--- /dev/null
+From 60e5ddcd93214194d629101f59636e298cbe4d00 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 May 2021 14:53:36 +0800
+Subject: atm: iphase: fix possible use-after-free in ia_module_exit()
+
+From: Zou Wei <zou_wei@huawei.com>
+
+[ Upstream commit 1c72e6ab66b9598cac741ed397438a52065a8f1f ]
+
+This module's remove path calls del_timer(). However, that function
+does not wait until the timer handler finishes. This means that the
+timer handler may still be running after the driver's remove function
+has finished, which would result in a use-after-free.
+
+Fix by calling del_timer_sync(), which makes sure the timer handler
+has finished, and unable to re-schedule itself.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zou Wei <zou_wei@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/atm/iphase.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/atm/iphase.c b/drivers/atm/iphase.c
+index eef637fd90b3..a59554e5b8b0 100644
+--- a/drivers/atm/iphase.c
++++ b/drivers/atm/iphase.c
+@@ -3279,7 +3279,7 @@ static void __exit ia_module_exit(void)
+ {
+ pci_unregister_driver(&ia_driver);
+
+- del_timer(&ia_timer);
++ del_timer_sync(&ia_timer);
+ }
+
+ module_init(ia_module_init);
+--
+2.30.2
+
--- /dev/null
+From 41381f1ffa5a920788aa00755fc84e5dc3567606 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 May 2021 15:00:24 +0800
+Subject: atm: nicstar: Fix possible use-after-free in nicstar_cleanup()
+
+From: Zou Wei <zou_wei@huawei.com>
+
+[ Upstream commit 34e7434ba4e97f4b85c1423a59b2922ba7dff2ea ]
+
+This module's remove path calls del_timer(). However, that function
+does not wait until the timer handler finishes. This means that the
+timer handler may still be running after the driver's remove function
+has finished, which would result in a use-after-free.
+
+Fix by calling del_timer_sync(), which makes sure the timer handler
+has finished, and unable to re-schedule itself.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zou Wei <zou_wei@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/atm/nicstar.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/atm/nicstar.c b/drivers/atm/nicstar.c
+index 09ad73361879..1351b05a3097 100644
+--- a/drivers/atm/nicstar.c
++++ b/drivers/atm/nicstar.c
+@@ -297,7 +297,7 @@ static void __exit nicstar_cleanup(void)
+ {
+ XPRINTK("nicstar: nicstar_cleanup() called.\n");
+
+- del_timer(&ns_timer);
++ del_timer_sync(&ns_timer);
+
+ pci_unregister_driver(&nicstar_driver);
+
+--
+2.30.2
+
--- /dev/null
+From 4c9a77cd36824893dd9751700bc24ed2a7c2c8b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 20 Jun 2021 15:24:15 +0000
+Subject: atm: nicstar: register the interrupt handler in the right place
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+[ Upstream commit 70b639dc41ad499384e41e106fce72e36805c9f2 ]
+
+Because the error handling is sequential, the application of resources
+should be carried out in the order of error handling, so the operation
+of registering the interrupt handler should be put in front, so as not
+to free the unregistered interrupt handler during error handling.
+
+This log reveals it:
+
+[ 3.438724] Trying to free already-free IRQ 23
+[ 3.439060] WARNING: CPU: 5 PID: 1 at kernel/irq/manage.c:1825 free_irq+0xfb/0x480
+[ 3.440039] Modules linked in:
+[ 3.440257] CPU: 5 PID: 1 Comm: swapper/0 Not tainted 5.12.4-g70e7f0549188-dirty #142
+[ 3.440793] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
+[ 3.441561] RIP: 0010:free_irq+0xfb/0x480
+[ 3.441845] Code: 6e 08 74 6f 4d 89 f4 e8 c3 78 09 00 4d 8b 74 24 18 4d 85 f6 75 e3 e8 b4 78 09 00 8b 75 c8 48 c7 c7 a0 ac d5 85 e8 95 d7 f5 ff <0f> 0b 48 8b 75 c0 4c 89 ff e8 87 c5 90 03 48 8b 43 40 4c 8b a0 80
+[ 3.443121] RSP: 0000:ffffc90000017b50 EFLAGS: 00010086
+[ 3.443483] RAX: 0000000000000000 RBX: ffff888107c6f000 RCX: 0000000000000000
+[ 3.443972] RDX: 0000000000000000 RSI: ffffffff8123f301 RDI: 00000000ffffffff
+[ 3.444462] RBP: ffffc90000017b90 R08: 0000000000000001 R09: 0000000000000003
+[ 3.444950] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
+[ 3.444994] R13: ffff888107dc0000 R14: ffff888104f6bf00 R15: ffff888107c6f0a8
+[ 3.444994] FS: 0000000000000000(0000) GS:ffff88817bd40000(0000) knlGS:0000000000000000
+[ 3.444994] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 3.444994] CR2: 0000000000000000 CR3: 000000000642e000 CR4: 00000000000006e0
+[ 3.444994] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 3.444994] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 3.444994] Call Trace:
+[ 3.444994] ns_init_card_error+0x18e/0x250
+[ 3.444994] nicstar_init_one+0x10d2/0x1130
+[ 3.444994] local_pci_probe+0x4a/0xb0
+[ 3.444994] pci_device_probe+0x126/0x1d0
+[ 3.444994] ? pci_device_remove+0x100/0x100
+[ 3.444994] really_probe+0x27e/0x650
+[ 3.444994] driver_probe_device+0x84/0x1d0
+[ 3.444994] ? mutex_lock_nested+0x16/0x20
+[ 3.444994] device_driver_attach+0x63/0x70
+[ 3.444994] __driver_attach+0x117/0x1a0
+[ 3.444994] ? device_driver_attach+0x70/0x70
+[ 3.444994] bus_for_each_dev+0xb6/0x110
+[ 3.444994] ? rdinit_setup+0x40/0x40
+[ 3.444994] driver_attach+0x22/0x30
+[ 3.444994] bus_add_driver+0x1e6/0x2a0
+[ 3.444994] driver_register+0xa4/0x180
+[ 3.444994] __pci_register_driver+0x77/0x80
+[ 3.444994] ? uPD98402_module_init+0xd/0xd
+[ 3.444994] nicstar_init+0x1f/0x75
+[ 3.444994] do_one_initcall+0x7a/0x3d0
+[ 3.444994] ? rdinit_setup+0x40/0x40
+[ 3.444994] ? rcu_read_lock_sched_held+0x4a/0x70
+[ 3.444994] kernel_init_freeable+0x2a7/0x2f9
+[ 3.444994] ? rest_init+0x2c0/0x2c0
+[ 3.444994] kernel_init+0x13/0x180
+[ 3.444994] ? rest_init+0x2c0/0x2c0
+[ 3.444994] ? rest_init+0x2c0/0x2c0
+[ 3.444994] ret_from_fork+0x1f/0x30
+[ 3.444994] Kernel panic - not syncing: panic_on_warn set ...
+[ 3.444994] CPU: 5 PID: 1 Comm: swapper/0 Not tainted 5.12.4-g70e7f0549188-dirty #142
+[ 3.444994] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
+[ 3.444994] Call Trace:
+[ 3.444994] dump_stack+0xba/0xf5
+[ 3.444994] ? free_irq+0xfb/0x480
+[ 3.444994] panic+0x155/0x3ed
+[ 3.444994] ? __warn+0xed/0x150
+[ 3.444994] ? free_irq+0xfb/0x480
+[ 3.444994] __warn+0x103/0x150
+[ 3.444994] ? free_irq+0xfb/0x480
+[ 3.444994] report_bug+0x119/0x1c0
+[ 3.444994] handle_bug+0x3b/0x80
+[ 3.444994] exc_invalid_op+0x18/0x70
+[ 3.444994] asm_exc_invalid_op+0x12/0x20
+[ 3.444994] RIP: 0010:free_irq+0xfb/0x480
+[ 3.444994] Code: 6e 08 74 6f 4d 89 f4 e8 c3 78 09 00 4d 8b 74 24 18 4d 85 f6 75 e3 e8 b4 78 09 00 8b 75 c8 48 c7 c7 a0 ac d5 85 e8 95 d7 f5 ff <0f> 0b 48 8b 75 c0 4c 89 ff e8 87 c5 90 03 48 8b 43 40 4c 8b a0 80
+[ 3.444994] RSP: 0000:ffffc90000017b50 EFLAGS: 00010086
+[ 3.444994] RAX: 0000000000000000 RBX: ffff888107c6f000 RCX: 0000000000000000
+[ 3.444994] RDX: 0000000000000000 RSI: ffffffff8123f301 RDI: 00000000ffffffff
+[ 3.444994] RBP: ffffc90000017b90 R08: 0000000000000001 R09: 0000000000000003
+[ 3.444994] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
+[ 3.444994] R13: ffff888107dc0000 R14: ffff888104f6bf00 R15: ffff888107c6f0a8
+[ 3.444994] ? vprintk_func+0x71/0x110
+[ 3.444994] ns_init_card_error+0x18e/0x250
+[ 3.444994] nicstar_init_one+0x10d2/0x1130
+[ 3.444994] local_pci_probe+0x4a/0xb0
+[ 3.444994] pci_device_probe+0x126/0x1d0
+[ 3.444994] ? pci_device_remove+0x100/0x100
+[ 3.444994] really_probe+0x27e/0x650
+[ 3.444994] driver_probe_device+0x84/0x1d0
+[ 3.444994] ? mutex_lock_nested+0x16/0x20
+[ 3.444994] device_driver_attach+0x63/0x70
+[ 3.444994] __driver_attach+0x117/0x1a0
+[ 3.444994] ? device_driver_attach+0x70/0x70
+[ 3.444994] bus_for_each_dev+0xb6/0x110
+[ 3.444994] ? rdinit_setup+0x40/0x40
+[ 3.444994] driver_attach+0x22/0x30
+[ 3.444994] bus_add_driver+0x1e6/0x2a0
+[ 3.444994] driver_register+0xa4/0x180
+[ 3.444994] __pci_register_driver+0x77/0x80
+[ 3.444994] ? uPD98402_module_init+0xd/0xd
+[ 3.444994] nicstar_init+0x1f/0x75
+[ 3.444994] do_one_initcall+0x7a/0x3d0
+[ 3.444994] ? rdinit_setup+0x40/0x40
+[ 3.444994] ? rcu_read_lock_sched_held+0x4a/0x70
+[ 3.444994] kernel_init_freeable+0x2a7/0x2f9
+[ 3.444994] ? rest_init+0x2c0/0x2c0
+[ 3.444994] kernel_init+0x13/0x180
+[ 3.444994] ? rest_init+0x2c0/0x2c0
+[ 3.444994] ? rest_init+0x2c0/0x2c0
+[ 3.444994] ret_from_fork+0x1f/0x30
+[ 3.444994] Dumping ftrace buffer:
+[ 3.444994] (ftrace buffer empty)
+[ 3.444994] Kernel Offset: disabled
+[ 3.444994] Rebooting in 1 seconds..
+
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/atm/nicstar.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/atm/nicstar.c b/drivers/atm/nicstar.c
+index ce92ee95497a..6eb4ed256a7e 100644
+--- a/drivers/atm/nicstar.c
++++ b/drivers/atm/nicstar.c
+@@ -525,6 +525,15 @@ static int ns_init_card(int i, struct pci_dev *pcidev)
+ /* Set the VPI/VCI MSb mask to zero so we can receive OAM cells */
+ writel(0x00000000, card->membase + VPM);
+
++ card->intcnt = 0;
++ if (request_irq
++ (pcidev->irq, &ns_irq_handler, IRQF_SHARED, "nicstar", card) != 0) {
++ pr_err("nicstar%d: can't allocate IRQ %d.\n", i, pcidev->irq);
++ error = 9;
++ ns_init_card_error(card, error);
++ return error;
++ }
++
+ /* Initialize TSQ */
+ card->tsq.org = dma_alloc_coherent(&card->pcidev->dev,
+ NS_TSQSIZE + NS_TSQ_ALIGNMENT,
+@@ -751,15 +760,6 @@ static int ns_init_card(int i, struct pci_dev *pcidev)
+
+ card->efbie = 1;
+
+- card->intcnt = 0;
+- if (request_irq
+- (pcidev->irq, &ns_irq_handler, IRQF_SHARED, "nicstar", card) != 0) {
+- printk("nicstar%d: can't allocate IRQ %d.\n", i, pcidev->irq);
+- error = 9;
+- ns_init_card_error(card, error);
+- return error;
+- }
+-
+ /* Register device */
+ card->atmdev = atm_dev_register("nicstar", &card->pcidev->dev, &atm_ops,
+ -1, NULL);
+--
+2.30.2
+
--- /dev/null
+From deb784a0df30abf6b58b47675f86378824900d6d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 20 Jun 2021 15:24:14 +0000
+Subject: atm: nicstar: use 'dma_free_coherent' instead of 'kfree'
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+[ Upstream commit 6a1e5a4af17e440dd82a58a2c5f40ff17a82b722 ]
+
+When 'nicstar_init_one' fails, 'ns_init_card_error' will be executed for
+error handling, but the correct memory free function should be used,
+otherwise it will cause an error. Since 'card->rsq.org' and
+'card->tsq.org' are allocated using 'dma_alloc_coherent' function, they
+should be freed using 'dma_free_coherent'.
+
+Fix this by using 'dma_free_coherent' instead of 'kfree'
+
+This log reveals it:
+
+[ 3.440294] kernel BUG at mm/slub.c:4206!
+[ 3.441059] invalid opcode: 0000 [#1] PREEMPT SMP PTI
+[ 3.441430] CPU: 2 PID: 1 Comm: swapper/0 Not tainted 5.12.4-g70e7f0549188-dirty #141
+[ 3.441986] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
+[ 3.442780] RIP: 0010:kfree+0x26a/0x300
+[ 3.443065] Code: e8 3a c3 b9 ff e9 d6 fd ff ff 49 8b 45 00 31 db a9 00 00 01 00 75 4d 49 8b 45 00 a9 00 00 01 00 75 0a 49 8b 45 08 a8 01 75 02 <0f> 0b 89 d9 b8 00 10 00 00 be 06 00 00 00 48 d3 e0 f7 d8 48 63 d0
+[ 3.443396] RSP: 0000:ffffc90000017b70 EFLAGS: 00010246
+[ 3.443396] RAX: dead000000000100 RBX: 0000000000000000 RCX: 0000000000000000
+[ 3.443396] RDX: 0000000000000000 RSI: ffffffff85d3df94 RDI: ffffffff85df38e6
+[ 3.443396] RBP: ffffc90000017b90 R08: 0000000000000001 R09: 0000000000000001
+[ 3.443396] R10: 0000000000000000 R11: 0000000000000001 R12: ffff888107dc0000
+[ 3.443396] R13: ffffea00001f0100 R14: ffff888101a8bf00 R15: ffff888107dc0160
+[ 3.443396] FS: 0000000000000000(0000) GS:ffff88817bc80000(0000) knlGS:0000000000000000
+[ 3.443396] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 3.443396] CR2: 0000000000000000 CR3: 000000000642e000 CR4: 00000000000006e0
+[ 3.443396] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 3.443396] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 3.443396] Call Trace:
+[ 3.443396] ns_init_card_error+0x12c/0x220
+[ 3.443396] nicstar_init_one+0x10d2/0x1130
+[ 3.443396] local_pci_probe+0x4a/0xb0
+[ 3.443396] pci_device_probe+0x126/0x1d0
+[ 3.443396] ? pci_device_remove+0x100/0x100
+[ 3.443396] really_probe+0x27e/0x650
+[ 3.443396] driver_probe_device+0x84/0x1d0
+[ 3.443396] ? mutex_lock_nested+0x16/0x20
+[ 3.443396] device_driver_attach+0x63/0x70
+[ 3.443396] __driver_attach+0x117/0x1a0
+[ 3.443396] ? device_driver_attach+0x70/0x70
+[ 3.443396] bus_for_each_dev+0xb6/0x110
+[ 3.443396] ? rdinit_setup+0x40/0x40
+[ 3.443396] driver_attach+0x22/0x30
+[ 3.443396] bus_add_driver+0x1e6/0x2a0
+[ 3.443396] driver_register+0xa4/0x180
+[ 3.443396] __pci_register_driver+0x77/0x80
+[ 3.443396] ? uPD98402_module_init+0xd/0xd
+[ 3.443396] nicstar_init+0x1f/0x75
+[ 3.443396] do_one_initcall+0x7a/0x3d0
+[ 3.443396] ? rdinit_setup+0x40/0x40
+[ 3.443396] ? rcu_read_lock_sched_held+0x4a/0x70
+[ 3.443396] kernel_init_freeable+0x2a7/0x2f9
+[ 3.443396] ? rest_init+0x2c0/0x2c0
+[ 3.443396] kernel_init+0x13/0x180
+[ 3.443396] ? rest_init+0x2c0/0x2c0
+[ 3.443396] ? rest_init+0x2c0/0x2c0
+[ 3.443396] ret_from_fork+0x1f/0x30
+[ 3.443396] Modules linked in:
+[ 3.443396] Dumping ftrace buffer:
+[ 3.443396] (ftrace buffer empty)
+[ 3.458593] ---[ end trace 3c6f8f0d8ef59bcd ]---
+[ 3.458922] RIP: 0010:kfree+0x26a/0x300
+[ 3.459198] Code: e8 3a c3 b9 ff e9 d6 fd ff ff 49 8b 45 00 31 db a9 00 00 01 00 75 4d 49 8b 45 00 a9 00 00 01 00 75 0a 49 8b 45 08 a8 01 75 02 <0f> 0b 89 d9 b8 00 10 00 00 be 06 00 00 00 48 d3 e0 f7 d8 48 63 d0
+[ 3.460499] RSP: 0000:ffffc90000017b70 EFLAGS: 00010246
+[ 3.460870] RAX: dead000000000100 RBX: 0000000000000000 RCX: 0000000000000000
+[ 3.461371] RDX: 0000000000000000 RSI: ffffffff85d3df94 RDI: ffffffff85df38e6
+[ 3.461873] RBP: ffffc90000017b90 R08: 0000000000000001 R09: 0000000000000001
+[ 3.462372] R10: 0000000000000000 R11: 0000000000000001 R12: ffff888107dc0000
+[ 3.462871] R13: ffffea00001f0100 R14: ffff888101a8bf00 R15: ffff888107dc0160
+[ 3.463368] FS: 0000000000000000(0000) GS:ffff88817bc80000(0000) knlGS:0000000000000000
+[ 3.463949] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 3.464356] CR2: 0000000000000000 CR3: 000000000642e000 CR4: 00000000000006e0
+[ 3.464856] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 3.465356] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 3.465860] Kernel panic - not syncing: Fatal exception
+[ 3.466370] Dumping ftrace buffer:
+[ 3.466616] (ftrace buffer empty)
+[ 3.466871] Kernel Offset: disabled
+[ 3.467122] Rebooting in 1 seconds..
+
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/atm/nicstar.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/atm/nicstar.c b/drivers/atm/nicstar.c
+index 1351b05a3097..ce92ee95497a 100644
+--- a/drivers/atm/nicstar.c
++++ b/drivers/atm/nicstar.c
+@@ -837,10 +837,12 @@ static void ns_init_card_error(ns_dev *card, int error)
+ dev_kfree_skb_any(hb);
+ }
+ if (error >= 12) {
+- kfree(card->rsq.org);
++ dma_free_coherent(&card->pcidev->dev, NS_RSQSIZE + NS_RSQ_ALIGNMENT,
++ card->rsq.org, card->rsq.dma);
+ }
+ if (error >= 11) {
+- kfree(card->tsq.org);
++ dma_free_coherent(&card->pcidev->dev, NS_TSQSIZE + NS_TSQ_ALIGNMENT,
++ card->tsq.org, card->tsq.dma);
+ }
+ if (error >= 10) {
+ free_irq(card->pcidev->irq, card);
+--
+2.30.2
+
--- /dev/null
+From 324688488f3ac9d25cc46c4c060c1c5dfd33d696 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 May 2021 10:25:46 -0700
+Subject: Bluetooth: btusb: Add a new QCA_ROME device (0cf3:e500)
+
+From: Daniel Lenski <dlenski@gmail.com>
+
+[ Upstream commit 0324d19cb99804d99e42c990b8b1e191575a091b ]
+
+This patch adds the 0cf3:e500 Bluetooth device (from a QCA9377 board) as a
+QCA_ROME device. It appears to be functionally identical to another device
+ID, also from a QCA9377 board, which was previously marked as QCA_ROME in
+0a03f98b98c201191e3ba15a0e33f46d8660e1fd
+("Bluetooth: Add a new 04ca:3015 QCA_ROME device").
+
+Without this patch, the WiFi side of the QCA9377 board is slow or unusable
+when the Bluetooth side is in use.
+
+See https://askubuntu.com/a/1137852 for another report of QCA_ROME fixing
+this issue for this device ID.
+
+/sys/kernel/debug/usb/devices:
+
+T: Bus=05 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=12 MxCh= 0
+D: Ver= 2.01 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=0cf3 ProdID=e500 Rev= 0.01
+C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
+I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
+E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
+E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
+I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
+E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
+I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
+E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
+I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
+E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
+I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
+E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
+I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
+E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
+I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
+E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
+
+Signed-off-by: Daniel Lenski <dlenski@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btusb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index 8195333e5665..8f38a2a7da8c 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -269,6 +269,8 @@ static const struct usb_device_id blacklist_table[] = {
+ BTUSB_WIDEBAND_SPEECH },
+ { USB_DEVICE(0x0cf3, 0xe360), .driver_info = BTUSB_QCA_ROME |
+ BTUSB_WIDEBAND_SPEECH },
++ { USB_DEVICE(0x0cf3, 0xe500), .driver_info = BTUSB_QCA_ROME |
++ BTUSB_WIDEBAND_SPEECH },
+ { USB_DEVICE(0x0489, 0xe092), .driver_info = BTUSB_QCA_ROME |
+ BTUSB_WIDEBAND_SPEECH },
+ { USB_DEVICE(0x0489, 0xe09f), .driver_info = BTUSB_QCA_ROME |
+--
+2.30.2
+
--- /dev/null
+From 38bb497594f943ab48c933546219f5c69eee47d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 May 2021 11:19:01 +0800
+Subject: Bluetooth: btusb: Add support USB ALT 3 for WBS
+
+From: Hilda Wu <hildawu@realtek.com>
+
+[ Upstream commit e848dbd364aca44c9d23c04bef964fab79e2b34f ]
+
+Because mSBC frames do not need to be aligned to the SCO packet
+boundary. Using USB ALT 3 let HCI payload >= 60 bytes, let mSBC
+data satisfy 60 Bytes avoid payload unaligned situation and fixed
+some headset no voise issue.
+
+USB Alt 3 supported also need HFP support transparent MTU in 72 Bytes.
+
+Signed-off-by: Hilda Wu <hildawu@realtek.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btusb.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index 8f38a2a7da8c..b3c63e06838d 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -1721,6 +1721,13 @@ static void btusb_work(struct work_struct *work)
+ * which work with WBS at all.
+ */
+ new_alts = btusb_find_altsetting(data, 6) ? 6 : 1;
++ /* Because mSBC frames do not need to be aligned to the
++ * SCO packet boundary. If support the Alt 3, use the
++ * Alt 3 for HCI payload >= 60 Bytes let air packet
++ * data satisfy 60 bytes.
++ */
++ if (new_alts == 1 && btusb_find_altsetting(data, 3))
++ new_alts = 3;
+ }
+
+ if (btusb_switch_alt_setting(hdev, new_alts) < 0)
+--
+2.30.2
+
--- /dev/null
+From 864d26803c4e078395a4afaa3d7731c28f9452c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jun 2021 17:57:10 +0800
+Subject: Bluetooth: btusb: fix bt fiwmare downloading failure issue for qca
+ btsoc.
+
+From: Tim Jiang <tjiang@codeaurora.org>
+
+[ Upstream commit 4f00bfb372674d586c4a261bfc595cbce101fbb6 ]
+
+This is btsoc timing issue, after host start to downloading bt firmware,
+ep2 need time to switch from function acl to function dfu, so host add
+20ms delay as workaround.
+
+Signed-off-by: Tim Jiang <tjiang@codeaurora.org>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btusb.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index b3c63e06838d..afd2b1f12d49 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -3558,6 +3558,11 @@ static int btusb_setup_qca_download_fw(struct hci_dev *hdev,
+ sent += size;
+ count -= size;
+
++ /* ep2 need time to switch from function acl to function dfu,
++ * so we add 20ms delay here.
++ */
++ msleep(20);
++
+ while (count) {
+ size = min_t(size_t, count, QCA_DFU_PACKET_LEN);
+
+--
+2.30.2
+
--- /dev/null
+From 853ac75de7a94295dc77d86d4781e41c9673d284 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Apr 2021 23:06:26 +0800
+Subject: Bluetooth: btusb: Fixed too many in-token issue for Mediatek Chip.
+
+From: mark-yw.chen <mark-yw.chen@mediatek.com>
+
+[ Upstream commit 8454ed9ff9647e31e061fb5eb2e39ce79bc5e960 ]
+
+This patch reduce in-token during download patch procedure.
+Don't submit urb for polling event before sending hci command.
+
+Signed-off-by: mark-yw.chen <mark-yw.chen@mediatek.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btusb.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index b1f0b13cc8bc..8195333e5665 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -2963,11 +2963,6 @@ static int btusb_mtk_hci_wmt_sync(struct hci_dev *hdev,
+ struct btmtk_wmt_hdr *hdr;
+ int err;
+
+- /* Submit control IN URB on demand to process the WMT event */
+- err = btusb_mtk_submit_wmt_recv_urb(hdev);
+- if (err < 0)
+- return err;
+-
+ /* Send the WMT command and wait until the WMT event returns */
+ hlen = sizeof(*hdr) + wmt_params->dlen;
+ if (hlen > 255)
+@@ -2989,6 +2984,11 @@ static int btusb_mtk_hci_wmt_sync(struct hci_dev *hdev,
+ return err;
+ }
+
++ /* Submit control IN URB on demand to process the WMT event */
++ err = btusb_mtk_submit_wmt_recv_urb(hdev);
++ if (err < 0)
++ return err;
++
+ /* The vendor specific WMT commands are all answered by a vendor
+ * specific event and will have the Command Status or Command
+ * Complete as with usual HCI command flow control.
+--
+2.30.2
+
--- /dev/null
+From d9af2c22f5004b98aadbf63ebfaf8b6498619bd1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Apr 2021 22:31:59 +0530
+Subject: Bluetooth: Fix alt settings for incoming SCO with transparent coding
+ format
+
+From: Kiran K <kiran.k@intel.com>
+
+[ Upstream commit 06d213d8a89a6f55b708422c3dda2b22add10748 ]
+
+For incoming SCO connection with transparent coding format, alt setting
+of CVSD is getting applied instead of Transparent.
+
+Before fix:
+< HCI Command: Accept Synchron.. (0x01|0x0029) plen 21 #2196 [hci0] 321.342548
+ Address: 1C:CC:D6:E2:EA:80 (Xiaomi Communications Co Ltd)
+ Transmit bandwidth: 8000
+ Receive bandwidth: 8000
+ Max latency: 13
+ Setting: 0x0003
+ Input Coding: Linear
+ Input Data Format: 1's complement
+ Input Sample Size: 8-bit
+ # of bits padding at MSB: 0
+ Air Coding Format: Transparent Data
+ Retransmission effort: Optimize for link quality (0x02)
+ Packet type: 0x003f
+ HV1 may be used
+ HV2 may be used
+ HV3 may be used
+ EV3 may be used
+ EV4 may be used
+ EV5 may be used
+> HCI Event: Command Status (0x0f) plen 4 #2197 [hci0] 321.343585
+ Accept Synchronous Connection Request (0x01|0x0029) ncmd 1
+ Status: Success (0x00)
+> HCI Event: Synchronous Connect Comp.. (0x2c) plen 17 #2198 [hci0] 321.351666
+ Status: Success (0x00)
+ Handle: 257
+ Address: 1C:CC:D6:E2:EA:80 (Xiaomi Communications Co Ltd)
+ Link type: eSCO (0x02)
+ Transmission interval: 0x0c
+ Retransmission window: 0x04
+ RX packet length: 60
+ TX packet length: 60
+ Air mode: Transparent (0x03)
+........
+> SCO Data RX: Handle 257 flags 0x00 dlen 48 #2336 [hci0] 321.383655
+< SCO Data TX: Handle 257 flags 0x00 dlen 60 #2337 [hci0] 321.389558
+> SCO Data RX: Handle 257 flags 0x00 dlen 48 #2338 [hci0] 321.393615
+> SCO Data RX: Handle 257 flags 0x00 dlen 48 #2339 [hci0] 321.393618
+> SCO Data RX: Handle 257 flags 0x00 dlen 48 #2340 [hci0] 321.393618
+< SCO Data TX: Handle 257 flags 0x00 dlen 60 #2341 [hci0] 321.397070
+> SCO Data RX: Handle 257 flags 0x00 dlen 48 #2342 [hci0] 321.403622
+> SCO Data RX: Handle 257 flags 0x00 dlen 48 #2343 [hci0] 321.403625
+> SCO Data RX: Handle 257 flags 0x00 dlen 48 #2344 [hci0] 321.403625
+> SCO Data RX: Handle 257 flags 0x00 dlen 48 #2345 [hci0] 321.403625
+< SCO Data TX: Handle 257 flags 0x00 dlen 60 #2346 [hci0] 321.404569
+< SCO Data TX: Handle 257 flags 0x00 dlen 60 #2347 [hci0] 321.412091
+> SCO Data RX: Handle 257 flags 0x00 dlen 48 #2348 [hci0] 321.413626
+> SCO Data RX: Handle 257 flags 0x00 dlen 48 #2349 [hci0] 321.413630
+> SCO Data RX: Handle 257 flags 0x00 dlen 48 #2350 [hci0] 321.413630
+< SCO Data TX: Handle 257 flags 0x00 dlen 60 #2351 [hci0] 321.419674
+
+After fix:
+
+< HCI Command: Accept Synchronou.. (0x01|0x0029) plen 21 #309 [hci0] 49.439693
+ Address: 1C:CC:D6:E2:EA:80 (Xiaomi Communications Co Ltd)
+ Transmit bandwidth: 8000
+ Receive bandwidth: 8000
+ Max latency: 13
+ Setting: 0x0003
+ Input Coding: Linear
+ Input Data Format: 1's complement
+ Input Sample Size: 8-bit
+ # of bits padding at MSB: 0
+ Air Coding Format: Transparent Data
+ Retransmission effort: Optimize for link quality (0x02)
+ Packet type: 0x003f
+ HV1 may be used
+ HV2 may be used
+ HV3 may be used
+ EV3 may be used
+ EV4 may be used
+ EV5 may be used
+> HCI Event: Command Status (0x0f) plen 4 #310 [hci0] 49.440308
+ Accept Synchronous Connection Request (0x01|0x0029) ncmd 1
+ Status: Success (0x00)
+> HCI Event: Synchronous Connect Complete (0x2c) plen 17 #311 [hci0] 49.449308
+ Status: Success (0x00)
+ Handle: 257
+ Address: 1C:CC:D6:E2:EA:80 (Xiaomi Communications Co Ltd)
+ Link type: eSCO (0x02)
+ Transmission interval: 0x0c
+ Retransmission window: 0x04
+ RX packet length: 60
+ TX packet length: 60
+ Air mode: Transparent (0x03)
+< SCO Data TX: Handle 257 flags 0x00 dlen 60 #312 [hci0] 49.450421
+< SCO Data TX: Handle 257 flags 0x00 dlen 60 #313 [hci0] 49.457927
+> HCI Event: Max Slots Change (0x1b) plen 3 #314 [hci0] 49.460345
+ Handle: 256
+ Max slots: 5
+< SCO Data TX: Handle 257 flags 0x00 dlen 60 #315 [hci0] 49.465453
+> SCO Data RX: Handle 257 flags 0x00 dlen 60 #316 [hci0] 49.470502
+> SCO Data RX: Handle 257 flags 0x00 dlen 60 #317 [hci0] 49.470519
+< SCO Data TX: Handle 257 flags 0x00 dlen 60 #318 [hci0] 49.472996
+> SCO Data RX: Handle 257 flags 0x00 dlen 60 #319 [hci0] 49.480412
+< SCO Data TX: Handle 257 flags 0x00 dlen 60 #320 [hci0] 49.480492
+< SCO Data TX: Handle 257 flags 0x00 dlen 60 #321 [hci0] 49.487989
+> SCO Data RX: Handle 257 flags 0x00 dlen 60 #322 [hci0] 49.490303
+< SCO Data TX: Handle 257 flags 0x00 dlen 60 #323 [hci0] 49.495496
+> SCO Data RX: Handle 257 flags 0x00 dlen 60 #324 [hci0] 49.500304
+> SCO Data RX: Handle 257 flags 0x00 dlen 60 #325 [hci0] 49.500311
+
+Signed-off-by: Kiran K <kiran.k@intel.com>
+Signed-off-by: Lokendra Singh <lokendra.singh@intel.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_event.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index d62ac4b73709..e59ae24a8f17 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -4360,12 +4360,12 @@ static void hci_sync_conn_complete_evt(struct hci_dev *hdev,
+
+ bt_dev_dbg(hdev, "SCO connected with air mode: %02x", ev->air_mode);
+
+- switch (conn->setting & SCO_AIRMODE_MASK) {
+- case SCO_AIRMODE_CVSD:
++ switch (ev->air_mode) {
++ case 0x02:
+ if (hdev->notify)
+ hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_CVSD);
+ break;
+- case SCO_AIRMODE_TRANSP:
++ case 0x03:
+ if (hdev->notify)
+ hdev->notify(hdev, HCI_NOTIFY_ENABLE_SCO_TRANSP);
+ break;
+--
+2.30.2
+
--- /dev/null
+From ca731a6301b11595d995b3f3c1ac0eacdf7c2fe2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Apr 2021 16:53:30 -0700
+Subject: Bluetooth: Fix the HCI to MGMT status conversion table
+
+From: Yu Liu <yudiliu@google.com>
+
+[ Upstream commit 4ef36a52b0e47c80bbfd69c0cce61c7ae9f541ed ]
+
+0x2B, 0x31 and 0x33 are reserved for future use but were not present in
+the HCI to MGMT conversion table, this caused the conversion to be
+incorrect for the HCI status code greater than 0x2A.
+
+Reviewed-by: Miao-chen Chou <mcchou@chromium.org>
+Signed-off-by: Yu Liu <yudiliu@google.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/mgmt.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
+index 13520c7b4f2f..7dfb96946220 100644
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -247,12 +247,15 @@ static const u8 mgmt_status_table[] = {
+ MGMT_STATUS_TIMEOUT, /* Instant Passed */
+ MGMT_STATUS_NOT_SUPPORTED, /* Pairing Not Supported */
+ MGMT_STATUS_FAILED, /* Transaction Collision */
++ MGMT_STATUS_FAILED, /* Reserved for future use */
+ MGMT_STATUS_INVALID_PARAMS, /* Unacceptable Parameter */
+ MGMT_STATUS_REJECTED, /* QoS Rejected */
+ MGMT_STATUS_NOT_SUPPORTED, /* Classification Not Supported */
+ MGMT_STATUS_REJECTED, /* Insufficient Security */
+ MGMT_STATUS_INVALID_PARAMS, /* Parameter Out Of Range */
++ MGMT_STATUS_FAILED, /* Reserved for future use */
+ MGMT_STATUS_BUSY, /* Role Switch Pending */
++ MGMT_STATUS_FAILED, /* Reserved for future use */
+ MGMT_STATUS_FAILED, /* Slot Violation */
+ MGMT_STATUS_FAILED, /* Role Switch Failed */
+ MGMT_STATUS_INVALID_PARAMS, /* EIR Too Large */
+--
+2.30.2
+
--- /dev/null
+From 6c367442e6cc32d56d4cd04c7a8e3c3c7ffc8cde Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 May 2021 13:41:50 -0700
+Subject: Bluetooth: L2CAP: Fix invalid access if ECRED Reconfigure fails
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 1fa20d7d4aad02206e84b74915819fbe9f81dab3 ]
+
+The use of l2cap_chan_del is not safe under a loop using
+list_for_each_entry.
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index cdc386337173..17520133093a 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -6237,7 +6237,7 @@ static inline int l2cap_ecred_reconf_rsp(struct l2cap_conn *conn,
+ struct l2cap_cmd_hdr *cmd, u16 cmd_len,
+ u8 *data)
+ {
+- struct l2cap_chan *chan;
++ struct l2cap_chan *chan, *tmp;
+ struct l2cap_ecred_conn_rsp *rsp = (void *) data;
+ u16 result;
+
+@@ -6251,7 +6251,7 @@ static inline int l2cap_ecred_reconf_rsp(struct l2cap_conn *conn,
+ if (!result)
+ return 0;
+
+- list_for_each_entry(chan, &conn->chan_l, list) {
++ list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
+ if (chan->ident != cmd->ident)
+ continue;
+
+--
+2.30.2
+
--- /dev/null
+From 0dea22401425b58e3a39e24c0b800a0882990380 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 May 2021 13:41:51 -0700
+Subject: Bluetooth: L2CAP: Fix invalid access on ECRED Connection response
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit de895b43932cb47e69480540be7eca289af24f23 ]
+
+The use of l2cap_chan_del is not safe under a loop using
+list_for_each_entry.
+
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 17520133093a..0ddbc415ce15 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -6055,7 +6055,7 @@ static inline int l2cap_ecred_conn_rsp(struct l2cap_conn *conn,
+ struct l2cap_ecred_conn_rsp *rsp = (void *) data;
+ struct hci_conn *hcon = conn->hcon;
+ u16 mtu, mps, credits, result;
+- struct l2cap_chan *chan;
++ struct l2cap_chan *chan, *tmp;
+ int err = 0, sec_level;
+ int i = 0;
+
+@@ -6074,7 +6074,7 @@ static inline int l2cap_ecred_conn_rsp(struct l2cap_conn *conn,
+
+ cmd_len -= sizeof(*rsp);
+
+- list_for_each_entry(chan, &conn->chan_l, list) {
++ list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
+ u16 dcid;
+
+ if (chan->ident != cmd->ident ||
+--
+2.30.2
+
--- /dev/null
+From ceed3361a0cf10fcd09c28575891feb57a3ad718 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 May 2021 10:36:22 -0700
+Subject: Bluetooth: mgmt: Fix the command returns garbage parameter value
+
+From: Tedd Ho-Jeong An <tedd.an@intel.com>
+
+[ Upstream commit 02ce2c2c24024aade65a8d91d6a596651eaf2d0a ]
+
+When the Get Device Flags command fails, it returns the error status
+with the parameters filled with the garbage values. Although the
+parameters are not used, it is better to fill with zero than the random
+values.
+
+Signed-off-by: Tedd Ho-Jeong An <tedd.an@intel.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/mgmt.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
+index 7dfb96946220..31a585fe0c7c 100644
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -4038,6 +4038,8 @@ static int get_device_flags(struct sock *sk, struct hci_dev *hdev, void *data,
+
+ hci_dev_lock(hdev);
+
++ memset(&rp, 0, sizeof(rp));
++
+ if (cp->addr.type == BDADDR_BREDR) {
+ br_params = hci_bdaddr_list_lookup_with_flags(&hdev->whitelist,
+ &cp->addr.bdaddr,
+--
+2.30.2
+
--- /dev/null
+From 924858386356ecbf979a9007e4bb9faf933dbb61 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 May 2021 15:14:52 +0800
+Subject: Bluetooth: Shutdown controller after workqueues are flushed or
+ cancelled
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+[ Upstream commit 0ea9fd001a14ebc294f112b0361a4e601551d508 ]
+
+Rfkill block and unblock Intel USB Bluetooth [8087:0026] may make it
+stops working:
+[ 509.691509] Bluetooth: hci0: HCI reset during shutdown failed
+[ 514.897584] Bluetooth: hci0: MSFT filter_enable is already on
+[ 530.044751] usb 3-10: reset full-speed USB device number 5 using xhci_hcd
+[ 545.660350] usb 3-10: device descriptor read/64, error -110
+[ 561.283530] usb 3-10: device descriptor read/64, error -110
+[ 561.519682] usb 3-10: reset full-speed USB device number 5 using xhci_hcd
+[ 566.686650] Bluetooth: hci0: unexpected event for opcode 0x0500
+[ 568.752452] Bluetooth: hci0: urb 0000000096cd309b failed to resubmit (113)
+[ 578.797955] Bluetooth: hci0: Failed to read MSFT supported features (-110)
+[ 586.286565] Bluetooth: hci0: urb 00000000c522f633 failed to resubmit (113)
+[ 596.215302] Bluetooth: hci0: Failed to read MSFT supported features (-110)
+
+Or kernel panics because other workqueues already freed skb:
+[ 2048.663763] BUG: kernel NULL pointer dereference, address: 0000000000000000
+[ 2048.663775] #PF: supervisor read access in kernel mode
+[ 2048.663779] #PF: error_code(0x0000) - not-present page
+[ 2048.663782] PGD 0 P4D 0
+[ 2048.663787] Oops: 0000 [#1] SMP NOPTI
+[ 2048.663793] CPU: 3 PID: 4491 Comm: rfkill Tainted: G W 5.13.0-rc1-next-20210510+ #20
+[ 2048.663799] Hardware name: HP HP EliteBook 850 G8 Notebook PC/8846, BIOS T76 Ver. 01.01.04 12/02/2020
+[ 2048.663801] RIP: 0010:__skb_ext_put+0x6/0x50
+[ 2048.663814] Code: 8b 1b 48 85 db 75 db 5b 41 5c 5d c3 be 01 00 00 00 e8 de 13 c0 ff eb e7 be 02 00 00 00 e8 d2 13 c0 ff eb db 0f 1f 44 00 00 55 <8b> 07 48 89 e5 83 f8 01 74 14 b8 ff ff ff ff f0 0f c1
+07 83 f8 01
+[ 2048.663819] RSP: 0018:ffffc1d105b6fd80 EFLAGS: 00010286
+[ 2048.663824] RAX: 0000000000000000 RBX: ffff9d9ac5649000 RCX: 0000000000000000
+[ 2048.663827] RDX: ffffffffc0d1daf6 RSI: 0000000000000206 RDI: 0000000000000000
+[ 2048.663830] RBP: ffffc1d105b6fd98 R08: 0000000000000001 R09: ffff9d9ace8ceac0
+[ 2048.663834] R10: ffff9d9ace8ceac0 R11: 0000000000000001 R12: ffff9d9ac5649000
+[ 2048.663838] R13: 0000000000000000 R14: 00007ffe0354d650 R15: 0000000000000000
+[ 2048.663843] FS: 00007fe02ab19740(0000) GS:ffff9d9e5f8c0000(0000) knlGS:0000000000000000
+[ 2048.663849] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 2048.663853] CR2: 0000000000000000 CR3: 0000000111a52004 CR4: 0000000000770ee0
+[ 2048.663856] PKRU: 55555554
+[ 2048.663859] Call Trace:
+[ 2048.663865] ? skb_release_head_state+0x5e/0x80
+[ 2048.663873] kfree_skb+0x2f/0xb0
+[ 2048.663881] btusb_shutdown_intel_new+0x36/0x60 [btusb]
+[ 2048.663905] hci_dev_do_close+0x48c/0x5e0 [bluetooth]
+[ 2048.663954] ? __cond_resched+0x1a/0x50
+[ 2048.663962] hci_rfkill_set_block+0x56/0xa0 [bluetooth]
+[ 2048.664007] rfkill_set_block+0x98/0x170
+[ 2048.664016] rfkill_fop_write+0x136/0x1e0
+[ 2048.664022] vfs_write+0xc7/0x260
+[ 2048.664030] ksys_write+0xb1/0xe0
+[ 2048.664035] ? exit_to_user_mode_prepare+0x37/0x1c0
+[ 2048.664042] __x64_sys_write+0x1a/0x20
+[ 2048.664048] do_syscall_64+0x40/0xb0
+[ 2048.664055] entry_SYSCALL_64_after_hwframe+0x44/0xae
+[ 2048.664060] RIP: 0033:0x7fe02ac23c27
+[ 2048.664066] Code: 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24
+[ 2048.664070] RSP: 002b:00007ffe0354d638 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+[ 2048.664075] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fe02ac23c27
+[ 2048.664078] RDX: 0000000000000008 RSI: 00007ffe0354d650 RDI: 0000000000000003
+[ 2048.664081] RBP: 0000000000000000 R08: 0000559b05998440 R09: 0000559b05998440
+[ 2048.664084] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003
+[ 2048.664086] R13: 0000000000000000 R14: ffffffff00000000 R15: 00000000ffffffff
+
+So move the shutdown callback to a place where workqueues are either
+flushed or cancelled to resolve the issue.
+
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_core.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
+index 86ebfc6ae698..0854f1b35683 100644
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -1713,14 +1713,6 @@ int hci_dev_do_close(struct hci_dev *hdev)
+
+ BT_DBG("%s %p", hdev->name, hdev);
+
+- if (!hci_dev_test_flag(hdev, HCI_UNREGISTER) &&
+- !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
+- test_bit(HCI_UP, &hdev->flags)) {
+- /* Execute vendor specific shutdown routine */
+- if (hdev->shutdown)
+- hdev->shutdown(hdev);
+- }
+-
+ cancel_delayed_work(&hdev->power_off);
+
+ hci_request_cancel_all(hdev);
+@@ -1796,6 +1788,14 @@ int hci_dev_do_close(struct hci_dev *hdev)
+ clear_bit(HCI_INIT, &hdev->flags);
+ }
+
++ if (!hci_dev_test_flag(hdev, HCI_UNREGISTER) &&
++ !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
++ test_bit(HCI_UP, &hdev->flags)) {
++ /* Execute vendor specific shutdown routine */
++ if (hdev->shutdown)
++ hdev->shutdown(hdev);
++ }
++
+ /* flush cmd work */
+ flush_work(&hdev->cmd_work);
+
+--
+2.30.2
+
--- /dev/null
+From 21ff640ec40b953cd38c9e3287cb4629469260d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Jun 2021 11:11:56 -0700
+Subject: bpf: Fix false positive kmemleak report in bpf_ringbuf_area_alloc()
+
+From: Rustam Kovhaev <rkovhaev@gmail.com>
+
+[ Upstream commit ccff81e1d028bbbf8573d3364a87542386c707bf ]
+
+kmemleak scans struct page, but it does not scan the page content. If we
+allocate some memory with kmalloc(), then allocate page with alloc_page(),
+and if we put kmalloc pointer somewhere inside that page, kmemleak will
+report kmalloc pointer as a false positive.
+
+We can instruct kmemleak to scan the memory area by calling kmemleak_alloc()
+and kmemleak_free(), but part of struct bpf_ringbuf is mmaped to user space,
+and if struct bpf_ringbuf changes we would have to revisit and review size
+argument in kmemleak_alloc(), because we do not want kmemleak to scan the
+user space memory. Let's simplify things and use kmemleak_not_leak() here.
+
+For posterity, also adding additional prior analysis from Andrii:
+
+ I think either kmemleak or syzbot are misreporting this. I've added a
+ bunch of printks around all allocations performed by BPF ringbuf. [...]
+ On repro side I get these two warnings:
+
+ [vmuser@archvm bpf]$ sudo ./repro
+ BUG: memory leak
+ unreferenced object 0xffff88810d538c00 (size 64):
+ comm "repro", pid 2140, jiffies 4294692933 (age 14.540s)
+ hex dump (first 32 bytes):
+ 00 af 19 04 00 ea ff ff c0 ae 19 04 00 ea ff ff ................
