--- /dev/null
+From 11a37eb66812ce6a06b79223ad530eb0e1d7294d Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Mon, 20 Jun 2022 13:11:14 +0800
+Subject: caif_virtio: fix race between virtio_device_ready() and ndo_open()
+
+From: Jason Wang <jasowang@redhat.com>
+
+commit 11a37eb66812ce6a06b79223ad530eb0e1d7294d upstream.
+
+We currently depend on probe() calling virtio_device_ready() -
+which happens after netdev
+registration. Since ndo_open() can be called immediately
+after register_netdev, this means there exists a race between
+ndo_open() and virtio_device_ready(): the driver may start to use the
+device (e.g. TX) before DRIVER_OK which violates the spec.
+
+Fix this by switching to use register_netdevice() and protect the
+virtio_device_ready() with rtnl_lock() to make sure ndo_open() can
+only be called after virtio_device_ready().
+
+Fixes: 0d2e1a2926b18 ("caif_virtio: Introduce caif over virtio")
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Message-Id: <20220620051115.3142-3-jasowang@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/caif/caif_virtio.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/caif/caif_virtio.c
++++ b/drivers/net/caif/caif_virtio.c
+@@ -721,13 +721,21 @@ static int cfv_probe(struct virtio_devic
+ /* Carrier is off until netdevice is opened */
+ netif_carrier_off(netdev);
+
++ /* serialize netdev register + virtio_device_ready() with ndo_open() */
++ rtnl_lock();
++
+ /* register Netdev */
+- err = register_netdev(netdev);
++ err = register_netdevice(netdev);
+ if (err) {
++ rtnl_unlock();
+ dev_err(&vdev->dev, "Unable to register netdev (%d)\n", err);
+ goto err;
+ }
+
++ virtio_device_ready(vdev);
++
++ rtnl_unlock();
++
+ debugfs_init(cfv);
+
+ return 0;
--- /dev/null
+From 8ee9d82cd0a45e7d050ade598c9f33032a0f2891 Mon Sep 17 00:00:00 2001
+From: Tong Zhang <ztong0001@gmail.com>
+Date: Sun, 26 Jun 2022 21:33:48 -0700
+Subject: epic100: fix use after free on rmmod
+
+From: Tong Zhang <ztong0001@gmail.com>
+
+commit 8ee9d82cd0a45e7d050ade598c9f33032a0f2891 upstream.
+
+epic_close() calls epic_rx() and uses dma buffer, but in epic_remove_one()
+we already freed the dma buffer. To fix this issue, reorder function calls
+like in the .probe function.
+
+BUG: KASAN: use-after-free in epic_rx+0xa6/0x7e0 [epic100]
+Call Trace:
+ epic_rx+0xa6/0x7e0 [epic100]
+ epic_close+0xec/0x2f0 [epic100]
+ unregister_netdev+0x18/0x20
+ epic_remove_one+0xaa/0xf0 [epic100]
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Yilun Wu <yiluwu@cs.stonybrook.edu>
+Signed-off-by: Tong Zhang <ztong0001@gmail.com>
+Reviewed-by: Francois Romieu <romieu@fr.zoreil.com>
+Link: https://lore.kernel.org/r/20220627043351.25615-1-ztong0001@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/smsc/epic100.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/smsc/epic100.c
++++ b/drivers/net/ethernet/smsc/epic100.c
+@@ -1513,14 +1513,14 @@ static void epic_remove_one(struct pci_d
+ struct net_device *dev = pci_get_drvdata(pdev);
+ struct epic_private *ep = netdev_priv(dev);
+
++ unregister_netdev(dev);
+ dma_free_coherent(&pdev->dev, TX_TOTAL_SIZE, ep->tx_ring,
+ ep->tx_ring_dma);
+ dma_free_coherent(&pdev->dev, RX_TOTAL_SIZE, ep->rx_ring,
+ ep->rx_ring_dma);
+- unregister_netdev(dev);
+ pci_iounmap(pdev, ep->ioaddr);
+- pci_release_regions(pdev);
+ free_netdev(dev);
++ pci_release_regions(pdev);
+ pci_disable_device(pdev);
+ /* pci_power_off(pdev, -1); */
+ }
+++ /dev/null
-From 1bbb2809040a1f9c7c53c9f06c21aa83275ed27b Mon Sep 17 00:00:00 2001
-From: Eddie James <eajames@linux.ibm.com>
-Date: Tue, 28 Jun 2022 15:30:29 -0500
-Subject: hwmon: (occ) Prevent power cap command overwriting poll response
-
-From: Eddie James <eajames@linux.ibm.com>
-
-commit 1bbb2809040a1f9c7c53c9f06c21aa83275ed27b upstream.
-
-Currently, the response to the power cap command overwrites the
-first eight bytes of the poll response, since the commands use
-the same buffer. This means that user's get the wrong data between
-the time of sending the power cap and the next poll response update.
-Fix this by specifying a different buffer for the power cap command
-response.
-
-Fixes: 5b5513b88002 ("hwmon: Add On-Chip Controller (OCC) hwmon driver")
-Signed-off-by: Eddie James <eajames@linux.ibm.com>
-Link: https://lore.kernel.org/r/20220628203029.51747-1-eajames@linux.ibm.com
-Signed-off-by: Guenter Roeck <linux@roeck-us.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/hwmon/occ/common.c | 5 +++--
- drivers/hwmon/occ/common.h | 3 ++-
- drivers/hwmon/occ/p8_i2c.c | 13 +++++++------
- drivers/hwmon/occ/p9_sbe.c | 7 +++----
- 4 files changed, 15 insertions(+), 13 deletions(-)
-
-diff --git a/drivers/hwmon/occ/common.c b/drivers/hwmon/occ/common.c
-index ea070b91e5b9..157b73a3da29 100644
---- a/drivers/hwmon/occ/common.c
-+++ b/drivers/hwmon/occ/common.c
-@@ -145,7 +145,7 @@ static int occ_poll(struct occ *occ)
- cmd[6] = 0; /* checksum lsb */
-
- /* mutex should already be locked if necessary */
-- rc = occ->send_cmd(occ, cmd, sizeof(cmd));
-+ rc = occ->send_cmd(occ, cmd, sizeof(cmd), &occ->resp, sizeof(occ->resp));
- if (rc) {
- occ->last_error = rc;
- if (occ->error_count++ > OCC_ERROR_COUNT_THRESHOLD)
-@@ -182,6 +182,7 @@ static int occ_set_user_power_cap(struct occ *occ, u16 user_power_cap)
- {
- int rc;
- u8 cmd[8];
-+ u8 resp[8];
- __be16 user_power_cap_be = cpu_to_be16(user_power_cap);
-
- cmd[0] = 0; /* sequence number */
-@@ -198,7 +199,7 @@ static int occ_set_user_power_cap(struct occ *occ, u16 user_power_cap)
- if (rc)
- return rc;
-
-- rc = occ->send_cmd(occ, cmd, sizeof(cmd));
-+ rc = occ->send_cmd(occ, cmd, sizeof(cmd), resp, sizeof(resp));
-
- mutex_unlock(&occ->lock);
-
-diff --git a/drivers/hwmon/occ/common.h b/drivers/hwmon/occ/common.h
-index 64d5ec7e169b..7ac4b2febce6 100644
---- a/drivers/hwmon/occ/common.h
-+++ b/drivers/hwmon/occ/common.h
-@@ -96,7 +96,8 @@ struct occ {
-
- int powr_sample_time_us; /* average power sample time */
- u8 poll_cmd_data; /* to perform OCC poll command */
-- int (*send_cmd)(struct occ *occ, u8 *cmd, size_t len);
-+ int (*send_cmd)(struct occ *occ, u8 *cmd, size_t len, void *resp,
-+ size_t resp_len);
-
- unsigned long next_update;
- struct mutex lock; /* lock OCC access */
