--- /dev/null
+From 83a0d2ce19761c791b350876c9b1dcd4ca8eca17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 May 2021 08:08:24 +0300
+Subject: ASoC: cs35l33: fix an error code in probe()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 833bc4cf9754643acc69b3c6b65988ca78df4460 ]
+
+This error path returns zero (success) but it should return -EINVAL.
+
+Fixes: 3333cb7187b9 ("ASoC: cs35l33: Initial commit of the cs35l33 CODEC driver.")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Link: https://lore.kernel.org/r/YKXuyGEzhPT35R3G@mwanda
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/cs35l33.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/codecs/cs35l33.c b/sound/soc/codecs/cs35l33.c
+index 668cd3754209..73fa784646e5 100644
+--- a/sound/soc/codecs/cs35l33.c
++++ b/sound/soc/codecs/cs35l33.c
+@@ -1204,6 +1204,7 @@ static int cs35l33_i2c_probe(struct i2c_client *i2c_client,
+ dev_err(&i2c_client->dev,
+ "CS35L33 Device ID (%X). Expected ID %X\n",
+ devid, CS35L33_CHIP_ID);
++ ret = -EINVAL;
+ goto err_enable;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 90e26734c6ded368c32ac7d0e89ce407fcd921db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 May 2021 15:47:42 +0000
+Subject: bpf: Set mac_len in bpf_skb_change_head
+
+From: Jussi Maki <joamaki@gmail.com>
+
+[ Upstream commit 84316ca4e100d8cbfccd9f774e23817cb2059868 ]
+
+The skb_change_head() helper did not set "skb->mac_len", which is
+problematic when it's used in combination with skb_redirect_peer().
+Without it, redirecting a packet from a L3 device such as wireguard to
+the veth peer device will cause skb->data to point to the middle of the
+IP header on entry to tcp_v4_rcv() since the L2 header is not pulled
+correctly due to mac_len=0.
+
+Fixes: 3a0af8fd61f9 ("bpf: BPF for lightweight tunnel infrastructure")
+Signed-off-by: Jussi Maki <joamaki@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20210519154743.2554771-2-joamaki@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/filter.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/core/filter.c b/net/core/filter.c
+index 6272570fe139..01561268d216 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -3020,6 +3020,7 @@ static inline int __bpf_skb_change_head(struct sk_buff *skb, u32 head_room,
+ __skb_push(skb, head_room);
+ memset(skb->data, 0, head_room);
+ skb_reset_mac_header(skb);
++ skb_reset_mac_len(skb);
+ }
+
+ return ret;
+--
+2.30.2
+
--- /dev/null
+From 1257543e538667d7b082218d28d1d21ad112bf03 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 May 2021 13:21:14 -0700
+Subject: ipv6: record frag_max_size in atomic fragments in input path
+
+From: Francesco Ruggeri <fruggeri@arista.com>
+
+[ Upstream commit e29f011e8fc04b2cdc742a2b9bbfa1b62518381a ]
+
+Commit dbd1759e6a9c ("ipv6: on reassembly, record frag_max_size")
+filled the frag_max_size field in IP6CB in the input path.
+The field should also be filled in case of atomic fragments.
+
+Fixes: dbd1759e6a9c ('ipv6: on reassembly, record frag_max_size')
+Signed-off-by: Francesco Ruggeri <fruggeri@arista.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/reassembly.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
+index c6132e39ab16..60dfd0d11851 100644
+--- a/net/ipv6/reassembly.c
++++ b/net/ipv6/reassembly.c
+@@ -347,7 +347,7 @@ static int ipv6_frag_rcv(struct sk_buff *skb)
+ hdr = ipv6_hdr(skb);
+ fhdr = (struct frag_hdr *)skb_transport_header(skb);
+
+- if (!(fhdr->frag_off & htons(0xFFF9))) {
++ if (!(fhdr->frag_off & htons(IP6_OFFSET | IP6_MF))) {
+ /* It is not a fragmented frame */
+ skb->transport_header += sizeof(struct frag_hdr);
+ __IP6_INC_STATS(net,
+@@ -355,6 +355,8 @@ static int ipv6_frag_rcv(struct sk_buff *skb)
+
+ IP6CB(skb)->nhoff = (u8 *)fhdr - skb_network_header(skb);
+ IP6CB(skb)->flags |= IP6SKB_FRAGMENTED;
++ IP6CB(skb)->frag_max_size = ntohs(hdr->payload_len) +
++ sizeof(struct ipv6hdr);
+ return 1;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 290d695017ec389439209f576f7ca9d6f0fe6528 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 May 2021 11:18:35 -0700
+Subject: ixgbe: fix large MTU request from VF
+
+From: Jesse Brandeburg <jesse.brandeburg@intel.com>
+
+[ Upstream commit 63e39d29b3da02e901349f6cd71159818a4737a6 ]
+
+Check that the MTU value requested by the VF is in the supported
+range of MTUs before attempting to set the VF large packet enable,
+otherwise reject the request. This also avoids unnecessary
+register updates in the case of the 82599 controller.
