--- /dev/null
+From 208978af974ed79d377e7d4347aa773288313a38 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 26 Feb 2023 21:12:14 +0800
+Subject: ARM: dts: imx6sl: tolino-shine2hd: fix usbotg1 pinctrl
+
+From: Peng Fan <peng.fan@nxp.com>
+
+[ Upstream commit 1cd489e1ada1cffa56bd06fd4609f5a60a985d43 ]
+
+usb@2184000: 'pinctrl-0' is a dependency of 'pinctrl-names'
+
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Fixes: 9c7016f1ca6d ("ARM: dts: imx: add devicetree for Tolino Shine 2 HD")
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx6sl-tolino-shine2hd.dts | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm/boot/dts/imx6sl-tolino-shine2hd.dts b/arch/arm/boot/dts/imx6sl-tolino-shine2hd.dts
+index a17b8bbbdb956..f2231cb1e32df 100644
+--- a/arch/arm/boot/dts/imx6sl-tolino-shine2hd.dts
++++ b/arch/arm/boot/dts/imx6sl-tolino-shine2hd.dts
+@@ -597,6 +597,7 @@ &usdhc3 {
+
+ &usbotg1 {
+ pinctrl-names = "default";
++ pinctrl-0 = <&pinctrl_usbotg1>;
+ disable-over-current;
+ srp-disable;
+ hnp-disable;
+--
+2.39.2
+
--- /dev/null
+From 5353c3b23e215b4b55856a9bb31a8101daa57878 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 26 Feb 2023 21:12:13 +0800
+Subject: ARM: dts: imx6sll: e60k02: fix usbotg1 pinctrl
+
+From: Peng Fan <peng.fan@nxp.com>
+
+[ Upstream commit 957c04e9784c7c757e8cc293d7fb2a60cdf461b6 ]
+
+usb@2184000: 'pinctrl-0' is a dependency of 'pinctrl-names'
+
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Fixes: c100ea86e6ab ("ARM: dts: add Netronix E60K02 board common file")
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/e60k02.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm/boot/dts/e60k02.dtsi b/arch/arm/boot/dts/e60k02.dtsi
+index cfb239d5186ac..54b4de6a5925d 100644
+--- a/arch/arm/boot/dts/e60k02.dtsi
++++ b/arch/arm/boot/dts/e60k02.dtsi
+@@ -302,6 +302,7 @@ &usdhc3 {
+
+ &usbotg1 {
+ pinctrl-names = "default";
++ pinctrl-0 = <&pinctrl_usbotg1>;
+ disable-over-current;
+ srp-disable;
+ hnp-disable;
+--
+2.39.2
+
--- /dev/null
+From 284b5ba7006a14e264c998da77678c936315480a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Feb 2023 22:52:44 +0100
+Subject: arm64: dts: imx8mn: specify #sound-dai-cells for SAI nodes
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit 62fb54148cd6eb456ff031be8fb447c98cf0bd9b ]
+
+Add #sound-dai-cells properties to SAI nodes.
+
+Reviewed-by: Adam Ford <aford173@gmail.com>
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Fixes: 9e9860069725 ("arm64: dts: imx8mn: Add SAI nodes")
+Signed-off-by: Marek Vasut <marex@denx.de>
+Reviewed-by: Marco Felsch <m.felsch@pengutronix.de>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mn.dtsi | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mn.dtsi b/arch/arm64/boot/dts/freescale/imx8mn.dtsi
+index 0c47ff2426410..16a5efba17f39 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mn.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mn.dtsi
+@@ -265,6 +265,7 @@ spba2: spba-bus@30000000 {
+ sai2: sai@30020000 {
+ compatible = "fsl,imx8mn-sai", "fsl,imx8mq-sai";
+ reg = <0x30020000 0x10000>;
++ #sound-dai-cells = <0>;
+ interrupts = <GIC_SPI 96 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&clk IMX8MN_CLK_SAI2_IPG>,
+ <&clk IMX8MN_CLK_DUMMY>,
+@@ -279,6 +280,7 @@ sai2: sai@30020000 {
+ sai3: sai@30030000 {
+ compatible = "fsl,imx8mn-sai", "fsl,imx8mq-sai";
+ reg = <0x30030000 0x10000>;
++ #sound-dai-cells = <0>;
+ interrupts = <GIC_SPI 50 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&clk IMX8MN_CLK_SAI3_IPG>,
+ <&clk IMX8MN_CLK_DUMMY>,
+@@ -293,6 +295,7 @@ sai3: sai@30030000 {
+ sai5: sai@30050000 {
+ compatible = "fsl,imx8mn-sai", "fsl,imx8mq-sai";
+ reg = <0x30050000 0x10000>;
++ #sound-dai-cells = <0>;
+ interrupts = <GIC_SPI 90 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&clk IMX8MN_CLK_SAI5_IPG>,
+ <&clk IMX8MN_CLK_DUMMY>,
+@@ -309,6 +312,7 @@ sai5: sai@30050000 {
+ sai6: sai@30060000 {
+ compatible = "fsl,imx8mn-sai", "fsl,imx8mq-sai";
+ reg = <0x30060000 0x10000>;
++ #sound-dai-cells = <0>;
+ interrupts = <GIC_SPI 90 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&clk IMX8MN_CLK_SAI6_IPG>,
+ <&clk IMX8MN_CLK_DUMMY>,
+@@ -366,6 +370,7 @@ spdif1: spdif@30090000 {
+ sai7: sai@300b0000 {
+ compatible = "fsl,imx8mn-sai", "fsl,imx8mq-sai";
+ reg = <0x300b0000 0x10000>;
++ #sound-dai-cells = <0>;
+ interrupts = <GIC_SPI 111 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&clk IMX8MN_CLK_SAI7_IPG>,
+ <&clk IMX8MN_CLK_DUMMY>,
+--
+2.39.2
+
--- /dev/null
+From 124f8aea34e70dc2b687e9a3d84dc063d313a4d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Mar 2023 14:33:18 +0000
+Subject: atm: idt77252: fix kmemleak when rmmod idt77252
+
+From: Li Zetao <lizetao1@huawei.com>
+
+[ Upstream commit 4fe3c88552a3fbe1944426a4506a18cdeb457b5a ]
+
+There are memory leaks reported by kmemleak:
+
+ unreferenced object 0xffff888106500800 (size 128):
+ comm "modprobe", pid 1017, jiffies 4297787785 (age 67.152s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<00000000970ce626>] __kmem_cache_alloc_node+0x20c/0x380
+ [<00000000fb5f78d9>] kmalloc_trace+0x2f/0xb0
+ [<000000000e947e2a>] idt77252_init_one+0x2847/0x3c90 [idt77252]
+ [<000000006efb048e>] local_pci_probe+0xeb/0x1a0
+ ...
+
+ unreferenced object 0xffff888106500b00 (size 128):
+ comm "modprobe", pid 1017, jiffies 4297787785 (age 67.152s)
+ hex dump (first 32 bytes):
+ 00 20 3d 01 80 88 ff ff 00 20 3d 01 80 88 ff ff . =...... =.....
+ f0 23 3d 01 80 88 ff ff 00 20 3d 01 00 00 00 00 .#=...... =.....
+ backtrace:
+ [<00000000970ce626>] __kmem_cache_alloc_node+0x20c/0x380
+ [<00000000fb5f78d9>] kmalloc_trace+0x2f/0xb0
+ [<00000000f451c5be>] alloc_scq.constprop.0+0x4a/0x400 [idt77252]
+ [<00000000e6313849>] idt77252_init_one+0x28cf/0x3c90 [idt77252]
+
+The root cause is traced to the vc_maps which alloced in open_card_oam()
+are not freed in close_card_oam(). The vc_maps are used to record
+open connections, so when close a vc_map in close_card_oam(), the memory
+should be freed. Moreover, the ubr0 is not closed when close a idt77252
+device, leading to the memory leak of vc_map and scq_info.
+
+Fix them by adding kfree in close_card_oam() and implementing new
+close_card_ubr0() to close ubr0.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Li Zetao <lizetao1@huawei.com>
+Reviewed-by: Francois Romieu <romieu@fr.zoreil.com>
+Link: https://lore.kernel.org/r/20230320143318.2644630-1-lizetao1@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/atm/idt77252.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/drivers/atm/idt77252.c b/drivers/atm/idt77252.c
+index 681cb3786794d..49cb4537344aa 100644
+--- a/drivers/atm/idt77252.c
++++ b/drivers/atm/idt77252.c
+@@ -2909,6 +2909,7 @@ close_card_oam(struct idt77252_dev *card)
+
+ recycle_rx_pool_skb(card, &vc->rcv.rx_pool);
+ }
++ kfree(vc);
+ }
+ }
+ }
+@@ -2952,6 +2953,15 @@ open_card_ubr0(struct idt77252_dev *card)
+ return 0;
+ }
+
++static void
++close_card_ubr0(struct idt77252_dev *card)
++{
++ struct vc_map *vc = card->vcs[0];
++
++ free_scq(card, vc->scq);
++ kfree(vc);
++}
++
+ static int
+ idt77252_dev_open(struct idt77252_dev *card)
+ {
+@@ -3001,6 +3011,7 @@ static void idt77252_dev_close(struct atm_dev *dev)
+ struct idt77252_dev *card = dev->dev_data;
+ u32 conf;
+
++ close_card_ubr0(card);
+ close_card_oam(card);
+
+ conf = SAR_CFG_RXPTH | /* enable receive path */
+--
+2.39.2
+
--- /dev/null
+From ab82c517fe59bd7a7580f1751ba3a5498bfb6e1f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Mar 2023 14:31:55 +0100
+Subject: Bluetooth: btqcomsmd: Fix command timeout after setting BD address
+
+From: Stephan Gerhold <stephan.gerhold@kernkonzept.com>
+
+[ Upstream commit 5d44ab9e204200a78ad55cdf185aa2bb109b5950 ]
+
+On most devices using the btqcomsmd driver (e.g. the DragonBoard 410c
+and other devices based on the Qualcomm MSM8916/MSM8909/... SoCs)
+the Bluetooth firmware seems to become unresponsive for a while after
+setting the BD address. On recent kernel versions (at least 5.17+)
+this often causes timeouts for subsequent commands, e.g. the HCI reset
+sent by the Bluetooth core during initialization:
+
+ Bluetooth: hci0: Opcode 0x c03 failed: -110
+
+Unfortunately this behavior does not seem to be documented anywhere.
+Experimentation suggests that the minimum necessary delay to avoid
+the problem is ~150us. However, to be sure add a sleep for > 1ms
+in case it is a bit longer on other firmware versions.
+
+Older kernel versions are likely also affected, although perhaps with
+slightly different errors or less probability. Side effects can easily
+hide the issue in most cases, e.g. unrelated incoming interrupts that
+cause the necessary delay.
+
+Fixes: 1511cc750c3d ("Bluetooth: Introduce Qualcomm WCNSS SMD based HCI driver")
+Signed-off-by: Stephan Gerhold <stephan.gerhold@kernkonzept.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btqcomsmd.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/bluetooth/btqcomsmd.c b/drivers/bluetooth/btqcomsmd.c
+index 2acb719e596f5..11c7e04bf3947 100644
+--- a/drivers/bluetooth/btqcomsmd.c
++++ b/drivers/bluetooth/btqcomsmd.c
+@@ -122,6 +122,21 @@ static int btqcomsmd_setup(struct hci_dev *hdev)
+ return 0;
+ }
+
++static int btqcomsmd_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr)
++{
++ int ret;
++
++ ret = qca_set_bdaddr_rome(hdev, bdaddr);
++ if (ret)
++ return ret;
++
++ /* The firmware stops responding for a while after setting the bdaddr,
++ * causing timeouts for subsequent commands. Sleep a bit to avoid this.
++ */
++ usleep_range(1000, 10000);
++ return 0;
++}
++
+ static int btqcomsmd_probe(struct platform_device *pdev)
+ {
+ struct btqcomsmd *btq;
+@@ -162,7 +177,7 @@ static int btqcomsmd_probe(struct platform_device *pdev)
+ hdev->close = btqcomsmd_close;
+ hdev->send = btqcomsmd_send;
+ hdev->setup = btqcomsmd_setup;
+- hdev->set_bdaddr = qca_set_bdaddr_rome;
++ hdev->set_bdaddr = btqcomsmd_set_bdaddr;
+
+ ret = hci_register_dev(hdev);
+ if (ret < 0)
+--
+2.39.2
+
--- /dev/null
+From 501fd3292d68099ebbc47f1dc8b35122d1c2c011 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Mar 2023 16:07:39 +0800
+Subject: Bluetooth: btsdio: fix use after free bug in btsdio_remove due to
+ unfinished work
+
+From: Zheng Wang <zyytlz.wz@163.com>
+
+[ Upstream commit 1e9ac114c4428fdb7ff4635b45d4f46017e8916f ]
+
+In btsdio_probe, &data->work was bound with btsdio_work.In
+btsdio_send_frame, it was started by schedule_work.
+
+If we call btsdio_remove with an unfinished job, there may
+be a race condition and cause UAF bug on hdev.
+
+Fixes: ddbaf13e3609 ("[Bluetooth] Add generic driver for Bluetooth SDIO devices")
+Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btsdio.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/bluetooth/btsdio.c b/drivers/bluetooth/btsdio.c
+index 199e8f7d426d9..7050a16e7efeb 100644
+--- a/drivers/bluetooth/btsdio.c
++++ b/drivers/bluetooth/btsdio.c
+@@ -352,6 +352,7 @@ static void btsdio_remove(struct sdio_func *func)
+
+ BT_DBG("func %p", func);
+
++ cancel_work_sync(&data->work);
+ if (!data)
+ return;
+
+--
+2.39.2
+
--- /dev/null
+From 32d9e5e39c5b5903911ce3dbdcddd5c4780423fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Mar 2023 14:20:34 -0800
+Subject: Bluetooth: L2CAP: Fix responding with wrong PDU type
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 9aa9d9473f1550d1936c31259720b3f1f4690576 ]
+
+L2CAP_ECRED_CONN_REQ shall be responded with L2CAP_ECRED_CONN_RSP not
+L2CAP_LE_CONN_RSP:
+
+L2CAP LE EATT Server - Reject - run
+ Listening for connections
+ New client connection with handle 0x002a
+ Sending L2CAP Request from client
+ Client received response code 0x15
+ Unexpected L2CAP response code (expected 0x18)
+L2CAP LE EATT Server - Reject - test failed
+
+> ACL Data RX: Handle 42 flags 0x02 dlen 26
+ LE L2CAP: Enhanced Credit Connection Request (0x17) ident 1 len 18
+ PSM: 39 (0x0027)
+ MTU: 64
+ MPS: 64
+ Credits: 5
+ Source CID: 65
+ Source CID: 66
+ Source CID: 67
+ Source CID: 68
+ Source CID: 69
+< ACL Data TX: Handle 42 flags 0x00 dlen 16
+ LE L2CAP: LE Connection Response (0x15) ident 1 len 8
+ invalid size
+ 00 00 00 00 00 00 06 00
+
+L2CAP LE EATT Server - Reject - run
+ Listening for connections
+ New client connection with handle 0x002a
+ Sending L2CAP Request from client
+ Client received response code 0x18
+L2CAP LE EATT Server - Reject - test passed
+
+Fixes: 15f02b910562 ("Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_core.c | 117 +++++++++++++++++++++++++------------
+ 1 file changed, 79 insertions(+), 38 deletions(-)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index a21e086d69d0e..0194c25b8dc57 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -708,6 +708,17 @@ void l2cap_chan_del(struct l2cap_chan *chan, int err)
+ }
+ EXPORT_SYMBOL_GPL(l2cap_chan_del);
+
++static void __l2cap_chan_list_id(struct l2cap_conn *conn, u16 id,
++ l2cap_chan_func_t func, void *data)
++{
++ struct l2cap_chan *chan, *l;
++
++ list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
++ if (chan->ident == id)
++ func(chan, data);
++ }
++}
++
+ static void __l2cap_chan_list(struct l2cap_conn *conn, l2cap_chan_func_t func,
+ void *data)
+ {
+@@ -775,23 +786,9 @@ static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
+
+ static void l2cap_chan_ecred_connect_reject(struct l2cap_chan *chan)
+ {
+- struct l2cap_conn *conn = chan->conn;
+- struct l2cap_ecred_conn_rsp rsp;
+- u16 result;
+-
+- if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
+- result = L2CAP_CR_LE_AUTHORIZATION;
+- else
+- result = L2CAP_CR_LE_BAD_PSM;
+-
+ l2cap_state_change(chan, BT_DISCONN);
+
+- memset(&rsp, 0, sizeof(rsp));
+-
+- rsp.result = cpu_to_le16(result);
+-
+- l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
+- &rsp);
++ __l2cap_ecred_conn_rsp_defer(chan);
+ }
+
+ static void l2cap_chan_connect_reject(struct l2cap_chan *chan)
+@@ -846,7 +843,7 @@ void l2cap_chan_close(struct l2cap_chan *chan, int reason)
+ break;
+ case L2CAP_MODE_EXT_FLOWCTL:
+ l2cap_chan_ecred_connect_reject(chan);
+- break;
++ return;
+ }
+ }
+ }
+@@ -3938,43 +3935,86 @@ void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
+ &rsp);
+ }
+
+-void __l2cap_ecred_conn_rsp_defer(struct l2cap_chan *chan)
++static void l2cap_ecred_list_defer(struct l2cap_chan *chan, void *data)
+ {
++ int *result = data;
++
++ if (*result || test_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags))
++ return;
++
++ switch (chan->state) {
++ case BT_CONNECT2:
++ /* If channel still pending accept add to result */
++ (*result)++;
++ return;
++ case BT_CONNECTED:
++ return;
++ default:
++ /* If not connected or pending accept it has been refused */
++ *result = -ECONNREFUSED;
++ return;
++ }
++}
++
++struct l2cap_ecred_rsp_data {
+ struct {
+ struct l2cap_ecred_conn_rsp rsp;
+- __le16 dcid[5];
++ __le16 scid[L2CAP_ECRED_MAX_CID];
+ } __packed pdu;
++ int count;
++};
++
++static void l2cap_ecred_rsp_defer(struct l2cap_chan *chan, void *data)
++{
++ struct l2cap_ecred_rsp_data *rsp = data;
++
++ if (test_bit(FLAG_ECRED_CONN_REQ_SENT, &chan->flags))
++ return;
++
++ /* Reset ident so only one response is sent */
++ chan->ident = 0;
++
++ /* Include all channels pending with the same ident */
++ if (!rsp->pdu.rsp.result)
++ rsp->pdu.rsp.dcid[rsp->count++] = cpu_to_le16(chan->scid);
++ else
++ l2cap_chan_del(chan, ECONNRESET);
++}
++
++void __l2cap_ecred_conn_rsp_defer(struct l2cap_chan *chan)
++{
+ struct l2cap_conn *conn = chan->conn;
+- u16 ident = chan->ident;
+- int i = 0;
++ struct l2cap_ecred_rsp_data data;
++ u16 id = chan->ident;
++ int result = 0;
+
+- if (!ident)
++ if (!id)
+ return;
+
+- BT_DBG("chan %p ident %d", chan, ident);
++ BT_DBG("chan %p id %d", chan, id);
+
+- pdu.rsp.mtu = cpu_to_le16(chan->imtu);
+- pdu.rsp.mps = cpu_to_le16(chan->mps);
+- pdu.rsp.credits = cpu_to_le16(chan->rx_credits);
+- pdu.rsp.result = cpu_to_le16(L2CAP_CR_LE_SUCCESS);
++ memset(&data, 0, sizeof(data));
+
+- mutex_lock(&conn->chan_lock);
++ data.pdu.rsp.mtu = cpu_to_le16(chan->imtu);
++ data.pdu.rsp.mps = cpu_to_le16(chan->mps);
++ data.pdu.rsp.credits = cpu_to_le16(chan->rx_credits);
++ data.pdu.rsp.result = cpu_to_le16(L2CAP_CR_LE_SUCCESS);
+
+- list_for_each_entry(chan, &conn->chan_l, list) {
+- if (chan->ident != ident)
+- continue;
++ /* Verify that all channels are ready */
++ __l2cap_chan_list_id(conn, id, l2cap_ecred_list_defer, &result);
+
+- /* Reset ident so only one response is sent */
+- chan->ident = 0;
++ if (result > 0)
++ return;
+
+- /* Include all channels pending with the same ident */
+- pdu.dcid[i++] = cpu_to_le16(chan->scid);
+- }
++ if (result < 0)
++ data.pdu.rsp.result = cpu_to_le16(L2CAP_CR_LE_AUTHORIZATION);
+
+- mutex_unlock(&conn->chan_lock);
++ /* Build response */
++ __l2cap_chan_list_id(conn, id, l2cap_ecred_rsp_defer, &data);
+
+- l2cap_send_cmd(conn, ident, L2CAP_ECRED_CONN_RSP,
+- sizeof(pdu.rsp) + i * sizeof(__le16), &pdu);
++ l2cap_send_cmd(conn, id, L2CAP_ECRED_CONN_RSP,
++ sizeof(data.pdu.rsp) + (data.count * sizeof(__le16)),
++ &data.pdu);
+ }
+
+ void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
+@@ -6078,6 +6118,7 @@ static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn,
+ __set_chan_timer(chan, chan->ops->get_sndtimeo(chan));
+
+ chan->ident = cmd->ident;
++ chan->mode = L2CAP_MODE_EXT_FLOWCTL;
+
+ if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) {
+ l2cap_state_change(chan, BT_CONNECT2);
+--
+2.39.2
+
--- /dev/null
+From b3fce2673f77ac27eaefde14d242c60249aca6d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 22:54:08 +0900
+Subject: bootconfig: Fix testcase to increase max node
+
+From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+
+[ Upstream commit b69245126a48e50882021180fa5d264dc7149ccc ]
+
+Since commit 6c40624930c5 ("bootconfig: Increase max nodes of bootconfig
+from 1024 to 8192 for DCC support") increased the max number of bootconfig
+node to 8192, the bootconfig testcase of the max number of nodes fails.
