--- /dev/null
+From da061a147e1c202000235d37d9e8b5309929b092 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Feb 2021 21:27:54 -0800
+Subject: appletalk: Fix skb allocation size in loopback case
+
+From: Doug Brown <doug@schmorgal.com>
+
+[ Upstream commit 39935dccb21c60f9bbf1bb72d22ab6fd14ae7705 ]
+
+If a DDP broadcast packet is sent out to a non-gateway target, it is
+also looped back. There is a potential for the loopback device to have a
+longer hardware header length than the original target route's device,
+which can result in the skb not being created with enough room for the
+loopback device's hardware header. This patch fixes the issue by
+determining that a loopback will be necessary prior to allocating the
+skb, and if so, ensuring the skb has enough room.
+
+This was discovered while testing a new driver that creates a LocalTalk
+network interface (LTALK_HLEN = 1). It caused an skb_under_panic.
+
+Signed-off-by: Doug Brown <doug@schmorgal.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/appletalk/ddp.c | 33 +++++++++++++++++++++------------
+ 1 file changed, 21 insertions(+), 12 deletions(-)
+
+diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c
+index 1d48708c5a2e..c94b212d8e7c 100644
+--- a/net/appletalk/ddp.c
++++ b/net/appletalk/ddp.c
+@@ -1576,8 +1576,8 @@ static int atalk_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
+ struct sk_buff *skb;
+ struct net_device *dev;
+ struct ddpehdr *ddp;
+- int size;
+- struct atalk_route *rt;
++ int size, hard_header_len;
++ struct atalk_route *rt, *rt_lo = NULL;
+ int err;
+
+ if (flags & ~(MSG_DONTWAIT|MSG_CMSG_COMPAT))
+@@ -1640,7 +1640,22 @@ static int atalk_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
+ SOCK_DEBUG(sk, "SK %p: Size needed %d, device %s\n",
+ sk, size, dev->name);
+
+- size += dev->hard_header_len;
++ hard_header_len = dev->hard_header_len;
++ /* Leave room for loopback hardware header if necessary */
++ if (usat->sat_addr.s_node == ATADDR_BCAST &&
++ (dev->flags & IFF_LOOPBACK || !(rt->flags & RTF_GATEWAY))) {
++ struct atalk_addr at_lo;
++
++ at_lo.s_node = 0;
++ at_lo.s_net = 0;
++
++ rt_lo = atrtr_find(&at_lo);
++
++ if (rt_lo && rt_lo->dev->hard_header_len > hard_header_len)
++ hard_header_len = rt_lo->dev->hard_header_len;
++ }
++
++ size += hard_header_len;
+ release_sock(sk);
+ skb = sock_alloc_send_skb(sk, size, (flags & MSG_DONTWAIT), &err);
+ lock_sock(sk);
+@@ -1648,7 +1663,7 @@ static int atalk_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
+ goto out;
+
+ skb_reserve(skb, ddp_dl->header_length);
+- skb_reserve(skb, dev->hard_header_len);
++ skb_reserve(skb, hard_header_len);
+ skb->dev = dev;
+
+ SOCK_DEBUG(sk, "SK %p: Begin build.\n", sk);
+@@ -1699,18 +1714,12 @@ static int atalk_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
+ /* loop back */
+ skb_orphan(skb);
+ if (ddp->deh_dnode == ATADDR_BCAST) {
+- struct atalk_addr at_lo;
+-
+- at_lo.s_node = 0;
+- at_lo.s_net = 0;
+-
+- rt = atrtr_find(&at_lo);
+- if (!rt) {
++ if (!rt_lo) {
+ kfree_skb(skb);
+ err = -ENETUNREACH;
+ goto out;
+ }
+- dev = rt->dev;
++ dev = rt_lo->dev;
+ skb->dev = dev;
+ }
+ ddp_dl->request(ddp_dl, skb, dev->dev_addr);
+--
+2.30.1
+
--- /dev/null
+From 15a10a0b8e4344981f1516fb5be91395237cbd3a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Feb 2021 14:21:07 -0700
+Subject: ath10k: hold RCU lock when calling ieee80211_find_sta_by_ifaddr()
+
+From: Shuah Khan <skhan@linuxfoundation.org>
+
+[ Upstream commit 09078368d516918666a0122f2533dc73676d3d7e ]
+
+ieee80211_find_sta_by_ifaddr() must be called under the RCU lock and
+the resulting pointer is only valid under RCU lock as well.
+
+Fix ath10k_wmi_tlv_op_pull_peer_stats_info() to hold RCU lock before it
+calls ieee80211_find_sta_by_ifaddr() and release it when the resulting
+pointer is no longer needed.
+
+This problem was found while reviewing code to debug RCU warn from
+ath10k_wmi_tlv_parse_peer_stats_info().
+
+Link: https://lore.kernel.org/linux-wireless/7230c9e5-2632-b77e-c4f9-10eca557a5bb@linuxfoundation.org/
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210210212107.40373-1-skhan@linuxfoundation.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/wmi-tlv.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/wmi-tlv.c b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
+index e6135795719a..e7072fc4f487 100644
+--- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c
++++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
+@@ -576,13 +576,13 @@ static void ath10k_wmi_event_tdls_peer(struct ath10k *ar, struct sk_buff *skb)
+ case WMI_TDLS_TEARDOWN_REASON_TX:
+ case WMI_TDLS_TEARDOWN_REASON_RSSI:
+ case WMI_TDLS_TEARDOWN_REASON_PTR_TIMEOUT:
++ rcu_read_lock();
+ station = ieee80211_find_sta_by_ifaddr(ar->hw,
+ ev->peer_macaddr.addr,
+ NULL);
+ if (!station) {
+ ath10k_warn(ar, "did not find station from tdls peer event");
+- kfree(tb);
+- return;
++ goto exit;
+ }
+ arvif = ath10k_get_arvif(ar, __le32_to_cpu(ev->vdev_id));
+ ieee80211_tdls_oper_request(
+@@ -593,6 +593,9 @@ static void ath10k_wmi_event_tdls_peer(struct ath10k *ar, struct sk_buff *skb)
+ );
+ break;
+ }
++
++exit:
++ rcu_read_unlock();
+ kfree(tb);
+ }
+
+--
+2.30.1
+
--- /dev/null
+From d7d1c33598bafb90c832308946ab0ed5cd141158 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Jan 2021 18:26:00 +0200
+Subject: ath11k: add ieee80211_unregister_hw to avoid kernel crash caused by
+ NULL pointer
+
+From: Wen Gong <wgong@codeaurora.org>
+
+[ Upstream commit 0d96968315d7ffbd70d608b29e9bea084210b96d ]
+
+When function return fail to __ath11k_mac_register after success called
+ieee80211_register_hw, then it set wiphy->dev.parent to NULL by
+SET_IEEE80211_DEV(ar->hw, NULL) in end of __ath11k_mac_register, then
+cfg80211_get_drvinfo will be called by below call stack, but the
+wiphy->dev.parent is NULL, so kernel crash.
+
+Call stack to cfg80211_get_drvinfo:
+NetworkManager 826 [001] 6696.731371: probe:cfg80211_get_drvinfo: (ffffffffc107d8f0)
+ ffffffffc107d8f1 cfg80211_get_drvinfo+0x1 (/lib/modules/5.10.0-rc1-wt-ath+/kernel/net/wireless-back/cfg80211.ko)
+ ffffffff9d8fc529 ethtool_get_drvinfo+0x99 (vmlinux)
+ ffffffff9d90080e dev_ethtool+0x1dbe (vmlinux)
+ ffffffff9d8b88f7 dev_ioctl+0xb7 (vmlinux)
+ ffffffff9d8668de sock_do_ioctl+0xae (vmlinux)
+ ffffffff9d866d60 sock_ioctl+0x350 (vmlinux)
+ ffffffff9d2ca30e __x64_sys_ioctl+0x8e (vmlinux)
+ ffffffff9da0dda3 do_syscall_64+0x33 (vmlinux)
+ ffffffff9dc0008c entry_SYSCALL_64_after_hwframe+0x44 (vmlinux)
+ 7feb5f673007 __GI___ioctl+0x7 (/lib/x86_64-linux-gnu/libc-2.23.so)
+ 0 [unknown] ([unknown])
+
+Code of cfg80211_get_drvinfo, the pdev which is wiphy->dev.parent is
+NULL when kernel crash:
+void cfg80211_get_drvinfo(struct net_device *dev, struct ethtool_drvinfo *info)
+{
+ struct wireless_dev *wdev = dev->ieee80211_ptr;
+ struct device *pdev = wiphy_dev(wdev->wiphy);
+
+ if (pdev->driver)
+....
