DEVICE_ID_STE_CW1200) },
+ { /* end: all zeroes */ },
+ };
++MODULE_DEVICE_TABLE(sdio, cw1200_sdio_ids);
+
+ /* hwbus_ops implemetation */
+
+--
+2.30.2
+
--- /dev/null
+From 080a67a0d19896fdd8093ae40fbeba750e9d61dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Apr 2021 09:03:49 +0100
+Subject: dm space maps: don't reset space map allocation cursor when
+ committing
+
+From: Joe Thornber <ejt@redhat.com>
+
+[ Upstream commit 5faafc77f7de69147d1e818026b9a0cbf036a7b2 ]
+
+Current commit code resets the place where the search for free blocks
+will begin back to the start of the metadata device. There are a couple
+of repercussions to this:
+
+- The first allocation after the commit is likely to take longer than
+ normal as it searches for a free block in an area that is likely to
+ have very few free blocks (if any).
+
+- Any free blocks it finds will have been recently freed. Reusing them
+ means we have fewer old copies of the metadata to aid recovery from
+ hardware error.
+
+Fix these issues by leaving the cursor alone, only resetting when the
+search hits the end of the metadata device.
+
+Signed-off-by: Joe Thornber <ejt@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/persistent-data/dm-space-map-disk.c | 9 ++++++++-
+ drivers/md/persistent-data/dm-space-map-metadata.c | 9 ++++++++-
+ 2 files changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/md/persistent-data/dm-space-map-disk.c b/drivers/md/persistent-data/dm-space-map-disk.c
+index bf4c5e2ccb6f..e0acae7a3815 100644
+--- a/drivers/md/persistent-data/dm-space-map-disk.c
++++ b/drivers/md/persistent-data/dm-space-map-disk.c
+@@ -171,6 +171,14 @@ static int sm_disk_new_block(struct dm_space_map *sm, dm_block_t *b)
+ * Any block we allocate has to be free in both the old and current ll.
+ */
+ r = sm_ll_find_common_free_block(&smd->old_ll, &smd->ll, smd->begin, smd->ll.nr_blocks, b);
++ if (r == -ENOSPC) {
++ /*
++ * There's no free block between smd->begin and the end of the metadata device.
++ * We search before smd->begin in case something has been freed.
++ */
++ r = sm_ll_find_common_free_block(&smd->old_ll, &smd->ll, 0, smd->begin, b);
++ }
++
+ if (r)
+ return r;
+
+@@ -199,7 +207,6 @@ static int sm_disk_commit(struct dm_space_map *sm)
+ return r;
+
+ memcpy(&smd->old_ll, &smd->ll, sizeof(smd->old_ll));
+- smd->begin = 0;
+ smd->nr_allocated_this_transaction = 0;
+
+ r = sm_disk_get_nr_free(sm, &nr_free);
+diff --git a/drivers/md/persistent-data/dm-space-map-metadata.c b/drivers/md/persistent-data/dm-space-map-metadata.c
+index 967d8f2a731f..62a4d7da9bd9 100644
+--- a/drivers/md/persistent-data/dm-space-map-metadata.c
++++ b/drivers/md/persistent-data/dm-space-map-metadata.c
+@@ -451,6 +451,14 @@ static int sm_metadata_new_block_(struct dm_space_map *sm, dm_block_t *b)
+ * Any block we allocate has to be free in both the old and current ll.
+ */
+ r = sm_ll_find_common_free_block(&smm->old_ll, &smm->ll, smm->begin, smm->ll.nr_blocks, b);
++ if (r == -ENOSPC) {
++ /*
++ * There's no free block between smm->begin and the end of the metadata device.
++ * We search before smm->begin in case something has been freed.
++ */
++ r = sm_ll_find_common_free_block(&smm->old_ll, &smm->ll, 0, smm->begin, b);
++ }
++
+ if (r)
+ return r;
+
+@@ -502,7 +510,6 @@ static int sm_metadata_commit(struct dm_space_map *sm)
+ return r;
+
+ memcpy(&smm->old_ll, &smm->ll, sizeof(smm->old_ll));
+- smm->begin = 0;
+ smm->allocated_this_transaction = 0;
+
+ return 0;
+--
+2.30.2
+
--- /dev/null
+From 10fdf8b0f4cd01824e67c035d0276e94940101d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 May 2021 16:49:12 +0800
+Subject: drm/virtio: Fix double free on probe failure
+
+From: Xie Yongji <xieyongji@bytedance.com>
+
+[ Upstream commit cec7f1774605a5ef47c134af62afe7c75c30b0ee ]
+
+The virtio_gpu_init() will free vgdev and vgdev->vbufs on failure.
+But such failure will be caught by virtio_gpu_probe() and then
+virtio_gpu_release() will be called to do some cleanup which
+will free vgdev and vgdev->vbufs again. So let's set dev->dev_private
+to NULL to avoid double free.
+
+Signed-off-by: Xie Yongji <xieyongji@bytedance.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/20210517084913.403-2-xieyongji@bytedance.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/virtio/virtgpu_kms.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/virtio/virtgpu_kms.c b/drivers/gpu/drm/virtio/virtgpu_kms.c
+index ba7855da7c7f..6058bdab5fb8 100644
+--- a/drivers/gpu/drm/virtio/virtgpu_kms.c
++++ b/drivers/gpu/drm/virtio/virtgpu_kms.c
+@@ -234,6 +234,7 @@ err_ttm:
+ err_vbufs:
+ vgdev->vdev->config->del_vqs(vgdev->vdev);
+ err_vqs:
++ dev->dev_private = NULL;
+ kfree(vgdev);
+ return ret;
+ }
+--
+2.30.2
+
--- /dev/null
+From a481f81c080912d8c2e09b6d353a1e73cb8f3cfd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Mar 2021 17:38:24 -0700
+Subject: e100: handle eeprom as little endian
+
+From: Jesse Brandeburg <jesse.brandeburg@intel.com>
+
+[ Upstream commit d4ef55288aa2e1b76033717242728ac98ddc4721 ]
+
+Sparse tool was warning on some implicit conversions from
+little endian data read from the EEPROM on the e100 cards.
+
+Fix these by being explicit about the conversions using
+le16_to_cpu().
+
+Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/e100.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/e100.c b/drivers/net/ethernet/intel/e100.c
+index 93c29094ceff..9035cb5fc70d 100644
+--- a/drivers/net/ethernet/intel/e100.c
++++ b/drivers/net/ethernet/intel/e100.c
+@@ -1423,7 +1423,7 @@ static int e100_phy_check_without_mii(struct nic *nic)
+ u8 phy_type;
+ int without_mii;
+
+- phy_type = (nic->eeprom[eeprom_phy_iface] >> 8) & 0x0f;
++ phy_type = (le16_to_cpu(nic->eeprom[eeprom_phy_iface]) >> 8) & 0x0f;
+
+ switch (phy_type) {
+ case NoSuchPhy: /* Non-MII PHY; UNTESTED! */
+@@ -1543,7 +1543,7 @@ static int e100_phy_init(struct nic *nic)
+ mdio_write(netdev, nic->mii.phy_id, MII_BMCR, bmcr);
+ } else if ((nic->mac >= mac_82550_D102) || ((nic->flags & ich) &&
+ (mdio_read(netdev, nic->mii.phy_id, MII_TPISTATUS) & 0x8000) &&
+- (nic->eeprom[eeprom_cnfg_mdix] & eeprom_mdix_enabled))) {
++ (le16_to_cpu(nic->eeprom[eeprom_cnfg_mdix]) & eeprom_mdix_enabled))) {
+ /* enable/disable MDI/MDI-X auto-switching. */
+ mdio_write(netdev, nic->mii.phy_id, MII_NCONFIG,
+ nic->mii.force_media ? 0 : NCONFIG_AUTO_SWITCH);
+@@ -2298,9 +2298,9 @@ static int e100_asf(struct nic *nic)
+ {
+ /* ASF can be enabled from eeprom */
+ return (nic->pdev->device >= 0x1050) && (nic->pdev->device <= 0x1057) &&
+- (nic->eeprom[eeprom_config_asf] & eeprom_asf) &&
+- !(nic->eeprom[eeprom_config_asf] & eeprom_gcl) &&
+- ((nic->eeprom[eeprom_smbus_addr] & 0xFF) != 0xFE);
++ (le16_to_cpu(nic->eeprom[eeprom_config_asf]) & eeprom_asf) &&
++ !(le16_to_cpu(nic->eeprom[eeprom_config_asf]) & eeprom_gcl) &&
++ ((le16_to_cpu(nic->eeprom[eeprom_smbus_addr]) & 0xFF) != 0xFE);
+ }
+
+ static int e100_up(struct nic *nic)
+@@ -2952,7 +2952,7 @@ static int e100_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+
+ /* Wol magic packet can be enabled from eeprom */
+ if ((nic->mac >= mac_82558_D101_A4) &&
+- (nic->eeprom[eeprom_id] & eeprom_id_wol)) {
++ (le16_to_cpu(nic->eeprom[eeprom_id]) & eeprom_id_wol)) {
+ nic->flags |= wol_magic;
+ device_set_wakeup_enable(&pdev->dev, true);
+ }
+--
+2.30.2
+
--- /dev/null
+From 06e889192d2bb5494cd525c5a9b1619f0d241acb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jun 2021 16:02:43 +0800
+Subject: fjes: check return value after calling platform_get_resource()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit f18c11812c949553d2b2481ecaa274dd51bed1e7 ]
+
+It will cause null-ptr-deref if platform_get_resource() returns NULL,
+we need check the return value.
