commit 5cd40b137cba45a5a3d0b9a8554f779a3e0e93b4
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Wed Oct 6 15:56:04 2021 +0200

    Linux 5.10.71
    
    Link: https://lore.kernel.org/r/20211004125034.579439135@linuxfoundation.org
    Tested-by: Fox Chen <foxhlchen@gmail.com>
    Tested-by: Pavel Machek (CIP) <pavel@denx.de>
    Tested-by: Shuah Khan <skhan@linuxfoundation.org>
    Tested-by: Florian Fainelli <f.fainelli@gmail.com>
    Tested-by: Guenter Roeck <linux@roeck-us.net>
    Link: https://lore.kernel.org/r/20211005083301.812942169@linuxfoundation.org
    Tested-by: Fox Chen <foxhlchen@gmail.com>
    Tested-by: Jon Hunter <jonathanh@nvidia.com>
    Tested-by: Florian Fainelli <f.fainelli@gmail.com>
    Tested-by: Pavel Machek (CIP) <pavel@denx.de>
    Tested-by: Shuah Khan <skhan@linuxfoundation.org>
    Tested-by: SSalvatore Bonaccorso <carnil@debian.org>
    Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
    Tested-by: Sudip Mukherjee <sudip.mukherjee@codethink.co.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 96f439a7eda6e80b1f45a97da7d3020b259b04a4
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Mon Sep 13 20:38:52 2021 +0200

    netfilter: nf_tables: Fix oversized kvmalloc() calls
    
    commit 45928afe94a094bcda9af858b96673d59bc4a0e9 upstream.
    
    The commit 7661809d493b ("mm: don't allow oversized kvmalloc() calls")
    limits the max allocatable memory via kvmalloc() to MAX_INT.
    
    Reported-by: syzbot+cd43695a64bcd21b8596@syzkaller.appspotmail.com
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e2d192301a0df8160d1555b66ae8611e8050e424
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri Sep 17 15:15:56 2021 -0700

    netfilter: conntrack: serialize hash resizes and cleanups
    
    commit e9edc188fc76499b0b9bd60364084037f6d03773 upstream.
    
    Syzbot was able to trigger the following warning [1]
    
    No repro found by syzbot yet but I was able to trigger similar issue
    by having 2 scripts running in parallel, changing conntrack hash sizes,
    and:
    
    for j in `seq 1 1000` ; do unshare -n /bin/true >/dev/null ; done
    
    It would take more than 5 minutes for net_namespace structures
    to be cleaned up.
    
    This is because nf_ct_iterate_cleanup() has to restart everytime
    a resize happened.
    
    By adding a mutex, we can serialize hash resizes and cleanups
    and also make get_next_corpse() faster by skipping over empty
    buckets.
    
    Even without resizes in the picture, this patch considerably
    speeds up network namespace dismantles.
    
    [1]
    INFO: task syz-executor.0:8312 can't die for more than 144 seconds.
    task:syz-executor.0  state:R  running task     stack:25672 pid: 8312 ppid:  6573 flags:0x00004006
    Call Trace:
     context_switch kernel/sched/core.c:4955 [inline]
     __schedule+0x940/0x26f0 kernel/sched/core.c:6236
     preempt_schedule_common+0x45/0xc0 kernel/sched/core.c:6408
     preempt_schedule_thunk+0x16/0x18 arch/x86/entry/thunk_64.S:35
     __local_bh_enable_ip+0x109/0x120 kernel/softirq.c:390
     local_bh_enable include/linux/bottom_half.h:32 [inline]
     get_next_corpse net/netfilter/nf_conntrack_core.c:2252 [inline]
     nf_ct_iterate_cleanup+0x15a/0x450 net/netfilter/nf_conntrack_core.c:2275
     nf_conntrack_cleanup_net_list+0x14c/0x4f0 net/netfilter/nf_conntrack_core.c:2469
     ops_exit_list+0x10d/0x160 net/core/net_namespace.c:171
     setup_net+0x639/0xa30 net/core/net_namespace.c:349
     copy_net_ns+0x319/0x760 net/core/net_namespace.c:470
     create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110
     unshare_nsproxy_namespaces+0xc1/0x1f0 kernel/nsproxy.c:226
     ksys_unshare+0x445/0x920 kernel/fork.c:3128
     __do_sys_unshare kernel/fork.c:3202 [inline]
     __se_sys_unshare kernel/fork.c:3200 [inline]
     __x64_sys_unshare+0x2d/0x40 kernel/fork.c:3200
     do_syscall_x64 arch/x86/entry/common.c:50 [inline]
     do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x44/0xae
    RIP: 0033:0x7f63da68e739
    RSP: 002b:00007f63d7c05188 EFLAGS: 00000246 ORIG_RAX: 0000000000000110
    RAX: ffffffffffffffda RBX: 00007f63da792f80 RCX: 00007f63da68e739
    RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000040000000
    RBP: 00007f63da6e8cc4 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000246 R12: 00007f63da792f80
    R13: 00007fff50b75d3f R14: 00007f63d7c05300 R15: 0000000000022000
    
    Showing all locks held in the system:
    1 lock held by khungtaskd/27:
     #0: ffffffff8b980020 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x53/0x260 kernel/locking/lockdep.c:6446
    2 locks held by kworker/u4:2/153:
     #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
     #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: arch_atomic_long_set include/linux/atomic/atomic-long.h:41 [inline]
     #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: atomic_long_set include/linux/atomic/atomic-instrumented.h:1198 [inline]
     #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:634 [inline]
     #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:661 [inline]
     #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work+0x896/0x1690 kernel/workqueue.c:2268
     #1: ffffc9000140fdb0 ((kfence_timer).work){+.+.}-{0:0}, at: process_one_work+0x8ca/0x1690 kernel/workqueue.c:2272
    1 lock held by systemd-udevd/2970:
    1 lock held by in:imklog/6258:
     #0: ffff88807f970ff0 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0xe9/0x100 fs/file.c:990
    3 locks held by kworker/1:6/8158:
    1 lock held by syz-executor.0/8312:
    2 locks held by kworker/u4:13/9320:
    1 lock held by syz-executor.5/10178:
    1 lock held by syz-executor.4/10217:
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit deb2949417677649e2413266d7ce8c2ff73952b4
Author: Haimin Zhang <tcs_kernel@tencent.com>
Date:   Fri Sep 3 10:37:06 2021 +0800

    KVM: x86: Handle SRCU initialization failure during page track init
    
    commit eb7511bf9182292ef1df1082d23039e856d1ddfb upstream.
    
    Check the return of init_srcu_struct(), which can fail due to OOM, when
    initializing the page track mechanism.  Lack of checking leads to a NULL
    pointer deref found by a modified syzkaller.
    
    Reported-by: TCS Robot <tcs_robot@tencent.com>
    Signed-off-by: Haimin Zhang <tcs_kernel@tencent.com>
    Message-Id: <1630636626-12262-1-git-send-email-tcs_kernel@tencent.com>
    [Move the call towards the beginning of kvm_arch_init_vm. - Paolo]
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f7ac4d24e1610b92689946fa88177673f1e88a3f
Author: Anirudh Rayabharam <mail@anirudhrb.com>
Date:   Thu Jun 24 00:10:29 2021 +0530

    HID: usbhid: free raw_report buffers in usbhid_stop
    
    commit f7744fa16b96da57187dc8e5634152d3b63d72de upstream.
    
    Free the unsent raw_report buffers when the device is removed.
    
    Fixes a memory leak reported by syzbot at:
    https://syzkaller.appspot.com/bug?id=7b4fa7cb1a7c2d3342a2a8a6c53371c8c418ab47
    
    Reported-by: syzbot+47b26cd837ececfc666d@syzkaller.appspotmail.com
    Tested-by: syzbot+47b26cd837ececfc666d@syzkaller.appspotmail.com
    Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com>
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 57a269a1b12a3a6fe51f62e1be5e74494bad1d92
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Wed Jul 14 09:45:49 2021 -0700

    mm: don't allow oversized kvmalloc() calls
    
    commit 7661809d493b426e979f39ab512e3adf41fbcc69 upstream.
    
    'kvmalloc()' is a convenience function for people who want to do a
    kmalloc() but fall back on vmalloc() if there aren't enough physically
    contiguous pages, or if the allocation is larger than what kmalloc()
    supports.
    
    However, let's make sure it doesn't get _too_ easy to do crazy things
    with it.  In particular, don't allow big allocations that could be due
    to integer overflow or underflow.  So make sure the allocation size fits
    in an 'int', to protect against trivial integer conversion issues.
    
    Acked-by: Willy Tarreau <w@1wt.eu>
    Cc: Kees Cook <keescook@chromium.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit da5b8b9319f044c2ca24f6602c54033931e0c1cc
Author: Jozsef Kadlecsik <kadlec@netfilter.org>
Date:   Mon Sep 6 18:26:34 2021 +0200

    netfilter: ipset: Fix oversized kvmalloc() calls
    
    commit 7bbc3d385bd813077acaf0e6fdb2a86a901f5382 upstream.
    
    The commit
    
    commit 7661809d493b426e979f39ab512e3adf41fbcc69
    Author: Linus Torvalds <torvalds@linux-foundation.org>
    Date:   Wed Jul 14 09:45:49 2021 -0700
    
        mm: don't allow oversized kvmalloc() calls
    
    limits the max allocatable memory via kvmalloc() to MAX_INT. Apply the
    same limit in ipset.
    
    Reported-by: syzbot+3493b1873fb3ea827986@syzkaller.appspotmail.com
    Reported-by: syzbot+2b8443c35458a617c904@syzkaller.appspotmail.com
    Reported-by: syzbot+ee5cb15f4a0e85e0d54e@syzkaller.appspotmail.com
    Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit dedfc35a2de2bae9fa3da8210a05bfd515f83fee
Author: F.A.Sulaiman <asha.16@itfac.mrt.ac.lk>
Date:   Tue Aug 24 20:37:30 2021 +0530

    HID: betop: fix slab-out-of-bounds Write in betop_probe
    
    commit 1e4ce418b1cb1a810256b5fb3fd33d22d1325993 upstream.
    
    Syzbot reported slab-out-of-bounds Write bug in hid-betopff driver.
    The problem is the driver assumes the device must have an input report but
    some malicious devices violate this assumption.
    
    So this patch checks hid_device's input is non empty before it's been used.
    
    Reported-by: syzbot+07efed3bc5a1407bd742@syzkaller.appspotmail.com
    Signed-off-by: F.A. SULAIMAN <asha.16@itfac.mrt.ac.lk>
    Reviewed-by: Pavel Skripkin <paskripkin@gmail.com>
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 17ccc64e4fa5d3673528474bfeda814d95dc600a
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Thu Aug 26 16:04:27 2021 +0300

    crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd()
    
    commit 505d9dcb0f7ddf9d075e729523a33d38642ae680 upstream.
    
    There are three bugs in this code:
    
    1) If we ccp_init_data() fails for &src then we need to free aad.
       Use goto e_aad instead of goto e_ctx.
    2) The label to free the &final_wa was named incorrectly as "e_tag" but
       it should have been "e_final_wa".  One error path leaked &final_wa.
    3) The &tag was leaked on one error path.  In that case, I added a free
       before the goto because the resource was local to that block.
    
    Fixes: 36cf515b9bbe ("crypto: ccp - Enable support for AES GCM on v5 CCPs")
    Reported-by: "minihanshen(沈明航)" <minihanshen@tencent.com>
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Reviewed-by: John Allen <john.allen@amd.com>
    Tested-by: John Allen <john.allen@amd.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 28f0fdbac0f52c411763a6bbc475b0643a5d8d28
Author: Dongliang Mu <mudongliangabcd@gmail.com>
Date:   Wed Jul 21 16:14:57 2021 +0800

    usb: hso: remove the bailout parameter
    
    commit dcb713d53e2eadf42b878c12a471e74dc6ed3145 upstream.
    
    There are two invocation sites of hso_free_net_device. After
    refactoring hso_create_net_device, this parameter is useless.
    Remove the bailout in the hso_free_net_device and change the invocation
    sites of this function.
    
    Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    [Backport this cleanup patch to 5.10 and 5.14 in order to keep the
    codebase consistent with the 4.14/4.19/5.4 patchseries]
    Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4ad4852b9adf1345561c202569fe88b0af21eabf
Author: Shuming Fan <shumingf@realtek.com>
Date:   Mon Feb 8 17:40:42 2021 -0600

    ASoC: dapm: use component prefix when checking widget names
    
    commit ae4fc532244b3bb4d86c397418d980b0c6be1dfd upstream.
    
    On a TigerLake SoundWire platform, we see these warnings:
    
    [   27.360086] rt5682 sdw:0:25d:5682:0: ASoC: DAPM unknown pin MICBIAS
    [   27.360092] rt5682 sdw:0:25d:5682:0: ASoC: DAPM unknown pin Vref2
    
    This is root-caused to the addition of a component prefix in the
    machine driver. The tests in soc-dapm should account for a prefix
    instead of reporting an invalid issue.
    
    Reported-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
    Reviewed-by: Rander Wang <rander.wang@linux.intel.com>
    Signed-off-by: Shuming Fan <shumingf@realtek.com>
    Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
    Link: https://lore.kernel.org/r/20210208234043.59750-2-pierre-louis.bossart@linux.intel.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Robert Lee <lerobert@google.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5c3a90b6ff75c18d9c8e1701b3b9b56580acfc61
Author: Eric Dumazet <edumazet@google.com>
Date:   Mon Sep 27 17:29:24 2021 -0700

    net: udp: annotate data race around udp_sk(sk)->corkflag
    
    commit a9f5970767d11eadc805d5283f202612c7ba1f59 upstream.
    
    up->corkflag field can be read or written without any lock.
    Annotate accesses to avoid possible syzbot/KCSAN reports.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a7f4c633ae120562e91a0891101ed44eaa6c6d1e
Author: Andrej Shadura <andrew.shadura@collabora.co.uk>
Date:   Thu Sep 16 17:33:11 2021 +0100

    HID: u2fzero: ignore incomplete packets without data
    
    commit 22d65765f211cc83186fd8b87521159f354c0da9 upstream.
    
    Since the actual_length calculation is performed unsigned, packets
    shorter than 7 bytes (e.g. packets without data or otherwise truncated)
    or non-received packets ("zero" bytes) can cause buffer overflow.
    
    Link: https://bugzilla.kernel.org/show_bug.cgi?id=214437
    Fixes: 42337b9d4d958("HID: add driver for U2F Zero built-in LED and RNG")
    Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3770e21f60fc29326a7f3febfa8adc9a3c2dde62
Author: yangerkun <yangerkun@huawei.com>
Date:   Tue Sep 14 19:14:15 2021 +0800

    ext4: fix potential infinite loop in ext4_dx_readdir()
    
    commit 42cb447410d024e9d54139ae9c21ea132a8c384c upstream.
    
    When ext4_htree_fill_tree() fails, ext4_dx_readdir() can run into an
    infinite loop since if info->last_pos != ctx->pos this will reset the
    directory scan and reread the failing entry.  For example:
    
    1. a dx_dir which has 3 block, block 0 as dx_root block, block 1/2 as
       leaf block which own the ext4_dir_entry_2
    2. block 1 read ok and call_filldir which will fill the dirent and update
       the ctx->pos
    3. block 2 read fail, but we has already fill some dirent, so we will
       return back to userspace will a positive return val(see ksys_getdents64)
    4. the second ext4_dx_readdir will reset the world since info->last_pos
       != ctx->pos, and will also init the curr_hash which pos to block 1
    5. So we will read block1 too, and once block2 still read fail, we can
       only fill one dirent because the hash of the entry in block1(besides
       the last one) won't greater than curr_hash
    6. this time, we forget update last_pos too since the read for block2
       will fail, and since we has got the one entry, ksys_getdents64 can
       return success
    7. Latter we will trapped in a loop with step 4~6
    
    Cc: stable@kernel.org
    Signed-off-by: yangerkun <yangerkun@huawei.com>
    Reviewed-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Link: https://lore.kernel.org/r/20210914111415.3921954-1-yangerkun@huawei.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a63474dbf692dd09b50fed592bc41f6de5f102fc
Author: Theodore Ts'o <tytso@mit.edu>
Date:   Thu Sep 2 11:36:01 2021 -0400

    ext4: add error checking to ext4_ext_replay_set_iblocks()
    
    commit 1fd95c05d8f742abfe906620780aee4dbe1a2db0 upstream.
    
    If the call to ext4_map_blocks() fails due to an corrupted file
    system, ext4_ext_replay_set_iblocks() can get stuck in an infinite
    loop.  This could be reproduced by running generic/526 with a file
    system that has inline_data and fast_commit enabled.  The system will
    repeatedly log to the console:
    
    EXT4-fs warning (device dm-3): ext4_block_to_path:105: block 1074800922 > max in inode 131076
    
    and the stack that it gets stuck in is:
    
       ext4_block_to_path+0xe3/0x130
       ext4_ind_map_blocks+0x93/0x690
       ext4_map_blocks+0x100/0x660
       skip_hole+0x47/0x70
       ext4_ext_replay_set_iblocks+0x223/0x440
       ext4_fc_replay_inode+0x29e/0x3b0
       ext4_fc_replay+0x278/0x550
       do_one_pass+0x646/0xc10
       jbd2_journal_recover+0x14a/0x270
       jbd2_journal_load+0xc4/0x150
       ext4_load_journal+0x1f3/0x490
       ext4_fill_super+0x22d4/0x2c00
    
    With this patch, generic/526 still fails, but system is no longer
    locking up in a tight loop.  It's likely the root casue is that
    fast_commit replay is corrupting file systems with inline_data, and we
    probably need to add better error handling in the fast commit replay
    code path beyond what is done here, which essentially just breaks the
    infinite loop without reporting the to the higher levels of the code.
    
    Fixes: 8016E29F4362 ("ext4: fast commit recovery path")
    Cc: stable@kernel.org
    Cc: Harshad Shirwadkar <harshadshirwadkar@gmail.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9ccf35492b084ecbc916761a5c6f42599450f013
Author: Jeffle Xu <jefflexu@linux.alibaba.com>
Date:   Mon Aug 23 14:13:58 2021 +0800

    ext4: fix reserved space counter leakage
    
    commit 6fed83957f21eff11c8496e9f24253b03d2bc1dc upstream.
    