+
+kernel crash log:
+[ 973.619550] ath11k_pci 0000:05:00.0: failed to perform regd update : -16
+[ 973.619555] ath11k_pci 0000:05:00.0: ath11k regd update failed: -16
+[ 973.619566] ath11k_pci 0000:05:00.0: failed register the radio with mac80211: -16
+[ 973.619618] ath11k_pci 0000:05:00.0: failed to create pdev core: -16
+[ 973.636035] BUG: kernel NULL pointer dereference, address: 0000000000000068
+[ 973.636046] #PF: supervisor read access in kernel mode
+[ 973.636050] #PF: error_code(0x0000) - not-present page
+[ 973.636054] PGD 800000012452e067 P4D 800000012452e067 PUD 12452d067 PMD 0
+[ 973.636064] Oops: 0000 [#1] SMP PTI
+[ 973.636072] CPU: 3 PID: 848 Comm: NetworkManager Kdump: loaded Tainted: G W OE 5.10.0-rc1-wt-ath+ #24
+[ 973.636076] Hardware name: LENOVO 418065C/418065C, BIOS 83ET63WW (1.33 ) 07/29/2011
+[ 973.636161] RIP: 0010:cfg80211_get_drvinfo+0x25/0xd0 [cfg80211]
+[ 973.636169] Code: e9 c9 fe ff ff 66 66 66 66 90 55 53 ba 20 00 00 00 48 8b af 08 03 00 00 48 89 f3 48 8d 7e 04 48 8b 45 00 48 8b 80 90 01 00 00 <48> 8b 40 68 48 85 c0 0f 84 8d 00 00 00 48 8b 30 e8 a6 cc 72 c7 48
+[ 973.636174] RSP: 0018:ffffaafb4040bbe0 EFLAGS: 00010286
+[ 973.636180] RAX: 0000000000000000 RBX: ffffaafb4040bbfc RCX: 0000000000000000
+[ 973.636184] RDX: 0000000000000020 RSI: ffffaafb4040bbfc RDI: ffffaafb4040bc00
+[ 973.636188] RBP: ffff8a84c9568950 R08: 722d302e30312e35 R09: 74612d74772d3163
+[ 973.636192] R10: 3163722d302e3031 R11: 2b6874612d74772d R12: ffffaafb4040bbfc
+[ 973.636196] R13: 00007ffe453707c0 R14: ffff8a84c9568000 R15: 0000000000000000
+[ 973.636202] FS: 00007fd3d179b940(0000) GS:ffff8a84fa2c0000(0000) knlGS:0000000000000000
+[ 973.636206] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 973.636211] CR2: 0000000000000068 CR3: 00000001153b6002 CR4: 00000000000606e0
+[ 973.636215] Call Trace:
+[ 973.636234] ethtool_get_drvinfo+0x99/0x1f0
+[ 973.636246] dev_ethtool+0x1dbe/0x2be0
+[ 973.636256] ? mntput_no_expire+0x35/0x220
+[ 973.636264] ? inet_ioctl+0x1ce/0x200
+[ 973.636274] ? tomoyo_path_number_perm+0x68/0x1d0
+[ 973.636282] ? kmem_cache_alloc+0x3cb/0x430
+[ 973.636290] ? dev_ioctl+0xb7/0x570
+[ 973.636295] dev_ioctl+0xb7/0x570
+[ 973.636307] sock_do_ioctl+0xae/0x150
+[ 973.636315] ? sock_ioctl+0x350/0x3c0
+[ 973.636319] sock_ioctl+0x350/0x3c0
+[ 973.636332] ? __x64_sys_ioctl+0x8e/0xd0
+[ 973.636339] ? dlci_ioctl_set+0x30/0x30
+[ 973.636346] __x64_sys_ioctl+0x8e/0xd0
+[ 973.636359] do_syscall_64+0x33/0x80
+[ 973.636368] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Sequence of function call when wlan load for success case when function
+__ath11k_mac_register return 0:
+
+kworker/u16:3-e 2922 [001] 6696.729734: probe:ieee80211_register_hw: (ffffffffc116ae60)
+kworker/u16:3-e 2922 [001] 6696.730210: probe:ieee80211_if_add: (ffffffffc1185cc0)
+NetworkManager 826 [001] 6696.731345: probe:ethtool_get_drvinfo: (ffffffff9d8fc490)
+NetworkManager 826 [001] 6696.731371: probe:cfg80211_get_drvinfo: (ffffffffc107d8f0)
+NetworkManager 826 [001] 6696.731639: probe:ethtool_get_drvinfo: (ffffffff9d8fc490)
+NetworkManager 826 [001] 6696.731653: probe:cfg80211_get_drvinfo: (ffffffffc107d8f0)
+NetworkManager 826 [001] 6696.732866: probe:ethtool_get_drvinfo: (ffffffff9d8fc490)
+NetworkManager 826 [001] 6696.732893: probe:cfg80211_get_drvinfo: (ffffffffc107d8f0)
+systemd-udevd 3850 [003] 6696.737199: probe:ethtool_get_drvinfo: (ffffffff9d8fc490)
+systemd-udevd 3850 [003] 6696.737226: probe:cfg80211_get_drvinfo: (ffffffffc107d8f0)
+NetworkManager 826 [000] 6696.759950: probe:ethtool_get_drvinfo: (ffffffff9d8fc490)
+NetworkManager 826 [000] 6696.759967: probe:cfg80211_get_drvinfo: (ffffffffc107d8f0)
+NetworkManager 826 [000] 6696.760057: probe:ethtool_get_drvinfo: (ffffffff9d8fc490)
+NetworkManager 826 [000] 6696.760062: probe:cfg80211_get_drvinfo: (ffffffffc107d8f0)
+
+After apply this patch, kernel crash gone, and below is the test case's
+sequence of function call and log when wlan load with fail by function
+ath11k_regd_update, and __ath11k_mac_register return fail:
+
+kworker/u16:5-e 192 [001] 215.174388: probe:ieee80211_register_hw: (ffffffffc1131e60)
+kworker/u16:5-e 192 [000] 215.174973: probe:ieee80211_if_add: (ffffffffc114ccc0)
+NetworkManager 846 [001] 215.175857: probe:ethtool_get_drvinfo: (ffffffff928fc490)
+kworker/u16:5-e 192 [000] 215.175867: probe:ieee80211_unregister_hw: (ffffffffc1131970)
+NetworkManager 846 [001] 215.175880: probe:cfg80211_get_drvinfo: (ffffffffc107f8f0)
+NetworkManager 846 [001] 215.176105: probe:ethtool_get_drvinfo: (ffffffff928fc490)
+NetworkManager 846 [001] 215.176118: probe:cfg80211_get_drvinfo: (ffffffffc107f8f0)
+[ 215.175859] ath11k_pci 0000:05:00.0: ath11k regd update failed: -16
+NetworkManager 846 [001] 215.196420: probe:ethtool_get_drvinfo: (ffffffff928fc490)
+NetworkManager 846 [001] 215.196430: probe:cfg80211_get_drvinfo: (ffffffffc107f8f0)
+[ 215.258598] ath11k_pci 0000:05:00.0: failed register the radio with mac80211: -16
+[ 215.258613] ath11k_pci 0000:05:00.0: failed to create pdev core: -16
+
+When ath11k_regd_update or ath11k_debugfs_register return fail, function
+ieee80211_unregister_hw of mac80211 will be called, then it will wait
+untill cfg80211_get_drvinfo finished, the wiphy->dev.parent is not NULL
+at this moment, after that, it set wiphy->dev.parent to NULL by
+SET_IEEE80211_DEV(ar->hw, NULL) in end of __ath11k_mac_register, so
+not happen kernel crash.
+
+Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1
+Signed-off-by: Wen Gong <wgong@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/1608607824-16067-1-git-send-email-wgong@codeaurora.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/mac.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
+index ee0edd918560..e9e6b0c4de22 100644
+--- a/drivers/net/wireless/ath/ath11k/mac.c
++++ b/drivers/net/wireless/ath/ath11k/mac.c
+@@ -6317,17 +6317,20 @@ static int __ath11k_mac_register(struct ath11k *ar)
+ ret = ath11k_regd_update(ar, true);
+ if (ret) {
+ ath11k_err(ar->ab, "ath11k regd update failed: %d\n", ret);
+- goto err_free_if_combs;
++ goto err_unregister_hw;
+ }
+
+ ret = ath11k_debugfs_register(ar);
+ if (ret) {
+ ath11k_err(ar->ab, "debugfs registration failed: %d\n", ret);
+- goto err_free_if_combs;
++ goto err_unregister_hw;
+ }
+
+ return 0;
+
++err_unregister_hw:
++ ieee80211_unregister_hw(ar->hw);
++
+ err_free_if_combs:
+ kfree(ar->hw->wiphy->iface_combinations[0].limits);
+ kfree(ar->hw->wiphy->iface_combinations);
+--
+2.30.1
+
--- /dev/null
+From 7b76bd454e8f94f1b457c31ed51c515979253aaa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Dec 2020 11:51:59 +0100
+Subject: brcmfmac: clear EAP/association status bits on linkdown events
+
+From: Luca Pesce <luca.pesce@vimar.com>
+
+[ Upstream commit e862a3e4088070de352fdafe9bd9e3ae0a95a33c ]
+
+This ensure that previous association attempts do not leave stale statuses
+on subsequent attempts.
+
+This fixes the WARN_ON(!cr->bss)) from __cfg80211_connect_result() when
+connecting to an AP after a previous connection failure (e.g. where EAP fails
+due to incorrect psk but association succeeded). In some scenarios, indeed,
+brcmf_is_linkup() was reporting a link up event too early due to stale
+BRCMF_VIF_STATUS_ASSOC_SUCCESS bit, thus reporting to cfg80211 a connection
+result with a zeroed bssid (vif->profile.bssid is still empty), causing the
+WARN_ON due to the call to cfg80211_get_bss() with the empty bssid.
+
+Signed-off-by: Luca Pesce <luca.pesce@vimar.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/1608807119-21785-1-git-send-email-luca.pesce@vimar.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+index 0ee421f30aa2..23e6422c2251 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -5611,7 +5611,8 @@ static bool brcmf_is_linkup(struct brcmf_cfg80211_vif *vif,
+ return false;
+ }
+
+-static bool brcmf_is_linkdown(const struct brcmf_event_msg *e)
++static bool brcmf_is_linkdown(struct brcmf_cfg80211_vif *vif,
++ const struct brcmf_event_msg *e)
+ {
+ u32 event = e->event_code;
+ u16 flags = e->flags;
+@@ -5620,6 +5621,8 @@ static bool brcmf_is_linkdown(const struct brcmf_event_msg *e)
+ (event == BRCMF_E_DISASSOC_IND) ||
+ ((event == BRCMF_E_LINK) && (!(flags & BRCMF_EVENT_MSG_LINK)))) {
+ brcmf_dbg(CONN, "Processing link down\n");
++ clear_bit(BRCMF_VIF_STATUS_EAP_SUCCESS, &vif->sme_state);
++ clear_bit(BRCMF_VIF_STATUS_ASSOC_SUCCESS, &vif->sme_state);
+ return true;
+ }
+ return false;
+@@ -6067,7 +6070,7 @@ brcmf_notify_connect_status(struct brcmf_if *ifp,
+ } else
+ brcmf_bss_connect_done(cfg, ndev, e, true);
+ brcmf_net_setcarrier(ifp, true);
+- } else if (brcmf_is_linkdown(e)) {
++ } else if (brcmf_is_linkdown(ifp->vif, e)) {
+ brcmf_dbg(CONN, "Linkdown\n");
+ if (!brcmf_is_ibssmode(ifp->vif) &&
+ test_bit(BRCMF_VIF_STATUS_CONNECTED,
+--
+2.30.1
+
--- /dev/null
+From eebb01dbb93ae757a6f2773576cdc92e06f85dd0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Jan 2021 15:19:17 +0100
+Subject: can: dev: move driver related infrastructure into separate subdir
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+[ Upstream commit 3e77f70e734584e0ad1038e459ed3fd2400f873a ]
+
+This patch moves the CAN driver related infrastructure into a separate subdir.
+It will be split into more files in the coming patches.
