--- /dev/null
+From 2b4eb4f337e5fdc7212102018ebcb62d2afd92bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Sep 2021 15:49:40 +0200
+Subject: ARM: imx6: disable the GIC CPU interface before calling stby-poweroff
+ sequence
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+[ Upstream commit 783f3db030563f7bcdfe2d26428af98ea1699a8e ]
+
+Any pending interrupt can prevent entering standby based power off state.
+To avoid it, disable the GIC CPU interface.
+
+Fixes: 8148d2136002 ("ARM: imx6: register pm_power_off handler if "fsl,pmic-stby-poweroff" is set")
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-imx/pm-imx6.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm/mach-imx/pm-imx6.c b/arch/arm/mach-imx/pm-imx6.c
+index 4bfefbec971a..c3ca6e2cf7ff 100644
+--- a/arch/arm/mach-imx/pm-imx6.c
++++ b/arch/arm/mach-imx/pm-imx6.c
+@@ -15,6 +15,7 @@
+ #include <linux/io.h>
+ #include <linux/irq.h>
+ #include <linux/genalloc.h>
++#include <linux/irqchip/arm-gic.h>
+ #include <linux/mfd/syscon.h>
+ #include <linux/mfd/syscon/imx6q-iomuxc-gpr.h>
+ #include <linux/of.h>
+@@ -622,6 +623,7 @@ static void __init imx6_pm_common_init(const struct imx6_pm_socdata
+
+ static void imx6_pm_stby_poweroff(void)
+ {
++ gic_cpu_if_down(0);
+ imx6_set_lpm(STOP_POWER_OFF);
+ imx6q_suspend_finish(0);
+
+--
+2.33.0
+
--- /dev/null
+From 304244412443f6513ebac8d4d3f95845011d9ad7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Sep 2021 11:13:10 +0200
+Subject: bpf, arm: Fix register clobbering in div/mod implementation
+
+From: Johan Almbladh <johan.almbladh@anyfinetworks.com>
+
+[ Upstream commit 79e3445b38e0cab94264a3894c0c3d57c930b97e ]
+
+On ARM CPUs that lack div/mod instructions, ALU32 BPF_DIV and BPF_MOD are
+implemented using a call to a helper function. Before, the emitted code
+for those function calls failed to preserve caller-saved ARM registers.
+Since some of those registers happen to be mapped to BPF registers, it
+resulted in eBPF register values being overwritten.
+
+This patch emits code to push and pop the remaining caller-saved ARM
+registers r2-r3 into the stack during the div/mod function call. ARM
+registers r0-r1 are used as arguments and return value, and those were
+already saved and restored correctly.
+
+Fixes: 39c13c204bb1 ("arm: eBPF JIT compiler")
+Signed-off-by: Johan Almbladh <johan.almbladh@anyfinetworks.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/net/bpf_jit_32.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/arch/arm/net/bpf_jit_32.c b/arch/arm/net/bpf_jit_32.c
+index 79b12e744537..dade3a3ba666 100644
+--- a/arch/arm/net/bpf_jit_32.c
++++ b/arch/arm/net/bpf_jit_32.c
+@@ -39,6 +39,10 @@
+ * +-----+
+ * |RSVD | JIT scratchpad
+ * current ARM_SP => +-----+ <= (BPF_FP - STACK_SIZE + SCRATCH_SIZE)
++ * | ... | caller-saved registers
++ * +-----+
++ * | ... | arguments passed on stack
++ * ARM_SP during call => +-----|
+ * | |
+ * | ... | Function call stack
+ * | |
+@@ -66,6 +70,12 @@
+ *
+ * When popping registers off the stack at the end of a BPF function, we
+ * reference them via the current ARM_FP register.
++ *
++ * Some eBPF operations are implemented via a call to a helper function.
++ * Such calls are "invisible" in the eBPF code, so it is up to the calling
++ * program to preserve any caller-saved ARM registers during the call. The
++ * JIT emits code to push and pop those registers onto the stack, immediately
++ * above the callee stack frame.
