--- /dev/null
+From 0c744631b5e977437ac1b26b4542d53d4adb1f6d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 11:26:01 +0200
+Subject: ACPI: Kconfig: Fix table override from built-in initrd
+
+From: Robert Richter <rrichter@amd.com>
+
+[ Upstream commit d2cbbf1fe503c07e466c62f83aa1926d74d15821 ]
+
+During a rework of initramfs code the INITRAMFS_COMPRESSION config
+option was removed in commit 65e00e04e5ae. A leftover as a dependency
+broke the config option ACPI_TABLE_OVERRIDE_VIA_ BUILTIN_INITRD that
+is used to enable the overriding of ACPI tables from built-in initrd.
+Fixing the dependency.
+
+Fixes: 65e00e04e5ae ("initramfs: refactor the initramfs build rules")
+Signed-off-by: Robert Richter <rrichter@amd.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/Kconfig b/drivers/acpi/Kconfig
+index edf1558c1105..b5ea34c340cc 100644
+--- a/drivers/acpi/Kconfig
++++ b/drivers/acpi/Kconfig
+@@ -359,7 +359,7 @@ config ACPI_TABLE_UPGRADE
+ config ACPI_TABLE_OVERRIDE_VIA_BUILTIN_INITRD
+ bool "Override ACPI tables from built-in initrd"
+ depends on ACPI_TABLE_UPGRADE
+- depends on INITRAMFS_SOURCE!="" && INITRAMFS_COMPRESSION=""
++ depends on INITRAMFS_SOURCE!="" && INITRAMFS_COMPRESSION_NONE
+ help
+ This option provides functionality to override arbitrary ACPI tables
+ from built-in uncompressed initrd.
+--
+2.30.2
+
--- /dev/null
+From 1f34ded5bcf90b2c79f052f2eb3a7d11286621c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jun 2021 11:57:26 +0100
+Subject: afs: Fix tracepoint string placement with built-in AFS
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 6c881ca0b3040f3e724eae513117ba4ddef86057 ]
+
+To quote Alexey[1]:
+
+ I was adding custom tracepoint to the kernel, grabbed full F34 kernel
+ .config, disabled modules and booted whole shebang as VM kernel.
+
+ Then did
+
+ perf record -a -e ...
+
+ It crashed:
+
+ general protection fault, probably for non-canonical address 0x435f5346592e4243: 0000 [#1] SMP PTI
+ CPU: 1 PID: 842 Comm: cat Not tainted 5.12.6+ #26
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014
+ RIP: 0010:t_show+0x22/0xd0
+
+ Then reproducer was narrowed to
+
+ # cat /sys/kernel/tracing/printk_formats
+
+ Original F34 kernel with modules didn't crash.
+
+ So I started to disable options and after disabling AFS everything
+ started working again.
+
+ The root cause is that AFS was placing char arrays content into a
+ section full of _pointers_ to strings with predictable consequences.
+
+ Non canonical address 435f5346592e4243 is "CB.YFS_" which came from
+ CM_NAME macro.
+
+ Steps to reproduce:
+
+ CONFIG_AFS=y
+ CONFIG_TRACING=y
+
+ # cat /sys/kernel/tracing/printk_formats
+
+Fix this by the following means:
+
+ (1) Add enum->string translation tables in the event header with the AFS
+ and YFS cache/callback manager operations listed by RPC operation ID.
+
+ (2) Modify the afs_cb_call tracepoint to print the string from the
+ translation table rather than using the string at the afs_call name
+ pointer.
+
+ (3) Switch translation table depending on the service we're being accessed
+ as (AFS or YFS) in the tracepoint print clause. Will this cause
+ problems to userspace utilities?
+
+ Note that the symbolic representation of the YFS service ID isn't
+ available to this header, so I've put it in as a number. I'm not sure
+ if this is the best way to do this.
+
+ (4) Remove the name wrangling (CM_NAME) macro and put the names directly
+ into the afs_call_type structs in cmservice.c.
+
+Fixes: 8e8d7f13b6d5a9 ("afs: Add some tracepoints")
+Reported-by: Alexey Dobriyan (SK hynix) <adobriyan@gmail.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Reviewed-by: Marc Dionne <marc.dionne@auristor.com>
+cc: Andrew Morton <akpm@linux-foundation.org>
+cc: linux-afs@lists.infradead.org
+Link: https://lore.kernel.org/r/YLAXfvZ+rObEOdc%2F@localhost.localdomain/ [1]
+Link: https://lore.kernel.org/r/643721.1623754699@warthog.procyon.org.uk/
+Link: https://lore.kernel.org/r/162430903582.2896199.6098150063997983353.stgit@warthog.procyon.org.uk/ # v1
+Link: https://lore.kernel.org/r/162609463957.3133237.15916579353149746363.stgit@warthog.procyon.org.uk/ # v1 (repost)
+Link: https://lore.kernel.org/r/162610726860.3408253.445207609466288531.stgit@warthog.procyon.org.uk/ # v2
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/cmservice.c | 25 ++++----------
+ include/trace/events/afs.h | 67 +++++++++++++++++++++++++++++++++++---
+ 2 files changed, 69 insertions(+), 23 deletions(-)
+
+diff --git a/fs/afs/cmservice.c b/fs/afs/cmservice.c
+index a4e9e6e07e93..2a528b70478c 100644
+--- a/fs/afs/cmservice.c
++++ b/fs/afs/cmservice.c
+@@ -29,16 +29,11 @@ static void SRXAFSCB_TellMeAboutYourself(struct work_struct *);
+
+ static int afs_deliver_yfs_cb_callback(struct afs_call *);
+
+-#define CM_NAME(name) \
+- char afs_SRXCB##name##_name[] __tracepoint_string = \
+- "CB." #name
+-
+ /*
+ * CB.CallBack operation type
+ */
+-static CM_NAME(CallBack);
+ static const struct afs_call_type afs_SRXCBCallBack = {
+- .name = afs_SRXCBCallBack_name,
++ .name = "CB.CallBack",
+ .deliver = afs_deliver_cb_callback,
+ .destructor = afs_cm_destructor,
+ .work = SRXAFSCB_CallBack,
+@@ -47,9 +42,8 @@ static const struct afs_call_type afs_SRXCBCallBack = {
+ /*
+ * CB.InitCallBackState operation type
+ */
+-static CM_NAME(InitCallBackState);
+ static const struct afs_call_type afs_SRXCBInitCallBackState = {
+- .name = afs_SRXCBInitCallBackState_name,
++ .name = "CB.InitCallBackState",
+ .deliver = afs_deliver_cb_init_call_back_state,
+ .destructor = afs_cm_destructor,
+ .work = SRXAFSCB_InitCallBackState,
+@@ -58,9 +52,8 @@ static const struct afs_call_type afs_SRXCBInitCallBackState = {
+ /*
+ * CB.InitCallBackState3 operation type
+ */
+-static CM_NAME(InitCallBackState3);
+ static const struct afs_call_type afs_SRXCBInitCallBackState3 = {
+- .name = afs_SRXCBInitCallBackState3_name,
++ .name = "CB.InitCallBackState3",
+ .deliver = afs_deliver_cb_init_call_back_state3,
+ .destructor = afs_cm_destructor,
+ .work = SRXAFSCB_InitCallBackState,
+@@ -69,9 +62,8 @@ static const struct afs_call_type afs_SRXCBInitCallBackState3 = {
+ /*
+ * CB.Probe operation type
+ */
+-static CM_NAME(Probe);
+ static const struct afs_call_type afs_SRXCBProbe = {
+- .name = afs_SRXCBProbe_name,
++ .name = "CB.Probe",
+ .deliver = afs_deliver_cb_probe,
+ .destructor = afs_cm_destructor,
+ .work = SRXAFSCB_Probe,
+@@ -80,9 +72,8 @@ static const struct afs_call_type afs_SRXCBProbe = {
+ /*
+ * CB.ProbeUuid operation type
+ */
+-static CM_NAME(ProbeUuid);
+ static const struct afs_call_type afs_SRXCBProbeUuid = {
+- .name = afs_SRXCBProbeUuid_name,
++ .name = "CB.ProbeUuid",
+ .deliver = afs_deliver_cb_probe_uuid,
+ .destructor = afs_cm_destructor,
+ .work = SRXAFSCB_ProbeUuid,
+@@ -91,9 +82,8 @@ static const struct afs_call_type afs_SRXCBProbeUuid = {
+ /*
+ * CB.TellMeAboutYourself operation type
+ */
+-static CM_NAME(TellMeAboutYourself);
+ static const struct afs_call_type afs_SRXCBTellMeAboutYourself = {
+- .name = afs_SRXCBTellMeAboutYourself_name,
++ .name = "CB.TellMeAboutYourself",
+ .deliver = afs_deliver_cb_tell_me_about_yourself,
+ .destructor = afs_cm_destructor,
+ .work = SRXAFSCB_TellMeAboutYourself,
+@@ -102,9 +92,8 @@ static const struct afs_call_type afs_SRXCBTellMeAboutYourself = {
+ /*
+ * YFS CB.CallBack operation type
+ */
+-static CM_NAME(YFS_CallBack);
+ static const struct afs_call_type afs_SRXYFSCB_CallBack = {
+- .name = afs_SRXCBYFS_CallBack_name,
++ .name = "YFSCB.CallBack",
+ .deliver = afs_deliver_yfs_cb_callback,
+ .destructor = afs_cm_destructor,
+ .work = SRXAFSCB_CallBack,
+diff --git a/include/trace/events/afs.h b/include/trace/events/afs.h
+index 4eef374d4413..5deb9f490f6f 100644
+--- a/include/trace/events/afs.h
++++ b/include/trace/events/afs.h
+@@ -174,6 +174,34 @@ enum afs_vl_operation {
+ afs_VL_GetCapabilities = 65537, /* AFS Get VL server capabilities */
+ };
+
++enum afs_cm_operation {
++ afs_CB_CallBack = 204, /* AFS break callback promises */
++ afs_CB_InitCallBackState = 205, /* AFS initialise callback state */
++ afs_CB_Probe = 206, /* AFS probe client */
++ afs_CB_GetLock = 207, /* AFS get contents of CM lock table */
++ afs_CB_GetCE = 208, /* AFS get cache file description */
++ afs_CB_GetXStatsVersion = 209, /* AFS get version of extended statistics */
++ afs_CB_GetXStats = 210, /* AFS get contents of extended statistics data */
++ afs_CB_InitCallBackState3 = 213, /* AFS initialise callback state, version 3 */
++ afs_CB_ProbeUuid = 214, /* AFS check the client hasn't rebooted */
++};
++
++enum yfs_cm_operation {
++ yfs_CB_Probe = 206, /* YFS probe client */
++ yfs_CB_GetLock = 207, /* YFS get contents of CM lock table */
++ yfs_CB_XStatsVersion = 209, /* YFS get version of extended statistics */
++ yfs_CB_GetXStats = 210, /* YFS get contents of extended statistics data */
++ yfs_CB_InitCallBackState3 = 213, /* YFS initialise callback state, version 3 */
++ yfs_CB_ProbeUuid = 214, /* YFS check the client hasn't rebooted */
++ yfs_CB_GetServerPrefs = 215,
++ yfs_CB_GetCellServDV = 216,
++ yfs_CB_GetLocalCell = 217,
++ yfs_CB_GetCacheConfig = 218,
++ yfs_CB_GetCellByNum = 65537,
++ yfs_CB_TellMeAboutYourself = 65538, /* get client capabilities */
++ yfs_CB_CallBack = 64204,
++};
++
+ enum afs_edit_dir_op {
+ afs_edit_dir_create,
+ afs_edit_dir_create_error,
+@@ -435,6 +463,32 @@ enum afs_cb_break_reason {
+ EM(afs_YFSVL_GetCellName, "YFSVL.GetCellName") \
+ E_(afs_VL_GetCapabilities, "VL.GetCapabilities")
+
++#define afs_cm_operations \
++ EM(afs_CB_CallBack, "CB.CallBack") \
++ EM(afs_CB_InitCallBackState, "CB.InitCallBackState") \
++ EM(afs_CB_Probe, "CB.Probe") \
++ EM(afs_CB_GetLock, "CB.GetLock") \
++ EM(afs_CB_GetCE, "CB.GetCE") \
++ EM(afs_CB_GetXStatsVersion, "CB.GetXStatsVersion") \
++ EM(afs_CB_GetXStats, "CB.GetXStats") \
++ EM(afs_CB_InitCallBackState3, "CB.InitCallBackState3") \
++ E_(afs_CB_ProbeUuid, "CB.ProbeUuid")
++
++#define yfs_cm_operations \
++ EM(yfs_CB_Probe, "YFSCB.Probe") \
++ EM(yfs_CB_GetLock, "YFSCB.GetLock") \
++ EM(yfs_CB_XStatsVersion, "YFSCB.XStatsVersion") \
++ EM(yfs_CB_GetXStats, "YFSCB.GetXStats") \
++ EM(yfs_CB_InitCallBackState3, "YFSCB.InitCallBackState3") \
++ EM(yfs_CB_ProbeUuid, "YFSCB.ProbeUuid") \
++ EM(yfs_CB_GetServerPrefs, "YFSCB.GetServerPrefs") \
++ EM(yfs_CB_GetCellServDV, "YFSCB.GetCellServDV") \
++ EM(yfs_CB_GetLocalCell, "YFSCB.GetLocalCell") \
++ EM(yfs_CB_GetCacheConfig, "YFSCB.GetCacheConfig") \
++ EM(yfs_CB_GetCellByNum, "YFSCB.GetCellByNum") \
++ EM(yfs_CB_TellMeAboutYourself, "YFSCB.TellMeAboutYourself") \
++ E_(yfs_CB_CallBack, "YFSCB.CallBack")
++
+ #define afs_edit_dir_ops \
+ EM(afs_edit_dir_create, "create") \
+ EM(afs_edit_dir_create_error, "c_fail") \
+@@ -567,6 +621,8 @@ afs_server_traces;
+ afs_cell_traces;
+ afs_fs_operations;
+ afs_vl_operations;
++afs_cm_operations;
++yfs_cm_operations;
+ afs_edit_dir_ops;
+ afs_edit_dir_reasons;
+ afs_eproto_causes;
+@@ -647,20 +703,21 @@ TRACE_EVENT(afs_cb_call,
+
+ TP_STRUCT__entry(
+ __field(unsigned int, call )
+- __field(const char *, name )
+ __field(u32, op )
++ __field(u16, service_id )
+ ),
+
+ TP_fast_assign(
+ __entry->call = call->debug_id;
+- __entry->name = call->type->name;
+ __entry->op = call->operation_ID;
++ __entry->service_id = call->service_id;
+ ),
+
+- TP_printk("c=%08x %s o=%u",
++ TP_printk("c=%08x %s",
+ __entry->call,
+- __entry->name,
+- __entry->op)
++ __entry->service_id == 2501 ?
++ __print_symbolic(__entry->op, yfs_cm_operations) :
++ __print_symbolic(__entry->op, afs_cm_operations))
+ );
+
+ TRACE_EVENT(afs_call,
+--
+2.30.2
+
--- /dev/null
+From c50a9530049bbf888660005198588f2b41f41796 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Jul 2021 18:17:46 -0500
+Subject: ALSA: hda: intel-dsp-cfg: add missing ElkhartLake PCI ID
+
+From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+
+[ Upstream commit 114613f62f42e7cbc1242c4e82076a0153043761 ]
+
+We missed the fact that ElkhartLake platforms have two different PCI
+IDs. We only added one so the SOF driver is never selected by the
+autodetection logic for the missing configuration.
+
+BugLink: https://github.com/thesofproject/linux/issues/2990
+Fixes: cc8f81c7e625 ('ALSA: hda: fix intel DSP config')
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://lore.kernel.org/r/20210719231746.557325-1-pierre-louis.bossart@linux.intel.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/hda/intel-dsp-config.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/sound/hda/intel-dsp-config.c b/sound/hda/intel-dsp-config.c
+index fe49e9a97f0e..61e1de6d7be0 100644
+--- a/sound/hda/intel-dsp-config.c
++++ b/sound/hda/intel-dsp-config.c
+@@ -318,6 +318,10 @@ static const struct config_entry config_table[] = {
+ .flags = FLAG_SOF | FLAG_SOF_ONLY_IF_DMIC,
+ .device = 0x4b55,
+ },
++ {
++ .flags = FLAG_SOF | FLAG_SOF_ONLY_IF_DMIC,
++ .device = 0x4b58,
++ },
+ #endif
+
+ };
+--
+2.30.2
+
--- /dev/null
+From b76adb1ff09f5ca437e7cd3d41966a0b8bbbadb6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jul 2021 03:50:11 +0300
+Subject: ASoC: rt5631: Fix regcache sync errors on resume
+
+From: Maxim Schwalm <maxim.schwalm@gmail.com>
+
+[ Upstream commit c71f78a662611fe2c67f3155da19b0eff0f29762 ]
+
+The ALC5631 does not like multi-write accesses, avoid them. This fixes:
+
+rt5631 4-001a: Unable to sync registers 0x3a-0x3c. -121
+
+errors on resume from suspend (and all registers after the registers in
+the error not being synced).
+
+Inspired by commit 2d30e9494f1e ("ASoC: rt5651: Fix regcache sync errors
+on resume") from Hans de Geode, which fixed the same errors on ALC5651.
+
+Signed-off-by: Maxim Schwalm <maxim.schwalm@gmail.com>
+Link: https://lore.kernel.org/r/20210712005011.28536-1-digetx@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/rt5631.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/soc/codecs/rt5631.c b/sound/soc/codecs/rt5631.c
+index 653da3eaf355..86d58d0df057 100644
+--- a/sound/soc/codecs/rt5631.c
++++ b/sound/soc/codecs/rt5631.c
+@@ -1695,6 +1695,8 @@ static const struct regmap_config rt5631_regmap_config = {
+ .reg_defaults = rt5631_reg,
+ .num_reg_defaults = ARRAY_SIZE(rt5631_reg),
+ .cache_type = REGCACHE_RBTREE,
++ .use_single_read = true,
++ .use_single_write = true,
+ };
+
+ static int rt5631_i2c_probe(struct i2c_client *i2c,
+--
+2.30.2
+
--- /dev/null
+From d5b2564f457f67625bf86b72afcbe1186c58c481 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Jun 2021 16:59:39 +0100
+Subject: ASoC: wm_adsp: Correct wm_coeff_tlv_get handling
+
+From: Charles Keepax <ckeepax@opensource.cirrus.com>
+
+[ Upstream commit dd6fb8ff2210f74b056bf9234d0605e8c26a8ac0 ]
+
+When wm_coeff_tlv_get was updated it was accidentally switch to the _raw
+version of the helper causing it to ignore the current DSP state it
+should be checking. Switch the code back to the correct helper so that
+users can't read the controls when they arn't available.
+
+Fixes: 73ecf1a673d3 ("ASoC: wm_adsp: Correct cache handling of new kernel control API")
+Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Link: https://lore.kernel.org/r/20210626155941.12251-1-ckeepax@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/wm_adsp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/wm_adsp.c b/sound/soc/codecs/wm_adsp.c
+index 985b2dcecf13..51d95437e0fd 100644
+--- a/sound/soc/codecs/wm_adsp.c
++++ b/sound/soc/codecs/wm_adsp.c
+@@ -1221,7 +1221,7 @@ static int wm_coeff_tlv_get(struct snd_kcontrol *kctl,
+
+ mutex_lock(&ctl->dsp->pwr_lock);
+
+- ret = wm_coeff_read_ctrl_raw(ctl, ctl->cache, size);
++ ret = wm_coeff_read_ctrl(ctl, ctl->cache, size);
+
+ if (!ret && copy_to_user(bytes, ctl->cache, size))
+ ret = -EFAULT;
+--
+2.30.2
+
--- /dev/null
+From e14b9063a20def723b780e4d31b0c950c14c7128 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Jul 2021 15:36:28 -0400
+Subject: bnxt_en: Add missing check for BNXT_STATE_ABORT_ERR in
+ bnxt_fw_rset_task()
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+[ Upstream commit 6cd657cb3ee6f4de57e635b126ffbe0e51d00f1a ]
+
+In the BNXT_FW_RESET_STATE_POLL_VF state in bnxt_fw_reset_task() after all
+VFs have unregistered, we need to check for BNXT_STATE_ABORT_ERR after
+we acquire the rtnl_lock. If the flag is set, we need to abort.
+
+Fixes: 230d1f0de754 ("bnxt_en: Handle firmware reset.")
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index f003f08de167..dee6bcfe2fe2 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -11480,6 +11480,10 @@ static void bnxt_fw_reset_task(struct work_struct *work)
+ }
+ bp->fw_reset_timestamp = jiffies;
+ rtnl_lock();
++ if (test_bit(BNXT_STATE_ABORT_ERR, &bp->state)) {
++ rtnl_unlock();
++ goto fw_reset_abort;
++ }
+ bnxt_fw_reset_close(bp);
+ if (bp->fw_cap & BNXT_FW_CAP_ERR_RECOVER_RELOAD) {
+ bp->fw_reset_state = BNXT_FW_RESET_STATE_POLL_FW_DOWN;
+--
+2.30.2
+
--- /dev/null
+From da0b6a9f0e5cf7f5b4339c2563d93882b19d7e40 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Jul 2021 15:36:31 -0400
+Subject: bnxt_en: Check abort error state in bnxt_half_open_nic()
+
+From: Somnath Kotur <somnath.kotur@broadcom.com>
+
+[ Upstream commit 11a39259ff79b74bc99f8b7c44075a2d6d5e7ab1 ]
+
+bnxt_half_open_nic() is called during during ethtool self test and is
+protected by rtnl_lock. Firmware reset can be happening at the same
+time. Only critical portions of the entire firmware reset sequence
+are protected by the rtnl_lock. It is possible that bnxt_half_open_nic()
+can be called when the firmware reset sequence is aborting. In that
+case, bnxt_half_open_nic() needs to check if the ABORT_ERR flag is set
+and abort if it is. The ethtool self test will fail but the NIC will be
+brought to a consistent IF_DOWN state.
+
+Without this patch, if bnxt_half_open_nic() were to continue in this
+error state, it may crash like this:
+
+ bnxt_en 0000:82:00.1 enp130s0f1np1: FW reset in progress during close, FW reset will be aborted
+ Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
+ ...
+ Process ethtool (pid: 333327, stack limit = 0x0000000046476577)
+ Call trace:
+ bnxt_alloc_mem+0x444/0xef0 [bnxt_en]
+ bnxt_half_open_nic+0x24/0xb8 [bnxt_en]
+ bnxt_self_test+0x2dc/0x390 [bnxt_en]
+ ethtool_self_test+0xe0/0x1f8
+ dev_ethtool+0x1744/0x22d0
+ dev_ioctl+0x190/0x3e0
+ sock_ioctl+0x238/0x480
+ do_vfs_ioctl+0xc4/0x758
+ ksys_ioctl+0x84/0xb8
+ __arm64_sys_ioctl+0x28/0x38
+ el0_svc_handler+0xb0/0x180
+ el0_svc+0x8/0xc
+
+Fixes: a1301f08c5ac ("bnxt_en: Check abort error state in bnxt_open_nic().")
+Signed-off-by: Somnath Kotur <somnath.kotur@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index e3a8c1c6d237..8f169508a90a 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -9841,6 +9841,12 @@ int bnxt_half_open_nic(struct bnxt *bp)
+ {
+ int rc = 0;
+
++ if (test_bit(BNXT_STATE_ABORT_ERR, &bp->state)) {
++ netdev_err(bp->dev, "A previous firmware reset has not completed, aborting half open\n");
++ rc = -ENODEV;
++ goto half_open_err;
++ }
++
+ rc = bnxt_alloc_mem(bp, false);
+ if (rc) {
+ netdev_err(bp->dev, "bnxt_alloc_mem err: %x\n", rc);
+--
+2.30.2
+
--- /dev/null
+From ba985c1cc534f781a73cd47e6d3de224986235ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Jul 2021 15:36:25 -0400
+Subject: bnxt_en: don't disable an already disabled PCI device
+
+From: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+
+[ Upstream commit c81cfb6256d90ea5ba4a6fb280ea3b171be4e05c ]
+
+If device is already disabled in reset path and PCI io error is
+detected before the device could be enabled, driver could
+call pci_disable_device() for already disabled device. Fix this
+problem by calling pci_disable_device() only if the device is already
+enabled.
+
+Fixes: 6316ea6db93d ("bnxt_en: Enable AER support.")
+Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index db1b89f57079..f003f08de167 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -12901,7 +12901,8 @@ static pci_ers_result_t bnxt_io_error_detected(struct pci_dev *pdev,
+ if (netif_running(netdev))
+ bnxt_close(netdev);
+
+- pci_disable_device(pdev);
++ if (pci_is_enabled(pdev))
++ pci_disable_device(pdev);
+ bnxt_free_ctx_mem(bp);
+ kfree(bp->ctx);
+ bp->ctx = NULL;
+--
+2.30.2
+
--- /dev/null
+From adc5afb655794c84d87e5825e5a28841b71cf41e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Jul 2021 15:36:27 -0400
+Subject: bnxt_en: Refresh RoCE capabilities in bnxt_ulp_probe()
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+[ Upstream commit 2c9f046bc377efd1f5e26e74817d5f96e9506c86 ]
+
+The capabilities can change after firmware upgrade/downgrade, so we
+should get the up-to-date RoCE capabilities everytime bnxt_ulp_probe()
+is called.
+
+Fixes: 2151fe0830fd ("bnxt_en: Handle RESET_NOTIFY async event from firmware.")
+Reviewed-by: Somnath Kotur <somnath.kotur@broadcom.com>
+Reviewed-by: Edwin Peer <edwin.peer@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c
+index 64dbbb04b043..abf169001bf3 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c
+@@ -479,15 +479,16 @@ struct bnxt_en_dev *bnxt_ulp_probe(struct net_device *dev)
+ if (!edev)
+ return ERR_PTR(-ENOMEM);
+ edev->en_ops = &bnxt_en_ops_tbl;
+- if (bp->flags & BNXT_FLAG_ROCEV1_CAP)
+- edev->flags |= BNXT_EN_FLAG_ROCEV1_CAP;
+- if (bp->flags & BNXT_FLAG_ROCEV2_CAP)
+- edev->flags |= BNXT_EN_FLAG_ROCEV2_CAP;
+ edev->net = dev;
+ edev->pdev = bp->pdev;
+ edev->l2_db_size = bp->db_size;
+ edev->l2_db_size_nc = bp->db_size;
+ bp->edev = edev;
+ }
++ edev->flags &= ~BNXT_EN_FLAG_ROCE_CAP;
++ if (bp->flags & BNXT_FLAG_ROCEV1_CAP)
++ edev->flags |= BNXT_EN_FLAG_ROCEV1_CAP;
++ if (bp->flags & BNXT_FLAG_ROCEV2_CAP)
++ edev->flags |= BNXT_EN_FLAG_ROCEV2_CAP;
+ return bp->edev;
+ }
+--
+2.30.2
+
--- /dev/null
+From e27df44aeac9314833e6ead0938f8c294856c7df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Jul 2021 15:36:30 -0400
+Subject: bnxt_en: Validate vlan protocol ID on RX packets
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+[ Upstream commit 96bdd4b9ea7ef9a12db8fdd0ce90e37dffbd3703 ]
+
+Only pass supported VLAN protocol IDs for stripped VLAN tags to the
+stack. The stack will hit WARN() if the protocol ID is unsupported.
+
+Existing firmware sets up the chip to strip 0x8100, 0x88a8, 0x9100.
+Only the 1st two protocols are supported by the kernel.
+
+Fixes: a196e96bb68f ("bnxt_en: clean up VLAN feature bit handling")
+Reviewed-by: Somnath Kotur <somnath.kotur@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index dee6bcfe2fe2..e3a8c1c6d237 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -1633,11 +1633,16 @@ static inline struct sk_buff *bnxt_tpa_end(struct bnxt *bp,
+
+ if ((tpa_info->flags2 & RX_CMP_FLAGS2_META_FORMAT_VLAN) &&
+ (skb->dev->features & BNXT_HW_FEATURE_VLAN_ALL_RX)) {
+- u16 vlan_proto = tpa_info->metadata >>
+- RX_CMP_FLAGS2_METADATA_TPID_SFT;
++ __be16 vlan_proto = htons(tpa_info->metadata >>
++ RX_CMP_FLAGS2_METADATA_TPID_SFT);
+ u16 vtag = tpa_info->metadata & RX_CMP_FLAGS2_METADATA_TCI_MASK;
+
+- __vlan_hwaccel_put_tag(skb, htons(vlan_proto), vtag);
++ if (eth_type_vlan(vlan_proto)) {
++ __vlan_hwaccel_put_tag(skb, vlan_proto, vtag);
++ } else {
++ dev_kfree_skb(skb);
++ return NULL;
++ }
+ }
+
+ skb_checksum_none_assert(skb);
+@@ -1858,9 +1863,15 @@ static int bnxt_rx_pkt(struct bnxt *bp, struct bnxt_cp_ring_info *cpr,
+ (skb->dev->features & BNXT_HW_FEATURE_VLAN_ALL_RX)) {
+ u32 meta_data = le32_to_cpu(rxcmp1->rx_cmp_meta_data);
+ u16 vtag = meta_data & RX_CMP_FLAGS2_METADATA_TCI_MASK;
+- u16 vlan_proto = meta_data >> RX_CMP_FLAGS2_METADATA_TPID_SFT;
++ __be16 vlan_proto = htons(meta_data >>
++ RX_CMP_FLAGS2_METADATA_TPID_SFT);
+
+- __vlan_hwaccel_put_tag(skb, htons(vlan_proto), vtag);
++ if (eth_type_vlan(vlan_proto)) {
++ __vlan_hwaccel_put_tag(skb, vlan_proto, vtag);
++ } else {
++ dev_kfree_skb(skb);
++ goto next_rx;
++ }
+ }
+
+ skb_checksum_none_assert(skb);
+--
+2.30.2
+
--- /dev/null
+From 773e64da6e0b587e3e02af280d6a9af6d4d10c1b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Jul 2021 15:38:12 +0000
+Subject: bonding: Add struct bond_ipesc to manage SA
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit 9a5605505d9c7dbfdb89cc29a8f5fc5cf9fd2334 ]
+
+bonding has been supporting ipsec offload.
+When SA is added, bonding just passes SA to its own active real interface.
+But it doesn't manage SA.
+So, when events(add/del real interface, active real interface change, etc)
+occur, bonding can't handle that well because It doesn't manage SA.
+So some problems(panic, UAF, refcnt leak)occur.
+
+In order to make it stable, it should manage SA.
+That's the reason why struct bond_ipsec is added.
+When a new SA is added to bonding interface, it is stored in the
+bond_ipsec list. And the SA is passed to a current active real interface.
+If events occur, it uses bond_ipsec data to handle these events.
+bond->ipsec_list is protected by bond->ipsec_lock.
+
+If a current active real interface is changed, the following logic works.
+1. delete all SAs from old active real interface
+2. Add all SAs to the new active real interface.
+3. If a new active real interface doesn't support ipsec offload or SA's
+option, it sets real_dev to NULL.
+
+Fixes: 18cb261afd7b ("bonding: support hardware encryption offload to slaves")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 139 +++++++++++++++++++++++++++-----
+ include/net/bonding.h | 9 ++-
+ 2 files changed, 127 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 3555798879f2..484784757073 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -385,6 +385,7 @@ static int bond_vlan_rx_kill_vid(struct net_device *bond_dev,
+ static int bond_ipsec_add_sa(struct xfrm_state *xs)
+ {
+ struct net_device *bond_dev = xs->xso.dev;
++ struct bond_ipsec *ipsec;
+ struct bonding *bond;
+ struct slave *slave;
+ int err;
+@@ -400,9 +401,6 @@ static int bond_ipsec_add_sa(struct xfrm_state *xs)
+ return -ENODEV;
+ }
+
+- xs->xso.real_dev = slave->dev;
+- bond->xs = xs;
+-
+ if (!slave->dev->xfrmdev_ops ||
+ !slave->dev->xfrmdev_ops->xdo_dev_state_add ||
+ netif_is_bond_master(slave->dev)) {
+@@ -411,11 +409,63 @@ static int bond_ipsec_add_sa(struct xfrm_state *xs)
+ return -EINVAL;
+ }
+
++ ipsec = kmalloc(sizeof(*ipsec), GFP_ATOMIC);
++ if (!ipsec) {
++ rcu_read_unlock();
++ return -ENOMEM;
++ }
++ xs->xso.real_dev = slave->dev;
++
+ err = slave->dev->xfrmdev_ops->xdo_dev_state_add(xs);
++ if (!err) {
++ ipsec->xs = xs;
++ INIT_LIST_HEAD(&ipsec->list);
++ spin_lock_bh(&bond->ipsec_lock);
++ list_add(&ipsec->list, &bond->ipsec_list);
++ spin_unlock_bh(&bond->ipsec_lock);
++ } else {
++ kfree(ipsec);
++ }
+ rcu_read_unlock();
+ return err;
+ }
+
++static void bond_ipsec_add_sa_all(struct bonding *bond)
++{
++ struct net_device *bond_dev = bond->dev;
++ struct bond_ipsec *ipsec;
++ struct slave *slave;
++
++ rcu_read_lock();
++ slave = rcu_dereference(bond->curr_active_slave);
++ if (!slave)
++ goto out;
++
++ if (!slave->dev->xfrmdev_ops ||
++ !slave->dev->xfrmdev_ops->xdo_dev_state_add ||
++ netif_is_bond_master(slave->dev)) {
++ spin_lock_bh(&bond->ipsec_lock);
++ if (!list_empty(&bond->ipsec_list))
++ slave_warn(bond_dev, slave->dev,
++ "%s: no slave xdo_dev_state_add\n",
++ __func__);
++ spin_unlock_bh(&bond->ipsec_lock);
++ goto out;
++ }
++
++ spin_lock_bh(&bond->ipsec_lock);
++ list_for_each_entry(ipsec, &bond->ipsec_list, list) {
++ ipsec->xs->xso.real_dev = slave->dev;
++ if (slave->dev->xfrmdev_ops->xdo_dev_state_add(ipsec->xs)) {
++ slave_warn(bond_dev, slave->dev, "%s: failed to add SA\n", __func__);
++ ipsec->xs->xso.real_dev = NULL;
++ }
++ }
++ spin_unlock_bh(&bond->ipsec_lock);
++out:
++ rcu_read_unlock();
++}
++
+ /**
+ * bond_ipsec_del_sa - clear out this specific SA
+ * @xs: pointer to transformer state struct
+@@ -423,6 +473,7 @@ static int bond_ipsec_add_sa(struct xfrm_state *xs)
+ static void bond_ipsec_del_sa(struct xfrm_state *xs)
+ {
+ struct net_device *bond_dev = xs->xso.dev;
++ struct bond_ipsec *ipsec;
+ struct bonding *bond;
+ struct slave *slave;
+
+@@ -436,7 +487,10 @@ static void bond_ipsec_del_sa(struct xfrm_state *xs)
+ if (!slave)
+ goto out;
+
+- xs->xso.real_dev = slave->dev;
++ if (!xs->xso.real_dev)
++ goto out;
++
++ WARN_ON(xs->xso.real_dev != slave->dev);
+
+ if (!slave->dev->xfrmdev_ops ||
+ !slave->dev->xfrmdev_ops->xdo_dev_state_delete ||
+@@ -447,6 +501,48 @@ static void bond_ipsec_del_sa(struct xfrm_state *xs)
+
+ slave->dev->xfrmdev_ops->xdo_dev_state_delete(xs);
+ out:
++ spin_lock_bh(&bond->ipsec_lock);
++ list_for_each_entry(ipsec, &bond->ipsec_list, list) {
++ if (ipsec->xs == xs) {
++ list_del(&ipsec->list);
++ kfree(ipsec);
++ break;
++ }
++ }
++ spin_unlock_bh(&bond->ipsec_lock);
++ rcu_read_unlock();
++}
++
++static void bond_ipsec_del_sa_all(struct bonding *bond)
++{
++ struct net_device *bond_dev = bond->dev;
++ struct bond_ipsec *ipsec;
++ struct slave *slave;
++
++ rcu_read_lock();
++ slave = rcu_dereference(bond->curr_active_slave);
++ if (!slave) {
++ rcu_read_unlock();
++ return;
++ }
++
++ spin_lock_bh(&bond->ipsec_lock);
++ list_for_each_entry(ipsec, &bond->ipsec_list, list) {
++ if (!ipsec->xs->xso.real_dev)
++ continue;
++
++ if (!slave->dev->xfrmdev_ops ||
++ !slave->dev->xfrmdev_ops->xdo_dev_state_delete ||
++ netif_is_bond_master(slave->dev)) {
++ slave_warn(bond_dev, slave->dev,
++ "%s: no slave xdo_dev_state_delete\n",
++ __func__);
++ } else {
++ slave->dev->xfrmdev_ops->xdo_dev_state_delete(ipsec->xs);
++ }
++ ipsec->xs->xso.real_dev = NULL;
++ }
++ spin_unlock_bh(&bond->ipsec_lock);
+ rcu_read_unlock();
+ }
+
+@@ -458,22 +554,27 @@ out:
+ static bool bond_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs)
+ {
+ struct net_device *bond_dev = xs->xso.dev;
+- struct bonding *bond = netdev_priv(bond_dev);
+- struct slave *curr_active = rcu_dereference(bond->curr_active_slave);
+- struct net_device *slave_dev = curr_active->dev;
++ struct net_device *real_dev;
++ struct slave *curr_active;
++ struct bonding *bond;
++
++ bond = netdev_priv(bond_dev);
++ curr_active = rcu_dereference(bond->curr_active_slave);
++ real_dev = curr_active->dev;
+
+ if (BOND_MODE(bond) != BOND_MODE_ACTIVEBACKUP)
+ return true;
+
+- if (!slave_dev->xfrmdev_ops ||
+- !slave_dev->xfrmdev_ops->xdo_dev_offload_ok ||
+- netif_is_bond_master(slave_dev)) {
+- slave_warn(bond_dev, slave_dev, "%s: no slave xdo_dev_offload_ok\n", __func__);
++ if (!xs->xso.real_dev)
++ return false;
++
++ if (!real_dev->xfrmdev_ops ||
++ !real_dev->xfrmdev_ops->xdo_dev_offload_ok ||
++ netif_is_bond_master(real_dev)) {
+ return false;
+ }
+
+- xs->xso.real_dev = slave_dev;
+- return slave_dev->xfrmdev_ops->xdo_dev_offload_ok(skb, xs);
++ return real_dev->xfrmdev_ops->xdo_dev_offload_ok(skb, xs);
+ }
+
+ static const struct xfrmdev_ops bond_xfrmdev_ops = {
+@@ -990,8 +1091,7 @@ void bond_change_active_slave(struct bonding *bond, struct slave *new_active)
+ return;
+
+ #ifdef CONFIG_XFRM_OFFLOAD
+- if (old_active && bond->xs)
+- bond_ipsec_del_sa(bond->xs);
++ bond_ipsec_del_sa_all(bond);
+ #endif /* CONFIG_XFRM_OFFLOAD */
+
+ if (new_active) {
+@@ -1067,10 +1167,7 @@ void bond_change_active_slave(struct bonding *bond, struct slave *new_active)
+ }
+
+ #ifdef CONFIG_XFRM_OFFLOAD
+- if (new_active && bond->xs) {
+- xfrm_dev_state_flush(dev_net(bond->dev), bond->dev, true);
+- bond_ipsec_add_sa(bond->xs);
+- }
++ bond_ipsec_add_sa_all(bond);
+ #endif /* CONFIG_XFRM_OFFLOAD */
+
+ /* resend IGMP joins since active slave has changed or
+@@ -3309,6 +3406,7 @@ static int bond_master_netdev_event(unsigned long event,
+ return bond_event_changename(event_bond);
+ case NETDEV_UNREGISTER:
+ bond_remove_proc_entry(event_bond);
++ xfrm_dev_state_flush(dev_net(bond_dev), bond_dev, true);
+ break;
+ case NETDEV_REGISTER:
+ bond_create_proc_entry(event_bond);
+@@ -4742,7 +4840,8 @@ void bond_setup(struct net_device *bond_dev)
+ #ifdef CONFIG_XFRM_OFFLOAD
+ /* set up xfrm device ops (only supported in active-backup right now) */
+ bond_dev->xfrmdev_ops = &bond_xfrmdev_ops;
+- bond->xs = NULL;
++ INIT_LIST_HEAD(&bond->ipsec_list);
++ spin_lock_init(&bond->ipsec_lock);
+ #endif /* CONFIG_XFRM_OFFLOAD */
+
+ /* don't acquire bond device's netif_tx_lock when transmitting */
+diff --git a/include/net/bonding.h b/include/net/bonding.h
+index adc3da776970..67d676059aa0 100644
+--- a/include/net/bonding.h
++++ b/include/net/bonding.h
+@@ -199,6 +199,11 @@ struct bond_up_slave {
+ */
+ #define BOND_LINK_NOCHANGE -1
+
++struct bond_ipsec {
++ struct list_head list;
++ struct xfrm_state *xs;
++};
++
+ /*
+ * Here are the locking policies for the two bonding locks:
+ * Get rcu_read_lock when reading or RTNL when writing slave list.
+@@ -247,7 +252,9 @@ struct bonding {
+ #endif /* CONFIG_DEBUG_FS */
+ struct rtnl_link_stats64 bond_stats;
+ #ifdef CONFIG_XFRM_OFFLOAD
+- struct xfrm_state *xs;
++ struct list_head ipsec_list;
++ /* protecting ipsec_list */
++ spinlock_t ipsec_lock;
+ #endif /* CONFIG_XFRM_OFFLOAD */
+ };
+
+--
+2.30.2
+
--- /dev/null
+From cd6b6c49c24d708f754f0c48eb80a9c53b3fee42 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Jul 2021 15:38:11 +0000
+Subject: bonding: disallow setting nested bonding + ipsec offload
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit b121693381b112b78c076dea171ee113e237c0e4 ]
+
+bonding interface can be nested and it supports ipsec offload.
+So, it allows setting the nested bonding + ipsec scenario.
+But code does not support this scenario.
+So, it should be disallowed.
+
+interface graph:
+bond2
+ |
+bond1
+ |
+eth0
+
+The nested bonding + ipsec offload may not a real usecase.
+So, disallowing this scenario is fine.