+
+Reviewed-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+Link: https://lore.kernel.org/r/20210111141930.693847-3-mkl@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/Makefile | 7 +------
+ drivers/net/can/dev/Makefile | 7 +++++++
+ drivers/net/can/{ => dev}/dev.c | 0
+ drivers/net/can/{ => dev}/rx-offload.c | 0
+ 4 files changed, 8 insertions(+), 6 deletions(-)
+ create mode 100644 drivers/net/can/dev/Makefile
+ rename drivers/net/can/{ => dev}/dev.c (100%)
+ rename drivers/net/can/{ => dev}/rx-offload.c (100%)
+
+diff --git a/drivers/net/can/Makefile b/drivers/net/can/Makefile
+index 22164300122d..a2b4463d8480 100644
+--- a/drivers/net/can/Makefile
++++ b/drivers/net/can/Makefile
+@@ -7,12 +7,7 @@ obj-$(CONFIG_CAN_VCAN) += vcan.o
+ obj-$(CONFIG_CAN_VXCAN) += vxcan.o
+ obj-$(CONFIG_CAN_SLCAN) += slcan.o
+
+-obj-$(CONFIG_CAN_DEV) += can-dev.o
+-can-dev-y += dev.o
+-can-dev-y += rx-offload.o
+-
+-can-dev-$(CONFIG_CAN_LEDS) += led.o
+-
++obj-y += dev/
+ obj-y += rcar/
+ obj-y += spi/
+ obj-y += usb/
+diff --git a/drivers/net/can/dev/Makefile b/drivers/net/can/dev/Makefile
+new file mode 100644
+index 000000000000..cba92e6bcf6f
+--- /dev/null
++++ b/drivers/net/can/dev/Makefile
+@@ -0,0 +1,7 @@
++# SPDX-License-Identifier: GPL-2.0
++
++obj-$(CONFIG_CAN_DEV) += can-dev.o
++can-dev-y += dev.o
++can-dev-y += rx-offload.o
++
++can-dev-$(CONFIG_CAN_LEDS) += led.o
+diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev/dev.c
+similarity index 100%
+rename from drivers/net/can/dev.c
+rename to drivers/net/can/dev/dev.c
+diff --git a/drivers/net/can/rx-offload.c b/drivers/net/can/dev/rx-offload.c
+similarity index 100%
+rename from drivers/net/can/rx-offload.c
+rename to drivers/net/can/dev/rx-offload.c
+--
+2.30.1
+
--- /dev/null
+From fab46458e983fe1c37b8d1ed31f85cf90abba6e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Mar 2021 19:13:21 -0400
+Subject: can: tcan4x5x: fix max register value
+
+[ Upstream commit 6e1caaf8ed22eb700cc47ec353816eee33186c1c ]
+
+This patch fixes the max register value for the regmap.
+
+Reviewed-by: Dan Murphy <dmurphy@ti.com>
+Tested-by: Sean Nyekjaer <sean@geanix.com>
+Link: https://lore.kernel.org/r/20201215231746.1132907-12-mkl@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/m_can/tcan4x5x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/m_can/tcan4x5x.c b/drivers/net/can/m_can/tcan4x5x.c
+index 01f5b6e03a2d..f169d9090e52 100644
+--- a/drivers/net/can/m_can/tcan4x5x.c
++++ b/drivers/net/can/m_can/tcan4x5x.c
+@@ -88,7 +88,7 @@
+
+ #define TCAN4X5X_MRAM_START 0x8000
+ #define TCAN4X5X_MCAN_OFFSET 0x1000
+-#define TCAN4X5X_MAX_REGISTER 0x8fff
++#define TCAN4X5X_MAX_REGISTER 0x8ffc
+
+ #define TCAN4X5X_CLEAR_ALL_INT 0xffffffff
+ #define TCAN4X5X_SET_ALL_INT 0xffffffff
+--
+2.30.1
+
--- /dev/null
+From 198f458bb82e081d097aada4ee828b2f8a9df267 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Feb 2021 16:12:25 +0100
+Subject: flow_dissector: fix TTL and TOS dissection on IPv4 fragments
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+[ Upstream commit d2126838050ccd1dadf310ffb78b2204f3b032b9 ]
+
+the following command:
+
+ # tc filter add dev $h2 ingress protocol ip pref 1 handle 101 flower \
+ $tcflags dst_ip 192.0.2.2 ip_ttl 63 action drop
+
+doesn't drop all IPv4 packets that match the configured TTL / destination
+address. In particular, if "fragment offset" or "more fragments" have non
+zero value in the IPv4 header, setting of FLOW_DISSECTOR_KEY_IP is simply
+ignored. Fix this dissecting IPv4 TTL and TOS before fragment info; while
+at it, add a selftest for tc flower's match on 'ip_ttl' that verifies the
+correct behavior.
+
+Fixes: 518d8a2e9bad ("net/flow_dissector: add support for dissection of misc ip header fields")
+Reported-by: Shuang Li <shuali@redhat.com>
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/flow_dissector.c | 6 +--
+ .../selftests/net/forwarding/tc_flower.sh | 38 ++++++++++++++++++-
+ 2 files changed, 40 insertions(+), 4 deletions(-)
+
+diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
+index c79be25b2e0c..d48b37b15b27 100644
+--- a/net/core/flow_dissector.c
++++ b/net/core/flow_dissector.c
+@@ -1050,6 +1050,9 @@ proto_again:
+ key_control->addr_type = FLOW_DISSECTOR_KEY_IPV4_ADDRS;
+ }
+
++ __skb_flow_dissect_ipv4(skb, flow_dissector,
++ target_container, data, iph);
++
+ if (ip_is_fragment(iph)) {
+ key_control->flags |= FLOW_DIS_IS_FRAGMENT;
+
+@@ -1066,9 +1069,6 @@ proto_again:
+ }
+ }
+
+- __skb_flow_dissect_ipv4(skb, flow_dissector,
+- target_container, data, iph);
+-
+ break;
+ }
+ case htons(ETH_P_IPV6): {
+diff --git a/tools/testing/selftests/net/forwarding/tc_flower.sh b/tools/testing/selftests/net/forwarding/tc_flower.sh
+index 058c746ee300..b11d8e6b5bc1 100755
+--- a/tools/testing/selftests/net/forwarding/tc_flower.sh
++++ b/tools/testing/selftests/net/forwarding/tc_flower.sh
+@@ -3,7 +3,7 @@
+
+ ALL_TESTS="match_dst_mac_test match_src_mac_test match_dst_ip_test \
+ match_src_ip_test match_ip_flags_test match_pcp_test match_vlan_test \
+- match_ip_tos_test match_indev_test"
++ match_ip_tos_test match_indev_test match_ip_ttl_test"
+ NUM_NETIFS=2
+ source tc_common.sh
+ source lib.sh
+@@ -310,6 +310,42 @@ match_ip_tos_test()
+ log_test "ip_tos match ($tcflags)"
+ }
+
++match_ip_ttl_test()
++{
++ RET=0
++
++ tc filter add dev $h2 ingress protocol ip pref 1 handle 101 flower \
++ $tcflags dst_ip 192.0.2.2 ip_ttl 63 action drop
++ tc filter add dev $h2 ingress protocol ip pref 2 handle 102 flower \
++ $tcflags dst_ip 192.0.2.2 action drop
++
++ $MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
++ -t ip "ttl=63" -q
++
++ $MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
++ -t ip "ttl=63,mf,frag=256" -q
++
++ tc_check_packets "dev $h2 ingress" 102 1
++ check_fail $? "Matched on the wrong filter (no check on ttl)"
++
++ tc_check_packets "dev $h2 ingress" 101 2
++ check_err $? "Did not match on correct filter (ttl=63)"
++
++ $MZ $h1 -c 1 -p 64 -a $h1mac -b $h2mac -A 192.0.2.1 -B 192.0.2.2 \
++ -t ip "ttl=255" -q
++
++ tc_check_packets "dev $h2 ingress" 101 3
++ check_fail $? "Matched on a wrong filter (ttl=63)"
++
++ tc_check_packets "dev $h2 ingress" 102 1
++ check_err $? "Did not match on correct filter (no check on ttl)"
++
++ tc filter del dev $h2 ingress protocol ip pref 2 handle 102 flower
++ tc filter del dev $h2 ingress protocol ip pref 1 handle 101 flower
++
++ log_test "ip_ttl match ($tcflags)"
++}
++
+ match_indev_test()
+ {
+ RET=0
+--
+2.30.1
+
--- /dev/null
+From a74785f9c8b260962cf44f1d3a8a2ccf8567d999 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Feb 2021 13:56:27 +0200
+Subject: iwlwifi: pcie: don't disable interrupts for reg_lock
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 874020f8adce535cd318af1768ffe744251b6593 ]
+
+The only thing we do touching the device in hard interrupt context
+is, at most, writing an interrupt ACK register, which isn't racing
+in with anything protected by the reg_lock.
+
+Thus, avoid disabling interrupts here for potentially long periods
+of time, particularly long periods have been observed with dumping
+of firmware memory (leading to lockup warnings on some devices.)
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Link: https://lore.kernel.org/r/iwlwifi.20210210135352.da916ab91298.I064c3e7823b616647293ed97da98edefb9ce9435@changeid
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/intel/iwlwifi/pcie/trans.c | 11 +++++-----
+ .../net/wireless/intel/iwlwifi/pcie/tx-gen2.c | 5 ++---
+ drivers/net/wireless/intel/iwlwifi/pcie/tx.c | 22 ++++++++-----------
+ 3 files changed, 16 insertions(+), 22 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
+index 1a222469b5b4..bb990be7c870 100644
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
+@@ -2026,7 +2026,7 @@ static bool iwl_trans_pcie_grab_nic_access(struct iwl_trans *trans,
+ int ret;
+ struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans);
+
+- spin_lock_irqsave(&trans_pcie->reg_lock, *flags);
++ spin_lock_bh(&trans_pcie->reg_lock);
+
+ if (trans_pcie->cmd_hold_nic_awake)
+ goto out;
+@@ -2111,7 +2111,7 @@ static bool iwl_trans_pcie_grab_nic_access(struct iwl_trans *trans,
+ }
+
+ err:
+- spin_unlock_irqrestore(&trans_pcie->reg_lock, *flags);
++ spin_unlock_bh(&trans_pcie->reg_lock);
+ return false;
+ }
+
+@@ -2149,7 +2149,7 @@ static void iwl_trans_pcie_release_nic_access(struct iwl_trans *trans,
+ * scheduled on different CPUs (after we drop reg_lock).