+ */
+ #define CALLEE_MASK (1 << ARM_R4 | 1 << ARM_R5 | 1 << ARM_R6 | \
+ 1 << ARM_R7 | 1 << ARM_R8 | 1 << ARM_R9 | \
+@@ -73,6 +83,8 @@
+ #define CALLEE_PUSH_MASK (CALLEE_MASK | 1 << ARM_LR)
+ #define CALLEE_POP_MASK (CALLEE_MASK | 1 << ARM_PC)
+
++#define CALLER_MASK (1 << ARM_R0 | 1 << ARM_R1 | 1 << ARM_R2 | 1 << ARM_R3)
++
+ enum {
+ /* Stack layout - these are offsets from (top of stack - 4) */
+ BPF_R2_HI,
+@@ -467,6 +479,7 @@ static inline int epilogue_offset(const struct jit_ctx *ctx)
+
+ static inline void emit_udivmod(u8 rd, u8 rm, u8 rn, struct jit_ctx *ctx, u8 op)
+ {
++ const int exclude_mask = BIT(ARM_R0) | BIT(ARM_R1);
+ const s8 *tmp = bpf2a32[TMP_REG_1];
+
+ #if __LINUX_ARM_ARCH__ == 7
+@@ -498,11 +511,17 @@ static inline void emit_udivmod(u8 rd, u8 rm, u8 rn, struct jit_ctx *ctx, u8 op)
+ emit(ARM_MOV_R(ARM_R0, rm), ctx);
+ }
+
++ /* Push caller-saved registers on stack */
++ emit(ARM_PUSH(CALLER_MASK & ~exclude_mask), ctx);
++
+ /* Call appropriate function */
+ emit_mov_i(ARM_IP, op == BPF_DIV ?
+ (u32)jit_udiv32 : (u32)jit_mod32, ctx);
+ emit_blx_r(ARM_IP, ctx);
+
++ /* Restore caller-saved registers from stack */
++ emit(ARM_POP(CALLER_MASK & ~exclude_mask), ctx);
++
+ /* Save return value */
+ if (rd != ARM_R0)
+ emit(ARM_MOV_R(rd, ARM_R0), ctx);
+--
+2.33.0
+
--- /dev/null
+From 61a8e4d1dadc13fcd008d176f87340d16445161e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Sep 2021 22:55:45 +0900
+Subject: bpf: Fix integer overflow in prealloc_elems_and_freelist()
+
+From: Tatsuhiko Yasumatsu <th.yasumatsu@gmail.com>
+
+[ Upstream commit 30e29a9a2bc6a4888335a6ede968b75cd329657a ]
+
+In prealloc_elems_and_freelist(), the multiplication to calculate the
+size passed to bpf_map_area_alloc() could lead to an integer overflow.
+As a result, out-of-bounds write could occur in pcpu_freelist_populate()
+as reported by KASAN:
+
+[...]
+[ 16.968613] BUG: KASAN: slab-out-of-bounds in pcpu_freelist_populate+0xd9/0x100
+[ 16.969408] Write of size 8 at addr ffff888104fc6ea0 by task crash/78
+[ 16.970038]
+[ 16.970195] CPU: 0 PID: 78 Comm: crash Not tainted 5.15.0-rc2+ #1
+[ 16.970878] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
+[ 16.972026] Call Trace:
+[ 16.972306] dump_stack_lvl+0x34/0x44
+[ 16.972687] print_address_description.constprop.0+0x21/0x140
+[ 16.973297] ? pcpu_freelist_populate+0xd9/0x100
+[ 16.973777] ? pcpu_freelist_populate+0xd9/0x100
+[ 16.974257] kasan_report.cold+0x7f/0x11b
+[ 16.974681] ? pcpu_freelist_populate+0xd9/0x100
+[ 16.975190] pcpu_freelist_populate+0xd9/0x100
+[ 16.975669] stack_map_alloc+0x209/0x2a0
+[ 16.976106] __sys_bpf+0xd83/0x2ce0
+[...]
+
+The possibility of this overflow was originally discussed in [0], but
+was overlooked.
+
+Fix the integer overflow by changing elem_size to u64 from u32.
+
+ [0] https://lore.kernel.org/bpf/728b238e-a481-eb50-98e9-b0f430ab01e7@gmail.com/
+
+Fixes: 557c0c6e7df8 ("bpf: convert stackmap to pre-allocation")
+Signed-off-by: Tatsuhiko Yasumatsu <th.yasumatsu@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20210930135545.173698-1-th.yasumatsu@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/stackmap.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c
+index a47d623f59fe..92310b07cb98 100644
+--- a/kernel/bpf/stackmap.c
++++ b/kernel/bpf/stackmap.c
+@@ -63,7 +63,8 @@ static inline int stack_map_data_size(struct bpf_map *map)
+
+ static int prealloc_elems_and_freelist(struct bpf_stack_map *smap)
+ {
+- u32 elem_size = sizeof(struct stack_map_bucket) + smap->map.value_size;
++ u64 elem_size = sizeof(struct stack_map_bucket) +
++ (u64)smap->map.value_size;
+ int err;
+
+ smap->elems = bpf_map_area_alloc(elem_size * smap->map.max_entries,
+--
+2.33.0
+
--- /dev/null
+From f2bc8b1971a40899d35d82eab1df1aef9a81cc9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 11 Sep 2021 15:50:23 +0800
+Subject: drm/nouveau/debugfs: fix file release memory leak
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit f5a8703a9c418c6fc54eb772712dfe7641e3991c ]
+
+When using single_open() for opening, single_release() should be
+called, otherwise the 'op' allocated in single_open() will be leaked.