+
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/fjes/fjes_main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/fjes/fjes_main.c b/drivers/net/fjes/fjes_main.c
+index 3511d40ba3f1..440047a239f5 100644
+--- a/drivers/net/fjes/fjes_main.c
++++ b/drivers/net/fjes/fjes_main.c
+@@ -1212,6 +1212,10 @@ static int fjes_probe(struct platform_device *plat_dev)
+ adapter->interrupt_watch_enable = false;
+
+ res = platform_get_resource(plat_dev, IORESOURCE_MEM, 0);
++ if (!res) {
++ err = -EINVAL;
++ goto err_free_control_wq;
++ }
+ hw->hw_res.start = res->start;
+ hw->hw_res.size = resource_size(res);
+ hw->hw_res.irq = platform_get_irq(plat_dev, 0);
+--
+2.30.2
+
--- /dev/null
+From 6d4b8892ca3eb67ba4ab06e7816d7bb92e37ad29 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jun 2020 21:15:32 +0800
+Subject: hugetlb: clear huge pte during flush function on mips platform
+
+From: Bibo Mao <maobibo@loongson.cn>
+
+[ Upstream commit 33ae8f801ad8bec48e886d368739feb2816478f2 ]
+
+If multiple threads are accessing the same huge page at the same
+time, hugetlb_cow will be called if one thread write the COW huge
+page. And function huge_ptep_clear_flush is called to notify other
+threads to clear the huge pte tlb entry. The other threads clear
+the huge pte tlb entry and reload it from page table, the reload
+huge pte entry may be old.
+
+This patch fixes this issue on mips platform, and it clears huge
+pte entry before notifying other threads to flush current huge
+page entry, it is similar with other architectures.
+
+Signed-off-by: Bibo Mao <maobibo@loongson.cn>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/include/asm/hugetlb.h | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/arch/mips/include/asm/hugetlb.h b/arch/mips/include/asm/hugetlb.h
+index 982bc0685330..4747a4694669 100644
+--- a/arch/mips/include/asm/hugetlb.h
++++ b/arch/mips/include/asm/hugetlb.h
+@@ -67,7 +67,13 @@ static inline pte_t huge_ptep_get_and_clear(struct mm_struct *mm,
+ static inline void huge_ptep_clear_flush(struct vm_area_struct *vma,
+ unsigned long addr, pte_t *ptep)
+ {
+- flush_tlb_page(vma, addr & huge_page_mask(hstate_vma(vma)));
++ /*
++ * clear the huge pte entry firstly, so that the other smp threads will
++ * not get old pte entry after finishing flush_tlb_page and before
++ * setting new huge pte entry
++ */
++ huge_ptep_get_and_clear(vma->vm_mm, addr, ptep);
++ flush_tlb_page(vma, addr);
+ }
+
+ static inline int huge_pte_none(pte_t pte)
+--
+2.30.2
+
--- /dev/null
+From 79bc40cc876bc4d59847fc1e2aaf1e7aca7bbea3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 29 May 2021 13:07:46 +0200
+Subject: ipv6: use prandom_u32() for ID generation
+
+From: Willy Tarreau <w@1wt.eu>
+
+[ Upstream commit 62f20e068ccc50d6ab66fdb72ba90da2b9418c99 ]
+
+This is a complement to commit aa6dd211e4b1 ("inet: use bigger hash
+table for IP ID generation"), but focusing on some specific aspects
+of IPv6.
+
+Contary to IPv4, IPv6 only uses packet IDs with fragments, and with a
+minimum MTU of 1280, it's much less easy to force a remote peer to
+produce many fragments to explore its ID sequence. In addition packet
+IDs are 32-bit in IPv6, which further complicates their analysis. On
+the other hand, it is often easier to choose among plenty of possible
+source addresses and partially work around the bigger hash table the
+commit above permits, which leaves IPv6 partially exposed to some
+possibilities of remote analysis at the risk of weakening some
+protocols like DNS if some IDs can be predicted with a good enough
+probability.
+
+Given the wide range of permitted IDs, the risk of collision is extremely
+low so there's no need to rely on the positive increment algorithm that
+is shared with the IPv4 code via ip_idents_reserve(). We have a fast
+PRNG, so let's simply call prandom_u32() and be done with it.
+
+Performance measurements at 10 Gbps couldn't show any difference with
+the previous code, even when using a single core, because due to the
+large fragments, we're limited to only ~930 kpps at 10 Gbps and the cost
+of the random generation is completely offset by other operations and by
+the network transfer time. In addition, this change removes the need to
+update a shared entry in the idents table so it may even end up being
+slightly faster on large scale systems where this matters.
+
+The risk of at least one collision here is about 1/80 million among
+10 IDs, 1/850k among 100 IDs, and still only 1/8.5k among 1000 IDs,
+which remains very low compared to IPv4 where all IDs are reused
+every 4 to 80ms on a 10 Gbps flow depending on packet sizes.
+
+Reported-by: Amit Klein <aksecurity@gmail.com>
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20210529110746.6796-1-w@1wt.eu
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/output_core.c | 28 +++++-----------------------
+ 1 file changed, 5 insertions(+), 23 deletions(-)
+
+diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
+index 6a6d01cb1ace..9c25e8b09306 100644
+--- a/net/ipv6/output_core.c
++++ b/net/ipv6/output_core.c
+@@ -14,29 +14,11 @@ static u32 __ipv6_select_ident(struct net *net,
+ const struct in6_addr *dst,
+ const struct in6_addr *src)
+ {
+- const struct {
+- struct in6_addr dst;
+- struct in6_addr src;
+- } __aligned(SIPHASH_ALIGNMENT) combined = {
+- .dst = *dst,
+- .src = *src,
+- };
+- u32 hash, id;
+-
+- /* Note the following code is not safe, but this is okay. */
+- if (unlikely(siphash_key_is_zero(&net->ipv4.ip_id_key)))
+- get_random_bytes(&net->ipv4.ip_id_key,
+- sizeof(net->ipv4.ip_id_key));
+-
+- hash = siphash(&combined, sizeof(combined), &net->ipv4.ip_id_key);
+-
+- /* Treat id of 0 as unset and if we get 0 back from ip_idents_reserve,
+- * set the hight order instead thus minimizing possible future
+- * collisions.
+- */
+- id = ip_idents_reserve(hash, 1);
+- if (unlikely(!id))
+- id = 1 << 31;
++ u32 id;
++
++ do {
++ id = prandom_u32();
++ } while (!id);
+
+ return id;
+ }
+--
+2.30.2
+
--- /dev/null
+From e81d37d99293707d8334c4f3b5f120e41dc9c875 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Jun 2021 15:09:46 +0800
+Subject: MIPS: add PMD table accounting into MIPS'pmd_alloc_one
+
+From: Huang Pei <huangpei@loongson.cn>
+
+[ Upstream commit ed914d48b6a1040d1039d371b56273d422c0081e ]
+
+This fixes Page Table accounting bug.