+To fix this issue, we can not simply increase the number in the test script
+because the test bootconfig file becomes too big (>32KB). To fix that, we
+can use a combination of three alphabets (26^3 = 17576). But with that,
+we can not express the 8193 (just one exceed from the limitation) because
+it also exceeds the max size of bootconfig. So, the first 26 nodes will just
+use one alphabet.
+
+With this fix, test-bootconfig.sh passes all tests.
+
+Link: https://lore.kernel.org/all/167888844790.791176.670805252426835131.stgit@devnote2/
+
+Reported-by: Heinz Wiesinger <pprkut@slackware.com>
+Link: https://lore.kernel.org/all/2463802.XAFRqVoOGU@amaterasu.liwjatan.org
+Fixes: 6c40624930c5 ("bootconfig: Increase max nodes of bootconfig from 1024 to 8192 for DCC support")
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/bootconfig/test-bootconfig.sh | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/tools/bootconfig/test-bootconfig.sh b/tools/bootconfig/test-bootconfig.sh
+index f68e2e9eef8b2..a2c484c243f5d 100755
+--- a/tools/bootconfig/test-bootconfig.sh
++++ b/tools/bootconfig/test-bootconfig.sh
+@@ -87,10 +87,14 @@ xfail grep -i "error" $OUTFILE
+
+ echo "Max node number check"
+
+-echo -n > $TEMPCONF
+-for i in `seq 1 1024` ; do
+- echo "node$i" >> $TEMPCONF
+-done
++awk '
++BEGIN {
++ for (i = 0; i < 26; i += 1)
++ printf("%c\n", 65 + i % 26)
++ for (i = 26; i < 8192; i += 1)
++ printf("%c%c%c\n", 65 + i % 26, 65 + (i / 26) % 26, 65 + (i / 26 / 26))
++}
++' > $TEMPCONF
+ xpass $BOOTCONF -a $TEMPCONF $INITRD
+
+ echo "badnode" >> $TEMPCONF
+--
+2.39.2
+
--- /dev/null
+From 7f84fdf46e5d00de55797de9cc5ab74984bc684b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Mar 2023 15:37:25 +0100
+Subject: bpf: Adjust insufficient default bpf_jit_limit
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit 10ec8ca8ec1a2f04c4ed90897225231c58c124a7 ]
+
+We've seen recent AWS EKS (Kubernetes) user reports like the following:
+
+ After upgrading EKS nodes from v20230203 to v20230217 on our 1.24 EKS
+ clusters after a few days a number of the nodes have containers stuck
+ in ContainerCreating state or liveness/readiness probes reporting the
+ following error:
+
+ Readiness probe errored: rpc error: code = Unknown desc = failed to
+ exec in container: failed to start exec "4a11039f730203ffc003b7[...]":
+ OCI runtime exec failed: exec failed: unable to start container process:
+ unable to init seccomp: error loading seccomp filter into kernel:
+ error loading seccomp filter: errno 524: unknown
+
+ However, we had not been seeing this issue on previous AMIs and it only
+ started to occur on v20230217 (following the upgrade from kernel 5.4 to
+ 5.10) with no other changes to the underlying cluster or workloads.
+
+ We tried the suggestions from that issue (sysctl net.core.bpf_jit_limit=452534528)
+ which helped to immediately allow containers to be created and probes to
+ execute but after approximately a day the issue returned and the value
+ returned by cat /proc/vmallocinfo | grep bpf_jit | awk '{s+=$2} END {print s}'
+ was steadily increasing.
+
+I tested bpf tree to observe bpf_jit_charge_modmem, bpf_jit_uncharge_modmem
+their sizes passed in as well as bpf_jit_current under tcpdump BPF filter,
+seccomp BPF and native (e)BPF programs, and the behavior all looks sane
+and expected, that is nothing "leaking" from an upstream perspective.
+
+The bpf_jit_limit knob was originally added in order to avoid a situation
+where unprivileged applications loading BPF programs (e.g. seccomp BPF
+policies) consuming all the module memory space via BPF JIT such that loading
+of kernel modules would be prevented. The default limit was defined back in
+2018 and while good enough back then, we are generally seeing far more BPF
+consumers today.
+
+Adjust the limit for the BPF JIT pool from originally 1/4 to now 1/2 of the
+module memory space to better reflect today's needs and avoid more users
+running into potentially hard to debug issues.
+
+Fixes: fdadd04931c2 ("bpf: fix bpf_jit_limit knob for PAGE_SIZE >= 64K")
+Reported-by: Stephen Haynes <sh@synk.net>
+Reported-by: Lefteris Alexakis <lefteris.alexakis@kpn.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://github.com/awslabs/amazon-eks-ami/issues/1179
+Link: https://github.com/awslabs/amazon-eks-ami/issues/1219
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Link: https://lore.kernel.org/r/20230320143725.8394-1-daniel@iogearbox.net
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
+index cea0d1296599c..f7c27c1cc593b 100644
+--- a/kernel/bpf/core.c
++++ b/kernel/bpf/core.c
+@@ -829,7 +829,7 @@ static int __init bpf_jit_charge_init(void)
+ {
+ /* Only used as heuristic here to derive limit. */
+ bpf_jit_limit_max = bpf_jit_alloc_exec_limit();
+- bpf_jit_limit = min_t(u64, round_up(bpf_jit_limit_max >> 2,
++ bpf_jit_limit = min_t(u64, round_up(bpf_jit_limit_max >> 1,
+ PAGE_SIZE), LONG_MAX);
+ return 0;
+ }
+--
+2.39.2
+
--- /dev/null
+From adde3b1c5de955793f2b472b9a051b99aef6d9b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Mar 2023 16:19:20 +0100
+Subject: drm/i915/gt: perform uc late init after probe error injection
+
+From: Andrzej Hajda <andrzej.hajda@intel.com>
+
+[ Upstream commit 150784f9285e656373cf3953ef4a7663f1e1a0f2 ]
+
+Probe pseudo errors should be injected only in places where real errors
+can be encountered, otherwise unwinding code can be broken.
+Placing intel_uc_init_late before i915_inject_probe_error violated
+this rule, resulting in following bug:
+__intel_gt_disable:655 GEM_BUG_ON(intel_gt_pm_is_awake(gt))
+
+Fixes: 481d458caede ("drm/i915/guc: Add golden context to GuC ADS")
+Acked-by: Nirmoy Das <nirmoy.das@intel.com>
+Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
+Signed-off-by: Andrzej Hajda <andrzej.hajda@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230314151920.1065847-1-andrzej.hajda@intel.com
+(cherry picked from commit c4252a11131c7f27a158294241466e2a4e7ff94e)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gt/intel_gt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/gt/intel_gt.c b/drivers/gpu/drm/i915/gt/intel_gt.c
+index 952e7177409ba..b2a003127d319 100644
+--- a/drivers/gpu/drm/i915/gt/intel_gt.c
++++ b/drivers/gpu/drm/i915/gt/intel_gt.c
+@@ -709,12 +709,12 @@ int intel_gt_init(struct intel_gt *gt)
+ if (err)
+ goto err_gt;
+
+- intel_uc_init_late(>->uc);
+-
+ err = i915_inject_probe_error(gt->i915, -EIO);
+ if (err)
+ goto err_gt;
+
++ intel_uc_init_late(>->uc);
++
+ intel_migrate_init(>->migrate, gt);
+
+ goto out_fw;
+--
+2.39.2
+
--- /dev/null
+From 78fd85a65d28ba7714d85ff1f6094f5af7206cc5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Mar 2023 16:34:27 +0000
+Subject: erspan: do not use skb_mac_header() in ndo_start_xmit()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 8e50ed774554f93d55426039b27b1e38d7fa64d8 ]
+
+Drivers should not assume skb_mac_header(skb) == skb->data in their
+ndo_start_xmit().
+
+Use skb_network_offset() and skb_transport_offset() which
+better describe what is needed in erspan_fb_xmit() and
+ip6erspan_tunnel_xmit()
+
+syzbot reported:
+WARNING: CPU: 0 PID: 5083 at include/linux/skbuff.h:2873 skb_mac_header include/linux/skbuff.h:2873 [inline]
+WARNING: CPU: 0 PID: 5083 at include/linux/skbuff.h:2873 ip6erspan_tunnel_xmit+0x1d9c/0x2d90 net/ipv6/ip6_gre.c:962
+Modules linked in:
+CPU: 0 PID: 5083 Comm: syz-executor406 Not tainted 6.3.0-rc2-syzkaller-00866-gd4671cb96fa3 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
+RIP: 0010:skb_mac_header include/linux/skbuff.h:2873 [inline]
+RIP: 0010:ip6erspan_tunnel_xmit+0x1d9c/0x2d90 net/ipv6/ip6_gre.c:962
+Code: 04 02 41 01 de 84 c0 74 08 3c 03 0f 8e 1c 0a 00 00 45 89 b4 24 c8 00 00 00 c6 85 77 fe ff ff 01 e9 33 e7 ff ff e8 b4 27 a1 f8 <0f> 0b e9 b6 e7 ff ff e8 a8 27 a1 f8 49 8d bf f0 0c 00 00 48 b8 00
+RSP: 0018:ffffc90003b2f830 EFLAGS: 00010293
+RAX: 0000000000000000 RBX: 000000000000ffff RCX: 0000000000000000
+RDX: ffff888021273a80 RSI: ffffffff88e1bd4c RDI: 0000000000000003
+RBP: ffffc90003b2f9d8 R08: 0000000000000003 R09: 000000000000ffff
+R10: 000000000000ffff R11: 0000000000000000 R12: ffff88802b28da00
+R13: 00000000000000d0 R14: ffff88807e25b6d0 R15: ffff888023408000
+FS: 0000555556a61300(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 000055e5b11eb6e8 CR3: 0000000027c1b000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+<TASK>
+__netdev_start_xmit include/linux/netdevice.h:4900 [inline]
+netdev_start_xmit include/linux/netdevice.h:4914 [inline]
+__dev_direct_xmit+0x504/0x730 net/core/dev.c:4300
+dev_direct_xmit include/linux/netdevice.h:3088 [inline]
+packet_xmit+0x20a/0x390 net/packet/af_packet.c:285
+packet_snd net/packet/af_packet.c:3075 [inline]
+packet_sendmsg+0x31a0/0x5150 net/packet/af_packet.c:3107
+sock_sendmsg_nosec net/socket.c:724 [inline]
+sock_sendmsg+0xde/0x190 net/socket.c:747
+__sys_sendto+0x23a/0x340 net/socket.c:2142
+__do_sys_sendto net/socket.c:2154 [inline]
+__se_sys_sendto net/socket.c:2150 [inline]
+__x64_sys_sendto+0xe1/0x1b0 net/socket.c:2150
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+RIP: 0033:0x7f123aaa1039
+Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007ffc15d12058 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f123aaa1039
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
+RBP: 0000000000000000 R08: 0000000020000040 R09: 0000000000000014
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007f123aa648c0
+R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000
+
+Fixes: 1baf5ebf8954 ("erspan: auto detect truncated packets.")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Link: https://lore.kernel.org/r/20230320163427.8096-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/ip_gre.c | 4 ++--
+ net/ipv6/ip6_gre.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
+index 454c4357a2979..c094963a86f1e 100644
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -552,7 +552,7 @@ static void erspan_fb_xmit(struct sk_buff *skb, struct net_device *dev)
+ truncate = true;
+ }
+
+- nhoff = skb_network_header(skb) - skb_mac_header(skb);
++ nhoff = skb_network_offset(skb);
+ if (skb->protocol == htons(ETH_P_IP) &&
+ (ntohs(ip_hdr(skb)->tot_len) > skb->len - nhoff))
+ truncate = true;
+@@ -561,7 +561,7 @@ static void erspan_fb_xmit(struct sk_buff *skb, struct net_device *dev)
+ int thoff;
+
+ if (skb_transport_header_was_set(skb))
+- thoff = skb_transport_header(skb) - skb_mac_header(skb);
++ thoff = skb_transport_offset(skb);
+ else
+ thoff = nhoff + sizeof(struct ipv6hdr);
+ if (ntohs(ipv6_hdr(skb)->payload_len) > skb->len - thoff)
+diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
+index 13b1748b8b465..a91f93ec7d2b4 100644
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -959,7 +959,7 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb,
+ truncate = true;
+ }
+
+- nhoff = skb_network_header(skb) - skb_mac_header(skb);
++ nhoff = skb_network_offset(skb);
+ if (skb->protocol == htons(ETH_P_IP) &&
+ (ntohs(ip_hdr(skb)->tot_len) > skb->len - nhoff))
+ truncate = true;
+@@ -968,7 +968,7 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb,
+ int thoff;
+
+ if (skb_transport_header_was_set(skb))
+- thoff = skb_transport_header(skb) - skb_mac_header(skb);
++ thoff = skb_transport_offset(skb);
+ else
+ thoff = nhoff + sizeof(struct ipv6hdr);
+ if (ntohs(ipv6_hdr(skb)->payload_len) > skb->len - thoff)
+--
+2.39.2
+
--- /dev/null
+From 65ddd78f705acfec2337628985c02de53b077e39 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Mar 2023 10:23:32 -0700
+Subject: gve: Cache link_speed value from device
+
+From: Joshua Washington <joshwash@google.com>
+
+[ Upstream commit 68c3e4fc8628b1487c965aabb29207249657eb5f ]
+
+The link speed is never changed for the uptime of a VM, and the current
+implementation sends an admin queue command for each call. Admin queue
+command invocations have nontrivial overhead (e.g., VM exits), which can
+be disruptive to users if triggered frequently. Our telemetry data shows
+that there are VMs that make frequent calls to this admin queue command.
+Caching the result of the original admin queue command would eliminate
+the need to send multiple admin queue commands on subsequent calls to
+retrieve link speed.
+
+Fixes: 7e074d5a76ca ("gve: Enable Link Speed Reporting in the driver.")
+Signed-off-by: Joshua Washington <joshwash@google.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Link: https://lore.kernel.org/r/20230321172332.91678-1-joshwash@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/google/gve/gve_ethtool.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/google/gve/gve_ethtool.c b/drivers/net/ethernet/google/gve/gve_ethtool.c
+index 878329ddcf8df..6a0663aadd1e9 100644
+--- a/drivers/net/ethernet/google/gve/gve_ethtool.c
++++ b/drivers/net/ethernet/google/gve/gve_ethtool.c
+@@ -526,7 +526,10 @@ static int gve_get_link_ksettings(struct net_device *netdev,
+ struct ethtool_link_ksettings *cmd)
+ {
+ struct gve_priv *priv = netdev_priv(netdev);
+- int err = gve_adminq_report_link_speed(priv);
++ int err = 0;
++
++ if (priv->link_speed == 0)
++ err = gve_adminq_report_link_speed(priv);
+
+ cmd->base.speed = priv->link_speed;
+ return err;
+--
+2.39.2
+
--- /dev/null
+From a2c7ab457a3a73039448065f45c7210a1cbe3d6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Nov 2022 16:09:11 +0100
+Subject: hvc/xen: prevent concurrent accesses to the shared ring
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Roger Pau Monne <roger.pau@citrix.com>
+
+[ Upstream commit 6214894f49a967c749ee6c07cb00f9cede748df4 ]
+
+The hvc machinery registers both a console and a tty device based on
+the hv ops provided by the specific implementation. Those two
+interfaces however have different locks, and there's no single locks
+that's shared between the tty and the console implementations, hence
+the driver needs to protect itself against concurrent accesses.
+Otherwise concurrent calls using the split interfaces are likely to
+corrupt the ring indexes, leaving the console unusable.
+
+Introduce a lock to xencons_info to serialize accesses to the shared
+ring. This is only required when using the shared memory console,
+concurrent accesses to the hypercall based console implementation are
+not an issue.
+
+Note the conditional logic in domU_read_console() is slightly modified
+so the notify_daemon() call can be done outside of the locked region:
+it's an hypercall and there's no need for it to be done with the lock
+held.