+
+Fixes: 872844ddb9e4 ("ixgbe: Enable jumbo frames support w/ SR-IOV")
+Co-developed-by: Piotr Skajewski <piotrx.skajewski@intel.com>
+Signed-off-by: Piotr Skajewski <piotrx.skajewski@intel.com>
+Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Co-developed-by: Mateusz Palczewski <mateusz.palczewski@intel.com>
+Signed-off-by: Mateusz Palczewski <mateusz.palczewski@intel.com>
+Tested-by: Konrad Jankowski <konrad0.jankowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c
+index f6ffd9fb2079..8aaf856771d7 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c
+@@ -467,12 +467,16 @@ static int ixgbe_set_vf_vlan(struct ixgbe_adapter *adapter, int add, int vid,
+ return err;
+ }
+
+-static s32 ixgbe_set_vf_lpe(struct ixgbe_adapter *adapter, u32 *msgbuf, u32 vf)
++static int ixgbe_set_vf_lpe(struct ixgbe_adapter *adapter, u32 max_frame, u32 vf)
+ {
+ struct ixgbe_hw *hw = &adapter->hw;
+- int max_frame = msgbuf[1];
+ u32 max_frs;
+
++ if (max_frame < ETH_MIN_MTU || max_frame > IXGBE_MAX_JUMBO_FRAME_SIZE) {
++ e_err(drv, "VF max_frame %d out of range\n", max_frame);
++ return -EINVAL;
++ }
++
+ /*
+ * For 82599EB we have to keep all PFs and VFs operating with
+ * the same max_frame value in order to avoid sending an oversize
+@@ -532,12 +536,6 @@ static s32 ixgbe_set_vf_lpe(struct ixgbe_adapter *adapter, u32 *msgbuf, u32 vf)
+ }
+ }
+
+- /* MTU < 68 is an error and causes problems on some kernels */
+- if (max_frame > IXGBE_MAX_JUMBO_FRAME_SIZE) {
+- e_err(drv, "VF max_frame %d out of range\n", max_frame);
+- return -EINVAL;
+- }
+-
+ /* pull current max frame size from hardware */
+ max_frs = IXGBE_READ_REG(hw, IXGBE_MAXFRS);
+ max_frs &= IXGBE_MHADD_MFS_MASK;
+@@ -1240,7 +1238,7 @@ static int ixgbe_rcv_msg_from_vf(struct ixgbe_adapter *adapter, u32 vf)
+ retval = ixgbe_set_vf_vlan_msg(adapter, msgbuf, vf);
+ break;
+ case IXGBE_VF_SET_LPE:
+- retval = ixgbe_set_vf_lpe(adapter, msgbuf, vf);
++ retval = ixgbe_set_vf_lpe(adapter, msgbuf[1], vf);
+ break;
+ case IXGBE_VF_SET_MACVLAN:
+ retval = ixgbe_set_vf_macvlan_msg(adapter, msgbuf, vf);
+--
+2.30.2
+
--- /dev/null
+From 96a082c3a10b3f4965f179f8fac038d9f96984c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 16 May 2021 17:01:08 -0700
+Subject: MIPS: alchemy: xxs1500: add gpio-au1000.h header file
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit ff4cff962a7eedc73e54b5096693da7f86c61346 ]
+
+board-xxs1500.c references 2 functions without declaring them, so add
+the header file to placate the build.
+
+../arch/mips/alchemy/board-xxs1500.c: In function 'board_setup':
+../arch/mips/alchemy/board-xxs1500.c:56:2: error: implicit declaration of function 'alchemy_gpio1_input_enable' [-Werror=implicit-function-declaration]
+ 56 | alchemy_gpio1_input_enable();
+../arch/mips/alchemy/board-xxs1500.c:57:2: error: implicit declaration of function 'alchemy_gpio2_enable'; did you mean 'alchemy_uart_enable'? [-Werror=implicit-function-declaration]
+ 57 | alchemy_gpio2_enable();
+
+Fixes: 8e026910fcd4 ("MIPS: Alchemy: merge GPR/MTX-1/XXS1500 board code into single files")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Cc: linux-mips@vger.kernel.org
+Cc: Manuel Lauss <manuel.lauss@googlemail.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Acked-by: Manuel Lauss <manuel.lauss@gmail.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/alchemy/board-xxs1500.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/mips/alchemy/board-xxs1500.c b/arch/mips/alchemy/board-xxs1500.c
+index 5f05b8714385..b968cff5baa7 100644
+--- a/arch/mips/alchemy/board-xxs1500.c
++++ b/arch/mips/alchemy/board-xxs1500.c
+@@ -31,6 +31,7 @@
+ #include <asm/reboot.h>
+ #include <asm/setup.h>
+ #include <asm/mach-au1x00/au1000.h>
++#include <asm/mach-au1x00/gpio-au1000.h>
+ #include <prom.h>
+
+ const char *get_system_type(void)
+--
+2.30.2
+
--- /dev/null
+From 794bcf4e029bab2de52323790e18e5cfaf6aee90 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 16 May 2021 17:54:17 -0700
+Subject: MIPS: ralink: export rt_sysc_membase for rt2880_wdt.c
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit fef532ea0cd871afab7d9a7b6e9da99ac2c24371 ]
+
+rt2880_wdt.c uses (well, attempts to use) rt_sysc_membase. However,
+when this watchdog driver is built as a loadable module, there is a
+build error since the rt_sysc_membase symbol is not exported.
