kernel-alx/patches-5.4/0276-5.4.177-all-fixes.patch

diff --git a/Documentation/accounting/psi.rst b/Documentation/accounting/psi.rst
index 621111ce57401..28c0461ba2e1b 100644
--- a/Documentation/accounting/psi.rst
+++ b/Documentation/accounting/psi.rst
@@ -90,7 +90,8 @@ Triggers can be set on more than one psi metric and more than one trigger
 for the same psi metric can be specified. However for each trigger a separate
 file descriptor is required to be able to poll it separately from others,
 therefore for each trigger a separate open() syscall should be made even
-when opening the same psi interface file.
+when opening the same psi interface file. Write operations to a file descriptor
+with an already existing psi trigger will fail with EBUSY.
 
 Monitors activate only when system enters stall state for the monitored
 psi metric and deactivates upon exit from the stall state. While system is
diff --git a/Makefile b/Makefile
index b23aa51ada93e..324939b64d7b7 100644
--- a/Makefile
+++ b/Makefile
@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: GPL-2.0
 VERSION = 5
 PATCHLEVEL = 4
-SUBLEVEL = 176
+SUBLEVEL = 177
 EXTRAVERSION =
 NAME = Kleptomaniac Octopus
 
diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
index da8c2c4aca7ef..0442d7e1cd20b 100644
--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
+++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
@@ -721,7 +721,9 @@ static void xgbe_stop_timers(struct xgbe_prv_data *pdata)
 		if (!channel->tx_ring)
 			break;
 
+		/* Deactivate the Tx timer */
 		del_timer_sync(&channel->tx_timer);
+		channel->tx_timer_active = 0;
 	}
 }
 
@@ -2765,6 +2767,14 @@ read_again:
 			buf2_len = xgbe_rx_buf2_len(rdata, packet, len);
 			len += buf2_len;
 
+			if (buf2_len > rdata->rx.buf.dma_len) {
+				/* Hardware inconsistency within the descriptors
+				 * that has resulted in a length underflow.
+				 */
+				error = 1;
+				goto skip_data;
+			}
+
 			if (!skb) {
 				skb = xgbe_create_skb(pdata, napi, rdata,
 						      buf1_len);
@@ -2794,8 +2804,10 @@ skip_data:
 		if (!last || context_next)
 			goto read_again;
 
-		if (!skb)
+		if (!skb || error) {
+			dev_kfree_skb(skb);
 			goto next_packet;
+		}
 
 		/* Be sure we don't exceed the configured MTU */
 		max_len = netdev->mtu + ETH_HLEN;
diff --git a/drivers/net/usb/ipheth.c b/drivers/net/usb/ipheth.c
index 345576f1a7470..73ad78f47763c 100644
--- a/drivers/net/usb/ipheth.c
+++ b/drivers/net/usb/ipheth.c
@@ -121,7 +121,7 @@ static int ipheth_alloc_urbs(struct ipheth_device *iphone)
 	if (tx_buf == NULL)
 		goto free_rx_urb;
 
-	rx_buf = usb_alloc_coherent(iphone->udev, IPHETH_BUF_SIZE,
+	rx_buf = usb_alloc_coherent(iphone->udev, IPHETH_BUF_SIZE + IPHETH_IP_ALIGN,
 				    GFP_KERNEL, &rx_urb->transfer_dma);
 	if (rx_buf == NULL)
 		goto free_tx_buf;
@@ -146,7 +146,7 @@ error_nomem:
 
 static void ipheth_free_urbs(struct ipheth_device *iphone)
 {
-	usb_free_coherent(iphone->udev, IPHETH_BUF_SIZE, iphone->rx_buf,
+	usb_free_coherent(iphone->udev, IPHETH_BUF_SIZE + IPHETH_IP_ALIGN, iphone->rx_buf,
 			  iphone->rx_urb->transfer_dma);
 	usb_free_coherent(iphone->udev, IPHETH_BUF_SIZE, iphone->tx_buf,
 			  iphone->tx_urb->transfer_dma);
@@ -317,7 +317,7 @@ static int ipheth_rx_submit(struct ipheth_device *dev, gfp_t mem_flags)
 
 	usb_fill_bulk_urb(dev->rx_urb, udev,
 			  usb_rcvbulkpipe(udev, dev->bulk_in),
-			  dev->rx_buf, IPHETH_BUF_SIZE,
+			  dev->rx_buf, IPHETH_BUF_SIZE + IPHETH_IP_ALIGN,
 			  ipheth_rcvbulk_callback,
 			  dev);
 	dev->rx_urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
diff --git a/drivers/pci/hotplug/pciehp_hpc.c b/drivers/pci/hotplug/pciehp_hpc.c
index 88b996764ff95..907b8be86ce04 100644
--- a/drivers/pci/hotplug/pciehp_hpc.c
+++ b/drivers/pci/hotplug/pciehp_hpc.c
@@ -577,6 +577,8 @@ read_status:
 	 */
 	if (ctrl->power_fault_detected)
 		status &= ~PCI_EXP_SLTSTA_PFD;
+	else if (status & PCI_EXP_SLTSTA_PFD)
+		ctrl->power_fault_detected = true;
 
 	events |= status;
 	if (!events) {
@@ -586,7 +588,7 @@ read_status:
 	}
 
 	if (status) {
-		pcie_capability_write_word(pdev, PCI_EXP_SLTSTA, events);
+		pcie_capability_write_word(pdev, PCI_EXP_SLTSTA, status);
 