+
+Fixes: b536b4b96230 ('xen: use the hvc console infrastructure for Xen console')
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Link: https://lore.kernel.org/r/20221130150919.13935-1-roger.pau@citrix.com
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/hvc/hvc_xen.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/tty/hvc/hvc_xen.c b/drivers/tty/hvc/hvc_xen.c
+index 609a51137e96f..f2f066ce8d9ef 100644
+--- a/drivers/tty/hvc/hvc_xen.c
++++ b/drivers/tty/hvc/hvc_xen.c
+@@ -43,6 +43,7 @@ struct xencons_info {
+ int irq;
+ int vtermno;
+ grant_ref_t gntref;
++ spinlock_t ring_lock;
+ };
+
+ static LIST_HEAD(xenconsoles);
+@@ -89,12 +90,15 @@ static int __write_console(struct xencons_info *xencons,
+ XENCONS_RING_IDX cons, prod;
+ struct xencons_interface *intf = xencons->intf;
+ int sent = 0;
++ unsigned long flags;
+
++ spin_lock_irqsave(&xencons->ring_lock, flags);
+ cons = intf->out_cons;
+ prod = intf->out_prod;
+ mb(); /* update queue values before going on */
+
+ if ((prod - cons) > sizeof(intf->out)) {
++ spin_unlock_irqrestore(&xencons->ring_lock, flags);
+ pr_err_once("xencons: Illegal ring page indices");
+ return -EINVAL;
+ }
+@@ -104,6 +108,7 @@ static int __write_console(struct xencons_info *xencons,
+
+ wmb(); /* write ring before updating pointer */
+ intf->out_prod = prod;
++ spin_unlock_irqrestore(&xencons->ring_lock, flags);
+
+ if (sent)
+ notify_daemon(xencons);
+@@ -146,16 +151,19 @@ static int domU_read_console(uint32_t vtermno, char *buf, int len)
+ int recv = 0;
+ struct xencons_info *xencons = vtermno_to_xencons(vtermno);
+ unsigned int eoiflag = 0;
++ unsigned long flags;
+
+ if (xencons == NULL)
+ return -EINVAL;
+ intf = xencons->intf;
+
++ spin_lock_irqsave(&xencons->ring_lock, flags);
+ cons = intf->in_cons;
+ prod = intf->in_prod;
+ mb(); /* get pointers before reading ring */
+
+ if ((prod - cons) > sizeof(intf->in)) {
++ spin_unlock_irqrestore(&xencons->ring_lock, flags);
+ pr_err_once("xencons: Illegal ring page indices");
+ return -EINVAL;
+ }
+@@ -179,10 +187,13 @@ static int domU_read_console(uint32_t vtermno, char *buf, int len)
+ xencons->out_cons = intf->out_cons;
+ xencons->out_cons_same = 0;
+ }
++ if (!recv && xencons->out_cons_same++ > 1) {
++ eoiflag = XEN_EOI_FLAG_SPURIOUS;
++ }
++ spin_unlock_irqrestore(&xencons->ring_lock, flags);
++
+ if (recv) {
+ notify_daemon(xencons);
+- } else if (xencons->out_cons_same++ > 1) {
+- eoiflag = XEN_EOI_FLAG_SPURIOUS;
+ }
+
+ xen_irq_lateeoi(xencons->irq, eoiflag);
+@@ -239,6 +250,7 @@ static int xen_hvm_console_init(void)
+ info = kzalloc(sizeof(struct xencons_info), GFP_KERNEL);
+ if (!info)
+ return -ENOMEM;
++ spin_lock_init(&info->ring_lock);
+ } else if (info->intf != NULL) {
+ /* already configured */
+ return 0;
+@@ -275,6 +287,7 @@ static int xen_hvm_console_init(void)
+
+ static int xencons_info_pv_init(struct xencons_info *info, int vtermno)
+ {
++ spin_lock_init(&info->ring_lock);
+ info->evtchn = xen_start_info->console.domU.evtchn;
+ /* GFN == MFN for PV guest */
+ info->intf = gfn_to_virt(xen_start_info->console.domU.mfn);
+@@ -325,6 +338,7 @@ static int xen_initial_domain_console_init(void)
+ info = kzalloc(sizeof(struct xencons_info), GFP_KERNEL);
+ if (!info)
+ return -ENOMEM;
++ spin_lock_init(&info->ring_lock);
+ }
+
+ info->irq = bind_virq_to_irq(VIRQ_CONSOLE, 0, false);
+@@ -482,6 +496,7 @@ static int xencons_probe(struct xenbus_device *dev,
+ info = kzalloc(sizeof(struct xencons_info), GFP_KERNEL);
+ if (!info)
+ return -ENOMEM;
++ spin_lock_init(&info->ring_lock);
+ dev_set_drvdata(&dev->dev, info);
+ info->xbdev = dev;
+ info->vtermno = xenbus_devid_to_vtermno(devid);
+--
+2.39.2
+
--- /dev/null
+From 761f47aafd9b65d8daf8328c50acde69ad1a414a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Mar 2023 15:45:52 +0800
+Subject: i2c: hisi: Only use the completion interrupt to finish the transfer
+
+From: Yicong Yang <yangyicong@hisilicon.com>
+
+[ Upstream commit d98263512684a47e81bcb72a5408958ecd1e60b0 ]
+
+The controller will always generate a completion interrupt when the
+transfer is finished normally or not. Currently we use either error or
+completion interrupt to finish, this may result the completion
+interrupt unhandled and corrupt the next transfer, especially at low
+speed mode. Since on error case, the error interrupt will come first
+then is the completion interrupt. So only use the completion interrupt
+to finish the whole transfer process.
+
+Fixes: d62fbdb99a85 ("i2c: add support for HiSilicon I2C controller")
+Reported-by: Sheng Feng <fengsheng5@huawei.com>
+Signed-off-by: Sheng Feng <fengsheng5@huawei.com>
+Signed-off-by: Yicong Yang <yangyicong@hisilicon.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-hisi.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/i2c/busses/i2c-hisi.c b/drivers/i2c/busses/i2c-hisi.c
+index acf3948120613..72e43ecaff133 100644
+--- a/drivers/i2c/busses/i2c-hisi.c
++++ b/drivers/i2c/busses/i2c-hisi.c
+@@ -340,7 +340,11 @@ static irqreturn_t hisi_i2c_irq(int irq, void *context)
+ hisi_i2c_read_rx_fifo(ctlr);
+
+ out:
+- if (int_stat & HISI_I2C_INT_TRANS_CPLT || ctlr->xfer_err) {
++ /*
++ * Only use TRANS_CPLT to indicate the completion. On error cases we'll
++ * get two interrupts, INT_ERR first then TRANS_CPLT.
++ */
++ if (int_stat & HISI_I2C_INT_TRANS_CPLT) {
+ hisi_i2c_disable_int(ctlr, HISI_I2C_INT_ALL);
+ hisi_i2c_clear_int(ctlr, HISI_I2C_INT_ALL);
+ complete(ctlr->completion);
+--
+2.39.2
+
--- /dev/null
+From 1944eae1de117b336846fe8a0ef285edd88f49b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jan 2023 16:32:47 +0100
+Subject: i2c: imx-lpi2c: check only for enabled interrupt flags
+
+From: Alexander Stein <alexander.stein@ew.tq-group.com>
+
+[ Upstream commit 1c7885004567e8951d65a983be095f254dd20bef ]
+
+When reading from I2C, the Tx watermark is set to 0. Unfortunately the
+TDF (transmit data flag) is enabled when Tx FIFO entries is equal or less
+than watermark. So it is set in every case, hence the reset default of 1.
+This results in the MSR_RDF _and_ MSR_TDF flags to be set thus trying
+to send Tx data on a read message.
+Mask the IRQ status to filter for wanted flags only.
+
+Fixes: a55fa9d0e42e ("i2c: imx-lpi2c: add low power i2c bus driver")
+Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
+Tested-by: Emanuele Ghidoli <emanuele.ghidoli@toradex.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-imx-lpi2c.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/i2c/busses/i2c-imx-lpi2c.c b/drivers/i2c/busses/i2c-imx-lpi2c.c
+index 8b9ba055c4186..2018dbcf241e9 100644
+--- a/drivers/i2c/busses/i2c-imx-lpi2c.c
++++ b/drivers/i2c/busses/i2c-imx-lpi2c.c
+@@ -502,10 +502,14 @@ static int lpi2c_imx_xfer(struct i2c_adapter *adapter,
+ static irqreturn_t lpi2c_imx_isr(int irq, void *dev_id)
+ {
+ struct lpi2c_imx_struct *lpi2c_imx = dev_id;
++ unsigned int enabled;
+ unsigned int temp;
+
++ enabled = readl(lpi2c_imx->base + LPI2C_MIER);
++
+ lpi2c_imx_intctrl(lpi2c_imx, 0);
+ temp = readl(lpi2c_imx->base + LPI2C_MSR);
++ temp &= enabled;
+
+ if (temp & MSR_RDF)
+ lpi2c_imx_read_rxfifo(lpi2c_imx);
+--
+2.39.2
+
--- /dev/null
+From 3ba627ccc92f4a4ec506fc9cce171e8297e12e93 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Mar 2023 15:07:33 +0100
+Subject: i40e: fix flow director packet filter programming
+
+From: Radoslaw Tyl <radoslawx.tyl@intel.com>
+
+[ Upstream commit c672297bbc0e86dbf88396b8053e2fbb173f16ff ]
+
+Initialize to zero structures to build a valid
+Tx Packet used for the filter programming.
+
+Fixes: a9219b332f52 ("i40e: VLAN field for flow director")
+Signed-off-by: Radoslaw Tyl <radoslawx.tyl@intel.com>
+Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+Tested-by: Arpana Arland <arpanax.arland@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_txrx.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.c b/drivers/net/ethernet/intel/i40e/i40e_txrx.c
+index 8f5aad9bbba33..9787e794eeda6 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.c
+@@ -170,10 +170,10 @@ static char *i40e_create_dummy_packet(u8 *dummy_packet, bool ipv4, u8 l4proto,
+ struct i40e_fdir_filter *data)
+ {
+ bool is_vlan = !!data->vlan_tag;
+- struct vlan_hdr vlan;
+- struct ipv6hdr ipv6;
+- struct ethhdr eth;
+- struct iphdr ip;
++ struct vlan_hdr vlan = {};
++ struct ipv6hdr ipv6 = {};
++ struct ethhdr eth = {};
++ struct iphdr ip = {};
+ u8 *tmp;
+
+ if (ipv4) {
+--
+2.39.2
+
--- /dev/null
+From e9e2cf943764a8a61066341db7f7a21b528f80ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Mar 2023 17:06:45 +0100
+Subject: iavf: fix hang on reboot with ice
+
+From: Stefan Assmann <sassmann@kpanic.de>
+
+[ Upstream commit 4e264be98b88a6d6f476c11087fe865696e8bef5 ]
+
+When a system with E810 with existing VFs gets rebooted the following
+hang may be observed.
+
+ Pid 1 is hung in iavf_remove(), part of a network driver:
+ PID: 1 TASK: ffff965400e5a340 CPU: 24 COMMAND: "systemd-shutdow"
+ #0 [ffffaad04005fa50] __schedule at ffffffff8b3239cb
+ #1 [ffffaad04005fae8] schedule at ffffffff8b323e2d
+ #2 [ffffaad04005fb00] schedule_hrtimeout_range_clock at ffffffff8b32cebc
+ #3 [ffffaad04005fb80] usleep_range_state at ffffffff8b32c930
+ #4 [ffffaad04005fbb0] iavf_remove at ffffffffc12b9b4c [iavf]
+ #5 [ffffaad04005fbf0] pci_device_remove at ffffffff8add7513
+ #6 [ffffaad04005fc10] device_release_driver_internal at ffffffff8af08baa
+ #7 [ffffaad04005fc40] pci_stop_bus_device at ffffffff8adcc5fc
+ #8 [ffffaad04005fc60] pci_stop_and_remove_bus_device at ffffffff8adcc81e
+ #9 [ffffaad04005fc70] pci_iov_remove_virtfn at ffffffff8adf9429
+ #10 [ffffaad04005fca8] sriov_disable at ffffffff8adf98e4
+ #11 [ffffaad04005fcc8] ice_free_vfs at ffffffffc04bb2c8 [ice]
+ #12 [ffffaad04005fd10] ice_remove at ffffffffc04778fe [ice]
+ #13 [ffffaad04005fd38] ice_shutdown at ffffffffc0477946 [ice]
+ #14 [ffffaad04005fd50] pci_device_shutdown at ffffffff8add58f1
+ #15 [ffffaad04005fd70] device_shutdown at ffffffff8af05386
+ #16 [ffffaad04005fd98] kernel_restart at ffffffff8a92a870
+ #17 [ffffaad04005fda8] __do_sys_reboot at ffffffff8a92abd6
+ #18 [ffffaad04005fee0] do_syscall_64 at ffffffff8b317159
+ #19 [ffffaad04005ff08] __context_tracking_enter at ffffffff8b31b6fc
+ #20 [ffffaad04005ff18] syscall_exit_to_user_mode at ffffffff8b31b50d
+ #21 [ffffaad04005ff28] do_syscall_64 at ffffffff8b317169
+ #22 [ffffaad04005ff50] entry_SYSCALL_64_after_hwframe at ffffffff8b40009b
+ RIP: 00007f1baa5c13d7 RSP: 00007fffbcc55a98 RFLAGS: 00000202
+ RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1baa5c13d7
+ RDX: 0000000001234567 RSI: 0000000028121969 RDI: 00000000fee1dead
+ RBP: 00007fffbcc55ca0 R8: 0000000000000000 R9: 00007fffbcc54e90
+ R10: 00007fffbcc55050 R11: 0000000000000202 R12: 0000000000000005
+ R13: 0000000000000000 R14: 00007fffbcc55af0 R15: 0000000000000000
+ ORIG_RAX: 00000000000000a9 CS: 0033 SS: 002b
+
+During reboot all drivers PM shutdown callbacks are invoked.
+In iavf_shutdown() the adapter state is changed to __IAVF_REMOVE.
+In ice_shutdown() the call chain above is executed, which at some point
+calls iavf_remove(). However iavf_remove() expects the VF to be in one
+of the states __IAVF_RUNNING, __IAVF_DOWN or __IAVF_INIT_FAILED. If
+that's not the case it sleeps forever.
+So if iavf_shutdown() gets invoked before iavf_remove() the system will
+hang indefinitely because the adapter is already in state __IAVF_REMOVE.
+
+Fix this by returning from iavf_remove() if the state is __IAVF_REMOVE,
+as we already went through iavf_shutdown().
+
+Fixes: 974578017fc1 ("iavf: Add waiting so the port is initialized in remove")
+Fixes: a8417330f8a5 ("iavf: Fix race condition between iavf_shutdown and iavf_remove")
+Reported-by: Marius Cornea <mcornea@redhat.com>
+Signed-off-by: Stefan Assmann <sassmann@kpanic.de>
+Reviewed-by: Michal Kubiak <michal.kubiak@intel.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index 82c4f1190e41c..f5e6ae2c683f4 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -4213,6 +4213,11 @@ static void iavf_remove(struct pci_dev *pdev)
+ mutex_unlock(&adapter->crit_lock);
+ break;
+ }
++ /* Simply return if we already went through iavf_shutdown */
++ if (adapter->state == __IAVF_REMOVE) {
++ mutex_unlock(&adapter->crit_lock);
++ return;
++ }
+
+ mutex_unlock(&adapter->crit_lock);
+ usleep_range(500, 1000);
+--
+2.39.2
+
--- /dev/null
+From 65710502fff434276ed5661f9a86c963a51c993d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Mar 2023 12:59:07 +0100
+Subject: iavf: fix inverted Rx hash condition leading to disabled hash
+
+From: Alexander Lobakin <aleksander.lobakin@intel.com>
+
+[ Upstream commit 32d57f667f871bc5a8babbe27ea4c5e668ee0ea8 ]
+
+Condition, which checks whether the netdev has hashing enabled is
+inverted. Basically, the tagged commit effectively disabled passing flow
+hash from descriptor to skb, unless user *disables* it via Ethtool.
+Commit a876c3ba59a6 ("i40e/i40evf: properly report Rx packet hash")
+fixed this problem, but only for i40e.
+Invert the condition now in iavf and unblock passing hash to skbs again.
+
+Fixes: 857942fd1aa1 ("i40e: Fix Rx hash reported to the stack by our driver")
+Reviewed-by: Larysa Zaremba <larysa.zaremba@intel.com>
+Reviewed-by: Michal Kubiak <michal.kubiak@intel.com>
+Signed-off-by: Alexander Lobakin <aleksander.lobakin@intel.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf_txrx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_txrx.c b/drivers/net/ethernet/intel/iavf/iavf_txrx.c
+index e76e3df3e2d9e..643dbe5bf9973 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_txrx.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_txrx.c
+@@ -1061,7 +1061,7 @@ static inline void iavf_rx_hash(struct iavf_ring *ring,
+ cpu_to_le64((u64)IAVF_RX_DESC_FLTSTAT_RSS_HASH <<
+ IAVF_RX_DESC_STATUS_FLTSTAT_SHIFT);
+
+- if (ring->netdev->features & NETIF_F_RXHASH)
++ if (!(ring->netdev->features & NETIF_F_RXHASH))
+ return;
+
+ if ((rx_desc->wb.qword1.status_error_len & rss_mask) == rss_mask) {
+--
+2.39.2
+
--- /dev/null
+From 60b0e803afcd2f253ee01821d4e42b14a1427428 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Mar 2023 12:59:08 +0100
+Subject: iavf: fix non-tunneled IPv6 UDP packet type and hashing
+
+From: Alexander Lobakin <aleksander.lobakin@intel.com>
+
+[ Upstream commit de58647b4301fe181f9c38e8b46f7021584ae427 ]
+
+Currently, IAVF's decode_rx_desc_ptype() correctly reports payload type
+of L4 for IPv4 UDP packets and IPv{4,6} TCP, but only L3 for IPv6 UDP.
+Originally, i40e, ice and iavf were affected.
+Commit 73df8c9e3e3d ("i40e: Correct UDP packet header for non_tunnel-ipv6")
+fixed that in i40e, then
+commit 638a0c8c8861 ("ice: fix incorrect payload indicator on PTYPE")
+fixed that for ice.
+IPv6 UDP is L4 obviously. Fix it and make iavf report correct L4 hash
+type for such packets, so that the stack won't calculate it on CPU when
+needs it.
+
+Fixes: 206812b5fccb ("i40e/i40evf: i40e implementation for skb_set_hash")
+Reviewed-by: Larysa Zaremba <larysa.zaremba@intel.com>
+Reviewed-by: Michal Kubiak <michal.kubiak@intel.com>
+Signed-off-by: Alexander Lobakin <aleksander.lobakin@intel.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_common.c b/drivers/net/ethernet/intel/iavf/iavf_common.c
+index e9cc7f6ddc466..c423e73c2d026 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_common.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_common.c
+@@ -661,7 +661,7 @@ struct iavf_rx_ptype_decoded iavf_ptype_lookup[BIT(8)] = {
+ /* Non Tunneled IPv6 */
+ IAVF_PTT(88, IP, IPV6, FRG, NONE, NONE, NOF, NONE, PAY3),
+ IAVF_PTT(89, IP, IPV6, NOF, NONE, NONE, NOF, NONE, PAY3),
+- IAVF_PTT(90, IP, IPV6, NOF, NONE, NONE, NOF, UDP, PAY3),
++ IAVF_PTT(90, IP, IPV6, NOF, NONE, NONE, NOF, UDP, PAY4),
+ IAVF_PTT_UNUSED_ENTRY(91),
+ IAVF_PTT(92, IP, IPV6, NOF, NONE, NONE, NOF, TCP, PAY4),
+ IAVF_PTT(93, IP, IPV6, NOF, NONE, NONE, NOF, SCTP, PAY4),
+--
+2.39.2
+
--- /dev/null
+From 841f14cbea3b015e9d63b6382c8cb8b9af357909 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Dec 2022 19:20:03 +0900
+Subject: igbvf: Regard vf reset nack as success
+
+From: Akihiko Odaki <akihiko.odaki@daynix.com>
+
+[ Upstream commit 02c83791ef969c6a8a150b4927193d0d0e50fb23 ]
+
+vf reset nack actually represents the reset operation itself is
+performed but no address is assigned. Therefore, e1000_reset_hw_vf
+should fill the "perm_addr" with the zero address and return success on
+such an occasion. This prevents its callers in netdev.c from saying PF
+still resetting, and instead allows them to correctly report that no
+address is assigned.