+
+Fixes: 6e9fc177399f ("drm/nouveau/debugfs: add copy of sysfs pstate interface ported to debugfs")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Karol Herbst <kherbst@redhat.com>
+Signed-off-by: Karol Herbst <kherbst@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210911075023.3969054-2-yangyingliang@huawei.com
+Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/nouveau/nouveau_debugfs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/nouveau/nouveau_debugfs.c b/drivers/gpu/drm/nouveau/nouveau_debugfs.c
+index 4561a786fab0..cce4833a6083 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_debugfs.c
++++ b/drivers/gpu/drm/nouveau/nouveau_debugfs.c
+@@ -185,6 +185,7 @@ static const struct file_operations nouveau_pstate_fops = {
+ .open = nouveau_debugfs_pstate_open,
+ .read = seq_read,
+ .write = nouveau_debugfs_pstate_set,
++ .release = single_release,
+ };
+
+ static struct drm_info_list nouveau_debugfs_list[] = {
+--
+2.33.0
+
--- /dev/null
+From 0750fe0f25232634e6bb651b76959ae2068adb8b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Sep 2021 10:54:42 +0200
+Subject: i40e: fix endless loop under rtnl
+
+From: Jiri Benc <jbenc@redhat.com>
+
+[ Upstream commit 857b6c6f665cca9828396d9743faf37fd09e9ac3 ]
+
+The loop in i40e_get_capabilities can never end. The problem is that
+although i40e_aq_discover_capabilities returns with an error if there's
+a firmware problem, the returned error is not checked. There is a check for
+pf->hw.aq.asq_last_status but that value is set to I40E_AQ_RC_OK on most
+firmware problems.
+
+When i40e_aq_discover_capabilities encounters a firmware problem, it will
+encounter the same problem on its next invocation. As the result, the loop
+becomes endless. We hit this with I40E_ERR_ADMIN_QUEUE_TIMEOUT but looking
+at the code, it can happen with a range of other firmware errors.
+
+I don't know what the correct behavior should be: whether the firmware
+should be retried a few times, or whether pf->hw.aq.asq_last_status should
+be always set to the encountered firmware error (but then it would be
+pointless and can be just replaced by the i40e_aq_discover_capabilities
+return value). However, the current behavior with an endless loop under the
+rtnl mutex(!) is unacceptable and Intel has not submitted a fix, although we
+explained the bug to them 7 months ago.
+
+This may not be the best possible fix but it's better than hanging the whole
+system on a firmware bug.
+
+Fixes: 56a62fc86895 ("i40e: init code and hardware support")
+Tested-by: Stefan Assmann <sassmann@redhat.com>
+Signed-off-by: Jiri Benc <jbenc@redhat.com>
+Reviewed-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Tested-by: Dave Switzer <david.switzer@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index 246734be5177..8f7d3af75ed6 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -9068,7 +9068,7 @@ static int i40e_get_capabilities(struct i40e_pf *pf,
+ if (pf->hw.aq.asq_last_status == I40E_AQ_RC_ENOMEM) {
+ /* retry with a larger buffer */
+ buf_len = data_size;
+- } else if (pf->hw.aq.asq_last_status != I40E_AQ_RC_OK) {
++ } else if (pf->hw.aq.asq_last_status != I40E_AQ_RC_OK || err) {
+ dev_info(&pf->pdev->dev,
+ "capability discovery failed, err %s aq_err %s\n",
+ i40e_stat_str(&pf->hw, err),
+--
+2.33.0
+
--- /dev/null
+From 54630ccca750a8ff1bb6d21026e036b2b0eacd63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Sep 2021 11:40:41 +0200
+Subject: i40e: Fix freeing of uninitialized misc IRQ vector
+
+From: Sylwester Dziedziuch <sylwesterx.dziedziuch@intel.com>
+
+[ Upstream commit 2e5a20573a926302b233b0c2e1077f5debc7ab2e ]
+
+When VSI set up failed in i40e_probe() as part of PF switch set up
+driver was trying to free misc IRQ vectors in
+i40e_clear_interrupt_scheme and produced a kernel Oops:
+
+ Trying to free already-free IRQ 266
+ WARNING: CPU: 0 PID: 5 at kernel/irq/manage.c:1731 __free_irq+0x9a/0x300
+ Workqueue: events work_for_cpu_fn
+ RIP: 0010:__free_irq+0x9a/0x300
+ Call Trace:
+ ? synchronize_irq+0x3a/0xa0
+ free_irq+0x2e/0x60
+ i40e_clear_interrupt_scheme+0x53/0x190 [i40e]
+ i40e_probe.part.108+0x134b/0x1a40 [i40e]
+ ? kmem_cache_alloc+0x158/0x1c0
+ ? acpi_ut_update_ref_count.part.1+0x8e/0x345
+ ? acpi_ut_update_object_reference+0x15e/0x1e2
+ ? strstr+0x21/0x70
+ ? irq_get_irq_data+0xa/0x20
+ ? mp_check_pin_attr+0x13/0xc0
+ ? irq_get_irq_data+0xa/0x20
+ ? mp_map_pin_to_irq+0xd3/0x2f0
+ ? acpi_register_gsi_ioapic+0x93/0x170
+ ? pci_conf1_read+0xa4/0x100
+ ? pci_bus_read_config_word+0x49/0x70
+ ? do_pci_enable_device+0xcc/0x100
+ local_pci_probe+0x41/0x90
+ work_for_cpu_fn+0x16/0x20
+ process_one_work+0x1a7/0x360
+ worker_thread+0x1cf/0x390
+ ? create_worker+0x1a0/0x1a0
+ kthread+0x112/0x130
+ ? kthread_flush_work_fn+0x10/0x10
+ ret_from_fork+0x1f/0x40
+
+The problem is that at that point misc IRQ vectors
+were not allocated yet and we get a call trace
+that driver is trying to free already free IRQ vectors.