-diff --git a/drivers/hwmon/occ/p8_i2c.c b/drivers/hwmon/occ/p8_i2c.c
-index da39ea28df31..b221be1f35f3 100644
---- a/drivers/hwmon/occ/p8_i2c.c
-+++ b/drivers/hwmon/occ/p8_i2c.c
-@@ -111,7 +111,8 @@ static int p8_i2c_occ_putscom_be(struct i2c_client *client, u32 address,
- be32_to_cpu(data1));
- }
-
--static int p8_i2c_occ_send_cmd(struct occ *occ, u8 *cmd, size_t len)
-+static int p8_i2c_occ_send_cmd(struct occ *occ, u8 *cmd, size_t len,
-+ void *resp, size_t resp_len)
- {
- int i, rc;
- unsigned long start;
-@@ -120,7 +121,7 @@ static int p8_i2c_occ_send_cmd(struct occ *occ, u8 *cmd, size_t len)
- const long wait_time = msecs_to_jiffies(OCC_CMD_IN_PRG_WAIT_MS);
- struct p8_i2c_occ *ctx = to_p8_i2c_occ(occ);
- struct i2c_client *client = ctx->client;
-- struct occ_response *resp = &occ->resp;
-+ struct occ_response *or = (struct occ_response *)resp;
-
- start = jiffies;
-
-@@ -151,7 +152,7 @@ static int p8_i2c_occ_send_cmd(struct occ *occ, u8 *cmd, size_t len)
- return rc;
-
- /* wait for OCC */
-- if (resp->return_status == OCC_RESP_CMD_IN_PRG) {
-+ if (or->return_status == OCC_RESP_CMD_IN_PRG) {
- rc = -EALREADY;
-
- if (time_after(jiffies, start + timeout))
-@@ -163,7 +164,7 @@ static int p8_i2c_occ_send_cmd(struct occ *occ, u8 *cmd, size_t len)
- } while (rc);
-
- /* check the OCC response */
-- switch (resp->return_status) {
-+ switch (or->return_status) {
- case OCC_RESP_CMD_IN_PRG:
- rc = -ETIMEDOUT;
- break;
-@@ -192,8 +193,8 @@ static int p8_i2c_occ_send_cmd(struct occ *occ, u8 *cmd, size_t len)
- if (rc < 0)
- return rc;
-
-- data_length = get_unaligned_be16(&resp->data_length);
-- if (data_length > OCC_RESP_DATA_BYTES)
-+ data_length = get_unaligned_be16(&or->data_length);
-+ if ((data_length + 7) > resp_len)
- return -EMSGSIZE;
-
- /* fetch the rest of the response data */
-diff --git a/drivers/hwmon/occ/p9_sbe.c b/drivers/hwmon/occ/p9_sbe.c
-index 42fc7b97bb34..a91937e28e12 100644
---- a/drivers/hwmon/occ/p9_sbe.c
-+++ b/drivers/hwmon/occ/p9_sbe.c
-@@ -78,11 +78,10 @@ static bool p9_sbe_occ_save_ffdc(struct p9_sbe_occ *ctx, const void *resp,
- return notify;
- }
-
--static int p9_sbe_occ_send_cmd(struct occ *occ, u8 *cmd, size_t len)
-+static int p9_sbe_occ_send_cmd(struct occ *occ, u8 *cmd, size_t len,
-+ void *resp, size_t resp_len)
- {
-- struct occ_response *resp = &occ->resp;
- struct p9_sbe_occ *ctx = to_p9_sbe_occ(occ);
-- size_t resp_len = sizeof(*resp);
- int rc;
-
- rc = fsi_occ_submit(ctx->sbe, cmd, len, resp, &resp_len);
-@@ -96,7 +95,7 @@ static int p9_sbe_occ_send_cmd(struct occ *occ, u8 *cmd, size_t len)
- return rc;
- }
-
-- switch (resp->return_status) {
-+ switch (((struct occ_response *)resp)->return_status) {
- case OCC_RESP_CMD_IN_PRG:
- rc = -ETIMEDOUT;
- break;
---
-2.37.0
-
--- /dev/null
+From foo@baz Mon Jul 4 03:23:28 PM CEST 2022
+From: Jens Axboe <axboe@kernel.dk>
+Date: Thu, 30 Jun 2022 14:42:05 -0600
+Subject: io_uring: ensure that send/sendmsg and recv/recvmsg check sqe->ioprio
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit 73911426aaaadbae54fa72359b33a7b6a56947db upstream.
+
+All other opcodes correctly check if this is set and -EINVAL if it is
+and they don't support that field, for some reason the these were
+forgotten.
+
+This was unified a bit differently in the upstream tree, but had the
+same effect as making sure we error on this field. Rather than have
+a painful backport of the upstream commit, just fixup the mentioned
+opcodes.
+
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/io_uring.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -4788,6 +4788,8 @@ static int io_sendmsg_prep(struct io_kio
+ return -EINVAL;
+ if (unlikely(sqe->addr2 || sqe->file_index))
+ return -EINVAL;
++ if (unlikely(sqe->addr2 || sqe->file_index || sqe->ioprio))
++ return -EINVAL;
+
+ sr->umsg = u64_to_user_ptr(READ_ONCE(sqe->addr));
+ sr->len = READ_ONCE(sqe->len);
+@@ -5011,6 +5013,8 @@ static int io_recvmsg_prep(struct io_kio
+ return -EINVAL;
+ if (unlikely(sqe->addr2 || sqe->file_index))
+ return -EINVAL;
++ if (unlikely(sqe->addr2 || sqe->file_index || sqe->ioprio))
++ return -EINVAL;
+
+ sr->umsg = u64_to_user_ptr(READ_ONCE(sqe->addr));
+ sr->len = READ_ONCE(sqe->len);
--- /dev/null
+From 805206e66fab4ba1e0ebd19402006d62cd1d4902 Mon Sep 17 00:00:00 2001
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+Date: Fri, 24 Jun 2022 09:51:38 +0200
+Subject: net: asix: fix "can't send until first packet is send" issue
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+commit 805206e66fab4ba1e0ebd19402006d62cd1d4902 upstream.
+
+If cable is attached after probe sequence, the usbnet framework would
+not automatically start processing RX packets except at least one
+packet was transmitted.
+
+On systems with any kind of address auto configuration this issue was
+not detected, because some packets are send immediately after link state
+is changed to "running".
+
+With this patch we will notify usbnet about link status change provided by the
+PHYlib.
+
+Fixes: e532a096be0e ("net: usb: asix: ax88772: add phylib support")
+Reported-by: Anton Lundin <glance@acc.umu.se>
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Tested-by: Anton Lundin <glance@acc.umu.se>
+Link: https://lore.kernel.org/r/20220624075139.3139300-1-o.rempel@pengutronix.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/asix_common.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/asix_common.c
++++ b/drivers/net/usb/asix_common.c
+@@ -431,6 +431,7 @@ void asix_adjust_link(struct net_device
+
+ asix_write_medium_mode(dev, mode, 0);
+ phy_print_status(phydev);
++ usbnet_link_change(dev, phydev->link, 0);
+ }
+
+ int asix_write_gpio(struct usbnet *dev, u16 value, int sleep, int in_pm)
--- /dev/null
+From ab84db251c04d38b8dc7ee86e13d4050bedb1c88 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 27 Jun 2022 10:28:13 +0000
+Subject: net: bonding: fix possible NULL deref in rlb code
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit ab84db251c04d38b8dc7ee86e13d4050bedb1c88 upstream.
+
+syzbot has two reports involving the same root cause.
+
+bond_alb_initialize() must not set bond->alb_info.rlb_enabled
+if a memory allocation error is detected.