+Export it to quell the build error.
+
+ERROR: modpost: "rt_sysc_membase" [drivers/watchdog/rt2880_wdt.ko] undefined!
+
+Fixes: 473cf939ff34 ("watchdog: add ralink watchdog driver")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Guenter Roeck <linux@roeck-us.net>
+Cc: Wim Van Sebroeck <wim@iguana.be>
+Cc: John Crispin <john@phrozen.org>
+Cc: linux-mips@vger.kernel.org
+Cc: linux-watchdog@vger.kernel.org
+Acked-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/ralink/of.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/mips/ralink/of.c b/arch/mips/ralink/of.c
+index 1ada8492733b..92b3d4849996 100644
+--- a/arch/mips/ralink/of.c
++++ b/arch/mips/ralink/of.c
+@@ -10,6 +10,7 @@
+
+ #include <linux/io.h>
+ #include <linux/clk.h>
++#include <linux/export.h>
+ #include <linux/init.h>
+ #include <linux/sizes.h>
+ #include <linux/of_fdt.h>
+@@ -27,6 +28,7 @@
+
+ __iomem void *rt_sysc_membase;
+ __iomem void *rt_memc_membase;
++EXPORT_SYMBOL_GPL(rt_sysc_membase);
+
+ __iomem void *plat_of_remap_node(const char *node)
+ {
+--
+2.30.2
+
--- /dev/null
+From 65aee96455543fd78cffa43094afa851350003a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 16 May 2021 14:44:42 +0000
+Subject: mld: fix panic in mld_newpack()
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit 020ef930b826d21c5446fdc9db80fd72a791bc21 ]
+
+mld_newpack() doesn't allow to allocate high order page,
+only order-0 allocation is allowed.
+If headroom size is too large, a kernel panic could occur in skb_put().
+
+Test commands:
+ ip netns del A
+ ip netns del B
+ ip netns add A
+ ip netns add B
+ ip link add veth0 type veth peer name veth1
+ ip link set veth0 netns A
+ ip link set veth1 netns B
+
+ ip netns exec A ip link set lo up
+ ip netns exec A ip link set veth0 up
+ ip netns exec A ip -6 a a 2001:db8:0::1/64 dev veth0
+ ip netns exec B ip link set lo up
+ ip netns exec B ip link set veth1 up
+ ip netns exec B ip -6 a a 2001:db8:0::2/64 dev veth1
+ for i in {1..99}
+ do
+ let A=$i-1
+ ip netns exec A ip link add ip6gre$i type ip6gre \
+ local 2001:db8:$A::1 remote 2001:db8:$A::2 encaplimit 100
+ ip netns exec A ip -6 a a 2001:db8:$i::1/64 dev ip6gre$i
+ ip netns exec A ip link set ip6gre$i up
+
+ ip netns exec B ip link add ip6gre$i type ip6gre \
+ local 2001:db8:$A::2 remote 2001:db8:$A::1 encaplimit 100
+ ip netns exec B ip -6 a a 2001:db8:$i::2/64 dev ip6gre$i
+ ip netns exec B ip link set ip6gre$i up
+ done
+
+Splat looks like:
+kernel BUG at net/core/skbuff.c:110!
+invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
+CPU: 0 PID: 7 Comm: kworker/0:1 Not tainted 5.12.0+ #891
+Workqueue: ipv6_addrconf addrconf_dad_work
+RIP: 0010:skb_panic+0x15d/0x15f
+Code: 92 fe 4c 8b 4c 24 10 53 8b 4d 70 45 89 e0 48 c7 c7 00 ae 79 83
+41 57 41 56 41 55 48 8b 54 24 a6 26 f9 ff <0f> 0b 48 8b 6c 24 20 89
+34 24 e8 4a 4e 92 fe 8b 34 24 48 c7 c1 20
+RSP: 0018:ffff88810091f820 EFLAGS: 00010282
+RAX: 0000000000000089 RBX: ffff8881086e9000 RCX: 0000000000000000
+RDX: 0000000000000089 RSI: 0000000000000008 RDI: ffffed1020123efb
+RBP: ffff888005f6eac0 R08: ffffed1022fc0031 R09: ffffed1022fc0031
+R10: ffff888117e00187 R11: ffffed1022fc0030 R12: 0000000000000028
+R13: ffff888008284eb0 R14: 0000000000000ed8 R15: 0000000000000ec0
+FS: 0000000000000000(0000) GS:ffff888117c00000(0000)
+knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f8b801c5640 CR3: 0000000033c2c006 CR4: 00000000003706f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ ? ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600
+ ? ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600
+ skb_put.cold.104+0x22/0x22
+ ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600
+ ? rcu_read_lock_sched_held+0x91/0xc0
+ mld_newpack+0x398/0x8f0
+ ? ip6_mc_hdr.isra.26.constprop.46+0x600/0x600
+ ? lock_contended+0xc40/0xc40
+ add_grhead.isra.33+0x280/0x380
+ add_grec+0x5ca/0xff0
+ ? mld_sendpack+0xf40/0xf40
+ ? lock_downgrade+0x690/0x690
+ mld_send_initial_cr.part.34+0xb9/0x180
+ ipv6_mc_dad_complete+0x15d/0x1b0
+ addrconf_dad_completed+0x8d2/0xbb0
+ ? lock_downgrade+0x690/0x690
+ ? addrconf_rs_timer+0x660/0x660
+ ? addrconf_dad_work+0x73c/0x10e0
+ addrconf_dad_work+0x73c/0x10e0
+
+Allowing high order page allocation could fix this problem.
+
+Fixes: 72e09ad107e7 ("ipv6: avoid high order allocations")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/mcast.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
+index f2f8551416c3..3d048401141f 100644
+--- a/net/ipv6/mcast.c
++++ b/net/ipv6/mcast.c
+@@ -1606,10 +1606,7 @@ static struct sk_buff *mld_newpack(struct inet6_dev *idev, unsigned int mtu)
+ IPV6_TLV_PADN, 0 };
+
+ /* we assume size > sizeof(ra) here */
+- /* limit our allocations to order-0 page */
+- size = min_t(int, size, SKB_MAX_ORDER(0, 0));
+ skb = sock_alloc_send_skb(sk, size, 1, &err);
+-
+ if (!skb)
+ return NULL;
+
+--
+2.30.2
+
--- /dev/null
+From 74eebfecafb59d63d4acbe3c40736a2b449ad7aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 15 May 2021 15:16:05 +0800
+Subject: net: bnx2: Fix error return code in bnx2_init_board()
+
+From: Zhen Lei <thunder.leizhen@huawei.com>
+
+[ Upstream commit 28c66b6da4087b8cfe81c2ec0a46eb6116dafda9 ]
+
+Fix to return -EPERM from the error handling case instead of 0, as done
+elsewhere in this function.
+
+Fixes: b6016b767397 ("[BNX2]: New Broadcom gigabit network driver.")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
+Reviewed-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnx2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnx2.c b/drivers/net/ethernet/broadcom/bnx2.c
+index 122fdb80a789..9993f1162ac6 100644
+--- a/drivers/net/ethernet/broadcom/bnx2.c
++++ b/drivers/net/ethernet/broadcom/bnx2.c
+@@ -8253,9 +8253,9 @@ bnx2_init_board(struct pci_dev *pdev, struct net_device *dev)
+ BNX2_WR(bp, PCI_COMMAND, reg);
+ } else if ((BNX2_CHIP_ID(bp) == BNX2_CHIP_ID_5706_A1) &&
+ !(bp->flags & BNX2_FLAG_PCIX)) {
+-
+ dev_err(&pdev->dev,
+ "5706 A1 can only be used in a PCIX bus, aborting\n");
++ rc = -EPERM;
+ goto err_out_unmap;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 0b1de50aca4db30f2b826a737e7cd307f139560c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 9 May 2021 22:33:38 +0300
+Subject: net: dsa: fix error code getting shifted with 4 in
+ dsa_slave_get_sset_count
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit b94cbc909f1d80378a1f541968309e5c1178c98b ]
+
+DSA implements a bunch of 'standardized' ethtool statistics counters,
+namely tx_packets, tx_bytes, rx_packets, rx_bytes. So whatever the
+hardware driver returns in .get_sset_count(), we need to add 4 to that.
+
+That is ok, except that .get_sset_count() can return a negative error
+code, for example:
+
+b53_get_sset_count
+-> phy_ethtool_get_sset_count
+ -> return -EIO
+
+-EIO is -5, and with 4 added to it, it becomes -1, aka -EPERM. One can
+imagine that certain error codes may even become positive, although
+based on code inspection I did not see instances of that.
+
+Check the error code first, if it is negative return it as-is.
