--- /dev/null
+From 6bdc9520a9eb4f65485bf333c4823e13b9bb9e15 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Jul 2021 18:09:27 +0100
+Subject: ASoC: cs42l42: Correct definition of ADC Volume control
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit ee86f680ff4c9b406d49d4e22ddf10805b8a2137 ]
+
+The ADC volume is a signed 8-bit number with range -97 to +12,
+with -97 being mute. Use a SOC_SINGLE_S8_TLV() to define this
+and fix the DECLARE_TLV_DB_SCALE() to have the correct start and
+mute flag.
+
+Fixes: 2c394ca79604 ("ASoC: Add support for CS42L42 codec")
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Link: https://lore.kernel.org/r/20210729170929.6589-1-rf@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/cs42l42.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/sound/soc/codecs/cs42l42.c b/sound/soc/codecs/cs42l42.c
+index 5faf8877137a..5c6d288a92ab 100644
+--- a/sound/soc/codecs/cs42l42.c
++++ b/sound/soc/codecs/cs42l42.c
+@@ -403,7 +403,7 @@ static const struct regmap_config cs42l42_regmap = {
+ .use_single_write = true,
+ };
+
+-static DECLARE_TLV_DB_SCALE(adc_tlv, -9600, 100, false);
++static DECLARE_TLV_DB_SCALE(adc_tlv, -9700, 100, true);
+ static DECLARE_TLV_DB_SCALE(mixer_tlv, -6300, 100, true);
+
+ static const char * const cs42l42_hpf_freq_text[] = {
+@@ -442,8 +442,7 @@ static const struct snd_kcontrol_new cs42l42_snd_controls[] = {
+ CS42L42_ADC_INV_SHIFT, true, false),
+ SOC_SINGLE("ADC Boost Switch", CS42L42_ADC_CTL,
+ CS42L42_ADC_DIG_BOOST_SHIFT, true, false),
+- SOC_SINGLE_SX_TLV("ADC Volume", CS42L42_ADC_VOLUME,
+- CS42L42_ADC_VOL_SHIFT, 0xA0, 0x6C, adc_tlv),
++ SOC_SINGLE_S8_TLV("ADC Volume", CS42L42_ADC_VOLUME, -97, 12, adc_tlv),
+ SOC_SINGLE("ADC WNF Switch", CS42L42_ADC_WNF_HPF_CTL,
+ CS42L42_ADC_WNF_EN_SHIFT, true, false),
+ SOC_SINGLE("ADC HPF Switch", CS42L42_ADC_WNF_HPF_CTL,
+--
+2.30.2
+
--- /dev/null
+From 7622de04b97dcc9df15df0d47f49795760f1b790 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Jul 2021 18:09:28 +0100
+Subject: ASoC: cs42l42: Don't allow SND_SOC_DAIFMT_LEFT_J
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit 64324bac750b84ca54711fb7d332132fcdb87293 ]
+
+The driver has no support for left-justified protocol so it should
+not have been allowing this to be passed to cs42l42_set_dai_fmt().
+
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Fixes: 2c394ca79604 ("ASoC: Add support for CS42L42 codec")
+Link: https://lore.kernel.org/r/20210729170929.6589-2-rf@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/cs42l42.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/sound/soc/codecs/cs42l42.c b/sound/soc/codecs/cs42l42.c
+index 5c6d288a92ab..978f5df1ff79 100644
+--- a/sound/soc/codecs/cs42l42.c
++++ b/sound/soc/codecs/cs42l42.c
+@@ -772,7 +772,6 @@ static int cs42l42_set_dai_fmt(struct snd_soc_dai *codec_dai, unsigned int fmt)
+ /* interface format */
+ switch (fmt & SND_SOC_DAIFMT_FORMAT_MASK) {
+ case SND_SOC_DAIFMT_I2S:
+- case SND_SOC_DAIFMT_LEFT_J:
+ break;
+ default:
+ return -EINVAL;
+--
+2.30.2
+
--- /dev/null
+From d32ec689dfac7984c06810f8ac904eb813d50cad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Aug 2021 17:08:33 +0100
+Subject: ASoC: cs42l42: Fix inversion of ADC Notch Switch control
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit 30615bd21b4cc3c3bb5ae8bd70e2a915cc5f75c7 ]
+
+The underlying register field has inverted sense (0 = enabled) so
+the control definition must be marked as inverted.
+
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Fixes: 2c394ca79604 ("ASoC: Add support for CS42L42 codec")
+Link: https://lore.kernel.org/r/20210803160834.9005-1-rf@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/cs42l42.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/cs42l42.c b/sound/soc/codecs/cs42l42.c
+index 978f5df1ff79..032ec4bd060b 100644
+--- a/sound/soc/codecs/cs42l42.c
++++ b/sound/soc/codecs/cs42l42.c
+@@ -435,7 +435,7 @@ static SOC_ENUM_SINGLE_DECL(cs42l42_wnf05_freq_enum, CS42L42_ADC_WNF_HPF_CTL,
+ static const struct snd_kcontrol_new cs42l42_snd_controls[] = {
+ /* ADC Volume and Filter Controls */
+ SOC_SINGLE("ADC Notch Switch", CS42L42_ADC_CTL,
+- CS42L42_ADC_NOTCH_DIS_SHIFT, true, false),
++ CS42L42_ADC_NOTCH_DIS_SHIFT, true, true),
+ SOC_SINGLE("ADC Weak Force Switch", CS42L42_ADC_CTL,
+ CS42L42_ADC_FORCE_WEAK_VCM_SHIFT, true, false),
+ SOC_SINGLE("ADC Invert Switch", CS42L42_ADC_CTL,
+--
+2.30.2
+
--- /dev/null
+From e170c9d3ac74b64d031efa191bc960c7f6756517 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Aug 2021 17:11:05 +0100
+Subject: ASoC: cs42l42: Fix LRCLK frame start edge
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit 0c2f2ad4f16a58879463d0979a54293f8f296d6f ]
+
+An I2S frame starts on the falling edge of LRCLK so ASP_STP must
+be 0.
+
+At the same time, move other format settings in the same register
+from cs42l42_pll_config() to cs42l42_set_dai_fmt() where you'd
+expect to find them, and merge into a single write.
+
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Fixes: 2c394ca79604 ("ASoC: Add support for CS42L42 codec")
+Link: https://lore.kernel.org/r/20210805161111.10410-2-rf@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/cs42l42.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/sound/soc/codecs/cs42l42.c b/sound/soc/codecs/cs42l42.c
+index eb37f88f8233..6825e874785f 100644
+--- a/sound/soc/codecs/cs42l42.c
++++ b/sound/soc/codecs/cs42l42.c
+@@ -658,15 +658,6 @@ static int cs42l42_pll_config(struct snd_soc_component *component)
+ CS42L42_FSYNC_PULSE_WIDTH_MASK,
+ CS42L42_FRAC1_VAL(fsync - 1) <<
+ CS42L42_FSYNC_PULSE_WIDTH_SHIFT);
+- snd_soc_component_update_bits(component,
+- CS42L42_ASP_FRM_CFG,
+- CS42L42_ASP_5050_MASK,
+- CS42L42_ASP_5050_MASK);
+- /* Set the frame delay to 1.0 SCLK clocks */
+- snd_soc_component_update_bits(component, CS42L42_ASP_FRM_CFG,
+- CS42L42_ASP_FSD_MASK,
+- CS42L42_ASP_FSD_1_0 <<
+- CS42L42_ASP_FSD_SHIFT);
+ /* Set the sample rates (96k or lower) */
+ snd_soc_component_update_bits(component, CS42L42_FS_RATE_EN,
+ CS42L42_FS_EN_MASK,
+@@ -762,6 +753,18 @@ static int cs42l42_set_dai_fmt(struct snd_soc_dai *codec_dai, unsigned int fmt)
+ /* interface format */
+ switch (fmt & SND_SOC_DAIFMT_FORMAT_MASK) {
+ case SND_SOC_DAIFMT_I2S:
++ /*
++ * 5050 mode, frame starts on falling edge of LRCLK,
++ * frame delayed by 1.0 SCLKs
++ */
++ snd_soc_component_update_bits(component,
++ CS42L42_ASP_FRM_CFG,
++ CS42L42_ASP_STP_MASK |
++ CS42L42_ASP_5050_MASK |
++ CS42L42_ASP_FSD_MASK,
++ CS42L42_ASP_5050_MASK |
++ (CS42L42_ASP_FSD_1_0 <<
++ CS42L42_ASP_FSD_SHIFT));
+ break;
+ default:
+ return -EINVAL;
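Review bot: The result of the new `snd_soc_component_update_bits()` call in the `SND_SOC_DAIFMT_I2S` case is discarded, so a failed write to `CS42L42_ASP_FRM_CFG` would not be reported by `cs42l42_set_dai_fmt()` unless later code catches it. The function already returns `-EINVAL` for unsupported formats, so capturing the result and returning it when negative would stop the frame configuration from silently keeping its previous value. The function body starts and ends outside this hunk, so whether a suitable `ret` variable already exists has to be checked there.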
+--
+2.30.2
+
--- /dev/null
+From c23cd3f626e9381ab9e11998f2ad4e6e34fca910 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Aug 2021 17:08:34 +0100
+Subject: ASoC: cs42l42: Remove duplicate control for WNF filter frequency
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit 8b353bbeae20e2214c9d9d88bcb2fda4ba145d83 ]
+
+The driver was defining two ALSA controls that both change the same
+register field for the wind noise filter corner frequency. The filter
+response has two corners, at different frequencies, and the duplicate
+controls most likely were an attempt to be able to set the value using
+either of the frequencies.
+
+However, having two controls changing the same field can be problematic
+and it is unnecessary. Both frequencies are related to each other so
+setting one implies exactly what the other would be.
+
+Removing a control affects user-side code, but there is currently no
+known use of the removed control so it would be best to remove it now
+before it becomes a problem.
+
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Fixes: 2c394ca79604 ("ASoC: Add support for CS42L42 codec")
+Link: https://lore.kernel.org/r/20210803160834.9005-2-rf@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/cs42l42.c | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+diff --git a/sound/soc/codecs/cs42l42.c b/sound/soc/codecs/cs42l42.c
+index 032ec4bd060b..eb37f88f8233 100644
+--- a/sound/soc/codecs/cs42l42.c
++++ b/sound/soc/codecs/cs42l42.c
+@@ -423,15 +423,6 @@ static SOC_ENUM_SINGLE_DECL(cs42l42_wnf3_freq_enum, CS42L42_ADC_WNF_HPF_CTL,
+ CS42L42_ADC_WNF_CF_SHIFT,
+ cs42l42_wnf3_freq_text);
+
+-static const char * const cs42l42_wnf05_freq_text[] = {
+- "280Hz", "315Hz", "350Hz", "385Hz",
+- "420Hz", "455Hz", "490Hz", "525Hz"
+-};
+-
+-static SOC_ENUM_SINGLE_DECL(cs42l42_wnf05_freq_enum, CS42L42_ADC_WNF_HPF_CTL,
+- CS42L42_ADC_WNF_CF_SHIFT,
+- cs42l42_wnf05_freq_text);
+-
+ static const struct snd_kcontrol_new cs42l42_snd_controls[] = {
+ /* ADC Volume and Filter Controls */
+ SOC_SINGLE("ADC Notch Switch", CS42L42_ADC_CTL,
+@@ -449,7 +440,6 @@ static const struct snd_kcontrol_new cs42l42_snd_controls[] = {
+ CS42L42_ADC_HPF_EN_SHIFT, true, false),
+ SOC_ENUM("HPF Corner Freq", cs42l42_hpf_freq_enum),
+ SOC_ENUM("WNF 3dB Freq", cs42l42_wnf3_freq_enum),
+- SOC_ENUM("WNF 05dB Freq", cs42l42_wnf05_freq_enum),
+
+ /* DAC Volume and Filter Controls */
+ SOC_SINGLE("DACA Invert Switch", CS42L42_DAC_CTL1,
+--
+2.30.2
+
--- /dev/null
+From a5cbf78e82f57bc653285556457ff657e99546a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Aug 2021 09:40:05 +0000
+Subject: drm/meson: fix colour distortion from HDR set during vendor u-boot
+
+From: Christian Hewitt <christianshewitt@gmail.com>
+
+[ Upstream commit bf33677a3c394bb8fddd48d3bbc97adf0262e045 ]
+
+Add support for the OSD1 HDR registers so meson DRM can handle the HDR
+properties set by Amlogic u-boot on G12A and newer devices which result
+in blue/green/pink colour distortion to display output.
+
+This takes the original patch submissions from Mathias [0] and [1] with
+corrections for formatting and the missing description and attribution
+needed for merge.
+
+[0] https://lore.kernel.org/linux-amlogic/59dfd7e6-fc91-3d61-04c4-94e078a3188c@baylibre.com/T/
+[1] https://lore.kernel.org/linux-amlogic/CAOKfEHBx_fboUqkENEMd-OC-NSrf46nto+vDLgvgttzPe99kXg@mail.gmail.com/T/#u
+
+Fixes: 728883948b0d ("drm/meson: Add G12A Support for VIU setup")
+Suggested-by: Mathias Steiger <mathias.steiger@googlemail.com>
+Signed-off-by: Christian Hewitt <christianshewitt@gmail.com>
+Tested-by: Neil Armstrong <narmstrong@baylibre.com>
+Tested-by: Philip Milev <milev.philip@gmail.com>
+[narmsrong: adding missing space on second tested-by tag]
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210806094005.7136-1-christianshewitt@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/meson/meson_registers.h | 5 +++++
+ drivers/gpu/drm/meson/meson_viu.c | 7 ++++++-
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/meson/meson_registers.h b/drivers/gpu/drm/meson/meson_registers.h
+index 05fce48ceee0..f7da816a5562 100644
+--- a/drivers/gpu/drm/meson/meson_registers.h
++++ b/drivers/gpu/drm/meson/meson_registers.h
+@@ -590,6 +590,11 @@
+ #define VPP_WRAP_OSD3_MATRIX_PRE_OFFSET2 0x3dbc
+ #define VPP_WRAP_OSD3_MATRIX_EN_CTRL 0x3dbd
+
++/* osd1 HDR */
++#define OSD1_HDR2_CTRL 0x38a0
++#define OSD1_HDR2_CTRL_VDIN0_HDR2_TOP_EN BIT(13)
++#define OSD1_HDR2_CTRL_REG_ONLY_MAT BIT(16)
++
+ /* osd2 scaler */
+ #define OSD2_VSC_PHASE_STEP 0x3d00
+ #define OSD2_VSC_INI_PHASE 0x3d01
+diff --git a/drivers/gpu/drm/meson/meson_viu.c b/drivers/gpu/drm/meson/meson_viu.c
+index 68cf2c2eca5f..33698814c022 100644
+--- a/drivers/gpu/drm/meson/meson_viu.c
++++ b/drivers/gpu/drm/meson/meson_viu.c
+@@ -356,9 +356,14 @@ void meson_viu_init(struct meson_drm *priv)
+ if (meson_vpu_is_compatible(priv, VPU_COMPATIBLE_GXM) ||
+ meson_vpu_is_compatible(priv, VPU_COMPATIBLE_GXL))
+ meson_viu_load_matrix(priv);
+- else if (meson_vpu_is_compatible(priv, VPU_COMPATIBLE_G12A))
++ else if (meson_vpu_is_compatible(priv, VPU_COMPATIBLE_G12A)) {
+ meson_viu_set_g12a_osd1_matrix(priv, RGB709_to_YUV709l_coeff,
+ true);
++ /* fix green/pink color distortion from vendor u-boot */
++ writel_bits_relaxed(OSD1_HDR2_CTRL_REG_ONLY_MAT |
++ OSD1_HDR2_CTRL_VDIN0_HDR2_TOP_EN, 0,
++ priv->io_base + _REG(OSD1_HDR2_CTRL));
++ }
+
+ /* Initialize OSD1 fifo control register */
+ reg = VIU_OSD_DDR_PRIORITY_URGENT |
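Review bot: The `else if` branch for `VPU_COMPATIBLE_G12A` now has braces while the preceding `if` branch for GXM/GXL stays unbraced; kernel coding style asks for braces on every branch once one of them needs them. The new comment also names only the symptom. Something like `/* clear the OSD1 HDR2 control bits left set by vendor u-boot, which distort colours */` would tell the reader what the masked write of 0 does. `meson_viu_init()` continues outside the hunk.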
+--
+2.30.2
+
--- /dev/null
+From 3da3d236640592b8730f9f9947dba3caffc27b16 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jun 2021 09:53:33 -0700
+Subject: iavf: Set RSS LUT and key in reset handle path
+
+From: Md Fahad Iqbal Polash <md.fahad.iqbal.polash@intel.com>
+
+[ Upstream commit a7550f8b1c9712894f9e98d6caf5f49451ebd058 ]
+
+iavf driver should set RSS LUT and key unconditionally in reset
+path. Currently, the driver does not do that. This patch fixes
+this issue.
+
+Fixes: 2c86ac3c7079 ("i40evf: create a generic config RSS function")
+Signed-off-by: Md Fahad Iqbal Polash <md.fahad.iqbal.polash@intel.com>
+Tested-by: Konrad Jankowski <konrad0.jankowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index cda9b9a8392a..dc902e371c2c 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -1499,11 +1499,6 @@ static int iavf_reinit_interrupt_scheme(struct iavf_adapter *adapter)
+ set_bit(__IAVF_VSI_DOWN, adapter->vsi.state);
+
+ iavf_map_rings_to_vectors(adapter);
+-
+- if (RSS_AQ(adapter))
+- adapter->aq_required |= IAVF_FLAG_AQ_CONFIGURE_RSS;
+- else
+- err = iavf_init_rss(adapter);
+ err:
+ return err;
+ }
+@@ -2179,6 +2174,14 @@ continue_reset:
+ goto reset_err;
+ }
+
++ if (RSS_AQ(adapter)) {
++ adapter->aq_required |= IAVF_FLAG_AQ_CONFIGURE_RSS;
++ } else {
++ err = iavf_init_rss(adapter);
++ if (err)
++ goto reset_err;
++ }
++
+ adapter->aq_required |= IAVF_FLAG_AQ_GET_CONFIG;
+ adapter->aq_required |= IAVF_FLAG_AQ_MAP_VECTORS;
+
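Review bot: The new block in the reset path has no comment saying why RSS is configured here unconditionally, so the commit message is the only record of it. A one-line comment such as `/* always restore the RSS LUT and key after a reset */` above `if (RSS_AQ(adapter))` would keep the block from being folded back into `iavf_reinit_interrupt_scheme()` later. The enclosing function begins and ends outside the hunk, so the cleanup done at `reset_err` cannot be checked from here.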
+--
+2.30.2
+
--- /dev/null
+From 1b8557de2ba94326e0a12dec20a22a9ea23bf01e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Jul 2021 23:56:32 +0800
+Subject: ieee802154: hwsim: fix GPF in hwsim_new_edge_nl
+
+From: Dongliang Mu <mudongliangabcd@gmail.com>
+
+[ Upstream commit 889d0e7dc68314a273627d89cbb60c09e1cc1c25 ]
+
+Both MAC802154_HWSIM_ATTR_RADIO_ID and MAC802154_HWSIM_ATTR_RADIO_EDGE
+must be present to fix GPF.
+
+Fixes: f25da51fdc38 ("ieee802154: hwsim: add replacement for fakelb")
+Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
+Acked-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20210707155633.1486603-1-mudongliangabcd@gmail.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ieee802154/mac802154_hwsim.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ieee802154/mac802154_hwsim.c b/drivers/net/ieee802154/mac802154_hwsim.c
+index da7f8cc9b181..2a78084aeaed 100644
+--- a/drivers/net/ieee802154/mac802154_hwsim.c
++++ b/drivers/net/ieee802154/mac802154_hwsim.c
+@@ -418,7 +418,7 @@ static int hwsim_new_edge_nl(struct sk_buff *msg, struct genl_info *info)
+ struct hwsim_edge *e;
+ u32 v0, v1;
+
+- if (!info->attrs[MAC802154_HWSIM_ATTR_RADIO_ID] &&
++ if (!info->attrs[MAC802154_HWSIM_ATTR_RADIO_ID] ||
+ !info->attrs[MAC802154_HWSIM_ATTR_RADIO_EDGE])
+ return -EINVAL;
+
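Review bot: The corrected `||` guard is what keeps a netlink request from user space with a missing attribute from reaching code that presumably dereferences it, but nothing in the source says so. The same two-attribute check is fixed in `hwsim_set_edge_lqi()` in the next patch, together with its `edge_attrs` check. A short comment such as `/* both attributes are mandatory; they are used unconditionally below */` above each check would make the intent explicit, and any other handler in this file that copies the pattern is worth auditing for the old `&&` form. A regression test that sends the request with exactly one of the two attributes set would pin the behaviour. The body of `hwsim_new_edge_nl()` continues outside the hunk.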
+--
+2.30.2
+
--- /dev/null
+From e80425209593e00928375f2ec7401c8f85ea1a7b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Jul 2021 21:13:20 +0800
+Subject: ieee802154: hwsim: fix GPF in hwsim_set_edge_lqi
+
+From: Dongliang Mu <mudongliangabcd@gmail.com>
+
+[ Upstream commit e9faf53c5a5d01f6f2a09ae28ec63a3bbd6f64fd ]
+
+Both MAC802154_HWSIM_ATTR_RADIO_ID and MAC802154_HWSIM_ATTR_RADIO_EDGE,
+MAC802154_HWSIM_EDGE_ATTR_ENDPOINT_ID and MAC802154_HWSIM_EDGE_ATTR_LQI
+must be present to fix GPF.
+
+Fixes: f25da51fdc38 ("ieee802154: hwsim: add replacement for fakelb")
+Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
+Acked-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20210705131321.217111-1-mudongliangabcd@gmail.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ieee802154/mac802154_hwsim.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ieee802154/mac802154_hwsim.c b/drivers/net/ieee802154/mac802154_hwsim.c
+index 79d74763cf24..da7f8cc9b181 100644
+--- a/drivers/net/ieee802154/mac802154_hwsim.c
++++ b/drivers/net/ieee802154/mac802154_hwsim.c
+@@ -528,14 +528,14 @@ static int hwsim_set_edge_lqi(struct sk_buff *msg, struct genl_info *info)
+ u32 v0, v1;
+ u8 lqi;
+
+- if (!info->attrs[MAC802154_HWSIM_ATTR_RADIO_ID] &&
++ if (!info->attrs[MAC802154_HWSIM_ATTR_RADIO_ID] ||
+ !info->attrs[MAC802154_HWSIM_ATTR_RADIO_EDGE])
+ return -EINVAL;
+
+ if (nla_parse_nested_deprecated(edge_attrs, MAC802154_HWSIM_EDGE_ATTR_MAX, info->attrs[MAC802154_HWSIM_ATTR_RADIO_EDGE], hwsim_edge_policy, NULL))
+ return -EINVAL;
+
+- if (!edge_attrs[MAC802154_HWSIM_EDGE_ATTR_ENDPOINT_ID] &&
++ if (!edge_attrs[MAC802154_HWSIM_EDGE_ATTR_ENDPOINT_ID] ||
+ !edge_attrs[MAC802154_HWSIM_EDGE_ATTR_LQI])
+ return -EINVAL;
+
+--
+2.30.2
+
--- /dev/null
+From 9600259f545d7730202dc994fb55b832cba35c45 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Aug 2021 23:13:30 +0800
+Subject: nbd: Aovid double completion of a request
+
+From: Xie Yongji <xieyongji@bytedance.com>
+
+[ Upstream commit cddce01160582a5f52ada3da9626c052d852ec42 ]
+
+There is a race between iterating over requests in
+nbd_clear_que() and completing requests in recv_work(),
+which can lead to double completion of a request.
+
+To fix it, flush the recv worker before iterating over
+the requests and don't abort the completed request
+while iterating.
+
+Fixes: 96d97e17828f ("nbd: clear_sock on netlink disconnect")
+Reported-by: Jiang Yadong <jiangyadong@bytedance.com>
+Signed-off-by: Xie Yongji <xieyongji@bytedance.com>
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Link: https://lore.kernel.org/r/20210813151330.96-1-xieyongji@bytedance.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/nbd.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
+index 839364371f9a..25e81b1a59a5 100644
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -797,6 +797,10 @@ static bool nbd_clear_req(struct request *req, void *data, bool reserved)
+ {
+ struct nbd_cmd *cmd = blk_mq_rq_to_pdu(req);
+
++ /* don't abort one completed request */
++ if (blk_mq_request_completed(req))
++ return true;
++
+ mutex_lock(&cmd->lock);
+ cmd->status = BLK_STS_IOERR;
+ mutex_unlock(&cmd->lock);
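Review bot: The `blk_mq_request_completed()` test runs before `cmd->lock` is taken, so it only prevents a double completion if no other context can complete the request between the test and the rest of the function. The second hunk of this patch achieves that by flushing `recv_workq` before `nbd_clear_que()`; any other caller of `nbd_clear_que()` (not visible here) would need the same ordering. The comment could say so, for example `/* already completed by recv_work(); callers must have flushed the recv worker */`. The rest of `nbd_clear_req()` is outside the hunk.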
+@@ -2009,15 +2013,19 @@ static void nbd_disconnect_and_put(struct nbd_device *nbd)
+ {
+ mutex_lock(&nbd->config_lock);
+ nbd_disconnect(nbd);
+- nbd_clear_sock(nbd);
+- mutex_unlock(&nbd->config_lock);
++ sock_shutdown(nbd);
+ /*
+ * Make sure recv thread has finished, so it does not drop the last
+ * config ref and try to destroy the workqueue from inside the work
+- * queue.
++ * queue. And this also ensure that we can safely call nbd_clear_que()
++ * to cancel the inflight I/Os.
+ */
+ if (nbd->recv_workq)
+ flush_workqueue(nbd->recv_workq);
++ nbd_clear_que(nbd);
++ nbd->task_setup = NULL;
++ mutex_unlock(&nbd->config_lock);
++
+ if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF,
+ &nbd->config->runtime_flags))
+ nbd_config_put(nbd);
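Review bot: `flush_workqueue(nbd->recv_workq)` now runs while `nbd->config_lock` is held, which is safe only if the recv work never needs that mutex in order to finish. The existing comment implies the worker will not drop the last config ref while this caller still holds one, but the dependency on the lock is not stated. A sentence such as `config_lock is held across the flush, so recv_work() must not take it` would record the constraint. The added `nbd->task_setup = NULL;` has no explanation either and presumably replaces something the removed `nbd_clear_sock()` call did. The function continues outside the hunk.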
+--
+2.30.2
+
--- /dev/null
+From 4d877d4ce7bee516654c97a5192eb29ac9186781 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Aug 2021 21:20:23 +0800
+Subject: net: bridge: fix memleak in br_add_if()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 519133debcc19f5c834e7e28480b60bdc234fe02 ]
+
+I got a memleak report:
+
+BUG: memory leak
+unreferenced object 0x607ee521a658 (size 240):
+comm "syz-executor.0", pid 955, jiffies 4294780569 (age 16.449s)
+hex dump (first 32 bytes, cpu 1):
+00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+backtrace:
+[<00000000d830ea5a>] br_multicast_add_port+0x1c2/0x300 net/bridge/br_multicast.c:1693
+[<00000000274d9a71>] new_nbp net/bridge/br_if.c:435 [inline]
+[<00000000274d9a71>] br_add_if+0x670/0x1740 net/bridge/br_if.c:611
+[<0000000012ce888e>] do_set_master net/core/rtnetlink.c:2513 [inline]
+[<0000000012ce888e>] do_set_master+0x1aa/0x210 net/core/rtnetlink.c:2487
+[<0000000099d1cafc>] __rtnl_newlink+0x1095/0x13e0 net/core/rtnetlink.c:3457
+[<00000000a01facc0>] rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3488
+[<00000000acc9186c>] rtnetlink_rcv_msg+0x369/0xa10 net/core/rtnetlink.c:5550
+[<00000000d4aabb9c>] netlink_rcv_skb+0x134/0x3d0 net/netlink/af_netlink.c:2504
+[<00000000bc2e12a3>] netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]
+[<00000000bc2e12a3>] netlink_unicast+0x4a0/0x6a0 net/netlink/af_netlink.c:1340
+[<00000000e4dc2d0e>] netlink_sendmsg+0x789/0xc70 net/netlink/af_netlink.c:1929
+[<000000000d22c8b3>] sock_sendmsg_nosec net/socket.c:654 [inline]
+[<000000000d22c8b3>] sock_sendmsg+0x139/0x170 net/socket.c:674
+[<00000000e281417a>] ____sys_sendmsg+0x658/0x7d0 net/socket.c:2350
+[<00000000237aa2ab>] ___sys_sendmsg+0xf8/0x170 net/socket.c:2404
+[<000000004f2dc381>] __sys_sendmsg+0xd3/0x190 net/socket.c:2433
+[<0000000005feca6c>] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:47
+[<000000007304477d>] entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+On error path of br_add_if(), p->mcast_stats allocated in
+new_nbp() need be freed, or it will be leaked.
+
+Fixes: 1080ab95e3c7 ("net: bridge: add support for IGMP/MLD stats and export them via netlink")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Acked-by: Nikolay Aleksandrov <nikolay@nvidia.com>
+Link: https://lore.kernel.org/r/20210809132023.978546-1-yangyingliang@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_if.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c
+index bec20dbf6f60..e2a999890d05 100644
+--- a/net/bridge/br_if.c
++++ b/net/bridge/br_if.c
+@@ -599,6 +599,7 @@ int br_add_if(struct net_bridge *br, struct net_device *dev,
+
+ err = dev_set_allmulti(dev, 1);
+ if (err) {
++ br_multicast_del_port(p);
+ kfree(p); /* kobject not yet init'd, manually free */
+ goto err1;
+ }
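Review bot: The two added `br_multicast_del_port(p)` calls undo an allocation made inside `new_nbp()`, per the commit message, but nothing at either call site says what they pair with. In the `dev_set_allmulti()` failure branch, extending the existing comment to `/* kobject not yet init'd, manually free p and its mcast stats */` would make it clear why two releases are needed there. The same call is added under `err2` in the next hunk. Both hunks show only part of `br_add_if()`, so the order relative to the other error labels cannot be confirmed from here.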
+@@ -712,6 +713,7 @@ err4:
+ err3:
+ sysfs_remove_link(br->ifobj, p->dev->name);
+ err2:
++ br_multicast_del_port(p);
+ kobject_put(&p->kobj);
+ dev_set_allmulti(dev, -1);
+ err1:
+--
+2.30.2
+
--- /dev/null
+From 9fbc8daebb5ea8e5e0570ef013b48a0d36cf7ebd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 14:19:54 +0300
+Subject: net: dsa: lan9303: fix broken backpressure in .port_fdb_dump
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit ada2fee185d8145afb89056558bb59545b9dbdd0 ]
+
+rtnl_fdb_dump() has logic to split a dump of PF_BRIDGE neighbors into
+multiple netlink skbs if the buffer provided by user space is too small
+(one buffer will typically handle a few hundred FDB entries).
+
+When the current buffer becomes full, nlmsg_put() in
+dsa_slave_port_fdb_do_dump() returns -EMSGSIZE and DSA saves the index
+of the last dumped FDB entry, returns to rtnl_fdb_dump() up to that
+point, and then the dump resumes on the same port with a new skb, and
+FDB entries up to the saved index are simply skipped.
+
+Since dsa_slave_port_fdb_do_dump() is pointed to by the "cb" passed to
+drivers, then drivers must check for the -EMSGSIZE error code returned
+by it. Otherwise, when a netlink skb becomes full, DSA will no longer
+save newly dumped FDB entries to it, but the driver will continue
+dumping. So FDB entries will be missing from the dump.
+
+Fix the broken backpressure by propagating the "cb" return code and
+allow rtnl_fdb_dump() to restart the FDB dump with a new skb.
+
+Fixes: ab335349b852 ("net: dsa: lan9303: Add port_fast_age and port_fdb_dump methods")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/lan9303-core.c | 34 +++++++++++++++++++---------------
+ 1 file changed, 19 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/net/dsa/lan9303-core.c b/drivers/net/dsa/lan9303-core.c
+index bbec86b9418e..19d1f1c51f97 100644
+--- a/drivers/net/dsa/lan9303-core.c
++++ b/drivers/net/dsa/lan9303-core.c
+@@ -557,12 +557,12 @@ static int lan9303_alr_make_entry_raw(struct lan9303 *chip, u32 dat0, u32 dat1)
+ return 0;
+ }
+
+-typedef void alr_loop_cb_t(struct lan9303 *chip, u32 dat0, u32 dat1,
+- int portmap, void *ctx);
++typedef int alr_loop_cb_t(struct lan9303 *chip, u32 dat0, u32 dat1,
++ int portmap, void *ctx);
+
+-static void lan9303_alr_loop(struct lan9303 *chip, alr_loop_cb_t *cb, void *ctx)
++static int lan9303_alr_loop(struct lan9303 *chip, alr_loop_cb_t *cb, void *ctx)
+ {
+- int i;
++ int ret = 0, i;
+
+ mutex_lock(&chip->alr_mutex);
+ lan9303_write_switch_reg(chip, LAN9303_SWE_ALR_CMD,
+@@ -582,13 +582,17 @@ static void lan9303_alr_loop(struct lan9303 *chip, alr_loop_cb_t *cb, void *ctx)
+ LAN9303_ALR_DAT1_PORT_BITOFFS;
+ portmap = alrport_2_portmap[alrport];
+
+- cb(chip, dat0, dat1, portmap, ctx);
++ ret = cb(chip, dat0, dat1, portmap, ctx);
++ if (ret)
++ break;
+
+ lan9303_write_switch_reg(chip, LAN9303_SWE_ALR_CMD,
+ LAN9303_ALR_CMD_GET_NEXT);
+ lan9303_write_switch_reg(chip, LAN9303_SWE_ALR_CMD, 0);
+ }
+ mutex_unlock(&chip->alr_mutex);
++
++ return ret;
+ }
+
+ static void alr_reg_to_mac(u32 dat0, u32 dat1, u8 mac[6])
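Review bot: The callback contract changed from `void` to `int` without any comment: a non-zero return from `cb` now ends the ALR walk early and becomes the return value of `lan9303_alr_loop()`. A comment on the `alr_loop_cb_t` typedef in the previous hunk, for example `/* return 0 to continue, non-zero to stop the walk and propagate the code */`, would document this for future callbacks. The `break` leaves the loop before the GET_NEXT command is written but still reaches `mutex_unlock()`, which looks right. The start of the loop is outside the hunk.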
+@@ -606,18 +610,20 @@ struct del_port_learned_ctx {
+ };
+
+ /* Clear learned (non-static) entry on given port */
+-static void alr_loop_cb_del_port_learned(struct lan9303 *chip, u32 dat0,
+- u32 dat1, int portmap, void *ctx)
++static int alr_loop_cb_del_port_learned(struct lan9303 *chip, u32 dat0,
++ u32 dat1, int portmap, void *ctx)
+ {
+ struct del_port_learned_ctx *del_ctx = ctx;
+ int port = del_ctx->port;
+
+ if (((BIT(port) & portmap) == 0) || (dat1 & LAN9303_ALR_DAT1_STATIC))
+- return;
++ return 0;
+
+ /* learned entries has only one port, we can just delete */
+ dat1 &= ~LAN9303_ALR_DAT1_VALID; /* delete entry */
+ lan9303_alr_make_entry_raw(chip, dat0, dat1);
++
++ return 0;
+ }
+
+ struct port_fdb_dump_ctx {
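Review bot: `alr_loop_cb_del_port_learned()` now returns `int` but still discards the result of `lan9303_alr_make_entry_raw()`, which is itself declared `static int`. If that helper can fail, the final `return 0;` hides the failure. If ignoring it is deliberate so the walk keeps deleting entries, a comment such as `/* best effort: keep walking even if one delete fails */` would say so. The visible tail of the helper ends in `return 0;`, so whether it has error paths has to be checked outside this hunk.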
+@@ -626,19 +632,19 @@ struct port_fdb_dump_ctx {
+ dsa_fdb_dump_cb_t *cb;
+ };
+
+-static void alr_loop_cb_fdb_port_dump(struct lan9303 *chip, u32 dat0,
+- u32 dat1, int portmap, void *ctx)
++static int alr_loop_cb_fdb_port_dump(struct lan9303 *chip, u32 dat0,
++ u32 dat1, int portmap, void *ctx)
+ {
+ struct port_fdb_dump_ctx *dump_ctx = ctx;
+ u8 mac[ETH_ALEN];
+ bool is_static;
+
+ if ((BIT(dump_ctx->port) & portmap) == 0)
+- return;
++ return 0;
+
+ alr_reg_to_mac(dat0, dat1, mac);
+ is_static = !!(dat1 & LAN9303_ALR_DAT1_STATIC);
+- dump_ctx->cb(mac, 0, is_static, dump_ctx->data);
++ return dump_ctx->cb(mac, 0, is_static, dump_ctx->data);
+ }
+
+ /* Set a static ALR entry. Delete entry if port_map is zero */
+@@ -1210,9 +1216,7 @@ static int lan9303_port_fdb_dump(struct dsa_switch *ds, int port,
+ };
+
+ dev_dbg(chip->dev, "%s(%d)\n", __func__, port);
+- lan9303_alr_loop(chip, alr_loop_cb_fdb_port_dump, &dump_ctx);
+-
+- return 0;
++ return lan9303_alr_loop(chip, alr_loop_cb_fdb_port_dump, &dump_ctx);
+ }
+
+ static int lan9303_port_mdb_prepare(struct dsa_switch *ds, int port,
+--
+2.30.2
+
--- /dev/null
+From 37f5d574e4c68fc6bcffbceab306832a45076fb5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 14:19:55 +0300
+Subject: net: dsa: lantiq: fix broken backpressure in .port_fdb_dump
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 871a73a1c8f55da0a3db234e9dd816ea4fd546f2 ]
+
+rtnl_fdb_dump() has logic to split a dump of PF_BRIDGE neighbors into
+multiple netlink skbs if the buffer provided by user space is too small
+(one buffer will typically handle a few hundred FDB entries).
+
+When the current buffer becomes full, nlmsg_put() in
+dsa_slave_port_fdb_do_dump() returns -EMSGSIZE and DSA saves the index
+of the last dumped FDB entry, returns to rtnl_fdb_dump() up to that
+point, and then the dump resumes on the same port with a new skb, and
+FDB entries up to the saved index are simply skipped.
+
+Since dsa_slave_port_fdb_do_dump() is pointed to by the "cb" passed to
+drivers, then drivers must check for the -EMSGSIZE error code returned
+by it. Otherwise, when a netlink skb becomes full, DSA will no longer
+save newly dumped FDB entries to it, but the driver will continue
+dumping. So FDB entries will be missing from the dump.
+
+Fix the broken backpressure by propagating the "cb" return code and
+allow rtnl_fdb_dump() to restart the FDB dump with a new skb.
+
+Fixes: 58c59ef9e930 ("net: dsa: lantiq: Add Forwarding Database access")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/lantiq_gswip.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/dsa/lantiq_gswip.c b/drivers/net/dsa/lantiq_gswip.c
+index dc75e798dbff..af3d56636a07 100644
+--- a/drivers/net/dsa/lantiq_gswip.c
++++ b/drivers/net/dsa/lantiq_gswip.c
+@@ -1399,11 +1399,17 @@ static int gswip_port_fdb_dump(struct dsa_switch *ds, int port,
+ addr[1] = mac_bridge.key[2] & 0xff;
+ addr[0] = (mac_bridge.key[2] >> 8) & 0xff;
+ if (mac_bridge.val[1] & GSWIP_TABLE_MAC_BRIDGE_STATIC) {
+- if (mac_bridge.val[0] & BIT(port))
+- cb(addr, 0, true, data);
++ if (mac_bridge.val[0] & BIT(port)) {
++ err = cb(addr, 0, true, data);
++ if (err)
++ return err;
++ }
+ } else {
+- if (((mac_bridge.val[0] & GENMASK(7, 4)) >> 4) == port)
+- cb(addr, 0, false, data);
++ if (((mac_bridge.val[0] & GENMASK(7, 4)) >> 4) == port) {
++ err = cb(addr, 0, false, data);
++ if (err)
++ return err;
++ }
+ }
+ }
+ return 0;
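Review bot: The two new early `return err;` statements leave `gswip_port_fdb_dump()` from inside the table walk, so anything acquired before the loop (outside this hunk) would have to be released on that path too. The static and learned branches now repeat the same call-and-check sequence; computing the port match and the static flag first and calling `cb` once would leave a single exit. The declaration of `err` is also outside the hunk.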
+--
+2.30.2
+
--- /dev/null
+From fccfa12e9caefc5738e274ace935834a21be3b6e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 00:59:12 +0200
+Subject: net: dsa: microchip: Fix ksz_read64()
+
+From: Ben Hutchings <ben.hutchings@mind.be>
+
+[ Upstream commit c34f674c8875235725c3ef86147a627f165d23b4 ]
+
+ksz_read64() currently does some dubious byte-swapping on the two
+halves of a 64-bit register, and then only returns the high bits.
+Replace this with a straightforward expression.
+
+Fixes: e66f840c08a2 ("net: dsa: ksz: Add Microchip KSZ8795 DSA driver")
+Signed-off-by: Ben Hutchings <ben.hutchings@mind.be>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/microchip/ksz_common.h | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/dsa/microchip/ksz_common.h b/drivers/net/dsa/microchip/ksz_common.h
+index 061142b183cb..d6013410dc88 100644
+--- a/drivers/net/dsa/microchip/ksz_common.h
++++ b/drivers/net/dsa/microchip/ksz_common.h
+@@ -215,12 +215,8 @@ static inline int ksz_read64(struct ksz_device *dev, u32 reg, u64 *val)
+ int ret;
+
+ ret = regmap_bulk_read(dev->regmap[2], reg, value, 2);
+- if (!ret) {
+- /* Ick! ToDo: Add 64bit R/W to regmap on 32bit systems */
+- value[0] = swab32(value[0]);
+- value[1] = swab32(value[1]);
+- *val = swab64((u64)*value);
+- }
++ if (!ret)
++ *val = (u64)value[0] << 32 | value[1];
+
+ return ret;
+ }
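Review bot: The new assignment `*val = (u64)value[0] << 32 | value[1];` relies on `<<` binding tighter than `|` and on value[0] holding the upper 32 bits, and neither is stated at the call site. Parenthesising the shift, `*val = ((u64)value[0] << 32) | value[1];`, and adding a short comment such as `/* value[0] is the high word, value[1] the low word */` would make the intended word order easy to check. The declaration of value and the start of ksz_read64() are outside the hunk, so the element type is assumed to be u32.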
+--
+2.30.2
+
--- /dev/null
+From 08faa9279fa508ec2f57db6aa82f3163ef522a87 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Aug 2021 12:05:27 +0800
+Subject: net: dsa: mt7530: add the missing RxUnicast MIB counter
+
+From: DENG Qingfang <dqfext@gmail.com>
+
+[ Upstream commit aff51c5da3208bd164381e1488998667269c6cf4 ]
+
+Add the missing RxUnicast counter.
+
+Fixes: b8f126a8d543 ("net-next: dsa: add dsa support for Mediatek MT7530 switch")
+Signed-off-by: DENG Qingfang <dqfext@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/mt7530.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c
+index 071e5015bf91..e1a3c33fdad9 100644
+--- a/drivers/net/dsa/mt7530.c
++++ b/drivers/net/dsa/mt7530.c
+@@ -45,6 +45,7 @@ static const struct mt7530_mib_desc mt7530_mib[] = {
+ MIB_DESC(2, 0x48, "TxBytes"),
+ MIB_DESC(1, 0x60, "RxDrop"),
+ MIB_DESC(1, 0x64, "RxFiltering"),
++ MIB_DESC(1, 0x68, "RxUnicast"),
+ MIB_DESC(1, 0x6c, "RxMulticast"),
+ MIB_DESC(1, 0x70, "RxBroadcast"),
+ MIB_DESC(1, 0x74, "RxAlignErr"),
+--
+2.30.2
+
--- /dev/null
+From e1ec09fe7fa977d2a7dcc2777d8c2b97046f3e5f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 14:19:56 +0300
+Subject: net: dsa: sja1105: fix broken backpressure in .port_fdb_dump
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 21b52fed928e96d2f75d2f6aa9eac7a4b0b55d22 ]
+
+rtnl_fdb_dump() has logic to split a dump of PF_BRIDGE neighbors into
+multiple netlink skbs if the buffer provided by user space is too small
+(one buffer will typically handle a few hundred FDB entries).
+
+When the current buffer becomes full, nlmsg_put() in
+dsa_slave_port_fdb_do_dump() returns -EMSGSIZE and DSA saves the index
+of the last dumped FDB entry, returns to rtnl_fdb_dump() up to that
+point, and then the dump resumes on the same port with a new skb, and
+FDB entries up to the saved index are simply skipped.
+
+Since dsa_slave_port_fdb_do_dump() is pointed to by the "cb" passed to
+drivers, then drivers must check for the -EMSGSIZE error code returned
+by it. Otherwise, when a netlink skb becomes full, DSA will no longer
+save newly dumped FDB entries to it, but the driver will continue
+dumping. So FDB entries will be missing from the dump.
+
+Fix the broken backpressure by propagating the "cb" return code and
+allow rtnl_fdb_dump() to restart the FDB dump with a new skb.
+
+Fixes: 291d1e72b756 ("net: dsa: sja1105: Add support for FDB and MDB management")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/sja1105/sja1105_main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c
+index a07d8051ec3e..eab861352bf2 100644
+--- a/drivers/net/dsa/sja1105/sja1105_main.c
++++ b/drivers/net/dsa/sja1105/sja1105_main.c
+@@ -1312,7 +1312,9 @@ static int sja1105_fdb_dump(struct dsa_switch *ds, int port,
+ /* We need to hide the dsa_8021q VLANs from the user. */
+ if (!dsa_port_is_vlan_filtering(&ds->ports[port]))
+ l2_lookup.vlanid = 0;
+- cb(macaddr, l2_lookup.vlanid, l2_lookup.lockeds, data);
++ rc = cb(macaddr, l2_lookup.vlanid, l2_lookup.lockeds, data);
++ if (rc)
++ return rc;
+ }
+ return 0;
+ }
+--
+2.30.2
+
--- /dev/null
+From 6f385b581e52f767f5d980bf89f66f3fe42511a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Aug 2021 16:54:14 +0900
+Subject: net: Fix memory leak in ieee802154_raw_deliver
+
+From: Takeshi Misawa <jeliantsurux@gmail.com>
+
+[ Upstream commit 1090340f7ee53e824fd4eef66a4855d548110c5b ]
+
+If IEEE-802.15.4-RAW is closed before receive skb, skb is leaked.
+Fix this, by freeing sk_receive_queue in sk->sk_destruct().
+
+syzbot report:
+BUG: memory leak
+unreferenced object 0xffff88810f644600 (size 232):
+ comm "softirq", pid 0, jiffies 4294967032 (age 81.270s)
+ hex dump (first 32 bytes):
+ 10 7d 4b 12 81 88 ff ff 10 7d 4b 12 81 88 ff ff .}K......}K.....
+ 00 00 00 00 00 00 00 00 40 7c 4b 12 81 88 ff ff ........@|K.....
+ backtrace:
+ [<ffffffff83651d4a>] skb_clone+0xaa/0x2b0 net/core/skbuff.c:1496
+ [<ffffffff83fe1b80>] ieee802154_raw_deliver net/ieee802154/socket.c:369 [inline]
+ [<ffffffff83fe1b80>] ieee802154_rcv+0x100/0x340 net/ieee802154/socket.c:1070
+ [<ffffffff8367cc7a>] __netif_receive_skb_one_core+0x6a/0xa0 net/core/dev.c:5384
+ [<ffffffff8367cd07>] __netif_receive_skb+0x27/0xa0 net/core/dev.c:5498
+ [<ffffffff8367cdd9>] netif_receive_skb_internal net/core/dev.c:5603 [inline]
+ [<ffffffff8367cdd9>] netif_receive_skb+0x59/0x260 net/core/dev.c:5662
+ [<ffffffff83fe6302>] ieee802154_deliver_skb net/mac802154/rx.c:29 [inline]
+ [<ffffffff83fe6302>] ieee802154_subif_frame net/mac802154/rx.c:102 [inline]
+ [<ffffffff83fe6302>] __ieee802154_rx_handle_packet net/mac802154/rx.c:212 [inline]
+ [<ffffffff83fe6302>] ieee802154_rx+0x612/0x620 net/mac802154/rx.c:284
+ [<ffffffff83fe59a6>] ieee802154_tasklet_handler+0x86/0xa0 net/mac802154/main.c:35
+ [<ffffffff81232aab>] tasklet_action_common.constprop.0+0x5b/0x100 kernel/softirq.c:557
+ [<ffffffff846000bf>] __do_softirq+0xbf/0x2ab kernel/softirq.c:345
+ [<ffffffff81232f4c>] do_softirq kernel/softirq.c:248 [inline]
+ [<ffffffff81232f4c>] do_softirq+0x5c/0x80 kernel/softirq.c:235
+ [<ffffffff81232fc1>] __local_bh_enable_ip+0x51/0x60 kernel/softirq.c:198
+ [<ffffffff8367a9a4>] local_bh_enable include/linux/bottom_half.h:32 [inline]
+ [<ffffffff8367a9a4>] rcu_read_unlock_bh include/linux/rcupdate.h:745 [inline]
+ [<ffffffff8367a9a4>] __dev_queue_xmit+0x7f4/0xf60 net/core/dev.c:4221
+ [<ffffffff83fe2db4>] raw_sendmsg+0x1f4/0x2b0 net/ieee802154/socket.c:295
+ [<ffffffff8363af16>] sock_sendmsg_nosec net/socket.c:654 [inline]
+ [<ffffffff8363af16>] sock_sendmsg+0x56/0x80 net/socket.c:674
+ [<ffffffff8363deec>] __sys_sendto+0x15c/0x200 net/socket.c:1977
+ [<ffffffff8363dfb6>] __do_sys_sendto net/socket.c:1989 [inline]
+ [<ffffffff8363dfb6>] __se_sys_sendto net/socket.c:1985 [inline]
+ [<ffffffff8363dfb6>] __x64_sys_sendto+0x26/0x30 net/socket.c:1985
+
+Fixes: 9ec767160357 ("net: add IEEE 802.15.4 socket family implementation")
+Reported-and-tested-by: syzbot+1f68113fa907bf0695a8@syzkaller.appspotmail.com
+Signed-off-by: Takeshi Misawa <jeliantsurux@gmail.com>
+Acked-by: Alexander Aring <aahringo@redhat.com>
+Link: https://lore.kernel.org/r/20210805075414.GA15796@DESKTOP
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ieee802154/socket.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c
+index d93d4531aa9b..9a675ba0bf0a 100644
+--- a/net/ieee802154/socket.c
++++ b/net/ieee802154/socket.c
+@@ -992,6 +992,11 @@ static const struct proto_ops ieee802154_dgram_ops = {
+ #endif
+ };
+
++static void ieee802154_sock_destruct(struct sock *sk)
++{
++ skb_queue_purge(&sk->sk_receive_queue);
++}
++
+ /* Create a socket. Initialise the socket, blank the addresses
+ * set the state.
+ */
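Review bot: ieee802154_sock_destruct() is added without a comment, and it purges only sk_receive_queue. A one-line comment such as `/* Free skbs still queued for receive when the socket is destroyed */` would record why the destructor exists. If these sockets can also hold skbs on other queues (an error queue, for example), those would not be freed here; that cannot be confirmed from the hunk and is worth checking against the rest of socket.c.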
+@@ -1032,7 +1037,7 @@ static int ieee802154_create(struct net *net, struct socket *sock,
+ sock->ops = ops;
+
+ sock_init_data(sock, sk);
+- /* FIXME: sk->sk_destruct */
++ sk->sk_destruct = ieee802154_sock_destruct;
+ sk->sk_family = PF_IEEE802154;
+
+ /* Checksums on by default */
+--
+2.30.2
+
--- /dev/null
+From 83e79f635999bd6bb67adbe13ba2cacc6f6cbd75 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 02:45:47 -0700
+Subject: net: igmp: fix data-race in igmp_ifc_timer_expire()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 4a2b285e7e103d4d6c6ed3e5052a0ff74a5d7f15 ]
+
+Fix the data-race reported by syzbot [1]
+Issue here is that igmp_ifc_timer_expire() can update in_dev->mr_ifc_count
+while another change just occured from another context.
+
+in_dev->mr_ifc_count is only 8bit wide, so the race had little
+consequences.
+
+[1]
+BUG: KCSAN: data-race in igmp_ifc_event / igmp_ifc_timer_expire
+
+write to 0xffff8881051e3062 of 1 bytes by task 12547 on cpu 0:
+ igmp_ifc_event+0x1d5/0x290 net/ipv4/igmp.c:821
+ igmp_group_added+0x462/0x490 net/ipv4/igmp.c:1356
+ ____ip_mc_inc_group+0x3ff/0x500 net/ipv4/igmp.c:1461
+ __ip_mc_join_group+0x24d/0x2c0 net/ipv4/igmp.c:2199
+ ip_mc_join_group_ssm+0x20/0x30 net/ipv4/igmp.c:2218
+ do_ip_setsockopt net/ipv4/ip_sockglue.c:1285 [inline]
+ ip_setsockopt+0x1827/0x2a80 net/ipv4/ip_sockglue.c:1423
+ tcp_setsockopt+0x8c/0xa0 net/ipv4/tcp.c:3657
+ sock_common_setsockopt+0x5d/0x70 net/core/sock.c:3362
+ __sys_setsockopt+0x18f/0x200 net/socket.c:2159
+ __do_sys_setsockopt net/socket.c:2170 [inline]
+ __se_sys_setsockopt net/socket.c:2167 [inline]
+ __x64_sys_setsockopt+0x62/0x70 net/socket.c:2167
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+read to 0xffff8881051e3062 of 1 bytes by interrupt on cpu 1:
+ igmp_ifc_timer_expire+0x706/0xa30 net/ipv4/igmp.c:808
+ call_timer_fn+0x2e/0x1d0 kernel/time/timer.c:1419
+ expire_timers+0x135/0x250 kernel/time/timer.c:1464
+ __run_timers+0x358/0x420 kernel/time/timer.c:1732
+ run_timer_softirq+0x19/0x30 kernel/time/timer.c:1745
+ __do_softirq+0x12c/0x26e kernel/softirq.c:558
+ invoke_softirq kernel/softirq.c:432 [inline]
+ __irq_exit_rcu+0x9a/0xb0 kernel/softirq.c:636
+ sysvec_apic_timer_interrupt+0x69/0x80 arch/x86/kernel/apic/apic.c:1100
+ asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638
+ console_unlock+0x8e8/0xb30 kernel/printk/printk.c:2646
+ vprintk_emit+0x125/0x3d0 kernel/printk/printk.c:2174
+ vprintk_default+0x22/0x30 kernel/printk/printk.c:2185
+ vprintk+0x15a/0x170 kernel/printk/printk_safe.c:392
+ printk+0x62/0x87 kernel/printk/printk.c:2216
+ selinux_netlink_send+0x399/0x400 security/selinux/hooks.c:6041
+ security_netlink_send+0x42/0x90 security/security.c:2070
+ netlink_sendmsg+0x59e/0x7c0 net/netlink/af_netlink.c:1919
+ sock_sendmsg_nosec net/socket.c:703 [inline]
+ sock_sendmsg net/socket.c:723 [inline]
+ ____sys_sendmsg+0x360/0x4d0 net/socket.c:2392
+ ___sys_sendmsg net/socket.c:2446 [inline]
+ __sys_sendmsg+0x1ed/0x270 net/socket.c:2475
+ __do_sys_sendmsg net/socket.c:2484 [inline]
+ __se_sys_sendmsg net/socket.c:2482 [inline]
+ __x64_sys_sendmsg+0x42/0x50 net/socket.c:2482
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+value changed: 0x01 -> 0x02
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 12539 Comm: syz-executor.1 Not tainted 5.14.0-rc4-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/igmp.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
+index c8cbdc4d5cbc..cfa31c34b5bb 100644
+--- a/net/ipv4/igmp.c
++++ b/net/ipv4/igmp.c
+@@ -805,10 +805,17 @@ static void igmp_gq_timer_expire(struct timer_list *t)
+ static void igmp_ifc_timer_expire(struct timer_list *t)
+ {
+ struct in_device *in_dev = from_timer(in_dev, t, mr_ifc_timer);
++ u8 mr_ifc_count;
+
+ igmpv3_send_cr(in_dev);
+- if (in_dev->mr_ifc_count) {
+- in_dev->mr_ifc_count--;
++restart:
++ mr_ifc_count = READ_ONCE(in_dev->mr_ifc_count);
++
++ if (mr_ifc_count) {
++ if (cmpxchg(&in_dev->mr_ifc_count,
++ mr_ifc_count,
++ mr_ifc_count - 1) != mr_ifc_count)
++ goto restart;
+ igmp_ifc_start_timer(in_dev,
+ unsolicited_report_interval(in_dev));
+ }
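Review bot: The `cmpxchg()` in igmp_ifc_timer_expire() operates on `in_dev->mr_ifc_count`, which is still a one-byte field at this commit, and the follow-up patch later on this page states that some architectures support cmpxchg() only on 4-byte and 8-byte objects. The two patches therefore need to be queued together, and recording that dependency would prevent one being dropped without the other. A comment on `restart:` such as `/* mr_ifc_count may be rewritten concurrently, e.g. by igmp_ifc_event(); retry until the decrement applies */` would also explain the loop. The function's closing brace is outside the hunk.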
+@@ -820,7 +827,7 @@ static void igmp_ifc_event(struct in_device *in_dev)
+ struct net *net = dev_net(in_dev->dev);
+ if (IGMP_V1_SEEN(in_dev) || IGMP_V2_SEEN(in_dev))
+ return;
+- in_dev->mr_ifc_count = in_dev->mr_qrv ?: net->ipv4.sysctl_igmp_qrv;
++ WRITE_ONCE(in_dev->mr_ifc_count, in_dev->mr_qrv ?: net->ipv4.sysctl_igmp_qrv);
+ igmp_ifc_start_timer(in_dev, 1);
+ }
+
+@@ -959,7 +966,7 @@ static bool igmp_heard_query(struct in_device *in_dev, struct sk_buff *skb,
+ in_dev->mr_qri;
+ }
+ /* cancel the interface change timer */
+- in_dev->mr_ifc_count = 0;
++ WRITE_ONCE(in_dev->mr_ifc_count, 0);
+ if (del_timer(&in_dev->mr_ifc_timer))
+ __in_dev_put(in_dev);
+ /* clear deleted report items */
+@@ -1726,7 +1733,7 @@ void ip_mc_down(struct in_device *in_dev)
+ igmp_group_dropped(pmc);
+
+ #ifdef CONFIG_IP_MULTICAST
+- in_dev->mr_ifc_count = 0;
++ WRITE_ONCE(in_dev->mr_ifc_count, 0);
+ if (del_timer(&in_dev->mr_ifc_timer))
+ __in_dev_put(in_dev);
+ in_dev->mr_gq_running = 0;
+@@ -1943,7 +1950,7 @@ static int ip_mc_del_src(struct in_device *in_dev, __be32 *pmca, int sfmode,
+ pmc->sfmode = MCAST_INCLUDE;
+ #ifdef CONFIG_IP_MULTICAST
+ pmc->crcount = in_dev->mr_qrv ?: net->ipv4.sysctl_igmp_qrv;
+- in_dev->mr_ifc_count = pmc->crcount;
++ WRITE_ONCE(in_dev->mr_ifc_count, pmc->crcount);
+ for (psf = pmc->sources; psf; psf = psf->sf_next)
+ psf->sf_crcount = 0;
+ igmp_ifc_event(pmc->interface);
+@@ -2122,7 +2129,7 @@ static int ip_mc_add_src(struct in_device *in_dev, __be32 *pmca, int sfmode,
+ /* else no filters; keep old mode for reports */
+
+ pmc->crcount = in_dev->mr_qrv ?: net->ipv4.sysctl_igmp_qrv;
+- in_dev->mr_ifc_count = pmc->crcount;
++ WRITE_ONCE(in_dev->mr_ifc_count, pmc->crcount);
+ for (psf = pmc->sources; psf; psf = psf->sf_next)
+ psf->sf_crcount = 0;
+ igmp_ifc_event(in_dev);
+--
+2.30.2
+
--- /dev/null
+From da4979fc7288396414e85bd1b3768455c177bf5a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Aug 2021 12:57:15 -0700
+Subject: net: igmp: increase size of mr_ifc_count
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit b69dd5b3780a7298bd893816a09da751bc0636f7 ]
+
+Some arches support cmpxchg() on 4-byte and 8-byte only.
+Increase mr_ifc_count width to 32bit to fix this problem.
+
+Fixes: 4a2b285e7e10 ("net: igmp: fix data-race in igmp_ifc_timer_expire()")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20210811195715.3684218-1-eric.dumazet@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/inetdevice.h | 2 +-
+ net/ipv4/igmp.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/inetdevice.h b/include/linux/inetdevice.h
+index 3515ca64e638..b68fca08be27 100644
+--- a/include/linux/inetdevice.h
++++ b/include/linux/inetdevice.h
+@@ -41,7 +41,7 @@ struct in_device {
+ unsigned long mr_qri; /* Query Response Interval */
+ unsigned char mr_qrv; /* Query Robustness Variable */
+ unsigned char mr_gq_running;
+- unsigned char mr_ifc_count;
++ u32 mr_ifc_count;
+ struct timer_list mr_gq_timer; /* general query timer */
+ struct timer_list mr_ifc_timer; /* interface change timer */
+
+diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
+index cfa31c34b5bb..d2b1ae83f258 100644
+--- a/net/ipv4/igmp.c
++++ b/net/ipv4/igmp.c
+@@ -805,7 +805,7 @@ static void igmp_gq_timer_expire(struct timer_list *t)
+ static void igmp_ifc_timer_expire(struct timer_list *t)
+ {
+ struct in_device *in_dev = from_timer(in_dev, t, mr_ifc_timer);
+- u8 mr_ifc_count;
++ u32 mr_ifc_count;
+
+ igmpv3_send_cr(in_dev);
+ restart:
+--
+2.30.2
+
--- /dev/null
+From 4d659a584aa6284d00cd709877f6dc590f0f8004 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Aug 2021 18:06:28 +0200
+Subject: net: linkwatch: fix failure to restore device state across
+ suspend/resume
+
+From: Willy Tarreau <w@1wt.eu>
+
+[ Upstream commit 6922110d152e56d7569616b45a1f02876cf3eb9f ]
+
+After migrating my laptop from 4.19-LTS to 5.4-LTS a while ago I noticed
+that my Ethernet port to which a bond and a VLAN interface are attached
+appeared to remain up after resuming from suspend with the cable unplugged
+(and that problem still persists with 5.10-LTS).
+
+It happens that the following happens:
+
+ - the network driver (e1000e here) prepares to suspend, calls e1000e_down()
+ which calls netif_carrier_off() to signal that the link is going down.
+ - netif_carrier_off() adds a link_watch event to the list of events for
+ this device
+ - the device is completely stopped.
+ - the machine suspends
+ - the cable is unplugged and the machine brought to another location
+ - the machine is resumed
+ - the queued linkwatch events are processed for the device
+ - the device doesn't yet have the __LINK_STATE_PRESENT bit and its events
+ are silently dropped
+ - the device is resumed with its link down
+ - the upper VLAN and bond interfaces are never notified that the link had
+ been turned down and remain up
+ - the only way to provoke a change is to physically connect the machine
+ to a port and possibly unplug it.
+
+The state after resume looks like this:
+ $ ip -br li | egrep 'bond|eth'
+ bond0 UP e8:6a:64:64:64:64 <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP>
+ eth0 DOWN e8:6a:64:64:64:64 <NO-CARRIER,BROADCAST,MULTICAST,SLAVE,UP>
+ eth0.2@eth0 UP e8:6a:64:64:64:64 <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP>
+
+Placing an explicit call to netdev_state_change() either in the suspend
+or the resume code in the NIC driver worked around this but the solution
+is not satisfying.
+
+The issue in fact really is in link_watch that loses events while it
+ought not to. It happens that the test for the device being present was
+added by commit 124eee3f6955 ("net: linkwatch: add check for netdevice
+being present to linkwatch_do_dev") in 4.20 to avoid an access to
+devices that are not present.
+
+Instead of dropping events, this patch proceeds slightly differently by
+postponing their handling so that they happen after the device is fully
+resumed.
+
+Fixes: 124eee3f6955 ("net: linkwatch: add check for netdevice being present to linkwatch_do_dev")
+Link: https://lists.openwall.net/netdev/2018/03/15/62
+Cc: Heiner Kallweit <hkallweit1@gmail.com>
+Cc: Geert Uytterhoeven <geert+renesas@glider.be>
+Cc: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+Link: https://lore.kernel.org/r/20210809160628.22623-1-w@1wt.eu
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/link_watch.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/core/link_watch.c b/net/core/link_watch.c
+index f153e0601838..35b0e39030da 100644
+--- a/net/core/link_watch.c
++++ b/net/core/link_watch.c
+@@ -150,7 +150,7 @@ static void linkwatch_do_dev(struct net_device *dev)
+ clear_bit(__LINK_STATE_LINKWATCH_PENDING, &dev->state);
+
+ rfc2863_policy(dev);
+- if (dev->flags & IFF_UP && netif_device_present(dev)) {
++ if (dev->flags & IFF_UP) {
+ if (netif_carrier_ok(dev))
+ dev_activate(dev);
+ else
+@@ -196,7 +196,8 @@ static void __linkwatch_run_queue(int urgent_only)
+ dev = list_first_entry(&wrk, struct net_device, link_watch_list);
+ list_del_init(&dev->link_watch_list);
+
+- if (urgent_only && !linkwatch_urgent_event(dev)) {
++ if (!netif_device_present(dev) ||
++ (urgent_only && !linkwatch_urgent_event(dev))) {
+ list_add_tail(&dev->link_watch_list, &lweventlist);
+ continue;
+ }
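Review bot: The new `!netif_device_present(dev)` branch in __linkwatch_run_queue() puts the device back on lweventlist with no comment saying that the event is being deferred rather than dropped. Suggested comment above the condition: `/* Defer events for devices that are not present (e.g. suspended) instead of dropping them */`. A device that never becomes present again stays on the list, so it is worth confirming that the rescheduling logic after this loop, which is outside the hunk, does not re-run the work continuously in that case.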
+--
+2.30.2
+
--- /dev/null
+From 45ea6e4f9e46a0a68f4956490c0eb4baa7fff6c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jun 2021 16:38:30 +0300
+Subject: net/mlx5: Fix return value from tracer initialization
+
+From: Aya Levin <ayal@nvidia.com>
+
+[ Upstream commit bd37c2888ccaa5ceb9895718f6909b247cc372e0 ]
+
+Check return value of mlx5_fw_tracer_start(), set error path and fix
+return value of mlx5_fw_tracer_init() accordingly.
+
+Fixes: c71ad41ccb0c ("net/mlx5: FW tracer, events handling")
+Signed-off-by: Aya Levin <ayal@nvidia.com>
+Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
+index eb2e57ff08a6..dc36b0db3722 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
+@@ -1017,12 +1017,19 @@ int mlx5_fw_tracer_init(struct mlx5_fw_tracer *tracer)
+ MLX5_NB_INIT(&tracer->nb, fw_tracer_event, DEVICE_TRACER);
+ mlx5_eq_notifier_register(dev, &tracer->nb);
+
+- mlx5_fw_tracer_start(tracer);
+-
++ err = mlx5_fw_tracer_start(tracer);
++ if (err) {
++ mlx5_core_warn(dev, "FWTracer: Failed to start tracer %d\n", err);
++ goto err_notifier_unregister;
++ }
+ return 0;
+
++err_notifier_unregister:
++ mlx5_eq_notifier_unregister(dev, &tracer->nb);
++ mlx5_core_destroy_mkey(dev, &tracer->buff.mkey);
+ err_dealloc_pd:
+ mlx5_core_dealloc_pd(dev, tracer->buff.pdn);
++ cancel_work_sync(&tracer->read_fw_strings_work);
+ return err;
+ }
+
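Review bot: On the new error path `cancel_work_sync(&tracer->read_fw_strings_work)` runs last, after the notifier has been unregistered and the mkey and PD released. If the work handler can touch any of those resources, it should be cancelled before they are torn down; the handler is outside the hunk, so this needs confirming. Placing the call under the existing `err_dealloc_pd` label also changes every earlier failure that jumps there, which deserves a line in the commit message or a separate label. The start of mlx5_fw_tracer_init() is outside the hunk.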
+--
+2.30.2
+
--- /dev/null
+From 4070a454ea6768894014dbbef9eae77069f70154 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Aug 2021 02:06:18 +0200
+Subject: net: phy: micrel: Fix link detection on ksz87xx switch"
+
+From: Ben Hutchings <ben.hutchings@mind.be>
+
+[ Upstream commit 2383cb9497d113360137a2be308b390faa80632d ]
+
+Commit a5e63c7d38d5 "net: phy: micrel: Fix detection of ksz87xx
+switch" broke link detection on the external ports of the KSZ8795.
+
+The previously unused phy_driver structure for these devices specifies
+config_aneg and read_status functions that appear to be designed for a
+fixed link and do not work with the embedded PHYs in the KSZ8795.
+
+Delete the use of these functions in favour of the generic PHY
+implementations which were used previously.
+
+Fixes: a5e63c7d38d5 ("net: phy: micrel: Fix detection of ksz87xx switch")
+Signed-off-by: Ben Hutchings <ben.hutchings@mind.be>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/micrel.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/net/phy/micrel.c b/drivers/net/phy/micrel.c
+index 910ab2182158..f95bd1b0fb96 100644
+--- a/drivers/net/phy/micrel.c
++++ b/drivers/net/phy/micrel.c
+@@ -1184,8 +1184,6 @@ static struct phy_driver ksphy_driver[] = {
+ .name = "Micrel KSZ87XX Switch",
+ /* PHY_BASIC_FEATURES */
+ .config_init = kszphy_config_init,
+- .config_aneg = ksz8873mll_config_aneg,
+- .read_status = ksz8873mll_read_status,
+ .match_phy_device = ksz8795_match_phy_device,
+ .suspend = genphy_suspend,
+ .resume = genphy_resume,
+--
+2.30.2
+
--- /dev/null
+From 0b2701b06dc4ad2628fa6b9dd76eb85478270728 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Aug 2021 15:04:55 +0800
+Subject: net: sched: act_mirred: Reset ct info when mirror/redirect skb
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit d09c548dbf3b31cb07bba562e0f452edfa01efe3 ]
+
+When mirror/redirect a skb to a different port, the ct info should be reset
+for reclassification. Or the pkts will match unexpected rules. For example,
+with following topology and commands:
+
+ -----------
+ |
+ veth0 -+-------
+ |
+ veth1 -+-------
+ |
+ ------------
+
+ tc qdisc add dev veth0 clsact
+ # The same with "action mirred egress mirror dev veth1" or "action mirred ingress redirect dev veth1"
+ tc filter add dev veth0 egress chain 1 protocol ip flower ct_state +trk action mirred ingress mirror dev veth1
+ tc filter add dev veth0 egress chain 0 protocol ip flower ct_state -inv action ct commit action goto chain 1
+ tc qdisc add dev veth1 clsact
+ tc filter add dev veth1 ingress chain 0 protocol ip flower ct_state +trk action drop
+
+ ping <remove ip via veth0> &
+ tc -s filter show dev veth1 ingress
+
+With command 'tc -s filter show', we can find the pkts were dropped on
+veth1.
+
+Fixes: b57dc7c13ea9 ("net/sched: Introduce action ct")
+Signed-off-by: Roi Dayan <roid@nvidia.com>
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/act_mirred.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c
+index 8327ef9793ef..e3ff884a48c5 100644
+--- a/net/sched/act_mirred.c
++++ b/net/sched/act_mirred.c
+@@ -261,6 +261,9 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a,
+ goto out;
+ }
+
++ /* All mirred/redirected skbs should clear previous ct info */
++ nf_reset_ct(skb2);
++
+ want_ingress = tcf_mirred_act_wants_ingress(m_eaction);
+
+ expects_nh = want_ingress || !m_mac_header_xmit;
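Review bot: The added comment above `nf_reset_ct(skb2)` says what is done but not why. Something like `/* Drop conntrack state from the source device so filters on the target device re-classify the packet */` would carry the reasoning from the commit message into the code. Whether skb2 is a clone or the original skb at this point is decided earlier in tcf_mirred_act(), outside the hunk, so the comment should not assume either.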
+--
+2.30.2
+
--- /dev/null
+From 01dd19446e412d8ee020351c0c43b5613afe43f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Jul 2021 16:20:21 +0800
+Subject: netfilter: nf_conntrack_bridge: Fix memory leak when error
+
+From: Yajun Deng <yajun.deng@linux.dev>
+
+[ Upstream commit 38ea9def5b62f9193f6bad96c5d108e2830ecbde ]
+
+It should be added kfree_skb_list() when err is not equal to zero
+in nf_br_ip_fragment().
+
+v2: keep this aligned with IPv6.
+v3: modify iter.frag_list to iter.frag.
+
+Fixes: 3c171f496ef5 ("netfilter: bridge: add connection tracking system")
+Signed-off-by: Yajun Deng <yajun.deng@linux.dev>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/netfilter/nf_conntrack_bridge.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/bridge/netfilter/nf_conntrack_bridge.c b/net/bridge/netfilter/nf_conntrack_bridge.c
+index 8d033a75a766..fdbed3158555 100644
+--- a/net/bridge/netfilter/nf_conntrack_bridge.c
++++ b/net/bridge/netfilter/nf_conntrack_bridge.c
+@@ -88,6 +88,12 @@ static int nf_br_ip_fragment(struct net *net, struct sock *sk,
+
+ skb = ip_fraglist_next(&iter);
+ }
++
++ if (!err)
++ return 0;
++
++ kfree_skb_list(iter.frag);
++
+ return err;
+ }
+ slow_path:
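Review bot: The `kfree_skb_list(iter.frag)` call has no comment, so the reader has to infer which skbs are still owned at this point. A comment such as `/* output failed: free the remaining fragments in iter.frag */` would document it, assuming iter.frag holds only fragments not yet passed to the output callback. The early `if (!err) return 0;` followed by an unconditional free is equivalent to `if (err) kfree_skb_list(iter.frag);` before the existing `return err;`, which is shorter, though the commit message says the shape is kept aligned with IPv6. The fragment loop is outside the hunk.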
+--
+2.30.2
+
--- /dev/null
+From ff51d47f9f6ed35b23fe5f6c82e02081abb7e760 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Aug 2021 13:55:15 +0200
+Subject: platform/x86: pcengines-apuv2: Add missing terminating entries to
+ gpio-lookup tables
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 9d7b132e62e41b7d49bf157aeaf9147c27492e0f ]
+
+The gpiod_lookup_table.table passed to gpiod_add_lookup_table() must
+be terminated with an empty entry, add this.
+
+Note we have likely been getting away with this not being present because
+the GPIO lookup code first matches on the dev_id, causing most lookups to
+skip checking the table and the lookups which do check the table will
+find a matching entry before reaching the end. With that said, terminating
+these tables properly still is obviously the correct thing to do.
+
+Fixes: f8eb0235f659 ("x86: pcengines apuv2 gpio/leds/keys platform driver")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20210806115515.12184-1-hdegoede@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/pcengines-apuv2.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/platform/x86/pcengines-apuv2.c b/drivers/platform/x86/pcengines-apuv2.c
+index cb95b4ede824..5db6f7394ef2 100644
+--- a/drivers/platform/x86/pcengines-apuv2.c
++++ b/drivers/platform/x86/pcengines-apuv2.c
+@@ -94,6 +94,7 @@ static struct gpiod_lookup_table gpios_led_table = {
+ NULL, 1, GPIO_ACTIVE_LOW),
+ GPIO_LOOKUP_IDX(AMD_FCH_GPIO_DRIVER_NAME, APU2_GPIO_LINE_LED3,
+ NULL, 2, GPIO_ACTIVE_LOW),
++ {} /* Terminating entry */
+ }
+ };
+
+@@ -123,6 +124,7 @@ static struct gpiod_lookup_table gpios_key_table = {
+ .table = {
+ GPIO_LOOKUP_IDX(AMD_FCH_GPIO_DRIVER_NAME, APU2_GPIO_LINE_MODESW,
+ NULL, 0, GPIO_ACTIVE_LOW),
++ {} /* Terminating entry */
+ }
+ };
+
+--
+2.30.2
+
--- /dev/null
+From f39d484e12a4d7b1b3f9679272bf1cf4450cf724 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Jul 2020 10:50:10 +0200
+Subject: platform/x86: pcengines-apuv2: revert wiring up simswitch GPIO as LED
+
+From: Florian Eckert <fe@dev.tdt.de>
+
+[ Upstream commit f560cd502190a9fd0ca8db0a15c5cca7d9091d2c ]
+
+This reverts commit 5037d4ddda31c2dbbb018109655f61054b1756dc.
+
+Explanation why this does not work:
+This change connects the simswap to the LED subsystem of the kernel.
+From my point of view, it's nonsense. If we do it this way, then this
+can be switched relatively easily via the LED subsystem (trigger:
+none/default-on) and that is dangerous! If this is used, it would be
+unfavorable, since there is also another trigger (trigger:
+heartbeat/netdev).
+
+Therefore, this simswap GPIO should remain in the GPIO
+subsystem and be switched via it and not be connected to the LED
+subsystem. To avoid the problems mentioned above. The LED subsystem is
+not made for this and it is not a good compromise, but rather dangerous.
+
+Signed-off-by: Florian Eckert <fe@dev.tdt.de>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/pcengines-apuv2.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/platform/x86/pcengines-apuv2.c b/drivers/platform/x86/pcengines-apuv2.c
+index c32daf087640..cb95b4ede824 100644
+--- a/drivers/platform/x86/pcengines-apuv2.c
++++ b/drivers/platform/x86/pcengines-apuv2.c
+@@ -78,7 +78,6 @@ static const struct gpio_led apu2_leds[] = {
+ { .name = "apu:green:1" },
+ { .name = "apu:green:2" },
+ { .name = "apu:green:3" },
+- { .name = "apu:simswap" },
+ };
+
+ static const struct gpio_led_platform_data apu2_leds_pdata = {
+@@ -95,8 +94,6 @@ static struct gpiod_lookup_table gpios_led_table = {
+ NULL, 1, GPIO_ACTIVE_LOW),
+ GPIO_LOOKUP_IDX(AMD_FCH_GPIO_DRIVER_NAME, APU2_GPIO_LINE_LED3,
+ NULL, 2, GPIO_ACTIVE_LOW),
+- GPIO_LOOKUP_IDX(AMD_FCH_GPIO_DRIVER_NAME, APU2_GPIO_LINE_SIMSWAP,
+- NULL, 3, GPIO_ACTIVE_LOW),
+ }
+ };
+
+--
+2.30.2
+
--- /dev/null
+From 5efc3e42cbbcdb9af34d1fc14a11085c042996eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Aug 2021 15:27:03 +0200
+Subject: ppp: Fix generating ifname when empty IFLA_IFNAME is specified
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit 2459dcb96bcba94c08d6861f8a050185ff301672 ]
+
+IFLA_IFNAME is nul-term string which means that IFLA_IFNAME buffer can be
+larger than length of string which contains.
+
+Function __rtnl_newlink() generates new own ifname if either IFLA_IFNAME
+was not specified at all or userspace passed empty nul-term string.
+
+It is expected that if userspace does not specify ifname for new ppp netdev
+then kernel generates one in format "ppp<id>" where id matches to the ppp
+unit id which can be later obtained by PPPIOCGUNIT ioctl.
+
+And it works in this way if IFLA_IFNAME is not specified at all. But it
+does not work when IFLA_IFNAME is specified with empty string.
+
+So fix this logic also for empty IFLA_IFNAME in ppp_nl_newlink() function
+and correctly generate ifname based on ppp unit identifier if userspace
+did not provide preferred ifname.
+
+Without this patch when IFLA_IFNAME was specified with empty string then
+kernel created a new ppp interface in format "ppp<id>" but id did not
+match ppp unit id returned by PPPIOCGUNIT ioctl. In this case id was some
+number generated by __rtnl_newlink() function.
+
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Fixes: bb8082f69138 ("ppp: build ifname using unit identifier for rtnl based devices")
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ppp/ppp_generic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
+index b7e2b4a0f3c6..c6c41a7836c9 100644
+--- a/drivers/net/ppp/ppp_generic.c
++++ b/drivers/net/ppp/ppp_generic.c
+@@ -1121,7 +1121,7 @@ static int ppp_nl_newlink(struct net *src_net, struct net_device *dev,
+ * the PPP unit identifer as suffix (i.e. ppp<unit_id>). This allows
+ * userspace to infer the device name using to the PPPIOCGUNIT ioctl.
+ */
+- if (!tb[IFLA_IFNAME])
++ if (!tb[IFLA_IFNAME] || !nla_len(tb[IFLA_IFNAME]) || !*(char *)nla_data(tb[IFLA_IFNAME]))
+ conf.ifname_is_set = false;
+
+ err = ppp_dev_configure(src_net, dev, &conf);
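Review bot: The new condition in ppp_nl_newlink() packs three tests into one very long line, and the part of the comment visible above it does not mention the empty-string case. IFLA_IFNAME is supplied by userspace, so the `nla_len()` test has to stay ahead of the `*(char *)nla_data()` dereference to make sure a zero-length attribute is never read. A short comment would record that ordering, for example `/* a zero-length or empty IFLA_IFNAME counts as "not set"; check the length before reading the first byte */`. Splitting the condition over three lines, one test per line, would also make the ordering easier to audit. The function starts and ends outside this hunk.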
+--
+2.30.2
+
--- /dev/null
+From 2809270813afdb8ae0558327e0fb115b8bb3cf14 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Aug 2021 09:52:42 +0300
+Subject: psample: Add a fwd declaration for skbuff
+
+From: Roi Dayan <roid@nvidia.com>
+
+[ Upstream commit beb7f2de5728b0bd2140a652fa51f6ad85d159f7 ]
+
+Without this there is a warning if source files include psample.h
+before skbuff.h or doesn't include it at all.
+
+Fixes: 6ae0a6286171 ("net: Introduce psample, a new genetlink channel for packet sampling")
+Signed-off-by: Roi Dayan <roid@nvidia.com>
+Link: https://lore.kernel.org/r/20210808065242.1522535-1-roid@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/psample.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/net/psample.h b/include/net/psample.h
+index 68ae16bb0a4a..20a17551f790 100644
+--- a/include/net/psample.h
++++ b/include/net/psample.h
+@@ -18,6 +18,8 @@ struct psample_group *psample_group_get(struct net *net, u32 group_num);
+ void psample_group_take(struct psample_group *group);
+ void psample_group_put(struct psample_group *group);
+
++struct sk_buff;
++
+ #if IS_ENABLED(CONFIG_PSAMPLE)
+
+ void psample_sample_packet(struct psample_group *group, struct sk_buff *skb,
+--
+2.30.2
+
ceph-reduce-contention-in-ceph_check_delayed_caps.patch
acpi-nfit-fix-support-for-virtual-spa-ranges.patch
libnvdimm-region-fix-label-activation-vs-errors.patch
+ieee802154-hwsim-fix-gpf-in-hwsim_set_edge_lqi.patch
+ieee802154-hwsim-fix-gpf-in-hwsim_new_edge_nl.patch
+asoc-cs42l42-correct-definition-of-adc-volume-contro.patch
+asoc-cs42l42-don-t-allow-snd_soc_daifmt_left_j.patch
+asoc-cs42l42-fix-inversion-of-adc-notch-switch-contr.patch
+asoc-cs42l42-remove-duplicate-control-for-wnf-filter.patch
+netfilter-nf_conntrack_bridge-fix-memory-leak-when-e.patch
+asoc-cs42l42-fix-lrclk-frame-start-edge.patch
+net-dsa-mt7530-add-the-missing-rxunicast-mib-counter.patch
+platform-x86-pcengines-apuv2-revert-wiring-up-simswi.patch
+platform-x86-pcengines-apuv2-add-missing-terminating.patch
+net-phy-micrel-fix-link-detection-on-ksz87xx-switch.patch
+ppp-fix-generating-ifname-when-empty-ifla_ifname-is-.patch
+net-sched-act_mirred-reset-ct-info-when-mirror-redir.patch
+iavf-set-rss-lut-and-key-in-reset-handle-path.patch
+psample-add-a-fwd-declaration-for-skbuff.patch
+net-mlx5-fix-return-value-from-tracer-initialization.patch
+drm-meson-fix-colour-distortion-from-hdr-set-during-.patch
+net-dsa-microchip-fix-ksz_read64.patch
+net-fix-memory-leak-in-ieee802154_raw_deliver.patch
+net-igmp-fix-data-race-in-igmp_ifc_timer_expire.patch
+net-dsa-lan9303-fix-broken-backpressure-in-.port_fdb.patch
+net-dsa-lantiq-fix-broken-backpressure-in-.port_fdb_.patch
+net-dsa-sja1105-fix-broken-backpressure-in-.port_fdb.patch
+net-bridge-fix-memleak-in-br_add_if.patch
+net-linkwatch-fix-failure-to-restore-device-state-ac.patch
+tcp_bbr-fix-u32-wrap-bug-in-round-logic-if-bbr_init-.patch
+net-igmp-increase-size-of-mr_ifc_count.patch
+xen-events-fix-race-in-set_evtchn_to_irq.patch
+vsock-virtio-avoid-potential-deadlock-when-vsock-dev.patch
+nbd-aovid-double-completion-of-a-request.patch
--- /dev/null
+From 75bd8f49cef243ae23880d1070887c891d4562e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Aug 2021 22:40:56 -0400
+Subject: tcp_bbr: fix u32 wrap bug in round logic if bbr_init() called after
+ 2B packets
+
+From: Neal Cardwell <ncardwell@google.com>
+
+[ Upstream commit 6de035fec045f8ae5ee5f3a02373a18b939e91fb ]
+
+Currently if BBR congestion control is initialized after more than 2B
+packets have been delivered, depending on the phase of the
+tp->delivered counter the tracking of BBR round trips can get stuck.
+
+The bug arises because if tp->delivered is between 2^31 and 2^32 at
+the time the BBR congestion control module is initialized, then the
+initialization of bbr->next_rtt_delivered to 0 will cause the logic to
+believe that the end of the round trip is still billions of packets in
+the future. More specifically, the following check will fail
+repeatedly:
+
+ !before(rs->prior_delivered, bbr->next_rtt_delivered)
+
+and thus the connection will take up to 2B packets delivered before
+that check will pass and the connection will set:
+
+ bbr->round_start = 1;
+
+This could cause many mechanisms in BBR to fail to trigger, for
+example bbr_check_full_bw_reached() would likely never exit STARTUP.
+
+This bug is 5 years old and has not been observed, and as a practical
+matter this would likely rarely trigger, since it would require
+transferring at least 2B packets, or likely more than 3 terabytes of
+data, before switching congestion control algorithms to BBR.
+
+This patch is a stable candidate for kernels as far back as v4.9,
+when tcp_bbr.c was added.
+
+Fixes: 0f8782ea1497 ("tcp_bbr: add BBR congestion control")
+Signed-off-by: Neal Cardwell <ncardwell@google.com>
+Reviewed-by: Yuchung Cheng <ycheng@google.com>
+Reviewed-by: Kevin Yang <yyd@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20210811024056.235161-1-ncardwell@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_bbr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp_bbr.c b/net/ipv4/tcp_bbr.c
+index 6ea3dc2e4219..6274462b86b4 100644
+--- a/net/ipv4/tcp_bbr.c
++++ b/net/ipv4/tcp_bbr.c
+@@ -1041,7 +1041,7 @@ static void bbr_init(struct sock *sk)
+ bbr->prior_cwnd = 0;
+ tp->snd_ssthresh = TCP_INFINITE_SSTHRESH;
+ bbr->rtt_cnt = 0;
+- bbr->next_rtt_delivered = 0;
++ bbr->next_rtt_delivered = tp->delivered;
+ bbr->prev_ca_state = TCP_CA_Open;
+ bbr->packet_conservation = 0;
+
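Review bot: The assignment `bbr->next_rtt_delivered = tp->delivered;` in bbr_init() has no comment explaining why it is seeded from the live counter, while the neighbouring fields in the hunk are reset to constants, so a later cleanup could plausibly change it back to 0. I would add a comment above it: `/* seed from tp->delivered: the round check uses wrap-safe before(), so 0 could be up to 2^31 packets away */`. The check that depends on this, quoted in the commit message as `!before(rs->prior_delivered, bbr->next_rtt_delivered)`, is outside this hunk, as is the rest of bbr_init().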
+--
+2.30.2
+
--- /dev/null
+From 7e4a4ebc12333f1f888efe020222194ada029e8b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Aug 2021 13:30:56 +0800
+Subject: vsock/virtio: avoid potential deadlock when vsock device remove
+
+From: Longpeng(Mike) <longpeng2@huawei.com>
+
+[ Upstream commit 49b0b6ffe20c5344f4173f3436298782a08da4f2 ]
+
+There's a potential deadlock case when remove the vsock device or
+process the RESET event:
+
+ vsock_for_each_connected_socket:
+ spin_lock_bh(&vsock_table_lock) ----------- (1)
+ ...
+ virtio_vsock_reset_sock:
+ lock_sock(sk) --------------------- (2)
+ ...
+ spin_unlock_bh(&vsock_table_lock)
+
+lock_sock() may schedule voluntarily when the 'sk' is owned by
+another thread at the same time, and we would receive a warning message
+that "scheduling while atomic".
+
+Even worse, if the next task (selected by the scheduler) try to
+release a 'sk', it need to request vsock_table_lock and the deadlock
+occur, cause the system into softlockup state.
+ Call trace:
+ queued_spin_lock_slowpath
+ vsock_remove_bound
+ vsock_remove_sock
+ virtio_transport_release
+ __vsock_release
+ vsock_release
+ __sock_release
+ sock_close
+ __fput
+ ____fput
+
+So we should not require sk_lock in this case, just like the behavior
+in vhost_vsock or vmci.
+
+Fixes: 0ea9e1d3a9e3 ("VSOCK: Introduce virtio_transport.ko")
+Cc: Stefan Hajnoczi <stefanha@redhat.com>
+Signed-off-by: Longpeng(Mike) <longpeng2@huawei.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Link: https://lore.kernel.org/r/20210812053056.1699-1-longpeng2@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/vmw_vsock/virtio_transport.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/net/vmw_vsock/virtio_transport.c b/net/vmw_vsock/virtio_transport.c
+index 5905f0cddc89..7973f98ebd91 100644
+--- a/net/vmw_vsock/virtio_transport.c
++++ b/net/vmw_vsock/virtio_transport.c
+@@ -373,11 +373,14 @@ static void virtio_vsock_event_fill(struct virtio_vsock *vsock)
+
+ static void virtio_vsock_reset_sock(struct sock *sk)
+ {
+- lock_sock(sk);
++ /* vmci_transport.c doesn't take sk_lock here either. At least we're
++ * under vsock_table_lock so the sock cannot disappear while we're
++ * executing.
++ */
++
+ sk->sk_state = TCP_CLOSE;
+ sk->sk_err = ECONNRESET;
+ sk->sk_error_report(sk);
+- release_sock(sk);
+ }
+
+ static void virtio_vsock_update_guest_cid(struct virtio_vsock *vsock)
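Review bot: With lock_sock() removed, the stores to `sk->sk_state` and `sk->sk_err` in virtio_vsock_reset_sock() run without the socket lock. The new comment explains only why the sock cannot be freed, not why racing with a thread that currently owns sk_lock is acceptable. If that race is tolerated by design, as the commit message implies by pointing at vhost_vsock and vmci, the comment should say so, e.g. `/* Called with vsock_table_lock held (atomic context), so lock_sock() must not be used; a concurrent sk_lock owner may observe the reset at any point. */`. The blank line between the comment and `sk->sk_state = TCP_CLOSE;` detaches the comment from the code it describes and could be dropped.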
+--
+2.30.2
+
--- /dev/null
+From 03dfadb65730de3201c4f7355b2d760786e89c94 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Aug 2021 13:09:27 +0000
+Subject: xen/events: Fix race in set_evtchn_to_irq
+
+From: Maximilian Heyne <mheyne@amazon.de>
+
+[ Upstream commit 88ca2521bd5b4e8b83743c01a2d4cb09325b51e9 ]
+
+There is a TOCTOU issue in set_evtchn_to_irq. Rows in the evtchn_to_irq
+mapping are lazily allocated in this function. The check whether the row
+is already present and the row initialization is not synchronized. Two
+threads can at the same time allocate a new row for evtchn_to_irq and
+add the irq mapping to the their newly allocated row. One thread will
+overwrite what the other has set for evtchn_to_irq[row] and therefore
+the irq mapping is lost. This will trigger a BUG_ON later in
+bind_evtchn_to_cpu:
+
+ INFO: pci 0000:1a:15.4: [1d0f:8061] type 00 class 0x010802
+ INFO: nvme 0000:1a:12.1: enabling device (0000 -> 0002)
+ INFO: nvme nvme77: 1/0/0 default/read/poll queues
+ CRIT: kernel BUG at drivers/xen/events/events_base.c:427!
+ WARN: invalid opcode: 0000 [#1] SMP NOPTI
+ WARN: Workqueue: nvme-reset-wq nvme_reset_work [nvme]
+ WARN: RIP: e030:bind_evtchn_to_cpu+0xc2/0xd0
+ WARN: Call Trace:
+ WARN: set_affinity_irq+0x121/0x150
+ WARN: irq_do_set_affinity+0x37/0xe0
+ WARN: irq_setup_affinity+0xf6/0x170
+ WARN: irq_startup+0x64/0xe0
+ WARN: __setup_irq+0x69e/0x740
+ WARN: ? request_threaded_irq+0xad/0x160
+ WARN: request_threaded_irq+0xf5/0x160
+ WARN: ? nvme_timeout+0x2f0/0x2f0 [nvme]
+ WARN: pci_request_irq+0xa9/0xf0
+ WARN: ? pci_alloc_irq_vectors_affinity+0xbb/0x130
+ WARN: queue_request_irq+0x4c/0x70 [nvme]
+ WARN: nvme_reset_work+0x82d/0x1550 [nvme]
+ WARN: ? check_preempt_wakeup+0x14f/0x230
+ WARN: ? check_preempt_curr+0x29/0x80
+ WARN: ? nvme_irq_check+0x30/0x30 [nvme]
+ WARN: process_one_work+0x18e/0x3c0
+ WARN: worker_thread+0x30/0x3a0
+ WARN: ? process_one_work+0x3c0/0x3c0
+ WARN: kthread+0x113/0x130
+ WARN: ? kthread_park+0x90/0x90
+ WARN: ret_from_fork+0x3a/0x50
+
+This patch sets evtchn_to_irq rows via a cmpxchg operation so that they
+will be set only once. The row is now cleared before writing it to
+evtchn_to_irq in order to not create a race once the row is visible for
+other threads.
+
+While at it, do not require the page to be zeroed, because it will be
+overwritten with -1's in clear_evtchn_to_irq_row anyway.
+
+Signed-off-by: Maximilian Heyne <mheyne@amazon.de>
+Fixes: d0b075ffeede ("xen/events: Refactor evtchn_to_irq array to be dynamically allocated")
+Link: https://lore.kernel.org/r/20210812130930.127134-1-mheyne@amazon.de
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/xen/events/events_base.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c
+index de825df4abf6..87cfadd70d0d 100644
+--- a/drivers/xen/events/events_base.c
++++ b/drivers/xen/events/events_base.c
+@@ -134,12 +134,12 @@ static void disable_dynirq(struct irq_data *data);
+
+ static DEFINE_PER_CPU(unsigned int, irq_epoch);
+
+-static void clear_evtchn_to_irq_row(unsigned row)
++static void clear_evtchn_to_irq_row(int *evtchn_row)
+ {
+ unsigned col;
+
+ for (col = 0; col < EVTCHN_PER_ROW; col++)
+- WRITE_ONCE(evtchn_to_irq[row][col], -1);
++ WRITE_ONCE(evtchn_row[col], -1);
+ }
+
+ static void clear_evtchn_to_irq_all(void)
+@@ -149,7 +149,7 @@ static void clear_evtchn_to_irq_all(void)
+ for (row = 0; row < EVTCHN_ROW(xen_evtchn_max_channels()); row++) {
+ if (evtchn_to_irq[row] == NULL)
+ continue;
+- clear_evtchn_to_irq_row(row);
++ clear_evtchn_to_irq_row(evtchn_to_irq[row]);
+ }
+ }
+
+@@ -157,6 +157,7 @@ static int set_evtchn_to_irq(unsigned evtchn, unsigned irq)
+ {
+ unsigned row;
+ unsigned col;
++ int *evtchn_row;
+
+ if (evtchn >= xen_evtchn_max_channels())
+ return -EINVAL;
+@@ -169,11 +170,18 @@ static int set_evtchn_to_irq(unsigned evtchn, unsigned irq)
+ if (irq == -1)
+ return 0;
+
+- evtchn_to_irq[row] = (int *)get_zeroed_page(GFP_KERNEL);
+- if (evtchn_to_irq[row] == NULL)
++ evtchn_row = (int *) __get_free_pages(GFP_KERNEL, 0);
++ if (evtchn_row == NULL)
+ return -ENOMEM;
+
+- clear_evtchn_to_irq_row(row);
++ clear_evtchn_to_irq_row(evtchn_row);
++
++ /*
++ * We've prepared an empty row for the mapping. If a different
++ * thread was faster inserting it, we can drop ours.
++ */
++ if (cmpxchg(&evtchn_to_irq[row], NULL, evtchn_row) != NULL)
++ free_page((unsigned long) evtchn_row);
+ }
+
+ WRITE_ONCE(evtchn_to_irq[row][col], irq);
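Review bot: The row published by `cmpxchg(&evtchn_to_irq[row], NULL, evtchn_row)` is only safe because clear_evtchn_to_irq_row() has already filled the page with -1, now that the page is no longer zeroed, and the comment above the cmpxchg does not record that. I would extend that comment with `* The row must be fully initialised before it becomes visible, so keep the clear ahead of the cmpxchg.` As a smaller style point, `(int *) __get_free_pages(GFP_KERNEL, 0)` can be written `(int *)__get_free_page(GFP_KERNEL)`, which pairs with the `free_page()` used on the losing path. The NULL test on `evtchn_to_irq[row]` that presumably guards this block is outside the hunk, as is the start of set_evtchn_to_irq(), so whether that first read needs `READ_ONCE()` cannot be judged from here.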
+--
+2.30.2
+