+
+MIPS is the ONLY arch just defining __HAVE_ARCH_PMD_ALLOC_ONE alone.
+Since commit b2b29d6d011944 (mm: account PMD tables like PTE tables),
+"pmd_free" in asm-generic with PMD table accounting and "pmd_alloc_one"
+in MIPS without PMD table accounting causes PageTable accounting number
+negative, which read by global_zone_page_state(), always returns 0.
+
+Signed-off-by: Huang Pei <huangpei@loongson.cn>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/include/asm/pgalloc.h | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/arch/mips/include/asm/pgalloc.h b/arch/mips/include/asm/pgalloc.h
+index a03e86969f78..ff982d8b62f6 100644
+--- a/arch/mips/include/asm/pgalloc.h
++++ b/arch/mips/include/asm/pgalloc.h
+@@ -107,11 +107,15 @@ do { \
+
+ static inline pmd_t *pmd_alloc_one(struct mm_struct *mm, unsigned long address)
+ {
+- pmd_t *pmd;
++ pmd_t *pmd = NULL;
++ struct page *pg;
+
+- pmd = (pmd_t *) __get_free_pages(GFP_KERNEL, PMD_ORDER);
+- if (pmd)
++ pg = alloc_pages(GFP_KERNEL | __GFP_ACCOUNT, PMD_ORDER);
++ if (pg) {
++ pgtable_pmd_page_ctor(pg);
++ pmd = (pmd_t *)page_address(pg);
+ pmd_init((unsigned long)pmd, (unsigned long)invalid_pte_table);
++ }
+ return pmd;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 365d1bce5dd2ffa36a1924bf5425310bb127f421 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 May 2021 14:58:53 +0800
+Subject: mISDN: fix possible use-after-free in HFC_cleanup()
+
+From: Zou Wei <zou_wei@huawei.com>
+
+[ Upstream commit 009fc857c5f6fda81f2f7dd851b2d54193a8e733 ]
+
+This module's remove path calls del_timer(). However, that function
+does not wait until the timer handler finishes. This means that the
+timer handler may still be running after the driver's remove function
+has finished, which would result in a use-after-free.
+
+Fix by calling del_timer_sync(), which makes sure the timer handler
+has finished, and unable to re-schedule itself.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zou Wei <zou_wei@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/isdn/hardware/mISDN/hfcpci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/isdn/hardware/mISDN/hfcpci.c b/drivers/isdn/hardware/mISDN/hfcpci.c
+index ff48da61c94c..89cf1d695a01 100644
+--- a/drivers/isdn/hardware/mISDN/hfcpci.c
++++ b/drivers/isdn/hardware/mISDN/hfcpci.c
+@@ -2352,7 +2352,7 @@ static void __exit
+ HFC_cleanup(void)
+ {
+ if (timer_pending(&hfc_tl))
+- del_timer(&hfc_tl);
++ del_timer_sync(&hfc_tl);
+
+ pci_unregister_driver(&hfc_driver);
+ }
+--
+2.30.2
+
--- /dev/null
+From d107b0ffd56861a9613d38433832a41b30c104d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Jun 2021 22:55:21 +0800
+Subject: net: micrel: check return value after calling platform_get_resource()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 20f1932e2282c58cb5ac59517585206cf5b385ae ]
+
+It will cause null-ptr-deref if platform_get_resource() returns NULL,
+we need check the return value.
+
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/micrel/ks8842.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/micrel/ks8842.c b/drivers/net/ethernet/micrel/ks8842.c
+index cb0102dd7f70..d691c33dffc6 100644
+--- a/drivers/net/ethernet/micrel/ks8842.c
++++ b/drivers/net/ethernet/micrel/ks8842.c
+@@ -1150,6 +1150,10 @@ static int ks8842_probe(struct platform_device *pdev)
+ unsigned i;
+
+ iomem = platform_get_resource(pdev, IORESOURCE_MEM, 0);
++ if (!iomem) {
++ dev_err(&pdev->dev, "Invalid resource\n");
++ return -EINVAL;
++ }
+ if (!request_mem_region(iomem->start, resource_size(iomem), DRV_NAME))
+ goto err_mem_region;
+
+--
+2.30.2
+
--- /dev/null
+From cd8f4d5f36e62966eb94ad2bb0d594848f775e61 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Jun 2021 23:02:59 +0800
+Subject: net: moxa: Use devm_platform_get_and_ioremap_resource()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 35cba15a504bf4f585bb9d78f47b22b28a1a06b2 ]
+
+Use devm_platform_get_and_ioremap_resource() to simplify
+code and avoid a null-ptr-deref by checking 'res' in it.
+
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/moxa/moxart_ether.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/moxa/moxart_ether.c b/drivers/net/ethernet/moxa/moxart_ether.c
+index 6fe61d9343cb..9673fbe16774 100644
+--- a/drivers/net/ethernet/moxa/moxart_ether.c
++++ b/drivers/net/ethernet/moxa/moxart_ether.c
+@@ -487,14 +487,13 @@ static int moxart_mac_probe(struct platform_device *pdev)
+ priv = netdev_priv(ndev);
+ priv->ndev = ndev;
+
+- res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+- ndev->base_addr = res->start;
+- priv->base = devm_ioremap_resource(p_dev, res);
++ priv->base = devm_platform_get_and_ioremap_resource(pdev, 0, &res);
+ if (IS_ERR(priv->base)) {
+ dev_err(p_dev, "devm_ioremap_resource failed\n");
+ ret = PTR_ERR(priv->base);
+ goto init_fail;
+ }
++ ndev->base_addr = res->start;
+
+ spin_lock_init(&priv->txlock);
+
+--
+2.30.2
+
--- /dev/null
+From 8876f62f5822bc3e2a1c5108371b183790773b81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 May 2021 19:39:30 +0300
+Subject: net: pch_gbe: Use proper accessors to BE data in pch_ptp_match()
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 443ef39b499cc9c6635f83238101f1bb923e9326 ]
+
+Sparse is not happy about handling of strict types in pch_ptp_match():
+
+ .../pch_gbe_main.c:158:33: warning: incorrect type in argument 2 (different base types)
+ .../pch_gbe_main.c:158:33: expected unsigned short [usertype] uid_hi
+ .../pch_gbe_main.c:158:33: got restricted __be16 [usertype]
+ .../pch_gbe_main.c:158:45: warning: incorrect type in argument 3 (different base types)
+ .../pch_gbe_main.c:158:45: expected unsigned int [usertype] uid_lo
+ .../pch_gbe_main.c:158:45: got restricted __be32 [usertype]
+ .../pch_gbe_main.c:158:56: warning: incorrect type in argument 4 (different base types)
+ .../pch_gbe_main.c:158:56: expected unsigned short [usertype] seqid
+ .../pch_gbe_main.c:158:56: got restricted __be16 [usertype]
+
+Fix that by switching to use proper accessors to BE data.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Tested-by: Flavio Suligoi <f.suligoi@asem.it>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ethernet/oki-semi/pch_gbe/pch_gbe_main.c | 19 ++++++-------------
+ 1 file changed, 6 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c
+index 5d39b5319d50..cd59577a0c92 100644
+--- a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c
++++ b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c
+@@ -124,7 +124,7 @@ static int pch_ptp_match(struct sk_buff *skb, u16 uid_hi, u32 uid_lo, u16 seqid)
+ {
+ u8 *data = skb->data;
+ unsigned int offset;
+- u16 *hi, *id;
++ u16 hi, id;
+ u32 lo;
+
+ if (ptp_classify_raw(skb) == PTP_CLASS_NONE)
+@@ -135,14 +135,11 @@ static int pch_ptp_match(struct sk_buff *skb, u16 uid_hi, u32 uid_lo, u16 seqid)
+ if (skb->len < offset + OFF_PTP_SEQUENCE_ID + sizeof(seqid))
+ return 0;
+
+- hi = (u16 *)(data + offset + OFF_PTP_SOURCE_UUID);
+- id = (u16 *)(data + offset + OFF_PTP_SEQUENCE_ID);
++ hi = get_unaligned_be16(data + offset + OFF_PTP_SOURCE_UUID + 0);
++ lo = get_unaligned_be32(data + offset + OFF_PTP_SOURCE_UUID + 2);
++ id = get_unaligned_be16(data + offset + OFF_PTP_SEQUENCE_ID);
+
+- memcpy(&lo, &hi[1], sizeof(lo));
+-
+- return (uid_hi == *hi &&
+- uid_lo == lo &&
+- seqid == *id);
++ return (uid_hi == hi && uid_lo == lo && seqid == id);
+ }
+
+ static void
+@@ -152,7 +149,6 @@ pch_rx_timestamp(struct pch_gbe_adapter *adapter, struct sk_buff *skb)
+ struct pci_dev *pdev;
+ u64 ns;
+ u32 hi, lo, val;
+- u16 uid, seq;
+
+ if (!adapter->hwts_rx_en)
+ return;
+@@ -168,10 +164,7 @@ pch_rx_timestamp(struct pch_gbe_adapter *adapter, struct sk_buff *skb)
+ lo = pch_src_uuid_lo_read(pdev);
+ hi = pch_src_uuid_hi_read(pdev);
+
+- uid = hi & 0xffff;
+- seq = (hi >> 16) & 0xffff;
+-
+- if (!pch_ptp_match(skb, htons(uid), htonl(lo), htons(seq)))
++ if (!pch_ptp_match(skb, hi, lo, hi >> 16))
+ goto out;
+
+ ns = pch_rx_snap_read(pdev);
+--
+2.30.2
+
--- /dev/null
+From bc136019d670c5e2bf9a7f6e7559ecc884d6a55c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 May 2021 23:43:24 +0200
+Subject: net: Treat __napi_schedule_irqoff() as __napi_schedule() on
+ PREEMPT_RT
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit 8380c81d5c4fced6f4397795a5ae65758272bbfd ]
+
+__napi_schedule_irqoff() is an optimized version of __napi_schedule()
+which can be used where it is known that interrupts are disabled,
+e.g. in interrupt-handlers, spin_lock_irq() sections or hrtimer
+callbacks.