+
+Fixes: 18cb261afd7b ("bonding: support hardware encryption offload to slaves")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 952796fb5f1a..3555798879f2 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -403,8 +403,9 @@ static int bond_ipsec_add_sa(struct xfrm_state *xs)
+ xs->xso.real_dev = slave->dev;
+ bond->xs = xs;
+
+- if (!(slave->dev->xfrmdev_ops
+- && slave->dev->xfrmdev_ops->xdo_dev_state_add)) {
++ if (!slave->dev->xfrmdev_ops ||
++ !slave->dev->xfrmdev_ops->xdo_dev_state_add ||
++ netif_is_bond_master(slave->dev)) {
+ slave_warn(bond_dev, slave->dev, "Slave does not support ipsec offload\n");
+ rcu_read_unlock();
+ return -EINVAL;
+@@ -437,8 +438,9 @@ static void bond_ipsec_del_sa(struct xfrm_state *xs)
+
+ xs->xso.real_dev = slave->dev;
+
+- if (!(slave->dev->xfrmdev_ops
+- && slave->dev->xfrmdev_ops->xdo_dev_state_delete)) {
++ if (!slave->dev->xfrmdev_ops ||
++ !slave->dev->xfrmdev_ops->xdo_dev_state_delete ||
++ netif_is_bond_master(slave->dev)) {
+ slave_warn(bond_dev, slave->dev, "%s: no slave xdo_dev_state_delete\n", __func__);
+ goto out;
+ }
+@@ -463,8 +465,9 @@ static bool bond_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs)
+ if (BOND_MODE(bond) != BOND_MODE_ACTIVEBACKUP)
+ return true;
+
+- if (!(slave_dev->xfrmdev_ops
+- && slave_dev->xfrmdev_ops->xdo_dev_offload_ok)) {
++ if (!slave_dev->xfrmdev_ops ||
++ !slave_dev->xfrmdev_ops->xdo_dev_offload_ok ||
++ netif_is_bond_master(slave_dev)) {
+ slave_warn(bond_dev, slave_dev, "%s: no slave xdo_dev_offload_ok\n", __func__);
+ return false;
+ }
+--
+2.30.2
+
--- /dev/null
+From d6766784e03cba9e043eaf3f026a0198e6a2e4f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Jul 2021 15:38:14 +0000
+Subject: bonding: fix incorrect return value of bond_ipsec_offload_ok()
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit 168e696a36792a4a3b2525a06249e7472ef90186 ]
+
+bond_ipsec_offload_ok() is called to check whether the interface supports
+ipsec offload or not.
+bonding interface support ipsec offload only in active-backup mode.
+So, if a bond interface is not in active-backup mode, it should return
+false but it returns true.
+
+Fixes: a3b658cfb664 ("bonding: allow xfrm offload setup post-module-load")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 9aa2d79aa942..1a795a858630 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -565,7 +565,7 @@ static bool bond_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs)
+ real_dev = curr_active->dev;
+
+ if (BOND_MODE(bond) != BOND_MODE_ACTIVEBACKUP) {
+- err = true;
++ err = false;
+ goto out;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From b5ce909a7c27ef2bc2d6bdcfd79d925505fd4ef1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Jul 2021 15:38:07 +0000
+Subject: bonding: fix null dereference in bond_ipsec_add_sa()
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit 105cd17a866017b45f3c45901b394c711c97bf40 ]
+
+If bond doesn't have real device, bond->curr_active_slave is null.
+But bond_ipsec_add_sa() dereferences bond->curr_active_slave without
+null checking.
+So, null-ptr-deref would occur.
+
+Test commands:
+ ip link add bond0 type bond
+ ip link set bond0 up
+ ip x s add proto esp dst 14.1.1.1 src 15.1.1.1 spi \
+0x07 mode transport reqid 0x07 replay-window 32 aead 'rfc4106(gcm(aes))' \
+0x44434241343332312423222114131211f4f3f2f1 128 sel src 14.0.0.52/24 \
+dst 14.0.0.70/24 proto tcp offload dev bond0 dir in
+
+Splat looks like:
+KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+CPU: 4 PID: 680 Comm: ip Not tainted 5.13.0-rc3+ #1168
+RIP: 0010:bond_ipsec_add_sa+0xc4/0x2e0 [bonding]
+Code: 85 21 02 00 00 4d 8b a6 48 0c 00 00 e8 75 58 44 ce 85 c0 0f 85 14
+01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02
+00 0f 85 fc 01 00 00 48 8d bb e0 02 00 00 4d 8b 2c 24 48
+RSP: 0018:ffff88810946f508 EFLAGS: 00010246
+RAX: dffffc0000000000 RBX: ffff88810b4e8040 RCX: 0000000000000001
+RDX: 0000000000000000 RSI: ffffffff8fe34280 RDI: ffff888115abe100
+RBP: ffff88810946f528 R08: 0000000000000003 R09: fffffbfff2287e11
+R10: 0000000000000001 R11: ffff888115abe0c8 R12: 0000000000000000
+R13: ffffffffc0aea9a0 R14: ffff88800d7d2000 R15: ffff88810b4e8330
+FS: 00007efc5552e680(0000) GS:ffff888119c00000(0000)
+knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 000055c2530dbf40 CR3: 0000000103056004 CR4: 00000000003706e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ xfrm_dev_state_add+0x2a9/0x770
+ ? memcpy+0x38/0x60
+ xfrm_add_sa+0x2278/0x3b10 [xfrm_user]
+ ? xfrm_get_policy+0xaa0/0xaa0 [xfrm_user]
+ ? register_lock_class+0x1750/0x1750
+ xfrm_user_rcv_msg+0x331/0x660 [xfrm_user]
+ ? rcu_read_lock_sched_held+0x91/0xc0
+ ? xfrm_user_state_lookup.constprop.39+0x320/0x320 [xfrm_user]
+ ? find_held_lock+0x3a/0x1c0
+ ? mutex_lock_io_nested+0x1210/0x1210
+ ? sched_clock_cpu+0x18/0x170
+ netlink_rcv_skb+0x121/0x350
+ ? xfrm_user_state_lookup.constprop.39+0x320/0x320 [xfrm_user]
+ ? netlink_ack+0x9d0/0x9d0
+ ? netlink_deliver_tap+0x17c/0xa50
+ xfrm_netlink_rcv+0x68/0x80 [xfrm_user]
+ netlink_unicast+0x41c/0x610
+ ? netlink_attachskb+0x710/0x710
+ netlink_sendmsg+0x6b9/0xb70
+[ ...]
+
+Fixes: 18cb261afd7b ("bonding: support hardware encryption offload to slaves")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 8bb90e97898d..a66d639c415f 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -395,6 +395,11 @@ static int bond_ipsec_add_sa(struct xfrm_state *xs)
+ rcu_read_lock();
+ bond = netdev_priv(bond_dev);
+ slave = rcu_dereference(bond->curr_active_slave);
++ if (!slave) {
++ rcu_read_unlock();
++ return -ENODEV;
++ }
++
+ xs->xso.real_dev = slave->dev;
+ bond->xs = xs;
+
+--
+2.30.2
+
--- /dev/null
+From 9d46332a6b667cca5067e85886ccc19d8b748a34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Jul 2021 15:38:06 +0000
+Subject: bonding: fix suspicious RCU usage in bond_ipsec_add_sa()
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit b648eba4c69e5819880b4907e7fcb2bb576069ab ]
+
+To dereference bond->curr_active_slave, it uses rcu_dereference().
+But it and the caller doesn't acquire RCU so a warning occurs.
+So add rcu_read_lock().
+
+Test commands:
+ ip link add dummy0 type dummy
+ ip link add bond0 type bond
+ ip link set dummy0 master bond0
+ ip link set dummy0 up
+ ip link set bond0 up
+ ip x s add proto esp dst 14.1.1.1 src 15.1.1.1 spi 0x07 \
+ mode transport \
+ reqid 0x07 replay-window 32 aead 'rfc4106(gcm(aes))' \
+ 0x44434241343332312423222114131211f4f3f2f1 128 sel \
+ src 14.0.0.52/24 dst 14.0.0.70/24 proto tcp offload \
+ dev bond0 dir in
+
+Splat looks like:
+=============================
+WARNING: suspicious RCU usage
+5.13.0-rc3+ #1168 Not tainted
+-----------------------------
+drivers/net/bonding/bond_main.c:411 suspicious rcu_dereference_check() usage!
+
+other info that might help us debug this:
+
+rcu_scheduler_active = 2, debug_locks = 1
+1 lock held by ip/684:
+ #0: ffffffff9a2757c0 (&net->xfrm.xfrm_cfg_mutex){+.+.}-{3:3},
+at: xfrm_netlink_rcv+0x59/0x80 [xfrm_user]
+ 55.191733][ T684] stack backtrace:
+CPU: 0 PID: 684 Comm: ip Not tainted 5.13.0-rc3+ #1168
+Call Trace:
+ dump_stack+0xa4/0xe5
+ bond_ipsec_add_sa+0x18c/0x1f0 [bonding]
+ xfrm_dev_state_add+0x2a9/0x770
+ ? memcpy+0x38/0x60
+ xfrm_add_sa+0x2278/0x3b10 [xfrm_user]
+ ? xfrm_get_policy+0xaa0/0xaa0 [xfrm_user]
+ ? register_lock_class+0x1750/0x1750
+ xfrm_user_rcv_msg+0x331/0x660 [xfrm_user]
+ ? rcu_read_lock_sched_held+0x91/0xc0
+ ? xfrm_user_state_lookup.constprop.39+0x320/0x320 [xfrm_user]
+ ? find_held_lock+0x3a/0x1c0
+ ? mutex_lock_io_nested+0x1210/0x1210
+ ? sched_clock_cpu+0x18/0x170
+ netlink_rcv_skb+0x121/0x350
+ ? xfrm_user_state_lookup.constprop.39+0x320/0x320 [xfrm_user]
+ ? netlink_ack+0x9d0/0x9d0
+ ? netlink_deliver_tap+0x17c/0xa50
+ xfrm_netlink_rcv+0x68/0x80 [xfrm_user]
+ netlink_unicast+0x41c/0x610
+ ? netlink_attachskb+0x710/0x710
+ netlink_sendmsg+0x6b9/0xb70
+[ ... ]
+
+Fixes: 18cb261afd7b ("bonding: support hardware encryption offload to slaves")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 345a3f61c723..8bb90e97898d 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -387,10 +387,12 @@ static int bond_ipsec_add_sa(struct xfrm_state *xs)
+ struct net_device *bond_dev = xs->xso.dev;
+ struct bonding *bond;
+ struct slave *slave;
++ int err;
+
+ if (!bond_dev)
+ return -EINVAL;
+
++ rcu_read_lock();
+ bond = netdev_priv(bond_dev);
+ slave = rcu_dereference(bond->curr_active_slave);
+ xs->xso.real_dev = slave->dev;
+@@ -399,10 +401,13 @@ static int bond_ipsec_add_sa(struct xfrm_state *xs)
+ if (!(slave->dev->xfrmdev_ops
+ && slave->dev->xfrmdev_ops->xdo_dev_state_add)) {
+ slave_warn(bond_dev, slave->dev, "Slave does not support ipsec offload\n");
++ rcu_read_unlock();
+ return -EINVAL;
+ }
+
+- return slave->dev->xfrmdev_ops->xdo_dev_state_add(xs);
++ err = slave->dev->xfrmdev_ops->xdo_dev_state_add(xs);
++ rcu_read_unlock();
++ return err;
+ }
+
+ /**
+--
+2.30.2
+
--- /dev/null
+From af746137a8008ff41116e4c964f277381716bfb4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Jul 2021 15:38:10 +0000
+Subject: bonding: fix suspicious RCU usage in bond_ipsec_del_sa()
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit a22c39b831a081da9b2c488bd970a4412d926f30 ]
+
+To dereference bond->curr_active_slave, it uses rcu_dereference().
+But it and the caller doesn't acquire RCU so a warning occurs.
+So add rcu_read_lock().
+
+Test commands:
+ ip netns add A
+ ip netns exec A bash
+ modprobe netdevsim
+ echo "1 1" > /sys/bus/netdevsim/new_device
+ ip link add bond0 type bond
+ ip link set eth0 master bond0
+ ip link set eth0 up
+ ip link set bond0 up
+ ip x s add proto esp dst 14.1.1.1 src 15.1.1.1 spi 0x07 mode \
+transport reqid 0x07 replay-window 32 aead 'rfc4106(gcm(aes))' \
+0x44434241343332312423222114131211f4f3f2f1 128 sel src 14.0.0.52/24 \
+dst 14.0.0.70/24 proto tcp offload dev bond0 dir in
+ ip x s f
+
+Splat looks like:
+=============================
+WARNING: suspicious RCU usage
+5.13.0-rc3+ #1168 Not tainted
+-----------------------------
+drivers/net/bonding/bond_main.c:448 suspicious rcu_dereference_check()
+usage!
+
+other info that might help us debug this:
+
+rcu_scheduler_active = 2, debug_locks = 1
+2 locks held by ip/705:
+ #0: ffff888106701780 (&net->xfrm.xfrm_cfg_mutex){+.+.}-{3:3},
+at: xfrm_netlink_rcv+0x59/0x80 [xfrm_user]
+ #1: ffff8880075b0098 (&x->lock){+.-.}-{2:2},
+at: xfrm_state_delete+0x16/0x30
+
+stack backtrace:
+CPU: 6 PID: 705 Comm: ip Not tainted 5.13.0-rc3+ #1168
+Call Trace:
+ dump_stack+0xa4/0xe5
+ bond_ipsec_del_sa+0x16a/0x1c0 [bonding]
+ __xfrm_state_delete+0x51f/0x730
+ xfrm_state_delete+0x1e/0x30
+ xfrm_state_flush+0x22f/0x390
+ xfrm_flush_sa+0xd8/0x260 [xfrm_user]
+ ? xfrm_flush_policy+0x290/0x290 [xfrm_user]
+ xfrm_user_rcv_msg+0x331/0x660 [xfrm_user]
+ ? rcu_read_lock_sched_held+0x91/0xc0
+ ? xfrm_user_state_lookup.constprop.39+0x320/0x320 [xfrm_user]
+ ? find_held_lock+0x3a/0x1c0
+ ? mutex_lock_io_nested+0x1210/0x1210
+ ? sched_clock_cpu+0x18/0x170
+ netlink_rcv_skb+0x121/0x350
+[ ... ]
+
+Fixes: 18cb261afd7b ("bonding: support hardware encryption offload to slaves")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index a66d639c415f..952796fb5f1a 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -428,21 +428,24 @@ static void bond_ipsec_del_sa(struct xfrm_state *xs)
+ if (!bond_dev)
+ return;
+
++ rcu_read_lock();
+ bond = netdev_priv(bond_dev);
+ slave = rcu_dereference(bond->curr_active_slave);
+
+ if (!slave)
+- return;
++ goto out;
+
+ xs->xso.real_dev = slave->dev;
+
+ if (!(slave->dev->xfrmdev_ops
+ && slave->dev->xfrmdev_ops->xdo_dev_state_delete)) {
+ slave_warn(bond_dev, slave->dev, "%s: no slave xdo_dev_state_delete\n", __func__);
+- return;
++ goto out;
+ }
+
+ slave->dev->xfrmdev_ops->xdo_dev_state_delete(xs);
++out:
++ rcu_read_unlock();
+ }
+
+ /**
+--
+2.30.2
+
--- /dev/null
+From 393d37fbcb9b76c2fb4b1c2b66320a3cc85f9dd5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Jul 2021 15:38:13 +0000
+Subject: bonding: fix suspicious RCU usage in bond_ipsec_offload_ok()
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit 955b785ec6b3b2f9b91914d6eeac8ee66ee29239 ]
+
+To dereference bond->curr_active_slave, it uses rcu_dereference().
+But it and the caller doesn't acquire RCU so a warning occurs.
+So add rcu_read_lock().
+
+Splat looks like:
+WARNING: suspicious RCU usage
+5.13.0-rc6+ #1179 Not tainted
+drivers/net/bonding/bond_main.c:571 suspicious
+rcu_dereference_check() usage!
+
+other info that might help us debug this:
+
+rcu_scheduler_active = 2, debug_locks = 1
+1 lock held by ping/974:
+ #0: ffff888109e7db70 (sk_lock-AF_INET){+.+.}-{0:0},
+at: raw_sendmsg+0x1303/0x2cb0
+
+stack backtrace:
+CPU: 2 PID: 974 Comm: ping Not tainted 5.13.0-rc6+ #1179
+Call Trace:
+ dump_stack+0xa4/0xe5
+ bond_ipsec_offload_ok+0x1f4/0x260 [bonding]
+ xfrm_output+0x179/0x890
+ xfrm4_output+0xfa/0x410
+ ? __xfrm4_output+0x4b0/0x4b0
+ ? __ip_make_skb+0xecc/0x2030
+ ? xfrm4_udp_encap_rcv+0x800/0x800
+ ? ip_local_out+0x21/0x3a0
+ ip_send_skb+0x37/0xa0
+ raw_sendmsg+0x1bfd/0x2cb0
+
+Fixes: 18cb261afd7b ("bonding: support hardware encryption offload to slaves")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 22 ++++++++++++++++------
+ 1 file changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 484784757073..9aa2d79aa942 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -557,24 +557,34 @@ static bool bond_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs)
+ struct net_device *real_dev;
+ struct slave *curr_active;
+ struct bonding *bond;
++ int err;
+
+ bond = netdev_priv(bond_dev);
++ rcu_read_lock();
+ curr_active = rcu_dereference(bond->curr_active_slave);
+ real_dev = curr_active->dev;
+
+- if (BOND_MODE(bond) != BOND_MODE_ACTIVEBACKUP)
+- return true;
++ if (BOND_MODE(bond) != BOND_MODE_ACTIVEBACKUP) {
++ err = true;
++ goto out;
++ }
+
+- if (!xs->xso.real_dev)
+- return false;
++ if (!xs->xso.real_dev) {
++ err = false;
++ goto out;
++ }
+
+ if (!real_dev->xfrmdev_ops ||
+ !real_dev->xfrmdev_ops->xdo_dev_offload_ok ||
+ netif_is_bond_master(real_dev)) {
+- return false;
++ err = false;
++ goto out;
+ }
+
+- return real_dev->xfrmdev_ops->xdo_dev_offload_ok(skb, xs);
++ err = real_dev->xfrmdev_ops->xdo_dev_offload_ok(skb, xs);
++out:
++ rcu_read_unlock();
++ return err;
+ }
+
+ static const struct xfrmdev_ops bond_xfrmdev_ops = {
+--
+2.30.2
+
--- /dev/null
+From 00859be3e51c02dd95986aafd82c0276d8e6eb36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jul 2021 22:57:35 +0200
+Subject: bpf: Fix tail_call_reachable rejection for interpreter when jit
+ failed
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit 5dd0a6b8582ffbfa88351949d50eccd5b6694ade ]
+
+During testing of f263a81451c1 ("bpf: Track subprog poke descriptors correctly
+and fix use-after-free") under various failure conditions, for example, when
+jit_subprogs() fails and tries to clean up the program to be run under the
+interpreter, we ran into the following freeze:
+
+ [...]
+ #127/8 tailcall_bpf2bpf_3:FAIL
+ [...]
+ [ 92.041251] BUG: KASAN: slab-out-of-bounds in ___bpf_prog_run+0x1b9d/0x2e20
+ [ 92.042408] Read of size 8 at addr ffff88800da67f68 by task test_progs/682
+ [ 92.043707]
+ [ 92.044030] CPU: 1 PID: 682 Comm: test_progs Tainted: G O 5.13.0-53301-ge6c08cb33a30-dirty #87
+ [ 92.045542] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014
+ [ 92.046785] Call Trace:
+ [ 92.047171] ? __bpf_prog_run_args64+0xc0/0xc0
+ [ 92.047773] ? __bpf_prog_run_args32+0x8b/0xb0
+ [ 92.048389] ? __bpf_prog_run_args64+0xc0/0xc0
+ [ 92.049019] ? ktime_get+0x117/0x130
+ [...] // few hundred [similar] lines more
+ [ 92.659025] ? ktime_get+0x117/0x130
+ [ 92.659845] ? __bpf_prog_run_args64+0xc0/0xc0
+ [ 92.660738] ? __bpf_prog_run_args32+0x8b/0xb0
+ [ 92.661528] ? __bpf_prog_run_args64+0xc0/0xc0
+ [ 92.662378] ? print_usage_bug+0x50/0x50
+ [ 92.663221] ? print_usage_bug+0x50/0x50
+ [ 92.664077] ? bpf_ksym_find+0x9c/0xe0
+ [ 92.664887] ? ktime_get+0x117/0x130
+ [ 92.665624] ? kernel_text_address+0xf5/0x100
+ [ 92.666529] ? __kernel_text_address+0xe/0x30
+ [ 92.667725] ? unwind_get_return_address+0x2f/0x50
+ [ 92.668854] ? ___bpf_prog_run+0x15d4/0x2e20
+ [ 92.670185] ? ktime_get+0x117/0x130
+ [ 92.671130] ? __bpf_prog_run_args64+0xc0/0xc0
+ [ 92.672020] ? __bpf_prog_run_args32+0x8b/0xb0
+ [ 92.672860] ? __bpf_prog_run_args64+0xc0/0xc0
+ [ 92.675159] ? ktime_get+0x117/0x130
+ [ 92.677074] ? lock_is_held_type+0xd5/0x130
+ [ 92.678662] ? ___bpf_prog_run+0x15d4/0x2e20
+ [ 92.680046] ? ktime_get+0x117/0x130
+ [ 92.681285] ? __bpf_prog_run32+0x6b/0x90
+ [ 92.682601] ? __bpf_prog_run64+0x90/0x90
+ [ 92.683636] ? lock_downgrade+0x370/0x370
+ [ 92.684647] ? mark_held_locks+0x44/0x90
+ [ 92.685652] ? ktime_get+0x117/0x130
+ [ 92.686752] ? lockdep_hardirqs_on+0x79/0x100
+ [ 92.688004] ? ktime_get+0x117/0x130
+ [ 92.688573] ? __cant_migrate+0x2b/0x80
+ [ 92.689192] ? bpf_test_run+0x2f4/0x510
+ [ 92.689869] ? bpf_test_timer_continue+0x1c0/0x1c0
+ [ 92.690856] ? rcu_read_lock_bh_held+0x90/0x90
+ [ 92.691506] ? __kasan_slab_alloc+0x61/0x80
+ [ 92.692128] ? eth_type_trans+0x128/0x240
+ [ 92.692737] ? __build_skb+0x46/0x50
+ [ 92.693252] ? bpf_prog_test_run_skb+0x65e/0xc50
+ [ 92.693954] ? bpf_prog_test_run_raw_tp+0x2d0/0x2d0
+ [ 92.694639] ? __fget_light+0xa1/0x100
+ [ 92.695162] ? bpf_prog_inc+0x23/0x30
+ [ 92.695685] ? __sys_bpf+0xb40/0x2c80
+ [ 92.696324] ? bpf_link_get_from_fd+0x90/0x90
+ [ 92.697150] ? mark_held_locks+0x24/0x90
+ [ 92.698007] ? lockdep_hardirqs_on_prepare+0x124/0x220
+ [ 92.699045] ? finish_task_switch+0xe6/0x370
+ [ 92.700072] ? lockdep_hardirqs_on+0x79/0x100
+ [ 92.701233] ? finish_task_switch+0x11d/0x370
+ [ 92.702264] ? __switch_to+0x2c0/0x740
+ [ 92.703148] ? mark_held_locks+0x24/0x90
+ [ 92.704155] ? __x64_sys_bpf+0x45/0x50
+ [ 92.705146] ? do_syscall_64+0x35/0x80
+ [ 92.706953] ? entry_SYSCALL_64_after_hwframe+0x44/0xae
+ [...]
+
+Turns out that the program rejection from e411901c0b77 ("bpf: allow for tailcalls
+in BPF subprograms for x64 JIT") is buggy since env->prog->aux->tail_call_reachable
+is never true. Commit ebf7d1f508a7 ("bpf, x64: rework pro/epilogue and tailcall
+handling in JIT") added a tracker into check_max_stack_depth() which propagates
+the tail_call_reachable condition throughout the subprograms. This info is then
+assigned to the subprogram's func[i]->aux->tail_call_reachable. However, in the
+case of the rejection check upon JIT failure, env->prog->aux->tail_call_reachable
+is used. func[0]->aux->tail_call_reachable which represents the main program's
+information did not propagate this to the outer env->prog->aux, though. Add this
+propagation into check_max_stack_depth() where it needs to belong so that the
+check can be done reliably.
+
+Fixes: ebf7d1f508a7 ("bpf, x64: rework pro/epilogue and tailcall handling in JIT")
+Fixes: e411901c0b77 ("bpf: allow for tailcalls in BPF subprograms for x64 JIT")
+Co-developed-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Link: https://lore.kernel.org/bpf/618c34e3163ad1a36b1e82377576a6081e182f25.1626123173.git.daniel@iogearbox.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 1f8bf2b39d50..36bc34fce623 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -3356,6 +3356,8 @@ continue_func:
+ if (tail_call_reachable)
+ for (j = 0; j < frame; j++)
+ subprog[ret_prog[j]].tail_call_reachable = true;
++ if (subprog[0].tail_call_reachable)
++ env->prog->aux->tail_call_reachable = true;
+
+ /* end of for() loop means the last insn of the 'subprog'
+ * was reached. Doesn't matter whether it was JA or EXIT
+--
+2.30.2
+
--- /dev/null
+From 9ce3f2a13b8b718679be23835c6886d995a7ca8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jul 2021 12:55:45 -0700
+Subject: bpf, sockmap: Fix potential memory leak on unlikely error case
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+[ Upstream commit 7e6b27a69167f97c56b5437871d29e9722c3e470 ]
+
+If skb_linearize is needed and fails we could leak a msg on the error
+handling. To fix ensure we kfree the msg block before returning error.
+Found during code review.
+
+Fixes: 4363023d2668e ("bpf, sockmap: Avoid failures from skb_to_sgvec when skb has frag_list")
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Cong Wang <cong.wang@bytedance.com>
+Link: https://lore.kernel.org/bpf/20210712195546.423990-2-john.fastabend@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/skmsg.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/net/core/skmsg.c b/net/core/skmsg.c
+index 923a1d0f84ca..c4c224a5b9de 100644
+--- a/net/core/skmsg.c
++++ b/net/core/skmsg.c
+@@ -433,10 +433,8 @@ static int sk_psock_skb_ingress_enqueue(struct sk_buff *skb,
+ if (skb_linearize(skb))
+ return -EAGAIN;
+ num_sge = skb_to_sgvec(skb, msg->sg.data, 0, skb->len);
+- if (unlikely(num_sge < 0)) {
+- kfree(msg);
++ if (unlikely(num_sge < 0))
+ return num_sge;
+- }
+
+ copied = skb->len;
+ msg->sg.start = 0;
+@@ -455,6 +453,7 @@ static int sk_psock_skb_ingress(struct sk_psock *psock, struct sk_buff *skb)
+ {
+ struct sock *sk = psock->sk;
+ struct sk_msg *msg;
++ int err;
+
+ /* If we are receiving on the same sock skb->sk is already assigned,
+ * skip memory accounting and owner transition seeing it already set
+@@ -473,7 +472,10 @@ static int sk_psock_skb_ingress(struct sk_psock *psock, struct sk_buff *skb)
+ * into user buffers.
+ */
+ skb_set_owner_r(skb, sk);
+- return sk_psock_skb_ingress_enqueue(skb, psock, sk, msg);
++ err = sk_psock_skb_ingress_enqueue(skb, psock, sk, msg);
++ if (err < 0)
++ kfree(msg);
++ return err;
+ }
+
+ /* Puts an skb on the ingress queue of the socket already assigned to the
+@@ -484,12 +486,16 @@ static int sk_psock_skb_ingress_self(struct sk_psock *psock, struct sk_buff *skb
+ {
+ struct sk_msg *msg = kzalloc(sizeof(*msg), __GFP_NOWARN | GFP_ATOMIC);
+ struct sock *sk = psock->sk;
++ int err;
+
+ if (unlikely(!msg))
+ return -EAGAIN;
+ sk_msg_init(msg);
+ skb_set_owner_r(skb, sk);
+- return sk_psock_skb_ingress_enqueue(skb, psock, sk, msg);
++ err = sk_psock_skb_ingress_enqueue(skb, psock, sk, msg);
++ if (err < 0)
++ kfree(msg);
++ return err;
+ }
+
+ static int sk_psock_handle_skb(struct sk_psock *psock, struct sk_buff *skb,
+--
+2.30.2
+
--- /dev/null
+From 704377a489c7551e030fa50a562218b6a7c70c20 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Jul 2021 12:55:46 -0700
+Subject: bpf, sockmap, tcp: sk_prot needs inuse_idx set for proc stats
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+[ Upstream commit 228a4a7ba8e99bb9ef980b62f71e3be33f4aae69 ]
+
+The proc socket stats use sk_prot->inuse_idx value to record inuse sock
+stats. We currently do not set this correctly from sockmap side. The
+result is reading sock stats '/proc/net/sockstat' gives incorrect values.
+The socket counter is incremented correctly, but because we don't set the
+counter correctly when we replace sk_prot we may omit the decrement.
+
+To get the correct inuse_idx value move the core_initcall that initializes
+the TCP proto handlers to late_initcall. This way it is initialized after
+TCP has the chance to assign the inuse_idx value from the register protocol
+handler.
+
+Fixes: 604326b41a6fb ("bpf, sockmap: convert to generic sk_msg interface")
+Suggested-by: Jakub Sitnicki <jakub@cloudflare.com>
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Cong Wang <cong.wang@bytedance.com>
+Link: https://lore.kernel.org/bpf/20210712195546.423990-3-john.fastabend@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_bpf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c
+index bc7d2a586e18..f91ae827d47f 100644
+--- a/net/ipv4/tcp_bpf.c
++++ b/net/ipv4/tcp_bpf.c
+@@ -588,7 +588,7 @@ static int __init tcp_bpf_v4_build_proto(void)
+ tcp_bpf_rebuild_protos(tcp_bpf_prots[TCP_BPF_IPV4], &tcp_prot);
+ return 0;
+ }
+-core_initcall(tcp_bpf_v4_build_proto);
++late_initcall(tcp_bpf_v4_build_proto);
+
+ static int tcp_bpf_assert_proto_ops(struct proto *ops)
+ {
+--
+2.30.2
+
--- /dev/null
+From fe74851f0f83c3da13483edfea12266d9503358d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jul 2021 17:47:50 +0200
+Subject: bpf, sockmap, udp: sk_prot needs inuse_idx set for proc stats
+
+From: Jakub Sitnicki <jakub@cloudflare.com>
+
+[ Upstream commit 54ea2f49fd9400dd698c25450be3352b5613b3b4 ]
+
+The proc socket stats use sk_prot->inuse_idx value to record inuse sock
+stats. We currently do not set this correctly from sockmap side. The
+result is reading sock stats '/proc/net/sockstat' gives incorrect values.
+The socket counter is incremented correctly, but because we don't set the
+counter correctly when we replace sk_prot we may omit the decrement.
+
+To get the correct inuse_idx value move the core_initcall that initializes
+the UDP proto handlers to late_initcall. This way it is initialized after
+UDP has the chance to assign the inuse_idx value from the register protocol
+handler.
+
+Fixes: edc6741cc660 ("bpf: Add sockmap hooks for UDP sockets")
+Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Cong Wang <cong.wang@bytedance.com>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Link: https://lore.kernel.org/bpf/20210714154750.528206-1-jakub@cloudflare.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/udp_bpf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/udp_bpf.c b/net/ipv4/udp_bpf.c
+index 7a94791efc1a..69c9663f9ee7 100644
+--- a/net/ipv4/udp_bpf.c
++++ b/net/ipv4/udp_bpf.c
+@@ -39,7 +39,7 @@ static int __init udp_bpf_v4_build_proto(void)
+ udp_bpf_rebuild_protos(&udp_bpf_prots[UDP_BPF_IPV4], &udp_prot);
+ return 0;
+ }
+-core_initcall(udp_bpf_v4_build_proto);
++late_initcall(udp_bpf_v4_build_proto);
+
+ struct proto *udp_bpf_get_proto(struct sock *sk, struct sk_psock *psock)
+ {
+--
+2.30.2
+
--- /dev/null
+From 9e721886d108fc99e886e1bce4039e629f745b32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jul 2021 16:04:09 +0800
+Subject: bpf, test: fix NULL pointer dereference on invalid
+ expected_attach_type
+
+From: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
+
+[ Upstream commit 5e21bb4e812566aef86fbb77c96a4ec0782286e4 ]
+
+These two types of XDP progs (BPF_XDP_DEVMAP, BPF_XDP_CPUMAP) will not be
+executed directly in the driver, therefore we should also not directly
+run them from here. To run in these two situations, there must be further
+preparations done, otherwise these may cause a kernel panic.
+
+For more details, see also dev_xdp_attach().
+
+ [ 46.982479] BUG: kernel NULL pointer dereference, address: 0000000000000000
+ [ 46.984295] #PF: supervisor read access in kernel mode
+ [ 46.985777] #PF: error_code(0x0000) - not-present page
+ [ 46.987227] PGD 800000010dca4067 P4D 800000010dca4067 PUD 10dca6067 PMD 0
+ [ 46.989201] Oops: 0000 [#1] SMP PTI
+ [ 46.990304] CPU: 7 PID: 562 Comm: a.out Not tainted 5.13.0+ #44
+ [ 46.992001] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/24
+ [ 46.995113] RIP: 0010:___bpf_prog_run+0x17b/0x1710
+ [ 46.996586] Code: 49 03 14 cc e8 76 f6 fe ff e9 ad fe ff ff 0f b6 43 01 48 0f bf 4b 02 48 83 c3 08 89 c2 83 e0 0f c0 ea 04 02
+ [ 47.001562] RSP: 0018:ffffc900005afc58 EFLAGS: 00010246
+ [ 47.003115] RAX: 0000000000000000 RBX: ffffc9000023f068 RCX: 0000000000000000
+ [ 47.005163] RDX: 0000000000000000 RSI: 0000000000000079 RDI: ffffc900005afc98
+ [ 47.007135] RBP: 0000000000000000 R08: ffffc9000023f048 R09: c0000000ffffdfff
+ [ 47.009171] R10: 0000000000000001 R11: ffffc900005afb40 R12: ffffc900005afc98
+ [ 47.011172] R13: 0000000000000001 R14: 0000000000000001 R15: ffffffff825258a8
+ [ 47.013244] FS: 00007f04a5207580(0000) GS:ffff88842fdc0000(0000) knlGS:0000000000000000
+ [ 47.015705] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [ 47.017475] CR2: 0000000000000000 CR3: 0000000100182005 CR4: 0000000000770ee0
+ [ 47.019558] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ [ 47.021595] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ [ 47.023574] PKRU: 55555554
+ [ 47.024571] Call Trace:
+ [ 47.025424] __bpf_prog_run32+0x32/0x50
+ [ 47.026296] ? printk+0x53/0x6a
+ [ 47.027066] ? ktime_get+0x39/0x90
+ [ 47.027895] bpf_test_run.cold.28+0x23/0x123
+ [ 47.028866] ? printk+0x53/0x6a
+ [ 47.029630] bpf_prog_test_run_xdp+0x149/0x1d0
+ [ 47.030649] __sys_bpf+0x1305/0x23d0
+ [ 47.031482] __x64_sys_bpf+0x17/0x20
+ [ 47.032316] do_syscall_64+0x3a/0x80
+ [ 47.033165] entry_SYSCALL_64_after_hwframe+0x44/0xae
+ [ 47.034254] RIP: 0033:0x7f04a51364dd
+ [ 47.035133] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 48
+ [ 47.038768] RSP: 002b:00007fff8f9fc518 EFLAGS: 00000213 ORIG_RAX: 0000000000000141
+ [ 47.040344] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f04a51364dd
+ [ 47.041749] RDX: 0000000000000048 RSI: 0000000020002a80 RDI: 000000000000000a
+ [ 47.043171] RBP: 00007fff8f9fc530 R08: 0000000002049300 R09: 0000000020000100
+ [ 47.044626] R10: 0000000000000004 R11: 0000000000000213 R12: 0000000000401070
+ [ 47.046088] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+ [ 47.047579] Modules linked in:
+ [ 47.048318] CR2: 0000000000000000
+ [ 47.049120] ---[ end trace 7ad34443d5be719a ]---
+ [ 47.050273] RIP: 0010:___bpf_prog_run+0x17b/0x1710
+ [ 47.051343] Code: 49 03 14 cc e8 76 f6 fe ff e9 ad fe ff ff 0f b6 43 01 48 0f bf 4b 02 48 83 c3 08 89 c2 83 e0 0f c0 ea 04 02
+ [ 47.054943] RSP: 0018:ffffc900005afc58 EFLAGS: 00010246
+ [ 47.056068] RAX: 0000000000000000 RBX: ffffc9000023f068 RCX: 0000000000000000
+ [ 47.057522] RDX: 0000000000000000 RSI: 0000000000000079 RDI: ffffc900005afc98
+ [ 47.058961] RBP: 0000000000000000 R08: ffffc9000023f048 R09: c0000000ffffdfff
+ [ 47.060390] R10: 0000000000000001 R11: ffffc900005afb40 R12: ffffc900005afc98
+ [ 47.061803] R13: 0000000000000001 R14: 0000000000000001 R15: ffffffff825258a8
+ [ 47.063249] FS: 00007f04a5207580(0000) GS:ffff88842fdc0000(0000) knlGS:0000000000000000
+ [ 47.065070] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [ 47.066307] CR2: 0000000000000000 CR3: 0000000100182005 CR4: 0000000000770ee0
+ [ 47.067747] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ [ 47.069217] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ [ 47.070652] PKRU: 55555554
+ [ 47.071318] Kernel panic - not syncing: Fatal exception
+ [ 47.072854] Kernel Offset: disabled
+ [ 47.073683] ---[ end Kernel panic - not syncing: Fatal exception ]---
+
+Fixes: 9216477449f3 ("bpf: cpumap: Add the possibility to attach an eBPF program to cpumap")
+Fixes: fbee97feed9b ("bpf: Add support to attach bpf program to a devmap entry")
+Reported-by: Abaci <abaci@linux.alibaba.com>
+Signed-off-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Dust Li <dust.li@linux.alibaba.com>
+Acked-by: Jesper Dangaard Brouer <brouer@redhat.com>
+Acked-by: David Ahern <dsahern@kernel.org>
+Acked-by: Song Liu <songliubraving@fb.com>
+Link: https://lore.kernel.org/bpf/20210708080409.73525-1-xuanzhuo@linux.alibaba.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bpf/test_run.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
+index 8b796c499cbb..e7cbd1b4a5e5 100644
+--- a/net/bpf/test_run.c
++++ b/net/bpf/test_run.c
+@@ -627,6 +627,9 @@ int bpf_prog_test_run_xdp(struct bpf_prog *prog, const union bpf_attr *kattr,
+ void *data;
+ int ret;
+
++ if (prog->expected_attach_type == BPF_XDP_DEVMAP ||
++ prog->expected_attach_type == BPF_XDP_CPUMAP)
++ return -EINVAL;
+ if (kattr->test.ctx_in || kattr->test.ctx_out)
+ return -EINVAL;
+
+--
+2.30.2
+
--- /dev/null
+From c4d78021a2e213bcb36d1a921d9459f2e187011b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 13:06:09 +0200
+Subject: bpftool: Check malloc return value in mount_bpffs_for_pin
+
+From: Tobias Klauser <tklauser@distanz.ch>
+
+[ Upstream commit d444b06e40855219ef38b5e9286db16d435f06dc ]
+
+Fix and add a missing NULL check for the prior malloc() call.
+
+Fixes: 49a086c201a9 ("bpftool: implement prog load command")
+Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Quentin Monnet <quentin@isovalent.com>
+Acked-by: Roman Gushchin <guro@fb.com>
+Link: https://lore.kernel.org/bpf/20210715110609.29364-1-tklauser@distanz.ch
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/bpf/bpftool/common.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/tools/bpf/bpftool/common.c b/tools/bpf/bpftool/common.c
+index 65303664417e..6ebf2b215ef4 100644
+--- a/tools/bpf/bpftool/common.c
++++ b/tools/bpf/bpftool/common.c
+@@ -221,6 +221,11 @@ int mount_bpffs_for_pin(const char *name)
+ int err = 0;
+
+ file = malloc(strlen(name) + 1);
++ if (!file) {
++ p_err("mem alloc failed");
++ return -1;
++ }
++
+ strcpy(file, name);
+ dir = dirname(file);
+
+--
+2.30.2
+
--- /dev/null
+From 840e342de501c74d101e70b90ea6e30167c935d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 14:40:39 +0100
+Subject: ceph: don't WARN if we're still opening a session to an MDS
+
+From: Luis Henriques <lhenriques@suse.de>
+
+[ Upstream commit cdb330f4b41ab55feb35487729e883c9e08b8a54 ]
+
+If MDSs aren't available while mounting a filesystem, the session state
+will transition from SESSION_OPENING to SESSION_CLOSING. And in that
+scenario check_session_state() will be called from delayed_work() and
+trigger this WARN.
+
+Avoid this by only WARNing after a session has already been established
+(i.e., the s_ttl will be different from 0).
+
+Fixes: 62575e270f66 ("ceph: check session state after bumping session->s_seq")
+Signed-off-by: Luis Henriques <lhenriques@suse.de>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ceph/mds_client.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
+index d560752b764d..6b00f1d7c8e7 100644
+--- a/fs/ceph/mds_client.c
++++ b/fs/ceph/mds_client.c
+@@ -4401,7 +4401,7 @@ bool check_session_state(struct ceph_mds_session *s)
+ break;
+ case CEPH_MDS_SESSION_CLOSING:
+ /* Should never reach this when we're unmounting */
+- WARN_ON_ONCE(true);
++ WARN_ON_ONCE(s->s_ttl);
+ fallthrough;
+ case CEPH_MDS_SESSION_NEW:
+ case CEPH_MDS_SESSION_RESTARTING:
+--
+2.30.2
+
--- /dev/null
+From 6eff6d0b7dc974383b974002273a6e709c684673 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Jul 2021 11:21:24 +1000
+Subject: cifs: fix fallocate when trying to allocate a hole.