 		/*
 		 * In MSI mode, all event bits must be zero before the port
@@ -660,8 +662,7 @@ static irqreturn_t pciehp_ist(int irq, void *dev_id)
 	}
 
 	/* Check Power Fault Detected */
-	if ((events & PCI_EXP_SLTSTA_PFD) && !ctrl->power_fault_detected) {
-		ctrl->power_fault_detected = 1;
+	if (events & PCI_EXP_SLTSTA_PFD) {
 		ctrl_err(ctrl, "Slot(%s): Power fault\n", slot_name(ctrl));
 		pciehp_set_indicators(ctrl, PCI_EXP_SLTCTL_PWR_IND_OFF,
 				      PCI_EXP_SLTCTL_ATTN_IND_ON);
diff --git a/include/linux/psi.h b/include/linux/psi.h
index 7b3de73212199..7712b58009276 100644
--- a/include/linux/psi.h
+++ b/include/linux/psi.h
@@ -31,7 +31,7 @@ void cgroup_move_task(struct task_struct *p, struct css_set *to);
 
 struct psi_trigger *psi_trigger_create(struct psi_group *group,
 			char *buf, size_t nbytes, enum psi_res res);
-void psi_trigger_replace(void **trigger_ptr, struct psi_trigger *t);
+void psi_trigger_destroy(struct psi_trigger *t);
 
 __poll_t psi_trigger_poll(void **trigger_ptr, struct file *file,
 			poll_table *wait);
diff --git a/include/linux/psi_types.h b/include/linux/psi_types.h
index 07aaf9b822416..0023052eab23f 100644
--- a/include/linux/psi_types.h
+++ b/include/linux/psi_types.h
@@ -120,9 +120,6 @@ struct psi_trigger {
 	 * events to one per window
 	 */
 	u64 last_event_time;
-
-	/* Refcounting to prevent premature destruction */
-	struct kref refcount;
 };
 
 struct psi_group {
diff --git a/kernel/cgroup/cgroup-v1.c b/kernel/cgroup/cgroup-v1.c
index 2d0ef613ca070..5e465c4b1e64c 100644
--- a/kernel/cgroup/cgroup-v1.c
+++ b/kernel/cgroup/cgroup-v1.c
@@ -549,6 +549,14 @@ static ssize_t cgroup_release_agent_write(struct kernfs_open_file *of,
 
 	BUILD_BUG_ON(sizeof(cgrp->root->release_agent_path) < PATH_MAX);
 
+	/*
+	 * Release agent gets called with all capabilities,
+	 * require capabilities to set release agent.
+	 */
+	if ((of->file->f_cred->user_ns != &init_user_ns) ||
+	    !capable(CAP_SYS_ADMIN))
+		return -EPERM;
+
 	cgrp = cgroup_kn_lock_live(of->kn, false);
 	if (!cgrp)
 		return -ENODEV;
@@ -961,6 +969,12 @@ int cgroup1_parse_param(struct fs_context *fc, struct fs_parameter *param)
 		/* Specifying two release agents is forbidden */
 		if (ctx->release_agent)
 			return cg_invalf(fc, "cgroup1: release_agent respecified");
+		/*
+		 * Release agent gets called with all capabilities,
+		 * require capabilities to set release agent.
+		 */
+		if ((fc->user_ns != &init_user_ns) || !capable(CAP_SYS_ADMIN))
+			return cg_invalf(fc, "cgroup1: Setting release_agent not allowed");
 		ctx->release_agent = param->string;
 		param->string = NULL;
 		break;
diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
index 1904ffcee0f1e..ce1745ac7b8c0 100644
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -3659,6 +3659,12 @@ static ssize_t cgroup_pressure_write(struct kernfs_open_file *of, char *buf,
 	cgroup_get(cgrp);
 	cgroup_kn_unlock(of->kn);
 
+	/* Allow only one trigger per file descriptor */
+	if (of->priv) {
+		cgroup_put(cgrp);
+		return -EBUSY;
+	}
+
 	psi = cgroup_ino(cgrp) == 1 ? &psi_system : &cgrp->psi;
 	new = psi_trigger_create(psi, buf, nbytes, res);
 	if (IS_ERR(new)) {
@@ -3666,8 +3672,7 @@ static ssize_t cgroup_pressure_write(struct kernfs_open_file *of, char *buf,
 		return PTR_ERR(new);
 	}
 
