--- /dev/null
+From 5fcfe9f625bc904cc7c33355de479273f297be21 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 May 2021 14:53:36 +0800
+Subject: atm: iphase: fix possible use-after-free in ia_module_exit()
+
+From: Zou Wei <zou_wei@huawei.com>
+
+[ Upstream commit 1c72e6ab66b9598cac741ed397438a52065a8f1f ]
+
+This module's remove path calls del_timer(). However, that function
+does not wait until the timer handler finishes. This means that the
+timer handler may still be running after the driver's remove function
+has finished, which would result in a use-after-free.
+
+Fix by calling del_timer_sync(), which makes sure the timer handler
+has finished, and unable to re-schedule itself.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zou Wei <zou_wei@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/atm/iphase.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/atm/iphase.c b/drivers/atm/iphase.c
+index 8c7a996d1f16..46990352b5d3 100644
+--- a/drivers/atm/iphase.c
++++ b/drivers/atm/iphase.c
+@@ -3295,7 +3295,7 @@ static void __exit ia_module_exit(void)
+ {
+ pci_unregister_driver(&ia_driver);
+
+- del_timer(&ia_timer);
++ del_timer_sync(&ia_timer);
+ }
+
+ module_init(ia_module_init);
+--
+2.30.2
+
--- /dev/null
+From 771bb52155a684460aec3e2ccc5442d7e534c417 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 May 2021 15:00:24 +0800
+Subject: atm: nicstar: Fix possible use-after-free in nicstar_cleanup()
+
+From: Zou Wei <zou_wei@huawei.com>
+
+[ Upstream commit 34e7434ba4e97f4b85c1423a59b2922ba7dff2ea ]
+
+This module's remove path calls del_timer(). However, that function
+does not wait until the timer handler finishes. This means that the
+timer handler may still be running after the driver's remove function
+has finished, which would result in a use-after-free.
+
+Fix by calling del_timer_sync(), which makes sure the timer handler
+has finished, and unable to re-schedule itself.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zou Wei <zou_wei@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/atm/nicstar.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/atm/nicstar.c b/drivers/atm/nicstar.c
+index bb9835c62641..5ec7b6a60145 100644
+--- a/drivers/atm/nicstar.c
++++ b/drivers/atm/nicstar.c
+@@ -297,7 +297,7 @@ static void __exit nicstar_cleanup(void)
+ {
+ XPRINTK("nicstar: nicstar_cleanup() called.\n");
+
+- del_timer(&ns_timer);
++ del_timer_sync(&ns_timer);
+
+ pci_unregister_driver(&nicstar_driver);
+
+--
+2.30.2
+
--- /dev/null
+From c9cd119010ef4b1e2473aa32a0f257d1f0653666 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 20 Jun 2021 15:24:15 +0000
+Subject: atm: nicstar: register the interrupt handler in the right place
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+[ Upstream commit 70b639dc41ad499384e41e106fce72e36805c9f2 ]
+
+Because the error handling is sequential, the application of resources
+should be carried out in the order of error handling, so the operation
+of registering the interrupt handler should be put in front, so as not
+to free the unregistered interrupt handler during error handling.
+
+This log reveals it:
+
+[ 3.438724] Trying to free already-free IRQ 23
+[ 3.439060] WARNING: CPU: 5 PID: 1 at kernel/irq/manage.c:1825 free_irq+0xfb/0x480
+[ 3.440039] Modules linked in:
+[ 3.440257] CPU: 5 PID: 1 Comm: swapper/0 Not tainted 5.12.4-g70e7f0549188-dirty #142
+[ 3.440793] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
+[ 3.441561] RIP: 0010:free_irq+0xfb/0x480
+[ 3.441845] Code: 6e 08 74 6f 4d 89 f4 e8 c3 78 09 00 4d 8b 74 24 18 4d 85 f6 75 e3 e8 b4 78 09 00 8b 75 c8 48 c7 c7 a0 ac d5 85 e8 95 d7 f5 ff <0f> 0b 48 8b 75 c0 4c 89 ff e8 87 c5 90 03 48 8b 43 40 4c 8b a0 80
+[ 3.443121] RSP: 0000:ffffc90000017b50 EFLAGS: 00010086
+[ 3.443483] RAX: 0000000000000000 RBX: ffff888107c6f000 RCX: 0000000000000000
+[ 3.443972] RDX: 0000000000000000 RSI: ffffffff8123f301 RDI: 00000000ffffffff
+[ 3.444462] RBP: ffffc90000017b90 R08: 0000000000000001 R09: 0000000000000003
+[ 3.444950] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
+[ 3.444994] R13: ffff888107dc0000 R14: ffff888104f6bf00 R15: ffff888107c6f0a8
+[ 3.444994] FS: 0000000000000000(0000) GS:ffff88817bd40000(0000) knlGS:0000000000000000
+[ 3.444994] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 3.444994] CR2: 0000000000000000 CR3: 000000000642e000 CR4: 00000000000006e0
+[ 3.444994] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 3.444994] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 3.444994] Call Trace:
+[ 3.444994] ns_init_card_error+0x18e/0x250
+[ 3.444994] nicstar_init_one+0x10d2/0x1130
+[ 3.444994] local_pci_probe+0x4a/0xb0
+[ 3.444994] pci_device_probe+0x126/0x1d0
+[ 3.444994] ? pci_device_remove+0x100/0x100
+[ 3.444994] really_probe+0x27e/0x650
+[ 3.444994] driver_probe_device+0x84/0x1d0
+[ 3.444994] ? mutex_lock_nested+0x16/0x20
+[ 3.444994] device_driver_attach+0x63/0x70
+[ 3.444994] __driver_attach+0x117/0x1a0
+[ 3.444994] ? device_driver_attach+0x70/0x70
+[ 3.444994] bus_for_each_dev+0xb6/0x110
+[ 3.444994] ? rdinit_setup+0x40/0x40
+[ 3.444994] driver_attach+0x22/0x30
+[ 3.444994] bus_add_driver+0x1e6/0x2a0
+[ 3.444994] driver_register+0xa4/0x180
+[ 3.444994] __pci_register_driver+0x77/0x80
+[ 3.444994] ? uPD98402_module_init+0xd/0xd
+[ 3.444994] nicstar_init+0x1f/0x75
+[ 3.444994] do_one_initcall+0x7a/0x3d0
+[ 3.444994] ? rdinit_setup+0x40/0x40
+[ 3.444994] ? rcu_read_lock_sched_held+0x4a/0x70
+[ 3.444994] kernel_init_freeable+0x2a7/0x2f9
+[ 3.444994] ? rest_init+0x2c0/0x2c0
+[ 3.444994] kernel_init+0x13/0x180
+[ 3.444994] ? rest_init+0x2c0/0x2c0
+[ 3.444994] ? rest_init+0x2c0/0x2c0
+[ 3.444994] ret_from_fork+0x1f/0x30
+[ 3.444994] Kernel panic - not syncing: panic_on_warn set ...
+[ 3.444994] CPU: 5 PID: 1 Comm: swapper/0 Not tainted 5.12.4-g70e7f0549188-dirty #142
+[ 3.444994] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
+[ 3.444994] Call Trace:
+[ 3.444994] dump_stack+0xba/0xf5
+[ 3.444994] ? free_irq+0xfb/0x480
+[ 3.444994] panic+0x155/0x3ed
+[ 3.444994] ? __warn+0xed/0x150
+[ 3.444994] ? free_irq+0xfb/0x480
+[ 3.444994] __warn+0x103/0x150
+[ 3.444994] ? free_irq+0xfb/0x480
+[ 3.444994] report_bug+0x119/0x1c0
+[ 3.444994] handle_bug+0x3b/0x80
+[ 3.444994] exc_invalid_op+0x18/0x70
+[ 3.444994] asm_exc_invalid_op+0x12/0x20
+[ 3.444994] RIP: 0010:free_irq+0xfb/0x480
+[ 3.444994] Code: 6e 08 74 6f 4d 89 f4 e8 c3 78 09 00 4d 8b 74 24 18 4d 85 f6 75 e3 e8 b4 78 09 00 8b 75 c8 48 c7 c7 a0 ac d5 85 e8 95 d7 f5 ff <0f> 0b 48 8b 75 c0 4c 89 ff e8 87 c5 90 03 48 8b 43 40 4c 8b a0 80
+[ 3.444994] RSP: 0000:ffffc90000017b50 EFLAGS: 00010086
+[ 3.444994] RAX: 0000000000000000 RBX: ffff888107c6f000 RCX: 0000000000000000
+[ 3.444994] RDX: 0000000000000000 RSI: ffffffff8123f301 RDI: 00000000ffffffff
+[ 3.444994] RBP: ffffc90000017b90 R08: 0000000000000001 R09: 0000000000000003
+[ 3.444994] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
+[ 3.444994] R13: ffff888107dc0000 R14: ffff888104f6bf00 R15: ffff888107c6f0a8
+[ 3.444994] ? vprintk_func+0x71/0x110
+[ 3.444994] ns_init_card_error+0x18e/0x250
+[ 3.444994] nicstar_init_one+0x10d2/0x1130
+[ 3.444994] local_pci_probe+0x4a/0xb0
+[ 3.444994] pci_device_probe+0x126/0x1d0
+[ 3.444994] ? pci_device_remove+0x100/0x100
+[ 3.444994] really_probe+0x27e/0x650
+[ 3.444994] driver_probe_device+0x84/0x1d0
+[ 3.444994] ? mutex_lock_nested+0x16/0x20
+[ 3.444994] device_driver_attach+0x63/0x70
+[ 3.444994] __driver_attach+0x117/0x1a0
+[ 3.444994] ? device_driver_attach+0x70/0x70
+[ 3.444994] bus_for_each_dev+0xb6/0x110
+[ 3.444994] ? rdinit_setup+0x40/0x40
+[ 3.444994] driver_attach+0x22/0x30
+[ 3.444994] bus_add_driver+0x1e6/0x2a0
+[ 3.444994] driver_register+0xa4/0x180
+[ 3.444994] __pci_register_driver+0x77/0x80
+[ 3.444994] ? uPD98402_module_init+0xd/0xd
+[ 3.444994] nicstar_init+0x1f/0x75
+[ 3.444994] do_one_initcall+0x7a/0x3d0
+[ 3.444994] ? rdinit_setup+0x40/0x40
+[ 3.444994] ? rcu_read_lock_sched_held+0x4a/0x70
+[ 3.444994] kernel_init_freeable+0x2a7/0x2f9
+[ 3.444994] ? rest_init+0x2c0/0x2c0
+[ 3.444994] kernel_init+0x13/0x180
+[ 3.444994] ? rest_init+0x2c0/0x2c0
+[ 3.444994] ? rest_init+0x2c0/0x2c0
+[ 3.444994] ret_from_fork+0x1f/0x30
+[ 3.444994] Dumping ftrace buffer:
+[ 3.444994] (ftrace buffer empty)
+[ 3.444994] Kernel Offset: disabled
+[ 3.444994] Rebooting in 1 seconds..
+
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/atm/nicstar.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/atm/nicstar.c b/drivers/atm/nicstar.c
+index f1e8aa26d284..f9d29de537b6 100644
+--- a/drivers/atm/nicstar.c
++++ b/drivers/atm/nicstar.c
+@@ -525,6 +525,15 @@ static int ns_init_card(int i, struct pci_dev *pcidev)
+ /* Set the VPI/VCI MSb mask to zero so we can receive OAM cells */
+ writel(0x00000000, card->membase + VPM);
+
++ card->intcnt = 0;
++ if (request_irq
++ (pcidev->irq, &ns_irq_handler, IRQF_SHARED, "nicstar", card) != 0) {
++ pr_err("nicstar%d: can't allocate IRQ %d.\n", i, pcidev->irq);
++ error = 9;
++ ns_init_card_error(card, error);
++ return error;
++ }
++
+ /* Initialize TSQ */
+ card->tsq.org = dma_alloc_coherent(&card->pcidev->dev,
+ NS_TSQSIZE + NS_TSQ_ALIGNMENT,
+@@ -751,15 +760,6 @@ static int ns_init_card(int i, struct pci_dev *pcidev)
+
+ card->efbie = 1;
+
+- card->intcnt = 0;
+- if (request_irq
+- (pcidev->irq, &ns_irq_handler, IRQF_SHARED, "nicstar", card) != 0) {
+- printk("nicstar%d: can't allocate IRQ %d.\n", i, pcidev->irq);
+- error = 9;
+- ns_init_card_error(card, error);
+- return error;
+- }
+-
+ /* Register device */
+ card->atmdev = atm_dev_register("nicstar", &card->pcidev->dev, &atm_ops,
+ -1, NULL);
+--
+2.30.2
+
--- /dev/null
+From af0a1c5d208d05adb3c45371218308f5c912c3ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 20 Jun 2021 15:24:14 +0000
+Subject: atm: nicstar: use 'dma_free_coherent' instead of 'kfree'
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+[ Upstream commit 6a1e5a4af17e440dd82a58a2c5f40ff17a82b722 ]
+
+When 'nicstar_init_one' fails, 'ns_init_card_error' will be executed for
+error handling, but the correct memory free function should be used,
+otherwise it will cause an error. Since 'card->rsq.org' and
+'card->tsq.org' are allocated using 'dma_alloc_coherent' function, they
+should be freed using 'dma_free_coherent'.
+
+Fix this by using 'dma_free_coherent' instead of 'kfree'
+
+This log reveals it:
+
+[ 3.440294] kernel BUG at mm/slub.c:4206!
+[ 3.441059] invalid opcode: 0000 [#1] PREEMPT SMP PTI
+[ 3.441430] CPU: 2 PID: 1 Comm: swapper/0 Not tainted 5.12.4-g70e7f0549188-dirty #141
+[ 3.441986] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
+[ 3.442780] RIP: 0010:kfree+0x26a/0x300
+[ 3.443065] Code: e8 3a c3 b9 ff e9 d6 fd ff ff 49 8b 45 00 31 db a9 00 00 01 00 75 4d 49 8b 45 00 a9 00 00 01 00 75 0a 49 8b 45 08 a8 01 75 02 <0f> 0b 89 d9 b8 00 10 00 00 be 06 00 00 00 48 d3 e0 f7 d8 48 63 d0
+[ 3.443396] RSP: 0000:ffffc90000017b70 EFLAGS: 00010246
+[ 3.443396] RAX: dead000000000100 RBX: 0000000000000000 RCX: 0000000000000000
+[ 3.443396] RDX: 0000000000000000 RSI: ffffffff85d3df94 RDI: ffffffff85df38e6
+[ 3.443396] RBP: ffffc90000017b90 R08: 0000000000000001 R09: 0000000000000001
+[ 3.443396] R10: 0000000000000000 R11: 0000000000000001 R12: ffff888107dc0000
+[ 3.443396] R13: ffffea00001f0100 R14: ffff888101a8bf00 R15: ffff888107dc0160
+[ 3.443396] FS: 0000000000000000(0000) GS:ffff88817bc80000(0000) knlGS:0000000000000000
+[ 3.443396] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 3.443396] CR2: 0000000000000000 CR3: 000000000642e000 CR4: 00000000000006e0
+[ 3.443396] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 3.443396] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 3.443396] Call Trace:
+[ 3.443396] ns_init_card_error+0x12c/0x220
+[ 3.443396] nicstar_init_one+0x10d2/0x1130
+[ 3.443396] local_pci_probe+0x4a/0xb0
+[ 3.443396] pci_device_probe+0x126/0x1d0
+[ 3.443396] ? pci_device_remove+0x100/0x100
+[ 3.443396] really_probe+0x27e/0x650
+[ 3.443396] driver_probe_device+0x84/0x1d0
+[ 3.443396] ? mutex_lock_nested+0x16/0x20
+[ 3.443396] device_driver_attach+0x63/0x70
+[ 3.443396] __driver_attach+0x117/0x1a0
+[ 3.443396] ? device_driver_attach+0x70/0x70
+[ 3.443396] bus_for_each_dev+0xb6/0x110
+[ 3.443396] ? rdinit_setup+0x40/0x40
+[ 3.443396] driver_attach+0x22/0x30
+[ 3.443396] bus_add_driver+0x1e6/0x2a0
+[ 3.443396] driver_register+0xa4/0x180
+[ 3.443396] __pci_register_driver+0x77/0x80
+[ 3.443396] ? uPD98402_module_init+0xd/0xd
+[ 3.443396] nicstar_init+0x1f/0x75
+[ 3.443396] do_one_initcall+0x7a/0x3d0
+[ 3.443396] ? rdinit_setup+0x40/0x40
+[ 3.443396] ? rcu_read_lock_sched_held+0x4a/0x70
+[ 3.443396] kernel_init_freeable+0x2a7/0x2f9
+[ 3.443396] ? rest_init+0x2c0/0x2c0
+[ 3.443396] kernel_init+0x13/0x180
+[ 3.443396] ? rest_init+0x2c0/0x2c0
+[ 3.443396] ? rest_init+0x2c0/0x2c0
+[ 3.443396] ret_from_fork+0x1f/0x30
+[ 3.443396] Modules linked in:
+[ 3.443396] Dumping ftrace buffer:
+[ 3.443396] (ftrace buffer empty)
+[ 3.458593] ---[ end trace 3c6f8f0d8ef59bcd ]---
+[ 3.458922] RIP: 0010:kfree+0x26a/0x300
+[ 3.459198] Code: e8 3a c3 b9 ff e9 d6 fd ff ff 49 8b 45 00 31 db a9 00 00 01 00 75 4d 49 8b 45 00 a9 00 00 01 00 75 0a 49 8b 45 08 a8 01 75 02 <0f> 0b 89 d9 b8 00 10 00 00 be 06 00 00 00 48 d3 e0 f7 d8 48 63 d0
+[ 3.460499] RSP: 0000:ffffc90000017b70 EFLAGS: 00010246
+[ 3.460870] RAX: dead000000000100 RBX: 0000000000000000 RCX: 0000000000000000
+[ 3.461371] RDX: 0000000000000000 RSI: ffffffff85d3df94 RDI: ffffffff85df38e6
+[ 3.461873] RBP: ffffc90000017b90 R08: 0000000000000001 R09: 0000000000000001
+[ 3.462372] R10: 0000000000000000 R11: 0000000000000001 R12: ffff888107dc0000
+[ 3.462871] R13: ffffea00001f0100 R14: ffff888101a8bf00 R15: ffff888107dc0160
+[ 3.463368] FS: 0000000000000000(0000) GS:ffff88817bc80000(0000) knlGS:0000000000000000
+[ 3.463949] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 3.464356] CR2: 0000000000000000 CR3: 000000000642e000 CR4: 00000000000006e0
+[ 3.464856] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 3.465356] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 3.465860] Kernel panic - not syncing: Fatal exception
+[ 3.466370] Dumping ftrace buffer:
+[ 3.466616] (ftrace buffer empty)
+[ 3.466871] Kernel Offset: disabled
+[ 3.467122] Rebooting in 1 seconds..
+
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/atm/nicstar.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/atm/nicstar.c b/drivers/atm/nicstar.c
+index 5ec7b6a60145..f1e8aa26d284 100644
+--- a/drivers/atm/nicstar.c
++++ b/drivers/atm/nicstar.c
+@@ -837,10 +837,12 @@ static void ns_init_card_error(ns_dev *card, int error)
+ dev_kfree_skb_any(hb);
+ }
+ if (error >= 12) {
+- kfree(card->rsq.org);
++ dma_free_coherent(&card->pcidev->dev, NS_RSQSIZE + NS_RSQ_ALIGNMENT,
++ card->rsq.org, card->rsq.dma);
+ }
+ if (error >= 11) {
+- kfree(card->tsq.org);
++ dma_free_coherent(&card->pcidev->dev, NS_TSQSIZE + NS_TSQ_ALIGNMENT,
++ card->tsq.org, card->tsq.dma);
+ }
+ if (error >= 10) {
+ free_irq(card->pcidev->irq, card);
+--
+2.30.2
+
--- /dev/null
+From 0b8640e00d08a82de2fec3a044770e131d864b69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jun 2021 17:57:10 +0800
+Subject: Bluetooth: btusb: fix bt fiwmare downloading failure issue for qca
+ btsoc.
+
+From: Tim Jiang <tjiang@codeaurora.org>
+
+[ Upstream commit 4f00bfb372674d586c4a261bfc595cbce101fbb6 ]
+
+This is btsoc timing issue, after host start to downloading bt firmware,
+ep2 need time to switch from function acl to function dfu, so host add
+20ms delay as workaround.
+
+Signed-off-by: Tim Jiang <tjiang@codeaurora.org>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btusb.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index 27ff7a6e2fc9..6d643651d69f 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -3263,6 +3263,11 @@ static int btusb_setup_qca_download_fw(struct hci_dev *hdev,
+ sent += size;
+ count -= size;
+
++ /* ep2 need time to switch from function acl to function dfu,
++ * so we add 20ms delay here.
++ */
++ msleep(20);
++
+ while (count) {
+ size = min_t(size_t, count, QCA_DFU_PACKET_LEN);
+
+--
+2.30.2
+
--- /dev/null
+From fa5252809bc9b1800575c5f454d2ad149f90ea48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Apr 2021 23:06:26 +0800
+Subject: Bluetooth: btusb: Fixed too many in-token issue for Mediatek Chip.
+
+From: mark-yw.chen <mark-yw.chen@mediatek.com>
+
+[ Upstream commit 8454ed9ff9647e31e061fb5eb2e39ce79bc5e960 ]
+
+This patch reduce in-token during download patch procedure.
+Don't submit urb for polling event before sending hci command.
+
+Signed-off-by: mark-yw.chen <mark-yw.chen@mediatek.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btusb.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index b467fd05c5e8..27ff7a6e2fc9 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -2700,11 +2700,6 @@ static int btusb_mtk_hci_wmt_sync(struct hci_dev *hdev,
+ struct btmtk_wmt_hdr *hdr;
+ int err;
+
+- /* Submit control IN URB on demand to process the WMT event */
+- err = btusb_mtk_submit_wmt_recv_urb(hdev);
+- if (err < 0)
+- return err;
+-
+ /* Send the WMT command and wait until the WMT event returns */
+ hlen = sizeof(*hdr) + wmt_params->dlen;
+ if (hlen > 255)
+@@ -2726,6 +2721,11 @@ static int btusb_mtk_hci_wmt_sync(struct hci_dev *hdev,
+ return err;
+ }
+
++ /* Submit control IN URB on demand to process the WMT event */
++ err = btusb_mtk_submit_wmt_recv_urb(hdev);
++ if (err < 0)
++ return err;
++
+ /* The vendor specific WMT commands are all answered by a vendor
+ * specific event and will have the Command Status or Command
+ * Complete as with usual HCI command flow control.
+--
+2.30.2
+
--- /dev/null
+From 022bfaabd5ea896fa5cdee1b1ff8d05aa33a0585 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Apr 2021 16:53:30 -0700
+Subject: Bluetooth: Fix the HCI to MGMT status conversion table
+
+From: Yu Liu <yudiliu@google.com>
+
+[ Upstream commit 4ef36a52b0e47c80bbfd69c0cce61c7ae9f541ed ]
+
+0x2B, 0x31 and 0x33 are reserved for future use but were not present in
+the HCI to MGMT conversion table, this caused the conversion to be
+incorrect for the HCI status code greater than 0x2A.