+
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+
+[ Upstream commit 488968a8945c119859d91bb6a8dc13bf50002f15 ]
+
+Remove the conditional checking for out_data_len and skipping the fallocate
+if it is 0. This is wrong will actually change any legitimate the fallocate
+where the entire region is unallocated into a no-op.
+
+Additionally, before allocating the range, if FALLOC_FL_KEEP_SIZE is set then
+we need to clamp the length of the fallocate region as to not extend the size of the file.
+
+Fixes: 966a3cb7c7db ("cifs: improve fallocate emulation")
+Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/smb2ops.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
+index 442bf422aa01..b0b06eb86edf 100644
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -3516,11 +3516,6 @@ static int smb3_simple_fallocate_range(unsigned int xid,
+ (char **)&out_data, &out_data_len);
+ if (rc)
+ goto out;
+- /*
+- * It is already all allocated
+- */
+- if (out_data_len == 0)
+- goto out;
+
+ buf = kzalloc(1024 * 1024, GFP_KERNEL);
+ if (buf == NULL) {
+@@ -3643,6 +3638,24 @@ static long smb3_simple_falloc(struct file *file, struct cifs_tcon *tcon,
+ goto out;
+ }
+
++ if (keep_size == true) {
++ /*
++ * We can not preallocate pages beyond the end of the file
++ * in SMB2
++ */
++ if (off >= i_size_read(inode)) {
++ rc = 0;
++ goto out;
++ }
++ /*
++ * For fallocates that are partially beyond the end of file,
++ * clamp len so we only fallocate up to the end of file.
++ */
++ if (off + len > i_size_read(inode)) {
++ len = i_size_read(inode) - off;
++ }
++ }
++
+ if ((keep_size == true) || (i_size_read(inode) >= off + len)) {
+ /*
+ * At this point, we are trying to fallocate an internal
+--
+2.30.2
+
--- /dev/null
+From 5342cd08a77be40b6b55479e518f5726d0e7b7f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Jul 2021 14:53:32 +1000
+Subject: cifs: only write 64kb at a time when fallocating a small region of a
+ file
+
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+
+[ Upstream commit 2485bd7557a7edb4520b4072af464f0a08c8efe0 ]
+
+We only allow sending single credit writes through the SMB2_write() synchronous
+api so split this into smaller chunks.
+
+Fixes: 966a3cb7c7db ("cifs: improve fallocate emulation")
+
+Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Reported-by: Namjae Jeon <namjae.jeon@samsung.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/smb2ops.c | 26 +++++++++++++++++++-------
+ 1 file changed, 19 insertions(+), 7 deletions(-)
+
+diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
+index f6ceb79a995d..442bf422aa01 100644
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -3466,7 +3466,7 @@ static int smb3_simple_fallocate_write_range(unsigned int xid,
+ char *buf)
+ {
+ struct cifs_io_parms io_parms = {0};
+- int nbytes;
++ int rc, nbytes;
+ struct kvec iov[2];
+
+ io_parms.netfid = cfile->fid.netfid;
+@@ -3474,13 +3474,25 @@ static int smb3_simple_fallocate_write_range(unsigned int xid,
+ io_parms.tcon = tcon;
+ io_parms.persistent_fid = cfile->fid.persistent_fid;
+ io_parms.volatile_fid = cfile->fid.volatile_fid;
+- io_parms.offset = off;
+- io_parms.length = len;
+
+- /* iov[0] is reserved for smb header */
+- iov[1].iov_base = buf;
+- iov[1].iov_len = io_parms.length;
+- return SMB2_write(xid, &io_parms, &nbytes, iov, 1);
++ while (len) {
++ io_parms.offset = off;
++ io_parms.length = len;
++ if (io_parms.length > SMB2_MAX_BUFFER_SIZE)
++ io_parms.length = SMB2_MAX_BUFFER_SIZE;
++ /* iov[0] is reserved for smb header */
++ iov[1].iov_base = buf;
++ iov[1].iov_len = io_parms.length;
++ rc = SMB2_write(xid, &io_parms, &nbytes, iov, 1);
++ if (rc)
++ break;
++ if (nbytes > len)
++ return -EINVAL;
++ buf += nbytes;
++ off += nbytes;
++ len -= nbytes;
++ }
++ return rc;
+ }
+
+ static int smb3_simple_fallocate_range(unsigned int xid,
+--
+2.30.2
+
--- /dev/null
+From 4731270754e95823e9e5b85f9b5fd7e23b67fd1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jul 2021 21:51:56 +0530
+Subject: cxgb4: fix IRQ free race during driver unload
+
+From: Shahjada Abul Husain <shahjada@chelsio.com>
+
+[ Upstream commit 015fe6fd29c4b9ac0f61b8c4455ef88e6018b9cc ]
+
+IRQs are requested during driver's ndo_open() and then later
+freed up in disable_interrupts() during driver unload.
+A race exists where driver can set the CXGB4_FULL_INIT_DONE
+flag in ndo_open() after the disable_interrupts() in driver
+unload path checks it, and hence misses calling free_irq().
+
+Fix by unregistering netdevice first and sync with driver's
+ndo_open(). This ensures disable_interrupts() checks the flag
+correctly and frees up the IRQs properly.
+
+Fixes: b37987e8db5f ("cxgb4: Disable interrupts and napi before unregistering netdev")
+Signed-off-by: Shahjada Abul Husain <shahjada@chelsio.com>
+Signed-off-by: Raju Rangoju <rajur@chelsio.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/chelsio/cxgb4/cxgb4_main.c | 18 ++++++++++--------
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c | 3 +++
+ 2 files changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
+index 8be525c5e2e4..6698afad4379 100644
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
+@@ -2643,6 +2643,9 @@ static void detach_ulds(struct adapter *adap)
+ {
+ unsigned int i;
+
++ if (!is_uld(adap))
++ return;
++
+ mutex_lock(&uld_mutex);
+ list_del(&adap->list_node);
+
+@@ -7145,10 +7148,13 @@ static void remove_one(struct pci_dev *pdev)
+ */
+ destroy_workqueue(adapter->workq);
+
+- if (is_uld(adapter)) {
+- detach_ulds(adapter);
+- t4_uld_clean_up(adapter);
+- }
++ detach_ulds(adapter);
++
++ for_each_port(adapter, i)
++ if (adapter->port[i]->reg_state == NETREG_REGISTERED)
++ unregister_netdev(adapter->port[i]);
++
++ t4_uld_clean_up(adapter);
+
+ adap_free_hma_mem(adapter);
+
+@@ -7156,10 +7162,6 @@ static void remove_one(struct pci_dev *pdev)
+
+ cxgb4_free_mps_ref_entries(adapter);
+
+- for_each_port(adapter, i)
+- if (adapter->port[i]->reg_state == NETREG_REGISTERED)
+- unregister_netdev(adapter->port[i]);
+-
+ debugfs_remove_recursive(adapter->debugfs_root);
+
+ if (!is_t4(adapter->params.chip))
+diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c
+index 743af9e654aa..17faac715882 100644
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c
+@@ -581,6 +581,9 @@ void t4_uld_clean_up(struct adapter *adap)
+ {
+ unsigned int i;
+
++ if (!is_uld(adap))
++ return;
++
+ mutex_lock(&uld_mutex);
+ for (i = 0; i < CXGB4_ULD_MAX; i++) {
+ if (!adap->uld[i].handle)
+--
+2.30.2
+
--- /dev/null
+From 47ac4c72edabcc99b36989ab6011e960ecc9e53f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jul 2021 11:39:34 +0300
+Subject: dma-mapping: handle vmalloc addresses in
+ dma_common_{mmap,get_sgtable}
+
+From: Roman Skakun <Roman_Skakun@epam.com>
+
+[ Upstream commit 40ac971eab89330d6153e7721e88acd2d98833f9 ]
+
+xen-swiotlb can use vmalloc backed addresses for dma coherent allocations
+and uses the common helpers. Properly handle them to unbreak Xen on
+ARM platforms.
+
+Fixes: 1b65c4e5a9af ("swiotlb-xen: use xen_alloc/free_coherent_pages")
+Signed-off-by: Roman Skakun <roman_skakun@epam.com>
+Reviewed-by: Andrii Anisov <andrii_anisov@epam.com>
+[hch: split the patch, renamed the helpers]
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/dma/ops_helpers.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/dma/ops_helpers.c b/kernel/dma/ops_helpers.c
+index 910ae69cae77..af4a6ef48ce0 100644
+--- a/kernel/dma/ops_helpers.c
++++ b/kernel/dma/ops_helpers.c
+@@ -5,6 +5,13 @@
+ */
+ #include <linux/dma-map-ops.h>
+
++static struct page *dma_common_vaddr_to_page(void *cpu_addr)
++{
++ if (is_vmalloc_addr(cpu_addr))
++ return vmalloc_to_page(cpu_addr);
++ return virt_to_page(cpu_addr);
++}
++
+ /*
+ * Create scatter-list for the already allocated DMA buffer.
+ */
+@@ -12,7 +19,7 @@ int dma_common_get_sgtable(struct device *dev, struct sg_table *sgt,
+ void *cpu_addr, dma_addr_t dma_addr, size_t size,
+ unsigned long attrs)
+ {
+- struct page *page = virt_to_page(cpu_addr);
++ struct page *page = dma_common_vaddr_to_page(cpu_addr);
+ int ret;
+
+ ret = sg_alloc_table(sgt, 1, GFP_KERNEL);
+@@ -32,6 +39,7 @@ int dma_common_mmap(struct device *dev, struct vm_area_struct *vma,
+ unsigned long user_count = vma_pages(vma);
+ unsigned long count = PAGE_ALIGN(size) >> PAGE_SHIFT;
+ unsigned long off = vma->vm_pgoff;
++ struct page *page = dma_common_vaddr_to_page(cpu_addr);
+ int ret = -ENXIO;
+
+ vma->vm_page_prot = dma_pgprot(dev, vma->vm_page_prot, attrs);
+@@ -43,7 +51,7 @@ int dma_common_mmap(struct device *dev, struct vm_area_struct *vma,
+ return -ENXIO;
+
+ return remap_pfn_range(vma, vma->vm_start,
+- page_to_pfn(virt_to_page(cpu_addr)) + vma->vm_pgoff,
++ page_to_pfn(page) + vma->vm_pgoff,
+ user_count << PAGE_SHIFT, vma->vm_page_prot);
+ #else
+ return -ENXIO;
+--
+2.30.2
+
--- /dev/null
+From 60a67fd4305eeb9c3ab9a58949a0151126d1e275 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Jul 2021 15:45:23 +0200
+Subject: drm/panel: raspberrypi-touchscreen: Prevent double-free
+
+From: Maxime Ripard <maxime@cerno.tech>
+
+[ Upstream commit 7bbcb919e32d776ca8ddce08abb391ab92eef6a9 ]
+
+The mipi_dsi_device allocated by mipi_dsi_device_register_full() is
+already free'd on release.
+
+Fixes: 2f733d6194bd ("drm/panel: Add support for the Raspberry Pi 7" Touchscreen.")
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Reviewed-by: Sam Ravnborg <sam@ravnborg.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210720134525.563936-9-maxime@cerno.tech
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/panel/panel-raspberrypi-touchscreen.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/panel/panel-raspberrypi-touchscreen.c b/drivers/gpu/drm/panel/panel-raspberrypi-touchscreen.c
+index 5e9ccefb88f6..bbdd086be7f5 100644
+--- a/drivers/gpu/drm/panel/panel-raspberrypi-touchscreen.c
++++ b/drivers/gpu/drm/panel/panel-raspberrypi-touchscreen.c
+@@ -447,7 +447,6 @@ static int rpi_touchscreen_remove(struct i2c_client *i2c)
+ drm_panel_remove(&ts->base);
+
+ mipi_dsi_device_unregister(ts->dsi);
+- kfree(ts->dsi);
+
+ return 0;
+ }
+--
+2.30.2
+
--- /dev/null
+From d656d53d12b89e886f7e0f791730861fd8621a69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 07:05:53 +0200
+Subject: e1000e: Fix an error handling path in 'e1000_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 4589075608420bc49fcef6e98279324bf2bb91ae ]
+
+If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it
+must be undone by a corresponding 'pci_disable_pcie_error_reporting()'
+call, as already done in the remove function.
+
+Fixes: 111b9dc5c981 ("e1000e: add aer support")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Acked-by: Sasha Neftin <sasha.neftin@intel.com>
+Tested-by: Dvora Fuxbrumer <dvorax.fuxbrumer@linux.intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/e1000e/netdev.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c
+index b3ad95ac3d85..361b8d0bd78d 100644
+--- a/drivers/net/ethernet/intel/e1000e/netdev.c
++++ b/drivers/net/ethernet/intel/e1000e/netdev.c
+@@ -7657,6 +7657,7 @@ err_flashmap:
+ err_ioremap:
+ free_netdev(netdev);
+ err_alloc_etherdev:
++ pci_disable_pcie_error_reporting(pdev);
+ pci_release_mem_regions(pdev);
+ err_pci_reg:
+ err_dma:
+--
+2.30.2
+
--- /dev/null
+From d639bbdeebbc783c88043129488967fb3c3d5b05 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jul 2021 11:46:54 +0200
+Subject: efi/tpm: Differentiate missing and invalid final event log table.
+
+From: Michal Suchanek <msuchanek@suse.de>
+
+[ Upstream commit 674a9f1f6815849bfb5bf385e7da8fc198aaaba9 ]
+
+Missing TPM final event log table is not a firmware bug.
+
+Clearly if providing event log in the old format makes the final event
+log invalid it should not be provided at least in that case.
+
+Fixes: b4f1874c6216 ("tpm: check event log version before reading final events")
+Signed-off-by: Michal Suchanek <msuchanek@suse.de>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/tpm.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/firmware/efi/tpm.c b/drivers/firmware/efi/tpm.c
+index c1955d320fec..8f665678e9e3 100644
+--- a/drivers/firmware/efi/tpm.c
++++ b/drivers/firmware/efi/tpm.c
+@@ -62,9 +62,11 @@ int __init efi_tpm_eventlog_init(void)
+ tbl_size = sizeof(*log_tbl) + log_tbl->size;
+ memblock_reserve(efi.tpm_log, tbl_size);
+
+- if (efi.tpm_final_log == EFI_INVALID_TABLE_ADDR ||
+- log_tbl->version != EFI_TCG2_EVENT_LOG_FORMAT_TCG_2) {
+- pr_warn(FW_BUG "TPM Final Events table missing or invalid\n");
++ if (efi.tpm_final_log == EFI_INVALID_TABLE_ADDR) {
++ pr_info("TPM Final Events table not present\n");
++ goto out;
++ } else if (log_tbl->version != EFI_TCG2_EVENT_LOG_FORMAT_TCG_2) {
++ pr_warn(FW_BUG "TPM Final Events table invalid\n");
+ goto out;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From d06387922a4fa641ab4ece2604e04efe38de862a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 07:00:36 +0200
+Subject: fm10k: Fix an error handling path in 'fm10k_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit e85e14d68f517ef12a5fb8123fff65526b35b6cd ]
+
+If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it
+must be undone by a corresponding 'pci_disable_pcie_error_reporting()'
+call, as already done in the remove function.
+
+Fixes: 19ae1b3fb99c ("fm10k: Add support for PCI power management and error handling")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/fm10k/fm10k_pci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/fm10k/fm10k_pci.c b/drivers/net/ethernet/intel/fm10k/fm10k_pci.c
+index 9e3103fae723..caedf24c24c1 100644
+--- a/drivers/net/ethernet/intel/fm10k/fm10k_pci.c
++++ b/drivers/net/ethernet/intel/fm10k/fm10k_pci.c
+@@ -2227,6 +2227,7 @@ err_sw_init:
+ err_ioremap:
+ free_netdev(netdev);
+ err_alloc_netdev:
++ pci_disable_pcie_error_reporting(pdev);
+ pci_release_mem_regions(pdev);
+ err_pci_reg:
+ err_dma:
+--
+2.30.2
+
--- /dev/null
+From bb3f912cce5172fa6dfb76cc555e6fe457d4ff54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Jul 2021 22:18:24 +0200
+Subject: gve: Fix an error handling path in 'gve_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 2342ae10d1272d411a468a85a67647dd115b344f ]
+
+If the 'register_netdev() call fails, we must release the resources
+allocated by the previous 'gve_init_priv()' call, as already done in the
+remove function.
+
+Add a new label and the missing 'gve_teardown_priv_resources()' in the
+error handling path.
+
+Fixes: 893ce44df565 ("gve: Add basic driver framework for Compute Engine Virtual NIC")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Catherine Sullivan <csully@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/google/gve/gve_main.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/google/gve/gve_main.c b/drivers/net/ethernet/google/gve/gve_main.c
+index 3a74e4645ce6..0b714b606ba1 100644
+--- a/drivers/net/ethernet/google/gve/gve_main.c
++++ b/drivers/net/ethernet/google/gve/gve_main.c
+@@ -1340,13 +1340,16 @@ static int gve_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+
+ err = register_netdev(dev);
+ if (err)
+- goto abort_with_wq;
++ goto abort_with_gve_init;
+
+ dev_info(&pdev->dev, "GVE version %s\n", gve_version_str);
+ gve_clear_probe_in_progress(priv);
+ queue_work(priv->gve_wq, &priv->service_task);
+ return 0;
+
++abort_with_gve_init:
++ gve_teardown_priv_resources(priv);
++
+ abort_with_wq:
+ destroy_workqueue(priv->gve_wq);
+
+--
+2.30.2
+
--- /dev/null
+From 145b31bf5b7ff75a3ed5a8927ce4e6da6da95502 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 07:53:02 +0200
+Subject: iavf: Fix an error handling path in 'iavf_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit af30cbd2f4d6d66a9b6094e0aa32420bc8b20e08 ]
+
+If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it
+must be undone by a corresponding 'pci_disable_pcie_error_reporting()'
+call, as already done in the remove function.
+
+Fixes: 5eae00c57f5e ("i40evf: main driver core")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index ebd08543791b..f3caf5eab8d4 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -3759,6 +3759,7 @@ static int iavf_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ err_ioremap:
+ free_netdev(netdev);
+ err_alloc_etherdev:
++ pci_disable_pcie_error_reporting(pdev);
+ pci_release_regions(pdev);
+ err_pci_reg:
+ err_dma:
+--
+2.30.2
+
--- /dev/null
+From 108ef6af91fc3f1a7f31e054ecaf2f85c28ee9e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Apr 2021 10:19:23 +0000
+Subject: igb: Check if num of q_vectors is smaller than max before array
+ access
+
+From: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+
+[ Upstream commit 6c19d772618fea40d9681f259368f284a330fd90 ]
+
+Ensure that the adapter->q_vector[MAX_Q_VECTORS] array isn't accessed
+beyond its size. It was fixed by using a local variable num_q_vectors
+as a limit for loop index, and ensure that num_q_vectors is not bigger
+than MAX_Q_VECTORS.
+
+Fixes: 047e0030f1e6 ("igb: add new data structure for handling interrupts and NAPI")
+Signed-off-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Reviewed-by: Grzegorz Siwik <grzegorz.siwik@intel.com>
+Reviewed-by: Arkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
+Reviewed-by: Slawomir Laba <slawomirx.laba@intel.com>
+Reviewed-by: Sylwester Dziedziuch <sylwesterx.dziedziuch@intel.com>
+Reviewed-by: Mateusz Palczewski <mateusz.placzewski@intel.com>
+Tested-by: Tony Brelinski <tonyx.brelinski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index 43f2096a0669..c083e5e4e8e6 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -931,6 +931,7 @@ static void igb_configure_msix(struct igb_adapter *adapter)
+ **/
+ static int igb_request_msix(struct igb_adapter *adapter)
+ {
++ unsigned int num_q_vectors = adapter->num_q_vectors;
+ struct net_device *netdev = adapter->netdev;
+ int i, err = 0, vector = 0, free_vector = 0;
+
+@@ -939,7 +940,13 @@ static int igb_request_msix(struct igb_adapter *adapter)
+ if (err)
+ goto err_out;
+
+- for (i = 0; i < adapter->num_q_vectors; i++) {
++ if (num_q_vectors > MAX_Q_VECTORS) {
++ num_q_vectors = MAX_Q_VECTORS;
++ dev_warn(&adapter->pdev->dev,
++ "The number of queue vectors (%d) is higher than max allowed (%d)\n",
++ adapter->num_q_vectors, MAX_Q_VECTORS);
++ }
++ for (i = 0; i < num_q_vectors; i++) {
+ struct igb_q_vector *q_vector = adapter->q_vector[i];
+
+ vector++;
+--
+2.30.2
+
--- /dev/null
+From d81af865981ae01d03e2d11dcfa6f3f8b392ceb4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Jun 2021 22:08:33 +0200
+Subject: igb: Fix an error handling path in 'igb_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit fea03b1cebd653cd095f2e9a58cfe1c85661c363 ]
+
+If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it
+must be undone by a corresponding 'pci_disable_pcie_error_reporting()'
+call, as already done in the remove function.
+
+Fixes: 40a914fa72ab ("igb: Add support for pci-e Advanced Error Reporting")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Tested-by: Tony Brelinski <tonyx.brelinski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index b40654664025..43f2096a0669 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -3616,6 +3616,7 @@ err_sw_init:
+ err_ioremap:
+ free_netdev(netdev);
+ err_alloc_etherdev:
++ pci_disable_pcie_error_reporting(pdev);
+ pci_release_mem_regions(pdev);
+ err_pci_reg:
+ err_dma:
+--
+2.30.2
+
--- /dev/null
+From cf7f6314d59c74ce2b4f030479a09fe1fce358a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Jun 2021 22:42:17 +0000
+Subject: igb: Fix position of assignment to *ring
+
+From: Jedrzej Jagielski <jedrzej.jagielski@intel.com>
+
+[ Upstream commit 382a7c20d9253bcd5715789b8179528d0f3de72c ]
+
+Assignment to *ring should be done after correctness check of the
+argument queue.
+
+Fixes: 91db364236c8 ("igb: Refactor igb_configure_cbs()")
+Signed-off-by: Jedrzej Jagielski <jedrzej.jagielski@intel.com>
+Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Tested-by: Tony Brelinski <tonyx.brelinski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index c083e5e4e8e6..e24fb122c03a 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -1685,14 +1685,15 @@ static bool is_any_txtime_enabled(struct igb_adapter *adapter)
+ **/
+ static void igb_config_tx_modes(struct igb_adapter *adapter, int queue)
+ {
+- struct igb_ring *ring = adapter->tx_ring[queue];
+ struct net_device *netdev = adapter->netdev;
+ struct e1000_hw *hw = &adapter->hw;
++ struct igb_ring *ring;
+ u32 tqavcc, tqavctrl;
+ u16 value;
+
+ WARN_ON(hw->mac.type != e1000_i210);
+ WARN_ON(queue < 0 || queue > 1);
++ ring = adapter->tx_ring[queue];
+
+ /* If any of the Qav features is enabled, configure queues as SR and
+ * with HIGH PRIO. If none is, then configure them with LOW PRIO and
+--
+2.30.2
+
--- /dev/null
+From 341a46682aeaaae50776bfd2e8447e949a5997de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 May 2021 17:31:04 -0700
+Subject: igb: Fix use-after-free error during reset
+
+From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+
+[ Upstream commit 7b292608db23ccbbfbfa50cdb155d01725d7a52e ]
+
+Cleans the next descriptor to watch (next_to_watch) when cleaning the
+TX ring.
+
+Failure to do so can cause invalid memory accesses. If igb_poll() runs
+while the controller is reset this can lead to the driver try to free
+a skb that was already freed.
+
+(The crash is harder to reproduce with the igb driver, but the same
+potential problem exists as the code is identical to igc)
+
+Fixes: 7cc6fd4c60f2 ("igb: Don't bother clearing Tx buffer_info in igb_clean_tx_ring")
+Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Reported-by: Erez Geva <erez.geva.ext@siemens.com>
+Tested-by: Tony Brelinski <tonyx.brelinski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index 4b9b5148c916..b40654664025 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -4836,6 +4836,8 @@ static void igb_clean_tx_ring(struct igb_ring *tx_ring)
+ DMA_TO_DEVICE);
+ }
+
++ tx_buffer->next_to_watch = NULL;
++
+ /* move us one more past the eop_desc for start of next pkt */
+ tx_buffer++;
+ i++;
+--
+2.30.2
+
--- /dev/null
+From 82a0f601a62562bd6c2650b79da5b5fcc6de7309 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 May 2021 12:50:19 -0700
+Subject: igc: change default return of igc_read_phy_reg()
+
+From: Tom Rix <trix@redhat.com>
+
+[ Upstream commit 05682a0a61b6cbecd97a0f37f743b2cbfd516977 ]
+
+Static analysis reports this problem
+
+igc_main.c:4944:20: warning: The left operand of '&'
+ is a garbage value
+ if (!(phy_data & SR_1000T_REMOTE_RX_STATUS) &&
+ ~~~~~~~~ ^
+
+phy_data is set by the call to igc_read_phy_reg() only if
+there is a read_reg() op, else it is unset and a 0 is
+returned. Change the return to -EOPNOTSUPP.
+
+Fixes: 208983f099d9 ("igc: Add watchdog")
+Signed-off-by: Tom Rix <trix@redhat.com>
+Tested-by: Dvora Fuxbrumer <dvorax.fuxbrumer@linux.intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc.h b/drivers/net/ethernet/intel/igc/igc.h
+index 6dca67d9c25d..a97bf7a5f1d6 100644
+--- a/drivers/net/ethernet/intel/igc/igc.h
++++ b/drivers/net/ethernet/intel/igc/igc.h
+@@ -532,7 +532,7 @@ static inline s32 igc_read_phy_reg(struct igc_hw *hw, u32 offset, u16 *data)
+ if (hw->phy.ops.read_reg)
+ return hw->phy.ops.read_reg(hw, offset, data);
+
+- return 0;
++ return -EOPNOTSUPP;
+ }
+
+ void igc_reinit_locked(struct igc_adapter *);
+--
+2.30.2
+
--- /dev/null
+From a9a21e55db0e1479e6bb816fbaabe5fea2662dca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Jun 2021 22:00:05 +0200
+Subject: igc: Fix an error handling path in 'igc_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit c6bc9e5ce5d37cb3e6b552f41b92a193db1806ab ]
+
+If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it
+must be undone by a corresponding 'pci_disable_pcie_error_reporting()'
+call, as already done in the remove function.
+
+Fixes: c9a11c23ceb6 ("igc: Add netdev")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Tested-by: Dvora Fuxbrumer <dvorax.fuxbrumer@linux.intel.com>
+Acked-by: Sasha Neftin <sasha.neftin@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index 4b58dd97a7c0..b9fe2785f573 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -5223,6 +5223,7 @@ err_sw_init:
+ err_ioremap:
+ free_netdev(netdev);
+ err_alloc_etherdev:
++ pci_disable_pcie_error_reporting(pdev);
+ pci_release_mem_regions(pdev);
+ err_pci_reg:
+ err_dma:
+--
+2.30.2
+
--- /dev/null
+From 7954f08060d44c5294514f8137e01585f5826ee4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 May 2021 17:31:03 -0700
+Subject: igc: Fix use-after-free error during reset
+
+From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+
+[ Upstream commit 56ea7ed103b46970e171eb1c95916f393d64eeff ]
+
+Cleans the next descriptor to watch (next_to_watch) when cleaning the
+TX ring.
+
+Failure to do so can cause invalid memory accesses. If igc_poll() runs
+while the controller is being reset this can lead to the driver try to
+free a skb that was already freed.
+
+Log message:
+
+ [ 101.525242] refcount_t: underflow; use-after-free.
+ [ 101.525251] WARNING: CPU: 1 PID: 646 at lib/refcount.c:28 refcount_warn_saturate+0xab/0xf0
+ [ 101.525259] Modules linked in: sch_etf(E) sch_mqprio(E) rfkill(E) intel_rapl_msr(E) intel_rapl_common(E)
+ x86_pkg_temp_thermal(E) intel_powerclamp(E) coretemp(E) binfmt_misc(E) kvm_intel(E) kvm(E) irqbypass(E) crc32_pclmul(E)
+ ghash_clmulni_intel(E) aesni_intel(E) mei_wdt(E) libaes(E) crypto_simd(E) cryptd(E) glue_helper(E) snd_hda_codec_hdmi(E)
+ rapl(E) intel_cstate(E) snd_hda_intel(E) snd_intel_dspcfg(E) sg(E) soundwire_intel(E) intel_uncore(E) at24(E)
+ soundwire_generic_allocation(E) iTCO_wdt(E) soundwire_cadence(E) intel_pmc_bxt(E) serio_raw(E) snd_hda_codec(E)
+ iTCO_vendor_support(E) watchdog(E) snd_hda_core(E) snd_hwdep(E) snd_soc_core(E) snd_compress(E) snd_pcsp(E)
+ soundwire_bus(E) snd_pcm(E) evdev(E) snd_timer(E) mei_me(E) snd(E) soundcore(E) mei(E) configfs(E) ip_tables(E) x_tables(E)
+ autofs4(E) ext4(E) crc32c_generic(E) crc16(E) mbcache(E) jbd2(E) sd_mod(E) t10_pi(E) crc_t10dif(E) crct10dif_generic(E)
+ i915(E) ahci(E) libahci(E) ehci_pci(E) igb(E) xhci_pci(E) ehci_hcd(E)
+ [ 101.525303] drm_kms_helper(E) dca(E) xhci_hcd(E) libata(E) crct10dif_pclmul(E) cec(E) crct10dif_common(E) tsn(E) igc(E)
+ e1000e(E) ptp(E) i2c_i801(E) crc32c_intel(E) psmouse(E) i2c_algo_bit(E) i2c_smbus(E) scsi_mod(E) lpc_ich(E) pps_core(E)
+ usbcore(E) drm(E) button(E) video(E)
+ [ 101.525318] CPU: 1 PID: 646 Comm: irq/37-enp7s0-T Tainted: G E 5.10.30-rt37-tsn1-rt-ipipe #ipipe
+ [ 101.525320] Hardware name: SIEMENS AG SIMATIC IPC427D/A5E31233588, BIOS V17.02.09 03/31/2017
+ [ 101.525322] RIP: 0010:refcount_warn_saturate+0xab/0xf0
+ [ 101.525325] Code: 05 31 48 44 01 01 e8 f0 c6 42 00 0f 0b c3 80 3d 1f 48 44 01 00 75 90 48 c7 c7 78 a8 f3 a6 c6 05 0f 48
+ 44 01 01 e8 d1 c6 42 00 <0f> 0b c3 80 3d fe 47 44 01 00 0f 85 6d ff ff ff 48 c7 c7 d0 a8 f3
+ [ 101.525327] RSP: 0018:ffffbdedc0917cb8 EFLAGS: 00010286
+ [ 101.525329] RAX: 0000000000000000 RBX: ffff98fd6becbf40 RCX: 0000000000000001
+ [ 101.525330] RDX: 0000000000000001 RSI: ffffffffa6f2700c RDI: 00000000ffffffff
+ [ 101.525332] RBP: ffff98fd6becc14c R08: ffffffffa7463d00 R09: ffffbdedc0917c50
+ [ 101.525333] R10: ffffffffa74c3578 R11: 0000000000000034 R12: 00000000ffffff00
+ [ 101.525335] R13: ffff98fd6b0b1000 R14: 0000000000000039 R15: ffff98fd6be35c40
+ [ 101.525337] FS: 0000000000000000(0000) GS:ffff98fd6e240000(0000) knlGS:0000000000000000
+ [ 101.525339] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [ 101.525341] CR2: 00007f34135a3a70 CR3: 0000000150210003 CR4: 00000000001706e0
+ [ 101.525343] Call Trace:
+ [ 101.525346] sock_wfree+0x9c/0xa0
+ [ 101.525353] unix_destruct_scm+0x7b/0xa0
+ [ 101.525358] skb_release_head_state+0x40/0x90
+ [ 101.525362] skb_release_all+0xe/0x30
+ [ 101.525364] napi_consume_skb+0x57/0x160
+ [ 101.525367] igc_poll+0xb7/0xc80 [igc]
+ [ 101.525376] ? sched_clock+0x5/0x10
+ [ 101.525381] ? sched_clock_cpu+0xe/0x100
+ [ 101.525385] net_rx_action+0x14c/0x410
+ [ 101.525388] __do_softirq+0xe9/0x2f4
+ [ 101.525391] __local_bh_enable_ip+0xe3/0x110
+ [ 101.525395] ? irq_finalize_oneshot.part.47+0xe0/0xe0
+ [ 101.525398] irq_forced_thread_fn+0x6a/0x80
+ [ 101.525401] irq_thread+0xe8/0x180
+ [ 101.525403] ? wake_threads_waitq+0x30/0x30
+ [ 101.525406] ? irq_thread_check_affinity+0xd0/0xd0
+ [ 101.525408] kthread+0x183/0x1a0
+ [ 101.525412] ? kthread_park+0x80/0x80
+ [ 101.525415] ret_from_fork+0x22/0x30
+
+Fixes: 13b5b7fd6a4a ("igc: Add support for Tx/Rx rings")
+Reported-by: Erez Geva <erez.geva.ext@siemens.com>
+Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Tested-by: Dvora Fuxbrumer <dvorax.fuxbrumer@linux.intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index 7b822cdcc6c5..4b58dd97a7c0 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -207,6 +207,8 @@ static void igc_clean_tx_ring(struct igc_ring *tx_ring)
+ DMA_TO_DEVICE);
+ }
+
++ tx_buffer->next_to_watch = NULL;
++
+ /* move us one more past the eop_desc for start of next pkt */
+ tx_buffer++;
+ i++;
+--
+2.30.2
+
--- /dev/null
+From eb56fadf97f8692999509ae248963f3c90167dac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Jul 2021 15:08:40 +0200
+Subject: ipv6: fix another slab-out-of-bounds in fib6_nh_flush_exceptions
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit 8fb4792f091e608a0a1d353dfdf07ef55a719db5 ]
+
+While running the self-tests on a KASAN enabled kernel, I observed a
+slab-out-of-bounds splat very similar to the one reported in
+commit 821bbf79fe46 ("ipv6: Fix KASAN: slab-out-of-bounds Read in
+ fib6_nh_flush_exceptions").
+
+We additionally need to take care of fib6_metrics initialization
+failure when the caller provides an nh.
+
+The fix is similar, explicitly free the route instead of calling
+fib6_info_release on a half-initialized object.
+
+Fixes: f88d8ea67fbdb ("ipv6: Plumb support for nexthop object in a fib6_info")
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/route.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index ccff4738313c..62db3c98424b 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -3640,7 +3640,7 @@ static struct fib6_info *ip6_route_info_create(struct fib6_config *cfg,
+ err = PTR_ERR(rt->fib6_metrics);
+ /* Do not leave garbage there. */
+ rt->fib6_metrics = (struct dst_metrics *)&dst_default_metrics;
+- goto out;
++ goto out_free;
+ }
+
+ if (cfg->fc_flags & RTF_ADDRCONF)
+--
+2.30.2
+
--- /dev/null
+From 4a2549be9fb22276cdd96de505a8e8c30d82a52e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Jul 2021 11:13:35 +0200
+Subject: ipv6: fix 'disable_policy' for fwd packets
+
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+
+[ Upstream commit ccd27f05ae7b8ebc40af5b004e94517a919aa862 ]
+
+The goal of commit df789fe75206 ("ipv6: Provide ipv6 version of
+"disable_policy" sysctl") was to have the disable_policy from ipv4
+available on ipv6.
+However, it's not exactly the same mechanism. On IPv4, all packets coming
+from an interface, which has disable_policy set, bypass the policy check.
+For ipv6, this is done only for local packets, ie for packets destinated to
+an address configured on the incoming interface.
+
+Let's align ipv6 with ipv4 so that the 'disable_policy' sysctl has the same
+effect for both protocols.
+
+My first approach was to create a new kind of route cache entries, to be
+able to set DST_NOPOLICY without modifying routes. This would have added a
+lot of code. Because the local delivery path is already handled, I choose
+to focus on the forwarding path to minimize code churn.
+
+Fixes: df789fe75206 ("ipv6: Provide ipv6 version of "disable_policy" sysctl")
+Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ip6_output.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+index e889655ca0e2..341d0c7acc8b 100644
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -478,7 +478,9 @@ int ip6_forward(struct sk_buff *skb)
+ if (skb_warn_if_lro(skb))
+ goto drop;
+
+- if (!xfrm6_policy_check(NULL, XFRM_POLICY_FWD, skb)) {
++ if (!net->ipv6.devconf_all->disable_policy &&
++ !idev->cnf.disable_policy &&
++ !xfrm6_policy_check(NULL, XFRM_POLICY_FWD, skb)) {
+ __IP6_INC_STATS(net, idev, IPSTATS_MIB_INDISCARDS);
+ goto drop;
+ }
+--
+2.30.2
+
--- /dev/null
+From e49bf0ea5fae8bed804e19ff96bc6f69decd8000 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Jun 2021 15:46:09 +0200
+Subject: ixgbe: Fix an error handling path in 'ixgbe_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit dd2aefcd5e37989ae5f90afdae44bbbf3a2990da ]
+
+If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it
+must be undone by a corresponding 'pci_disable_pcie_error_reporting()'
+call, as already done in the remove function.
+
+Fixes: 6fabd715e6d8 ("ixgbe: Implement PCIe AER support")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Tested-by: Tony Brelinski <tonyx.brelinski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+index 1bfba87f1ff6..5c8f9ba43968 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+@@ -11081,6 +11081,7 @@ err_ioremap:
+ disable_dev = !test_and_set_bit(__IXGBE_DISABLED, &adapter->state);
+ free_netdev(netdev);
+ err_alloc_etherdev:
++ pci_disable_pcie_error_reporting(pdev);
+ pci_release_mem_regions(pdev);
+ err_pci_reg:
+ err_dma:
+--
+2.30.2
+
--- /dev/null
+From 0720bb50079aadbedeb45eea98fc0aa378f5eb1f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Jul 2021 15:38:09 +0000
+Subject: ixgbevf: use xso.real_dev instead of xso.dev in callback functions of
+ struct xfrmdev_ops
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit 2de7e4f67599affc97132bd07e30e3bd59d0b777 ]
+
+There are two pointers in struct xfrm_state_offload, *dev, *real_dev.
+These are used in callback functions of struct xfrmdev_ops.
+The *dev points whether bonding interface or real interface.
+If bonding ipsec offload is used, it points bonding interface If not,
+it points real interface.
+And real_dev always points real interface.
+So, ixgbevf should always use real_dev instead of dev.
+Of course, real_dev always not be null.
+
+Test commands:
+ ip link add bond0 type bond
+ #eth0 is ixgbevf interface
+ ip link set eth0 master bond0
+ ip link set bond0 up
+ ip x s add proto esp dst 14.1.1.1 src 15.1.1.1 spi 0x07 mode \
+transport reqid 0x07 replay-window 32 aead 'rfc4106(gcm(aes))' \
+0x44434241343332312423222114131211f4f3f2f1 128 sel src 14.0.0.52/24 \
+dst 14.0.0.70/24 proto tcp offload dev bond0 dir in
+
+Splat looks like:
+KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+CPU: 6 PID: 688 Comm: ip Not tainted 5.13.0-rc3+ #1168
+RIP: 0010:ixgbevf_ipsec_find_empty_idx+0x28/0x1b0 [ixgbevf]
+Code: 00 00 0f 1f 44 00 00 55 53 48 89 fb 48 83 ec 08 40 84 f6 0f 84 9c
+00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02
+84 c0 74 08 3c 01 0f 8e 4c 01 00 00 66 81 3b 00 04 0f
+RSP: 0018:ffff8880089af390 EFLAGS: 00010246
+RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000001
+RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
+RBP: ffff8880089af4f8 R08: 0000000000000003 R09: fffffbfff4287e11
+R10: 0000000000000001 R11: ffff888005de8908 R12: 0000000000000000
+R13: ffff88810936a000 R14: ffff88810936a000 R15: ffff888004d78040
+FS: 00007fdf9883a680(0000) GS:ffff88811a400000(0000)
+knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 000055bc14adbf40 CR3: 000000000b87c005 CR4: 00000000003706e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ ixgbevf_ipsec_add_sa+0x1bf/0x9c0 [ixgbevf]
+ ? rcu_read_lock_sched_held+0x91/0xc0
+ ? ixgbevf_ipsec_parse_proto_keys.isra.9+0x280/0x280 [ixgbevf]
+ ? lock_acquire+0x191/0x720
+ ? bond_ipsec_add_sa+0x48/0x350 [bonding]
+ ? lockdep_hardirqs_on_prepare+0x3e0/0x3e0
+ ? rcu_read_lock_held+0x91/0xa0
+ ? rcu_read_lock_sched_held+0xc0/0xc0
+ bond_ipsec_add_sa+0x193/0x350 [bonding]
+ xfrm_dev_state_add+0x2a9/0x770
+ ? memcpy+0x38/0x60
+ xfrm_add_sa+0x2278/0x3b10 [xfrm_user]
+ ? xfrm_get_policy+0xaa0/0xaa0 [xfrm_user]
+ ? register_lock_class+0x1750/0x1750
+ xfrm_user_rcv_msg+0x331/0x660 [xfrm_user]
+ ? rcu_read_lock_sched_held+0x91/0xc0
+ ? xfrm_user_state_lookup.constprop.39+0x320/0x320 [xfrm_user]
+ ? find_held_lock+0x3a/0x1c0
+ ? mutex_lock_io_nested+0x1210/0x1210
+ ? sched_clock_cpu+0x18/0x170
+ netlink_rcv_skb+0x121/0x350
+[ ... ]
+
+Fixes: 272c2330adc9 ("xfrm: bail early on slave pass over skb")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbevf/ipsec.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbevf/ipsec.c b/drivers/net/ethernet/intel/ixgbevf/ipsec.c
+index caaea2c920a6..e3e4676af9e4 100644
+--- a/drivers/net/ethernet/intel/ixgbevf/ipsec.c
++++ b/drivers/net/ethernet/intel/ixgbevf/ipsec.c
+@@ -211,7 +211,7 @@ struct xfrm_state *ixgbevf_ipsec_find_rx_state(struct ixgbevf_ipsec *ipsec,
+ static int ixgbevf_ipsec_parse_proto_keys(struct xfrm_state *xs,
+ u32 *mykey, u32 *mysalt)
+ {
+- struct net_device *dev = xs->xso.dev;
++ struct net_device *dev = xs->xso.real_dev;
+ unsigned char *key_data;
+ char *alg_name = NULL;
+ int key_len;
+@@ -260,12 +260,15 @@ static int ixgbevf_ipsec_parse_proto_keys(struct xfrm_state *xs,
+ **/
+ static int ixgbevf_ipsec_add_sa(struct xfrm_state *xs)
+ {
+- struct net_device *dev = xs->xso.dev;
+- struct ixgbevf_adapter *adapter = netdev_priv(dev);
+- struct ixgbevf_ipsec *ipsec = adapter->ipsec;
++ struct net_device *dev = xs->xso.real_dev;
++ struct ixgbevf_adapter *adapter;
++ struct ixgbevf_ipsec *ipsec;
+ u16 sa_idx;
+ int ret;
+
++ adapter = netdev_priv(dev);
++ ipsec = adapter->ipsec;
++
+ if (xs->id.proto != IPPROTO_ESP && xs->id.proto != IPPROTO_AH) {
+ netdev_err(dev, "Unsupported protocol 0x%04x for IPsec offload\n",
+ xs->id.proto);
+@@ -383,11 +386,14 @@ static int ixgbevf_ipsec_add_sa(struct xfrm_state *xs)
+ **/
+ static void ixgbevf_ipsec_del_sa(struct xfrm_state *xs)
+ {
+- struct net_device *dev = xs->xso.dev;
+- struct ixgbevf_adapter *adapter = netdev_priv(dev);
+- struct ixgbevf_ipsec *ipsec = adapter->ipsec;
++ struct net_device *dev = xs->xso.real_dev;
++ struct ixgbevf_adapter *adapter;
++ struct ixgbevf_ipsec *ipsec;
+ u16 sa_idx;
+
++ adapter = netdev_priv(dev);
++ ipsec = adapter->ipsec;
++
+ if (xs->xso.flags & XFRM_OFFLOAD_INBOUND) {
+ sa_idx = xs->xso.offload_handle - IXGBE_IPSEC_BASE_RX_INDEX;
+
+--
+2.30.2
+
--- /dev/null
+From 92bd57d9c7417392b8407ea4f458f1c4f4ff1d4d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jul 2021 12:43:09 +1000
+Subject: KVM: PPC: Book3S: Fix CONFIG_TRANSACTIONAL_MEM=n crash
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+[ Upstream commit bd31ecf44b8e18ccb1e5f6b50f85de6922a60de3 ]
+
+When running CPU_FTR_P9_TM_HV_ASSIST, HFSCR[TM] is set for the guest
+even if the host has CONFIG_TRANSACTIONAL_MEM=n, which causes it to be
+unprepared to handle guest exits while transactional.