+ 80 ae 19 04 00 ea ff ff c0 29 2e 04 00 ea ff ff .........)......
+ backtrace:
+ [<0000000077bfbfbd>] __bpf_map_area_alloc+0x31/0xc0
+ [<00000000587fa522>] ringbuf_map_alloc.cold.4+0x48/0x218
+ [<0000000044d49e96>] __do_sys_bpf+0x359/0x1d90
+ [<00000000f601d565>] do_syscall_64+0x2d/0x40
+ [<0000000043d3112a>] entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+ BUG: memory leak
+ unreferenced object 0xffff88810d538c80 (size 64):
+ comm "repro", pid 2143, jiffies 4294699025 (age 8.448s)
+ hex dump (first 32 bytes):
+ 80 aa 19 04 00 ea ff ff 00 ab 19 04 00 ea ff ff ................
+ c0 ab 19 04 00 ea ff ff 80 44 28 04 00 ea ff ff .........D(.....
+ backtrace:
+ [<0000000077bfbfbd>] __bpf_map_area_alloc+0x31/0xc0
+ [<00000000587fa522>] ringbuf_map_alloc.cold.4+0x48/0x218
+ [<0000000044d49e96>] __do_sys_bpf+0x359/0x1d90
+ [<00000000f601d565>] do_syscall_64+0x2d/0x40
+ [<0000000043d3112a>] entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+ Note that both reported leaks (ffff88810d538c80 and ffff88810d538c00)
+ correspond to pages array bpf_ringbuf is allocating and tracking properly
+ internally. Note also that syzbot repro doesn't close FD of created BPF
+ ringbufs, and even when ./repro itself exits with error, there are still
+ two forked processes hanging around in my system. So clearly ringbuf maps
+ are alive at that point. So reporting any memory leak looks weird at that
+ point, because that memory is being used by active referenced BPF ringbuf.
+
+ It's also a question why repro doesn't clean up its forks. But if I do a
+ `pkill repro`, I do see that all the allocated memory is /properly/ cleaned
+ up [and the] "leaks" are deallocated properly.
+
+ BTW, if I add close() right after bpf() syscall in syzbot repro, I see that
+ everything is immediately deallocated, like designed. And no memory leak
+ is reported. So I don't think the problem is anywhere in bpf_ringbuf code,
+ rather in the leak detection and/or repro itself.
+
+Reported-by: syzbot+5d895828587f49e7fe9b@syzkaller.appspotmail.com
+Signed-off-by: Rustam Kovhaev <rkovhaev@gmail.com>
+[ Daniel: also included analysis from Andrii to the commit log ]
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Tested-by: syzbot+5d895828587f49e7fe9b@syzkaller.appspotmail.com
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/CAEf4BzYk+dqs+jwu6VKXP-RttcTEGFe+ySTGWT9CRNkagDiJVA@mail.gmail.com
+Link: https://lore.kernel.org/lkml/YNTAqiE7CWJhOK2M@nuc10
+Link: https://lore.kernel.org/lkml/20210615101515.GC26027@arm.com
+Link: https://syzkaller.appspot.com/bug?extid=5d895828587f49e7fe9b
+Link: https://lore.kernel.org/bpf/20210626181156.1873604-1-rkovhaev@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/ringbuf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/bpf/ringbuf.c b/kernel/bpf/ringbuf.c
+index add0b34f2b34..f9913bc65ef8 100644
+--- a/kernel/bpf/ringbuf.c
++++ b/kernel/bpf/ringbuf.c
+@@ -8,6 +8,7 @@
+ #include <linux/vmalloc.h>
+ #include <linux/wait.h>
+ #include <linux/poll.h>
++#include <linux/kmemleak.h>
+ #include <uapi/linux/btf.h>
+
+ #define RINGBUF_CREATE_FLAG_MASK (BPF_F_NUMA_NODE)
+@@ -109,6 +110,7 @@ static struct bpf_ringbuf *bpf_ringbuf_area_alloc(size_t data_sz, int numa_node)
+ rb = vmap(pages, nr_meta_pages + 2 * nr_data_pages,
+ VM_ALLOC | VM_USERMAP, PAGE_KERNEL);
+ if (rb) {
++ kmemleak_not_leak(pages);
+ rb->pages = pages;
+ rb->nr_pages = nr_pages;
+ return rb;
+--
+2.30.2
+
--- /dev/null
+From db828581326d3ae206f5a93b7447b4a067cd112f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 11:25:11 +0200
+Subject: bpf: Fix up register-based shifts in interpreter to silence KUBSAN
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit 28131e9d933339a92f78e7ab6429f4aaaa07061c ]
+
+syzbot reported a shift-out-of-bounds that KUBSAN observed in the
+interpreter:
+
+ [...]
+ UBSAN: shift-out-of-bounds in kernel/bpf/core.c:1420:2
+ shift exponent 255 is too large for 64-bit type 'long long unsigned int'
+ CPU: 1 PID: 11097 Comm: syz-executor.4 Not tainted 5.12.0-rc2-syzkaller #0
+ Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+ Call Trace:
+ __dump_stack lib/dump_stack.c:79 [inline]
+ dump_stack+0x141/0x1d7 lib/dump_stack.c:120
+ ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
+ __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:327
+ ___bpf_prog_run.cold+0x19/0x56c kernel/bpf/core.c:1420
+ __bpf_prog_run32+0x8f/0xd0 kernel/bpf/core.c:1735
+ bpf_dispatcher_nop_func include/linux/bpf.h:644 [inline]
+ bpf_prog_run_pin_on_cpu include/linux/filter.h:624 [inline]
+ bpf_prog_run_clear_cb include/linux/filter.h:755 [inline]
+ run_filter+0x1a1/0x470 net/packet/af_packet.c:2031
+ packet_rcv+0x313/0x13e0 net/packet/af_packet.c:2104
+ dev_queue_xmit_nit+0x7c2/0xa90 net/core/dev.c:2387
+ xmit_one net/core/dev.c:3588 [inline]
+ dev_hard_start_xmit+0xad/0x920 net/core/dev.c:3609
+ __dev_queue_xmit+0x2121/0x2e00 net/core/dev.c:4182
+ __bpf_tx_skb net/core/filter.c:2116 [inline]
+ __bpf_redirect_no_mac net/core/filter.c:2141 [inline]
+ __bpf_redirect+0x548/0xc80 net/core/filter.c:2164
+ ____bpf_clone_redirect net/core/filter.c:2448 [inline]
+ bpf_clone_redirect+0x2ae/0x420 net/core/filter.c:2420
+ ___bpf_prog_run+0x34e1/0x77d0 kernel/bpf/core.c:1523
+ __bpf_prog_run512+0x99/0xe0 kernel/bpf/core.c:1737
+ bpf_dispatcher_nop_func include/linux/bpf.h:644 [inline]
+ bpf_test_run+0x3ed/0xc50 net/bpf/test_run.c:50
+ bpf_prog_test_run_skb+0xabc/0x1c50 net/bpf/test_run.c:582
+ bpf_prog_test_run kernel/bpf/syscall.c:3127 [inline]
+ __do_sys_bpf+0x1ea9/0x4f00 kernel/bpf/syscall.c:4406
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+ [...]
+
+Generally speaking, KUBSAN reports from the kernel should be fixed.
+However, in case of BPF, this particular report caused concerns since
+the large shift is not wrong from BPF point of view, just undefined.
+In the verifier, K-based shifts that are >= {64,32} (depending on the
+bitwidth of the instruction) are already rejected. The register-based
+cases were not given their content might not be known at verification
+time. Ideas such as verifier instruction rewrite with an additional
+AND instruction for the source register were brought up, but regularly
+rejected due to the additional runtime overhead they incur.
+
+As Edward Cree rightly put it:
+
+ Shifts by more than insn bitness are legal in the BPF ISA; they are
+ implementation-defined behaviour [of the underlying architecture],
+ rather than UB, and have been made legal for performance reasons.
+ Each of the JIT backends compiles the BPF shift operations to machine
+ instructions which produce implementation-defined results in such a
+ case; the resulting contents of the register may be arbitrary but
+ program behaviour as a whole remains defined.
+
+ Guard checks in the fast path (i.e. affecting JITted code) will thus
+ not be accepted.
+
+ The case of division by zero is not truly analogous here, as division
+ instructions on many of the JIT-targeted architectures will raise a
+ machine exception / fault on division by zero, whereas (to the best
+ of my knowledge) none will do so on an out-of-bounds shift.
+
+Given the KUBSAN report only affects the BPF interpreter, but not JITs,
+one solution is to add the ANDs with 63 or 31 into ___bpf_prog_run().
+That would make the shifts defined, and thus shuts up KUBSAN, and the
+compiler would optimize out the AND on any CPU that interprets the shift
+amounts modulo the width anyway (e.g., confirmed from disassembly that
+on x86-64 and arm64 the generated interpreter code is the same before
+and after this fix).
+
+The BPF interpreter is slow path, and most likely compiled out anyway
+as distros select BPF_JIT_ALWAYS_ON to avoid speculative execution of
+BPF instructions by the interpreter. Given the main argument was to
+avoid sacrificing performance, the fact that the AND is optimized away
+from compiler for mainstream archs helps as well as a solution moving
+forward. Also add a comment on LSH/RSH/ARSH translation for JIT authors
+to provide guidance when they see the ___bpf_prog_run() interpreter
+code and use it as a model for a new JIT backend.
+
+Reported-by: syzbot+bed360704c521841c85d@syzkaller.appspotmail.com
+Reported-by: Kurt Manucredo <fuzzybritches0@gmail.com>
+Signed-off-by: Eric Biggers <ebiggers@kernel.org>
+Co-developed-by: Eric Biggers <ebiggers@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Andrii Nakryiko <andrii@kernel.org>
+Tested-by: syzbot+bed360704c521841c85d@syzkaller.appspotmail.com
+Cc: Edward Cree <ecree.xilinx@gmail.com>
+Link: https://lore.kernel.org/bpf/0000000000008f912605bd30d5d7@google.com
+Link: https://lore.kernel.org/bpf/bac16d8d-c174-bdc4-91bd-bfa62b410190@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/core.c | 61 +++++++++++++++++++++++++++++++++--------------
+ 1 file changed, 43 insertions(+), 18 deletions(-)
+
+diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
+index 182e162f8fd0..239c6b3b5993 100644
+--- a/kernel/bpf/core.c
++++ b/kernel/bpf/core.c
+@@ -1395,29 +1395,54 @@ static u64 ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn, u64 *stack)
+ select_insn:
+ goto *jumptable[insn->code];
+
+- /* ALU */
+-#define ALU(OPCODE, OP) \
+- ALU64_##OPCODE##_X: \
+- DST = DST OP SRC; \
+- CONT; \
+- ALU_##OPCODE##_X: \
+- DST = (u32) DST OP (u32) SRC; \
+- CONT; \
+- ALU64_##OPCODE##_K: \
+- DST = DST OP IMM; \
+- CONT; \
+- ALU_##OPCODE##_K: \
+- DST = (u32) DST OP (u32) IMM; \
++ /* Explicitly mask the register-based shift amounts with 63 or 31
++ * to avoid undefined behavior. Normally this won't affect the
++ * generated code, for example, in case of native 64 bit archs such
++ * as x86-64 or arm64, the compiler is optimizing the AND away for
++ * the interpreter. In case of JITs, each of the JIT backends compiles
++ * the BPF shift operations to machine instructions which produce
++ * implementation-defined results in such a case; the resulting
++ * contents of the register may be arbitrary, but program behaviour
++ * as a whole remains defined. In other words, in case of JIT backends,
++ * the AND must /not/ be added to the emitted LSH/RSH/ARSH translation.
++ */
++ /* ALU (shifts) */
++#define SHT(OPCODE, OP) \
++ ALU64_##OPCODE##_X: \
++ DST = DST OP (SRC & 63); \
++ CONT; \
++ ALU_##OPCODE##_X: \
++ DST = (u32) DST OP ((u32) SRC & 31); \
++ CONT; \
++ ALU64_##OPCODE##_K: \
++ DST = DST OP IMM; \
++ CONT; \
++ ALU_##OPCODE##_K: \
++ DST = (u32) DST OP (u32) IMM; \
++ CONT;
++ /* ALU (rest) */
++#define ALU(OPCODE, OP) \
++ ALU64_##OPCODE##_X: \
++ DST = DST OP SRC; \
++ CONT; \
++ ALU_##OPCODE##_X: \
++ DST = (u32) DST OP (u32) SRC; \
++ CONT; \
++ ALU64_##OPCODE##_K: \
++ DST = DST OP IMM; \
++ CONT; \
++ ALU_##OPCODE##_K: \
++ DST = (u32) DST OP (u32) IMM; \
+ CONT;
+-
+ ALU(ADD, +)
+ ALU(SUB, -)
+ ALU(AND, &)
+ ALU(OR, |)
+- ALU(LSH, <<)
+- ALU(RSH, >>)
+ ALU(XOR, ^)
+ ALU(MUL, *)
++ SHT(LSH, <<)
++ SHT(RSH, >>)
++#undef SHT
+ #undef ALU
+ ALU_NEG:
+ DST = (u32) -DST;
+@@ -1442,13 +1467,13 @@ select_insn:
+ insn++;
+ CONT;
+ ALU_ARSH_X:
+- DST = (u64) (u32) (((s32) DST) >> SRC);
++ DST = (u64) (u32) (((s32) DST) >> (SRC & 31));
+ CONT;
+ ALU_ARSH_K:
+ DST = (u64) (u32) (((s32) DST) >> IMM);
+ CONT;
+ ALU64_ARSH_X:
+- (*(s64 *) &DST) >>= SRC;
++ (*(s64 *) &DST) >>= (SRC & 63);
+ CONT;
+ ALU64_ARSH_K:
+ (*(s64 *) &DST) >>= IMM;
+--
+2.30.2
+
--- /dev/null
+From a7da7e3b87b320a9b819023d8b37dffacb4b9e6d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jun 2021 15:59:44 +0800
+Subject: cfg80211: fix default HE tx bitrate mask in 2G band
+
+From: Ping-Ke Shih <pkshih@realtek.com>
+
+[ Upstream commit 9df66d5b9f45c39b3925d16e8947cc10009b186d ]
+
+In 2G band, a HE sta can only supports HT and HE, but not supports VHT.
+In this case, default HE tx bitrate mask isn't filled, when we use iw to
+set bitrates without any parameter.
+
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://lore.kernel.org/r/20210609075944.51130-1-pkshih@realtek.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/nl80211.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index daf3f29c7f0c..8fb0478888fb 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -4625,11 +4625,10 @@ static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
+ sband->ht_cap.mcs.rx_mask,
+ sizeof(mask->control[i].ht_mcs));
+
+- if (!sband->vht_cap.vht_supported)
+- continue;
+-
+- vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
+- vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
++ if (sband->vht_cap.vht_supported) {
++ vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
++ vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
++ }
+
+ he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
+ if (!he_cap)
+--
+2.30.2
+
--- /dev/null
+From 053b48f6deeb6792579bb3792b549d734b728ad1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 May 2021 13:36:38 +0900
+Subject: clk: renesas: r8a77995: Add ZA2 clock
+
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+
+[ Upstream commit 790c06cc5df263cdaff748670cc65958c81b0951 ]
+
+R-Car D3 ZA2 clock is from PLL0D3 or S0,
+and it can be controlled by ZA2CKCR.
+It is needed for R-Car Sound, but is not used so far.
+Using default settings is very enough at this point.
+This patch adds it by DEF_FIXED().
+
+Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Link: https://lore.kernel.org/r/87pmxclrmy.wl-kuninori.morimoto.gx@renesas.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/renesas/r8a77995-cpg-mssr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/clk/renesas/r8a77995-cpg-mssr.c b/drivers/clk/renesas/r8a77995-cpg-mssr.c
+index 5b4691117b47..026e2612c33c 100644
+--- a/drivers/clk/renesas/r8a77995-cpg-mssr.c
++++ b/drivers/clk/renesas/r8a77995-cpg-mssr.c
+@@ -75,6 +75,7 @@ static const struct cpg_core_clk r8a77995_core_clks[] __initconst = {
+ DEF_RATE(".oco", CLK_OCO, 8 * 1000 * 1000),
+
+ /* Core Clock Outputs */
++ DEF_FIXED("za2", R8A77995_CLK_ZA2, CLK_PLL0D3, 2, 1),
+ DEF_FIXED("z2", R8A77995_CLK_Z2, CLK_PLL0D3, 1, 1),
+ DEF_FIXED("ztr", R8A77995_CLK_ZTR, CLK_PLL1, 6, 1),
+ DEF_FIXED("zt", R8A77995_CLK_ZT, CLK_PLL1, 4, 1),
+--
+2.30.2
+
--- /dev/null
+From b32edc53f5fce6fe7eed50967466d6536b7930b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Apr 2021 15:33:38 +0800
+Subject: clk: renesas: rcar-usb2-clock-sel: Fix error handling in .probe()
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit a20a40a8bbc2cf4b29d7248ea31e974e9103dd7f ]
+
+The error handling paths after pm_runtime_get_sync() have no refcount
+decrement, which leads to refcount leak.
+
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Link: https://lore.kernel.org/r/20210415073338.22287-1-dinghao.liu@zju.edu.cn
+[geert: Remove now unused variable priv]
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/renesas/rcar-usb2-clock-sel.c | 24 ++++++++++++++---------
+ 1 file changed, 15 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/clk/renesas/rcar-usb2-clock-sel.c b/drivers/clk/renesas/rcar-usb2-clock-sel.c
+index d4c02986c34e..0ccc6e709a38 100644
+--- a/drivers/clk/renesas/rcar-usb2-clock-sel.c
++++ b/drivers/clk/renesas/rcar-usb2-clock-sel.c
+@@ -128,10 +128,8 @@ static int rcar_usb2_clock_sel_resume(struct device *dev)
+ static int rcar_usb2_clock_sel_remove(struct platform_device *pdev)
+ {
+ struct device *dev = &pdev->dev;
+- struct usb2_clock_sel_priv *priv = platform_get_drvdata(pdev);
+
+ of_clk_del_provider(dev->of_node);
+- clk_hw_unregister(&priv->hw);
+ pm_runtime_put(dev);
+ pm_runtime_disable(dev);
+
+@@ -164,9 +162,6 @@ static int rcar_usb2_clock_sel_probe(struct platform_device *pdev)
+ if (IS_ERR(priv->rsts))
+ return PTR_ERR(priv->rsts);
+
+- pm_runtime_enable(dev);
+- pm_runtime_get_sync(dev);
+-
+ clk = devm_clk_get(dev, "usb_extal");
+ if (!IS_ERR(clk) && !clk_prepare_enable(clk)) {
+ priv->extal = !!clk_get_rate(clk);
+@@ -183,6 +178,8 @@ static int rcar_usb2_clock_sel_probe(struct platform_device *pdev)
+ return -ENOENT;
+ }
+
++ pm_runtime_enable(dev);
++ pm_runtime_get_sync(dev);
+ platform_set_drvdata(pdev, priv);
+ dev_set_drvdata(dev, priv);
+
+@@ -193,11 +190,20 @@ static int rcar_usb2_clock_sel_probe(struct platform_device *pdev)
+ init.num_parents = 0;
+ priv->hw.init = &init;
+
+- clk = clk_register(NULL, &priv->hw);
+- if (IS_ERR(clk))
+- return PTR_ERR(clk);
++ ret = devm_clk_hw_register(NULL, &priv->hw);
++ if (ret)
++ goto pm_put;
++
++ ret = of_clk_add_hw_provider(np, of_clk_hw_simple_get, &priv->hw);
++ if (ret)
++ goto pm_put;
++
++ return 0;
+
+- return of_clk_add_hw_provider(np, of_clk_hw_simple_get, &priv->hw);
++pm_put:
++ pm_runtime_put(dev);
++ pm_runtime_disable(dev);
++ return ret;
+ }
+
+ static const struct dev_pm_ops rcar_usb2_clock_sel_pm_ops = {
+--
+2.30.2
+
--- /dev/null
+From 27f1fdc5943d84e2da00ca3ad0dd7a9d3fa195ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 16 May 2021 19:30:35 +0300
+Subject: clk: tegra: Ensure that PLLU configuration is applied properly
+
+From: Dmitry Osipenko <digetx@gmail.com>
+
+[ Upstream commit a7196048cd5168096c2c4f44a3939d7a6dcd06b9 ]
+
+The PLLU (USB) consists of the PLL configuration itself and configuration
+of the PLLU outputs. The PLLU programming is inconsistent on T30 vs T114,
+where T114 immediately bails out if PLLU is enabled and T30 re-enables
+a potentially already enabled PLL (left after bootloader) and then fully
+reprograms it, which could be unsafe to do. The correct way should be to
+skip enabling of the PLL if it's already enabled and then apply
+configuration to the outputs. This patch doesn't fix any known problems,
+it's a minor improvement.
+
+Acked-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/tegra/clk-pll.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/clk/tegra/clk-pll.c b/drivers/clk/tegra/clk-pll.c
+index c5cc0a2dac6f..d709ecb7d8d7 100644
+--- a/drivers/clk/tegra/clk-pll.c
++++ b/drivers/clk/tegra/clk-pll.c
+@@ -1131,7 +1131,8 @@ static int clk_pllu_enable(struct clk_hw *hw)
+ if (pll->lock)
+ spin_lock_irqsave(pll->lock, flags);
+
+- _clk_pll_enable(hw);
++ if (!clk_pll_is_enabled(hw))
++ _clk_pll_enable(hw);
+
+ ret = clk_pll_wait_for_lock(pll);
+ if (ret < 0)
+@@ -1748,15 +1749,13 @@ static int clk_pllu_tegra114_enable(struct clk_hw *hw)
+ return -EINVAL;
+ }
+
+- if (clk_pll_is_enabled(hw))
+- return 0;
+-
+ input_rate = clk_hw_get_rate(__clk_get_hw(osc));
+
+ if (pll->lock)
+ spin_lock_irqsave(pll->lock, flags);
+
+- _clk_pll_enable(hw);
++ if (!clk_pll_is_enabled(hw))
++ _clk_pll_enable(hw);
+
+ ret = clk_pll_wait_for_lock(pll);
+ if (ret < 0)
+--
+2.30.2
+
--- /dev/null
+From 364859f8bcffc9664c76dfa610c43c0d33eccf95 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 16 May 2021 19:30:34 +0300
+Subject: clk: tegra: Fix refcounting of gate clocks
+
+From: Dmitry Osipenko <digetx@gmail.com>
+
+[ Upstream commit c592c8a28f5821e880ac6675781cd8a151b0737c ]
+
+The refcounting of the gate clocks has a bug causing the enable_refcnt
+to underflow when unused clocks are disabled. This happens because clk
+provider erroneously bumps the refcount if clock is enabled at a boot
+time, which it shouldn't be doing, and it does this only for the gate
+clocks, while peripheral clocks are using the same gate ops and the
+peripheral clocks are missing the initial bump. Hence the refcount of
+the peripheral clocks is 0 when unused clocks are disabled and then the
+counter is decremented further by the gate ops, causing the integer
+underflow.
+
+Fix this problem by removing the erroneous bump and by implementing the
+disable_unused() callback, which disables the unused gates properly.
+
+The visible effect of the bug is such that the unused clocks are never
+gated if a loaded kernel module grabs the unused clocks and starts to use
+them. In practice this shouldn't cause any real problems for the drivers
+and boards supported by the kernel today.
+
+Acked-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/tegra/clk-periph-gate.c | 72 +++++++++++++++++++----------
+ drivers/clk/tegra/clk-periph.c | 11 +++++
+ 2 files changed, 58 insertions(+), 25 deletions(-)
+
+diff --git a/drivers/clk/tegra/clk-periph-gate.c b/drivers/clk/tegra/clk-periph-gate.c
+index 4b31beefc9fc..dc3f92678407 100644
+--- a/drivers/clk/tegra/clk-periph-gate.c
++++ b/drivers/clk/tegra/clk-periph-gate.c
+@@ -48,18 +48,9 @@ static int clk_periph_is_enabled(struct clk_hw *hw)
+ return state;
+ }
+
+-static int clk_periph_enable(struct clk_hw *hw)
++static void clk_periph_enable_locked(struct clk_hw *hw)
+ {
+ struct tegra_clk_periph_gate *gate = to_clk_periph_gate(hw);
+- unsigned long flags = 0;
+-
+- spin_lock_irqsave(&periph_ref_lock, flags);
+-
+- gate->enable_refcnt[gate->clk_num]++;
+- if (gate->enable_refcnt[gate->clk_num] > 1) {
+- spin_unlock_irqrestore(&periph_ref_lock, flags);
+- return 0;
+- }
+
+ write_enb_set(periph_clk_to_bit(gate), gate);
+ udelay(2);
+@@ -78,6 +69,32 @@ static int clk_periph_enable(struct clk_hw *hw)
+ udelay(1);
+ writel_relaxed(0, gate->clk_base + LVL2_CLK_GATE_OVRE);
+ }
++}
++
++static void clk_periph_disable_locked(struct clk_hw *hw)
++{
++ struct tegra_clk_periph_gate *gate = to_clk_periph_gate(hw);
++
++ /*
++ * If peripheral is in the APB bus then read the APB bus to
++ * flush the write operation in apb bus. This will avoid the
++ * peripheral access after disabling clock
++ */
++ if (gate->flags & TEGRA_PERIPH_ON_APB)
++ tegra_read_chipid();
++
++ write_enb_clr(periph_clk_to_bit(gate), gate);
++}
++
++static int clk_periph_enable(struct clk_hw *hw)
++{
++ struct tegra_clk_periph_gate *gate = to_clk_periph_gate(hw);
++ unsigned long flags = 0;
++
++ spin_lock_irqsave(&periph_ref_lock, flags);
++
++ if (!gate->enable_refcnt[gate->clk_num]++)
++ clk_periph_enable_locked(hw);
+
+ spin_unlock_irqrestore(&periph_ref_lock, flags);
+
+@@ -91,21 +108,28 @@ static void clk_periph_disable(struct clk_hw *hw)
+
+ spin_lock_irqsave(&periph_ref_lock, flags);
+
+- gate->enable_refcnt[gate->clk_num]--;
+- if (gate->enable_refcnt[gate->clk_num] > 0) {
+- spin_unlock_irqrestore(&periph_ref_lock, flags);
+- return;
+- }
++ WARN_ON(!gate->enable_refcnt[gate->clk_num]);
++
++ if (--gate->enable_refcnt[gate->clk_num] == 0)
++ clk_periph_disable_locked(hw);
++
++ spin_unlock_irqrestore(&periph_ref_lock, flags);
++}
++
++static void clk_periph_disable_unused(struct clk_hw *hw)
++{
++ struct tegra_clk_periph_gate *gate = to_clk_periph_gate(hw);
++ unsigned long flags = 0;
++
++ spin_lock_irqsave(&periph_ref_lock, flags);
+
+ /*
+- * If peripheral is in the APB bus then read the APB bus to
+- * flush the write operation in apb bus. This will avoid the
+- * peripheral access after disabling clock
++ * Some clocks are duplicated and some of them are marked as critical,
++ * like fuse and fuse_burn for example, thus the enable_refcnt will
++ * be non-zero here if the "unused" duplicate is disabled by CCF.
+ */
+- if (gate->flags & TEGRA_PERIPH_ON_APB)
+- tegra_read_chipid();
+-
+- write_enb_clr(periph_clk_to_bit(gate), gate);
++ if (!gate->enable_refcnt[gate->clk_num])
++ clk_periph_disable_locked(hw);
+
+ spin_unlock_irqrestore(&periph_ref_lock, flags);
+ }
+@@ -114,6 +138,7 @@ const struct clk_ops tegra_clk_periph_gate_ops = {
+ .is_enabled = clk_periph_is_enabled,
+ .enable = clk_periph_enable,
+ .disable = clk_periph_disable,
++ .disable_unused = clk_periph_disable_unused,
+ };
+
+ struct clk *tegra_clk_register_periph_gate(const char *name,
+@@ -148,9 +173,6 @@ struct clk *tegra_clk_register_periph_gate(const char *name,
+ gate->enable_refcnt = enable_refcnt;
+ gate->regs = pregs;
+
+- if (read_enb(gate) & periph_clk_to_bit(gate))
+- enable_refcnt[clk_num]++;
+-
+ /* Data in .init is copied by clk_register(), so stack variable OK */
+ gate->hw.init = &init;
+
+diff --git a/drivers/clk/tegra/clk-periph.c b/drivers/clk/tegra/clk-periph.c
+index 67620c7ecd9e..79ca3aa072b7 100644
+--- a/drivers/clk/tegra/clk-periph.c
++++ b/drivers/clk/tegra/clk-periph.c
+@@ -100,6 +100,15 @@ static void clk_periph_disable(struct clk_hw *hw)
+ gate_ops->disable(gate_hw);
+ }
+
++static void clk_periph_disable_unused(struct clk_hw *hw)
++{
++ struct tegra_clk_periph *periph = to_clk_periph(hw);
++ const struct clk_ops *gate_ops = periph->gate_ops;
++ struct clk_hw *gate_hw = &periph->gate.hw;
++
++ gate_ops->disable_unused(gate_hw);
++}
++
+ static void clk_periph_restore_context(struct clk_hw *hw)
+ {
+ struct tegra_clk_periph *periph = to_clk_periph(hw);
+@@ -126,6 +135,7 @@ const struct clk_ops tegra_clk_periph_ops = {
+ .is_enabled = clk_periph_is_enabled,
+ .enable = clk_periph_enable,
+ .disable = clk_periph_disable,
++ .disable_unused = clk_periph_disable_unused,
+ .restore_context = clk_periph_restore_context,
+ };
+
+@@ -135,6 +145,7 @@ static const struct clk_ops tegra_clk_periph_nodiv_ops = {
+ .is_enabled = clk_periph_is_enabled,
+ .enable = clk_periph_enable,
+ .disable = clk_periph_disable,
++ .disable_unused = clk_periph_disable_unused,
+ .restore_context = clk_periph_restore_context,
+ };
+
+--
+2.30.2
+
--- /dev/null
+From 05509696ac1d51ebaef73aeddec44052dba675ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 May 2021 11:05:14 +0800
+Subject: cw1200: add missing MODULE_DEVICE_TABLE
+
+From: Zou Wei <zou_wei@huawei.com>
+
+[ Upstream commit dd778f89225cd258e8f0fed2b7256124982c8bb5 ]
+
+This patch adds missing MODULE_DEVICE_TABLE definition which generates
+correct modalias for automatic loading of this driver when it is built
+as an external module.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zou Wei <zou_wei@huawei.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/1620788714-14300-1-git-send-email-zou_wei@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/st/cw1200/cw1200_sdio.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/st/cw1200/cw1200_sdio.c b/drivers/net/wireless/st/cw1200/cw1200_sdio.c
+index b65ec14136c7..4c30b5772ce0 100644
+--- a/drivers/net/wireless/st/cw1200/cw1200_sdio.c
++++ b/drivers/net/wireless/st/cw1200/cw1200_sdio.c
+@@ -53,6 +53,7 @@ static const struct sdio_device_id cw1200_sdio_ids[] = {
+ { SDIO_DEVICE(SDIO_VENDOR_ID_STE, SDIO_DEVICE_ID_STE_CW1200) },
+ { /* end: all zeroes */ },
+ };
++MODULE_DEVICE_TABLE(sdio, cw1200_sdio_ids);
+
+ /* hwbus_ops implemetation */
+
+--
+2.30.2
+
--- /dev/null
+From ab09eba55bea704447654e549c9f3574cf556109 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 May 2021 06:24:54 +0900
+Subject: dm: Fix dm_accept_partial_bio() relative to zone management commands
+
+From: Damien Le Moal <damien.lemoal@wdc.com>
+
+[ Upstream commit 6842d264aa5205da338b6dcc6acfa2a6732558f1 ]
+
+Fix dm_accept_partial_bio() to actually check that zone management
+commands are not passed as explained in the function documentation
+comment. Also, since a zone append operation cannot be split, add
+REQ_OP_ZONE_APPEND as a forbidden command.
+
+White lines are added around the group of BUG_ON() calls to make the
+code more legible.
+
+Signed-off-by: Damien Le Moal <damien.lemoal@wdc.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/md/dm.c b/drivers/md/dm.c
+index 638c04f9e832..19a70f434029 100644
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -1230,8 +1230,8 @@ static int dm_dax_zero_page_range(struct dax_device *dax_dev, pgoff_t pgoff,
+
+ /*
+ * A target may call dm_accept_partial_bio only from the map routine. It is
+- * allowed for all bio types except REQ_PREFLUSH, REQ_OP_ZONE_RESET,
+- * REQ_OP_ZONE_OPEN, REQ_OP_ZONE_CLOSE and REQ_OP_ZONE_FINISH.
++ * allowed for all bio types except REQ_PREFLUSH, REQ_OP_ZONE_* zone management
++ * operations and REQ_OP_ZONE_APPEND (zone append writes).
+ *
+ * dm_accept_partial_bio informs the dm that the target only wants to process
+ * additional n_sectors sectors of the bio and the rest of the data should be
+@@ -1261,9 +1261,13 @@ void dm_accept_partial_bio(struct bio *bio, unsigned n_sectors)
+ {
+ struct dm_target_io *tio = container_of(bio, struct dm_target_io, clone);
+ unsigned bi_size = bio->bi_iter.bi_size >> SECTOR_SHIFT;
++
+ BUG_ON(bio->bi_opf & REQ_PREFLUSH);
++ BUG_ON(op_is_zone_mgmt(bio_op(bio)));
++ BUG_ON(bio_op(bio) == REQ_OP_ZONE_APPEND);
+ BUG_ON(bi_size > *tio->len_ptr);
+ BUG_ON(n_sectors > bi_size);
++
+ *tio->len_ptr -= bi_size - n_sectors;
+ bio->bi_iter.bi_size = n_sectors << SECTOR_SHIFT;
+ }
+--
+2.30.2
+
--- /dev/null
+From 72f26dc9b840b3933a74ec9fa058eb5fa4312d38 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Apr 2021 09:03:49 +0100
+Subject: dm space maps: don't reset space map allocation cursor when
+ committing
+
+From: Joe Thornber <ejt@redhat.com>
+
+[ Upstream commit 5faafc77f7de69147d1e818026b9a0cbf036a7b2 ]
+
+Current commit code resets the place where the search for free blocks
+will begin back to the start of the metadata device. There are a couple
+of repercussions to this:
+
+- The first allocation after the commit is likely to take longer than
+ normal as it searches for a free block in an area that is likely to
+ have very few free blocks (if any).
+
+- Any free blocks it finds will have been recently freed. Reusing them
+ means we have fewer old copies of the metadata to aid recovery from
+ hardware error.
+
+Fix these issues by leaving the cursor alone, only resetting when the
+search hits the end of the metadata device.
+
+Signed-off-by: Joe Thornber <ejt@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/persistent-data/dm-space-map-disk.c | 9 ++++++++-
+ drivers/md/persistent-data/dm-space-map-metadata.c | 9 ++++++++-
+ 2 files changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/md/persistent-data/dm-space-map-disk.c b/drivers/md/persistent-data/dm-space-map-disk.c
+index bf4c5e2ccb6f..e0acae7a3815 100644
+--- a/drivers/md/persistent-data/dm-space-map-disk.c
++++ b/drivers/md/persistent-data/dm-space-map-disk.c
+@@ -171,6 +171,14 @@ static int sm_disk_new_block(struct dm_space_map *sm, dm_block_t *b)
+ * Any block we allocate has to be free in both the old and current ll.
+ */
+ r = sm_ll_find_common_free_block(&smd->old_ll, &smd->ll, smd->begin, smd->ll.nr_blocks, b);
++ if (r == -ENOSPC) {
++ /*
++ * There's no free block between smd->begin and the end of the metadata device.
++ * We search before smd->begin in case something has been freed.
++ */
++ r = sm_ll_find_common_free_block(&smd->old_ll, &smd->ll, 0, smd->begin, b);
++ }
++
+ if (r)
+ return r;
+
+@@ -199,7 +207,6 @@ static int sm_disk_commit(struct dm_space_map *sm)
+ return r;
+
+ memcpy(&smd->old_ll, &smd->ll, sizeof(smd->old_ll));
+- smd->begin = 0;
+ smd->nr_allocated_this_transaction = 0;
+
+ r = sm_disk_get_nr_free(sm, &nr_free);
+diff --git a/drivers/md/persistent-data/dm-space-map-metadata.c b/drivers/md/persistent-data/dm-space-map-metadata.c
+index 9e3c64ec2026..da439ac85796 100644
+--- a/drivers/md/persistent-data/dm-space-map-metadata.c
++++ b/drivers/md/persistent-data/dm-space-map-metadata.c
+@@ -452,6 +452,14 @@ static int sm_metadata_new_block_(struct dm_space_map *sm, dm_block_t *b)
+ * Any block we allocate has to be free in both the old and current ll.
+ */
+ r = sm_ll_find_common_free_block(&smm->old_ll, &smm->ll, smm->begin, smm->ll.nr_blocks, b);
++ if (r == -ENOSPC) {
++ /*
++ * There's no free block between smm->begin and the end of the metadata device.
++ * We search before smm->begin in case something has been freed.
++ */
++ r = sm_ll_find_common_free_block(&smm->old_ll, &smm->ll, 0, smm->begin, b);
++ }
++
+ if (r)
+ return r;
+
+@@ -503,7 +511,6 @@ static int sm_metadata_commit(struct dm_space_map *sm)
+ return r;
+
+ memcpy(&smm->old_ll, &smm->ll, sizeof(smm->old_ll));
+- smm->begin = 0;
+ smm->allocated_this_transaction = 0;
+
+ return 0;
+--
+2.30.2
+
--- /dev/null
+From 34c42101d30248b21181761b44e16ec8c2b7f908 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Jun 2021 16:13:16 -0400
+Subject: dm writecache: commit just one block, not a full page
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+[ Upstream commit 991bd8d7bc78966b4dc427b53a144f276bffcd52 ]
+
+Some architectures have pages larger than 4k and committing a full
+page causes needless overhead.
+
+Fix this by writing a single block when committing the superblock.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm-writecache.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/drivers/md/dm-writecache.c b/drivers/md/dm-writecache.c
+index 64c2980aaa54..894b58bbe56e 100644
+--- a/drivers/md/dm-writecache.c
++++ b/drivers/md/dm-writecache.c
+@@ -532,11 +532,7 @@ static void ssd_commit_superblock(struct dm_writecache *wc)
+
+ region.bdev = wc->ssd_dev->bdev;
+ region.sector = 0;
+- region.count = PAGE_SIZE >> SECTOR_SHIFT;
+-
+- if (unlikely(region.sector + region.count > wc->metadata_sectors))
+- region.count = wc->metadata_sectors - region.sector;
+-
++ region.count = wc->block_size >> SECTOR_SHIFT;
+ region.sector += wc->start_sector;
+
+ req.bi_op = REQ_OP_WRITE;
+--
+2.30.2
+
--- /dev/null
+From 02c855f35366133b1aded8e63f360e427331be79 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 May 2021 10:29:45 -0400
+Subject: dm writecache: don't split bios when overwriting contiguous cache
+ content
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+[ Upstream commit ee50cc19d80e9b9a8283d1fb517a778faf2f6899 ]
+
+If dm-writecache overwrites existing cached data, it splits the
+incoming bio into many block-sized bios. The I/O scheduler does merge
+these bios into one large request but this needless splitting and
+merging causes performance degradation.
+
+Fix this by avoiding bio splitting if the cache target area that is
+being overwritten is contiguous.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm-writecache.c | 38 ++++++++++++++++++++++++++++++--------
+ 1 file changed, 30 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/md/dm-writecache.c b/drivers/md/dm-writecache.c
+index 8628c4aa2e85..64c2980aaa54 100644
+--- a/drivers/md/dm-writecache.c
++++ b/drivers/md/dm-writecache.c
+@@ -1360,14 +1360,18 @@ read_next_block:
+ } else {
+ do {
+ bool found_entry = false;
++ bool search_used = false;
+ if (writecache_has_error(wc))
+ goto unlock_error;
+ e = writecache_find_entry(wc, bio->bi_iter.bi_sector, 0);
+ if (e) {
+- if (!writecache_entry_is_committed(wc, e))
++ if (!writecache_entry_is_committed(wc, e)) {
++ search_used = true;
+ goto bio_copy;
++ }
+ if (!WC_MODE_PMEM(wc) && !e->write_in_progress) {
+ wc->overwrote_committed = true;
++ search_used = true;
+ goto bio_copy;
+ }
+ found_entry = true;
+@@ -1404,13 +1408,31 @@ bio_copy:
+ sector_t current_cache_sec = start_cache_sec + (bio_size >> SECTOR_SHIFT);
+
+ while (bio_size < bio->bi_iter.bi_size) {
+- struct wc_entry *f = writecache_pop_from_freelist(wc, current_cache_sec);
+- if (!f)
+- break;
+- write_original_sector_seq_count(wc, f, bio->bi_iter.bi_sector +
+- (bio_size >> SECTOR_SHIFT), wc->seq_count);
+- writecache_insert_entry(wc, f);
+- wc->uncommitted_blocks++;
++ if (!search_used) {
++ struct wc_entry *f = writecache_pop_from_freelist(wc, current_cache_sec);
++ if (!f)
++ break;
++ write_original_sector_seq_count(wc, f, bio->bi_iter.bi_sector +
++ (bio_size >> SECTOR_SHIFT), wc->seq_count);
++ writecache_insert_entry(wc, f);
++ wc->uncommitted_blocks++;
++ } else {
++ struct wc_entry *f;
++ struct rb_node *next = rb_next(&e->rb_node);
++ if (!next)
++ break;
++ f = container_of(next, struct wc_entry, rb_node);
++ if (f != e + 1)
++ break;
++ if (read_original_sector(wc, f) !=
++ read_original_sector(wc, e) + (wc->block_size >> SECTOR_SHIFT))
++ break;
++ if (unlikely(f->write_in_progress))
++ break;
++ if (writecache_entry_is_committed(wc, f))
++ wc->overwrote_committed = true;
++ e = f;
++ }
+ bio_size += wc->block_size;
+ current_cache_sec += wc->block_size >> SECTOR_SHIFT;
+ }
+--
+2.30.2
+
--- /dev/null
+From c126b075b2ebf8e445715f856c7d4edb4b442f30 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Apr 2021 17:08:47 +0800
+Subject: drm/amd/amdgpu/sriov disable all ip hw status by default
+
+From: Jack Zhang <Jack.Zhang1@amd.com>
+
+[ Upstream commit 95ea3dbc4e9548d35ab6fbf67675cef8c293e2f5 ]
+
+Disable all ip's hw status to false before any hw_init.
+Only set it to true until its hw_init is executed.
+
+The old 5.9 branch has this change but somehow the 5.11 kernrel does
+not have this fix.
+
+Without this change, sriov tdr have gfx IB test fail.
+
+Signed-off-by: Jack Zhang <Jack.Zhang1@amd.com>
+Review-by: Emily Deng <Emily.Deng@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+index 87c7c45f1bb7..6948ab3c0d99 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -2760,7 +2760,7 @@ static int amdgpu_device_ip_reinit_early_sriov(struct amdgpu_device *adev)
+ AMD_IP_BLOCK_TYPE_IH,
+ };
+
+- for (i = 0; i < ARRAY_SIZE(ip_order); i++) {
++ for (i = 0; i < adev->num_ip_blocks; i++) {
+ int j;
+ struct amdgpu_ip_block *block;
+
+--
+2.30.2
+
--- /dev/null
+From 81d68f86bdad2dcbcb4908bad5f1b03657e02505 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 May 2021 10:53:54 -0700
+Subject: drm/amd/display: Avoid HDCP over-read and corruption
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 06888d571b513cbfc0b41949948def6cb81021b2 ]
+
+Instead of reading the desired 5 bytes of the actual target field,
+the code was reading 8. This could result in a corrupted value if the
+trailing 3 bytes were non-zero, so instead use an appropriately sized
+and zero-initialized bounce buffer, and read only 5 bytes before casting
+to u64.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c
+index f244b72e74e0..53eab2b8e2c8 100644
+--- a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c
++++ b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c
+@@ -29,8 +29,10 @@ static inline enum mod_hdcp_status validate_bksv(struct mod_hdcp *hdcp)
+ {
+ uint64_t n = 0;
+ uint8_t count = 0;
++ u8 bksv[sizeof(n)] = { };
+
+- memcpy(&n, hdcp->auth.msg.hdcp1.bksv, sizeof(uint64_t));
++ memcpy(bksv, hdcp->auth.msg.hdcp1.bksv, sizeof(hdcp->auth.msg.hdcp1.bksv));
++ n = *(uint64_t *)bksv;
+
+ while (n) {
+ count++;
+--
+2.30.2
+
--- /dev/null
+From 0b02e5eaa9c1da86d1480ead3dccc7bedebded86 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 May 2021 12:33:12 -0400
+Subject: drm/amd/display: Fix DCN 3.01 DSCCLK validation
+
+From: Nikola Cornij <nikola.cornij@amd.com>
+
+[ Upstream commit 346cf627fb27c0fea63a041cedbaa4f31784e504 ]
+
+[why]
+DSCCLK validation is not necessary because DSCCLK is derrived from
+DISPCLK, therefore if DISPCLK validation passes, DSCCLK is valid, too.
+Doing DSCLK validation in addition to DISPCLK leads to modes being
+wrongly rejected when DSCCLK was incorrectly set outside of DML.