+
+Reviewed-by: Miao-chen Chou <mcchou@chromium.org>
+Signed-off-by: Yu Liu <yudiliu@google.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/mgmt.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
+index db525321da1f..0ae5d3cab4dc 100644
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -219,12 +219,15 @@ static u8 mgmt_status_table[] = {
+ MGMT_STATUS_TIMEOUT, /* Instant Passed */
+ MGMT_STATUS_NOT_SUPPORTED, /* Pairing Not Supported */
+ MGMT_STATUS_FAILED, /* Transaction Collision */
++ MGMT_STATUS_FAILED, /* Reserved for future use */
+ MGMT_STATUS_INVALID_PARAMS, /* Unacceptable Parameter */
+ MGMT_STATUS_REJECTED, /* QoS Rejected */
+ MGMT_STATUS_NOT_SUPPORTED, /* Classification Not Supported */
+ MGMT_STATUS_REJECTED, /* Insufficient Security */
+ MGMT_STATUS_INVALID_PARAMS, /* Parameter Out Of Range */
++ MGMT_STATUS_FAILED, /* Reserved for future use */
+ MGMT_STATUS_BUSY, /* Role Switch Pending */
++ MGMT_STATUS_FAILED, /* Reserved for future use */
+ MGMT_STATUS_FAILED, /* Slot Violation */
+ MGMT_STATUS_FAILED, /* Role Switch Failed */
+ MGMT_STATUS_INVALID_PARAMS, /* EIR Too Large */
+--
+2.30.2
+
--- /dev/null
+From 08ad8adf1c27911610e959bd5190da99612cd6a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 May 2021 15:14:52 +0800
+Subject: Bluetooth: Shutdown controller after workqueues are flushed or
+ cancelled
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+[ Upstream commit 0ea9fd001a14ebc294f112b0361a4e601551d508 ]
+
+Rfkill block and unblock Intel USB Bluetooth [8087:0026] may make it
+stops working:
+[ 509.691509] Bluetooth: hci0: HCI reset during shutdown failed
+[ 514.897584] Bluetooth: hci0: MSFT filter_enable is already on
+[ 530.044751] usb 3-10: reset full-speed USB device number 5 using xhci_hcd
+[ 545.660350] usb 3-10: device descriptor read/64, error -110
+[ 561.283530] usb 3-10: device descriptor read/64, error -110
+[ 561.519682] usb 3-10: reset full-speed USB device number 5 using xhci_hcd
+[ 566.686650] Bluetooth: hci0: unexpected event for opcode 0x0500
+[ 568.752452] Bluetooth: hci0: urb 0000000096cd309b failed to resubmit (113)
+[ 578.797955] Bluetooth: hci0: Failed to read MSFT supported features (-110)
+[ 586.286565] Bluetooth: hci0: urb 00000000c522f633 failed to resubmit (113)
+[ 596.215302] Bluetooth: hci0: Failed to read MSFT supported features (-110)
+
+Or kernel panics because other workqueues already freed skb:
+[ 2048.663763] BUG: kernel NULL pointer dereference, address: 0000000000000000
+[ 2048.663775] #PF: supervisor read access in kernel mode
+[ 2048.663779] #PF: error_code(0x0000) - not-present page
+[ 2048.663782] PGD 0 P4D 0
+[ 2048.663787] Oops: 0000 [#1] SMP NOPTI
+[ 2048.663793] CPU: 3 PID: 4491 Comm: rfkill Tainted: G W 5.13.0-rc1-next-20210510+ #20
+[ 2048.663799] Hardware name: HP HP EliteBook 850 G8 Notebook PC/8846, BIOS T76 Ver. 01.01.04 12/02/2020
+[ 2048.663801] RIP: 0010:__skb_ext_put+0x6/0x50
+[ 2048.663814] Code: 8b 1b 48 85 db 75 db 5b 41 5c 5d c3 be 01 00 00 00 e8 de 13 c0 ff eb e7 be 02 00 00 00 e8 d2 13 c0 ff eb db 0f 1f 44 00 00 55 <8b> 07 48 89 e5 83 f8 01 74 14 b8 ff ff ff ff f0 0f c1
+07 83 f8 01
+[ 2048.663819] RSP: 0018:ffffc1d105b6fd80 EFLAGS: 00010286
+[ 2048.663824] RAX: 0000000000000000 RBX: ffff9d9ac5649000 RCX: 0000000000000000
+[ 2048.663827] RDX: ffffffffc0d1daf6 RSI: 0000000000000206 RDI: 0000000000000000
+[ 2048.663830] RBP: ffffc1d105b6fd98 R08: 0000000000000001 R09: ffff9d9ace8ceac0
+[ 2048.663834] R10: ffff9d9ace8ceac0 R11: 0000000000000001 R12: ffff9d9ac5649000
+[ 2048.663838] R13: 0000000000000000 R14: 00007ffe0354d650 R15: 0000000000000000
+[ 2048.663843] FS: 00007fe02ab19740(0000) GS:ffff9d9e5f8c0000(0000) knlGS:0000000000000000
+[ 2048.663849] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 2048.663853] CR2: 0000000000000000 CR3: 0000000111a52004 CR4: 0000000000770ee0
+[ 2048.663856] PKRU: 55555554
+[ 2048.663859] Call Trace:
+[ 2048.663865] ? skb_release_head_state+0x5e/0x80
+[ 2048.663873] kfree_skb+0x2f/0xb0
+[ 2048.663881] btusb_shutdown_intel_new+0x36/0x60 [btusb]
+[ 2048.663905] hci_dev_do_close+0x48c/0x5e0 [bluetooth]
+[ 2048.663954] ? __cond_resched+0x1a/0x50
+[ 2048.663962] hci_rfkill_set_block+0x56/0xa0 [bluetooth]
+[ 2048.664007] rfkill_set_block+0x98/0x170
+[ 2048.664016] rfkill_fop_write+0x136/0x1e0
+[ 2048.664022] vfs_write+0xc7/0x260
+[ 2048.664030] ksys_write+0xb1/0xe0
+[ 2048.664035] ? exit_to_user_mode_prepare+0x37/0x1c0
+[ 2048.664042] __x64_sys_write+0x1a/0x20
+[ 2048.664048] do_syscall_64+0x40/0xb0
+[ 2048.664055] entry_SYSCALL_64_after_hwframe+0x44/0xae
+[ 2048.664060] RIP: 0033:0x7fe02ac23c27
+[ 2048.664066] Code: 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24
+[ 2048.664070] RSP: 002b:00007ffe0354d638 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+[ 2048.664075] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fe02ac23c27
+[ 2048.664078] RDX: 0000000000000008 RSI: 00007ffe0354d650 RDI: 0000000000000003
+[ 2048.664081] RBP: 0000000000000000 R08: 0000559b05998440 R09: 0000559b05998440
+[ 2048.664084] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003
+[ 2048.664086] R13: 0000000000000000 R14: ffffffff00000000 R15: 00000000ffffffff
+
+So move the shutdown callback to a place where workqueues are either
+flushed or cancelled to resolve the issue.
+
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_core.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
+index 21a7ea9b70c8..37b585c9e857 100644
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -1672,14 +1672,6 @@ int hci_dev_do_close(struct hci_dev *hdev)
+
+ BT_DBG("%s %p", hdev->name, hdev);
+
+- if (!hci_dev_test_flag(hdev, HCI_UNREGISTER) &&
+- !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
+- test_bit(HCI_UP, &hdev->flags)) {
+- /* Execute vendor specific shutdown routine */
+- if (hdev->shutdown)
+- hdev->shutdown(hdev);
+- }
+-
+ cancel_delayed_work(&hdev->power_off);
+
+ hci_request_cancel_all(hdev);
+@@ -1753,6 +1745,14 @@ int hci_dev_do_close(struct hci_dev *hdev)
+ clear_bit(HCI_INIT, &hdev->flags);
+ }
+
++ if (!hci_dev_test_flag(hdev, HCI_UNREGISTER) &&
++ !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
++ test_bit(HCI_UP, &hdev->flags)) {
++ /* Execute vendor specific shutdown routine */
++ if (hdev->shutdown)
++ hdev->shutdown(hdev);
++ }
++
+ /* flush cmd work */
+ flush_work(&hdev->cmd_work);
+
+--
+2.30.2
+
--- /dev/null
+From d59df69cb6daf06c0b551b60a7f58fc2fffe0f4f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 11:25:11 +0200
+Subject: bpf: Fix up register-based shifts in interpreter to silence KUBSAN
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit 28131e9d933339a92f78e7ab6429f4aaaa07061c ]
+
+syzbot reported a shift-out-of-bounds that KUBSAN observed in the
+interpreter:
+
+ [...]
+ UBSAN: shift-out-of-bounds in kernel/bpf/core.c:1420:2
+ shift exponent 255 is too large for 64-bit type 'long long unsigned int'
+ CPU: 1 PID: 11097 Comm: syz-executor.4 Not tainted 5.12.0-rc2-syzkaller #0
+ Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+ Call Trace:
+ __dump_stack lib/dump_stack.c:79 [inline]
+ dump_stack+0x141/0x1d7 lib/dump_stack.c:120
+ ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
+ __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:327
+ ___bpf_prog_run.cold+0x19/0x56c kernel/bpf/core.c:1420
+ __bpf_prog_run32+0x8f/0xd0 kernel/bpf/core.c:1735
+ bpf_dispatcher_nop_func include/linux/bpf.h:644 [inline]
+ bpf_prog_run_pin_on_cpu include/linux/filter.h:624 [inline]
+ bpf_prog_run_clear_cb include/linux/filter.h:755 [inline]
+ run_filter+0x1a1/0x470 net/packet/af_packet.c:2031
+ packet_rcv+0x313/0x13e0 net/packet/af_packet.c:2104
+ dev_queue_xmit_nit+0x7c2/0xa90 net/core/dev.c:2387
+ xmit_one net/core/dev.c:3588 [inline]
+ dev_hard_start_xmit+0xad/0x920 net/core/dev.c:3609
+ __dev_queue_xmit+0x2121/0x2e00 net/core/dev.c:4182
+ __bpf_tx_skb net/core/filter.c:2116 [inline]
+ __bpf_redirect_no_mac net/core/filter.c:2141 [inline]
+ __bpf_redirect+0x548/0xc80 net/core/filter.c:2164
+ ____bpf_clone_redirect net/core/filter.c:2448 [inline]
+ bpf_clone_redirect+0x2ae/0x420 net/core/filter.c:2420
+ ___bpf_prog_run+0x34e1/0x77d0 kernel/bpf/core.c:1523
+ __bpf_prog_run512+0x99/0xe0 kernel/bpf/core.c:1737
+ bpf_dispatcher_nop_func include/linux/bpf.h:644 [inline]
+ bpf_test_run+0x3ed/0xc50 net/bpf/test_run.c:50
+ bpf_prog_test_run_skb+0xabc/0x1c50 net/bpf/test_run.c:582
+ bpf_prog_test_run kernel/bpf/syscall.c:3127 [inline]
+ __do_sys_bpf+0x1ea9/0x4f00 kernel/bpf/syscall.c:4406
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+ [...]
+
+Generally speaking, KUBSAN reports from the kernel should be fixed.
+However, in case of BPF, this particular report caused concerns since
+the large shift is not wrong from BPF point of view, just undefined.
+In the verifier, K-based shifts that are >= {64,32} (depending on the
+bitwidth of the instruction) are already rejected. The register-based
+cases were not given their content might not be known at verification
+time. Ideas such as verifier instruction rewrite with an additional
+AND instruction for the source register were brought up, but regularly
+rejected due to the additional runtime overhead they incur.
+
+As Edward Cree rightly put it:
+
+ Shifts by more than insn bitness are legal in the BPF ISA; they are
+ implementation-defined behaviour [of the underlying architecture],
+ rather than UB, and have been made legal for performance reasons.
+ Each of the JIT backends compiles the BPF shift operations to machine
+ instructions which produce implementation-defined results in such a
+ case; the resulting contents of the register may be arbitrary but
+ program behaviour as a whole remains defined.
+
+ Guard checks in the fast path (i.e. affecting JITted code) will thus
+ not be accepted.
+
+ The case of division by zero is not truly analogous here, as division
+ instructions on many of the JIT-targeted architectures will raise a
+ machine exception / fault on division by zero, whereas (to the best
+ of my knowledge) none will do so on an out-of-bounds shift.
+
+Given the KUBSAN report only affects the BPF interpreter, but not JITs,
+one solution is to add the ANDs with 63 or 31 into ___bpf_prog_run().
+That would make the shifts defined, and thus shuts up KUBSAN, and the
+compiler would optimize out the AND on any CPU that interprets the shift
+amounts modulo the width anyway (e.g., confirmed from disassembly that
+on x86-64 and arm64 the generated interpreter code is the same before
+and after this fix).
+
+The BPF interpreter is slow path, and most likely compiled out anyway
+as distros select BPF_JIT_ALWAYS_ON to avoid speculative execution of
+BPF instructions by the interpreter. Given the main argument was to
+avoid sacrificing performance, the fact that the AND is optimized away
+from compiler for mainstream archs helps as well as a solution moving
+forward. Also add a comment on LSH/RSH/ARSH translation for JIT authors
+to provide guidance when they see the ___bpf_prog_run() interpreter
+code and use it as a model for a new JIT backend.
+
+Reported-by: syzbot+bed360704c521841c85d@syzkaller.appspotmail.com
+Reported-by: Kurt Manucredo <fuzzybritches0@gmail.com>
+Signed-off-by: Eric Biggers <ebiggers@kernel.org>
+Co-developed-by: Eric Biggers <ebiggers@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Andrii Nakryiko <andrii@kernel.org>
+Tested-by: syzbot+bed360704c521841c85d@syzkaller.appspotmail.com
+Cc: Edward Cree <ecree.xilinx@gmail.com>
+Link: https://lore.kernel.org/bpf/0000000000008f912605bd30d5d7@google.com
+Link: https://lore.kernel.org/bpf/bac16d8d-c174-bdc4-91bd-bfa62b410190@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/core.c | 61 +++++++++++++++++++++++++++++++++--------------
+ 1 file changed, 43 insertions(+), 18 deletions(-)
+
+diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
+index 56bc96f5ad20..323913ba13b3 100644
+--- a/kernel/bpf/core.c
++++ b/kernel/bpf/core.c
+@@ -1321,29 +1321,54 @@ static u64 ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn, u64 *stack)
+ select_insn:
+ goto *jumptable[insn->code];
+
+- /* ALU */
+-#define ALU(OPCODE, OP) \
+- ALU64_##OPCODE##_X: \
+- DST = DST OP SRC; \
+- CONT; \
+- ALU_##OPCODE##_X: \
+- DST = (u32) DST OP (u32) SRC; \
+- CONT; \
+- ALU64_##OPCODE##_K: \
+- DST = DST OP IMM; \
+- CONT; \
+- ALU_##OPCODE##_K: \
+- DST = (u32) DST OP (u32) IMM; \
++ /* Explicitly mask the register-based shift amounts with 63 or 31
++ * to avoid undefined behavior. Normally this won't affect the
++ * generated code, for example, in case of native 64 bit archs such
++ * as x86-64 or arm64, the compiler is optimizing the AND away for
++ * the interpreter. In case of JITs, each of the JIT backends compiles
++ * the BPF shift operations to machine instructions which produce
++ * implementation-defined results in such a case; the resulting
++ * contents of the register may be arbitrary, but program behaviour
++ * as a whole remains defined. In other words, in case of JIT backends,
++ * the AND must /not/ be added to the emitted LSH/RSH/ARSH translation.
++ */
++ /* ALU (shifts) */
++#define SHT(OPCODE, OP) \
++ ALU64_##OPCODE##_X: \
++ DST = DST OP (SRC & 63); \
++ CONT; \
++ ALU_##OPCODE##_X: \
++ DST = (u32) DST OP ((u32) SRC & 31); \
++ CONT; \
++ ALU64_##OPCODE##_K: \
++ DST = DST OP IMM; \
++ CONT; \
++ ALU_##OPCODE##_K: \
++ DST = (u32) DST OP (u32) IMM; \
++ CONT;
++ /* ALU (rest) */
++#define ALU(OPCODE, OP) \
++ ALU64_##OPCODE##_X: \
++ DST = DST OP SRC; \
++ CONT; \
++ ALU_##OPCODE##_X: \
++ DST = (u32) DST OP (u32) SRC; \
++ CONT; \
++ ALU64_##OPCODE##_K: \
++ DST = DST OP IMM; \
++ CONT; \
++ ALU_##OPCODE##_K: \
++ DST = (u32) DST OP (u32) IMM; \
+ CONT;
+-
+ ALU(ADD, +)
+ ALU(SUB, -)
+ ALU(AND, &)
+ ALU(OR, |)
+- ALU(LSH, <<)
+- ALU(RSH, >>)
+ ALU(XOR, ^)
+ ALU(MUL, *)
++ SHT(LSH, <<)
++ SHT(RSH, >>)
++#undef SHT
+ #undef ALU
+ ALU_NEG:
+ DST = (u32) -DST;
+@@ -1368,13 +1393,13 @@ select_insn:
+ insn++;
+ CONT;
+ ALU_ARSH_X:
+- DST = (u64) (u32) (((s32) DST) >> SRC);
++ DST = (u64) (u32) (((s32) DST) >> (SRC & 31));
+ CONT;
+ ALU_ARSH_K:
+ DST = (u64) (u32) (((s32) DST) >> IMM);
+ CONT;
+ ALU64_ARSH_X:
+- (*(s64 *) &DST) >>= SRC;
++ (*(s64 *) &DST) >>= (SRC & 63);
+ CONT;
+ ALU64_ARSH_K:
+ (*(s64 *) &DST) >>= IMM;
+--
+2.30.2
+
--- /dev/null
+From a1cb577b83a6118644bbf4799ee4025b32537e1b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 May 2021 13:36:38 +0900
+Subject: clk: renesas: r8a77995: Add ZA2 clock
+
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+
+[ Upstream commit 790c06cc5df263cdaff748670cc65958c81b0951 ]
+
+R-Car D3 ZA2 clock is from PLL0D3 or S0,
+and it can be controlled by ZA2CKCR.
+It is needed for R-Car Sound, but is not used so far.
+Using default settings is very enough at this point.
+This patch adds it by DEF_FIXED().
+
+Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Link: https://lore.kernel.org/r/87pmxclrmy.wl-kuninori.morimoto.gx@renesas.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/renesas/r8a77995-cpg-mssr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/clk/renesas/r8a77995-cpg-mssr.c b/drivers/clk/renesas/r8a77995-cpg-mssr.c
+index 962bb337f2e7..315f0d4bc420 100644
+--- a/drivers/clk/renesas/r8a77995-cpg-mssr.c
++++ b/drivers/clk/renesas/r8a77995-cpg-mssr.c
+@@ -75,6 +75,7 @@ static const struct cpg_core_clk r8a77995_core_clks[] __initconst = {
+ DEF_RATE(".oco", CLK_OCO, 8 * 1000 * 1000),
+
+ /* Core Clock Outputs */
++ DEF_FIXED("za2", R8A77995_CLK_ZA2, CLK_PLL0D3, 2, 1),
+ DEF_FIXED("z2", R8A77995_CLK_Z2, CLK_PLL0D3, 1, 1),
+ DEF_FIXED("ztr", R8A77995_CLK_ZTR, CLK_PLL1, 6, 1),
+ DEF_FIXED("zt", R8A77995_CLK_ZT, CLK_PLL1, 4, 1),
+--
+2.30.2
+
--- /dev/null
+From 55475b712faebfa96e58ac50e7491576cb51e781 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 16 May 2021 19:30:35 +0300
+Subject: clk: tegra: Ensure that PLLU configuration is applied properly
+
+From: Dmitry Osipenko <digetx@gmail.com>
+
+[ Upstream commit a7196048cd5168096c2c4f44a3939d7a6dcd06b9 ]
+
+The PLLU (USB) consists of the PLL configuration itself and configuration
+of the PLLU outputs. The PLLU programming is inconsistent on T30 vs T114,
+where T114 immediately bails out if PLLU is enabled and T30 re-enables
+a potentially already enabled PLL (left after bootloader) and then fully
+reprograms it, which could be unsafe to do. The correct way should be to
+skip enabling of the PLL if it's already enabled and then apply
+configuration to the outputs. This patch doesn't fix any known problems,
+it's a minor improvement.
+
+Acked-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/tegra/clk-pll.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/clk/tegra/clk-pll.c b/drivers/clk/tegra/clk-pll.c
+index 80f640d9ea71..24ecfc114d41 100644
+--- a/drivers/clk/tegra/clk-pll.c
++++ b/drivers/clk/tegra/clk-pll.c
+@@ -1089,7 +1089,8 @@ static int clk_pllu_enable(struct clk_hw *hw)
+ if (pll->lock)
+ spin_lock_irqsave(pll->lock, flags);
+
+- _clk_pll_enable(hw);
++ if (!clk_pll_is_enabled(hw))
++ _clk_pll_enable(hw);
+
+ ret = clk_pll_wait_for_lock(pll);
+ if (ret < 0)
+@@ -1706,15 +1707,13 @@ static int clk_pllu_tegra114_enable(struct clk_hw *hw)
+ return -EINVAL;
+ }
+
+- if (clk_pll_is_enabled(hw))
+- return 0;
+-
+ input_rate = clk_hw_get_rate(__clk_get_hw(osc));
+
+ if (pll->lock)
+ spin_lock_irqsave(pll->lock, flags);
+
+- _clk_pll_enable(hw);
++ if (!clk_pll_is_enabled(hw))
++ _clk_pll_enable(hw);
+
+ ret = clk_pll_wait_for_lock(pll);
+ if (ret < 0)
+--
+2.30.2
+
--- /dev/null
+From 8496a38220b007012304d4f525dffaca4fd60895 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 May 2021 11:05:14 +0800
+Subject: cw1200: add missing MODULE_DEVICE_TABLE
+
+From: Zou Wei <zou_wei@huawei.com>
+
+[ Upstream commit dd778f89225cd258e8f0fed2b7256124982c8bb5 ]
+
+This patch adds missing MODULE_DEVICE_TABLE definition which generates
+correct modalias for automatic loading of this driver when it is built
+as an external module.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zou Wei <zou_wei@huawei.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/1620788714-14300-1-git-send-email-zou_wei@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/st/cw1200/cw1200_sdio.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/st/cw1200/cw1200_sdio.c b/drivers/net/wireless/st/cw1200/cw1200_sdio.c
+index 43e012073dbf..5ac06d672fc6 100644
+--- a/drivers/net/wireless/st/cw1200/cw1200_sdio.c
++++ b/drivers/net/wireless/st/cw1200/cw1200_sdio.c
+@@ -60,6 +60,7 @@ static const struct sdio_device_id cw1200_sdio_ids[] = {
+ { SDIO_DEVICE(SDIO_VENDOR_ID_STE, SDIO_DEVICE_ID_STE_CW1200) },
+ { /* end: all zeroes */ },
+ };
++MODULE_DEVICE_TABLE(sdio, cw1200_sdio_ids);
+
+ /* hwbus_ops implemetation */
+
+--
+2.30.2
+
--- /dev/null
+From 900be0b8c7416fdd0739ec4a57422d99f6976ce0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Apr 2021 09:03:49 +0100
+Subject: dm space maps: don't reset space map allocation cursor when
+ committing
+
+From: Joe Thornber <ejt@redhat.com>
+
+[ Upstream commit 5faafc77f7de69147d1e818026b9a0cbf036a7b2 ]
+
+Current commit code resets the place where the search for free blocks
+will begin back to the start of the metadata device. There are a couple
+of repercussions to this:
+
+- The first allocation after the commit is likely to take longer than
+ normal as it searches for a free block in an area that is likely to
+ have very few free blocks (if any).
+
+- Any free blocks it finds will have been recently freed. Reusing them
+ means we have fewer old copies of the metadata to aid recovery from
+ hardware error.
+
+Fix these issues by leaving the cursor alone, only resetting when the
+search hits the end of the metadata device.
+
+Signed-off-by: Joe Thornber <ejt@redhat.com>
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/persistent-data/dm-space-map-disk.c | 9 ++++++++-
+ drivers/md/persistent-data/dm-space-map-metadata.c | 9 ++++++++-
+ 2 files changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/md/persistent-data/dm-space-map-disk.c b/drivers/md/persistent-data/dm-space-map-disk.c
+index bf4c5e2ccb6f..e0acae7a3815 100644
+--- a/drivers/md/persistent-data/dm-space-map-disk.c
++++ b/drivers/md/persistent-data/dm-space-map-disk.c
+@@ -171,6 +171,14 @@ static int sm_disk_new_block(struct dm_space_map *sm, dm_block_t *b)
+ * Any block we allocate has to be free in both the old and current ll.
+ */
+ r = sm_ll_find_common_free_block(&smd->old_ll, &smd->ll, smd->begin, smd->ll.nr_blocks, b);
++ if (r == -ENOSPC) {
++ /*
++ * There's no free block between smd->begin and the end of the metadata device.
++ * We search before smd->begin in case something has been freed.
++ */
++ r = sm_ll_find_common_free_block(&smd->old_ll, &smd->ll, 0, smd->begin, b);
++ }
++
+ if (r)
+ return r;
+
+@@ -199,7 +207,6 @@ static int sm_disk_commit(struct dm_space_map *sm)
+ return r;
+
+ memcpy(&smd->old_ll, &smd->ll, sizeof(smd->old_ll));
+- smd->begin = 0;
+ smd->nr_allocated_this_transaction = 0;
+
+ r = sm_disk_get_nr_free(sm, &nr_free);
+diff --git a/drivers/md/persistent-data/dm-space-map-metadata.c b/drivers/md/persistent-data/dm-space-map-metadata.c
+index 9e3c64ec2026..da439ac85796 100644
+--- a/drivers/md/persistent-data/dm-space-map-metadata.c
++++ b/drivers/md/persistent-data/dm-space-map-metadata.c
+@@ -452,6 +452,14 @@ static int sm_metadata_new_block_(struct dm_space_map *sm, dm_block_t *b)
+ * Any block we allocate has to be free in both the old and current ll.