-	psi_trigger_replace(&of->priv, new);
-
+	smp_store_release(&of->priv, new);
 	cgroup_put(cgrp);
 
 	return nbytes;
@@ -3702,7 +3707,7 @@ static __poll_t cgroup_pressure_poll(struct kernfs_open_file *of,
 
 static void cgroup_pressure_release(struct kernfs_open_file *of)
 {
-	psi_trigger_replace(&of->priv, NULL);
+	psi_trigger_destroy(of->priv);
 }
 #endif /* CONFIG_PSI */
 
diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c
index badfa8f153599..411be8b2e837e 100644
--- a/kernel/cgroup/cpuset.c
+++ b/kernel/cgroup/cpuset.c
@@ -1558,8 +1558,7 @@ static int update_cpumask(struct cpuset *cs, struct cpuset *trialcs,
 	 * Make sure that subparts_cpus is a subset of cpus_allowed.
 	 */
 	if (cs->nr_subparts_cpus) {
-		cpumask_andnot(cs->subparts_cpus, cs->subparts_cpus,
-			       cs->cpus_allowed);
+		cpumask_and(cs->subparts_cpus, cs->subparts_cpus, cs->cpus_allowed);
 		cs->nr_subparts_cpus = cpumask_weight(cs->subparts_cpus);
 	}
 	spin_unlock_irq(&callback_lock);
diff --git a/kernel/sched/psi.c b/kernel/sched/psi.c
index 9154e745f0978..9dd83eb74a9da 100644
--- a/kernel/sched/psi.c
+++ b/kernel/sched/psi.c
@@ -1046,7 +1046,6 @@ struct psi_trigger *psi_trigger_create(struct psi_group *group,
 	t->event = 0;
 	t->last_event_time = 0;
 	init_waitqueue_head(&t->event_wait);
-	kref_init(&t->refcount);
 
 	mutex_lock(&group->trigger_lock);
 
@@ -1079,15 +1078,19 @@ struct psi_trigger *psi_trigger_create(struct psi_group *group,
 	return t;
 }
 
-static void psi_trigger_destroy(struct kref *ref)
+void psi_trigger_destroy(struct psi_trigger *t)
 {
-	struct psi_trigger *t = container_of(ref, struct psi_trigger, refcount);
-	struct psi_group *group = t->group;
+	struct psi_group *group;
 	struct kthread_worker *kworker_to_destroy = NULL;
 
-	if (static_branch_likely(&psi_disabled))
+	/*
+	 * We do not check psi_disabled since it might have been disabled after
+	 * the trigger got created.
+	 */
+	if (!t)
 		return;
 
+	group = t->group;
 	/*
 	 * Wakeup waiters to stop polling. Can happen if cgroup is deleted
 	 * from under a polling process.
@@ -1122,9 +1125,9 @@ static void psi_trigger_destroy(struct kref *ref)
 	mutex_unlock(&group->trigger_lock);
 
 	/*
-	 * Wait for both *trigger_ptr from psi_trigger_replace and
-	 * poll_kworker RCUs to complete their read-side critical sections
-	 * before destroying the trigger and optionally the poll_kworker
+	 * Wait for psi_schedule_poll_work RCU to complete its read-side
+	 * critical section before destroying the trigger and optionally the
+	 * poll_task.
 	 */
 	synchronize_rcu();
 	/*
@@ -1146,18 +1149,6 @@ static void psi_trigger_destroy(struct kref *ref)
 	kfree(t);
 }
 
-void psi_trigger_replace(void **trigger_ptr, struct psi_trigger *new)
-{
-	struct psi_trigger *old = *trigger_ptr;
-
-	if (static_branch_likely(&psi_disabled))
-		return;
-
-	rcu_assign_pointer(*trigger_ptr, new);
-	if (old)
-		kref_put(&old->refcount, psi_trigger_destroy);
-}
-
 __poll_t psi_trigger_poll(void **trigger_ptr,
 				struct file *file, poll_table *wait)
 {
@@ -1167,24 +1158,15 @@ __poll_t psi_trigger_poll(void **trigger_ptr,
 	if (static_branch_likely(&psi_disabled))
 		return DEFAULT_POLLMASK | EPOLLERR | EPOLLPRI;
 
-	rcu_read_lock();
-
-	t = rcu_dereference(*(void __rcu __force **)trigger_ptr);
-	if (!t) {
-		rcu_read_unlock();
+	t = smp_load_acquire(trigger_ptr);
+	if (!t)
 		return DEFAULT_POLLMASK | EPOLLERR | EPOLLPRI;
-	}
-	kref_get(&t->refcount);
-
-	rcu_read_unlock();
 
 	poll_wait(file, &t->event_wait, wait);
 
 	if (cmpxchg(&t->event, 1, 0) == 1)
 		ret |= EPOLLPRI;
 
-	kref_put(&t->refcount, psi_trigger_destroy);
-
 	return ret;
 }
 
@@ -1208,14 +1190,24 @@ static ssize_t psi_write(struct file *file, const char __user *user_buf,
 
 	buf[buf_size - 1] = '\0';
 
-	new = psi_trigger_create(&psi_system, buf, nbytes, res);
-	if (IS_ERR(new))
-		return PTR_ERR(new);
-
 	seq = file->private_data;
+
 	/* Take seq->lock to protect seq->private from concurrent writes */
 	mutex_lock(&seq->lock);
-	psi_trigger_replace(&seq->private, new);
+
+	/* Allow only one trigger per file descriptor */
+	if (seq->private) {
+		mutex_unlock(&seq->lock);
+		return -EBUSY;
+	}
+
+	new = psi_trigger_create(&psi_system, buf, nbytes, res);
+	if (IS_ERR(new)) {
+		mutex_unlock(&seq->lock);
+		return PTR_ERR(new);
+	}
+
+	smp_store_release(&seq->private, new);
 	mutex_unlock(&seq->lock);
 
 	return nbytes;
@@ -1250,7 +1242,7 @@ static int psi_fop_release(struct inode *inode, struct file *file)
 {
 	struct seq_file *seq = file->private_data;
 