+ */
+ out:
+- spin_unlock_irqrestore(&trans_pcie->reg_lock, *flags);
++ spin_unlock_bh(&trans_pcie->reg_lock);
+ }
+
+ static int iwl_trans_pcie_read_mem(struct iwl_trans *trans, u32 addr,
+@@ -2403,11 +2403,10 @@ static void iwl_trans_pcie_set_bits_mask(struct iwl_trans *trans, u32 reg,
+ u32 mask, u32 value)
+ {
+ struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans);
+- unsigned long flags;
+
+- spin_lock_irqsave(&trans_pcie->reg_lock, flags);
++ spin_lock_bh(&trans_pcie->reg_lock);
+ __iwl_trans_pcie_set_bits_mask(trans, reg, mask, value);
+- spin_unlock_irqrestore(&trans_pcie->reg_lock, flags);
++ spin_unlock_bh(&trans_pcie->reg_lock);
+ }
+
+ static const char *get_csr_string(int cmd)
+diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c b/drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c
+index baa83a0b8593..8c7138247869 100644
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c
+@@ -78,7 +78,6 @@ static int iwl_pcie_gen2_enqueue_hcmd(struct iwl_trans *trans,
+ struct iwl_txq *txq = trans->txqs.txq[trans->txqs.cmd.q_id];
+ struct iwl_device_cmd *out_cmd;
+ struct iwl_cmd_meta *out_meta;
+- unsigned long flags;
+ void *dup_buf = NULL;
+ dma_addr_t phys_addr;
+ int i, cmd_pos, idx;
+@@ -291,11 +290,11 @@ static int iwl_pcie_gen2_enqueue_hcmd(struct iwl_trans *trans,
+ if (txq->read_ptr == txq->write_ptr && txq->wd_timeout)
+ mod_timer(&txq->stuck_timer, jiffies + txq->wd_timeout);
+
+- spin_lock_irqsave(&trans_pcie->reg_lock, flags);
++ spin_lock(&trans_pcie->reg_lock);
+ /* Increment and update queue's write index */
+ txq->write_ptr = iwl_txq_inc_wrap(trans, txq->write_ptr);
+ iwl_txq_inc_wr_ptr(trans, txq);
+- spin_unlock_irqrestore(&trans_pcie->reg_lock, flags);
++ spin_unlock(&trans_pcie->reg_lock);
+
+ out:
+ spin_unlock_bh(&txq->lock);
+diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/tx.c b/drivers/net/wireless/intel/iwlwifi/pcie/tx.c
+index ed54d04e4396..50133c09a780 100644
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/tx.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/tx.c
+@@ -321,12 +321,10 @@ static void iwl_pcie_txq_unmap(struct iwl_trans *trans, int txq_id)
+ txq->read_ptr = iwl_txq_inc_wrap(trans, txq->read_ptr);
+
+ if (txq->read_ptr == txq->write_ptr) {
+- unsigned long flags;
+-
+- spin_lock_irqsave(&trans_pcie->reg_lock, flags);
++ spin_lock(&trans_pcie->reg_lock);
+ if (txq_id == trans->txqs.cmd.q_id)
+ iwl_pcie_clear_cmd_in_flight(trans);
+- spin_unlock_irqrestore(&trans_pcie->reg_lock, flags);
++ spin_unlock(&trans_pcie->reg_lock);
+ }
+ }
+
+@@ -931,7 +929,6 @@ static void iwl_pcie_cmdq_reclaim(struct iwl_trans *trans, int txq_id, int idx)
+ {
+ struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans);
+ struct iwl_txq *txq = trans->txqs.txq[txq_id];
+- unsigned long flags;
+ int nfreed = 0;
+ u16 r;
+
+@@ -962,9 +959,10 @@ static void iwl_pcie_cmdq_reclaim(struct iwl_trans *trans, int txq_id, int idx)
+ }
+
+ if (txq->read_ptr == txq->write_ptr) {
+- spin_lock_irqsave(&trans_pcie->reg_lock, flags);
++ /* BHs are also disabled due to txq->lock */
++ spin_lock(&trans_pcie->reg_lock);
+ iwl_pcie_clear_cmd_in_flight(trans);
+- spin_unlock_irqrestore(&trans_pcie->reg_lock, flags);
++ spin_unlock(&trans_pcie->reg_lock);
+ }
+
+ iwl_pcie_txq_progress(txq);
+@@ -1173,7 +1171,6 @@ static int iwl_pcie_enqueue_hcmd(struct iwl_trans *trans,
+ struct iwl_txq *txq = trans->txqs.txq[trans->txqs.cmd.q_id];
+ struct iwl_device_cmd *out_cmd;
+ struct iwl_cmd_meta *out_meta;
+- unsigned long flags;
+ void *dup_buf = NULL;
+ dma_addr_t phys_addr;
+ int idx;
+@@ -1416,20 +1413,19 @@ static int iwl_pcie_enqueue_hcmd(struct iwl_trans *trans,
+ if (txq->read_ptr == txq->write_ptr && txq->wd_timeout)
+ mod_timer(&txq->stuck_timer, jiffies + txq->wd_timeout);
+
+- spin_lock_irqsave(&trans_pcie->reg_lock, flags);
++ spin_lock(&trans_pcie->reg_lock);
+ ret = iwl_pcie_set_cmd_in_flight(trans, cmd);
+ if (ret < 0) {
+ idx = ret;
+- spin_unlock_irqrestore(&trans_pcie->reg_lock, flags);
+- goto out;
++ goto unlock_reg;
+ }
+
+ /* Increment and update queue's write index */
+ txq->write_ptr = iwl_txq_inc_wrap(trans, txq->write_ptr);
+ iwl_pcie_txq_inc_wr_ptr(trans, txq);
+
+- spin_unlock_irqrestore(&trans_pcie->reg_lock, flags);
+-
++ unlock_reg:
++ spin_unlock(&trans_pcie->reg_lock);
+ out:
+ spin_unlock_bh(&txq->lock);
+ free_dup_buf:
+--
+2.30.1
+
--- /dev/null
+From d7b8e1dc18c7c96e14100ca0517e1f55f75a3206 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Mar 2021 17:19:32 +0800
+Subject: net: 9p: advance iov on empty read
+
+From: Jisheng Zhang <Jisheng.Zhang@synaptics.com>
+
+[ Upstream commit d65614a01d24704b016635abf5cc028a54e45a62 ]
+
+I met below warning when cating a small size(about 80bytes) txt file
+on 9pfs(msize=2097152 is passed to 9p mount option), the reason is we
+miss iov_iter_advance() if the read count is 0 for zerocopy case, so
+we didn't truncate the pipe, then iov_iter_pipe() thinks the pipe is
+full. Fix it by removing the exception for 0 to ensure to call
+iov_iter_advance() even on empty read for zerocopy case.
+
+[ 8.279568] WARNING: CPU: 0 PID: 39 at lib/iov_iter.c:1203 iov_iter_pipe+0x31/0x40
+[ 8.280028] Modules linked in:
+[ 8.280561] CPU: 0 PID: 39 Comm: cat Not tainted 5.11.0+ #6
+[ 8.281260] RIP: 0010:iov_iter_pipe+0x31/0x40
+[ 8.281974] Code: 2b 42 54 39 42 5c 76 22 c7 07 20 00 00 00 48 89 57 18 8b 42 50 48 c7 47 08 b
+[ 8.283169] RSP: 0018:ffff888000cbbd80 EFLAGS: 00000246
+[ 8.283512] RAX: 0000000000000010 RBX: ffff888000117d00 RCX: 0000000000000000
+[ 8.283876] RDX: ffff88800031d600 RSI: 0000000000000000 RDI: ffff888000cbbd90
+[ 8.284244] RBP: ffff888000cbbe38 R08: 0000000000000000 R09: ffff8880008d2058
+[ 8.284605] R10: 0000000000000002 R11: ffff888000375510 R12: 0000000000000050
+[ 8.284964] R13: ffff888000cbbe80 R14: 0000000000000050 R15: ffff88800031d600
+[ 8.285439] FS: 00007f24fd8af600(0000) GS:ffff88803ec00000(0000) knlGS:0000000000000000
+[ 8.285844] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 8.286150] CR2: 00007f24fd7d7b90 CR3: 0000000000c97000 CR4: 00000000000406b0
+[ 8.286710] Call Trace:
+[ 8.288279] generic_file_splice_read+0x31/0x1a0
+[ 8.289273] ? do_splice_to+0x2f/0x90
+[ 8.289511] splice_direct_to_actor+0xcc/0x220
+[ 8.289788] ? pipe_to_sendpage+0xa0/0xa0
+[ 8.290052] do_splice_direct+0x8b/0xd0
+[ 8.290314] do_sendfile+0x1ad/0x470
+[ 8.290576] do_syscall_64+0x2d/0x40
+[ 8.290818] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 8.291409] RIP: 0033:0x7f24fd7dca0a
+[ 8.292511] Code: c3 0f 1f 80 00 00 00 00 4c 89 d2 4c 89 c6 e9 bd fd ff ff 0f 1f 44 00 00 31 8
+[ 8.293360] RSP: 002b:00007ffc20932818 EFLAGS: 00000206 ORIG_RAX: 0000000000000028
+[ 8.293800] RAX: ffffffffffffffda RBX: 0000000001000000 RCX: 00007f24fd7dca0a
+[ 8.294153] RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000001
+[ 8.294504] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
+[ 8.294867] R10: 0000000001000000 R11: 0000000000000206 R12: 0000000000000003
+[ 8.295217] R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000000
+[ 8.295782] ---[ end trace 63317af81b3ca24b ]---
+
+Signed-off-by: Jisheng Zhang <Jisheng.Zhang@synaptics.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/9p/client.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/net/9p/client.c b/net/9p/client.c
+index 09f1ec589b80..eb42bbb72f52 100644
+--- a/net/9p/client.c
++++ b/net/9p/client.c
+@@ -1617,10 +1617,6 @@ p9_client_read_once(struct p9_fid *fid, u64 offset, struct iov_iter *to,
+ }
+
+ p9_debug(P9_DEBUG_9P, "<<< RREAD count %d\n", count);
+- if (!count) {
+- p9_tag_remove(clnt, req);
+- return 0;
+- }
+
+ if (non_zc) {
+ int n = copy_to_iter(dataptr, count, to);
+--
+2.30.1
+
--- /dev/null
+From c3d1b0938b2c42831ebc15bbdf56035e65e9a3e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Feb 2021 05:17:57 +0000
+Subject: net: ethernet: aquantia: Handle error cleanup of start on open
+
+From: Nathan Rossi <nathan.rossi@digi.com>
+
+[ Upstream commit 8a28af7a3e85ddf358f8c41e401a33002f7a9587 ]
+
+The aq_nic_start function can fail in a variety of cases which leaves
+the device in broken state.
+
+An example case where the start function fails is the
+request_threaded_irq which can be interrupted, resulting in a EINTR
+result. This can be manually triggered by bringing the link up (e.g. ip
+link set up) and triggering a SIGINT on the initiating process (e.g.
+Ctrl+C). This would put the device into a half configured state.
+Subsequently bringing the link up again would cause the napi_enable to
+BUG.
+
+In order to correctly clean up the failed attempt to start a device call
+aq_nic_stop.
+
+Signed-off-by: Nathan Rossi <nathan.rossi@digi.com>
+Reviewed-by: Igor Russkikh <irusskikh@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/aquantia/atlantic/aq_main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_main.c b/drivers/net/ethernet/aquantia/atlantic/aq_main.c
+index 8f70a3909929..4af0cd9530de 100644
+--- a/drivers/net/ethernet/aquantia/atlantic/aq_main.c
++++ b/drivers/net/ethernet/aquantia/atlantic/aq_main.c
+@@ -71,8 +71,10 @@ static int aq_ndev_open(struct net_device *ndev)
+ goto err_exit;
+
+ err = aq_nic_start(aq_nic);
+- if (err < 0)
++ if (err < 0) {
++ aq_nic_stop(aq_nic);
+ goto err_exit;
++ }
+
+ err_exit:
+ if (err < 0)
+--
+2.30.1
+
--- /dev/null
+From 9acccaadf1ffb6400aa5ac20bb04b6e44f5d2b02 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Feb 2021 08:01:26 +0100
+Subject: net: introduce CAN specific pointer in the struct net_device
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+[ Upstream commit 4e096a18867a5a989b510f6999d9c6b6622e8f7b ]
+
+Since 20dd3850bcf8 ("can: Speed up CAN frame receiption by using
+ml_priv") the CAN framework uses per device specific data in the AF_CAN
+protocol. For this purpose the struct net_device->ml_priv is used. Later
+the ml_priv usage in CAN was extended for other users, one of them being
+CAN_J1939.