+
+[how]
+Remove DSCCLK validation because it's implicitly validated under DISPCLK
+
+Signed-off-by: Nikola Cornij <nikola.cornij@amd.com>
+Reviewed-by: Dmytro Laktyushkin <Dmytro.Laktyushkin@amd.com>
+Acked-by: Stylon Wang <stylon.wang@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../dc/dml/dcn30/display_mode_vba_30.c | 64 ++++++-------------
+ 1 file changed, 21 insertions(+), 43 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c b/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c
+index 9e0ae18e71fa..d66e89283c48 100644
+--- a/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c
++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c
+@@ -64,6 +64,7 @@ typedef struct {
+ #define BPP_INVALID 0
+ #define BPP_BLENDED_PIPE 0xffffffff
+ #define DCN30_MAX_DSC_IMAGE_WIDTH 5184
++#define DCN30_MAX_FMT_420_BUFFER_WIDTH 4096
+
+ static void DisplayPipeConfiguration(struct display_mode_lib *mode_lib);
+ static void DISPCLKDPPCLKDCFCLKDeepSleepPrefetchParametersWatermarksAndPerformanceCalculation(
+@@ -3987,19 +3988,30 @@ void dml30_ModeSupportAndSystemConfigurationFull(struct display_mode_lib *mode_l
+ } else if (v->PlaneRequiredDISPCLKWithoutODMCombine > v->MaxDispclkRoundedDownToDFSGranularity) {
+ v->ODMCombineEnablePerState[i][k] = dm_odm_combine_mode_2to1;
+ v->PlaneRequiredDISPCLK = v->PlaneRequiredDISPCLKWithODMCombine2To1;
+- } else if (v->DSCEnabled[k] && (v->HActive[k] > DCN30_MAX_DSC_IMAGE_WIDTH)) {
+- v->ODMCombineEnablePerState[i][k] = dm_odm_combine_mode_2to1;
+- v->PlaneRequiredDISPCLK = v->PlaneRequiredDISPCLKWithODMCombine2To1;
+ } else {
+ v->ODMCombineEnablePerState[i][k] = dm_odm_combine_mode_disabled;
+ v->PlaneRequiredDISPCLK = v->PlaneRequiredDISPCLKWithoutODMCombine;
+- /*420 format workaround*/
+- if (v->HActive[k] > 4096 && v->OutputFormat[k] == dm_420) {
++ }
++ if (v->DSCEnabled[k] && v->HActive[k] > DCN30_MAX_DSC_IMAGE_WIDTH
++ && v->ODMCombineEnablePerState[i][k] != dm_odm_combine_mode_4to1) {
++ if (v->HActive[k] / 2 > DCN30_MAX_DSC_IMAGE_WIDTH) {
++ v->ODMCombineEnablePerState[i][k] = dm_odm_combine_mode_4to1;
++ v->PlaneRequiredDISPCLK = v->PlaneRequiredDISPCLKWithODMCombine4To1;
++ } else {
++ v->ODMCombineEnablePerState[i][k] = dm_odm_combine_mode_2to1;
++ v->PlaneRequiredDISPCLK = v->PlaneRequiredDISPCLKWithODMCombine2To1;
++ }
++ }
++ if (v->OutputFormat[k] == dm_420 && v->HActive[k] > DCN30_MAX_FMT_420_BUFFER_WIDTH
++ && v->ODMCombineEnablePerState[i][k] != dm_odm_combine_mode_4to1) {
++ if (v->HActive[k] / 2 > DCN30_MAX_FMT_420_BUFFER_WIDTH) {
++ v->ODMCombineEnablePerState[i][k] = dm_odm_combine_mode_4to1;
++ v->PlaneRequiredDISPCLK = v->PlaneRequiredDISPCLKWithODMCombine4To1;
++ } else {
+ v->ODMCombineEnablePerState[i][k] = dm_odm_combine_mode_2to1;
+ v->PlaneRequiredDISPCLK = v->PlaneRequiredDISPCLKWithODMCombine2To1;
+ }
+ }
+-
+ if (v->ODMCombineEnablePerState[i][k] == dm_odm_combine_mode_4to1) {
+ v->MPCCombine[i][j][k] = false;
+ v->NoOfDPP[i][j][k] = 4;
+@@ -4281,42 +4293,8 @@ void dml30_ModeSupportAndSystemConfigurationFull(struct display_mode_lib *mode_l
+ }
+ }
+
+- for (i = 0; i < v->soc.num_states; i++) {
+- v->DSCCLKRequiredMoreThanSupported[i] = false;
+- for (k = 0; k <= v->NumberOfActivePlanes - 1; k++) {
+- if (v->BlendingAndTiming[k] == k) {
+- if (v->Output[k] == dm_dp || v->Output[k] == dm_edp) {
+- if (v->OutputFormat[k] == dm_420) {
+- v->DSCFormatFactor = 2;
+- } else if (v->OutputFormat[k] == dm_444) {
+- v->DSCFormatFactor = 1;
+- } else if (v->OutputFormat[k] == dm_n422) {
+- v->DSCFormatFactor = 2;
+- } else {
+- v->DSCFormatFactor = 1;
+- }
+- if (v->RequiresDSC[i][k] == true) {
+- if (v->ODMCombineEnablePerState[i][k] == dm_odm_combine_mode_4to1) {
+- if (v->PixelClockBackEnd[k] / 12.0 / v->DSCFormatFactor
+- > (1.0 - v->DISPCLKDPPCLKDSCCLKDownSpreading / 100.0) * v->MaxDSCCLK[i]) {
+- v->DSCCLKRequiredMoreThanSupported[i] = true;
+- }
+- } else if (v->ODMCombineEnablePerState[i][k] == dm_odm_combine_mode_2to1) {
+- if (v->PixelClockBackEnd[k] / 6.0 / v->DSCFormatFactor
+- > (1.0 - v->DISPCLKDPPCLKDSCCLKDownSpreading / 100.0) * v->MaxDSCCLK[i]) {
+- v->DSCCLKRequiredMoreThanSupported[i] = true;
+- }
+- } else {
+- if (v->PixelClockBackEnd[k] / 3.0 / v->DSCFormatFactor
+- > (1.0 - v->DISPCLKDPPCLKDSCCLKDownSpreading / 100.0) * v->MaxDSCCLK[i]) {
+- v->DSCCLKRequiredMoreThanSupported[i] = true;
+- }
+- }
+- }
+- }
+- }
+- }
+- }
++ /* Skip dscclk validation: as long as dispclk is supported, dscclk is also implicitly supported */
++
+ for (i = 0; i < v->soc.num_states; i++) {
+ v->NotEnoughDSCUnits[i] = false;
+ v->TotalDSCUnitsRequired = 0.0;
+@@ -5319,7 +5297,7 @@ void dml30_ModeSupportAndSystemConfigurationFull(struct display_mode_lib *mode_l
+ for (j = 0; j < 2; j++) {
+ if (v->ScaleRatioAndTapsSupport == 1 && v->SourceFormatPixelAndScanSupport == 1 && v->ViewportSizeSupport[i][j] == 1
+ && v->DIOSupport[i] == 1 && v->ODMCombine4To1SupportCheckOK[i] == 1
+- && v->NotEnoughDSCUnits[i] == 0 && v->DSCCLKRequiredMoreThanSupported[i] == 0
++ && v->NotEnoughDSCUnits[i] == 0
+ && v->DTBCLKRequiredMoreThanSupported[i] == 0
+ && v->ROBSupport[i][j] == 1 && v->DISPCLK_DPPCLK_Support[i][j] == 1 && v->TotalAvailablePipesSupport[i][j] == 1
+ && EnoughWritebackUnits == 1 && WritebackModeSupport == 1
+--
+2.30.2
+
--- /dev/null
+From fe892d924270394295db0c327fe1e686ae71a420 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Apr 2021 14:47:46 +0800
+Subject: drm/amd/display: fix HDCP reset sequence on reinitialize
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Brandon Syu <Brandon.Syu@amd.com>
+
+[ Upstream commit 99c248c41c2199bd34232ce8e729d18c4b343b64 ]
+
+[why]
+When setup is called after hdcp has already setup,
+it would cause to disable HDCP flow won’t execute.
+
+[how]
+Don't clean up hdcp content to be 0.
+
+Signed-off-by: Brandon Syu <Brandon.Syu@amd.com>
+Reviewed-by: Wenjing Liu <Wenjing.Liu@amd.com>
+Acked-by: Wayne Lin <waynelin@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/modules/hdcp/hdcp.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp.c b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp.c
+index 20e554e771d1..fa8aeec304ef 100644
+--- a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp.c
++++ b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp.c
+@@ -260,7 +260,6 @@ enum mod_hdcp_status mod_hdcp_setup(struct mod_hdcp *hdcp,
+ struct mod_hdcp_output output;
+ enum mod_hdcp_status status = MOD_HDCP_STATUS_SUCCESS;
+
+- memset(hdcp, 0, sizeof(struct mod_hdcp));
+ memset(&output, 0, sizeof(output));
+ hdcp->config = *config;
+ HDCP_TOP_INTERFACE_TRACE(hdcp);
+--
+2.30.2
+
--- /dev/null
+From 7a72a8ad13ace7ce35506b2a21adcdf6afa9fe7b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Apr 2021 18:38:54 -0400
+Subject: drm/amd/display: Fix off-by-one error in DML
+
+From: Wesley Chalmers <Wesley.Chalmers@amd.com>
+
+[ Upstream commit e4e3678260e9734f6f41b4325aac0b171833a618 ]
+
+[WHY]
+For DCN30 and later, there is no data in DML arrays indexed by state at
+index num_states.
+
+Signed-off-by: Wesley Chalmers <Wesley.Chalmers@amd.com>
+Reviewed-by: Dmytro Laktyushkin <Dmytro.Laktyushkin@amd.com>
+Acked-by: Stylon Wang <stylon.wang@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../amd/display/dc/dml/dcn30/display_mode_vba_30.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c b/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c
+index d66e89283c48..2663f1b31842 100644
+--- a/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c
++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c
+@@ -2053,7 +2053,7 @@ static void DISPCLKDPPCLKDCFCLKDeepSleepPrefetchParametersWatermarksAndPerforman
+ v->DISPCLKWithoutRamping,
+ v->DISPCLKDPPCLKVCOSpeed);
+ v->MaxDispclkRoundedToDFSGranularity = RoundToDFSGranularityDown(
+- v->soc.clock_limits[mode_lib->soc.num_states].dispclk_mhz,
++ v->soc.clock_limits[mode_lib->soc.num_states - 1].dispclk_mhz,
+ v->DISPCLKDPPCLKVCOSpeed);
+ if (v->DISPCLKWithoutRampingRoundedToDFSGranularity
+ > v->MaxDispclkRoundedToDFSGranularity) {
+@@ -3958,20 +3958,20 @@ void dml30_ModeSupportAndSystemConfigurationFull(struct display_mode_lib *mode_l
+ for (k = 0; k <= v->NumberOfActivePlanes - 1; k++) {
+ v->PlaneRequiredDISPCLKWithoutODMCombine = v->PixelClock[k] * (1.0 + v->DISPCLKDPPCLKDSCCLKDownSpreading / 100.0)
+ * (1.0 + v->DISPCLKRampingMargin / 100.0);
+- if ((v->PlaneRequiredDISPCLKWithoutODMCombine >= v->MaxDispclk[i] && v->MaxDispclk[i] == v->MaxDispclk[mode_lib->soc.num_states]
+- && v->MaxDppclk[i] == v->MaxDppclk[mode_lib->soc.num_states])) {
++ if ((v->PlaneRequiredDISPCLKWithoutODMCombine >= v->MaxDispclk[i] && v->MaxDispclk[i] == v->MaxDispclk[mode_lib->soc.num_states - 1]
++ && v->MaxDppclk[i] == v->MaxDppclk[mode_lib->soc.num_states - 1])) {
+ v->PlaneRequiredDISPCLKWithoutODMCombine = v->PixelClock[k] * (1 + v->DISPCLKDPPCLKDSCCLKDownSpreading / 100.0);
+ }
+ v->PlaneRequiredDISPCLKWithODMCombine2To1 = v->PixelClock[k] / 2 * (1 + v->DISPCLKDPPCLKDSCCLKDownSpreading / 100.0)
+ * (1 + v->DISPCLKRampingMargin / 100.0);
+- if ((v->PlaneRequiredDISPCLKWithODMCombine2To1 >= v->MaxDispclk[i] && v->MaxDispclk[i] == v->MaxDispclk[mode_lib->soc.num_states]
+- && v->MaxDppclk[i] == v->MaxDppclk[mode_lib->soc.num_states])) {
++ if ((v->PlaneRequiredDISPCLKWithODMCombine2To1 >= v->MaxDispclk[i] && v->MaxDispclk[i] == v->MaxDispclk[mode_lib->soc.num_states - 1]
++ && v->MaxDppclk[i] == v->MaxDppclk[mode_lib->soc.num_states - 1])) {
+ v->PlaneRequiredDISPCLKWithODMCombine2To1 = v->PixelClock[k] / 2 * (1 + v->DISPCLKDPPCLKDSCCLKDownSpreading / 100.0);
+ }
+ v->PlaneRequiredDISPCLKWithODMCombine4To1 = v->PixelClock[k] / 4 * (1 + v->DISPCLKDPPCLKDSCCLKDownSpreading / 100.0)
+ * (1 + v->DISPCLKRampingMargin / 100.0);
+- if ((v->PlaneRequiredDISPCLKWithODMCombine4To1 >= v->MaxDispclk[i] && v->MaxDispclk[i] == v->MaxDispclk[mode_lib->soc.num_states]
+- && v->MaxDppclk[i] == v->MaxDppclk[mode_lib->soc.num_states])) {
++ if ((v->PlaneRequiredDISPCLKWithODMCombine4To1 >= v->MaxDispclk[i] && v->MaxDispclk[i] == v->MaxDispclk[mode_lib->soc.num_states - 1]
++ && v->MaxDppclk[i] == v->MaxDppclk[mode_lib->soc.num_states - 1])) {
+ v->PlaneRequiredDISPCLKWithODMCombine4To1 = v->PixelClock[k] / 4 * (1 + v->DISPCLKDPPCLKDSCCLKDownSpreading / 100.0);
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 69d8c9e627e61672bb03b23140b0c79b8e2cbc6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Apr 2021 17:50:53 -0400
+Subject: drm/amd/display: fix use_max_lb flag for 420 pixel formats
+
+From: Dmytro Laktyushkin <Dmytro.Laktyushkin@amd.com>
+
+[ Upstream commit 8809a7a4afe90ad9ffb42f72154d27e7c47551ae ]
+
+Right now the flag simply selects memory config 0 when flag is true
+however 420 modes benefit more from memory config 3.
+
+Signed-off-by: Dmytro Laktyushkin <Dmytro.Laktyushkin@amd.com>
+Reviewed-by: Aric Cyr <Aric.Cyr@amd.com>
+Acked-by: Stylon Wang <stylon.wang@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/dcn10/dcn10_dpp_dscl.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_dpp_dscl.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_dpp_dscl.c
+index fce37c527a0b..8bb5912d837d 100644
+--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_dpp_dscl.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_dpp_dscl.c
+@@ -482,10 +482,13 @@ static enum lb_memory_config dpp1_dscl_find_lb_memory_config(struct dcn10_dpp *d
+ int vtaps_c = scl_data->taps.v_taps_c;
+ int ceil_vratio = dc_fixpt_ceil(scl_data->ratios.vert);
+ int ceil_vratio_c = dc_fixpt_ceil(scl_data->ratios.vert_c);
+- enum lb_memory_config mem_cfg = LB_MEMORY_CONFIG_0;
+
+- if (dpp->base.ctx->dc->debug.use_max_lb)
+- return mem_cfg;
++ if (dpp->base.ctx->dc->debug.use_max_lb) {
++ if (scl_data->format == PIXEL_FORMAT_420BPP8
++ || scl_data->format == PIXEL_FORMAT_420BPP10)
++ return LB_MEMORY_CONFIG_3;
++ return LB_MEMORY_CONFIG_0;
++ }
+
+ dpp->base.caps->dscl_calc_lb_num_partitions(
+ scl_data, LB_MEMORY_CONFIG_1, &num_part_y, &num_part_c);
+--
+2.30.2
+
--- /dev/null
+From afe4ad2b0faa39fee595764f273575eb20be7cef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 May 2021 13:55:46 -0400
+Subject: drm/amd/display: Release MST resources on switch from MST to SST
+
+From: Vladimir Stempen <vladimir.stempen@amd.com>
+
+[ Upstream commit 3f8518b60c10aa96f3efa38a967a0b4eb9211ac0 ]
+
+[why]
+When OS overrides training link training parameters
+for MST device to SST mode, MST resources are not
+released and leak of the resource may result crash and
+incorrect MST discovery during following hot plugs.
+
+[how]
+Retaining sink object to be reused by SST link and
+releasing MST resources.
+
+Signed-off-by: Vladimir Stempen <vladimir.stempen@amd.com>
+Reviewed-by: Wenjing Liu <Wenjing.Liu@amd.com>
+Acked-by: Stylon Wang <stylon.wang@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c b/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c
+index 32b73ea86673..a7f8caf1086b 100644
+--- a/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c
++++ b/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c
+@@ -1704,6 +1704,8 @@ static void set_dp_mst_mode(struct dc_link *link, bool mst_enable)
+ link->type = dc_connection_single;
+ link->local_sink = link->remote_sinks[0];
+ link->local_sink->sink_signal = SIGNAL_TYPE_DISPLAY_PORT;
++ dc_sink_retain(link->local_sink);
++ dm_helpers_dp_mst_stop_top_mgr(link->ctx, link);
+ } else if (mst_enable == true &&
+ link->type == dc_connection_single &&
+ link->remote_sinks[0] != NULL) {
+--
+2.30.2
+
--- /dev/null
+From fd532739924dc62129d702412b3886bc4ac97110 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 May 2021 12:12:48 -0400
+Subject: drm/amd/display: Set DISPCLK_MAX_ERRDET_CYCLES to 7
+
+From: Wesley Chalmers <Wesley.Chalmers@amd.com>
+
+[ Upstream commit 3577e1678772ce3ede92af3a75b44a4b76f9b4ad ]
+
+[WHY]
+DISPCLK_MAX_ERRDET_CYCLES must be 7 to prevent connection loss when
+changing DENTIST_DISPCLK_WDIVIDER from 126 to 127 and back.
+
+Signed-off-by: Wesley Chalmers <Wesley.Chalmers@amd.com>
+Reviewed-by: Dmytro Laktyushkin <Dmytro.Laktyushkin@amd.com>
+Acked-by: Stylon Wang <stylon.wang@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
+index f1e9b3b06b92..9d3ccdd35582 100644
+--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
+@@ -243,7 +243,7 @@ void dcn20_dccg_init(struct dce_hwseq *hws)
+ REG_WRITE(MILLISECOND_TIME_BASE_DIV, 0x1186a0);
+
+ /* This value is dependent on the hardware pipeline delay so set once per SOC */
+- REG_WRITE(DISPCLK_FREQ_CHANGE_CNTL, 0x801003c);
++ REG_WRITE(DISPCLK_FREQ_CHANGE_CNTL, 0xe01003c);
+ }
+
+ void dcn20_disable_vga(
+--
+2.30.2
+
--- /dev/null
+From 3fecd5bd6d84dae5baa5787a5abfa1d9b56e4633 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 May 2021 10:20:25 -0400
+Subject: drm/amd/display: Update scaling settings on modeset
+
+From: Roman Li <roman.li@amd.com>
+
+[ Upstream commit c521fc316d12fb9ea7b7680e301d673bceda922e ]
+
+[Why]
+We update scaling settings when scaling mode has been changed.
+However when changing mode from native resolution the scaling mode previously
+set gets ignored.
+
+[How]
+Perform scaling settings update on modeset.
+
+Signed-off-by: Roman Li <roman.li@amd.com>
+Reviewed-by: Nicholas Kazlauskas <Nicholas.Kazlauskas@amd.com>
+Acked-by: Stylon Wang <stylon.wang@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+index df26c07cb912..b413a7a2e92f 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -8291,7 +8291,8 @@ skip_modeset:
+ BUG_ON(dm_new_crtc_state->stream == NULL);
+
+ /* Scaling or underscan settings */
+- if (is_scaling_state_different(dm_old_conn_state, dm_new_conn_state))
++ if (is_scaling_state_different(dm_old_conn_state, dm_new_conn_state) ||
++ drm_atomic_crtc_needs_modeset(new_crtc_state))
+ update_stream_scaling_settings(
+ &new_crtc_state->mode, dm_new_conn_state, dm_new_crtc_state->stream);
+
+--
+2.30.2
+
--- /dev/null
+From 9941778e6338be0a50632a598dba9afa4e82c26e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jun 2021 13:01:07 -0400
+Subject: drm/amd/display: Verify Gamma & Degamma LUT sizes in
+ amdgpu_dm_atomic_check
+
+From: Mark Yacoub <markyacoub@chromium.org>
+
+[ Upstream commit 03fc4cf45d30533d54f0f4ebc02aacfa12f52ce2 ]
+
+For each CRTC state, check the size of Gamma and Degamma LUTs so
+unexpected and larger sizes wouldn't slip through.
+
+TEST: IGT:kms_color::pipe-invalid-gamma-lut-sizes
+
+v2: fix assignments in if clauses, Mark's email.
+
+Reviewed-by: Harry Wentland <harry.wentland@amd.com>
+Signed-off-by: Mark Yacoub <markyacoub@chromium.org>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 4 ++
+ .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h | 1 +
+ .../amd/display/amdgpu_dm/amdgpu_dm_color.c | 41 ++++++++++++++++---
+ 3 files changed, 40 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+index b413a7a2e92f..bdcec5b3f5e5 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -8745,6 +8745,10 @@ static int amdgpu_dm_atomic_check(struct drm_device *dev,
+ old_crtc_state->vrr_enabled == new_crtc_state->vrr_enabled)
+ continue;
+
++ ret = amdgpu_dm_verify_lut_sizes(new_crtc_state);
++ if (ret)
++ goto fail;
++
+ if (!new_crtc_state->enable)
+ continue;
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h
+index 1df7f1b18049..6c7235bb2f41 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h
+@@ -498,6 +498,7 @@ void amdgpu_dm_trigger_timing_sync(struct drm_device *dev);
+ #define MAX_COLOR_LEGACY_LUT_ENTRIES 256
+
+ void amdgpu_dm_init_color_mod(void);
++int amdgpu_dm_verify_lut_sizes(const struct drm_crtc_state *crtc_state);
+ int amdgpu_dm_update_crtc_color_mgmt(struct dm_crtc_state *crtc);
+ int amdgpu_dm_update_plane_color_mgmt(struct dm_crtc_state *crtc,
+ struct dc_plane_state *dc_plane_state);
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_color.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_color.c
+index 5df05f0d18bc..179ff4b42f20 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_color.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_color.c
+@@ -284,6 +284,37 @@ static int __set_input_tf(struct dc_transfer_func *func,
+ return res ? 0 : -ENOMEM;
+ }
+
++/**
++ * Verifies that the Degamma and Gamma LUTs attached to the |crtc_state| are of
++ * the expected size.
++ * Returns 0 on success.
++ */
++int amdgpu_dm_verify_lut_sizes(const struct drm_crtc_state *crtc_state)
++{
++ const struct drm_color_lut *lut = NULL;
++ uint32_t size = 0;
++
++ lut = __extract_blob_lut(crtc_state->degamma_lut, &size);
++ if (lut && size != MAX_COLOR_LUT_ENTRIES) {
++ DRM_DEBUG_DRIVER(
++ "Invalid Degamma LUT size. Should be %u but got %u.\n",
++ MAX_COLOR_LUT_ENTRIES, size);
++ return -EINVAL;
++ }
++
++ lut = __extract_blob_lut(crtc_state->gamma_lut, &size);
++ if (lut && size != MAX_COLOR_LUT_ENTRIES &&
++ size != MAX_COLOR_LEGACY_LUT_ENTRIES) {
++ DRM_DEBUG_DRIVER(
++ "Invalid Gamma LUT size. Should be %u (or %u for legacy) but got %u.\n",
++ MAX_COLOR_LUT_ENTRIES, MAX_COLOR_LEGACY_LUT_ENTRIES,
++ size);
++ return -EINVAL;
++ }
++
++ return 0;
++}
++
+ /**
+ * amdgpu_dm_update_crtc_color_mgmt: Maps DRM color management to DC stream.
+ * @crtc: amdgpu_dm crtc state
+@@ -317,14 +348,12 @@ int amdgpu_dm_update_crtc_color_mgmt(struct dm_crtc_state *crtc)
+ bool is_legacy;
+ int r;
+
+- degamma_lut = __extract_blob_lut(crtc->base.degamma_lut, °amma_size);
+- if (degamma_lut && degamma_size != MAX_COLOR_LUT_ENTRIES)
+- return -EINVAL;
++ r = amdgpu_dm_verify_lut_sizes(&crtc->base);
++ if (r)
++ return r;
+
++ degamma_lut = __extract_blob_lut(crtc->base.degamma_lut, °amma_size);
+ regamma_lut = __extract_blob_lut(crtc->base.gamma_lut, ®amma_size);
+- if (regamma_lut && regamma_size != MAX_COLOR_LUT_ENTRIES &&
+- regamma_size != MAX_COLOR_LEGACY_LUT_ENTRIES)
+- return -EINVAL;
+
+ has_degamma =
+ degamma_lut && !__is_lut_linear(degamma_lut, degamma_size);
+--
+2.30.2
+
--- /dev/null
+From e6e9df5dbd808e64b428a8eecacbbed3f0b52bc1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 21:14:01 +0800
+Subject: drm/amdgpu: fix bad address translation for sienna_cichlid
+
+From: Stanley.Yang <Stanley.Yang@amd.com>
+
+[ Upstream commit 6ec598cc9dfbf40433e94a2ed1a622e3ef80268b ]
+
+Signed-off-by: Stanley.Yang <Stanley.Yang@amd.com>
+Reviewed-by: Hawking Zhang <Hawking.Zhang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_umc.h | 5 +++++
+ drivers/gpu/drm/amd/amdgpu/umc_v8_7.c | 2 +-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_umc.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_umc.h
+index 183814493658..bda4438c3925 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_umc.h
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_umc.h
+@@ -21,6 +21,11 @@
+ #ifndef __AMDGPU_UMC_H__
+ #define __AMDGPU_UMC_H__
+
++/*
++ * (addr / 256) * 4096, the higher 26 bits in ErrorAddr
++ * is the index of 4KB block
++ */
++#define ADDR_OF_4KB_BLOCK(addr) (((addr) & ~0xffULL) << 4)
+ /*
+ * (addr / 256) * 8192, the higher 26 bits in ErrorAddr
+ * is the index of 8KB block
+diff --git a/drivers/gpu/drm/amd/amdgpu/umc_v8_7.c b/drivers/gpu/drm/amd/amdgpu/umc_v8_7.c
+index 5665c77a9d58..afbbe9f05d5e 100644
+--- a/drivers/gpu/drm/amd/amdgpu/umc_v8_7.c
++++ b/drivers/gpu/drm/amd/amdgpu/umc_v8_7.c
+@@ -233,7 +233,7 @@ static void umc_v8_7_query_error_address(struct amdgpu_device *adev,
+ err_addr &= ~((0x1ULL << lsb) - 1);
+
+ /* translate umc channel address to soc pa, 3 parts are included */
+- retired_page = ADDR_OF_8KB_BLOCK(err_addr) |
++ retired_page = ADDR_OF_4KB_BLOCK(err_addr) |
+ ADDR_OF_256B_BLOCK(channel_index) |
+ OFFSET_IN_256B_BLOCK(err_addr);
+
+--
+2.30.2
+
--- /dev/null
+From 8d5c4118bf552a0ef2dd3bd6f8b57cc57cf6bf98 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 May 2021 10:56:50 +0800
+Subject: drm/amdgpu: remove unsafe optimization to drop preamble ib
+
+From: Jiansong Chen <Jiansong.Chen@amd.com>
+
+[ Upstream commit 7d9c70d23550eb86a1bec1954ccaa8d6ec3a3328 ]
+
+Take the situation with gfxoff, the optimization may cause
+corrupt CE ram contents. In addition emit_cntxcntl callback
+has similar optimization which firmware can handle properly
+even for power feature.
+
+Signed-off-by: Jiansong Chen <Jiansong.Chen@amd.com>
+Reviewed-by: Hawking Zhang <Hawking.Zhang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c | 11 +----------
+ 1 file changed, 1 insertion(+), 10 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c
+index 28f20f0b722f..163188ce02bd 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c
+@@ -128,7 +128,7 @@ int amdgpu_ib_schedule(struct amdgpu_ring *ring, unsigned num_ibs,
+ struct amdgpu_device *adev = ring->adev;
+ struct amdgpu_ib *ib = &ibs[0];
+ struct dma_fence *tmp = NULL;
+- bool skip_preamble, need_ctx_switch;
++ bool need_ctx_switch;
+ unsigned patch_offset = ~0;
+ struct amdgpu_vm *vm;
+ uint64_t fence_ctx;
+@@ -221,7 +221,6 @@ int amdgpu_ib_schedule(struct amdgpu_ring *ring, unsigned num_ibs,
+ if (need_ctx_switch)
+ status |= AMDGPU_HAVE_CTX_SWITCH;
+
+- skip_preamble = ring->current_ctx == fence_ctx;
+ if (job && ring->funcs->emit_cntxcntl) {
+ status |= job->preamble_status;
+ status |= job->preemption_status;
+@@ -239,14 +238,6 @@ int amdgpu_ib_schedule(struct amdgpu_ring *ring, unsigned num_ibs,
+ for (i = 0; i < num_ibs; ++i) {
+ ib = &ibs[i];
+
+- /* drop preamble IBs if we don't have a context switch */
+- if ((ib->flags & AMDGPU_IB_FLAG_PREAMBLE) &&
+- skip_preamble &&
+- !(status & AMDGPU_PREAMBLE_IB_PRESENT_FIRST) &&
+- !amdgpu_mcbp &&
+- !amdgpu_sriov_vf(adev)) /* for SRIOV preemption, Preamble CE ib must be inserted anyway */
+- continue;
+-
+ if (job && ring->funcs->emit_frame_cntl) {
+ if (secure != !!(ib->flags & AMDGPU_IB_FLAGS_SECURE)) {
+ amdgpu_ring_emit_frame_cntl(ring, false, secure);
+--
+2.30.2
+
--- /dev/null
+From 3b940334926372725290622de9082d137fdc6916 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Jun 2021 14:46:21 -0400
+Subject: drm/amdkfd: Fix circular lock in nocpsch path
+
+From: Amber Lin <Amber.Lin@amd.com>
+
+[ Upstream commit a7b2451d31cfa2e8aeccf3b35612ce33f02371fc ]
+
+Calling free_mqd inside of destroy_queue_nocpsch_locked can cause a
+circular lock. destroy_queue_nocpsch_locked is called under a DQM lock,
+which is taken in MMU notifiers, potentially in FS reclaim context.
+Taking another lock, which is BO reservation lock from free_mqd, while
+causing an FS reclaim inside the DQM lock creates a problematic circular
+lock dependency. Therefore move free_mqd out of
+destroy_queue_nocpsch_locked and call it after unlocking DQM.
+
+Signed-off-by: Amber Lin <Amber.Lin@amd.com>
+Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../drm/amd/amdkfd/kfd_device_queue_manager.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
+index b971532e69eb..ffb3d37881a8 100644
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
+@@ -486,9 +486,6 @@ static int destroy_queue_nocpsch_locked(struct device_queue_manager *dqm,
+ if (retval == -ETIME)
+ qpd->reset_wavefronts = true;
+
+-
+- mqd_mgr->free_mqd(mqd_mgr, q->mqd, q->mqd_mem_obj);
+-
+ list_del(&q->list);
+ if (list_empty(&qpd->queues_list)) {
+ if (qpd->reset_wavefronts) {
+@@ -523,6 +520,8 @@ static int destroy_queue_nocpsch(struct device_queue_manager *dqm,
+ int retval;
+ uint64_t sdma_val = 0;
+ struct kfd_process_device *pdd = qpd_to_pdd(qpd);
++ struct mqd_manager *mqd_mgr =
++ dqm->mqd_mgrs[get_mqd_type_from_queue_type(q->properties.type)];
+
+ /* Get the SDMA queue stats */
+ if ((q->properties.type == KFD_QUEUE_TYPE_SDMA) ||
+@@ -540,6 +539,8 @@ static int destroy_queue_nocpsch(struct device_queue_manager *dqm,
+ pdd->sdma_past_activity_counter += sdma_val;
+ dqm_unlock(dqm);
+
++ mqd_mgr->free_mqd(mqd_mgr, q->mqd, q->mqd_mem_obj);
++
+ return retval;
+ }
+
+@@ -1632,7 +1633,7 @@ static int set_trap_handler(struct device_queue_manager *dqm,
+ static int process_termination_nocpsch(struct device_queue_manager *dqm,
+ struct qcm_process_device *qpd)
+ {
+- struct queue *q, *next;
++ struct queue *q;
+ struct device_process_node *cur, *next_dpn;
+ int retval = 0;
+ bool found = false;
+@@ -1640,12 +1641,19 @@ static int process_termination_nocpsch(struct device_queue_manager *dqm,
+ dqm_lock(dqm);
+
+ /* Clear all user mode queues */
+- list_for_each_entry_safe(q, next, &qpd->queues_list, list) {
++ while (!list_empty(&qpd->queues_list)) {
++ struct mqd_manager *mqd_mgr;
+ int ret;
+
++ q = list_first_entry(&qpd->queues_list, struct queue, list);
++ mqd_mgr = dqm->mqd_mgrs[get_mqd_type_from_queue_type(
++ q->properties.type)];
+ ret = destroy_queue_nocpsch_locked(dqm, qpd, q);
+ if (ret)
+ retval = ret;
++ dqm_unlock(dqm);
++ mqd_mgr->free_mqd(mqd_mgr, q->mqd, q->mqd_mem_obj);
++ dqm_lock(dqm);
+ }
+
+ /* Unregister process */
+--
+2.30.2
+
--- /dev/null
+From 90ee2a335ad6eadfd6d00f1e4551fd7a9f937f24 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Jun 2021 13:36:34 -0400
+Subject: drm/amdkfd: fix circular locking on get_wave_state
+
+From: Jonathan Kim <jonathan.kim@amd.com>
+
+[ Upstream commit 63f6e01237257e7226efc5087f3f0b525d320f54 ]
+
+get_wave_state acquires the mmap_lock on copy_to_user but so do
+mmu_notifiers. mmu_notifiers allows dqm locking so do get_wave_state
+outside the dqm_lock to prevent circular locking.
+
+v2: squash in unused variable removal.
+
+Signed-off-by: Jonathan Kim <jonathan.kim@amd.com>
+Reviewed-by: Felix Kuehling <felix.kuehling@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../drm/amd/amdkfd/kfd_device_queue_manager.c | 28 +++++++++----------
+ 1 file changed, 13 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
+index 6ea8a4b6efde..b971532e69eb 100644
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
+@@ -1677,29 +1677,27 @@ static int get_wave_state(struct device_queue_manager *dqm,
+ u32 *save_area_used_size)
+ {
+ struct mqd_manager *mqd_mgr;
+- int r;
+
+ dqm_lock(dqm);
+
+- if (q->properties.type != KFD_QUEUE_TYPE_COMPUTE ||
+- q->properties.is_active || !q->device->cwsr_enabled) {
+- r = -EINVAL;
+- goto dqm_unlock;
+- }
+-
+ mqd_mgr = dqm->mqd_mgrs[KFD_MQD_TYPE_CP];
+
+- if (!mqd_mgr->get_wave_state) {
+- r = -EINVAL;
+- goto dqm_unlock;
++ if (q->properties.type != KFD_QUEUE_TYPE_COMPUTE ||
++ q->properties.is_active || !q->device->cwsr_enabled ||
++ !mqd_mgr->get_wave_state) {
++ dqm_unlock(dqm);
++ return -EINVAL;
+ }
+
+- r = mqd_mgr->get_wave_state(mqd_mgr, q->mqd, ctl_stack,
+- ctl_stack_used_size, save_area_used_size);
+-
+-dqm_unlock:
+ dqm_unlock(dqm);
+- return r;
++
++ /*
++ * get_wave_state is outside the dqm lock to prevent circular locking
++ * and the queue should be protected against destruction by the process
++ * lock.
++ */
++ return mqd_mgr->get_wave_state(mqd_mgr, q->mqd, ctl_stack,
++ ctl_stack_used_size, save_area_used_size);
+ }
+
+ static int process_termination_cpsch(struct device_queue_manager *dqm,
+--
+2.30.2
+
--- /dev/null
+From 9da050bfd8934aa4e1e4cc99a0fcc236d245549d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jun 2021 13:23:44 +0200
+Subject: drm/amdkfd: use allowed domain for vmbo validation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nirmoy Das <nirmoy.das@amd.com>
+
+[ Upstream commit bc05716d4fdd065013633602c5960a2bf1511b9c ]
+
+Fixes handling when page tables are in system memory.
+
+v3: remove struct amdgpu_vm_parser.
+v2: remove unwanted variable.
+ change amdgpu_amdkfd_validate instead of amdgpu_amdkfd_bo_validate.
+
+Signed-off-by: Nirmoy Das <nirmoy.das@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 21 ++++---------------
+ 1 file changed, 4 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
+index 5da487b64a66..26f8a2138377 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
+@@ -48,12 +48,6 @@ static struct {
+ spinlock_t mem_limit_lock;
+ } kfd_mem_limit;
+
+-/* Struct used for amdgpu_amdkfd_bo_validate */
+-struct amdgpu_vm_parser {
+- uint32_t domain;
+- bool wait;
+-};
+-
+ static const char * const domain_bit_to_string[] = {
+ "CPU",
+ "GTT",
+@@ -337,11 +331,9 @@ validate_fail:
+ return ret;
+ }
+
+-static int amdgpu_amdkfd_validate(void *param, struct amdgpu_bo *bo)
++static int amdgpu_amdkfd_validate_vm_bo(void *_unused, struct amdgpu_bo *bo)
+ {
+- struct amdgpu_vm_parser *p = param;
+-
+- return amdgpu_amdkfd_bo_validate(bo, p->domain, p->wait);
++ return amdgpu_amdkfd_bo_validate(bo, bo->allowed_domains, false);
+ }
+
+ /* vm_validate_pt_pd_bos - Validate page table and directory BOs
+@@ -355,20 +347,15 @@ static int vm_validate_pt_pd_bos(struct amdgpu_vm *vm)
+ {
+ struct amdgpu_bo *pd = vm->root.base.bo;
+ struct amdgpu_device *adev = amdgpu_ttm_adev(pd->tbo.bdev);
+- struct amdgpu_vm_parser param;
+ int ret;
+
+- param.domain = AMDGPU_GEM_DOMAIN_VRAM;
+- param.wait = false;
+-
+- ret = amdgpu_vm_validate_pt_bos(adev, vm, amdgpu_amdkfd_validate,
+- ¶m);
++ ret = amdgpu_vm_validate_pt_bos(adev, vm, amdgpu_amdkfd_validate_vm_bo, NULL);
+ if (ret) {
+ pr_err("failed to validate PT BOs\n");
+ return ret;
+ }
+
+- ret = amdgpu_amdkfd_validate(¶m, pd);
++ ret = amdgpu_amdkfd_validate_vm_bo(NULL, pd);
+ if (ret) {
+ pr_err("failed to validate PD\n");
+ return ret;
+--
+2.30.2
+
--- /dev/null
+From d8dcc4499af4ac962ca8fab49d88e14dab7ecac0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jun 2021 15:11:07 +0800
+Subject: drm/amdkfd: Walk through list with dqm lock hold
+
+From: xinhui pan <xinhui.pan@amd.com>
+
+[ Upstream commit 56f221b6389e7ab99c30bbf01c71998ae92fc584 ]
+
+To avoid any list corruption.
+
+Signed-off-by: xinhui pan <xinhui.pan@amd.com>
+Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../drm/amd/amdkfd/kfd_device_queue_manager.c | 22 ++++++++++---------
+ 1 file changed, 12 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
+index ffb3d37881a8..352a32dc609b 100644
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
+@@ -1712,7 +1712,7 @@ static int process_termination_cpsch(struct device_queue_manager *dqm,
+ struct qcm_process_device *qpd)
+ {
+ int retval;
+- struct queue *q, *next;
++ struct queue *q;
+ struct kernel_queue *kq, *kq_next;
+ struct mqd_manager *mqd_mgr;
+ struct device_process_node *cur, *next_dpn;
+@@ -1769,24 +1769,26 @@ static int process_termination_cpsch(struct device_queue_manager *dqm,
+ qpd->reset_wavefronts = false;
+ }
+
+- dqm_unlock(dqm);
+-
+- /* Outside the DQM lock because under the DQM lock we can't do
+- * reclaim or take other locks that others hold while reclaiming.
+- */
+- if (found)
+- kfd_dec_compute_active(dqm->dev);
+-
+ /* Lastly, free mqd resources.
+ * Do free_mqd() after dqm_unlock to avoid circular locking.
+ */
+- list_for_each_entry_safe(q, next, &qpd->queues_list, list) {
++ while (!list_empty(&qpd->queues_list)) {
++ q = list_first_entry(&qpd->queues_list, struct queue, list);
+ mqd_mgr = dqm->mqd_mgrs[get_mqd_type_from_queue_type(
+ q->properties.type)];
+ list_del(&q->list);
+ qpd->queue_count--;
++ dqm_unlock(dqm);
+ mqd_mgr->free_mqd(mqd_mgr, q->mqd, q->mqd_mem_obj);
++ dqm_lock(dqm);
+ }
++ dqm_unlock(dqm);
++
++ /* Outside the DQM lock because under the DQM lock we can't do
++ * reclaim or take other locks that others hold while reclaiming.
++ */
++ if (found)
++ kfd_dec_compute_active(dqm->dev);
+
+ return retval;
+ }
+--
+2.30.2
+
--- /dev/null
+From 2d950cca835f21d3f27c7ee4d024c3ce9ab7dcf8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Apr 2021 16:58:59 +0800
+Subject: drm/ast: Fixed CVE for DP501
+
+From: KuoHsiang Chou <kuohsiang_chou@aspeedtech.com>
+
+[ Upstream commit ba4e0339a6a33e2ba341703ce14ae8ca203cb2f1 ]
+
+[Bug][DP501]
+If ASPEED P2A (PCI to AHB) bridge is disabled and disallowed for
+CVE_2019_6260 item3, and then the monitor's EDID is unable read through
+Parade DP501.
+The reason is the DP501's FW is mapped to BMC addressing space rather
+than Host addressing space.
+The resolution is that using "pci_iomap_range()" maps to DP501's FW that
+stored on the end of FB (Frame Buffer).
+In this case, FrameBuffer reserves the last 2MB used for the image of
+DP501.
+
+Signed-off-by: KuoHsiang Chou <kuohsiang_chou@aspeedtech.com>
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210421085859.17761-1-kuohsiang_chou@aspeedtech.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/ast/ast_dp501.c | 139 +++++++++++++++++++++++---------
+ drivers/gpu/drm/ast/ast_drv.h | 12 +++
+ drivers/gpu/drm/ast/ast_main.c | 10 ++-
+ 3 files changed, 124 insertions(+), 37 deletions(-)
+
+diff --git a/drivers/gpu/drm/ast/ast_dp501.c b/drivers/gpu/drm/ast/ast_dp501.c
+index 88121c0e0d05..cd93c44f2662 100644
+--- a/drivers/gpu/drm/ast/ast_dp501.c
++++ b/drivers/gpu/drm/ast/ast_dp501.c
+@@ -189,6 +189,9 @@ bool ast_backup_fw(struct drm_device *dev, u8 *addr, u32 size)
+ u32 i, data;
+ u32 boot_address;
+
++ if (ast->config_mode != ast_use_p2a)
++ return false;
++
+ data = ast_mindwm(ast, 0x1e6e2100) & 0x01;
+ if (data) {
+ boot_address = get_fw_base(ast);
+@@ -207,6 +210,9 @@ static bool ast_launch_m68k(struct drm_device *dev)
+ u8 *fw_addr = NULL;
+ u8 jreg;
+
++ if (ast->config_mode != ast_use_p2a)
++ return false;
++
+ data = ast_mindwm(ast, 0x1e6e2100) & 0x01;
+ if (!data) {
+
+@@ -271,25 +277,55 @@ u8 ast_get_dp501_max_clk(struct drm_device *dev)
+ struct ast_private *ast = to_ast_private(dev);
+ u32 boot_address, offset, data;
+ u8 linkcap[4], linkrate, linklanes, maxclk = 0xff;
++ u32 *plinkcap;
+
+- boot_address = get_fw_base(ast);
+-
+- /* validate FW version */
+- offset = 0xf000;
+- data = ast_mindwm(ast, boot_address + offset);
+- if ((data & 0xf0) != 0x10) /* version: 1x */
+- return maxclk;
+-
+- /* Read Link Capability */
+- offset = 0xf014;
+- *(u32 *)linkcap = ast_mindwm(ast, boot_address + offset);
+- if (linkcap[2] == 0) {
+- linkrate = linkcap[0];
+- linklanes = linkcap[1];
+- data = (linkrate == 0x0a) ? (90 * linklanes) : (54 * linklanes);
+- if (data > 0xff)
+- data = 0xff;
+- maxclk = (u8)data;
++ if (ast->config_mode == ast_use_p2a) {
++ boot_address = get_fw_base(ast);
++
++ /* validate FW version */
++ offset = AST_DP501_GBL_VERSION;
++ data = ast_mindwm(ast, boot_address + offset);
++ if ((data & AST_DP501_FW_VERSION_MASK) != AST_DP501_FW_VERSION_1) /* version: 1x */
++ return maxclk;
++
++ /* Read Link Capability */
++ offset = AST_DP501_LINKRATE;
++ plinkcap = (u32 *)linkcap;
++ *plinkcap = ast_mindwm(ast, boot_address + offset);
++ if (linkcap[2] == 0) {
++ linkrate = linkcap[0];
++ linklanes = linkcap[1];
++ data = (linkrate == 0x0a) ? (90 * linklanes) : (54 * linklanes);
++ if (data > 0xff)
++ data = 0xff;
++ maxclk = (u8)data;
++ }
++ } else {
++ if (!ast->dp501_fw_buf)
++ return AST_DP501_DEFAULT_DCLK; /* 1024x768 as default */
++
++ /* dummy read */
++ offset = 0x0000;
++ data = readl(ast->dp501_fw_buf + offset);
++
++ /* validate FW version */
++ offset = AST_DP501_GBL_VERSION;
++ data = readl(ast->dp501_fw_buf + offset);
++ if ((data & AST_DP501_FW_VERSION_MASK) != AST_DP501_FW_VERSION_1) /* version: 1x */
++ return maxclk;
++
++ /* Read Link Capability */
++ offset = AST_DP501_LINKRATE;
++ plinkcap = (u32 *)linkcap;
++ *plinkcap = readl(ast->dp501_fw_buf + offset);
++ if (linkcap[2] == 0) {
++ linkrate = linkcap[0];
++ linklanes = linkcap[1];
++ data = (linkrate == 0x0a) ? (90 * linklanes) : (54 * linklanes);
++ if (data > 0xff)
++ data = 0xff;
++ maxclk = (u8)data;
++ }
+ }
+ return maxclk;
+ }
+@@ -298,26 +334,57 @@ bool ast_dp501_read_edid(struct drm_device *dev, u8 *ediddata)
+ {
+ struct ast_private *ast = to_ast_private(dev);
+ u32 i, boot_address, offset, data;
++ u32 *pEDIDidx;
+
+- boot_address = get_fw_base(ast);
+-
+- /* validate FW version */
+- offset = 0xf000;
+- data = ast_mindwm(ast, boot_address + offset);
+- if ((data & 0xf0) != 0x10)
+- return false;
+-
+- /* validate PnP Monitor */
+- offset = 0xf010;
+- data = ast_mindwm(ast, boot_address + offset);
+- if (!(data & 0x01))
+- return false;
++ if (ast->config_mode == ast_use_p2a) {
++ boot_address = get_fw_base(ast);
+
+- /* Read EDID */
+- offset = 0xf020;
+- for (i = 0; i < 128; i += 4) {
+- data = ast_mindwm(ast, boot_address + offset + i);
+- *(u32 *)(ediddata + i) = data;
++ /* validate FW version */
++ offset = AST_DP501_GBL_VERSION;
++ data = ast_mindwm(ast, boot_address + offset);
++ if ((data & AST_DP501_FW_VERSION_MASK) != AST_DP501_FW_VERSION_1)
++ return false;
++
++ /* validate PnP Monitor */
++ offset = AST_DP501_PNPMONITOR;
++ data = ast_mindwm(ast, boot_address + offset);
++ if (!(data & AST_DP501_PNP_CONNECTED))
++ return false;
++
++ /* Read EDID */
++ offset = AST_DP501_EDID_DATA;
++ for (i = 0; i < 128; i += 4) {
++ data = ast_mindwm(ast, boot_address + offset + i);
++ pEDIDidx = (u32 *)(ediddata + i);
++ *pEDIDidx = data;
++ }
++ } else {
++ if (!ast->dp501_fw_buf)
++ return false;
++
++ /* dummy read */
++ offset = 0x0000;
++ data = readl(ast->dp501_fw_buf + offset);
++
++ /* validate FW version */
++ offset = AST_DP501_GBL_VERSION;
++ data = readl(ast->dp501_fw_buf + offset);
++ if ((data & AST_DP501_FW_VERSION_MASK) != AST_DP501_FW_VERSION_1)
++ return false;
++
++ /* validate PnP Monitor */
++ offset = AST_DP501_PNPMONITOR;
++ data = readl(ast->dp501_fw_buf + offset);
++ if (!(data & AST_DP501_PNP_CONNECTED))
++ return false;
++
++ /* Read EDID */
++ offset = AST_DP501_EDID_DATA;
++ for (i = 0; i < 128; i += 4) {
++ data = readl(ast->dp501_fw_buf + offset + i);
++ pEDIDidx = (u32 *)(ediddata + i);
++ *pEDIDidx = data;
++ }
+ }
+
+ return true;
+diff --git a/drivers/gpu/drm/ast/ast_drv.h b/drivers/gpu/drm/ast/ast_drv.h
+index 467049ca8430..b68b1ddfecb7 100644
+--- a/drivers/gpu/drm/ast/ast_drv.h
++++ b/drivers/gpu/drm/ast/ast_drv.h
+@@ -120,6 +120,7 @@ struct ast_private {
+
+ void __iomem *regs;
+ void __iomem *ioregs;
++ void __iomem *dp501_fw_buf;
+
+ enum ast_chip chip;
+ bool vga2_clone;
+@@ -298,6 +299,17 @@ int ast_mode_config_init(struct ast_private *ast);
+ #define AST_MM_ALIGN_SHIFT 4
+ #define AST_MM_ALIGN_MASK ((1 << AST_MM_ALIGN_SHIFT) - 1)
+
++#define AST_DP501_FW_VERSION_MASK GENMASK(7, 4)
++#define AST_DP501_FW_VERSION_1 BIT(4)
++#define AST_DP501_PNP_CONNECTED BIT(1)
++
++#define AST_DP501_DEFAULT_DCLK 65
++
++#define AST_DP501_GBL_VERSION 0xf000
++#define AST_DP501_PNPMONITOR 0xf010
++#define AST_DP501_LINKRATE 0xf014
++#define AST_DP501_EDID_DATA 0xf020
++
+ int ast_mm_init(struct ast_private *ast);
+
+ /* ast post */
+diff --git a/drivers/gpu/drm/ast/ast_main.c b/drivers/gpu/drm/ast/ast_main.c
+index ee82b2ddf932..0d163511564e 100644
+--- a/drivers/gpu/drm/ast/ast_main.c
++++ b/drivers/gpu/drm/ast/ast_main.c
+@@ -98,7 +98,7 @@ static void ast_detect_config_mode(struct drm_device *dev, u32 *scu_rev)
+ if (!(jregd0 & 0x80) || !(jregd1 & 0x10)) {
+ /* Double check it's actually working */
+ data = ast_read32(ast, 0xf004);
+- if (data != 0xFFFFFFFF) {
++ if ((data != 0xFFFFFFFF) && (data != 0x00)) {
+ /* P2A works, grab silicon revision */
+ ast->config_mode = ast_use_p2a;
+
+@@ -446,6 +446,14 @@ struct ast_private *ast_device_create(struct drm_driver *drv,
+ if (ret)
+ return ERR_PTR(ret);
+
++ /* map reserved buffer */
++ ast->dp501_fw_buf = NULL;
++ if (dev->vram_mm->vram_size < pci_resource_len(dev->pdev, 0)) {
++ ast->dp501_fw_buf = pci_iomap_range(dev->pdev, 0, dev->vram_mm->vram_size, 0);
++ if (!ast->dp501_fw_buf)
++ drm_info(dev, "failed to map reserved buffer!\n");
++ }
++
+ ret = ast_mode_config_init(ast);
+ if (ret)
+ return ERR_PTR(ret);
+--
+2.30.2
+
--- /dev/null
+From 29f0eae82f1d469f701223bdfa596b38f00b38af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 May 2021 15:21:02 +0800
+Subject: drm/bridge: cdns: Fix PM reference leak in cdns_dsi_transfer()
+
+From: Zou Wei <zou_wei@huawei.com>
+
+[ Upstream commit 33f90f27e1c5ccd648d3e78a1c28be9ee8791cf1 ]
+
+pm_runtime_get_sync will increment pm usage counter even it failed.