+
+On PREEMPT_RT enabled kernels this assumptions is not true. Force-
+threaded interrupt handlers and spinlocks are not disabling interrupts
+and the NAPI hrtimer callback is forced into softirq context which runs
+with interrupts enabled as well.
+
+Chasing all usage sites of __napi_schedule_irqoff() is a whack-a-mole
+game so make __napi_schedule_irqoff() invoke __napi_schedule() for
+PREEMPT_RT kernels.
+
+The callers of ____napi_schedule() in the networking core have been
+audited and are correct on PREEMPT_RT kernels as well.
+
+Reported-by: Juri Lelli <juri.lelli@redhat.com>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Juri Lelli <juri.lelli@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/dev.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 5b69a9a41dd5..47468fc5d0c9 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -4998,11 +4998,18 @@ EXPORT_SYMBOL(__napi_schedule);
+ * __napi_schedule_irqoff - schedule for receive
+ * @n: entry to schedule
+ *
+- * Variant of __napi_schedule() assuming hard irqs are masked
++ * Variant of __napi_schedule() assuming hard irqs are masked.
++ *
++ * On PREEMPT_RT enabled kernels this maps to __napi_schedule()
++ * because the interrupt disabled assumption might not be true
++ * due to force-threaded interrupts and spinlock substitution.
+ */
+ void __napi_schedule_irqoff(struct napi_struct *n)
+ {
+- ____napi_schedule(this_cpu_ptr(&softnet_data), n);
++ if (!IS_ENABLED(CONFIG_PREEMPT_RT))
++ ____napi_schedule(this_cpu_ptr(&softnet_data), n);
++ else
++ __napi_schedule(n);
+ }
+ EXPORT_SYMBOL(__napi_schedule_irqoff);
+
+--
+2.30.2
+
--- /dev/null
+From e323917a2a71e56f10909fc9f1aa79bf7885a896 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Jun 2021 11:55:31 -0700
+Subject: RDMA/cma: Fix rdma_resolve_route() memory leak
+
+From: Gerd Rausch <gerd.rausch@oracle.com>
+
+[ Upstream commit 74f160ead74bfe5f2b38afb4fcf86189f9ff40c9 ]
+
+Fix a memory leak when "mda_resolve_route() is called more than once on
+the same "rdma_cm_id".
+
+This is possible if cma_query_handler() triggers the
+RDMA_CM_EVENT_ROUTE_ERROR flow which puts the state machine back and
+allows rdma_resolve_route() to be called again.
+
+Link: https://lore.kernel.org/r/f6662b7b-bdb7-2706-1e12-47c61d3474b6@oracle.com
+Signed-off-by: Gerd Rausch <gerd.rausch@oracle.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/cma.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
+index 0a6cc78ebcf7..149d210c68ab 100644
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -2370,7 +2370,8 @@ static int cma_resolve_ib_route(struct rdma_id_private *id_priv, int timeout_ms)
+ work->new_state = RDMA_CM_ROUTE_RESOLVED;
+ work->event.event = RDMA_CM_EVENT_ROUTE_RESOLVED;
+
+- route->path_rec = kmalloc(sizeof *route->path_rec, GFP_KERNEL);
++ if (!route->path_rec)
++ route->path_rec = kmalloc(sizeof *route->path_rec, GFP_KERNEL);
+ if (!route->path_rec) {
+ ret = -ENOMEM;
+ goto err1;
+--
+2.30.2
+
--- /dev/null
+From 4ae70bbbb6eeefc8630bfd707a4bb841a8cf3eb0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jun 2021 19:07:49 +0800
+Subject: RDMA/cxgb4: Fix missing error code in create_qp()
+
+From: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
+
+[ Upstream commit aeb27bb76ad8197eb47890b1ff470d5faf8ec9a5 ]
+
+The error code is missing in this code scenario so 0 will be returned. Add
+the error code '-EINVAL' to the return value 'ret'.
+
+Eliminates the follow smatch warning:
+
+drivers/infiniband/hw/cxgb4/qp.c:298 create_qp() warn: missing error code 'ret'.
+
+Link: https://lore.kernel.org/r/1622545669-20625-1-git-send-email-jiapeng.chong@linux.alibaba.com
+Reported-by: Abaci Robot <abaci@linux.alibaba.com>
+Signed-off-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/cxgb4/qp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/infiniband/hw/cxgb4/qp.c b/drivers/infiniband/hw/cxgb4/qp.c
+index 36bdb04f8f01..87bc7b0db892 100644
+--- a/drivers/infiniband/hw/cxgb4/qp.c
++++ b/drivers/infiniband/hw/cxgb4/qp.c
+@@ -277,6 +277,7 @@ static int create_qp(struct c4iw_rdev *rdev, struct t4_wq *wq,
+ if (user && (!wq->sq.bar2_pa || !wq->rq.bar2_pa)) {
+ pr_warn(MOD "%s: sqid %u or rqid %u not in BAR2 range.\n",
+ pci_name(rdev->lldi.pdev), wq->sq.qid, wq->rq.qid);
++ ret = -EINVAL;
+ goto free_dma;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From ccda6666c1a4aa2248ea35b0e2fcb1f8a63eea3f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jun 2021 15:14:56 +0800
+Subject: RDMA/rxe: Don't overwrite errno from ib_umem_get()
+
+From: Xiao Yang <yangx.jy@fujitsu.com>
+
+[ Upstream commit 20ec0a6d6016aa28b9b3299be18baef1a0f91cd2 ]
+
+rxe_mr_init_user() always returns the fixed -EINVAL when ib_umem_get()
+fails so it's hard for user to know which actual error happens in
+ib_umem_get(). For example, ib_umem_get() will return -EOPNOTSUPP when
+trying to pin pages on a DAX file.
+
+Return actual error as mlx4/mlx5 does.