+
+Report 1:
+
+general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN
+KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
+CPU: 0 PID: 12276 Comm: kworker/u4:10 Not tainted 5.19.0-rc3-syzkaller-00132-g3b89b511ea0c #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Workqueue: netns cleanup_net
+RIP: 0010:rlb_clear_slave+0x10e/0x690 drivers/net/bonding/bond_alb.c:393
+Code: 8e fc 83 fb ff 0f 84 74 02 00 00 e8 cc 2a 8e fc 48 8b 44 24 08 89 dd 48 c1 e5 06 4c 8d 34 28 49 8d 7e 14 48 89 f8 48 c1 e8 03 <42> 0f b6 14 20 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85
+RSP: 0018:ffffc90018a8f678 EFLAGS: 00010203
+RAX: 0000000000000002 RBX: 0000000000000000 RCX: 0000000000000000
+RDX: ffff88803375bb00 RSI: ffffffff84ec4ac4 RDI: 0000000000000014
+RBP: 0000000000000000 R08: 0000000000000005 R09: 00000000ffffffff
+R10: 0000000000000000 R11: 0000000000000000 R12: dffffc0000000000
+R13: ffff8880ac889000 R14: 0000000000000000 R15: ffff88815a668c80
+FS: 0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00005597077e10b0 CR3: 0000000026668000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+<TASK>
+bond_alb_deinit_slave+0x43c/0x6b0 drivers/net/bonding/bond_alb.c:1663
+__bond_release_one.cold+0x383/0xd53 drivers/net/bonding/bond_main.c:2370
+bond_slave_netdev_event drivers/net/bonding/bond_main.c:3778 [inline]
+bond_netdev_event+0x993/0xad0 drivers/net/bonding/bond_main.c:3889
+notifier_call_chain+0xb5/0x200 kernel/notifier.c:87
+call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1945
+call_netdevice_notifiers_extack net/core/dev.c:1983 [inline]
+call_netdevice_notifiers net/core/dev.c:1997 [inline]
+unregister_netdevice_many+0x948/0x18b0 net/core/dev.c:10839
+default_device_exit_batch+0x449/0x590 net/core/dev.c:11333
+ops_exit_list+0x125/0x170 net/core/net_namespace.c:167
+cleanup_net+0x4ea/0xb00 net/core/net_namespace.c:594
+process_one_work+0x996/0x1610 kernel/workqueue.c:2289
+worker_thread+0x665/0x1080 kernel/workqueue.c:2436
+kthread+0x2e9/0x3a0 kernel/kthread.c:376
+ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
+</TASK>
+
+Report 2:
+
+general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN
+KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
+CPU: 1 PID: 5206 Comm: syz-executor.1 Not tainted 5.18.0-syzkaller-12108-g58f9d52ff689 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:rlb_req_update_slave_clients+0x109/0x2f0 drivers/net/bonding/bond_alb.c:502
+Code: 5d 18 8f fc 41 80 3e 00 0f 85 a5 01 00 00 89 d8 48 c1 e0 06 49 03 84 24 68 01 00 00 48 8d 78 30 49 89 c7 48 89 fa 48 c1 ea 03 <80> 3c 2a 00 0f 85 98 01 00 00 4d 39 6f 30 75 83 e8 22 18 8f fc 49
+RSP: 0018:ffffc9000300ee80 EFLAGS: 00010206
+RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffc90016c11000
+RDX: 0000000000000006 RSI: ffffffff84eb6bf3 RDI: 0000000000000030
+RBP: dffffc0000000000 R08: 0000000000000005 R09: 00000000ffffffff
+R10: 0000000000000000 R11: 0000000000000000 R12: ffff888027c80c80
+R13: ffff88807d7ff800 R14: ffffed1004f901bd R15: 0000000000000000
+FS: 00007f6f46c58700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000020010000 CR3: 00000000516cc000 CR4: 00000000003506e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ alb_fasten_mac_swap+0x886/0xa80 drivers/net/bonding/bond_alb.c:1070
+ bond_alb_handle_active_change+0x624/0x1050 drivers/net/bonding/bond_alb.c:1765
+ bond_change_active_slave+0xfa1/0x29b0 drivers/net/bonding/bond_main.c:1173
+ bond_select_active_slave+0x23f/0xa50 drivers/net/bonding/bond_main.c:1253
+ bond_enslave+0x3b34/0x53b0 drivers/net/bonding/bond_main.c:2159
+ do_set_master+0x1c8/0x220 net/core/rtnetlink.c:2577
+ rtnl_newlink_create net/core/rtnetlink.c:3380 [inline]
+ __rtnl_newlink+0x13ac/0x17e0 net/core/rtnetlink.c:3580
+ rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3593
+ rtnetlink_rcv_msg+0x43a/0xc90 net/core/rtnetlink.c:6089
+ netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2501
+ netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
+ netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345
+ netlink_sendmsg+0x917/0xe10 net/netlink/af_netlink.c:1921
+ sock_sendmsg_nosec net/socket.c:714 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:734
+ ____sys_sendmsg+0x6eb/0x810 net/socket.c:2492
+ ___sys_sendmsg+0xf3/0x170 net/socket.c:2546
+ __sys_sendmsg net/socket.c:2575 [inline]
+ __do_sys_sendmsg net/socket.c:2584 [inline]
+ __se_sys_sendmsg net/socket.c:2582 [inline]
+ __x64_sys_sendmsg+0x132/0x220 net/socket.c:2582
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x46/0xb0
+RIP: 0033:0x7f6f45a89109
+Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f6f46c58168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 00007f6f45b9c030 RCX: 00007f6f45a89109
+RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000006
+RBP: 00007f6f45ae308d R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007ffed99029af R14: 00007f6f46c58300 R15: 0000000000022000
+ </TASK>
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Jay Vosburgh <j.vosburgh@gmail.com>
+Cc: Veaceslav Falico <vfalico@gmail.com>
+Cc: Andy Gospodarek <andy@greyhouse.net>
+Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
+Link: https://lore.kernel.org/r/20220627102813.126264-1-edumazet@google.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_alb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/bonding/bond_alb.c
++++ b/drivers/net/bonding/bond_alb.c
+@@ -1281,12 +1281,12 @@ int bond_alb_initialize(struct bonding *
+ return res;
+
+ if (rlb_enabled) {
+- bond->alb_info.rlb_enabled = 1;
+ res = rlb_initialize(bond);
+ if (res) {
+ tlb_deinitialize(bond);
+ return res;
+ }
++ bond->alb_info.rlb_enabled = 1;
+ } else {
+ bond->alb_info.rlb_enabled = 0;
+ }
--- /dev/null
+From 050133e1aa2cb49bb17be847d48a4431598ef562 Mon Sep 17 00:00:00 2001
+From: Yevhen Orlov <yevhen.orlov@plvision.eu>
+Date: Wed, 29 Jun 2022 04:29:14 +0300
+Subject: net: bonding: fix use-after-free after 802.3ad slave unbind
+
+From: Yevhen Orlov <yevhen.orlov@plvision.eu>
+
+commit 050133e1aa2cb49bb17be847d48a4431598ef562 upstream.
+
+commit 0622cab0341c ("bonding: fix 802.3ad aggregator reselection"),
+resolve case, when there is several aggregation groups in the same bond.
+bond_3ad_unbind_slave will invalidate (clear) aggregator when
+__agg_active_ports return zero. So, ad_clear_agg can be executed even, when
+num_of_ports!=0. Than bond_3ad_unbind_slave can be executed again for,
+previously cleared aggregator. NOTE: at this time bond_3ad_unbind_slave
+will not update slave ports list, because lag_ports==NULL. So, here we
+got slave ports, pointing to freed aggregator memory.
+
+Fix with checking actual number of ports in group (as was before
+commit 0622cab0341c ("bonding: fix 802.3ad aggregator reselection") ),
+before ad_clear_agg().