+ */
+ r = sm_ll_find_common_free_block(&smm->old_ll, &smm->ll, smm->begin, smm->ll.nr_blocks, b);
++ if (r == -ENOSPC) {
++ /*
++ * There's no free block between smm->begin and the end of the metadata device.
++ * We search before smm->begin in case something has been freed.
++ */
++ r = sm_ll_find_common_free_block(&smm->old_ll, &smm->ll, 0, smm->begin, b);
++ }
++
+ if (r)
+ return r;
+
+@@ -503,7 +511,6 @@ static int sm_metadata_commit(struct dm_space_map *sm)
+ return r;
+
+ memcpy(&smm->old_ll, &smm->ll, sizeof(smm->old_ll));
+- smm->begin = 0;
+ smm->allocated_this_transaction = 0;
+
+ return 0;
+--
+2.30.2
+
--- /dev/null
+From 6faf934b59100b014ba70f1e833e1dd68a3f5b16 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Apr 2021 17:08:47 +0800
+Subject: drm/amd/amdgpu/sriov disable all ip hw status by default
+
+From: Jack Zhang <Jack.Zhang1@amd.com>
+
+[ Upstream commit 95ea3dbc4e9548d35ab6fbf67675cef8c293e2f5 ]
+
+Disable all ip's hw status to false before any hw_init.
+Only set it to true until its hw_init is executed.
+
+The old 5.9 branch has this change but somehow the 5.11 kernrel does
+not have this fix.
+
+Without this change, sriov tdr have gfx IB test fail.
+
+Signed-off-by: Jack Zhang <Jack.Zhang1@amd.com>
+Review-by: Emily Deng <Emily.Deng@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+index 765f9a6c4640..d0e1fd011de5 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -2291,7 +2291,7 @@ static int amdgpu_device_ip_reinit_early_sriov(struct amdgpu_device *adev)
+ AMD_IP_BLOCK_TYPE_IH,
+ };
+
+- for (i = 0; i < ARRAY_SIZE(ip_order); i++) {
++ for (i = 0; i < adev->num_ip_blocks; i++) {
+ int j;
+ struct amdgpu_ip_block *block;
+
+--
+2.30.2
+
--- /dev/null
+From 62c5ddc57f4c62aea2b26a1e52f42f75c14bfc1f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Apr 2021 17:50:53 -0400
+Subject: drm/amd/display: fix use_max_lb flag for 420 pixel formats
+
+From: Dmytro Laktyushkin <Dmytro.Laktyushkin@amd.com>
+
+[ Upstream commit 8809a7a4afe90ad9ffb42f72154d27e7c47551ae ]
+
+Right now the flag simply selects memory config 0 when flag is true
+however 420 modes benefit more from memory config 3.
+
+Signed-off-by: Dmytro Laktyushkin <Dmytro.Laktyushkin@amd.com>
+Reviewed-by: Aric Cyr <Aric.Cyr@amd.com>
+Acked-by: Stylon Wang <stylon.wang@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/dcn10/dcn10_dpp_dscl.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_dpp_dscl.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_dpp_dscl.c
+index d67e0abeee93..11a89d873384 100644
+--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_dpp_dscl.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_dpp_dscl.c
+@@ -484,10 +484,13 @@ static enum lb_memory_config dpp1_dscl_find_lb_memory_config(struct dcn10_dpp *d
+ int vtaps_c = scl_data->taps.v_taps_c;
+ int ceil_vratio = dc_fixpt_ceil(scl_data->ratios.vert);
+ int ceil_vratio_c = dc_fixpt_ceil(scl_data->ratios.vert_c);
+- enum lb_memory_config mem_cfg = LB_MEMORY_CONFIG_0;
+
+- if (dpp->base.ctx->dc->debug.use_max_lb)
+- return mem_cfg;
++ if (dpp->base.ctx->dc->debug.use_max_lb) {
++ if (scl_data->format == PIXEL_FORMAT_420BPP8
++ || scl_data->format == PIXEL_FORMAT_420BPP10)
++ return LB_MEMORY_CONFIG_3;
++ return LB_MEMORY_CONFIG_0;
++ }
+
+ dpp->base.caps->dscl_calc_lb_num_partitions(
+ scl_data, LB_MEMORY_CONFIG_1, &num_part_y, &num_part_c);
+--
+2.30.2
+
--- /dev/null
+From ab110d26a46a92871b47f1fc907d6dd7876d34ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 May 2021 13:55:46 -0400
+Subject: drm/amd/display: Release MST resources on switch from MST to SST
+
+From: Vladimir Stempen <vladimir.stempen@amd.com>
+
+[ Upstream commit 3f8518b60c10aa96f3efa38a967a0b4eb9211ac0 ]
+
+[why]
+When OS overrides training link training parameters
+for MST device to SST mode, MST resources are not
+released and leak of the resource may result crash and
+incorrect MST discovery during following hot plugs.
+
+[how]
+Retaining sink object to be reused by SST link and
+releasing MST resources.
+
+Signed-off-by: Vladimir Stempen <vladimir.stempen@amd.com>
+Reviewed-by: Wenjing Liu <Wenjing.Liu@amd.com>
+Acked-by: Stylon Wang <stylon.wang@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c b/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c
+index c18f39271b03..4bc95e9075e9 100644
+--- a/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c
++++ b/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c
+@@ -1284,6 +1284,8 @@ static void set_dp_mst_mode(struct dc_link *link, bool mst_enable)
+ link->type = dc_connection_single;
+ link->local_sink = link->remote_sinks[0];
+ link->local_sink->sink_signal = SIGNAL_TYPE_DISPLAY_PORT;
++ dc_sink_retain(link->local_sink);
++ dm_helpers_dp_mst_stop_top_mgr(link->ctx, link);
+ } else if (mst_enable == true &&
+ link->type == dc_connection_single &&
+ link->remote_sinks[0] != NULL) {
+--
+2.30.2
+
--- /dev/null
+From 52c1f35acb9b8c36c55fddb64f9d0f5e83386de1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 May 2021 12:12:48 -0400
+Subject: drm/amd/display: Set DISPCLK_MAX_ERRDET_CYCLES to 7
+
+From: Wesley Chalmers <Wesley.Chalmers@amd.com>
+
+[ Upstream commit 3577e1678772ce3ede92af3a75b44a4b76f9b4ad ]
+
+[WHY]
+DISPCLK_MAX_ERRDET_CYCLES must be 7 to prevent connection loss when
+changing DENTIST_DISPCLK_WDIVIDER from 126 to 127 and back.
+
+Signed-off-by: Wesley Chalmers <Wesley.Chalmers@amd.com>
+Reviewed-by: Dmytro Laktyushkin <Dmytro.Laktyushkin@amd.com>
+Acked-by: Stylon Wang <stylon.wang@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
+index 083c42e521f5..03a2e1d7f067 100644
+--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
+@@ -126,7 +126,7 @@ void dcn20_dccg_init(struct dce_hwseq *hws)
+ REG_WRITE(MILLISECOND_TIME_BASE_DIV, 0x1186a0);
+
+ /* This value is dependent on the hardware pipeline delay so set once per SOC */
+- REG_WRITE(DISPCLK_FREQ_CHANGE_CNTL, 0x801003c);
++ REG_WRITE(DISPCLK_FREQ_CHANGE_CNTL, 0xe01003c);
+ }
+ void dcn20_display_init(struct dc *dc)
+ {
+--
+2.30.2
+
--- /dev/null
+From 9d1564173ea65cca35e9a2cf37e4384a71f1c226 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 May 2021 10:20:25 -0400
+Subject: drm/amd/display: Update scaling settings on modeset
+
+From: Roman Li <roman.li@amd.com>
+
+[ Upstream commit c521fc316d12fb9ea7b7680e301d673bceda922e ]
+
+[Why]
+We update scaling settings when scaling mode has been changed.
+However when changing mode from native resolution the scaling mode previously
+set gets ignored.
+
+[How]
+Perform scaling settings update on modeset.
+
+Signed-off-by: Roman Li <roman.li@amd.com>
+Reviewed-by: Nicholas Kazlauskas <Nicholas.Kazlauskas@amd.com>
+Acked-by: Stylon Wang <stylon.wang@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+index 6e31e899192c..fca466d4806b 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -6832,7 +6832,8 @@ skip_modeset:
+ BUG_ON(dm_new_crtc_state->stream == NULL);
+
+ /* Scaling or underscan settings */
+- if (is_scaling_state_different(dm_old_conn_state, dm_new_conn_state))
++ if (is_scaling_state_different(dm_old_conn_state, dm_new_conn_state) ||
++ drm_atomic_crtc_needs_modeset(new_crtc_state))
+ update_stream_scaling_settings(
+ &new_crtc_state->mode, dm_new_conn_state, dm_new_crtc_state->stream);
+
+--
+2.30.2
+
--- /dev/null
+From 3cfebbd13964527ed2c1a9aeb657494d871a0d0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jun 2021 13:01:07 -0400
+Subject: drm/amd/display: Verify Gamma & Degamma LUT sizes in
+ amdgpu_dm_atomic_check
+
+From: Mark Yacoub <markyacoub@chromium.org>
+
+[ Upstream commit 03fc4cf45d30533d54f0f4ebc02aacfa12f52ce2 ]
+
+For each CRTC state, check the size of Gamma and Degamma LUTs so
+unexpected and larger sizes wouldn't slip through.
+
+TEST: IGT:kms_color::pipe-invalid-gamma-lut-sizes
+
+v2: fix assignments in if clauses, Mark's email.
+
+Reviewed-by: Harry Wentland <harry.wentland@amd.com>
+Signed-off-by: Mark Yacoub <markyacoub@chromium.org>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 4 ++
+ .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h | 1 +
+ .../amd/display/amdgpu_dm/amdgpu_dm_color.c | 41 ++++++++++++++++---
+ 3 files changed, 40 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+index fca466d4806b..11da904fcb7e 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -7407,6 +7407,10 @@ static int amdgpu_dm_atomic_check(struct drm_device *dev,
+ old_crtc_state->vrr_enabled == new_crtc_state->vrr_enabled)
+ continue;
+
++ ret = amdgpu_dm_verify_lut_sizes(new_crtc_state);
++ if (ret)
++ goto fail;
++
+ if (!new_crtc_state->enable)
+ continue;
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h
+index c8c525a2b505..54163c970e7a 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h
+@@ -387,6 +387,7 @@ void amdgpu_dm_update_freesync_caps(struct drm_connector *connector,
+ #define MAX_COLOR_LEGACY_LUT_ENTRIES 256
+
+ void amdgpu_dm_init_color_mod(void);
++int amdgpu_dm_verify_lut_sizes(const struct drm_crtc_state *crtc_state);
+ int amdgpu_dm_update_crtc_color_mgmt(struct dm_crtc_state *crtc);
+ int amdgpu_dm_update_plane_color_mgmt(struct dm_crtc_state *crtc,
+ struct dc_plane_state *dc_plane_state);
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_color.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_color.c
+index 2233d293a707..6acc460a3e98 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_color.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_color.c
+@@ -277,6 +277,37 @@ static int __set_input_tf(struct dc_transfer_func *func,
+ return res ? 0 : -ENOMEM;
+ }
+
++/**
++ * Verifies that the Degamma and Gamma LUTs attached to the |crtc_state| are of
++ * the expected size.
++ * Returns 0 on success.
++ */
++int amdgpu_dm_verify_lut_sizes(const struct drm_crtc_state *crtc_state)
++{
++ const struct drm_color_lut *lut = NULL;
++ uint32_t size = 0;
++
++ lut = __extract_blob_lut(crtc_state->degamma_lut, &size);
++ if (lut && size != MAX_COLOR_LUT_ENTRIES) {
++ DRM_DEBUG_DRIVER(
++ "Invalid Degamma LUT size. Should be %u but got %u.\n",
++ MAX_COLOR_LUT_ENTRIES, size);
++ return -EINVAL;
++ }
++
++ lut = __extract_blob_lut(crtc_state->gamma_lut, &size);
++ if (lut && size != MAX_COLOR_LUT_ENTRIES &&
++ size != MAX_COLOR_LEGACY_LUT_ENTRIES) {
++ DRM_DEBUG_DRIVER(
++ "Invalid Gamma LUT size. Should be %u (or %u for legacy) but got %u.\n",
++ MAX_COLOR_LUT_ENTRIES, MAX_COLOR_LEGACY_LUT_ENTRIES,
++ size);
++ return -EINVAL;
++ }
++
++ return 0;
++}
++
+ /**
+ * amdgpu_dm_update_crtc_color_mgmt: Maps DRM color management to DC stream.
+ * @crtc: amdgpu_dm crtc state
+@@ -311,14 +342,12 @@ int amdgpu_dm_update_crtc_color_mgmt(struct dm_crtc_state *crtc)
+ bool is_legacy;
+ int r;
+
+- degamma_lut = __extract_blob_lut(crtc->base.degamma_lut, °amma_size);
+- if (degamma_lut && degamma_size != MAX_COLOR_LUT_ENTRIES)
+- return -EINVAL;
++ r = amdgpu_dm_verify_lut_sizes(&crtc->base);
++ if (r)
++ return r;
+
++ degamma_lut = __extract_blob_lut(crtc->base.degamma_lut, °amma_size);
+ regamma_lut = __extract_blob_lut(crtc->base.gamma_lut, ®amma_size);
+- if (regamma_lut && regamma_size != MAX_COLOR_LUT_ENTRIES &&
+- regamma_size != MAX_COLOR_LEGACY_LUT_ENTRIES)
+- return -EINVAL;
+
+ has_degamma =
+ degamma_lut && !__is_lut_linear(degamma_lut, degamma_size);
+--
+2.30.2
+
--- /dev/null
+From 31fa8fca6df9f416c9ffff32d4ec5747c6369270 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jun 2021 13:23:44 +0200
+Subject: drm/amdkfd: use allowed domain for vmbo validation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nirmoy Das <nirmoy.das@amd.com>
+
+[ Upstream commit bc05716d4fdd065013633602c5960a2bf1511b9c ]
+
+Fixes handling when page tables are in system memory.
+
+v3: remove struct amdgpu_vm_parser.
+v2: remove unwanted variable.
+ change amdgpu_amdkfd_validate instead of amdgpu_amdkfd_bo_validate.
+
+Signed-off-by: Nirmoy Das <nirmoy.das@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 21 ++++---------------
+ 1 file changed, 4 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
+index f3fa271e3394..25af45adc03e 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
+@@ -55,12 +55,6 @@ static struct {
+ spinlock_t mem_limit_lock;
+ } kfd_mem_limit;
+
+-/* Struct used for amdgpu_amdkfd_bo_validate */
+-struct amdgpu_vm_parser {
+- uint32_t domain;
+- bool wait;
+-};
+-
+ static const char * const domain_bit_to_string[] = {
+ "CPU",
+ "GTT",
+@@ -293,11 +287,9 @@ validate_fail:
+ return ret;
+ }
+
+-static int amdgpu_amdkfd_validate(void *param, struct amdgpu_bo *bo)
++static int amdgpu_amdkfd_validate_vm_bo(void *_unused, struct amdgpu_bo *bo)
+ {
+- struct amdgpu_vm_parser *p = param;
+-
+- return amdgpu_amdkfd_bo_validate(bo, p->domain, p->wait);
++ return amdgpu_amdkfd_bo_validate(bo, bo->allowed_domains, false);
+ }
+
+ /* vm_validate_pt_pd_bos - Validate page table and directory BOs
+@@ -311,20 +303,15 @@ static int vm_validate_pt_pd_bos(struct amdgpu_vm *vm)
+ {
+ struct amdgpu_bo *pd = vm->root.base.bo;
+ struct amdgpu_device *adev = amdgpu_ttm_adev(pd->tbo.bdev);
+- struct amdgpu_vm_parser param;
+ int ret;
+
+- param.domain = AMDGPU_GEM_DOMAIN_VRAM;
+- param.wait = false;
+-
+- ret = amdgpu_vm_validate_pt_bos(adev, vm, amdgpu_amdkfd_validate,
+- ¶m);
++ ret = amdgpu_vm_validate_pt_bos(adev, vm, amdgpu_amdkfd_validate_vm_bo, NULL);
+ if (ret) {
+ pr_err("amdgpu: failed to validate PT BOs\n");
+ return ret;
+ }
+
+- ret = amdgpu_amdkfd_validate(¶m, pd);
++ ret = amdgpu_amdkfd_validate_vm_bo(NULL, pd);
+ if (ret) {
+ pr_err("amdgpu: failed to validate PD\n");
+ return ret;
+--
+2.30.2
+
--- /dev/null
+From 691c33ad57561937991113c95f1ac830073e1e92 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jun 2021 15:11:07 +0800
+Subject: drm/amdkfd: Walk through list with dqm lock hold
+
+From: xinhui pan <xinhui.pan@amd.com>
+
+[ Upstream commit 56f221b6389e7ab99c30bbf01c71998ae92fc584 ]
+
+To avoid any list corruption.
+
+Signed-off-by: xinhui pan <xinhui.pan@amd.com>
+Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../drm/amd/amdkfd/kfd_device_queue_manager.c | 22 ++++++++++---------
+ 1 file changed, 12 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
+index ab69898c9cb7..723ec6c2830d 100644
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
+@@ -1584,7 +1584,7 @@ static int process_termination_cpsch(struct device_queue_manager *dqm,
+ struct qcm_process_device *qpd)
+ {
+ int retval;
+- struct queue *q, *next;
++ struct queue *q;
+ struct kernel_queue *kq, *kq_next;
+ struct mqd_manager *mqd_mgr;
+ struct device_process_node *cur, *next_dpn;
+@@ -1639,24 +1639,26 @@ static int process_termination_cpsch(struct device_queue_manager *dqm,
+ qpd->reset_wavefronts = false;
+ }
+
+- dqm_unlock(dqm);
+-
+- /* Outside the DQM lock because under the DQM lock we can't do
+- * reclaim or take other locks that others hold while reclaiming.
+- */
+- if (found)
+- kfd_dec_compute_active(dqm->dev);
+-
+ /* Lastly, free mqd resources.
+ * Do free_mqd() after dqm_unlock to avoid circular locking.
+ */
+- list_for_each_entry_safe(q, next, &qpd->queues_list, list) {
++ while (!list_empty(&qpd->queues_list)) {
++ q = list_first_entry(&qpd->queues_list, struct queue, list);
+ mqd_mgr = dqm->mqd_mgrs[get_mqd_type_from_queue_type(
+ q->properties.type)];
+ list_del(&q->list);
+ qpd->queue_count--;
++ dqm_unlock(dqm);
+ mqd_mgr->free_mqd(mqd_mgr, q->mqd, q->mqd_mem_obj);
++ dqm_lock(dqm);
+ }
++ dqm_unlock(dqm);
++
++ /* Outside the DQM lock because under the DQM lock we can't do
++ * reclaim or take other locks that others hold while reclaiming.
++ */
++ if (found)
++ kfd_dec_compute_active(dqm->dev);
+
+ return retval;
+ }
+--
+2.30.2
+
--- /dev/null
+From b6a632e52333db4f8b356d4c95f676e10e7482a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 May 2021 15:21:02 +0800
+Subject: drm/bridge: cdns: Fix PM reference leak in cdns_dsi_transfer()
+
+From: Zou Wei <zou_wei@huawei.com>
+
+[ Upstream commit 33f90f27e1c5ccd648d3e78a1c28be9ee8791cf1 ]
+
+pm_runtime_get_sync will increment pm usage counter even it failed.
+Forgetting to putting operation will result in reference leak here.
+Fix it by replacing it with pm_runtime_resume_and_get to keep usage
+counter balanced.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zou Wei <zou_wei@huawei.com>
+Reviewed-by: Robert Foss <robert.foss@linaro.org>
+Signed-off-by: Robert Foss <robert.foss@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/1621840862-106024-1-git-send-email-zou_wei@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/cdns-dsi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/bridge/cdns-dsi.c b/drivers/gpu/drm/bridge/cdns-dsi.c
+index 6166dca6be81..0cb9dd6986ec 100644
+--- a/drivers/gpu/drm/bridge/cdns-dsi.c
++++ b/drivers/gpu/drm/bridge/cdns-dsi.c
+@@ -1026,7 +1026,7 @@ static ssize_t cdns_dsi_transfer(struct mipi_dsi_host *host,
+ struct mipi_dsi_packet packet;
+ int ret, i, tx_len, rx_len;
+
+- ret = pm_runtime_get_sync(host->dev);
++ ret = pm_runtime_resume_and_get(host->dev);
+ if (ret < 0)
+ return ret;
+
+--
+2.30.2
+
--- /dev/null
+From 24c1d5c7076d6d5269caf704f93919b1dd09b1d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 Apr 2021 03:48:41 +0000
+Subject: drm/mediatek: Fix PM reference leak in mtk_crtc_ddp_hw_init()
+
+From: Wang Li <wangli74@huawei.com>
+
+[ Upstream commit 69777e6ca396f0a7e1baff40fcad4a9d3d445b7a ]
+
+pm_runtime_get_sync will increment pm usage counter even it failed.
+Forgetting to putting operation will result in reference leak here.
+Fix it by replacing it with pm_runtime_resume_and_get to keep usage
+counter balanced.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wang Li <wangli74@huawei.com>
+Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/mediatek/mtk_drm_crtc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c
+index f9455f2724d2..f370d41b3d04 100644
+--- a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c
++++ b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c
+@@ -240,7 +240,7 @@ static int mtk_crtc_ddp_hw_init(struct mtk_drm_crtc *mtk_crtc)
+ drm_connector_list_iter_end(&conn_iter);
+ }
+
+- ret = pm_runtime_get_sync(crtc->dev->dev);
++ ret = pm_runtime_resume_and_get(crtc->dev->dev);
+ if (ret < 0) {
+ DRM_ERROR("Failed to enable power domain: %d\n", ret);
+ return ret;
+--
+2.30.2
+
--- /dev/null
+From 0af72c15b59df2731037785cea5cc6ba42f33256 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Apr 2021 13:00:38 +0200
+Subject: drm/mxsfb: Don't select DRM_KMS_FB_HELPER
+
+From: Thomas Zimmermann <tzimmermann@suse.de>
+
+[ Upstream commit 13b29cc3a722c2c0bc9ab9f72f9047d55d08a2f9 ]
+
+Selecting DRM_FBDEV_EMULATION will include the correct settings for
+fbdev emulation. Drivers should not override this.
+
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Acked-by: Stefan Agner <stefan@agner.ch>
+Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210415110040.23525-3-tzimmermann@suse.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/mxsfb/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/mxsfb/Kconfig b/drivers/gpu/drm/mxsfb/Kconfig
+index 0dca8f27169e..33916b7b2c50 100644
+--- a/drivers/gpu/drm/mxsfb/Kconfig
++++ b/drivers/gpu/drm/mxsfb/Kconfig
+@@ -10,7 +10,6 @@ config DRM_MXSFB
+ depends on COMMON_CLK
+ select DRM_MXS
+ select DRM_KMS_HELPER
+- select DRM_KMS_FB_HELPER
+ select DRM_KMS_CMA_HELPER
+ select DRM_PANEL
+ help
+--
+2.30.2
+
--- /dev/null
+From 71b5e7a3961e49cb9dcb95379b5313d476da3e63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 May 2021 10:14:07 -0400
+Subject: drm/sched: Avoid data corruptions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andrey Grodzovsky <andrey.grodzovsky@amd.com>
+
+[ Upstream commit 0b10ab80695d61422337ede6ff496552d8ace99d ]
+
+Wait for all dependencies of a job to complete before
+killing it to avoid data corruptions.