    When ext4_insert_delayed block receives and recovers from an error from
    ext4_es_insert_delayed_block(), e.g., ENOMEM, it does not release the
    space it has reserved for that block insertion as it should. One effect
    of this bug is that s_dirtyclusters_counter is not decremented and
    remains incorrectly elevated until the file system has been unmounted.
    This can result in premature ENOSPC returns and apparent loss of free
    space.
    
    Another effect of this bug is that
    /sys/fs/ext4/<dev>/delayed_allocation_blocks can remain non-zero even
    after syncfs has been executed on the filesystem.
    
    Besides, add check for s_dirtyclusters_counter when inode is going to be
    evicted and freed. s_dirtyclusters_counter can still keep non-zero until
    inode is written back in .evict_inode(), and thus the check is delayed
    to .destroy_inode().
    
    Fixes: 51865fda28e5 ("ext4: let ext4 maintain extent status tree")
    Cc: stable@kernel.org
    Suggested-by: Gao Xiang <hsiangkao@linux.alibaba.com>
    Signed-off-by: Jeffle Xu <jefflexu@linux.alibaba.com>
    Reviewed-by: Eric Whitney <enwlinux@gmail.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Link: https://lore.kernel.org/r/20210823061358.84473-1-jefflexu@linux.alibaba.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit dc0942168ab3e38e3a6e6368fae3ebc4b5f4ce2d
Author: Hou Tao <houtao1@huawei.com>
Date:   Fri Aug 20 12:45:05 2021 +0800

    ext4: limit the number of blocks in one ADD_RANGE TLV
    
    commit a2c2f0826e2b75560b31daf1cd9a755ab93cf4c6 upstream.
    
    Now EXT4_FC_TAG_ADD_RANGE uses ext4_extent to track the
    newly-added blocks, but the limit on the max value of
    ee_len field is ignored, and it can lead to BUG_ON as
    shown below when running command "fallocate -l 128M file"
    on a fast_commit-enabled fs:
    
      kernel BUG at fs/ext4/ext4_extents.h:199!
      invalid opcode: 0000 [#1] SMP PTI
      CPU: 3 PID: 624 Comm: fallocate Not tainted 5.14.0-rc6+ #1
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
      RIP: 0010:ext4_fc_write_inode_data+0x1f3/0x200
      Call Trace:
       ? ext4_fc_write_inode+0xf2/0x150
       ext4_fc_commit+0x93b/0xa00
       ? ext4_fallocate+0x1ad/0x10d0
       ext4_sync_file+0x157/0x340
       ? ext4_sync_file+0x157/0x340
       vfs_fsync_range+0x49/0x80
       do_fsync+0x3d/0x70
       __x64_sys_fsync+0x14/0x20
       do_syscall_64+0x3b/0xc0
       entry_SYSCALL_64_after_hwframe+0x44/0xae
    
    Simply fixing it by limiting the number of blocks
    in one EXT4_FC_TAG_ADD_RANGE TLV.
    
    Fixes: aa75f4d3daae ("ext4: main fast-commit commit path")
    Cc: stable@kernel.org
    Signed-off-by: Hou Tao <houtao1@huawei.com>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Link: https://lore.kernel.org/r/20210820044505.474318-1-houtao1@huawei.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d11502fa26913f84883438c55fab0a8cb0d11474
Author: Ritesh Harjani <riteshh@linux.ibm.com>
Date:   Sat Jun 5 10:39:32 2021 +0530

    ext4: fix loff_t overflow in ext4_max_bitmap_size()
    
    commit 75ca6ad408f459f00b09a64f04c774559848c097 upstream.
    
    We should use unsigned long long rather than loff_t to avoid
    overflow in ext4_max_bitmap_size() for comparison before returning.
    w/o this patch sbi->s_bitmap_maxbytes was becoming a negative
    value due to overflow of upper_limit (with has_huge_files as true)
    
    Below is a quick test to trigger it on a 64KB pagesize system.
    
    sudo mkfs.ext4 -b 65536 -O ^has_extents,^64bit /dev/loop2
    sudo mount /dev/loop2 /mnt
    sudo echo "hello" > /mnt/hello  -> This will error out with
                                    "echo: write error: File too large"
    
    Signed-off-by: Ritesh Harjani <riteshh@linux.ibm.com>
    Reviewed-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Cc: stable@kernel.org
    Link: https://lore.kernel.org/r/594f409e2c543e90fd836b78188dfa5c575065ba.1622867594.git.riteshh@linux.ibm.com
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7cea848678470daadbfdaa6a112b823c290f900c
Author: Johan Hovold <johan@kernel.org>
Date:   Fri Sep 17 13:46:21 2021 +0200

    ipack: ipoctal: fix module reference leak
    
    commit bb8a4fcb2136508224c596a7e665bdba1d7c3c27 upstream.
    
    A reference to the carrier module was taken on every open but was only
    released once when the final reference to the tty struct was dropped.
    
    Fix this by taking the module reference and initialising the tty driver
    data when installing the tty.
    
    Fixes: 82a82340bab6 ("ipoctal: get carrier driver to avoid rmmod")
    Cc: stable@vger.kernel.org      # 3.18
    Cc: Federico Vaga <federico.vaga@cern.ch>
    Acked-by: Samuel Iglesias Gonsalvez <siglesias@igalia.com>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Link: https://lore.kernel.org/r/20210917114622.5412-6-johan@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 843efca98e6a24a917585247883d7cc34e9fe077
Author: Johan Hovold <johan@kernel.org>
Date:   Fri Sep 17 13:46:20 2021 +0200

    ipack: ipoctal: fix missing allocation-failure check
    
    commit 445c8132727728dc297492a7d9fc074af3e94ba3 upstream.
    
    Add the missing error handling when allocating the transmit buffer to
    avoid dereferencing a NULL pointer in write() should the allocation
    ever fail.
    
    Fixes: ba4dc61fe8c5 ("Staging: ipack: add support for IP-OCTAL mezzanine board")
    Cc: stable@vger.kernel.org      # 3.5
    Acked-by: Samuel Iglesias Gonsalvez <siglesias@igalia.com>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Link: https://lore.kernel.org/r/20210917114622.5412-5-johan@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 67d1df661088b70382cd2499945ad80333c16ba1
Author: Johan Hovold <johan@kernel.org>
Date:   Fri Sep 17 13:46:19 2021 +0200

    ipack: ipoctal: fix tty-registration error handling
    
    commit cd20d59291d1790dc74248476e928f57fc455189 upstream.
    
    Registration of the ipoctal tty devices is unlikely to fail, but if it
    ever does, make sure not to deregister a never registered tty device
    (and dereference a NULL pointer) when the driver is later unbound.
    
    Fixes: 2afb41d9d30d ("Staging: ipack/devices/ipoctal: Check tty_register_device return value.")
    Cc: stable@vger.kernel.org      # 3.7
    Acked-by: Samuel Iglesias Gonsalvez <siglesias@igalia.com>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Link: https://lore.kernel.org/r/20210917114622.5412-4-johan@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f46e5db92fa2c28724724a39f1f51e8ca6a78de9
Author: Johan Hovold <johan@kernel.org>
Date:   Fri Sep 17 13:46:18 2021 +0200

    ipack: ipoctal: fix tty registration race
    
    commit 65c001df517a7bf9be8621b53d43c89f426ce8d6 upstream.
    
    Make sure to set the tty class-device driver data before registering the
    tty to avoid having a racing open() dereference a NULL pointer.
    
    Fixes: 9c1d784afc6f ("Staging: ipack/devices/ipoctal: Get rid of ipoctal_list.")
    Cc: stable@vger.kernel.org      # 3.7
    Acked-by: Samuel Iglesias Gonsalvez <siglesias@igalia.com>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Link: https://lore.kernel.org/r/20210917114622.5412-3-johan@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5f6a309a699675680df15d9b6d389114515b4426
Author: Johan Hovold <johan@kernel.org>
Date:   Fri Sep 17 13:46:17 2021 +0200

    ipack: ipoctal: fix stack information leak
    
    commit a89936cce87d60766a75732a9e7e25c51164f47c upstream.
    
    The tty driver name is used also after registering the driver and must
    specifically not be allocated on the stack to avoid leaking information
    to user space (or triggering an oops).
    
    Drivers should not try to encode topology information in the tty device
    name but this one snuck in through staging without anyone noticing and
    another driver has since copied this malpractice.
    
    Fixing the ABI is a separate issue, but this at least plugs the security
    hole.
    
    Fixes: ba4dc61fe8c5 ("Staging: ipack: add support for IP-OCTAL mezzanine board")
    Cc: stable@vger.kernel.org      # 3.5
    Acked-by: Samuel Iglesias Gonsalvez <siglesias@igalia.com>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Link: https://lore.kernel.org/r/20210917114622.5412-2-johan@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3bef1b7242e0a344177ba95ddafb3d2c67693ab2
Author: Nirmoy Das <nirmoy.das@amd.com>
Date:   Thu Sep 2 12:29:17 2021 +0200

    debugfs: debugfs_create_file_size(): use IS_ERR to check for error
    
    commit af505cad9567f7a500d34bf183696d570d7f6810 upstream.
    
    debugfs_create_file() returns encoded error so use IS_ERR for checking
    return value.
    
    Reviewed-by: Christian König <christian.koenig@amd.com>
    Signed-off-by: Nirmoy Das <nirmoy.das@amd.com>
    Fixes: ff9fb72bc077 ("debugfs: return error values, not NULL")
    Cc: stable <stable@vger.kernel.org>
    References: https://gitlab.freedesktop.org/drm/amd/-/issues/1686
    Link: https://lore.kernel.org/r/20210902102917.2233-1-nirmoy.das@amd.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 15fd3954bca729467675b976e85f54f1d03a2aad
Author: Chen Jingwen <chenjingwen6@huawei.com>
Date:   Tue Sep 28 20:56:57 2021 +0800

    elf: don't use MAP_FIXED_NOREPLACE for elf interpreter mappings
    
    commit 9b2f72cc0aa4bb444541bb87581c35b7508b37d3 upstream.
    
    In commit b212921b13bd ("elf: don't use MAP_FIXED_NOREPLACE for elf
    executable mappings") we still leave MAP_FIXED_NOREPLACE in place for
    load_elf_interp.
    
    Unfortunately, this will cause kernel to fail to start with:
    
        1 (init): Uhuuh, elf segment at 00003ffff7ffd000 requested but the memory is mapped already
        Failed to execute /init (error -17)
    
    The reason is that the elf interpreter (ld.so) has overlapping segments.
    
      readelf -l ld-2.31.so
      Program Headers:
        Type           Offset             VirtAddr           PhysAddr
                       FileSiz            MemSiz              Flags  Align
        LOAD           0x0000000000000000 0x0000000000000000 0x0000000000000000
                       0x000000000002c94c 0x000000000002c94c  R E    0x10000
        LOAD           0x000000000002dae0 0x000000000003dae0 0x000000000003dae0
                       0x00000000000021e8 0x0000000000002320  RW     0x10000
        LOAD           0x000000000002fe00 0x000000000003fe00 0x000000000003fe00
                       0x00000000000011ac 0x0000000000001328  RW     0x10000
    
    The reason for this problem is the same as described in commit
    ad55eac74f20 ("elf: enforce MAP_FIXED on overlaying elf segments").
    
    Not only executable binaries, elf interpreters (e.g. ld.so) can have
    overlapping elf segments, so we better drop MAP_FIXED_NOREPLACE and go
    back to MAP_FIXED in load_elf_interp.
    
    Fixes: 4ed28639519c ("fs, elf: drop MAP_FIXED usage from elf_map")
    Cc: <stable@vger.kernel.org> # v4.19
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Cc: Michal Hocko <mhocko@suse.com>
    Signed-off-by: Chen Jingwen <chenjingwen6@huawei.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 011b4de950d80d9438e67b44622e2a587e097d56
Author: Keith Busch <kbusch@kernel.org>
Date:   Mon Sep 27 08:43:06 2021 -0700

    nvme: add command id quirk for apple controllers
    
    commit a2941f6aa71a72be2c82c0a168523a492d093530 upstream.
    
    Some apple controllers use the command id as an index to implementation
    specific data structures and will fail if the value is out of bounds.
    The nvme driver's recently introduced command sequence number breaks
    this controller.
    
    Provide a quirk so these spec incompliant controllers can function as
    before. The driver will not have the ability to detect bad completions
    when this quirk is used, but we weren't previously checking this anyway.
    
    The quirk bit was selected so that it can readily apply to stable.
    
    Link: https://bugzilla.kernel.org/show_bug.cgi?id=214509
    Cc: Sven Peter <sven@svenpeter.dev>
    Reported-by: Orlando Chamberlain <redecorating@protonmail.com>
    Reported-by: Aditya Garg <gargaditya08@live.com>
    Signed-off-by: Keith Busch <kbusch@kernel.org>
    Reviewed-by: Christoph Hellwig <hch@lst.de>
    Tested-by: Sven Peter <sven@svenpeter.dev>
    Link: https://lore.kernel.org/r/20210927154306.387437-1-kbusch@kernel.org
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 44c600a57d57547a0bb4865f2589cfb26728b524
Author: Vadim Pasternak <vadimp@nvidia.com>
Date:   Mon Sep 27 10:07:40 2021 +0300

    hwmon: (pmbus/mp2975) Add missed POUT attribute for page 1 mp2975 controller
    
    [ Upstream commit 2292e2f685cd5c65e3f47bbcf9f469513acc3195 ]
    
    Add missed attribute for reading POUT from page 1.
    It is supported by device, but has been missed in initial commit.
    
    Fixes: 2c6fcbb21149 ("hwmon: (pmbus) Add support for MPS Multi-phase mp2975 controller")
    Signed-off-by: Vadim Pasternak <vadimp@nvidia.com>
    Link: https://lore.kernel.org/r/20210927070740.2149290-1-vadimp@nvidia.com
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 7fc5f60a01bbcce366d2180722f2bf71c9e3c3df
Author: Kan Liang <kan.liang@linux.intel.com>
Date:   Tue Sep 28 08:19:03 2021 -0700

    perf/x86/intel: Update event constraints for ICX
    
    [ Upstream commit ecc2123e09f9e71ddc6c53d71e283b8ada685fe2 ]
    
    According to the latest event list, the event encoding 0xEF is only
    available on the first 4 counters. Add it into the event constraints
    table.
    
    Fixes: 6017608936c1 ("perf/x86/intel: Add Icelake support")
    Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Link: https://lkml.kernel.org/r/1632842343-25862-1-git-send-email-kan.liang@linux.intel.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3db53827a0e9130d9e2cbe3c3b5bca601caa4c74
Author: Eric Dumazet <edumazet@google.com>
Date:   Wed Sep 29 15:57:50 2021 -0700

    af_unix: fix races in sk_peer_pid and sk_peer_cred accesses
    
    [ Upstream commit 35306eb23814444bd4021f8a1c3047d3cb0c8b2b ]
    
    Jann Horn reported that SO_PEERCRED and SO_PEERGROUPS implementations
    are racy, as af_unix can concurrently change sk_peer_pid and sk_peer_cred.
    
    In order to fix this issue, this patch adds a new spinlock that needs
    to be used whenever these fields are read or written.
    
    Jann also pointed out that l2cap_sock_get_peer_pid_cb() is currently
    reading sk->sk_peer_pid which makes no sense, as this field
    is only possibly set by AF_UNIX sockets.
    We will have to clean this in a separate patch.
    This could be done by reverting b48596d1dc25 "Bluetooth: L2CAP: Add get_peer_pid callback"
    or implementing what was truly expected.
    
    Fixes: 109f6e39fa07 ("af_unix: Allow SO_PEERCRED to work across namespaces.")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: Jann Horn <jannh@google.com>
    Cc: Eric W. Biederman <ebiederm@xmission.com>
    Cc: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Cc: Marcel Holtmann <marcel@holtmann.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit d0d520c19e7ea19ed38dc5797b12397b6ccf9f88
Author: Vlad Buslov <vladbu@nvidia.com>
Date:   Wed Sep 29 18:08:49 2021 +0300

    net: sched: flower: protect fl_walk() with rcu
    
    [ Upstream commit d5ef190693a7d76c5c192d108e8dec48307b46ee ]
    
    Patch that refactored fl_walk() to use idr_for_each_entry_continue_ul()
    also removed rcu protection of individual filters which causes following
    use-after-free when filter is deleted concurrently. Fix fl_walk() to obtain
    rcu read lock while iterating and taking the filter reference and temporary
    release the lock while calling arg->fn() callback that can sleep.
    