+
+The KASAN logs are as follows:
+
+[ 767.617392] ==================================================================
+[ 767.630776] BUG: KASAN: use-after-free in bond_3ad_state_machine_handler+0x13dc/0x1470
+[ 767.638764] Read of size 2 at addr ffff00011ba9d430 by task kworker/u8:7/767
+[ 767.647361] CPU: 3 PID: 767 Comm: kworker/u8:7 Tainted: G O 5.15.11 #15
+[ 767.655329] Hardware name: DNI AmazonGo1 A7040 board (DT)
+[ 767.660760] Workqueue: lacp_1 bond_3ad_state_machine_handler
+[ 767.666468] Call trace:
+[ 767.668930] dump_backtrace+0x0/0x2d0
+[ 767.672625] show_stack+0x24/0x30
+[ 767.675965] dump_stack_lvl+0x68/0x84
+[ 767.679659] print_address_description.constprop.0+0x74/0x2b8
+[ 767.685451] kasan_report+0x1f0/0x260
+[ 767.689148] __asan_load2+0x94/0xd0
+[ 767.692667] bond_3ad_state_machine_handler+0x13dc/0x1470
+
+Fixes: 0622cab0341c ("bonding: fix 802.3ad aggregator reselection")
+Co-developed-by: Maksym Glubokiy <maksym.glubokiy@plvision.eu>
+Signed-off-by: Maksym Glubokiy <maksym.glubokiy@plvision.eu>
+Signed-off-by: Yevhen Orlov <yevhen.orlov@plvision.eu>
+Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
+Link: https://lore.kernel.org/r/20220629012914.361-1-yevhen.orlov@plvision.eu
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_3ad.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/bonding/bond_3ad.c
++++ b/drivers/net/bonding/bond_3ad.c
+@@ -2228,7 +2228,8 @@ void bond_3ad_unbind_slave(struct slave
+ temp_aggregator->num_of_ports--;
+ if (__agg_active_ports(temp_aggregator) == 0) {
+ select_new_active_agg = temp_aggregator->is_active;
+- ad_clear_agg(temp_aggregator);
++ if (temp_aggregator->num_of_ports == 0)
++ ad_clear_agg(temp_aggregator);
+ if (select_new_active_agg) {
+ slave_info(bond->dev, slave->dev, "Removing an active aggregator\n");
+ /* select new active aggregator */
--- /dev/null
+From 16d584d2fc8f4ea36203af45a76becd7093586f1 Mon Sep 17 00:00:00 2001
+From: Liang He <windhl@126.com>
+Date: Wed, 22 Jun 2022 12:06:21 +0800
+Subject: net/dsa/hirschmann: Add missing of_node_get() in hellcreek_led_setup()
+
+From: Liang He <windhl@126.com>
+
+commit 16d584d2fc8f4ea36203af45a76becd7093586f1 upstream.
+
+of_find_node_by_name() will decrease the refcount of its first arg and
+we need a of_node_get() to keep refcount balance.
+
+Fixes: 7d9ee2e8ff15 ("net: dsa: hellcreek: Add PTP status LEDs")
+Signed-off-by: Liang He <windhl@126.com>
+Link: https://lore.kernel.org/r/20220622040621.4094304-1-windhl@126.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/hirschmann/hellcreek_ptp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/dsa/hirschmann/hellcreek_ptp.c
++++ b/drivers/net/dsa/hirschmann/hellcreek_ptp.c
+@@ -300,6 +300,7 @@ static int hellcreek_led_setup(struct he
+ const char *label, *state;
+ int ret = -EINVAL;
+
++ of_node_get(hellcreek->dev->of_node);
+ leds = of_find_node_by_name(hellcreek->dev->of_node, "leds");
+ if (!leds) {
+ dev_err(hellcreek->dev, "No LEDs specified in device tree!\n");
--- /dev/null
+From fa152f626b24ec2ca3489100d8c5c0a0bce4e2ef Mon Sep 17 00:00:00 2001
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+Date: Tue, 28 Jun 2022 13:43:49 +0200
+Subject: net: phy: ax88772a: fix lost pause advertisement configuration
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+commit fa152f626b24ec2ca3489100d8c5c0a0bce4e2ef upstream.
+
+In case of asix_ax88772a_link_change_notify() workaround, we run soft
+reset which will automatically clear MII_ADVERTISE configuration. The
+PHYlib framework do not know about changed configuration state of the
+PHY, so we need use phy_init_hw() to reinit PHY configuration.
+
+Fixes: dde258469257 ("net: usb/phy: asix: add support for ax88772A/C PHYs")
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://lore.kernel.org/r/20220628114349.3929928-1-o.rempel@pengutronix.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/ax88796b.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/phy/ax88796b.c b/drivers/net/phy/ax88796b.c
+index 457896337505..0f1e617a26c9 100644
+--- a/drivers/net/phy/ax88796b.c
++++ b/drivers/net/phy/ax88796b.c
+@@ -88,8 +88,10 @@ static void asix_ax88772a_link_change_notify(struct phy_device *phydev)
+ /* Reset PHY, otherwise MII_LPA will provide outdated information.
+ * This issue is reproducible only with some link partner PHYs
+ */
+- if (phydev->state == PHY_NOLINK && phydev->drv->soft_reset)
+- phydev->drv->soft_reset(phydev);
++ if (phydev->state == PHY_NOLINK) {
++ phy_init_hw(phydev);
++ phy_start_aneg(phydev);
++ }
+ }
+
+ static struct phy_driver asix_driver[] = {
+--
+2.37.0
+
--- /dev/null
+From 76b39b94382f9e0a639e1c70c3253de248cc4c83 Mon Sep 17 00:00:00 2001
+From: Victor Nogueira <victor@mojatatu.com>
+Date: Thu, 23 Jun 2022 11:07:41 -0300
+Subject: net/sched: act_api: Notify user space if any actions were flushed before error
+
+From: Victor Nogueira <victor@mojatatu.com>
+
+commit 76b39b94382f9e0a639e1c70c3253de248cc4c83 upstream.
+
+If during an action flush operation one of the actions is still being
+referenced, the flush operation is aborted and the kernel returns to
+user space with an error. However, if the kernel was able to flush, for
+example, 3 actions and failed on the fourth, the kernel will not notify
+user space that it deleted 3 actions before failing.
+
+This patch fixes that behaviour by notifying user space of how many
+actions were deleted before flush failed and by setting extack with a
+message describing what happened.
+
+Fixes: 55334a5db5cd ("net_sched: act: refuse to remove bound action outside")
+Signed-off-by: Victor Nogueira <victor@mojatatu.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_api.c | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+--- a/net/sched/act_api.c
++++ b/net/sched/act_api.c
+@@ -350,7 +350,8 @@ static int tcf_idr_release_unsafe(struct
+ }
+
+ static int tcf_del_walker(struct tcf_idrinfo *idrinfo, struct sk_buff *skb,
+- const struct tc_action_ops *ops)
++ const struct tc_action_ops *ops,
++ struct netlink_ext_ack *extack)
+ {
+ struct nlattr *nest;
+ int n_i = 0;
+@@ -366,20 +367,25 @@ static int tcf_del_walker(struct tcf_idr
+ if (nla_put_string(skb, TCA_KIND, ops->kind))
+ goto nla_put_failure;
+
++ ret = 0;
+ mutex_lock(&idrinfo->lock);
+ idr_for_each_entry_ul(idr, p, tmp, id) {
+ if (IS_ERR(p))
+ continue;
+ ret = tcf_idr_release_unsafe(p);
+- if (ret == ACT_P_DELETED) {
++ if (ret == ACT_P_DELETED)
+ module_put(ops->owner);
+- n_i++;
+- } else if (ret < 0) {
+- mutex_unlock(&idrinfo->lock);
+- goto nla_put_failure;
+- }
++ else if (ret < 0)
++ break;
++ n_i++;
+ }
+ mutex_unlock(&idrinfo->lock);
++ if (ret < 0) {
++ if (n_i)
++ NL_SET_ERR_MSG(extack, "Unable to flush all TC actions");
++ else
++ goto nla_put_failure;
++ }
+
+ ret = nla_put_u32(skb, TCA_FCNT, n_i);
+ if (ret)
+@@ -400,7 +406,7 @@ int tcf_generic_walker(struct tc_action_
+ struct tcf_idrinfo *idrinfo = tn->idrinfo;
+
+ if (type == RTM_DELACTION) {
+- return tcf_del_walker(idrinfo, skb, ops);
++ return tcf_del_walker(idrinfo, skb, ops, extack);
+ } else if (type == RTM_GETACTION) {
+ return tcf_dump_walker(idrinfo, skb, cb);
+ } else {
--- /dev/null
+From 05907f10e235680cc7fb196810e4ad3215d5e648 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Tue, 21 Jun 2022 14:01:41 +0200
+Subject: netfilter: nft_dynset: restore set element counter when failing to update
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 05907f10e235680cc7fb196810e4ad3215d5e648 upstream.
+
+This patch fixes a race condition.
+
+nft_rhash_update() might fail for two reasons:
+
+- Element already exists in the hashtable.
+- Another packet won race to insert an entry in the hashtable.
+
+In both cases, new() has already bumped the counter via atomic_add_unless(),
+therefore, decrement the set element counter.