+
+Based on a similar patch for dsa_master_get_strings from Dan Carpenter:
+https://patchwork.kernel.org/project/netdevbpf/patch/YJaSe3RPgn7gKxZv@mwanda/
+
+Fixes: 91da11f870f0 ("net: Distributed Switch Architecture protocol support")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/dsa/slave.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/net/dsa/slave.c b/net/dsa/slave.c
+index 11f1560de639..b887d9edb9c3 100644
+--- a/net/dsa/slave.c
++++ b/net/dsa/slave.c
+@@ -598,13 +598,15 @@ static int dsa_slave_get_sset_count(struct net_device *dev, int sset)
+ struct dsa_switch *ds = dp->ds;
+
+ if (sset == ETH_SS_STATS) {
+- int count;
++ int count = 0;
+
+- count = 4;
+- if (ds->ops->get_sset_count)
+- count += ds->ops->get_sset_count(ds, dp->index, sset);
++ if (ds->ops->get_sset_count) {
++ count = ds->ops->get_sset_count(ds, dp->index, sset);
++ if (count < 0)
++ return count;
++ }
+
+- return count;
++ return count + 4;
+ }
+
+ return -EOPNOTSUPP;
+--
+2.30.2
+
--- /dev/null
+From c0ff4d50f939c05276b883fae3df885f3f2acea4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 May 2021 10:43:59 +0800
+Subject: net: fec: fix the potential memory leak in fec_enet_init()
+
+From: Fugang Duan <fugang.duan@nxp.com>
+
+[ Upstream commit 619fee9eb13b5d29e4267cb394645608088c28a8 ]
+
+If the memory allocated for cbd_base is failed, it should
+free the memory allocated for the queues, otherwise it causes
+memory leak.
+
+And if the memory allocated for the queues is failed, it can
+return error directly.
+
+Fixes: 59d0f7465644 ("net: fec: init multi queue date structure")
+Signed-off-by: Fugang Duan <fugang.duan@nxp.com>
+Signed-off-by: Joakim Zhang <qiangqing.zhang@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/fec_main.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
+index 7d1a669416f2..6b9eada1feb2 100644
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -3221,7 +3221,9 @@ static int fec_enet_init(struct net_device *ndev)
+ return ret;
+ }
+
+- fec_enet_alloc_queue(ndev);
++ ret = fec_enet_alloc_queue(ndev);
++ if (ret)
++ return ret;
+
+ bd_size = (fep->total_tx_ring_size + fep->total_rx_ring_size) * dsize;
+
+@@ -3229,7 +3231,8 @@ static int fec_enet_init(struct net_device *ndev)
+ cbd_base = dmam_alloc_coherent(&fep->pdev->dev, bd_size, &bd_dma,
+ GFP_KERNEL);
+ if (!cbd_base) {
+- return -ENOMEM;
++ ret = -ENOMEM;
++ goto free_queue_mem;
+ }
+
+ memset(cbd_base, 0, bd_size);
+@@ -3309,6 +3312,10 @@ static int fec_enet_init(struct net_device *ndev)
+ fec_enet_update_ethtool_stats(ndev);
+
+ return 0;
++
++free_queue_mem:
++ fec_enet_free_queue(ndev);
++ return ret;
+ }
+
+ #ifdef CONFIG_OF
+--
+2.30.2
+
--- /dev/null
+From 77db1d1f9d696642d8997c9442bfb1a634db51db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 May 2021 09:24:55 +0200
+Subject: net: mdio: octeon: Fix some double free issues
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit e1d027dd97e1e750669cdc0d3b016a4f54e473eb ]
+
+'bus->mii_bus' has been allocated with 'devm_mdiobus_alloc_size()' in the
+probe function. So it must not be freed explicitly or there will be a
+double free.
+
+Remove the incorrect 'mdiobus_free' in the error handling path of the
+probe function and in remove function.
+
+Suggested-By: Andrew Lunn <andrew@lunn.ch>
+Fixes: 35d2aeac9810 ("phy: mdio-octeon: Use devm_mdiobus_alloc_size()")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Russell King <rmk+kernel@armlinux.org.uk>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/mdio-octeon.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/net/phy/mdio-octeon.c b/drivers/net/phy/mdio-octeon.c
+index ab6914f8bd50..1da104150f44 100644
+--- a/drivers/net/phy/mdio-octeon.c
++++ b/drivers/net/phy/mdio-octeon.c
+@@ -75,7 +75,6 @@ static int octeon_mdiobus_probe(struct platform_device *pdev)
+
+ return 0;
+ fail_register:
+- mdiobus_free(bus->mii_bus);
+ smi_en.u64 = 0;
+ oct_mdio_writeq(smi_en.u64, bus->register_base + SMI_EN);
+ return err;
+@@ -89,7 +88,6 @@ static int octeon_mdiobus_remove(struct platform_device *pdev)
+ bus = platform_get_drvdata(pdev);
+
+ mdiobus_unregister(bus->mii_bus);
+- mdiobus_free(bus->mii_bus);
+ smi_en.u64 = 0;
+ oct_mdio_writeq(smi_en.u64, bus->register_base + SMI_EN);
+ return 0;
+--
+2.30.2
+
--- /dev/null
+From c0bdc952b901710b7ad00f3058f52480b2d615e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 May 2021 09:44:49 +0200
+Subject: net: mdio: thunder: Fix a double free issue in the .remove function
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit a93a0a15876d2a077a3bc260b387d2457a051f24 ]
+
+'bus->mii_bus' have been allocated with 'devm_mdiobus_alloc_size()' in the
+probe function. So it must not be freed explicitly or there will be a
+double free.