+
+Later in the kernel ml_priv was converted to an union, used by other
+drivers. E.g. the tun driver started storing it's stats pointer.
+
+Since tun devices can claim to be a CAN device, CAN specific protocols
+will wrongly interpret this pointer, which will cause system crashes.
+Mostly this issue is visible in the CAN_J1939 stack.
+
+To fix this issue, we request a dedicated CAN pointer within the
+net_device struct.
+
+Reported-by: syzbot+5138c4dd15a0401bec7b@syzkaller.appspotmail.com
+Fixes: 20dd3850bcf8 ("can: Speed up CAN frame receiption by using ml_priv")
+Fixes: ffd956eef69b ("can: introduce CAN midlayer private and allocate it automatically")
+Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
+Fixes: 497a5757ce4e ("tun: switch to net core provided statistics counters")
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Link: https://lore.kernel.org/r/20210223070127.4538-1-o.rempel@pengutronix.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/dev/dev.c | 4 +++-
+ drivers/net/can/slcan.c | 4 +++-
+ drivers/net/can/vcan.c | 2 +-
+ drivers/net/can/vxcan.c | 6 +++++-
+ include/linux/can/can-ml.h | 12 ++++++++++++
+ include/linux/netdevice.h | 34 +++++++++++++++++++++++++++++++++-
+ net/can/af_can.c | 34 ++--------------------------------
+ net/can/j1939/main.c | 22 ++++++++--------------
+ net/can/j1939/socket.c | 13 ++++---------
+ net/can/proc.c | 19 +++++++++++++------
+ 10 files changed, 84 insertions(+), 66 deletions(-)
+
+diff --git a/drivers/net/can/dev/dev.c b/drivers/net/can/dev/dev.c
+index dc9b4aae3abb..2b38a99884f2 100644
+--- a/drivers/net/can/dev/dev.c
++++ b/drivers/net/can/dev/dev.c
+@@ -747,6 +747,7 @@ EXPORT_SYMBOL_GPL(alloc_can_err_skb);
+ struct net_device *alloc_candev_mqs(int sizeof_priv, unsigned int echo_skb_max,
+ unsigned int txqs, unsigned int rxqs)
+ {
++ struct can_ml_priv *can_ml;
+ struct net_device *dev;
+ struct can_priv *priv;
+ int size;
+@@ -778,7 +779,8 @@ struct net_device *alloc_candev_mqs(int sizeof_priv, unsigned int echo_skb_max,
+ priv = netdev_priv(dev);
+ priv->dev = dev;
+
+- dev->ml_priv = (void *)priv + ALIGN(sizeof_priv, NETDEV_ALIGN);
++ can_ml = (void *)priv + ALIGN(sizeof_priv, NETDEV_ALIGN);
++ can_set_ml_priv(dev, can_ml);
+
+ if (echo_skb_max) {
+ priv->echo_skb_max = echo_skb_max;
+diff --git a/drivers/net/can/slcan.c b/drivers/net/can/slcan.c
+index b4a39f0449ba..6471a71c2ee6 100644
+--- a/drivers/net/can/slcan.c
++++ b/drivers/net/can/slcan.c
+@@ -516,6 +516,7 @@ static struct slcan *slc_alloc(void)
+ int i;
+ char name[IFNAMSIZ];
+ struct net_device *dev = NULL;
++ struct can_ml_priv *can_ml;
+ struct slcan *sl;
+ int size;
+
+@@ -538,7 +539,8 @@ static struct slcan *slc_alloc(void)
+
+ dev->base_addr = i;
+ sl = netdev_priv(dev);
+- dev->ml_priv = (void *)sl + ALIGN(sizeof(*sl), NETDEV_ALIGN);
++ can_ml = (void *)sl + ALIGN(sizeof(*sl), NETDEV_ALIGN);
++ can_set_ml_priv(dev, can_ml);
+
+ /* Initialize channel control data */
+ sl->magic = SLCAN_MAGIC;
+diff --git a/drivers/net/can/vcan.c b/drivers/net/can/vcan.c
+index 39ca14b0585d..067705e2850b 100644
+--- a/drivers/net/can/vcan.c
++++ b/drivers/net/can/vcan.c
+@@ -153,7 +153,7 @@ static void vcan_setup(struct net_device *dev)
+ dev->addr_len = 0;
+ dev->tx_queue_len = 0;
+ dev->flags = IFF_NOARP;
+- dev->ml_priv = netdev_priv(dev);
++ can_set_ml_priv(dev, netdev_priv(dev));
+
+ /* set flags according to driver capabilities */
+ if (echo)
+diff --git a/drivers/net/can/vxcan.c b/drivers/net/can/vxcan.c
+index b1baa4ac1d53..7000c6cd1e48 100644
+--- a/drivers/net/can/vxcan.c
++++ b/drivers/net/can/vxcan.c
+@@ -141,6 +141,8 @@ static const struct net_device_ops vxcan_netdev_ops = {
+
+ static void vxcan_setup(struct net_device *dev)
+ {
++ struct can_ml_priv *can_ml;
++
+ dev->type = ARPHRD_CAN;
+ dev->mtu = CANFD_MTU;
+ dev->hard_header_len = 0;
+@@ -149,7 +151,9 @@ static void vxcan_setup(struct net_device *dev)
+ dev->flags = (IFF_NOARP|IFF_ECHO);
+ dev->netdev_ops = &vxcan_netdev_ops;
+ dev->needs_free_netdev = true;
+- dev->ml_priv = netdev_priv(dev) + ALIGN(sizeof(struct vxcan_priv), NETDEV_ALIGN);
++
++ can_ml = netdev_priv(dev) + ALIGN(sizeof(struct vxcan_priv), NETDEV_ALIGN);
++ can_set_ml_priv(dev, can_ml);
+ }
+
+ /* forward declaration for rtnl_create_link() */
+diff --git a/include/linux/can/can-ml.h b/include/linux/can/can-ml.h
+index 2f5d731ae251..8afa92d15a66 100644
+--- a/include/linux/can/can-ml.h
++++ b/include/linux/can/can-ml.h
+@@ -44,6 +44,7 @@
+
+ #include <linux/can.h>
+ #include <linux/list.h>
++#include <linux/netdevice.h>
+
+ #define CAN_SFF_RCV_ARRAY_SZ (1 << CAN_SFF_ID_BITS)
+ #define CAN_EFF_RCV_HASH_BITS 10
+@@ -65,4 +66,15 @@ struct can_ml_priv {
+ #endif
+ };
+
++static inline struct can_ml_priv *can_get_ml_priv(struct net_device *dev)
++{
++ return netdev_get_ml_priv(dev, ML_PRIV_CAN);
++}
++
++static inline void can_set_ml_priv(struct net_device *dev,
++ struct can_ml_priv *ml_priv)
++{
++ netdev_set_ml_priv(dev, ml_priv, ML_PRIV_CAN);
++}
++
+ #endif /* CAN_ML_H */
+diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
+index 8753e98a8d58..e37480b5f4c0 100644
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -1600,6 +1600,12 @@ enum netdev_priv_flags {
+ #define IFF_L3MDEV_RX_HANDLER IFF_L3MDEV_RX_HANDLER
+ #define IFF_LIVE_RENAME_OK IFF_LIVE_RENAME_OK
+
++/* Specifies the type of the struct net_device::ml_priv pointer */
++enum netdev_ml_priv_type {
++ ML_PRIV_NONE,
++ ML_PRIV_CAN,
++};
++
+ /**
+ * struct net_device - The DEVICE structure.
+ *
+@@ -1795,6 +1801,7 @@ enum netdev_priv_flags {
+ * @nd_net: Network namespace this network device is inside
+ *
+ * @ml_priv: Mid-layer private
++ * @ml_priv_type: Mid-layer private type
+ * @lstats: Loopback statistics
+ * @tstats: Tunnel statistics
+ * @dstats: Dummy statistics
+@@ -2107,8 +2114,10 @@ struct net_device {
+ possible_net_t nd_net;
+
+ /* mid-layer private */
++ void *ml_priv;
++ enum netdev_ml_priv_type ml_priv_type;
++
+ union {
+- void *ml_priv;
+ struct pcpu_lstats __percpu *lstats;
+ struct pcpu_sw_netstats __percpu *tstats;
+ struct pcpu_dstats __percpu *dstats;
+@@ -2298,6 +2307,29 @@ static inline void netdev_reset_rx_headroom(struct net_device *dev)
+ netdev_set_rx_headroom(dev, -1);
+ }
+
++static inline void *netdev_get_ml_priv(struct net_device *dev,
++ enum netdev_ml_priv_type type)
++{
++ if (dev->ml_priv_type != type)
++ return NULL;
++
++ return dev->ml_priv;
++}
++
++static inline void netdev_set_ml_priv(struct net_device *dev,
++ void *ml_priv,
++ enum netdev_ml_priv_type type)
++{
++ WARN(dev->ml_priv_type && dev->ml_priv_type != type,
++ "Overwriting already set ml_priv_type (%u) with different ml_priv_type (%u)!\n",
++ dev->ml_priv_type, type);
++ WARN(!dev->ml_priv_type && dev->ml_priv,
++ "Overwriting already set ml_priv and ml_priv_type is ML_PRIV_NONE!\n");
++
++ dev->ml_priv = ml_priv;
++ dev->ml_priv_type = type;
++}
++
+ /*
+ * Net namespace inlines
+ */
+diff --git a/net/can/af_can.c b/net/can/af_can.c
+index 4c343b43067f..1c95ede2c9a6 100644
+--- a/net/can/af_can.c
++++ b/net/can/af_can.c
+@@ -304,8 +304,8 @@ static struct can_dev_rcv_lists *can_dev_rcv_lists_find(struct net *net,
+ struct net_device *dev)
+ {
+ if (dev) {
+- struct can_ml_priv *ml_priv = dev->ml_priv;
+- return &ml_priv->dev_rcv_lists;
++ struct can_ml_priv *can_ml = can_get_ml_priv(dev);
++ return &can_ml->dev_rcv_lists;
+ } else {
+ return net->can.rx_alldev_list;
+ }
+@@ -790,25 +790,6 @@ void can_proto_unregister(const struct can_proto *cp)
+ }
+ EXPORT_SYMBOL(can_proto_unregister);
+
+-/* af_can notifier to create/remove CAN netdevice specific structs */
+-static int can_notifier(struct notifier_block *nb, unsigned long msg,
+- void *ptr)
+-{
+- struct net_device *dev = netdev_notifier_info_to_dev(ptr);
+-
+- if (dev->type != ARPHRD_CAN)
+- return NOTIFY_DONE;
+-
+- switch (msg) {
+- case NETDEV_REGISTER:
+- WARN(!dev->ml_priv,
+- "No CAN mid layer private allocated, please fix your driver and use alloc_candev()!\n");
+- break;
+- }
+-
+- return NOTIFY_DONE;
+-}
+-
+ static int can_pernet_init(struct net *net)
+ {
+ spin_lock_init(&net->can.rcvlists_lock);