+
+Signed-off-by: Andrey Grodzovsky <andrey.grodzovsky@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210519141407.88444-1-andrey.grodzovsky@amd.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/scheduler/sched_entity.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/gpu/drm/scheduler/sched_entity.c b/drivers/gpu/drm/scheduler/sched_entity.c
+index 1a5153197fe9..57f9baad9e36 100644
+--- a/drivers/gpu/drm/scheduler/sched_entity.c
++++ b/drivers/gpu/drm/scheduler/sched_entity.c
+@@ -235,11 +235,16 @@ static void drm_sched_entity_kill_jobs_cb(struct dma_fence *f,
+ static void drm_sched_entity_kill_jobs(struct drm_sched_entity *entity)
+ {
+ struct drm_sched_job *job;
++ struct dma_fence *f;
+ int r;
+
+ while ((job = to_drm_sched_job(spsc_queue_pop(&entity->job_queue)))) {
+ struct drm_sched_fence *s_fence = job->s_fence;
+
++ /* Wait for all dependencies to avoid data corruptions */
++ while ((f = job->sched->ops->dependency(job, entity)))
++ dma_fence_wait(f, false);
++
+ drm_sched_fence_scheduled(s_fence);
+ dma_fence_set_error(&s_fence->finished, -ESRCH);
+
+--
+2.30.2
+
--- /dev/null
+From c8a6d8bb43f559ec6429ab18c05465842684d646 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Apr 2021 13:18:03 +0300
+Subject: drm/vc4: fix argument ordering in vc4_crtc_get_margins()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit e590c2b03a6143ba93ddad306bc9eaafa838c020 ]
+
+Cppcheck complains that the declaration doesn't match the function
+definition. Obviously "left" should come before "right". The caller
+and the function implementation are done this way, it's just the
+declaration which is wrong so this doesn't affect runtime.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Link: https://patchwork.freedesktop.org/patch/msgid/YH/720FD978TPhHp@mwanda
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/vc4_drv.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_drv.h b/drivers/gpu/drm/vc4/vc4_drv.h
+index 6627b20c99e9..3ddaa817850d 100644
+--- a/drivers/gpu/drm/vc4/vc4_drv.h
++++ b/drivers/gpu/drm/vc4/vc4_drv.h
+@@ -750,7 +750,7 @@ bool vc4_crtc_get_scanoutpos(struct drm_device *dev, unsigned int crtc_id,
+ void vc4_crtc_handle_vblank(struct vc4_crtc *crtc);
+ void vc4_crtc_txp_armed(struct drm_crtc_state *state);
+ void vc4_crtc_get_margins(struct drm_crtc_state *state,
+- unsigned int *right, unsigned int *left,
++ unsigned int *left, unsigned int *right,
+ unsigned int *top, unsigned int *bottom);
+
+ /* vc4_debugfs.c */
+--
+2.30.2
+
--- /dev/null
+From 8dc4589261bf1412857304bc344c90c845658c7b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 May 2021 16:49:12 +0800
+Subject: drm/virtio: Fix double free on probe failure
+
+From: Xie Yongji <xieyongji@bytedance.com>
+
+[ Upstream commit cec7f1774605a5ef47c134af62afe7c75c30b0ee ]
+
+The virtio_gpu_init() will free vgdev and vgdev->vbufs on failure.
+But such failure will be caught by virtio_gpu_probe() and then
+virtio_gpu_release() will be called to do some cleanup which
+will free vgdev and vgdev->vbufs again. So let's set dev->dev_private
+to NULL to avoid double free.
+
+Signed-off-by: Xie Yongji <xieyongji@bytedance.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/20210517084913.403-2-xieyongji@bytedance.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/virtio/virtgpu_kms.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/virtio/virtgpu_kms.c b/drivers/gpu/drm/virtio/virtgpu_kms.c
+index 6dcc05ab31eb..4f855b242dfd 100644
+--- a/drivers/gpu/drm/virtio/virtgpu_kms.c
++++ b/drivers/gpu/drm/virtio/virtgpu_kms.c
+@@ -218,6 +218,7 @@ err_ttm:
+ err_vbufs:
+ vgdev->vdev->config->del_vqs(vgdev->vdev);
+ err_vqs:
++ dev->dev_private = NULL;
+ kfree(vgdev);
+ return ret;
+ }
+--
+2.30.2
+
--- /dev/null
+From 5b9438b380d0d8928b37545cf1ec16db2bcbb487 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Apr 2021 13:00:39 +0200
+Subject: drm/zte: Don't select DRM_KMS_FB_HELPER
+
+From: Thomas Zimmermann <tzimmermann@suse.de>
+
+[ Upstream commit a50e74bec1d17e95275909660c6b43ffe11ebcf0 ]
+
+Selecting DRM_FBDEV_EMULATION will include the correct settings for
+fbdev emulation. Drivers should not override this.
+
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210415110040.23525-4-tzimmermann@suse.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/zte/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/zte/Kconfig b/drivers/gpu/drm/zte/Kconfig
+index 90ebaedc11fd..aa8594190b50 100644
+--- a/drivers/gpu/drm/zte/Kconfig
++++ b/drivers/gpu/drm/zte/Kconfig
+@@ -3,7 +3,6 @@ config DRM_ZTE
+ tristate "DRM Support for ZTE SoCs"
+ depends on DRM && ARCH_ZX
+ select DRM_KMS_CMA_HELPER
+- select DRM_KMS_FB_HELPER
+ select DRM_KMS_HELPER
+ select SND_SOC_HDMI_CODEC if SND_SOC
+ select VIDEOMODE_HELPERS
+--
+2.30.2
+
--- /dev/null
+From 206899372d3cc32e80da038880727c45cf25f5f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Mar 2021 17:38:24 -0700
+Subject: e100: handle eeprom as little endian
+
+From: Jesse Brandeburg <jesse.brandeburg@intel.com>
+
+[ Upstream commit d4ef55288aa2e1b76033717242728ac98ddc4721 ]
+
+Sparse tool was warning on some implicit conversions from
+little endian data read from the EEPROM on the e100 cards.
+
+Fix these by being explicit about the conversions using
+le16_to_cpu().
+
+Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/e100.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/e100.c b/drivers/net/ethernet/intel/e100.c
+index a65d5a9ba7db..911b3d2a94e1 100644
+--- a/drivers/net/ethernet/intel/e100.c
++++ b/drivers/net/ethernet/intel/e100.c
+@@ -1398,7 +1398,7 @@ static int e100_phy_check_without_mii(struct nic *nic)
+ u8 phy_type;
+ int without_mii;
+
+- phy_type = (nic->eeprom[eeprom_phy_iface] >> 8) & 0x0f;
++ phy_type = (le16_to_cpu(nic->eeprom[eeprom_phy_iface]) >> 8) & 0x0f;
+
+ switch (phy_type) {
+ case NoSuchPhy: /* Non-MII PHY; UNTESTED! */
+@@ -1518,7 +1518,7 @@ static int e100_phy_init(struct nic *nic)
+ mdio_write(netdev, nic->mii.phy_id, MII_BMCR, bmcr);
+ } else if ((nic->mac >= mac_82550_D102) || ((nic->flags & ich) &&
+ (mdio_read(netdev, nic->mii.phy_id, MII_TPISTATUS) & 0x8000) &&
+- (nic->eeprom[eeprom_cnfg_mdix] & eeprom_mdix_enabled))) {
++ (le16_to_cpu(nic->eeprom[eeprom_cnfg_mdix]) & eeprom_mdix_enabled))) {
+ /* enable/disable MDI/MDI-X auto-switching. */
+ mdio_write(netdev, nic->mii.phy_id, MII_NCONFIG,
+ nic->mii.force_media ? 0 : NCONFIG_AUTO_SWITCH);
+@@ -2266,9 +2266,9 @@ static int e100_asf(struct nic *nic)
+ {
+ /* ASF can be enabled from eeprom */
+ return (nic->pdev->device >= 0x1050) && (nic->pdev->device <= 0x1057) &&
+- (nic->eeprom[eeprom_config_asf] & eeprom_asf) &&
+- !(nic->eeprom[eeprom_config_asf] & eeprom_gcl) &&
+- ((nic->eeprom[eeprom_smbus_addr] & 0xFF) != 0xFE);
++ (le16_to_cpu(nic->eeprom[eeprom_config_asf]) & eeprom_asf) &&
++ !(le16_to_cpu(nic->eeprom[eeprom_config_asf]) & eeprom_gcl) &&
++ ((le16_to_cpu(nic->eeprom[eeprom_smbus_addr]) & 0xFF) != 0xFE);
+ }
+
+ static int e100_up(struct nic *nic)
+@@ -2924,7 +2924,7 @@ static int e100_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+
+ /* Wol magic packet can be enabled from eeprom */
+ if ((nic->mac >= mac_82558_D101_A4) &&
+- (nic->eeprom[eeprom_id] & eeprom_id_wol)) {
++ (le16_to_cpu(nic->eeprom[eeprom_id]) & eeprom_id_wol)) {
+ nic->flags |= wol_magic;
+ device_set_wakeup_enable(&pdev->dev, true);
+ }
+--
+2.30.2
+
--- /dev/null
+From 8f1da38c1b33b72cd1f4da38a1b539bf220a7306 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jun 2021 16:02:43 +0800
+Subject: fjes: check return value after calling platform_get_resource()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit f18c11812c949553d2b2481ecaa274dd51bed1e7 ]
+
+It will cause null-ptr-deref if platform_get_resource() returns NULL,
+we need check the return value.
+
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/fjes/fjes_main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/fjes/fjes_main.c b/drivers/net/fjes/fjes_main.c
+index 91a1059517f5..b89b4a3800a4 100644
+--- a/drivers/net/fjes/fjes_main.c
++++ b/drivers/net/fjes/fjes_main.c
+@@ -1262,6 +1262,10 @@ static int fjes_probe(struct platform_device *plat_dev)
+ adapter->interrupt_watch_enable = false;
+
+ res = platform_get_resource(plat_dev, IORESOURCE_MEM, 0);
++ if (!res) {
++ err = -EINVAL;
++ goto err_free_control_wq;
++ }
+ hw->hw_res.start = res->start;
+ hw->hw_res.size = resource_size(res);
+ hw->hw_res.irq = platform_get_irq(plat_dev, 0);
+--
+2.30.2
+
--- /dev/null
+From 81bb3fb8c7686a99f0add4e9e183d86530968db8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jun 2020 21:15:32 +0800
+Subject: hugetlb: clear huge pte during flush function on mips platform
+
+From: Bibo Mao <maobibo@loongson.cn>
+
+[ Upstream commit 33ae8f801ad8bec48e886d368739feb2816478f2 ]
+
+If multiple threads are accessing the same huge page at the same
+time, hugetlb_cow will be called if one thread write the COW huge
+page. And function huge_ptep_clear_flush is called to notify other
+threads to clear the huge pte tlb entry. The other threads clear
+the huge pte tlb entry and reload it from page table, the reload
+huge pte entry may be old.
+
+This patch fixes this issue on mips platform, and it clears huge
+pte entry before notifying other threads to flush current huge
+page entry, it is similar with other architectures.
+
+Signed-off-by: Bibo Mao <maobibo@loongson.cn>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/include/asm/hugetlb.h | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/arch/mips/include/asm/hugetlb.h b/arch/mips/include/asm/hugetlb.h
+index 425bb6fc3bda..bf1bf8c7c332 100644
+--- a/arch/mips/include/asm/hugetlb.h
++++ b/arch/mips/include/asm/hugetlb.h
+@@ -53,7 +53,13 @@ static inline pte_t huge_ptep_get_and_clear(struct mm_struct *mm,
+ static inline void huge_ptep_clear_flush(struct vm_area_struct *vma,
+ unsigned long addr, pte_t *ptep)
+ {
+- flush_tlb_page(vma, addr & huge_page_mask(hstate_vma(vma)));
++ /*
++ * clear the huge pte entry firstly, so that the other smp threads will
++ * not get old pte entry after finishing flush_tlb_page and before
++ * setting new huge pte entry
++ */
++ huge_ptep_get_and_clear(vma->vm_mm, addr, ptep);
++ flush_tlb_page(vma, addr);
+ }
+
+ #define __HAVE_ARCH_HUGE_PTE_NONE
+--
+2.30.2
+
--- /dev/null
+From b7a0c0f45f29d272e65e6bf64fd7bdbb89fdb128 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Apr 2021 17:31:06 +0800
+Subject: ice: set the value of global config lock timeout longer
+
+From: Liwei Song <liwei.song@windriver.com>
+
+[ Upstream commit fb3612840d4f587a0af9511a11d7989d1fa48206 ]
+
+It may need hold Global Config Lock a longer time when download DDP
+package file, extend the timeout value to 5000ms to ensure that
+download can be finished before other AQ command got time to run,
+this will fix the issue below when probe the device, 5000ms is a test
+value that work with both Backplane and BreakoutCable NVM image:
+
+ice 0000:f4:00.0: VSI 12 failed lan queue config, error ICE_ERR_CFG
+ice 0000:f4:00.0: Failed to delete VSI 12 in FW - error: ICE_ERR_AQ_TIMEOUT
+ice 0000:f4:00.0: probe failed due to setup PF switch: -12
+ice: probe of 0000:f4:00.0 failed with error -12
+
+Signed-off-by: Liwei Song <liwei.song@windriver.com>
+Tested-by: Tony Brelinski <tonyx.brelinski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_type.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_type.h b/drivers/net/ethernet/intel/ice/ice_type.h
+index 6667d17a4206..0b2e657b96eb 100644
+--- a/drivers/net/ethernet/intel/ice/ice_type.h
++++ b/drivers/net/ethernet/intel/ice/ice_type.h
+@@ -48,7 +48,7 @@ enum ice_aq_res_ids {
+ /* FW update timeout definitions are in milliseconds */
+ #define ICE_NVM_TIMEOUT 180000
+ #define ICE_CHANGE_LOCK_TIMEOUT 1000
+-#define ICE_GLOBAL_CFG_LOCK_TIMEOUT 3000
++#define ICE_GLOBAL_CFG_LOCK_TIMEOUT 5000
+
+ enum ice_aq_res_access_type {
+ ICE_RES_READ = 1,
+--
+2.30.2
+
--- /dev/null
+From d30f0a6a2bc973043da15648cacb0db166189e06 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Mar 2021 17:38:28 -0700
+Subject: igb: handle vlan types with checker enabled
+
+From: Jesse Brandeburg <jesse.brandeburg@intel.com>
+
+[ Upstream commit c7cbfb028b95360403d579c47aaaeef1ff140964 ]
+
+The sparse build (C=2) finds some issues with how the driver
+dealt with the (very difficult) hardware that in some generations
+uses little-endian, and in others uses big endian, for the VLAN
+field. The code as written picks __le16 as a type and for some
+hardware revisions we override it to __be16 as done in this
+patch. This impacted the VF driver as well so fix it there too.
+
+Also change the vlan_tci assignment to override the sparse
+warning without changing functionality.
+
+Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Tested-by: Dave Switzer <david.switzer@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 5 +++--
+ drivers/net/ethernet/intel/igbvf/netdev.c | 4 ++--
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index 7a4e2b014dd6..c37f0590b3a4 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -2651,7 +2651,8 @@ static int igb_parse_cls_flower(struct igb_adapter *adapter,
+ }
+
+ input->filter.match_flags |= IGB_FILTER_FLAG_VLAN_TCI;
+- input->filter.vlan_tci = match.key->vlan_priority;
++ input->filter.vlan_tci =
++ (__force __be16)match.key->vlan_priority;
+ }
+ }
+
+@@ -8255,7 +8256,7 @@ static void igb_process_skb_fields(struct igb_ring *rx_ring,
+
+ if (igb_test_staterr(rx_desc, E1000_RXDEXT_STATERR_LB) &&
+ test_bit(IGB_RING_FLAG_RX_LB_VLAN_BSWAP, &rx_ring->flags))
+- vid = be16_to_cpu(rx_desc->wb.upper.vlan);
++ vid = be16_to_cpu((__force __be16)rx_desc->wb.upper.vlan);
+ else
+ vid = le16_to_cpu(rx_desc->wb.upper.vlan);
+
+diff --git a/drivers/net/ethernet/intel/igbvf/netdev.c b/drivers/net/ethernet/intel/igbvf/netdev.c
+index 0f2b68f4bb0f..77cb2ab7dab4 100644
+--- a/drivers/net/ethernet/intel/igbvf/netdev.c
++++ b/drivers/net/ethernet/intel/igbvf/netdev.c
+@@ -83,14 +83,14 @@ static int igbvf_desc_unused(struct igbvf_ring *ring)
+ static void igbvf_receive_skb(struct igbvf_adapter *adapter,
+ struct net_device *netdev,
+ struct sk_buff *skb,
+- u32 status, u16 vlan)
++ u32 status, __le16 vlan)
+ {
+ u16 vid;
+
+ if (status & E1000_RXD_STAT_VP) {
+ if ((adapter->flags & IGBVF_FLAG_RX_LB_VLAN_BSWAP) &&
+ (status & E1000_RXDEXT_STATERR_LB))
+- vid = be16_to_cpu(vlan) & E1000_RXD_SPC_VLAN_MASK;
++ vid = be16_to_cpu((__force __be16)vlan) & E1000_RXD_SPC_VLAN_MASK;
+ else
+ vid = le16_to_cpu(vlan) & E1000_RXD_SPC_VLAN_MASK;
+ if (test_bit(vid, adapter->active_vlans))
+--
+2.30.2
+
--- /dev/null
+From 6804d8d5a5de1d5dd7a069b90c62c74bdccecb05 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 29 May 2021 13:07:46 +0200
+Subject: ipv6: use prandom_u32() for ID generation
+
+From: Willy Tarreau <w@1wt.eu>
+
+[ Upstream commit 62f20e068ccc50d6ab66fdb72ba90da2b9418c99 ]
+
+This is a complement to commit aa6dd211e4b1 ("inet: use bigger hash
+table for IP ID generation"), but focusing on some specific aspects
+of IPv6.
+
+Contary to IPv4, IPv6 only uses packet IDs with fragments, and with a
+minimum MTU of 1280, it's much less easy to force a remote peer to
+produce many fragments to explore its ID sequence. In addition packet
+IDs are 32-bit in IPv6, which further complicates their analysis. On
+the other hand, it is often easier to choose among plenty of possible
+source addresses and partially work around the bigger hash table the
+commit above permits, which leaves IPv6 partially exposed to some
+possibilities of remote analysis at the risk of weakening some
+protocols like DNS if some IDs can be predicted with a good enough
+probability.
+
+Given the wide range of permitted IDs, the risk of collision is extremely
+low so there's no need to rely on the positive increment algorithm that
+is shared with the IPv4 code via ip_idents_reserve(). We have a fast
+PRNG, so let's simply call prandom_u32() and be done with it.
+
+Performance measurements at 10 Gbps couldn't show any difference with
+the previous code, even when using a single core, because due to the
+large fragments, we're limited to only ~930 kpps at 10 Gbps and the cost
+of the random generation is completely offset by other operations and by
+the network transfer time. In addition, this change removes the need to
+update a shared entry in the idents table so it may even end up being
+slightly faster on large scale systems where this matters.
+
+The risk of at least one collision here is about 1/80 million among
+10 IDs, 1/850k among 100 IDs, and still only 1/8.5k among 1000 IDs,
+which remains very low compared to IPv4 where all IDs are reused
+every 4 to 80ms on a 10 Gbps flow depending on packet sizes.
+
+Reported-by: Amit Klein <aksecurity@gmail.com>
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20210529110746.6796-1-w@1wt.eu
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/output_core.c | 28 +++++-----------------------
+ 1 file changed, 5 insertions(+), 23 deletions(-)
+
+diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
+index af36acc1a644..2880dc7d9a49 100644
+--- a/net/ipv6/output_core.c
++++ b/net/ipv6/output_core.c
+@@ -15,29 +15,11 @@ static u32 __ipv6_select_ident(struct net *net,
+ const struct in6_addr *dst,
+ const struct in6_addr *src)
+ {
+- const struct {
+- struct in6_addr dst;
+- struct in6_addr src;
+- } __aligned(SIPHASH_ALIGNMENT) combined = {
+- .dst = *dst,
+- .src = *src,
+- };
+- u32 hash, id;
+-
+- /* Note the following code is not safe, but this is okay. */
+- if (unlikely(siphash_key_is_zero(&net->ipv4.ip_id_key)))
+- get_random_bytes(&net->ipv4.ip_id_key,
+- sizeof(net->ipv4.ip_id_key));
+-
+- hash = siphash(&combined, sizeof(combined), &net->ipv4.ip_id_key);
+-
+- /* Treat id of 0 as unset and if we get 0 back from ip_idents_reserve,
+- * set the hight order instead thus minimizing possible future
+- * collisions.
+- */
+- id = ip_idents_reserve(hash, 1);
+- if (unlikely(!id))
+- id = 1 << 31;
++ u32 id;
++
++ do {
++ id = prandom_u32();
++ } while (!id);
+
+ return id;
+ }
+--
+2.30.2
+
--- /dev/null
+From 2f0210a0905d9ef86e2db9a56c71c1ed1aab59f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Jun 2021 14:32:38 +0300
+Subject: iwlwifi: mvm: don't change band on bound PHY contexts
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 8835a64f74c46baebfc946cd5a2c861b866ebcee ]
+
+When we have a P2P Device active, we attempt to only change the
+PHY context it uses when we get a new remain-on-channel, if the
+P2P Device is the only user of the PHY context.
+
+This is fine if we're switching within a band, but if we're
+switching bands then the switch implies a removal and re-add
+of the PHY context, which isn't permitted by the firmware while
+it's bound to an interface.
+
+Fix the code to skip the unbind/release/... cycle only if the
+band doesn't change (or we have old devices that can switch the
+band on the fly as well.)
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Link: https://lore.kernel.org/r/iwlwifi.20210612142637.e9ac313f70f3.I713b9d109957df7e7d9ed0861d5377ce3f8fccd3@changeid
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/intel/iwlwifi/mvm/mac80211.c | 24 ++++++++++++++-----
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+index fc6430edd110..09b1a6beee77 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+@@ -3725,6 +3725,7 @@ static int iwl_mvm_roc(struct ieee80211_hw *hw,
+ struct iwl_mvm_vif *mvmvif = iwl_mvm_vif_from_mac80211(vif);
+ struct cfg80211_chan_def chandef;
+ struct iwl_mvm_phy_ctxt *phy_ctxt;
++ bool band_change_removal;
+ int ret, i;
+
+ IWL_DEBUG_MAC80211(mvm, "enter (%d, %d, %d)\n", channel->hw_value,
+@@ -3794,19 +3795,30 @@ static int iwl_mvm_roc(struct ieee80211_hw *hw,
+ cfg80211_chandef_create(&chandef, channel, NL80211_CHAN_NO_HT);
+
+ /*
+- * Change the PHY context configuration as it is currently referenced
+- * only by the P2P Device MAC
++ * Check if the remain-on-channel is on a different band and that
++ * requires context removal, see iwl_mvm_phy_ctxt_changed(). If
++ * so, we'll need to release and then re-configure here, since we
++ * must not remove a PHY context that's part of a binding.
+ */
+- if (mvmvif->phy_ctxt->ref == 1) {
++ band_change_removal =
++ fw_has_capa(&mvm->fw->ucode_capa,
++ IWL_UCODE_TLV_CAPA_BINDING_CDB_SUPPORT) &&
++ mvmvif->phy_ctxt->channel->band != chandef.chan->band;
++
++ if (mvmvif->phy_ctxt->ref == 1 && !band_change_removal) {
++ /*
++ * Change the PHY context configuration as it is currently
++ * referenced only by the P2P Device MAC (and we can modify it)
++ */
+ ret = iwl_mvm_phy_ctxt_changed(mvm, mvmvif->phy_ctxt,
+ &chandef, 1, 1);
+ if (ret)
+ goto out_unlock;
+ } else {
+ /*
+- * The PHY context is shared with other MACs. Need to remove the
+- * P2P Device from the binding, allocate an new PHY context and
+- * create a new binding
++ * The PHY context is shared with other MACs (or we're trying to
++ * switch bands), so remove the P2P Device from the binding,
++ * allocate an new PHY context and create a new binding.
+ */
+ phy_ctxt = iwl_mvm_get_free_phy_ctxt(mvm);
+ if (!phy_ctxt) {
+--
+2.30.2
+
--- /dev/null
+From 57fe0136214d9bffd930f3abfaf887a5af7a1b46 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jun 2021 11:01:17 +0300
+Subject: iwlwifi: pcie: fix context info freeing
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 26d18c75a7496c4c52b0b6789e713dc76ebfbc87 ]
+
+After firmware alive, iwl_trans_pcie_gen2_fw_alive() is called
+to free the context info. However, on gen3 that will then free
+the context info with the wrong size.
+
+Since we free this allocation later, let it stick around until
+the device is stopped for now, freeing some of it earlier is a
+separate change.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Link: https://lore.kernel.org/r/iwlwifi.20210618105614.afb63fb8cbc1.If4968db8e09f4ce2a1d27a6d750bca3d132d7d70@changeid
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c b/drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c
+index df8455f14e4d..ee45e475405a 100644
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c
+@@ -269,7 +269,8 @@ void iwl_trans_pcie_gen2_fw_alive(struct iwl_trans *trans, u32 scd_addr)
+ /* now that we got alive we can free the fw image & the context info.