+
+Normal guests don't have a problem because the HTM capability will not
+be advertised, but a rogue or buggy one could crash the host.
+
+Fixes: 4bb3c7a0208f ("KVM: PPC: Book3S HV: Work around transactional memory bugs in POWER9")
+Reported-by: Alexey Kardashevskiy <aik@ozlabs.ru>
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20210716024310.164448-1-npiggin@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kvm/book3s_hv.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c
+index 2325b7a6e95f..bd7350a608d4 100644
+--- a/arch/powerpc/kvm/book3s_hv.c
++++ b/arch/powerpc/kvm/book3s_hv.c
+@@ -2366,8 +2366,10 @@ static int kvmppc_core_vcpu_create_hv(struct kvm_vcpu *vcpu)
+ HFSCR_DSCR | HFSCR_VECVSX | HFSCR_FP | HFSCR_PREFIX;
+ if (cpu_has_feature(CPU_FTR_HVMODE)) {
+ vcpu->arch.hfscr &= mfspr(SPRN_HFSCR);
++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
+ if (cpu_has_feature(CPU_FTR_P9_TM_HV_ASSIST))
+ vcpu->arch.hfscr |= HFSCR_TM;
++#endif
+ }
+ if (cpu_has_feature(CPU_FTR_TM_COMP))
+ vcpu->arch.hfscr |= HFSCR_TM;
+--
+2.30.2
+
--- /dev/null
+From e1992608f27133f6d4d1e1e1bd04c4f329006cc2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jul 2021 12:43:10 +1000
+Subject: KVM: PPC: Fix kvm_arch_vcpu_ioctl vcpu_load leak
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+[ Upstream commit bc4188a2f56e821ea057aca6bf444e138d06c252 ]
+
+vcpu_put is not called if the user copy fails. This can result in preempt
+notifier corruption and crashes, among other issues.
+
+Fixes: b3cebfe8c1ca ("KVM: PPC: Move vcpu_load/vcpu_put down to each ioctl case in kvm_arch_vcpu_ioctl")
+Reported-by: Alexey Kardashevskiy <aik@ozlabs.ru>
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20210716024310.164448-2-npiggin@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kvm/powerpc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/kvm/powerpc.c b/arch/powerpc/kvm/powerpc.c
+index 32fa0fa3d4ff..543db9157f3b 100644
+--- a/arch/powerpc/kvm/powerpc.c
++++ b/arch/powerpc/kvm/powerpc.c
+@@ -2041,9 +2041,9 @@ long kvm_arch_vcpu_ioctl(struct file *filp,
+ {
+ struct kvm_enable_cap cap;
+ r = -EFAULT;
+- vcpu_load(vcpu);
+ if (copy_from_user(&cap, argp, sizeof(cap)))
+ goto out;
++ vcpu_load(vcpu);
+ r = kvm_vcpu_ioctl_enable_cap(vcpu, &cap);
+ vcpu_put(vcpu);
+ break;
+@@ -2067,9 +2067,9 @@ long kvm_arch_vcpu_ioctl(struct file *filp,
+ case KVM_DIRTY_TLB: {
+ struct kvm_dirty_tlb dirty;
+ r = -EFAULT;
+- vcpu_load(vcpu);
+ if (copy_from_user(&dirty, argp, sizeof(dirty)))
+ goto out;
++ vcpu_load(vcpu);
+ r = kvm_vcpu_ioctl_dirty_tlb(vcpu, &dirty);
+ vcpu_put(vcpu);
+ break;
+--
+2.30.2
+
--- /dev/null
+From 91349599f1b011f3f73b1fc1a8f71ee274142020 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Jun 2021 15:43:54 +0800
+Subject: KVM: x86/pmu: Clear anythread deprecated bit when 0xa leaf is
+ unsupported on the SVM
+
+From: Like Xu <like.xu.linux@gmail.com>
+
+[ Upstream commit 7234c362ccb3c2228f06f19f93b132de9cfa7ae4 ]
+
+The AMD platform does not support the functions Ah CPUID leaf. The returned
+results for this entry should all remain zero just like the native does:
+
+AMD host:
+ 0x0000000a 0x00: eax=0x00000000 ebx=0x00000000 ecx=0x00000000 edx=0x00000000
+(uncanny) AMD guest:
+ 0x0000000a 0x00: eax=0x00000000 ebx=0x00000000 ecx=0x00000000 edx=0x00008000
+
+Fixes: cadbaa039b99 ("perf/x86/intel: Make anythread filter support conditional")
+Signed-off-by: Like Xu <likexu@tencent.com>
+Message-Id: <20210628074354.33848-1-likexu@tencent.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/cpuid.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
+index 7a3fbf3b796e..41b0dc37720e 100644
+--- a/arch/x86/kvm/cpuid.c
++++ b/arch/x86/kvm/cpuid.c
+@@ -684,7 +684,8 @@ static inline int __do_cpuid_func(struct kvm_cpuid_array *array, u32 function)
+
+ edx.split.num_counters_fixed = min(cap.num_counters_fixed, MAX_FIXED_COUNTERS);
+ edx.split.bit_width_fixed = cap.bit_width_fixed;
+- edx.split.anythread_deprecated = 1;
++ if (cap.version)
++ edx.split.anythread_deprecated = 1;
+ edx.split.reserved1 = 0;
+ edx.split.reserved2 = 0;
+
+--
+2.30.2
+
--- /dev/null
+From dbe34e28a4937f3e2d57c9cd53c1c6a2548249cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jul 2021 16:23:43 +0100
+Subject: liquidio: Fix unintentional sign extension issue on left shift of u16
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit e7efc2ce3d0789cd7c21b70ff00cd7838d382639 ]
+
+Shifting the u16 integer oct->pcie_port by CN23XX_PKT_INPUT_CTL_MAC_NUM_POS
+(29) bits will be promoted to a 32 bit signed int and then sign-extended
+to a u64. In the cases where oct->pcie_port where bit 2 is set (e.g. 3..7)
+the shifted value will be sign extended and the top 32 bits of the result
+will be set.
+
+Fix this by casting the u16 values to a u64 before the 29 bit left shift.
+
+Addresses-Coverity: ("Unintended sign extension")
+
+Fixes: 3451b97cce2d ("liquidio: CN23XX register setup")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c b/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c
+index 4cddd628d41b..9ed3d1ab2ca5 100644
+--- a/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c
++++ b/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c
+@@ -420,7 +420,7 @@ static int cn23xx_pf_setup_global_input_regs(struct octeon_device *oct)
+ * bits 32:47 indicate the PVF num.
+ */
+ for (q_no = 0; q_no < ern; q_no++) {
+- reg_val = oct->pcie_port << CN23XX_PKT_INPUT_CTL_MAC_NUM_POS;
++ reg_val = (u64)oct->pcie_port << CN23XX_PKT_INPUT_CTL_MAC_NUM_POS;
+
+ /* for VF assigned queues. */
+ if (q_no < oct->sriov_info.pf_srn) {
+--
+2.30.2
+
--- /dev/null
+From 5682efc6ea950922aba875ae1e80bf009884f07e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Jul 2021 17:20:46 -0700
+Subject: mptcp: fix warning in __skb_flow_dissect() when do syn cookie for
+ subflow join
+
+From: Jianguo Wu <wujianguo@chinatelecom.cn>
+
+[ Upstream commit 0c71929b5893e410e0efbe1bbeca6f19a5f19956 ]
+
+I did stress test with wrk[1] and webfsd[2] with the assistance of
+mptcp-tools[3]:
+
+ Server side:
+ ./use_mptcp.sh webfsd -4 -R /tmp/ -p 8099
+ Client side:
+ ./use_mptcp.sh wrk -c 200 -d 30 -t 4 http://192.168.174.129:8099/
+
+and got the following warning message:
+
+[ 55.552626] TCP: request_sock_subflow: Possible SYN flooding on port 8099. Sending cookies. Check SNMP counters.
+[ 55.553024] ------------[ cut here ]------------
+[ 55.553027] WARNING: CPU: 0 PID: 10 at net/core/flow_dissector.c:984 __skb_flow_dissect+0x280/0x1650
+...
+[ 55.553117] CPU: 0 PID: 10 Comm: ksoftirqd/0 Not tainted 5.12.0+ #18
+[ 55.553121] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 02/27/2020
+[ 55.553124] RIP: 0010:__skb_flow_dissect+0x280/0x1650
+...
+[ 55.553133] RSP: 0018:ffffb79580087770 EFLAGS: 00010246
+[ 55.553137] RAX: 0000000000000000 RBX: ffffffff8ddb58e0 RCX: ffffb79580087888
+[ 55.553139] RDX: ffffffff8ddb58e0 RSI: ffff8f7e4652b600 RDI: 0000000000000000
+[ 55.553141] RBP: ffffb79580087858 R08: 0000000000000000 R09: 0000000000000008
+[ 55.553143] R10: 000000008c622965 R11: 00000000d3313a5b R12: ffff8f7e4652b600
+[ 55.553146] R13: ffff8f7e465c9062 R14: 0000000000000000 R15: ffffb79580087888
+[ 55.553149] FS: 0000000000000000(0000) GS:ffff8f7f75e00000(0000) knlGS:0000000000000000
+[ 55.553152] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 55.553154] CR2: 00007f73d1d19000 CR3: 0000000135e10004 CR4: 00000000003706f0
+[ 55.553160] Call Trace:
+[ 55.553166] ? __sha256_final+0x67/0xd0
+[ 55.553173] ? sha256+0x7e/0xa0
+[ 55.553177] __skb_get_hash+0x57/0x210
+[ 55.553182] subflow_init_req_cookie_join_save+0xac/0xc0
+[ 55.553189] subflow_check_req+0x474/0x550
+[ 55.553195] ? ip_route_output_key_hash+0x67/0x90
+[ 55.553200] ? xfrm_lookup_route+0x1d/0xa0
+[ 55.553207] subflow_v4_route_req+0x8e/0xd0
+[ 55.553212] tcp_conn_request+0x31e/0xab0
+[ 55.553218] ? selinux_socket_sock_rcv_skb+0x116/0x210
+[ 55.553224] ? tcp_rcv_state_process+0x179/0x6d0
+[ 55.553229] tcp_rcv_state_process+0x179/0x6d0
+[ 55.553235] tcp_v4_do_rcv+0xaf/0x220
+[ 55.553239] tcp_v4_rcv+0xce4/0xd80
+[ 55.553243] ? ip_route_input_rcu+0x246/0x260
+[ 55.553248] ip_protocol_deliver_rcu+0x35/0x1b0
+[ 55.553253] ip_local_deliver_finish+0x44/0x50
+[ 55.553258] ip_local_deliver+0x6c/0x110
+[ 55.553262] ? ip_rcv_finish_core.isra.19+0x5a/0x400
+[ 55.553267] ip_rcv+0xd1/0xe0
+...
+
+After debugging, I found in __skb_flow_dissect(), skb->dev and skb->sk
+are both NULL, then net is NULL, and trigger WARN_ON_ONCE(!net),
+actually net is always NULL in this code path, as skb->dev is set to
+NULL in tcp_v4_rcv(), and skb->sk is never set.
+
+Code snippet in __skb_flow_dissect() that trigger warning:
+ 975 if (skb) {
+ 976 if (!net) {
+ 977 if (skb->dev)
+ 978 net = dev_net(skb->dev);
+ 979 else if (skb->sk)
+ 980 net = sock_net(skb->sk);
+ 981 }
+ 982 }
+ 983
+ 984 WARN_ON_ONCE(!net);
+
+So, using seq and transport header derived hash.
+
+[1] https://github.com/wg/wrk
+[2] https://github.com/ourway/webfsd
+[3] https://github.com/pabeni/mptcp-tools
+
+Fixes: 9466a1ccebbe ("mptcp: enable JOIN requests even if cookies are in use")
+Suggested-by: Paolo Abeni <pabeni@redhat.com>
+Suggested-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Jianguo Wu <wujianguo@chinatelecom.cn>
+Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mptcp/syncookies.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/net/mptcp/syncookies.c b/net/mptcp/syncookies.c
+index abe0fd099746..37127781aee9 100644
+--- a/net/mptcp/syncookies.c
++++ b/net/mptcp/syncookies.c
+@@ -37,7 +37,21 @@ static spinlock_t join_entry_locks[COOKIE_JOIN_SLOTS] __cacheline_aligned_in_smp
+
+ static u32 mptcp_join_entry_hash(struct sk_buff *skb, struct net *net)
+ {
+- u32 i = skb_get_hash(skb) ^ net_hash_mix(net);
++ static u32 mptcp_join_hash_secret __read_mostly;
++ struct tcphdr *th = tcp_hdr(skb);
++ u32 seq, i;
++
++ net_get_random_once(&mptcp_join_hash_secret,
++ sizeof(mptcp_join_hash_secret));
++
++ if (th->syn)
++ seq = TCP_SKB_CB(skb)->seq;
++ else
++ seq = TCP_SKB_CB(skb)->seq - 1;
++
++ i = jhash_3words(seq, net_hash_mix(net),
++ (__force __u32)th->source << 16 | (__force __u32)th->dest,
++ mptcp_join_hash_secret);
+
+ return i % ARRAY_SIZE(join_entries);
+ }
+--
+2.30.2
+
--- /dev/null
+From ca2de4b28be01cf117e6790e7e87d739e79014b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Oct 2020 17:36:19 +0000
+Subject: net: add kcov handle to skb extensions
+
+From: Aleksandr Nogikh <nogikh@google.com>
+
+[ Upstream commit 6370cc3bbd8a0f9bf975b013781243ab147876c6 ]
+
+Remote KCOV coverage collection enables coverage-guided fuzzing of the
+code that is not reachable during normal system call execution. It is
+especially helpful for fuzzing networking subsystems, where it is
+common to perform packet handling in separate work queues even for the
+packets that originated directly from the user space.
+
+Enable coverage-guided frame injection by adding kcov remote handle to
+skb extensions. Default initialization in __alloc_skb and
+__build_skb_around ensures that no socket buffer that was generated
+during a system call will be missed.
+
+Code that is of interest and that performs packet processing should be
+annotated with kcov_remote_start()/kcov_remote_stop().
+
+An alternative approach is to determine kcov_handle solely on the
+basis of the device/interface that received the specific socket
+buffer. However, in this case it would be impossible to distinguish
+between packets that originated during normal background network
+processes or were intentionally injected from the user space.
+
+Signed-off-by: Aleksandr Nogikh <nogikh@google.com>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/skbuff.h | 33 +++++++++++++++++++++++++++++++++
+ lib/Kconfig.debug | 1 +
+ net/core/skbuff.c | 11 +++++++++++
+ 3 files changed, 45 insertions(+)
+
+diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
+index a828cf99c521..2d01b2bbb746 100644
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -4150,6 +4150,9 @@ enum skb_ext_id {
+ #endif
+ #if IS_ENABLED(CONFIG_MPTCP)
+ SKB_EXT_MPTCP,
++#endif
++#if IS_ENABLED(CONFIG_KCOV)
++ SKB_EXT_KCOV_HANDLE,
+ #endif
+ SKB_EXT_NUM, /* must be last */
+ };
+@@ -4605,5 +4608,35 @@ static inline void skb_reset_redirect(struct sk_buff *skb)
+ #endif
+ }
+
++#ifdef CONFIG_KCOV
++static inline void skb_set_kcov_handle(struct sk_buff *skb,
++ const u64 kcov_handle)
++{
++ /* Do not allocate skb extensions only to set kcov_handle to zero
++ * (as it is zero by default). However, if the extensions are
++ * already allocated, update kcov_handle anyway since
++ * skb_set_kcov_handle can be called to zero a previously set
++ * value.
++ */
++ if (skb_has_extensions(skb) || kcov_handle) {
++ u64 *kcov_handle_ptr = skb_ext_add(skb, SKB_EXT_KCOV_HANDLE);
++
++ if (kcov_handle_ptr)
++ *kcov_handle_ptr = kcov_handle;
++ }
++}
++
++static inline u64 skb_get_kcov_handle(struct sk_buff *skb)
++{
++ u64 *kcov_handle = skb_ext_find(skb, SKB_EXT_KCOV_HANDLE);
++
++ return kcov_handle ? *kcov_handle : 0;
++}
++#else
++static inline void skb_set_kcov_handle(struct sk_buff *skb,
++ const u64 kcov_handle) { }
++static inline u64 skb_get_kcov_handle(struct sk_buff *skb) { return 0; }
++#endif /* CONFIG_KCOV */
++
+ #endif /* __KERNEL__ */
+ #endif /* _LINUX_SKBUFF_H */
+diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
+index 5b7f88a2876d..ffccc13d685b 100644
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -1869,6 +1869,7 @@ config KCOV
+ depends on CC_HAS_SANCOV_TRACE_PC || GCC_PLUGINS
+ select DEBUG_FS
+ select GCC_PLUGIN_SANCOV if !CC_HAS_SANCOV_TRACE_PC
++ select SKB_EXTENSIONS
+ help
+ KCOV exposes kernel code coverage information in a form suitable
+ for coverage-guided fuzzing (randomized testing).
+diff --git a/net/core/skbuff.c b/net/core/skbuff.c
+index 1301ea694b94..d17b87aabc8b 100644
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -249,6 +249,9 @@ struct sk_buff *__alloc_skb(unsigned int size, gfp_t gfp_mask,
+
+ fclones->skb2.fclone = SKB_FCLONE_CLONE;
+ }
++
++ skb_set_kcov_handle(skb, kcov_common_handle());
++
+ out:
+ return skb;
+ nodata:
+@@ -282,6 +285,8 @@ static struct sk_buff *__build_skb_around(struct sk_buff *skb,
+ memset(shinfo, 0, offsetof(struct skb_shared_info, dataref));
+ atomic_set(&shinfo->dataref, 1);
+
++ skb_set_kcov_handle(skb, kcov_common_handle());
++
+ return skb;
+ }
+
+@@ -4248,6 +4253,9 @@ static const u8 skb_ext_type_len[] = {
+ #if IS_ENABLED(CONFIG_MPTCP)
+ [SKB_EXT_MPTCP] = SKB_EXT_CHUNKSIZEOF(struct mptcp_ext),
+ #endif
++#if IS_ENABLED(CONFIG_KCOV)
++ [SKB_EXT_KCOV_HANDLE] = SKB_EXT_CHUNKSIZEOF(u64),
++#endif
+ };
+
+ static __always_inline unsigned int skb_ext_total_length(void)
+@@ -4264,6 +4272,9 @@ static __always_inline unsigned int skb_ext_total_length(void)
+ #endif
+ #if IS_ENABLED(CONFIG_MPTCP)
+ skb_ext_type_len[SKB_EXT_MPTCP] +
++#endif
++#if IS_ENABLED(CONFIG_KCOV)
++ skb_ext_type_len[SKB_EXT_KCOV_HANDLE] +
+ #endif
+ 0;
+ }
+--
+2.30.2
+
--- /dev/null
+From de1eefd3f388676cd205858f795303c611b3a5f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jul 2021 17:13:20 +0800
+Subject: net: decnet: Fix sleeping inside in af_decnet
+
+From: Yajun Deng <yajun.deng@linux.dev>
+
+[ Upstream commit 5f119ba1d5771bbf46d57cff7417dcd84d3084ba ]
+
+The release_sock() is blocking function, it would change the state
+after sleeping. use wait_woken() instead.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Yajun Deng <yajun.deng@linux.dev>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/decnet/af_decnet.c | 27 ++++++++++++---------------
+ 1 file changed, 12 insertions(+), 15 deletions(-)
+
+diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
+index 5dbd45dc35ad..dc92a67baea3 100644
+--- a/net/decnet/af_decnet.c
++++ b/net/decnet/af_decnet.c
+@@ -816,7 +816,7 @@ static int dn_auto_bind(struct socket *sock)
+ static int dn_confirm_accept(struct sock *sk, long *timeo, gfp_t allocation)
+ {
+ struct dn_scp *scp = DN_SK(sk);
+- DEFINE_WAIT(wait);
++ DEFINE_WAIT_FUNC(wait, woken_wake_function);
+ int err;
+
+ if (scp->state != DN_CR)
+@@ -826,11 +826,11 @@ static int dn_confirm_accept(struct sock *sk, long *timeo, gfp_t allocation)
+ scp->segsize_loc = dst_metric_advmss(__sk_dst_get(sk));
+ dn_send_conn_conf(sk, allocation);
+
+- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
++ add_wait_queue(sk_sleep(sk), &wait);
+ for(;;) {
+ release_sock(sk);
+ if (scp->state == DN_CC)
+- *timeo = schedule_timeout(*timeo);
++ *timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, *timeo);
+ lock_sock(sk);
+ err = 0;
+ if (scp->state == DN_RUN)
+@@ -844,9 +844,8 @@ static int dn_confirm_accept(struct sock *sk, long *timeo, gfp_t allocation)
+ err = -EAGAIN;
+ if (!*timeo)
+ break;
+- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
+ }
+- finish_wait(sk_sleep(sk), &wait);
++ remove_wait_queue(sk_sleep(sk), &wait);
+ if (err == 0) {
+ sk->sk_socket->state = SS_CONNECTED;
+ } else if (scp->state != DN_CC) {
+@@ -858,7 +857,7 @@ static int dn_confirm_accept(struct sock *sk, long *timeo, gfp_t allocation)
+ static int dn_wait_run(struct sock *sk, long *timeo)
+ {
+ struct dn_scp *scp = DN_SK(sk);
+- DEFINE_WAIT(wait);
++ DEFINE_WAIT_FUNC(wait, woken_wake_function);
+ int err = 0;
+
+ if (scp->state == DN_RUN)
+@@ -867,11 +866,11 @@ static int dn_wait_run(struct sock *sk, long *timeo)
+ if (!*timeo)
+ return -EALREADY;
+
+- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
++ add_wait_queue(sk_sleep(sk), &wait);
+ for(;;) {
+ release_sock(sk);
+ if (scp->state == DN_CI || scp->state == DN_CC)
+- *timeo = schedule_timeout(*timeo);
++ *timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, *timeo);
+ lock_sock(sk);
+ err = 0;
+ if (scp->state == DN_RUN)
+@@ -885,9 +884,8 @@ static int dn_wait_run(struct sock *sk, long *timeo)
+ err = -ETIMEDOUT;
+ if (!*timeo)
+ break;
+- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
+ }
+- finish_wait(sk_sleep(sk), &wait);
++ remove_wait_queue(sk_sleep(sk), &wait);
+ out:
+ if (err == 0) {
+ sk->sk_socket->state = SS_CONNECTED;
+@@ -1032,16 +1030,16 @@ static void dn_user_copy(struct sk_buff *skb, struct optdata_dn *opt)
+
+ static struct sk_buff *dn_wait_for_connect(struct sock *sk, long *timeo)
+ {
+- DEFINE_WAIT(wait);
++ DEFINE_WAIT_FUNC(wait, woken_wake_function);
+ struct sk_buff *skb = NULL;
+ int err = 0;
+
+- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
++ add_wait_queue(sk_sleep(sk), &wait);
+ for(;;) {
+ release_sock(sk);
+ skb = skb_dequeue(&sk->sk_receive_queue);
+ if (skb == NULL) {
+- *timeo = schedule_timeout(*timeo);
++ *timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, *timeo);
+ skb = skb_dequeue(&sk->sk_receive_queue);
+ }
+ lock_sock(sk);
+@@ -1056,9 +1054,8 @@ static struct sk_buff *dn_wait_for_connect(struct sock *sk, long *timeo)
+ err = -EAGAIN;
+ if (!*timeo)
+ break;
+- prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
+ }
+- finish_wait(sk_sleep(sk), &wait);
++ remove_wait_queue(sk_sleep(sk), &wait);
+
+ return skb == NULL ? ERR_PTR(err) : skb;
+ }
+--
+2.30.2
+
--- /dev/null
+From b6c2d6d20cdc81b9ec442bc0061a176915d05099 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Jul 2021 18:16:09 +0200
+Subject: net: do not reuse skbuff allocated from skbuff_fclone_cache in the
+ skb cache
+
+From: Antoine Tenart <atenart@kernel.org>
+
+[ Upstream commit 28b34f01a73435a754956ebae826e728c03ffa38 ]
+
+Some socket buffers allocated in the fclone cache (in __alloc_skb) can
+end-up in the following path[1]:
+
+napi_skb_finish
+ __kfree_skb_defer
+ napi_skb_cache_put
+
+The issue is napi_skb_cache_put is not fclone friendly and will put
+those skbuff in the skb cache to be reused later, although this cache
+only expects skbuff allocated from skbuff_head_cache. When this happens
+the skbuff is eventually freed using the wrong origin cache, and we can
+see traces similar to:
+
+[ 1223.947534] cache_from_obj: Wrong slab cache. skbuff_head_cache but object is from skbuff_fclone_cache
+[ 1223.948895] WARNING: CPU: 3 PID: 0 at mm/slab.h:442 kmem_cache_free+0x251/0x3e0
+[ 1223.950211] Modules linked in:
+[ 1223.950680] CPU: 3 PID: 0 Comm: swapper/3 Not tainted 5.13.0+ #474
+[ 1223.951587] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-3.fc34 04/01/2014
+[ 1223.953060] RIP: 0010:kmem_cache_free+0x251/0x3e0
+
+Leading sometimes to other memory related issues.
+
+Fix this by using __kfree_skb for fclone skbuff, similar to what is done
+the other place __kfree_skb_defer is called.
+
+[1] At least in setups using veth pairs and tunnels. Building a kernel
+ with KASAN we can for example see packets allocated in
+ sk_stream_alloc_skb hit the above path and later the issue arises
+ when the skbuff is reused.
+
+Fixes: 9243adfc311a ("skbuff: queue NAPI_MERGED_FREE skbs into NAPI cache instead of freeing")
+Cc: Alexander Lobakin <alobakin@pm.me>
+Signed-off-by: Antoine Tenart <atenart@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/dev.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 6b08de52bf0e..86a0fe0f4c02 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -6100,6 +6100,8 @@ static gro_result_t napi_skb_finish(struct napi_struct *napi,
+ case GRO_MERGED_FREE:
+ if (NAPI_GRO_CB(skb)->free == NAPI_GRO_FREE_STOLEN_HEAD)
+ napi_skb_free_stolen_head(skb);
++ else if (skb->fclone != SKB_FCLONE_UNAVAILABLE)
++ __kfree_skb(skb);
+ else
+ __kfree_skb(skb);
+ break;
+--
+2.30.2
+
--- /dev/null
+From aad75e1dde1cbcb029d3029d8b4b1b1f62ba7428 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jul 2021 15:37:59 +0300
+Subject: net: dsa: sja1105: make VID 4095 a bridge VLAN too
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit e40cba9490bab1414d45c2d62defc0ad4f6e4136 ]
+
+This simple series of commands:
+
+ip link add br0 type bridge vlan_filtering 1
+ip link set swp0 master br0
+
+fails on sja1105 with the following error:
+[ 33.439103] sja1105 spi0.1: vlan-lookup-table needs to have at least the default untagged VLAN
+[ 33.447710] sja1105 spi0.1: Invalid config, cannot upload
+Warning: sja1105: Failed to change VLAN Ethertype.
+
+For context, sja1105 has 3 operating modes:
+- SJA1105_VLAN_UNAWARE: the dsa_8021q_vlans are committed to hardware
+- SJA1105_VLAN_FILTERING_FULL: the bridge_vlans are committed to hardware
+- SJA1105_VLAN_FILTERING_BEST_EFFORT: both the dsa_8021q_vlans and the
+ bridge_vlans are committed to hardware
+
+Swapping out a VLAN list and another in happens in
+sja1105_build_vlan_table(), which performs a delta update procedure.
+That function is called from a few places, notably from
+sja1105_vlan_filtering() which is called from the
+SWITCHDEV_ATTR_ID_BRIDGE_VLAN_FILTERING handler.
+
+The above set of 2 commands fails when run on a kernel pre-commit
+8841f6e63f2c ("net: dsa: sja1105: make devlink property
+best_effort_vlan_filtering true by default"). So the priv->vlan_state
+transition that takes place is between VLAN-unaware and full VLAN
+filtering. So the dsa_8021q_vlans are swapped out and the bridge_vlans
+are swapped in.
+
+So why does it fail?
+
+Well, the bridge driver, through nbp_vlan_init(), first sets up the
+SWITCHDEV_ATTR_ID_BRIDGE_VLAN_FILTERING attribute, and only then
+proceeds to call nbp_vlan_add for the default_pvid.
+
+So when we swap out the dsa_8021q_vlans and swap in the bridge_vlans in
+the SWITCHDEV_ATTR_ID_BRIDGE_VLAN_FILTERING handler, there are no bridge
+VLANs (yet). So we have wiped the VLAN table clean, and the low-level
+static config checker complains of an invalid configuration. We _will_
+add the bridge VLANs using the dynamic config interface, albeit later,
+when nbp_vlan_add() calls us. So it is natural that it fails.
+
+So why did it ever work?
+
+Surprisingly, it looks like I only tested this configuration with 2
+things set up in a particular way:
+- a network manager that brings all ports up
+- a kernel with CONFIG_VLAN_8021Q=y
+
+It is widely known that commit ad1afb003939 ("vlan_dev: VLAN 0 should be
+treated as "no vlan tag" (802.1p packet)") installs VID 0 to every net
+device that comes up. DSA treats these VLANs as bridge VLANs, and
+therefore, in my testing, the list of bridge_vlans was never empty.
+
+However, if CONFIG_VLAN_8021Q is not enabled, or the port is not up when
+it joins a VLAN-aware bridge, the bridge_vlans list will be temporarily
+empty, and the sja1105_static_config_reload() call from
+sja1105_vlan_filtering() will fail.
+
+To fix this, the simplest thing is to keep VID 4095, the one used for
+CPU-injected control packets since commit ed040abca4c1 ("net: dsa:
+sja1105: use 4095 as the private VLAN for untagged traffic"), in the
+list of bridge VLANs too, not just the list of tag_8021q VLANs. This
+ensures that the list of bridge VLANs will never be empty.
+
+Fixes: ec5ae61076d0 ("net: dsa: sja1105: save/restore VLANs using a delta commit method")
+Reported-by: Radu Pirea (NXP OSS) <radu-nicolae.pirea@oss.nxp.com>
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/sja1105/sja1105_main.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c
+index 82852c57cc0e..82b918d36117 100644
+--- a/drivers/net/dsa/sja1105/sja1105_main.c
++++ b/drivers/net/dsa/sja1105/sja1105_main.c
+@@ -350,6 +350,12 @@ static int sja1105_init_static_vlan(struct sja1105_private *priv)
+ if (dsa_is_cpu_port(ds, port))
+ v->pvid = true;
+ list_add(&v->list, &priv->dsa_8021q_vlans);
++
++ v = kmemdup(v, sizeof(*v), GFP_KERNEL);
++ if (!v)
++ return -ENOMEM;
++
++ list_add(&v->list, &priv->bridge_vlans);
+ }
+
+ ((struct sja1105_vlan_lookup_entry *)table->entries)[0] = pvid;
+--
+2.30.2
+
--- /dev/null
+From 03441529fe18250d950f05298803bb1c3449d51e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 20:22:04 +0800
+Subject: net: fix uninit-value in caif_seqpkt_sendmsg
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+[ Upstream commit 991e634360f2622a683b48dfe44fe6d9cb765a09 ]
+
+When nr_segs equal to zero in iovec_from_user, the object
+msg->msg_iter.iov is uninit stack memory in caif_seqpkt_sendmsg
+which is defined in ___sys_sendmsg. So we cann't just judge
+msg->msg_iter.iov->base directlly. We can use nr_segs to judge
+msg in caif_seqpkt_sendmsg whether has data buffers.
+
+=====================================================
+BUG: KMSAN: uninit-value in caif_seqpkt_sendmsg+0x693/0xf60 net/caif/caif_socket.c:542
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1c9/0x220 lib/dump_stack.c:118
+ kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
+ __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
+ caif_seqpkt_sendmsg+0x693/0xf60 net/caif/caif_socket.c:542
+ sock_sendmsg_nosec net/socket.c:652 [inline]
+ sock_sendmsg net/socket.c:672 [inline]
+ ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2343
+ ___sys_sendmsg net/socket.c:2397 [inline]
+ __sys_sendmmsg+0x808/0xc90 net/socket.c:2480
+ __compat_sys_sendmmsg net/compat.c:656 [inline]
+
+Reported-by: syzbot+09a5d591c1f98cf5efcb@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?id=1ace85e8fc9b0d5a45c08c2656c3e91762daa9b8
+Fixes: bece7b2398d0 ("caif: Rewritten socket implementation")
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/caif/caif_socket.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c
+index 3ad0a1df6712..9d26c5e9da05 100644
+--- a/net/caif/caif_socket.c
++++ b/net/caif/caif_socket.c
+@@ -539,7 +539,8 @@ static int caif_seqpkt_sendmsg(struct socket *sock, struct msghdr *msg,
+ goto err;
+
+ ret = -EINVAL;
+- if (unlikely(msg->msg_iter.iov->iov_base == NULL))
++ if (unlikely(msg->msg_iter.nr_segs == 0) ||
++ unlikely(msg->msg_iter.iov->iov_base == NULL))
+ goto err;
+ noblock = msg->msg_flags & MSG_DONTWAIT;
+
+--
+2.30.2
+
--- /dev/null
+From 44acb8c045f31e28f604dc82d15543ebe3d51b9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Jul 2021 13:38:34 -0700
+Subject: net: hisilicon: rename CACHE_LINE_MASK to avoid redefinition
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit b16f3299ae1aa3c327e1fb742d0379ae4d6e86f2 ]
+
+Building on ARCH=arc causes a "redefined" warning, so rename this
+driver's CACHE_LINE_MASK to avoid the warning.
+
+../drivers/net/ethernet/hisilicon/hip04_eth.c:134: warning: "CACHE_LINE_MASK" redefined
+ 134 | #define CACHE_LINE_MASK 0x3F
+In file included from ../include/linux/cache.h:6,
+ from ../include/linux/printk.h:9,
+ from ../include/linux/kernel.h:19,
+ from ../include/linux/list.h:9,
+ from ../include/linux/module.h:12,
+ from ../drivers/net/ethernet/hisilicon/hip04_eth.c:7:
+../arch/arc/include/asm/cache.h:17: note: this is the location of the previous definition
+ 17 | #define CACHE_LINE_MASK (~(L1_CACHE_BYTES - 1))
+
+Fixes: d413779cdd93 ("net: hisilicon: Add an tx_desc to adapt HI13X1_GMAC")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Vineet Gupta <vgupta@synopsys.com>
+Cc: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hip04_eth.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hip04_eth.c b/drivers/net/ethernet/hisilicon/hip04_eth.c
+index 12f6c2442a7a..e53512f6878a 100644
+--- a/drivers/net/ethernet/hisilicon/hip04_eth.c
++++ b/drivers/net/ethernet/hisilicon/hip04_eth.c
+@@ -131,7 +131,7 @@
+ /* buf unit size is cache_line_size, which is 64, so the shift is 6 */
+ #define PPE_BUF_SIZE_SHIFT 6
+ #define PPE_TX_BUF_HOLD BIT(31)
+-#define CACHE_LINE_MASK 0x3F
++#define SOC_CACHE_LINE_MASK 0x3F
+ #else
+ #define PPE_CFG_QOS_VMID_GRP_SHIFT 8
+ #define PPE_CFG_RX_CTRL_ALIGN_SHIFT 11
+@@ -531,8 +531,8 @@ hip04_mac_start_xmit(struct sk_buff *skb, struct net_device *ndev)
+ #if defined(CONFIG_HI13X1_GMAC)
+ desc->cfg = (__force u32)cpu_to_be32(TX_CLEAR_WB | TX_FINISH_CACHE_INV
+ | TX_RELEASE_TO_PPE | priv->port << TX_POOL_SHIFT);
+- desc->data_offset = (__force u32)cpu_to_be32(phys & CACHE_LINE_MASK);
+- desc->send_addr = (__force u32)cpu_to_be32(phys & ~CACHE_LINE_MASK);
++ desc->data_offset = (__force u32)cpu_to_be32(phys & SOC_CACHE_LINE_MASK);
++ desc->send_addr = (__force u32)cpu_to_be32(phys & ~SOC_CACHE_LINE_MASK);
+ #else
+ desc->cfg = (__force u32)cpu_to_be32(TX_CLEAR_WB | TX_FINISH_CACHE_INV);
+ desc->send_addr = (__force u32)cpu_to_be32(phys);
+--
+2.30.2
+
--- /dev/null
+From 539f1a3b4016b11a200af8df52b0354dd4dd9c6e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Jul 2021 17:13:05 +0800
+Subject: net: hns3: fix possible mismatches resp of mailbox
+
+From: Chengwen Feng <fengchengwen@huawei.com>
+
+[ Upstream commit 1b713d14dc3c077ec45e65dab4ea01a8bc41b8c1 ]
+
+Currently, the mailbox synchronous communication between VF and PF use
+the following fields to maintain communication:
+1. Origin_mbx_msg which was combined by message code and subcode, used
+to match request and response.
+2. Received_resp which means whether received response.
+
+There may possible mismatches of the following situation:
+1. VF sends message A with code=1 subcode=1.
+2. PF was blocked about 500ms when processing the message A.
+3. VF will detect message A timeout because it can't get the response
+within 500ms.
+4. VF sends message B with code=1 subcode=1 which equal message A.
+5. PF processes the first message A and send the response message to
+VF.
+6. VF will identify the response matched the message B because the
+code/subcode is the same. This will lead to mismatch of request and
+response.
+
+To fix the above bug, we use the following scheme:
+1. The message sent from VF was labelled with match_id which was a
+unique 16-bit non-zero value.
+2. The response sent from PF will label with match_id which got from
+the request.
+3. The VF uses the match_id to match request and response message.
+
+As for PF driver, it only needs to copy the match_id from request to
+response.
+
+Fixes: dde1a86e93ca ("net: hns3: Add mailbox support to PF driver")
+Signed-off-by: Chengwen Feng <fengchengwen@huawei.com>
+Signed-off-by: Guangbin Huang <huangguangbin2@huawei.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hclge_mbx.h | 6 ++++--
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c | 1 +
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hclge_mbx.h b/drivers/net/ethernet/hisilicon/hns3/hclge_mbx.h
+index 98a9f5e3fe86..98f55fbe6c3d 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hclge_mbx.h
++++ b/drivers/net/ethernet/hisilicon/hns3/hclge_mbx.h
+@@ -134,7 +134,8 @@ struct hclge_mbx_vf_to_pf_cmd {
+ u8 mbx_need_resp;
+ u8 rsv1[1];
+ u8 msg_len;
+- u8 rsv2[3];
++ u8 rsv2;
++ u16 match_id;
+ struct hclge_vf_to_pf_msg msg;
+ };
+
+@@ -144,7 +145,8 @@ struct hclge_mbx_pf_to_vf_cmd {
+ u8 dest_vfid;
+ u8 rsv[3];
+ u8 msg_len;
+- u8 rsv1[3];
++ u8 rsv1;
++ u16 match_id;
+ struct hclge_pf_to_vf_msg msg;
+ };
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
+index 2c2d53f5c56e..61f6f0287cbe 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
+@@ -47,6 +47,7 @@ static int hclge_gen_resp_to_vf(struct hclge_vport *vport,
+
+ resp_pf_to_vf->dest_vfid = vf_to_pf_req->mbx_src_vfid;
+ resp_pf_to_vf->msg_len = vf_to_pf_req->msg_len;
++ resp_pf_to_vf->match_id = vf_to_pf_req->match_id;
+
+ resp_pf_to_vf->msg.code = HCLGE_MBX_PF_VF_RESP;
+ resp_pf_to_vf->msg.vf_mbx_msg_code = vf_to_pf_req->msg.code;
+--
+2.30.2
+
--- /dev/null
+From 72e82a44fd98984394c47e235e0d5bdb5cd93892 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Jul 2021 17:13:08 +0800
+Subject: net: hns3: fix rx VLAN offload state inconsistent issue
+
+From: Jian Shen <shenjian15@huawei.com>
+
+[ Upstream commit bbfd4506f962e7e6fff8f37f017154a3c3791264 ]
+
+Currently, VF doesn't enable rx VLAN offload when initializating,
+and PF does it for VFs. If user disable the rx VLAN offload for
+VF with ethtool -K, and reload the VF driver, it may cause the
+rx VLAN offload state being inconsistent between hardware and
+software.