+
+Remove the incorrect 'mdiobus_free' in the remove function.
+
+Fixes: 379d7ac7ca31 ("phy: mdio-thunder: Add driver for Cavium Thunder SoC MDIO buses.")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Russell King <rmk+kernel@armlinux.org.uk>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/mdio-thunder.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/phy/mdio-thunder.c b/drivers/net/phy/mdio-thunder.c
+index 564616968cad..c0c922eff760 100644
+--- a/drivers/net/phy/mdio-thunder.c
++++ b/drivers/net/phy/mdio-thunder.c
+@@ -129,7 +129,6 @@ static void thunder_mdiobus_pci_remove(struct pci_dev *pdev)
+ continue;
+
+ mdiobus_unregister(bus->mii_bus);
+- mdiobus_free(bus->mii_bus);
+ oct_mdio_writeq(0, bus->register_base + SMI_EN);
+ }
+ pci_set_drvdata(pdev, NULL);
+--
+2.30.2
+
--- /dev/null
+From 63a4d7f495e8303a7b77e1a8e3469bcfeb2cd7f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 8 May 2021 07:38:22 +0200
+Subject: net: netcp: Fix an error message
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit ddb6e00f8413e885ff826e32521cff7924661de0 ]
+
+'ret' is known to be 0 here.
+The expected error code is stored in 'tx_pipe->dma_queue', so use it
+instead.
+
+While at it, switch from %d to %pe which is more user friendly.
+
+Fixes: 84640e27f230 ("net: netcp: Add Keystone NetCP core ethernet driver")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ti/netcp_core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/ti/netcp_core.c b/drivers/net/ethernet/ti/netcp_core.c
+index a1d335a3c5e4..60d411bbbdc6 100644
+--- a/drivers/net/ethernet/ti/netcp_core.c
++++ b/drivers/net/ethernet/ti/netcp_core.c
+@@ -1364,8 +1364,8 @@ int netcp_txpipe_open(struct netcp_tx_pipe *tx_pipe)
+ tx_pipe->dma_queue = knav_queue_open(name, tx_pipe->dma_queue_id,
+ KNAV_QUEUE_SHARED);
+ if (IS_ERR(tx_pipe->dma_queue)) {
+- dev_err(dev, "Could not open DMA queue for channel \"%s\": %d\n",
+- name, ret);
++ dev_err(dev, "Could not open DMA queue for channel \"%s\": %pe\n",
++ name, tx_pipe->dma_queue);
+ ret = PTR_ERR(tx_pipe->dma_queue);
+ goto err;
+ }
+--
+2.30.2
+
--- /dev/null
+From 1cdbab60ed9cf1e0ddf5dfd46c7cdde446ce2144 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 May 2021 21:08:00 +0800
+Subject: openvswitch: meter: fix race when getting now_ms.
+
+From: Tao Liu <thomas.liu@ucloud.cn>
+
+[ Upstream commit e4df1b0c24350a0f00229ff895a91f1072bd850d ]
+
+We have observed meters working unexpected if traffic is 3+Gbit/s
+with multiple connections.
+
+now_ms is not pretected by meter->lock, we may get a negative
+long_delta_ms when another cpu updated meter->used, then:
+ delta_ms = (u32)long_delta_ms;
+which will be a large value.
+
+ band->bucket += delta_ms * band->rate;
+then we get a wrong band->bucket.
+
+OpenVswitch userspace datapath has fixed the same issue[1] some
+time ago, and we port the implementation to kernel datapath.