+
+Fixes: 6ddbc4cf1f4d ("igb: Indicate failure on vf reset for empty mac address")
+Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Tested-by: Marek Szlosek <marek.szlosek@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igbvf/vf.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igbvf/vf.c b/drivers/net/ethernet/intel/igbvf/vf.c
+index b8ba3f94c3632..a47a2e3e548cf 100644
+--- a/drivers/net/ethernet/intel/igbvf/vf.c
++++ b/drivers/net/ethernet/intel/igbvf/vf.c
+@@ -1,6 +1,8 @@
+ // SPDX-License-Identifier: GPL-2.0
+ /* Copyright(c) 2009 - 2018 Intel Corporation. */
+
++#include <linux/etherdevice.h>
++
+ #include "vf.h"
+
+ static s32 e1000_check_for_link_vf(struct e1000_hw *hw);
+@@ -131,11 +133,16 @@ static s32 e1000_reset_hw_vf(struct e1000_hw *hw)
+ /* set our "perm_addr" based on info provided by PF */
+ ret_val = mbx->ops.read_posted(hw, msgbuf, 3);
+ if (!ret_val) {
+- if (msgbuf[0] == (E1000_VF_RESET |
+- E1000_VT_MSGTYPE_ACK))
++ switch (msgbuf[0]) {
++ case E1000_VF_RESET | E1000_VT_MSGTYPE_ACK:
+ memcpy(hw->mac.perm_addr, addr, ETH_ALEN);
+- else
++ break;
++ case E1000_VF_RESET | E1000_VT_MSGTYPE_NACK:
++ eth_zero_addr(hw->mac.perm_addr);
++ break;
++ default:
+ ret_val = -E1000_ERR_MAC_INIT;
++ }
+ }
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 66b6f59c46b19faef8b94897fa48ae1a3ba0a218 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Mar 2023 15:45:31 +0900
+Subject: igc: fix the validation logic for taprio's gate list
+
+From: AKASHI Takahiro <takahiro.akashi@linaro.org>
+
+[ Upstream commit 2b4cc3d3f4d8ec42961e98568a0afeee96a943ab ]
+
+The check introduced in the commit a5fd39464a40 ("igc: Lift TAPRIO schedule
+restriction") can detect a false positive error in some corner case.
+For instance,
+ tc qdisc replace ... taprio num_tc 4
+ ...
+ sched-entry S 0x01 100000 # slot#1
+ sched-entry S 0x03 100000 # slot#2
+ sched-entry S 0x04 100000 # slot#3
+ sched-entry S 0x08 200000 # slot#4
+ flags 0x02 # hardware offload
+
+Here the queue#0 (the first queue) is on at the slot#1 and #2,
+and off at the slot#3 and #4. Under the current logic, when the slot#4
+is examined, validate_schedule() returns *false* since the enablement
+count for the queue#0 is two and it is already off at the previous slot
+(i.e. #3). But this definition is truely correct.
+
+Let's fix the logic to enforce a strict validation for consecutively-opened
+slots.
+
+Fixes: a5fd39464a40 ("igc: Lift TAPRIO schedule restriction")
+Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
+Reviewed-by: Kurt Kanzenbach <kurt@linutronix.de>
+Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Tested-by: Naama Meir <naamax.meir@linux.intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index bde3fea2c442e..e255b0a004f88 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -5951,18 +5951,18 @@ static bool validate_schedule(struct igc_adapter *adapter,
+ if (e->command != TC_TAPRIO_CMD_SET_GATES)
+ return false;
+
+- for (i = 0; i < adapter->num_tx_queues; i++) {
+- if (e->gate_mask & BIT(i))
++ for (i = 0; i < adapter->num_tx_queues; i++)
++ if (e->gate_mask & BIT(i)) {
+ queue_uses[i]++;
+
+- /* There are limitations: A single queue cannot be
+- * opened and closed multiple times per cycle unless the
+- * gate stays open. Check for it.
+- */
+- if (queue_uses[i] > 1 &&
+- !(prev->gate_mask & BIT(i)))
+- return false;
+- }
++ /* There are limitations: A single queue cannot
++ * be opened and closed multiple times per cycle
++ * unless the gate stays open. Check for it.
++ */
++ if (queue_uses[i] > 1 &&
++ !(prev->gate_mask & BIT(i)))
++ return false;
++ }
+ }
+
+ return true;
+--
+2.39.2
+
--- /dev/null
+From cea5ef4d6d7784a93a5423d632f7f88d6671a626 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Nov 2022 10:28:52 +0800
+Subject: intel/igbvf: free irq on the error path in igbvf_request_msix()
+
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+
+[ Upstream commit 85eb39bb39cbb5c086df1e19ba67cc1366693a77 ]
+
+In igbvf_request_msix(), irqs have not been freed on the err path,
+we need to free it. Fix it.
+
+Fixes: d4e0fe01a38a ("igbvf: add new driver to support 82576 virtual functions")
+Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Reviewed-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Tested-by: Marek Szlosek <marek.szlosek@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igbvf/netdev.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igbvf/netdev.c b/drivers/net/ethernet/intel/igbvf/netdev.c
+index d051918dfdff9..ebd6d464fa0cf 100644
+--- a/drivers/net/ethernet/intel/igbvf/netdev.c
++++ b/drivers/net/ethernet/intel/igbvf/netdev.c
+@@ -1074,7 +1074,7 @@ static int igbvf_request_msix(struct igbvf_adapter *adapter)
+ igbvf_intr_msix_rx, 0, adapter->rx_ring->name,
+ netdev);
+ if (err)
+- goto out;
++ goto free_irq_tx;
+
+ adapter->rx_ring->itr_register = E1000_EITR(vector);
+ adapter->rx_ring->itr_val = adapter->current_itr;
+@@ -1083,10 +1083,14 @@ static int igbvf_request_msix(struct igbvf_adapter *adapter)
+ err = request_irq(adapter->msix_entries[vector].vector,
+ igbvf_msix_other, 0, netdev->name, netdev);
+ if (err)
+- goto out;
++ goto free_irq_rx;
+
+ igbvf_configure_msix(adapter);
+ return 0;
++free_irq_rx:
++ free_irq(adapter->msix_entries[--vector].vector, netdev);
++free_irq_tx:
++ free_irq(adapter->msix_entries[--vector].vector, netdev);
+ out:
+ return err;
+ }
+--
+2.39.2
+
--- /dev/null
+From 2d2976fabdb1ae6b49f0bc9e4fc168f6d706b68a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Mar 2023 15:15:18 +0000
+Subject: keys: Do not cache key in task struct if key is requested from kernel
+ thread
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 47f9e4c924025c5be87959d3335e66fcbb7f6b5c ]
+
+The key which gets cached in task structure from a kernel thread does not
+get invalidated even after expiry. Due to which, a new key request from
+kernel thread will be served with the cached key if it's present in task
+struct irrespective of the key validity. The change is to not cache key in
+task_struct when key requested from kernel thread so that kernel thread
+gets a valid key on every key request.
+
+The problem has been seen with the cifs module doing DNS lookups from a
+kernel thread and the results getting pinned by being attached to that
+kernel thread's cache - and thus not something that can be easily got rid
+of. The cache would ordinarily be cleared by notify-resume, but kernel
+threads don't do that.
+
+This isn't seen with AFS because AFS is doing request_key() within the
+kernel half of a user thread - which will do notify-resume.
+
+Fixes: 7743c48e54ee ("keys: Cache result of request_key*() temporarily in task_struct")
+Signed-off-by: Bharath SM <bharathsm@microsoft.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+cc: Shyam Prasad N <nspmangalore@gmail.com>
+cc: Steve French <smfrench@gmail.com>
+cc: keyrings@vger.kernel.org
+cc: linux-cifs@vger.kernel.org
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/CAGypqWw951d=zYRbdgNR4snUDvJhWL=q3=WOyh7HhSJupjz2vA@mail.gmail.com/
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/keys/request_key.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/security/keys/request_key.c b/security/keys/request_key.c
+index 2da4404276f0f..07a0ef2baacd8 100644
+--- a/security/keys/request_key.c
++++ b/security/keys/request_key.c
+@@ -38,9 +38,12 @@ static void cache_requested_key(struct key *key)
+ #ifdef CONFIG_KEYS_REQUEST_CACHE
+ struct task_struct *t = current;
+
+- key_put(t->cached_requested_key);
+- t->cached_requested_key = key_get(key);
+- set_tsk_thread_flag(t, TIF_NOTIFY_RESUME);
++ /* Do not cache key if it is a kernel thread */
++ if (!(t->flags & PF_KTHREAD)) {
++ key_put(t->cached_requested_key);
++ t->cached_requested_key = key_get(key);
++ set_tsk_thread_flag(t, TIF_NOTIFY_RESUME);
++ }
+ #endif
+ }
+
+--
+2.39.2
+
--- /dev/null
+From 408cf459b8fdeb20b1ee2302ebfb40a8476b8b6f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Mar 2023 21:56:07 +0900
+Subject: ksmbd: add low bound validation to FSCTL_QUERY_ALLOCATED_RANGES
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+[ Upstream commit 342edb60dcda7a409430359b0cac2864bb9dfe44 ]
+
+Smatch static checker warning:
+ fs/ksmbd/vfs.c:1040 ksmbd_vfs_fqar_lseek() warn: no lower bound on 'length'
+ fs/ksmbd/vfs.c:1041 ksmbd_vfs_fqar_lseek() warn: no lower bound on 'start'
+
+Fix unexpected result that could caused from negative start and length.
+
+Fixes: f44158485826 ("cifsd: add file operations")
+Reported-by: Dan Carpenter <error27@gmail.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ksmbd/smb2pdu.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
+index 305313abbc24b..45e7c854e1d4b 100644
+--- a/fs/ksmbd/smb2pdu.c
++++ b/fs/ksmbd/smb2pdu.c
+@@ -7415,13 +7415,16 @@ static int fsctl_query_allocated_ranges(struct ksmbd_work *work, u64 id,
+ if (in_count == 0)
+ return -EINVAL;
+
++ start = le64_to_cpu(qar_req->file_offset);
++ length = le64_to_cpu(qar_req->length);
++
++ if (start < 0 || length < 0)
++ return -EINVAL;
++
+ fp = ksmbd_lookup_fd_fast(work, id);
+ if (!fp)
+ return -ENOENT;
+
+- start = le64_to_cpu(qar_req->file_offset);
+- length = le64_to_cpu(qar_req->length);
+-
+ ret = ksmbd_vfs_fqar_lseek(fp, start, length,
+ qar_rsp, in_count, out_count);
+ if (ret && ret != -E2BIG)
+--
+2.39.2
+
--- /dev/null
+From 4e1aa4d4c95f617c89a2ffe733086b2a049d340d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 5 Mar 2023 21:04:00 +0900
+Subject: ksmbd: add low bound validation to FSCTL_SET_ZERO_DATA
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+[ Upstream commit 2d74ec97131b1179a373b6d521f195c84e894eb6 ]
+
+Smatch static checker warning:
+ fs/ksmbd/smb2pdu.c:7759 smb2_ioctl()
+ warn: no lower bound on 'off'
+
+Fix unexpected result that could caused from negative off and bfz.
+
+Fixes: b5e5f9dfc915 ("ksmbd: check invalid FileOffset and BeyondFinalZero in FSCTL_ZERO_DATA")
+Reported-by: Dan Carpenter <error27@gmail.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ksmbd/smb2pdu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
+index ac029dfd23ab8..305313abbc24b 100644
+--- a/fs/ksmbd/smb2pdu.c
++++ b/fs/ksmbd/smb2pdu.c
+@@ -7725,7 +7725,7 @@ int smb2_ioctl(struct ksmbd_work *work)
+
+ off = le64_to_cpu(zero_data->FileOffset);
+ bfz = le64_to_cpu(zero_data->BeyondFinalZero);
+- if (off > bfz) {
++ if (off < 0 || bfz < 0 || off > bfz) {
+ ret = -EINVAL;
+ goto out;
+ }
+--
+2.39.2
+
--- /dev/null
+From 36deeb861c167214602fc8c4ad0757c94a8e990e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Mar 2023 21:58:04 +0800
+Subject: ksmbd: fix possible refcount leak in smb2_open()
+
+From: ChenXiaoSong <chenxiaosong2@huawei.com>
+
+[ Upstream commit 2624b445544ffc1472ccabfb6ec867c199d4c95c ]
+
+Reference count of acls will leak when memory allocation fails. Fix this
+by adding the missing posix_acl_release().
+
+Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
+Signed-off-by: ChenXiaoSong <chenxiaosong2@huawei.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ksmbd/smb2pdu.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
+index 45e7c854e1d4b..733a3d851e4ce 100644
+--- a/fs/ksmbd/smb2pdu.c
++++ b/fs/ksmbd/smb2pdu.c
+@@ -2979,8 +2979,11 @@ int smb2_open(struct ksmbd_work *work)
+ sizeof(struct smb_acl) +
+ sizeof(struct smb_ace) * ace_num * 2,
+ GFP_KERNEL);
+- if (!pntsd)
++ if (!pntsd) {
++ posix_acl_release(fattr.cf_acls);
++ posix_acl_release(fattr.cf_dacls);
+ goto err_out;
++ }
+
+ rc = build_sec_desc(user_ns,
+ pntsd, NULL, 0,
+--
+2.39.2
+
--- /dev/null
+From 8153275da2e26e9580d4f3ff908b3b6f8c12ec71 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Mar 2023 18:28:07 +0100
+Subject: net: dsa: b53: mmap: fix device tree support
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Álvaro Fernández Rojas <noltari@gmail.com>
+
+[ Upstream commit 30796d0dcb6e41c6558a07950f2ce60c209da867 ]
+
+CPU port should also be enabled in order to get a working switch.
+
+Fixes: a5538a777b73 ("net: dsa: b53: mmap: Add device tree support")
+Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+Link: https://lore.kernel.org/r/20230316172807.460146-1-noltari@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/b53/b53_mmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/dsa/b53/b53_mmap.c b/drivers/net/dsa/b53/b53_mmap.c
+index ae4c79d39bc04..3388f620fac99 100644
+--- a/drivers/net/dsa/b53/b53_mmap.c
++++ b/drivers/net/dsa/b53/b53_mmap.c
+@@ -263,7 +263,7 @@ static int b53_mmap_probe_of(struct platform_device *pdev,
+ if (of_property_read_u32(of_port, "reg", ®))
+ continue;
+
+- if (reg < B53_CPU_PORT)
++ if (reg < B53_N_PORTS)
+ pdata->enabled_ports |= BIT(reg);
+ }
+
+--
+2.39.2
+
--- /dev/null
+From f08ca53eb4ef05a1ff963dab208fea475d7abb53 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Mar 2023 22:05:18 +0300
+Subject: net: dsa: mt7530: move enabling disabling core clock to
+ mt7530_pll_setup()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arınç ÜNAL <arinc.unal@arinc9.com>
+
+[ Upstream commit 8f058a6ef99f0b88a177b58cc46a44ff5112e40a ]
+
+Split the code that enables and disables TRGMII clocks and core clock.
+Move enabling and disabling core clock to mt7530_pll_setup() as it's
+supposed to be run there.
+
+Add 20 ms delay before enabling the core clock as seen on the U-Boot
+MediaTek ethernet driver.
+
+Change the comment for enabling and disabling TRGMII clocks as the code
+seems to affect both TXC and RXC.
+
+Tested rgmii and trgmii modes of port 6 and rgmii mode of port 5 on MCM
+MT7530 on MT7621AT Unielec U7621-06 and standalone MT7530 on MT7623NI
+Bananapi BPI-R2.
+
+Fixes: b8f126a8d543 ("net-next: dsa: add dsa support for Mediatek MT7530 switch")
+Link: https://source.denx.de/u-boot/u-boot/-/blob/29a48bf9ccba45a5e560bb564bbe76e42629325f/drivers/net/mtk_eth.c#L589
+Tested-by: Arınç ÜNAL <arinc.unal@arinc9.com>
+Signed-off-by: Arınç ÜNAL <arinc.unal@arinc9.com>
+Link: https://lore.kernel.org/r/20230320190520.124513-1-arinc.unal@arinc9.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/mt7530.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c
+index 793992c378559..1ad6c8b44183c 100644
+--- a/drivers/net/dsa/mt7530.c
++++ b/drivers/net/dsa/mt7530.c
+@@ -391,6 +391,9 @@ mt7530_fdb_write(struct mt7530_priv *priv, u16 vid,
+ /* Set up switch core clock for MT7530 */
+ static void mt7530_pll_setup(struct mt7530_priv *priv)
+ {
++ /* Disable core clock */
++ core_clear(priv, CORE_TRGMII_GSW_CLK_CG, REG_GSWCK_EN);
++
+ /* Disable PLL */
+ core_write(priv, CORE_GSWPLL_GRP1, 0);
+
+@@ -404,6 +407,11 @@ static void mt7530_pll_setup(struct mt7530_priv *priv)
+ RG_GSWPLL_EN_PRE |
+ RG_GSWPLL_POSDIV_200M(2) |
+ RG_GSWPLL_FBKDIV_200M(32));
++
++ udelay(20);
++
++ /* Enable core clock */
++ core_set(priv, CORE_TRGMII_GSW_CLK_CG, REG_GSWCK_EN);
+ }
+
+ /* Setup TX circuit including relevant PAD and driving */
+@@ -461,9 +469,8 @@ mt7530_pad_clk_setup(struct dsa_switch *ds, phy_interface_t interface)
+ mt7530_write(priv, MT7530_TRGMII_TD_ODT(i),
+ TD_DM_DRVP(8) | TD_DM_DRVN(8));
+
+- /* Disable MT7530 core and TRGMII Tx clocks */
+- core_clear(priv, CORE_TRGMII_GSW_CLK_CG,
+- REG_GSWCK_EN | REG_TRGMIICK_EN);
++ /* Disable the MT7530 TRGMII clocks */
++ core_clear(priv, CORE_TRGMII_GSW_CLK_CG, REG_TRGMIICK_EN);
+
+ /* Setup the MT7530 TRGMII Tx Clock */
+ core_write(priv, CORE_PLL_GROUP5, RG_LCDDS_PCW_NCPO1(ncpo1));
+@@ -480,9 +487,8 @@ mt7530_pad_clk_setup(struct dsa_switch *ds, phy_interface_t interface)
+ RG_LCDDS_PCW_NCPO_CHG | RG_LCCDS_C(3) |
+ RG_LCDDS_PWDB | RG_LCDDS_ISO_EN);
+
+- /* Enable MT7530 core and TRGMII Tx clocks */
+- core_set(priv, CORE_TRGMII_GSW_CLK_CG,
+- REG_GSWCK_EN | REG_TRGMIICK_EN);
++ /* Enable the MT7530 TRGMII clocks */
++ core_set(priv, CORE_TRGMII_GSW_CLK_CG, REG_TRGMIICK_EN);
+ } else {
+ for (i = 0 ; i < NUM_TRGMII_CTRL; i++)
+ mt7530_rmw(priv, MT7530_TRGMII_RD(i),
+--
+2.39.2
+
--- /dev/null
+From 2843f67b72ae99983f15f64a643fcc103c3f6d24 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Mar 2023 22:05:19 +0300
+Subject: net: dsa: mt7530: move lowering TRGMII driving to mt7530_setup()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arınç ÜNAL <arinc.unal@arinc9.com>
+
+[ Upstream commit fdcc8ccd823740c18e803b886cec461bc0e64201 ]
+
+Move lowering the TRGMII Tx clock driving to mt7530_setup(), after setting
+the core clock, as seen on the U-Boot MediaTek ethernet driver.