+
+Add a check in i40e_clear_interrupt_scheme for __I40E_MISC_IRQ_REQUESTED
+PF state before calling i40e_free_misc_vector. This state is set only if
+misc IRQ vectors were properly initialized.
+
+Fixes: c17401a1dd21 ("i40e: use separate state bit for miscellaneous IRQ setup")
+Reported-by: PJ Waskiewicz <pwaskiewicz@jumptrading.com>
+Signed-off-by: Sylwester Dziedziuch <sylwesterx.dziedziuch@intel.com>
+Signed-off-by: Mateusz Palczewski <mateusz.palczewski@intel.com>
+Tested-by: Dave Switzer <david.switzer@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index 8f7d3af75ed6..062b94251782 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -4724,7 +4724,8 @@ static void i40e_clear_interrupt_scheme(struct i40e_pf *pf)
+ {
+ int i;
+
+- i40e_free_misc_vector(pf);
++ if (test_bit(__I40E_MISC_IRQ_REQUESTED, pf->state))
++ i40e_free_misc_vector(pf);
+
+ i40e_put_lump(pf->irq_pile, pf->iwarp_base_vector,
+ I40E_IWARP_IRQ_PILE_ID);
+--
+2.33.0
+
--- /dev/null
+From 8bb09e39e955baaaef74590738bc30bb29efb102 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Oct 2021 18:05:07 -0700
+Subject: net: bridge: use nla_total_size_64bit() in br_get_linkxstats_size()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit dbe0b88064494b7bb6a9b2aa7e085b14a3112d44 ]
+
+bridge_fill_linkxstats() is using nla_reserve_64bit().
+
+We must use nla_total_size_64bit() instead of nla_total_size()
+for corresponding data structure.
+
+Fixes: 1080ab95e3c7 ("net: bridge: add support for IGMP/MLD stats and export them via netlink")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Nikolay Aleksandrov <nikolay@nvidia.com>
+Cc: Vivien Didelot <vivien.didelot@gmail.com>
+Acked-by: Nikolay Aleksandrov <nikolay@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_netlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
+index ec2b58a09f76..c00cb376263a 100644
+--- a/net/bridge/br_netlink.c
++++ b/net/bridge/br_netlink.c
+@@ -1511,7 +1511,7 @@ static size_t br_get_linkxstats_size(const struct net_device *dev, int attr)
+ }
+
+ return numvls * nla_total_size(sizeof(struct bridge_vlan_xstats)) +
+- nla_total_size(sizeof(struct br_mcast_stats)) +
++ nla_total_size_64bit(sizeof(struct br_mcast_stats)) +
+ nla_total_size(0);
+ }
+
+--
+2.33.0
+
--- /dev/null
+From 67d169c1357c59ee756ee447ced7fb3a9a1f617f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Oct 2021 17:50:02 -0400
+Subject: net: sfp: Fix typo in state machine debug string
+
+From: Sean Anderson <sean.anderson@seco.com>
+
+[ Upstream commit 25a9da6641f1f66006e93ddbefee13a437efa8c0 ]
+
+The string should be "tx_disable" to match the state enum.