-	psi_trigger_replace(&seq->private, NULL);
+	psi_trigger_destroy(seq->private);
 	return single_release(inode, file);
 }
 
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 55c0f32b9375b..dbc9b2f53649d 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -3022,8 +3022,8 @@ static int __rtnl_newlink(struct sk_buff *skb, struct nlmsghdr *nlh,
 	struct nlattr *slave_attr[RTNL_SLAVE_MAX_TYPE + 1];
 	unsigned char name_assign_type = NET_NAME_USER;
 	struct nlattr *linkinfo[IFLA_INFO_MAX + 1];
-	const struct rtnl_link_ops *m_ops = NULL;
-	struct net_device *master_dev = NULL;
+	const struct rtnl_link_ops *m_ops;
+	struct net_device *master_dev;
 	struct net *net = sock_net(skb->sk);
 	const struct rtnl_link_ops *ops;
 	struct nlattr *tb[IFLA_MAX + 1];
@@ -3063,6 +3063,8 @@ replay:
 			dev = NULL;
 	}
 
+	master_dev = NULL;
+	m_ops = NULL;
 	if (dev) {
 		master_dev = netdev_master_upper_dev_get(dev);
 		if (master_dev)
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 839e1caa57a59..ed11013d4b953 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1729,7 +1729,10 @@ static int fanout_add(struct sock *sk, u16 id, u16 type_flags)
 		err = -ENOSPC;
 		if (refcount_read(&match->sk_ref) < PACKET_FANOUT_MAX) {
 			__dev_remove_pack(&po->prot_hook);
-			po->fanout = match;
+
+			/* Paired with packet_setsockopt(PACKET_FANOUT_DATA) */
+			WRITE_ONCE(po->fanout, match);
+
 			po->rollover = rollover;
 			rollover = NULL;
 			refcount_set(&match->sk_ref, refcount_read(&match->sk_ref) + 1);
@@ -3876,7 +3879,8 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
 	}
 	case PACKET_FANOUT_DATA:
 	{
-		if (!po->fanout)
+		/* Paired with the WRITE_ONCE() in fanout_add() */
+		if (!READ_ONCE(po->fanout))
 			return -EINVAL;
 
 		return fanout_set_data(po, optval, optlen);
diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
index a4c61205462ac..80205b138d113 100644
--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -1928,9 +1928,9 @@ static int tc_new_tfilter(struct sk_buff *skb, struct nlmsghdr *n,
 	bool prio_allocate;
 	u32 parent;
 	u32 chain_index;
-	struct Qdisc *q = NULL;
+	struct Qdisc *q;
 	struct tcf_chain_info chain_info;
-	struct tcf_chain *chain = NULL;
+	struct tcf_chain *chain;
 	struct tcf_block *block;
 	struct tcf_proto *tp;
 	unsigned long cl;
@@ -1958,6 +1958,8 @@ replay:
 	tp = NULL;
 	cl = 0;
 	block = NULL;
+	q = NULL;
+	chain = NULL;
 
 	if (prio == 0) {
 		/* If no priority is provided by the user,
@@ -2764,8 +2766,8 @@ static int tc_ctl_chain(struct sk_buff *skb, struct nlmsghdr *n,
 	struct tcmsg *t;
 	u32 parent;
 	u32 chain_index;
-	struct Qdisc *q = NULL;
-	struct tcf_chain *chain = NULL;
+	struct Qdisc *q;
+	struct tcf_chain *chain;
 	struct tcf_block *block;
 	unsigned long cl;
 	int err;
@@ -2775,6 +2777,7 @@ static int tc_ctl_chain(struct sk_buff *skb, struct nlmsghdr *n,
 		return -EPERM;
 
