--- /dev/null
+From 998c1e9973fba358b982c1b683bb43a6fefc9ee2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Jun 2022 15:59:57 +0100
+Subject: afs: Fix dynamic root getattr
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit cb78d1b5efffe4cf97e16766329dd7358aed3deb ]
+
+The recent patch to make afs_getattr consult the server didn't account
+for the pseudo-inodes employed by the dynamic root-type afs superblock
+not having a volume or a server to access, and thus an oops occurs if
+such a directory is stat'd.
+
+Fix this by checking to see if the vnode->volume pointer actually points
+anywhere before following it in afs_getattr().
+
+This can be tested by stat'ing a directory in /afs. It may be
+sufficient just to do "ls /afs" and the oops looks something like:
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000020
+ ...
+ RIP: 0010:afs_getattr+0x8b/0x14b
+ ...
+ Call Trace:
+ <TASK>
+ vfs_statx+0x79/0xf5
+ vfs_fstatat+0x49/0x62
+
+Fixes: 2aeb8c86d499 ("afs: Fix afs_getattr() to refetch file status if callback break occurred")
+Reported-by: Marc Dionne <marc.dionne@auristor.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Marc Dionne <marc.dionne@auristor.com>
+Tested-by: Marc Dionne <marc.dionne@auristor.com>
+cc: linux-afs@lists.infradead.org
+Link: https://lore.kernel.org/r/165408450783.1031787.7941404776393751186.stgit@warthog.procyon.org.uk/
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/inode.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/afs/inode.c b/fs/afs/inode.c
+index a47666ba48f5..785bacb972da 100644
+--- a/fs/afs/inode.c
++++ b/fs/afs/inode.c
+@@ -733,7 +733,8 @@ int afs_getattr(struct user_namespace *mnt_userns, const struct path *path,
+
+ _enter("{ ino=%lu v=%u }", inode->i_ino, inode->i_generation);
+
+- if (!(query_flags & AT_STATX_DONT_SYNC) &&
++ if (vnode->volume &&
++ !(query_flags & AT_STATX_DONT_SYNC) &&
+ !test_bit(AFS_VNODE_CB_PROMISED, &vnode->flags)) {
+ key = afs_request_key(vnode->volume->cell);
+ if (IS_ERR(key))
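Review bot: The new `vnode->volume &&` test at the top of the condition carries no comment saying when that pointer can be NULL, and a later reader of afs_getattr() will not have the commit message in front of them. Per the description, dynamic-root pseudo-inodes have no volume or server, and the unguarded dereference was reachable from an ordinary stat of a directory under /afs, so the reason is worth recording next to the check. I would add `/* Dynamic-root pseudo-inodes have no volume (and no server) to revalidate against */` above the `if`. afs_getattr() continues past the end of this hunk, so any later use of `vnode->volume` in the function is not visible here and should be checked against the same assumption.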
+--
+2.35.1
+
--- /dev/null
+From 44671b082198a66a5e9e90016418c69ee77765a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Jun 2022 12:32:40 -0700
+Subject: bonding: ARP monitor spams NETDEV_NOTIFY_PEERS notifiers
+
+From: Jay Vosburgh <jay.vosburgh@canonical.com>
+
+[ Upstream commit 7a9214f3d88cfdb099f3896e102a306b316d8707 ]
+
+The bonding ARP monitor fails to decrement send_peer_notif, the
+number of peer notifications (gratuitous ARP or ND) to be sent. This
+results in a continuous series of notifications.
+
+Correct this by decrementing the counter for each notification.
+
+Reported-by: Jonathan Toppins <jtoppins@redhat.com>
+Signed-off-by: Jay Vosburgh <jay.vosburgh@canonical.com>
+Fixes: b0929915e035 ("bonding: Fix RTNL: assertion failed at net/core/rtnetlink.c for ab arp monitor")
+Link: https://lore.kernel.org/netdev/b2fd4147-8f50-bebd-963a-1a3e8d1d9715@redhat.com/
+Tested-by: Jonathan Toppins <jtoppins@redhat.com>
+Reviewed-by: Jonathan Toppins <jtoppins@redhat.com>
+Link: https://lore.kernel.org/r/9400.1655407960@famine
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 2e75b7e8f70b..cd0d7b24f014 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -3474,9 +3474,11 @@ static void bond_activebackup_arp_mon(struct bonding *bond)
+ if (!rtnl_trylock())
+ return;
+
+- if (should_notify_peers)
++ if (should_notify_peers) {
++ bond->send_peer_notif--;
+ call_netdevice_notifiers(NETDEV_NOTIFY_PEERS,
+ bond->dev);
++ }
+ if (should_notify_rtnl) {
+ bond_slave_state_notify(bond);
+ bond_slave_link_notify(bond);
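Review bot: `bond->send_peer_notif--` is applied without checking that the counter is still non-zero at this point. `should_notify_peers` is computed before this hunk, ahead of the `rtnl_trylock()` shown at the top, so if the counter can be cleared in between (not verifiable from the visible lines) the decrement would wrap and restart the notification storm this change is meant to stop. A guard such as `if (bond->send_peer_notif) bond->send_peer_notif--;`, or a short comment stating why the counter cannot be zero here, would settle the question. bond_activebackup_arp_mon() starts and ends outside the hunk.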
+--
+2.35.1
+
--- /dev/null
+From e6174509c17c13ffbb4426d7068894db10524c86 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Jun 2022 11:15:40 +1000
+Subject: bpf: Fix request_sock leak in sk lookup helpers
+
+From: Jon Maxwell <jmaxwell37@gmail.com>
+
+[ Upstream commit 3046a827316c0e55fc563b4fb78c93b9ca5c7c37 ]
+
+A customer reported a request_socket leak in a Calico cloud environment. We
+found that a BPF program was doing a socket lookup with takes a refcnt on
+the socket and that it was finding the request_socket but returning the parent
+LISTEN socket via sk_to_full_sk() without decrementing the child request socket
+1st, resulting in request_sock slab object leak. This patch retains the
+existing behaviour of returning full socks to the caller but it also decrements
+the child request_socket if one is present before doing so to prevent the leak.
+
+Thanks to Curtis Taylor for all the help in diagnosing and testing this. And
+thanks to Antoine Tenart for the reproducer and patch input.
+
+v2 of this patch contains, refactor as per Daniel Borkmann's suggestions to
+validate RCU flags on the listen socket so that it balances with bpf_sk_release()
+and update comments as per Martin KaFai Lau's suggestion. One small change to
+Daniels suggestion, put "sk = sk2" under "if (sk2 != sk)" to avoid an extra
+instruction.
+
+Fixes: f7355a6c0497 ("bpf: Check sk_fullsock() before returning from bpf_sk_lookup()")
+Fixes: edbf8c01de5a ("bpf: add skc_lookup_tcp helper")
+Co-developed-by: Antoine Tenart <atenart@kernel.org>
+Signed-off-by: Antoine Tenart <atenart@kernel.org>
+Signed-off-by: Jon Maxwell <jmaxwell37@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Tested-by: Curtis Taylor <cutaylor-pub@yahoo.com>
+Cc: Martin KaFai Lau <kafai@fb.com>
+Link: https://lore.kernel.org/bpf/56d6f898-bde0-bb25-3427-12a330b29fb8@iogearbox.net
+Link: https://lore.kernel.org/bpf/20220615011540.813025-1-jmaxwell37@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/filter.c | 34 ++++++++++++++++++++++++++++------
+ 1 file changed, 28 insertions(+), 6 deletions(-)
+
+diff --git a/net/core/filter.c b/net/core/filter.c
+index 0816468c545c..d1e2ef77ce4c 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -6209,10 +6209,21 @@ __bpf_sk_lookup(struct sk_buff *skb, struct bpf_sock_tuple *tuple, u32 len,
+ ifindex, proto, netns_id, flags);
+
+ if (sk) {
+- sk = sk_to_full_sk(sk);
+- if (!sk_fullsock(sk)) {
++ struct sock *sk2 = sk_to_full_sk(sk);
++
++ /* sk_to_full_sk() may return (sk)->rsk_listener, so make sure the original sk
++ * sock refcnt is decremented to prevent a request_sock leak.
++ */
++ if (!sk_fullsock(sk2))
++ sk2 = NULL;
++ if (sk2 != sk) {
+ sock_gen_put(sk);
+- return NULL;
++ /* Ensure there is no need to bump sk2 refcnt */
++ if (unlikely(sk2 && !sock_flag(sk2, SOCK_RCU_FREE))) {
++ WARN_ONCE(1, "Found non-RCU, unreferenced socket!");
++ return NULL;
++ }
++ sk = sk2;
+ }
+ }
+
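Review bot: The reference hand-off block added here in __bpf_sk_lookup() is repeated verbatim in the bpf_sk_lookup() hunk that follows, and refcount logic of this kind is exactly where two copies drift apart and bring back a leak or an unbalanced put. I would move it into one static helper called from both places, as sketched below (the helper name is only a suggestion). The sketch returns NULL on the WARN path instead of returning from the caller, which is equivalent only if the code after the block does nothing but return `sk`; both functions continue outside their hunks, so that needs confirming.

```c
/* Swap a looked-up request sock for its full (listener) sock, dropping the
 * reference the lookup took on the request sock.
 */
static struct sock *bpf_sk_lookup_to_full_sk(struct sock *sk)
{
	struct sock *sk2 = sk_to_full_sk(sk);

	if (!sk_fullsock(sk2))
		sk2 = NULL;
	if (sk2 == sk)
		return sk;

	sock_gen_put(sk);
	/* Ensure there is no need to bump sk2 refcnt */
	if (unlikely(sk2 && !sock_flag(sk2, SOCK_RCU_FREE))) {
		WARN_ONCE(1, "Found non-RCU, unreferenced socket!");
		return NULL;
	}
	return sk2;
}

/* ... unchanged: the lookup call in __bpf_sk_lookup() and bpf_sk_lookup() ... */
	if (sk)
		sk = bpf_sk_lookup_to_full_sk(sk);
```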
+@@ -6246,10 +6257,21 @@ bpf_sk_lookup(struct sk_buff *skb, struct bpf_sock_tuple *tuple, u32 len,
+ flags);
+
+ if (sk) {
+- sk = sk_to_full_sk(sk);
+- if (!sk_fullsock(sk)) {
++ struct sock *sk2 = sk_to_full_sk(sk);
++
++ /* sk_to_full_sk() may return (sk)->rsk_listener, so make sure the original sk
++ * sock refcnt is decremented to prevent a request_sock leak.
++ */
++ if (!sk_fullsock(sk2))
++ sk2 = NULL;
++ if (sk2 != sk) {
+ sock_gen_put(sk);
+- return NULL;
++ /* Ensure there is no need to bump sk2 refcnt */
++ if (unlikely(sk2 && !sock_flag(sk2, SOCK_RCU_FREE))) {
++ WARN_ONCE(1, "Found non-RCU, unreferenced socket!");
++ return NULL;
++ }
++ sk = sk2;
+ }
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 80478f4a984047eeeefe6bff903e76bd1f83fc76 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Jun 2022 18:20:36 +0200
+Subject: bpf, x86: Fix tail call count offset calculation on bpf2bpf call
+
+From: Jakub Sitnicki <jakub@cloudflare.com>
+
+[ Upstream commit ff672c67ee7635ca1e28fb13729e8ef0d1f08ce5 ]
+
+On x86-64 the tail call count is passed from one BPF function to another
+through %rax. Additionally, on function entry, the tail call count value
+is stored on stack right after the BPF program stack, due to register
+shortage.
+
+The stored count is later loaded from stack either when performing a tail
+call - to check if we have not reached the tail call limit - or before
+calling another BPF function call in order to pass it via %rax.
+
+In the latter case, we miscalculate the offset at which the tail call count
+was stored on function entry. The JIT does not take into account that the
+allocated BPF program stack is always a multiple of 8 on x86, while the
+actual stack depth does not have to be.
+
+This leads to a load from an offset that belongs to the BPF stack, as shown
+in the example below:
+
+SEC("tc")
+int entry(struct __sk_buff *skb)
+{
+ /* Have data on stack which size is not a multiple of 8 */
+ volatile char arr[1] = {};
+ return subprog_tail(skb);
+}
+
+int entry(struct __sk_buff * skb):
+ 0: (b4) w2 = 0
+ 1: (73) *(u8 *)(r10 -1) = r2
+ 2: (85) call pc+1#bpf_prog_ce2f79bb5f3e06dd_F
+ 3: (95) exit
+
+int entry(struct __sk_buff * skb):
+ 0xffffffffa0201788: nop DWORD PTR [rax+rax*1+0x0]
+ 0xffffffffa020178d: xor eax,eax
+ 0xffffffffa020178f: push rbp
+ 0xffffffffa0201790: mov rbp,rsp
+ 0xffffffffa0201793: sub rsp,0x8
+ 0xffffffffa020179a: push rax
+ 0xffffffffa020179b: xor esi,esi
+ 0xffffffffa020179d: mov BYTE PTR [rbp-0x1],sil
+ 0xffffffffa02017a1: mov rax,QWORD PTR [rbp-0x9] !!! tail call count
+ 0xffffffffa02017a8: call 0xffffffffa02017d8 !!! is at rbp-0x10
+ 0xffffffffa02017ad: leave
+ 0xffffffffa02017ae: ret
+
+Fix it by rounding up the BPF stack depth to a multiple of 8, when
+calculating the tail call count offset on stack.
+
+Fixes: ebf7d1f508a7 ("bpf, x64: rework pro/epilogue and tailcall handling in JIT")
+Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20220616162037.535469-2-jakub@cloudflare.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/net/bpf_jit_comp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
+index d99434dc215c..8dca2bcbb0ea 100644
+--- a/arch/x86/net/bpf_jit_comp.c
++++ b/arch/x86/net/bpf_jit_comp.c
+@@ -1440,8 +1440,9 @@ st: if (is_imm8(insn->off))
+ case BPF_JMP | BPF_CALL:
+ func = (u8 *) __bpf_call_base + imm32;
+ if (tail_call_reachable) {
++ /* mov rax, qword ptr [rbp - rounded_stack_depth - 8] */
+ EMIT3_off32(0x48, 0x8B, 0x85,
+- -(bpf_prog->aux->stack_depth + 8));
++ -round_up(bpf_prog->aux->stack_depth, 8) - 8);
+ if (!imm32 || emit_call(&prog, func, image + addrs[i - 1] + 7))
+ return -EINVAL;
+ } else {
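Review bot: The tail call count offset is spelled out by hand at this call site as `-round_up(bpf_prog->aux->stack_depth, 8) - 8`, while the description says the same stack slot is also read on the tail-call path; keeping the formula in more than one place is how the sites got out of step. A small macro or inline helper used by every site that loads or stores the counter would keep them in agreement, e.g. `#define TAIL_CALL_CNT_OFF(depth) (-round_up((depth), 8) - 8)` (name is a suggestion). Because the loaded value is what enforces the tail call limit, reading a byte range that belongs to the BPF program's stack instead is more than cosmetic, so a selftest with a stack depth that is not a multiple of 8, like the `arr[1]` example in the description, belongs with the fix. The enclosing switch case continues outside the hunk.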
+--
+2.35.1
+
--- /dev/null
+From 80c31aad5d6b592b9942a482fb226346298669cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Jun 2022 10:55:39 -0700
+Subject: drm/msm/dp: check core_initialized before disable interrupts at
+ dp_display_unbind()
+
+From: Kuogee Hsieh <quic_khsieh@quicinc.com>
+
+[ Upstream commit d80c3ba0ac247791a4ed7a0cd865a64906c8906a ]
+
+During msm initialize phase, dp_display_unbind() will be called to undo
+initializations had been done by dp_display_bind() previously if there is
+error happen at msm_drm_bind. In this case, core_initialized flag had to
+be check to make sure clocks is on before update DP controller register
+to disable HPD interrupts. Otherwise system will crash due to below NOC
+fatal error.
+
+QTISECLIB [01f01a7ad]CNOC2 ERROR: ERRLOG0_LOW = 0x00061007
+QTISECLIB [01f01a7ad]GEM_NOC ERROR: ERRLOG0_LOW = 0x00001007
+QTISECLIB [01f0371a0]CNOC2 ERROR: ERRLOG0_HIGH = 0x00000003
+QTISECLIB [01f055297]GEM_NOC ERROR: ERRLOG0_HIGH = 0x00000003
+QTISECLIB [01f072beb]CNOC2 ERROR: ERRLOG1_LOW = 0x00000024
+QTISECLIB [01f0914b8]GEM_NOC ERROR: ERRLOG1_LOW = 0x00000042
+QTISECLIB [01f0ae639]CNOC2 ERROR: ERRLOG1_HIGH = 0x00004002
+QTISECLIB [01f0cc73f]GEM_NOC ERROR: ERRLOG1_HIGH = 0x00004002
+QTISECLIB [01f0ea092]CNOC2 ERROR: ERRLOG2_LOW = 0x0009020c
+QTISECLIB [01f10895f]GEM_NOC ERROR: ERRLOG2_LOW = 0x0ae9020c
+QTISECLIB [01f125ae1]CNOC2 ERROR: ERRLOG2_HIGH = 0x00000000
+QTISECLIB [01f143be7]GEM_NOC ERROR: ERRLOG2_HIGH = 0x00000000
+QTISECLIB [01f16153a]CNOC2 ERROR: ERRLOG3_LOW = 0x00000000
+QTISECLIB [01f17fe07]GEM_NOC ERROR: ERRLOG3_LOW = 0x00000000
+QTISECLIB [01f19cf89]CNOC2 ERROR: ERRLOG3_HIGH = 0x00000000
+QTISECLIB [01f1bb08e]GEM_NOC ERROR: ERRLOG3_HIGH = 0x00000000
+QTISECLIB [01f1d8a31]CNOC2 ERROR: SBM1 FAULTINSTATUS0_LOW = 0x00000002
+QTISECLIB [01f1f72a4]GEM_NOC ERROR: SBM0 FAULTINSTATUS0_LOW = 0x00000001
+QTISECLIB [01f21a217]CNOC3 ERROR: ERRLOG0_LOW = 0x00000006
+QTISECLIB [01f23dfd3]NOC error fatal
+
+changes in v2:
+-- drop the first patch (drm/msm: enable msm irq after all initializations are done successfully at msm_drm_init()) since the problem had been fixed by other patch
+
+Fixes: 570d3e5d28db ("drm/msm/dp: stop event kernel thread when DP unbind")
+Signed-off-by: Kuogee Hsieh <quic_khsieh@quicinc.com>
+Reviewed-by: Stephen Boyd <swboyd@chromium.org>
+Patchwork: https://patchwork.freedesktop.org/patch/488387/
+Link: https://lore.kernel.org/r/1654538139-7450-1-git-send-email-quic_khsieh@quicinc.com
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/dp/dp_display.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/dp/dp_display.c b/drivers/gpu/drm/msm/dp/dp_display.c
+index 7b624191abf1..8b51a5cc3eb8 100644
+--- a/drivers/gpu/drm/msm/dp/dp_display.c
++++ b/drivers/gpu/drm/msm/dp/dp_display.c
+@@ -260,7 +260,8 @@ static void dp_display_unbind(struct device *dev, struct device *master,
+ struct dp_display_private, dp_display);
+
+ /* disable all HPD interrupts */
+- dp_catalog_hpd_config_intr(dp->catalog, DP_DP_HPD_INT_MASK, false);
++ if (dp->core_initialized)
++ dp_catalog_hpd_config_intr(dp->catalog, DP_DP_HPD_INT_MASK, false);
+
+ kthread_stop(dp->ev_tsk);
+
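Review bot: The existing comment `/* disable all HPD interrupts */` no longer describes the statement under it, which is now conditional on `dp->core_initialized`. The reason for the guard, that touching the DP controller registers with the clocks off ends in the fatal NOC error quoted in the description, lives only in the commit message; I would extend the comment to `/* disable all HPD interrupts; registers are only reachable once the core clocks are on */`. The flag is also read before `kthread_stop(dp->ev_tsk)`, so if the event thread can change `core_initialized` (not visible in this hunk) the check and the register write are not atomic, and stopping the thread first would remove that question. dp_display_unbind() starts and ends outside the hunk.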
+--
+2.35.1
+
--- /dev/null
+From c85f41a15c5d7a52198a81753217dca8da97f753 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Jan 2022 10:47:25 -0800
+Subject: drm/msm/dp: do not initialize phy until plugin interrupt received
+
+From: Kuogee Hsieh <quic_khsieh@quicinc.com>
+
+[ Upstream commit 989ebe7bc4463002c210db0010c8475797a9098f ]
+
+Current DP drivers have regulators, clocks, irq and phy are grouped
+together within a function and executed not in a symmetric manner.
+This increase difficulty of code maintenance and limited code scalability.
+This patch divides the driver life cycle of operation into four states,
+resume (including booting up), dongle plugin, dongle unplugged and suspend.
+Regulators, core clocks and irq are grouped together and enabled at resume
+(or booting up) so that the DP controller is armed and ready to receive HPD
+plugin interrupts. HPD plugin interrupt is generated when a dongle plugs
+into DUT (device under test). Once HPD plugin interrupt is received, DP
+controller will initialize phy so that dpcd read/write will function and
+following link training can be proceeded successfully. DP phy will be
+disabled after main link is teared down at end of unplugged HPD interrupt
+handle triggered by dongle unplugged out of DUT. Finally regulators, code
+clocks and irq are disabled at corresponding suspension.
+
+Changes in V2:
+-- removed unnecessary dp_ctrl NULL check
+-- removed unnecessary phy init_count and power_count DRM_DEBUG_DP logs
+-- remove flip parameter out of dp_ctrl_irq_enable()
+-- add fixes tag
+
+Changes in V3:
+-- call dp_display_host_phy_init() instead of dp_ctrl_phy_init() at
+ dp_display_host_init() for eDP
+
+Changes in V4:
+-- rewording commit text to match this commit changes
+
+Changes in V5:
+-- rebase on top of msm-next branch
+
+Changes in V6:
+-- delete flip variable
+
+Changes in V7:
+-- dp_ctrl_irq_enable/disabe() merged into dp_ctrl_reset_irq_ctrl()
+
+Changes in V8:
+-- add more detail comment regrading dp phy at dp_display_host_init()
+
+Changes in V9:
+-- remove set phy_initialized to false when -ECONNRESET detected
+
+Changes in v10:
+-- group into one series
+
+Changes in v11:
+-- drop drm/msm/dp: dp_link_parse_sink_count() return immediately
+ if aux read
+
+Changes in v12:
+-- move dp_display_host_phy_exit() after dp_display_host_deinit()
+
+Changes in v13:
+-- do not execute phy_init until plugged_in interrupt for edp, same as DP.
+
+Changes in v14:
+-- remove redundant dp->core_initialized = false form dp_pm_suspend.
+
+Changes in v15:
+-- remove core_initialized flag check at both host_init and host_deinit
+
+Changes in v16:
+-- remove dp_display_host_phy_exit core_initialized=false at dp_pm_suspend
+
+Changes in v17:
+-- remove core_initialized checking before execute attention_cb()
+
+Changes in v18:
+-- remove core_initialized checking at dp_pm_suspend
+
+Fixes: 8ede2ecc3e5e ("drm/msm/dp: Add DP compliance tests on Snapdragon Chipsets")
+Signed-off-by: Kuogee Hsieh <quic_khsieh@quicinc.com>
+Reviewed-by: Stephen Boyd <swboyd@chromium.org>
+Link: https://lore.kernel.org/r/1642531648-8448-2-git-send-email-quic_khsieh@quicinc.com
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/dp/dp_ctrl.c | 80 ++++++++------------
+ drivers/gpu/drm/msm/dp/dp_ctrl.h | 8 +-
+ drivers/gpu/drm/msm/dp/dp_display.c | 111 ++++++++++++++--------------
+ 3 files changed, 92 insertions(+), 107 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/dp/dp_ctrl.c b/drivers/gpu/drm/msm/dp/dp_ctrl.c
+index 1992347537e6..0776b1960f21 100644
+--- a/drivers/gpu/drm/msm/dp/dp_ctrl.c
++++ b/drivers/gpu/drm/msm/dp/dp_ctrl.c
+@@ -1348,60 +1348,44 @@ static int dp_ctrl_enable_stream_clocks(struct dp_ctrl_private *ctrl)
+ return ret;
+ }
+
+-int dp_ctrl_host_init(struct dp_ctrl *dp_ctrl, bool flip, bool reset)
++void dp_ctrl_reset_irq_ctrl(struct dp_ctrl *dp_ctrl, bool enable)
++{
++ struct dp_ctrl_private *ctrl;
++
++ ctrl = container_of(dp_ctrl, struct dp_ctrl_private, dp_ctrl);
++
++ dp_catalog_ctrl_reset(ctrl->catalog);
++
++ if (enable)
++ dp_catalog_ctrl_enable_irq(ctrl->catalog, enable);
++}
++
++void dp_ctrl_phy_init(struct dp_ctrl *dp_ctrl)
+ {
+ struct dp_ctrl_private *ctrl;
+ struct dp_io *dp_io;
+ struct phy *phy;
+
+- if (!dp_ctrl) {
+- DRM_ERROR("Invalid input data\n");
+- return -EINVAL;
+- }
+-
+ ctrl = container_of(dp_ctrl, struct dp_ctrl_private, dp_ctrl);
+ dp_io = &ctrl->parser->io;
+ phy = dp_io->phy;
+
+- ctrl->dp_ctrl.orientation = flip;
+-
+- if (reset)
+- dp_catalog_ctrl_reset(ctrl->catalog);
+-
+- DRM_DEBUG_DP("flip=%d\n", flip);
+ dp_catalog_ctrl_phy_reset(ctrl->catalog);
+ phy_init(phy);
+- dp_catalog_ctrl_enable_irq(ctrl->catalog, true);
+-
+- return 0;
+ }
+
+-/**
+- * dp_ctrl_host_deinit() - Uninitialize DP controller
+- * @dp_ctrl: Display Port Driver data
+- *
+- * Perform required steps to uninitialize DP controller
+- * and its resources.
+- */
+-void dp_ctrl_host_deinit(struct dp_ctrl *dp_ctrl)
++void dp_ctrl_phy_exit(struct dp_ctrl *dp_ctrl)
+ {
+ struct dp_ctrl_private *ctrl;
+ struct dp_io *dp_io;
+ struct phy *phy;
+
+- if (!dp_ctrl) {
+- DRM_ERROR("Invalid input data\n");
+- return;
+- }
+-
+ ctrl = container_of(dp_ctrl, struct dp_ctrl_private, dp_ctrl);
+ dp_io = &ctrl->parser->io;
+ phy = dp_io->phy;
+
+- dp_catalog_ctrl_enable_irq(ctrl->catalog, false);
++ dp_catalog_ctrl_phy_reset(ctrl->catalog);
+ phy_exit(phy);
+-
+- DRM_DEBUG_DP("Host deinitialized successfully\n");
+ }
+
+ static bool dp_ctrl_use_fixed_nvid(struct dp_ctrl_private *ctrl)
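Review bot: dp_ctrl_reset_irq_ctrl() calls `dp_catalog_ctrl_enable_irq()` only when `enable` is true, so the disable path relies on `dp_catalog_ctrl_reset()` alone to leave the interrupts masked, and nothing in the code says so. If that is the intent it deserves a comment such as `/* controller reset leaves interrupts disabled; only re-enable on request */`; if not, the call should be unconditional, `dp_catalog_ctrl_enable_irq(ctrl->catalog, enable);`. The hunk also deletes the kernel-doc block of the old dp_ctrl_host_deinit() and gives the three new non-static functions none, so the calling order laid out in the description (reset and irq at resume, phy init at plug-in, phy exit at unplug) is not recorded next to the code.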
+@@ -1471,7 +1455,10 @@ static int dp_ctrl_deinitialize_mainlink(struct dp_ctrl_private *ctrl)
+ }
+
+ phy_power_off(phy);
++
++ /* aux channel down, reinit phy */
+ phy_exit(phy);
++ phy_init(phy);
+
+ return 0;
+ }
+@@ -1877,8 +1864,14 @@ int dp_ctrl_off_link_stream(struct dp_ctrl *dp_ctrl)
+ return ret;
+ }
+
++ DRM_DEBUG_DP("Before, phy=%x init_count=%d power_on=%d\n",
++ (u32)(uintptr_t)phy, phy->init_count, phy->power_count);
++
+ phy_power_off(phy);
+
++ DRM_DEBUG_DP("After, phy=%x init_count=%d power_on=%d\n",
++ (u32)(uintptr_t)phy, phy->init_count, phy->power_count);
++
+ /* aux channel down, reinit phy */
+ phy_exit(phy);
+ phy_init(phy);
+@@ -1887,23 +1880,6 @@ int dp_ctrl_off_link_stream(struct dp_ctrl *dp_ctrl)
+ return ret;
+ }
+
+-void dp_ctrl_off_phy(struct dp_ctrl *dp_ctrl)
+-{
+- struct dp_ctrl_private *ctrl;
+- struct dp_io *dp_io;
+- struct phy *phy;
+-
+- ctrl = container_of(dp_ctrl, struct dp_ctrl_private, dp_ctrl);
+- dp_io = &ctrl->parser->io;
+- phy = dp_io->phy;
+-
+- dp_catalog_ctrl_reset(ctrl->catalog);
+-
+- phy_exit(phy);
+-
+- DRM_DEBUG_DP("DP off phy done\n");
+-}
+-
+ int dp_ctrl_off(struct dp_ctrl *dp_ctrl)
+ {
+ struct dp_ctrl_private *ctrl;
+@@ -1931,10 +1907,14 @@ int dp_ctrl_off(struct dp_ctrl *dp_ctrl)
+ DRM_ERROR("Failed to disable link clocks. ret=%d\n", ret);
+ }
+
++ DRM_DEBUG_DP("Before, phy=%x init_count=%d power_on=%d\n",
++ (u32)(uintptr_t)phy, phy->init_count, phy->power_count);
++
+ phy_power_off(phy);
+- phy_exit(phy);
+
+- DRM_DEBUG_DP("DP off done\n");
++ DRM_DEBUG_DP("After, phy=%x init_count=%d power_on=%d\n",
++ (u32)(uintptr_t)phy, phy->init_count, phy->power_count);
++
+ return ret;
+ }
+
+diff --git a/drivers/gpu/drm/msm/dp/dp_ctrl.h b/drivers/gpu/drm/msm/dp/dp_ctrl.h
+index 2363a2df9597..2433edbc70a6 100644
+--- a/drivers/gpu/drm/msm/dp/dp_ctrl.h
++++ b/drivers/gpu/drm/msm/dp/dp_ctrl.h
+@@ -19,12 +19,9 @@ struct dp_ctrl {
+ u32 pixel_rate;
+ };
+
+-int dp_ctrl_host_init(struct dp_ctrl *dp_ctrl, bool flip, bool reset);
+-void dp_ctrl_host_deinit(struct dp_ctrl *dp_ctrl);
+ int dp_ctrl_on_link(struct dp_ctrl *dp_ctrl);
+ int dp_ctrl_on_stream(struct dp_ctrl *dp_ctrl);
+ int dp_ctrl_off_link_stream(struct dp_ctrl *dp_ctrl);
+-void dp_ctrl_off_phy(struct dp_ctrl *dp_ctrl);
+ int dp_ctrl_off(struct dp_ctrl *dp_ctrl);
+ void dp_ctrl_push_idle(struct dp_ctrl *dp_ctrl);
+ void dp_ctrl_isr(struct dp_ctrl *dp_ctrl);
+@@ -34,4 +31,9 @@ struct dp_ctrl *dp_ctrl_get(struct device *dev, struct dp_link *link,
+ struct dp_power *power, struct dp_catalog *catalog,
+ struct dp_parser *parser);
+
++void dp_ctrl_reset_irq_ctrl(struct dp_ctrl *dp_ctrl, bool enable);
++void dp_ctrl_phy_init(struct dp_ctrl *dp_ctrl);
++void dp_ctrl_phy_exit(struct dp_ctrl *dp_ctrl);
++void dp_ctrl_irq_phy_exit(struct dp_ctrl *dp_ctrl);
++
+ #endif /* _DP_CTRL_H_ */
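Review bot: `dp_ctrl_irq_phy_exit()` is declared here, but none of the dp_ctrl.c hunks in this patch define it; only dp_ctrl_reset_irq_ctrl(), dp_ctrl_phy_init() and dp_ctrl_phy_exit() are added. Unless a definition exists outside the visible hunks, the prototype looks like a leftover from an earlier revision and should be removed, since a stray declaration only shows up as a link failure once something calls it.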
+diff --git a/drivers/gpu/drm/msm/dp/dp_display.c b/drivers/gpu/drm/msm/dp/dp_display.c
+index 32b8dbb917bf..bbd0bf820192 100644
+--- a/drivers/gpu/drm/msm/dp/dp_display.c
++++ b/drivers/gpu/drm/msm/dp/dp_display.c
+@@ -81,6 +81,7 @@ struct dp_display_private {
+
+ /* state variables */
+ bool core_initialized;
++ bool phy_initialized;
+ bool hpd_irq_on;
+ bool audio_supported;
+
+@@ -362,36 +363,45 @@ static int dp_display_process_hpd_high(struct dp_display_private *dp)
+ return rc;
+ }
+
+-static void dp_display_host_init(struct dp_display_private *dp, int reset)
++static void dp_display_host_phy_init(struct dp_display_private *dp)
+ {
+- bool flip = false;
++ DRM_DEBUG_DP("core_init=%d phy_init=%d\n",
++ dp->core_initialized, dp->phy_initialized);
+
+- DRM_DEBUG_DP("core_initialized=%d\n", dp->core_initialized);
+- if (dp->core_initialized) {
+- DRM_DEBUG_DP("DP core already initialized\n");
+- return;
++ if (!dp->phy_initialized) {
++ dp_ctrl_phy_init(dp->ctrl);
++ dp->phy_initialized = true;
+ }
++}
++
++static void dp_display_host_phy_exit(struct dp_display_private *dp)
++{
++ DRM_DEBUG_DP("core_init=%d phy_init=%d\n",
++ dp->core_initialized, dp->phy_initialized);
+
+- if (dp->usbpd->orientation == ORIENTATION_CC2)
+- flip = true;
++ if (dp->phy_initialized) {
++ dp_ctrl_phy_exit(dp->ctrl);
++ dp->phy_initialized = false;
++ }
++}
++
++static void dp_display_host_init(struct dp_display_private *dp)
++{
++ DRM_DEBUG_DP("core_initialized=%d\n", dp->core_initialized);
+
+- dp_power_init(dp->power, flip);
+- dp_ctrl_host_init(dp->ctrl, flip, reset);
++ dp_power_init(dp->power, false);
++ dp_ctrl_reset_irq_ctrl(dp->ctrl, true);
+ dp_aux_init(dp->aux);
+ dp->core_initialized = true;
+ }
+
+ static void dp_display_host_deinit(struct dp_display_private *dp)
+ {
+- if (!dp->core_initialized) {
+- DRM_DEBUG_DP("DP core not initialized\n");
+- return;
+- }
++ DRM_DEBUG_DP("core_initialized=%d\n", dp->core_initialized);
+
+- dp_ctrl_host_deinit(dp->ctrl);
++ dp_ctrl_reset_irq_ctrl(dp->ctrl, false);
+ dp_aux_deinit(dp->aux);
+ dp_power_deinit(dp->power);
+-
+ dp->core_initialized = false;
+ }
+
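Review bot: dp_display_host_init() and dp_display_host_deinit() lose their `core_initialized` guards here, so a second init, or a deinit without a prior init, now re-runs dp_power_init()/dp_power_deinit() instead of returning early, while the phy helpers added just above keep the equivalent guard on `phy_initialized`. The changelog says the removal is deliberate, but the resulting contract, that callers must pair the two calls exactly, is not written anywhere; a comment above each function would help, e.g. `/* must be balanced with dp_display_host_deinit(); not idempotent */`. `dp_power_init(dp->power, false)` also hard-codes the value that used to be derived from `dp->usbpd->orientation`, which deserves a line of explanation as well.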
+@@ -409,7 +419,7 @@ static int dp_display_usbpd_configure_cb(struct device *dev)
+ dp = container_of(g_dp_display,
+ struct dp_display_private, dp_display);
+
+- dp_display_host_init(dp, false);
++ dp_display_host_phy_init(dp);
+
+ rc = dp_display_process_hpd_high(dp);
+ end:
+@@ -550,11 +560,6 @@ static int dp_hpd_plug_handle(struct dp_display_private *dp, u32 data)
+ ret = dp_display_usbpd_configure_cb(&dp->pdev->dev);
+ if (ret) { /* link train failed */
+ dp->hpd_state = ST_DISCONNECTED;
+-
+- if (ret == -ECONNRESET) { /* cable unplugged */
+- dp->core_initialized = false;
+- }
+-
+ } else {
+ /* start sentinel checking in case of missing uevent */
+ dp_add_event(dp, EV_CONNECT_PENDING_TIMEOUT, 0, tout);
+@@ -624,8 +629,7 @@ static int dp_hpd_unplug_handle(struct dp_display_private *dp, u32 data)
+ if (state == ST_DISCONNECTED) {
+ /* triggered by irq_hdp with sink_count = 0 */
+ if (dp->link->sink_count == 0) {
+- dp_ctrl_off_phy(dp->ctrl);
+- dp->core_initialized = false;
++ dp_display_host_phy_exit(dp);
+ }
+ mutex_unlock(&dp->event_mutex);
+ return 0;
+@@ -687,7 +691,6 @@ static int dp_disconnect_pending_timeout(struct dp_display_private *dp, u32 data
+ static int dp_irq_hpd_handle(struct dp_display_private *dp, u32 data)
+ {
+ u32 state;
+- int ret;
+
+ mutex_lock(&dp->event_mutex);
+
+@@ -712,16 +715,8 @@ static int dp_irq_hpd_handle(struct dp_display_private *dp, u32 data)
+ return 0;
+ }
+
+- /*
+- * dp core (ahb/aux clks) must be initialized before
+- * irq_hpd be handled
+- */
+- if (dp->core_initialized) {
+- ret = dp_display_usbpd_attention_cb(&dp->pdev->dev);
+- if (ret == -ECONNRESET) { /* cable unplugged */
+- dp->core_initialized = false;
+- }
+- }
++ dp_display_usbpd_attention_cb(&dp->pdev->dev);
++
+ DRM_DEBUG_DP("hpd_state=%d\n", state);
+
+ mutex_unlock(&dp->event_mutex);
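Review bot: The return value of `dp_display_usbpd_attention_cb()` is now discarded, so a failure in the attention path, including the `-ECONNRESET` case the removed code singled out as a cable unplug, leaves no trace. If nothing needs to react to it any more, it should at least be logged, e.g. `if (dp_display_usbpd_attention_cb(&dp->pdev->dev)) DRM_DEBUG_DP("attention_cb failed\n");`. The removed comment stated that the ahb/aux clocks must be on before irq_hpd is handled; with the `core_initialized` test gone, a replacement comment should say what now guarantees that. dp_irq_hpd_handle() begins before this hunk.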
+@@ -916,12 +911,19 @@ static int dp_display_disable(struct dp_display_private *dp, u32 data)
+
+ dp_display->audio_enabled = false;
+
+- /* triggered by irq_hpd with sink_count = 0 */
+ if (dp->link->sink_count == 0) {
++ /*
++ * irq_hpd with sink_count = 0
++ * hdmi unplugged out of dongle
++ */
+ dp_ctrl_off_link_stream(dp->ctrl);
+ } else {
++ /*
++ * unplugged interrupt
++ * dongle unplugged out of DUT
++ */
+ dp_ctrl_off(dp->ctrl);
+- dp->core_initialized = false;
++ dp_display_host_phy_exit(dp);
+ }
+
+ dp_display->power_on = false;
+@@ -1051,7 +1053,7 @@ void msm_dp_snapshot(struct msm_disp_state *disp_state, struct msm_dp *dp)
+ static void dp_display_config_hpd(struct dp_display_private *dp)
+ {
+
+- dp_display_host_init(dp, true);
++ dp_display_host_init(dp);
+ dp_catalog_ctrl_hpd_config(dp->catalog);
+
+ /* Enable interrupt first time
+@@ -1318,20 +1320,23 @@ static int dp_pm_resume(struct device *dev)
+ dp->hpd_state = ST_DISCONNECTED;
+
+ /* turn on dp ctrl/phy */
+- dp_display_host_init(dp, true);
++ dp_display_host_init(dp);
+
+ dp_catalog_ctrl_hpd_config(dp->catalog);
+
+- /*
+- * set sink to normal operation mode -- D0
+- * before dpcd read
+- */
+- dp_link_psm_config(dp->link, &dp->panel->link_info, false);
+
+ if (dp_catalog_link_is_connected(dp->catalog)) {
++ /*
++ * set sink to normal operation mode -- D0
++ * before dpcd read
++ */
++ dp_display_host_phy_init(dp);
++ dp_link_psm_config(dp->link, &dp->panel->link_info, false);
+ sink_count = drm_dp_read_sink_count(dp->aux);
+ if (sink_count < 0)
+ sink_count = 0;
++
++ dp_display_host_phy_exit(dp);
+ }
+
+ dp->link->sink_count = sink_count;
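Review bot: The context comment `/* turn on dp ctrl/phy */` above `dp_display_host_init(dp)` is stale after this change, because phy initialisation has moved into dp_display_host_phy_init() inside the `dp_catalog_link_is_connected()` branch. I would reword it to `/* turn on dp ctrl; phy is brought up only while reading the sink count */`. The relocated D0 comment now sits above `dp_display_host_phy_init(dp)` rather than `dp_link_psm_config()`, and the hunk leaves two consecutive blank lines before the `if`.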
+@@ -1370,18 +1375,16 @@ static int dp_pm_suspend(struct device *dev)
+ DRM_DEBUG_DP("Before, core_inited=%d power_on=%d\n",
+ dp->core_initialized, dp_display->power_on);
+
+- if (dp->core_initialized == true) {
+- /* mainlink enabled */
+- if (dp_power_clk_status(dp->power, DP_CTRL_PM))
+- dp_ctrl_off_link_stream(dp->ctrl);
++ /* mainlink enabled */
++ if (dp_power_clk_status(dp->power, DP_CTRL_PM))
++ dp_ctrl_off_link_stream(dp->ctrl);
+
+- dp_display_host_deinit(dp);
+- }
+-
+- dp->hpd_state = ST_SUSPENDED;
++ dp_display_host_phy_exit(dp);
+
+ /* host_init will be called at pm_resume */
+- dp->core_initialized = false;
++ dp_display_host_deinit(dp);
++
++ dp->hpd_state = ST_SUSPENDED;
+
+ DRM_DEBUG_DP("After, core_inited=%d power_on=%d\n",
+ dp->core_initialized, dp_display->power_on);
+@@ -1538,7 +1541,7 @@ int msm_dp_display_enable(struct msm_dp *dp, struct drm_encoder *encoder)
+ state = dp_display->hpd_state;
+
+ if (state == ST_DISPLAY_OFF)
+- dp_display_host_init(dp_display, true);
++ dp_display_host_phy_init(dp_display);
+
+ dp_display_enable(dp_display, 0);
+
+--
+2.35.1
+
--- /dev/null
+From 3de4524eb34b7db46474a1dfd6e416284f7198c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Dec 2021 09:41:02 -0800
+Subject: drm/msm/dp: dp_link_parse_sink_count() return immediately if aux read
+ failed
+
+From: Kuogee Hsieh <quic_khsieh@quicinc.com>
+
+[ Upstream commit f61550b3864b9578527c28cf9c465316ac1566e1 ]
+
+Add checking aux read/write status at both dp_link_parse_sink_count()
+and dp_link_parse_sink_status_filed() to avoid long timeout delay if
+dp aux read/write failed at timeout due to cable unplugged.
+
+Changes in V4:
+-- split this patch as stand alone patch
+
+Changes in v5:
+-- rebase on msm-next branch
+
+Signed-off-by: Kuogee Hsieh <quic_khsieh@quicinc.com>
+
+Reviewed-by: Stephen Boyd <swboyd@chromium.org>
+Tested-by: Stephen Boyd <swboyd@chromium.org>
+Link: https://lore.kernel.org/r/1638985262-2072-1-git-send-email-quic_khsieh@quicinc.com
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/dp/dp_display.c | 12 +++++++++---
+ drivers/gpu/drm/msm/dp/dp_link.c | 19 ++++++++++++++-----
+ 2 files changed, 23 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/dp/dp_display.c b/drivers/gpu/drm/msm/dp/dp_display.c
+index a66ee63253a3..32b8dbb917bf 100644
+--- a/drivers/gpu/drm/msm/dp/dp_display.c
++++ b/drivers/gpu/drm/msm/dp/dp_display.c
+@@ -712,9 +712,15 @@ static int dp_irq_hpd_handle(struct dp_display_private *dp, u32 data)
+ return 0;
+ }
+
+- ret = dp_display_usbpd_attention_cb(&dp->pdev->dev);
+- if (ret == -ECONNRESET) { /* cable unplugged */
+- dp->core_initialized = false;
++ /*
++ * dp core (ahb/aux clks) must be initialized before
++ * irq_hpd be handled
++ */
++ if (dp->core_initialized) {
++ ret = dp_display_usbpd_attention_cb(&dp->pdev->dev);
++ if (ret == -ECONNRESET) { /* cable unplugged */
++ dp->core_initialized = false;
++ }
+ }
+ DRM_DEBUG_DP("hpd_state=%d\n", state);
+
+diff --git a/drivers/gpu/drm/msm/dp/dp_link.c b/drivers/gpu/drm/msm/dp/dp_link.c
+index a5bdfc5029de..d4d31e5bda07 100644
+--- a/drivers/gpu/drm/msm/dp/dp_link.c
++++ b/drivers/gpu/drm/msm/dp/dp_link.c
+@@ -737,18 +737,25 @@ static int dp_link_parse_sink_count(struct dp_link *dp_link)
+ return 0;
+ }
+
+-static void dp_link_parse_sink_status_field(struct dp_link_private *link)
++static int dp_link_parse_sink_status_field(struct dp_link_private *link)
+ {
+ int len = 0;
+
+ link->prev_sink_count = link->dp_link.sink_count;
+- dp_link_parse_sink_count(&link->dp_link);
++ len = dp_link_parse_sink_count(&link->dp_link);
++ if (len < 0) {
++ DRM_ERROR("DP parse sink count failed\n");
++ return len;
++ }
+
+ len = drm_dp_dpcd_read_link_status(link->aux,
+ link->link_status);
+- if (len < DP_LINK_STATUS_SIZE)
++ if (len < DP_LINK_STATUS_SIZE) {
+ DRM_ERROR("DP link status read failed\n");
+- dp_link_parse_request(link);
++ return len;
++ }
++
++ return dp_link_parse_request(link);
+ }
+
+ /**
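Review bot: The new `return len;` in the link-status branch of dp_link_parse_sink_status_field() can return a non-negative value, because the branch is taken for any `len < DP_LINK_STATUS_SIZE` and not only for a negative error. If drm_dp_dpcd_read_link_status() reports a byte count on a partial transfer (not shown on this page, so worth confirming), a zero-length read comes back as 0 and passes the `if (ret)` check added in dp_link_process_request() in the next hunk. Parsing would then continue on a link_status buffer that was not filled, while a positive short count would propagate as a positive "error". I would normalise the short-read case: `return len < 0 ? len : -EIO;`.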
+@@ -1023,7 +1030,9 @@ int dp_link_process_request(struct dp_link *dp_link)
+
+ dp_link_reset_data(link);
+
+- dp_link_parse_sink_status_field(link);
++ ret = dp_link_parse_sink_status_field(link);
++ if (ret)
++ return ret;
+
+ if (link->request.test_requested == DP_TEST_LINK_EDID_READ) {
+ dp_link->sink_request |= DP_TEST_LINK_EDID_READ;
+--
+2.35.1
+
--- /dev/null
+From 2ebc23ad5e8bcd6b5ce005076b8f5319f75196c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 6 Nov 2021 10:22:46 -0700
+Subject: drm/msm/dp: Drop now unused hpd_high member
+
+From: Bjorn Andersson <bjorn.andersson@linaro.org>
+
+[ Upstream commit fabae667b1263216be53e0230cd3966a9a1963a4 ]
+
+Since '8ede2ecc3e5e ("drm/msm/dp: Add DP compliance tests on Snapdragon
+Chipsets")' the hpd_high member of struct dp_usbpd has been write-only.
+
+Let's clean up the code a little bit by removing the writes as well.
+
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Reviewed-by: Stephen Boyd <swboyd@chromium.org>
+Link: https://lore.kernel.org/r/20211106172246.2597431-1-bjorn.andersson@linaro.org
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/dp/dp_display.c | 6 ------
+ drivers/gpu/drm/msm/dp/dp_hpd.c | 2 --
+ drivers/gpu/drm/msm/dp/dp_hpd.h | 2 --
+ 3 files changed, 10 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/dp/dp_display.c b/drivers/gpu/drm/msm/dp/dp_display.c
+index 8b51a5cc3eb8..a66ee63253a3 100644
+--- a/drivers/gpu/drm/msm/dp/dp_display.c
++++ b/drivers/gpu/drm/msm/dp/dp_display.c
+@@ -547,11 +547,8 @@ static int dp_hpd_plug_handle(struct dp_display_private *dp, u32 data)
+
+ dp->hpd_state = ST_CONNECT_PENDING;
+
+- hpd->hpd_high = 1;
+-
+ ret = dp_display_usbpd_configure_cb(&dp->pdev->dev);
+ if (ret) { /* link train failed */
+- hpd->hpd_high = 0;
+ dp->hpd_state = ST_DISCONNECTED;
+
+ if (ret == -ECONNRESET) { /* cable unplugged */
+@@ -628,7 +625,6 @@ static int dp_hpd_unplug_handle(struct dp_display_private *dp, u32 data)
+ /* triggered by irq_hdp with sink_count = 0 */
+ if (dp->link->sink_count == 0) {
+ dp_ctrl_off_phy(dp->ctrl);
+- hpd->hpd_high = 0;
+ dp->core_initialized = false;
+ }
+ mutex_unlock(&dp->event_mutex);
+@@ -652,8 +648,6 @@ static int dp_hpd_unplug_handle(struct dp_display_private *dp, u32 data)
+ /* disable HPD plug interrupts */
+ dp_catalog_hpd_config_intr(dp->catalog, DP_DP_HPD_PLUG_INT_MASK, false);
+
+- hpd->hpd_high = 0;
+-
+ /*
+ * We don't need separate work for disconnect as
+ * connect/attention interrupts are disabled
+diff --git a/drivers/gpu/drm/msm/dp/dp_hpd.c b/drivers/gpu/drm/msm/dp/dp_hpd.c
+index e1c90fa47411..db98a1d431eb 100644
+--- a/drivers/gpu/drm/msm/dp/dp_hpd.c
++++ b/drivers/gpu/drm/msm/dp/dp_hpd.c
+@@ -32,8 +32,6 @@ int dp_hpd_connect(struct dp_usbpd *dp_usbpd, bool hpd)
+ hpd_priv = container_of(dp_usbpd, struct dp_hpd_private,
+ dp_usbpd);
+
+- dp_usbpd->hpd_high = hpd;
+-
+ if (!hpd_priv->dp_cb || !hpd_priv->dp_cb->configure
+ || !hpd_priv->dp_cb->disconnect) {
+ pr_err("hpd dp_cb not initialized\n");
+diff --git a/drivers/gpu/drm/msm/dp/dp_hpd.h b/drivers/gpu/drm/msm/dp/dp_hpd.h
+index 5bc5bb64680f..8feec5aa5027 100644
+--- a/drivers/gpu/drm/msm/dp/dp_hpd.h
++++ b/drivers/gpu/drm/msm/dp/dp_hpd.h
+@@ -26,7 +26,6 @@ enum plug_orientation {
+ * @multi_func: multi-function preferred
+ * @usb_config_req: request to switch to usb
+ * @exit_dp_mode: request exit from displayport mode
+- * @hpd_high: Hot Plug Detect signal is high.
+ * @hpd_irq: Change in the status since last message
+ * @alt_mode_cfg_done: bool to specify alt mode status
+ * @debug_en: bool to specify debug mode
+@@ -39,7 +38,6 @@ struct dp_usbpd {
+ bool multi_func;
+ bool usb_config_req;
+ bool exit_dp_mode;
+- bool hpd_high;
+ bool hpd_irq;
+ bool alt_mode_cfg_done;
+ bool debug_en;
+--
+2.35.1
+
--- /dev/null
+From 2ccbc3e83da9eec97bf275c7014e247bafebebed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Jun 2022 13:26:40 -0700
+Subject: drm/msm/dp: force link training for display resolution change
+
+From: Kuogee Hsieh <quic_khsieh@quicinc.com>
+
+[ Upstream commit a6e2af64a79afa7f1b29375b5231e840a84bb845 ]
+
+Display resolution change is implemented through drm modeset. Older
+modeset (resolution) has to be disabled first before newer modeset
+(resolution) can be enabled. Display disable will turn off both
+pixel clock and main link clock so that main link have to be
+re-trained during display enable to have new video stream flow
+again. At current implementation, display enable function manually
+kicks up irq_hpd_handle which will read panel link status and start
+link training if link status is not in sync state.
+
+However, there is rare case that a particular panel links status keep
+staying in sync for some period of time after main link had been shut
+down previously at display disabled. In this case, main link retraining
+will not be executed by irq_hdp_handle(). Hence video stream of newer
+display resolution will fail to be transmitted to panel due to main
+link is not in sync between host and panel.
+
+This patch will bypass irq_hpd_handle() in favor of directly call
+dp_ctrl_on_stream() to always perform link training in regardless of
+main link status. So that no unexpected exception resolution change
+failure cases will happen. Also this implementation are more efficient
+than manual kicking off irq_hpd_handle function.
+
+Changes in v2:
+-- set force_link_train flag on DP only (is_edp == false)
+
+Changes in v3:
+-- revise commit text
+-- add Fixes tag
+
+Changes in v4:
+-- revise commit text
+
+Changes in v5:
+-- fix spelling at commit text
+
+Changes in v6:
+-- split dp_ctrl_on_stream() for phy test case
+-- revise commit text for modeset
+
+Changes in v7:
+-- drop 0 assignment at local variable (ret = 0)
+
+Changes in v8:
+-- add patch to remove pixel_rate from dp_ctrl
+
+Changes in v9:
+-- forward declare dp_ctrl_on_stream_phy_test_report()
+
+Fixes: 62671d2ef24b ("drm/msm/dp: fixes wrong connection state caused by failure of link train")
+Signed-off-by: Kuogee Hsieh <quic_khsieh@quicinc.com>
+Reviewed-by: Stephen Boyd <swboyd@chromium.org>
+Patchwork: https://patchwork.freedesktop.org/patch/489895/
+Link: https://lore.kernel.org/r/1655411200-7255-1-git-send-email-quic_khsieh@quicinc.com
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/dp/dp_ctrl.c | 33 ++++++++++++++++++++++-------
+ drivers/gpu/drm/msm/dp/dp_ctrl.h | 2 +-
+ drivers/gpu/drm/msm/dp/dp_display.c | 13 ++++++------
+ 3 files changed, 32 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/dp/dp_ctrl.c b/drivers/gpu/drm/msm/dp/dp_ctrl.c
+index 0776b1960f21..afffdad0ebf9 100644
+--- a/drivers/gpu/drm/msm/dp/dp_ctrl.c
++++ b/drivers/gpu/drm/msm/dp/dp_ctrl.c
+@@ -1488,6 +1488,8 @@ static int dp_ctrl_link_maintenance(struct dp_ctrl_private *ctrl)
+ return ret;
+ }
+
++static int dp_ctrl_on_stream_phy_test_report(struct dp_ctrl *dp_ctrl);
++
+ static int dp_ctrl_process_phy_test_request(struct dp_ctrl_private *ctrl)
+ {
+ int ret = 0;
+@@ -1510,7 +1512,7 @@ static int dp_ctrl_process_phy_test_request(struct dp_ctrl_private *ctrl)
+
+ ret = dp_ctrl_on_link(&ctrl->dp_ctrl);
+ if (!ret)
+- ret = dp_ctrl_on_stream(&ctrl->dp_ctrl);
++ ret = dp_ctrl_on_stream_phy_test_report(&ctrl->dp_ctrl);
+ else
+ DRM_ERROR("failed to enable DP link controller\n");
+
+@@ -1765,7 +1767,27 @@ static int dp_ctrl_link_retrain(struct dp_ctrl_private *ctrl)
+ return dp_ctrl_setup_main_link(ctrl, &training_step);
+ }
+
+-int dp_ctrl_on_stream(struct dp_ctrl *dp_ctrl)
++static int dp_ctrl_on_stream_phy_test_report(struct dp_ctrl *dp_ctrl)
++{
++ int ret;
++ struct dp_ctrl_private *ctrl;
++
++ ctrl = container_of(dp_ctrl, struct dp_ctrl_private, dp_ctrl);
++
++ ctrl->dp_ctrl.pixel_rate = ctrl->panel->dp_mode.drm_mode.clock;
++
++ ret = dp_ctrl_enable_stream_clocks(ctrl);
++ if (ret) {
++ DRM_ERROR("Failed to start pixel clocks. ret=%d\n", ret);
++ return ret;
++ }
++
++ dp_ctrl_send_phy_test_pattern(ctrl);
++
++ return 0;
++}
++
++int dp_ctrl_on_stream(struct dp_ctrl *dp_ctrl, bool force_link_train)
+ {
+ int ret = 0;
+ bool mainlink_ready = false;
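Review bot: dp_ctrl_on_stream_phy_test_report() and the new `force_link_train` parameter of dp_ctrl_on_stream() are both undocumented, and the split between the two functions is only explained in the commit message. A short comment above the helper would say that it is the PHY-test path only: it sets pixel_rate, enables the stream clocks and sends the test pattern, with no link training. A second line on dp_ctrl_on_stream(), e.g. `/* @force_link_train: retrain the main link even if channel EQ reports OK */`, would state the contract the -1796 hunk implements. dp_ctrl_on_stream() continues outside this hunk.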
+@@ -1796,12 +1818,7 @@ int dp_ctrl_on_stream(struct dp_ctrl *dp_ctrl)
+ goto end;
+ }
+
+- if (ctrl->link->sink_request & DP_TEST_LINK_PHY_TEST_PATTERN) {
+- dp_ctrl_send_phy_test_pattern(ctrl);
+- return 0;
+- }
+-
+- if (!dp_ctrl_channel_eq_ok(ctrl))
++ if (force_link_train || !dp_ctrl_channel_eq_ok(ctrl))
+ dp_ctrl_link_retrain(ctrl);
+
+ /* stop txing train pattern to end link training */
+diff --git a/drivers/gpu/drm/msm/dp/dp_ctrl.h b/drivers/gpu/drm/msm/dp/dp_ctrl.h
+index 2433edbc70a6..dcc7af21a5f0 100644
+--- a/drivers/gpu/drm/msm/dp/dp_ctrl.h
++++ b/drivers/gpu/drm/msm/dp/dp_ctrl.h
+@@ -20,7 +20,7 @@ struct dp_ctrl {
+ };
+
+ int dp_ctrl_on_link(struct dp_ctrl *dp_ctrl);
+-int dp_ctrl_on_stream(struct dp_ctrl *dp_ctrl);
++int dp_ctrl_on_stream(struct dp_ctrl *dp_ctrl, bool force_link_train);
+ int dp_ctrl_off_link_stream(struct dp_ctrl *dp_ctrl);
+ int dp_ctrl_off(struct dp_ctrl *dp_ctrl);
+ void dp_ctrl_push_idle(struct dp_ctrl *dp_ctrl);
+diff --git a/drivers/gpu/drm/msm/dp/dp_display.c b/drivers/gpu/drm/msm/dp/dp_display.c
+index bbd0bf820192..b141ccb527b0 100644
+--- a/drivers/gpu/drm/msm/dp/dp_display.c
++++ b/drivers/gpu/drm/msm/dp/dp_display.c
+@@ -865,7 +865,7 @@ static int dp_display_enable(struct dp_display_private *dp, u32 data)
+ return 0;
+ }
+
+- rc = dp_ctrl_on_stream(dp->ctrl);
++ rc = dp_ctrl_on_stream(dp->ctrl, data);
+ if (!rc)
+ dp_display->power_on = true;
+
+@@ -1512,6 +1512,7 @@ int msm_dp_display_enable(struct msm_dp *dp, struct drm_encoder *encoder)
+ int rc = 0;
+ struct dp_display_private *dp_display;
+ u32 state;
++ bool force_link_train = false;
+
+ dp_display = container_of(dp, struct dp_display_private, dp_display);
+ if (!dp_display->dp_mode.drm_mode.clock) {
+@@ -1540,10 +1541,12 @@ int msm_dp_display_enable(struct msm_dp *dp, struct drm_encoder *encoder)
+
+ state = dp_display->hpd_state;
+
+- if (state == ST_DISPLAY_OFF)
++ if (state == ST_DISPLAY_OFF) {
+ dp_display_host_phy_init(dp_display);
++ force_link_train = true;
++ }
+
+- dp_display_enable(dp_display, 0);
++ dp_display_enable(dp_display, force_link_train);
+
+ rc = dp_display_post_enable(dp);
+ if (rc) {
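Review bot: The result of `dp_display_enable(dp_display, force_link_train);` is discarded, so a failure in the now-mandatory link training is invisible to msm_dp_display_enable(). It then calls dp_display_post_enable() and, in the following hunk, sets `ST_CONNECTED`. Consider `rc = dp_display_enable(dp_display, force_link_train);` with an error exit before post-enable, provided the surrounding code (outside this hunk) can unwind at that point. Separately, the flag travels as `u32 data` in dp_display_enable() (the -865 hunk) and is passed straight into a `bool` parameter; a comment there such as `/* data: non-zero forces link training */` would make that conversion deliberate.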
+@@ -1552,10 +1555,6 @@ int msm_dp_display_enable(struct msm_dp *dp, struct drm_encoder *encoder)
+ dp_display_unprepare(dp);
+ }
+
+- /* manual kick off plug event to train link */
+- if (state == ST_DISPLAY_OFF)
+- dp_add_event(dp_display, EV_IRQ_HPD_INT, 0, 0);
+-
+ /* completed connection */
+ dp_display->hpd_state = ST_CONNECTED;
+
+--
+2.35.1
+
--- /dev/null
+From 4fce174e236bbda8d4f02042b11a23c5e724bc93 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 31 May 2022 13:08:56 -0700
+Subject: drm/msm: Ensure mmap offset is initialized
+
+From: Rob Clark <robdclark@chromium.org>
+
+[ Upstream commit 036d20726c30267724416e966c9f92db07de8081 ]
+
+If a GEM object is allocated, and then exported as a dma-buf fd which is
+mmap'd before or without the GEM buffer being directly mmap'd, the
+vma_node could be unitialized. This leads to a situation where the CPU
+mapping is not correctly torn down in drm_vma_node_unmap().
+
+Fixes: e5516553999f ("drm: call drm_gem_object_funcs.mmap with fake offset")
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20220531200857.136547-1-robdclark@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/msm_drv.c | 2 +-
+ drivers/gpu/drm/msm/msm_drv.h | 1 +
+ drivers/gpu/drm/msm/msm_gem_prime.c | 15 +++++++++++++++
+ 3 files changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c
+index 9712582886aa..916361c30d77 100644
+--- a/drivers/gpu/drm/msm/msm_drv.c
++++ b/drivers/gpu/drm/msm/msm_drv.c
+@@ -1102,7 +1102,7 @@ static const struct drm_driver msm_driver = {
+ .prime_handle_to_fd = drm_gem_prime_handle_to_fd,
+ .prime_fd_to_handle = drm_gem_prime_fd_to_handle,
+ .gem_prime_import_sg_table = msm_gem_prime_import_sg_table,
+- .gem_prime_mmap = drm_gem_prime_mmap,
++ .gem_prime_mmap = msm_gem_prime_mmap,
+ #ifdef CONFIG_DEBUG_FS
+ .debugfs_init = msm_debugfs_init,
+ #endif
+diff --git a/drivers/gpu/drm/msm/msm_drv.h b/drivers/gpu/drm/msm/msm_drv.h
+index c552f0c3890c..bd5132bb9bde 100644
+--- a/drivers/gpu/drm/msm/msm_drv.h
++++ b/drivers/gpu/drm/msm/msm_drv.h
+@@ -298,6 +298,7 @@ unsigned long msm_gem_shrinker_shrink(struct drm_device *dev, unsigned long nr_t
+ void msm_gem_shrinker_init(struct drm_device *dev);
+ void msm_gem_shrinker_cleanup(struct drm_device *dev);
+
++int msm_gem_prime_mmap(struct drm_gem_object *obj, struct vm_area_struct *vma);
+ struct sg_table *msm_gem_prime_get_sg_table(struct drm_gem_object *obj);
+ int msm_gem_prime_vmap(struct drm_gem_object *obj, struct dma_buf_map *map);
+ void msm_gem_prime_vunmap(struct drm_gem_object *obj, struct dma_buf_map *map);
+diff --git a/drivers/gpu/drm/msm/msm_gem_prime.c b/drivers/gpu/drm/msm/msm_gem_prime.c
+index 8a2d94bd5df2..02c70a0b2a03 100644
+--- a/drivers/gpu/drm/msm/msm_gem_prime.c
++++ b/drivers/gpu/drm/msm/msm_gem_prime.c
+@@ -11,6 +11,21 @@
+ #include "msm_drv.h"
+ #include "msm_gem.h"
+
++int msm_gem_prime_mmap(struct drm_gem_object *obj, struct vm_area_struct *vma)
++{
++ int ret;
++
++ /* Ensure the mmap offset is initialized. We lazily initialize it,
++ * so if it has not been first mmap'd directly as a GEM object, the
++ * mmap offset will not be already initialized.
++ */
++ ret = drm_gem_create_mmap_offset(obj);
++ if (ret)
++ return ret;
++
++ return drm_gem_prime_mmap(obj, vma);
++}
++
+ struct sg_table *msm_gem_prime_get_sg_table(struct drm_gem_object *obj)
+ {
+ struct msm_gem_object *msm_obj = to_msm_bo(obj);
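Review bot: The comment in msm_gem_prime_mmap() says the offset is lazily initialised but not what breaks without it. According to the commit message, the consequence is that drm_vma_node_unmap() does not correctly tear down the CPU mapping. A later reader needs that fact to judge whether the wrapper can be dropped again. I would add one line to the comment, e.g. `* Without it, drm_vma_node_unmap() cannot tear down the CPU mapping of a dma-buf mmap.` The block comment also starts its text on the `/*` line, where the usual kernel form puts `/*` on a line of its own.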
+--
+2.35.1
+
--- /dev/null
+From 1c3195b0b06d9f0ef2b982b08892ad04c411d94c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Jun 2022 23:13:05 +0200
+Subject: drm/msm: Fix double pm_runtime_disable() call
+
+From: Maximilian Luz <luzmaximilian@gmail.com>
+
+[ Upstream commit ce0db505bc0c51ef5e9ba446c660de7e26f78f29 ]
+
+Following commit 17e822f7591f ("drm/msm: fix unbalanced
+pm_runtime_enable in adreno_gpu_{init, cleanup}"), any call to
+adreno_unbind() will disable runtime PM twice, as indicated by the call
+trees below:
+
+ adreno_unbind()
+ -> pm_runtime_force_suspend()
+ -> pm_runtime_disable()
+
+ adreno_unbind()
+ -> gpu->funcs->destroy() [= aNxx_destroy()]
+ -> adreno_gpu_cleanup()
+ -> pm_runtime_disable()
+
+Note that pm_runtime_force_suspend() is called right before
+gpu->funcs->destroy() and both functions are called unconditionally.
+
+With recent addition of the eDP AUX bus code, this problem manifests
+itself when the eDP panel cannot be found yet and probing is deferred.
+On the first probe attempt, we disable runtime PM twice as described
+above. This then causes any later probe attempt to fail with
+
+ [drm:adreno_load_gpu [msm]] *ERROR* Couldn't power up the GPU: -13
+
+preventing the driver from loading.
+
+As there seem to be scenarios where the aNxx_destroy() functions are not
+called from adreno_unbind(), simply removing pm_runtime_disable() from
+inside adreno_unbind() does not seem to be the proper fix. This is what
+commit 17e822f7591f ("drm/msm: fix unbalanced pm_runtime_enable in
+adreno_gpu_{init, cleanup}") intended to fix. Therefore, instead check
+whether runtime PM is still enabled, and only disable it in that case.
+
+Fixes: 17e822f7591f ("drm/msm: fix unbalanced pm_runtime_enable in adreno_gpu_{init, cleanup}")
+Signed-off-by: Maximilian Luz <luzmaximilian@gmail.com>
+Tested-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Reviewed-by: Rob Clark <robdclark@gmail.com>
+Link: https://lore.kernel.org/r/20220606211305.189585-1-luzmaximilian@gmail.com
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/adreno/adreno_gpu.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/adreno/adreno_gpu.c b/drivers/gpu/drm/msm/adreno/adreno_gpu.c
+index 748665232d29..bba68776cb25 100644
+--- a/drivers/gpu/drm/msm/adreno/adreno_gpu.c
++++ b/drivers/gpu/drm/msm/adreno/adreno_gpu.c
+@@ -958,7 +958,8 @@ void adreno_gpu_cleanup(struct adreno_gpu *adreno_gpu)
+ for (i = 0; i < ARRAY_SIZE(adreno_gpu->info->fw); i++)
+ release_firmware(adreno_gpu->fw[i]);
+
+- pm_runtime_disable(&priv->gpu_pdev->dev);
++ if (pm_runtime_enabled(&priv->gpu_pdev->dev))
++ pm_runtime_disable(&priv->gpu_pdev->dev);
+
+ msm_gpu_cleanup(&adreno_gpu->base);
+ }
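Review bot: `pm_runtime_enabled()` followed by `pm_runtime_disable()` is a check-then-act pair with no lock visible in this hunk. It only prevents the double disable if nothing else can change the runtime-PM enable state between the two calls. That looks true for the adreno_unbind() sequence the commit message describes, but the code does not say so. A comment above the test would record why the guard exists, e.g. `/* adreno_unbind() may already have disabled runtime PM via pm_runtime_force_suspend() */`. adreno_gpu_cleanup() starts outside the hunk.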
+--
+2.35.1
+
--- /dev/null
+From 939245487dacbfa76ca0aac8dd42d49afe9d9e08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Jun 2022 15:08:38 +0400
+Subject: drm/msm/mdp4: Fix refcount leak in mdp4_modeset_init_intf
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit b9cc4598607cb7f7eae5c75fc1e3209cd52ff5e0 ]
+
+of_graph_get_remote_node() returns remote device node pointer with
+refcount incremented, we should use of_node_put() on it
+when not need anymore.
+Add missing of_node_put() to avoid refcount leak.
+
+Fixes: 86418f90a4c1 ("drm: convert drivers to use of_graph_get_remote_node")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Stephen Boyd <swboyd@chromium.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/488473/
+Link: https://lore.kernel.org/r/20220607110841.53889-1-linmq006@gmail.com
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/mdp4/mdp4_kms.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/msm/disp/mdp4/mdp4_kms.c b/drivers/gpu/drm/msm/disp/mdp4/mdp4_kms.c
+index cdcaf470f148..97ae68182f3e 100644
+--- a/drivers/gpu/drm/msm/disp/mdp4/mdp4_kms.c
++++ b/drivers/gpu/drm/msm/disp/mdp4/mdp4_kms.c
+@@ -223,6 +223,7 @@ static int mdp4_modeset_init_intf(struct mdp4_kms *mdp4_kms,
+ encoder = mdp4_lcdc_encoder_init(dev, panel_node);
+ if (IS_ERR(encoder)) {
+ DRM_DEV_ERROR(dev->dev, "failed to construct LCDC encoder\n");
++ of_node_put(panel_node);
+ return PTR_ERR(encoder);
+ }
+
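Review bot: Both added `of_node_put(panel_node);` calls sit directly in front of a `return`, here and in the -232 hunk. The release is therefore repeated per error exit and is easy to forget on the next one that gets added. A single exit label, reached with `goto err_put_node;` and doing the put once, would keep the reference handling in one place. Whether the success path of this case releases panel_node or hands it over is outside both hunks and should be checked alongside.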
+@@ -232,6 +233,7 @@ static int mdp4_modeset_init_intf(struct mdp4_kms *mdp4_kms,
+ connector = mdp4_lvds_connector_init(dev, panel_node, encoder);
+ if (IS_ERR(connector)) {
+ DRM_DEV_ERROR(dev->dev, "failed to initialize LVDS connector\n");
++ of_node_put(panel_node);
+ return PTR_ERR(connector);
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 36c7f8a8ff5121d9ff0ec8473fd479ab51c3698a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Jun 2022 09:13:34 -0700
+Subject: drm/msm: Switch ordering of runpm put vs devfreq_idle
+
+From: Rob Clark <robdclark@chromium.org>
+
+[ Upstream commit 49e477610087a02c3604061b8f3ee3a25a493987 ]
+
+In msm_devfreq_suspend() we cancel idle_work synchronously so that it
+doesn't run after we power of the hw or in the resume path. But this
+means that we want to ensure that idle_work is not scheduled *after* we
+no longer hold a runpm ref. So switch the ordering of pm_runtime_put()
+vs msm_devfreq_idle().
+
+v2. Only move the runpm _put_autosuspend, and not the _mark_last_busy()
+
+Fixes: 9bc95570175a ("drm/msm: Devfreq tuning")
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Link: https://lore.kernel.org/r/20210927152928.831245-1-robdclark@gmail.com
+Reviewed-by: Akhil P Oommen <quic_akhilpo@quicinc.com>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Link: https://lore.kernel.org/r/20220608161334.2140611-1-robdclark@gmail.com
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/msm_gpu.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/msm_gpu.c b/drivers/gpu/drm/msm/msm_gpu.c
+index 2c46cd968ac4..b01d0a521c90 100644
+--- a/drivers/gpu/drm/msm/msm_gpu.c
++++ b/drivers/gpu/drm/msm/msm_gpu.c
+@@ -658,7 +658,6 @@ static void retire_submit(struct msm_gpu *gpu, struct msm_ringbuffer *ring,
+ msm_submit_retire(submit);
+
+ pm_runtime_mark_last_busy(&gpu->pdev->dev);
+- pm_runtime_put_autosuspend(&gpu->pdev->dev);
+
+ spin_lock_irqsave(&ring->submit_lock, flags);
+ list_del(&submit->node);
+@@ -672,6 +671,8 @@ static void retire_submit(struct msm_gpu *gpu, struct msm_ringbuffer *ring,
+ msm_devfreq_idle(gpu);
+ mutex_unlock(&gpu->active_lock);
+
++ pm_runtime_put_autosuspend(&gpu->pdev->dev);
++
+ msm_gem_submit_put(submit);
+ }
+
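Review bot: The ordering these two hunks establish in retire_submit() is load-bearing, yet nothing in the code records it, so a later cleanup could move `pm_runtime_put_autosuspend()` back next to `pm_runtime_mark_last_busy()`. I would add a comment above the moved call, e.g. `/* Drop the runpm ref only after msm_devfreq_idle(), so idle_work is never scheduled without a ref held */`. That restates the reasoning from the commit message at the place where it matters. retire_submit() starts outside the hunk.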
+--
+2.35.1
+
--- /dev/null
+From e3424f27c106b903d63f6f37e2513dee0beba3ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Jun 2022 18:10:19 -0400
+Subject: drm/msm: use for_each_sgtable_sg to iterate over scatterlist
+
+From: Jonathan Marek <jonathan@marek.ca>
+
+[ Upstream commit 62b5e322fb6cc5a5a91fdeba0e4e57e75d9f4387 ]
+
+The dma_map_sgtable() call (used to invalidate cache) overwrites sgt->nents
+with 1, so msm_iommu_pagetable_map maps only the first physical segment.
+
+To fix this problem use for_each_sgtable_sg(), which uses orig_nents.
+
+Fixes: b145c6e65eb0 ("drm/msm: Add support to create a local pagetable")
+Signed-off-by: Jonathan Marek <jonathan@marek.ca>
+Link: https://lore.kernel.org/r/20220613221019.11399-1-jonathan@marek.ca
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/msm_iommu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/msm_iommu.c b/drivers/gpu/drm/msm/msm_iommu.c
+index bcaddbba564d..a54ed354578b 100644
+--- a/drivers/gpu/drm/msm/msm_iommu.c
++++ b/drivers/gpu/drm/msm/msm_iommu.c
+@@ -58,7 +58,7 @@ static int msm_iommu_pagetable_map(struct msm_mmu *mmu, u64 iova,
+ u64 addr = iova;
+ unsigned int i;
+
+- for_each_sg(sgt->sgl, sg, sgt->nents, i) {
++ for_each_sgtable_sg(sgt, sg, i) {
+ size_t size = sg->length;
+ phys_addr_t phys = sg_phys(sg);
+
+--
+2.35.1
+
--- /dev/null
+From 43bf0e2fa72566c711db2bf048a119bd04b1be19 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Jun 2022 00:42:53 -0500
+Subject: drm/sun4i: Fix crash during suspend after component bind failure
+
+From: Samuel Holland <samuel@sholland.org>
+
+[ Upstream commit 1342b5b23da9559a1578978eaff7f797d8a87d91 ]
+
+If the component driver fails to bind, or is unbound, the driver data
+for the top-level platform device points to a freed drm_device. If the
+system is then suspended, the driver passes this dangling pointer to
+drm_mode_config_helper_suspend(), which crashes.
+
+Fix this by only setting the driver data while the platform driver holds
+a reference to the drm_device.
+
+Fixes: 624b4b48d9d8 ("drm: sun4i: Add support for suspending the display driver")
+Signed-off-by: Samuel Holland <samuel@sholland.org>
+Reviewed-by: Jernej Skrabec <jernej.skrabec@gmail.com>
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Link: https://lore.kernel.org/r/20220615054254.16352-1-samuel@sholland.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/sun4i/sun4i_drv.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/sun4i/sun4i_drv.c b/drivers/gpu/drm/sun4i/sun4i_drv.c
+index 54dd562e294c..5b7061e2bca4 100644
+--- a/drivers/gpu/drm/sun4i/sun4i_drv.c
++++ b/drivers/gpu/drm/sun4i/sun4i_drv.c
+@@ -72,7 +72,6 @@ static int sun4i_drv_bind(struct device *dev)
+ goto free_drm;
+ }
+
+- dev_set_drvdata(dev, drm);
+ drm->dev_private = drv;
+ INIT_LIST_HEAD(&drv->frontend_list);
+ INIT_LIST_HEAD(&drv->engine_list);
+@@ -113,6 +112,8 @@ static int sun4i_drv_bind(struct device *dev)
+
+ drm_fbdev_generic_setup(drm, 32);
+
++ dev_set_drvdata(dev, drm);
++
+ return 0;
+
+ finish_poll:
+@@ -129,6 +130,7 @@ static void sun4i_drv_unbind(struct device *dev)
+ {
+ struct drm_device *drm = dev_get_drvdata(dev);
+
++ dev_set_drvdata(dev, NULL);
+ drm_dev_unregister(drm);
+ drm_kms_helper_poll_fini(drm);
+ drm_atomic_helper_shutdown(drm);
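Review bot: With `dev_set_drvdata(dev, NULL);` in sun4i_drv_unbind(), any callback that reads the driver data after unbind now gets NULL instead of a dangling pointer. The fix therefore depends on the suspend/resume handlers, which are not part of this patch, tolerating a NULL drm_device, and that should be confirmed. A comment on the new line would make the intent explicit, e.g. `/* Clear drvdata first so PM callbacks never see a drm_device being torn down */`. The matching move in sun4i_drv_bind() (the -113 hunk) has the same purpose for the bind error paths and would benefit from a similar one-line comment.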
+--
+2.35.1
+
--- /dev/null
+From b6f8541cd7d5d63341e95412ef4c100a0f5dbca6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Jun 2022 01:35:06 -0700
+Subject: erspan: do not assume transport header is always set
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 301bd140ed0b24f0da660874c7e8a47dad8c8222 ]
+
+Rewrite tests in ip6erspan_tunnel_xmit() and
+erspan_fb_xmit() to not assume transport header is set.
+
+syzbot reported:
+
+WARNING: CPU: 0 PID: 1350 at include/linux/skbuff.h:2911 skb_transport_header include/linux/skbuff.h:2911 [inline]
+WARNING: CPU: 0 PID: 1350 at include/linux/skbuff.h:2911 ip6erspan_tunnel_xmit+0x15af/0x2eb0 net/ipv6/ip6_gre.c:963
+Modules linked in:
+CPU: 0 PID: 1350 Comm: aoe_tx0 Not tainted 5.19.0-rc2-syzkaller-00160-g274295c6e53f #0
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
+RIP: 0010:skb_transport_header include/linux/skbuff.h:2911 [inline]
+RIP: 0010:ip6erspan_tunnel_xmit+0x15af/0x2eb0 net/ipv6/ip6_gre.c:963
+Code: 0f 47 f0 40 88 b5 7f fe ff ff e8 8c 16 4b f9 89 de bf ff ff ff ff e8 a0 12 4b f9 66 83 fb ff 0f 85 1d f1 ff ff e8 71 16 4b f9 <0f> 0b e9 43 f0 ff ff e8 65 16 4b f9 48 8d 85 30 ff ff ff ba 60 00
+RSP: 0018:ffffc90005daf910 EFLAGS: 00010293
+RAX: 0000000000000000 RBX: 000000000000ffff RCX: 0000000000000000
+RDX: ffff88801f032100 RSI: ffffffff882e8d3f RDI: 0000000000000003
+RBP: ffffc90005dafab8 R08: 0000000000000003 R09: 000000000000ffff
+R10: 000000000000ffff R11: 0000000000000000 R12: ffff888024f21d40
+R13: 000000000000a288 R14: 00000000000000b0 R15: ffff888025a2e000
+FS: 0000000000000000(0000) GS:ffff88802c800000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000001b2e425000 CR3: 000000006d099000 CR4: 0000000000152ef0
+Call Trace:
+<TASK>
+__netdev_start_xmit include/linux/netdevice.h:4805 [inline]
+netdev_start_xmit include/linux/netdevice.h:4819 [inline]
+xmit_one net/core/dev.c:3588 [inline]
+dev_hard_start_xmit+0x188/0x880 net/core/dev.c:3604
+sch_direct_xmit+0x19f/0xbe0 net/sched/sch_generic.c:342
+__dev_xmit_skb net/core/dev.c:3815 [inline]
+__dev_queue_xmit+0x14a1/0x3900 net/core/dev.c:4219
+dev_queue_xmit include/linux/netdevice.h:2994 [inline]
+tx+0x6a/0xc0 drivers/block/aoe/aoenet.c:63
+kthread+0x1e7/0x3b0 drivers/block/aoe/aoecmd.c:1229
+kthread+0x2e9/0x3a0 kernel/kthread.c:376
+ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
+</TASK>
+
+Fixes: d5db21a3e697 ("erspan: auto detect truncated ipv6 packets.")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: William Tu <u9012063@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/ip_gre.c | 15 ++++++++++-----
+ net/ipv6/ip6_gre.c | 15 ++++++++++-----
+ 2 files changed, 20 insertions(+), 10 deletions(-)
+
+diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
+index f23528c77539..fc74a3e3b3e1 100644
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -524,7 +524,6 @@ static void erspan_fb_xmit(struct sk_buff *skb, struct net_device *dev)
+ int tunnel_hlen;
+ int version;
+ int nhoff;
+- int thoff;
+
+ tun_info = skb_tunnel_info(skb);
+ if (unlikely(!tun_info || !(tun_info->mode & IP_TUNNEL_INFO_TX) ||
+@@ -558,10 +557,16 @@ static void erspan_fb_xmit(struct sk_buff *skb, struct net_device *dev)
+ (ntohs(ip_hdr(skb)->tot_len) > skb->len - nhoff))
+ truncate = true;
+
+- thoff = skb_transport_header(skb) - skb_mac_header(skb);
+- if (skb->protocol == htons(ETH_P_IPV6) &&
+- (ntohs(ipv6_hdr(skb)->payload_len) > skb->len - thoff))
+- truncate = true;
++ if (skb->protocol == htons(ETH_P_IPV6)) {
++ int thoff;
++
++ if (skb_transport_header_was_set(skb))
++ thoff = skb_transport_header(skb) - skb_mac_header(skb);
++ else
++ thoff = nhoff + sizeof(struct ipv6hdr);
++ if (ntohs(ipv6_hdr(skb)->payload_len) > skb->len - thoff)
++ truncate = true;
++ }
+
+ if (version == 1) {
+ erspan_build_header(skb, ntohl(tunnel_id_to_key32(key->tun_id)),
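Review bot: `skb->len - thoff` subtracts the signed `thoff` from an unsigned length. If thoff can ever exceed skb->len, the result wraps to a large value and the comparison silently leaves `truncate` unset. Whether earlier checks in erspan_fb_xmit() rule that out is outside this hunk; if they do not, the test can guard it: `if (skb->len < thoff || ntohs(ipv6_hdr(skb)->payload_len) > skb->len - thoff)`. The same block is added verbatim to ip6erspan_tunnel_xmit() in the ip6_gre.c hunk (-965), so a small shared helper would keep the two copies from drifting apart.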
+diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
+index a817ac6d9759..70ef4d4ebff4 100644
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -944,7 +944,6 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb,
+ __be16 proto;
+ __u32 mtu;
+ int nhoff;
+- int thoff;
+
+ if (!pskb_inet_may_pull(skb))
+ goto tx_err;
+@@ -965,10 +964,16 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb,
+ (ntohs(ip_hdr(skb)->tot_len) > skb->len - nhoff))
+ truncate = true;
+
+- thoff = skb_transport_header(skb) - skb_mac_header(skb);
+- if (skb->protocol == htons(ETH_P_IPV6) &&
+- (ntohs(ipv6_hdr(skb)->payload_len) > skb->len - thoff))
+- truncate = true;
++ if (skb->protocol == htons(ETH_P_IPV6)) {
++ int thoff;
++
++ if (skb_transport_header_was_set(skb))
++ thoff = skb_transport_header(skb) - skb_mac_header(skb);
++ else
++ thoff = nhoff + sizeof(struct ipv6hdr);
++ if (ntohs(ipv6_hdr(skb)->payload_len) > skb->len - thoff)
++ truncate = true;
++ }
+
+ if (skb_cow_head(skb, dev->needed_headroom ?: t->hlen))
+ goto tx_err;
+--
+2.35.1
+
--- /dev/null
+From b42b3d6ffe1c2d25993e4613850fee8d6ab8fcac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Jun 2022 18:08:55 +0200
+Subject: ethtool: Fix get module eeprom fallback
+
+From: Ivan Vecera <ivecera@redhat.com>
+
+[ Upstream commit a3bb7b63813f674fb62bac321cdd897cc62de094 ]
+
+Function fallback_set_params() checks if the module type returned
+by a driver is ETH_MODULE_SFF_8079 and in this case it assumes
+that buffer returns a concatenated content of page A0h and A2h.
+The check is wrong because the correct type is ETH_MODULE_SFF_8472.
+
+Fixes: 96d971e307cc ("ethtool: Add fallback to get_module_eeprom from netlink command")
+Signed-off-by: Ivan Vecera <ivecera@redhat.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://lore.kernel.org/r/20220616160856.3623273-1-ivecera@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ethtool/eeprom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ethtool/eeprom.c b/net/ethtool/eeprom.c
+index 7e6b37a54add..1c94bb8ea03f 100644
+--- a/net/ethtool/eeprom.c
++++ b/net/ethtool/eeprom.c
+@@ -36,7 +36,7 @@ static int fallback_set_params(struct eeprom_req_info *request,
+ if (request->page)
+ offset = request->page * ETH_MODULE_EEPROM_PAGE_LEN + offset;
+
+- if (modinfo->type == ETH_MODULE_SFF_8079 &&
++ if (modinfo->type == ETH_MODULE_SFF_8472 &&
+ request->i2c_address == 0x51)
+ offset += ETH_MODULE_EEPROM_PAGE_LEN * 2;
+
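Review bot: The corrected condition in fallback_set_params() still depends on the bare constant `0x51` and on an unstated assumption about the buffer layout, which is how the wrong module type went unnoticed. A comment above the test would document both, e.g. `/* SFF-8472: driver buffer holds page A0h followed by A2h; I2C address 0x51 selects the A2h part */`. That wording is taken from the commit message. fallback_set_params() starts and ends outside the hunk.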
+--
+2.35.1
+
--- /dev/null
+From a39afe07564bc9b4956340f951f28edf1edbe668 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Jun 2022 11:29:48 +0300
+Subject: gpio: winbond: Fix error code in winbond_gpio_get()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 9ca766eaea2e87b8b773bff04ee56c055cb76d4e ]
+
+This error path returns 1, but it should instead propagate the negative
+error code from winbond_sio_enter().
+
+Fixes: a0d65009411c ("gpio: winbond: Add driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Bartosz Golaszewski <brgl@bgdev.pl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-winbond.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpio/gpio-winbond.c b/drivers/gpio/gpio-winbond.c
+index 7f8f5b02e31d..4b61d975cc0e 100644
+--- a/drivers/gpio/gpio-winbond.c
++++ b/drivers/gpio/gpio-winbond.c
+@@ -385,12 +385,13 @@ static int winbond_gpio_get(struct gpio_chip *gc, unsigned int offset)
+ unsigned long *base = gpiochip_get_data(gc);
+ const struct winbond_gpio_info *info;
+ bool val;
++ int ret;
+
+ winbond_gpio_get_info(&offset, &info);
+
+- val = winbond_sio_enter(*base);
+- if (val)
+- return val;
++ ret = winbond_sio_enter(*base);
++ if (ret)
++ return ret;
+
+ winbond_sio_select_logical(*base, info->dev);
+
+--
+2.35.1
+
--- /dev/null
+From 2b5dc98ab17cc8047cf05cd8ca5f62b5b76c71bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Jun 2022 09:47:05 +0200
+Subject: ice: ethtool: advertise 1000M speeds properly
+
+From: Anatolii Gerasymenko <anatolii.gerasymenko@intel.com>
+
+[ Upstream commit c3d184c83ff4b80167e34edfc3d21df424bf27ff ]
+
+In current implementation ice_update_phy_type enables all link modes
+for selected speed. This approach doesn't work for 1000M speeds,
+because both copper (1000baseT) and optical (1000baseX) standards
+cannot be enabled at once.
+
+Fix this, by adding the function `ice_set_phy_type_from_speed()`
+for 1000M speeds.
+
+Fixes: 48cb27f2fd18 ("ice: Implement handlers for ethtool PHY/link operations")
+Signed-off-by: Anatolii Gerasymenko <anatolii.gerasymenko@intel.com>
+Tested-by: Gurucharan <gurucharanx.g@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_ethtool.c | 39 +++++++++++++++++++-
+ 1 file changed, 38 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_ethtool.c b/drivers/net/ethernet/intel/ice/ice_ethtool.c
+index 19f115402969..982db894754f 100644
+--- a/drivers/net/ethernet/intel/ice/ice_ethtool.c
++++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c
+@@ -2150,6 +2150,42 @@ ice_setup_autoneg(struct ice_port_info *p, struct ethtool_link_ksettings *ks,
+ return err;
+ }
+
++/**
++ * ice_set_phy_type_from_speed - set phy_types based on speeds
++ * and advertised modes
++ * @ks: ethtool link ksettings struct
++ * @phy_type_low: pointer to the lower part of phy_type
++ * @phy_type_high: pointer to the higher part of phy_type
++ * @adv_link_speed: targeted link speeds bitmap
++ */
++static void
++ice_set_phy_type_from_speed(const struct ethtool_link_ksettings *ks,
++ u64 *phy_type_low, u64 *phy_type_high,
++ u16 adv_link_speed)
++{
++ /* Handle 1000M speed in a special way because ice_update_phy_type
++ * enables all link modes, but having mixed copper and optical
++ * standards is not supported.
++ */
++ adv_link_speed &= ~ICE_AQ_LINK_SPEED_1000MB;
++
++ if (ethtool_link_ksettings_test_link_mode(ks, advertising,
++ 1000baseT_Full))
++ *phy_type_low |= ICE_PHY_TYPE_LOW_1000BASE_T |
++ ICE_PHY_TYPE_LOW_1G_SGMII;
++
++ if (ethtool_link_ksettings_test_link_mode(ks, advertising,
++ 1000baseKX_Full))
++ *phy_type_low |= ICE_PHY_TYPE_LOW_1000BASE_KX;
++
++ if (ethtool_link_ksettings_test_link_mode(ks, advertising,
++ 1000baseX_Full))
++ *phy_type_low |= ICE_PHY_TYPE_LOW_1000BASE_SX |
++ ICE_PHY_TYPE_LOW_1000BASE_LX;
++
++ ice_update_phy_type(phy_type_low, phy_type_high, adv_link_speed);
++}
++
+ /**
+ * ice_set_link_ksettings - Set Speed and Duplex
+ * @netdev: network interface device structure
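Review bot: ice_set_phy_type_from_speed() clears ICE_AQ_LINK_SPEED_1000MB from adv_link_speed unconditionally, so when none of the three tested modes (1000baseT_Full, 1000baseKX_Full, 1000baseX_Full) is set in the advertising mask, a requested 1000M speed ends up with no PHY type bits at all. That looks reachable from the call site in the second hunk, where the context line `adv_link_speed = curr_link_speed;` appears to be a fallback not derived from ks, though its enclosing condition is outside the hunk. Consider masking the bit only after at least one of the three tests matched. Otherwise, state the rule in the kernel-doc, for example `* 1000M PHY types are taken from @ks advertising only; all other speeds from @adv_link_speed`.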
+@@ -2286,7 +2322,8 @@ ice_set_link_ksettings(struct net_device *netdev,
+ adv_link_speed = curr_link_speed;
+
+ /* Convert the advertise link speeds to their corresponded PHY_TYPE */
+- ice_update_phy_type(&phy_type_low, &phy_type_high, adv_link_speed);
++ ice_set_phy_type_from_speed(ks, &phy_type_low, &phy_type_high,
++ adv_link_speed);
+
+ if (!autoneg_changed && adv_link_speed == curr_link_speed) {
+ netdev_info(netdev, "Nothing changed, exiting without setting anything.\n");
+--
+2.35.1
+
--- /dev/null
+From 8c1ff7e7bc2501017242b3e2b661f9f95e50de93 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Jun 2022 16:13:20 +0200
+Subject: igb: fix a use-after-free issue in igb_clean_tx_ring
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit 3f6a57ee8544ec3982f8a3cbcbf4aea7d47eb9ec ]
+
+Fix the following use-after-free bug in igb_clean_tx_ring routine when
+the NIC is running in XDP mode. The issue can be triggered redirecting
+traffic into the igb NIC and then closing the device while the traffic
+is flowing.
+
+[ 73.322719] CPU: 1 PID: 487 Comm: xdp_redirect Not tainted 5.18.3-apu2 #9
+[ 73.330639] Hardware name: PC Engines APU2/APU2, BIOS 4.0.7 02/28/2017
+[ 73.337434] RIP: 0010:refcount_warn_saturate+0xa7/0xf0
+[ 73.362283] RSP: 0018:ffffc9000081f798 EFLAGS: 00010282
+[ 73.367761] RAX: 0000000000000000 RBX: ffffc90000420f80 RCX: 0000000000000000
+[ 73.375200] RDX: ffff88811ad22d00 RSI: ffff88811ad171e0 RDI: ffff88811ad171e0
+[ 73.382590] RBP: 0000000000000900 R08: ffffffff82298f28 R09: 0000000000000058
+[ 73.390008] R10: 0000000000000219 R11: ffffffff82280f40 R12: 0000000000000090
+[ 73.397356] R13: ffff888102343a40 R14: ffff88810359e0e4 R15: 0000000000000000
+[ 73.404806] FS: 00007ff38d31d740(0000) GS:ffff88811ad00000(0000) knlGS:0000000000000000
+[ 73.413129] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 73.419096] CR2: 000055cff35f13f8 CR3: 0000000106391000 CR4: 00000000000406e0
+[ 73.426565] Call Trace:
+[ 73.429087] <TASK>
+[ 73.431314] igb_clean_tx_ring+0x43/0x140 [igb]
+[ 73.436002] igb_down+0x1d7/0x220 [igb]
+[ 73.439974] __igb_close+0x3c/0x120 [igb]
+[ 73.444118] igb_xdp+0x10c/0x150 [igb]
+[ 73.447983] ? igb_pci_sriov_configure+0x70/0x70 [igb]
+[ 73.453362] dev_xdp_install+0xda/0x110
+[ 73.457371] dev_xdp_attach+0x1da/0x550
+[ 73.461369] do_setlink+0xfd0/0x10f0
+[ 73.465166] ? __nla_validate_parse+0x89/0xc70
+[ 73.469714] rtnl_setlink+0x11a/0x1e0
+[ 73.473547] rtnetlink_rcv_msg+0x145/0x3d0
+[ 73.477709] ? rtnl_calcit.isra.0+0x130/0x130
+[ 73.482258] netlink_rcv_skb+0x8d/0x110
+[ 73.486229] netlink_unicast+0x230/0x340
+[ 73.490317] netlink_sendmsg+0x215/0x470
+[ 73.494395] __sys_sendto+0x179/0x190
+[ 73.498268] ? move_addr_to_user+0x37/0x70
+[ 73.502547] ? __sys_getsockname+0x84/0xe0
+[ 73.506853] ? netlink_setsockopt+0x1c1/0x4a0
+[ 73.511349] ? __sys_setsockopt+0xc8/0x1d0
+[ 73.515636] __x64_sys_sendto+0x20/0x30
+[ 73.519603] do_syscall_64+0x3b/0x80
+[ 73.523399] entry_SYSCALL_64_after_hwframe+0x44/0xae
+[ 73.528712] RIP: 0033:0x7ff38d41f20c
+[ 73.551866] RSP: 002b:00007fff3b945a68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+[ 73.559640] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff38d41f20c
+[ 73.567066] RDX: 0000000000000034 RSI: 00007fff3b945b30 RDI: 0000000000000003
+[ 73.574457] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
+[ 73.581852] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff3b945ab0
+[ 73.589179] R13: 0000000000000000 R14: 0000000000000003 R15: 00007fff3b945b30
+[ 73.596545] </TASK>
+[ 73.598842] ---[ end trace 0000000000000000 ]---
+
+Fixes: 9cbc948b5a20c ("igb: add XDP support")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Reviewed-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Acked-by: Jesper Dangaard Brouer <brouer@redhat.com>
+Link: https://lore.kernel.org/r/e5c01d549dc37bff18e46aeabd6fb28a7bcf84be.1655388571.git.lorenzo@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index b88303351484..5ee5ee8e6848 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -4819,8 +4819,11 @@ static void igb_clean_tx_ring(struct igb_ring *tx_ring)
+ while (i != tx_ring->next_to_use) {
+ union e1000_adv_tx_desc *eop_desc, *tx_desc;
+
+- /* Free all the Tx ring sk_buffs */
+- dev_kfree_skb_any(tx_buffer->skb);
++ /* Free all the Tx ring sk_buffs or xdp frames */
++ if (tx_buffer->type == IGB_TYPE_SKB)
++ dev_kfree_skb_any(tx_buffer->skb);
++ else
++ xdp_return_frame(tx_buffer->xdpf);
+
+ /* unmap skb header data */
+ dma_unmap_single(tx_ring->dev,
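Review bot: The retained context comment `/* unmap skb header data */` is now inaccurate, because after this change the buffer being unmapped may belong to an XDP frame rather than an skb. I would reword it to `/* unmap skb header or xdp frame data */`. The `else` arm also treats every type other than IGB_TYPE_SKB as an XDP frame. The type definition is not visible here, so a short note that these are the only two values would help whoever adds a third. The loop and igb_clean_tx_ring itself continue outside the hunk.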
+--
+2.35.1
+
--- /dev/null
+From 44a69353a2940563c8c663910b5b9d368650c17e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Jun 2022 15:10:56 -0700
+Subject: igb: Make DMA faster when CPU is active on the PCIe link
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+[ Upstream commit 4e0effd9007ea0be31f7488611eb3824b4541554 ]
+
+Intel I210 on some Intel Alder Lake platforms can only achieve ~750Mbps
+Tx speed via iperf. The RR2DCDELAY shows around 0x2xxx DMA delay, which
+will be significantly lower when 1) ASPM is disabled or 2) SoC package
+c-state stays above PC3. When the RR2DCDELAY is around 0x1xxx the Tx
+speed can reach to ~950Mbps.
+
+According to the I210 datasheet "8.26.1 PCIe Misc. Register - PCIEMISC",
+"DMA Idle Indication" doesn't seem to tie to DMA coalesce anymore, so
+set it to 1b for "DMA is considered idle when there is no Rx or Tx AND
+when there are no TLPs indicating that CPU is active detected on the
+PCIe link (such as the host executes CSR or Configuration register read
+or write operation)" and performing Tx should also fall under "active
+CPU on PCIe link" case.
+
+In addition to that, commit b6e0c419f040 ("igb: Move DMA Coalescing init
+code to separate function.") seems to wrongly changed from enabling
+E1000_PCIEMISC_LX_DECISION to disabling it, also fix that.
+
+Fixes: b6e0c419f040 ("igb: Move DMA Coalescing init code to separate function.")
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Tested-by: Gurucharan <gurucharanx.g@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Link: https://lore.kernel.org/r/20220621221056.604304-1-anthony.l.nguyen@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index 5ee5ee8e6848..db11a1c278f6 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -9823,11 +9823,10 @@ static void igb_init_dmac(struct igb_adapter *adapter, u32 pba)
+ struct e1000_hw *hw = &adapter->hw;
+ u32 dmac_thr;
+ u16 hwm;
++ u32 reg;
+
+ if (hw->mac.type > e1000_82580) {
+ if (adapter->flags & IGB_FLAG_DMAC) {
+- u32 reg;
+-
+ /* force threshold to 0. */
+ wr32(E1000_DMCTXTH, 0);
+
+@@ -9860,7 +9859,6 @@ static void igb_init_dmac(struct igb_adapter *adapter, u32 pba)
+ /* Disable BMC-to-OS Watchdog Enable */
+ if (hw->mac.type != e1000_i354)
+ reg &= ~E1000_DMACR_DC_BMC2OSW_EN;
+-
+ wr32(E1000_DMACR, reg);
+
+ /* no lower threshold to disable
+@@ -9877,12 +9875,12 @@ static void igb_init_dmac(struct igb_adapter *adapter, u32 pba)
+ */
+ wr32(E1000_DMCTXTH, (IGB_MIN_TXPBSIZE -
+ (IGB_TX_BUF_4096 + adapter->max_frame_size)) >> 6);
++ }
+
+- /* make low power state decision controlled
+- * by DMA coal
+- */
++ if (hw->mac.type >= e1000_i210 ||
++ (adapter->flags & IGB_FLAG_DMAC)) {
+ reg = rd32(E1000_PCIEMISC);
+- reg &= ~E1000_PCIEMISC_LX_DECISION;
++ reg |= E1000_PCIEMISC_LX_DECISION;
+ wr32(E1000_PCIEMISC, reg);
+ } /* endif adapter->dmac is not disabled */
+ } else if (hw->mac.type == e1000_82580) {
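Review bot: The trailing comment `/* endif adapter->dmac is not disabled */` now closes the new `if (hw->mac.type >= e1000_i210 || (adapter->flags & IGB_FLAG_DMAC))` block in the last hunk, so it no longer describes the condition it ends. The commit also removes the only comment on the E1000_PCIEMISC write while inverting the operation from clearing E1000_PCIEMISC_LX_DECISION to setting it. I would change the closing comment to `} /* endif i210 or later, or DMAC enabled */` and add one line above the read, such as `/* DMA Idle Indication: CPU activity on the PCIe link also counts as not idle */`. igb_init_dmac starts and ends outside these hunks.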
+--
+2.35.1
+
--- /dev/null
+From 6e744caa5f5abba8db7baf49db7988e08fa25615 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 May 2022 11:50:26 +0300
+Subject: iio: adc: vf610: fix conversion mode sysfs node name
+
+From: Baruch Siach <baruch@tkos.co.il>
+
+[ Upstream commit f1a633b15cd5371a2a83f02c513984e51132dd68 ]
+
+The documentation missed the "in_" prefix for this IIO_SHARED_BY_DIR
+entry.
+
+Fixes: bf04c1a367e3 ("iio: adc: vf610: implement configurable conversion modes")
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+Acked-by: Haibo Chen <haibo.chen@nxp.com>
+Link: https://lore.kernel.org/r/560dc93fafe5ef7e9a409885fd20b6beac3973d8.1653900626.git.baruch@tkos.co.il
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/ABI/testing/sysfs-bus-iio-vf610 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Documentation/ABI/testing/sysfs-bus-iio-vf610 b/Documentation/ABI/testing/sysfs-bus-iio-vf610
+index 308a6756d3bf..491ead804488 100644
+--- a/Documentation/ABI/testing/sysfs-bus-iio-vf610
++++ b/Documentation/ABI/testing/sysfs-bus-iio-vf610
+@@ -1,4 +1,4 @@
+-What: /sys/bus/iio/devices/iio:deviceX/conversion_mode
++What: /sys/bus/iio/devices/iio:deviceX/in_conversion_mode
+ KernelVersion: 4.2
+ Contact: linux-iio@vger.kernel.org
+ Description:
+--
+2.35.1
+
--- /dev/null
+From 1325dbdac6d3c89a62adcb2047d1834d3ea4967f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 1 May 2022 21:50:29 +0200
+Subject: iio: magnetometer: yas530: Fix memchr_inv() misuse
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+[ Upstream commit bb52d3691db8cf24cea049235223f3599778f264 ]
+
+The call to check if the calibration is all zeroes is doing
+it wrong: memchr_inv() returns NULL if the calibration
+contains all zeroes, but the check is for != NULL.
+
+Fix it up. It's probably not an urgent fix because the inner
+check for BIT(7) in data[13] will save us. But fix it.
+
+Fixes: de8860b1ed47 ("iio: magnetometer: Add driver for Yamaha YAS530")
+Reported-by: Jakob Hauser <jahau@rocketmail.com>
+Cc: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://lore.kernel.org/r/20220501195029.151852-1-linus.walleij@linaro.org
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/magnetometer/yamaha-yas530.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iio/magnetometer/yamaha-yas530.c b/drivers/iio/magnetometer/yamaha-yas530.c
+index 9ff7b0e56cf6..b2bc637150bf 100644
+--- a/drivers/iio/magnetometer/yamaha-yas530.c
++++ b/drivers/iio/magnetometer/yamaha-yas530.c
+@@ -639,7 +639,7 @@ static int yas532_get_calibration_data(struct yas5xx *yas5xx)
+ dev_dbg(yas5xx->dev, "calibration data: %*ph\n", 14, data);
+
+ /* Sanity check, is this all zeroes? */
+- if (memchr_inv(data, 0x00, 13)) {
++ if (memchr_inv(data, 0x00, 13) == NULL) {
+ if (!(data[13] & BIT(7)))
+ dev_warn(yas5xx->dev, "calibration is blank!\n");
+ }
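Review bot: The explicit `== NULL` comparison on the new line goes against the usual kernel style, and the two nested conditions can be a single test. I would write `if (!memchr_inv(data, 0x00, 13) && !(data[13] & BIT(7)))` followed by the dev_warn(). A blank calibration block is only logged here. yas532_get_calibration_data continues outside the hunk, so it is not visible whether the all-zero data is then used as if it were valid.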
+--
+2.35.1
+
--- /dev/null
+From 65c86c495a3780f820dfef9c202d54acb596727d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Apr 2022 16:41:00 +0800
+Subject: iio: mma8452: fix probe fail when device tree compatible is used.
+
+From: Haibo Chen <haibo.chen@nxp.com>
+
+[ Upstream commit fe18894930a025617114aa8ca0adbf94d5bffe89 ]
+
+Correct the logic for the probe. First check of_match_table, if
+not meet, then check i2c_driver.id_table. If both not meet, then
+return fail.
+
+Fixes: a47ac019e7e8 ("iio: mma8452: Fix probe failing when an i2c_device_id is used")
+Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
+Link: https://lore.kernel.org/r/1650876060-17577-1-git-send-email-haibo.chen@nxp.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/accel/mma8452.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/iio/accel/mma8452.c b/drivers/iio/accel/mma8452.c
+index 21a99467f364..40faf09f5d87 100644
+--- a/drivers/iio/accel/mma8452.c
++++ b/drivers/iio/accel/mma8452.c
+@@ -1539,11 +1539,13 @@ static int mma8452_probe(struct i2c_client *client,
+ mutex_init(&data->lock);
+
+ data->chip_info = device_get_match_data(&client->dev);
+- if (!data->chip_info && id) {
+- data->chip_info = &mma_chip_info_table[id->driver_data];
+- } else {
+- dev_err(&client->dev, "unknown device model\n");
+- return -ENODEV;
++ if (!data->chip_info) {
++ if (id) {
++ data->chip_info = &mma_chip_info_table[id->driver_data];
++ } else {
++ dev_err(&client->dev, "unknown device model\n");
++ return -ENODEV;
++ }
+ }
+
+ data->vdd_reg = devm_regulator_get(&client->dev, "vdd");
+--
+2.35.1
+
--- /dev/null
+From daac2f4249065dd60642e07170e398d4b5e79b4c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Jun 2022 16:11:34 +0000
+Subject: KVM: arm64: Prevent kmemleak from accessing pKVM memory
+
+From: Quentin Perret <qperret@google.com>
+
+[ Upstream commit 56961c6331463cce2d84d0f973177a517fb33a82 ]
+
+Commit a7259df76702 ("memblock: make memblock_find_in_range method
+private") changed the API using which memory is reserved for the pKVM
+hypervisor. However, memblock_phys_alloc() differs from the original API in
+terms of kmemleak semantics -- the old one didn't report the reserved
+regions to kmemleak while the new one does. Unfortunately, when protected
+KVM is enabled, all kernel accesses to pKVM-private memory result in a
+fatal exception, which can now happen because of kmemleak scans:
+
+$ echo scan > /sys/kernel/debug/kmemleak
+[ 34.991354] kvm [304]: nVHE hyp BUG at: [<ffff800008fa3750>] __kvm_nvhe_handle_host_mem_abort+0x270/0x290!
+[ 34.991580] kvm [304]: Hyp Offset: 0xfffe8be807e00000
+[ 34.991813] Kernel panic - not syncing: HYP panic:
+[ 34.991813] PS:600003c9 PC:0000f418011a3750 ESR:00000000f2000800
+[ 34.991813] FAR:ffff000439200000 HPFAR:0000000004792000 PAR:0000000000000000
+[ 34.991813] VCPU:0000000000000000
+[ 34.993660] CPU: 0 PID: 304 Comm: bash Not tainted 5.19.0-rc2 #102
+[ 34.994059] Hardware name: linux,dummy-virt (DT)
+[ 34.994452] Call trace:
+[ 34.994641] dump_backtrace.part.0+0xcc/0xe0
+[ 34.994932] show_stack+0x18/0x6c
+[ 34.995094] dump_stack_lvl+0x68/0x84
+[ 34.995276] dump_stack+0x18/0x34
+[ 34.995484] panic+0x16c/0x354
+[ 34.995673] __hyp_pgtable_total_pages+0x0/0x60
+[ 34.995933] scan_block+0x74/0x12c
+[ 34.996129] scan_gray_list+0xd8/0x19c
+[ 34.996332] kmemleak_scan+0x2c8/0x580
+[ 34.996535] kmemleak_write+0x340/0x4a0
+[ 34.996744] full_proxy_write+0x60/0xbc
+[ 34.996967] vfs_write+0xc4/0x2b0
+[ 34.997136] ksys_write+0x68/0xf4
+[ 34.997311] __arm64_sys_write+0x20/0x2c
+[ 34.997532] invoke_syscall+0x48/0x114
+[ 34.997779] el0_svc_common.constprop.0+0x44/0xec
+[ 34.998029] do_el0_svc+0x2c/0xc0
+[ 34.998205] el0_svc+0x2c/0x84
+[ 34.998421] el0t_64_sync_handler+0xf4/0x100
+[ 34.998653] el0t_64_sync+0x18c/0x190
+[ 34.999252] SMP: stopping secondary CPUs
+[ 35.000034] Kernel Offset: disabled
+[ 35.000261] CPU features: 0x800,00007831,00001086
+[ 35.000642] Memory Limit: none
+[ 35.001329] ---[ end Kernel panic - not syncing: HYP panic:
+[ 35.001329] PS:600003c9 PC:0000f418011a3750 ESR:00000000f2000800
+[ 35.001329] FAR:ffff000439200000 HPFAR:0000000004792000 PAR:0000000000000000
+[ 35.001329] VCPU:0000000000000000 ]---
+
+Fix this by explicitly excluding the hypervisor's memory pool from
+kmemleak like we already do for the hyp BSS.
+
+Cc: Mike Rapoport <rppt@kernel.org>
+Fixes: a7259df76702 ("memblock: make memblock_find_in_range method private")
+Signed-off-by: Quentin Perret <qperret@google.com>
+Acked-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20220616161135.3997786-1-qperret@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kvm/arm.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/kvm/arm.c b/arch/arm64/kvm/arm.c
+index a30c036577a3..f181527f9d43 100644
+--- a/arch/arm64/kvm/arm.c
++++ b/arch/arm64/kvm/arm.c
+@@ -2011,11 +2011,11 @@ static int finalize_hyp_mode(void)
+ return 0;
+
+ /*
+- * Exclude HYP BSS from kmemleak so that it doesn't get peeked
+- * at, which would end badly once the section is inaccessible.
+- * None of other sections should ever be introspected.
++ * Exclude HYP sections from kmemleak so that they don't get peeked
++ * at, which would end badly once inaccessible.
+ */
+ kmemleak_free_part(__hyp_bss_start, __hyp_bss_end - __hyp_bss_start);
++ kmemleak_free_part(__va(hyp_mem_base), hyp_mem_size);
+ return pkvm_drop_host_privileges();
+ }
+
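Review bot: The rewritten comment speaks of "HYP sections", but the added call covers `__va(hyp_mem_base)` with `hyp_mem_size`, which the commit message describes as the hypervisor's memory pool rather than a linker section. The comment also no longer says that both exclusions must happen before pkvm_drop_host_privileges(), which is the ordering that keeps a later kmemleak scan from touching memory the host can no longer read. I would word it as `* Exclude the HYP BSS and the hyp memory pool from kmemleak before host privileges are dropped; any later kernel access to them is fatal.` The start of finalize_hyp_mode is outside the hunk.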
+--
+2.35.1
+
--- /dev/null
+From 0a752cdee9b3ef018894db578a76f890db854f5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Jun 2022 19:14:20 +0800
+Subject: MIPS: Remove repetitive increase irq_err_count
+
+From: huhai <huhai@kylinos.cn>
+
+[ Upstream commit c81aba8fde2aee4f5778ebab3a1d51bd2ef48e4c ]
+
+commit 979934da9e7a ("[PATCH] mips: update IRQ handling for vr41xx") added
+a function irq_dispatch, and it'll increase irq_err_count when the get_irq
+callback returns a negative value, but increase irq_err_count in get_irq
+was not removed.
+
+And also, modpost complains once gpio-vr41xx drivers become modules.
+ ERROR: modpost: "irq_err_count" [drivers/gpio/gpio-vr41xx.ko] undefined!
+
+So it would be a good idea to remove repetitive increase irq_err_count in
+get_irq callback.
+
+Fixes: 27fdd325dace ("MIPS: Update VR41xx GPIO driver to use gpiolib")
+Fixes: 979934da9e7a ("[PATCH] mips: update IRQ handling for vr41xx")
+Reported-by: k2ci <kernel-bot@kylinos.cn>
+Signed-off-by: huhai <huhai@kylinos.cn>
+Signed-off-by: Genjian Zhang <zhanggenjian@kylinos.cn>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/vr41xx/common/icu.c | 2 --
+ drivers/gpio/gpio-vr41xx.c | 2 --
+ 2 files changed, 4 deletions(-)
+
+diff --git a/arch/mips/vr41xx/common/icu.c b/arch/mips/vr41xx/common/icu.c
+index 7b7f25b4b057..9240bcdbe74e 100644
+--- a/arch/mips/vr41xx/common/icu.c
++++ b/arch/mips/vr41xx/common/icu.c
+@@ -640,8 +640,6 @@ static int icu_get_irq(unsigned int irq)
+
+ printk(KERN_ERR "spurious ICU interrupt: %04x,%04x\n", pend1, pend2);
+
+- atomic_inc(&irq_err_count);
+-
+ return -1;
+ }
+
+diff --git a/drivers/gpio/gpio-vr41xx.c b/drivers/gpio/gpio-vr41xx.c
+index 98cd715ccc33..8d09b619c166 100644
+--- a/drivers/gpio/gpio-vr41xx.c
++++ b/drivers/gpio/gpio-vr41xx.c
+@@ -217,8 +217,6 @@ static int giu_get_irq(unsigned int irq)
+ printk(KERN_ERR "spurious GIU interrupt: %04x(%04x),%04x(%04x)\n",
+ maskl, pendl, maskh, pendh);
+
+- atomic_inc(&irq_err_count);
+-
+ return -EINVAL;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 63402ad564f281bf29f9f767b49e0ebe7a293957 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Jun 2022 00:34:34 -0700
+Subject: net: fix data-race in dev_isalive()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit cc26c2661fefea215f41edb665193324a5f99021 ]
+
+dev_isalive() is called under RTNL or dev_base_lock protection.
+
+This means that changes to dev->reg_state should be done with both locks held.
+
+syzbot reported:
+
+BUG: KCSAN: data-race in register_netdevice / type_show
+
+write to 0xffff888144ecf518 of 1 bytes by task 20886 on cpu 0:
+register_netdevice+0xb9f/0xdf0 net/core/dev.c:10050
+lapbeth_new_device drivers/net/wan/lapbether.c:414 [inline]
+lapbeth_device_event+0x4a0/0x6c0 drivers/net/wan/lapbether.c:456
+notifier_call_chain kernel/notifier.c:87 [inline]
+raw_notifier_call_chain+0x53/0xb0 kernel/notifier.c:455
+__dev_notify_flags+0x1d6/0x3a0
+dev_change_flags+0xa2/0xc0 net/core/dev.c:8607
+do_setlink+0x778/0x2230 net/core/rtnetlink.c:2780
+__rtnl_newlink net/core/rtnetlink.c:3546 [inline]
+rtnl_newlink+0x114c/0x16a0 net/core/rtnetlink.c:3593
+rtnetlink_rcv_msg+0x811/0x8c0 net/core/rtnetlink.c:6089
+netlink_rcv_skb+0x13e/0x240 net/netlink/af_netlink.c:2501
+rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:6107
+netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
+netlink_unicast+0x58a/0x660 net/netlink/af_netlink.c:1345
+netlink_sendmsg+0x661/0x750 net/netlink/af_netlink.c:1921
+sock_sendmsg_nosec net/socket.c:714 [inline]
+sock_sendmsg net/socket.c:734 [inline]
+__sys_sendto+0x21e/0x2c0 net/socket.c:2119
+__do_sys_sendto net/socket.c:2131 [inline]
+__se_sys_sendto net/socket.c:2127 [inline]
+__x64_sys_sendto+0x74/0x90 net/socket.c:2127
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x46/0xb0
+
+read to 0xffff888144ecf518 of 1 bytes by task 20423 on cpu 1:
+dev_isalive net/core/net-sysfs.c:38 [inline]
+netdev_show net/core/net-sysfs.c:50 [inline]
+type_show+0x24/0x90 net/core/net-sysfs.c:112
+dev_attr_show+0x35/0x90 drivers/base/core.c:2095
+sysfs_kf_seq_show+0x175/0x240 fs/sysfs/file.c:59
+kernfs_seq_show+0x75/0x80 fs/kernfs/file.c:162
+seq_read_iter+0x2c3/0x8e0 fs/seq_file.c:230
+kernfs_fop_read_iter+0xd1/0x2f0 fs/kernfs/file.c:235
+call_read_iter include/linux/fs.h:2052 [inline]
+new_sync_read fs/read_write.c:401 [inline]
+vfs_read+0x5a5/0x6a0 fs/read_write.c:482
+ksys_read+0xe8/0x1a0 fs/read_write.c:620
+__do_sys_read fs/read_write.c:630 [inline]
+__se_sys_read fs/read_write.c:628 [inline]
+__x64_sys_read+0x3e/0x50 fs/read_write.c:628
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x46/0xb0
+
+value changed: 0x00 -> 0x01
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 20423 Comm: udevd Tainted: G W 5.19.0-rc2-syzkaller-dirty #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/dev.c | 28 ++++++++++++++++------------
+ net/core/net-sysfs.c | 1 +
+ 2 files changed, 17 insertions(+), 12 deletions(-)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 860fc6a98373..6111506a4105 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -378,16 +378,18 @@ static void list_netdevice(struct net_device *dev)
+ /* Device list removal
+ * caller must respect a RCU grace period before freeing/reusing dev
+ */
+-static void unlist_netdevice(struct net_device *dev)
++static void unlist_netdevice(struct net_device *dev, bool lock)
+ {
+ ASSERT_RTNL();
+
+ /* Unlink dev from the device chain */
+- write_lock(&dev_base_lock);
++ if (lock)
++ write_lock(&dev_base_lock);
+ list_del_rcu(&dev->dev_list);
+ netdev_name_node_del(dev->name_node);
+ hlist_del_rcu(&dev->index_hlist);
+- write_unlock(&dev_base_lock);
++ if (lock)
++ write_unlock(&dev_base_lock);
+
+ dev_base_seq_inc(dev_net(dev));
+ }
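Review bot: The new `bool lock` parameter makes unlist_netdevice()'s locking contract depend on the caller, and nothing in the function documents or checks that a caller passing `false` already holds dev_base_lock for writing. The only such caller shown is unregister_netdevice_many() in a later hunk, which does take the write lock around the call. I would extend the header comment with `* @lock: take dev_base_lock here; if false, the caller must already hold it for writing`. The contract can also be asserted in the unlocked path with `lockdep_assert_held_write(&dev_base_lock);`.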
+@@ -10319,11 +10321,11 @@ int register_netdevice(struct net_device *dev)
+ goto err_uninit;
+
+ ret = netdev_register_kobject(dev);
+- if (ret) {
+- dev->reg_state = NETREG_UNREGISTERED;
++ write_lock(&dev_base_lock);
++ dev->reg_state = ret ? NETREG_UNREGISTERED : NETREG_REGISTERED;
++ write_unlock(&dev_base_lock);
++ if (ret)
+ goto err_uninit;
+- }
+- dev->reg_state = NETREG_REGISTERED;
+
+ __netdev_update_features(dev);
+
+@@ -10483,8 +10485,6 @@ static void netdev_wait_allrefs(struct net_device *dev)
+ unsigned long rebroadcast_time, warning_time;
+ int wait = 0, refcnt;
+
+- linkwatch_forget_dev(dev);
+-
+ rebroadcast_time = warning_time = jiffies;
+ refcnt = netdev_refcnt_read(dev);
+
+@@ -10598,7 +10598,10 @@ void netdev_run_todo(void)
+ continue;
+ }
+
++ write_lock(&dev_base_lock);
+ dev->reg_state = NETREG_UNREGISTERED;
++ write_unlock(&dev_base_lock);
++ linkwatch_forget_dev(dev);
+
+ netdev_wait_allrefs(dev);
+
+@@ -11043,9 +11046,10 @@ void unregister_netdevice_many(struct list_head *head)
+
+ list_for_each_entry(dev, head, unreg_list) {
+ /* And unlink it from device chain. */
+- unlist_netdevice(dev);
+-
++ write_lock(&dev_base_lock);
++ unlist_netdevice(dev, false);
+ dev->reg_state = NETREG_UNREGISTERING;
++ write_unlock(&dev_base_lock);
+ }
+ flush_all_backlogs();
+
+@@ -11190,7 +11194,7 @@ int __dev_change_net_namespace(struct net_device *dev, struct net *net,
+ dev_close(dev);
+
+ /* And unlink it from device chain */
+- unlist_netdevice(dev);
++ unlist_netdevice(dev, true);
+
+ synchronize_net();
+
+diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
+index 9e5657f63245..e9ea0695efb4 100644
+--- a/net/core/net-sysfs.c
++++ b/net/core/net-sysfs.c
+@@ -32,6 +32,7 @@ static const char fmt_dec[] = "%d\n";
+ static const char fmt_ulong[] = "%lu\n";
+ static const char fmt_u64[] = "%llu\n";
+
++/* Caller holds RTNL or dev_base_lock */
+ static inline int dev_isalive(const struct net_device *dev)
+ {
+ return dev->reg_state <= NETREG_REGISTERED;
+--
+2.35.1
+
--- /dev/null
+From 25bd214c1b949ad1911561aff474c9a01690bae0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Jun 2022 16:43:36 -0700
+Subject: net/sched: sch_netem: Fix arithmetic in netem_dump() for 32-bit
+ platforms
+
+From: Peilin Ye <peilin.ye@bytedance.com>
+
+[ Upstream commit a2b1a5d40bd12b44322c2ccd40bb0ec1699708b6 ]
+
+As reported by Yuming, currently tc always show a latency of UINT_MAX
+for netem Qdisc's on 32-bit platforms:
+
+ $ tc qdisc add dev dummy0 root netem latency 100ms
+ $ tc qdisc show dev dummy0
+ qdisc netem 8001: root refcnt 2 limit 1000 delay 275s 275s
+ ^^^^^^^^^^^^^^^^
+
+Let us take a closer look at netem_dump():
+
+ qopt.latency = min_t(psched_tdiff_t, PSCHED_NS2TICKS(q->latency,
+ UINT_MAX);
+
+qopt.latency is __u32, psched_tdiff_t is signed long,
+(psched_tdiff_t)(UINT_MAX) is negative for 32-bit platforms, so
+qopt.latency is always UINT_MAX.
+
+Fix it by using psched_time_t (u64) instead.
+
+Note: confusingly, users have two ways to specify 'latency':
+
+ 1. normally, via '__u32 latency' in struct tc_netem_qopt;
+ 2. via the TCA_NETEM_LATENCY64 attribute, which is s64.
+
+For the second case, theoretically 'latency' could be negative. This
+patch ignores that corner case, since it is broken (i.e. assigning a
+negative s64 to __u32) anyways, and should be handled separately.
+
+Thanks Ted Lin for the analysis [1] .
+
+[1] https://github.com/raspberrypi/linux/issues/3512
+
+Reported-by: Yuming Chen <chenyuming.junnan@bytedance.com>
+Fixes: 112f9cb65643 ("netem: convert to qdisc_watchdog_schedule_ns")
+Reviewed-by: Cong Wang <cong.wang@bytedance.com>
+Signed-off-by: Peilin Ye <peilin.ye@bytedance.com>
+Acked-by: Stephen Hemminger <stephen@networkplumber.org>
+Link: https://lore.kernel.org/r/20220616234336.2443-1-yepeilin.cs@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_netem.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
+index 0c345e43a09a..adc5407fd5d5 100644
+--- a/net/sched/sch_netem.c
++++ b/net/sched/sch_netem.c
+@@ -1146,9 +1146,9 @@ static int netem_dump(struct Qdisc *sch, struct sk_buff *skb)
+ struct tc_netem_rate rate;
+ struct tc_netem_slot slot;
+
+- qopt.latency = min_t(psched_tdiff_t, PSCHED_NS2TICKS(q->latency),
++ qopt.latency = min_t(psched_time_t, PSCHED_NS2TICKS(q->latency),
+ UINT_MAX);
+- qopt.jitter = min_t(psched_tdiff_t, PSCHED_NS2TICKS(q->jitter),
++ qopt.jitter = min_t(psched_time_t, PSCHED_NS2TICKS(q->jitter),
+ UINT_MAX);
+ qopt.limit = q->limit;
+ qopt.loss = q->loss;
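Review bot: Nothing next to the two `min_t(psched_time_t, ...)` lines records why the clamp has to be done in an unsigned 64-bit type, so they are easy to change back to the signed type later and reintroduce the 32-bit bug. A one-line comment above them would do, for example `/* clamp as u64: in a long-sized signed type UINT_MAX is negative on 32-bit */`. netem_dump's body starts and ends outside the hunk.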
+--
+2.35.1
+
--- /dev/null
+From 69ea086ce5343beb379dffa13cd67141f5cb32d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Jun 2022 12:35:08 +0800
+Subject: net/tls: fix tls_sk_proto_close executed repeatedly
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+[ Upstream commit 69135c572d1f84261a6de2a1268513a7e71753e2 ]
+
+After setting the sock ktls, update ctx->sk_proto to sock->sk_prot by
+tls_update(), so now ctx->sk_proto->close is tls_sk_proto_close(). When
+close the sock, tls_sk_proto_close() is called for sock->sk_prot->close
+is tls_sk_proto_close(). But ctx->sk_proto->close() will be executed later
+in tls_sk_proto_close(). Thus tls_sk_proto_close() executed repeatedly
+occurred. That will trigger the following bug.
+
+=================================================================
+KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
+RIP: 0010:tls_sk_proto_close+0xd8/0xaf0 net/tls/tls_main.c:306
+Call Trace:
+ <TASK>
+ tls_sk_proto_close+0x356/0xaf0 net/tls/tls_main.c:329
+ inet_release+0x12e/0x280 net/ipv4/af_inet.c:428
+ __sock_release+0xcd/0x280 net/socket.c:650
+ sock_close+0x18/0x20 net/socket.c:1365
+
+Updating a proto which is same with sock->sk_prot is incorrect. Add proto
+and sock->sk_prot equality check at the head of tls_update() to fix it.
+
+Fixes: 95fa145479fb ("bpf: sockmap/tls, close can race with map free")
+Reported-by: syzbot+29c3c12f3214b85ad081@syzkaller.appspotmail.com
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tls/tls_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
+index 9aac9c60d786..057c1af6182a 100644
+--- a/net/tls/tls_main.c
++++ b/net/tls/tls_main.c
+@@ -790,6 +790,9 @@ static void tls_update(struct sock *sk, struct proto *p,
+ {
+ struct tls_context *ctx;
+
++ if (sk->sk_prot == p)
++ return;
++
+ ctx = tls_get_ctx(sk);
+ if (likely(ctx)) {
+ ctx->sk_write_space = write_space;
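Review bot: The added `if (sk->sk_prot == p) return;` at the top of tls_update() hides the condition instead of reporting it: a caller that passes the socket's own proto gets a silent no-op, and the `write_space` argument is discarded with it, so `ctx->sk_write_space` is not refreshed. Per the commit message, the repeated close comes from `ctx->sk_proto` ending up equal to the TLS proto, so the call site that issues ->update() with that proto is the place to fix; a guard here covers only this one ULP. If a check stays in this function, make it loud, e.g. `if (WARN_ON_ONCE(sk->sk_prot == p)) return;`, so the offending caller shows up in the log. tls_update()'s body continues past the end of the hunk.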
+--
+2.35.1
+
--- /dev/null
+From 2634d7f1414aa76c55144cc4c8cecd30ed09c3af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Nov 2021 17:15:29 +0100
+Subject: net: Write lock dev_base_lock without disabling bottom halves.
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit fd888e85fe6b661e78044dddfec0be5271afa626 ]
+
+The writer acquires dev_base_lock with disabled bottom halves.
+The reader can acquire dev_base_lock without disabling bottom halves
+because there is no writer in softirq context.
+
+On PREEMPT_RT the softirqs are preemptible and local_bh_disable() acts
+as a lock to ensure that resources, that are protected by disabling
+bottom halves, remain protected.
+This leads to a circular locking dependency if the lock acquired with
+disabled bottom halves (as in write_lock_bh()) and somewhere else with
+enabled bottom halves (as by read_lock() in netstat_show()) followed by
+disabling bottom halves (cxgb_get_stats() -> t4_wr_mbox_meat_timeout()
+-> spin_lock_bh()). This is the reverse locking order.
+
+All read_lock() invocation are from sysfs callback which are not invoked
+from softirq context. Therefore there is no need to disable bottom
+halves while acquiring a write lock.
+
+Acquire the write lock of dev_base_lock without disabling bottom halves.
+
+Reported-by: Pei Zhang <pezhang@redhat.com>
+Reported-by: Luis Claudio R. Goncalves <lgoncalv@redhat.com>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/dev.c | 16 ++++++++--------
+ net/core/link_watch.c | 4 ++--
+ net/core/rtnetlink.c | 8 ++++----
+ net/hsr/hsr_device.c | 6 +++---
+ 4 files changed, 17 insertions(+), 17 deletions(-)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index b9731b267d07..860fc6a98373 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -365,12 +365,12 @@ static void list_netdevice(struct net_device *dev)
+
+ ASSERT_RTNL();
+
+- write_lock_bh(&dev_base_lock);
++ write_lock(&dev_base_lock);
+ list_add_tail_rcu(&dev->dev_list, &net->dev_base_head);
+ netdev_name_node_add(net, dev->name_node);
+ hlist_add_head_rcu(&dev->index_hlist,
+ dev_index_hash(net, dev->ifindex));
+- write_unlock_bh(&dev_base_lock);
++ write_unlock(&dev_base_lock);
+
+ dev_base_seq_inc(net);
+ }
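Review bot: Nothing in list_netdevice() records why a plain `write_lock(&dev_base_lock)` is now sufficient, and the same holds for the other converted sites in this patch (unlist_netdevice(), dev_change_name(), rfc2863_policy(), set_operstate(), do_setlink(), __hsr_set_operstate()). The conversion is only safe while no reader takes dev_base_lock from softirq context; a `read_lock(&dev_base_lock)` added later on a softirq path could spin forever against a writer it interrupted on the same CPU. I would state the rule next to the lock, e.g. `/* dev_base_lock: writers do not disable BHs; never take it for reading from softirq context */`, at the definition of dev_base_lock, which is outside these hunks. list_netdevice() itself starts before the hunk.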
+@@ -383,11 +383,11 @@ static void unlist_netdevice(struct net_device *dev)
+ ASSERT_RTNL();
+
+ /* Unlink dev from the device chain */
+- write_lock_bh(&dev_base_lock);
++ write_lock(&dev_base_lock);
+ list_del_rcu(&dev->dev_list);
+ netdev_name_node_del(dev->name_node);
+ hlist_del_rcu(&dev->index_hlist);
+- write_unlock_bh(&dev_base_lock);
++ write_unlock(&dev_base_lock);
+
+ dev_base_seq_inc(dev_net(dev));
+ }
+@@ -1266,15 +1266,15 @@ int dev_change_name(struct net_device *dev, const char *newname)
+
+ netdev_adjacent_rename_links(dev, oldname);
+
+- write_lock_bh(&dev_base_lock);
++ write_lock(&dev_base_lock);
+ netdev_name_node_del(dev->name_node);
+- write_unlock_bh(&dev_base_lock);
++ write_unlock(&dev_base_lock);
+
+ synchronize_rcu();
+
+- write_lock_bh(&dev_base_lock);
++ write_lock(&dev_base_lock);
+ netdev_name_node_add(net, dev->name_node);
+- write_unlock_bh(&dev_base_lock);
++ write_unlock(&dev_base_lock);
+
+ ret = call_netdevice_notifiers(NETDEV_CHANGENAME, dev);
+ ret = notifier_to_errno(ret);
+diff --git a/net/core/link_watch.c b/net/core/link_watch.c
+index 1a455847da54..9599afd0862d 100644
+--- a/net/core/link_watch.c
++++ b/net/core/link_watch.c
+@@ -55,7 +55,7 @@ static void rfc2863_policy(struct net_device *dev)
+ if (operstate == dev->operstate)
+ return;
+
+- write_lock_bh(&dev_base_lock);
++ write_lock(&dev_base_lock);
+
+ switch(dev->link_mode) {
+ case IF_LINK_MODE_TESTING:
+@@ -74,7 +74,7 @@ static void rfc2863_policy(struct net_device *dev)
+
+ dev->operstate = operstate;
+
+- write_unlock_bh(&dev_base_lock);
++ write_unlock(&dev_base_lock);
+ }
+
+
+diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
+index 9c0e8ccf9bc5..8c85e93daa73 100644
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -842,9 +842,9 @@ static void set_operstate(struct net_device *dev, unsigned char transition)
+ }
+
+ if (dev->operstate != operstate) {
+- write_lock_bh(&dev_base_lock);
++ write_lock(&dev_base_lock);
+ dev->operstate = operstate;
+- write_unlock_bh(&dev_base_lock);
++ write_unlock(&dev_base_lock);
+ netdev_state_change(dev);
+ }
+ }
+@@ -2781,11 +2781,11 @@ static int do_setlink(const struct sk_buff *skb,
+ if (tb[IFLA_LINKMODE]) {
+ unsigned char value = nla_get_u8(tb[IFLA_LINKMODE]);
+
+- write_lock_bh(&dev_base_lock);
++ write_lock(&dev_base_lock);
+ if (dev->link_mode ^ value)
+ status |= DO_SETLINK_NOTIFY;
+ dev->link_mode = value;
+- write_unlock_bh(&dev_base_lock);
++ write_unlock(&dev_base_lock);
+ }
+
+ if (tb[IFLA_VFINFO_LIST]) {
+diff --git a/net/hsr/hsr_device.c b/net/hsr/hsr_device.c
+index 26c32407f029..ea7b96e296ef 100644
+--- a/net/hsr/hsr_device.c
++++ b/net/hsr/hsr_device.c
+@@ -30,13 +30,13 @@ static bool is_slave_up(struct net_device *dev)
+
+ static void __hsr_set_operstate(struct net_device *dev, int transition)
+ {
+- write_lock_bh(&dev_base_lock);
++ write_lock(&dev_base_lock);
+ if (dev->operstate != transition) {
+ dev->operstate = transition;
+- write_unlock_bh(&dev_base_lock);
++ write_unlock(&dev_base_lock);
+ netdev_state_change(dev);
+ } else {
+- write_unlock_bh(&dev_base_lock);
++ write_unlock(&dev_base_lock);
+ }
+ }
+
+--
+2.35.1
+
--- /dev/null
+From 2564d00f64ff408749efddeab579411d0c62d7fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 May 2022 20:15:31 +0200
+Subject: netfilter: use get_random_u32 instead of prandom
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit b1fd94e704571f98b21027340eecf821b2bdffba ]
+
+bh might occur while updating per-cpu rnd_state from user context,
+ie. local_out path.
+
+BUG: using smp_processor_id() in preemptible [00000000] code: nginx/2725
+caller is nft_ng_random_eval+0x24/0x54 [nft_numgen]
+Call Trace:
+ check_preemption_disabled+0xde/0xe0
+ nft_ng_random_eval+0x24/0x54 [nft_numgen]
+
+Use the random driver instead, this also avoids need for local prandom
+state. Moreover, prandom now uses the random driver since d4150779e60f
+("random32: use real rng for non-deterministic randomness").
+
+Based on earlier patch from Pablo Neira.
+
+Fixes: 6b2faee0ca91 ("netfilter: nft_meta: place prandom handling in a helper")
+Fixes: 978d8f9055c3 ("netfilter: nft_numgen: add map lookups for numgen random operations")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_meta.c | 13 ++-----------
+ net/netfilter/nft_numgen.c | 12 +++---------
+ 2 files changed, 5 insertions(+), 20 deletions(-)
+
+diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
+index a7e01e9952f1..44d9b38e5f90 100644
+--- a/net/netfilter/nft_meta.c
++++ b/net/netfilter/nft_meta.c
+@@ -14,6 +14,7 @@
+ #include <linux/in.h>
+ #include <linux/ip.h>
+ #include <linux/ipv6.h>
++#include <linux/random.h>
+ #include <linux/smp.h>
+ #include <linux/static_key.h>
+ #include <net/dst.h>
+@@ -32,8 +33,6 @@
+ #define NFT_META_SECS_PER_DAY 86400
+ #define NFT_META_DAYS_PER_WEEK 7
+
+-static DEFINE_PER_CPU(struct rnd_state, nft_prandom_state);
+-
+ static u8 nft_meta_weekday(void)
+ {
+ time64_t secs = ktime_get_real_seconds();
+@@ -267,13 +266,6 @@ static bool nft_meta_get_eval_ifname(enum nft_meta_keys key, u32 *dest,
+ return true;
+ }
+
+-static noinline u32 nft_prandom_u32(void)
+-{
+- struct rnd_state *state = this_cpu_ptr(&nft_prandom_state);
+-
+- return prandom_u32_state(state);
+-}
+-
+ #ifdef CONFIG_IP_ROUTE_CLASSID
+ static noinline bool
+ nft_meta_get_eval_rtclassid(const struct sk_buff *skb, u32 *dest)
+@@ -385,7 +377,7 @@ void nft_meta_get_eval(const struct nft_expr *expr,
+ break;
+ #endif
+ case NFT_META_PRANDOM:
+- *dest = nft_prandom_u32();
++ *dest = get_random_u32();
+ break;
+ #ifdef CONFIG_XFRM
+ case NFT_META_SECPATH:
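Review bot: `case NFT_META_PRANDOM:` now stores `get_random_u32()` output, but nothing at the call says why the per-CPU generator was dropped, and the key name still suggests a cheap PRNG. A one-line comment would keep someone from reintroducing per-CPU state that needs preemption disabled on the local_out path: `/* get_random_u32() is safe from preemptible context; do not use per-cpu prandom state here */`. The same comment fits nft_ng_random_gen() in nft_numgen.c. nft_meta_get_eval() extends beyond the hunk on both sides.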
+@@ -514,7 +506,6 @@ int nft_meta_get_init(const struct nft_ctx *ctx,
+ len = IFNAMSIZ;
+ break;
+ case NFT_META_PRANDOM:
+- prandom_init_once(&nft_prandom_state);
+ len = sizeof(u32);
+ break;
+ #ifdef CONFIG_XFRM
+diff --git a/net/netfilter/nft_numgen.c b/net/netfilter/nft_numgen.c
+index 722cac1e90e0..4e43214e88de 100644
+--- a/net/netfilter/nft_numgen.c
++++ b/net/netfilter/nft_numgen.c
+@@ -9,12 +9,11 @@
+ #include <linux/netlink.h>
+ #include <linux/netfilter.h>
+ #include <linux/netfilter/nf_tables.h>
++#include <linux/random.h>
+ #include <linux/static_key.h>
+ #include <net/netfilter/nf_tables.h>
+ #include <net/netfilter/nf_tables_core.h>
+
+-static DEFINE_PER_CPU(struct rnd_state, nft_numgen_prandom_state);
+-
+ struct nft_ng_inc {
+ u8 dreg;
+ u32 modulus;
+@@ -104,12 +103,9 @@ struct nft_ng_random {
+ u32 offset;
+ };
+
+-static u32 nft_ng_random_gen(struct nft_ng_random *priv)
++static u32 nft_ng_random_gen(const struct nft_ng_random *priv)
+ {
+- struct rnd_state *state = this_cpu_ptr(&nft_numgen_prandom_state);
+-
+- return reciprocal_scale(prandom_u32_state(state), priv->modulus) +
+- priv->offset;
++ return reciprocal_scale(get_random_u32(), priv->modulus) + priv->offset;
+ }
+
+ static void nft_ng_random_eval(const struct nft_expr *expr,
+@@ -137,8 +133,6 @@ static int nft_ng_random_init(const struct nft_ctx *ctx,
+ if (priv->offset + priv->modulus - 1 < priv->offset)
+ return -EOVERFLOW;
+
+- prandom_init_once(&nft_numgen_prandom_state);
+-
+ return nft_parse_register_store(ctx, tb[NFTA_NG_DREG], &priv->dreg,
+ NULL, NFT_DATA_VALUE, sizeof(u32));
+ }
+--
+2.35.1
+
--- /dev/null
+From af366c5f4347fcf16575a1299e3e148604306780 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Jun 2022 10:29:42 +0200
+Subject: nvme: move the Samsung X5 quirk entry to the core quirks
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit e6487833182a8a0187f0292aca542fc163ccd03e ]
+
+This device shares the PCI ID with the Samsung 970 Evo Plus that
+does not need or want the quirks. Move the the quirk entry to the
+core table based on the model number instead.
+
+Fixes: bc360b0b1611 ("nvme-pci: add quirks for Samsung X5 SSDs")
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Pankaj Raghav <p.raghav@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 14 ++++++++++++++
+ drivers/nvme/host/pci.c | 4 ----
+ 2 files changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index 3ef1f9112ee0..19054b791c67 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -2489,6 +2489,20 @@ static const struct nvme_core_quirk_entry core_quirks[] = {
+ .vid = 0x1e0f,
+ .mn = "KCD6XVUL6T40",
+ .quirks = NVME_QUIRK_NO_APST,
++ },
++ {
++ /*
++ * The external Samsung X5 SSD fails initialization without a
++ * delay before checking if it is ready and has a whole set of
++ * other problems. To make this even more interesting, it
++ * shares the PCI ID with internal Samsung 970 Evo Plus that
++ * does not need or want these quirks.
++ */
++ .vid = 0x144d,
++ .mn = "Samsung Portable SSD X5",
++ .quirks = NVME_QUIRK_DELAY_BEFORE_CHK_RDY |
++ NVME_QUIRK_NO_DEEPEST_PS |
++ NVME_QUIRK_IGNORE_DEV_SUBNQN,
+ }
+ };
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index 3ddd24a42043..58b8461b2b0f 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -3380,10 +3380,6 @@ static const struct pci_device_id nvme_id_table[] = {
+ NVME_QUIRK_128_BYTES_SQES |
+ NVME_QUIRK_SHARED_TAGS |
+ NVME_QUIRK_SKIP_CID_GEN },
+- { PCI_DEVICE(0x144d, 0xa808), /* Samsung X5 */
+- .driver_data = NVME_QUIRK_DELAY_BEFORE_CHK_RDY|
+- NVME_QUIRK_NO_DEEPEST_PS |
+- NVME_QUIRK_IGNORE_DEV_SUBNQN, },
+ { PCI_DEVICE_CLASS(PCI_CLASS_STORAGE_EXPRESS, 0xffffff) },
+ { 0, }
+ };
+--
+2.35.1
+
--- /dev/null
+From 430ddfa7cafd83642f80d5cf9d0e9d32cdac50f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Nov 2021 23:08:57 -0300
+Subject: nvme-pci: add NO APST quirk for Kioxia device
+
+From: Enzo Matsumiya <ematsumiya@suse.de>
+
+[ Upstream commit 5a6254d55e2a9f7919ead8580d7aa0c7a382b26a ]
+
+This particular Kioxia device times out and aborts I/O during any load,
+but it's more easily observable with discards (fstrim).
+
+The device gets to a state that is also not possible to use
+"nvme set-feature" to disable APST.
+Booting with nvme_core.default_ps_max_latency=0 solves the issue.
+
+We had a dozen or so of these devices behaving this same way in
+customer environments.
+
+Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index 9bc9f6d225bd..3ef1f9112ee0 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -2475,6 +2475,20 @@ static const struct nvme_core_quirk_entry core_quirks[] = {
+ .vid = 0x14a4,
+ .fr = "22301111",
+ .quirks = NVME_QUIRK_SIMPLE_SUSPEND,
++ },
++ {
++ /*
++ * This Kioxia CD6-V Series / HPE PE8030 device times out and
++ * aborts I/O during any load, but more easily reproducible
++ * with discards (fstrim).
++ *
++ * The device is left in a state where it is also not possible
++ * to use "nvme set-feature" to disable APST, but booting with
++ * nvme_core.default_ps_max_latency=0 works.
++ */
++ .vid = 0x1e0f,
++ .mn = "KCD6XVUL6T40",
++ .quirks = NVME_QUIRK_NO_APST,
+ }
+ };
+
+--
+2.35.1
+
--- /dev/null
+From 8185e7def60607dddcd79a1334c5463cc803b8c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 May 2022 02:03:25 +0000
+Subject: perf arm-spe: Don't set data source if it's not a memory operation
+
+From: Leo Yan <leo.yan@linaro.org>
+
+[ Upstream commit 51ba539f5bdb5a8cc7b1dedd5e73ac54564a7602 ]
+
+Except for memory load and store operations, ARM SPE records also can
+support other operation types, bug when set the data source field the
+current code assumes a record is a either load operation or store
+operation, this leads to wrongly synthesize memory samples.
+
+This patch strictly checks the record operation type, it only sets data
+source only for the operation types ARM_SPE_LD and ARM_SPE_ST,
+otherwise, returns zero for data source. Therefore, we can synthesize
+memory samples only when data source is a non-zero value, the function
+arm_spe__is_memory_event() is useless and removed.
+
+Fixes: e55ed3423c1bb29f ("perf arm-spe: Synthesize memory event")
+Reviewed-by: Ali Saidi <alisaidi@amazon.com>
+Reviewed-by: German Gomez <german.gomez@arm.com>
+Signed-off-by: Leo Yan <leo.yan@linaro.org>
+Tested-by: Ali Saidi <alisaidi@amazon.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: alisaidi@amazon.com
+Cc: Andrew Kilroy <andrew.kilroy@arm.com>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc: James Clark <james.clark@arm.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: John Garry <john.garry@huawei.com>
+Cc: Kajol Jain <kjain@linux.ibm.com>
+Cc: Leo Yan <leo.yan@linaro.org>
+Cc: Li Huafei <lihuafei1@huawei.com>
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Nick Forrington <nick.forrington@arm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Will Deacon <will@kernel.org>
+Link: http://lore.kernel.org/lkml/20220517020326.18580-5-alisaidi@amazon.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/arm-spe.c | 22 ++++++++--------------
+ 1 file changed, 8 insertions(+), 14 deletions(-)
+
+diff --git a/tools/perf/util/arm-spe.c b/tools/perf/util/arm-spe.c
+index 235549bb28b9..569e1b8ad0ab 100644
+--- a/tools/perf/util/arm-spe.c
++++ b/tools/perf/util/arm-spe.c
+@@ -312,26 +312,16 @@ static int arm_spe__synth_branch_sample(struct arm_spe_queue *speq,
+ return arm_spe_deliver_synth_event(spe, speq, event, &sample);
+ }
+
+-#define SPE_MEM_TYPE (ARM_SPE_L1D_ACCESS | ARM_SPE_L1D_MISS | \
+- ARM_SPE_LLC_ACCESS | ARM_SPE_LLC_MISS | \
+- ARM_SPE_REMOTE_ACCESS)
+-
+-static bool arm_spe__is_memory_event(enum arm_spe_sample_type type)
+-{
+- if (type & SPE_MEM_TYPE)
+- return true;
+-
+- return false;
+-}
+-
+ static u64 arm_spe__synth_data_source(const struct arm_spe_record *record)
+ {
+ union perf_mem_data_src data_src = { 0 };
+
+ if (record->op == ARM_SPE_LD)
+ data_src.mem_op = PERF_MEM_OP_LOAD;
+- else
++ else if (record->op == ARM_SPE_ST)
+ data_src.mem_op = PERF_MEM_OP_STORE;
++ else
++ return 0;
+
+ if (record->type & (ARM_SPE_LLC_ACCESS | ARM_SPE_LLC_MISS)) {
+ data_src.mem_lvl = PERF_MEM_LVL_L3;
+@@ -435,7 +425,11 @@ static int arm_spe_sample(struct arm_spe_queue *speq)
+ return err;
+ }
+
+- if (spe->sample_memory && arm_spe__is_memory_event(record->type)) {
++ /*
++ * When data_src is zero it means the record is not a memory operation,
++ * skip to synthesize memory sample for this case.
++ */
++ if (spe->sample_memory && data_src) {
+ err = arm_spe__synth_mem_sample(speq, spe->memory_id, data_src);
+ if (err)
+ return err;
+--
+2.35.1
+
--- /dev/null
+From 409c0b9e02b65c66cb415bf6978be59a6e67f45c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Jun 2022 11:40:37 +0300
+Subject: phy: aquantia: Fix AN when higher speeds than 1G are not advertised
+
+From: Claudiu Manoil <claudiu.manoil@nxp.com>
+
+[ Upstream commit 9b7fd1670a94a57d974795acebde843a5c1a354e ]
+
+Even when the eth port is resticted to work with speeds not higher than 1G,
+and so the eth driver is requesting the phy (via phylink) to advertise up
+to 1000BASET support, the aquantia phy device is still advertising for 2.5G
+and 5G speeds.
+Clear these advertising defaults when requested.
+
+Cc: Ondrej Spacek <ondrej.spacek@nxp.com>
+Fixes: 09c4c57f7bc41 ("net: phy: aquantia: add support for auto-negotiation configuration")
+Signed-off-by: Claudiu Manoil <claudiu.manoil@nxp.com>
+Link: https://lore.kernel.org/r/20220610084037.7625-1-claudiu.manoil@nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/aquantia_main.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/phy/aquantia_main.c b/drivers/net/phy/aquantia_main.c
+index 968dd43a2b1e..3221224525ac 100644
+--- a/drivers/net/phy/aquantia_main.c
++++ b/drivers/net/phy/aquantia_main.c
+@@ -34,6 +34,8 @@
+ #define MDIO_AN_VEND_PROV 0xc400
+ #define MDIO_AN_VEND_PROV_1000BASET_FULL BIT(15)
+ #define MDIO_AN_VEND_PROV_1000BASET_HALF BIT(14)
++#define MDIO_AN_VEND_PROV_5000BASET_FULL BIT(11)
++#define MDIO_AN_VEND_PROV_2500BASET_FULL BIT(10)
+ #define MDIO_AN_VEND_PROV_DOWNSHIFT_EN BIT(4)
+ #define MDIO_AN_VEND_PROV_DOWNSHIFT_MASK GENMASK(3, 0)
+ #define MDIO_AN_VEND_PROV_DOWNSHIFT_DFLT 4
+@@ -231,9 +233,20 @@ static int aqr_config_aneg(struct phy_device *phydev)
+ phydev->advertising))
+ reg |= MDIO_AN_VEND_PROV_1000BASET_HALF;
+
++ /* Handle the case when the 2.5G and 5G speeds are not advertised */
++ if (linkmode_test_bit(ETHTOOL_LINK_MODE_2500baseT_Full_BIT,
++ phydev->advertising))
++ reg |= MDIO_AN_VEND_PROV_2500BASET_FULL;
++
++ if (linkmode_test_bit(ETHTOOL_LINK_MODE_5000baseT_Full_BIT,
++ phydev->advertising))
++ reg |= MDIO_AN_VEND_PROV_5000BASET_FULL;
++
+ ret = phy_modify_mmd_changed(phydev, MDIO_MMD_AN, MDIO_AN_VEND_PROV,
+ MDIO_AN_VEND_PROV_1000BASET_HALF |
+- MDIO_AN_VEND_PROV_1000BASET_FULL, reg);
++ MDIO_AN_VEND_PROV_1000BASET_FULL |
++ MDIO_AN_VEND_PROV_2500BASET_FULL |
++ MDIO_AN_VEND_PROV_5000BASET_FULL, reg);
+ if (ret < 0)
+ return ret;
+ if (ret > 0)
+--
+2.35.1
+
--- /dev/null
+From 1be45a6094255d181ac75c7178e8ecc9a435bef4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Jun 2022 21:05:56 +0100
+Subject: regmap-irq: Fix a bug in regmap_irq_enable() for type_in_mask chips
+
+From: Aidan MacDonald <aidanmacdonald.0x0@gmail.com>
+
+[ Upstream commit 485037ae9a095491beb7f893c909a76cc4f9d1e7 ]
+
+When enabling a type_in_mask irq, the type_buf contents must be
+AND'd with the mask of the IRQ we're enabling to avoid enabling
+other IRQs by accident, which can happen if several type_in_mask
+irqs share a mask register.
+
+Fixes: bc998a730367 ("regmap: irq: handle HW using separate rising/falling edge interrupts")
+Signed-off-by: Aidan MacDonald <aidanmacdonald.0x0@gmail.com>
+Link: https://lore.kernel.org/r/20220620200644.1961936-2-aidanmacdonald.0x0@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/regmap/regmap-irq.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/base/regmap/regmap-irq.c b/drivers/base/regmap/regmap-irq.c
+index 4a446259a184..cd12078ed51b 100644
+--- a/drivers/base/regmap/regmap-irq.c
++++ b/drivers/base/regmap/regmap-irq.c
+@@ -252,6 +252,7 @@ static void regmap_irq_enable(struct irq_data *data)
+ struct regmap_irq_chip_data *d = irq_data_get_irq_chip_data(data);
+ struct regmap *map = d->map;
+ const struct regmap_irq *irq_data = irq_to_regmap_irq(d, data->hwirq);
++ unsigned int reg = irq_data->reg_offset / map->reg_stride;
+ unsigned int mask, type;
+
+ type = irq_data->type.type_falling_val | irq_data->type.type_rising_val;
+@@ -268,14 +269,14 @@ static void regmap_irq_enable(struct irq_data *data)
+ * at the corresponding offset in regmap_irq_set_type().
+ */
+ if (d->chip->type_in_mask && type)
+- mask = d->type_buf[irq_data->reg_offset / map->reg_stride];
++ mask = d->type_buf[reg] & irq_data->mask;
+ else
+ mask = irq_data->mask;
+
+ if (d->chip->clear_on_unmask)
+ d->clear_status = true;
+
+- d->mask_buf[irq_data->reg_offset / map->reg_stride] &= ~mask;
++ d->mask_buf[reg] &= ~mask;
+ }
+
+ static void regmap_irq_disable(struct irq_data *data)
+--
+2.35.1
+
--- /dev/null
+From 609e3e770484bb7a8558ec15393f893d4c3adfe7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Jun 2022 21:05:57 +0100
+Subject: regmap-irq: Fix offset/index mismatch in read_sub_irq_data()
+
+From: Aidan MacDonald <aidanmacdonald.0x0@gmail.com>
+
+[ Upstream commit 3f05010f243be06478a9b11cfce0ce994f5a0890 ]
+
+We need to divide the sub-irq status register offset by register
+stride to get an index for the status buffer to avoid an out of
+bounds write when the register stride is greater than 1.
+
+Fixes: a2d21848d921 ("regmap: regmap-irq: Add main status register support")
+Signed-off-by: Aidan MacDonald <aidanmacdonald.0x0@gmail.com>
+Link: https://lore.kernel.org/r/20220620200644.1961936-3-aidanmacdonald.0x0@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/regmap/regmap-irq.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/base/regmap/regmap-irq.c b/drivers/base/regmap/regmap-irq.c
+index cd12078ed51b..3aac960ae30a 100644
+--- a/drivers/base/regmap/regmap-irq.c
++++ b/drivers/base/regmap/regmap-irq.c
+@@ -387,6 +387,7 @@ static inline int read_sub_irq_data(struct regmap_irq_chip_data *data,
+ subreg = &chip->sub_reg_offsets[b];
+ for (i = 0; i < subreg->num_regs; i++) {
+ unsigned int offset = subreg->offset[i];
++ unsigned int index = offset / map->reg_stride;
+
+ if (chip->not_fixed_stride)
+ ret = regmap_read(map,
+@@ -395,7 +396,7 @@ static inline int read_sub_irq_data(struct regmap_irq_chip_data *data,
+ else
+ ret = regmap_read(map,
+ chip->status_base + offset,
+- &data->status_buf[offset]);
++ &data->status_buf[index]);
+
+ if (ret)
+ break;
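Review bot: `index` is used for the write to `data->status_buf[index]` without being compared against the buffer's length, so the out-of-bounds write this patch fixes for strides greater than 1 can still happen if a chip description carries a sub-register offset beyond the status registers. `offset` comes from `subreg->offset[i]`, i.e. from driver-supplied tables, and the allocation size of status_buf is not visible here (presumably chip->num_regs entries). A guard before the read would make the function fail closed, e.g. `if (index >= chip->num_regs) { ret = -EINVAL; break; }`, assuming that is the buffer's size. The not_fixed_stride branch and the rest of read_sub_irq_data() lie outside the two hunks.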
+--
+2.35.1
+
--- /dev/null
+From 3df1d8262080947de2a8557e41717c624da8a676 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Jun 2022 12:13:52 -0700
+Subject: Revert "net/tls: fix tls_sk_proto_close executed repeatedly"
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 1b205d948fbb06a7613d87dcea0ff5fd8a08ed91 ]
+
+This reverts commit 69135c572d1f84261a6de2a1268513a7e71753e2.
+
+This commit was just papering over the issue, ULP should not
+get ->update() called with its own sk_prot. Each ULP would
+need to add this check.
+
+Fixes: 69135c572d1f ("net/tls: fix tls_sk_proto_close executed repeatedly")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Reviewed-by: John Fastabend <john.fastabend@gmail.com>
+Link: https://lore.kernel.org/r/20220620191353.1184629-1-kuba@kernel.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tls/tls_main.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
+index 057c1af6182a..9aac9c60d786 100644
+--- a/net/tls/tls_main.c
++++ b/net/tls/tls_main.c
+@@ -790,9 +790,6 @@ static void tls_update(struct sock *sk, struct proto *p,
+ {
+ struct tls_context *ctx;
+
+- if (sk->sk_prot == p)
+- return;
+-
+ ctx = tls_get_ctx(sk);
+ if (likely(ctx)) {
+ ctx->sk_write_space = write_space;
+--
+2.35.1
+
--- /dev/null
+From fd836eb6e5423c3f843b02bd2298ea73dc4ad16a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Jun 2022 15:19:00 +0200
+Subject: s390/cpumf: Handle events cycles and instructions identical
+
+From: Thomas Richter <tmricht@linux.ibm.com>
+
+[ Upstream commit be857b7f77d130dbbd47c91fc35198b040f35865 ]
+
+Events CPU_CYCLES and INSTRUCTIONS can be submitted with two different
+perf_event attribute::type values:
+ - PERF_TYPE_HARDWARE: when invoked via perf tool predefined events name
+ cycles or cpu-cycles or instructions.
+ - pmu->type: when invoked via perf tool event name cpu_cf/CPU_CYLCES/ or
+ cpu_cf/INSTRUCTIONS/. This invocation also selects the PMU to which
+ the event belongs.
+Handle both type of invocations identical for events CPU_CYLCES and
+INSTRUCTIONS. They address the same hardware.
+The result is different when event modifier exclude_kernel is also set.
+Invocation with event modifier for user space event counting fails.
+
+Output before:
+
+ # perf stat -e cpum_cf/cpu_cycles/u -- true
+
+ Performance counter stats for 'true':
+
+ <not supported> cpum_cf/cpu_cycles/u
+
+ 0.000761033 seconds time elapsed
+
+ 0.000076000 seconds user
+ 0.000725000 seconds sys
+
+ #
+
+Output after:
+ # perf stat -e cpum_cf/cpu_cycles/u -- true
+
+ Performance counter stats for 'true':
+
+ 349,613 cpum_cf/cpu_cycles/u
+
+ 0.000844143 seconds time elapsed
+
+ 0.000079000 seconds user
+ 0.000800000 seconds sys
+ #
+
+Fixes: 6a82e23f45fe ("s390/cpumf: Adjust registration of s390 PMU device drivers")
+Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
+Acked-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
+[agordeev@linux.ibm.com corrected commit ID of Fixes commit]
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/perf_cpum_cf.c | 22 +++++++++++++++++++++-
+ 1 file changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/arch/s390/kernel/perf_cpum_cf.c b/arch/s390/kernel/perf_cpum_cf.c
+index cceb8ec707e4..d2a2a18b5580 100644
+--- a/arch/s390/kernel/perf_cpum_cf.c
++++ b/arch/s390/kernel/perf_cpum_cf.c
+@@ -516,6 +516,26 @@ static int __hw_perf_event_init(struct perf_event *event, unsigned int type)
+ return err;
+ }
+
++/* Events CPU_CYLCES and INSTRUCTIONS can be submitted with two different
++ * attribute::type values:
++ * - PERF_TYPE_HARDWARE:
++ * - pmu->type:
++ * Handle both type of invocations identical. They address the same hardware.
++ * The result is different when event modifiers exclude_kernel and/or
++ * exclude_user are also set.
++ */
++static int cpumf_pmu_event_type(struct perf_event *event)
++{
++ u64 ev = event->attr.config;
++
++ if (cpumf_generic_events_basic[PERF_COUNT_HW_CPU_CYCLES] == ev ||
++ cpumf_generic_events_basic[PERF_COUNT_HW_INSTRUCTIONS] == ev ||
++ cpumf_generic_events_user[PERF_COUNT_HW_CPU_CYCLES] == ev ||
++ cpumf_generic_events_user[PERF_COUNT_HW_INSTRUCTIONS] == ev)
++ return PERF_TYPE_HARDWARE;
++ return PERF_TYPE_RAW;
++}
++
+ static int cpumf_pmu_event_init(struct perf_event *event)
+ {
+ unsigned int type = event->attr.type;
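Review bot: The block comment above cpumf_pmu_event_type() leaves both of its bullets (`- PERF_TYPE_HARDWARE:` and `- pmu->type:`) empty and spells the event name CPU_CYLCES, so it does not tell the reader when each type value arrives. Going by the commit message, the bullets could read `- PERF_TYPE_HARDWARE: generic perf event names (cycles, cpu-cycles, instructions)` and `- pmu->type: PMU-qualified names such as cpum_cf/cpu_cycles/`. It would also help to say that the generic `_basic` and `_user` tables are both checked because the exclude_kernel/exclude_user modifiers are applied after this mapping, which is what the last sentence of the comment hints at. cpumf_pmu_event_init() continues beyond the hunk.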
+@@ -525,7 +545,7 @@ static int cpumf_pmu_event_init(struct perf_event *event)
+ err = __hw_perf_event_init(event, type);
+ else if (event->pmu->type == type)
+ /* Registered as unknown PMU */
+- err = __hw_perf_event_init(event, PERF_TYPE_RAW);
++ err = __hw_perf_event_init(event, cpumf_pmu_event_type(event));
+ else
+ return -ENOENT;
+
+--
+2.35.1
+
--- /dev/null
+From 93d2e7f8fb638ad679b84496acdea230c5db22b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Jun 2022 15:38:54 +0300
+Subject: scsi: iscsi: Exclude zero from the endpoint ID range
+
+From: Sergey Gorenko <sergeygo@nvidia.com>
+
+[ Upstream commit f6eed15f3ea76596ccc689331e1cc850b999133b ]
+
+The kernel returns an endpoint ID as r.ep_connect_ret.handle in the
+iscsi_uevent. The iscsid validates a received endpoint ID and treats zero
+as an error. The commit referenced in the fixes line changed the endpoint
+ID range, and zero is always assigned to the first endpoint ID. So, the
+first attempt to create a new iSER connection always fails.
+
+Link: https://lore.kernel.org/r/20220613123854.55073-1-sergeygo@nvidia.com
+Fixes: 3c6ae371b8a1 ("scsi: iscsi: Release endpoint ID when its freed")
+Reviewed-by: Max Gurtovoy <mgurtovoy@nvidia.com>
+Reviewed-by: Mike Christie <michael.christie@oracle.com>
+Reviewed-by: Lee Duncan <lduncan@suse.com>
+Signed-off-by: Sergey Gorenko <sergeygo@nvidia.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi_transport_iscsi.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
+index bcdfcb25349a..5947b9d5746e 100644
+--- a/drivers/scsi/scsi_transport_iscsi.c
++++ b/drivers/scsi/scsi_transport_iscsi.c
+@@ -213,7 +213,12 @@ iscsi_create_endpoint(int dd_size)
+ return NULL;
+
+ mutex_lock(&iscsi_ep_idr_mutex);
+- id = idr_alloc(&iscsi_ep_idr, ep, 0, -1, GFP_NOIO);
++
++ /*
++ * First endpoint id should be 1 to comply with user space
++ * applications (iscsid).
++ */
++ id = idr_alloc(&iscsi_ep_idr, ep, 1, -1, GFP_NOIO);
+ if (id < 0) {
+ mutex_unlock(&iscsi_ep_idr_mutex);
+ printk(KERN_ERR "Could not allocate endpoint ID. Error %d.\n",
+--
+2.35.1
+
--- /dev/null
+From 59b71585aa43d7b1cccbe080d7bb8961cdd002df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Jun 2022 10:13:02 +0900
+Subject: scsi: scsi_debug: Fix zone transition to full condition
+
+From: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+
+[ Upstream commit 566d3c57eb526f32951af15866086e236ce1fc8a ]
+
+When a write command to a sequential write required or sequential write
+preferred zone result in the zone write pointer reaching the end of the
+zone, the zone condition must be set to full AND the number of implicitly
+or explicitly open zones updated to have a correct accounting for zone
+resources. However, the function zbc_inc_wp() only sets the zone condition
+to full without updating the open zone counters, resulting in a zone state
+machine breakage.
+
+Introduce the helper function zbc_set_zone_full() and use it in
+zbc_inc_wp() to correctly transition zones to the full condition.
+
+Link: https://lore.kernel.org/r/20220608011302.92061-1-damien.lemoal@opensource.wdc.com
+Fixes: f0d1cf9378bd ("scsi: scsi_debug: Add ZBC zone commands")
+Reviewed-by: Niklas Cassel <niklas.cassel@wdc.com>
+Acked-by: Douglas Gilbert <dgilbert@interlog.com>
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi_debug.c | 22 ++++++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
+index cfeadd5f61f1..747e1cbb7ec9 100644
+--- a/drivers/scsi/scsi_debug.c
++++ b/drivers/scsi/scsi_debug.c
+@@ -2747,6 +2747,24 @@ static void zbc_open_zone(struct sdebug_dev_info *devip,
+ }
+ }
+
++static inline void zbc_set_zone_full(struct sdebug_dev_info *devip,
++ struct sdeb_zone_state *zsp)
++{
++ switch (zsp->z_cond) {
++ case ZC2_IMPLICIT_OPEN:
++ devip->nr_imp_open--;
++ break;
++ case ZC3_EXPLICIT_OPEN:
++ devip->nr_exp_open--;
++ break;
++ default:
++ WARN_ONCE(true, "Invalid zone %llu condition %x\n",
++ zsp->z_start, zsp->z_cond);
++ break;
++ }
++ zsp->z_cond = ZC5_FULL;
++}
++
+ static void zbc_inc_wp(struct sdebug_dev_info *devip,
+ unsigned long long lba, unsigned int num)
+ {
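Review bot: `zbc_set_zone_full()` has no comment stating its precondition, and its `default:` branch warns but still falls through to `zsp->z_cond = ZC5_FULL`, so a zone that was not open is marked full anyway. I would document the contract on the helper, for example `/* Caller must pass a zone in implicit or explicit open condition; the matching open counter is dropped here. */`. The two decrements are also unguarded, so if `nr_imp_open` or `nr_exp_open` is unsigned (their declarations are outside this hunk), a miscounted state would wrap instead of stopping at zero. The callers in `zbc_inc_wp()` are only partly visible, so whether a zone can reach the helper twice should be checked there.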
+@@ -2759,7 +2777,7 @@ static void zbc_inc_wp(struct sdebug_dev_info *devip,
+ if (zsp->z_type == ZBC_ZONE_TYPE_SWR) {
+ zsp->z_wp += num;
+ if (zsp->z_wp >= zend)
+- zsp->z_cond = ZC5_FULL;
++ zbc_set_zone_full(devip, zsp);
+ return;
+ }
+
+@@ -2778,7 +2796,7 @@ static void zbc_inc_wp(struct sdebug_dev_info *devip,
+ n = num;
+ }
+ if (zsp->z_wp >= zend)
+- zsp->z_cond = ZC5_FULL;
++ zbc_set_zone_full(devip, zsp);
+
+ num -= n;
+ lba += n;
+--
+2.35.1
+
--- /dev/null
+From 7faf062a3fbe8a7bf449d0aa6bba41f8dc124f4b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Jun 2022 00:05:55 -0700
+Subject: scsi: storvsc: Correct reporting of Hyper-V I/O size limits
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Saurabh Sengar <ssengar@linux.microsoft.com>
+
+[ Upstream commit 1d3e0980782fbafaf93285779fd3905e4f866802 ]
+
+Current code is based on the idea that the max number of SGL entries
+also determines the max size of an I/O request. While this idea was
+true in older versions of the storvsc driver when SGL entry length
+was limited to 4 Kbytes, commit 3d9c3dcc58e9 ("scsi: storvsc: Enable
+scatterlist entry lengths > 4Kbytes") removed that limitation. It's
+now theoretically possible for the block layer to send requests that
+exceed the maximum size supported by Hyper-V. This problem doesn't
+currently happen in practice because the block layer defaults to a
+512 Kbyte maximum, while Hyper-V in Azure supports 2 Mbyte I/O sizes.
+But some future configuration of Hyper-V could have a smaller max I/O
+size, and the block layer could exceed that max.
+
+Fix this by correctly setting max_sectors as well as sg_tablesize to
+reflect the maximum I/O size that Hyper-V reports. While allowing
+I/O sizes larger than the block layer default of 512 Kbytes doesn’t
+provide any noticeable performance benefit in the tests we ran, it's
+still appropriate to report the correct underlying Hyper-V capabilities
+to the Linux block layer.
+
+Also tweak the virt_boundary_mask to reflect that the required
+alignment derives from Hyper-V communication using a 4 Kbyte page size,
+and not on the guest page size, which might be bigger (eg. ARM64).
+
+Link: https://lore.kernel.org/r/1655190355-28722-1-git-send-email-ssengar@linux.microsoft.com
+Fixes: 3d9c3dcc58e9 ("scsi: storvsc: Enable scatter list entry lengths > 4Kbytes")
+Reviewed-by: Michael Kelley <mikelley@microsoft.com>
+Signed-off-by: Saurabh Sengar <ssengar@linux.microsoft.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/storvsc_drv.c | 27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c
+index 9eb1b88a29dd..71c7f7b435c4 100644
+--- a/drivers/scsi/storvsc_drv.c
++++ b/drivers/scsi/storvsc_drv.c
+@@ -1907,7 +1907,7 @@ static struct scsi_host_template scsi_driver = {
+ .cmd_per_lun = 2048,
+ .this_id = -1,
+ /* Ensure there are no gaps in presented sgls */
+- .virt_boundary_mask = PAGE_SIZE-1,
++ .virt_boundary_mask = HV_HYP_PAGE_SIZE - 1,
+ .no_write_same = 1,
+ .track_queue_depth = 1,
+ .change_queue_depth = storvsc_change_queue_depth,
+@@ -1961,6 +1961,7 @@ static int storvsc_probe(struct hv_device *device,
+ int max_targets;
+ int max_channels;
+ int max_sub_channels = 0;
++ u32 max_xfer_bytes;
+
+ /*
+ * Based on the windows host we are running on,
+@@ -2049,12 +2050,28 @@ static int storvsc_probe(struct hv_device *device,
+ }
+ /* max cmd length */
+ host->max_cmd_len = STORVSC_MAX_CMD_LEN;
+-
+ /*
+- * set the table size based on the info we got
+- * from the host.
++ * Any reasonable Hyper-V configuration should provide
++ * max_transfer_bytes value aligning to HV_HYP_PAGE_SIZE,
++ * protecting it from any weird value.
++ */
++ max_xfer_bytes = round_down(stor_device->max_transfer_bytes, HV_HYP_PAGE_SIZE);
++ /* max_hw_sectors_kb */
++ host->max_sectors = max_xfer_bytes >> 9;
++ /*
++ * There are 2 requirements for Hyper-V storvsc sgl segments,
++ * based on which the below calculation for max segments is
++ * done:
++ *
++ * 1. Except for the first and last sgl segment, all sgl segments
++ * should be align to HV_HYP_PAGE_SIZE, that also means the
++ * maximum number of segments in a sgl can be calculated by
++ * dividing the total max transfer length by HV_HYP_PAGE_SIZE.
++ *
++ * 2. Except for the first and last, each entry in the SGL must
++ * have an offset that is a multiple of HV_HYP_PAGE_SIZE.
+ */
+- host->sg_tablesize = (stor_device->max_transfer_bytes >> PAGE_SHIFT);
++ host->sg_tablesize = (max_xfer_bytes >> HV_HYP_PAGE_SHIFT) + 1;
+ /*
+ * For non-IDE disks, the host supports multiple channels.
+ * Set the number of HW queues we are supporting.
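Review bot: `round_down()` on the new `max_xfer_bytes` line only fixes alignment, so a host-reported `max_transfer_bytes` smaller than `HV_HYP_PAGE_SIZE` becomes 0, and the code then sets `host->max_sectors = 0` and `host->sg_tablesize = 1`. The comment says the value is being protected from weird input, but this hunk enforces no lower bound; since the number comes from the hypervisor, I would fail the probe (or fall back to a fixed minimum) when `max_xfer_bytes < HV_HYP_PAGE_SIZE`. The upper end deserves the same look: `(max_xfer_bytes >> HV_HYP_PAGE_SHIFT) + 1` is computed in 32 bits and could be truncated if `sg_tablesize` is a narrower field, which is not visible here. `storvsc_probe()` starts and ends outside the hunk, so an earlier validation of `max_transfer_bytes` may already exist.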
+--
+2.35.1
+
--- /dev/null
+From 405147d73ddcb1770f3756d1e92cc8ab6d9c9758 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Jun 2022 15:40:46 +0800
+Subject: selftests: netfilter: correct PKTGEN_SCRIPT_PATHS in
+ nft_concat_range.sh
+
+From: Jie2x Zhou <jie2x.zhou@intel.com>
+
+[ Upstream commit 5d79d8af8dec58bf709b3124d09d9572edd9c617 ]
+
+Before change:
+make -C netfilter
+ TEST: performance
+ net,port [SKIP]
+ perf not supported
+ port,net [SKIP]
+ perf not supported
+ net6,port [SKIP]
+ perf not supported
+ port,proto [SKIP]
+ perf not supported
+ net6,port,mac [SKIP]
+ perf not supported
+ net6,port,mac,proto [SKIP]
+ perf not supported
+ net,mac [SKIP]
+ perf not supported
+
+After change:
+ net,mac [ OK ]
+ baseline (drop from netdev hook): 2061098pps
+ baseline hash (non-ranged entries): 1606741pps
+ baseline rbtree (match on first field only): 1191607pps
+ set with 1000 full, ranged entries: 1639119pps
+ok 8 selftests: netfilter: nft_concat_range.sh
+
+Fixes: 611973c1e06f ("selftests: netfilter: Introduce tests for sets with range concatenation")
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Jie2x Zhou <jie2x.zhou@intel.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/netfilter/nft_concat_range.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/netfilter/nft_concat_range.sh b/tools/testing/selftests/netfilter/nft_concat_range.sh
+index b5eef5ffb58e..af3461cb5c40 100755
+--- a/tools/testing/selftests/netfilter/nft_concat_range.sh
++++ b/tools/testing/selftests/netfilter/nft_concat_range.sh
+@@ -31,7 +31,7 @@ BUGS="flush_remove_add reload"
+
+ # List of possible paths to pktgen script from kernel tree for performance tests
+ PKTGEN_SCRIPT_PATHS="
+- ../../../samples/pktgen/pktgen_bench_xmit_mode_netif_receive.sh
++ ../../../../samples/pktgen/pktgen_bench_xmit_mode_netif_receive.sh
+ pktgen/pktgen_bench_xmit_mode_netif_receive.sh"
+
+ # Definition of set types:
+--
+2.35.1
+
usb-serial-option-add-telit-le910cx-0x1250-composition.patch
usb-serial-option-add-quectel-em05-g-modem.patch
usb-serial-option-add-quectel-rm500k-module-support.patch
+drm-msm-ensure-mmap-offset-is-initialized.patch
+drm-msm-fix-double-pm_runtime_disable-call.patch
+netfilter-use-get_random_u32-instead-of-prandom.patch
+scsi-scsi_debug-fix-zone-transition-to-full-conditio.patch
+drm-msm-switch-ordering-of-runpm-put-vs-devfreq_idle.patch
+scsi-iscsi-exclude-zero-from-the-endpoint-id-range.patch
+xsk-fix-generic-transmit-when-completion-queue-reser.patch
+drm-msm-use-for_each_sgtable_sg-to-iterate-over-scat.patch
+bpf-fix-request_sock-leak-in-sk-lookup-helpers.patch
+drm-sun4i-fix-crash-during-suspend-after-component-b.patch
+bpf-x86-fix-tail-call-count-offset-calculation-on-bp.patch
+scsi-storvsc-correct-reporting-of-hyper-v-i-o-size-l.patch
+phy-aquantia-fix-an-when-higher-speeds-than-1g-are-n.patch
+kvm-arm64-prevent-kmemleak-from-accessing-pkvm-memor.patch
+net-write-lock-dev_base_lock-without-disabling-botto.patch
+net-fix-data-race-in-dev_isalive.patch
+tipc-fix-use-after-free-read-in-tipc_named_reinit.patch
+igb-fix-a-use-after-free-issue-in-igb_clean_tx_ring.patch
+bonding-arp-monitor-spams-netdev_notify_peers-notifi.patch
+ethtool-fix-get-module-eeprom-fallback.patch
+net-sched-sch_netem-fix-arithmetic-in-netem_dump-for.patch
+drm-msm-mdp4-fix-refcount-leak-in-mdp4_modeset_init_.patch
+drm-msm-dp-check-core_initialized-before-disable-int.patch
+drm-msm-dp-drop-now-unused-hpd_high-member.patch
+drm-msm-dp-dp_link_parse_sink_count-return-immediate.patch
+drm-msm-dp-do-not-initialize-phy-until-plugin-interr.patch
+drm-msm-dp-force-link-training-for-display-resolutio.patch
+perf-arm-spe-don-t-set-data-source-if-it-s-not-a-mem.patch
+erspan-do-not-assume-transport-header-is-always-set.patch
+net-tls-fix-tls_sk_proto_close-executed-repeatedly.patch
+udmabuf-add-back-sanity-check.patch
+selftests-netfilter-correct-pktgen_script_paths-in-n.patch
+xen-blkfront-handle-null-gendisk.patch
+x86-xen-remove-undefined-behavior-in-setup_features.patch
+mips-remove-repetitive-increase-irq_err_count.patch
+afs-fix-dynamic-root-getattr.patch
+ice-ethtool-advertise-1000m-speeds-properly.patch
+regmap-irq-fix-a-bug-in-regmap_irq_enable-for-type_i.patch
+regmap-irq-fix-offset-index-mismatch-in-read_sub_irq.patch
+igb-make-dma-faster-when-cpu-is-active-on-the-pcie-l.patch
+virtio_net-fix-xdp_rxq_info-bug-after-suspend-resume.patch
+revert-net-tls-fix-tls_sk_proto_close-executed-repea.patch
+sock-redo-the-psock-vs-ulp-protection-check.patch
+nvme-pci-add-no-apst-quirk-for-kioxia-device.patch
+nvme-move-the-samsung-x5-quirk-entry-to-the-core-qui.patch
+gpio-winbond-fix-error-code-in-winbond_gpio_get.patch
+s390-cpumf-handle-events-cycles-and-instructions-ide.patch
+iio-mma8452-fix-probe-fail-when-device-tree-compatib.patch
+iio-magnetometer-yas530-fix-memchr_inv-misuse.patch
+iio-adc-vf610-fix-conversion-mode-sysfs-node-name.patch
+usb-typec-wcove-drop-wrong-dependency-to-intel_soc_p.patch
--- /dev/null
+From 87cfc77131e7d2c1afe33dd038b5f6d4ff94d8e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Jun 2022 12:13:53 -0700
+Subject: sock: redo the psock vs ULP protection check
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit e34a07c0ae3906f97eb18df50902e2a01c1015b6 ]
+
+Commit 8a59f9d1e3d4 ("sock: Introduce sk->sk_prot->psock_update_sk_prot()")
+has moved the inet_csk_has_ulp(sk) check from sk_psock_init() to
+the new tcp_bpf_update_proto() function. I'm guessing that this
+was done to allow creating psocks for non-inet sockets.
+
+Unfortunately the destruction path for psock includes the ULP
+unwind, so we need to fail the sk_psock_init() itself.
+Otherwise if ULP is already present we'll notice that later,
+and call tcp_update_ulp() with the sk_proto of the ULP
+itself, which will most likely result in the ULP looping
+its callbacks.
+
+Fixes: 8a59f9d1e3d4 ("sock: Introduce sk->sk_prot->psock_update_sk_prot()")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Reviewed-by: John Fastabend <john.fastabend@gmail.com>
+Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
+Tested-by: Jakub Sitnicki <jakub@cloudflare.com>
+Link: https://lore.kernel.org/r/20220620191353.1184629-2-kuba@kernel.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/inet_sock.h | 5 +++++
+ net/core/skmsg.c | 5 +++++
+ net/ipv4/tcp_bpf.c | 3 ---
+ net/tls/tls_main.c | 2 ++
+ 4 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/include/net/inet_sock.h b/include/net/inet_sock.h
+index 9e1111f5915b..d81b7f85819e 100644
+--- a/include/net/inet_sock.h
++++ b/include/net/inet_sock.h
+@@ -252,6 +252,11 @@ struct inet_sock {
+ #define IP_CMSG_CHECKSUM BIT(7)
+ #define IP_CMSG_RECVFRAGSIZE BIT(8)
+
++static inline bool sk_is_inet(struct sock *sk)
++{
++ return sk->sk_family == AF_INET || sk->sk_family == AF_INET6;
++}
++
+ /**
+ * sk_to_full_sk - Access to a full socket
+ * @sk: pointer to a socket
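Review bot: `sk_is_inet()` takes a non-const `struct sock *` although it only reads `sk->sk_family`, and unlike `sk_to_full_sk` directly below it has no kernel-doc. Declaring it as `static inline bool sk_is_inet(const struct sock *sk)` lets callers that hold a const socket use it without a cast. A one-line comment saying it tests the address family only, and says nothing about the socket being a connection socket, would also prevent misuse as a type check.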
+diff --git a/net/core/skmsg.c b/net/core/skmsg.c
+index cc381165ea08..ede0af308f40 100644
+--- a/net/core/skmsg.c
++++ b/net/core/skmsg.c
+@@ -695,6 +695,11 @@ struct sk_psock *sk_psock_init(struct sock *sk, int node)
+
+ write_lock_bh(&sk->sk_callback_lock);
+
++ if (sk_is_inet(sk) && inet_csk_has_ulp(sk)) {
++ psock = ERR_PTR(-EINVAL);
++ goto out;
++ }
++
+ if (sk->sk_user_data) {
+ psock = ERR_PTR(-EBUSY);
+ goto out;
+diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c
+index 1cdcb4df0eb7..2c597a4e429a 100644
+--- a/net/ipv4/tcp_bpf.c
++++ b/net/ipv4/tcp_bpf.c
+@@ -612,9 +612,6 @@ int tcp_bpf_update_proto(struct sock *sk, struct sk_psock *psock, bool restore)
+ return 0;
+ }
+
+- if (inet_csk_has_ulp(sk))
+- return -EINVAL;
+-
+ if (sk->sk_family == AF_INET6) {
+ if (tcp_bpf_assert_proto_ops(psock->sk_proto))
+ return -EINVAL;
+diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
+index 9aac9c60d786..62b1c5e32bbd 100644
+--- a/net/tls/tls_main.c
++++ b/net/tls/tls_main.c
+@@ -790,6 +790,8 @@ static void tls_update(struct sock *sk, struct proto *p,
+ {
+ struct tls_context *ctx;
+
++ WARN_ON_ONCE(sk->sk_prot == p);
++
+ ctx = tls_get_ctx(sk);
+ if (likely(ctx)) {
+ ctx->sk_write_space = write_space;
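Review bot: The added `WARN_ON_ONCE(sk->sk_prot == p)` in `tls_update()` carries no comment, and after warning the function carries on with `p` as before. A reader cannot tell from this file which invariant is being asserted; a line such as `/* the caller must never pass the ULP's own proto here, see sk_psock_init() */` would tie it to the check added in `net/core/skmsg.c`. If the condition is the callback loop the commit message describes, it is worth deciding whether to only warn or also return early; the rest of the function is outside the hunk, so I cannot tell which is safe.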
+--
+2.35.1
+
--- /dev/null
+From ccb2d1d14d4c400cf73b122a840164ace8f84c3d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Jun 2022 08:45:51 +0700
+Subject: tipc: fix use-after-free Read in tipc_named_reinit
+
+From: Hoang Le <hoang.h.le@dektech.com.au>
+
+[ Upstream commit 911600bf5a5e84bfda4d33ee32acc75ecf6159f0 ]
+
+syzbot found the following issue on:
+==================================================================
+BUG: KASAN: use-after-free in tipc_named_reinit+0x94f/0x9b0
+net/tipc/name_distr.c:413
+Read of size 8 at addr ffff88805299a000 by task kworker/1:9/23764
+
+CPU: 1 PID: 23764 Comm: kworker/1:9 Not tainted
+5.18.0-rc4-syzkaller-00878-g17d49e6e8012 #0
+Hardware name: Google Compute Engine/Google Compute Engine,
+BIOS Google 01/01/2011
+Workqueue: events tipc_net_finalize_work
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
+ print_address_description.constprop.0.cold+0xeb/0x495
+mm/kasan/report.c:313
+ print_report mm/kasan/report.c:429 [inline]
+ kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
+ tipc_named_reinit+0x94f/0x9b0 net/tipc/name_distr.c:413
+ tipc_net_finalize+0x234/0x3d0 net/tipc/net.c:138
+ process_one_work+0x996/0x1610 kernel/workqueue.c:2289
+ worker_thread+0x665/0x1080 kernel/workqueue.c:2436
+ kthread+0x2e9/0x3a0 kernel/kthread.c:376
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
+ </TASK>
+[...]
+==================================================================
+
+In the commit
+d966ddcc3821 ("tipc: fix a deadlock when flushing scheduled work"),
+the cancel_work_sync() function just to make sure ONLY the work
+tipc_net_finalize_work() is executing/pending on any CPU completed before
+tipc namespace is destroyed through tipc_exit_net(). But this function
+is not guaranteed the work is the last queued. So, the destroyed instance
+may be accessed in the work which will try to enqueue later.
+
+In order to completely fix, we re-order the calling of cancel_work_sync()
+to make sure the work tipc_net_finalize_work() was last queued and it
+must be completed by calling cancel_work_sync().
+
+Reported-by: syzbot+47af19f3307fc9c5c82e@syzkaller.appspotmail.com
+Fixes: d966ddcc3821 ("tipc: fix a deadlock when flushing scheduled work")
+Acked-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Ying Xue <ying.xue@windriver.com>
+Signed-off-by: Hoang Le <hoang.h.le@dektech.com.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/core.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/tipc/core.c b/net/tipc/core.c
+index 3f4542e0f065..434e70eabe08 100644
+--- a/net/tipc/core.c
++++ b/net/tipc/core.c
+@@ -109,10 +109,9 @@ static void __net_exit tipc_exit_net(struct net *net)
+ struct tipc_net *tn = tipc_net(net);
+
+ tipc_detach_loopback(net);
++ tipc_net_stop(net);
+ /* Make sure the tipc_net_finalize_work() finished */
+ cancel_work_sync(&tn->work);
+- tipc_net_stop(net);
+-
+ tipc_bcast_stop(net);
+ tipc_nametbl_stop(net);
+ tipc_sk_rht_destroy(net);
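Review bot: The order of `tipc_net_stop(net)` before `cancel_work_sync(&tn->work)` is now what prevents the use-after-free, but the comment above the cancel still only says the work must have finished. The removed lines show the calls were previously the other way round, so I would record the constraint in the comment, e.g. `/* tipc_net_stop() must come first: nothing may queue tn->work after the cancel below */`. Whether any other path can still queue `tn->work` after this point is not visible in the hunk and should be confirmed. `tipc_exit_net()` continues past the hunk.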
+--
+2.35.1
+
--- /dev/null
+From bdea148a7ab3cc7fd112eebf4cdc402be1a9aa82 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Jun 2022 09:15:47 +0200
+Subject: udmabuf: add back sanity check
+
+From: Gerd Hoffmann <kraxel@redhat.com>
+
+[ Upstream commit 05b252cccb2e5c3f56119d25de684b4f810ba40a ]
+
+Check vm_fault->pgoff before using it. When we removed the warning, we
+also removed the check.
+
+Fixes: 7b26e4e2119d ("udmabuf: drop WARN_ON() check.")
+Reported-by: zdi-disclosures@trendmicro.com
+Suggested-by: Linus Torvalds <torvalds@linuxfoundation.org>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma-buf/udmabuf.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c
+index e7330684d3b8..9631f2fd2faf 100644
+--- a/drivers/dma-buf/udmabuf.c
++++ b/drivers/dma-buf/udmabuf.c
+@@ -32,8 +32,11 @@ static vm_fault_t udmabuf_vm_fault(struct vm_fault *vmf)
+ {
+ struct vm_area_struct *vma = vmf->vma;
+ struct udmabuf *ubuf = vma->vm_private_data;
++ pgoff_t pgoff = vmf->pgoff;
+
+- vmf->page = ubuf->pages[vmf->pgoff];
++ if (pgoff >= ubuf->pagecount)
++ return VM_FAULT_SIGBUS;
++ vmf->page = ubuf->pages[pgoff];
+ get_page(vmf->page);
+ return 0;
+ }
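Review bot: The new bound check in `udmabuf_vm_fault()` has no comment saying why `vmf->pgoff` can reach or exceed `ubuf->pagecount`, and the commit message shows the check was already lost once when a `WARN_ON()` was dropped. A short comment such as `/* pgoff follows the mapping the caller asked for and is not bounded by pagecount */` would mark this as input validation and not a debugging assertion. The mmap handler is outside the hunk, so the wording should be confirmed against it. Returning `VM_FAULT_SIGBUS` without a warning is the appropriate shape if userspace can trigger the condition.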
+--
+2.35.1
+
--- /dev/null
+From 264cfd5f90e72707801f8756798493f1f1fa1720 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Jun 2022 13:43:16 +0300
+Subject: usb: typec: wcove: Drop wrong dependency to INTEL_SOC_PMIC
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 9ef165406308515dcf2e3f6e97b39a1c56d86db5 ]
+
+Intel SoC PMIC is a generic name for all PMICs that are used
+on Intel platforms. In particular, INTEL_SOC_PMIC kernel configuration
+option refers to Crystal Cove PMIC, which has never been a part
+of any Intel Broxton hardware. Drop wrong dependency from Kconfig.
+
+Note, the correct dependency is satisfied via ACPI PMIC OpRegion driver,
+which the Type-C depends on.
+
+Fixes: d2061f9cc32d ("usb: typec: add driver for Intel Whiskey Cove PMIC USB Type-C PHY")
+Reported-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20220620104316.57592-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/typec/tcpm/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/usb/typec/tcpm/Kconfig b/drivers/usb/typec/tcpm/Kconfig
+index 557f392fe24d..073fd2ea5e0b 100644
+--- a/drivers/usb/typec/tcpm/Kconfig
++++ b/drivers/usb/typec/tcpm/Kconfig
+@@ -56,7 +56,6 @@ config TYPEC_WCOVE
+ tristate "Intel WhiskeyCove PMIC USB Type-C PHY driver"
+ depends on ACPI
+ depends on MFD_INTEL_PMC_BXT
+- depends on INTEL_SOC_PMIC
+ depends on BXT_WC_PMIC_OPREGION
+ help
+ This driver adds support for USB Type-C on Intel Broxton platforms
+--
+2.35.1
+
--- /dev/null
+From 8094f72ffc084c5b6b52f7258cb6b4fbba2cf816 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Jun 2022 13:48:44 +0200
+Subject: virtio_net: fix xdp_rxq_info bug after suspend/resume
+
+From: Stephan Gerhold <stephan.gerhold@kernkonzept.com>
+
+[ Upstream commit 8af52fe9fd3bf5e7478da99193c0632276e1dfce ]
+
+The following sequence currently causes a driver bug warning
+when using virtio_net:
+
+ # ip link set eth0 up
+ # echo mem > /sys/power/state (or e.g. # rtcwake -s 10 -m mem)
+ <resume>
+ # ip link set eth0 down
+
+ Missing register, driver bug
+ WARNING: CPU: 0 PID: 375 at net/core/xdp.c:138 xdp_rxq_info_unreg+0x58/0x60
+ Call trace:
+ xdp_rxq_info_unreg+0x58/0x60
+ virtnet_close+0x58/0xac
+ __dev_close_many+0xac/0x140
+ __dev_change_flags+0xd8/0x210
+ dev_change_flags+0x24/0x64
+ do_setlink+0x230/0xdd0
+ ...
+
+This happens because virtnet_freeze() frees the receive_queue
+completely (including struct xdp_rxq_info) but does not call
+xdp_rxq_info_unreg(). Similarly, virtnet_restore() sets up the
+receive_queue again but does not call xdp_rxq_info_reg().
+
+Actually, parts of virtnet_freeze_down() and virtnet_restore_up()
+are almost identical to virtnet_close() and virtnet_open(): only
+the calls to xdp_rxq_info_(un)reg() are missing. This means that
+we can fix this easily and avoid such problems in the future by
+just calling virtnet_close()/open() from the freeze/restore handlers.
+
+Aside from adding the missing xdp_rxq_info calls the only difference
+is that the refill work is only cancelled if netif_running(). However,
+this should not make any functional difference since the refill work
+should only be active if the network interface is actually up.
+
+Fixes: 754b8a21a96d ("virtio_net: setup xdp_rxq_info")
+Signed-off-by: Stephan Gerhold <stephan.gerhold@kernkonzept.com>
+Acked-by: Jesper Dangaard Brouer <brouer@redhat.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Link: https://lore.kernel.org/r/20220621114845.3650258-1-stephan.gerhold@kernkonzept.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/virtio_net.c | 25 ++++++-------------------
+ 1 file changed, 6 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
+index 73aba760e10c..468d0ffc266b 100644
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -2431,7 +2431,6 @@ static const struct ethtool_ops virtnet_ethtool_ops = {
+ static void virtnet_freeze_down(struct virtio_device *vdev)
+ {
+ struct virtnet_info *vi = vdev->priv;
+- int i;
+
+ /* Make sure no work handler is accessing the device */
+ flush_work(&vi->config_work);
+@@ -2439,14 +2438,8 @@ static void virtnet_freeze_down(struct virtio_device *vdev)
+ netif_tx_lock_bh(vi->dev);
+ netif_device_detach(vi->dev);
+ netif_tx_unlock_bh(vi->dev);
+- cancel_delayed_work_sync(&vi->refill);
+-
+- if (netif_running(vi->dev)) {
+- for (i = 0; i < vi->max_queue_pairs; i++) {
+- napi_disable(&vi->rq[i].napi);
+- virtnet_napi_tx_disable(&vi->sq[i].napi);
+- }
+- }
++ if (netif_running(vi->dev))
++ virtnet_close(vi->dev);
+ }
+
+ static int init_vqs(struct virtnet_info *vi);
+@@ -2454,7 +2447,7 @@ static int init_vqs(struct virtnet_info *vi);
+ static int virtnet_restore_up(struct virtio_device *vdev)
+ {
+ struct virtnet_info *vi = vdev->priv;
+- int err, i;
++ int err;
+
+ err = init_vqs(vi);
+ if (err)
+@@ -2463,15 +2456,9 @@ static int virtnet_restore_up(struct virtio_device *vdev)
+ virtio_device_ready(vdev);
+
+ if (netif_running(vi->dev)) {
+- for (i = 0; i < vi->curr_queue_pairs; i++)
+- if (!try_fill_recv(vi, &vi->rq[i], GFP_KERNEL))
+- schedule_delayed_work(&vi->refill, 0);
+-
+- for (i = 0; i < vi->max_queue_pairs; i++) {
+- virtnet_napi_enable(vi->rq[i].vq, &vi->rq[i].napi);
+- virtnet_napi_tx_enable(vi, vi->sq[i].vq,
+- &vi->sq[i].napi);
+- }
++ err = virtnet_open(vi->dev);
++ if (err)
++ return err;
+ }
+
+ netif_tx_lock_bh(vi->dev);
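Review bot: `virtnet_restore_up()` gains a failure exit after `init_vqs()` has succeeded and `virtio_device_ready(vdev)` has been called: when `virtnet_open()` fails, `return err` leaves without undoing either step. The removed code could not fail at this point, so the caller may not expect an error this late. I would either unwind here before returning or add a comment stating that the caller tears the queues down on error; the caller and the rest of this function are outside the hunk. The `virtnet_freeze_down()` hunk likewise calls `virtnet_close()` from the freeze path, so any locking those handlers expect from the normal open/close path should be checked for this context.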
+--
+2.35.1
+
--- /dev/null
+From 2d161481def0d608648b7f5bc2167ef75ef567e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Jun 2022 11:30:37 +0100
+Subject: x86/xen: Remove undefined behavior in setup_features()
+
+From: Julien Grall <jgrall@amazon.com>
+
+[ Upstream commit ecb6237fa397b7b810d798ad19322eca466dbab1 ]
+
+1 << 31 is undefined. So switch to 1U << 31.
+
+Fixes: 5ead97c84fa7 ("xen: Core Xen implementation")
+Signed-off-by: Julien Grall <jgrall@amazon.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Link: https://lore.kernel.org/r/20220617103037.57828-1-julien@xen.org
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/xen/features.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/xen/features.c b/drivers/xen/features.c
+index 7b591443833c..87f1828d40d5 100644
+--- a/drivers/xen/features.c
++++ b/drivers/xen/features.c
+@@ -42,7 +42,7 @@ void xen_setup_features(void)
+ if (HYPERVISOR_xen_version(XENVER_get_features, &fi) < 0)
+ break;
+ for (j = 0; j < 32; j++)
+- xen_features[i * 32 + j] = !!(fi.submap & 1<<j);
++ xen_features[i * 32 + j] = !!(fi.submap & 1U << j);
+ }
+
+ if (xen_pv_domain()) {
+--
+2.35.1
+
--- /dev/null
+From 86eae429aa3d410dac656ce02630992f37173a79 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Jun 2022 15:53:41 -0400
+Subject: xen-blkfront: Handle NULL gendisk
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jason Andryuk <jandryuk@gmail.com>
+
+[ Upstream commit f9710c357e5bbf64d7ce45ba0bc75a52222491c1 ]
+
+When a VBD is not fully created and then closed, the kernel can have a
+NULL pointer dereference:
+
+The reproducer is trivial:
+
+[user@dom0 ~]$ sudo xl block-attach work backend=sys-usb vdev=xvdi target=/dev/sdz
+[user@dom0 ~]$ xl block-list work
+Vdev BE handle state evt-ch ring-ref BE-path
+51712 0 241 4 -1 -1 /local/domain/0/backend/vbd/241/51712
+51728 0 241 4 -1 -1 /local/domain/0/backend/vbd/241/51728
+51744 0 241 4 -1 -1 /local/domain/0/backend/vbd/241/51744
+51760 0 241 4 -1 -1 /local/domain/0/backend/vbd/241/51760
+51840 3 241 3 -1 -1 /local/domain/3/backend/vbd/241/51840
+ ^ note state, the /dev/sdz doesn't exist in the backend
+
+[user@dom0 ~]$ sudo xl block-detach work xvdi
+[user@dom0 ~]$ xl block-list work
+Vdev BE handle state evt-ch ring-ref BE-path
+work is an invalid domain identifier
+
+And its console has:
+
+BUG: kernel NULL pointer dereference, address: 0000000000000050
+PGD 80000000edebb067 P4D 80000000edebb067 PUD edec2067 PMD 0
+Oops: 0000 [#1] PREEMPT SMP PTI
+CPU: 1 PID: 52 Comm: xenwatch Not tainted 5.16.18-2.43.fc32.qubes.x86_64 #1
+RIP: 0010:blk_mq_stop_hw_queues+0x5/0x40
+Code: 00 48 83 e0 fd 83 c3 01 48 89 85 a8 00 00 00 41 39 5c 24 50 77 c0 5b 5d 41 5c 41 5d c3 c3 0f 1f 80 00 00 00 00 0f 1f 44 00 00 <8b> 47 50 85 c0 74 32 41 54 49 89 fc 55 53 31 db 49 8b 44 24 48 48
+RSP: 0018:ffffc90000bcfe98 EFLAGS: 00010293
+RAX: ffffffffc0008370 RBX: 0000000000000005 RCX: 0000000000000000
+RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000000
+RBP: ffff88800775f000 R08: 0000000000000001 R09: ffff888006e620b8
+R10: ffff888006e620b0 R11: f000000000000000 R12: ffff8880bff39000
+R13: ffff8880bff39000 R14: 0000000000000000 R15: ffff88800604be00
+FS: 0000000000000000(0000) GS:ffff8880f3300000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000050 CR3: 00000000e932e002 CR4: 00000000003706e0
+Call Trace:
+ <TASK>
+ blkback_changed+0x95/0x137 [xen_blkfront]
+ ? read_reply+0x160/0x160
+ xenwatch_thread+0xc0/0x1a0
+ ? do_wait_intr_irq+0xa0/0xa0
+ kthread+0x16b/0x190
+ ? set_kthread_struct+0x40/0x40
+ ret_from_fork+0x22/0x30
+ </TASK>
+Modules linked in: snd_seq_dummy snd_hrtimer snd_seq snd_seq_device snd_timer snd soundcore ipt_REJECT nf_reject_ipv4 xt_state xt_conntrack nft_counter nft_chain_nat xt_MASQUERADE nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nft_compat nf_tables nfnetlink intel_rapl_msr intel_rapl_common crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel xen_netfront pcspkr xen_scsiback target_core_mod xen_netback xen_privcmd xen_gntdev xen_gntalloc xen_blkback xen_evtchn ipmi_devintf ipmi_msghandler fuse bpf_preload ip_tables overlay xen_blkfront
+CR2: 0000000000000050
+---[ end trace 7bc9597fd06ae89d ]---
+RIP: 0010:blk_mq_stop_hw_queues+0x5/0x40
+Code: 00 48 83 e0 fd 83 c3 01 48 89 85 a8 00 00 00 41 39 5c 24 50 77 c0 5b 5d 41 5c 41 5d c3 c3 0f 1f 80 00 00 00 00 0f 1f 44 00 00 <8b> 47 50 85 c0 74 32 41 54 49 89 fc 55 53 31 db 49 8b 44 24 48 48
+RSP: 0018:ffffc90000bcfe98 EFLAGS: 00010293
+RAX: ffffffffc0008370 RBX: 0000000000000005 RCX: 0000000000000000
+RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000000
+RBP: ffff88800775f000 R08: 0000000000000001 R09: ffff888006e620b8
+R10: ffff888006e620b0 R11: f000000000000000 R12: ffff8880bff39000
+R13: ffff8880bff39000 R14: 0000000000000000 R15: ffff88800604be00
+FS: 0000000000000000(0000) GS:ffff8880f3300000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000050 CR3: 00000000e932e002 CR4: 00000000003706e0
+Kernel panic - not syncing: Fatal exception
+Kernel Offset: disabled
+
+info->rq and info->gd are only set in blkfront_connect(), which is
+called for state 4 (XenbusStateConnected). Guard against using NULL
+variables in blkfront_closing() to avoid the issue.
+
+The rest of blkfront_closing looks okay. If info->nr_rings is 0, then
+for_each_rinfo won't do anything.
+
+blkfront_remove also needs to check for non-NULL pointers before
+cleaning up the gendisk and request queue.
+
+Fixes: 05d69d950d9d "xen-blkfront: sanitize the removal state machine"
+Reported-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Link: https://lore.kernel.org/r/20220601195341.28581-1-jandryuk@gmail.com
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/xen-blkfront.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/block/xen-blkfront.c b/drivers/block/xen-blkfront.c
+index 390817cf1221..d7a9bf43fb32 100644
+--- a/drivers/block/xen-blkfront.c
++++ b/drivers/block/xen-blkfront.c
+@@ -2140,9 +2140,11 @@ static void blkfront_closing(struct blkfront_info *info)
+ return;
+
+ /* No more blkif_request(). */
+- blk_mq_stop_hw_queues(info->rq);
+- blk_mark_disk_dead(info->gd);
+- set_capacity(info->gd, 0);
++ if (info->rq && info->gd) {
++ blk_mq_stop_hw_queues(info->rq);
++ blk_mark_disk_dead(info->gd);
++ set_capacity(info->gd, 0);
++ }
+
+ for_each_rinfo(info, rinfo, i) {
+ /* No more gnttab callback work. */
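Review bot: The new `if (info->rq && info->gd)` guard in blkfront_closing() has no comment saying why either pointer can be NULL here, so a later reader may take it for dead code and remove it. The commit message states that both are only set in blkfront_connect(), and the trace shows this path being reached from blkback_changed(), presumably on a state change reported by the backend before the frontend ever reached Connected. I would add above the guard `/* rq and gd are only set in blkfront_connect(); the backend may close before we ever connected. */`. blkfront_closing() starts and ends outside this hunk.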
+@@ -2478,16 +2480,19 @@ static int blkfront_remove(struct xenbus_device *xbdev)
+
+ dev_dbg(&xbdev->dev, "%s removed", xbdev->nodename);
+
+- del_gendisk(info->gd);
++ if (info->gd)
++ del_gendisk(info->gd);
+
+ mutex_lock(&blkfront_mutex);
+ list_del(&info->info_list);
+ mutex_unlock(&blkfront_mutex);
+
+ blkif_free(info, 0);
+- xlbd_release_minors(info->gd->first_minor, info->gd->minors);
+- blk_cleanup_disk(info->gd);
+- blk_mq_free_tag_set(&info->tag_set);
++ if (info->gd) {
++ xlbd_release_minors(info->gd->first_minor, info->gd->minors);
++ blk_cleanup_disk(info->gd);
++ blk_mq_free_tag_set(&info->tag_set);
++ }
+
+ kfree(info);
+ return 0;
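Review bot: In blkfront_remove() the second `if (info->gd)` block also decides whether `blk_mq_free_tag_set(&info->tag_set)` runs, so `info->gd` is being used as a stand-in for "the tag set was allocated". That is only correct if the tag set and the gendisk are always set up and torn down together, which I assume is the case but cannot confirm from the visible lines. A comment such as `/* gd != NULL implies the tag set was allocated alongside it */` would record the invariant, so a later change that allocates one without the other does not turn into a leak or a free of an uninitialised tag set. The function begins outside the hunk.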
+--
+2.35.1
+
--- /dev/null
+From 5bb2285427cf5425894e5a84d75137b5c672bc5c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Jun 2022 07:07:46 +0000
+Subject: xsk: Fix generic transmit when completion queue reservation fails
+
+From: Ciara Loftus <ciara.loftus@intel.com>
+
+[ Upstream commit a6e944f25cdbe6b82275402b8bc9a55ad7aac10b ]
+
+Two points of potential failure in the generic transmit function are:
+
+ 1. completion queue (cq) reservation failure.
+ 2. skb allocation failure
+
+Originally the cq reservation was performed first, followed by the skb
+allocation. Commit 675716400da6 ("xdp: fix possible cq entry leak")
+reversed the order because at the time there was no mechanism available
+to undo the cq reservation which could have led to possible cq entry leaks
+in the event of skb allocation failure. However if the skb allocation is
+performed first and the cq reservation then fails, the xsk skb destructor
+is called which blindly adds the skb address to the already full cq leading
+to undefined behavior.
+
+This commit restores the original order (cq reservation followed by skb
+allocation) and uses the xskq_prod_cancel helper to undo the cq reserve
+in event of skb allocation failure.
+
+Fixes: 675716400da6 ("xdp: fix possible cq entry leak")
+Signed-off-by: Ciara Loftus <ciara.loftus@intel.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Magnus Karlsson <magnus.karlsson@intel.com>
+Link: https://lore.kernel.org/bpf/20220614070746.8871-1-ciara.loftus@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xdp/xsk.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
+index 16cc38e51f14..9b55ca27cccf 100644
+--- a/net/xdp/xsk.c
++++ b/net/xdp/xsk.c
+@@ -553,12 +553,6 @@ static int xsk_generic_xmit(struct sock *sk)
+ goto out;
+ }
+
+- skb = xsk_build_skb(xs, &desc);
+- if (IS_ERR(skb)) {
+- err = PTR_ERR(skb);
+- goto out;
+- }
+-
+ /* This is the backpressure mechanism for the Tx path.
+ * Reserve space in the completion queue and only proceed
+ * if there is space in it. This avoids having to implement
+@@ -567,11 +561,19 @@ static int xsk_generic_xmit(struct sock *sk)
+ spin_lock_irqsave(&xs->pool->cq_lock, flags);
+ if (xskq_prod_reserve(xs->pool->cq)) {
+ spin_unlock_irqrestore(&xs->pool->cq_lock, flags);
+- kfree_skb(skb);
+ goto out;
+ }
+ spin_unlock_irqrestore(&xs->pool->cq_lock, flags);
+
++ skb = xsk_build_skb(xs, &desc);
++ if (IS_ERR(skb)) {
++ err = PTR_ERR(skb);
++ spin_lock_irqsave(&xs->pool->cq_lock, flags);
++ xskq_prod_cancel(xs->pool->cq);
++ spin_unlock_irqrestore(&xs->pool->cq_lock, flags);
++ goto out;
++ }
++
+ err = __dev_direct_xmit(skb, xs->queue_id);
+ if (err == NETDEV_TX_BUSY) {
+ /* Tell user-space to retry the send */
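Review bot: The branch taken when `xskq_prod_reserve()` fails still does `goto out` without assigning `err`, whereas the new skb-failure branch sets `err = PTR_ERR(skb)` and the NETDEV_TX_BUSY branch below is commented as telling user space to retry. If `err` still holds its initial value at that point (its initialisation is outside the hunk, so this is inferred), a full completion queue is reported to the caller no differently from a pass that sent everything. Consider setting a retry code there, e.g. `err = -EAGAIN;` before the `goto out;`, or add a comment saying that returning the current value is intended. xsk_generic_xmit() starts and ends outside this hunk.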
+--
+2.35.1
+