    KASAN trace:
    
    [  352.773640] ==================================================================
    [  352.775041] BUG: KASAN: use-after-free in fl_walk+0x159/0x240 [cls_flower]
    [  352.776304] Read of size 4 at addr ffff8881c8251480 by task tc/2987
    
    [  352.777862] CPU: 3 PID: 2987 Comm: tc Not tainted 5.15.0-rc2+ #2
    [  352.778980] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
    [  352.781022] Call Trace:
    [  352.781573]  dump_stack_lvl+0x46/0x5a
    [  352.782332]  print_address_description.constprop.0+0x1f/0x140
    [  352.783400]  ? fl_walk+0x159/0x240 [cls_flower]
    [  352.784292]  ? fl_walk+0x159/0x240 [cls_flower]
    [  352.785138]  kasan_report.cold+0x83/0xdf
    [  352.785851]  ? fl_walk+0x159/0x240 [cls_flower]
    [  352.786587]  kasan_check_range+0x145/0x1a0
    [  352.787337]  fl_walk+0x159/0x240 [cls_flower]
    [  352.788163]  ? fl_put+0x10/0x10 [cls_flower]
    [  352.789007]  ? __mutex_unlock_slowpath.constprop.0+0x220/0x220
    [  352.790102]  tcf_chain_dump+0x231/0x450
    [  352.790878]  ? tcf_chain_tp_delete_empty+0x170/0x170
    [  352.791833]  ? __might_sleep+0x2e/0xc0
    [  352.792594]  ? tfilter_notify+0x170/0x170
    [  352.793400]  ? __mutex_unlock_slowpath.constprop.0+0x220/0x220
    [  352.794477]  tc_dump_tfilter+0x385/0x4b0
    [  352.795262]  ? tc_new_tfilter+0x1180/0x1180
    [  352.796103]  ? __mod_node_page_state+0x1f/0xc0
    [  352.796974]  ? __build_skb_around+0x10e/0x130
    [  352.797826]  netlink_dump+0x2c0/0x560
    [  352.798563]  ? netlink_getsockopt+0x430/0x430
    [  352.799433]  ? __mutex_unlock_slowpath.constprop.0+0x220/0x220
    [  352.800542]  __netlink_dump_start+0x356/0x440
    [  352.801397]  rtnetlink_rcv_msg+0x3ff/0x550
    [  352.802190]  ? tc_new_tfilter+0x1180/0x1180
    [  352.802872]  ? rtnl_calcit.isra.0+0x1f0/0x1f0
    [  352.803668]  ? tc_new_tfilter+0x1180/0x1180
    [  352.804344]  ? _copy_from_iter_nocache+0x800/0x800
    [  352.805202]  ? kasan_set_track+0x1c/0x30
    [  352.805900]  netlink_rcv_skb+0xc6/0x1f0
    [  352.806587]  ? rht_deferred_worker+0x6b0/0x6b0
    [  352.807455]  ? rtnl_calcit.isra.0+0x1f0/0x1f0
    [  352.808324]  ? netlink_ack+0x4d0/0x4d0
    [  352.809086]  ? netlink_deliver_tap+0x62/0x3d0
    [  352.809951]  netlink_unicast+0x353/0x480
    [  352.810744]  ? netlink_attachskb+0x430/0x430
    [  352.811586]  ? __alloc_skb+0xd7/0x200
    [  352.812349]  netlink_sendmsg+0x396/0x680
    [  352.813132]  ? netlink_unicast+0x480/0x480
    [  352.813952]  ? __import_iovec+0x192/0x210
    [  352.814759]  ? netlink_unicast+0x480/0x480
    [  352.815580]  sock_sendmsg+0x6c/0x80
    [  352.816299]  ____sys_sendmsg+0x3a5/0x3c0
    [  352.817096]  ? kernel_sendmsg+0x30/0x30
    [  352.817873]  ? __ia32_sys_recvmmsg+0x150/0x150
    [  352.818753]  ___sys_sendmsg+0xd8/0x140
    [  352.819518]  ? sendmsg_copy_msghdr+0x110/0x110
    [  352.820402]  ? ___sys_recvmsg+0xf4/0x1a0
    [  352.821110]  ? __copy_msghdr_from_user+0x260/0x260
    [  352.821934]  ? _raw_spin_lock+0x81/0xd0
    [  352.822680]  ? __handle_mm_fault+0xef3/0x1b20
    [  352.823549]  ? rb_insert_color+0x2a/0x270
    [  352.824373]  ? copy_page_range+0x16b0/0x16b0
    [  352.825209]  ? perf_event_update_userpage+0x2d0/0x2d0
    [  352.826190]  ? __fget_light+0xd9/0xf0
    [  352.826941]  __sys_sendmsg+0xb3/0x130
    [  352.827613]  ? __sys_sendmsg_sock+0x20/0x20
    [  352.828377]  ? do_user_addr_fault+0x2c5/0x8a0
    [  352.829184]  ? fpregs_assert_state_consistent+0x52/0x60
    [  352.830001]  ? exit_to_user_mode_prepare+0x32/0x160
    [  352.830845]  do_syscall_64+0x35/0x80
    [  352.831445]  entry_SYSCALL_64_after_hwframe+0x44/0xae
    [  352.832331] RIP: 0033:0x7f7bee973c17
    [  352.833078] Code: 0c 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
    [  352.836202] RSP: 002b:00007ffcbb368e28 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
    [  352.837524] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7bee973c17
    [  352.838715] RDX: 0000000000000000 RSI: 00007ffcbb368e50 RDI: 0000000000000003
    [  352.839838] RBP: 00007ffcbb36d090 R08: 00000000cea96d79 R09: 00007f7beea34a40
    [  352.841021] R10: 00000000004059bb R11: 0000000000000246 R12: 000000000046563f
    [  352.842208] R13: 0000000000000000 R14: 0000000000000000 R15: 00007ffcbb36d088
    
    [  352.843784] Allocated by task 2960:
    [  352.844451]  kasan_save_stack+0x1b/0x40
    [  352.845173]  __kasan_kmalloc+0x7c/0x90
    [  352.845873]  fl_change+0x282/0x22db [cls_flower]
    [  352.846696]  tc_new_tfilter+0x6cf/0x1180
    [  352.847493]  rtnetlink_rcv_msg+0x471/0x550
    [  352.848323]  netlink_rcv_skb+0xc6/0x1f0
    [  352.849097]  netlink_unicast+0x353/0x480
    [  352.849886]  netlink_sendmsg+0x396/0x680
    [  352.850678]  sock_sendmsg+0x6c/0x80
    [  352.851398]  ____sys_sendmsg+0x3a5/0x3c0
    [  352.852202]  ___sys_sendmsg+0xd8/0x140
    [  352.852967]  __sys_sendmsg+0xb3/0x130
    [  352.853718]  do_syscall_64+0x35/0x80
    [  352.854457]  entry_SYSCALL_64_after_hwframe+0x44/0xae
    
    [  352.855830] Freed by task 7:
    [  352.856421]  kasan_save_stack+0x1b/0x40
    [  352.857139]  kasan_set_track+0x1c/0x30
    [  352.857854]  kasan_set_free_info+0x20/0x30
    [  352.858609]  __kasan_slab_free+0xed/0x130
    [  352.859348]  kfree+0xa7/0x3c0
    [  352.859951]  process_one_work+0x44d/0x780
    [  352.860685]  worker_thread+0x2e2/0x7e0
    [  352.861390]  kthread+0x1f4/0x220
    [  352.862022]  ret_from_fork+0x1f/0x30
    
    [  352.862955] Last potentially related work creation:
    [  352.863758]  kasan_save_stack+0x1b/0x40
    [  352.864378]  kasan_record_aux_stack+0xab/0xc0
    [  352.865028]  insert_work+0x30/0x160
    [  352.865617]  __queue_work+0x351/0x670
    [  352.866261]  rcu_work_rcufn+0x30/0x40
    [  352.866917]  rcu_core+0x3b2/0xdb0
    [  352.867561]  __do_softirq+0xf6/0x386
    
    [  352.868708] Second to last potentially related work creation:
    [  352.869779]  kasan_save_stack+0x1b/0x40
    [  352.870560]  kasan_record_aux_stack+0xab/0xc0
    [  352.871426]  call_rcu+0x5f/0x5c0
    [  352.872108]  queue_rcu_work+0x44/0x50
    [  352.872855]  __fl_put+0x17c/0x240 [cls_flower]
    [  352.873733]  fl_delete+0xc7/0x100 [cls_flower]
    [  352.874607]  tc_del_tfilter+0x510/0xb30
    [  352.886085]  rtnetlink_rcv_msg+0x471/0x550
    [  352.886875]  netlink_rcv_skb+0xc6/0x1f0
    [  352.887636]  netlink_unicast+0x353/0x480
    [  352.888285]  netlink_sendmsg+0x396/0x680
    [  352.888942]  sock_sendmsg+0x6c/0x80
    [  352.889583]  ____sys_sendmsg+0x3a5/0x3c0
    [  352.890311]  ___sys_sendmsg+0xd8/0x140
    [  352.891019]  __sys_sendmsg+0xb3/0x130
    [  352.891716]  do_syscall_64+0x35/0x80
    [  352.892395]  entry_SYSCALL_64_after_hwframe+0x44/0xae
    
    [  352.893666] The buggy address belongs to the object at ffff8881c8251000
                    which belongs to the cache kmalloc-2k of size 2048
    [  352.895696] The buggy address is located 1152 bytes inside of
                    2048-byte region [ffff8881c8251000, ffff8881c8251800)
    [  352.897640] The buggy address belongs to the page:
    [  352.898492] page:00000000213bac35 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1c8250
    [  352.900110] head:00000000213bac35 order:3 compound_mapcount:0 compound_pincount:0
    [  352.901541] flags: 0x2ffff800010200(slab|head|node=0|zone=2|lastcpupid=0x1ffff)
    [  352.902908] raw: 002ffff800010200 0000000000000000 dead000000000122 ffff888100042f00
    [  352.904391] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
    [  352.905861] page dumped because: kasan: bad access detected
    
    [  352.907323] Memory state around the buggy address:
    [  352.908218]  ffff8881c8251380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    [  352.909471]  ffff8881c8251400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    [  352.910735] >ffff8881c8251480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    [  352.912012]                    ^
    [  352.912642]  ffff8881c8251500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    [  352.913919]  ffff8881c8251580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    [  352.915185] ==================================================================
    
    Fixes: d39d714969cd ("idr: introduce idr_for_each_entry_continue_ul()")
    Signed-off-by: Vlad Buslov <vladbu@nvidia.com>
    Acked-by: Cong Wang <cong.wang@bytedance.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit e63f6d8fe74a5e65a77189cc13930630e8e88971
Author: Florian Fainelli <f.fainelli@gmail.com>
Date:   Tue Sep 28 13:32:33 2021 -0700

    net: phy: bcm7xxx: Fixed indirect MMD operations
    
    [ Upstream commit d88fd1b546ff19c8040cfaea76bf16aed1c5a0bb ]
    
    When EEE support was added to the 28nm EPHY it was assumed that it would
    be able to support the standard clause 45 over clause 22 register access
    method. It turns out that the PHY does not support that, which is the
    very reason for using the indirect shadow mode 2 bank 3 access method.
    
    Implement {read,write}_mmd to allow the standard PHY library routines
    pertaining to EEE querying and configuration to work correctly on these
    PHYs. This forces us to implement a __phy_set_clr_bits() function that
    does not grab the MDIO bus lock since the PHY driver's {read,write}_mmd
    functions are always called with that lock held.
    
    Fixes: 83ee102a6998 ("net: phy: bcm7xxx: add support for 28nm EPHY")
    Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 071febc37e066c9bd6f417179b4f763d0b13437b
Author: Guangbin Huang <huangguangbin2@huawei.com>
Date:   Wed Sep 29 17:35:55 2021 +0800

    net: hns3: fix always enable rx vlan filter problem after selftest
    
    [ Upstream commit 27bf4af69fcb9845fb2f0076db5d562ec072e70f ]
    
    Currently, the rx vlan filter will always be disabled before selftest and
    be enabled after selftest as the rx vlan filter feature is fixed on in
    old device earlier than V3.
    
    However, this feature is not fixed in some new devices and it can be
    disabled by user. In this case, it is wrong if rx vlan filter is enabled
    after selftest. So fix it.
    
    Fixes: bcc26e8dc432 ("net: hns3: remove unused code in hns3_self_test()")
    Signed-off-by: Guangbin Huang <huangguangbin2@huawei.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 85e4f5d28d25c40965004c225133457f3bcb0ac9
Author: Peng Li <lipeng321@huawei.com>
Date:   Mon Aug 30 14:06:37 2021 +0800

    net: hns3: reconstruct function hns3_self_test
    
    [ Upstream commit 4c8dab1c709c5a715bce14efdb8f4e889d86aa04 ]
    
    This patch reconstructs function hns3_self_test to reduce the code
    cycle complexity and make code more concise.
    
    Signed-off-by: Peng Li <lipeng321@huawei.com>
    Signed-off-by: Guangbin Huang <huangguangbin2@huawei.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 8e89876c84b23d79a7ea58c3f5c300695a227570
Author: Huazhong Tan <tanhuazhong@huawei.com>
Date:   Fri Mar 26 09:36:25 2021 +0800

    net: hns3: fix prototype warning
    
    [ Upstream commit a1e144d7dc3c55aa4d451e3a23cd8f34cd65ee01 ]
    
    Correct a report warning in hns3_ethtool.c
    
    Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit d4a14faf7919b331d95d87d7d84e36774f9408c4
Author: Jian Shen <shenjian15@huawei.com>
Date:   Wed Sep 29 17:35:53 2021 +0800

    net: hns3: fix show wrong state when add existing uc mac address
    
    [ Upstream commit 108b3c7810e14892c4a1819b1d268a2c785c087c ]
    
    Currently, if function adds an existing unicast mac address, eventhough
    driver will not add this address into hardware, but it will return 0 in
    function hclge_add_uc_addr_common(). It will cause the state of this
    unicast mac address is ACTIVE in driver, but it should be in TO-ADD state.
    
    To fix this problem, function hclge_add_uc_addr_common() returns -EEXIST
    if mac address is existing, and delete two error log to avoid printing
    them all the time after this modification.
    
    Fixes: 72110b567479 ("net: hns3: return 0 and print warning when hit duplicate MAC")
    Signed-off-by: Jian Shen <shenjian15@huawei.com>
    Signed-off-by: Guangbin Huang <huangguangbin2@huawei.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 64dae9551f8af31033836a043f2273fee2a74c55
Author: Jian Shen <shenjian15@huawei.com>
Date:   Wed Sep 29 17:35:52 2021 +0800

    net: hns3: fix mixed flag HCLGE_FLAG_MQPRIO_ENABLE and HCLGE_FLAG_DCB_ENABLE
    
    [ Upstream commit 0472e95ffeac8e61259eec17ab61608c6b35599d ]
    
    HCLGE_FLAG_MQPRIO_ENABLE is supposed to set when enable
    multiple TCs with tc mqprio, and HCLGE_FLAG_DCB_ENABLE is
    supposed to set when enable multiple TCs with ets. But
    the driver mixed the flags when updating the tm configuration.
    
    Furtherly, PFC should be available when HCLGE_FLAG_MQPRIO_ENABLE
    too, so remove the unnecessary limitation.
    
    Fixes: 5a5c90917467 ("net: hns3: add support for tc mqprio offload")
    Signed-off-by: Jian Shen <shenjian15@huawei.com>
    Signed-off-by: Guangbin Huang <huangguangbin2@huawei.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 8d3d27664ef42775c14118c0127d015c687c744f
Author: Yonglong Liu <liuyonglong@huawei.com>
Date:   Sat Nov 28 11:51:50 2020 +0800

    net: hns3: keep MAC pause mode when multiple TCs are enabled
    
    [ Upstream commit d78e5b6a6764cb6e83668806b63d74566db36399 ]
    
    Bellow HNAE3_DEVICE_VERSION_V3, MAC pause mode just support one
    TC, when enabled multiple TCs, force enable PFC mode.
    
    HNAE3_DEVICE_VERSION_V3 can support MAC pause mode on multiple
    TCs, so when enable multiple TCs, just keep MAC pause mode,
    and enable PFC mode just according to the user settings.
    
    Signed-off-by: Yonglong Liu <liuyonglong@huawei.com>
    Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f8ba689cb69523144d10606096ef686002dd7285
Author: Jian Shen <shenjian15@huawei.com>
Date:   Wed Sep 29 17:35:49 2021 +0800

    net: hns3: do not allow call hns3_nic_net_open repeatedly
    
    [ Upstream commit 5b09e88e1bf7fe86540fab4b5f3eece8abead39e ]
    
    hns3_nic_net_open() is not allowed to called repeatly, but there
    is no checking for this. When doing device reset and setup tc
    concurrently, there is a small oppotunity to call hns3_nic_net_open
    repeatedly, and cause kernel bug by calling napi_enable twice.
    
    The calltrace information is like below:
    [ 3078.222780] ------------[ cut here ]------------
    [ 3078.230255] kernel BUG at net/core/dev.c:6991!
    [ 3078.236224] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
    [ 3078.243431] Modules linked in: hns3 hclgevf hclge hnae3 vfio_iommu_type1 vfio_pci vfio_virqfd vfio pv680_mii(O)
    [ 3078.258880] CPU: 0 PID: 295 Comm: kworker/u8:5 Tainted: G           O      5.14.0-rc4+ #1
    [ 3078.269102] Hardware name:  , BIOS KpxxxFPGA 1P B600 V181 08/12/2021
    [ 3078.276801] Workqueue: hclge hclge_service_task [hclge]
    [ 3078.288774] pstate: 60400009 (nZCv daif +PAN -UAO -TCO BTYPE=--)
    [ 3078.296168] pc : napi_enable+0x80/0x84
    tc qdisc sho[w  3d0e7v8 .e3t0h218 79] lr : hns3_nic_net_open+0x138/0x510 [hns3]
    
    [ 3078.314771] sp : ffff8000108abb20
    [ 3078.319099] x29: ffff8000108abb20 x28: 0000000000000000 x27: ffff0820a8490300
    [ 3078.329121] x26: 0000000000000001 x25: ffff08209cfc6200 x24: 0000000000000000
    [ 3078.339044] x23: ffff0820a8490300 x22: ffff08209cd76000 x21: ffff0820abfe3880
    [ 3078.349018] x20: 0000000000000000 x19: ffff08209cd76900 x18: 0000000000000000
    [ 3078.358620] x17: 0000000000000000 x16: ffffc816e1727a50 x15: 0000ffff8f4ff930
    [ 3078.368895] x14: 0000000000000000 x13: 0000000000000000 x12: 0000259e9dbeb6b4
    [ 3078.377987] x11: 0096a8f7e764eb40 x10: 634615ad28d3eab5 x9 : ffffc816ad8885b8
    [ 3078.387091] x8 : ffff08209cfc6fb8 x7 : ffff0820ac0da058 x6 : ffff0820a8490344
    [ 3078.396356] x5 : 0000000000000140 x4 : 0000000000000003 x3 : ffff08209cd76938
    [ 3078.405365] x2 : 0000000000000000 x1 : 0000000000000010 x0 : ffff0820abfe38a0
    [ 3078.414657] Call trace:
    [ 3078.418517]  napi_enable+0x80/0x84
    [ 3078.424626]  hns3_reset_notify_up_enet+0x78/0xd0 [hns3]
    [ 3078.433469]  hns3_reset_notify+0x64/0x80 [hns3]
    [ 3078.441430]  hclge_notify_client+0x68/0xb0 [hclge]
    [ 3078.450511]  hclge_reset_rebuild+0x524/0x884 [hclge]
    [ 3078.458879]  hclge_reset_service_task+0x3c4/0x680 [hclge]
    [ 3078.467470]  hclge_service_task+0xb0/0xb54 [hclge]
    [ 3078.475675]  process_one_work+0x1dc/0x48c
    [ 3078.481888]  worker_thread+0x15c/0x464
    [ 3078.487104]  kthread+0x160/0x170
    [ 3078.492479]  ret_from_fork+0x10/0x18
    [ 3078.498785] Code: c8027c81 35ffffa2 d50323bf d65f03c0 (d4210000)
    [ 3078.506889] ---[ end trace 8ebe0340a1b0fb44 ]---
    
    Once hns3_nic_net_open() is excute success, the flag
    HNS3_NIC_STATE_DOWN will be cleared. So add checking for this
    flag, directly return when HNS3_NIC_STATE_DOWN is no set.
    