+Forgetting to putting operation will result in reference leak here.
+Fix it by replacing it with pm_runtime_resume_and_get to keep usage
+counter balanced.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zou Wei <zou_wei@huawei.com>
+Reviewed-by: Robert Foss <robert.foss@linaro.org>
+Signed-off-by: Robert Foss <robert.foss@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/1621840862-106024-1-git-send-email-zou_wei@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/cdns-dsi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/bridge/cdns-dsi.c b/drivers/gpu/drm/bridge/cdns-dsi.c
+index 76373e31df92..b31281f76117 100644
+--- a/drivers/gpu/drm/bridge/cdns-dsi.c
++++ b/drivers/gpu/drm/bridge/cdns-dsi.c
+@@ -1028,7 +1028,7 @@ static ssize_t cdns_dsi_transfer(struct mipi_dsi_host *host,
+ struct mipi_dsi_packet packet;
+ int ret, i, tx_len, rx_len;
+
+- ret = pm_runtime_get_sync(host->dev);
++ ret = pm_runtime_resume_and_get(host->dev);
+ if (ret < 0)
+ return ret;
+
+--
+2.30.2
+
--- /dev/null
+From dc85fb184775a4aec4b84ddefab01bf119cfb293 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 May 2021 21:56:22 +0800
+Subject: drm: bridge: cdns-mhdp8546: Fix PM reference leak in
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit f674555ee5444c8987dfea0922f1cf6bf0c12847 ]
+
+pm_runtime_get_sync will increment pm usage counter even it failed.
+Forgetting to putting operation will result in reference leak here.
+Fix it by replacing it with pm_runtime_resume_and_get to keep usage
+counter balanced.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Reviewed-by: Robert Foss <robert.foss@linaro.org>
+Signed-off-by: Robert Foss <robert.foss@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210531135622.3348252-1-yukuai3@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c
+index d0c65610ebb5..f56ff97c9899 100644
+--- a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c
++++ b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c
+@@ -2369,9 +2369,9 @@ static int cdns_mhdp_probe(struct platform_device *pdev)
+ clk_prepare_enable(clk);
+
+ pm_runtime_enable(dev);
+- ret = pm_runtime_get_sync(dev);
++ ret = pm_runtime_resume_and_get(dev);
+ if (ret < 0) {
+- dev_err(dev, "pm_runtime_get_sync failed\n");
++ dev_err(dev, "pm_runtime_resume_and_get failed\n");
+ pm_runtime_disable(dev);
+ goto clk_disable;
+ }
+--
+2.30.2
+
--- /dev/null
+From 90b24170907b99573dcd7c4304f4a74543bd923a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 May 2021 14:45:55 +0800
+Subject: drm/bridge: lt9611: Add missing MODULE_DEVICE_TABLE
+
+From: Zou Wei <zou_wei@huawei.com>
+
+[ Upstream commit 8d0b1fe81e18eb66a2d4406386760795fe0d77d9 ]
+
+This patch adds missing MODULE_DEVICE_TABLE definition which generates
+correct modalias for automatic loading of this driver when it is built
+as an external module.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zou Wei <zou_wei@huawei.com>
+Reviewed-by: Robert Foss <robert.foss@linaro.org>
+Signed-off-by: Robert Foss <robert.foss@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/1620801955-19188-1-git-send-email-zou_wei@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/lontium-lt9611.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/bridge/lontium-lt9611.c b/drivers/gpu/drm/bridge/lontium-lt9611.c
+index d734d9402c35..c1926154eda8 100644
+--- a/drivers/gpu/drm/bridge/lontium-lt9611.c
++++ b/drivers/gpu/drm/bridge/lontium-lt9611.c
+@@ -1209,6 +1209,7 @@ static struct i2c_device_id lt9611_id[] = {
+ { "lontium,lt9611", 0 },
+ {}
+ };
++MODULE_DEVICE_TABLE(i2c, lt9611_id);
+
+ static const struct of_device_id lt9611_match_table[] = {
+ { .compatible = "lontium,lt9611" },
+--
+2.30.2
+
--- /dev/null
+From 81d9b16e20d40abd1326e5ce5431c74a2994973b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Apr 2021 17:26:41 +0800
+Subject: drm/bridge: nwl-dsi: Force a full modeset when crtc_state->active is
+ changed to be true
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Liu Ying <victor.liu@nxp.com>
+
+[ Upstream commit 3afb2a28fa2404d11cce1956a003f2aaca4da421 ]
+
+This patch replaces ->mode_fixup() with ->atomic_check() so that
+a full modeset can be requested from there when crtc_state->active
+is changed to be true(which implies only connector's DPMS is brought
+out of "Off" status, though not necessarily). Bridge functions are
+added or changed to accommodate the ->atomic_check() callback. That
+full modeset is needed by the up-coming patch which gets MIPI DSI
+controller and PHY ready in ->mode_set(), because it makes sure
+->mode_set() and ->atomic_disable() are called in pairs.
+
+Cc: Andrzej Hajda <a.hajda@samsung.com>
+Cc: Neil Armstrong <narmstrong@baylibre.com>
+Cc: Robert Foss <robert.foss@linaro.org>
+Cc: Laurent Pinchart <Laurent.pinchart@ideasonboard.com>
+Cc: Jonas Karlman <jonas@kwiboo.se>
+Cc: Jernej Skrabec <jernej.skrabec@siol.net>
+Cc: David Airlie <airlied@linux.ie>
+Cc: Daniel Vetter <daniel@ffwll.ch>
+Cc: Guido Günther <agx@sigxcpu.org>
+Cc: Robert Chiras <robert.chiras@nxp.com>
+Cc: NXP Linux Team <linux-imx@nxp.com>
+Signed-off-by: Liu Ying <victor.liu@nxp.com>
+Reviewed-by: Neil Armstrong <narmstrong@baylibre.com>
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/1619170003-4817-2-git-send-email-victor.liu@nxp.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/nwl-dsi.c | 61 ++++++++++++++++++++------------
+ 1 file changed, 39 insertions(+), 22 deletions(-)
+
+diff --git a/drivers/gpu/drm/bridge/nwl-dsi.c b/drivers/gpu/drm/bridge/nwl-dsi.c
+index 66b67402f1ac..c65ca860712d 100644
+--- a/drivers/gpu/drm/bridge/nwl-dsi.c
++++ b/drivers/gpu/drm/bridge/nwl-dsi.c
+@@ -21,6 +21,7 @@
+ #include <linux/sys_soc.h>
+ #include <linux/time64.h>
+
++#include <drm/drm_atomic_state_helper.h>
+ #include <drm/drm_bridge.h>
+ #include <drm/drm_mipi_dsi.h>
+ #include <drm/drm_of.h>
+@@ -742,7 +743,9 @@ static int nwl_dsi_disable(struct nwl_dsi *dsi)
+ return 0;
+ }
+
+-static void nwl_dsi_bridge_disable(struct drm_bridge *bridge)
++static void
++nwl_dsi_bridge_atomic_disable(struct drm_bridge *bridge,
++ struct drm_bridge_state *old_bridge_state)
+ {
+ struct nwl_dsi *dsi = bridge_to_dsi(bridge);
+ int ret;
+@@ -803,17 +806,6 @@ static int nwl_dsi_get_dphy_params(struct nwl_dsi *dsi,
+ return 0;
+ }
+
+-static bool nwl_dsi_bridge_mode_fixup(struct drm_bridge *bridge,
+- const struct drm_display_mode *mode,
+- struct drm_display_mode *adjusted_mode)
+-{
+- /* At least LCDIF + NWL needs active high sync */
+- adjusted_mode->flags |= (DRM_MODE_FLAG_PHSYNC | DRM_MODE_FLAG_PVSYNC);
+- adjusted_mode->flags &= ~(DRM_MODE_FLAG_NHSYNC | DRM_MODE_FLAG_NVSYNC);
+-
+- return true;
+-}
+-
+ static enum drm_mode_status
+ nwl_dsi_bridge_mode_valid(struct drm_bridge *bridge,
+ const struct drm_display_info *info,
+@@ -831,6 +823,24 @@ nwl_dsi_bridge_mode_valid(struct drm_bridge *bridge,
+ return MODE_OK;
+ }
+
++static int nwl_dsi_bridge_atomic_check(struct drm_bridge *bridge,
++ struct drm_bridge_state *bridge_state,
++ struct drm_crtc_state *crtc_state,
++ struct drm_connector_state *conn_state)
++{
++ struct drm_display_mode *adjusted_mode = &crtc_state->adjusted_mode;
++
++ /* At least LCDIF + NWL needs active high sync */
++ adjusted_mode->flags |= (DRM_MODE_FLAG_PHSYNC | DRM_MODE_FLAG_PVSYNC);
++ adjusted_mode->flags &= ~(DRM_MODE_FLAG_NHSYNC | DRM_MODE_FLAG_NVSYNC);
++
++ /* Do a full modeset if crtc_state->active is changed to be true. */
++ if (crtc_state->active_changed && crtc_state->active)
++ crtc_state->mode_changed = true;
++
++ return 0;
++}
++
+ static void
+ nwl_dsi_bridge_mode_set(struct drm_bridge *bridge,
+ const struct drm_display_mode *mode,
+@@ -862,7 +872,9 @@ nwl_dsi_bridge_mode_set(struct drm_bridge *bridge,
+ drm_mode_debug_printmodeline(adjusted_mode);
+ }
+
+-static void nwl_dsi_bridge_pre_enable(struct drm_bridge *bridge)
++static void
++nwl_dsi_bridge_atomic_pre_enable(struct drm_bridge *bridge,
++ struct drm_bridge_state *old_bridge_state)
+ {
+ struct nwl_dsi *dsi = bridge_to_dsi(bridge);
+ int ret;
+@@ -897,7 +909,9 @@ static void nwl_dsi_bridge_pre_enable(struct drm_bridge *bridge)
+ }
+ }
+
+-static void nwl_dsi_bridge_enable(struct drm_bridge *bridge)
++static void
++nwl_dsi_bridge_atomic_enable(struct drm_bridge *bridge,
++ struct drm_bridge_state *old_bridge_state)
+ {
+ struct nwl_dsi *dsi = bridge_to_dsi(bridge);
+ int ret;
+@@ -942,14 +956,17 @@ static void nwl_dsi_bridge_detach(struct drm_bridge *bridge)
+ }
+
+ static const struct drm_bridge_funcs nwl_dsi_bridge_funcs = {
+- .pre_enable = nwl_dsi_bridge_pre_enable,
+- .enable = nwl_dsi_bridge_enable,
+- .disable = nwl_dsi_bridge_disable,
+- .mode_fixup = nwl_dsi_bridge_mode_fixup,
+- .mode_set = nwl_dsi_bridge_mode_set,
+- .mode_valid = nwl_dsi_bridge_mode_valid,
+- .attach = nwl_dsi_bridge_attach,
+- .detach = nwl_dsi_bridge_detach,
++ .atomic_duplicate_state = drm_atomic_helper_bridge_duplicate_state,
++ .atomic_destroy_state = drm_atomic_helper_bridge_destroy_state,
++ .atomic_reset = drm_atomic_helper_bridge_reset,
++ .atomic_check = nwl_dsi_bridge_atomic_check,
++ .atomic_pre_enable = nwl_dsi_bridge_atomic_pre_enable,
++ .atomic_enable = nwl_dsi_bridge_atomic_enable,
++ .atomic_disable = nwl_dsi_bridge_atomic_disable,
++ .mode_set = nwl_dsi_bridge_mode_set,
++ .mode_valid = nwl_dsi_bridge_mode_valid,
++ .attach = nwl_dsi_bridge_attach,
++ .detach = nwl_dsi_bridge_detach,
+ };
+
+ static int nwl_dsi_parse_dt(struct nwl_dsi *dsi)
+--
+2.30.2
+
--- /dev/null
+From a0d252f9691f44228a5e4ebcb78cf4b35c143691 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 Apr 2021 03:48:41 +0000
+Subject: drm/mediatek: Fix PM reference leak in mtk_crtc_ddp_hw_init()
+
+From: Wang Li <wangli74@huawei.com>
+
+[ Upstream commit 69777e6ca396f0a7e1baff40fcad4a9d3d445b7a ]
+
+pm_runtime_get_sync will increment pm usage counter even it failed.
+Forgetting to putting operation will result in reference leak here.
+Fix it by replacing it with pm_runtime_resume_and_get to keep usage
+counter balanced.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wang Li <wangli74@huawei.com>
+Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/mediatek/mtk_drm_crtc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c
+index ac038572164d..dfd5ed15a7f4 100644
+--- a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c
++++ b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c
+@@ -274,7 +274,7 @@ static int mtk_crtc_ddp_hw_init(struct mtk_drm_crtc *mtk_crtc)
+ drm_connector_list_iter_end(&conn_iter);
+ }
+
+- ret = pm_runtime_get_sync(crtc->dev->dev);
++ ret = pm_runtime_resume_and_get(crtc->dev->dev);
+ if (ret < 0) {
+ DRM_ERROR("Failed to enable power domain: %d\n", ret);
+ return ret;
+--
+2.30.2
+
--- /dev/null
+From 91a1b258c108f752ed6f35efd01a85440d943407 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Apr 2021 13:00:38 +0200
+Subject: drm/mxsfb: Don't select DRM_KMS_FB_HELPER
+
+From: Thomas Zimmermann <tzimmermann@suse.de>
+
+[ Upstream commit 13b29cc3a722c2c0bc9ab9f72f9047d55d08a2f9 ]
+
+Selecting DRM_FBDEV_EMULATION will include the correct settings for
+fbdev emulation. Drivers should not override this.
+
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Acked-by: Stefan Agner <stefan@agner.ch>
+Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210415110040.23525-3-tzimmermann@suse.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/mxsfb/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/mxsfb/Kconfig b/drivers/gpu/drm/mxsfb/Kconfig
+index 0143d539f8f8..ee22cd25d3e3 100644
+--- a/drivers/gpu/drm/mxsfb/Kconfig
++++ b/drivers/gpu/drm/mxsfb/Kconfig
+@@ -10,7 +10,6 @@ config DRM_MXSFB
+ depends on COMMON_CLK
+ select DRM_MXS
+ select DRM_KMS_HELPER
+- select DRM_KMS_FB_HELPER
+ select DRM_KMS_CMA_HELPER
+ select DRM_PANEL
+ select DRM_PANEL_BRIDGE
+--
+2.30.2
+
--- /dev/null
+From e2e3fcf7f5064c4d90b922e0437cd914b7b787e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 May 2021 15:05:52 +0200
+Subject: drm: rockchip: add missing registers for RK3066
+
+From: Alex Bee <knaerzche@gmail.com>
+
+[ Upstream commit 742203cd56d150eb7884eb45abb7d9dbc2bdbf04 ]
+
+Add dither_up, dsp_lut_en and data_blank registers to enable their
+respective functionality for RK3066's VOP.
+
+While at that also fix .rb_swap and .format registers for all windows,
+which have to be set though RK3066_SYS_CTRL1 register.
+Also remove .scl from win1: Scaling is only supported on the primary
+plane.
+
+Signed-off-by: Alex Bee <knaerzche@gmail.com>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210528130554.72191-4-knaerzche@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/rockchip/rockchip_vop_reg.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/gpu/drm/rockchip/rockchip_vop_reg.c b/drivers/gpu/drm/rockchip/rockchip_vop_reg.c
+index b8dcee64a1f7..a6fe03c3748a 100644
+--- a/drivers/gpu/drm/rockchip/rockchip_vop_reg.c
++++ b/drivers/gpu/drm/rockchip/rockchip_vop_reg.c
+@@ -349,8 +349,8 @@ static const struct vop_win_phy rk3066_win0_data = {
+ .nformats = ARRAY_SIZE(formats_win_full),
+ .format_modifiers = format_modifiers_win_full,
+ .enable = VOP_REG(RK3066_SYS_CTRL1, 0x1, 0),
+- .format = VOP_REG(RK3066_SYS_CTRL0, 0x7, 4),
+- .rb_swap = VOP_REG(RK3066_SYS_CTRL0, 0x1, 19),
++ .format = VOP_REG(RK3066_SYS_CTRL1, 0x7, 4),
++ .rb_swap = VOP_REG(RK3066_SYS_CTRL1, 0x1, 19),
+ .act_info = VOP_REG(RK3066_WIN0_ACT_INFO, 0x1fff1fff, 0),
+ .dsp_info = VOP_REG(RK3066_WIN0_DSP_INFO, 0x0fff0fff, 0),
+ .dsp_st = VOP_REG(RK3066_WIN0_DSP_ST, 0x1fff1fff, 0),
+@@ -361,13 +361,12 @@ static const struct vop_win_phy rk3066_win0_data = {
+ };
+
+ static const struct vop_win_phy rk3066_win1_data = {
+- .scl = &rk3066_win_scl,
+ .data_formats = formats_win_full,
+ .nformats = ARRAY_SIZE(formats_win_full),
+ .format_modifiers = format_modifiers_win_full,
+ .enable = VOP_REG(RK3066_SYS_CTRL1, 0x1, 1),
+- .format = VOP_REG(RK3066_SYS_CTRL0, 0x7, 7),
+- .rb_swap = VOP_REG(RK3066_SYS_CTRL0, 0x1, 23),
++ .format = VOP_REG(RK3066_SYS_CTRL1, 0x7, 7),
++ .rb_swap = VOP_REG(RK3066_SYS_CTRL1, 0x1, 23),
+ .act_info = VOP_REG(RK3066_WIN1_ACT_INFO, 0x1fff1fff, 0),
+ .dsp_info = VOP_REG(RK3066_WIN1_DSP_INFO, 0x0fff0fff, 0),
+ .dsp_st = VOP_REG(RK3066_WIN1_DSP_ST, 0x1fff1fff, 0),
+@@ -382,8 +381,8 @@ static const struct vop_win_phy rk3066_win2_data = {
+ .nformats = ARRAY_SIZE(formats_win_lite),
+ .format_modifiers = format_modifiers_win_lite,
+ .enable = VOP_REG(RK3066_SYS_CTRL1, 0x1, 2),
+- .format = VOP_REG(RK3066_SYS_CTRL0, 0x7, 10),
+- .rb_swap = VOP_REG(RK3066_SYS_CTRL0, 0x1, 27),
++ .format = VOP_REG(RK3066_SYS_CTRL1, 0x7, 10),
++ .rb_swap = VOP_REG(RK3066_SYS_CTRL1, 0x1, 27),
+ .dsp_info = VOP_REG(RK3066_WIN2_DSP_INFO, 0x0fff0fff, 0),
+ .dsp_st = VOP_REG(RK3066_WIN2_DSP_ST, 0x1fff1fff, 0),
+ .yrgb_mst = VOP_REG(RK3066_WIN2_MST, 0xffffffff, 0),
+@@ -408,6 +407,9 @@ static const struct vop_common rk3066_common = {
+ .dither_down_en = VOP_REG(RK3066_DSP_CTRL0, 0x1, 11),
+ .dither_down_mode = VOP_REG(RK3066_DSP_CTRL0, 0x1, 10),
+ .dsp_blank = VOP_REG(RK3066_DSP_CTRL1, 0x1, 24),
++ .dither_up = VOP_REG(RK3066_DSP_CTRL0, 0x1, 9),
++ .dsp_lut_en = VOP_REG(RK3066_SYS_CTRL1, 0x1, 31),
++ .data_blank = VOP_REG(RK3066_DSP_CTRL1, 0x1, 25),
+ };
+
+ static const struct vop_win_data rk3066_vop_win_data[] = {
+--
+2.30.2
+
--- /dev/null
+From 268c27aa5423c9c590c3982e2944159b84a6b958 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 May 2021 15:05:51 +0200
+Subject: drm: rockchip: add missing registers for RK3188
+
+From: Alex Bee <knaerzche@gmail.com>
+
+[ Upstream commit ab64b448a175b8a5a4bd323b8f74758c2574482c ]
+
+Add dither_up, dsp_lut_en and data_blank registers to enable their
+respective functionality for RK3188's VOP.
+While at that also fix .dsp_blank register which is (only) set with
+BIT24 (same as RK3066)
+
+Signed-off-by: Alex Bee <knaerzche@gmail.com>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210528130554.72191-3-knaerzche@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/rockchip/rockchip_vop_reg.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/rockchip/rockchip_vop_reg.c b/drivers/gpu/drm/rockchip/rockchip_vop_reg.c
+index 80053d91a301..b8dcee64a1f7 100644
+--- a/drivers/gpu/drm/rockchip/rockchip_vop_reg.c
++++ b/drivers/gpu/drm/rockchip/rockchip_vop_reg.c
+@@ -505,7 +505,10 @@ static const struct vop_common rk3188_common = {
+ .dither_down_sel = VOP_REG(RK3188_DSP_CTRL0, 0x1, 27),
+ .dither_down_en = VOP_REG(RK3188_DSP_CTRL0, 0x1, 11),
+ .dither_down_mode = VOP_REG(RK3188_DSP_CTRL0, 0x1, 10),
+- .dsp_blank = VOP_REG(RK3188_DSP_CTRL1, 0x3, 24),
++ .dsp_blank = VOP_REG(RK3188_DSP_CTRL1, 0x1, 24),
++ .dither_up = VOP_REG(RK3188_DSP_CTRL0, 0x1, 9),
++ .dsp_lut_en = VOP_REG(RK3188_SYS_CTRL, 0x1, 28),
++ .data_blank = VOP_REG(RK3188_DSP_CTRL1, 0x1, 25),
+ };
+
+ static const struct vop_win_data rk3188_vop_win_data[] = {
+--
+2.30.2
+
--- /dev/null
+From 1bffb9e432240d4d4c3fa7e0f5be07d6eb9f8a70 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 May 2021 10:14:07 -0400
+Subject: drm/sched: Avoid data corruptions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andrey Grodzovsky <andrey.grodzovsky@amd.com>
+
+[ Upstream commit 0b10ab80695d61422337ede6ff496552d8ace99d ]
+
+Wait for all dependencies of a job to complete before
+killing it to avoid data corruptions.
+
+Signed-off-by: Andrey Grodzovsky <andrey.grodzovsky@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210519141407.88444-1-andrey.grodzovsky@amd.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/scheduler/sched_entity.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/gpu/drm/scheduler/sched_entity.c b/drivers/gpu/drm/scheduler/sched_entity.c
+index 2006cc057f99..3f7f761df4cd 100644
+--- a/drivers/gpu/drm/scheduler/sched_entity.c
++++ b/drivers/gpu/drm/scheduler/sched_entity.c
+@@ -219,11 +219,16 @@ static void drm_sched_entity_kill_jobs_cb(struct dma_fence *f,
+ static void drm_sched_entity_kill_jobs(struct drm_sched_entity *entity)
+ {
+ struct drm_sched_job *job;
++ struct dma_fence *f;
+ int r;
+
+ while ((job = to_drm_sched_job(spsc_queue_pop(&entity->job_queue)))) {
+ struct drm_sched_fence *s_fence = job->s_fence;
+
++ /* Wait for all dependencies to avoid data corruptions */
++ while ((f = job->sched->ops->dependency(job, entity)))
++ dma_fence_wait(f, false);
++
+ drm_sched_fence_scheduled(s_fence);
+ dma_fence_set_error(&s_fence->finished, -ESRCH);
+
+--
+2.30.2
+
--- /dev/null
+From d3da1c6673f9553459fa0a2660719a313eca1aeb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 May 2021 10:26:45 -0400
+Subject: drm/scheduler: Fix hang when sched_entity released
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andrey Grodzovsky <andrey.grodzovsky@amd.com>
+
+[ Upstream commit c61cdbdbffc169dc7f1e6fe94dfffaf574fe672a ]
+
+Problem: If scheduler is already stopped by the time sched_entity
+is released and entity's job_queue not empty I encountred
+a hang in drm_sched_entity_flush. This is because drm_sched_entity_is_idle
+never becomes false.
+
+Fix: In drm_sched_fini detach all sched_entities from the
+scheduler's run queues. This will satisfy drm_sched_entity_is_idle.
+Also wakeup all those processes stuck in sched_entity flushing
+as the scheduler main thread which wakes them up is stopped by now.
+
+v2:
+Reverse order of drm_sched_rq_remove_entity and marking
+s_entity as stopped to prevent reinserion back to rq due
+to race.
+
+v3:
+Drop drm_sched_rq_remove_entity, only modify entity->stopped
+and check for it in drm_sched_entity_is_idle
+
+Signed-off-by: Andrey Grodzovsky <andrey.grodzovsky@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210512142648.666476-14-andrey.grodzovsky@amd.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/scheduler/sched_entity.c | 3 ++-
+ drivers/gpu/drm/scheduler/sched_main.c | 24 ++++++++++++++++++++++++
+ 2 files changed, 26 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/scheduler/sched_entity.c b/drivers/gpu/drm/scheduler/sched_entity.c
+index 146380118962..2006cc057f99 100644
+--- a/drivers/gpu/drm/scheduler/sched_entity.c
++++ b/drivers/gpu/drm/scheduler/sched_entity.c
+@@ -113,7 +113,8 @@ static bool drm_sched_entity_is_idle(struct drm_sched_entity *entity)
+ rmb(); /* for list_empty to work without lock */
+
+ if (list_empty(&entity->list) ||
+- spsc_queue_count(&entity->job_queue) == 0)
++ spsc_queue_count(&entity->job_queue) == 0 ||
++ entity->stopped)
+ return true;
+
+ return false;
+diff --git a/drivers/gpu/drm/scheduler/sched_main.c b/drivers/gpu/drm/scheduler/sched_main.c
+index 7111e0f527b0..b6c2757c3d83 100644
+--- a/drivers/gpu/drm/scheduler/sched_main.c
++++ b/drivers/gpu/drm/scheduler/sched_main.c
+@@ -887,9 +887,33 @@ EXPORT_SYMBOL(drm_sched_init);
+ */
+ void drm_sched_fini(struct drm_gpu_scheduler *sched)
+ {
++ struct drm_sched_entity *s_entity;
++ int i;
++
+ if (sched->thread)
+ kthread_stop(sched->thread);
+
++ for (i = DRM_SCHED_PRIORITY_COUNT - 1; i >= DRM_SCHED_PRIORITY_MIN; i--) {
++ struct drm_sched_rq *rq = &sched->sched_rq[i];
++
++ if (!rq)
++ continue;
++
++ spin_lock(&rq->lock);
++ list_for_each_entry(s_entity, &rq->entities, list)
++ /*
++ * Prevents reinsertion and marks job_queue as idle,
++ * it will removed from rq in drm_sched_entity_fini
++ * eventually
++ */
++ s_entity->stopped = true;
++ spin_unlock(&rq->lock);
++
++ }
++
++ /* Wakeup everyone stuck in drm_sched_entity_flush for this scheduler */
++ wake_up_all(&sched->job_scheduled);
++
+ /* Confirm no work left behind accessing device structures */
+ cancel_delayed_work_sync(&sched->work_tdr);
+
+--
+2.30.2
+
--- /dev/null
+From 87d0253d68bc1dcc38d0bb00a5680b95838dae2f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Apr 2021 13:18:03 +0300
+Subject: drm/vc4: fix argument ordering in vc4_crtc_get_margins()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit e590c2b03a6143ba93ddad306bc9eaafa838c020 ]
+
+Cppcheck complains that the declaration doesn't match the function
+definition. Obviously "left" should come before "right". The caller
+and the function implementation are done this way, it's just the
+declaration which is wrong so this doesn't affect runtime.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Link: https://patchwork.freedesktop.org/patch/msgid/YH/720FD978TPhHp@mwanda
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_drv.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_drv.h b/drivers/gpu/drm/vc4/vc4_drv.h
+index c5f2944d5bc6..9809c3a856c6 100644
+--- a/drivers/gpu/drm/vc4/vc4_drv.h
++++ b/drivers/gpu/drm/vc4/vc4_drv.h
+@@ -837,7 +837,7 @@ void vc4_crtc_destroy_state(struct drm_crtc *crtc,
+ void vc4_crtc_reset(struct drm_crtc *crtc);
+ void vc4_crtc_handle_vblank(struct vc4_crtc *crtc);
+ void vc4_crtc_get_margins(struct drm_crtc_state *state,
+- unsigned int *right, unsigned int *left,
++ unsigned int *left, unsigned int *right,
+ unsigned int *top, unsigned int *bottom);
+
+ /* vc4_debugfs.c */
+--
+2.30.2
+
--- /dev/null
+From dafebd817ccfa1a2ae139fe836de50c66987da6e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 May 2021 17:03:41 +0200
+Subject: drm/vc4: Fix clock source for VEC PixelValve on BCM2711
+
+From: Mateusz Kwiatkowski <kfyatek+publicgit@gmail.com>
+
+[ Upstream commit fc7a8abcee2225d6279ff785d33e24d70c738c6e ]
+
+On the BCM2711 (Raspberry Pi 4), the VEC is actually connected to
+output 2 of pixelvalve3.
+
+NOTE: This contradicts the Broadcom docs, but has been empirically
+tested and confirmed by Raspberry Pi firmware devs.
+
+Signed-off-by: Mateusz Kwiatkowski <kfyatek+publicgit@gmail.com>
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Reviewed-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210520150344.273900-2-maxime@cerno.tech
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_crtc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_crtc.c b/drivers/gpu/drm/vc4/vc4_crtc.c
+index 1d2416d466a3..7062d0e6fe76 100644
+--- a/drivers/gpu/drm/vc4/vc4_crtc.c
++++ b/drivers/gpu/drm/vc4/vc4_crtc.c
+@@ -1001,7 +1001,7 @@ static const struct vc4_pv_data bcm2711_pv3_data = {
+ .fifo_depth = 64,
+ .pixels_per_clock = 1,
+ .encoder_types = {
+- [0] = VC4_ENCODER_TYPE_VEC,
++ [PV_CONTROL_CLK_SELECT_VEC] = VC4_ENCODER_TYPE_VEC,
+ },
+ };
+
+--
+2.30.2
+
--- /dev/null
+From df41ded210ed8a3807a17c818f8e751b0d044c89 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 May 2021 15:20:54 +0800
+Subject: drm/vc4: hdmi: Fix PM reference leak in
+ vc4_hdmi_encoder_pre_crtc_co()
+
+From: Zou Wei <zou_wei@huawei.com>
+
+[ Upstream commit 5e4322a8b266bc9f5ee7ea4895f661c01dbd7cb3 ]
+
+pm_runtime_get_sync will increment pm usage counter even it failed.
+Forgetting to putting operation will result in reference leak here.
+Fix it by replacing it with pm_runtime_resume_and_get to keep usage
+counter balanced.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zou Wei <zou_wei@huawei.com>
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Link: https://patchwork.freedesktop.org/patch/msgid/1621840854-105978-1-git-send-email-zou_wei@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_hdmi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c
+index 25a09aaf5883..6a19a3de3962 100644
+--- a/drivers/gpu/drm/vc4/vc4_hdmi.c
++++ b/drivers/gpu/drm/vc4/vc4_hdmi.c
+@@ -627,7 +627,7 @@ static void vc4_hdmi_encoder_pre_crtc_configure(struct drm_encoder *encoder)
+ unsigned long pixel_rate, hsm_rate;
+ int ret;
+
+- ret = pm_runtime_get_sync(&vc4_hdmi->pdev->dev);
++ ret = pm_runtime_resume_and_get(&vc4_hdmi->pdev->dev);
+ if (ret < 0) {
+ DRM_ERROR("Failed to retain power domain: %d\n", ret);
+ return;
+--
+2.30.2
+
--- /dev/null
+From 679ece35ae3373bd992f6d506c4661862f229811 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 May 2021 16:49:12 +0800
+Subject: drm/virtio: Fix double free on probe failure
+
+From: Xie Yongji <xieyongji@bytedance.com>
+
+[ Upstream commit cec7f1774605a5ef47c134af62afe7c75c30b0ee ]
+
+The virtio_gpu_init() will free vgdev and vgdev->vbufs on failure.
+But such failure will be caught by virtio_gpu_probe() and then
+virtio_gpu_release() will be called to do some cleanup which
+will free vgdev and vgdev->vbufs again. So let's set dev->dev_private
+to NULL to avoid double free.
+
+Signed-off-by: Xie Yongji <xieyongji@bytedance.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/20210517084913.403-2-xieyongji@bytedance.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/virtio/virtgpu_kms.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/virtio/virtgpu_kms.c b/drivers/gpu/drm/virtio/virtgpu_kms.c
+index eed57a931309..a28b01f92793 100644
+--- a/drivers/gpu/drm/virtio/virtgpu_kms.c
++++ b/drivers/gpu/drm/virtio/virtgpu_kms.c
+@@ -209,6 +209,7 @@ err_scanouts:
+ err_vbufs:
+ vgdev->vdev->config->del_vqs(vgdev->vdev);
+ err_vqs:
++ dev->dev_private = NULL;
+ kfree(vgdev);
+ return ret;
+ }
+--
+2.30.2
+
--- /dev/null
+From 4a21008f250d4dc4c61fc27ef2f709f1dc4dbbde Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Apr 2021 13:00:39 +0200
+Subject: drm/zte: Don't select DRM_KMS_FB_HELPER
+
+From: Thomas Zimmermann <tzimmermann@suse.de>
+
+[ Upstream commit a50e74bec1d17e95275909660c6b43ffe11ebcf0 ]
+
+Selecting DRM_FBDEV_EMULATION will include the correct settings for
+fbdev emulation. Drivers should not override this.
+
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210415110040.23525-4-tzimmermann@suse.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/zte/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/zte/Kconfig b/drivers/gpu/drm/zte/Kconfig
+index 90ebaedc11fd..aa8594190b50 100644
+--- a/drivers/gpu/drm/zte/Kconfig
++++ b/drivers/gpu/drm/zte/Kconfig
+@@ -3,7 +3,6 @@ config DRM_ZTE
+ tristate "DRM Support for ZTE SoCs"
+ depends on DRM && ARCH_ZX
+ select DRM_KMS_CMA_HELPER
+- select DRM_KMS_FB_HELPER
+ select DRM_KMS_HELPER
+ select SND_SOC_HDMI_CODEC if SND_SOC
+ select VIDEOMODE_HELPERS
+--
+2.30.2
+
--- /dev/null
+From 9939eac0a61d31c7f717fc614bd665813bb077d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Mar 2021 17:38:24 -0700
+Subject: e100: handle eeprom as little endian
+
+From: Jesse Brandeburg <jesse.brandeburg@intel.com>
+
+[ Upstream commit d4ef55288aa2e1b76033717242728ac98ddc4721 ]
+
+Sparse tool was warning on some implicit conversions from
+little endian data read from the EEPROM on the e100 cards.
+
+Fix these by being explicit about the conversions using
+le16_to_cpu().
+
+Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/e100.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/e100.c b/drivers/net/ethernet/intel/e100.c
+index 8cc651d37a7f..609e47b8287d 100644
+--- a/drivers/net/ethernet/intel/e100.c
++++ b/drivers/net/ethernet/intel/e100.c
+@@ -1395,7 +1395,7 @@ static int e100_phy_check_without_mii(struct nic *nic)
+ u8 phy_type;
+ int without_mii;
+
+- phy_type = (nic->eeprom[eeprom_phy_iface] >> 8) & 0x0f;
++ phy_type = (le16_to_cpu(nic->eeprom[eeprom_phy_iface]) >> 8) & 0x0f;
+
+ switch (phy_type) {
+ case NoSuchPhy: /* Non-MII PHY; UNTESTED! */
+@@ -1515,7 +1515,7 @@ static int e100_phy_init(struct nic *nic)
+ mdio_write(netdev, nic->mii.phy_id, MII_BMCR, bmcr);
+ } else if ((nic->mac >= mac_82550_D102) || ((nic->flags & ich) &&
+ (mdio_read(netdev, nic->mii.phy_id, MII_TPISTATUS) & 0x8000) &&
+- (nic->eeprom[eeprom_cnfg_mdix] & eeprom_mdix_enabled))) {
++ (le16_to_cpu(nic->eeprom[eeprom_cnfg_mdix]) & eeprom_mdix_enabled))) {
+ /* enable/disable MDI/MDI-X auto-switching. */
+ mdio_write(netdev, nic->mii.phy_id, MII_NCONFIG,
+ nic->mii.force_media ? 0 : NCONFIG_AUTO_SWITCH);
+@@ -2263,9 +2263,9 @@ static int e100_asf(struct nic *nic)
+ {
+ /* ASF can be enabled from eeprom */
+ return (nic->pdev->device >= 0x1050) && (nic->pdev->device <= 0x1057) &&
+- (nic->eeprom[eeprom_config_asf] & eeprom_asf) &&
+- !(nic->eeprom[eeprom_config_asf] & eeprom_gcl) &&
+- ((nic->eeprom[eeprom_smbus_addr] & 0xFF) != 0xFE);
++ (le16_to_cpu(nic->eeprom[eeprom_config_asf]) & eeprom_asf) &&
++ !(le16_to_cpu(nic->eeprom[eeprom_config_asf]) & eeprom_gcl) &&
++ ((le16_to_cpu(nic->eeprom[eeprom_smbus_addr]) & 0xFF) != 0xFE);
+ }
+
+ static int e100_up(struct nic *nic)
+@@ -2920,7 +2920,7 @@ static int e100_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+
+ /* Wol magic packet can be enabled from eeprom */
+ if ((nic->mac >= mac_82558_D101_A4) &&
+- (nic->eeprom[eeprom_id] & eeprom_id_wol)) {
++ (le16_to_cpu(nic->eeprom[eeprom_id]) & eeprom_id_wol)) {
+ nic->flags |= wol_magic;
+ device_set_wakeup_enable(&pdev->dev, true);
+ }
+--
+2.30.2
+
--- /dev/null
+From a3fe2a035b097993f1f1d76ef5b8538d14f869b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jun 2021 16:02:43 +0800
+Subject: fjes: check return value after calling platform_get_resource()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit f18c11812c949553d2b2481ecaa274dd51bed1e7 ]
+
+It will cause null-ptr-deref if platform_get_resource() returns NULL,
+we need check the return value.
+
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/fjes/fjes_main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/fjes/fjes_main.c b/drivers/net/fjes/fjes_main.c
+index 466622664424..e449d9466122 100644
+--- a/drivers/net/fjes/fjes_main.c
++++ b/drivers/net/fjes/fjes_main.c
+@@ -1262,6 +1262,10 @@ static int fjes_probe(struct platform_device *plat_dev)
+ adapter->interrupt_watch_enable = false;
+
+ res = platform_get_resource(plat_dev, IORESOURCE_MEM, 0);
++ if (!res) {
++ err = -EINVAL;
++ goto err_free_control_wq;
++ }
+ hw->hw_res.start = res->start;
+ hw->hw_res.size = resource_size(res);
+ hw->hw_res.irq = platform_get_irq(plat_dev, 0);
+--
+2.30.2
+
--- /dev/null
+From c1cee195a49370dd4cecb6764742006f4f0896a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Jun 2021 04:56:06 -0700
+Subject: flow_offload: action should not be NULL when it is referenced
+
+From: gushengxian <gushengxian@yulong.com>
+
+[ Upstream commit 9ea3e52c5bc8bb4a084938dc1e3160643438927a ]
+
+"action" should not be NULL when it is referenced.
+
+Signed-off-by: gushengxian <13145886936@163.com>
+Signed-off-by: gushengxian <gushengxian@yulong.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/flow_offload.h | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/include/net/flow_offload.h b/include/net/flow_offload.h
+index 123b1e9ea304..161b90979038 100644
+--- a/include/net/flow_offload.h
++++ b/include/net/flow_offload.h
+@@ -312,12 +312,14 @@ flow_action_mixed_hw_stats_check(const struct flow_action *action,
+ if (flow_offload_has_one_action(action))
+ return true;
+
+- flow_action_for_each(i, action_entry, action) {
+- if (i && action_entry->hw_stats != last_hw_stats) {
+- NL_SET_ERR_MSG_MOD(extack, "Mixing HW stats types for actions is not supported");
+- return false;
++ if (action) {
++ flow_action_for_each(i, action_entry, action) {
++ if (i && action_entry->hw_stats != last_hw_stats) {
++ NL_SET_ERR_MSG_MOD(extack, "Mixing HW stats types for actions is not supported");
++ return false;
++ }
++ last_hw_stats = action_entry->hw_stats;
+ }
+- last_hw_stats = action_entry->hw_stats;
+ }
+ return true;
+ }
+--
+2.30.2
+
--- /dev/null
+From 69d424809b6808f5d7e26765d53583cf93379cc1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jun 2020 21:15:32 +0800
+Subject: hugetlb: clear huge pte during flush function on mips platform
+
+From: Bibo Mao <maobibo@loongson.cn>
+
+[ Upstream commit 33ae8f801ad8bec48e886d368739feb2816478f2 ]
+
+If multiple threads are accessing the same huge page at the same
+time, hugetlb_cow will be called if one thread write the COW huge
+page. And function huge_ptep_clear_flush is called to notify other
+threads to clear the huge pte tlb entry. The other threads clear
+the huge pte tlb entry and reload it from page table, the reload
+huge pte entry may be old.
+
+This patch fixes this issue on mips platform, and it clears huge
+pte entry before notifying other threads to flush current huge
+page entry, it is similar with other architectures.
+
+Signed-off-by: Bibo Mao <maobibo@loongson.cn>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/include/asm/hugetlb.h | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/arch/mips/include/asm/hugetlb.h b/arch/mips/include/asm/hugetlb.h
+index 10e3be870df7..c2144409c0c4 100644
+--- a/arch/mips/include/asm/hugetlb.h
++++ b/arch/mips/include/asm/hugetlb.h
+@@ -46,7 +46,13 @@ static inline pte_t huge_ptep_get_and_clear(struct mm_struct *mm,
+ static inline void huge_ptep_clear_flush(struct vm_area_struct *vma,
+ unsigned long addr, pte_t *ptep)
+ {
+- flush_tlb_page(vma, addr & huge_page_mask(hstate_vma(vma)));
++ /*
++ * clear the huge pte entry firstly, so that the other smp threads will
++ * not get old pte entry after finishing flush_tlb_page and before
++ * setting new huge pte entry
++ */
++ huge_ptep_get_and_clear(vma->vm_mm, addr, ptep);
++ flush_tlb_page(vma, addr);
+ }
+
+ #define __HAVE_ARCH_HUGE_PTE_NONE
+--
+2.30.2
+
--- /dev/null
+From 627d763841fe95c992528200b1391f62973d74f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 May 2021 11:52:15 +0300
+Subject: IB/isert: Align target max I/O size to initiator size
+
+From: Max Gurtovoy <mgurtovoy@nvidia.com>
+
+[ Upstream commit 109d19a5eb3ddbdb87c43bfd4bcf644f4569da64 ]
+
+Since the Linux iser initiator default max I/O size set to 512KB and since
+there is no handshake procedure for this size in iser protocol, set the
+default max IO size of the target to 512KB as well.
+
+For changing the default values, there is a module parameter for both
+drivers.