+
+[1] https://patchwork.ozlabs.org/project/openvswitch/patch/20191025114436.9746-1-i.maximets@ovn.org/
+
+Fixes: 96fbc13d7e77 ("openvswitch: Add meter infrastructure")
+Signed-off-by: Tao Liu <thomas.liu@ucloud.cn>
+Suggested-by: Ilya Maximets <i.maximets@ovn.org>
+Reviewed-by: Ilya Maximets <i.maximets@ovn.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/openvswitch/meter.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/net/openvswitch/meter.c b/net/openvswitch/meter.c
+index 5ea2471ffc03..9b0c54f0702c 100644
+--- a/net/openvswitch/meter.c
++++ b/net/openvswitch/meter.c
+@@ -464,6 +464,14 @@ bool ovs_meter_execute(struct datapath *dp, struct sk_buff *skb,
+ spin_lock(&meter->lock);
+
+ long_delta_ms = (now_ms - meter->used); /* ms */
++ if (long_delta_ms < 0) {
++ /* This condition means that we have several threads fighting
++ * for a meter lock, and the one who received the packets a
++ * bit later wins. Assuming that all racing threads received
++ * packets at the same time to avoid overflow.
++ */
++ long_delta_ms = 0;
++ }
+
+ /* Make sure delta_ms will not be too large, so that bucket will not
+ * wrap around below.
+--
+2.30.2
+
--- /dev/null
+From fca4b5fe9b05dc942848b2d9cd2e5043e4fa295e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 23 May 2021 14:38:53 +0000
+Subject: sch_dsmark: fix a NULL deref in qdisc_reset()
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit 9b76eade16423ef06829cccfe3e100cfce31afcd ]
+
+If Qdisc_ops->init() is failed, Qdisc_ops->reset() would be called.
+When dsmark_init(Qdisc_ops->init()) is failed, it possibly doesn't
+initialize dsmark_qdisc_data->q. But dsmark_reset(Qdisc_ops->reset())
+uses dsmark_qdisc_data->q pointer wihtout any null checking.
+So, panic would occur.
+
+Test commands:
+ sysctl net.core.default_qdisc=dsmark -w
+ ip link add dummy0 type dummy
+ ip link add vw0 link dummy0 type virt_wifi
+ ip link set vw0 up
+
+Splat looks like:
+KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
+CPU: 3 PID: 684 Comm: ip Not tainted 5.12.0+ #910
+RIP: 0010:qdisc_reset+0x2b/0x680
+Code: 1f 44 00 00 48 b8 00 00 00 00 00 fc ff df 41 57 41 56 41 55 41 54
+55 48 89 fd 48 83 c7 18 53 48 89 fa 48 c1 ea 03 48 83 ec 20 <80> 3c 02
+00 0f 85 09 06 00 00 4c 8b 65 18 0f 1f 44 00 00 65 8b 1d
+RSP: 0018:ffff88800fda6bf8 EFLAGS: 00010282
+RAX: dffffc0000000000 RBX: ffff8880050ed800 RCX: 0000000000000000
+RDX: 0000000000000003 RSI: ffffffff99e34100 RDI: 0000000000000018
+RBP: 0000000000000000 R08: fffffbfff346b553 R09: fffffbfff346b553
+R10: 0000000000000001 R11: fffffbfff346b552 R12: ffffffffc0824940
+R13: ffff888109e83800 R14: 00000000ffffffff R15: ffffffffc08249e0
+FS: 00007f5042287680(0000) GS:ffff888119800000(0000)
+knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 000055ae1f4dbd90 CR3: 0000000006760002 CR4: 00000000003706e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ ? rcu_read_lock_bh_held+0xa0/0xa0
+ dsmark_reset+0x3d/0xf0 [sch_dsmark]
+ qdisc_reset+0xa9/0x680
+ qdisc_destroy+0x84/0x370
+ qdisc_create_dflt+0x1fe/0x380
+ attach_one_default_qdisc.constprop.41+0xa4/0x180
+ dev_activate+0x4d5/0x8c0
+ ? __dev_open+0x268/0x390
+ __dev_open+0x270/0x390
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_dsmark.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/sched/sch_dsmark.c b/net/sched/sch_dsmark.c
+index 1c2fce8c45b2..fe030af9272c 100644
+--- a/net/sched/sch_dsmark.c
++++ b/net/sched/sch_dsmark.c
+@@ -402,7 +402,8 @@ static void dsmark_reset(struct Qdisc *sch)
+ struct dsmark_qdisc_data *p = qdisc_priv(sch);
+
+ pr_debug("%s(sch %p,[qdisc %p])\n", __func__, sch, p);
+- qdisc_reset(p->q);
++ if (p->q)
++ qdisc_reset(p->q);
+ sch->qstats.backlog = 0;
+ sch->q.qlen = 0;
+ }
+--
+2.30.2
+
--- /dev/null
+From 16185e82a3064e61c3b5fded143a9d05b5687b82 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 May 2021 17:20:27 +0300
+Subject: scsi: libsas: Use _safe() loop in sas_resume_port()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 8c7e7b8486cda21269d393245883c5e4737d5ee7 ]
+
+If sas_notify_lldd_dev_found() fails then this code calls:
+
+ sas_unregister_dev(port, dev);
+
+which removes "dev", our list iterator, from the list. This could lead to
+an endless loop. We need to use list_for_each_entry_safe().