    Fixes: e888402789b9 ("net: hns3: call hns3_nic_net_open() while doing HNAE3_UP_CLIENT")
    Signed-off-by: Jian Shen <shenjian15@huawei.com>
    Signed-off-by: Guangbin Huang <huangguangbin2@huawei.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 20f6c4a31a525edd9ea6243712b868ba0e4e331e
Author: Feng Zhou <zhoufeng.zf@bytedance.com>
Date:   Tue Sep 28 15:23:59 2021 -0700

    ixgbe: Fix NULL pointer dereference in ixgbe_xdp_setup
    
    [ Upstream commit 513e605d7a9ce136886cb42ebb2c40e9a6eb6333 ]
    
    The ixgbe driver currently generates a NULL pointer dereference with
    some machine (online cpus < 63). This is due to the fact that the
    maximum value of num_xdp_queues is nr_cpu_ids. Code is in
    "ixgbe_set_rss_queues"".
    
    Here's how the problem repeats itself:
    Some machine (online cpus < 63), And user set num_queues to 63 through
    ethtool. Code is in the "ixgbe_set_channels",
            adapter->ring_feature[RING_F_FDIR].limit = count;
    
    It becomes 63.
    
    When user use xdp, "ixgbe_set_rss_queues" will set queues num.
            adapter->num_rx_queues = rss_i;
            adapter->num_tx_queues = rss_i;
            adapter->num_xdp_queues = ixgbe_xdp_queues(adapter);
    
    And rss_i's value is from
            f = &adapter->ring_feature[RING_F_FDIR];
            rss_i = f->indices = f->limit;
    
    So "num_rx_queues" > "num_xdp_queues", when run to "ixgbe_xdp_setup",
            for (i = 0; i < adapter->num_rx_queues; i++)
                    if (adapter->xdp_ring[i]->xsk_umem)
    
    It leads to panic.
    
    Call trace:
    [exception RIP: ixgbe_xdp+368]
    RIP: ffffffffc02a76a0  RSP: ffff9fe16202f8d0  RFLAGS: 00010297
    RAX: 0000000000000000  RBX: 0000000000000020  RCX: 0000000000000000
    RDX: 0000000000000000  RSI: 000000000000001c  RDI: ffffffffa94ead90
    RBP: ffff92f8f24c0c18   R8: 0000000000000000   R9: 0000000000000000
    R10: ffff9fe16202f830  R11: 0000000000000000  R12: ffff92f8f24c0000
    R13: ffff9fe16202fc01  R14: 000000000000000a  R15: ffffffffc02a7530
    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
     7 [ffff9fe16202f8f0] dev_xdp_install at ffffffffa89fbbcc
     8 [ffff9fe16202f920] dev_change_xdp_fd at ffffffffa8a08808
     9 [ffff9fe16202f960] do_setlink at ffffffffa8a20235
    10 [ffff9fe16202fa88] rtnl_setlink at ffffffffa8a20384
    11 [ffff9fe16202fc78] rtnetlink_rcv_msg at ffffffffa8a1a8dd
    12 [ffff9fe16202fcf0] netlink_rcv_skb at ffffffffa8a717eb
    13 [ffff9fe16202fd40] netlink_unicast at ffffffffa8a70f88
    14 [ffff9fe16202fd80] netlink_sendmsg at ffffffffa8a71319
    15 [ffff9fe16202fdf0] sock_sendmsg at ffffffffa89df290
    16 [ffff9fe16202fe08] __sys_sendto at ffffffffa89e19c8
    17 [ffff9fe16202ff30] __x64_sys_sendto at ffffffffa89e1a64
    18 [ffff9fe16202ff38] do_syscall_64 at ffffffffa84042b9
    19 [ffff9fe16202ff50] entry_SYSCALL_64_after_hwframe at ffffffffa8c0008c
    
    So I fix ixgbe_max_channels so that it will not allow a setting of queues
    to be higher than the num_online_cpus(). And when run to ixgbe_xdp_setup,
    take the smaller value of num_rx_queues and num_xdp_queues.
    
    Fixes: 4a9b32f30f80 ("ixgbe: fix potential RX buffer starvation for AF_XDP")
    Signed-off-by: Feng Zhou <zhoufeng.zf@bytedance.com>
    Tested-by: Sandeep Penigalapati <sandeep.penigalapati@intel.com>
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 16138cf938dc1194ba1dddcd7028080f35322ddc
Author: Rahul Lakkireddy <rahul.lakkireddy@chelsio.com>
Date:   Mon Sep 27 21:44:08 2021 +0530

    scsi: csiostor: Add module softdep on cxgb4
    
    [ Upstream commit 79a7482249a7353bc86aff8127954d5febf02472 ]
    
    Both cxgb4 and csiostor drivers run on their own independent Physical
    Function. But when cxgb4 and csiostor are both being loaded in parallel via
    modprobe, there is a race when firmware upgrade is attempted by both the
    drivers.
    
    When the cxgb4 driver initiates the firmware upgrade, it halts the firmware
    and the chip until upgrade is complete. When the csiostor driver is coming
    up in parallel, the firmware mailbox communication fails with timeouts and
    the csiostor driver probe fails.
    
    Add a module soft dependency on cxgb4 driver to ensure loading csiostor
    triggers cxgb4 to load first when available to avoid the firmware upgrade
    race.
    
    Link: https://lore.kernel.org/r/1632759248-15382-1-git-send-email-rahul.lakkireddy@chelsio.com
    Fixes: a3667aaed569 ("[SCSI] csiostor: Chelsio FCoE offload driver")
    Signed-off-by: Rahul Lakkireddy <rahul.lakkireddy@chelsio.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 0306a2c7df7ebe7c740ecb6c845668401ed3cc8e
Author: Jens Axboe <axboe@kernel.dk>
Date:   Tue Sep 28 06:33:15 2021 -0600

    Revert "block, bfq: honor already-setup queue merges"
    
    [ Upstream commit ebc69e897e17373fbe1daaff1debaa77583a5284 ]
    
    This reverts commit 2d52c58b9c9bdae0ca3df6a1eab5745ab3f7d80b.
    
    We have had several folks complain that this causes hangs for them, which
    is especially problematic as the commit has also hit stable already.
    
    As no resolution seems to be forthcoming right now, revert the patch.
    
    Link: https://bugzilla.kernel.org/show_bug.cgi?id=214503
    Fixes: 2d52c58b9c9b ("block, bfq: honor already-setup queue merges")
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 1f2ca30fbde6387c2c68e7b8fc3bdda3158d2789
Author: Arnd Bergmann <arnd@arndb.de>
Date:   Mon Sep 27 16:13:02 2021 +0200

    net: ks8851: fix link error
    
    [ Upstream commit 51bb08dd04a05035a64504faa47651d36b0f3125 ]
    
    An object file cannot be built for both loadable module and built-in
    use at the same time:
    
    arm-linux-gnueabi-ld: drivers/net/ethernet/micrel/ks8851_common.o: in function `ks8851_probe_common':
    ks8851_common.c:(.text+0xf80): undefined reference to `__this_module'
    
    Change the ks8851_common code to be a standalone module instead,
    and use Makefile logic to ensure this is built-in if at least one
    of its two users is.
    
    Fixes: 797047f875b5 ("net: ks8851: Implement Parallel bus operations")
    Link: https://lore.kernel.org/netdev/20210125121937.3900988-1-arnd@kernel.org/
    Reviewed-by: Andrew Lunn <andrew@lunn.ch>
    Acked-by: Marek Vasut <marex@denx.de>
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f1dd6e10f077cef7f8a073fae759db8e41705ac8
Author: Jiri Benc <jbenc@redhat.com>
Date:   Thu Sep 23 10:40:22 2021 +0200

    selftests, bpf: test_lwt_ip_encap: Really disable rp_filter
    
    [ Upstream commit 79e2c306667542b8ee2d9a9d947eadc7039f0a3c ]
    
    It's not enough to set net.ipv4.conf.all.rp_filter=0, that does not override
    a greater rp_filter value on the individual interfaces. We also need to set
    net.ipv4.conf.default.rp_filter=0 before creating the interfaces. That way,
    they'll also get their own rp_filter value of zero.
    
    Fixes: 0fde56e4385b0 ("selftests: bpf: add test_lwt_ip_encap selftest")
    Signed-off-by: Jiri Benc <jbenc@redhat.com>
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Link: https://lore.kernel.org/bpf/b1cdd9d469f09ea6e01e9c89a6071c79b7380f89.1632386362.git.jbenc@redhat.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 4967ae9ab44b8a92b51859dfdf6b81794a61b9a6
Author: Jiri Benc <jbenc@redhat.com>
Date:   Mon Sep 27 18:01:36 2021 +0200

    selftests, bpf: Fix makefile dependencies on libbpf
    
    [ Upstream commit d888eaac4fb1df30320bb1305a8f78efe86524c6 ]
    
    When building bpf selftest with make -j, I'm randomly getting build failures
    such as this one:
    
      In file included from progs/bpf_flow.c:19:
      [...]/tools/testing/selftests/bpf/tools/include/bpf/bpf_helpers.h:11:10: fatal error: 'bpf_helper_defs.h' file not found
      #include "bpf_helper_defs.h"
               ^~~~~~~~~~~~~~~~~~~
    
    The file that fails the build varies between runs but it's always in the
    progs/ subdir.
    
    The reason is a missing make dependency on libbpf for the .o files in
    progs/. There was a dependency before commit 3ac2e20fba07e but that commit
    removed it to prevent unneeded rebuilds. However, that only works if libbpf
    has been built already; the 'wildcard' prerequisite does not trigger when
    there's no bpf_helper_defs.h generated yet.
    
    Keep the libbpf as an order-only prerequisite to satisfy both goals. It is
    always built before the progs/ objects but it does not trigger unnecessary
    rebuilds by itself.
    
    Fixes: 3ac2e20fba07e ("selftests/bpf: BPF object files should depend only on libbpf headers")
    Signed-off-by: Jiri Benc <jbenc@redhat.com>
    Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Link: https://lore.kernel.org/bpf/ee84ab66436fba05a197f952af23c98d90eb6243.1632758415.git.jbenc@redhat.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 59efda5073abb4fff2ce8c90ca9c2d25882e84a4
Author: Lorenz Bauer <lmb@cloudflare.com>
Date:   Wed Sep 22 12:11:52 2021 +0100

    bpf: Exempt CAP_BPF from checks against bpf_jit_limit
    
    [ Upstream commit 8a98ae12fbefdb583a7696de719a1d57e5e940a2 ]
    
    When introducing CAP_BPF, bpf_jit_charge_modmem() was not changed to treat
    programs with CAP_BPF as privileged for the purpose of JIT memory allocation.
    This means that a program without CAP_BPF can block a program with CAP_BPF
    from loading a program.
    
    Fix this by checking bpf_capable() in bpf_jit_charge_modmem().
    
    Fixes: 2c78ee898d8f ("bpf: Implement CAP_BPF")
    Signed-off-by: Lorenz Bauer <lmb@cloudflare.com>
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Link: https://lore.kernel.org/bpf/20210922111153.19843-1-lmb@cloudflare.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f908072391a653776d7ce9e23d63d3789a6c4b7d
Author: Yixing Liu <liuyixing1@huawei.com>
Date:   Fri Dec 11 09:37:36 2020 +0800

    RDMA/hns: Fix inaccurate prints
    
    [ Upstream commit 61918e9b008492f48577692428aca3cebf56111a ]
    
    Some %d in print format string should be %u, and some prints miss the
    useful errno or are in nonstandard format. Just fix above issues.
    
    Link: https://lore.kernel.org/r/1607650657-35992-11-git-send-email-liweihang@huawei.com
    Signed-off-by: Yixing Liu <liuyixing1@huawei.com>
    Signed-off-by: Weihang Li <liweihang@huawei.com>
    Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 7e3eda32b88140252f11c81b100bda4a43f4a727
Author: Jacob Keller <jacob.e.keller@intel.com>
Date:   Wed Sep 8 10:52:37 2021 -0700

    e100: fix buffer overrun in e100_get_regs
    
    [ Upstream commit 51032e6f17ce990d06123ad7307f258c50d25aa7 ]
    
    The e100_get_regs function is used to implement a simple register dump
    for the e100 device. The data is broken into a couple of MAC control
    registers, and then a series of PHY registers, followed by a memory dump
    buffer.
    
    The total length of the register dump is defined as (1 + E100_PHY_REGS)
    * sizeof(u32) + sizeof(nic->mem->dump_buf).
    
    The logic for filling in the PHY registers uses a convoluted inverted
    count for loop which counts from E100_PHY_REGS (0x1C) down to 0, and
    assigns the slots 1 + E100_PHY_REGS - i. The first loop iteration will
    fill in [1] and the final loop iteration will fill in [1 + 0x1C]. This
    is actually one more than the supposed number of PHY registers.
    
    The memory dump buffer is then filled into the space at
    [2 + E100_PHY_REGS] which will cause that memcpy to assign 4 bytes past
    the total size.
    
    The end result is that we overrun the total buffer size allocated by the
    kernel, which could lead to a panic or other issues due to memory
    corruption.
    
    It is difficult to determine the actual total number of registers
    here. The only 8255x datasheet I could find indicates there are 28 total
    MDI registers. However, we're reading 29 here, and reading them in
    reverse!
    
    In addition, the ethtool e100 register dump interface appears to read
    the first PHY register to determine if the device is in MDI or MDIx
    mode. This doesn't appear to be documented anywhere within the 8255x
    datasheet. I can only assume it must be in register 28 (the extra
    register we're reading here).
    
    Lets not change any of the intended meaning of what we copy here. Just
    extend the space by 4 bytes to account for the extra register and
    continue copying the data out in the same order.
    
    Change the E100_PHY_REGS value to be the correct total (29) so that the
    total register dump size is calculated properly. Fix the offset for
    where we copy the dump buffer so that it doesn't overrun the total size.
    
    Re-write the for loop to use counting up instead of the convoluted
    down-counting. Correct the mdio_read offset to use the 0-based register
    offsets, but maintain the bizarre reverse ordering so that we have the
    ABI expected by applications like ethtool. This requires and additional
    subtraction of 1. It seems a bit odd but it makes the flow of assignment
    into the register buffer easier to follow.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Reported-by: Felicitas Hetzelt <felicitashetzelt@gmail.com>
    Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
    Tested-by: Jacob Keller <jacob.e.keller@intel.com>
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f2edf80cdd0316e9e3452437e9797e948b8271bf
Author: Jacob Keller <jacob.e.keller@intel.com>
Date:   Wed Sep 8 10:52:36 2021 -0700

    e100: fix length calculation in e100_get_regs_len
    
    [ Upstream commit 4329c8dc110b25d5f04ed20c6821bb60deff279f ]
    
    commit abf9b902059f ("e100: cleanup unneeded math") tried to simplify
    e100_get_regs_len and remove a double 'divide and then multiply'
    calculation that the e100_reg_regs_len function did.
    
    This change broke the size calculation entirely as it failed to account
    for the fact that the numbered registers are actually 4 bytes wide and
    not 1 byte. This resulted in a significant under allocation of the
    register buffer used by e100_get_regs.
    
    Fix this by properly multiplying the register count by u32 first before
    adding the size of the dump buffer.
    
    Fixes: abf9b902059f ("e100: cleanup unneeded math")
    Reported-by: Felicitas Hetzelt <felicitashetzelt@gmail.com>
    Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit c20a0ad7b6a054d77c3f20660befe77eaae3f24d
Author: Andrew Lunn <andrew@lunn.ch>
Date:   Sun Sep 26 19:41:26 2021 +0200

    dsa: mv88e6xxx: Include tagger overhead when setting MTU for DSA and CPU ports
    
    [ Upstream commit b9c587fed61cf88bd45822c3159644445f6d5aa6 ]
    
    Same members of the Marvell Ethernet switches impose MTU restrictions
    on ports used for connecting to the CPU or another switch for DSA. If
    the MTU is set too low, tagged frames will be discarded. Ensure the
    worst case tagger overhead is included in setting the MTU for DSA and
    CPU ports.
    
    Fixes: 1baf0fac10fb ("net: dsa: mv88e6xxx: Use chip-wide max frame size for MTU")
    Reported by: 曹煜 <cao88yu@gmail.com>
    Signed-off-by: Andrew Lunn <andrew@lunn.ch>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 7b771b12229e82dac66cf0090d0774475a3c662c
Author: Andrew Lunn <andrew@lunn.ch>
Date:   Sun Sep 26 19:41:25 2021 +0200

    dsa: mv88e6xxx: Fix MTU definition
    
    [ Upstream commit b92ce2f54c0f0ff781e914ec189c25f7bf1b1ec2 ]
    
    The MTU passed to the DSA driver is the payload size, typically 1500.
    However, the switch uses the frame size when applying restrictions.
    Adjust the MTU with the size of the Ethernet header and the frame
    checksum. The VLAN header also needs to be included when the frame
    size it per port, but not when it is global.
    