+
+Fixes: 22fe54d5fefc ("netfilter: nf_tables: add support for dynamic set updates")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nft_set_hash.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/netfilter/nft_set_hash.c
++++ b/net/netfilter/nft_set_hash.c
+@@ -143,6 +143,7 @@ static bool nft_rhash_update(struct nft_
+ /* Another cpu may race to insert the element with the same key */
+ if (prev) {
+ nft_set_elem_destroy(set, he, true);
++ atomic_dec(&set->nelems);
+ he = prev;
+ }
+
+@@ -152,6 +153,7 @@ out:
+
+ err2:
+ nft_set_elem_destroy(set, he, true);
++ atomic_dec(&set->nelems);
+ err1:
+ return false;
+ }
--- /dev/null
+From 5a478a653b4cca148d5c89832f007ec0809d7e6d Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Date: Mon, 27 Jun 2022 14:40:48 +0200
+Subject: nfc: nfcmrvl: Fix irq_of_parse_and_map() return value
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+commit 5a478a653b4cca148d5c89832f007ec0809d7e6d upstream.
+
+The irq_of_parse_and_map() returns 0 on failure, not a negative ERRNO.
+
+Reported-by: Lv Ruyi <lv.ruyi@zte.com.cn>
+Fixes: caf6e49bf6d0 ("NFC: nfcmrvl: add spi driver")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20220627124048.296253-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nfc/nfcmrvl/i2c.c | 6 +++---
+ drivers/nfc/nfcmrvl/spi.c | 6 +++---
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/nfc/nfcmrvl/i2c.c
++++ b/drivers/nfc/nfcmrvl/i2c.c
+@@ -167,9 +167,9 @@ static int nfcmrvl_i2c_parse_dt(struct d
+ pdata->irq_polarity = IRQF_TRIGGER_RISING;
+
+ ret = irq_of_parse_and_map(node, 0);
+- if (ret < 0) {
+- pr_err("Unable to get irq, error: %d\n", ret);
+- return ret;
++ if (!ret) {
++ pr_err("Unable to get irq\n");
++ return -EINVAL;
+ }
+ pdata->irq = ret;
+
+--- a/drivers/nfc/nfcmrvl/spi.c
++++ b/drivers/nfc/nfcmrvl/spi.c
+@@ -115,9 +115,9 @@ static int nfcmrvl_spi_parse_dt(struct d
+ }
+
+ ret = irq_of_parse_and_map(node, 0);
+- if (ret < 0) {
+- pr_err("Unable to get irq, error: %d\n", ret);
+- return ret;
++ if (!ret) {
++ pr_err("Unable to get irq\n");
++ return -EINVAL;
+ }
+ pdata->irq = ret;
+
--- /dev/null
+From eddd95b9423946aaacb55cac6a9b2cea8ab944fc Mon Sep 17 00:00:00 2001
+From: Michael Walle <michael@walle.cc>
+Date: Mon, 27 Jun 2022 19:06:42 +0200
+Subject: NFC: nxp-nci: Don't issue a zero length i2c_master_read()
+
+From: Michael Walle <michael@walle.cc>
+
+commit eddd95b9423946aaacb55cac6a9b2cea8ab944fc upstream.
+
+There are packets which doesn't have a payload. In that case, the second
+i2c_master_read() will have a zero length. But because the NFC
+controller doesn't have any data left, it will NACK the I2C read and
+-ENXIO will be returned. In case there is no payload, just skip the
+second i2c master read.
+
+Fixes: 6be88670fc59 ("NFC: nxp-nci_i2c: Add I2C support to NXP NCI driver")
+Signed-off-by: Michael Walle <michael@walle.cc>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nfc/nxp-nci/i2c.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/nfc/nxp-nci/i2c.c
++++ b/drivers/nfc/nxp-nci/i2c.c
+@@ -162,6 +162,9 @@ static int nxp_nci_i2c_nci_read(struct n
+
+ skb_put_data(*skb, (void *)&header, NCI_CTRL_HDR_SIZE);
+
++ if (!header.plen)
++ return 0;
++
+ r = i2c_master_recv(client, skb_put(*skb, header.plen), header.plen);
+ if (r != header.plen) {
+ nfc_err(&client->dev,
--- /dev/null
+From f44b799603a9b5d2e375b0b2d54dd0b791eddfc2 Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin <linmq006@gmail.com>
+Date: Thu, 26 May 2022 12:28:56 +0400
+Subject: PM / devfreq: exynos-ppmu: Fix refcount leak in of_get_devfreq_events
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+commit f44b799603a9b5d2e375b0b2d54dd0b791eddfc2 upstream.
+
+of_get_child_by_name() returns a node pointer with refcount
+incremented, we should use of_node_put() on it when done.
+This function only calls of_node_put() in normal path,
+missing it in error paths.
+Add missing of_node_put() to avoid refcount leak.
+
+Fixes: f262f28c1470 ("PM / devfreq: event: Add devfreq_event class")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/devfreq/event/exynos-ppmu.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/devfreq/event/exynos-ppmu.c
++++ b/drivers/devfreq/event/exynos-ppmu.c
+@@ -514,15 +514,19 @@ static int of_get_devfreq_events(struct
+
+ count = of_get_child_count(events_np);
+ desc = devm_kcalloc(dev, count, sizeof(*desc), GFP_KERNEL);
+- if (!desc)
++ if (!desc) {
++ of_node_put(events_np);
+ return -ENOMEM;
++ }
+ info->num_events = count;
+
+ of_id = of_match_device(exynos_ppmu_id_match, dev);
+ if (of_id)
+ info->ppmu_type = (enum exynos_ppmu_type)of_id->data;
+- else
++ else {
++ of_node_put(events_np);
+ return -EINVAL;
++ }
+
+ j = 0;
+ for_each_child_of_node(events_np, node) {
--- /dev/null
+From ac790d09885d36143076e7e02825c541e8eee899 Mon Sep 17 00:00:00 2001
+From: "Aneesh Kumar K.V" <aneesh.kumar@linux.ibm.com>
+Date: Wed, 29 Jun 2022 10:39:25 +0530
+Subject: powerpc/memhotplug: Add add_pages override for PPC
+
+From: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+
+commit ac790d09885d36143076e7e02825c541e8eee899 upstream.
+
+With commit ffa0b64e3be5 ("powerpc: Fix virt_addr_valid() for 64-bit Book3E & 32-bit")
+the kernel now validate the addr against high_memory value. This results
+in the below BUG_ON with dax pfns.
+
+[ 635.798741][T26531] kernel BUG at mm/page_alloc.c:5521!
+1:mon> e
+cpu 0x1: Vector: 700 (Program Check) at [c000000007287630]
+ pc: c00000000055ed48: free_pages.part.0+0x48/0x110
+ lr: c00000000053ca70: tlb_finish_mmu+0x80/0xd0
+ sp: c0000000072878d0
+ msr: 800000000282b033
+ current = 0xc00000000afabe00
+ paca = 0xc00000037ffff300 irqmask: 0x03 irq_happened: 0x05
+ pid = 26531, comm = 50-landscape-sy
+kernel BUG at :5521!
+Linux version 5.19.0-rc3-14659-g4ec05be7c2e1 (kvaneesh@ltc-boston8) (gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0, GNU ld (GNU Binutils for Ubuntu) 2.34) #625 SMP Thu Jun 23 00:35:43 CDT 2022
+1:mon> t
+[link register ] c00000000053ca70 tlb_finish_mmu+0x80/0xd0
+[c0000000072878d0] c00000000053ca54 tlb_finish_mmu+0x64/0xd0 (unreliable)
+[c000000007287900] c000000000539424 exit_mmap+0xe4/0x2a0
+[c0000000072879e0] c00000000019fc1c mmput+0xcc/0x210
+[c000000007287a20] c000000000629230 begin_new_exec+0x5e0/0xf40
+[c000000007287ae0] c00000000070b3cc load_elf_binary+0x3ac/0x1e00
+[c000000007287c10] c000000000627af0 bprm_execve+0x3b0/0xaf0
+[c000000007287cd0] c000000000628414 do_execveat_common.isra.0+0x1e4/0x310
+[c000000007287d80] c00000000062858c sys_execve+0x4c/0x60
+[c000000007287db0] c00000000002c1b0 system_call_exception+0x160/0x2c0
+[c000000007287e10] c00000000000c53c system_call_common+0xec/0x250
+
+The fix is to make sure we update high_memory on memory hotplug.