+
+Fixes: 4005a7cb4f55 ("net: phy: sftp: print debug message with text, not numbers")
+Signed-off-by: Sean Anderson <sean.anderson@seco.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/sfp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/phy/sfp.c b/drivers/net/phy/sfp.c
+index 47d518e6d5d4..71bafc8f5ed0 100644
+--- a/drivers/net/phy/sfp.c
++++ b/drivers/net/phy/sfp.c
+@@ -113,7 +113,7 @@ static const char * const sm_state_strings[] = {
+ [SFP_S_LINK_UP] = "link_up",
+ [SFP_S_TX_FAULT] = "tx_fault",
+ [SFP_S_REINIT] = "reinit",
+- [SFP_S_TX_DISABLE] = "rx_disable",
++ [SFP_S_TX_DISABLE] = "tx_disable",
+ };
+
+ static const char *sm_state_to_str(unsigned short sm_state)
+--
+2.33.0
+
--- /dev/null
+From 9846da773afe33332590b188563b1a58e89b5e32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Sep 2021 14:22:39 -0700
+Subject: net_sched: fix NULL deref in fifo_set_limit()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 560ee196fe9e5037e5015e2cdb14b3aecb1cd7dc ]
+
+syzbot reported another NULL deref in fifo_set_limit() [1]
+
+I could repro the issue with :
+
+unshare -n
+tc qd add dev lo root handle 1:0 tbf limit 200000 burst 70000 rate 100Mbit
+tc qd replace dev lo parent 1:0 pfifo_fast
+tc qd change dev lo root handle 1:0 tbf limit 300000 burst 70000 rate 100Mbit
+
+pfifo_fast does not have a change() operation.
+Make fifo_set_limit() more robust about this.
+
+[1]
+BUG: kernel NULL pointer dereference, address: 0000000000000000
+PGD 1cf99067 P4D 1cf99067 PUD 7ca49067 PMD 0
+Oops: 0010 [#1] PREEMPT SMP KASAN
+CPU: 1 PID: 14443 Comm: syz-executor959 Not tainted 5.15.0-rc3-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:0x0
+Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
+RSP: 0018:ffffc9000e2f7310 EFLAGS: 00010246
+RAX: dffffc0000000000 RBX: ffffffff8d6ecc00 RCX: 0000000000000000
+RDX: 0000000000000000 RSI: ffff888024c27910 RDI: ffff888071e34000
+RBP: ffff888071e34000 R08: 0000000000000001 R09: ffffffff8fcfb947
+R10: 0000000000000001 R11: 0000000000000000 R12: ffff888024c27910
+R13: ffff888071e34018 R14: 0000000000000000 R15: ffff88801ef74800
+FS: 00007f321d897700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffffffffffffd6 CR3: 00000000722c3000 CR4: 00000000003506e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ fifo_set_limit net/sched/sch_fifo.c:242 [inline]
+ fifo_set_limit+0x198/0x210 net/sched/sch_fifo.c:227
+ tbf_change+0x6ec/0x16d0 net/sched/sch_tbf.c:418
+ qdisc_change net/sched/sch_api.c:1332 [inline]
+ tc_modify_qdisc+0xd9a/0x1a60 net/sched/sch_api.c:1634
+ rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5572
+ netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2504
+ netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]
+ netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1340
+ netlink_sendmsg+0x86d/0xdb0 net/netlink/af_netlink.c:1929
+ sock_sendmsg_nosec net/socket.c:704 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:724
+ ____sys_sendmsg+0x6e8/0x810 net/socket.c:2409
+ ___sys_sendmsg+0xf3/0x170 net/socket.c:2463
+ __sys_sendmsg+0xe5/0x1b0 net/socket.c:2492
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Fixes: fb0305ce1b03 ("net-sched: consolidate default fifo qdisc setup")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Link: https://lore.kernel.org/r/20210930212239.3430364-1-eric.dumazet@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_fifo.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/sched/sch_fifo.c b/net/sched/sch_fifo.c
+index 24893d3b5d22..bcd3ca97caea 100644
+--- a/net/sched/sch_fifo.c
++++ b/net/sched/sch_fifo.c
+@@ -152,6 +152,9 @@ int fifo_set_limit(struct Qdisc *q, unsigned int limit)
+ if (strncmp(q->ops->id + 1, "fifo", 4) != 0)
+ return 0;
+
++ if (!q->ops->change)
++ return 0;
++
+ nla = kmalloc(nla_attr_size(sizeof(struct tc_fifo_qopt)), GFP_KERNEL);
+ if (nla) {
+ nla->nla_type = RTM_NEWQDISC;
+--
+2.33.0
+
--- /dev/null
+From 620f7fa101cfb312d9c5722e3d228740b53f8454 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Oct 2021 14:24:15 -0700
+Subject: netlink: annotate data races around nlk->bound
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 7707a4d01a648e4c655101a469c956cb11273655 ]
+
+While existing code is correct, KCSAN is reporting
+a data-race in netlink_insert / netlink_sendmsg [1]
+
+It is correct to read nlk->bound without a lock, as netlink_autobind()
+will acquire all needed locks.