+@@ -876,11 +857,6 @@ static const struct net_proto_family can_family_ops = {
+ .owner = THIS_MODULE,
+ };
+
+-/* notifier block for netdevice event */
+-static struct notifier_block can_netdev_notifier __read_mostly = {
+- .notifier_call = can_notifier,
+-};
+-
+ static struct pernet_operations can_pernet_ops __read_mostly = {
+ .init = can_pernet_init,
+ .exit = can_pernet_exit,
+@@ -911,17 +887,12 @@ static __init int can_init(void)
+ err = sock_register(&can_family_ops);
+ if (err)
+ goto out_sock;
+- err = register_netdevice_notifier(&can_netdev_notifier);
+- if (err)
+- goto out_notifier;
+
+ dev_add_pack(&can_packet);
+ dev_add_pack(&canfd_packet);
+
+ return 0;
+
+-out_notifier:
+- sock_unregister(PF_CAN);
+ out_sock:
+ unregister_pernet_subsys(&can_pernet_ops);
+ out_pernet:
+@@ -935,7 +906,6 @@ static __exit void can_exit(void)
+ /* protocol unregister */
+ dev_remove_pack(&canfd_packet);
+ dev_remove_pack(&can_packet);
+- unregister_netdevice_notifier(&can_netdev_notifier);
+ sock_unregister(PF_CAN);
+
+ unregister_pernet_subsys(&can_pernet_ops);
+diff --git a/net/can/j1939/main.c b/net/can/j1939/main.c
+index 137054bff9ec..e52330f628c9 100644
+--- a/net/can/j1939/main.c
++++ b/net/can/j1939/main.c
+@@ -140,9 +140,9 @@ static struct j1939_priv *j1939_priv_create(struct net_device *ndev)
+ static inline void j1939_priv_set(struct net_device *ndev,
+ struct j1939_priv *priv)
+ {
+- struct can_ml_priv *can_ml_priv = ndev->ml_priv;
++ struct can_ml_priv *can_ml = can_get_ml_priv(ndev);
+
+- can_ml_priv->j1939_priv = priv;
++ can_ml->j1939_priv = priv;
+ }
+
+ static void __j1939_priv_release(struct kref *kref)
+@@ -211,12 +211,9 @@ static void __j1939_rx_release(struct kref *kref)
+ /* get pointer to priv without increasing ref counter */
+ static inline struct j1939_priv *j1939_ndev_to_priv(struct net_device *ndev)
+ {
+- struct can_ml_priv *can_ml_priv = ndev->ml_priv;
++ struct can_ml_priv *can_ml = can_get_ml_priv(ndev);
+
+- if (!can_ml_priv)
+- return NULL;
+-
+- return can_ml_priv->j1939_priv;
++ return can_ml->j1939_priv;
+ }
+
+ static struct j1939_priv *j1939_priv_get_by_ndev_locked(struct net_device *ndev)
+@@ -225,9 +222,6 @@ static struct j1939_priv *j1939_priv_get_by_ndev_locked(struct net_device *ndev)
+
+ lockdep_assert_held(&j1939_netdev_lock);
+
+- if (ndev->type != ARPHRD_CAN)
+- return NULL;
+-
+ priv = j1939_ndev_to_priv(ndev);
+ if (priv)
+ j1939_priv_get(priv);
+@@ -348,15 +342,16 @@ static int j1939_netdev_notify(struct notifier_block *nb,
+ unsigned long msg, void *data)
+ {
+ struct net_device *ndev = netdev_notifier_info_to_dev(data);
++ struct can_ml_priv *can_ml = can_get_ml_priv(ndev);
+ struct j1939_priv *priv;
+
++ if (!can_ml)
++ goto notify_done;
++
+ priv = j1939_priv_get_by_ndev(ndev);
+ if (!priv)
+ goto notify_done;
+
+- if (ndev->type != ARPHRD_CAN)
+- goto notify_put;
+-
+ switch (msg) {
+ case NETDEV_DOWN:
+ j1939_cancel_active_session(priv, NULL);
+@@ -365,7 +360,6 @@ static int j1939_netdev_notify(struct notifier_block *nb,
+ break;
+ }
+
+-notify_put:
+ j1939_priv_put(priv);
+
+ notify_done:
+diff --git a/net/can/j1939/socket.c b/net/can/j1939/socket.c
+index f23966526a88..56aa66147d5a 100644
+--- a/net/can/j1939/socket.c
++++ b/net/can/j1939/socket.c
+@@ -12,6 +12,7 @@
+
+ #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
++#include <linux/can/can-ml.h>
+ #include <linux/can/core.h>
+ #include <linux/can/skb.h>
+ #include <linux/errqueue.h>
+@@ -453,6 +454,7 @@ static int j1939_sk_bind(struct socket *sock, struct sockaddr *uaddr, int len)
+ j1939_jsk_del(priv, jsk);
+ j1939_local_ecu_put(priv, jsk->addr.src_name, jsk->addr.sa);
+ } else {
++ struct can_ml_priv *can_ml;
+ struct net_device *ndev;
+
+ ndev = dev_get_by_index(net, addr->can_ifindex);
+@@ -461,15 +463,8 @@ static int j1939_sk_bind(struct socket *sock, struct sockaddr *uaddr, int len)
+ goto out_release_sock;
+ }
+
+- if (ndev->type != ARPHRD_CAN) {
+- dev_put(ndev);
+- ret = -ENODEV;
+- goto out_release_sock;
+- }
+-
+- if (!ndev->ml_priv) {
+- netdev_warn_once(ndev,
+- "No CAN mid layer private allocated, please fix your driver and use alloc_candev()!\n");
++ can_ml = can_get_ml_priv(ndev);
++ if (!can_ml) {
+ dev_put(ndev);
+ ret = -ENODEV;
+ goto out_release_sock;
+diff --git a/net/can/proc.c b/net/can/proc.c
+index 5ea8695f507e..b15760b5c1cc 100644
+--- a/net/can/proc.c
++++ b/net/can/proc.c
+@@ -322,8 +322,11 @@ static int can_rcvlist_proc_show(struct seq_file *m, void *v)
+
+ /* receive list for registered CAN devices */
+ for_each_netdev_rcu(net, dev) {
+- if (dev->type == ARPHRD_CAN && dev->ml_priv)
+- can_rcvlist_proc_show_one(m, idx, dev, dev->ml_priv);
++ struct can_ml_priv *can_ml = can_get_ml_priv(dev);
++
++ if (can_ml)
++ can_rcvlist_proc_show_one(m, idx, dev,
++ &can_ml->dev_rcv_lists);
+ }
+
+ rcu_read_unlock();
+@@ -375,8 +378,10 @@ static int can_rcvlist_sff_proc_show(struct seq_file *m, void *v)
+
+ /* sff receive list for registered CAN devices */
+ for_each_netdev_rcu(net, dev) {
+- if (dev->type == ARPHRD_CAN && dev->ml_priv) {
+- dev_rcv_lists = dev->ml_priv;
++ struct can_ml_priv *can_ml = can_get_ml_priv(dev);
++
++ if (can_ml) {
++ dev_rcv_lists = &can_ml->dev_rcv_lists;
+ can_rcvlist_proc_show_array(m, dev, dev_rcv_lists->rx_sff,
+ ARRAY_SIZE(dev_rcv_lists->rx_sff));
+ }
+@@ -406,8 +411,10 @@ static int can_rcvlist_eff_proc_show(struct seq_file *m, void *v)
+
+ /* eff receive list for registered CAN devices */
+ for_each_netdev_rcu(net, dev) {
+- if (dev->type == ARPHRD_CAN && dev->ml_priv) {
+- dev_rcv_lists = dev->ml_priv;
++ struct can_ml_priv *can_ml = can_get_ml_priv(dev);
++
++ if (can_ml) {
++ dev_rcv_lists = &can_ml->dev_rcv_lists;
+ can_rcvlist_proc_show_array(m, dev, dev_rcv_lists->rx_eff,
+ ARRAY_SIZE(dev_rcv_lists->rx_eff));
+ }
+--
+2.30.1
+
--- /dev/null
+From d3992d1ff91613832a6a548b7d47baf41a294ff5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Feb 2021 08:34:00 -0600
+Subject: net: ipa: fix register write command validation
+
+From: Alex Elder <elder@linaro.org>
+
+[ Upstream commit 2d65ed76924bc772d3974b0894d870b1aa63b34a ]
+
+In ipa_cmd_register_write_valid() we verify that values we will
+supply to a REGISTER_WRITE IPA immediate command will fit in
+the fields that need to hold them. This patch fixes some issues
+in that function and ipa_cmd_register_write_offset_valid().
+
+The dev_err() call in ipa_cmd_register_write_offset_valid() has
+some printf format errors:
+ - The name of the register (corresponding to the string format
+ specifier) was not supplied.
+ - The IPA base offset and offset need to be supplied separately to
+ match the other format specifiers.
+Also make the ~0 constant used there to compute the maximum
+supported offset value explicitly unsigned.
+
+There are two other issues in ipa_cmd_register_write_valid():
+ - There's no need to check the hash flush register for platforms
+ (like IPA v4.2) that do not support hashed tables
+ - The highest possible endpoint number, whose status register
+ offset is computed, is COUNT - 1, not COUNT.
+
+Fix these problems, and add some additional commentary.
+
+Signed-off-by: Alex Elder <elder@linaro.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ipa/ipa_cmd.c | 32 ++++++++++++++++++++++++--------
+ 1 file changed, 24 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ipa/ipa_cmd.c b/drivers/net/ipa/ipa_cmd.c
+index d92dd3f09b73..46d8b7336d8f 100644
+--- a/drivers/net/ipa/ipa_cmd.c
++++ b/drivers/net/ipa/ipa_cmd.c
+@@ -1,7 +1,7 @@
+ // SPDX-License-Identifier: GPL-2.0
+
+ /* Copyright (c) 2012-2018, The Linux Foundation. All rights reserved.
+- * Copyright (C) 2019-2020 Linaro Ltd.
++ * Copyright (C) 2019-2021 Linaro Ltd.
+ */
+
+ #include <linux/types.h>
+@@ -244,11 +244,15 @@ static bool ipa_cmd_register_write_offset_valid(struct ipa *ipa,
+ if (ipa->version != IPA_VERSION_3_5_1)
+ bit_count += hweight32(REGISTER_WRITE_FLAGS_OFFSET_HIGH_FMASK);
+ BUILD_BUG_ON(bit_count > 32);
+- offset_max = ~0 >> (32 - bit_count);
++ offset_max = ~0U >> (32 - bit_count);
+
++ /* Make sure the offset can be represented by the field(s)
++ * that holds it. Also make sure the offset is not outside
++ * the overall IPA memory range.