+This is similar to what x86 does in commit 3072e413e305 ("mm/memory_hotplug: introduce add_pages")
+
+Fixes: ffa0b64e3be5 ("powerpc: Fix virt_addr_valid() for 64-bit Book3E & 32-bit")
+Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+Reviewed-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20220629050925.31447-1-aneesh.kumar@linux.ibm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/Kconfig | 4 ++++
+ arch/powerpc/mm/mem.c | 33 ++++++++++++++++++++++++++++++++-
+ 2 files changed, 36 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/Kconfig
++++ b/arch/powerpc/Kconfig
+@@ -353,6 +353,10 @@ config ARCH_SUSPEND_NONZERO_CPU
+ def_bool y
+ depends on PPC_POWERNV || PPC_PSERIES
+
++config ARCH_HAS_ADD_PAGES
++ def_bool y
++ depends on ARCH_ENABLE_MEMORY_HOTPLUG
++
+ config PPC_DCR_NATIVE
+ bool
+
+--- a/arch/powerpc/mm/mem.c
++++ b/arch/powerpc/mm/mem.c
+@@ -104,6 +104,37 @@ void __ref arch_remove_linear_mapping(u6
+ vm_unmap_aliases();
+ }
+
++/*
++ * After memory hotplug the variables max_pfn, max_low_pfn and high_memory need
++ * updating.
++ */
++static void update_end_of_memory_vars(u64 start, u64 size)
++{
++ unsigned long end_pfn = PFN_UP(start + size);
++
++ if (end_pfn > max_pfn) {
++ max_pfn = end_pfn;
++ max_low_pfn = end_pfn;
++ high_memory = (void *)__va(max_pfn * PAGE_SIZE - 1) + 1;
++ }
++}
++
++int __ref add_pages(int nid, unsigned long start_pfn, unsigned long nr_pages,
++ struct mhp_params *params)
++{
++ int ret;
++
++ ret = __add_pages(nid, start_pfn, nr_pages, params);
++ if (ret)
++ return ret;
++
++ /* update max_pfn, max_low_pfn and high_memory */
++ update_end_of_memory_vars(start_pfn << PAGE_SHIFT,
++ nr_pages << PAGE_SHIFT);
++
++ return ret;
++}
++
+ int __ref arch_add_memory(int nid, u64 start, u64 size,
+ struct mhp_params *params)
+ {
+@@ -114,7 +145,7 @@ int __ref arch_add_memory(int nid, u64 s
+ rc = arch_create_linear_mapping(nid, start, size, params);
+ if (rc)
+ return rc;
+- rc = __add_pages(nid, start_pfn, nr_pages, params);
++ rc = add_pages(nid, start_pfn, nr_pages, params);
+ if (rc)
+ arch_remove_linear_mapping(start, size);
+ return rc;
--- /dev/null
+From 25deecb21c18ee29e3be8ac6177b2a9504c33d2d Mon Sep 17 00:00:00 2001
+From: Masahiro Yamada <masahiroy@kernel.org>
+Date: Tue, 14 Jun 2022 02:09:00 +0900
+Subject: s390: remove unneeded 'select BUILD_BIN2C'
+
+From: Masahiro Yamada <masahiroy@kernel.org>
+
+commit 25deecb21c18ee29e3be8ac6177b2a9504c33d2d upstream.
+
+Since commit 4c0f032d4963 ("s390/purgatory: Omit use of bin2c"),
+s390 builds the purgatory without using bin2c.
+
+Remove 'select BUILD_BIN2C' to avoid the unneeded build of bin2c.
+
+Fixes: 4c0f032d4963 ("s390/purgatory: Omit use of bin2c")
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Link: https://lore.kernel.org/r/20220613170902.1775211-1-masahiroy@kernel.org
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/arch/s390/Kconfig
++++ b/arch/s390/Kconfig
+@@ -516,7 +516,6 @@ config KEXEC
+ config KEXEC_FILE
+ bool "kexec file based system call"
+ select KEXEC_CORE
+- select BUILD_BIN2C
+ depends on CRYPTO
+ depends on CRYPTO_SHA256
+ depends on CRYPTO_SHA256_S390
selftests-mptcp-more-stable-diag-tests.patch
net-ipv6-unexport-__init-annotated-seg6_hmac_net_init.patch
nfsd-restore-einval-error-translation-in-nfsd_commit.patch
-hwmon-occ-prevent-power-cap-command-overwriting-poll-response.patch
+vfs-fix-copy_file_range-regression-in-cross-fs-copies.patch
+caif_virtio-fix-race-between-virtio_device_ready-and-ndo_open.patch
+pm-devfreq-exynos-ppmu-fix-refcount-leak-in-of_get_devfreq_events.patch
+vdpa-mlx5-update-control-vq-callback-information.patch
+s390-remove-unneeded-select-build_bin2c.patch
+netfilter-nft_dynset-restore-set-element-counter-when-failing-to-update.patch
+net-dsa-hirschmann-add-missing-of_node_get-in-hellcreek_led_setup.patch
+net-sched-act_api-notify-user-space-if-any-actions-were-flushed-before-error.patch
+net-asix-fix-can-t-send-until-first-packet-is-send-issue.patch
+net-bonding-fix-possible-null-deref-in-rlb-code.patch
+net-phy-ax88772a-fix-lost-pause-advertisement-configuration.patch
+net-bonding-fix-use-after-free-after-802.3ad-slave-unbind.patch
+powerpc-memhotplug-add-add_pages-override-for-ppc.patch
+nfc-nfcmrvl-fix-irq_of_parse_and_map-return-value.patch
+nfc-nxp-nci-don-t-issue-a-zero-length-i2c_master_read.patch
+tipc-move-bc-link-creation-back-to-tipc_node_create.patch
+epic100-fix-use-after-free-on-rmmod.patch
+io_uring-ensure-that-send-sendmsg-and-recv-recvmsg-check-sqe-ioprio.patch
--- /dev/null
+From cb8092d70a6f5f01ec1490fce4d35efed3ed996c Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Fri, 24 Jun 2022 12:24:31 -0400
+Subject: tipc: move bc link creation back to tipc_node_create
+
+From: Xin Long <lucien.xin@gmail.com>
+
+commit cb8092d70a6f5f01ec1490fce4d35efed3ed996c upstream.
+
+Shuang Li reported a NULL pointer dereference crash:
+
+ [] BUG: kernel NULL pointer dereference, address: 0000000000000068
+ [] RIP: 0010:tipc_link_is_up+0x5/0x10 [tipc]
+ [] Call Trace:
+ [] <IRQ>
+ [] tipc_bcast_rcv+0xa2/0x190 [tipc]
+ [] tipc_node_bc_rcv+0x8b/0x200 [tipc]
+ [] tipc_rcv+0x3af/0x5b0 [tipc]
+ [] tipc_udp_recv+0xc7/0x1e0 [tipc]
+
+It was caused by the 'l' passed into tipc_bcast_rcv() is NULL. When it
+creates a node in tipc_node_check_dest(), after inserting the new node
+into hashtable in tipc_node_create(), it creates the bc link. However,
+there is a gap between this insert and bc link creation, a bc packet
+may come in and get the node from the hashtable then try to dereference
+its bc link, which is NULL.
+
+This patch is to fix it by moving the bc link creation before inserting
+into the hashtable.
+
+Note that for a preliminary node becoming "real", the bc link creation
+should also be called before it's rehashed, as we don't create it for
+preliminary nodes.