+
+[1]
+BUG: KCSAN: data-race in netlink_insert / netlink_sendmsg
+
+write to 0xffff8881031c8b30 of 1 bytes by task 18752 on cpu 0:
+ netlink_insert+0x5cc/0x7f0 net/netlink/af_netlink.c:597
+ netlink_autobind+0xa9/0x150 net/netlink/af_netlink.c:842
+ netlink_sendmsg+0x479/0x7c0 net/netlink/af_netlink.c:1892
+ sock_sendmsg_nosec net/socket.c:703 [inline]
+ sock_sendmsg net/socket.c:723 [inline]
+ ____sys_sendmsg+0x360/0x4d0 net/socket.c:2392
+ ___sys_sendmsg net/socket.c:2446 [inline]
+ __sys_sendmsg+0x1ed/0x270 net/socket.c:2475
+ __do_sys_sendmsg net/socket.c:2484 [inline]
+ __se_sys_sendmsg net/socket.c:2482 [inline]
+ __x64_sys_sendmsg+0x42/0x50 net/socket.c:2482
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+read to 0xffff8881031c8b30 of 1 bytes by task 18751 on cpu 1:
+ netlink_sendmsg+0x270/0x7c0 net/netlink/af_netlink.c:1891
+ sock_sendmsg_nosec net/socket.c:703 [inline]
+ sock_sendmsg net/socket.c:723 [inline]
+ __sys_sendto+0x2a8/0x370 net/socket.c:2019
+ __do_sys_sendto net/socket.c:2031 [inline]
+ __se_sys_sendto net/socket.c:2027 [inline]
+ __x64_sys_sendto+0x74/0x90 net/socket.c:2027
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+value changed: 0x00 -> 0x01
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 18751 Comm: syz-executor.0 Not tainted 5.14.0-rc1-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Fixes: da314c9923fe ("netlink: Replace rhash_portid with bound")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netlink/af_netlink.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index b0fd268ed65e..dd4e4289d0d2 100644
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -599,7 +599,10 @@ static int netlink_insert(struct sock *sk, u32 portid)
+
+ /* We need to ensure that the socket is hashed and visible. */
+ smp_wmb();
+- nlk_sk(sk)->bound = portid;
++ /* Paired with lockless reads from netlink_bind(),
++ * netlink_connect() and netlink_sendmsg().
++ */
++ WRITE_ONCE(nlk_sk(sk)->bound, portid);
+
+ err:
+ release_sock(sk);
+@@ -1018,7 +1021,8 @@ static int netlink_bind(struct socket *sock, struct sockaddr *addr,
+ else if (nlk->ngroups < 8*sizeof(groups))
+ groups &= (1UL << nlk->ngroups) - 1;
+
+- bound = nlk->bound;
++ /* Paired with WRITE_ONCE() in netlink_insert() */
++ bound = READ_ONCE(nlk->bound);
+ if (bound) {
+ /* Ensure nlk->portid is up-to-date. */
+ smp_rmb();
+@@ -1104,8 +1108,9 @@ static int netlink_connect(struct socket *sock, struct sockaddr *addr,
+
+ /* No need for barriers here as we return to user-space without
+ * using any of the bound attributes.
++ * Paired with WRITE_ONCE() in netlink_insert().
+ */
+- if (!nlk->bound)
++ if (!READ_ONCE(nlk->bound))
+ err = netlink_autobind(sock);
+
+ if (err == 0) {
+@@ -1870,7 +1875,8 @@ static int netlink_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
+ dst_group = nlk->dst_group;
+ }
+
+- if (!nlk->bound) {
++ /* Paired with WRITE_ONCE() in netlink_insert() */
++ if (!READ_ONCE(nlk->bound)) {
+ err = netlink_autobind(sock);
+ if (err)
+ goto out;
+--
+2.33.0
+
--- /dev/null
+From e211785555ac532435e97e45e63bf0b3b5e3c622 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Sep 2021 20:50:28 +0300
+Subject: phy: mdio: fix memory leak
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit ca6e11c337daf7925ff8a2aac8e84490a8691905 ]
+
+Syzbot reported memory leak in MDIO bus interface, the problem was in
+wrong state logic.
+
+MDIOBUS_ALLOCATED indicates 2 states:
+ 1. Bus is only allocated
+ 2. Bus allocated and __mdiobus_register() fails, but
+ device_register() was called
+
+In case of device_register() has been called we should call put_device()
+to correctly free the memory allocated for this device, but mdiobus_free()
+calls just kfree(dev) in case of MDIOBUS_ALLOCATED state
+
+To avoid this behaviour we need to set bus->state to MDIOBUS_UNREGISTERED
+_before_ calling device_register(), because put_device() should be
+called even in case of device_register() failure.