+ * paging memory cannot be freed included since FW will still use it
+ */
+- iwl_pcie_ctxt_info_free(trans);
++ if (trans->trans_cfg->device_family < IWL_DEVICE_FAMILY_AX210)
++ iwl_pcie_ctxt_info_free(trans);
+
+ /*
+ * Re-enable all the interrupts, including the RF-Kill one, now that
+--
+2.30.2
+
--- /dev/null
+From 084fef9f034b0d338c015655af7e04b0e705d203 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jun 2021 11:01:16 +0300
+Subject: iwlwifi: pcie: free IML DMA memory allocation
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 310f60f53a86eba680d9bc20a371e13b06a5f903 ]
+
+In the case of gen3 devices with image loader (IML) support,
+we were leaking the IML DMA allocation and never freeing it.
+Fix that.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Link: https://lore.kernel.org/r/iwlwifi.20210618105614.07e117dbedb7.I7bb9ebbe0617656986c2a598ea5e827b533bd3b9@changeid
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c | 15 ++++++++++-----
+ .../net/wireless/intel/iwlwifi/pcie/internal.h | 3 +++
+ 2 files changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c b/drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c
+index eab159205e48..f6b43cd87d5d 100644
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c
+@@ -63,7 +63,6 @@ int iwl_pcie_ctxt_info_gen3_init(struct iwl_trans *trans,
+ struct iwl_prph_scratch *prph_scratch;
+ struct iwl_prph_scratch_ctrl_cfg *prph_sc_ctrl;
+ struct iwl_prph_info *prph_info;
+- void *iml_img;
+ u32 control_flags = 0;
+ int ret;
+ int cmdq_size = max_t(u32, IWL_CMD_QUEUE_SIZE,
+@@ -162,14 +161,15 @@ int iwl_pcie_ctxt_info_gen3_init(struct iwl_trans *trans,
+ trans_pcie->prph_scratch = prph_scratch;
+
+ /* Allocate IML */
+- iml_img = dma_alloc_coherent(trans->dev, trans->iml_len,
+- &trans_pcie->iml_dma_addr, GFP_KERNEL);
+- if (!iml_img) {
++ trans_pcie->iml = dma_alloc_coherent(trans->dev, trans->iml_len,
++ &trans_pcie->iml_dma_addr,
++ GFP_KERNEL);
++ if (!trans_pcie->iml) {
+ ret = -ENOMEM;
+ goto err_free_ctxt_info;
+ }
+
+- memcpy(iml_img, trans->iml, trans->iml_len);
++ memcpy(trans_pcie->iml, trans->iml, trans->iml_len);
+
+ iwl_enable_fw_load_int_ctx_info(trans);
+
+@@ -242,6 +242,11 @@ void iwl_pcie_ctxt_info_gen3_free(struct iwl_trans *trans)
+ trans_pcie->ctxt_info_dma_addr = 0;
+ trans_pcie->ctxt_info_gen3 = NULL;
+
++ dma_free_coherent(trans->dev, trans->iml_len, trans_pcie->iml,
++ trans_pcie->iml_dma_addr);
++ trans_pcie->iml_dma_addr = 0;
++ trans_pcie->iml = NULL;
++
+ iwl_pcie_ctxt_info_free_fw_img(trans);
+
+ dma_free_coherent(trans->dev, sizeof(*trans_pcie->prph_scratch),
+diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/internal.h b/drivers/net/wireless/intel/iwlwifi/pcie/internal.h
+index 9b5b96e34456..553164f06a6b 100644
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/internal.h
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/internal.h
+@@ -475,6 +475,8 @@ struct cont_rec {
+ * Context information addresses will be taken from here.
+ * This is driver's local copy for keeping track of size and
+ * count for allocating and freeing the memory.
++ * @iml: image loader image virtual address
++ * @iml_dma_addr: image loader image DMA address
+ * @trans: pointer to the generic transport area
+ * @scd_base_addr: scheduler sram base address in SRAM
+ * @scd_bc_tbls: pointer to the byte count table of the scheduler
+@@ -522,6 +524,7 @@ struct iwl_trans_pcie {
+ };
+ struct iwl_prph_info *prph_info;
+ struct iwl_prph_scratch *prph_scratch;
++ void *iml;
+ dma_addr_t ctxt_info_dma_addr;
+ dma_addr_t prph_info_dma_addr;
+ dma_addr_t prph_scratch_dma_addr;
+--
+2.30.2
+
--- /dev/null
+From 6e48780b6a98a281535b618fd57ab139918252f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jun 2021 22:37:54 +0100
+Subject: media, bpf: Do not copy more entries than user space requested
+
+From: Sean Young <sean@mess.org>
+
+[ Upstream commit 647d446d66e493d23ca1047fa8492b0269674530 ]
+
+The syscall bpf(BPF_PROG_QUERY, &attr) should use the prog_cnt field to
+see how many entries user space provided and return ENOSPC if there are
+more programs than that. Before this patch, this is not checked and
+ENOSPC is never returned.
+
+Note that one lirc device is limited to 64 bpf programs, and user space
+I'm aware of -- ir-keytable -- always gives enough space for 64 entries
+already. However, we should not copy program ids than are requested.
+
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20210623213754.632-1-sean@mess.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/rc/bpf-lirc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/rc/bpf-lirc.c b/drivers/media/rc/bpf-lirc.c
+index 0a0ce620e4a2..d5f839fdcde7 100644
+--- a/drivers/media/rc/bpf-lirc.c
++++ b/drivers/media/rc/bpf-lirc.c
+@@ -329,7 +329,8 @@ int lirc_prog_query(const union bpf_attr *attr, union bpf_attr __user *uattr)
+ }
+
+ if (attr->query.prog_cnt != 0 && prog_ids && cnt)
+- ret = bpf_prog_array_copy_to_user(progs, prog_ids, cnt);
++ ret = bpf_prog_array_copy_to_user(progs, prog_ids,
++ attr->query.prog_cnt);
+
+ unlock:
+ mutex_unlock(&ir_raw_handler_lock);
+--
+2.30.2
+
--- /dev/null
+From c9a1df0784eeef4a1f74588b00b4c8ac5bd0468d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Jun 2021 15:09:46 +0800
+Subject: MIPS: add PMD table accounting into MIPS'pmd_alloc_one
+
+From: Huang Pei <huangpei@loongson.cn>
+
+[ Upstream commit ed914d48b6a1040d1039d371b56273d422c0081e ]
+
+This fixes Page Table accounting bug.
+
+MIPS is the ONLY arch just defining __HAVE_ARCH_PMD_ALLOC_ONE alone.
+Since commit b2b29d6d011944 (mm: account PMD tables like PTE tables),
+"pmd_free" in asm-generic with PMD table accounting and "pmd_alloc_one"
+in MIPS without PMD table accounting causes PageTable accounting number
+negative, which read by global_zone_page_state(), always returns 0.
+
+Signed-off-by: Huang Pei <huangpei@loongson.cn>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/include/asm/pgalloc.h | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/arch/mips/include/asm/pgalloc.h b/arch/mips/include/asm/pgalloc.h
+index 166842337eb2..dd10854321ca 100644
+--- a/arch/mips/include/asm/pgalloc.h
++++ b/arch/mips/include/asm/pgalloc.h
+@@ -62,11 +62,15 @@ do { \
+
+ static inline pmd_t *pmd_alloc_one(struct mm_struct *mm, unsigned long address)
+ {
+- pmd_t *pmd;
++ pmd_t *pmd = NULL;
++ struct page *pg;
+
+- pmd = (pmd_t *) __get_free_pages(GFP_KERNEL, PMD_ORDER);
+- if (pmd)
++ pg = alloc_pages(GFP_KERNEL | __GFP_ACCOUNT, PMD_ORDER);
++ if (pg) {
++ pgtable_pmd_page_ctor(pg);
++ pmd = (pmd_t *)page_address(pg);
+ pmd_init((unsigned long)pmd, (unsigned long)invalid_pte_table);
++ }
+ return pmd;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 051a115d4546c620ca4eeed8a6bab9b6c5e5b32c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Jun 2021 17:11:05 +0800
+Subject: MIPS: loongsoon64: Reserve memory below starting pfn to prevent Oops
+
+From: zhanglianjie <zhanglianjie@uniontech.com>
+
+[ Upstream commit 6817c944430d00f71ccaa9c99ff5b0096aeb7873 ]
+
+The cause of the problem is as follows:
+1. when cat /sys/devices/system/memory/memory0/valid_zones,
+ test_pages_in_a_zone() will be called.
+2. test_pages_in_a_zone() finds the zone according to stat_pfn = 0.
+ The smallest pfn of the numa node in the mips architecture is 128,
+ and the page corresponding to the previous 0~127 pfn is not
+ initialized (page->flags is 0xFFFFFFFF)
+3. The nid and zonenum obtained using page_zone(pfn_to_page(0)) are out
+ of bounds in the corresponding array,
+ &NODE_DATA(page_to_nid(page))->node_zones[page_zonenum(page)],
+ access to the out-of-bounds zone member variables appear abnormal,
+ resulting in Oops.
+Therefore, it is necessary to keep the page between 0 and the minimum
+pfn to prevent Oops from appearing.
+
+Signed-off-by: zhanglianjie <zhanglianjie@uniontech.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/loongson64/loongson-3/numa.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/mips/loongson64/loongson-3/numa.c b/arch/mips/loongson64/loongson-3/numa.c
+index 8f20d2cb3767..7e7376cc94b1 100644
+--- a/arch/mips/loongson64/loongson-3/numa.c
++++ b/arch/mips/loongson64/loongson-3/numa.c
+@@ -200,6 +200,9 @@ static void __init node_mem_init(unsigned int node)
+ if (node_end_pfn(0) >= (0xffffffff >> PAGE_SHIFT))
+ memblock_reserve((node_addrspace_offset | 0xfe000000),
+ 32 << 20);
++
++ /* Reserve pfn range 0~node[0]->node_start_pfn */
++ memblock_reserve(0, PAGE_SIZE * start_pfn);
+ }
+ }
+
+--
+2.30.2
+
--- /dev/null
+From d09b322e939593f6c3828c0d06ace9197cfe361a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Jun 2021 14:50:26 -0700
+Subject: MIPS: set mips32r5 for virt extensions
+
+From: Nick Desaulniers <ndesaulniers@google.com>
+
+[ Upstream commit c994a3ec7ecc8bd2a837b2061e8a76eb8efc082b ]
+
+Clang's integrated assembler only accepts these instructions when the
+cpu is set to mips32r5. With this change, we can assemble
+malta_defconfig with Clang via `make LLVM_IAS=1`.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/763
+Reported-by: Dmitry Golovin <dima@golovin.in>
+Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/include/asm/mipsregs.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/mips/include/asm/mipsregs.h b/arch/mips/include/asm/mipsregs.h
+index 3afdb39d092a..c28b892937fe 100644
+--- a/arch/mips/include/asm/mipsregs.h
++++ b/arch/mips/include/asm/mipsregs.h
+@@ -2007,7 +2007,7 @@ _ASM_MACRO_0(tlbginvf, _ASM_INSN_IF_MIPS(0x4200000c)
+ ({ int __res; \
+ __asm__ __volatile__( \
+ ".set\tpush\n\t" \
+- ".set\tmips32r2\n\t" \
++ ".set\tmips32r5\n\t" \
+ _ASM_SET_VIRT \
+ "mfgc0\t%0, " #source ", %1\n\t" \
+ ".set\tpop" \
+@@ -2020,7 +2020,7 @@ _ASM_MACRO_0(tlbginvf, _ASM_INSN_IF_MIPS(0x4200000c)
+ ({ unsigned long long __res; \
+ __asm__ __volatile__( \
+ ".set\tpush\n\t" \
+- ".set\tmips64r2\n\t" \
++ ".set\tmips64r5\n\t" \
+ _ASM_SET_VIRT \
+ "dmfgc0\t%0, " #source ", %1\n\t" \
+ ".set\tpop" \
+@@ -2033,7 +2033,7 @@ _ASM_MACRO_0(tlbginvf, _ASM_INSN_IF_MIPS(0x4200000c)
+ do { \
+ __asm__ __volatile__( \
+ ".set\tpush\n\t" \
+- ".set\tmips32r2\n\t" \
++ ".set\tmips32r5\n\t" \
+ _ASM_SET_VIRT \
+ "mtgc0\t%z0, " #register ", %1\n\t" \
+ ".set\tpop" \
+@@ -2045,7 +2045,7 @@ do { \
+ do { \
+ __asm__ __volatile__( \
+ ".set\tpush\n\t" \
+- ".set\tmips64r2\n\t" \
++ ".set\tmips64r5\n\t" \
+ _ASM_SET_VIRT \
+ "dmtgc0\t%z0, " #register ", %1\n\t" \
+ ".set\tpop" \
+--
+2.30.2
+
--- /dev/null
+From 48fd166472d8cf68efa34d3c441bba8b937c2459 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 May 2021 14:58:53 +0800
+Subject: mISDN: fix possible use-after-free in HFC_cleanup()
+
+From: Zou Wei <zou_wei@huawei.com>
+
+[ Upstream commit 009fc857c5f6fda81f2f7dd851b2d54193a8e733 ]
+
+This module's remove path calls del_timer(). However, that function
+does not wait until the timer handler finishes. This means that the
+timer handler may still be running after the driver's remove function
+has finished, which would result in a use-after-free.
+
+Fix by calling del_timer_sync(), which makes sure the timer handler
+has finished, and unable to re-schedule itself.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zou Wei <zou_wei@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/isdn/hardware/mISDN/hfcpci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/isdn/hardware/mISDN/hfcpci.c b/drivers/isdn/hardware/mISDN/hfcpci.c
+index 2330a7d24267..a2b2ce1dfec8 100644
+--- a/drivers/isdn/hardware/mISDN/hfcpci.c
++++ b/drivers/isdn/hardware/mISDN/hfcpci.c
+@@ -2341,7 +2341,7 @@ static void __exit
+ HFC_cleanup(void)
+ {
+ if (timer_pending(&hfc_tl))
+- del_timer(&hfc_tl);
++ del_timer_sync(&hfc_tl);
+
+ pci_unregister_driver(&hfc_driver);
+ }
+--
+2.30.2
+
--- /dev/null
+From d9266be14965e9739b6dfb0156e3558d1fc384df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 May 2021 14:07:53 +0200
+Subject: mt76: mt7615: fix fixed-rate tx status reporting
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit ec8f1a90d006f7cedcf86ef19fd034a406a213d6 ]
+
+Rely on the txs fixed-rate bit instead of info->control.rates
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7615/mac.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
+index 111e38ff954a..a6c530b9ceee 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
+@@ -840,22 +840,20 @@ static bool mt7615_fill_txs(struct mt7615_dev *dev, struct mt7615_sta *sta,
+ int first_idx = 0, last_idx;
+ int i, idx, count;
+ bool fixed_rate, ack_timeout;
+- bool probe, ampdu, cck = false;
++ bool ampdu, cck = false;
+ bool rs_idx;
+ u32 rate_set_tsf;
+ u32 final_rate, final_rate_flags, final_nss, txs;
+
+- fixed_rate = info->status.rates[0].count;
+- probe = !!(info->flags & IEEE80211_TX_CTL_RATE_CTRL_PROBE);
+-
+ txs = le32_to_cpu(txs_data[1]);
+- ampdu = !fixed_rate && (txs & MT_TXS1_AMPDU);
++ ampdu = txs & MT_TXS1_AMPDU;
+
+ txs = le32_to_cpu(txs_data[3]);
+ count = FIELD_GET(MT_TXS3_TX_COUNT, txs);
+ last_idx = FIELD_GET(MT_TXS3_LAST_TX_RATE, txs);
+
+ txs = le32_to_cpu(txs_data[0]);
++ fixed_rate = txs & MT_TXS0_FIXED_RATE;
+ final_rate = FIELD_GET(MT_TXS0_TX_RATE, txs);
+ ack_timeout = txs & MT_TXS0_ACK_TIMEOUT;
+
+@@ -877,7 +875,7 @@ static bool mt7615_fill_txs(struct mt7615_dev *dev, struct mt7615_sta *sta,
+
+ first_idx = max_t(int, 0, last_idx - (count + 1) / MT7615_RATE_RETRY);
+
+- if (fixed_rate && !probe) {
++ if (fixed_rate) {
+ info->status.rates[0].count = count;
+ i = 0;
+ goto out;
+--
+2.30.2
+
--- /dev/null
+From c5353e4daf3b782e1b9fa3d006733b2d1a04bda6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Jun 2021 21:38:37 +0800
+Subject: net: bcmgenet: check return value after calling
+ platform_get_resource()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 74325bf0104573c6dfce42837139aeef3f34be76 ]
+
+It will cause null-ptr-deref if platform_get_resource() returns NULL,
+we need check the return value.
+
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmmii.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/broadcom/genet/bcmmii.c b/drivers/net/ethernet/broadcom/genet/bcmmii.c
+index dbe18cdf6c1b..ce569b7d3b35 100644
+--- a/drivers/net/ethernet/broadcom/genet/bcmmii.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmmii.c
+@@ -426,6 +426,10 @@ static int bcmgenet_mii_register(struct bcmgenet_priv *priv)
+ int id, ret;
+
+ pres = platform_get_resource(pdev, IORESOURCE_MEM, 0);
++ if (!pres) {
++ dev_err(&pdev->dev, "Invalid resource\n");
++ return -EINVAL;
++ }
+ memset(&res, 0, sizeof(res));
+ memset(&ppd, 0, sizeof(ppd));
+
+--
+2.30.2
+
--- /dev/null
+From 69b702026980365a694f94f6e64549b83f2d80d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jun 2021 11:37:11 +0800
+Subject: net: fix mistake path for netdev_features_strings
+
+From: Jian Shen <shenjian15@huawei.com>
+
+[ Upstream commit 2d8ea148e553e1dd4e80a87741abdfb229e2b323 ]
+
+Th_strings arrays netdev_features_strings, tunable_strings, and
+phy_tunable_strings has been moved to file net/ethtool/common.c.
+So fixes the comment.
+
+Signed-off-by: Jian Shen <shenjian15@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/netdev_features.h | 2 +-
+ include/uapi/linux/ethtool.h | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/netdev_features.h b/include/linux/netdev_features.h
+index 4b19c544c59a..640e7279f161 100644
+--- a/include/linux/netdev_features.h
++++ b/include/linux/netdev_features.h
+@@ -83,7 +83,7 @@ enum {
+
+ /*
+ * Add your fresh new feature above and remember to update
+- * netdev_features_strings[] in net/core/ethtool.c and maybe
++ * netdev_features_strings[] in net/ethtool/common.c and maybe
+ * some feature mask #defines below. Please also describe it
+ * in Documentation/networking/netdev-features.txt.
+ */
+diff --git a/include/uapi/linux/ethtool.h b/include/uapi/linux/ethtool.h
+index 7857aa413627..8d465e5322e7 100644
+--- a/include/uapi/linux/ethtool.h
++++ b/include/uapi/linux/ethtool.h
+@@ -223,7 +223,7 @@ enum tunable_id {
+ ETHTOOL_PFC_PREVENTION_TOUT, /* timeout in msecs */
+ /*
+ * Add your fresh new tunable attribute above and remember to update
+- * tunable_strings[] in net/core/ethtool.c
++ * tunable_strings[] in net/ethtool/common.c
+ */
+ __ETHTOOL_TUNABLE_COUNT,
+ };
+@@ -287,7 +287,7 @@ enum phy_tunable_id {
+ ETHTOOL_PHY_EDPD,
+ /*
+ * Add your fresh new phy tunable attribute above and remember to update
+- * phy_tunable_strings[] in net/core/ethtool.c
++ * phy_tunable_strings[] in net/ethtool/common.c
+ */
+ __ETHTOOL_PHY_TUNABLE_COUNT,
+ };
+--
+2.30.2
+
--- /dev/null
+From 9325b3c837cc82a1b0a75b5d31443df2ffa3fe72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jun 2021 14:44:38 -0700
+Subject: net: ip: avoid OOM kills with large UDP sends over loopback
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 6d123b81ac615072a8525c13c6c41b695270a15d ]
+
+Dave observed number of machines hitting OOM on the UDP send
+path. The workload seems to be sending large UDP packets over
+loopback. Since loopback has MTU of 64k kernel will try to
+allocate an skb with up to 64k of head space. This has a good
+chance of failing under memory pressure. What's worse if
+the message length is <32k the allocation may trigger an
+OOM killer.
+
+This is entirely avoidable, we can use an skb with page frags.
+
+af_unix solves a similar problem by limiting the head
+length to SKB_MAX_ALLOC. This seems like a good and simple
+approach. It means that UDP messages > 16kB will now
+use fragments if underlying device supports SG, if extra
+allocator pressure causes regressions in real workloads
+we can switch to trying the large allocation first and
+falling back.
+
+v4: pre-calculate all the additions to alloclen so
+ we can be sure it won't go over order-2
+
+Reported-by: Dave Jones <dsj@fb.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/ip_output.c | 32 ++++++++++++++++++--------------
+ net/ipv6/ip6_output.c | 32 +++++++++++++++++---------------
+ 2 files changed, 35 insertions(+), 29 deletions(-)
+
+diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
+index 7a394479dd56..f52bc9c22e5b 100644
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -1048,7 +1048,7 @@ static int __ip_append_data(struct sock *sk,
+ unsigned int datalen;
+ unsigned int fraglen;
+ unsigned int fraggap;
+- unsigned int alloclen;
++ unsigned int alloclen, alloc_extra;
+ unsigned int pagedlen;
+ struct sk_buff *skb_prev;
+ alloc_new_skb:
+@@ -1068,35 +1068,39 @@ alloc_new_skb:
+ fraglen = datalen + fragheaderlen;
+ pagedlen = 0;
+
++ alloc_extra = hh_len + 15;
++ alloc_extra += exthdrlen;
++
++ /* The last fragment gets additional space at tail.
++ * Note, with MSG_MORE we overallocate on fragments,
++ * because we have no idea what fragment will be
++ * the last.
++ */
++ if (datalen == length + fraggap)
++ alloc_extra += rt->dst.trailer_len;
++
+ if ((flags & MSG_MORE) &&
+ !(rt->dst.dev->features&NETIF_F_SG))
+ alloclen = mtu;
+- else if (!paged)
++ else if (!paged &&
++ (fraglen + alloc_extra < SKB_MAX_ALLOC ||
++ !(rt->dst.dev->features & NETIF_F_SG)))
+ alloclen = fraglen;
+ else {
+ alloclen = min_t(int, fraglen, MAX_HEADER);
+ pagedlen = fraglen - alloclen;
+ }
+
+- alloclen += exthdrlen;
+-
+- /* The last fragment gets additional space at tail.
+- * Note, with MSG_MORE we overallocate on fragments,
+- * because we have no idea what fragment will be
+- * the last.
+- */
+- if (datalen == length + fraggap)
+- alloclen += rt->dst.trailer_len;
++ alloclen += alloc_extra;
+
+ if (transhdrlen) {
+- skb = sock_alloc_send_skb(sk,
+- alloclen + hh_len + 15,
++ skb = sock_alloc_send_skb(sk, alloclen,
+ (flags & MSG_DONTWAIT), &err);
+ } else {
+ skb = NULL;
+ if (refcount_read(&sk->sk_wmem_alloc) + wmem_alloc_delta <=
+ 2 * sk->sk_sndbuf)
+- skb = alloc_skb(alloclen + hh_len + 15,
++ skb = alloc_skb(alloclen,
+ sk->sk_allocation);
+ if (unlikely(!skb))
+ err = -ENOBUFS;
+diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
+index 7a80c42fcce2..4dcbb1ccab25 100644
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1484,7 +1484,7 @@ emsgsize:
+ unsigned int datalen;
+ unsigned int fraglen;
+ unsigned int fraggap;
+- unsigned int alloclen;
++ unsigned int alloclen, alloc_extra;
+ unsigned int pagedlen;
+ alloc_new_skb:
+ /* There's no room in the current skb */
+@@ -1511,17 +1511,28 @@ alloc_new_skb:
+ fraglen = datalen + fragheaderlen;
+ pagedlen = 0;
+
++ alloc_extra = hh_len;
++ alloc_extra += dst_exthdrlen;
++ alloc_extra += rt->dst.trailer_len;
++
++ /* We just reserve space for fragment header.
++ * Note: this may be overallocation if the message
++ * (without MSG_MORE) fits into the MTU.
++ */
++ alloc_extra += sizeof(struct frag_hdr);
++
+ if ((flags & MSG_MORE) &&
+ !(rt->dst.dev->features&NETIF_F_SG))
+ alloclen = mtu;
+- else if (!paged)
++ else if (!paged &&
++ (fraglen + alloc_extra < SKB_MAX_ALLOC ||
++ !(rt->dst.dev->features & NETIF_F_SG)))
+ alloclen = fraglen;
+ else {
+ alloclen = min_t(int, fraglen, MAX_HEADER);
+ pagedlen = fraglen - alloclen;
+ }
+-
+- alloclen += dst_exthdrlen;
++ alloclen += alloc_extra;
+
+ if (datalen != length + fraggap) {
+ /*
+@@ -1531,30 +1542,21 @@ alloc_new_skb:
+ datalen += rt->dst.trailer_len;
+ }
+
+- alloclen += rt->dst.trailer_len;
+ fraglen = datalen + fragheaderlen;
+
+- /*
+- * We just reserve space for fragment header.