 replay:
+	q = NULL;
 	err = nlmsg_parse_deprecated(n, sizeof(*t), tca, TCA_MAX,
 				     rtm_tca_policy, extack);
 	if (err < 0)
1	diff --git a/Documentation/accounting/psi.rst b/Documentation/accounting/psi.rst
2	index 621111ce57401..28c0461ba2e1b 100644
3	--- a/Documentation/accounting/psi.rst
4	+++ b/Documentation/accounting/psi.rst
5	@@ -90,7 +90,8 @@ Triggers can be set on more than one psi metric and more than one trigger
6	for the same psi metric can be specified. However for each trigger a separate
7	file descriptor is required to be able to poll it separately from others,
8	therefore for each trigger a separate open() syscall should be made even
9	-when opening the same psi interface file.
10	+when opening the same psi interface file. Write operations to a file descriptor
11	+with an already existing psi trigger will fail with EBUSY.
12
13	Monitors activate only when system enters stall state for the monitored
14	psi metric and deactivates upon exit from the stall state. While system is
15	diff --git a/Makefile b/Makefile
16	index b23aa51ada93e..324939b64d7b7 100644
17	--- a/Makefile
18	+++ b/Makefile
19	@@ -1,7 +1,7 @@
20	# SPDX-License-Identifier: GPL-2.0
21	VERSION = 5
22	PATCHLEVEL = 4
23	-SUBLEVEL = 176
24	+SUBLEVEL = 177
25	EXTRAVERSION =
26	NAME = Kleptomaniac Octopus
27
28	diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
29	index da8c2c4aca7ef..0442d7e1cd20b 100644
30	--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
31	+++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
32	@@ -721,7 +721,9 @@ static void xgbe_stop_timers(struct xgbe_prv_data *pdata)
33	if (!channel->tx_ring)
34	break;
35
36	+ /* Deactivate the Tx timer */
37	del_timer_sync(&channel->tx_timer);
38	+ channel->tx_timer_active = 0;
39	}
40	}
41
42	@@ -2765,6 +2767,14 @@ read_again:
43	buf2_len = xgbe_rx_buf2_len(rdata, packet, len);
44	len += buf2_len;
45
46	+ if (buf2_len > rdata->rx.buf.dma_len) {
47	+ /* Hardware inconsistency within the descriptors
48	+ * that has resulted in a length underflow.
49	+ */
50	+ error = 1;
51	+ goto skip_data;
52	+ }
53	+
54	if (!skb) {
55	skb = xgbe_create_skb(pdata, napi, rdata,
56	buf1_len);
57	@@ -2794,8 +2804,10 @@ skip_data:
58	if (!last \|\| context_next)
59	goto read_again;
60
61	- if (!skb)
62	+ if (!skb \|\| error) {
63	+ dev_kfree_skb(skb);
64	goto next_packet;
65	+ }
66
67	/* Be sure we don't exceed the configured MTU */
68	max_len = netdev->mtu + ETH_HLEN;
69	diff --git a/drivers/net/usb/ipheth.c b/drivers/net/usb/ipheth.c
70	index 345576f1a7470..73ad78f47763c 100644
71	--- a/drivers/net/usb/ipheth.c
72	+++ b/drivers/net/usb/ipheth.c
73	@@ -121,7 +121,7 @@ static int ipheth_alloc_urbs(struct ipheth_device *iphone)
74	if (tx_buf == NULL)
75	goto free_rx_urb;
76
77	- rx_buf = usb_alloc_coherent(iphone->udev, IPHETH_BUF_SIZE,
78	+ rx_buf = usb_alloc_coherent(iphone->udev, IPHETH_BUF_SIZE + IPHETH_IP_ALIGN,
79	GFP_KERNEL, &rx_urb->transfer_dma);
80	if (rx_buf == NULL)
81	goto free_tx_buf;
82	@@ -146,7 +146,7 @@ error_nomem:
83
84	static void ipheth_free_urbs(struct ipheth_device *iphone)
85	{
86	- usb_free_coherent(iphone->udev, IPHETH_BUF_SIZE, iphone->rx_buf,
87	+ usb_free_coherent(iphone->udev, IPHETH_BUF_SIZE + IPHETH_IP_ALIGN, iphone->rx_buf,
88	iphone->rx_urb->transfer_dma);
89	usb_free_coherent(iphone->udev, IPHETH_BUF_SIZE, iphone->tx_buf,
90	iphone->tx_urb->transfer_dma);
91	@@ -317,7 +317,7 @@ static int ipheth_rx_submit(struct ipheth_device *dev, gfp_t mem_flags)
92
93	usb_fill_bulk_urb(dev->rx_urb, udev,
94	usb_rcvbulkpipe(udev, dev->bulk_in),
95	- dev->rx_buf, IPHETH_BUF_SIZE,
96	+ dev->rx_buf, IPHETH_BUF_SIZE + IPHETH_IP_ALIGN,
97	ipheth_rcvbulk_callback,
98	dev);
99	dev->rx_urb->transfer_flags \|= URB_NO_TRANSFER_DMA_MAP;
100	diff --git a/drivers/pci/hotplug/pciehp_hpc.c b/drivers/pci/hotplug/pciehp_hpc.c
101	index 88b996764ff95..907b8be86ce04 100644
102	--- a/drivers/pci/hotplug/pciehp_hpc.c
103	+++ b/drivers/pci/hotplug/pciehp_hpc.c
104	@@ -577,6 +577,8 @@ read_status:
105	*/
106	if (ctrl->power_fault_detected)
107	status &= ~PCI_EXP_SLTSTA_PFD;