+
+Link: https://lore.kernel.org/r/20210524085215.29005-1-mgurtovoy@nvidia.com
+Reviewed-by: Alaa Hleihel <alaa@nvidia.com>
+Reviewed-by: Israel Rukshin <israelr@nvidia.com>
+Signed-off-by: Max Gurtovoy <mgurtovoy@nvidia.com>
+Acked-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/ulp/isert/ib_isert.c | 4 ++--
+ drivers/infiniband/ulp/isert/ib_isert.h | 3 ---
+ 2 files changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/infiniband/ulp/isert/ib_isert.c b/drivers/infiniband/ulp/isert/ib_isert.c
+index e653c83f8a35..edea37da8a5b 100644
+--- a/drivers/infiniband/ulp/isert/ib_isert.c
++++ b/drivers/infiniband/ulp/isert/ib_isert.c
+@@ -35,10 +35,10 @@ static const struct kernel_param_ops sg_tablesize_ops = {
+ .get = param_get_int,
+ };
+
+-static int isert_sg_tablesize = ISCSI_ISER_DEF_SG_TABLESIZE;
++static int isert_sg_tablesize = ISCSI_ISER_MIN_SG_TABLESIZE;
+ module_param_cb(sg_tablesize, &sg_tablesize_ops, &isert_sg_tablesize, 0644);
+ MODULE_PARM_DESC(sg_tablesize,
+- "Number of gather/scatter entries in a single scsi command, should >= 128 (default: 256, max: 4096)");
++ "Number of gather/scatter entries in a single scsi command, should >= 128 (default: 128, max: 4096)");
+
+ static DEFINE_MUTEX(device_list_mutex);
+ static LIST_HEAD(device_list);
+diff --git a/drivers/infiniband/ulp/isert/ib_isert.h b/drivers/infiniband/ulp/isert/ib_isert.h
+index 6c5af13db4e0..ca8cfebe26ca 100644
+--- a/drivers/infiniband/ulp/isert/ib_isert.h
++++ b/drivers/infiniband/ulp/isert/ib_isert.h
+@@ -65,9 +65,6 @@
+ */
+ #define ISER_RX_SIZE (ISCSI_DEF_MAX_RECV_SEG_LEN + 1024)
+
+-/* Default I/O size is 1MB */
+-#define ISCSI_ISER_DEF_SG_TABLESIZE 256
+-
+ /* Minimum I/O size is 512KB */
+ #define ISCSI_ISER_MIN_SG_TABLESIZE 128
+
+--
+2.30.2
+
--- /dev/null
+From 347c958c679747b697d04c009f3f5b177f859620 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Mar 2021 14:17:06 -0700
+Subject: ice: fix clang warning regarding deadcode.DeadStores
+
+From: Paul M Stillwell Jr <paul.m.stillwell.jr@intel.com>
+
+[ Upstream commit 7e94090ae13e1ae5fe8bd3a9cd08136260bb7039 ]
+
+clang generates deadcode.DeadStores warnings when a variable
+is used to read a value, but then that value isn't used later
+in the code. Fix this warning.
+
+Signed-off-by: Paul M Stillwell Jr <paul.m.stillwell.jr@intel.com>
+Tested-by: Tony Brelinski <tonyx.brelinski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_ethtool.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_ethtool.c b/drivers/net/ethernet/intel/ice/ice_ethtool.c
+index a7975afecf70..14eba9bc174d 100644
+--- a/drivers/net/ethernet/intel/ice/ice_ethtool.c
++++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c
+@@ -3492,13 +3492,9 @@ static int
+ ice_get_rc_coalesce(struct ethtool_coalesce *ec, enum ice_container_type c_type,
+ struct ice_ring_container *rc)
+ {
+- struct ice_pf *pf;
+-
+ if (!rc->ring)
+ return -EINVAL;
+
+- pf = rc->ring->vsi->back;
+-
+ switch (c_type) {
+ case ICE_RX_CONTAINER:
+ ec->use_adaptive_rx_coalesce = ITR_IS_DYNAMIC(rc->itr_setting);
+@@ -3510,7 +3506,7 @@ ice_get_rc_coalesce(struct ethtool_coalesce *ec, enum ice_container_type c_type,
+ ec->tx_coalesce_usecs = rc->itr_setting & ~ICE_ITR_DYNAMIC;
+ break;
+ default:
+- dev_dbg(ice_pf_to_dev(pf), "Invalid c_type %d\n", c_type);
++ dev_dbg(ice_pf_to_dev(rc->ring->vsi->back), "Invalid c_type %d\n", c_type);
+ return -EINVAL;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 9a1d8fea6129a2ead9ab55f51c9758eb478a1a20 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 May 2021 08:40:04 -0700
+Subject: ice: fix incorrect payload indicator on PTYPE
+
+From: Jacob Keller <jacob.e.keller@intel.com>
+
+[ Upstream commit 638a0c8c8861cb8a3b54203e632ea5dcc23d8ca5 ]
+
+The entry for PTYPE 90 indicates that the payload is layer 3. This does
+not match the specification in the datasheet which indicates the packet
+is a MAC, IPv6, UDP packet, with a payload in layer 4.
+
+Fix the lookup table to match the data sheet.
+
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Tested-by: Tony Brelinski <tonyx.brelinski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_lan_tx_rx.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_lan_tx_rx.h b/drivers/net/ethernet/intel/ice/ice_lan_tx_rx.h
+index 4ec24c3e813f..98a7f27c532b 100644
+--- a/drivers/net/ethernet/intel/ice/ice_lan_tx_rx.h
++++ b/drivers/net/ethernet/intel/ice/ice_lan_tx_rx.h
+@@ -722,7 +722,7 @@ static const struct ice_rx_ptype_decoded ice_ptype_lkup[] = {
+ /* Non Tunneled IPv6 */
+ ICE_PTT(88, IP, IPV6, FRG, NONE, NONE, NOF, NONE, PAY3),
+ ICE_PTT(89, IP, IPV6, NOF, NONE, NONE, NOF, NONE, PAY3),
+- ICE_PTT(90, IP, IPV6, NOF, NONE, NONE, NOF, UDP, PAY3),
++ ICE_PTT(90, IP, IPV6, NOF, NONE, NONE, NOF, UDP, PAY4),
+ ICE_PTT_UNUSED_ENTRY(91),
+ ICE_PTT(92, IP, IPV6, NOF, NONE, NONE, NOF, TCP, PAY4),
+ ICE_PTT(93, IP, IPV6, NOF, NONE, NONE, NOF, SCTP, PAY4),
+--
+2.30.2
+
--- /dev/null
+From 104283581781013db2ddf5b15eedfa5c28a84d40 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 May 2021 08:40:05 -0700
+Subject: ice: mark PTYPE 2 as reserved
+
+From: Jacob Keller <jacob.e.keller@intel.com>
+
+[ Upstream commit 0c526d440f76676733cb470b454db9d5507a3a50 ]
+
+The entry for PTYPE 2 in the ice_ptype_lkup table incorrectly states
+that this is an L2 packet with no payload. According to the datasheet,
+this PTYPE is actually unused and reserved.
+
+Fix the lookup entry to indicate this is an unused entry that is
+reserved.
+
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Tested-by: Tony Brelinski <tonyx.brelinski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_lan_tx_rx.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_lan_tx_rx.h b/drivers/net/ethernet/intel/ice/ice_lan_tx_rx.h
+index 98a7f27c532b..c0ee0541e53f 100644
+--- a/drivers/net/ethernet/intel/ice/ice_lan_tx_rx.h
++++ b/drivers/net/ethernet/intel/ice/ice_lan_tx_rx.h
+@@ -608,7 +608,7 @@ static const struct ice_rx_ptype_decoded ice_ptype_lkup[] = {
+ /* L2 Packet types */
+ ICE_PTT_UNUSED_ENTRY(0),
+ ICE_PTT(1, L2, NONE, NOF, NONE, NONE, NOF, NONE, PAY2),
+- ICE_PTT(2, L2, NONE, NOF, NONE, NONE, NOF, NONE, NONE),
++ ICE_PTT_UNUSED_ENTRY(2),
+ ICE_PTT_UNUSED_ENTRY(3),
+ ICE_PTT_UNUSED_ENTRY(4),
+ ICE_PTT_UNUSED_ENTRY(5),
+--
+2.30.2
+
--- /dev/null
+From 8789737901f42ced8f88e838d078b730676fdcd3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Apr 2021 17:31:06 +0800
+Subject: ice: set the value of global config lock timeout longer
+
+From: Liwei Song <liwei.song@windriver.com>
+
+[ Upstream commit fb3612840d4f587a0af9511a11d7989d1fa48206 ]
+
+It may need hold Global Config Lock a longer time when download DDP
+package file, extend the timeout value to 5000ms to ensure that
+download can be finished before other AQ command got time to run,
+this will fix the issue below when probe the device, 5000ms is a test
+value that work with both Backplane and BreakoutCable NVM image:
+
+ice 0000:f4:00.0: VSI 12 failed lan queue config, error ICE_ERR_CFG
+ice 0000:f4:00.0: Failed to delete VSI 12 in FW - error: ICE_ERR_AQ_TIMEOUT
+ice 0000:f4:00.0: probe failed due to setup PF switch: -12
+ice: probe of 0000:f4:00.0 failed with error -12
+
+Signed-off-by: Liwei Song <liwei.song@windriver.com>
+Tested-by: Tony Brelinski <tonyx.brelinski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_type.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_type.h b/drivers/net/ethernet/intel/ice/ice_type.h
+index 1bed183d96a0..ee3497d25464 100644
+--- a/drivers/net/ethernet/intel/ice/ice_type.h
++++ b/drivers/net/ethernet/intel/ice/ice_type.h
+@@ -63,7 +63,7 @@ enum ice_aq_res_ids {
+ /* FW update timeout definitions are in milliseconds */
+ #define ICE_NVM_TIMEOUT 180000
+ #define ICE_CHANGE_LOCK_TIMEOUT 1000
+-#define ICE_GLOBAL_CFG_LOCK_TIMEOUT 3000
++#define ICE_GLOBAL_CFG_LOCK_TIMEOUT 5000
+
+ enum ice_aq_res_access_type {
+ ICE_RES_READ = 1,
+--
+2.30.2
+
--- /dev/null
+From 4c9e0316c7e893f78065294e95f20b7ba93abf4c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Mar 2021 17:38:29 -0700
+Subject: igb: fix assignment on big endian machines
+
+From: Jesse Brandeburg <jesse.brandeburg@intel.com>
+
+[ Upstream commit b514958dd1a3bd57638b0e63b8e5152b1960e6aa ]
+
+The igb driver was trying hard to be sparse correct, but somehow
+ended up converting a variable into little endian order and then
+tries to OR something with it.
+
+A much plainer way of doing things is to leave all variables and
+OR operations in CPU (non-endian) mode, and then convert to
+little endian only once, which is what this change does.
+
+This probably fixes a bug that might have been seen only on
+big endian systems.
+
+Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Tested-by: Dave Switzer <david.switzer@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index 157683fbf61c..4b9b5148c916 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -6289,12 +6289,12 @@ int igb_xmit_xdp_ring(struct igb_adapter *adapter,
+ cmd_type |= len | IGB_TXD_DCMD;
+ tx_desc->read.cmd_type_len = cpu_to_le32(cmd_type);
+
+- olinfo_status = cpu_to_le32(len << E1000_ADVTXD_PAYLEN_SHIFT);
++ olinfo_status = len << E1000_ADVTXD_PAYLEN_SHIFT;
+ /* 82575 requires a unique index per ring */
+ if (test_bit(IGB_RING_FLAG_TX_CTX_IDX, &tx_ring->flags))
+ olinfo_status |= tx_ring->reg_idx << 4;
+
+- tx_desc->read.olinfo_status = olinfo_status;
++ tx_desc->read.olinfo_status = cpu_to_le32(olinfo_status);
+
+ netdev_tx_sent_queue(txring_txq(tx_ring), tx_buffer->bytecount);
+
+--
+2.30.2
+
--- /dev/null
+From 2eb16aa37d49d9280daa02ae5a077d79eddf1873 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Mar 2021 17:38:28 -0700
+Subject: igb: handle vlan types with checker enabled
+
+From: Jesse Brandeburg <jesse.brandeburg@intel.com>
+
+[ Upstream commit c7cbfb028b95360403d579c47aaaeef1ff140964 ]
+
+The sparse build (C=2) finds some issues with how the driver
+dealt with the (very difficult) hardware that in some generations
+uses little-endian, and in others uses big endian, for the VLAN
+field. The code as written picks __le16 as a type and for some
+hardware revisions we override it to __be16 as done in this
+patch. This impacted the VF driver as well so fix it there too.
+
+Also change the vlan_tci assignment to override the sparse
+warning without changing functionality.
+
+Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Tested-by: Dave Switzer <david.switzer@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 5 +++--
+ drivers/net/ethernet/intel/igbvf/netdev.c | 4 ++--
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index 5c87c0a7ce3d..157683fbf61c 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -2643,7 +2643,8 @@ static int igb_parse_cls_flower(struct igb_adapter *adapter,
+ }
+
+ input->filter.match_flags |= IGB_FILTER_FLAG_VLAN_TCI;
+- input->filter.vlan_tci = match.key->vlan_priority;
++ input->filter.vlan_tci =
++ (__force __be16)match.key->vlan_priority;
+ }
+ }
+
+@@ -8617,7 +8618,7 @@ static void igb_process_skb_fields(struct igb_ring *rx_ring,
+
+ if (igb_test_staterr(rx_desc, E1000_RXDEXT_STATERR_LB) &&
+ test_bit(IGB_RING_FLAG_RX_LB_VLAN_BSWAP, &rx_ring->flags))
+- vid = be16_to_cpu(rx_desc->wb.upper.vlan);
++ vid = be16_to_cpu((__force __be16)rx_desc->wb.upper.vlan);
+ else
+ vid = le16_to_cpu(rx_desc->wb.upper.vlan);
+
+diff --git a/drivers/net/ethernet/intel/igbvf/netdev.c b/drivers/net/ethernet/intel/igbvf/netdev.c
+index ee9f8c1dca83..07c9e9e0546f 100644
+--- a/drivers/net/ethernet/intel/igbvf/netdev.c
++++ b/drivers/net/ethernet/intel/igbvf/netdev.c
+@@ -83,14 +83,14 @@ static int igbvf_desc_unused(struct igbvf_ring *ring)
+ static void igbvf_receive_skb(struct igbvf_adapter *adapter,
+ struct net_device *netdev,
+ struct sk_buff *skb,
+- u32 status, u16 vlan)
++ u32 status, __le16 vlan)
+ {
+ u16 vid;
+
+ if (status & E1000_RXD_STAT_VP) {
+ if ((adapter->flags & IGBVF_FLAG_RX_LB_VLAN_BSWAP) &&
+ (status & E1000_RXDEXT_STATERR_LB))
+- vid = be16_to_cpu(vlan) & E1000_RXD_SPC_VLAN_MASK;
++ vid = be16_to_cpu((__force __be16)vlan) & E1000_RXD_SPC_VLAN_MASK;
+ else
+ vid = le16_to_cpu(vlan) & E1000_RXD_SPC_VLAN_MASK;
+ if (test_bit(vid, adapter->active_vlans))
+--
+2.30.2
+
--- /dev/null
+From 89341e898345ed660578dd76abea9068e8807280 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jun 2021 18:13:59 +0100
+Subject: io_uring: fix false WARN_ONCE
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+[ Upstream commit e6ab8991c5d0b0deae0961dc22c0edd1dee328f5 ]
+
+WARNING: CPU: 1 PID: 11749 at fs/io-wq.c:244 io_wqe_wake_worker fs/io-wq.c:244 [inline]
+WARNING: CPU: 1 PID: 11749 at fs/io-wq.c:244 io_wqe_enqueue+0x7f6/0x910 fs/io-wq.c:751
+
+A WARN_ON_ONCE() in io_wqe_wake_worker() can be triggered by a valid
+userspace setup. Replace it with pr_warn.
+
+Reported-by: syzbot+ea2f1484cffe5109dc10@syzkaller.appspotmail.com
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Link: https://lore.kernel.org/r/f7ede342c3342c4c26668f5168e2993e38bbd99c.1623949695.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/io-wq.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fs/io-wq.c b/fs/io-wq.c
+index f72d53848dcb..8bb17b6d4de3 100644
+--- a/fs/io-wq.c
++++ b/fs/io-wq.c
+@@ -299,7 +299,8 @@ static void io_wqe_wake_worker(struct io_wqe *wqe, struct io_wqe_acct *acct)
+ * Most likely an attempt to queue unbounded work on an io_wq that
+ * wasn't setup with any unbounded workers.
+ */
+- WARN_ON_ONCE(!acct->max_workers);
++ if (unlikely(!acct->max_workers))
++ pr_warn_once("io-wq is not configured for unbound workers");
+
+ rcu_read_lock();
+ ret = io_wqe_activate_free_worker(wqe);
+@@ -1085,6 +1086,8 @@ struct io_wq *io_wq_create(unsigned bounded, struct io_wq_data *data)
+
+ if (WARN_ON_ONCE(!data->free_work || !data->do_work))
+ return ERR_PTR(-EINVAL);
++ if (WARN_ON_ONCE(!bounded))
++ return ERR_PTR(-EINVAL);
+
+ wq = kzalloc(sizeof(*wq), GFP_KERNEL);
+ if (!wq)
+--
+2.30.2
+
--- /dev/null
+From 15590a824b5e9c74c9732d9ea236bbfd54cab3c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 29 May 2021 13:07:46 +0200
+Subject: ipv6: use prandom_u32() for ID generation
+
+From: Willy Tarreau <w@1wt.eu>
+
+[ Upstream commit 62f20e068ccc50d6ab66fdb72ba90da2b9418c99 ]
+
+This is a complement to commit aa6dd211e4b1 ("inet: use bigger hash
+table for IP ID generation"), but focusing on some specific aspects
+of IPv6.
+
+Contary to IPv4, IPv6 only uses packet IDs with fragments, and with a
+minimum MTU of 1280, it's much less easy to force a remote peer to
+produce many fragments to explore its ID sequence. In addition packet
+IDs are 32-bit in IPv6, which further complicates their analysis. On
+the other hand, it is often easier to choose among plenty of possible
+source addresses and partially work around the bigger hash table the
+commit above permits, which leaves IPv6 partially exposed to some
+possibilities of remote analysis at the risk of weakening some
+protocols like DNS if some IDs can be predicted with a good enough
+probability.
+
+Given the wide range of permitted IDs, the risk of collision is extremely
+low so there's no need to rely on the positive increment algorithm that
+is shared with the IPv4 code via ip_idents_reserve(). We have a fast
+PRNG, so let's simply call prandom_u32() and be done with it.
+
+Performance measurements at 10 Gbps couldn't show any difference with
+the previous code, even when using a single core, because due to the
+large fragments, we're limited to only ~930 kpps at 10 Gbps and the cost
+of the random generation is completely offset by other operations and by
+the network transfer time. In addition, this change removes the need to
+update a shared entry in the idents table so it may even end up being
+slightly faster on large scale systems where this matters.
+
+The risk of at least one collision here is about 1/80 million among
+10 IDs, 1/850k among 100 IDs, and still only 1/8.5k among 1000 IDs,
+which remains very low compared to IPv4 where all IDs are reused
+every 4 to 80ms on a 10 Gbps flow depending on packet sizes.
+
+Reported-by: Amit Klein <aksecurity@gmail.com>
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20210529110746.6796-1-w@1wt.eu
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/output_core.c | 28 +++++-----------------------
+ 1 file changed, 5 insertions(+), 23 deletions(-)
+
+diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
+index af36acc1a644..2880dc7d9a49 100644
+--- a/net/ipv6/output_core.c
++++ b/net/ipv6/output_core.c
+@@ -15,29 +15,11 @@ static u32 __ipv6_select_ident(struct net *net,
+ const struct in6_addr *dst,
+ const struct in6_addr *src)
+ {
+- const struct {
+- struct in6_addr dst;
+- struct in6_addr src;
+- } __aligned(SIPHASH_ALIGNMENT) combined = {
+- .dst = *dst,
+- .src = *src,
+- };
+- u32 hash, id;
+-
+- /* Note the following code is not safe, but this is okay. */
+- if (unlikely(siphash_key_is_zero(&net->ipv4.ip_id_key)))
+- get_random_bytes(&net->ipv4.ip_id_key,
+- sizeof(net->ipv4.ip_id_key));
+-
+- hash = siphash(&combined, sizeof(combined), &net->ipv4.ip_id_key);
+-
+- /* Treat id of 0 as unset and if we get 0 back from ip_idents_reserve,
+- * set the hight order instead thus minimizing possible future
+- * collisions.
+- */
+- id = ip_idents_reserve(hash, 1);
+- if (unlikely(!id))
+- id = 1 << 31;
++ u32 id;
++
++ do {
++ id = prandom_u32();
++ } while (!id);
+
+ return id;
+ }
+--
+2.30.2
+
--- /dev/null
+From 5a3c27e4dfeee47b28bf54b93f0a72d00e7b6a0d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Jun 2021 14:32:38 +0300
+Subject: iwlwifi: mvm: don't change band on bound PHY contexts
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 8835a64f74c46baebfc946cd5a2c861b866ebcee ]
+
+When we have a P2P Device active, we attempt to only change the
+PHY context it uses when we get a new remain-on-channel, if the
+P2P Device is the only user of the PHY context.
+
+This is fine if we're switching within a band, but if we're
+switching bands then the switch implies a removal and re-add
+of the PHY context, which isn't permitted by the firmware while
+it's bound to an interface.
+
+Fix the code to skip the unbind/release/... cycle only if the
+band doesn't change (or we have old devices that can switch the
+band on the fly as well.)
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Link: https://lore.kernel.org/r/iwlwifi.20210612142637.e9ac313f70f3.I713b9d109957df7e7d9ed0861d5377ce3f8fccd3@changeid
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/intel/iwlwifi/mvm/mac80211.c | 24 ++++++++++++++-----
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+index d42165559df6..8cba923b1ec6 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+@@ -3794,6 +3794,7 @@ static int iwl_mvm_roc(struct ieee80211_hw *hw,
+ struct iwl_mvm_vif *mvmvif = iwl_mvm_vif_from_mac80211(vif);
+ struct cfg80211_chan_def chandef;
+ struct iwl_mvm_phy_ctxt *phy_ctxt;
++ bool band_change_removal;
+ int ret, i;
+
+ IWL_DEBUG_MAC80211(mvm, "enter (%d, %d, %d)\n", channel->hw_value,
+@@ -3874,19 +3875,30 @@ static int iwl_mvm_roc(struct ieee80211_hw *hw,
+ cfg80211_chandef_create(&chandef, channel, NL80211_CHAN_NO_HT);
+
+ /*
+- * Change the PHY context configuration as it is currently referenced
+- * only by the P2P Device MAC
++ * Check if the remain-on-channel is on a different band and that
++ * requires context removal, see iwl_mvm_phy_ctxt_changed(). If
++ * so, we'll need to release and then re-configure here, since we
++ * must not remove a PHY context that's part of a binding.
+ */
+- if (mvmvif->phy_ctxt->ref == 1) {
++ band_change_removal =
++ fw_has_capa(&mvm->fw->ucode_capa,
++ IWL_UCODE_TLV_CAPA_BINDING_CDB_SUPPORT) &&
++ mvmvif->phy_ctxt->channel->band != chandef.chan->band;
++
++ if (mvmvif->phy_ctxt->ref == 1 && !band_change_removal) {
++ /*
++ * Change the PHY context configuration as it is currently
++ * referenced only by the P2P Device MAC (and we can modify it)
++ */
+ ret = iwl_mvm_phy_ctxt_changed(mvm, mvmvif->phy_ctxt,
+ &chandef, 1, 1);
+ if (ret)
+ goto out_unlock;
+ } else {
+ /*
+- * The PHY context is shared with other MACs. Need to remove the
+- * P2P Device from the binding, allocate an new PHY context and
+- * create a new binding
++ * The PHY context is shared with other MACs (or we're trying to
++ * switch bands), so remove the P2P Device from the binding,
++ * allocate an new PHY context and create a new binding.
+ */
+ phy_ctxt = iwl_mvm_get_free_phy_ctxt(mvm);
+ if (!phy_ctxt) {
+--
+2.30.2
+
--- /dev/null
+From 81e643ccc7327550f4e6201408b61e9889101499 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jun 2021 10:08:45 +0300
+Subject: iwlwifi: mvm: fix error print when session protection ends
+
+From: Shaul Triebitz <shaul.triebitz@intel.com>
+
+[ Upstream commit 976ac0af7ba2c5424bc305b926c0807d96fdcc83 ]
+
+When the session protection ends and the Driver is not
+associated or a beacon was not heard, the Driver
+prints "No beacons heard...".
+That's confusing for the case where not associated.
+Change the print when not associated to "Not associated...".
+
+Signed-off-by: Shaul Triebitz <shaul.triebitz@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Link: https://lore.kernel.org/r/iwlwifi.20210617100544.41a5a5a894fa.I9eabb76e7a3a7f4abbed8f2ef918f1df8e825726@changeid
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/time-event.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c b/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c
+index 3939eccd3d5a..394598b14a17 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c
+@@ -345,6 +345,8 @@ static void iwl_mvm_te_handle_notif(struct iwl_mvm *mvm,
+ * and know the dtim period.
+ */
+ iwl_mvm_te_check_disconnect(mvm, te_data->vif,
++ !te_data->vif->bss_conf.assoc ?
++ "Not associated and the time event is over already..." :
+ "No beacon heard and the time event is over already...");
+ break;
+ default:
+@@ -843,6 +845,8 @@ void iwl_mvm_rx_session_protect_notif(struct iwl_mvm *mvm,
+ * and know the dtim period.
+ */
+ iwl_mvm_te_check_disconnect(mvm, vif,
++ !vif->bss_conf.assoc ?
++ "Not associated and the session protection is over already..." :
+ "No beacon heard and the session protection is over already...");
+ spin_lock_bh(&mvm->time_event_lock);
+ iwl_mvm_te_clear_data(mvm, te_data);
+--
+2.30.2
+
--- /dev/null
+From 12bd71034101bab20b6e4fe99ca87359d1a26983 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jun 2021 11:01:17 +0300
+Subject: iwlwifi: pcie: fix context info freeing
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 26d18c75a7496c4c52b0b6789e713dc76ebfbc87 ]
+
+After firmware alive, iwl_trans_pcie_gen2_fw_alive() is called
+to free the context info. However, on gen3 that will then free
+the context info with the wrong size.
+
+Since we free this allocation later, let it stick around until
+the device is stopped for now, freeing some of it earlier is a
+separate change.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Link: https://lore.kernel.org/r/iwlwifi.20210618105614.afb63fb8cbc1.If4968db8e09f4ce2a1d27a6d750bca3d132d7d70@changeid
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c b/drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c
+index 4c3ca2a37696..b031e9304983 100644
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c
+@@ -269,7 +269,8 @@ void iwl_trans_pcie_gen2_fw_alive(struct iwl_trans *trans, u32 scd_addr)
+ /* now that we got alive we can free the fw image & the context info.
+ * paging memory cannot be freed included since FW will still use it
+ */
+- iwl_pcie_ctxt_info_free(trans);
++ if (trans->trans_cfg->device_family < IWL_DEVICE_FAMILY_AX210)
++ iwl_pcie_ctxt_info_free(trans);
+
+ /*
+ * Re-enable all the interrupts, including the RF-Kill one, now that
+--
+2.30.2
+
--- /dev/null
+From 3ca5fc08aad82a11bfb3537aa398a93738f4d7c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jun 2021 11:01:16 +0300
+Subject: iwlwifi: pcie: free IML DMA memory allocation
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 310f60f53a86eba680d9bc20a371e13b06a5f903 ]
+
+In the case of gen3 devices with image loader (IML) support,
+we were leaking the IML DMA allocation and never freeing it.
+Fix that.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Link: https://lore.kernel.org/r/iwlwifi.20210618105614.07e117dbedb7.I7bb9ebbe0617656986c2a598ea5e827b533bd3b9@changeid
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c | 15 ++++++++++-----
+ .../net/wireless/intel/iwlwifi/pcie/internal.h | 3 +++
+ 2 files changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c b/drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c
+index ec1d6025081d..56f63f5f5dd3 100644
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c
+@@ -126,7 +126,6 @@ int iwl_pcie_ctxt_info_gen3_init(struct iwl_trans *trans,
+ struct iwl_prph_scratch *prph_scratch;
+ struct iwl_prph_scratch_ctrl_cfg *prph_sc_ctrl;
+ struct iwl_prph_info *prph_info;
+- void *iml_img;
+ u32 control_flags = 0;
+ int ret;
+ int cmdq_size = max_t(u32, IWL_CMD_QUEUE_SIZE,
+@@ -234,14 +233,15 @@ int iwl_pcie_ctxt_info_gen3_init(struct iwl_trans *trans,
+ trans_pcie->prph_scratch = prph_scratch;
+
+ /* Allocate IML */
+- iml_img = dma_alloc_coherent(trans->dev, trans->iml_len,
+- &trans_pcie->iml_dma_addr, GFP_KERNEL);
+- if (!iml_img) {
++ trans_pcie->iml = dma_alloc_coherent(trans->dev, trans->iml_len,
++ &trans_pcie->iml_dma_addr,
++ GFP_KERNEL);
++ if (!trans_pcie->iml) {
+ ret = -ENOMEM;
+ goto err_free_ctxt_info;
+ }
+
+- memcpy(iml_img, trans->iml, trans->iml_len);
++ memcpy(trans_pcie->iml, trans->iml, trans->iml_len);
+
+ iwl_enable_fw_load_int_ctx_info(trans);
+
+@@ -290,6 +290,11 @@ void iwl_pcie_ctxt_info_gen3_free(struct iwl_trans *trans)
+ trans_pcie->ctxt_info_dma_addr = 0;
+ trans_pcie->ctxt_info_gen3 = NULL;
+
++ dma_free_coherent(trans->dev, trans->iml_len, trans_pcie->iml,
++ trans_pcie->iml_dma_addr);
++ trans_pcie->iml_dma_addr = 0;
++ trans_pcie->iml = NULL;
++
+ iwl_pcie_ctxt_info_free_fw_img(trans);
+
+ dma_free_coherent(trans->dev, sizeof(*trans_pcie->prph_scratch),
+diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/internal.h b/drivers/net/wireless/intel/iwlwifi/pcie/internal.h
+index ff542d2f0054..f05025e8d11d 100644
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/internal.h
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/internal.h
+@@ -336,6 +336,8 @@ struct cont_rec {
+ * Context information addresses will be taken from here.
+ * This is driver's local copy for keeping track of size and
+ * count for allocating and freeing the memory.
++ * @iml: image loader image virtual address
++ * @iml_dma_addr: image loader image DMA address
+ * @trans: pointer to the generic transport area
+ * @scd_base_addr: scheduler sram base address in SRAM
+ * @kw: keep warm address
+@@ -388,6 +390,7 @@ struct iwl_trans_pcie {
+ };
+ struct iwl_prph_info *prph_info;
+ struct iwl_prph_scratch *prph_scratch;
++ void *iml;
+ dma_addr_t ctxt_info_dma_addr;
+ dma_addr_t prph_info_dma_addr;
+ dma_addr_t prph_scratch_dma_addr;
+--
+2.30.2
+
--- /dev/null
+From 483f646939a5c33781c8e8927ae748a1d5f2b6eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jun 2021 22:08:16 +0200
+Subject: mac80211: consider per-CPU statistics if present
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit d656a4c6ead6c3f252b2f2532bc9735598f7e317 ]
+
+If we have been keeping per-CPU statistics, consider them
+regardless of USES_RSS, because we may not actually fill
+those, for example in non-fast-RX cases when the connection
+is not compatible with fast-RX. If we didn't fill them, the
+additional data will be zero and not affect anything, and
+if we did fill them then it's more correct to consider them.
+
+This fixes an issue in mesh mode where some statistics are
+not updated due to USES_RSS being set, but fast-RX isn't
+used.
+
+Reported-by: Thiraviyam Mariyappan <tmariyap@codeaurora.org>
+Link: https://lore.kernel.org/r/20210610220814.13b35f5797c5.I511e9b33c5694e0d6cef4b6ae755c873d7c22124@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/sta_info.c | 11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
+index 13250cadb420..e18c3855f616 100644
+--- a/net/mac80211/sta_info.c
++++ b/net/mac80211/sta_info.c
+@@ -2088,10 +2088,9 @@ static struct ieee80211_sta_rx_stats *
+ sta_get_last_rx_stats(struct sta_info *sta)
+ {
+ struct ieee80211_sta_rx_stats *stats = &sta->rx_stats;
+- struct ieee80211_local *local = sta->local;
+ int cpu;
+
+- if (!ieee80211_hw_check(&local->hw, USES_RSS))
++ if (!sta->pcpu_rx_stats)
+ return stats;
+
+ for_each_possible_cpu(cpu) {
+@@ -2191,9 +2190,7 @@ static void sta_set_tidstats(struct sta_info *sta,
+ int cpu;
+
+ if (!(tidstats->filled & BIT(NL80211_TID_STATS_RX_MSDU))) {
+- if (!ieee80211_hw_check(&local->hw, USES_RSS))
+- tidstats->rx_msdu +=
+- sta_get_tidstats_msdu(&sta->rx_stats, tid);
++ tidstats->rx_msdu += sta_get_tidstats_msdu(&sta->rx_stats, tid);
+
+ if (sta->pcpu_rx_stats) {
+ for_each_possible_cpu(cpu) {
+@@ -2272,7 +2269,6 @@ void sta_set_sinfo(struct sta_info *sta, struct station_info *sinfo,
+ sinfo->rx_beacon = sdata->u.mgd.count_beacon_signal;
+
+ drv_sta_statistics(local, sdata, &sta->sta, sinfo);
+-
+ sinfo->filled |= BIT_ULL(NL80211_STA_INFO_INACTIVE_TIME) |
+ BIT_ULL(NL80211_STA_INFO_STA_FLAGS) |
+ BIT_ULL(NL80211_STA_INFO_BSS_PARAM) |
+@@ -2307,8 +2303,7 @@ void sta_set_sinfo(struct sta_info *sta, struct station_info *sinfo,
+
+ if (!(sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES64) |
+ BIT_ULL(NL80211_STA_INFO_RX_BYTES)))) {
+- if (!ieee80211_hw_check(&local->hw, USES_RSS))
+- sinfo->rx_bytes += sta_get_stats_bytes(&sta->rx_stats);
++ sinfo->rx_bytes += sta_get_stats_bytes(&sta->rx_stats);
+
+ if (sta->pcpu_rx_stats) {
+ for_each_possible_cpu(cpu) {
+--
+2.30.2
+
--- /dev/null
+From e0d33275d6dc8f35098cbe7b2a459e3eca875f69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 May 2021 11:05:29 -0700
+Subject: mac80211_hwsim: add concurrent channels scanning support over virtio
+
+From: Weilun Du <wdu@google.com>
+
+[ Upstream commit 626c30f9e77354301ff9162c3bdddaf92d9b5cf3 ]
+
+This fixed the crash when setting channels to 2 or more when
+communicating over virtio.
+
+Signed-off-by: Weilun Du <wdu@google.com>
+Link: https://lore.kernel.org/r/20210506180530.3418576-1-wdu@google.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mac80211_hwsim.c | 48 +++++++++++++++++++++------
+ 1 file changed, 38 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
+index f147d4feedb9..4ca0b06d09ad 100644
+--- a/drivers/net/wireless/mac80211_hwsim.c
++++ b/drivers/net/wireless/mac80211_hwsim.c
+@@ -557,6 +557,7 @@ struct mac80211_hwsim_data {
+ u32 ciphers[ARRAY_SIZE(hwsim_ciphers)];
+
+ struct mac_address addresses[2];
++ struct ieee80211_chanctx_conf *chanctx;
+ int channels, idx;
+ bool use_chanctx;
+ bool destroy_on_close;
+@@ -1187,7 +1188,8 @@ static inline u16 trans_tx_rate_flags_ieee2hwsim(struct ieee80211_tx_rate *rate)
+
+ static void mac80211_hwsim_tx_frame_nl(struct ieee80211_hw *hw,
+ struct sk_buff *my_skb,
+- int dst_portid)
++ int dst_portid,
++ struct ieee80211_channel *channel)
+ {
+ struct sk_buff *skb;
+ struct mac80211_hwsim_data *data = hw->priv;
+@@ -1242,7 +1244,7 @@ static void mac80211_hwsim_tx_frame_nl(struct ieee80211_hw *hw,
+ if (nla_put_u32(skb, HWSIM_ATTR_FLAGS, hwsim_flags))
+ goto nla_put_failure;
+
+- if (nla_put_u32(skb, HWSIM_ATTR_FREQ, data->channel->center_freq))
++ if (nla_put_u32(skb, HWSIM_ATTR_FREQ, channel->center_freq))
+ goto nla_put_failure;
+
+ /* We get the tx control (rate and retries) info*/
+@@ -1589,7 +1591,7 @@ static void mac80211_hwsim_tx(struct ieee80211_hw *hw,
+ _portid = READ_ONCE(data->wmediumd);
+
+ if (_portid || hwsim_virtio_enabled)
+- return mac80211_hwsim_tx_frame_nl(hw, skb, _portid);
++ return mac80211_hwsim_tx_frame_nl(hw, skb, _portid, channel);
+
+ /* NO wmediumd detected, perfect medium simulation */
+ data->tx_pkts++;
+@@ -1705,7 +1707,7 @@ static void mac80211_hwsim_tx_frame(struct ieee80211_hw *hw,
+ mac80211_hwsim_monitor_rx(hw, skb, chan);
+
+ if (_pid || hwsim_virtio_enabled)
+- return mac80211_hwsim_tx_frame_nl(hw, skb, _pid);
++ return mac80211_hwsim_tx_frame_nl(hw, skb, _pid, chan);
+
+ mac80211_hwsim_tx_frame_no_nl(hw, skb, chan);
+ dev_kfree_skb(skb);
+@@ -2444,6 +2446,11 @@ static int mac80211_hwsim_croc(struct ieee80211_hw *hw,
+ static int mac80211_hwsim_add_chanctx(struct ieee80211_hw *hw,
+ struct ieee80211_chanctx_conf *ctx)
+ {
++ struct mac80211_hwsim_data *hwsim = hw->priv;
++
++ mutex_lock(&hwsim->mutex);
++ hwsim->chanctx = ctx;
++ mutex_unlock(&hwsim->mutex);
+ hwsim_set_chanctx_magic(ctx);
+ wiphy_dbg(hw->wiphy,
+ "add channel context control: %d MHz/width: %d/cfreqs:%d/%d MHz\n",
+@@ -2455,6 +2462,11 @@ static int mac80211_hwsim_add_chanctx(struct ieee80211_hw *hw,
+ static void mac80211_hwsim_remove_chanctx(struct ieee80211_hw *hw,
+ struct ieee80211_chanctx_conf *ctx)
+ {
++ struct mac80211_hwsim_data *hwsim = hw->priv;
++
++ mutex_lock(&hwsim->mutex);
++ hwsim->chanctx = NULL;
++ mutex_unlock(&hwsim->mutex);
+ wiphy_dbg(hw->wiphy,
+ "remove channel context control: %d MHz/width: %d/cfreqs:%d/%d MHz\n",
+ ctx->def.chan->center_freq, ctx->def.width,
+@@ -2467,6 +2479,11 @@ static void mac80211_hwsim_change_chanctx(struct ieee80211_hw *hw,
+ struct ieee80211_chanctx_conf *ctx,
+ u32 changed)
+ {
++ struct mac80211_hwsim_data *hwsim = hw->priv;
++
++ mutex_lock(&hwsim->mutex);
++ hwsim->chanctx = ctx;
++ mutex_unlock(&hwsim->mutex);
+ hwsim_check_chanctx_magic(ctx);
+ wiphy_dbg(hw->wiphy,
+ "change channel context control: %d MHz/width: %d/cfreqs:%d/%d MHz\n",
+@@ -3059,6 +3076,7 @@ static int mac80211_hwsim_new_radio(struct genl_info *info,
+ hw->wiphy->max_remain_on_channel_duration = 1000;
+ data->if_combination.radar_detect_widths = 0;
+ data->if_combination.num_different_channels = data->channels;
++ data->chanctx = NULL;
+ } else {
+ data->if_combination.num_different_channels = 1;
+ data->if_combination.radar_detect_widths =
+@@ -3566,6 +3584,7 @@ static int hwsim_cloned_frame_received_nl(struct sk_buff *skb_2,
+ int frame_data_len;
+ void *frame_data;
+ struct sk_buff *skb = NULL;
++ struct ieee80211_channel *channel = NULL;
+
+ if (!info->attrs[HWSIM_ATTR_ADDR_RECEIVER] ||
+ !info->attrs[HWSIM_ATTR_FRAME] ||
+@@ -3592,6 +3611,17 @@ static int hwsim_cloned_frame_received_nl(struct sk_buff *skb_2,
+ if (!data2)
+ goto out;
+
++ if (data2->use_chanctx) {
++ if (data2->tmp_chan)
++ channel = data2->tmp_chan;
++ else if (data2->chanctx)
++ channel = data2->chanctx->def.chan;
++ } else {
++ channel = data2->channel;
++ }
++ if (!channel)
++ goto out;
++
+ if (!hwsim_virtio_enabled) {
+ if (hwsim_net_get_netgroup(genl_info_net(info)) !=
+ data2->netgroup)
+@@ -3603,7 +3633,7 @@ static int hwsim_cloned_frame_received_nl(struct sk_buff *skb_2,
+
+ /* check if radio is configured properly */
+
+- if (data2->idle || !data2->started)
++ if ((data2->idle && !data2->tmp_chan) || !data2->started)
+ goto out;
+
+ /* A frame is received from user space */
+@@ -3616,18 +3646,16 @@ static int hwsim_cloned_frame_received_nl(struct sk_buff *skb_2,
+ mutex_lock(&data2->mutex);
+ rx_status.freq = nla_get_u32(info->attrs[HWSIM_ATTR_FREQ]);
+
+- if (rx_status.freq != data2->channel->center_freq &&
+- (!data2->tmp_chan ||
+- rx_status.freq != data2->tmp_chan->center_freq)) {
++ if (rx_status.freq != channel->center_freq) {
+ mutex_unlock(&data2->mutex);
+ goto out;
+ }
+ mutex_unlock(&data2->mutex);
+ } else {
+- rx_status.freq = data2->channel->center_freq;
++ rx_status.freq = channel->center_freq;
+ }
+
+- rx_status.band = data2->channel->band;
++ rx_status.band = channel->band;
+ rx_status.rate_idx = nla_get_u32(info->attrs[HWSIM_ATTR_RX_RATE]);
+ rx_status.signal = nla_get_u32(info->attrs[HWSIM_ATTR_SIGNAL]);
+
+--
+2.30.2
+
--- /dev/null
+From b8f711294236f33f1041df25a55f93f2920814b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jun 2021 22:37:54 +0100
+Subject: media, bpf: Do not copy more entries than user space requested
+
+From: Sean Young <sean@mess.org>
+
+[ Upstream commit 647d446d66e493d23ca1047fa8492b0269674530 ]
+
+The syscall bpf(BPF_PROG_QUERY, &attr) should use the prog_cnt field to
+see how many entries user space provided and return ENOSPC if there are
+more programs than that. Before this patch, this is not checked and
+ENOSPC is never returned.
+
+Note that one lirc device is limited to 64 bpf programs, and user space
+I'm aware of -- ir-keytable -- always gives enough space for 64 entries
+already. However, we should not copy program ids than are requested.
+
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20210623213754.632-1-sean@mess.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/rc/bpf-lirc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/rc/bpf-lirc.c b/drivers/media/rc/bpf-lirc.c
+index 3fe3edd80876..afae0afe3f81 100644
+--- a/drivers/media/rc/bpf-lirc.c
++++ b/drivers/media/rc/bpf-lirc.c
+@@ -326,7 +326,8 @@ int lirc_prog_query(const union bpf_attr *attr, union bpf_attr __user *uattr)
+ }
+
+ if (attr->query.prog_cnt != 0 && prog_ids && cnt)
+- ret = bpf_prog_array_copy_to_user(progs, prog_ids, cnt);
++ ret = bpf_prog_array_copy_to_user(progs, prog_ids,
++ attr->query.prog_cnt);
+
+ unlock:
+ mutex_unlock(&ir_raw_handler_lock);
+--
+2.30.2
+
--- /dev/null
+From 364915888d06e4e203b3bff4b63e1507f29ac746 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Jun 2021 15:09:46 +0800
+Subject: MIPS: add PMD table accounting into MIPS'pmd_alloc_one
+
+From: Huang Pei <huangpei@loongson.cn>
+
+[ Upstream commit ed914d48b6a1040d1039d371b56273d422c0081e ]
+
+This fixes Page Table accounting bug.
+
+MIPS is the ONLY arch just defining __HAVE_ARCH_PMD_ALLOC_ONE alone.
+Since commit b2b29d6d011944 (mm: account PMD tables like PTE tables),
+"pmd_free" in asm-generic with PMD table accounting and "pmd_alloc_one"
+in MIPS without PMD table accounting causes PageTable accounting number
+negative, which read by global_zone_page_state(), always returns 0.
+
+Signed-off-by: Huang Pei <huangpei@loongson.cn>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/include/asm/pgalloc.h | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/arch/mips/include/asm/pgalloc.h b/arch/mips/include/asm/pgalloc.h
+index 8b18424b3120..d0cf997b4ba8 100644
+--- a/arch/mips/include/asm/pgalloc.h
++++ b/arch/mips/include/asm/pgalloc.h
+@@ -59,11 +59,15 @@ do { \
+
+ static inline pmd_t *pmd_alloc_one(struct mm_struct *mm, unsigned long address)
+ {
+- pmd_t *pmd;
++ pmd_t *pmd = NULL;
++ struct page *pg;
+
+- pmd = (pmd_t *) __get_free_pages(GFP_KERNEL, PMD_ORDER);
+- if (pmd)
++ pg = alloc_pages(GFP_KERNEL | __GFP_ACCOUNT, PMD_ORDER);
++ if (pg) {
++ pgtable_pmd_page_ctor(pg);
++ pmd = (pmd_t *)page_address(pg);
+ pmd_init((unsigned long)pmd, (unsigned long)invalid_pte_table);
++ }
+ return pmd;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From b46f22867dd58d431d457e0786a46f768946a3e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 30 May 2021 18:17:57 +0100
+Subject: MIPS: cpu-probe: Fix FPU detection on Ingenic JZ4760(B)
+
+From: Paul Cercueil <paul@crapouillou.net>
+
+[ Upstream commit fc52f92a653215fbd6bc522ac5311857b335e589 ]
+
+Ingenic JZ4760 and JZ4760B do have a FPU, but the config registers don't
+report it. Force the FPU detection in case the processor ID match the
+JZ4760(B) one.
+
+Signed-off-by: Paul Cercueil <paul@crapouillou.net>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/kernel/cpu-probe.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/arch/mips/kernel/cpu-probe.c b/arch/mips/kernel/cpu-probe.c
+index e6ae2bcdbeda..067cb3eb1614 100644
+--- a/arch/mips/kernel/cpu-probe.c
++++ b/arch/mips/kernel/cpu-probe.c
+@@ -1827,6 +1827,11 @@ static inline void cpu_probe_ingenic(struct cpuinfo_mips *c, unsigned int cpu)
+ */
+ case PRID_COMP_INGENIC_D0:
+ c->isa_level &= ~MIPS_CPU_ISA_M32R2;
++
++ /* FPU is not properly detected on JZ4760(B). */
++ if (c->processor_id == 0x2ed0024f)
++ c->options |= MIPS_CPU_FPU;
++
+ fallthrough;
+
+ /*
+--
+2.30.2
+
--- /dev/null
+From d007ad5984aac6220a0b5276cdbaf9f4963a38ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 30 May 2021 18:17:59 +0100
+Subject: MIPS: ingenic: Select CPU_SUPPORTS_CPUFREQ && MIPS_EXTERNAL_TIMER
+
+From: Paul Cercueil <paul@crapouillou.net>
+
+[ Upstream commit eb3849370ae32b571e1f9a63ba52c61adeaf88f7 ]
+
+The clock driving the XBurst CPUs in Ingenic SoCs is integer divided
+from the main PLL. As such, it is possible to control the frequency of
+the CPU, either by changing the divider, or by changing the rate of the
+main PLL.