+
+Fixes it by enabling rx VLAN offload when VF initializing.
+
+Fixes: e2cb1dec9779 ("net: hns3: Add HNS3 VF HCL(Hardware Compatibility Layer) Support")
+Signed-off-by: Jian Shen <shenjian15@huawei.com>
+Signed-off-by: Guangbin Huang <huangguangbin2@huawei.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+index ac6980acb6f0..d3010d5ab366 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+@@ -2518,6 +2518,16 @@ static int hclgevf_rss_init_hw(struct hclgevf_dev *hdev)
+
+ static int hclgevf_init_vlan_config(struct hclgevf_dev *hdev)
+ {
++ struct hnae3_handle *nic = &hdev->nic;
++ int ret;
++
++ ret = hclgevf_en_hw_strip_rxvtag(nic, true);
++ if (ret) {
++ dev_err(&hdev->pdev->dev,
++ "failed to enable rx vlan offload, ret = %d\n", ret);
++ return ret;
++ }
++
+ return hclgevf_set_vlan_filter(&hdev->nic, htons(ETH_P_8021Q), 0,
+ false);
+ }
+--
+2.30.2
+
--- /dev/null
+From 68a591042e8fd5c95c5882d812e76ed215988e5b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Nov 2020 19:51:56 +0100
+Subject: net: Introduce preferred busy-polling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Björn Töpel <bjorn.topel@intel.com>
+
+[ Upstream commit 7fd3253a7de6a317a0683f83739479fb880bffc8 ]
+
+The existing busy-polling mode, enabled by the SO_BUSY_POLL socket
+option or system-wide using the /proc/sys/net/core/busy_read knob, is
+an opportunistic. That means that if the NAPI context is not
+scheduled, it will poll it. If, after busy-polling, the budget is
+exceeded the busy-polling logic will schedule the NAPI onto the
+regular softirq handling.
+
+One implication of the behavior above is that a busy/heavy loaded NAPI
+context will never enter/allow for busy-polling. Some applications
+prefer that most NAPI processing would be done by busy-polling.
+
+This series adds a new socket option, SO_PREFER_BUSY_POLL, that works
+in concert with the napi_defer_hard_irqs and gro_flush_timeout
+knobs. The napi_defer_hard_irqs and gro_flush_timeout knobs were
+introduced in commit 6f8b12d661d0 ("net: napi: add hard irqs deferral
+feature"), and allows for a user to defer interrupts to be enabled and
+instead schedule the NAPI context from a watchdog timer. When a user
+enables the SO_PREFER_BUSY_POLL, again with the other knobs enabled,
+and the NAPI context is being processed by a softirq, the softirq NAPI
+processing will exit early to allow the busy-polling to be performed.
+
+If the application stops performing busy-polling via a system call,
+the watchdog timer defined by gro_flush_timeout will timeout, and
+regular softirq handling will resume.
+
+In summary; Heavy traffic applications that prefer busy-polling over
+softirq processing should use this option.
+
+Example usage:
+
+ $ echo 2 | sudo tee /sys/class/net/ens785f1/napi_defer_hard_irqs
+ $ echo 200000 | sudo tee /sys/class/net/ens785f1/gro_flush_timeout
+
+Note that the timeout should be larger than the userspace processing
+window, otherwise the watchdog will timeout and fall back to regular
+softirq processing.
+
+Enable the SO_BUSY_POLL/SO_PREFER_BUSY_POLL options on your socket.
+
+Signed-off-by: Björn Töpel <bjorn.topel@intel.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Jakub Kicinski <kuba@kernel.org>
+Link: https://lore.kernel.org/bpf/20201130185205.196029-2-bjorn.topel@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/alpha/include/uapi/asm/socket.h | 2 +
+ arch/mips/include/uapi/asm/socket.h | 2 +
+ arch/parisc/include/uapi/asm/socket.h | 2 +
+ arch/sparc/include/uapi/asm/socket.h | 2 +
+ fs/eventpoll.c | 2 +-
+ include/linux/netdevice.h | 35 +++++++-----
+ include/net/busy_poll.h | 5 +-
+ include/net/sock.h | 4 ++
+ include/uapi/asm-generic/socket.h | 2 +
+ net/core/dev.c | 78 +++++++++++++++++++++------
+ net/core/sock.c | 9 ++++
+ 11 files changed, 111 insertions(+), 32 deletions(-)
+
+diff --git a/arch/alpha/include/uapi/asm/socket.h b/arch/alpha/include/uapi/asm/socket.h
+index de6c4df61082..538359642554 100644
+--- a/arch/alpha/include/uapi/asm/socket.h
++++ b/arch/alpha/include/uapi/asm/socket.h
+@@ -124,6 +124,8 @@
+
+ #define SO_DETACH_REUSEPORT_BPF 68
+
++#define SO_PREFER_BUSY_POLL 69
++
+ #if !defined(__KERNEL__)
+
+ #if __BITS_PER_LONG == 64
+diff --git a/arch/mips/include/uapi/asm/socket.h b/arch/mips/include/uapi/asm/socket.h
+index d0a9ed2ca2d6..e406e73b5e6e 100644
+--- a/arch/mips/include/uapi/asm/socket.h
++++ b/arch/mips/include/uapi/asm/socket.h
+@@ -135,6 +135,8 @@
+
+ #define SO_DETACH_REUSEPORT_BPF 68
+
++#define SO_PREFER_BUSY_POLL 69
++
+ #if !defined(__KERNEL__)
+
+ #if __BITS_PER_LONG == 64
+diff --git a/arch/parisc/include/uapi/asm/socket.h b/arch/parisc/include/uapi/asm/socket.h
+index 10173c32195e..1bc46200889d 100644
+--- a/arch/parisc/include/uapi/asm/socket.h
++++ b/arch/parisc/include/uapi/asm/socket.h
+@@ -116,6 +116,8 @@
+
+ #define SO_DETACH_REUSEPORT_BPF 0x4042
+
++#define SO_PREFER_BUSY_POLL 0x4043
++
+ #if !defined(__KERNEL__)
+
+ #if __BITS_PER_LONG == 64
+diff --git a/arch/sparc/include/uapi/asm/socket.h b/arch/sparc/include/uapi/asm/socket.h
+index 8029b681fc7c..99688cf673a4 100644
+--- a/arch/sparc/include/uapi/asm/socket.h
++++ b/arch/sparc/include/uapi/asm/socket.h
+@@ -117,6 +117,8 @@
+
+ #define SO_DETACH_REUSEPORT_BPF 0x0047
+
++#define SO_PREFER_BUSY_POLL 0x0048
++
+ #if !defined(__KERNEL__)
+
+
+diff --git a/fs/eventpoll.c b/fs/eventpoll.c
+index 6094b2e9058b..9e5b05e818ad 100644
+--- a/fs/eventpoll.c
++++ b/fs/eventpoll.c
+@@ -397,7 +397,7 @@ static void ep_busy_loop(struct eventpoll *ep, int nonblock)
+ unsigned int napi_id = READ_ONCE(ep->napi_id);
+
+ if ((napi_id >= MIN_NAPI_ID) && net_busy_loop_on())
+- napi_busy_loop(napi_id, nonblock ? NULL : ep_busy_loop_end, ep);
++ napi_busy_loop(napi_id, nonblock ? NULL : ep_busy_loop_end, ep, false);
+ }
+
+ static inline void ep_reset_busy_poll_napi_id(struct eventpoll *ep)
+diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
+index e37480b5f4c0..2488638a8749 100644
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -350,23 +350,25 @@ struct napi_struct {
+ };
+
+ enum {
+- NAPI_STATE_SCHED, /* Poll is scheduled */
+- NAPI_STATE_MISSED, /* reschedule a napi */
+- NAPI_STATE_DISABLE, /* Disable pending */
+- NAPI_STATE_NPSVC, /* Netpoll - don't dequeue from poll_list */
+- NAPI_STATE_LISTED, /* NAPI added to system lists */
+- NAPI_STATE_NO_BUSY_POLL,/* Do not add in napi_hash, no busy polling */
+- NAPI_STATE_IN_BUSY_POLL,/* sk_busy_loop() owns this NAPI */
++ NAPI_STATE_SCHED, /* Poll is scheduled */
++ NAPI_STATE_MISSED, /* reschedule a napi */
++ NAPI_STATE_DISABLE, /* Disable pending */
++ NAPI_STATE_NPSVC, /* Netpoll - don't dequeue from poll_list */
++ NAPI_STATE_LISTED, /* NAPI added to system lists */
++ NAPI_STATE_NO_BUSY_POLL, /* Do not add in napi_hash, no busy polling */
++ NAPI_STATE_IN_BUSY_POLL, /* sk_busy_loop() owns this NAPI */
++ NAPI_STATE_PREFER_BUSY_POLL, /* prefer busy-polling over softirq processing*/
+ };
+
+ enum {
+- NAPIF_STATE_SCHED = BIT(NAPI_STATE_SCHED),
+- NAPIF_STATE_MISSED = BIT(NAPI_STATE_MISSED),
+- NAPIF_STATE_DISABLE = BIT(NAPI_STATE_DISABLE),
+- NAPIF_STATE_NPSVC = BIT(NAPI_STATE_NPSVC),
+- NAPIF_STATE_LISTED = BIT(NAPI_STATE_LISTED),
+- NAPIF_STATE_NO_BUSY_POLL = BIT(NAPI_STATE_NO_BUSY_POLL),
+- NAPIF_STATE_IN_BUSY_POLL = BIT(NAPI_STATE_IN_BUSY_POLL),
++ NAPIF_STATE_SCHED = BIT(NAPI_STATE_SCHED),
++ NAPIF_STATE_MISSED = BIT(NAPI_STATE_MISSED),
++ NAPIF_STATE_DISABLE = BIT(NAPI_STATE_DISABLE),
++ NAPIF_STATE_NPSVC = BIT(NAPI_STATE_NPSVC),
++ NAPIF_STATE_LISTED = BIT(NAPI_STATE_LISTED),
++ NAPIF_STATE_NO_BUSY_POLL = BIT(NAPI_STATE_NO_BUSY_POLL),
++ NAPIF_STATE_IN_BUSY_POLL = BIT(NAPI_STATE_IN_BUSY_POLL),
++ NAPIF_STATE_PREFER_BUSY_POLL = BIT(NAPI_STATE_PREFER_BUSY_POLL),
+ };
+
+ enum gro_result {
+@@ -437,6 +439,11 @@ static inline bool napi_disable_pending(struct napi_struct *n)
+ return test_bit(NAPI_STATE_DISABLE, &n->state);
+ }
+
++static inline bool napi_prefer_busy_poll(struct napi_struct *n)
++{
++ return test_bit(NAPI_STATE_PREFER_BUSY_POLL, &n->state);
++}
++
+ bool napi_schedule_prep(struct napi_struct *n);
+
+ /**
+diff --git a/include/net/busy_poll.h b/include/net/busy_poll.h
+index b001fa91c14e..0292b8353d7e 100644
+--- a/include/net/busy_poll.h
++++ b/include/net/busy_poll.h
+@@ -43,7 +43,7 @@ bool sk_busy_loop_end(void *p, unsigned long start_time);
+
+ void napi_busy_loop(unsigned int napi_id,
+ bool (*loop_end)(void *, unsigned long),
+- void *loop_end_arg);
++ void *loop_end_arg, bool prefer_busy_poll);
+
+ #else /* CONFIG_NET_RX_BUSY_POLL */
+ static inline unsigned long net_busy_loop_on(void)
+@@ -105,7 +105,8 @@ static inline void sk_busy_loop(struct sock *sk, int nonblock)
+ unsigned int napi_id = READ_ONCE(sk->sk_napi_id);
+
+ if (napi_id >= MIN_NAPI_ID)
+- napi_busy_loop(napi_id, nonblock ? NULL : sk_busy_loop_end, sk);
++ napi_busy_loop(napi_id, nonblock ? NULL : sk_busy_loop_end, sk,
++ READ_ONCE(sk->sk_prefer_busy_poll));
+ #endif
+ }
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index 3c7addf95150..95311369567f 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -301,6 +301,7 @@ struct bpf_local_storage;
+ * @sk_ack_backlog: current listen backlog
+ * @sk_max_ack_backlog: listen backlog set in listen()
+ * @sk_uid: user id of owner
++ * @sk_prefer_busy_poll: prefer busypolling over softirq processing
+ * @sk_priority: %SO_PRIORITY setting
+ * @sk_type: socket type (%SOCK_STREAM, etc)
+ * @sk_protocol: which protocol this socket belongs in this network family
+@@ -479,6 +480,9 @@ struct sock {
+ u32 sk_ack_backlog;
+ u32 sk_max_ack_backlog;
+ kuid_t sk_uid;
++#ifdef CONFIG_NET_RX_BUSY_POLL
++ u8 sk_prefer_busy_poll;
++#endif
+ struct pid *sk_peer_pid;
+ const struct cred *sk_peer_cred;
+ long sk_rcvtimeo;
+diff --git a/include/uapi/asm-generic/socket.h b/include/uapi/asm-generic/socket.h
+index 77f7c1638eb1..7dd02408b7ce 100644
+--- a/include/uapi/asm-generic/socket.h
++++ b/include/uapi/asm-generic/socket.h
+@@ -119,6 +119,8 @@
+
+ #define SO_DETACH_REUSEPORT_BPF 68
+
++#define SO_PREFER_BUSY_POLL 69
++
+ #if !defined(__KERNEL__)
+
+ #if __BITS_PER_LONG == 64 || (defined(__x86_64__) && defined(__ILP32__))
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 2fdf30eefc59..6b08de52bf0e 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -6496,7 +6496,8 @@ bool napi_complete_done(struct napi_struct *n, int work_done)
+
+ WARN_ON_ONCE(!(val & NAPIF_STATE_SCHED));
+
+- new = val & ~(NAPIF_STATE_MISSED | NAPIF_STATE_SCHED);
++ new = val & ~(NAPIF_STATE_MISSED | NAPIF_STATE_SCHED |
++ NAPIF_STATE_PREFER_BUSY_POLL);
+
+ /* If STATE_MISSED was set, leave STATE_SCHED set,
+ * because we will call napi->poll() one more time.
+@@ -6535,8 +6536,29 @@ static struct napi_struct *napi_by_id(unsigned int napi_id)
+
+ #define BUSY_POLL_BUDGET 8
+
+-static void busy_poll_stop(struct napi_struct *napi, void *have_poll_lock)
++static void __busy_poll_stop(struct napi_struct *napi, bool skip_schedule)
+ {
++ if (!skip_schedule) {
++ gro_normal_list(napi);
++ __napi_schedule(napi);
++ return;
++ }
++
++ if (napi->gro_bitmask) {
++ /* flush too old packets
++ * If HZ < 1000, flush all packets.
++ */
++ napi_gro_flush(napi, HZ >= 1000);
++ }
++
++ gro_normal_list(napi);
++ clear_bit(NAPI_STATE_SCHED, &napi->state);
++}
++
++static void busy_poll_stop(struct napi_struct *napi, void *have_poll_lock, bool prefer_busy_poll)
++{
++ bool skip_schedule = false;
++ unsigned long timeout;
+ int rc;
+
+ /* Busy polling means there is a high chance device driver hard irq
+@@ -6553,6 +6575,15 @@ static void busy_poll_stop(struct napi_struct *napi, void *have_poll_lock)
+
+ local_bh_disable();
+
++ if (prefer_busy_poll) {
++ napi->defer_hard_irqs_count = READ_ONCE(napi->dev->napi_defer_hard_irqs);
++ timeout = READ_ONCE(napi->dev->gro_flush_timeout);
++ if (napi->defer_hard_irqs_count && timeout) {
++ hrtimer_start(&napi->timer, ns_to_ktime(timeout), HRTIMER_MODE_REL_PINNED);
++ skip_schedule = true;
++ }
++ }
++
+ /* All we really want here is to re-enable device interrupts.
+ * Ideally, a new ndo_busy_poll_stop() could avoid another round.
+ */
+@@ -6563,19 +6594,14 @@ static void busy_poll_stop(struct napi_struct *napi, void *have_poll_lock)
+ */
+ trace_napi_poll(napi, rc, BUSY_POLL_BUDGET);
+ netpoll_poll_unlock(have_poll_lock);
+- if (rc == BUSY_POLL_BUDGET) {
+- /* As the whole budget was spent, we still own the napi so can
+- * safely handle the rx_list.
+- */
+- gro_normal_list(napi);
+- __napi_schedule(napi);
+- }
++ if (rc == BUSY_POLL_BUDGET)
++ __busy_poll_stop(napi, skip_schedule);
+ local_bh_enable();
+ }
+
+ void napi_busy_loop(unsigned int napi_id,
+ bool (*loop_end)(void *, unsigned long),
+- void *loop_end_arg)
++ void *loop_end_arg, bool prefer_busy_poll)
+ {
+ unsigned long start_time = loop_end ? busy_loop_current_time() : 0;
+ int (*napi_poll)(struct napi_struct *napi, int budget);
+@@ -6603,12 +6629,18 @@ restart:
+ * we avoid dirtying napi->state as much as we can.
+ */
+ if (val & (NAPIF_STATE_DISABLE | NAPIF_STATE_SCHED |
+- NAPIF_STATE_IN_BUSY_POLL))
++ NAPIF_STATE_IN_BUSY_POLL)) {
++ if (prefer_busy_poll)
++ set_bit(NAPI_STATE_PREFER_BUSY_POLL, &napi->state);
+ goto count;
++ }
+ if (cmpxchg(&napi->state, val,
+ val | NAPIF_STATE_IN_BUSY_POLL |
+- NAPIF_STATE_SCHED) != val)
++ NAPIF_STATE_SCHED) != val) {
++ if (prefer_busy_poll)
++ set_bit(NAPI_STATE_PREFER_BUSY_POLL, &napi->state);
+ goto count;
++ }
+ have_poll_lock = netpoll_poll_lock(napi);
+ napi_poll = napi->poll;
+ }
+@@ -6626,7 +6658,7 @@ count:
+
+ if (unlikely(need_resched())) {
+ if (napi_poll)
+- busy_poll_stop(napi, have_poll_lock);
++ busy_poll_stop(napi, have_poll_lock, prefer_busy_poll);
+ preempt_enable();
+ rcu_read_unlock();
+ cond_resched();
+@@ -6637,7 +6669,7 @@ count:
+ cpu_relax();
+ }
+ if (napi_poll)
+- busy_poll_stop(napi, have_poll_lock);
++ busy_poll_stop(napi, have_poll_lock, prefer_busy_poll);
+ preempt_enable();
+ out:
+ rcu_read_unlock();
+@@ -6688,8 +6720,10 @@ static enum hrtimer_restart napi_watchdog(struct hrtimer *timer)
+ * NAPI_STATE_MISSED, since we do not react to a device IRQ.
+ */
+ if (!napi_disable_pending(napi) &&
+- !test_and_set_bit(NAPI_STATE_SCHED, &napi->state))
++ !test_and_set_bit(NAPI_STATE_SCHED, &napi->state)) {
++ clear_bit(NAPI_STATE_PREFER_BUSY_POLL, &napi->state);
+ __napi_schedule_irqoff(napi);
++ }
+
+ return HRTIMER_NORESTART;
+ }
+@@ -6747,6 +6781,7 @@ void napi_disable(struct napi_struct *n)
+
+ hrtimer_cancel(&n->timer);
+
++ clear_bit(NAPI_STATE_PREFER_BUSY_POLL, &n->state);
+ clear_bit(NAPI_STATE_DISABLE, &n->state);
+ }
+ EXPORT_SYMBOL(napi_disable);
+@@ -6819,6 +6854,19 @@ static int napi_poll(struct napi_struct *n, struct list_head *repoll)
+ goto out_unlock;
+ }
+
++ /* The NAPI context has more processing work, but busy-polling
++ * is preferred. Exit early.
++ */
++ if (napi_prefer_busy_poll(n)) {
++ if (napi_complete_done(n, work)) {
++ /* If timeout is not set, we need to make sure
++ * that the NAPI is re-scheduled.
++ */
++ napi_schedule(n);
++ }
++ goto out_unlock;
++ }
++
+ if (n->gro_bitmask) {
+ /* flush too old packets
+ * If HZ < 1000, flush all packets.
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 7de51ea15cdf..cf0e5fc3a8ba 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1167,6 +1167,12 @@ set_sndbuf:
+ sk->sk_ll_usec = val;
+ }
+ break;
++ case SO_PREFER_BUSY_POLL:
++ if (valbool && !capable(CAP_NET_ADMIN))
++ ret = -EPERM;
++ else
++ WRITE_ONCE(sk->sk_prefer_busy_poll, valbool);
++ break;
+ #endif
+
+ case SO_MAX_PACING_RATE:
+@@ -1531,6 +1537,9 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
+ case SO_BUSY_POLL:
+ v.val = sk->sk_ll_usec;
+ break;
++ case SO_PREFER_BUSY_POLL:
++ v.val = READ_ONCE(sk->sk_prefer_busy_poll);
++ break;
+ #endif
+
+ case SO_MAX_PACING_RATE:
+--
+2.30.2
+
--- /dev/null
+From 49a0dc0e0fc088c9469b90c4593ced0912c59cbe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Jul 2021 16:41:24 -0700
+Subject: net/sched: act_skbmod: Skip non-Ethernet packets
+
+From: Peilin Ye <peilin.ye@bytedance.com>
+
+[ Upstream commit 727d6a8b7ef3d25080fad228b2c4a1d4da5999c6 ]
+
+Currently tcf_skbmod_act() assumes that packets use Ethernet as their L2
+protocol, which is not always the case. As an example, for CAN devices:
+
+ $ ip link add dev vcan0 type vcan
+ $ ip link set up vcan0
+ $ tc qdisc add dev vcan0 root handle 1: htb
+ $ tc filter add dev vcan0 parent 1: protocol ip prio 10 \
+ matchall action skbmod swap mac
+
+Doing the above silently corrupts all the packets. Do not perform skbmod
+actions for non-Ethernet packets.
+
+Fixes: 86da71b57383 ("net_sched: Introduce skbmod action")
+Reviewed-by: Cong Wang <cong.wang@bytedance.com>
+Signed-off-by: Peilin Ye <peilin.ye@bytedance.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/act_skbmod.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/net/sched/act_skbmod.c b/net/sched/act_skbmod.c
+index 81a1c67335be..8d17a543cc9f 100644
+--- a/net/sched/act_skbmod.c
++++ b/net/sched/act_skbmod.c
+@@ -6,6 +6,7 @@
+ */
+
+ #include <linux/module.h>
++#include <linux/if_arp.h>
+ #include <linux/init.h>
+ #include <linux/kernel.h>
+ #include <linux/skbuff.h>
+@@ -33,6 +34,13 @@ static int tcf_skbmod_act(struct sk_buff *skb, const struct tc_action *a,
+ tcf_lastuse_update(&d->tcf_tm);
+ bstats_cpu_update(this_cpu_ptr(d->common.cpu_bstats), skb);
+
++ action = READ_ONCE(d->tcf_action);
++ if (unlikely(action == TC_ACT_SHOT))
++ goto drop;
++
++ if (!skb->dev || skb->dev->type != ARPHRD_ETHER)
++ return action;
++
+ /* XXX: if you are going to edit more fields beyond ethernet header
+ * (example when you add IP header replacement or vlan swap)
+ * then MAX_EDIT_LEN needs to change appropriately
+@@ -41,10 +49,6 @@ static int tcf_skbmod_act(struct sk_buff *skb, const struct tc_action *a,
+ if (unlikely(err)) /* best policy is to drop on the floor */
+ goto drop;
+
+- action = READ_ONCE(d->tcf_action);
+- if (unlikely(action == TC_ACT_SHOT))
+- goto drop;
+-
+ p = rcu_dereference_bh(d->skbmod_p);
+ flags = p->flags;
+ if (flags & SKBMOD_F_DMAC)
+--
+2.30.2
+
--- /dev/null
+From bffb006885ab9394354a4375cb039f11b4b175d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Jul 2021 11:23:43 +0800
+Subject: net: sched: cls_api: Fix the the wrong parameter
+
+From: Yajun Deng <yajun.deng@linux.dev>
+
+[ Upstream commit 9d85a6f44bd5585761947f40f7821c9cd78a1bbe ]
+
+The 4th parameter in tc_chain_notify() should be flags rather than seq.
+Let's change it back correctly.
+
+Fixes: 32a4f5ecd738 ("net: sched: introduce chain object to uapi")
+Signed-off-by: Yajun Deng <yajun.deng@linux.dev>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/cls_api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
+index 30090794b791..31ac76a9189e 100644
+--- a/net/sched/cls_api.c
++++ b/net/sched/cls_api.c
+@@ -2905,7 +2905,7 @@ replay:
+ break;
+ case RTM_GETCHAIN:
+ err = tc_chain_notify(chain, skb, n->nlmsg_seq,
+- n->nlmsg_seq, n->nlmsg_type, true);
++ n->nlmsg_flags, n->nlmsg_type, true);
+ if (err < 0)
+ NL_SET_ERR_MSG(extack, "Failed to send chain notify message");
+ break;
+--
+2.30.2
+
--- /dev/null
+From e2534dbf9dfe9028db62c6a40b9fa3edb0f7ff93 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Jul 2021 14:29:33 +0300
+Subject: net: sched: fix memory leak in tcindex_partial_destroy_work
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit f5051bcece50140abd1a11a2d36dc3ec5484fc32 ]
+
+Syzbot reported memory leak in tcindex_set_parms(). The problem was in
+non-freed perfect hash in tcindex_partial_destroy_work().
+
+In tcindex_set_parms() new tcindex_data is allocated and some fields from
+old one are copied to new one, but not the perfect hash. Since
+tcindex_partial_destroy_work() is the destroy function for old
+tcindex_data, we need to free perfect hash to avoid memory leak.
+
+Reported-and-tested-by: syzbot+f0bbb2287b8993d4fa74@syzkaller.appspotmail.com
+Fixes: 331b72922c5f ("net: sched: RCU cls_tcindex")
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/cls_tcindex.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/sched/cls_tcindex.c b/net/sched/cls_tcindex.c
+index 5b274534264c..e9a8a2c86bbd 100644
+--- a/net/sched/cls_tcindex.c
++++ b/net/sched/cls_tcindex.c
+@@ -278,6 +278,8 @@ static int tcindex_filter_result_init(struct tcindex_filter_result *r,
+ TCA_TCINDEX_POLICE);
+ }
+
++static void tcindex_free_perfect_hash(struct tcindex_data *cp);
++
+ static void tcindex_partial_destroy_work(struct work_struct *work)
+ {
+ struct tcindex_data *p = container_of(to_rcu_work(work),
+@@ -285,7 +287,8 @@ static void tcindex_partial_destroy_work(struct work_struct *work)
+ rwork);
+
+ rtnl_lock();
+- kfree(p->perfect);
++ if (p->perfect)
++ tcindex_free_perfect_hash(p);
+ kfree(p);
+ rtnl_unlock();
+ }
+--
+2.30.2
+
--- /dev/null
+From 6998d4c1f1bf1d0f4855a2b727e05d5fb5a0c8a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Jul 2021 02:12:18 -0700
+Subject: net/tcp_fastopen: fix data races around tfo_active_disable_stamp
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 6f20c8adb1813467ea52c1296d52c4e95978cb2f ]
+
+tfo_active_disable_stamp is read and written locklessly.
+We need to annotate these accesses appropriately.
+
+Then, we need to perform the atomic_inc(tfo_active_disable_times)
+after the timestamp has been updated, and thus add barriers
+to make sure tcp_fastopen_active_should_disable() wont read
+a stale timestamp.
+
+Fixes: cf1ef3f0719b ("net/tcp_fastopen: Disable active side TFO in certain scenarios")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Wei Wang <weiwan@google.com>
+Cc: Yuchung Cheng <ycheng@google.com>
+Cc: Neal Cardwell <ncardwell@google.com>
+Acked-by: Wei Wang <weiwan@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_fastopen.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c
+index af2814c9342a..08548ff23d83 100644
+--- a/net/ipv4/tcp_fastopen.c
++++ b/net/ipv4/tcp_fastopen.c
+@@ -507,8 +507,15 @@ void tcp_fastopen_active_disable(struct sock *sk)
+ {
+ struct net *net = sock_net(sk);
+
++ /* Paired with READ_ONCE() in tcp_fastopen_active_should_disable() */
++ WRITE_ONCE(net->ipv4.tfo_active_disable_stamp, jiffies);
++
++ /* Paired with smp_rmb() in tcp_fastopen_active_should_disable().
++ * We want net->ipv4.tfo_active_disable_stamp to be updated first.
++ */
++ smp_mb__before_atomic();
+ atomic_inc(&net->ipv4.tfo_active_disable_times);
+- net->ipv4.tfo_active_disable_stamp = jiffies;
++
+ NET_INC_STATS(net, LINUX_MIB_TCPFASTOPENBLACKHOLE);
+ }
+
+@@ -526,10 +533,16 @@ bool tcp_fastopen_active_should_disable(struct sock *sk)
+ if (!tfo_da_times)
+ return false;
+
++ /* Paired with smp_mb__before_atomic() in tcp_fastopen_active_disable() */
++ smp_rmb();
++
+ /* Limit timout to max: 2^6 * initial timeout */
+ multiplier = 1 << min(tfo_da_times - 1, 6);
+- timeout = multiplier * tfo_bh_timeout * HZ;
+- if (time_before(jiffies, sock_net(sk)->ipv4.tfo_active_disable_stamp + timeout))
++
++ /* Paired with the WRITE_ONCE() in tcp_fastopen_active_disable(). */
++ timeout = READ_ONCE(sock_net(sk)->ipv4.tfo_active_disable_stamp) +
++ multiplier * tfo_bh_timeout * HZ;
++ if (time_before(jiffies, timeout))
+ return true;
+
+ /* Mark check bit so we can check for successful active TFO
+--
+2.30.2
+
--- /dev/null
+From 399ade11841e93564de18eefcf87fa90f358eff4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 Jul 2021 22:40:13 +0800
+Subject: netrom: Decrease sock refcount when sock timers expire
+
+From: Nguyen Dinh Phi <phind.uet@gmail.com>
+
+[ Upstream commit 517a16b1a88bdb6b530f48d5d153478b2552d9a8 ]
+
+Commit 63346650c1a9 ("netrom: switch to sock timer API") switched to use
+sock timer API. It replaces mod_timer() by sk_reset_timer(), and
+del_timer() by sk_stop_timer().
+
+Function sk_reset_timer() will increase the refcount of sock if it is
+called on an inactive timer, hence, in case the timer expires, we need to
+decrease the refcount ourselves in the handler, otherwise, the sock
+refcount will be unbalanced and the sock will never be freed.
+
+Signed-off-by: Nguyen Dinh Phi <phind.uet@gmail.com>
+Reported-by: syzbot+10f1194569953b72f1ae@syzkaller.appspotmail.com
+Fixes: 63346650c1a9 ("netrom: switch to sock timer API")
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netrom/nr_timer.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/net/netrom/nr_timer.c b/net/netrom/nr_timer.c
+index 9115f8a7dd45..a8da88db7893 100644
+--- a/net/netrom/nr_timer.c
++++ b/net/netrom/nr_timer.c
+@@ -121,11 +121,9 @@ static void nr_heartbeat_expiry(struct timer_list *t)
+ is accepted() it isn't 'dead' so doesn't get removed. */
+ if (sock_flag(sk, SOCK_DESTROY) ||
+ (sk->sk_state == TCP_LISTEN && sock_flag(sk, SOCK_DEAD))) {
+- sock_hold(sk);
+ bh_unlock_sock(sk);
+ nr_destroy_socket(sk);
+- sock_put(sk);
+- return;
++ goto out;
+ }
+ break;
+
+@@ -146,6 +144,8 @@ static void nr_heartbeat_expiry(struct timer_list *t)
+
+ nr_start_heartbeat(sk);
+ bh_unlock_sock(sk);
++out:
++ sock_put(sk);
+ }
+
+ static void nr_t2timer_expiry(struct timer_list *t)
+@@ -159,6 +159,7 @@ static void nr_t2timer_expiry(struct timer_list *t)
+ nr_enquiry_response(sk);
+ }
+ bh_unlock_sock(sk);
++ sock_put(sk);
+ }
+
+ static void nr_t4timer_expiry(struct timer_list *t)
+@@ -169,6 +170,7 @@ static void nr_t4timer_expiry(struct timer_list *t)
+ bh_lock_sock(sk);
+ nr_sk(sk)->condition &= ~NR_COND_PEER_RX_BUSY;
+ bh_unlock_sock(sk);
++ sock_put(sk);
+ }
+
+ static void nr_idletimer_expiry(struct timer_list *t)
+@@ -197,6 +199,7 @@ static void nr_idletimer_expiry(struct timer_list *t)
+ sock_set_flag(sk, SOCK_DEAD);
+ }
+ bh_unlock_sock(sk);
++ sock_put(sk);
+ }
+
+ static void nr_t1timer_expiry(struct timer_list *t)
+@@ -209,8 +212,7 @@ static void nr_t1timer_expiry(struct timer_list *t)
+ case NR_STATE_1:
+ if (nr->n2count == nr->n2) {
+ nr_disconnect(sk, ETIMEDOUT);
+- bh_unlock_sock(sk);
+- return;
++ goto out;
+ } else {
+ nr->n2count++;
+ nr_write_internal(sk, NR_CONNREQ);
+@@ -220,8 +222,7 @@ static void nr_t1timer_expiry(struct timer_list *t)
+ case NR_STATE_2:
+ if (nr->n2count == nr->n2) {
+ nr_disconnect(sk, ETIMEDOUT);
+- bh_unlock_sock(sk);
+- return;
++ goto out;
+ } else {
+ nr->n2count++;
+ nr_write_internal(sk, NR_DISCREQ);
+@@ -231,8 +232,7 @@ static void nr_t1timer_expiry(struct timer_list *t)
+ case NR_STATE_3:
+ if (nr->n2count == nr->n2) {
+ nr_disconnect(sk, ETIMEDOUT);
+- bh_unlock_sock(sk);
+- return;
++ goto out;
+ } else {
+ nr->n2count++;
+ nr_requeue_frames(sk);
+@@ -241,5 +241,7 @@ static void nr_t1timer_expiry(struct timer_list *t)
+ }
+
+ nr_start_t1timer(sk);
++out:
+ bh_unlock_sock(sk);
++ sock_put(sk);
+ }
+--
+2.30.2
+
--- /dev/null
+From 8eaf1a2c015aaa928aa5ad35ab14613c411defd3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Jul 2021 14:14:32 -0700
+Subject: nvme-pci: do not call nvme_dev_remove_admin from nvme_remove
+
+From: Casey Chen <cachen@purestorage.com>
+
+[ Upstream commit 251ef6f71be2adfd09546a26643426fe62585173 ]
+
+nvme_dev_remove_admin could free dev->admin_q and the admin_tagset
+while they are being accessed by nvme_dev_disable(), which can be called
+by nvme_reset_work via nvme_remove_dead_ctrl.
+
+Commit cb4bfda62afa ("nvme-pci: fix hot removal during error handling")
+intended to avoid requests being stuck on a removed controller by killing
+the admin queue. But the later fix c8e9e9b7646e ("nvme-pci: unquiesce
+admin queue on shutdown"), together with nvme_dev_disable(dev, true)
+right before nvme_dev_remove_admin() could help dispatch requests and
+fail them early, so we don't need nvme_dev_remove_admin() any more.
+
+Fixes: cb4bfda62afa ("nvme-pci: fix hot removal during error handling")
+Signed-off-by: Casey Chen <cachen@purestorage.com>
+Reviewed-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index 3f05df98697d..80e1d45b0668 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -3003,7 +3003,6 @@ static void nvme_remove(struct pci_dev *pdev)
+ if (!pci_device_is_present(pdev)) {
+ nvme_change_ctrl_state(&dev->ctrl, NVME_CTRL_DEAD);
+ nvme_dev_disable(dev, true);
+- nvme_dev_remove_admin(dev);
+ }
+
+ flush_work(&dev->ctrl.reset_work);
+--
+2.30.2
+
--- /dev/null
+From a0e56141256178192c5e0d88c7ac46452ce01703 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Jul 2021 21:38:29 +0800
+Subject: nvme-pci: don't WARN_ON in nvme_reset_work if ctrl.state is not
+ RESETTING
+
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+
+[ Upstream commit 7764656b108cd308c39e9a8554353b8f9ca232a3 ]
+
+Followling process:
+nvme_probe
+ nvme_reset_ctrl
+ nvme_change_ctrl_state(ctrl, NVME_CTRL_RESETTING)
+ queue_work(nvme_reset_wq, &ctrl->reset_work)
+
+--------------> nvme_remove
+ nvme_change_ctrl_state(&dev->ctrl, NVME_CTRL_DELETING)
+worker_thread
+ process_one_work
+ nvme_reset_work
+ WARN_ON(dev->ctrl.state != NVME_CTRL_RESETTING)
+
+, which will trigger WARN_ON in nvme_reset_work():
+[ 127.534298] WARNING: CPU: 0 PID: 139 at drivers/nvme/host/pci.c:2594
+[ 127.536161] CPU: 0 PID: 139 Comm: kworker/u8:7 Not tainted 5.13.0
+[ 127.552518] Call Trace:
+[ 127.552840] ? kvm_sched_clock_read+0x25/0x40
+[ 127.553936] ? native_send_call_func_single_ipi+0x1c/0x30
+[ 127.555117] ? send_call_function_single_ipi+0x9b/0x130
+[ 127.556263] ? __smp_call_single_queue+0x48/0x60
+[ 127.557278] ? ttwu_queue_wakelist+0xfa/0x1c0
+[ 127.558231] ? try_to_wake_up+0x265/0x9d0
+[ 127.559120] ? ext4_end_io_rsv_work+0x160/0x290
+[ 127.560118] process_one_work+0x28c/0x640
+[ 127.561002] worker_thread+0x39a/0x700
+[ 127.561833] ? rescuer_thread+0x580/0x580
+[ 127.562714] kthread+0x18c/0x1e0
+[ 127.563444] ? set_kthread_struct+0x70/0x70
+[ 127.564347] ret_from_fork+0x1f/0x30
+
+The preceding problem can be easily reproduced by executing following
+script (based on blktests suite):
+test() {
+ pdev="$(_get_pci_dev_from_blkdev)"
+ sysfs="/sys/bus/pci/devices/${pdev}"
+ for ((i = 0; i < 10; i++)); do
+ echo 1 > "$sysfs/remove"
+ echo 1 > /sys/bus/pci/rescan
+ done
+}
+
+Since the device ctrl could be updated as an non-RESETTING state by
+repeating probe/remove in userspace (which is a normal situation), we
+can replace stack dumping WARN_ON with a warnning message.
+
+Fixes: 82b057caefaff ("nvme-pci: fix multiple ctrl removal schedulin")
+Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index 80e1d45b0668..fb48a88d1acb 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -2596,7 +2596,9 @@ static void nvme_reset_work(struct work_struct *work)
+ bool was_suspend = !!(dev->ctrl.ctrl_config & NVME_CC_SHN_NORMAL);
+ int result;
+
+- if (WARN_ON(dev->ctrl.state != NVME_CTRL_RESETTING)) {
++ if (dev->ctrl.state != NVME_CTRL_RESETTING) {
++ dev_warn(dev->ctrl.device, "ctrl state %d is not RESETTING\n",
++ dev->ctrl.state);
+ result = -ENODEV;
+ goto out;
+ }
+--
+2.30.2
+
--- /dev/null
+From 9539404584f179a8abefd3c6ed6967fd62e736db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jul 2021 10:00:11 +0200
+Subject: nvme: set the PRACT bit when using Write Zeroes with T10 PI
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit aaeb7bb061be545251606f4d9c82d710ca2a7c8e ]
+
+When using Write Zeroes on a namespace that has protection
+information enabled they behavior without the PRACT bit
+counter-intuitive and will generally lead to validation failures
+when reading the written blocks. Fix this by always setting the
+PRACT bit that generates matching PI data on the fly.
+
+Fixes: 6e02318eaea5 ("nvme: add support for the Write Zeroes command")
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Keith Busch <kbusch@kernel.org>
+Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index f520a71a361f..ff5a16b17133 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -751,7 +751,10 @@ static inline blk_status_t nvme_setup_write_zeroes(struct nvme_ns *ns,
+ cpu_to_le64(nvme_sect_to_lba(ns, blk_rq_pos(req)));
+ cmnd->write_zeroes.length =
+ cpu_to_le16((blk_rq_bytes(req) >> ns->lba_shift) - 1);
+- cmnd->write_zeroes.control = 0;
++ if (nvme_ns_has_pi(ns))
++ cmnd->write_zeroes.control = cpu_to_le16(NVME_RW_PRINFO_PRACT);
++ else
++ cmnd->write_zeroes.control = 0;
+ return BLK_STS_OK;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From d5ac86421bdd6ade24e663ba7735b4f6961cd620 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jul 2021 16:11:20 +0200
+Subject: perf data: Close all files in close_dir()
+
+From: Riccardo Mancini <rickyman7@gmail.com>
+
+[ Upstream commit d4b3eedce151e63932ce4a00f1d0baa340a8b907 ]
+
+When using 'perf report' in directory mode, the first file is not closed
+on exit, causing a memory leak.
+
+The problem is caused by the iterating variable never reaching 0.