108	+ else if (status & PCI_EXP_SLTSTA_PFD)
109	+ ctrl->power_fault_detected = true;
110
111	events \|= status;
112	if (!events) {
113	@@ -586,7 +588,7 @@ read_status:
114	}
115
116	if (status) {
117	- pcie_capability_write_word(pdev, PCI_EXP_SLTSTA, events);
118	+ pcie_capability_write_word(pdev, PCI_EXP_SLTSTA, status);
119
120	/*
121	* In MSI mode, all event bits must be zero before the port
122	@@ -660,8 +662,7 @@ static irqreturn_t pciehp_ist(int irq, void *dev_id)
123	}
124
125	/* Check Power Fault Detected */
126	- if ((events & PCI_EXP_SLTSTA_PFD) && !ctrl->power_fault_detected) {
127	- ctrl->power_fault_detected = 1;
128	+ if (events & PCI_EXP_SLTSTA_PFD) {
129	ctrl_err(ctrl, "Slot(%s): Power fault\n", slot_name(ctrl));
130	pciehp_set_indicators(ctrl, PCI_EXP_SLTCTL_PWR_IND_OFF,
131	PCI_EXP_SLTCTL_ATTN_IND_ON);
132	diff --git a/include/linux/psi.h b/include/linux/psi.h
133	index 7b3de73212199..7712b58009276 100644
134	--- a/include/linux/psi.h
135	+++ b/include/linux/psi.h
136	@@ -31,7 +31,7 @@ void cgroup_move_task(struct task_struct p, struct css_set to);
137
138	struct psi_trigger psi_trigger_create(struct psi_group group,
139	char *buf, size_t nbytes, enum psi_res res);
140	-void psi_trigger_replace(void *trigger_ptr, struct psi_trigger t);
141	+void psi_trigger_destroy(struct psi_trigger *t);
142
143	__poll_t psi_trigger_poll(void *trigger_ptr, struct file file,
144	poll_table *wait);
145	diff --git a/include/linux/psi_types.h b/include/linux/psi_types.h
146	index 07aaf9b822416..0023052eab23f 100644
147	--- a/include/linux/psi_types.h
148	+++ b/include/linux/psi_types.h
149	@@ -120,9 +120,6 @@ struct psi_trigger {
150	* events to one per window
151	*/
152	u64 last_event_time;
153	-
154	- /* Refcounting to prevent premature destruction */
155	- struct kref refcount;
156	};
157
158	struct psi_group {
159	diff --git a/kernel/cgroup/cgroup-v1.c b/kernel/cgroup/cgroup-v1.c
160	index 2d0ef613ca070..5e465c4b1e64c 100644
161	--- a/kernel/cgroup/cgroup-v1.c
162	+++ b/kernel/cgroup/cgroup-v1.c
163	@@ -549,6 +549,14 @@ static ssize_t cgroup_release_agent_write(struct kernfs_open_file *of,
164
165	BUILD_BUG_ON(sizeof(cgrp->root->release_agent_path) < PATH_MAX);
166
167	+ /*
168	+ * Release agent gets called with all capabilities,
169	+ * require capabilities to set release agent.
170	+ */
171	+ if ((of->file->f_cred->user_ns != &init_user_ns) \|\|
172	+ !capable(CAP_SYS_ADMIN))
173	+ return -EPERM;
174	+
175	cgrp = cgroup_kn_lock_live(of->kn, false);
176	if (!cgrp)
177	return -ENODEV;
178	@@ -961,6 +969,12 @@ int cgroup1_parse_param(struct fs_context fc, struct fs_parameter param)
179	/* Specifying two release agents is forbidden */
180	if (ctx->release_agent)
181	return cg_invalf(fc, "cgroup1: release_agent respecified");
182	+ /*
183	+ * Release agent gets called with all capabilities,
184	+ * require capabilities to set release agent.
185	+ */
186	+ if ((fc->user_ns != &init_user_ns) \|\| !capable(CAP_SYS_ADMIN))
187	+ return cg_invalf(fc, "cgroup1: Setting release_agent not allowed");
188	ctx->release_agent = param->string;
189	param->string = NULL;
190	break;
191	diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
192	index 1904ffcee0f1e..ce1745ac7b8c0 100644
193	--- a/kernel/cgroup/cgroup.c
194	+++ b/kernel/cgroup/cgroup.c
195	@@ -3659,6 +3659,12 @@ static ssize_t cgroup_pressure_write(struct kernfs_open_file of, char buf,
196	cgroup_get(cgrp);
197	cgroup_kn_unlock(of->kn);
198
199	+ /* Allow only one trigger per file descriptor */
200	+ if (of->priv) {
201	+ cgroup_put(cgrp);
202	+ return -EBUSY;
203	+ }
204	+
205	psi = cgroup_ino(cgrp) == 1 ? &psi_system : &cgrp->psi;
206	new = psi_trigger_create(psi, buf, nbytes, res);
207	if (IS_ERR(new)) {
208	@@ -3666,8 +3672,7 @@ static ssize_t cgroup_pressure_write(struct kernfs_open_file of, char buf,
209	return PTR_ERR(new);
210	}
211
212	- psi_trigger_replace(&of->priv, new);
213	-
214	+ smp_store_release(&of->priv, new);
215	cgroup_put(cgrp);
216
217	return nbytes;
218	@@ -3702,7 +3707,7 @@ static __poll_t cgroup_pressure_poll(struct kernfs_open_file *of,