    Fixes: 1baf0fac10fb ("net: dsa: mv88e6xxx: Use chip-wide max frame size for MTU")
    Reported by: 曹煜 <cao88yu@gmail.com>
    Signed-off-by: Andrew Lunn <andrew@lunn.ch>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit ee4d0495a65e366538063907c8b4459245620e0c
Author: Andrew Lunn <andrew@lunn.ch>
Date:   Sun Sep 26 19:41:24 2021 +0200

    dsa: mv88e6xxx: 6161: Use chip wide MAX MTU
    
    [ Upstream commit fe23036192c95b66e60d019d2ec1814d0d561ffd ]
    
    The datasheets suggests the 6161 uses a per port setting for jumbo
    frames. Testing has however shown this is not correct, it uses the old
    style chip wide MTU control. Change the ops in the 6161 structure to
    reflect this.
    
    Fixes: 1baf0fac10fb ("net: dsa: mv88e6xxx: Use chip-wide max frame size for MTU")
    Reported by: 曹煜 <cao88yu@gmail.com>
    Signed-off-by: Andrew Lunn <andrew@lunn.ch>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit d35d95e8b9da638d27bce9552262e0c486138343
Author: Matthew Auld <matthew.auld@intel.com>
Date:   Tue Sep 21 14:42:02 2021 +0100

    drm/i915/request: fix early tracepoints
    
    [ Upstream commit c83ff0186401169eb27ce5057d820b7a863455c3 ]
    
    Currently we blow up in trace_dma_fence_init, when calling into
    get_driver_name or get_timeline_name, since both the engine and context
    might be NULL(or contain some garbage address) in the case of newly
    allocated slab objects via the request ctor. Note that we also use
    SLAB_TYPESAFE_BY_RCU here, which allows requests to be immediately
    freed, but delay freeing the underlying page by an RCU grace period.
    With this scheme requests can be re-allocated, at the same time as they
    are also being read by some lockless RCU lookup mechanism.
    
    In the ctor case, which is only called for new slab objects(i.e allocate
    new page and call the ctor for each object) it's safe to reset the
    context/engine prior to calling into dma_fence_init, since we can be
    certain that no one is doing an RCU lookup which might depend on peeking
    at the engine/context, like in active_engine(), since the object can't
    yet be externally visible.
    
    In the recycled case(which might also be externally visible) the request
    refcount always transitions from 0->1 after we set the context/engine
    etc, which should ensure it's valid to dereference the engine for
    example, when doing an RCU list-walk, so long as we can also increment
    the refcount first. If the refcount is already zero, then the request is
    considered complete/released.  If it's non-zero, then the request might
    be in the process of being re-allocated, or potentially still in flight,
    however after successfully incrementing the refcount, it's possible to
    carefully inspect the request state, to determine if the request is
    still what we were looking for. Note that all externally visible
    requests returned to the cache must have zero refcount.
    
    One possible fix then is to move dma_fence_init out from the request
    ctor. Originally this was how it was done, but it was moved in:
    
    commit 855e39e65cfc33a73724f1cc644ffc5754864a20
    Author: Chris Wilson <chris@chris-wilson.co.uk>
    Date:   Mon Feb 3 09:41:48 2020 +0000
    
        drm/i915: Initialise basic fence before acquiring seqno
    
    where it looks like intel_timeline_get_seqno() relied on some of the
    rq->fence state, but that is no longer the case since:
    
    commit 12ca695d2c1ed26b2dcbb528b42813bd0f216cfc
    Author: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
    Date:   Tue Mar 23 16:49:50 2021 +0100
    
        drm/i915: Do not share hwsp across contexts any more, v8.
    
    intel_timeline_get_seqno() could also be cleaned up slightly by dropping
    the request argument.
    
    Moving dma_fence_init back out of the ctor, should ensure we have enough
    of the request initialised in case of trace_dma_fence_init.
    Functionally this should be the same, and is effectively what we were
    already open coding before, except now we also assign the fence->lock
    and fence->ops, but since these are invariant for recycled
    requests(which might be externally visible), and will therefore already
    hold the same value, it shouldn't matter.
    
    An alternative fix, since we don't yet have a fully initialised request
    when in the ctor, is just setting the context/engine as NULL, but this
    does require adding some extra handling in get_driver_name etc.
    
    v2(Daniel):
      - Try to make the commit message less confusing
    
    Fixes: 855e39e65cfc ("drm/i915: Initialise basic fence before acquiring seqno")
    Signed-off-by: Matthew Auld <matthew.auld@intel.com>
    Cc: Michael Mason <michael.w.mason@intel.com>
    Cc: Daniel Vetter <daniel@ffwll.ch>
    Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
    Link: https://patchwork.freedesktop.org/patch/msgid/20210921134202.3803151-1-matthew.auld@intel.com
    (cherry picked from commit be988eaee1cb208c4445db46bc3ceaf75f586f0b)
    Signed-off-by: Jani Nikula <jani.nikula@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 8321738c6e5ab8c85983c3ac5d7d36e0ccc451ae
Author: Aaro Koskinen <aaro.koskinen@iki.fi>
Date:   Fri Sep 24 01:00:16 2021 +0300

    smsc95xx: fix stalled rx after link change
    
    [ Upstream commit 5ab8a447bcfee1ded709e7ff5dc7608ca9f66ae2 ]
    
    After commit 05b35e7eb9a1 ("smsc95xx: add phylib support"), link changes
    are no longer propagated to usbnet. As a result, rx URB allocation won't
    happen until there is a packet sent out first (this might never happen,
    e.g. running just ssh server with a static IP). Fix by triggering usbnet
    EVENT_LINK_CHANGE.
    
    Fixes: 05b35e7eb9a1 ("smsc95xx: add phylib support")
    Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 8de12ad9162ca2648c82d631c47c2f7de565aa73
Author: Xiao Liang <shaw.leon@gmail.com>
Date:   Thu Sep 23 23:03:19 2021 +0800

    net: ipv4: Fix rtnexthop len when RTA_FLOW is present
    
    [ Upstream commit 597aa16c782496bf74c5dc3b45ff472ade6cee64 ]
    
    Multipath RTA_FLOW is embedded in nexthop. Dump it in fib_add_nexthop()
    to get the length of rtnexthop correct.
    
    Fixes: b0f60193632e ("ipv4: Refactor nexthop attributes in fib_dump_info")
    Signed-off-by: Xiao Liang <shaw.leon@gmail.com>
    Reviewed-by: David Ahern <dsahern@kernel.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit b22c5e2c8e0380430a1c6d9ccbac8cb19d4ce986
Author: Vladimir Oltean <vladimir.oltean@nxp.com>
Date:   Thu Sep 23 16:23:33 2021 +0300

    net: enetc: fix the incorrect clearing of IF_MODE bits
    
    [ Upstream commit 325fd36ae76a6d089983b2d2eccb41237d35b221 ]
    
    The enetc phylink .mac_config handler intends to clear the IFMODE field
    (bits 1:0) of the PM0_IF_MODE register, but incorrectly clears all the
    other fields instead.
    
    For normal operation, the bug was inconsequential, due to the fact that
    we write the PM0_IF_MODE register in two stages, first in
    phylink .mac_config (which incorrectly cleared out a bunch of stuff),
    then we update the speed and duplex to the correct values in
    phylink .mac_link_up.
    
    Judging by the code (not tested), it looks like maybe loopback mode was
    broken, since this is one of the settings in PM0_IF_MODE which is
    incorrectly cleared.
    
    Fixes: c76a97218dcb ("net: enetc: force the RGMII speed and duplex instead of operating in inband mode")
    Reported-by: Pavel Machek (CIP) <pavel@denx.de>
    Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 5ee40530b0a6eaae24f77c63411bb1216caab0e2
Author: Paul Fertser <fercerpav@gmail.com>
Date:   Fri Sep 24 12:30:11 2021 +0300

    hwmon: (tmp421) fix rounding for negative values
    
    [ Upstream commit 724e8af85854c4d3401313b6dd7d79cf792d8990 ]
    
    Old code produces -24999 for 0b1110011100000000 input in standard format due to
    always rounding up rather than "away from zero".
    
    Use the common macro for division, unify and simplify the conversion code along
    the way.
    
    Fixes: 9410700b881f ("hwmon: Add driver for Texas Instruments TMP421/422/423 sensor chips")
    Signed-off-by: Paul Fertser <fercerpav@gmail.com>
    Link: https://lore.kernel.org/r/20210924093011.26083-3-fercerpav@gmail.com
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 89d96f147d82c74f8ec1e2812695fbf89ec3e7ee
Author: Paul Fertser <fercerpav@gmail.com>
Date:   Fri Sep 24 12:30:10 2021 +0300

    hwmon: (tmp421) report /PVLD condition as fault
    
    [ Upstream commit 540effa7f283d25bcc13c0940d808002fee340b8 ]
    
    For both local and remote sensors all the supported ICs can report an
    "undervoltage lockout" condition which means the conversion wasn't
    properly performed due to insufficient power supply voltage and so the
    measurement results can't be trusted.
    
    Fixes: 9410700b881f ("hwmon: Add driver for Texas Instruments TMP421/422/423 sensor chips")
    Signed-off-by: Paul Fertser <fercerpav@gmail.com>
    Link: https://lore.kernel.org/r/20210924093011.26083-2-fercerpav@gmail.com
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 560271d09f780726f52f65cb6f19f0e95084abdc
Author: Florian Westphal <fw@strlen.de>
Date:   Thu Sep 23 17:04:11 2021 -0700

    mptcp: don't return sockets in foreign netns
    
    [ Upstream commit ea1300b9df7c8e8b65695a08b8f6aaf4b25fec9c ]
    
    mptcp_token_get_sock() may return a mptcp socket that is in
    a different net namespace than the socket that received the token value.
    
    The mptcp syncookie code path had an explicit check for this,
    this moves the test into mptcp_token_get_sock() function.
    
    Eventually token.c should be converted to pernet storage, but
    such change is not suitable for net tree.
    
    Fixes: 2c5ebd001d4f0 ("mptcp: refactor token container")
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 9c6591ae8e63f93c895ad5e2703c36c548aac997
Author: Xin Long <lucien.xin@gmail.com>
Date:   Thu Sep 23 00:05:04 2021 -0400

    sctp: break out if skb_header_pointer returns NULL in sctp_rcv_ootb
    
    [ Upstream commit f7e745f8e94492a8ac0b0a26e25f2b19d342918f ]
    
    We should always check if skb_header_pointer's return is NULL before
    using it, otherwise it may cause null-ptr-deref, as syzbot reported:
    
      KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
      RIP: 0010:sctp_rcv_ootb net/sctp/input.c:705 [inline]
      RIP: 0010:sctp_rcv+0x1d84/0x3220 net/sctp/input.c:196
      Call Trace:
      <IRQ>
       sctp6_rcv+0x38/0x60 net/sctp/ipv6.c:1109
       ip6_protocol_deliver_rcu+0x2e9/0x1ca0 net/ipv6/ip6_input.c:422
       ip6_input_finish+0x62/0x170 net/ipv6/ip6_input.c:463
       NF_HOOK include/linux/netfilter.h:307 [inline]
       NF_HOOK include/linux/netfilter.h:301 [inline]
       ip6_input+0x9c/0xd0 net/ipv6/ip6_input.c:472
       dst_input include/net/dst.h:460 [inline]
       ip6_rcv_finish net/ipv6/ip6_input.c:76 [inline]
       NF_HOOK include/linux/netfilter.h:307 [inline]
       NF_HOOK include/linux/netfilter.h:301 [inline]
       ipv6_rcv+0x28c/0x3c0 net/ipv6/ip6_input.c:297
    
    Fixes: 3acb50c18d8d ("sctp: delay as much as possible skb_linearize")
    Reported-by: syzbot+581aff2ae6b860625116@syzkaller.appspotmail.com
    Signed-off-by: Xin Long <lucien.xin@gmail.com>
    Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 2c204cf594df3b9468368dc9d0b24d482d93cda7
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Wed Sep 15 11:29:37 2021 +0200

    mac80211-hwsim: fix late beacon hrtimer handling
    
    [ Upstream commit 313bbd1990b6ddfdaa7da098d0c56b098a833572 ]
    
    Thomas explained in https://lore.kernel.org/r/87mtoeb4hb.ffs@tglx
    that our handling of the hrtimer here is wrong: If the timer fires
    late (e.g. due to vCPU scheduling, as reported by Dmitry/syzbot)
    then it tries to actually rearm the timer at the next deadline,
    which might be in the past already:
    
     1          2          3          N          N+1
     |          |          |   ...    |          |
    
     ^ intended to fire here (1)
                ^ next deadline here (2)
                                          ^ actually fired here
    
    The next time it fires, it's later, but will still try to schedule
    for the next deadline (now 3), etc. until it catches up with N,
    but that might take a long time, causing stalls etc.
    
    Now, all of this is simulation, so we just have to fix it, but
    note that the behaviour is wrong even per spec, since there's no
    value then in sending all those beacons unaligned - they should be
    aligned to the TBTT (1, 2, 3, ... in the picture), and if we're a
    bit (or a lot) late, then just resume at that point.
    
    Therefore, change the code to use hrtimer_forward_now() which will
    ensure that the next firing of the timer would be at N+1 (in the
    picture), i.e. the next interval point after the current time.
    
    Suggested-by: Thomas Gleixner <tglx@linutronix.de>
    Reported-by: Dmitry Vyukov <dvyukov@google.com>
    Reported-by: syzbot+0e964fad69a9c462bc1e@syzkaller.appspotmail.com
    Fixes: 01e59e467ecf ("mac80211_hwsim: hrtimer beacon")
    Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
    Link: https://lore.kernel.org/r/20210915112936.544f383472eb.I3f9712009027aa09244b65399bf18bf482a8c4f1@changeid
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 8576e72ac5d651c3ef41afc54b657bed7e9a69d7
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Mon Sep 20 15:40:05 2021 +0200

    mac80211: mesh: fix potentially unaligned access
    
    [ Upstream commit b9731062ce8afd35cf723bf3a8ad55d208f915a5 ]
    
    The pointer here points directly into the frame, so the
    access is potentially unaligned. Use get_unaligned_le16
    to avoid that.
    
    Fixes: 3f52b7e328c5 ("mac80211: mesh power save basics")
    Link: https://lore.kernel.org/r/20210920154009.3110ff75be0c.Ib6a2ff9e9cc9bc6fca50fce631ec1ce725cc926b@changeid
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 1282bb00835ff79d2d9c023055d514df5b4de260
Author: Lorenzo Bianconi <lorenzo@kernel.org>
Date:   Mon Sep 20 14:45:22 2021 +0200

    mac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap
    
    [ Upstream commit 13cb6d826e0ac0d144b0d48191ff1a111d32f0c6 ]
    
    Limit max values for vht mcs and nss in ieee80211_parse_tx_radiotap
    routine in order to fix the following warning reported by syzbot:
    
    WARNING: CPU: 0 PID: 10717 at include/net/mac80211.h:989 ieee80211_rate_set_vht include/net/mac80211.h:989 [inline]
    WARNING: CPU: 0 PID: 10717 at include/net/mac80211.h:989 ieee80211_parse_tx_radiotap+0x101e/0x12d0 net/mac80211/tx.c:2244
    Modules linked in:
    CPU: 0 PID: 10717 Comm: syz-executor.5 Not tainted 5.14.0-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    RIP: 0010:ieee80211_rate_set_vht include/net/mac80211.h:989 [inline]
    RIP: 0010:ieee80211_parse_tx_radiotap+0x101e/0x12d0 net/mac80211/tx.c:2244
    RSP: 0018:ffffc9000186f3e8 EFLAGS: 00010216
    RAX: 0000000000000618 RBX: ffff88804ef76500 RCX: ffffc900143a5000
    RDX: 0000000000040000 RSI: ffffffff888f478e RDI: 0000000000000003
    RBP: 00000000ffffffff R08: 0000000000000000 R09: 0000000000000100
    R10: ffffffff888f46f9 R11: 0000000000000000 R12: 00000000fffffff8
    R13: ffff88804ef7653c R14: 0000000000000001 R15: 0000000000000004
    FS:  00007fbf5718f700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000001b2de23000 CR3: 000000006a671000 CR4: 00000000001506f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
    Call Trace:
     ieee80211_monitor_select_queue+0xa6/0x250 net/mac80211/iface.c:740
     netdev_core_pick_tx+0x169/0x2e0 net/core/dev.c:4089
     __dev_queue_xmit+0x6f9/0x3710 net/core/dev.c:4165
     __bpf_tx_skb net/core/filter.c:2114 [inline]
     __bpf_redirect_no_mac net/core/filter.c:2139 [inline]
     __bpf_redirect+0x5ba/0xd20 net/core/filter.c:2162
     ____bpf_clone_redirect net/core/filter.c:2429 [inline]
     bpf_clone_redirect+0x2ae/0x420 net/core/filter.c:2401
     bpf_prog_eeb6f53a69e5c6a2+0x59/0x234
     bpf_dispatcher_nop_func include/linux/bpf.h:717 [inline]
     __bpf_prog_run include/linux/filter.h:624 [inline]
     bpf_prog_run include/linux/filter.h:631 [inline]
     bpf_test_run+0x381/0xa30 net/bpf/test_run.c:119
     bpf_prog_test_run_skb+0xb84/0x1ee0 net/bpf/test_run.c:663
     bpf_prog_test_run kernel/bpf/syscall.c:3307 [inline]
     __sys_bpf+0x2137/0x5df0 kernel/bpf/syscall.c:4605
     __do_sys_bpf kernel/bpf/syscall.c:4691 [inline]
     __se_sys_bpf kernel/bpf/syscall.c:4689 [inline]
     __x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:4689
     do_syscall_x64 arch/x86/entry/common.c:50 [inline]
     do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x44/0xae
    RIP: 0033:0x4665f9
    
    Reported-by: syzbot+0196ac871673f0c20f68@syzkaller.appspotmail.com
    Fixes: 646e76bb5daf4 ("mac80211: parse VHT info in injected frames")
    Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
    Link: https://lore.kernel.org/r/c26c3f02dcb38ab63b2f2534cb463d95ee81bb13.1632141760.git.lorenzo@kernel.org
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3748871e1215834a5671849162afbcc4328f7f96
Author: Chih-Kang Chang <gary.chang@realtek.com>
Date:   Mon Aug 30 15:32:40 2021 +0800

    mac80211: Fix ieee80211_amsdu_aggregate frag_tail bug
    
    [ Upstream commit fe94bac626d9c1c5bc98ab32707be8a9d7f8adba ]
    
    In ieee80211_amsdu_aggregate() set a pointer frag_tail point to the
    end of skb_shinfo(head)->frag_list, and use it to bind other skb in
    the end of this function. But when execute ieee80211_amsdu_aggregate()
    ->ieee80211_amsdu_realloc_pad()->pskb_expand_head(), the address of
    skb_shinfo(head)->frag_list will be changed. However, the
    ieee80211_amsdu_aggregate() not update frag_tail after call
    pskb_expand_head(). That will cause the second skb can't bind to the
    head skb appropriately.So we update the address of frag_tail to fix it.
    