++ */
+ if (offset > offset_max || ipa->mem_offset > offset_max - offset) {
+ dev_err(dev, "%s offset too large 0x%04x + 0x%04x > 0x%04x)\n",
+- ipa->mem_offset + offset, offset_max);
++ name, ipa->mem_offset, offset, offset_max);
+ return false;
+ }
+
+@@ -261,12 +265,24 @@ static bool ipa_cmd_register_write_valid(struct ipa *ipa)
+ const char *name;
+ u32 offset;
+
+- offset = ipa_reg_filt_rout_hash_flush_offset(ipa->version);
+- name = "filter/route hash flush";
+- if (!ipa_cmd_register_write_offset_valid(ipa, name, offset))
+- return false;
++ /* If hashed tables are supported, ensure the hash flush register
++ * offset will fit in a register write IPA immediate command.
++ */
++ if (ipa->version != IPA_VERSION_4_2) {
++ offset = ipa_reg_filt_rout_hash_flush_offset(ipa->version);
++ name = "filter/route hash flush";
++ if (!ipa_cmd_register_write_offset_valid(ipa, name, offset))
++ return false;
++ }
+
+- offset = IPA_REG_ENDP_STATUS_N_OFFSET(IPA_ENDPOINT_COUNT);
++ /* Each endpoint can have a status endpoint associated with it,
++ * and this is recorded in an endpoint register. If the modem
++ * crashes, we reset the status endpoint for all modem endpoints
++ * using a register write IPA immediate command. Make sure the
++ * worst case (highest endpoint number) offset of that endpoint
++ * fits in the register write command field(s) that must hold it.
++ */
++ offset = IPA_REG_ENDP_STATUS_N_OFFSET(IPA_ENDPOINT_COUNT - 1);
+ name = "maximal endpoint status";
+ if (!ipa_cmd_register_write_offset_valid(ipa, name, offset))
+ return false;
+--
+2.30.1
+
--- /dev/null
+From 060b3cb642ef22533e0c35c18b4aa6259b3fa471 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Feb 2021 16:10:57 -0600
+Subject: net: ipa: remove two unused register definitions
+
+From: Alex Elder <elder@linaro.org>
+
+[ Upstream commit d5bc5015eb9d64cbd14e467db1a56db1472d0d6c ]
+
+We do not support inter-EE channel or event ring commands. Inter-EE
+interrupts are disabled (and never re-enabled) for all channels and
+event rings, so we have no need for the GSI registers that clear
+those interrupt conditions. So remove their definitions.
+
+Signed-off-by: Alex Elder <elder@linaro.org>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ipa/gsi_reg.h | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+diff --git a/drivers/net/ipa/gsi_reg.h b/drivers/net/ipa/gsi_reg.h
+index 8e0e9350c383..42e5a8b8d324 100644
+--- a/drivers/net/ipa/gsi_reg.h
++++ b/drivers/net/ipa/gsi_reg.h
+@@ -48,16 +48,6 @@
+ #define GSI_INTER_EE_N_SRC_EV_CH_IRQ_OFFSET(ee) \
+ (0x0000c01c + 0x1000 * (ee))
+
+-#define GSI_INTER_EE_SRC_CH_IRQ_CLR_OFFSET \
+- GSI_INTER_EE_N_SRC_CH_IRQ_CLR_OFFSET(GSI_EE_AP)
+-#define GSI_INTER_EE_N_SRC_CH_IRQ_CLR_OFFSET(ee) \
+- (0x0000c028 + 0x1000 * (ee))
+-
+-#define GSI_INTER_EE_SRC_EV_CH_IRQ_CLR_OFFSET \
+- GSI_INTER_EE_N_SRC_EV_CH_IRQ_CLR_OFFSET(GSI_EE_AP)
+-#define GSI_INTER_EE_N_SRC_EV_CH_IRQ_CLR_OFFSET(ee) \
+- (0x0000c02c + 0x1000 * (ee))
+-
+ #define GSI_CH_C_CNTXT_0_OFFSET(ch) \
+ GSI_EE_N_CH_C_CNTXT_0_OFFSET((ch), GSI_EE_AP)
+ #define GSI_EE_N_CH_C_CNTXT_0_OFFSET(ch, ee) \
+--
+2.30.1
+
--- /dev/null
+From df0bd8356fd1f392b0bfed274dc9fbc8deeb1de2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Mar 2021 19:11:09 -0400
+Subject: net: mvpp2: fix interrupt mask/unmask skip condition
+
+[ Upstream commit 7867299cde34e9c2d2c676f2a384a9d5853b914d ]
+
+The condition should be skipped if CPU ID equal to nthreads.
+The patch doesn't fix any actual issue since
+nthreads = min_t(unsigned int, num_present_cpus(), MVPP2_MAX_THREADS).
+On all current Armada platforms, the number of CPU's is
+less than MVPP2_MAX_THREADS.
+
+Fixes: e531f76757eb ("net: mvpp2: handle cases where more CPUs are available than s/w threads")
+Reported-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Stefan Chulski <stefanc@marvell.com>
+Reviewed-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+index d1f7b51cab62..f5333fc27e14 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+@@ -1153,7 +1153,7 @@ static void mvpp2_interrupts_unmask(void *arg)
+ u32 val;
+
+ /* If the thread isn't used, don't do anything */
+- if (smp_processor_id() > port->priv->nthreads)
++ if (smp_processor_id() >= port->priv->nthreads)
+ return;
+
+ val = MVPP2_CAUSE_MISC_SUM_MASK |
+@@ -2287,7 +2287,7 @@ static void mvpp2_txq_sent_counter_clear(void *arg)
+ int queue;
+
+ /* If the thread isn't used, don't do anything */
+- if (smp_processor_id() > port->priv->nthreads)
++ if (smp_processor_id() >= port->priv->nthreads)
+ return;
+
+ for (queue = 0; queue < port->ntxqs; queue++) {
+--
+2.30.1
+
--- /dev/null
+From b25558b6fedfa84682bb0ec9f786e59457528a18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Feb 2021 14:17:56 -0500
+Subject: net: wan/lmc: unregister device when no matching device is found
+
+From: Tong Zhang <ztong0001@gmail.com>
+
+[ Upstream commit 62e69bc419772638369eff8ff81340bde8aceb61 ]
+
+lmc set sc->lmc_media pointer when there is a matching device.
+However, when no matching device is found, this pointer is NULL
+and the following dereference will result in a null-ptr-deref.
+
+To fix this issue, unregister the hdlc device and return an error.
+
+[ 4.569359] BUG: KASAN: null-ptr-deref in lmc_init_one.cold+0x2b6/0x55d [lmc]
+[ 4.569748] Read of size 8 at addr 0000000000000008 by task modprobe/95
+[ 4.570102]
+[ 4.570187] CPU: 0 PID: 95 Comm: modprobe Not tainted 5.11.0-rc7 #94
+[ 4.570527] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-48-gd9c812dda519-preb4
+[ 4.571125] Call Trace:
+[ 4.571261] dump_stack+0x7d/0xa3
+[ 4.571445] kasan_report.cold+0x10c/0x10e
+[ 4.571667] ? lmc_init_one.cold+0x2b6/0x55d [lmc]
+[ 4.571932] lmc_init_one.cold+0x2b6/0x55d [lmc]
+[ 4.572186] ? lmc_mii_readreg+0xa0/0xa0 [lmc]
+[ 4.572432] local_pci_probe+0x6f/0xb0
+[ 4.572639] pci_device_probe+0x171/0x240
+[ 4.572857] ? pci_device_remove+0xe0/0xe0
+[ 4.573080] ? kernfs_create_link+0xb6/0x110
+[ 4.573315] ? sysfs_do_create_link_sd.isra.0+0x76/0xe0
+[ 4.573598] really_probe+0x161/0x420
+[ 4.573799] driver_probe_device+0x6d/0xd0
+[ 4.574022] device_driver_attach+0x82/0x90
+[ 4.574249] ? device_driver_attach+0x90/0x90
+[ 4.574485] __driver_attach+0x60/0x100
+[ 4.574694] ? device_driver_attach+0x90/0x90
+[ 4.574931] bus_for_each_dev+0xe1/0x140
+[ 4.575146] ? subsys_dev_iter_exit+0x10/0x10
+[ 4.575387] ? klist_node_init+0x61/0x80
+[ 4.575602] bus_add_driver+0x254/0x2a0
+[ 4.575812] driver_register+0xd3/0x150
+[ 4.576021] ? 0xffffffffc0018000
+[ 4.576202] do_one_initcall+0x84/0x250
+[ 4.576411] ? trace_event_raw_event_initcall_finish+0x150/0x150
+[ 4.576733] ? unpoison_range+0xf/0x30
+[ 4.576938] ? ____kasan_kmalloc.constprop.0+0x84/0xa0
+[ 4.577219] ? unpoison_range+0xf/0x30
+[ 4.577423] ? unpoison_range+0xf/0x30
+[ 4.577628] do_init_module+0xf8/0x350
+[ 4.577833] load_module+0x3fe6/0x4340
+[ 4.578038] ? vm_unmap_ram+0x1d0/0x1d0
+[ 4.578247] ? ____kasan_kmalloc.constprop.0+0x84/0xa0
+[ 4.578526] ? module_frob_arch_sections+0x20/0x20
+[ 4.578787] ? __do_sys_finit_module+0x108/0x170
+[ 4.579037] __do_sys_finit_module+0x108/0x170
+[ 4.579278] ? __ia32_sys_init_module+0x40/0x40
+[ 4.579523] ? file_open_root+0x200/0x200
+[ 4.579742] ? do_sys_open+0x85/0xe0
+[ 4.579938] ? filp_open+0x50/0x50
+[ 4.580125] ? exit_to_user_mode_prepare+0xfc/0x130
+[ 4.580390] do_syscall_64+0x33/0x40
+[ 4.580586] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 4.580859] RIP: 0033:0x7f1a724c3cf7
+[ 4.581054] Code: 48 89 57 30 48 8b 04 24 48 89 47 38 e9 1d a0 02 00 48 89 f8 48 89 f7 48 89 d6 48 891
+[ 4.582043] RSP: 002b:00007fff44941c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+[ 4.582447] RAX: ffffffffffffffda RBX: 00000000012ada70 RCX: 00007f1a724c3cf7
+[ 4.582827] RDX: 0000000000000000 RSI: 00000000012ac9e0 RDI: 0000000000000003
+[ 4.583207] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000001
+[ 4.583587] R10: 00007f1a72527300 R11: 0000000000000246 R12: 00000000012ac9e0
+[ 4.583968] R13: 0000000000000000 R14: 00000000012acc90 R15: 0000000000000001
+[ 4.584349] ==================================================================
+
+Signed-off-by: Tong Zhang <ztong0001@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wan/lmc/lmc_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/wan/lmc/lmc_main.c b/drivers/net/wan/lmc/lmc_main.c
+index 36600b0a0ab0..1ee4c8a90632 100644
+--- a/drivers/net/wan/lmc/lmc_main.c
++++ b/drivers/net/wan/lmc/lmc_main.c
+@@ -901,6 +901,8 @@ static int lmc_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
+ break;
+ default:
+ printk(KERN_WARNING "%s: LMC UNKNOWN CARD!\n", dev->name);
++ unregister_hdlc_device(dev);
++ return -EIO;
+ break;
+ }
+
+--
+2.30.1
+
--- /dev/null
+From fccc653b4739b4d0d4bd3edd41aaf11ef3e6e91d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 7 Feb 2021 10:22:55 +0200
+Subject: netdevsim: dev: Initialize FIB module after debugfs
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+[ Upstream commit f57ab5b75f7193e194c83616cd104f41c8350f68 ]
+
+Initialize the dummy FIB offload module after debugfs, so that the FIB
+module could create its own directory there.