219
220	static void cgroup_pressure_release(struct kernfs_open_file *of)
221	{
222	- psi_trigger_replace(&of->priv, NULL);
223	+ psi_trigger_destroy(of->priv);
224	}
225	#endif /* CONFIG_PSI */
226
227	diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c
228	index badfa8f153599..411be8b2e837e 100644
229	--- a/kernel/cgroup/cpuset.c
230	+++ b/kernel/cgroup/cpuset.c
231	@@ -1558,8 +1558,7 @@ static int update_cpumask(struct cpuset cs, struct cpuset trialcs,
232	* Make sure that subparts_cpus is a subset of cpus_allowed.
233	*/
234	if (cs->nr_subparts_cpus) {
235	- cpumask_andnot(cs->subparts_cpus, cs->subparts_cpus,
236	- cs->cpus_allowed);
237	+ cpumask_and(cs->subparts_cpus, cs->subparts_cpus, cs->cpus_allowed);
238	cs->nr_subparts_cpus = cpumask_weight(cs->subparts_cpus);
239	}
240	spin_unlock_irq(&callback_lock);
241	diff --git a/kernel/sched/psi.c b/kernel/sched/psi.c
242	index 9154e745f0978..9dd83eb74a9da 100644
243	--- a/kernel/sched/psi.c
244	+++ b/kernel/sched/psi.c
245	@@ -1046,7 +1046,6 @@ struct psi_trigger psi_trigger_create(struct psi_group group,
246	t->event = 0;
247	t->last_event_time = 0;
248	init_waitqueue_head(&t->event_wait);
249	- kref_init(&t->refcount);
250
251	mutex_lock(&group->trigger_lock);
252
253	@@ -1079,15 +1078,19 @@ struct psi_trigger psi_trigger_create(struct psi_group group,
254	return t;
255	}
256
257	-static void psi_trigger_destroy(struct kref *ref)
258	+void psi_trigger_destroy(struct psi_trigger *t)
259	{
260	- struct psi_trigger *t = container_of(ref, struct psi_trigger, refcount);
261	- struct psi_group *group = t->group;
262	+ struct psi_group *group;
263	struct kthread_worker *kworker_to_destroy = NULL;
264
265	- if (static_branch_likely(&psi_disabled))
266	+ /*
267	+ * We do not check psi_disabled since it might have been disabled after
268	+ * the trigger got created.
269	+ */
270	+ if (!t)
271	return;
272
273	+ group = t->group;
274	/*
275	* Wakeup waiters to stop polling. Can happen if cgroup is deleted
276	* from under a polling process.
277	@@ -1122,9 +1125,9 @@ static void psi_trigger_destroy(struct kref *ref)
278	mutex_unlock(&group->trigger_lock);
279
280	/*
281	- * Wait for both *trigger_ptr from psi_trigger_replace and
282	- * poll_kworker RCUs to complete their read-side critical sections
283	- * before destroying the trigger and optionally the poll_kworker
284	+ * Wait for psi_schedule_poll_work RCU to complete its read-side
285	+ * critical section before destroying the trigger and optionally the
286	+ * poll_task.
287	*/
288	synchronize_rcu();
289	/*
290	@@ -1146,18 +1149,6 @@ static void psi_trigger_destroy(struct kref *ref)
291	kfree(t);
292	}
293
294	-void psi_trigger_replace(void *trigger_ptr, struct psi_trigger new)
295	-{
296	- struct psi_trigger old = trigger_ptr;
297	-
298	- if (static_branch_likely(&psi_disabled))
299	- return;
300	-
301	- rcu_assign_pointer(*trigger_ptr, new);
302	- if (old)
303	- kref_put(&old->refcount, psi_trigger_destroy);
304	-}
305	-
306	__poll_t psi_trigger_poll(void **trigger_ptr,
307	struct file file, poll_table wait)
308	{
309	@@ -1167,24 +1158,15 @@ __poll_t psi_trigger_poll(void **trigger_ptr,
310	if (static_branch_likely(&psi_disabled))
311	return DEFAULT_POLLMASK \| EPOLLERR \| EPOLLPRI;
312
313	- rcu_read_lock();
314	-
315	- t = rcu_dereference((void __rcu __force *)trigger_ptr);
316	- if (!t) {
317	- rcu_read_unlock();
318	+ t = smp_load_acquire(trigger_ptr);
319	+ if (!t)
320	return DEFAULT_POLLMASK \| EPOLLERR \| EPOLLPRI;
321	- }
322	- kref_get(&t->refcount);
323	-
324	- rcu_read_unlock();
325
326	poll_wait(file, &t->event_wait, wait);
327
328	if (cmpxchg(&t->event, 1, 0) == 1)
329	ret \|= EPOLLPRI;
330
331	- kref_put(&t->refcount, psi_trigger_destroy);
332	-
333	return ret;
334	}
335
336	@@ -1208,14 +1190,24 @@ static ssize_t psi_write(struct file file, const char __user user_buf,
337
338	buf[buf_size - 1] = '\0';
339
340	- new = psi_trigger_create(&psi_system, buf, nbytes, res);
341	- if (IS_ERR(new))
342	- return PTR_ERR(new);
343	-