+
+Move the code which looks like it lowers the TRGMII Rx clock driving to
+after the TRGMII Tx clock driving is lowered. This is run after lowering
+the Tx clock driving on the U-Boot MediaTek ethernet driver as well.
+
+This way, the switch should consume less power regardless of port 6 being
+used.
+
+Update the comment explaining mt7530_pad_clk_setup().
+
+Tested rgmii and trgmii modes of port 6 and rgmii mode of port 5 on MCM
+MT7530 on MT7621AT Unielec U7621-06 and standalone MT7530 on MT7623NI
+Bananapi BPI-R2.
+
+Fixes: b8f126a8d543 ("net-next: dsa: add dsa support for Mediatek MT7530 switch")
+Link: https://source.denx.de/u-boot/u-boot/-/blob/29a48bf9ccba45a5e560bb564bbe76e42629325f/drivers/net/mtk_eth.c#L682
+Tested-by: Arınç ÜNAL <arinc.unal@arinc9.com>
+Signed-off-by: Arınç ÜNAL <arinc.unal@arinc9.com>
+Link: https://lore.kernel.org/r/20230320190520.124513-2-arinc.unal@arinc9.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/mt7530.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c
+index 1ad6c8b44183c..314770515018c 100644
+--- a/drivers/net/dsa/mt7530.c
++++ b/drivers/net/dsa/mt7530.c
+@@ -414,12 +414,12 @@ static void mt7530_pll_setup(struct mt7530_priv *priv)
+ core_set(priv, CORE_TRGMII_GSW_CLK_CG, REG_GSWCK_EN);
+ }
+
+-/* Setup TX circuit including relevant PAD and driving */
++/* Setup port 6 interface mode and TRGMII TX circuit */
+ static int
+ mt7530_pad_clk_setup(struct dsa_switch *ds, phy_interface_t interface)
+ {
+ struct mt7530_priv *priv = ds->priv;
+- u32 ncpo1, ssc_delta, trgint, i, xtal;
++ u32 ncpo1, ssc_delta, trgint, xtal;
+
+ xtal = mt7530_read(priv, MT7530_MHWTRAP) & HWTRAP_XTAL_MASK;
+
+@@ -464,11 +464,6 @@ mt7530_pad_clk_setup(struct dsa_switch *ds, phy_interface_t interface)
+ P6_INTF_MODE(trgint));
+
+ if (trgint) {
+- /* Lower Tx Driving for TRGMII path */
+- for (i = 0 ; i < NUM_TRGMII_CTRL ; i++)
+- mt7530_write(priv, MT7530_TRGMII_TD_ODT(i),
+- TD_DM_DRVP(8) | TD_DM_DRVN(8));
+-
+ /* Disable the MT7530 TRGMII clocks */
+ core_clear(priv, CORE_TRGMII_GSW_CLK_CG, REG_TRGMIICK_EN);
+
+@@ -489,10 +484,6 @@ mt7530_pad_clk_setup(struct dsa_switch *ds, phy_interface_t interface)
+
+ /* Enable the MT7530 TRGMII clocks */
+ core_set(priv, CORE_TRGMII_GSW_CLK_CG, REG_TRGMIICK_EN);
+- } else {
+- for (i = 0 ; i < NUM_TRGMII_CTRL; i++)
+- mt7530_rmw(priv, MT7530_TRGMII_RD(i),
+- RD_TAP_MASK, RD_TAP(16));
+ }
+
+ return 0;
+@@ -2174,6 +2165,15 @@ mt7530_setup(struct dsa_switch *ds)
+
+ mt7530_pll_setup(priv);
+
++ /* Lower Tx driving for TRGMII path */
++ for (i = 0; i < NUM_TRGMII_CTRL; i++)
++ mt7530_write(priv, MT7530_TRGMII_TD_ODT(i),
++ TD_DM_DRVP(8) | TD_DM_DRVN(8));
++
++ for (i = 0; i < NUM_TRGMII_CTRL; i++)
++ mt7530_rmw(priv, MT7530_TRGMII_RD(i),
++ RD_TAP_MASK, RD_TAP(16));
++
+ /* Enable port 6 */
+ val = mt7530_read(priv, MT7530_MHWTRAP);
+ val &= ~MHWTRAP_P6_DIS & ~MHWTRAP_PHY_ACCESS;
+--
+2.39.2
+
--- /dev/null
+From 678e97d788d527d727a38a52e8820501197d9c01 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Mar 2023 22:05:20 +0300
+Subject: net: dsa: mt7530: move setting ssc_delta to PHY_INTERFACE_MODE_TRGMII
+ case
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arınç ÜNAL <arinc.unal@arinc9.com>
+
+[ Upstream commit 407b508bdd70b6848993843d96ed49ac4108fb52 ]
+
+Move setting the ssc_delta variable to under the PHY_INTERFACE_MODE_TRGMII
+case as it's only needed when trgmii is used.
+
+Fixes: b8f126a8d543 ("net-next: dsa: add dsa support for Mediatek MT7530 switch")
+Signed-off-by: Arınç ÜNAL <arinc.unal@arinc9.com>
+Link: https://lore.kernel.org/r/20230320190520.124513-3-arinc.unal@arinc9.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/mt7530.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c
+index 314770515018c..dfea2ab0c297f 100644
+--- a/drivers/net/dsa/mt7530.c
++++ b/drivers/net/dsa/mt7530.c
+@@ -436,6 +436,10 @@ mt7530_pad_clk_setup(struct dsa_switch *ds, phy_interface_t interface)
+ break;
+ case PHY_INTERFACE_MODE_TRGMII:
+ trgint = 1;
++ if (xtal == HWTRAP_XTAL_25MHZ)
++ ssc_delta = 0x57;
++ else
++ ssc_delta = 0x87;
+ if (priv->id == ID_MT7621) {
+ /* PLL frequency: 150MHz: 1.2GBit */
+ if (xtal == HWTRAP_XTAL_40MHZ)
+@@ -455,11 +459,6 @@ mt7530_pad_clk_setup(struct dsa_switch *ds, phy_interface_t interface)
+ return -EINVAL;
+ }
+
+- if (xtal == HWTRAP_XTAL_25MHZ)
+- ssc_delta = 0x57;
+- else
+- ssc_delta = 0x87;
+-
+ mt7530_rmw(priv, MT7530_P6ECR, P6_INTF_MODE_MASK,
+ P6_INTF_MODE(trgint));
+
+--
+2.39.2
+
--- /dev/null
+From 74058c1289af3efd5d5fc8d22b91f41935e293aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 19 Mar 2023 10:55:40 +0100
+Subject: net: dsa: tag_brcm: legacy: fix daisy-chained switches
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Álvaro Fernández Rojas <noltari@gmail.com>
+
+[ Upstream commit 032a954061afd4b7426c3eb6bfd2952ef1e9a384 ]
+
+When BCM63xx internal switches are connected to switches with a 4-byte
+Broadcom tag, it does not identify the packet as VLAN tagged, so it adds one
+based on its PVID (which is likely 0).
+Right now, the packet is received by the BCM63xx internal switch and the 6-byte
+tag is properly processed. The next step would to decode the corresponding
+4-byte tag. However, the internal switch adds an invalid VLAN tag after the
+6-byte tag and the 4-byte tag handling fails.
+In order to fix this we need to remove the invalid VLAN tag after the 6-byte
+tag before passing it to the 4-byte tag decoding.
+
+Fixes: 964dbf186eaa ("net: dsa: tag_brcm: add support for legacy tags")
+Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
+Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Link: https://lore.kernel.org/r/20230319095540.239064-1-noltari@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/dsa/tag_brcm.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/net/dsa/tag_brcm.c b/net/dsa/tag_brcm.c
+index 96dbb8ee2fee1..ed5f68c4f1dad 100644
+--- a/net/dsa/tag_brcm.c
++++ b/net/dsa/tag_brcm.c
+@@ -7,6 +7,7 @@
+
+ #include <linux/dsa/brcm.h>
+ #include <linux/etherdevice.h>
++#include <linux/if_vlan.h>
+ #include <linux/list.h>
+ #include <linux/slab.h>
+
+@@ -248,6 +249,7 @@ static struct sk_buff *brcm_leg_tag_xmit(struct sk_buff *skb,
+ static struct sk_buff *brcm_leg_tag_rcv(struct sk_buff *skb,
+ struct net_device *dev)
+ {
++ int len = BRCM_LEG_TAG_LEN;
+ int source_port;
+ u8 *brcm_tag;
+
+@@ -262,12 +264,16 @@ static struct sk_buff *brcm_leg_tag_rcv(struct sk_buff *skb,
+ if (!skb->dev)
+ return NULL;
+
++ /* VLAN tag is added by BCM63xx internal switch */
++ if (netdev_uses_dsa(skb->dev))
++ len += VLAN_HLEN;
++
+ /* Remove Broadcom tag and update checksum */
+- skb_pull_rcsum(skb, BRCM_LEG_TAG_LEN);
++ skb_pull_rcsum(skb, len);
+
+ dsa_default_offload_fwd_mark(skb);
+
+- dsa_strip_etype_header(skb, BRCM_LEG_TAG_LEN);
++ dsa_strip_etype_header(skb, len);
+
+ return skb;
+ }
+--
+2.39.2
+
--- /dev/null
+From 7f7b78fb00920caec2f104451435a729627e04f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Mar 2023 16:33:16 -0700
+Subject: net: mdio: fix owner field for mdio buses registered using
+ device-tree
+
+From: Maxime Bizon <mbizon@freebox.fr>
+
+[ Upstream commit 99669259f3361d759219811e670b7e0742668556 ]
+
+Bus ownership is wrong when using of_mdiobus_register() to register an mdio
+bus. That function is not inline, so when it calls mdiobus_register() the wrong
+THIS_MODULE value is captured.
+
+Signed-off-by: Maxime Bizon <mbizon@freebox.fr>
+Fixes: 90eff9096c01 ("net: phy: Allow splitting MDIO bus/device support from PHYs")
+[florian: fix kdoc, added Fixes tag]
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/mdio/of_mdio.c | 12 +++++++-----
+ drivers/net/phy/mdio_devres.c | 11 ++++++-----
+ include/linux/of_mdio.h | 22 +++++++++++++++++++---
+ 3 files changed, 32 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/mdio/of_mdio.c b/drivers/net/mdio/of_mdio.c
+index 510822d6d0d90..1e46e39f5f46a 100644
+--- a/drivers/net/mdio/of_mdio.c
++++ b/drivers/net/mdio/of_mdio.c
+@@ -139,21 +139,23 @@ bool of_mdiobus_child_is_phy(struct device_node *child)
+ EXPORT_SYMBOL(of_mdiobus_child_is_phy);
+
+ /**
+- * of_mdiobus_register - Register mii_bus and create PHYs from the device tree
++ * __of_mdiobus_register - Register mii_bus and create PHYs from the device tree
+ * @mdio: pointer to mii_bus structure
+ * @np: pointer to device_node of MDIO bus.
++ * @owner: module owning the @mdio object.
+ *
+ * This function registers the mii_bus structure and registers a phy_device
+ * for each child node of @np.
+ */
+-int of_mdiobus_register(struct mii_bus *mdio, struct device_node *np)
++int __of_mdiobus_register(struct mii_bus *mdio, struct device_node *np,
++ struct module *owner)
+ {
+ struct device_node *child;
+ bool scanphys = false;
+ int addr, rc;
+
+ if (!np)
+- return mdiobus_register(mdio);
++ return __mdiobus_register(mdio, owner);
+
+ /* Do not continue if the node is disabled */
+ if (!of_device_is_available(np))
+@@ -172,7 +174,7 @@ int of_mdiobus_register(struct mii_bus *mdio, struct device_node *np)
+ of_property_read_u32(np, "reset-post-delay-us", &mdio->reset_post_delay_us);
+
+ /* Register the MDIO bus */
+- rc = mdiobus_register(mdio);
++ rc = __mdiobus_register(mdio, owner);
+ if (rc)
+ return rc;
+
+@@ -236,7 +238,7 @@ int of_mdiobus_register(struct mii_bus *mdio, struct device_node *np)
+ mdiobus_unregister(mdio);
+ return rc;
+ }
+-EXPORT_SYMBOL(of_mdiobus_register);
++EXPORT_SYMBOL(__of_mdiobus_register);
+
+ /**
+ * of_mdio_find_device - Given a device tree node, find the mdio_device
+diff --git a/drivers/net/phy/mdio_devres.c b/drivers/net/phy/mdio_devres.c
+index b560e99695dfd..69b829e6ab35b 100644
+--- a/drivers/net/phy/mdio_devres.c
++++ b/drivers/net/phy/mdio_devres.c
+@@ -98,13 +98,14 @@ EXPORT_SYMBOL(__devm_mdiobus_register);
+
+ #if IS_ENABLED(CONFIG_OF_MDIO)
+ /**
+- * devm_of_mdiobus_register - Resource managed variant of of_mdiobus_register()
++ * __devm_of_mdiobus_register - Resource managed variant of of_mdiobus_register()
+ * @dev: Device to register mii_bus for
+ * @mdio: MII bus structure to register
+ * @np: Device node to parse
++ * @owner: Owning module
+ */
+-int devm_of_mdiobus_register(struct device *dev, struct mii_bus *mdio,
+- struct device_node *np)
++int __devm_of_mdiobus_register(struct device *dev, struct mii_bus *mdio,
++ struct device_node *np, struct module *owner)
+ {
+ struct mdiobus_devres *dr;
+ int ret;
+@@ -117,7 +118,7 @@ int devm_of_mdiobus_register(struct device *dev, struct mii_bus *mdio,
+ if (!dr)
+ return -ENOMEM;
+
+- ret = of_mdiobus_register(mdio, np);
++ ret = __of_mdiobus_register(mdio, np, owner);
+ if (ret) {
+ devres_free(dr);
+ return ret;
+@@ -127,7 +128,7 @@ int devm_of_mdiobus_register(struct device *dev, struct mii_bus *mdio,
+ devres_add(dev, dr);
+ return 0;
+ }
+-EXPORT_SYMBOL(devm_of_mdiobus_register);
++EXPORT_SYMBOL(__devm_of_mdiobus_register);
+ #endif /* CONFIG_OF_MDIO */
+
+ MODULE_LICENSE("GPL");
+diff --git a/include/linux/of_mdio.h b/include/linux/of_mdio.h
+index da633d34ab866..8a52ef2e6fa6b 100644
+--- a/include/linux/of_mdio.h
++++ b/include/linux/of_mdio.h
+@@ -14,9 +14,25 @@
+
+ #if IS_ENABLED(CONFIG_OF_MDIO)
+ bool of_mdiobus_child_is_phy(struct device_node *child);
+-int of_mdiobus_register(struct mii_bus *mdio, struct device_node *np);
+-int devm_of_mdiobus_register(struct device *dev, struct mii_bus *mdio,
+- struct device_node *np);
++int __of_mdiobus_register(struct mii_bus *mdio, struct device_node *np,
++ struct module *owner);
++
++static inline int of_mdiobus_register(struct mii_bus *mdio,
++ struct device_node *np)
++{
++ return __of_mdiobus_register(mdio, np, THIS_MODULE);
++}
++
++int __devm_of_mdiobus_register(struct device *dev, struct mii_bus *mdio,
++ struct device_node *np, struct module *owner);
++
++static inline int devm_of_mdiobus_register(struct device *dev,
++ struct mii_bus *mdio,
++ struct device_node *np)
++{
++ return __devm_of_mdiobus_register(dev, mdio, np, THIS_MODULE);
++}
++
+ struct mdio_device *of_mdio_find_device(struct device_node *np);
+ struct phy_device *of_phy_find_device(struct device_node *phy_np);
+ struct phy_device *
+--
+2.39.2
+
--- /dev/null
+From 3386b3498bf6fbf256812debe8e70e97ef95375c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Mar 2023 16:33:17 -0700
+Subject: net: mdio: fix owner field for mdio buses registered using ACPI
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit 30b605b8501e321f79e19c3238aa6ca31da6087c ]
+
+Bus ownership is wrong when using acpi_mdiobus_register() to register an
+mdio bus. That function is not inline, so when it calls
+mdiobus_register() the wrong THIS_MODULE value is captured.
+
+CC: Maxime Bizon <mbizon@freebox.fr>
+Fixes: 803ca24d2f92 ("net: mdio: Add ACPI support code for mdio")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/mdio/acpi_mdio.c | 10 ++++++----
+ include/linux/acpi_mdio.h | 9 ++++++++-
+ 2 files changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/mdio/acpi_mdio.c b/drivers/net/mdio/acpi_mdio.c
+index d77c987fda9cd..4630dde019749 100644
+--- a/drivers/net/mdio/acpi_mdio.c
++++ b/drivers/net/mdio/acpi_mdio.c
+@@ -18,16 +18,18 @@ MODULE_AUTHOR("Calvin Johnson <calvin.johnson@oss.nxp.com>");
+ MODULE_LICENSE("GPL");
+
+ /**
+- * acpi_mdiobus_register - Register mii_bus and create PHYs from the ACPI ASL.
++ * __acpi_mdiobus_register - Register mii_bus and create PHYs from the ACPI ASL.
+ * @mdio: pointer to mii_bus structure
+ * @fwnode: pointer to fwnode of MDIO bus. This fwnode is expected to represent
++ * @owner: module owning this @mdio object.
+ * an ACPI device object corresponding to the MDIO bus and its children are
+ * expected to correspond to the PHY devices on that bus.
+ *
+ * This function registers the mii_bus structure and registers a phy_device
+ * for each child node of @fwnode.
+ */
+-int acpi_mdiobus_register(struct mii_bus *mdio, struct fwnode_handle *fwnode)
++int __acpi_mdiobus_register(struct mii_bus *mdio, struct fwnode_handle *fwnode,
++ struct module *owner)
+ {
+ struct fwnode_handle *child;
+ u32 addr;
+@@ -35,7 +37,7 @@ int acpi_mdiobus_register(struct mii_bus *mdio, struct fwnode_handle *fwnode)
+
+ /* Mask out all PHYs from auto probing. */
+ mdio->phy_mask = GENMASK(31, 0);
+- ret = mdiobus_register(mdio);
++ ret = __mdiobus_register(mdio, owner);
+ if (ret)
+ return ret;
+
+@@ -55,4 +57,4 @@ int acpi_mdiobus_register(struct mii_bus *mdio, struct fwnode_handle *fwnode)
+ }
+ return 0;
+ }
+-EXPORT_SYMBOL(acpi_mdiobus_register);
++EXPORT_SYMBOL(__acpi_mdiobus_register);
+diff --git a/include/linux/acpi_mdio.h b/include/linux/acpi_mdio.h
+index 0a24ab7cb66fa..8e2eefa9fbc0f 100644
+--- a/include/linux/acpi_mdio.h
++++ b/include/linux/acpi_mdio.h
+@@ -9,7 +9,14 @@
+ #include <linux/phy.h>
+
+ #if IS_ENABLED(CONFIG_ACPI_MDIO)
+-int acpi_mdiobus_register(struct mii_bus *mdio, struct fwnode_handle *fwnode);
++int __acpi_mdiobus_register(struct mii_bus *mdio, struct fwnode_handle *fwnode,
++ struct module *owner);
++
++static inline int
++acpi_mdiobus_register(struct mii_bus *mdio, struct fwnode_handle *handle)
++{
++ return __acpi_mdiobus_register(mdio, handle, THIS_MODULE);
++}
+ #else /* CONFIG_ACPI_MDIO */
+ static inline int
+ acpi_mdiobus_register(struct mii_bus *mdio, struct fwnode_handle *fwnode)
+--
+2.39.2
+
--- /dev/null
+From 8a7a0945663a534ff407c4784882b77b364e1749 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Mar 2023 14:20:57 +0800
+Subject: net: mdio: thunder: Add missing fwnode_handle_put()
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit b1de5c78ebe9858ccec9d49af2f76724f1d47e3e ]
+
+In device_for_each_child_node(), we should add fwnode_handle_put()
+when break out of the iteration device_for_each_child_node()
+as it will automatically increase and decrease the refcounter.