+
+Link: https://lore.kernel.org/r/20210621071456.4259-1-ice_yangxiao@163.com
+Signed-off-by: Xiao Yang <yangx.jy@fujitsu.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/rxe/rxe_mr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_mr.c b/drivers/infiniband/sw/rxe/rxe_mr.c
+index 6d1ba75398a1..e23b322224ab 100644
+--- a/drivers/infiniband/sw/rxe/rxe_mr.c
++++ b/drivers/infiniband/sw/rxe/rxe_mr.c
+@@ -175,7 +175,7 @@ int rxe_mem_init_user(struct rxe_dev *rxe, struct rxe_pd *pd, u64 start,
+ if (IS_ERR(umem)) {
+ pr_warn("err %d from rxe_umem_get\n",
+ (int)PTR_ERR(umem));
+- err = -EINVAL;
++ err = PTR_ERR(umem);
+ goto err1;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 777c2a5d3c7274741c58f0ebfde765ef4f3cd8e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 May 2021 15:15:45 +0300
+Subject: reiserfs: add check for invalid 1st journal block
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit a149127be52fa7eaf5b3681a0317a2bbb772d5a9 ]
+
+syzbot reported divide error in reiserfs.
+The problem was in incorrect journal 1st block.
+
+Syzbot's reproducer manualy generated wrong superblock
+with incorrect 1st block. In journal_init() wasn't
+any checks about this particular case.
+
+For example, if 1st journal block is before superblock
+1st block, it can cause zeroing important superblock members
+in do_journal_end().
+
+Link: https://lore.kernel.org/r/20210517121545.29645-1-paskripkin@gmail.com
+Reported-by: syzbot+0ba9909df31c6a36974d@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/reiserfs/journal.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/fs/reiserfs/journal.c b/fs/reiserfs/journal.c
+index 2a5c4813c47d..94871f611fa8 100644
+--- a/fs/reiserfs/journal.c
++++ b/fs/reiserfs/journal.c
+@@ -2766,6 +2766,20 @@ int journal_init(struct super_block *sb, const char *j_dev_name,
+ goto free_and_return;
+ }
+
++ /*
++ * Sanity check to see if journal first block is correct.
++ * If journal first block is invalid it can cause
++ * zeroing important superblock members.
++ */
++ if (!SB_ONDISK_JOURNAL_DEVICE(sb) &&
++ SB_ONDISK_JOURNAL_1st_BLOCK(sb) < SB_JOURNAL_1st_RESERVED_BLOCK(sb)) {
++ reiserfs_warning(sb, "journal-1393",
++ "journal 1st super block is invalid: 1st reserved block %d, but actual 1st block is %d",
++ SB_JOURNAL_1st_RESERVED_BLOCK(sb),
++ SB_ONDISK_JOURNAL_1st_BLOCK(sb));
++ goto free_and_return;
++ }
++
+ if (journal_init_dev(sb, journal, j_dev_name) != 0) {
+ reiserfs_warning(sb, "sh-462",
+ "unable to initialize journal device");
+--
+2.30.2
+
--- /dev/null
+From 6aac9b66e68583d00292261f3740141b2c94d0bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Jun 2021 16:13:42 -0300
+Subject: sctp: add size validation when walking chunks
+
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+
+[ Upstream commit 50619dbf8db77e98d821d615af4f634d08e22698 ]
+
+The first chunk in a packet is ensured to be present at the beginning of
+sctp_rcv(), as a packet needs to have at least 1 chunk. But the second
+one, may not be completely available and ch->length can be over
+uninitialized memory.
+
+Fix here is by only trying to walk on the next chunk if there is enough to
+hold at least the header, and then proceed with the ch->length validation
+that is already there.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/input.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sctp/input.c b/net/sctp/input.c
+index 12d821ea8a1f..8f4574c4aa6c 100644
+--- a/net/sctp/input.c
++++ b/net/sctp/input.c
+@@ -1165,7 +1165,7 @@ static struct sctp_association *__sctp_rcv_walk_lookup(struct net *net,
+
+ ch = (sctp_chunkhdr_t *) ch_end;
+ chunk_num++;
+- } while (ch_end < skb_tail_pointer(skb));
++ } while (ch_end + sizeof(*ch) < skb_tail_pointer(skb));
+
+ return asoc;
+ }
+--
+2.30.2
+
--- /dev/null
+From 479fd7856a07c0321db4e480388cf4809f61c5cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jun 2021 09:37:17 -0700
+Subject: selinux: use __GFP_NOWARN with GFP_NOWAIT in the AVC
+
+From: Minchan Kim <minchan@kernel.org>
+
+[ Upstream commit 648f2c6100cfa18e7dfe43bc0b9c3b73560d623c ]
+
+In the field, we have seen lots of allocation failure from the call
+path below.
+
+06-03 13:29:12.999 1010315 31557 31557 W Binder : 31542_2: page allocation failure: order:0, mode:0x800(GFP_NOWAIT), nodemask=(null),cpuset=background,mems_allowed=0
+...
+...
+06-03 13:29:12.999 1010315 31557 31557 W Call trace:
+06-03 13:29:12.999 1010315 31557 31557 W : dump_backtrace.cfi_jt+0x0/0x8
+06-03 13:29:12.999 1010315 31557 31557 W : dump_stack+0xc8/0x14c
+06-03 13:29:12.999 1010315 31557 31557 W : warn_alloc+0x158/0x1c8
+06-03 13:29:12.999 1010315 31557 31557 W : __alloc_pages_slowpath+0x9d8/0xb80
+06-03 13:29:12.999 1010315 31557 31557 W : __alloc_pages_nodemask+0x1c4/0x430
+06-03 13:29:12.999 1010315 31557 31557 W : allocate_slab+0xb4/0x390
+06-03 13:29:12.999 1010315 31557 31557 W : ___slab_alloc+0x12c/0x3a4
+06-03 13:29:12.999 1010315 31557 31557 W : kmem_cache_alloc+0x358/0x5e4
+06-03 13:29:12.999 1010315 31557 31557 W : avc_alloc_node+0x30/0x184
+06-03 13:29:12.999 1010315 31557 31557 W : avc_update_node+0x54/0x4f0
+06-03 13:29:12.999 1010315 31557 31557 W : avc_has_extended_perms+0x1a4/0x460
+06-03 13:29:12.999 1010315 31557 31557 W : selinux_file_ioctl+0x320/0x3d0
+06-03 13:29:12.999 1010315 31557 31557 W : __arm64_sys_ioctl+0xec/0x1fc
+06-03 13:29:12.999 1010315 31557 31557 W : el0_svc_common+0xc0/0x24c
+06-03 13:29:12.999 1010315 31557 31557 W : el0_svc+0x28/0x88
+06-03 13:29:12.999 1010315 31557 31557 W : el0_sync_handler+0x8c/0xf0
+06-03 13:29:12.999 1010315 31557 31557 W : el0_sync+0x1a4/0x1c0
+..
+..
+06-03 13:29:12.999 1010315 31557 31557 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO)
+06-03 13:29:12.999 1010315 31557 31557 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0
+06-03 13:29:12.999 1010315 31557 31557 W node 0 : slabs: 57, objs: 2907, free: 0
+06-03 13:29:12.999 1010161 10686 10686 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO)
+06-03 13:29:12.999 1010161 10686 10686 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0
+06-03 13:29:12.999 1010161 10686 10686 W node 0 : slabs: 57, objs: 2907, free: 0
+06-03 13:29:12.999 1010161 10686 10686 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO)
+06-03 13:29:12.999 1010161 10686 10686 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0
+06-03 13:29:12.999 1010161 10686 10686 W node 0 : slabs: 57, objs: 2907, free: 0
+06-03 13:29:12.999 1010161 10686 10686 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO)
+06-03 13:29:12.999 1010161 10686 10686 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0
+06-03 13:29:12.999 1010161 10686 10686 W node 0 : slabs: 57, objs: 2907, free: 0
+06-03 13:29:13.000 1010161 10686 10686 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO)
+06-03 13:29:13.000 1010161 10686 10686 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0
+06-03 13:29:13.000 1010161 10686 10686 W node 0 : slabs: 57, objs: 2907, free: 0
+06-03 13:29:13.000 1010161 10686 10686 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO)
+06-03 13:29:13.000 1010161 10686 10686 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0
+06-03 13:29:13.000 1010161 10686 10686 W node 0 : slabs: 57, objs: 2907, free: 0
+06-03 13:29:13.000 1010161 10686 10686 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO)
+06-03 13:29:13.000 1010161 10686 10686 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0
+06-03 13:29:13.000 1010161 10686 10686 W node 0 : slabs: 57, objs: 2907, free: 0
+06-03 13:29:13.000 10230 30892 30892 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO)
+06-03 13:29:13.000 10230 30892 30892 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0
+06-03 13:29:13.000 10230 30892 30892 W node 0 : slabs: 57, objs: 2907, free: 0
+06-03 13:29:13.000 10230 30892 30892 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO)
+06-03 13:29:13.000 10230 30892 30892 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0
+
+Based on [1], selinux is tolerate for failure of memory allocation.