    Fixes: 6e0456b54545 ("mac80211: add A-MSDU tx support")
    Signed-off-by: Chih-Kang Chang <gary.chang@realtek.com>
    Signed-off-by: Zong-Zhe Yang <kevin_yang@realtek.com>
    Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
    Link: https://lore.kernel.org/r/20210830073240.12736-1-pkshih@realtek.com
    [reword comment]
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 76bbb482d33bfcd7e9070ecf594c9ec73e01c930
Author: Vadim Pasternak <vadimp@nvidia.com>
Date:   Thu Sep 16 21:31:51 2021 +0300

    hwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced from sysfs
    
    [ Upstream commit e6fab7af6ba1bc77c78713a83876f60ca7a4a064 ]
    
    Fan speed minimum can be enforced from sysfs. For example, setting
    current fan speed to 20 is used to enforce fan speed to be at 100%
    speed, 19 - to be not below 90% speed, etcetera. This feature provides
    ability to limit fan speed according to some system wise
    considerations, like absence of some replaceable units or high system
    ambient temperature.
    
    Request for changing fan minimum speed is configuration request and can
    be set only through 'sysfs' write procedure. In this situation value of
    argument 'state' is above nominal fan speed maximum.
    
    Return non-zero code in this case to avoid
    thermal_cooling_device_stats_update() call, because in this case
    statistics update violates thermal statistics table range.
    The issues is observed in case kernel is configured with option
    CONFIG_THERMAL_STATISTICS.
    
    Here is the trace from KASAN:
    [  159.506659] BUG: KASAN: slab-out-of-bounds in thermal_cooling_device_stats_update+0x7d/0xb0
    [  159.516016] Read of size 4 at addr ffff888116163840 by task hw-management.s/7444
    [  159.545625] Call Trace:
    [  159.548366]  dump_stack+0x92/0xc1
    [  159.552084]  ? thermal_cooling_device_stats_update+0x7d/0xb0
    [  159.635869]  thermal_zone_device_update+0x345/0x780
    [  159.688711]  thermal_zone_device_set_mode+0x7d/0xc0
    [  159.694174]  mlxsw_thermal_modules_init+0x48f/0x590 [mlxsw_core]
    [  159.700972]  ? mlxsw_thermal_set_cur_state+0x5a0/0x5a0 [mlxsw_core]
    [  159.731827]  mlxsw_thermal_init+0x763/0x880 [mlxsw_core]
    [  160.070233] RIP: 0033:0x7fd995909970
    [  160.074239] Code: 73 01 c3 48 8b 0d 28 d5 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 99 2d 2c 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ..
    [  160.095242] RSP: 002b:00007fff54f5d938 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
    [  160.103722] RAX: ffffffffffffffda RBX: 0000000000000013 RCX: 00007fd995909970
    [  160.111710] RDX: 0000000000000013 RSI: 0000000001906008 RDI: 0000000000000001
    [  160.119699] RBP: 0000000001906008 R08: 00007fd995bc9760 R09: 00007fd996210700
    [  160.127687] R10: 0000000000000073 R11: 0000000000000246 R12: 0000000000000013
    [  160.135673] R13: 0000000000000001 R14: 00007fd995bc8600 R15: 0000000000000013
    [  160.143671]
    [  160.145338] Allocated by task 2924:
    [  160.149242]  kasan_save_stack+0x19/0x40
    [  160.153541]  __kasan_kmalloc+0x7f/0xa0
    [  160.157743]  __kmalloc+0x1a2/0x2b0
    [  160.161552]  thermal_cooling_device_setup_sysfs+0xf9/0x1a0
    [  160.167687]  __thermal_cooling_device_register+0x1b5/0x500
    [  160.173833]  devm_thermal_of_cooling_device_register+0x60/0xa0
    [  160.180356]  mlxreg_fan_probe+0x474/0x5e0 [mlxreg_fan]
    [  160.248140]
    [  160.249807] The buggy address belongs to the object at ffff888116163400
    [  160.249807]  which belongs to the cache kmalloc-1k of size 1024
    [  160.263814] The buggy address is located 64 bytes to the right of
    [  160.263814]  1024-byte region [ffff888116163400, ffff888116163800)
    [  160.277536] The buggy address belongs to the page:
    [  160.282898] page:0000000012275840 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888116167000 pfn:0x116160
    [  160.294872] head:0000000012275840 order:3 compound_mapcount:0 compound_pincount:0
    [  160.303251] flags: 0x200000000010200(slab|head|node=0|zone=2)
    [  160.309694] raw: 0200000000010200 ffffea00046f7208 ffffea0004928208 ffff88810004dbc0
    [  160.318367] raw: ffff888116167000 00000000000a0006 00000001ffffffff 0000000000000000
    [  160.327033] page dumped because: kasan: bad access detected
    [  160.333270]
    [  160.334937] Memory state around the buggy address:
    [  160.356469] >ffff888116163800: fc ..
    
    Fixes: 65afb4c8e7e4 ("hwmon: (mlxreg-fan) Add support for Mellanox FAN driver")
    Signed-off-by: Vadim Pasternak <vadimp@nvidia.com>
    Link: https://lore.kernel.org/r/20210916183151.869427-1-vadimp@nvidia.com
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit c61736a994fe68b0e5498e4e84e1c9108dc41075
Author: Piotr Krysiuk <piotras@gmail.com>
Date:   Wed Sep 15 17:04:37 2021 +0100

    bpf, mips: Validate conditional branch offsets
    
    [ Upstream commit 37cb28ec7d3a36a5bace7063a3dba633ab110f8b ]
    
    The conditional branch instructions on MIPS use 18-bit signed offsets
    allowing for a branch range of 128 KBytes (backward and forward).
    However, this limit is not observed by the cBPF JIT compiler, and so
    the JIT compiler emits out-of-range branches when translating certain
    cBPF programs. A specific example of such a cBPF program is included in
    the "BPF_MAXINSNS: exec all MSH" test from lib/test_bpf.c that executes
    anomalous machine code containing incorrect branch offsets under JIT.
    
    Furthermore, this issue can be abused to craft undesirable machine
    code, where the control flow is hijacked to execute arbitrary Kernel
    code.
    
    The following steps can be used to reproduce the issue:
    
      # echo 1 > /proc/sys/net/core/bpf_jit_enable
      # modprobe test_bpf test_name="BPF_MAXINSNS: exec all MSH"
    
    This should produce multiple warnings from build_bimm() similar to:
    
      ------------[ cut here ]------------
      WARNING: CPU: 0 PID: 209 at arch/mips/mm/uasm-mips.c:210 build_insn+0x558/0x590
      Micro-assembler field overflow
      Modules linked in: test_bpf(+)
      CPU: 0 PID: 209 Comm: modprobe Not tainted 5.14.3 #1
      Stack : 00000000 807bb824 82b33c9c 801843c0 00000000 00000004 00000000 63c9b5ee
              82b33af4 80999898 80910000 80900000 82fd6030 00000001 82b33a98 82087180
              00000000 00000000 80873b28 00000000 000000fc 82b3394c 00000000 2e34312e
              6d6d6f43 809a180f 809a1836 6f6d203a 80900000 00000001 82b33bac 80900000
              00027f80 00000000 00000000 807bb824 00000000 804ed790 001cc317 00000001
      [...]
      Call Trace:
      [<80108f44>] show_stack+0x38/0x118
      [<807a7aac>] dump_stack_lvl+0x5c/0x7c
      [<807a4b3c>] __warn+0xcc/0x140
      [<807a4c3c>] warn_slowpath_fmt+0x8c/0xb8
      [<8011e198>] build_insn+0x558/0x590
      [<8011e358>] uasm_i_bne+0x20/0x2c
      [<80127b48>] build_body+0xa58/0x2a94
      [<80129c98>] bpf_jit_compile+0x114/0x1e4
      [<80613fc4>] bpf_prepare_filter+0x2ec/0x4e4
      [<8061423c>] bpf_prog_create+0x80/0xc4
      [<c0a006e4>] test_bpf_init+0x300/0xba8 [test_bpf]
      [<8010051c>] do_one_initcall+0x50/0x1d4
      [<801c5e54>] do_init_module+0x60/0x220
      [<801c8b20>] sys_finit_module+0xc4/0xfc
      [<801144d0>] syscall_common+0x34/0x58
      [...]
      ---[ end trace a287d9742503c645 ]---
    
    Then the anomalous machine code executes:
    
    => 0xc0a18000:  addiu   sp,sp,-16
       0xc0a18004:  sw      s3,0(sp)
       0xc0a18008:  sw      s4,4(sp)
       0xc0a1800c:  sw      s5,8(sp)
       0xc0a18010:  sw      ra,12(sp)
       0xc0a18014:  move    s5,a0
       0xc0a18018:  move    s4,zero
       0xc0a1801c:  move    s3,zero
    
       # __BPF_STMT(BPF_LDX | BPF_B | BPF_MSH, 0)
       0xc0a18020:  lui     t6,0x8012
       0xc0a18024:  ori     t4,t6,0x9e14
       0xc0a18028:  li      a1,0
       0xc0a1802c:  jalr    t4
       0xc0a18030:  move    a0,s5
       0xc0a18034:  bnez    v0,0xc0a1ffb8           # incorrect branch offset
       0xc0a18038:  move    v0,zero
       0xc0a1803c:  andi    s4,s3,0xf
       0xc0a18040:  b       0xc0a18048
       0xc0a18044:  sll     s4,s4,0x2
       [...]
    
       # __BPF_STMT(BPF_LDX | BPF_B | BPF_MSH, 0)
       0xc0a1ffa0:  lui     t6,0x8012
       0xc0a1ffa4:  ori     t4,t6,0x9e14
       0xc0a1ffa8:  li      a1,0
       0xc0a1ffac:  jalr    t4
       0xc0a1ffb0:  move    a0,s5
       0xc0a1ffb4:  bnez    v0,0xc0a1ffb8           # incorrect branch offset
       0xc0a1ffb8:  move    v0,zero
       0xc0a1ffbc:  andi    s4,s3,0xf
       0xc0a1ffc0:  b       0xc0a1ffc8
       0xc0a1ffc4:  sll     s4,s4,0x2
    
       # __BPF_STMT(BPF_LDX | BPF_B | BPF_MSH, 0)
       0xc0a1ffc8:  lui     t6,0x8012
       0xc0a1ffcc:  ori     t4,t6,0x9e14
       0xc0a1ffd0:  li      a1,0
       0xc0a1ffd4:  jalr    t4
       0xc0a1ffd8:  move    a0,s5
       0xc0a1ffdc:  bnez    v0,0xc0a3ffb8           # correct branch offset
       0xc0a1ffe0:  move    v0,zero
       0xc0a1ffe4:  andi    s4,s3,0xf
       0xc0a1ffe8:  b       0xc0a1fff0
       0xc0a1ffec:  sll     s4,s4,0x2
       [...]
    
       # epilogue
       0xc0a3ffb8:  lw      s3,0(sp)
       0xc0a3ffbc:  lw      s4,4(sp)
       0xc0a3ffc0:  lw      s5,8(sp)
       0xc0a3ffc4:  lw      ra,12(sp)
       0xc0a3ffc8:  addiu   sp,sp,16
       0xc0a3ffcc:  jr      ra
       0xc0a3ffd0:  nop
    
    To mitigate this issue, we assert the branch ranges for each emit call
    that could generate an out-of-range branch.
    
    Fixes: 36366e367ee9 ("MIPS: BPF: Restore MIPS32 cBPF JIT")
    Fixes: c6610de353da ("MIPS: net: Add BPF JIT")
    Signed-off-by: Piotr Krysiuk <piotras@gmail.com>
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Tested-by: Johan Almbladh <johan.almbladh@anyfinetworks.com>
    Acked-by: Johan Almbladh <johan.almbladh@anyfinetworks.com>
    Cc: Paul Burton <paulburton@kernel.org>
    Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
    Link: https://lore.kernel.org/bpf/20210915160437.4080-1-piotras@gmail.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3f4e68902d2e545033c80d7ad62fd9a439e573f4
Author: Tao Liu <thomas.liu@ucloud.cn>
Date:   Mon Sep 13 17:33:44 2021 +0800

    RDMA/cma: Fix listener leak in rdma_cma_listen_on_all() failure
    
    [ Upstream commit ca465e1f1f9b38fe916a36f7d80c5d25f2337c81 ]
    
    If cma_listen_on_all() fails it leaves the per-device ID still on the
    listen_list but the state is not set to RDMA_CM_ADDR_BOUND.
    
    When the cmid is eventually destroyed cma_cancel_listens() is not called
    due to the wrong state, however the per-device IDs are still holding the
    refcount preventing the ID from being destroyed, thus deadlocking:
    
     task:rping state:D stack:   0 pid:19605 ppid: 47036 flags:0x00000084
     Call Trace:
      __schedule+0x29a/0x780
      ? free_unref_page_commit+0x9b/0x110
      schedule+0x3c/0xa0
      schedule_timeout+0x215/0x2b0
      ? __flush_work+0x19e/0x1e0
      wait_for_completion+0x8d/0xf0
      _destroy_id+0x144/0x210 [rdma_cm]
      ucma_close_id+0x2b/0x40 [rdma_ucm]
      __destroy_id+0x93/0x2c0 [rdma_ucm]
      ? __xa_erase+0x4a/0xa0
      ucma_destroy_id+0x9a/0x120 [rdma_ucm]
      ucma_write+0xb8/0x130 [rdma_ucm]
      vfs_write+0xb4/0x250
      ksys_write+0xb5/0xd0
      ? syscall_trace_enter.isra.19+0x123/0x190
      do_syscall_64+0x33/0x40
      entry_SYSCALL_64_after_hwframe+0x44/0xa9
    
    Ensure that cma_listen_on_all() atomically unwinds its action under the
    lock during error.
    
    Fixes: c80a0c52d85c ("RDMA/cma: Add missing error handling of listen_id")
    Link: https://lore.kernel.org/r/20210913093344.17230-1-thomas.liu@ucloud.cn
    Signed-off-by: Tao Liu <thomas.liu@ucloud.cn>
    Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
    Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 62ba3c50104b405b522bf539eebf70cf0dce8fcd
Author: Christoph Lameter <cl@gentwo.de>
Date:   Wed Sep 8 13:43:28 2021 +0200

    IB/cma: Do not send IGMP leaves for sendonly Multicast groups
    
    [ Upstream commit 2cc74e1ee31d00393b6698ec80b322fd26523da4 ]
    
    ROCE uses IGMP for Multicast instead of the native Infiniband system where
    joins are required in order to post messages on the Multicast group.  On
    Ethernet one can send Multicast messages to arbitrary addresses without
    the need to subscribe to a group.
    
    So ROCE correctly does not send IGMP joins during rdma_join_multicast().
    
    F.e. in cma_iboe_join_multicast() we see:
    
       if (addr->sa_family == AF_INET) {
                    if (gid_type == IB_GID_TYPE_ROCE_UDP_ENCAP) {
                            ib.rec.hop_limit = IPV6_DEFAULT_HOPLIMIT;
                            if (!send_only) {
                                    err = cma_igmp_send(ndev, &ib.rec.mgid,
                                                        true);
                            }
                    }
            } else {
    
    So the IGMP join is suppressed as it is unnecessary.
    
    However no such check is done in destroy_mc(). And therefore leaving a
    sendonly multicast group will send an IGMP leave.
    
    This means that the following scenario can lead to a multicast receiver
    unexpectedly being unsubscribed from a MC group:
    
    1. Sender thread does a sendonly join on MC group X. No IGMP join
       is sent.
    
    2. Receiver thread does a regular join on the same MC Group x.
       IGMP join is sent and the receiver begins to get messages.
    
    3. Sender thread terminates and destroys MC group X.
       IGMP leave is sent and the receiver no longer receives data.
    
    This patch adds the same logic for sendonly joins to destroy_mc() that is
    also used in cma_iboe_join_multicast().
    
    Fixes: ab15c95a17b3 ("IB/core: Support for CMA multicast join flags")
    Link: https://lore.kernel.org/r/alpine.DEB.2.22.394.2109081340540.668072@gentwo.de
    Signed-off-by: Christoph Lameter <cl@linux.com>
    Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit d93f65586c59a555dc4ef2fe365d32457bef0fde
Author: Hou Tao <houtao1@huawei.com>
Date:   Tue Sep 14 10:33:51 2021 +0800

    bpf: Handle return value of BPF_PROG_TYPE_STRUCT_OPS prog
    
    [ Upstream commit 356ed64991c6847a0c4f2e8fa3b1133f7a14f1fc ]
    
    Currently if a function ptr in struct_ops has a return value, its
    caller will get a random return value from it, because the return
    value of related BPF_PROG_TYPE_STRUCT_OPS prog is just dropped.
    
    So adding a new flag BPF_TRAMP_F_RET_FENTRY_RET to tell bpf trampoline
    to save and return the return value of struct_ops prog if ret_size of
    the function ptr is greater than 0. Also restricting the flag to be
    used alone.
    