+
+Fixes: 379d7ac7ca31 ("phy: mdio-thunder: Add driver for Cavium Thunder SoC MDIO buses.")
+Signed-off-by: Liang He <windhl@126.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/mdio/mdio-thunder.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/mdio/mdio-thunder.c b/drivers/net/mdio/mdio-thunder.c
+index 822d2cdd2f359..394b864aaa372 100644
+--- a/drivers/net/mdio/mdio-thunder.c
++++ b/drivers/net/mdio/mdio-thunder.c
+@@ -104,6 +104,7 @@ static int thunder_mdiobus_pci_probe(struct pci_dev *pdev,
+ if (i >= ARRAY_SIZE(nexus->buses))
+ break;
+ }
++ fwnode_handle_put(fwn);
+ return 0;
+
+ err_release_regions:
+--
+2.39.2
+
--- /dev/null
+From ebd4eccc1906ebde9fba4070d8e8bdffdccecaec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Feb 2023 14:16:10 +0300
+Subject: net/mlx5: E-Switch, Fix an Oops in error handling code
+
+From: Dan Carpenter <error27@gmail.com>
+
+[ Upstream commit 640fcdbcf27fc62de9223f958ceb4e897a00e791 ]
+
+The error handling dereferences "vport". There is nothing we can do if
+it is an error pointer except returning the error code.
+
+Fixes: 133dcfc577ea ("net/mlx5: E-Switch, Alloc and free unique metadata for match")
+Signed-off-by: Dan Carpenter <error27@gmail.com>
+Reviewed-by: Roi Dayan <roid@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_ofld.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_ofld.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_ofld.c
+index 39e948bc12041..34a6542c03f61 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_ofld.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_ofld.c
+@@ -301,8 +301,7 @@ int mlx5_esw_acl_ingress_vport_bond_update(struct mlx5_eswitch *esw, u16 vport_n
+
+ if (WARN_ON_ONCE(IS_ERR(vport))) {
+ esw_warn(esw->dev, "vport(%d) invalid!\n", vport_num);
+- err = PTR_ERR(vport);
+- goto out;
++ return PTR_ERR(vport);
+ }
+
+ esw_acl_ingress_ofld_rules_destroy(esw, vport);
+--
+2.39.2
+
--- /dev/null
+From 19ba55da59c8eee2ec4c6900fd1271e0d0b5c8f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 31 Jan 2023 14:07:03 +0200
+Subject: net/mlx5: Fix steering rules cleanup
+
+From: Lama Kayal <lkayal@nvidia.com>
+
+[ Upstream commit 922f56e9a795d6f3dd72d3428ebdd7ee040fa855 ]
+
+vport's mc, uc and multicast rules are not deleted in teardown path when
+EEH happens. Since the vport's promisc settings(uc, mc and all) in
+firmware are reset after EEH, mlx5 driver will try to delete the above
+rules in the initialization path. This cause kernel crash because these
+software rules are no longer valid.
+
+Fix by nullifying these rules right after delete to avoid accessing any dangling
+pointers.
+
+Call Trace:
+__list_del_entry_valid+0xcc/0x100 (unreliable)
+tree_put_node+0xf4/0x1b0 [mlx5_core]
+tree_remove_node+0x30/0x70 [mlx5_core]
+mlx5_del_flow_rules+0x14c/0x1f0 [mlx5_core]
+esw_apply_vport_rx_mode+0x10c/0x200 [mlx5_core]
+esw_update_vport_rx_mode+0xb4/0x180 [mlx5_core]
+esw_vport_change_handle_locked+0x1ec/0x230 [mlx5_core]
+esw_enable_vport+0x130/0x260 [mlx5_core]
+mlx5_eswitch_enable_sriov+0x2a0/0x2f0 [mlx5_core]
+mlx5_device_enable_sriov+0x74/0x440 [mlx5_core]
+mlx5_load_one+0x114c/0x1550 [mlx5_core]
+mlx5_pci_resume+0x68/0xf0 [mlx5_core]
+eeh_report_resume+0x1a4/0x230
+eeh_pe_dev_traverse+0x98/0x170
+eeh_handle_normal_event+0x3e4/0x640
+eeh_handle_event+0x4c/0x370
+eeh_event_handler+0x14c/0x210
+kthread+0x168/0x1b0
+ret_from_kernel_thread+0x5c/0x84
+
+Fixes: a35f71f27a61 ("net/mlx5: E-Switch, Implement promiscuous rx modes vf request handling")
+Signed-off-by: Huy Nguyen <huyn@mellanox.com>
+Signed-off-by: Lama Kayal <lkayal@nvidia.com>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Reviewed-by: Maor Dickman <maord@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+index 2b9278002354c..7315bf447e061 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+@@ -918,6 +918,7 @@ void mlx5_esw_vport_disable(struct mlx5_eswitch *esw, u16 vport_num)
+ */
+ esw_vport_change_handle_locked(vport);
+ vport->enabled_events = 0;
++ esw_apply_vport_rx_mode(esw, vport, false, false);
+ esw_vport_cleanup(esw, vport);
+ esw->enabled_vports--;
+
+--
+2.39.2
+
--- /dev/null
+From 433a99658a3c1fcdf9aed008a4044f1362b442ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 11:04:38 +0200
+Subject: net/mlx5: Read the TC mapping of all priorities on ETS query
+
+From: Maher Sanalla <msanalla@nvidia.com>
+
+[ Upstream commit 44d553188c38ac74b799dfdcebafef2f7bb70942 ]
+
+When ETS configurations are queried by the user to get the mapping
+assignment between packet priority and traffic class, only priorities up
+to maximum TCs are queried from QTCT register in FW to retrieve their
+assigned TC, leaving the rest of the priorities mapped to the default
+TC #0 which might be misleading.
+
+Fix by querying the TC mapping of all priorities on each ETS query,
+regardless of the maximum number of TCs configured in FW.
+
+Fixes: 820c2c5e773d ("net/mlx5e: Read ETS settings directly from firmware")
+Signed-off-by: Maher Sanalla <msanalla@nvidia.com>
+Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c b/drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c
+index 72e08559e0d05..f2862100d1a2e 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c
+@@ -117,12 +117,14 @@ static int mlx5e_dcbnl_ieee_getets(struct net_device *netdev,
+ if (!MLX5_CAP_GEN(priv->mdev, ets))
+ return -EOPNOTSUPP;
+
+- ets->ets_cap = mlx5_max_tc(priv->mdev) + 1;
+- for (i = 0; i < ets->ets_cap; i++) {
++ for (i = 0; i < IEEE_8021QAZ_MAX_TCS; i++) {
+ err = mlx5_query_port_prio_tc(mdev, i, &ets->prio_tc[i]);
+ if (err)
+ return err;
++ }
+
++ ets->ets_cap = mlx5_max_tc(priv->mdev) + 1;
++ for (i = 0; i < ets->ets_cap; i++) {
+ err = mlx5_query_port_tc_group(mdev, i, &tc_group[i]);
+ if (err)
+ return err;
+--
+2.39.2
+
--- /dev/null
+From 0706f7e2e559b99da2e66b046ebdc2cc2910418a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Nov 2022 04:15:40 +0200
+Subject: net/mlx5e: Set uplink rep as NETNS_LOCAL
+
+From: Gavin Li <gavinl@nvidia.com>
+
+[ Upstream commit c83172b0639c8a005c0dd3b36252dc22ddd9f19c ]
+
+Previously, NETNS_LOCAL was not set for uplink representors, inconsistent
+with VF representors, and allowed the uplink representor to be moved
+between net namespaces and separated from the VF representors it shares
+the core device with. Such usage would break the isolation model of
+namespaces, as devices in different namespaces would have access to
+shared memory.
+
+To solve this issue, set NETNS_LOCAL for uplink representors if eswitch is
+in switchdev mode.
+
+Fixes: 7a9fb35e8c3a ("net/mlx5e: Do not reload ethernet ports when changing eswitch mode")
+Signed-off-by: Gavin Li <gavinl@nvidia.com>
+Reviewed-by: Gavi Teitz <gavi@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index f1dd966e2bdbf..ec1c667bd145a 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -3527,8 +3527,12 @@ static netdev_features_t mlx5e_fix_features(struct net_device *netdev,
+ netdev_warn(netdev, "Disabling rxhash, not supported when CQE compress is active\n");
+ }
+
+- if (mlx5e_is_uplink_rep(priv))
++ if (mlx5e_is_uplink_rep(priv)) {
+ features = mlx5e_fix_uplink_rep_features(netdev, features);
++ features |= NETIF_F_NETNS_LOCAL;
++ } else {
++ features &= ~NETIF_F_NETNS_LOCAL;
++ }
+
+ mutex_unlock(&priv->state_lock);
+
+--
+2.39.2
+
--- /dev/null
+From c3e6ce06f5f214b4d7fb3eb82b4d1f9ada431bf0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Mar 2023 13:33:24 -0700
+Subject: net: phy: Ensure state transitions are processed from phy_stop()
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit 4203d84032e28f893594a453bd8bc9c3b15c7334 ]
+
+In the phy_disconnect() -> phy_stop() path, we will be forcibly setting
+the PHY state machine to PHY_HALTED. This invalidates the old_state !=
+phydev->state condition in phy_state_machine() such that we will neither
+display the state change for debugging, nor will we invoke the
+link_change_notify() callback.
+
+Factor the code by introducing phy_process_state_change(), and ensure
+that we process the state change from phy_stop() as well.
+
+Fixes: 5c5f626bcace ("net: phy: improve handling link_change_notify callback")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/phy.c | 23 ++++++++++++++++-------
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/phy/phy.c b/drivers/net/phy/phy.c
+index 2fc851082e7b4..1135e63a4a76e 100644
+--- a/drivers/net/phy/phy.c
++++ b/drivers/net/phy/phy.c
+@@ -57,6 +57,18 @@ static const char *phy_state_to_str(enum phy_state st)
+ return NULL;
+ }
+
++static void phy_process_state_change(struct phy_device *phydev,
++ enum phy_state old_state)
++{
++ if (old_state != phydev->state) {
++ phydev_dbg(phydev, "PHY state change %s -> %s\n",
++ phy_state_to_str(old_state),
++ phy_state_to_str(phydev->state));
++ if (phydev->drv && phydev->drv->link_change_notify)
++ phydev->drv->link_change_notify(phydev);
++ }
++}
++
+ static void phy_link_up(struct phy_device *phydev)
+ {
+ phydev->phy_link_change(phydev, true);
+@@ -1061,6 +1073,7 @@ EXPORT_SYMBOL(phy_free_interrupt);
+ void phy_stop(struct phy_device *phydev)
+ {
+ struct net_device *dev = phydev->attached_dev;
++ enum phy_state old_state;
+
+ if (!phy_is_started(phydev) && phydev->state != PHY_DOWN) {
+ WARN(1, "called from state %s\n",
+@@ -1069,6 +1082,7 @@ void phy_stop(struct phy_device *phydev)
+ }
+
+ mutex_lock(&phydev->lock);
++ old_state = phydev->state;
+
+ if (phydev->state == PHY_CABLETEST) {
+ phy_abort_cable_test(phydev);
+@@ -1079,6 +1093,7 @@ void phy_stop(struct phy_device *phydev)
+ sfp_upstream_stop(phydev->sfp_bus);
+
+ phydev->state = PHY_HALTED;
++ phy_process_state_change(phydev, old_state);
+
+ mutex_unlock(&phydev->lock);
+
+@@ -1196,13 +1211,7 @@ void phy_state_machine(struct work_struct *work)
+ if (err < 0)
+ phy_error(phydev);
+
+- if (old_state != phydev->state) {
+- phydev_dbg(phydev, "PHY state change %s -> %s\n",
+- phy_state_to_str(old_state),
+- phy_state_to_str(phydev->state));
+- if (phydev->drv && phydev->drv->link_change_notify)
+- phydev->drv->link_change_notify(phydev);
+- }
++ phy_process_state_change(phydev, old_state);
+
+ /* Only re-schedule a PHY state machine change if we are polling the
+ * PHY, if PHY_MAC_INTERRUPT is set, then we will be moving
+--
+2.39.2
+
--- /dev/null
+From cad32b8ec2b5e05b6430f56c777cf4ebb49942f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Mar 2023 17:39:16 +0000
+Subject: net/ps3_gelic_net: Fix RX sk_buff length
+
+From: Geoff Levand <geoff@infradead.org>
+
+[ Upstream commit 19b3bb51c3bc288b3f2c6f8c4450b0f548320625 ]
+
+The Gelic Ethernet device needs to have the RX sk_buffs aligned to
+GELIC_NET_RXBUF_ALIGN, and also the length of the RX sk_buffs must
+be a multiple of GELIC_NET_RXBUF_ALIGN.
+
+The current Gelic Ethernet driver was not allocating sk_buffs large
+enough to allow for this alignment.
+
+Also, correct the maximum and minimum MTU sizes, and add a new
+preprocessor macro for the maximum frame size, GELIC_NET_MAX_FRAME.
+
+Fixes various randomly occurring runtime network errors.
+
+Fixes: 02c1889166b4 ("ps3: gigabit ethernet driver for PS3, take3")
+Signed-off-by: Geoff Levand <geoff@infradead.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/toshiba/ps3_gelic_net.c | 19 ++++++++++---------
+ drivers/net/ethernet/toshiba/ps3_gelic_net.h | 5 +++--
+ 2 files changed, 13 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/ethernet/toshiba/ps3_gelic_net.c b/drivers/net/ethernet/toshiba/ps3_gelic_net.c
+index 55e652624bd76..bd1316db2d944 100644
+--- a/drivers/net/ethernet/toshiba/ps3_gelic_net.c
++++ b/drivers/net/ethernet/toshiba/ps3_gelic_net.c
+@@ -365,26 +365,27 @@ static int gelic_card_init_chain(struct gelic_card *card,
+ *
+ * allocates a new rx skb, iommu-maps it and attaches it to the descriptor.
+ * Activate the descriptor state-wise
++ *
++ * Gelic RX sk_buffs must be aligned to GELIC_NET_RXBUF_ALIGN and the length
++ * must be a multiple of GELIC_NET_RXBUF_ALIGN.
+ */
+ static int gelic_descr_prepare_rx(struct gelic_card *card,
+ struct gelic_descr *descr)
+ {
++ static const unsigned int rx_skb_size =
++ ALIGN(GELIC_NET_MAX_FRAME, GELIC_NET_RXBUF_ALIGN) +
++ GELIC_NET_RXBUF_ALIGN - 1;
+ int offset;
+- unsigned int bufsize;
+
+ if (gelic_descr_get_status(descr) != GELIC_DESCR_DMA_NOT_IN_USE)
+ dev_info(ctodev(card), "%s: ERROR status\n", __func__);
+- /* we need to round up the buffer size to a multiple of 128 */
+- bufsize = ALIGN(GELIC_NET_MAX_MTU, GELIC_NET_RXBUF_ALIGN);
+
+- /* and we need to have it 128 byte aligned, therefore we allocate a
+- * bit more */
+- descr->skb = dev_alloc_skb(bufsize + GELIC_NET_RXBUF_ALIGN - 1);
++ descr->skb = netdev_alloc_skb(*card->netdev, rx_skb_size);
+ if (!descr->skb) {
+ descr->buf_addr = 0; /* tell DMAC don't touch memory */
+ return -ENOMEM;
+ }
+- descr->buf_size = cpu_to_be32(bufsize);
++ descr->buf_size = cpu_to_be32(rx_skb_size);
+ descr->dmac_cmd_status = 0;
+ descr->result_size = 0;
+ descr->valid_size = 0;
+@@ -397,7 +398,7 @@ static int gelic_descr_prepare_rx(struct gelic_card *card,
+ /* io-mmu-map the skb */
+ descr->buf_addr = cpu_to_be32(dma_map_single(ctodev(card),
+ descr->skb->data,
+- GELIC_NET_MAX_MTU,
++ GELIC_NET_MAX_FRAME,
+ DMA_FROM_DEVICE));
+ if (!descr->buf_addr) {
+ dev_kfree_skb_any(descr->skb);
+@@ -915,7 +916,7 @@ static void gelic_net_pass_skb_up(struct gelic_descr *descr,
+ data_error = be32_to_cpu(descr->data_error);
+ /* unmap skb buffer */
+ dma_unmap_single(ctodev(card), be32_to_cpu(descr->buf_addr),
+- GELIC_NET_MAX_MTU,
++ GELIC_NET_MAX_FRAME,
+ DMA_FROM_DEVICE);
+
+ skb_put(skb, be32_to_cpu(descr->valid_size)?
+diff --git a/drivers/net/ethernet/toshiba/ps3_gelic_net.h b/drivers/net/ethernet/toshiba/ps3_gelic_net.h
+index 68f324ed4eaf0..0d98defb011ed 100644
+--- a/drivers/net/ethernet/toshiba/ps3_gelic_net.h
++++ b/drivers/net/ethernet/toshiba/ps3_gelic_net.h
+@@ -19,8 +19,9 @@
+ #define GELIC_NET_RX_DESCRIPTORS 128 /* num of descriptors */
+ #define GELIC_NET_TX_DESCRIPTORS 128 /* num of descriptors */
+
+-#define GELIC_NET_MAX_MTU VLAN_ETH_FRAME_LEN
+-#define GELIC_NET_MIN_MTU VLAN_ETH_ZLEN
++#define GELIC_NET_MAX_FRAME 2312
++#define GELIC_NET_MAX_MTU 2294
++#define GELIC_NET_MIN_MTU 64
+ #define GELIC_NET_RXBUF_ALIGN 128
+ #define GELIC_CARD_RX_CSUM_DEFAULT 1 /* hw chksum */
+ #define GELIC_NET_WATCHDOG_TIMEOUT 5*HZ
+--
+2.39.2
+
--- /dev/null
+From 48f3c79b629d4888a4a05c26b895f6c1bd5f57f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Mar 2023 17:39:16 +0000
+Subject: net/ps3_gelic_net: Use dma_mapping_error
+
+From: Geoff Levand <geoff@infradead.org>
+
+[ Upstream commit bebe933d35a63d4f042fbf4dce4f22e689ba0fcd ]
+
+The current Gelic Etherenet driver was checking the return value of its
+dma_map_single call, and not using the dma_mapping_error() routine.
