--- /dev/null
+From b5d59401e2e965b4576376582e32bcb46f7c111d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Jul 2021 20:03:25 +0900
+Subject: HID: apple: Fix logical maximum and usage maximum of Magic Keyboard
+ JIS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mizuho Mori <morimolymoly@gmail.com>
+
+[ Upstream commit 67fd71ba16a37c663d139f5ba5296f344d80d072 ]
+
+Apple Magic Keyboard(JIS)'s Logical Maximum and Usage Maximum are wrong.
+
+Below is a report descriptor.
+
+0x05, 0x01, /* Usage Page (Desktop), */
+0x09, 0x06, /* Usage (Keyboard), */
+0xA1, 0x01, /* Collection (Application), */
+0x85, 0x01, /* Report ID (1), */
+0x05, 0x07, /* Usage Page (Keyboard), */
+0x15, 0x00, /* Logical Minimum (0), */
+0x25, 0x01, /* Logical Maximum (1), */
+0x19, 0xE0, /* Usage Minimum (KB Leftcontrol), */
+0x29, 0xE7, /* Usage Maximum (KB Right GUI), */
+0x75, 0x01, /* Report Size (1), */
+0x95, 0x08, /* Report Count (8), */
+0x81, 0x02, /* Input (Variable), */
+0x95, 0x05, /* Report Count (5), */
+0x75, 0x01, /* Report Size (1), */
+0x05, 0x08, /* Usage Page (LED), */
+0x19, 0x01, /* Usage Minimum (01h), */
+0x29, 0x05, /* Usage Maximum (05h), */
+0x91, 0x02, /* Output (Variable), */
+0x95, 0x01, /* Report Count (1), */
+0x75, 0x03, /* Report Size (3), */
+0x91, 0x03, /* Output (Constant, Variable), */
+0x95, 0x08, /* Report Count (8), */
+0x75, 0x01, /* Report Size (1), */
+0x15, 0x00, /* Logical Minimum (0), */
+0x25, 0x01, /* Logical Maximum (1), */
+
+here is a report descriptor which is parsed one in kernel.
+see sys/kernel/debug/hid/<dev>/rdesc
+
+05 01 09 06 a1 01 85 01 05 07
+15 00 25 01 19 e0 29 e7 75 01
+95 08 81 02 95 05 75 01 05 08
+19 01 29 05 91 02 95 01 75 03
+91 03 95 08 75 01 15 00 25 01
+06 00 ff 09 03 81 03 95 06 75
+08 15 00 25 [65] 05 07 19 00 29
+[65] 81 00 95 01 75 01 15 00 25
+01 05 0c 09 b8 81 02 95 01 75
+01 06 01 ff 09 03 81 02 95 01
+75 06 81 03 06 02 ff 09 55 85
+55 15 00 26 ff 00 75 08 95 40
+b1 a2 c0 06 00 ff 09 14 a1 01
+85 90 05 84 75 01 95 03 15 00
+25 01 09 61 05 85 09 44 09 46
+81 02 95 05 81 01 75 08 95 01
+15 00 26 ff 00 09 65 81 02 c0
+00
+
+Position 64(Logical Maximum) and 70(Usage Maximum) are 101.
+Both should be 0xE7 to support JIS specific keys(ろ, Eisu, Kana, |) support.
+position 117 is also 101 but not related(it is Usage 65h).
+
+There are no difference of product id between JIS and ANSI.
+They are same 0x0267.
+
+Signed-off-by: Mizuho Mori <morimolymoly@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-apple.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/hid/hid-apple.c b/drivers/hid/hid-apple.c
+index b58ab769aa7b..4e3dd3f55a96 100644
+--- a/drivers/hid/hid-apple.c
++++ b/drivers/hid/hid-apple.c
+@@ -304,12 +304,19 @@ static int apple_event(struct hid_device *hdev, struct hid_field *field,
+
+ /*
+ * MacBook JIS keyboard has wrong logical maximum
++ * Magic Keyboard JIS has wrong logical maximum
+ */
+ static __u8 *apple_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+ unsigned int *rsize)
+ {
+ struct apple_sc *asc = hid_get_drvdata(hdev);
+
++ if(*rsize >=71 && rdesc[70] == 0x65 && rdesc[64] == 0x65) {
++ hid_info(hdev,
++ "fixing up Magic Keyboard JIS report descriptor\n");
++ rdesc[64] = rdesc[70] = 0xe7;
++ }
++
+ if ((asc->quirks & APPLE_RDESC_JIS) && *rsize >= 60 &&
+ rdesc[53] == 0x65 && rdesc[59] == 0x65) {
+ hid_info(hdev,
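Review bot: The new Magic Keyboard test, `if(*rsize >=71 && rdesc[70] == 0x65 && rdesc[64] == 0x65)`, matches on two data bytes only and, unlike the MacBook branch below it, is not gated on a quirk bit, so any device-supplied descriptor handled by this driver that carries 0x65 at offsets 64 and 70 gets rewritten. Going by the descriptor dump in the commit message, the bytes in front of them are the Logical Maximum and Usage Maximum item prefixes, so the match can be tightened to `rdesc[63] == 0x25 && rdesc[64] == 0x65 && rdesc[69] == 0x29 && rdesc[70] == 0x65`. The line also wants kernel spacing, `if (*rsize >= 71 && ...`. apple_report_fixup continues past the end of the hunk.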
+--
+2.33.0
+
--- /dev/null
+From 874c04f5d12b334d42ee8e42ad24a7893fd2f521 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 25 Jul 2021 17:19:00 +0000
+Subject: m68k: Handle arrivals of multiple signals correctly
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit 4bb0bd81ce5e97092dfda6a106d414b703ec0ee8 ]
+
+When we have several pending signals, have entered with the kernel
+with large exception frame *and* have already built at least one
+sigframe, regs->stkadj is going to be non-zero and regs->format/sr/pc
+are going to be junk - the real values are in shifted exception stack
+frame we'd built when putting together the first sigframe.
+
+If that happens, subsequent sigframes are going to be garbage.
+Not hard to fix - just need to find the "adjusted" frame first
+and look for format/vector/sr/pc in it.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Tested-by: Michael Schmitz <schmitzmic@gmail.com>
+Reviewed-by: Michael Schmitz <schmitzmic@gmail.com>
+Tested-by: Finn Thain <fthain@linux-m68k.org>
+Link: https://lore.kernel.org/r/YP2dBIAPTaVvHiZ6@zeniv-ca.linux.org.uk
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/kernel/signal.c | 88 +++++++++++++++++++--------------------
+ 1 file changed, 42 insertions(+), 46 deletions(-)
+
+diff --git a/arch/m68k/kernel/signal.c b/arch/m68k/kernel/signal.c
+index 72850b85ecf8..c67a68b6b69d 100644
+--- a/arch/m68k/kernel/signal.c
++++ b/arch/m68k/kernel/signal.c
+@@ -448,7 +448,7 @@ static inline void save_fpu_state(struct sigcontext *sc, struct pt_regs *regs)
+
+ if (CPU_IS_060 ? sc->sc_fpstate[2] : sc->sc_fpstate[0]) {
+ fpu_version = sc->sc_fpstate[0];
+- if (CPU_IS_020_OR_030 &&
++ if (CPU_IS_020_OR_030 && !regs->stkadj &&
+ regs->vector >= (VEC_FPBRUC * 4) &&
+ regs->vector <= (VEC_FPNAN * 4)) {
+ /* Clear pending exception in 68882 idle frame */
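Review bot: The added `!regs->stkadj` term has no comment, and the reason for it is only in the commit message: once an earlier sigframe has set `stkadj`, the format/vector word read through `regs` is no longer the real one. A one-line comment above the `if`, e.g. `/* regs->vector is only meaningful while the exception frame has not been shifted (stkadj == 0) */`, would keep a later cleanup from dropping the test. The same applies to the identical change in rt_save_fpu_state in the next hunk. Both functions continue outside their hunks.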
+@@ -511,7 +511,7 @@ static inline int rt_save_fpu_state(struct ucontext __user *uc, struct pt_regs *
+ if (!(CPU_IS_060 || CPU_IS_COLDFIRE))
+ context_size = fpstate[1];
+ fpu_version = fpstate[0];
+- if (CPU_IS_020_OR_030 &&
++ if (CPU_IS_020_OR_030 && !regs->stkadj &&
+ regs->vector >= (VEC_FPBRUC * 4) &&
+ regs->vector <= (VEC_FPNAN * 4)) {
+ /* Clear pending exception in 68882 idle frame */
+@@ -828,18 +828,24 @@ badframe:
+ return 0;
+ }
+
++static inline struct pt_regs *rte_regs(struct pt_regs *regs)
++{
++ return (void *)regs + regs->stkadj;
++}
++
+ static void setup_sigcontext(struct sigcontext *sc, struct pt_regs *regs,
+ unsigned long mask)
+ {
++ struct pt_regs *tregs = rte_regs(regs);
+ sc->sc_mask = mask;
+ sc->sc_usp = rdusp();
+ sc->sc_d0 = regs->d0;
+ sc->sc_d1 = regs->d1;
+ sc->sc_a0 = regs->a0;
+ sc->sc_a1 = regs->a1;
+- sc->sc_sr = regs->sr;
+- sc->sc_pc = regs->pc;
+- sc->sc_formatvec = regs->format << 12 | regs->vector;
++ sc->sc_sr = tregs->sr;
++ sc->sc_pc = tregs->pc;
++ sc->sc_formatvec = tregs->format << 12 | tregs->vector;
+ save_a5_state(sc, regs);
+ save_fpu_state(sc, regs);
+ }
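Review bot: rte_regs() is introduced without a comment saying which frame it returns, while setup_sigcontext now reads d0/d1/a0/a1 through `regs` and sr/pc/format/vector through `tregs`. A header comment such as `/* Exception frame that RTE will use: regs itself, or the copy shifted by regs->stkadj once a sigframe has been built */` would make that split readable without the commit message. A blank line after the `tregs` declaration in setup_sigcontext would also match the surrounding style.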
+@@ -847,6 +853,7 @@ static void setup_sigcontext(struct sigcontext *sc, struct pt_regs *regs,
+ static inline int rt_setup_ucontext(struct ucontext __user *uc, struct pt_regs *regs)
+ {
+ struct switch_stack *sw = (struct switch_stack *)regs - 1;
++ struct pt_regs *tregs = rte_regs(regs);
+ greg_t __user *gregs = uc->uc_mcontext.gregs;
+ int err = 0;
+
+@@ -867,9 +874,9 @@ static inline int rt_setup_ucontext(struct ucontext __user *uc, struct pt_regs *
+ err |= __put_user(sw->a5, &gregs[13]);
+ err |= __put_user(sw->a6, &gregs[14]);
+ err |= __put_user(rdusp(), &gregs[15]);
+- err |= __put_user(regs->pc, &gregs[16]);
+- err |= __put_user(regs->sr, &gregs[17]);
+- err |= __put_user((regs->format << 12) | regs->vector, &uc->uc_formatvec);
++ err |= __put_user(tregs->pc, &gregs[16]);
++ err |= __put_user(tregs->sr, &gregs[17]);
++ err |= __put_user((tregs->format << 12) | tregs->vector, &uc->uc_formatvec);
+ err |= rt_save_fpu_state(uc, regs);
+ return err;
+ }
+@@ -886,13 +893,14 @@ static int setup_frame(struct ksignal *ksig, sigset_t *set,
+ struct pt_regs *regs)
+ {
+ struct sigframe __user *frame;
+- int fsize = frame_extra_sizes(regs->format);
++ struct pt_regs *tregs = rte_regs(regs);
++ int fsize = frame_extra_sizes(tregs->format);
+ struct sigcontext context;
+ int err = 0, sig = ksig->sig;
+
+ if (fsize < 0) {
+ pr_debug("setup_frame: Unknown frame format %#x\n",
+- regs->format);
++ tregs->format);
+ return -EFAULT;
+ }
+
+@@ -903,7 +911,7 @@ static int setup_frame(struct ksignal *ksig, sigset_t *set,
+
+ err |= __put_user(sig, &frame->sig);
+
+- err |= __put_user(regs->vector, &frame->code);
++ err |= __put_user(tregs->vector, &frame->code);
+ err |= __put_user(&frame->sc, &frame->psc);
+
+ if (_NSIG_WORDS > 1)
+@@ -928,34 +936,28 @@ static int setup_frame(struct ksignal *ksig, sigset_t *set,
+
+ push_cache ((unsigned long) &frame->retcode);
+
+- /*
+- * Set up registers for signal handler. All the state we are about
+- * to destroy is successfully copied to sigframe.
+- */
+- wrusp ((unsigned long) frame);
+- regs->pc = (unsigned long) ksig->ka.sa.sa_handler;
+- adjustformat(regs);
+-
+ /*
+ * This is subtle; if we build more than one sigframe, all but the
+ * first one will see frame format 0 and have fsize == 0, so we won't
+ * screw stkadj.
+ */
+- if (fsize)
++ if (fsize) {
+ regs->stkadj = fsize;
+-
+- /* Prepare to skip over the extra stuff in the exception frame. */
+- if (regs->stkadj) {
+- struct pt_regs *tregs =
+- (struct pt_regs *)((ulong)regs + regs->stkadj);
++ tregs = rte_regs(regs);
+ pr_debug("Performing stackadjust=%04lx\n", regs->stkadj);
+- /* This must be copied with decreasing addresses to
+- handle overlaps. */
+ tregs->vector = 0;
+ tregs->format = 0;
+- tregs->pc = regs->pc;
+ tregs->sr = regs->sr;
+ }
++
++ /*
++ * Set up registers for signal handler. All the state we are about
++ * to destroy is successfully copied to sigframe.
++ */
++ wrusp ((unsigned long) frame);
++ tregs->pc = (unsigned long) ksig->ka.sa.sa_handler;
++ adjustformat(regs);
++
+ return 0;
+ }
+
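Review bot: The sequence from `if (fsize) {` through `adjustformat(regs);` is now line-for-line the same here and in setup_rt_frame (the hunk at -1012), so the two copies can drift apart again. Moving it into one static helper that takes `regs`, `fsize`, the frame pointer and the handler address, and calling that from both functions, would keep the required order (set `stkadj`, re-derive `tregs`, then write `tregs->pc`) in a single place. The comment that used to explain the frame copy was deleted, so the helper is also the natural place for a short note on why `tregs` must be recomputed after `regs->stkadj = fsize;`.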
+@@ -963,7 +965,8 @@ static int setup_rt_frame(struct ksignal *ksig, sigset_t *set,
+ struct pt_regs *regs)
+ {
+ struct rt_sigframe __user *frame;
+- int fsize = frame_extra_sizes(regs->format);
++ struct pt_regs *tregs = rte_regs(regs);
++ int fsize = frame_extra_sizes(tregs->format);
+ int err = 0, sig = ksig->sig;
+
+ if (fsize < 0) {
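Review bot: setup_frame's error path was switched to print `tregs->format`, but this hunk stops at `if (fsize < 0) {` and the pr_debug inside it is not touched. If that message still prints `regs->format`, it reports the stale value in exactly the multi-signal case this commit addresses; it should read `tregs->format` to match setup_frame. The body of the `if` is outside the hunk, so this needs checking against the full file.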
+@@ -1012,34 +1015,27 @@ static int setup_rt_frame(struct ksignal *ksig, sigset_t *set,
+
+ push_cache ((unsigned long) &frame->retcode);
+
+- /*
+- * Set up registers for signal handler. All the state we are about
+- * to destroy is successfully copied to sigframe.
+- */
+- wrusp ((unsigned long) frame);
+- regs->pc = (unsigned long) ksig->ka.sa.sa_handler;
+- adjustformat(regs);
+-
+ /*
+ * This is subtle; if we build more than one sigframe, all but the
+ * first one will see frame format 0 and have fsize == 0, so we won't
+ * screw stkadj.
+ */
+- if (fsize)
++ if (fsize) {
+ regs->stkadj = fsize;
+-
+- /* Prepare to skip over the extra stuff in the exception frame. */
+- if (regs->stkadj) {
+- struct pt_regs *tregs =
+- (struct pt_regs *)((ulong)regs + regs->stkadj);
++ tregs = rte_regs(regs);
+ pr_debug("Performing stackadjust=%04lx\n", regs->stkadj);
+- /* This must be copied with decreasing addresses to
+- handle overlaps. */
+ tregs->vector = 0;
+ tregs->format = 0;
+- tregs->pc = regs->pc;
+ tregs->sr = regs->sr;
+ }
++
++ /*
++ * Set up registers for signal handler. All the state we are about
++ * to destroy is successfully copied to sigframe.
++ */
++ wrusp ((unsigned long) frame);
++ tregs->pc = (unsigned long) ksig->ka.sa.sa_handler;
++ adjustformat(regs);
+ return 0;
+ }
+
+--
+2.33.0
+
--- /dev/null
+From fd5385e6e95c92924fbcfec0dc512fa4ee1154a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Sep 2021 03:34:57 +0000
+Subject: mac80211: check return value of rhashtable_init
+
+From: MichelleJin <shjy180909@gmail.com>
+
+[ Upstream commit 111461d573741c17eafad029ac93474fa9adcce0 ]
+
+When rhashtable_init() fails, it returns -EINVAL.
+However, since error return value of rhashtable_init is not checked,
+it can cause use of uninitialized pointers.
+So, fix unhandled errors of rhashtable_init.
+
+Signed-off-by: MichelleJin <shjy180909@gmail.com>
+Link: https://lore.kernel.org/r/20210927033457.1020967-4-shjy180909@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mesh_pathtbl.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c
+index 6dc5f93b1e4d..06b44c3c831a 100644
+--- a/net/mac80211/mesh_pathtbl.c
++++ b/net/mac80211/mesh_pathtbl.c
+@@ -63,7 +63,10 @@ static struct mesh_table *mesh_table_alloc(void)
+ atomic_set(&newtbl->entries, 0);
+ spin_lock_init(&newtbl->gates_lock);
+ spin_lock_init(&newtbl->walk_lock);
+- rhashtable_init(&newtbl->rhead, &mesh_rht_params);
++ if (rhashtable_init(&newtbl->rhead, &mesh_rht_params)) {
++ kfree(newtbl);
++ return NULL;
++ }
+
+ return newtbl;
+ }
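Review bot: The new failure branch returns NULL, so the error code from rhashtable_init() is discarded and callers cannot tell it apart from any other NULL return of mesh_table_alloc. If the pointer-or-NULL signature is to stay, a comment inside the branch such as `/* error code dropped: callers only test for NULL */` documents the choice. The callers and the start of the function are not visible here, so confirm that every caller does test the result.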
+--
+2.33.0
+
--- /dev/null
+From 039d272c040156b9c6971d30ae245cc4fc5db677 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Aug 2021 22:42:30 +0800
+Subject: mac80211: Drop frames from invalid MAC address in ad-hoc mode
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit a6555f844549cd190eb060daef595f94d3de1582 ]
+
+WARNING: CPU: 1 PID: 9 at net/mac80211/sta_info.c:554
+sta_info_insert_rcu+0x121/0x12a0
+Modules linked in:
+CPU: 1 PID: 9 Comm: kworker/u8:1 Not tainted 5.14.0-rc7+ #253
+Workqueue: phy3 ieee80211_iface_work
+RIP: 0010:sta_info_insert_rcu+0x121/0x12a0
+...
+Call Trace:
+ ieee80211_ibss_finish_sta+0xbc/0x170
+ ieee80211_ibss_work+0x13f/0x7d0
+ ieee80211_iface_work+0x37a/0x500
+ process_one_work+0x357/0x850
+ worker_thread+0x41/0x4d0
+
+If an Ad-Hoc node receives packets with invalid source MAC address,
+it hits a WARN_ON in sta_info_insert_check(), this can spam the log.
+
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Link: https://lore.kernel.org/r/20210827144230.39944-1-yuehaibing@huawei.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/rx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
+index 012697efafc3..e0baa563a4de 100644
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -3875,7 +3875,8 @@ static bool ieee80211_accept_frame(struct ieee80211_rx_data *rx)
+ if (!bssid)
+ return false;
+ if (ether_addr_equal(sdata->vif.addr, hdr->addr2) ||
+- ether_addr_equal(sdata->u.ibss.bssid, hdr->addr2))
++ ether_addr_equal(sdata->u.ibss.bssid, hdr->addr2) ||
++ !is_valid_ether_addr(hdr->addr2))
+ return false;
+ if (ieee80211_is_beacon(hdr->frame_control))
+ return true;
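Review bot: The condition now rejects three unrelated cases (own address as source, BSSID as source, invalid source) with no comment, and the reason for the third is only in the commit message. Because `hdr->addr2` comes straight from the received frame, a comment above the `if` would help, e.g. `/* addr2 is taken from the frame: drop multicast/all-zero senders before IBSS tries to add a station for them */`. Only this branch of ieee80211_accept_frame is visible, so whether other interface types need the same `is_valid_ether_addr()` test cannot be judged from the hunk.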
+--
+2.33.0
+
--- /dev/null
+From 50199cc910788ac787fcf2147d600a80a6fe7dcd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Sep 2021 10:35:58 +0800
+Subject: net: prevent user from passing illegal stab size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: 王贇 <yun.wang@linux.alibaba.com>
+
+[ Upstream commit b193e15ac69d56f35e1d8e2b5d16cbd47764d053 ]
+
+We observed below report when playing with netlink sock:
+
+ UBSAN: shift-out-of-bounds in net/sched/sch_api.c:580:10
+ shift exponent 249 is too large for 32-bit type
+ CPU: 0 PID: 685 Comm: a.out Not tainted
+ Call Trace:
+ dump_stack_lvl+0x8d/0xcf
+ ubsan_epilogue+0xa/0x4e
+ __ubsan_handle_shift_out_of_bounds+0x161/0x182
+ __qdisc_calculate_pkt_len+0xf0/0x190
+ __dev_queue_xmit+0x2ed/0x15b0
+
+it seems like kernel won't check the stab log value passing from
+user, and will use the insane value later to calculate pkt_len.
+
+This patch just add a check on the size/cell_log to avoid insane
+calculation.
+
+Reported-by: Abaci <abaci@linux.alibaba.com>
+Signed-off-by: Michael Wang <yun.wang@linux.alibaba.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/pkt_sched.h | 1 +
+ net/sched/sch_api.c | 6 ++++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/include/net/pkt_sched.h b/include/net/pkt_sched.h
+index 5e99771a5dcc..edca90ef3bdc 100644
+--- a/include/net/pkt_sched.h
++++ b/include/net/pkt_sched.h
+@@ -11,6 +11,7 @@
+ #include <uapi/linux/pkt_sched.h>
+
+ #define DEFAULT_TX_QUEUE_LEN 1000
++#define STAB_SIZE_LOG_MAX 30
+
+ struct qdisc_walker {
+ int stop;
+diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
+index 1f12be9f0207..0bb4f7a94a3c 100644
+--- a/net/sched/sch_api.c
++++ b/net/sched/sch_api.c
+@@ -498,6 +498,12 @@ static struct qdisc_size_table *qdisc_get_stab(struct nlattr *opt,
+ return stab;
+ }
+
++ if (s->size_log > STAB_SIZE_LOG_MAX ||
++ s->cell_log > STAB_SIZE_LOG_MAX) {
++ NL_SET_ERR_MSG(extack, "Invalid logarithmic size of size table");
++ return ERR_PTR(-EINVAL);
++ }
++
+ stab = kmalloc(sizeof(*stab) + tsize * sizeof(u16), GFP_KERNEL);
+ if (!stab)
+ return ERR_PTR(-ENOMEM);
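Review bot: The extack text `"Invalid logarithmic size of size table"` does not say whether `size_log` or `cell_log` was rejected, and `STAB_SIZE_LOG_MAX` (added in pkt_sched.h above) has no comment on why the limit is 30. Both values arrive from userspace over netlink and, going by the UBSAN report in the commit message, are later used as shift counts on a 32-bit value, so the define deserves a comment along the lines of `/* size_log/cell_log are shift counts applied to 32-bit lengths */`. Splitting the test into two `if`s with field-specific messages would make the error actionable. qdisc_get_stab starts and ends outside the hunk.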
+--
+2.33.0
+
--- /dev/null
+From 32b7970fd6f55b943b3bda7d08debf52e5e6aed0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Sep 2021 14:48:23 -0700
+Subject: net: sun: SUNVNET_COMMON should depend on INET
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 103bde372f084206c6972be543ecc247ebbff9f3 ]
+
+When CONFIG_INET is not set, there are failing references to IPv4
+functions, so make this driver depend on INET.
+
+Fixes these build errors:
+
+sparc64-linux-ld: drivers/net/ethernet/sun/sunvnet_common.o: in function `sunvnet_start_xmit_common':
+sunvnet_common.c:(.text+0x1a68): undefined reference to `__icmp_send'
+sparc64-linux-ld: drivers/net/ethernet/sun/sunvnet_common.o: in function `sunvnet_poll_common':
+sunvnet_common.c:(.text+0x358c): undefined reference to `ip_send_check'
+
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: Aaron Young <aaron.young@oracle.com>
+Cc: Rashmi Narasimhan <rashmi.narasimhan@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/sun/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/sun/Kconfig b/drivers/net/ethernet/sun/Kconfig
+index 7b982e02ea3a..1080a2a3e13a 100644
+--- a/drivers/net/ethernet/sun/Kconfig
++++ b/drivers/net/ethernet/sun/Kconfig
+@@ -73,6 +73,7 @@ config CASSINI
+ config SUNVNET_COMMON
+ tristate "Common routines to support Sun Virtual Networking"
+ depends on SUN_LDOMS
++ depends on INET
+ default m
+
+ config SUNVNET
+--
+2.33.0
+
--- /dev/null
+From 8ca21ff171beff0df5b8ca7c8d251a2220b0553e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Sep 2021 22:24:33 +0100
+Subject: netfilter: ip6_tables: zero-initialize fragment offset
+
+From: Jeremy Sowden <jeremy@azazel.net>
+
+[ Upstream commit 310e2d43c3ad429c1fba4b175806cf1f55ed73a6 ]
+
+ip6tables only sets the `IP6T_F_PROTO` flag on a rule if a protocol is
+specified (`-p tcp`, for example). However, if the flag is not set,
+`ip6_packet_match` doesn't call `ipv6_find_hdr` for the skb, in which
+case the fragment offset is left uninitialized and a garbage value is
+passed to each matcher.
+
+Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/netfilter/ip6_tables.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
+index dd0c1073dc8e..d93490ac8275 100644
+--- a/net/ipv6/netfilter/ip6_tables.c
++++ b/net/ipv6/netfilter/ip6_tables.c
+@@ -276,6 +276,7 @@ ip6t_do_table(struct sk_buff *skb,
+ * things we don't know, ie. tcp syn flag or ports). If the
+ * rule is also a fragment-specific rule, non-fragments won't
+ * match it. */
++ acpar.fragoff = 0;
+ acpar.hotdrop = false;
+ acpar.state = state;
+
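Review bot: Zeroing only `acpar.fragoff` fixes the one field named in the commit message, but any other `acpar` member that is filled in only on the `IP6T_F_PROTO` path would still reach the matchers uninitialised. The declaration of `acpar` and the ip6_packet_match() call are outside the hunk, so this is to be confirmed; if `thoff` is set the same way, add `acpar.thoff = 0;` next to the new line, or zero the struct where it is declared. The new assignment also sits directly under a comment about fragment-specific rules without saying why it is there; `/* not set by ip6_packet_match() when the rule has no protocol */` would do.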
+--
+2.33.0
+
--- /dev/null
+From f2161c5e034ebfe71dbdffaa52753f6f4c6955da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Sep 2021 17:04:21 +1000
+Subject: perf/x86: Reset destroy callback on event init failure
+
+From: Anand K Mistry <amistry@google.com>
+
+[ Upstream commit 02d029a41dc986e2d5a77ecca45803857b346829 ]
+
+perf_init_event tries multiple init callbacks and does not reset the
+event state between tries. When x86_pmu_event_init runs, it
+unconditionally sets the destroy callback to hw_perf_event_destroy. On
+the next init attempt after x86_pmu_event_init, in perf_try_init_event,
+if the pmu's capabilities includes PERF_PMU_CAP_NO_EXCLUDE, the destroy
+callback will be run. However, if the next init didn't set the destroy
+callback, hw_perf_event_destroy will be run (since the callback wasn't
+reset).
+
+Looking at other pmu init functions, the common pattern is to only set
+the destroy callback on a successful init. Resetting the callback on
+failure tries to replicate that pattern.
+
+This was discovered after commit f11dd0d80555 ("perf/x86/amd/ibs: Extend
+PERF_PMU_CAP_NO_EXCLUDE to IBS Op") when the second (and only second)
+run of the perf tool after a reboot results in 0 samples being
+generated. The extra run of hw_perf_event_destroy results in
+active_events having an extra decrement on each perf run. The second run
+has active_events == 0 and every subsequent run has active_events < 0.
+When active_events == 0, the NMI handler will early-out and not record
+any samples.
+
+Signed-off-by: Anand K Mistry <amistry@google.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/20210929170405.1.I078b98ee7727f9ae9d6df8262bad7e325e40faf0@changeid
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c
+index 429389489eed..f612eb1cc818 100644
+--- a/arch/x86/events/core.c
++++ b/arch/x86/events/core.c
+@@ -2096,6 +2096,7 @@ static int x86_pmu_event_init(struct perf_event *event)
+ if (err) {
+ if (event->destroy)
+ event->destroy(event);
++ event->destroy = NULL;
+ }
+
+ if (READ_ONCE(x86_pmu.attr_rdpmc) &&
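Review bot: `event->destroy = NULL;` is added without a comment, and on its own it looks redundant right after the callback has been invoked. A short comment inside the `if (err)` block, e.g. `/* perf_init_event() may retry with another PMU; do not leave our destroy callback behind */`, records why it is needed. x86_pmu_event_init starts and ends outside the hunk.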
+--
+2.33.0
+
--- /dev/null
+From 578a89405be881b234bb180057b9b05e618506de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Sep 2021 15:31:11 +0200
+Subject: sched: Always inline is_percpu_thread()
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit 83d40a61046f73103b4e5d8f1310261487ff63b0 ]
+
+ vmlinux.o: warning: objtool: check_preemption_disabled()+0x81: call to is_percpu_thread() leaves .noinstr.text section
+
+Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/20210928084218.063371959@infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/sched.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/sched.h b/include/linux/sched.h
+index 5524cd5c6abe..761d0f85c4a5 100644
+--- a/include/linux/sched.h
++++ b/include/linux/sched.h
+@@ -1433,7 +1433,7 @@ extern struct pid *cad_pid;
+ #define tsk_used_math(p) ((p)->flags & PF_USED_MATH)
+ #define used_math() tsk_used_math(current)
+
+-static inline bool is_percpu_thread(void)
++static __always_inline bool is_percpu_thread(void)
+ {
+ #ifdef CONFIG_SMP
+ return (current->flags & PF_NO_SETAFFINITY) &&
+--
+2.33.0
+
--- /dev/null
+From 5519586f46de3a86680dc05004c2c98a016b4c0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Sep 2021 17:51:53 +0800
+Subject: scsi: ses: Fix unsigned comparison with less than zero
+
+From: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
+
+[ Upstream commit dd689ed5aa905daf4ba4c99319a52aad6ea0a796 ]
+
+Fix the following coccicheck warning:
+
+./drivers/scsi/ses.c:137:10-16: WARNING: Unsigned expression compared
+with zero: result > 0.
+
+Link: https://lore.kernel.org/r/1632477113-90378-1-git-send-email-jiapeng.chong@linux.alibaba.com
+Reported-by: Abaci Robot <abaci@linux.alibaba.com>
+Signed-off-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ses.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c
+index caf35ca577ce..e79d9f60a528 100644
+--- a/drivers/scsi/ses.c
++++ b/drivers/scsi/ses.c
+@@ -134,7 +134,7 @@ static int ses_recv_diag(struct scsi_device *sdev, int page_code,
+ static int ses_send_diag(struct scsi_device *sdev, int page_code,
+ void *buf, int bufflen)
+ {
+- u32 result;
++ int result;
+
+ unsigned char cmd[] = {
+ SEND_DIAGNOSTIC,
+--
+2.33.0
+
--- /dev/null
+From 74eac699ee87c1fd27d8c65e8e1346de4ea60153 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 25 Sep 2021 00:03:30 +0100
+Subject: scsi: virtio_scsi: Fix spelling mistake "Unsupport" -> "Unsupported"
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit cced4c0ec7c06f5230a2958907a409c849762293 ]
+
+There are a couple of spelling mistakes in pr_info and pr_err messages.
+Fix them.
+
+Link: https://lore.kernel.org/r/20210924230330.143785-1-colin.king@canonical.com
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/virtio_scsi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/virtio_scsi.c b/drivers/scsi/virtio_scsi.c
+index 3d331a864b2f..50e87823baab 100644
+--- a/drivers/scsi/virtio_scsi.c
++++ b/drivers/scsi/virtio_scsi.c
+@@ -336,7 +336,7 @@ static void virtscsi_handle_transport_reset(struct virtio_scsi *vscsi,
+ }
+ break;
+ default:
+- pr_info("Unsupport virtio scsi event reason %x\n", event->reason);
++ pr_info("Unsupported virtio scsi event reason %x\n", event->reason);
+ }
+ }
+
+@@ -389,7 +389,7 @@ static void virtscsi_handle_event(struct work_struct *work)
+ virtscsi_handle_param_change(vscsi, event);
+ break;
+ default:
+- pr_err("Unsupport virtio scsi event %x\n", event->event);
++ pr_err("Unsupported virtio scsi event %x\n", event->event);
+ }
+ virtscsi_kick_event(vscsi, event_node);
+ }
+--
+2.33.0
+
net-phy-bcm7xxx-fixed-indirect-mmd-operations.patch
+hid-apple-fix-logical-maximum-and-usage-maximum-of-m.patch
+netfilter-ip6_tables-zero-initialize-fragment-offset.patch
+mac80211-drop-frames-from-invalid-mac-address-in-ad-.patch
+m68k-handle-arrivals-of-multiple-signals-correctly.patch
+net-prevent-user-from-passing-illegal-stab-size.patch
+mac80211-check-return-value-of-rhashtable_init.patch
+net-sun-sunvnet_common-should-depend-on-inet.patch
+scsi-ses-fix-unsigned-comparison-with-less-than-zero.patch
+scsi-virtio_scsi-fix-spelling-mistake-unsupport-unsu.patch
+perf-x86-reset-destroy-callback-on-event-init-failur.patch
+sched-always-inline-is_percpu_thread.patch