+
+Fixes: 4cbf8ac2fe5a ("tipc: enable creating a "preliminary" node")
+Reported-by: Shuang Li <shuali@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/node.c | 41 ++++++++++++++++++++++-------------------
+ 1 file changed, 22 insertions(+), 19 deletions(-)
+
+--- a/net/tipc/node.c
++++ b/net/tipc/node.c
+@@ -472,8 +472,8 @@ struct tipc_node *tipc_node_create(struc
+ bool preliminary)
+ {
+ struct tipc_net *tn = net_generic(net, tipc_net_id);
++ struct tipc_link *l, *snd_l = tipc_bc_sndlink(net);
+ struct tipc_node *n, *temp_node;
+- struct tipc_link *l;
+ unsigned long intv;
+ int bearer_id;
+ int i;
+@@ -488,6 +488,16 @@ struct tipc_node *tipc_node_create(struc
+ goto exit;
+ /* A preliminary node becomes "real" now, refresh its data */
+ tipc_node_write_lock(n);
++ if (!tipc_link_bc_create(net, tipc_own_addr(net), addr, peer_id, U16_MAX,
++ tipc_link_min_win(snd_l), tipc_link_max_win(snd_l),
++ n->capabilities, &n->bc_entry.inputq1,
++ &n->bc_entry.namedq, snd_l, &n->bc_entry.link)) {
++ pr_warn("Broadcast rcv link refresh failed, no memory\n");
++ tipc_node_write_unlock_fast(n);
++ tipc_node_put(n);
++ n = NULL;
++ goto exit;
++ }
+ n->preliminary = false;
+ n->addr = addr;
+ hlist_del_rcu(&n->hash);
+@@ -567,7 +577,16 @@ update:
+ n->signature = INVALID_NODE_SIG;
+ n->active_links[0] = INVALID_BEARER_ID;
+ n->active_links[1] = INVALID_BEARER_ID;
+- n->bc_entry.link = NULL;
++ if (!preliminary &&
++ !tipc_link_bc_create(net, tipc_own_addr(net), addr, peer_id, U16_MAX,
++ tipc_link_min_win(snd_l), tipc_link_max_win(snd_l),
++ n->capabilities, &n->bc_entry.inputq1,
++ &n->bc_entry.namedq, snd_l, &n->bc_entry.link)) {
++ pr_warn("Broadcast rcv link creation failed, no memory\n");
++ kfree(n);
++ n = NULL;
++ goto exit;
++ }
+ tipc_node_get(n);
+ timer_setup(&n->timer, tipc_node_timeout, 0);
+ /* Start a slow timer anyway, crypto needs it */
+@@ -1155,7 +1174,7 @@ void tipc_node_check_dest(struct net *ne
+ bool *respond, bool *dupl_addr)
+ {
+ struct tipc_node *n;
+- struct tipc_link *l, *snd_l;
++ struct tipc_link *l;
+ struct tipc_link_entry *le;
+ bool addr_match = false;
+ bool sign_match = false;
+@@ -1175,22 +1194,6 @@ void tipc_node_check_dest(struct net *ne
+ return;
+
+ tipc_node_write_lock(n);
+- if (unlikely(!n->bc_entry.link)) {
+- snd_l = tipc_bc_sndlink(net);
+- if (!tipc_link_bc_create(net, tipc_own_addr(net),
+- addr, peer_id, U16_MAX,
+- tipc_link_min_win(snd_l),
+- tipc_link_max_win(snd_l),
+- n->capabilities,
+- &n->bc_entry.inputq1,
+- &n->bc_entry.namedq, snd_l,
+- &n->bc_entry.link)) {
+- pr_warn("Broadcast rcv link creation failed, no mem\n");
+- tipc_node_write_unlock_fast(n);
+- tipc_node_put(n);
+- return;
+- }
+- }
+
+ le = &n->links[b->identity];
+
--- /dev/null
+From 40f2f3e94178d45e4ee6078effba2dfc76f6f5ba Mon Sep 17 00:00:00 2001
+From: Eli Cohen <elic@nvidia.com>
+Date: Mon, 13 Jun 2022 10:59:57 +0300
+Subject: vdpa/mlx5: Update Control VQ callback information
+
+From: Eli Cohen <elic@nvidia.com>
+
+commit 40f2f3e94178d45e4ee6078effba2dfc76f6f5ba upstream.
+
+The control VQ specific information is stored in the dedicated struct
+mlx5_control_vq. When the callback is updated through
+mlx5_vdpa_set_vq_cb(), make sure to update the control VQ struct.
+
+Fixes: 5262912ef3cf ("vdpa/mlx5: Add support for control VQ and MAC setting")
+Signed-off-by: Eli Cohen <elic@nvidia.com>
+Message-Id: <20220613075958.511064-1-elic@nvidia.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Acked-by: Jason Wang <jasowang@redhat.com)
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vdpa/mlx5/net/mlx5_vnet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/vdpa/mlx5/net/mlx5_vnet.c
++++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c
+@@ -1698,6 +1698,8 @@ static void mlx5_vdpa_set_vq_cb(struct v
+ struct mlx5_vdpa_net *ndev = to_mlx5_vdpa_ndev(mvdev);
+
+ ndev->event_cbs[idx] = *cb;
++ if (is_ctrl_vq_idx(mvdev, idx))
++ mvdev->cvq.event_cb = *cb;
+ }
+
+ static void mlx5_cvq_notify(struct vringh *vring)
--- /dev/null
+From 868f9f2f8e004bfe0d3935b1976f625b2924893b Mon Sep 17 00:00:00 2001
+From: Amir Goldstein <amir73il@gmail.com>
+Date: Thu, 30 Jun 2022 22:58:49 +0300
+Subject: vfs: fix copy_file_range() regression in cross-fs copies
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+commit 868f9f2f8e004bfe0d3935b1976f625b2924893b upstream.
+
+A regression has been reported by Nicolas Boichat, found while using the
+copy_file_range syscall to copy a tracefs file.
+
+Before commit 5dae222a5ff0 ("vfs: allow copy_file_range to copy across
+devices") the kernel would return -EXDEV to userspace when trying to
+copy a file across different filesystems. After this commit, the
+syscall doesn't fail anymore and instead returns zero (zero bytes
+copied), as this file's content is generated on-the-fly and thus reports
+a size of zero.
+
+Another regression has been reported by He Zhe - the assertion of
+WARN_ON_ONCE(ret == -EOPNOTSUPP) can be triggered from userspace when
+copying from a sysfs file whose read operation may return -EOPNOTSUPP.
+
+Since we do not have test coverage for copy_file_range() between any two
+types of filesystems, the best way to avoid these sort of issues in the
+future is for the kernel to be more picky about filesystems that are
+allowed to do copy_file_range().
+
+This patch restores some cross-filesystem copy restrictions that existed
+prior to commit 5dae222a5ff0 ("vfs: allow copy_file_range to copy across
+devices"), namely, cross-sb copy is not allowed for filesystems that do
+not implement ->copy_file_range().
+
+Filesystems that do implement ->copy_file_range() have full control of
+the result - if this method returns an error, the error is returned to
+the user. Before this change this was only true for fs that did not
+implement the ->remap_file_range() operation (i.e. nfsv3).
+
+Filesystems that do not implement ->copy_file_range() still fall-back to
+the generic_copy_file_range() implementation when the copy is within the
+same sb. This helps the kernel can maintain a more consistent story
+about which filesystems support copy_file_range().
+
+nfsd and ksmbd servers are modified to fall-back to the
+generic_copy_file_range() implementation in case vfs_copy_file_range()
+fails with -EOPNOTSUPP or -EXDEV, which preserves behavior of
+server-side-copy.
+
+fall-back to generic_copy_file_range() is not implemented for the smb
+operation FSCTL_DUPLICATE_EXTENTS_TO_FILE, which is arguably a correct
+change of behavior.
+
+Fixes: 5dae222a5ff0 ("vfs: allow copy_file_range to copy across devices")
+Link: https://lore.kernel.org/linux-fsdevel/20210212044405.4120619-1-drinkcat@chromium.org/
+Link: https://lore.kernel.org/linux-fsdevel/CANMq1KDZuxir2LM5jOTm0xx+BnvW=ZmpsG47CyHFJwnw7zSX6Q@mail.gmail.com/
+Link: https://lore.kernel.org/linux-fsdevel/20210126135012.1.If45b7cdc3ff707bc1efa17f5366057d60603c45f@changeid/
+Link: https://lore.kernel.org/linux-fsdevel/20210630161320.29006-1-lhenriques@suse.de/
+Reported-by: Nicolas Boichat <drinkcat@chromium.org>
+Reported-by: kernel test robot <oliver.sang@intel.com>
+Signed-off-by: Luis Henriques <lhenriques@suse.de>
+Fixes: 64bf5ff58dff ("vfs: no fallback for ->copy_file_range")
+Link: https://lore.kernel.org/linux-fsdevel/20f17f64-88cb-4e80-07c1-85cb96c83619@windriver.com/
+Reported-by: He Zhe <zhe.he@windriver.com>
+Tested-by: Namjae Jeon <linkinjeon@kernel.org>
+Tested-by: Luis Henriques <lhenriques@suse.de>
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ksmbd/smb2pdu.c | 16 ++++++++---
+ fs/ksmbd/vfs.c | 4 ++
+ fs/nfsd/vfs.c | 8 ++++-
+ fs/read_write.c | 77 ++++++++++++++++++++++++++++++-----------------------
+ 4 files changed, 68 insertions(+), 37 deletions(-)
+
+--- a/fs/ksmbd/smb2pdu.c
++++ b/fs/ksmbd/smb2pdu.c
+@@ -7794,14 +7794,24 @@ int smb2_ioctl(struct ksmbd_work *work)
+ src_off = le64_to_cpu(dup_ext->SourceFileOffset);
+ dst_off = le64_to_cpu(dup_ext->TargetFileOffset);
+ length = le64_to_cpu(dup_ext->ByteCount);
+- cloned = vfs_clone_file_range(fp_in->filp, src_off, fp_out->filp,
+- dst_off, length, 0);
++ /*
++ * XXX: It is not clear if FSCTL_DUPLICATE_EXTENTS_TO_FILE
++ * should fall back to vfs_copy_file_range(). This could be
++ * beneficial when re-exporting nfs/smb mount, but note that
++ * this can result in partial copy that returns an error status.