344	seq = file->private_data;
345	+
346	/* Take seq->lock to protect seq->private from concurrent writes */
347	mutex_lock(&seq->lock);
348	- psi_trigger_replace(&seq->private, new);
349	+
350	+ /* Allow only one trigger per file descriptor */
351	+ if (seq->private) {
352	+ mutex_unlock(&seq->lock);
353	+ return -EBUSY;
354	+ }
355	+
356	+ new = psi_trigger_create(&psi_system, buf, nbytes, res);
357	+ if (IS_ERR(new)) {
358	+ mutex_unlock(&seq->lock);
359	+ return PTR_ERR(new);
360	+ }
361	+
362	+ smp_store_release(&seq->private, new);
363	mutex_unlock(&seq->lock);
364
365	return nbytes;
366	@@ -1250,7 +1242,7 @@ static int psi_fop_release(struct inode inode, struct file file)
367	{
368	struct seq_file *seq = file->private_data;
369
370	- psi_trigger_replace(&seq->private, NULL);
371	+ psi_trigger_destroy(seq->private);
372	return single_release(inode, file);
373	}
374
375	diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
376	index 55c0f32b9375b..dbc9b2f53649d 100644
377	--- a/net/core/rtnetlink.c
378	+++ b/net/core/rtnetlink.c
379	@@ -3022,8 +3022,8 @@ static int __rtnl_newlink(struct sk_buff skb, struct nlmsghdr nlh,
380	struct nlattr *slave_attr[RTNL_SLAVE_MAX_TYPE + 1];
381	unsigned char name_assign_type = NET_NAME_USER;
382	struct nlattr *linkinfo[IFLA_INFO_MAX + 1];
383	- const struct rtnl_link_ops *m_ops = NULL;
384	- struct net_device *master_dev = NULL;
385	+ const struct rtnl_link_ops *m_ops;
386	+ struct net_device *master_dev;
387	struct net *net = sock_net(skb->sk);
388	const struct rtnl_link_ops *ops;
389	struct nlattr *tb[IFLA_MAX + 1];
390	@@ -3063,6 +3063,8 @@ replay:
391	dev = NULL;
392	}
393
394	+ master_dev = NULL;
395	+ m_ops = NULL;
396	if (dev) {
397	master_dev = netdev_master_upper_dev_get(dev);
398	if (master_dev)
399	diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
400	index 839e1caa57a59..ed11013d4b953 100644
401	--- a/net/packet/af_packet.c
402	+++ b/net/packet/af_packet.c
403	@@ -1729,7 +1729,10 @@ static int fanout_add(struct sock *sk, u16 id, u16 type_flags)
404	err = -ENOSPC;
405	if (refcount_read(&match->sk_ref) < PACKET_FANOUT_MAX) {
406	__dev_remove_pack(&po->prot_hook);
407	- po->fanout = match;
408	+
409	+ /* Paired with packet_setsockopt(PACKET_FANOUT_DATA) */
410	+ WRITE_ONCE(po->fanout, match);
411	+
412	po->rollover = rollover;
413	rollover = NULL;
414	refcount_set(&match->sk_ref, refcount_read(&match->sk_ref) + 1);
415	@@ -3876,7 +3879,8 @@ packet_setsockopt(struct socket sock, int level, int optname, char __user optv
416	}
417	case PACKET_FANOUT_DATA:
418	{
419	- if (!po->fanout)
420	+ /* Paired with the WRITE_ONCE() in fanout_add() */
421	+ if (!READ_ONCE(po->fanout))
422	return -EINVAL;
423
424	return fanout_set_data(po, optval, optlen);
425	diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
426	index a4c61205462ac..80205b138d113 100644
427	--- a/net/sched/cls_api.c
428	+++ b/net/sched/cls_api.c
429	@@ -1928,9 +1928,9 @@ static int tc_new_tfilter(struct sk_buff skb, struct nlmsghdr n,
430	bool prio_allocate;
431	u32 parent;
432	u32 chain_index;
433	- struct Qdisc *q = NULL;
434	+ struct Qdisc *q;
435	struct tcf_chain_info chain_info;
436	- struct tcf_chain *chain = NULL;
437	+ struct tcf_chain *chain;
438	struct tcf_block *block;
439	struct tcf_proto *tp;
440	unsigned long cl;
441	@@ -1958,6 +1958,8 @@ replay:
442	tp = NULL;
443	cl = 0;
444	block = NULL;
445	+ q = NULL;
446	+ chain = NULL;
447
448	if (prio == 0) {
449	/* If no priority is provided by the user,
450	@@ -2764,8 +2766,8 @@ static int tc_ctl_chain(struct sk_buff skb, struct nlmsghdr n,
451	struct tcmsg *t;
452	u32 parent;
453	u32 chain_index;
454	- struct Qdisc *q = NULL;
455	- struct tcf_chain *chain = NULL;
456	+ struct Qdisc *q;
457	+ struct tcf_chain *chain;
458	struct tcf_block *block;
459	unsigned long cl;
460	int err;
461	@@ -2775,6 +2777,7 @@ static int tc_ctl_chain(struct sk_buff skb, struct nlmsghdr n,
462	return -EPERM;
463
464	replay:
465	+ q = NULL;
466	err = nlmsg_parse_deprecated(n, sizeof(*t), tca, TCA_MAX,
467	rtm_tca_policy, extack);
468	if (err < 0)