+
+Link: https://lore.kernel.org/netdev/YVMRWNDZDUOvQjHL@shell.armlinux.org.uk/
+Fixes: 46abc02175b3 ("phylib: give mdio buses a device tree presence")
+Reported-and-tested-by: syzbot+398e7dc692ddbbb4cfec@syzkaller.appspotmail.com
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Link: https://lore.kernel.org/r/eceae1429fbf8fa5c73dd2a0d39d525aa905074d.1633024062.git.paskripkin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/mdio_bus.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c
+index 08c81d4cfca8..3207da2224f6 100644
+--- a/drivers/net/phy/mdio_bus.c
++++ b/drivers/net/phy/mdio_bus.c
+@@ -378,6 +378,13 @@ int __mdiobus_register(struct mii_bus *bus, struct module *owner)
+ bus->dev.groups = NULL;
+ dev_set_name(&bus->dev, "%s", bus->id);
+
++ /* We need to set state to MDIOBUS_UNREGISTERED to correctly release
++ * the device in mdiobus_free()
++ *
++ * State will be updated later in this function in case of success
++ */
++ bus->state = MDIOBUS_UNREGISTERED;
++
+ err = device_register(&bus->dev);
+ if (err) {
+ pr_err("mii_bus %s failed to register\n", bus->id);
+--
+2.33.0
+
--- /dev/null
+From f9cbf40b99ec9bab268301867d2b1e2b009a00a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 2 Oct 2021 11:04:09 +0200
+Subject: powerpc/fsl/dts: Fix phy-connection-type for fm1mac3
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit eed183abc0d3b8adb64fd1363b7cea7986cd58d6 ]
+
+Property phy-connection-type contains invalid value "sgmii-2500" per scheme
+defined in file ethernet-controller.yaml.
+
+Correct phy-connection-type value should be "2500base-x".
+
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Fixes: 84e0f1c13806 ("powerpc/mpc85xx: Add MDIO bus muxing support to the board device tree(s)")
+Acked-by: Scott Wood <oss@buserror.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/boot/dts/fsl/t1023rdb.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/boot/dts/fsl/t1023rdb.dts b/arch/powerpc/boot/dts/fsl/t1023rdb.dts
+index 5ba6fbfca274..f82f85c65964 100644
+--- a/arch/powerpc/boot/dts/fsl/t1023rdb.dts
++++ b/arch/powerpc/boot/dts/fsl/t1023rdb.dts
+@@ -154,7 +154,7 @@
+
+ fm1mac3: ethernet@e4000 {
+ phy-handle = <&sgmii_aqr_phy3>;
+- phy-connection-type = "sgmii-2500";
++ phy-connection-type = "2500base-x";
+ sleep = <&rcpm 0x20000000>;
+ };
+
+--
+2.33.0
+
--- /dev/null
+From 6d4b659f366bdceb827380c916ddbb495ee35e8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Oct 2021 19:20:33 +0300
+Subject: ptp_pch: Load module automatically if ID matches
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 7cd8b1542a7ba0720c5a0a85ed414a122015228b ]
+
+The driver can't be loaded automatically because it misses
+module alias to be provided. Add corresponding MODULE_DEVICE_TABLE()
+call to the driver.
+
+Fixes: 863d08ece9bf ("supports eg20t ptp clock")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ptp/ptp_pch.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/ptp/ptp_pch.c b/drivers/ptp/ptp_pch.c
+index 78ccf936d356..84feaa140f1b 100644
+--- a/drivers/ptp/ptp_pch.c
++++ b/drivers/ptp/ptp_pch.c
+@@ -695,6 +695,7 @@ static const struct pci_device_id pch_ieee1588_pcidev_id[] = {
+ },
+ {0}
+ };
++MODULE_DEVICE_TABLE(pci, pch_ieee1588_pcidev_id);
+
+ static struct pci_driver pch_driver = {
+ .name = KBUILD_MODNAME,
+--
+2.33.0
+
--- /dev/null
+From f97b359b8b63b7560806efa32ff873ddc9107c8d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Oct 2021 14:04:17 -0700
+Subject: rtnetlink: fix if_nlmsg_stats_size() under estimation
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit d34367991933d28bd7331f67a759be9a8c474014 ]
+
+rtnl_fill_statsinfo() is filling skb with one mandatory if_stats_msg structure.
+
+nlmsg_put(skb, pid, seq, type, sizeof(struct if_stats_msg), flags);
+
+But if_nlmsg_stats_size() never considered the needed storage.
+
+This bug did not show up because alloc_skb(X) allocates skb with
+extra tailroom, because of added alignments. This could very well
+be changed in the future to have deterministic behavior.