+Then, use __GFP_NOWARN together.
+
+[1] 476accbe2f6e ("selinux: use GFP_NOWAIT in the AVC kmem_caches")
+
+Signed-off-by: Minchan Kim <minchan@kernel.org>
+[PM: subj fix, line wraps, normalized commit refs]
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/selinux/avc.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/security/selinux/avc.c b/security/selinux/avc.c
+index f3c473791b69..a16c72c2a967 100644
+--- a/security/selinux/avc.c
++++ b/security/selinux/avc.c
+@@ -348,26 +348,27 @@ static struct avc_xperms_decision_node
+ struct avc_xperms_decision_node *xpd_node;
+ struct extended_perms_decision *xpd;
+
+- xpd_node = kmem_cache_zalloc(avc_xperms_decision_cachep, GFP_NOWAIT);
++ xpd_node = kmem_cache_zalloc(avc_xperms_decision_cachep,
++ GFP_NOWAIT | __GFP_NOWARN);
+ if (!xpd_node)
+ return NULL;
+
+ xpd = &xpd_node->xpd;
+ if (which & XPERMS_ALLOWED) {
+ xpd->allowed = kmem_cache_zalloc(avc_xperms_data_cachep,
+- GFP_NOWAIT);
++ GFP_NOWAIT | __GFP_NOWARN);
+ if (!xpd->allowed)
+ goto error;
+ }
+ if (which & XPERMS_AUDITALLOW) {
+ xpd->auditallow = kmem_cache_zalloc(avc_xperms_data_cachep,
+- GFP_NOWAIT);
++ GFP_NOWAIT | __GFP_NOWARN);
+ if (!xpd->auditallow)
+ goto error;
+ }
+ if (which & XPERMS_DONTAUDIT) {
+ xpd->dontaudit = kmem_cache_zalloc(avc_xperms_data_cachep,
+- GFP_NOWAIT);
++ GFP_NOWAIT | __GFP_NOWARN);
+ if (!xpd->dontaudit)
+ goto error;
+ }
+@@ -395,7 +396,7 @@ static struct avc_xperms_node *avc_xperms_alloc(void)
+ {
+ struct avc_xperms_node *xp_node;
+
+- xp_node = kmem_cache_zalloc(avc_xperms_cachep, GFP_NOWAIT);
++ xp_node = kmem_cache_zalloc(avc_xperms_cachep, GFP_NOWAIT | __GFP_NOWARN);
+ if (!xp_node)
+ return xp_node;
+ INIT_LIST_HEAD(&xp_node->xpd_head);
+@@ -548,7 +549,7 @@ static struct avc_node *avc_alloc_node(void)
+ {
+ struct avc_node *node;
+
+- node = kmem_cache_zalloc(avc_node_cachep, GFP_NOWAIT);
++ node = kmem_cache_zalloc(avc_node_cachep, GFP_NOWAIT | __GFP_NOWARN);
+ if (!node)
+ goto out;
+
+--
+2.30.2
+
selftests-vm-pkeys-fix-alloc_random_pkey-to-make-it-.patch
mmc-vub3000-fix-control-request-direction.patch
scsi-core-retry-i-o-for-notify-enable-spinup-required-error.patch
+net-pch_gbe-use-proper-accessors-to-be-data-in-pch_p.patch
+hugetlb-clear-huge-pte-during-flush-function-on-mips.patch
+atm-iphase-fix-possible-use-after-free-in-ia_module_.patch
+misdn-fix-possible-use-after-free-in-hfc_cleanup.patch
+atm-nicstar-fix-possible-use-after-free-in-nicstar_c.patch
+net-treat-__napi_schedule_irqoff-as-__napi_schedule-.patch
+reiserfs-add-check-for-invalid-1st-journal-block.patch
+drm-virtio-fix-double-free-on-probe-failure.patch
+udf-fix-null-pointer-dereference-in-udf_symlink-func.patch
+e100-handle-eeprom-as-little-endian.patch
+clk-tegra-ensure-that-pllu-configuration-is-applied-.patch
+ipv6-use-prandom_u32-for-id-generation.patch
+rdma-cxgb4-fix-missing-error-code-in-create_qp.patch
+dm-space-maps-don-t-reset-space-map-allocation-curso.patch
+net-micrel-check-return-value-after-calling-platform.patch
+net-moxa-use-devm_platform_get_and_ioremap_resource.patch
+fjes-check-return-value-after-calling-platform_get_r.patch
+selinux-use-__gfp_nowarn-with-gfp_nowait-in-the-avc.patch
+xfrm-fix-error-reporting-in-xfrm_state_construct.patch
+wlcore-wl12xx-fix-wl12xx-get_mac-error-if-device-is-.patch
+wl1251-fix-possible-buffer-overflow-in-wl1251_cmd_sc.patch
+cw1200-add-missing-module_device_table.patch
+mips-add-pmd-table-accounting-into-mips-pmd_alloc_on.patch
+atm-nicstar-use-dma_free_coherent-instead-of-kfree.patch
+atm-nicstar-register-the-interrupt-handler-in-the-ri.patch
+rdma-rxe-don-t-overwrite-errno-from-ib_umem_get.patch
+sfc-avoid-double-pci_remove-of-vfs.patch
+sfc-error-code-if-sriov-cannot-be-disabled.patch
+wireless-wext-spy-fix-out-of-bounds-warning.patch
+rdma-cma-fix-rdma_resolve_route-memory-leak.patch
+bluetooth-fix-the-hci-to-mgmt-status-conversion-tabl.patch
+bluetooth-shutdown-controller-after-workqueues-are-f.patch
+bluetooth-btusb-fix-bt-fiwmare-downloading-failure-i.patch
+sctp-add-size-validation-when-walking-chunks.patch
--- /dev/null
+From 4bd2bf03c31fd67e500173f2d75bbb4d088980f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jun 2021 17:32:35 +0200
+Subject: sfc: avoid double pci_remove of VFs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Íñigo Huguet <ihuguet@redhat.com>
+
+[ Upstream commit 45423cff1db66cf0993e8a9bd0ac93e740149e49 ]
+
+If pci_remove was called for a PF with VFs, the removal of the VFs was
+called twice from efx_ef10_sriov_fini: one directly with pci_driver->remove
+and another implicit by calling pci_disable_sriov, which also perform
+the VFs remove. This was leading to crashing the kernel on the second
+attempt.
+
+Given that pci_disable_sriov already calls to pci remove function, get
+rid of the direct call to pci_driver->remove from the driver.
+
+2 different ways to trigger the bug:
+- Create one or more VFs, then attach the PF to a virtual machine (at
+ least with qemu/KVM)
+- Create one or more VFs, then remove the PF with:
+ echo 1 > /sys/bus/pci/devices/PF_PCI_ID/remove
+
+Removing sfc module does not trigger the error, at least for me, because
+it removes the VF first, and then the PF.
+
+Example of a log with the error:
+ list_del corruption, ffff967fd20a8ad0->next is LIST_POISON1 (dead000000000100)
+ ------------[ cut here ]------------
+ kernel BUG at lib/list_debug.c:47!
+ [...trimmed...]
+ RIP: 0010:__list_del_entry_valid.cold.1+0x12/0x4c
+ [...trimmed...]