+
+Signed-off-by: Amit Cohen <amcohen@nvidia.com>
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/netdevsim/dev.c | 40 +++++++++++++++++++------------------
+ 1 file changed, 21 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/net/netdevsim/dev.c b/drivers/net/netdevsim/dev.c
+index e7972e88ffe0..9bbecf4d159b 100644
+--- a/drivers/net/netdevsim/dev.c
++++ b/drivers/net/netdevsim/dev.c
+@@ -1008,23 +1008,25 @@ static int nsim_dev_reload_create(struct nsim_dev *nsim_dev,
+ nsim_dev->fw_update_status = true;
+ nsim_dev->fw_update_overwrite_mask = 0;
+
+- nsim_dev->fib_data = nsim_fib_create(devlink, extack);
+- if (IS_ERR(nsim_dev->fib_data))
+- return PTR_ERR(nsim_dev->fib_data);
+-
+ nsim_devlink_param_load_driverinit_values(devlink);
+
+ err = nsim_dev_dummy_region_init(nsim_dev, devlink);
+ if (err)
+- goto err_fib_destroy;
++ return err;
+
+ err = nsim_dev_traps_init(devlink);
+ if (err)
+ goto err_dummy_region_exit;
+
++ nsim_dev->fib_data = nsim_fib_create(devlink, extack);
++ if (IS_ERR(nsim_dev->fib_data)) {
++ err = PTR_ERR(nsim_dev->fib_data);
++ goto err_traps_exit;
++ }
++
+ err = nsim_dev_health_init(nsim_dev, devlink);
+ if (err)
+- goto err_traps_exit;
++ goto err_fib_destroy;
+
+ err = nsim_dev_port_add_all(nsim_dev, nsim_bus_dev->port_count);
+ if (err)
+@@ -1039,12 +1041,12 @@ static int nsim_dev_reload_create(struct nsim_dev *nsim_dev,
+
+ err_health_exit:
+ nsim_dev_health_exit(nsim_dev);
++err_fib_destroy:
++ nsim_fib_destroy(devlink, nsim_dev->fib_data);
+ err_traps_exit:
+ nsim_dev_traps_exit(devlink);
+ err_dummy_region_exit:
+ nsim_dev_dummy_region_exit(nsim_dev);
+-err_fib_destroy:
+- nsim_fib_destroy(devlink, nsim_dev->fib_data);
+ return err;
+ }
+
+@@ -1076,15 +1078,9 @@ int nsim_dev_probe(struct nsim_bus_dev *nsim_bus_dev)
+ if (err)
+ goto err_devlink_free;
+
+- nsim_dev->fib_data = nsim_fib_create(devlink, NULL);
+- if (IS_ERR(nsim_dev->fib_data)) {
+- err = PTR_ERR(nsim_dev->fib_data);
+- goto err_resources_unregister;
+- }
+-
+ err = devlink_register(devlink, &nsim_bus_dev->dev);
+ if (err)
+- goto err_fib_destroy;
++ goto err_resources_unregister;
+
+ err = devlink_params_register(devlink, nsim_devlink_params,
+ ARRAY_SIZE(nsim_devlink_params));
+@@ -1104,9 +1100,15 @@ int nsim_dev_probe(struct nsim_bus_dev *nsim_bus_dev)
+ if (err)
+ goto err_traps_exit;
+
++ nsim_dev->fib_data = nsim_fib_create(devlink, NULL);
++ if (IS_ERR(nsim_dev->fib_data)) {
++ err = PTR_ERR(nsim_dev->fib_data);
++ goto err_debugfs_exit;
++ }
++
+ err = nsim_dev_health_init(nsim_dev, devlink);
+ if (err)
+- goto err_debugfs_exit;
++ goto err_fib_destroy;
+
+ err = nsim_bpf_dev_init(nsim_dev);
+ if (err)
+@@ -1124,6 +1126,8 @@ err_bpf_dev_exit:
+ nsim_bpf_dev_exit(nsim_dev);
+ err_health_exit:
+ nsim_dev_health_exit(nsim_dev);
++err_fib_destroy:
++ nsim_fib_destroy(devlink, nsim_dev->fib_data);
+ err_debugfs_exit:
+ nsim_dev_debugfs_exit(nsim_dev);
+ err_traps_exit:
+@@ -1135,8 +1139,6 @@ err_params_unregister:
+ ARRAY_SIZE(nsim_devlink_params));
+ err_dl_unregister:
+ devlink_unregister(devlink);
+-err_fib_destroy:
+- nsim_fib_destroy(devlink, nsim_dev->fib_data);
+ err_resources_unregister:
+ devlink_resources_unregister(devlink, NULL);
+ err_devlink_free:
+@@ -1153,10 +1155,10 @@ static void nsim_dev_reload_destroy(struct nsim_dev *nsim_dev)
+ debugfs_remove(nsim_dev->take_snapshot);
+ nsim_dev_port_del_all(nsim_dev);
+ nsim_dev_health_exit(nsim_dev);
++ nsim_fib_destroy(devlink, nsim_dev->fib_data);
+ nsim_dev_traps_exit(devlink);
+ nsim_dev_dummy_region_exit(nsim_dev);
+ mutex_destroy(&nsim_dev->port_list_lock);
+- nsim_fib_destroy(devlink, nsim_dev->fib_data);
+ }
+
+ void nsim_dev_remove(struct nsim_bus_dev *nsim_bus_dev)
+--
+2.30.1
+
--- /dev/null
+From bbbd5a6ec9a083bad223bc9cdcd5bfec73ba5173 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Feb 2021 13:50:10 +0800
+Subject: rtw88: coex: 8821c: correct antenna switch function
+
+From: Guo-Feng Fan <vincent_fann@realtek.com>
+
+[ Upstream commit adba838af159914eb98fcd55bfd3a89c9a7d41a8 ]
+
+This patch fixes a defect that uses incorrect function to access
+registers. Use 8 and 32 bit access function to access 8 and 32 bit long
+data respectively.
+
+Signed-off-by: Guo-Feng Fan <vincent_fann@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210202055012.8296-2-pkshih@realtek.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw88/rtw8821c.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtw88/rtw8821c.c b/drivers/net/wireless/realtek/rtw88/rtw8821c.c
+index da2e7415be8f..f9615f76f173 100644
+--- a/drivers/net/wireless/realtek/rtw88/rtw8821c.c
++++ b/drivers/net/wireless/realtek/rtw88/rtw8821c.c
+@@ -720,8 +720,8 @@ static void rtw8821c_coex_cfg_ant_switch(struct rtw_dev *rtwdev, u8 ctrl_type,
+ regval = (!polarity_inverse ? 0x1 : 0x2);
+ }
+
+- rtw_write8_mask(rtwdev, REG_RFE_CTRL8, BIT_MASK_R_RFE_SEL_15,
+- regval);
++ rtw_write32_mask(rtwdev, REG_RFE_CTRL8, BIT_MASK_R_RFE_SEL_15,
++ regval);
+ break;
+ case COEX_SWITCH_CTRL_BY_PTA:
+ rtw_write32_clr(rtwdev, REG_LED_CFG, BIT_DPDT_SEL_EN);
+@@ -731,8 +731,8 @@ static void rtw8821c_coex_cfg_ant_switch(struct rtw_dev *rtwdev, u8 ctrl_type,
+ PTA_CTRL_PIN);
+
+ regval = (!polarity_inverse ? 0x2 : 0x1);
+- rtw_write8_mask(rtwdev, REG_RFE_CTRL8, BIT_MASK_R_RFE_SEL_15,
+- regval);
++ rtw_write32_mask(rtwdev, REG_RFE_CTRL8, BIT_MASK_R_RFE_SEL_15,
++ regval);
+ break;
+ case COEX_SWITCH_CTRL_BY_ANTDIV:
+ rtw_write32_clr(rtwdev, REG_LED_CFG, BIT_DPDT_SEL_EN);
+@@ -758,11 +758,11 @@ static void rtw8821c_coex_cfg_ant_switch(struct rtw_dev *rtwdev, u8 ctrl_type,
+ }
+
+ if (ctrl_type == COEX_SWITCH_CTRL_BY_BT) {
+- rtw_write32_clr(rtwdev, REG_CTRL_TYPE, BIT_CTRL_TYPE1);
+- rtw_write32_clr(rtwdev, REG_CTRL_TYPE, BIT_CTRL_TYPE2);
++ rtw_write8_clr(rtwdev, REG_CTRL_TYPE, BIT_CTRL_TYPE1);
++ rtw_write8_clr(rtwdev, REG_CTRL_TYPE, BIT_CTRL_TYPE2);
+ } else {
+- rtw_write32_set(rtwdev, REG_CTRL_TYPE, BIT_CTRL_TYPE1);
+- rtw_write32_set(rtwdev, REG_CTRL_TYPE, BIT_CTRL_TYPE2);
++ rtw_write8_set(rtwdev, REG_CTRL_TYPE, BIT_CTRL_TYPE1);
++ rtw_write8_set(rtwdev, REG_CTRL_TYPE, BIT_CTRL_TYPE2);
+ }
+ }
+
+--
+2.30.1
+
static_call-align-static_call_is_init-patching-condi.patch
ext4-do-not-iput-inode-under-running-transaction-in-.patch
io_uring-call-req_set_fail_links-on-short-send-msg-r.patch
+net-mvpp2-fix-interrupt-mask-unmask-skip-condition.patch
+flow_dissector-fix-ttl-and-tos-dissection-on-ipv4-fr.patch
+can-dev-move-driver-related-infrastructure-into-sepa.patch
+net-introduce-can-specific-pointer-in-the-struct-net.patch
+can-tcan4x5x-fix-max-register-value.patch
+brcmfmac-clear-eap-association-status-bits-on-linkdo.patch
+ath11k-add-ieee80211_unregister_hw-to-avoid-kernel-c.patch
+rtw88-coex-8821c-correct-antenna-switch-function.patch
+netdevsim-dev-initialize-fib-module-after-debugfs.patch
+iwlwifi-pcie-don-t-disable-interrupts-for-reg_lock.patch
+ath10k-hold-rcu-lock-when-calling-ieee80211_find_sta.patch
+net-ethernet-aquantia-handle-error-cleanup-of-start-.patch
+appletalk-fix-skb-allocation-size-in-loopback-case.patch
+net-ipa-remove-two-unused-register-definitions.patch
+net-ipa-fix-register-write-command-validation.patch
+net-wan-lmc-unregister-device-when-no-matching-devic.patch
+net-9p-advance-iov-on-empty-read.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