+
+Link: https://lore.kernel.org/r/YKUeq6gwfGcvvhty@mwanda
+Fixes: 303694eeee5e ("[SCSI] libsas: suspend / resume support")
+Reviewed-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/libsas/sas_port.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/libsas/sas_port.c b/drivers/scsi/libsas/sas_port.c
+index fad23dd39114..1a0b2ce398f7 100644
+--- a/drivers/scsi/libsas/sas_port.c
++++ b/drivers/scsi/libsas/sas_port.c
+@@ -41,7 +41,7 @@ static bool phy_is_wideport_member(struct asd_sas_port *port, struct asd_sas_phy
+
+ static void sas_resume_port(struct asd_sas_phy *phy)
+ {
+- struct domain_device *dev;
++ struct domain_device *dev, *n;
+ struct asd_sas_port *port = phy->port;
+ struct sas_ha_struct *sas_ha = phy->ha;
+ struct sas_internal *si = to_sas_internal(sas_ha->core.shost->transportt);
+@@ -60,7 +60,7 @@ static void sas_resume_port(struct asd_sas_phy *phy)
+ * 1/ presume every device came back
+ * 2/ force the next revalidation to check all expander phys
+ */
+- list_for_each_entry(dev, &port->dev_list, dev_list_node) {
++ list_for_each_entry_safe(dev, n, &port->dev_list, dev_list_node) {
+ int i, rc;
+
+ rc = sas_notify_lldd_dev_found(dev);
+--
+2.30.2
+
drm-amd-display-disconnect-non-dp-with-no-edid.patch
drm-amd-amdgpu-fix-refcount-leak.patch
drm-amdgpu-fix-a-use-after-free.patch
+net-netcp-fix-an-error-message.patch
+net-dsa-fix-error-code-getting-shifted-with-4-in-dsa.patch
+net-fec-fix-the-potential-memory-leak-in-fec_enet_in.patch
+net-mdio-thunder-fix-a-double-free-issue-in-the-.rem.patch
+net-mdio-octeon-fix-some-double-free-issues.patch
+openvswitch-meter-fix-race-when-getting-now_ms.patch
+net-bnx2-fix-error-return-code-in-bnx2_init_board.patch
+mld-fix-panic-in-mld_newpack.patch
+staging-emxx_udc-fix-loop-in-_nbu2ss_nuke.patch
+asoc-cs35l33-fix-an-error-code-in-probe.patch
+bpf-set-mac_len-in-bpf_skb_change_head.patch
+ixgbe-fix-large-mtu-request-from-vf.patch
+scsi-libsas-use-_safe-loop-in-sas_resume_port.patch
+ipv6-record-frag_max_size-in-atomic-fragments-in-inp.patch
+sch_dsmark-fix-a-null-deref-in-qdisc_reset.patch
+mips-alchemy-xxs1500-add-gpio-au1000.h-header-file.patch
+mips-ralink-export-rt_sysc_membase-for-rt2880_wdt.c.patch
--- /dev/null
+From 8abcb9b0329796810ca8a4dc5e8cc490dd89e513 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 May 2021 17:16:50 +0300
+Subject: staging: emxx_udc: fix loop in _nbu2ss_nuke()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit e0112a7c9e847ada15a631b88e279d547e8f26a7 ]
+
+The _nbu2ss_ep_done() function calls:
+
+ list_del_init(&req->queue);
+
+which means that the loop will never exit.
+
+Fixes: ca3d253eb967 ("Staging: emxx_udc: Iterate list using list_for_each_entry")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/YKUd0sDyjm/lkJfJ@mwanda
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/emxx_udc/emxx_udc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/staging/emxx_udc/emxx_udc.c b/drivers/staging/emxx_udc/emxx_udc.c
+index 3e51476a7045..d2cb2bd6d913 100644
+--- a/drivers/staging/emxx_udc/emxx_udc.c
++++ b/drivers/staging/emxx_udc/emxx_udc.c
+@@ -2148,7 +2148,7 @@ static int _nbu2ss_nuke(struct nbu2ss_udc *udc,
+ struct nbu2ss_ep *ep,
+ int status)
+ {
+- struct nbu2ss_req *req;
++ struct nbu2ss_req *req, *n;
+
+ /* Endpoint Disable */
+ _nbu2ss_epn_exit(udc, ep);
+@@ -2160,7 +2160,7 @@ static int _nbu2ss_nuke(struct nbu2ss_udc *udc,
+ return 0;
+
+ /* called with irqs blocked */
+- list_for_each_entry(req, &ep->queue, queue) {
++ list_for_each_entry_safe(req, n, &ep->queue, queue) {
+ _nbu2ss_ep_done(ep, req, status);
+ }
+
+--
+2.30.2
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