+ Call Trace:
+ efx_dissociate+0x1f/0x140 [sfc]
+ efx_pci_remove+0x27/0x150 [sfc]
+ pci_device_remove+0x3b/0xc0
+ device_release_driver_internal+0x103/0x1f0
+ pci_stop_bus_device+0x69/0x90
+ pci_stop_and_remove_bus_device+0xe/0x20
+ pci_iov_remove_virtfn+0xba/0x120
+ sriov_disable+0x2f/0xe0
+ efx_ef10_pci_sriov_disable+0x52/0x80 [sfc]
+ ? pcie_aer_is_native+0x12/0x40
+ efx_ef10_sriov_fini+0x72/0x110 [sfc]
+ efx_pci_remove+0x62/0x150 [sfc]
+ pci_device_remove+0x3b/0xc0
+ device_release_driver_internal+0x103/0x1f0
+ unbind_store+0xf6/0x130
+ kernfs_fop_write+0x116/0x190
+ vfs_write+0xa5/0x1a0
+ ksys_write+0x4f/0xb0
+ do_syscall_64+0x5b/0x1a0
+ entry_SYSCALL_64_after_hwframe+0x65/0xca
+
+Signed-off-by: Íñigo Huguet <ihuguet@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/sfc/ef10_sriov.c | 10 +---------
+ 1 file changed, 1 insertion(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/sfc/ef10_sriov.c b/drivers/net/ethernet/sfc/ef10_sriov.c
+index a949b9d27329..23aac3b37d6e 100644
+--- a/drivers/net/ethernet/sfc/ef10_sriov.c
++++ b/drivers/net/ethernet/sfc/ef10_sriov.c
+@@ -442,7 +442,6 @@ int efx_ef10_sriov_init(struct efx_nic *efx)
+ void efx_ef10_sriov_fini(struct efx_nic *efx)
+ {
+ struct efx_ef10_nic_data *nic_data = efx->nic_data;
+- unsigned int i;
+ int rc;
+
+ if (!nic_data->vf) {
+@@ -452,14 +451,7 @@ void efx_ef10_sriov_fini(struct efx_nic *efx)
+ return;
+ }
+
+- /* Remove any VFs in the host */
+- for (i = 0; i < efx->vf_count; ++i) {
+- struct efx_nic *vf_efx = nic_data->vf[i].efx;
+-
+- if (vf_efx)
+- vf_efx->pci_dev->driver->remove(vf_efx->pci_dev);
+- }
+-
++ /* Disable SRIOV and remove any VFs in the host */
+ rc = efx_ef10_pci_sriov_disable(efx, true);
+ if (rc)
+ netif_dbg(efx, drv, efx->net_dev,
+--
+2.30.2
+
--- /dev/null
+From 3a368d9c90d078e627053a5fc161b3384776089a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jun 2021 17:32:36 +0200
+Subject: sfc: error code if SRIOV cannot be disabled
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Íñigo Huguet <ihuguet@redhat.com>
+
+[ Upstream commit 1ebe4feb8b442884f5a28d2437040096723dd1ea ]
+
+If SRIOV cannot be disabled during device removal or module unloading,
+return error code so it can be logged properly in the calling function.
+
+Note that this can only happen if any VF is currently attached to a
+guest using Xen, but not with vfio/KVM. Despite that in that case the
+VFs won't work properly with PF removed and/or the module unloaded, I
+have let it as is because I don't know what side effects may have
+changing it, and also it seems to be the same that other drivers are
+doing in this situation.
+
+In the case of being called during SRIOV reconfiguration, the behavior
+hasn't changed because the function is called with force=false.
+
+Signed-off-by: Íñigo Huguet <ihuguet@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/sfc/ef10_sriov.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/sfc/ef10_sriov.c b/drivers/net/ethernet/sfc/ef10_sriov.c
+index 23aac3b37d6e..bef23e19cbbd 100644
+--- a/drivers/net/ethernet/sfc/ef10_sriov.c
++++ b/drivers/net/ethernet/sfc/ef10_sriov.c
+@@ -405,12 +405,17 @@ fail1:
+ return rc;
+ }
+
++/* Disable SRIOV and remove VFs
++ * If some VFs are attached to a guest (using Xen, only) nothing is
++ * done if force=false, and vports are freed if force=true (for the non
++ * attachedc ones, only) but SRIOV is not disabled and VFs are not
++ * removed in either case.
++ */
+ static int efx_ef10_pci_sriov_disable(struct efx_nic *efx, bool force)
+ {
+ struct pci_dev *dev = efx->pci_dev;
+- unsigned int vfs_assigned = 0;
+-
+- vfs_assigned = pci_vfs_assigned(dev);
++ unsigned int vfs_assigned = pci_vfs_assigned(dev);
++ int rc = 0;
+
+ if (vfs_assigned && !force) {
+ netif_info(efx, drv, efx->net_dev, "VFs are assigned to guests; "
+@@ -420,10 +425,12 @@ static int efx_ef10_pci_sriov_disable(struct efx_nic *efx, bool force)
+
+ if (!vfs_assigned)
+ pci_disable_sriov(dev);
++ else
++ rc = -EBUSY;
+
+ efx_ef10_sriov_free_vf_vswitching(efx);
+ efx->vf_count = 0;
+- return 0;
++ return rc;
+ }
+
+ int efx_ef10_sriov_configure(struct efx_nic *efx, int num_vfs)
+--
+2.30.2
+
--- /dev/null
+From 9cf85b79e85b61b009d341e8d1f89d245decde62 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 May 2021 12:34:57 +0200
+Subject: udf: Fix NULL pointer dereference in udf_symlink function
+
+From: Arturo Giusti <koredump@protonmail.com>
+
+[ Upstream commit fa236c2b2d4436d9f19ee4e5d5924e90ffd7bb43 ]
+
+In function udf_symlink, epos.bh is assigned with the value returned
+by udf_tgetblk. The function udf_tgetblk is defined in udf/misc.c
+and returns the value of sb_getblk function that could be NULL.
+Then, epos.bh is used without any check, causing a possible
+NULL pointer dereference when sb_getblk fails.
+
+This fix adds a check to validate the value of epos.bh.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=213083
+Signed-off-by: Arturo Giusti <koredump@protonmail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/udf/namei.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/udf/namei.c b/fs/udf/namei.c
+index 348b922d1b6a..bfa53dead8c8 100644
+--- a/fs/udf/namei.c
++++ b/fs/udf/namei.c
+@@ -956,6 +956,10 @@ static int udf_symlink(struct inode *dir, struct dentry *dentry,
+ iinfo->i_location.partitionReferenceNum,
+ 0);
+ epos.bh = udf_tgetblk(sb, block);
++ if (unlikely(!epos.bh)) {
++ err = -ENOMEM;
++ goto out_no_entry;
++ }
+ lock_buffer(epos.bh);
+ memset(epos.bh->b_data, 0x00, bsize);
+ set_buffer_uptodate(epos.bh);
+--
+2.30.2
+
--- /dev/null
+From 17247698809f539b7ae650e09b8847f77c8160bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Apr 2021 15:00:32 -0500
+Subject: wireless: wext-spy: Fix out-of-bounds warning
+
+From: Gustavo A. R. Silva <gustavoars@kernel.org>
+
+[ Upstream commit e93bdd78406da9ed01554c51e38b2a02c8ef8025 ]
+
+Fix the following out-of-bounds warning:
+
+net/wireless/wext-spy.c:178:2: warning: 'memcpy' offset [25, 28] from the object at 'threshold' is out of the bounds of referenced subobject 'low' with type 'struct iw_quality' at offset 20 [-Warray-bounds]
+
+The problem is that the original code is trying to copy data into a
+couple of struct members adjacent to each other in a single call to
+memcpy(). This causes a legitimate compiler warning because memcpy()
+overruns the length of &threshold.low and &spydata->spy_thr_low. As
+these are just a couple of struct members, fix this by using direct
+assignments, instead of memcpy().
+
+This helps with the ongoing efforts to globally enable -Warray-bounds
+and get us closer to being able to tighten the FORTIFY_SOURCE routines
+on memcpy().