+
+The XBurst CPUs also lack the CP0 timer; the TCU, a separate piece of
+hardware in the SoC, provides this functionality.
+
+Signed-off-by: Paul Cercueil <paul@crapouillou.net>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/Kconfig | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig
+index 1917ccd39256..1a63f592034e 100644
+--- a/arch/mips/Kconfig
++++ b/arch/mips/Kconfig
+@@ -418,6 +418,8 @@ config MACH_INGENIC_SOC
+ select MIPS_GENERIC
+ select MACH_INGENIC
+ select SYS_SUPPORTS_ZBOOT_UART16550
++ select CPU_SUPPORTS_CPUFREQ
++ select MIPS_EXTERNAL_TIMER
+
+ config LANTIQ
+ bool "Lantiq based platforms"
+--
+2.30.2
+
--- /dev/null
+From 3dc7b5d45385d9ada595dabfc156a3d0f4b55bb5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Jun 2021 17:11:05 +0800
+Subject: MIPS: loongsoon64: Reserve memory below starting pfn to prevent Oops
+
+From: zhanglianjie <zhanglianjie@uniontech.com>
+
+[ Upstream commit 6817c944430d00f71ccaa9c99ff5b0096aeb7873 ]
+
+The cause of the problem is as follows:
+1. when cat /sys/devices/system/memory/memory0/valid_zones,
+ test_pages_in_a_zone() will be called.
+2. test_pages_in_a_zone() finds the zone according to stat_pfn = 0.
+ The smallest pfn of the numa node in the mips architecture is 128,
+ and the page corresponding to the previous 0~127 pfn is not
+ initialized (page->flags is 0xFFFFFFFF)
+3. The nid and zonenum obtained using page_zone(pfn_to_page(0)) are out
+ of bounds in the corresponding array,
+ &NODE_DATA(page_to_nid(page))->node_zones[page_zonenum(page)],
+ access to the out-of-bounds zone member variables appear abnormal,
+ resulting in Oops.
+Therefore, it is necessary to keep the page between 0 and the minimum
+pfn to prevent Oops from appearing.
+
+Signed-off-by: zhanglianjie <zhanglianjie@uniontech.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/loongson64/numa.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/mips/loongson64/numa.c b/arch/mips/loongson64/numa.c
+index cf9459f79f9b..e4c461df3ee6 100644
+--- a/arch/mips/loongson64/numa.c
++++ b/arch/mips/loongson64/numa.c
+@@ -182,6 +182,9 @@ static void __init node_mem_init(unsigned int node)
+ if (node_end_pfn(0) >= (0xffffffff >> PAGE_SHIFT))
+ memblock_reserve((node_addrspace_offset | 0xfe000000),
+ 32 << 20);
++
++ /* Reserve pfn range 0~node[0]->node_start_pfn */
++ memblock_reserve(0, PAGE_SIZE * start_pfn);
+ }
+ }
+
+--
+2.30.2
+
--- /dev/null
+From d08533519ce0200c90b57207b916ff00ac84f5e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Jun 2021 14:50:26 -0700
+Subject: MIPS: set mips32r5 for virt extensions
+
+From: Nick Desaulniers <ndesaulniers@google.com>
+
+[ Upstream commit c994a3ec7ecc8bd2a837b2061e8a76eb8efc082b ]
+
+Clang's integrated assembler only accepts these instructions when the
+cpu is set to mips32r5. With this change, we can assemble
+malta_defconfig with Clang via `make LLVM_IAS=1`.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/763
+Reported-by: Dmitry Golovin <dima@golovin.in>
+Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/include/asm/mipsregs.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/mips/include/asm/mipsregs.h b/arch/mips/include/asm/mipsregs.h
+index a0e8ae5497b6..7a7467d3f7f0 100644
+--- a/arch/mips/include/asm/mipsregs.h
++++ b/arch/mips/include/asm/mipsregs.h
+@@ -2073,7 +2073,7 @@ _ASM_MACRO_0(tlbginvf, _ASM_INSN_IF_MIPS(0x4200000c)
+ ({ int __res; \
+ __asm__ __volatile__( \
+ ".set\tpush\n\t" \
+- ".set\tmips32r2\n\t" \
++ ".set\tmips32r5\n\t" \
+ _ASM_SET_VIRT \
+ "mfgc0\t%0, " #source ", %1\n\t" \
+ ".set\tpop" \
+@@ -2086,7 +2086,7 @@ _ASM_MACRO_0(tlbginvf, _ASM_INSN_IF_MIPS(0x4200000c)
+ ({ unsigned long long __res; \
+ __asm__ __volatile__( \
+ ".set\tpush\n\t" \
+- ".set\tmips64r2\n\t" \
++ ".set\tmips64r5\n\t" \
+ _ASM_SET_VIRT \
+ "dmfgc0\t%0, " #source ", %1\n\t" \
+ ".set\tpop" \
+@@ -2099,7 +2099,7 @@ _ASM_MACRO_0(tlbginvf, _ASM_INSN_IF_MIPS(0x4200000c)
+ do { \
+ __asm__ __volatile__( \
+ ".set\tpush\n\t" \
+- ".set\tmips32r2\n\t" \
++ ".set\tmips32r5\n\t" \
+ _ASM_SET_VIRT \
+ "mtgc0\t%z0, " #register ", %1\n\t" \
+ ".set\tpop" \
+@@ -2111,7 +2111,7 @@ do { \
+ do { \
+ __asm__ __volatile__( \
+ ".set\tpush\n\t" \
+- ".set\tmips64r2\n\t" \
++ ".set\tmips64r5\n\t" \
+ _ASM_SET_VIRT \
+ "dmtgc0\t%z0, " #register ", %1\n\t" \
+ ".set\tpop" \
+--
+2.30.2
+
--- /dev/null
+From 105823b943eef0eaae7a200c0120b0b1f664f1b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 May 2021 14:58:53 +0800
+Subject: mISDN: fix possible use-after-free in HFC_cleanup()
+
+From: Zou Wei <zou_wei@huawei.com>
+
+[ Upstream commit 009fc857c5f6fda81f2f7dd851b2d54193a8e733 ]
+
+This module's remove path calls del_timer(). However, that function
+does not wait until the timer handler finishes. This means that the
+timer handler may still be running after the driver's remove function
+has finished, which would result in a use-after-free.
+
+Fix by calling del_timer_sync(), which makes sure the timer handler
+has finished, and unable to re-schedule itself.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zou Wei <zou_wei@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/isdn/hardware/mISDN/hfcpci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/isdn/hardware/mISDN/hfcpci.c b/drivers/isdn/hardware/mISDN/hfcpci.c
+index 56bd2e9db6ed..e501cb03f211 100644
+--- a/drivers/isdn/hardware/mISDN/hfcpci.c
++++ b/drivers/isdn/hardware/mISDN/hfcpci.c
+@@ -2342,7 +2342,7 @@ static void __exit
+ HFC_cleanup(void)
+ {
+ if (timer_pending(&hfc_tl))
+- del_timer(&hfc_tl);
++ del_timer_sync(&hfc_tl);
+
+ pci_unregister_driver(&hfc_driver);
+ }
+--
+2.30.2
+
--- /dev/null
+From 31856ab9302fe4cec71014aabd16b2b617fe645b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 May 2021 14:07:53 +0200
+Subject: mt76: mt7615: fix fixed-rate tx status reporting
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit ec8f1a90d006f7cedcf86ef19fd034a406a213d6 ]
+
+Rely on the txs fixed-rate bit instead of info->control.rates
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7615/mac.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
+index 5795e44f8a52..f44f478bb970 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
+@@ -1177,22 +1177,20 @@ static bool mt7615_fill_txs(struct mt7615_dev *dev, struct mt7615_sta *sta,
+ int first_idx = 0, last_idx;
+ int i, idx, count;
+ bool fixed_rate, ack_timeout;
+- bool probe, ampdu, cck = false;
++ bool ampdu, cck = false;
+ bool rs_idx;
+ u32 rate_set_tsf;
+ u32 final_rate, final_rate_flags, final_nss, txs;
+
+- fixed_rate = info->status.rates[0].count;
+- probe = !!(info->flags & IEEE80211_TX_CTL_RATE_CTRL_PROBE);
+-
+ txs = le32_to_cpu(txs_data[1]);
+- ampdu = !fixed_rate && (txs & MT_TXS1_AMPDU);
++ ampdu = txs & MT_TXS1_AMPDU;
+
+ txs = le32_to_cpu(txs_data[3]);
+ count = FIELD_GET(MT_TXS3_TX_COUNT, txs);
+ last_idx = FIELD_GET(MT_TXS3_LAST_TX_RATE, txs);
+
+ txs = le32_to_cpu(txs_data[0]);
++ fixed_rate = txs & MT_TXS0_FIXED_RATE;
+ final_rate = FIELD_GET(MT_TXS0_TX_RATE, txs);
+ ack_timeout = txs & MT_TXS0_ACK_TIMEOUT;
+
+@@ -1214,7 +1212,7 @@ static bool mt7615_fill_txs(struct mt7615_dev *dev, struct mt7615_sta *sta,
+
+ first_idx = max_t(int, 0, last_idx - (count - 1) / MT7615_RATE_RETRY);
+
+- if (fixed_rate && !probe) {
++ if (fixed_rate) {
+ info->status.rates[0].count = count;
+ i = 0;
+ goto out;
+--
+2.30.2
+
--- /dev/null
+From ff72d2f66ac525988b37652f8dbffe674fd7da11 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Jun 2021 02:04:20 +0800
+Subject: mt76: mt7915: fix IEEE80211_HE_PHY_CAP7_MAX_NC for station mode
+
+From: Ryder Lee <ryder.lee@mediatek.com>
+
+[ Upstream commit 2707ff4dd7b1479dbd44ebb3c74788084cc95245 ]
+
+The value of station mode is always 0.
+
+Fixed: 00b2e16e0063 ("mt76: mt7915: add TxBF capabilities")
+Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7915/init.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/init.c b/drivers/net/wireless/mediatek/mt76/mt7915/init.c
+index 0232b66acb4f..8f01ca1694bc 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7915/init.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7915/init.c
+@@ -335,6 +335,9 @@ mt7915_set_stream_he_txbf_caps(struct ieee80211_sta_he_cap *he_cap,
+ if (nss < 2)
+ return;
+
++ /* the maximum cap is 4 x 3, (Nr, Nc) = (3, 2) */
++ elem->phy_cap_info[7] |= min_t(int, nss - 1, 2) << 3;
++
+ if (vif != NL80211_IFTYPE_AP)
+ return;
+
+@@ -348,9 +351,6 @@ mt7915_set_stream_he_txbf_caps(struct ieee80211_sta_he_cap *he_cap,
+ c = IEEE80211_HE_PHY_CAP6_TRIG_SU_BEAMFORMER_FB |
+ IEEE80211_HE_PHY_CAP6_TRIG_MU_BEAMFORMER_FB;
+ elem->phy_cap_info[6] |= c;
+-
+- /* the maximum cap is 4 x 3, (Nr, Nc) = (3, 2) */
+- elem->phy_cap_info[7] |= min_t(int, nss - 1, 2) << 3;
+ }
+
+ static void
+--
+2.30.2
+
--- /dev/null
+From 8d9fd370da86e0f24b2e267a6ee2483bbb2d9fbe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Jun 2021 21:38:37 +0800
+Subject: net: bcmgenet: check return value after calling
+ platform_get_resource()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 74325bf0104573c6dfce42837139aeef3f34be76 ]
+
+It will cause null-ptr-deref if platform_get_resource() returns NULL,
+we need check the return value.
+
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmmii.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/broadcom/genet/bcmmii.c b/drivers/net/ethernet/broadcom/genet/bcmmii.c
+index 6fb6c3556285..f9e91304d232 100644
+--- a/drivers/net/ethernet/broadcom/genet/bcmmii.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmmii.c
+@@ -423,6 +423,10 @@ static int bcmgenet_mii_register(struct bcmgenet_priv *priv)
+ int id, ret;
+
+ pres = platform_get_resource(pdev, IORESOURCE_MEM, 0);
++ if (!pres) {
++ dev_err(&pdev->dev, "Invalid resource\n");
++ return -EINVAL;
++ }
+ memset(&res, 0, sizeof(res));
+ memset(&ppd, 0, sizeof(ppd));
+
+--
+2.30.2
+
--- /dev/null
+From 168907a59285c417beee0c7fbeedab5d7999c4ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jun 2021 12:37:47 +0200
+Subject: net: bridge: mrp: Update ring transitions.
+
+From: Horatiu Vultur <horatiu.vultur@microchip.com>
+
+[ Upstream commit fcb34635854a5a5814227628867ea914a9805384 ]
+
+According to the standard IEC 62439-2, the number of transitions needs
+to be counted for each transition 'between' ring state open and ring
+state closed and not from open state to closed state.
+
+Therefore fix this for both ring and interconnect ring.
+
+Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_mrp.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/net/bridge/br_mrp.c b/net/bridge/br_mrp.c
+index d1336a7ad7ff..3259f5480127 100644
+--- a/net/bridge/br_mrp.c
++++ b/net/bridge/br_mrp.c
+@@ -607,8 +607,7 @@ int br_mrp_set_ring_state(struct net_bridge *br,
+ if (!mrp)
+ return -EINVAL;
+
+- if (mrp->ring_state == BR_MRP_RING_STATE_CLOSED &&
+- state->ring_state != BR_MRP_RING_STATE_CLOSED)
++ if (mrp->ring_state != state->ring_state)
+ mrp->ring_transitions++;
+
+ mrp->ring_state = state->ring_state;
+@@ -690,8 +689,7 @@ int br_mrp_set_in_state(struct net_bridge *br, struct br_mrp_in_state *state)
+ if (!mrp)
+ return -EINVAL;
+
+- if (mrp->in_state == BR_MRP_IN_STATE_CLOSED &&
+- state->in_state != BR_MRP_IN_STATE_CLOSED)
++ if (mrp->in_state != state->in_state)
+ mrp->in_transitions++;
+
+ mrp->in_state = state->in_state;
+--
+2.30.2
+
--- /dev/null
+From c0aa37edc8b4ef705f6e4055f63c30567881ff28 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jun 2021 14:27:37 +0800
+Subject: net: fec: add ndo_select_queue to fix TX bandwidth fluctuations
+
+From: Fugang Duan <fugang.duan@nxp.com>
+
+[ Upstream commit 52c4a1a85f4b346c39c896c0168f4a843b3385ff ]
+
+As we know that AVB is enabled by default, and the ENET IP design is
+queue 0 for best effort, queue 1&2 for AVB Class A&B. Bandwidth of each
+queue 1&2 set in driver is 50%, TX bandwidth fluctuated when selecting
+tx queues randomly with FEC_QUIRK_HAS_AVB quirk available.
+
+This patch adds ndo_select_queue callback to select queues for
+transmitting to fix this issue. It will always return queue 0 if this is
+not a vlan packet, and return queue 1 or 2 based on priority of vlan
+packet.
+
+You may complain that in fact we only use single queue for trasmitting
+if we are not targeted to VLAN. Yes, but seems we have no choice, since
+AVB is enabled when the driver probed, we can't switch this feature
+dynamicly. After compare multiple queues to single queue, TX throughput
+almost no improvement.
+
+One way we can implemet is to configure the driver to multiple queues
+with Round-robin scheme by default. Then add ndo_setup_tc callback to
+enable/disable AVB feature for users. Unfortunately, ENET AVB IP seems
+not follow the standard 802.1Qav spec. We only can program
+DMAnCFG[IDLE_SLOPE] field to calculate bandwidth fraction. And idle
+slope is restricted to certain valus (a total of 19). It's far away from
+CBS QDisc implemented in Linux TC framework. If you strongly suggest to do
+this, I think we only can support limited numbers of bandwidth and reject
+others, but it's really urgly and wried.
+
+With this patch, VLAN tagged packets route to queue 0/1/2 based on vlan
+priority; VLAN untagged packets route to queue 0.
+
+Tested-by: Frieder Schrempf <frieder.schrempf@kontron.de>
+Reported-by: Frieder Schrempf <frieder.schrempf@kontron.de>
+Signed-off-by: Fugang Duan <fugang.duan@nxp.com>
+Signed-off-by: Joakim Zhang <qiangqing.zhang@nxp.com>
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/fec_main.c | 32 +++++++++++++++++++++++
+ 1 file changed, 32 insertions(+)
+
+diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
+index 960def41cc55..2cb73e850a32 100644
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -75,6 +75,8 @@ static void fec_enet_itr_coal_init(struct net_device *ndev);
+
+ #define DRIVER_NAME "fec"
+
++static const u16 fec_enet_vlan_pri_to_queue[8] = {0, 0, 1, 1, 1, 2, 2, 2};
++
+ /* Pause frame feild and FIFO threshold */
+ #define FEC_ENET_FCE (1 << 5)
+ #define FEC_ENET_RSEM_V 0x84
+@@ -3222,10 +3224,40 @@ static int fec_set_features(struct net_device *netdev,
+ return 0;
+ }
+
++static u16 fec_enet_get_raw_vlan_tci(struct sk_buff *skb)
++{
++ struct vlan_ethhdr *vhdr;
++ unsigned short vlan_TCI = 0;
++
++ if (skb->protocol == htons(ETH_P_ALL)) {
++ vhdr = (struct vlan_ethhdr *)(skb->data);
++ vlan_TCI = ntohs(vhdr->h_vlan_TCI);
++ }
++
++ return vlan_TCI;
++}
++
++static u16 fec_enet_select_queue(struct net_device *ndev, struct sk_buff *skb,
++ struct net_device *sb_dev)
++{
++ struct fec_enet_private *fep = netdev_priv(ndev);
++ u16 vlan_tag;
++
++ if (!(fep->quirks & FEC_QUIRK_HAS_AVB))
++ return netdev_pick_tx(ndev, skb, NULL);
++
++ vlan_tag = fec_enet_get_raw_vlan_tci(skb);
++ if (!vlan_tag)
++ return vlan_tag;
++
++ return fec_enet_vlan_pri_to_queue[vlan_tag >> 13];
++}
++
+ static const struct net_device_ops fec_netdev_ops = {
+ .ndo_open = fec_enet_open,
+ .ndo_stop = fec_enet_close,
+ .ndo_start_xmit = fec_enet_start_xmit,
++ .ndo_select_queue = fec_enet_select_queue,
+ .ndo_set_rx_mode = set_multicast_list,
+ .ndo_validate_addr = eth_validate_addr,
+ .ndo_tx_timeout = fec_timeout,
+--
+2.30.2
+
--- /dev/null
+From 8e5a3669380a5616c6a967415627864d72cf4925 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jun 2021 11:37:11 +0800
+Subject: net: fix mistake path for netdev_features_strings
+
+From: Jian Shen <shenjian15@huawei.com>
+
+[ Upstream commit 2d8ea148e553e1dd4e80a87741abdfb229e2b323 ]
+
+Th_strings arrays netdev_features_strings, tunable_strings, and
+phy_tunable_strings has been moved to file net/ethtool/common.c.
+So fixes the comment.
+
+Signed-off-by: Jian Shen <shenjian15@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/netdev_features.h | 2 +-
+ include/uapi/linux/ethtool.h | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/netdev_features.h b/include/linux/netdev_features.h
+index 0b17c4322b09..f96b7f8d82e5 100644
+--- a/include/linux/netdev_features.h
++++ b/include/linux/netdev_features.h
+@@ -87,7 +87,7 @@ enum {
+
+ /*
+ * Add your fresh new feature above and remember to update
+- * netdev_features_strings[] in net/core/ethtool.c and maybe
++ * netdev_features_strings[] in net/ethtool/common.c and maybe
+ * some feature mask #defines below. Please also describe it
+ * in Documentation/networking/netdev-features.rst.
+ */
+diff --git a/include/uapi/linux/ethtool.h b/include/uapi/linux/ethtool.h
+index cde753bb2093..13772f039c8d 100644
+--- a/include/uapi/linux/ethtool.h
++++ b/include/uapi/linux/ethtool.h
+@@ -223,7 +223,7 @@ enum tunable_id {
+ ETHTOOL_PFC_PREVENTION_TOUT, /* timeout in msecs */
+ /*
+ * Add your fresh new tunable attribute above and remember to update
+- * tunable_strings[] in net/core/ethtool.c
++ * tunable_strings[] in net/ethtool/common.c
+ */
+ __ETHTOOL_TUNABLE_COUNT,
+ };
+@@ -287,7 +287,7 @@ enum phy_tunable_id {
+ ETHTOOL_PHY_EDPD,
+ /*
+ * Add your fresh new phy tunable attribute above and remember to update
+- * phy_tunable_strings[] in net/core/ethtool.c
++ * phy_tunable_strings[] in net/ethtool/common.c
+ */
+ __ETHTOOL_PHY_TUNABLE_COUNT,
+ };
+--
+2.30.2
+
--- /dev/null
+From 93fa5ebe812e6efc6f330d294f343d7e582ae835 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jun 2021 14:44:38 -0700
+Subject: net: ip: avoid OOM kills with large UDP sends over loopback
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 6d123b81ac615072a8525c13c6c41b695270a15d ]
+
+Dave observed number of machines hitting OOM on the UDP send
+path. The workload seems to be sending large UDP packets over
+loopback. Since loopback has MTU of 64k kernel will try to
+allocate an skb with up to 64k of head space. This has a good
+chance of failing under memory pressure. What's worse if
+the message length is <32k the allocation may trigger an
+OOM killer.
+
+This is entirely avoidable, we can use an skb with page frags.
+
+af_unix solves a similar problem by limiting the head
+length to SKB_MAX_ALLOC. This seems like a good and simple
+approach. It means that UDP messages > 16kB will now
+use fragments if underlying device supports SG, if extra
+allocator pressure causes regressions in real workloads
+we can switch to trying the large allocation first and
+falling back.
+
+v4: pre-calculate all the additions to alloclen so
+ we can be sure it won't go over order-2
+
+Reported-by: Dave Jones <dsj@fb.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/ip_output.c | 32 ++++++++++++++++++--------------
+ net/ipv6/ip6_output.c | 32 +++++++++++++++++---------------
+ 2 files changed, 35 insertions(+), 29 deletions(-)
+
+diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
+index 97975bed491a..560d5dc43562 100644
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -1053,7 +1053,7 @@ static int __ip_append_data(struct sock *sk,
+ unsigned int datalen;
+ unsigned int fraglen;
+ unsigned int fraggap;
+- unsigned int alloclen;
++ unsigned int alloclen, alloc_extra;
+ unsigned int pagedlen;
+ struct sk_buff *skb_prev;
+ alloc_new_skb:
+@@ -1073,35 +1073,39 @@ alloc_new_skb:
+ fraglen = datalen + fragheaderlen;
+ pagedlen = 0;
+
++ alloc_extra = hh_len + 15;
++ alloc_extra += exthdrlen;
++
++ /* The last fragment gets additional space at tail.
++ * Note, with MSG_MORE we overallocate on fragments,
++ * because we have no idea what fragment will be
++ * the last.
++ */
++ if (datalen == length + fraggap)
++ alloc_extra += rt->dst.trailer_len;
++
+ if ((flags & MSG_MORE) &&
+ !(rt->dst.dev->features&NETIF_F_SG))
+ alloclen = mtu;
+- else if (!paged)
++ else if (!paged &&
++ (fraglen + alloc_extra < SKB_MAX_ALLOC ||
++ !(rt->dst.dev->features & NETIF_F_SG)))
+ alloclen = fraglen;
+ else {
+ alloclen = min_t(int, fraglen, MAX_HEADER);
+ pagedlen = fraglen - alloclen;
+ }
+
+- alloclen += exthdrlen;
+-
+- /* The last fragment gets additional space at tail.
+- * Note, with MSG_MORE we overallocate on fragments,
+- * because we have no idea what fragment will be
+- * the last.
+- */
+- if (datalen == length + fraggap)
+- alloclen += rt->dst.trailer_len;
++ alloclen += alloc_extra;
+
+ if (transhdrlen) {
+- skb = sock_alloc_send_skb(sk,
+- alloclen + hh_len + 15,
++ skb = sock_alloc_send_skb(sk, alloclen,
+ (flags & MSG_DONTWAIT), &err);
+ } else {
+ skb = NULL;
+ if (refcount_read(&sk->sk_wmem_alloc) + wmem_alloc_delta <=
+ 2 * sk->sk_sndbuf)
+- skb = alloc_skb(alloclen + hh_len + 15,
++ skb = alloc_skb(alloclen,
+ sk->sk_allocation);
+ if (unlikely(!skb))
+ err = -ENOBUFS;
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+index 077d43af8226..e889655ca0e2 100644
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1554,7 +1554,7 @@ emsgsize:
+ unsigned int datalen;
+ unsigned int fraglen;
+ unsigned int fraggap;
+- unsigned int alloclen;
++ unsigned int alloclen, alloc_extra;
+ unsigned int pagedlen;
+ alloc_new_skb:
+ /* There's no room in the current skb */
+@@ -1581,17 +1581,28 @@ alloc_new_skb:
+ fraglen = datalen + fragheaderlen;
+ pagedlen = 0;
+
++ alloc_extra = hh_len;
++ alloc_extra += dst_exthdrlen;
++ alloc_extra += rt->dst.trailer_len;
++
++ /* We just reserve space for fragment header.
++ * Note: this may be overallocation if the message
++ * (without MSG_MORE) fits into the MTU.
++ */
++ alloc_extra += sizeof(struct frag_hdr);
++
+ if ((flags & MSG_MORE) &&
+ !(rt->dst.dev->features&NETIF_F_SG))
+ alloclen = mtu;
+- else if (!paged)
++ else if (!paged &&
++ (fraglen + alloc_extra < SKB_MAX_ALLOC ||
++ !(rt->dst.dev->features & NETIF_F_SG)))
+ alloclen = fraglen;
+ else {
+ alloclen = min_t(int, fraglen, MAX_HEADER);
+ pagedlen = fraglen - alloclen;
+ }
+-
+- alloclen += dst_exthdrlen;
++ alloclen += alloc_extra;
+
+ if (datalen != length + fraggap) {
+ /*
+@@ -1601,30 +1612,21 @@ alloc_new_skb:
+ datalen += rt->dst.trailer_len;
+ }
+
+- alloclen += rt->dst.trailer_len;
+ fraglen = datalen + fragheaderlen;
+
+- /*
+- * We just reserve space for fragment header.
+- * Note: this may be overallocation if the message
+- * (without MSG_MORE) fits into the MTU.
+- */
+- alloclen += sizeof(struct frag_hdr);
+-
+ copy = datalen - transhdrlen - fraggap - pagedlen;
+ if (copy < 0) {
+ err = -EINVAL;
+ goto error;
+ }
+ if (transhdrlen) {
+- skb = sock_alloc_send_skb(sk,
+- alloclen + hh_len,
++ skb = sock_alloc_send_skb(sk, alloclen,
+ (flags & MSG_DONTWAIT), &err);
+ } else {
+ skb = NULL;
+ if (refcount_read(&sk->sk_wmem_alloc) + wmem_alloc_delta <=
+ 2 * sk->sk_sndbuf)
+- skb = alloc_skb(alloclen + hh_len,
++ skb = alloc_skb(alloclen,
+ sk->sk_allocation);
+ if (unlikely(!skb))
+ err = -ENOBUFS;
+--
+2.30.2
+
--- /dev/null
+From 24729143d9a17bc9f88a57b07ae51cfa9e1ba41c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jun 2021 13:11:19 +0800
+Subject: net: ipa: Add missing of_node_put() in ipa_firmware_load()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit b244163f2c45c12053cb0291c955f892e79ed8a9 ]
+
+This node pointer is returned by of_parse_phandle() with refcount
+incremented in this function. of_node_put() on it before exiting
+this function.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Acked-by: Alex Elder <elder@linaro.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ipa/ipa_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ipa/ipa_main.c b/drivers/net/ipa/ipa_main.c
+index cd4d993b0bbb..4162a608a3bf 100644
+--- a/drivers/net/ipa/ipa_main.c
++++ b/drivers/net/ipa/ipa_main.c
+@@ -589,6 +589,7 @@ static int ipa_firmware_load(struct device *dev)
+ }
+
+ ret = of_address_to_resource(node, 0, &res);
++ of_node_put(node);
+ if (ret) {
+ dev_err(dev, "error %d getting \"memory-region\" resource\n",
+ ret);
+--
+2.30.2
+
--- /dev/null
+From f6c3fca04ceca41a48956e5b4ded9bc8c69a5d51 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 May 2021 23:03:50 +0200
+Subject: net: mdio: ipq8064: add regmap config to disable REGCACHE
+
+From: Ansuel Smith <ansuelsmth@gmail.com>
+
+[ Upstream commit b097bea10215315e8ee17f88b4c1bbb521b1878c ]
+
+mdio drivers should not use REGCHACHE. Also disable locking since it's
+handled by the mdio users and regmap is always accessed atomically.
+
+Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/mdio/mdio-ipq8064.c | 33 ++++++++++++++++++++++++---------
+ 1 file changed, 24 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/mdio/mdio-ipq8064.c b/drivers/net/mdio/mdio-ipq8064.c
+index 1bd18857e1c5..f0a6bfa61645 100644
+--- a/drivers/net/mdio/mdio-ipq8064.c
++++ b/drivers/net/mdio/mdio-ipq8064.c
+@@ -10,7 +10,7 @@
+ #include <linux/module.h>
+ #include <linux/regmap.h>
+ #include <linux/of_mdio.h>
+-#include <linux/phy.h>
++#include <linux/of_address.h>
+ #include <linux/platform_device.h>
+ #include <linux/mfd/syscon.h>
+
+@@ -96,14 +96,34 @@ ipq8064_mdio_write(struct mii_bus *bus, int phy_addr, int reg_offset, u16 data)
+ return ipq8064_mdio_wait_busy(priv);
+ }
+
++static const struct regmap_config ipq8064_mdio_regmap_config = {
++ .reg_bits = 32,
++ .reg_stride = 4,
++ .val_bits = 32,
++ .can_multi_write = false,
++ /* the mdio lock is used by any user of this mdio driver */
++ .disable_locking = true,
++
++ .cache_type = REGCACHE_NONE,
++};
++
+ static int
+ ipq8064_mdio_probe(struct platform_device *pdev)
+ {
+ struct device_node *np = pdev->dev.of_node;
+ struct ipq8064_mdio *priv;
++ struct resource res;
+ struct mii_bus *bus;
++ void __iomem *base;
+ int ret;
+
++ if (of_address_to_resource(np, 0, &res))
++ return -ENOMEM;
++
++ base = ioremap(res.start, resource_size(&res));
++ if (!base)
++ return -ENOMEM;
++
+ bus = devm_mdiobus_alloc_size(&pdev->dev, sizeof(*priv));
+ if (!bus)
+ return -ENOMEM;
+@@ -115,15 +135,10 @@ ipq8064_mdio_probe(struct platform_device *pdev)
+ bus->parent = &pdev->dev;
+
+ priv = bus->priv;
+- priv->base = device_node_to_regmap(np);
+- if (IS_ERR(priv->base)) {
+- if (priv->base == ERR_PTR(-EPROBE_DEFER))
+- return -EPROBE_DEFER;
+-
+- dev_err(&pdev->dev, "error getting device regmap, error=%pe\n",
+- priv->base);
++ priv->base = devm_regmap_init_mmio(&pdev->dev, base,
++ &ipq8064_mdio_regmap_config);
++ if (IS_ERR(priv->base))
+ return PTR_ERR(priv->base);
+- }
+
+ ret = of_mdiobus_register(bus, np);
+ if (ret)
+--
+2.30.2
+
--- /dev/null
+From b2dc110ca7667530cabed0fc2a0eeb3ee365ec27 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 May 2021 20:49:24 +0300
+Subject: net: mdio: provide shim implementation of devm_of_mdiobus_register
+
+From: Vladimir Oltean <olteanv@gmail.com>
+
+[ Upstream commit 86544c3de6a2185409c5a3d02f674ea223a14217 ]
+
+Similar to the way in which of_mdiobus_register() has a fallback to the
+non-DT based mdiobus_register() when CONFIG_OF is not set, we can create
+a shim for the device-managed devm_of_mdiobus_register() which calls
+devm_mdiobus_register() and discards the struct device_node *.
+
+In particular, this solves a build issue with the qca8k DSA driver which
+uses devm_of_mdiobus_register and can be compiled without CONFIG_OF.
+
+Reported-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Vladimir Oltean <olteanv@gmail.com>
+Acked-by: Randy Dunlap <rdunlap@infradead.org> # build-tested
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/of_mdio.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/include/linux/of_mdio.h b/include/linux/of_mdio.h
+index cfe8c607a628..f56c6a9230ac 100644
+--- a/include/linux/of_mdio.h
++++ b/include/linux/of_mdio.h
+@@ -75,6 +75,13 @@ static inline int of_mdiobus_register(struct mii_bus *mdio, struct device_node *
+ return mdiobus_register(mdio);
+ }
+
++static inline int devm_of_mdiobus_register(struct device *dev,
++ struct mii_bus *mdio,
++ struct device_node *np)
++{
++ return devm_mdiobus_register(dev, mdio);
++}
++
+ static inline struct mdio_device *of_mdio_find_device(struct device_node *np)
+ {
+ return NULL;
+--
+2.30.2
+
--- /dev/null
+From a34dd8c168d78c9cb3482e8a54782bc79db1660d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Jun 2021 22:55:21 +0800
+Subject: net: micrel: check return value after calling platform_get_resource()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 20f1932e2282c58cb5ac59517585206cf5b385ae ]
+
+It will cause null-ptr-deref if platform_get_resource() returns NULL,
+we need check the return value.
+
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/micrel/ks8842.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/micrel/ks8842.c b/drivers/net/ethernet/micrel/ks8842.c
+index caa251d0e381..b27713906d3a 100644
+--- a/drivers/net/ethernet/micrel/ks8842.c
++++ b/drivers/net/ethernet/micrel/ks8842.c
+@@ -1135,6 +1135,10 @@ static int ks8842_probe(struct platform_device *pdev)
+ unsigned i;
+
+ iomem = platform_get_resource(pdev, IORESOURCE_MEM, 0);
++ if (!iomem) {
++ dev_err(&pdev->dev, "Invalid resource\n");
++ return -EINVAL;
++ }
+ if (!request_mem_region(iomem->start, resource_size(iomem), DRV_NAME))
+ goto err_mem_region;
+
+--
+2.30.2
+
--- /dev/null
+From 8da7f9ab3d96a6b38777f4491720907f9b1bdaa5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 May 2021 14:39:58 +0300
+Subject: net/mlx5: Fix lag port remapping logic
+
+From: Eli Cohen <elic@nvidia.com>
+
+[ Upstream commit 8613641063617c1dfc731b403b3ee4935ef15f87 ]
+
+Fix the logic so that if both ports netdevices are enabled or disabled,
+use the trivial mapping without swapping.
+
+If only one of the netdevice's tx is enabled, use it to remap traffic to
+that port.
+
+Signed-off-by: Eli Cohen <elic@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/lag.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lag.c b/drivers/net/ethernet/mellanox/mlx5/core/lag.c
+index 9025e5f38bb6..fe5476a76464 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/lag.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/lag.c
+@@ -118,17 +118,24 @@ static bool __mlx5_lag_is_sriov(struct mlx5_lag *ldev)
+ static void mlx5_infer_tx_affinity_mapping(struct lag_tracker *tracker,
+ u8 *port1, u8 *port2)
+ {
++ bool p1en;
++ bool p2en;
++
++ p1en = tracker->netdev_state[MLX5_LAG_P1].tx_enabled &&
++ tracker->netdev_state[MLX5_LAG_P1].link_up;
++
++ p2en = tracker->netdev_state[MLX5_LAG_P2].tx_enabled &&
++ tracker->netdev_state[MLX5_LAG_P2].link_up;
++
+ *port1 = 1;
+ *port2 = 2;
+- if (!tracker->netdev_state[MLX5_LAG_P1].tx_enabled ||
+- !tracker->netdev_state[MLX5_LAG_P1].link_up) {
+- *port1 = 2;
++ if ((!p1en && !p2en) || (p1en && p2en))
+ return;
+- }
+
+- if (!tracker->netdev_state[MLX5_LAG_P2].tx_enabled ||
+- !tracker->netdev_state[MLX5_LAG_P2].link_up)
++ if (p1en)
+ *port2 = 1;
++ else
++ *port1 = 2;
+ }
+
+ void mlx5_modify_lag(struct mlx5_lag *ldev,
+--
+2.30.2
+
--- /dev/null
+From 5c8f9465df455aa89ae3b59d41cba3f074028bd1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Dec 2020 10:58:54 -0600
+Subject: net/mlx5e: IPsec/rep_tc: Fix rep_tc_update_skb drops IPsec packet
+
+From: Huy Nguyen <huyn@nvidia.com>
+
+[ Upstream commit c07274ab1ab2c38fb128e32643c22c89cb319384 ]
+
+rep_tc copy REG_C1 to REG_B. IPsec crypto utilizes the whole REG_B
+register with BIT31 as IPsec marker. rep_tc_update_skb drops
+IPsec because it thought REG_B contains bad value.
+
+In previous patch, BIT 31 of REG_C1 is reserved for IPsec.
+Skip the rep_tc_update_skb if BIT31 of REG_B is set.
+
+Signed-off-by: Huy Nguyen <huyn@nvidia.com>
+Signed-off-by: Raed Salem <raeds@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
+index 7e1f8660dfec..f327b78261ec 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
+@@ -1318,7 +1318,8 @@ static void mlx5e_handle_rx_cqe_rep(struct mlx5e_rq *rq, struct mlx5_cqe64 *cqe)
+ if (rep->vlan && skb_vlan_tag_present(skb))
+ skb_vlan_pop(skb);
+
+- if (!mlx5e_rep_tc_update_skb(cqe, skb, &tc_priv)) {
++ if (unlikely(!mlx5_ipsec_is_rx_flow(cqe) &&
++ !mlx5e_rep_tc_update_skb(cqe, skb, &tc_priv))) {
+ dev_kfree_skb_any(skb);
+ goto free_wqe;
+ }
+@@ -1375,7 +1376,8 @@ static void mlx5e_handle_rx_cqe_mpwrq_rep(struct mlx5e_rq *rq, struct mlx5_cqe64
+
+ mlx5e_complete_rx_cqe(rq, cqe, cqe_bcnt, skb);
+
+- if (!mlx5e_rep_tc_update_skb(cqe, skb, &tc_priv)) {
++ if (unlikely(!mlx5_ipsec_is_rx_flow(cqe) &&
++ !mlx5e_rep_tc_update_skb(cqe, skb, &tc_priv))) {
+ dev_kfree_skb_any(skb);
+ goto mpwrq_cqe_out;
+ }
+--
+2.30.2
+
--- /dev/null
+From c94ead7e452562a7ecaeea31153871f9e8cb2c18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Jun 2021 23:02:59 +0800
+Subject: net: moxa: Use devm_platform_get_and_ioremap_resource()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 35cba15a504bf4f585bb9d78f47b22b28a1a06b2 ]
+
+Use devm_platform_get_and_ioremap_resource() to simplify
+code and avoid a null-ptr-deref by checking 'res' in it.
+
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/moxa/moxart_ether.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/moxa/moxart_ether.c b/drivers/net/ethernet/moxa/moxart_ether.c
+index 49fd843c4c8a..a4380c45f668 100644
+--- a/drivers/net/ethernet/moxa/moxart_ether.c
++++ b/drivers/net/ethernet/moxa/moxart_ether.c
+@@ -481,14 +481,13 @@ static int moxart_mac_probe(struct platform_device *pdev)
+ priv->ndev = ndev;
+ priv->pdev = pdev;
+
+- res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+- ndev->base_addr = res->start;
+- priv->base = devm_ioremap_resource(p_dev, res);
++ priv->base = devm_platform_get_and_ioremap_resource(pdev, 0, &res);
+ if (IS_ERR(priv->base)) {
+ dev_err(p_dev, "devm_ioremap_resource failed\n");
+ ret = PTR_ERR(priv->base);
+ goto init_fail;
+ }
++ ndev->base_addr = res->start;
+
+ spin_lock_init(&priv->txlock);
+
+--
+2.30.2
+
--- /dev/null
+From 62e07020022663b0799be7026c652baca661186f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Jun 2021 10:31:48 +0800
+Subject: net: mscc: ocelot: check return value after calling
+ platform_get_resource()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit f1fe19c2cb3fdc92a614cf330ced1613f8f1a681 ]
+
+It will cause null-ptr-deref if platform_get_resource() returns NULL,
+we need check the return value.
+
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/ocelot/seville_vsc9953.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/dsa/ocelot/seville_vsc9953.c b/drivers/net/dsa/ocelot/seville_vsc9953.c
+index ebbaf6817ec8..7026523f886c 100644
+--- a/drivers/net/dsa/ocelot/seville_vsc9953.c
++++ b/drivers/net/dsa/ocelot/seville_vsc9953.c
+@@ -1214,6 +1214,11 @@ static int seville_probe(struct platform_device *pdev)
+ felix->info = &seville_info_vsc9953;
+
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
++ if (!res) {
++ err = -EINVAL;
++ dev_err(&pdev->dev, "Invalid resource\n");
++ goto err_alloc_felix;
++ }
+ felix->switch_base = res->start;
+
+ ds = kzalloc(sizeof(struct dsa_switch), GFP_KERNEL);
+--
+2.30.2
+
--- /dev/null
+From 1463e3cfb8ad778ebaf6d80fcea4d40399fffc7b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Jun 2021 22:36:02 +0800
+Subject: net: mvpp2: check return value after calling platform_get_resource()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 0bb51a3a385790a4be20085494cf78f70dadf646 ]
+
+It will cause null-ptr-deref if platform_get_resource() returns NULL,
+we need check the return value.
+
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+index a9f65d667761..ec9b6c564300 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+@@ -6871,6 +6871,10 @@ static int mvpp2_probe(struct platform_device *pdev)
+ return PTR_ERR(priv->lms_base);
+ } else {
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 1);
++ if (!res) {
++ dev_err(&pdev->dev, "Invalid resource\n");
++ return -EINVAL;
++ }
+ if (has_acpi_companion(&pdev->dev)) {
+ /* In case the MDIO memory region is declared in
+ * the ACPI, it can already appear as 'in-use'
+--
+2.30.2
+
--- /dev/null
+From 87c15f1ea33aa1ec240e42386f1400dd48aa22a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 May 2021 19:39:30 +0300
+Subject: net: pch_gbe: Use proper accessors to BE data in pch_ptp_match()
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 443ef39b499cc9c6635f83238101f1bb923e9326 ]
+
+Sparse is not happy about handling of strict types in pch_ptp_match():
+
+ .../pch_gbe_main.c:158:33: warning: incorrect type in argument 2 (different base types)
+ .../pch_gbe_main.c:158:33: expected unsigned short [usertype] uid_hi
+ .../pch_gbe_main.c:158:33: got restricted __be16 [usertype]
+ .../pch_gbe_main.c:158:45: warning: incorrect type in argument 3 (different base types)
+ .../pch_gbe_main.c:158:45: expected unsigned int [usertype] uid_lo
+ .../pch_gbe_main.c:158:45: got restricted __be32 [usertype]
+ .../pch_gbe_main.c:158:56: warning: incorrect type in argument 4 (different base types)
+ .../pch_gbe_main.c:158:56: expected unsigned short [usertype] seqid
+ .../pch_gbe_main.c:158:56: got restricted __be16 [usertype]
+
+Fix that by switching to use proper accessors to BE data.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Tested-by: Flavio Suligoi <f.suligoi@asem.it>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ethernet/oki-semi/pch_gbe/pch_gbe_main.c | 19 ++++++-------------
+ 1 file changed, 6 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c
+index 9a0870dc2f03..2942102efd48 100644
+--- a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c
++++ b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c
+@@ -107,7 +107,7 @@ static int pch_ptp_match(struct sk_buff *skb, u16 uid_hi, u32 uid_lo, u16 seqid)
+ {
+ u8 *data = skb->data;
+ unsigned int offset;
+- u16 *hi, *id;
++ u16 hi, id;
+ u32 lo;
+
+ if (ptp_classify_raw(skb) == PTP_CLASS_NONE)
+@@ -118,14 +118,11 @@ static int pch_ptp_match(struct sk_buff *skb, u16 uid_hi, u32 uid_lo, u16 seqid)
+ if (skb->len < offset + OFF_PTP_SEQUENCE_ID + sizeof(seqid))
+ return 0;
+
+- hi = (u16 *)(data + offset + OFF_PTP_SOURCE_UUID);
+- id = (u16 *)(data + offset + OFF_PTP_SEQUENCE_ID);
++ hi = get_unaligned_be16(data + offset + OFF_PTP_SOURCE_UUID + 0);
++ lo = get_unaligned_be32(data + offset + OFF_PTP_SOURCE_UUID + 2);
++ id = get_unaligned_be16(data + offset + OFF_PTP_SEQUENCE_ID);
+
+- memcpy(&lo, &hi[1], sizeof(lo));
+-
+- return (uid_hi == *hi &&
+- uid_lo == lo &&
+- seqid == *id);
++ return (uid_hi == hi && uid_lo == lo && seqid == id);
+ }
+
+ static void
+@@ -135,7 +132,6 @@ pch_rx_timestamp(struct pch_gbe_adapter *adapter, struct sk_buff *skb)
+ struct pci_dev *pdev;
+ u64 ns;
+ u32 hi, lo, val;
+- u16 uid, seq;
+
+ if (!adapter->hwts_rx_en)
+ return;
+@@ -151,10 +147,7 @@ pch_rx_timestamp(struct pch_gbe_adapter *adapter, struct sk_buff *skb)
+ lo = pch_src_uuid_lo_read(pdev);
+ hi = pch_src_uuid_hi_read(pdev);
+
+- uid = hi & 0xffff;
+- seq = (hi >> 16) & 0xffff;
+-
+- if (!pch_ptp_match(skb, htons(uid), htonl(lo), htons(seq)))
++ if (!pch_ptp_match(skb, hi, lo, hi >> 16))
+ goto out;
+
+ ns = pch_rx_snap_read(pdev);
+--
+2.30.2
+
--- /dev/null
+From cc34b172d297f13f2329a4a05dc323c683ab9955 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jun 2021 11:15:35 +0800
+Subject: net: phy: realtek: add delay to fix RXC generation issue
+
+From: Joakim Zhang <qiangqing.zhang@nxp.com>
+
+[ Upstream commit 6813cc8cfdaf401476e1a007cec8ae338cefa573 ]
+
+PHY will delay about 11.5ms to generate RXC clock when switching from
+power down to normal operation. Read/write registers would also cause RXC
+become unstable and stop for a while during this process. Realtek engineer
+suggests 15ms or more delay can workaround this issue.