+
+Fixes: 145520631130bd64 ("perf data: Add perf_data__(create_dir|close_dir) functions")
+Signed-off-by: Riccardo Mancini <rickyman7@gmail.com>
+Acked-by: Namhyung Kim <namhyung@kernel.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Zhen Lei <thunder.leizhen@huawei.com>
+Link: http://lore.kernel.org/lkml/20210716141122.858082-1-rickyman7@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/data.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/data.c b/tools/perf/util/data.c
+index 5d97b3e45fbb..bcb494dc816a 100644
+--- a/tools/perf/util/data.c
++++ b/tools/perf/util/data.c
+@@ -20,7 +20,7 @@
+
+ static void close_dir(struct perf_data_file *files, int nr)
+ {
+- while (--nr >= 1) {
++ while (--nr >= 0) {
+ close(files[nr].fd);
+ zfree(&files[nr].path);
+ }
+--
+2.30.2
+
--- /dev/null
+From 74af9a71b0cf8cb97cb7d0772f00c272abe37ec3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 18:07:11 +0200
+Subject: perf dso: Fix memory leak in dso__new_map()
+
+From: Riccardo Mancini <rickyman7@gmail.com>
+
+[ Upstream commit 581e295a0f6b5c2931d280259fbbfff56959faa9 ]
+
+ASan reports a memory leak when running:
+
+ # perf test "65: maps__merge_in".
+
+The causes of the leaks are two, this patch addresses only the first
+one, which is related to dso__new_map().
+
+The bug is that dso__new_map() creates a new dso but never decreases the
+refcount it gets from creating it.
+
+This patch adds the missing dso__put().
+
+Signed-off-by: Riccardo Mancini <rickyman7@gmail.com>
+Fixes: d3a7c489c7fd2463 ("perf tools: Reference count struct dso")
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lore.kernel.org/lkml/60bfe0cd06e89e2ca33646eb8468d7f5de2ee597.1626343282.git.rickyman7@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/dso.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/dso.c b/tools/perf/util/dso.c
+index 55c11e854fe4..b1ff0c9f32da 100644
+--- a/tools/perf/util/dso.c
++++ b/tools/perf/util/dso.c
+@@ -1141,8 +1141,10 @@ struct map *dso__new_map(const char *name)
+ struct map *map = NULL;
+ struct dso *dso = dso__new(name);
+
+- if (dso)
++ if (dso) {
+ map = map__new2(0, dso);
++ dso__put(dso);
++ }
+
+ return map;
+ }
+--
+2.30.2
+
--- /dev/null
+From b75985a750b40a7cb1cbf2130f974db29f6d4e4a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 18:07:13 +0200
+Subject: perf env: Fix memory leak of cpu_pmu_caps
+
+From: Riccardo Mancini <rickyman7@gmail.com>
+
+[ Upstream commit da6b7c6c0626901428245f65712385805e42eba6 ]
+
+ASan reports memory leaks while running:
+
+ # perf test "83: Zstd perf.data compression/decompression"
+
+The first of the leaks is caused by env->cpu_pmu_caps not being freed.
+
+This patch adds the missing (z)free inside perf_env__exit.
+
+Signed-off-by: Riccardo Mancini <rickyman7@gmail.com>
+Fixes: 6f91ea283a1ed23e ("perf header: Support CPU PMU capabilities")
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lore.kernel.org/lkml/6ba036a8220156ec1f3d6be3e5d25920f6145028.1626343282.git.rickyman7@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/env.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/perf/util/env.c b/tools/perf/util/env.c
+index 744e51c4a6bd..03bc843b1cf8 100644
+--- a/tools/perf/util/env.c
++++ b/tools/perf/util/env.c
+@@ -183,6 +183,7 @@ void perf_env__exit(struct perf_env *env)
+ zfree(&env->sibling_threads);
+ zfree(&env->pmu_mappings);
+ zfree(&env->cpu);
++ zfree(&env->cpu_pmu_caps);
+ zfree(&env->numa_map);
+
+ for (i = 0; i < env->nr_numa_nodes; i++)
+--
+2.30.2
+
--- /dev/null
+From d177d26ed076dbe7172e08f838372c7dc42a0797 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 18:07:07 +0200
+Subject: perf env: Fix sibling_dies memory leak
+
+From: Riccardo Mancini <rickyman7@gmail.com>
+
+[ Upstream commit 42db3d9ded555f7148b5695109a7dc8d66f0dde4 ]
+
+ASan reports a memory leak in perf_env while running:
+
+ # perf test "41: Session topology"
+
+Caused by sibling_dies not being freed.
+
+This patch adds the required free.
+
+Fixes: acae8b36cded0ee6 ("perf header: Add die information in CPU topology")
+Signed-off-by: Riccardo Mancini <rickyman7@gmail.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lore.kernel.org/lkml/2140d0b57656e4eb9021ca9772250c24c032924b.1626343282.git.rickyman7@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/env.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/perf/util/env.c b/tools/perf/util/env.c
+index fadc59708ece..744e51c4a6bd 100644
+--- a/tools/perf/util/env.c
++++ b/tools/perf/util/env.c
+@@ -178,6 +178,7 @@ void perf_env__exit(struct perf_env *env)
+ zfree(&env->cpuid);
+ zfree(&env->cmdline);
+ zfree(&env->cmdline_argv);
++ zfree(&env->sibling_dies);
+ zfree(&env->sibling_cores);
+ zfree(&env->sibling_threads);
+ zfree(&env->pmu_mappings);
+--
+2.30.2
+
--- /dev/null
+From b417be806e7a34d4b19e9c221f4aea1b4ad8f5fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 18:07:06 +0200
+Subject: perf inject: Fix dso->nsinfo refcounting
+
+From: Riccardo Mancini <rickyman7@gmail.com>
+
+[ Upstream commit 0967ebffe098157180a0bbd180ac90348c6e07d7 ]
+
+ASan reports a memory leak of nsinfo during the execution of:
+
+ # perf test "31: Lookup mmap thread"
+
+The leak is caused by a refcounted variable being replaced without
+dropping the refcount.
+
+This patch makes sure that the refcnt of nsinfo is decreased when a
+refcounted variable is replaced with a new value.
+
+Signed-off-by: Riccardo Mancini <rickyman7@gmail.com>
+Fixes: 27c9c3424fc217da ("perf inject: Add --buildid-all option")
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lore.kernel.org/lkml/55223bc8821b34ccb01f92ef1401c02b6a32e61f.1626343282.git.rickyman7@gmail.com
+[ Split from a larger patch ]
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-inject.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/builtin-inject.c b/tools/perf/builtin-inject.c
+index 5320ac1b1285..ec7e46b63551 100644
+--- a/tools/perf/builtin-inject.c
++++ b/tools/perf/builtin-inject.c
+@@ -358,9 +358,10 @@ static struct dso *findnew_dso(int pid, int tid, const char *filename,
+ dso = machine__findnew_dso_id(machine, filename, id);
+ }
+
+- if (dso)
++ if (dso) {
++ nsinfo__put(dso->nsinfo);
+ dso->nsinfo = nsi;
+- else
++ } else
+ nsinfo__put(nsi);
+
+ thread__put(thread);
+--
+2.30.2
+
--- /dev/null
+From 5d479f7fc8daa9a97098ab28764104b9e92c098e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 18:07:19 +0200
+Subject: perf lzma: Close lzma stream on exit
+
+From: Riccardo Mancini <rickyman7@gmail.com>
+
+[ Upstream commit f8cbb0f926ae1e1fb5f9e51614e5437560ed4039 ]
+
+ASan reports memory leaks when running:
+
+ # perf test "88: Check open filename arg using perf trace + vfs_getname"
+
+One of these is caused by the lzma stream never being closed inside
+lzma_decompress_to_file().
+
+This patch adds the missing lzma_end().
+
+Signed-off-by: Riccardo Mancini <rickyman7@gmail.com>
+Fixes: 80a32e5b498a7547 ("perf tools: Add lzma decompression support for kernel module")
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lore.kernel.org/lkml/aaf50bdce7afe996cfc06e1bbb36e4a2a9b9db93.1626343282.git.rickyman7@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/lzma.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/tools/perf/util/lzma.c b/tools/perf/util/lzma.c
+index 39062df02629..51424cdc3b68 100644
+--- a/tools/perf/util/lzma.c
++++ b/tools/perf/util/lzma.c
+@@ -69,7 +69,7 @@ int lzma_decompress_to_file(const char *input, int output_fd)
+
+ if (ferror(infile)) {
+ pr_err("lzma: read error: %s\n", strerror(errno));
+- goto err_fclose;
++ goto err_lzma_end;
+ }
+
+ if (feof(infile))
+@@ -83,7 +83,7 @@ int lzma_decompress_to_file(const char *input, int output_fd)
+
+ if (writen(output_fd, buf_out, write_size) != write_size) {
+ pr_err("lzma: write error: %s\n", strerror(errno));
+- goto err_fclose;
++ goto err_lzma_end;
+ }
+
+ strm.next_out = buf_out;
+@@ -95,11 +95,13 @@ int lzma_decompress_to_file(const char *input, int output_fd)
+ break;
+
+ pr_err("lzma: failed %s\n", lzma_strerror(ret));
+- goto err_fclose;
++ goto err_lzma_end;
+ }
+ }
+
+ err = 0;
++err_lzma_end:
++ lzma_end(&strm);
+ err_fclose:
+ fclose(infile);
+ return err;
+--
+2.30.2
+
--- /dev/null
+From c3082db07e4409f7ca462e7655599cb7307a6b6d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 18:07:06 +0200
+Subject: perf map: Fix dso->nsinfo refcounting
+
+From: Riccardo Mancini <rickyman7@gmail.com>
+
+[ Upstream commit 2d6b74baa7147251c30a46c4996e8cc224aa2dc5 ]
+
+ASan reports a memory leak of nsinfo during the execution of
+
+ # perf test "31: Lookup mmap thread"
+
+The leak is caused by a refcounted variable being replaced without
+dropping the refcount.
+
+This patch makes sure that the refcnt of nsinfo is decreased whenever a
+refcounted variable is replaced with a new value.
+
+Signed-off-by: Riccardo Mancini <rickyman7@gmail.com>
+Fixes: bf2e710b3cb8445c ("perf maps: Lookup maps in both intitial mountns and inner mountns.")
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Krister Johansen <kjlx@templeofstupid.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lore.kernel.org/lkml/55223bc8821b34ccb01f92ef1401c02b6a32e61f.1626343282.git.rickyman7@gmail.com
+[ Split from a larger patch ]
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/map.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/perf/util/map.c b/tools/perf/util/map.c
+index f4d44f75ba15..6688f6b253a7 100644
+--- a/tools/perf/util/map.c
++++ b/tools/perf/util/map.c
+@@ -192,6 +192,8 @@ struct map *map__new(struct machine *machine, u64 start, u64 len,
+ if (!(prot & PROT_EXEC))
+ dso__set_loaded(dso);
+ }
++
++ nsinfo__put(dso->nsinfo);
+ dso->nsinfo = nsi;
+ dso__put(dso);
+ }
+--
+2.30.2
+
--- /dev/null
+From 5c67055280c3707211feea473aa8590988d005f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 18:07:25 +0200
+Subject: perf probe-file: Delete namelist in del_events() on the error path
+
+From: Riccardo Mancini <rickyman7@gmail.com>
+
+[ Upstream commit e0fa7ab42232e742dcb3de9f3c1f6127b5adc019 ]
+
+ASan reports some memory leaks when running:
+
+ # perf test "42: BPF filter"
+
+This second leak is caused by a strlist not being dellocated on error
+inside probe_file__del_events.
+
+This patch adds a goto label before the deallocation and makes the error
+path jump to it.
+
+Signed-off-by: Riccardo Mancini <rickyman7@gmail.com>
+Fixes: e7895e422e4da63d ("perf probe: Split del_perf_probe_events()")
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lore.kernel.org/lkml/174963c587ae77fa108af794669998e4ae558338.1626343282.git.rickyman7@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/probe-file.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/util/probe-file.c b/tools/perf/util/probe-file.c
+index bbecb449ea94..d2b98d64438e 100644
+--- a/tools/perf/util/probe-file.c
++++ b/tools/perf/util/probe-file.c
+@@ -342,11 +342,11 @@ int probe_file__del_events(int fd, struct strfilter *filter)
+
+ ret = probe_file__get_events(fd, filter, namelist);
+ if (ret < 0)
+- return ret;
++ goto out;
+
+ ret = probe_file__del_strlist(fd, namelist);
++out:
+ strlist__delete(namelist);
+-
+ return ret;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 6fe023c0157d1807b731ff4cc6111e7d8e2985bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 18:07:06 +0200
+Subject: perf probe: Fix dso->nsinfo refcounting
+
+From: Riccardo Mancini <rickyman7@gmail.com>
+
+[ Upstream commit dedeb4be203b382ba7245d13079bc3b0f6d40c65 ]
+
+ASan reports a memory leak of nsinfo during the execution of:
+
+ # perf test "31: Lookup mmap thread".
+
+The leak is caused by a refcounted variable being replaced without
+dropping the refcount.
+
+This patch makes sure that the refcnt of nsinfo is decreased whenever
+a refcounted variable is replaced with a new value.
+
+Signed-off-by: Riccardo Mancini <rickyman7@gmail.com>
+Fixes: 544abd44c7064c8a ("perf probe: Allow placing uprobes in alternate namespaces.")
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Krister Johansen <kjlx@templeofstupid.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lore.kernel.org/lkml/55223bc8821b34ccb01f92ef1401c02b6a32e61f.1626343282.git.rickyman7@gmail.com
+[ Split from a larger patch ]
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/probe-event.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/probe-event.c b/tools/perf/util/probe-event.c
+index 8eae2afff71a..07db6cfad65b 100644
+--- a/tools/perf/util/probe-event.c
++++ b/tools/perf/util/probe-event.c
+@@ -180,8 +180,10 @@ struct map *get_target_map(const char *target, struct nsinfo *nsi, bool user)
+ struct map *map;
+
+ map = dso__new_map(target);
+- if (map && map->dso)
++ if (map && map->dso) {
++ nsinfo__put(map->dso->nsinfo);
+ map->dso->nsinfo = nsinfo__get(nsi);
++ }
+ return map;
+ } else {
+ return kernel_get_module_map(target);
+--
+2.30.2
+
--- /dev/null
+From dbbe76228ea5195855847aed8b4b3974c7c58a96 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 18:07:14 +0200
+Subject: perf report: Free generated help strings for sort option
+
+From: Riccardo Mancini <rickyman7@gmail.com>
+
+[ Upstream commit a37338aad8c4d8676173ead14e881d2ec308155c ]
+
+ASan reports the memory leak of the strings allocated by sort_help() when
+running perf report.
+
+This patch changes the returned pointer to char* (instead of const
+char*), saves it in a temporary variable, and finally deallocates it at
+function exit.
+
+Signed-off-by: Riccardo Mancini <rickyman7@gmail.com>
+Fixes: 702fb9b415e7c99b ("perf report: Show all sort keys in help output")
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lore.kernel.org/lkml/a38b13f02812a8a6759200b9063c6191337f44d4.1626343282.git.rickyman7@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-report.c | 33 ++++++++++++++++++++++-----------
+ tools/perf/util/sort.c | 2 +-
+ tools/perf/util/sort.h | 2 +-
+ 3 files changed, 24 insertions(+), 13 deletions(-)
+
+diff --git a/tools/perf/builtin-report.c b/tools/perf/builtin-report.c
+index 3c74c9c0f3c3..5824aa24acfc 100644
+--- a/tools/perf/builtin-report.c
++++ b/tools/perf/builtin-report.c
+@@ -1143,6 +1143,8 @@ int cmd_report(int argc, const char **argv)
+ .socket_filter = -1,
+ .annotation_opts = annotation__default_options,
+ };
++ char *sort_order_help = sort_help("sort by key(s):");
++ char *field_order_help = sort_help("output field(s): overhead period sample ");
+ const struct option options[] = {
+ OPT_STRING('i', "input", &input_name, "file",
+ "input file name"),
+@@ -1177,9 +1179,9 @@ int cmd_report(int argc, const char **argv)
+ OPT_BOOLEAN(0, "header-only", &report.header_only,
+ "Show only data header."),
+ OPT_STRING('s', "sort", &sort_order, "key[,key2...]",
+- sort_help("sort by key(s):")),
++ sort_order_help),
+ OPT_STRING('F', "fields", &field_order, "key[,keys...]",
+- sort_help("output field(s): overhead period sample ")),
++ field_order_help),
+ OPT_BOOLEAN(0, "show-cpu-utilization", &symbol_conf.show_cpu_utilization,
+ "Show sample percentage for different cpu modes"),
+ OPT_BOOLEAN_FLAG(0, "showcpuutilization", &symbol_conf.show_cpu_utilization,
+@@ -1308,11 +1310,11 @@ int cmd_report(int argc, const char **argv)
+ char sort_tmp[128];
+
+ if (ret < 0)
+- return ret;
++ goto exit;
+
+ ret = perf_config(report__config, &report);
+ if (ret)
+- return ret;
++ goto exit;
+
+ argc = parse_options(argc, argv, options, report_usage, 0);
+ if (argc) {
+@@ -1326,8 +1328,10 @@ int cmd_report(int argc, const char **argv)
+ report.symbol_filter_str = argv[0];
+ }
+
+- if (annotate_check_args(&report.annotation_opts) < 0)
+- return -EINVAL;
++ if (annotate_check_args(&report.annotation_opts) < 0) {
++ ret = -EINVAL;
++ goto exit;
++ }
+
+ if (report.mmaps_mode)
+ report.tasks_mode = true;
+@@ -1341,12 +1345,14 @@ int cmd_report(int argc, const char **argv)
+ if (symbol_conf.vmlinux_name &&
+ access(symbol_conf.vmlinux_name, R_OK)) {
+ pr_err("Invalid file: %s\n", symbol_conf.vmlinux_name);
+- return -EINVAL;
++ ret = -EINVAL;
++ goto exit;
+ }
+ if (symbol_conf.kallsyms_name &&
+ access(symbol_conf.kallsyms_name, R_OK)) {
+ pr_err("Invalid file: %s\n", symbol_conf.kallsyms_name);
+- return -EINVAL;
++ ret = -EINVAL;
++ goto exit;
+ }
+
+ if (report.inverted_callchain)
+@@ -1370,12 +1376,14 @@ int cmd_report(int argc, const char **argv)
+
+ repeat:
+ session = perf_session__new(&data, false, &report.tool);
+- if (IS_ERR(session))
+- return PTR_ERR(session);
++ if (IS_ERR(session)) {
++ ret = PTR_ERR(session);
++ goto exit;
++ }
+
+ ret = evswitch__init(&report.evswitch, session->evlist, stderr);
+ if (ret)
+- return ret;
++ goto exit;
+
+ if (zstd_init(&(session->zstd_data), 0) < 0)
+ pr_warning("Decompression initialization failed. Reported data may be incomplete.\n");
+@@ -1603,5 +1611,8 @@ error:
+
+ zstd_fini(&(session->zstd_data));
+ perf_session__delete(session);
++exit:
++ free(sort_order_help);
++ free(field_order_help);
+ return ret;
+ }
+diff --git a/tools/perf/util/sort.c b/tools/perf/util/sort.c
+index 8a3b7d5a4737..5e9e96452b9e 100644
+--- a/tools/perf/util/sort.c
++++ b/tools/perf/util/sort.c
+@@ -3177,7 +3177,7 @@ static void add_hpp_sort_string(struct strbuf *sb, struct hpp_dimension *s, int
+ add_key(sb, s[i].name, llen);
+ }
+
+-const char *sort_help(const char *prefix)
++char *sort_help(const char *prefix)
+ {
+ struct strbuf sb;
+ char *s;
+diff --git a/tools/perf/util/sort.h b/tools/perf/util/sort.h
+index 66d39c4cfe2b..fc94dcd67abc 100644
+--- a/tools/perf/util/sort.h
++++ b/tools/perf/util/sort.h
+@@ -293,7 +293,7 @@ void reset_output_field(void);
+ void sort__setup_elide(FILE *fp);
+ void perf_hpp__set_elide(int idx, bool elide);
+
+-const char *sort_help(const char *prefix);
++char *sort_help(const char *prefix);
+
+ int report_parse_ignore_callees_opt(const struct option *opt, const char *arg, int unset);
+
+--
+2.30.2
+
--- /dev/null
+From edd3e448bfe3707b1293860cf8ebe0ce282801c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Jul 2021 19:23:58 +0800
+Subject: perf sched: Fix record failure when CONFIG_SCHEDSTATS is not set
+
+From: Yang Jihong <yangjihong1@huawei.com>
+
+[ Upstream commit b0f008551f0bf4d5f6db9b5f0e071b02790d6a2e ]
+
+The tracepoints trace_sched_stat_{wait, sleep, iowait} are not exposed to user
+if CONFIG_SCHEDSTATS is not set, "perf sched record" records the three events.
+As a result, the command fails.
+
+Before:
+
+ #perf sched record sleep 1
+ event syntax error: 'sched:sched_stat_wait'
+ \___ unknown tracepoint
+
+ Error: File /sys/kernel/tracing/events/sched/sched_stat_wait not found.
+ Hint: Perhaps this kernel misses some CONFIG_ setting to enable this feature?.
+
+ Run 'perf list' for a list of valid events
+
+ Usage: perf record [<options>] [<command>]
+ or: perf record [<options>] -- <command> [<options>]
+
+ -e, --event <event> event selector. use 'perf list' to list available events
+
+Solution:
+ Check whether schedstat tracepoints are exposed. If no, these events are not recorded.
+
+After:
+ # perf sched record sleep 1
+ [ perf record: Woken up 1 times to write data ]
+ [ perf record: Captured and wrote 0.163 MB perf.data (1091 samples) ]
+ # perf sched report
+ run measurement overhead: 4736 nsecs
+ sleep measurement overhead: 9059979 nsecs
+ the run test took 999854 nsecs
+ the sleep test took 8945271 nsecs
+ nr_run_events: 716
+ nr_sleep_events: 785
+ nr_wakeup_events: 0
+ ...
+ ------------------------------------------------------------
+
+Fixes: 2a09b5de235a6 ("sched/fair: do not expose some tracepoints to user if CONFIG_SCHEDSTATS is not set")
+Signed-off-by: Yang Jihong <yangjihong1@huawei.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Cc: Yafang Shao <laoar.shao@gmail.com>
+Link: http://lore.kernel.org/lkml/20210713112358.194693-1-yangjihong1@huawei.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-sched.c | 33 +++++++++++++++++++++++++++++----
+ 1 file changed, 29 insertions(+), 4 deletions(-)
+
+diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c
+index 0e16f9d5a947..d3b5f5faf8c1 100644
+--- a/tools/perf/builtin-sched.c
++++ b/tools/perf/builtin-sched.c
+@@ -3337,6 +3337,16 @@ static void setup_sorting(struct perf_sched *sched, const struct option *options
+ sort_dimension__add("pid", &sched->cmp_pid);
+ }
+
++static bool schedstat_events_exposed(void)
++{
++ /*
++ * Select "sched:sched_stat_wait" event to check
++ * whether schedstat tracepoints are exposed.
++ */
++ return IS_ERR(trace_event__tp_format("sched", "sched_stat_wait")) ?
++ false : true;
++}
++
+ static int __cmd_record(int argc, const char **argv)
+ {
+ unsigned int rec_argc, i, j;
+@@ -3348,21 +3358,33 @@ static int __cmd_record(int argc, const char **argv)
+ "-m", "1024",
+ "-c", "1",
+ "-e", "sched:sched_switch",
+- "-e", "sched:sched_stat_wait",
+- "-e", "sched:sched_stat_sleep",
+- "-e", "sched:sched_stat_iowait",
+ "-e", "sched:sched_stat_runtime",
+ "-e", "sched:sched_process_fork",
+ "-e", "sched:sched_wakeup_new",
+ "-e", "sched:sched_migrate_task",
+ };
++
++ /*
++ * The tracepoints trace_sched_stat_{wait, sleep, iowait}
++ * are not exposed to user if CONFIG_SCHEDSTATS is not set,
++ * to prevent "perf sched record" execution failure, determine
++ * whether to record schedstat events according to actual situation.
++ */
++ const char * const schedstat_args[] = {
++ "-e", "sched:sched_stat_wait",
++ "-e", "sched:sched_stat_sleep",
++ "-e", "sched:sched_stat_iowait",
++ };
++ unsigned int schedstat_argc = schedstat_events_exposed() ?
++ ARRAY_SIZE(schedstat_args) : 0;
++
+ struct tep_event *waking_event;
+
+ /*
+ * +2 for either "-e", "sched:sched_wakeup" or
+ * "-e", "sched:sched_waking"
+ */
+- rec_argc = ARRAY_SIZE(record_args) + 2 + argc - 1;
++ rec_argc = ARRAY_SIZE(record_args) + 2 + schedstat_argc + argc - 1;
+ rec_argv = calloc(rec_argc + 1, sizeof(char *));
+
+ if (rec_argv == NULL)
+@@ -3378,6 +3400,9 @@ static int __cmd_record(int argc, const char **argv)
+ else
+ rec_argv[i++] = strdup("sched:sched_wakeup");
+
++ for (j = 0; j < schedstat_argc; j++)
++ rec_argv[i++] = strdup(schedstat_args[j]);
++
+ for (j = 1; j < (unsigned int)argc; j++, i++)
+ rec_argv[i] = argv[j];
+
+--
+2.30.2
+
--- /dev/null
+From c19c00d6b960ec91772e20fd96b69caeabff9ea4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 18:07:18 +0200
+Subject: perf script: Fix memory 'threads' and 'cpus' leaks on exit
+
+From: Riccardo Mancini <rickyman7@gmail.com>
+
+[ Upstream commit faf3ac305d61341c74e5cdd9e41daecce7f67bfe ]
+
+ASan reports several memory leaks while running:
+
+ # perf test "82: Use vfs_getname probe to get syscall args filenames"
+
+Two of these are caused by some refcounts not being decreased on
+perf-script exit, namely script.threads and script.cpus.
+
+This patch adds the missing __put calls in a new perf_script__exit
+function, which is called at the end of cmd_script.
+
+This patch concludes the fixes of all remaining memory leaks in perf
+test "82: Use vfs_getname probe to get syscall args filenames".
+
+Signed-off-by: Riccardo Mancini <rickyman7@gmail.com>
+Fixes: cfc8874a48599249 ("perf script: Process cpu/threads maps")
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lore.kernel.org/lkml/5ee73b19791c6fa9d24c4d57f4ac1a23609400d7.1626343282.git.rickyman7@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-script.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/tools/perf/builtin-script.c b/tools/perf/builtin-script.c
+index 48588ccf902e..2bb159c10503 100644
+--- a/tools/perf/builtin-script.c
++++ b/tools/perf/builtin-script.c
+@@ -2483,6 +2483,12 @@ static void perf_script__exit_per_event_dump_stats(struct perf_script *script)
+ }
+ }
+
++static void perf_script__exit(struct perf_script *script)
++{
++ perf_thread_map__put(script->threads);
++ perf_cpu_map__put(script->cpus);
++}
++
+ static int __cmd_script(struct perf_script *script)
+ {
+ int ret;
+@@ -3937,6 +3943,7 @@ out_delete:
+
+ perf_evlist__free_stats(session->evlist);
+ perf_session__delete(session);
++ perf_script__exit(&script);
+
+ if (script_started)
+ cleanup_scripting();
+--
+2.30.2
+
--- /dev/null
+From a1c8eddda6a9cbd6e8264c35ac2fd273468ff9cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 18:07:09 +0200
+Subject: perf test event_update: Fix memory leak of evlist
+
+From: Riccardo Mancini <rickyman7@gmail.com>
+
+[ Upstream commit fc56f54f6fcd5337634f4545af6459613129b432 ]
+
+ASan reports a memory leak when running:
+
+ # perf test "49: Synthesize attr update"
+
+Caused by evlist not being deleted.
+
+This patch adds the missing evlist__delete and removes the
+perf_cpu_map__put since it's already being deleted by evlist__delete.
+
+Signed-off-by: Riccardo Mancini <rickyman7@gmail.com>
+Fixes: a6e5281780d1da65 ("perf tools: Add event_update event unit type")
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lore.kernel.org/lkml/f7994ad63d248f7645f901132d208fadf9f2b7e4.1626343282.git.rickyman7@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/tests/event_update.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/tests/event_update.c b/tools/perf/tests/event_update.c
+index bdcf032f8516..1c9a6138fba1 100644
+--- a/tools/perf/tests/event_update.c
++++ b/tools/perf/tests/event_update.c
+@@ -119,6 +119,6 @@ int test__event_update(struct test *test __maybe_unused, int subtest __maybe_unu
+ TEST_ASSERT_VAL("failed to synthesize attr update cpus",
+ !perf_event__synthesize_event_update_cpus(&tmp.tool, evsel, process_event_cpus));
+
+- perf_cpu_map__put(evsel->core.own_cpus);
++ evlist__delete(evlist);
+ return 0;
+ }
+--
+2.30.2
+
--- /dev/null
+From 397d45b351985c90c87a2394df70c6cf1ef8abfb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 18:07:12 +0200
+Subject: perf test maps__merge_in: Fix memory leak of maps
+
+From: Riccardo Mancini <rickyman7@gmail.com>
+
+[ Upstream commit 244d1797c8c8e850b8de7992af713aa5c70d5650 ]
+
+ASan reports a memory leak when running:
+
+ # perf test "65: maps__merge_in"
+
+This is the second and final patch addressing these memory leaks.
+
+This time, the problem is simply that the maps object is never
+destructed.
+
+This patch adds the missing maps__exit call.
+
+Signed-off-by: Riccardo Mancini <rickyman7@gmail.com>
+Fixes: 79b6bb73f888933c ("perf maps: Merge 'struct maps' with 'struct map_groups'")
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lore.kernel.org/lkml/a1a29b97a58738987d150e94d4ebfad0282fb038.1626343282.git.rickyman7@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/tests/maps.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/perf/tests/maps.c b/tools/perf/tests/maps.c
+index edcbc70ff9d6..1ac72919fa35 100644
+--- a/tools/perf/tests/maps.c
++++ b/tools/perf/tests/maps.c
+@@ -116,5 +116,7 @@ int test__maps__merge_in(struct test *t __maybe_unused, int subtest __maybe_unus
+
+ ret = check_maps(merged3, ARRAY_SIZE(merged3), &maps);
+ TEST_ASSERT_VAL("merge check failed", !ret);
++
++ maps__exit(&maps);
+ return TEST_OK;
+ }
+--
+2.30.2
+
--- /dev/null
+From e7e693c3a2ae72ae31ebadc65973e3efeba2b824 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 18:07:08 +0200
+Subject: perf test session_topology: Delete session->evlist
+
+From: Riccardo Mancini <rickyman7@gmail.com>
+
+[ Upstream commit 233f2dc1c284337286f9a64c0152236779a42f6c ]
+
+ASan reports a memory leak related to session->evlist while running:
+
+ # perf test "41: Session topology".
+
+When perf_data is in write mode, session->evlist is owned by the caller,
+which should also take care of deleting it.
+
+This patch adds the missing evlist__delete().
+
+Signed-off-by: Riccardo Mancini <rickyman7@gmail.com>
+Fixes: c84974ed9fb67293 ("perf test: Add entry to test cpu topology")
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Kan Liang <kan.liang@intel.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: http://lore.kernel.org/lkml/822f741f06eb25250fb60686cf30a35f447e9e91.1626343282.git.rickyman7@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/tests/topology.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/perf/tests/topology.c b/tools/perf/tests/topology.c
+index 22daf2bdf5fa..f4a2c0df0954 100644
+--- a/tools/perf/tests/topology.c
++++ b/tools/perf/tests/topology.c
+@@ -52,6 +52,7 @@ static int session_write_header(char *path)
+ TEST_ASSERT_VAL("failed to write header",
+ !perf_session__write_header(session, session->evlist, data.file.fd, true));
+
++ evlist__delete(session->evlist);
+ perf_session__delete(session);
+
+ return 0;
+--
+2.30.2
+
--- /dev/null
+From 809579bd89a7bc77c7be45423782f463dd19e477 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Jun 2021 18:54:38 -0700
+Subject: proc: Avoid mixing integer types in mem_rw()
+
+From: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
+
+[ Upstream commit d238692b4b9f2c36e35af4c6e6f6da36184aeb3e ]
+
+Use size_t when capping the count argument received by mem_rw(). Since
+count is size_t, using min_t(int, ...) can lead to a negative value
+that will later be passed to access_remote_vm(), which can cause
+unexpected behavior.
+
+Since we are capping the value to at maximum PAGE_SIZE, the conversion
+from size_t to int when passing it to access_remote_vm() as "len"
+shouldn't be a problem.
+
+Link: https://lkml.kernel.org/r/20210512125215.3348316-1-marcelo.cerri@canonical.com
+Reviewed-by: David Disseldorp <ddiss@suse.de>
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: Souza Cascardo <cascardo@canonical.com>
+Cc: Christian Brauner <christian.brauner@ubuntu.com>
+Cc: Michel Lespinasse <walken@google.com>
+Cc: Helge Deller <deller@gmx.de>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Lorenzo Stoakes <lstoakes@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/proc/base.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/proc/base.c b/fs/proc/base.c
+index df9b17dd92cb..5d52aea8d7e7 100644
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -855,7 +855,7 @@ static ssize_t mem_rw(struct file *file, char __user *buf,
+ flags = FOLL_FORCE | (write ? FOLL_WRITE : 0);
+
+ while (count > 0) {
+- int this_len = min_t(int, count, PAGE_SIZE);
++ size_t this_len = min_t(size_t, count, PAGE_SIZE);
+
+ if (write && copy_from_user(page, buf, this_len)) {
+ copied = -EFAULT;
+--
+2.30.2
+
--- /dev/null
+From acbd9bf133384d6aafffa6552d4fe8130d915c93 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Jul 2021 10:27:51 +0200
+Subject: pwm: sprd: Ensure configuring period and duty_cycle isn't wrongly
+ skipped
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit 65e2e6c1c20104ed19060a38f4edbf14e9f9a9a5 ]
+
+As the last call to sprd_pwm_apply() might have exited early if
+state->enabled was false, the values for period and duty_cycle stored in
+pwm->state might not have been written to hardware and it must be
+ensured that they are configured before enabling the PWM.
+
+Fixes: 8aae4b02e8a6 ("pwm: sprd: Add Spreadtrum PWM support")
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pwm/pwm-sprd.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/pwm/pwm-sprd.c b/drivers/pwm/pwm-sprd.c
+index 5123d948efd6..9eeb59cb81b6 100644
+--- a/drivers/pwm/pwm-sprd.c
++++ b/drivers/pwm/pwm-sprd.c
+@@ -180,13 +180,10 @@ static int sprd_pwm_apply(struct pwm_chip *chip, struct pwm_device *pwm,
+ }
+ }
+
+- if (state->period != cstate->period ||
+- state->duty_cycle != cstate->duty_cycle) {
+- ret = sprd_pwm_config(spc, pwm, state->duty_cycle,
+- state->period);
+- if (ret)
+- return ret;
+- }
++ ret = sprd_pwm_config(spc, pwm, state->duty_cycle,
++ state->period);
++ if (ret)
++ return ret;
+
+ sprd_pwm_write(spc, pwm->hwpwm, SPRD_PWM_ENABLE, 1);
+ } else if (cstate->enabled) {
+--
+2.30.2
+
--- /dev/null
+From 53dc42af5f5305edc947ece4146e3964d3a4580a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Jul 2021 17:17:40 +0100
+Subject: r8169: Avoid duplicate sysfs entry creation error
+
+From: Sayanta Pattanayak <sayanta.pattanayak@arm.com>
+
+[ Upstream commit e9a72f874d5b95cef0765bafc56005a50f72c5fe ]
+
+When registering the MDIO bus for a r8169 device, we use the PCI
+bus/device specifier as a (seemingly) unique device identifier.
+However the very same BDF number can be used on another PCI segment,
+which makes the driver fail probing:
+
+[ 27.544136] r8169 0002:07:00.0: enabling device (0000 -> 0003)
+[ 27.559734] sysfs: cannot create duplicate filename '/class/mdio_bus/r8169-700'
+....
+[ 27.684858] libphy: mii_bus r8169-700 failed to register
+[ 27.695602] r8169: probe of 0002:07:00.0 failed with error -22
+
+Add the segment number to the device name to make it more unique.
+
+This fixes operation on ARM N1SDP boards, with two boards connected
+together to form an SMP system, and all on-board devices showing up
+twice, just on different PCI segments. A similar issue would occur on
+large systems with many PCI slots and multiple RTL8169 NICs.
+
+Fixes: f1e911d5d0dfd ("r8169: add basic phylib support")
+Signed-off-by: Sayanta Pattanayak <sayanta.pattanayak@arm.com>
+[Andre: expand commit message, use pci_domain_nr()]
+Signed-off-by: Andre Przywara <andre.przywara@arm.com>
+Acked-by: Heiner Kallweit <hkallweit1@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/realtek/r8169_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c
+index 9010aabd9782..e690a1b09e98 100644
+--- a/drivers/net/ethernet/realtek/r8169_main.c
++++ b/drivers/net/ethernet/realtek/r8169_main.c
+@@ -5160,7 +5160,8 @@ static int r8169_mdio_register(struct rtl8169_private *tp)
+ new_bus->priv = tp;
+ new_bus->parent = &pdev->dev;
+ new_bus->irq[0] = PHY_IGNORE_INTERRUPT;
+- snprintf(new_bus->id, MII_BUS_ID_SIZE, "r8169-%x", pci_dev_id(pdev));
++ snprintf(new_bus->id, MII_BUS_ID_SIZE, "r8169-%x-%x",
++ pci_domain_nr(pdev->bus), pci_dev_id(pdev));
+
+ new_bus->read = r8169_mdio_read_reg;
+ new_bus->write = r8169_mdio_write_reg;
+--
+2.30.2
+
--- /dev/null
+From a0ad14fd6576dac3cbc155097fb2680e804cb006 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Jun 2021 17:59:59 +0800
+Subject: regulator: hi6421: Fix getting wrong drvdata
+
+From: Axel Lin <axel.lin@ingics.com>
+
+[ Upstream commit 1c73daee4bf30ccdff5e86dc400daa6f74735da5 ]
+
+Since config.dev = pdev->dev.parent in current code, so
+dev_get_drvdata(rdev->dev.parent) call in hi6421_regulator_enable
+returns the drvdata of the mfd device rather than the regulator. Fix it.
+
+This was broken while converting to use simplified DT parsing because the
+config.dev changed from pdev->dev to pdev->dev.parent for parsing the
+parent's of_node.
+
+Fixes: 29dc269a85ef ("regulator: hi6421: Convert to use simplified DT parsing")
+Signed-off-by: Axel Lin <axel.lin@ingics.com>
+Link: https://lore.kernel.org/r/20210630095959.2411543-1-axel.lin@ingics.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/hi6421-regulator.c | 22 +++++++++++++---------
+ 1 file changed, 13 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/regulator/hi6421-regulator.c b/drivers/regulator/hi6421-regulator.c
+index bff8c515dcde..d144a4bdb76d 100644
+--- a/drivers/regulator/hi6421-regulator.c
++++ b/drivers/regulator/hi6421-regulator.c
+@@ -366,9 +366,8 @@ static struct hi6421_regulator_info
+
+ static int hi6421_regulator_enable(struct regulator_dev *rdev)
+ {
+- struct hi6421_regulator_pdata *pdata;
++ struct hi6421_regulator_pdata *pdata = rdev_get_drvdata(rdev);
+
+- pdata = dev_get_drvdata(rdev->dev.parent);
+ /* hi6421 spec requires regulator enablement must be serialized:
+ * - Because when BUCK, LDO switching from off to on, it will have
+ * a huge instantaneous current; so you can not turn on two or
+@@ -385,9 +384,10 @@ static int hi6421_regulator_enable(struct regulator_dev *rdev)
+
+ static unsigned int hi6421_regulator_ldo_get_mode(struct regulator_dev *rdev)
+ {
+- struct hi6421_regulator_info *info = rdev_get_drvdata(rdev);
++ struct hi6421_regulator_info *info;
+ unsigned int reg_val;
+
++ info = container_of(rdev->desc, struct hi6421_regulator_info, desc);
+ regmap_read(rdev->regmap, rdev->desc->enable_reg, ®_val);
+ if (reg_val & info->mode_mask)
+ return REGULATOR_MODE_IDLE;
+@@ -397,9 +397,10 @@ static unsigned int hi6421_regulator_ldo_get_mode(struct regulator_dev *rdev)
+
+ static unsigned int hi6421_regulator_buck_get_mode(struct regulator_dev *rdev)
+ {
+- struct hi6421_regulator_info *info = rdev_get_drvdata(rdev);
++ struct hi6421_regulator_info *info;
+ unsigned int reg_val;
+
++ info = container_of(rdev->desc, struct hi6421_regulator_info, desc);
+ regmap_read(rdev->regmap, rdev->desc->enable_reg, ®_val);
+ if (reg_val & info->mode_mask)
+ return REGULATOR_MODE_STANDBY;
+@@ -410,9 +411,10 @@ static unsigned int hi6421_regulator_buck_get_mode(struct regulator_dev *rdev)
+ static int hi6421_regulator_ldo_set_mode(struct regulator_dev *rdev,
+ unsigned int mode)
+ {
+- struct hi6421_regulator_info *info = rdev_get_drvdata(rdev);
++ struct hi6421_regulator_info *info;
+ unsigned int new_mode;
+
++ info = container_of(rdev->desc, struct hi6421_regulator_info, desc);
+ switch (mode) {
+ case REGULATOR_MODE_NORMAL:
+ new_mode = 0;
+@@ -434,9 +436,10 @@ static int hi6421_regulator_ldo_set_mode(struct regulator_dev *rdev,
+ static int hi6421_regulator_buck_set_mode(struct regulator_dev *rdev,
+ unsigned int mode)
+ {
+- struct hi6421_regulator_info *info = rdev_get_drvdata(rdev);
++ struct hi6421_regulator_info *info;
+ unsigned int new_mode;
+
++ info = container_of(rdev->desc, struct hi6421_regulator_info, desc);
+ switch (mode) {
+ case REGULATOR_MODE_NORMAL:
+ new_mode = 0;
+@@ -459,7 +462,9 @@ static unsigned int
+ hi6421_regulator_ldo_get_optimum_mode(struct regulator_dev *rdev,
+ int input_uV, int output_uV, int load_uA)
+ {
+- struct hi6421_regulator_info *info = rdev_get_drvdata(rdev);
++ struct hi6421_regulator_info *info;
++
++ info = container_of(rdev->desc, struct hi6421_regulator_info, desc);
+
+ if (load_uA > info->eco_microamp)
+ return REGULATOR_MODE_NORMAL;
+@@ -543,14 +548,13 @@ static int hi6421_regulator_probe(struct platform_device *pdev)
+ if (!pdata)
+ return -ENOMEM;
+ mutex_init(&pdata->lock);
+- platform_set_drvdata(pdev, pdata);
+
+ for (i = 0; i < ARRAY_SIZE(hi6421_regulator_info); i++) {
+ /* assign per-regulator data */
+ info = &hi6421_regulator_info[i];
+
+ config.dev = pdev->dev.parent;
+- config.driver_data = info;
++ config.driver_data = pdata;
+ config.regmap = pmic->regmap;
+
+ rdev = devm_regulator_register(&pdev->dev, &info->desc,
+--
+2.30.2
+
--- /dev/null
+From f8a761de36bca9cb0ad50123ede6008f4267dac4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Jun 2021 20:41:33 +0800
+Subject: regulator: hi6421: Use correct variable type for regmap api val
+ argument
+
+From: Axel Lin <axel.lin@ingics.com>
+
+[ Upstream commit ae60e6a9d24e89a74e2512204ad04de94921bdd2 ]
+
+Use unsigned int instead of u32 for regmap_read/regmap_update_bits val
+argument.