    Fixes: 85d33df357b6 ("bpf: Introduce BPF_MAP_TYPE_STRUCT_OPS")
    Signed-off-by: Hou Tao <houtao1@huawei.com>
    Signed-off-by: Alexei Starovoitov <ast@kernel.org>
    Acked-by: Martin KaFai Lau <kafai@fb.com>
    Link: https://lore.kernel.org/bpf/20210914023351.3664499-1-houtao1@huawei.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 12cbdaeeb5d4dfde7a8c2f9eed93bcfa4f4653cd
Author: Andrea Claudi <aclaudi@redhat.com>
Date:   Fri Sep 10 18:08:39 2021 +0200

    ipvs: check that ip_vs_conn_tab_bits is between 8 and 20
    
    [ Upstream commit 69e73dbfda14fbfe748d3812da1244cce2928dcb ]
    
    ip_vs_conn_tab_bits may be provided by the user through the
    conn_tab_bits module parameter. If this value is greater than 31, or
    less than 0, the shift operator used to derive tab_size causes undefined
    behaviour.
    
    Fix this checking ip_vs_conn_tab_bits value to be in the range specified
    in ipvs Kconfig. If not, simply use default value.
    
    Fixes: 6f7edb4881bf ("IPVS: Allow boot time change of hash size")
    Reported-by: Yi Chen <yiche@redhat.com>
    Signed-off-by: Andrea Claudi <aclaudi@redhat.com>
    Acked-by: Julian Anastasov <ja@ssi.bg>
    Acked-by: Simon Horman <horms@verge.net.au>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 9f382e1edf90ae03be43dbd4976c2a332cd7ce2d
Author: Hawking Zhang <Hawking.Zhang@amd.com>
Date:   Sun Sep 26 22:19:35 2021 +0800

    drm/amdgpu: correct initial cp_hqd_quantum for gfx9
    
    commit 9f52c25f59b504a29dda42d83ac1e24d2af535d4 upstream.
    
    didn't read the value of mmCP_HQD_QUANTUM from correct
    register offset
    
    Signed-off-by: Hawking Zhang <Hawking.Zhang@amd.com>
    Reviewed-by: Le Ma <Le.Ma@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c331fad63b6d527193ae8b7c056b2f10fef53c81
Author: Charlene Liu <Charlene.Liu@amd.com>
Date:   Mon Sep 20 14:30:02 2021 -0400

    drm/amd/display: Pass PCI deviceid into DC
    
    commit d942856865c733ff60450de9691af796ad71d7bc upstream.
    
    [why]
    pci deviceid not passed to dal dc, without proper break,
    dcn2.x falls into dcn3.x code path
    
    [how]
    pass in pci deviceid, and break once dal_version initialized.
    
    Reviewed-by: Zhan Liu <Zhan.Liu@amd.com>
    Acked-by: Anson Jacob <Anson.Jacob@amd.com>
    Signed-off-by: Charlene Liu <Charlene.Liu@amd.com>
    Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0a16c9751e0f1de96f08643216cf1f19e8a5a787
Author: Jason Gunthorpe <jgg@ziepe.ca>
Date:   Wed Sep 15 17:21:43 2021 -0300

    RDMA/cma: Do not change route.addr.src_addr.ss_family
    
    commit bc0bdc5afaa740d782fbf936aaeebd65e5c2921d upstream.
    
    If the state is not idle then rdma_bind_addr() will immediately fail and
    no change to global state should happen.
    
    For instance if the state is already RDMA_CM_LISTEN then this will corrupt
    the src_addr and would cause the test in cma_cancel_operation():
    
                    if (cma_any_addr(cma_src_addr(id_priv)) && !id_priv->cma_dev)
    
    To view a mangled src_addr, eg with a IPv6 loopback address but an IPv4
    family, failing the test.
    
    This would manifest as this trace from syzkaller:
    
      BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0 lib/list_debug.c:26
      Read of size 8 at addr ffff8881546491e0 by task syz-executor.1/32204
    
      CPU: 1 PID: 32204 Comm: syz-executor.1 Not tainted 5.12.0-rc8-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:79 [inline]
       dump_stack+0x141/0x1d7 lib/dump_stack.c:120
       print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:232
       __kasan_report mm/kasan/report.c:399 [inline]
       kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416
       __list_add_valid+0x93/0xa0 lib/list_debug.c:26
       __list_add include/linux/list.h:67 [inline]
       list_add_tail include/linux/list.h:100 [inline]
       cma_listen_on_all drivers/infiniband/core/cma.c:2557 [inline]
       rdma_listen+0x787/0xe00 drivers/infiniband/core/cma.c:3751
       ucma_listen+0x16a/0x210 drivers/infiniband/core/ucma.c:1102
       ucma_write+0x259/0x350 drivers/infiniband/core/ucma.c:1732
       vfs_write+0x28e/0xa30 fs/read_write.c:603
       ksys_write+0x1ee/0x250 fs/read_write.c:658
       do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
       entry_SYSCALL_64_after_hwframe+0x44/0xae
    
    Which is indicating that an rdma_id_private was destroyed without doing
    cma_cancel_listens().
    
    Instead of trying to re-use the src_addr memory to indirectly create an
    any address build one explicitly on the stack and bind to that as any
    other normal flow would do.
    
    Link: https://lore.kernel.org/r/0-v1-9fbb33f5e201+2a-cma_listen_jgg@nvidia.com
    Cc: stable@vger.kernel.org
    Fixes: 732d41c545bb ("RDMA/cma: Make the locking for automatic state transition more clear")
    Reported-by: syzbot+6bb0528b13611047209c@syzkaller.appspotmail.com
    Tested-by: Hao Sun <sunhao.th@gmail.com>
    Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
    Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 31a13f039e15e6e16d30081cd07a8bbb1d9526e3
Author: Sean Young <sean@mess.org>
Date:   Tue Sep 14 16:57:46 2021 +0200

    media: ir_toy: prevent device from hanging during transmit
    
    commit f0c15b360fb65ee39849afe987c16eb3d0175d0d upstream.
    
    If the IR Toy is receiving IR while a transmit is done, it may end up
    hanging. We can prevent this from happening by re-entering sample mode
    just before issuing the transmit command.
    
    Link: https://github.com/bengtmartensson/HarcHardware/discussions/25
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Sean Young <sean@mess.org>
    Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 249e5e5a501ee69b26d55b68f863671396e62f7f
Author: Sean Christopherson <seanjc@google.com>
Date:   Wed Sep 1 13:30:26 2021 -0700

    KVM: rseq: Update rseq when processing NOTIFY_RESUME on xfer to KVM guest
    
    commit 8646e53633f314e4d746a988240d3b951a92f94a upstream.
    
    Invoke rseq's NOTIFY_RESUME handler when processing the flag prior to
    transferring to a KVM guest, which is roughly equivalent to an exit to
    userspace and processes many of the same pending actions.  While the task
    cannot be in an rseq critical section as the KVM path is reachable only
    by via ioctl(KVM_RUN), the side effects that apply to rseq outside of a
    critical section still apply, e.g. the current CPU needs to be updated if
    the task is migrated.
    
    Clearing TIF_NOTIFY_RESUME without informing rseq can lead to segfaults
    and other badness in userspace VMMs that use rseq in combination with KVM,
    e.g. due to the CPU ID being stale after task migration.
    
    Fixes: 72c3c0fe54a3 ("x86/kvm: Use generic xfer to guest work function")
    Reported-by: Peter Foley <pefoley@google.com>
    Bisected-by: Doug Evans <dje@google.com>
    Acked-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
    Cc: Shakeel Butt <shakeelb@google.com>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: stable@vger.kernel.org
    Signed-off-by: Sean Christopherson <seanjc@google.com>
    Message-Id: <20210901203030.1292304-2-seanjc@google.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    [sean: Resolve benign conflict due to unrelated access_ok() check in 5.10]
    Signed-off-by: Sean Christopherson <seanjc@google.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3778511dfc5941b0ee99d1040faab5c69e51dfac
Author: Vitaly Kuznetsov <vkuznets@redhat.com>
Date:   Tue Sep 7 18:35:30 2021 +0200

    KVM: nVMX: Filter out all unsupported controls when eVMCS was activated
    
    commit 8d68bad6d869fae8f4d50ab6423538dec7da72d1 upstream.
    
    Windows Server 2022 with Hyper-V role enabled failed to boot on KVM when
    enlightened VMCS is advertised. Debugging revealed there are two exposed
    secondary controls it is not happy with: SECONDARY_EXEC_ENABLE_VMFUNC and
    SECONDARY_EXEC_SHADOW_VMCS. These controls are known to be unsupported,
    as there are no corresponding fields in eVMCSv1 (see the comment above
    EVMCS1_UNSUPPORTED_2NDEXEC definition).
    
    Previously, commit 31de3d2500e4 ("x86/kvm/hyper-v: move VMX controls
    sanitization out of nested_enable_evmcs()") introduced the required
    filtering mechanism for VMX MSRs but for some reason put only known
    to be problematic (and not full EVMCS1_UNSUPPORTED_* lists) controls
    there.
    
    Note, Windows Server 2022 seems to have gained some sanity check for VMX
    MSRs: it doesn't even try to launch a guest when there's something it
    doesn't like, nested_evmcs_check_controls() mechanism can't catch the
    problem.
    
    Let's be bold this time and instead of playing whack-a-mole just filter out
    all unsupported controls from VMX MSRs.
    
    Fixes: 31de3d2500e4 ("x86/kvm/hyper-v: move VMX controls sanitization out of nested_enable_evmcs()")
    Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
    Message-Id: <20210907163530.110066-1-vkuznets@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4ed671e6bc62325729311dbc75c6db52d10233a7
Author: Maxim Levitsky <mlevitsk@redhat.com>
Date:   Tue Sep 14 18:48:16 2021 +0300

    KVM: x86: nSVM: don't copy virt_ext from vmcb12
    
    commit faf6b755629627f19feafa75b32e81cd7738f12d upstream.
    
    These field correspond to features that we don't expose yet to L2
    
    While currently there are no CVE worthy features in this field,
    if AMD adds more features to this field, that could allow guest
    escapes similar to CVE-2021-3653 and CVE-2021-3656.
    
    Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
    Message-Id: <20210914154825.104886-6-mlevitsk@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bebabb76ad9acca8858e0371e102fb60d708e25b
Author: Vitaly Kuznetsov <vkuznets@redhat.com>
Date:   Fri Aug 27 11:25:14 2021 +0200

    KVM: x86: Fix stack-out-of-bounds memory access from ioapic_write_indirect()
    
    commit 2f9b68f57c6278c322793a06063181deded0ad69 upstream.
    
    KASAN reports the following issue:
    
     BUG: KASAN: stack-out-of-bounds in kvm_make_vcpus_request_mask+0x174/0x440 [kvm]
     Read of size 8 at addr ffffc9001364f638 by task qemu-kvm/4798
    
     CPU: 0 PID: 4798 Comm: qemu-kvm Tainted: G               X --------- ---
     Hardware name: AMD Corporation DAYTONA_X/DAYTONA_X, BIOS RYM0081C 07/13/2020
     Call Trace:
      dump_stack+0xa5/0xe6
      print_address_description.constprop.0+0x18/0x130
      ? kvm_make_vcpus_request_mask+0x174/0x440 [kvm]
      __kasan_report.cold+0x7f/0x114
      ? kvm_make_vcpus_request_mask+0x174/0x440 [kvm]
      kasan_report+0x38/0x50
      kasan_check_range+0xf5/0x1d0
      kvm_make_vcpus_request_mask+0x174/0x440 [kvm]
      kvm_make_scan_ioapic_request_mask+0x84/0xc0 [kvm]
      ? kvm_arch_exit+0x110/0x110 [kvm]
      ? sched_clock+0x5/0x10
      ioapic_write_indirect+0x59f/0x9e0 [kvm]
      ? static_obj+0xc0/0xc0
      ? __lock_acquired+0x1d2/0x8c0
      ? kvm_ioapic_eoi_inject_work+0x120/0x120 [kvm]
    
    The problem appears to be that 'vcpu_bitmap' is allocated as a single long
    on stack and it should really be KVM_MAX_VCPUS long. We also seem to clear
    the lower 16 bits of it with bitmap_zero() for no particular reason (my
    guess would be that 'bitmap' and 'vcpu_bitmap' variables in
    kvm_bitmap_or_dest_vcpus() caused the confusion: while the later is indeed
    16-bit long, the later should accommodate all possible vCPUs).
    
    Fixes: 7ee30bc132c6 ("KVM: x86: deliver KVM IOAPIC scan request to target vCPUs")
    Fixes: 9a2ae9f6b6bb ("KVM: x86: Zero the IOAPIC scan request dest vCPUs bitmap")
    Reported-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
    Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
    Reviewed-by: Maxim Levitsky <mlevitsk@redhat.com>
    Reviewed-by: Sean Christopherson <seanjc@google.com>
    Message-Id: <20210827092516.1027264-7-vkuznets@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 782122ae7db0c4af199a0fdb4d03fcc1e2c7b734
Author: Zelin Deng <zelin.deng@linux.alibaba.com>
Date:   Wed Sep 29 13:13:48 2021 +0800

    x86/kvmclock: Move this_cpu_pvti into kvmclock.h
    
    commit ad9af930680bb396c87582edc172b3a7cf2a3fbf upstream.
    
    There're other modules might use hv_clock_per_cpu variable like ptp_kvm,
    so move it into kvmclock.h and export the symbol to make it visiable to
    other modules.
    
    Signed-off-by: Zelin Deng <zelin.deng@linux.alibaba.com>
    Cc: <stable@vger.kernel.org>
    Message-Id: <1632892429-101194-2-git-send-email-zelin.deng@linux.alibaba.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 57de2dcb18742dc2860861c9f496da7d42b67da0
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Mon Sep 27 11:58:39 2021 +0200

    mac80211: fix use-after-free in CCMP/GCMP RX
    
    commit 94513069eb549737bcfc3d988d6ed4da948a2de8 upstream.
    
    When PN checking is done in mac80211, for fragmentation we need
    to copy the PN to the RX struct so we can later use it to do a
    comparison, since commit bf30ca922a0c ("mac80211: check defrag
    PN against current frame").
    
    Unfortunately, in that commit I used the 'hdr' variable without
    it being necessarily valid, so use-after-free could occur if it
    was necessary to reallocate (parts of) the frame.
    
    Fix this by reloading the variable after the code that results
    in the reallocations, if any.
    
    This fixes https://bugzilla.kernel.org/show_bug.cgi?id=214401.
    
    Cc: stable@vger.kernel.org
    Fixes: bf30ca922a0c ("mac80211: check defrag PN against current frame")
    Link: https://lore.kernel.org/r/20210927115838.12b9ac6bb233.I1d066acd5408a662c3b6e828122cd314fcb28cdb@changeid
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 201ba843fef53d7098ed30d359046938e3b50193
Author: Jonathan Hsu <jonathan.hsu@mediatek.com>
Date:   Fri Sep 24 16:58:48 2021 +0800

    scsi: ufs: Fix illegal offset in UPIU event trace
    
    commit e8c2da7e329ce004fee748b921e4c765dc2fa338 upstream.
    
    Fix incorrect index for UTMRD reference in ufshcd_add_tm_upiu_trace().
    
    Link: https://lore.kernel.org/r/20210924085848.25500-1-jonathan.hsu@mediatek.com
    Fixes: 4b42d557a8ad ("scsi: ufs: core: Fix wrong Task Tag used in task management request UPIUs")
    Cc: stable@vger.kernel.org
    Reviewed-by: Stanley Chu <stanley.chu@mediatek.com>
    Reviewed-by: Bart Van Assche <bvanassche@acm.org>
    Signed-off-by: Jonathan Hsu <jonathan.hsu@mediatek.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bd4e446a6947528f6ea7e0e7f19031a4389a4017
Author: Andrey Gusakov <andrey.gusakov@cogentembedded.com>
Date:   Thu Sep 23 20:22:16 2021 +0300

    gpio: pca953x: do not ignore i2c errors
    
    commit 540cffbab8b8e6c52a4121666ca18d6e94586ed2 upstream.
    
    Per gpio_chip interface, error shall be proparated to the caller.
    
    Attempt to silent diagnostics by returning zero (as written in the
    comment) is plain wrong, because the zero return can be interpreted by
    the caller as the gpio value.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Andrey Gusakov <andrey.gusakov@cogentembedded.com>
    Signed-off-by: Nikita Yushchenko <nikita.yoush@cogentembedded.com>
    Signed-off-by: Bartosz Golaszewski <brgl@bgdev.pl>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 516d9055039017a20a698103be2b556b4c976bb8
Author: Nadezda Lutovinova <lutovinova@ispras.ru>
Date:   Tue Sep 21 18:51:51 2021 +0300

    hwmon: (w83791d) Fix NULL pointer dereference by removing unnecessary structure field
    
    commit 943c15ac1b84d378da26bba41c83c67e16499ac4 upstream.
    
    If driver read val value sufficient for
    (val & 0x08) && (!(val & 0x80)) && ((val & 0x7) == ((val >> 4) & 0x7))
    from device then Null pointer dereference occurs.
    (It is possible if tmp = 0b0xyz1xyz, where same literals mean same numbers)
    Also lm75[] does not serve a purpose anymore after switching to
    devm_i2c_new_dummy_device() in w83791d_detect_subclients().
    
    The patch fixes possible NULL pointer dereference by removing lm75[].
    
    Found by Linux Driver Verification project (linuxtesting.org).
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Nadezda Lutovinova <lutovinova@ispras.ru>
    Link: https://lore.kernel.org/r/20210921155153.28098-1-lutovinova@ispras.ru
    [groeck: Dropped unnecessary continuation lines, fixed multi-line alignment]
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1499bb2c3a87a2efea0065adab2bd66badee61c3
Author: Nadezda Lutovinova <lutovinova@ispras.ru>
Date:   Tue Sep 21 18:51:52 2021 +0300

    hwmon: (w83792d) Fix NULL pointer dereference by removing unnecessary structure field
    
    commit 0f36b88173f028e372668ae040ab1a496834d278 upstream.
    
    If driver read val value sufficient for
    (val & 0x08) && (!(val & 0x80)) && ((val & 0x7) == ((val >> 4) & 0x7))
    from device then Null pointer dereference occurs.
    (It is possible if tmp = 0b0xyz1xyz, where same literals mean same numbers)
    Also lm75[] does not serve a purpose anymore after switching to
    devm_i2c_new_dummy_device() in w83791d_detect_subclients().
    
    The patch fixes possible NULL pointer dereference by removing lm75[].
    