+
+Link: https://github.com/KSPP/linux/issues/109
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/20210422200032.GA168995@embeddedor
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/wext-spy.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/net/wireless/wext-spy.c b/net/wireless/wext-spy.c
+index 33bef22e44e9..b379a0371653 100644
+--- a/net/wireless/wext-spy.c
++++ b/net/wireless/wext-spy.c
+@@ -120,8 +120,8 @@ int iw_handler_set_thrspy(struct net_device * dev,
+ return -EOPNOTSUPP;
+
+ /* Just do it */
+- memcpy(&(spydata->spy_thr_low), &(threshold->low),
+- 2 * sizeof(struct iw_quality));
++ spydata->spy_thr_low = threshold->low;
++ spydata->spy_thr_high = threshold->high;
+
+ /* Clear flag */
+ memset(spydata->spy_thr_under, '\0', sizeof(spydata->spy_thr_under));
+@@ -147,8 +147,8 @@ int iw_handler_get_thrspy(struct net_device * dev,
+ return -EOPNOTSUPP;
+
+ /* Just do it */
+- memcpy(&(threshold->low), &(spydata->spy_thr_low),
+- 2 * sizeof(struct iw_quality));
++ threshold->low = spydata->spy_thr_low;
++ threshold->high = spydata->spy_thr_high;
+
+ return 0;
+ }
+@@ -173,10 +173,10 @@ static void iw_send_thrspy_event(struct net_device * dev,
+ memcpy(threshold.addr.sa_data, address, ETH_ALEN);
+ threshold.addr.sa_family = ARPHRD_ETHER;
+ /* Copy stats */
+- memcpy(&(threshold.qual), wstats, sizeof(struct iw_quality));
++ threshold.qual = *wstats;
+ /* Copy also thresholds */
+- memcpy(&(threshold.low), &(spydata->spy_thr_low),
+- 2 * sizeof(struct iw_quality));
++ threshold.low = spydata->spy_thr_low;
++ threshold.high = spydata->spy_thr_high;
+
+ /* Send event to user space */
+ wireless_send_event(dev, SIOCGIWTHRSPY, &wrqu, (char *) &threshold);
+--
+2.30.2
+
--- /dev/null
+From 1fc09bf580d03455c110708d13f40165fd10163f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Apr 2021 12:55:08 +0100
+Subject: wl1251: Fix possible buffer overflow in wl1251_cmd_scan
+
+From: Lee Gibson <leegib@gmail.com>
+
+[ Upstream commit d10a87a3535cce2b890897914f5d0d83df669c63 ]
+
+Function wl1251_cmd_scan calls memcpy without checking the length.
+Harden by checking the length is within the maximum allowed size.
+
+Signed-off-by: Lee Gibson <leegib@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210428115508.25624-1-leegib@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ti/wl1251/cmd.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/ti/wl1251/cmd.c b/drivers/net/wireless/ti/wl1251/cmd.c
+index ede31f048ef9..247f4310a38f 100644
+--- a/drivers/net/wireless/ti/wl1251/cmd.c
++++ b/drivers/net/wireless/ti/wl1251/cmd.c
+@@ -465,9 +465,12 @@ int wl1251_cmd_scan(struct wl1251 *wl, u8 *ssid, size_t ssid_len,
+ cmd->channels[i].channel = channels[i]->hw_value;
+ }
+
+- cmd->params.ssid_len = ssid_len;
+- if (ssid)
+- memcpy(cmd->params.ssid, ssid, ssid_len);
++ if (ssid) {
++ int len = clamp_val(ssid_len, 0, IEEE80211_MAX_SSID_LEN);
++
++ cmd->params.ssid_len = len;
++ memcpy(cmd->params.ssid, ssid, len);
++ }
+
+ ret = wl1251_cmd_send(wl, CMD_SCAN, cmd, sizeof(*cmd));
+ if (ret < 0) {
+--
+2.30.2
+
--- /dev/null
+From 9ce0c80aea5b2b95b2734072d33b7e62cef00cd3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jun 2021 09:28:14 +0300
+Subject: wlcore/wl12xx: Fix wl12xx get_mac error if device is in ELP
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit 11ef6bc846dcdce838f0b00c5f6a562c57e5d43b ]
+
+At least on wl12xx, reading the MAC after boot can fail with a warning
+at drivers/net/wireless/ti/wlcore/sdio.c:78 wl12xx_sdio_raw_read.
+The failed call comes from wl12xx_get_mac() that wlcore_nvs_cb() calls
+after request_firmware_work_func().
+
+After the error, no wireless interface is created. Reloading the wl12xx
+module makes the interface work.
+
+Turns out the wlan controller can be in a low-power ELP state after the
+boot from the bootloader or kexec, and needs to be woken up first.
+
+Let's wake the hardware and add a sleep after that similar to
+wl12xx_pre_boot() is already doing.
+
+Note that a similar issue could exist for wl18xx, but I have not seen it
+so far. And a search for wl18xx_get_mac and wl12xx_sdio_raw_read did not
+produce similar errors.
+
+Cc: Carl Philipp Klemm <philipp@uvos.xyz>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210603062814.19464-1-tony@atomide.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ti/wl12xx/main.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/net/wireless/ti/wl12xx/main.c b/drivers/net/wireless/ti/wl12xx/main.c
+index 9bd635ec7827..72991d3a55f1 100644
+--- a/drivers/net/wireless/ti/wl12xx/main.c
++++ b/drivers/net/wireless/ti/wl12xx/main.c
+@@ -1516,6 +1516,13 @@ static int wl12xx_get_fuse_mac(struct wl1271 *wl)
+ u32 mac1, mac2;
+ int ret;
+
++ /* Device may be in ELP from the bootloader or kexec */
++ ret = wlcore_write32(wl, WL12XX_WELP_ARM_COMMAND, WELP_ARM_COMMAND_VAL);
++ if (ret < 0)
++ goto out;
++
++ usleep_range(500000, 700000);
++
+ ret = wlcore_set_partition(wl, &wl->ptable[PART_DRPW]);
+ if (ret < 0)
+ goto out;
+--
+2.30.2
+
--- /dev/null
+From a698e1a9c3b39b47d05785ffcbd0631e5a8d0f1a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Jun 2021 15:21:49 +0200
+Subject: xfrm: Fix error reporting in xfrm_state_construct.
+
+From: Steffen Klassert <steffen.klassert@secunet.com>
+
+[ Upstream commit 6fd06963fa74197103cdbb4b494763127b3f2f34 ]
+
+When memory allocation for XFRMA_ENCAP or XFRMA_COADDR fails,
+the error will not be reported because the -ENOMEM assignment
+to the err variable is overwritten before. Fix this by moving
+these two in front of the function so that memory allocation
+failures will be reported.
+
+Reported-by: Tobias Brunner <tobias@strongswan.org>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_user.c | 28 ++++++++++++++--------------
+ 1 file changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index feb24ca530f2..48139e1a0ac9 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -566,6 +566,20 @@ static struct xfrm_state *xfrm_state_construct(struct net *net,
+
+ copy_from_user_state(x, p);
+
++ if (attrs[XFRMA_ENCAP]) {
++ x->encap = kmemdup(nla_data(attrs[XFRMA_ENCAP]),
++ sizeof(*x->encap), GFP_KERNEL);
++ if (x->encap == NULL)
++ goto error;
++ }
++
++ if (attrs[XFRMA_COADDR]) {
++ x->coaddr = kmemdup(nla_data(attrs[XFRMA_COADDR]),
++ sizeof(*x->coaddr), GFP_KERNEL);
++ if (x->coaddr == NULL)
++ goto error;
++ }
++
+ if (attrs[XFRMA_SA_EXTRA_FLAGS])
+ x->props.extra_flags = nla_get_u32(attrs[XFRMA_SA_EXTRA_FLAGS]);
+
+@@ -586,23 +600,9 @@ static struct xfrm_state *xfrm_state_construct(struct net *net,
+ attrs[XFRMA_ALG_COMP])))
+ goto error;
+
+- if (attrs[XFRMA_ENCAP]) {
+- x->encap = kmemdup(nla_data(attrs[XFRMA_ENCAP]),
+- sizeof(*x->encap), GFP_KERNEL);
+- if (x->encap == NULL)
+- goto error;
+- }
+-
+ if (attrs[XFRMA_TFCPAD])
+ x->tfcpad = nla_get_u32(attrs[XFRMA_TFCPAD]);
+
+- if (attrs[XFRMA_COADDR]) {
+- x->coaddr = kmemdup(nla_data(attrs[XFRMA_COADDR]),
+- sizeof(*x->coaddr), GFP_KERNEL);
+- if (x->coaddr == NULL)
+- goto error;
+- }
+-
+ xfrm_mark_get(attrs, &x->mark);
+
+ err = __xfrm_init_state(x, false);
+--
+2.30.2
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