+- * Note: this may be overallocation if the message
+- * (without MSG_MORE) fits into the MTU.
+- */
+- alloclen += sizeof(struct frag_hdr);
+-
+ copy = datalen - transhdrlen - fraggap - pagedlen;
+ if (copy < 0) {
+ err = -EINVAL;
+ goto error;
+ }
+ if (transhdrlen) {
+- skb = sock_alloc_send_skb(sk,
+- alloclen + hh_len,
++ skb = sock_alloc_send_skb(sk, alloclen,
+ (flags & MSG_DONTWAIT), &err);
+ } else {
+ skb = NULL;
+ if (refcount_read(&sk->sk_wmem_alloc) + wmem_alloc_delta <=
+ 2 * sk->sk_sndbuf)
+- skb = alloc_skb(alloclen + hh_len,
++ skb = alloc_skb(alloclen,
+ sk->sk_allocation);
+ if (unlikely(!skb))
+ err = -ENOBUFS;
+--
+2.30.2
+
--- /dev/null
+From 44acd2da790116aef0a837a6949c3ab29e9b0560 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Jun 2021 22:55:21 +0800
+Subject: net: micrel: check return value after calling platform_get_resource()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 20f1932e2282c58cb5ac59517585206cf5b385ae ]
+
+It will cause null-ptr-deref if platform_get_resource() returns NULL,
+we need check the return value.
+
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/micrel/ks8842.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/micrel/ks8842.c b/drivers/net/ethernet/micrel/ks8842.c
+index da329ca115cc..fb838e29d52d 100644
+--- a/drivers/net/ethernet/micrel/ks8842.c
++++ b/drivers/net/ethernet/micrel/ks8842.c
+@@ -1136,6 +1136,10 @@ static int ks8842_probe(struct platform_device *pdev)
+ unsigned i;
+
+ iomem = platform_get_resource(pdev, IORESOURCE_MEM, 0);
++ if (!iomem) {
++ dev_err(&pdev->dev, "Invalid resource\n");
++ return -EINVAL;
++ }
+ if (!request_mem_region(iomem->start, resource_size(iomem), DRV_NAME))
+ goto err_mem_region;
+
+--
+2.30.2
+
--- /dev/null
+From ae8621da378ce782ab29674d14a413c64fbd4bce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Jun 2021 23:02:59 +0800
+Subject: net: moxa: Use devm_platform_get_and_ioremap_resource()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 35cba15a504bf4f585bb9d78f47b22b28a1a06b2 ]
+
+Use devm_platform_get_and_ioremap_resource() to simplify
+code and avoid a null-ptr-deref by checking 'res' in it.
+
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/moxa/moxart_ether.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/moxa/moxart_ether.c b/drivers/net/ethernet/moxa/moxart_ether.c
+index f70bb81e1ed6..9f7eaae51335 100644
+--- a/drivers/net/ethernet/moxa/moxart_ether.c
++++ b/drivers/net/ethernet/moxa/moxart_ether.c
+@@ -480,14 +480,13 @@ static int moxart_mac_probe(struct platform_device *pdev)
+ priv->ndev = ndev;
+ priv->pdev = pdev;
+
+- res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+- ndev->base_addr = res->start;
+- priv->base = devm_ioremap_resource(p_dev, res);
++ priv->base = devm_platform_get_and_ioremap_resource(pdev, 0, &res);
+ if (IS_ERR(priv->base)) {
+ dev_err(p_dev, "devm_ioremap_resource failed\n");
+ ret = PTR_ERR(priv->base);
+ goto init_fail;
+ }
++ ndev->base_addr = res->start;
+
+ spin_lock_init(&priv->txlock);
+
+--
+2.30.2
+
--- /dev/null
+From dc6f61208f3a3b8cc93c0f26d78bb7026bd5f0c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Jun 2021 22:36:02 +0800
+Subject: net: mvpp2: check return value after calling platform_get_resource()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 0bb51a3a385790a4be20085494cf78f70dadf646 ]
+
+It will cause null-ptr-deref if platform_get_resource() returns NULL,
+we need check the return value.
+
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+index 7857ebff92e8..dac0e51e6aaf 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+@@ -5740,6 +5740,10 @@ static int mvpp2_probe(struct platform_device *pdev)
+ return PTR_ERR(priv->lms_base);
+ } else {
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 1);
++ if (!res) {
++ dev_err(&pdev->dev, "Invalid resource\n");
++ return -EINVAL;
++ }
+ if (has_acpi_companion(&pdev->dev)) {
+ /* In case the MDIO memory region is declared in
+ * the ACPI, it can already appear as 'in-use'
+--
+2.30.2
+
--- /dev/null
+From 0fbfe4471c2e1a4e3399806ec1f63ace5f2c775a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 May 2021 19:39:30 +0300
+Subject: net: pch_gbe: Use proper accessors to BE data in pch_ptp_match()
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 443ef39b499cc9c6635f83238101f1bb923e9326 ]
+
+Sparse is not happy about handling of strict types in pch_ptp_match():
+
+ .../pch_gbe_main.c:158:33: warning: incorrect type in argument 2 (different base types)
+ .../pch_gbe_main.c:158:33: expected unsigned short [usertype] uid_hi
+ .../pch_gbe_main.c:158:33: got restricted __be16 [usertype]
+ .../pch_gbe_main.c:158:45: warning: incorrect type in argument 3 (different base types)
+ .../pch_gbe_main.c:158:45: expected unsigned int [usertype] uid_lo
+ .../pch_gbe_main.c:158:45: got restricted __be32 [usertype]
+ .../pch_gbe_main.c:158:56: warning: incorrect type in argument 4 (different base types)
+ .../pch_gbe_main.c:158:56: expected unsigned short [usertype] seqid
+ .../pch_gbe_main.c:158:56: got restricted __be16 [usertype]
+
+Fix that by switching to use proper accessors to BE data.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Tested-by: Flavio Suligoi <f.suligoi@asem.it>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ethernet/oki-semi/pch_gbe/pch_gbe_main.c | 19 ++++++-------------
+ 1 file changed, 6 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c
+index f1269fe4ac72..8ff4c616f0ad 100644
+--- a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c
++++ b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c
+@@ -107,7 +107,7 @@ static int pch_ptp_match(struct sk_buff *skb, u16 uid_hi, u32 uid_lo, u16 seqid)
+ {
+ u8 *data = skb->data;
+ unsigned int offset;
+- u16 *hi, *id;
++ u16 hi, id;
+ u32 lo;
+
+ if (ptp_classify_raw(skb) == PTP_CLASS_NONE)
+@@ -118,14 +118,11 @@ static int pch_ptp_match(struct sk_buff *skb, u16 uid_hi, u32 uid_lo, u16 seqid)
+ if (skb->len < offset + OFF_PTP_SEQUENCE_ID + sizeof(seqid))
+ return 0;
+
+- hi = (u16 *)(data + offset + OFF_PTP_SOURCE_UUID);
+- id = (u16 *)(data + offset + OFF_PTP_SEQUENCE_ID);
++ hi = get_unaligned_be16(data + offset + OFF_PTP_SOURCE_UUID + 0);
++ lo = get_unaligned_be32(data + offset + OFF_PTP_SOURCE_UUID + 2);
++ id = get_unaligned_be16(data + offset + OFF_PTP_SEQUENCE_ID);
+
+- memcpy(&lo, &hi[1], sizeof(lo));
+-
+- return (uid_hi == *hi &&
+- uid_lo == lo &&
+- seqid == *id);
++ return (uid_hi == hi && uid_lo == lo && seqid == id);
+ }
+
+ static void
+@@ -135,7 +132,6 @@ pch_rx_timestamp(struct pch_gbe_adapter *adapter, struct sk_buff *skb)
+ struct pci_dev *pdev;
+ u64 ns;
+ u32 hi, lo, val;
+- u16 uid, seq;
+
+ if (!adapter->hwts_rx_en)
+ return;
+@@ -151,10 +147,7 @@ pch_rx_timestamp(struct pch_gbe_adapter *adapter, struct sk_buff *skb)
+ lo = pch_src_uuid_lo_read(pdev);
+ hi = pch_src_uuid_hi_read(pdev);
+
+- uid = hi & 0xffff;
+- seq = (hi >> 16) & 0xffff;
+-
+- if (!pch_ptp_match(skb, htons(uid), htonl(lo), htons(seq)))
++ if (!pch_ptp_match(skb, hi, lo, hi >> 16))
+ goto out;
+
+ ns = pch_rx_snap_read(pdev);
+--
+2.30.2
+
--- /dev/null
+From 8caa543e33e04c720b9b5f9f91575db71cd18593 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jun 2021 16:02:07 +0800
+Subject: net: sched: fix error return code in tcf_del_walker()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 55d96f72e8ddc0a294e0b9c94016edbb699537e1 ]
+
+When nla_put_u32() fails, 'ret' could be 0, it should
+return error code in tcf_del_walker().
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/act_api.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/sched/act_api.c b/net/sched/act_api.c
+index 716cad677318..17e5cd9ebd89 100644
+--- a/net/sched/act_api.c
++++ b/net/sched/act_api.c
+@@ -316,7 +316,8 @@ static int tcf_del_walker(struct tcf_idrinfo *idrinfo, struct sk_buff *skb,
+ }
+ mutex_unlock(&idrinfo->lock);
+
+- if (nla_put_u32(skb, TCA_FCNT, n_i))
++ ret = nla_put_u32(skb, TCA_FCNT, n_i);
++ if (ret)
+ goto nla_put_failure;
+ nla_nest_end(skb, nest);
+
+--
+2.30.2
+
--- /dev/null
+From de18527d252d0f210cf03e51fdd7de52288f58b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 May 2021 23:43:24 +0200
+Subject: net: Treat __napi_schedule_irqoff() as __napi_schedule() on
+ PREEMPT_RT
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit 8380c81d5c4fced6f4397795a5ae65758272bbfd ]
+
+__napi_schedule_irqoff() is an optimized version of __napi_schedule()
+which can be used where it is known that interrupts are disabled,
+e.g. in interrupt-handlers, spin_lock_irq() sections or hrtimer
+callbacks.
+
+On PREEMPT_RT enabled kernels this assumptions is not true. Force-
+threaded interrupt handlers and spinlocks are not disabling interrupts
+and the NAPI hrtimer callback is forced into softirq context which runs
+with interrupts enabled as well.
+
+Chasing all usage sites of __napi_schedule_irqoff() is a whack-a-mole
+game so make __napi_schedule_irqoff() invoke __napi_schedule() for
+PREEMPT_RT kernels.
+
+The callers of ____napi_schedule() in the networking core have been
+audited and are correct on PREEMPT_RT kernels as well.
+
+Reported-by: Juri Lelli <juri.lelli@redhat.com>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Juri Lelli <juri.lelli@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/dev.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index e226f266da9e..3810eaf89b26 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -5972,11 +5972,18 @@ EXPORT_SYMBOL(napi_schedule_prep);
+ * __napi_schedule_irqoff - schedule for receive
+ * @n: entry to schedule
+ *
+- * Variant of __napi_schedule() assuming hard irqs are masked
++ * Variant of __napi_schedule() assuming hard irqs are masked.
++ *
++ * On PREEMPT_RT enabled kernels this maps to __napi_schedule()
++ * because the interrupt disabled assumption might not be true
++ * due to force-threaded interrupts and spinlock substitution.
+ */
+ void __napi_schedule_irqoff(struct napi_struct *n)
+ {
+- ____napi_schedule(this_cpu_ptr(&softnet_data), n);
++ if (!IS_ENABLED(CONFIG_PREEMPT_RT))
++ ____napi_schedule(this_cpu_ptr(&softnet_data), n);
++ else
++ __napi_schedule(n);
+ }
+ EXPORT_SYMBOL(__napi_schedule_irqoff);
+
+--
+2.30.2
+
--- /dev/null
+From 5d13b7016060d6e0d2b8d71a0aa950fc2cc9cd78 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jun 2021 10:48:18 +0000
+Subject: pinctrl: mcp23s08: fix race condition in irq handler
+
+From: Radim Pavlik <radim.pavlik@tbs-biometrics.com>
+
+[ Upstream commit 897120d41e7afd9da435cb00041a142aeeb53c07 ]
+
+Checking value of MCP_INTF in mcp23s08_irq suggests that the handler may be
+called even when there is no interrupt pending.
+
+But the actual interrupt could happened between reading MCP_INTF and MCP_GPIO.
+In this situation we got nothing from MCP_INTF, but the event gets acknowledged
+on the expander by reading MCP_GPIO. This leads to losing events.
+
+Fix the problem by not reading any register until we see something in MCP_INTF.
+
+The error was reproduced and fix tested on MCP23017.
+
+Signed-off-by: Radim Pavlik <radim.pavlik@tbs-biometrics.com>
+Link: https://lore.kernel.org/r/AM7PR06MB6769E1183F68DEBB252F665ABA3E9@AM7PR06MB6769.eurprd06.prod.outlook.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinctrl-mcp23s08.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/pinctrl/pinctrl-mcp23s08.c b/drivers/pinctrl/pinctrl-mcp23s08.c
+index d8bcbefcba89..9d5e2d9b6b93 100644
+--- a/drivers/pinctrl/pinctrl-mcp23s08.c
++++ b/drivers/pinctrl/pinctrl-mcp23s08.c
+@@ -459,6 +459,11 @@ static irqreturn_t mcp23s08_irq(int irq, void *data)
+ if (mcp_read(mcp, MCP_INTF, &intf))
+ goto unlock;
+
++ if (intf == 0) {
++ /* There is no interrupt pending */
++ return IRQ_HANDLED;
++ }
++
+ if (mcp_read(mcp, MCP_INTCAP, &intcap))
+ goto unlock;
+
+@@ -476,11 +481,6 @@ static irqreturn_t mcp23s08_irq(int irq, void *data)
+ mcp->cached_gpio = gpio;
+ mutex_unlock(&mcp->lock);
+
+- if (intf == 0) {
+- /* There is no interrupt pending */
+- return IRQ_HANDLED;
+- }
+-
+ dev_dbg(mcp->chip.parent,
+ "intcap 0x%04X intf 0x%04X gpio_orig 0x%04X gpio 0x%04X\n",
+ intcap, intf, gpio_orig, gpio);
+--
+2.30.2
+
--- /dev/null
+From ae41511c43f34cb09afb3784ccba7d87813d4950 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jun 2021 22:56:59 +0200
+Subject: r8169: avoid link-up interrupt issue on RTL8106e if user enables ASPM
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+[ Upstream commit 1ee8856de82faec9bc8bd0f2308a7f27e30ba207 ]
+
+It has been reported that on RTL8106e the link-up interrupt may be
+significantly delayed if the user enables ASPM L1. Per default ASPM
+is disabled. The change leaves L1 enabled on the PCIe link (thus still
+allowing to reach higher package power saving states), but the
+NIC won't actively trigger it.
+
+Reported-by: Koba Ko <koba.ko@canonical.com>
+Tested-by: Koba Ko <koba.ko@canonical.com>
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/realtek/r8169_main.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c
+index 661202e85412..5969f64169e5 100644
+--- a/drivers/net/ethernet/realtek/r8169_main.c
++++ b/drivers/net/ethernet/realtek/r8169_main.c
+@@ -5190,7 +5190,6 @@ static void rtl_hw_start_8106(struct rtl8169_private *tp)
+ RTL_W8(tp, DLLPR, RTL_R8(tp, DLLPR) & ~PFM_EN);
+
+ rtl_pcie_state_l2l3_disable(tp);
+- rtl_hw_aspm_clkreq_enable(tp, true);
+ }
+
+ DECLARE_RTL_COND(rtl_mac_ocp_e00e_cond)
+--
+2.30.2
+
--- /dev/null
+From 874c7e20ba5581543d7bc0c47689c9798da3d1a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Jun 2021 11:55:31 -0700
+Subject: RDMA/cma: Fix rdma_resolve_route() memory leak
+
+From: Gerd Rausch <gerd.rausch@oracle.com>
+
+[ Upstream commit 74f160ead74bfe5f2b38afb4fcf86189f9ff40c9 ]
+
+Fix a memory leak when "mda_resolve_route() is called more than once on
+the same "rdma_cm_id".
+
+This is possible if cma_query_handler() triggers the
+RDMA_CM_EVENT_ROUTE_ERROR flow which puts the state machine back and
+allows rdma_resolve_route() to be called again.
+
+Link: https://lore.kernel.org/r/f6662b7b-bdb7-2706-1e12-47c61d3474b6@oracle.com
+Signed-off-by: Gerd Rausch <gerd.rausch@oracle.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/cma.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
+index 92428990f0cc..ec9e9598894f 100644
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -2719,7 +2719,8 @@ static int cma_resolve_ib_route(struct rdma_id_private *id_priv,
+
+ cma_init_resolve_route_work(work, id_priv);
+
+- route->path_rec = kmalloc(sizeof *route->path_rec, GFP_KERNEL);
++ if (!route->path_rec)
++ route->path_rec = kmalloc(sizeof *route->path_rec, GFP_KERNEL);
+ if (!route->path_rec) {
+ ret = -ENOMEM;
+ goto err1;
+--
+2.30.2
+
--- /dev/null
+From 51f3db4ca09b9b4de59f4d568d2098ec88351ea0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jun 2021 19:07:49 +0800
+Subject: RDMA/cxgb4: Fix missing error code in create_qp()
+
+From: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
+
+[ Upstream commit aeb27bb76ad8197eb47890b1ff470d5faf8ec9a5 ]
+
+The error code is missing in this code scenario so 0 will be returned. Add
+the error code '-EINVAL' to the return value 'ret'.
+
+Eliminates the follow smatch warning:
+
+drivers/infiniband/hw/cxgb4/qp.c:298 create_qp() warn: missing error code 'ret'.
+
+Link: https://lore.kernel.org/r/1622545669-20625-1-git-send-email-jiapeng.chong@linux.alibaba.com
+Reported-by: Abaci Robot <abaci@linux.alibaba.com>
+Signed-off-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/cxgb4/qp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/infiniband/hw/cxgb4/qp.c b/drivers/infiniband/hw/cxgb4/qp.c
+index e7472f0da59d..3ac08f47a8ce 100644
+--- a/drivers/infiniband/hw/cxgb4/qp.c
++++ b/drivers/infiniband/hw/cxgb4/qp.c
+@@ -295,6 +295,7 @@ static int create_qp(struct c4iw_rdev *rdev, struct t4_wq *wq,
+ if (user && (!wq->sq.bar2_pa || (need_rq && !wq->rq.bar2_pa))) {
+ pr_warn("%s: sqid %u or rqid %u not in BAR2 range\n",
+ pci_name(rdev->lldi.pdev), wq->sq.qid, wq->rq.qid);
++ ret = -EINVAL;
+ goto free_dma;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From dbd191f9f928ea3cb158a7ea4560c05302d85b98 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jun 2021 15:14:56 +0800
+Subject: RDMA/rxe: Don't overwrite errno from ib_umem_get()
+
+From: Xiao Yang <yangx.jy@fujitsu.com>
+
+[ Upstream commit 20ec0a6d6016aa28b9b3299be18baef1a0f91cd2 ]
+
+rxe_mr_init_user() always returns the fixed -EINVAL when ib_umem_get()
+fails so it's hard for user to know which actual error happens in
+ib_umem_get(). For example, ib_umem_get() will return -EOPNOTSUPP when
+trying to pin pages on a DAX file.
+
+Return actual error as mlx4/mlx5 does.
+
+Link: https://lore.kernel.org/r/20210621071456.4259-1-ice_yangxiao@163.com
+Signed-off-by: Xiao Yang <yangx.jy@fujitsu.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/rxe/rxe_mr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_mr.c b/drivers/infiniband/sw/rxe/rxe_mr.c
+index ffbc50341a55..f885e245699b 100644
+--- a/drivers/infiniband/sw/rxe/rxe_mr.c
++++ b/drivers/infiniband/sw/rxe/rxe_mr.c
+@@ -173,7 +173,7 @@ int rxe_mem_init_user(struct rxe_pd *pd, u64 start,
+ if (IS_ERR(umem)) {
+ pr_warn("err %d from rxe_umem_get\n",
+ (int)PTR_ERR(umem));
+- err = -EINVAL;
++ err = PTR_ERR(umem);
+ goto err1;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From b025a7bbb915d088d2a3afd88da94623839de63b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 May 2021 15:15:45 +0300
+Subject: reiserfs: add check for invalid 1st journal block
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit a149127be52fa7eaf5b3681a0317a2bbb772d5a9 ]
+
+syzbot reported divide error in reiserfs.
+The problem was in incorrect journal 1st block.
+
+Syzbot's reproducer manualy generated wrong superblock
+with incorrect 1st block. In journal_init() wasn't
+any checks about this particular case.
+
+For example, if 1st journal block is before superblock
+1st block, it can cause zeroing important superblock members
+in do_journal_end().
+
+Link: https://lore.kernel.org/r/20210517121545.29645-1-paskripkin@gmail.com
+Reported-by: syzbot+0ba9909df31c6a36974d@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/reiserfs/journal.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/fs/reiserfs/journal.c b/fs/reiserfs/journal.c
+index 4b3e3e73b512..09ad022a78a5 100644
+--- a/fs/reiserfs/journal.c
++++ b/fs/reiserfs/journal.c
+@@ -2763,6 +2763,20 @@ int journal_init(struct super_block *sb, const char *j_dev_name,
+ goto free_and_return;
+ }
+
++ /*
++ * Sanity check to see if journal first block is correct.
++ * If journal first block is invalid it can cause
++ * zeroing important superblock members.
++ */
++ if (!SB_ONDISK_JOURNAL_DEVICE(sb) &&
++ SB_ONDISK_JOURNAL_1st_BLOCK(sb) < SB_JOURNAL_1st_RESERVED_BLOCK(sb)) {
++ reiserfs_warning(sb, "journal-1393",
++ "journal 1st super block is invalid: 1st reserved block %d, but actual 1st block is %d",
++ SB_JOURNAL_1st_RESERVED_BLOCK(sb),
++ SB_ONDISK_JOURNAL_1st_BLOCK(sb));
++ goto free_and_return;
++ }
++
+ if (journal_init_dev(sb, journal, j_dev_name) != 0) {
+ reiserfs_warning(sb, "sh-462",
+ "unable to initialize journal device");
+--
+2.30.2
+
--- /dev/null
+From 351a045deba821602a98224647b1679d9f7e566d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 24 Apr 2021 18:29:59 +0100
+Subject: rtl8xxxu: Fix device info for RTL8192EU devices
+
+From: Pascal Terjan <pterjan@google.com>
+
+[ Upstream commit c240b044edefa3c3af4014a4030e017dd95b59a1 ]
+
+Based on 2001:3319 and 2357:0109 which I used to test the fix and
+0bda:818b and 2357:0108 for which I found efuse dumps online.
+
+== 2357:0109 ==
+=== Before ===
+Vendor: Realtek
+Product: \x03802.11n NI
+Serial:
+=== After ===
+Vendor: Realtek
+Product: 802.11n NIC
+Serial not available.
+
+== 2001:3319 ==
+=== Before ===
+Vendor: Realtek
+Product: Wireless N
+Serial: no USB Adap
+=== After ===
+Vendor: Realtek
+Product: Wireless N Nano USB Adapter
+Serial not available.
+
+Signed-off-by: Pascal Terjan <pterjan@google.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210424172959.1559890-1-pterjan@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/realtek/rtl8xxxu/rtl8xxxu.h | 11 +---
+ .../realtek/rtl8xxxu/rtl8xxxu_8192e.c | 59 +++++++++++++++++--
+ 2 files changed, 56 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h
+index 5e9ce03067de..6858f7de0915 100644
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h
+@@ -853,15 +853,10 @@ struct rtl8192eu_efuse {
+ u8 usb_optional_function;
+ u8 res9[2];
+ u8 mac_addr[ETH_ALEN]; /* 0xd7 */
+- u8 res10[2];
+- u8 vendor_name[7];
+- u8 res11[2];
+- u8 device_name[0x0b]; /* 0xe8 */
+- u8 res12[2];
+- u8 serial[0x0b]; /* 0xf5 */
+- u8 res13[0x30];
++ u8 device_info[80];
++ u8 res11[3];
+ u8 unknown[0x0d]; /* 0x130 */
+- u8 res14[0xc3];
++ u8 res12[0xc3];
+ };
+
+ struct rtl8xxxu_reg8val {
+diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_8192e.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_8192e.c
+index c747f6a1922d..02ca80501c3a 100644
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_8192e.c
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_8192e.c
+@@ -554,9 +554,43 @@ rtl8192e_set_tx_power(struct rtl8xxxu_priv *priv, int channel, bool ht40)
+ }
+ }
+
++static void rtl8192eu_log_next_device_info(struct rtl8xxxu_priv *priv,
++ char *record_name,
++ char *device_info,
++ unsigned int *record_offset)
++{
++ char *record = device_info + *record_offset;
++
++ /* A record is [ total length | 0x03 | value ] */
++ unsigned char l = record[0];
++
++ /*
++ * The whole device info section seems to be 80 characters, make sure
++ * we don't read further.