+
+Fixes: 10c9ead9f3c6 ("rtnetlink: add new RTM_GETSTATS message to dump link stats")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Roopa Prabhu <roopa@nvidia.com>
+Acked-by: Roopa Prabhu <roopa@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/rtnetlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
+index 055fd09ac111..83de32e34bb5 100644
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -4512,7 +4512,7 @@ nla_put_failure:
+ static size_t if_nlmsg_stats_size(const struct net_device *dev,
+ u32 filter_mask)
+ {
+- size_t size = 0;
++ size_t size = NLMSG_ALIGN(sizeof(struct if_stats_msg));
+
+ if (stats_attr_valid(filter_mask, IFLA_STATS_LINK_64, 0))
+ size += nla_total_size_64bit(sizeof(struct rtnl_link_stats64));
+--
+2.33.0
+
arm-dts-omap3430-sdp-fix-nand-device-node.patch
arm-dts-qcom-apq8064-use-compatible-which-contains-chipid.patch
bpf-mips-validate-conditional-branch-offsets.patch
+xtensa-call-irqchip_init-only-when-config_use_of-is-.patch
+bpf-arm-fix-register-clobbering-in-div-mod-implement.patch
+bpf-fix-integer-overflow-in-prealloc_elems_and_freel.patch
+phy-mdio-fix-memory-leak.patch
+net_sched-fix-null-deref-in-fifo_set_limit.patch
+powerpc-fsl-dts-fix-phy-connection-type-for-fm1mac3.patch
+ptp_pch-load-module-automatically-if-id-matches.patch
+arm-imx6-disable-the-gic-cpu-interface-before-callin.patch
+net-bridge-use-nla_total_size_64bit-in-br_get_linkxs.patch
+net-sfp-fix-typo-in-state-machine-debug-string.patch
+netlink-annotate-data-races-around-nlk-bound.patch
+drm-nouveau-debugfs-fix-file-release-memory-leak.patch
+rtnetlink-fix-if_nlmsg_stats_size-under-estimation.patch
+i40e-fix-endless-loop-under-rtnl.patch
+i40e-fix-freeing-of-uninitialized-misc-irq-vector.patch
--- /dev/null
+From 35a7ed4acb5a4e1863bb5fe70eef4e275d044415 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Sep 2021 09:46:33 -0700
+Subject: xtensa: call irqchip_init only when CONFIG_USE_OF is selected
+
+From: Max Filippov <jcmvbkbc@gmail.com>
+
+[ Upstream commit 6489f8d0e1d93a3603d8dad8125797559e4cf2a2 ]
+
+During boot time kernel configured with OF=y but USE_OF=n displays the
+following warnings and hangs shortly after starting userspace:
+
+------------[ cut here ]------------
+WARNING: CPU: 0 PID: 0 at kernel/irq/irqdomain.c:695 irq_create_mapping_affinity+0x29/0xc0
+irq_create_mapping_affinity(, 6) called with NULL domain
+CPU: 0 PID: 0 Comm: swapper Not tainted 5.15.0-rc3-00001-gd67ed2510d28 #30
+Call Trace:
+ __warn+0x69/0xc4
+ warn_slowpath_fmt+0x6c/0x94
+ irq_create_mapping_affinity+0x29/0xc0
+ local_timer_setup+0x40/0x88
+ time_init+0xb1/0xe8
+ start_kernel+0x31d/0x3f4
+ _startup+0x13b/0x13b
+---[ end trace 1e6630e1c5eda35b ]---
+------------[ cut here ]------------
+WARNING: CPU: 0 PID: 0 at arch/xtensa/kernel/time.c:141 local_timer_setup+0x58/0x88
+error: can't map timer irq
+CPU: 0 PID: 0 Comm: swapper Tainted: G W 5.15.0-rc3-00001-gd67ed2510d28 #30
+Call Trace:
+ __warn+0x69/0xc4
+ warn_slowpath_fmt+0x6c/0x94
+ local_timer_setup+0x58/0x88
+ time_init+0xb1/0xe8
+ start_kernel+0x31d/0x3f4
+ _startup+0x13b/0x13b
+---[ end trace 1e6630e1c5eda35c ]---
+Failed to request irq 0 (timer)
+
+Fix that by calling irqchip_init only when CONFIG_USE_OF is selected and
+calling legacy interrupt controller init otherwise.
+
+Fixes: da844a81779e ("xtensa: add device trees support")
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/xtensa/kernel/irq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/xtensa/kernel/irq.c b/arch/xtensa/kernel/irq.c
+index a48bf2d10ac2..80cc9770a8d2 100644
+--- a/arch/xtensa/kernel/irq.c
++++ b/arch/xtensa/kernel/irq.c
+@@ -145,7 +145,7 @@ unsigned xtensa_get_ext_irq_no(unsigned irq)
+
+ void __init init_IRQ(void)
+ {
+-#ifdef CONFIG_OF
++#ifdef CONFIG_USE_OF
+ irqchip_init();
+ #else
+ #ifdef CONFIG_HAVE_SMP
+--
+2.33.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