+
+Signed-off-by: Axel Lin <axel.lin@ingics.com>
+Link: https://lore.kernel.org/r/20210619124133.4096683-1-axel.lin@ingics.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/hi6421-regulator.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/regulator/hi6421-regulator.c b/drivers/regulator/hi6421-regulator.c
+index dc631c1a46b4..bff8c515dcde 100644
+--- a/drivers/regulator/hi6421-regulator.c
++++ b/drivers/regulator/hi6421-regulator.c
+@@ -386,7 +386,7 @@ static int hi6421_regulator_enable(struct regulator_dev *rdev)
+ static unsigned int hi6421_regulator_ldo_get_mode(struct regulator_dev *rdev)
+ {
+ struct hi6421_regulator_info *info = rdev_get_drvdata(rdev);
+- u32 reg_val;
++ unsigned int reg_val;
+
+ regmap_read(rdev->regmap, rdev->desc->enable_reg, ®_val);
+ if (reg_val & info->mode_mask)
+@@ -398,7 +398,7 @@ static unsigned int hi6421_regulator_ldo_get_mode(struct regulator_dev *rdev)
+ static unsigned int hi6421_regulator_buck_get_mode(struct regulator_dev *rdev)
+ {
+ struct hi6421_regulator_info *info = rdev_get_drvdata(rdev);
+- u32 reg_val;
++ unsigned int reg_val;
+
+ regmap_read(rdev->regmap, rdev->desc->enable_reg, ®_val);
+ if (reg_val & info->mode_mask)
+@@ -411,7 +411,7 @@ static int hi6421_regulator_ldo_set_mode(struct regulator_dev *rdev,
+ unsigned int mode)
+ {
+ struct hi6421_regulator_info *info = rdev_get_drvdata(rdev);
+- u32 new_mode;
++ unsigned int new_mode;
+
+ switch (mode) {
+ case REGULATOR_MODE_NORMAL:
+@@ -435,7 +435,7 @@ static int hi6421_regulator_buck_set_mode(struct regulator_dev *rdev,
+ unsigned int mode)
+ {
+ struct hi6421_regulator_info *info = rdev_get_drvdata(rdev);
+- u32 new_mode;
++ unsigned int new_mode;
+
+ switch (mode) {
+ case REGULATOR_MODE_NORMAL:
+--
+2.30.2
+
--- /dev/null
+From c8cb3b3e3648e39b913d005eda23429770055d89 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jul 2021 11:25:16 +0200
+Subject: Revert "USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE
+ modem"
+
+From: Vincent Palatin <vpalatin@chromium.org>
+
+[ Upstream commit f3a1a937f7b240be623d989c8553a6d01465d04f ]
+
+This reverts commit 0bd860493f81eb2a46173f6f5e44cc38331c8dbd.
+
+While the patch was working as stated,ie preventing the L850-GL LTE modem
+from crashing on some U3 wake-ups due to a race condition between the
+host wake-up and the modem-side wake-up, when using the MBIM interface,
+this would force disabling the USB runtime PM on the device.
+
+The increased power consumption is significant for LTE laptops,
+and given that with decently recent modem firmwares, when the modem hits
+the bug, it automatically recovers (ie it drops from the bus, but
+automatically re-enumerates after less than half a second, rather than being
+stuck until a power cycle as it was doing with ancient firmware), for
+most people, the trade-off now seems in favor of re-enabling it by
+default.
+
+For people with access to the platform code, the bug can also be worked-around
+successfully by changing the USB3 LFPM polling off-time for the XHCI
+controller in the BIOS code.
+
+Signed-off-by: Vincent Palatin <vpalatin@chromium.org>
+Link: https://lore.kernel.org/r/20210721092516.2775971-1-vpalatin@chromium.org
+Fixes: 0bd860493f81 ("USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE modem")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/core/quirks.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c
+index 21e7522655ac..a54a735b6384 100644
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -502,10 +502,6 @@ static const struct usb_device_id usb_quirk_list[] = {
+ /* DJI CineSSD */
+ { USB_DEVICE(0x2ca3, 0x0031), .driver_info = USB_QUIRK_NO_LPM },
+
+- /* Fibocom L850-GL LTE Modem */
+- { USB_DEVICE(0x2cb7, 0x0007), .driver_info =
+- USB_QUIRK_IGNORE_REMOTE_WAKEUP },
+-
+ /* INTEL VALUE SSD */
+ { USB_DEVICE(0x8086, 0xf1a5), .driver_info = USB_QUIRK_RESET_RESUME },
+
+--
+2.30.2
+
--- /dev/null
+From 9937d7d1a324657ad54c78ddc31fc60f5b1ba40c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jul 2021 13:57:12 +0100
+Subject: s390/bpf: Perform r1 range checking before accessing
+ jit->seen_reg[r1]
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 91091656252f5d6d8c476e0c92776ce9fae7b445 ]
+
+Currently array jit->seen_reg[r1] is being accessed before the range
+checking of index r1. The range changing on r1 should be performed
+first since it will avoid any potential out-of-range accesses on the
+array seen_reg[] and also it is more optimal to perform checks on r1
+before fetching data from the array. Fix this by swapping the order
+of the checks before the array access.
+
+Fixes: 054623105728 ("s390/bpf: Add s390x eBPF JIT compiler backend")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Link: https://lore.kernel.org/bpf/20210715125712.24690-1-colin.king@canonical.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/net/bpf_jit_comp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c
+index 0a4182792876..fc44dce59536 100644
+--- a/arch/s390/net/bpf_jit_comp.c
++++ b/arch/s390/net/bpf_jit_comp.c
+@@ -112,7 +112,7 @@ static inline void reg_set_seen(struct bpf_jit *jit, u32 b1)
+ {
+ u32 r1 = reg2hex[b1];
+
+- if (!jit->seen_reg[r1] && r1 >= 6 && r1 <= 15)
++ if (r1 >= 6 && r1 <= 15 && !jit->seen_reg[r1])
+ jit->seen_reg[r1] = 1;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 5678897f2735e2ee5c51db1e0d7764cd14eba73e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Jun 2021 19:25:59 -0500
+Subject: scsi: iscsi: Fix iface sysfs attr detection
+
+From: Mike Christie <michael.christie@oracle.com>
+
+[ Upstream commit e746f3451ec7f91dcc9fd67a631239c715850a34 ]
+
+A ISCSI_IFACE_PARAM can have the same value as a ISCSI_NET_PARAM so when
+iscsi_iface_attr_is_visible tries to figure out the type by just checking
+the value, we can collide and return the wrong type. When we call into the
+driver we might not match and return that we don't want attr visible in
+sysfs. The patch fixes this by setting the type when we figure out what the
+param is.
+
+Link: https://lore.kernel.org/r/20210701002559.89533-1-michael.christie@oracle.com
+Fixes: 3e0f65b34cc9 ("[SCSI] iscsi_transport: Additional parameters for network settings")
+Signed-off-by: Mike Christie <michael.christie@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi_transport_iscsi.c | 90 +++++++++++------------------
+ 1 file changed, 34 insertions(+), 56 deletions(-)
+
+diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
+index 2171dab3e5dc..ac07a9ef3578 100644
+--- a/drivers/scsi/scsi_transport_iscsi.c
++++ b/drivers/scsi/scsi_transport_iscsi.c
+@@ -440,39 +440,10 @@ static umode_t iscsi_iface_attr_is_visible(struct kobject *kobj,
+ struct device *dev = container_of(kobj, struct device, kobj);
+ struct iscsi_iface *iface = iscsi_dev_to_iface(dev);
+ struct iscsi_transport *t = iface->transport;
+- int param;
+- int param_type;
++ int param = -1;
+
+ if (attr == &dev_attr_iface_enabled.attr)
+ param = ISCSI_NET_PARAM_IFACE_ENABLE;
+- else if (attr == &dev_attr_iface_vlan_id.attr)
+- param = ISCSI_NET_PARAM_VLAN_ID;
+- else if (attr == &dev_attr_iface_vlan_priority.attr)
+- param = ISCSI_NET_PARAM_VLAN_PRIORITY;
+- else if (attr == &dev_attr_iface_vlan_enabled.attr)
+- param = ISCSI_NET_PARAM_VLAN_ENABLED;
+- else if (attr == &dev_attr_iface_mtu.attr)
+- param = ISCSI_NET_PARAM_MTU;
+- else if (attr == &dev_attr_iface_port.attr)
+- param = ISCSI_NET_PARAM_PORT;
+- else if (attr == &dev_attr_iface_ipaddress_state.attr)
+- param = ISCSI_NET_PARAM_IPADDR_STATE;
+- else if (attr == &dev_attr_iface_delayed_ack_en.attr)
+- param = ISCSI_NET_PARAM_DELAYED_ACK_EN;
+- else if (attr == &dev_attr_iface_tcp_nagle_disable.attr)
+- param = ISCSI_NET_PARAM_TCP_NAGLE_DISABLE;
+- else if (attr == &dev_attr_iface_tcp_wsf_disable.attr)
+- param = ISCSI_NET_PARAM_TCP_WSF_DISABLE;
+- else if (attr == &dev_attr_iface_tcp_wsf.attr)
+- param = ISCSI_NET_PARAM_TCP_WSF;
+- else if (attr == &dev_attr_iface_tcp_timer_scale.attr)
+- param = ISCSI_NET_PARAM_TCP_TIMER_SCALE;
+- else if (attr == &dev_attr_iface_tcp_timestamp_en.attr)
+- param = ISCSI_NET_PARAM_TCP_TIMESTAMP_EN;
+- else if (attr == &dev_attr_iface_cache_id.attr)
+- param = ISCSI_NET_PARAM_CACHE_ID;
+- else if (attr == &dev_attr_iface_redirect_en.attr)
+- param = ISCSI_NET_PARAM_REDIRECT_EN;
+ else if (attr == &dev_attr_iface_def_taskmgmt_tmo.attr)
+ param = ISCSI_IFACE_PARAM_DEF_TASKMGMT_TMO;
+ else if (attr == &dev_attr_iface_header_digest.attr)
+@@ -509,6 +480,38 @@ static umode_t iscsi_iface_attr_is_visible(struct kobject *kobj,
+ param = ISCSI_IFACE_PARAM_STRICT_LOGIN_COMP_EN;
+ else if (attr == &dev_attr_iface_initiator_name.attr)
+ param = ISCSI_IFACE_PARAM_INITIATOR_NAME;
++
++ if (param != -1)
++ return t->attr_is_visible(ISCSI_IFACE_PARAM, param);
++
++ if (attr == &dev_attr_iface_vlan_id.attr)
++ param = ISCSI_NET_PARAM_VLAN_ID;
++ else if (attr == &dev_attr_iface_vlan_priority.attr)
++ param = ISCSI_NET_PARAM_VLAN_PRIORITY;
++ else if (attr == &dev_attr_iface_vlan_enabled.attr)
++ param = ISCSI_NET_PARAM_VLAN_ENABLED;
++ else if (attr == &dev_attr_iface_mtu.attr)
++ param = ISCSI_NET_PARAM_MTU;
++ else if (attr == &dev_attr_iface_port.attr)
++ param = ISCSI_NET_PARAM_PORT;
++ else if (attr == &dev_attr_iface_ipaddress_state.attr)
++ param = ISCSI_NET_PARAM_IPADDR_STATE;
++ else if (attr == &dev_attr_iface_delayed_ack_en.attr)
++ param = ISCSI_NET_PARAM_DELAYED_ACK_EN;
++ else if (attr == &dev_attr_iface_tcp_nagle_disable.attr)
++ param = ISCSI_NET_PARAM_TCP_NAGLE_DISABLE;
++ else if (attr == &dev_attr_iface_tcp_wsf_disable.attr)
++ param = ISCSI_NET_PARAM_TCP_WSF_DISABLE;
++ else if (attr == &dev_attr_iface_tcp_wsf.attr)
++ param = ISCSI_NET_PARAM_TCP_WSF;
++ else if (attr == &dev_attr_iface_tcp_timer_scale.attr)
++ param = ISCSI_NET_PARAM_TCP_TIMER_SCALE;
++ else if (attr == &dev_attr_iface_tcp_timestamp_en.attr)
++ param = ISCSI_NET_PARAM_TCP_TIMESTAMP_EN;
++ else if (attr == &dev_attr_iface_cache_id.attr)
++ param = ISCSI_NET_PARAM_CACHE_ID;
++ else if (attr == &dev_attr_iface_redirect_en.attr)
++ param = ISCSI_NET_PARAM_REDIRECT_EN;
+ else if (iface->iface_type == ISCSI_IFACE_TYPE_IPV4) {
+ if (attr == &dev_attr_ipv4_iface_ipaddress.attr)
+ param = ISCSI_NET_PARAM_IPV4_ADDR;
+@@ -599,32 +602,7 @@ static umode_t iscsi_iface_attr_is_visible(struct kobject *kobj,
+ return 0;
+ }
+
+- switch (param) {
+- case ISCSI_IFACE_PARAM_DEF_TASKMGMT_TMO:
+- case ISCSI_IFACE_PARAM_HDRDGST_EN:
+- case ISCSI_IFACE_PARAM_DATADGST_EN:
+- case ISCSI_IFACE_PARAM_IMM_DATA_EN:
+- case ISCSI_IFACE_PARAM_INITIAL_R2T_EN:
+- case ISCSI_IFACE_PARAM_DATASEQ_INORDER_EN:
+- case ISCSI_IFACE_PARAM_PDU_INORDER_EN:
+- case ISCSI_IFACE_PARAM_ERL:
+- case ISCSI_IFACE_PARAM_MAX_RECV_DLENGTH:
+- case ISCSI_IFACE_PARAM_FIRST_BURST:
+- case ISCSI_IFACE_PARAM_MAX_R2T:
+- case ISCSI_IFACE_PARAM_MAX_BURST:
+- case ISCSI_IFACE_PARAM_CHAP_AUTH_EN:
+- case ISCSI_IFACE_PARAM_BIDI_CHAP_EN:
+- case ISCSI_IFACE_PARAM_DISCOVERY_AUTH_OPTIONAL:
+- case ISCSI_IFACE_PARAM_DISCOVERY_LOGOUT_EN:
+- case ISCSI_IFACE_PARAM_STRICT_LOGIN_COMP_EN:
+- case ISCSI_IFACE_PARAM_INITIATOR_NAME:
+- param_type = ISCSI_IFACE_PARAM;
+- break;
+- default:
+- param_type = ISCSI_NET_PARAM;
+- }
+-
+- return t->attr_is_visible(param_type, param);
++ return t->attr_is_visible(ISCSI_NET_PARAM, param);
+ }
+
+ static struct attribute *iscsi_iface_attrs[] = {
+--
+2.30.2
+
--- /dev/null
+From 07f64b53e83ccbce01fa92e0c052ce97a2b835d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Jul 2021 12:16:55 +0300
+Subject: scsi: target: Fix protect handling in WRITE SAME(32)
+
+From: Dmitry Bogdanov <d.bogdanov@yadro.com>
+
+[ Upstream commit 6d8e7e7c932162bccd06872362751b0e1d76f5af ]
+
+WRITE SAME(32) command handling reads WRPROTECT at the wrong offset in 1st
+byte instead of 10th byte.
+
+Link: https://lore.kernel.org/r/20210702091655.22818-1-d.bogdanov@yadro.com
+Fixes: afd73f1b60fc ("target: Perform PROTECT sanity checks for WRITE_SAME")
+Signed-off-by: Dmitry Bogdanov <d.bogdanov@yadro.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/target_core_sbc.c | 35 ++++++++++++++++----------------
+ 1 file changed, 17 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/target/target_core_sbc.c b/drivers/target/target_core_sbc.c
+index 6e8b8d30938f..eaf8551ebc61 100644
+--- a/drivers/target/target_core_sbc.c
++++ b/drivers/target/target_core_sbc.c
+@@ -25,7 +25,7 @@
+ #include "target_core_alua.h"
+
+ static sense_reason_t
+-sbc_check_prot(struct se_device *, struct se_cmd *, unsigned char *, u32, bool);
++sbc_check_prot(struct se_device *, struct se_cmd *, unsigned char, u32, bool);
+ static sense_reason_t sbc_execute_unmap(struct se_cmd *cmd);
+
+ static sense_reason_t
+@@ -279,14 +279,14 @@ static inline unsigned long long transport_lba_64_ext(unsigned char *cdb)
+ }
+
+ static sense_reason_t
+-sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *ops)
++sbc_setup_write_same(struct se_cmd *cmd, unsigned char flags, struct sbc_ops *ops)
+ {
+ struct se_device *dev = cmd->se_dev;
+ sector_t end_lba = dev->transport->get_blocks(dev) + 1;
+ unsigned int sectors = sbc_get_write_same_sectors(cmd);
+ sense_reason_t ret;
+
+- if ((flags[0] & 0x04) || (flags[0] & 0x02)) {
++ if ((flags & 0x04) || (flags & 0x02)) {
+ pr_err("WRITE_SAME PBDATA and LBDATA"
+ " bits not supported for Block Discard"
+ " Emulation\n");
+@@ -308,7 +308,7 @@ sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *o
+ }
+
+ /* We always have ANC_SUP == 0 so setting ANCHOR is always an error */
+- if (flags[0] & 0x10) {
++ if (flags & 0x10) {
+ pr_warn("WRITE SAME with ANCHOR not supported\n");
+ return TCM_INVALID_CDB_FIELD;
+ }
+@@ -316,7 +316,7 @@ sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *o
+ * Special case for WRITE_SAME w/ UNMAP=1 that ends up getting
+ * translated into block discard requests within backend code.
+ */
+- if (flags[0] & 0x08) {
++ if (flags & 0x08) {
+ if (!ops->execute_unmap)
+ return TCM_UNSUPPORTED_SCSI_OPCODE;
+
+@@ -331,7 +331,7 @@ sbc_setup_write_same(struct se_cmd *cmd, unsigned char *flags, struct sbc_ops *o
+ if (!ops->execute_write_same)
+ return TCM_UNSUPPORTED_SCSI_OPCODE;
+
+- ret = sbc_check_prot(dev, cmd, &cmd->t_task_cdb[0], sectors, true);
++ ret = sbc_check_prot(dev, cmd, flags >> 5, sectors, true);
+ if (ret)
+ return ret;
+
+@@ -686,10 +686,9 @@ sbc_set_prot_op_checks(u8 protect, bool fabric_prot, enum target_prot_type prot_
+ }
+
+ static sense_reason_t
+-sbc_check_prot(struct se_device *dev, struct se_cmd *cmd, unsigned char *cdb,
++sbc_check_prot(struct se_device *dev, struct se_cmd *cmd, unsigned char protect,
+ u32 sectors, bool is_write)
+ {
+- u8 protect = cdb[1] >> 5;
+ int sp_ops = cmd->se_sess->sup_prot_ops;
+ int pi_prot_type = dev->dev_attrib.pi_prot_type;
+ bool fabric_prot = false;
+@@ -737,7 +736,7 @@ sbc_check_prot(struct se_device *dev, struct se_cmd *cmd, unsigned char *cdb,
+ fallthrough;
+ default:
+ pr_err("Unable to determine pi_prot_type for CDB: 0x%02x "
+- "PROTECT: 0x%02x\n", cdb[0], protect);
++ "PROTECT: 0x%02x\n", cmd->t_task_cdb[0], protect);
+ return TCM_INVALID_CDB_FIELD;
+ }
+
+@@ -812,7 +811,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
+ if (sbc_check_dpofua(dev, cmd, cdb))
+ return TCM_INVALID_CDB_FIELD;
+
+- ret = sbc_check_prot(dev, cmd, cdb, sectors, false);
++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, false);
+ if (ret)
+ return ret;
+
+@@ -826,7 +825,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
+ if (sbc_check_dpofua(dev, cmd, cdb))
+ return TCM_INVALID_CDB_FIELD;
+
+- ret = sbc_check_prot(dev, cmd, cdb, sectors, false);
++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, false);
+ if (ret)
+ return ret;
+
+@@ -840,7 +839,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
+ if (sbc_check_dpofua(dev, cmd, cdb))
+ return TCM_INVALID_CDB_FIELD;
+
+- ret = sbc_check_prot(dev, cmd, cdb, sectors, false);
++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, false);
+ if (ret)
+ return ret;
+
+@@ -861,7 +860,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
+ if (sbc_check_dpofua(dev, cmd, cdb))
+ return TCM_INVALID_CDB_FIELD;
+
+- ret = sbc_check_prot(dev, cmd, cdb, sectors, true);
++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, true);
+ if (ret)
+ return ret;
+
+@@ -875,7 +874,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
+ if (sbc_check_dpofua(dev, cmd, cdb))
+ return TCM_INVALID_CDB_FIELD;
+
+- ret = sbc_check_prot(dev, cmd, cdb, sectors, true);
++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, true);
+ if (ret)
+ return ret;
+
+@@ -890,7 +889,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
+ if (sbc_check_dpofua(dev, cmd, cdb))
+ return TCM_INVALID_CDB_FIELD;
+
+- ret = sbc_check_prot(dev, cmd, cdb, sectors, true);
++ ret = sbc_check_prot(dev, cmd, cdb[1] >> 5, sectors, true);
+ if (ret)
+ return ret;
+
+@@ -949,7 +948,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
+ size = sbc_get_size(cmd, 1);
+ cmd->t_task_lba = get_unaligned_be64(&cdb[12]);
+
+- ret = sbc_setup_write_same(cmd, &cdb[10], ops);
++ ret = sbc_setup_write_same(cmd, cdb[10], ops);
+ if (ret)
+ return ret;
+ break;
+@@ -1048,7 +1047,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
+ size = sbc_get_size(cmd, 1);
+ cmd->t_task_lba = get_unaligned_be64(&cdb[2]);
+
+- ret = sbc_setup_write_same(cmd, &cdb[1], ops);
++ ret = sbc_setup_write_same(cmd, cdb[1], ops);
+ if (ret)
+ return ret;
+ break;
+@@ -1066,7 +1065,7 @@ sbc_parse_cdb(struct se_cmd *cmd, struct sbc_ops *ops)
+ * Follow sbcr26 with WRITE_SAME (10) and check for the existence
+ * of byte 1 bit 3 UNMAP instead of original reserved field
+ */
+- ret = sbc_setup_write_same(cmd, &cdb[1], ops);
++ ret = sbc_setup_write_same(cmd, cdb[1], ops);
+ if (ret)
+ return ret;
+ break;
+--
+2.30.2
+
--- /dev/null
+From e3dd03de9ba44c5b594b20a1bd60eab6dd76b628 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Jul 2021 17:19:19 -0400
+Subject: sctp: trim optlen when it's a huge value in sctp_setsockopt
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 2f3fdd8d4805015fa964807e1c7f3d88f31bd389 ]
+
+After commit ca84bd058dae ("sctp: copy the optval from user space in
+sctp_setsockopt"), it does memory allocation in sctp_setsockopt with
+the optlen, and it would fail the allocation and return error if the
+optlen from user space is a huge value.
+
+This breaks some sockopts, like SCTP_HMAC_IDENT, SCTP_RESET_STREAMS and
+SCTP_AUTH_KEY, as when processing these sockopts before, optlen would
+be trimmed to a biggest value it needs when optlen is a huge value,
+instead of failing the allocation and returning error.
+
+This patch is to fix the allocation failure when it's a huge optlen from
+user space by trimming it to the biggest size sctp sockopt may need when
+necessary, and this biggest size is from sctp_setsockopt_reset_streams()
+for SCTP_RESET_STREAMS, which is bigger than those for SCTP_HMAC_IDENT
+and SCTP_AUTH_KEY.
+
+Fixes: ca84bd058dae ("sctp: copy the optval from user space in sctp_setsockopt")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/socket.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index 3ac6b21ecf2c..e872bc50bbe6 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -4471,6 +4471,10 @@ static int sctp_setsockopt(struct sock *sk, int level, int optname,
+ }
+
+ if (optlen > 0) {
++ /* Trim it to the biggest size sctp sockopt may need if necessary */
++ optlen = min_t(unsigned int, optlen,
++ PAGE_ALIGN(USHRT_MAX +
++ sizeof(__u16) * sizeof(struct sctp_reset_streams)));
+ kopt = memdup_sockptr(optval, optlen);
+ if (IS_ERR(kopt))
+ return PTR_ERR(kopt);
+--
+2.30.2
+
--- /dev/null
+From 951ac6b1de3d27f3a73e4f7e40762ba80ca2aef9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Jul 2021 16:07:01 -0400
+Subject: sctp: update active_key for asoc when old key is being replaced
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 58acd10092268831e49de279446c314727101292 ]
+
+syzbot reported a call trace:
+
+ BUG: KASAN: use-after-free in sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112
+ Call Trace:
+ sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112
+ sctp_set_owner_w net/sctp/socket.c:131 [inline]
+ sctp_sendmsg_to_asoc+0x152e/0x2180 net/sctp/socket.c:1865
+ sctp_sendmsg+0x103b/0x1d30 net/sctp/socket.c:2027
+ inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:821
+ sock_sendmsg_nosec net/socket.c:703 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:723
+
+This is an use-after-free issue caused by not updating asoc->shkey after
+it was replaced in the key list asoc->endpoint_shared_keys, and the old
+key was freed.
+
+This patch is to fix by also updating active_key for asoc when old key is
+being replaced with a new one. Note that this issue doesn't exist in
+sctp_auth_del_key_id(), as it's not allowed to delete the active_key
+from the asoc.
+
+Fixes: 1b1e0bc99474 ("sctp: add refcnt support for sh_key")
+Reported-by: syzbot+b774577370208727d12b@syzkaller.appspotmail.com
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/auth.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/sctp/auth.c b/net/sctp/auth.c
+index 6f8319b828b0..fe74c5f95630 100644
+--- a/net/sctp/auth.c
++++ b/net/sctp/auth.c
+@@ -860,6 +860,8 @@ int sctp_auth_set_key(struct sctp_endpoint *ep,
+ if (replace) {
+ list_del_init(&shkey->key_list);
+ sctp_auth_shkey_release(shkey);
++ if (asoc && asoc->active_key_id == auth_key->sca_keynumber)
++ sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL);
+ }
+ list_add(&cur_key->key_list, sh_keys);
+
+--
+2.30.2
+
--- /dev/null
+From ec21e23c2988af2f1c6571c705989cd32a45cbb8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Jul 2021 16:15:30 +0800
+Subject: selftests: icmp_redirect: IPv6 PMTU info should be cleared after
+ redirect
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 0e02bf5de46ae30074a2e1a8194a422a84482a1a ]
+
+After redirecting, it's already a new path. So the old PMTU info should
+be cleared. The IPv6 test "mtu exception plus redirect" should only
+has redirect info without old PMTU.
+
+The IPv4 test can not be changed because of legacy.
+
+Fixes: ec8105352869 ("selftests: Add redirect tests")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/icmp_redirect.sh | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/net/icmp_redirect.sh b/tools/testing/selftests/net/icmp_redirect.sh
+index bfcabee50155..104a7a5f13b1 100755
+--- a/tools/testing/selftests/net/icmp_redirect.sh
++++ b/tools/testing/selftests/net/icmp_redirect.sh
+@@ -309,9 +309,10 @@ check_exception()
+ fi
+ log_test $? 0 "IPv4: ${desc}"
+
+- if [ "$with_redirect" = "yes" ]; then
++ # No PMTU info for test "redirect" and "mtu exception plus redirect"
++ if [ "$with_redirect" = "yes" ] && [ "$desc" != "redirect exception plus mtu" ]; then
+ ip -netns h1 -6 ro get ${H1_VRF_ARG} ${H2_N2_IP6} | \
+- grep -q "${H2_N2_IP6} .*via ${R2_LLADDR} dev br0.*${mtu}"
++ grep -v "mtu" | grep -q "${H2_N2_IP6} .*via ${R2_LLADDR} dev br0"
+ elif [ -n "${mtu}" ]; then
+ ip -netns h1 -6 ro get ${H1_VRF_ARG} ${H2_N2_IP6} | \
+ grep -q "${mtu}"
+--
+2.30.2
+
--- /dev/null
+From da91ad43915a3a981c2a8dd2d28d9e2b08b1be11 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Jul 2021 16:15:29 +0800
+Subject: selftests: icmp_redirect: remove from checking for IPv6 route get
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 24b671aad4eae423e1abf5b7f08d9a5235458b8d ]
+
+If the kernel doesn't enable option CONFIG_IPV6_SUBTREES, the RTA_SRC
+info will not be exported to userspace in rt6_fill_node(). And ip cmd will
+not print "from ::" to the route output. So remove this check.
+
+Fixes: ec8105352869 ("selftests: Add redirect tests")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/icmp_redirect.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/icmp_redirect.sh b/tools/testing/selftests/net/icmp_redirect.sh
+index bf361f30d6ef..bfcabee50155 100755
+--- a/tools/testing/selftests/net/icmp_redirect.sh
++++ b/tools/testing/selftests/net/icmp_redirect.sh
+@@ -311,7 +311,7 @@ check_exception()
+
+ if [ "$with_redirect" = "yes" ]; then
+ ip -netns h1 -6 ro get ${H1_VRF_ARG} ${H2_N2_IP6} | \
+- grep -q "${H2_N2_IP6} from :: via ${R2_LLADDR} dev br0.*${mtu}"
++ grep -q "${H2_N2_IP6} .*via ${R2_LLADDR} dev br0.*${mtu}"
+ elif [ -n "${mtu}" ]; then
+ ip -netns h1 -6 ro get ${H1_VRF_ARG} ${H2_N2_IP6} | \
+ grep -q "${mtu}"
+--
+2.30.2
+
--- /dev/null
+igc-fix-use-after-free-error-during-reset.patch
+igb-fix-use-after-free-error-during-reset.patch
+igc-change-default-return-of-igc_read_phy_reg.patch
+ixgbe-fix-an-error-handling-path-in-ixgbe_probe.patch
+igc-fix-an-error-handling-path-in-igc_probe.patch
+igb-fix-an-error-handling-path-in-igb_probe.patch
+fm10k-fix-an-error-handling-path-in-fm10k_probe.patch
+e1000e-fix-an-error-handling-path-in-e1000_probe.patch
+iavf-fix-an-error-handling-path-in-iavf_probe.patch
+igb-check-if-num-of-q_vectors-is-smaller-than-max-be.patch
+igb-fix-position-of-assignment-to-ring.patch
+gve-fix-an-error-handling-path-in-gve_probe.patch
+net-add-kcov-handle-to-skb-extensions.patch
+net-introduce-preferred-busy-polling.patch
+bonding-fix-suspicious-rcu-usage-in-bond_ipsec_add_s.patch
+bonding-fix-null-dereference-in-bond_ipsec_add_sa.patch
+ixgbevf-use-xso.real_dev-instead-of-xso.dev-in-callb.patch
+bonding-fix-suspicious-rcu-usage-in-bond_ipsec_del_s.patch
+bonding-disallow-setting-nested-bonding-ipsec-offloa.patch
+bonding-add-struct-bond_ipesc-to-manage-sa.patch
+bonding-fix-suspicious-rcu-usage-in-bond_ipsec_offlo.patch
+bonding-fix-incorrect-return-value-of-bond_ipsec_off.patch
+ipv6-fix-disable_policy-for-fwd-packets.patch
+stmmac-platform-fix-signedness-bug-in-stmmac_probe_c.patch
+selftests-icmp_redirect-remove-from-checking-for-ipv.patch
+selftests-icmp_redirect-ipv6-pmtu-info-should-be-cle.patch
+pwm-sprd-ensure-configuring-period-and-duty_cycle-is.patch
+cxgb4-fix-irq-free-race-during-driver-unload.patch
+net-do-not-reuse-skbuff-allocated-from-skbuff_fclone.patch
+mptcp-fix-warning-in-__skb_flow_dissect-when-do-syn-.patch
+nvme-pci-do-not-call-nvme_dev_remove_admin-from-nvme.patch
+kvm-x86-pmu-clear-anythread-deprecated-bit-when-0xa-.patch
+perf-inject-fix-dso-nsinfo-refcounting.patch
+perf-map-fix-dso-nsinfo-refcounting.patch
+perf-probe-fix-dso-nsinfo-refcounting.patch
+perf-env-fix-sibling_dies-memory-leak.patch
+perf-test-session_topology-delete-session-evlist.patch
+perf-test-event_update-fix-memory-leak-of-evlist.patch
+perf-dso-fix-memory-leak-in-dso__new_map.patch
+perf-test-maps__merge_in-fix-memory-leak-of-maps.patch
+perf-env-fix-memory-leak-of-cpu_pmu_caps.patch
+perf-report-free-generated-help-strings-for-sort-opt.patch
+perf-script-fix-memory-threads-and-cpus-leaks-on-exi.patch
+perf-lzma-close-lzma-stream-on-exit.patch
+perf-probe-file-delete-namelist-in-del_events-on-the.patch
+perf-data-close-all-files-in-close_dir.patch
+perf-sched-fix-record-failure-when-config_schedstats.patch
+asoc-wm_adsp-correct-wm_coeff_tlv_get-handling.patch
+spi-imx-add-a-check-for-speed_hz-before-calculating-.patch
+spi-imx-mx51-ecspi-reinstate-low-speed-configreg-del.patch
+spi-stm32-fixes-pm_runtime-calls-in-probe-remove.patch
+regulator-hi6421-use-correct-variable-type-for-regma.patch
+regulator-hi6421-fix-getting-wrong-drvdata.patch
+spi-mediatek-fix-fifo-rx-mode.patch
+asoc-rt5631-fix-regcache-sync-errors-on-resume.patch
+bpf-test-fix-null-pointer-dereference-on-invalid-exp.patch
+bpf-fix-tail_call_reachable-rejection-for-interprete.patch
+xdp-net-fix-use-after-free-in-bpf_xdp_link_release.patch
+timers-fix-get_next_timer_interrupt-with-no-timers-p.patch
+liquidio-fix-unintentional-sign-extension-issue-on-l.patch
+s390-bpf-perform-r1-range-checking-before-accessing-.patch
+bpf-sockmap-fix-potential-memory-leak-on-unlikely-er.patch
+bpf-sockmap-tcp-sk_prot-needs-inuse_idx-set-for-proc.patch
+bpf-sockmap-udp-sk_prot-needs-inuse_idx-set-for-proc.patch
+bpftool-check-malloc-return-value-in-mount_bpffs_for.patch
+net-fix-uninit-value-in-caif_seqpkt_sendmsg.patch
+usb-hso-fix-error-handling-code-of-hso_create_net_de.patch
+dma-mapping-handle-vmalloc-addresses-in-dma_common_-.patch
+efi-tpm-differentiate-missing-and-invalid-final-even.patch
+net-decnet-fix-sleeping-inside-in-af_decnet.patch
+kvm-ppc-book3s-fix-config_transactional_mem-n-crash.patch
+kvm-ppc-fix-kvm_arch_vcpu_ioctl-vcpu_load-leak.patch
+net-sched-fix-memory-leak-in-tcindex_partial_destroy.patch
+sctp-trim-optlen-when-it-s-a-huge-value-in-sctp_sets.patch
+netrom-decrease-sock-refcount-when-sock-timers-expir.patch
+scsi-iscsi-fix-iface-sysfs-attr-detection.patch
+scsi-target-fix-protect-handling-in-write-same-32.patch
+spi-cadence-correct-initialisation-of-runtime-pm-aga.patch
+acpi-kconfig-fix-table-override-from-built-in-initrd.patch
+bnxt_en-don-t-disable-an-already-disabled-pci-device.patch
+bnxt_en-refresh-roce-capabilities-in-bnxt_ulp_probe.patch
+bnxt_en-add-missing-check-for-bnxt_state_abort_err-i.patch
+bnxt_en-validate-vlan-protocol-id-on-rx-packets.patch
+bnxt_en-check-abort-error-state-in-bnxt_half_open_ni.patch
+net-hisilicon-rename-cache_line_mask-to-avoid-redefi.patch
+net-tcp_fastopen-fix-data-races-around-tfo_active_di.patch
+alsa-hda-intel-dsp-cfg-add-missing-elkhartlake-pci-i.patch
+net-hns3-fix-possible-mismatches-resp-of-mailbox.patch
+net-hns3-fix-rx-vlan-offload-state-inconsistent-issu.patch
+spi-spi-bcm2835-fix-deadlock.patch
+net-sched-act_skbmod-skip-non-ethernet-packets.patch
+ipv6-fix-another-slab-out-of-bounds-in-fib6_nh_flush.patch
+ceph-don-t-warn-if-we-re-still-opening-a-session-to-.patch
+nvme-pci-don-t-warn_on-in-nvme_reset_work-if-ctrl.st.patch
+revert-usb-quirks-ignore-remote-wake-up-on-fibocom-l.patch
+afs-fix-tracepoint-string-placement-with-built-in-af.patch
+r8169-avoid-duplicate-sysfs-entry-creation-error.patch
+nvme-set-the-pract-bit-when-using-write-zeroes-with-.patch
+sctp-update-active_key-for-asoc-when-old-key-is-bein.patch
+tcp-disable-tfo-blackhole-logic-by-default.patch
+net-dsa-sja1105-make-vid-4095-a-bridge-vlan-too.patch
+net-sched-cls_api-fix-the-the-wrong-parameter.patch
+drm-panel-raspberrypi-touchscreen-prevent-double-fre.patch
+cifs-only-write-64kb-at-a-time-when-fallocating-a-sm.patch
+cifs-fix-fallocate-when-trying-to-allocate-a-hole.patch
+proc-avoid-mixing-integer-types-in-mem_rw.patch
--- /dev/null
+From 269e745d8dde8b36ad500e71aa2181ba9600c5ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jul 2021 20:21:33 +0200
+Subject: spi: cadence: Correct initialisation of runtime PM again
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit 56912da7a68c8356df6a6740476237441b0b792a ]
+
+The original implementation of RPM handling in probe() was mostly
+correct, except it failed to call pm_runtime_get_*() to activate the
+hardware. The subsequent fix, 734882a8bf98 ("spi: cadence: Correct
+initialisation of runtime PM"), breaks the implementation further,
+to the point where the system using this hard IP on ZynqMP hangs on
+boot, because it accesses hardware which is gated off.
+
+Undo 734882a8bf98 ("spi: cadence: Correct initialisation of runtime
+PM") and instead add missing pm_runtime_get_noresume() and move the
+RPM disabling all the way to the end of probe(). That makes ZynqMP
+not hang on boot yet again.
+
+Fixes: 734882a8bf98 ("spi: cadence: Correct initialisation of runtime PM")
+Signed-off-by: Marek Vasut <marex@denx.de>
+Cc: Charles Keepax <ckeepax@opensource.cirrus.com>
+Cc: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20210716182133.218640-1-marex@denx.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-cadence.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/spi/spi-cadence.c b/drivers/spi/spi-cadence.c
+index a3afd1b9ac56..ceb16e70d235 100644
+--- a/drivers/spi/spi-cadence.c
++++ b/drivers/spi/spi-cadence.c
+@@ -517,6 +517,12 @@ static int cdns_spi_probe(struct platform_device *pdev)
+ goto clk_dis_apb;
+ }
+
++ pm_runtime_use_autosuspend(&pdev->dev);
++ pm_runtime_set_autosuspend_delay(&pdev->dev, SPI_AUTOSUSPEND_TIMEOUT);
++ pm_runtime_get_noresume(&pdev->dev);
++ pm_runtime_set_active(&pdev->dev);
++ pm_runtime_enable(&pdev->dev);
++
+ ret = of_property_read_u32(pdev->dev.of_node, "num-cs", &num_cs);
+ if (ret < 0)
+ master->num_chipselect = CDNS_SPI_DEFAULT_NUM_CS;
+@@ -531,11 +537,6 @@ static int cdns_spi_probe(struct platform_device *pdev)
+ /* SPI controller initializations */
+ cdns_spi_init_hw(xspi);
+
+- pm_runtime_set_active(&pdev->dev);
+- pm_runtime_enable(&pdev->dev);
+- pm_runtime_use_autosuspend(&pdev->dev);
+- pm_runtime_set_autosuspend_delay(&pdev->dev, SPI_AUTOSUSPEND_TIMEOUT);
+-
+ irq = platform_get_irq(pdev, 0);
+ if (irq <= 0) {
+ ret = -ENXIO;
+@@ -566,6 +567,9 @@ static int cdns_spi_probe(struct platform_device *pdev)
+
+ master->bits_per_word_mask = SPI_BPW_MASK(8);
+
++ pm_runtime_mark_last_busy(&pdev->dev);
++ pm_runtime_put_autosuspend(&pdev->dev);
++
+ ret = spi_register_master(master);
+ if (ret) {
+ dev_err(&pdev->dev, "spi_register_master failed\n");
+--
+2.30.2
+
--- /dev/null
+From a592a53a8be1aa8a2347193dd94bfe8e7bb8be6f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Apr 2021 18:33:47 +0800
+Subject: spi: imx: add a check for speed_hz before calculating the clock
+
+From: Clark Wang <xiaoning.wang@nxp.com>
+
+[ Upstream commit 4df2f5e1372e9eec8f9e1b4a3025b9be23487d36 ]
+
+When some drivers use spi to send data, spi_transfer->speed_hz is
+not assigned. If spidev->max_speed_hz is not assigned as well, it
+will cause an error in configuring the clock.
+Add a check for these two values before configuring the clock. An
+error will be returned when they are not assigned.