+
+Fixes runtime problems like these:
+
+ DMA-API: ps3_gelic_driver sb_05: device driver failed to check map error
+ WARNING: CPU: 0 PID: 0 at kernel/dma/debug.c:1027 .check_unmap+0x888/0x8dc
+
+Fixes: 02c1889166b4 ("ps3: gigabit ethernet driver for PS3, take3")
+Reviewed-by: Alexander Duyck <alexanderduyck@fb.com>
+Signed-off-by: Geoff Levand <geoff@infradead.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/toshiba/ps3_gelic_net.c | 24 +++++++++++---------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/ethernet/toshiba/ps3_gelic_net.c b/drivers/net/ethernet/toshiba/ps3_gelic_net.c
+index bd1316db2d944..78e484ea279bc 100644
+--- a/drivers/net/ethernet/toshiba/ps3_gelic_net.c
++++ b/drivers/net/ethernet/toshiba/ps3_gelic_net.c
+@@ -317,15 +317,17 @@ static int gelic_card_init_chain(struct gelic_card *card,
+
+ /* set up the hardware pointers in each descriptor */
+ for (i = 0; i < no; i++, descr++) {
++ dma_addr_t cpu_addr;
++
+ gelic_descr_set_status(descr, GELIC_DESCR_DMA_NOT_IN_USE);
+- descr->bus_addr =
+- dma_map_single(ctodev(card), descr,
+- GELIC_DESCR_SIZE,
+- DMA_BIDIRECTIONAL);
+
+- if (!descr->bus_addr)
++ cpu_addr = dma_map_single(ctodev(card), descr,
++ GELIC_DESCR_SIZE, DMA_BIDIRECTIONAL);
++
++ if (dma_mapping_error(ctodev(card), cpu_addr))
+ goto iommu_error;
+
++ descr->bus_addr = cpu_to_be32(cpu_addr);
+ descr->next = descr + 1;
+ descr->prev = descr - 1;
+ }
+@@ -375,6 +377,7 @@ static int gelic_descr_prepare_rx(struct gelic_card *card,
+ static const unsigned int rx_skb_size =
+ ALIGN(GELIC_NET_MAX_FRAME, GELIC_NET_RXBUF_ALIGN) +
+ GELIC_NET_RXBUF_ALIGN - 1;
++ dma_addr_t cpu_addr;
+ int offset;
+
+ if (gelic_descr_get_status(descr) != GELIC_DESCR_DMA_NOT_IN_USE)
+@@ -396,11 +399,10 @@ static int gelic_descr_prepare_rx(struct gelic_card *card,
+ if (offset)
+ skb_reserve(descr->skb, GELIC_NET_RXBUF_ALIGN - offset);
+ /* io-mmu-map the skb */
+- descr->buf_addr = cpu_to_be32(dma_map_single(ctodev(card),
+- descr->skb->data,
+- GELIC_NET_MAX_FRAME,
+- DMA_FROM_DEVICE));
+- if (!descr->buf_addr) {
++ cpu_addr = dma_map_single(ctodev(card), descr->skb->data,
++ GELIC_NET_MAX_FRAME, DMA_FROM_DEVICE);
++ descr->buf_addr = cpu_to_be32(cpu_addr);
++ if (dma_mapping_error(ctodev(card), cpu_addr)) {
+ dev_kfree_skb_any(descr->skb);
+ descr->skb = NULL;
+ dev_info(ctodev(card),
+@@ -780,7 +782,7 @@ static int gelic_descr_prepare_tx(struct gelic_card *card,
+
+ buf = dma_map_single(ctodev(card), skb->data, skb->len, DMA_TO_DEVICE);
+
+- if (!buf) {
++ if (dma_mapping_error(ctodev(card), buf)) {
+ dev_err(ctodev(card),
+ "dma map 2 failed (%p, %i). Dropping packet\n",
+ skb->data, skb->len);
+--
+2.39.2
+
--- /dev/null
+From a947e344f1768355d4f470ace18a5162438b1713 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Mar 2023 16:05:26 +0800
+Subject: net: qcom/emac: Fix use after free bug in emac_remove due to race
+ condition
+
+From: Zheng Wang <zyytlz.wz@163.com>
+
+[ Upstream commit 6b6bc5b8bd2d4ca9e1efa9ae0f98a0b0687ace75 ]
+
+In emac_probe, &adpt->work_thread is bound with
+emac_work_thread. Then it will be started by timeout
+handler emac_tx_timeout or a IRQ handler emac_isr.
+
+If we remove the driver which will call emac_remove
+ to make cleanup, there may be a unfinished work.
+
+The possible sequence is as follows:
+
+Fix it by finishing the work before cleanup in the emac_remove
+and disable timeout response.
+
+CPU0 CPU1
+
+ |emac_work_thread
+emac_remove |
+free_netdev |
+kfree(netdev); |
+ |emac_reinit_locked
+ |emac_mac_down
+ |//use netdev
+Fixes: b9b17debc69d ("net: emac: emac gigabit ethernet controller driver")
+Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qualcomm/emac/emac.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/ethernet/qualcomm/emac/emac.c b/drivers/net/ethernet/qualcomm/emac/emac.c
+index 9015a38eaced8..bb7f3286824f4 100644
+--- a/drivers/net/ethernet/qualcomm/emac/emac.c
++++ b/drivers/net/ethernet/qualcomm/emac/emac.c
+@@ -728,9 +728,15 @@ static int emac_remove(struct platform_device *pdev)
+ struct net_device *netdev = dev_get_drvdata(&pdev->dev);
+ struct emac_adapter *adpt = netdev_priv(netdev);
+
++ netif_carrier_off(netdev);
++ netif_tx_disable(netdev);
++
+ unregister_netdev(netdev);
+ netif_napi_del(&adpt->rx_q.napi);
+
++ free_irq(adpt->irq.irq, &adpt->irq);
++ cancel_work_sync(&adpt->work_thread);
++
+ emac_clks_teardown(adpt);
+
+ put_device(&adpt->phydev->mdio.dev);
+--
+2.39.2
+
--- /dev/null
+From 92be82ab64a899582a8a1d5da737e335f4a422e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Mar 2023 14:45:43 +1100
+Subject: net/sonic: use dma_mapping_error() for error check
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit 4107b8746d93ace135b8c4da4f19bbae81db785f ]
+
+The DMA address returned by dma_map_single() should be checked with
+dma_mapping_error(). Fix it accordingly.
+
+Fixes: efcce839360f ("[PATCH] macsonic/jazzsonic network drivers update")
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Tested-by: Stan Johnson <userm57@yahoo.com>
+Signed-off-by: Finn Thain <fthain@linux-m68k.org>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Link: https://lore.kernel.org/r/6645a4b5c1e364312103f48b7b36783b94e197a2.1679370343.git.fthain@linux-m68k.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/natsemi/sonic.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/natsemi/sonic.c b/drivers/net/ethernet/natsemi/sonic.c
+index d17d1b4f2585f..825356ee3492e 100644
+--- a/drivers/net/ethernet/natsemi/sonic.c
++++ b/drivers/net/ethernet/natsemi/sonic.c
+@@ -292,7 +292,7 @@ static int sonic_send_packet(struct sk_buff *skb, struct net_device *dev)
+ */
+
+ laddr = dma_map_single(lp->device, skb->data, length, DMA_TO_DEVICE);
+- if (!laddr) {
++ if (dma_mapping_error(lp->device, laddr)) {
+ pr_err_ratelimited("%s: failed to map tx DMA buffer.\n", dev->name);
+ dev_kfree_skb_any(skb);
+ return NETDEV_TX_OK;
+@@ -509,7 +509,7 @@ static bool sonic_alloc_rb(struct net_device *dev, struct sonic_local *lp,
+
+ *new_addr = dma_map_single(lp->device, skb_put(*new_skb, SONIC_RBSIZE),
+ SONIC_RBSIZE, DMA_FROM_DEVICE);
+- if (!*new_addr) {
++ if (dma_mapping_error(lp->device, *new_addr)) {
+ dev_kfree_skb(*new_skb);
+ *new_skb = NULL;
+ return false;
+--
+2.39.2
+
--- /dev/null
+From 16ad3d4b26a89371c09764925e06fc7f1223fecb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Mar 2023 11:19:54 +0100
+Subject: net: usb: smsc95xx: Limit packet length to skb->len
+
+From: Szymon Heidrich <szymon.heidrich@gmail.com>
+
+[ Upstream commit ff821092cf02a70c2bccd2d19269f01e29aa52cf ]
+
+Packet length retrieved from descriptor may be larger than
+the actual socket buffer length. In such case the cloned
+skb passed up the network stack will leak kernel memory contents.
+
+Fixes: 2f7ca802bdae ("net: Add SMSC LAN9500 USB2.0 10/100 ethernet adapter driver")
+Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com>
+Reviewed-by: Jakub Kicinski <kuba@kernel.org>
+Link: https://lore.kernel.org/r/20230316101954.75836-1-szymon.heidrich@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/smsc95xx.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c
+index 7cf9206638c37..649d9f9af6e67 100644
+--- a/drivers/net/usb/smsc95xx.c
++++ b/drivers/net/usb/smsc95xx.c
+@@ -1808,6 +1808,12 @@ static int smsc95xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
+ size = (u16)((header & RX_STS_FL_) >> 16);
+ align_count = (4 - ((size + NET_IP_ALIGN) % 4)) % 4;
+
++ if (unlikely(size > skb->len)) {
++ netif_dbg(dev, rx_err, dev->net,
++ "size err header=0x%08x\n", header);
++ return 0;
++ }
++
+ if (unlikely(header & RX_STS_ES_)) {
+ netif_dbg(dev, rx_err, dev->net,
+ "Error header=0x%08x\n", header);
+--
+2.39.2
+
--- /dev/null
+From 52260d9253994318d42472137784ddc14505c682 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Mar 2023 09:57:36 -0600
+Subject: nvme-tcp: fix nvme_tcp_term_pdu to match spec
+
+From: Caleb Sander <csander@purestorage.com>
+
+[ Upstream commit aa01c67de5926fdb276793180564f172c55fb0d7 ]
+
+The FEI field of C2HTermReq/H2CTermReq is 4 bytes but not 4-byte-aligned
+in the NVMe/TCP specification (it is located at offset 10 in the PDU).
+Split it into two 16-bit integers in struct nvme_tcp_term_pdu
+so no padding is inserted. There should also be 10 reserved bytes after.
+There are currently no users of this type.
+
+Fixes: fc221d05447aa6db ("nvme-tcp: Add protocol header")
+Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Caleb Sander <csander@purestorage.com>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/nvme-tcp.h | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/nvme-tcp.h b/include/linux/nvme-tcp.h
+index 959e0bd9a913e..73364ae916890 100644
+--- a/include/linux/nvme-tcp.h
++++ b/include/linux/nvme-tcp.h
+@@ -114,8 +114,9 @@ struct nvme_tcp_icresp_pdu {
+ struct nvme_tcp_term_pdu {
+ struct nvme_tcp_hdr hdr;
+ __le16 fes;
+- __le32 fei;
+- __u8 rsvd[8];
++ __le16 feil;
++ __le16 feiu;
++ __u8 rsvd[10];
+ };
+
+ /**
+--
+2.39.2
+
--- /dev/null
+From 411e006a6b2a0115caddaecc232140ad0b13e1ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Mar 2023 14:43:37 +0800
+Subject: octeontx2-vf: Add missing free for alloc_percpu
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit f038f3917baf04835ba2b7bcf2a04ac93fbf8a9c ]
+
+Add the free_percpu for the allocated "vf->hw.lmt_info" in order to avoid
+memory leak, same as the "pf->hw.lmt_info" in
+`drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c`.
+
+Fixes: 5c0512072f65 ("octeontx2-pf: cn10k: Use runtime allocated LMTLINE region")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+Acked-by: Geethasowjanya Akula <gakula@marvell.com>
+Link: https://lore.kernel.org/r/20230317064337.18198-1-jiasheng@iscas.ac.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/nic/otx2_vf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_vf.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_vf.c
+index 03b4ec630432b..9822db362c88e 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_vf.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_vf.c
+@@ -704,6 +704,7 @@ static int otx2vf_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+ err_unreg_netdev:
+ unregister_netdev(netdev);
+ err_detach_rsrc:
++ free_percpu(vf->hw.lmt_info);
+ if (test_bit(CN10K_LMTST, &vf->hw.cap_flag))
+ qmem_free(vf->dev, vf->dync_lmt);
+ otx2_detach_resources(&vf->mbox);
+@@ -738,6 +739,7 @@ static void otx2vf_remove(struct pci_dev *pdev)
+ destroy_workqueue(vf->otx2_wq);
+ otx2vf_disable_mbox_intr(vf);
+ otx2_detach_resources(&vf->mbox);
++ free_percpu(vf->hw.lmt_info);
+ if (test_bit(CN10K_LMTST, &vf->hw.cap_flag))
+ qmem_free(vf->dev, vf->dync_lmt);
+ otx2vf_vfaf_mbox_destroy(vf);
+--
+2.39.2
+
--- /dev/null
+From a2eb82d76c5874c00ea3d120f3dbfc0f5c1b2cc8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Mar 2023 09:06:58 +0800
+Subject: platform/chrome: cros_ec_chardev: fix kernel data leak from ioctl
+
+From: Tzung-Bi Shih <tzungbi@kernel.org>
+
+[ Upstream commit b20cf3f89c56b5f6a38b7f76a8128bf9f291bbd3 ]
+
+It is possible to peep kernel page's data by providing larger `insize`
+in struct cros_ec_command[1] when invoking EC host commands.
+
+Fix it by using zeroed memory.
+
+[1]: https://elixir.bootlin.com/linux/v6.2/source/include/linux/platform_data/cros_ec_proto.h#L74
+
+Fixes: eda2e30c6684 ("mfd / platform: cros_ec: Miscellaneous character device to talk with the EC")
+Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
+Reviewed-by: Guenter Roeck <groeck@chromium.org>
+Link: https://lore.kernel.org/r/20230324010658.1082361-1-tzungbi@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/chrome/cros_ec_chardev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/platform/chrome/cros_ec_chardev.c b/drivers/platform/chrome/cros_ec_chardev.c
+index 0de7c255254e0..d6de5a2941282 100644
+--- a/drivers/platform/chrome/cros_ec_chardev.c
++++ b/drivers/platform/chrome/cros_ec_chardev.c
+@@ -284,7 +284,7 @@ static long cros_ec_chardev_ioctl_xcmd(struct cros_ec_dev *ec, void __user *arg)
+ u_cmd.insize > EC_MAX_MSG_BYTES)
+ return -EINVAL;
+
+- s_cmd = kmalloc(sizeof(*s_cmd) + max(u_cmd.outsize, u_cmd.insize),
++ s_cmd = kzalloc(sizeof(*s_cmd) + max(u_cmd.outsize, u_cmd.insize),
+ GFP_KERNEL);
+ if (!s_cmd)
+ return -ENOMEM;
+--
+2.39.2
+
--- /dev/null
+From 20ff4da4cccae28f994709954d7a38b68db85400 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Mar 2023 01:47:28 +0800
+Subject: power: supply: bq24190: Fix use after free bug in bq24190_remove due
+ to race condition
+
+From: Zheng Wang <zyytlz.wz@163.com>
+
+[ Upstream commit 47c29d69212911f50bdcdd0564b5999a559010d4 ]
+
+In bq24190_probe, &bdi->input_current_limit_work is bound
+with bq24190_input_current_limit_work. When external power
+changed, it will call bq24190_charger_external_power_changed
+ to start the work.