++ */
++ if (*record_offset + l > 80) {
++ dev_warn(&priv->udev->dev,
++ "invalid record length %d while parsing \"%s\" at offset %u.\n",
++ l, record_name, *record_offset);
++ return;
++ }
++
++ if (l >= 2) {
++ char value[80];
++
++ memcpy(value, &record[2], l - 2);
++ value[l - 2] = '\0';
++ dev_info(&priv->udev->dev, "%s: %s\n", record_name, value);
++ *record_offset = *record_offset + l;
++ } else {
++ dev_info(&priv->udev->dev, "%s not available.\n", record_name);
++ }
++}
++
+ static int rtl8192eu_parse_efuse(struct rtl8xxxu_priv *priv)
+ {
+ struct rtl8192eu_efuse *efuse = &priv->efuse_wifi.efuse8192eu;
++ unsigned int record_offset;
+ int i;
+
+ if (efuse->rtl_id != cpu_to_le16(0x8129))
+@@ -604,12 +638,25 @@ static int rtl8192eu_parse_efuse(struct rtl8xxxu_priv *priv)
+ priv->has_xtalk = 1;
+ priv->xtalk = priv->efuse_wifi.efuse8192eu.xtal_k & 0x3f;
+
+- dev_info(&priv->udev->dev, "Vendor: %.7s\n", efuse->vendor_name);
+- dev_info(&priv->udev->dev, "Product: %.11s\n", efuse->device_name);
+- if (memchr_inv(efuse->serial, 0xff, 11))
+- dev_info(&priv->udev->dev, "Serial: %.11s\n", efuse->serial);
+- else
+- dev_info(&priv->udev->dev, "Serial not available.\n");
++ /*
++ * device_info section seems to be laid out as records
++ * [ total length | 0x03 | value ] so:
++ * - vendor length + 2
++ * - 0x03
++ * - vendor string (not null terminated)
++ * - product length + 2
++ * - 0x03
++ * - product string (not null terminated)
++ * Then there is one or 2 0x00 on all the 4 devices I own or found
++ * dumped online.
++ * As previous version of the code handled an optional serial
++ * string, I now assume there may be a third record if the
++ * length is not 0.
++ */
++ record_offset = 0;
++ rtl8192eu_log_next_device_info(priv, "Vendor", efuse->device_info, &record_offset);
++ rtl8192eu_log_next_device_info(priv, "Product", efuse->device_info, &record_offset);
++ rtl8192eu_log_next_device_info(priv, "Serial", efuse->device_info, &record_offset);
+
+ if (rtl8xxxu_debug & RTL8XXXU_DEBUG_EFUSE) {
+ unsigned char *raw = priv->efuse_wifi.raw;
+--
+2.30.2
+
--- /dev/null
+From 49038b3c92a4e4800763bcf94a98ef51fb00e6b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Jun 2021 16:13:42 -0300
+Subject: sctp: add size validation when walking chunks
+
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+
+[ Upstream commit 50619dbf8db77e98d821d615af4f634d08e22698 ]
+
+The first chunk in a packet is ensured to be present at the beginning of
+sctp_rcv(), as a packet needs to have at least 1 chunk. But the second
+one, may not be completely available and ch->length can be over
+uninitialized memory.
+
+Fix here is by only trying to walk on the next chunk if there is enough to
+hold at least the header, and then proceed with the ch->length validation
+that is already there.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/input.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sctp/input.c b/net/sctp/input.c
+index a84523284777..ab84ebf1af4a 100644
+--- a/net/sctp/input.c
++++ b/net/sctp/input.c
+@@ -1247,7 +1247,7 @@ static struct sctp_association *__sctp_rcv_walk_lookup(struct net *net,
+
+ ch = (struct sctp_chunkhdr *)ch_end;
+ chunk_num++;
+- } while (ch_end < skb_tail_pointer(skb));
++ } while (ch_end + sizeof(*ch) < skb_tail_pointer(skb));
+
+ return asoc;
+ }
+--
+2.30.2
+
--- /dev/null
+From 9124111531eac53b0bfa944e7ed1f37528a79fe8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Jun 2021 16:13:41 -0300
+Subject: sctp: validate from_addr_param return
+
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+
+[ Upstream commit 0c5dc070ff3d6246d22ddd931f23a6266249e3db ]
+
+Ilja reported that, simply putting it, nothing was validating that
+from_addr_param functions were operating on initialized memory. That is,
+the parameter itself was being validated by sctp_walk_params, but it
+doesn't check for types and their specific sizes and it could be a 0-length
+one, causing from_addr_param to potentially work over the next parameter or
+even uninitialized memory.
+
+The fix here is to, in all calls to from_addr_param, check if enough space
+is there for the wanted IP address type.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sctp/structs.h | 2 +-
+ net/sctp/bind_addr.c | 19 +++++++++++--------
+ net/sctp/input.c | 6 ++++--
+ net/sctp/ipv6.c | 7 ++++++-
+ net/sctp/protocol.c | 7 ++++++-
+ net/sctp/sm_make_chunk.c | 29 ++++++++++++++++-------------
+ 6 files changed, 44 insertions(+), 26 deletions(-)
+
+diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
+index 3e8f87a3c52f..fd7c3f76040c 100644
+--- a/include/net/sctp/structs.h
++++ b/include/net/sctp/structs.h
+@@ -466,7 +466,7 @@ struct sctp_af {
+ int saddr);
+ void (*from_sk) (union sctp_addr *,
+ struct sock *sk);
+- void (*from_addr_param) (union sctp_addr *,
++ bool (*from_addr_param) (union sctp_addr *,
+ union sctp_addr_param *,
+ __be16 port, int iif);
+ int (*to_addr_param) (const union sctp_addr *,
+diff --git a/net/sctp/bind_addr.c b/net/sctp/bind_addr.c
+index 701c5a4e441d..a825e74d01fc 100644
+--- a/net/sctp/bind_addr.c
++++ b/net/sctp/bind_addr.c
+@@ -270,22 +270,19 @@ int sctp_raw_to_bind_addrs(struct sctp_bind_addr *bp, __u8 *raw_addr_list,
+ rawaddr = (union sctp_addr_param *)raw_addr_list;
+
+ af = sctp_get_af_specific(param_type2af(param->type));
+- if (unlikely(!af)) {
++ if (unlikely(!af) ||
++ !af->from_addr_param(&addr, rawaddr, htons(port), 0)) {
+ retval = -EINVAL;
+- sctp_bind_addr_clean(bp);
+- break;
++ goto out_err;
+ }
+
+- af->from_addr_param(&addr, rawaddr, htons(port), 0);
+ if (sctp_bind_addr_state(bp, &addr) != -1)
+ goto next;
+ retval = sctp_add_bind_addr(bp, &addr, sizeof(addr),
+ SCTP_ADDR_SRC, gfp);
+- if (retval) {
++ if (retval)
+ /* Can't finish building the list, clean up. */
+- sctp_bind_addr_clean(bp);
+- break;
+- }
++ goto out_err;
+
+ next:
+ len = ntohs(param->length);
+@@ -294,6 +291,12 @@ next:
+ }
+
+ return retval;
++
++out_err:
++ if (retval)
++ sctp_bind_addr_clean(bp);
++
++ return retval;
+ }
+
+ /********************************************************************
+diff --git a/net/sctp/input.c b/net/sctp/input.c
+index 7807754f69c5..a84523284777 100644
+--- a/net/sctp/input.c
++++ b/net/sctp/input.c
+@@ -1131,7 +1131,8 @@ static struct sctp_association *__sctp_rcv_init_lookup(struct net *net,
+ if (!af)
+ continue;
+
+- af->from_addr_param(paddr, params.addr, sh->source, 0);
++ if (!af->from_addr_param(paddr, params.addr, sh->source, 0))
++ continue;
+
+ asoc = __sctp_lookup_association(net, laddr, paddr, transportp);
+ if (asoc)
+@@ -1174,7 +1175,8 @@ static struct sctp_association *__sctp_rcv_asconf_lookup(
+ if (unlikely(!af))
+ return NULL;
+
+- af->from_addr_param(&paddr, param, peer_port, 0);
++ if (af->from_addr_param(&paddr, param, peer_port, 0))
++ return NULL;
+
+ return __sctp_lookup_association(net, laddr, &paddr, transportp);
+ }
+diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
+index 52c92b8d827f..fae6157e837a 100644
+--- a/net/sctp/ipv6.c
++++ b/net/sctp/ipv6.c
+@@ -530,15 +530,20 @@ static void sctp_v6_to_sk_daddr(union sctp_addr *addr, struct sock *sk)
+ }
+
+ /* Initialize a sctp_addr from an address parameter. */
+-static void sctp_v6_from_addr_param(union sctp_addr *addr,
++static bool sctp_v6_from_addr_param(union sctp_addr *addr,
+ union sctp_addr_param *param,
+ __be16 port, int iif)
+ {
++ if (ntohs(param->v6.param_hdr.length) < sizeof(struct sctp_ipv6addr_param))
++ return false;
++
+ addr->v6.sin6_family = AF_INET6;
+ addr->v6.sin6_port = port;
+ addr->v6.sin6_flowinfo = 0; /* BUG */
+ addr->v6.sin6_addr = param->v6.addr;
+ addr->v6.sin6_scope_id = iif;
++
++ return true;
+ }
+
+ /* Initialize an address parameter from a sctp_addr and return the length
+diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c
+index 981c7cbca46a..7f8702abc7bf 100644
+--- a/net/sctp/protocol.c
++++ b/net/sctp/protocol.c
+@@ -253,14 +253,19 @@ static void sctp_v4_to_sk_daddr(union sctp_addr *addr, struct sock *sk)
+ }
+
+ /* Initialize a sctp_addr from an address parameter. */
+-static void sctp_v4_from_addr_param(union sctp_addr *addr,
++static bool sctp_v4_from_addr_param(union sctp_addr *addr,
+ union sctp_addr_param *param,
+ __be16 port, int iif)
+ {
++ if (ntohs(param->v4.param_hdr.length) < sizeof(struct sctp_ipv4addr_param))
++ return false;
++
+ addr->v4.sin_family = AF_INET;
+ addr->v4.sin_port = port;
+ addr->v4.sin_addr.s_addr = param->v4.addr.s_addr;
+ memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero));
++
++ return true;
+ }
+
+ /* Initialize an address parameter from a sctp_addr and return the length
+diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
+index 4ffb9116b6f2..38ca7ce8a44e 100644
+--- a/net/sctp/sm_make_chunk.c
++++ b/net/sctp/sm_make_chunk.c
+@@ -2337,11 +2337,13 @@ int sctp_process_init(struct sctp_association *asoc, struct sctp_chunk *chunk,
+
+ /* Process the initialization parameters. */
+ sctp_walk_params(param, peer_init, init_hdr.params) {
+- if (!src_match && (param.p->type == SCTP_PARAM_IPV4_ADDRESS ||
+- param.p->type == SCTP_PARAM_IPV6_ADDRESS)) {
++ if (!src_match &&
++ (param.p->type == SCTP_PARAM_IPV4_ADDRESS ||
++ param.p->type == SCTP_PARAM_IPV6_ADDRESS)) {
+ af = sctp_get_af_specific(param_type2af(param.p->type));
+- af->from_addr_param(&addr, param.addr,
+- chunk->sctp_hdr->source, 0);
++ if (!af->from_addr_param(&addr, param.addr,
++ chunk->sctp_hdr->source, 0))
++ continue;
+ if (sctp_cmp_addr_exact(sctp_source(chunk), &addr))
+ src_match = 1;
+ }
+@@ -2522,7 +2524,8 @@ static int sctp_process_param(struct sctp_association *asoc,
+ break;
+ do_addr_param:
+ af = sctp_get_af_specific(param_type2af(param.p->type));
+- af->from_addr_param(&addr, param.addr, htons(asoc->peer.port), 0);
++ if (!af->from_addr_param(&addr, param.addr, htons(asoc->peer.port), 0))
++ break;
+ scope = sctp_scope(peer_addr);
+ if (sctp_in_scope(net, &addr, scope))
+ if (!sctp_assoc_add_peer(asoc, &addr, gfp, SCTP_UNCONFIRMED))
+@@ -2623,15 +2626,13 @@ do_addr_param:
+ addr_param = param.v + sizeof(struct sctp_addip_param);
+
+ af = sctp_get_af_specific(param_type2af(addr_param->p.type));
+- if (af == NULL)
++ if (!af)
+ break;
+
+- af->from_addr_param(&addr, addr_param,
+- htons(asoc->peer.port), 0);
++ if (!af->from_addr_param(&addr, addr_param,
++ htons(asoc->peer.port), 0))
++ break;
+
+- /* if the address is invalid, we can't process it.
+- * XXX: see spec for what to do.
+- */
+ if (!af->addr_valid(&addr, NULL, NULL))
+ break;
+
+@@ -3045,7 +3046,8 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc,
+ if (unlikely(!af))
+ return SCTP_ERROR_DNS_FAILED;
+
+- af->from_addr_param(&addr, addr_param, htons(asoc->peer.port), 0);
++ if (!af->from_addr_param(&addr, addr_param, htons(asoc->peer.port), 0))
++ return SCTP_ERROR_DNS_FAILED;
+
+ /* ADDIP 4.2.1 This parameter MUST NOT contain a broadcast
+ * or multicast address.
+@@ -3322,7 +3324,8 @@ static void sctp_asconf_param_success(struct sctp_association *asoc,
+
+ /* We have checked the packet before, so we do not check again. */
+ af = sctp_get_af_specific(param_type2af(addr_param->p.type));
+- af->from_addr_param(&addr, addr_param, htons(bp->port), 0);
++ if (!af->from_addr_param(&addr, addr_param, htons(bp->port), 0))
++ return;
+
+ switch (asconf_param->param_hdr.type) {
+ case SCTP_PARAM_ADD_IP:
+--
+2.30.2
+
--- /dev/null
+From d3b74f36a5b2d62c21783c578391211a4f210994 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jun 2021 09:37:17 -0700
+Subject: selinux: use __GFP_NOWARN with GFP_NOWAIT in the AVC
+
+From: Minchan Kim <minchan@kernel.org>
+
+[ Upstream commit 648f2c6100cfa18e7dfe43bc0b9c3b73560d623c ]
+
+In the field, we have seen lots of allocation failure from the call
+path below.
+
+06-03 13:29:12.999 1010315 31557 31557 W Binder : 31542_2: page allocation failure: order:0, mode:0x800(GFP_NOWAIT), nodemask=(null),cpuset=background,mems_allowed=0
+...
+...
+06-03 13:29:12.999 1010315 31557 31557 W Call trace:
+06-03 13:29:12.999 1010315 31557 31557 W : dump_backtrace.cfi_jt+0x0/0x8
+06-03 13:29:12.999 1010315 31557 31557 W : dump_stack+0xc8/0x14c
+06-03 13:29:12.999 1010315 31557 31557 W : warn_alloc+0x158/0x1c8
+06-03 13:29:12.999 1010315 31557 31557 W : __alloc_pages_slowpath+0x9d8/0xb80
+06-03 13:29:12.999 1010315 31557 31557 W : __alloc_pages_nodemask+0x1c4/0x430
+06-03 13:29:12.999 1010315 31557 31557 W : allocate_slab+0xb4/0x390
+06-03 13:29:12.999 1010315 31557 31557 W : ___slab_alloc+0x12c/0x3a4
+06-03 13:29:12.999 1010315 31557 31557 W : kmem_cache_alloc+0x358/0x5e4
+06-03 13:29:12.999 1010315 31557 31557 W : avc_alloc_node+0x30/0x184
+06-03 13:29:12.999 1010315 31557 31557 W : avc_update_node+0x54/0x4f0
+06-03 13:29:12.999 1010315 31557 31557 W : avc_has_extended_perms+0x1a4/0x460
+06-03 13:29:12.999 1010315 31557 31557 W : selinux_file_ioctl+0x320/0x3d0
+06-03 13:29:12.999 1010315 31557 31557 W : __arm64_sys_ioctl+0xec/0x1fc
+06-03 13:29:12.999 1010315 31557 31557 W : el0_svc_common+0xc0/0x24c
+06-03 13:29:12.999 1010315 31557 31557 W : el0_svc+0x28/0x88
+06-03 13:29:12.999 1010315 31557 31557 W : el0_sync_handler+0x8c/0xf0
+06-03 13:29:12.999 1010315 31557 31557 W : el0_sync+0x1a4/0x1c0
+..
+..
+06-03 13:29:12.999 1010315 31557 31557 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO)
+06-03 13:29:12.999 1010315 31557 31557 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0
+06-03 13:29:12.999 1010315 31557 31557 W node 0 : slabs: 57, objs: 2907, free: 0
+06-03 13:29:12.999 1010161 10686 10686 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO)
+06-03 13:29:12.999 1010161 10686 10686 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0
+06-03 13:29:12.999 1010161 10686 10686 W node 0 : slabs: 57, objs: 2907, free: 0
+06-03 13:29:12.999 1010161 10686 10686 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO)
+06-03 13:29:12.999 1010161 10686 10686 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0
+06-03 13:29:12.999 1010161 10686 10686 W node 0 : slabs: 57, objs: 2907, free: 0
+06-03 13:29:12.999 1010161 10686 10686 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO)
+06-03 13:29:12.999 1010161 10686 10686 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0
+06-03 13:29:12.999 1010161 10686 10686 W node 0 : slabs: 57, objs: 2907, free: 0
+06-03 13:29:13.000 1010161 10686 10686 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO)
+06-03 13:29:13.000 1010161 10686 10686 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0
+06-03 13:29:13.000 1010161 10686 10686 W node 0 : slabs: 57, objs: 2907, free: 0
+06-03 13:29:13.000 1010161 10686 10686 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO)
+06-03 13:29:13.000 1010161 10686 10686 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0
+06-03 13:29:13.000 1010161 10686 10686 W node 0 : slabs: 57, objs: 2907, free: 0
+06-03 13:29:13.000 1010161 10686 10686 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO)
+06-03 13:29:13.000 1010161 10686 10686 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0
+06-03 13:29:13.000 1010161 10686 10686 W node 0 : slabs: 57, objs: 2907, free: 0
+06-03 13:29:13.000 10230 30892 30892 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO)
+06-03 13:29:13.000 10230 30892 30892 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0
+06-03 13:29:13.000 10230 30892 30892 W node 0 : slabs: 57, objs: 2907, free: 0
+06-03 13:29:13.000 10230 30892 30892 W SLUB : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO)
+06-03 13:29:13.000 10230 30892 30892 W cache : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0
+
+Based on [1], selinux is tolerate for failure of memory allocation.
+Then, use __GFP_NOWARN together.
+
+[1] 476accbe2f6e ("selinux: use GFP_NOWAIT in the AVC kmem_caches")
+
+Signed-off-by: Minchan Kim <minchan@kernel.org>
+[PM: subj fix, line wraps, normalized commit refs]
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/selinux/avc.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/security/selinux/avc.c b/security/selinux/avc.c
+index d18cb32a242a..4a744b1cebc8 100644
+--- a/security/selinux/avc.c
++++ b/security/selinux/avc.c
+@@ -294,26 +294,27 @@ static struct avc_xperms_decision_node
+ struct avc_xperms_decision_node *xpd_node;
+ struct extended_perms_decision *xpd;
+
+- xpd_node = kmem_cache_zalloc(avc_xperms_decision_cachep, GFP_NOWAIT);
++ xpd_node = kmem_cache_zalloc(avc_xperms_decision_cachep,
++ GFP_NOWAIT | __GFP_NOWARN);
+ if (!xpd_node)
+ return NULL;
+
+ xpd = &xpd_node->xpd;
+ if (which & XPERMS_ALLOWED) {
+ xpd->allowed = kmem_cache_zalloc(avc_xperms_data_cachep,
+- GFP_NOWAIT);
++ GFP_NOWAIT | __GFP_NOWARN);
+ if (!xpd->allowed)
+ goto error;
+ }
+ if (which & XPERMS_AUDITALLOW) {
+ xpd->auditallow = kmem_cache_zalloc(avc_xperms_data_cachep,
+- GFP_NOWAIT);
++ GFP_NOWAIT | __GFP_NOWARN);
+ if (!xpd->auditallow)
+ goto error;
+ }
+ if (which & XPERMS_DONTAUDIT) {
+ xpd->dontaudit = kmem_cache_zalloc(avc_xperms_data_cachep,
+- GFP_NOWAIT);
++ GFP_NOWAIT | __GFP_NOWARN);
+ if (!xpd->dontaudit)
+ goto error;
+ }
+@@ -341,7 +342,7 @@ static struct avc_xperms_node *avc_xperms_alloc(void)
+ {
+ struct avc_xperms_node *xp_node;
+
+- xp_node = kmem_cache_zalloc(avc_xperms_cachep, GFP_NOWAIT);
++ xp_node = kmem_cache_zalloc(avc_xperms_cachep, GFP_NOWAIT | __GFP_NOWARN);
+ if (!xp_node)
+ return xp_node;
+ INIT_LIST_HEAD(&xp_node->xpd_head);
+@@ -497,7 +498,7 @@ static struct avc_node *avc_alloc_node(struct selinux_avc *avc)
+ {
+ struct avc_node *node;
+
+- node = kmem_cache_zalloc(avc_node_cachep, GFP_NOWAIT);
++ node = kmem_cache_zalloc(avc_node_cachep, GFP_NOWAIT | __GFP_NOWARN);
+ if (!node)
+ goto out;
+
+--
+2.30.2
+
--- /dev/null
+drm-mxsfb-don-t-select-drm_kms_fb_helper.patch
+drm-zte-don-t-select-drm_kms_fb_helper.patch
+drm-amd-amdgpu-sriov-disable-all-ip-hw-status-by-def.patch
+drm-vc4-fix-argument-ordering-in-vc4_crtc_get_margin.patch
+net-pch_gbe-use-proper-accessors-to-be-data-in-pch_p.patch
+drm-amd-display-fix-use_max_lb-flag-for-420-pixel-fo.patch
+hugetlb-clear-huge-pte-during-flush-function-on-mips.patch
+atm-iphase-fix-possible-use-after-free-in-ia_module_.patch
+misdn-fix-possible-use-after-free-in-hfc_cleanup.patch
+atm-nicstar-fix-possible-use-after-free-in-nicstar_c.patch
+net-treat-__napi_schedule_irqoff-as-__napi_schedule-.patch
+drm-mediatek-fix-pm-reference-leak-in-mtk_crtc_ddp_h.patch
+reiserfs-add-check-for-invalid-1st-journal-block.patch
+drm-virtio-fix-double-free-on-probe-failure.patch
+drm-sched-avoid-data-corruptions.patch
+udf-fix-null-pointer-dereference-in-udf_symlink-func.patch
+e100-handle-eeprom-as-little-endian.patch
+igb-handle-vlan-types-with-checker-enabled.patch
+drm-bridge-cdns-fix-pm-reference-leak-in-cdns_dsi_tr.patch
+clk-renesas-r8a77995-add-za2-clock.patch
+clk-tegra-ensure-that-pllu-configuration-is-applied-.patch
+ipv6-use-prandom_u32-for-id-generation.patch
+rdma-cxgb4-fix-missing-error-code-in-create_qp.patch
+dm-space-maps-don-t-reset-space-map-allocation-curso.patch
+pinctrl-mcp23s08-fix-race-condition-in-irq-handler.patch
+ice-set-the-value-of-global-config-lock-timeout-long.patch
+virtio_net-remove-bug-to-avoid-machine-dead.patch
+net-bcmgenet-check-return-value-after-calling-platfo.patch
+net-mvpp2-check-return-value-after-calling-platform_.patch
+net-micrel-check-return-value-after-calling-platform.patch
+net-moxa-use-devm_platform_get_and_ioremap_resource.patch
+drm-amd-display-update-scaling-settings-on-modeset.patch
+drm-amd-display-release-mst-resources-on-switch-from.patch
+drm-amd-display-set-dispclk_max_errdet_cycles-to-7.patch
+drm-amdkfd-use-allowed-domain-for-vmbo-validation.patch
+fjes-check-return-value-after-calling-platform_get_r.patch
+selinux-use-__gfp_nowarn-with-gfp_nowait-in-the-avc.patch
+r8169-avoid-link-up-interrupt-issue-on-rtl8106e-if-u.patch
+drm-amd-display-verify-gamma-degamma-lut-sizes-in-am.patch
+xfrm-fix-error-reporting-in-xfrm_state_construct.patch
+wlcore-wl12xx-fix-wl12xx-get_mac-error-if-device-is-.patch
+wl1251-fix-possible-buffer-overflow-in-wl1251_cmd_sc.patch
+cw1200-add-missing-module_device_table.patch
+bpf-fix-up-register-based-shifts-in-interpreter-to-s.patch
+mt76-mt7615-fix-fixed-rate-tx-status-reporting.patch
+net-fix-mistake-path-for-netdev_features_strings.patch
+net-sched-fix-error-return-code-in-tcf_del_walker.patch
+drm-amdkfd-walk-through-list-with-dqm-lock-hold.patch
+rtl8xxxu-fix-device-info-for-rtl8192eu-devices.patch
+mips-add-pmd-table-accounting-into-mips-pmd_alloc_on.patch
+atm-nicstar-use-dma_free_coherent-instead-of-kfree.patch
+atm-nicstar-register-the-interrupt-handler-in-the-ri.patch
+vsock-notify-server-to-shutdown-when-client-has-pend.patch
+rdma-rxe-don-t-overwrite-errno-from-ib_umem_get.patch
+iwlwifi-mvm-don-t-change-band-on-bound-phy-contexts.patch
+iwlwifi-pcie-free-iml-dma-memory-allocation.patch
+iwlwifi-pcie-fix-context-info-freeing.patch
+sfc-avoid-double-pci_remove-of-vfs.patch
+sfc-error-code-if-sriov-cannot-be-disabled.patch
+wireless-wext-spy-fix-out-of-bounds-warning.patch
+media-bpf-do-not-copy-more-entries-than-user-space-r.patch
+net-ip-avoid-oom-kills-with-large-udp-sends-over-loo.patch
+rdma-cma-fix-rdma_resolve_route-memory-leak.patch
+bluetooth-btusb-fixed-too-many-in-token-issue-for-me.patch
+bluetooth-fix-the-hci-to-mgmt-status-conversion-tabl.patch
+bluetooth-shutdown-controller-after-workqueues-are-f.patch
+bluetooth-btusb-fix-bt-fiwmare-downloading-failure-i.patch
+sctp-validate-from_addr_param-return.patch
+sctp-add-size-validation-when-walking-chunks.patch
+mips-loongsoon64-reserve-memory-below-starting-pfn-t.patch
+mips-set-mips32r5-for-virt-extensions.patch
--- /dev/null
+From 848ef9f08597b3fdc65b79625aae0206a8ca6f38 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jun 2021 17:32:35 +0200
+Subject: sfc: avoid double pci_remove of VFs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Íñigo Huguet <ihuguet@redhat.com>
+
+[ Upstream commit 45423cff1db66cf0993e8a9bd0ac93e740149e49 ]
+
+If pci_remove was called for a PF with VFs, the removal of the VFs was
+called twice from efx_ef10_sriov_fini: one directly with pci_driver->remove
+and another implicit by calling pci_disable_sriov, which also perform
+the VFs remove. This was leading to crashing the kernel on the second
+attempt.