+
+Signed-off-by: Clark Wang <xiaoning.wang@nxp.com>
+Link: https://lore.kernel.org/r/20210408103347.244313-2-xiaoning.wang@nxp.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-imx.c | 37 +++++++++++++++++++++----------------
+ 1 file changed, 21 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c
+index 831a38920fa9..c8b750d8ac35 100644
+--- a/drivers/spi/spi-imx.c
++++ b/drivers/spi/spi-imx.c
+@@ -66,8 +66,7 @@ struct spi_imx_data;
+ struct spi_imx_devtype_data {
+ void (*intctrl)(struct spi_imx_data *, int);
+ int (*prepare_message)(struct spi_imx_data *, struct spi_message *);
+- int (*prepare_transfer)(struct spi_imx_data *, struct spi_device *,
+- struct spi_transfer *);
++ int (*prepare_transfer)(struct spi_imx_data *, struct spi_device *);
+ void (*trigger)(struct spi_imx_data *);
+ int (*rx_available)(struct spi_imx_data *);
+ void (*reset)(struct spi_imx_data *);
+@@ -572,11 +571,10 @@ static int mx51_ecspi_prepare_message(struct spi_imx_data *spi_imx,
+ }
+
+ static int mx51_ecspi_prepare_transfer(struct spi_imx_data *spi_imx,
+- struct spi_device *spi,
+- struct spi_transfer *t)
++ struct spi_device *spi)
+ {
+ u32 ctrl = readl(spi_imx->base + MX51_ECSPI_CTRL);
+- u32 clk = t->speed_hz, delay;
++ u32 clk, delay;
+
+ /* Clear BL field and set the right value */
+ ctrl &= ~MX51_ECSPI_CTRL_BL_MASK;
+@@ -590,7 +588,7 @@ static int mx51_ecspi_prepare_transfer(struct spi_imx_data *spi_imx,
+ /* set clock speed */
+ ctrl &= ~(0xf << MX51_ECSPI_CTRL_POSTDIV_OFFSET |
+ 0xf << MX51_ECSPI_CTRL_PREDIV_OFFSET);
+- ctrl |= mx51_ecspi_clkdiv(spi_imx, t->speed_hz, &clk);
++ ctrl |= mx51_ecspi_clkdiv(spi_imx, spi_imx->spi_bus_clk, &clk);
+ spi_imx->spi_bus_clk = clk;
+
+ if (spi_imx->usedma)
+@@ -702,13 +700,12 @@ static int mx31_prepare_message(struct spi_imx_data *spi_imx,
+ }
+
+ static int mx31_prepare_transfer(struct spi_imx_data *spi_imx,
+- struct spi_device *spi,
+- struct spi_transfer *t)
++ struct spi_device *spi)
+ {
+ unsigned int reg = MX31_CSPICTRL_ENABLE | MX31_CSPICTRL_MASTER;
+ unsigned int clk;
+
+- reg |= spi_imx_clkdiv_2(spi_imx->spi_clk, t->speed_hz, &clk) <<
++ reg |= spi_imx_clkdiv_2(spi_imx->spi_clk, spi_imx->spi_bus_clk, &clk) <<
+ MX31_CSPICTRL_DR_SHIFT;
+ spi_imx->spi_bus_clk = clk;
+
+@@ -807,14 +804,13 @@ static int mx21_prepare_message(struct spi_imx_data *spi_imx,
+ }
+
+ static int mx21_prepare_transfer(struct spi_imx_data *spi_imx,
+- struct spi_device *spi,
+- struct spi_transfer *t)
++ struct spi_device *spi)
+ {
+ unsigned int reg = MX21_CSPICTRL_ENABLE | MX21_CSPICTRL_MASTER;
+ unsigned int max = is_imx27_cspi(spi_imx) ? 16 : 18;
+ unsigned int clk;
+
+- reg |= spi_imx_clkdiv_1(spi_imx->spi_clk, t->speed_hz, max, &clk)
++ reg |= spi_imx_clkdiv_1(spi_imx->spi_clk, spi_imx->spi_bus_clk, max, &clk)
+ << MX21_CSPICTRL_DR_SHIFT;
+ spi_imx->spi_bus_clk = clk;
+
+@@ -883,13 +879,12 @@ static int mx1_prepare_message(struct spi_imx_data *spi_imx,
+ }
+
+ static int mx1_prepare_transfer(struct spi_imx_data *spi_imx,
+- struct spi_device *spi,
+- struct spi_transfer *t)
++ struct spi_device *spi)
+ {
+ unsigned int reg = MX1_CSPICTRL_ENABLE | MX1_CSPICTRL_MASTER;
+ unsigned int clk;
+
+- reg |= spi_imx_clkdiv_2(spi_imx->spi_clk, t->speed_hz, &clk) <<
++ reg |= spi_imx_clkdiv_2(spi_imx->spi_clk, spi_imx->spi_bus_clk, &clk) <<
+ MX1_CSPICTRL_DR_SHIFT;
+ spi_imx->spi_bus_clk = clk;
+
+@@ -1195,6 +1190,16 @@ static int spi_imx_setupxfer(struct spi_device *spi,
+ if (!t)
+ return 0;
+
++ if (!t->speed_hz) {
++ if (!spi->max_speed_hz) {
++ dev_err(&spi->dev, "no speed_hz provided!\n");
++ return -EINVAL;
++ }
++ dev_dbg(&spi->dev, "using spi->max_speed_hz!\n");
++ spi_imx->spi_bus_clk = spi->max_speed_hz;
++ } else
++ spi_imx->spi_bus_clk = t->speed_hz;
++
+ spi_imx->bits_per_word = t->bits_per_word;
+
+ /*
+@@ -1236,7 +1241,7 @@ static int spi_imx_setupxfer(struct spi_device *spi,
+ spi_imx->slave_burst = t->len;
+ }
+
+- spi_imx->devtype_data->prepare_transfer(spi_imx, spi, t);
++ spi_imx->devtype_data->prepare_transfer(spi_imx, spi);
+
+ return 0;
+ }
+--
+2.30.2
+
--- /dev/null
+From c86c9a2ccae44fc1873f351e77a6a91124d4b3d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 3 Jul 2021 04:23:00 +0200
+Subject: spi: imx: mx51-ecspi: Reinstate low-speed CONFIGREG delay
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit 135cbd378eab336da15de9c84bbb22bf743b38a5 ]
+
+Since 00b80ac935539 ("spi: imx: mx51-ecspi: Move some initialisation to
+prepare_message hook."), the MX51_ECSPI_CONFIG write no longer happens
+in prepare_transfer hook, but rather in prepare_message hook, however
+the MX51_ECSPI_CONFIG delay is still left in prepare_transfer hook and
+thus has no effect. This leads to low bus frequency operation problems
+described in 6fd8b8503a0dc ("spi: spi-imx: Fix out-of-order CS/SCLK
+operation at low speeds") again.
+
+Move the MX51_ECSPI_CONFIG write delay into the prepare_message hook
+as well, thus reinstating the low bus frequency fix.
+
+Fixes: 00b80ac935539 ("spi: imx: mx51-ecspi: Move some initialisation to prepare_message hook.")
+Signed-off-by: Marek Vasut <marex@denx.de>
+Cc: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Cc: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20210703022300.296114-1-marex@denx.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-imx.c | 38 +++++++++++++++++++-------------------
+ 1 file changed, 19 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c
+index c8b750d8ac35..8c0a6ea941ad 100644
+--- a/drivers/spi/spi-imx.c
++++ b/drivers/spi/spi-imx.c
+@@ -506,7 +506,7 @@ static int mx51_ecspi_prepare_message(struct spi_imx_data *spi_imx,
+ {
+ struct spi_device *spi = msg->spi;
+ u32 ctrl = MX51_ECSPI_CTRL_ENABLE;
+- u32 testreg;
++ u32 testreg, delay;
+ u32 cfg = readl(spi_imx->base + MX51_ECSPI_CONFIG);
+
+ /* set Master or Slave mode */
+@@ -567,6 +567,23 @@ static int mx51_ecspi_prepare_message(struct spi_imx_data *spi_imx,
+
+ writel(cfg, spi_imx->base + MX51_ECSPI_CONFIG);
+
++ /*
++ * Wait until the changes in the configuration register CONFIGREG
++ * propagate into the hardware. It takes exactly one tick of the
++ * SCLK clock, but we will wait two SCLK clock just to be sure. The
++ * effect of the delay it takes for the hardware to apply changes
++ * is noticable if the SCLK clock run very slow. In such a case, if
++ * the polarity of SCLK should be inverted, the GPIO ChipSelect might
++ * be asserted before the SCLK polarity changes, which would disrupt
++ * the SPI communication as the device on the other end would consider
++ * the change of SCLK polarity as a clock tick already.
++ */
++ delay = (2 * 1000000) / spi_imx->spi_bus_clk;
++ if (likely(delay < 10)) /* SCLK is faster than 100 kHz */
++ udelay(delay);
++ else /* SCLK is _very_ slow */
++ usleep_range(delay, delay + 10);
++
+ return 0;
+ }
+
+@@ -574,7 +591,7 @@ static int mx51_ecspi_prepare_transfer(struct spi_imx_data *spi_imx,
+ struct spi_device *spi)
+ {
+ u32 ctrl = readl(spi_imx->base + MX51_ECSPI_CTRL);
+- u32 clk, delay;
++ u32 clk;
+
+ /* Clear BL field and set the right value */
+ ctrl &= ~MX51_ECSPI_CTRL_BL_MASK;
+@@ -596,23 +613,6 @@ static int mx51_ecspi_prepare_transfer(struct spi_imx_data *spi_imx,
+
+ writel(ctrl, spi_imx->base + MX51_ECSPI_CTRL);
+
+- /*
+- * Wait until the changes in the configuration register CONFIGREG
+- * propagate into the hardware. It takes exactly one tick of the
+- * SCLK clock, but we will wait two SCLK clock just to be sure. The
+- * effect of the delay it takes for the hardware to apply changes
+- * is noticable if the SCLK clock run very slow. In such a case, if
+- * the polarity of SCLK should be inverted, the GPIO ChipSelect might
+- * be asserted before the SCLK polarity changes, which would disrupt
+- * the SPI communication as the device on the other end would consider
+- * the change of SCLK polarity as a clock tick already.
+- */
+- delay = (2 * 1000000) / clk;
+- if (likely(delay < 10)) /* SCLK is faster than 100 kHz */
+- udelay(delay);
+- else /* SCLK is _very_ slow */
+- usleep_range(delay, delay + 10);
+-
+ return 0;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 4fdd195c949635b46f04ec98ea0ed3bcb2adafd1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Jul 2021 14:16:09 +0200
+Subject: spi: mediatek: fix fifo rx mode
+
+From: Peter Hess <peter.hess@ph-home.de>
+
+[ Upstream commit 3a70dd2d050331ee4cf5ad9d5c0a32d83ead9a43 ]
+
+In FIFO mode were two problems:
+- RX mode was never handled and
+- in this case the tx_buf pointer was NULL and caused an exception
+
+fix this by handling RX mode in mtk_spi_fifo_transfer
+
+Fixes: a568231f4632 ("spi: mediatek: Add spi bus for Mediatek MT8173")
+Signed-off-by: Peter Hess <peter.hess@ph-home.de>
+Signed-off-by: Frank Wunderlich <frank-w@public-files.de>
+Link: https://lore.kernel.org/r/20210706121609.680534-1-linux@fw-web.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-mt65xx.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/spi/spi-mt65xx.c b/drivers/spi/spi-mt65xx.c
+index 5d643051bf3d..8f2d112f0b5d 100644
+--- a/drivers/spi/spi-mt65xx.c
++++ b/drivers/spi/spi-mt65xx.c
+@@ -434,13 +434,23 @@ static int mtk_spi_fifo_transfer(struct spi_master *master,
+ mtk_spi_setup_packet(master);
+
+ cnt = xfer->len / 4;
+- iowrite32_rep(mdata->base + SPI_TX_DATA_REG, xfer->tx_buf, cnt);
++ if (xfer->tx_buf)
++ iowrite32_rep(mdata->base + SPI_TX_DATA_REG, xfer->tx_buf, cnt);
++
++ if (xfer->rx_buf)
++ ioread32_rep(mdata->base + SPI_RX_DATA_REG, xfer->rx_buf, cnt);
+
+ remainder = xfer->len % 4;
+ if (remainder > 0) {
+ reg_val = 0;
+- memcpy(®_val, xfer->tx_buf + (cnt * 4), remainder);
+- writel(reg_val, mdata->base + SPI_TX_DATA_REG);
++ if (xfer->tx_buf) {
++ memcpy(®_val, xfer->tx_buf + (cnt * 4), remainder);
++ writel(reg_val, mdata->base + SPI_TX_DATA_REG);
++ }
++ if (xfer->rx_buf) {
++ reg_val = readl(mdata->base + SPI_RX_DATA_REG);
++ memcpy(xfer->rx_buf + (cnt * 4), ®_val, remainder);
++ }
+ }
+
+ mtk_spi_enable_transfer(master);
+--
+2.30.2
+
--- /dev/null
+From c840023158da611d0acf48d082cb0d57a49dcf58 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Jul 2021 00:02:45 +0300
+Subject: spi: spi-bcm2835: Fix deadlock
+
+From: Alexandru Tachici <alexandru.tachici@analog.com>
+
+[ Upstream commit c45c1e82bba130db4f19d9dbc1deefcf4ea994ed ]
+
+The bcm2835_spi_transfer_one function can create a deadlock
+if it is called while another thread already has the
+CCF lock.
+
+Signed-off-by: Alexandru Tachici <alexandru.tachici@analog.com>
+Fixes: f8043872e796 ("spi: add driver for BCM2835")
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Link: https://lore.kernel.org/r/20210716210245.13240-2-alexandru.tachici@analog.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-bcm2835.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/spi/spi-bcm2835.c b/drivers/spi/spi-bcm2835.c
+index 29ee555a42f9..33c32e931767 100644
+--- a/drivers/spi/spi-bcm2835.c
++++ b/drivers/spi/spi-bcm2835.c
+@@ -84,6 +84,7 @@ MODULE_PARM_DESC(polling_limit_us,
+ * struct bcm2835_spi - BCM2835 SPI controller
+ * @regs: base address of register map
+ * @clk: core clock, divided to calculate serial clock
++ * @clk_hz: core clock cached speed
+ * @irq: interrupt, signals TX FIFO empty or RX FIFO ¾ full
+ * @tfr: SPI transfer currently processed
+ * @ctlr: SPI controller reverse lookup
+@@ -124,6 +125,7 @@ MODULE_PARM_DESC(polling_limit_us,
+ struct bcm2835_spi {
+ void __iomem *regs;
+ struct clk *clk;
++ unsigned long clk_hz;
+ int irq;
+ struct spi_transfer *tfr;
+ struct spi_controller *ctlr;
+@@ -1082,19 +1084,18 @@ static int bcm2835_spi_transfer_one(struct spi_controller *ctlr,
+ struct spi_transfer *tfr)
+ {
+ struct bcm2835_spi *bs = spi_controller_get_devdata(ctlr);
+- unsigned long spi_hz, clk_hz, cdiv;
++ unsigned long spi_hz, cdiv;
+ unsigned long hz_per_byte, byte_limit;
+ u32 cs = bs->prepare_cs[spi->chip_select];
+
+ /* set clock */
+ spi_hz = tfr->speed_hz;
+- clk_hz = clk_get_rate(bs->clk);
+
+- if (spi_hz >= clk_hz / 2) {
++ if (spi_hz >= bs->clk_hz / 2) {
+ cdiv = 2; /* clk_hz/2 is the fastest we can go */
+ } else if (spi_hz) {
+ /* CDIV must be a multiple of two */
+- cdiv = DIV_ROUND_UP(clk_hz, spi_hz);
++ cdiv = DIV_ROUND_UP(bs->clk_hz, spi_hz);
+ cdiv += (cdiv % 2);
+
+ if (cdiv >= 65536)
+@@ -1102,7 +1103,7 @@ static int bcm2835_spi_transfer_one(struct spi_controller *ctlr,
+ } else {
+ cdiv = 0; /* 0 is the slowest we can go */
+ }
+- tfr->effective_speed_hz = cdiv ? (clk_hz / cdiv) : (clk_hz / 65536);
++ tfr->effective_speed_hz = cdiv ? (bs->clk_hz / cdiv) : (bs->clk_hz / 65536);
+ bcm2835_wr(bs, BCM2835_SPI_CLK, cdiv);
+
+ /* handle all the 3-wire mode */
+@@ -1318,6 +1319,7 @@ static int bcm2835_spi_probe(struct platform_device *pdev)
+ return bs->irq ? bs->irq : -ENODEV;
+
+ clk_prepare_enable(bs->clk);
++ bs->clk_hz = clk_get_rate(bs->clk);
+
+ err = bcm2835_dma_init(ctlr, &pdev->dev, bs);
+ if (err)
+--
+2.30.2
+
--- /dev/null
+From 6703c242ec2affcf2acb648efc224338f7c30f72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Jul 2021 10:27:00 +0200
+Subject: spi: stm32: fixes pm_runtime calls in probe/remove
+
+From: Alain Volmat <alain.volmat@foss.st.com>
+
+[ Upstream commit 7999d2555c9f879d006ea8469d74db9cdb038af0 ]
+
+Add pm_runtime calls in probe/probe error path and remove
+in order to be consistent in all places in ordering and
+ensure that pm_runtime is disabled prior to resources used
+by the SPI controller.
+
+This patch also fixes the 2 following warnings on driver remove:
+WARNING: CPU: 0 PID: 743 at drivers/clk/clk.c:594 clk_core_disable_lock+0x18/0x24
+WARNING: CPU: 0 PID: 743 at drivers/clk/clk.c:476 clk_unprepare+0x24/0x2c
+
+Fixes: 038ac869c9d2 ("spi: stm32: add runtime PM support")
+
+Signed-off-by: Amelie Delaunay <amelie.delaunay@foss.st.com>
+Signed-off-by: Alain Volmat <alain.volmat@foss.st.com>
+Link: https://lore.kernel.org/r/1625646426-5826-2-git-send-email-alain.volmat@foss.st.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-stm32.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-stm32.c b/drivers/spi/spi-stm32.c
+index 0318f02d6212..8f91f8705eee 100644
+--- a/drivers/spi/spi-stm32.c
++++ b/drivers/spi/spi-stm32.c
+@@ -1946,6 +1946,7 @@ static int stm32_spi_probe(struct platform_device *pdev)
+ master->can_dma = stm32_spi_can_dma;
+
+ pm_runtime_set_active(&pdev->dev);
++ pm_runtime_get_noresume(&pdev->dev);
+ pm_runtime_enable(&pdev->dev);
+
+ ret = spi_register_master(master);
+@@ -1967,6 +1968,8 @@ static int stm32_spi_probe(struct platform_device *pdev)
+
+ err_pm_disable:
+ pm_runtime_disable(&pdev->dev);
++ pm_runtime_put_noidle(&pdev->dev);
++ pm_runtime_set_suspended(&pdev->dev);
+ err_dma_release:
+ if (spi->dma_tx)
+ dma_release_channel(spi->dma_tx);
+@@ -1983,9 +1986,14 @@ static int stm32_spi_remove(struct platform_device *pdev)
+ struct spi_master *master = platform_get_drvdata(pdev);
+ struct stm32_spi *spi = spi_master_get_devdata(master);
+
++ pm_runtime_get_sync(&pdev->dev);
++
+ spi_unregister_master(master);
+ spi->cfg->disable(spi);
+
++ pm_runtime_disable(&pdev->dev);
++ pm_runtime_put_noidle(&pdev->dev);
++ pm_runtime_set_suspended(&pdev->dev);
+ if (master->dma_tx)
+ dma_release_channel(master->dma_tx);
+ if (master->dma_rx)
+@@ -1993,7 +2001,6 @@ static int stm32_spi_remove(struct platform_device *pdev)
+
+ clk_disable_unprepare(spi->clk);
+
+- pm_runtime_disable(&pdev->dev);
+
+ pinctrl_pm_select_sleep_state(&pdev->dev);
+
+--
+2.30.2
+
--- /dev/null
+From 72b15156a8746a305c9ea97c07c205b0dca8fc7d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Jul 2021 15:53:35 +0800
+Subject: stmmac: platform: Fix signedness bug in stmmac_probe_config_dt()
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit eca81f09145d765c21dd8fb1ba5d874ca255c32c ]
+
+The "plat->phy_interface" variable is an enum and in this context GCC
+will treat it as an unsigned int so the error handling is never
+triggered.
+
+Fixes: b9f0b2f634c0 ("net: stmmac: platform: fix probe for ACPI devices")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
+index ff95400594fc..53be8fc1d125 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
+@@ -399,6 +399,7 @@ stmmac_probe_config_dt(struct platform_device *pdev, const char **mac)
+ struct device_node *np = pdev->dev.of_node;
+ struct plat_stmmacenet_data *plat;
+ struct stmmac_dma_cfg *dma_cfg;
++ int phy_mode;
+ int rc;
+
+ plat = devm_kzalloc(&pdev->dev, sizeof(*plat), GFP_KERNEL);
+@@ -413,10 +414,11 @@ stmmac_probe_config_dt(struct platform_device *pdev, const char **mac)
+ *mac = NULL;
+ }
+
+- plat->phy_interface = device_get_phy_mode(&pdev->dev);
+- if (plat->phy_interface < 0)
+- return ERR_PTR(plat->phy_interface);
++ phy_mode = device_get_phy_mode(&pdev->dev);
++ if (phy_mode < 0)
++ return ERR_PTR(phy_mode);
+
++ plat->phy_interface = phy_mode;
+ plat->interface = stmmac_of_get_mac_mode(np);
+ if (plat->interface < 0)
+ plat->interface = plat->phy_interface;
+--
+2.30.2
+
--- /dev/null
+From 8779d173e986f47ea7e7d53625469bb21e34c03c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Jul 2021 10:27:38 -0700
+Subject: tcp: disable TFO blackhole logic by default
+
+From: Wei Wang <weiwan@google.com>
+
+[ Upstream commit 213ad73d06073b197a02476db3a4998e219ddb06 ]
+
+Multiple complaints have been raised from the TFO users on the internet
+stating that the TFO blackhole logic is too aggressive and gets falsely
+triggered too often.
+(e.g. https://blog.apnic.net/2021/07/05/tcp-fast-open-not-so-fast/)
+Considering that most middleboxes no longer drop TFO packets, we decide
+to disable the blackhole logic by setting
+/proc/sys/net/ipv4/tcp_fastopen_blackhole_timeout_set to 0 by default.
+
+Fixes: cf1ef3f0719b4 ("net/tcp_fastopen: Disable active side TFO in certain scenarios")
+Signed-off-by: Wei Wang <weiwan@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
+Acked-by: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/networking/ip-sysctl.rst | 2 +-
+ net/ipv4/tcp_fastopen.c | 9 ++++++++-
+ net/ipv4/tcp_ipv4.c | 2 +-
+ 3 files changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/Documentation/networking/ip-sysctl.rst b/Documentation/networking/ip-sysctl.rst
+index 4abcfff15e38..4822a058a81d 100644
+--- a/Documentation/networking/ip-sysctl.rst
++++ b/Documentation/networking/ip-sysctl.rst
+@@ -751,7 +751,7 @@ tcp_fastopen_blackhole_timeout_sec - INTEGER
+ initial value when the blackhole issue goes away.
+ 0 to disable the blackhole detection.
+
+- By default, it is set to 1hr.
++ By default, it is set to 0 (feature is disabled).
+
+ tcp_fastopen_key - list of comma separated 32-digit hexadecimal INTEGERs
+ The list consists of a primary key and an optional backup key. The
+diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c
+index 08548ff23d83..d49709ba8e16 100644
+--- a/net/ipv4/tcp_fastopen.c
++++ b/net/ipv4/tcp_fastopen.c
+@@ -507,6 +507,9 @@ void tcp_fastopen_active_disable(struct sock *sk)
+ {
+ struct net *net = sock_net(sk);
+
++ if (!sock_net(sk)->ipv4.sysctl_tcp_fastopen_blackhole_timeout)
++ return;
++
+ /* Paired with READ_ONCE() in tcp_fastopen_active_should_disable() */
+ WRITE_ONCE(net->ipv4.tfo_active_disable_stamp, jiffies);
+
+@@ -526,10 +529,14 @@ void tcp_fastopen_active_disable(struct sock *sk)
+ bool tcp_fastopen_active_should_disable(struct sock *sk)
+ {
+ unsigned int tfo_bh_timeout = sock_net(sk)->ipv4.sysctl_tcp_fastopen_blackhole_timeout;
+- int tfo_da_times = atomic_read(&sock_net(sk)->ipv4.tfo_active_disable_times);
+ unsigned long timeout;
++ int tfo_da_times;
+ int multiplier;
+
++ if (!tfo_bh_timeout)
++ return false;
++
++ tfo_da_times = atomic_read(&sock_net(sk)->ipv4.tfo_active_disable_times);
+ if (!tfo_da_times)
+ return false;
+
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index 5212db9ea157..04e259a04443 100644
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -2913,7 +2913,7 @@ static int __net_init tcp_sk_init(struct net *net)
+ net->ipv4.sysctl_tcp_comp_sack_nr = 44;
+ net->ipv4.sysctl_tcp_fastopen = TFO_CLIENT_ENABLE;
+ spin_lock_init(&net->ipv4.tcp_fastopen_ctx_lock);
+- net->ipv4.sysctl_tcp_fastopen_blackhole_timeout = 60 * 60;
++ net->ipv4.sysctl_tcp_fastopen_blackhole_timeout = 0;
+ atomic_set(&net->ipv4.tfo_active_disable_times, 0);
+
+ /* Reno is always built in */
+--
+2.30.2
+
--- /dev/null
+From 41b0a9ddf6a3c1498d7ed6e53fa7f66f9dc00386 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Jul 2021 16:13:25 +0200
+Subject: timers: Fix get_next_timer_interrupt() with no timers pending
+
+From: Nicolas Saenz Julienne <nsaenzju@redhat.com>
+
+[ Upstream commit aebacb7f6ca1926918734faae14d1f0b6fae5cb7 ]
+
+31cd0e119d50 ("timers: Recalculate next timer interrupt only when
+necessary") subtly altered get_next_timer_interrupt()'s behaviour. The
+function no longer consistently returns KTIME_MAX with no timers
+pending.
+
+In order to decide if there are any timers pending we check whether the
+next expiry will happen NEXT_TIMER_MAX_DELTA jiffies from now.
+Unfortunately, the next expiry time and the timer base clock are no
+longer updated in unison. The former changes upon certain timer
+operations (enqueue, expire, detach), whereas the latter keeps track of
+jiffies as they move forward. Ultimately breaking the logic above.
+
+A simplified example:
+
+- Upon entering get_next_timer_interrupt() with:
+
+ jiffies = 1
+ base->clk = 0;
+ base->next_expiry = NEXT_TIMER_MAX_DELTA;
+
+ 'base->next_expiry == base->clk + NEXT_TIMER_MAX_DELTA', the function
+ returns KTIME_MAX.
+
+- 'base->clk' is updated to the jiffies value.
+
+- The next time we enter get_next_timer_interrupt(), taking into account
+ no timer operations happened:
+
+ base->clk = 1;
+ base->next_expiry = NEXT_TIMER_MAX_DELTA;
+
+ 'base->next_expiry != base->clk + NEXT_TIMER_MAX_DELTA', the function
+ returns a valid expire time, which is incorrect.
+
+This ultimately might unnecessarily rearm sched's timer on nohz_full
+setups, and add latency to the system[1].
+
+So, introduce 'base->timers_pending'[2], update it every time
+'base->next_expiry' changes, and use it in get_next_timer_interrupt().
+
+[1] See tick_nohz_stop_tick().
+[2] A quick pahole check on x86_64 and arm64 shows it doesn't make
+ 'struct timer_base' any bigger.
+
+Fixes: 31cd0e119d50 ("timers: Recalculate next timer interrupt only when necessary")
+Signed-off-by: Nicolas Saenz Julienne <nsaenzju@redhat.com>
+Signed-off-by: Frederic Weisbecker <frederic@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/time/timer.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/time/timer.c b/kernel/time/timer.c
+index c3ad64fb9d8b..aa96b8a4e508 100644
+--- a/kernel/time/timer.c
++++ b/kernel/time/timer.c
+@@ -207,6 +207,7 @@ struct timer_base {
+ unsigned int cpu;
+ bool next_expiry_recalc;
+ bool is_idle;
++ bool timers_pending;
+ DECLARE_BITMAP(pending_map, WHEEL_SIZE);
+ struct hlist_head vectors[WHEEL_SIZE];
+ } ____cacheline_aligned;
+@@ -595,6 +596,7 @@ static void enqueue_timer(struct timer_base *base, struct timer_list *timer,
+ * can reevaluate the wheel:
+ */
+ base->next_expiry = bucket_expiry;
++ base->timers_pending = true;
+ base->next_expiry_recalc = false;
+ trigger_dyntick_cpu(base, timer);
+ }
+@@ -1575,6 +1577,7 @@ static unsigned long __next_timer_interrupt(struct timer_base *base)
+ }
+
+ base->next_expiry_recalc = false;
++ base->timers_pending = !(next == base->clk + NEXT_TIMER_MAX_DELTA);
+
+ return next;
+ }
+@@ -1626,7 +1629,6 @@ u64 get_next_timer_interrupt(unsigned long basej, u64 basem)
+ struct timer_base *base = this_cpu_ptr(&timer_bases[BASE_STD]);
+ u64 expires = KTIME_MAX;
+ unsigned long nextevt;
+- bool is_max_delta;
+
+ /*
+ * Pretend that there is no timer pending if the cpu is offline.
+@@ -1639,7 +1641,6 @@ u64 get_next_timer_interrupt(unsigned long basej, u64 basem)
+ if (base->next_expiry_recalc)
+ base->next_expiry = __next_timer_interrupt(base);
+ nextevt = base->next_expiry;
+- is_max_delta = (nextevt == base->clk + NEXT_TIMER_MAX_DELTA);
+
+ /*
+ * We have a fresh next event. Check whether we can forward the
+@@ -1657,7 +1658,7 @@ u64 get_next_timer_interrupt(unsigned long basej, u64 basem)
+ expires = basem;
+ base->is_idle = false;
+ } else {
+- if (!is_max_delta)
++ if (base->timers_pending)
+ expires = basem + (u64)(nextevt - basej) * TICK_NSEC;
+ /*
+ * If we expect to sleep more than a tick, mark the base idle.
+@@ -1940,6 +1941,7 @@ int timers_prepare_cpu(unsigned int cpu)
+ base = per_cpu_ptr(&timer_bases[b], cpu);
+ base->clk = jiffies;
+ base->next_expiry = base->clk + NEXT_TIMER_MAX_DELTA;
++ base->timers_pending = false;
+ base->is_idle = false;
+ }
+ return 0;
+--
+2.30.2
+
--- /dev/null
+From 82ac25e563d3bca18b64fc6d508d06c3d4af3c57 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Jul 2021 17:13:22 +0800
+Subject: usb: hso: fix error handling code of hso_create_net_device
+
+From: Dongliang Mu <mudongliangabcd@gmail.com>
+
+[ Upstream commit a6ecfb39ba9d7316057cea823b196b734f6b18ca ]
+
+The current error handling code of hso_create_net_device is
+hso_free_net_device, no matter which errors lead to. For example,
+WARNING in hso_free_net_device [1].
+
+Fix this by refactoring the error handling code of
+hso_create_net_device by handling different errors by different code.
+
+[1] https://syzkaller.appspot.com/bug?id=66eff8d49af1b28370ad342787413e35bbe76efe
+
+Reported-by: syzbot+44d53c7255bb1aea22d2@syzkaller.appspotmail.com
+Fixes: 5fcfb6d0bfcd ("hso: fix bailout in error case of probe")
+Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/hso.c | 33 +++++++++++++++++++++++----------
+ 1 file changed, 23 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
+index fbfcbd0dcfcb..5b3aff2c279f 100644
+--- a/drivers/net/usb/hso.c
++++ b/drivers/net/usb/hso.c
+@@ -2496,7 +2496,7 @@ static struct hso_device *hso_create_net_device(struct usb_interface *interface,
+ hso_net_init);
+ if (!net) {
+ dev_err(&interface->dev, "Unable to create ethernet device\n");
+- goto exit;
++ goto err_hso_dev;
+ }
+
+ hso_net = netdev_priv(net);
+@@ -2509,13 +2509,13 @@ static struct hso_device *hso_create_net_device(struct usb_interface *interface,
+ USB_DIR_IN);
+ if (!hso_net->in_endp) {
+ dev_err(&interface->dev, "Can't find BULK IN endpoint\n");
+- goto exit;
++ goto err_net;
+ }
+ hso_net->out_endp = hso_get_ep(interface, USB_ENDPOINT_XFER_BULK,
+ USB_DIR_OUT);
+ if (!hso_net->out_endp) {
+ dev_err(&interface->dev, "Can't find BULK OUT endpoint\n");
+- goto exit;
++ goto err_net;
+ }
+ SET_NETDEV_DEV(net, &interface->dev);
+ SET_NETDEV_DEVTYPE(net, &hso_type);
+@@ -2524,18 +2524,18 @@ static struct hso_device *hso_create_net_device(struct usb_interface *interface,
+ for (i = 0; i < MUX_BULK_RX_BUF_COUNT; i++) {
+ hso_net->mux_bulk_rx_urb_pool[i] = usb_alloc_urb(0, GFP_KERNEL);
+ if (!hso_net->mux_bulk_rx_urb_pool[i])
+- goto exit;
++ goto err_mux_bulk_rx;
+ hso_net->mux_bulk_rx_buf_pool[i] = kzalloc(MUX_BULK_RX_BUF_SIZE,
+ GFP_KERNEL);
+ if (!hso_net->mux_bulk_rx_buf_pool[i])
+- goto exit;
++ goto err_mux_bulk_rx;
+ }
+ hso_net->mux_bulk_tx_urb = usb_alloc_urb(0, GFP_KERNEL);
+ if (!hso_net->mux_bulk_tx_urb)
+- goto exit;
++ goto err_mux_bulk_rx;
+ hso_net->mux_bulk_tx_buf = kzalloc(MUX_BULK_TX_BUF_SIZE, GFP_KERNEL);
+ if (!hso_net->mux_bulk_tx_buf)
+- goto exit;
++ goto err_free_tx_urb;
+
+ add_net_device(hso_dev);
+
+@@ -2543,7 +2543,7 @@ static struct hso_device *hso_create_net_device(struct usb_interface *interface,
+ result = register_netdev(net);
+ if (result) {
+ dev_err(&interface->dev, "Failed to register device\n");
+- goto exit;
++ goto err_free_tx_buf;
+ }
+
+ hso_log_port(hso_dev);
+@@ -2551,8 +2551,21 @@ static struct hso_device *hso_create_net_device(struct usb_interface *interface,
+ hso_create_rfkill(hso_dev, interface);
+
+ return hso_dev;
+-exit:
+- hso_free_net_device(hso_dev, true);
++
++err_free_tx_buf:
++ remove_net_device(hso_dev);
++ kfree(hso_net->mux_bulk_tx_buf);
++err_free_tx_urb:
++ usb_free_urb(hso_net->mux_bulk_tx_urb);
++err_mux_bulk_rx:
++ for (i = 0; i < MUX_BULK_RX_BUF_COUNT; i++) {
++ usb_free_urb(hso_net->mux_bulk_rx_urb_pool[i]);
++ kfree(hso_net->mux_bulk_rx_buf_pool[i]);
++ }
++err_net:
++ free_netdev(net);
++err_hso_dev:
++ kfree(hso_dev);
+ return NULL;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From f01700e6ec08b1d384413de651306610c07eef42 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 Jul 2021 11:16:35 +0800
+Subject: xdp, net: Fix use-after-free in bpf_xdp_link_release
+
+From: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
+
+[ Upstream commit 5acc7d3e8d342858405fbbc671221f676b547ce7 ]
+
+The problem occurs between dev_get_by_index() and dev_xdp_attach_link().
+At this point, dev_xdp_uninstall() is called. Then xdp link will not be
+detached automatically when dev is released. But link->dev already
+points to dev, when xdp link is released, dev will still be accessed,
+but dev has been released.
+
+dev_get_by_index() |
+link->dev = dev |
+ | rtnl_lock()
+ | unregister_netdevice_many()
+ | dev_xdp_uninstall()
+ | rtnl_unlock()
+rtnl_lock(); |
+dev_xdp_attach_link() |
+rtnl_unlock(); |
+ | netdev_run_todo() // dev released
+bpf_xdp_link_release() |
+ /* access dev. |
+ use-after-free */ |
+
+[ 45.966867] BUG: KASAN: use-after-free in bpf_xdp_link_release+0x3b8/0x3d0
+[ 45.967619] Read of size 8 at addr ffff00000f9980c8 by task a.out/732
+[ 45.968297]
+[ 45.968502] CPU: 1 PID: 732 Comm: a.out Not tainted 5.13.0+ #22
+[ 45.969222] Hardware name: linux,dummy-virt (DT)
+[ 45.969795] Call trace:
+[ 45.970106] dump_backtrace+0x0/0x4c8
+[ 45.970564] show_stack+0x30/0x40
+[ 45.970981] dump_stack_lvl+0x120/0x18c
+[ 45.971470] print_address_description.constprop.0+0x74/0x30c
+[ 45.972182] kasan_report+0x1e8/0x200
+[ 45.972659] __asan_report_load8_noabort+0x2c/0x50
+[ 45.973273] bpf_xdp_link_release+0x3b8/0x3d0
+[ 45.973834] bpf_link_free+0xd0/0x188
+[ 45.974315] bpf_link_put+0x1d0/0x218
+[ 45.974790] bpf_link_release+0x3c/0x58
+[ 45.975291] __fput+0x20c/0x7e8
+[ 45.975706] ____fput+0x24/0x30
+[ 45.976117] task_work_run+0x104/0x258
+[ 45.976609] do_notify_resume+0x894/0xaf8
+[ 45.977121] work_pending+0xc/0x328
+[ 45.977575]
+[ 45.977775] The buggy address belongs to the page:
+[ 45.978369] page:fffffc00003e6600 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4f998
+[ 45.979522] flags: 0x7fffe0000000000(node=0|zone=0|lastcpupid=0x3ffff)
+[ 45.980349] raw: 07fffe0000000000 fffffc00003e6708 ffff0000dac3c010 0000000000000000
+[ 45.981309] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
+[ 45.982259] page dumped because: kasan: bad access detected
+[ 45.982948]
+[ 45.983153] Memory state around the buggy address:
+[ 45.983753] ffff00000f997f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 45.984645] ffff00000f998000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[ 45.985533] >ffff00000f998080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[ 45.986419] ^
+[ 45.987112] ffff00000f998100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[ 45.988006] ffff00000f998180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+[ 45.988895] ==================================================================
+[ 45.989773] Disabling lock debugging due to kernel taint
+[ 45.990552] Kernel panic - not syncing: panic_on_warn set ...
+[ 45.991166] CPU: 1 PID: 732 Comm: a.out Tainted: G B 5.13.0+ #22
+[ 45.991929] Hardware name: linux,dummy-virt (DT)
+[ 45.992448] Call trace:
+[ 45.992753] dump_backtrace+0x0/0x4c8
+[ 45.993208] show_stack+0x30/0x40
+[ 45.993627] dump_stack_lvl+0x120/0x18c
+[ 45.994113] dump_stack+0x1c/0x34
+[ 45.994530] panic+0x3a4/0x7d8
+[ 45.994930] end_report+0x194/0x198
+[ 45.995380] kasan_report+0x134/0x200
+[ 45.995850] __asan_report_load8_noabort+0x2c/0x50
+[ 45.996453] bpf_xdp_link_release+0x3b8/0x3d0
+[ 45.997007] bpf_link_free+0xd0/0x188
+[ 45.997474] bpf_link_put+0x1d0/0x218
+[ 45.997942] bpf_link_release+0x3c/0x58
+[ 45.998429] __fput+0x20c/0x7e8
+[ 45.998833] ____fput+0x24/0x30
+[ 45.999247] task_work_run+0x104/0x258
+[ 45.999731] do_notify_resume+0x894/0xaf8
+[ 46.000236] work_pending+0xc/0x328
+[ 46.000697] SMP: stopping secondary CPUs
+[ 46.001226] Dumping ftrace buffer:
+[ 46.001663] (ftrace buffer empty)
+[ 46.002110] Kernel Offset: disabled
+[ 46.002545] CPU features: 0x00000001,23202c00
+[ 46.003080] Memory Limit: none
+
+Fixes: aa8d3a716b59db6c ("bpf, xdp: Add bpf_link-based XDP attachment API")
+Reported-by: Abaci <abaci@linux.alibaba.com>
+Signed-off-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Reviewed-by: Dust Li <dust.li@linux.alibaba.com>
+Acked-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20210710031635.41649-1-xuanzhuo@linux.alibaba.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/dev.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 86a0fe0f4c02..4935ca1e887f 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -9401,14 +9401,17 @@ int bpf_xdp_link_attach(const union bpf_attr *attr, struct bpf_prog *prog)
+ struct net_device *dev;
+ int err, fd;
+
++ rtnl_lock();
+ dev = dev_get_by_index(net, attr->link_create.target_ifindex);
+- if (!dev)
++ if (!dev) {
++ rtnl_unlock();
+ return -EINVAL;
++ }
+
+ link = kzalloc(sizeof(*link), GFP_USER);
+ if (!link) {
+ err = -ENOMEM;
+- goto out_put_dev;
++ goto unlock;
+ }
+
+ bpf_link_init(&link->link, BPF_LINK_TYPE_XDP, &bpf_xdp_link_lops, prog);
+@@ -9418,14 +9421,14 @@ int bpf_xdp_link_attach(const union bpf_attr *attr, struct bpf_prog *prog)
+ err = bpf_link_prime(&link->link, &link_primer);
+ if (err) {
+ kfree(link);
+- goto out_put_dev;
++ goto unlock;
+ }
+
+- rtnl_lock();
+ err = dev_xdp_attach_link(dev, NULL, link);
+ rtnl_unlock();
+
+ if (err) {
++ link->dev = NULL;
+ bpf_link_cleanup(&link_primer);
+ goto out_put_dev;
+ }
+@@ -9435,6 +9438,9 @@ int bpf_xdp_link_attach(const union bpf_attr *attr, struct bpf_prog *prog)
+ dev_put(dev);
+ return fd;
+
++unlock:
++ rtnl_unlock();
++
+ out_put_dev:
+ dev_put(dev);
+ return err;
+--
+2.30.2
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