+
+If we remove the module which will call bq24190_remove to make
+cleanup, there may be a unfinished work. The possible
+sequence is as follows:
+
+CPU0 CPUc1
+
+ |bq24190_input_current_limit_work
+bq24190_remove |
+power_supply_unregister |
+device_unregister |
+power_supply_dev_release|
+kfree(psy) |
+ |
+ | power_supply_get_property_from_supplier
+ | //use
+
+Fix it by finishing the work before cleanup in the bq24190_remove
+
+Fixes: 97774672573a ("power_supply: Initialize changed_work before calling device_add")
+Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/bq24190_charger.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/power/supply/bq24190_charger.c b/drivers/power/supply/bq24190_charger.c
+index 0d262fe9780ca..ebb5ba7f8bb63 100644
+--- a/drivers/power/supply/bq24190_charger.c
++++ b/drivers/power/supply/bq24190_charger.c
+@@ -1832,6 +1832,7 @@ static int bq24190_remove(struct i2c_client *client)
+ struct bq24190_dev_info *bdi = i2c_get_clientdata(client);
+ int error;
+
++ cancel_delayed_work_sync(&bdi->input_current_limit_work);
+ error = pm_runtime_resume_and_get(bdi->dev);
+ if (error < 0)
+ dev_warn(bdi->dev, "pm_runtime_get failed: %i\n", error);
+--
+2.39.2
+
--- /dev/null
+From 0dad65698150f2ec0a3f4726b1edaf8062eada53 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Apr 2022 08:30:44 +0000
+Subject: power: supply: bq24190_charger: using pm_runtime_resume_and_get
+ instead of pm_runtime_get_sync
+
+From: Minghao Chi <chi.minghao@zte.com.cn>
+
+[ Upstream commit d96a89407e5f682d1cb22569d91784506c784863 ]
+
+Using pm_runtime_resume_and_get is more appropriate
+for simplifing code
+
+Reported-by: Zeal Robot <zealci@zte.com.cn>
+Signed-off-by: Minghao Chi <chi.minghao@zte.com.cn>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Stable-dep-of: 47c29d692129 ("power: supply: bq24190: Fix use after free bug in bq24190_remove due to race condition")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/bq24190_charger.c | 63 +++++++++-----------------
+ 1 file changed, 21 insertions(+), 42 deletions(-)
+
+diff --git a/drivers/power/supply/bq24190_charger.c b/drivers/power/supply/bq24190_charger.c
+index 16c4876fe5afb..0d262fe9780ca 100644
+--- a/drivers/power/supply/bq24190_charger.c
++++ b/drivers/power/supply/bq24190_charger.c
+@@ -446,11 +446,9 @@ static ssize_t bq24190_sysfs_show(struct device *dev,
+ if (!info)
+ return -EINVAL;
+
+- ret = pm_runtime_get_sync(bdi->dev);
+- if (ret < 0) {
+- pm_runtime_put_noidle(bdi->dev);
++ ret = pm_runtime_resume_and_get(bdi->dev);
++ if (ret < 0)
+ return ret;
+- }
+
+ ret = bq24190_read_mask(bdi, info->reg, info->mask, info->shift, &v);
+ if (ret)
+@@ -481,11 +479,9 @@ static ssize_t bq24190_sysfs_store(struct device *dev,
+ if (ret < 0)
+ return ret;
+
+- ret = pm_runtime_get_sync(bdi->dev);
+- if (ret < 0) {
+- pm_runtime_put_noidle(bdi->dev);
++ ret = pm_runtime_resume_and_get(bdi->dev);
++ if (ret < 0)
+ return ret;
+- }
+
+ ret = bq24190_write_mask(bdi, info->reg, info->mask, info->shift, v);
+ if (ret)
+@@ -504,10 +500,9 @@ static int bq24190_set_charge_mode(struct regulator_dev *dev, u8 val)
+ struct bq24190_dev_info *bdi = rdev_get_drvdata(dev);
+ int ret;
+
+- ret = pm_runtime_get_sync(bdi->dev);
++ ret = pm_runtime_resume_and_get(bdi->dev);
+ if (ret < 0) {
+ dev_warn(bdi->dev, "pm_runtime_get failed: %i\n", ret);
+- pm_runtime_put_noidle(bdi->dev);
+ return ret;
+ }
+
+@@ -537,10 +532,9 @@ static int bq24190_vbus_is_enabled(struct regulator_dev *dev)
+ int ret;
+ u8 val;
+
+- ret = pm_runtime_get_sync(bdi->dev);
++ ret = pm_runtime_resume_and_get(bdi->dev);
+ if (ret < 0) {
+ dev_warn(bdi->dev, "pm_runtime_get failed: %i\n", ret);
+- pm_runtime_put_noidle(bdi->dev);
+ return ret;
+ }
+
+@@ -1081,11 +1075,9 @@ static int bq24190_charger_get_property(struct power_supply *psy,
+
+ dev_dbg(bdi->dev, "prop: %d\n", psp);
+
+- ret = pm_runtime_get_sync(bdi->dev);
+- if (ret < 0) {
+- pm_runtime_put_noidle(bdi->dev);
++ ret = pm_runtime_resume_and_get(bdi->dev);
++ if (ret < 0)
+ return ret;
+- }
+
+ switch (psp) {
+ case POWER_SUPPLY_PROP_CHARGE_TYPE:
+@@ -1155,11 +1147,9 @@ static int bq24190_charger_set_property(struct power_supply *psy,
+
+ dev_dbg(bdi->dev, "prop: %d\n", psp);
+
+- ret = pm_runtime_get_sync(bdi->dev);
+- if (ret < 0) {
+- pm_runtime_put_noidle(bdi->dev);
++ ret = pm_runtime_resume_and_get(bdi->dev);
++ if (ret < 0)
+ return ret;
+- }
+
+ switch (psp) {
+ case POWER_SUPPLY_PROP_ONLINE:
+@@ -1418,11 +1408,9 @@ static int bq24190_battery_get_property(struct power_supply *psy,
+ dev_warn(bdi->dev, "warning: /sys/class/power_supply/bq24190-battery is deprecated\n");
+ dev_dbg(bdi->dev, "prop: %d\n", psp);
+
+- ret = pm_runtime_get_sync(bdi->dev);
+- if (ret < 0) {
+- pm_runtime_put_noidle(bdi->dev);
++ ret = pm_runtime_resume_and_get(bdi->dev);
++ if (ret < 0)
+ return ret;
+- }
+
+ switch (psp) {
+ case POWER_SUPPLY_PROP_STATUS:
+@@ -1466,11 +1454,9 @@ static int bq24190_battery_set_property(struct power_supply *psy,
+ dev_warn(bdi->dev, "warning: /sys/class/power_supply/bq24190-battery is deprecated\n");
+ dev_dbg(bdi->dev, "prop: %d\n", psp);
+
+- ret = pm_runtime_get_sync(bdi->dev);
+- if (ret < 0) {
+- pm_runtime_put_noidle(bdi->dev);
++ ret = pm_runtime_resume_and_get(bdi->dev);
++ if (ret < 0)
+ return ret;
+- }
+
+ switch (psp) {
+ case POWER_SUPPLY_PROP_ONLINE:
+@@ -1624,10 +1610,9 @@ static irqreturn_t bq24190_irq_handler_thread(int irq, void *data)
+ int error;
+
+ bdi->irq_event = true;
+- error = pm_runtime_get_sync(bdi->dev);
++ error = pm_runtime_resume_and_get(bdi->dev);
+ if (error < 0) {
+ dev_warn(bdi->dev, "pm_runtime_get failed: %i\n", error);
+- pm_runtime_put_noidle(bdi->dev);
+ return IRQ_NONE;
+ }
+ bq24190_check_status(bdi);
+@@ -1847,11 +1832,9 @@ static int bq24190_remove(struct i2c_client *client)
+ struct bq24190_dev_info *bdi = i2c_get_clientdata(client);
+ int error;
+
+- error = pm_runtime_get_sync(bdi->dev);
+- if (error < 0) {
++ error = pm_runtime_resume_and_get(bdi->dev);
++ if (error < 0)
+ dev_warn(bdi->dev, "pm_runtime_get failed: %i\n", error);
+- pm_runtime_put_noidle(bdi->dev);
+- }
+
+ bq24190_register_reset(bdi);
+ if (bdi->battery)
+@@ -1900,11 +1883,9 @@ static __maybe_unused int bq24190_pm_suspend(struct device *dev)
+ struct bq24190_dev_info *bdi = i2c_get_clientdata(client);
+ int error;
+
+- error = pm_runtime_get_sync(bdi->dev);
+- if (error < 0) {
++ error = pm_runtime_resume_and_get(bdi->dev);
++ if (error < 0)
+ dev_warn(bdi->dev, "pm_runtime_get failed: %i\n", error);
+- pm_runtime_put_noidle(bdi->dev);
+- }
+
+ bq24190_register_reset(bdi);
+
+@@ -1925,11 +1906,9 @@ static __maybe_unused int bq24190_pm_resume(struct device *dev)
+ bdi->f_reg = 0;
+ bdi->ss_reg = BQ24190_REG_SS_VBUS_STAT_MASK; /* impossible state */
+
+- error = pm_runtime_get_sync(bdi->dev);
+- if (error < 0) {
++ error = pm_runtime_resume_and_get(bdi->dev);
++ if (error < 0)
+ dev_warn(bdi->dev, "pm_runtime_get failed: %i\n", error);
+- pm_runtime_put_noidle(bdi->dev);
+- }
+
+ bq24190_register_reset(bdi);
+ bq24190_set_config(bdi);
+--
+2.39.2
+
--- /dev/null
+From a4d80054e5e2c11cd371ccf8a3f73c62cea12c70 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Mar 2023 01:46:50 +0800
+Subject: power: supply: da9150: Fix use after free bug in
+ da9150_charger_remove due to race condition
+
+From: Zheng Wang <zyytlz.wz@163.com>
+
+[ Upstream commit 06615d11cc78162dfd5116efb71f29eb29502d37 ]
+
+In da9150_charger_probe, &charger->otg_work is bound with
+da9150_charger_otg_work. da9150_charger_otg_ncb may be
+called to start the work.
+
+If we remove the module which will call da9150_charger_remove
+to make cleanup, there may be a unfinished work. The possible
+sequence is as follows:
+
+Fix it by canceling the work before cleanup in the da9150_charger_remove
+
+CPU0 CPUc1
+
+ |da9150_charger_otg_work
+da9150_charger_remove |
+power_supply_unregister |
+device_unregister |
+power_supply_dev_release|
+kfree(psy) |
+ |
+ | power_supply_changed(charger->usb);
+ | //use
+
+Fixes: c1a281e34dae ("power: Add support for DA9150 Charger")
+Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/da9150-charger.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/power/supply/da9150-charger.c b/drivers/power/supply/da9150-charger.c
+index f9314cc0cd75f..6b987da586556 100644
+--- a/drivers/power/supply/da9150-charger.c
++++ b/drivers/power/supply/da9150-charger.c
+@@ -662,6 +662,7 @@ static int da9150_charger_remove(struct platform_device *pdev)
+
+ if (!IS_ERR_OR_NULL(charger->usb_phy))
+ usb_unregister_notifier(charger->usb_phy, &charger->otg_nb);
++ cancel_work_sync(&charger->otg_work);
+
+ power_supply_unregister(charger->battery);
+ power_supply_unregister(charger->usb);
+--
+2.39.2
+
--- /dev/null
+From 034f966ec1058a31216c77af7c6aaba8d764e6b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Mar 2023 13:29:21 +0300
+Subject: qed/qed_sriov: guard against NULL derefs from qed_iov_get_vf_info
+
+From: Daniil Tatianin <d-tatianin@yandex-team.ru>
+
+[ Upstream commit 25143b6a01d0cc5319edd3de22ffa2578b045550 ]
+
+We have to make sure that the info returned by the helper is valid
+before using it.
+
+Found by Linux Verification Center (linuxtesting.org) with the SVACE
+static analysis tool.
+
+Fixes: f990c82c385b ("qed*: Add support for ndo_set_vf_trust")
+Fixes: 733def6a04bf ("qed*: IOV link control")
+Signed-off-by: Daniil Tatianin <d-tatianin@yandex-team.ru>
+Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_sriov.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_sriov.c b/drivers/net/ethernet/qlogic/qed/qed_sriov.c
+index 3eb05376e7c3e..bf0ba3855da1d 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_sriov.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_sriov.c
+@@ -4378,6 +4378,9 @@ qed_iov_configure_min_tx_rate(struct qed_dev *cdev, int vfid, u32 rate)
+ }
+
+ vf = qed_iov_get_vf_info(QED_LEADING_HWFN(cdev), (u16)vfid, true);
++ if (!vf)
++ return -EINVAL;
++
+ vport_id = vf->vport_id;
+
+ return qed_configure_vport_wfq(cdev, vport_id, rate);
+@@ -5124,7 +5127,7 @@ static void qed_iov_handle_trust_change(struct qed_hwfn *hwfn)
+
+ /* Validate that the VF has a configured vport */
+ vf = qed_iov_get_vf_info(hwfn, i, true);
+- if (!vf->vport_instance)
++ if (!vf || !vf->vport_instance)
+ continue;
+
+ memset(¶ms, 0, sizeof(params));
+--
+2.39.2
+
--- /dev/null
+From b1b451e4eed56b7f80dd49d6666a9001e41b573d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 14:21:54 +0800
+Subject: scsi: scsi_dh_alua: Fix memleak for 'qdata' in alua_activate()
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit a13faca032acbf2699293587085293bdfaafc8ae ]
+
+If alua_rtpg_queue() failed from alua_activate(), then 'qdata' is not
+freed, which will cause following memleak:
+
+unreferenced object 0xffff88810b2c6980 (size 32):
+ comm "kworker/u16:2", pid 635322, jiffies 4355801099 (age 1216426.076s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 40 39 24 c1 ff ff ff ff 00 f8 ea 0a 81 88 ff ff @9$.............
+ backtrace:
+ [<0000000098f3a26d>] alua_activate+0xb0/0x320
+ [<000000003b529641>] scsi_dh_activate+0xb2/0x140
+ [<000000007b296db3>] activate_path_work+0xc6/0xe0 [dm_multipath]
+ [<000000007adc9ace>] process_one_work+0x3c5/0x730
+ [<00000000c457a985>] worker_thread+0x93/0x650
+ [<00000000cb80e628>] kthread+0x1ba/0x210
+ [<00000000a1e61077>] ret_from_fork+0x22/0x30
+
+Fix the problem by freeing 'qdata' in error path.
+
+Fixes: 625fe857e4fa ("scsi: scsi_dh_alua: Check scsi_device_get() return value")
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Link: https://lore.kernel.org/r/20230315062154.668812-1-yukuai1@huaweicloud.com
+Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/device_handler/scsi_dh_alua.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/device_handler/scsi_dh_alua.c b/drivers/scsi/device_handler/scsi_dh_alua.c
+index 1d9be771f3ee0..a9c4a5e2ccb90 100644
+--- a/drivers/scsi/device_handler/scsi_dh_alua.c
++++ b/drivers/scsi/device_handler/scsi_dh_alua.c
+@@ -1117,10 +1117,12 @@ static int alua_activate(struct scsi_device *sdev,
+ rcu_read_unlock();
+ mutex_unlock(&h->init_mutex);
+
+- if (alua_rtpg_queue(pg, sdev, qdata, true))
++ if (alua_rtpg_queue(pg, sdev, qdata, true)) {
+ fn = NULL;
+- else
++ } else {
++ kfree(qdata);
+ err = SCSI_DH_DEV_OFFLINED;
++ }
+ kref_put(&pg->kref, release_port_group);
+ out:
+ if (fn)
+--
+2.39.2
+
trace-hwlat-make-use-of-the-helper-function-kthread_.patch
trace-hwlat-do-not-start-per-cpu-thread-if-it-is-alr.patch
net-tls-fix-possible-race-condition-between-do_tls_g.patch
+power-supply-bq24190_charger-using-pm_runtime_resume.patch
+power-supply-bq24190-fix-use-after-free-bug-in-bq241.patch
+power-supply-da9150-fix-use-after-free-bug-in-da9150.patch
+arm-dts-imx6sll-e60k02-fix-usbotg1-pinctrl.patch
+arm-dts-imx6sl-tolino-shine2hd-fix-usbotg1-pinctrl.patch
+arm64-dts-imx8mn-specify-sound-dai-cells-for-sai-nod.patch
+xsk-add-missing-overflow-check-in-xdp_umem_reg.patch
+iavf-fix-inverted-rx-hash-condition-leading-to-disab.patch
+iavf-fix-non-tunneled-ipv6-udp-packet-type-and-hashi.patch
+intel-igbvf-free-irq-on-the-error-path-in-igbvf_requ.patch
+igbvf-regard-vf-reset-nack-as-success.patch
+igc-fix-the-validation-logic-for-taprio-s-gate-list.patch
+i2c-imx-lpi2c-check-only-for-enabled-interrupt-flags.patch
+i2c-hisi-only-use-the-completion-interrupt-to-finish.patch
+scsi-scsi_dh_alua-fix-memleak-for-qdata-in-alua_acti.patch
+net-dsa-b53-mmap-fix-device-tree-support.patch
+net-usb-smsc95xx-limit-packet-length-to-skb-len.patch
+qed-qed_sriov-guard-against-null-derefs-from-qed_iov.patch
+xirc2ps_cs-fix-use-after-free-bug-in-xirc2ps_detach.patch
+net-phy-ensure-state-transitions-are-processed-from-.patch
+net-mdio-fix-owner-field-for-mdio-buses-registered-u.patch
+net-mdio-fix-owner-field-for-mdio-buses-registered-u.patch-9507
+drm-i915-gt-perform-uc-late-init-after-probe-error-i.patch
+net-qcom-emac-fix-use-after-free-bug-in-emac_remove-.patch
+net-ps3_gelic_net-fix-rx-sk_buff-length.patch
+net-ps3_gelic_net-use-dma_mapping_error.patch
+octeontx2-vf-add-missing-free-for-alloc_percpu.patch
+bootconfig-fix-testcase-to-increase-max-node.patch
+keys-do-not-cache-key-in-task-struct-if-key-is-reque.patch
+iavf-fix-hang-on-reboot-with-ice.patch
+i40e-fix-flow-director-packet-filter-programming.patch
+bpf-adjust-insufficient-default-bpf_jit_limit.patch
+net-mlx5e-set-uplink-rep-as-netns_local.patch
+net-mlx5-fix-steering-rules-cleanup.patch
+net-mlx5-read-the-tc-mapping-of-all-priorities-on-et.patch
+net-mlx5-e-switch-fix-an-oops-in-error-handling-code.patch
+net-dsa-tag_brcm-legacy-fix-daisy-chained-switches.patch
+atm-idt77252-fix-kmemleak-when-rmmod-idt77252.patch
+erspan-do-not-use-skb_mac_header-in-ndo_start_xmit.patch
+net-sonic-use-dma_mapping_error-for-error-check.patch
+nvme-tcp-fix-nvme_tcp_term_pdu-to-match-spec.patch
+hvc-xen-prevent-concurrent-accesses-to-the-shared-ri.patch
+ksmbd-add-low-bound-validation-to-fsctl_set_zero_dat.patch
+ksmbd-add-low-bound-validation-to-fsctl_query_alloca.patch
+ksmbd-fix-possible-refcount-leak-in-smb2_open.patch
+gve-cache-link_speed-value-from-device.patch
+net-dsa-mt7530-move-enabling-disabling-core-clock-to.patch
+net-dsa-mt7530-move-lowering-trgmii-driving-to-mt753.patch
+net-dsa-mt7530-move-setting-ssc_delta-to-phy_interfa.patch
+net-mdio-thunder-add-missing-fwnode_handle_put.patch
+bluetooth-btqcomsmd-fix-command-timeout-after-settin.patch
+bluetooth-l2cap-fix-responding-with-wrong-pdu-type.patch
+bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_re.patch
+platform-chrome-cros_ec_chardev-fix-kernel-data-leak.patch
--- /dev/null
+From b58122d0fa0ce5def57fbd073bbd298a29628d27 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Mar 2023 00:15:26 +0800
+Subject: xirc2ps_cs: Fix use after free bug in xirc2ps_detach
+
+From: Zheng Wang <zyytlz.wz@163.com>
+
+[ Upstream commit e8d20c3ded59a092532513c9bd030d1ea66f5f44 ]
+
+In xirc2ps_probe, the local->tx_timeout_task was bounded
+with xirc2ps_tx_timeout_task. When timeout occurs,
+it will call xirc_tx_timeout->schedule_work to start the
+work.
+
+When we call xirc2ps_detach to remove the driver, there
+may be a sequence as follows:
+
+Stop responding to timeout tasks and complete scheduled
+tasks before cleanup in xirc2ps_detach, which will fix
+the problem.
+
+CPU0 CPU1
+
+ |xirc2ps_tx_timeout_task
+xirc2ps_detach |
+ free_netdev |
+ kfree(dev); |
+ |
+ | do_reset
+ | //use dev
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/xircom/xirc2ps_cs.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/xircom/xirc2ps_cs.c b/drivers/net/ethernet/xircom/xirc2ps_cs.c
+index ae611e46da6af..f8bbd1489af15 100644
+--- a/drivers/net/ethernet/xircom/xirc2ps_cs.c
++++ b/drivers/net/ethernet/xircom/xirc2ps_cs.c
+@@ -503,6 +503,11 @@ static void
+ xirc2ps_detach(struct pcmcia_device *link)
+ {
+ struct net_device *dev = link->priv;
++ struct local_info *local = netdev_priv(dev);
++
++ netif_carrier_off(dev);
++ netif_tx_disable(dev);
++ cancel_work_sync(&local->tx_timeout_task);
+
+ dev_dbg(&link->dev, "detach\n");
+
+--
+2.39.2
+
--- /dev/null
+From 23b4a12c159219dd5232df7459b12e8a5d0ccdac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Mar 2023 18:40:13 +0100
+Subject: xsk: Add missing overflow check in xdp_umem_reg
+
+From: Kal Conley <kal.conley@dectris.com>
+
+[ Upstream commit c7df4813b149362248d6ef7be41a311e27bf75fe ]
+
+The number of chunks can overflow u32. Make sure to return -EINVAL on
+overflow. Also remove a redundant u32 cast assigning umem->npgs.
+
+Fixes: bbff2f321a86 ("xsk: new descriptor addressing scheme")
+Signed-off-by: Kal Conley <kal.conley@dectris.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Magnus Karlsson <magnus.karlsson@intel.com>
+Link: https://lore.kernel.org/bpf/20230308174013.1114745-1-kal.conley@dectris.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xdp/xdp_umem.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/net/xdp/xdp_umem.c b/net/xdp/xdp_umem.c
+index f01ef6bda3909..65f918d29531d 100644
+--- a/net/xdp/xdp_umem.c
++++ b/net/xdp/xdp_umem.c
+@@ -152,10 +152,11 @@ static int xdp_umem_account_pages(struct xdp_umem *umem)
+
+ static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr)
+ {
+- u32 npgs_rem, chunk_size = mr->chunk_size, headroom = mr->headroom;
+ bool unaligned_chunks = mr->flags & XDP_UMEM_UNALIGNED_CHUNK_FLAG;
+- u64 npgs, addr = mr->addr, size = mr->len;
+- unsigned int chunks, chunks_rem;
++ u32 chunk_size = mr->chunk_size, headroom = mr->headroom;
++ u64 addr = mr->addr, size = mr->len;
++ u32 chunks_rem, npgs_rem;
++ u64 chunks, npgs;
+ int err;
+
+ if (chunk_size < XDP_UMEM_MIN_CHUNK_SIZE || chunk_size > PAGE_SIZE) {
+@@ -190,8 +191,8 @@ static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr)
+ if (npgs > U32_MAX)
+ return -EINVAL;
+
+- chunks = (unsigned int)div_u64_rem(size, chunk_size, &chunks_rem);
+- if (chunks == 0)
++ chunks = div_u64_rem(size, chunk_size, &chunks_rem);
++ if (!chunks || chunks > U32_MAX)
+ return -EINVAL;
+
+ if (!unaligned_chunks && chunks_rem)
+@@ -204,7 +205,7 @@ static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr)
+ umem->headroom = headroom;
+ umem->chunk_size = chunk_size;
+ umem->chunks = chunks;
+- umem->npgs = (u32)npgs;
++ umem->npgs = npgs;
+ umem->pgs = NULL;
+ umem->user = NULL;
+ umem->flags = mr->flags;
+--
+2.39.2
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