+
+Given that pci_disable_sriov already calls to pci remove function, get
+rid of the direct call to pci_driver->remove from the driver.
+
+2 different ways to trigger the bug:
+- Create one or more VFs, then attach the PF to a virtual machine (at
+ least with qemu/KVM)
+- Create one or more VFs, then remove the PF with:
+ echo 1 > /sys/bus/pci/devices/PF_PCI_ID/remove
+
+Removing sfc module does not trigger the error, at least for me, because
+it removes the VF first, and then the PF.
+
+Example of a log with the error:
+ list_del corruption, ffff967fd20a8ad0->next is LIST_POISON1 (dead000000000100)
+ ------------[ cut here ]------------
+ kernel BUG at lib/list_debug.c:47!
+ [...trimmed...]
+ RIP: 0010:__list_del_entry_valid.cold.1+0x12/0x4c
+ [...trimmed...]
+ Call Trace:
+ efx_dissociate+0x1f/0x140 [sfc]
+ efx_pci_remove+0x27/0x150 [sfc]
+ pci_device_remove+0x3b/0xc0
+ device_release_driver_internal+0x103/0x1f0
+ pci_stop_bus_device+0x69/0x90
+ pci_stop_and_remove_bus_device+0xe/0x20
+ pci_iov_remove_virtfn+0xba/0x120
+ sriov_disable+0x2f/0xe0
+ efx_ef10_pci_sriov_disable+0x52/0x80 [sfc]
+ ? pcie_aer_is_native+0x12/0x40
+ efx_ef10_sriov_fini+0x72/0x110 [sfc]
+ efx_pci_remove+0x62/0x150 [sfc]
+ pci_device_remove+0x3b/0xc0
+ device_release_driver_internal+0x103/0x1f0
+ unbind_store+0xf6/0x130
+ kernfs_fop_write+0x116/0x190
+ vfs_write+0xa5/0x1a0
+ ksys_write+0x4f/0xb0
+ do_syscall_64+0x5b/0x1a0
+ entry_SYSCALL_64_after_hwframe+0x65/0xca
+
+Signed-off-by: Íñigo Huguet <ihuguet@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/sfc/ef10_sriov.c | 10 +---------
+ 1 file changed, 1 insertion(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/sfc/ef10_sriov.c b/drivers/net/ethernet/sfc/ef10_sriov.c
+index 52bd43f45761..695e3508b4d8 100644
+--- a/drivers/net/ethernet/sfc/ef10_sriov.c
++++ b/drivers/net/ethernet/sfc/ef10_sriov.c
+@@ -440,7 +440,6 @@ int efx_ef10_sriov_init(struct efx_nic *efx)
+ void efx_ef10_sriov_fini(struct efx_nic *efx)
+ {
+ struct efx_ef10_nic_data *nic_data = efx->nic_data;
+- unsigned int i;
+ int rc;
+
+ if (!nic_data->vf) {
+@@ -450,14 +449,7 @@ void efx_ef10_sriov_fini(struct efx_nic *efx)
+ return;
+ }
+
+- /* Remove any VFs in the host */
+- for (i = 0; i < efx->vf_count; ++i) {
+- struct efx_nic *vf_efx = nic_data->vf[i].efx;
+-
+- if (vf_efx)
+- vf_efx->pci_dev->driver->remove(vf_efx->pci_dev);
+- }
+-
++ /* Disable SRIOV and remove any VFs in the host */
+ rc = efx_ef10_pci_sriov_disable(efx, true);
+ if (rc)
+ netif_dbg(efx, drv, efx->net_dev,
+--
+2.30.2
+
--- /dev/null
+From cfe78af77ee2bc939703a29dc6db0fe73eafff18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jun 2021 17:32:36 +0200
+Subject: sfc: error code if SRIOV cannot be disabled
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Íñigo Huguet <ihuguet@redhat.com>
+
+[ Upstream commit 1ebe4feb8b442884f5a28d2437040096723dd1ea ]
+
+If SRIOV cannot be disabled during device removal or module unloading,
+return error code so it can be logged properly in the calling function.
+
+Note that this can only happen if any VF is currently attached to a
+guest using Xen, but not with vfio/KVM. Despite that in that case the
+VFs won't work properly with PF removed and/or the module unloaded, I
+have let it as is because I don't know what side effects may have
+changing it, and also it seems to be the same that other drivers are
+doing in this situation.
+
+In the case of being called during SRIOV reconfiguration, the behavior
+hasn't changed because the function is called with force=false.
+
+Signed-off-by: Íñigo Huguet <ihuguet@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/sfc/ef10_sriov.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/sfc/ef10_sriov.c b/drivers/net/ethernet/sfc/ef10_sriov.c
+index 695e3508b4d8..e7c6aa29d323 100644
+--- a/drivers/net/ethernet/sfc/ef10_sriov.c
++++ b/drivers/net/ethernet/sfc/ef10_sriov.c
+@@ -403,12 +403,17 @@ fail1:
+ return rc;
+ }
+
++/* Disable SRIOV and remove VFs
++ * If some VFs are attached to a guest (using Xen, only) nothing is
++ * done if force=false, and vports are freed if force=true (for the non
++ * attachedc ones, only) but SRIOV is not disabled and VFs are not
++ * removed in either case.
++ */
+ static int efx_ef10_pci_sriov_disable(struct efx_nic *efx, bool force)
+ {
+ struct pci_dev *dev = efx->pci_dev;
+- unsigned int vfs_assigned = 0;
+-
+- vfs_assigned = pci_vfs_assigned(dev);
++ unsigned int vfs_assigned = pci_vfs_assigned(dev);
++ int rc = 0;
+
+ if (vfs_assigned && !force) {
+ netif_info(efx, drv, efx->net_dev, "VFs are assigned to guests; "
+@@ -418,10 +423,12 @@ static int efx_ef10_pci_sriov_disable(struct efx_nic *efx, bool force)
+
+ if (!vfs_assigned)
+ pci_disable_sriov(dev);
++ else
++ rc = -EBUSY;
+
+ efx_ef10_sriov_free_vf_vswitching(efx);
+ efx->vf_count = 0;
+- return 0;
++ return rc;
+ }
+
+ int efx_ef10_sriov_configure(struct efx_nic *efx, int num_vfs)
+--
+2.30.2
+
--- /dev/null
+From 49ece004abf4183f7f5a2dcf5ccef274086e55d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 May 2021 12:34:57 +0200
+Subject: udf: Fix NULL pointer dereference in udf_symlink function
+
+From: Arturo Giusti <koredump@protonmail.com>
+
+[ Upstream commit fa236c2b2d4436d9f19ee4e5d5924e90ffd7bb43 ]
+
+In function udf_symlink, epos.bh is assigned with the value returned
+by udf_tgetblk. The function udf_tgetblk is defined in udf/misc.c
+and returns the value of sb_getblk function that could be NULL.
+Then, epos.bh is used without any check, causing a possible
+NULL pointer dereference when sb_getblk fails.
+
+This fix adds a check to validate the value of epos.bh.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=213083
+Signed-off-by: Arturo Giusti <koredump@protonmail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/udf/namei.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/udf/namei.c b/fs/udf/namei.c
+index 77b6d89b9bcd..3c3d3b20889c 100644
+--- a/fs/udf/namei.c
++++ b/fs/udf/namei.c
+@@ -933,6 +933,10 @@ static int udf_symlink(struct inode *dir, struct dentry *dentry,
+ iinfo->i_location.partitionReferenceNum,
+ 0);
+ epos.bh = udf_tgetblk(sb, block);
++ if (unlikely(!epos.bh)) {
++ err = -ENOMEM;
++ goto out_no_entry;
++ }
+ lock_buffer(epos.bh);
+ memset(epos.bh->b_data, 0x00, bsize);
+ set_buffer_uptodate(epos.bh);
+--
+2.30.2
+
--- /dev/null
+From 615868bc535db73535eb3722e23671fc1a42bf90 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Jun 2021 11:31:00 -0400
+Subject: virtio_net: Remove BUG() to avoid machine dead
+
+From: Xianting Tian <xianting.tian@linux.alibaba.com>
+
+[ Upstream commit 85eb1389458d134bdb75dad502cc026c3753a619 ]
+
+We should not directly BUG() when there is hdr error, it is
+better to output a print when such error happens. Currently,
+the caller of xmit_skb() already did it.
+
+Signed-off-by: Xianting Tian <xianting.tian@linux.alibaba.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/virtio_net.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
+index d8ee001d8e8e..5cd55f950032 100644
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -1548,7 +1548,7 @@ static int xmit_skb(struct send_queue *sq, struct sk_buff *skb)
+ if (virtio_net_hdr_from_skb(skb, &hdr->hdr,
+ virtio_is_little_endian(vi->vdev), false,
+ 0))
+- BUG();
++ return -EPROTO;
+
+ if (vi->mergeable_rx_bufs)
+ hdr->num_buffers = 0;
+--
+2.30.2
+
--- /dev/null
+From f44ec38312423f0cfc3c1170419d6f6d316fe1db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jun 2021 14:26:01 +0800
+Subject: vsock: notify server to shutdown when client has pending signal
+
+From: Longpeng(Mike) <longpeng2@huawei.com>
+
+[ Upstream commit c7ff9cff70601ea19245d997bb977344663434c7 ]
+
+The client's sk_state will be set to TCP_ESTABLISHED if the server
+replay the client's connect request.
+
+However, if the client has pending signal, its sk_state will be set
+to TCP_CLOSE without notify the server, so the server will hold the
+corrupt connection.
+
+ client server
+
+1. sk_state=TCP_SYN_SENT |
+2. call ->connect() |
+3. wait reply |
+ | 4. sk_state=TCP_ESTABLISHED
+ | 5. insert to connected list
+ | 6. reply to the client
+7. sk_state=TCP_ESTABLISHED |
+8. insert to connected list |
+9. *signal pending* <--------------------- the user kill client
+10. sk_state=TCP_CLOSE |
+client is exiting... |
+11. call ->release() |
+ virtio_transport_close
+ if (!(sk->sk_state == TCP_ESTABLISHED ||
+ sk->sk_state == TCP_CLOSING))
+ return true; *return at here, the server cannot notice the connection is corrupt*
+
+So the client should notify the peer in this case.
+
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: Jorgen Hansen <jhansen@vmware.com>
+Cc: Norbert Slusarek <nslusarek@gmx.net>
+Cc: Andra Paraschiv <andraprs@amazon.com>
+Cc: Colin Ian King <colin.king@canonical.com>
+Cc: David Brazdil <dbrazdil@google.com>
+Cc: Alexander Popov <alex.popov@linux.com>
+Suggested-by: Stefano Garzarella <sgarzare@redhat.com>
+Link: https://lkml.org/lkml/2021/5/17/418
+Signed-off-by: lixianming <lixianming5@huawei.com>
+Signed-off-by: Longpeng(Mike) <longpeng2@huawei.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/vmw_vsock/af_vsock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
+index c82e7b52ab1f..d4104144bab1 100644
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -1217,7 +1217,7 @@ static int vsock_stream_connect(struct socket *sock, struct sockaddr *addr,
+
+ if (signal_pending(current)) {
+ err = sock_intr_errno(timeout);
+- sk->sk_state = TCP_CLOSE;
++ sk->sk_state = sk->sk_state == TCP_ESTABLISHED ? TCP_CLOSING : TCP_CLOSE;
+ sock->state = SS_UNCONNECTED;
+ vsock_transport_cancel_pkt(vsk);
+ goto out_wait;
+--
+2.30.2
+
--- /dev/null
+From d2562debf9c1e0bb3231f8becd429218cfb192ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Apr 2021 15:00:32 -0500
+Subject: wireless: wext-spy: Fix out-of-bounds warning
+
+From: Gustavo A. R. Silva <gustavoars@kernel.org>
+
+[ Upstream commit e93bdd78406da9ed01554c51e38b2a02c8ef8025 ]
+
+Fix the following out-of-bounds warning:
+
+net/wireless/wext-spy.c:178:2: warning: 'memcpy' offset [25, 28] from the object at 'threshold' is out of the bounds of referenced subobject 'low' with type 'struct iw_quality' at offset 20 [-Warray-bounds]
+
+The problem is that the original code is trying to copy data into a
+couple of struct members adjacent to each other in a single call to
+memcpy(). This causes a legitimate compiler warning because memcpy()
+overruns the length of &threshold.low and &spydata->spy_thr_low. As
+these are just a couple of struct members, fix this by using direct
+assignments, instead of memcpy().
+
+This helps with the ongoing efforts to globally enable -Warray-bounds
+and get us closer to being able to tighten the FORTIFY_SOURCE routines
+on memcpy().
+
+Link: https://github.com/KSPP/linux/issues/109
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/20210422200032.GA168995@embeddedor
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/wext-spy.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/net/wireless/wext-spy.c b/net/wireless/wext-spy.c
+index 33bef22e44e9..b379a0371653 100644
+--- a/net/wireless/wext-spy.c
++++ b/net/wireless/wext-spy.c
+@@ -120,8 +120,8 @@ int iw_handler_set_thrspy(struct net_device * dev,
+ return -EOPNOTSUPP;
+
+ /* Just do it */
+- memcpy(&(spydata->spy_thr_low), &(threshold->low),
+- 2 * sizeof(struct iw_quality));
++ spydata->spy_thr_low = threshold->low;
++ spydata->spy_thr_high = threshold->high;
+
+ /* Clear flag */
+ memset(spydata->spy_thr_under, '\0', sizeof(spydata->spy_thr_under));
+@@ -147,8 +147,8 @@ int iw_handler_get_thrspy(struct net_device * dev,
+ return -EOPNOTSUPP;
+
+ /* Just do it */
+- memcpy(&(threshold->low), &(spydata->spy_thr_low),
+- 2 * sizeof(struct iw_quality));
++ threshold->low = spydata->spy_thr_low;
++ threshold->high = spydata->spy_thr_high;
+
+ return 0;
+ }
+@@ -173,10 +173,10 @@ static void iw_send_thrspy_event(struct net_device * dev,
+ memcpy(threshold.addr.sa_data, address, ETH_ALEN);
+ threshold.addr.sa_family = ARPHRD_ETHER;
+ /* Copy stats */
+- memcpy(&(threshold.qual), wstats, sizeof(struct iw_quality));
++ threshold.qual = *wstats;
+ /* Copy also thresholds */
+- memcpy(&(threshold.low), &(spydata->spy_thr_low),
+- 2 * sizeof(struct iw_quality));
++ threshold.low = spydata->spy_thr_low;
++ threshold.high = spydata->spy_thr_high;
+
+ /* Send event to user space */
+ wireless_send_event(dev, SIOCGIWTHRSPY, &wrqu, (char *) &threshold);
+--
+2.30.2
+
--- /dev/null
+From b118050c0693abbb6c313d7b392d8e01098df114 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Apr 2021 12:55:08 +0100
+Subject: wl1251: Fix possible buffer overflow in wl1251_cmd_scan
+
+From: Lee Gibson <leegib@gmail.com>
+
+[ Upstream commit d10a87a3535cce2b890897914f5d0d83df669c63 ]
+
+Function wl1251_cmd_scan calls memcpy without checking the length.
+Harden by checking the length is within the maximum allowed size.
+
+Signed-off-by: Lee Gibson <leegib@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210428115508.25624-1-leegib@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ti/wl1251/cmd.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/ti/wl1251/cmd.c b/drivers/net/wireless/ti/wl1251/cmd.c
+index 9547aea01b0f..ea0215246c5c 100644
+--- a/drivers/net/wireless/ti/wl1251/cmd.c
++++ b/drivers/net/wireless/ti/wl1251/cmd.c
+@@ -466,9 +466,12 @@ int wl1251_cmd_scan(struct wl1251 *wl, u8 *ssid, size_t ssid_len,
+ cmd->channels[i].channel = channels[i]->hw_value;
+ }
+
+- cmd->params.ssid_len = ssid_len;
+- if (ssid)
+- memcpy(cmd->params.ssid, ssid, ssid_len);
++ if (ssid) {
++ int len = clamp_val(ssid_len, 0, IEEE80211_MAX_SSID_LEN);
++
++ cmd->params.ssid_len = len;
++ memcpy(cmd->params.ssid, ssid, len);
++ }
+
+ ret = wl1251_cmd_send(wl, CMD_SCAN, cmd, sizeof(*cmd));
+ if (ret < 0) {
+--
+2.30.2
+
--- /dev/null
+From ff15d2bad8815a40906e1929d05179cf64183007 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jun 2021 09:28:14 +0300
+Subject: wlcore/wl12xx: Fix wl12xx get_mac error if device is in ELP
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit 11ef6bc846dcdce838f0b00c5f6a562c57e5d43b ]
+
+At least on wl12xx, reading the MAC after boot can fail with a warning
+at drivers/net/wireless/ti/wlcore/sdio.c:78 wl12xx_sdio_raw_read.
+The failed call comes from wl12xx_get_mac() that wlcore_nvs_cb() calls
+after request_firmware_work_func().
+
+After the error, no wireless interface is created. Reloading the wl12xx
+module makes the interface work.
+
+Turns out the wlan controller can be in a low-power ELP state after the
+boot from the bootloader or kexec, and needs to be woken up first.
+
+Let's wake the hardware and add a sleep after that similar to
+wl12xx_pre_boot() is already doing.
+
+Note that a similar issue could exist for wl18xx, but I have not seen it
+so far. And a search for wl18xx_get_mac and wl12xx_sdio_raw_read did not
+produce similar errors.
+
+Cc: Carl Philipp Klemm <philipp@uvos.xyz>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210603062814.19464-1-tony@atomide.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ti/wl12xx/main.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/net/wireless/ti/wl12xx/main.c b/drivers/net/wireless/ti/wl12xx/main.c
+index 9d7dbfe7fe0c..c6da0cfb4afb 100644
+--- a/drivers/net/wireless/ti/wl12xx/main.c
++++ b/drivers/net/wireless/ti/wl12xx/main.c
+@@ -1503,6 +1503,13 @@ static int wl12xx_get_fuse_mac(struct wl1271 *wl)
+ u32 mac1, mac2;
+ int ret;
+
++ /* Device may be in ELP from the bootloader or kexec */
++ ret = wlcore_write32(wl, WL12XX_WELP_ARM_COMMAND, WELP_ARM_COMMAND_VAL);
++ if (ret < 0)
++ goto out;
++
++ usleep_range(500000, 700000);
++
+ ret = wlcore_set_partition(wl, &wl->ptable[PART_DRPW]);
+ if (ret < 0)
+ goto out;
+--
+2.30.2
+
--- /dev/null
+From 738f1e01884d5a0eaf869e60eebfe339ac3ef009 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Jun 2021 15:21:49 +0200
+Subject: xfrm: Fix error reporting in xfrm_state_construct.
+
+From: Steffen Klassert <steffen.klassert@secunet.com>
+
+[ Upstream commit 6fd06963fa74197103cdbb4b494763127b3f2f34 ]
+
+When memory allocation for XFRMA_ENCAP or XFRMA_COADDR fails,
+the error will not be reported because the -ENOMEM assignment
+to the err variable is overwritten before. Fix this by moving
+these two in front of the function so that memory allocation
+failures will be reported.
+
+Reported-by: Tobias Brunner <tobias@strongswan.org>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_user.c | 28 ++++++++++++++--------------
+ 1 file changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index fbb7d9d06478..0cee2d3c6e45 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -580,6 +580,20 @@ static struct xfrm_state *xfrm_state_construct(struct net *net,
+
+ copy_from_user_state(x, p);
+
++ if (attrs[XFRMA_ENCAP]) {
++ x->encap = kmemdup(nla_data(attrs[XFRMA_ENCAP]),
++ sizeof(*x->encap), GFP_KERNEL);
++ if (x->encap == NULL)
++ goto error;
++ }
++
++ if (attrs[XFRMA_COADDR]) {
++ x->coaddr = kmemdup(nla_data(attrs[XFRMA_COADDR]),
++ sizeof(*x->coaddr), GFP_KERNEL);
++ if (x->coaddr == NULL)
++ goto error;
++ }
++
+ if (attrs[XFRMA_SA_EXTRA_FLAGS])
+ x->props.extra_flags = nla_get_u32(attrs[XFRMA_SA_EXTRA_FLAGS]);
+
+@@ -600,23 +614,9 @@ static struct xfrm_state *xfrm_state_construct(struct net *net,
+ attrs[XFRMA_ALG_COMP])))
+ goto error;
+
+- if (attrs[XFRMA_ENCAP]) {
+- x->encap = kmemdup(nla_data(attrs[XFRMA_ENCAP]),
+- sizeof(*x->encap), GFP_KERNEL);
+- if (x->encap == NULL)
+- goto error;
+- }
+-
+ if (attrs[XFRMA_TFCPAD])
+ x->tfcpad = nla_get_u32(attrs[XFRMA_TFCPAD]);
+
+- if (attrs[XFRMA_COADDR]) {
+- x->coaddr = kmemdup(nla_data(attrs[XFRMA_COADDR]),
+- sizeof(*x->coaddr), GFP_KERNEL);
+- if (x->coaddr == NULL)
+- goto error;
+- }
+-
+ xfrm_mark_get(attrs, &x->mark);
+
+ xfrm_smark_init(attrs, &x->props.smark);
+--
+2.30.2
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