+
+Signed-off-by: Joakim Zhang <qiangqing.zhang@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/realtek.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/phy/realtek.c b/drivers/net/phy/realtek.c
+index 575580d3ffe0..b4879306bb8a 100644
+--- a/drivers/net/phy/realtek.c
++++ b/drivers/net/phy/realtek.c
+@@ -246,6 +246,19 @@ static int rtl8211f_config_init(struct phy_device *phydev)
+ return 0;
+ }
+
++static int rtl821x_resume(struct phy_device *phydev)
++{
++ int ret;
++
++ ret = genphy_resume(phydev);
++ if (ret < 0)
++ return ret;
++
++ msleep(20);
++
++ return 0;
++}
++
+ static int rtl8211e_config_init(struct phy_device *phydev)
+ {
+ int ret = 0, oldpage;
+@@ -624,7 +637,7 @@ static struct phy_driver realtek_drvs[] = {
+ .ack_interrupt = &rtl8211f_ack_interrupt,
+ .config_intr = &rtl8211f_config_intr,
+ .suspend = genphy_suspend,
+- .resume = genphy_resume,
++ .resume = rtl821x_resume,
+ .read_page = rtl821x_read_page,
+ .write_page = rtl821x_write_page,
+ }, {
+--
+2.30.2
+
--- /dev/null
+From 83669c47f13e5da0558b00ab8347014f44c85fa8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 May 2021 15:17:21 +0200
+Subject: net/sched: cls_api: increase max_reclassify_loop
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+[ Upstream commit 05ff8435e50569a0a6b95e5ceaea43696e8827ab ]
+
+modern userspace applications, like OVN, can configure the TC datapath to
+"recirculate" packets several times. If more than 4 "recirculation" rules
+are configured, packets can be dropped by __tcf_classify().
+Changing the maximum number of reclassifications (from 4 to 16) should be
+sufficient to prevent drops in most use cases, and guard against loops at
+the same time.
+
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/cls_api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
+index a281da07bb1d..30090794b791 100644
+--- a/net/sched/cls_api.c
++++ b/net/sched/cls_api.c
+@@ -1532,7 +1532,7 @@ static inline int __tcf_classify(struct sk_buff *skb,
+ u32 *last_executed_chain)
+ {
+ #ifdef CONFIG_NET_CLS_ACT
+- const int max_reclassify_loop = 4;
++ const int max_reclassify_loop = 16;
+ const struct tcf_proto *first_tp;
+ int limit = 0;
+
+--
+2.30.2
+
--- /dev/null
+From 54714919a1a27949fa5a236cda600b0a662848f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jun 2021 16:02:07 +0800
+Subject: net: sched: fix error return code in tcf_del_walker()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 55d96f72e8ddc0a294e0b9c94016edbb699537e1 ]
+
+When nla_put_u32() fails, 'ret' could be 0, it should
+return error code in tcf_del_walker().
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/act_api.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/sched/act_api.c b/net/sched/act_api.c
+index 88e14cfeb5d5..f613299ca7f0 100644
+--- a/net/sched/act_api.c
++++ b/net/sched/act_api.c
+@@ -333,7 +333,8 @@ static int tcf_del_walker(struct tcf_idrinfo *idrinfo, struct sk_buff *skb,
+ }
+ mutex_unlock(&idrinfo->lock);
+
+- if (nla_put_u32(skb, TCA_FCNT, n_i))
++ ret = nla_put_u32(skb, TCA_FCNT, n_i);
++ if (ret)
+ goto nla_put_failure;
+ nla_nest_end(skb, nest);
+
+--
+2.30.2
+
--- /dev/null
+From db58dafe2bb90da430aa0fe587d23b1819f1da0e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jun 2021 21:25:15 +0800
+Subject: net: sgi: ioc3-eth: check return value after calling
+ platform_get_resource()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit db8f7be1e1d64fbf113a456ef94534fbf5e9a9af ]
+
+It will cause null-ptr-deref if platform_get_resource() returns NULL,
+we need check the return value.
+
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/sgi/ioc3-eth.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/sgi/ioc3-eth.c b/drivers/net/ethernet/sgi/ioc3-eth.c
+index 6eef0f45b133..2b29fd4cbdf4 100644
+--- a/drivers/net/ethernet/sgi/ioc3-eth.c
++++ b/drivers/net/ethernet/sgi/ioc3-eth.c
+@@ -835,6 +835,10 @@ static int ioc3eth_probe(struct platform_device *pdev)
+ int err;
+
+ regs = platform_get_resource(pdev, IORESOURCE_MEM, 0);
++ if (!regs) {
++ dev_err(&pdev->dev, "Invalid resource\n");
++ return -EINVAL;
++ }
+ /* get mac addr from one wire prom */
+ if (ioc3eth_get_mac_addr(regs, mac_addr))
+ return -EPROBE_DEFER; /* not available yet */
+--
+2.30.2
+
--- /dev/null
+From 08f7ad611b5834b623a058348f664c49e2eacb42 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 May 2021 18:59:59 +0300
+Subject: net: stmmac: the XPCS obscures a potential "PHY not found" error
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 4751d2aa321f2828d8c5d2f7ce4ed18a01e47f46 ]
+
+stmmac_mdio_register() has logic to search for PHYs on the MDIO bus and
+assign them IRQ lines, as well as to set priv->plat->phy_addr.
+
+If no PHY is found, the "found" variable remains set to 0 and the
+function errors out.
+
+After the introduction of commit f213bbe8a9d6 ("net: stmmac: Integrate
+it with DesignWare XPCS"), the "found" variable was immediately reused
+for searching for a PCS on the same MDIO bus.
+
+This can result in 2 types of potential problems (none of them seems to
+be seen on the only Intel system that sets has_xpcs = true, otherwise it
+would have been reported):
+
+1. If a PCS is found but a PHY is not, then the code happily exits with
+ no error. One might say "yes, but this is not possible, because
+ of_mdiobus_register will probe a PHY for all MDIO addresses,
+ including for the XPCS, so if an XPCS exists, then a PHY certainly
+ exists too". Well, that is not true, see intel_mgbe_common_data():
+
+ /* Ensure mdio bus scan skips intel serdes and pcs-xpcs */
+ plat->mdio_bus_data->phy_mask = 1 << INTEL_MGBE_ADHOC_ADDR;
+ plat->mdio_bus_data->phy_mask |= 1 << INTEL_MGBE_XPCS_ADDR;
+
+2. A PHY is found but an MDIO device with the XPCS PHY ID isn't, and in
+ that case, the error message will be "No PHY found". Confusing.
+
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Link: https://lore.kernel.org/r/20210527155959.3270478-1-olteanv@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/stmicro/stmmac/stmmac_mdio.c | 21 +++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c
+index b2a707e2ef43..678726c62a8a 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c
+@@ -441,6 +441,12 @@ int stmmac_mdio_register(struct net_device *ndev)
+ found = 1;
+ }
+
++ if (!found && !mdio_node) {
++ dev_warn(dev, "No PHY found\n");
++ err = -ENODEV;
++ goto no_phy_found;
++ }
++
+ /* Try to probe the XPCS by scanning all addresses. */
+ if (priv->hw->xpcs) {
+ struct mdio_xpcs_args *xpcs = &priv->hw->xpcs_args;
+@@ -449,6 +455,7 @@ int stmmac_mdio_register(struct net_device *ndev)
+
+ xpcs->bus = new_bus;
+
++ found = 0;
+ for (addr = 0; addr < max_addr; addr++) {
+ xpcs->addr = addr;
+
+@@ -458,13 +465,12 @@ int stmmac_mdio_register(struct net_device *ndev)
+ break;
+ }
+ }
+- }
+
+- if (!found && !mdio_node) {
+- dev_warn(dev, "No PHY found\n");
+- mdiobus_unregister(new_bus);
+- mdiobus_free(new_bus);
+- return -ENODEV;
++ if (!found && !mdio_node) {
++ dev_warn(dev, "No XPCS found\n");
++ err = -ENODEV;
++ goto no_xpcs_found;
++ }
+ }
+
+ bus_register_done:
+@@ -472,6 +478,9 @@ bus_register_done:
+
+ return 0;
+
++no_xpcs_found:
++no_phy_found:
++ mdiobus_unregister(new_bus);
+ bus_register_fail:
+ mdiobus_free(new_bus);
+ return err;
+--
+2.30.2
+
--- /dev/null
+From faaac733e16934eecec74c0dbc4ce51325b4bf89 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jun 2021 17:51:21 -0700
+Subject: net: tcp better handling of reordering then loss cases
+
+From: Yuchung Cheng <ycheng@google.com>
+
+[ Upstream commit a29cb6914681a55667436a9eb7a42e28da8cf387 ]
+
+This patch aims to improve the situation when reordering and loss are
+ocurring in the same flight of packets.
+
+Previously the reordering would first induce a spurious recovery, then
+the subsequent ACK may undo the cwnd (based on the timestamps e.g.).
+However the current loss recovery does not proceed to invoke
+RACK to install a reordering timer. If some packets are also lost, this
+may lead to a long RTO-based recovery. An example is
+https://groups.google.com/g/bbr-dev/c/OFHADvJbTEI
+
+The solution is to after reverting the recovery, always invoke RACK
+to either mount the RACK timer to fast retransmit after the reordering
+window, or restarts the recovery if new loss is identified. Hence
+it is possible the sender may go from Recovery to Disorder/Open to
+Recovery again in one ACK.
+
+Reported-by: mingkun bian <bianmingkun@gmail.com>
+Signed-off-by: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_input.c | 45 +++++++++++++++++++++++++-------------------
+ 1 file changed, 26 insertions(+), 19 deletions(-)
+
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index fac5c1469cee..4d4b641c204d 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -2802,8 +2802,17 @@ static void tcp_process_loss(struct sock *sk, int flag, int num_dupack,
+ *rexmit = REXMIT_LOST;
+ }
+
++static bool tcp_force_fast_retransmit(struct sock *sk)
++{
++ struct tcp_sock *tp = tcp_sk(sk);
++
++ return after(tcp_highest_sack_seq(tp),
++ tp->snd_una + tp->reordering * tp->mss_cache);
++}
++
+ /* Undo during fast recovery after partial ACK. */
+-static bool tcp_try_undo_partial(struct sock *sk, u32 prior_snd_una)
++static bool tcp_try_undo_partial(struct sock *sk, u32 prior_snd_una,
++ bool *do_lost)
+ {
+ struct tcp_sock *tp = tcp_sk(sk);
+
+@@ -2828,7 +2837,9 @@ static bool tcp_try_undo_partial(struct sock *sk, u32 prior_snd_una)
+ tcp_undo_cwnd_reduction(sk, true);
+ NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPPARTIALUNDO);
+ tcp_try_keep_open(sk);
+- return true;
++ } else {
++ /* Partial ACK arrived. Force fast retransmit. */
++ *do_lost = tcp_force_fast_retransmit(sk);
+ }
+ return false;
+ }
+@@ -2852,14 +2863,6 @@ static void tcp_identify_packet_loss(struct sock *sk, int *ack_flag)
+ }
+ }
+
+-static bool tcp_force_fast_retransmit(struct sock *sk)
+-{
+- struct tcp_sock *tp = tcp_sk(sk);
+-
+- return after(tcp_highest_sack_seq(tp),
+- tp->snd_una + tp->reordering * tp->mss_cache);
+-}
+-
+ /* Process an event, which can update packets-in-flight not trivially.
+ * Main goal of this function is to calculate new estimate for left_out,
+ * taking into account both packets sitting in receiver's buffer and
+@@ -2929,17 +2932,21 @@ static void tcp_fastretrans_alert(struct sock *sk, const u32 prior_snd_una,
+ if (!(flag & FLAG_SND_UNA_ADVANCED)) {
+ if (tcp_is_reno(tp))
+ tcp_add_reno_sack(sk, num_dupack, ece_ack);
+- } else {
+- if (tcp_try_undo_partial(sk, prior_snd_una))
+- return;
+- /* Partial ACK arrived. Force fast retransmit. */
+- do_lost = tcp_force_fast_retransmit(sk);
+- }
+- if (tcp_try_undo_dsack(sk)) {
+- tcp_try_keep_open(sk);
++ } else if (tcp_try_undo_partial(sk, prior_snd_una, &do_lost))
+ return;
+- }
++
++ if (tcp_try_undo_dsack(sk))
++ tcp_try_keep_open(sk);
++
+ tcp_identify_packet_loss(sk, ack_flag);
++ if (icsk->icsk_ca_state != TCP_CA_Recovery) {
++ if (!tcp_time_to_recover(sk, flag))
++ return;
++ /* Undo reverts the recovery state. If loss is evident,
++ * starts a new recovery (e.g. reordering then loss);
++ */
++ tcp_enter_recovery(sk, ece_ack);
++ }
+ break;
+ case TCP_CA_Loss:
+ tcp_process_loss(sk, flag, num_dupack, rexmit);
+--
+2.30.2
+
--- /dev/null
+From 3735ec7a192bb9be71c6693dccb50afe7b3cfea2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 May 2021 23:43:24 +0200
+Subject: net: Treat __napi_schedule_irqoff() as __napi_schedule() on
+ PREEMPT_RT
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit 8380c81d5c4fced6f4397795a5ae65758272bbfd ]
+
+__napi_schedule_irqoff() is an optimized version of __napi_schedule()
+which can be used where it is known that interrupts are disabled,
+e.g. in interrupt-handlers, spin_lock_irq() sections or hrtimer
+callbacks.
+
+On PREEMPT_RT enabled kernels this assumptions is not true. Force-
+threaded interrupt handlers and spinlocks are not disabling interrupts
+and the NAPI hrtimer callback is forced into softirq context which runs
+with interrupts enabled as well.
+
+Chasing all usage sites of __napi_schedule_irqoff() is a whack-a-mole
+game so make __napi_schedule_irqoff() invoke __napi_schedule() for
+PREEMPT_RT kernels.
+
+The callers of ____napi_schedule() in the networking core have been
+audited and are correct on PREEMPT_RT kernels as well.
+
+Reported-by: Juri Lelli <juri.lelli@redhat.com>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Juri Lelli <juri.lelli@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/dev.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 0c9ce36afc8c..2fdf30eefc59 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -6433,11 +6433,18 @@ EXPORT_SYMBOL(napi_schedule_prep);
+ * __napi_schedule_irqoff - schedule for receive
+ * @n: entry to schedule
+ *
+- * Variant of __napi_schedule() assuming hard irqs are masked
++ * Variant of __napi_schedule() assuming hard irqs are masked.
++ *
++ * On PREEMPT_RT enabled kernels this maps to __napi_schedule()
++ * because the interrupt disabled assumption might not be true
++ * due to force-threaded interrupts and spinlock substitution.
+ */
+ void __napi_schedule_irqoff(struct napi_struct *n)
+ {
+- ____napi_schedule(this_cpu_ptr(&softnet_data), n);
++ if (!IS_ENABLED(CONFIG_PREEMPT_RT))
++ ____napi_schedule(this_cpu_ptr(&softnet_data), n);
++ else
++ __napi_schedule(n);
+ }
+ EXPORT_SYMBOL(__napi_schedule_irqoff);
+
+--
+2.30.2
+
--- /dev/null
+From 79706da858467e88177e58e939db8de6c7ab9809 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 8 May 2021 11:15:02 +0800
+Subject: pinctrl: equilibrium: Add missing MODULE_DEVICE_TABLE
+
+From: Bixuan Cui <cuibixuan@huawei.com>
+
+[ Upstream commit d7f444499d6faf9a6ae3b27ec094109528d2b9a7 ]
+
+This patch adds missing MODULE_DEVICE_TABLE definition which generates
+correct modalias for automatic loading of this driver when it is built
+as an external module.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Bixuan Cui <cuibixuan@huawei.com>
+Link: https://lore.kernel.org/r/20210508031502.53637-1-cuibixuan@huawei.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinctrl-equilibrium.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/pinctrl/pinctrl-equilibrium.c b/drivers/pinctrl/pinctrl-equilibrium.c
+index 067271b7d35a..ac1c47f542c1 100644
+--- a/drivers/pinctrl/pinctrl-equilibrium.c
++++ b/drivers/pinctrl/pinctrl-equilibrium.c
+@@ -929,6 +929,7 @@ static const struct of_device_id eqbr_pinctrl_dt_match[] = {
+ { .compatible = "intel,lgm-io" },
+ {}
+ };
++MODULE_DEVICE_TABLE(of, eqbr_pinctrl_dt_match);
+
+ static struct platform_driver eqbr_pinctrl_driver = {
+ .probe = eqbr_pinctrl_probe,
+--
+2.30.2
+
--- /dev/null
+From 4f27011351bbb9d42d4648b2f698838a98c337d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jun 2021 10:48:18 +0000
+Subject: pinctrl: mcp23s08: fix race condition in irq handler
+
+From: Radim Pavlik <radim.pavlik@tbs-biometrics.com>
+
+[ Upstream commit 897120d41e7afd9da435cb00041a142aeeb53c07 ]
+
+Checking value of MCP_INTF in mcp23s08_irq suggests that the handler may be
+called even when there is no interrupt pending.
+
+But the actual interrupt could happened between reading MCP_INTF and MCP_GPIO.
+In this situation we got nothing from MCP_INTF, but the event gets acknowledged
+on the expander by reading MCP_GPIO. This leads to losing events.
+
+Fix the problem by not reading any register until we see something in MCP_INTF.
+
+The error was reproduced and fix tested on MCP23017.
+
+Signed-off-by: Radim Pavlik <radim.pavlik@tbs-biometrics.com>
+Link: https://lore.kernel.org/r/AM7PR06MB6769E1183F68DEBB252F665ABA3E9@AM7PR06MB6769.eurprd06.prod.outlook.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinctrl-mcp23s08.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/pinctrl/pinctrl-mcp23s08.c b/drivers/pinctrl/pinctrl-mcp23s08.c
+index ce2d8014b7e0..799d596a1a4b 100644
+--- a/drivers/pinctrl/pinctrl-mcp23s08.c
++++ b/drivers/pinctrl/pinctrl-mcp23s08.c
+@@ -351,6 +351,11 @@ static irqreturn_t mcp23s08_irq(int irq, void *data)
+ if (mcp_read(mcp, MCP_INTF, &intf))
+ goto unlock;
+
++ if (intf == 0) {
++ /* There is no interrupt pending */
++ return IRQ_HANDLED;
++ }
++
+ if (mcp_read(mcp, MCP_INTCAP, &intcap))
+ goto unlock;
+
+@@ -368,11 +373,6 @@ static irqreturn_t mcp23s08_irq(int irq, void *data)
+ mcp->cached_gpio = gpio;
+ mutex_unlock(&mcp->lock);
+
+- if (intf == 0) {
+- /* There is no interrupt pending */
+- return IRQ_HANDLED;
+- }
+-
+ dev_dbg(mcp->chip.parent,
+ "intcap 0x%04X intf 0x%04X gpio_orig 0x%04X gpio 0x%04X\n",
+ intcap, intf, gpio_orig, gpio);
+--
+2.30.2
+
--- /dev/null
+From 4f46c95d172d8a1c170daa836543cc68e2825b2e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jun 2021 22:56:59 +0200
+Subject: r8169: avoid link-up interrupt issue on RTL8106e if user enables ASPM
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+[ Upstream commit 1ee8856de82faec9bc8bd0f2308a7f27e30ba207 ]
+
+It has been reported that on RTL8106e the link-up interrupt may be
+significantly delayed if the user enables ASPM L1. Per default ASPM
+is disabled. The change leaves L1 enabled on the PCIe link (thus still
+allowing to reach higher package power saving states), but the
+NIC won't actively trigger it.
+
+Reported-by: Koba Ko <koba.ko@canonical.com>
+Tested-by: Koba Ko <koba.ko@canonical.com>
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/realtek/r8169_main.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c
+index a6bf80b52967..9010aabd9782 100644
+--- a/drivers/net/ethernet/realtek/r8169_main.c
++++ b/drivers/net/ethernet/realtek/r8169_main.c
+@@ -3547,7 +3547,6 @@ static void rtl_hw_start_8106(struct rtl8169_private *tp)
+ rtl_eri_write(tp, 0x1b0, ERIAR_MASK_0011, 0x0000);
+
+ rtl_pcie_state_l2l3_disable(tp);
+- rtl_hw_aspm_clkreq_enable(tp, true);
+ }
+
+ DECLARE_RTL_COND(rtl_mac_ocp_e00e_cond)
+--
+2.30.2
+
--- /dev/null
+From 718d5626694152927d59648a12e3a768be3e876b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Jun 2021 11:55:31 -0700
+Subject: RDMA/cma: Fix rdma_resolve_route() memory leak
+
+From: Gerd Rausch <gerd.rausch@oracle.com>
+
+[ Upstream commit 74f160ead74bfe5f2b38afb4fcf86189f9ff40c9 ]
+
+Fix a memory leak when "mda_resolve_route() is called more than once on
+the same "rdma_cm_id".
+
+This is possible if cma_query_handler() triggers the
+RDMA_CM_EVENT_ROUTE_ERROR flow which puts the state machine back and
+allows rdma_resolve_route() to be called again.
+
+Link: https://lore.kernel.org/r/f6662b7b-bdb7-2706-1e12-47c61d3474b6@oracle.com
+Signed-off-by: Gerd Rausch <gerd.rausch@oracle.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/cma.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
+index 0c879e40bd18..34b94e525390 100644
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -2793,7 +2793,8 @@ static int cma_resolve_ib_route(struct rdma_id_private *id_priv,
+
+ cma_init_resolve_route_work(work, id_priv);
+
+- route->path_rec = kmalloc(sizeof *route->path_rec, GFP_KERNEL);
++ if (!route->path_rec)
++ route->path_rec = kmalloc(sizeof *route->path_rec, GFP_KERNEL);
+ if (!route->path_rec) {
+ ret = -ENOMEM;
+ goto err1;
+--
+2.30.2
+
--- /dev/null
+From d98d5b89584e3ed0dc7c33f52d923b2885821fcc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jun 2021 19:07:49 +0800
+Subject: RDMA/cxgb4: Fix missing error code in create_qp()
+
+From: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
+
+[ Upstream commit aeb27bb76ad8197eb47890b1ff470d5faf8ec9a5 ]
+
+The error code is missing in this code scenario so 0 will be returned. Add
+the error code '-EINVAL' to the return value 'ret'.
+
+Eliminates the follow smatch warning:
+
+drivers/infiniband/hw/cxgb4/qp.c:298 create_qp() warn: missing error code 'ret'.
+
+Link: https://lore.kernel.org/r/1622545669-20625-1-git-send-email-jiapeng.chong@linux.alibaba.com
+Reported-by: Abaci Robot <abaci@linux.alibaba.com>
+Signed-off-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/cxgb4/qp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/infiniband/hw/cxgb4/qp.c b/drivers/infiniband/hw/cxgb4/qp.c
+index 5df4bb52bb10..861e19fdfeb4 100644
+--- a/drivers/infiniband/hw/cxgb4/qp.c
++++ b/drivers/infiniband/hw/cxgb4/qp.c
+@@ -295,6 +295,7 @@ static int create_qp(struct c4iw_rdev *rdev, struct t4_wq *wq,
+ if (user && (!wq->sq.bar2_pa || (need_rq && !wq->rq.bar2_pa))) {
+ pr_warn("%s: sqid %u or rqid %u not in BAR2 range\n",
+ pci_name(rdev->lldi.pdev), wq->sq.qid, wq->rq.qid);
++ ret = -EINVAL;
+ goto free_dma;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From e5dbd328d9c4ee0f473c598e8a6c53d8fdede357 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 May 2021 13:30:03 +0200
+Subject: RDMA/rtrs: Change MAX_SESS_QUEUE_DEPTH
+
+From: Gioh Kim <gi-oh.kim@cloud.ionos.com>
+
+[ Upstream commit 3a98ea7041b7d18ac356da64823c2ba2f8391b3e ]
+
+Max IB immediate data size is 2^28 (MAX_IMM_PAYL_BITS)
+and the minimum chunk size is 4096 (2^12).
+Therefore the maximum sess_queue_depth is 65536 (2^16).
+
+Link: https://lore.kernel.org/r/20210528113018.52290-6-jinpu.wang@ionos.com
+Signed-off-by: Gioh Kim <gi-oh.kim@ionos.com>
+Signed-off-by: Jack Wang <jinpu.wang@ionos.com>
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/ulp/rtrs/rtrs-pri.h | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/infiniband/ulp/rtrs/rtrs-pri.h b/drivers/infiniband/ulp/rtrs/rtrs-pri.h
+index 8caad0a2322b..51c60f542876 100644
+--- a/drivers/infiniband/ulp/rtrs/rtrs-pri.h
++++ b/drivers/infiniband/ulp/rtrs/rtrs-pri.h
+@@ -47,12 +47,15 @@ enum {
+ MAX_PATHS_NUM = 128,
+
+ /*
+- * With the size of struct rtrs_permit allocated on the client, 4K
+- * is the maximum number of rtrs_permits we can allocate. This number is
+- * also used on the client to allocate the IU for the user connection
+- * to receive the RDMA addresses from the server.
++ * Max IB immediate data size is 2^28 (MAX_IMM_PAYL_BITS)
++ * and the minimum chunk size is 4096 (2^12).
++ * So the maximum sess_queue_depth is 65536 (2^16) in theory.
++ * But mempool_create, create_qp and ib_post_send fail with
++ * "cannot allocate memory" error if sess_queue_depth is too big.
++ * Therefore the pratical max value of sess_queue_depth is
++ * somewhere between 1 and 65536 and it depends on the system.
+ */
+- MAX_SESS_QUEUE_DEPTH = 4096,
++ MAX_SESS_QUEUE_DEPTH = 65536,
+
+ RTRS_HB_INTERVAL_MS = 5000,
+ RTRS_HB_MISSED_MAX = 5,
+--
+2.30.2
+
--- /dev/null
+From 3bd51c9553057aea1e8dfa9233474553092a76a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jun 2021 15:14:56 +0800
+Subject: RDMA/rxe: Don't overwrite errno from ib_umem_get()
+
+From: Xiao Yang <yangx.jy@fujitsu.com>
+
+[ Upstream commit 20ec0a6d6016aa28b9b3299be18baef1a0f91cd2 ]
+
+rxe_mr_init_user() always returns the fixed -EINVAL when ib_umem_get()
+fails so it's hard for user to know which actual error happens in
+ib_umem_get(). For example, ib_umem_get() will return -EOPNOTSUPP when
+trying to pin pages on a DAX file.
+
+Return actual error as mlx4/mlx5 does.
+
+Link: https://lore.kernel.org/r/20210621071456.4259-1-ice_yangxiao@163.com
+Signed-off-by: Xiao Yang <yangx.jy@fujitsu.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/rxe/rxe_mr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_mr.c b/drivers/infiniband/sw/rxe/rxe_mr.c
+index d2ce852447c1..026285f7f36a 100644
+--- a/drivers/infiniband/sw/rxe/rxe_mr.c
++++ b/drivers/infiniband/sw/rxe/rxe_mr.c
+@@ -139,7 +139,7 @@ int rxe_mem_init_user(struct rxe_pd *pd, u64 start,
+ if (IS_ERR(umem)) {
+ pr_warn("err %d from rxe_umem_get\n",
+ (int)PTR_ERR(umem));
+- err = -EINVAL;
++ err = PTR_ERR(umem);
+ goto err1;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 169681acbd6c0d985181ad11d8f34418b08eee68 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 May 2021 15:15:45 +0300
+Subject: reiserfs: add check for invalid 1st journal block
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit a149127be52fa7eaf5b3681a0317a2bbb772d5a9 ]
+
+syzbot reported divide error in reiserfs.
+The problem was in incorrect journal 1st block.
+
+Syzbot's reproducer manualy generated wrong superblock
+with incorrect 1st block. In journal_init() wasn't
+any checks about this particular case.
+
+For example, if 1st journal block is before superblock
+1st block, it can cause zeroing important superblock members
+in do_journal_end().
+
+Link: https://lore.kernel.org/r/20210517121545.29645-1-paskripkin@gmail.com
+Reported-by: syzbot+0ba9909df31c6a36974d@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/reiserfs/journal.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/fs/reiserfs/journal.c b/fs/reiserfs/journal.c
+index e98f99338f8f..df5fc12a6cee 100644
+--- a/fs/reiserfs/journal.c
++++ b/fs/reiserfs/journal.c
+@@ -2760,6 +2760,20 @@ int journal_init(struct super_block *sb, const char *j_dev_name,
+ goto free_and_return;
+ }
+
++ /*
++ * Sanity check to see if journal first block is correct.
++ * If journal first block is invalid it can cause
++ * zeroing important superblock members.
++ */
++ if (!SB_ONDISK_JOURNAL_DEVICE(sb) &&
++ SB_ONDISK_JOURNAL_1st_BLOCK(sb) < SB_JOURNAL_1st_RESERVED_BLOCK(sb)) {
++ reiserfs_warning(sb, "journal-1393",
++ "journal 1st super block is invalid: 1st reserved block %d, but actual 1st block is %d",
++ SB_JOURNAL_1st_RESERVED_BLOCK(sb),
++ SB_ONDISK_JOURNAL_1st_BLOCK(sb));
++ goto free_and_return;
++ }
++
+ if (journal_init_dev(sb, journal, j_dev_name) != 0) {
+ reiserfs_warning(sb, "sh-462",
+ "unable to initialize journal device");
+--
+2.30.2
+
--- /dev/null
+From 6eb03c8574ea4eaab7fe1025f2e5a20c1b106e3a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 24 Apr 2021 18:29:59 +0100
+Subject: rtl8xxxu: Fix device info for RTL8192EU devices
+
+From: Pascal Terjan <pterjan@google.com>
+
+[ Upstream commit c240b044edefa3c3af4014a4030e017dd95b59a1 ]
+
+Based on 2001:3319 and 2357:0109 which I used to test the fix and
+0bda:818b and 2357:0108 for which I found efuse dumps online.
+
+== 2357:0109 ==
+=== Before ===
+Vendor: Realtek
+Product: \x03802.11n NI
+Serial:
+=== After ===
+Vendor: Realtek
+Product: 802.11n NIC
+Serial not available.
+
+== 2001:3319 ==
+=== Before ===
+Vendor: Realtek
+Product: Wireless N
+Serial: no USB Adap
+=== After ===
+Vendor: Realtek
+Product: Wireless N Nano USB Adapter
+Serial not available.
+
+Signed-off-by: Pascal Terjan <pterjan@google.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210424172959.1559890-1-pterjan@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/realtek/rtl8xxxu/rtl8xxxu.h | 11 +---
+ .../realtek/rtl8xxxu/rtl8xxxu_8192e.c | 59 +++++++++++++++++--
+ 2 files changed, 56 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h
+index d6d1be4169e5..acb6b0cd3667 100644
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h
+@@ -853,15 +853,10 @@ struct rtl8192eu_efuse {
+ u8 usb_optional_function;
+ u8 res9[2];
+ u8 mac_addr[ETH_ALEN]; /* 0xd7 */
+- u8 res10[2];
+- u8 vendor_name[7];
+- u8 res11[2];
+- u8 device_name[0x0b]; /* 0xe8 */
+- u8 res12[2];
+- u8 serial[0x0b]; /* 0xf5 */
+- u8 res13[0x30];
++ u8 device_info[80];
++ u8 res11[3];
+ u8 unknown[0x0d]; /* 0x130 */
+- u8 res14[0xc3];
++ u8 res12[0xc3];
+ };
+
+ struct rtl8xxxu_reg8val {
+diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_8192e.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_8192e.c
+index 9f1f93d04145..199e7e031d7d 100644
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_8192e.c
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_8192e.c
+@@ -554,9 +554,43 @@ rtl8192e_set_tx_power(struct rtl8xxxu_priv *priv, int channel, bool ht40)
+ }
+ }
+
++static void rtl8192eu_log_next_device_info(struct rtl8xxxu_priv *priv,
++ char *record_name,
++ char *device_info,
++ unsigned int *record_offset)
++{
++ char *record = device_info + *record_offset;
++
++ /* A record is [ total length | 0x03 | value ] */
++ unsigned char l = record[0];
++
++ /*
++ * The whole device info section seems to be 80 characters, make sure
++ * we don't read further.
++ */
++ if (*record_offset + l > 80) {
++ dev_warn(&priv->udev->dev,
++ "invalid record length %d while parsing \"%s\" at offset %u.\n",
++ l, record_name, *record_offset);
++ return;
++ }
++
++ if (l >= 2) {
++ char value[80];
++
++ memcpy(value, &record[2], l - 2);
++ value[l - 2] = '\0';
++ dev_info(&priv->udev->dev, "%s: %s\n", record_name, value);
++ *record_offset = *record_offset + l;
++ } else {
++ dev_info(&priv->udev->dev, "%s not available.\n", record_name);
++ }
++}
++
+ static int rtl8192eu_parse_efuse(struct rtl8xxxu_priv *priv)
+ {
+ struct rtl8192eu_efuse *efuse = &priv->efuse_wifi.efuse8192eu;
++ unsigned int record_offset;
+ int i;
+
+ if (efuse->rtl_id != cpu_to_le16(0x8129))
+@@ -604,12 +638,25 @@ static int rtl8192eu_parse_efuse(struct rtl8xxxu_priv *priv)
+ priv->has_xtalk = 1;
+ priv->xtalk = priv->efuse_wifi.efuse8192eu.xtal_k & 0x3f;
+
+- dev_info(&priv->udev->dev, "Vendor: %.7s\n", efuse->vendor_name);
+- dev_info(&priv->udev->dev, "Product: %.11s\n", efuse->device_name);
+- if (memchr_inv(efuse->serial, 0xff, 11))
+- dev_info(&priv->udev->dev, "Serial: %.11s\n", efuse->serial);
+- else
+- dev_info(&priv->udev->dev, "Serial not available.\n");
++ /*
++ * device_info section seems to be laid out as records
++ * [ total length | 0x03 | value ] so:
++ * - vendor length + 2
++ * - 0x03
++ * - vendor string (not null terminated)
++ * - product length + 2
++ * - 0x03
++ * - product string (not null terminated)
++ * Then there is one or 2 0x00 on all the 4 devices I own or found
++ * dumped online.
++ * As previous version of the code handled an optional serial
++ * string, I now assume there may be a third record if the
++ * length is not 0.
++ */
++ record_offset = 0;
++ rtl8192eu_log_next_device_info(priv, "Vendor", efuse->device_info, &record_offset);
++ rtl8192eu_log_next_device_info(priv, "Product", efuse->device_info, &record_offset);
++ rtl8192eu_log_next_device_info(priv, "Serial", efuse->device_info, &record_offset);
+
+ if (rtl8xxxu_debug & RTL8XXXU_DEBUG_EFUSE) {
+ unsigned char *raw = priv->efuse_wifi.raw;
+--
+2.30.2
+
--- /dev/null
+From 1d1ea92e3af733f0c41e47594d507a815a871a71 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Jun 2021 13:18:15 +0200
+Subject: sched/fair: Ensure _sum and _avg values stay consistent
+
+From: Odin Ugedal <odin@uged.al>
+
+[ Upstream commit 1c35b07e6d3986474e5635be566e7bc79d97c64d ]
+
+The _sum and _avg values are in general sync together with the PELT
+divider. They are however not always completely in perfect sync,
+resulting in situations where _sum gets to zero while _avg stays
+positive. Such situations are undesirable.
+
+This comes from the fact that PELT will increase period_contrib, also
+increasing the PELT divider, without updating _sum and _avg values to
+stay in perfect sync where (_sum == _avg * divider). However, such PELT
+change will never lower _sum, making it impossible to end up in a
+situation where _sum is zero and _avg is not.
+
+Therefore, we need to ensure that when subtracting load outside PELT,
+that when _sum is zero, _avg is also set to zero. This occurs when
+(_sum < _avg * divider), and the subtracted (_avg * divider) is bigger
+or equal to the current _sum, while the subtracted _avg is smaller than
+the current _avg.
+
+Reported-by: Sachin Sant <sachinp@linux.vnet.ibm.com>
+Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
+Signed-off-by: Odin Ugedal <odin@uged.al>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Vincent Guittot <vincent.guittot@linaro.org>
+Tested-by: Sachin Sant <sachinp@linux.vnet.ibm.com>
+Link: https://lore.kernel.org/r/20210624111815.57937-1-odin@uged.al
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/fair.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
+index 3d92de7909bf..32c0905bca84 100644
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -3672,15 +3672,15 @@ update_cfs_rq_load_avg(u64 now, struct cfs_rq *cfs_rq)
+
+ r = removed_load;
+ sub_positive(&sa->load_avg, r);
+- sub_positive(&sa->load_sum, r * divider);
++ sa->load_sum = sa->load_avg * divider;
+
+ r = removed_util;
+ sub_positive(&sa->util_avg, r);
+- sub_positive(&sa->util_sum, r * divider);
++ sa->util_sum = sa->util_avg * divider;
+
+ r = removed_runnable;
+ sub_positive(&sa->runnable_avg, r);
+- sub_positive(&sa->runnable_sum, r * divider);
++ sa->runnable_sum = sa->runnable_avg * divider;
+
+ /*
+ * removed_runnable is the unweighted version of removed_load so we
+--
+2.30.2
+
--- /dev/null
+From 9f76624076f61748a04d0d19313413e7ba60b2f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Jun 2021 16:13:42 -0300
+Subject: sctp: add size validation when walking chunks
+
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+
+[ Upstream commit 50619dbf8db77e98d821d615af4f634d08e22698 ]
+
+The first chunk in a packet is ensured to be present at the beginning of
+sctp_rcv(), as a packet needs to have at least 1 chunk. But the second
+one, may not be completely available and ch->length can be over
+uninitialized memory.
+
+Fix here is by only trying to walk on the next chunk if there is enough to
+hold at least the header, and then proceed with the ch->length validation
+that is already there.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/input.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sctp/input.c b/net/sctp/input.c
+index 8924e2e142c8..f72bff93745c 100644
+--- a/net/sctp/input.c
++++ b/net/sctp/input.c
+@@ -1247,7 +1247,7 @@ static struct sctp_association *__sctp_rcv_walk_lookup(struct net *net,
+
+ ch = (struct sctp_chunkhdr *)ch_end;
+ chunk_num++;
+- } while (ch_end < skb_tail_pointer(skb));
++ } while (ch_end + sizeof(*ch) < skb_tail_pointer(skb));
+
+ return asoc;
+ }
+--
+2.30.2
+
--- /dev/null
+From 40586cd17bb28dc752a8788029ba6029f8527ccb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Jun 2021 16:13:41 -0300
+Subject: sctp: validate from_addr_param return
+
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+
+[ Upstream commit 0c5dc070ff3d6246d22ddd931f23a6266249e3db ]
+
+Ilja reported that, simply putting it, nothing was validating that
+from_addr_param functions were operating on initialized memory. That is,
+the parameter itself was being validated by sctp_walk_params, but it
+doesn't check for types and their specific sizes and it could be a 0-length
+one, causing from_addr_param to potentially work over the next parameter or
+even uninitialized memory.
+
+The fix here is to, in all calls to from_addr_param, check if enough space
+is there for the wanted IP address type.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sctp/structs.h | 2 +-
+ net/sctp/bind_addr.c | 19 +++++++++++--------
+ net/sctp/input.c | 6 ++++--
+ net/sctp/ipv6.c | 7 ++++++-
+ net/sctp/protocol.c | 7 ++++++-
+ net/sctp/sm_make_chunk.c | 29 ++++++++++++++++-------------
+ 6 files changed, 44 insertions(+), 26 deletions(-)
+
+diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
+index 0bdff38eb4bb..51d698f2656f 100644
+--- a/include/net/sctp/structs.h
++++ b/include/net/sctp/structs.h
+@@ -458,7 +458,7 @@ struct sctp_af {
+ int saddr);
+ void (*from_sk) (union sctp_addr *,
+ struct sock *sk);
+- void (*from_addr_param) (union sctp_addr *,
++ bool (*from_addr_param) (union sctp_addr *,
+ union sctp_addr_param *,
+ __be16 port, int iif);
+ int (*to_addr_param) (const union sctp_addr *,
+diff --git a/net/sctp/bind_addr.c b/net/sctp/bind_addr.c
+index 53e5ed79f63f..59e653b528b1 100644
+--- a/net/sctp/bind_addr.c
++++ b/net/sctp/bind_addr.c
+@@ -270,22 +270,19 @@ int sctp_raw_to_bind_addrs(struct sctp_bind_addr *bp, __u8 *raw_addr_list,
+ rawaddr = (union sctp_addr_param *)raw_addr_list;
+
+ af = sctp_get_af_specific(param_type2af(param->type));
+- if (unlikely(!af)) {
++ if (unlikely(!af) ||
++ !af->from_addr_param(&addr, rawaddr, htons(port), 0)) {
+ retval = -EINVAL;
+- sctp_bind_addr_clean(bp);
+- break;
++ goto out_err;
+ }
+
+- af->from_addr_param(&addr, rawaddr, htons(port), 0);
+ if (sctp_bind_addr_state(bp, &addr) != -1)
+ goto next;
+ retval = sctp_add_bind_addr(bp, &addr, sizeof(addr),
+ SCTP_ADDR_SRC, gfp);
+- if (retval) {
++ if (retval)
+ /* Can't finish building the list, clean up. */
+- sctp_bind_addr_clean(bp);
+- break;
+- }
++ goto out_err;
+
+ next:
+ len = ntohs(param->length);
+@@ -294,6 +291,12 @@ next:
+ }
+
+ return retval;
++
++out_err:
++ if (retval)
++ sctp_bind_addr_clean(bp);
++
++ return retval;
+ }
+
+ /********************************************************************
+diff --git a/net/sctp/input.c b/net/sctp/input.c
+index d508f6f3dd08..8924e2e142c8 100644
+--- a/net/sctp/input.c
++++ b/net/sctp/input.c
+@@ -1131,7 +1131,8 @@ static struct sctp_association *__sctp_rcv_init_lookup(struct net *net,
+ if (!af)
+ continue;
+
+- af->from_addr_param(paddr, params.addr, sh->source, 0);
++ if (!af->from_addr_param(paddr, params.addr, sh->source, 0))
++ continue;
+
+ asoc = __sctp_lookup_association(net, laddr, paddr, transportp);
+ if (asoc)
+@@ -1174,7 +1175,8 @@ static struct sctp_association *__sctp_rcv_asconf_lookup(
+ if (unlikely(!af))
+ return NULL;
+
+- af->from_addr_param(&paddr, param, peer_port, 0);
++ if (af->from_addr_param(&paddr, param, peer_port, 0))
++ return NULL;
+
+ return __sctp_lookup_association(net, laddr, &paddr, transportp);
+ }
+diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
+index c8074f435d3e..d594b949ae82 100644
+--- a/net/sctp/ipv6.c
++++ b/net/sctp/ipv6.c
+@@ -530,15 +530,20 @@ static void sctp_v6_to_sk_daddr(union sctp_addr *addr, struct sock *sk)
+ }
+
+ /* Initialize a sctp_addr from an address parameter. */
+-static void sctp_v6_from_addr_param(union sctp_addr *addr,
++static bool sctp_v6_from_addr_param(union sctp_addr *addr,
+ union sctp_addr_param *param,
+ __be16 port, int iif)
+ {
++ if (ntohs(param->v6.param_hdr.length) < sizeof(struct sctp_ipv6addr_param))
++ return false;
++
+ addr->v6.sin6_family = AF_INET6;
+ addr->v6.sin6_port = port;
+ addr->v6.sin6_flowinfo = 0; /* BUG */
+ addr->v6.sin6_addr = param->v6.addr;
+ addr->v6.sin6_scope_id = iif;
++
++ return true;
+ }
+
+ /* Initialize an address parameter from a sctp_addr and return the length
+diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c
+index 25833238fe93..47fb87ce489f 100644
+--- a/net/sctp/protocol.c
++++ b/net/sctp/protocol.c
+@@ -253,14 +253,19 @@ static void sctp_v4_to_sk_daddr(union sctp_addr *addr, struct sock *sk)
+ }
+
+ /* Initialize a sctp_addr from an address parameter. */
+-static void sctp_v4_from_addr_param(union sctp_addr *addr,
++static bool sctp_v4_from_addr_param(union sctp_addr *addr,
+ union sctp_addr_param *param,
+ __be16 port, int iif)
+ {
++ if (ntohs(param->v4.param_hdr.length) < sizeof(struct sctp_ipv4addr_param))
++ return false;
++
+ addr->v4.sin_family = AF_INET;
+ addr->v4.sin_port = port;
+ addr->v4.sin_addr.s_addr = param->v4.addr.s_addr;
+ memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero));
++
++ return true;
+ }
+
+ /* Initialize an address parameter from a sctp_addr and return the length
+diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
+index b9d6babe2870..7411fa442821 100644
+--- a/net/sctp/sm_make_chunk.c
++++ b/net/sctp/sm_make_chunk.c
+@@ -2329,11 +2329,13 @@ int sctp_process_init(struct sctp_association *asoc, struct sctp_chunk *chunk,
+
+ /* Process the initialization parameters. */
+ sctp_walk_params(param, peer_init, init_hdr.params) {
+- if (!src_match && (param.p->type == SCTP_PARAM_IPV4_ADDRESS ||
+- param.p->type == SCTP_PARAM_IPV6_ADDRESS)) {
++ if (!src_match &&
++ (param.p->type == SCTP_PARAM_IPV4_ADDRESS ||
++ param.p->type == SCTP_PARAM_IPV6_ADDRESS)) {
+ af = sctp_get_af_specific(param_type2af(param.p->type));
+- af->from_addr_param(&addr, param.addr,
+- chunk->sctp_hdr->source, 0);
++ if (!af->from_addr_param(&addr, param.addr,
++ chunk->sctp_hdr->source, 0))
++ continue;
+ if (sctp_cmp_addr_exact(sctp_source(chunk), &addr))
+ src_match = 1;
+ }
+@@ -2514,7 +2516,8 @@ static int sctp_process_param(struct sctp_association *asoc,
+ break;
+ do_addr_param:
+ af = sctp_get_af_specific(param_type2af(param.p->type));
+- af->from_addr_param(&addr, param.addr, htons(asoc->peer.port), 0);
++ if (!af->from_addr_param(&addr, param.addr, htons(asoc->peer.port), 0))
++ break;
+ scope = sctp_scope(peer_addr);
+ if (sctp_in_scope(net, &addr, scope))
+ if (!sctp_assoc_add_peer(asoc, &addr, gfp, SCTP_UNCONFIRMED))
+@@ -2615,15 +2618,13 @@ do_addr_param:
+ addr_param = param.v + sizeof(struct sctp_addip_param);
+
+ af = sctp_get_af_specific(param_type2af(addr_param->p.type));
+- if (af == NULL)
++ if (!af)
+ break;
+
+- af->from_addr_param(&addr, addr_param,
+- htons(asoc->peer.port), 0);
++ if (!af->from_addr_param(&addr, addr_param,
++ htons(asoc->peer.port), 0))
++ break;
+
+- /* if the address is invalid, we can't process it.
+- * XXX: see spec for what to do.
+- */
+ if (!af->addr_valid(&addr, NULL, NULL))
+ break;
+
+@@ -3037,7 +3038,8 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc,
+ if (unlikely(!af))
+ return SCTP_ERROR_DNS_FAILED;
+
+- af->from_addr_param(&addr, addr_param, htons(asoc->peer.port), 0);
++ if (!af->from_addr_param(&addr, addr_param, htons(asoc->peer.port), 0))
++ return SCTP_ERROR_DNS_FAILED;
+
+ /* ADDIP 4.2.1 This parameter MUST NOT contain a broadcast
+ * or multicast address.
+@@ -3314,7 +3316,8 @@ static void sctp_asconf_param_success(struct sctp_association *asoc,
+
+ /* We have checked the packet before, so we do not check again. */
+ af = sctp_get_af_specific(param_type2af(addr_param->p.type));
+- af->from_addr_param(&addr, addr_param, htons(bp->port), 0);
++ if (!af->from_addr_param(&addr, addr_param, htons(bp->port), 0))
++ return;
+
+ switch (asconf_param->param_hdr.type) {
+ case SCTP_PARAM_ADD_IP:
+--
+2.30.2
+
--- /dev/null
+From dff9fbae38dcce2c817b9fb50873f7b448dcc30e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jun 2021 15:44:09 +0300
+Subject: selftests: Clean forgotten resources as part of cleanup()
+
+From: Amit Cohen <amcohen@nvidia.com>
+
+[ Upstream commit e67dfb8d15deb33c425d0b0ee22f2e5eef54c162 ]
+
+Several tests do not set some ports down as part of their cleanup(),
+resulting in IPv6 link-local addresses and associated routes not being
+deleted.