    Found by Linux Driver Verification project (linuxtesting.org).
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Nadezda Lutovinova <lutovinova@ispras.ru>
    Link: https://lore.kernel.org/r/20210921155153.28098-2-lutovinova@ispras.ru
    [groeck: Dropped unnecessary continuation lines, fixed multipline alignment]
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7c4fd5de39f273626a2b0f3a446d2cc85cd47616
Author: Nadezda Lutovinova <lutovinova@ispras.ru>
Date:   Tue Sep 21 18:51:53 2021 +0300

    hwmon: (w83793) Fix NULL pointer dereference by removing unnecessary structure field
    
    commit dd4d747ef05addab887dc8ff0d6ab9860bbcd783 upstream.
    
    If driver read tmp value sufficient for
    (tmp & 0x08) && (!(tmp & 0x80)) && ((tmp & 0x7) == ((tmp >> 4) & 0x7))
    from device then Null pointer dereference occurs.
    (It is possible if tmp = 0b0xyz1xyz, where same literals mean same numbers)
    Also lm75[] does not serve a purpose anymore after switching to
    devm_i2c_new_dummy_device() in w83791d_detect_subclients().
    
    The patch fixes possible NULL pointer dereference by removing lm75[].
    
    Found by Linux Driver Verification project (linuxtesting.org).
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Nadezda Lutovinova <lutovinova@ispras.ru>
    Link: https://lore.kernel.org/r/20210921155153.28098-3-lutovinova@ispras.ru
    [groeck: Dropped unnecessary continuation lines, fixed multi-line alignments]
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 196dabd96bbfd8b816aeeb9b7a59bd489ed0ac89
Author: Paul Fertser <fercerpav@gmail.com>
Date:   Fri Sep 24 12:30:09 2021 +0300

    hwmon: (tmp421) handle I2C errors
    
    commit 2938b2978a70d4cc10777ee71c9e512ffe4e0f4b upstream.
    
    Function i2c_smbus_read_byte_data() can return a negative error number
    instead of the data read if I2C transaction failed for whatever reason.
    
    Lack of error checking can lead to serious issues on production
    hardware, e.g. errors treated as temperatures produce spurious critical
    temperature-crossed-threshold errors in BMC logs for OCP server
    hardware. The patch was tested with Mellanox OCP Mezzanine card
    emulating TMP421 protocol for temperature sensing which sometimes leads
    to I2C protocol error during early boot up stage.
    
    Fixes: 9410700b881f ("hwmon: Add driver for Texas Instruments TMP421/422/423 sensor chips")
    Cc: stable@vger.kernel.org
    Signed-off-by: Paul Fertser <fercerpav@gmail.com>
    Link: https://lore.kernel.org/r/20210924093011.26083-1-fercerpav@gmail.com
    [groeck: dropped unnecessary line breaks]
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 23a6dfa10f0379509b334ee6db428488b7fbe0a0
Author: Eric Biggers <ebiggers@google.com>
Date:   Thu Sep 16 13:34:24 2021 -0700

    fs-verity: fix signed integer overflow with i_size near S64_MAX
    
    commit 80f6e3080bfcf865062a926817b3ca6c4a137a57 upstream.
    
    If the file size is almost S64_MAX, the calculated number of Merkle tree
    levels exceeds FS_VERITY_MAX_LEVELS, causing FS_IOC_ENABLE_VERITY to
    fail.  This is unintentional, since as the comment above the definition
    of FS_VERITY_MAX_LEVELS states, it is enough for over U64_MAX bytes of
    data using SHA-256 and 4K blocks.  (Specifically, 4096*128**8 >= 2**64.)
    
    The bug is actually that when the number of blocks in the first level is
    calculated from i_size, there is a signed integer overflow due to i_size
    being signed.  Fix this by treating i_size as unsigned.
    
    This was found by the new test "generic: test fs-verity EFBIG scenarios"
    (https://lkml.kernel.org/r/b1d116cd4d0ea74b9cd86f349c672021e005a75c.1631558495.git.boris@bur.io).
    
    This didn't affect ext4 or f2fs since those have a smaller maximum file
    size, but it did affect btrfs which allows files up to S64_MAX bytes.
    
    Reported-by: Boris Burkov <boris@bur.io>
    Fixes: 3fda4c617e84 ("fs-verity: implement FS_IOC_ENABLE_VERITY ioctl")
    Fixes: fd2d1acfcadf ("fs-verity: add the hook for file ->open()")
    Cc: <stable@vger.kernel.org> # v5.4+
    Reviewed-by: Boris Burkov <boris@bur.io>
    Link: https://lore.kernel.org/r/20210916203424.113376-1-ebiggers@kernel.org
    Signed-off-by: Eric Biggers <ebiggers@google.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d1d0016e4a7d317c7680f63e61f717c066157b57
Author: Jia He <justin.he@arm.com>
Date:   Wed Sep 22 23:29:19 2021 +0800

    ACPI: NFIT: Use fallback node id when numa info in NFIT table is incorrect
    
    commit f060db99374e80e853ac4916b49f0a903f65e9dc upstream.
    
    When ACPI NFIT table is failing to populate correct numa information
    on arm64, dax_kmem will get NUMA_NO_NODE from the NFIT driver.
    
    Without this patch, pmem can't be probed as RAM devices on arm64 guest:
      $ndctl create-namespace -fe namespace0.0 --mode=devdax --map=dev -s 1g -a 128M
      kmem dax0.0: rejecting DAX region [mem 0x240400000-0x2bfffffff] with invalid node: -1
      kmem: probe of dax0.0 failed with error -22
    
    Suggested-by: Dan Williams <dan.j.williams@intel.com>
    Signed-off-by: Jia He <justin.he@arm.com>
    Cc: <stable@vger.kernel.org>
    Fixes: c221c0b0308f ("device-dax: "Hotplug" persistent memory for use like normal RAM")
    Link: https://lore.kernel.org/r/20210922152919.6940-1-justin.he@arm.com
    Signed-off-by: Dan Williams <dan.j.williams@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e9edc7bc611a2c3b3079677abe97e7fa9db596ce
Author: Cameron Berkenpas <cam@neo-zeon.de>
Date:   Mon Sep 13 14:26:29 2021 -0700

    ALSA: hda/realtek: Quirks to enable speaker output for Lenovo Legion 7i 15IMHG05, Yoga 7i 14ITL5/15ITL5, and 13s Gen2 laptops.
    
    commit ad7cc2d41b7a8d0c5c5ecff37c3de7a4e137b3a6 upstream.
    
    This patch initializes and enables speaker output on the Lenovo Legion 7i
    15IMHG05, Yoga 7i 14ITL5/15ITL5, and 13s Gen2 series of laptops using the
    HDA verb sequence specific to each model.
    
    Speaker automute is suppressed for the Lenovo Legion 7i 15IMHG05 to avoid
    breaking speaker output on resume and when devices are unplugged from its
    headphone jack.
    
    Thanks to: Andreas Holzer, Vincent Morel, sycxyc, Max Christian Pohle and
    all others that helped.
    
    [ minor coding style fixes by tiwai ]
    
    BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=208555
    Signed-off-by: Cameron Berkenpas <cam@neo-zeon.de>
    Cc: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20210913212627.339362-1-cam@neo-zeon.de
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 23115ca7d22718662418a79962551ad42033cbd3
Author: Pawel Laszczak <pawell@cadence.com>
Date:   Tue Sep 7 08:26:19 2021 +0200

    usb: cdns3: fix race condition before setting doorbell
    
    [ Upstream commit b69ec50b3e55c4b2a85c8bc46763eaf330605847 ]
    
    For DEV_VER_V3 version there exist race condition between clearing
    ep_sts.EP_STS_TRBERR and setting ep_cmd.EP_CMD_DRDY bit.
    Setting EP_CMD_DRDY will be ignored by controller when
    EP_STS_TRBERR is set. So, between these two instructions we have
    a small time gap in which the EP_STSS_TRBERR can be set. In such case
    the transfer will not start after setting doorbell.
    
    Fixes: 7733f6c32e36 ("usb: cdns3: Add Cadence USB3 DRD Driver")
    cc: <stable@vger.kernel.org> # 5.12.x
    Tested-by: Aswath Govindraju <a-govindraju@ti.com>
    Reviewed-by: Aswath Govindraju <a-govindraju@ti.com>
    Signed-off-by: Pawel Laszczak <pawell@cadence.com>
    Link: https://lore.kernel.org/r/20210907062619.34622-1-pawell@gli-login.cadence.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3945c481360caee7d496c95b5c73afe923a1c7cd
Author: James Morse <james.morse@arm.com>
Date:   Tue Sep 14 16:56:23 2021 +0000

    cpufreq: schedutil: Destroy mutex before kobject_put() frees the memory
    
    [ Upstream commit cdef1196608892b9a46caa5f2b64095a7f0be60c ]
    
    Since commit e5c6b312ce3c ("cpufreq: schedutil: Use kobject release()
    method to free sugov_tunables") kobject_put() has kfree()d the
    attr_set before gov_attr_set_put() returns.
    
    kobject_put() isn't the last user of attr_set in gov_attr_set_put(),
    the subsequent mutex_destroy() triggers a use-after-free:
    | BUG: KASAN: use-after-free in mutex_is_locked+0x20/0x60
    | Read of size 8 at addr ffff000800ca4250 by task cpuhp/2/20
    |
    | CPU: 2 PID: 20 Comm: cpuhp/2 Not tainted 5.15.0-rc1 #12369
    | Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development
    | Platform, BIOS EDK II Jul 30 2018
    | Call trace:
    |  dump_backtrace+0x0/0x380
    |  show_stack+0x1c/0x30
    |  dump_stack_lvl+0x8c/0xb8
    |  print_address_description.constprop.0+0x74/0x2b8
    |  kasan_report+0x1f4/0x210
    |  kasan_check_range+0xfc/0x1a4
    |  __kasan_check_read+0x38/0x60
    |  mutex_is_locked+0x20/0x60
    |  mutex_destroy+0x80/0x100
    |  gov_attr_set_put+0xfc/0x150
    |  sugov_exit+0x78/0x190
    |  cpufreq_offline.isra.0+0x2c0/0x660
    |  cpuhp_cpufreq_offline+0x14/0x24
    |  cpuhp_invoke_callback+0x430/0x6d0
    |  cpuhp_thread_fun+0x1b0/0x624
    |  smpboot_thread_fn+0x5e0/0xa6c
    |  kthread+0x3a0/0x450
    |  ret_from_fork+0x10/0x20
    
    Swap the order of the calls.
    
    Fixes: e5c6b312ce3c ("cpufreq: schedutil: Use kobject release() method to free sugov_tunables")
    Cc: 4.7+ <stable@vger.kernel.org> # 4.7+
    Signed-off-by: James Morse <james.morse@arm.com>
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 2193cf76f43acdbd87b8609c7206f0b414b241d9
Author: Saurav Kashyap <skashyap@marvell.com>
Date:   Mon Aug 9 21:37:18 2021 -0700

    scsi: qla2xxx: Changes to support kdump kernel for NVMe BFS
    
    [ Upstream commit 4a0a542fe5e4273baf9228459ef3f75c29490cba ]
    
    The MSI-X and MSI calls fails in kdump kernel. Because of this
    qla2xxx_create_qpair() fails leading to .create_queue callback failure.
    The fix is to return existing qpair instead of allocating new one and
    allocate a single hw queue.
    
    [   19.975838] qla2xxx [0000:d8:00.1]-00c7:11: MSI-X: Failed to enable support,
    giving   up -- 16/-28.
    [   19.984885] qla2xxx [0000:d8:00.1]-0037:11: Falling back-to MSI mode --
    ret=-28.
    [   19.992278] qla2xxx [0000:d8:00.1]-0039:11: Falling back-to INTa mode --
    ret=-28.
    ..
    ..
    ..
    [   21.141518] qla2xxx [0000:d8:00.0]-2104:2: qla_nvme_alloc_queue: handle
    00000000e7ee499d, idx =1, qsize 32
    [   21.151166] qla2xxx [0000:d8:00.0]-0181:2: FW/Driver is not multi-queue capable.
    [   21.158558] qla2xxx [0000:d8:00.0]-2122:2: Failed to allocate qpair
    [   21.164824] nvme nvme0: NVME-FC{0}: reset: Reconnect attempt failed (-22)
    [   21.171612] nvme nvme0: NVME-FC{0}: Reconnect attempt in 2 seconds
    
    Link: https://lore.kernel.org/r/20210810043720.1137-13-njavali@marvell.com
    Cc: stable@vger.kernel.org
    Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
    Signed-off-by: Saurav Kashyap <skashyap@marvell.com>
    Signed-off-by: Nilesh Javali <njavali@marvell.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit a7d4fc84404d45d72f4490417e8cc3efa4af93f1
Author: Kevin Hao <haokexin@gmail.com>
Date:   Thu Aug 5 15:29:17 2021 +0800

    cpufreq: schedutil: Use kobject release() method to free sugov_tunables
    
    [ Upstream commit e5c6b312ce3cc97e90ea159446e6bfa06645364d ]
    
    The struct sugov_tunables is protected by the kobject, so we can't free
    it directly. Otherwise we would get a call trace like this:
      ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x30
      WARNING: CPU: 3 PID: 720 at lib/debugobjects.c:505 debug_print_object+0xb8/0x100
      Modules linked in:
      CPU: 3 PID: 720 Comm: a.sh Tainted: G        W         5.14.0-rc1-next-20210715-yocto-standard+ #507
      Hardware name: Marvell OcteonTX CN96XX board (DT)
      pstate: 40400009 (nZcv daif +PAN -UAO -TCO BTYPE=--)
      pc : debug_print_object+0xb8/0x100
      lr : debug_print_object+0xb8/0x100
      sp : ffff80001ecaf910
      x29: ffff80001ecaf910 x28: ffff00011b10b8d0 x27: ffff800011043d80
      x26: ffff00011a8f0000 x25: ffff800013cb3ff0 x24: 0000000000000000
      x23: ffff80001142aa68 x22: ffff800011043d80 x21: ffff00010de46f20
      x20: ffff800013c0c520 x19: ffff800011d8f5b0 x18: 0000000000000010
      x17: 6e6968207473696c x16: 5f72656d6974203a x15: 6570797420746365
      x14: 6a626f2029302065 x13: 303378302f307830 x12: 2b6e665f72656d69
      x11: ffff8000124b1560 x10: ffff800012331520 x9 : ffff8000100ca6b0
      x8 : 000000000017ffe8 x7 : c0000000fffeffff x6 : 0000000000000001
      x5 : ffff800011d8c000 x4 : ffff800011d8c740 x3 : 0000000000000000
      x2 : ffff0001108301c0 x1 : ab3c90eedf9c0f00 x0 : 0000000000000000
      Call trace:
       debug_print_object+0xb8/0x100
       __debug_check_no_obj_freed+0x1c0/0x230
       debug_check_no_obj_freed+0x20/0x88
       slab_free_freelist_hook+0x154/0x1c8
       kfree+0x114/0x5d0
       sugov_exit+0xbc/0xc0
       cpufreq_exit_governor+0x44/0x90
       cpufreq_set_policy+0x268/0x4a8
       store_scaling_governor+0xe0/0x128
       store+0xc0/0xf0
       sysfs_kf_write+0x54/0x80
       kernfs_fop_write_iter+0x128/0x1c0
       new_sync_write+0xf0/0x190
       vfs_write+0x2d4/0x478
       ksys_write+0x74/0x100
       __arm64_sys_write+0x24/0x30
       invoke_syscall.constprop.0+0x54/0xe0
       do_el0_svc+0x64/0x158
       el0_svc+0x2c/0xb0
       el0t_64_sync_handler+0xb0/0xb8
       el0t_64_sync+0x198/0x19c
      irq event stamp: 5518
      hardirqs last  enabled at (5517): [<ffff8000100cbd7c>] console_unlock+0x554/0x6c8
      hardirqs last disabled at (5518): [<ffff800010fc0638>] el1_dbg+0x28/0xa0
      softirqs last  enabled at (5504): [<ffff8000100106e0>] __do_softirq+0x4d0/0x6c0
      softirqs last disabled at (5483): [<ffff800010049548>] irq_exit+0x1b0/0x1b8
    
    So split the original sugov_tunables_free() into two functions,
    sugov_clear_global_tunables() is just used to clear the global_tunables
    and the new sugov_tunables_free() is used as kobj_type::release to
    release the sugov_tunables safely.
    
    Fixes: 9bdcb44e391d ("cpufreq: schedutil: New governor based on scheduler utilization data")
    Cc: 4.7+ <stable@vger.kernel.org> # 4.7+
    Signed-off-by: Kevin Hao <haokexin@gmail.com>
    Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit d570c48dd37dbe8fc6875d4461d01a9554ae2560
Author: Igor Matheus Andrade Torrente <igormtorrente@gmail.com>
Date:   Mon Jun 28 10:45:09 2021 -0300

    tty: Fix out-of-bound vmalloc access in imageblit
    
    [ Upstream commit 3b0c406124719b625b1aba431659f5cdc24a982c ]
    
    This issue happens when a userspace program does an ioctl
    FBIOPUT_VSCREENINFO passing the fb_var_screeninfo struct
    containing only the fields xres, yres, and bits_per_pixel
    with values.
    
    If this struct is the same as the previous ioctl, the
    vc_resize() detects it and doesn't call the resize_screen(),
    leaving the fb_var_screeninfo incomplete. And this leads to
    the updatescrollmode() calculates a wrong value to
    fbcon_display->vrows, which makes the real_y() return a
    wrong value of y, and that value, eventually, causes
    the imageblit to access an out-of-bound address value.
    
    To solve this issue I made the resize_screen() be called
    even if the screen does not need any resizing, so it will
    "fix and fill" the fb_var_screeninfo independently.
    
    Cc: stable <stable@vger.kernel.org> # after 5.15-rc2 is out, give it time to bake
    Reported-and-tested-by: syzbot+858dc7a2f7ef07c2c219@syzkaller.appspotmail.com
    Signed-off-by: Igor Matheus Andrade Torrente <igormtorrente@gmail.com>
    Link: https://lore.kernel.org/r/20210628134509.15895-1-igormtorrente@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>