++ * If/when FSCTL_DUPLICATE_EXTENTS_TO_FILE_EX is implemented,
++ * fall back to vfs_copy_file_range(), should be avoided when
++ * the flag DUPLICATE_EXTENTS_DATA_EX_SOURCE_ATOMIC is set.
++ */
++ cloned = vfs_clone_file_range(fp_in->filp, src_off,
++ fp_out->filp, dst_off, length, 0);
+ if (cloned == -EXDEV || cloned == -EOPNOTSUPP) {
+ ret = -EOPNOTSUPP;
+ goto dup_ext_out;
+ } else if (cloned != length) {
+ cloned = vfs_copy_file_range(fp_in->filp, src_off,
+- fp_out->filp, dst_off, length, 0);
++ fp_out->filp, dst_off,
++ length, 0);
+ if (cloned != length) {
+ if (cloned < 0)
+ ret = cloned;
+--- a/fs/ksmbd/vfs.c
++++ b/fs/ksmbd/vfs.c
+@@ -1782,6 +1782,10 @@ int ksmbd_vfs_copy_file_ranges(struct ks
+
+ ret = vfs_copy_file_range(src_fp->filp, src_off,
+ dst_fp->filp, dst_off, len, 0);
++ if (ret == -EOPNOTSUPP || ret == -EXDEV)
++ ret = generic_copy_file_range(src_fp->filp, src_off,
++ dst_fp->filp, dst_off,
++ len, 0);
+ if (ret < 0)
+ return ret;
+
+--- a/fs/nfsd/vfs.c
++++ b/fs/nfsd/vfs.c
+@@ -560,6 +560,7 @@ out_err:
+ ssize_t nfsd_copy_file_range(struct file *src, u64 src_pos, struct file *dst,
+ u64 dst_pos, u64 count)
+ {
++ ssize_t ret;
+
+ /*
+ * Limit copy to 4MB to prevent indefinitely blocking an nfsd
+@@ -570,7 +571,12 @@ ssize_t nfsd_copy_file_range(struct file
+ * limit like this and pipeline multiple COPY requests.
+ */
+ count = min_t(u64, count, 1 << 22);
+- return vfs_copy_file_range(src, src_pos, dst, dst_pos, count, 0);
++ ret = vfs_copy_file_range(src, src_pos, dst, dst_pos, count, 0);
++
++ if (ret == -EOPNOTSUPP || ret == -EXDEV)
++ ret = generic_copy_file_range(src, src_pos, dst, dst_pos,
++ count, 0);
++ return ret;
+ }
+
+ __be32 nfsd4_vfs_fallocate(struct svc_rqst *rqstp, struct svc_fh *fhp,
+--- a/fs/read_write.c
++++ b/fs/read_write.c
+@@ -1384,28 +1384,6 @@ ssize_t generic_copy_file_range(struct f
+ }
+ EXPORT_SYMBOL(generic_copy_file_range);
+
+-static ssize_t do_copy_file_range(struct file *file_in, loff_t pos_in,
+- struct file *file_out, loff_t pos_out,
+- size_t len, unsigned int flags)
+-{
+- /*
+- * Although we now allow filesystems to handle cross sb copy, passing
+- * a file of the wrong filesystem type to filesystem driver can result
+- * in an attempt to dereference the wrong type of ->private_data, so
+- * avoid doing that until we really have a good reason. NFS defines
+- * several different file_system_type structures, but they all end up
+- * using the same ->copy_file_range() function pointer.
+- */
+- if (file_out->f_op->copy_file_range &&
+- file_out->f_op->copy_file_range == file_in->f_op->copy_file_range)
+- return file_out->f_op->copy_file_range(file_in, pos_in,
+- file_out, pos_out,
+- len, flags);
+-
+- return generic_copy_file_range(file_in, pos_in, file_out, pos_out, len,
+- flags);
+-}
+-
+ /*
+ * Performs necessary checks before doing a file copy
+ *
+@@ -1427,6 +1405,24 @@ static int generic_copy_file_checks(stru
+ if (ret)
+ return ret;
+
++ /*
++ * We allow some filesystems to handle cross sb copy, but passing
++ * a file of the wrong filesystem type to filesystem driver can result
++ * in an attempt to dereference the wrong type of ->private_data, so
++ * avoid doing that until we really have a good reason.
++ *
++ * nfs and cifs define several different file_system_type structures
++ * and several different sets of file_operations, but they all end up
++ * using the same ->copy_file_range() function pointer.
++ */
++ if (file_out->f_op->copy_file_range) {
++ if (file_in->f_op->copy_file_range !=
++ file_out->f_op->copy_file_range)
++ return -EXDEV;
++ } else if (file_inode(file_in)->i_sb != file_inode(file_out)->i_sb) {
++ return -EXDEV;
++ }
++
+ /* Don't touch certain kinds of inodes */
+ if (IS_IMMUTABLE(inode_out))
+ return -EPERM;
+@@ -1492,26 +1488,41 @@ ssize_t vfs_copy_file_range(struct file
+ file_start_write(file_out);
+
+ /*
+- * Try cloning first, this is supported by more file systems, and
+- * more efficient if both clone and copy are supported (e.g. NFS).
++ * Cloning is supported by more file systems, so we implement copy on
++ * same sb using clone, but for filesystems where both clone and copy
++ * are supported (e.g. nfs,cifs), we only call the copy method.
+ */
++ if (file_out->f_op->copy_file_range) {
++ ret = file_out->f_op->copy_file_range(file_in, pos_in,
++ file_out, pos_out,
++ len, flags);
++ goto done;
++ }
++
+ if (file_in->f_op->remap_file_range &&
+ file_inode(file_in)->i_sb == file_inode(file_out)->i_sb) {
+- loff_t cloned;
+-
+- cloned = file_in->f_op->remap_file_range(file_in, pos_in,
++ ret = file_in->f_op->remap_file_range(file_in, pos_in,
+ file_out, pos_out,
+ min_t(loff_t, MAX_RW_COUNT, len),
+ REMAP_FILE_CAN_SHORTEN);
+- if (cloned > 0) {
+- ret = cloned;
++ if (ret > 0)
+ goto done;
+- }
+ }
+
+- ret = do_copy_file_range(file_in, pos_in, file_out, pos_out, len,
+- flags);
+- WARN_ON_ONCE(ret == -EOPNOTSUPP);
++ /*
++ * We can get here for same sb copy of filesystems that do not implement
++ * ->copy_file_range() in case filesystem does not support clone or in
++ * case filesystem supports clone but rejected the clone request (e.g.
++ * because it was not block aligned).
++ *
++ * In both cases, fall back to kernel copy so we are able to maintain a
++ * consistent story about which filesystems support copy_file_range()
++ * and which filesystems do not, that will allow userspace tools to
++ * make consistent desicions w.r.t using copy_file_range().
++ */
++ ret = generic_copy_file_range(file_in, pos_in, file_out, pos_out, len,
++ flags);
++
+ done:
+ if (ret > 0) {
+ fsnotify_access(file_in);
projects / thirdparty / kernel / stable-queue.git / commitdiff