+
+These leaks were found using a BPF tool that monitors ASIC resources.
+
+Solve this by setting the ports down at the end of the tests.
+
+Signed-off-by: Amit Cohen <amcohen@nvidia.com>
+Reviewed-by: Petr Machata <petrm@nvidia.com>
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../selftests/drivers/net/mlxsw/devlink_trap_l3_drops.sh | 3 +++
+ .../selftests/drivers/net/mlxsw/devlink_trap_l3_exceptions.sh | 3 +++
+ tools/testing/selftests/drivers/net/mlxsw/qos_dscp_bridge.sh | 2 ++
+ tools/testing/selftests/net/forwarding/pedit_dsfield.sh | 2 ++
+ tools/testing/selftests/net/forwarding/pedit_l4port.sh | 2 ++
+ tools/testing/selftests/net/forwarding/skbedit_priority.sh | 2 ++
+ 6 files changed, 14 insertions(+)
+
+diff --git a/tools/testing/selftests/drivers/net/mlxsw/devlink_trap_l3_drops.sh b/tools/testing/selftests/drivers/net/mlxsw/devlink_trap_l3_drops.sh
+index f5abb1ebd392..269b2680611b 100755
+--- a/tools/testing/selftests/drivers/net/mlxsw/devlink_trap_l3_drops.sh
++++ b/tools/testing/selftests/drivers/net/mlxsw/devlink_trap_l3_drops.sh
+@@ -108,6 +108,9 @@ router_destroy()
+ __addr_add_del $rp1 del 192.0.2.2/24 2001:db8:1::2/64
+
+ tc qdisc del dev $rp2 clsact
++
++ ip link set dev $rp2 down
++ ip link set dev $rp1 down
+ }
+
+ setup_prepare()
+diff --git a/tools/testing/selftests/drivers/net/mlxsw/devlink_trap_l3_exceptions.sh b/tools/testing/selftests/drivers/net/mlxsw/devlink_trap_l3_exceptions.sh
+index 1fedfc9da434..1d157b1bd838 100755
+--- a/tools/testing/selftests/drivers/net/mlxsw/devlink_trap_l3_exceptions.sh
++++ b/tools/testing/selftests/drivers/net/mlxsw/devlink_trap_l3_exceptions.sh
+@@ -111,6 +111,9 @@ router_destroy()
+ __addr_add_del $rp1 del 192.0.2.2/24 2001:db8:1::2/64
+
+ tc qdisc del dev $rp2 clsact
++
++ ip link set dev $rp2 down
++ ip link set dev $rp1 down
+ }
+
+ setup_prepare()
+diff --git a/tools/testing/selftests/drivers/net/mlxsw/qos_dscp_bridge.sh b/tools/testing/selftests/drivers/net/mlxsw/qos_dscp_bridge.sh
+index 5cbff8038f84..28a570006d4d 100755
+--- a/tools/testing/selftests/drivers/net/mlxsw/qos_dscp_bridge.sh
++++ b/tools/testing/selftests/drivers/net/mlxsw/qos_dscp_bridge.sh
+@@ -93,7 +93,9 @@ switch_destroy()
+ lldptool -T -i $swp1 -V APP -d $(dscp_map 10) >/dev/null
+ lldpad_app_wait_del
+
++ ip link set dev $swp2 down
+ ip link set dev $swp2 nomaster
++ ip link set dev $swp1 down
+ ip link set dev $swp1 nomaster
+ ip link del dev br1
+ }
+diff --git a/tools/testing/selftests/net/forwarding/pedit_dsfield.sh b/tools/testing/selftests/net/forwarding/pedit_dsfield.sh
+index 55eeacf59241..64fbd211d907 100755
+--- a/tools/testing/selftests/net/forwarding/pedit_dsfield.sh
++++ b/tools/testing/selftests/net/forwarding/pedit_dsfield.sh
+@@ -75,7 +75,9 @@ switch_destroy()
+ tc qdisc del dev $swp2 clsact
+ tc qdisc del dev $swp1 clsact
+
++ ip link set dev $swp2 down
+ ip link set dev $swp2 nomaster
++ ip link set dev $swp1 down
+ ip link set dev $swp1 nomaster
+ ip link del dev br1
+ }
+diff --git a/tools/testing/selftests/net/forwarding/pedit_l4port.sh b/tools/testing/selftests/net/forwarding/pedit_l4port.sh
+index 5f20d289ee43..10e594c55117 100755
+--- a/tools/testing/selftests/net/forwarding/pedit_l4port.sh
++++ b/tools/testing/selftests/net/forwarding/pedit_l4port.sh
+@@ -71,7 +71,9 @@ switch_destroy()
+ tc qdisc del dev $swp2 clsact
+ tc qdisc del dev $swp1 clsact
+
++ ip link set dev $swp2 down
+ ip link set dev $swp2 nomaster
++ ip link set dev $swp1 down
+ ip link set dev $swp1 nomaster
+ ip link del dev br1
+ }
+diff --git a/tools/testing/selftests/net/forwarding/skbedit_priority.sh b/tools/testing/selftests/net/forwarding/skbedit_priority.sh
+index e3bd8a6bb8b4..bde11dc27873 100755
+--- a/tools/testing/selftests/net/forwarding/skbedit_priority.sh
++++ b/tools/testing/selftests/net/forwarding/skbedit_priority.sh
+@@ -72,7 +72,9 @@ switch_destroy()
+ tc qdisc del dev $swp2 clsact
+ tc qdisc del dev $swp1 clsact
+
++ ip link set dev $swp2 down
+ ip link set dev $swp2 nomaster
++ ip link set dev $swp1 down
+ ip link set dev $swp1 nomaster
+ ip link del dev br1
+ }
+--
+2.30.2
+
--- /dev/null
+From 7d47011b9417a65ef6e517923035f41b255a3716 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jun 2021 09:37:17 -0700
+Subject: selinux: use __GFP_NOWARN with GFP_NOWAIT in the AVC
+
+From: Minchan Kim <minchan@kernel.org>
+
+[ Upstream commit 648f2c6100cfa18e7dfe43bc0b9c3b73560d623c ]
+
+In the field, we have seen lots of allocation failure from the call
+path below.
+
+06-03 13:29:12.999 1010315 31557 31557 W Binder : 31542_2: page allocation failure: order:0, mode:0x800(GFP_NOWAIT), nodemask=(null),cpuset=background,mems_allowed=0
+...
+...
+06-03 13:29:12.999 1010315 31557 31557 W Call trace:
+06-03 13:29:12.999 1010315 31557 31557 W : dump_backtrace.cfi_jt+0x0/0x8
+06-03 13:29:12.999 1010315 31557 31557 W : dump_stack+0xc8/0x14c
+06-03 13:29:12.999 1010315 31557 31557 W : warn_alloc+0x158/0x1c8
+06-03 13:29:12.999 1010315 31557 31557 W : __alloc_pages_slowpath+0x9d8/0xb80
+06-03 13:29:12.999 1010315 31557 31557 W : __alloc_pages_nodemask+0x1c4/0x430
+06-03 13:29:12.999 1010315 31557 31557 W : allocate_slab+0xb4/0x390
+06-03 13:29:12.999 1010315 31557 31557 W : ___slab_alloc+0x12c/0x3a4
+06-03 13:29:12.999 1010315 31557 31557 W : kmem_cache_alloc+0x358/0x5e4
+06-03 13:29:12.999 1010315 31557 31557 W : avc_alloc_node+0x30/0x184
+06-03 13:29:12.999 1010315 31557 31557 W : avc_update_node+0x54/0x4f0
+06-03 13:29:12.999 1010315 31557 31557 W : avc_has_extended_perms+0x1a4/0x460
+06-03 13:29:12.999 1010315 31557 31557 W : selinux_file_ioctl+0x320/0x3d0
+06-03 13:29:12.999 1010315 31557 31557 W : __arm64_sys_ioctl+0xec/0x1fc
+06-03 13:29:12.999 1010315 31557 31557 W : el0_svc_common+0xc0/0x24c
+06-03 13:29:12.999 1010315 31557 31557 W : el0_svc+0x28/0x88
+06-03 13:29:12.999 1010315 31557 31557 W : el0_sync_handler+0x8c/0xf0
+06-03 13:29:12.999 1010315 31557 31557 W : el0_sync+0x1a4/0x1c0
+..
+..
+06-03 13:29:12.999 1010315 31557 31557 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO)
+06-03 13:29:12.999 1010315 31557 31557 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0
+06-03 13:29:12.999 1010315 31557 31557 W node 0 : slabs: 57, objs: 2907, free: 0
+06-03 13:29:12.999 1010161 10686 10686 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO)
+06-03 13:29:12.999 1010161 10686 10686 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0
+06-03 13:29:12.999 1010161 10686 10686 W node 0 : slabs: 57, objs: 2907, free: 0
+06-03 13:29:12.999 1010161 10686 10686 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO)
+06-03 13:29:12.999 1010161 10686 10686 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0
+06-03 13:29:12.999 1010161 10686 10686 W node 0 : slabs: 57, objs: 2907, free: 0
+06-03 13:29:12.999 1010161 10686 10686 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO)
+06-03 13:29:12.999 1010161 10686 10686 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0
+06-03 13:29:12.999 1010161 10686 10686 W node 0 : slabs: 57, objs: 2907, free: 0
+06-03 13:29:13.000 1010161 10686 10686 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO)
+06-03 13:29:13.000 1010161 10686 10686 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0
+06-03 13:29:13.000 1010161 10686 10686 W node 0 : slabs: 57, objs: 2907, free: 0
+06-03 13:29:13.000 1010161 10686 10686 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO)
+06-03 13:29:13.000 1010161 10686 10686 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0
+06-03 13:29:13.000 1010161 10686 10686 W node 0 : slabs: 57, objs: 2907, free: 0
+06-03 13:29:13.000 1010161 10686 10686 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO)
+06-03 13:29:13.000 1010161 10686 10686 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0
+06-03 13:29:13.000 1010161 10686 10686 W node 0 : slabs: 57, objs: 2907, free: 0
+06-03 13:29:13.000 10230 30892 30892 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO)
+06-03 13:29:13.000 10230 30892 30892 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0
+06-03 13:29:13.000 10230 30892 30892 W node 0 : slabs: 57, objs: 2907, free: 0
+06-03 13:29:13.000 10230 30892 30892 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO)
+06-03 13:29:13.000 10230 30892 30892 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0
+
+Based on [1], selinux is tolerate for failure of memory allocation.
+Then, use __GFP_NOWARN together.
+
+[1] 476accbe2f6e ("selinux: use GFP_NOWAIT in the AVC kmem_caches")
+
+Signed-off-by: Minchan Kim <minchan@kernel.org>
+[PM: subj fix, line wraps, normalized commit refs]
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/selinux/avc.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/security/selinux/avc.c b/security/selinux/avc.c
+index 3c05827608b6..884a014ce2b8 100644
+--- a/security/selinux/avc.c
++++ b/security/selinux/avc.c
+@@ -297,26 +297,27 @@ static struct avc_xperms_decision_node
+ struct avc_xperms_decision_node *xpd_node;
+ struct extended_perms_decision *xpd;
+
+- xpd_node = kmem_cache_zalloc(avc_xperms_decision_cachep, GFP_NOWAIT);
++ xpd_node = kmem_cache_zalloc(avc_xperms_decision_cachep,
++ GFP_NOWAIT | __GFP_NOWARN);
+ if (!xpd_node)
+ return NULL;
+
+ xpd = &xpd_node->xpd;
+ if (which & XPERMS_ALLOWED) {
+ xpd->allowed = kmem_cache_zalloc(avc_xperms_data_cachep,
+- GFP_NOWAIT);
++ GFP_NOWAIT | __GFP_NOWARN);
+ if (!xpd->allowed)
+ goto error;
+ }
+ if (which & XPERMS_AUDITALLOW) {
+ xpd->auditallow = kmem_cache_zalloc(avc_xperms_data_cachep,
+- GFP_NOWAIT);
++ GFP_NOWAIT | __GFP_NOWARN);
+ if (!xpd->auditallow)
+ goto error;
+ }
+ if (which & XPERMS_DONTAUDIT) {
+ xpd->dontaudit = kmem_cache_zalloc(avc_xperms_data_cachep,
+- GFP_NOWAIT);
++ GFP_NOWAIT | __GFP_NOWARN);
+ if (!xpd->dontaudit)
+ goto error;
+ }
+@@ -344,7 +345,7 @@ static struct avc_xperms_node *avc_xperms_alloc(void)
+ {
+ struct avc_xperms_node *xp_node;
+
+- xp_node = kmem_cache_zalloc(avc_xperms_cachep, GFP_NOWAIT);
++ xp_node = kmem_cache_zalloc(avc_xperms_cachep, GFP_NOWAIT | __GFP_NOWARN);
+ if (!xp_node)
+ return xp_node;
+ INIT_LIST_HEAD(&xp_node->xpd_head);
+@@ -500,7 +501,7 @@ static struct avc_node *avc_alloc_node(struct selinux_avc *avc)
+ {
+ struct avc_node *node;
+
+- node = kmem_cache_zalloc(avc_node_cachep, GFP_NOWAIT);
++ node = kmem_cache_zalloc(avc_node_cachep, GFP_NOWAIT | __GFP_NOWARN);
+ if (!node)
+ goto out;
+
+--
+2.30.2
+
--- /dev/null
+drm-mxsfb-don-t-select-drm_kms_fb_helper.patch
+drm-zte-don-t-select-drm_kms_fb_helper.patch
+drm-ast-fixed-cve-for-dp501.patch
+drm-amd-display-fix-hdcp-reset-sequence-on-reinitial.patch
+drm-amd-amdgpu-sriov-disable-all-ip-hw-status-by-def.patch
+drm-vc4-fix-argument-ordering-in-vc4_crtc_get_margin.patch
+drm-bridge-nwl-dsi-force-a-full-modeset-when-crtc_st.patch
+net-pch_gbe-use-proper-accessors-to-be-data-in-pch_p.patch
+drm-amd-display-fix-use_max_lb-flag-for-420-pixel-fo.patch
+clk-renesas-rcar-usb2-clock-sel-fix-error-handling-i.patch
+hugetlb-clear-huge-pte-during-flush-function-on-mips.patch
+atm-iphase-fix-possible-use-after-free-in-ia_module_.patch
+misdn-fix-possible-use-after-free-in-hfc_cleanup.patch
+atm-nicstar-fix-possible-use-after-free-in-nicstar_c.patch
+net-treat-__napi_schedule_irqoff-as-__napi_schedule-.patch
+drm-mediatek-fix-pm-reference-leak-in-mtk_crtc_ddp_h.patch
+net-mdio-ipq8064-add-regmap-config-to-disable-regcac.patch
+drm-bridge-lt9611-add-missing-module_device_table.patch
+reiserfs-add-check-for-invalid-1st-journal-block.patch
+drm-virtio-fix-double-free-on-probe-failure.patch
+net-mdio-provide-shim-implementation-of-devm_of_mdio.patch
+net-sched-cls_api-increase-max_reclassify_loop.patch
+pinctrl-equilibrium-add-missing-module_device_table.patch
+drm-scheduler-fix-hang-when-sched_entity-released.patch
+drm-sched-avoid-data-corruptions.patch
+udf-fix-null-pointer-dereference-in-udf_symlink-func.patch
+drm-vc4-fix-clock-source-for-vec-pixelvalve-on-bcm27.patch
+drm-vc4-hdmi-fix-pm-reference-leak-in-vc4_hdmi_encod.patch
+e100-handle-eeprom-as-little-endian.patch
+igb-handle-vlan-types-with-checker-enabled.patch
+igb-fix-assignment-on-big-endian-machines.patch
+drm-bridge-cdns-fix-pm-reference-leak-in-cdns_dsi_tr.patch
+clk-renesas-r8a77995-add-za2-clock.patch
+net-mlx5e-ipsec-rep_tc-fix-rep_tc_update_skb-drops-i.patch
+net-mlx5-fix-lag-port-remapping-logic.patch
+drm-rockchip-add-missing-registers-for-rk3188.patch
+drm-rockchip-add-missing-registers-for-rk3066.patch
+net-stmmac-the-xpcs-obscures-a-potential-phy-not-fou.patch
+rdma-rtrs-change-max_sess_queue_depth.patch
+clk-tegra-fix-refcounting-of-gate-clocks.patch
+clk-tegra-ensure-that-pllu-configuration-is-applied-.patch
+drm-bridge-cdns-mhdp8546-fix-pm-reference-leak-in.patch
+virtio-net-add-validation-for-used-length.patch
+ipv6-use-prandom_u32-for-id-generation.patch
+mips-cpu-probe-fix-fpu-detection-on-ingenic-jz4760-b.patch
+mips-ingenic-select-cpu_supports_cpufreq-mips_extern.patch
+drm-amd-display-avoid-hdcp-over-read-and-corruption.patch
+drm-amdgpu-remove-unsafe-optimization-to-drop-preamb.patch
+net-tcp-better-handling-of-reordering-then-loss-case.patch
+rdma-cxgb4-fix-missing-error-code-in-create_qp.patch
+dm-space-maps-don-t-reset-space-map-allocation-curso.patch
+dm-writecache-don-t-split-bios-when-overwriting-cont.patch
+dm-fix-dm_accept_partial_bio-relative-to-zone-manage.patch
+net-bridge-mrp-update-ring-transitions.patch
+pinctrl-mcp23s08-fix-race-condition-in-irq-handler.patch
+ice-set-the-value-of-global-config-lock-timeout-long.patch
+ice-fix-clang-warning-regarding-deadcode.deadstores.patch
+virtio_net-remove-bug-to-avoid-machine-dead.patch
+net-mscc-ocelot-check-return-value-after-calling-pla.patch
+net-bcmgenet-check-return-value-after-calling-platfo.patch
+net-mvpp2-check-return-value-after-calling-platform_.patch
+net-micrel-check-return-value-after-calling-platform.patch
+net-moxa-use-devm_platform_get_and_ioremap_resource.patch
+drm-amd-display-fix-dcn-3.01-dscclk-validation.patch
+drm-amd-display-update-scaling-settings-on-modeset.patch
+drm-amd-display-release-mst-resources-on-switch-from.patch
+drm-amd-display-set-dispclk_max_errdet_cycles-to-7.patch
+drm-amd-display-fix-off-by-one-error-in-dml.patch
+net-phy-realtek-add-delay-to-fix-rxc-generation-issu.patch
+selftests-clean-forgotten-resources-as-part-of-clean.patch
+net-sgi-ioc3-eth-check-return-value-after-calling-pl.patch
+drm-amdkfd-use-allowed-domain-for-vmbo-validation.patch
+fjes-check-return-value-after-calling-platform_get_r.patch
+selinux-use-__gfp_nowarn-with-gfp_nowait-in-the-avc.patch
+r8169-avoid-link-up-interrupt-issue-on-rtl8106e-if-u.patch
+drm-amd-display-verify-gamma-degamma-lut-sizes-in-am.patch
+xfrm-fix-error-reporting-in-xfrm_state_construct.patch
+dm-writecache-commit-just-one-block-not-a-full-page.patch
+wlcore-wl12xx-fix-wl12xx-get_mac-error-if-device-is-.patch
+wl1251-fix-possible-buffer-overflow-in-wl1251_cmd_sc.patch
+cw1200-add-missing-module_device_table.patch
+drm-amdkfd-fix-circular-locking-on-get_wave_state.patch
+drm-amdkfd-fix-circular-lock-in-nocpsch-path.patch
+bpf-fix-up-register-based-shifts-in-interpreter-to-s.patch
+ice-fix-incorrect-payload-indicator-on-ptype.patch
+ice-mark-ptype-2-as-reserved.patch
+mt76-mt7615-fix-fixed-rate-tx-status-reporting.patch
+net-fix-mistake-path-for-netdev_features_strings.patch
+net-ipa-add-missing-of_node_put-in-ipa_firmware_load.patch
+net-sched-fix-error-return-code-in-tcf_del_walker.patch
+io_uring-fix-false-warn_once.patch
+drm-amdgpu-fix-bad-address-translation-for-sienna_ci.patch
+drm-amdkfd-walk-through-list-with-dqm-lock-hold.patch
+mt76-mt7915-fix-ieee80211_he_phy_cap7_max_nc-for-sta.patch
+rtl8xxxu-fix-device-info-for-rtl8192eu-devices.patch
+mips-add-pmd-table-accounting-into-mips-pmd_alloc_on.patch
+net-fec-add-ndo_select_queue-to-fix-tx-bandwidth-flu.patch
+atm-nicstar-use-dma_free_coherent-instead-of-kfree.patch
+atm-nicstar-register-the-interrupt-handler-in-the-ri.patch
+vsock-notify-server-to-shutdown-when-client-has-pend.patch
+rdma-rxe-don-t-overwrite-errno-from-ib_umem_get.patch
+iwlwifi-mvm-don-t-change-band-on-bound-phy-contexts.patch
+iwlwifi-mvm-fix-error-print-when-session-protection-.patch
+iwlwifi-pcie-free-iml-dma-memory-allocation.patch
+iwlwifi-pcie-fix-context-info-freeing.patch
+sfc-avoid-double-pci_remove-of-vfs.patch
+sfc-error-code-if-sriov-cannot-be-disabled.patch
+wireless-wext-spy-fix-out-of-bounds-warning.patch
+cfg80211-fix-default-he-tx-bitrate-mask-in-2g-band.patch
+mac80211-consider-per-cpu-statistics-if-present.patch
+mac80211_hwsim-add-concurrent-channels-scanning-supp.patch
+ib-isert-align-target-max-i-o-size-to-initiator-size.patch
+media-bpf-do-not-copy-more-entries-than-user-space-r.patch
+net-ip-avoid-oom-kills-with-large-udp-sends-over-loo.patch
+rdma-cma-fix-rdma_resolve_route-memory-leak.patch
+bluetooth-btusb-fixed-too-many-in-token-issue-for-me.patch
+bluetooth-fix-the-hci-to-mgmt-status-conversion-tabl.patch
+bluetooth-fix-alt-settings-for-incoming-sco-with-tra.patch
+bluetooth-shutdown-controller-after-workqueues-are-f.patch
+bluetooth-btusb-add-a-new-qca_rome-device-0cf3-e500.patch
+bluetooth-l2cap-fix-invalid-access-if-ecred-reconfig.patch
+bluetooth-l2cap-fix-invalid-access-on-ecred-connecti.patch
+bluetooth-btusb-add-support-usb-alt-3-for-wbs.patch
+bluetooth-mgmt-fix-the-command-returns-garbage-param.patch
+bluetooth-btusb-fix-bt-fiwmare-downloading-failure-i.patch
+sched-fair-ensure-_sum-and-_avg-values-stay-consiste.patch
+bpf-fix-false-positive-kmemleak-report-in-bpf_ringbu.patch
+flow_offload-action-should-not-be-null-when-it-is-re.patch
+sctp-validate-from_addr_param-return.patch
+sctp-add-size-validation-when-walking-chunks.patch
+mips-loongsoon64-reserve-memory-below-starting-pfn-t.patch
+mips-set-mips32r5-for-virt-extensions.patch
--- /dev/null
+From 4b87a7f05440b45e982c0f23191ad0dbf4d7ef5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jun 2021 17:32:35 +0200
+Subject: sfc: avoid double pci_remove of VFs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Íñigo Huguet <ihuguet@redhat.com>
+
+[ Upstream commit 45423cff1db66cf0993e8a9bd0ac93e740149e49 ]
+
+If pci_remove was called for a PF with VFs, the removal of the VFs was
+called twice from efx_ef10_sriov_fini: one directly with pci_driver->remove
+and another implicit by calling pci_disable_sriov, which also perform
+the VFs remove. This was leading to crashing the kernel on the second
+attempt.
+
+Given that pci_disable_sriov already calls to pci remove function, get
+rid of the direct call to pci_driver->remove from the driver.
+
+2 different ways to trigger the bug:
+- Create one or more VFs, then attach the PF to a virtual machine (at
+ least with qemu/KVM)
+- Create one or more VFs, then remove the PF with:
+ echo 1 > /sys/bus/pci/devices/PF_PCI_ID/remove
+
+Removing sfc module does not trigger the error, at least for me, because
+it removes the VF first, and then the PF.
+
+Example of a log with the error:
+ list_del corruption, ffff967fd20a8ad0->next is LIST_POISON1 (dead000000000100)
+ ------------[ cut here ]------------
+ kernel BUG at lib/list_debug.c:47!
+ [...trimmed...]
+ RIP: 0010:__list_del_entry_valid.cold.1+0x12/0x4c
+ [...trimmed...]
+ Call Trace:
+ efx_dissociate+0x1f/0x140 [sfc]
+ efx_pci_remove+0x27/0x150 [sfc]
+ pci_device_remove+0x3b/0xc0
+ device_release_driver_internal+0x103/0x1f0
+ pci_stop_bus_device+0x69/0x90
+ pci_stop_and_remove_bus_device+0xe/0x20
+ pci_iov_remove_virtfn+0xba/0x120
+ sriov_disable+0x2f/0xe0
+ efx_ef10_pci_sriov_disable+0x52/0x80 [sfc]
+ ? pcie_aer_is_native+0x12/0x40
+ efx_ef10_sriov_fini+0x72/0x110 [sfc]
+ efx_pci_remove+0x62/0x150 [sfc]
+ pci_device_remove+0x3b/0xc0
+ device_release_driver_internal+0x103/0x1f0
+ unbind_store+0xf6/0x130
+ kernfs_fop_write+0x116/0x190
+ vfs_write+0xa5/0x1a0
+ ksys_write+0x4f/0xb0
+ do_syscall_64+0x5b/0x1a0
+ entry_SYSCALL_64_after_hwframe+0x65/0xca
+
+Signed-off-by: Íñigo Huguet <ihuguet@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/sfc/ef10_sriov.c | 10 +---------
+ 1 file changed, 1 insertion(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/sfc/ef10_sriov.c b/drivers/net/ethernet/sfc/ef10_sriov.c
+index 21fa6c0e8873..a5d28b0f75ba 100644
+--- a/drivers/net/ethernet/sfc/ef10_sriov.c
++++ b/drivers/net/ethernet/sfc/ef10_sriov.c
+@@ -439,7 +439,6 @@ int efx_ef10_sriov_init(struct efx_nic *efx)
+ void efx_ef10_sriov_fini(struct efx_nic *efx)
+ {
+ struct efx_ef10_nic_data *nic_data = efx->nic_data;
+- unsigned int i;
+ int rc;
+
+ if (!nic_data->vf) {
+@@ -449,14 +448,7 @@ void efx_ef10_sriov_fini(struct efx_nic *efx)
+ return;
+ }
+
+- /* Remove any VFs in the host */
+- for (i = 0; i < efx->vf_count; ++i) {
+- struct efx_nic *vf_efx = nic_data->vf[i].efx;
+-
+- if (vf_efx)
+- vf_efx->pci_dev->driver->remove(vf_efx->pci_dev);
+- }
+-
++ /* Disable SRIOV and remove any VFs in the host */
+ rc = efx_ef10_pci_sriov_disable(efx, true);
+ if (rc)
+ netif_dbg(efx, drv, efx->net_dev,
+--
+2.30.2
+
--- /dev/null
+From 97cae4175448c3de08276737249bdb000eb923dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jun 2021 17:32:36 +0200
+Subject: sfc: error code if SRIOV cannot be disabled
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Íñigo Huguet <ihuguet@redhat.com>
+
+[ Upstream commit 1ebe4feb8b442884f5a28d2437040096723dd1ea ]
+
+If SRIOV cannot be disabled during device removal or module unloading,
+return error code so it can be logged properly in the calling function.
+
+Note that this can only happen if any VF is currently attached to a
+guest using Xen, but not with vfio/KVM. Despite that in that case the
+VFs won't work properly with PF removed and/or the module unloaded, I
+have let it as is because I don't know what side effects may have
+changing it, and also it seems to be the same that other drivers are
+doing in this situation.
+
+In the case of being called during SRIOV reconfiguration, the behavior
+hasn't changed because the function is called with force=false.
+
+Signed-off-by: Íñigo Huguet <ihuguet@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/sfc/ef10_sriov.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/sfc/ef10_sriov.c b/drivers/net/ethernet/sfc/ef10_sriov.c
+index a5d28b0f75ba..84041cd587d7 100644
+--- a/drivers/net/ethernet/sfc/ef10_sriov.c
++++ b/drivers/net/ethernet/sfc/ef10_sriov.c
+@@ -402,12 +402,17 @@ fail1:
+ return rc;
+ }
+
++/* Disable SRIOV and remove VFs
++ * If some VFs are attached to a guest (using Xen, only) nothing is
++ * done if force=false, and vports are freed if force=true (for the non
++ * attachedc ones, only) but SRIOV is not disabled and VFs are not
++ * removed in either case.
++ */
+ static int efx_ef10_pci_sriov_disable(struct efx_nic *efx, bool force)
+ {
+ struct pci_dev *dev = efx->pci_dev;
+- unsigned int vfs_assigned = 0;
+-
+- vfs_assigned = pci_vfs_assigned(dev);
++ unsigned int vfs_assigned = pci_vfs_assigned(dev);
++ int rc = 0;
+
+ if (vfs_assigned && !force) {
+ netif_info(efx, drv, efx->net_dev, "VFs are assigned to guests; "
+@@ -417,10 +422,12 @@ static int efx_ef10_pci_sriov_disable(struct efx_nic *efx, bool force)
+
+ if (!vfs_assigned)
+ pci_disable_sriov(dev);
++ else
++ rc = -EBUSY;
+
+ efx_ef10_sriov_free_vf_vswitching(efx);
+ efx->vf_count = 0;
+- return 0;
++ return rc;
+ }
+
+ int efx_ef10_sriov_configure(struct efx_nic *efx, int num_vfs)
+--
+2.30.2
+
--- /dev/null
+From 360bb1f3aab7eed4968054767cece5d1611ef145 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 May 2021 12:34:57 +0200
+Subject: udf: Fix NULL pointer dereference in udf_symlink function
+
+From: Arturo Giusti <koredump@protonmail.com>
+
+[ Upstream commit fa236c2b2d4436d9f19ee4e5d5924e90ffd7bb43 ]
+
+In function udf_symlink, epos.bh is assigned with the value returned
+by udf_tgetblk. The function udf_tgetblk is defined in udf/misc.c
+and returns the value of sb_getblk function that could be NULL.
+Then, epos.bh is used without any check, causing a possible
+NULL pointer dereference when sb_getblk fails.
+
+This fix adds a check to validate the value of epos.bh.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=213083
+Signed-off-by: Arturo Giusti <koredump@protonmail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/udf/namei.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/udf/namei.c b/fs/udf/namei.c
+index e169d8fe35b5..f4a72ff8cf95 100644
+--- a/fs/udf/namei.c
++++ b/fs/udf/namei.c
+@@ -932,6 +932,10 @@ static int udf_symlink(struct inode *dir, struct dentry *dentry,
+ iinfo->i_location.partitionReferenceNum,
+ 0);
+ epos.bh = udf_tgetblk(sb, block);
++ if (unlikely(!epos.bh)) {
++ err = -ENOMEM;
++ goto out_no_entry;
++ }
+ lock_buffer(epos.bh);
+ memset(epos.bh->b_data, 0x00, bsize);
+ set_buffer_uptodate(epos.bh);
+--
+2.30.2
+
--- /dev/null
+From 5e3f5f30e88b0280da477075d12dfdb9289556df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 May 2021 21:58:52 +0800
+Subject: virtio-net: Add validation for used length
+
+From: Xie Yongji <xieyongji@bytedance.com>
+
+[ Upstream commit ad993a95c508417acdeb15244109e009e50d8758 ]
+
+This adds validation for used length (might come
+from an untrusted device) to avoid data corruption
+or loss.
+
+Signed-off-by: Xie Yongji <xieyongji@bytedance.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Link: https://lore.kernel.org/r/20210531135852.113-1-xieyongji@bytedance.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/virtio_net.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
+index 286f836a53bf..e2c6c5675ec6 100644
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -660,6 +660,12 @@ static struct sk_buff *receive_small(struct net_device *dev,
+ len -= vi->hdr_len;
+ stats->bytes += len;
+
++ if (unlikely(len > GOOD_PACKET_LEN)) {
++ pr_debug("%s: rx error: len %u exceeds max size %d\n",
++ dev->name, len, GOOD_PACKET_LEN);
++ dev->stats.rx_length_errors++;
++ goto err_len;
++ }
+ rcu_read_lock();
+ xdp_prog = rcu_dereference(rq->xdp_prog);
+ if (xdp_prog) {
+@@ -763,6 +769,7 @@ err:
+ err_xdp:
+ rcu_read_unlock();
+ stats->xdp_drops++;
++err_len:
+ stats->drops++;
+ put_page(page);
+ xdp_xmit:
+@@ -816,6 +823,12 @@ static struct sk_buff *receive_mergeable(struct net_device *dev,
+ head_skb = NULL;
+ stats->bytes += len - vi->hdr_len;
+
++ if (unlikely(len > truesize)) {
++ pr_debug("%s: rx error: len %u exceeds truesize %lu\n",
++ dev->name, len, (unsigned long)ctx);
++ dev->stats.rx_length_errors++;
++ goto err_skb;
++ }
+ rcu_read_lock();
+ xdp_prog = rcu_dereference(rq->xdp_prog);
+ if (xdp_prog) {
+@@ -943,13 +956,6 @@ static struct sk_buff *receive_mergeable(struct net_device *dev,
+ }
+ rcu_read_unlock();
+
+- if (unlikely(len > truesize)) {
+- pr_debug("%s: rx error: len %u exceeds truesize %lu\n",
+- dev->name, len, (unsigned long)ctx);
+- dev->stats.rx_length_errors++;
+- goto err_skb;
+- }
+-
+ head_skb = page_to_skb(vi, rq, page, offset, len, truesize, !xdp_prog,
+ metasize);
+ curr_skb = head_skb;
+--
+2.30.2
+
--- /dev/null
+From a65f3c2ef35a952b23d667254472c01ca05cf87a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Jun 2021 11:31:00 -0400
+Subject: virtio_net: Remove BUG() to avoid machine dead
+
+From: Xianting Tian <xianting.tian@linux.alibaba.com>
+
+[ Upstream commit 85eb1389458d134bdb75dad502cc026c3753a619 ]
+
+We should not directly BUG() when there is hdr error, it is
+better to output a print when such error happens. Currently,
+the caller of xmit_skb() already did it.
+
+Signed-off-by: Xianting Tian <xianting.tian@linux.alibaba.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/virtio_net.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
+index e2c6c5675ec6..91e0e6254a01 100644
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -1563,7 +1563,7 @@ static int xmit_skb(struct send_queue *sq, struct sk_buff *skb)
+ if (virtio_net_hdr_from_skb(skb, &hdr->hdr,
+ virtio_is_little_endian(vi->vdev), false,
+ 0))
+- BUG();
++ return -EPROTO;
+
+ if (vi->mergeable_rx_bufs)
+ hdr->num_buffers = 0;
+--
+2.30.2
+
--- /dev/null
+From 544451c5a7c72cddbf71bd039f356db37fd1f501 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jun 2021 14:26:01 +0800
+Subject: vsock: notify server to shutdown when client has pending signal
+
+From: Longpeng(Mike) <longpeng2@huawei.com>
+
+[ Upstream commit c7ff9cff70601ea19245d997bb977344663434c7 ]
+
+The client's sk_state will be set to TCP_ESTABLISHED if the server
+replay the client's connect request.
+
+However, if the client has pending signal, its sk_state will be set
+to TCP_CLOSE without notify the server, so the server will hold the
+corrupt connection.
+
+ client server
+
+1. sk_state=TCP_SYN_SENT |
+2. call ->connect() |
+3. wait reply |
+ | 4. sk_state=TCP_ESTABLISHED
+ | 5. insert to connected list
+ | 6. reply to the client
+7. sk_state=TCP_ESTABLISHED |
+8. insert to connected list |
+9. *signal pending* <--------------------- the user kill client
+10. sk_state=TCP_CLOSE |
+client is exiting... |
+11. call ->release() |
+ virtio_transport_close
+ if (!(sk->sk_state == TCP_ESTABLISHED ||
+ sk->sk_state == TCP_CLOSING))
+ return true; *return at here, the server cannot notice the connection is corrupt*
+
+So the client should notify the peer in this case.
+
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: Jorgen Hansen <jhansen@vmware.com>
+Cc: Norbert Slusarek <nslusarek@gmx.net>
+Cc: Andra Paraschiv <andraprs@amazon.com>
+Cc: Colin Ian King <colin.king@canonical.com>
+Cc: David Brazdil <dbrazdil@google.com>
+Cc: Alexander Popov <alex.popov@linux.com>
+Suggested-by: Stefano Garzarella <sgarzare@redhat.com>
+Link: https://lkml.org/lkml/2021/5/17/418
+Signed-off-by: lixianming <lixianming5@huawei.com>
+Signed-off-by: Longpeng(Mike) <longpeng2@huawei.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/vmw_vsock/af_vsock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
+index cf86c1376b1a..326250513570 100644
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -1352,7 +1352,7 @@ static int vsock_stream_connect(struct socket *sock, struct sockaddr *addr,
+
+ if (signal_pending(current)) {
+ err = sock_intr_errno(timeout);
+- sk->sk_state = TCP_CLOSE;
++ sk->sk_state = sk->sk_state == TCP_ESTABLISHED ? TCP_CLOSING : TCP_CLOSE;
+ sock->state = SS_UNCONNECTED;
+ vsock_transport_cancel_pkt(vsk);
+ goto out_wait;
+--
+2.30.2
+
--- /dev/null
+From 1cc5e7121147f48a1c2d081d801d00012a240da3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Apr 2021 15:00:32 -0500
+Subject: wireless: wext-spy: Fix out-of-bounds warning
+
+From: Gustavo A. R. Silva <gustavoars@kernel.org>
+
+[ Upstream commit e93bdd78406da9ed01554c51e38b2a02c8ef8025 ]
+
+Fix the following out-of-bounds warning:
+
+net/wireless/wext-spy.c:178:2: warning: 'memcpy' offset [25, 28] from the object at 'threshold' is out of the bounds of referenced subobject 'low' with type 'struct iw_quality' at offset 20 [-Warray-bounds]
+
+The problem is that the original code is trying to copy data into a
+couple of struct members adjacent to each other in a single call to
+memcpy(). This causes a legitimate compiler warning because memcpy()
+overruns the length of &threshold.low and &spydata->spy_thr_low. As
+these are just a couple of struct members, fix this by using direct
+assignments, instead of memcpy().
+
+This helps with the ongoing efforts to globally enable -Warray-bounds
+and get us closer to being able to tighten the FORTIFY_SOURCE routines
+on memcpy().
+
+Link: https://github.com/KSPP/linux/issues/109
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/20210422200032.GA168995@embeddedor
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/wext-spy.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/net/wireless/wext-spy.c b/net/wireless/wext-spy.c
+index 33bef22e44e9..b379a0371653 100644
+--- a/net/wireless/wext-spy.c
++++ b/net/wireless/wext-spy.c
+@@ -120,8 +120,8 @@ int iw_handler_set_thrspy(struct net_device * dev,
+ return -EOPNOTSUPP;
+
+ /* Just do it */
+- memcpy(&(spydata->spy_thr_low), &(threshold->low),
+- 2 * sizeof(struct iw_quality));
++ spydata->spy_thr_low = threshold->low;
++ spydata->spy_thr_high = threshold->high;
+
+ /* Clear flag */
+ memset(spydata->spy_thr_under, '\0', sizeof(spydata->spy_thr_under));
+@@ -147,8 +147,8 @@ int iw_handler_get_thrspy(struct net_device * dev,
+ return -EOPNOTSUPP;
+
+ /* Just do it */
+- memcpy(&(threshold->low), &(spydata->spy_thr_low),
+- 2 * sizeof(struct iw_quality));
++ threshold->low = spydata->spy_thr_low;
++ threshold->high = spydata->spy_thr_high;
+
+ return 0;
+ }
+@@ -173,10 +173,10 @@ static void iw_send_thrspy_event(struct net_device * dev,
+ memcpy(threshold.addr.sa_data, address, ETH_ALEN);
+ threshold.addr.sa_family = ARPHRD_ETHER;
+ /* Copy stats */
+- memcpy(&(threshold.qual), wstats, sizeof(struct iw_quality));
++ threshold.qual = *wstats;
+ /* Copy also thresholds */
+- memcpy(&(threshold.low), &(spydata->spy_thr_low),
+- 2 * sizeof(struct iw_quality));
++ threshold.low = spydata->spy_thr_low;
++ threshold.high = spydata->spy_thr_high;
+
+ /* Send event to user space */
+ wireless_send_event(dev, SIOCGIWTHRSPY, &wrqu, (char *) &threshold);
+--
+2.30.2
+
--- /dev/null
+From 4185e7b8fedf54462fef69c9695927228feea50a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Apr 2021 12:55:08 +0100
+Subject: wl1251: Fix possible buffer overflow in wl1251_cmd_scan
+
+From: Lee Gibson <leegib@gmail.com>
+
+[ Upstream commit d10a87a3535cce2b890897914f5d0d83df669c63 ]
+
+Function wl1251_cmd_scan calls memcpy without checking the length.
+Harden by checking the length is within the maximum allowed size.
+
+Signed-off-by: Lee Gibson <leegib@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210428115508.25624-1-leegib@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ti/wl1251/cmd.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/ti/wl1251/cmd.c b/drivers/net/wireless/ti/wl1251/cmd.c
+index 9547aea01b0f..ea0215246c5c 100644
+--- a/drivers/net/wireless/ti/wl1251/cmd.c
++++ b/drivers/net/wireless/ti/wl1251/cmd.c
+@@ -466,9 +466,12 @@ int wl1251_cmd_scan(struct wl1251 *wl, u8 *ssid, size_t ssid_len,
+ cmd->channels[i].channel = channels[i]->hw_value;
+ }
+
+- cmd->params.ssid_len = ssid_len;
+- if (ssid)
+- memcpy(cmd->params.ssid, ssid, ssid_len);
++ if (ssid) {
++ int len = clamp_val(ssid_len, 0, IEEE80211_MAX_SSID_LEN);
++
++ cmd->params.ssid_len = len;
++ memcpy(cmd->params.ssid, ssid, len);
++ }
+
+ ret = wl1251_cmd_send(wl, CMD_SCAN, cmd, sizeof(*cmd));
+ if (ret < 0) {
+--
+2.30.2
+
--- /dev/null
+From b262c4d652ca3803ad36aaa6921ed48e2e8ba4b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jun 2021 09:28:14 +0300
+Subject: wlcore/wl12xx: Fix wl12xx get_mac error if device is in ELP
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit 11ef6bc846dcdce838f0b00c5f6a562c57e5d43b ]
+
+At least on wl12xx, reading the MAC after boot can fail with a warning
+at drivers/net/wireless/ti/wlcore/sdio.c:78 wl12xx_sdio_raw_read.
+The failed call comes from wl12xx_get_mac() that wlcore_nvs_cb() calls
+after request_firmware_work_func().
+
+After the error, no wireless interface is created. Reloading the wl12xx
+module makes the interface work.
+
+Turns out the wlan controller can be in a low-power ELP state after the
+boot from the bootloader or kexec, and needs to be woken up first.
+
+Let's wake the hardware and add a sleep after that similar to
+wl12xx_pre_boot() is already doing.
+
+Note that a similar issue could exist for wl18xx, but I have not seen it
+so far. And a search for wl18xx_get_mac and wl12xx_sdio_raw_read did not
+produce similar errors.
+
+Cc: Carl Philipp Klemm <philipp@uvos.xyz>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210603062814.19464-1-tony@atomide.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ti/wl12xx/main.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/net/wireless/ti/wl12xx/main.c b/drivers/net/wireless/ti/wl12xx/main.c
+index 9d7dbfe7fe0c..c6da0cfb4afb 100644
+--- a/drivers/net/wireless/ti/wl12xx/main.c
++++ b/drivers/net/wireless/ti/wl12xx/main.c
+@@ -1503,6 +1503,13 @@ static int wl12xx_get_fuse_mac(struct wl1271 *wl)
+ u32 mac1, mac2;
+ int ret;
+
++ /* Device may be in ELP from the bootloader or kexec */
++ ret = wlcore_write32(wl, WL12XX_WELP_ARM_COMMAND, WELP_ARM_COMMAND_VAL);
++ if (ret < 0)
++ goto out;
++
++ usleep_range(500000, 700000);
++
+ ret = wlcore_set_partition(wl, &wl->ptable[PART_DRPW]);
+ if (ret < 0)
+ goto out;
+--
+2.30.2
+
--- /dev/null
+From d0d8bb9bba359eec017c671d212ca5547d117a6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Jun 2021 15:21:49 +0200
+Subject: xfrm: Fix error reporting in xfrm_state_construct.
+
+From: Steffen Klassert <steffen.klassert@secunet.com>
+
+[ Upstream commit 6fd06963fa74197103cdbb4b494763127b3f2f34 ]
+
+When memory allocation for XFRMA_ENCAP or XFRMA_COADDR fails,
+the error will not be reported because the -ENOMEM assignment
+to the err variable is overwritten before. Fix this by moving
+these two in front of the function so that memory allocation
+failures will be reported.
+
+Reported-by: Tobias Brunner <tobias@strongswan.org>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_user.c | 28 ++++++++++++++--------------
+ 1 file changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index d0c32a8fcc4a..45f86a97eaf2 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -580,6 +580,20 @@ static struct xfrm_state *xfrm_state_construct(struct net *net,
+
+ copy_from_user_state(x, p);
+
++ if (attrs[XFRMA_ENCAP]) {
++ x->encap = kmemdup(nla_data(attrs[XFRMA_ENCAP]),
++ sizeof(*x->encap), GFP_KERNEL);
++ if (x->encap == NULL)
++ goto error;
++ }
++
++ if (attrs[XFRMA_COADDR]) {
++ x->coaddr = kmemdup(nla_data(attrs[XFRMA_COADDR]),
++ sizeof(*x->coaddr), GFP_KERNEL);
++ if (x->coaddr == NULL)
++ goto error;
++ }
++
+ if (attrs[XFRMA_SA_EXTRA_FLAGS])
+ x->props.extra_flags = nla_get_u32(attrs[XFRMA_SA_EXTRA_FLAGS]);
+
+@@ -600,23 +614,9 @@ static struct xfrm_state *xfrm_state_construct(struct net *net,
+ attrs[XFRMA_ALG_COMP])))
+ goto error;
+
+- if (attrs[XFRMA_ENCAP]) {
+- x->encap = kmemdup(nla_data(attrs[XFRMA_ENCAP]),
+- sizeof(*x->encap), GFP_KERNEL);
+- if (x->encap == NULL)
+- goto error;
+- }
+-
+ if (attrs[XFRMA_TFCPAD])
+ x->tfcpad = nla_get_u32(attrs[XFRMA_TFCPAD]);
+
+- if (attrs[XFRMA_COADDR]) {
+- x->coaddr = kmemdup(nla_data(attrs[XFRMA_COADDR]),
+- sizeof(*x->coaddr), GFP_KERNEL);
+- if (x->coaddr == NULL)
+- goto error;
+- }
+-
+ xfrm_mark_get(attrs, &x->mark);
+
+ xfrm_smark_init(attrs, &x->props.smark);
+--
+2.30.2
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
